From: Jeff Lucovsky <jlucovsky@oisf.net>
Date: Wed, 10 Aug 2022 12:00:22 +0000 (-0400)
Subject: test/rules: Update ETOpen rules
X-Git-Tag: suricata-6.0.9~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1003%2Fhead;p=thirdparty%2Fsuricata-verify.git

test/rules: Update ETOpen rules

Issue: 2982

During 2982 development, an issue with some rules in the ETOpen ruleset
were discovered and reported to Proofpoint.

This commit updates the ETOpen rules containing the fixes for the
reported issue which manifested in 2 rules: sids 2037001 and 2035521.
---

diff --git a/tests/test-ruleparse-etopen-01/emerging-all.rules b/tests/test-ruleparse-etopen-01/emerging-all.rules
index 6569ed543..74a1c63ef 100644
--- a/tests/test-ruleparse-etopen-01/emerging-all.rules
+++ b/tests/test-ruleparse-etopen-01/emerging-all.rules
@@ -38,51629 +38,52435 @@
 
 # This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; classtype:bad-unknown; sid:2009244; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.IMAP4.6"; distance:0; nocase; content:"LicenseKey"; nocase; reference:url,secunia.com/advisories/24199/; reference:url,doc.emergingthreats.net/2010658; classtype:web-application-attack; sid:2010658; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; classtype:bad-unknown; sid:2009245; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011207; classtype:web-application-attack; sid:2011207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt"; flow:established,to_client; content:"66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; nocase; content:"SaveFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5/si"; reference:url,secunia.com/advisories/37967/; reference:url,doc.emergingthreats.net/2010943; classtype:web-application-attack; sid:2010943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; content:"savePageAsBitmap"; nocase; reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; reference:url,doc.emergingthreats.net/2008791; classtype:web-application-attack; sid:2008791; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; content:"clsid"; nocase; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009620; classtype:web-application-attack; sid:2009620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; content:"clsid"; nocase; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009621; classtype:web-application-attack; sid:2009621; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; content:"clsid"; nocase; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009622; classtype:web-application-attack; sid:2009622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; content:"clsid"; nocase; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009623; classtype:web-application-attack; sid:2009623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; content:"clsid"; nocase; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009624; classtype:web-application-attack; sid:2009624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; content:"clsid"; nocase; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009625; classtype:web-application-attack; sid:2009625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009626; classtype:web-application-attack; sid:2009626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009627; classtype:web-application-attack; sid:2009627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; content:"clsid"; nocase; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009628; classtype:web-application-attack; sid:2009628; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; content:"clsid"; nocase; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009629; classtype:web-application-attack; sid:2009629; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; content:"clsid"; nocase; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009630; classtype:web-application-attack; sid:2009630; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; content:"clsid"; nocase; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009631; classtype:web-application-attack; sid:2009631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; content:"clsid"; nocase; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009632; classtype:web-application-attack; sid:2009632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; content:"clsid"; nocase; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009633; classtype:web-application-attack; sid:2009633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; content:"clsid"; nocase; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009634; classtype:web-application-attack; sid:2009634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009635; classtype:web-application-attack; sid:2009635; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009636; classtype:web-application-attack; sid:2009636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; content:"clsid"; nocase; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009638; classtype:web-application-attack; sid:2009638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; content:"clsid"; nocase; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009639; classtype:web-application-attack; sid:2009639; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; content:"clsid"; nocase; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009640; classtype:web-application-attack; sid:2009640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009641; classtype:web-application-attack; sid:2009641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009642; classtype:web-application-attack; sid:2009642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSPkgDL.1"; nocase; distance:0; content:"DownloadAndInstall"; nocase; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,secunia.com/advisories/36679; reference:url,doc.emergingthreats.net/2010190; classtype:attempted-user; sid:2010190; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YGPWz.CAOLMemExpWz"; nocase; distance:0; content:"AppString"; nocase; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010987; classtype:attempted-user; sid:2010987; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AtHocGov IWSAlerts ActiveX Control Buffer Overflow Function Call Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"AtHocGovGSTlBar.GSHelper.1"; nocase; distance:0; content:"CompleteInstallation"; nocase; reference:url,metasploit.com/modules/exploit/windows/browser/athocgov_completeinstallation; reference:url,athoc.com/products/IWSAlerts_overview.aspx; reference:url,doc.emergingthreats.net/2011211; classtype:attempted-user; sid:2011211; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"R2AXCTRLLib.R2winCtrl"; nocase; distance:0; content:"ControlID"; nocase; reference:url,doc.emergingthreats.net/2011130; classtype:attempted-user; sid:2011130; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MPS.StormPlayer.1"; nocase; distance:0; content:"OnBeforeVideoDownload"; nocase; reference:bugtraq,34789; reference:url,doc.emergingthreats.net/2010995; classtype:attempted-user; sid:2010995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(EnableStartApplication|EnableStartBeforePrint|EnableKeepExistingFiles|EnablePassParameters)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010208; classtype:attempted-user; sid:2010208; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010209; classtype:attempted-user; sid:2010209; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"SaveBlackIceDEVMODE"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010210; classtype:attempted-user; sid:2010210; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ClearUserSettings"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010211; classtype:attempted-user; sid:2010211; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ControlJob"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010212; classtype:attempted-user; sid:2010212; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control BOF Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SdcUser.TgConCtl"; nocase; distance:0; content:"RunCMD"; nocase; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011213; classtype:attempted-user; sid:2011213; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable SetLogLevel/SetLogFileName Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"SetLog"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010036; classtype:attempted-user; sid:2010036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"WriteToLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010154; classtype:web-application-attack; sid:2010154; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"SetLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010155; classtype:web-application-attack; sid:2010155; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"FOXITREADEROCXLib.FoxitReaderOCX"; nocase; distance:0; content:"OpenFile "; nocase; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010930; classtype:attempted-user; sid:2010930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; classtype:string-detect; sid:2000499; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"GOMWEBCTRLLib.GomWeb"; nocase; distance:0; content:"Command"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010368; classtype:web-application-attack; sid:2010368; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; classtype:string-detect; sid:2000500; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1"; nocase; distance:0; content:"URL"; nocase; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010374; classtype:attempted-user; sid:2010374; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; classtype:string-detect; sid:2000501; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HyleosChemView.HLChemView"; nocase; distance:0; pcre:"/(ReadMolFile|SaveasMolFile)/i"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010999; classtype:attempted-user; sid:2010999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; classtype:string-detect; sid:2000502; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"IbmEgath.IbmEgathCtl.1"; distance:0; nocase; content:"GetXMLValue"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010482; classtype:attempted-user; sid:2010482; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; classtype:string-detect; sid:2000503; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003103; classtype:attempted-user; sid:2003103; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; classtype:string-detect; sid:2000504; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003105; classtype:attempted-user; sid:2003105; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; classtype:string-detect; sid:2000505; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; nocase; reference:url,doc.emergingthreats.net/2003162; classtype:attempted-user; sid:2003162; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; classtype:string-detect; sid:2000506; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsaIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; nocase; reference:url,doc.emergingthreats.net/2003163; classtype:attempted-user; sid:2003163; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; classtype:string-detect; sid:2000507; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Business Object Factory object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; nocase; reference:url,doc.emergingthreats.net/2003164; classtype:attempted-user; sid:2003164; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; classtype:string-detect; sid:2000508; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook Data Object object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F033-0000-0000-C000-000000000046"; nocase; reference:url,doc.emergingthreats.net/2003165; classtype:attempted-user; sid:2003165; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; classtype:trojan-activity; sid:2007717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook.Application object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F03A-0000-0000-C000-000000000046"; nocase; reference:url,doc.emergingthreats.net/2003166; classtype:attempted-user; sid:2003166; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; classtype:trojan-activity; sid:2007723; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; content:"CLSID"; nocase; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; reference:url,doc.emergingthreats.net/2003514; classtype:attempted-user; sid:2003514; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; classtype:trojan-activity; sid:2002809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url,osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003231; classtype:attempted-user; sid:2003231; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; classtype:trojan-activity; sid:2002810; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)"; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003232; classtype:attempted-user; sid:2003232; rev:59; metadata:created_at 2010_07_30, former_category ACTIVEX, updated_at 2010_07_30;)
 
-alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; classtype:trojan-activity; sid:2002811; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution"; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003233; classtype:attempted-user; sid:2003233; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009210; classtype:trojan-activity; sid:2009210; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url,osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003234; classtype:attempted-user; sid:2003234; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009211; classtype:trojan-activity; sid:2009211; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001181; classtype:misc-attack; sid:2001181; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; classtype:successful-user; sid:2009558; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; reference:url,doc.emergingthreats.net/2008621; classtype:web-application-attack; sid:2008621; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; classtype:successful-user; sid:2009559; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image22 ActiveX DrawIcon Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"1DC09FDF-2EF8-4CE9-ADEA-4D6A98A2F779"; nocase; distance:0; content:"DrawIcon"; nocase; reference:url,exploit-db.com/exploits/14321/; reference:url,doc.emergingthreats.net/2011250; classtype:web-application-attack; sid:2011250; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009560; classtype:successful-user; sid:2009560; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"BDF9442E-9B03-42C2-87BA-2A459B0A5317"; nocase; pcre:"/file\:.*\.(jpg|ini|exe|dll|bat|com|cab|txt)/i"; content:"BuildSlideShow"; reference:url,www.milw0rm.com/exploits/4981; reference:bugtraq,27439; reference:url,doc.emergingthreats.net/2007853; classtype:web-application-attack; sid:2007853; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; classtype:successful-user; sid:2009561; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"F8984111-38B6-11D5-8725-0050DA2761C4"; nocase; distance:0; content:"ImShExt.dll"; nocase; content:"DoWebMenuAction"; nocase; content:"INCREDISHELLEXTLib.IMMenuShellExt"; nocase; content:"String"; nocase; distance:0; pcre:"/[0-9]{3,}/"; reference:url,www.milw0rm.com/exploits/3877; reference:bugtraq,23674; reference:cve,CVE-2007-1683; reference:url,doc.emergingthreats.net/2007931; classtype:web-application-attack; sid:2007931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; classtype:successful-user; sid:2009562; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"032038A5-B655-11D3-BB7D-0050DA276194"; nocase; distance:0; content:"Authenticate"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*032038A5-B655-11D3-BB7D-0050DA276194/si"; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011048; classtype:attempted-user; sid:2011048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; classtype:successful-user; sid:2009563; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ISWiAuto15.ISWiSequence"; nocase; distance:0; content:"SaveToFile"; nocase; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010257; classtype:attempted-user; sid:2010257; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; classtype:successful-user; sid:2009564; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite clsid Access"; flow:established,to_client; content:"34E7A6F9-F260-46BD-AAC8-1E70E22139D2"; nocase; content:"SaveToFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*34E7A6F9-F260-46BD-AAC8-1E70E22139D2/si"; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010258; classtype:web-application-attack; sid:2010258; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; classtype:successful-user; sid:2009565; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX InstanGet v2.08 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"98C92840-EB1C-40BD-B6A5-395EC9CD6510D"; nocase; distance:0; content:"ShowBar"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C92840-EB1C-40BD-B6A5-395EC9CD6510/si"; reference:url,www.packetstormsecurity.org/0909-exploits/instantget-dos.txt; reference:url,doc.emergingthreats.net/2010279; classtype:web-application-attack; sid:2010279; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; classtype:successful-user; sid:2009566; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; nocase; distance:0; content:"SaveToFile"; nocase; reference:bugtraq,33345; reference:url,doc.emergingthreats.net/2009115; classtype:web-application-attack; sid:2009115; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; classtype:successful-user; sid:2009567; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"INCREDISPOOLERLib.Pop"; nocase; distance:0; content:"Authenticate"; nocase; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011049; classtype:attempted-user; sid:2011049; rev:6; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; classtype:successful-user; sid:2009568; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; reference:url,doc.emergingthreats.net/2009434; classtype:web-application-attack; sid:2009434; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; classtype:successful-user; sid:2009569; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JuniperSetup Control Buffer Overflow"; flow:established,from_server; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; pcre:"/param[^>]*name\s*=\s*["']?productname["']?[^>]*\s+value\s*=\s*(['"])((?!\1).|\\['"]){200}/Ri"; reference:url,www.eeye.com/html/research/advisories/AD20060424.html; reference:url,doc.emergingthreats.net/2002889; classtype:attempted-user; sid:2002889; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; content:"stdapi_ui_get_idle_time"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; classtype:successful-user; sid:2009570; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0; content:"KEYHELP"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si"; reference:url,www.securityfocus.com/bid/36546/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html; reference:url,doc.emergingthreats.net/2010012; classtype:attempted-user; sid:2010012; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; classtype:successful-user; sid:2009571; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/iR"; content:"SaveSettingsToFile"; distance:0; nocase; reference:url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html; reference:bugtraq,28442; reference:cve,CVE-2008-1605; reference:url,doc.emergingthreats.net/2008129; classtype:web-application-attack; sid:2008129; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; classtype:successful-user; sid:2009572; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Liquid XML Studio 2010 OpenFile Method Remote Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E68E401C-7DB0-4F3A-88E1-159882468A79"; nocase; distance:0; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E68E401C-7DB0-4F3A-88E1-159882468A79/si"; reference:url,exploit-db.com/exploits/11750; reference:url,doc.emergingthreats.net/2011050; classtype:attempted-user; sid:2011050; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; classtype:successful-user; sid:2009573; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Logitech VideoCall ActiveX Start method buffer overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"BF4C7B03-F381-4544-9A33-CB6DAD2A87CD"; nocase; distance:0; content:"Start"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BF4C7B03-F381-4544-9A33-CB6DAD2A87CD/si"; reference:url,osvdb.org/36820; reference:url,www.packetstormsecurity.nl/0911-exploits/logitechvideocall_start.rb.txt; reference:url,www.kb.cert.org/vuls/id/330289; reference:url,doc.emergingthreats.net/2010851; classtype:web-application-attack; sid:2010851; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; classtype:successful-user; sid:2009574; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOZXLib.EmbeddedMoz"; nocase; distance:0; content:"ExecCommand"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010364; classtype:web-application-attack; sid:2010364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; classtype:successful-user; sid:2009575; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TRATLLib.Options"; nocase; distance:0; content:"Run"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010366; classtype:web-application-attack; sid:2010366; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; classtype:successful-user; sid:2009576; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rising Online Virus Scanner ActiveX Scan Method stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RavOLCtlLib.RavOnline"; nocase; distance:0; content:"Scan"; nocase; reference:url,packetstorm.foofus.com/1002-exploits/risingonline-dos.txt; reference:bugtraq,38282; reference:url,doc.emergingthreats.net/2011021; classtype:attempted-user; sid:2011021; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; classtype:successful-user; sid:2009577; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Buffer Overflow Function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"VSFlexGrid.VSFlexGridL"; nocase; distance:0; pcre:"/(Text|EditSelText|EditText|CellFontName|Archive)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010467; classtype:web-application-attack; sid:2010467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; classtype:successful-user; sid:2009578; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"RunCmd"; nocase; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010370; classtype:attempted-user; sid:2010370; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; classtype:successful-user; sid:2009579; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"cliproxy.objects.1"; nocase; distance:0; content:"SetRemoteComputerName"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010959; classtype:attempted-user; sid:2010959; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; flow:to_client,established; content:"core_channel_write"; depth:50; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; classtype:successful-user; sid:2009580; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"DeleteValue"; nocase; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010835; classtype:attempted-user; sid:2010835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; classtype:successful-user; sid:2009651; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX WriteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"WriteValue"; nocase; reference:url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt; reference:url,doc.emergingthreats.net/2010837; classtype:attempted-user; sid:2010837; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; reference:url,doc.emergingthreats.net/2010454; classtype:successful-admin; sid:2010454; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RichUploadLib.UploadControl"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010703; classtype:attempted-user; sid:2010703; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; classtype:web-application-activity; sid:2007652; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"APWebGrabber.Object"; nocase; distance:0; content:"GetStatus"; nocase; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010690; classtype:attempted-user; sid:2010690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; classtype:policy-violation; sid:2006417; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 ActiveX control Import method Heap Overflow Attempt"; flow:established,to_client; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:"Import"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; reference:url,doc.emergingthreats.net/2010977; classtype:attempted-user; sid:2010977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"CheckForUpdates"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/210560; classtype:web-application-attack; sid:2010560; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"UpdateComponents"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010561; classtype:web-application-attack; sid:2010561; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; classtype:attempted-user; sid:2010692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET SQL MSSQL sp_replwritetovarbin - potential memory overwrite case 1"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008909; classtype:attempted-user; sid:2008909; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCTAVIFileLib.AVIFileM"; nocase; distance:0; content:"OpenFile"; nocase; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010357; classtype:web-application-attack; sid:2010357; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DELETED MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008910; classtype:attempted-user; sid:2008910; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c/si"; reference:url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/; reference:bid,42100; reference:url,doc.emergingthreats.net/2011509; classtype:attempted-user; sid:2011509; rev:2; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; classtype:attempted-dos; sid:2009886; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Psyb0t joining an IRC Channel"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"JOIN #mipsel"; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:trojan-activity; sid:2009172; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; reference:url,doc.emergingthreats.net/bin/view/Main/2007847; classtype:web-application-attack; sid:2007847; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING Suspicious SMTP handshake outbound"; flow:established,to_server; content:"001 RUTHERE"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008562; classtype:unknown; sid:2008562; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launch"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; classtype:attempted-user; sid:2011010; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP handshake reply"; flow:established,from_server; content:"701 IMHERE"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008563; classtype:unknown; sid:2008563; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; content:"offer-"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; classtype:attempted-user; sid:2010665; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2008779; classtype:unknown; sid:2008779; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcom Helper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:!"offer-"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+(service-url|banner|noexec|OS|Lang|return-page|core-product|userid|itemid|_c[xy]|sec-param|secparam)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.exploit-db.com/exploits/11172/; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2011675; classtype:attempted-user; sid:2011675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; classtype:unknown; sid:2008780; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; content:"clsid"; nocase; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009598; classtype:web-application-attack; sid:2009598; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; content:"clsid"; nocase; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009599; classtype:web-application-attack; sid:2009599; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002880; classtype:attempted-dos; sid:2002880; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; content:"clsid"; nocase; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009600; classtype:web-application-attack; sid:2009600; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002881; classtype:attempted-dos; sid:2002881; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; content:"clsid"; nocase; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009601; classtype:web-application-attack; sid:2009601; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002882; classtype:attempted-dos; sid:2002882; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; content:"clsid"; nocase; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009602; classtype:web-application-attack; sid:2009602; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002926; classtype:attempted-dos; sid:2002926; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; content:"clsid"; nocase; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009603; classtype:web-application-attack; sid:2009603; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002927; classtype:attempted-dos; sid:2002927; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009604; classtype:web-application-attack; sid:2009604; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002928; classtype:attempted-dos; sid:2002928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; classtype:web-application-attack; sid:2009606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED HELO Non-Displayable Characters MailEnable Denial of Service"; flow:established,to_server; content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00-\x08\x0e-\x1f]/R"; reference:cve,2006-3277; reference:bugtraq,18630; reference:url,doc.emergingthreats.net/bin/view/Main/2002998; classtype:attempted-dos; sid:2002998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; classtype:web-application-attack; sid:2008408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; classtype:web-application-attack; sid:2008409; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009607; classtype:web-application-attack; sid:2009607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; content:"clsid"; nocase; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009609; classtype:web-application-attack; sid:2009609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; content:"clsid"; nocase; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009610; classtype:web-application-attack; sid:2009610; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; content:"clsid"; nocase; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009611; classtype:web-application-attack; sid:2009611; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010488; classtype:attempted-dos; sid:2010488; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; content:"clsid"; nocase; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009613; classtype:web-application-attack; sid:2009613; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010489; classtype:attempted-dos; sid:2010489; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; content:"clsid"; nocase; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009614; classtype:web-application-attack; sid:2009614; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; content:"clsid"; nocase; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009615; classtype:web-application-attack; sid:2009615; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009616; classtype:web-application-attack; sid:2009616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009617; classtype:web-application-attack; sid:2009617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; classtype:attempted-admin; sid:2003369; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; content:"clsid"; nocase; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009618; classtype:web-application-attack; sid:2009618; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; content:"clsid"; nocase; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009619; classtype:web-application-attack; sid:2009619; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt"; flow:from_server,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6/si"; reference:url,www.milw0rm.org/exploits/8733; reference:url,www.securityfocus.com/bid/35028; reference:url,doc.emergingthreats.net/2010160; classtype:attempted-user; sid:2010160; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; classtype:attempted-admin; sid:2000031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt"; flow:established,to_client; content:"BC8A96C6-3909-11D5-9001-00C04F4C3B9F"; nocase; content:"BindToFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC8A96C6-3909-11D5-9001-00C04F4C3B9F/si"; reference:url,tcc.hellcode.net/advisories/hellcode-adv008.txt; reference:url,doc.emergingthreats.net/2010814; classtype:attempted-user; sid:2010814; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; classtype:attempted-admin; sid:2000049; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 Phobos.Playlist Import ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/; reference:url,doc.emergingthreats.net/2010962; classtype:attempted-user; sid:2010962; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; classtype:attempted-dos; sid:2000007; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt"; flow:established,from_server; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; nocase; content:"RUN"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3895DD35-7573-11D2-8FED-00606730D3AA/si"; reference:url,securitytracker.com/alerts/2009/Aug/1022752.html; reference:url,www.kb.cert.org/vuls/id/485961; reference:url,www.securityfocus.com/bid/21207/info; reference:url,doc.emergingthreats.net/2009868; classtype:attempted-user; sid:2009868; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access"; flow:established,to_client; content:"233C1507-6A77-46A4-9443-F871F945D258"; nocase; content:"PlayerVersion"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*233C1507-6A77-46A4-9443-F871F945D258/si"; reference:url,www.milw0rm.com/exploits/9682; reference:url,doc.emergingthreats.net/2010256; classtype:web-application-attack; sid:2010256; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 2"; flow:to_client,established; content:"2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009688; classtype:web-application-attack; sid:2009688; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 3"; flow:to_client,established; content:"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009689; classtype:web-application-attack; sid:2009689; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP SITE command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"SITE"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010732; classtype:attempted-recon; sid:2010732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution AeXNSPkgDLLib.dll ActiveX Control DownloadAndInstall Method Arbitrary Code Execution Attempt"; flow:from_server,established; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; content:"DownloadAndInstall"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7/si"; reference:url,securitytracker.com/alerts/2009/Sep/1022928.html; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,doc.emergingthreats.net/2010011; classtype:attempted-user; sid:2010011; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RMDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RMDIR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010733; classtype:attempted-recon; sid:2010733; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Attempt"; flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; nocase; content:"Appstring"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010986; classtype:attempted-user; sid:2010986; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP MKDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"MKDIR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010734; classtype:attempted-recon; sid:2010734; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Attempt"; flow:established,to_client; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; nocase; content:"ControlID"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15B168B2-AD3C-11D1-A8D8-00A0C9200E61/si"; reference:url,doc.emergingthreats.net/2011129; classtype:attempted-user; sid:2011129; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP PWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"PWD"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010735; classtype:attempted-recon; sid:2010735; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method"; flow:to_client,established; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; nocase; content:"SaveAS"; nocase; reference:url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html; reference:url,secunia.com/Advisories/31989/; reference:url,doc.emergingthreats.net/2008612; classtype:web-application-attack; sid:2008612; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RETR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RETR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010736; classtype:attempted-recon; sid:2010736; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk IDrop Indicator ActiveX Control Memory Corruption"; flow:to_client,established; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; nocase; pcre:"/(Src|Background|PackageXml)/i"; reference:url,secunia.com/advisories/34563/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2009-04/0020.html; reference:url,vupen.com/english/advisories/2009/0942; reference:url,milw0rm.com/exploits/8560; reference:url,doc.emergingthreats.net/2009399; classtype:web-application-attack; sid:2009399; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP NLST command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"NLST"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010737; classtype:attempted-recon; sid:2010737; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow"; flow:to_client,established; content:"9589AEC9-1C2D-4428-B7E8-63B39D356F9C"; nocase; content:"PrinterName"; nocase; reference:url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt; reference:bugtraq,35582; reference:url,juniper.net/security/auto/vulnerabilities/vuln35583.html; reference:url,doc.emergingthreats.net/2009792; classtype:web-application-attack; sid:2009792; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNTO command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNTO"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010738; classtype:attempted-recon; sid:2010738; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control OnBeforeVideoDownload Method Buffer Overflow"; flow:to_client,established; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; nocase; content:"OnBeforeVideoDownload"; nocase; reference:bugtraq,34789; reference:url,milw0rm.com/exploits/8579; reference:url,doc.emergingthreats.net/2009425; classtype:web-application-attack; sid:2009425; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNFR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNFR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010739; classtype:attempted-recon; sid:2010739; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow"; flow:to_client,established; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; nocase; content:"SetAttributeValue"; nocase; reference:bugtraq,34869; reference:url,juniper.net/security/auto/vulnerabilities/vuln34869.html; reference:url,vupen.com/english/advisories/2009/1392; reference:url,milw0rm.com/exploits/8757; reference:url,doc.emergingthreats.net/2009657; classtype:web-application-attack; sid:2009657; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP STOR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"STOR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010740; classtype:attempted-recon; sid:2010740; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"Enable"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(EnableKeepExistingFiles|EnableStartApplication|EnableStartBeforePrint|EnablePassParameters)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010203; classtype:attempted-user; sid:2010203; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; classtype:web-application-attack; sid:2008776; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"Set"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010204; classtype:attempted-user; sid:2010204; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; classtype:web-application-attack; sid:2008777; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"SaveBlackIceDEVMODE"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010205; classtype:attempted-user; sid:2010205; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"ClearUserSettings"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010206; classtype:attempted-user; sid:2010206; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP HP-UX LIST command without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:"LIST "; nocase; depth:5; reference:cve,2005-3296; reference:bugtraq,15138; reference:url,doc.emergingthreats.net/bin/view/Main/2002851; classtype:attempted-recon; sid:2002851; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"ControlJob"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010207; classtype:attempted-user; sid:2010207; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Charm Real Converter pro 6.6 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"F4F647AD-B160-11D2-A3EF-00104BDF4755"; nocase; content:"GetCodecModulus"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4F647AD-B160-11D2-A3EF-00104BDF4755/si"; reference:url,www.packetstormsecurity.org/0909-exploits/charmrc-dos.txt; reference:url,doc.emergingthreats.net/2010280; classtype:web-application-attack; sid:2010280; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS"; flow:to_client,established; content:"126FB030-1E9E-4517-A254-430616582C50"; nocase; content:"LoadXmlEmail"; nocase; reference:url,www.milw0rm.com/exploits/6600; reference:url,doc.emergingthreats.net/2008607; classtype:web-application-attack; sid:2008607; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; classtype:bad-unknown; sid:2001023; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method"; flow:to_client,established; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; content:"WriteFile"; nocase; reference:url,secunia.com/Advisories/32513/; reference:url,milw0rm.com/exploits/6963; reference:url,doc.emergingthreats.net/2008814; classtype:web-application-attack; sid:2008814; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; classtype:bad-unknown; sid:2001024; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation"; flow:to_client,established; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; nocase; content:"SaveLastError"; nocase; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7142; reference:url,doc.emergingthreats.net/2008870; classtype:web-application-attack; sid:2008870; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:cve,2003-0533; classtype:misc-activity; sid:2000046; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; flow:to_client,established; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; content:"SaveLastError"; nocase; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; reference:url,doc.emergingthreats.net/2009046; classtype:web-application-attack; sid:2009046; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:cve,2003-0533; classtype:misc-activity; sid:2000033; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chinagames ActiveX Control CreateChinagames Method Buffer Overflow"; flow:to_client,established; content:"75108B29-202F-493C-86C5-1C182A485C4C"; nocase; content:"CreateChinagames"; nocase; reference:bugtraq,34871; reference:url,milw0rm.com/exploits/8758; reference:url,doc.emergingthreats.net/2009500; classtype:web-application-attack; sid:2009500; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite"; flow:to_client,established; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; content:"SaveToFile"; nocase; reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794; reference:url,doc.emergingthreats.net/2009064; classtype:web-application-attack; sid:2009064; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; classtype:shellcode-detect; sid:2001369; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit"; flow:established,to_client; content:"0x40000"; content:"SendChannelData"; nocase; content:"238F6F83-B8B4-11CF-8771-00A024541EE3"; nocase; reference:url,www.milw0rm.com/exploits/5106; reference:bugtraq,21458; reference:cve,CVE-2006-6334; reference:url,doc.emergingthreats.net/bin/view/Main/2007851; classtype:web-application-attack; sid:2007851; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; classtype:shellcode-detect; sid:2001363; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ComponentOne VSFlexGrid ActiveX Control Archive Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"C945E31A-102E-4A0D-8854-D599D7AED5FA"; nocase; distance:0; content:"Archive"; nocase; reference:url,exploit-db.com/exploits/12673; reference:url,doc.emergingthreats.net/2011210; classtype:attempted-user; sid:2011210; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; classtype:shellcode-detect; sid:2001364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"01113300-3E00-11D2-8470-0060089874ED"; nocase; distance:0; content:"RunCMD"; nocase; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011212; classtype:attempted-user; sid:2011212; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; classtype:misc-activity; sid:2001374; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods"; flow:to_client,established; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; pcre:"/(Save|SaveLayoutChanges|SaveMenuUsageData)/i"; reference:bugtraq,24959; reference:cve,CVE-2007-3883; reference:url,www.exploit-db.com/exploits/5395/; reference:url,doc.emergingthreats.net/2008127; classtype:web-application-attack; sid:2008127; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007905; classtype:web-application-attack; sid:2007905; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET NETBIOS ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; classtype:attempted-admin; sid:2002064; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EDraw Flowchart ActiveX Control OpenDocument Method Remote Code Execution Attempt"; flow:to_client,established; content:"F685AFD8-A5CC-410E-98E4-BAA1C559BA61"; nocase; content:"OpenDocument"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F685AFD8-A5CC-410E-98E4-BAA1C559BA61/si"; reference:url,doc.emergingthreats.net/2011055; classtype:attempted-user; sid:2011055; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; classtype:misc-activity; sid:2001848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable WriteToLog Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; content:"WriteToLog"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010035; classtype:attempted-user; sid:2010035; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; classtype:misc-activity; sid:2001849; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; content:"0x400000"; nocase; content:"CreateStore"; nocase; reference:bugtraq,32722; reference:url,milw0rm.com/exploits/7402; reference:url,doc.emergingthreats.net/2008963; classtype:web-application-attack; sid:2008963; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; classtype:misc-activity; sid:2001873; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quiksoft EasyMail imap connect() ActiveX stack overflow vulnerability"; flow:from_server,established; content:"<script"; nocase; content:"unescape|28|"; nocase; content:"|2e|connect"; nocase; distance:0; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,www.milw0rm.com/exploits/9704; reference:url,www.securityfocus.com/bid/22583; reference:url,doc.emergingthreats.net/2009948; classtype:attempted-user; sid:2009948; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; classtype:misc-activity; sid:2001874; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt"; flow:to_client,established; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; content:"LicenseKey"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,milw0rm.com/exploits/9684; reference:url,doc.emergingthreats.net/2010253; classtype:web-application-attack; sid:2010253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002186; classtype:attempted-admin; sid:2002186; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail ActiveX AddAttachment method Remote code excution clsid access attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"AddAttachment"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:url,www.milw0rm.com/exploits/9705; reference:url,doc.emergingthreats.net/2010278; classtype:web-application-attack; sid:2010278; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002199; classtype:protocol-command-decode; sid:2002199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX CreateStore method Remote code excution clsid access"; flow:established,to_client; content:"18A76B9A-45C1-11D3-80DC-00C04F6B92D0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0/si"; content:"CreateStore"; nocase; reference:url,www.milw0rm.com/exploits/9685; reference:url,doc.emergingthreats.net/2010277; classtype:web-application-attack; sid:2010277; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002200; classtype:protocol-command-decode; sid:2002200; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; content:"DoSaveFile"; nocase; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009102; classtype:web-application-attack; sid:2009102; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002201; classtype:attempted-admin; sid:2002201; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; content:"DoSaveFile"; nocase; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009063; classtype:web-application-attack; sid:2009063; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002202; classtype:protocol-command-decode; sid:2002202; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1)"; flow:from_server,established; content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; nocase; content:"PictureUrls"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009402; classtype:attempted-user; sid:2009402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; classtype:attempted-admin; sid:2002203; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2)"; flow:from_server,established; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; nocase; content:"PictureUrls"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009403; classtype:attempted-user; sid:2009403; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:8; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_09_28;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; nocase; content:"RemoteAddress"; nocase; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; reference:url,doc.emergingthreats.net/2008999; classtype:web-application-attack; sid:2008999; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion"; flow:to_client,established; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; content:"DeleteFile"; nocase; reference:bugtraq,33842; reference:url,xforce.iss.net/xforce/xfdb/48837; reference:url,doc.emergingthreats.net/2009184; classtype:web-application-attack; sid:2009184; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX Control GetFromURL Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"GetFromURL"; nocase; reference:url,exploit-db.com/exploits/14269/; reference:url,doc.emergingthreats.net/2011251; classtype:web-application-attack; sid:2011251; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003082; classtype:misc-attack; sid:2003082; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FlexCell Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; nocase; pcre:"/(SaveFile|ExportToXML)/i"; reference:url,www.milw0rm.com/exploits/7868; reference:bugtraq,33453; reference:url,doc.emergingthreats.net/2009120; classtype:web-application-attack; sid:2009120; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008690; classtype:attempted-admin; sid:2008690; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX control OpenFile method Heap Overflow Attempt"; flow:established,to_client; content:"05563215-225C-45EB-BB34-AFA47217B1DE"; nocase; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05563215-225C-45EB-BB34-AFA47217B1DE/si"; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010929; classtype:attempted-user; sid:2010929; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008691; classtype:attempted-admin; sid:2008691; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit"; flow:to_client,established; content:"0x40000"; content:"DoWebLaunch"; content:"97BB6657-DC7F-4489-9067-51FAB9D8857E"; nocase; reference:url,www.milw0rm.com/exploits/4982; reference:bugtraq,27193; reference:url,doc.emergingthreats.net/2007852; classtype:web-application-attack; sid:2007852; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008692; classtype:attempted-admin; sid:2008692; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method"; flow:to_client,established; content:"E8512363-3581-42EF-A43D-990E7935C8BE"; nocase; content:"SaveAsPDF"; nocase; reference:url,secunia.com/Advisories/31966/; reference:url,milw0rm.com/exploits/6638; reference:url,doc.emergingthreats.net/2008613; classtype:web-application-attack; sid:2008613; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008693; classtype:attempted-admin; sid:2008693; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution"; flow:to_client,established; content:"814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8"; nocase; content:"GetAudioPlayingTime"; nocase; reference:bugtraq,34115; reference:url,milw0rm.com/exploits/8206; reference:url,doc.emergingthreats.net/2009328; classtype:web-application-attack; sid:2009328; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008694; classtype:attempted-admin; sid:2008694; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"8D58D690-6B71-4ee8-85AD-006DB0287BF1"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009160; classtype:web-application-attack; sid:2009160; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any any -> $HOME_NET 139 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008695; classtype:attempted-admin; sid:2008695; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009161; classtype:web-application-attack; sid:2009161; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008696; classtype:attempted-admin; sid:2008696; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009162; classtype:web-application-attack; sid:2009162; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008697; classtype:attempted-admin; sid:2008697; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; content:"Command"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010367; classtype:web-application-attack; sid:2010367; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008698; classtype:attempted-admin; sid:2008698; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; content:"ViewProfile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; reference:url,www.securityfocus.com/bid/37834; reference:url,doc.emergingthreats.net/2010760; classtype:attempted-user; sid:2010760; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008699; classtype:attempted-admin; sid:2008699; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Attempt"; flow:from_server,established; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; content:"XUPLOAD"; nocase; content:"MakeHttpRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E87F6C8E-16C0-11D3-BEF7-009027438003/si"; reference:url,www.securityfocus.com/bid/36550/info; reference:url,doc.emergingthreats.net/2010010; classtype:attempted-user; sid:2010010; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008700; classtype:attempted-admin; sid:2008700; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX DisplayName method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"DisplayName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010611; classtype:web-application-attack; sid:2010611; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008701; classtype:attempted-admin; sid:2008701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX AddGroup method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"AddGroup"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010612; classtype:web-application-attack; sid:2010612; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008702; classtype:attempted-admin; sid:2008702; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"InstallComponent"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010613; classtype:web-application-attack; sid:2010613; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008703; classtype:attempted-admin; sid:2008703; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX Subscribe method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"Subscribe"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010614; classtype:web-application-attack; sid:2010614; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008704; classtype:attempted-admin; sid:2008704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; content:"ProgColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010778; classtype:attempted-user; sid:2010778; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008705; classtype:attempted-admin; sid:2008705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; content:"ProgColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010779; classtype:attempted-user; sid:2010779; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008706; classtype:attempted-admin; sid:2008706; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Operations Manager SourceView ActiveX LoadFile/SaveFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"366C9C52-C402-416B-862D-1464F629CA59"; nocase; content:"File"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*366C9C52-C402-416B-862D-1464F629CA59.+(LoadFile|SaveFile)/si"; reference:url,packetstormsecurity.org/1004-exploits/CORELAN-10-027.txt; reference:url,secunia.com/advisories/39538/; reference:url,doc.emergingthreats.net/2011075; classtype:attempted-user; sid:2011075; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008707; classtype:attempted-admin; sid:2008707; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Virtual Rooms Control Clsid Access"; flow:from_server,established; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000032-9593-4264-8B29-930B3E4EDCCD/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01678405; reference:url,doc.emergingthreats.net/2009404; classtype:attempted-user; sid:2009404; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008708; classtype:attempted-admin; sid:2008708; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt"; flow:established,to_client; content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; content:"URL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si"; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010373; classtype:attempted-user; sid:2010373; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008709; classtype:attempted-admin; sid:2008709; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; reference:url,secunia.com/Advisories/32337/; reference:url,doc.emergingthreats.net/2008678; classtype:web-application-attack; sid:2008678; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008710; classtype:attempted-admin; sid:2008710; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"SaveasMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010997; classtype:attempted-user; sid:2010997; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008711; classtype:attempted-admin; sid:2008711; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control ReadMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"ReadMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010998; classtype:attempted-user; sid:2010998; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008712; classtype:attempted-admin; sid:2008712; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; nocase; content:"PutProperty"; nocase; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; reference:url,doc.emergingthreats.net/2008618; classtype:web-application-attack; sid:2008618; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008713; classtype:attempted-admin; sid:2008713; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:established,to_client; content:"74FFE28D-2378-11D5-990C-006094235084"; nocase; content:"GetXMLValue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*74FFE28D-2378-11D5-990C-006094235084/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010483; classtype:attempted-user; sid:2010483; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008714; classtype:attempted-admin; sid:2008714; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".Spline|28|"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/si"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003102; classtype:attempted-user; sid:2003102; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008715; classtype:attempted-admin; sid:2008715; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID"; flow:from_server,established; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; nocase; reference:url,www.securityfocus.com/bid/20843; reference:url,secunia.com/advisories/22603; reference:cve,2006-4704; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; reference:url,doc.emergingthreats.net/2003158; classtype:attempted-user; sid:2003158; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 139 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008716; classtype:attempted-admin; sid:2008716; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsmIDE.DTE object call CSLID"; flow:from_server,established; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; nocase; reference:url,doc.emergingthreats.net/2003159; classtype:attempted-user; sid:2003159; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008717; classtype:attempted-admin; sid:2008717; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID"; flow:from_server,established; content:"639F725F-1B2D-4831-A9FD-874847682010"; nocase; reference:url,doc.emergingthreats.net/2003160; classtype:attempted-user; sid:2003160; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008718; classtype:attempted-admin; sid:2008718; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID"; flow:from_server,established; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; nocase; reference:url,doc.emergingthreats.net/2003161; classtype:attempted-user; sid:2003161; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008719; classtype:attempted-admin; sid:2008719; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; classtype:attempted-user; sid:2002971; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008720; classtype:attempted-admin; sid:2008720; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010263; classtype:attempted-user; sid:2010263; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008721; classtype:attempted-admin; sid:2008721; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,to_client; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010264; classtype:attempted-user; sid:2010264; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; classtype:attempted-admin; sid:2002845; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 1 Access Attempt"; flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5DFB2651-9668-11D0-B17B-00C04FC2A0CA/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010292; classtype:attempted-user; sid:2010292; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:2000488; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 2 Access Attempt"; flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010293; classtype:attempted-user; sid:2010293; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000373; classtype:attempted-user; sid:2000373; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 3 Access Attempt"; flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010294; classtype:attempted-user; sid:2010294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000377; classtype:attempted-admin; sid:2000377; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 4 Access Attempt"; flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010295; classtype:attempted-user; sid:2010295; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000378; classtype:attempted-dos; sid:2000378; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 5 Access Attempt"; flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010296; classtype:attempted-user; sid:2010296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000379; classtype:attempted-dos; sid:2000379; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 6 Access Attempt"; flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010297; classtype:attempted-user; sid:2010297; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; classtype:attempted-admin; sid:2000380; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 7 Access Attempt"; flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010298; classtype:attempted-user; sid:2010298; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; reference:url,doc.emergingthreats.net/2009999; classtype:attempted-user; sid:2009999; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 8 Access Attempt"; flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010299; classtype:attempted-user; sid:2010299; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; reference:url,doc.emergingthreats.net/2010000; classtype:attempted-user; sid:2010000; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 9 Access Attempt"; flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010300; classtype:attempted-user; sid:2010300; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 10 Access Attempt"; flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010301; classtype:attempted-user; sid:2010301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 11 Access Attempt"; flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010302; classtype:attempted-user; sid:2010302; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 12 Access Attempt"; flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010303; classtype:attempted-user; sid:2010303; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 13 Access Attempt"; flow:established,to_client; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010304; classtype:attempted-user; sid:2010304; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 14 Access Attempt"; flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010305; classtype:attempted-user; sid:2010305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 15 Access Attempt"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010306; classtype:attempted-user; sid:2010306; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 16 Access Attempt"; flow:established,to_client; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010307; classtype:attempted-user; sid:2010307; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 17 Access Attempt"; flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010308; classtype:attempted-user; sid:2010308; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 18 Access Attempt"; flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010309; classtype:attempted-user; sid:2010309; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 19 Access Attempt"; flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010310; classtype:attempted-user; sid:2010310; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 20 Access Attempt"; flow:established,to_client; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010311; classtype:attempted-user; sid:2010311; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 22 Access Attempt"; flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010313; classtype:attempted-user; sid:2010313; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 23 Access Attempt"; flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010314; classtype:attempted-user; sid:2010314; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 24 Access Attempt"; flow:established,to_client; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010315; classtype:attempted-user; sid:2010315; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 25 Access Attempt"; flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010316; classtype:attempted-user; sid:2010316; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 26 Access Attempt"; flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010317; classtype:attempted-user; sid:2010317; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 27 Access Attempt"; flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010318; classtype:attempted-user; sid:2010318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 28 Access Attempt"; flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010319; classtype:attempted-user; sid:2010319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative; reference:cve,2005-0399; reference:url,doc.emergingthreats.net/bin/view/Main/2001807; classtype:attempted-admin; sid:2001807; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 29 Access Attempt"; flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010320; classtype:attempted-user; sid:2010320; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001988; classtype:attempted-admin; sid:2001988; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 30 Access Attempt"; flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010321; classtype:attempted-user; sid:2010321; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; classtype:bad-unknown; sid:2000017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 31 Access Attempt"; flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010322; classtype:attempted-user; sid:2010322; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,support.microfocus.com/kb/doc.php?id=7006374; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt"; flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010323; classtype:attempted-user; sid:2010323; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002886; classtype:attempted-admin; sid:2002886; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt"; flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010324; classtype:attempted-user; sid:2010324; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002887; classtype:attempted-admin; sid:2002887; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt"; flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010325; classtype:attempted-user; sid:2010325; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002888; classtype:attempted-admin; sid:2002888; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt"; flow:established,to_client; content:"5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010326; classtype:attempted-user; sid:2010326; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; reference:url,doc.emergingthreats.net/2010375; classtype:attempted-admin; sid:2010375; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt"; flow:established,to_client; content:"ADEADEB8-E54B-11d1-9A72-0000F875EADE"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADEADEB8-E54B-11d1-9A72-0000F875EADE/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010327; classtype:attempted-user; sid:2010327; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message|0d 0a|"; distance:0; pcre:"/[^a-zA-Z0-9]+\.message/"; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003196; classtype:misc-attack; sid:2003196; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt"; flow:established,to_client; content:"EC85D8F1-1C4E-46e4-A748-7AA04E7C0496"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC85D8F1-1C4E-46e4-A748-7AA04E7C0496/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010328; classtype:attempted-user; sid:2010328; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003197; classtype:misc-attack; sid:2003197; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt"; flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010329; classtype:attempted-user; sid:2010329; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000565; classtype:suspicious-login; sid:2000565; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt"; flow:established,to_client; content:"E673DCF2-C316-4c6f-AA96-4E4DC6DC291E"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4c6f-AA96-4E4DC6DC291E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010330; classtype:attempted-user; sid:2010330; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000566; classtype:suspicious-login; sid:2000566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt"; flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010331; classtype:attempted-user; sid:2010331; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; reference:url,doc.emergingthreats.net/bin/view/Main/2000564; classtype:misc-attack; sid:2000564; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt"; flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010332; classtype:attempted-user; sid:2010332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; reference:url,doc.emergingthreats.net/bin/view/Main/2000567; classtype:misc-attack; sid:2000567; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Communications Control Clsid Access"; flow:from_server,established; content:"648A5600-2C6E-101B-82B6-000000000014"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*648A5600-2C6E-101B-82B6-000000000014/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,doc.emergingthreats.net/2009400; classtype:attempted-user; sid:2009400; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001053; classtype:misc-activity; sid:2001053; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; flow:to_client,established; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; content:"GetEntryPointForThread"; nocase; reference:bugtraq,31996; reference:url,doc.emergingthreats.net/2008792; classtype:web-application-attack; sid:2008792; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001544; classtype:misc-activity; sid:2001544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; content:"Open"; nocase; content:".avi"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; reference:url,doc.emergingthreats.net/2008993; classtype:web-application-attack; sid:2008993; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001052; classtype:misc-activity; sid:2001052; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"CheckForUpdates"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010562; classtype:web-application-attack; sid:2010562; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001543; classtype:misc-activity; sid:2001543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"UpdateComponents"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010563; classtype:web-application-attack; sid:2010563; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001753; classtype:suspicious-login; sid:2001753; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Windows Media Services nskey.dll ActiveX Control Possible Remote Buffer Overflow"; flow:to_client,established; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; nocase; content:"CallHTMLHelp"; nocase; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,doc.emergingthreats.net/2008925; classtype:web-application-attack; sid:2008925; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001754; classtype:suspicious-login; sid:2001754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit"; flow:to_client,established; content:"0x40000"; content:"WksPictureInterface"; nocase; distance:0; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; nocase; distance:0; reference:bugtraq,28820; reference:url,www.milw0rm.com/exploits/5460; reference:url,www.milw0rm.com/exploits/5530; reference:url,doc.emergingthreats.net/2008226; classtype:web-application-attack; sid:2008226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002912; classtype:misc-activity; sid:2002912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid"; flow:to_client,established; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; content:"loadXML"; nocase; distance:0; content:"parseError.srcText"; nocase; distance:0; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008887; classtype:web-application-attack; sid:2008887; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002913; classtype:misc-activity; sid:2002913; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Macrovision FLEXnet Connect ActiveX Control Arbitrary File Download"; flow:to_client, established; content:"DownloadAndExecute"; nocase; content:"1DF951B1-8D40-4894-A04C-66AD824A0EEF"; nocase; distance:0; reference:bugtraq,27279; reference:url,www.milw0rm.com/exploits/4913; reference:url,doc.emergingthreats.net/2010358; classtype:successful-user; sid:2010358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt"; flow:from_server,established; content:"04D18721-749F-4140-AEB0-CAC099CA4741"; nocase; content:"WriteTaskDataToIniFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*04D18721-749F-4140-AEB0-CAC099CA4741/si"; reference:url,www.securitytracker.com/alerts/2009/Jun/1022413.html; reference:url,www.packetstormsecurity.com/0906-exploits/mcafee-activex.txt; reference:url,doc.emergingthreats.net/2009411; classtype:attempted-user; sid:2009411; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002918; classtype:misc-activity; sid:2002918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MetaProducts MetaTreeX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; nocase; pcre:"/(SaveToBMP|SaveToFile)/i"; reference:bugtraq,33318; reference:url,milw0rm.com/exploits/7804; reference:url,doc.emergingthreats.net/2009104; classtype:web-application-attack; sid:2009104; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002924; classtype:misc-activity; sid:2002924; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microgaming FlashXControl Control Clsid Access"; flow:from_server,established; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D8089245-3211-40F6-819B-9E5E92CD61A2/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,www.microgaming.co.uk/news_flashxcontrol.php; reference:url,doc.emergingthreats.net/2009401; classtype:attempted-user; sid:2009401; rev:26; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002923; classtype:misc-activity; sid:2002923; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTsoft NCTAudioFile2 ActiveX Control NCTWMAFILE2.DLL Arbitrary File Overwrite"; flow:to_client,established; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; nocase; content:"CreateFile"; nocase; reference:url,www.milw0rm.com/exploits/7871; reference:bugtraq,24613; reference:url,doc.emergingthreats.net/2009121; classtype:web-application-attack; sid:2009121; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Good Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002919; classtype:attempted-admin; sid:2002919; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow"; flow:to_client,established; content:"F85B4A10-B530-4D68-A714-7415838FD174"; nocase; content:"SelectDevice"; nocase; reference:bugtraq,33726; reference:url,doc.emergingthreats.net/2009178; classtype:web-application-attack; sid:2009178; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002915; classtype:attempted-admin; sid:2002915; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; content:"SetFontFace"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; classtype:attempted-user; sid:2009923; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002916; classtype:attempted-admin; sid:2002916; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client ExecuteRequest ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-0935; reference:url,doc.emergingthreats.net/2010693; classtype:attempted-user; sid:2010693; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002917; classtype:successful-admin; sid:2002917; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client GetDriverSettings ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"336723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"GetDriverSettings"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-2908; reference:url,doc.emergingthreats.net/2010694; classtype:attempted-user; sid:2010694; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002921; classtype:attempted-admin; sid:2002921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; content:"download"; nocase; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; reference:url,doc.emergingthreats.net/2009314; classtype:web-application-attack; sid:2009314; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008517; classtype:attempted-user; sid:2008517; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; content:"ExecCommand"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010363; classtype:web-application-attack; sid:2010363; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008518; classtype:attempted-user; sid:2008518; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PDFZilla 1.0.8 ActiveX DebugMsgLog method DOS CLSid Access"; flow:established,to_client; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; nocase; content:"DebugMsgLog"; nocase; reference:url,packetstormsecurity.org/0908-exploits/pdfzilla-overflow.txt; reference:url,doc.emergingthreats.net/9130; classtype:web-application-attack; sid:2010029; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000032; classtype:misc-activity; sid:2000032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability"; flow:to_client,established; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; nocase; content:"0x40000"; content:"Logo"; nocase; reference:bugtraq,25502; reference:url,doc.emergingthreats.net/2008173; classtype:web-application-attack; sid:2008173; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:url,doc.emergingthreats.net/bin/view/Main/2008426; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt"; flow:from_server,established; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si"; reference:url,www.securityfocus.com/bid/36234/info; reference:url,doc.emergingthreats.net/2009858; classtype:attempted-user; sid:2009858; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001385; classtype:shellcode-detect; sid:2001385; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; content:"SetID"; nocase; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; reference:url,doc.emergingthreats.net/2009002; classtype:web-application-attack; sid:2009002; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference:url,online.securityfocus.com/archive/1/293844; reference:url,doc.emergingthreats.net/bin/view/Main/2001780; classtype:attempted-admin; sid:2001780; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; reference:url,doc.emergingthreats.net/2009315; classtype:web-application-attack; sid:2009315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003411; reference:cve,2007-0882; classtype:attempted-user; sid:2003411; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"DD50A655-10FB-11D2-A22B-00104B27F81B"; nocase; content:"Run"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DD50A655-10FB-11D2-A22B-00104B27F81B/si"; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010365; classtype:web-application-attack; sid:2010365; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003412; reference:cve,2007-0882; classtype:attempted-user; sid:2003412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Remote Desktop Connection ActiveX Control Heap Overflow clsid access"; flow:established,to_client; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(.+<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(\?P=q1)(\s|>)/si"; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-044.mspx; reference:url,doc.emergingthreats.net/2009907; classtype:attempted-user; sid:2009907; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RKD Software ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C26D9CA8-6747-11D5-AD4B-C01857C10000"; nocase; content:"SaveasMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000/si"; reference:url,packetstorm.foofus.com/1002-exploits/barcode_ax49.rb.txt; reference:bugtraq,24596; reference:url,doc.emergingthreats.net/2011020; classtype:attempted-user; sid:2011020; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010941; classtype:attempted-user; sid:2010941; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; nocase; content:"0x40000"; nocase; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007904; classtype:web-application-attack; sid:2007904; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; classtype:misc-attack; sid:2000342; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution"; flow:to_client,established; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; nocase; content:"url"; nocase; distance:0; pcre:"/(exe|bat|com|dll|ini)/i"; content:"start"; nocase; reference:cve,CVE-2006-6838; reference:bugtraq,21831; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html; reference:url,doc.emergingthreats.net/2007998; classtype:web-application-attack; sid:2007998; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003198; classtype:non-standard-protocol; sid:2003198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Registry OCX ActiveX FullPath Method Buffer Overflow Attempt"; flow:to_client,established; content:"6D5B4E71-625F-11D2-B3AE-00A0C932C7DF"; nocase; content:"FullPath"; nocase; reference:url,exploit-db.com/exploits/14200/; reference:url,doc.emergingthreats.net/2011253; classtype:attempted-user; sid:2011253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003199; classtype:non-standard-protocol; sid:2003199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Rising Online Virus Scanner ActiveX Control Scan() Method Stack Buffer Overflow Attempt"; flow:established,to_client; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; nocase; content:"Scan"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9FAFB576-6933-4CCC-AB3D-B988EC43D04E/si"; reference:url,www.securityfocus.com/bid/38282; reference:url,doc.emergingthreats.net/2010839; classtype:attempted-user; sid:2010839; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; reference:url,doc.emergingthreats.net/bin/view/Main/2003434; classtype:attempted-admin; sid:2003434; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; nocase; content:"DiskType"; nocase; reference:url,milw0rm.com/exploits/8824; reference:bugtraq,23412; reference:url,doc.emergingthreats.net/2009725; classtype:web-application-attack; sid:2009725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; classtype:attempted-admin; sid:2002062; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow"; flow:to_client,established; content:"EE1BBA18-F0C8-477E-8AC8-C28B94F1B7DC"; nocase; content:"SetIAPlayerName"; nocase; reference:url,xforce.iss.net/xforce/xfdb/50868; reference:url,milw0rm.com/exploits/8835; reference:url,doc.emergingthreats.net/2009735; classtype:web-application-attack; sid:2009735; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; classtype:attempted-recon; sid:2002068; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SAP GUI ActiveX Control Insecure Method File Overwrite Attempt"; flow:from_server,established; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; content:"Save"; nocase; content:"ToSessionFile"; within:17; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E/si"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022953.html; reference:url,doc.emergingthreats.net/2010013; classtype:attempted-user; sid:2010013; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002181; classtype:default-login-attempt; sid:2002181; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt"; flow:from_server,established; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; nocase; content:"Accept"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87/si"; reference:url,www.securityfocus.com/bid/35256/info; reference:url,doc.emergingthreats.net/2010219; classtype:attempted-user; sid:2010219; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002182; classtype:misc-attack; sid:2002182; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Archive method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"Archive"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010468; classtype:web-application-attack; sid:2010468; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; classtype:attempted-user; sid:2002734; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Text method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"Text"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010469; classtype:web-application-attack; sid:2010469; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditSelText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"EditSelText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010470; classtype:web-application-attack; sid:2010470; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Starcraft login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"RATS"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002101; classtype:policy-violation; sid:2002101; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"EditText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010471; classtype:web-application-attack; sid:2010471; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Brood War login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PXES"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002102; classtype:policy-violation; sid:2002102; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX CellFontName method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"CellFontName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010472; classtype:web-application-attack; sid:2010472; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"LTRD"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002103; classtype:policy-violation; sid:2002103; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP AG SAPgui EAI WebViewer2D ActiveX stack buffer overflow CLSid Access"; flow:established,to_client; content:"A76CEBEE-7364-11D2-AA6B-00E02924C34E"; nocase; content:"SaveToSessionFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A76CEBEE-7364-11D2-AA6B-00E02924C34E/si"; reference:url,dsecrg.com/pages/vul/show.php?id=143; reference:url,doc.emergingthreats.net/2010481; classtype:attempted-user; sid:2010481; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo 2 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"VD2D"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002104; classtype:policy-violation; sid:2002104; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI SAPBExCommonResources ActiveX Insecure Method Code Execution Attempt"; flow:established,to_client; content:"A009C90D-814B-11D3-BA3E-080009D22344"; nocase; content:"Execute"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A009C90D-814B-11D3-BA3E-080009D22344/si"; reference:url,dsecrg.com/pages/vul/show.php?id=164; reference:url,doc.emergingthreats.net/2010957; classtype:attempted-user; sid:2010957; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo 2 Lord of Destruction login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PX2D"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002105; classtype:policy-violation; sid:2002105; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; content:"Get"; nocase; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; reference:url,doc.emergingthreats.net/2009047; classtype:web-application-attack; sid:2009047; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 2 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"NB2W"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002106; classtype:policy-violation; sid:2002106; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt"; flow:established,from_server; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; nocase; content:"StartVideoSaving"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C/si"; reference:url,www.securityfocus.com/bid/36217/info; reference:url,doc.emergingthreats.net/2009869; classtype:attempted-user; sid:2009869; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 3 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"3RAW"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002107; classtype:policy-violation; sid:2002107; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt"; flow:to_client,established; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; content:"AddRouteEntry"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si"; reference:url,www.securityfocus.com/bid/26288/info; reference:cve,2007-5603; reference:url,doc.emergingthreats.net/2010456; classtype:attempted-user; sid:2010456; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net old game version"; flow:established,from_server; content:"|FF 51|"; depth:2; content:"|00 01 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002109; classtype:policy-violation; sid:2002109; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; content:"SetExternalPlayer"; nocase; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; reference:url,doc.emergingthreats.net/2009226; classtype:web-application-attack; sid:2009226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net invalid version"; flow:established,from_server; content:"|FF 51 08 00 01 01 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002110; classtype:policy-violation; sid:2002110; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution"; flow:to_client,established; content:"01110800-3E00-11D2-8470-0060089874ED"; nocase; pcre:"/(Packagefiles|SaveDna|SetIdentity|AddFile)/i"; reference:bugtraq,34004; reference:url,milw0rm.com/exploits/8160; reference:url,doc.emergingthreats.net/2009322; classtype:web-application-attack; sid:2009322; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net invalid cdkey"; flow:established,from_server; content:"|FF 51 09 00 00 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002111; classtype:policy-violation; sid:2002111; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sygate Personal Firewall ActiveX SetRegString Method Stack Overflow Attempt"; flow:established,to_client; content:"D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9"; nocase; content:"SetRegString"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9/si"; reference:url,www.exploit-db.com/exploits/13834/; reference:url,www.corelan.be#=#=8800/index.php/forum/security-advisories/10-050-sygate-personal-firewall-5-6-build-2808-activex/; reference:url,doc.emergingthreats.net/2011690; classtype:attempted-user; sid:2011690; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net cdkey in use"; flow:established,from_server; content:"|FF 51|"; depth:2; content:"|01 02 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002112; classtype:policy-violation; sid:2002112; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:to_client,established; content:"22ACD16F-99EB-11D2-9BB3-00400561D975"; nocase; content:"0x40000"; pcre:"/(_DOWText)|(_MonthText)/i"; content:"Save"; nocase; reference:url,www.milw0rm.com/exploits/5205; reference:cve,CVE-2007-6017; reference:bugtraq,28008; reference:url,doc.emergingthreats.net/2007932; classtype:web-application-attack; sid:2007932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net banned key"; flow:established,from_server; content:"|FF 51 09 00 02 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002113; classtype:policy-violation; sid:2002113; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service"; flow:to_client,established; content:"7972D5BE-2213-4B28-884C-F8F82432EAA5"; nocase; pcre:"/(SetupDeleteVolume|GetBackupLocationPath|CallUninstall|CanUseEasySetup|CallAddInitialProtection|CallTour)/i"; reference:url,milw0rm.com/exploits/8523; reference:bugtraq,34696; reference:url,doc.emergingthreats.net/2009373; classtype:web-application-attack; sid:2009373; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net wrong product"; flow:established,from_server; content:"|FF 51 09 00 03 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002114; classtype:policy-violation; sid:2002114; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec WinFax Pro DCCFAXVW.DLL Heap Buffer Overflow"; flow:to_client,established; content:"C05A1FBC-1413-11D1-B05F-00805F4945F6"; nocase; content:"AppendFax"; nocase; reference:bugtraq,34766; reference:url,milw0rm.com/exploits/8562; reference:url,doc.emergingthreats.net/2009385; classtype:web-application-attack; sid:2009385; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user in channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|01 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002118; classtype:policy-violation; sid:2002118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow"; flow:to_client,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; nocase; pcre:"/classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; reference:bugtraq,8008; reference:url,xforce.iss.net/xforce/xfdb/12423; reference:url,juniper.net/security/auto/vulnerabilities/vuln8008.html; reference:url,doc.emergingthreats.net/2009847; classtype:web-application-attack; sid:2009847; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user joined channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|02 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002140; classtype:policy-violation; sid:2002140; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; content:"BrowseAndSaveFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; classtype:attempted-user; sid:2010227; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user left channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|03 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002141; classtype:policy-violation; sid:2002141; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt"; flow:established,to_client; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; content:"RunCmd"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010369; classtype:attempted-user; sid:2010369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net received whisper message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|04 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002142; classtype:policy-violation; sid:2002142; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"; nocase; content:"SetRemoteComputerName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E381F1C0-910E-11D1-AB1E-00A0C90F8F6F/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010958; classtype:attempted-user; sid:2010958; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net received server broadcast"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|06 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002143; classtype:policy-violation; sid:2002143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"02C2DD87-2E67-11D2-96EF-0000861852D5"; nocase; content:"GetStatus"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02C2DD87-2E67-11D2-96EF-0000861852D5/si"; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010691; classtype:attempted-user; sid:2010691; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net joined channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|07 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002144; classtype:policy-violation; sid:2002144; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit"; flow:to_client,established; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; nocase; content:"TransferFile"; nocase; pcre:"/[\w\W]{2500,}/i"; reference:bugtraq,28662; reference:url,www.milw0rm.com/exploits/5398; reference:url,doc.emergingthreats.net/2008128; classtype:web-application-attack; sid:2008128; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user had a flags update"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|09 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002145; classtype:policy-violation; sid:2002145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt"; flow:established,from_server; content:"A0D43FB0-116B-47AB-80FB-6DCFA92A03E3"; nocase; content:"eXMLFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A0D43FB0-116B-47AB-80FB-6DCFA92A03E3/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009894; classtype:attempted-user; sid:2009894; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net sent a whisper"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0a 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002146; classtype:policy-violation; sid:2002146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt"; flow:established,from_server; content:"A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8"; nocase; content:"SetText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s* \x7B?\s*A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009893; classtype:attempted-user; sid:2009893; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel full"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0d 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002147; classtype:policy-violation; sid:2002147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt"; flow:from_server,established; content:"44A8091F-8F01-43B7-8CF7-4BBA71E61E04"; nocase; content:"FtpConnect"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44A8091F-8F01-43B7-8CF7-4BBA71E61E04/si"; reference:url,www.milw0rm.org/exploits/8986; reference:url,doc.emergingthreats.net/2010161; classtype:attempted-user; sid:2010161; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel doesn't exist"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0e 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002148; classtype:policy-violation; sid:2002148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue/WriteValue method Heap Overflow Attempt"; flow:established,to_client; content:"07DD3249-A591-4949-8F20-09CD347C69DC"; nocase; content:"Value"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07DD3249-A591-4949-8F20-09CD347C69DC.+(DeleteValue|WriteValue)/si"; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010834; classtype:attempted-user; sid:2010834; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel is restricted"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0f 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002149; classtype:policy-violation; sid:2002149; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Attempt"; flow:established,to_client; content:"C2828995-4A83-4100-A212-3024BA117356"; nocase; content:"RichUploadControlContextData"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C2828995-4A83-4100-A212-3024BA117356/si"; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010702; classtype:attempted-user; sid:2010702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net informational message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|12 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002150; classtype:policy-violation; sid:2002150; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow"; flow:to_client,established; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; content:"OpenPDF"; nocase; reference:bugtraq,32313; reference:url,milw0rm.com/exploits/7126; reference:url,doc.emergingthreats.net/2008869; classtype:web-application-attack; sid:2008869; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net error message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|13 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002151; classtype:policy-violation; sid:2002151; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; content:"extractPagesToFile"; nocase; distance:0; reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358; reference:url,doc.emergingthreats.net/2008895; classtype:web-application-attack; sid:2008895; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net 'emote' message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|17 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002152; classtype:policy-violation; sid:2002152; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow Attempt"; flow:established,to_client; content:"F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"; nocase; content:"DrawText"; nocase; content:!"|0A|"; within:25; isdataat:25,relative; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E/si"; reference:url,en.securitylab.ru/poc/extra/389924.php; reference:url,doc.emergingthreats.net/2010840; classtype:attempted-user; sid:2010840; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net outgoing chat message"; flow:established,to_server; content:"|FF 0E|"; depth:2; reference:url,doc.emergingthreats.net/bin/view/Main/2002119; classtype:policy-violation; sid:2002119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible VMware Console ActiveX Format String Remote Code Execution Attempt"; flow:established,to_client; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; nocase; content:"connect"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B94C2238-346E-4C5E-9B36-8CC627F35574/si"; reference:url,dsecrg.com/pages/vul/show.php?id=153; reference:url,lists.vmware.com/pipermail/security-announce/2010/000090.html; reference:cve,2009-3732; reference:url,doc.emergingthreats.net/2011126; classtype:attempted-user; sid:2011126; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3724 (msg:"ET GAMES World of Warcraft connection"; flow:established,to_server; content:"|00|"; depth:1; content:"|25 00|WoW|00|"; distance:1; within:7; reference:url,doc.emergingthreats.net/bin/view/Main/2002138; classtype:policy-violation; sid:2002138; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Web on Windows ActiveX Insecure Methods"; flow:to_client,established; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; nocase; pcre:"/(WriteIniFileString|ShellExecute)/i"; reference:bugtraq,33515; reference:url,xforce.iss.net/xforce/xfdb/48337; reference:url,doc.emergingthreats.net/2009136; classtype:web-application-attack; sid:2009136; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 3724 -> $HOME_NET any (msg:"ET GAMES World of Warcraft failed logon"; flow:established,from_server; content:"|01 0A|"; depth:2; reference:url,doc.emergingthreats.net/bin/view/Main/2002139; classtype:policy-violation; sid:2002139; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WinDVD7 IASystemInfo.DLL ActiveX ApplicationType method buffer overflow Attempt"; flow:established,to_client; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; content:"ApplicationType"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B727C217-2022-11D4-B2C6-0050DA1BD906/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/windvd7_applicationtype.rb.txt; reference:url,secunia.com/advisories/24556/; reference:url,doc.emergingthreats.net/2010852; classtype:web-application-attack; sid:2010852; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Guild Wars connection"; flow:established,to_server; content:"|01 00 00 00 00 F1 00 10 00 01 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002154; classtype:policy-violation; sid:2002154; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Universal HTTP File Upload Remote File Deletetion"; flow:to_client,established; content:"4FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; content:"RemoveFileOrDir"; nocase; pcre:"/(txt|ini|com|exe|bat|dll|dat)/i"; reference:url,www.milw0rm.com/exploits/5272; reference:url,doc.emergingthreats.net/2008062; classtype:web-application-attack; sid:2008062; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net incoming chat message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|05 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002170; classtype:policy-violation; sid:2002170; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit"; flow:to_client,established; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; content:"RemoveFileOrDir"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5569; reference:url,doc.emergingthreats.net/2008225; classtype:web-application-attack; sid:2008225; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 27015 (msg:"ET GAMES Steam connection"; content:"getchallengesteam"; reference:url,doc.emergingthreats.net/bin/view/Main/2002155; classtype:policy-violation; sid:2002155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; nocase; content:"CanUninstall"; nocase; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; reference:url,doc.emergingthreats.net/2008619; classtype:web-application-attack; sid:2008619; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 27020:27050 (msg:"ET GAMES STEAM Connection (v2)"; flow:established,to_server; content:"|00 00 00 03|"; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003089; classtype:policy-violation; sid:2003089; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IE ActiveX control Exec method Remote code execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; distance:0; content:"Exec"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72C24DD5-D70A-438B-8A42-98424B88AFB8/si"; reference:url,www.packetstormsecurity.org/1001-exploits/wshomocx-activex.txt; reference:url,doc.emergingthreats.net/2010978; classtype:attempted-user; sid:2010978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak3 Connect"; content:"|00 00 00 00 02 9d 74 8b 45 aa 7b ef b9 9e fe ad 08 19 ba cf 41 e0 16 a2|"; offset:8; depth:24; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011733; classtype:policy-violation; sid:2011733; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; reference:url,doc.emergingthreats.net/2008620; classtype:web-application-attack; sid:2008620; rev:38; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login"; content:"|f4 be 03 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011734; classtype:policy-violation; sid:2011734; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007903; classtype:web-application-attack; sid:2007903; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login Replay"; content:"|f4 be 04 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011735; classtype:policy-violation; sid:2011735; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/i"; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; reference:url,doc.emergingthreats.net/2002861; classtype:web-application-attack; sid:2002861; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping"; content:"|f4 be 01 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011736; classtype:policy-violation; sid:2011736; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; pcre:"/(Save|ExportImage)/i"; reference:url,milw0rm.com/exploits/8208; reference:bugtraq,23934; reference:url,doc.emergingthreats.net/2009334; classtype:web-application-attack; sid:2009334; rev:30; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping Reply"; content:"|f4 be 02 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011737; classtype:policy-violation; sid:2011737; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt"; flow:established,to_client; content:"6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790"; nocase; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790/si"; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010356; classtype:web-application-attack; sid:2010356; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Channel List"; content:"|f0 be 06 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011739; classtype:policy-violation; sid:2011739; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; pcre:"/(DeleteFile|write)/i"; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; classtype:web-application-attack; sid:2009187; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player List"; content:"|f0 be 07 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011740; classtype:policy-violation; sid:2011740; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871; reference:url,doc.emergingthreats.net/2008809; classtype:web-application-attack; sid:2008809; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login End"; content:"|f0 be 08 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011741; classtype:policy-violation; sid:2011741; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873; reference:url,doc.emergingthreats.net/2008810; classtype:web-application-attack; sid:2008810; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/New Player Joined"; content:"|f0 be 64 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011742; classtype:policy-violation; sid:2011742; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872; reference:url,doc.emergingthreats.net/2008811; classtype:web-application-attack; sid:2008811; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player Left"; content:"|f0 be 65 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011743; classtype:policy-violation; sid:2011743; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; reference:url,doc.emergingthreats.net/2008812; classtype:web-application-attack; sid:2008812; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Change Status"; content:"|f0 be 30 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011744; classtype:policy-violation; sid:2011744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; reference:url,doc.emergingthreats.net/2009469; classtype:web-application-attack; sid:2009469; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Known Player Update"; content:"|f0 be 68 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011745; classtype:policy-violation; sid:2011745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 1"; flow:to_client,established; content:"4871A87A-BFDD-4106-8153-FFDE2BAC2967"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4871A87A-BFDD-4106-8153-FFDE2BAC2967/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009687; classtype:web-application-attack; sid:2009687; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Disconnect"; content:"|f0 be 2c 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011746; classtype:policy-violation; sid:2011746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MciWndx ActiveX Control"; flow:from_server,established; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002724; classtype:web-application-attack; sid:2002724; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 ACK"; content:"|f1 be|"; depth:2; dsize:16; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011747; classtype:policy-violation; sid:2011747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX PPMate PPMedia Class ActiveX Control Buffer Overflow"; flow:to_client,established; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; nocase; content:"StartURL"; nocase; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; reference:url,milw0rm.com/exploits/6090; reference:url,doc.emergingthreats.net/2009143; classtype:web-application-attack; sid:2009143; rev:37; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; classtype:protocol-command-decode; sid:2003284; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WBEM.SingleViewCtrl.1"; nocase; distance:0; pcre:"/WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; classtype:attempted-user; sid:2012157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; classtype:protocol-command-decode; sid:2003285; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt"; flow:established,to_client; content:"0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; nocase; content:"DelFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9/si"; reference:url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt; classtype:attempted-user; sid:2012192; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
 
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; classtype:protocol-command-decode; sid:2003288; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt"; flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; content:"RecordClip"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5/si"; reference:bid,44443; reference:cve,2010-3749; classtype:attempted-user; sid:2012194; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
 
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; classtype:protocol-command-decode; sid:2003289; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt"; flow:established,to_client; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010312; classtype:attempted-user; sid:2010312; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; classtype:protocol-command-decode; sid:2003290; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"GetDriverSettings2"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-256/; reference:url,www.vupen.com/english/advisories/2010/3023; reference:bid,44966; reference:cve,2010-4321; classtype:attempted-user; sid:2012206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; classtype:protocol-command-decode; sid:2003291; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"ImportBodyText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:cve,2010-3595; classtype:attempted-user; sid:2012231; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET P2P Ares Server Connection"; flow:established,to_server; dsize:<70; content:"r|be|bloop|00|dV"; content:"Ares|00 0a|"; distance:16; reference:url,aresgalaxy.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008591; classtype:policy-violation; sid:2008591; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Deletion Attempt"; flow:established,to_client; content:"F647CBE5-3C01-402A-B3F0-502A77054A24"; nocase; content:"DownloadSingleMessageToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F647CBE5-3C01-402A-B3F0-502A77054A24/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012232; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"ET P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000369; classtype:policy-violation; sid:2000369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite Attempt"; flow:established,to_client; content:"4932CEF4-2CAA-11D2-A165-0060081C43D9"; nocase; content:"SaveLayoutChanges"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4932CEF4-2CAA-11D2-A165-0060081C43D9/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012233; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey IP Request"; dsize:4; content:"|e3 1b|"; depth:2; flowbits:set,BEedk.ip.requestect; flowbits:noalert; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003308; classtype:policy-violation; sid:2003308; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; content:"cdda|3A|//"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; reference:bid,44450; reference:cve,2010-3747; classtype:attempted-user; sid:2012543; rev:3; metadata:created_at 2011_03_24, updated_at 2011_03_24;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Reply"; flowbits:isset,BEedk.ip.requestect; dsize:<20; content:"|e3 1c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003309; classtype:policy-violation; sid:2003309; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; content:"Exec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5.+(Exec|ExecLow|ShellExec)/smi"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012636; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Query End"; dsize:<20; content:"|e3 1d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003316; classtype:policy-violation; sid:2003316; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; content:"CreateVistaTaskLow"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012637; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File ACK"; dsize:<20; content:"|e3 0d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003311; classtype:policy-violation; sid:2003311; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"ShellExec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012638; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Connect Request"; dsize:25; content:"|e3 0a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003312; classtype:policy-violation; sid:2003312; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"CreateShortcut"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012639; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Edonkey Connect Reply and Server List"; dsize:>200; content:"|e3 0b|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003313; classtype:policy-violation; sid:2003313; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"CopyDocument"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012640; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (by file hash)"; dsize:19; content:"|e3 0e 14|"; depth:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003314; classtype:policy-violation; sid:2003314; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt"; flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launchjnlp"; fast_pattern; nocase; distance:0; content:"docbase"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:257,relative; content:!"|0A|"; within:257; reference:bid,44023; reference:cve,2010-3552; classtype:attempted-user; sid:2012641; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; classtype:policy-violation; sid:2003317; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ELONFMTLib.ElonFmt"; nocase; distance:0; content:".GetItem1"; nocase; reference:url,exploit-db.com/exploits/17196; classtype:attempted-user; sid:2012742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Get Sources Request (by hash)"; dsize:19; content:"|e3 9a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003318; classtype:policy-violation; sid:2003318; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,doc.emergingthreats.net/2011007; classtype:attempted-user; sid:2011007; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Edonkey Search Results"; dsize:>21; content:"|e3 99|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003320; classtype:policy-violation; sid:2003320; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt"; flow:established,to_client; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; nocase; content:"ICMPSendEchoRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA/si"; reference:url,www.exploit-db.com/exploits/17328/; classtype:attempted-user; sid:2012905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Status"; flow:established; dsize:14; content:"|e3 09 00 00 00 34|"; depth:6; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003324; classtype:policy-violation; sid:2003324; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; content:"url"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:2; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P GnucDNA UDP Ultrapeer Traffic"; content:"SCP@|83|DNA@"; threshold: type both,track by_src,count 10,seconds 600; reference:url,doc.emergingthreats.net/bin/view/Main/2002760; classtype:policy-violation; sid:2002760; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Cisco.AnyConnect.VPNWeb.1"; nocase; distance:0; content:"url"; nocase; distance:0; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:3; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Kazaa over UDP"; content:"KaZaA"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001796; classtype:policy-violation; sid:2001796; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetFirstItem"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013132; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
 
-alert udp $EXTERNAL_NET 41170 -> $HOME_NET any (msg:"ET P2P Manolito Connection (1)"; dsize:<48; content:"|3d 4a d9|"; depth:3; reference:url,doc.emergingthreats.net/2009097; classtype:policy-violation; sid:2009097; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetItemQueue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013131; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"ET P2P Manolito Ping"; dsize:<24; content:"|3d|"; depth:1; content:"|d9|"; distance:1; content:"|ed bb|"; distance:13; threshold: type limit, track by_src, seconds 300, count 1; reference:url,doc.emergingthreats.net/2009098; classtype:policy-violation; sid:2009098; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"79956462-F148-497F-B247-DF35A095F80B"; nocase; distance:0; content:".DownloadImageFileURL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B/si"; reference:url,exploit-db.com/exploits/17415/; reference:cve,2008-2683; classtype:attempted-user; sid:2013130; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
 
-alert udp $HOME_NET 8247 -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape UDP Session"; threshold: type both, count 2, seconds 60, track by_src; reference:url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx; reference:url,doc.emergingthreats.net/2009986; classtype:trojan-activity; sid:2009986; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Imaging LEADSmtp ActiveX SaveMessage Method Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".SaveMessage"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F/si"; reference:bugtraq,48408; classtype:attempted-user; sid:2013163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp any any -> any any (msg:"ET P2P Phatbot Control Connection"; flow: established; content:"Wonk-"; content:"|00|#waste|00|"; within: 15; reference:url,www.lurhq.com/phatbot.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000015; classtype:trojan-activity; sid:2000015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX RunCore method Buffer Overflow Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"27527D31-447B-11D5-A46E-0001023B4289"; nocase; distance:0; content:".RunCore"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"ET P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001187; classtype:policy-violation; sid:2001187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX Initialize method Buffer Overflow Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"27527D31-447B-11D5-A46E-0001023B4289"; nocase; distance:0; content:".Initialize"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013161; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud";  reference:url,doc.emergingthreats.net/2010816; classtype:command-and-control; sid:2010816; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer ActiveX Control SaveData Insecure Method Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"A6FC2988-16BE-4053-BE89-F562431FD6ED"; nocase; distance:0; content:".SaveData"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6FC2988-16BE-4053-BE89-F562431FD6ED/si"; reference:bugtraq,48483; classtype:attempted-user; sid:2013160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000421; classtype:misc-activity; sid:2000421; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Control SaveDecrypted Insecure Method Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0B70AB61-5C95-4126-9985-A32531CA8619"; nocase; distance:0; content:".SaveDecrypted"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B70AB61-5C95-4126-9985-A32531CA8619/si"; reference:bugtraq,48585; classtype:attempted-user; sid:2013233; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000422; classtype:misc-activity; sid:2000422; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IDrive Online Backup ActiveX control SaveToFile Insecure Method"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E"; nocase; distance:0; content:".SaveToFIle"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E/si"; reference:url,htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html; classtype:attempted-user; sid:2013232; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000423; classtype:misc-activity; sid:2000423; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000424; classtype:misc-activity; sid:2000424; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 4"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000425; classtype:misc-activity; sid:2000425; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 3"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000426; classtype:misc-activity; sid:2000426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex; content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000428; classtype:misc-activity; sid:2000428; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 1"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6C10489-FB89-11D4-93C9-006008A7EED4/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000489; classtype:misc-activity; sid:2000489; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"658ED6E7-0DA1-4ADD-B2FB-095F08091118"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*658ED6E7-0DA1-4ADD-B2FB-095F08091118/si"; classtype:web-application-attack; sid:2013565; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000429; classtype:misc-activity; sid:2000429; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"; nocase; distance:0; classtype:attempted-user; sid:2013566; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
 
-#alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Reserved Internal IP Traffic"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002752; classtype:bad-unknown; sid:2002752; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; reference:url,doc.emergingthreats.net/2009798; classtype:policy-violation; sid:2009798; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013814; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001239; classtype:not-suspicious; sid:2001239; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013813; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001240; classtype:not-suspicious; sid:2001240; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013812; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002425; classtype:policy-violation; sid:2002425; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013811; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002426; classtype:policy-violation; sid:2002426; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013810; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002427; classtype:policy-violation; sid:2002427; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002428; classtype:policy-violation; sid:2002428; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:2103148; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002432; classtype:policy-violation; sid:2002432; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ipswcom.IPSWComItf"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(IMCON|IMC)[\s\w,/-]*(?=//(X1|MR))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002433; classtype:policy-violation; sid:2002433; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"F6FE8878-54D2-4333-B9F0-FC543B1BE1ED"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002435; classtype:policy-violation; sid:2002435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002437; classtype:policy-violation; sid:2002437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; content:"<object"; nocase; content:"E065E4A-BD9D-4547-8F90-985DC62A5591"; nocase; distance:0; content:"|2e|SetSource("; distance:0; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002442; classtype:policy-violation; sid:2002442; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1"; flow:from_server,established; content:"<script"; nocase; content:"PLAYERPT.PlayerPTCtrl.1"; nocase; distance:0; content:"|2e|SetSource("; distance:0; pcre:"/(ActiveXObject|CreateObject)\s*\(\s*(\x22|\x27)PLAYERPT\.PlayerPTCtrl\.1/iG"; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002445; classtype:policy-violation; sid:2002445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxClientSystem.ClientSystem.1"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002449; classtype:policy-violation; sid:2002449; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002452; classtype:policy-violation; sid:2002452; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002456; classtype:policy-violation; sid:2002456; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002510; classtype:policy-violation; sid:2002510; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002511; classtype:policy-violation; sid:2002511; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002512; classtype:policy-violation; sid:2002512; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002513; classtype:policy-violation; sid:2002513; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002517; classtype:policy-violation; sid:2002517; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; nocase; distance:0; content:"SelectServer"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002591; classtype:policy-violation; sid:2002591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002592; classtype:policy-violation; sid:2002592; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002593; classtype:policy-violation; sid:2002593; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Isig.isigCtl.1"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014551; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret TK"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002602; classtype:policy-violation; sid:2002602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002607; classtype:policy-violation; sid:2002607; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DETECTIESETTINGS.detectIESettingsCtrl.1"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002610; classtype:policy-violation; sid:2002610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6116A7EC-B914-4CCE-B186-66E0EE7067CF"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002621; classtype:policy-violation; sid:2002621; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"EDBoardLib.EDBoard"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Secret"; flow:to_server,established; pcre:"/(?<!TOP|//)\Wsecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002626; classtype:policy-violation; sid:2002626; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"D9397163-A2DB-4A4A-B2C9-34E876AF2DFC"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Club World Casino Client in Use"; flow:established,to_server; dsize:23; content:"Club World Casinos"; reference:url,doc.emergingthreats.net/2007754; classtype:policy-violation; sid:2007754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PNLLM.Client.1"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"65996200-3B87-11D4-A21F-00E029189826"; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; classtype:policy-violation; sid:2001376; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TList.TList.6"; fast_pattern; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001378; classtype:policy-violation; sid:2001378; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYCIOSCNLib.Scan"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014620; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001379; classtype:policy-violation; sid:2001379; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001380; classtype:policy-violation; sid:2001380; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001381; classtype:policy-violation; sid:2001381; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001382; classtype:policy-violation; sid:2001382; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001383; classtype:policy-violation; sid:2001383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{6} \d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009293; classtype:policy-violation; sid:2009293; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; classtype:bad-unknown; sid:2002676; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.com/files/112363; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, former_category ACTIVEX, updated_at 2012_05_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; reference:url,doc.emergingthreats.net/2001294; classtype:successful-admin; sid:2001294; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET POLICY SMTP Executable attachment"; flow:established,to_server; content:"filename="; nocase; content:".exe"; nocase; distance:0; pcre:"/filename=\s*[^\n]+\.exe/i"; reference:url,doc.emergingthreats.net/2003325; classtype:policy-violation; sid:2003325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; content:"CLSID"; nocase; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED offers.e-centives.com Coupon Printer"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; YourApp\; AK\; Windows 95)|0d 0a|"; nocase; reference:url,offers.e-centives.com; reference:url,doc.emergingthreats.net/2010338; classtype:policy-violation; sid:2010338; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; reference:url,doc.emergingthreats.net/2003303; classtype:misc-activity; sid:2003303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Administrator Login Attempts"; flow:to_server,established; content:"USER Administrator|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009667; classtype:attempted-admin; sid:2009667; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Admin Login Attempts"; flow:to_server,established; content:"USER Admin|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009668; classtype:attempted-admin; sid:2009668; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (TYPE A)"; flow:established,to_server; dsize:6; content:"TYPE "; depth:5; reference:url,doc.emergingthreats.net/2008589; classtype:trojan-activity; sid:2008589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (PASV)"; flow:established,to_server; dsize:4; content:"PASV"; reference:url,doc.emergingthreats.net/2008590; classtype:trojan-activity; sid:2008590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Facebook Chat using XMPP"; flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; classtype:policy-violation; sid:2010819; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-#alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"ET DELETED GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/2000309; classtype:policy-violation; sid:2000309; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg:"ET DELETED GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/2002022; classtype:policy-violation; sid:2002022; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail gtalk"; flow:established; pcre:"/\[\[\d{1,3}\,\[\\\"\w\\\"\,\\\".+@gmail.com.+\\\"\,\\\"/i"; reference:url,doc.emergingthreats.net/2003092; classtype:policy-violation; sid:2003092; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"ET MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; reference:url,doc.emergingthreats.net/2001055; classtype:attempted-admin; sid:2001055; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; classtype:bad-unknown; sid:2009243; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET !$HTTP_PORTS (msg:"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port"; flow:to_server,established; content:"CONNECT "; nocase; depth:8; content:" HTTP/1."; nocase; within:1000; reference:url,doc.emergingthreats.net/2008284; classtype:misc-activity; sid:2008284; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access"; flow:established,to_server; content:"GET /login/FetchProtocolVersion2.htm"; depth:36; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008842; classtype:policy-violation; sid:2008842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)"; flow:established,to_server; content:"GET login/fetchFreeServersVersion2.aspx"; depth:39; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008843; classtype:policy-violation; sid:2008843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Client Login Packet"; flowbits:isset,ET.gadu.welcome; flow:established,to_server; dsize:<50; content:"|15 00 00 00|"; depth:4; flowbits:set,ET.gadu.loginsent; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008298; classtype:policy-violation; sid:2008298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login Failed Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|09 00 00 00 00 00 00 00|"; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008300; classtype:policy-violation; sid:2008300; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Server Available Status Packet"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|02 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008301; classtype:policy-violation; sid:2008301; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Send Message"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008302; classtype:policy-violation; sid:2008302; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Receive Message"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|0a 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008303; classtype:policy-violation; sid:2008303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Keepalive PING"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|08 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008304; classtype:policy-violation; sid:2008304; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Keepalive PONG"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|07 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008305; classtype:policy-violation; sid:2008305; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Request"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|01 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008306; classtype:policy-violation; sid:2008306; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Details"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008307; classtype:policy-violation; sid:2008307; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Accept"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|06 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008308; classtype:policy-violation; sid:2008308; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Begin"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008309; classtype:policy-violation; sid:2008309; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:4; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002327; classtype:policy-violation; sid:2002327; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002330; classtype:policy-violation; sid:2002330; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001241; classtype:policy-violation; sid:2001241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; reference:url,doc.emergingthreats.net/2001242; classtype:policy-violation; sid:2001242; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_14, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001243; classtype:policy-violation; sid:2001243; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; depth:90; reference:url,doc.emergingthreats.net/2002312; classtype:policy-violation; sid:2002312; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001254; classtype:policy-violation; sid:2001254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001255; classtype:policy-violation; sid:2001255; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001256; classtype:policy-violation; sid:2001256; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001257; classtype:policy-violation; sid:2001257; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; reference:url,doc.emergingthreats.net/2001427; classtype:policy-violation; sid:2001427; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; reference:url,doc.emergingthreats.net/2001260; classtype:policy-violation; sid:2001260; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001262; classtype:policy-violation; sid:2001262; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference request"; flow: to_server,established; content:"<R"; depth: 2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; reference:url,doc.emergingthreats.net/2001263; classtype:policy-violation; sid:2001263; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; reference:url,doc.emergingthreats.net/2001264; classtype:policy-violation; sid:2001264; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail (2)"; flow:established,to_server; content:"<Ymsg Command=|22|"; depth:15; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007069; classtype:policy-violation; sid:2007069; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; reference:url,doc.emergingthreats.net/2000356; classtype:misc-activity; sid:2000356; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (simple rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; reference:url,doc.emergingthreats.net/2003096; classtype:misc-activity; sid:2003096; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (complex rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; reference:url,doc.emergingthreats.net/2003097; classtype:misc-activity; sid:2003097; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (3)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"R0lGODlh"; depth:575; content:"AOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBgAACAACCA"; content:"AECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDAAEDAAGDAAIDA"; reference:url,doc.emergingthreats.net/2003120; classtype:misc-activity; sid:2003120; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002722; classtype:policy-violation; sid:2002722; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002723; classtype:policy-violation; sid:2002723; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; depth:16; reference:url,doc.emergingthreats.net/2003155; classtype:misc-activity; sid:2003155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Archive Download"; content:"GET /sploits/milw0rm.tar.bz2"; depth:60; flow:to_server,established; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2008524; classtype:misc-activity; sid:2008524; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; reference:url,doc.emergingthreats.net/2001597; classtype:policy-violation; sid:2001597; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001977; classtype:misc-activity; sid:2001977; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001983; classtype:misc-activity; sid:2001983; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration"; flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; classtype:policy-violation; sid:2009895; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET DELETED PCMesh Anonymous Proxy client connect"; flow: from_client,established; content:"http|3a|//www.pcmesh.com|3a|80/ip-check.cgi"; depth:37; offset:4; reference:url,doc.emergingthreats.net/2003040; classtype:policy-violation; sid:2003040; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference:url,www.prospero.com/technology.htm; reference:url,doc.emergingthreats.net/2001989; classtype:policy-violation; sid:2001989; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; reference:url,doc.emergingthreats.net/2010767; classtype:bad-unknown; sid:2010767; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Real.com Game Arcade Install (User agent)"; flow: established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+ARCADE_BUNDLE_DOWNLOADER/i"; reference:url,doc.emergingthreats.net/2003045; classtype:policy-violation; sid:2003045; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Real.com Game Arcade Install"; flow: established,to_server; content:"/gameconsole/bundlescripts/"; reference:url,doc.emergingthreats.net/2003046; classtype:policy-violation; sid:2003046; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:4; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Successful"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSvnc.auth.agreed; flowbits:unset,BSis.vnc.setup; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002922; classtype:not-suspicious; sid:2002922; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Failure"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 01|"; depth:4; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002920; classtype:attempted-admin; sid:2002920; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"<p>You will receive a log report every "; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; classtype:trojan-activity; sid:2002979; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; classtype:trojan-activity; sid:2008348; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003026; classtype:not-suspicious; sid:2003026; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2004598; classtype:not-suspicious; sid:2004598; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003027; classtype:not-suspicious; sid:2003027; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003028; classtype:not-suspicious; sid:2003028; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003029; classtype:not-suspicious; sid:2003029; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003030; classtype:not-suspicious; sid:2003030; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003031; classtype:not-suspicious; sid:2003031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5223 (msg:"ET CHAT Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003032; classtype:not-suspicious; sid:2003032; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 2967 (msg:"ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003033; classtype:not-suspicious; sid:2003033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003035; classtype:not-suspicious; sid:2003035; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003036; classtype:not-suspicious; sid:2003036; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/i"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002725; classtype:web-application-attack; sid:2002725; rev:14; metadata:created_at 2010_07_30, updated_at 2016_04_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8292 (msg:"ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003037; classtype:not-suspicious; sid:2003037; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8294 (msg:"ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003038; classtype:not-suspicious; sid:2003038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1521 (msg:"ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003934; classtype:not-suspicious; sid:2003934; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; file_data; content:".HHClick|2829|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 995 (msg:"ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2008543; classtype:not-suspicious; sid:2008543; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port TLS"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|01|"; within:6; content:"|03 01|"; within:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003002; classtype:unusual-client-port-connection; sid:2003002; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 00|"; depth:3; content:"|01|"; within:2; content:"|03 00|"; within:3; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003003; classtype:unusual-client-port-connection; sid:2003003; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port Case 2"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 01|"; depth:5; offset:2; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003004; classtype:unusual-client-port-connection; sid:2003004; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 00|"; depth:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003005; classtype:unusual-client-port-connection; sid:2003005; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 01 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003008; classtype:unusual-client-port-connection; sid:2003008; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 00 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003009; classtype:unusual-client-port-connection; sid:2003009; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; depth:3; content:"|02|"; within:6; content:"|03 01|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003010; classtype:unusual-client-port-connection; sid:2003010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; depth:3; content:"|02|"; within:6; content:"|03 00|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003011; classtype:unusual-client-port-connection; sid:2003011; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003014; classtype:unusual-client-port-connection; sid:2003014; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003015; classtype:unusual-client-port-connection; sid:2003015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED TLS/SSL Server Hello Done on Unusual Port"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 01|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; reference:url,doc.emergingthreats.net/2003016; classtype:unusual-client-port-connection; sid:2003016; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED TLS/SSL Server Hello Done on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 00|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; reference:url,doc.emergingthreats.net/2003017; classtype:unusual-client-port-connection; sid:2003017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 01 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003018; classtype:unusual-client-port-connection; sid:2003018; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 00 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003019; classtype:unusual-client-port-connection; sid:2003019; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003020; classtype:unusual-client-port-connection; sid:2003020; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 00|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003021; classtype:unusual-client-port-connection; sid:2003021; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (dashed)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; reference:url,doc.emergingthreats.net/2001328; classtype:policy-violation; sid:2001328; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (spaced)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; reference:url,doc.emergingthreats.net/2001384; classtype:policy-violation; sid:2001384; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN )"; content:"SSN "; nocase; pcre:"/SSN ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007971; classtype:policy-violation; sid:2007971; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN# )"; content:"SSN# "; nocase; pcre:"/SSN# ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007972; classtype:policy-violation; sid:2007972; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY RemoteControlX rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; reference:url,doc.emergingthreats.net/2010782; classtype:suspicious-filename-detect; sid:2010782; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; reference:url,doc.emergingthreats.net/2008117; classtype:policy-violation; sid:2008117; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP ACK"; content:"|00 04|"; depth:2; reference:url,doc.emergingthreats.net/2008118; classtype:policy-violation; sid:2008118; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Error Message"; content:"|00 05|"; depth:2; reference:url,doc.emergingthreats.net/2008119; classtype:policy-violation; sid:2008119; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:4; metadata:created_at 2011_01_27, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...)"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010570; classtype:policy-violation; sid:2010570; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...)"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010571; classtype:policy-violation; sid:2010571; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_24, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...)"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010572; classtype:policy-violation; sid:2010572; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; within:500; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; classtype:web-application-attack; sid:2003328; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...)"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010573; classtype:policy-violation; sid:2010573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:5; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...)"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010574; classtype:policy-violation; sid:2010574; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:9; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...)"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010575; classtype:policy-violation; sid:2010575; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...)"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010576; classtype:policy-violation; sid:2010576; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...)"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010577; classtype:policy-violation; sid:2010577; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010581; classtype:policy-violation; sid:2010581; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010582; classtype:policy-violation; sid:2010582; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010583; classtype:policy-violation; sid:2010583; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential  Buffer Overflow Attempt 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010584; classtype:policy-violation; sid:2010584; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:12; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010585; classtype:policy-violation; sid:2010585; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010586; classtype:policy-violation; sid:2010586; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; classtype:web-application-attack; sid:2008789; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010587; classtype:policy-violation; sid:2010587; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt (CVE-2010-3973)"; flow:established,to_client; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010588; classtype:policy-violation; sid:2010588; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Follina Payload Delivery Page"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c 21|doctype html|3e 0d 0a 3c|"; depth:18; content:"|3e 0d 0a 3c|head|3e 0d 0a 3c|title|3e 0d 0a|Good thing we disabled macros|0d 0a 3c 2f|title|3e 0d 0a 3c 2f|head|3e 0d 0a|"; within:85; fast_pattern; reference:md5,783f850d06c9f1286eb9b1bda0af0bce; reference:cve,2022-30190; classtype:trojan-activity; sid:2037082; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, deployment SSLDecrypt, former_category ACTIVEX, signature_severity Major, updated_at 2022_06_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010589; classtype:policy-violation; sid:2010589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010590; classtype:policy-violation; sid:2010590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; classtype:policy-violation; sid:2002950; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Win32/Wizpop Initial Checkin"; flow:established,to_server; content:"User-Agent|3a| WizPop"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:pup-activity; sid:2013461; rev:3; metadata:created_at 2011_08_26, former_category MALWARE, updated_at 2011_08_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; classtype:policy-violation; sid:2002951; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Wizpop Checkin"; flow:established,to_server; content:"/count.asp?exe="; http_uri; content:"&act="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:pup-activity; sid:2013502; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2011_08_31;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET P2P TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; classtype:policy-violation; sid:2002952; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QQHelper related Spyware User-Agent (H)"; flow:to_server,established; content:"User-Agent|3a| H|0d 0a|"; reference:url,doc.emergingthreats.net/2003749; classtype:pup-activity; sid:2003749; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; classtype:policy-violation; sid:2002953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"MyWay"; http_user_agent; reference:url,doc.emergingthreats.net/2002079; reference:url,www.funwebproducts.com; classtype:pup-activity; sid:2002079; rev:19; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET GAMES Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; reference:url,doc.emergingthreats.net/2007746; classtype:policy-violation; sid:2007746; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"wb v"; http_user_agent; fast_pattern; reference:url,doc.emergingthreats.net/2003449; classtype:pup-activity; sid:2003449; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET POLICY X-Box Live Connecting"; content:"<Xbox Version="; content:" Title=0x"; distance:4; within:32; reference:url,www.microsoft.com/xbox/; reference:url,doc.emergingthreats.net/2002796; classtype:policy-violation; sid:2002796; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:pup-activity; sid:2008500; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2017_04_04;)
 
-#alert tcp any any -> any any (msg:"ET POLICY ZIPPED DOC in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; reference:url,doc.emergingthreats.net/2001402; classtype:not-suspicious; sid:2001402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:pup-activity; sid:2003340; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
 
-#alert tcp any any -> any any (msg:"ET POLICY ZIPPED XLS in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; reference:url,doc.emergingthreats.net/2001403; classtype:not-suspicious; sid:2001403; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:pup-activity; sid:2003341; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
 
-#alert tcp any any -> any any (msg:"ET POLICY ZIPPED EXE in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2001404; classtype:not-suspicious; sid:2001404; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:pup-activity; sid:2003578; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
 
-#alert tcp any any -> any any (msg:"ET POLICY ZIPPED PPT in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; reference:url,doc.emergingthreats.net/2001405; classtype:not-suspicious; sid:2001405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.LoadMoney User Agent"; flow:established,to_server; content:"Downloader "; http_user_agent; fast_pattern:only; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024260; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; classtype:attempted-recon; sid:2010371; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:pup-activity; sid:2001539; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010372; classtype:attempted-recon; sid:2010372; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; reference:md5,42374945061c7941d6690793ae393d3a; classtype:pup-activity; sid:2024428; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2017_09_01;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; content:"ILMI"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011011; classtype:attempted-admin; sid:2011011; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2023750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; flow:to_server,established; content:"ILMI"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011012; classtype:attempted-admin; sid:2011012; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:pup-activity; sid:2000025; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; content:"cable-docsis"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011013; classtype:attempted-admin; sid:2011013; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:pup-activity; sid:2000366; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; flow:to_server,established; content:"cable-docsis"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011014; classtype:attempted-admin; sid:2011014; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:pup-activity; sid:2000367; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; offset:2; depth:21; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; classtype:attempted-recon; sid:2008414; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:pup-activity; sid:2000371; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:2010642; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:pup-activity; sid:2000466; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:2010643; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:pup-activity; sid:2000514; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"SELECT"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/SELECT.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009981; classtype:attempted-user; sid:2009981; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:pup-activity; sid:2000519; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"DELETE"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/DELETE.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009982; classtype:attempted-user; sid:2009982; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:pup-activity; sid:2000520; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INSERT"; within:200; nocase; content:"INTO"; distance:0; nocase; pcre:"/INSERT.+INTO/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009983; classtype:attempted-user; sid:2009983; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:pup-activity; sid:2000574; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UPDATE"; within:200; nocase; content:"SET"; distance:0; nocase; pcre:"/UPDATE.+SET/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009984; classtype:attempted-user; sid:2009984; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:pup-activity; sid:2000580; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UNION"; within:200; nocase; content:"SELECT"; distance:0; nocase; pcre:"/UNION.+SELECT/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009985; classtype:attempted-user; sid:2009985; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:pup-activity; sid:2000581; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INTO"; within:200; nocase; content:"OUTFILE"; distance:0; nocase; pcre:"/INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010081; classtype:attempted-user; sid:2010081; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:pup-activity; sid:2000582; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"gpuser@home.com"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; reference:url,doc.emergingthreats.net/2007802; classtype:network-scan; sid:2007802; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:pup-activity; sid:2000583; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP PING IPTools"; itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; depth: 64; reference:url,www.ks-soft.net/ip-tools.eng; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; reference:url,doc.emergingthreats.net/2000575; classtype:misc-activity; sid:2000575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (2)"; flow: to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:pup-activity; sid:2000584; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:pup-activity; sid:2000585; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:pup-activity; sid:2000587; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:pup-activity; sid:2000588; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 3306 -> any any (msg:"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"; flow:from_server,established; content:"|6A 04|Host|20 27|"; depth:70; content:"|27 20|is not allowed to connect to this MySQL server"; distance:0; reference:url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html; reference:url,doc.emergingthreats.net/2010493; classtype:attempted-recon; sid:2010493; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:pup-activity; sid:2000589; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:pup-activity; sid:2000590; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:pup-activity; sid:2000593; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:pup-activity; sid:2000597; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:pup-activity; sid:2000599; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:pup-activity; sid:2000600; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:pup-activity; sid:2000601; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:pup-activity; sid:2000902; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; threshold: type threshold, track by_dst, count 10, seconds 60; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009767; classtype:attempted-recon; sid:2009767; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:pup-activity; sid:2000903; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009768; classtype:attempted-recon; sid:2009768; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:pup-activity; sid:2000908; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN PRO Search Crawler Probe"; flow:to_server,established; content:"PASS "; nocase; depth:5; content:"crawler"; nocase; within:30; pcre:"/^PASS\s+PRO(-|\s)*search\s+Crawler/smi"; reference:url,sourceforge.net/project/showfiles.php?group_id=149797; reference:url,doc.emergingthreats.net/2008179; classtype:not-suspicious; sid:2008179; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:pup-activity; sid:2000909; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious Scan"; content:"From|3A 20 22|sipvicious"; threshold: type limit, count 1, seconds 10, track by_src; reference:url,blog.sipvicious.org; reference:url,doc.emergingthreats.net/2008578; classtype:attempted-recon; sid:2008578; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:pup-activity; sid:2000910; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:pup-activity; sid:2000911; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001764; classtype:misc-activity; sid:2001764; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:pup-activity; sid:2000912; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001766; classtype:misc-activity; sid:2001766; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:pup-activity; sid:2000913; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Mytob.X clam SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; reference:url,doc.emergingthreats.net/2002892; classtype:trojan-activity; sid:2002892; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:pup-activity; sid:2000914; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Mytob.X clam SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; reference:url,doc.emergingthreats.net/2002893; classtype:trojan-activity; sid:2002893; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:pup-activity; sid:2000915; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002894; classtype:trojan-activity; sid:2002894; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:pup-activity; sid:2000916; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002895; classtype:trojan-activity; sid:2002895; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:pup-activity; sid:2000917; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE Outbound AVISOSVB MSSQL Request"; flow:established,to_server; content:"|54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00|"; reference:url,doc.emergingthreats.net/2011199; reference:md5,1f5b6d6d94cc6272c937045e22e6d192; classtype:trojan-activity; sid:2011199; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:pup-activity; sid:2000918; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; reference:url,doc.emergingthreats.net/2010909; classtype:trojan-activity; sid:2010909; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:pup-activity; sid:2000919; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; reference:url,doc.emergingthreats.net/2010910; classtype:trojan-activity; sid:2010910; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:pup-activity; sid:2000920; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010911; classtype:trojan-activity; sid:2010911; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (2)"; flow: to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:pup-activity; sid:2000921; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; reference:url,doc.emergingthreats.net/2010912; classtype:trojan-activity; sid:2010912; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:pup-activity; sid:2000922; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; reference:url,doc.emergingthreats.net/2010913; classtype:trojan-activity; sid:2010913; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:pup-activity; sid:2000923; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010914; classtype:trojan-activity; sid:2010914; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:pup-activity; sid:2000924; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010915; classtype:trojan-activity; sid:2010915; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:pup-activity; sid:2000925; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010916; classtype:trojan-activity; sid:2010916; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:pup-activity; sid:2000927; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; reference:url,doc.emergingthreats.net/2010917; classtype:trojan-activity; sid:2010917; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:pup-activity; sid:2000928; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Aurora Backdoor (C&C) client connection to CnC"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; flowbits:set,ET.aurora.init; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010695; classtype:command-and-control; sid:2010695; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:pup-activity; sid:2000929; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Aurora Backdoor (C&C) connection CnC response"; flowbits:isset,ET.aurora.init; flow:established,from_server; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; depth:16; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010696; classtype:command-and-control; sid:2010696; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:pup-activity; sid:2000931; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; reference:url,doc.emergingthreats.net/2008465; classtype:command-and-control; sid:2008465; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:pup-activity; sid:2000932; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002974; classtype:trojan-activity; sid:2002974; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:pup-activity; sid:2000936; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; flowbits:isset,BSHupigonControlStart; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002975; classtype:trojan-activity; sid:2002975; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:pup-activity; sid:2001013; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"ET MALWARE Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; reference:url,doc.emergingthreats.net/2007585; classtype:command-and-control; sid:2007585; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:pup-activity; sid:2001016; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; reference:url,doc.emergingthreats.net/2007922; classtype:command-and-control; sid:2007922; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:pup-activity; sid:2001017; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; reference:url,doc.emergingthreats.net/2007979; classtype:command-and-control; sid:2007979; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:pup-activity; sid:2001032; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; reference:url,doc.emergingthreats.net/2007981; classtype:command-and-control; sid:2007981; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:pup-activity; sid:2001033; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; reference:url,doc.emergingthreats.net/2007982; classtype:command-and-control; sid:2007982; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:pup-activity; sid:2001038; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:pup-activity; sid:2001041; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:pup-activity; sid:2001047; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CometSystems Spyware"; flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:pup-activity; sid:2001050; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:pup-activity; sid:2001198; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.2 Reporting Socks Proxy Off"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:pup-activity; sid:2001199; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:pup-activity; sid:2001216; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:pup-activity; sid:2001221; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:pup-activity; sid:2001224; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003558; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"update"; depth:6; http_user_agent; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:pup-activity; sid:2001225; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (villains)"; flow: to_server,established; content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:pup-activity; sid:2001228; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Window List Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003560; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:pup-activity; sid:2001230; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:pup-activity; sid:2001307; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003562; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; classtype:pup-activity; sid:2001308; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003565; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:pup-activity; sid:2001309; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003563; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:pup-activity; sid:2001310; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003564; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:pup-activity; sid:2001311; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; reference:url,doc.emergingthreats.net/2003936; classtype:trojan-activity; sid:2003936; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:pup-activity; sid:2001313; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; reference:url,doc.emergingthreats.net/2007957; classtype:command-and-control; sid:2007957; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:pup-activity; sid:2001314; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Banker Trojan CnC AddNew Command"; flow:established,to_server; dsize:<120; content:"[S]ADDNEW|7c|"; depth:10; reference:url,doc.emergingthreats.net/2009862; classtype:command-and-control; sid:2009862; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:pup-activity; sid:2001315; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Banker Trojan CnC Hello Command"; flow:established,to_server; dsize:12; content:"[S]hello["; depth:9; reference:url,doc.emergingthreats.net/2009863; classtype:command-and-control; sid:2009863; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:pup-activity; sid:2001316; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET MALWARE Banload Gadu-Gadu CnC Message Detected"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"Uruchomiono trojana, wpisz help aby uzyskac pomoc"; nocase; reference:url,doc.emergingthreats.net/2008320; classtype:command-and-control; sid:2008320; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:pup-activity; sid:2001317; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET MALWARE Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008104; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speedera Agent (Specific)"; flow: to_server,established; content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:pup-activity; sid:2001321; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET MALWARE Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008105; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:pup-activity; sid:2001322; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET MALWARE Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008106; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:pup-activity; sid:2001335; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET MALWARE Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008109; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:pup-activity; sid:2001340; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg:"ET DELETED Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; reference:url,doc.emergingthreats.net/2001430; classtype:trojan-activity; sid:2001430; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:pup-activity; sid:2001341; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Ceckno Keepalive from Controller"; flow:established,from_server; dsize:1; content:"1"; flowbits:isset,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008178; classtype:trojan-activity; sid:2008178; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bonziportal Traffic"; flow: to_server,established; content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:pup-activity; sid:2001345; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Codesoft PW Stealer Email Report Outbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer"; content:"******STEAM PASS STEALER*******"; distance:0; reference:url,doc.emergingthreats.net/2008310; classtype:trojan-activity; sid:2008310; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:pup-activity; sid:2001359; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET MALWARE Conficker.a Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009200; classtype:trojan-activity; sid:2009200; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:pup-activity; sid:2001396; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET MALWARE Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; classtype:trojan-activity; sid:2009201; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:pup-activity; sid:2001398; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009206; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:pup-activity; sid:2001416; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009207; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Receiving Config"; flow:established,to_server; http.uri; content:"/config/?"; nocase; content:"v=5"; nocase; content:"n=mm2"; nocase; content:"i="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:pup-activity; sid:2001417; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
 
-#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:pup-activity; sid:2001423; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm CnC Channel Start"; flow:established,to_server; dsize:8; content:"|0b 01 00 00 00 00 00 00|"; flowbits:noalert; flowbits:set,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008805; classtype:command-and-control; sid:2008805; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET ADWARE_PUP Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:pup-activity; sid:2001440; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm CnC Channel Start Response"; flow:established,from_server; dsize:4; content:"|0b 01|"; depth:2; content:"|00|"; distance:1; within:1; flowbits:isset,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008806; classtype:command-and-control; sid:2008806; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:pup-activity; sid:2001441; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm Second CnC Channel Start"; flow:established,to_server; dsize:32; content:"|00 00 00 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; reference:url,doc.emergingthreats.net/2008807; classtype:command-and-control; sid:2008807; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:pup-activity; sid:2001442; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic"; flow:established,to_server; dsize:32; content:"|55 d8 09 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; reference:url,doc.emergingthreats.net/2008808; classtype:command-and-control; sid:2008808; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:pup-activity; sid:2001444; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; reference:url,doc.emergingthreats.net/2007858; classtype:trojan-activity; sid:2007858; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:pup-activity; sid:2001447; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Delf CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; reference:url,doc.emergingthreats.net/2008009; classtype:command-and-control; sid:2008009; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:pup-activity; sid:2001450; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Delf CnC Channel Keepalive Ping"; flow:established,from_server; dsize:22; content:"|12 00 00 00 1c 5e|"; depth:6; reference:url,doc.emergingthreats.net/2008010; classtype:command-and-control; sid:2008010; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware Download"; flow: to_server,established; content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:pup-activity; sid:2001451; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 Checkin Error"; flow:established,to_server; dsize:350<>450; content:"Erorr File active\;sorry file erorr plaes down file agen"; reference:url,doc.emergingthreats.net/2008905; classtype:command-and-control; sid:2008905; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:pup-activity; sid:2001452; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 Egg Request"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileTransfer|7c|"; depth:29; reference:url,doc.emergingthreats.net/2008906; classtype:trojan-activity; sid:2008906; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:pup-activity; sid:2001453; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 File Manager Access Report"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileManager|7c|"; depth:30; reference:url,doc.emergingthreats.net/2008907; classtype:trojan-activity; sid:2008907; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:pup-activity; sid:2001454; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Donbot Report to CnC"; flow:established,to_server; content:"HASH|3a 20|"; depth:6; content:"|0d 0a|ID|3a 20|"; distance:0; content:"|0d 0a|Session|31 20|"; distance:0; content:"|0d 0a|RBL|3a 20|"; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,doc.emergingthreats.net/2008451; classtype:command-and-control; sid:2008451; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:pup-activity; sid:2001456; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dorf/Win32.Inject.adt C&C Communication Outbound"; flow:established,to_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008031; classtype:command-and-control; sid:2008031; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:pup-activity; sid:2001458; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Dorf/Win32.Inject.adt C&C Communication Inbound"; flow:established,from_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008032; classtype:command-and-control; sid:2008032; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:pup-activity; sid:2001459; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><"; distance:0; content:"<MEM>"; content:"</MEM><"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007918; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:pup-activity; sid:2001460; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Dropper-497 Yumato Reply from server"; flow:established,from_server; content:"YUMATO|0d 0a|1234"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007919; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:pup-activity; sid:2001461; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (1)"; flow:established,to_server; content:"|08616c2d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007673; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:pup-activity; sid:2001462; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (2)"; flow:established,to_server; content:"|0861312d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007674; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:pup-activity; sid:2001463; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (3)"; flow:established,to_server; content:"|0661726464726104686f737402736b0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007675; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:pup-activity; sid:2001464; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (4)"; flow:established,to_server; content:"|03777777056a6f2d7566036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007676; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:pup-activity; sid:2001466; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (5)"; flow:established,to_server; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007677; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:pup-activity; sid:2001467; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (1)"; content:"|08616c2d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007678; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:pup-activity; sid:2001468; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (2)"; content:"|0861312d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007679; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:pup-activity; sid:2001469; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (3)"; content:"|0661726464726104686f737402736b0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:pup-activity; sid:2001470; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (4)"; content:"|03777777056a6f2d7566036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007681; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:pup-activity; sid:2001471; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (5)"; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007682; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:pup-activity; sid:2001479; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely EXE Cryptor Packed Binary - Likely Malware"; flow:from_server,established; content:"|4D 5A|"; content:"|2E 70 61 63 6B 65 64|"; within: 447; reference:url,bits.packetninjas.org; reference:url,doc.emergingthreats.net/2008557; classtype:trojan-activity; sid:2008557; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:pup-activity; sid:2001481; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE elitekeylogger v1.0 reporting - Inbound"; flow:established,to_server; content:"MAIL FROM|3a|<logs@logs.com>"; reference:url,doc.emergingthreats.net/2002938; classtype:trojan-activity; sid:2002938; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:pup-activity; sid:2001482; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE elitekeylogger v1.0 reporting - Outbound"; flow:established,to_server; content:"MAIL FROM|3a|<logs@logs.com>"; reference:url,doc.emergingthreats.net/2002941; classtype:trojan-activity; sid:2002941; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:pup-activity; sid:2001484; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO"; flow:established,to_server; content:"PC INFECTADO COM SUCCESSO"; nocase; reference:url,doc.emergingthreats.net/2002983; classtype:trojan-activity; sid:2002983; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:pup-activity; sid:2001485; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pass Stealer FTP Upload"; flow:established,to_server; content:"INFECTADO|0d 0a|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|0d 0a|Computador"; depth:64; reference:url,doc.emergingthreats.net/2008237; classtype:trojan-activity; sid:2008237; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:pup-activity; sid:2001489; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:command-and-control; sid:2010859; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:pup-activity; sid:2001490; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:command-and-control; sid:2010860; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:pup-activity; sid:2001491; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference:url,doc.emergingthreats.net/2008726; classtype:trojan-activity; sid:2008726; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:pup-activity; sid:2001495; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimmiv Infection Ping Inbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference:url,doc.emergingthreats.net/2008727; classtype:trojan-activity; sid:2008727; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:pup-activity; sid:2001501; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2001743; classtype:trojan-activity; sid:2001743; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:pup-activity; sid:2001503; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003244; classtype:trojan-activity; sid:2003244; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:pup-activity; sid:2001505; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003245; classtype:trojan-activity; sid:2003245; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:pup-activity; sid:2001507; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HotLan.C Spambot C&C download command"; flow:established,from_server; content:"|3B|URL|3A|http|3A 2F 2F|"; pcre:"/\x0D\x0A\x0D\x0ASLP\x3A\d+\x3BMOD\x3A[\S\x3B]+\x3BURL\x3Ahttp\x3A\x2F{2}[^\x3B]+\x3BSRV\x3Aupd\x3B/"; reference:url,doc.emergingthreats.net/2008471; classtype:command-and-control; sid:2008471; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:pup-activity; sid:2001509; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Hupigon CnC init (variant abb)"; flow:established,to_server; dsize:4; flowbits:isnotset,ET.hupa.init; flowbits:noalert; content:"|00 00 00 00|"; flowbits:set,ET.hupa.init; reference:url,doc.emergingthreats.net/2008041; classtype:command-and-control; sid:2008041; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:pup-activity; sid:2001510; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon CnC Communication (variant bysj)"; flow:established,to_server; dsize:5; content:"HTTP|00|"; reference:url,doc.emergingthreats.net/2008258; classtype:command-and-control; sid:2008258; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:pup-activity; sid:2001513; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET DELETED Likely Hupigon Post to Controller"; flow:established,to_server; content:"POST /+"; depth:7; flowbits:noalert; flowbits:set,ET.Hupinit1; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008389; classtype:trojan-activity; sid:2008389; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:pup-activity; sid:2001514; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; classtype:trojan-activity; sid:2008390; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:pup-activity; sid:2001516; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32.Hupigon Control Server Response"; flow:from_server,established; dsize:16; content:"|03 00 00 00 00 00 00 00 c4 ec 48 f5 5e 00 85 80|"; depth:16; threshold: type both, count 2, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2009350; classtype:trojan-activity; sid:2009350; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:pup-activity; sid:2001517; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert icmp any any -> any any (msg:"ET DELETED ICMP Banking Trojan sending encrypted stolen data"; dsize:>64; itype:8; icode:0; content:"|08|"; depth:1; byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; reference:url,doc.emergingthreats.net/2003073; classtype:trojan-activity; sid:2003073; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:pup-activity; sid:2001520; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Kaiten IRCbotnet Response"; flow:established; flowbits:isset,irc.start; content:"NOTICE|20|"; content:"|20 3A|"; within:32; pcre:"/\x20\x3A(Receiving\x20file.\x0A|Saved\x20as\x20|Spoofs\x3A\x20|Kaiten\x20wa\x20goraku|Current\x20status\x20is\x3a\x20|Removed\x20all\x20spoofs|Packeting\x20|Panning\x20|Tsunami\x20heading\x20for\x20|Unknowing\x20|Killing\x20pid\x20)/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007622; classtype:trojan-activity; sid:2007622; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:pup-activity; sid:2001521; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Kaiten IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20 21|"; pcre:"/PRIVMSG\x20\x21\S+\x20(TSUNAMI\x20|PAN\x20|UDP\x20|UNKNOWN\x20|GETSPOOFS|SPOOFS\x20)/i"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007623; classtype:trojan-activity; sid:2007623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:pup-activity; sid:2001522; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; classtype:trojan-activity; sid:2009077; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:pup-activity; sid:2001525; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Juicopotomous to Controller"; flow:established,to_server; dsize:1; content:"|7c|"; flowbits:set,ET.unknown.setup; flowbits:noalert; reference:url,doc.emergingthreats.net/2008245; classtype:trojan-activity; sid:2008245; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:pup-activity; sid:2001526; rev:24; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Juicopotomous ack from Controller"; flowbits:isset,ET.unknown.setup; flow:established,from_server; dsize:<50; content:"|7d 27|"; depth:2; flowbits:set,ET.unknown.replied; reference:url,doc.emergingthreats.net/2008246; classtype:trojan-activity; sid:2008246; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:pup-activity; sid:2001530; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Juicopotomous ack to Controller"; flowbits:isset,ET.unknown.replied; flow:established,to_server; dsize:<50; content:"|7e 27|"; depth:2; reference:url,doc.emergingthreats.net/2008247; classtype:trojan-activity; sid:2008247; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:pup-activity; sid:2001533; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keylogger PRO GOLD Post"; flow:established,to_server; content:"to="; content:"&from="; within:200; content:"&subject="; within:200; content:"&message="; within:200; content:"Discribtion"; within:14; content:"KEYLOGG+PRO+GOLD+VERSION"; content:"IPHostName"; content:"IPAddress"; content:"YahooMessenger+Passwords"; reference:url,doc.emergingthreats.net/2008642; classtype:trojan-activity; sid:2008642; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:pup-activity; sid:2001536; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keylogger.ane Checkin"; flow:established,to_server; content:"Secret Client|00 00 00|"; depth:18; reference:url,doc.emergingthreats.net/2008449; classtype:command-and-control; sid:2008449; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:pup-activity; sid:2001537; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Koobface BLACKLABEL"; flow:established,from_server; content: "#BLACKLABEL|0d 0a|EXIT"; reference:url,blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html; reference:url,doc.emergingthreats.net/2009407; classtype:trojan-activity; sid:2009407; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:pup-activity; sid:2001538; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Koobface C&C availability check successful"; flowbits:isset,ET.koobfacecheck; flow:established,from_server; content:"|0d 0a 0d 0a|ACH_OK"; nocase; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010152; classtype:command-and-control; sid:2010152; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:pup-activity; sid:2001540; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lethic Spambot CnC Initial Connect"; flow:established,from_server; flowbits:isnotset,ET.lethic.init; flowbits:set,ET.lethic.init; flowbits:noalert; dsize:5; content:"|00 00 00 00 06|"; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010646; classtype:command-and-control; sid:2010646; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:pup-activity; sid:2001541; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lethic Spambot CnC Initial Connect Bot Response"; flow:established,to_server; flowbits:isset,ET.lethic.init; dsize:5; content:"|00 00 00 00 06|"; flowbits:set,ET.lethic.established; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010647; classtype:command-and-control; sid:2010647; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET ADWARE_PUP MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:pup-activity; sid:2001563; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lethic Spambot CnC Connect Command"; flowbits:isset,ET.lethic.established; flow:established,from_server; dsize:11; content:"|02|"; offset:4; depth:5; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010648; classtype:command-and-control; sid:2010648; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:pup-activity; sid:2001570; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lethic Spambot CnC Connect Command (port 25 specifically)"; flowbits:isset,ET.lethic.established; flow:established,from_server; dsize:11; content:"|02|"; offset:4; depth:5; content:"|00 19|"; offset:9; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010649; classtype:command-and-control; sid:2010649; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer/Error Guard Activity"; flow: established,to_server; content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:pup-activity; sid:2001571; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lethic Spambot CnC Bot Command Confirmation"; flow:established,to_server; flowbits:isset,ET.lethic.established; dsize:6; content:"|21 01|"; offset:4; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010650; classtype:command-and-control; sid:2010650; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:pup-activity; sid:2001586; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lethic Spambot CnC Bot Transaction Relay"; flow:established,to_server; flowbits:isset,ET.lethic.established; content:"|03|"; offset:4; depth:5; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010651; classtype:command-and-control; sid:2010651; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:pup-activity; sid:2001587; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET MALWARE Looked.P/Gamania/Delf #109/! Style CnC Checkin Response from Server"; flow:established,from_server; dsize:6; content:"#1"; depth:2; content:"/!"; offset:4; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:command-and-control; sid:2008220; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:pup-activity; sid:2001588; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 6990:6999 (msg:"ET MALWARE Medbod UDP Phone Home Packet"; dsize:<50; content:"ebex"; nocase; pcre:"/\x06\x00?$/"; reference:url,doc.emergingthreats.net/2007949; classtype:trojan-activity; sid:2007949; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:pup-activity; sid:2001589; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 2227 (msg:"ET MALWARE Trojan-PSW.Win32.Nilage.crg Checkin"; flow:established,to_server; dsize:32; content:"|00 c0 a8 01 f4 6f 00 00 00|"; depth:12; content:"|00 00 00 05 01 28 0a|"; reference:url,doc.emergingthreats.net/2008481; classtype:command-and-control; sid:2008481; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:pup-activity; sid:2001641; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nine Ball Infection Ping Outbound"; icode:0; itype:8; dsize:32; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; reference:url,doc.emergingthreats.net/2011185; classtype:trojan-activity; sid:2011185; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:pup-activity; sid:2001643; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nine Ball Infection Posting Data"; flow:established,to_server; content:"POST /"; depth:6; content:"/gate/"; distance:0; content:".php"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:"AAAAAAAACI"; distance:67; within:10; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011187; classtype:trojan-activity; sid:2011187; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:pup-activity; sid:2001644; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Overtoolbar.net Backdoor ICMP Checkin Request"; dsize:9; icode:0; itype:8; content:"Echo This"; reference:url,doc.emergingthreats.net/2009130; classtype:command-and-control; sid:2009130; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:pup-activity; sid:2001645; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Overtoolbar.net Backdoor ICMP Checkin Response"; dsize:9; icode:0; itype:0; content:"Echo This"; reference:url,doc.emergingthreats.net/2009131; classtype:command-and-control; sid:2009131; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (1)"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:pup-activity; sid:2001646; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; depth:512; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003183; classtype:trojan-activity; sid:2003183; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:pup-activity; sid:2001647; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.1 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"|1D B9 F2 75 62 85 5A 4F 15 48 52 1D 50 90 41 89 37 9F FF 94 CE A6 3E 63 35 AB 29 6B 30 43 2F 45 46 B0 E1 C2 11 7F 0C 55 0F C7|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003184; classtype:trojan-activity; sid:2003184; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:pup-activity; sid:2001648; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.2 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"|13 B9 F2 75 62 85 5A 4F 15 48 19 1D 10 4F 0D 5B 04 5B 04 60 CE 5F 00 67 F5 AE 25 6B 20 41 23 B3|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003185; classtype:trojan-activity; sid:2003185; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:pup-activity; sid:2001650; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.3 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"| 5E 7D 66 7D 28 40 19 88 5F 8C 13 50 15 59 08 58 3C 97 00 9B 33 A5 F9 AF 39 68 F0 9F 27 AF E9 A8 25 B7 18 B6 15 7F 0E B6 1A|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003186; classtype:trojan-activity; sid:2003186; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:pup-activity; sid:2001653; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1900 (msg:"ET MALWARE Backdoor.Win32/PcClient.ZL Checkin"; flow:established,to_server; content:"|00 00 00 10 c8 00 00 00 b0 ff|"; depth:10; reference:url,doc.emergingthreats.net/2008920; classtype:command-and-control; sid:2008920; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:pup-activity; sid:2001655; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PcClient Backdoor Checkin Packet 1"; flow:established,to_server; dsize:4; content:"|82 87 99 45|"; flowbits:set,ET.PcClient; flowbits:noalert; reference:url,doc.emergingthreats.net/2009238; classtype:command-and-control; sid:2009238; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:pup-activity; sid:2001656; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PcClient Backdoor Checkin"; flowbits:isset,ET.PcClient; flow:established,to_server; dsize:248; content:"|52 0d 12 12|"; depth:4; flowbits:noalert; reference:url,doc.emergingthreats.net/2009239; classtype:command-and-control; sid:2009239; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:pup-activity; sid:2001657; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PECompact2 Packed Binary - Sometimes Hostile"; flow:from_server,established; content:"|74 65 78 74|"; content:"|50 45 43 32|"; within:40; reference:url,www.bitsum.com/pecompact.shtml; reference:url,bits.packetninjas.org/eblog/?p=306; reference:url,doc.emergingthreats.net/2008547; classtype:trojan-activity; sid:2008547; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:pup-activity; sid:2001658; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Perfect Keylogger FTP Initial Install Log Upload"; flow:established,to_server; content:"Congratulations! Perfect Kelogger was successfully installed"; depth:63; reference:url,doc.emergingthreats.net/2007973; classtype:trojan-activity; sid:2007973; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; classtype:pup-activity; sid:2001659; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Perfect Keylogger FTP Initial Install Log Upload (Null obfuscated)"; flow:established,to_server; content:"C|00|o|00|n|00|g|00|r|00|a|00|t|00|u|00|l|00|a|00|t|00|i|00|o|00|n|00|s|00|!|00| |00|P|00|e|00|r|00|f|00|e|00|c|00|t|00| |00|K|00|e|00|l|00|o|00|g|00|g|00|e|00|r|00| |00|w|00|a|00|s|00| |00|s|00|u|00|c|00|c|00|e|00|s|00|s|00|f|00|u|00|l|00|l|00|y|00| |00|i|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|d|00|"; reference:url,doc.emergingthreats.net/2008327; classtype:trojan-activity; sid:2008327; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:pup-activity; sid:2001660; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RLPacked Binary - Likely Hostile"; flow:from_server,established; content:"|2E 70 61 63 6B 65 64|"; content:"|2E 52 4C 50 61 63 6B|"; within:50; reference:url,rlpack.jezgra.net; reference:url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/; reference:url,doc.emergingthreats.net/2008285; classtype:trojan-activity; sid:2008285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:pup-activity; sid:2001666; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any any -> any any (msg:"ET DELETED Generic Raider Obfuscated VBScript"; flow:established; content:"execute"; content:"|22 22 22 22 22 3A|"; offset:8; content:"function"; nocase; pcre:"/\x22\x3A(\w)\x3D\x22execute\s+\x22{5}\x3A.*\x3Aexecute\s*\x28\s*\1\s*\x29\x3Aend\s+function\x3A/s"; reference:url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1; reference:url,doc.emergingthreats.net/2008278; classtype:trojan-activity; sid:2008278; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:pup-activity; sid:2001678; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Trojan.Win32.Regrun.ro FTP connection detected"; flow:established,to_server; content:"RETR k3ylogger.txt|0d 0a|"; depth:21; reference:url,doc.emergingthreats.net/2008733; classtype:trojan-activity; sid:2008733; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http any any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:pup-activity; sid:2001683; rev:18; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Saturn Proxy Initial Outbound Checkin (404.txt)"; flow:established,to_server; dsize:<50; content:"GET /404.txt HTTP/1.0"; depth:21; flowbits:set,ET.saturn.checkin; reference:url,doc.emergingthreats.net/2007751; classtype:command-and-control; sid:2007751; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:pup-activity; sid:2001696; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Saturn Proxy C&C Activity"; flow:established,from_server; dsize:12; content:"|2d 00 00 00|"; offset:0; depth:4; content:"|00 00 55 00 00 00|"; distance:2; reference:url,doc.emergingthreats.net/2007753; classtype:command-and-control; sid:2007753; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; classtype:pup-activity; sid:2001697; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Socks666 Connection Initial Packet"; flow:established,to_server; dsize:24; content:"|9a 02 06 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006395; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:pup-activity; sid:2001700; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Socks666 Connect Command Packet"; flowbits:isset,BS.BPcheckin; flow:established,from_server; dsize:10; content:"|9a 02 07 00|"; offset:0; depth:4; flowbits:set,BS.BPset; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006396; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:pup-activity; sid:2001701; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Socks666 Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session,300,seconds; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006397; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:pup-activity; sid:2001705; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Socks666 Checkin Packet"; flow:established,to_server; dsize:30; content:"|9a 02 01 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin1; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:command-and-control; sid:2006398; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:pup-activity; sid:2001708; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Socks666 Checkin Success Packet"; flowbits:isset,BS.BPcheckin1; flow:established,from_server; dsize:4; content:"|9a 02 05 00|"; offset:0; depth:4; reference:url,doc.emergingthreats.net/2006396; classtype:command-and-control; sid:2006399; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:pup-activity; sid:2001710; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert icmp any any -> any any (msg:"ET MALWARE Storm Worm ICMP DDOS Traffic"; itype:8; icode:0; dsize:32; content:"abcdefghijklmnopqr|00 00|"; depth:22; threshold:type both, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2007618; classtype:trojan-activity; sid:2007618; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (1)"; flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:pup-activity; sid:2001729; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Themida Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 69 64 61 74 61 20 20|"; content:"|54 68 65 6D 64 61 20 00|"; within:49; reference:url,www.oreans.com/themida.php; reference:url,cwsandbox.org/?page=samdet&id=164533&password=wnnpi; reference:url,doc.emergingthreats.net/2008341; classtype:trojan-activity; sid:2008341; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; http_uri; nocase; content:"?ID={"; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:pup-activity; sid:2001730; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Initial Checkin (ams)"; flow:established,to_server; dsize:3; content:"ams"; reference:url,doc.emergingthreats.net/2008021; classtype:command-and-control; sid:2008021; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:pup-activity; sid:2001734; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Logs Parse Command (LOGS1)"; flow:established,from_server; dsize:5; content:"LOGS1"; depth:5; reference:url,doc.emergingthreats.net/2008024; classtype:command-and-control; sid:2008024; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:pup-activity; sid:2001735; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Logs Parse Response Response (LOGS1)"; flow:established,to_server; content:"|08 00 00 00|LOGS1|5b|"; offset:0; depth:10; reference:url,doc.emergingthreats.net/2008025; classtype:command-and-control; sid:2008025; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:pup-activity; sid:2001737; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Keepalive (BAGLANTI)"; flow:established,to_server; dsize:9; content:"BAGLANTI?"; reference:url,doc.emergingthreats.net/2008026; classtype:command-and-control; sid:2008026; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:pup-activity; sid:2001744; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Browse Drive Command (BROWSC)"; flow:established,from_server; dsize:<100; content:"BROWS"; depth:5; content:"|3a|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2008027; classtype:command-and-control; sid:2008027; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:pup-activity; sid:2001747; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Browse Drive Command Response (metin)"; flow:established,to_server; content:"|00 00|metin|0d 3a|"; offset:2; depth:11; reference:url,doc.emergingthreats.net/2008028; classtype:command-and-control; sid:2008028; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:pup-activity; sid:2001748; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C nxt Command Response (nxt)"; flow:established,from_server; dsize:16; content:"nxt|09 00 00 00|"; depth:7; offset:0; reference:url,doc.emergingthreats.net/2008030; classtype:command-and-control; sid:2008030; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:pup-activity; sid:2001793; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET MALWARE Win32.Agent.bea C&C connection"; flow:to_server,established; dsize:24; content:"|9a 02 06 00|"; depth:4; reference:url,doc.emergingthreats.net/2007608; classtype:command-and-control; sid:2007608; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:pup-activity; sid:2001794; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Inject.zy Checkin Post"; flow:established,to_server; dsize:8; content:"|16 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007966; classtype:command-and-control; sid:2007966; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:pup-activity; sid:2001850; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Proxy.Win32.Wopla.ag Check-In"; flow:established,to_server; dsize:12; content:"|0a 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007603; classtype:trojan-activity; sid:2007603; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:pup-activity; sid:2001884; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Proxy.Win32.Wopla.ag Server Reply"; dsize:12; flow:established,from_server; content:"|0d 00 00 00|"; depth:4; content:"|00 00 00 00 00 00|"; distance:2; within:6; reference:url,doc.emergingthreats.net/2007604; classtype:trojan-activity; sid:2007604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:pup-activity; sid:2001885; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE XP keylogger v2.1 mail report - Inbound"; flow:established,to_server; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; reference:url,doc.emergingthreats.net/2002940; classtype:trojan-activity; sid:2002940; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:pup-activity; sid:2001895; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE XP keylogger v2.1 mail report - Outbound"; flow:established,to_server; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; reference:url,doc.emergingthreats.net/2002942; classtype:trojan-activity; sid:2002942; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:pup-activity; sid:2001947; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Yoda's Protector Packed Binary - VERY Likely Hostile"; flow:established,from_server; content:"|E8 03 00 00 00 EB 01|"; content:"|BB 55 00 00 00 E8 03 00 00 00 EB 01|"; within:14; reference:url,doc.emergingthreats.net/2009557; classtype:trojan-activity; sid:2009557; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:pup-activity; sid:2001994; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003292; classtype:trojan-activity; sid:2003292; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:pup-activity; sid:2001997; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; classtype:trojan-activity; sid:2003294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; http_uri; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:pup-activity; sid:2001998; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET DELETED Singworm MSN message Outbound"; flow:established; content:"Here are the new smiles for MSN, they are incredible!"; reference:url,doc.emergingthreats.net/2007605; classtype:trojan-activity; sid:2007605; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:pup-activity; sid:2001999; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"ET DELETED Singworm MSN message Inbound"; flow:established; content:"Here are the new smiles for MSN, they are incredible!"; reference:url,doc.emergingthreats.net/2007606; classtype:trojan-activity; sid:2007606; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:pup-activity; sid:2002000; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood TCP"; flow:established,to_server; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003192; classtype:attempted-dos; sid:2003192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; http_uri; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:pup-activity; sid:2002003; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2019_08_22, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009698; classtype:attempted-dos; sid:2009698; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:pup-activity; sid:2002004; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood TCP"; flow:established,to_server; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003193; classtype:attempted-dos; sid:2003193; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:pup-activity; sid:2002008; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood UDP"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009699; classtype:attempted-dos; sid:2009699; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:pup-activity; sid:2002009; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; depth:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,doc.emergingthreats.net/bin/view/Main/2002848; classtype:attempted-user; sid:2002848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:pup-activity; sid:2002010; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; reference:url,doc.emergingthreats.net/2003237; classtype:attempted-user; sid:2003237; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:pup-activity; sid:2002012; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2003194; classtype:attempted-dos; sid:2003194; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:pup-activity; sid:2002013; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses UDP"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2009700; classtype:attempted-dos; sid:2009700; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:pup-activity; sid:2002015; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl?"; nocase; pcre:"/node=.*\|.+\|/i"; reference:bugtraq,14662; reference:url,doc.emergingthreats.net/2002365; classtype:web-application-attack; sid:2002365; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:pup-activity; sid:2002016; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt"; flow: to_server,established; content:"THCOWNZIIS!"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; reference:url,doc.emergingthreats.net/2000559; classtype:web-application-attack; sid:2000559; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:pup-activity; sid:2002017; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 82 (msg:"ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt"; flow:established,to_server; content:"GET"; content:"script"; nocase; content:"/proxy.php?"; nocase; content:"url="; nocase; pcre:"/\/proxy\.php(\?|.*[\x26\x3B])url=[^&\;\x0D\x0A]*[<>\"\']/i"; reference:url,www.securityfocus.com/bid/37446/info; reference:url,doc.emergingthreats.net/2010602; classtype:web-application-attack; sid:2010602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:pup-activity; sid:2002019; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.IMAP4.6"; distance:0; nocase; content:"LicenseKey"; nocase; reference:url,secunia.com/advisories/24199/; reference:url,doc.emergingthreats.net/2010658; classtype:web-application-attack; sid:2010658; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:pup-activity; sid:2002036; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt"; flow:established,to_client; content:"/HtmlAdaptor"; nocase; content:"action=invokeOpByName"; nocase; within:25; content:"DeploymentFileRepository"; nocase; within:80; content:"methodName="; nocase; within:25; content:".war"; nocase; distance:0; content:".jsp"; nocase; distance:0; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011697; classtype:web-application-attack; sid:2011697; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:pup-activity; sid:2002037; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED phpbb Session Cookie"; flow: established; content:"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"; nocase; reference:url,www.waraxe.us/ftopict-555.html; reference:url,doc.emergingthreats.net/2001762; classtype:web-application-attack; sid:2001762; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:pup-activity; sid:2002040; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (private message)"; flow: established,from_server; content:"privmsg.php"; pcre:"/\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001928; classtype:web-application-attack; sid:2001928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:pup-activity; sid:2002044; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (signature)"; flow: established,from_server; content:"_________________"; pcre:"/\<br \/\>_________________\<br \/\>\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001929; classtype:web-application-attack; sid:2001929; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:pup-activity; sid:2002046; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011207; classtype:web-application-attack; sid:2011207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:pup-activity; sid:2002048; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt"; flow:established,to_client; content:"66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; nocase; content:"SaveFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5/si"; reference:url,secunia.com/advisories/37967/; reference:url,doc.emergingthreats.net/2010943; classtype:web-application-attack; sid:2010943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:pup-activity; sid:2002083; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Synactis All_IN_THE_BOX ActiveX SaveDoc Method Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"B5576893-F948-4E0F-9BE1-A37CB56D66FF"; nocase; distance:0; content:"SaveDoc"; nocase; reference:url,milw0rm.com/exploits/7928; reference:bugtraq,33535; reference:url,doc.emergingthreats.net/2009138; classtype:web-application-attack; sid:2009138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:pup-activity; sid:2002088; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/left.cgi?"; nocase; content:"dom="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009587; classtype:web-application-attack; sid:2009587; rev:5; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:pup-activity; sid:2002089; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/link.cgi/"; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009588; classtype:web-application-attack; sid:2009588; rev:5; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:pup-activity; sid:2002090; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin Anonymous Proxy attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/virtual-server/link.cgi/"; nocase; content:"/http\://"; nocase; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009589; classtype:web-application-attack; sid:2009589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:pup-activity; sid:2002091; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; content:"savePageAsBitmap"; nocase; reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; reference:url,doc.emergingthreats.net/2008791; classtype:web-application-attack; sid:2008791; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:pup-activity; sid:2002093; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:pup-activity; sid:2002095; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; content:"3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011723; classtype:attempted-user; sid:2011723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:pup-activity; sid:2002096; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:pup-activity; sid:2002099; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; nocase; distance:0; content:"Open"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B/si"; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010945; classtype:attempted-user; sid:2010945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:pup-activity; sid:2002169; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:pup-activity; sid:2002296; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 4274 (msg:"ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt"; flow: to_server,established; content:"/../data/log.txt"; content:"/../WINNT/"; nocase; reference:url,www.gulftech.org/?node=research&article_id=00047-08302004; reference:url,doc.emergingthreats.net/2001238; classtype:web-application-activity; sid:2001238; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:pup-activity; sid:2002297; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"admin/record_company.php/password_forgotten.php"; content:"action=insert"; nocase; depth:100; reference:url,www.securityfocus.com/bid/35467; reference:url,www.milw0rm.com/exploits/9004; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-activity; sid:2009693; rev:4; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:pup-activity; sid:2002298; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 10616 (msg:"ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow"; flow:established,to_server; content:"LICMGR_ADDLICENSE&"; nocase; depth:18; isdataat:450,relative; pcre:"/LICMGR_ADDLICENSE&[^\x00\n\r@&]{450}/i"; reference:cve,2006-3838; reference:url,secunia.com/advisories/21211/; reference:url,doc.emergingthreats.net/2003056; classtype:attempted-admin; sid:2003056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:pup-activity; sid:2002299; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"WHCC"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003925; classtype:trojan-activity; sid:2003925; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:pup-activity; sid:2002300; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; classtype:misc-attack; sid:2002316; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:pup-activity; sid:2002301; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; classtype:misc-attack; sid:2002315; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:pup-activity; sid:2002302; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"|3b 00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000372; classtype:attempted-user; sid:2000372; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:pup-activity; sid:2002303; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007875; classtype:web-application-attack; sid:2007875; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:pup-activity; sid:2002305; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000563; classtype:misc-attack; sid:2000563; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:pup-activity; sid:2002306; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:pup-activity; sid:2002310; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Connect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>Connect</name>"; nocase; http_client_body; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011752; classtype:policy-violation; sid:2011752; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:pup-activity; sid:2002317; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn preteen"; flow: from_server,established; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001346; classtype:policy-violation; sid:2001346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:pup-activity; sid:2002318; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pre-teen"; flow: from_server,established; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001347; classtype:policy-violation; sid:2001347; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:pup-activity; sid:2002319; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn early teen"; flow: from_server,established; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001348; classtype:policy-violation; sid:2001348; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:pup-activity; sid:2002320; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn zeps"; flow: from_server,established; content:" zeps "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001387; classtype:policy-violation; sid:2001387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:pup-activity; sid:2002348; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn r@ygold"; flow: from_server,established; content:" r@ygold "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001388; classtype:policy-violation; sid:2001388; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL"; flow:established,to_server; content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:pup-activity; sid:2002349; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn childlover"; flow: from_server,established; content:" childlover "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001389; classtype:policy-violation; sid:2001389; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:pup-activity; sid:2002350; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE free XXX"; flow: to_client,established; content:"FREE XXX"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001349; classtype:policy-violation; sid:2001349; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:pup-activity; sid:2002351; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE hardcore anal"; flow: to_client,established; content:"hardcore anal"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001350; classtype:policy-violation; sid:2001350; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:pup-activity; sid:2002352; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE masturbation"; flow: to_client,established; content:"masturbat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001351; classtype:policy-violation; sid:2001351; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:pup-activity; sid:2002354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE ejaculation"; flow: to_client,established; content:"ejaculat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001352; classtype:policy-violation; sid:2001352; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:pup-activity; sid:2002394; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE BDSM"; flow: to_client,established; content:"BDSM"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001353; classtype:policy-violation; sid:2001353; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:pup-activity; sid:2002404; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (1)"; flow: from_server,established; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001392; classtype:policy-violation; sid:2001392; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:pup-activity; sid:2002708; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (2)"; flow: from_server,established; content:"BEGIN SEXTRACKER CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001393; classtype:policy-violation; sid:2001393; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:pup-activity; sid:2002709; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Likely Porn"; flow: established,from_server; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001608; classtype:policy-violation; sid:2001608; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:pup-activity; sid:2002736; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; classtype:trojan-activity; sid:2000327; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:pup-activity; sid:2002738; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:pup-activity; sid:2001447; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:pup-activity; sid:2002740; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; classtype:policy-violation; sid:2000906; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:pup-activity; sid:2002766; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; classtype:policy-violation; sid:2000598; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:pup-activity; sid:2002767; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; classtype:policy-violation; sid:2000907; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:pup-activity; sid:2002769; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Advertising.com Reporting Data"; flow: to_server,established; uricontent:"/site="; uricontent:"/mnum="; uricontent:"/bins="; uricontent:"/rich="; uricontent:"/logs="; uricontent:"/betr=";  reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; classtype:policy-violation; sid:2002304; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:pup-activity; sid:2002770; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; content:".c4tdownload.com"; within:26; nocase; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; classtype:trojan-activity; sid:2001531; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:pup-activity; sid:2002771; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; classtype:trojan-activity; sid:2001222; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:pup-activity; sid:2002804; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evidencenuker.com Fake AV Updating"; flow:established,to_server; uricontent:"/products/evidencenuker/update.php?version="; nocase; reference:url,www.evidencenuker.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; classtype:trojan-activity; sid:2003568; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:pup-activity; sid:2002805; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay|3b|"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; classtype:policy-violation; sid:2001043; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:pup-activity; sid:2002806; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; classtype:policy-violation; sid:2002194; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:pup-activity; sid:2002816; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; classtype:trojan-activity; sid:2001698; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:pup-activity; sid:2002817; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:!"rss"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003394; classtype:trojan-activity; sid:2003394; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:pup-activity; sid:2002820; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:9; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:pup-activity; sid:2002821; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Internet Antivirus Pro|0d 0a|"; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:pup-activity; sid:2002836; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ClickAdsByIE"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:pup-activity; sid:2002858; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:pup-activity; sid:2000514; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:pup-activity; sid:2002933; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET ADWARE_PUP MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:pup-activity; sid:2001563; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:pup-activity; sid:2002954; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:pup-activity; sid:2002956; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT announce_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:14; content:"e1|3a|q13|3a|announce_peer1|3a|"; nocase; distance:55; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008585; classtype:policy-violation; sid:2008585; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:pup-activity; sid:2002957; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; classtype:policy-violation; sid:2001808; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:pup-activity; sid:2002984; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"Server|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007800; classtype:policy-violation; sid:2007800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:pup-activity; sid:2002987; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape P2P streaming media"; content:"POST / HTTP/1."; depth:64; content:"Oshtcp-streamtype|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,doc.emergingthreats.net/2010008; classtype:policy-violation; sid:2010008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:pup-activity; sid:2002988; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:pup-activity; sid:2002990; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:pup-activity; sid:2002991; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|sivus-discovery@vopsecurity.org"; offset:110; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008610; classtype:attempted-recon; sid:2008610; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:pup-activity; sid:2002999; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET SCAN External to Internal UPnP Request udp port 1900"; content:"MSEARCH * HTTP/1.1"; depth:18; content:"MAN|3a| ssdp|3a|"; nocase; distance:0; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008094; classtype:attempted-recon; sid:2008094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:pup-activity; sid:2003000; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:"<sip|3a|smap@"; offset:80; depth:40; reference:url,www.go2linux.org/smap-find-voip-enabled-devices; reference:url,doc.emergingthreats.net/2008526; classtype:attempted-recon; sid:2008526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; http_uri; nocase; content:"partnerid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:pup-activity; sid:2003057; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008568; classtype:attempted-recon; sid:2008568; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:pup-activity; sid:2003058; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; classtype:attempted-recon; sid:2008577; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:pup-activity; sid:2003059; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 400"; depth:13; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,support.microsoft.com/kb/247249; reference:url,doc.emergingthreats.net/2009884; classtype:attempted-recon; sid:2009884; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:pup-activity; sid:2003061; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack"; flow:from_server,established; content:"HTTP/1.1 404"; depth:13; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,en.wikipedia.org/wiki/HTTP_404; reference:url,doc.emergingthreats.net/2009885; classtype:attempted-recon; sid:2009885; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:pup-activity; sid:2003074; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Virus User Agent Detected (SPM_ID=)"; flow:established,to_server; content:"User-Agent|3a| SPM_ID="; nocase; reference:url,doc.emergingthreats.net/2003651; classtype:trojan-activity; sid:2003651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:pup-activity; sid:2003075; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING OUTBOUND Suspicious Email Attachment"; flow: to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; pcre:"/^\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; reference:url,doc.emergingthreats.net/2000562; classtype:suspicious-filename-detect; sid:2000562; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:pup-activity; sid:2003076; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Inbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003293; classtype:trojan-activity; sid:2003293; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:pup-activity; sid:2003084; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM shell bot perl code download"; flow:to_client,established; content:"# ShellBOT"; nocase; reference:url,doc.emergingthreats.net/2002683; classtype:trojan-activity; sid:2002683; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:pup-activity; sid:2003151; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM Shell Bot Code Download"; flow:to_client,established; content:"##################### IRC #######################"; nocase; reference:url,doc.emergingthreats.net/2002684; classtype:trojan-activity; sid:2002684; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:pup-activity; sid:2003153; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Related Fake User-Agent (Apache (compatible...))"; flow:established,to_server; content:"User-Agent|3a| Apache (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; reference:url,doc.emergingthreats.net/2010823; classtype:trojan-activity; sid:2010823; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:pup-activity; sid:2003154; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:pup-activity; sid:2003201; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"UNION%20"; within:200; nocase; content:"SELECT"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]+UNION.+SELECT/i"; reference:url,www.w3schools.com/sql/sql_union.asp; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009770; classtype:web-application-attack; sid:2009770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; fast_pattern; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:pup-activity; sid:2003202; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0d\x0aCookie\x3a[^\n]+SELECT.+FROM/i"; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009771; classtype:web-application-attack; sid:2009771; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:pup-activity; sid:2003203; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DELETE FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"DELETE%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]DELETE.+FROM/i"; reference:url,www.w3schools.com/Sql/sql_delete.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009772; classtype:web-application-attack; sid:2009772; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:pup-activity; sid:2003204; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT INTO SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INSERT%20"; nocase; within:200; content:"INTO"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INSERT.+INTO/i"; reference:url,www.w3schools.com/SQL/sql_insert.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009773; classtype:web-application-attack; sid:2009773; rev:36; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; fast_pattern:only; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:pup-activity; sid:2003205; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INTO%20"; nocase; within:200; content:"OUTFILE"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010038; classtype:web-application-attack; sid:2010038; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:pup-activity; sid:2003211; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010517; classtype:web-application-attack; sid:2010517; rev:3; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2017_09_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; http_uri; nocase; fast_pattern; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:pup-activity; sid:2003217; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_05_03, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"INSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010286; classtype:web-application-attack; sid:2010286; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:pup-activity; sid:2003218; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"SUBSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010287; classtype:web-application-attack; sid:2010287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:pup-activity; sid:2003219; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; depth:6; content:"Connection|3A| Close"; nocase; distance:0; content:"Lock-token|3A|"; nocase; within:100; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; reference:url,doc.emergingthreats.net/2011015; classtype:web-application-attack; sid:2011015; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:pup-activity; sid:2003221; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; classtype:web-application-attack; sid:2011016; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:pup-activity; sid:2003222; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; reference:url,doc.emergingthreats.net/2002844; classtype:web-application-attack; sid:2002844; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:pup-activity; sid:2003240; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) SMTP"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010591; classtype:policy-violation; sid:2010591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:pup-activity; sid:2003241; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From|3a| anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent|3a| PHP"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; classtype:web-application-activity; sid:2001628; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:pup-activity; sid:2003251; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; classtype:web-application-activity; sid:2003536; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:pup-activity; sid:2003253; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; classtype:web-application-activity; sid:2007653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:pup-activity; sid:2003297; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; classtype:web-application-activity; sid:2007654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:pup-activity; sid:2003298; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; classtype:web-application-activity; sid:2007655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:pup-activity; sid:2003304; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; classtype:web-application-activity; sid:2007656; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Cursor DL"; flow: to_server,established; content:"/czcontent/cursor"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:pup-activity; sid:2003307; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:pup-activity; sid:2003336; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D27CDB6E-AE6D-11cf-96B8-444553540000/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19710; reference:url,www.kb.cert.org/vuls/id/204889; reference:url,www.microsoft.com/technet/security/advisory/979267.mspx; reference:url,doc.emergingthreats.net/2010666; classtype:attempted-user; sid:2010666; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:pup-activity; sid:2003345; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED WU Malicious Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"WU_Details_"; within:50; pcre:"/filename\s*=\s*"WU_Details_.....\.zip/m"; reference:url,doc.emergingthreats.net/2010376; classtype:trojan-activity; sid:2010376; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:pup-activity; sid:2003348; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED MySpace Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"MySpace"; within:50; pcre:"/filename\s*=\s*MySpace_document_[0-9]{5}\.zip/m"; reference:url,doc.emergingthreats.net/2010629; classtype:trojan-activity; sid:2010629; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:pup-activity; sid:2003353; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 2"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"UPS_INVOICE_NR"; within:50; pcre:"/filename=\x22UPS_INVOICE_NR\.[0-9]{4}-[0-9]{6}\.zip\x22/mi"; reference:url,doc.emergingthreats.net/201150; classtype:trojan-activity; sid:2011150; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:pup-activity; sid:2003354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 3"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_LABEL_NR."; nocase; within:50; pcre:"/filename=\x22UPS_LABEL_NR\.[A-Z]+_[0-9]{4}-\d+\.ZIP\x22/i"; reference:url,doc.emergingthreats.net/2011151; classtype:trojan-activity; sid:2011151; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:pup-activity; sid:2003358; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; uricontent:"/Inst_58s6.exe"; nocase; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; classtype:trojan-activity; sid:2010339; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:pup-activity; sid:2003360; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hostile domain, NeoSploit FakeAV google.analytics.com.*.info"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d 0a|Host|3a| google.analytics.com."; nocase; content:".info|0d 0a|"; within:15; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage#-#-topic=3781.0; reference:url,doc.emergingthreats.net/2010866; classtype:trojan-activity; sid:2010866; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:pup-activity; sid:2003362; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; classtype:attempted-user; sid:2011053; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:pup-activity; sid:2003364; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows Shortcut LNK File Automatic File Execution Attempt Via WebDAV"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; content:"<D|3A|locktype><D|3A|write/></D|3A|locktype>"; nocase; distance:0; content:"<D|3A|getcontenttype>shortcut</D|3A|getcontenttype>"; nocase; distance:0; reference:url,support.microsoft.com/kb/2286198; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011239; classtype:attempted-user; sid:2011239; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:pup-activity; sid:2003365; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009491; classtype:web-application-attack; sid:2009491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:pup-activity; sid:2003375; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Vulnerable Microsoft Video ActiveX CLSID access (43)"; flow:to_client,established; content:"clsid"; nocase; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009612; classtype:web-application-attack; sid:2009612; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:pup-activity; sid:2003376; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; content:"clsid"; nocase; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009620; classtype:web-application-attack; sid:2009620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:pup-activity; sid:2003377; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; content:"clsid"; nocase; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009621; classtype:web-application-attack; sid:2009621; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:pup-activity; sid:2003388; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; content:"clsid"; nocase; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009622; classtype:web-application-attack; sid:2009622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:pup-activity; sid:2003389; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; content:"clsid"; nocase; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009623; classtype:web-application-attack; sid:2009623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:pup-activity; sid:2003391; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; content:"clsid"; nocase; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009624; classtype:web-application-attack; sid:2009624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent|3a| SpyHeal"; nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:pup-activity; sid:2003399; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; content:"clsid"; nocase; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009625; classtype:web-application-attack; sid:2009625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:pup-activity; sid:2003404; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009626; classtype:web-application-attack; sid:2009626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:pup-activity; sid:2003414; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009627; classtype:web-application-attack; sid:2009627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:pup-activity; sid:2003416; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; content:"clsid"; nocase; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009628; classtype:web-application-attack; sid:2009628; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:pup-activity; sid:2003417; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; content:"clsid"; nocase; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009629; classtype:web-application-attack; sid:2009629; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:pup-activity; sid:2003418; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; content:"clsid"; nocase; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009630; classtype:web-application-attack; sid:2009630; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:pup-activity; sid:2003419; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; content:"clsid"; nocase; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009631; classtype:web-application-attack; sid:2009631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:pup-activity; sid:2003429; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; content:"clsid"; nocase; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009632; classtype:web-application-attack; sid:2009632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:pup-activity; sid:2003438; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; content:"clsid"; nocase; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009633; classtype:web-application-attack; sid:2009633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:pup-activity; sid:2003441; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; content:"clsid"; nocase; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009634; classtype:web-application-attack; sid:2009634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:pup-activity; sid:2003442; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009635; classtype:web-application-attack; sid:2009635; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:pup-activity; sid:2003444; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009636; classtype:web-application-attack; sid:2009636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"Indy Library)"; nocase; http_user_agent; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:pup-activity; sid:2003446; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; content:"clsid"; nocase; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009638; classtype:web-application-attack; sid:2009638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:pup-activity; sid:2003450; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; content:"clsid"; nocase; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009639; classtype:web-application-attack; sid:2009639; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:pup-activity; sid:2003451; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; content:"clsid"; nocase; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009640; classtype:web-application-attack; sid:2009640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:pup-activity; sid:2003462; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009641; classtype:web-application-attack; sid:2009641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:pup-activity; sid:2003463; rev:18; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009642; classtype:web-application-attack; sid:2009642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:pup-activity; sid:2003472; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:".php?&&reader_version="; nocase; reference:url,doc.emergingthreats.net/2011715; classtype:trojan-activity; sid:2011715; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:pup-activity; sid:2003473; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Malvertising drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Set-Cookie|3a| bmb="; nocase; reference:url,doc.emergingthreats.net/2011222; classtype:bad-unknown; sid:2011222; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:pup-activity; sid:2003496; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer/InstallerClean.exe"; nocase; reference:url,doc.emergingthreats.net/2010053; classtype:trojan-activity; sid:2010053; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:pup-activity; sid:2003504; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/Soft_21.exe"; nocase; reference:url,doc.emergingthreats.net/2010060; classtype:trojan-activity; sid:2010060; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:pup-activity; sid:2003525; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010444; classtype:bad-unknown; sid:2010444; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:pup-activity; sid:2003526; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010447; classtype:bad-unknown; sid:2010447; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:pup-activity; sid:2003529; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010448; classtype:bad-unknown; sid:2010448; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:pup-activity; sid:2003531; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010449; classtype:bad-unknown; sid:2010449; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:pup-activity; sid:2003533; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (annonce.pdf)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/ssp/files/annonce.pdf"; nocase; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010532; classtype:trojan-activity; sid:2010532; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:pup-activity; sid:2003541; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (loadjavad.php)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/ssp/loadjavad.php"; nocase; pcre:"/\/ssp\/loadjavad\.php$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010534; classtype:trojan-activity; sid:2010534; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:pup-activity; sid:2003543; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/wywg/"; nocase; uricontent:".exe"; nocase; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; classtype:trojan-activity; sid:2010716; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:pup-activity; sid:2003547; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; uricontent:"/nte/"; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; classtype:exploit-kit; sid:2010871; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003567; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Related CSS Download"; flow:established,from_server; content:"#hello_nod32_guys_how_u_doing"; nocase; reference:url,doc.emergingthreats.net/2011670; classtype:trojan-activity; sid:2011670; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003569; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Executable requested from /wp-content/languages"; flow:established,to_server; uricontent:"/wp-content/languages/"; nocase; uricontent:".exe"; nocase; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; classtype:trojan-activity; sid:2011220; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirarsearch.com Spyware Posting Data"; flow:established,to_server; content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:pup-activity; sid:2003577; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; uricontent:"av_base/av-i386-daily.zip"; nocase; reference:url,doc.emergingthreats.net/2010565; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010568; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:pup-activity; sid:2003579; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; uricontent:"av_base/pay.php"; nocase; reference:url,doc.emergingthreats.net/2010566; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010566; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (sendmedia)"; flow: to_server,established; content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:pup-activity; sid:2003581; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; uricontent:"av_base/ip.php"; nocase; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:pup-activity; sid:2003585; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client registration"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyMyIP="; within:27; reference:url,doc.emergingthreats.net/2008950; classtype:trojan-activity; sid:2008950; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:pup-activity; sid:2003588; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client command"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyUserNamePassWord="; within:40; reference:url,doc.emergingthreats.net/2008951; classtype:trojan-activity; sid:2008951; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:pup-activity; sid:2003605; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSPkgDL.1"; nocase; distance:0; content:"DownloadAndInstall"; nocase; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,secunia.com/advisories/36679; reference:url,doc.emergingthreats.net/2010190; classtype:attempted-user; sid:2010190; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:pup-activity; sid:2003606; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YGPWz.CAOLMemExpWz"; nocase; distance:0; content:"AppString"; nocase; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010987; classtype:attempted-user; sid:2010987; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; http_uri; nocase; content:"&q="; http_uri; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:pup-activity; sid:2003610; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Winwebsec User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| InstallNotify/1.0"; http_header; reference:url,www.f-secure.com/sw-desc/rogue_w32_winwebsec.shtml; reference:url,blogs.technet.com/mmpc/archive/2009/05/13/msrt-tackles-another-rogue.aspx; reference:url,doc.emergingthreats.net/2009896; classtype:trojan-activity; sid:2009896; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:pup-activity; sid:2003611; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AtHocGov IWSAlerts ActiveX Control Buffer Overflow Function Call Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"AtHocGovGSTlBar.GSHelper.1"; nocase; distance:0; content:"CompleteInstallation"; nocase; reference:url,metasploit.com/modules/exploit/windows/browser/athocgov_completeinstallation; reference:url,athoc.com/products/IWSAlerts_overview.aspx; reference:url,doc.emergingthreats.net/2011211; classtype:attempted-user; sid:2011211; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:pup-activity; sid:2003612; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"R2AXCTRLLib.R2winCtrl"; nocase; distance:0; content:"ControlID"; nocase; reference:url,doc.emergingthreats.net/2011130; classtype:attempted-user; sid:2011130; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:pup-activity; sid:2003617; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MPS.StormPlayer.1"; nocase; distance:0; content:"OnBeforeVideoDownload"; nocase; reference:bugtraq,34789; reference:url,doc.emergingthreats.net/2010995; classtype:attempted-user; sid:2010995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:pup-activity; sid:2003619; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(EnableStartApplication|EnableStartBeforePrint|EnableKeepExistingFiles|EnablePassParameters)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010208; classtype:attempted-user; sid:2010208; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; http_uri; nocase; content:"&refe=http"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:pup-activity; sid:2003620; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010209; classtype:attempted-user; sid:2010209; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:pup-activity; sid:2003630; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"SaveBlackIceDEVMODE"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010210; classtype:attempted-user; sid:2010210; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:pup-activity; sid:2003644; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ClearUserSettings"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010211; classtype:attempted-user; sid:2010211; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:pup-activity; sid:2003652; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ControlJob"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010212; classtype:attempted-user; sid:2010212; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:pup-activity; sid:2005319; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control BOF Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SdcUser.TgConCtl"; nocase; distance:0; content:"RunCMD"; nocase; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011213; classtype:attempted-user; sid:2011213; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:pup-activity; sid:2006386; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt"; flow:established,to_client; content:"<dxstudio"; nocase; content:"shell.execute("; nocase; reference:cve,2009-2011; reference:url,doc.emergingthreats.net/2010841; classtype:attempted-user; sid:2010841; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:pup-activity; sid:2006427; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable SetLogLevel/SetLogFileName Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"SetLog"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010036; classtype:attempted-user; sid:2010036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:pup-activity; sid:2006428; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"WriteToLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010154; classtype:web-application-attack; sid:2010154; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:pup-activity; sid:2006429; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"SetLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010155; classtype:web-application-attack; sid:2010155; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:pup-activity; sid:2006431; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 403 Forbidden|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010516; classtype:web-application-attack; sid:2010516; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:pup-activity; sid:2006432; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010518; classtype:web-application-attack; sid:2010518; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:pup-activity; sid:2006433; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"FOXITREADEROCXLib.FoxitReaderOCX"; nocase; distance:0; content:"OpenFile "; nocase; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010930; classtype:attempted-user; sid:2010930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:pup-activity; sid:2007570; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Pitbull IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20|"; pcre:"/PRIVMSG.*@(portscan|nmap|back|udpflood|tcpflood|httpflood|linuxhelp|rfi|system|milw0rm|logcleaner|sendmail|join|part|help)/i";  reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007625; classtype:trojan-activity; sid:2007625; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:pup-activity; sid:2007575; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001190; classtype:misc-activity; sid:2001190; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:pup-activity; sid:2007593; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001192; classtype:misc-activity; sid:2001192; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:pup-activity; sid:2007601; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Outbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003295; classtype:trojan-activity; sid:2003295; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:pup-activity; sid:2007602; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hidden iframe Served by nginx - Likely Hostile Code"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; nocase; offset:15; depth:15; content:"<iframe src="; nocase; content:"style=|22|visibility|3a|hidden|3b 22| width=|22|1|22| height=|22|1|22|></iframe>"; nocase; reference:url,doc.emergingthreats.net/2011714; classtype:bad-unknown; sid:2011714; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:pup-activity; sid:2007642; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, former_category CURRENT_EVENTS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; http.uri; content:"?proto="; nocase; content:"&rc="; nocase; content:"&v="; nocase; content:"&abbr="; nocase; content:"&platform="; nocase; content:"&os_version="; nocase; content:"&ac="; nocase; content:"&appid="; nocase; content:"&em="; nocase; content:"&pcid="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:pup-activity; sid:2007664; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malvertising drive by kit collecting browser info"; flow:established,to_server; uricontent:"/plugins.php?p=appName"; nocase; reference:url,doc.emergingthreats.net/2011224; classtype:bad-unknown; sid:2011224; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:pup-activity; sid:2007690; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; uricontent:"/x/?src="; nocase; uricontent:"&o=o"; nocase; reference:url,doc.emergingthreats.net/2011230; classtype:bad-unknown; sid:2011230; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:pup-activity; sid:2007696; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:!"nextgen-gallery"; nocase; within:15; content:"/ngg.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; classtype:trojan-activity; sid:2008387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; fast_pattern; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:pup-activity; sid:2007744; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:"/b.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; classtype:trojan-activity; sid:2008388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:pup-activity; sid:2007749; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"GOMWEBCTRLLib.GomWeb"; nocase; distance:0; content:"Command"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010368; classtype:web-application-attack; sid:2010368; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:pup-activity; sid:2007759; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST "; depth:5; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:pup-activity; sid:2007772; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008640; classtype:attempted-recon; sid:2008640; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"PCDoc"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:pup-activity; sid:2007786; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"mypcdoc"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:pup-activity; sid:2007804; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:pup-activity; sid:2007809; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail Message Send"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000044; classtype:policy-violation; sid:2000044; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rabio Spyware/Adware Initial Registration"; flow:established,to_server; content:"POST"; http_method; nocase; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:pup-activity; sid:2007820; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail General Page View"; flow:to_server,established; content:"/ym/login"; http_uri; nocase; content:".rand="; nocase; reference:url,doc.emergingthreats.net/2000341; classtype:policy-violation; sid:2000341; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:pup-activity; sid:2007855; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail Inbox Access"; flow:to_server,established; content:"/gmail?view=tl&search=inbox&start="; http_uri; nocase; reference:url,doc.emergingthreats.net/2001424; classtype:policy-violation; sid:2001424; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:pup-activity; sid:2007861; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1"; nocase; distance:0; content:"URL"; nocase; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010374; classtype:attempted-user; sid:2010374; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:pup-activity; sid:2007870; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HyleosChemView.HLChemView"; nocase; distance:0; pcre:"/(ReadMolFile|SaveasMolFile)/i"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010999; classtype:attempted-user; sid:2010999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:pup-activity; sid:2007899; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris HelpDesk"; flow:to_server,established; content:"/aexhd/worker/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009696; classtype:misc-activity; sid:2009696; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:pup-activity; sid:2007935; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris Console"; flow:to_server,established; content:"/altiris/ns/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009697; classtype:misc-activity; sid:2009697; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:pup-activity; sid:2007938; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 4 download"; flow:established; content:"REGEDIT4"; content:"|0D 0A|"; distance:0; content:"["; distance:0; content:"HKEY_"; distance:0; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000420; classtype:misc-activity; sid:2000420; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"gh20"; http_user_agent; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:pup-activity; sid:2007944; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MSI (microsoft installer file) download"; flow:established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001115; classtype:bad-unknown; sid:2001115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:pup-activity; sid:2007945; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:" 200 Connection established|0d 0a|Proxy-agent|3a| CCProxy "; depth:58; reference:url,www.youngzsoft.net; reference:url,doc.emergingthreats.net/bin/view/Main/2007576; classtype:trojan-activity; sid:2007576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:pup-activity; sid:2007946; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"IbmEgath.IbmEgathCtl.1"; distance:0; nocase; content:"GetXMLValue"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010482; classtype:attempted-user; sid:2010482; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:pup-activity; sid:2007947; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003103; classtype:attempted-user; sid:2003103; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:pup-activity; sid:2007958; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003105; classtype:attempted-user; sid:2003105; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:pup-activity; sid:2007959; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; nocase; reference:url,doc.emergingthreats.net/2003162; classtype:attempted-user; sid:2003162; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:pup-activity; sid:2007977; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsaIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; nocase; reference:url,doc.emergingthreats.net/2003163; classtype:attempted-user; sid:2003163; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:pup-activity; sid:2007978; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Business Object Factory object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; nocase; reference:url,doc.emergingthreats.net/2003164; classtype:attempted-user; sid:2003164; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:pup-activity; sid:2007993; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook Data Object object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F033-0000-0000-C000-000000000046"; nocase; reference:url,doc.emergingthreats.net/2003165; classtype:attempted-user; sid:2003165; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:pup-activity; sid:2007995; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook.Application object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F03A-0000-0000-C000-000000000046"; nocase; reference:url,doc.emergingthreats.net/2003166; classtype:attempted-user; sid:2003166; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:pup-activity; sid:2007996; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; content:"CLSID"; nocase; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; reference:url,doc.emergingthreats.net/2003514; classtype:attempted-user; sid:2003514; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:pup-activity; sid:2008000; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url,osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003231; classtype:attempted-user; sid:2003231; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:pup-activity; sid:2008016; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)"; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003232; classtype:attempted-user; sid:2003232; rev:59; metadata:created_at 2010_07_30, former_category ACTIVEX, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:pup-activity; sid:2008066; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution"; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003233; classtype:attempted-user; sid:2003233; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:pup-activity; sid:2008067; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; reference:url,osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003234; classtype:attempted-user; sid:2003234; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:pup-activity; sid:2008069; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<body\s+[^>]*onUnload\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009132; classtype:web-application-attack; sid:2009132; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:pup-activity; sid:2008135; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (img)"; flow:from_server,established; content:"img"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<img\s+[^>]*onEnd\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009133; classtype:web-application-attack; sid:2009133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:pup-activity; sid:2008145; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<body\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009134; classtype:web-application-attack; sid:2009134; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:pup-activity; sid:2008146; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt"; flow:from_server,established; content:"img"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<img\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009135; classtype:web-application-attack; sid:2009135; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:pup-activity; sid:2008148; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003400; classtype:web-application-attack; sid:2003400; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; fast_pattern; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:pup-activity; sid:2008149; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003401; classtype:web-application-attack; sid:2003401; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008150; classtype:pup-activity; sid:2008150; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003402; classtype:web-application-attack; sid:2003402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:pup-activity; sid:2008151; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003403; classtype:web-application-attack; sid:2003403; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:pup-activity; sid:2008157; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002783; classtype:trojan-activity; sid:2002783; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:pup-activity; sid:2008158; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002784; classtype:trojan-activity; sid:2002784; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:pup-activity; sid:2008180; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Java field reflector call java.lang.reflect.field"; flow:from_server,established; content:"java/lang/reflect/Field"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002785; classtype:trojan-activity; sid:2002785; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:pup-activity; sid:2008190; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Javascript unsafe applet call"; flow:from_server,established; content: "sun.misc.Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002786; classtype:trojan-activity; sid:2002786; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:pup-activity; sid:2008197; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Javascript Securitymanager class applet call"; flow:from_server,established; content: "java.lang.SecurityManager"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002787; classtype:trojan-activity; sid:2002787; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:pup-activity; sid:2008198; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001181; classtype:misc-attack; sid:2001181; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:pup-activity; sid:2008202; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; uricontent:"ts/in.cgi?pepsi"; nocase; pcre:"/ts\/in\.cgi\?pepsi\d+/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; classtype:bad-unknown; sid:2010222; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:pup-activity; sid:2008203; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; reference:url,doc.emergingthreats.net/2008621; classtype:web-application-attack; sid:2008621; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:pup-activity; sid:2008204; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image22 ActiveX DrawIcon Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"1DC09FDF-2EF8-4CE9-ADEA-4D6A98A2F779"; nocase; distance:0; content:"DrawIcon"; nocase; reference:url,exploit-db.com/exploits/14321/; reference:url,doc.emergingthreats.net/2011250; classtype:web-application-attack; sid:2011250; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:pup-activity; sid:2008205; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"BDF9442E-9B03-42C2-87BA-2A459B0A5317"; nocase; pcre:"/file\:.*\.(jpg|ini|exe|dll|bat|com|cab|txt)/i"; content:"BuildSlideShow"; reference:url,www.milw0rm.com/exploits/4981; reference:bugtraq,27439; reference:url,doc.emergingthreats.net/2007853; classtype:web-application-attack; sid:2007853; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:pup-activity; sid:2008356; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"F8984111-38B6-11D5-8725-0050DA2761C4"; nocase; distance:0; content:"ImShExt.dll"; nocase; content:"DoWebMenuAction"; nocase; content:"INCREDISHELLEXTLib.IMMenuShellExt"; nocase; content:"String"; nocase; distance:0; pcre:"/[0-9]{3,}/"; reference:url,www.milw0rm.com/exploits/3877; reference:bugtraq,23674; reference:cve,CVE-2007-1683; reference:url,doc.emergingthreats.net/2007931; classtype:web-application-attack; sid:2007931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopcenter.co .kr Spyware Install Report"; flow:established,to_server; http.uri; content:"/RewardInstall.php?mac=0"; content:"&hdd="; content:"&ver="; content:"&ie="; content:"&win="; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:pup-activity; sid:2008370; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"032038A5-B655-11D3-BB7D-0050DA276194"; nocase; distance:0; content:"Authenticate"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*032038A5-B655-11D3-BB7D-0050DA276194/si"; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011048; classtype:attempted-user; sid:2011048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; fast_pattern; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:pup-activity; sid:2008375; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ISWiAuto15.ISWiSequence"; nocase; distance:0; content:"SaveToFile"; nocase; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010257; classtype:attempted-user; sid:2010257; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET ADWARE_PUP Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:pup-activity; sid:2008402; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite clsid Access"; flow:established,to_client; content:"34E7A6F9-F260-46BD-AAC8-1E70E22139D2"; nocase; content:"SaveToFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*34E7A6F9-F260-46BD-AAC8-1E70E22139D2/si"; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010258; classtype:web-application-attack; sid:2010258; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:pup-activity; sid:2008419; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX InstanGet v2.08 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"98C92840-EB1C-40BD-B6A5-395EC9CD6510D"; nocase; distance:0; content:"ShowBar"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C92840-EB1C-40BD-B6A5-395EC9CD6510/si"; reference:url,www.packetstormsecurity.org/0909-exploits/instantget-dos.txt; reference:url,doc.emergingthreats.net/2010279; classtype:web-application-attack; sid:2010279; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:pup-activity; sid:2008425; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; nocase; distance:0; content:"SaveToFile"; nocase; reference:bugtraq,33345; reference:url,doc.emergingthreats.net/2009115; classtype:web-application-attack; sid:2009115; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:pup-activity; sid:2008456; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"INCREDISPOOLERLib.Pop"; nocase; distance:0; content:"Authenticate"; nocase; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011049; classtype:attempted-user; sid:2011049; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:pup-activity; sid:2008474; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; reference:url,doc.emergingthreats.net/2009434; classtype:web-application-attack; sid:2009434; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:pup-activity; sid:2008484; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JuniperSetup Control Buffer Overflow"; flow:established,from_server; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; pcre:"/param[^>]*name\s*=\s*["']?productname["']?[^>]*\s+value\s*=\s*(['"])((?!\1).|\\['"]){200}/Ri"; reference:url,www.eeye.com/html/research/advisories/AD20060424.html; reference:url,doc.emergingthreats.net/2002889; classtype:attempted-user; sid:2002889; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:pup-activity; sid:2008485; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftpuser; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; classtype:trojan-activity; sid:2007715; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|3b 20|Antivir"; http_user_agent; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:pup-activity; sid:2008549; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; classtype:trojan-activity; sid:2007725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:pup-activity; sid:2008647; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; classtype:trojan-activity; sid:2007726; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:pup-activity; sid:2008656; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Agent.END"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; content:"MyValue="; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010243; classtype:trojan-activity; sid:2010243; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:pup-activity; sid:2008681; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Slowloris Tool HTTP/Proxy Denial Of Service Attempt"; flow:to_server,established; content:"GET /"; depth:5; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| Trident/4.0"; http_header; threshold: type threshold, track by_src, count 100, seconds 30; reference:url,isc.sans.org/diary.html?storyid=6601; reference:url,www.packetstormsecurity.com/filedesc/slowloris.pl.txt.html; reference:url,doc.emergingthreats.net/2009413; classtype:attempted-dos; sid:2009413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:pup-activity; sid:2008742; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Casalemedia.com Related User Agent (0 0 ...)"; flow: established,to_server; content:"|0d 0a|User-Agent|3a| 0|3a|0|3a|"; pcre:"/\x0d\x0aUser-Agent\: 0\:0\:[^\n]{120}/"; reference:url,doc.emergingthreats.net/2007647; classtype:trojan-activity; sid:2007647; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (bdsclk) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:pup-activity; sid:2008743; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unidentified Spyware User Agent (0 0 + 128 chars)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 0|3a|0|3a|"; nocase; pcre:"/User-Agent\: 0\:0\:[^\x0a|\x0d]{128}/"; reference:url,doc.emergingthreats.net/2007615; classtype:trojan-activity; sid:2007615; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:pup-activity; sid:2008753; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0; content:"KEYHELP"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si"; reference:url,www.securityfocus.com/bid/36546/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html; reference:url,doc.emergingthreats.net/2010012; classtype:attempted-user; sid:2010012; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:pup-activity; sid:2008757; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/iR"; content:"SaveSettingsToFile"; distance:0; nocase; reference:url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html; reference:bugtraq,28442; reference:cve,CVE-2008-1605; reference:url,doc.emergingthreats.net/2008129; classtype:web-application-attack; sid:2008129; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:pup-activity; sid:2008839; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Liquid XML Studio 2010 OpenFile Method Remote Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E68E401C-7DB0-4F3A-88E1-159882468A79"; nocase; distance:0; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E68E401C-7DB0-4F3A-88E1-159882468A79/si"; reference:url,exploit-db.com/exploits/11750; reference:url,doc.emergingthreats.net/2011050; classtype:attempted-user; sid:2011050; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:pup-activity; sid:2008840; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Logitech VideoCall ActiveX Start method buffer overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"BF4C7B03-F381-4544-9A33-CB6DAD2A87CD"; nocase; distance:0; content:"Start"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BF4C7B03-F381-4544-9A33-CB6DAD2A87CD/si"; reference:url,osvdb.org/36820; reference:url,www.packetstormsecurity.nl/0911-exploits/logitechvideocall_start.rb.txt; reference:url,www.kb.cert.org/vuls/id/330289; reference:url,doc.emergingthreats.net/2010851; classtype:web-application-attack; sid:2010851; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:pup-activity; sid:2008894; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt"; flow:established,to_client; content:"setInterval("; nocase; content:"document.getElementById"; nocase; distance:0; content:".innerHTML"; nocase; distance:0; content:".toString("; nocase; within:60; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20815; reference:url,reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1; reference:url,doc.emergingthreats.net/2011764; classtype:attempted-user; sid:2011764; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:pup-activity; sid:2008915; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Opera Web Browser Content-Length Buffer Overflow Attempt"; flowbits:isset,ET.opera.useragent.request; flow:established,to_client; content:"Content-Length|3A|"; nocase; isdataat:3000,relative; content:!"|0A|"; within:3000; content:"Location|3A| chrome|3A|//"; nocase; distance:3000; reference:url,www.securityfocus.com/bid/38519; reference:url,doc.emergingthreats.net/2010874; classtype:attempted-user; sid:2010874; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:pup-activity; sid:2008917; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOZXLib.EmbeddedMoz"; nocase; distance:0; content:"ExecCommand"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010364; classtype:web-application-attack; sid:2010364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:pup-activity; sid:2008918; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TRATLLib.Options"; nocase; distance:0; content:"Run"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010366; classtype:web-application-attack; sid:2010366; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:pup-activity; sid:2009021; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rising Online Virus Scanner ActiveX Scan Method stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RavOLCtlLib.RavOnline"; nocase; distance:0; content:"Scan"; nocase; reference:url,packetstorm.foofus.com/1002-exploits/risingonline-dos.txt; reference:bugtraq,38282; reference:url,doc.emergingthreats.net/2011021; classtype:attempted-user; sid:2011021; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:pup-activity; sid:2009091; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Buffer Overflow Function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"VSFlexGrid.VSFlexGridL"; nocase; distance:0; pcre:"/(Text|EditSelText|EditText|CellFontName|Archive)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010467; classtype:web-application-attack; sid:2010467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (get_site1)"; flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:pup-activity; sid:2009111; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"RunCmd"; nocase; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010370; classtype:attempted-user; sid:2010370; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:pup-activity; sid:2009124; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"cliproxy.objects.1"; nocase; distance:0; content:"SetRemoteComputerName"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010959; classtype:attempted-user; sid:2010959; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:pup-activity; sid:2009150; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"DeleteValue"; nocase; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010835; classtype:attempted-user; sid:2010835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:pup-activity; sid:2009234; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX WriteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"WriteValue"; nocase; reference:url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt; reference:url,doc.emergingthreats.net/2010837; classtype:attempted-user; sid:2010837; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:pup-activity; sid:2009289; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RichUploadLib.UploadControl"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010703; classtype:attempted-user; sid:2010703; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:pup-activity; sid:2009438; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"APWebGrabber.Object"; nocase; distance:0; content:"GetStatus"; nocase; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010690; classtype:attempted-user; sid:2010690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:pup-activity; sid:2009439; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 ActiveX control Import method Heap Overflow Attempt"; flow:established,to_client; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:"Import"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; reference:url,doc.emergingthreats.net/2010977; classtype:attempted-user; sid:2010977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:pup-activity; sid:2009712; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FathFTP ActiveX Control RasIsConnected Method Buffer Overflow Attempt"; flow:to_client,established; flowbits:isset,etpro.clsid.detected; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"RasIsConnected"; nocase; reference:url,exploit-db.com/exploits/14269/; reference:url,doc.emergingthreats.net/2011252; classtype:web-application-attack; sid:2011252; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:pup-activity; sid:2009765; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Opera User-Agent Flowbit Set"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| Opera/"; nocase; flowbits:set,ET.opera.useragent.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010873; classtype:not-suspicious; sid:2010873; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:pup-activity; sid:2009785; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2016_09_29;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft XML Core Services DTD Cross Domain Information Disclosure object"; flow:to_client,established; content:"Msxml2.DOMDocument.3.0"; nocase; content:"loadXML"; distance:0; nocase; content:"parseError.srcText"; distance:0; nocase; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008886; classtype:web-application-attack; sid:2008886; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:pup-activity; sid:2009796; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:"<imfl>"; pcre:"/<[^>%]*%/R"; content:"</imfl>"; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; reference:url,doc.emergingthreats.net/bin/view/Main/2002381; classtype:web-application-attack; sid:2002381; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:pup-activity; sid:2009809; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001099; classtype:misc-attack; sid:2001099; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?s="; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:pup-activity; sid:2009880; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001101; classtype:misc-attack; sid:2001101; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009995; classtype:pup-activity; sid:2009995; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; classtype:misc-attack; sid:2001102; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:pup-activity; sid:2010218; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to access SHELL#=#="; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001103; classtype:misc-attack; sid:2001103; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,doc.emergingthreats.net/2010333; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,e4664144f8e95cfec510d5efa24a35e7; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; classtype:pup-activity; sid:2010333; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001105; classtype:misc-activity; sid:2001105; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:pup-activity; sid:2010500; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001106; classtype:misc-activity; sid:2001106; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:pup-activity; sid:2010501; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001048; classtype:misc-activity; sid:2001048; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:pup-activity; sid:2010904; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url,riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; classtype:attempted-user; sid:2003110; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"Mozilla/0."; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2010905; classtype:pup-activity; sid:2010905; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection"; flow:from_server,established; content:"ftp|3a|//"; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; reference:url,doc.emergingthreats.net/bin/view/Main/2003230; classtype:attempted-user; sid:2003230; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:pup-activity; sid:2011087; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; classtype:suspicious-filename-detect; sid:2010783; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:pup-activity; sid:2011101; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY route1.com SSL certificate for remote access detected"; flow:established,to_client; content:"Route1 Security Corporation"; nocase; classtype:bad-unknown; sid:2011579; rev:1; metadata:attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:pup-activity; sid:2011105; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"CheckForUpdates"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/210560; classtype:web-application-attack; sid:2010560; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:pup-activity; sid:2011123; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"UpdateComponents"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010561; classtype:web-application-attack; sid:2010561; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:pup-activity; sid:2011229; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/include/admin/device_admin.php?"; nocase; uricontent:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; classtype:web-application-attack; sid:2011556; rev:1; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:pup-activity; sid:2011297; rev:4; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; classtype:attempted-user; sid:2010692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011517; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A; reference:url,support.microsoft.com/kb/971029; classtype:suspicious-filename-detect; sid:2011526; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011518; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"<!DOCTYPE"; nocase; distance:0; content:"<!ENTITY"; nocase; distance:0; content:"<soapenv|3A|Envelope"; nocase; distance:0; content:"<ns1|3A|Username>"; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1; metadata:created_at 2010_09_27, former_category EXPLOIT, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:pup-activity; sid:2011679; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCTAVIFileLib.AVIFileM"; nocase; distance:0; content:"OpenFile"; nocase; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010357; classtype:web-application-attack; sid:2010357; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:pup-activity; sid:2011691; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"PCA"; within:50; classtype:not-suspicious; sid:2011539; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:pup-activity; sid:2011718; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; flowbits:isset,etpro.clsid.detected; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002172; classtype:web-application-attack; sid:2002172; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,de1adb1df396863e7e3967271e7db734; classtype:pup-activity; sid:2011856; rev:4; metadata:created_at 2010_10_26, former_category ADWARE_PUP, updated_at 2010_10_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to js.zedo.com.* host"; flow:established,to_server; content:"Host|3a| js.zedo.com."; http_header; classtype:bad-unknown; sid:2011303; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:pup-activity; sid:2011938; rev:6; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to media.fastclick.net.* host"; flow:established,to_server; content:"Host|3a| media.fastclick.net."; http_header; classtype:bad-unknown; sid:2011302; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:pup-activity; sid:2011939; rev:8; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to view.ads.* host"; flow:established,to_server; content:"Host|3a| view.ads."; http_header; classtype:bad-unknown; sid:2011304; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:pup-activity; sid:2012172; rev:6; metadata:created_at 2011_01_12, former_category ADWARE_PUP, updated_at 2011_01_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to adnet.media.* host"; flow:established,to_server; content:"Host|3a| adnet.media."; http_header; classtype:bad-unknown; sid:2011305; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012228; rev:6; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to adfarm.mediaplex.com.* host"; flow:established,to_server; content:"Host|3a| adfarm.mediaplex.com."; http_header; classtype:bad-unknown; sid:2011306; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012229; rev:8; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting redirect to drive by - .php?c=cust"; flow:established,to_server; content:".php?c=cust"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011231; classtype:bad-unknown; sid:2011231; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:pup-activity; sid:2012536; rev:4; metadata:created_at 2011_03_22, former_category ADWARE_PUP, updated_at 2011_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET DELETED Yoyo-DDoS Bot Command from CnC Server"; flow:established,from_server; dsize:124; content:"|C1 00 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011401; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:pup-activity; sid:2012615; rev:3; metadata:created_at 2011_04_01, former_category ADWARE_PUP, updated_at 2011_04_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; classtype:bad-unknown; sid:2011546; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; classtype:pup-activity; sid:2012804; rev:6; metadata:created_at 2011_05_14, former_category ADWARE_PUP, updated_at 2011_05_14;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_client; content:"WScript.Shell"; nocase; content:"shell.Run"; nocase; within:40; content:"|22|"; within:6; reference:url,msdn.microsoft.com/en-us/library/d5fk67ky(VS.85).aspx; reference:url,doc.emergingthreats.net/2010961; classtype:attempted-user; sid:2010961; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:pup-activity; sid:2013389; rev:3; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2011_08_10;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c/si"; reference:url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/; reference:bid,42100; reference:url,doc.emergingthreats.net/2011509; classtype:attempted-user; sid:2011509; rev:2; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:pup-activity; sid:2013405; rev:4; metadata:created_at 2011_08_11, former_category ADWARE_PUP, updated_at 2011_08_11;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:pup-activity; sid:2013448; rev:7; metadata:created_at 2011_08_22, former_category ADWARE_PUP, updated_at 2011_08_22;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:pup-activity; sid:2013658; rev:3; metadata:created_at 2011_09_15, former_category ADWARE_PUP, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab jquery.jxx"; flow:established,to_server; content:"/jquery.jxx?v="; http_uri; classtype:bad-unknown; sid:2011353; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:pup-activity; sid:2013729; rev:3; metadata:created_at 2011_10_01, former_category ADWARE_PUP, updated_at 2011_10_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Driveby bredolab server response contains .ru 8080/index.php?"; flow:established,to_client; content:".ru|3a|8080/index.php?"; classtype:bad-unknown; sid:2011351; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET ADWARE_PUP W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; classtype:pup-activity; sid:2013956; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2017_09_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state|3a| 0 - zombie is ready for control"; depth:38; reference:url,doc.emergingthreats.net/2008507; classtype:trojan-activity; sid:2008507; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:pup-activity; sid:2013999; rev:3; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2011_12_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data|3a| "; nocase; content:"Hora|3a| "; nocase; content:"Development by "; nocase; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; reference:url,doc.emergingthreats.net/2002977; classtype:trojan-activity; sid:2002977; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:pup-activity; sid:2014069; rev:5; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2012_01_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Bredavi Checkin"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; http_uri; nocase; reference:url,doc.emergingthreats.net/2010791; classtype:trojan-activity; sid:2010791; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; reference:md5,8eaf3b7b72a9af5a85d01b674653ccac; classtype:pup-activity; sid:2014117; rev:5; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft Windows"; nocase; content:"Mac Address.."; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002976; classtype:trojan-activity; sid:2002976; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"EoAgence-"; http_user_agent; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:pup-activity; sid:2014120; rev:4; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 3 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Subject|3a| INFECT - "; nocase; content:"Data|3a| "; nocase; content:"Windows|3a| Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002980; classtype:trojan-activity; sid:2002980; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:pup-activity; sid:2014183; rev:5; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2012_02_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina"; nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002981; classtype:trojan-activity; sid:2002981; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014287; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Delf/Hupigon C&C Channel Version Report"; flow:established,to_server; dsize:<25; content:"VERSON|3a|"; depth:7; reference:url,doc.emergingthreats.net/2007930; classtype:command-and-control; sid:2007930; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:pup-activity; sid:2014403; rev:3; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2012_03_20;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:coin-mining; sid:2014535; rev:4; metadata:created_at 2012_04_10, former_category ADWARE_PUP, updated_at 2012_04_10;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; reference:url,doc.emergingthreats.net/bin/view/Main/2007847; classtype:web-application-attack; sid:2007847; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"microsoft_predator_client"; nocase; http_header; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:pup-activity; sid:2014584; rev:6; metadata:created_at 2012_04_16, former_category ADWARE_PUP, updated_at 2012_04_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; content:!"|0d 0a|"; within:150; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:cve,2009-3023; classtype:attempted-admin; sid:2009828; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; content:"|0d 0a 0d 0a|cfgint="; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:pup-activity; sid:2014605; rev:7; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Donbot Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; depth:7; reference:url,doc.emergingthreats.net/2008450; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; classtype:command-and-control; sid:2008450; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:pup-activity; sid:2014606; rev:5; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007704; classtype:attempted-user; sid:2007704; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:pup-activity; sid:2014735; rev:4; metadata:created_at 2012_05_11, former_category ADWARE_PUP, updated_at 2012_05_11;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt"; flow:established,to_client; content:"window.open("; nocase; content:"setTimeout("; nocase; distance:0; content:"document.body.innerHTML"; nocase; distance:0; content:".stop"; nocase; distance:0; pcre:"/(window|w)\x2Estop/i"; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-45.html; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=556957; reference:cve,2010-1206; reference:url,doc.emergingthreats.net/2011240; classtype:misc-attack; sid:2011240; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:pup-activity; sid:2014798; rev:3; metadata:created_at 2012_05_22, former_category ADWARE_PUP, updated_at 2012_05_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key|3a|"; distance:0; reference:url,doc.emergingthreats.net/2008005; classtype:trojan-activity; sid:2008005; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:pup-activity; sid:2014810; rev:5; metadata:created_at 2012_05_25, former_category ADWARE_PUP, updated_at 2012_05_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Banker.OT Checkin (2 packet)"; flow:established,to_server; content:"praquem="; depth:8; content:"&titulo="; content:"&texto="; reference:url,doc.emergingthreats.net/2008491; classtype:trojan-activity; sid:2008491; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015018; rev:3; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2012_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; reference:url,doc.emergingthreats.net/2007805; classtype:trojan-activity; sid:2007805; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:pup-activity; sid:2018099; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004313; classtype:web-application-attack; sid:2004313; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:pup-activity; sid:2018149; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004314; classtype:web-application-attack; sid:2004314; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018338; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004315; classtype:web-application-attack; sid:2004315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018339; rev:4; metadata:created_at 2014_03_31, former_category ADWARE_PUP, updated_at 2014_03_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004316; classtype:web-application-attack; sid:2004316; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET ADWARE_PUP DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:pup-activity; sid:2018458; rev:4; metadata:created_at 2014_05_09, former_category ADWARE_PUP, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004318; classtype:web-application-attack; sid:2004318; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:pup-activity; sid:2018617; rev:7; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2016_06_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004317; classtype:web-application-attack; sid:2004317; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:pup-activity; sid:2020422; rev:16; metadata:created_at 2015_02_13, former_category ADWARE_PUP, updated_at 2016_07_20;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Browser HiJacker/Infostealer Stat file"; flow:established,to_server; content:"|5B00|u|00|p|00|d|00|a|00|t|00|e|005D|"; nocase; content:"v|00|e|00|r|00|="; nocase; reference:url,doc.emergingthreats.net/2007777; classtype:trojan-activity; sid:2007777; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:pup-activity; sid:2020712; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Likely eCard Malware Laden Email Inbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| You have received an eCard"; nocase; content:"e-card.zip"; nocase; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; reference:url,doc.emergingthreats.net/2008674; classtype:trojan-activity; sid:2008674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"MZ"; within:2; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2020757; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Egspy Infection Report Email"; flow:established,to_server; content:"FROM\: EgySpy Victim"; content:"TO|3a| EgySpy User"; distance:0; content:"SUBJECT|3a| E g y S p y KeyLogger"; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008039; classtype:trojan-activity; sid:2008039; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .cn Domain Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:pup-activity; sid:2012327; rev:6; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/global.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33691; reference:url,milw0rm.com/exploits/8026; reference:url,doc.emergingthreats.net/2009846; classtype:web-application-attack; sid:2009846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:pup-activity; sid:2012328; rev:8; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UNION SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003765; classtype:web-application-attack; sid:2003765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.iBryte.BO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do/?event="; depth:22; fast_pattern; content:"&user_id="; distance:0; http.user_agent; content:"download manager"; reference:md5,be6363e960d9a40b8e8c5825b13645c7; classtype:pup-activity; sid:2028633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_09_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid INSERT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003766; classtype:web-application-attack; sid:2003766; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; reference:url,doc.emergingthreats.net/2006420; classtype:pup-activity; sid:2006420; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_09_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid DELETE"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003767; classtype:web-application-attack; sid:2003767; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; dns_query; content:"go.querymo.com"; depth:14; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid ASCII"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003768; classtype:web-application-attack; sid:2003768; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Download Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"DownloadTracKRecord"; content:"<mac>"; distance:0; content:"<prgname>"; distance:0; content:"<cpuid>"; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003769; classtype:web-application-attack; sid:2003769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Install Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"SSCSM_TraceRecord"; content:"<prgname>"; distance:0; content:"<macid>"; distance:0; content:"<cpuid>"; distance:0; content:"<sysname>"; distance:0; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WPS wps_shop.cgi Remote Command Execution Attempt"; flow: to_server,established; content:"/wps_shop.cgi?"; http_uri; nocase; pcre:"/(art=\|.+\|)/"; reference:bugtraq,14245; reference:url,doc.emergingthreats.net/2002100; classtype:web-application-attack; sid:2002100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?q22="; startswith; content:"&q12=&q21="; distance:7; within:10; content:"&q9=&q16=0&q1="; distance:32; within:14; fast_pattern; reference:md5,3c2d90f21b60c5e2132f89120aa0a5e0; classtype:pup-activity; sid:2029075; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_11_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO"; flow:established,to_server; content:"Subject|3a| Microsoft Windows"; nocase; content:"INFECTADO"; nocase; within:20; reference:url,doc.emergingthreats.net/2002982; classtype:trojan-activity; sid:2002982; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?m22="; startswith; content:"&m12=&m21="; distance:7; within:10; content:"&m9=&m16=0&m1="; distance:32; within:14; fast_pattern; reference:md5,6b540ba2fc2e606e9e2c8b72818caa28; classtype:pup-activity; sid:2029076; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_11_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Login"; flow: to_server,established; content:"/login/login.psp?siteId="; http_uri; content:"triedAimAuth"; reference:url,doc.emergingthreats.net/bin/view/Main/2000572; classtype:policy-violation; sid:2000572; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PrivaZer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hcheck_updates.php?country="; startswith; fast_pattern; content:"&discret="; distance:0; reference:md5,eef867108e44942e9655ac71d0360d53; classtype:pup-activity; sid:2029098; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Placing Item for sale"; flow: to_server,established; content:"/ws2/eBayISAPI.dll"; http_uri; nocase; content:".ebay.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2001907; classtype:policy-violation; sid:2001907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.COG Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mUser.php"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"HWID="; startswith; content:"&USER="; distance:8; within:6; content:"&VER="; distance:0; content:"&TYPE="; distance:0; isdataat:!2,relative; reference:md5,f60c87a80ff2d2fe7e83667a4106e63f; classtype:pup-activity; sid:2029099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE IE Ilookup Trojan"; flow: from_server,established; content:"#@~^/gAAAA==@#@&@#@&7lMP|3a|HVK^P{P[W1Ehn"; content:"#@~^GAIAAA==@#@&\\CMPsX/DD,xPvEU+kmC2"; reference:url,62.131.86.111/analysis.htm; reference:url,doc.emergingthreats.net/2001066; classtype:misc-activity; sid:2001066; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Bundalore Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ioffers.tar.gz?ts="; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c; classtype:pup-activity; sid:2029106; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Bundalore, signature_severity Minor, updated_at 2019_12_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007611; classtype:trojan-activity; sid:2007611; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to OSX/Bundalore Domain"; dns.query; content:"appsdown.urbanvillager.xyz"; nocase; endswith; classtype:pup-activity; sid:2029107; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Bundalore, signature_severity Minor, updated_at 2019_12_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007612; classtype:trojan-activity; sid:2007612; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallDisck SMTP Checkin"; flow:established,to_server; content:"Subject: PCInfo:"; fast_pattern; content:"<li>User Name:<b>"; content:"PC Name:<b>"; distance:0; content:"<li>Proxy:<b>"; distance:0; content:"Gateway:<b>"; distance:0; reference:md5,b79640ae0cf9f3ad58b14c15c50f3de3; classtype:pup-activity; sid:2029186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007613; classtype:trojan-activity; sid:2007613; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.Q Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/v2/events"; fast_pattern; http.request_body; pcre:"/^[A-F0-9]+$/"; http.header_names; bsize:50; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,0ec90cb6e0e3f8cd86d5d1d08f184e5f; classtype:pup-activity; sid:2029210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007614; classtype:trojan-activity; sid:2007614; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.G Variant Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/1/dg/3/error"; http.request_body; content:"{|22|ApplicationName|22 3a 22|"; startswith; reference:md5,c48e6befa893cb771f0d7b6215240856; classtype:pup-activity; sid:2029211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FOX,ABC On-demand UA"; flow:to_server,established; content:"User-Agent|3a| QSP"; nocase; http_header; reference:url,doc.emergingthreats.net/2007639; classtype:policy-violation; sid:2007639; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.AdWare.iBryte.C Install"; flow:established,to_server; http.uri; content:"/config/"; startswith; content:"/offers.json"; distance:0; content:"version="; content:"pid=installer&ts="; fast_pattern; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:pup-activity; sid:2018197; rev:4; metadata:created_at 2014_03_01, former_category ADWARE_PUP, updated_at 2020_01_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Calendar in Use"; flow:established,to_server; content:"/calendar/"; http_uri; content:"Host|3a| www.google.com"; http_header; nocase; threshold:type both, count 1, seconds 60, track by_src; reference:url,www.computerworld.com.au/index.php?id=1687889918&eid=-255; reference:url,doc.emergingthreats.net/2003597; classtype:policy-violation; sid:2003597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Agent.NPP CnC Activity"; flow:established,to_server; http.request_line; bsize:27; content:"GET /show/push.txt HTTP/1.0"; fast_pattern; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,0bec370f25d557e6dd64d2e9391f23f4; classtype:pup-activity; sid:2029350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_02_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/HoTMaiL?curmbox="; nocase; http_uri; reference:url,doc.emergingthreats.net/2000035; classtype:policy-violation; sid:2000035; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GreatArcadeHits CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reports/install.php?options="; startswith; fast_pattern; http.user_agent; bsize:9; content:"USERAGENT"; reference:md5,15b2b90540f8b47b3773ce7fe80ae96b; classtype:pup-activity; sid:2029351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hi5.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.hi5.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003455; classtype:policy-violation; sid:2003455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/YTDDownloader.F Activity"; flow:established,to_server; http.request_line; content:"GET /offers/offers.php?id="; startswith; fast_pattern; content:" HTTP/1.0"; endswith; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,a53b0c85d4e65e06c59e854b84ad7f17; classtype:pup-activity; sid:2029470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Login Attempt"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"login_username"; reference:url,doc.emergingthreats.net/2007627; classtype:policy-violation; sid:2007627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Data Post"; flow: to_server,established; http.method; content:"POST"; nocase; http.uri; content:"http|3a|//prime.webhancer.com"; nocase; http.header_names; content:"AgentTag"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; classtype:pup-activity; sid:2001677; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_02_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms|3a|xml|3a|ns|3a|xmpp-s"; content:"X-GOOGLE-TOKEN"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002332; classtype:policy-violation; sid:2002332; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Download"; flow: established,to_server; http.uri; content:"/requestimpression.aspx?ver="; nocase; content:"host="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:pup-activity; sid:2001992; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_02_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic friend invited"; flow:to_server; content:"><invitati"; content:"on xmlns=\"google"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002333; classtype:policy-violation; sid:2002333; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?x22="; startswith; content:"&x12=&x21="; distance:7; within:10; content:"&x9=&x16=0&x1="; distance:32; within:14; fast_pattern; reference:md5,6b540ba2fc2e606e9e2c8b72818caa28; classtype:pup-activity; sid:2029531; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_02_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Jabber client sign-on"; flow:to_server; content:"gmail.com"; nocase; content:"jabber.org"; nocase; content:"version="; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002334; classtype:policy-violation; sid:2002334; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/RiskWare.YouXun.X CnC Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.header.raw; content:"Server|3a 20 20 20 20 20 20|"; startswith; content:"|20 20 20 20 20 20 20 20|/SERVER IP|3a 20 20 20|SERverWanip|0d 0a|"; within:60; fast_pattern; reference:md5,67d0bacdb3eae462fd5121eeb72e498f; classtype:command-and-control; sid:2029532; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_02_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET CHAT Possible MSN Messenger File Transfer"; flow:established,from_client; content:"x-msnmsgrp2p"; nocase; content:"appid|3a|"; nocase; pcre:"/appid\x3a\s+2/i"; reference:url,www.hypothetic.org/docs/msn/client/file_transfer.php; reference:url,doc.emergingthreats.net/2008289; classtype:policy-violation; sid:2008289; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ads2Srv Bundle Installer Offer Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bundles.php?cat="; startswith; fast_pattern; content:"&zone="; distance:0; content:"&pid="; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,6ac226609b33b32aa1e1adebb5cfefc0; classtype:pup-activity; sid:2029543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_02_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY McAfee Update User Agent (McAfee AutoUpdate)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; nocase; content:"McAfee AutoUpdate"; http_header; pcre:"/User-Agent\x3a[^\n]+McAfee AutoUpdate/i"; reference:url,doc.emergingthreats.net/2003381; classtype:not-suspicious; sid:2003381; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.YoutubeDownloaderGuru.A Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/php/update.php?m="; startswith; fast_pattern; content:"&s="; within:8; isdataat:!6,relative; http.user_agent; bsize:24; content:"Youtube Music Downloader"; http.header_names; bsize:37; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,638aad567ad2f0fc1a3e223eea6fa9a4; classtype:pup-activity; sid:2029545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_02_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rapidshare auth cookie download"; flow:to_server,established; content:"GET"; http_method; content:"/files/"; http_uri; nocase; content:"rapidshare.com"; nocase; http_header; content:"Cookie|3a| user="; nocase; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006369; classtype:policy-violation; sid:2006369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/YTDDownloader.F Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/pixel.gif?action=install&point=start&version="; startswith; fast_pattern; content:"&lngid="; distance:0; content:"&cid="; distance:0; content:"&isn="; distance:0; content:"&kt="; distance:0; content:"&lt=0"; endswith; reference:md5,5e438deb5e2dd34dcf6e96c8c97f8981; classtype:pup-activity; sid:2029546; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Newzbin Usenet Reader License Check"; flow:established,to_server; content:"/internal/"; http_uri; content:"prodID=nl&licID="; http_uri; content:"&prodVer="; http_uri; content:"Host|3A| www.newsleecher.com"; http_header; reference:url,doc.emergingthreats.net/2009095; classtype:policy-violation; sid:2009095; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (poller)"; flow: to_server,established; http.user_agent; content:"Poller"; fast_pattern; reference:url,doc.emergingthreats.net/2002005; classtype:pup-activity; sid:2002005; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_04_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in URI"; flow:established,to_server; content:"username="; nocase; http_uri; content:"password="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009001; classtype:policy-violation; sid:2009001; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; http.user_agent; content:"DriveCleaner Updater"; bsize:20; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; classtype:pup-activity; sid:2003486; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_04_21, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in POST Data"; flow:established,to_server; content:"POST"; http_method; content:"username="; http_client_body; nocase; content:"password="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009004; classtype:policy-violation; sid:2009004; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Optimum Installer User-Agent IE6 on Windows XP"; flow:established,to_server; http.user_agent; content:"IE6 on Windows XP"; startswith; fast_pattern; classtype:pup-activity; sid:2012629; rev:6; metadata:created_at 2011_04_05, former_category USER_AGENTS, updated_at 2020_04_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring detected"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; nocase; http_header; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003214; classtype:attempted-recon; sid:2003214; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Crackswin Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.host; content:"crackswin.com"; fast_pattern; reference:md5,1cabe67554195a5caf87a3c385e5aa23; classtype:pup-activity; sid:2030164; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_13, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_05_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring Node Active"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; http_header; nocase; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003215; classtype:attempted-recon; sid:2003215; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; http.user_agent; content:"SAIv"; fast_pattern; reference:url,doc.emergingthreats.net/2003062; classtype:pup-activity; sid:2003062; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET http|3a|//"; nocase; depth: 11; reference:url,doc.emergingthreats.net/2001669; classtype:bad-unknown; sid:2001669; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity"; flow:established,to_server; http.start; content:"POST /qy/g"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"js=DhIhAwgjKRsxKCJdJjgcAjIzMREiAQQcJyghAjEsIgIkASoYIg"; startswith; fast_pattern; reference:md5,92a0de9944b6d180f072c4bce5250ec8; classtype:pup-activity; sid:2030222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001670; classtype:bad-unknown; sid:2001670; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity M2"; flow:established,to_server; http.start; content:"POST /qy/g"; depth:10; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"js=|7b 22|appid|22 3a|"; startswith; fast_pattern; content:"|2c 22|avs|22 3a|"; distance:0; reference:md5,efa431afc414c52d0703392a19c9fa2e; classtype:pup-activity; sid:2030250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy POST Request"; flow: to_server,established; content:"POST http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001674; classtype:bad-unknown; sid:2001674; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.VrBrothers.AI Variant CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/SubmitUsageInfor "; startswith; fast_pattern; http.user_agent; bsize:24; content:"Mozilla/4.0 (compatible)"; http.request_body; content:"data="; startswith; reference:md5,b0e8fed85cf0ae29fe921508e9c60fb9; classtype:pup-activity; sid:2030353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
 
-#alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; content:"/proxyjudge.cgi"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003048; classtype:policy-violation; sid:2003048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaDrug CnC Activity"; flow:established,to_server; http.request_line; content:"GET /client.config/?format=json&advert_key="; startswith; fast_pattern; http.uri; content:"&app="; content:"&oslang="; content:"&uid="; reference:md5,d739e41e0ba4f1d72f9283c6fcb2f761; classtype:pup-activity; sid:2030354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:7; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SUPERAntiSpyware Install Checkin"; flow:established,to_server; http.uri; content:"&sEventData=tag:SUPERAntiSpyware.exe"; fast_pattern; http.user_agent; bsize:10; content:"SUPERSetup"; reference:md5,7f97a26e10500250b00e1f3c0240882a; classtype:pup-activity; sid:2030355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"Winamp"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Winamp/Hi"; reference:url,doc.emergingthreats.net/2003168; classtype:policy-violation; sid:2003168; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Predator Anti Ban CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; bsize:11; content:"TrinitySeal"; fast_pattern; http.request_body; content:"&programtoken="; content:"&session_id="; distance:0; content:"&session_salt="; distance:0; reference:md5,2423133b438fdc9ef479d73ca0364060; classtype:pup-activity; sid:2030410; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_06_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/visualizza.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008824; classtype:web-application-attack; sid:2008824; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZoomInfo Contact Contributor Install"; flow:established,to_server; http.request_line; content:"GET /client/installopen?client_id={"; startswith; fast_pattern; content:"} HTTP/"; distance:36; within:7; reference:md5,b2e902c566dda9a77d9dfe1adfc9de59; reference:url,smallbiztrends.com/2010/05/zoominfo-provides-free-sales-prospecting-tool-to-small-businesses-and-entrepreneurs.html; classtype:command-and-control; sid:2030515; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin Flowbit set"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; flowbits:set,ET.PINCH; flowbits:noalert; reference:url,doc.emergingthreats.net/2008468; classtype:trojan-activity; sid:2008468; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FormatFactory Install Checkin"; flow:established,to_server; http.request_line; content:"GET /ff/inst_stat?"; startswith; http.host; bsize:21; content:"server.pcfreetime.com"; reference:md5,3efa61c1ad1bc3a700563f54870676c3; classtype:pup-activity; sid:2030632; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_07_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [587,25] (msg:"ET MALWARE LDPinch Reporting infection via Email"; flow:established,to_server; content:"X-Mailer|3a| Blat v2.6.2 w/GSS encryption, a Win32 SMTP/NNTP mailer http|3a|//www.blat.net|0d 0a|"; content:"|0d 0a|Subject|3a| Contents of file|3a| WINDOWS/system32/"; distance:0; reference:url,doc.emergingthreats.net/2009242; classtype:trojan-activity; sid:2009242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownLoadAdmin Activity"; flow:established,to_server; http.uri; content:"/install.php?bc="; startswith; fast_pattern; content:"&d="; content:"&cb="; http.header_names; content:"|0d 0a|user-agent|0d 0a|x-webinstallcode|0d 0a|"; reference:md5,cff290dcb07183541783bbc9ce7056b4; classtype:pup-activity; sid:2030663; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan-PWS.Win32.Small.gs Passwords leak over FTP"; flow:established,to_server; content:"IE7 Passwords|3a|"; depth:14; content:"FF Passwords"; within:500; reference:url,doc.emergingthreats.net/2008841; classtype:trojan-activity; sid:2008841; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header"; flow:to_server,established; threshold: type limit, count 5, seconds 300, track by_src; http.header; content:"X-OSSProxy|3a 20|OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:13; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_08_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Perfect Keylogger FTP Log Upload"; flow:established,to_server; content:"Log upload date|3a| "; depth:17; content:"|0d 0a|Time|3a| "; within:40; content:"To view DAT files, please do the following steps|3a|"; distance:0; reference:url,doc.emergingthreats.net/2007974; classtype:trojan-activity; sid:2007974; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SpeedRunner User-Agent SRRemove"; flow:established,to_server; http.user_agent; content:"SRRemove"; startswith; classtype:pup-activity; sid:2013394; rev:4; metadata:created_at 2011_08_10, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Silon Encrypted Data POST to C&C"; flow:established,to_server; content:".php?i="; nocase; http_uri; content:"&k="; nocase; http_uri; pcre:"/\.php\?i=\w+_[0-9A-F]{8}&k=\d+$/Ui"; reference:url,www.trusteer.com/webform/w32silon-malware-analysis; reference:url,doc.emergingthreats.net/2010201; classtype:command-and-control; sid:2010201; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Onescan FraudWare User-Agent"; flow:established,to_server; http.user_agent; content:"test_hInternet"; startswith; classtype:pup-activity; sid:2013444; rev:5; metadata:created_at 2011_08_22, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snatch Reporting User Activity"; flow:established,to_server; content:"/snatch/module"; http_uri; content:"User-Agent|3a 20|Snatch-System"; http_header; reference:url,doc.emergingthreats.net/2003515; classtype:trojan-activity; sid:2003515; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (MediaLabsSiteInstaller)"; flow:established,to_server; http.user_agent; content:"MediaLabsSiteInstaller"; startswith; classtype:pup-activity; sid:2013889; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL"; flow:established,to_server; content:".php?"; http_uri; content:"&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; reference:url,doc.emergingthreats.net/2008280; classtype:command-and-control; sid:2008280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)"; flow:established,to_server; threshold:type limit, count 2, seconds 300, track by_src; http.user_agent; content:"OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:36; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_08_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL (2)"; flow:established,to_server; content:"/?&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; reference:url,doc.emergingthreats.net/2008393; classtype:command-and-control; sid:2008393; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET ADWARE_PUP [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; classtype:pup-activity; sid:2024793; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL (3)"; flow:established,to_server; content:"&ns="; http_uri; content:"&id="; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008395; classtype:command-and-control; sid:2008395; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallCore.GF CnC Activity"; flow:established,to_server; http.request_line; content:"GET /installer/configs/"; startswith; fast_pattern; content:" HTTP/1.0"; endswith; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,37cbc5d7eaa9ce6a097950aa051080b5; classtype:pup-activity; sid:2030798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category ADWARE_PUP, malware_family InstallCore, signature_severity Minor, updated_at 2020_08_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; content:"/manda.php?"; nocase; http_uri; content:"ns="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008324; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:md5,b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; classtype:command-and-control; sid:2008324; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.com User-Agent"; flow:established,to_server; http.user_agent; content:"auHTTP component (AppControls.com)"; classtype:pup-activity; sid:2026880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake.Googlebar or Softcash.org Related Post-Infection Checkin"; flow:established,to_server; content:"bl="; http_uri; content:"&cuid="; http_uri; content:"&cnid="; http_uri; content:"&luid="; http_uri; content:"&rnd="; http_uri; reference:url,doc.emergingthreats.net/2008236; classtype:command-and-control; sid:2008236; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.com User-Agent"; flow:established,to_server; http.user_agent; content:"AutoUpgrader component (AppControls.com)"; classtype:pup-activity; sid:2026881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyguarder.com Fake AV Install Report"; flow:established,to_server; content:"/statscnt.js?scrW="; http_uri; content:"&scrH="; http_uri; content:"&ua="; http_uri; content:"&referer="; http_uri; content:"&ref_id="; http_uri; content:"&cn_id="; http_uri; reference:url,doc.emergingthreats.net/2008911; classtype:trojan-activity; sid:2008911; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.com User-Agent"; flow:established,to_server; http.user_agent; content:"acHTTP component (AppControls.com)"; classtype:pup-activity; sid:2027359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Ssppyy.com Surveillance Agent Reporting via Email"; flow:established,to_server; content:"|0d 0a|Subject|3a| SSPPYY notification|0d 0a|X=Mailer|3a| Mail|0d 0a|"; content:"The computer you are monitoring has connected online - The module name of"; distance:5; reference:url,doc.emergingthreats.net/2007780; classtype:trojan-activity; sid:2007780; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator Agent Traffic"; flow:to_server,established; http.user_agent; content:"Gator/"; depth:6; reference:url,doc.emergingthreats.net/2000026; classtype:pup-activity; sid:2000026; rev:39; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010442; classtype:trojan-activity; sid:2010442; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator/Claria Data Submission"; flow: to_server,established; http.method; content:"POST"; nocase; http.uri; content:"gs_trickler"; nocase; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:pup-activity; sid:2000596; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010441; classtype:trojan-activity; sid:2010441; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Reporting Data"; flow: to_server,established; http.uri; content:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:pup-activity; sid:2001031; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stormy Variant HTTP Request"; flow:established,to_server; content:"/zzu/zc.php?l="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&k="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003435; classtype:trojan-activity; sid:2003435; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Regnow.com Access"; flow: to_server,established; http.uri; content:"/softsell/visitor.cgi?"; nocase; content:"affiliate="; nocase; reference:url,www.regnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; classtype:pup-activity; sid:2001223; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stpage Checkin (nomodem)"; flow:established,to_server; content:"/nomodem.php"; http_uri; content:"if="; http_uri; content:"&am="; http_uri; content:"&cl={"; http_uri; content:"&id="; http_uri; reference:url,doc.emergingthreats.net/2008522; classtype:command-and-control; sid:2008522; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator/Clarian Agent"; flow: to_server,established; http.uri; content:"/gbsf/"; nocase; content:"gtrg2ze"; nocase; reference:url,malware.wikia.com/wiki/Claria_Corporation; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; classtype:pup-activity; sid:2001306; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.Downloader Tibs.jy Reporting to C&C"; flow:established,to_server; content:"/post.php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0b5a (Win95|3b| I)"; http_header; nocase; content:"data="; nocase; reference:url,doc.emergingthreats.net/2003238; classtype:command-and-control; sid:2003238; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Websearch.com Spyware"; flow: to_server,established; http.uri; content:"/sitereview.asmx/GetReview"; nocase; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; classtype:pup-activity; sid:2001325; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tibs Download"; flow:established,to_server; content:"/dl.php?code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002960; classtype:trojan-activity; sid:2002960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Install .exe"; flow: to_server,established; http.uri; content:"/install/eZinstall.exe"; nocase; http.user_agent; content:"eZula"; depth:5; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; classtype:pup-activity; sid:2001334; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibs Checkin 2"; flow:established,to_server; content:"/cntr.php?e="; nocase; http_uri; content:"&x="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002961; classtype:command-and-control; sid:2002961; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BInet Information Upload"; flow: to_server,established; http.uri; content:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; classtype:pup-activity; sid:2001339; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tibs Code Download"; flow:established,to_server; content:"/sred2.exe"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002962; classtype:trojan-activity; sid:2002962; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; http.uri; content:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; classtype:pup-activity; sid:2001395; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Spyware Update Download"; flow:established,to_server; content:"/synctl/task.fcgi?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002964; classtype:trojan-activity; sid:2002964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Downloading Code"; flow: to_server,established; http.uri; content:"/soft/unstall.exe"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; classtype:pup-activity; sid:2001418; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot Spam Download"; flow:established,to_server; content:"/synctl/getmail.fcgi?"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2002965; classtype:trojan-activity; sid:2002965; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Download"; flow: to_server,established; http.uri; content:"MediaTicketsInstaller.cab"; http.host; content:"www.mt-download.com"; startswith; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:pup-activity; sid:2001448; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trats.a Post-Infection Checkin"; flow:established,to_server; content:"AID="; http_uri; content:"GUID="; nocase; http_uri; content:"POST"; depth:4; http_method; content:"|0d 0a|SPK|3a| "; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0) WinNT 5.1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008155; classtype:command-and-control; sid:2008155; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Install Reporting"; flow: to_server,established; http.uri; content:"/report.php?user_id="; fast_pattern; content:"&status="; content:"&country_id="; http.user_agent; content:"Windows Internet"; depth:16; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:pup-activity; sid:2001472; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BackDoor-EGB Check-in"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp"; http_uri; content:"?username="; http_uri; content:"&serverMac="; http_uri; content:"&edition="; pcre:"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/Ui"; reference:url,doc.emergingthreats.net/2009532; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060; classtype:trojan-activity; sid:2009532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (prog)"; flow: to_server,established; http.uri; content:"/dkprogs/dktibs.php"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:pup-activity; sid:2001474; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE smain?scout=acxc Generic Download landing"; flow:established,to_server; content:"GET"; depth:3; http_method; nocase; content:"/smain?scout=acxc"; nocase; http_uri; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010822; classtype:trojan-activity; sid:2010822; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Receiving Commands"; flow: to_server,established; http.uri; content:"/xpsystem/commands.ini"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; classtype:pup-activity; sid:2001475; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.StartPage activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; reference:url,doc.emergingthreats.net/2011228; classtype:trojan-activity; sid:2011228; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (systime)"; flow: to_server,established; http.uri; content:"/dkprogs/systime.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:pup-activity; sid:2001480; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vanquish Trojan HTTP Checkin"; flow:established,to_server; content:"ip="; http_uri; content:"&v=1&s="; http_uri; content:"&h="; http_uri; content:"&kb="; http_uri; content:"&o="; http_uri; content:"&c="; http_uri; content:"&un="; http_uri; content:"&m="; http_uri; content:"&w="; http_uri; content:"&ss="; http_uri; reference:url,doc.emergingthreats.net/2007698; classtype:command-and-control; sid:2007698; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (mstask)"; flow: to_server,established; http.uri; content:"/dkprogs/mstasks3.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:pup-activity; sid:2001483; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Download"; flow: to_server,established; http.uri; content:"/d4.fcgi?v="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:pup-activity; sid:2001488; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP (2)"; flow:established,to_server; content:"php?"; nocase; http_uri; content:"cmp="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&dn_uid="; nocase; http_uri; content:"&dn_affid="; nocase; http_uri; content:"&vm_guid="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&altid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007285; classtype:trojan-activity; sid:2007285; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; http.uri; content:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; classtype:pup-activity; sid:2001494; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut Counter/Check-in"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".asp?mac="; http_uri; content:"&rw="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009457; classtype:trojan-activity; sid:2009457; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; http.uri; content:"/campaigns"; nocase; http.header; content:"outerinfo.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; classtype:pup-activity; sid:2001496; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?SoftName="; nocase; http_uri; content:"&SoftVersion="; nocase; http_uri; content:"&UserIP"; nocase; http_uri; content:"&Mac"; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html; reference:url,www.threatexpert.com/threats/w32-virut-i.html; reference:url,doc.emergingthreats.net/2009829; classtype:trojan-activity; sid:2009829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Activity"; flow: to_server,established; http.host; content:"campaigns.outerinfo.com"; startswith; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; classtype:pup-activity; sid:2001497; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo.dam http Update"; flow:established,to_server; content:"/cgi-bin/heartbeat.php"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"&affiliate_id="; nocase; http_uri; content:"&db=1"; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007573; classtype:trojan-activity; sid:2007573; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer Activity User-Agent (IOKernel)"; flow: to_server,established; http.user_agent; content:"|20|IOKernel/"; reference:url,doc.emergingthreats.net/2001498; classtype:pup-activity; sid:2001498; rev:32; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo HTTP Pre-Install Checkin"; flow:established,to_server; content:"/app/preinstall.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007989; classtype:command-and-control; sid:2007989; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Look2me Spyware Activity (1)"; flow: to_server,established; http.referer; content:"Look2Me"; nocase; startswith; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; classtype:pup-activity; sid:2001499; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo HTTP Post-Install Checkin"; flow:established,to_server; content:"/app/install_done.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007990; classtype:command-and-control; sid:2007990; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; http.uri; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:pup-activity; sid:2001500; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo HTTP Post-Install Checkin (2)"; flow:established,to_server; content:"?w="; nocase; http_uri; content:"&ucid="; nocase; http_uri; content:"&e=00"; nocase; http_uri; content:"&err="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008082; classtype:command-and-control; sid:2008082; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; http.uri; content:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:pup-activity; sid:2001534; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo Variant reporting to Controller via HTTP (1)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/req.html?suid=&cuid="; http_uri; content:"&tid="; http_uri; content:"&cver="; http_uri; content:"&affid="; http_uri; reference:url,doc.emergingthreats.net/2008976; classtype:trojan-activity; sid:2008976; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; http.uri; content:"/protector.exe"; http.host; content:"install.searchmiracle.com"; startswith; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:pup-activity; sid:2001535; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo Variant reporting to Controller via HTTP (2)"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?cuid="; http_uri; content:"&suid="; http_uri; content:"&affid="; http_uri; reference:url,doc.emergingthreats.net/2008977; classtype:trojan-activity; sid:2008977; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BInet Information Install Report"; flow: to_server,established; http.uri; content:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:pup-activity; sid:2001576; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174; classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; http.user_agent; content:"AproposClient AutoLoader"; reference:url,doc.emergingthreats.net/2001703; classtype:pup-activity; sid:2001703; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE w32agent.dsi Domain Update"; flow:established,to_server; content:"/getgewinnspiel.php?uid="; http_uri; reference:url,doc.emergingthreats.net/2002782; classtype:trojan-activity; sid:2002782; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware Install"; flow: established,to_server; http.uri; content:"/AproposClientInstaller.exe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:pup-activity; sid:2001704; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE w32agent.dsi Posting Info"; flow:established,to_server; content:"/postgewinnspiel.php"; http_uri; content:"uid="; http_uri; reference:url,doc.emergingthreats.net/2002781; classtype:trojan-activity; sid:2002781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity"; flow: established,to_server; http.uri; content:"/Bundling/SskUpdater"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:pup-activity; sid:2001731; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Warezov/Stration Communicating with Controller 2"; flow:established,to_server; content:"/chr/"; nocase; http_uri; content:"/e/"; http_uri; content:"?lid="; nocase; http_uri; pcre:"/\/chr\/\d+\/e\/t\d+\?lid=/Ui"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html; reference:url,doc.emergingthreats.net/2003436; classtype:trojan-activity; sid:2003436; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (UCmore)"; flow: to_server,established; http.user_agent; content:"|20|UCmore"; reference:url,doc.emergingthreats.net/2001736; classtype:pup-activity; sid:2001736; rev:273; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Warezov/Stration Data Post to Controller (pr2.cgi)"; flow:established,to_server; content:"/cgi-bin/pr2.cgi"; http_uri; pcre:"/\/cgi-bin\/pr2\.cgi\?[a-zA-Z0-9]{172}/Ui"; reference:url,doc.emergingthreats.net/2006414; classtype:trojan-activity; sid:2006414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; http.user_agent; content:"HelperH"; reference:url,doc.emergingthreats.net/2001746; classtype:pup-activity; sid:2001746; rev:37; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Agent.ajx Trojan Reporting to Server"; flow:established,to_server; content:"/count.php?fid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; content:"&wc="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006448; classtype:trojan-activity; sid:2006448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ABX Toolbar ActiveX Install"; flow: to_server,established; http.uri; content:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; classtype:pup-activity; sid:2001761; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag ActiveX, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=c&s="; http_client_body; reference:url,doc.emergingthreats.net/2008004; classtype:command-and-control; sid:2008004; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Media Pass ActiveX Install"; flow: to_server,established; http.uri; content:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; classtype:pup-activity; sid:2001783; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag ActiveX, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Small.yml or Related HTTP Checkin"; flow:established,to_server; content:"/ClientReg.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008949; classtype:command-and-control; sid:2008949; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Spyware User-Agent (FunWebProducts)"; flow:established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"FunWebProducts"; reference:url,doc.emergingthreats.net/2001855; classtype:pup-activity; sid:2001855; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Small.yml or Related HTTP Command"; flow:established,to_server; content:"/ClientTask.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008952; classtype:trojan-activity; sid:2008952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Spyware User-Agent (Hotbar)"; flow: established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"|3b 20|Hotbar"; reference:url,doc.emergingthreats.net/2001858; classtype:pup-activity; sid:2001858; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD"; depth:4; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; content:"&pid="; http_uri; reference:url,doc.emergingthreats.net/2010240; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Visicom Spyware User-Agent (Visicom)"; flow: established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"Visicom"; reference:url,doc.emergingthreats.net/2001872; classtype:pup-activity; sid:2001872; rev:31; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin"; flow:established,to_server; content:"/stat.php?func=install&pid="; http_uri; content:"&ip="; http_uri; content:"&landing="; http_uri; reference:url,doc.emergingthreats.net/2008250; classtype:command-and-control; sid:2008250; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; http.uri; content:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; classtype:pup-activity; sid:2001890; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zhelatin Update Detected"; flow:established,to_server; content:".php?l="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&rvz1="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007769; classtype:trojan-activity; sid:2007769; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware Reporting"; flow: to_server,established; http.uri; content:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; classtype:pup-activity; sid:2001995; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zlob HTTP Checkin"; flow:established,to_server; content:"/confirm.php?aid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008386; classtype:command-and-control; sid:2008386; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; http.user_agent; content:"IEP"; depth:3; reference:url,doc.emergingthreats.net/2002021; classtype:pup-activity; sid:2002021; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zlob Initial Check-in Version 2 (confirm.php?sid=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"confirm.php?sid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008396; classtype:trojan-activity; sid:2008396; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopathomeselect .com Spyware User-Agent (WebDownloader)"; flow: to_server,established; http.user_agent; content:"WebDownloader"; reference:url,doc.emergingthreats.net/2002038; classtype:pup-activity; sid:2002038; rev:251; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE s4t4n1c Trojan Check-in"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".php"; http_uri; content:"continencia="; http_client_body; content:"&versao_kl="; http_client_body; content:"&data="; http_client_body; content:"&hora="; http_client_body; content:"&nome_maquina="; http_client_body; reference:url,doc.emergingthreats.net/2009518; classtype:trojan-activity; sid:2009518; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; http.uri; content:"/protector.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:pup-activity; sid:2002092; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thespybot.com installation download detected"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php"; http_uri; content:"m="; http_uri; content:"&ydf="; http_uri; content:"&e="; http_uri; content:"&w="; http_uri; content:"&t="; http_uri; content:"&apz="; http_uri; reference:url,doc.emergingthreats.net/2008482; classtype:trojan-activity; sid:2008482; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; http.uri; content:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:pup-activity; sid:2002098; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Evolmi Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/cgi-bin/v.pl|3f 5f|"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008846; classtype:trojan-activity; sid:2008846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; http.uri; content:"/sd?s="; nocase; pcre:"/\/sd\?s=\d+&f=\d/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; classtype:pup-activity; sid:2002196; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET"; http_method; content:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; http_uri; content:"ShowCount="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009800; classtype:policy-violation; sid:2009800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - loadadv***.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/i"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; classtype:pup-activity; sid:2002710; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication)"; flow:to_server,established; content:"/ap_home.html"; http_uri; reference:url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP; reference:url,doc.emergingthreats.net/bin/view/Main/2008862; classtype:misc-activity; sid:2008862; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware 2"; flow: to_server,established; http.uri; content:"/cl/clienthost"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:pup-activity; sid:2002735; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY MediaFire file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/?"; http_uri; content:"Host|3a|"; nocase; http_header; content:"mediafire.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009303; classtype:policy-violation; sid:2009303; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Spyware Install Report"; flow: to_server,established; http.uri; content:"/instreport"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:pup-activity; sid:2002737; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gigasize file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/get.php"; http_uri; content:"Host|3a| "; nocase; http_header; content:"gigasize.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009304; classtype:policy-violation; sid:2009304; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; http.user_agent; content:"|20|iDownloadAgent"; reference:url,doc.emergingthreats.net/2002739; classtype:pup-activity; sid:2002739; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; content:".exe"; nocase; http_uri; pcre:"/(gif|car(d|tao)|jpe?g)\.exe$/Ui"; reference:url,doc.emergingthreats.net/2006434; classtype:trojan-activity; sid:2006434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP My Search Spyware Config Download"; flow: to_server,established; http.uri; content:"/ms"; nocase; content:"cfg.jsp?"; content:"v="; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; classtype:pup-activity; sid:2002839; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Bid Placed"; flow: to_server,established; content:"/ws/eBayISAPI.dll/"; http_uri; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001898; classtype:policy-violation; sid:2001898; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS Trafcool.biz Related Installer"; flow:established,to_server; http.uri; content:"/progs_traff/"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; classtype:pup-activity; sid:2002931; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay View Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001908; classtype:policy-violation; sid:2001908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Tibs Checkin"; flow:established,to_server; http.uri; content:"/adv/"; nocase; content:".php?a1="; nocase; content:"&a2=Type of Processor|3a|"; nocase; content:"&a3=Windows version is|20|"; nocase; content:"&a4=Build|3a|"; nocase; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:pup-activity; sid:2002955; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Watch This Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001909; classtype:policy-violation; sid:2001909; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Elitemediagroup.net Spyware Config Download"; flow:established,to_server; http.uri; content:"/bundle.php?aff="; nocase; reference:url,elitemediagroup.net; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; classtype:pup-activity; sid:2002966; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3A| gsa-crawler"; http_header; nocase; reference:url,www.google.com/enterprise/gsa/index.html; reference:url,doc.emergingthreats.net/2002838; classtype:web-application-activity; sid:2002838; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dollarrevenue.com Spyware Code Download"; flow:established,to_server; http.uri; content:"/bundle/drsmartload.exe"; nocase; reference:url,dollarrevenue.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; classtype:pup-activity; sid:2002967; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2000560; classtype:misc-activity; sid:2000560; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Megaupload Spyware User-Agent (Megaupload)"; flow:to_server,established; http.user_agent; content:"Megaupload"; depth:10; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; classtype:pup-activity; sid:2003224; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2008330; classtype:misc-activity; sid:2008330; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; http.uri; content:"/upd/check?version="; nocase; content:"&localeId="; nocase; content:"&affid="; nocase; content:"&updatevalue="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; classtype:pup-activity; sid:2003344; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN User-Agent Activity"; flow:established,to_server; content:"User-Agent|3a| MSMSGS"; http_header; nocase; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009376; classtype:policy-violation; sid:2009376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyGlobalSearch Spyware bar update"; flow:established,to_server; http.uri; content:"/images/mysearchbar/highlight"; http.header; content:"|20|MySearch)"; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:pup-activity; sid:2003351; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET POLICY JBOSS/JMX port 8080 access from outside"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010378; classtype:web-application-attack; sid:2010378; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyGlobalSearch Spyware bar update 2"; flow:established,to_server; http.uri; content:"/images/mysearchbar/customize"; http.header; content:"|20|MySearch)"; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:pup-activity; sid:2003352; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Mozilla XPI install files download"; flow: from_server,established; content:"content-type|3a| application/x-xpinstall"; http_header; nocase; reference:url,doc.emergingthreats.net/2001114; classtype:bad-unknown; sid:2001114; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware Download"; flow: to_server,established; http.uri; content:"/WebServices/DesktopManager/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; classtype:pup-activity; sid:2003356; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Nagios HTTP Monitoring Connection"; flow:established,to_server; content:"User-Agent|3a| check_http/"; http_header; nocase; content:"(nagios-plugins "; http_header; nocase; reference:url,doc.emergingthreats.net/2006779; classtype:not-suspicious; sid:2006779; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Tools Spyware User-Agent (hbtools)"; flow:to_server,established; http.user_agent; content:"|3b 20|HbTools"; fast_pattern; reference:url,doc.emergingthreats.net/2003383; classtype:pup-activity; sid:2003383; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; reference:url,doc.emergingthreats.net/2001675; classtype:bad-unknown; sid:2001675; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dialno Dialer User-Agent (dialno)"; flow:to_server,established; threshold: type limit, count 5, seconds 60, track by_src; http.user_agent; content:"dialno"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003387; classtype:pup-activity; sid:2003387; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Wget User Agent"; flow:established,to_server; content:"User-Agent|3A| "; nocase; http_header; content:"Wget"; nocase; http_header; reference:url,www.gnu.org/software/wget; reference:url,doc.emergingthreats.net/2002822; classtype:attempted-recon; sid:2002822; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Updating"; flow:to_server,established; http.uri; content:"/sacc/sacc.cfg.php?"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:pup-activity; sid:2003390; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"libwww-perl/"; nocase; http_header; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002934; classtype:attempted-recon; sid:2002934; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; http.user_agent; content:"CS Fingerprint Module"; nocase; reference:url,doc.emergingthreats.net/2003425; classtype:pup-activity; sid:2003425; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002828; classtype:not-suspicious; sid:2002828; rev:9; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Checkin"; flow: to_server,established; http.uri; content:"/notify.php?"; nocase; content:"pid="; nocase; content:"&module="; nocase; content:"&v="; nocase; content:"&result="; nocase; content:"&message="; nocase; http.header; content:"outerinfo.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:pup-activity; sid:2003426; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002830; classtype:not-suspicious; sid:2002830; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Reporting"; flow:established,to_server; http.uri; content:"/reportaddon.cgi?"; nocase; content:"report.cgi?"; nocase; content:"user="; nocase; content:"software="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:pup-activity; sid:2003440; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002832; classtype:not-suspicious; sid:2002832; rev:9; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install INI Download"; flow: to_server,established; http.uri; content:"/GetAd/tekID"; nocase; content:".ini"; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:pup-activity; sid:2003445; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yahoo Crawler Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; classtype:attempted-recon; sid:2002833; rev:7; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; http.user_agent; content:"TBONAS"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:pup-activity; sid:2003501; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002944; classtype:attempted-recon; sid:2002944; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Security-updater.com Spyware Posting Data"; flow:established,to_server; http.uri; content:"/SA/receive_data.php3?tcpc="; http.header; content:"security-updater.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; classtype:pup-activity; sid:2003576; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Briefcase Upload"; flow:to_server,established; content:"briefcase.yahoo.com"; http_header; content:"/process_bcmultipart_form"; http_uri; nocase; reference:url,doc.emergingthreats.net/2001044; classtype:policy-violation; sid:2001044; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; http.user_agent; content:"KUKU"; nocase; depth:4; reference:url,doc.emergingthreats.net/2003636; classtype:pup-activity; sid:2003636; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail Message Send"; flow: to_server,established; content:"Content-Disposition|3A| form-data|3b| name=|22|to|22|"; nocase; http_header; content:"Content-Disposition|3A| form-data|3b| name=|22|msgbody|22|"; nocase; http_header; reference:url,doc.emergingthreats.net/2001426; classtype:policy-violation; sid:2001426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; http.user_agent; content:"mc_v1"; depth:5; reference:url,www.f-secure.com/v-descs/rizo.shtml; reference:url,doc.emergingthreats.net/2003656; classtype:pup-activity; sid:2003656; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo 360 Social Site Access"; flow:established,to_server; content:"Host|3a| 360.yahoo.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003454; classtype:policy-violation; sid:2003454; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; http.user_agent; content:"QQGame"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003658; classtype:pup-activity; sid:2003658; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon.dkxh Checkin to CnC"; flow:established,to_server; content:"OK|2e 01|200"; fast_pattern; depth:20; offset:13; content:"Windows "; distance:4; within:30; reference:url,doc.emergingthreats.net/2008540; classtype:command-and-control; sid:2008540; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; http.user_agent; content:"SpyLocked"; nocase; classtype:pup-activity; sid:2005322; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; http_method; nocase; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; classtype:web-application-attack; sid:2003332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear)"; flow:established,to_server; http.user_agent; content:"AntiVirGear"; reference:url,doc.emergingthreats.net/2007697; classtype:pup-activity; sid:2007697; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST"; http_method; content:"=|22|boturl|22|"; nocase; fast_pattern; content:"=|22|filename|22|"; nocase; content:"=|22|compips|22|"; nocase; content:"=|22|loadername|22|"; nocase; content:"=|22|loaderid|22|"; nocase; content:"=|22|uptime|22|"; nocase; content:"=|22|comptime|22|"; nocase; content:"=|22|winver|22|"; nocase; reference:url,doc.emergingthreats.net/2008319; classtype:trojan-activity; sid:2008319; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP host-domain-lookup.com spyware related Start Report"; flow:established,to_server; http.uri; content:"?udata="; content:"program_started|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; classtype:pup-activity; sid:2007750; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET ADWARE_PUP Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:pup-activity; sid:2001440; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Theinstalls.com Initial Checkin"; flow:established,to_server; http.uri; content:"/plist.php?uid="; http.host; content:"theinstalls.com"; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; classtype:pup-activity; sid:2007788; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launch"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; classtype:attempted-user; sid:2011010; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; http.user_agent; content:"Locus|20|"; depth:6; reference:url,doc.emergingthreats.net/2007845; classtype:pup-activity; sid:2007845; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; content:"offer-"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; classtype:attempted-user; sid:2010665; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP System-defender.com Fake AV Install Checkin"; flow:established,to_server; http.uri; content:"?wmid="; nocase; content:"&mid="; nocase; content:"&lndid="; nocase; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; classtype:pup-activity; sid:2007856; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcom Helper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:!"offer-"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+(service-url|banner|noexec|OS|Lang|return-page|core-product|userid|itemid|_c[xy]|sec-param|secparam)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.exploit-db.com/exploits/11172/; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2011675; classtype:attempted-user; sid:2011675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; http.host; content:"0x"; depth:2; pcre:"/^0x[0-9a-f]+$/"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:pup-activity; sid:2007951; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; content:"clsid"; nocase; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009598; classtype:web-application-attack; sid:2009598; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; http.user_agent; content:"SnoopStick|20|"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; classtype:pup-activity; sid:2007956; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; content:"clsid"; nocase; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009599; classtype:web-application-attack; sid:2009599; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow:to_server,established; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Alexa Toolbar"; reference:url,doc.emergingthreats.net/2008085; classtype:pup-activity; sid:2008085; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; content:"clsid"; nocase; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009600; classtype:web-application-attack; sid:2009600; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP vaccine-program.co.kr Related Spyware User-Agent (vaccine)"; flow:established,to_server; http.user_agent; content:"vaccine"; depth:7; reference:url,doc.emergingthreats.net/2008200; classtype:pup-activity; sid:2008200; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET 3306 -> $HOME_NET any (msg:"ET POLICY External MYSQL Server Connection"; flow:from_server,established; content:"|00|"; depth:1; offset:3; reference:url,doc.emergingthreats.net/2008572; classtype:trojan-activity; sid:2008572; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adaware.BarACE Checkin and Update"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"|2E|php|3F|zone="; nocase; content:"|26|name="; nocase; content:"|26|bpid="; nocase; content:"|26|bnum="; nocase; content:"|26|pid="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; classtype:pup-activity; sid:2008318; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; content:"clsid"; nocase; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009601; classtype:web-application-attack; sid:2009601; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; http.user_agent; content:"ZCOM"; depth:4; classtype:pup-activity; sid:2008503; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; content:"clsid"; nocase; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009602; classtype:web-application-attack; sid:2009602; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; http.user_agent; content:"iWin|20|"; depth:5; reference:url,doc.emergingthreats.net/2008558; classtype:pup-activity; sid:2008558; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; content:"clsid"; nocase; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009603; classtype:web-application-attack; sid:2009603; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ezday.co .kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; http.user_agent; content:"Ezshop"; reference:url,doc.emergingthreats.net/2008594; classtype:pup-activity; sid:2008594; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009604; classtype:web-application-attack; sid:2009604; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; nocase; content:"action=stat&wmid="; nocase; content:"&event="; nocase; content:"&uid="; nocase; content:"&i1"; nocase; content:"&i2"; nocase; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:pup-activity; sid:2008732; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; classtype:web-application-attack; sid:2009606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".asp?rnd="; http.request_body; content:"uid="; depth:4; content:"&ref="; content:"&clid="; content:"&umode="; content:"&cn="; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; classtype:pup-activity; sid:2008798; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; http.uri; content:!"/?rnd="; depth:6; http.header; content:!"citrixonline.com"; http.user_agent; content:"Mozilla/4.0 (compatible)"; fast_pattern; bsize:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:pup-activity; sid:2008974; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; classtype:web-application-attack; sid:2008408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Simbar Spyware User-Agent Detected"; flow:established,to_server; http.user_agent; content:"|3b 20|SIMBAR={"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; classtype:pup-activity; sid:2009005; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; classtype:web-application-attack; sid:2008409; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AgavaDwnl) - Possibly Xema"; flow:established,to_server; http.user_agent; content:"AgavaDwnl"; reference:url,doc.emergingthreats.net/2009445; classtype:pup-activity; sid:2009445; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009607; classtype:web-application-attack; sid:2009607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader Checkin - Downloads Rogue Adware"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"AreaID="; nocase; content:"MediaID="; nocase; content:"AdNo="; nocase; content:"OriginalityID="; nocase; content:"Url"; nocase; content:"Mac="; nocase; content:"Version="; nocase; content:"ValidateCode="; nocase; content:"ParentName="; nocase; reference:url,doc.emergingthreats.net/2009526; classtype:pup-activity; sid:2009526; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; content:"clsid"; nocase; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009609; classtype:web-application-attack; sid:2009609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W3i Related Adware/Spyware"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"shortname="; nocase; content:"os="; nocase; content:"v="; nocase; content:"browsers="; nocase; content:"readable="; nocase; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; classtype:pup-activity; sid:2009705; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; content:"clsid"; nocase; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009610; classtype:web-application-attack; sid:2009610; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; http.user_agent; content:"IEToolbar"; reference:url,doc.emergingthreats.net/2009766; classtype:pup-activity; sid:2009766; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; content:"clsid"; nocase; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009611; classtype:web-application-attack; sid:2009611; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"IpAddr="; nocase; content:"&OS="; nocase; content:"&RegistryChanged="; nocase; content:"&RegistryUpdate="; nocase; content:"&NewInstallation="; nocase; content:"&utilMissing="; nocase; content:"&Basedir="; nocase; content:"&BundleID="; nocase; content:"&InitInstalled="; nocase; content:"&Interval="; nocase; content:"&LastInitRun="; nocase; content:"&LastInitVer="; nocase; content:"&LastSrngRun="; nocase; content:"&LastUtilRun="; nocase; content:"&SrngInstalled="; nocase; content:"&SrngVer="; nocase; content:"&UtilInstalled="; nocase; content:"&UtilVer="; nocase; content:"&PCID"; nocase; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; classtype:pup-activity; sid:2009807; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; content:"clsid"; nocase; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009613; classtype:web-application-attack; sid:2009613; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; http.user_agent; content:"RichCasino"; nocase; depth:10; reference:url,doc.emergingthreats.net/2009831; classtype:pup-activity; sid:2009831; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; content:"clsid"; nocase; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009614; classtype:web-application-attack; sid:2009614; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (MyIE/1.0)"; flow:established,to_server; http.user_agent; content:"MyIE/"; depth:5; reference:url,doc.emergingthreats.net/2009991; classtype:pup-activity; sid:2009991; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; content:"clsid"; nocase; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009615; classtype:web-application-attack; sid:2009615; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (M0zilla)"; flow:established,to_server; http.user_agent; content:"M0zilla/4.0|20|(compatible)"; startswith; reference:url,doc.emergingthreats.net/2010265; classtype:pup-activity; sid:2010265; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009616; classtype:web-application-attack; sid:2009616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (MSIE7 na)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|na|3b 20|)"; fast_pattern; reference:url,doc.emergingthreats.net/2010461; classtype:pup-activity; sid:2010461; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009617; classtype:web-application-attack; sid:2009617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent Mozilla/3.0"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Internet Explorer)"; reference:url,doc.emergingthreats.net/2010599; classtype:pup-activity; sid:2010599; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; content:"clsid"; nocase; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009618; classtype:web-application-attack; sid:2009618; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Generic Adware Install Report"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/nsi_install.php?inst_result=success&aff_id="; content:"&id="; nocase; reference:url,doc.emergingthreats.net/2010630; classtype:pup-activity; sid:2010630; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; content:"clsid"; nocase; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009619; classtype:web-application-attack; sid:2009619; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (browserbob.com)"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1|3b 20|Made with www.browserbob.com)"; fast_pattern; bsize:85; classtype:pup-activity; sid:2011279; rev:5; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt"; flow:from_server,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6/si"; reference:url,www.milw0rm.org/exploits/8733; reference:url,www.securityfocus.com/bid/35028; reference:url,doc.emergingthreats.net/2010160; classtype:attempted-user; sid:2010160; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; fast_pattern; bsize:46; classtype:pup-activity; sid:2011283; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt"; flow:established,to_client; content:"BC8A96C6-3909-11D5-9001-00C04F4C3B9F"; nocase; content:"BindToFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC8A96C6-3909-11D5-9001-00C04F4C3B9F/si"; reference:url,tcc.hellcode.net/advisories/hellcode-adv008.txt; reference:url,doc.emergingthreats.net/2010814; classtype:attempted-user; sid:2010814; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ASKTOOLBAR.DLL Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/toolbarv/askBarCfg?"; nocase; content:"v="; nocase; content:"e="; nocase; reference:md5,3f6413475b1466964498c8450de4062f; classtype:pup-activity; sid:2012000; rev:5; metadata:created_at 2010_12_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 Phobos.Playlist Import ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/; reference:url,doc.emergingthreats.net/2010962; classtype:attempted-user; sid:2010962; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AdVantage)"; flow:established,to_server; http.user_agent; content:"AdVantage"; startswith; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:pup-activity; sid:2012104; rev:6; metadata:created_at 2010_12_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt"; flow:established,from_server; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; nocase; content:"RUN"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3895DD35-7573-11D2-8FED-00606730D3AA/si"; reference:url,securitytracker.com/alerts/2009/Aug/1022752.html; reference:url,www.kb.cert.org/vuls/id/485961; reference:url,www.securityfocus.com/bid/21207/info; reference:url,doc.emergingthreats.net/2009868; classtype:attempted-user; sid:2009868; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdVantage Malware URL Infection Report"; flow:established,to_server; http.uri; content:"cfg_ver="; nocase; content:"hwd="; nocase; content:"campaign="; nocase; content:"ver="; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:pup-activity; sid:2012105; rev:5; metadata:created_at 2010_12_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access"; flow:established,to_client; content:"233C1507-6A77-46A4-9443-F871F945D258"; nocase; content:"PlayerVersion"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*233C1507-6A77-46A4-9443-F871F945D258/si"; reference:url,www.milw0rm.com/exploits/9682; reference:url,doc.emergingthreats.net/2010256; classtype:web-application-attack; sid:2010256; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; classtype:pup-activity; sid:2012298; rev:5; metadata:created_at 2011_02_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 2"; flow:to_client,established; content:"2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009688; classtype:web-application-attack; sid:2009688; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"mozilla/2.0"; depth:11; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:pup-activity; sid:2012642; rev:9; metadata:created_at 2011_04_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 3"; flow:to_client,established; content:"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009689; classtype:web-application-attack; sid:2009689; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; http.host; content:".ru"; endswith; fast_pattern; content:!"101.ru"; content:!"9366858.ru"; pcre:"/^[^a-z]*?[0-9]{2,30}\.ru$/"; classtype:pup-activity; sid:2012649; rev:7; metadata:created_at 2011_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution AeXNSPkgDLLib.dll ActiveX Control DownloadAndInstall Method Arbitrary Code Execution Attempt"; flow:from_server,established; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; content:"DownloadAndInstall"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7/si"; reference:url,securitytracker.com/alerts/2009/Sep/1022928.html; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,doc.emergingthreats.net/2010011; classtype:attempted-user; sid:2010011; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP overtls.com adware request"; flow:to_server,established; http.uri; content:"/sidebar.asp?bn=0&qy="; http.header; content:"EmbeddedWB"; classtype:pup-activity; sid:2012693; rev:5; metadata:created_at 2011_04_19, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Attempt"; flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; nocase; content:"Appstring"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010986; classtype:attempted-user; sid:2010986; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible FakeAV Binary Download"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"antiv"; fast_pattern; nocase; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/i"; classtype:pup-activity; sid:2012753; rev:8; metadata:created_at 2011_04_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Attempt"; flow:established,to_client; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; nocase; content:"ControlID"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15B168B2-AD3C-11D1-A8D8-00A0C9200E61/si"; reference:url,doc.emergingthreats.net/2011129; classtype:attempted-user; sid:2011129; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; http.uri; content:"php?type=stats&affid="; content:"&subid="; content:"&version="; content:"&adwareok"; reference:md5,8d1b47452307259f1e191e16ed23cd35; classtype:pup-activity; sid:2013149; rev:4; metadata:created_at 2011_06_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method"; flow:to_client,established; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; nocase; content:"SaveAS"; nocase; reference:url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html; reference:url,secunia.com/Advisories/31989/; reference:url,doc.emergingthreats.net/2008612; classtype:web-application-attack; sid:2008612; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidetab or Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/install.asp?"; content:"version="; content:"&id="; content:"&mac="; http.header; content:".co.kr|0d 0a|"; classtype:pup-activity; sid:2013182; rev:3; metadata:created_at 2011_07_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk IDrop Indicator ActiveX Control Memory Corruption"; flow:to_client,established; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; nocase; pcre:"/(Src|Background|PackageXml)/i"; reference:url,secunia.com/advisories/34563/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2009-04/0020.html; reference:url,vupen.com/english/advisories/2009/0942; reference:url,milw0rm.com/exploits/8560; reference:url,doc.emergingthreats.net/2009399; classtype:web-application-attack; sid:2009399; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.EZula Adware Reporting Successful Install"; flow:established,to_server; http.uri; content:"/installer.cfc?res=success&hwid="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FEzula.F; classtype:pup-activity; sid:2013195; rev:5; metadata:created_at 2011_07_05, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow"; flow:to_client,established; content:"9589AEC9-1C2D-4428-B7E8-63B39D356F9C"; nocase; content:"PrinterName"; nocase; reference:url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt; reference:bugtraq,35582; reference:url,juniper.net/security/auto/vulnerabilities/vuln35583.html; reference:url,doc.emergingthreats.net/2009792; classtype:web-application-attack; sid:2009792; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SweetIM Install in Progress"; flow:established,to_server; http.uri; content:"/download/install/silent/SSweetIMSetup.CIS"; nocase; classtype:pup-activity; sid:2013243; rev:4; metadata:created_at 2011_07_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control OnBeforeVideoDownload Method Buffer Overflow"; flow:to_client,established; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; nocase; content:"OnBeforeVideoDownload"; nocase; reference:bugtraq,34789; reference:url,milw0rm.com/exploits/8579; reference:url,doc.emergingthreats.net/2009425; classtype:web-application-attack; sid:2009425; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; http.user_agent; content:"MM|20|"; startswith; pcre:"/^MM \d\.\d+$/"; classtype:pup-activity; sid:2013388; rev:6; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow"; flow:to_client,established; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; nocase; content:"SetAttributeValue"; nocase; reference:bugtraq,34869; reference:url,juniper.net/security/auto/vulnerabilities/vuln34869.html; reference:url,vupen.com/english/advisories/2009/1392; reference:url,milw0rm.com/exploits/8757; reference:url,doc.emergingthreats.net/2009657; classtype:web-application-attack; sid:2009657; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (go-diva)"; flow:to_server,established; http.user_agent; content:"go-diva"; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:pup-activity; sid:2013452; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"Enable"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(EnableKeepExistingFiles|EnableStartApplication|EnableStartBeforePrint|EnablePassParameters)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010203; classtype:attempted-user; sid:2010203; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 1"; flow:established,to_server; http.uri; content:"?gname="; content:"&pid="; content:"&m="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; reference:md5,81a119f7f47663c03053e76146f54fe9; classtype:pup-activity; sid:2013556; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"Set"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010204; classtype:attempted-user; sid:2010204; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 2"; flow:established,to_server; http.uri; content:"inst.php?"; content:"pcode="; content:"&ucode="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; classtype:pup-activity; sid:2013557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"SaveBlackIceDEVMODE"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010205; classtype:attempted-user; sid:2010205; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 3"; flow:established,to_server; http.uri; content:"size.php?"; content:"file="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; classtype:pup-activity; sid:2013558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"ClearUserSettings"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010206; classtype:attempted-user; sid:2010206; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tool.InstallToolbar.24 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; content:"TbId="; nocase; content:"TUID="; nocase; content:"Action_Type="; nocase; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:pup-activity; sid:2014060; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"ControlJob"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010207; classtype:attempted-user; sid:2010207; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gen5 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cmd/report.php?"; nocase; content:"PartnerId="; nocase; content:"OfferId="; nocase; content:"action="; nocase; content:"program="; nocase; reference:md5,90410d783f6321c8684ccb9ff0613a51; classtype:pup-activity; sid:2014071; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Charm Real Converter pro 6.6 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"F4F647AD-B160-11D2-A3EF-00104BDF4755"; nocase; content:"GetCodecModulus"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4F647AD-B160-11D2-A3EF-00104BDF4755/si"; reference:url,www.packetstormsecurity.org/0909-exploits/charmrc-dos.txt; reference:url,doc.emergingthreats.net/2010280; classtype:web-application-attack; sid:2010280; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OpenCandy Adware Checkin"; flow:established,to_server; http.uri; content:"clientv="; content:"&cltzone="; content:"&mstime="; content:"&os="; content:"&product_key="; http.host; content:"opencandy.com"; fast_pattern; classtype:pup-activity; sid:2014122; rev:6; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS"; flow:to_client,established; content:"126FB030-1E9E-4517-A254-430616582C50"; nocase; content:"LoadXmlEmail"; nocase; reference:url,www.milw0rm.com/exploits/6600; reference:url,doc.emergingthreats.net/2008607; classtype:web-application-attack; sid:2008607; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Common Adware Library ISX User Agent Detected"; flow:established,to_server; http.user_agent; content:"ISX Download DLL"; fast_pattern; startswith; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:pup-activity; sid:2014137; rev:5; metadata:created_at 2012_01_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method"; flow:to_client,established; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; content:"WriteFile"; nocase; reference:url,secunia.com/Advisories/32513/; reference:url,milw0rm.com/exploits/6963; reference:url,doc.emergingthreats.net/2008814; classtype:web-application-attack; sid:2008814; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OpenTrio User-Agent (Open3)"; flow:established,to_server; http.user_agent; content:"Open3"; startswith; classtype:pup-activity; sid:2014190; rev:4; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation"; flow:to_client,established; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; nocase; content:"SaveLastError"; nocase; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7142; reference:url,doc.emergingthreats.net/2008870; classtype:web-application-attack; sid:2008870; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/MediaGet Checkin"; flow:established,to_server; http.request_body; content:"<mediagetInstaller statVersion="; content:"mediagetIsAlreadyInstalled="; classtype:pup-activity; sid:2014192; rev:5; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; flow:to_client,established; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; content:"SaveLastError"; nocase; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; reference:url,doc.emergingthreats.net/2009046; classtype:web-application-attack; sid:2009046; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; http.uri; content:"/install.xml?pid="; http.header; content:"gameplaylabs.com|0d 0a|"; classtype:pup-activity; sid:2014249; rev:6; metadata:created_at 2012_02_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chinagames ActiveX Control CreateChinagames Method Buffer Overflow"; flow:to_client,established; content:"75108B29-202F-493C-86C5-1C182A485C4C"; nocase; content:"CreateChinagames"; nocase; reference:bugtraq,34871; reference:url,milw0rm.com/exploits/8758; reference:url,doc.emergingthreats.net/2009500; classtype:web-application-attack; sid:2009500; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PlaySushi User-Agent"; flow:established,to_server; http.user_agent; content:"psi|20|"; startswith; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:pup-activity; sid:2014261; rev:4; metadata:created_at 2012_02_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite"; flow:to_client,established; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; content:"SaveToFile"; nocase; reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794; reference:url,doc.emergingthreats.net/2009064; classtype:web-application-attack; sid:2009064; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Checkin"; flow:established,to_server; http.uri; content:"/inst.asp?d="; content:"&cl="; content:"&l="; content:"&e="; content:"&v="; content:"&uid="; content:"&time="; content:"&win="; content:"&ac="; content:"&ti="; content:"&xv="; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014339; rev:4; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit"; flow:established,to_client; content:"0x40000"; content:"SendChannelData"; nocase; content:"238F6F83-B8B4-11CF-8771-00A024541EE3"; nocase; reference:url,www.milw0rm.com/exploits/5106; reference:bugtraq,21458; reference:cve,CVE-2006-6334; reference:url,doc.emergingthreats.net/bin/view/Main/2007851; classtype:web-application-attack; sid:2007851; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware User Agent"; flow:established,to_server; http.user_agent; content:"zz_"; depth:3; pcre:"/^[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Ri"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014340; rev:8; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ComponentOne VSFlexGrid ActiveX Control Archive Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"C945E31A-102E-4A0D-8854-D599D7AED5FA"; nocase; distance:0; content:"Archive"; nocase; reference:url,exploit-db.com/exploits/12673; reference:url,doc.emergingthreats.net/2011210; classtype:attempted-user; sid:2011210; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/MediaGet.Adware Installer Download"; flow:established,to_client; flowbits:isnotset,ET.Adobe.Site.Download; http.header.raw; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:pup-activity; sid:2014353; rev:8; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"01113300-3E00-11D2-8470-0060089874ED"; nocase; distance:0; content:"RunCMD"; nocase; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011212; classtype:attempted-user; sid:2011212; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; http.user_agent; content:"Softonic Downloader/"; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:pup-activity; sid:2014355; rev:5; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods"; flow:to_client,established; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; pcre:"/(Save|SaveLayoutChanges|SaveMenuUsageData)/i"; reference:bugtraq,24959; reference:cve,CVE-2007-3883; reference:url,www.exploit-db.com/exploits/5395/; reference:url,doc.emergingthreats.net/2008127; classtype:web-application-attack; sid:2008127; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/LoudMo.Adware Checkin"; flow:established,to_server; http.uri; content:"/?aff="; http.host; content:"www.gamebound.com"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:pup-activity; sid:2014400; rev:5; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007905; classtype:web-application-attack; sid:2007905; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; http.user_agent; content:"pcsetup_"; pcre:"/^\w+pcsetup_\w+/"; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:pup-activity; sid:2014583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EDraw Flowchart ActiveX Control OpenDocument Method Remote Code Execution Attempt"; flow:to_client,established; content:"F685AFD8-A5CC-410E-98E4-BAA1C559BA61"; nocase; content:"OpenDocument"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F685AFD8-A5CC-410E-98E4-BAA1C559BA61/si"; reference:url,doc.emergingthreats.net/2011055; classtype:attempted-user; sid:2011055; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Dialer.Adultchat Checkin"; flow:established,to_server; http.uri; content:"/getclientid.wnk?srv="; content:"&ver="; content:"&pin="; content:"&OSInfo2="; content:"&cinfo="; content:"retryattempt="; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:pup-activity; sid:2014667; rev:4; metadata:created_at 2012_05_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable WriteToLog Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; content:"WriteToLog"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010035; classtype:attempted-user; sid:2010035; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/rdc/rnd.php"; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:pup-activity; sid:2014767; rev:7; metadata:created_at 2012_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; content:"0x400000"; nocase; content:"CreateStore"; nocase; reference:bugtraq,32722; reference:url,milw0rm.com/exploits/7402; reference:url,doc.emergingthreats.net/2008963; classtype:web-application-attack; sid:2008963; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames Checkin"; flow:established,to_server; http.uri; content:"/game"; content:"/diary/item/"; http.user_agent; content:"getURLDown"; bsize:10; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015017; rev:6; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quiksoft EasyMail imap connect() ActiveX stack overflow vulnerability"; flow:from_server,established; content:"<script"; nocase; content:"unescape|28|"; nocase; content:"|2e|connect"; nocase; distance:0; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,www.milw0rm.com/exploits/9704; reference:url,www.securityfocus.com/bid/22583; reference:url,doc.emergingthreats.net/2009948; classtype:attempted-user; sid:2009948; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP suspicious User-Agent (vb   wininet)"; flow:established,to_server; http.user_agent; content:"vb|20 20 20|wininet"; depth:12; classtype:pup-activity; sid:2016069; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt"; flow:to_client,established; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; content:"LicenseKey"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,milw0rm.com/exploits/9684; reference:url,doc.emergingthreats.net/2010253; classtype:web-application-attack; sid:2010253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; http.uri; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern; content:"&x_format="; content:"&x_pub_id="; content:"&tag="; http.user_agent; content:"Mozilla/4.0  (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest.5)"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:pup-activity; sid:2016546; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail ActiveX AddAttachment method Remote code excution clsid access attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"AddAttachment"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:url,www.milw0rm.com/exploits/9705; reference:url,doc.emergingthreats.net/2010278; classtype:web-application-attack; sid:2010278; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; http.uri; content:"?data="; content:"&version="; distance:0; http.user_agent; content:"win32"; depth:5; fast_pattern; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:pup-activity; sid:2016780; rev:6; metadata:created_at 2013_04_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX CreateStore method Remote code excution clsid access"; flow:established,to_client; content:"18A76B9A-45C1-11D3-80DC-00C04F6B92D0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0/si"; content:"CreateStore"; nocase; reference:url,www.milw0rm.com/exploits/9685; reference:url,doc.emergingthreats.net/2010277; classtype:web-application-attack; sid:2010277; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.MSIL.Solimba.b GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/dmr/access/"; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:pup-activity; sid:2016905; rev:6; metadata:created_at 2013_05_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; content:"DoSaveFile"; nocase; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009102; classtype:web-application-attack; sid:2009102; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.MSIL.Solimba.b POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/dmr/exception"; http.user_agent; content:"DownloadMR"; depth:10; nocase; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:pup-activity; sid:2016906; rev:6; metadata:created_at 2013_05_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; content:"DoSaveFile"; nocase; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009063; classtype:web-application-attack; sid:2009063; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Smart-RTP"; flow: established,to_server; http.user_agent; content:"Smart-RTP"; depth:9; nocase; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:md5,a80f33c94c44556caa2ef46cd5eb863c; classtype:pup-activity; sid:2016915; rev:7; metadata:created_at 2013_05_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1)"; flow:from_server,established; content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; nocase; content:"PictureUrls"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009402; classtype:attempted-user; sid:2009402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; http.user_agent; content:"Custom_56562_HttpClient/VER_STR_COMMA"; depth:37; nocase; classtype:pup-activity; sid:2016916; rev:5; metadata:created_at 2013_05_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2)"; flow:from_server,established; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; nocase; content:"PictureUrls"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009403; classtype:attempted-user; sid:2009403; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware pricepeep Adware.Shopper.297"; flow: established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/logger/software/hit/"; nocase; content:"/?v."; nocase; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:pup-activity; sid:2016917; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_05_23, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; nocase; content:"RemoteAddress"; nocase; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; reference:url,doc.emergingthreats.net/2008999; classtype:web-application-attack; sid:2008999; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gamevance.AV Checkin"; flow:established,to_server; http.uri; content:"/aj/"; fast_pattern; content:".php?p="; http.header_names; content:!"Referer"; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:pup-activity; sid:2017136; rev:7; metadata:created_at 2013_07_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion"; flow:to_client,established; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; content:"DeleteFile"; nocase; reference:bugtraq,33842; reference:url,xforce.iss.net/xforce/xfdb/48837; reference:url,doc.emergingthreats.net/2009184; classtype:web-application-attack; sid:2009184; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Crossrider Spyware Checkin"; flow:established,to_server; http.uri; content:"/updater/"; depth:9; content:"/update.json?rnd="; distance:32; within:18; http.header_names; content:!"User-Agent"; classtype:pup-activity; sid:2017196; rev:6; metadata:created_at 2013_07_26, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX Control GetFromURL Method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"GetFromURL"; nocase; reference:url,exploit-db.com/exploits/14269/; reference:url,doc.emergingthreats.net/2011251; classtype:web-application-attack; sid:2011251; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Wajam.Adware Successful Install"; flow:established,to_server; http.uri; content:"/wajam_install.exe?aid="; http.user_agent; content:"NSIS_Inetc"; startswith; classtype:pup-activity; sid:2017561; rev:6; metadata:created_at 2013_10_05, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FlexCell Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; nocase; pcre:"/(SaveFile|ExportToXML)/i"; reference:url,www.milw0rm.com/exploits/7868; reference:bugtraq,33453; reference:url,doc.emergingthreats.net/2009120; classtype:web-application-attack; sid:2009120; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/?step_id="; content:"&publisher_id="; content:"&page_id="; content:"&country_code="; content:"&browser_id="; content:"&download_id="; content:"&hardware_id="; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017911; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX control OpenFile method Heap Overflow Attempt"; flow:established,to_client; content:"05563215-225C-45EB-BB34-AFA47217B1DE"; nocase; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05563215-225C-45EB-BB34-AFA47217B1DE/si"; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010929; classtype:attempted-user; sid:2010929; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?report_version="; http.request_body; content:"data="; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017912; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit"; flow:to_client,established; content:"0x40000"; content:"DoWebLaunch"; content:"97BB6657-DC7F-4489-9067-51FAB9D8857E"; nocase; reference:url,www.milw0rm.com/exploits/4982; reference:bugtraq,27193; reference:url,doc.emergingthreats.net/2007852; classtype:web-application-attack; sid:2007852; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; http.uri; content:"/updater/"; http.user_agent; content:"UpdaterResponse"; depth:15; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018024; rev:5; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method"; flow:to_client,established; content:"E8512363-3581-42EF-A43D-990E7935C8BE"; nocase; content:"SaveAsPDF"; nocase; reference:url,secunia.com/Advisories/31966/; reference:url,milw0rm.com/exploits/6638; reference:url,doc.emergingthreats.net/2008613; classtype:web-application-attack; sid:2008613; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/AdLoad.Downloader Download"; flow:established,to_server; http.uri; content:"/v"; content:"&product_name="; content:"&installer_file_name="; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:pup-activity; sid:2018048; rev:5; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution"; flow:to_client,established; content:"814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8"; nocase; content:"GetAudioPlayingTime"; nocase; reference:bugtraq,34115; reference:url,milw0rm.com/exploits/8206; reference:url,doc.emergingthreats.net/2009328; classtype:web-application-attack; sid:2009328; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent EXE2"; flow: established,to_server; http.user_agent; content:"EXE2"; nocase; depth:4; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:pup-activity; sid:2018049; rev:5; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"8D58D690-6B71-4ee8-85AD-006DB0287BF1"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009160; classtype:web-application-attack; sid:2009160; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; http.method; content:"GET"; http.uri; content:".txt"; http.user_agent; content:"EXE2"; depth:4; fast_pattern; nocase; http.header_names; content:!"Accept|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; content:!"Connection|0d 0a|"; nocase; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:pup-activity; sid:2018050; rev:6; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009161; classtype:web-application-attack; sid:2009161; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Mozi11a"; flow: established,to_server; http.user_agent; content:"Mozi11a"; depth:7; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:pup-activity; sid:2018051; rev:6; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009162; classtype:web-application-attack; sid:2009162; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (gettingAnswer)"; flow: established,to_server; http.user_agent; content:"gettingAnswer"; depth:13; nocase; reference:md5,c305a0af3fe84525a993130b7854e3e0; classtype:pup-activity; sid:2018084; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_02_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; content:"Command"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010367; classtype:web-application-attack; sid:2010367; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BetterInstaller"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?v="; content:"&uid="; content:"&muid="; pcre:"/[a-f0-9]{32}\?v=/i"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:pup-activity; sid:2018195; rev:5; metadata:created_at 2014_01_15, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; content:"ViewProfile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; reference:url,www.securityfocus.com/bid/37834; reference:url,doc.emergingthreats.net/2010760; classtype:attempted-user; sid:2010760; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"&OSversion="; content:"&Slv="; content:"&Sysid="; content:"&Sysid1="; content:"&admin="; content:"&browser="; content:"&exe="; content:"&ffver="; content:"&lang_DfltUser="; content:"&ver="; content:"&ts="; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:pup-activity; sid:2018324; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Attempt"; flow:from_server,established; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; content:"XUPLOAD"; nocase; content:"MakeHttpRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E87F6C8E-16C0-11D3-BEF7-009027438003/si"; reference:url,www.securityfocus.com/bid/36550/info; reference:url,doc.emergingthreats.net/2010010; classtype:attempted-user; sid:2010010; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bundle/"; content:"/?p="; http.user_agent; content:"zz_afi"; depth:6; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:pup-activity; sid:2018333; rev:6; metadata:created_at 2014_03_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX DisplayName method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"DisplayName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010611; classtype:web-application-attack; sid:2010611; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"?v="; fast_pattern; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:pup-activity; sid:2018368; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_04_07, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX AddGroup method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"AddGroup"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010612; classtype:web-application-attack; sid:2010612; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.MultiInstaller"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"?s1="; fast_pattern; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/"; http.header_names; content:!"Referer"; reference:md5,26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:pup-activity; sid:2018512; rev:8; metadata:created_at 2014_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"InstallComponent"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010613; classtype:web-application-attack; sid:2010613; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadGuide.A"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/1/dg/3"; fast_pattern; http.request_body; content:"{|22|BuildId|22 3a|"; content:"|22|Campaign|22|"; content:"|22|TrackBackUrl|22|"; http.content_type; content:"application/json"; startswith; http.header_names; content:!"Referer"; reference:md5,37b91123a58a48975770241445392aeb; classtype:pup-activity; sid:2018513; rev:6; metadata:created_at 2014_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX Subscribe method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"Subscribe"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010614; classtype:web-application-attack; sid:2010614; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Checkin"; flow: established, to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla|29|"; depth:20; http.request_body; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; content:"|22|machine_ID|22 3a 22|"; distance:0; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:pup-activity; sid:2018557; rev:8; metadata:created_at 2014_06_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; content:"ProgColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010778; classtype:attempted-user; sid:2010778; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.MultiInstaller checkin 2"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"/entrance?s1="; depth:13; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:pup-activity; sid:2018590; rev:4; metadata:created_at 2014_06_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; content:"ProgColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010779; classtype:attempted-user; sid:2010779; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OptimizerPro Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/op?sid="; content:"&dt="; distance:0; content:"&gid="; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:pup-activity; sid:2018742; rev:5; metadata:created_at 2013_12_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Operations Manager SourceView ActiveX LoadFile/SaveFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"366C9C52-C402-416B-862D-1464F629CA59"; nocase; content:"File"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*366C9C52-C402-416B-862D-1464F629CA59.+(LoadFile|SaveFile)/si"; reference:url,packetstormsecurity.org/1004-exploits/CORELAN-10-027.txt; reference:url,secunia.com/advisories/39538/; reference:url,doc.emergingthreats.net/2011075; classtype:attempted-user; sid:2011075; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SearchSuite Install CnC Beacon"; flow:established,to_server; urilen:23; http.method; content:"POST"; http.uri; content:"/install_statistics.php"; fast_pattern; depth:23; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE|3B 20|Win32)"; startswith; http.request_body; content:"XML="; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:pup-activity; sid:2018753; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Virtual Rooms Control Clsid Access"; flow:from_server,established; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000032-9593-4264-8B29-930B3E4EDCCD/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01678405; reference:url,doc.emergingthreats.net/2009404; classtype:attempted-user; sid:2009404; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.A checkin"; flow:to_server,established; http.uri; content:"get/?ver="; content:"&aid="; distance:0; content:"&hid="; distance:0; content:"&rid="; distance:0; content:"&data="; distance:0; content:"&report="; distance:0; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:pup-activity; sid:2018867; rev:4; metadata:created_at 2014_08_01, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt"; flow:established,to_client; content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; content:"URL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si"; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010373; classtype:attempted-user; sid:2010373; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/BrowseFox.H Checkin 2"; flow:established,to_server; urilen:3; http.method; content:"POST"; http.uri; content:"/rs"; http.request_body; content:"alpha="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,437a5cb57567c2691ce61a700682eab7; classtype:pup-activity; sid:2018899; rev:6; metadata:created_at 2014_07_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; reference:url,secunia.com/Advisories/32337/; reference:url,doc.emergingthreats.net/2008678; classtype:web-application-attack; sid:2008678; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maxpower-static/templates/"; depth:27; http.header_names; content:!"Referer"; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:pup-activity; sid:2019143; rev:7; metadata:created_at 2014_07_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"SaveasMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010997; classtype:attempted-user; sid:2010997; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MAC/Conduit Component Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/installer?dp="; content:"&sdp="; content:"&f="; content:"&id="; content:"&v="; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019144; rev:4; metadata:created_at 2014_09_10, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control ReadMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"ReadMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010998; classtype:attempted-user; sid:2010998; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SoftPulse.H Checkin"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/__dmp__/"; fast_pattern; http.request_body; content:"data={"; depth:6; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Referer"; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:pup-activity; sid:2019228; rev:6; metadata:created_at 2014_09_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; nocase; content:"PutProperty"; nocase; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; reference:url,doc.emergingthreats.net/2008618; classtype:web-application-attack; sid:2008618; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/ELEX Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v"; depth:2; content:"?update"; fast_pattern; distance:0; pcre:"/^[0-9]?=[a-z]+/Ri"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,2fed7fe9d055ebb63897bc2c8996676d; reference:md5,e2fd0d2c44e96cab5017bb8a68ca92a6; classtype:pup-activity; sid:2019779; rev:8; metadata:created_at 2014_11_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:established,to_client; content:"74FFE28D-2378-11D5-990C-006094235084"; nocase; content:"GetXMLValue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*74FFE28D-2378-11D5-990C-006094235084/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010483; classtype:attempted-user; sid:2010483; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/CloudScout Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/QualityCheck/"; fast_pattern; content:".php"; distance:0; pcre:"/\.php$/"; http.request_body; content:"dp="; depth:3; content:"&sdp="; distance:0; content:"&a="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c732b52b245444e3f568d372ce399911; classtype:pup-activity; sid:2019780; rev:10; metadata:created_at 2014_11_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".Spline|28|"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/si"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003102; classtype:attempted-user; sid:2003102; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DomaIQ Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"&OSversion="; content:"&Sysid="; content:"&Sysid1="; content:"&X64="; content:"&exe="; content:"&ffver="; content:"&lang_DfltSys="; content:"&lang_DfltUser="; reference:md5,9befc43d2019c5614e7372a16e3a5ce5; classtype:pup-activity; sid:2019944; rev:5; metadata:created_at 2014_12_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID"; flow:from_server,established; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; nocase; reference:url,www.securityfocus.com/bid/20843; reference:url,secunia.com/advisories/22603; reference:cve,2006-4704; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; reference:url,doc.emergingthreats.net/2003158; classtype:attempted-user; sid:2003158; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP W32/DownloadGuide.D"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config-from-production"; http.request_body; content:"{|22|os|22 3A 22|"; depth:7; content:"|22|lang|22 3A 22|"; distance:0; content:"|22|uid|22 3A 22|"; distance:0; content:"|22|prod|22 3A 22|"; distance:0; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; classtype:pup-activity; sid:2019974; rev:4; metadata:created_at 2014_12_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsmIDE.DTE object call CSLID"; flow:from_server,established; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; nocase; reference:url,doc.emergingthreats.net/2003159; classtype:attempted-user; sid:2003159; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/iBryte.Adware Installer Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?mode="; content:"&sf="; content:"&browser="; content:"&useragent="; http.header_names; content:!"Referer"; reference:md5,4c80e5f72a2ab8324b981e37b3b0e5d1; classtype:pup-activity; sid:2020197; rev:7; metadata:created_at 2015_01_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID"; flow:from_server,established; content:"639F725F-1B2D-4831-A9FD-874847682010"; nocase; reference:url,doc.emergingthreats.net/2003160; classtype:attempted-user; sid:2003160; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBrowser User-Agent (LogEvents)"; flow:established,to_server; http.user_agent; content:"LogEvents"; fast_pattern; bsize:9; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:pup-activity; sid:2020238; rev:4; metadata:created_at 2015_01_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID"; flow:from_server,established; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; nocase; reference:url,doc.emergingthreats.net/2003161; classtype:attempted-user; sid:2003161; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBrowser User-Agent (VersionDwl)"; flow:established,to_server; http.user_agent; content:"VersionDwl"; fast_pattern; bsize:10; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:pup-activity; sid:2020239; rev:4; metadata:created_at 2015_01_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002171; classtype:web-application-attack; sid:2002171; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBrowser User-Agent (BoBrowser)"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 180; http.header; content:"User-Agent|3a 20|"; http.user_agent; content:"|20|BoBrowser/"; fast_pattern; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:pup-activity; sid:2020240; rev:5; metadata:created_at 2015_01_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 2)"; flow:established,from_server; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002492; classtype:web-application-attack; sid:2002492; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/MultiPlug.Adware Adfraud Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?rmbs="; within:8; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"; bsize:108; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:pup-activity; sid:2020457; rev:4; metadata:created_at 2015_02_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; classtype:attempted-user; sid:2002971; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&ts="; content:"&dlip="; content:"&dlid="; content:"&proto="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020627; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010263; classtype:attempted-user; sid:2010263; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&proto="; http.user_agent; content:"WinWrapper"; depth:10; http.request_body; content:"{|22|appId|22 3a 22|"; content:"|22|uuId|22 3a 22|"; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020628; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,to_client; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010264; classtype:attempted-user; sid:2010264; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware User-Agent"; flow:established,to_server; http.user_agent; content:"WinWrapper"; depth:10; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020629; rev:6; metadata:created_at 2015_03_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 1 Access Attempt"; flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5DFB2651-9668-11D0-B17B-00C04FC2A0CA/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010292; classtype:attempted-user; sid:2010292; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/log/?"; fast_pattern; content:"="; distance:1; within:1; content:"&d="; distance:0; content:"&o="; content:"&r="; content:"&s="; content:"&t="; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:pup-activity; sid:2020701; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 2 Access Attempt"; flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010293; classtype:attempted-user; sid:2010293; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; http.user_agent; content:"Sendori-Client"; depth:14; reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:pup-activity; sid:2020881; rev:5; metadata:created_at 2015_04_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 3 Access Attempt"; flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010294; classtype:attempted-user; sid:2010294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sentry_version="; content:"&sentry_client="; distance:0; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:pup-activity; sid:2021027; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 4 Access Attempt"; flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010295; classtype:attempted-user; sid:2010295; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.request_body; content:"postInstallReport"; fast_pattern; content:"machineId|22 3a 22|"; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:pup-activity; sid:2021094; rev:5; metadata:created_at 2015_05_14, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 5 Access Attempt"; flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010296; classtype:attempted-user; sid:2010296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.GigaClicks Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ver/"; content:"/sid/"; http.request_body; content:"instlog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:pup-activity; sid:2021099; rev:4; metadata:created_at 2015_05_15, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 6 Access Attempt"; flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010297; classtype:attempted-user; sid:2010297; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?uid="; content:"&affid="; distance:0; content:"&inst_date="; distance:0; fast_pattern; content:"&prod="; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:pup-activity; sid:2021173; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 7 Access Attempt"; flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010298; classtype:attempted-user; sid:2010298; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v2/"; depth:4; fast_pattern; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/"; http.header_names; content:"X-Crypto-Version"; content:!"User-Agent"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:pup-activity; sid:2021282; rev:5; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 8 Access Attempt"; flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010299; classtype:attempted-user; sid:2010299; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/Mackeeper Checkin"; flow:established,to_server; http.uri; content:"/landings/"; depth:10; http.user_agent; content:"Macintosh|3b|"; http.host; content:"mackeeper"; startswith; http.cookie; content:"ldrBrowser=|25|22Safari|25|22|3b|"; content:"ldrOs=|25|22Mac+OS+X|25|22|3b|"; classtype:pup-activity; sid:2021548; rev:5; metadata:created_at 2015_07_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 9 Access Attempt"; flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010300; classtype:attempted-user; sid:2010300; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; http.user_agent; content:"Installer(ref=["; fast_pattern; content:"|3b|windows="; distance:0; content:"|3b|uac="; distance:0; content:"|3b|elevated="; distance:0; content:"|3b|dotnet="; distance:0; content:"|3b|startTime="; distance:0; content:"|3b|pid="; distance:0; classtype:pup-activity; sid:2021564; rev:5; metadata:created_at 2015_07_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 10 Access Attempt"; flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010301; classtype:attempted-user; sid:2010301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?pcrc="; depth:7; fast_pattern; content:"&v="; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:pup-activity; sid:2021618; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 11 Access Attempt"; flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010302; classtype:attempted-user; sid:2010302; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 2"; flow:established,to_server; http.uri; content:"/?v="; depth:4; content:"&pcrc="; distance:0; content:"&LSVRDT="; distance:0; fast_pattern; content:"&ty="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; classtype:pup-activity; sid:2021619; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 12 Access Attempt"; flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010303; classtype:attempted-user; sid:2010303; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; content:"&pcrc="; content:"&LUDT="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:pup-activity; sid:2021643; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 13 Access Attempt"; flow:established,to_client; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010304; classtype:attempted-user; sid:2010304; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Boxore User-Agent"; flow:to_server,established; http.user_agent; content:"BoxoreClent"; depth:11; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:pup-activity; sid:2021700; rev:5; metadata:created_at 2015_08_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 14 Access Attempt"; flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010305; classtype:attempted-user; sid:2010305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; content:"/FMP.dmg?download_browser="; distance:0; fast_pattern; content:"&app_id="; distance:0; content:"&campaign="; distance:0; content:"&cargoType="; distance:0; content:"&oname=FMP.dmg"; distance:0; classtype:pup-activity; sid:2021984; rev:4; metadata:created_at 2015_10_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 15 Access Attempt"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010306; classtype:attempted-user; sid:2010306; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; fast_pattern; content:"&pcrc="; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:pup-activity; sid:2022354; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 16 Access Attempt"; flow:established,to_client; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010307; classtype:attempted-user; sid:2010307; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/v"; depth:2; content:".asp"; pcre:"/\/v\d\/[^.]+\.asp$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; bsize:38; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:pup-activity; sid:2022694; rev:4; metadata:created_at 2016_04_01, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 17 Access Attempt"; flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010308; classtype:attempted-user; sid:2010308; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".sh?do="; content:"&d="; content:"&inj="; content:"&cl="; content:"&cs="; content:"&id="; content:"&se="; http.user_agent; content:"Mozilla/5.0"; fast_pattern; bsize:11; http.header_names; content:!"Referer|0d 0a|"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022716; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 18 Access Attempt"; flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010309; classtype:attempted-user; sid:2010309; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?mid="; fast_pattern; pcre:"/\/(cld|update-effect)\?mid=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&(ct|st)=[a-z0-9]+$/i"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022717; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 19 Access Attempt"; flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010310; classtype:attempted-user; sid:2010310; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.user_agent; content:"curl/"; startswith; http.request_body; content:"vs_mid="; depth:7; fast_pattern; content:"&br_mid="; content:"&event_type="; content:"diss URL"; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022718; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 20 Access Attempt"; flow:established,to_client; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010311; classtype:attempted-user; sid:2010311; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit Web Injects"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mu?id="; fast_pattern; content:"&d="; content:"&cl="; pcre:"/\/mu\?id=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&d=[A-Za-z]+&cl=\d+$/i"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022719; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 22 Access Attempt"; flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010313; classtype:attempted-user; sid:2010313; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 3"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/u/?"; depth:4; fast_pattern; content:"&c="; distance:0; content:"&r="; distance:0; pcre:"/^\/u\/\?[a-z]=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&r=[0-9]{17,}$/"; reference:url,blog.malwarebytes.org/cybercrime/2016/01/trojan-dnschanger-circumvents-powershell-restrictions/; classtype:pup-activity; sid:2022722; rev:4; metadata:created_at 2016_04_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 23 Access Attempt"; flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010314; classtype:attempted-user; sid:2010314; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallCore Initial Install Activity 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; content:"&subver="; fast_pattern; distance:0; content:"&pcrc="; distance:0; pcre:"/^\/\?v=[\d\.]{3,4}&subver=[\d\.]{4,5}&pcrc=\d+$/"; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,0a6a0baf77b80706cab665754ecadac9; classtype:pup-activity; sid:2022807; rev:4; metadata:created_at 2016_05_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 24 Access Attempt"; flow:established,to_client; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010315; classtype:attempted-user; sid:2010315; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Successful QuizScope Installation"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qscope/ithankyou"; depth:17; fast_pattern; reference:md5,4dae2a394b792c36936a88cfc296f9b9; classtype:pup-activity; sid:2022812; rev:4; metadata:created_at 2016_05_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 25 Access Attempt"; flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010316; classtype:attempted-user; sid:2010316; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SearchProtect PUA User-Agent Observed"; flow:established,to_server; http.user_agent; content:"SearchProtect|3b|"; depth:14; reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87; classtype:pup-activity; sid:2022813; rev:4; metadata:created_at 2016_05_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 26 Access Attempt"; flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010317; classtype:attempted-user; sid:2010317; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Conduit Trovi Adware/PUA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?gd="; depth:5; fast_pattern; content:"&ctid="; distance:0; content:"&octid="; distance:0; content:"&SSPV="; distance:0; reference:md5,069ce8c2a553f9bc5a9599d7541943ce; classtype:pup-activity; sid:2022814; rev:4; metadata:created_at 2016_05_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 27 Access Attempt"; flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010318; classtype:attempted-user; sid:2010318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M1"; flow:established,to_server; http.uri; content:"/gettrk_l?partner="; depth:18; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022821; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 28 Access Attempt"; flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010319; classtype:attempted-user; sid:2010319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M2"; flow:established,to_server; http.uri; content:"/install-report?"; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022822; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 29 Access Attempt"; flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010320; classtype:attempted-user; sid:2010320; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M3"; flow:established,to_server; http.uri; content:"/event-report?"; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022823; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 30 Access Attempt"; flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010321; classtype:attempted-user; sid:2010321; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M4"; flow:established,to_server; http.uri; content:"?type=off"; content:"&topic="; distance:0; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022824; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 31 Access Attempt"; flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010322; classtype:attempted-user; sid:2010322; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toolbar User-Agent (BrandThunderHelper)"; flow:established,to_server; http.user_agent; content:"BrandThunderHelper"; fast_pattern; bsize:18; classtype:pup-activity; sid:2022825; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt"; flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010323; classtype:attempted-user; sid:2010323; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Toolbar.WIDGI User-Agent (WidgiToolbar-)"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"WidgiToolbar-"; depth:13; reference:md5,1785f9784cb4e7400ed6f2c8f0e421c2; classtype:pup-activity; sid:2022826; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt"; flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010324; classtype:attempted-user; sid:2010324; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP/DriverRestore Sending System Information to Affiliate"; flow:established,to_server; http.uri; content:".jsp?leadTrackerId="; content:"|22|ComputerName|22|"; distance:0; content:"|22|UserName|22|"; distance:0; content:"|22|IsAdmin|22|"; distance:0; http.user_agent; content:"DriverRestore/"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4f7f497668e3e716a6f4a53af0924a25; classtype:pup-activity; sid:2022827; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt"; flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010325; classtype:attempted-user; sid:2010325; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopTools PUP Install Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"_install.cgi"; http.user_agent; content:"BIDUI18N"; bsize:8; http.request_body; content:"name=|22|ufile01|22 3b 20|filename=|22|boundary|22|"; fast_pattern; content:"Content-Type|3a 20|application/octet-stream"; distance:0; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,3e464cff8690c7a2f57542688a278c62; classtype:pup-activity; sid:2022829; rev:4; metadata:created_at 2016_05_19, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt"; flow:established,to_client; content:"5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010326; classtype:attempted-user; sid:2010326; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?alpha="; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/"; http.user_agent; content:"NSIS_Inetc"; depth:10; fast_pattern; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:pup-activity; sid:2022850; rev:5; metadata:created_at 2016_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt"; flow:established,to_client; content:"ADEADEB8-E54B-11d1-9A72-0000F875EADE"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADEADEB8-E54B-11d1-9A72-0000F875EADE/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010327; classtype:attempted-user; sid:2010327; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL/Adload.AT Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do"; fast_pattern; content:"source="; content:"&event="; content:"&implementation_id="; content:"user_id="; content:"&useragent="; content:"&sgn="; content:"&subid2="; content:"&ts="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:pup-activity; sid:2022893; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, former_category ADWARE_PUP, malware_family MSIL_Adload, signature_severity Major, tag Adware, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt"; flow:established,to_client; content:"EC85D8F1-1C4E-46e4-A748-7AA04E7C0496"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC85D8F1-1C4E-46e4-A748-7AA04E7C0496/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010328; classtype:attempted-user; sid:2010328; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LoadMoney Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; pcre:"/^Downloader\s\d+\.\d+$/"; content:"Downloader|20|"; startswith; http.request_body; content:"|0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2022987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt"; flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010329; classtype:attempted-user; sid:2010329; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Chrome Extension"; flow:established,to_server; http.uri; content:"page?url="; fast_pattern; content:"/user/"; content:"iframe="; http.header_names; content:!"Referer|0d 0a|"; classtype:pup-activity; sid:2023015; rev:4; metadata:affected_product Web_Browser_Plugins, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2016_08_05, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt"; flow:established,to_client; content:"E673DCF2-C316-4c6f-AA96-4E4DC6DC291E"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4c6f-AA96-4E4DC6DC291E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010330; classtype:attempted-user; sid:2010330; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; http.method; content:"GET"; http.uri; content:"/?q="; fast_pattern; depth:4; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/"; http.uri.raw; content:"+"; http.host; content:!"map24.com"; content:!"aptrk.com"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:pup-activity; sid:2023707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PUA, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt"; flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010331; classtype:attempted-user; sid:2010331; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 1"; flow:established,to_server; http.uri; content:"/get_xml?"; fast_pattern; pcre:"/\/get_xml\?(?:file_id|stb)=/i"; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024250; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt"; flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010332; classtype:attempted-user; sid:2010332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 2"; flow:established,to_server; http.uri; content:"/download.php?id="; fast_pattern; content:"&f="; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024251; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Communications Control Clsid Access"; flow:from_server,established; content:"648A5600-2C6E-101B-82B6-000000000014"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*648A5600-2C6E-101B-82B6-000000000014/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,doc.emergingthreats.net/2009400; classtype:attempted-user; sid:2009400; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 4"; flow:to_server,established; http.uri; content:"/get_file_info.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_23, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; flow:to_client,established; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; content:"GetEntryPointForThread"; nocase; reference:bugtraq,31996; reference:url,doc.emergingthreats.net/2008792; classtype:web-application-attack; sid:2008792; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 8"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&chromeLog="; fast_pattern; content:"&ffLog="; distance:0; content:"&operaLog="; distance:0; content:"&notAdmin="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; content:"Open"; nocase; content:".avi"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; reference:url,doc.emergingthreats.net/2008993; classtype:web-application-attack; sid:2008993; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 2"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/launch_info"; http.user_agent; content:"Downloader|20|"; depth:11; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024259; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"CheckForUpdates"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010562; classtype:web-application-attack; sid:2010562; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 4"; flow:established,to_server; http.uri; content:"/data_files="; depth:12; fast_pattern; content:"&rnd="; distance:0; http.user_agent; content:"Downloader 1"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024262; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"UpdateComponents"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010563; classtype:web-application-attack; sid:2010563; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ProxyGearPro Proxy Tool PUA"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Proxy|20|Gear|20|Pro/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:pup-activity; sid:2024484; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Windows Media Services nskey.dll ActiveX Control Possible Remote Buffer Overflow"; flow:to_client,established; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; nocase; content:"CallHTMLHelp"; nocase; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,doc.emergingthreats.net/2008925; classtype:web-application-attack; sid:2008925; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Adware Chrome Extension Detected (1)"; flow:to_server,established; http.uri; content:"/hostedsearch?"; fast_pattern; content:"subid"; distance:0; content:"&keyword="; distance:0; http.header; content:"User-Agent|3a 20|"; content:"Upgrade-Insecure-Requests|3a 20|"; content:"Accept"; content:"Connection|3a 20|"; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit"; flow:to_client,established; content:"0x40000"; content:"WksPictureInterface"; nocase; distance:0; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; nocase; distance:0; reference:bugtraq,28820; reference:url,www.milw0rm.com/exploits/5460; reference:url,www.milw0rm.com/exploits/5530; reference:url,doc.emergingthreats.net/2008226; classtype:web-application-attack; sid:2008226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Adware Chrome Extension Detected (2)"; flow:to_server,established; http.uri; content:"/?keyword="; fast_pattern; content:"&id="; distance:0; content:"&sysid="; distance:0; http.header; content:"User-Agent|3a 20|"; content:"Upgrade-Insecure-Requests|3a 20|"; content:"Accept"; content:"Connection|3a 20|"; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024727; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid"; flow:to_client,established; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; content:"loadXML"; nocase; distance:0; content:"parseError.srcText"; nocase; distance:0; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008887; classtype:web-application-attack; sid:2008887; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] WebToolbar.Win32.Searchbar.k HTTP JSON Artifact"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|7b 22|lib_version|22 3a 22|"; depth:16; content:"|22 2c 22|lib_url|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|bin_version|22 3a 22|"; distance:0; content:"|22 2c 22|bin_url|22 3a 22|"; distance:0; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:pup-activity; sid:2024761; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Macrovision FLEXnet Connect ActiveX Control Arbitrary File Download"; flow:to_client, established; content:"DownloadAndExecute"; nocase; content:"1DF951B1-8D40-4894-A04C-66AD824A0EEF"; nocase; distance:0; reference:bugtraq,27279; reference:url,www.milw0rm.com/exploits/4913; reference:url,doc.emergingthreats.net/2010358; classtype:successful-user; sid:2010358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware.SearchGo (start_page)"; flow:established,to_server; urilen: >100; http.method; content:"GET"; http.uri.raw; content:"/%f3%07%27%f6%46%d3"; depth:19; http.header; content:!"Content-Length|3a|"; http.user_agent; content:"start_page"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:pup-activity; sid:2024762; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_22, deployment Perimeter, former_category ADWARE_PUP, malware_family Searchgo, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET MALWARE Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch)"; flow:established,to_server; dsize:<40; content:"viruscatch|00|"; reference:url,doc.emergingthreats.net/2008573; classtype:trojan-activity; sid:2008573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware.FileFinder Activity"; flow:established, to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/?i="; http.request_body; content:"report=AAA"; depth:20; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:pup-activity; sid:2024904; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET MALWARE Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; reference:url,doc.emergingthreats.net/2008335; classtype:trojan-activity; sid:2008335; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.LoadMoney User Agent 2"; flow:established,to_server; http.user_agent; content:"s|20|2.8"; depth:5; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2025302; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt"; flow:from_server,established; content:"04D18721-749F-4140-AEB0-CAC099CA4741"; nocase; content:"WriteTaskDataToIniFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*04D18721-749F-4140-AEB0-CAC099CA4741/si"; reference:url,www.securitytracker.com/alerts/2009/Jun/1022413.html; reference:url,www.packetstormsecurity.com/0906-exploits/mcafee-activex.txt; reference:url,doc.emergingthreats.net/2009411; classtype:attempted-user; sid:2009411; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMoney Adware Activity M2"; flow:to_server,established; flowbits:set,ETPTadmoney; http.method; content:"GET"; http.uri; content:"/software_install?sid="; fast_pattern; content:"&sub_id="; distance:0; content:"&hash="; distance:0; content:"&mid="; distance:0; content:"&fname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,844e53381099d572c3864c7a42ddbbf1; classtype:pup-activity; sid:2025303; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MetaProducts MetaTreeX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; nocase; pcre:"/(SaveToBMP|SaveToFile)/i"; reference:bugtraq,33318; reference:url,milw0rm.com/exploits/7804; reference:url,doc.emergingthreats.net/2009104; classtype:web-application-attack; sid:2009104; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lavasoft PUA/Adware Client Install"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/event-stat?ProductID="; fast_pattern; content:"&Type=StubStart"; distance:0; http.host; content:"lavasoft.com"; classtype:pup-activity; sid:2025537; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Adware, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microgaming FlashXControl Control Clsid Access"; flow:from_server,established; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D8089245-3211-40F6-819B-9E5E92CD61A2/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,www.microgaming.co.uk/news_flashxcontrol.php; reference:url,doc.emergingthreats.net/2009401; classtype:attempted-user; sid:2009401; rev:26; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WiseCleaner Installed (PUA)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p=install_statistics"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http.host; content:"wisecleaner.net"; fast_pattern; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:pup-activity; sid:2025589; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTsoft NCTAudioFile2 ActiveX Control NCTWMAFILE2.DLL Arbitrary File Overwrite"; flow:to_client,established; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; nocase; content:"CreateFile"; nocase; reference:url,www.milw0rm.com/exploits/7871; reference:bugtraq,24613; reference:url,doc.emergingthreats.net/2009121; classtype:web-application-attack; sid:2009121; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antibody Software Installed (PUA)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"version.php?ver="; nocase; content:"&newinstall="; nocase; distance:0; http.user_agent; content:"Embarcadero URI Client/1.0"; http.host; content:"antibody-software.com"; fast_pattern; reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:pup-activity; sid:2025590; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow"; flow:to_client,established; content:"F85B4A10-B530-4D68-A714-7415838FD174"; nocase; content:"SelectDevice"; nocase; reference:bugtraq,33726; reference:url,doc.emergingthreats.net/2009178; classtype:web-application-attack; sid:2009178; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP [eSentire] Win32/Adware.Adposhel.lgvk CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/inst?data="; nocase; http.user_agent; content:"Installer event sender/"; depth:23; fast_pattern; isdataat:!3,relative; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,e7c2c1b796dad6210165110b7e8cda7d; classtype:pup-activity; sid:2025645; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category ADWARE_PUP, malware_family Adposhel, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; content:"SetFontFace"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; classtype:attempted-user; sid:2009923; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Luxsoft Win32/ICLoader User-Agent"; flow:to_server,established; http.user_agent; content:"Medunja Solodunnja"; depth:18; nocase; reference:url,fortinet.com/blog/threat-research/cookie-maker-inside-the-google-docs-malicious-network.html; classtype:pup-activity; sid:2026114; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client ExecuteRequest ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"ExecuteRequest"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-0935; reference:url,doc.emergingthreats.net/2010693; classtype:attempted-user; sid:2010693; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Adobe Update Download"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"filename=readerdc"; fast_pattern; nocase; pcre:"/(_[a-z]{2}){1,3}_[a-z]{3}_install\.exe/Ri"; content:!"Server|3a 20 20|Apache"; content:"Set-Cookie|3a 20|session="; classtype:pup-activity; sid:2026734; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client GetDriverSettings ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"336723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"GetDriverSettings"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-2908; reference:url,doc.emergingthreats.net/2010694; classtype:attempted-user; sid:2010694; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Adobe Update Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/en"; nocase; content:"/reader/download/?installer=Reader_DC_20"; nocase; within:45; pcre:"/\d{2}\.0\d{2}\.200\d{2}_English(?:_for)?_Windows/R"; http.host; content:!"get.adobe.com"; classtype:pup-activity; sid:2026735; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; content:"download"; nocase; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; reference:url,doc.emergingthreats.net/2009314; classtype:web-application-attack; sid:2009314; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for validate-site.js"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/validate-site.js?uid="; fast_pattern; content:"&r="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027418; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; content:"ExecCommand"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010363; classtype:web-application-attack; sid:2010363; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M2"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/optout/get?jsonp="; depth:18; fast_pattern; content:"&key="; distance:16; within:23; content:"&t="; distance:18; within:21; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027420; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PDFZilla 1.0.8 ActiveX DebugMsgLog method DOS CLSid Access"; flow:established,to_client; content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; nocase; content:"DebugMsgLog"; nocase; reference:url,packetstormsecurity.org/0908-exploits/pdfzilla-overflow.txt; reference:url,doc.emergingthreats.net/9130; classtype:web-application-attack; sid:2010029; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M4"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"/optout/set/lat?jsonp="; fast_pattern; content:"key="; distance:16; within:27; content:"cv="; distance:18; within:27; content:"t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027428; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability"; flow:to_client,established; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; nocase; content:"0x40000"; content:"Logo"; nocase; reference:bugtraq,25502; reference:url,doc.emergingthreats.net/2008173; classtype:web-application-attack; sid:2008173; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/Agent.NDV Receiving Task Config File"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Settings|5d 0d 0a|"; depth:12; content:"post_page0="; distance:0; fast_pattern; reference:md5,c6c1292bf7dd1573b269afb203134b1d; classtype:pup-activity; sid:2027566; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_26, deployment Perimeter, former_category ADWARE_PUP, malware_family Agent_NDV, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt"; flow:from_server,established; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si"; reference:url,www.securityfocus.com/bid/36234/info; reference:url,doc.emergingthreats.net/2009858; classtype:attempted-user; sid:2009858; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getblob?v="; fast_pattern; content:"&cache="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027828; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; content:"SetID"; nocase; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; reference:url,doc.emergingthreats.net/2009002; classtype:web-application-attack; sid:2009002; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Zonebac Traffic Redirect"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; http.request_body; content:"ic="; startswith; fast_pattern; content:"&fb="; distance:0; reference:md5,23ad5529074fa0fba3258b155440659f; classtype:pup-activity; sid:2030821; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; reference:url,doc.emergingthreats.net/2009315; classtype:web-application-attack; sid:2009315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Xetapp Installer Checkin"; flow:established,to_server; http.request_line; content:"GET /settings/launches.php?name="; startswith; fast_pattern; content:"&site="; distance:0; content:"&campaign="; distance:0; reference:md5,e9c4c9048651f62d39b12220d19dd936; classtype:pup-activity; sid:2030825; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_02;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"DD50A655-10FB-11D2-A22B-00104B27F81B"; nocase; content:"Run"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DD50A655-10FB-11D2-A22B-00104B27F81B/si"; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010365; classtype:web-application-attack; sid:2010365; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.DJC CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check.php?action="; depth:18; http.user_agent; content:"biteye4ever"; reference:md5,3dae205d72cb80d1c6ca4f796b28e384; classtype:pup-activity; sid:2028612; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_02;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Remote Desktop Connection ActiveX Control Heap Overflow clsid access"; flow:established,to_client; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(.+<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(\?P=q1)(\s|>)/si"; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-044.mspx; reference:url,doc.emergingthreats.net/2009907; classtype:attempted-user; sid:2009907; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; http.uri; content:"/trackedevent.aspx?"; nocase; content:"ver="; nocase; content:"&ver="; nocase; content:"&rnd="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:pup-activity; sid:2003306; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_02;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RKD Software ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C26D9CA8-6747-11D5-AD4B-C01857C10000"; nocase; content:"SaveasMolFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000/si"; reference:url,packetstorm.foofus.com/1002-exploits/barcode_ax49.rb.txt; reference:bugtraq,24596; reference:url,doc.emergingthreats.net/2011020; classtype:attempted-user; sid:2011020; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Kraddare Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"strID="; content:"strPC="; classtype:pup-activity; sid:2011492; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_04;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; nocase; content:"0x40000"; nocase; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007904; classtype:web-application-attack; sid:2007904; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Haken Clicker CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api_v5/facebook_api.php?n="; fast_pattern; reference:url,research.checkpoint.com/2020/android-app-fraud-haken-clicker-and-joker-premium-dialer/; reference:md5,02939b68596873ad1835d1062ee8836a; classtype:command-and-control; sid:2030836; rev:1; metadata:attack_target Mobile_Client, created_at 2020_09_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_09_04;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution"; flow:to_client,established; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; nocase; content:"url"; nocase; distance:0; pcre:"/(exe|bat|com|dll|ini)/i"; content:"start"; nocase; reference:cve,CVE-2006-6838; reference:bugtraq,21831; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html; reference:url,doc.emergingthreats.net/2007998; classtype:web-application-attack; sid:2007998; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; http.uri; content:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:pup-activity; sid:2003060; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Registry OCX ActiveX FullPath Method Buffer Overflow Attempt"; flow:to_client,established; content:"6D5B4E71-625F-11D2-B3AE-00A0C932C7DF"; nocase; content:"FullPath"; nocase; reference:url,exploit-db.com/exploits/14200/; reference:url,doc.emergingthreats.net/2011253; classtype:attempted-user; sid:2011253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (GeneralDownloadApplication)"; flow:to_server,established; http.user_agent; content:"GeneralDownloadApplication"; depth:26; endswith; classtype:pup-activity; sid:2025092; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Rising Online Virus Scanner ActiveX Control Scan() Method Stack Buffer Overflow Attempt"; flow:established,to_client; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; nocase; content:"Scan"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9FAFB576-6933-4CCC-AB3D-B988EC43D04E/si"; reference:url,www.securityfocus.com/bid/38282; reference:url,doc.emergingthreats.net/2010839; classtype:attempted-user; sid:2010839; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP APN/Ask Toolbar PUA/PUP User-Agent"; flow:established,to_server; http.user_agent; content:"TBNotifier"; depth:10; fast_pattern; endswith; classtype:pup-activity; sid:2025400; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; nocase; content:"DiskType"; nocase; reference:url,milw0rm.com/exploits/8824; reference:bugtraq,23412; reference:url,doc.emergingthreats.net/2009725; classtype:web-application-attack; sid:2009725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Related User-Agent (WINTERNET)"; flow:established,to_server; http.user_agent; content:"WINTERNET"; depth:9; endswith; fast_pattern; reference:md5,feeb9efd6b724d772768cd89d3c30380; classtype:pup-activity; sid:2027141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_29, former_category USER_AGENTS, tag User_Agent, tag PUA, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow"; flow:to_client,established; content:"EE1BBA18-F0C8-477E-8AC8-C28B94F1B7DC"; nocase; content:"SetIAPlayerName"; nocase; reference:url,xforce.iss.net/xforce/xfdb/50868; reference:url,milw0rm.com/exploits/8835; reference:url,doc.emergingthreats.net/2009735; classtype:web-application-attack; sid:2009735; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:pup-activity; sid:2007860; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SAP GUI ActiveX Control Insecure Method File Overwrite Attempt"; flow:from_server,established; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; content:"Save"; nocase; content:"ToSessionFile"; within:17; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E/si"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022953.html; reference:url,doc.emergingthreats.net/2010013; classtype:attempted-user; sid:2010013; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Explorer)"; flow:established,to_server; http.user_agent; content:"Explorer"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:pup-activity; sid:2007921; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt"; flow:from_server,established; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; nocase; content:"Accept"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87/si"; reference:url,www.securityfocus.com/bid/35256/info; reference:url,doc.emergingthreats.net/2010219; classtype:attempted-user; sid:2010219; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:27; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:pup-activity; sid:2007929; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Archive method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"Archive"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010468; classtype:web-application-attack; sid:2010468; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP)"; flow:to_server,established; http.user_agent; content:"HTTP"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:pup-activity; sid:2007943; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Text method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"Text"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010469; classtype:web-application-attack; sid:2010469; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"wget 3.0"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007961; classtype:pup-activity; sid:2007961; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditSelText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"EditSelText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010470; classtype:web-application-attack; sid:2010470; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"x"; depth:1; endswith; http.host; content:!"update.aida64.com"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:pup-activity; sid:2013017; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"EditText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010471; classtype:web-application-attack; sid:2010471; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; http.host; content:"go2000.cn"; endswith; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:pup-activity; sid:2013422; rev:6; metadata:created_at 2011_08_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX CellFontName method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"CellFontName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010472; classtype:web-application-attack; sid:2010472; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; http.uri; content:"/dmresources/instructions"; fast_pattern; content:".dat"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.protocol; content:"HTTP/1.0"; endswith; http.header_names; content:!"Referer"; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; classtype:pup-activity; sid:2017992; rev:11; metadata:created_at 2014_01_20, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP AG SAPgui EAI WebViewer2D ActiveX stack buffer overflow CLSid Access"; flow:established,to_client; content:"A76CEBEE-7364-11D2-AA6B-00E02924C34E"; nocase; content:"SaveToSessionFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A76CEBEE-7364-11D2-AA6B-00E02924C34E/si"; reference:url,dsecrg.com/pages/vul/show.php?id=143; reference:url,doc.emergingthreats.net/2010481; classtype:attempted-user; sid:2010481; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/OptimizerPro.exe"; nocase; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018743; rev:6; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI SAPBExCommonResources ActiveX Insecure Method Code Execution Attempt"; flow:established,to_client; content:"A009C90D-814B-11D3-BA3E-080009D22344"; nocase; content:"Execute"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A009C90D-814B-11D3-BA3E-080009D22344/si"; reference:url,dsecrg.com/pages/vul/show.php?id=164; reference:url,doc.emergingthreats.net/2010957; classtype:attempted-user; sid:2010957; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PicColor Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?d="; content:"&format=json"; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:pup-activity; sid:2020948; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_20, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; content:"Get"; nocase; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; reference:url,doc.emergingthreats.net/2009047; classtype:web-application-attack; sid:2009047; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/launch/"; endswith; http.header_names; content:"X-Crypto-Version"; fast_pattern; content:!"User-Agent"; content:!"Referer"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:pup-activity; sid:2021283; rev:7; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt"; flow:established,from_server; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; nocase; content:"StartVideoSaving"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C/si"; reference:url,www.securityfocus.com/bid/36217/info; reference:url,doc.emergingthreats.net/2009869; classtype:attempted-user; sid:2009869; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; http.user_agent; content:"PCAcceleratePro"; depth:15; endswith; classtype:pup-activity; sid:2022828; rev:6; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt"; flow:to_client,established; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; content:"AddRouteEntry"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si"; reference:url,www.securityfocus.com/bid/26288/info; reference:cve,2007-5603; reference:url,doc.emergingthreats.net/2010456; classtype:attempted-user; sid:2010456; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/q/"; depth:3; fast_pattern; http.request_body; content:"q="; depth:2; pcre:"/^[a-zA-Z0-9_-]+$/R"; http.connection; content:"close"; nocase; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:pup-activity; sid:2025094; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Internet, former_category ADWARE_PUP, malware_family Adposhel, performance_impact Moderate, signature_severity Major, tag Adware, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; content:"SetExternalPlayer"; nocase; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; reference:url,doc.emergingthreats.net/2009226; classtype:web-application-attack; sid:2009226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.qbix.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:pup-activity; sid:2025424; rev:4; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2018_03_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution"; flow:to_client,established; content:"01110800-3E00-11D2-8470-0060089874ED"; nocase; pcre:"/(Packagefiles|SaveDna|SetIdentity|AddFile)/i"; reference:bugtraq,34004; reference:url,milw0rm.com/exploits/8160; reference:url,doc.emergingthreats.net/2009322; classtype:web-application-attack; sid:2009322; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"maraukog.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sygate Personal Firewall ActiveX SetRegString Method Stack Overflow Attempt"; flow:established,to_client; content:"D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9"; nocase; content:"SetRegString"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9/si"; reference:url,www.exploit-db.com/exploits/13834/; reference:url,www.corelan.be#=#=8800/index.php/forum/security-advisories/10-050-sygate-personal-firewall-5-6-build-2808-activex/; reference:url,doc.emergingthreats.net/2011690; classtype:attempted-user; sid:2011690; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"acinster.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:to_client,established; content:"22ACD16F-99EB-11D2-9BB3-00400561D975"; nocase; content:"0x40000"; pcre:"/(_DOWText)|(_MonthText)/i"; content:"Save"; nocase; reference:url,www.milw0rm.com/exploits/5205; reference:cve,CVE-2007-6017; reference:bugtraq,28008; reference:url,doc.emergingthreats.net/2007932; classtype:web-application-attack; sid:2007932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aclassigned.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025489; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service"; flow:to_client,established; content:"7972D5BE-2213-4B28-884C-F8F82432EAA5"; nocase; pcre:"/(SetupDeleteVolume|GetBackupLocationPath|CallUninstall|CanUseEasySetup|CallAddInitialProtection|CallTour)/i"; reference:url,milw0rm.com/exploits/8523; reference:bugtraq,34696; reference:url,doc.emergingthreats.net/2009373; classtype:web-application-attack; sid:2009373; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"efishedo.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025490; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec WinFax Pro DCCFAXVW.DLL Heap Buffer Overflow"; flow:to_client,established; content:"C05A1FBC-1413-11D1-B05F-00805F4945F6"; nocase; content:"AppendFax"; nocase; reference:bugtraq,34766; reference:url,milw0rm.com/exploits/8562; reference:url,doc.emergingthreats.net/2009385; classtype:web-application-attack; sid:2009385; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"enclosely.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow"; flow:to_client,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; nocase; pcre:"/classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; reference:bugtraq,8008; reference:url,xforce.iss.net/xforce/xfdb/12423; reference:url,juniper.net/security/auto/vulnerabilities/vuln8008.html; reference:url,doc.emergingthreats.net/2009847; classtype:web-application-attack; sid:2009847; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"insupposity.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025492; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; content:"BrowseAndSaveFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; classtype:attempted-user; sid:2010227; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"suggedin.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025493; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt"; flow:established,to_client; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; content:"RunCmd"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010369; classtype:attempted-user; sid:2010369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; dns.query; content:"suggedin.info"; nocase; endswith; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:pup-activity; sid:2025531; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"; nocase; content:"SetRemoteComputerName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E381F1C0-910E-11D1-AB1E-00A0C90F8F6F/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010958; classtype:attempted-user; sid:2010958; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr5.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027422; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"02C2DD87-2E67-11D2-96EF-0000861852D5"; nocase; content:"GetStatus"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02C2DD87-2E67-11D2-96EF-0000861852D5/si"; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010691; classtype:attempted-user; sid:2010691; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr30_nt.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027423; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit"; flow:to_client,established; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; nocase; content:"TransferFile"; nocase; pcre:"/[\w\W]{2500,}/i"; reference:bugtraq,28662; reference:url,www.milw0rm.com/exploits/5398; reference:url,doc.emergingthreats.net/2008128; classtype:web-application-attack; sid:2008128; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed OSX/PremierOpinionD Collection Domain in TLS SNI"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; tls.sni; content:"oss-content.securestudies.com"; endswith; reference:url,www.airoav.com/mitm-voicefive; classtype:pup-activity; sid:2027694; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PremierOpinionD, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt"; flow:established,from_server; content:"A0D43FB0-116B-47AB-80FB-6DCFA92A03E3"; nocase; content:"eXMLFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A0D43FB0-116B-47AB-80FB-6DCFA92A03E3/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009894; classtype:attempted-user; sid:2009894; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Reporting Details to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?ver="; content:"&t="; distance:0; content:"&domain="; distance:0; content:"&file="; distance:0; content:"&ext="; distance:0; content:"&cache="; distance:0; content:"&res1="; distance:0; http.user_agent; content:"VCSoapClient"; depth:12; fast_pattern; endswith; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027830; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt"; flow:established,from_server; content:"A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8"; nocase; content:"SetText"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s* \x7B?\s*A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009893; classtype:attempted-user; sid:2009893; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Lookup of Malware Domain twothousands.cm Likely Infection"; dns.query; content:"twothousands.cm"; depth:15; fast_pattern; endswith; nocase; classtype:pup-activity; sid:2012176; rev:6; metadata:created_at 2011_01_13, former_category ADWARE_PUP, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt"; flow:from_server,established; content:"44A8091F-8F01-43B7-8CF7-4BBA71E61E04"; nocase; content:"FtpConnect"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44A8091F-8F01-43B7-8CF7-4BBA71E61E04/si"; reference:url,www.milw0rm.org/exploits/8986; reference:url,doc.emergingthreats.net/2010161; classtype:attempted-user; sid:2010161; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; dns.query; content:"startupfraction.com"; depth:19; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024722; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue/WriteValue method Heap Overflow Attempt"; flow:established,to_client; content:"07DD3249-A591-4949-8F20-09CD347C69DC"; nocase; content:"Value"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07DD3249-A591-4949-8F20-09CD347C69DC.+(DeleteValue|WriteValue)/si"; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010834; classtype:attempted-user; sid:2010834; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (search.feedvertizus)"; dns.query; content:"search.feedvertizus.com"; depth:23; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Attempt"; flow:established,to_client; content:"C2828995-4A83-4100-A212-3024BA117356"; nocase; content:"RichUploadControlContextData"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C2828995-4A83-4100-A212-3024BA117356/si"; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010702; classtype:attempted-user; sid:2010702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (opurie)"; dns.query; content:"opurie.com"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024725; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow"; flow:to_client,established; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; content:"OpenPDF"; nocase; reference:bugtraq,32313; reference:url,milw0rm.com/exploits/7126; reference:url,doc.emergingthreats.net/2008869; classtype:web-application-attack; sid:2008869; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BundledInstaller PUA/PUP Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.host; content:"down.freefullversion.org"; depth:24; fast_pattern; reference:md5,8edee795e16433717eab784938060198; classtype:pup-activity; sid:2028613; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_09_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; content:"extractPagesToFile"; nocase; distance:0; reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358; reference:url,doc.emergingthreats.net/2008895; classtype:web-application-attack; sid:2008895; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miuref/Boaxxe Checkin"; flow:to_server,established; urilen:>400; http.method; content:"GET"; http.uri.raw; content:"%2b"; fast_pattern; content:"%2f"; content:!"|2e|"; content:!"|3f|"; content:!"|26|"; pcre:"/^\/(?:[a-zA-Z0-9]|%2[fb]){400,}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/01/17/boaxxe-adware-a-good-advert-sells-the-product-without-drawing-attention-to-itself-part-2/; reference:url,blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx; classtype:pup-activity; sid:2018582; rev:12; metadata:created_at 2013_11_22, former_category MALWARE, updated_at 2020_09_24;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow Attempt"; flow:established,to_client; content:"F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"; nocase; content:"DrawText"; nocase; content:!"|0A|"; within:25; isdataat:25,relative; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E/si"; reference:url,en.securitylab.ru/poc/extra/389924.php; reference:url,doc.emergingthreats.net/2010840; classtype:attempted-user; sid:2010840; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed DownloadAssistant User-Agent"; flow:established,to_server; http.user_agent; content:"DLA/"; startswith; reference:md5,521875fc63f4b2c004deb75e766cb8c5; classtype:pup-activity; sid:2030933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Internet, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible VMware Console ActiveX Format String Remote Code Execution Attempt"; flow:established,to_client; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; nocase; content:"connect"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B94C2238-346E-4C5E-9B36-8CC627F35574/si"; reference:url,dsecrg.com/pages/vul/show.php?id=153; reference:url,lists.vmware.com/pipermail/security-announce/2010/000090.html; reference:cve,2009-3732; reference:url,doc.emergingthreats.net/2011126; classtype:attempted-user; sid:2011126; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownloadAssistant Activity"; flow:established,to_server; http.start; content:"POST /v2/events HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Length|3a 20|"; fast_pattern; http.request_body; content:"4F44"; startswith; reference:md5,d6d20eef805a4719f0771321f832bbed; classtype:pup-activity; sid:2030934; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Web on Windows ActiveX Insecure Methods"; flow:to_client,established; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; nocase; pcre:"/(WriteIniFileString|ShellExecute)/i"; reference:bugtraq,33515; reference:url,xforce.iss.net/xforce/xfdb/48337; reference:url,doc.emergingthreats.net/2009136; classtype:web-application-attack; sid:2009136; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RelevantKnowledge Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&os="; content:"&osmajorver="; distance:0; content:"&osminorver="; distance:0; content:"&osmajorsp="; distance:0; content:"&lang="; distance:0; content:"&country="; distance:0; content:"&ossname="; distance:0; content:"&brand="; distance:0; content:"&bits="; distance:0; http.header; content:"X-OSSProxy|3a|"; fast_pattern; reference:md5,d93b888e08693119a1b0dd3983b8d1ec; classtype:command-and-control; sid:2018174; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_02_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WinDVD7 IASystemInfo.DLL ActiveX ApplicationType method buffer overflow Attempt"; flow:established,to_client; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; content:"ApplicationType"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B727C217-2022-11D4-B2C6-0050DA1BD906/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/windvd7_applicationtype.rb.txt; reference:url,secunia.com/advisories/24556/; reference:url,doc.emergingthreats.net/2010852; classtype:web-application-attack; sid:2010852; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; http.user_agent; content:"Envolo"; fast_pattern; reference:url,doc.emergingthreats.net/2001706; classtype:pup-activity; sid:2001706; rev:38; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Universal HTTP File Upload Remote File Deletetion"; flow:to_client,established; content:"4FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; content:"RemoveFileOrDir"; nocase; pcre:"/(txt|ini|com|exe|bat|dll|dat)/i"; reference:url,www.milw0rm.com/exploits/5272; reference:url,doc.emergingthreats.net/2008062; classtype:web-application-attack; sid:2008062; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; http.user_agent; content:"SAH Agent"; fast_pattern; reference:url,doc.emergingthreats.net/2001707; classtype:pup-activity; sid:2001707; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit"; flow:to_client,established; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; content:"RemoveFileOrDir"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5569; reference:url,doc.emergingthreats.net/2008225; classtype:web-application-attack; sid:2008225; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Spyware User-Agent (MyWay)"; flow: established,to_server; threshold:type limit, count 1, seconds 360, track by_src; http.user_agent; content:"MyWay"; fast_pattern; reference:url,doc.emergingthreats.net/2001864; classtype:pup-activity; sid:2001864; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; nocase; content:"CanUninstall"; nocase; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; reference:url,doc.emergingthreats.net/2008619; classtype:web-application-attack; sid:2008619; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; http.user_agent; content:"MyWebSearch"; fast_pattern; reference:url,doc.emergingthreats.net/2001865; classtype:pup-activity; sid:2001865; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; http.header; content:"|20|searchengine|0d 0a|"; fast_pattern; pcre:"/User-Agent\:[^\n]+searchengine/i"; reference:url,doc.emergingthreats.net/2001867; classtype:pup-activity; sid:2001867; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server"; flow:established,from_server; dsize:124; content:"|80 04 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011400; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (sureseeker)"; flow: established,to_server; http.user_agent; content:"sureseeker.com"; reference:url,doc.emergingthreats.net/2001868; classtype:pup-activity; sid:2001868; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011399; rev:4; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; http.header; content:"SurferPlugin"; fast_pattern; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference:url,doc.emergingthreats.net/2001870; classtype:pup-activity; sid:2001870; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Execute DDoS Command From CnC Server"; flow:established,from_server; dsize:124; content:"|00 10 00 00|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011398; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; http.header; content:"THNALL"; fast_pattern; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; reference:url,doc.emergingthreats.net/2002002; classtype:pup-activity; sid:2002002; rev:33; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|ftp|3a|//"; depth:10; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011592; rev:1; metadata:created_at 2010_10_07, former_category MALWARE, updated_at 2010_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; http.header; content:"XupiterToolbar"; fast_pattern; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:pup-activity; sid:2002071; rev:19; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; content:!"User-Agent|3a|"; http_header; content:!"download.windowsupdate.com"; http_header; content:!"mms|3a|//"; nocase; pcre:"/\.exe$/Ui"; reference:url,doc.emergingthreats.net/2003179; classtype:policy-violation; sid:2003179; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; http.header; content:"spywareaxe"; fast_pattern; pcre:"/User-Agent\:[^\n]+spywareaxe/"; reference:url,doc.emergingthreats.net/2002808; classtype:pup-activity; sid:2002808; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IE ActiveX control Exec method Remote code execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; distance:0; content:"Exec"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72C24DD5-D70A-438B-8A42-98424B88AFB8/si"; reference:url,www.packetstormsecurity.org/1001-exploits/wshomocx-activex.txt; reference:url,doc.emergingthreats.net/2010978; classtype:attempted-user; sid:2010978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; http.user_agent; content:"ErrorSafe|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003346; classtype:pup-activity; sid:2003346; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; reference:url,doc.emergingthreats.net/2008620; classtype:web-application-attack; sid:2008620; rev:38; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; http.user_agent; content:"GAMEHOUSE"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003347; classtype:pup-activity; sid:2003347; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Asprox Spambot SQL-Injection Atempt"; flow:established,to_server; content:"GET"; http_method; content:"declare "; http_uri; nocase; content:"char("; http_uri; nocase; content:"exec(@"; nocase; http_uri; classtype:web-application-attack; sid:2011291; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; http.user_agent; content:"FreezeInet"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003355; classtype:pup-activity; sid:2003355; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|10|"; within:6; flowbits:noalert; reference:url,doc.emergingthreats.net/2003007; classtype:unusual-client-port-connection; sid:2003007; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; threshold: type limit, count 1, seconds 300, track by_src; http.user_agent; content:"SpamBlockerUtility|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003384; classtype:pup-activity; sid:2003384; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003012; classtype:unusual-client-port-connection; sid:2003012; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; http.user_agent; content:"Morpheus"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003396; classtype:pup-activity; sid:2003396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003013; classtype:unusual-client-port-connection; sid:2003013; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; threshold:type both, count 1, seconds 300, track by_src; http.user_agent; content:"Seekmo"; fast_pattern; nocase; classtype:pup-activity; sid:2003397; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; classtype:trojan-activity; sid:2000930; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; http.user_agent; content:"SmartInstaller"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003398; classtype:pup-activity; sid:2003398; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_12, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| ABC/ABC"; nocase; reference:url,pingpong-abc.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003475; classtype:trojan-activity; sid:2003475; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; http.header; content:"iMeshBar"; fast_pattern; pcre:"/User-Agent\:[^\n]+iMeshBar/i"; reference:url,doc.emergingthreats.net/2003406; classtype:pup-activity; sid:2003406; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; classtype:attempted-recon; sid:2009749; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; http.user_agent; content:"SF Installer"; fast_pattern; reference:url,doc.emergingthreats.net/2003428; classtype:pup-activity; sid:2003428; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_12, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; classtype:attempted-dos; sid:2003474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; http.user_agent; content:"DSInstall"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003439; classtype:pup-activity; sid:2003439; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_12, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007903; classtype:web-application-attack; sid:2007903; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; http.header; content:"|20|Oemji"; fast_pattern; pcre:"/User-Agent\:[^\n]+Oemji/i"; reference:url,doc.emergingthreats.net/2003468; classtype:pup-activity; sid:2003468; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED TinyPE Binary - Possibly Hostile"; flow:from_server,established; content:"MZ"; content:"PE|00 00|"; within:20; reference:url,www.phreedom.org/solar/code/tinype/; reference:url,www.packetninjas.net/blog/2008/11/20/ids-signature-for-extremely-small-portable-executable-files.html; reference:url,doc.emergingthreats.net/2008576; classtype:trojan-activity; sid:2008576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; threshold:type limit, count 2, seconds 360, track by_src; http.user_agent; content:"AskSearch"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003493; classtype:pup-activity; sid:2003493; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeAV SetupSecure Download Attempt SetupSecure"; flow:established,to_server; content:"/download/SetupSecure_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com; classtype:trojan-activity; sid:2011357; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Win95)"; flow:to_server,established; http.user_agent; content:"Win95"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:pup-activity; sid:2008015; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.FraudPack.aweo"; flow:established,to_server; content:"GET"; http_method; content:"update.php?do="; http_uri; content:"&coid="; http_uri; content:"&IP="; http_uri; content:"&fff="; http_uri; content:"&lct="; http_uri; content:"&ttt="; http_uri; content:"&v="; reference:md5,4bc4c32a8d93c29b026bbfb24ccecd14; classtype:trojan-activity; sid:2011294; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; http.uri; content:"?action="; content:"&pc_id="; content:"&abbr="; fast_pattern; content:"&err="; reference:url,doc.emergingthreats.net/2008282; classtype:pup-activity; sid:2008282; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Variant Checkin Activity"; flow:established,to_server; content:"/sm.php?pizda"; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:md5,f39d0a669ad98b95370a4f525d7d79ec; classtype:trojan-activity; sid:2011335; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Unknown Malware patchlist.xml Request"; flow:established,to_server; http.uri; content:"/update/patchlist.xml"; fast_pattern; classtype:pup-activity; sid:2013200; rev:5; metadata:created_at 2011_07_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stupid Stealer C&C Communication (1)"; flow:established,to_server; content:"cmd=give&pcname="; nocase; http_uri; content:"&status="; http_uri; nocase; pcre:"/cmd=give&pcname=.+&status=\d+$/U"; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:command-and-control; sid:2011370; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; http.uri; content:".php?pi="; fast_pattern; content:"&gu="; content:"&ac="; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 6.0)"; bsize:33; classtype:pup-activity; sid:2013540; rev:8; metadata:created_at 2011_09_06, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stupid Stealer C&C Communication (2)"; flow:established,to_server; content:"action=add"; nocase; http_uri; content:"&status="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&pcname="; http_uri; nocase; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:command-and-control; sid:2011371; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; http.uri; content:"/LogProc.php?"; fast_pattern; content:"mac="; content:"mode="; content:"&pCode="; reference:md5,2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:pup-activity; sid:2013797; rev:7; metadata:created_at 2011_10_24, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeYak or Related Infection Checkin 2"; flow:established,to_server; content:"&fff="; http_uri; content:"&coid="; http_uri; content:"saf="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:command-and-control; sid:2011397; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Ezula Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/download/UVid.asp?"; fast_pattern; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:pup-activity; sid:2016938; rev:6; metadata:created_at 2013_05_29, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE wisp backdoor detected reporting"; flow:established,to_server; content:"getkys.kys"; nocase; http_uri; content:"hostname="; nocase; http_uri; classtype:trojan-activity; sid:2011395; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; http.uri; content:"/api/success/?s="; fast_pattern; content:"&c="; content:"&cv="; content:"&context="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017880; rev:9; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(1)"; flow:established,to_server; content:"GET"; http_header; content:"/gatech.php?pn="; nocase; http_uri; reference:md5,ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011490; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; http.uri; content:"/downloads/icons.dat"; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017881; rev:6; metadata:created_at 2013_12_18, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(2)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?id="; nocase; http_uri; reference:md5,ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011491; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GMUnpackerInstaller.A Checkin"; flow:to_server,established; http.uri; content:"/new/rar.xml"; fast_pattern; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:pup-activity; sid:2017892; rev:5; metadata:created_at 2013_12_20, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011792; rev:5; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.PUQD Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/Version/"; fast_pattern; startswith; content:"/trace/"; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:pup-activity; sid:2017945; rev:6; metadata:created_at 2014_01_08, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz or Rohimafo config loaded"; flow: established,to_server; content:"knock.php"; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:"load|5f|success"; nocase; content:!"User-Agent"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011522; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; http.uri; content:".gif?action="; content:"&browser="; content:"&ver="; content:"&bic="; fast_pattern; content:"&app="; content:"&appver="; content:"&verifier="; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:pup-activity; sid:2018301; rev:6; metadata:created_at 2012_10_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011524; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/product-am.php?id="; fast_pattern; content:"&v="; content:"&offer["; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:pup-activity; sid:2018307; rev:7; metadata:created_at 2014_03_19, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso FTP Credential Theft Reported"; flow:to_server,established; content:"/receiver/ftp"; http_uri; nocase; content:"|0d 0a 0d 0a|ftp_uri_0="; nocase; content:"&ftp_source_0="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:md5,348ba619aab3a92b99701335f95fe2a7; reference:md5,8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011470; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server; http.uri; content:"/api/software/?s="; fast_pattern; content:"&os="; content:"&output="; content:"&v="; content:"&l="; content:"&np="; content:"&osv="; content:"&b="; content:"&bv="; content:"&c="; content:"&cv="; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:pup-activity; sid:2018323; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso Checkin"; flow:established,to_server; content:"POST"; http_method; content:"receiver/online"; http_uri; content:"|0d 0a 0d 0a|guid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:md5,348ba619aab3a92b99701335f95fe2a7; reference:md5,8be56dbd057c3bde42ae804bfd647bb6; classtype:command-and-control; sid:2011471; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?mode="; fast_pattern; content:"&subid="; content:"&filedescription="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:pup-activity; sid:2018367; rev:10; metadata:created_at 2014_04_07, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pthc"; flow: from_server,established; content:" pthc "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001386; classtype:policy-violation; sid:2001386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/evt/?nexcb="; startswith; fast_pattern; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:pup-activity; sid:2018565; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_06_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"imgdir="; nocase; http_uri; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; reference:url,doc.emergingthreats.net/2010601; classtype:web-application-attack; sid:2010601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?q="; offset:4; depth:8; pcre:"/^\/(?:get|install)\/\?q=/"; http.header; content:"optpro"; fast_pattern; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018744; rev:7; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods"; flow:established,to_server; content:"/search/list/action_search/index.php?"; nocase; http_uri; content:"form[mods]["; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003905; classtype:web-application-attack; sid:2003905; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[a-f0-9]{50,}$/"; http.header; content:"Proxy-Authorization|3a 20|Basic"; http.host; content:"stan|2E|"; fast_pattern; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019145; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form"; flow:established,to_server; content:"/search/list/action_search/index.php?"; nocase; http_uri; content:"form["; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003906; classtype:web-application-attack; sid:2003906; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[\w-]{50,}$/"; http.host; content:"kyle|2E|"; fast_pattern; startswith; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019156; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id"; flow:established,to_server; content:"/modules/dl/download.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003907; classtype:web-application-attack; sid:2003907; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; http.method; content:"POST"; http.uri; content:"/?pcrc="; fast_pattern; pcre:"/^\/\?pcrc=[0-9]{7,10}$/"; http.request_body; content:"0A0Czut"; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:pup-activity; sid:2019511; rev:8; metadata:created_at 2014_10_27, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat"; flow:established,to_server; content:"/news/list/index.php?"; nocase; http_uri; content:"form[cat]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003908; classtype:web-application-attack; sid:2003908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pxl/"; fast_pattern; content:"e=-1"; content:"&c="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:pup-activity; sid:2019622; rev:5; metadata:created_at 2014_10_31, former_category ADWARE_PUP, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[cat]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003909; classtype:web-application-attack; sid:2003909; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?p="; fast_pattern; content:"&v="; content:"&id="; distance:0; http.user_agent; content:"AutoUpdate"; bsize:10; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:pup-activity; sid:2021401; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[name]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003910; classtype:web-application-attack; sid:2003910; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney User Agent"; flow:established,to_server; http.user_agent; content:"Downloader|20|"; startswith; fast_pattern; pcre:"/^Downloader \d\.\d$/"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024249; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[message]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003911; classtype:web-application-attack; sid:2003911; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 3"; flow:to_server,established; http.uri; content:"/get_download_xml_"; fast_pattern; content:"?id="; http.user_agent; content:"tiny-dl"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024252; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail"; flow:established,to_server; content:"/newsletter/create/index.php?"; nocase; http_uri; content:"form[mail]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003912; classtype:web-application-attack; sid:2003912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 6"; flow:to_server,established; http.uri; content:"/get_xml?story="; fast_pattern; content:"&file"; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024254; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir"; flow:established,to_server; content:"/common/func.php?"; nocase; http_uri; content:"CommonAbsDir="; nocase; http_uri; reference:cve,CVE-2007-2596; reference:url,www.milw0rm.com/exploits/3884; reference:url,doc.emergingthreats.net/2003704; classtype:web-application-attack; sid:2003704; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 7"; flow:to_server,established; http.uri; content:"/info?story="; fast_pattern; content:"&file="; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024255; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header"; flow:established,to_server; content:"/common/errormsg.php?"; nocase; http_uri; content:"header="; nocase; http_uri; reference:cve,CVE-2007-2634; reference:url,secunia.com/advisories/25224; reference:url,doc.emergingthreats.net/2003736; classtype:web-application-attack; sid:2003736; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 5"; flow:to_server,established; http.uri; content:"/getspfile.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024256; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2625; reference:url,www.frsirt.com/english/advisories/2007/1637; reference:url,doc.emergingthreats.net/2003886; classtype:web-application-attack; sid:2003886; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 1"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/ppu.php"; fast_pattern; http.request_body; content:"xml_req="; depth:8; content:"system"; distance:0; content:"os+version"; distance:0; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024258; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php"; flow:established,to_server; content:"/shared/config/cp_config.php?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2624; reference:url,www.securityfocus.com/bid/23790; reference:url,doc.emergingthreats.net/2003887; classtype:web-application-attack; sid:2003887; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 3"; flow:established,to_server; http.uri; content:"/get_json?"; fast_pattern; content:"&name="; content:"rnd="; http.user_agent; content:"Downloader|20|"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024261; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail File Send"; flow:to_server,established; content:"Content-Disposition|3a| form-data|3b| name=|22|msgbody|22|"; nocase; http_client_body; content:"name=|22|form-data|3b| file0|22 3b| filename=|22|"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2001425; classtype:policy-violation; sid:2001425; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Java.Deathbot Requesting Proxies"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Socks"; fast_pattern; content:".txt"; endswith; distance:1; within:4; pcre:"/\/Socks[45]\.txt$/"; http.user_agent; content:"Java/1."; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:pup-activity; sid:2024794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, signature_severity Major, updated_at 2020_10_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 3 The Frozen throne login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PX3W"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002108; classtype:policy-violation; sid:2002108; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (OLS) wrong password"; flow:established,from_server; content:"|FF 3A 08 00 02 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002115; classtype:policy-violation; sid:2002115; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; http.user_agent; content:"NetInstaller"; nocase; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:pup-activity; sid:2003528; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (NLS) wrong password"; flow:established,from_server; content:"|FF 54 1C 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002116; classtype:policy-violation; sid:2002116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (double dashes)"; flow:to_server,established; http.user_agent; content:"|2d 2d |"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:pup-activity; sid:2007948; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_13;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to eleonore exploit kit"; flow:established,to_client; content:"SL_"; http_cookie; content:"_0000="; http_cookie; classtype:exploit-kit; sid:2011810; rev:1; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; http.header; content:"Viper 4.0|29|"; nocase; fast_pattern; distance:2; within:10; http.user_agent; content:"Mozilla|2f|5|2e|0 |28|compatible"; depth:23; reference:url,doc.emergingthreats.net/2008586; classtype:pup-activity; sid:2008586; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/layouts/standard.php?"; nocase; http_uri; content:"page_include="; nocase; http_uri; pcre:"/page_include=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2009/0360; reference:url,milw0rm.com/exploits/8003; reference:url,doc.emergingthreats.net/2009717; classtype:web-application-attack; sid:2009717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; http.user_agent; content:"Museon"; depth:6; reference:url,doc.emergingthreats.net/2006418; classtype:pup-activity; sid:2006418; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007504; classtype:web-application-attack; sid:2007504; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Related Trojan User-Agent (kpangupdate)"; flow:established,to_server; http.user_agent; content:"kpangupdate"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007779; classtype:pup-activity; sid:2007779; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007505; classtype:web-application-attack; sid:2007505; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP my247eshop .com User-Agent"; flow:established,to_server; http.user_agent; content:"EShopee"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008243; classtype:pup-activity; sid:2008243; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007506; classtype:web-application-attack; sid:2007506; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Nimo Software HTTP"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:pup-activity; sid:2008257; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007507; classtype:web-application-attack; sid:2007507; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Artro Downloader User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|wget 3.0|3b 20|rv|3a|5.0) Gecko/20100101 Firefox/5.0"; depth:73; fast_pattern; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:pup-activity; sid:2013184; rev:9; metadata:created_at 2011_07_04, former_category USER_AGENTS, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007508; classtype:web-application-attack; sid:2007508; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer User-Agent (ROGUE)"; flow: to_server,established; http.user_agent; content:"ROGUE"; depth:5; reference:url,www.internet-optimizer.com; reference:url,doc.emergingthreats.net/2002405; classtype:pup-activity; sid:2002405; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007509; classtype:web-application-attack; sid:2007509; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Related User-Agent (mez)"; flow: to_server,established; http.user_agent; content:"mez"; nocase; depth:3; endswith; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:pup-activity; sid:2000586; rev:35; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2892; reference:url,www.securityfocus.com/bid/24135; reference:url,doc.emergingthreats.net/2004594; classtype:web-application-attack; sid:2004594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP YourSiteBar User-Agent (istsvc)"; flow: to_server,established; http.user_agent; content:"istsvc"; nocase; depth:6; endswith; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:pup-activity; sid:2001699; rev:264; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; http.user_agent; content:"Bundle"; depth:6; reference:url,doc.emergingthreats.net/2001702; classtype:pup-activity; sid:2001702; rev:40; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 404Search Spyware User-Agent (404search)"; flow:established,to_server; http.user_agent; content:"404search"; depth:9; reference:url,doc.emergingthreats.net/2001852; classtype:pup-activity; sid:2001852; rev:31; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002173; classtype:web-application-attack; sid:2002173; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; http.user_agent; content:"ESB"; depth:3; reference:url,doc.emergingthreats.net/2001853; classtype:pup-activity; sid:2001853; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; reference:url,doc.emergingthreats.net/2002308; classtype:web-application-attack; sid:2002308; rev:49; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZULA Spyware User Agent"; flow: established,to_server; http.user_agent; content:"ezula"; depth:5; nocase; reference:url,doc.emergingthreats.net/2001854; classtype:pup-activity; sid:2001854; rev:27; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 1)"; flow:established,from_server; pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002491; classtype:web-application-attack; sid:2002491; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (Sidesearch)"; flow: established,to_server; http.user_agent; content:"Sidesearch"; depth:10; reference:url,doc.emergingthreats.net/2001869; classtype:pup-activity; sid:2001869; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 3)"; flow:established,from_server; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002493; classtype:web-application-attack; sid:2002493; rev:81; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; http.user_agent; content:"TSA/"; depth:4; reference:url,doc.emergingthreats.net/2001871; classtype:pup-activity; sid:2001871; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/i"; reference:cve,2006-1186; reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; reference:url,doc.emergingthreats.net/2002861; classtype:web-application-attack; sid:2002861; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (EI)"; flow: to_server,established; http.user_agent; content:"EI"; depth:2; endswith; reference:url,doc.emergingthreats.net/2001996; classtype:pup-activity; sid:2001996; rev:18; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; pcre:"/(Save|ExportImage)/i"; reference:url,milw0rm.com/exploits/8208; reference:bugtraq,23934; reference:url,doc.emergingthreats.net/2009334; classtype:web-application-attack; sid:2009334; rev:30; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware (Feat)"; flow: to_server,established; http.user_agent; content:"Feat"; nocase; depth:4; pcre:"/^Feat[^\r\n]+(?:Install|Updat)er/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:pup-activity; sid:2002160; rev:21; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt"; flow:established,to_client; content:"6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790"; nocase; content:"OpenFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790/si"; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010356; classtype:web-application-attack; sid:2010356; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Spyware User-Agent (host)"; flow: to_server,established; http.header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; http.user_agent; content:"host"; nocase; depth:4; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:pup-activity; sid:2002164; rev:16; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; pcre:"/(DeleteFile|write)/i"; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; classtype:web-application-attack; sid:2009187; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva User-Agent (TPSystem)"; flow: to_server,established; http.user_agent; content:"TPSystem"; nocase; depth:8; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:pup-activity; sid:2002395; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; http.user_agent; content:"Travel Update"; depth:13; endswith; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:pup-activity; sid:2002396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus User-Agent (PTS)"; flow: to_server,established; http.user_agent; content:"PTS"; depth:3; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:pup-activity; sid:2002403; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install)"; flow: to_server,established; http.uri; content:"/checkhttp.htm"; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:pup-activity; sid:2002840; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; http.uri; content:"/ping/?shortname="; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:pup-activity; sid:2002841; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; http.uri; content:"/checkin.php?"; nocase; content:"unq="; nocase; content:"version="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:pup-activity; sid:2003209; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Install"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"&pais="; nocase; content:"unq="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:pup-activity; sid:2003210; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_17, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/container.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009378; classtype:web-application-attack; sid:2009378; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; http.user_agent; content:"Download Agent"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:pup-activity; sid:2003243; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009379; classtype:web-application-attack; sid:2009379; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; http.user_agent; content:"YourScreen"; depth:10; reference:url,doc.emergingthreats.net/2003405; classtype:pup-activity; sid:2003405; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/latestposts.php?"; nocase; http_uri; content:"forumspath="; nocase; http_uri; pcre:"/forumspath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009903; classtype:web-application-attack; sid:2009903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; http.user_agent; content:"RX Bar"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003407; classtype:pup-activity; sid:2003407; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/rss_importer_functions.php?"; nocase; http_uri; content:"sitepath="; nocase; http_uri; pcre:"/sitepath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8016; reference:bugtraq,33698; reference:url,doc.emergingthreats.net/2009167; classtype:web-application-attack; sid:2009167; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; http.user_agent; content:"ad-protect"; nocase; depth:10; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:pup-activity; sid:2003476; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whstart.js"; flow:established,to_server; content:"/whstart.js?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003897; classtype:web-application-attack; sid:2003897; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; http.user_agent; content:"DInstaller"; nocase; depth:10; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:pup-activity; sid:2003477; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whcsh_home.htm"; flow:established,to_server; content:"/whcsh_home.htm?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003898; classtype:web-application-attack; sid:2003898; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; http.user_agent; content:"ERRORNUKER"; nocase; depth:10; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:pup-activity; sid:2003478; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startpage.js"; flow:established,to_server; content:"/wf_startpage.js?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003899; classtype:web-application-attack; sid:2003899; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; http.user_agent; content:"MalwareWipe"; nocase; depth:11; endswith; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:pup-activity; sid:2003489; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startqs.htm"; flow:established,to_server; content:"/wf_startqs.htm?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003900; classtype:web-application-attack; sid:2003900; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; http.user_agent; content:"Mirar_KeywordContent"; nocase; depth:20; endswith; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:pup-activity; sid:2003490; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt WindowManager.dll"; flow:established,to_server; content:"/WindowManager.dll?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003901; classtype:web-application-attack; sid:2003901; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ms)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"ms"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:pup-activity; sid:2003497; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture"; flow:established,to_server; content:"/picture.php?"; nocase; http_uri; content:"picture="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-0605; reference:url,www.securityfocus.com/bid/23873; reference:url,doc.emergingthreats.net/2003915; classtype:web-application-attack; sid:2003915; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; http.user_agent; content:"Sprout Game"; nocase; depth:11; endswith; reference:url,doc.emergingthreats.net/2003498; classtype:pup-activity; sid:2003498; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/frontpage_right.php?"; nocase; http_uri; content:"loadadminpage="; nocase; http_uri; pcre:"/loadadminpage=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,31959; reference:url,milw0rm.com/exploits/6859; reference:url,vupen.com/english/advisories/2008/2959; reference:url,doc.emergingthreats.net/2009382; classtype:web-application-attack; sid:2009382; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; http.user_agent; content:"SpyDawn"; nocase; depth:7; endswith; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:pup-activity; sid:2003499; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005772; classtype:web-application-attack; sid:2005772; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; http.user_agent; content:"STBHOGet"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/2003500; classtype:pup-activity; sid:2003500; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005773; classtype:web-application-attack; sid:2005773; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; http.user_agent; content:"Alawar Toolbar"; nocase; depth:14; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:pup-activity; sid:2003506; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005774; classtype:web-application-attack; sid:2005774; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; http.user_agent; content:"CommonName"; nocase; depth:10; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:pup-activity; sid:2003532; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005775; classtype:web-application-attack; sid:2005775; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; http.user_agent; content:"WinFixMaster"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003544; classtype:pup-activity; sid:2003544; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005776; classtype:web-application-attack; sid:2005776; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (DIALER)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"DIALER"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003566; classtype:pup-activity; sid:2003566; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005777; classtype:web-application-attack; sid:2005777; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; http.user_agent; content:"iefeatsl"; nocase; depth:8; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:pup-activity; sid:2003570; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pack="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004022; classtype:web-application-attack; sid:2004022; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; http.user_agent; content:"MalwareWiped"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003582; classtype:pup-activity; sid:2003582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"Act="; nocase; http_uri; content:"&pgm"; nocase; http_uri; pcre:"/\+UNION\+SELECT/Ui"; reference:bugtraq,30259; reference:url,milw0rm.com/exploits/6087; reference:url,doc.emergingthreats.net/2008439; classtype:web-application-attack; sid:2008439; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; http.user_agent; content:"EELoader"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003613; classtype:pup-activity; sid:2003613; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/LSTable.php?"; nocase; http_uri; content:"class_dir="; nocase; http_uri; pcre:"/class_dir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31419; reference:url,milw0rm.com/exploits/6575; reference:url,doc.emergingthreats.net/2009165; classtype:web-application-attack; sid:2009165; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; http.user_agent; content:"KRSystem"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003625; classtype:pup-activity; sid:2003625; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/main.inc.php?"; nocase; http_uri; content:"mj_config[src_path]="; nocase; http_uri; pcre:"/mj_config\[src_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009196; classtype:web-application-attack; sid:2009196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; http.user_agent; content:"ProxyDown"; nocase; depth:9; reference:url,doc.emergingthreats.net/2003639; classtype:pup-activity; sid:2003639; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath"; flow:established,to_server; content:"/language/1/splash.lang.php?"; nocase; http_uri; content:"languagePath="; nocase; http_uri; reference:cve,CVE-2007-2663; reference:url,www.milw0rm.com/exploits/3909; reference:url,doc.emergingthreats.net/2003738; classtype:web-application-attack; sid:2003738; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; http.user_agent; content:"91cast"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003640; classtype:pup-activity; sid:2003640; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/linkadmin.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009364; classtype:web-application-attack; sid:2009364; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; http.user_agent; content:"GTBank"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003654; classtype:pup-activity; sid:2003654; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot"; flow:established,to_server; content:"/berylium-classes.php?"; nocase; http_uri; content:"beryliumroot="; nocase; http_uri; reference:cve,CVE-2007-2531; reference:url,www.milw0rm.com/exploits/3869; reference:url,doc.emergingthreats.net/2003677; classtype:web-application-attack; sid:2003677; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; http.user_agent; content:"Internet 1."; nocase; depth:11; reference:url,doc.emergingthreats.net/2003655; classtype:pup-activity; sid:2003655; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; reference:url,doc.emergingthreats.net/2002069; classtype:web-application-attack; sid:2002069; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; http.user_agent; content:"PWMI/"; nocase; depth:5; reference:url,doc.emergingthreats.net/2003926; classtype:pup-activity; sid:2003926; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"blog="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2932; reference:url,www.securityfocus.com/bid/24156; reference:url,doc.emergingthreats.net/2004583; classtype:web-application-attack; sid:2004583; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; http.user_agent; content:"Mbar"; nocase; depth:4; endswith; reference:url,doc.emergingthreats.net/2003928; classtype:pup-activity; sid:2003928; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/HTMLSax3.php?"; nocase; http_uri; content:"dir[plugins]="; nocase; http_uri; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009370; classtype:web-application-attack; sid:2009370; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; http.user_agent; content:"Mirar_Toolbar"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003929; classtype:pup-activity; sid:2003929; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/safehtml.php?"; nocase; http_uri; content:"dir[plugins]="; nocase; http_uri; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009371; classtype:web-application-attack; sid:2009371; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; http.user_agent; content:"fetcher"; nocase; depth:7; endswith; reference:url,doc.emergingthreats.net/2005318; classtype:pup-activity; sid:2005318; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/inc/content.inc.php?"; nocase; http_uri; content:"sIncPath="; nocase; http_uri; pcre:"/sIncPath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009372; classtype:web-application-attack; sid:2009372; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; http.user_agent; content:"NavHelper"; nocase; depth:9; reference:url,doc.emergingthreats.net/2005321; classtype:pup-activity; sid:2005321; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id SELECT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003776; classtype:web-application-attack; sid:2003776; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; http.user_agent; content:"IBSBand-"; depth:8; reference:url,doc.emergingthreats.net/2006362; classtype:pup-activity; sid:2006362; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UNION SELECT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003777; classtype:web-application-attack; sid:2003777; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; http.user_agent; content:"atsu"; depth:4; endswith; reference:url,doc.emergingthreats.net/2006370; classtype:pup-activity; sid:2006370; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id INSERT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003778; classtype:web-application-attack; sid:2003778; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; http.user_agent; content:"WTRecover"; depth:9; reference:url,doc.emergingthreats.net/2006392; classtype:pup-activity; sid:2006392; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id DELETE"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003779; classtype:web-application-attack; sid:2003779; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; http.user_agent; content:"WTInstaller"; depth:11; reference:url,doc.emergingthreats.net/2006393; classtype:pup-activity; sid:2006393; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ASCII"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003780; classtype:web-application-attack; sid:2003780; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; http.user_agent; content:"pint_agency"; depth:11; reference:url,doc.emergingthreats.net/2006413; classtype:pup-activity; sid:2006413; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003781; classtype:web-application-attack; sid:2003781; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; http.user_agent; content:"anycleaner"; depth:10; reference:url,doc.emergingthreats.net/2006419; classtype:pup-activity; sid:2006419; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX"; flow:established,to_server; content:"/mtdialogo.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003726; classtype:web-application-attack; sid:2003726; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; http.user_agent; content:"DoctorVaccine"; depth:13; reference:url,doc.emergingthreats.net/2006421; classtype:pup-activity; sid:2006421; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX"; flow:established,to_server; content:"/ltdialogo.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003727; classtype:web-application-attack; sid:2003727; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; http.user_agent; content:"WT_GET_COMM"; depth:11; reference:url,doc.emergingthreats.net/2006422; classtype:pup-activity; sid:2006422; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003729; classtype:web-application-attack; sid:2003729; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; http.user_agent; content:"doctorpro"; depth:9; reference:url,doc.emergingthreats.net/2006423; classtype:pup-activity; sid:2006423; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir"; flow:established,to_server; content:"/pcltrace.lib.php?"; nocase; http_uri; content:"g_pcltar_lib_dir="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2660; reference:url,www.milw0rm.com/exploits/3915; reference:url,doc.emergingthreats.net/2003737; classtype:web-application-attack; sid:2003737; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; http.user_agent; content:"Access down"; depth:11; endswith; reference:url,doc.emergingthreats.net/2006430; classtype:pup-activity; sid:2006430; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid SELECT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003794; classtype:web-application-attack; sid:2003794; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; http.user_agent; content:"CPUSH_"; depth:6; reference:url,doc.emergingthreats.net/2006553; classtype:pup-activity; sid:2006553; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UNION SELECT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003795; classtype:web-application-attack; sid:2003795; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; http.user_agent; content:"blahrx"; depth:6; reference:url,doc.emergingthreats.net/2006778; classtype:pup-activity; sid:2006778; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid INSERT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003796; classtype:web-application-attack; sid:2003796; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; http.user_agent; content:"ZC-Bridgev"; depth:10; reference:url,doc.emergingthreats.net/2006780; classtype:pup-activity; sid:2006780; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid DELETE"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003865; classtype:web-application-attack; sid:2003865; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; http.user_agent; content:"ZC XML-RPC"; depth:10; reference:url,doc.emergingthreats.net/2006781; classtype:pup-activity; sid:2006781; rev:42; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ASCII"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003797; classtype:web-application-attack; sid:2003797; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; http.user_agent; content:"szNotifyIdent"; depth:13; reference:url,doc.emergingthreats.net/2006782; classtype:pup-activity; sid:2006782; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003798; classtype:web-application-attack; sid:2003798; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; http.user_agent; content:"vikiller ctrl"; nocase; depth:13; reference:url,doc.emergingthreats.net/2007582; classtype:pup-activity; sid:2007582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/id_menu\x3d.+DELETE.+FROM/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009977; classtype:web-application-attack; sid:2009977; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; http.user_agent; content:"B Register"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007597; classtype:pup-activity; sid:2007597; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/id_menu\x3d.+UPDATE.+SET/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009979; classtype:web-application-attack; sid:2009979; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; http.user_agent; content:"updatesodui"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007598; classtype:pup-activity; sid:2007598; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSV-DB CSV_DB.CGI Remote Command Execution Attempt"; flow:to_server,established; content:"/cgi-bin/csv_db.cgi?"; nocase; http_uri; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14059; reference:url,doc.emergingthreats.net/2002066; classtype:web-application-attack; sid:2002066; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; http.user_agent; content:"aaaabbb"; nocase; depth:7; reference:url,doc.emergingthreats.net/2007599; classtype:pup-activity; sid:2007599; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti graph_image.php Remote Command Execution Attempt"; flow:to_server,established; content:"/graph_image.php?"; nocase; http_uri; pcre:"/(graph_start=%0a.+%0a)/i"; reference:cve,CAN-2005-1524; reference:bugtraq,14129; reference:bugtraq,14042; reference:url,doc.emergingthreats.net/2002313; classtype:web-application-attack; sid:2002313; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; http.user_agent; content:"TryMedia_DM_"; nocase; depth:12; reference:url,doc.emergingthreats.net/2007600; classtype:pup-activity; sid:2007600; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt"; flow:to_server,established; content:"/cmd.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; reference:cve,CVE-2006-6799; reference:bugtraq,21799; reference:url,doc.emergingthreats.net/2003334; classtype:web-application-attack; sid:2003334; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; http.user_agent; content:"VirusProtectPro"; depth:15; reference:url,doc.emergingthreats.net/2007617; classtype:pup-activity; sid:2007617; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007889; classtype:web-application-attack; sid:2007889; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; http.user_agent; content:"viruscheck"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007643; classtype:pup-activity; sid:2007643; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list INSERT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007890; classtype:web-application-attack; sid:2007890; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; http.user_agent; content:"Ultimate Fixer"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007645; classtype:pup-activity; sid:2007645; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list DELETE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007891; classtype:web-application-attack; sid:2007891; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (XXX)"; flow:established,to_server; http.user_agent; content:"XXX"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:pup-activity; sid:2007648; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007892; classtype:web-application-attack; sid:2007892; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; http.user_agent; content:"QdrBi Starter"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:pup-activity; sid:2007659; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs"; flow:established,to_server; content:"/cand_login.asp?"; nocase; http_uri; content:"strJobIDs="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.*script/iU"; reference:cve,CVE-2007-2818; reference:url,www.securityfocus.com/bid/24078; reference:url,doc.emergingthreats.net/2004559; classtype:web-application-attack; sid:2004559; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Browser"; nocase; depth:26; endswith; reference:url,doc.emergingthreats.net/2007660; classtype:pup-activity; sid:2007660; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/embadmin/login.asp"; http_uri; nocase; content:"%27"; depth:300; reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html; reference:url,exploit-db.com/exploits/14376; classtype:web-application-attack; sid:2011826; rev:2; metadata:created_at 2010_10_19, updated_at 2010_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (install_s)"; flow:established,to_server; http.user_agent; content:"install_"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:pup-activity; sid:2007666; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004569; classtype:web-application-attack; sid:2004569; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (count)"; flow:established,to_server; http.user_agent; content:"count"; nocase; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:pup-activity; sid:2007667; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"Msg="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004570; classtype:web-application-attack; sid:2004570; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; http.user_agent; content:"BndDriveLoader"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007693; classtype:pup-activity; sid:2007693; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"ET DELETED Yahoo Chat Signin Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|550|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007066; classtype:policy-violation; sid:2007066; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; http.user_agent; content:"LmaokaazLdr"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007694; classtype:pup-activity; sid:2007694; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo Chat Signin Success Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|85|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007067; classtype:policy-violation; sid:2007067; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; http.user_agent; content:"ie"; depth:2; endswith; reference:url,doc.emergingthreats.net/2007827; classtype:pup-activity; sid:2007827; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
 
-#alert ip [192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 3"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002751; classtype:bad-unknown; sid:2002751; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; http.user_agent; content:"DrPCClean"; depth:9; reference:url,doc.emergingthreats.net/2007839; classtype:pup-activity; sid:2007839; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007068; classtype:policy-violation; sid:2007068; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"microsoft"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:pup-activity; sid:2007859; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Metacafe.com family filter off"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a| www.metacafe.com"; http_header; content:"submit=Continue+-+I%27m+over+18"; reference:url,doc.emergingthreats.net/2006367; classtype:policy-violation; sid:2006367; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Firefox"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:pup-activity; sid:2007868; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rapidshare download unauthd image post"; flow:to_server,established; content:"POST"; http_method; content:"/files/"; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:"rapidshare.com"; nocase; http_header; content:"&accesscode="; nocase; content:"&actionstring=Download"; nocase; within:50; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006368; classtype:policy-violation; sid:2006368; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; http.user_agent; content:"Vomba"; depth:5; reference:url,doc.emergingthreats.net/2007869; classtype:pup-activity; sid:2007869; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Netvacy.com Anonymizing Proxy Access"; flow:established,to_server; content:"Host|3a| www.netvacy.com"; http_header; reference:url,doc.emergingthreats.net/2003453; classtype:policy-violation; sid:2003453; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; http.user_agent; content:"HTTP_GET_COMM"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007881; classtype:pup-activity; sid:2007881; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHP Anonymizing/Evasion Proxy In Use"; flow: to_server,established; content:"GET"; http_method; content:"/index.php?q="; nocase; http_uri; pcre:"/index\.php\?q=(uggc|jjj|http|www|aHR0c|d3d3)/Ui"; reference:url,sourceforge.net/projects/php-proxy/; reference:url,doc.emergingthreats.net/2006410; classtype:policy-violation; sid:2006410; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; http.user_agent; content:"SHINI"; depth:5; endswith; reference:url,doc.emergingthreats.net/2007882; classtype:pup-activity; sid:2007882; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX"; flow:established,to_server; content:"/inc/logingecon.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003728; classtype:web-application-attack; sid:2003728; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; http.user_agent; content:"VirusHeat"; depth:9; reference:url,doc.emergingthreats.net/2007883; classtype:pup-activity; sid:2007883; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/config/edituser.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009590; classtype:web-application-attack; sid:2009590; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Example)"; flow:to_server,established; http.user_agent; content:"Example"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:pup-activity; sid:2007884; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/console.php?"; nocase; http_uri; content:"location="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009591; classtype:web-application-attack; sid:2009591; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; http.user_agent; content:"auctionplusup"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007900; classtype:pup-activity; sid:2007900; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/forcesd.php?"; nocase; http_uri; content:"vmrefid="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009592; classtype:web-application-attack; sid:2009592; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; http.user_agent; content:"HTTPGETDATA"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007908; classtype:pup-activity; sid:2007908; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/forcerestart.php?"; nocase; http_uri; content:"vmrefid="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009593; classtype:web-application-attack; sid:2009593; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTPFILEDOWN"; depth:12; endswith; reference:url,doc.emergingthreats.net/2007909; classtype:pup-activity; sid:2007909; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb changepw.php CSRF attempt"; flow:to_server,established; content:"GET"; http_method; content:"/config/changepw.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"&newpass="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009594; classtype:web-application-attack; sid:2009594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTP_FILEDOWN"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007910; classtype:pup-activity; sid:2007910; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb hardstopvm.php CSRF attempt"; flow:to_server,established; content:"GET"; http_method; content:"hardstopvm.php?"; nocase; http_uri; content:"stop_vmref="; nocase; http_uri; content:"&stop_vmname="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009595; classtype:web-application-attack; sid:2009595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; http.user_agent; content:"UDonkey"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007927; classtype:pup-activity; sid:2007927; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb writeconfig.php Remote Command Execution attempt"; flow:to_server,established; content:"GET"; http_method; content:"writeconfig.php?"; nocase; http_uri; content:"pool1="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009596; classtype:web-application-attack; sid:2009596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; http.user_agent; content:"InvokeAd"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007928; classtype:pup-activity; sid:2007928; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/install.clickheat.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009754; classtype:web-application-attack; sid:2009754; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet)"; flow:to_server,established; http.user_agent; content:"Internet"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:pup-activity; sid:2008013; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1"; flow:to_server,established; content:"GET"; http_method; content:"/heatmap/_main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009755; classtype:web-application-attack; sid:2009755; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; http.user_agent; content:"Ssol NetInstaller"; depth:17; reference:url,doc.emergingthreats.net/2008040; classtype:pup-activity; sid:2008040; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2"; flow:to_server,established; content:"GET"; http_method; content:"/heatmap/main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009756; classtype:web-application-attack; sid:2009756; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; http.user_agent; content:"WinTouch"; depth:8; reference:url,doc.emergingthreats.net/2008141; classtype:pup-activity; sid:2008141; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/Clickheat/Cache.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009757; classtype:web-application-attack; sid:2009757; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; http.user_agent; content:"Sidebar"; depth:7; reference:url,doc.emergingthreats.net/2008201; classtype:pup-activity; sid:2008201; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/Clickheat_Heatmap.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009758; classtype:web-application-attack; sid:2009758; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZenoSearch Spyware User-Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|["; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/i"; reference:url,doc.emergingthreats.net/2008279; classtype:pup-activity; sid:2008279; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1"; flow:to_server,established; content:"GET"; http_method; content:"/GlobalVariables.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009759; classtype:web-application-attack; sid:2009759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; http.user_agent; content:"AsmUpdater"; depth:10; reference:url,doc.emergingthreats.net/2008294; classtype:pup-activity; sid:2008294; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/overview/main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009760; classtype:web-application-attack; sid:2009760; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; http.user_agent; content:"Connector v"; depth:11; reference:url,doc.emergingthreats.net/2008372; classtype:pup-activity; sid:2008372; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/utdb_access.php?"; nocase; http_uri; content:"minsoft_path="; nocase; http_uri; pcre:"/minsoft_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31492; reference:url,milw0rm.com/exploits/6632; reference:url,doc.emergingthreats.net/2009141; classtype:web-application-attack; sid:2009141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; http.user_agent; content:"FavUpdate"; depth:9; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:pup-activity; sid:2008457; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/utgn_message.php?"; nocase; http_uri; content:"minsoft_path="; nocase; http_uri; pcre:"/minsoft_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31492; reference:url,milw0rm.com/exploits/6632; reference:url,doc.emergingthreats.net/2009142; classtype:web-application-attack; sid:2009142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Matcash Trojan Related Spyware Code Download"; flow:established,to_server; http.user_agent; content:"Windows 5.1 (2600)|3b 20|DMCP"; depth:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:pup-activity; sid:2008759; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/export_batch.inc.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008900; classtype:web-application-attack; sid:2008900; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; http.user_agent; content:"Smileware"; depth:9; reference:url,doc.emergingthreats.net/2008892; classtype:pup-activity; sid:2008892; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/run_auto_suspend.cron.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008901; classtype:web-application-attack; sid:2008901; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (FileDownloader)"; flow:to_server,established; http.user_agent; content:"FileDownloader"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:pup-activity; sid:2009027; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/send_email_cache.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008902; classtype:web-application-attack; sid:2008902; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake AV User-Agent (N1)"; flow:to_server,established; http.user_agent; content:"N1"; depth:2; endswith; reference:url,doc.emergingthreats.net/2009157; classtype:pup-activity; sid:2009157; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/2checkout_return.inc.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008903; classtype:web-application-attack; sid:2008903; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; http.user_agent; content:"Lobo Lunar"; depth:10; reference:url,doc.emergingthreats.net/2009222; classtype:pup-activity; sid:2009222; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/nettools.popup.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008904; classtype:web-application-attack; sid:2008904; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow:established,to_server; http.user_agent; content:"CTT"; depth:3; reference:url,doc.emergingthreats.net/2009236; classtype:pup-activity; sid:2009236; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"ticketID="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004566; classtype:web-application-attack; sid:2004566; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch Browser Optimizer"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?aff="; nocase; content:"&act="; nocase; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; nocase; depth:20; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:pup-activity; sid:2009524; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004567; classtype:web-application-attack; sid:2004567; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Microgaming Install Program"; nocase; depth:27; endswith; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:pup-activity; sid:2009783; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fuse="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004568; classtype:web-application-attack; sid:2004568; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"ERRN200"; depth:7; reference:url,doc.emergingthreats.net/2009861; classtype:pup-activity; sid:2009861; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"query="; nocase; fast_pattern; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2913; reference:url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded; reference:url,doc.emergingthreats.net/2004591; classtype:web-application-attack; sid:2004591; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"User Agent"; depth:10; reference:url,doc.emergingthreats.net/2009930; classtype:pup-activity; sid:2009930; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Community Link Pro Login.CGI Remote Command Execution Attempt"; flow:to_server,established; content:"/login.cgi?"; nocase; http_uri; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14097; reference:url,doc.emergingthreats.net/2002067; classtype:web-application-attack; sid:2002067; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; http.user_agent; content:"VaccineKiller"; depth:13; reference:url,doc.emergingthreats.net/2009993; classtype:pup-activity; sid:2009993; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"sections_file="; nocase; http_uri; pcre:"/sections_file=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31461; reference:url,milw0rm.com/exploits/6598; reference:url,doc.emergingthreats.net/2009166; classtype:web-application-attack; sid:2009166; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; http.user_agent; content:"SogouExplorerMiniSetup"; nocase; depth:22; reference:url,doc.emergingthreats.net/2010675; classtype:pup-activity; sid:2010675; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004713; classtype:web-application-attack; sid:2004713; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Fast Browser Search)"; flow:to_server,established; http.user_agent; content:"Fast Browser Search"; nocase; depth:19; reference:url,doc.emergingthreats.net/2010676; classtype:pup-activity; sid:2010676; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system"; flow:established,to_server; content:"/lib/smarty/SmartyFU.class.php?"; nocase; http_uri; content:"system["; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2608; reference:url,www.milw0rm.com/exploits/3878; reference:url,doc.emergingthreats.net/2003717; classtype:web-application-attack; sid:2003717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; http.user_agent; content:"General Antivirus"; nocase; depth:17; reference:url,doc.emergingthreats.net/2010679; classtype:pup-activity; sid:2010679; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; fast_pattern; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003835; classtype:web-application-attack; sid:2003835; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; http.user_agent; content:"Update1.0"; depth:9; reference:url,doc.emergingthreats.net/2010680; classtype:pup-activity; sid:2010680; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003836; classtype:web-application-attack; sid:2003836; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Live Enterprise Suite)"; flow:to_server,established; http.user_agent; content:"Live Enterprise Suite"; nocase; depth:21; reference:url,doc.emergingthreats.net/2010727; classtype:pup-activity; sid:2010727; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; fast_pattern; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003837; classtype:web-application-attack; sid:2003837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; http.user_agent; content:"InfoBox"; depth:7; reference:url,doc.emergingthreats.net/2010934; classtype:pup-activity; sid:2010934; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003839; classtype:web-application-attack; sid:2003839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Save)"; flow:to_server,established; http.user_agent; content:"Save"; depth:4; endswith; reference:url,poweredbysave.com; classtype:pup-activity; sid:2011120; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; fast_pattern; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003840; classtype:web-application-attack; sid:2003840; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Download Master"; depth:15; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:pup-activity; sid:2011146; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Cisco IOS HTTP Server Cross Site Scripting Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ping?"; nocase; http_uri; pcre:"/\/ping\?.+(script|alert|on(mouse[a-z]+|key[a-z]+|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17364; reference:url,www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html; reference:cve,2008-3821; reference:url,doc.emergingthreats.net/2011189; classtype:web-application-attack; sid:2011189; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (webcount)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"webcount"; depth:8; reference:url,doc.emergingthreats.net/2011149; classtype:pup-activity; sid:2011149; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/footer.php?"; nocase; http_uri; content:"footer_file="; nocase; http_uri; pcre:"/footer_file=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31217; reference:url,milw0rm.com/exploits/6475; reference:url,doc.emergingthreats.net/2009793; classtype:web-application-attack; sid:2009793; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou Toolbar Checkin"; flow:to_server,established; http.uri; content:"/seversion.txt"; http.user_agent; content:"SeFastSetup"; depth:11; reference:url,doc.emergingthreats.net/2011225; classtype:pup-activity; sid:2011226; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id SELECT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003752; classtype:web-application-attack; sid:2003752; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0 |28|SP3 WINLD|29 |"; depth:23; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2011238; classtype:pup-activity; sid:2011238; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UNION SELECT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003753; classtype:web-application-attack; sid:2003753; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; http.user_agent; content:"Forthgoer"; depth:9; reference:url,doc.emergingthreats.net/2011247; classtype:pup-activity; sid:2011247; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id INSERT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003754; classtype:web-application-attack; sid:2003754; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"XieHongWei"; depth:10; reference:url,doc.emergingthreats.net/2011248; classtype:pup-activity; sid:2011248; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id DELETE"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003755; classtype:web-application-attack; sid:2003755; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CustomSpy)"; flow:to_server,established; http.user_agent; content:"|28|CustomSpy|29 |"; depth:11; endswith; reference:url,doc.emergingthreats.net/2011271; classtype:pup-activity; sid:2011271; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ASCII"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003756; classtype:web-application-attack; sid:2003756; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; http.user_agent; content:"C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; depth:32; classtype:pup-activity; sid:2011334; rev:9; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003757; classtype:web-application-attack; sid:2003757; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"http-get-demo"; depth:13; endswith; classtype:pup-activity; sid:2011392; rev:7; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright"; flow:established,to_server; content:"/footer.php?"; nocase; http_uri; content:"copyright="; nocase; http_uri; fast_pattern; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0694; reference:url,www.securityfocus.com/bid/24200; reference:url,doc.emergingthreats.net/2004584; classtype:web-application-attack; sid:2004584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer 6.0"; depth:31; endswith; classtype:pup-activity; sid:2011393; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/dm-albums/template/album.php?"; nocase; http_uri; content:"SECURITY_FILE="; nocase; http_uri; pcre:"/SECURITY_FILE=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010027; classtype:web-application-attack; sid:2010027; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; http.uri; content:"/registerSession.py?"; nocase; content:"proj="; nocase; content:"&country="; nocase; content:"&lang="; nocase; content:"&channel="; nocase; content:"source="; nocase; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:url,doc.emergingthreats.net/2011677; reference:md5,af0bbdf6097233e8688c5429aa97bbed; classtype:pup-activity; sid:2011677; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"HomeDir="; nocase; http_uri; fast_pattern; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2527; reference:url,milw0rm.com/exploits/3868; reference:url,doc.emergingthreats.net/2003680; classtype:web-application-attack; sid:2003680; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_Query)"; flow:to_server,established; http.user_agent; content:"HTTP_Query"; nocase; depth:10; endswith; reference:url,doc.emergingthreats.net/2011678; classtype:pup-activity; sid:2011678; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005111; classtype:web-application-attack; sid:2005111; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Gbot)"; flow:established,to_server; http.user_agent; content:"gbot"; depth:4; classtype:pup-activity; sid:2011872; rev:6; metadata:created_at 2010_10_29, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003758; classtype:web-application-attack; sid:2003758; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; http.user_agent; content:"Search Toolbar"; depth:14; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:pup-activity; sid:2013333; rev:7; metadata:created_at 2011_07_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003759; classtype:web-application-attack; sid:2003759; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SWInformer.B Checkin"; flow:to_server,established; http.uri; content:"log.php?"; http.user_agent; content:"FDMuiless"; depth:9; endswith; reference:md5,0f90568d86557d62f7d4e1c0f7167431; classtype:pup-activity; sid:2014004; rev:7; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003760; classtype:web-application-attack; sid:2003760; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; http.uri; content:"/inst.php?"; http.user_agent; content:"psi"; depth:3; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:pup-activity; sid:2014262; rev:7; metadata:created_at 2012_01_21, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003761; classtype:web-application-attack; sid:2003761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; http.user_agent; content:"YOK Agent"; depth:9; endswith; reference:url,doc.emergingthreats.net/2008752; classtype:pup-activity; sid:2008752; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003762; classtype:web-application-attack; sid:2003762; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; http.user_agent; content:"WinFix Master"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003545; classtype:pup-activity; sid:2003545; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003763; classtype:web-application-attack; sid:2003763; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; http.user_agent; content:"SexTrackerWSI"; depth:13; nocase; reference:url,doc.emergingthreats.net/2003627; classtype:pup-activity; sid:2003627; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005087; classtype:web-application-attack; sid:2005087; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (???)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|???"; http.user_agent; content:!"|20|Sparkle|2f|"; reference:url,doc.emergingthreats.net/2010595; classtype:pup-activity; sid:2010595; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki Configure Script TYPEOF Remote Command Execution Attempt"; flow:to_server,established; content:"|26|TYPEOF"; http_uri; nocase; pcre:"/&TYPEOF\:.+system\s*\(/Ui"; reference:cve,CVE-2006-3819; reference:bugtraq,19188; reference:url,doc.emergingthreats.net/2003085; classtype:web-application-attack; sid:2003085; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toplist.cz Related Spyware Checkin"; flow:to_server,established; http.user_agent; content:"BWL"; depth:3; pcre:"/^BWL(?:\sToplist|\d_UPDATE)/"; classtype:pup-activity; sid:2003505; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization|3a|"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; classtype:web-application-attack; sid:2007874; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FLV/Youtube Downloader Install Activity"; flow:established,to_server; http.request_line; content:"GET /images/downloader/pixel.gif?action=install&"; startswith; content:"&lngid="; content:"cid="; content:"&kt=flvd"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,3af4b637e16922fdceaff00d64e98f53; classtype:pup-activity; sid:2031082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; reference:url,doc.emergingthreats.net/2009832; classtype:attempted-recon; sid:2009832; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; http.host; content:!"smartcom.com"; endswith; content:!"iscoresports.com"; endswith; content:!"popslotscasino.com"; endswith; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:pup-activity; sid:2007854; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/news/search.php3?"; nocase; http_uri; content:"bn="; nocase; http_uri; pcre:"/(..\\)/i"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011853; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.BrowSecX.AB Install Log Sent"; flow:established,to_server; http.request_line; content:"GET http://"; startswith; content:"/installLog.php?scheme="; fast_pattern; content:"&user="; content:"&cpuid="; content:"&execid="; content:"&chromeLog="; content:"&winVer="; reference:md5,336867c6cfe7aacc6aaa3107300f93b6; classtype:pup-activity; sid:2031116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Java JAR Download Attempt"; flow:established,to_server; content:".jar"; http_uri; reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; classtype:bad-unknown; sid:2011855; rev:2; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{25,40}$/"; http.user_agent; content:"UpdaterResponse"; fast_pattern; depth:15; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018025; rev:6; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_10_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid"; flow:established,to_server; content:"/loan.php?"; nocase; http_uri; content:"movieid="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003920; classtype:web-application-attack; sid:2003920; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; http.uri; content:"/Check.ashx?"; depth:12; content:"&e="; content:"&n="; content:"&mv="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018026; rev:5; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_10_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s"; flow:established,to_server; content:"/listmovies.php?"; nocase; http_uri; content:"s="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003921; classtype:web-application-attack; sid:2003921; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/optout/set/lt?jsonp="; fast_pattern; content:"key="; distance:16; within:27; content:"cv="; distance:18; within:27; content:"t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027427; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/engine/api/api.class.php?"; nocase; http_uri; content:"dle_config_api="; nocase; http_uri; pcre:"/dle_config_api\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html; reference:url,milw0rm.com/exploits/9572; reference:url,doc.emergingthreats.net/2010252; classtype:web-application-attack; sid:2010252; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr5.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027425; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name"; flow:established,to_server; content:"/room/info_book.asp?"; nocase; http_uri; content:"Room_name="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2880; reference:url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded; reference:url,doc.emergingthreats.net/2004595; classtype:web-application-attack; sid:2004595; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr30_nt.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027426; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear"; flow:established,to_server; content:"/room/week.asp?"; nocase; http_uri; content:"curYear="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2880; reference:url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded; reference:url,doc.emergingthreats.net/2004596; classtype:web-application-attack; sid:2004596; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M5"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/code?id="; fast_pattern; content:"subid="; distance:3; within:19; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027429; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img"; flow:established,to_server; content:"/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php?"; nocase; http_uri; content:"img="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2901; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004593; classtype:web-application-attack; sid:2004593; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware Keywords Download"; flow: to_server,established; http.method; content:"GET"; http.uri; content:"keywords/kyf"; nocase; content:"partner_id="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:pup-activity; sid:2002001; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.inc.php?"; nocase; http_uri; content:"root="; nocase; http_uri; pcre:"/root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5393; reference:bugtraq,28660; reference:url,doc.emergingthreats.net/2009848; classtype:web-application-attack; sid:2009848; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; threshold: type limit, count 1, track by_src, seconds 360; http.header; content:"UtilMind HTTPGet"; fast_pattern; http.host; content:!"www.blueocean.com"; content:!"www.backupmaker.com"; content:!"promo.ascomp.de"; content:!"www.synchredible.com"; content:!"support.numarasoftware.com"; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:pup-activity; sid:2002402; rev:25; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Small.gen!AQ Communication with Controller"; flow:established,to_server; content:"?uid="; nocase; http_uri; fast_pattern; content:"&action="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&b="; nocase; http_uri; pcre:"/\?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$/U"; reference:md5,eb3140416c06fa8cb7851076dd100dfb; reference:url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html; reference:md5,8033dffa899dcd16769f389073f9f053; classtype:trojan-activity; sid:2011414; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; http.user_agent; content:"TEST"; fast_pattern; bsize:4; http.host; content:!"messagecenter.comodo.com"; content:!"symantec.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:pup-activity; sid:2006357; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006718; classtype:web-application-attack; sid:2006718; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; http.user_agent; content:"Mozila"; nocase; fast_pattern; bsize:6; http.host; content:!"rd.jword.jp"; endswith; content:!".lge.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:pup-activity; sid:2008210; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006719; classtype:web-application-attack; sid:2006719; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Agent.PMS Variant CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|command="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"command="; depth:8; content:"&result="; within:12; classtype:pup-activity; sid:2011391; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_02;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006720; classtype:web-application-attack; sid:2006720; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMoney Adware Activity"; flow:to_server,established; flowbits:set,ETPTadmoney; http.method; content:"POST"; http.uri; content:".htm?v="; fast_pattern; content:"&eh="; distance:0; content:"&ts="; distance:0; content:"&u2="; distance:0; http.cookie; content:"a=h+"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:pup-activity; sid:2024693; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category ADWARE_PUP, malware_family Neshta, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006721; classtype:web-application-attack; sid:2006721; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; http.request_body; content:"a="; depth:2; content:"&c="; distance:0; content:"&r="; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/"; http.request_line; content:"POST /u/"; depth:8; fast_pattern; http.connection; content:"Close"; nocase; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; nocase; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:pup-activity; sid:2022723; rev:5; metadata:created_at 2016_04_11, former_category ADWARE_PUP, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006722; classtype:web-application-attack; sid:2006722; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; http.method; content:"GET"; http.uri; content:"/launch/?c="; fast_pattern; content:"&m="; content:"&l="; content:"&b="; content:"&sid="; content:"&os="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:pup-activity; sid:2018095; rev:9; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006723; classtype:web-application-attack; sid:2006723; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP STOPzilla Download Accelerator Activity"; flow:established,to_server; http.user_agent; content:"STOPzilla Download Accelerator"; depth:30; reference:md5,6748824b325cbc1be57394469e361d63; classtype:pup-activity; sid:2031182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006724; classtype:web-application-attack; sid:2006724; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SilverSpeedup Generic PUA Software UA"; flow:established,to_server; http.user_agent; content:"SilverSpeedup"; depth:13; reference:md5,b6640c915f827013c4cbfece4d5fb7c0; classtype:pup-activity; sid:2031183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006725; classtype:web-application-attack; sid:2006725; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Sogou.H Variant Request"; flow:established,to_server; http.request_line; content:"GET /appinfo?num="; startswith; fast_pattern; pcre:"/^\d+\sHTTP/1.1$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.user_agent; content:"HttpDownload"; bsize:12; reference:md5,29db559062d82a56c53c70c68dc160ec; classtype:pup-activity; sid:2031191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006726; classtype:web-application-attack; sid:2006726; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>200; content:"/q/?q="; startswith; pcre:"/^[a-zA-Z0-9_-]+/R"; http.user_agent; content:"User-Agent|3a 20|"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:pup-activity; sid:2029055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006727; classtype:web-application-attack; sid:2006727; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Malvertising Related Domain"; dns.query; content:"gdprcountryrestriction.com"; nocase; bsize:26; reference:url,duo.com/labs/research/crxcavator-malvertising-2020; classtype:pup-activity; sid:2030014; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006728; classtype:web-application-attack; sid:2006728; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/AD Injector"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mvr="; within:5; pcre:"/[a-fA-F0-9]{8}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{12}/"; http.user_agent; content:"Python-urllib/"; depth:14; fast_pattern; reference:url,objective-see.com/blog/blog_0x3F.html; classtype:pup-activity; sid:2027319; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006729; classtype:web-application-attack; sid:2006729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M1"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/optout/set/"; depth:12; fast_pattern; content:"?jsonp="; within:20; content:"&key="; distance:16; within:23; content:"&cv="; distance:18; within:23; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027419; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir"; flow:established,to_server; content:"/dp_logs.php?"; nocase; http_uri; content:"HomeDir="; nocase; http_uri; pcre:"/=\s*(https?|ftps|php)\:\//Ui"; reference:cve,CVE-2007-2527; reference:url,milw0rm.com/exploits/3868; reference:url,doc.emergingthreats.net/2003679; classtype:web-application-attack; sid:2003679; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M3"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/metric/?mid="; depth:13; fast_pattern; content:"&wid="; within:20; content:"&sid="; within:20; content:"&tid="; within:20; content:"&rid="; within:20; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027421; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a SELECT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003770; classtype:web-application-attack; sid:2003770; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/DealPly Configuration File Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<Data|20|"; depth:6; content:"|20|step1=|22|"; within:100; content:"|20|step2=|22|"; within:30; content:"|20|step3=|22|"; within:30; content:"<|2f|FName><FHash>"; distance:0; fast_pattern; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027829; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UNION SELECT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003771; classtype:web-application-attack; sid:2003771; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR Possible Response for LNKR js file"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"lnkr_redirecting"; fast_pattern; content:"_lnkr"; content:"excludeDomains"; within:40; content:"document.createElement|28 22|script|22|"; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027424; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a INSERT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003772; classtype:web-application-attack; sid:2003772; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; http.user_agent; content:"|20|MySearch"; reference:url,doc.emergingthreats.net/2002080; classtype:pup-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a DELETE"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003773; classtype:web-application-attack; sid:2003773; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Win32/EoRezo Reporting"; flow:established,to_server; http.uri; content:"/advert/get"; nocase; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/i"; reference:md5,b5708efc8b478274df4b03d8b7dbbb26; classtype:pup-activity; sid:2013983; rev:9; metadata:created_at 2011_12_02, former_category ADWARE_PUP, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a ASCII"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003774; classtype:web-application-attack; sid:2003774; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; fast_pattern; http.request_body; content:"from="; depth:5; content:"&type="; distance:0; content:"&pubid="; distance:0; content:"&BundleVersionID="; distance:0; classtype:pup-activity; sid:2018148; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"UPDATE"; nocase; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003775; classtype:web-application-attack; sid:2003775; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; http.user_agent; content:"AskPBar"; fast_pattern; reference:url,doc.emergingthreats.net/2006381; classtype:pup-activity; sid:2006381; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale"; flow:established,to_server; content:"/common.php?"; nocase; http_uri; content:"locale="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2521; reference:url,www.milw0rm.com/exploits/3846; reference:url,doc.emergingthreats.net/2003682; classtype:web-application-attack; sid:2003682; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windows Explorer Tab Add-on Post Install Checkin"; flow:established,to_server; http.request_line; content:"POST /api HTTP/1.1"; bsize:18; http.request_body; content:"f=100&p=ew0KICAgIk0iOi"; startswith; fast_pattern; reference:md5,47d9aee3497bed660b640194dbab5879; classtype:pup-activity; sid:2031386; rev:2; metadata:created_at 2020_12_15, former_category ADWARE_PUP, updated_at 2020_12_15;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"show="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2716; reference:url,www.securityfocus.com/bid/23951; reference:url,doc.emergingthreats.net/2003876; classtype:web-application-attack; sid:2003876; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Qihoo360.J Variant Install Report"; flow:established,to_server; http.request_line; content:"POST /v1/client/report"; startswith; fast_pattern; http.request_body; content:"|5b 7b 22|action|22 3a 22|"; startswith; content:"|22 2c 22|device|5f|id|22 3a 22|"; distance:0; reference:md5,93dc18be56153f41fd1e12b686cca9fe; classtype:pup-activity; sid:2031522; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_13, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show"; flow:established,to_server; content:"/stats.php?"; nocase; http_uri; content:"show="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2716; reference:url,www.securityfocus.com/bid/23951; reference:url,doc.emergingthreats.net/2003877; classtype:web-application-attack; sid:2003877; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/RemoteUtilities Checkin via SMTP"; flow:established,to_server; content:"|0d 0a|SUQ6"; content:"0J3QsNC30LLQsNC90LjQtSDQutC+0LzQv9GM0Y7RgtC1"; distance:0; fast_pattern; classtype:pup-activity; sid:2031618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_02_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007024; classtype:web-application-attack; sid:2007024; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VilnyNet VPN Install Started"; flow:established,to_server; http.uri; content:"?event=winInstaller"; fast_pattern; content:"&uuid="; distance:0; content:"&osver"; distance:0; content:"&osbuild="; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; bsize:20; reference:md5,3bdc372644285aa7b3c8263d7d1c9a4a; classtype:pup-activity; sid:2031533; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007025; classtype:web-application-attack; sid:2007025; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP klm123.com Spyware User Agent"; flow:established,to_server; http.user_agent; content:"{"; depth:1; fast_pattern; pcre:"/\{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/i"; http.host; content:!"directory.gladinet.com"; content:!"ff.avast.com"; content:!"ispringsolutions.com"; content:!"cdn.download.comodo.com"; content:!"liveupdate.symantec.com"; content:!"liveupdate.norton.com"; reference:url,doc.emergingthreats.net/2007616; classtype:pup-activity; sid:2007616; rev:17; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2021_03_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007026; classtype:web-application-attack; sid:2007026; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Agent.NSU CnC Activity M2"; flow:established,to_server; http.request_line; content:"POST /?z="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"zone="; startswith; content:"&rb="; distance:0; content:"&hil="; distance:0; content:"&wgl="; distance:0; reference:md5,d29f4467c54f688c8903d2e365f3ba8f; classtype:pup-activity; sid:2032327; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007027; classtype:web-application-attack; sid:2007027; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP DriverPack Domain in DNS Query"; dns.query; content:"drp.su"; nocase; endswith; classtype:pup-activity; sid:2032357; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2021_04_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007028; classtype:web-application-attack; sid:2007028; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downer.B Variant Checkin"; flow:established,to_server; http.method; content:"GET"; content:"winver="; distance:0; content:"&sdsoft="; distance:0; fast_pattern; content:"&webid="; distance:0; content:"&softid"; distance:0; content:"&usesnum="; distance:0; content:"&mac="; distance:0; content:"&filename="; distance:0; reference:md5,fa304e71504863f32e6f9032b772cea1; reference:md5,b4188819a0da135ada42e2df4fa97619; classtype:pup-activity; sid:2030565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_04_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007029; classtype:web-application-attack; sid:2007029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Vonteera.M Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getdata.php?wti="; fast_pattern; content:"&s="; distance:0; content:"&sta="; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; bsize:20; reference:md5,06cba7e1a75deca367afca8f27eb4db2; classtype:pup-activity; sid:2032761; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_04_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; content:"editmenu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011875; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SuperAntiSpyware Install Checkin"; flow:established,to_server; http.uri; content:"sEventName=SASRPI_Install&sEventData=tag|3a|SUPERAntiSpyware.exe"; fast_pattern; http.user_agent; content:"SUPERSetup"; bsize:10; reference:md5,05226ffa6102a0b3f9dfb8fa4965d0a2; classtype:pup-activity; sid:2032923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"p="; http_uri;content:"&id="; http_uri; content:"User-Agent|3a| personal"; http_header; nocase; reference:url,doc.emergingthreats.net/2008346; classtype:trojan-activity; sid:2008346; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rl?tm="; content:"&id="; content:"&cu="; content:"&ci="; content:"&cv="; content:"&iv="; content:"&pchid="; content:"&ug="; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active; classtype:pup-activity; sid:2033028; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_25;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt"; flow:established,to_client; content:"APPLET"; nocase; content:"children"; nocase; distance:0; content:"location.reload"; nocase; within:100; reference:url,code.google.com/p/skylined/issues/detail?id=18; reference:url,www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html; classtype:attempted-user; sid:2011864; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/exec.tgz"; endswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit; classtype:pup-activity; sid:2033029; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Spy.Agent.QCL Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/vocha/ogo"; bsize:10; fast_pattern; http.request_body; content:"data="; startswith; http.header_names; content:!"Referer"; reference:md5,8fe3b7be548ab6bba549ddbfdabc90ed; classtype:pup-activity; sid:2033130; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_06_09;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Spy.Agent.QCL Variant Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wiki/Hello_orld_(film)"; bsize:23; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; reference:md5,8fe3b7be548ab6bba549ddbfdabc90ed; classtype:pup-activity; sid:2033131; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_06_09;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; fast_pattern; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; reference:url,doc.emergingthreats.net/2009581; classtype:successful-admin; sid:2009581; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanClicker Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/test/err.asp?alerr="; startswith; fast_pattern; content:"&time="; distance:0; http.host; content:".cn"; endswith; reference:md5,f990d21e020f4130e58d49cc368921b1; classtype:pup-activity; sid:2033168; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref SELECT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003846; classtype:web-application-attack; sid:2003846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nivesro Cheat CnC Activity M1"; flow:established,to_server; http.uri; content:"authentication.php?a="; fast_pattern; content:"&b="; distance:0; http.accept; content:"text/*"; bsize:6; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,6aaa1742b89bd72be6ee50709fc457ab; classtype:trojan-activity; sid:2033221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UNION SELECT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003847; classtype:web-application-attack; sid:2003847; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NivesroCheat CnC Activity M2"; flow:established,to_server; http.uri; content:"version.php?a="; fast_pattern; content:!"&"; distance:0; http.accept; content:"text/*"; bsize:6; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|"; startswith; reference:md5,6aaa1742b89bd72be6ee50709fc457ab; classtype:trojan-activity; sid:2033222; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref INSERT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003848; classtype:web-application-attack; sid:2003848; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (IST)"; flow:to_server,established; http.user_agent; content:"IST"; bsize:3; fast_pattern; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; classtype:pup-activity; sid:2001493; rev:37; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2021_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref DELETE"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003849; classtype:web-application-attack; sid:2003849; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanDownloader.Agent.BXA CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Xingapp|2f 35 2e 30 20 28|windowsxue|29|"; bsize:24; threshold:type limit, track by_src, seconds 600, count 1; reference:md5,d4a8b93cb872a2817a1e7467ea449363; classtype:pup-activity; sid:2033383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_07_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref ASCII"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003850; classtype:web-application-attack; sid:2003850; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Socelars Related Domain in DNS Lookup"; dns.query; content:"www.cncode.pw"; nocase; bsize:13; reference:md5,f6c01214414fe2cedaa217c69ab093e1; classtype:bad-unknown; sid:2033607; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category ADWARE_PUP, updated_at 2021_07_28, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003851; classtype:web-application-attack; sid:2003851; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ThunderUnion Install Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"peerid="; content:"&userid="; distance:0; content:"referfrom="; distance:0; content:"&OS="; distance:0; content:"&OSversion="; distance:0; content:"productname="; distance:0; http.user_agent; content:"ThunderUnion"; bsize:12; fast_pattern; reference:md5,ae4c9b58510bd358745caf3b7ad81003; classtype:pup-activity; sid:2033896; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category ADWARE_PUP, updated_at 2021_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/FSphp.php?"; nocase; http_uri; content:"FSPHP_LIB="; nocase; http_uri; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58315; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010359; classtype:web-application-attack; sid:2010359; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Honeygain Domain (api .honeygain .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.honeygain.com"; bsize:17; fast_pattern; reference:url,blog.talosintelligence.com/2021/08/proxyware-abuse.html; classtype:domain-c2; sid:2033900; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category ADWARE_PUP, malware_family PUP, signature_severity Informational, updated_at 2021_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/navigation.php?"; nocase; http_uri; content:"FSPHP_LIB="; nocase; http_uri; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58316; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010360; classtype:web-application-attack; sid:2010360; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M1"; flow:established,to_server; http.request_line; content:"POST /action "; startswith; http.user_agent; content:"Statistics"; bsize:10; http.request_body; content:"|7b 22|hwid|22 3a 22|"; startswith; content:"|22 2c 22|macAddress|22 3a 22|"; distance:0; content:"|22 2c 22|ipAddressLocal|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|installDate|22 3a 22|"; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033909; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/sitemap.xml.php?"; nocase; http_uri; content:"dir[classes]="; nocase; http_uri; pcre:"/dir\[classes\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/28047; reference:url,milw0rm.com/exploits/4712; reference:url,doc.emergingthreats.net/2009506; classtype:web-application-attack; sid:2009506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M2"; flow:established,to_server; http.request_line; content:"GET /action?hwid="; startswith; content:"&macAddress="; distance:0; content:"&ipAddressLocal="; distance:0; fast_pattern; content:"&installDate="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033910; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003788; classtype:web-application-attack; sid:2003788; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M3"; flow:established,to_server; http.request_line; content:"POST /sysinfo "; startswith; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"hwid="; startswith; content:"&macAddress="; distance:0; content:"&ipAddressLocal="; distance:0; fast_pattern; content:"&date="; distance:0; content:"&cpu="; distance:0; content:"&cpuUsage="; distance:0; content:"&os="; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003789; classtype:web-application-attack; sid:2003789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eyoorun.D Variant Checkin"; flow:established,to_server; http.request_line; content:"GET /?opt=put&mq="; startswith; fast_pattern; http.uri; content:"&mac="; content:"&pcname="; distance:12; within:8; content:"&bootid="; distance:0; reference:md5,957c7bf090944fb437e1b9f20bbea1ff; classtype:pup-activity; sid:2033945; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003790; classtype:web-application-attack; sid:2003790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanDownloader.Adload.NSD Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?commandline="; fast_pattern; content:"&country="; distance:0; content:"&username="; distance:0; content:"&newpc="; distance:0; content:"&av="; distance:0; http.user_agent; content:"WinHttpClient"; bsize:13; reference:md5,dd6dca8dd2f53fdedeb5513f103ab711; classtype:pup-activity; sid:2033958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003791; classtype:web-application-attack; sid:2003791; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Known PUA Host Domain"; dns.query; content:"honeypoc.io"; endswith; fast_pattern; classtype:bad-unknown; sid:2034111; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003792; classtype:web-application-attack; sid:2003792; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Perinet CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ceb.aspx"; endswith; http.user_agent; content:"Mozila"; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,c1c94bd5effc12455d7d0fe22e29feb5; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/Perion; classtype:pup-activity; sid:2034175; rev:1; metadata:created_at 2021_10_12, former_category ADWARE_PUP, updated_at 2021_10_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003793; classtype:web-application-attack; sid:2003793; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Systweak Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/IsUserAuthenticated|22 0d 0a|"; http.request_body; content:"<sUsername>"; content:"</sUsername><sPassword>"; distance:0; fast_pattern; content:"</sPassword><sMacId>"; distance:0; content:"</sMacId><refno>"; distance:0; reference:md5,cb5de25d798ed63a781926c903317f70; classtype:pup-activity; sid:2034297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT"; flow:established,to_server; content:"/modules/admin/include/config.php?"; nocase; http_uri; content:"DOCUMENT_ROOT="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2460; reference:url,www.frsirt.com/english/advisories/2007/1554; reference:url,doc.emergingthreats.net/2003690; classtype:web-application-attack; sid:2003690; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SecureDriverUpdater Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/driverupdateservicenewsdu/updateservice.asmx"; bsize:45; http.header; content:"SOAPAction|3a 20 22|http://systweak.com/GetDriverUpdatesData1|22 0d 0a|"; fast_pattern; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:pup-activity; sid:2034295; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid SELECT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003823; classtype:web-application-attack; sid:2003823; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lantern Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getlantern/data?action=startup&deviceID="; startswith; fast_pattern; content:"&goarch="; distance:0; content:"&osName="; distance:0; content:"&secret="; distance:0; reference:md5,0d79f6cae6898ab27f2df1740aedbbec; classtype:pup-activity; sid:2034314; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, updated_at 2021_11_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UNION SELECT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003824; classtype:web-application-attack; sid:2003824; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/2345.H Variant Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /dmdt/dmdt_data.php HTTP/1.1"; fast_pattern; http.request_body; content:"data_version="; startswith; content:"&client_data="; http.header_names; content:!"Referer"; reference:md5,3b2806dc35cb7bc4db464a5fe017ab4e; reference:md5,0b1f16f067ba71f5b8ec87c9f1a544c6; classtype:pup-activity; sid:2034724; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2021_12_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid INSERT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003825; classtype:web-application-attack; sid:2003825; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (showmypc.com)"; flow:established,to_client; tls.cert_subject; content:"showmypc.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?showmypc\.com(?!\.)/"; classtype:pup-activity; sid:2034846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid DELETE"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003826; classtype:web-application-attack; sid:2003826; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownWare.V Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"av="; content:"&mac="; content:"&os="; distance:17; within:4; content:"&secret="; distance:0; fast_pattern; content:"&sid="; pcre:"/^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/R"; reference:md5,68b8cd6e7905578b21dd2ad02b33648c; classtype:pup-activity; sid:2034903; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid ASCII"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003827; classtype:web-application-attack; sid:2003827; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kuwo Music Installer Log"; flow:established,to_server; http.request_line; content:"POST|20|/music.yl|20|"; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.request_body; pcre:"/(SU5TVEFMTF9JTkZP|lOU1RBTExfSU5GT|JTlNUQUxMX0lORk)/"; reference:md5,9387e26f309874d834d4bb699808654d; classtype:pup-activity; sid:2034907; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_01_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003828; classtype:web-application-attack; sid:2003828; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/RemoteUtilities Checkin via SMTP M2"; flow:established,to_server; content:"|0d 0a 0d 0a|UmVtb3RlIFV0aWxpdGllcy"; fast_pattern; pcre:"/(?:DQpTZXJ2ZXI6I|0KU2VydmVyOi|NClNlcnZlcjog)/R"; reference:md5,8574a1f23e4292f6d76857df1f70ff0e; classtype:pup-activity; sid:2034644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_01_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/init.php?"; nocase; http_uri; content:"API_HOME_DIR="; nocase; http_uri; pcre:"/API_HOME_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; reference:url,doc.emergingthreats.net/2008879; classtype:web-application-attack; sid:2008879; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Hao123.C Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|ufile01|22 3b 20|filename|3d 22|boundary|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a 2f 78 ec 05 67|"; fast_pattern; reference:md5,dd2a33d25cea02f25513940751a36649; classtype:pup-activity; sid:2034908; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_01_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33768/; reference:url,milw0rm.com/exploits/7955; reference:url,doc.emergingthreats.net/2009163; classtype:web-application-attack; sid:2009163; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.ADW CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?e="; offset:45; depth:12; content:"&k="; distance:0; http.user_agent; content:"Some USER-AGENT"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; reference:md5,89b7dd04a1f32b23a75c30a00523f7e8; classtype:pup-activity; sid:2035097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_02_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st"; flow:established,to_server; content:"/showown.php?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2916; reference:url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded; reference:url,doc.emergingthreats.net/2004586; classtype:web-application-attack; sid:2004586; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/2144FlashPlayer.E Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"computerName="; startswith; content:"diskId="; content:"&externalIp="; fast_pattern; content:"&machineId="; content:"&userName="; threshold:type limit, track by_src, count 1, seconds 600; reference:md5,99f1e8976f41e3089c7325af830a19e8; classtype:pup-activity; sid:2035205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/www/lib/head_auth.php?"; nocase; http_uri; content:"CFG[PREPEND_FILE]="; nocase; http_uri; pcre:"/CFG\[PREPEND_FILE\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,juniper.net/security/auto/vulnerabilities/vuln28024.html; reference:bugtraq,28024; reference:url,milw0rm.com/exploits/5197; reference:url,doc.emergingthreats.net/2010096; classtype:web-application-attack; sid:2010096; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rogue.WinPCDefender Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?machine_id={"; depth:14; fast_pattern; content:"}"; endswith; http.host; content:"anti"; depth:4; http.header_names; content:!"Referer"; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:pup-activity; sid:2025358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_cat_detail="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004563; classtype:web-application-attack; sid:2004563; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; fast_pattern; classtype:pup-activity; sid:2014286; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_gal_detail="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004564; classtype:web-application-attack; sid:2004564; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bluebox Data Exfiltration"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; fast_pattern; content:"corp="; content:"os="; content:"softid="; content:"hid="; content:"macadd="; content:"md5="; content:"rand="; content:"subid="; http.user_agent; content:"IEhook"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b13718f353c8c0ea51a15733e035199e; classtype:pup-activity; sid:2036236; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_cat_detail_sort="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004565; classtype:web-application-attack; sid:2004565; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; flowbits:isset,ETPTadmoney; http.stat_code; content:"200"; file.data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12; depth:4; classtype:pup-activity; sid:2024699; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Internet, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2003999; classtype:web-application-attack; sid:2003999; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/A.php"; bsize:6; fast_pattern; http.user_agent; content:"wx"; http.request_body; content:"a"; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, malware_family Win_Malware_Filetour, signature_severity Major, updated_at 2022_04_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rogue antivirus downloader x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; flow:established,to_server; content:"GET"; http_method; content:"x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; nocase; http_uri; classtype:bad-unknown; sid:2011898; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; depth:18; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.host; content:"dayzcheats.ru"; bsize:13; fast_pattern; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojandropper dunik!rts xxx/download7/21/install_flash_player.exe"; flow:established,to_server; content:"GET"; http_method; content:"xxx/download7/21/install_flash_player.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011900; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; fast_pattern; content:"&v="; distance:0; content:"&h="; content:"&r="; http.header_names; content:!"Referer"; reference:md5,527c4c13a656923be49ab2ff4c6738c0; classtype:bad-unknown; sid:2036672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Win_Malware_Filetour, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; fast_pattern; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.header_names; content:!"Referer"; reference:md5,527c4c13a656923be49ab2ff4c6738c0; classtype:bad-unknown; sid:2036673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Win_Malware_Filetour, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6"; flow:from_server,established; content:"DirectAnimation.StructuredGraphicsControl"; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; reference:cve,2006-3427; reference:url,doc.emergingthreats.net/bin/view/Main/2003023; classtype:web-application-activity; sid:2003023; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AlphabetSoup Adware Extension CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/installLog.php?scheme="; startswith; content:"cpuid="; content:"chromeLog="; content:"ffLog="; content:"operaLog="; content:"foundBefore="; content:"notAdmin="; content:"winVer="; content:"user="; content:"defBrowser="; fast_pattern; content:"uniID="; content:"partner="; content:"startid="; content:"execid="; content:"vbdg="; http.header_names; content:!"Referer"; reference:url,blog.zimperium.com/abc-soup-the-malicious-adware-extension-with-350-variants; classtype:trojan-activity; sid:2037741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2022_07_11;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001182; classtype:misc-attack; sid:2001182; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Mando Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pas/pas"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; http.host; content:"mandotv"; reference:md5,cf26a3650150700c05f33a75fd9bae03; reference:md5,cbc89b16c4064e7195a24d73d4a179ef; reference:md5,886ef29d4cc1d69dbb021805d7cd1704; classtype:pup-activity; sid:2037744; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_07_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING Hidden iframe Redirecting to SEO Driveby Site"; flow:established,to_client; content:"width=\"1\" height=\"1\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\"></iframe>"; classtype:bad-unknown; sid:2011417; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32 Handy Cafe Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/se/adx.php"; bsize:11; fast_pattern; http.request_body; content:"lang="; startswith; content:"&op="; distance:0; content:"&RndID="; distance:0; content:"&Mac="; distance:0; content:"&Version="; distance:0; content:"&LocalIp="; distance:0; content:"&ProductKey="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8ab0a4a3c9cd62727484e634457081a3; classtype:pup-activity; sid:2037785; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_07_18;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871; reference:url,doc.emergingthreats.net/2008809; classtype:web-application-attack; sid:2008809; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to DriverPack Domain ( .drp .su)"; dns.query; dotprefix; content:".drp.su"; nocase; endswith; reference:md5,63181b2e347fbe0faf02e26085513a05; classtype:pup-activity; sid:2037895; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, malware_family PUP, performance_impact Low, signature_severity Informational, updated_at 2022_08_02;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873; reference:url,doc.emergingthreats.net/2008810; classtype:web-application-attack; sid:2008810; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DriverPack Update Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notifier/watcher-check/?t="; fast_pattern; startswith; pcre:"/\d{13}$/UR"; http.host; content:".drp.su"; endswith; http.header_names; content:!"Referer"; reference:md5,63181b2e347fbe0faf02e26085513a05; classtype:pup-activity; sid:2037896; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2022_08_02;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872; reference:url,doc.emergingthreats.net/2008811; classtype:web-application-attack; sid:2008811; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Restoro PUP Domain (restoro .com)"; dns.query; dotprefix; content:".restoro.com"; nocase; endswith; classtype:pup-activity; sid:2037932; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family PUP, signature_severity Informational, updated_at 2022_08_04;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; reference:url,doc.emergingthreats.net/2008812; classtype:web-application-attack; sid:2008812; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/ReImageRepair.T CnC Checkin"; flow:established,to_server; http.uri; content:"/lib/evt.php?version="; startswith; fast_pattern; content:"&SessionID="; distance:2; within:14; reference:md5,39fef85fe114d96dde745b8ce0659b2e; classtype:pup-activity; sid:2037933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Informational, updated_at 2022_08_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; classtype:attempted-admin; sid:2001944; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP|//)\Wsecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002461; classtype:policy-violation; sid:2002461; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential TDSS HTTP Library GET"; flow:established,to_server; content:"=="; http_uri; content:"GET"; http_method; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|Cache-Control|3a 20|no-cache"; distance:0; content:!"|0d 0a|Accept|3a 20|"; content:!"Referer|3a 20|"; classtype:trojan-activity; sid:2011890; rev:7; metadata:created_at 2010_11_03, updated_at 2010_11_03;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; classtype:bad-unknown; sid:2009244; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007703; classtype:attempted-user; sid:2007703; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; reference:url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; classtype:bad-unknown; sid:2009245; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ligats/DR.Ilomo Agent Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"o="; http_client_body; content:"&s=000"; http_client_body; reference:url,doc.emergingthreats.net/2008740; classtype:trojan-activity; sid:2008740; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; classtype:string-detect; sid:2000499; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid SELECT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003866; classtype:web-application-attack; sid:2003866; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; classtype:string-detect; sid:2000500; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UNION SELECT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003841; classtype:web-application-attack; sid:2003841; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; classtype:string-detect; sid:2000501; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid INSERT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003842; classtype:web-application-attack; sid:2003842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; classtype:string-detect; sid:2000502; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid DELETE"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003843; classtype:web-application-attack; sid:2003843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; classtype:string-detect; sid:2000503; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid ASCII"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003844; classtype:web-application-attack; sid:2003844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; classtype:string-detect; sid:2000504; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003845; classtype:web-application-attack; sid:2003845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; classtype:string-detect; sid:2000505; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database"; flow:established,to_server; content:"/gnatsweb.pl?"; nocase; http_uri; content:"database="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2808; reference:url,www.secunia.com/advisories/25333; reference:url,doc.emergingthreats.net/2004562; classtype:web-application-attack; sid:2004562; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; classtype:string-detect; sid:2000506; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include"; flow:established,to_server; content:"/includes/common.php"; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,18180; reference:url,doc.emergingthreats.net/2003333; classtype:web-application-attack; sid:2003333; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; classtype:string-detect; sid:2000507; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/index_logged.php?"; nocase; http_uri; content:"main_loaded="; nocase; http_uri; content:"cur_module="; nocase; http_uri; pcre:"/cur_module=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8112; reference:url,vupen.com/english/advisories/2009/0553; reference:bugtraq,33916; reference:url,doc.emergingthreats.net/2009733; classtype:web-application-attack; sid:2009733; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; classtype:string-detect; sid:2000508; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Google Appliance External Proxy Stylesheet"; flow:established,to_server; content:"/search?"; http_uri; content:"proxystylesheet="; http_uri; pcre:"/proxystylesheet=\s*(https?|ftps?|php)/Ui"; reference:bugtraq,15509; reference:cve,2005-3758; reference:url,doc.emergingthreats.net/2002849; classtype:web-application-attack; sid:2002849; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; classtype:trojan-activity; sid:2007717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/functions.php?"; nocase; http_uri; content:"location="; nocase; http_uri; pcre:"/location=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28838; reference:url,juniper.net/security/auto/vulnerabilities/vuln28838.html; reference:url,milw0rm.com/exploits/5463; reference:url,doc.emergingthreats.net/2009427; classtype:web-application-attack; sid:2009427; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; classtype:trojan-activity; sid:2007723; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"authusername="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2847; reference:url,www.securityfocus.com/bid/24102; reference:url,doc.emergingthreats.net/2004554; classtype:web-application-attack; sid:2004554; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; classtype:trojan-activity; sid:2002809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"authpassword="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2847; reference:url,www.securityfocus.com/bid/24102; reference:url,doc.emergingthreats.net/2004555; classtype:web-application-attack; sid:2004555; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; classtype:trojan-activity; sid:2002810; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"| 3C |"; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2812; reference:url,www.securityfocus.com/bid/24063; reference:url,doc.emergingthreats.net/2004560; classtype:web-application-attack; sid:2004560; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; classtype:trojan-activity; sid:2002811; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2812; reference:url,www.securityfocus.com/bid/24063; reference:url,doc.emergingthreats.net/2004561; classtype:web-application-attack; sid:2004561; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 fuckFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009210; classtype:trojan-activity; sid:2009210; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"ICount="; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-085/; reference:cve,2010-1554; reference:url,doc.emergingthreats.net/2011196; classtype:web-application-attack; sid:2011196; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009211; classtype:trojan-activity; sid:2009211; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid MaxAge Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"MaxAge="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-084/; reference:cve,2010-1553; reference:url,doc.emergingthreats.net/2011197; classtype:web-application-attack; sid:2011197; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; classtype:successful-user; sid:2009558; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid Hostname Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"Hostname="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-086/; reference:cve,2010-1555; reference:url,doc.emergingthreats.net/2011198; classtype:web-application-attack; sid:2011198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; classtype:successful-user; sid:2009559; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/plugin_admin.php?"; nocase; http_uri; content:"_settings[pluginpath]="; nocase; http_uri; pcre:"/_settings\[pluginpath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5902; reference:bugtraq,29877; reference:url,doc.emergingthreats.net/2009398; classtype:web-application-attack; sid:2009398; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009560; classtype:successful-user; sid:2009560; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde Web Mail Help Access"; flow:established,to_server; content:"/horde/services/help/"; nocase; http_uri; reference:cve,2006-1491; reference:bugtraq,17292; reference:url,doc.emergingthreats.net/2002868; classtype:web-application-activity; sid:2002868; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; classtype:successful-user; sid:2009561; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde README access probe"; flow:to_server,established; content:"/horde"; nocase; http_uri; pcre:"/\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README/Ui"; reference:cve,CVE-2006-1491; reference:url,csirt.terradon.com/postarchive.php?month=4&year=2006#article28; reference:url,doc.emergingthreats.net/2002897; classtype:web-application-activity; sid:2002897; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; classtype:successful-user; sid:2009562; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Metasploit Framework Update"; flow:from_server,established; content:"http|3A|//certificates.godaddy.com/repository"; content: "metasploit.com"; fast_pattern; distance:0; reference:url,www.metasploit.com/framework/; reference:url,www.ethicalhacker.net/content/view/29/24/; reference:url,doc.emergingthreats.net/2008418; classtype:misc-activity; sid:2008418; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; classtype:successful-user; sid:2009563; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .cpl"; flow:established; content:"|20 20 2E 63 70 6C 50 4B|"; reference:url,doc.emergingthreats.net/2001406; classtype:suspicious-filename-detect; sid:2001406; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; classtype:successful-user; sid:2009564; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; classtype:successful-user; sid:2009565; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt"; flow:established,to_server; content:"/exec_raw.php"; http_uri; fast_pattern; nocase; content:"cmd="; http_uri; nocase; reference:bid,44974; classtype:web-application-attack; sid:2011940; rev:2; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; classtype:successful-user; sid:2009566; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 (Free Edition) Scan Detected"; flow:to_server,established; content:"(Acunetix Web Vulnerability Scanner"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2009646; classtype:attempted-recon; sid:2009646; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; classtype:successful-user; sid:2009567; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; classtype:successful-user; sid:2009568; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Facebook"; pcre:"/filename=\x22Facebook_(Password|Support|Document)_[A-Z0-9]{4,7}\.zip\x22/m"; reference:url,doc.emergingthreats.net/2010498; classtype:trojan-activity; sid:2010498; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; classtype:successful-user; sid:2009569; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; content:"stdapi_ui_get_idle_time"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; classtype:successful-user; sid:2009570; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008794; classtype:misc-activity; sid:2008794; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; classtype:successful-user; sid:2009571; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; classtype:successful-user; sid:2009572; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; classtype:successful-user; sid:2009573; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; classtype:successful-user; sid:2009574; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; classtype:successful-user; sid:2009575; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; classtype:successful-user; sid:2009576; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; classtype:successful-user; sid:2009577; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; classtype:successful-user; sid:2009578; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; classtype:successful-user; sid:2009579; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; flow:to_client,established; content:"core_channel_write"; depth:50; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; classtype:successful-user; sid:2009580; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; classtype:successful-user; sid:2009651; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; reference:url,doc.emergingthreats.net/2010454; classtype:successful-admin; sid:2010454; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; classtype:web-application-activity; sid:2007652; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; classtype:policy-violation; sid:2006417; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From|3a| anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent|3a| PHP"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; classtype:web-application-activity; sid:2001628; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; classtype:web-application-activity; sid:2003536; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; classtype:web-application-activity; sid:2007653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; classtype:web-application-activity; sid:2007654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; classtype:web-application-activity; sid:2007655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; classtype:web-application-activity; sid:2007656; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftpuser; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; classtype:trojan-activity; sid:2007715; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; classtype:trojan-activity; sid:2007725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007726; classtype:trojan-activity; sid:2007726; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; fast_pattern; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; reference:url,doc.emergingthreats.net/2009581; classtype:successful-admin; sid:2009581; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; classtype:trojan-activity; sid:2003464; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; nocase; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; classtype:trojan-activity; sid:2003465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; depth:55; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; classtype:successful-recon-limited; sid:2009676; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2008953; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"; flow:established; dsize:<160; content:"Microsoft Windows [Version "; depth:30; content:"Copyright (c)"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2012690; rev:1; metadata:created_at 2011_04_17, updated_at 2011_04_17;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:2101882; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:2101883; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:2101885; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:2101886; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:2101666; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:2101200; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:2100495; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:2100497; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"GPL ATTACK_RESPONSE isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2102043; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:2101008; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN RatProxy in-use"; flow:established,to_server; content:"X-Ratproxy-Loop|3A| "; threshold: type limit, track by_src,count 1, seconds 60; classtype:attempted-recon; sid:2011975; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:2101292; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System Buffer Overflow"; flow:established,to_server; content:"|64 12 54 6a|"; depth:4; content:"|00 00 00 f4 1f 00 00|"; distance:1; within:7; isdataat:220; content:!"|0a|"; distance:0; pcre:"/\x64\x12\x54\x6a[\x20\x10\x02]\x00\x00\x00\xf4\x1f\x00\x00/"; reference:url,www.exploit-db.com/exploits/15337/; classtype:attempted-dos; sid:2011976; rev:1; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/portal_block.php?"; nocase; http_uri; content:"phpbb_root_path="; nocase; http_uri; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; reference:url,doc.emergingthreats.net/2008964; classtype:web-application-attack; sid:2008964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; within:25; classtype:bad-unknown; sid:2101884; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/acp_lcxbbportal.php?"; nocase; http_uri; content:"phpbb_root_path="; nocase; http_uri; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; reference:url,doc.emergingthreats.net/2008965; classtype:web-application-attack; sid:2008965; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/embedforum.php?"; nocase; http_uri; content:"CONFIG[LANGUAGE_CPATH]="; nocase; http_uri; pcre:"/CONFIG\[LANGUAGE_CPATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009381; classtype:web-application-attack; sid:2009381; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401"; http_stat_code; threshold:type both, track by_dst, count 30, seconds 60; reference:url,doc.emergingthreats.net/2009346; classtype:attempted-recon; sid:2009346; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/scorm/lib.inc.php?"; nocase; http_uri; content:"CONFIG[BASE_PATH]="; nocase; http_uri; pcre:"/CONFIG\[BASE_PATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009386; classtype:web-application-attack; sid:2009386; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; file_data; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; classtype:successful-recon-limited; sid:2009675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; reference:url,doc.emergingthreats.net/2009469; classtype:web-application-attack; sid:2009469; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 1"; flow:to_client,established; content:"4871A87A-BFDD-4106-8153-FFDE2BAC2967"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4871A87A-BFDD-4106-8153-FFDE2BAC2967/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009687; classtype:web-application-attack; sid:2009687; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MciWndx ActiveX Control"; flow:from_server,established; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002724; classtype:web-application-attack; sid:2002724; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 2 status code Unauthorized Name"; content:"|06 13|"; offset:4; depth:2; content:"|0d|"; distance:11; within:1; classtype:protocol-command-decode; sid:2017121; rev:2; metadata:created_at 2013_07_09, former_category ATTACK_RESPONSE, updated_at 2013_07_09;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX PPMate PPMedia Class ActiveX Control Buffer Overflow"; flow:to_client,established; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; nocase; content:"StartURL"; nocase; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; reference:url,milw0rm.com/exploits/6090; reference:url,doc.emergingthreats.net/2009143; classtype:web-application-attack; sid:2009143; rev:37; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php"; flow:established,to_server; content:"/module_bbcodeloader.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004576; classtype:web-application-attack; sid:2004576; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php"; flow:established,to_server; content:"/module_div.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004577; classtype:web-application-attack; sid:2004577; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound"; flow:established; content:"netsh firewall|22| is deprecated|3b|"; content:"use |22|netsh advfirewall"; distance:0; content:"Ok."; distance:0; classtype:successful-admin; sid:2020087; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php"; flow:established,to_server; content:"/module_email.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004578; classtype:web-application-attack; sid:2004578; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; content:"SERVICE_EXIT_CODE"; distance:0; classtype:successful-admin; sid:2020088; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php"; flow:established,to_server; content:"/module_image.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004579; classtype:web-application-attack; sid:2004579; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php"; flow:established,to_server; content:"/module_link.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004580; classtype:web-application-attack; sid:2004580; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid"; flow:established,to_server; content:"/jscripts/folder_rte_files/module_table.php?"; nocase; http_uri; content:"editorid="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004581; classtype:web-application-attack; sid:2004581; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlException (0x"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020508; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006675; classtype:web-application-attack; sid:2006675; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid MySQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020509; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006676; classtype:web-application-attack; sid:2006676; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlClient."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020510; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006677; classtype:web-application-attack; sid:2006677; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"com.mysql.jdbc.exceptions"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020511; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006678; classtype:web-application-attack; sid:2006678; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"PostgreSQL"; fast_pattern; content:"ERROR"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020512; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006679; classtype:web-application-attack; sid:2006679; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"Wpg_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020513; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006680; classtype:web-application-attack; sid:2006680; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid PostgreSQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Npgsql."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020515; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.postgresql.util.PSQLException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020516; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt"; flow:established,to_client; content:"|3C|smil"; nocase; content:"|3C|img src="; nocase; distance:0; content:!"http"; nocase; within:20; content:"|3A|//"; within:20; isdataat:700,relative; content:!"|3C 2F|smil|3E|"; nocase; within:700; content:!"|0A|"; within:700; reference:url,securitytracker.com/alerts/2010/Aug/1024336.html; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:2011366; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ERROR|3a 20 20|syntax error at or near"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020517; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java JAR file download"; flow:from_server,established; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:2011854; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Driver"; fast_pattern; pcre:"/^ SQL[-_ ]Server/R"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020518; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; classtype:trojan-activity; sid:2011873; rev:4; metadata:created_at 2010_10_29, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"OLEDB"; fast_pattern; content:"|20|SQL Server"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mac User-Agent Typo Likely Hostile/Trojan Infection"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Macintosh|3b|"; http_header; content:"(KHTML, like Geco,"; http_header; reference:url,doc.emergingthreats.net/2008954; classtype:trojan-activity; sid:2008954; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mssql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020521; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; classtype:trojan-activity; sid:2001397; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"System.Data.SqlClient."; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020523; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php"; flow:established,to_server; content:"/calendar.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2909; reference:url,www.vbulletin.com/forum/showthread.php?postid=1355012; reference:url,doc.emergingthreats.net/2004592; classtype:web-application-attack; sid:2004592; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"Roadhouse.Cms"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020524; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003939; classtype:web-application-attack; sid:2003939; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Microsoft Access"; fast_pattern; pcre:"/^ \d+ Driver/R"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020525; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UNION SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003940; classtype:web-application-attack; sid:2003940; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"JET Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020526; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php INSERT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003941; classtype:web-application-attack; sid:2003941; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Access Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020527; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php DELETE"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003942; classtype:web-application-attack; sid:2003942; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ORA-"; fast_pattern:only; pcre:"/ORA-\d{4}/"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020528; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php ASCII"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003943; classtype:web-application-attack; sid:2003943; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003944; classtype:web-application-attack; sid:2003944; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php SELECT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003945; classtype:web-application-attack; sid:2003945; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UNION SELECT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003946; classtype:web-application-attack; sid:2003946; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"CLI Driver"; fast_pattern:only; pcre:"/CLI Driver.*DB2/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020533; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php INSERT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003947; classtype:web-application-attack; sid:2003947; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"DB2 SQL error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020534; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php DELETE"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003948; classtype:web-application-attack; sid:2003948; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"bdb2_"; fast_pattern:only; pcre:"/bdb2_\w+\(/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php ASCII"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003949; classtype:web-application-attack; sid:2003949; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Informix error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; content:"Informix"; fast_pattern; pcre:"/Exception.*Informix/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020536; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003950; classtype:web-application-attack; sid:2003950; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php SELECT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003951; classtype:web-application-attack; sid:2003951; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UNION SELECT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003952; classtype:web-application-attack; sid:2003952; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite/JDBCDriver"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php INSERT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003953; classtype:web-application-attack; sid:2003953; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite.Exception"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php DELETE"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003954; classtype:web-application-attack; sid:2003954; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"System.Data.SQLite.SQLiteException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php ASCII"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003955; classtype:web-application-attack; sid:2003955; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"SQLite3|3a 3a|"; fast_pattern; distance:0; pcre:"/Warning.*SQLite3::/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020543; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003956; classtype:web-application-attack; sid:2003956; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[SQLITE_ERROR]"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003957; classtype:web-application-attack; sid:2003957; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL error"; fast_pattern; content:"POS("; distance:0; pcre:"/SQL error.*POS\([0-9]+\)/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003958; classtype:web-application-attack; sid:2003958; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"maxdb"; fast_pattern; distance:0; pcre:"/Warning.*maxdb/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003959; classtype:web-application-attack; sid:2003959; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sybase"; fast_pattern; distance:0; pcre:"/i?Warning.*sybase/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020547; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003960; classtype:web-application-attack; sid:2003960; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020548; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003961; classtype:web-application-attack; sid:2003961; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase Server message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020549; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003962; classtype:web-application-attack; sid:2003962; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ingres_"; fast_pattern; distance:0; pcre:"/Warning.*ingres_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020550; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id SELECT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003963; classtype:web-application-attack; sid:2003963; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sqlite_"; fast_pattern; distance:0; pcre:"/Warning.*sqlite_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020542; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UNION SELECT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003964; classtype:web-application-attack; sid:2003964; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres SQLSTATE"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020551; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id INSERT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003965; classtype:web-application-attack; sid:2003965; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres"; fast_pattern; content:"Driver"; distance:0; pcre:"/Ingres\W.*Driver/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020552; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id DELETE"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003966; classtype:web-application-attack; sid:2003966; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frontbase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception (condition )"; content:". Transaction rollback."; fast_pattern; distance:0; pcre:"/Exception (condition )\d+\. Transaction rollback\./m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020553; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id ASCII"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003967; classtype:web-application-attack; sid:2003967; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HSQLDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.hsqldb.jdbc"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003968; classtype:web-application-attack; sid:2003968; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"500 Internal Server Error"; file_data; content:"OLE DB Provider for SQL Server"; fast_pattern:only; pcre:"/SQL Server.*?error \x27[0-9a-f]{8}/mi"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020522; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003969; classtype:web-application-attack; sid:2003969; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003970; classtype:web-application-attack; sid:2003970; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; file_data; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003971; classtype:web-application-attack; sid:2003971; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003972; classtype:web-application-attack; sid:2003972; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003973; classtype:web-application-attack; sid:2003973; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003974; classtype:web-application-attack; sid:2003974; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; classtype:trojan-activity; sid:2024977; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2017_11_07, deployment Datacenter, former_category ATTACK_RESPONSE, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2017_11_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2686; reference:url,www.osvdb.org/34791; reference:url,doc.emergingthreats.net/2004572; classtype:web-application-attack; sid:2004572; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:3; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2018_01_08;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE passwd file Outbound from WEB SERVER Linux"; flow:established,from_server; file_data; content:"root:x:0:0:root:/root:/bin/"; within:27; classtype:successful-recon-limited; sid:2025879; rev:1; metadata:created_at 2018_07_20, updated_at 2018_07_20;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; reference:url,doc.emergingthreats.net/2009146; classtype:web-application-activity; sid:2009146; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009147; classtype:web-application-activity; sid:2009147; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026920; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Response"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"ctT2J"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmp) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmp"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9iam) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9iam"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004122; classtype:web-application-attack; sid:2004122; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"XctT2JqZW"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026924; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004123; classtype:web-application-attack; sid:2004123; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmplY3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004124; classtype:web-application-attack; sid:2004124; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FydC1Qcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004125; classtype:web-application-attack; sid:2004125; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026927; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004126; classtype:web-application-attack; sid:2004126; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2N"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004127; classtype:web-application-attack; sid:2004127; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJvY2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"_m="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2562; reference:url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded; reference:url,doc.emergingthreats.net/2003913; classtype:web-application-attack; sid:2003913; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GFydC1Qcm9jZX"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004689; classtype:web-application-attack; sid:2004689; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2Nlc3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004690; classtype:web-application-attack; sid:2004690; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtV21pTWV"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004691; classtype:web-application-attack; sid:2004691; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004692; classtype:web-application-attack; sid:2004692; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXR"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write % Encoding"; flow:established,to_client; content:"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012059; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1ldG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004693; classtype:web-application-attack; sid:2004693; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtV21pTWV0aG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding"; flow:established,to_client; content:"%u64%u6f%u63%u75%u6d%u65%u6e%u74%u2e%u77%u72%u69%u74%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012060; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXRob2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004694; classtype:web-application-attack; sid:2004694; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtQ29"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding"; flow:established,to_client; content:"%61%72%67%75%6d%65%6e%74%73%2e%63%61%6c%6c%65%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012061; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding"; flow:established,to_client; content:"%u61%u72%u67%u75%u6d%u65%u6e%u74%u73%u2e%u63%u61%u6c%u6c%u65%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012062; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtQ29tbW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path"; flow:established,to_server; content:"/views/print/printbar.php?"; nocase; http_uri; content:"views_path="; nocase; http_uri; pcre:"/=\s*(https?|ftps|php)\:\//Ui"; reference:cve,CVE-2007-2607; reference:url,www.exploit-db.com/exploits/3870/; reference:url,doc.emergingthreats.net/2003716; classtype:web-application-attack; sid:2003716; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026941; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004409; classtype:web-application-attack; sid:2004409; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21tYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004410; classtype:web-application-attack; sid:2004410; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1hbm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004411; classtype:web-application-attack; sid:2004411; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004412; classtype:web-application-attack; sid:2004412; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"lzIHByb2d"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004413; classtype:web-application-attack; sid:2004413; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3J"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004414; classtype:web-application-attack; sid:2004414; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9ncm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005135; classtype:web-application-attack; sid:2005135; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GlzIHByb2dyYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027031; rev:2; metadata:attack_target DNS_Server, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005136; classtype:web-application-attack; sid:2005136; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3JhbS"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027032; rev:2; metadata:created_at 2019_03_05, former_category ATTACK_RESPONSE, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005137; classtype:web-application-attack; sid:2005137; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"gAaQBzACAAcAByAG8AZwByAGE"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005138; classtype:web-application-attack; sid:2005138; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027034; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005139; classtype:web-application-attack; sid:2005139; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005140; classtype:web-application-attack; sid:2005140; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgBhAG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027036; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler .exe request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; content:"|00 2E 00 65 00 78 00 65|"; distance:0; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; classtype:suspicious-filename-detect; sid:2011527; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GgAaQBzACAAcAByAG8AZwByAGEAbQ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php"; flow:established,to_server; content:"/sendmail.php?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2532; reference:url,www.securityfocus.com/bid/23847; reference:url,doc.emergingthreats.net/2003918; classtype:web-application-attack; sid:2003918; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQBtAC"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family CoinMiner, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php"; flow:established,to_server; content:"/order_form.php?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2532; reference:url,www.securityfocus.com/bid/23847; reference:url,doc.emergingthreats.net/2003919; classtype:web-application-attack; sid:2003919; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FyZ29ycCB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin"; flow:established,to_server; content:"/configure_plugin.tpl.php?"; nocase; http_uri; content:"edit_plugin="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003882; classtype:web-application-attack; sid:2003882; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnA"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1"; flow:established,to_server; content:"/web/phpinfo.php?"; nocase; http_uri; content:"1["; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003883; classtype:web-application-attack; sid:2003883; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHN"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a"; flow:established,to_server; content:"/web/phpinfo.php?"; nocase; http_uri; content:"a["; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003884; classtype:web-application-attack; sid:2003884; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnAgc2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Exploit"; flow:established,to_server; content:"mosConfig_absolute_path="; http_uri; content:".php"; nocase; http_uri; pcre:"/mosConfig_absolute_path=(https?|ftps?|php)\:\//Ui"; reference:url,seclists.org/lists/fulldisclosure/2005/Nov/0528.html; reference:url,isc.sans.org/diary.php?storyid=869; reference:url,www.us-cert.gov/cas/bulletins/SB07-106.html; reference:url,doc.emergingthreats.net/2002681; classtype:web-application-attack; sid:2002681; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"WFyZ29ycCBzaW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003987; classtype:web-application-attack; sid:2003987; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHNpaF"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003988; classtype:web-application-attack; sid:2003988; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET ATTACK_RESPONSE LaZagne Artifact Outbound in FTP"; flow:established,to_server; content:"The LaZagne Project"; fast_pattern; reference:url,github.com/AlessandroZ/LaZagne; classtype:trojan-activity; sid:2027151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family Stealer, malware_family LaZange, signature_severity Major, updated_at 2019_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003989; classtype:web-application-attack; sid:2003989; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert smb any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory (T1105)"; flow:established,to_server; content:"|05 00|"; offset:16; depth:2; content:"|00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00|"; fast_pattern; classtype:attempted-user; sid:2027267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1105, tag lateral_movement, tag remote_file_copy, updated_at 2019_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003990; classtype:web-application-attack; sid:2003990; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Remote System32 DLL Hijack Command Inbound via HTTP (T1038, T1105)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"copy|20|"; content:".dll"; distance:0; content:"|5c|Windows|5c|System32|5c|"; distance:0; fast_pattern; content:".dll"; distance:0; content:"copy|20|"; pcre:"/^(?P<dll_name>[a-z0-9\-_]{1,20})\.dll\s*\\\\(([0-9]{1,3}\.){3}[0-9]{1,3}|([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})\\\w{1,10}\$\\Windows\\System32\\(?P=dll_name)\.dll/Ri"; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, tag T1105, updated_at 2019_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003991; classtype:web-application-attack; sid:2003991; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 64bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00|6|00|4|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003992; classtype:web-application-attack; sid:2003992; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 32bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include"; flow:established,to_server; content:"/membres/membreManager.php"; nocase; http_uri; pcre:"/include_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22287; reference:url,doc.emergingthreats.net/2003331; classtype:web-application-attack; sid:2003331; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT nodes reply"; content:"d1|3a|rd2|3a|id20|3a|"; nocase; depth:12; content:"5|3a|nodes"; nocase; distance:20; within:7; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008583; classtype:policy-violation; sid:2008583; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Telnet to HP JetDirect Printer With No Password Set"; flow:to_client,established; content:"HP JetDirect"; content:"Password is not set"; offset:40; depth:30; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999#A3; reference:url,doc.emergingthreats.net/2009535; classtype:misc-activity; sid:2009535; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET POLICY External FTP Connection TO Local HP JetDirect Printer"; flow:to_client,established; content:"Hewlett-Packard FTP Print Server Version"; content:"To print a file, use the command|3a| put <filename> [portx]"; offset:40; depth:190; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06165; reference:url,doc.emergingthreats.net/2009536; classtype:misc-activity; sid:2009536; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; classtype:trojan-activity; sid:2003464; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:3; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
 
-alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; nocase; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; classtype:trojan-activity; sid:2003465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; content:!"|a9 d5 73 d2 a0 a5 a1 69|"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Direct Connect Traffic (client-server)"; flow:from_client,established; content:"$MyINFO"; depth:7; reference:url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application; reference:url,doc.emergingthreats.net/bin/view/Main/2002814; classtype:policy-violation; sid:2002814; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; http.uri; content:"?action=checkPort&port="; http.user_agent; content:"Java/"; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; classtype:trojan-activity; sid:2011667; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; http.uri; content:"?action=getData&servicePort="; http.user_agent; content:"Java/"; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status"; flow: to_server,established; content:"|e3 14|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001296; classtype:policy-violation; sid:2001296; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; http.stat_code; content:"502"; http.stat_msg; content:"Bad gateway"; file.data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:4; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status Request"; flow: to_server,established; content:"|e3 11|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001297; classtype:policy-violation; sid:2001297; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE webr00t WebShell Access"; flow:established,to_server; http.uri; content:"/?webr00t="; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:5; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey Server Status Request"; content:"|e3 96|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001298; classtype:policy-violation; sid:2001298; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; http.uri; content:"/wp-content/uploads/optpress/images_"; fast_pattern; content:".php"; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/i"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:4; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
-#alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg:"ET P2P eDonkey Server Status"; content:"|e3 97|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001299; classtype:policy-violation; sid:2001299; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible  MS CMD Shell opened on local system 2"; dsize:<200; content:"Microsoft Windows "; depth:40; content:"[Version"; within:10; content:"Copyright (c) 2009"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2018392; rev:2; metadata:created_at 2014_04_16, updated_at 2020_08_19;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip|3a|thisisthecanary@"; content:"sip|3a|test@"; offset:30; depth:70; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008641; classtype:attempted-recon; sid:2008641; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle"; fast_pattern; content:"Driver"; within:12; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020530; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
-alert tcp any 1024: -> any 1024: (msg:"ET P2P Gnutella TCP Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"200 OK|0d 0a|"; within:15; threshold: type both,track by_src,count 5,seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2007801; classtype:policy-violation; sid:2007801; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify/"; pcre:"/\/notify\/(?:single|mass)$/i"; http.request_body; content:"defacer|3d|"; depth:8; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:15; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2020_08_24;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P KuGoo P2P Connection"; dsize:<30; content:"|64|"; depth:1; content:"|70|"; distance:5; content:"|50 37|"; distance:4; reference:url,koogoo.com; reference:url,doc.emergingthreats.net/2009966; classtype:policy-violation; sid:2009966; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - POST structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&c="; content:"&p1="; content:"&p2="; content:"&p3="; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/"; classtype:attempted-user; sid:2015906; rev:4; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_24;)
 
-#alert udp any any -> any any (msg:"ET P2P Overnet (Edonkey) Server Announce"; content:"|00 00 02 03 00 6c 6f 63|"; offset: 36; content:"|00 62 63 70 3a 2f 2f|"; distance: 1; reference:url,www.overnet.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000335; classtype:policy-violation; sid:2000335; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|IKEEXT"; content:"copy|20|wlbsctrl.dll"; content:"|5c|Windows|5c|System32|5c|wlbsctrl.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027232; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
 
-alert tcp $EXTERNAL_NET 2240 -> $HOME_NET 1024: (msg:"ET P2P SoulSeek P2P Login Response"; flow:from_server,established; content:"|5c 01 00 00 01 00 00 00|"; depth:8; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008611; classtype:policy-violation; sid:2008611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|SessionEnv"; content:"copy|20|TSMSISrv.dll"; content:"|5c|Windows|5c|System32|5c|TSMSISrv.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027233; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
 
-alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; content:"|00 00|"; depth:2; content:"|05|AZVER|01|"; distance:5; within:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; classtype:policy-violation; sid:2010139; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|I|00|K|00|E|00|E|00|X|00|T|00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|w|00|l|00|b|00|s|00|c|00|t|00|r|00|l|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|w|00|l|00|b|00|s|00|c|00|t|00|r|00|l|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (2)"; dsize:94; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff 00 00 00 00 02 05 21|"; distance:8; within:11; content:"|00 00 00 00 00 00|"; distance:25; within:6; content:"|00 00|"; distance:20; within:2; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010141; classtype:policy-violation; sid:2010141; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|E|00|n|00|v|00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (3)"; dsize:80; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|02 05 21 04|"; distance:4; within:4; threshold:type limit, track by_dst, count 10, seconds 600; reference:url,doc.emergingthreats.net/2010142; classtype:policy-violation; sid:2010142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|"; content:"copy|20|TSVIPSrv.dll"; content:"|5c|Windows|5c|System32|5c|TSVIPSrv.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027236; rev:3; metadata:created_at 2019_04_22, former_category ATTACK_RESPONSE, updated_at 2020_08_28;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (4)"; dsize:<300; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff|"; distance:8; within:4; reference:url,doc.emergingthreats.net/2010143; classtype:policy-violation; sid:2010143; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|T|00|S|00|V|00|I|00|P|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027238; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request(2)"; dsize:35; content:"|e4 20|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009968; classtype:policy-violation; sid:2009968; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:to_server,established; http.uri; content:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:2101009; rev:10; metadata:created_at 2010_09_23, updated_at 2020_09_01;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; classtype:policy-violation; sid:2009969; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/javascript|0d 0a|Server|3a 20|Apache/2.2.3 (CentOS)|0d 0a|Pragma|3a|"; fast_pattern; depth:69; content:"|0d 0a|Expires|3a 20|0|0d 0a|"; http.header_names; content:!"Set-Cookie|0d 0a|"; content:!"X-Powered-By|0d 0a|"; classtype:attempted-user; sid:2024421; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; classtype:policy-violation; sid:2009972; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; http.header; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; content:"Next|2d|Polling"; fast_pattern; content:"Content|2d|Salt|3a 20|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/i"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:13; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Send Username"; flow:established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:1; within:4; byte_test:1,<,51,37; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009973; classtype:policy-violation; sid:2009973; rev:4; metadata:created_at 2010_07_30, former_category P2P, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Muhstik Botnet Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; pcre:"/^(?:curl|wget)/i"; http.uri; content:"/dk"; startswith; fast_pattern; pcre:"/^[0-9]{2}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/; reference:md5,898b3dc58bc5d05d3034a1c259b5a915; classtype:trojan-activity; sid:2033916; rev:1; metadata:created_at 2021_09_09, former_category ATTACK_RESPONSE, updated_at 2021_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; depth:17; reference:url,www.gnutella.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001664; classtype:policy-violation; sid:2001664; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M1"; flow:established,from_server; content:"|2c 31 25 25 27 3a 7e|"; content:"|2c 31 25 25 27 3a 7e|"; distance:0; pcre:"/[-\d]{1,4}(?:\x2c\x31\x25\x25\x27\x3a\x7e[-\d]{1,4}){10}/R"; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034183; rev:1; metadata:created_at 2021_10_13, former_category ATTACK_RESPONSE, updated_at 2021_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"X-Ultrapeer|3a| True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002761; classtype:policy-violation; sid:2002761; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M2"; flow:established,from_server; content:"%%comspec|3a|"; nocase; content:"%%programfiles|3a|"; content:"%commonprogramfiles|3a|"; nocase; fast_pattern; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034184; rev:1; metadata:created_at 2021_10_13, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_10_13;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; classtype:policy-violation; sid:2001809; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"Set|20|"; nocase; fast_pattern; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"Chr|28|"; nocase; pcre:"/^\d+(\+|\-|\\|\*)\d+/R"; classtype:bad-unknown; sid:2034499; rev:1; metadata:created_at 2021_11_18, former_category ATTACK_RESPONSE, updated_at 2021_11_18;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT get_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; offset:12; content:"9|3a|info_hash20|3a|"; nocase; distance:20; within:14; content:"e1|3a|q9|3a|get_peers1|3a|"; nocase; distance:20; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008584; classtype:policy-violation; sid:2008584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Bash Script Inbound - Kill Coin Mining Related Processes"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|0d 0a|ps|20|aux"; fast_pattern; pcre:"/^[^\r\n]+(?:mine\.moneropool|xmr\.crypto-pool|monerohash)[^\r\n]+kill\x20\-9/R"; content:"kill|20|-9"; classtype:bad-unknown; sid:2034504; rev:1; metadata:created_at 2021_11_18, former_category ATTACK_RESPONSE, updated_at 2021_11_18;)
 
-alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k request part"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 47|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000332; classtype:policy-violation; sid:2000332; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com)"; dns.query; dotprefix; content:".bingsearchlib.com"; nocase; endswith; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2021-44228; classtype:domain-c2; sid:2034670; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
 
-alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k file request answer"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 59|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000333; classtype:policy-violation; sid:2000333; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response"; flow:established,to_client; content:"|30 81|"; startswith; content:"|02 01|"; distance:1; within:2; content:"|64|"; distance:1; within:1; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0d|javaClassName"; within:20; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0c|javaCodeBase"; within:19; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|objectClass"; within:18; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|javaFactory"; within:18; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034722; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET 4660:4799 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Client to Server Hello"; flow:established; dsize:>5; content:"|e3|"; offset:1; content:"|01|"; distance:4; within:5; content:"|02 01 00 01|"; distance:26; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003323; classtype:policy-violation; sid:2003323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (rce .ee)"; dns.query; dotprefix; content:".rce.ee"; nocase; endswith; reference:url,www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228; reference:cve,2021-44228; classtype:domain-c2; sid:2034747; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_17;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 2240 (msg:"ET P2P SoulSeek P2P Server Connection"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008595; classtype:policy-violation; sid:2008595; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2"; flow:established,to_client; content:"|30|"; startswith; content:"|04 0d|javaClassName"; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 12|javaSerializedData"; within:25; content:"|ac ed|"; within:10; content:"|2e|exec"; distance:0; content:"FromCharCode"; nocase; distance:0; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034769; rev:2; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category ATTACK_RESPONSE, updated_at 2021_12_20;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign SSL Certificate"; flow:established,to_client; content:"www.bozvanovna.com"; fast_pattern:only; nocase; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012083; rev:1; metadata:attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j .binaryedge .io)"; dns.query; dotprefix; content:".log4j.binaryedge.io"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034819; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; depth:55; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; classtype:successful-recon-limited; sid:2009676; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com)"; dns.query; dotprefix; content:".log4shell.huntress.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034820; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (kryptoslogic-cve-2021-44228 .com)"; dns.query; dotprefix; content:".kryptoslogic-cve-2021-44228.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034821; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
 
-#alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k connection to server"; flow: to_server,established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:2; within:4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000330; classtype:policy-violation; sid:2000330; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (ceye .io)"; dns.query; dotprefix; content:".ceye.io"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034822; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Message"; flow:established; dsize:>10; content:"|e3|"; depth:1; content:"|38|"; distance:4; within:5; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003321; classtype:policy-violation; sid:2003321; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (oob .li)"; dns.query; dotprefix; content:".oob.li"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034823; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server List"; flow:established; dsize:>12; content:"|e3|"; depth:1; content:"|32|"; distance:4; within:5; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003322; classtype:policy-violation; sid:2003322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (pwn .af)"; dns.query; dotprefix; content:".pwn.af"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034824; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET DELETED Anonymous Proxy Traffic from Inside"; flow: from_client,established; flags:*AP,12; content:"GET http|3a|//"; depth:11; content:"HTTP/1.0"; within:50; reference:url,doc.emergingthreats.net/2003069; classtype:policy-violation; sid:2003069; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (notburpcollaborator .net)"; dns.query; dotprefix; content:".notburpcollaborator.net"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034825; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Vipdataend C&C Traffic Checkin variant 2"; flowbits:set,ET.vipdataend; flow:established,to_server; dsize:<22; content:"|3a|"; depth:5; offset:2; content:"|7c|win "; within:12; reference:url,doc.emergingthreats.net/2009025; classtype:command-and-control; sid:2009025; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scannermcscanface-edgescan .com)"; dns.query; dotprefix; content:".scannermcscanface-edgescan.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034826; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET P2P MS Foldershare Login Detected"; flow:established,to_client; content:"|0b|FolderShare|30 81 9f 30|"; nocase; offset:392; depth:18; reference:url,www.foldershare.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002673; classtype:policy-violation; sid:2002673; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (service .exfil .site)"; dns.query; dotprefix; content:".service.exfil.site"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034827; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT find_node request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:24; content:"6|3a|target20|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; distance:20; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008582; classtype:policy-violation; sid:2008582; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scanworld .net)"; dns.query; dotprefix; content:".scanworld.net"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034828; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET DELETED NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002187; classtype:attempted-admin; sid:2002187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (log .exposedbotnets .ru)"; dns.query; dotprefix; content:".log.exposedbotnets.ru"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034830; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DELETED NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002188; classtype:attempted-admin; sid:2002188; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (canarytokens .com)"; dns.query; content:".l4j."; nocase; content:".canarytokens.com"; nocase; endswith; fast_pattern; reference:cve,2021-44228; classtype:domain-c2; sid:2034832; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set"; flow:to_client,established; content:"NtDllImageBase|22|"; nocase; content:"getModuleInfos|28|"; distance:0; content:"|27|ntdll.dll|27|"; nocase; within:50; flowbits:set,NtDll.ImageBase.Module.Called; flowbits:noalert; classtype:not-suspicious; sid:2012085; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j. leakix .net)"; dns.query; content:"log4j.leakix.net"; nocase; endswith; reference:cve,2021-44228; reference:url,twitter.com/VessOnSecurity/status/1473414886533304322; classtype:domain-c2; sid:2034831; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Command Tunneling M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|GET"; content:"|22|xp_cmdshell"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034862; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Command Tunneling M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|474554"; content:"78705f636d647368656c6c"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034863; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt"; flow:established,to_client; content:"@import url(|22|"; nocase; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,www.microsoft.com/technet/security/advisory/2488013.mspx; reference:bid,45246; reference:cve,2010-3971; classtype:attempted-user; sid:2012075; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Enumeration Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|GET"; content:"whoami"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:attempted-recon; sid:2034864; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding"; flow:established,to_client; content:"%u646f%u6375%u6d65%u6e74%u2e77%u7269%u7465"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012107; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Enumeration Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|474554"; content:"77686f616d69"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:attempted-recon; sid:2034865; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding"; flow:established,to_client; content:"%u6368%u6172%u436f%u6465%u4174"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012108; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Lateral Movement Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?kmd=|22|"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034866; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding"; flow:established,to_client; content:"%u5374%u7269%u6e67%u2e66%u726f%u6d43%u6861%u7243%u6f64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012109; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp-pkt $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Apache Spark RPC - Unauthenticated RegisterApplication - Successfully Registered (CVE-2020-9480)"; flow:established,to_client; flowbits:isset,ET.ApacheSpark_UnauthRegisterApplication; content:"org.apache.spark.deploy.DeployMessages$RegisteredApplication"; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:successful-admin; sid:2035004; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_01_28;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated JS - URL Encoded Unescape Function Call Inbound"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:misc-activity; sid:2016134; rev:4; metadata:created_at 2012_12_30, former_category EXPLOIT, updated_at 2012_12_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated JS - Possible URL Encoded JS Inbound"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:misc-activity; sid:2016132; rev:5; metadata:created_at 2012_12_30, former_category EXPLOIT, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"%PDF-"; depth:300; nocase; content:"/U3D/Length 172"; distance:0; pcre:"/\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012121; rev:1; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command completed"; flow:established; content:"|0a|The|20|Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:2100494; rev:13; metadata:created_at 2010_09_23, former_category ATTACK_RESPONSE, updated_at 2022_06_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage"; flow:established,to_client; content:"|5C|x"; nocase; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; pcre:"/\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; classtype:bad-unknown; sid:2012119; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Geo Check Before Execution"; flow:established,to_client; http.response_body; content:"|7c 20|Select|20 2d|exp|20|country|0a|"; offset:110; depth:40; fast_pattern; content:"|20|If|20 28 24|"; within:10; content:"|2d|eq|20 27|"; distance:7; within:10; content:"|27 29|"; distance:2; within:2; pcre:"/ElseIf\s+\x28\x24\w{8,10}\s+\x2deq\s+\x27\w{2}\x27\x29\s+\x7b/R"; reference:md5,0777d02ed4a7a6301bac5102e4569256; reference:url,twitter.com/StopMalvertisin/status/1542782976052056065; classtype:misc-activity; sid:2037253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_07_01;)
 
-alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active"; ip_proto:41; threshold:type both,track by_dst, count 1, seconds 60; reference:url,en.wikipedia.org/wiki/6in4; classtype:policy-violation; sid:2012141; rev:2; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M1"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037281; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set"; flow:established,to_client; flowbits:set,ET.AVI.RIFF.Chunk; content:"|52 49 46 46|"; content:"|41 56 49 20|"; distance:4; within:4; flowbits:noalert; classtype:not-suspicious; sid:2012142; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M2"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037282; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M3"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037283; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"|0d 0a|ORGANIZER"; content:"mailto|3a|"; nocase; within:50; isdataat:2000,relative; content:!"|0a|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M4"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037284; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound"; flow:established,to_server; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012151; rev:1; metadata:created_at 2011_01_06, updated_at 2011_01_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M5"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037285; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set"; flow:established,to_client; flowbits:set,DXF.Ext.Access; content:"|20 20 30|"; content:"|0A 53 45 43 54 49 4F 4E|"; within:10; content:"|20 20 32|"; within:5; content:"|48 45 41 44 45 52|"; distance:0; content:"|0a|"; within:2; flowbits:noalert; classtype:not-suspicious; sid:2012152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M6"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037286; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WBEM.SingleViewCtrl.1"; nocase; distance:0; pcre:"/WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; classtype:attempted-user; sid:2012157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M7"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037287; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M8"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037288; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Megaupload file download service access"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a| "; http_header; content:"megaupload.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2009301; classtype:policy-violation; sid:2009301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M9"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037289; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent no space"; flow:established,to_server; content:"|0d 0a|User-Agent|3a|"; content:!"|0d 0a|User-Agent|3a 20|"; classtype:bad-unknown; sid:2012180; rev:3; metadata:created_at 2011_01_15, former_category HUNTING, updated_at 2011_01_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M10"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037290; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt"; flow:established,to_client; content:"0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; nocase; content:"DelFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9/si"; reference:url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt; classtype:attempted-user; sid:2012192; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M11"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037291; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt"; flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; content:"RecordClip"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5/si"; reference:bid,44443; reference:cve,2010-3749; classtype:attempted-user; sid:2012194; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M12"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037292; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt"; flow:established,to_client; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010312; classtype:attempted-user; sid:2010312; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M13"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037293; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)"; flow:established,to_server; flowbits:isset,ET.phpBB3_test; flowbits:isnotset,ET.phpBB3_register_stage3; flowbits:isset,ET.phpBB3_register_stage4; reference:url,doc.emergingthreats.net/2010897; classtype:web-application-attack; sid:2010897; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M14"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037294; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)"; flow:established,to_server; flowbits:isnotset,ET.phpBB3_register_stage1; flowbits:isset,ET.phpBB3_register_stage2; flowbits:isset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010896; classtype:web-application-attack; sid:2010896; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M15"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037295; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting"; flow:established,to_server; content:"/BPELConsole/default/processLog.jsp"; nocase; depth:50; content:"processName="; nocase; within:100; pcre:"/processName\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,43954; reference:cve,2010-3581; classtype:attempted-admin; sid:2011860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M16"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037296; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login Part 2"; flow:established; content:"|f0 be 05 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011738; classtype:policy-violation; sid:2011738; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M17"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037297; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)"; content:"From|3A 20 22|sipsscuser|22|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:3; metadata:created_at 2011_01_20, updated_at 2011_01_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M18"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037298; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED HP Data Protector Media Operations SignInName Parameter Overflow"; flow:established,to_server; content:"/4daction/wHandleURLs/handleSignIn|3F|sess|3D|"; http_uri; content:"Referer|3A 20|"; nocase; http_header; content:"SignInName|3D|"; nocase; isdataat:1000; reference:url,elotrolad0.blogspot.com/2010/10/hp-data-protector-media-operations-611_23.html; reference:url,securitytracker.com/id?1024634; classtype:attempted-user; sid:2011889; rev:5; metadata:created_at 2010_11_02, updated_at 2010_11_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M19"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037299; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"|2E|charCodeAt|28|"; nocase; within:32; pcre:"/String.fromCharCode|28|[a-z,0-9]{1,20}\x2EcharCodeAt\x28/i"; classtype:misc-activity; sid:2012205; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M20"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037300; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"GetDriverSettings2"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-256/; reference:url,www.vupen.com/english/advisories/2010/3023; reference:bid,44966; reference:cve,2010-4321; classtype:attempted-user; sid:2012206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M21"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037301; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED m28sx twitter worm redirect access"; flow:established,to_server; content:"/undo/red.php"; http_uri; content:"Host|3a| gdfgdfgdgdfgdfg.in.ua"; nocase; http_header; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012209; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M22"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037302; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/OvCgi/Main/Snmp.exe"; http_uri; nocase; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; classtype:web-application-attack; sid:2010687; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M23"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037303; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"ImportBodyText"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:cve,2010-3595; classtype:attempted-user; sid:2012231; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M24"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037304; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Deletion Attempt"; flow:established,to_client; content:"F647CBE5-3C01-402A-B3F0-502A77054A24"; nocase; content:"DownloadSingleMessageToFile"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F647CBE5-3C01-402A-B3F0-502A77054A24/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012232; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M25"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037305; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite Attempt"; flow:established,to_client; content:"4932CEF4-2CAA-11D2-A165-0060081C43D9"; nocase; content:"SaveLayoutChanges"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4932CEF4-2CAA-11D2-A165-0060081C43D9/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012233; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M26"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037306; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto Init"; flow:established,from_server; dsize:2; content:"x0"; depth:2; flowbits:noalert; flowbits:set,et.x0proto; classtype:trojan-activity; sid:2012236; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M27"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037307; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE x0Proto Client Info"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:<128; content:"x0|0c|"; depth:3; classtype:trojan-activity; sid:2012237; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M28"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037308; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE x0Proto Pong"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:9; content:"x53|0c|"; depth:4; content:"|0c|0|0c|1"; distance:1; within:4; classtype:trojan-activity; sid:2012238; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M29"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037309; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto Ping"; flow:established,from_server; flowbits:isset,et.x0proto; dsize:7; content:"x53|0c|1|0c|0"; depth:7; classtype:trojan-activity; sid:2012239; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M30"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037310; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto Download Cmd"; flow:established,from_server; flowbits:isset,et.x0proto; content:"x74|0c|1|0c|1x"; depth:8; classtype:trojan-activity; sid:2012240; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M31"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037311; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible % Encoded Iframe Tag"; flow:established,to_client; content:"%69%66%72%61%6d%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012241; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M32"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037312; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag"; flow:established,to_client; content:"%u69%u66%u72%u61%u6d%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012242; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M33"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:!"|06 03 55 04 0a|"; distance:0; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037313; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag"; flow:established,to_client; content:"%u6966%u7261%u6d65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012243; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M34"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037314; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible # Encoded Iframe Tag"; flow:established,to_client; content:"#69#66#72#61#6d#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012244; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M35"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037315; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write # Encoding"; flow:established,to_client; content:"#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012245; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M36"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037316; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M37"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037317; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M38"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037318; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity to document.doc"; flow:established,to_server; content:"/forum/document.doc"; http_uri; content:"!Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012280; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M39"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037319; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download request"; flow:established,to_server; content:"/forum/load.php?file="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012281; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M40"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037320; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Base64 Encoded FTP Commands (21 > o&echo user 1 1 >> o &echo get)"; flow:established,from_server; content:"MjEgPiBvJmVjaG8gdXNlciAxIDEgPj4gbyAmZWNobyBnZXQgUm"; fast_pattern; classtype:attempted-user; sid:2012291; rev:2; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M41"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037321; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ip [102.0.0.0/7,104.0.0.0/8,106.0.0.0/8,179.0.0.0/8,185.0.0.0/8] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 2"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002750; classtype:bad-unknown; sid:2002750; rev:27; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M42"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037322; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ip [0.0.0.0/8,192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET POLICY Unallocated IP Space Traffic - Bogon Nets"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002749; classtype:bad-unknown; sid:2002749; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M43"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037323; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M44"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037324; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M45"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037325; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm Worm HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/?"; http_uri; pcre:"/GET \/\?[0-9a-f]{16}/Ui"; pcre:"/Host\x3a [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2006411; classtype:trojan-activity; sid:2006411; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M46"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037326; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent|3a| Godzilla"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001711; classtype:trojan-activity; sid:2001711; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M47"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037327; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; classtype:trojan-activity; sid:2000307; rev:26; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M48"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037328; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012307; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M49"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037329; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon Server Auth to Bot"; flow:established,from_server; dsize:29; content:"|00 00|password|00 00 00|"; offset:3; depth:13; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012309; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M50"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037330; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon CnC Traffic Inbound 2"; flow:established,from_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012305; rev:5; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M51"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037331; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Traffic Outbound 2"; flow:established,to_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012306; rev:6; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M52"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037332; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Beacon Outbound"; flow:established,to_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:command-and-control; sid:2012303; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2011_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M53"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037333; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012304; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2011_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M54"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037334; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012308; rev:2; metadata:created_at 2011_02_11, former_category MALWARE, updated_at 2011_02_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M55"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037335; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.SillyP2P Checkin"; flow:to_server,established; content:"GET"; http_method; content:"csi?v="; http_uri; content:"&s=webhp&action=&e=0&ei="; http_uri; content:"&expi="; http_uri; content:"&imc="; http_uri; content:"&imn="; http_uri; content:"&imp="; http_uri; content:"&rt=xjsls"; http_uri; reference:md5,a7e1388c38c1fed12785bc335f95b15d; reference:url,www.securehomenetwork.blogspot.com/2011/02/anonleaks-continues-relationship-with.html; classtype:trojan-activity; sid:2012311; rev:4; metadata:created_at 2011_02_14, updated_at 2011_02_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M56"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037336; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE PWS Banker Trojan Sending Report of Infection"; flow: established,to_server; content:"From|3a 20 22|PC ID|3a|"; nocase; content:"Subject|3a| INFECTED"; nocase; content:"esta infectado"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html; reference:url,doc.emergingthreats.net/2001933; classtype:trojan-activity; sid:2001933; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M57"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037337; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M58"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037338; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3; metadata:created_at 2011_02_22, former_category CURRENT_EVENTS, updated_at 2011_02_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M59"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037339; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/index.jsp"; nocase; http_uri; pcre:"/help\x2Findex\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012396; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M60"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037340; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/advanced/content.jsp"; nocase; http_uri; pcre:"/content\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012397; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M61"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037341; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage"; flow:established,to_client; content:"eval|28|CRYPT.obfuscate|28|"; nocase; fast_pattern; reference:url,research.zscaler.com/2010/05/malicious-hidden-iframes-using-publicly.html; classtype:bad-unknown; sid:2012404; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M62"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037342; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Base64 Encoded FTP Commands Upload (21 > o&echo user 1 1 >> o &echo get)"; flow:established,to_server; content:"MjEgPiBvJmVjaG8gdXNlciAxIDEgPj4gbyAmZWNobyBnZXQgUm"; fast_pattern; classtype:attempted-user; sid:2012292; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M63"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037343; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Sipvicious OPTIONS Scan"; content:"OPTIONS "; depth:8; content:"ccxllrlflgig|22|<sip|3A|100"; nocase; distance:0; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; classtype:attempted-recon; sid:2011422; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M64"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037344; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] any (msg:"ET DELETED Facebook URL Redirect Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/track.php?"; nocase; http_uri; content:"r="; nocase; http_uri; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html; classtype:trojan-activity; sid:2012402; rev:7; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M65"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037345; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Eleonore Exploit pack download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/load/load.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=ultranichehost.com; classtype:trojan-activity; sid:2012446; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M66"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Cloud"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037346; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Agent.FakeAV.AVG 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=lr&id="; http_uri; content:"&ver="; http_uri; content:"&bit="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012448; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M67"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037347; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Agent.FakeAV.AVG 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=vv&i="; http_uri; content:"&id="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012449; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M68"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037348; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M69"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037349; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Android Use-After-Free Remote Code Execution on Webkit"; flow:to_client,established; content:".appendChild"; content:"-parseFloat("; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/15548/; classtype:web-application-attack; sid:2012046; rev:3; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M70"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037350; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M71"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037351; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Ocelot BitTorrent Server in Use"; flow:established,from_server; content:"HTTP/1.1 200 |0d 0a|Server|3a| Ocelot "; depth:30; classtype:policy-violation; sid:2012467; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M72"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037352; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009173; classtype:trojan-activity; sid:2009173; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M73"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037353; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M74"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037354; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M75"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037355; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt"; flow:established,to_client; content:"window.open|28|"; nocase; content:"document.createElement|28|"; nocase; distance:0; content:"document.body.appendChild|28|"; nocase; distance:0; content:"close|28|"; nocase; distance:0; content:"document.cloneNode|28|"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/16979/; classtype:attempted-user; sid:2012511; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M76"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037356; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti loader installed successfully response"; flow:established,from_server; content:"|0d 0a 0d 0a|a|0d 0a|install OK"; classtype:trojan-activity; sid:2012512; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M77"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037357; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake Google Toolbar User-Agent"; flow:established,to_server; content:"|3b| GTB0.0|3b| "; http_header; classtype:trojan-activity; sid:2012516; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M78"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037358; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"nacha.org."; nocase; uricontent:".exe"; nocase; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; classtype:trojan-activity; sid:2010342; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M79"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037359; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/us01d/in.php"; nocase; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; classtype:trojan-activity; sid:2010729; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M80"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037360; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:".php?"; http_uri; content:"zip="; http_uri; content:"type="; http_uri; content:"name="; http_uri; content:"q="; http_uri; content:"item="; http_uri; content:"id="; http_uri; content:"rdp="; http_uri; reference:url,doc.emergingthreats.net/2008661; classtype:trojan-activity; sid:2008661; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M81"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037361; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus Dropper Infection - /check"; flow:established,to_server; content:"/check"; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009212; classtype:trojan-activity; sid:2009212; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M82"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037362; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*|0d 0a|"; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; classtype:trojan-activity; sid:2010348; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M83"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037363; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS http client library detected"; flow:established,to_server; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:3; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M84"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037364; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus GET Request to CnC"; flow:established,to_server; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:command-and-control; sid:2011817; rev:3; metadata:created_at 2010_10_14, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M85"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037365; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus http client library detected"; flow:established,to_server; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0D 0A|User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2011818; rev:4; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M86"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037366; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:5; metadata:created_at 2010_11_16, updated_at 2010_11_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M87"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037367; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Config File URL"; flow:established,to_server; content:"000"; http_uri; content:".so"; http_uri; nocase; fast_pattern; pcre:"/\/000[a-z][0-9]{3}\x2Eso/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012081; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M88"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037368; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Binary File URL"; flow:established,to_server; content:"000"; fast_pattern; http_uri; content:".exe"; http_uri; nocase; pcre:"/\/000[a-z][0-9]{3}\x2Eexe/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012082; rev:3; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M89"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037369; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:exploit-kit; sid:2012518; rev:2; metadata:created_at 2011_03_17, former_category CURRENT_EVENTS, updated_at 2011_03_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M90"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037370; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Inject.ql Checkin Post"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"MAC="; nocase; http_client_body; content:"&IP="; nocase; http_client_body; content:"&NAME="; nocase; http_client_body; content:"&OS="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007803; classtype:command-and-control; sid:2007803; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M91"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037371; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d 0a|Host|3a20|"; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; classtype:trojan-activity; sid:2008434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M92"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037372; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; content:"MSPublisher"; flowbits:set,ms.publisher.file; flowbits:noalert; reference:cve,2010-3995; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; classtype:attempted-user; sid:2012519; rev:4; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M93"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037373; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> 67.15.94.80 any (msg:"ET DELETED Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; content:"/GeoIP.dat.gz"; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; classtype:trojan-activity; sid:2008802; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M94"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037374; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M95"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037375; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"<title>MWL</title>"; classtype:bad-unknown; sid:2012530; rev:3; metadata:created_at 2011_03_21, former_category CURRENT_EVENTS, updated_at 2011_03_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M96"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037376; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M97"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037377; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M98"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037378; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Injecter Checkin"; flow:established,to_server; content:"GET"; http_method; content:"mod="; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008349; classtype:trojan-activity; sid:2008349; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M99"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Test"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037379; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M100"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037380; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M101"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037381; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:pup-activity; sid:2012536; rev:3; metadata:created_at 2011_03_22, former_category ADWARE_PUP, updated_at 2011_03_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M102"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037382; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.small Generic Checkin"; flow:established,to_server; content:"/install.asp?mac="; http_uri; content:"User-Agent|3a| MyAgent"; http_header; classtype:command-and-control; sid:2012541; rev:2; metadata:created_at 2011_03_22, former_category MALWARE, updated_at 2011_03_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M103"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037383; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; content:"cdda|3A|//"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; reference:bid,44450; reference:cve,2010-3747; classtype:attempted-user; sid:2012543; rev:3; metadata:created_at 2011_03_24, updated_at 2011_03_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M104"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037384; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012580; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M105"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037385; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; nocase; http_uri; content:"appMVCPath="; http_uri; nocase; pcre:"/appMVCPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012583; rev:3; metadata:created_at 2011_03_25, updated_at 2011_03_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M106"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037386; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; nocase; http_uri; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012584; rev:3; metadata:created_at 2011_03_25, updated_at 2011_03_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M107"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037387; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M108"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037388; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; http_uri; nocase; content:"appMVCPath="; nocase; http_uri; pcre:"/appMVCPath=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012604; rev:4; metadata:created_at 2011_03_29, updated_at 2011_03_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M109"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037389; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; http_uri; nocase; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012605; rev:3; metadata:created_at 2011_03_29, updated_at 2011_03_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M110"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037390; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M111"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037391; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:pup-activity; sid:2012615; rev:2; metadata:created_at 2011_04_01, former_category ADWARE_PUP, updated_at 2011_04_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M112"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037392; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED .dll Request Without User-Agent Likely Malware"; flow:established,to_server; content:".dll"; nocase; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2012618; rev:2; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M113"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037393; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:"AllowScriptAccess"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15698/; classtype:attempted-dos; sid:2012056; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M114"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037394; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_04_01, former_category CURRENT_EVENTS, updated_at 2011_04_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M115"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037395; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif/DlKroha Trojan Activity HTTP Outbound"; flow:to_server,established; content:".php?"; http_uri; content:"4x4x4x4x4x6x"; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2009752; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; classtype:trojan-activity; sid:2009752; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M116"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037396; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3; metadata:created_at 2011_04_04, updated_at 2011_04_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M117"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037397; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Dropper Checkin with NSISDL/1.2 User-Agent"; flow:established,to_server; content:".php?id="; http_uri; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; sid:2012626; rev:4; metadata:created_at 2011_04_04, updated_at 2011_04_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M118"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037398; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:social-engineering; sid:2012630; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M119"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037399; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET PHISHING Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M120"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037400; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Content-Type image/jpeg with DOS MZ header set likely 2nd stage download"; flow:established,from_server; content:"Content-Type|3a 20|image/jpeg|0d 0a|"; content:"MZ"; distance:0; content:"This program cannot be run in DOS mode"; fast_pattern; distance:0; classtype:trojan-activity; sid:2012633; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M121"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037401; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Content-Type image/jpeg with Win32 MZ header set likely 2nd stage download"; flow:established,from_server; content:"Content-Type|3a 20|image/jpeg|0d 0a|"; content:"MZ"; distance:0; content:"This program must be run under Win"; fast_pattern; distance:0; classtype:trojan-activity; sid:2012634; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M122"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037402; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET PHISHING Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:social-engineering; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M123"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037403; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; content:"Exec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5.+(Exec|ExecLow|ShellExec)/smi"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012636; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M124"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037404; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; content:"CreateVistaTaskLow"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012637; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M125"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037405; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"ShellExec"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012638; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M126"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037406; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"CreateShortcut"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012639; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M127"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037407; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"CopyDocument"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012640; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M128"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037408; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt"; flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launchjnlp"; fast_pattern; nocase; distance:0; content:"docbase"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:257,relative; content:!"|0A|"; within:257; reference:bid,44023; reference:cve,2010-3552; classtype:attempted-user; sid:2012641; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M129"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037409; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3; metadata:created_at 2011_04_06, former_category CURRENT_EVENTS, updated_at 2011_04_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M130"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037410; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3; metadata:created_at 2011_04_07, former_category CURRENT_EVENTS, updated_at 2011_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M131"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037411; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M132"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 02|co"; nocase; distance:4; within:9; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037412; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Outbound"; flow:established; content:"|16 03 00|"; content:"|00 5c|"; distance:0; content:"|c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012078; rev:5; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M133"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037413; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2"; flow:established; content:"|16 03 00|"; content:"|00 26|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012079; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M134"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037414; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3"; flow:established; content:"|16 03 00|"; content:"|00 34|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012080; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M135"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037415; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; classtype:bad-unknown; sid:2011866; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M136"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037416; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M137"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037417; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hex Obfuscated arguments.callee Javascript Method in PDF Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"|61|"; distance:0; content:"|72|"; distance:1; within:2; content:"|67|"; distance:1; within:2; content:"|75|"; distance:1; within:2; content:"|6d|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|6e|"; distance:1; within:2; content:"|74|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|2e|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|65|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010879; classtype:misc-activity; sid:2010879; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M138"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037418; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Hex Obfuscation of Javascript Declaration Within PDF File - Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"|2f|"; distance:0; content:"|4a|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|76|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|72|"; distance:1; within:2; content:"|69|"; content:"|70|"; distance:1; within:2; content:"|74|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010880; classtype:misc-activity; sid:2010880; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M139"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037419; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"arguments.callee"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=1519; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010883; classtype:misc-activity; sid:2010883; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M140"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037420; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED .pdf File Possibly Containing Basic Hex Obfuscation"; flow:established,from_server; content:"PDF-"; depth:300; pcre:"/PDF-.+[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F]/si"; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010884; classtype:misc-activity; sid:2010884; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M141"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037421; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"Launch"; distance:0; content:"Win"; distance:0; content:".exe"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,doc.emergingthreats.net/2010968; classtype:attempted-user; sid:2010968; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M142"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037422; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With eval Function - Possibly Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"eval|28|"; nocase; distance:0; reference:url,www.w3schools.com/jsref/jsref_eval.asp; classtype:bad-unknown; sid:2011506; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M143"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037423; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Foxit PDF Reader Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"Launch"; nocase; distance:0; isdataat:600,relative; content:!"|0A|"; within:600; content:"NewWindow true"; nocase; distance:600; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0837; reference:url,doc.emergingthreats.net/2010876; classtype:attempted-user; sid:2010876; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M144"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037424; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2; metadata:created_at 2011_04_13, former_category CURRENT_EVENTS, updated_at 2011_04_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M145"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037425; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Buzus FTP Log Upload"; flow:established,to_server; dsize:100<>500; content:"|20 20 20 20|"; depth:4; content:"************CD-Key Pack************"; distance:0; content:"Microsoft Windows Product ID CD Key\: "; distance:0; reference:url,doc.emergingthreats.net/2008750; classtype:trojan-activity; sid:2008750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M146"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037426; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2008953; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M147"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037427; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M148"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037428; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"; flow:established; dsize:<160; content:"Microsoft Windows [Version "; depth:30; content:"Copyright (c)"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2012690; rev:1; metadata:created_at 2011_04_17, updated_at 2011_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M149"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037429; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"|00 00 00|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M150"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037430; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M151"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037431; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED IP Check Domain (showmyipaddress.com in HTTP Host)"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:2; metadata:created_at 2011_04_18, former_category POLICY, updated_at 2018_07_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M152"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037432; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL Slammer Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102003; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M153"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037433; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M154"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037434; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M155"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037435; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M156"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037436; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M157"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037437; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2102008; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M158"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037438; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2102009; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M159"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037439; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M160"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037440; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102011; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M161"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037441; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2102012; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M162"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037442; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2102013; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M163"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037443; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102014; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M164"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037444; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102015; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M165"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Partners"; nocase; distance:1; within:8; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037445; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2102016; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M166"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037446; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2102017; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M167"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037447; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M168"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037448; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M169"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037449; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M170"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037450; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102021; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M171"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037451; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102022; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M172"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037452; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102023; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M173"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037453; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M174"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037454; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102026; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M175"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037455; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M176"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037456; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:2101991; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M177"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037457; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:2101992; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M178"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037458; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M179"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037459; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101980; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M180"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037460; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt 3150"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101981; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M181"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037461; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"GPL DELETED DeepThroat 3.1 Server Response 3150"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101982; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M182"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037462; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt 4120"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101983; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M183"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037463; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"GPL DELETED DeepThroat 3.1 Server Response 4120"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101984; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M184"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037464; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:2101986; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M185"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037465; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M186"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037466; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:2101988; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M187"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037467; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:2101989; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M188"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037468; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:2101971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M189"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037469; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:2101972; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M190"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037470; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:2101973; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M191"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037471; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:2101974; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M192"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037472; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101975; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M193"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037473; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101976; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M194"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037474; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:2101977; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M195"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037475; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:2101978; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M196"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037476; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"HTTP/1.1 414 Request-URI Too Large"; depth:35; nocase; classtype:web-application-attack; sid:2012708; rev:2; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M197"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037477; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL DELETED MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; within:6; distance:2; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101448; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M198"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|llc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037478; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !3389 (msg:"ET POLICY Remote Desktop Connection via non RDP Port"; flow:established,to_server; content:"|03|"; depth:1; content:"|e0|"; distance:4; within:1; content:"Cookie|3a|"; distance:5; within:7; reference:url,doc.emergingthreats.net/2007571; classtype:policy-violation; sid:2007571; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M199"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037479; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL DELETED MS Remote Desktop non-encrypted session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2102418; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M200"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037480; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL POLICY MS Remote Desktop Request RDP"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101447; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M201"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037481; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M202"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037482; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Service User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M203"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037483; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop POS User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M204"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037484; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pinkslipbot Trojan Downloader"; flow:to_server,established; uricontent:"/jl/jloader.pl?u="; nocase; content:"&it=2"; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&n="; nocase; http_uri; pcre:"/\x26n\x3d[a-z]{5}\d{4}/U"; reference:url,doc.emergingthreats.net/2010742; classtype:trojan-activity; sid:2010742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M205"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037485; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M206"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037486; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101950; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M207"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037487; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2101951; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M208"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037488; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101952; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M209"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037489; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101953; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M210"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037490; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101954; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M211"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037491; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101955; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M212"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037492; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:2101956; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M213"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037493; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:2101957; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M214"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037494; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:2101958; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M215"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037495; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101959; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M216"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037496; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101960; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M217"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037497; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101961; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M218"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037498; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101962; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M219"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037499; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2101963; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M220"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037500; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101964; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M221"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037501; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101965; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M222"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037502; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:2101934; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M223"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037503; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:2101935; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M224"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037504; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2101936; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M225"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037505; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M226"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037506; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:2101938; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M227"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037507; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M228"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037508; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:2101940; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M229"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037509; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M230"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037510; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:2101942; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M231"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 04|corp"; nocase; distance:4; within:11; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037511; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"GPL DELETED answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:2101946; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2101945; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"GPL DELETED answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:2101947; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101949; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:2101920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:2101921; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101922; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M232"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037512; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101923; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M233"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037513; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2101925; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M234"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037514; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp any any -> 212.146.0.34 1963 (msg:"GPL DELETED TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:2101929; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M235"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037515; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:2100334; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M236"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037516; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:2100335; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M237"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037517; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:2100144; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M238"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037518; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2102449; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M239"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037519; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:2100337; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M240"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037520; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2101621; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M241"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037521; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan Downloader Win32/Small.CBA download"; flow:established,to_server; content:"popjs.asp?uid="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&c="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177; reference:url,doc.emergingthreats.net/2010569; classtype:trojan-activity; sid:2010569; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M242"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037522; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101900; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M243"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037523; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101901; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M244"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037524; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M245"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037525; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M246"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037526; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M247"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037527; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:2101906; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M248"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037528; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101907; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M249"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037529; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101908; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M250"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037530; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:2101909; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M251"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037531; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101911; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M252"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037532; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101912; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M253"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037533; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101913; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M254"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037534; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101914; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M255"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037535; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101915; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M256"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037536; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101916; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M257"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037537; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:2101917; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M258"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037538; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; nocase; classtype:network-scan; sid:2101918; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M259"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037539; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:24; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M260"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037540; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2; metadata:created_at 2011_04_28, former_category CURRENT_EVENTS, updated_at 2011_04_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M261"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037541; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:2; metadata:created_at 2011_04_28, former_category CURRENT_EVENTS, updated_at 2011_04_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M262"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037542; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:2; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M263"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037543; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ELONFMTLib.ElonFmt"; nocase; distance:0; content:".GetItem1"; nocase; reference:url,exploit-db.com/exploits/17196; classtype:attempted-user; sid:2012742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M264"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|ltd"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037544; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Help and Support Center XSS Attempt"; flow:established,to_client; content:"hcp|3A|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; reference:cve,2010-1885; classtype:attempted-user; sid:2012756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M265"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037545; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,doc.emergingthreats.net/2011007; classtype:attempted-user; sid:2011007; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M266"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037546; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:2101882; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M267"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037547; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:2101883; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M268"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037548; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:2101885; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M269"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037549; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:2101886; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M270"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037550; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:2101887; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M271"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037551; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:2101888; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M272"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037552; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL DELETED status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101890; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M273"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037553; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101891; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M274"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037554; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M275"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037555; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M276"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037556; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101894; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M277"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037557; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101895; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M278"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037558; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101896; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M279"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037559; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101897; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M280"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037560; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 2"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101898; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M281"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037561; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 3"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101899; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M282"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037562; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER robots.txt access"; flow:to_server,established; content:"/robots.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101852; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M283"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037563; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"GPL DELETED win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:2101853; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M284"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037564; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101854; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M285"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037565; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101855; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M286"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037566; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101856; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M287"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037567; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER robot.txt access"; flow:to_server,established; content:"/robot.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101857; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M288"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037568; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"GPL DELETED CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:2101858; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M289"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037569; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:2101864; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M290"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037570; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:2101867; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M291"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037571; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101868; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M292"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037572; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl access"; flow:to_server,established; uricontent:"/story.pl"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101869; rev:6; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M293"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037573; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M294"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037574; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012770; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M295"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037575; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M296"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037576; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M297"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Tech"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037577; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M298"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037578; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M299"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037579; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M300"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037580; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:2; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M301"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037581; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M302"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037582; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M303"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037583; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M304"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037584; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query for Possible FakeAV Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"antiv"; nocase; fast_pattern; distance:0; classtype:bad-unknown; sid:2012786; rev:1; metadata:created_at 2011_05_04, updated_at 2011_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M305"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037585; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:500,relative; pcre:"/\sFETCH\s[^\n]{500}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103070; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M306"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037586; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Egypack/1.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|Egypack"; http_header; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2012785; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M307"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037587; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA ICONICS WebHMI ActiveX Stack Overflow"; flow:to_client,established; content:"D25FCAFC-F795-4609-89BB-5F78B4ACAF2C"; nocase; content:"SetActiveXGUID"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C/si"; reference:url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf; reference:url,www.exploit-db.com/exploits/17240/; classtype:attempted-user; sid:2012787; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M308"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037588; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP POST on unusual Port Possibly Hostile"; flow:established,to_server; content:"POST"; nocase; http_method; reference:url,doc.emergingthreats.net/2006409; classtype:policy-violation; sid:2006409; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M309"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037589; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (768)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 768"; reference:url,doc.emergingthreats.net/2010682; classtype:trojan-activity; sid:2010682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M310"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037590; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (657)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 657"; reference:url,doc.emergingthreats.net/2010683; classtype:trojan-activity; sid:2010683; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M311"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037591; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash 0Day Exploit Attempt"; flow:established,from_server; content:"CWS|09|"; content:"|BA D5 19 5D 86 67 D5 8E 7F BC D0 3C 6E D8 E2 17 16 E8 3A 9F CF 59 B8 7B F6|"; distance:16; reference:url,www.exploit-db.com/exploits/13787/; reference:url,doc.emergingthreats.net/2011672; classtype:misc-attack; sid:2011672; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M312"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037592; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; content:"<script src=http\://www.ads-t.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010032; classtype:trojan-activity; sid:2010032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M313"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037593; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (bannert.ru)"; flow:established,from_server; content:"<script src=http|3a|//www.bannert.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010033; classtype:trojan-activity; sid:2010033; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M314"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037594; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (bannerdriven.ru)"; flow:established,from_server; content:"<script src=http|3a|//www.bannerdriven.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010034; classtype:trojan-activity; sid:2010034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M315"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037595; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; classtype:trojan-activity; sid:2009493; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M316"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037596; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Twitter Worm Attack"; flow:to_server,established; content:"m28sx.html"; http_uri; nocase; reference:url,threatpost.com/en_us/blogs/twitter-worm-uses-google-url-shortener-spread-scareware-012011; classtype:misc-attack; sid:2012207; rev:4; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M317"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037597; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZBot sp107fb/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"sp107fb/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011896; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M318"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037598; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; content:"|2f 2f|mshtml|2e|dll"; nocase; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M319"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037599; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M320"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037600; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M321"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037601; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"GPL DELETED successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:2101810; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M322"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037602; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"GPL DELETED successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:2101811; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M323"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037603; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL DELETED gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:2101812; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M324"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037604; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; content:"TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE"; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:2101817; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M325"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037605; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; reference:nessus,11018; classtype:web-application-attack; sid:2101818; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M326"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037606; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M327"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037607; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:2101827; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_23, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M328"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037608; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Tomcat TroubleShooter servlet access"; flow:established,to_server; content:"/examples/servlet/TroubleShooter"; http_uri; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:2101829; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M329"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037609; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Tomcat SnoopServlet servlet access"; flow:established,to_server; content:"/examples/servlet/SnoopServlet"; http_uri; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:2101830; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M330"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Debug"; nocase; distance:1; within:5; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037610; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M331"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037611; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:2101840; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M332"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037612; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M333"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037613; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M334"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037614; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M335"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037615; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"GPL POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:2101846; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M336"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037616; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER webalizer access"; flow:established,to_server; content:"/webalizer/"; nocase; http_uri; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:2101847; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M337"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037617; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"GPL DELETED IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:2101790; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M338"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037618; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101780; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M339"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037619; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set"; flow:established,to_client; content:"PDF-"; depth:300; content:".ses"; fast_pattern; nocase; distance:0; flowbits:set,ET_Assassin.ses; flowbits:noalert; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:bad-unknown; sid:2012813; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M340"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037620; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud download"; flow:established,to_server; content:"/peca"; nocase; http_uri; content:".exe"; nocase; http_uri; content:"User-Agent|3a 20|SKOLOVANI"; nocase; http_header; pcre:"/\x2fpeca\d+\x2eexe/Ui"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A; classtype:trojan-activity; sid:2012828; rev:2; metadata:created_at 2011_05_20, updated_at 2011_05_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M341"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037621; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Palevo/BFBot/Mariposa server join acknowledgement"; dsize:8; content:"|40|"; depth:1; flowbits:isset,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010101; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010101; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M342"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037622; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M343"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037623; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:4; metadata:created_at 2011_05_18, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M344"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037624; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M345"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037625; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; http_uri; nocase; content:"hotmail.msn.com"; http_header; nocase; content:"/cgi-bin/compose?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2000037; classtype:policy-violation; sid:2000037; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M346"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037626; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M347"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037627; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; http_header; content:"/cgi-bin/premail/"; http_uri; reference:url,doc.emergingthreats.net/2000038; classtype:policy-violation; sid:2000038; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M348"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037628; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; reference:url,doc.emergingthreats.net/2000039; classtype:policy-violation; sid:2000039; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M349"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037629; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hotmail Compose Message Submit"; flow:to_server,established; content:"POST"; http_method; content:"mail.live.com"; nocase; http_header; content:"SendMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008241; classtype:policy-violation; sid:2008241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M350"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037630; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"GPL EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:2101751; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M351"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037631; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M352"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037632; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M353"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037633; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:2101771; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M354"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037634; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:2101775; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M355"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037635; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:2101776; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M356"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037636; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101778; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M357"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037637; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M358"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037638; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101740; rev:6; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M359"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037639; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:2101744; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M360"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037640; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M361"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037641; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M362"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037642; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:2101748; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M363"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13 03|inc"; nocase; distance:4; within:10; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037643; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101732; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M364"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101733; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M365"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037645; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:2101735; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M366"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037646; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101739; rev:7; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M367"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037647; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:2101728; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M368"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037648; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SGI InfoSearch fname access"; flow:to_server,established; uricontent:"/infosrch.cgi"; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:2101727; rev:8; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M369"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037649; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012844; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M370"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037650; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012845; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M371"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037651; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012846; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M372"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037652; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012847; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M373"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037653; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M374"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037654; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012853; rev:2; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M375"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037655; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M376"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037656; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M377"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037657; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M378"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037658; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M379"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037659; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M380"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037660; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M381"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037661; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M382"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037662; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater"; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003584; classtype:trojan-activity; sid:2003584; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M383"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037663; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012851; rev:3; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M384"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037664; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012852; rev:4; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M385"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037665; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; nocase; http_uri; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M386"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037666; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.Win32.AutoIt.ai Checkin"; flow:to_server,established; content:"/getpmnum"; http_uri; content:".asp?"; http_uri; content:"id="; http_uri; reference:md5,39d0dbe4f6923ed36864ae339f558963; classtype:command-and-control; sid:2012867; rev:3; metadata:created_at 2011_05_26, former_category MALWARE, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M387"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037667; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a password"; flow:established,to_server; content:"password|3a|"; nocase; http_header; classtype:policy-violation; sid:2012868; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M388"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037668; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a pass field"; flow:established,to_server; content:"pass|3a| "; nocase; http_header; classtype:policy-violation; sid:2012869; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M389"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037669; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Http Client Body contains password= in cleartext"; flow:established,to_server; content:"password="; nocase; http_client_body; classtype:policy-violation; sid:2012885; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M390"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037670; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M391"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037671; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt"; flow:established,to_client; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; nocase; content:"ICMPSendEchoRequest"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA/si"; reference:url,www.exploit-db.com/exploits/17328/; classtype:attempted-user; sid:2012905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M392"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037672; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; classtype:bad-unknown; sid:2012908; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M393"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037673; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 288 (msg:"ET MALWARE Dropper.Win32.Agent.ahju Checkin"; flow:established,to_server; content:"|44 78 47 54 33 43 6D 42 66 39 73 39 6C 74 62 6A 35 61 4A 7C 0A|"; depth:21; reference:md5,48ad09c574a4bd3bb24d007005382e63; reference:md5,a264690a775a4e1b3d91c2dbcd850ce9; classtype:command-and-control; sid:2012895; rev:2; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M394"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037674; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003104; classtype:attempted-user; sid:2003104; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M395"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037675; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains password Parameter"; flow:established,to_server; content:"password="; nocase; http_uri; pcre:"/(?<=(\?|&))password=(?!&)/Ui"; classtype:policy-violation; sid:2012911; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M396"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"ACME"; nocase; distance:1; within:4; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037676; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains passwd Parameter"; flow:established,to_server; content:"passwd="; nocase; http_uri; pcre:"/(?<=(\?|&))passwd=(?!&)/Ui"; classtype:policy-violation; sid:2012912; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M397"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 00|"; distance:4; within:7; content:"|06 03 55 04 07 13 00|"; distance:4; within:7; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037677; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pass Parameter"; flow:established,to_server; content:"pass="; nocase; http_uri; pcre:"/(?<=(\?|&))pass=(?!&)/Ui"; classtype:policy-violation; sid:2012913; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M398"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Phoenix"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037678; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pwd Parameter"; flow:established,to_server; content:"pwd="; nocase; http_uri; pcre:"/(?<=(\?|&))pwd=(?!&)/iU"; classtype:policy-violation; sid:2012914; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M399"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 04|Mesa"; distance:4; within:11; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037679; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pw Parameter"; flow:established,to_server; content:"pw="; nocase; http_uri; pcre:"/(?<=(\?|&))pw=(?!&)/Ui"; classtype:policy-violation; sid:2012915; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M400"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 0a|Scottsdale"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037680; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains passphrase Parameter"; flow:established,to_server; content:"passphrase="; http_uri; nocase; pcre:"/(?<=(\?|&))passphrase=(?!&)/Ui"; classtype:policy-violation; sid:2012916; rev:3; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M401"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Arizona"; distance:4; within:14; content:"|06 03 55 04 07 13 08|Chandler"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037681; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pword Parameter"; flow:established,to_server; content:"pword="; nocase; http_uri; pcre:"/(?<=(\?|&))pword=(?!&)/Ui"; classtype:policy-violation; sid:2012917; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M402"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037682; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:2100229; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M403"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0d|San Francisco"; distance:4; within:20; content:"|06 03 55 04 09 13 12|Golden Gate Bridge"; distance:4; within:25; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037683; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:2100251; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M404"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Oakland"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037684; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:2100221; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M405"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|Berkeley"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037685; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:2100228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M406"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|Palo Alto"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037686; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:2100222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M407"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 0b|Los Angeles"; distance:4; within:18; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037687; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:2100387; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M408"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 09|San Diego"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037688; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:2100389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M409"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|California"; distance:4; within:17; content:"|06 03 55 04 07 13 08|San Jose"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037689; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:2100388; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M410"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Denver"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037690; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:2100391; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M411"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Boulder"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037691; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:2100390; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M412"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037692; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M413"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Colorado"; distance:4; within:15; content:"|06 03 55 04 07 13 0c|Fort Collins"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037693; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:2100393; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M414"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 09|New Haven"; distance:4; within:16; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037694; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:2100392; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M415"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 0a|Bridgeport"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037695; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:2100394; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M416"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 08|Stamford"; distance:4; within:15; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037696; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:2100395; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M417"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0b|Connecticut"; distance:4; within:18; content:"|06 03 55 04 07 13 07|Norwalk"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037697; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:2100396; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M418"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Seattle"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037698; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:2100397; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M419"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 06|Tacoma"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037699; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:2100398; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M420"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Olympia"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037700; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:2100399; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M421"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 0a|Washington"; distance:4; within:17; content:"|06 03 55 04 07 13 07|Spokane"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037701; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:2100400; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M422"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Miami"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037702; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:2100401; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M423"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 07|Orlando"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037703; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:2100402; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M424"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 05|Tampa"; distance:4; within:12; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037704; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:2100403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M425"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 07|Florida"; distance:4; within:14; content:"|06 03 55 04 07 13 0c|Jacksonville"; distance:4; within:19; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037705; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:2100404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M426"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 07|Chicago"; distance:4; within:14; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037706; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:2100405; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M427"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Aurora"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037707; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:2100406; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M428"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 0a|Naperville"; distance:4; within:17; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037708; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Destination Unreachable undefined code"; icode:>15; itype:3; classtype:misc-activity; sid:2100407; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Sliver Framework TLS Certificate Observed M429"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02|US"; distance:0; content:"|06 03 55 04 08 13 08|Illinois"; distance:4; within:15; content:"|06 03 55 04 07 13 06|Peoria"; distance:4; within:13; content:"|06 03 55 04 09 13 00|"; distance:4; within:7; fast_pattern; content:"|06 03 55 04 11 13 04|"; distance:4; within:7; pcre:"/^\d{4}[01]/R"; content:"|06 03 55 04 0a 13|"; distance:3; within:6; content:"Synergy"; nocase; distance:1; within:7; pcre:"/^(?:\s(?:co(?:rp)?|l(?:lc|td)|inc))?[01]/Ri"; content:"|06 03 55 04 03|"; distance:3; within:5; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,github.com/BishopFox/sliver/blob/97d3da75b6e24defb3a2a97443a15a632b3a8448/server/certs/subject.go; classtype:trojan-activity; sid:2037709; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag Sliver, updated_at 2022_07_07;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:2100409; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Trojan.Dropper.HTML.Agent Payload"; flow:to_client,established; http.response_body; content:"|3c|p|3e|Password is"; offset:55; depth:30; content:"|3c|iframe src|3d 22|data|3a|application|2f|x|2d|zip|2d|compressed|3b|base64|2c|"; distance:0; fast_pattern; reference:md5,82498960fca3bef7c52db530c31df598; reference:url,twitter.com/phage_nz/status/1552779565663387653; classtype:trojan-activity; sid:2037863; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_07_29;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE HTML Smuggling Powershell Payload In href"; flow:to_client,established; http.response_body; content:"|3c|a|20|href|3d 22|data|3a|text|2f|x|2d|powershell|3b|base64|2c|"; fast_pattern; reference:url,twitter.com/phage_nz/status/1552779565663387653; classtype:trojan-activity; sid:2037886; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, deployment SSLDecrypt, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_08_02;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:2100410; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE HTML Smuggling Powershell Payload In iframe"; flow:to_client,established; http.response_body; content:"|3c|iframe|20|src|3d 22 22|data|3a|text|2f|x|2d|powershell|3b|base64|2c|"; fast_pattern; classtype:trojan-activity; sid:2037887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, deployment SSLDecrypt, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_08_02;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:2100412; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; nocase; content:"Copyright |28|C|29|"; distance:0; nocase; content:"Microsoft Corp"; distance:0; nocase; classtype:successful-admin; sid:2020084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_05, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_08_03;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:2100411; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:2100414; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:2100413; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Facebook Chat using XMPP"; flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; classtype:policy-violation; sid:2010819; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100363; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Client Login Packet"; flowbits:isset,ET.gadu.welcome; flow:established,to_server; dsize:<50; content:"|15 00 00 00|"; depth:4; flowbits:set,ET.gadu.loginsent; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008298; classtype:policy-violation; sid:2008298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100364; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login Failed Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|09 00 00 00 00 00 00 00|"; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008300; classtype:policy-violation; sid:2008300; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:2100465; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Server Available Status Packet"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|02 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008301; classtype:policy-violation; sid:2008301; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:2100418; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Send Message"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008302; classtype:policy-violation; sid:2008302; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Information Request"; icode:0; itype:15; classtype:misc-activity; sid:2100417; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Receive Message"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|0a 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008303; classtype:policy-violation; sid:2008303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:2100466; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Keepalive PING"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|08 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008304; classtype:policy-violation; sid:2008304; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2100499; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Keepalive PONG"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|07 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008305; classtype:policy-violation; sid:2008305; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:2100420; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Request"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|01 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008306; classtype:policy-violation; sid:2008306; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:2100419; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Details"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008307; classtype:policy-violation; sid:2008307; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:2100422; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Accept"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|06 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008308; classtype:policy-violation; sid:2008308; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:2100421; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Begin"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008309; classtype:policy-violation; sid:2008309; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:2100424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:2100423; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:2100368; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:2100369; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:2100370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002327; classtype:policy-violation; sid:2002327; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:2100371; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001241; classtype:policy-violation; sid:2001241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:2100483; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; reference:url,doc.emergingthreats.net/2001242; classtype:policy-violation; sid:2001242; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:2100372; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001243; classtype:policy-violation; sid:2001243; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:2100373; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, deprecation_reason Relevance, former_category CHAT, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:2100374; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001254; classtype:policy-violation; sid:2001254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:2100375; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001255; classtype:policy-violation; sid:2001255; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:2100376; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001256; classtype:policy-violation; sid:2001256; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001257; classtype:policy-violation; sid:2001257; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:2100377; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:2100378; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; reference:url,doc.emergingthreats.net/2001427; classtype:policy-violation; sid:2001427; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:2100379; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; reference:url,doc.emergingthreats.net/2001260; classtype:policy-violation; sid:2001260; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:2100380; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001262; classtype:policy-violation; sid:2001262; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:2100484; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference request"; flow: to_server,established; content:"<R"; depth: 2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; reference:url,doc.emergingthreats.net/2001263; classtype:policy-violation; sid:2001263; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:2100381; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; reference:url,doc.emergingthreats.net/2001264; classtype:policy-violation; sid:2001264; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:2100482; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:2100382; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003031; classtype:not-suspicious; sid:2003031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:2100480; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5223 (msg:"ET CHAT Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003032; classtype:not-suspicious; sid:2003032; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:2100365; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Jabber client sign-on"; flow:to_server; content:"gmail.com"; nocase; content:"jabber.org"; nocase; content:"version="; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002334; classtype:policy-violation; sid:2002334; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:2100384; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET CHAT Possible MSN Messenger File Transfer"; flow:established,from_client; content:"x-msnmsgrp2p"; nocase; content:"appid|3a|"; nocase; pcre:"/appid\x3a\s+2/i"; reference:url,www.hypothetic.org/docs/msn/client/file_transfer.php; reference:url,doc.emergingthreats.net/2008289; classtype:policy-violation; sid:2008289; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:2100425; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:2100426; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:2101991; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:2100427; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:2101986; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:2100428; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:2101988; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:2100429; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:2101989; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:2100430; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:2101633; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:2100431; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:2101632; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:2100432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:2101631; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:2100433; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC CHAT chat"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101640; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC SEND"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101639; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:2100437; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:2100438; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:2100440; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:2100439; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:2100441; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:2100443; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:2100446; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO SKIP"; icode:0; itype:39; classtype:misc-activity; sid:2100445; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:2100448; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:2100477; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:2100481; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:2100452; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:2100451; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:2100454; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:2100453; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:2100455; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; classtype:policy-violation; sid:2001682; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:2100457; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:2100456; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:2100471; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:2100472; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:2100473; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:2100474; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outoing Message"; flow:to_server,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100233; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:2100475; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; nocase; reference:url,www.google.com/talk/; classtype:not-suspicious; sid:2100230; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:2100385; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100231; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:2100459; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:2100458; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2100877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:2100461; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream|3a|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:2100460; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:2100463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:2100462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:5; metadata:created_at 2010_07_30, former_category CHAT, updated_at 2017_12_11;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:2100476; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:2100225; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; http.user_agent; content:"Skype"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:12; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:2100226; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (buddy list)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/buddy_list.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010785; classtype:policy-violation; sid:2010785; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:2100238; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT Google Talk Version Check"; flow: established,to_server; http.uri; content:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype:policy-violation; sid:2100876; rev:5; metadata:created_at 2010_09_23, updated_at 2020_05_13;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:2100386; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:20; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:2100416; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu IM Login Server Request"; flow:established,to_server; http.uri; content:"/appsvc/appmsg"; nocase; content:".asp"; nocase; content:"fmnumber="; content:"&version="; content:"&fmt="; http.host; content:"appmsg.gadu-gadu."; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:2100415; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu Chat Client Checkin via HTTP"; flow:established,to_server; http.uri; content:"/appsvc/appmsg"; nocase; content:"fmnumber="; nocase; content:"&version="; nocase; content:"&fmt="; nocase; content:"&lastmsg="; nocase; reference:url,doc.emergingthreats.net/2007866; classtype:trojan-activity; sid:2007866; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:2100450; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; http.uri; content:"/ui/"; nocase; content:"/getlatestversion?ver="; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:2100449; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/send.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-#alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:2100224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; http.uri; content:"/ycontent/stats.php?version="; nocase; content:"EVENT=InstallBegin"; nocase; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:2100485; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/settings.php"; http.header; content:"facebook.com|0d 0a|"; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:2100486; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow:established; http.header; content:"Content-Type|3A|"; content:"application/x-msn-messenger"; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation; sid:2009375; rev:9; metadata:created_at 2010_07_30, updated_at 2020_12_03;)
 
-#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:2100487; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC Channel join"; flow:to_server,established; content:"JOIN|20 3a 20 23|"; fast_pattern; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101729; rev:12; metadata:created_at 2010_09_23, updated_at 2021_07_07;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2102391; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017872; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bifrose Response from Controller"; flow:established,from_server; dsize:9; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008274; classtype:trojan-activity; sid:2008274; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:coin-mining; sid:2017874; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Connect to Controller"; flow:established,to_server; dsize:<20; content:"|09 00 00 9a|"; depth:4; content:"|cc|"; distance:3; within:4; content:"|74|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008273; classtype:trojan-activity; sid:2008273; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017873; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Connect to Controller (variant 2)"; flow:established,to_server; dsize:<220; content:"|d2 00 00 9b|"; depth:4; reference:url,doc.emergingthreats.net/2008532; classtype:trojan-activity; sid:2008532; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017878; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; content:"url"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:2; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017879; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Cisco.AnyConnect.VPNWeb.1"; nocase; distance:0; content:"url"; nocase; distance:0; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:3; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2016_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Banker Trojan CnC Server Ping"; flow:established,from_server; dsize:<100; content:"PING|7c|"; reference:url,doc.emergingthreats.net/2009864; classtype:command-and-control; sid:2009864; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017871; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile"; flow:established,to_client; content:"Server|3a| nginx"; nocase; offset:15; depth:15; content:"Content-Type|3a| text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; reference:url,doc.emergingthreats.net/2011765; classtype:bad-unknown; sid:2011765; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:coin-mining; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url,zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, former_category DOS, updated_at 2011_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:coin-mining; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, former_category CURRENT_EVENTS, updated_at 2011_06_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2018_01_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Java Exploit Attempt applet via file URI"; flow:established,from_server; content:"applet|20|"; nocase; content:"codebase"; nocase; distance:0; content:"|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"|5c|java|5c|jre6|5c|lib|5c|ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012608; rev:7; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; classtype:coin-mining; sid:2024721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category COINMINER, performance_impact Moderate, signature_severity Minor, updated_at 2018_05_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.ZZSlash/Redosdru.E checkin"; flow:established,to_server; content:"|14 00 00 00 04 00 00 00 78 9C 63 60 60 60 00 00 00 04 00 01|"; depth:20; reference:md5,3b0299d72c853f56a1595c855776f89f; reference:md5,adc3a35d1244c9129be6edd6ccfaec5b; classtype:command-and-control; sid:2012957; rev:2; metadata:created_at 2011_06_08, former_category MALWARE, updated_at 2011_06_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET COINMINER Random Hash Pascalcoin Miner Checkin"; flow:established,to_server; content:"{|22|params|22|:[|22|rhminer/"; depth:20; classtype:coin-mining; sid:2026750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2019_01_02;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:2101698; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Bitcoin Mining Extensions Header"; flow:to_server,established; http.method; content:"POST"; http.header; content:"X-Mining-Extensions|3a|"; classtype:coin-mining; sid:2016758; rev:5; metadata:created_at 2013_04_16, former_category POLICY, updated_at 2020_04_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET "; depth:4; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:2101699; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Cryptexplorer API Check - Potential CoinMiner Traffic"; flow:established,to_server; http.uri; content:"/api/"; startswith; content:"coin/balance/"; distance:0; fast_pattern; pcre:"/^\/api\/(?:bit|lite)coin\/balance\//"; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019825; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:2101674; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET COINMINER PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; within:4; content:"Protominer"; distance:14; within:10; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:coin-mining; sid:2018014; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2020_08_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:2101673; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Crypto Coin Miner Login"; flow:to_server,established; content:"|7b 22|method|22 3a|"; depth:10; fast_pattern; content:"|22|login|22 2c|"; within:9; content:"|22|params|22 3a|"; within:10; content:"|7b 22|login"; nocase; within:8; content:"agent|22 3a|"; nocase; distance:0; reference:md5,d1082e445f932938366a449631b82946; reference:md5,33d7a82fe13c9737a103bcc4a21f9425; reference:md5,ebe1aeb5dd692b222f8cf964e7785a55; classtype:coin-mining; sid:2022886; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, performance_impact Low, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:2101672; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Suspicious SSL Cert (Minerpool - CoinMining)"; flow:from_server,established; tls.cert_subject; content:"CN=eu.minerpool.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:coin-mining; sid:2028623; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_02;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:2101666; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; endswith; classtype:coin-mining; sid:2024828; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Observed Coin-Hive In Browser Mining Domain (coin-hive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"coin-hive.com"; endswith; classtype:trojan-activity; sid:2025535; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:2101638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.coin-hive.com"; nocase; endswith; classtype:coin-mining; sid:2025536; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"GPL DELETED Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:2101636; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coinhive URL Shortener)"; flow:established,to_client; tls.cert_subject; content:"CN=cnhv.co"; nocase; endswith; reference:url,blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html; classtype:coin-mining; sid:2025582; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_05_22, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:2101635; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /update HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031464; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:2101634; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /banner HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031465; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
 
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:2101633; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to herominers Domain (herominers .com)"; dns.query; content:".herominers.com"; nocase; endswith; fast_pattern; classtype:coin-mining; sid:2033901; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2021_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:2101632; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; http.user_agent; content:"miner"; nocase; content:!"IdleMiner"; content:!"CFNetwork"; pcre:"/miner[^a-z]/i"; http.host; content:!".kaspersky.com"; endswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016067; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, former_category COINMINER, signature_severity Informational, tag Bitcoin_Miner, updated_at 2021_11_15;)
 
-alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:2101631; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-11 1)"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3a|"; pcre:"/(?:\x22mining\.authorize\x22\x2c|\x22login\x22\x2c)/R"; content:"|22|params|22|"; within:50; pcre:"/(?:\x22login\x22\x3a\x22x\.0929c\x22\x2c\x22pass\x22\x3a\x22x\x22|\x22login\x22\x3a\x2282ZEhnLaX3ggrz5HbJJyinFjt8JyLomMnXYctMHJZCg368RrSyjQgN3TgrfbjqjUVdBPTP5VgEBkBYEWnTVHUgtjPweS5gc\x22\x2c\x22pass\x22\x3a\x22\x22|\x22login\x22\x3a\x224GdoN7NCTi8a5gZug7PrwZNKjvHFmKeV11L6pNJPgj5QNEHsN6eeX3DaAQFwZ1ufD4LYCZKArktt113W7QjWvQ7CW864Ah1Quz41mP4MJy\x22\x2c\x22pass\x22\x3a\x22x\x22|\x22login\x22\x3a\x2249GB8ucxW13fM78PMN2X3ZDYunniTj3pfdoyjztCkjDZQLSxRuZARgKEsfMDtoGGuiGGxWqeh6uez8mxYsPfm8TEGFq48Ce\x22\x2c\x22pass\x22\x3a\x22SynopsisX\x22|\x22login\x22\x3a\x22tyrenke\x22\x2c\x22pass\x22\x3a\x22tyrenke\x22)/R"; reference:md5,5c8ccae9c6841583a026c8276992045f; reference:url,www.btcguild.com/new_protocol.php; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2035435; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:2101629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-11 2)"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3a|"; pcre:"/(?:\x22mining\.authorize\x22\x2c|\x22login\x22\x2c)/R"; content:"|22|params|22|"; within:50; pcre:"/(?:\x22login\x22\x3a\x226243128\x22\x2c\x22pass\x22\x3a\x22myminer\x22|\x22login\x22\x3a\x226249832\x22\x2c\x22pass\x22\x3a\x22viristotal\x22|\x22login\x22\x3a\x226250474\x22\x2c\x22pass\x22\x3a\x22Minecraft\x22|\x22login\x22\x3a\x2244z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db\x22\x2c\x22pass\x22\x3a\x22bomba3\x22|\x22login\x22\x3a\x2247WpQT7o5YMPeUjZ2AYqo2HNu9SnfQ3Le5MywXMgCuBS1DHqMTQFNY7MCsWkr466gQNC5G182ZCCDiKs69mwdvr4EjvhT5c\x22\x2c\x22pass\x22\x3a\x22Krutish\x22)/R"; reference:md5,63c361252b50f6099ef962a554501257; reference:url,www.btcguild.com/new_protocol.php; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2035436; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)"; dns.query; content:"pool.hashvault.pro"; nocase; bsize:18; classtype:coin-mining; sid:2036289; rev:1; metadata:created_at 2022_04_21, former_category COINMINER, performance_impact Significant, signature_severity Major, updated_at 2022_04_21;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:2101625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1919 (msg:"ET COINMINER Panchan Mining Rig CnC Activity (Outbound)"; flow:established,to_server; content:"pan|2d|chan|27|s mining rig hi|21 0a|sharepeer|20|"; startswith; fast_pattern; pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/R"; content:"|0a|sharepeer"; within:30; reference:url,github.com/akamai/akamai-security-research/tree/main/malware/panchan; classtype:coin-mining; sid:2036997; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_06_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:2101623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:2101622; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"GPL DELETED iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:2101604; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:exploit-kit; sid:2011468; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:3; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious SEO landing in.cgi with URI HTTP_REFERER"; flow:established,to_server; content:"/in.cgi?"; http_uri; content:"&seoref=http"; http_uri; content:"&parameter=$"; http_uri; content:"&HTTP_REFERER=http"; http_uri; fast_pattern; classtype:bad-unknown; sid:2012796; rev:3; metadata:created_at 2011_05_09, updated_at 2011_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3; metadata:created_at 2011_04_04, updated_at 2011_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si_"; content:".cb"; distance:10; within:3; pcre:"/si\x5F[a-z]{5}[0-9]{5}\x2Ecb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012974; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog_"; content:".kcb"; within:30; pcre:"/seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012975; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
 
-alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Message"; flow:established,from_server; content:"robtex.com"; classtype:not-suspicious; sid:2012986; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; content:"<div style=\"visibility|3a| hidden|3b|\"><"; depth:120; classtype:bad-unknown; sid:2011307; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:3; metadata:created_at 2012_04_03, updated_at 2012_04_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Carberp CnC Reply no tasks"; flow:established,from_server; content:"|0d 0a 0d 0a|no tasks"; classtype:command-and-control; sid:2011851; rev:7; metadata:created_at 2010_10_26, former_category MALWARE, updated_at 2010_10_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3; metadata:created_at 2012_04_18, updated_at 2012_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SL_*_0000 JavaScript redirect"; flow:established,to_client; content:"200"; http_stat_code; content:"SL_"; http_cookie; content:"_0000="; http_cookie; content:"window.location"; classtype:bad-unknown; sid:2013012; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=http|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012997; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:exploit-kit; sid:2014892; rev:2; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:exploit-kit; sid:2013025; rev:2; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:exploit-kit; sid:2015042; rev:2; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:exploit-kit; sid:2013024; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:exploit-kit; sid:2013027; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CURL User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"curl"; nocase; within:100; http_header; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002824; classtype:attempted-recon; sid:2002824; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:exploit-kit; sid:2015516; rev:3; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2012_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Java User Agent"; flow:established,to_server; content:"User-Agent|3a| Java/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013029; rev:2; metadata:created_at 2011_06_14, updated_at 2011_06_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Dropper Checkin (2)"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:!"|0d 0a|User-Agent|3a| "; nocase; content:"|0d 0a 0d 0a|updater_version="; nocase; content:"&updater_lang="; distance:0; nocase; content:"&action_type=log"; distance:0; nocase; reference:url,doc.emergingthreats.net/2010830; classtype:trojan-activity; sid:2010830; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
-#alert http $HTTP_SERVERS any -> any any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - Admin Login Page Detected Outbound"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011280; rev:3; metadata:created_at 2010_09_28, former_category EXPLOIT_KIT, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Tonclank Sending Device Information"; flow:established,to_server; content:"/ProtocolGW/instal"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013039; rev:5; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3; metadata:created_at 2012_09_08, updated_at 2012_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3; metadata:created_at 2012_06_27, updated_at 2012_06_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader PWS Module Data Upload Activity"; flow:established,to_server; content:"/grabbers.php"; http_uri; content:"logs="; content:"&module=grabbers"; distance:0; reference:md5,12554e7f2e78daf26e73a2f92d01e7a7; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:md5,3310259795b787210dd6825e7b6d6d28; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:md5,7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013046; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyeEye Trojan Request file=grabbers"; flow:established,to_server; content:".php?file="; nocase; http_uri; content:"grabber"; distance: 0; http_uri; classtype:trojan-activity; sid:2012613; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5; metadata:created_at 2012_01_28, updated_at 2012_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by 2"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src="; content:"style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011961; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2; metadata:created_at 2012_11_07, updated_at 2012_11_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3; metadata:created_at 2012_11_10, updated_at 2012_11_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:md5,6c9ad4d06f72edcd2b301d66b25ad101; reference:md5,91fa03240b5a59853d0dad708055a7a8; reference:md5,3dd8193692b62a875985349b67da38c6; classtype:trojan-activity; sid:2011415; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Client Visiting Sidename.js Injected Website - Malware Related"; flow:established,to_client; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013060; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:5; metadata:created_at 2011_04_02, updated_at 2011_04_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacShield FakeAV CnC Communication"; flow:established,to_server; content:"/mac/soft.php?affid="; nocase; http_uri; fast_pattern:only; reference:url,blog.trendmicro.com/obfuscated-ip-addresses-and-affiliate-ids-in-mac-fakeav/; classtype:command-and-control; sid:2013062; rev:2; metadata:created_at 2011_06_17, former_category MALWARE, updated_at 2011_06_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:exploit-kit; sid:2016365; rev:5; metadata:created_at 2013_02_07, former_category CURRENT_EVENTS, updated_at 2013_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_17, former_category MOBILE_MALWARE, updated_at 2011_06_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED OneStep Adware related User Agent (x)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| x|0d 0a|"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; classtype:trojan-activity; sid:2009987; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1064 (msg:"ET DELETED Win32/Fynloski Backdoor Keepalive Message"; flow:established,to_server; content:"KEEPALIVE"; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; reference:md5,baca8170608c189e2911dc4e430c7719; classtype:trojan-activity; sid:2013067; rev:2; metadata:created_at 2011_06_20, updated_at 2011_06_20;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Scanner Landing Page (Initializing Virus Protection System...)"; flow:established,from_server; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2012815; rev:3; metadata:created_at 2011_05_18, updated_at 2011_05_18;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow:to_client,established; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2011343; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:pup-activity; sid:2011293; rev:7; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101926; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101924; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:2; metadata:created_at 2013_08_23, updated_at 2013_08_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; classtype:attempted-admin; sid:2101282; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP root directory"; content:"|00 01|/"; depth:3; reference:cve,1999-0183; classtype:bad-unknown; sid:2100520; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2; metadata:created_at 2013_10_11, updated_at 2013_10_11;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP parent directory"; content:".."; offset:2; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:2100519; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3; metadata:created_at 2013_10_14, updated_at 2013_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"GPL POLICY PCAnywhere server response"; content:"ST"; depth:2; classtype:misc-activity; sid:2100566; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:6; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"GPL RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101281; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:7; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; classtype:attempted-recon; sid:2100517; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:4; metadata:created_at 2013_10_23, updated_at 2013_10_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101277; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3; metadata:created_at 2012_12_14, updated_at 2012_12_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:exploit-kit; sid:2013098; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:2; metadata:created_at 2013_10_28, updated_at 2013_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; content:"GET /muieblackcat HTTP/1.1"; depth:26; classtype:attempted-recon; sid:2013115; rev:3; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MacDefender OS X Fake AV Scareware"; flow:established,to_server; content:"GET"; http_method; content:"affid="; http_uri; content:"data="; http_uri; content:"v="; http_uri; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012958; rev:5; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:command-and-control; sid:2017665; rev:3; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging  Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:md5,c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vilsel.ayjv Checkin (aid)"; flow:to_server,established; content:"?aid="; http_uri; content:"&si="; http_uri; content:"&rd="; http_uri; pcre:"/&si=\d+&si=\d+&rd=20\d{11}/U"; classtype:command-and-control; sid:2013122; rev:5; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4; metadata:created_at 2013_11_30, updated_at 2013_11_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetFirstItem"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013132; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2E980303-C865-11CF-BA24-444553540000"; nocase; distance:0; content:".GetItemQueue"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013131; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"79956462-F148-497F-B247-DF35A095F80B"; nocase; distance:0; content:".DownloadImageFileURL"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B/si"; reference:url,exploit-db.com/exploits/17415/; reference:cve,2008-2683; classtype:attempted-user; sid:2013130; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:exploit-kit; sid:2017815; rev:2; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:md5,7684532e7e1d717427f6842e9d5ecd56; classtype:trojan-activity; sid:2013121; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeAlert.Rena.n Checkin Flowbit set"; flow:established,to_server; content:"/1020000"; http_uri; depth:8; content:" HTTP/1.0|0d 0a|"; http_header; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:command-and-control; sid:2013135; rev:1; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013143; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Compressed Flash Content"; flowbits:noalert; flow:established,to_client; content:"stream"; content:"|0A|CWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)CWS/"; flowbits:set,ET.flash.pdf; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012907; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave rcsL Chunk Remote Code Execution Attempt"; flow:established,to_client; content:"rcsL"; content:"|FF F0 02 67|"; fast_pattern; distance:0; reference:url,www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/; reference:bid,42682; reference:cve,2010-2873; classtype:attempted-user; sid:2013069; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"tSAC|1D 02|"; fast_pattern; content:"|01 00 FF FF 11 11|"; distance:0; reference:url,www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/; classtype:attempted-user; sid:2013070; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018237; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of OpenAction"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"OpenAction"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^OpenAction](O|#4F)(p|#70)(e|#65)(n|#6E)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011537; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018238; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of JS"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JS"; within:2; content:"#"; within:4; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JS](J|#4A)(S|#53)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011535; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018239; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of EmbeddedFile"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"EmbeddedFile"; within:12; content:"#"; within:34; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^EmbeddedFile](E|#45)(m|#6D)(b|#62)(e|#65)(d|#64)(d|#64)(e|#65)(d#64)(F|#46)(i|#69)(l|#6C)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011530; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018240; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Type"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x3C\x3C[^>]*\x2F[^Type](T|#54)(y|#79)(p|#70)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011531; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2; metadata:created_at 2014_03_13, former_category CURRENT_EVENTS, updated_at 2014_03_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Javascript"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C[^\n]*\x2F[^Javascript](J|#4A)(a|#61)(v|#76)(a|#61)(S|#73|#53)(c|#63)(r|#72)(i|#69)(p|#70)(t|#74)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011532; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of URL"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"URL"; within:3; content:"#"; within:7; pcre:"/\x3C\x3C[^>]*\x2F[^URL](U|#55)(R|#52)(L|#4C)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011533; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3; metadata:created_at 2014_04_02, updated_at 2014_04_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013140; rev:3; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; http_user_agent; depth:35; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:"<param name="; nocase; content:"value="; nocase; distance:0; content:"|2E|swf?info="; fast_pattern; nocase; distance:0; pcre:"/value\x22[^\x22]*\x2Eswf\x3finfo\x3D/smi"; reference:url,stopmalvertising.com/malware-reports/all-ur-swf-bel0ng-2-us-analysis-of-cve-2011-2110.html; reference:bid,48268; reference:cve,2011-2110; classtype:attempted-user; sid:2013137; rev:3; metadata:created_at 2011_06_30, former_category CURRENT_EVENTS, updated_at 2011_06_30;)
+#alert http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
+#alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_04, updated_at 2014_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:exploit-kit; sid:2013094; rev:9; metadata:created_at 2011_06_22, former_category CURRENT_EVENTS, updated_at 2011_06_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED KazaaClient P2P Traffic"; flow: established; content:"Agent|3a| KazaaClient"; nocase; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001812; classtype:policy-violation; sid:2001812; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Imaging LEADSmtp ActiveX SaveMessage Method Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".SaveMessage"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F/si"; reference:bugtraq,48408; classtype:attempted-user; sid:2013163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX RunCore method Buffer Overflow Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"27527D31-447B-11D5-A46E-0001023B4289"; nocase; distance:0; content:".RunCore"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"<!DOCTYPE html PUBLIC"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX Initialize method Buffer Overflow Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"27527D31-447B-11D5-A46E-0001023B4289"; nocase; distance:0; content:".Initialize"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013161; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3; metadata:created_at 2014_07_26, updated_at 2014_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer ActiveX Control SaveData Insecure Method Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"A6FC2988-16BE-4053-BE89-F562431FD6ED"; nocase; distance:0; content:".SaveData"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6FC2988-16BE-4053-BE89-F562431FD6ED/si"; reference:bugtraq,48483; classtype:attempted-user; sid:2013160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019008; rev:8; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2017813; rev:9; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
 
-#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014"; flow:established,to_client; file_data; content:"|22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29|"; classtype:trojan-activity; sid:2019024; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|minerva|05|cdmon|03|org"; fast_pattern; distance:0; nocase; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:md5,13e43c44681ba9acb8fd42217bd3dbd2; classtype:command-and-control; sid:2013187; rev:1; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2011_07_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"c="; http_uri; content:"&wv="; http_uri; content:"&wd="; http_uri; content:"&ie="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/2008347; classtype:successful-recon-limited; sid:2008347; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SafeFighter Fake Scanner Installation in Progress"; flow:established,to_server; content:"/safefighter.php"; nocase; http_uri; content:"User-Agent|3a| NSIS"; nocase; http_header; reference:url,doc.emergingthreats.net/2010065; classtype:trojan-activity; sid:2010065; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Client Visiting cssminibar.js Injected Website Malware Related"; flow:established,to_client; content:"/cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013191; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2; metadata:created_at 2011_07_05, former_category CURRENT_EVENTS, updated_at 2011_07_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:command-and-control; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Initial Checkin"; flow:established,to_server; content:"/username.asp?Uid="; http_uri; fast_pattern:only; classtype:command-and-control; sid:2013198; rev:2; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2011_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:2; metadata:created_at 2014_10_16, updated_at 2014_10_16;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Hooker Checkin Message"; flow:established,to_server; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&sin="; http_uri; classtype:trojan-activity; sid:2013205; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2"; flow:established,to_server; content:"/aG91c2VhdHJlaWRlczk0/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019462; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&msg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&pauid="; nocase; http_uri; content:"&checkId="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:command-and-control; sid:2013215; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3"; flow:established,to_server; content:"/QmFzaGFyb2Z0aGVTYXJkYXVrYXJz/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019463; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Specfix Checkin"; flow:established,to_server; content:"/AWS"; http_uri; content:".jsp?"; http_uri; content:"x-bigfix-client-string|3A|"; http_header; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2; classtype:trojan-activity; sid:2013218; rev:2; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4"; flow:established,to_server; content:"/U2FsdXNhU2VjdW5kdXMy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019464; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Put"; content:"|00 02|"; depth:2; reference:cve,1999-0183; classtype:bad-unknown; sid:2100518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014"; flow:established,to_server; content:"/ldcigar.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019487; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability"; flow:to_server; content:"GET"; http_method; content:"res|3a|"; http_uri; content:"ieframe.dll"; http_uri; content:"acr_error"; pcre:"/(\&lt\;).+(\&gt\;)/Ui"; reference:bugtraq,28581; reference:url,doc.emergingthreats.net/bin/view/Main/2008170; classtype:web-application-attack; sid:2008170; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host"; flow:established,from_server; content:"|14|www.kitchensinks.n0t"; nocase; classtype:trojan-activity; sid:2019503; rev:2; metadata:created_at 2014_10_24, updated_at 2014_10_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/IRCBrute Checkin 2"; flow:established,to_server; content:"/Dialer_Min/telcom.asp"; nocase; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-IRB/detailed-analysis.aspx; classtype:command-and-control; sid:2013225; rev:3; metadata:created_at 2011_07_07, former_category MALWARE, updated_at 2011_07_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Control SaveDecrypted Insecure Method Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"0B70AB61-5C95-4126-9985-A32531CA8619"; nocase; distance:0; content:".SaveDecrypted"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B70AB61-5C95-4126-9985-A32531CA8619/si"; reference:bugtraq,48585; classtype:attempted-user; sid:2013233; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:exploit-kit; sid:2019800; rev:2; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IDrive Online Backup ActiveX control SaveToFile Insecure Method"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E"; nocase; distance:0; content:".SaveToFIle"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E/si"; reference:url,htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html; classtype:attempted-user; sid:2013232; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2; metadata:created_at 2011_07_11, former_category CURRENT_EVENTS, updated_at 2011_07_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo Download Command"; flow:established,to_server; content:"PRIVMSG #"; depth:9; content:"|3a 5b|d=|22|http|3a|//"; distance:0; reference:md5,2d69d8d243499ab53b840c64f68cc830; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013245; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2; metadata:created_at 2015_04_24, former_category CURRENT_EVENTS, updated_at 2015_04_24;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo CnC PONG"; flow:established,to_server; content:"PONG |3a|hub.us.com"; depth:16; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:command-and-control; sid:2013246; rev:2; metadata:created_at 2011_07_11, former_category MALWARE, updated_at 2011_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017024; rev:4; metadata:created_at 2013_06_18, former_category CURRENT_EVENTS, updated_at 2013_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zapchast Bot User-Agent"; flow:established,to_server; content:"User-Agent|3a| MJ12bot/"; http_header; reference:url,www.majestic12.co.uk/bot.php; reference:url,doc.emergingthreats.net/2007781; classtype:trojan-activity; sid:2007781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Majestic-12 Spider Bot User-Agent (MJ12bot)"; flow:to_server,established; content:"User-Agent|3a| MJ12bot"; reference:url,www.majestic12.co.uk/; reference:url,doc.emergingthreats.net/2003409; classtype:trojan-activity; sid:2003409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Majestic-12 Spider Bot User-Agent Inbound (MJ12bot)"; flow:to_server,established; content:"User-Agent|3a| MJ12bot"; http_header; reference:url,www.majestic12.co.uk/; reference:url,doc.emergingthreats.net/2007762; classtype:trojan-activity; sid:2007762; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003122; classtype:policy-violation; sid:2003122; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY docs.google.com Activity"; flow:established,to_server; content:"Host|3a| docs.google.com|0d 0a|"; http_header; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003121; classtype:policy-violation; sid:2003121; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Guagua Trojan Update Checkin"; flow:established,to_server; content:"/update_check?version="; http_uri; content:"User-Agent|3A| Update"; http_header; classtype:command-and-control; sid:2013259; rev:3; metadata:created_at 2011_07_13, former_category MALWARE, updated_at 2011_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:"<script"; content:"navigator.userAgent.indexOf|28 27|Mac|27 29|"; distance:0; nocase; content:"setAttribute|28 27|code|27|"; distance:0; nocase; content:".class"; nocase; distance:0; content:"setAttribute|28 27|archive|27|"; distance:0; nocase; content:".jar"; nocase; distance:0; reference:url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/; reference:cve,2011-3544; classtype:bad-unknown; sid:2014565; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nekill Checkin"; flow:established,to_server; content:"?v="; http_uri; content:"&mid="; http_uri; content:"&r1="; http_uri; content:"&tm="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&uid="; http_uri; content:"&cht="; http_uri; content:"&sn="; http_uri; reference:url,blog.emergingthreatspro.com/2011/07/bot-of-day-nekilla.html; classtype:command-and-control; sid:2013260; rev:3; metadata:created_at 2011_07_13, former_category MALWARE, updated_at 2011_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
 
-alert ftp any any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)"; flow:to_server,established; content:"pass nessus@"; depth:12; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=10079; reference:url,osvdb.org/show/osvdb/69; classtype:attempted-recon; sid:2013263; rev:3; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl)"; flow:to_server,established; content:"MKD"; nocase; depth:3; content:"Nessus"; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=19782; reference:url,osvdb.org/show/osvdb/76; classtype:attempted-recon; sid:2013264; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Nome Computador|3a| "; nocase; content:"Data|3a| "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002978; classtype:trojan-activity; sid:2002978; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013265; rev:2; metadata:attack_target Mobile_Client, created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3; metadata:created_at 2014_10_03, updated_at 2017_02_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013266; rev:2; metadata:created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:2; metadata:created_at 2011_07_14, former_category SHELLCODE, updated_at 2017_09_08;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:3; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sohanad Checkin via HTTP"; flow:established,to_server; content:"GET"; http_method; content:"/cs/bux/check.php"; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007898; classtype:command-and-control; sid:2007898; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; fast_pattern; content:"="; distance:0; isdataat:2,relative; reference:url,twitter.com/SettiDavide89/status/970965983228723201; reference:url,www.certego.net/it/news/quant-url/; classtype:trojan-activity; sid:2025409; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4"; flow:established,to_server; urilen:>6; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox"; http_user_agent; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2018_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3"; flow:established,to_server; urilen:>6; content:"MSIE"; http_user_agent; fast_pattern; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; http_header_names; content:!"Referer"; content:!"Cookie"; http_start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026461; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Moderate, signature_severity Major, updated_at 2019_05_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox/54.0"; http_user_agent; classtype:trojan-activity; sid:2024768; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"MSIE 7.0"; http_user_agent; classtype:trojan-activity; sid:2024767; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3; metadata:created_at 2011_07_19, updated_at 2011_07_19;)
+#alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30"; dns_query; content:"canasikos.info"; nocase; isdataat:!1,relative; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:trojan-activity; sid:2027415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2019_05_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cycbot Pay-Per-Install Executable Download"; flow:established,to_server; content:"/adv.php?login="; http_uri; content:"&key="; http_uri; content:"&subacc="; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:trojan-activity; sid:2013291; rev:2; metadata:created_at 2011_07_19, updated_at 2011_07_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:4; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2013_05_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cycbot Initial Checkin to CnC"; flow:established,to_server; content:"id="; http_uri; content:"&hwid="; http_uri; content:"&step="; http_uri; content:"&wd="; http_uri; content:"&av="; fast_pattern; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:command-and-control; sid:2013292; rev:2; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2011_07_19;)
+#alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:4; metadata:created_at 2014_04_02, former_category CURRENT_EVENTS, updated_at 2014_04_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL DELETED nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:2101518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:3; metadata:created_at 2015_04_07, updated_at 2019_10_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:2101529; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:3; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:3; metadata:created_at 2015_04_07, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; http.uri; content:"/img/info.php?info="; nocase; classtype:trojan-activity; sid:2017257; rev:3; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:2101562; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Python Eval Compile seen in HTTP Request Headers"; flow:established,to_server; http.header; content:"eval(compile("; reference:url,sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html; classtype:bad-unknown; sid:2026848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Majestic12 User-Agent Request Inbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013255; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)
+#alert http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; flowbits:set,ET.Rbrute.incoming; http.user_agent; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; fast_pattern; nocase; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:5; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2020_09_23;)
 
-#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009205; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab request to a .ru 8080 URI"; flow:established,to_server; content:".ru|3a|8080|0D 0A|"; classtype:bad-unknown; sid:2011354; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Persona Not Validated)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Persona Not Validated"; classtype:policy-violation; sid:2013294; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] POSSIBLE HackTool.TCP.Rubeus.[User32LogonProcesss]"; flow:to_server; content:"User32LogonProcesss"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Google Warning Infected Local User"; flow:established,from_server; content:"<span>It appears that your computer is infected with software that intercepts your connection to Google and other sites.</span>"; classtype:trojan-activity; sid:2013318; rev:1; metadata:created_at 2011_07_26, updated_at 2011_07_26;)
+alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[Build ID]"; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.SSL.BEACON.[CSBundle Ajax]"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; fast_pattern; tls.cert_issuer; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|0a|_domainkey"; distance:0; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer toStaticHTML HTML Sanitizing Information Disclosure Attempt"; flow:established,to_client; content:"toStaticHTML|28|"; fast_pattern; nocase; content:"expression|28|"; nocase; within:150; reference:bid,48199; reference:cve,2011-1252; classtype:attempted-user; sid:2013321; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Ruskill CnC Download Command 1"; flow:established,to_client; content:"|3a|["; depth:2; content:".r.getfile http|3a|//"; distance:0; classtype:command-and-control; sid:2013329; rev:3; metadata:created_at 2011_07_27, former_category MALWARE, updated_at 2011_07_27;)
+alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Ruskill CnC Download Command 2"; flow:established,to_client; content:"|3a|n"; depth:2; content:"on .dl http|3a|//"; distance:0; classtype:command-and-control; sid:2013330; rev:1; metadata:created_at 2011_07_27, former_category MALWARE, updated_at 2011_07_27;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M2"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 31 00 30 00 20 00 44 00 65 00 66 00 65 00 6e 00 64 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ruskill Reporting on Local Scans"; flow:established,to_server; content:"PRRVMSG"; depth:7; content:"Port Scan started on"; distance:0; content:"with a delay of"; distance:0; classtype:trojan-activity; sid:2013331; rev:1; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M1"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 55 00 70 00 64 00 61 00 74 00 65 00 20 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031300; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:command-and-control; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M3"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4c 00 69 00 63 00 65 00 6e 00 73 00 65 00 20 00 4b 00 65 00 79 00 20 00 41 00 63 00 74 00 69 00 76 00 61 00 74 00 69 00 6f 00 6e|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:2101928; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M4"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 66 00 66 00 69 00 63 00 65 00 20 00 33 00 36 00 35 00 20 00 50 00 72 00 6f 00 78 00 79|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M5"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M6"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 6e 00 65 00 44 00 72 00 69 00 76 00 65 00 20 00 53 00 79 00 6e 00 63 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M7"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|42 00 61 00 63 00 6b 00 67 00 72 00 6f 00 75 00 6e 00 64 00 20 00 41 00 63 00 74 00 69 00 6f 00 6e 00 20 00 4d 00 61 00 6e 00 61 00 67 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031306; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M8"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|53 00 65 00 63 00 75 00 72 00 65 00 20 00 54 00 6f 00 6b 00 65 00 6e 00 20 00 4d 00 65 00 73 00 73 00 61 00 67 00 69 00 6e 00 67 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M9"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 20 00 55 00 70 00 64 00 61 00 74 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; content:"Cookie|3a 20|"; content:"display-culture=en|3b|check=true|3b|lbcs=0|3b|sess-id="; content:"|3b|SIDCC=AN0-TY21iJHH32j2m|3b|FHBv3=B"; fast_pattern; http.uri; pcre:"/^\/(?:v(?:1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|4\/links\/activity-stream|3\/links\/ping-centre)|gp\/(?:aj\/private\/reviewsGallery\/get-(?:application-resource|image-gallery-asset)s|cerberus\/gv)|en-us\/(?:p\/(?:onerf\/MeSilentPassport|book-2\/8MCPZJJCC98C)|store\/api\/checkproductinwishlist)|wp-(?:content\/themes\/am43-6\/dist\/records|includes\/js\/script\/indigo-migrate)|api2\/json\/(?:cluster\/(?:resource|task)s|access\/ticket))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; flow:established,from_server; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031293; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Accept-Ranges|3a 20|bytes"; content:"Age|3a 20|5806"; content:"Cache-Control|3a 20|public,max-age=31536000"; content:"Content-Encoding|3a 20|gzip"; content:"Content-Length|3a 20|256398"; content:"Content-Type|3a 20|application/javascript"; content:"Server|3a 20|UploadServer"; content:"Vary|3a 20|Accept-Encoding, Fastly-SSL"; content:"x-api-version|3a 20|F-X"; content:"x-cache|3a 20|HIT"; content:"x-Firefox-Spdy|3a 20|h2"; content:"x-nyt-route|3a 20|vi-assets"; content:"x-served-by|3a 20|cache-mdw17344-MDW"; content:"x-timer|3a 20|S1580937960.346550,VS0,VE0"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031267; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a 22|"; fast_pattern; content:"nid"; content:"msg-"; http.method; content:"POST"; http.uri; content:"/notification"; startswith; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031292; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; content:!"|00|server."; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007711; classtype:trojan-activity; sid:2007711; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 3]"; flow:established,from_server; content:"{|22|alias|22 3a 22|apx|22|,|22|prefix|22 3a 22 22|,|22|suffix|22 3a|null,|22|suggestions|22 3a|[],|22|responseId|22 3a 22|15QE9JX9CKE2P|22|,|22|addon|22 3a 20 22|"; fast_pattern; content:"|22|,|22|shuffled|22 3a|false}"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031268; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Potential muieblackcat scanner double-URI and HTTP library"; flow:established,to_server; content:"GET //"; depth:6; fast_pattern; content:"HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Accept-Encoding|3a| gzip, deflate|0d 0a|Host|3a| "; http_header; content:"|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; distance:0; classtype:attempted-recon; sid:2013116; rev:5; metadata:created_at 2011_06_24, former_category SCAN, updated_at 2011_06_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[POST]"; flow:established,to_server; urilen:1; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.connection; content:"upgrade"; depth:7; http.header; content:"|0d 0a|Upgrade|3a 20|tcp/1|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie:"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dictcn Trojan Downloader Update Check to CnC"; flow:established,to_server; content:".php?cid="; http_uri; content:"&version="; http_uri; content:"&lose="; http_uri; content:"&tipsid="; http_uri; content:"&from="; http_uri; classtype:command-and-control; sid:2013323; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 2]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Receiving XML Format Update File From CnC Server"; flow:established,to_client; content:"<dictcn>"; fast_pattern; content:"<update from="; distance:0; content:"method="; distance:0; classtype:command-and-control; sid:2013324; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:from_server,established; file.data; content:"{|22|navgd|22 3a 22|<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https|3a|//supportlocal.usatoday.com/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031273; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Receiving XML Format Node ID File From CnC Server"; flow:established,to_client; content:"<node><id>"; content:"<|2F|id><ip>"; distance:1; within:9; content:"<|2F|type><|2F|node>-->"; distance:0; content:"<node><id>"; distance:0; content:"<|2F|id><ip>"; distance:1; within:9; content:"<|2F|dict>"; distance:0; classtype:command-and-control; sid:2013325; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server]"; flow:established,from_server; content:"{|22|meta|22|:{},|22|status|22 3a 22|OK|22|,|22|saved|22 3a 22|1|22|,|22|starttime|22 3a|17656184060,|22|id|22 3a 22 22|,|22|vims|22 3a|{|22|dtc|22 3a|"; fast_pattern; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031275; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL)"; flow:established,to_server; content:"User-Agent|3a| InetURL"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2017_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; flow:established,to_server; content:"sess-="; content:"auth=0|3b|loc=US|7d|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; content:".addBehavior"; nocase; content:"|23|default|23|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; flow:established,to_server; content:"nyt-a="; content:"nyt-gdpr=0|3b|nyt-purr=cfh|3b|nyt-geo=US}"; fast_pattern; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; http.request_line; pcre:"/^GET\s(?:\/(?:(?:v(?:i-assets\/static-asset|[12]\/preference)|idcta\/translation)s|ads\/google))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031276; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:2101200; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request]"; flow:established,to_server; http.cookie; content:"hl=en|3b|bse="; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9_\/\+\-]{2}==|[a-zA-Z0-9_\/\+\-]{3}=|[a-zA-Z0-9_\/\+\-]{4})\x3b/"; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b|"; endswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:2100494; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Connection|3a 20|close"; content:"Content-Type|3a 20|application/json|3b 20|charset=utf-8"; content:"Content-Security-Policy|3a 20|upgrade-insecure-requests"; content:"Strict-Transport-Security|3a 20|max-age=10890000"; content:"Cache-Control|3a 20|public, immutable, max-age=315360000"; content:"Accept-Ranges|3a 20|bytes"; content:"X-Cache|3a 20|HIT, HIT"; content:"X-Timer|3a 20|S1593010188.776402,VS0,VE1"; content:"Vary|3a 20|X-AbVariant, X-AltUrl, Accept-Encoding"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031274; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:2100495; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; http.accept; content:"*/*"; startswith; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:2100497; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[SID1]"; flow:established,to_server; http.start; content:"|0d 0a|Cookie: SID1="; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
 
-alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"GPL ATTACK_RESPONSE isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2102043; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager]"; flow:established,from_client; http.accept; content:"*/*"; depth:3; http.accept_lang; content:"en-US"; depth:5; http.accept_enc; content:"gzip, deflate"; depth:13; http.cookie; content:"SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; depth:80; fast_pattern; http.uri; content:"/api/v1/user/"; content:"/avatar/"; distance:3; within:8; pcre:"/\/api\/v1\/user\/(?:512|124)\/avatar/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:2101008; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Type|3a 20|image/gif"; file_data; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; fast_pattern; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:2101292; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp GET]"; flow:established,to_server; content:"request_origin=user"; http.method; content:"GET"; http.request_line; content:"&parent_request_id="; within:256; fast_pattern; content:"|20|HTTP/1"; within:1024; pcre:"/^GET [^\r\n]{0,256}&parent_request_id=(?:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/"; http.header; content:"|0d 0a|Sec-Fetch-Dest|3a 20|empty|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle CDN GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; http.header; content:"client-="; fast_pattern; content:"|3b|auth=1}"; http.uri; pcre:"/^\/v1\/(?:queue|profile|docs\/wsdl|pull)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102439; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:from_server,established; http.response_line; content:"HTTP/1."; depth:7; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102440; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"; flow:established,to_server; content:"gnt_ub=86|3b|gnt_sb=18|3b|usprivacy=1YNY|3b|DigiTrust.v1.identity="; fast_pattern; content:"%3D|3b|GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM|3b|"; http.method; content:"GET"; http.connection; content:"close"; bsize:5; http.accept; content:"*/*"; bsize:3; http.header; content:"Cookie|3a 20|"; http.request_line; pcre:"/^GET\s(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2102589; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|03|"; within:15; content:"|0a|_domainkey"; distance:3; within:11; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:2103079; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original POST]"; flow:established,to_server; content:"ses-"; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; http.request_line; pcre:"/^POST\s(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103134; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; content:"cli"; content:"l-"; http.request_line; content:"POST /v1/push"; depth:13; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:2; metadata:created_at 2012_03_05, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103132; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Crypto Drainer Fetch"; flow:established,to_server; http.host; content:"deep-index.moralis.io"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|accept|0d 0a|x-api-key"; content:!"|0d 0a|Referer|0d 0a|"; http.uri; content:"/api/v2/"; startswith; content:"/nft?chain=eth&format=decimal"; distance:0; endswith; fast_pattern; flowbits:set,ET.crypto_drainer_fetch; reference:url,blog.confiant.com/how-one-crypto-drainer-template-facilitates-tens-of-millions-of-dollars-in-theft-66f3794aea4b; classtype:trojan-activity; sid:2037023; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2022_06_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2102437; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Crypto Drainer Enumerate"; flow:established,to_server; http.host; content:"deep-index.moralis.io"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|accept|0d 0a|x-api-key"; content:!"|0d 0a|Referer|0d 0a|"; http.uri; content:"/api/v2/nft"; startswith; content:"lowestprice?chain=eth&days="; distance:0; content:"&marketplace=opensea"; endswith; fast_pattern; distance:0; flowbits:isset,ET.crypto_drainer_fetch; reference:url,blog.confiant.com/how-one-crypto-drainer-template-facilitates-tens-of-millions-of-dollars-in-theft-66f3794aea4b; classtype:trojan-activity; sid:2037024; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2022_06_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2102671; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain (gooqlepics .com)"; dns.query; content:".com.ru"; fast_pattern; nocase; bsize:14; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:5; metadata:created_at 2011_07_27, former_category CURRENT_EVENTS, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2102673; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware (soaksoak .ru)"; dns.query; content:"soaksoak.ru"; fast_pattern; nocase; bsize:11; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:2103149; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Sliver Related Domain in DNS Lookup (saleforces-it .com)"; dns.query; content:"saleforces-it.com"; nocase; bsize:17; reference:url,twitter.com/ESETresearch/status/1547943014860894210; classtype:trojan-activity; sid:2037772; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:2103088; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Sliver Related Domain in DNS Lookup"; dns.query; content:"saleforces.s3-accelerate.amazonaws.com"; nocase; bsize:38; reference:url,mobile.twitter.com/ESETresearch/status/1547943014860894210; classtype:trojan-activity; sid:2037773; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102438; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS NATO Themed Maldoc Related Domain in DNS Lookup (am .my-zo .org)"; dns.query; content:"am.my-zo.org"; nocase; bsize:12; reference:url,twitter.com/souiten/status/1548963032574767104; reference:md5,4b160dea19282597342c160f44d4bdf8; reference:md5,a23a106fc8049feb296aa281ef5319a6; reference:md5,9e5500cf454bc49609bb0200f7de23c3; classtype:trojan-activity; sid:2037782; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, signature_severity Major, updated_at 2022_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2102925; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2102041; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dropper.Win32.Agent.bpxo Checkin"; flow:established,to_server; content:"|71 4E 6C 39 34 65 66 59 41 7A 32 32 37 4F 71 45 44 4D 50 0A|"; depth:20; reference:md5,02e447b347a90680e03c8b7d843a8e46; reference:url,www.antivirus365.org/PCAntivirus/37128.html; classtype:command-and-control; sid:2012894; rev:4; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DELETED MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008910; classtype:attempted-user; sid:2008910; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Client Checkin"; flow:established,to_server; content:"|00 00 99 4F B9 74 E2 75 94 0A 5A|"; offset:2; depth:11; classtype:command-and-control; sid:2013338; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2008779; classtype:unknown; sid:2008779; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:md5,08f116cf4feff245dca581244e4f509c; classtype:command-and-control; sid:2013340; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; classtype:unknown; sid:2008780; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; http_uri; content:"&time="; http_uri; content:"&msg="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&fy="; http_uri; content:"&pauid="; http_uri; content:"&checkId="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:md5,0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED HELO Non-Displayable Characters MailEnable Denial of Service"; flow:established,to_server; content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00-\x08\x0e-\x1f]/R"; reference:cve,2006-3277; reference:bugtraq,18630; reference:url,doc.emergingthreats.net/bin/view/Main/2002998; classtype:attempted-dos; sid:2002998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
+#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010488; classtype:attempted-dos; sid:2010488; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.*"; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010489; classtype:attempted-dos; sid:2010489; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - picasa.com.*"; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp any any -> $HOME_NET 139 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008695; classtype:attempted-admin; sid:2008695; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - blogger.com.*"; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008711; classtype:attempted-admin; sid:2008711; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert tcp any any -> $HOME_NET 139 (msg:"ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008716; classtype:attempted-admin; sid:2008716; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - img.youtube.com.*"; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative; reference:cve,2005-0399; reference:url,doc.emergingthreats.net/bin/view/Main/2001807; classtype:attempted-admin; sid:2001807; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.*"; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Edonkey Connect Reply and Server List"; dsize:>200; content:"|e3 0b|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003313; classtype:policy-violation; sid:2003313; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Checkin"; flow:established,to_server; content:"/ping.php?v="; http_uri; content:"&cid="; http_uri; content:"&s="; http_uri; content:"&wid="; http_uri; content:"&fid="; http_uri; content:"&step="; http_uri; classtype:command-and-control; sid:2013366; rev:2; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Edonkey Search Request (any type file)"; dsize:>19; content:"|e3 0e|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003317; classtype:policy-violation; sid:2003317; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alunik User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| Alun4ik"; http_header; classtype:trojan-activity; sid:2013377; rev:2; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Edonkey Search Results"; dsize:>21; content:"|e3 99|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003320; classtype:policy-violation; sid:2003320; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; depth:300; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; classtype:trojan-activity; sid:2008783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED NE EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000423; classtype:misc-activity; sid:2000423; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Set flow on rar file get"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:".rar HTTP/1."; flowbits:set,ET.rar_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2008781; classtype:trojan-activity; sid:2008781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LX EXE OS2 file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in a DOS session."; isdataat: 6,relative; content:"LX"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000424; classtype:misc-activity; sid:2000424; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:exploit-kit; sid:2013237; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED NE EXE Windows 3.x file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program requires Microsoft Windows."; isdataat: 10,relative; content:"NE"; distance: 0; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000425; classtype:misc-activity; sid:2000425; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 1"; flow:established,to_server; content:"/images/thanks_25.php?id="; fast_pattern:only; content:"HTTP/1.1|0d 0a|User-Agent"; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013383; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002425; classtype:policy-violation; sid:2002425; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Accept-encode HTTP header with UA indicating infected host"; flow:established,to_server; content:"Accept-encode|3a| "; fast_pattern; http_header; content:"Accept-Encoding|3a| "; http_header; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; sid:2013385; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002426; classtype:policy-violation; sid:2002426; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:pup-activity; sid:2013389; rev:2; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2011_08_10;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002427; classtype:policy-violation; sid:2002427; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent 3653Client"; flow:established,to_server; content:"User-Agent|3A 20|3653Client"; http_header; classtype:trojan-activity; sid:2013390; rev:2; metadata:created_at 2011_08_10, updated_at 2011_08_10;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret COMINT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002428; classtype:policy-violation; sid:2002428; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|></iframe>"; fast_pattern; content:"<html"; nocase; distance:0; classtype:bad-unknown; sid:2013380; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_10, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002432; classtype:policy-violation; sid:2002432; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent|3A 20|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret IMCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(IMCON|IMC)[\s\w,/-]*(?=//(X1|MR))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002433; classtype:policy-violation; sid:2002433; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET MALWARE Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; classtype:command-and-control; sid:2013411; rev:1; metadata:created_at 2011_08_16, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002435; classtype:policy-violation; sid:2002435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/TrojanDropper.Agent Checkin"; flow:established,to_server; content:".gif?aid="; http_uri; content:"&lc="; http_uri; content:"&time="; http_uri; content:"&flag="; http_uri; content:"&domain="; http_uri; classtype:trojan-activity; sid:2013402; rev:3; metadata:created_at 2011_08_11, updated_at 2011_08_11;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002437; classtype:policy-violation; sid:2002437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; classtype:trojan-activity; sid:2001685; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002442; classtype:policy-violation; sid:2002442; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_08_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002445; classtype:policy-violation; sid:2002445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewer Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008795; classtype:misc-activity; sid:2008795; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002449; classtype:policy-violation; sid:2002449; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; classtype:command-and-control; sid:2012961; rev:3; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2011_06_09;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002452; classtype:policy-violation; sid:2002452; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FCB4B50A-E3F1-4174-BD18-54C3B3287258"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002456; classtype:policy-violation; sid:2002456; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 4"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret REL TO"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002510; classtype:policy-violation; sid:2002510; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 3"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"FAB9B41C-87D6-474D-AB7E-F07D78F2422E"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002511; classtype:policy-violation; sid:2002511; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"536600D3-70FE-4C50-92FB-640F6BFC49AD"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002512; classtype:policy-violation; sid:2002512; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 1"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6C10489-FB89-11D4-93C9-006008A7EED4"; nocase; distance:0; content:".AddSeries"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6C10489-FB89-11D4-93C9-006008A7EED4/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret COMINT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002513; classtype:policy-violation; sid:2002513; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP CWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"CWD"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010731; classtype:attempted-recon; sid:2010731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret COMSEC"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002517; classtype:policy-violation; sid:2002517; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; classtype:not-suspicious; sid:2002850; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMINT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002591; classtype:policy-violation; sid:2002591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Trojan CnC"; dsize:2; byte_test:2, >, 1024, 0; threshold:type both, track by_src, count 1000, seconds 300; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder; classtype:command-and-control; sid:2013418; rev:5; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMINT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002592; classtype:policy-violation; sid:2002592; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Chekafe.D Initial Checkin"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&isInst="; http_uri; content:"&lockcode="; http_uri; content:"&pc="; http_uri; content:"&PcType="; http_uri; content:"&AvName="; http_uri; content:"&ProCount="; http_uri; classtype:command-and-control; sid:2013447; rev:3; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2011_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret COMINT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(COMINT|SI)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002593; classtype:policy-violation; sid:2002593; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:pup-activity; sid:2013448; rev:6; metadata:created_at 2011_08_22, former_category ADWARE_PUP, updated_at 2011_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret TK"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002602; classtype:policy-violation; sid:2002602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET MALWARE Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:md5,f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret NOFORN"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002607; classtype:policy-violation; sid:2002607; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSPlayer User-Agent Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851; classtype:policy-violation; sid:2011874; rev:3; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret ORCON"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002610; classtype:policy-violation; sid:2002610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_28, former_category CURRENT_EVENTS, updated_at 2011_05_28;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret SPECAT"; flow:to_server,established; pcre:"/(?<!TOP\s|T)(SECRET|S)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002621; classtype:policy-violation; sid:2002621; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (1)"; flow:to_server,established; content:"/uiserver.php?social_plugin=like"; http_uri; content:"external_page_url="; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013458; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Secret"; flow:to_server,established; pcre:"/(?<!TOP|//)\Wsecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002626; classtype:policy-violation; sid:2002626; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (2)"; flow:to_server,established; content:"/plugins/like.php?"; http_uri; content:"href="; http_uri; content:"action=like"; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013459; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED offers.e-centives.com Coupon Printer"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; YourApp\; AK\; Windows 95)|0d 0a|"; nocase; reference:url,offers.e-centives.com; reference:url,doc.emergingthreats.net/2010338; classtype:policy-violation; sid:2010338; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Win32/Wizpop Initial Checkin"; flow:established,to_server; content:"User-Agent|3a| WizPop"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:pup-activity; sid:2013461; rev:3; metadata:created_at 2011_08_26, former_category MALWARE, updated_at 2011_08_26;)
+#alert tcp $HOME_NET any -> 66.151.158.177 any (msg:"ET DELETED GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/2000309; classtype:policy-violation; sid:2000309; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Phoenix Landing Page Obfuscated Javascript 2"; flow:established,to_client; content:"<html><body><input|20|type|3d 27|hidden|27 20|value|3d 27|"; pcre:"/\S{20,40}\'\>/R"; classtype:trojan-activity; sid:2013314; rev:5; metadata:created_at 2011_07_26, updated_at 2011_07_26;)
+#alert tcp 66.151.158.177 8200 -> $HOME_NET any (msg:"ET DELETED GotoMyPC poll.gotomypc.com Server Response to Polling Client OK"; flow: established,from_server; content:"cnt=0"; nocase; depth: 40; content:"eventid="; nocase; depth: 40; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/2002022; classtype:policy-violation; sid:2002022; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013497; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail gtalk"; flow:established; pcre:"/\[\[\d{1,3}\,\[\\\"\w\\\"\,\\\".+@gmail.com.+\\\"\,\\\"/i"; reference:url,doc.emergingthreats.net/2003092; classtype:policy-violation; sid:2003092; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Pack Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; reference:url,www.kahusecurity.com/2011/best-pack/; classtype:bad-unknown; sid:2013489; rev:3; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN Game Loading"; flow:established,to_server; content:"|6D 73 6E 67 61 6D 65 2E 61 73 70 78|"; depth:90; reference:url,doc.emergingthreats.net/2002312; classtype:policy-violation; sid:2002312; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JBIG2Decode"; within:11; content:"#"; within:31; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JBIG2Decode](J|#4A)(B|#42)(I|#49)(G|#47)(2|#32)(D|#44)(e|#65)(c|#63)(o|#6F)(d|#64)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; reference:url,blog.didierstevens.com/2009/03/01/quickpost-jbig2decode-signatures/; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:2011534; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail (2)"; flow:established,to_server; content:"<Ymsg Command=|22|"; depth:15; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007069; classtype:policy-violation; sid:2007069; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Wizpop Checkin"; flow:established,to_server; content:"/count.asp?exe="; http_uri; content:"&act="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818; classtype:pup-activity; sid:2013502; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2011_08_31;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (simple rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; reference:url,doc.emergingthreats.net/2003096; classtype:misc-activity; sid:2003096; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET MALWARE W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1; metadata:created_at 2011_08_31, updated_at 2011_08_31;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (complex rule)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"AMAgAOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBg"; depth:575; content:"AACAACCAAECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDA"; content:"AEDAAGDAAIDAAKDAAMDAAODAAADgACDgAEDgAGDgAIDgAKDgAMDgAODgAAAAQCAAQEAAQGAA"; content:"QIAAQKAAQMAAQOAAQAAgQCAgQEAgQGAgQIAgQKAgQMAgQOAgQABAQCBAQEBAQGBAQIBAQKBA"; content:"QMBAQOBAQABgQCBgQEBgQGBgQIBgQKBgQMBgQOBgQACAQCCAQECAQGCAQICAQKCAQMCAQOCA"; content:"QACgQCCgQECgQGCgQICgQKCgQMCgQOCgQADAQCDAQEDAQGDAQIDAQKDAQMDAQODAQADgQCDg"; content:"QEDgQGDgQIDgQKDgQMDgQODgQAAAgCAAgEAAgGAAgIAAgKAAgMAAgOAAgAAggCAggEAggGAg"; content:"gIAggKAggMAggOAggABAgCBAgEBAgGBAgIBAgKBAgMBAgOBAgABggCBggEBggGBggIBggKBg"; content:"gMBggOBggACAgCCAgECAgGCAgICAgKCAgMCAgOCAgACggCCggECggGCggICggKCggMCggOCg"; content:"gADAgCDAgEDAgGDAgIDAgKDAgMDAgODAgADggCDggEDggGDggIDggKDggMDggODggAAAwCAA"; content:"wEAAwGAAwIAAwKAAwMAAwOAAwAAgwCAgwEAgwGAgwIAgwKAgwMAgwOAgwABAwCBAwEBAwGBA"; content:"wIBAwKBAwMBAwOBAwABgwCBgwEBgwGBgwIBgwKBgwMBgwOBgwACAwCCAwECAwGCAwICAwKCA"; content:"wMCAwOCAwACgwCCgwECgwGCgwICgwKCgwMCgwOCgwADAwCDAwEDAwGDAwIDAwKDAwP/78KCg"; reference:url,doc.emergingthreats.net/2003097; classtype:misc-activity; sid:2003097; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bancos Reporting"; flow:established,to_server; content:".php?codigo="; http_uri; content:"&g_id="; http_uri; content:"&g_windows="; http_uri; content:"&func_versao_ie="; http_uri; content:"&firefox="; http_uri; content:"&primeira_versao_update="; http_uri; content:"&ultimo_acesso="; http_uri; classtype:trojan-activity; sid:2013513; rev:2; metadata:created_at 2011_08_31, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Possible Image Spam Inbound (3)"; flow:established,to_server; content:"Content-Transfer-Encoding|3A|"; content:"R0lGODlh"; depth:575; content:"AOAgAABAACBAAEBAAGBAAIBAAKBAAMBAAOBAAABgACBgAEBgAGBgAIBgAKBgAMBgAOBgAACAACCA"; content:"AECAAGCAAICAAKCAAMCAAOCAAACgACCgAECgAGCgAICgAKCgAMCgAOCgAADAACDAAEDAAGDAAIDA"; reference:url,doc.emergingthreats.net/2003120; classtype:misc-activity; sid:2003120; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent FSD - Possible FakeAV Related"; flow:established,to_server; content:"User-Agent|3A 20|FSD|0D 0A|"; http_header; classtype:trojan-activity; sid:2013393; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_10, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Archive Download"; content:"GET /sploits/milw0rm.tar.bz2"; depth:60; flow:to_server,established; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2008524; classtype:misc-activity; sid:2008524; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET DELETED PCMesh Anonymous Proxy client connect"; flow: from_client,established; content:"http|3a|//www.pcmesh.com|3a|80/ip-check.cgi"; depth:37; offset:4; reference:url,doc.emergingthreats.net/2003040; classtype:policy-violation; sid:2003040; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pitbull IRCbotnet Fetch"; flow:to_server,established; content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|Mozilla/5.0|0d0a|"; http_header; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007626; classtype:trojan-activity; sid:2007626; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Prospero Chat Session in Progress"; flow: established,to_server; content:"PCHAT2 "; offset: 0; depth: 7; content:"v='"; nocase; offset: 8; depth: 400; content:"jv='"; nocase; offset: 8; depth: 400; content:"u='"; nocase; offset: 8; depth: 400; reference:url,www.prospero.com/technology.htm; reference:url,doc.emergingthreats.net/2001989; classtype:policy-violation; sid:2001989; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Fynloski.A Command Request"; flow:to_server,established; content:"#BOT#"; depth:5; pcre:"/^\x23BOT\x23(VisitUrl|OpenUrl|Ping|RunPrompt|CloseServer|SvrUninstall|URLUpate|URLDownload)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013532; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Real.com Game Arcade Install (User agent)"; flow: established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+ARCADE_BUNDLE_DOWNLOADER/i"; reference:url,doc.emergingthreats.net/2003045; classtype:policy-violation; sid:2003045; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Real.com Game Arcade Install"; flow: established,to_server; content:"/gameconsole/bundlescripts/"; reference:url,doc.emergingthreats.net/2003046; classtype:policy-violation; sid:2003046; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013514; rev:2; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED TLS/SSL Server Hello Done on Unusual Port"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 01|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; reference:url,doc.emergingthreats.net/2003016; classtype:unusual-client-port-connection; sid:2003016; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host|3A 20|google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013544; rev:2; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED TLS/SSL Server Hello Done on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Server.Key; flow:established; content:"|16 03 00|"; content:"|0e|"; within:6; flowbits:set,BS.SSL.Server.Hello.Done; flowbits:noalert; reference:url,doc.emergingthreats.net/2003017; classtype:unusual-client-port-connection; sid:2003017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET MALWARE Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:command-and-control; sid:2013547; rev:2; metadata:created_at 2011_09_07, former_category MALWARE, updated_at 2011_09_07;)
+#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001766; classtype:misc-activity; sid:2001766; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fivfrom Downloader (Unitrix)"; flow:established,to_server; content:".php?seller="; http_uri; content:"&hash={"; http_uri; pcre:"/hash=\{[a-f0-9]+-/Ui"; classtype:trojan-activity; sid:2013555; rev:5; metadata:created_at 2011_09_10, updated_at 2011_09_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Mytob.X clam SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; reference:url,doc.emergingthreats.net/2002892; classtype:trojan-activity; sid:2002892; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Program Storm3-607.exe Download Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/Storm3-607.exe"; nocase; http_uri; content:"User-Agent|3a| InnoTools_Downloader"; http_header; classtype:trojan-activity; sid:2013560; rev:3; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Mytob.X clam SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; reference:url,doc.emergingthreats.net/2002893; classtype:trojan-activity; sid:2002893; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"658ED6E7-0DA1-4ADD-B2FB-095F08091118"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*658ED6E7-0DA1-4ADD-B2FB-095F08091118/si"; classtype:web-application-attack; sid:2013565; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002894; classtype:trojan-activity; sid:2002894; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"; nocase; distance:0; classtype:attempted-user; sid:2013566; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002895; classtype:trojan-activity; sid:2002895; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012316; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+#alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg:"ET DELETED Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; reference:url,doc.emergingthreats.net/2001430; classtype:trojan-activity; sid:2001430; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/JavaScript"; nocase; distance:0; pcre:"/\x3C\x3C[^>]*\x2FJavaScript/smi"; threshold:type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2010882; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely EXE Cryptor Packed Binary - Likely Malware"; flow:from_server,established; content:"|4D 5A|"; content:"|2E 70 61 63 6B 65 64|"; within: 447; reference:url,bits.packetninjas.org; reference:url,doc.emergingthreats.net/2008557; classtype:trojan-activity; sid:2008557; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:command-and-control; sid:2010859; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:pup-activity; sid:2013658; rev:2; metadata:created_at 2011_09_15, former_category ADWARE_PUP, updated_at 2011_09_15;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:command-and-control; sid:2010860; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:exploit-kit; sid:2013661; rev:2; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Hupigon CnC init (variant abb)"; flow:established,to_server; dsize:4; flowbits:isnotset,ET.hupa.init; flowbits:noalert; content:"|00 00 00 00|"; flowbits:set,ET.hupa.init; reference:url,doc.emergingthreats.net/2008041; classtype:command-and-control; sid:2008041; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PinBall Corp. Related suspicious activity"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| PinBallCorp-BSAI"; reference:url,doc.emergingthreats.net/2009908; classtype:trojan-activity; sid:2009908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET DELETED Likely Hupigon Post to Controller"; flow:established,to_server; content:"POST /+"; depth:7; flowbits:noalert; flowbits:set,ET.Hupinit1; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008389; classtype:trojan-activity; sid:2008389; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; within:25; classtype:bad-unknown; sid:2101884; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; classtype:trojan-activity; sid:2008390; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:2; metadata:created_at 2011_09_19, updated_at 2011_09_19;)
+#alert icmp any any -> any any (msg:"ET DELETED ICMP Banking Trojan sending encrypted stolen data"; dsize:>64; itype:8; icode:0; content:"|08|"; depth:1; byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; reference:url,doc.emergingthreats.net/2003073; classtype:trojan-activity; sid:2003073; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (touch)"; flow:to_server,established; content:"/touch.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013671; rev:2; metadata:created_at 2011_09_19, former_category MALWARE, updated_at 2011_09_19;)
+#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Kaiten IRCbotnet Response"; flow:established; flowbits:isset,irc.start; content:"NOTICE|20|"; content:"|20 3A|"; within:32; pcre:"/\x20\x3A(Receiving\x20file.\x0A|Saved\x20as\x20|Spoofs\x3A\x20|Kaiten\x20wa\x20goraku|Current\x20status\x20is\x3a\x20|Removed\x20all\x20spoofs|Packeting\x20|Panning\x20|Tsunami\x20heading\x20for\x20|Unknowing\x20|Killing\x20pid\x20)/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007622; classtype:trojan-activity; sid:2007622; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Kaiten IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20 21|"; pcre:"/PRIVMSG\x20\x21\S+\x20(TSUNAMI\x20|PAN\x20|UDP\x20|UNKNOWN\x20|GETSPOOFS|SPOOFS\x20)/i"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007623; classtype:trojan-activity; sid:2007623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Juicopotomous to Controller"; flow:established,to_server; dsize:1; content:"|7c|"; flowbits:set,ET.unknown.setup; flowbits:noalert; reference:url,doc.emergingthreats.net/2008245; classtype:trojan-activity; sid:2008245; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Juicopotomous ack from Controller"; flowbits:isset,ET.unknown.setup; flow:established,from_server; dsize:<50; content:"|7d 27|"; depth:2; flowbits:set,ET.unknown.replied; reference:url,doc.emergingthreats.net/2008246; classtype:trojan-activity; sid:2008246; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Juicopotomous ack to Controller"; flowbits:isset,ET.unknown.replied; flow:established,to_server; dsize:<50; content:"|7e 27|"; depth:2; reference:url,doc.emergingthreats.net/2008247; classtype:trojan-activity; sid:2008247; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102479; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nine Ball Infection Ping Outbound"; icode:0; itype:8; dsize:32; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; reference:url,doc.emergingthreats.net/2011185; classtype:trojan-activity; sid:2011185; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102478; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nine Ball Infection Posting Data"; flow:established,to_server; content:"POST /"; depth:6; content:"/gate/"; distance:0; content:".php"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:"AAAAAAAACI"; distance:67; within:10; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011187; classtype:trojan-activity; sid:2011187; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102477; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.1 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"|1D B9 F2 75 62 85 5A 4F 15 48 52 1D 50 90 41 89 37 9F FF 94 CE A6 3E 63 35 AB 29 6B 30 43 2F 45 46 B0 E1 C2 11 7F 0C 55 0F C7|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003184; classtype:trojan-activity; sid:2003184; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102476; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.2 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"|13 B9 F2 75 62 85 5A 4F 15 48 19 1D 10 4F 0D 5B 04 5B 04 60 CE 5F 00 67 F5 AE 25 6B 20 41 23 B3|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003185; classtype:trojan-activity; sid:2003185; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Prg Trojan v0.3 Binary In Transit"; flow:to_client,established; content:"MZ"; content:"| 5E 7D 66 7D 28 40 19 88 5F 8C 13 50 15 59 08 58 3C 97 00 9B 33 A5 F9 AF 39 68 F0 9F 27 AF E9 A8 25 B7 18 B6 15 7F 0E B6 1A|"; depth:128; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003186; classtype:trojan-activity; sid:2003186; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102473; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp any any -> any any (msg:"ET DELETED Generic Raider Obfuscated VBScript"; flow:established; content:"execute"; content:"|22 22 22 22 22 3A|"; offset:8; content:"function"; nocase; pcre:"/\x22\x3A(\w)\x3D\x22execute\s+\x22{5}\x3A.*\x3Aexecute\s*\x28\s*\1\s*\x29\x3Aend\s+function\x3A/s"; reference:url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1; reference:url,doc.emergingthreats.net/2008278; classtype:trojan-activity; sid:2008278; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102470; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Proxy.Win32.Wopla.ag Check-In"; flow:established,to_server; dsize:12; content:"|0a 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007603; classtype:trojan-activity; sid:2007603; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102467; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET DELETED Singworm MSN message Outbound"; flow:established; content:"Here are the new smiles for MSN, they are incredible!"; reference:url,doc.emergingthreats.net/2007605; classtype:trojan-activity; sid:2007605; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"ET DELETED Singworm MSN message Inbound"; flow:established; content:"Here are the new smiles for MSN, they are incredible!"; reference:url,doc.emergingthreats.net/2007606; classtype:trojan-activity; sid:2007606; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED phpbb Session Cookie"; flow: established; content:"phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bb%3A1%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%222%22%3B%7D"; nocase; reference:url,www.waraxe.us/ftopict-555.html; reference:url,doc.emergingthreats.net/2001762; classtype:web-application-attack; sid:2001762; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; classtype:trojan-activity; sid:2000327; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103425; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; content:".c4tdownload.com"; within:26; nocase; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; classtype:trojan-activity; sid:2001531; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103426; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; classtype:trojan-activity; sid:2001222; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103177; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay|3b|"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; classtype:policy-violation; sid:2001043; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103176; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Virus User Agent Detected (SPM_ID=)"; flow:established,to_server; content:"User-Agent|3a| SPM_ID="; nocase; reference:url,doc.emergingthreats.net/2003651; classtype:trojan-activity; sid:2003651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103427; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D27CDB6E-AE6D-11cf-96B8-444553540000/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19710; reference:url,www.kb.cert.org/vuls/id/204889; reference:url,www.microsoft.com/technet/security/advisory/979267.mspx; reference:url,doc.emergingthreats.net/2010666; classtype:attempted-user; sid:2010666; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103179; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED WU Malicious Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"WU_Details_"; within:50; pcre:"/filename\s*=\s*"WU_Details_.....\.zip/m"; reference:url,doc.emergingthreats.net/2010376; classtype:trojan-activity; sid:2010376; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103178; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED MySpace Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"MySpace"; within:50; pcre:"/filename\s*=\s*MySpace_document_[0-9]{5}\.zip/m"; reference:url,doc.emergingthreats.net/2010629; classtype:trojan-activity; sid:2010629; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 2"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; within:100; content:"UPS_INVOICE_NR"; within:50; pcre:"/filename=\x22UPS_INVOICE_NR\.[0-9]{4}-[0-9]{6}\.zip\x22/mi"; reference:url,doc.emergingthreats.net/201150; classtype:trojan-activity; sid:2011150; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103378; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 3"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_LABEL_NR."; nocase; within:50; pcre:"/filename=\x22UPS_LABEL_NR\.[A-Z]+_[0-9]{4}-\d+\.ZIP\x22/i"; reference:url,doc.emergingthreats.net/2011151; classtype:trojan-activity; sid:2011151; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103379; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hostile domain, NeoSploit FakeAV google.analytics.com.*.info"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d 0a|Host|3a| google.analytics.com."; nocase; content:".info|0d 0a|"; within:15; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage#-#-topic=3781.0; reference:url,doc.emergingthreats.net/2010866; classtype:trojan-activity; sid:2010866; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103380; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows Shortcut LNK File Automatic File Execution Attempt Via WebDAV"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; content:"<D|3A|locktype><D|3A|write/></D|3A|locktype>"; nocase; distance:0; content:"<D|3A|getcontenttype>shortcut</D|3A|getcontenttype>"; nocase; distance:0; reference:url,support.microsoft.com/kb/2286198; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:cve,2010-2568; reference:url,doc.emergingthreats.net/2011239; classtype:attempted-user; sid:2011239; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103393; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009491; classtype:web-application-attack; sid:2009491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Vulnerable Microsoft Video ActiveX CLSID access (43)"; flow:to_client,established; content:"clsid"; nocase; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009612; classtype:web-application-attack; sid:2009612; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Malvertising drive by kit encountered - bmb cookie"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Set-Cookie|3a| bmb="; nocase; reference:url,doc.emergingthreats.net/2011222; classtype:bad-unknown; sid:2011222; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Fake AV Related CSS Download"; flow:established,from_server; content:"#hello_nod32_guys_how_u_doing"; nocase; reference:url,doc.emergingthreats.net/2011670; classtype:trojan-activity; sid:2011670; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001190; classtype:misc-activity; sid:2001190; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001192; classtype:misc-activity; sid:2001192; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hidden iframe Served by nginx - Likely Hostile Code"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; nocase; offset:15; depth:15; content:"<iframe src="; nocase; content:"style=|22|visibility|3a|hidden|3b 22| width=|22|1|22| height=|22|1|22|></iframe>"; nocase; reference:url,doc.emergingthreats.net/2011714; classtype:bad-unknown; sid:2011714; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103257; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:!"nextgen-gallery"; nocase; within:15; content:"/ngg.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; classtype:trojan-activity; sid:2008387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103258; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http|3a|//"; nocase; content:"/b.js>"; nocase; within:50; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; classtype:trojan-activity; sid:2008388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail Inbox Access"; flow:to_server,established; content:"/gmail?view=tl&search=inbox&start="; http_uri; nocase; reference:url,doc.emergingthreats.net/2001424; classtype:policy-violation; sid:2001424; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Java field reflector call java.lang.reflect.field"; flow:from_server,established; content:"java/lang/reflect/Field"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002785; classtype:trojan-activity; sid:2002785; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Javascript unsafe applet call"; flow:from_server,established; content: "sun.misc.Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002786; classtype:trojan-activity; sid:2002786; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Javascript Securitymanager class applet call"; flow:from_server,established; content: "java.lang.SecurityManager"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002787; classtype:trojan-activity; sid:2002787; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102937; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Agent.END"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; content:"MyValue="; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010243; classtype:trojan-activity; sid:2010243; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Slowloris Tool HTTP/Proxy Denial Of Service Attempt"; flow:to_server,established; content:"GET /"; depth:5; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| Trident/4.0"; http_header; threshold: type threshold, track by_src, count 100, seconds 30; reference:url,isc.sans.org/diary.html?storyid=6601; reference:url,www.packetstormsecurity.com/filedesc/slowloris.pl.txt.html; reference:url,doc.emergingthreats.net/2009413; classtype:attempted-dos; sid:2009413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Casalemedia.com Related User Agent (0 0 ...)"; flow: established,to_server; content:"|0d 0a|User-Agent|3a| 0|3a|0|3a|"; pcre:"/\x0d\x0aUser-Agent\: 0\:0\:[^\n]{120}/"; reference:url,doc.emergingthreats.net/2007647; classtype:trojan-activity; sid:2007647; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103219; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unidentified Spyware User Agent (0 0 + 128 chars)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 0|3a|0|3a|"; nocase; pcre:"/User-Agent\: 0\:0\:[^\x0a|\x0d]{128}/"; reference:url,doc.emergingthreats.net/2007615; classtype:trojan-activity; sid:2007615; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103218; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Opera Web Browser Content-Length Buffer Overflow Attempt"; flowbits:isset,ET.opera.useragent.request; flow:established,to_client; content:"Content-Length|3A|"; nocase; isdataat:3000,relative; content:!"|0A|"; within:3000; content:"Location|3A| chrome|3A|//"; nocase; distance:3000; reference:url,www.securityfocus.com/bid/38519; reference:url,doc.emergingthreats.net/2010874; classtype:attempted-user; sid:2010874; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103221; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FathFTP ActiveX Control RasIsConnected Method Buffer Overflow Attempt"; flow:to_client,established; flowbits:isset,etpro.clsid.detected; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"RasIsConnected"; nocase; reference:url,exploit-db.com/exploits/14269/; reference:url,doc.emergingthreats.net/2011252; classtype:web-application-attack; sid:2011252; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103220; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Opera User-Agent Flowbit Set"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| Opera/"; nocase; flowbits:set,ET.opera.useragent.request; flowbits:noalert; reference:url,doc.emergingthreats.net/2010873; classtype:not-suspicious; sid:2010873; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103409; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft XML Core Services DTD Cross Domain Information Disclosure object"; flow:to_client,established; content:"Msxml2.DOMDocument.3.0"; nocase; content:"loadXML"; distance:0; nocase; content:"parseError.srcText"; distance:0; nocase; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008886; classtype:web-application-attack; sid:2008886; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103410; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; flowbits:isset,etpro.clsid.detected; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002172; classtype:web-application-attack; sid:2002172; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103411; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to js.zedo.com.* host"; flow:established,to_server; content:"Host|3a| js.zedo.com."; http_header; classtype:bad-unknown; sid:2011303; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103412; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to media.fastclick.net.* host"; flow:established,to_server; content:"Host|3a| media.fastclick.net."; http_header; classtype:bad-unknown; sid:2011302; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103240; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to view.ads.* host"; flow:established,to_server; content:"Host|3a| view.ads."; http_header; classtype:bad-unknown; sid:2011304; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103241; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to adnet.media.* host"; flow:established,to_server; content:"Host|3a| adnet.media."; http_header; classtype:bad-unknown; sid:2011305; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103115; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING request to adfarm.mediaplex.com.* host"; flow:established,to_server; content:"Host|3a| adfarm.mediaplex.com."; http_header; classtype:bad-unknown; sid:2011306; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103114; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting redirect to drive by - .php?c=cust"; flow:established,to_server; content:".php?c=cust"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011231; classtype:bad-unknown; sid:2011231; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103117; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET DELETED Yoyo-DDoS Bot Command from CnC Server"; flow:established,from_server; dsize:124; content:"|C1 00 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011401; rev:1; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103116; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; classtype:bad-unknown; sid:2011546; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103098; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab jquery.jxx"; flow:established,to_server; content:"/jquery.jxx?v="; http_uri; classtype:bad-unknown; sid:2011353; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103090; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Driveby bredolab server response contains .ru 8080/index.php?"; flow:established,to_client; content:".ru|3a|8080/index.php?"; classtype:bad-unknown; sid:2011351; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103099; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Bredavi Checkin"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; http_uri; nocase; reference:url,doc.emergingthreats.net/2010791; classtype:trojan-activity; sid:2010791; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103160; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Banker.OT Checkin (2 packet)"; flow:established,to_server; content:"praquem="; depth:8; content:"&titulo="; content:"&texto="; reference:url,doc.emergingthreats.net/2008491; classtype:trojan-activity; sid:2008491; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103161; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; reference:url,doc.emergingthreats.net/2007805; classtype:trojan-activity; sid:2007805; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Browser HiJacker/Infostealer Stat file"; flow:established,to_server; content:"|5B00|u|00|p|00|d|00|a|00|t|00|e|005D|"; nocase; content:"v|00|e|00|r|00|="; nocase; reference:url,doc.emergingthreats.net/2007777; classtype:trojan-activity; sid:2007777; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103162; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/visualizza.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008824; classtype:web-application-attack; sid:2008824; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin Flowbit set"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; flowbits:set,ET.PINCH; flowbits:noalert; reference:url,doc.emergingthreats.net/2008468; classtype:trojan-activity; sid:2008468; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tibs Download"; flow:established,to_server; content:"/dl.php?code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002960; classtype:trojan-activity; sid:2002960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tibs Code Download"; flow:established,to_server; content:"/sred2.exe"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002962; classtype:trojan-activity; sid:2002962; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102929; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot Spam Download"; flow:established,to_server; content:"/synctl/getmail.fcgi?"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2002965; classtype:trojan-activity; sid:2002965; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.StartPage activity"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"stat.htm?id="; http_uri; content:"&r="; http_uri; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&cnzz|5f|eid="; http_uri; content:"|2d|&showp="; http_uri; content:"&st="; http_uri; content:"&sin"; http_uri; content:"&res="; http_uri; reference:url,doc.emergingthreats.net/2011228; classtype:trojan-activity; sid:2011228; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102940; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Warezov/Stration Data Post to Controller (pr2.cgi)"; flow:established,to_server; content:"/cgi-bin/pr2.cgi"; http_uri; pcre:"/\/cgi-bin\/pr2\.cgi\?[a-zA-Z0-9]{172}/Ui"; reference:url,doc.emergingthreats.net/2006414; classtype:trojan-activity; sid:2006414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102174; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Evolmi Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/cgi-bin/v.pl|3f 5f|"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008846; classtype:trojan-activity; sid:2008846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103203; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MSN User-Agent Activity"; flow:established,to_server; content:"User-Agent|3a| MSMSGS"; http_header; nocase; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009376; classtype:policy-violation; sid:2009376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail Message Send"; flow: to_server,established; content:"Content-Disposition|3A| form-data|3b| name=|22|to|22|"; nocase; http_header; content:"Content-Disposition|3A| form-data|3b| name=|22|msgbody|22|"; nocase; http_header; reference:url,doc.emergingthreats.net/2001426; classtype:policy-violation; sid:2001426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102941; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002171; classtype:web-application-attack; sid:2002171; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102175; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 2)"; flow:established,from_server; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002492; classtype:web-application-attack; sid:2002492; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103433; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; classtype:trojan-activity; sid:2000930; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103434; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED TinyPE Binary - Possibly Hostile"; flow:from_server,established; content:"MZ"; content:"PE|00 00|"; within:20; reference:url,www.phreedom.org/solar/code/tinype/; reference:url,www.packetninjas.net/blog/2008/11/20/ids-signature-for-extremely-small-portable-executable-files.html; reference:url,doc.emergingthreats.net/2008576; classtype:trojan-activity; sid:2008576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103185; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Variant Checkin Activity"; flow:established,to_server; content:"/sm.php?pizda"; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:md5,f39d0a669ad98b95370a4f525d7d79ec; classtype:trojan-activity; sid:2011335; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103184; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011792; rev:5; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103435; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz or Rohimafo config loaded"; flow: established,to_server; content:"knock.php"; nocase; http_uri; content:"=seller-"; nocase; http_uri; content:"load|5f|success"; nocase; content:!"User-Agent"; http_header; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011522; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103436; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011524; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gmail File Send"; flow:to_server,established; content:"Content-Disposition|3a| form-data|3b| name=|22|msgbody|22|"; nocase; http_client_body; content:"name=|22|form-data|3b| file0|22 3b| filename=|22|"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2001425; classtype:policy-violation; sid:2001425; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to eleonore exploit kit"; flow:established,to_client; content:"SL_"; http_cookie; content:"_0000="; http_cookie; classtype:exploit-kit; sid:2011810; rev:1; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007504; classtype:web-application-attack; sid:2007504; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007505; classtype:web-application-attack; sid:2007505; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103385; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007506; classtype:web-application-attack; sid:2007506; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103386; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007507; classtype:web-application-attack; sid:2007507; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103387; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007508; classtype:web-application-attack; sid:2007508; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; content:"/vehiclelistings.asp?"; nocase; http_uri; content:"vehicleID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007509; classtype:web-application-attack; sid:2007509; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; reference:url,doc.emergingthreats.net/2002173; classtype:web-application-attack; sid:2002173; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; reference:url,doc.emergingthreats.net/2002308; classtype:web-application-attack; sid:2002308; rev:49; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103401; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 1)"; flow:established,from_server; pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002491; classtype:web-application-attack; sid:2002491; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103402; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED COM Object MS05-052 (group 3)"; flow:established,from_server; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/i"; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; reference:url,doc.emergingthreats.net/2002493; classtype:web-application-attack; sid:2002493; rev:81; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103403; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/embadmin/login.asp"; http_uri; nocase; content:"%27"; depth:300; reference:url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html; reference:url,exploit-db.com/exploits/14376; classtype:web-application-attack; sid:2011826; rev:2; metadata:created_at 2010_10_19, updated_at 2010_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"ET DELETED Yahoo Chat Signin Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|550|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007066; classtype:policy-violation; sid:2007066; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103264; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo Chat Signin Success Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|85|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007067; classtype:policy-violation; sid:2007067; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103265; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert ip [192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 3"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002751; classtype:bad-unknown; sid:2002751; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103266; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 5050 <> $HOME_NET any (msg:"ET DELETED Yahoo Chat Activity Inside Webmail"; flow:established,to_server; content:"content-length|3a|"; nocase; depth:15; content:"<Ymsg Command=|22|"; nocase; reference:url,yahoo.com; reference:url,doc.emergingthreats.net/2007068; classtype:policy-violation; sid:2007068; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Metacafe.com family filter off"; flow:established,to_server; content:"POST"; http_method; content:"Host|3a| www.metacafe.com"; http_header; content:"submit=Continue+-+I%27m+over+18"; reference:url,doc.emergingthreats.net/2006367; classtype:policy-violation; sid:2006367; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rapidshare download unauthd image post"; flow:to_server,established; content:"POST"; http_method; content:"/files/"; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:"rapidshare.com"; nocase; http_header; content:"&accesscode="; nocase; content:"&actionstring=Download"; nocase; within:50; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006368; classtype:policy-violation; sid:2006368; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102939; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Netvacy.com Anonymizing Proxy Access"; flow:established,to_server; content:"Host|3a| www.netvacy.com"; http_header; reference:url,doc.emergingthreats.net/2003453; classtype:policy-violation; sid:2003453; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103024; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHP Anonymizing/Evasion Proxy In Use"; flow: to_server,established; content:"GET"; http_method; content:"/index.php?q="; nocase; http_uri; pcre:"/index\.php\?q=(uggc|jjj|http|www|aHR0c|d3d3)/Ui"; reference:url,sourceforge.net/projects/php-proxy/; reference:url,doc.emergingthreats.net/2006410; classtype:policy-violation; sid:2006410; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103227; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Community Link Pro Login.CGI Remote Command Execution Attempt"; flow:to_server,established; content:"/login.cgi?"; nocase; http_uri; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14097; reference:url,doc.emergingthreats.net/2002067; classtype:web-application-attack; sid:2002067; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103226; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006718; classtype:web-application-attack; sid:2006718; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103229; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006719; classtype:web-application-attack; sid:2006719; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006720; classtype:web-application-attack; sid:2006720; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103417; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006721; classtype:web-application-attack; sid:2006721; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103418; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006722; classtype:web-application-attack; sid:2006722; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103419; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"iType="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006723; classtype:web-application-attack; sid:2006723; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103420; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006724; classtype:web-application-attack; sid:2006724; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103248; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UNION SELECT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006725; classtype:web-application-attack; sid:2006725; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103249; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action INSERT"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006726; classtype:web-application-attack; sid:2006726; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103250; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action DELETE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006727; classtype:web-application-attack; sid:2006727; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103251; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006728; classtype:web-application-attack; sid:2006728; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103123; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UPDATE"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"Action="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006729; classtype:web-application-attack; sid:2006729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103122; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007024; classtype:web-application-attack; sid:2007024; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103125; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UNION SELECT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007025; classtype:web-application-attack; sid:2007025; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id INSERT"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007026; classtype:web-application-attack; sid:2007026; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103106; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id DELETE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007027; classtype:web-application-attack; sid:2007027; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103094; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id ASCII"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007028; classtype:web-application-attack; sid:2007028; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UPDATE"; flow:established,to_server; content:"/ad.asp?"; nocase; http_uri; content:"ad_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007029; classtype:web-application-attack; sid:2007029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"p="; http_uri;content:"&id="; http_uri; content:"User-Agent|3a| personal"; http_header; nocase; reference:url,doc.emergingthreats.net/2008346; classtype:trojan-activity; sid:2008346; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103095; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Rogue antivirus downloader x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; flow:established,to_server; content:"GET"; http_method; content:"x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1"; nocase; http_uri; classtype:bad-unknown; sid:2011898; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojandropper dunik!rts xxx/download7/21/install_flash_player.exe"; flow:established,to_server; content:"GET"; http_method; content:"xxx/download7/21/install_flash_player.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011900; rev:1; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103170; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING Hidden iframe Redirecting to SEO Driveby Site"; flow:established,to_client; content:"width=\"1\" height=\"1\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\"></iframe>"; classtype:bad-unknown; sid:2011417; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!TOP|//)\Wsecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002461; classtype:policy-violation; sid:2002461; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential TDSS HTTP Library GET"; flow:established,to_server; content:"=="; http_uri; content:"GET"; http_method; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|Cache-Control|3a 20|no-cache"; distance:0; content:!"|0d 0a|Accept|3a 20|"; content:!"Referer|3a 20|"; classtype:trojan-activity; sid:2011890; rev:7; metadata:created_at 2010_11_03, updated_at 2010_11_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Ligats/DR.Ilomo Agent Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"o="; http_client_body; content:"&s=000"; http_client_body; reference:url,doc.emergingthreats.net/2008740; classtype:trojan-activity; sid:2008740; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Metasploit Framework Update"; flow:from_server,established; content:"http|3A|//certificates.godaddy.com/repository"; content: "metasploit.com"; fast_pattern; distance:0; reference:url,www.metasploit.com/framework/; reference:url,www.ethicalhacker.net/content/view/29/24/; reference:url,doc.emergingthreats.net/2008418; classtype:misc-activity; sid:2008418; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Facebook"; pcre:"/filename=\x22Facebook_(Password|Support|Document)_[A-Z0-9]{4,7}\.zip\x22/m"; reference:url,doc.emergingthreats.net/2010498; classtype:trojan-activity; sid:2010498; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103211; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010408; classtype:shellcode-detect; sid:2010408; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010422; classtype:shellcode-detect; sid:2010422; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mac User-Agent Typo Likely Hostile/Trojan Infection"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Macintosh|3b|"; http_header; content:"(KHTML, like Geco,"; http_header; reference:url,doc.emergingthreats.net/2008954; classtype:trojan-activity; sid:2008954; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103394; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign SSL Certificate"; flow:established,to_client; content:"www.bozvanovna.com"; fast_pattern:only; nocase; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012083; rev:1; metadata:attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103395; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> any !$HTTP_PORTS (msg:"ET DELETED Anonymous Proxy Traffic from Inside"; flow: from_client,established; flags:*AP,12; content:"GET http|3a|//"; depth:11; content:"HTTP/1.0"; within:50; reference:url,doc.emergingthreats.net/2003069; classtype:policy-violation; sid:2003069; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103242; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET DELETED NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002187; classtype:attempted-admin; sid:2002187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103243; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DELETED NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; distance:110; within:5; content:"|F6387A76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002188; classtype:attempted-admin; sid:2002188; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103100; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"%PDF-"; depth:300; nocase; content:"/U3D/Length 172"; distance:0; pcre:"/\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012121; rev:1; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103101; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Megaupload file download service access"; flow:to_server,established; content:"GET"; http_method; content:"Host|3a| "; http_header; content:"megaupload.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2009301; classtype:policy-violation; sid:2009301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED HP Data Protector Media Operations SignInName Parameter Overflow"; flow:established,to_server; content:"/4daction/wHandleURLs/handleSignIn|3F|sess|3D|"; http_uri; content:"Referer|3A 20|"; nocase; http_header; content:"SignInName|3D|"; nocase; isdataat:1000; reference:url,elotrolad0.blogspot.com/2010/10/hp-data-protector-media-operations-611_23.html; reference:url,securitytracker.com/id?1024634; classtype:attempted-user; sid:2011889; rev:5; metadata:created_at 2010_11_02, updated_at 2010_11_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED m28sx twitter worm redirect access"; flow:established,to_server; content:"/undo/red.php"; http_uri; content:"Host|3a| gdfgdfgdgdfgdfg.in.ua"; nocase; http_header; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012209; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103168; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity to document.doc"; flow:established,to_server; content:"/forum/document.doc"; http_uri; content:"!Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012280; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103169; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download request"; flow:established,to_server; content:"/forum/load.php?file="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012281; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100538; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Base64 Encoded FTP Commands (21 > o&echo user 1 1 >> o &echo get)"; flow:established,from_server; content:"MjEgPiBvJmVjaG8gdXNlciAxIDEgPj4gbyAmZWNobyBnZXQgUm"; fast_pattern; classtype:attempted-user; sid:2012291; rev:2; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100537; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert ip [102.0.0.0/7,104.0.0.0/8,106.0.0.0/8,179.0.0.0/8,185.0.0.0/8] any -> $HOME_NET any (msg:"ET DELETED Reserved IP Space Traffic - Bogon Nets 2"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002750; classtype:bad-unknown; sid:2002750; rev:27; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100536; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; classtype:trojan-activity; sid:2000307; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:2100535; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.SillyP2P Checkin"; flow:to_server,established; content:"GET"; http_method; content:"csi?v="; http_uri; content:"&s=webhp&action=&e=0&ei="; http_uri; content:"&expi="; http_uri; content:"&imc="; http_uri; content:"&imn="; http_uri; content:"&imp="; http_uri; content:"&rt=xjsls"; http_uri; reference:md5,a7e1388c38c1fed12785bc335f95b15d; reference:url,www.securehomenetwork.blogspot.com/2011/02/anonleaks-continues-relationship-with.html; classtype:trojan-activity; sid:2012311; rev:4; metadata:created_at 2011_02_14, updated_at 2011_02_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:2100534; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Base64 Encoded FTP Commands Upload (21 > o&echo user 1 1 >> o &echo get)"; flow:established,to_server; content:"MjEgPiBvJmVjaG8gdXNlciAxIDEgPj4gbyAmZWNobyBnZXQgUm"; fast_pattern; classtype:attempted-user; sid:2012292; rev:3; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2100533; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] any (msg:"ET DELETED Facebook URL Redirect Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/track.php?"; nocase; http_uri; content:"r="; nocase; http_uri; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html; classtype:trojan-activity; sid:2012402; rev:7; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100532; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Android Use-After-Free Remote Code Execution on Webkit"; flow:to_client,established; content:".appendChild"; content:"-parseFloat("; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/15548/; classtype:web-application-attack; sid:2012046; rev:3; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:2100530; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake Google Toolbar User-Agent"; flow:established,to_server; content:"|3b| GTB0.0|3b| "; http_header; classtype:trojan-activity; sid:2012516; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus Dropper Infection - /check"; flow:established,to_server; content:"/check"; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; content:"Cache-Control|3a| no-cache|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009212; classtype:trojan-activity; sid:2009212; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic";  reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:6; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS http client library detected"; flow:established,to_server; content:"GET "; depth:4; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0d 0a|User-Agent|3a| "; classtype:trojan-activity; sid:2011811; rev:3; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
 
-#alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus http client library detected"; flow:established,to_server; content:"Accept|3a| */*|0D 0A|Connection|3a| Close|0D 0A|User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2011818; rev:4; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
 
-#alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY udp port 0 traffic";  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:2100525; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Config File URL"; flow:established,to_server; content:"000"; http_uri; content:".so"; http_uri; nocase; fast_pattern; pcre:"/\/000[a-z][0-9]{3}\x2Eso/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012081; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Bozvanovna Zeus Campaign Binary File URL"; flow:established,to_server; content:"000"; fast_pattern; http_uri; content:".exe"; http_uri; nocase; pcre:"/\/000[a-z][0-9]{3}\x2Eexe/Ui"; reference:url,www.abuse.ch/?p=2986; classtype:trojan-activity; sid:2012082; rev:3; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; content:"MSPublisher"; flowbits:set,ms.publisher.file; flowbits:noalert; reference:cve,2010-3995; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; classtype:attempted-user; sid:2012519; rev:4; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL DELETED MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:12; metadata:created_at 2010_09_23, former_category CHAT, updated_at 2019_05_21;)
+#alert http $HOME_NET any -> 67.15.94.80 any (msg:"ET DELETED Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; content:"/GeoIP.dat.gz"; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; classtype:trojan-activity; sid:2008802; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:2100543; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Injecter Checkin"; flow:established,to_server; content:"GET"; http_method; content:"mod="; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/2008349; classtype:trojan-activity; sid:2008349; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:2100544; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012580; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100545; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EICAR test file with MZ header double-stacking AV evasion technique"; flow:established,from_server; content:"|24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49|"; fast_pattern; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d 53 54 41 4e 44 41 52 44 2d 41 4e 54 49 56 49 52 55 53 2d 54 45 53 54 2d 46 49 4c 45 21 24 48 2b 48 2a|"; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode"; reference:url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612; reference:url,www.eicar.org/anti_virus_test_file.htm; classtype:bad-unknown; sid:2012591; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; depth:5; nocase; classtype:misc-activity; sid:2100546; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED .dll Request Without User-Agent Likely Malware"; flow:established,to_server; content:".dll"; nocase; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:trojan-activity; sid:2012618; rev:2; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:2100548; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Dropper Checkin with NSISDL/1.2 User-Agent"; flow:established,to_server; content:".php?id="; http_uri; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; sid:2012626; rev:4; metadata:created_at 2011_04_04, updated_at 2011_04_04;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP anonymous login attempt"; flow:to_server,established; content:"USER "; depth:5; nocase; content:"anon"; distance:0; classtype:misc-activity; sid:2100553; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Content-Type image/jpeg with DOS MZ header set likely 2nd stage download"; flow:established,from_server; content:"Content-Type|3a 20|image/jpeg|0d 0a|"; content:"MZ"; distance:0; content:"This program cannot be run in DOS mode"; fast_pattern; distance:0; classtype:trojan-activity; sid:2012633; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD space space possible warez site"; flow:to_server,established; content:"MKD  "; depth:5; nocase; classtype:misc-activity; sid:2100547; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Content-Type image/jpeg with Win32 MZ header set likely 2nd stage download"; flow:established,from_server; content:"Content-Type|3a 20|image/jpeg|0d 0a|"; content:"MZ"; distance:0; content:"This program must be run under Win"; fast_pattern; distance:0; classtype:trojan-activity; sid:2012634; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102382; rev:22; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hex Obfuscated arguments.callee Javascript Method in PDF Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"|61|"; distance:0; content:"|72|"; distance:1; within:2; content:"|67|"; distance:1; within:2; content:"|75|"; distance:1; within:2; content:"|6d|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|6e|"; distance:1; within:2; content:"|74|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|2e|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|6c|"; distance:1; within:2; content:"|65|"; distance:1; within:2; content:"|65|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010879; classtype:misc-activity; sid:2010879; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Hex Obfuscation of Javascript Declaration Within PDF File - Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"|2f|"; distance:0; content:"|4a|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|76|"; distance:1; within:2; content:"|61|"; distance:1; within:2; content:"|73|"; distance:1; within:2; content:"|63|"; distance:1; within:2; content:"|72|"; distance:1; within:2; content:"|69|"; content:"|70|"; distance:1; within:2; content:"|74|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2010880; classtype:misc-activity; sid:2010880; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013686; rev:2; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2011_09_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED .pdf File Possibly Containing Basic Hex Obfuscation"; flow:established,from_server; content:"PDF-"; depth:300; pcre:"/PDF-.+[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F].[0-9,A-F][0-9,A-F]/si"; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010884; classtype:misc-activity; sid:2010884; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013551; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Foxit PDF Reader Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"Launch"; nocase; distance:0; isdataat:600,relative; content:!"|0A|"; within:600; content:"NewWindow true"; nocase; distance:600; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0837; reference:url,doc.emergingthreats.net/2010876; classtype:attempted-user; sid:2010876; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013552; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Buzus FTP Log Upload"; flow:established,to_server; dsize:100<>500; content:"|20 20 20 20|"; depth:4; content:"************CD-Key Pack************"; distance:0; content:"Microsoft Windows Product ID CD Key\: "; distance:0; reference:url,doc.emergingthreats.net/2008750; classtype:trojan-activity; sid:2008750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:md5,4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:2; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2011_09_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"|00 00 00|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET MALWARE Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01"; reference:md5,19441bc629e6c1dcb54cb5febdf9a22d; classtype:command-and-control; sid:2013683; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_09_22, deployment Perimeter, former_category MALWARE, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102023; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103003; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101980; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2013248; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt 3150"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101981; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013696; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
+#alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"GPL DELETED DeepThroat 3.1 Server Response 3150"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101982; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013697; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"GPL DELETED DeepThroat 3.1 Connection attempt 4120"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101983; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013698; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
+#alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"GPL DELETED DeepThroat 3.1 Server Response 4120"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:2101984; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013334; rev:4; metadata:created_at 2011_07_30, updated_at 2011_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; nocase; classtype:web-application-activity; sid:2101977; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013335; rev:5; metadata:created_at 2011_07_30, updated_at 2011_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; nocase; classtype:web-application-activity; sid:2101978; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Rbot User-Agent (tiehttp)"; flow:established,to_server; content:"User-Agent|3A 20|tiehttp"; http_header; classtype:trojan-activity; sid:2013449; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL DELETED MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; within:6; distance:2; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101448; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Driveby Download Secondary Request 4"; flow:established,to_server; content:"main.php?page="; http_uri; pcre:"/[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2013651; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL DELETED MS Remote Desktop non-encrypted session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2102418; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/iU"; content: "&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009412; classtype:trojan-activity; sid:2009412; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101953; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:2101122; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101954; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101955; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"GPL DELETED HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:2100510; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:2101956; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"GPL POLICY PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:2100512; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:2101934; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:command-and-control; sid:2013722; rev:2; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:2101935; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; classtype:trojan-activity; sid:2013725; rev:2; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2017_10_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"GPL DELETED answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:2101946; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"GPL DELETED answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:2101947; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:pup-activity; sid:2013729; rev:2; metadata:created_at 2011_10_01, former_category ADWARE_PUP, updated_at 2011_10_01;)
+#alert tcp any any -> 212.146.0.34 1963 (msg:"GPL DELETED TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:2101929; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BD9E5104-2F20-4A9F-AB14-82D558FF374E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan Downloader Win32/Small.CBA download"; flow:established,to_server; content:"popjs.asp?uid="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&c="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177; reference:url,doc.emergingthreats.net/2010569; classtype:trojan-activity; sid:2010569; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (GetExtendedColor)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".GetExtendedColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"GPL DELETED AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:2101906; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (LoadObject)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".LoadObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013733; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101911; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (SaveObject)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".SaveObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:2; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; reference:bid,49933; reference:cve,2011-2841; classtype:attempted-user; sid:2013742; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_10_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:2101887; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL DELETED status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101890; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2011_07_12, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"GPL DELETED win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:2101853; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101854; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE anal sex"; flow:to_client,established; content:"anal sex"; nocase; classtype:policy-violation; sid:2101317; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101855; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED dildo"; flow:to_client,established; content:"dildo"; nocase; classtype:policy-violation; sid:2101781; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"GPL DELETED Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:2101856; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck fuck fuck"; flow:to_client,established; content:"fuck fuck fuck"; nocase; classtype:policy-violation; sid:2101316; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8181 (msg:"GPL DELETED CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:2101858; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck movies"; flow:to_client,established; content:"fuck movies"; nocase; classtype:policy-violation; sid:2101320; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101868; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore anal"; flow:to_client,established; content:"hardcore anal"; nocase; classtype:policy-violation; sid:2101311; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Egypack/1.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|Egypack"; http_header; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2012785; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore rape"; flow:to_client,established; content:"hardcore rape"; nocase; classtype:policy-violation; sid:2101318; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (768)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 768"; reference:url,doc.emergingthreats.net/2010682; classtype:trojan-activity; sid:2010682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hot young sex"; flow:to_client,established; content:"hot young sex"; nocase; classtype:policy-violation; sid:2101315; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV AntivirusDoktor2009 User-Agent (657)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| 657"; reference:url,doc.emergingthreats.net/2010683; classtype:trojan-activity; sid:2010683; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any ->  $EXTERNAL_NET any (msg:"ET MALWARE Win32.Swisyn Reporting"; flow:to_server,established; content:"/Qvodav.exe"; nocase; http_uri; content:"User-Agent|3a| Av_DVD"; nocase; http_header; reference:url,precisesecurity.com/worms/trojan-win32-swisyn-algm; classtype:trojan-activity; sid:2013766; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash 0Day Exploit Attempt"; flow:established,from_server; content:"CWS|09|"; content:"|BA D5 19 5D 86 67 D5 8E 7F BC D0 3C 6E D8 E2 17 16 E8 3A 9F CF 59 B8 7B F6|"; distance:16; reference:url,www.exploit-db.com/exploits/13787/; reference:url,doc.emergingthreats.net/2011672; classtype:misc-attack; sid:2011672; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE naked lesbians"; flow:to_client,established; content:"naked lesbians"; nocase; classtype:policy-violation; sid:2101833; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; content:"<script src=http\://www.ads-t.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010032; classtype:trojan-activity; sid:2010032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED nipple clamp"; flow:to_client,established; content:"nipple"; nocase; content:"clamp"; nocase; classtype:policy-violation; sid:2101782; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (bannert.ru)"; flow:established,from_server; content:"<script src=http|3a|//www.bannert.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010033; classtype:trojan-activity; sid:2010033; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED raw sex"; flow:to_client,established; content:"raw sex"; nocase; classtype:policy-violation; sid:2101786; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Internal User may have Visited an ASProx Infected Site (bannerdriven.ru)"; flow:established,from_server; content:"<script src=http|3a|//www.bannerdriven.ru/ads.js>"; nocase; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010034; classtype:trojan-activity; sid:2010034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED oral sex"; flow:to_client,established; content:"oral sex"; nocase; classtype:policy-violation; sid:2101783; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; classtype:trojan-activity; sid:2009493; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE up skirt"; flow:to_client,established; content:"up skirt"; nocase; classtype:policy-violation; sid:2101313; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Twitter Worm Attack"; flow:to_server,established; content:"m28sx.html"; http_uri; nocase; reference:url,threatpost.com/en_us/blogs/twitter-worm-uses-google-url-shortener-spread-scareware-012011; classtype:misc-attack; sid:2012207; rev:4; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ZBot sp107fb/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"sp107fb/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011896; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"GPL DELETED successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:2101810; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; sid:2011543; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"GPL DELETED successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:2101811; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"CryptSoft Pty Ltd"; within:50; classtype:bad-unknown; sid:2011542; rev:6; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL DELETED gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:2101812; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible German Governmental Backdoor/R2D2.A 2"; flow:from_client,established; content:"C3PO-r2d2-POE"; depth:13; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013752; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Tomcat servlet mapping cross site scripting attempt"; flow:established,to_server; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:2101827; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_23, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Tomcat TroubleShooter servlet access"; flow:established,to_server; content:"/examples/servlet/TroubleShooter"; http_uri; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:2101829; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible German Governmental Backdoor/R2D2.A 1"; flow:from_client,established; content:"|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"; fast_pattern; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013751; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Tomcat SnoopServlet servlet access"; flow:established,to_server; content:"/examples/servlet/SnoopServlet"; http_uri; reference:bugtraq,4575; reference:nessus,11046; classtype:web-application-activity; sid:2101830; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Prosti Checkin"; flow:from_client,established; content:"&first& # 0d 0h "; depth:16; reference:md5,5113c6dbd644874482f3a26650970600; classtype:command-and-control; sid:2013769; rev:1; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+#alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"GPL DELETED IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:2101790; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os="; http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/"; http_header; classtype:command-and-control; sid:2013716; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hotmail Compose Message Submit"; flow:to_server,established; content:"POST"; http_method; content:"mail.live.com"; nocase; http_header; content:"SendMessageLight.aspx"; http_uri; reference:url,doc.emergingthreats.net/2008241; classtype:policy-violation; sid:2008241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip 207.158.22.134 any -> $HOME_NET any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/gui/file/be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013755; rev:4; metadata:created_at 2011_10_11, former_category MALWARE, updated_at 2011_10_11;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; reference:bugtraq,4621; classtype:web-application-attack; sid:2101744; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ip $HOME_NET any -> 207.158.22.134 any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013756; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".KeyFrame|28|"; nocase; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003104; classtype:attempted-user; sid:2003104; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Server ping"; flow:from_server,established; content:"wBmpf3Pb7RJe|0d0a|"; depth:14; dsize:14; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013774; rev:2; metadata:created_at 2011_10_14, updated_at 2011_10_14;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:2100229; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Outbound"; flow:established,to_server; content:"Ypmw1Syv023QZD"; depth:30; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013771; rev:4; metadata:created_at 2011_10_14, former_category MALWARE, updated_at 2011_10_14;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:2100251; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Response"; flow:established,to_client; content:"Ypmw1Syv023QZD"; depth:30; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013772; rev:2; metadata:created_at 2011_10_14, former_category MALWARE, updated_at 2011_10_14;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:2100221; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Client pong"; flow:from_client,established; content:"wZ2pla"; depth:6; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013773; rev:2; metadata:created_at 2011_10_14, updated_at 2011_10_14;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:2100228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ssh any any -> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001984; classtype:misc-activity; sid:2001984; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:2100222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert ssh any any -> any $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:2100225; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED New Malware Information Post"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0d 0a|Pragma|3a| no-cache|0d 0a 0d 0a|"; http_header; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; fast_pattern; reference:url,doc.emergingthreats.net/2009092; classtype:trojan-activity; sid:2009092; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:2100226; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Akamai Redswoosh CLIOnlineManager Connection Detected"; flow:established,to_server; content:"PUT "; depth:4; nocase; content:"|0d 0a|User-Agent|3a|"; content:"rswin_3725.dll"; within:30; nocase; reference:url,doc.emergingthreats.net/2011275; classtype:policy-violation; sid:2011275; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL DELETED TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:2100238; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Centralops.net Probe"; flow:established,to_server; content:"CentralOps.net/)"; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003631; classtype:policy-violation; sid:2003631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"GPL DELETED Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:2100224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED OWASP Joomla Vulnerability Scanner Detected"; flow:established,to_server; content:"HEAD "; depth:5; content:"/joomla/"; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT 5.2\; en-US\; rv|3a|1.9.0.3) Gecko/2008092417 Firefox/3.0.3"; pcre:"/(/joomla/admin|/joomla/administrator|/joomla/manage|/joomla/administration)/U"; threshold: type threshold, track by_dst, count 4, seconds 15; reference:url,www.owasp.org/index.php/Category%3aOWASP_Joomla_Vulnerability_Scanner_Project; reference:url,doc.emergingthreats.net/2009837; classtype:attempted-recon; sid:2009837; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Connect to Controller (variant 2)"; flow:established,to_server; dsize:<220; content:"|d2 00 00 9b|"; depth:4; reference:url,doc.emergingthreats.net/2008532; classtype:trojan-activity; sid:2008532; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QQHelper related Spyware User-Agent (H)"; flow:to_server,established; content:"User-Agent|3a| H|0d 0a|"; reference:url,doc.emergingthreats.net/2003749; classtype:pup-activity; sid:2003749; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Banker Trojan CnC Server Ping"; flow:established,from_server; dsize:<100; content:"PING|7c|"; reference:url,doc.emergingthreats.net/2009864; classtype:command-and-control; sid:2009864; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; http_header; content:!")|0d 0a|"; within:100; http_header; pcre:"/\(compatible[^\)]+\n/"; reference:url,doc.emergingthreats.net/2010906; classtype:bad-unknown; sid:2010906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Java Exploit Attempt applet via file URI"; flow:established,from_server; content:"applet|20|"; nocase; content:"codebase"; nocase; distance:0; content:"|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"|5c|java|5c|jre6|5c|lib|5c|ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012608; rev:7; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banload iLLBrain Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_uri; content:"/iLL"; http_uri; content:".xxx"; http_uri; reference:url,doc.emergingthreats.net/2008328; classtype:trojan-activity; sid:2008328; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"GPL DELETED Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:2101636; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Koobface.C User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/5.01"; content:"Gecko/2005"; fast_pattern; within:50; content:"Firefox/3"; distance:5; reference:url,doc.emergingthreats.net/2008848; classtype:trojan-activity; sid:2008848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:2101629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot related infection - Unique HTTP get request"; flow:established,to_server; content:".dll|0d 0a|e|20|HTTP/1.1"; rawbytes; content:!"User-Agent|3a|"; nocase; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003432; classtype:trojan-activity; sid:2003432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"GPL DELETED iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; reference:cve,1999-0897; classtype:web-application-activity; sid:2101604; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; uricontent:"/script.php?"; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:exploit-kit; sid:2011468; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Java"; http_header; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:3; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE"; flow:established,to_server; content:"user-agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:!"|0d 0a|VIA|3a 20|"; http_header; classtype:trojan-activity; sid:2012607; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious SEO landing in.cgi with URI HTTP_REFERER"; flow:established,to_server; content:"/in.cgi?"; http_uri; content:"&seoref=http"; http_uri; content:"&parameter=$"; http_uri; content:"&HTTP_REFERER=http"; http_uri; fast_pattern; classtype:bad-unknown; sid:2012796; rev:3; metadata:created_at 2011_05_09, updated_at 2011_05_09;)
 
-#alert ssh $HOME_NET any -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:4; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; content:"<div style=\"visibility|3a| hidden|3b|\"><"; depth:120; classtype:bad-unknown; sid:2011307; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Outbound"; flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010824; classtype:trojan-activity; sid:2010824; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SL_*_0000 JavaScript redirect"; flow:established,to_client; content:"200"; http_stat_code; content:"SL_"; http_cookie; content:"_0000="; http_cookie; content:"window.location"; classtype:bad-unknown; sid:2013012; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Inbound"; flow:from_server; dsize:<20; content:"PING |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010825; classtype:trojan-activity; sid:2010825; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Java User Agent"; flow:established,to_server; content:"User-Agent|3a| Java/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013029; rev:2; metadata:created_at 2011_06_14, updated_at 2011_06_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED B0tN3t IRCbotnet"; flow:from_server,established; content:"|3a|"; offset:0; depth:1; content:"B0tN3t"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; reference:url,en.wikipedia.org/wiki/Botnet; reference:url,doc.emergingthreats.net/2007672; classtype:misc-activity; sid:2007672; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Dropper Checkin (2)"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:!"|0d 0a|User-Agent|3a| "; nocase; content:"|0d 0a 0d 0a|updater_version="; nocase; content:"&updater_lang="; distance:0; nocase; content:"&action_type=log"; distance:0; nocase; reference:url,doc.emergingthreats.net/2010830; classtype:trojan-activity; sid:2010830; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 1)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; reference:url,doc.emergingthreats.net/2006910; classtype:trojan-activity; sid:2006910; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Tonclank Sending Device Information"; flow:established,to_server; content:"/ProtocolGW/instal"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013039; rev:5; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 3)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02|"; content:"|02|"; within: 32; pcre:"/\x3A\x02(Alvo dos Pacotes|Conectando-se em|M.dia de envio|Tempo.*|Total .*)\x02/i"; reference:url,doc.emergingthreats.net/2006912; classtype:trojan-activity; sid:2006912; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyeEye Trojan Request file=grabbers"; flow:established,to_server; content:".php?file="; nocase; http_uri; content:"grabber"; distance: 0; http_uri; classtype:trojan-activity; sid:2012613; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BOT - potential DDoS command (2)"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"ddos"; nocase; pcre:"/ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; reference:url,doc.emergingthreats.net/2003132; classtype:trojan-activity; sid:2003132; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by 2"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src="; content:"style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011961; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential DDoS command 1"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"floodnet "; pcre:"/floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2002032; classtype:trojan-activity; sid:2002032; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:md5,6c9ad4d06f72edcd2b301d66b25ad101; reference:md5,91fa03240b5a59853d0dad708055a7a8; reference:md5,3dd8193692b62a875985349b67da38c6; classtype:trojan-activity; sid:2011415; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via http command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:" http|3a|//"; fast_pattern:only; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+http\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2002031; classtype:trojan-activity; sid:2002031; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Client Visiting Sidename.js Injected Website - Malware Related"; flow:established,to_client; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013060; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow:to_client,established; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within:40; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002029; classtype:trojan-activity; sid:2002029; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED OneStep Adware related User Agent (x)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| x|0d 0a|"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; classtype:trojan-activity; sid:2009987; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE perlb0t/w0rmb0t Response 2"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within: 32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; reference:url,doc.emergingthreats.net/2006911; classtype:trojan-activity; sid:2006911; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1064 (msg:"ET DELETED Win32/Fynloski Backdoor Keepalive Message"; flow:established,to_server; content:"KEEPALIVE"; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; content:"KEEPALIVE"; distance:5; within:10; reference:md5,baca8170608c189e2911dc4e430c7719; classtype:trojan-activity; sid:2013067; rev:2; metadata:created_at 2011_06_20, updated_at 2011_06_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC DCC chat request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; nocase; depth:8; content:" |3a|.DCC CHAT chat"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; classtype:policy-violation; sid:2000350; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Scanner Landing Page (Initializing Virus Protection System...)"; flow:established,from_server; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2012815; rev:3; metadata:created_at 2011_05_18, updated_at 2011_05_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC DNS request on non-standard port"; flow:to_server,established; content:"USERHOST "; nocase; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; classtype:policy-violation; sid:2000352; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; classtype:attempted-admin; sid:2101282; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET !6666:7000 -> $HOME_NET any (msg:"ET DELETED IRC Name response on non-standard port"; flow: to_client,established; dsize:<128; content:"|3a|"; depth:1; content:" 302 "; content:"=+"; content:"@"; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; classtype:trojan-activity; sid:2000346; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MacDefender OS X Fake AV Scareware"; flow:established,to_server; content:"GET"; http_method; content:"affid="; http_uri; content:"data="; http_uri; content:"v="; http_uri; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012958; rev:5; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kaiten IRCbotnet login"; flow:to_server,established; content:"NICK|20|"; depth:5; content:"USER|20|"; within:32; content:"localhost|20|localhost|20 3A|"; within:32; pcre:"/NICK\x20\S+\x0AUSER\x20\S+localhost\x20localhost\x20\x3A/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007621; classtype:trojan-activity; sid:2007621; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RiskTool.Win32.WFPDisabler Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/go.asp?"; nocase; http_uri; content:"svid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"tpages="; nocase; http_uri; content:"ttimes="; nocase; http_uri; content:"tzone="; nocase; http_uri; content:"tcolor="; nocase; http_uri; content:"vpage="; http_uri; nocase; reference:md5,c81be1cf10d9578803dab8c1bc62ccfa; classtype:web-application-attack; sid:2012588; rev:4; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Pitbull IRCbotnet Response"; flow:established; content:"PRIVMSG|20|"; content:"|3A|"; within:32; content:"4"; within:5; content:"12"; within:5; content:"|3a|"; within:5; pcre:"/\x3a.4\x7c.12.\x3a.4/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007624; classtype:trojan-activity; sid:2007624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:md5,7684532e7e1d717427f6842e9d5ecd56; classtype:trojan-activity; sid:2013121; rev:3; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE psyBNC IRC Server Connection"; flow:from_server,established; content:"psyBNC@lam3rz"; depth:33; nocase; flowbits:isset,is_proto_irc; reference:url,en.wikipedia.org/wiki/PsyBNC; reference:url,doc.emergingthreats.net/2003302; classtype:misc-activity; sid:2003302; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED KazaaClient P2P Traffic"; flow: established; content:"Agent|3a| KazaaClient"; nocase; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001812; classtype:policy-violation; sid:2001812; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot scan/exploit command"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002030; classtype:trojan-activity; sid:2002030; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Client Visiting cssminibar.js Injected Website Malware Related"; flow:established,to_client; content:"/cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013191; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC potential bot commands"; flow:established,from_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; reference:url,doc.emergingthreats.net/2002384; classtype:trojan-activity; sid:2002384; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Hooker Checkin Message"; flow:established,to_server; content:"&lg="; http_uri; content:"&ntime="; http_uri; content:"&repeatip="; http_uri; content:"&rtime="; http_uri; content:"&sin="; http_uri; classtype:trojan-activity; sid:2013205; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC potential reptile commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002363; classtype:trojan-activity; sid:2002363; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&msg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&pauid="; nocase; http_uri; content:"&checkId="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:command-and-control; sid:2013215; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Username in IRC (XP-..)"; flow:established,to_server; content:"USER XP-"; depth:8; reference:url,doc.emergingthreats.net/2008123; classtype:trojan-activity; sid:2008123; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Specfix Checkin"; flow:established,to_server; content:"/AWS"; http_uri; content:".jsp?"; http_uri; content:"x-bigfix-client-string|3A|"; http_header; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2; classtype:trojan-activity; sid:2013218; rev:2; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zapchast Bot User-Agent"; flow:established,to_server; content:"User-Agent|3a| MJ12bot/"; http_header; reference:url,www.majestic12.co.uk/bot.php; reference:url,doc.emergingthreats.net/2007781; classtype:trojan-activity; sid:2007781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC CHAT chat"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101640; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Majestic-12 Spider Bot User-Agent (MJ12bot)"; flow:to_server,established; content:"User-Agent|3a| MJ12bot"; reference:url,www.majestic12.co.uk/; reference:url,doc.emergingthreats.net/2003409; classtype:trojan-activity; sid:2003409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC SEND"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101639; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Majestic-12 Spider Bot User-Agent Inbound (MJ12bot)"; flow:to_server,established; content:"User-Agent|3a| MJ12bot"; http_header; reference:url,www.majestic12.co.uk/; reference:url,doc.emergingthreats.net/2007762; classtype:trojan-activity; sid:2007762; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo KCIK IRC Command"; flow:established,to_server; content:"KCIK |7b|"; depth:6; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013247; rev:5; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003122; classtype:policy-violation; sid:2003122; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:4; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL DELETED nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; reference:nessus,10753; classtype:web-application-activity; sid:2101518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_20, updated_at 2011_10_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby bredolab request to a .ru 8080 URI"; flow:established,to_server; content:".ru|3a|8080|0D 0A|"; classtype:bad-unknown; sid:2011354; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Srizbi registering with controller"; dsize:20; content:"|2d|"; offset:6; content:"|2d|"; distance:6; within:1; content:!"|00|server."; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007711; classtype:trojan-activity; sid:2007711; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dictcn Trojan Downloader Update Check to CnC"; flow:established,to_server; content:".php?cid="; http_uri; content:"&version="; http_uri; content:"&lose="; http_uri; content:"&tipsid="; http_uri; content:"&from="; http_uri; classtype:command-and-control; sid:2013323; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Client Checkin"; flow:established,to_server; content:"|40 1f|"; offset:1; depth:2; content:"|03|"; distance:1; within:1; content:"|20 00 00 00|"; distance:1; within:4; dsize:10; reference:md5,a7f4a7d08fa650a5f09a00519b944b0b; classtype:command-and-control; sid:2013793; rev:1; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Receiving XML Format Update File From CnC Server"; flow:established,to_client; content:"<dictcn>"; fast_pattern; content:"<update from="; distance:0; content:"method="; distance:0; classtype:command-and-control; sid:2013324; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:md5,a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Receiving XML Format Node ID File From CnC Server"; flow:established,to_client; content:"<node><id>"; content:"<|2F|id><ip>"; distance:1; within:9; content:"<|2F|type><|2F|node>-->"; distance:0; content:"<node><id>"; distance:0; content:"<|2F|id><ip>"; distance:1; within:9; content:"<|2F|dict>"; distance:0; classtype:command-and-control; sid:2013325; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102439; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.SuspectCRC FakeAV Checkin"; flow:established,to_server; content:"value.php?"; http_uri; content:"md="; http_uri; content:"&pc="; http_uri; content:"User-Agent|3a| sample"; http_header; reference:md5,54c9d51661a05151e5143f4e80cbed86; classtype:command-and-control; sid:2013799; rev:3; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102440; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2102589; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; classtype:string-detect; sid:2001620; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102438; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:4; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
+#alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2102041; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; http_uri; content:"&time="; http_uri; content:"&msg="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&fy="; http_uri; content:"&pauid="; http_uri; content:"&checkId="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:md5,0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; content:"D="; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006613; classtype:web-application-attack; sid:2006613; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Lighty Variant or UltimateDefender POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; depth:300; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; classtype:trojan-activity; sid:2008783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/vars.inc.php?"; http_uri; nocase; content:"_SESSION[SCRIPT_PATH]="; http_uri; pcre:"/_SESSION\[SCRIPT_PATH\]=\s*(https?|ftps?|php)\x3a\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009179; classtype:web-application-attack; sid:2009179; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Set flow on rar file get"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:".rar HTTP/1."; flowbits:set,ET.rar_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2008781; classtype:trojan-activity; sid:2008781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Warezov/Stration Data Post to Controller"; flow:established,to_server; content:"/cgi-bin/pr.cgi"; http_uri; content:"POST"; http_method; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003180; classtype:trojan-activity; sid:2003180; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/TrojanDropper.Agent Checkin"; flow:established,to_server; content:".gif?aid="; http_uri; content:"&lc="; http_uri; content:"&time="; http_uri; content:"&flag="; http_uri; content:"&domain="; http_uri; classtype:trojan-activity; sid:2013402; rev:3; metadata:created_at 2011_08_11, updated_at 2011_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013814; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http any any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; classtype:trojan-activity; sid:2001685; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013813; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Trojan CnC"; dsize:2; byte_test:2, >, 1024, 0; threshold:type both, track by_src, count 1000, seconds 300; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder; classtype:command-and-control; sid:2013418; rev:5; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013812; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013497; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013811; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JBIG2Decode"; within:11; content:"#"; within:31; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JBIG2Decode](J|#4A)(B|#42)(I|#49)(G|#47)(2|#32)(D|#44)(e|#65)(c|#63)(o|#6F)(d|#64)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; reference:url,blog.didierstevens.com/2009/03/01/quickpost-jbig2decode-signatures/; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:2011534; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013810; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent FSD - Possible FakeAV Related"; flow:established,to_server; content:"User-Agent|3A 20|FSD|0D 0A|"; http_header; classtype:trojan-activity; sid:2013393; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_10, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"B6FCC215-D303-11D1-BC6C-0000C078797F"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_31, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pitbull IRCbotnet Fetch"; flow:to_server,established; content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|Mozilla/5.0|0d0a|"; http_header; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007626; classtype:trojan-activity; sid:2007626; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Basine Trojan Checkin"; flow:established,to_server; content:"a="; http_client_body; content:"&b=reported"; http_client_body; content:"&d=report"; http_client_body; reference:url,doc.emergingthreats.net/2007692; classtype:command-and-control; sid:2007692; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012316; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bifrose Connect to Controller (PING PONG)"; flow:stateless; dsize:10; content:"PING |3a|i.|0d 0a|"; flowbits:set,ET.bifrose1; reference:url,doc.emergingthreats.net/2009128; classtype:trojan-activity; sid:2009128; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PinBall Corp. Related suspicious activity"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| PinBallCorp-BSAI"; reference:url,doc.emergingthreats.net/2009908; classtype:trojan-activity; sid:2009908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Bifrose Response from Controller (PING PONG)"; flow:stateless; flowbits:isset,ET.bifrose1; dsize:9; content:"PONG |3a|i.|0d|"; reference:url,doc.emergingthreats.net/2009129; classtype:trojan-activity; sid:2009129; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2013248; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET DELETED Unknown Malware Keepalive"; flow:established,to_server; content:"keepalive"; nocase; depth:9; pcre:"/keepalive([0-9]{4}|\x7c[0-9]{4})/i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2012409; rev:3; metadata:created_at 2011_03_02, updated_at 2011_03_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013334; rev:4; metadata:created_at 2011_07_30, updated_at 2011_07_30;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP large PWD command"; flow:to_server,established; content:"PWD"; isdataat:7,relative; content:!"|0A|"; within:7; nocase; classtype:protocol-command-decode; sid:2101624; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013335; rev:5; metadata:created_at 2011_07_30, updated_at 2011_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV FakeAlertRena.n Checkin NO Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; content:"Content-Length|3a| 2|0d 0a 0d 0a|NO"; classtype:command-and-control; sid:2013420; rev:4; metadata:created_at 2011_08_18, former_category MALWARE, updated_at 2011_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Rbot User-Agent (tiehttp)"; flow:established,to_server; content:"User-Agent|3A 20|tiehttp"; http_header; classtype:trojan-activity; sid:2013449; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:command-and-control; sid:2013821; rev:2; metadata:created_at 2011_11_04, former_category MALWARE, updated_at 2011_11_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Driveby Download Secondary Request 4"; flow:established,to_server; content:"main.php?page="; http_uri; pcre:"/[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2013651; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".SaveCfg"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013878; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/iU"; content: "&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009412; classtype:trojan-activity; sid:2009412; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (AddTrend)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".AddTrend"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"GPL DELETED HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:2100510; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Koobface Variant Initial Checkin"; flow:established,to_server; content:".php?datos=c|3A|"; http_uri; content:"&user="; http_uri; classtype:command-and-control; sid:2013890; rev:2; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2011_11_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:command-and-control; sid:2013722; rev:2; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Checkin"; flow:from_client,established; dsize:12; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; depth:12; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:command-and-control; sid:2013891; rev:1; metadata:created_at 2011_11_09, former_category MALWARE, updated_at 2011_11_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Server Reply"; flow:from_server,established; dsize:44; content:"|33 39 0d ff 0a c4 e5 9f d5 ec 58 4a 69|"; depth:13; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013892; rev:1; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED dildo"; flow:to_client,established; content:"dildo"; nocase; classtype:policy-violation; sid:2101781; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Ping"; flow:from_client,established; dsize:7; content:"|33 0D FF 0A C5 F8 C1|"; depth:7; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013893; rev:2; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED nipple clamp"; flow:to_client,established; content:"nipple"; nocase; content:"clamp"; nocase; classtype:policy-violation; sid:2101782; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; http_uri; content:"&action="; http_uri; within:10; content:"&mac="; http_uri; within:10; content:"&lockcode="; http_uri; within:30; content:"&homepc="; http_uri; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; http_header; classtype:command-and-control; sid:2013900; rev:2; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED raw sex"; flow:to_client,established; content:"raw sex"; nocase; classtype:policy-violation; sid:2101786; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:2; metadata:created_at 2011_11_11, former_category TROJAN, updated_at 2017_11_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED oral sex"; flow:to_client,established; content:"oral sex"; nocase; classtype:policy-violation; sid:2101783; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os="; http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/"; http_header; classtype:command-and-control; sid:2013716; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED New Malware Information Post"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0d 0a|Pragma|3a| no-cache|0d 0a 0d 0a|"; http_header; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; fast_pattern; reference:url,doc.emergingthreats.net/2009092; classtype:trojan-activity; sid:2009092; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rimecud User Agent beat"; flow:established,to_server; content:"User-Agent|3A 20|beat|0D 0A|"; http_header; classtype:trojan-activity; sid:2013904; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Akamai Redswoosh CLIOnlineManager Connection Detected"; flow:established,to_server; content:"PUT "; depth:4; nocase; content:"|0d 0a|User-Agent|3a|"; content:"rswin_3725.dll"; within:30; nocase; reference:url,doc.emergingthreats.net/2011275; classtype:policy-violation; sid:2011275; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED OWASP Joomla Vulnerability Scanner Detected"; flow:established,to_server; content:"HEAD "; depth:5; content:"/joomla/"; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT 5.2\; en-US\; rv|3a|1.9.0.3) Gecko/2008092417 Firefox/3.0.3"; pcre:"/(/joomla/admin|/joomla/administrator|/joomla/manage|/joomla/administration)/U"; threshold: type threshold, track by_dst, count 4, seconds 15; reference:url,www.owasp.org/index.php/Category%3aOWASP_Joomla_Vulnerability_Scanner_Project; reference:url,doc.emergingthreats.net/2009837; classtype:attempted-recon; sid:2009837; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 1"; flow:established,to_server; content:"/WebIpc.asp?UID="; http_uri; content:"&NAME="; http_uri; content:"&mode="; http_uri; classtype:trojan-activity; sid:2013370; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banload iLLBrain Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_uri; content:"/iLL"; http_uri; content:".xxx"; http_uri; reference:url,doc.emergingthreats.net/2008328; classtype:trojan-activity; sid:2008328; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 2"; flow:established,to_server; content:"/link32.asp?SID="; http_uri; content:"&UID="; http_uri; content:"&MID="; http_uri; classtype:trojan-activity; sid:2013371; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Koobface.C User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/5.01"; content:"Gecko/2005"; fast_pattern; within:50; content:"Firefox/3"; distance:5; reference:url,doc.emergingthreats.net/2008848; classtype:trojan-activity; sid:2008848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; http_header; classtype:bad-unknown; sid:2013836; rev:3; metadata:created_at 2011_11_05, updated_at 2011_11_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot related infection - Unique HTTP get request"; flow:established,to_server; content:".dll|0d 0a|e|20|HTTP/1.1"; rawbytes; content:!"User-Agent|3a|"; nocase; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003432; classtype:trojan-activity; sid:2003432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection"; flow:established; content:"maininfo|7c|"; depth:9; nocase; content:"|7c|"; distance:3; reference:url,doc.emergingthreats.net/2008644; classtype:trojan-activity; sid:2008644; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Outbound"; flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010824; classtype:trojan-activity; sid:2010824; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:3; metadata:created_at 2011_11_18, updated_at 2011_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Inbound"; flow:from_server; dsize:<20; content:"PING |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010825; classtype:trojan-activity; sid:2010825; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ff 71 e0 49 96 47|"; offset:16; depth:16; dsize:48; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210; classtype:command-and-control; sid:2013922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED B0tN3t IRCbotnet"; flow:from_server,established; content:"|3a|"; offset:0; depth:1; content:"B0tN3t"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; reference:url,en.wikipedia.org/wiki/Botnet; reference:url,doc.emergingthreats.net/2007672; classtype:misc-activity; sid:2007672; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f 39 23 21 7f dc 43|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 1)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; reference:url,doc.emergingthreats.net/2006910; classtype:trojan-activity; sid:2006910; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 3)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02|"; content:"|02|"; within: 32; pcre:"/\x3A\x02(Alvo dos Pacotes|Conectando-se em|M.dia de envio|Tempo.*|Total .*)\x02/i"; reference:url,doc.emergingthreats.net/2006912; classtype:trojan-activity; sid:2006912; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET !6666:7000 -> $HOME_NET any (msg:"ET DELETED IRC Name response on non-standard port"; flow: to_client,established; dsize:<128; content:"|3a|"; depth:1; content:" 302 "; content:"=+"; content:"@"; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; classtype:trojan-activity; sid:2000346; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern;  content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kaiten IRCbotnet login"; flow:to_server,established; content:"NICK|20|"; depth:5; content:"USER|20|"; within:32; content:"localhost|20|localhost|20 3A|"; within:32; pcre:"/NICK\x20\S+\x0AUSER\x20\S+localhost\x20localhost\x20\x3A/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007621; classtype:trojan-activity; sid:2007621; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; classtype:bad-unknown; sid:2013950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Pitbull IRCbotnet Response"; flow:established; content:"PRIVMSG|20|"; content:"|3A|"; within:32; content:"4"; within:5; content:"12"; within:5; content:"|3a|"; within:5; pcre:"/\x3a.4\x7c.12.\x3a.4/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007624; classtype:trojan-activity; sid:2007624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:md5,1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_20, updated_at 2011_10_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:md5,1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert tcp $HOME_NET any -> any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; classtype:string-detect; sid:2001620; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (counters)"; flow:to_server,established; content:"User-Agent|3a| counters|0d 0a|"; http_header; reference:md5,60ce66bd10fcac3c97151612c8a4d343; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013953; rev:3; metadata:created_at 2011_11_22, updated_at 2011_11_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:4; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (giftz)"; flow:to_server,established; content:"User-Agent|3a| giftz|0d 0a|"; http_header; reference:md5,0f726e84bae5a8d1f166bbf6d09d821b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013954; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality User-Agent (Internet Explorer 5.01)"; flow:established,to_server; content:"User-Agent|3A 20|Internet Explorer 5.01|0D 0A|"; http_header; classtype:trojan-activity; sid:2013963; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Lighty Variant or UltimateDefender POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spamblockerutility.com-Hotbar User Agent (sbu-hb-)"; flow:to_server,established; content:"sbu-hb-"; http_header; pcre:"/User-Agent\x3a[^\n]+sbu-hb-/i"; reference:url,doc.emergingthreats.net/2003363; classtype:trojan-activity; sid:2003363; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET DELETED Unknown Malware Keepalive"; flow:established,to_server; content:"keepalive"; nocase; depth:9; pcre:"/keepalive([0-9]{4}|\x7c[0-9]{4})/i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2012409; rev:3; metadata:created_at 2011_03_02, updated_at 2011_03_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103437; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 1"; flow:established,to_server; content:"/WebIpc.asp?UID="; http_uri; content:"&NAME="; http_uri; content:"&mode="; http_uri; classtype:trojan-activity; sid:2013370; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103429; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 2"; flow:established,to_server; content:"/link32.asp?SID="; http_uri; content:"&UID="; http_uri; content:"&MID="; http_uri; classtype:trojan-activity; sid:2013371; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:2103148; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; http_header; classtype:bad-unknown; sid:2013836; rev:3; metadata:created_at 2011_11_05, updated_at 2011_11_05;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; fast_pattern:only; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:2100308; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spamblockerutility.com-Hotbar User Agent (sbu-hb-)"; flow:to_server,established; content:"sbu-hb-"; http_header; pcre:"/User-Agent\x3a[^\n]+sbu-hb-/i"; reference:url,doc.emergingthreats.net/2003363; classtype:trojan-activity; sid:2003363; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL DELETED cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:2100320; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103159; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:2100314; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:2100303; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103276; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hiloti loader receiving payload URL"; flow:established,from_server; content:"|0d 0a 0d 0a|20|0d 0a|http|3a|//"; classtype:trojan-activity; sid:2012515; rev:5; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103198; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|User-Agent|3a| Mozilla"; fast_pattern; content:"|0d 0a|Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:!"Content-Type|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2011816; rev:16; metadata:created_at 2010_10_14, updated_at 2010_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points)"; flow: established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"Peer Points"; http_header; within:150; pcre:"/User-Agent\:[^\n]+Peer Points/iH"; reference:url,doc.emergingthreats.net/2001640; classtype:policy-violation; sid:2001640; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103239; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (BlueSky)"; flow:to_server,established; content:"User-Agent|3a| BlueSky|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011084; classtype:trojan-activity; sid:2011084; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (GM Login)"; flow:to_server,established; content:"User-Agent|3a| GM Login|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011273; classtype:trojan-activity; sid:2011273; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103237; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (MSIE XPSP2)"; flow:to_server,established; content:"MSIE XPSP2"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003200; classtype:trojan-activity; sid:2003200; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103156; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; content:!"|0d 0a|MZ"; classtype:trojan-activity; sid:2014019; rev:4; metadata:created_at 2011_12_10, updated_at 2011_12_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zbu-hb-)"; flow:to_server,established; content:"zbu-hb-"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+zbu-hb-/Hi"; reference:url,doc.emergingthreats.net/2003305; classtype:trojan-activity; sid:2003305; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_11_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:5; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103180; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmeup Spyware Install (toolbar)"; flow: to_server,established; content:"/dkprogs/toolbar.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; classtype:trojan-activity; sid:2001473; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103430; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HSN.com Toolbar Spyware User-Agent (HSN)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; http_header; content:"HSN"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HSN/iH"; reference:url,doc.emergingthreats.net/2003495; classtype:trojan-activity; sid:2003495; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103181; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Wild Tangent Agent User-Agent (WildTangent)"; flow: to_server,established; content:"WildTangent"; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Wildtangent/iH"; reference:url,doc.emergingthreats.net/2001639; classtype:trojan-activity; sid:2001639; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103431; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103182; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx"; depth:300; content:"%PDF-"; within:300; threshold:type limit, seconds 60, count 10, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; classtype:bad-unknown; sid:2009076; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103381; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server in use - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008054; classtype:bad-unknown; sid:2008054; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103382; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeAV Served To Client"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; content:"|0D 0A|Set-Cookie|3a| ds=1|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011221; classtype:trojan-activity; sid:2011221; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103383; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit"; flow:established,to_client; content:"domain=trafficbiztds.com"; http_cookie; content:!"google.com"; classtype:exploit-kit; sid:2011469; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103384; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Serving EXE/DLL File Often Malware Related"; flow:established,to_client; content:"Server|3a| nginx"; nocase; fast_pattern; content:"MZ"; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; classtype:misc-activity; sid:2012195; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103397; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; content:"MZ"; isdataat:80,relative; content:"PE"; distance:0; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013437; rev:5; metadata:created_at 2011_08_19, updated_at 2011_08_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103398; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; nocase; content:"MZ"; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103399; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; classtype:command-and-control; sid:2014104; rev:2; metadata:created_at 2012_01_10, updated_at 2012_01_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103400; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"GPL DELETED RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2102335; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103260; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2102089; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103261; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2102042; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103262; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"GPL DELETED xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2102040; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103263; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102038; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103022; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2102034; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103034; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN inst.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"inst.exe"; distance:0; fast_pattern; classtype:trojan-activity; sid:2011923; rev:6; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103026; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED W32/Ramnit Initial CnC Connection"; flow:established,to_server; dsize:6; content:"|00 FF FB 00 00 00|"; fast_pattern:only; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:command-and-control; sid:2014131; rev:3; metadata:created_at 2012_01_17, updated_at 2012_01_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103035; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/class.class"; http_uri; classtype:trojan-activity; sid:2014138; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_21, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.Lpxenur Checkin"; flow:established,to_server; content:"/data/mail.js?yaru="; http_uri; classtype:trojan-activity; sid:2013714; rev:3; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103051; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Esf Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:md5,e6ca06e9b000933567a8604300094a85; classtype:command-and-control; sid:2014143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103042; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Eks Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:md5,9a494e7a48436e6defcb44dd6f053b33; classtype:command-and-control; sid:2014144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103050; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; reference:url,doc.emergingthreats.net/2007806; classtype:trojan-activity; sid:2007806; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103036; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.PEx.C.91139756616/Win32.Zwangi-BU Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?vn="; http_uri; content:"&partner="; http_uri; content:"&ptag="; http_uri; content:"&cid="; http_uri; content:"&se="; http_uri; content:"&au="; http_uri; content:"&pver="; http_uri; reference:url,threatcenter.crdf.fr/?More&ID=49889&D=CRDF.Win32.Win32.PEx.C.91139756616; reference:md5,2c969afbe71f35571d11e30f1e854b29; reference:url,www.pcsafedoctor.com/Adware/remove-AdWare.Win32.Zwangi.bu.html; classtype:trojan-activity; sid:2013789; rev:3; metadata:created_at 2011_10_21, updated_at 2011_10_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103028; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto Outbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013531; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (TheWorld)"; flow:established,to_server; content:"TheWorld"; http_header; pcre:"/User-Agent\x3A[^\n]+TheWorld/H"; reference:url,www.virustotal.com/file-scan/report.html?id=70e502c9b8752da6dc0ff2a41c6975d59090482d2c0758387aca1b5702f96988-1305238279; classtype:trojan-activity; sid:2013403; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_11, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103029; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL DELETED CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2102583; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103045; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; http_header; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102597; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103053; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"GPL DELETED Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102598; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; content:!"Host|3a 20|update.cooliris.com|0d 0a|"; http_header; classtype:command-and-control; sid:2014106; rev:3; metadata:created_at 2012_01_10, updated_at 2012_01_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103052; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; classtype:trojan-activity; sid:2014178; rev:2; metadata:created_at 2012_02_03, updated_at 2012_02_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103038; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious getpvstat.php file Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/getpvstat.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"jss.155game.com"; http_header; nocase; classtype:trojan-activity; sid:2014182; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103030; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Unknown HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".ru|3a|8080|0D 0A|"; http_header; fast_pattern; pcre:"/Host\x3a\s[a-z]{16}\.ru/H"; classtype:command-and-control; sid:2014221; rev:3; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103039; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|PK"; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103031; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"vssMlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103047; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> any any (msg:"ET DELETED Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103055; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible Attempt to Create MSSQL SOAP/HTTP Endpoint in URI to Allow for Operating System Interaction"; flow:established,to_server; content:"CREATE"; nocase; http_uri; content:"ENDPOINT"; nocase; http_uri; pcre:"/CREATE.+ENDPOINT/Ui"; reference:url,msdn.microsoft.com/en-us/library/ms345123.aspx; classtype:web-application-attack; sid:2011425; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103046; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Shiz or Rohimafo config download"; flow: established,to_client; content:"|21|config"; nocase; content:"|21|load"; nocase; content:"|2e|php|3f|id|3d|1|26|magic|3d|"; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011521; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103054; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adobe 0day Shovelware"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"/ppp/listdir.php?dir="; http_uri; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/Ui"; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; classtype:trojan-activity; sid:2010496; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103040; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Java JAR PROPFIND via DAV possible alternative JVM exploit"; flow:established,to_server; content:"PROPFIND"; http_method; content:".jar"; http_uri; nocase; content:"User-Agent|3a| Microsoft-WebDAV-MiniRedir"; http_header; content:!"Referer|3a| "; http_header; reference:url,blogs.zdnet.com/security/?p=6082; reference:url,doc.emergingthreats.net/2011009; classtype:bad-unknown; sid:2011009; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103032; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco %u IDS evasion"; flow:to_server,established; content:"%u002F"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000012; classtype:attempted-dos; sid:2000012; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103041; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco IOS HTTP server DoS"; flow: to_server,established; content:"/TEST?/"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000013; classtype:attempted-dos; sid:2000013; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103033; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco IOS HTTP DoS"; flow: to_server,established; content:"/error?/"; http_uri; nocase; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000009; classtype:attempted-dos; sid:2000009; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103049; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:".jsp?"; nocase; http_uri; content:"JSESSIONID="; nocase; isdataat:5132; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; classtype:attempted-admin; sid:2009216; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103057; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cutwail Landing Page WAIT PLEASE"; flow:established,from_server; content:"<h1>WAIT PLEASE</h1>"; nocase; depth:300; classtype:bad-unknown; sid:2014377; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103048; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103056; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".ak-networks.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; classtype:trojan-activity; sid:2001529; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; content:"/stat.php?id="; nocase; http_uri; content:"&web_id="; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; classtype:trojan-activity; sid:2003607; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103223; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103225; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPoint Agent Retrieving New Code"; flow: to_server,established; content:"/ftxmon.php?"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; classtype:trojan-activity; sid:2000905; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103413; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing with prototype catch"; flow:established,from_server; content:"if(window.document)try{new"; content:".prototype}catch("; distance:0; fast_pattern; classtype:bad-unknown; sid:2014369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103414; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103415; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popuptraffic.com Bot Reporting"; flow: to_server,established; content:"/scripts/click.php?"; nocase; http_uri; content:"hid="; http_uri; reference:url,popuptraffic.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; classtype:policy-violation; sid:2000577; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103416; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; content:"/?action="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&pc_id="; nocase; http_uri; content:"&abbr="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; classtype:trojan-activity; sid:2003548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; classtype:trojan-activity; sid:2000024; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103245; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spylog.ru Related Spyware Checkin"; flow:established,to_server; content:"/cnt?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&rn="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&tl="; nocase; http_uri; content:"&ls="; nocase; http_uri; content:"&ln="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&j="; nocase; http_uri; content:"&wh="; nocase; http_uri; content:"&px="; nocase; http_uri; content:"&sl="; nocase; http_uri; content:"&r="; nocase; http_uri; content:"&fr="; nocase; http_uri; content:"&pg="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; classtype:trojan-activity; sid:2007649; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103246; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; content:"/updatestats/all_files"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; classtype:policy-violation; sid:2001523; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103247; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; classtype:trojan-activity; sid:2000306; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103118; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; http_header; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; classtype:trojan-activity; sid:2000308; rev:24; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103119; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug"; flow: to_server,established; content:"WxAlertIsapi"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; classtype:misc-activity; sid:2001235; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; http_method; content:"Host|3a|"; nocase; http_header; content:"wxbug.com"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; classtype:misc-activity; sid:2002364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103121; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; nocase; http_uri; content:"?ZipCode="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; classtype:trojan-activity; sid:2003421; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103102; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Vista Gadget Activity"; flow:established,to_server; content:"/Command/VistaGadget_v"; nocase; http_uri; content:"UserId="; nocase; http_uri; content:"&AppVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; classtype:trojan-activity; sid:2003534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103092; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; content:"/img1big.gif"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; classtype:trojan-activity; sid:2000336; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103103; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; content:"/cgi-bin/yes.pl"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; classtype:trojan-activity; sid:2000337; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103104; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103093; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Feral Checkin via HTTP"; flow:established,to_server; content:"?ucid="; nocase; http_uri; content:"&wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007286; classtype:trojan-activity; sid:2007286; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103105; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Inject.BV Trojan User Agent Detected (faserx)"; flow:established,to_server; content:"User-Agent|3a| faser"; http_header; nocase; reference:url,doc.emergingthreats.net/2003637; classtype:trojan-activity; sid:2003637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103164; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103165; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; urilen:13; content:"POST"; http_method; nocase; content:"/bbs/info.asp"; http_uri; classtype:trojan-activity; sid:2012250; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103166; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103167; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2f|sogou"; http_uri; pcre:"/\x2fsogou(config)?\x2f/Ui"; reference:md5,f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 897 (msg:"ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jsp"; nocase; depth:35; pcre:"/\/\d{8,}\/\d{4,}\/\d{4,}\.jsp/"; reference:url,doc.emergingthreats.net/2009093; classtype:trojan-activity; sid:2009093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103207; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:3; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CPL Trojan Downloader Request"; flow:established,to_server; content:".cpl?|20|HTTP/1.1"; nocase; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2012910; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_01, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103209; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/UFR POST to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ufr/ufr.php"; http_uri; content:"UFR"; http_client_body; classtype:command-and-control; sid:2013424; rev:3; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http any any -> $HOME_NET any (msg:"ET DELETED Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; classtype:trojan-activity; sid:2001684; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103438; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103439; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103190; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Backdoor.Kbot Config Retrieval"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; content:"oop="; http_client_body; depth:4; reference:md5,b8ee86e57261fd3fb422a2b20a3c3e09; classtype:trojan-activity; sid:2014291; rev:4; metadata:created_at 2012_02_29, updated_at 2012_02_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103440; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED iframebiz - adv***.php"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adv"; nocase; http_uri; pcre:"/adv\d+\.php/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; classtype:trojan-activity; sid:2002707; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Possible Hupigon Connect"; flow:established,from_server; flowbits:set,ET.Hupinit2; dsize:<28; content:"HTTP/1.0 200 "; depth:13; flowbits:noalert; reference:url,doc.emergingthreats.net/2009290; classtype:trojan-activity; sid:2009290; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103389; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET DELETED Hupigon CnC Client Status"; flow:established,to_server; flowbits:isset,ET.Hupinit2; dsize:<6; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009291; classtype:command-and-control; sid:2009291; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103390; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Hupigon CnC Server Response"; flow:established,from_server; flowbits:isset,ET.Hupinit2; dsize:3; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009292; classtype:command-and-control; sid:2009292; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103391; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater post-auth checkin"; flow:established,to_server; content:"/search6"; http_uri; fast_pattern; content:"?h1="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|Windows NT 5.2)"; http_header; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014214; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103392; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED osCommerce vulnerable web application extras update.php exists"; flow:to_client,established; content:"Select an SQL file to install"; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002863; classtype:attempted-recon; sid:2002863; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103405; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2"; flow:established,from_server; content:"|0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013501; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103406; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Krunchy/BZub HTTP Checkin/Update"; flow:established,to_server; content:".php?action="; http_uri; content:"&guid="; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007775; classtype:trojan-activity; sid:2007775; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103407; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; nocase; http_method; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103408; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32 Jadtre/Wapomi/Nimnul/Viking.AY ICMP ping"; icode:0; itype:8; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; classtype:trojan-activity; sid:2014595; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002655; classtype:policy-violation; sid:2002655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103269; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002654; classtype:policy-violation; sid:2002654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103270; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002653; classtype:policy-violation; sid:2002653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103271; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002652; classtype:policy-violation; sid:2002652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103023; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/2002651; classtype:policy-violation; sid:2002651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103025; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002650; classtype:policy-violation; sid:2002650; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103230; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002649; classtype:policy-violation; sid:2002649; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103231; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/2002648; classtype:policy-violation; sid:2002648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/2002642; classtype:policy-violation; sid:2002642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103233; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/2002640; classtype:policy-violation; sid:2002640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103421; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/2002639; classtype:policy-violation; sid:2002639; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103422; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/2002638; classtype:policy-violation; sid:2002638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103423; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/2002637; classtype:policy-violation; sid:2002637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103424; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/2002636; classtype:policy-violation; sid:2002636; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103004; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/2002635; classtype:policy-violation; sid:2002635; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103005; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/2002634; classtype:policy-violation; sid:2002634; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103142; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/2002633; classtype:policy-violation; sid:2002633; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/2002632; classtype:policy-violation; sid:2002632; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103253; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002631; classtype:policy-violation; sid:2002631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103254; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002630; classtype:policy-violation; sid:2002630; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103255; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002629; classtype:policy-violation; sid:2002629; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103126; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002628; classtype:policy-violation; sid:2002628; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103127; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002627; classtype:policy-violation; sid:2002627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103128; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002625; classtype:policy-violation; sid:2002625; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103129; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002624; classtype:policy-violation; sid:2002624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002623; classtype:policy-violation; sid:2002623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103096; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002410; classtype:policy-violation; sid:2002410; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002411; classtype:policy-violation; sid:2002411; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002412; classtype:policy-violation; sid:2002412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103097; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002413; classtype:policy-violation; sid:2002413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002414; classtype:policy-violation; sid:2002414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103172; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002415; classtype:policy-violation; sid:2002415; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103173; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002416; classtype:policy-violation; sid:2002416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103174; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002417; classtype:policy-violation; sid:2002417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103175; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002418; classtype:policy-violation; sid:2002418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103214; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002419; classtype:policy-violation; sid:2002419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103215; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002420; classtype:policy-violation; sid:2002420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; classtype:policy-violation; sid:2002421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103217; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; classtype:policy-violation; sid:2002422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103196; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002423; classtype:policy-violation; sid:2002423; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL NETBIOS WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103200; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002424; classtype:policy-violation; sid:2002424; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002429; classtype:policy-violation; sid:2002429; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:2100333; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002430; classtype:policy-violation; sid:2002430; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:2103151; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002431; classtype:policy-violation; sid:2002431; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger 0 Query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:2100332; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002434; classtype:policy-violation; sid:2002434; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Account Enumeration Attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:2100321; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002436; classtype:policy-violation; sid:2002436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:2100328; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002438; classtype:policy-violation; sid:2002438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL DELETED cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:2100320; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002439; classtype:policy-violation; sid:2002439; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:2100331; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002440; classtype:policy-violation; sid:2002440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:2100329; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002441; classtype:policy-violation; sid:2002441; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Null Request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:2100324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002443; classtype:policy-violation; sid:2002443; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Probe 0 Attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:2100325; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002444; classtype:policy-violation; sid:2002444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Redirection Attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:2100330; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002446; classtype:policy-violation; sid:2002446; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:2100326; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002447; classtype:policy-violation; sid:2002447; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, former_category MISC, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002448; classtype:policy-violation; sid:2002448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Root Query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:2100323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002450; classtype:policy-violation; sid:2002450; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Search Query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:2100322; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002451; classtype:policy-violation; sid:2002451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002453; classtype:policy-violation; sid:2002453; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002454; classtype:policy-violation; sid:2002454; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:2100314; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002455; classtype:policy-violation; sid:2002455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:2100303; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002457; classtype:policy-violation; sid:2002457; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002458; classtype:policy-violation; sid:2002458; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002459; classtype:policy-violation; sid:2002459; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002462; classtype:policy-violation; sid:2002462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow"; flow:to_server,established; content:"MKD "; isdataat:100,relative; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:2100349; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002463; classtype:policy-violation; sid:2002463; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; fast_pattern:only; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:2100339; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002464; classtype:policy-violation; sid:2002464; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:2100338; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002465; classtype:policy-violation; sid:2002465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP PWD overflow"; flow:to_server,established; content:"PWD|0A|/i"; fast_pattern:only; classtype:attempted-admin; sid:2100340; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002466; classtype:policy-violation; sid:2002466; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP XXXXX overflow"; flow:to_server,established; content:"XXXXX/"; fast_pattern:only; classtype:attempted-admin; sid:2100341; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Law Enorcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002467; classtype:policy-violation; sid:2002467; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:2100346; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002468; classtype:policy-violation; sid:2002468; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:2100343; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002469; classtype:policy-violation; sid:2002469; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; fast_pattern:only; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:2100344; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002470; classtype:policy-violation; sid:2002470; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; fast_pattern:only; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:2100342; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002471; classtype:policy-violation; sid:2002471; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; fast_pattern; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:2100345; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002472; classtype:policy-violation; sid:2002472; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:2100348; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002473; classtype:policy-violation; sid:2002473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; fast_pattern:only; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:2100360; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002474; classtype:policy-violation; sid:2002474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:2100361; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002475; classtype:policy-violation; sid:2002475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET MALWARE TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1; metadata:created_at 2011_12_02, updated_at 2011_12_02;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002477; classtype:policy-violation; sid:2002477; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hiloti loader receiving payload URL"; flow:established,from_server; content:"|0d 0a 0d 0a|20|0d 0a|http|3a|//"; classtype:trojan-activity; sid:2012515; rev:5; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002483; classtype:policy-violation; sid:2002483; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:3; metadata:created_at 2011_12_02, former_category CURRENT_EVENTS, updated_at 2011_12_02;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002484; classtype:policy-violation; sid:2002484; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:3; metadata:created_at 2011_12_02, former_category CURRENT_EVENTS, updated_at 2011_12_02;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002485; classtype:policy-violation; sid:2002485; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|User-Agent|3a| Mozilla"; fast_pattern; content:"|0d 0a|Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; content:!"Content-Type|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2011816; rev:16; metadata:created_at 2010_10_14, updated_at 2010_10_14;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; content:"payment history"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002486; classtype:policy-violation; sid:2002486; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; http_method; content:"top_graph_header.php"; http_uri; pcre:"/top_graph_header\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; reference:url,doc.emergingthreats.net/2002129; classtype:web-application-activity; sid:2002129; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002487; classtype:policy-violation; sid:2002487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2"; flow:established,to_server; content:"GET"; http_method; content:"config_settings.php"; http_uri; pcre:"/config_settings\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; classtype:web-application-activity; sid:2013993; rev:2; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002488; classtype:policy-violation; sid:2002488; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002489; classtype:policy-violation; sid:2002489; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Referer|3a| "; content:"search?"; nocase; within:50; content:"q="; nocase; within:100; uricontent:".com"; nocase; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; reference:url,doc.emergingthreats.net/2011066; classtype:trojan-activity; sid:2011066; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002490; classtype:policy-violation; sid:2002490; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Jorik DDOS Instructions From CnC Server"; flow:established,to_client; content:"|7C|ddos|7C|"; pcre:"/\x7Cddos\x7C(syn|http)\x7C/"; classtype:command-and-control; sid:2013998; rev:3; metadata:created_at 2011_12_08, former_category MALWARE, updated_at 2011_12_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002495; classtype:policy-violation; sid:2002495; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:pup-activity; sid:2013999; rev:2; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2011_12_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002496; classtype:policy-violation; sid:2002496; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,090986b0e303779bde1ddad3c65a9d78; classtype:command-and-control; sid:2014003; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002497; classtype:policy-violation; sid:2002497; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002498; classtype:policy-violation; sid:2002498; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE P2P Zeus Response From CnC"; flow:established,from_server; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74|"; distance:5; within:2; content:"|C1|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:command-and-control; sid:2013912; rev:4; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002499; classtype:policy-violation; sid:2002499; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent (Gootkit HTTP Client)"; flow:to_server,established; content:"Gootkit HTTP Client"; http_header; nocase; reference:url,doc.emergingthreats.net/2010718; classtype:command-and-control; sid:2010718; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002500; classtype:policy-violation; sid:2002500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2014025; rev:1; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002501; classtype:policy-violation; sid:2002501; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:exploit-kit; sid:2014027; rev:2; metadata:created_at 2011_12_13, former_category CURRENT_EVENTS, updated_at 2011_12_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002502; classtype:policy-violation; sid:2002502; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points)"; flow: established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"Peer Points"; http_header; within:150; pcre:"/User-Agent\:[^\n]+Peer Points/iH"; reference:url,doc.emergingthreats.net/2001640; classtype:policy-violation; sid:2001640; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002503; classtype:policy-violation; sid:2002503; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:pup-activity; sid:2003531; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002504; classtype:policy-violation; sid:2002504; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002505; classtype:policy-violation; sid:2002505; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (BlueSky)"; flow:to_server,established; content:"User-Agent|3a| BlueSky|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011084; classtype:trojan-activity; sid:2011084; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002506; classtype:policy-violation; sid:2002506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:pup-activity; sid:2003429; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002507; classtype:policy-violation; sid:2002507; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:pup-activity; sid:2006386; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002508; classtype:policy-violation; sid:2002508; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003569; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002509; classtype:policy-violation; sid:2002509; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:pup-activity; sid:2008647; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002514; classtype:policy-violation; sid:2002514; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:pup-activity; sid:2008484; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002515; classtype:policy-violation; sid:2002515; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:pup-activity; sid:2008485; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002516; classtype:policy-violation; sid:2002516; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:pup-activity; sid:2007977; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002519; classtype:policy-violation; sid:2002519; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:pup-activity; sid:2008000; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002521; classtype:policy-violation; sid:2002521; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:pup-activity; sid:2007759; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002523; classtype:policy-violation; sid:2002523; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:pup-activity; sid:2007690; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002524; classtype:policy-violation; sid:2002524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (GM Login)"; flow:to_server,established; content:"User-Agent|3a| GM Login|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011273; classtype:trojan-activity; sid:2011273; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002525; classtype:policy-violation; sid:2002525; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:pup-activity; sid:2003652; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002526; classtype:policy-violation; sid:2002526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:pup-activity; sid:2008202; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002704; classtype:policy-violation; sid:2002704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:pup-activity; sid:2008203; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002528; classtype:policy-violation; sid:2002528; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:pup-activity; sid:2007935; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002530; classtype:policy-violation; sid:2002530; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:pup-activity; sid:2007938; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002531; classtype:policy-violation; sid:2002531; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:pup-activity; sid:2002404; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002532; classtype:policy-violation; sid:2002532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:pup-activity; sid:2010218; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002534; classtype:policy-violation; sid:2002534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P JoltID Agent New Code Download"; flow: established; content:"PeerEnabler"; http_header; fast_pattern:only; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/2001652; classtype:trojan-activity; sid:2001652; rev:34; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002535; classtype:policy-violation; sid:2002535; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:pup-activity; sid:2009289; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002537; classtype:policy-violation; sid:2002537; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:pup-activity; sid:2009150; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002538; classtype:policy-violation; sid:2002538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:pup-activity; sid:2007809; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002539; classtype:policy-violation; sid:2002539; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:pup-activity; sid:2006429; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002541; classtype:policy-violation; sid:2002541; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:pup-activity; sid:2008198; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002542; classtype:policy-violation; sid:2002542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:pup-activity; sid:2008204; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002543; classtype:policy-violation; sid:2002543; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:pup-activity; sid:2007947; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002544; classtype:policy-violation; sid:2002544; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:pup-activity; sid:2007958; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002546; classtype:policy-violation; sid:2002546; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:pup-activity; sid:2007959; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002547; classtype:policy-violation; sid:2002547; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:pup-activity; sid:2002394; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002548; classtype:policy-violation; sid:2002548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (MSIE XPSP2)"; flow:to_server,established; content:"MSIE XPSP2"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003200; classtype:trojan-activity; sid:2003200; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002549; classtype:policy-violation; sid:2002549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:pup-activity; sid:2003529; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002550; classtype:policy-violation; sid:2002550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:pup-activity; sid:2011101; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002551; classtype:policy-violation; sid:2002551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:pup-activity; sid:2009765; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002552; classtype:policy-violation; sid:2002552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:pup-activity; sid:2008894; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002553; classtype:policy-violation; sid:2002553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:pup-activity; sid:2009796; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002554; classtype:policy-violation; sid:2002554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:pup-activity; sid:2008656; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002555; classtype:policy-violation; sid:2002555; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:pup-activity; sid:2003644; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002556; classtype:policy-violation; sid:2002556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:pup-activity; sid:2008145; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002557; classtype:policy-violation; sid:2002557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:pup-activity; sid:2008146; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002558; classtype:policy-violation; sid:2002558; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:pup-activity; sid:2008151; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002559; classtype:policy-violation; sid:2002559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spyaxe Spyware User-Agent (spyaxe)"; flow:to_server,established; content:" spyaxe "; fast_pattern:only; http_header;  reference:url,doc.emergingthreats.net/2002807; classtype:trojan-activity; sid:2002807; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002561; classtype:policy-violation; sid:2002561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; flow:to_server,established; content:"User-Agent|3a| SpyHeal"; nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:pup-activity; sid:2003399; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002567; classtype:policy-violation; sid:2002567; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; fast_pattern:only; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:pup-activity; sid:2003205; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002568; classtype:policy-violation; sid:2002568; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:pup-activity; sid:2007570; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002569; classtype:policy-violation; sid:2002569; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:pup-activity; sid:2007575; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002570; classtype:policy-violation; sid:2002570; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; classtype:pup-activity; sid:2007772; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002571; classtype:policy-violation; sid:2002571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:pup-activity; sid:2007899; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002572; classtype:policy-violation; sid:2002572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; classtype:pup-activity; sid:2007946; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002573; classtype:policy-violation; sid:2002573; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:pup-activity; sid:2007993; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002574; classtype:policy-violation; sid:2002574; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (bdsclk) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:pup-activity; sid:2008743; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002575; classtype:policy-violation; sid:2002575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:pup-activity; sid:2009021; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002576; classtype:policy-violation; sid:2002576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (get_site1)"; flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:pup-activity; sid:2009111; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002577; classtype:policy-violation; sid:2002577; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:pup-activity; sid:2009124; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002578; classtype:policy-violation; sid:2002578; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:pup-activity; sid:2009439; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; classtype:policy-violation; sid:2002579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009995; classtype:pup-activity; sid:2009995; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; classtype:policy-violation; sid:2002580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,doc.emergingthreats.net/2010333; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,e4664144f8e95cfec510d5efa24a35e7; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; classtype:pup-activity; sid:2010333; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002581; classtype:policy-violation; sid:2002581; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:11; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002582; classtype:policy-violation; sid:2002582; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:pup-activity; sid:2008205; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002583; classtype:policy-violation; sid:2002583; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; content:!"|0d 0a|MZ"; classtype:trojan-activity; sid:2014019; rev:4; metadata:created_at 2011_12_10, updated_at 2011_12_10;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002584; classtype:policy-violation; sid:2002584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:pup-activity; sid:2011679; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002585; classtype:policy-violation; sid:2002585; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:pup-activity; sid:2011718; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002586; classtype:policy-violation; sid:2002586; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:pup-activity; sid:2008190; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002587; classtype:policy-violation; sid:2002587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:pup-activity; sid:2003567; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002588; classtype:policy-violation; sid:2002588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:pup-activity; sid:2011123; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002589; classtype:policy-violation; sid:2002589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zbu-hb-)"; flow:to_server,established; content:"zbu-hb-"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+zbu-hb-/Hi"; reference:url,doc.emergingthreats.net/2003305; classtype:trojan-activity; sid:2003305; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002594; classtype:policy-violation; sid:2002594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:pup-activity; sid:2011691; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002595; classtype:policy-violation; sid:2002595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:pup-activity; sid:2011087; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002596; classtype:policy-violation; sid:2002596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:pup-activity; sid:2011105; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002599; classtype:policy-violation; sid:2002599; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:pup-activity; sid:2002169; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002601; classtype:policy-violation; sid:2002601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ADWARE_PUP User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:pup-activity; sid:2000466; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002603; classtype:policy-violation; sid:2002603; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:pup-activity; sid:2003345; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002604; classtype:policy-violation; sid:2002604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:pup-activity; sid:2003588; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002605; classtype:policy-violation; sid:2002605; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:pup-activity; sid:2011297; rev:3; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2010_09_28;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002606; classtype:policy-violation; sid:2002606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:pup-activity; sid:2012172; rev:5; metadata:created_at 2011_01_12, former_category ADWARE_PUP, updated_at 2011_01_12;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002608; classtype:policy-violation; sid:2002608; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; classtype:pup-activity; sid:2012804; rev:5; metadata:created_at 2011_05_14, former_category ADWARE_PUP, updated_at 2011_05_14;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002609; classtype:policy-violation; sid:2002609; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Infection Report via HTTP"; flow:established,to_server; content:"/keylogkontrol/"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; classtype:trojan-activity; sid:2008047; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002611; classtype:policy-violation; sid:2002611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:5; metadata:created_at 2011_10_26, updated_at 2011_10_26;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002612; classtype:policy-violation; sid:2002612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:exploit-kit; sid:2014031; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002613; classtype:policy-violation; sid:2002613; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:exploit-kit; sid:2014032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002615; classtype:policy-violation; sid:2002615; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:exploit-kit; sid:2014033; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002616; classtype:policy-violation; sid:2002616; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:exploit-kit; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002618; classtype:policy-violation; sid:2002618; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:pup-activity; sid:2003463; rev:17; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002619; classtype:policy-violation; sid:2002619; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmeup Spyware Install (toolbar)"; flow: to_server,established; content:"/dkprogs/toolbar.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; classtype:trojan-activity; sid:2001473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002620; classtype:policy-violation; sid:2002620; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HSN.com Toolbar Spyware User-Agent (HSN)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; http_header; content:"HSN"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HSN/iH"; reference:url,doc.emergingthreats.net/2003495; classtype:trojan-activity; sid:2003495; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002622; classtype:policy-violation; sid:2002622; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; reference:url,doc.emergingthreats.net/2003441; classtype:pup-activity; sid:2003441; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] $HTTP_PORTS (msg:"ET DELETED facebook activity"; flow:established,to_server; threshold: type both, track by_dst, count 2, seconds 120; reference:url,compnetworking.about.com/od/traceipaddresses/f/facebook-ip-address.htm; reference:url,doc.emergingthreats.net/2010952; classtype:policy-violation; sid:2010952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Wild Tangent Agent User-Agent (WildTangent)"; flow: to_server,established; content:"WildTangent"; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Wildtangent/iH"; reference:url,doc.emergingthreats.net/2001639; classtype:trojan-activity; sid:2001639; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; content:".txt"; nocase; http_uri; fast_pattern; content:"Pragma|3a| no-cache"; http_header; content:"User-Agent|3a| "; http_header; pcre:"/User-Agent\x3a \d{6}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2008664; classtype:trojan-activity; sid:2008664; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Ping"; flow: to_server,established; content:"Host|3a| srv.peopleonpage.com"; nocase; http_header; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; classtype:policy-violation; sid:2001446; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2014047; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:5; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; content:"getElementById']('qwe')"; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Bluecoat Proxy in use"; flow:established,to_server; content:"X-BlueCoat-Via|3A|"; http_header; classtype:not-suspicious; sid:2014049; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:4; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:8; metadata:created_at 2010_07_30, updated_at 2016_09_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2; metadata:created_at 2011_12_30, former_category CURRENT_EVENTS, updated_at 2011_12_30;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014055; rev:1; metadata:created_at 2011_12_31, former_category MALWARE, updated_at 2011_12_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]*&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type|3A| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_31, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_31, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2; metadata:created_at 2012_06_05, updated_at 2012_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER xp_cmdshell Attempt in Cookie"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_header; pcre:"/\x0a\x0dCookie\x3a[^\n]+xp_cmdshell/i"; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=4072; reference:url,doc.emergingthreats.net/2010119; classtype:web-application-attack; sid:2010119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx"; depth:300; content:"%PDF-"; within:300; threshold:type limit, seconds 60, count 10, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; classtype:bad-unknown; sid:2009076; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> $HOME_NET any (msg:"ET POLICY HTTP Redirect to IPv4 Address"; flow:established,from_server; content:"302"; http_stat_code; content:"Found"; nocase; content:"Location|3a| "; nocase; pcre:"/Location\: (http\:\/\/)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//i"; reference:url,doc.emergingthreats.net/2011085; classtype:misc-activity; sid:2011085; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; nocase; content:"|00 01|"; distance:6; within:2; classtype:policy-violation; sid:2102450; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server in use - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008054; classtype:bad-unknown; sid:2008054; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file)"; flow:established,from_server; content:"|0d 0a|Content-Type|3a| application|2f|octet-stream"; content:"|0d 0a 0d 0a 52 61 72 21|"; content:!"|1A 07|"; within:2; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008782; classtype:trojan-activity; sid:2008782; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeAV Served To Client"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; content:"|0D 0A|Set-Cookie|3a| ds=1|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011221; classtype:trojan-activity; sid:2011221; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2102577; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit"; flow:established,to_client; content:"domain=trafficbiztds.com"; http_cookie; content:!"google.com"; classtype:exploit-kit; sid:2011469; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Serving EXE/DLL File Often Malware Related"; flow:established,to_client; content:"Server|3a| nginx"; nocase; fast_pattern; content:"MZ"; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; classtype:misc-activity; sid:2012195; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:6; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:18; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015287; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetProtection Download"; flow:established,from_server; content:"|3b 20|filename=|22|InstallInternetProtection_"; nocase; classtype:trojan-activity; sid:2012696; rev:3; metadata:created_at 2011_04_21, updated_at 2011_04_21;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015288; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump successful leakage"; flow:established,from_server; content:"|0d 0a|<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->|0d 0a|"; content:"|0d 0a|Content-Type|3a 20|text/plain|0d 0a|"; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:successful-recon-largescale; sid:2012809; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015289; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV FakeAlertRena.n Checkin Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; content:"Content-Length|3a| 2|0d 0a|"; content:"|0d 0a 0d 0a|OK"; distance:0; classtype:command-and-control; sid:2013136; rev:6; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015290; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only;  classtype:trojan-activity; sid:2013326; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_08_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015291; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; content:"MZ"; isdataat:80,relative; content:"PE"; distance:0; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013437; rev:5; metadata:created_at 2011_08_19, updated_at 2011_08_19;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015292; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; nocase; content:"MZ"; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015293; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SecurityDefender exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"SecurityDefender"; nocase; within:24; content:".exe"; within:24; classtype:trojan-activity; sid:2013826; rev:3; metadata:created_at 2011_11_05, updated_at 2011_11_05;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015294; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; content:"bomgar-scc-"; nocase; distance:0; fast_pattern; content:".exe"; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:3; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015295; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; classtype:policy-violation; sid:2101438; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015296; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014079; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015297; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Nurech Checkin UA"; flow:from_client,established; content:"User-Agent|3a| ipwf|0d 0a|"; http_header; classtype:command-and-control; sid:2014093; rev:3; metadata:created_at 2012_01_03, former_category MALWARE, updated_at 2012_01_03;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015298; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015299; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015300; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"<applet"; nocase; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013961; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015301; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013786; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015302; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015303; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015304; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015305; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015306; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013775; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015307; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013777; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015308; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011348; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015309; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011813; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2010_10_13;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015310; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013363; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015311; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013690; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015312; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013691; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015313; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013692; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015314; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013693; rev:7; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015315; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011988; rev:5; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015316; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015317; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:exploit-kit; sid:2014096; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015318; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:exploit-kit; sid:2014097; rev:3; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015319; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011349; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015320; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:"<html><body><script>|0d 0a|"; fast_pattern; nocase; content:"document.createElement"; within:50; content:"|28|String["; distance:0; pcre:"/,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,/iR"; classtype:exploit-kit; sid:2013660; rev:4; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015321; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Jupiter Exploit Kit Landing Page with Malicious Java Applets"; flow:established,from_server; content:"<applet"; content:"code="; content:".jar"; distance:0; content:"u//FCyy"; within:50; fast_pattern; content:"</applet>"; within:100; classtype:exploit-kit; sid:2013955; rev:3; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2011_11_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015322; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit pdfopen.pdf"; flow:established,to_server; content:"pdfopen.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011180; classtype:exploit-kit; sid:2011180; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015323; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012941; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2017_04_10;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015324; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012942; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015325; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012943; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015326; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012944; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015327; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:exploit-kit; sid:2013776; rev:3; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015328; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:exploit-kit; sid:2011972; rev:3; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015329; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:exploit-kit; sid:2011973; rev:3; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015330; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit pdfswf.pdf"; flow:established,to_server; content:"pdfswf.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011181; classtype:exploit-kit; sid:2011181; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015331; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - libtiff.pdf"; flow:established,to_server; content:"libtiff.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011182; classtype:exploit-kit; sid:2011182; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015332; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; http_client_body; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011350; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015333; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Blackshades Payload Download Command"; flow:established,to_client; content:"x74|0C|64|0C|"; depth:7; content:"x49|0C|"; distance:64; classtype:trojan-activity; sid:2014101; rev:2; metadata:created_at 2012_01_05, updated_at 2012_01_05;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015334; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/file/"; http_uri; content:"Host|3a| "; nocase; http_header; content:"badongo.com"; nocase; http_header; within:15; content:"badongoL="; http_cookie; reference:url,doc.emergingthreats.net/2009302; classtype:policy-violation; sid:2009302; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015335; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible BASE Authentication Bypass Attempt"; flow:to_server,established; content:"BASERole="; http_header; content:"794b69ad33015df95578d5f4a19d390e"; within:40; http_header; reference:url,seclists.org/bugtraq/2009/Jun/0218.html; reference:url,seclists.org/bugtraq/2009/Jun/0217.html; reference:url,doc.emergingthreats.net/2009677; classtype:web-application-attack; sid:2009677; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015336; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FACEBOOK user id in http_client_body, lookup with fb.com/profile.php?id="; flow:established,to_server; content:".facebook.com|0D 0A|"; http_header; content:"&__user="; http_client_body; threshold: type limit, count 1, seconds 600, track by_src; classtype:not-suspicious; sid:2014102; rev:3; metadata:created_at 2012_01_06, updated_at 2012_01_06;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015337; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; nocase; http_uri; content:"cache="; nocase; content:"OvJavaLocale="; nocase; within:15; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015338; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; classtype:command-and-control; sid:2014104; rev:2; metadata:created_at 2012_01_10, updated_at 2012_01_10;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015339; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2014108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015340; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.UFRStealer.A issuing MKD command FTP"; flow:to_server,established; content:"MKD UFR_Stealer"; nocase; depth:15; reference:md5,a251ef38f048d695eae52626e57d617d; classtype:trojan-activity; sid:2014111; rev:6; metadata:created_at 2011_04_20, updated_at 2011_04_20;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015341; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET MALWARE Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E|Cythosia|20|V2|20|Bot|20|Webpanel|20 2D 20|Login|3C 2F|title|3E|"; nocase; reference:url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/; classtype:successful-admin; sid:2014118; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015342; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 5"; flow:established,to_server; content:"|7A 7A 7A 7A 72 71 71 71 71 73 73 73 73 7D 7D 7D 7D|"; offset:5; depth:17; classtype:trojan-activity; sid:2013526; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015343; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 6"; flow:established,to_server; content:"|B5 B5 B5 B5 BD BE BE BE BE BC BC BC BC B2 B2 B2 B2|"; offset:5; depth:17; classtype:trojan-activity; sid:2013527; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015344; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 7"; flow:established,to_server; content:"|6F 6F 6F 6F 67 64 64 64 64 66 66 66 66 68 68 68 68|"; offset:5; depth:17; classtype:trojan-activity; sid:2013528; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015345; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 8"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013529; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015346; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 9"; flow:established,to_server; content:"|0F 0F 0F 0F 07 04 04 04 04 06 06 06 06 08 08 08 08|"; offset:5; depth:17; classtype:trojan-activity; sid:2013530; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015347; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015348; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 1"; flow:established,to_server; content:"|40 40 40 40 48 4B 4B 4B 4B 49 49 49 49 47 47 47 47|"; offset:5; depth:17; classtype:trojan-activity; sid:2013522; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015349; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 2"; flow:established,to_server; content:"|0B 0B 0B 0B 03 00 00 00 00 02 02 02 02 0C 0C 0C 0C|"; offset:5; depth:17; classtype:trojan-activity; sid:2013523; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015350; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 3"; flow:established,to_server; content:"|AC AC AC AC A4 A7 A7 A7 A7 A5 A5 A5 A5 AB AB AB AB|"; offset:5; depth:17; classtype:trojan-activity; sid:2013524; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015351; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015352; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015353; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; classtype:trojan-activity; sid:2014126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015354; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015355; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; fast_pattern; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2102349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015356; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2102348; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015357; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2102344; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015358; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2102343; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015359; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2102340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015360; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:100,relative; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2102338; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015361; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp any any -> any 69 (msg:"GPL TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2102337; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015362; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2102336; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015363; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"GPL DELETED RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2102335; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015364; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102333; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015365; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102332; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015366; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; isdataat:100,relative; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2102330; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015367; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015368; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015369; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015370; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015371; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015372; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015373; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015374; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015375; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015376; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102309; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015377; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102308; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015378; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015379; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015380; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015381; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015382; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102255; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015383; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015384; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015385; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2102250; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015386; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015387; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102192; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015388; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015389; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102190; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015390; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015391; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert ip any any -> any any (msg:"GPL MISC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015392; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert ip any any -> any any (msg:"GPL MISC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015393; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert ip any any -> any any (msg:"GPL MISC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015394; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102185; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015395; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102184; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015396; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"GPL P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2102181; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015397; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2102179; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015398; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2102178; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015399; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015400; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2102176; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015401; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015402; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015403; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015404; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; fast_pattern; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2102125; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015405; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"GPL POLICY Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2102124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015406; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2102122; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015407; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2102121; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015408; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015409; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015410; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015411; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL RPC rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102114; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015412; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015457; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015413; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015455; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015414; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015454; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015453; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2102107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015452; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102106; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015415; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2102105; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015416; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"GPL RPC rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2102104; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015451; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015417; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; reference:nessus,11110; classtype:denial-of-service; sid:2102102; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015418; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102101; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015450; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102095; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015419; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102094; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015420; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102093; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015449; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015421; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2102089; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015422; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2102088; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015423; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102084; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015448; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102083; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015447; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102082; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015446; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102081; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015445; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102080; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015424; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102079; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015425; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER TRACE attempt"; flow:to_server,established; content:"TRACE"; http_method; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2102056; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015444; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2102049; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015426; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2102048; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015427; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL EXPLOIT rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2102047; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015443; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; isdataat:1024,relative; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2102046; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015428; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"GPL POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2102044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015441; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2102042; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015429; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"GPL DELETED xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2102040; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015430; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2102039; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015440; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102038; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015431; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015432; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102036; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015433; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015434; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2102034; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015439; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2102033; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015435; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102032; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015436; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102031; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015437; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102030; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015438; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102029; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015462; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102028; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015244; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102027; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015463; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN inst.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"inst.exe"; distance:0; fast_pattern; classtype:trojan-activity; sid:2011923; rev:6; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Class 1 Primary Intermediate Server CA"; classtype:policy-violation; sid:2013296; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:3; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate (StartCom Free Certificate Member)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Free Certificate Member"; classtype:policy-violation; sid:2013297; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015087; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4; metadata:created_at 2011_04_01, former_category CURRENT_EVENTS, updated_at 2011_04_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015088; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015089; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED W32/Ramnit Initial CnC Connection"; flow:established,to_server; dsize:6; content:"|00 FF FB 00 00 00|"; fast_pattern:only; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; classtype:command-and-control; sid:2014131; rev:3; metadata:created_at 2012_01_17, updated_at 2012_01_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015090; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015091; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/class.class"; http_uri; classtype:trojan-activity; sid:2014138; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_21, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015092; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.Lpxenur Checkin"; flow:established,to_server; content:"/data/mail.js?yaru="; http_uri; classtype:trojan-activity; sid:2013714; rev:3; metadata:created_at 2011_10_01, updated_at 2011_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015094; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Esf Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:md5,e6ca06e9b000933567a8604300094a85; classtype:command-and-control; sid:2014143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015095; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Eks Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:md5,9a494e7a48436e6defcb44dd6f053b33; classtype:command-and-control; sid:2014144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015096; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:command-and-control; sid:2014145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015097; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015098; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; reference:url,doc.emergingthreats.net/2007806; classtype:trojan-activity; sid:2007806; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015099; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.PEx.C.91139756616/Win32.Zwangi-BU Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?vn="; http_uri; content:"&partner="; http_uri; content:"&ptag="; http_uri; content:"&cid="; http_uri; content:"&se="; http_uri; content:"&au="; http_uri; content:"&pver="; http_uri; reference:url,threatcenter.crdf.fr/?More&ID=49889&D=CRDF.Win32.Win32.PEx.C.91139756616; reference:md5,2c969afbe71f35571d11e30f1e854b29; reference:url,www.pcsafedoctor.com/Adware/remove-AdWare.Win32.Zwangi.bu.html; classtype:trojan-activity; sid:2013789; rev:3; metadata:created_at 2011_10_21, updated_at 2011_10_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015100; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015101; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015102; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Alternate Data Stream source view attempt"; flow:to_server,established; content:"|3A 3A|$DATA"; http_uri; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; reference:url,doc.emergingthreats.net/2001365; classtype:web-application-activity; sid:2001365; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015103; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"&ver="; http_client_body; content:"&MAX_EXECUTE_TIME="; http_client_body; fast_pattern; content:"&RELOAD_JOBS="; http_client_body; content:"&BROWSER_DELAY="; http_client_body; content:"&CONTROL_PAGE"; http_client_body; content:"&lastlogcount"; http_client_body; content:"&min_captchasize"; http_client_body; content:"&botid"; http_client_body; content:"&REG_NAME"; http_client_body; content:"&botlogin="; http_client_body; reference:url,doc.emergingthreats.net/2009830; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FWombot.A; classtype:command-and-control; sid:2009830; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015104; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Known Malicious Link Leading to Exploit Kits (t.php?id=is1)"; flow:established,to_server; content:"/t.php?id=is1"; http_uri; classtype:exploit-kit; sid:2014151; rev:2; metadata:created_at 2012_01_26, former_category EXPLOIT_KIT, updated_at 2012_01_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015105; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity"; flow:established,to_server; content:".php?param="; http_uri; content:"&socks="; http_uri; content:"User-Agent|3a| Windows Updater"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002775; classtype:trojan-activity; sid:2002775; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015106; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VB.aie Reporting User Activity"; flow:established,to_server; content:"php?iso="; nocase; http_uri; content:"&country="; nocase; http_uri; content:"&proxy="; nocase; http_uri; content:"&tel="; nocase; http_uri; content:"&ftp="; nocase; http_uri; content:"&socks="; nocase; http_uri; content:"&remote="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002857; classtype:trojan-activity; sid:2002857; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015107; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:command-and-control; sid:2014152; rev:3; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2012_01_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015108; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto Outbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013531; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015109; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015110; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015111; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014166; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015112; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:"[DBINFO]|0D 0A|Info ="; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014167; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015113; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:md5,4b8adc7612e984d12b77f197c59827a2; classtype:command-and-control; sid:2012882; rev:4; metadata:created_at 2011_05_27, former_category MALWARE, updated_at 2011_05_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015114; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (TheWorld)"; flow:established,to_server; content:"TheWorld"; http_header; pcre:"/User-Agent\x3A[^\n]+TheWorld/H"; reference:url,www.virustotal.com/file-scan/report.html?id=70e502c9b8752da6dc0ff2a41c6975d59090482d2c0758387aca1b5702f96988-1305238279; classtype:trojan-activity; sid:2013403; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_11, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015115; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015116; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102508; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015117; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102509; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015118; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102510; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015119; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102511; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015120; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102512; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015121; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102513; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015122; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015123; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL DELETED BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:8; metadata:created_at 2010_09_23, former_category MISC, updated_at 2019_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015124; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015125; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015126; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102526; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015127; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015128; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015129; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102552; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015130; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102553; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015131; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102554; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015132; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102555; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015133; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:432,relative; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015134; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102557; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015135; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102558; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015136; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102559; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015137; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102560; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015138; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2102561; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015139; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_08_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015140; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2102574; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015141; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015142; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL DELETED CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2102583; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015143; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"GPL P2P eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; content:"|01|SENDLINK|7c|"; distance:0; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2102584; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015144; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp any 4711 -> $HOME_NET any (msg:"GPL P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2102587; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015145; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2102590; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015146; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; http_header; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102597; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015147; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"GPL DELETED Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102598; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015148; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; content:!"Host|3a 20|update.cooliris.com|0d 0a|"; http_header; classtype:command-and-control; sid:2014106; rev:3; metadata:created_at 2012_01_10, updated_at 2012_01_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015149; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; classtype:trojan-activity; sid:2014178; rev:2; metadata:created_at 2012_02_03, updated_at 2012_02_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015150; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious getpvstat.php file Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/getpvstat.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"jss.155game.com"; http_header; nocase; classtype:trojan-activity; sid:2014182; rev:3; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015151; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Java request to showthread.php?t="; flow:established,to_server; content:"/showthread.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/showthread\.php\?t=\d+$/Ui"; reference:url,research.zscaler.com/2012/01/popularity-of-exploit-kits-leading-to.html; classtype:exploit-kit; sid:2013916; rev:6; metadata:created_at 2011_11_16, former_category EXPLOIT_KIT, updated_at 2011_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015152; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014197; rev:2; metadata:created_at 2012_02_06, former_category EXPLOIT_KIT, updated_at 2012_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015153; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Exploiting IEPeers"; flow:established,to_client; content:"booom["; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; reference:url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/; reference:cve,2010-0806; classtype:exploit-kit; sid:2014199; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2016_11_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015154; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato/Cleaman Checkin"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:command-and-control; sid:2014200; rev:4; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015155; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CUTE-IE.html CutePack Exploit Kit Landing Page Request"; flow:established,to_server; content:"/CUTE-IE.html"; nocase; http_uri; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014203; rev:3; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015156; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CutePack Exploit Kit JavaScript Variable Detected"; flow:established,to_client; content:"var Cute"; nocase; fast_pattern:only; pcre:"/var\x20Cute(Money|Power|Shine)/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014204; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015157; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected"; flow:established,to_client; content:"/CUTE-IE.html"; nocase; fast_pattern:only; pcre:"/iframe[^\r\n]*\x2FCUTE-IE\x2Ehtml/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014205; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015158; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CutePack Exploit Kit Landing Page Detected"; flow:established,to_client; content:"button id=|22|evilcute|22|"; nocase; fast_pattern:only; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014206; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015159; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TLD4 Purple Haze Variant Initial CnC Request for Ad Servers"; flow:established,to_server; content:"trf?q="; http_uri; content:"&edv="; http_uri; content:"&o="; http_uri; content:"&kp="; http_uri; content:"&tk="; http_uri; content:"&fk="; http_uri; content:"&ks="; http_uri; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:command-and-control; sid:2014208; rev:2; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015160; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Sykipot SSL Certificate subject emailAddress detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014210; rev:1; metadata:attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015162; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Sykipot SSL Certificate serial number detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014209; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015163; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Delf/Troxen/Zema controller responding to client"; flow:established,to_client; content:"|0d 0a 0d 0a|wait.<os>"; classtype:trojan-activity; sid:2014216; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015164; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Delf/Troxen/Zema controller delivering clickfraud instructions"; flow:established,to_client; content:"|0d 0a 0d 0a|<md5>"; content:"</md5><url>"; distance:16; within:11; classtype:trojan-activity; sid:2014217; rev:3; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015165; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Unknown HTTP CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".ru|3a|8080|0D 0A|"; http_header; fast_pattern; pcre:"/Host\x3a\s[a-z]{16}\.ru/H"; classtype:command-and-control; sid:2014221; rev:3; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015166; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BB Trojan Communication Protocol detected"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; depth:4; content:"|01 04 01 00 00|"; distance:8; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014227; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015167; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE QDIGIT Trojan Protocol detected"; flow:to_server,established; content:"|51 31 39 21 00|"; depth:5; dsize:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014222; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015168; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|PK"; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015169; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"vssMlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015170; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014247; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015171; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 5"; flow:established,to_server; content:"?subid="; http_uri; content:"&u="; distance:0; http_uri; pcre:"/\?subid=\d{9}&u=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014248; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015172; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> any any (msg:"ET DELETED Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015173; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert ftp $HOME_NET any -> any any (msg:"ET POLICY FTP Login Successful"; flow:from_server,established; flowbits:isset,ET.ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; depth:4; reference:url,doc.emergingthreats.net/2003410; classtype:misc-activity; sid:2003410; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015174; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pasta.IK Checkin"; flow:established,to_server; content:"/data/index.asp?act="; http_uri; content:"&ver=Ver"; http_uri; content:"&a="; http_uri; reference:md5,1a13d56365e864aba54967d4745ab660; classtype:command-and-control; sid:2014263; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015175; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:6; metadata:created_at 2012_01_19, former_category POLICY, updated_at 2012_01_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015176; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP geo location service response"; flow:established,from_server; flowbits:isset,ETPRO.IP.geo.loc; content:"city_name="; http_cookie; content:"state="; http_cookie; content:"country_"; http_cookie; content:"latitude="; http_cookie; content:"longitude="; http_cookie; content:"|0d 0a 0d 0a|document.write(|22|"; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014265; rev:4; metadata:created_at 2012_01_19, former_category POLICY, updated_at 2012_01_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015177; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IP2B Trojan Communication Protocol detected"; flow:established,to_server; content:"|78 56 34 12 00 10 00 10|"; depth:8; content:"|00 18 09 07 20|"; distance:4; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014226; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015178; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015179; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RShot Checkin"; flow:established,to_server; content:"connected#"; depth:10; content:"#Windows "; content:"##"; distance:0; dsize:<120; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:command-and-control; sid:2014268; rev:1; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015180; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015181; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015183; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015184; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015185; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015186; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015187; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015188; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015189; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:command-and-control; sid:2014300; rev:1; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2012_03_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015190; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; content:"|3B 20|Ini download file modue"; nocase; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015191; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:exploit-kit; sid:2014315; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015192; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|<xml>"; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015193; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"HTTP/1.1 30"; depth:11; content:"clickpayz.com/"; classtype:bad-unknown; sid:2014318; rev:2; metadata:created_at 2012_03_06, former_category CURRENT_EVENTS, updated_at 2012_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015194; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:2; metadata:created_at 2012_03_06, former_category CURRENT_EVENTS, updated_at 2012_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015195; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ipswcom.IPSWComItf"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015196; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015197; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10; reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015198; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan"; itype:3; dsize:>69; content:"securityfocus"; content:"securityfocus"; distance:50; within:15; reference:url,xprobe.sourceforge.net/; reference:url,doc.emergingthreats.net/2009298; classtype:attempted-recon; sid:2009298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015199; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible jBroFuzz Fuzzer Detected"; flow:to_server,established; content:"Host|3a| localhost"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-GB|3b| rv|3b|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; threshold: type threshold, track by_src, count 3, seconds 6; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; classtype:attempted-recon; sid:2009476; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015200; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015201; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015202; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015203; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015204; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015205; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Riern.K Checkin Off Port"; flow:established,from_client; content:"|01|new_host_"; depth:10; fast_pattern; content:"|ff ff ff ff ff 00 00 00 00 00 00 00 00|"; distance:0; classtype:command-and-control; sid:2014358; rev:2; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015206; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015207; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014362; rev:3; metadata:created_at 2012_03_10, former_category EXPLOIT_KIT, updated_at 2012_03_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015208; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy Checkin"; flow:established,to_server; content:"/guidcheck.php?q="; http_uri; content:"&g="; http_uri; content:"&n="; http_uri; content:"&h="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; reference:md5,bb129d433271951abb0e5262060a4583; classtype:command-and-control; sid:2014357; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015209; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:pup-activity; sid:2001586; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015210; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2; metadata:created_at 2010_09_29, former_category FTP, updated_at 2010_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015211; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015212; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; classtype:attempted-dos; sid:2003750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015213; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015214; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015215; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015216; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible Attempt to Create MSSQL SOAP/HTTP Endpoint in URI to Allow for Operating System Interaction"; flow:established,to_server; content:"CREATE"; nocase; http_uri; content:"ENDPOINT"; nocase; http_uri; pcre:"/CREATE.+ENDPOINT/Ui"; reference:url,msdn.microsoft.com/en-us/library/ms345123.aspx; classtype:web-application-attack; sid:2011425; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015217; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:2101056; rev:10; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015218; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 3"; flow:to_server,established; content:".js%2570"; http_uri; nocase; classtype:attempted-recon; sid:2101236; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015219; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 2"; flow:to_server,established; content:".j%2573p"; http_uri; nocase; classtype:attempted-recon; sid:2101237; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015220; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 1"; flow:to_server,established; content:".%256Asp"; http_uri; nocase; classtype:attempted-recon; sid:2101238; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015221; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015222; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~ftp access"; flow:to_server,established; content:"/~ftp"; nocase; http_uri; classtype:attempted-recon; sid:2101662; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015223; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-activity; sid:2101285; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015224; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:2101023; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015225; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot-Spyware Access"; flow:established,to_server; content:"/synctl/"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002963; classtype:trojan-activity; sid:2002963; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015226; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Shiz or Rohimafo config download"; flow: established,to_client; content:"|21|config"; nocase; content:"|21|load"; nocase; content:"|2e|php|3f|id|3d|1|26|magic|3d|"; nocase; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011521; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015227; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015228; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adobe 0day Shovelware"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"/ppp/listdir.php?dir="; http_uri; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/Ui"; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; classtype:trojan-activity; sid:2010496; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015229; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Java JAR PROPFIND via DAV possible alternative JVM exploit"; flow:established,to_server; content:"PROPFIND"; http_method; content:".jar"; http_uri; nocase; content:"User-Agent|3a| Microsoft-WebDAV-MiniRedir"; http_header; content:!"Referer|3a| "; http_header; reference:url,blogs.zdnet.com/security/?p=6082; reference:url,doc.emergingthreats.net/2011009; classtype:bad-unknown; sid:2011009; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015230; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download ws.exe"; flow:established,to_server; content:"GET"; http_method; content:"/install/ws.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010051; classtype:trojan-activity; sid:2010051; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015231; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015232; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url,securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, former_category DOS, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015233; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; classtype:attempted-admin; sid:2001217; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015234; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco %u IDS evasion"; flow:to_server,established; content:"%u002F"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000012; classtype:attempted-dos; sid:2000012; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015235; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco IOS HTTP server DoS"; flow: to_server,established; content:"/TEST?/"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000013; classtype:attempted-dos; sid:2000013; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015236; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco IOS HTTP DoS"; flow: to_server,established; content:"/error?/"; http_uri; nocase; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000009; classtype:attempted-dos; sid:2000009; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015237; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; http_uri; nocase; content:"SecurityMode=0"; nocase; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; classtype:attempted-admin; sid:2003072; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015238; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; content:".jsp?"; nocase; http_uri; content:"JSESSIONID="; nocase; isdataat:5132; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; classtype:attempted-admin; sid:2009216; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015239; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013746; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015240; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:command-and-control; sid:2014364; rev:2; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2012_03_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015241; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:4; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015242; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; flow:established,to_client; content:"%PDF-"; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015243; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:pup-activity; sid:2001735; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015245; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:pup-activity; sid:2003438; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015246; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:pup-activity; sid:2001441; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015247; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cutwail Landing Page WAIT PLEASE"; flow:established,from_server; content:"<h1>WAIT PLEASE</h1>"; nocase; depth:300; classtype:bad-unknown; sid:2014377; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015248; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015249; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:pup-activity; sid:2008419; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015250; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:pup-activity; sid:2008425; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015251; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:pup-activity; sid:2007601; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015252; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (villains)"; flow: to_server,established; content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:pup-activity; sid:2001228; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015253; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:pup-activity; sid:2001230; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015254; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:pup-activity; sid:2001450; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015255; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".ak-networks.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; classtype:trojan-activity; sid:2001529; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015256; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:pup-activity; sid:2001530; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015257; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ak-networks.com Spyware Code Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:pup-activity; sid:2001737; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:exploit-kit; sid:2014894; rev:4; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL"; flow:established,to_server; content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:pup-activity; sid:2002349; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; http_header; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015182; rev:5; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:pup-activity; sid:2003219; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:pup-activity; sid:2003619; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:pup-activity; sid:2000903; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:pup-activity; sid:2001999; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:pup-activity; sid:2003340; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:pup-activity; sid:2003341; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:pup-activity; sid:2003578; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_04_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:pup-activity; sid:2003605; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:pup-activity; sid:2003630; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:pup-activity; sid:2000574; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:pup-activity; sid:2001885; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:pup-activity; sid:2003211; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; nocase; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:pup-activity; sid:2002956; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:pup-activity; sid:2002957; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?open="; nocase; http_uri; content:"&myid="; fast_pattern; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009814; classtype:trojan-activity; sid:2009814; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:pup-activity; sid:2003153; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"|04 00 00 01 01 00 00 00 04|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:pup-activity; sid:2000366; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"|04 00 00 01 01 00 00 00 05|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:pup-activity; sid:2000367; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:pup-activity; sid:2000371; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:pup-activity; sid:2000593; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:command-and-control; sid:2014351; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:pup-activity; sid:2001198; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:pup-activity; sid:2001199; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:pup-activity; sid:2001216; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015461; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:pup-activity; sid:2001398; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015061; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:pup-activity; sid:2005319; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015062; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bonziportal Traffic"; flow: to_server,established; content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:pup-activity; sid:2001345; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015063; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:pup-activity; sid:2002954; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015064; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:pup-activity; sid:2003541; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015065; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:pup-activity; sid:2001501; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015066; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware Download"; flow: to_server,established; content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:pup-activity; sid:2001451; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015067; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:pup-activity; sid:2001452; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015068; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:pup-activity; sid:2001458; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015069; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:pup-activity; sid:2002088; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015070; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:command-and-control; sid:2006404; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015071; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:pup-activity; sid:2003417; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015072; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:pup-activity; sid:2003418; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015073; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:pup-activity; sid:2003419; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015074; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:pup-activity; sid:2002089; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015075; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:pup-activity; sid:2002095; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015076; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:pup-activity; sid:2002933; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015077; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:pup-activity; sid:2001521; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015078; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:pup-activity; sid:2001041; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015079; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:pup-activity; sid:2001032; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015080; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:pup-activity; sid:2001033; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015081; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:pup-activity; sid:2003358; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015082; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; content:"/stat.php?id="; nocase; http_uri; content:"&web_id="; nocase; http_uri; content:"Host|3a|"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; classtype:trojan-activity; sid:2003607; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015083; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:pup-activity; sid:2000931; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015084; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CometSystems Spyware"; flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:pup-activity; sid:2001050; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015085; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:pup-activity; sid:2001655; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015086; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:pup-activity; sid:2001658; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015261; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:pup-activity; sid:2002351; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015262; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:pup-activity; sid:2002352; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015263; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Comet Systems Spyware Cursor DL"; flow: to_server,established; content:"/czcontent/cursor"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:pup-activity; sid:2003307; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015264; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:pup-activity; sid:2003218; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015265; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:pup-activity; sid:2003074; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015266; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:pup-activity; sid:2003075; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015267; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:pup-activity; sid:2003076; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015268; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:pup-activity; sid:2001456; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015269; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:pup-activity; sid:2003462; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015270; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:pup-activity; sid:2001479; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015271; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:pup-activity; sid:2002766; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015272; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:pup-activity; sid:2002767; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015273; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:pup-activity; sid:2002769; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015274; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:pup-activity; sid:2002770; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015275; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:pup-activity; sid:2002771; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015276; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:pup-activity; sid:2001453; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015277; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:pup-activity; sid:2001454; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015278; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:pup-activity; sid:2002816; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015279; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:pup-activity; sid:2002817; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015280; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:pup-activity; sid:2003472; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015281; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:pup-activity; sid:2003473; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015282; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:pup-activity; sid:2001884; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015283; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:pup-activity; sid:2003444; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015284; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:pup-activity; sid:2007978; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015285; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015286; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:pup-activity; sid:2006427; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:pup-activity; sid:2006428; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:pup-activity; sid:2006431; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:pup-activity; sid:2006432; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:pup-activity; sid:2006433; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:pup-activity; sid:2007642; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:pup-activity; sid:2003084; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:pup-activity; sid:2001416; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:pup-activity; sid:2001423; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:pup-activity; sid:2003504; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:pup-activity; sid:2002009; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:pup-activity; sid:2002010; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:pup-activity; sid:2002317; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:pup-activity; sid:2002318; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:pup-activity; sid:2002319; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:pup-activity; sid:2001038; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10; metadata:created_at 2010_07_30, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:pup-activity; sid:2003304; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:pup-activity; sid:2003360; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:pup-activity; sid:2003414; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:pup-activity; sid:2003416; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:5; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:pup-activity; sid:2000585; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d0a|User-Agent|3a| gomtour|0d0a|"; within:200; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:pup-activity; sid:2000582; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:pup-activity; sid:2001221; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:pup-activity; sid:2003579; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Findwhat.com Spyware (sendmedia)"; flow: to_server,established; content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:pup-activity; sid:2003581; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPoint Agent Retrieving New Code"; flow: to_server,established; content:"/ftxmon.php?"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; classtype:trojan-activity; sid:2000905; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:pup-activity; sid:2000936; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:pup-activity; sid:2001710; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:pup-activity; sid:2001705; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing with prototype catch"; flow:established,from_server; content:"if(window.document)try{new"; content:".prototype}catch("; distance:0; fast_pattern; classtype:bad-unknown; sid:2014369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:pup-activity; sid:2000599; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:pup-activity; sid:2001013; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:pup-activity; sid:2002305; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:pup-activity; sid:2002310; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:pup-activity; sid:2002306; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:pup-activity; sid:2003151; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:pup-activity; sid:2003348; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:pup-activity; sid:2000025; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:pup-activity; sid:2000597; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:command-and-control; sid:2014669; rev:4; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:pup-activity; sid:2000519; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:pup-activity; sid:2000520; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:pup-activity; sid:2001656; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:pup-activity; sid:2001657; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:pup-activity; sid:2001660; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:pup-activity; sid:2002012; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:pup-activity; sid:2002013; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:pup-activity; sid:2007749; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (2)"; flow: to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:pup-activity; sid:2000921; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:pup-activity; sid:2000922; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:pup-activity; sid:2000923; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:pup-activity; sid:2000924; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:pup-activity; sid:2000929; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:pup-activity; sid:2003364; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:pup-activity; sid:2008917; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:pup-activity; sid:2002090; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:pup-activity; sid:2002096; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; classtype:pup-activity; sid:2001659; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:pup-activity; sid:2000927; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:pup-activity; sid:2000928; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:pup-activity; sid:2001793; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:pup-activity; sid:2001794; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:pup-activity; sid:2003376; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:pup-activity; sid:2002015; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; classtype:pup-activity; sid:2001308; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:pup-activity; sid:2002019; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:pup-activity; sid:2002016; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:pup-activity; sid:2008918; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:exploit-kit; sid:2010438; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:3; metadata:created_at 2011_12_31, updated_at 2011_12_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:pup-activity; sid:2003201; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:pup-activity; sid:2003203; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:pup-activity; sid:2003204; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; http_header; fast_pattern:only; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:2014968; rev:8; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:pup-activity; sid:2003298; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,doc.emergingthreats.net/2009305; reference:md5,1ca433d3f5538fda49c5defb59232f9d; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:pup-activity; sid:2003526; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:pup-activity; sid:2008067; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015729; rev:2; metadata:created_at 2012_09_22, updated_at 2012_09_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:pup-activity; sid:2008069; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:pup-activity; sid:2001340; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:pup-activity; sid:2003611; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:pup-activity; sid:2003612; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:pup-activity; sid:2000902; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:pup-activity; sid:2001359; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype|3b|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:pup-activity; sid:2003253; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:3; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:pup-activity; sid:2001587; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2014371; rev:6; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:pup-activity; sid:2001588; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:pup-activity; sid:2001589; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Spyware Install"; flow: to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:pup-activity; sid:2001481; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:pup-activity; sid:2001503; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:pup-activity; sid:2001509; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:pup-activity; sid:2001507; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:pup-activity; sid:2001666; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:pup-activity; sid:2001641; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:pup-activity; sid:2001643; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:pup-activity; sid:2001644; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:pup-activity; sid:2001645; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:pup-activity; sid:2000583; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mindset Interactive Install (2)"; flow: to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:pup-activity; sid:2000584; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirarsearch.com Spyware Posting Data"; flow:established,to_server; content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:pup-activity; sid:2003577; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:pup-activity; sid:2009234; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:pup-activity; sid:2001747; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:command-and-control; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:pup-activity; sid:2007996; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015509; rev:3; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:pup-activity; sid:2008915; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:pup-activity; sid:2000600; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:pup-activity; sid:2003222; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:pup-activity; sid:2003617; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:pup-activity; sid:2003240; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014024; rev:4; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:2; metadata:created_at 2012_03_15, former_category DOS, updated_at 2012_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"cv_v"; depth:4; http_user_agent; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:pup-activity; sid:2003241; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx|0d 0a|"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:pup-activity; sid:2001538; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:command-and-control; sid:2014460; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:pup-activity; sid:2001539; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:pup-activity; sid:2001341; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:pup-activity; sid:2007855; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:pup-activity; sid:2002044; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; classtype:pup-activity; sid:2001495; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:pup-activity; sid:2008456; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:pup-activity; sid:2002083; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; reference:url,doc.emergingthreats.net/2009712; classtype:pup-activity; sid:2009712; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popuptraffic.com Bot Reporting"; flow: to_server,established; content:"/scripts/click.php?"; nocase; http_uri; content:"hid="; http_uri; reference:url,popuptraffic.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; classtype:policy-violation; sid:2000577; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:pup-activity; sid:2003547; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; content:"/?action="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&pc_id="; nocase; http_uri; content:"&abbr="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; classtype:trojan-activity; sid:2003548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $HOME_NET any -> any any (msg:"ET ADWARE_PUP Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:pup-activity; sid:2001748; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; classtype:trojan-activity; sid:2000024; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:exploit-kit; sid:2016092; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:pup-activity; sid:2001311; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:pup-activity; sid:2001224; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:pup-activity; sid:2000601; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:pup-activity; sid:2001696; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:pup-activity; sid:2002296; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:pup-activity; sid:2002297; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:pup-activity; sid:2002298; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:pup-activity; sid:2002299; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:pup-activity; sid:2002300; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:pup-activity; sid:2002301; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:pup-activity; sid:2002302; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:pup-activity; sid:2002303; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:pup-activity; sid:2001484; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016315; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_01_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:pup-activity; sid:2001540; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:pup-activity; sid:2001744; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:pup-activity; sid:2002091; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:pup-activity; sid:2001650; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:exploit-kit; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:pup-activity; sid:2001653; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Seekmo.com Spyware Data Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:pup-activity; sid:2008356; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:pup-activity; sid:2008016; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Featured-Results.com Agent Reporting Data"; flow: to_server,established; content:"action=any"; nocase; http_uri; content:"country="; nocase; http_uri; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; classtype:trojan-activity; sid:2001293; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:pup-activity; sid:2001460; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"POST|2C|"; fast_pattern; nocase; depth:100; content:"ACCEPT|3A|"; nocase; within:300; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:pup-activity; sid:2000580; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:pup-activity; sid:2000581; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:pup-activity; sid:2001708; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:command-and-control; sid:2016096; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:pup-activity; sid:2002037; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_07, updated_at 2013_03_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:pup-activity; sid:2002000; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2010_07_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:pup-activity; sid:2001016; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:pup-activity; sid:2001017; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:4; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:pup-activity; sid:2002821; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016561; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_03_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:pup-activity; sid:2001505; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, updated_at 2010_07_30, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:pup-activity; sid:2001516; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:command-and-control; sid:2016712; rev:3; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:pup-activity; sid:2001513; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; fast_pattern; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:pup-activity; sid:2008135; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008110; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:pup-activity; sid:2008148; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008108; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:pup-activity; sid:2007861; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008103; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:pup-activity; sid:2007696; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:pup-activity; sid:2002990; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:pup-activity; sid:2002991; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:pup-activity; sid:2003450; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Speedera Agent (Specific)"; flow: to_server,established; content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:pup-activity; sid:2001321; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:pup-activity; sid:2003377; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:pup-activity; sid:2003375; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/nymain/"; http_uri; fast_pattern:only; content:"/index.php"; http_uri; content:"filename="; http_client_body; content:"&data="; http_client_body; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:pup-activity; sid:2002984; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_16, updated_at 2012_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:pup-activity; sid:2002987; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:pup-activity; sid:2003251; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:pup-activity; sid:2007593; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:pup-activity; sid:2002804; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:pup-activity; sid:2002805; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:pup-activity; sid:2002806; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016112; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spylog.ru Related Spyware Checkin"; flow:established,to_server; content:"/cnt?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&rn="; nocase; http_uri; content:"&c="; nocase; http_uri; content:"&tl="; nocase; http_uri; content:"&ls="; nocase; http_uri; content:"&ln="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&j="; nocase; http_uri; content:"&wh="; nocase; http_uri; content:"&px="; nocase; http_uri; content:"&sl="; nocase; http_uri; content:"&r="; nocase; http_uri; content:"&fr="; nocase; http_uri; content:"&pg="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; classtype:trojan-activity; sid:2007649; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:pup-activity; sid:2001536; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015161; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:pup-activity; sid:2001537; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:pup-activity; sid:2001522; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:pup-activity; sid:2001570; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Stormer/Error Guard Activity"; flow: established,to_server; content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:pup-activity; sid:2001571; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; content:"/updatestats/all_files"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; classtype:policy-violation; sid:2001523; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:pup-activity; sid:2001442; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; content:"applet"; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:pup-activity; sid:2001994; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; content:"|3c|script"; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:pup-activity; sid:2002738; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:pup-activity; sid:2003391; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:pup-activity; sid:2001510; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:pup-activity; sid:2001514; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:pup-activity; sid:2007945; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:pup-activity; sid:2003533; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; classtype:trojan-activity; sid:2015582; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:pup-activity; sid:2001997; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:pup-activity; sid:2002046; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:pup-activity; sid:2001482; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:pup-activity; sid:2001485; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (1)"; flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:pup-activity; sid:2001729; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:pup-activity; sid:2001734; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:pup-activity; sid:2001895; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:pup-activity; sid:2000588; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (1)"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:pup-activity; sid:2001646; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:pup-activity; sid:2001647; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; http_method; content:"?o="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:pup-activity; sid:2001648; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:pup-activity; sid:2001335; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"wininetget/"; nocase; depth:11; http_user_agent; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:pup-activity; sid:2001520; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_01, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:pup-activity; sid:2002004; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:pup-activity; sid:2002040; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_26, updated_at 2012_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:pup-activity; sid:2001313; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:pup-activity; sid:2001315; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:4; metadata:created_at 2012_10_16, updated_at 2012_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:pup-activity; sid:2001316; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:4; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:pup-activity; sid:2002736; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:pup-activity; sid:2002320; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zhelatin Variant Checkin"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:pup-activity; sid:2003297; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:pup-activity; sid:2009091; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:pup-activity; sid:2002999; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:pup-activity; sid:2003000; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:pup-activity; sid:2008158; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016597; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:pup-activity; sid:2008180; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017164; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:pup-activity; sid:2002348; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:pup-activity; sid:2002350; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:exploit-kit; sid:2012807; rev:4; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; classtype:trojan-activity; sid:2000306; rev:29; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:5; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST"; nocase; http_method; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; http_header; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; classtype:trojan-activity; sid:2000308; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.fishplay Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:pup-activity; sid:2001525; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:pup-activity; sid:2001526; rev:23; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:2; metadata:created_at 2013_08_30, updated_at 2013_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:pup-activity; sid:2007870; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug"; flow: to_server,established; content:"WxAlertIsapi"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; classtype:misc-activity; sid:2001235; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; http_method; content:"Host|3a|"; nocase; http_header; content:"wxbug.com"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; classtype:misc-activity; sid:2002364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow:established,to_server; content:"/WeatherWindow/WeatherWindow"; nocase; http_uri; content:"?rnd="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; classtype:trojan-activity; sid:2003420; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; nocase; http_uri; content:"?ZipCode="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; classtype:trojan-activity; sid:2003421; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Command Activity"; flow:established,to_server; content:"/connection/connectionv"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; classtype:trojan-activity; sid:2003422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; dsize:>0; byte_jump:2,1,little,post_offset -4; isdataat:!2,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017414; rev:3; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weatherbug Vista Gadget Activity"; flow:established,to_server; content:"/Command/VistaGadget_v"; nocase; http_uri; content:"UserId="; nocase; http_uri; content:"&AppVersion="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; classtype:trojan-activity; sid:2003534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 1"; flow:established,to_client; file_data; content:"cHJlbG9hZGVyLWNsYXNz"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017494; rev:2; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:pup-activity; sid:2003442; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 2"; flow:established,to_client; file_data; content:"wcmVsb2FkZXItY2xhc3"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017495; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:pup-activity; sid:2001678; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 3"; flow:established,to_client; file_data; content:"ByZWxvYWRlci1jbGFzc"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017496; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:pup-activity; sid:2001517; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:pup-activity; sid:2002036; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:pup-activity; sid:2000919; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:command-and-control; sid:2017614; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:pup-activity; sid:2001307; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Kelihos p2p traffic detected via byte_test - SET"; flow:established,to_server; dsize:100<>2000; pcre:"/^[^OGHPDTCMLUVRBAS]/"; content:!"HTTP/1."; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; flowbits:set,ET.Kelihos-P2P; flowbits:noalert; classtype:trojan-activity; sid:2017612; rev:5; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:pup-activity; sid:2001309; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:3; metadata:created_at 2013_09_27, updated_at 2013_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:pup-activity; sid:2001310; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:pup-activity; sid:2001314; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:pup-activity; sid:2001322; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:pup-activity; sid:2002008; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:pup-activity; sid:2001700; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:pup-activity; sid:2001701; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:pup-activity; sid:2003543; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:pup-activity; sid:2003353; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:pup-activity; sid:2008197; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:pup-activity; sid:2001461; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:pup-activity; sid:2001462; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:pup-activity; sid:2001463; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:pup-activity; sid:2001464; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:pup-activity; sid:2001466; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:pup-activity; sid:2001467; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:pup-activity; sid:2001468; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:pup-activity; sid:2001469; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:pup-activity; sid:2001470; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:pup-activity; sid:2001471; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:pup-activity; sid:2001541; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; content:"/img1big.gif"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; classtype:trojan-activity; sid:2000336; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; content:"/cgi-bin/yes.pl"; nocase; http_uri; reference:url,isc.sans.org/presentations/banking_malware.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; classtype:trojan-activity; sid:2000337; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:pup-activity; sid:2003354; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:pup-activity; sid:2001947; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET DELETED UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:pup-activity; sid:2003525; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-7]{3})(?P<d>[0-7]{3})(?P=p)(?P=d)([0-7]{3}){10}(?P<q>[0-7]{3})[0-7]{3}(?P<dot>[0-7]{3})[0-7]{3}(?P=dot)[0-7]{3}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:pup-activity; sid:2002740; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P<p>[0-7]{2,4})(?P<sep>[^0-7])(?P<d>(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P<q>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P<dot>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:pup-activity; sid:2002708; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:4; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:pup-activity; sid:2002709; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:pup-activity; sid:2008681; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:pup-activity; sid:2003451; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Badur.Spy User Agent HWMPro"; flow:established,to_server; content:"HWMPro"; depth:6; http_user_agent; reference:md5,234c47b5b29a2cfcc00900bbc13ea181; classtype:trojan-activity; sid:2017654; rev:4; metadata:created_at 2013_11_01, updated_at 2013_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:pup-activity; sid:2011229; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,de1adb1df396863e7e3967271e7db734; classtype:pup-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, former_category ADWARE_PUP, updated_at 2010_10_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:exploit-kit; sid:2017795; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:pup-activity; sid:2011938; rev:5; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; file_data; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:pup-activity; sid:2011939; rev:7; metadata:created_at 2010_11_20, former_category ADWARE_PUP, updated_at 2010_11_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:3; metadata:created_at 2013_12_12, updated_at 2013_12_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012228; rev:5; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"Mozilla Gecko Firefox 25"; http_user_agent; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017883; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_19, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:pup-activity; sid:2012229; rev:7; metadata:created_at 2011_01_25, former_category ADWARE_PUP, updated_at 2011_01_25;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:pup-activity; sid:2014069; rev:4; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2012_01_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:pup-activity; sid:2014183; rev:4; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2012_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; http_uri; content:".exe"; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/2010050; classtype:trojan-activity; sid:2010050; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (4)"; flow:established,to_server; content:"a="; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus"; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010062; classtype:trojan-activity; sid:2010062; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; classtype:trojan-activity; sid:2010452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; classtype:trojan-activity; sid:2010453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET DELETED LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/install.php"; http_uri; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; classtype:trojan-activity; sid:2010465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:4; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Setup_2012.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; pcre:"/Setup_20\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/xxxxxxx; classtype:trojan-activity; sid:2010684; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN LDPinch Loader Binary Request"; flow:to_server,established; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:7; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware Download Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/GR_OLD_CR.EXE"; nocase; http_uri; reference:url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html; reference:url,doc.emergingthreats.net/2011148; classtype:trojan-activity; sid:2011148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,doc.emergingthreats.net/2010789; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:md5,2b8a408b56eaf3ce0198c9d1d8a75ec0; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; content:"document.location="; depth:200; content:".php?"; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b\x20\x0a\x0d]/"; classtype:bad-unknown; sid:2014378; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader Possible AV KILLER"; flow:established,to_server; content:"GET"; nocase; http_method; content:"SoftName="; http_uri; nocase; content:"SoftVersion="; http_uri; nocase; content:"UserIP="; http_uri; nocase; content:"Mac="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009487; classtype:trojan-activity; sid:2009487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:5; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:command-and-control; sid:2009812; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:3; metadata:created_at 2014_01_23, updated_at 2014_01_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; content:"/?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; http_uri; content:"&a="; http_uri; content:"&l="; http_uri; content:"&addt"; reference:url,doc.emergingthreats.net/2008502; classtype:command-and-control; sid:2008502; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014373; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; content:"?type=scanner&pin="; http_uri; content:"&lnd="; http_uri; reference:url,doc.emergingthreats.net/2008511; classtype:trojan-activity; sid:2008511; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|04|info|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x04info\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014374; rev:3; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_r.php?fid="; http_uri; content:"&mac="; http_uri; within:15; content:"&version="; http_uri; distance:0; content:"&uuid="; http_uri; distance:0; reference:url,doc.emergingthreats.net/2008755; classtype:trojan-activity; sid:2008755; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|03|biz|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x03biz\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014375; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; depth:55; http_header; content:"Content-Length|3a20|"; http_header; content:"VISITED_URL"; depth:100; http_client_body; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; classtype:trojan-activity; sid:2003937; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Sality.bh Checkin"; flow:to_server,established; content:"/logo.gif?"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50728)|0d 0a|Host|3a| "; http_header; pcre:"/\x2flogo\x2egif\x3f([0-9a-z]){5}\x3d\d{6,7}/U"; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:md5,c15f4fe2e180150dc511aa64427404c5; classtype:trojan-activity; sid:2018111; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:command-and-control; sid:2007901; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:command-and-control; sid:2018151; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.ili HTTP Checkin"; flow:established,to_server; content:"/ctrl/cnt_boot.php?pgv="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007940; classtype:command-and-control; sid:2007940; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:5; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin"; flow:established,to_server; content:".php?PC="; http_uri; content:"&Data="; http_uri; content:"&Mac="; http_uri; reference:url,doc.emergingthreats.net/2007984; classtype:command-and-control; sid:2007984; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_user_agent; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:6; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:command-and-control; sid:2008267; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Havex Rat Check-in URI Struct"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a 20|"; content:".php?id"; http_uri; content:"&v1="; http_uri; content:"&v2="; http_uri; content:"&q="; http_uri; pcre:"/\.php\?id=[A-F0-9]+\-[A-F0-9]+&v1=[A-F0-9]+&v2=[A-F0-9]+&q=[A-F0-9]+$/U"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018251; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"appdata="; http_uri; nocase; content:"hd="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"computador="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008519; classtype:command-and-control; sid:2008519; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"|0d 0a 0d 0a|[Controlinfo]"; nocase; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; reference:url,doc.emergingthreats.net/2009090; classtype:trojan-activity; sid:2009090; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD"; http_method; nocase; content:".php?action="; http_uri; nocase; content:"&uid="; nocase; http_uri; content:"&locale="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&build="; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; classtype:trojan-activity; sid:2009750; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"BOT/0.1 (BOT for JCE)"; depth:21; http_user_agent; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:4; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch Module Download Request"; flow:established,to_server; content:"/dl/AcroIEHelpe"; nocase; http_uri; content:".dll"; http_uri; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; classtype:trojan-activity; sid:2009409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:command-and-control; sid:2018328; rev:2; metadata:created_at 2014_03_27, updated_at 2014_03_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected"; flow:established,to_server; content:"php?mac="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"++++++++"; nocase; content:"&ver="; nocase; http_uri; content:"&ie="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007864; classtype:command-and-control; sid:2007864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"Opera/9 (Windows NT "; http_user_agent; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:5; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:command-and-control; sid:2008283; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CWS Related Installer"; flow:established,to_server; content:"/image_tracker.php?l="; http_uri; fast_pattern:only; content:"&x="; http_uri; content:"&deptid="; distance:0; http_uri; content:"&page"; distance:0; http_uri; content:"&unique="; distance:0; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; classtype:trojan-activity; sid:2002932; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_uri; content:"sys="; http_uri; content:"yp="; http_uri; content:"rand="; http_uri; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; reference:url,doc.emergingthreats.net/2009453; classtype:command-and-control; sid:2009453; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; content:"&TIMEZONE="; http_uri; reference:url,doc.emergingthreats.net/2010266; classtype:command-and-control; sid:2010266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type=slg&id="; http_uri; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; classtype:trojan-activity; sid:2009351; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus js.js"; flow:established,to_server; content:"/js.js"; http_uri; urilen:15; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/js\.js$/U"; classtype:bad-unknown; sid:2014629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:command-and-control; sid:2016857; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&entity="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; classtype:trojan-activity; sid:2009354; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Inbox View"; flow:to_server,established; content:"/ym/ShowFolder"; http_uri; nocase; content:"rb=Inbox"; nocase; reference:url,doc.emergingthreats.net/2000041; classtype:policy-violation; sid:2000041; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Check In"; flow:established,to_server; content:"GET"; nocase; http_method; content:"v="; http_uri; content:"&s="; http_uri; content:"&uid="; http_uri; content:"&p="; http_uri; content:"&q="; content:"User-Agent|3a 0d 0a|"; http_header; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; classtype:trojan-activity; sid:2009360; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message View"; flow:to_server,established; content:"/ym/ShowLetter"; nocase; http_uri; content:"MsgId"; nocase; reference:url,doc.emergingthreats.net/2000042; classtype:policy-violation; sid:2000042; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; content:"ver="; nocase; http_uri; content:"&lg="; nocase; http_uri; content:"&phid="; nocase; http_uri; content:"&r="; http_uri; pcre:"/phid=[A-F0-9]{64}/Ui"; reference:url,doc.emergingthreats.net/2009349; classtype:trojan-activity; sid:2009349; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Compose Open"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000043; classtype:policy-violation; sid:2000043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?version="; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&fid="; nocase; http_uri; content:"&vpc="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008623; classtype:command-and-control; sid:2008623; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_09, updated_at 2014_01_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"?fid="; nocase; http_uri; content:"&kid="; nocase; http_uri; content:"&cnt="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&kw="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008624; classtype:command-and-control; sid:2008624; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; classtype:command-and-control; sid:2013344; rev:5; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:command-and-control; sid:2008153; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; content:"/download.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; fast_pattern; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; classtype:trojan-activity; sid:2003542; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; classtype:trojan-activity; sid:2008739; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Download"; flow:established,to_server; content:"/taskmgr.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017659; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:command-and-control; sid:2008353; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cosmu Process Dump Report"; flow:established,to_server; content:"] Dumping processes {|0d 0a|"; reference:url,doc.emergingthreats.net/2011234; classtype:trojan-activity; sid:2011234; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| BIE|0d 0a|"; http_header; content:"cname="; http_client_body; reference:url,doc.emergingthreats.net/2009204; classtype:command-and-control; sid:2009204; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"x="; http_client_body; content:!"User-Agent|3a| "; http_header; pcre:"/^x=[0-9a-zA-Z]{50}/P"; reference:url,doc.emergingthreats.net/2008263; classtype:command-and-control; sid:2008263; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length|3a| "; depth:50; content:"|0d 0a 0d 0a|"; within:10; reference:url,doc.emergingthreats.net/2008940; classtype:command-and-control; sid:2008940; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daonol C&C Communication"; flow:established,to_server; content:"/x/?0"; http_uri; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; classtype:command-and-control; sid:2010164; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Password Stealer Checkin URL Detected"; flow:established,to_server; content:"method=get"; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006384; classtype:trojan-activity; sid:2006384; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent|3a| Varlok_"; http_header; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003931; classtype:trojan-activity; sid:2003931; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Spy.Win32.Zbot.hmcm Checkin"; flow:established,to_server; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(eve|opt|req)\/[\-f0-9A-F]{24}$/U"; reference:md5,291b5ce96b3932944a32031d33bc8cfc; classtype:trojan-activity; sid:2018437; rev:4; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf HTTP Checkin (1)"; flow:established,to_server; content:"/mydown.asp?"; nocase; http_uri; content:"reg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tgid="; nocase; http_uri; content:"&address="; nocase; http_uri; content:"&mydo="; nocase; http_uri; content:"&flag="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007838; classtype:command-and-control; sid:2007838; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp any any -> any 443 (msg:"ET DELETED Potential Selfint C2 traffic (from client)"; flow: from_client,established; content:"PuTTY-Local|3a| Feb 5 2013 18|3a|27|3a|27"; classtype:command-and-control; sid:2018450; rev:7; metadata:created_at 2014_05_05, updated_at 2014_05_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Download via HTTP"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/mdfexcute/"; http_uri; content:"Windows 98)"; http_header; reference:url,doc.emergingthreats.net/2007911; classtype:trojan-activity; sid:2007911; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"umbra"; depth:5; nocase; http_user_agent; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (up)"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&MAC="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007939; classtype:command-and-control; sid:2007939; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (6)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?v="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&=w"; http_uri; nocase; reference:url,doc.emergingthreats.net/2008071; classtype:command-and-control; sid:2008071; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?macros="; nocase; http_uri; content:"&botstatus="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008090; classtype:command-and-control; sid:2008090; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DELETED SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; classtype:trojan-activity; sid:2009824; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:command-and-control; sid:2018473; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer"; flow: established,to_server; content:"/getnumtemp.asp?nip=0"; http_uri; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; reference:url,doc.emergingthreats.net/2003083; classtype:trojan-activity; sid:2003083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED TROJAN Downloader.Win32.Tesch.A Client CnC Checkin"; flow:established,to_server; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018476; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_15, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dialer.buv Sending Information Home"; flow:established,to_server; content:"/exit.php?if="; http_uri; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; reference:url,doc.emergingthreats.net/2008430; classtype:trojan-activity; sid:2008430; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:command-and-control; sid:2018424; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; content:"login="; nocase; http_uri; content:"&brokerid="; nocase; http_uri; content:"&extlogin="; nocase; http_uri; content:"&autosize="; nocase; http_uri; content:"&icp="; nocase; http_uri; content:"&id_site="; nocase; http_uri; content:"&dl_tracker="; nocase; http_uri; content:"&connection_type="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008490; classtype:command-and-control; sid:2008490; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET DELETED Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008770; classtype:trojan-activity; sid:2008770; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent|3a| cv_v"; http_header; reference:url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; reference:url,doc.emergingthreats.net/2003598; classtype:trojan-activity; sid:2003598; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008771; classtype:trojan-activity; sid:2008771; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1.0|0d 0a 0d 0a|"; content:!"|0d 0a|Host|3a| "; reference:url,doc.emergingthreats.net/2008945; classtype:trojan-activity; sid:2008945; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008772; classtype:trojan-activity; sid:2008772; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Dluca HTTP Checkin"; flow:established,to_server; content:"?id={"; nocase; http_uri; content:"&srv="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&docid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&cstate="; nocase; http_uri; content:"&state="; nocase; http_uri; content:"&flash="; nocase; http_uri; content:"&pin="; nocase; http_uri; content:"&OSInfo2="; nocase; content:"&cinfo="; nocase; http_uri; content:"&smd="; nocase; http_uri; content:"&rts="; nocase; http_uri; content:"&retryattempt="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007595; classtype:command-and-control; sid:2007595; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET DELETED EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; classtype:attempted-dos; sid:2000381; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:command-and-control; sid:2006377; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:" Alexa Toolbar|3b|"; http_header; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,doc.emergingthreats.net/2002166; classtype:trojan-activity; sid:2002166; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:6; metadata:created_at 2014_05_28, updated_at 2014_05_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"lunch_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/2006401; classtype:trojan-activity; sid:2006401; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Enfal.F Checkin via HTTP Post 7"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/Owpp4.cgi"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; content:!"Referer|3a 20|"; pcre:"/^[^\r\n]{15}\x5f[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}/m"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; classtype:trojan-activity; sid:2018665; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Downloader or Virut C&C Ack"; flow:established,to_server; content:"uid="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&actionname="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&success="; nocase; http_uri; content:"&debug="; nocase; http_uri; content:"&nocache="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007587; classtype:command-and-control; sid:2007587; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018847; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Checkin"; flow:established,to_server; content:"/boot.php/boot.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007952; classtype:command-and-control; sid:2007952; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|passinggas|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018848; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Install Report"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007953; classtype:trojan-activity; sid:2007953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:5; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Online Report"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007954; classtype:trojan-activity; sid:2007954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cygo Checkin"; flow:established,to_server; content:"/count.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007955; classtype:command-and-control; sid:2007955; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.HavexSysinfo Response"; flow:from_server,established; file_data; content:"<!--havexhavex-->"; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:2; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:command-and-control; sid:2008087; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; classtype:trojan-activity; sid:2000339; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Downloader.pgp Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&e="; http_uri; content:"&err="; http_uri;content:"&c="; http_uri; reference:url,doc.emergingthreats.net/2008492; classtype:trojan-activity; sid:2008492; rev:5; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_01;)
+#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000338; classtype:trojan-activity; sid:2000338; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan peer exchange"; flow:established,to_server; content:"|01|hs5p|0000|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003138; classtype:trojan-activity; sid:2003138; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper User-Agent (XXXwww)"; flow:established,to_server; content:"User-Agent|3a| XXXwww"; http_header; classtype:trojan-activity; sid:2014387; rev:1; metadata:created_at 2012_03_16, updated_at 2012_03_16;)
+#alert tcp any 25 -> any any (msg:"ET DELETED SpamThru trojan SMTP test successful"; flow:established,to_client; dsize:6; content:"XSMTPX"; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003139; classtype:trojan-activity; sid:2003139; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.cah Checkin Request"; flow:established,to_server; content:"?v="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&r1="; nocase; http_uri; content:"&tm=201"; nocase; http_uri; content:"&av="; nocase; http_uri; content:"&os=Windows"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"cht="; http_uri; reference:url,doc.emergingthreats.net/2007644; classtype:command-and-control; sid:2007644; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan update request"; flow:established,to_server; content:"|01|hs5p|0001|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003140; classtype:trojan-activity; sid:2003140; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name "; distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor|3a|"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; sid:2007987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV DLL request"; flow:established,to_server; content:"|01|hs5p|0007|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003141; classtype:trojan-activity; sid:2003141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper mdodo.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mdodo"; http_header; reference:url,doc.emergingthreats.net/2008195; classtype:trojan-activity; sid:2008195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam template request"; flow:established,to_server; content:"|01|hs5p|0004|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003142; classtype:trojan-activity; sid:2003142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| 6dzone|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008196; classtype:trojan-activity; sid:2008196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam run report"; flow:established,to_server; content:"|01|hs5p|0005|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003143; classtype:trojan-activity; sid:2003143; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Duntek establishing remote connection"; flow:established,to_server; content:"rfe.php?"; nocase; http_uri; content:"cmp=dun_tekfirst"; nocase; http_uri; content:"guid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; reference:url,doc.emergingthreats.net/2003537; classtype:trojan-activity; sid:2003537; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV scan report"; flow:established,to_server; content:"|01|hs5p|0008|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003144; classtype:trojan-activity; sid:2003144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007686; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007963; classtype:trojan-activity; sid:2007963; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007687; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (variant 3)"; flow:established,to_server; dsize:<42; content:"|3a|Windows "; depth:11; offset:2; reference:url,doc.emergingthreats.net/2009037; classtype:trojan-activity; sid:2009037; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Install Report via HTTP"; flow:established,to_server; content:"/control.php?pcad="; nocase; http_uri; content:"&tarih="; nocase; http_uri; content:"&saat="; nocase; http_uri; content:"&veri="; http_uri; reference:url,doc.emergingthreats.net/2008136; classtype:trojan-activity; sid:2008136; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic Checkin"; flow:established,to_server; dsize:<20; content:"|3a 20|"; offset:2; depth:6; content:"|20 7c 20|"; within:10; reference:url,doc.emergingthreats.net/2007962; classtype:trojan-activity; sid:2007962; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity"; flow:established,to_server; content:"?spl="; http_uri; content:"&br="; http_uri; content:"&vers="; http_uri; content:"&s="; http_uri; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2010248; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Server Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007964; classtype:trojan-activity; sid:2007964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XY)"; flow:established,to_server; dsize:<20; content:"XY|3a|2|7c|212"; offset:0; depth:9; reference:url,doc.emergingthreats.net/2007970; classtype:trojan-activity; sid:2007970; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FSG Packed Binary via HTTP Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; classtype:trojan-activity; sid:2002773; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (FYWL)"; flow:established,to_server; dsize:11; content:"FYWL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008223; classtype:trojan-activity; sid:2008223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"?campaign="; http_uri; content:"&country="; http_uri; content:"&counter="; http_uri; content:"&campaign="; http_uri; content:"&landid="; http_uri; reference:url,doc.emergingthreats.net/2009209; classtype:trojan-activity; sid:2009209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XYLL)"; flow:established,to_server; dsize:11; content:"XYLL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008224; classtype:trojan-activity; sid:2008224; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV HTTP Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"mid="; content:"&wv="; content:"&r="; content:"&tp="; content:"&exe="; fast_pattern; content:"&ls="; content:"&uid="; reference:url,doc.emergingthreats.net/2009514; classtype:trojan-activity; sid:2009514; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend/Ceckno C&C Traffic - Checkin"; flow:established,to_server; dsize:<30; content:"VERSONEXc|3a|2|7c|212|7c|"; depth:16; reference:url,doc.emergingthreats.net/2008254; classtype:trojan-activity; sid:2008254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV Encoded data= HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"data=/CjEfcLas0KCj/"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009553; classtype:trojan-activity; sid:2009553; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Delf CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<15; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; reference:url,doc.emergingthreats.net/2008007; classtype:command-and-control; sid:2008007; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; reference:url,doc.emergingthreats.net/2008008; classtype:command-and-control; sid:2008008; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; content:"|2F|installer|2F|Installer|2E|exe"; nocase; http_uri; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; classtype:trojan-activity; sid:2010221; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008006; classtype:command-and-control; sid:2008006; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Feral Checkin via HTTP"; flow:established,to_server; content:"?ucid="; nocase; http_uri; content:"&wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007286; classtype:trojan-activity; sid:2007286; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; reference:url,doc.emergingthreats.net/2008033; classtype:trojan-activity; sid:2008033; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Flystud"; flow:to_server,established; content:"loading.html?fn="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&clientid="; nocase; http_uri; content:"channel="; nocase; http_uri; content:"&stn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011086; classtype:trojan-activity; sid:2011086; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED System.Poser HTTP Checkin"; flow:established,to_server; content:"/check.php?c="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"User-Agent|3a| Microsoft BITS"; http_header; reference:url,doc.emergingthreats.net/2008035; classtype:trojan-activity; sid:2008035; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit Kit Landing"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"hello="; nocase; http_uri; pcre:"/\.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$/Ui"; reference:url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2011693; classtype:exploit-kit; sid:2011693; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with modified version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx/"; nocase; pcre:"/Server\: nginx/[a-zA-Z]/i"; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008065; classtype:bad-unknown; sid:2008065; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (1)"; flow:established,to_server; content:"/config.php?ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&ras="; nocase; http_uri; content:"&verfull="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008397; classtype:command-and-control; sid:2008397; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL Pattern (/loader/setup.php)"; flow:established,to_server; content:"/loader/setup.php?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008076; classtype:trojan-activity; sid:2008076; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:command-and-control; sid:2008431; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Xorer.ez HTTP Checkin to CnC"; flow:established,to_server; content:"/qq.html?username="; nocase; http_uri; content:"&zhaosp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008081; classtype:command-and-control; sid:2008081; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET DELETED Looked.P/Gamania/Delf #108/! Style CnC Checkin"; flow:established,to_server; dsize:6; content:"#1"; depth:2; content:"/!"; distance:2; within:2; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:command-and-control; sid:2008219; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| wget 3.0|0d 0a|"; nocase; http_header; content:"aid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009539; classtype:command-and-control; sid:2009539; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winspywareprotect.com Fake AV/Anti-Spyware Secondary Checkin"; flow:established,to_server; content:"/stat.php?func=scanfinished&id="; http_uri; reference:url,doc.emergingthreats.net/2008251; classtype:trojan-activity; sid:2008251; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; content:"cike.php?fid="; nocase; http_uri; content: "&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; classtype:command-and-control; sid:2010138; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin Initial Packet"; flow:established,to_server; dsize:<100; content:"|00 00 00 00 00 00|WindowsXP|00 00 00|"; flowbits:set,ET.emogen1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008269; classtype:trojan-activity; sid:2008269; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; reference:url,doc.emergingthreats.net/2008521; classtype:trojan-activity; sid:2008521; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin CnC Keepalive"; flow:established,to_server; flowbits:isset,ET.emogen1; dsize:4; content:"test"; reference:url,doc.emergingthreats.net/2008270; classtype:command-and-control; sid:2008270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Spambot HTTP Checkin"; flow:established,to_server; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&uptime="; http_uri; content:"&cmd="; http_uri; reference:url,doc.emergingthreats.net/2008261; classtype:command-and-control; sid:2008261; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Banker Infostealer/PRG POST on High Port"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2E|php|3F|2="; nocase; content:"|26|n="; nocase; content:"|26|v="; nocase; content:"|26|i="; nocase; content:"|26|sp="; nocase; content:"|26|lcp="; nocase; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2008326; classtype:trojan-activity; sid:2008326; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unnamed Generic.Malware http get"; flow:established,to_server; content:"/ww20/script.php?id="; nocase; http_uri; content:"&config="; nocase; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2003431; classtype:trojan-activity; sid:2003431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config/fgun_install_"; http_uri; content:"User-Agent|3a| NSI SDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; classtype:trojan-activity; sid:2008359; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"Content-Type|3a| text/html"; http_header; content:"Content-type|3a| image/gif"; http_header; reference:url,doc.emergingthreats.net/2010282; classtype:command-and-control; sid:2010282; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test Start port 8888"; flow:established,to_server; dsize:25; content:"GET /test_link HTTP/1.0|0d 0a|"; reference:url,doc.emergingthreats.net/2008435; classtype:trojan-activity; sid:2008435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv.A.dll Infection"; flow: to_server,established; content:"/test"; http_uri; content:".php"; http_uri; content:"?abc="; http_uri; content:"?def="; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; reference:url,doc.emergingthreats.net/2008689; classtype:trojan-activity; sid:2008689; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Checkin port 8888"; flow:established,to_server; content:"/stat?uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; reference:url,doc.emergingthreats.net/2008437; classtype:trojan-activity; sid:2008437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:md5,fd3d061ee86987e8f3f245c2dc0ceb46; reference:md5,912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,doc.emergingthreats.net/2010163; classtype:command-and-control; sid:2010163; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test port 8888"; flow:established,to_server; dsize:>1000; content:"Data|3a| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:35; reference:url,doc.emergingthreats.net/2008436; classtype:trojan-activity; sid:2008436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Bobax trojan infection"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/reg|3f|u="; http_uri; content:"|26|v="; http_uri; reference:url,www.lurhq.com/bobax.html; reference:url,doc.emergingthreats.net/2001901; classtype:trojan-activity; sid:2001901; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED XPantivirus2008 Download"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"XPantivirus20"; nocase; http_uri; pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; reference:url,doc.emergingthreats.net/2008516; classtype:trojan-activity; sid:2008516; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"F6FE8878-54D2-4333-B9F0-FC543B1BE1ED"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1030 (msg:"ET DELETED Ipbill.com Related Dialer Trojan Checkin"; flow:established,to_server; dsize:7; content:"|0a|"; offset:6; pcre:"/\d\d\d\d\d\d\x0a/"; flowbits:set,ET.ipbill1; reference:url,doc.emergingthreats.net/2008730; classtype:trojan-activity; sid:2008730; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit download payload likely Hiloti Gozi FakeAV etc"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/eH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/eH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011103; classtype:exploit-kit; sid:2011103; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1030 -> $HOME_NET any (msg:"ET DELETED Ipbill.com Related Dialer Trojan Server Response"; flow:established,from_server; dsize:<20; content:"|0a 5b 27|"; offset:2; depth:5; content:"|27 5d 0a|"; distance:0; flowbits:isset,ET.ipbill1; reference:url,doc.emergingthreats.net/2008731; classtype:trojan-activity; sid:2008731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit attack activity likely hostile"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/oH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011104; classtype:exploit-kit; sid:2011104; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp any any -> any 5554 (msg:"ET DELETED Sasser FTP Traffic"; flow: to_server,established; content:"up.exe"; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000040; classtype:misc-activity; sid:2000040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; classtype:command-and-control; sid:2008275; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp any any -> any 9996 (msg:"ET DELETED Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000047; classtype:misc-activity; sid:2000047; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent|3a| SykO"; http_header; nocase; reference:url,doc.emergingthreats.net/2003649; classtype:trojan-activity; sid:2003649; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:4; metadata:created_at 2014_06_24, updated_at 2014_06_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent|3a| IE_7.0"; http_header; nocase; reference:url,doc.emergingthreats.net/2003932; classtype:trojan-activity; sid:2003932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.b"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001056; classtype:misc-activity; sid:2001056; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp?mac="; nocase; http_uri; content:"&xxx="; nocase; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009811; classtype:trojan-activity; sid:2009811; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.a"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001057; classtype:misc-activity; sid:2001057; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Inject.BV Trojan User Agent Detected (faserx)"; flow:established,to_server; content:"User-Agent|3a| faser"; http_header; nocase; reference:url,doc.emergingthreats.net/2003637; classtype:trojan-activity; sid:2003637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CIA Trojan download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; reference:url,doc.emergingthreats.net/2001233; classtype:trojan-activity; sid:2001233; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Insidebar.co.kr Related Infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"e=inside&s="; http_client_body; content:"&ver="; http_client_body; content:"&p="; http_client_body; reference:url,doc.emergingthreats.net/2008760; classtype:command-and-control; sid:2008760; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Beagle User Agent Detected"; flow: to_server,established; dsize:<150; content:"User-Agent|3a| beagle_beagle"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; reference:url,doc.emergingthreats.net/2001269; classtype:trojan-activity; sid:2001269; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Klom.A Connecting to Controller"; flow:established,to_server; content:"/s_13_0?m="; nocase; http_uri; content:"r="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html; reference:url,doc.emergingthreats.net/2003538; classtype:trojan-activity; sid:2003538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; within: 30; distance: 16; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; reference:url,doc.emergingthreats.net/2001273; classtype:trojan-activity; sid:2001273; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; classtype:trojan-activity; sid:2010787; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> any 445 (msg:"ET DELETED Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001337; classtype:trojan-activity; sid:2001337; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Koblu"; flow:established,to_server; content:"GET"; nocase; http_method; content:"sid="; nocase; http_uri; content:"&sa="; nocase; http_uri; content: "&p="; http_uri; content:"&q=cards&rf="; http_uri; content:"&enc="; http_uri; content:"&enk=&xsc=&xsp=&xsm="; http_uri; reference:url,doc.emergingthreats.net/2010230; classtype:trojan-activity; sid:2010230; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001338; classtype:trojan-activity; sid:2001338; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface fetch C&C command detected"; flow:established, to_server; content:".php"; nocase; http_uri; content:"f=0&a="; fast_pattern; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; content:"&c_tg="; content:"&c_nl="; content:"&c_fu="; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010153; classtype:command-and-control; sid:2010153; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; classtype:policy-violation; sid:2001455; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Korklic.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:"mode=boot&MyValue="; http_uri; content:"&code="; http_uri; pcre:"/MyValue=[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:/Ui"; reference:url,doc.emergingthreats.net/2009003; classtype:trojan-activity; sid:2009003; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"ET DELETED Sasser FTP exploit attempt"; flow: to_server,established; dsize: >150; content:"PORT "; depth: 5; reference:url,www.lurhq.com/dabber.html; reference:url,doc.emergingthreats.net/2001548; classtype:attempted-admin; sid:2001548; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting Spam"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/sp/post.php"; nocase; http_uri; content:"data="; depth:400; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003190; classtype:trojan-activity; sid:2003190; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 1025:5000 (msg:"ET MALWARE Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001610; classtype:misc-activity; sid:2001610; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001611; classtype:misc-activity; sid:2001611; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mcboo.com/Bundlext.com related Trojan Checkin URL"; flow:established,to_server; content:"/ack.php?version="; http_uri; content:"&uid="; http_uri; content:"&status="; http_uri; reference:url,doc.emergingthreats.net/2008758; classtype:command-and-control; sid:2008758; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http|3a|//"; nocase; content:"|3a|3531/.pkt"; nocase; within: 20; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; classtype:trojan-activity; sid:2001679; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MEREDROP/micr0s0fts.cn Related Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.asp"; http_uri; content:"ver="; http_client_body; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http_client_body; reference:url,doc.emergingthreats.net/2008891; classtype:command-and-control; sid:2008891; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"ET DELETED MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001712; classtype:policy-violation; sid:2001712; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metajuan trojan checkin"; flow:established,to_server; content:"trafc-2/rfe"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99; reference:url,doc.emergingthreats.net/2007811; classtype:command-and-control; sid:2007811; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"ET DELETED MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001713; classtype:policy-violation; sid:2001713; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.MisleadApp Fake Security Product Install"; flow:established,to_server; content:"GET"; nocase; http_method; content:"hash?http"; nocase; http_uri; pcre:"/\/(ucleaner|udefender|ufixer)\.com\/demo\.php\?/Ui"; reference:url,doc.emergingthreats.net/2007566; classtype:trojan-activity; sid:2007566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"ET DELETED MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001714; classtype:policy-violation; sid:2001714; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Monkif Downloader Checkin"; flow:to_server,established; content:"/cgi/"; http_uri; content:".php?"; nocase; http_uri; content:"x640<x"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; reference:url,doc.emergingthreats.net/2009126; classtype:command-and-control; sid:2009126; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET !21:587 -> any any (msg:"ET DELETED Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; classtype:non-standard-protocol; sid:2001815; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nanspy Bot Checkin"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:"/bbcount.php?action="; http_uri; content:"&uid="; http_uri; content:"&locale="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2010158; classtype:command-and-control; sid:2010158; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg:"ET DELETED AIM Bot Outbound Control Channel Open and Login"; flow: to_server,established; content:"PASS"; nocase; pcre:"/PASS\s.*?\x0d\x0aNICK\s.*?\x0d\x0aUSER\s.*?\s\d\s\d\s\:\S/im"; reference:url,doc.emergingthreats.net/2001910; classtype:trojan-activity; sid:2001910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Navipromo related update"; flow:established,to_client; content:"|0d 0a|Server|3a| lighttpd|0d 0a 0d 0a|<HTML><CFG>_SYSTEM_DIR_"; reference:url,doc.emergingthreats.net/2009694; classtype:trojan-activity; sid:2009694; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit exe"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2002323; classtype:misc-activity; sid:2002323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nine Ball Infection ya.ru Post"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/gate/"; http_uri; content:".php"; http_uri; content:"|0d 0a 0d 0a|"; content:"ya.ru/"; distance:67; within:6; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011186; classtype:trojan-activity; sid:2011186; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit php"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".php"; nocase; reference:url,doc.emergingthreats.net/2002322; classtype:misc-activity; sid:2002322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoBo Downloader Dropper GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NoBo"; http_header; reference:url,www.spynomore.com/trojan-nobo-v1-3.htm; reference:url,doc.emergingthreats.net/2009443; classtype:trojan-activity; sid:2009443; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit pif"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".pif"; nocase; reference:url,doc.emergingthreats.net/2002324; classtype:misc-activity; sid:2002324; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel trojan calling home"; flow:established,to_server; content:"/gate.php?hash="; http_uri; content:"/gate.php?hash="; content:" HTTP/1."; distance:8; within:16; reference:url,www.abuse.ch/?p=143; reference:url,doc.emergingthreats.net/2008405; classtype:trojan-activity; sid:2008405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32.kelvir.HI"; flow: established; content:"X-MMS-IM-"; depth:153; content:"search.php?data="; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html; reference:url,doc.emergingthreats.net/2002325; classtype:misc-activity; sid:2002325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response with runurl"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]runurl|3a|"; content:"|7c|taskid|3a|"; within:100; content:"|7c|delay|3a|"; within:30; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010723; classtype:command-and-control; sid:2010723; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET DELETED Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002390; classtype:misc-attack; sid:2002390; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]kill|3a|"; content:"|7c|delay|3a|"; within:50; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010724; classtype:command-and-control; sid:2010724; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET DELETED Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; classtype:successful-recon-limited; sid:2002389; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response (2)"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]delay|3a|"; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010744; classtype:command-and-control; sid:2010744; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,emerging_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,emerging_wmf_http; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002743; classtype:unknown; sid:2002743; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE onmuz.com Infection Activity"; flow:established,to_server; content:"pid=patchup_notpid_update^on"; http_uri; content:"/logonmuz"; http_uri; reference:url,doc.emergingthreats.net/2008973; classtype:trojan-activity; sid:2008973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 3"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002741; classtype:unknown; sid:2002741; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; content:"/?do=rphp"; nocase; http_uri; content:"&sub="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&q="; nocase; http_uri; content:"&orig="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010224; classtype:trojan-activity; sid:2010224; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 1"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002757; classtype:unknown; sid:2002757; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?2="; http_uri; content:"&n="; http_uri; content:"&v="; http_uri; content:"&i="; http_uri; content:"&sp="; http_uri; content:"&lcp="; http_uri; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007688; classtype:trojan-activity; sid:2007688; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 1"; flow:established; flowbits:isset,emerging_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002758; classtype:attempted-user; sid:2002758; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002742; classtype:attempted-user; sid:2002742; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET MALWARE LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; nocase; reference:url,doc.emergingthreats.net/2008366; classtype:command-and-control; sid:2008366; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 4C 24 00 8B 44 24 02 59 59 C3 E8 ED FF FF FF 25 00 00 00 FF 33 C9 3D 00 00 00 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003094; classtype:trojan-activity; sid:2003094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PWS.Win32.VB.tr Checkin Detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp"; http_uri; content:"id="; content:"&tit="; content:"&comm"; content:"Run|2B|Successfully"; fast_pattern; reference:url,doc.emergingthreats.net/2008506; classtype:command-and-control; sid:2008506; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 27 00 C1 FB B5 D5 35 02 E2 C3 D1 66 25 32 BD 83 7F B7 4E 3D 06 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003095; classtype:trojan-activity; sid:2003095; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Warezov/Stration Challenge Response"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003176; classtype:trojan-activity; sid:2003176; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PassSickle Reporting User Activity"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&data="; nocase; http_uri; content:"PassSickle"; http_header; nocase; pcre:"/^User-Agent\:[^\n]+PassSickle/Hmi"; reference:url,doc.emergingthreats.net/2002859; classtype:trojan-activity; sid:2002859; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Warezov/Stration Challenge"; flow:established,to_server; dsize:1; content:"|38|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003175; classtype:not-suspicious; sid:2003175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:".gif?"; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:command-and-control; sid:2009522; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http any any -> any $HTTP_PORTS (msg:"ET DELETED Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET /  HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2003484; reference:url,isc.sans.org/diary.html?storyid=2451; classtype:trojan-activity; sid:2003484; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - prinimalka.py"; flow:established,to_server; content:"/prinimalka.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009405; classtype:trojan-activity; sid:2009405; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET DELETED TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; content:"Windows NT "; depth:11; reference:url,doc.emergingthreats.net/2008587; classtype:trojan-activity; sid:2008587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - trash.py"; flow:established,to_server; content:"/trash.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009406; classtype:trojan-activity; sid:2009406; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 1802 -> $HOME_NET any (msg:"ET DELETED TroDjan 2.0 FTP Channel Open Command"; flow:established,to_server; dsize:7; content:"ftpopen"; reference:url,doc.emergingthreats.net/2008588; classtype:trojan-activity; sid:2008588; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit VBscript download"; flow:established,to_client; content:"Createobject(StrReverse("; nocase; content:"|22|tcejbOmetsySeliF.gnitpircS|22|))"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,doc.emergingthreats.net/2011184; classtype:exploit-kit; sid:2011184; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig Initial CnC Connect on port 8392"; flow:established,to_server; dsize:4; content:"|00 00 78 e3|"; flowbits:set,ET.torpig.init; reference:url,doc.emergingthreats.net/2010826; classtype:command-and-control; sid:2010826; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; content:"/cd/un.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008384; classtype:command-and-control; sid:2008384; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig CnC Connect on port 8392"; flowbits:isset,ET.torpig.init; flow:established,to_server; content:"|00 00|"; depth:2; content:"|00 00 00|"; distance:2; within:5; flowbits:set,ET.torpig.fosure; reference:url,doc.emergingthreats.net/2010827; classtype:command-and-control; sid:2010827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointfree.co.kr Trojan/Spyware Infection Checkin"; flow:established,to_server; content:"log.php?mac="; http_uri; content:"&hdd="; content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/2008972; classtype:command-and-control; sid:2008972; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC IP Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 00 0d|"; reference:url,doc.emergingthreats.net/2010828; classtype:command-and-control; sid:2010828; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:command-and-control; sid:2006405; rev:4; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 01 6f|"; reference:url,doc.emergingthreats.net/2010829; classtype:command-and-control; sid:2010829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:command-and-control; sid:2008493; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Loader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lds.php"; http_uri; reference:url,doc.emergingthreats.net/2009036; classtype:trojan-activity; sid:2009036; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qhosts Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"UserID="; http_client_body; content:"&wv="; http_client_body; content:"&res="; http_client_body; content:"&lng="; http_client_body; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99; reference:url,doc.emergingthreats.net/2009517; classtype:trojan-activity; sid:2009517; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rcash.co.kr Bootup Checkin via HTTP"; flow:established,to_server; content:"/install/Boot.asp?macaddr="; nocase; http_uri; content:"&partner="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007807; classtype:command-and-control; sid:2007807; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Renos/ssd.com HTTP Checkin"; flow:established,to_server; content:"/dlp.php?"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&ydf="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&w=___"; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&apzx="; nocase; http_uri; content:"&apz="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007834; classtype:command-and-control; sid:2007834; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Response from victim"; flow:established,from_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; reference:url,doc.emergingthreats.net/2009797; classtype:trojan-activity; sid:2009797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A|  Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010289; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST"; nocase; http_method; content:"?mod=log&user="; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008140; classtype:trojan-activity; sid:2008140; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010290; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010290; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:md5,fa078834dd3b4c6604d12823a6f9f17e; classtype:command-and-control; sid:2011820; rev:3; metadata:created_at 2010_10_15, former_category MALWARE, updated_at 2010_10_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,doc.emergingthreats.net/2010291; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010291; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)
+#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET DELETED Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12; metadata:created_at 2010_10_27, updated_at 2010_10_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Twitter Status Update"; flow:to_server,established; content:"POST"; http_method; content:"/status/update"; http_uri; content:"twitter.com"; nocase; content:"authenticity_token="; nocase; content:"status="; nocase; reference:url,twitter.com; reference:url,doc.emergingthreats.net/2010797; classtype:policy-violation; sid:2010797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; classtype:trojan-activity; sid:2000901; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:md5,df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:2; metadata:created_at 2010_12_18, updated_at 2010_12_18;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent|3a|"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; classtype:trojan-activity; sid:2001654; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2010_12_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; classtype:trojan-activity; sid:2001015; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".htm"; http_uri; content:"Host|3a| "; http_header; content:"Content-Length|3a| "; http_header; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:command-and-control; sid:2012137; rev:5; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2011_01_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:md5,af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:md5,58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:md5,7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:command-and-control; sid:2008515; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Unknown Web Backdoor Keep-Alive"; flow:established,to_server; urilen:13; content:"POST"; http_method; nocase; content:"/bbs/info.asp"; http_uri; classtype:trojan-activity; sid:2012250; rev:3; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; reference:md5,664a5147e6258f10893c3fd375f16ce4; classtype:trojan-activity; sid:2012289; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server greenter.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|greenter|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012202; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Twitter m28sx Worm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"gdfgdfgdgdfgdfg|02|in|02|ua"; nocase; distance:0; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012210; rev:2; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; reference:md5,8556aec7ff96824e2da9d1b948ed7029; classtype:command-and-control; sid:2012300; rev:3; metadata:created_at 2011_02_07, former_category TROJAN, updated_at 2017_03_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:exploit-kit; sid:2012389; rev:3; metadata:created_at 2011_02_27, former_category EXPLOIT_KIT, updated_at 2011_02_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:command-and-control; sid:2012391; rev:3; metadata:created_at 2011_02_28, former_category MALWARE, updated_at 2011_02_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:md5,de85ae919d48325189bead995e8052e7; classtype:trojan-activity; sid:2012440; rev:4; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:command-and-control; sid:2012505; rev:4; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:md5,01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt"; flow:established,to_client; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2012156; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:command-and-control; sid:2014399; rev:3; metadata:created_at 2012_03_15, former_category MALWARE, updated_at 2012_03_15;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Post Express Inbound SPAM (possible Spyeye)"; flow:established,to_server; content:"Content-Disposition|3A|attachment|3b|"; nocase; content:"filename=|22|Post_Express_Label_"; nocase; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012275; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"/qvod/ff.txt"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Trojan dropper Wlock.A (AS1680)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/pornoplayer.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=pworldxxx.info; classtype:trojan-activity; sid:2012301; rev:4; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:md5,e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Fast Flux Trojan Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/SecurIns_194.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=microantivirus5.com; classtype:bad-unknown; sid:2012332; rev:3; metadata:created_at 2011_02_22, updated_at 2011_02_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
+#alert http $HOME_NET any -> 184.105.245.17 8080 (msg:"ET DELETED DroidDream Android Trojan info upload"; flow:to_server,established; content:"/GMServer/GMServlet"; http_uri; reference:url,androguard.blogspot.com/2011/03/droiddream.html; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=79&blogId=1; reference:url,blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/; reference:url,countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/; classtype:trojan-activity; sid:2012410; rev:3; metadata:created_at 2011_03_03, updated_at 2011_03_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:pup-activity; sid:2014403; rev:2; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2012_03_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Fast Flux Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/Setup_2004.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=spyremover-k3.com; classtype:trojan-activity; sid:2012447; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Clicker.Win32.Agent.qqf Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2f|sogou"; http_uri; pcre:"/\x2fsogou(config)?\x2f/Ui"; reference:md5,f468778836fd27a2ccca88c99f6dd3e9; classtype:trojan-activity; sid:2012643; rev:2; metadata:created_at 2011_04_06, updated_at 2011_04_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android Trojan HongTouTou Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/index.aspx?im="; http_uri; nocase; content:"|0d 0a|User-Agent|3a| Apache-HttpClient"; http_header; reference:url,blog.netqin.com/en/?p=451; classtype:trojan-activity; sid:2012450; rev:4; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 897 (msg:"ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jsp"; nocase; depth:35; pcre:"/\/\d{8,}\/\d{4,}\/\d{4,}\.jsp/"; reference:url,doc.emergingthreats.net/2009093; classtype:trojan-activity; sid:2009093; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/games/pdf"; nocase; http_uri; content:"php?f=7"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=poleoa.net; classtype:trojan-activity; sid:2012538; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow: to_server,established; content:"weatherbug.com|0d 0a|"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; classtype:misc-activity; sid:2001267; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer.0042.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012539; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:3; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Win32 Backdoor Poison"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/salvando-usb.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=arteencueros.com; classtype:trojan-activity; sid:2012540; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (png)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".png"; nocase; http_uri; content:".png HTTP"; nocase; pcre:"/\.png$/Ui"; reference:url,doc.emergingthreats.net/2010070; classtype:trojan-activity; sid:2010070; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/CazinoSilver Download VegasVIP_setup.exe"; flow:established,to_server; content:"/VegasVIP_setup.exe"; nocase; http_uri; reference:url,ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html; classtype:trojan-activity; sid:2012685; rev:3; metadata:created_at 2011_04_12, updated_at 2011_04_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpeg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpeg"; nocase; http_uri; content:".jpeg HTTP"; nocase; pcre:"/\.jpeg$/i"; reference:url,doc.emergingthreats.net/2010068; classtype:trojan-activity; sid:2010068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013407; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"|2e|ashx|3f|m|3d|"; http_uri; content:"|2d|"; distance:2; within:1; http_uri; content:"|26|mid|3d|"; http_uri; distance:0; content:"|26|tid|3d|"; http_uri; distance:0; content:"|26|d|3d|"; http_uri; distance:0; content:"|26|uid|3d|"; http_uri; distance:0; content:"|26|t|3d|"; http_uri; distance:0; reference:md5,48432bdd116dccb684c8cef84579b963; classtype:command-and-control; sid:2012839; rev:4; metadata:created_at 2011_05_23, former_category MALWARE, updated_at 2011_05_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack landing"; flow:established,to_server; content:".php?f="; http_uri; content:!"Cookie|3a|"; http_header; pcre:"/\.php\?f=\d+$/U"; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012688; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_15, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
+#alert ip $HOME_NET any -> 83.236.140.90 any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013754; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CPL Trojan Downloader Request"; flow:established,to_server; content:".cpl?|20|HTTP/1.1"; nocase; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2012910; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_01, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert ip 83.236.140.90 any -> $HOME_NET any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013753; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:command-and-control; sid:2012934; rev:4; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2011_06_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AirOS .css Worm Outbound Propagation Sweep"; flow:established,to_server; content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014041; rev:6; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:md5,27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:md5,4860e53b7e71cd57956e10ef48342b5f; classtype:command-and-control; sid:2013071; rev:4; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2011_06_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Install"; flow: to_server,established; content:"/install/pop"; nocase; http_uri; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; classtype:policy-violation; sid:2001445; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/UFR POST to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ufr/ufr.php"; http_uri; content:"UFR"; http_client_body; classtype:command-and-control; sid:2013424; rev:3; metadata:created_at 2011_08_18, updated_at 2011_08_18;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007635; classtype:trojan-activity; sid:2007635; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:command-and-control; sid:2014405; rev:10; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2012_02_29;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:command-and-control; sid:2013456; rev:5; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007637; classtype:trojan-activity; sid:2007637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:command-and-control; sid:2013451; rev:3; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2010262; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_21, updated_at 2012_03_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Rdxrp.com Traffic (Generic)"; flow: to_server,established; content:"/rdxr"; nocase; http_uri; content:".dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; classtype:trojan-activity; sid:2001312; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; classtype:trojan-activity; sid:2013543; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:exploit-kit; sid:2014748; rev:4; metadata:created_at 2012_05_14, updated_at 2012_05_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Aeausuc P2P Variant Retrieving Peers List"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gameover"; http_uri; pcre:"/gameover(\d+)?\.php/U"; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|X-ID|3a|"; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013740; rev:9; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Einstein CnC Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; reference:url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; classtype:command-and-control; sid:2013767; rev:3; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tomcat Successful default credential login from external source"; flow:from_server,established; content:"HTTP/1."; depth:7; content:"200"; http_stat_code; content:"OK"; http_stat_msg; reference:url,tomcat.apache.org; classtype:successful-admin; sid:2009219; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:md5,07ed70b6e7775a510d725c9f032c70d8; classtype:command-and-control; sid:2013781; rev:4; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2011_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:md5,f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:4; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:4; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:command-and-control; sid:2013948; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
+#alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV2|0d 0a|"; http_header; classtype:command-and-control; sid:2013949; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
+#alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*?=[^\n]*?(UPS|United Parcel Service)[^\n]*?\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; content:"<applet"; content:"<param"; distance:0; content:"window.document"; distance:0; classtype:bad-unknown; sid:2014414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"Cookie|3a| WinSec"; nocase; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; classtype:trojan-activity; sid:2011178; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2017_10_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; classtype:attempted-user; sid:2009665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flow:established,from_server; content:"VirtualProtect|00|"; reference:url,doc.emergingthreats.net/2009080; classtype:trojan-activity; sid:2009080; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; classtype:attempted-user; sid:2011270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010052; classtype:trojan-activity; sid:2010052; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetStartupInfo"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:7; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Fake Antivirus Download installpv.exe"; flow:established,to_server; content:"GET"; http_method; content:"/installpv.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010057; classtype:trojan-activity; sid:2010057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwProtectVirtualMemory"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012768; rev:7; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Malware Download flash-HQ-plugin exe"; flow:established,to_server; content:"GET"; http_method; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[A-Z0-9]+-plugin\.[A-Z0-9]+\.exe/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; classtype:bad-unknown; sid:2010440; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:9; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; classtype:trojan-activity; sid:2009171; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2011_05_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2010234; reference:md5,7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010234; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http any any -> $HOME_NET any (msg:"ET DELETED Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; classtype:trojan-activity; sid:2001684; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; http_uri; nocase; content:"/qwerce.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; classtype:trojan-activity; sid:2010231; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; classtype:trojan-activity; sid:2010235; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; classtype:trojan-activity; sid:2010236; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; content:"<object"; nocase; content:"E065E4A-BD9D-4547-8F90-985DC62A5591"; nocase; distance:0; content:"|2e|SetSource("; distance:0; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4"; flow:established,to_server; content:"POST"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; classtype:trojan-activity; sid:2010237; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1"; flow:from_server,established; content:"<script"; nocase; content:"PLAYERPT.PlayerPTCtrl.1"; nocase; distance:0; content:"|2e|SetSource("; distance:0; pcre:"/(ActiveXObject|CreateObject)\s*\(\s*(\x22|\x27)PLAYERPT\.PlayerPTCtrl\.1/iG"; reference:url,retrogod.altervista.org/9sg_linksys_playerpt.htm; classtype:command-and-control; sid:2014416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_23, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; classtype:trojan-activity; sid:2010238; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxClientSystem.ClientSystem.1"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010239; reference:md5,316fd88ac18d21889b1dbf9b979c1959; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010239; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Client requesting fake scanner page /scan/?key="; flow:established,to_server; content:"/scan/?key="; http_uri; classtype:bad-unknown; sid:2011545; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Eleonore - landing page"; flow:established,to_client; content:"{display|3A|none}</style><a class="; classtype:bad-unknown; sid:2011510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:pup-activity; sid:2003585; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Fragus - landing page delivered"; flow:established,to_client; content:"|0d 0a 0d 0a|var CRYPT={signature|3a|"; classtype:bad-unknown; sid:2011330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.PowerPointer checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<packet>"; http_client_body; content:"</packet>"; http_client_body; classtype:command-and-control; sid:2014040; rev:3; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
+#alert tcp any $HTTP_PORTS -> any any (msg:"ET DELETED Malvertising DRIVEBY Fragus Admin Panel Delivered To Client"; flow:established,to_client; content:"<head>|0D 0A 09 09|<title>Fragus</title>"; classtype:bad-unknown; sid:2011342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED POST to /x48/x58/ Possible Zeus Version 3 Command and Control Server Traffic"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/x48/x58/"; http_uri; nocase; content:".php"; http_uri; nocase; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011344; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:md5,e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:5; metadata:created_at 2012_01_03, updated_at 2012_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zeus Version 3 Infection Posting Banking HTTP Log to Command and Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_dr.php?"; http_uri; nocase; content:"https|3A|//"; nocase; pcre:"/\x2Fget\x5Fdr\x2Ephp\x3F(e|ini)\x3D/Ui"; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011345; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:3; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2012_01_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Bredolab - client requesting java exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:2011795; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Driveby Bredolab - landing page"; flow:established,to_client; content:"Server|3a| nginx"; content:"<div style=|22|visibility|3a| hidden|3b||22|><"; depth:120; classtype:bad-unknown; sid:2011796; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:command-and-control; sid:2014044; rev:5; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014223; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014224; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_22, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; classtype:trojan-activity; sid:2014239; rev:3; metadata:created_at 2012_02_18, updated_at 2012_02_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Banker (AS33182)"; flow:established,to_server; content:"GET"; http_method; content:"/update/html2.exe.bak"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=allmobilefashion.com; classtype:trojan-activity; sid:2011968; rev:3; metadata:created_at 2010_11_22, updated_at 2010_11_22;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5; metadata:created_at 2012_03_26, former_category CURRENT_EVENTS, updated_at 2012_03_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Ircbrute Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/imagFaceBook.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=egyboys.net; classtype:bad-unknown; sid:2011980; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:command-and-control; sid:2014307; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2012_03_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/QuickTime_Update_KB673901.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=media-download-kb572810.biz; classtype:bad-unknown; sid:2011981; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 04|"; distance:1; within:2; byte_test:4,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014434; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/av-scanner.48370.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=mediafilesonline.net; classtype:bad-unknown; sid:2011983; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 03|"; distance:1; within:2; byte_test:3,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014433; rev:10; metadata:created_at 2012_03_24, updated_at 2012_03_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/MalvRem_"; nocase; http_uri; pcre:"/MalvRem_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011984; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big;  reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:9; metadata:created_at 2012_03_24, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus avdistr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avdistr_"; nocase; http_uri; pcre:"/avdistr_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011985; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:md5,881e21645e5ffe1ffb959835f8fdf71d; classtype:command-and-control; sid:2013768; rev:4; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus RunAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/RunAV_"; nocase; http_uri; pcre:"/RunAV_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011986; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
 
-#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Rogue AV (installer.xxxx.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/installer\.\d{4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc; classtype:bad-unknown; sid:2011990; rev:4; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshare.org|3A|999"; http_header; classtype:trojan-activity; sid:2012132; rev:6; metadata:created_at 2011_01_04, updated_at 2011_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake AV Scan (AS31252)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/powersecure_2005-19_ibr8.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com; classtype:trojan-activity; sid:2012302; rev:3; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; content:!"|0d 0a 0d 0a|MZ"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:5; metadata:created_at 2012_02_16, updated_at 2012_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Rogue Antivirus FakePAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/firefox_update_2011.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=76.76.102.214; classtype:trojan-activity; sid:2012403; rev:3; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Backdoor.Kbot Config Retrieval"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/getcfg.php"; http_uri; content:"oop="; http_client_body; depth:4; reference:md5,b8ee86e57261fd3fb422a2b20a3c3e09; classtype:trojan-activity; sid:2014291; rev:4; metadata:created_at 2012_02_29, updated_at 2012_02_29;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeAV campaign related JavaScript eval document obfuscation"; flow:established,from_server; content:"|20|=|20|eval('docu'+'men'+'t')|3b 0d 0a 0d 0a|"; classtype:trojan-activity; sid:2012495; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/trusteer.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012537; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:4; metadata:created_at 2011_05_17, updated_at 2011_05_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshares.org|3A|"; http_header; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_13, updated_at 2011_01_13;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"E5D2CE27-5FA0-11D2-A666-204C4F4F5020"; nocase; distance:0; content:"SelectServer"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:4; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:command-and-control; sid:2013348; rev:8; metadata:created_at 2011_08_04, former_category MALWARE, updated_at 2011_08_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
 
-alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; content:"/cgi-bin/unshopping3.cgi?b="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013180; rev:10; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011812; rev:4; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_07_04, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED iframebiz - adv***.php"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adv"; nocase; http_uri; pcre:"/adv\d+\.php/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; classtype:trojan-activity; sid:2002707; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:7; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Possible Hupigon Connect"; flow:established,from_server; flowbits:set,ET.Hupinit2; dsize:<28; content:"HTTP/1.0 200 "; depth:13; flowbits:noalert; reference:url,doc.emergingthreats.net/2009290; classtype:trojan-activity; sid:2009290; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET DELETED Hupigon CnC Client Status"; flow:established,to_server; flowbits:isset,ET.Hupinit2; dsize:<6; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009291; classtype:command-and-control; sid:2009291; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET DELETED Hupigon CnC Server Response"; flow:established,from_server; flowbits:isset,ET.Hupinit2; dsize:3; content:"|0d 0a|"; reference:url,doc.emergingthreats.net/2009292; classtype:command-and-control; sid:2009292; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch V2 Communication with Controller"; flow:established,to_server; content:"id="; nocase; http_uri; content:"&check="; nocase; http_uri; content:"&version2="; http_uri; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z0-9]+&/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O; classtype:trojan-activity; sid:2009408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:6; metadata:created_at 2012_02_20, updated_at 2012_02_20;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:3; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
 
-#alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa"; flow:established,to_server; content:"/searches?q=#pepbyfadxeoa"; fast_pattern; http_uri; content:"Host|3A 20|mobile.twitter.com|0d 0a|"; http_header; reference:url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/; classtype:trojan-activity; sid:2014333; rev:4; metadata:created_at 2012_03_07, updated_at 2012_03_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater post-auth checkin"; flow:established,to_server; content:"/search6"; http_uri; fast_pattern; content:"?h1="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|Windows NT 5.2)"; http_header; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014214; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014859; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:3; metadata:created_at 2012_04_03, updated_at 2012_04_03;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014860; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014861; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary"; flow:established,to_server; content:"/ngt.exe"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014464; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014862; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary 2"; flow:established,to_server; content:"/?path=qx200.exe"; http_uri; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014465; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Security Shield payment page request"; flow:established,to_server; content:!"Referer|3a| "; http_header; content:"/payform/?k="; http_uri; classtype:trojan-activity; sid:2014631; rev:4; metadata:created_at 2012_04_23, updated_at 2012_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014476; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014477; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014474; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin NewAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" NewAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,77d68770fcdc6052bd8d761d14a14f5a; classtype:command-and-control; sid:2014467; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; content:"|0D 0A 0D 0A CE FA ED FE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014516; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+#alert tcp any any -> any any (msg:"ET DELETED njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019223; rev:1; metadata:created_at 2014_09_23, updated_at 2014_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; content:"|0D 0A 0D 0A FE ED FA CE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; content:"|0D 0A 0D 0A CA FE BA BE|"; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+#alert udp any 67 -> any 68 (msg:"ET DELETED Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2; content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1; within:10; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019238; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; content:"|0D 0A 0D 0A|"; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:5; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c32f1e7d9d6f88c4d2468fe205f4abfc; classtype:trojan-activity; sid:2019274; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor Command Request CnC Checkin"; flow:established,to_server; content:".php?id="; http_uri; content:"&ext="; fast_pattern; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D/Ui"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014528; rev:2; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2012_04_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Common Downloader Trojan Checkin"; flow:established,to_server; content:".php?pid="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&amd="; nocase; http_uri; content:"&win64="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007975; classtype:trojan-activity; sid:2007975; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"fesexy.net"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; classtype:trojan-activity; sid:2002768; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED osCommerce vulnerable web application extras update.php exists"; flow:to_client,established; content:"Select an SQL file to install"; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002863; classtype:attempted-recon; sid:2002863; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,doc.emergingthreats.net/2010594; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:md5,94e13e13c6da5e32bde00bc527475bd2; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2"; flow:established,from_server; content:"|0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013501; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Zonebac.D"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"cid="; nocase; http_uri;content:"&aid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&fw="; nocase; http_uri; content:"&v="; nocase; http_uri;content:"&m="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008682; classtype:trojan-activity; sid:2008682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2019362; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; content:"/athenareg.php?pass= |3b|"; nocase; http_uri; reference:cve,CAN-2004-1782; reference:bugtraq,9349; reference:url,doc.emergingthreats.net/2001949; classtype:web-application-attack; sid:2001949; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000: (msg:"ET DELETED Possible Sweet Orange Secondary Landing"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(?:\/[a-z-]+)+\.php\?[a-z]+=[0-9]+[^\r\n]+HTTP\/1\.1/R"; content:"3 HTTP/1.1"; fast_pattern:only; classtype:exploit-kit; sid:2019351; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; content:"/inst.php?wmid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&s="; nocase; http_uri; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; classtype:trojan-activity; sid:2007865; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019356; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:exploit-kit; sid:2014539; rev:2; metadata:created_at 2012_04_11, updated_at 2012_04_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.KeyLogger.ODN Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"pcname="; depth:7; http_client_body; content:"&note="; distance:0; http_client_body; content:"&country="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&log="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019468; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server;  content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding;  classtype:bad-unknown; sid:2014445; rev:5; metadata:created_at 2012_03_30, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:2100183; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; content:"/script/bzDellHpData.js?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; classtype:trojan-activity; sid:2003621; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Isig.isigCtl.1"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014551; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,ca22207c5441a100437b75d7ce0d3fe2; classtype:command-and-control; sid:2019591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; classtype:web-application-attack; sid:2008126; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DETECTIESETTINGS.detectIESettingsCtrl.1"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Krunchy/BZub HTTP Checkin/Update"; flow:established,to_server; content:".php?action="; http_uri; content:"&guid="; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007775; classtype:trojan-activity; sid:2007775; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007578; classtype:trojan-activity; sid:2007578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; nocase; http_method; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007579; classtype:trojan-activity; sid:2007579; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE Download With Content Type Specified As Empty"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; content:"|0d 0a 0d 0a|"; distance:0; content:"MZ"; within:2; isdataat:80,relative; content:"This program "; distance:0; content:"PE|00|"; distance:0; reference:md5,d51218653323e48672023806f6ace26b; classtype:trojan-activity; sid:2014567; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007580; classtype:trojan-activity; sid:2007580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6116A7EC-B914-4CCE-B186-66E0EE7067CF"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007581; classtype:trojan-activity; sid:2007581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"EDBoardLib.EDBoard"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:20; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"D9397163-A2DB-4A4A-B2C9-34E876AF2DFC"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate"; flow:established,from_server; content:"|7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b|"; content:"sef1941@gmail.com"; within:250; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; classtype:misc-activity; sid:2013223; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PNLLM.Client.1"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Potential DNS Request from Trojan.DNSChanger infected system"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2014043; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"65996200-3B87-11D4-A21F-00E029189826"; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Code Download"; flow: to_server,established; content:"/updatestats/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; classtype:policy-violation; sid:2001524; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TList.TList.6"; fast_pattern; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bedep Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"Content-Length|3a 20|2"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/^Content-Length\x3a 2\d{2}\r?$/Hmi"; flowbits:set,ET.Trojan.Bedep; classtype:trojan-activity; sid:2019949; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Winwebsec.B Checkin"; flow:established,to_server; content:"/temp1.jpg"; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; reference:md5,9c9109cea5845272d6abd1b5523c8de7; classtype:command-and-control; sid:2014578; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2012_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Download URI Struct June 19 2014"; flow:established, to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"=aHR0cD"; http_uri; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/\/[a-z]{2,9}\.php\?(?:[a-z0-9]{2,4}|[cktw])=[a-zA-Z0-9\x2b\x2f\x5c]{43,56}=?$/U"; classtype:trojan-activity; sid:2018589; rev:6; metadata:created_at 2014_06_20, updated_at 2014_06_20;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002385; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020073; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"microsoft_predator_client"; nocase; http_header; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:pup-activity; sid:2014584; rev:5; metadata:created_at 2012_04_16, former_category ADWARE_PUP, updated_at 2012_04_16;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020074; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for Loading prototype catch"; flow:established,from_server; content:">Loading..."; fast_pattern:only; content:").prototype."; content:"}catch("; within:10; classtype:trojan-activity; sid:2014540; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Bedep Checkin Response"; flow:established,from_server; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"Content-Length|3a| 108|0d 0a|"; http_header; fast_pattern:only; content:!"Keep-Alive|3a 20|"; http_header; file_data; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; classtype:trojan-activity; sid:2019952; rev:5; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x="; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern; content:"&pdf="; http_uri; content:"&flash="; content:"&qt="; http_uri; classtype:exploit-kit; sid:2014569; rev:5; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (10)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020227; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Malicious PDF (EmbeddedFiles) improper case"; flow:from_server,established; content:"|0d 0a 0d 0a|%PDF"; content:"/EmbeddedFiles"; within:128; nocase; content:!"/EmbeddedFiles"; distance:-14; within:14; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:trojan-activity; sid:2014575; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:pup-activity; sid:2014606; rev:4; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Flashpack Redirect Method 3"; flow:established,to_server; content:"POST"; http_method; content:!"/gateway.php"; http_uri; content:"gate"; http_uri; fast_pattern:only; content:".php"; http_uri; content:".swf"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; classtype:trojan-activity; sid:2019325; rev:9; metadata:created_at 2014_09_30, updated_at 2014_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3; metadata:created_at 2012_04_18, updated_at 2012_04_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020379; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYCIOSCNLib.Scan"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014620; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; fast_pattern; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2019764; rev:9; metadata:created_at 2014_11_21, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED High Probability Blackhole Landing with catch qq"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:bad-unknown; sid:2014294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32 Jadtre/Wapomi/Nimnul/Viking.AY ICMP ping"; icode:0; itype:8; dsize:36; content:"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; classtype:trojan-activity; sid:2014595; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020399; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e|"; offset:16; depth:16; dsize:48; reference:md5,4a17e9bd99f496c518ddfaaef93384b0; classtype:command-and-control; sid:2014630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED Microsoft Access database error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"JET Database Engine"; fast_pattern:only; classtype:web-application-attack; sid:2020502; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; content:"|0d 0a 0d 0a|cfgint="; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:pup-activity; sid:2014605; rev:6; metadata:created_at 2012_04_17, former_category ADWARE_PUP, updated_at 2012_04_17;)
+#alert tcp $EXTERNAL_NET [1024:7989,7991:] -> $HOME_NET any (msg:"ET DELETED Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007920; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002655; classtype:policy-violation; sid:2002655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Scam - FakeAV Alert Request March 2 2015"; flow:established,to_server; content:"afid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&Expires="; distance:0; http_uri; content:"&Signature="; distance:0; http_uri; content:"&Key-Pair-Id="; distance:0; http_uri; classtype:social-engineering; sid:2020587; rev:2; metadata:created_at 2015_03_03, updated_at 2015_03_03;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002654; classtype:policy-violation; sid:2002654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; classtype:policy-violation; sid:2001443; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/2002653; classtype:policy-violation; sid:2002653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2016589; rev:8; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002652; classtype:policy-violation; sid:2002652; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2015927; rev:4; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/2002651; classtype:policy-violation; sid:2002651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:exploit-kit; sid:2014917; rev:4; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002650; classtype:policy-violation; sid:2002650; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2014916; rev:3; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/2002649; classtype:policy-violation; sid:2002649; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/2002648; classtype:policy-violation; sid:2002648; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/2002642; classtype:policy-violation; sid:2002642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/2002640; classtype:policy-violation; sid:2002640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_09, updated_at 2015_05_09;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/2002639; classtype:policy-violation; sid:2002639; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/2002638; classtype:policy-violation; sid:2002638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:external-ip-check; sid:2021161; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/2002637; classtype:policy-violation; sid:2002637; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any [139,445] (msg:"ET DELETED Possible Duqu 2.0 Accessing SMB/SMB2 backdoor"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"tttttttt"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021243; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/2002636; classtype:policy-violation; sid:2002636; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cryptolocker C2 SSL cert serial"; flow:established,to_client; content:"|b3 b2 82 08 58 32 5e 8e|"; fast_pattern:only; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/2002635; classtype:policy-violation; sid:2002635; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:exploit-kit; sid:2020497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_22, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/2002634; classtype:policy-violation; sid:2002634; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; nocase; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016588; rev:15; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/2002633; classtype:policy-violation; sid:2002633; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing June 16 2015 M3"; flow:established,to_client; file_data; content:"<title>Virus Firewall Alert!</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; content:"popup-mac-warning.png"; nocase; distance:0; classtype:social-engineering; sid:2021287; rev:2; metadata:created_at 2015_06_17, updated_at 2015_06_17;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/2002632; classtype:policy-violation; sid:2002632; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"/ie7.html"; http_uri; classtype:exploit-kit; sid:2018932; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002631; classtype:policy-violation; sid:2002631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M1 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; offset:49; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"|0d 0a|Host|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020385; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002630; classtype:policy-violation; sid:2002630; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_10, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002629; classtype:policy-violation; sid:2002629; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 29 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,8,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])(?P<var>[a-zA-Z0-9]{9,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002628; classtype:policy-violation; sid:2002628; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015698; rev:3; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/2002627; classtype:policy-violation; sid:2002627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dridex SSL Cert July 6 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 0e 34 be 9a f3 1e d7|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:8; reference:md5,0facc32fc6f9c67650575c8a8298bef2; classtype:trojan-activity; sid:2021380; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002625; classtype:policy-violation; sid:2002625; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_14, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/2002624; classtype:policy-violation; sid:2002624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:exploit-kit; sid:2017793; rev:4; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002623; classtype:policy-violation; sid:2002623; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup ip-api.com"; flow:established,to_server; content:"GET"; http_method; content:"/xml"; http_uri; content:"ip-api.com"; fast_pattern:only; http_header; classtype:external-ip-check; sid:2021406; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Restricted Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002410; classtype:policy-violation; sid:2002410; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; urilen:3; content:"/dd"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; classtype:exploit-kit; sid:2018934; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Confidential Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002411; classtype:policy-violation; sid:2002411; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 20 2015 M3"; flow:to_client,established; file_data; content:"html class=|22|js js sessionstorage|22|"; fast_pattern:13,20; content:"getURLParameter"; distance:0; content:"Toll Free"; nocase; distance:0; content:"myFunction|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2021448; rev:2; metadata:created_at 2015_07_20, updated_at 2015_07_20;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Top Secret Outbound"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002412; classtype:policy-violation; sid:2002412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK SilverLight Payload Request - May 2014"; flow:established,to_server; urilen:71<>79; content:!"/aHR0c"; depth:6; http_uri; content:!"/Uk0v"; depth:5; http_uri; content:"="; http_uri; offset:71; depth:6; pcre:"/^\/[-a-zA-Z0-9_]{70,75}==?$/U"; reference:url,blogs.cisco.com/security/angling-for-silverlight-exploits/; classtype:exploit-kit; sid:2018497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Non-US Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002413; classtype:policy-violation; sid:2002413; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 23 2015"; flow:to_client,established; file_data; content:"navigator.sayswho"; content:"alertforSecuity"; fast_pattern; distance:0; content:"Firefox"; distance:0; content:"Chrome"; distance:0; content:"Netscape"; distance:0; classtype:social-engineering; sid:2021522; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002414; classtype:policy-violation; sid:2002414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021524; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002415; classtype:policy-violation; sid:2002415; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2016155; rev:7; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Confidential"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002416; classtype:policy-violation; sid:2002416; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO COSMIC Top Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002417; classtype:policy-violation; sid:2002417; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 3"; flow:established,to_server; content:"ZEV4ZWN"; http_uri; classtype:trojan-activity; sid:2012923; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret Atomal"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002418; classtype:policy-violation; sid:2002418; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 1"; flow:established,to_server; content:"Q21kRXhl"; http_uri; classtype:trojan-activity; sid:2012921; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP NATO Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002419; classtype:policy-violation; sid:2002419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 2"; flow:established,to_server; content:"bWRFeGVj"; http_uri; classtype:trojan-activity; sid:2012922; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002420; classtype:policy-violation; sid:2002420; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021823; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002421; classtype:policy-violation; sid:2002421; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"ET DELETED Soulseek traffic (2)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001186; classtype:policy-violation; sid:2001186; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepalive to CnC"; flow:established,to_server; dsize:>30; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:md5,fc414168a5b4ca074ea6e03f770659ef; classtype:command-and-control; sid:2013337; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_01, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"ET DELETED Soulseek traffic (1)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001185; classtype:policy-violation; sid:2001185; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Secret, Electronic"; flow:to_server,established; content:"Subject|3A|"; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002422; classtype:policy-violation; sid:2002422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; http_uri; nocase; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002423; classtype:policy-violation; sid:2002423; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008055; classtype:command-and-control; sid:2008055; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret REL TO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002424; classtype:policy-violation; sid:2002424; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008056; classtype:command-and-control; sid:2008056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002429; classtype:policy-violation; sid:2002429; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008057; classtype:command-and-control; sid:2008057; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002430; classtype:policy-violation; sid:2002430; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:command-and-control; sid:2008058; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret COMSEC"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002431; classtype:policy-violation; sid:2002431; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008059; classtype:command-and-control; sid:2008059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret CNWDI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002434; classtype:policy-violation; sid:2002434; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response port 443"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008060; classtype:command-and-control; sid:2008060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret TK"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002436; classtype:policy-violation; sid:2002436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Google Android Device HTTP Request"; flow:established,to_server; content:"|3B 20|Android|20|"; http_header; classtype:policy-violation; sid:2012251; rev:9; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FGI"; flow:to_server,established; content:"Subject|3A|"; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002438; classtype:policy-violation; sid:2002438; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Evil EXE download from MSXMLHTTP non-exe extension M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022052; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US FOUO"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002439; classtype:policy-violation; sid:2002439; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (2)"; flow:established,to_client; file_data; content:"|29 26 9a 62 39 55 b6 0d|"; distance:4; within:8; classtype:trojan-activity; sid:2022139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002440; classtype:policy-violation; sid:2002440; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (5)"; flow:established,to_client; file_data; content:"|63 86 34 11 a3 ae 83 1e|"; distance:4; within:8; classtype:trojan-activity; sid:2022142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret NOFORN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002441; classtype:policy-violation; sid:2002441; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (6)"; flow:established,to_client; file_data; content:"|94 ae 9f 55 3d 25 7f 7d|"; distance:4; within:8; classtype:trojan-activity; sid:2022143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002443; classtype:policy-violation; sid:2002443; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; content:!"User-Agent"; http_header; nocase; content:!"Accept"; http_header; nocase; content:!"Referer"; nocase; http_header; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; classtype:exploit-kit; sid:2021158; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret ORCON"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002444; classtype:policy-violation; sid:2002444; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHP/Mayhem Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:".php HTTP/1.0|0d 0a|"; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf; classtype:trojan-activity; sid:2022195; rev:2; metadata:created_at 2015_11_30, updated_at 2015_11_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Unclassified PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002446; classtype:policy-violation; sid:2002446; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.iBryte.B Install"; flow:to_server,established; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern:only; content:"event="; http_uri; content:"_id="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,1497c33eede2a81627c097aad762817f; classtype:trojan-activity; sid:2018194; rev:9; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002447; classtype:policy-violation; sid:2002447; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible CryptoWall encrypted download"; flow:to_client,established; file_data; byte_test:1,<,12,0; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; pcre:"/^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00/s"; classtype:trojan-activity; sid:2018788; rev:3; metadata:created_at 2014_07_28, updated_at 2014_07_28;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002448; classtype:policy-violation; sid:2002448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:exploit-kit; sid:2020638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002450; classtype:policy-violation; sid:2002450; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http [$EXTERNAL_NET,!208.85.44.0/24] $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (3)"; flow:established,to_client; file_data; content:"|dc 18 02|"; distance:4; within:3; pcre:"/^(?:\x62|\x1b)/R"; classtype:trojan-activity; sid:2022140; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret RD"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002451; classtype:policy-violation; sid:2002451; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US SAMI"; flow:to_server,established; content:"Subject|3A|"; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002453; classtype:policy-violation; sid:2002453; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED APT.Fexel Checkin"; flow:established,to_server; content:"agtid="; http_header; content:"08x"; http_client_body; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2019469; rev:6; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Confidential SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002454; classtype:policy-violation; sid:2002454; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M3"; flow:established,to_server; urilen:40<>65; content:"3"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])3(?:(?P=sep)|\d)*?$/U"; content:!"computerwoche.de|0d 0a|"; http_header; classtype:exploit-kit; sid:2020998; rev:5; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret SPECAT"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002455; classtype:policy-violation; sid:2002455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M4"; flow:established,to_server; urilen:40<>65; content:"4"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020999; rev:4; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP US Top Secret STOP"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002457; classtype:policy-violation; sid:2002457; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (4)"; flow:established,to_client; file_data; content:"|f4 ec 9a|"; distance:4; within:4; pcre:"/^(?:\x8b|\xf2)/R"; classtype:trojan-activity; sid:2022141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Private"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002458; classtype:policy-violation; sid:2002458; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (1)"; flow:established,to_client; file_data; content:"|01 d2 02 8b e7 98 09 18|"; distance:4; within:8; classtype:trojan-activity; sid:2022138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Restricted"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002459; classtype:policy-violation; sid:2002459; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:social-engineering; sid:2022577; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Top Secret"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002462; classtype:policy-violation; sid:2002462; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:3; metadata:created_at 2016_02_27, updated_at 2016_02_27;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sealed"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002463; classtype:policy-violation; sid:2002463; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_03_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002464; classtype:policy-violation; sid:2002464; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN - 302 Redirect"; flow:established,from_server; content:"Cookie|3a| Hello-friend="; http_raw_header; classtype:bad-unknown; sid:2011920; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Proprietary"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002465; classtype:policy-violation; sid:2002465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Protected"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002466; classtype:policy-violation; sid:2002466; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:3; metadata:created_at 2012_08_29, updated_at 2016_04_29;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Law Enorcement Sensitive"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002467; classtype:policy-violation; sid:2002467; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blizzard Downloader"; flow: established,to_server; content: "User-Agent|3a| Blizzard Downloader"; nocase; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002855; classtype:policy-violation; sid:2002855; rev:8; metadata:created_at 2010_07_30, updated_at 2016_04_29;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Internal Use Only"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002468; classtype:policy-violation; sid:2002468; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED String Replace in PDF File, Likely Hostile"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:".replace|28|"; nocase; reference:url,www.w3schools.com/jsref/jsref_replace.asp; classtype:bad-unknown; sid:2011504; rev:6; metadata:created_at 2010_09_27, updated_at 2016_05_03;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Date of Birth"; flow:to_server,established; content:"Subject|3A|"; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002469; classtype:policy-violation; sid:2002469; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; nocase; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:13; metadata:created_at 2010_09_23, updated_at 2016_05_04;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP HCPCS Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002470; classtype:policy-violation; sid:2002470; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED FedEX Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|FedEX_"; nocase; classtype:trojan-activity; sid:2011979; rev:3; metadata:created_at 2010_11_24, updated_at 2016_05_04;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ICD-10 Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002471; classtype:policy-violation; sid:2002471; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre SSL Cert venturesonsite.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|venturesonsite.com"; distance:1; within:19; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP FDA NDC Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002472; classtype:policy-violation; sid:2002472; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M0"; flow:established,to_server; urilen:40<>65; content:"0"; http_uri; offset:40; depth:15; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])0(?:(?P=sep)|\d)*?$/Ui"; classtype:exploit-kit; sid:2020995; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP ADA Procedure Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002473; classtype:policy-violation; sid:2002473; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M1"; flow:established,to_server; urilen:40<>65; content:"1"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])1(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020996; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP DSM-IV Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002474; classtype:policy-violation; sid:2002474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M2"; flow:established,to_server; urilen:40<>65; content:"2"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])2(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020997; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP AMA CPT Code"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002475; classtype:policy-violation; sid:2002475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M5"; flow:established,to_server; urilen:40<>65; content:"5"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])5(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021000; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit Card, JCB"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002477; classtype:policy-violation; sid:2002477; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M6"; flow:established,to_server; urilen:40<>65; content:"6"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])6(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021001; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Password"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002483; classtype:policy-violation; sid:2002483; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M7"; flow:established,to_server; urilen:40<>65; content:"7"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])7(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021002; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Appraisal"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002484; classtype:policy-violation; sid:2002484; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M8"; flow:established,to_server; urilen:40<>65; content:"8"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])8(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021003; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Account Balance"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002485; classtype:policy-violation; sid:2002485; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M9"; flow:established,to_server; urilen:40<>65; content:"9"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])9(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021004; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Payment History"; flow:to_server,established; content:"Subject|3A|"; content:"payment history"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002486; classtype:policy-violation; sid:2002486; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014830; rev:3; metadata:created_at 2012_05_30, updated_at 2016_06_10;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Annual Income"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002487; classtype:policy-violation; sid:2002487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL DELETED WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:8; metadata:created_at 2010_09_23, updated_at 2016_06_14;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Credit History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002488; classtype:policy-violation; sid:2002488; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zb-hb)"; flow:to_server,established; content:"zb-hb-"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+zb-hb-/Hi"; reference:url,doc.emergingthreats.net/2003223; classtype:trojan-activity; sid:2003223; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Transaction History"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002489; classtype:policy-violation; sid:2002489; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"ET DELETED SMTP Customer List"; flow:to_server,established; content:"Subject|3A|"; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002490; classtype:policy-violation; sid:2002490; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED SQLCheck Database Scan Detected"; flow:to_server,established; content:"%20FROM%20customers"; fast_pattern:only; content:"User-Agent|3a| Lynx/2.8.6rel.4 libwww-FM/2.14"; http_header; threshold: type threshold, track by_dst, count 10, seconds 20; reference:url,wiki.remote-exploit.org/backtrack/wiki/SQLcheck; reference:url,doc.emergingthreats.net/2009478; classtype:attempted-recon; sid:2009478; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002495; classtype:policy-violation; sid:2002495; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL DELETED IRC nick change"; flow:to_server,established; content:"NICK "; depth:5; fast_pattern; classtype:policy-violation; sid:2100542; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002496; classtype:policy-violation; sid:2002496; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019541; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002497; classtype:policy-violation; sid:2002497; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/^[^\r\n]*\/[0-9a-f]{78}\sHTTP/Ri"; reference:url,doc.emergingthreats.net/2007755; classtype:trojan-activity; sid:2007755; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002498; classtype:policy-violation; sid:2002498; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002499; classtype:policy-violation; sid:2002499; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M1"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021263; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002500; classtype:policy-violation; sid:2002500; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M2"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002501; classtype:policy-violation; sid:2002501; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M3"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002502; classtype:policy-violation; sid:2002502; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct T1"; flow:to_server,established; urilen:>14; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".html"; http_uri; fast_pattern; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.html$/U"; pcre:"/Host\x3a\x20(?=[0-9]{0,22}[a-z])(?=[a-z]*?[0-9][a-z]{0,22}[0-9])[a-z0-9]{23}\x2e[^\x2e\r\n]+\x2e[^\x2e\r\n]/H"; classtype:exploit-kit; sid:2021040; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002503; classtype:policy-violation; sid:2002503; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct Oct 26 2015"; flow:to_server,established; content:".php?option=com_"; http_uri; content:"&itemid="; http_uri; content:"&id="; http_uri; pcre:"/&id=\d+(?:\x3a(?:[a-z0-9]*?[A-Z])(?:[A-Z0-9]*?[a-z])[A-Za-z0-9]{10,}\.{0,2})?&catid=\d+&itemid=\d+$/U"; classtype:exploit-kit; sid:2021999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002504; classtype:policy-violation; sid:2002504; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002505; classtype:policy-violation; sid:2002505; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:"/pd.php?id="; http_uri; fast_pattern:only; pcre:"/\/pd\.php\?id=[a-f0-9]+$/U"; classtype:exploit-kit; sid:2017812; rev:5; metadata:created_at 2013_12_06, updated_at 2016_08_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002506; classtype:policy-violation; sid:2002506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:4; metadata:created_at 2011_07_06, updated_at 2016_08_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002507; classtype:policy-violation; sid:2002507; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002508; classtype:policy-violation; sid:2002508; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; depth:6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000340; classtype:policy-violation; sid:2000340; rev:11; metadata:created_at 2010_07_30, updated_at 2016_09_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002509; classtype:policy-violation; sid:2002509; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL DELETED eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002514; classtype:policy-violation; sid:2002514; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_06, updated_at 2016_09_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002515; classtype:policy-violation; sid:2002515; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019391; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002516; classtype:policy-violation; sid:2002516; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019392; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002519; classtype:policy-violation; sid:2002519; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019393; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002521; classtype:policy-violation; sid:2002521; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:command-and-control; sid:2019394; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002523; classtype:policy-violation; sid:2002523; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019390; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002524; classtype:policy-violation; sid:2002524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Potentially Malicious Traffic 1"; flow:established,to_server; content:"285d7b6cf94d8fdc657edaa73c2f07f3"; classtype:trojan-activity; sid:2023339; rev:3; metadata:created_at 2016_10_18, updated_at 2016_10_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002525; classtype:policy-violation; sid:2002525; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CryptoWall download from e-mail link March 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".zip"; http_uri; fast_pattern:only; content:".html"; http_header; pcre:"/\.zip$/U"; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[a-z0-9]{6}\/[a-z0-9]{5}\.html\r?$/Hm"; classtype:trojan-activity; sid:2020649; rev:3; metadata:created_at 2015_03_09, updated_at 2016_11_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002526; classtype:policy-violation; sid:2002526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:command-and-control; sid:2018415; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002704; classtype:policy-violation; sid:2002704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:" MyApp|0d 0a|"; http_header; fast_pattern:only; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001492; classtype:trojan-activity; sid:2001492; rev:39; metadata:created_at 2010_07_30, updated_at 2016_12_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002528; classtype:policy-violation; sid:2002528; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_12_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002530; classtype:policy-violation; sid:2002530; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002531; classtype:policy-violation; sid:2002531; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_12_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002532; classtype:policy-violation; sid:2002532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/upload"; nocase; http_uri; content:"file="; nocase; http_uri; content:"&id="; http_uri; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008352; classtype:trojan-activity; sid:2008352; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002534; classtype:policy-violation; sid:2002534; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"&param="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:4; metadata:created_at 2011_08_04, updated_at 2017_01_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002535; classtype:policy-violation; sid:2002535; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nemucod Downloader Oct 04"; flow:established,to_server; content:"/log.php?f="; http_uri; depth:11; fast_pattern; pcre:"/^\/log\.php\?f=[0-1](?:\.[a-z]+)?$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2023318; rev:3; metadata:created_at 2016_10_05, updated_at 2017_01_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002537; classtype:policy-violation; sid:2002537; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, tag dupe, updated_at 2017_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002538; classtype:policy-violation; sid:2002538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-9a-f]{2,4})(?P<sep>[\x2e\x2c\x3b\x3a])(?P<d>(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P<q>(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P<dot>(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; classtype:trojan-activity; sid:2016730; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002539; classtype:policy-violation; sid:2002539; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023881; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, tag Phishing, tag dupe, updated_at 2017_02_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002541; classtype:policy-violation; sid:2002541; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DustySky Checkin"; flow:established,to_server; urilen:10; content:"GET"; http_method; content:"/index.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"uvnc.com|0d 0a|"; http_header; nocase; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|Keep-Alive"; distance:0; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; content:!"Cookie|3a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021918; rev:7; metadata:created_at 2015_10_06, former_category TROJAN, updated_at 2017_03_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Private"; flow:to_server,established; pcre:"/\Wprivate\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002542; classtype:policy-violation; sid:2002542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow:to_server,established; content:"Content-Length|3a|"; nocase; content:"{"; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Length\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024094; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Restricted"; flow:to_server,established; pcre:"/(?<!//)\Wrestricted[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002543; classtype:policy-violation; sid:2002543; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M2"; flow:to_server,established; content:"Content-Length|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024095; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Confidential"; flow:to_server,established; pcre:"/(?<!//)\Wconfidential[^\w/]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002544; classtype:policy-violation; sid:2002544; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2"; flow:to_server,established; content:"Content-Disposition|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024097; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Top Secret"; flow:to_server,established; pcre:"/(?<!//)\Wtop\ssecret[^\w/a]/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002546; classtype:policy-violation; sid:2002546; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Banker.AAD CnC Communication"; flow:established,to_server; content:"filename=|22|C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; content:"Content-Type|3A| C|3A 5C|WINDOWS|5C|system32"; nocase; http_header; reference:md5,8556aec7ff96824e2da9d1b948ed7029; classtype:command-and-control; sid:2012300; rev:4; metadata:created_at 2011_02_07, former_category TROJAN, updated_at 2017_03_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sealed"; flow:to_server,established; pcre:"/\Wsealed\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002547; classtype:policy-violation; sid:2002547; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017179; rev:5; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Sensitive"; flow:to_server,established; pcre:"/(?<!law\senforcement)\Wsensitive\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002548; classtype:policy-violation; sid:2002548; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017180; rev:5; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Proprietary"; flow:to_server,established; pcre:"/\Wproprietary\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002549; classtype:policy-violation; sid:2002549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017267; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Protected"; flow:to_server,established; pcre:"/\Wprotected\W(?!/(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002550; classtype:policy-violation; sid:2002550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017268; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Law Enorcement Sensitive"; flow:to_server,established; pcre:"/\Wlaw\senforcement\ssensitive\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002551; classtype:policy-violation; sid:2002551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LoadMoney User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader 18.7|0d 0a|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022911; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category MALWARE, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Internal Use Only"; flow:to_server,established; pcre:"/\Winternal\suse\sonly\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002552; classtype:policy-violation; sid:2002552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Downloader.pgp Checkin"; flow:established,to_server; content:"?id="; http_uri; content:"&e="; http_uri; content:"&err="; http_uri;content:"&c="; http_uri; reference:url,doc.emergingthreats.net/2008492; classtype:trojan-activity; sid:2008492; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Date of Birth"; flow:to_server,established; pcre:"/[^\w&]d(ate)?(-)?o(f)?(-)?b(irth)?\W[\s\w,/-]*(?=([0-9]{2}[-/][0-9]{2}[-/][0-9]{2,4})|[0-9]{8})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002553; classtype:policy-violation; sid:2002553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cerber Bitcoin Address Check"; flow:to_server,established; content:"/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_="; http_uri; nocase; fast_pattern:20,20; content:!"Referer"; http_header; content:!"|0d 0a|Cookie|3a 20|"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; reference:url,www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/; classtype:trojan-activity; sid:2023676; rev:3; metadata:created_at 2016_12_20, former_category TROJAN, updated_at 2017_07_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - HCPCS Code"; flow:to_server,established; pcre:"/\Whcpcs\W[\s\w,/-]*(?=[a-z][0-9]{10})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002554; classtype:policy-violation; sid:2002554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023046; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ICD-10 Code"; flow:to_server,established; pcre:"/\Wicd\W[\s\w,/-]*(?=[a-z][0-9]{2}\.[0-9]{2})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002555; classtype:policy-violation; sid:2002555; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023181; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - FDA NDC Code"; flow:to_server,established; pcre:"/\Wndc\W[\s\w,/-]*(?=([0-9]{4}-[0-9]{4}-[0-9]{2}|[0-9]{5}-[0-9]{3}-[0-9]{2}|[0-9]{5}-[0-9]{4}-[0-9]{1,2}))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002556; classtype:policy-violation; sid:2002556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022036; rev:3; metadata:created_at 2015_11_04, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - ADA Procedure Code"; flow:to_server,established; pcre:"/\Wada\W[\s\w,/-]*(?=d[0-9]{4})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002557; classtype:policy-violation; sid:2002557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_09_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - DSM-IV Code"; flow:to_server,established; pcre:"/\Wdsm\W[\s\w,/-]*(?=([2-9][0-9]{2}(\.[0-9]{1,2}?)|(v[167][0-9]\.[0-9]{1,2})))/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002558; classtype:policy-violation; sid:2002558; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:3; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2017_09_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - AMA CPT Code"; flow:to_server,established; pcre:"/\Wcpt\W[\s\w,/-]*(?=[0-9]{4}[ft]|[0-9]{5})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002559; classtype:policy-violation; sid:2002559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method; flowbits:set,ET.2017-9798; threshold: type both, count 30, seconds 30, track by_src; classtype:misc-activity; sid:2024759; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, cve 2017_9798, deployment Perimeter, former_category WEB_SERVER, performance_impact Moderate, signature_severity Major, updated_at 2019_12_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit Card, JCB"; flow:to_server,established; pcre:"/\Wj(apan\s)?c(redit\s)?b(ureau)?\W[\s\w,/-]*(?=(3[12359][0-9]{14})|(1800|2131)[0-9]{11})/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002561; classtype:policy-violation; sid:2002561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cookie|3a| cid="; http_raw_header; pcre:"/^\d{4}\r$/RDm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:14; metadata:created_at 2012_02_07, former_category TROJAN, updated_at 2017_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Password"; flow:to_server,established; pcre:"/\W[p][a4@][sz5]{0,2}[w]([o0][r])?[d]\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002567; classtype:policy-violation; sid:2002567; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; classtype:attempted-user; sid:2002802; rev:9; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Appraisal"; flow:to_server,established; pcre:"/\Wappraisal(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002568; classtype:policy-violation; sid:2002568; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"user="; depth:5; nocase; http_client_body; fast_pattern; content:"&email_address="; nocase; http_client_body; distance:0; content:"&pass"; nocase; http_client_body; distance:0; content:"&captcha="; nocase; http_client_body; distance:0; content:"&submitbutton="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022084; rev:3; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Account Balance"; flow:to_server,established; pcre:"/\Waccount\sbalance(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002569; classtype:policy-violation; sid:2002569; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic 107 Phish Jul 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"-login.id-107sbtd9cbhsbt"; nocase; http_header; fast_pattern:4,20; pcre:"/^Host\x3a\x20[^\r\n]+\-login\.id\-107sbtd9cbhsbt[^\r]+$/Hmi"; classtype:credential-theft; sid:2024463; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Payment History"; flow:to_server,established; pcre:"/\Wpayment\shistory\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002570; classtype:policy-violation; sid:2002570; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful GoogleFile Phish"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; classtype:credential-theft; sid:2020803; rev:4; metadata:created_at 2015_03_30, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Annual Income"; flow:to_server,established; pcre:"/\Wannual\sincome(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002571; classtype:policy-violation; sid:2002571; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; classtype:credential-theft; sid:2022085; rev:3; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Credit History"; flow:to_server,established; pcre:"/\Wcredit\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002572; classtype:policy-violation; sid:2002572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:credential-theft; sid:2022094; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Transaction History"; flow:to_server,established; pcre:"/\Wtransaction\shistor(y|ies)\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002573; classtype:policy-violation; sid:2002573; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE Install Windows file download"; flow:established; content:"MZ"; isdataat:76,relative; content:"This program must be "; distance:0; isdataat:140,relative; content:"PE"; distance:0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; classtype:policy-violation; sid:2000427; rev:16; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP - Customer List"; flow:to_server,established; pcre:"/\Wcustomer\slist(s)?\W/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002574; classtype:policy-violation; sid:2002574; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download (2)"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; reference:url,doc.emergingthreats.net/2010869; classtype:policy-violation; sid:2010869; rev:5; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Restricted"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+RESTRICTED//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002575; classtype:policy-violation; sid:2002575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; content:"HTTP/1"; depth:6; content:"|0d 0a|Content-Type|3a| application/"; nocase; reference:url,doc.emergingthreats.net/2007670; classtype:not-suspicious; sid:2007670; rev:11; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Confidential"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+CONFIDENTIAL//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002576; classtype:policy-violation; sid:2002576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a a known malware domain (sektori. org)"; flow: to_server,established; content:"sektori.org|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014571; rev:7; metadata:created_at 2012_04_16, former_category TROJAN, updated_at 2018_01_02;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Top Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+TOP\sSECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002577; classtype:policy-violation; sid:2002577; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments4you. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|holidayapartments4you|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021645; rev:3; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - Non-US Secret"; flow:to_server,established; pcre:"///([A-Z]{3}\s)+(?<!TOP\s)SECRET//X5/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002578; classtype:policy-violation; sid:2002578; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (euro-rafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euro-rafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021646; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Restricted"; flow:to_server,established; pcre:"///((NATO\sRESTRICTED)|NR)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002579; classtype:policy-violation; sid:2002579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments-Paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|holidayapartments-Paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021647; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential Atomal"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL\sATOMAL)|NCA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002580; classtype:policy-violation; sid:2002580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (paris-holidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|paris-holidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021648; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Confidential"; flow:to_server,established; pcre:"///((NATO\sCONFIDENTIAL)|NC)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002581; classtype:policy-violation; sid:2002581; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (franceholidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|franceholidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021649; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO COSMIC Top Secret Atomal"; flow:to_server,established; pcre:"///((COSMIC\sTOP\sSECRET\sATOMAL)|CTSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002582; classtype:policy-violation; sid:2002582; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (apartmentsin-paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|apartmentsin-paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021650; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret Atomal"; flow:to_server,established; pcre:"///((NATO\sSECRET\sATOMAL)|NSA)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002583; classtype:policy-violation; sid:2002583; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingholiday.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|raftingholiday|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021651; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - NATO Secret"; flow:to_server,established; pcre:"///((NATO\sSECRET)|NS)//MR/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002584; classtype:policy-violation; sid:2002584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (eurorafting-tr.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|eurorafting-tr|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021652; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(CC)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002585; classtype:policy-violation; sid:2002585; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (turkeyextremerafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|turkeyextremerafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021653; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(TT)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002586; classtype:policy-violation; sid:2002586; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingtours-turkey.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|raftingtours-turkey|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021654; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Secret, Electronic"; flow:to_server,established; pcre:"/QQQQ\r\n(?=(O|P|R|Z)\r\n(SS)\r\n)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002587; classtype:policy-violation; sid:2002587; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021655; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential REL TO"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002588; classtype:policy-violation; sid:2002588; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazy-jump.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|crazy-jump|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021656; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret REL TO"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*REL\sTO\sUSA[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002589; classtype:policy-violation; sid:2002589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (dive-extreme.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dive-extreme|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021657; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified COMSEC"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002594; classtype:policy-violation; sid:2002594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021658; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential COMSEC"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002595; classtype:policy-violation; sid:2002595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021659; rev:3; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret COMSEC"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*COMSEC[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002596; classtype:policy-violation; sid:2002596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021660; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret CNWDI"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(CRITICAL\sNUCLEAR\sWEAPON\sDESIGN\sINFORMATION|CNWDI)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002599; classtype:policy-violation; sid:2002599; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021661; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret TK"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(TALENT\sKEYHOLE|TK)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002601; classtype:policy-violation; sid:2002601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (brazil-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|brazil-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021662; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FGI"; flow:to_server,established; pcre:"///FGI[\s\w,/-]*(?=//X5)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002603; classtype:policy-violation; sid:2002603; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021663; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US FOUO"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//(FOR\sOFFICIAL\sUSE\sONLY|FOUO)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002604; classtype:policy-violation; sid:2002604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021664; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential NOFORN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002605; classtype:policy-violation; sid:2002605; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021665; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret NOFORN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*NOFORN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002606; classtype:policy-violation; sid:2002606; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazyjump-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|crazyjump-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021666; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential ORCON"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002608; classtype:policy-violation; sid:2002608; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (stuntjumps.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|stuntjumps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021667; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret ORCON"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(ORIGINATOR\sCONTROLLED|ORCON)[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002609; classtype:policy-violation; sid:2002609; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021668; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Unclassified PROPIN"; flow:to_server,established; pcre:"/(UNCLASSIFIED|U)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002611; classtype:policy-violation; sid:2002611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|groupdive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021669; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential PROPIN"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002612; classtype:policy-violation; sid:2002612; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (au-skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|au-skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021670; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret PROPIN"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*PROPIN[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002613; classtype:policy-violation; sid:2002613; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021671; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential RD"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002615; classtype:policy-violation; sid:2002615; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (uruguay-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|uruguay-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021672; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret RD"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*(RESTRICTED\sDATA|RD)[\s\w,/-]*(?=//MR)/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002616; classtype:policy-violation; sid:2002616; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021673; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US SAMI"; flow:to_server,established; pcre:"/SAMI[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002618; classtype:policy-violation; sid:2002618; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021674; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Confidential SPECAT"; flow:to_server,established; pcre:"/(CONFIDENTIAL|C)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002619; classtype:policy-violation; sid:2002619; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (circlesofourlives-ir.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|circlesofourlives-ir|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021675; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret SPECAT"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*SPECAT[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/bin/view/Main/2002620; classtype:policy-violation; sid:2002620; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (clickflowers-hk.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|clickflowers-hk|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021676; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED High Ports - US Top Secret STOP"; flow:to_server,established; pcre:"/(TOP\sSECRET|TS)//[\s\w,/-]*STOP[\s\w,/-]*(?=//(25)?X[1-9])/ism"; reference:url,doc.emergingthreats.net/2002622; classtype:policy-violation; sid:2002622; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (cropcirclestours.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cropcirclestours|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021677; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $HOME_NET any -> [69.63.176.0/20,69.63.176.0/20,204.15.20.0/22] $HTTP_PORTS (msg:"ET DELETED facebook activity"; flow:established,to_server; threshold: type both, track by_dst, count 2, seconds 120; reference:url,compnetworking.about.com/od/traceipaddresses/f/facebook-ip-address.htm; reference:url,doc.emergingthreats.net/2010952; classtype:policy-violation; sid:2010952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (irelancropcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|irelancropcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021678; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; content:".txt"; nocase; http_uri; fast_pattern; content:"Pragma|3a| no-cache"; http_header; content:"User-Agent|3a| "; http_header; pcre:"/User-Agent\x3a \d{6}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2008664; classtype:trojan-activity; sid:2008664; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (ir-cool.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ir-cool|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021679; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Ping"; flow: to_server,established; content:"Host|3a| srv.peopleonpage.com"; nocase; http_header; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; classtype:policy-violation; sid:2001446; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (magnificentcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|magnificentcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021680; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:command-and-control; sid:2013805; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (china-flowershop.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|china-flowershop|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021681; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:command-and-control; sid:2013806; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (hongkong-bouquets.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|hongkong-bouquets|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021682; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (beautifuldaisies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|beautifuldaisies|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021683; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021684; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:4; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for Windows"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.tmp2"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014637; rev:3; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014640; rev:1; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category TROJAN, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013746; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013786; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_28, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; classtype:bad-unknown; sid:2013950; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2013975; rev:3; metadata:created_at 2011_12_01, former_category EXPLOIT_KIT, updated_at 2011_12_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:exploit-kit; sid:2014568; rev:3; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; http_uri; nocase; content:"input|3D|smb|3A 2F|"; http_uri; nocase; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; classtype:trojan-activity; sid:2014126; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_01_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014658; rev:1; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2012_04_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"replace|28 2F|"; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:exploit-kit; sid:2014098; rev:4; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc."; http_header; distance:0; fast_pattern; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?calc\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014237; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:command-and-control; sid:2013911; rev:9; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:"<applet"; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.com/files/112363; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, former_category ACTIVEX, updated_at 2012_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; content:"CLSID"; nocase; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; depth:8; content:"|20 28|qwe123"; classtype:trojan-activity; sid:2014368; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"/rclgx.php?id="; depth:14; http_uri; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:command-and-control; sid:2014719; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; content:"document.location="; depth:200; content:".php?"; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b\x20\x0a\x0d]/"; classtype:bad-unknown; sid:2014378; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:command-and-control; sid:2014720; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:command-and-control; sid:2014721; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:2; metadata:created_at 2012_05_08, updated_at 2012_05_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; content:"<applet"; content:"<param"; distance:0; content:"window.document"; distance:0; classtype:bad-unknown; sid:2014414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:command-and-control; sid:2014731; rev:2; metadata:created_at 2012_05_11, former_category MALWARE, updated_at 2012_05_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving DDoS Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving Download Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:4; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:pup-activity; sid:2014735; rev:3; metadata:created_at 2012_05_11, former_category ADWARE_PUP, updated_at 2012_05_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014749; rev:1; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:command-and-control; sid:2014760; rev:2; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for Loading prototype catch"; flow:established,from_server; content:">Loading..."; fast_pattern:only; content:").prototype."; content:"}catch("; within:10; classtype:trojan-activity; sid:2014540; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_19, updated_at 2012_05_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:pup-activity; sid:2014798; rev:2; metadata:created_at 2012_05_22, former_category ADWARE_PUP, updated_at 2012_05_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; content:"getElementById']('qwe')"; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2; metadata:created_at 2012_05_24, former_category CURRENT_EVENTS, updated_at 2012_05_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:command-and-control; sid:2014804; rev:6; metadata:created_at 2011_11_05, former_category MALWARE, updated_at 2011_11_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; within:12; classtype:trojan-activity; sid:2014921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:pup-activity; sid:2001489; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:pup-activity; sid:2001491; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:4; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:pup-activity; sid:2014810; rev:4; metadata:created_at 2012_05_25, former_category ADWARE_PUP, updated_at 2012_05_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:4; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7; metadata:created_at 2011_06_03, updated_at 2011_06_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:8; metadata:created_at 2010_07_30, updated_at 2016_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014641; rev:4; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET MALWARE Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; http_uri; pcre:"/\.txt$/U"; content:"User-Agent|3a| Download|0d 0a|"; http_header; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:command-and-control; sid:2014826; rev:5; metadata:created_at 2012_04_09, former_category MALWARE, updated_at 2012_04_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:5; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014852; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2012_06_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"<applet"; depth:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014176; rev:3; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:exploit-kit; sid:2014177; rev:5; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:2; metadata:created_at 2012_06_05, updated_at 2012_06_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET POLICY SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4; metadata:created_at 2012_06_08, updated_at 2012_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Security Reaserch WWEB Group|2c| LLC"; classtype:trojan-activity; sid:2014871; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; content:"<p>Your current User-Agent string appears to be from an automated process,"; classtype:trojan-activity; sid:2012692; rev:6; metadata:created_at 2011_04_19, updated_at 2011_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:command-and-control; sid:2014887; rev:2; metadata:created_at 2012_06_12, former_category MALWARE, updated_at 2012_06_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; nocase; content:"|00 01|"; distance:6; within:2; classtype:policy-violation; sid:2102450; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:pup-activity; sid:2003365; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:exploit-kit; sid:2014891; rev:1; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:exploit-kit; sid:2014892; rev:2; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:exploit-kit; sid:2014895; rev:2; metadata:created_at 2012_06_15, former_category CURRENT_EVENTS, updated_at 2012_06_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; dsize:>10; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:2; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free"; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_15, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:exploit-kit; sid:2014913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Possible BlackHole request with decryption Base"; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016931; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014824; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:exploit-kit; sid:2014922; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:exploit-kit; sid:2014923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, former_category CURRENT_EVENTS, updated_at 2012_06_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:exploit-kit; sid:2016984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_08, deployment Perimeter, former_category TROJAN, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017076; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:3; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1; metadata:created_at 2012_06_21, updated_at 2012_06_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017141; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:command-and-control; sid:2014135; rev:3; metadata:created_at 2012_01_19, former_category MALWARE, updated_at 2018_02_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rabio Spyware/Adware Initial Registration"; flow:established,to_server; content:"POST"; http_method; nocase; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:pup-activity; sid:2007820; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017265; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:9; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; classtype:trojan-activity; sid:2017346; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; http_header; fast_pattern:only; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017416; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017454; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,doc.emergingthreats.net/2010246; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010246; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:exploit-kit; sid:2017556; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole eval haha"; flow:established,from_server; content:"eval(haha"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2020604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&panic="; fast_pattern; http_client_body; content:"&input="; http_client_body; reference:url,doc.emergingthreats.net/2009287; classtype:command-and-control; sid:2009287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Landing Nov 17 2015"; flow:from_server,established; file_data; content:"|2e 73 74 79 6c 65 2e 6c 65 66 74 3d 3d 3d 22 22 29 7b 67 67 3d 22 67 65 74 41 22 3b 7d 71 71 3d 22 71 22 3b 67 67 2b 3d 22 74 74 72 69 22 3b 66 75 6e 63 74 69 6f 6e 20 63 78 7a 28 29|"; fast_pattern:17,20; classtype:exploit-kit; sid:2022113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; content:"|0d 0a 0d 0a|ne_unik"; classtype:command-and-control; sid:2014933; rev:3; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2012_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Status Messages"; flow:established,to_server; content:".php?context="; fast_pattern; http_uri; content:"&status="; http_uri; distance:0; content:"&sesid="; http_uri; distance:0; content:"&iid="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022808; rev:3; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M1"; flow:established,to_server; content:".php?a="; fast_pattern; http_uri; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022809; rev:3; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5; metadata:created_at 2011_04_04, former_category CURRENT_EVENTS, updated_at 2011_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M2"; flow:established,to_server; content:"/?f="; depth:4; http_uri; fast_pattern; content:"&a="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022810; rev:3; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021421; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:exploit-kit; sid:2023187; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2018_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:6; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; reference:cve,CVE-2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2011_01_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category WEB_CLIENT, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2018_04_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:command-and-control; sid:2014955; rev:2; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP"; flow:to_server,established; content:".asp?device_t="; http_uri; content:"&key="; http_uri; content:"&device_id="; http_uri; content:"&cv="; http_uri; threshold: type both, track by_src, count 1, seconds 120; reference:md5,e4a4e2a3b3adaf3a31e34cd2844a3374; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none; classtype:trojan-activity; sid:2016430; rev:5; metadata:created_at 2012_04_18, former_category TROJAN, updated_at 2018_05_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:command-and-control; sid:2014956; rev:1; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:command-and-control; sid:2015581; rev:3; metadata:created_at 2012_08_07, former_category TROJAN, updated_at 2018_05_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024868; rev:3; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2018_05_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019761; rev:5; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019762; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:exploit-kit; sid:2019763; rev:9; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:command-and-control; sid:2014961; rev:2; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:exploit-kit; sid:2019908; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020320; rev:6; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.msn .com)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020321; rev:5; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.live .com)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2020388; rev:9; metadata:created_at 2015_02_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?)*?\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021587; rev:6; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021588; rev:4; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M3 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"ZWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021589; rev:6; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:18; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; classtype:exploit-kit; sid:2021590; rev:7; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:exploit-kit; sid:2021694; rev:6; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Oct 19 2015"; flow:established,from_server; file_data; content:!".swf"; content:"<html>"; pcre:"/^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?<\/script>/Rs"; content:"value=|22|#ffffff|22|"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021969; rev:4; metadata:created_at 2015_10_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025040; rev:4; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:5; metadata:created_at 2012_06_14, updated_at 2012_06_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Host\x3a\x20(?P<host>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?Referer\x3a\x20http\x3a\x2f\x2f(?P=host)\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025041; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; content:"|0d 0a 0d 0a|SZDD"; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025042; rev:4; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing May 31 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025043; rev:3; metadata:created_at 2016_05_31, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015018; rev:2; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:"<html>"; pcre:"/^\s*?<body>(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P<var1>[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025044; rev:3; metadata:created_at 2016_06_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:command-and-control; sid:2015022; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025045; rev:3; metadata:created_at 2016_06_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:6; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"<script>"; within:500; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>\s*<object(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025046; rev:3; metadata:created_at 2016_06_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushbot server response"; flow:to_client,established; content:"|0d 0a 0d 0a|ZG%|20|!GX"; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; content:"  <param"; distance:0; pcre:"/^[^>]*name\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025047; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1; metadata:created_at 2012_07_04, former_category CURRENT_EVENTS, updated_at 2012_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer)"; flow:established,from_server; flowbits:isset,Neutrino.URI.Primer; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; content:"bgcolor"; nocase; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025048; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015010; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|62 5f 39 34 38 38 33 66 36 34 35 33 31 65 65 37 62 31 37 61 37 33 62 38 32 33 66 5f 63 31 61 36 63 63 36 36 37 65|"; fast_pattern; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025049; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|3c 68 31 3e 62 6c 61 63 6b 62 6f 78 3c 2f 68 31 3e|"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/[^\x22\x27]*\.html\.swf[\x22\x27]/R"; content:".html.swf"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025051; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025052; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:exploit-kit; sid:2015042; rev:2; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025053; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Monkif CnC response in fake JPEG"; flow:established,from_server; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:command-and-control; sid:2012507; rev:5; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025054; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:pup-activity; sid:2008840; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M4"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:pup-activity; sid:2008839; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M5"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025056; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M6"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025057; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M7"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025058; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M8"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2016551; rev:9; metadata:created_at 2013_03_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:exploit-kit; sid:2016562; rev:8; metadata:created_at 2013_03_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016753; rev:11; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016756; rev:7; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014750; rev:2; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016853; rev:16; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016868; rev:15; metadata:created_at 2013_05_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015287; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2016975; rev:4; metadata:created_at 2013_06_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015288; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017104; rev:5; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015289; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017266; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015290; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017491; rev:6; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015291; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017492; rev:5; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015292; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017493; rev:5; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015293; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017593; rev:8; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015294; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017594; rev:9; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015295; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017595; rev:10; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015296; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017596; rev:4; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015297; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017597; rev:4; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015298; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017652; rev:9; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015299; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; reference:url,pastebin.com/194D8UuK; classtype:exploit-kit; sid:2017653; rev:15; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015300; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:exploit-kit; sid:2017661; rev:4; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015301; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:exploit-kit; sid:2017824; rev:4; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015302; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET DELETED Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:exploit-kit; sid:2017958; rev:3; metadata:created_at 2014_01_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015303; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017971; rev:11; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015304; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2021752; rev:14; metadata:created_at 2015_09_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015305; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015306; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:exploit-kit; sid:2017569; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015307; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017571; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015308; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017630; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015309; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017695; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015310; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017703; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015311; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:exploit-kit; sid:2017729; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015312; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2017732; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015313; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; classtype:exploit-kit; sid:2017809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015314; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015315; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017902; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015316; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:exploit-kit; sid:2017904; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015317; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:exploit-kit; sid:2017953; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015318; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:exploit-kit; sid:2017954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015319; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:exploit-kit; sid:2017955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015320; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:exploit-kit; sid:2017956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015321; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017984; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015322; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017985; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015323; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015324; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015325; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:exploit-kit; sid:2018171; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015326; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:exploit-kit; sid:2018346; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015327; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015328; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit 2"; flow:established,from_server; file_data; content:"PK"; within:2; content:"fotosaster.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2018498; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015329; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018509; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015330; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018510; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015331; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018511; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category TROJAN, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015332; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:exploit-kit; sid:2018950; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015333; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode IE"; flow:established,from_server; file_data; content:"|f1 f4 c2 a2 8b 34 6e 68|"; within:8; classtype:exploit-kit; sid:2018954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015334; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Silverlight"; flow:established,from_server; file_data; content:"|f1 fc f4 ff 87 6a 66 67|"; within:8; classtype:exploit-kit; sid:2018955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015335; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Flash"; flow:established,from_server; file_data; content:"|e7 c4 a6 c1 9d 79 53 59|"; within:8; classtype:exploit-kit; sid:2018956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015336; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Java"; flow:established,from_server; file_data; content:"|d6 e2 ff c3 a1 75 39 68|"; within:8; classtype:exploit-kit; sid:2018957; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015337; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; classtype:exploit-kit; sid:2019224; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015338; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:exploit-kit; sid:2019488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015339; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Oct 22 2014"; flow:established,from_server; file_data; content:".join(|22 22|)|3b 3b|"; pcre:"/^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+/Rs"; classtype:exploit-kit; sid:2019489; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015340; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Flash Exploit URI Struct"; flow:established,to_server; urilen:65; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019513; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015341; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Java Exploit URI Struct"; flow:established,to_server; urilen:65; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019514; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015342; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015343; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (2)"; flow:established,to_client; file_data; content:"|69 b8 3c 09 08 6c b1 4c|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019968; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015344; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (3)"; flow:established,to_client; file_data; content:"|28 46 c5 83 df ef a3 2a|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019969; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015345; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019992; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015346; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019993; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015347; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Dec 24 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2039 "; http_header; fast_pattern:12,20; classtype:exploit-kit; sid:2020068; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015348; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015349; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (7)"; flow:established,to_client; file_data; content:"|04 6e 76 82 2e 2c 2c 48|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015350; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015351; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015352; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:exploit-kit; sid:2020234; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015353; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; classtype:exploit-kit; sid:2020355; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015354; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; classtype:exploit-kit; sid:2020356; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015355; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Elinor"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020365; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015356; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020366; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015357; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; classtype:exploit-kit; sid:2020367; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015358; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015359; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:exploit-kit; sid:2020496; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015360; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (12)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020591; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015361; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (13)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020592; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015362; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (14)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015363; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (15)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020594; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015364; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015365; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (17)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020596; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015366; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (18)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020597; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015367; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (19)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015368; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (20)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020599; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015369; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (21)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020600; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015370; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015371; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015372; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021126; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015373; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021127; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015374; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:exploit-kit; sid:2021157; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015375; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021248; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015376; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021266; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015377; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021267; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015378; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021269; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015379; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; classtype:exploit-kit; sid:2021270; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015380; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021271; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015381; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16) M2"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021280; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015382; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11) M2"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021281; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015383; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; classtype:exploit-kit; sid:2021360; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015384; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (27)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:1424; within:8; classtype:exploit-kit; sid:2021361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015385; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; classtype:exploit-kit; sid:2021509; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015386; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:exploit-kit; sid:2021510; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015387; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:exploit-kit; sid:2021840; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015388; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|d8 57 45 e6 17 f8 ec bb|"; distance:4; within:8; classtype:exploit-kit; sid:2021970; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015389; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (2)"; flow:established,to_client; file_data; content:"|d5 88 7d dc 8a 95 4b be|"; distance:4; within:8; classtype:exploit-kit; sid:2021971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015390; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; classtype:exploit-kit; sid:2021972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015391; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; classtype:exploit-kit; sid:2021973; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015392; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (5)"; flow:established,to_client; file_data; content:"|91 29 83 25 66 1e be fb|"; distance:4; within:8; classtype:exploit-kit; sid:2021989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015393; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (6)"; flow:established,to_client; file_data; content:"|57 05 11 53 6c d2 02 f9|"; distance:4; within:8; classtype:exploit-kit; sid:2021990; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015394; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_09, deployment Datacenter, former_category TROJAN, signature_severity Major, tag Wordpress, updated_at 2018_07_18;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015395; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET DELETED Zeus P2P CnC"; dsize:72; content:!"|00 00 00|"; offset:5; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:command-and-control; sid:2013739; rev:16; metadata:created_at 2011_10_05, former_category TROJAN, updated_at 2018_07_24;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015396; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; http_header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; file_data; content:"name:location.hostname,init:function()"; nocase; within:300; content:"document.body.appendChild(UserData.userData)"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:".setAttribute(|22|type|22|,|22|application/x-shockwave-flash|22|)"; nocase; distance:0; content:".test(navigator.userAgent)?function"; nocase; distance:0; content:"map([|22|ShockwaveFlash.ShockwaveFlash|22|,|22|AcroPDF.PDF|22|,|22|PDF.PdfCtrl|22|,|22|QuickTime.QuickTime|22|,|22|RealPlayer|22|,|22|SWCtl.SWCtl|22|,|22|WMPlayer.OCX|22|,|22|AgControl.AgControl|22|,|22|Skype.Detection|22|]"; nocase; fast_pattern; classtype:exploit-kit; sid:2025915; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_09_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015397; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED IP Check Domain (showmyipaddress.com in HTTP Host)"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:3; metadata:created_at 2011_04_18, former_category POLICY, updated_at 2018_07_31;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015398; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:command-and-control; sid:2021117; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag c2, updated_at 2018_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015399; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delphi APT28 Zebrocy/Zekapab Reporting to CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?res="; http_uri; content:"data="; http_client_body; depth:5; content:"%0D%0AHost%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0AOS%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0ARegistered%20Owner|3a|%20%20%20"; http_client_body; distance:0; fast_pattern; content:"%0D%0AOriginal%20Install%20Date|3a|%20%20%20"; http_client_body; distance:0; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026682; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category TROJAN, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2018_11_30;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015400; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CozyDuke APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020962; rev:4; metadata:created_at 2015_04_22, former_category TROJAN, updated_at 2018_12_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015401; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2019_04_03;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015402; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Yahoo CD Player ActiveX Open Stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YoPlayer.YoPlyCd.1"; nocase; distance:0; content:"open"; nocase; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010946; classtype:attempted-user; sid:2010946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015403; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; content:"3AFFD7F7-FD3D-4C9D-8F83-03296A1A8840"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011723; classtype:attempted-user; sid:2011723; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015404; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Webmoney Advisor ActiveX Control DoS Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TOOLBAR3Lib.ToolbarObj"; nocase; distance:0; content:"Redirect"; nocase; reference:url,exploit-db.com/exploits/12431; reference:url,doc.emergingthreats.net/2011724; classtype:attempted-user; sid:2011724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag ActiveX, updated_at 2019_04_15;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015405; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL DELETED BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:9; metadata:created_at 2010_09_23, former_category MISC, updated_at 2019_05_21;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015406; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL DELETED MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:13; metadata:created_at 2010_09_23, former_category CHAT, updated_at 2019_05_21;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015407; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; classtype:trojan-activity; sid:2024650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Significant, signature_severity Major, updated_at 2019_05_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015408; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET DELETED Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; sid:2027890; rev:2; metadata:created_at 2019_08_15, former_category SNMP, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015409; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/exploit.php?id="; http_uri; nocase; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; classtype:misc-activity; sid:2009586; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015410; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; content:"/nte/"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; classtype:exploit-kit; sid:2010871; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015411; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (agtray)"; flow: to_server,established; content:"/pr/agtray.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000569; classtype:policy-violation; sid:2000569; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015412; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (autray)"; flow: to_server,established; content:"/pr/autray.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000570; classtype:policy-violation; sid:2000570; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015457; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> 76.74.9.19 $HTTP_PORTS (msg:"ET DELETED Packetstormsecurity Exploits Of The Month Download"; content:"GET /"; content:"-exploits.tgz"; http_uri; depth:70; flow:to_server,established; reference:url,www.packetstormsecurity.org; reference:url,doc.emergingthreats.net/2008525; classtype:misc-activity; sid:2008525; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015456; rev:2; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible PHP-Calendar configfile Remote .PHP File Inclusion Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/php-calendar-1.1/update"; http_uri; nocase; content:"configfile="; http_uri; nocase; content:".php"; nocase; pcre:"/\x2Fphp-calendar-1.1\x2Fupdate(08|10)\x2Ephp(\x3F|.*(\x26|\x3B))configfile=[^\x26\x3B]*[^a-zA-Z0-9_]/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023375.html; reference:cve,2009-3702; reference:url,doc.emergingthreats.net/2010531; classtype:web-application-attack; sid:2010531; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015413; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED TxtBlog index.php m Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?m="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32498; reference:url,milw0rm.com/exploits/7241; reference:url,doc.emergingthreats.net/2008923; classtype:web-application-attack; sid:2008923; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015455; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior crea.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"crea.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008825; classtype:web-application-attack; sid:2008825; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015414; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Activity"; flow:to_server,established; content:"/banman/banman.asp?ZoneID="; http_uri; nocase; content:"&Task="; http_uri; nocase; content:"&X="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; classtype:trojan-activity; sid:2003170; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015454; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Start"; flow: to_server,established; content:"/pm/start.asp"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; classtype:policy-violation; sid:2000906; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015453; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Data Submission"; flow: to_server,established; content:"/backoffice.net/stats/Add.aspx"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; classtype:policy-violation; sid:2000598; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015452; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Altnet PeerPoints Manager Settings Download"; flow: to_server,established; content:"/pointsmanager/settings.cab?"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; classtype:policy-violation; sid:2000907; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015415; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Advertising.com Reporting Data"; flow: to_server,established; uricontent:"/site="; uricontent:"/mnum="; uricontent:"/bins="; uricontent:"/rich="; uricontent:"/logs="; uricontent:"/betr="; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; classtype:policy-violation; sid:2002304; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015416; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Evidencenuker.com Fake AV Updating"; flow:established,to_server; content:"/products/evidencenuker/update.php?version="; http_uri; nocase; reference:url,www.evidencenuker.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; classtype:trojan-activity; sid:2003568; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015451; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to_server; content:"/popsetarray.php?&country="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; classtype:trojan-activity; sid:2002094; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015417; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Pacimedia Spyware 2"; flow: to_server,established; content:"/xml/check.php?"; http_uri; nocase; content:"u="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; classtype:policy-violation; sid:2002194; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015418; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; content:"/progs_traff/"; http_uri; nocase; reference:url,research.sunbelt-software.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; classtype:trojan-activity; sid:2003034; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015450; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; http_uri; nocase; content:"?ZipCode="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; classtype:trojan-activity; sid:2003423; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015419; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED YourSiteBar Data Submision"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?version="; http_uri; nocase; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; classtype:trojan-activity; sid:2001698; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015420; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Crewbox Proxy Scan"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"crewbox.by.ru/crew/"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003156; classtype:attempted-recon; sid:2003156; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015449; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP remote file include exploit attempt"; flow: to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; reference:url,doc.emergingthreats.net/2001810; classtype:attempted-admin; sid:2001810; rev:29; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015421; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED PacketShaper DoS attempt"; flow:to_server,established; content:"/rpttop.htm"; http_uri; pcre:"/MEAS\.TYPE=(?!(link|class)&)/U"; reference:url,doc.emergingthreats.net/2004449; classtype:denial-of-service; sid:2004449; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015422; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; content:"/WebID/IISWebAgentIF.dll"; http_uri; content:"?Redirect?"; http_uri; nocase; pcre:"/url=.{8000}/iU"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; reference:url,doc.emergingthreats.net/2002660; reference:url,doc.emergingthreats.net/2002660; classtype:web-application-activity; sid:2002660; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015423; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; content:"/Inst_58s6.exe"; http_uri; nocase; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; classtype:trojan-activity; sid:2010339; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015448; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Adobe Exploited Check-In"; flow:established,to_server; content:"GET "; nocase; depth:4; content:".php?&&reader_version="; http_uri; nocase; reference:url,doc.emergingthreats.net/2011715; classtype:trojan-activity; sid:2011715; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015447; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/installer/InstallerClean.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010053; classtype:trojan-activity; sid:2010053; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015446; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/softwarefortubeview.40009.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010058; classtype:trojan-activity; sid:2010058; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015445; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/Soft_21.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010060; classtype:trojan-activity; sid:2010060; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015424; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; content:"/ssp/files/annonce.pdf"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010444; classtype:bad-unknown; sid:2010444; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015425; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; content:"/ssp/loadjavad.php"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010446; classtype:bad-unknown; sid:2010446; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015444; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; content:"/download/IAInstall.exe"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010447; classtype:bad-unknown; sid:2010447; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015426; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; content:"/globaldirectory/updatetool.exe"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010448; classtype:bad-unknown; sid:2010448; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015427; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; content:"/fkzd/2.htm"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010449; classtype:bad-unknown; sid:2010449; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015443; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (annonce.pdf)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/ssp/files/annonce.pdf"; http_uri; nocase; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010532; classtype:trojan-activity; sid:2010532; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain";  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015442; rev:2; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl.com - potential oficla download (loadjavad.php)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/ssp/loadjavad.php"; http_uri; nocase; pcre:"/\/ssp\/loadjavad\.php$/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010534; classtype:trojan-activity; sid:2010534; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015428; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/wywg/"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; classtype:trojan-activity; sid:2010716; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015441; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Executable requested from /wp-content/languages"; flow:established,to_server; content:"/wp-content/languages/"; http_uri; nocase; content:".exe"; http_uri; nocase; reference:url,www.malewareurl.com; reference:url,doc.emergingthreats.net/2011220; classtype:trojan-activity; sid:2011220; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015429; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av-i386-daily.zip)"; flow:established,to_server; content:"av_base/av-i386-daily.zip"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010565; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010568; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015430; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/pay.php)"; flow:established,to_server; content:"av_base/pay.php"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010566; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; classtype:trojan-activity; sid:2010566; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015440; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot update (av_base/ip.php)"; flow:established,to_server; content:"av_base/ip.php"; http_uri; nocase; reference:md5,06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; classtype:trojan-activity; sid:2010567; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015431; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; content:"/i1000000.gif"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011760; classtype:bad-unknown; sid:2011760; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015432; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; content:"/xml/p.php?id="; http_uri; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; classtype:trojan-activity; sid:2010551; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015433; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malvertising drive by kit collecting browser info"; flow:established,to_server; content:"/plugins.php?p=appName"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011224; classtype:bad-unknown; sid:2011224; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015434; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING client requesting drive by - /x/?src="; flow:established,to_server; content:"/x/?src="; http_uri; nocase; content:"&o=o"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011230; classtype:bad-unknown; sid:2011230; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015439; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; http_uri; nocase; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015435; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; content:"ts/in.cgi?pepsi"; http_uri; nocase; pcre:"/ts\/in\.cgi\?pepsi\d+/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; classtype:bad-unknown; sid:2010222; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015436; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/include/admin/device_admin.php?"; http_uri; nocase; content:"cs_base_path="; http_uri; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; classtype:web-application-attack; sid:2011556; rev:2; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015437; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (action url reported)"; flow: to_server,established; content:"/actionurls/ActionUrl"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; classtype:trojan-activity; sid:2001399; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015438; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (tracked event reported)"; flow: to_server,established; content:"/TrackedEvent.aspx?"; http_uri; nocase; content:"eid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; classtype:trojan-activity; sid:2001397; rev:13; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"nacha.org."; nocase; content:".exe"; http_uri; nocase; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; classtype:trojan-activity; sid:2010342; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8; metadata:created_at 2011_05_18, former_category MALWARE, updated_at 2011_05_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/us01d/in.php"; http_uri; nocase; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; classtype:trojan-activity; sid:2010729; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015462; rev:2; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot Request to CnC"; flow:established,to_server; content:".bin"; http_uri; content:"GET"; depth:3; http_method; content:".bin HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; content:!"|0d 0a|Referer|3a|"; nocase; reference:url,doc.emergingthreats.net/2010861; classtype:command-and-control; sid:2010861; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015244; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Buzus Posting Data"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/fdsupdate"; http_uri; nocase; content:"|0d 0a 0d 0a|PUTF"; reference:url,doc.emergingthreats.net/2010064; classtype:trojan-activity; sid:2010064; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015463; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pinkslipbot Trojan Downloader"; flow:to_server,established; content:"/jl/jloader.pl?u="; http_uri; nocase; content:"&it=2"; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&n="; nocase; http_uri; pcre:"/\x26n\x3d[a-z]{5}\d{4}/U"; reference:url,doc.emergingthreats.net/2010742; classtype:trojan-activity; sid:2010742; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL DELETED story.pl access"; flow:to_server,established; content:"/story.pl"; http_uri; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:2101869; rev:7; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; http_uri; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101740; rev:7; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED DNSTools administrator authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; http_uri; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:2101739; rev:8; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED SGI InfoSearch fname access"; flow:to_server,established; content:"/infosrch.cgi"; http_uri; reference:arachnids,290; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:2101727; rev:9; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:3; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"name="; http_uri; nocase; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2001621; classtype:web-application-attack; sid:2001621; rev:36; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015087; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; content:"/www.metareward.com/mailimg/disclaimer/"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015088; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; content:"/script.php?"; http_uri; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015089; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; content:"/access.php?"; http_uri; nocase; content:"w="; http_uri; nocase; content:"&a="; http_uri; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015090; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Referer|3a| "; content:"search?"; nocase; within:50; content:"q="; nocase; within:100; content:".com"; http_uri; nocase; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; reference:url,doc.emergingthreats.net/2011066; classtype:trojan-activity; sid:2011066; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015091; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:4; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015092; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/jmx-console/HtmlAdaptor"; http_uri; nocase; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015094; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; http_uri; nocase; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015095; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware Reporting"; flow: to_server,established; content:"/showme.aspx?"; http_uri; nocase; content:"partner_id="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:13; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015096; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adwave Agent Access"; flow: to_server,established; content:"/search_404.aspx?aff="; http_uri; nocase; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015097; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015098; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015099; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015100; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015101; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015102; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; content:"/wp-trackback.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015103; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015104; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015105; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015106; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015107; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015108; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; content:"/nukesentinel.php?"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015109; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 1"; flow:to_server,established; content:"/posting.php"; http_uri; content:"color="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009679; classtype:web-application-attack; sid:2009679; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015110; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 2"; flow:to_server,established; content:"/posting.php"; http_uri; content:"size="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009680; classtype:web-application-attack; sid:2009680; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015111; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 3"; flow:to_server,established; content:"/posting.php"; http_uri; content:"color="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009681; classtype:web-application-attack; sid:2009681; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015112; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 4"; flow:to_server,established; content:"/posting.php"; http_uri; content:"size="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009682; classtype:web-application-attack; sid:2009682; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015113; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 5"; flow:to_server,established; content:"/posting.php"; http_uri; content:"color="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009683; classtype:web-application-attack; sid:2009683; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015114; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 6"; flow:to_server,established; content:"/posting.php"; http_uri; content:"size="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009684; classtype:web-application-attack; sid:2009684; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015115; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mindset Interactive Ad Retrieval"; flow: to_server,established; content:"/mindset5"; http_uri; nocase; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; classtype:trojan-activity; sid:2000594; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015116; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; content:"/error.php?"; http_uri; nocase; content:"err="; http_uri; nocase; content:"_SERVER[REMOTE_ADDR]="; http_uri; nocase; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; classtype:web-application-attack; sid:2002703; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015117; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (bug ie0604)"; flow:established,to_server; content:"ie0604.cgi?bug="; http_uri; nocase; reference:url,doc.emergingthreats.net/2002871; classtype:web-application-attack; sid:2002871; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015118; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit1 ie0601)"; flow:established,to_server; content:"ie0601.cgi?exploit"; http_uri; nocase; reference:url,doc.emergingthreats.net/2002869; classtype:web-application-attack; sid:2002869; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015119; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (ie0606)"; flow:established,to_server; content:"ie0606.cgi?"; http_uri; nocase; reference:url,doc.emergingthreats.net/2002937; classtype:web-application-attack; sid:2002937; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015120; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker RootLauncher"; flow:established,to_server; content:"rleadmin.cgi?getexe="; http_uri; nocase; reference:url,doc.emergingthreats.net/2003063; classtype:web-application-attack; sid:2003063; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015121; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit ie0604)"; flow:established,to_server; content:"ie0604.cgi?exploit"; http_uri; nocase; reference:url,doc.emergingthreats.net/2002870; classtype:web-application-attack; sid:2002870; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015122; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.U Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"cnt="; http_uri; nocase; content:"&scn="; http_uri; nocase; content:"&inf="; http_uri; nocase; content:"&ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; reference:url,doc.emergingthreats.net/2003070; classtype:trojan-activity; sid:2003070; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015123; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Post"; flow:to_server,established; content:"/te.aspx?ver="; http_uri; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; classtype:trojan-activity; sid:2007607; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015124; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.P Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"?cnt="; http_uri; nocase; content:"?scn="; http_uri; nocase; content:"?inf="; http_uri; nocase; content:"?ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2008192; classtype:trojan-activity; sid:2008192; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015125; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/Setup_"; http_uri; nocase; content:".exe"; http_uri; nocase; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; classtype:trojan-activity; sid:2010867; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015126; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/codec/197.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015127; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Unknown Malware Download Attempt"; flow:established,to_server; content:"/installer/Installer"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010796; classtype:bad-unknown; sid:2010796; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015128; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Psyb0t Code Download"; flow:established,to_server; content:"/udhcpc.env"; http_uri; nocase; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; classtype:trojan-activity; sid:2009170; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015129; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET "; depth:4; content:"/werber/"; http_uri; nocase; content:"/217.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; classtype:trojan-activity; sid:2010232; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015130; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET "; depth:4; content:"/item/"; http_uri; nocase; content:"/titem.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; classtype:trojan-activity; sid:2010233; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015131; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; content:"trest1"; http_uri; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015132; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (5-12 Byte keyword)"; flow:to_server,established; dsize:<900; content:"|00 00|"; offset:7; depth:9; content:"|00 00 78 9C|"; distance:2; within:4; pcre:"/^[a-z0-9\x40\x2d\x5f]{5,12}..\x00\x00..\x00\x00\x78\x9c/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2015624; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_23, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015133; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023771; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015134; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:credential-theft; sid:2023772; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015135; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023773; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015136; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015137; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024011; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015138; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015139; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015140; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024014; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015141; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Adobe Online Phish Aug 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"=sent"; nocase; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; pcre:"/=sent$/Ui"; classtype:credential-theft; sid:2024559; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015142; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; classtype:credential-theft; sid:2021892; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015143; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful BBVA Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"cuenta="; depth:7; nocase; http_client_body; fast_pattern; content:"&cuenta="; nocase; distance:0; http_client_body; content:"&nvoWizard="; nocase; distance:0; http_client_body; content:"&domain="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024372; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015144; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; classtype:credential-theft; sid:2024542; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015145; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Paypal Phish M1 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&rememberProfile="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&showTryPasswordlessButton="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024544; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015146; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Bitstamp Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://www.bitstamp.net"; http_header; classtype:credential-theft; sid:2024639; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015147; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Dropbox Phish (Locky) Sep 01 2017"; flow:to_server,established; content:"POST"; http_method; content:"is_xhr="; depth:7; nocase; http_client_body; content:"current_email"; nocase; distance:0; http_client_body; content:"&email_sig="; nocase; distance:0; http_client_body; content:"&login_sd="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&remember_me="; nocase; distance:0; http_client_body; content:"&specter_login_tm="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024657; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015148; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023758; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015149; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024032; rev:3; metadata:created_at 2017_03_06, former_category PHISHING, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015150; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024050; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015151; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024102; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015152; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024103; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015153; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert</title>"; fast_pattern:7,20; nocase; content:"<script type=|22|text/javascript|22 20|src=|22|/alert.php?h="; nocase; distance:0; classtype:credential-theft; sid:2024266; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015154; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024267; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015155; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M3 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/javascript"; http_header; content:"alert="; http_cookie; file_data; content:"navigator.languages"; nocase; content:"Your computer is infected"; nocase; distance:0; fast_pattern:5,20; content:"navegador contiene malware"; nocase; distance:0; content:"navigateur contient MALWARE"; nocase; distance:0; content:"&subid=alertyes"; nocase; distance:0; classtype:credential-theft; sid:2024268; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015156; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M4 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/tds.php?h="; depth:11; http_uri; fast_pattern; nocase; content:"&subid=alert"; nocase; distance:32; within:12; http_uri; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024269; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015157; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:9; metadata:created_at 2013_05_24, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015158; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:3; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015159; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:5; metadata:created_at 2013_04_23, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015160; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:7; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015162; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:3; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015163; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:3; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015164; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"risp"; http_user_agent; depth:4; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:4; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015165; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:3; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015166; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015167; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015168; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2019_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015169; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016663; rev:3; metadata:created_at 2013_03_26, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015170; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:3; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015171; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:3; metadata:created_at 2014_03_28, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015172; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021755; rev:3; metadata:created_at 2015_09_09, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015173; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase; pcre:!"/#http:\/\/cert.*coinhive/i"; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015174; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:exploit-kit; sid:2016192; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015175; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015176; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015177; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015178; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Captcha Malware C2 SSL Certificate"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|Mojolicious"; distance:1; within:17; content:"|55 04 0a|"; distance:0; content:"|0b|Mojolicious"; distance:1; within:17; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/25/captcha-protected-malware-downloader; classtype:command-and-control; sid:2018322; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015179; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015180; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015181; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015183; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015184; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015185; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015186; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015187; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015188; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015189; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015190; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015191; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015192; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015193; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015194; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015195; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015196; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_08_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015197; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Napolar / Shifu SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015198; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015199; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted check-in response Oct 19 (1)"; flow:established,to_client; file_data; content:"|0c 3c|"; depth:2; content:"|04 a3|"; distance:1; within:2; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024909; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015200; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET [!37018,!37039,1024:65535] (msg:"ET DELETED Possible NanoCore C2 64B"; flow:established,to_server; dsize:68; content:"|40 00 00 00|"; depth:5; pcre:"/^(?!.{0,63}\x00.{0,62}\x00.{0,61}\x00.{0,60}\x00)(?!.{0,62}\x00{2})(?!.{0,59}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,63}(?P=b1).{0,62}(?P=b1).{0,61}(?P=b1).{0,60}(?P=b1))(?!.(?P<b2>.).{0,62}(?P=b2).{0,61}(?P=b2).{0,60}(?P=b2).{0,59}(?P=b2))(?!..(?P<b3>.).{0,61}(?P=b3).{0,60}(?P=b3).{0,59}(?P=b3).{0,58}(?P=b3))(?!...(?P<b4>.).{0,60}(?P=b4).{0,59}(?P=b4).{0,58}(?P=b4).{0,57}(?P=b4))(?!....(?P<b5>.).{0,59}(?P=b5).{0,58}(?P=b5).{0,57}(?P=b5).{0,56}(?P=b5))(?!.....(?P<b6>.).{0,58}(?P=b6).{0,57}(?P=b6).{0,56}(?P=b6).{0,55}(?P=b6))(?!......(?P<b7>.).{0,57}(?P=b7).{0,56}(?P=b7).{0,55}(?P=b7).{0,54}(?P=b7))(?!.......(?P<b8>.).{0,56}(?P=b8).{0,55}(?P=b8).{0,54}(?P=b8).{0,53}(?P=b8))(?!........(?P<b9>.).{0,55}(?P=b9).{0,54}(?P=b9).{0,53}(?P=b9).{0,52}(?P=b9))(?!.........(?P<b10>.).{0,54}(?P=b10).{0,53}(?P=b10).{0,52}(?P=b10).{0,51}(?P=b10))/Rs"; classtype:command-and-control; sid:2025018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2019_10_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015201; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015202; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015203; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015204; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015205; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015206; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015207; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015208; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015209; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015210; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015211; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AcroCEF"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027975; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015212; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (a)"; ja3_hash; content:"93948924e733e9df15a3bb44404cd909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027976; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015213; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015214; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015215; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"0bb402a703d08a608bf82763b1b63313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027979; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015216; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"d5169d6e19447685bf6f1af8c055d94d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027980; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015217; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Airmail 3"; ja3_hash; content:"561145462cfc7de1d6a97e93d3264786"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027981; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015218; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Alation Compose"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027982; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015219; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music"; ja3_hash; content:"6003b52942a2e1e1ea72d802d153ec08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027983; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015220; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music,Dreamweaver,Spotify"; ja3_hash; content:"eb149984fc9c44d85ed7f12c90d818be"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027984; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015221; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android App"; ja3_hash; content:"662fdc668dd6af994a0f903dbcf25d66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027985; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015222; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Google API Access"; ja3_hash; content:"515601c4141e718865697050a7a1765f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027986; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015223; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"1aab4c2c84b6979c707ed052f724734b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027987; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015224; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"25b72c88f837567856118febcca761e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027988; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015225; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"5331a12866e19199b363f6e903381498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027989; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015226; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"855953256ecc8e2b6d2360aff8e5d337"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027990; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015227; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"85bb8aa8e5ba373906348831bdbed41a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027991; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015228; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"99d8afeec9a4422120336ad720a5d692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027992; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015229; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AnypointStudio"; ja3_hash; content:"8e3f1bf87bc652a20de63bfd4952b16a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027993; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015230; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Push Notification System, apple.WebKit.Networking,CalendarAgent,Go for Gmail"; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027994; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015231; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight Search (OSX)"; ja3_hash; content:"3e404f1e1b5a79e614d7543a79f3a1da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027995; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015232; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"69b2859aec70e8934229873fe53902fd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027996; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015233; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"6b9b64bbe95ea112d02c8812fc2e7ef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027997; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015234; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"e5e4c0eeb02fdcf30af8235b4de07780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027998; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015235; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple SpotlightNetHelper (OSX)"; ja3_hash; content:"97827640b0c15c83379b7d71a3c2c5b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027999; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015236; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Apple usbmuxd iOS socket multiplexer"; ja3_hash; content:"47e42b00af27b87721e526ff85fd2310"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028000; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015237; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"5507277945374659a5b4572e1b6d9b9f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028001; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015238; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"f753495f2eab5155c61b760c838018f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028002; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015239; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod/parsecd,apple.photomoments"; ja3_hash; content:"ba40fea2b2638908a3b3b482ac78d729"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028003; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015240; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"474e73aea21d1e0910f25c3e6c178535"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028004; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015241; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"eeeb5e7485f5e10cbc39db4cfb69b264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028005; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015242; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Chatter/FieldServiceApp/socialstudio"; ja3_hash; content:"63de2b6188d5694e79b678f585b13264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028006; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015243; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/itunesstored"; ja3_hash; content:"7b343af1092863fdd822d6f10645abfb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028007; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015245; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Spotify/WhatsApp/Skype/iTunes"; ja3_hash; content:"a312f9162a08eeedf7feb7a13cd7e9bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028008; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015246; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"1a6ef47ab8325fbb42c447048cea9167"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028009; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015247; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"b677934e592ece9e09805bf36cd68d8a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028010; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015248; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30, AppleWebKit/534.30"; ja3_hash; content:"ef323f542a99ab12d6b5348bf039b7b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028011; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015249; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30"; ja3_hash; content:"e1e03b911a28815836d79c5cdd900a20"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028012; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015250; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46 Mobile/9A334"; ja3_hash; content:"04e1f90d8719caabafb76d4a7b13c984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028013; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015251; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46, iOS AppleWebKit/534.46"; ja3_hash; content:"dc08cf4510f70bf16d4106ee22f89197"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028014; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015252; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/535 & Ubuntu Product Search"; ja3_hash; content:"4049550d5f57eae67d958440bdc133e4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028015; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015253; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12 or 600.1.4"; ja3_hash; content:"ef75a13be2ed7a82f16eefe6e84bc375"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028016; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015254; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12"; ja3_hash; content:"eaa8a172289b09a6789a415d1faac4c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028017; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015255; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - AT&T Connect"; ja3_hash; content:"c5c11e6105c56fd29cc72c3ac7a2b78b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028018; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015256; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (git library?) (Tested v1.6.21.0)"; ja3_hash; content:"42215ee83bbf3a857a72ef42213cfbd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028019; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015257; rev:2; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (Tested v1.6.21.0)"; ja3_hash; content:"1c8a17e58c20b49e3786fc61e0533e50"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028020; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_14, updated_at 2012_07_14;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #1"; ja3_hash; content:"4e5e5d9fbc43697be755696191fe649a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028021; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:exploit-kit; sid:2014894; rev:4; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #2"; ja3_hash; content:"c94858c6eb06de179493b3fac847143e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028022; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; http_header; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015182; rev:5; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator (Mystery 3rd) (37.0.2062.99) (OS X)"; ja3_hash; content:"58360f4f663a0f5657f415ac2f47fe1b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028023; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator Updates"; ja3_hash; content:"5149f53b5554a31116f9d86237552ee3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028024; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:exploit-kit; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Battle.net/Dropbox"; ja3_hash; content:"fa030dbcb2e3c7141d3c2803780ee8db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028025; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"sgrunt"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+sgrunt/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003385; classtype:trojan-activity; sid:2003385; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - bitgo/ShapeShift"; ja3_hash; content:"0ef9ca1c10d3f186f5786e1ef3461a46"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028026; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Browser (Tested BB10)"; ja3_hash; content:"add211c763889c665ae4ab675165cbc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028027; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Mail Client"; ja3_hash; content:"a921515f014005af03fc1e2c4c9e66ce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028028; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry Messenger (Android) 2"; ja3_hash; content:"4692263d4130929ae222ef50816527ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028029; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/PR"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry"; ja3_hash; content:"b5d42ca0e68a39d5c0a294134a21f020"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028030; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:command-and-control; sid:2015489; rev:2; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2012_07_20;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Blackbery Messenger (Android)"; ja3_hash; content:"32b0ae286d1612c82cad93b4880ee512"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028031; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlueCoat Proxy"; ja3_hash; content:"5182f54f9c6e99d117d9dde3fa2b4cff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028032; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BlueJeans,CEPHtmlEngine"; ja3_hash; content:"cdec81515ccc75a5aa41eb3db22226e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028033; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Ahrefs, hola_svc"; ja3_hash; content:"5c1c89f930122bccc7a97d52f73bea2c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028034; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: GoogleBot"; ja3_hash; content:"a1cb2295baf199acf82d11ba4553b4a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028035; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM|0D 0A|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Qwant"; ja3_hash; content:"706567223fbf37d112fba2d95b8ecac3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028036; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION*"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BrowserShots Script"; ja3_hash; content:"01aead19a1b1780978f732e056b183a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028037; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Browsershots"; ja3_hash; content:"a4dc1c39a68bffec1cc7767472ac85a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028038; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"93fbcdadc1bf98ff0e3c03e7f921edd1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028039; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"c3ca411515180e79c765dc2c3c8cea88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028040; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"15617351d807aa3145547d0ad0c976cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028041; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"34f8cac266d07bfc6bd3966e99b54d00"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028042; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (Tested: 1.7.03 on Windows 10), eclipse,JavaApplicationStub,idea"; ja3_hash; content:"8c5a50f1e833ed581e9cfc690814719a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028043; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Candy Crush (testing iOS 8.3)"; ja3_hash; content:"17a40616b856ec472714cd144471e0e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028044; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Charles/java/eclipse"; ja3_hash; content:"424008725394c634a4616b8b1f2828a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028045; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:exploit-kit; sid:2015516; rev:3; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2012_07_24;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)"; ja3_hash; content:"64bb259b446fe13f66bcd62d1f0d33df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028046; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (iOS)"; ja3_hash; content:"bec8267042d5885aa3acc07b4409cafc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028047; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Possible 41.x)"; ja3_hash; content:"d54a0979516e607a1166e6efd157301c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028048; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1"; ja3_hash; content:"ac67a2d0e3bd59459c32c996b5985979"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028049; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2"; ja3_hash; content:"34dfce2bb848da7c5dafa4d475f0ba41"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028050; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; nocase; classtype:trojan-activity; sid:2015532; rev:2; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3"; ja3_hash; content:"937edefedb6fe13f26d1a425ef1c15a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028051; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4"; ja3_hash; content:"a342d14afad3a448029ec808295ccce9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028052; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5"; ja3_hash; content:"71e74faaed87acd177bd3b47a543f476"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028053; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"1d64ab25ad6f7258581d43077147b9b1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028054; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"230018e44608686b64907360b6def678"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028055; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"dea05e8c68dfeb28003f21d22efc0aba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028056; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 10, Chrome 10.0.648.82 (Chromium Portable 9.0)"; ja3_hash; content:"62351d5ea3cd4f21f697965b10a9bbbe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028057; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:10; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 11 - 18, Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)"; ja3_hash; content:"a9da823fe77cd3df081644249edbf395"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028058; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 19 - 20, Chrome 19.0.1084.15 - 20.0.1132.57, Chrome 21.0.1180.89, Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11"; ja3_hash; content:"df4a50323dfcaf1789f72e4946a7be44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028059; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 22.0.1201.0, Chrome/22.0.1229.96"; ja3_hash; content:"3c8cb61208e191af38b1fbef4eacd502"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028060; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36"; ja3_hash; content:"1ef061c02d85b7e2654e11a9959096f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028061; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31"; ja3_hash; content:"89d37026246d4888e78e69af4f8d1147"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028062; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.0"; ja3_hash; content:"206ee819879457f7536d2614695a5029"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028063; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"76d36fc79db002baa1b5e741fcd863bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028064; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"bbc3992faa92affc0d835717ea557e99"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028065; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.0.0"; ja3_hash; content:"dc3eaee99a9221345698f8a8b2f4fc3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028066; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.1599.101"; ja3_hash; content:"53c7ed581cbaf36951559878fcec4559"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028067; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36"; ja3_hash; content:"fb8a6d2441ee9eaee8b560d48a8f59df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028068; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.63"; ja3_hash; content:"f7c4dc1d9595c27369a183a5df9f7b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028069; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"16d7ebc398d772ef9969d2ed2a15f4c0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028070; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"f3136cf565acf70dd2f98ca652f43780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028071; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.154"; ja3_hash; content:"af0ae1083ab10ac957e394c2e7ec4634"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028072; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"4807d61f519249470ebed0b633e707cf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028073; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"ef3364da4d76c98a669cb828f2e5283a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028074; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36"; ja3_hash; content:"5b348680dec77f585cfe82513213ac3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028075; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36"; ja3_hash; content:"52be6e88840d2211a243d9356550c4a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028076; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0 Safari & Mobile Safari/537.36"; ja3_hash; content:"5f775bbfc50459e900d464ca1cecd136"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028077; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0"; ja3_hash; content:"a167568462b993d5787488ece82a439a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028078; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.2062.120"; ja3_hash; content:"98652faa7e0a4d85f91e37aa6b8c0135"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028079; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 41.0.2272.89"; ja3_hash; content:"8b8322bad90e8bfbd66e664839b7a037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028080; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"aa9074aa1ff31c65d01c35b9764762b6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028081; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"de0963bc1f3a0f70096232b272774025"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028082; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 43.0.2357.132 & 45.02454.94"; ja3_hash; content:"3bb36ec17fef5d3da04ceeb6287314c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028083; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.116"; ja3_hash; content:"cd3f72760dfd5575b91213a8016c596b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028084; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.97"; ja3_hash; content:"5406c4a87aa6cbcb7fc469fee526a206"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028085; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:2101340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 49.0.2623.75"; ja3_hash; content:"503fe06db7ef09b2cbd771c4e784c686"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028086; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 1"; ja3_hash; content:"bd4267e1672f9df843ada7c963490a0d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028087; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 2"; ja3_hash; content:"caeb3b546fc7469776d51f1f54a792ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028088; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.106 (test)"; ja3_hash; content:"aa84deda2a937ad225ef94161887b0cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028089; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 1"; ja3_hash; content:"473e8bad0e8e1572197be80faa1795c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028090; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 2"; ja3_hash; content:"e0b0e6c934c686fd18a5727648b3ed4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028091; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 3"; ja3_hash; content:"7ddfe8d6f8b51a90d10ab3fe2587c581"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028092; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 4"; ja3_hash; content:"bc76a4185cc9bd4c72471620e552618c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028093; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 5"; ja3_hash; content:"8e3eea71cb5a932031d90cc0fba581bc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028094; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_27, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 6"; ja3_hash; content:"653924bcb1d6fd09a048a4978574e2c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028095; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 7"; ja3_hash; content:"1ef652ecfb8e60e771a4710166afc262"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028096; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"8a8159e6abf9fe493ca87efc38855149"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028097; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"a7f2d0376cdcfde3117bf6a8359b2ab8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028098; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028099; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028100; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"94c485bca29d5392be53f2b8cf7f4304"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028101; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:11; metadata:created_at 2010_09_23, former_category EXPLOIT, updated_at 2017_06_29;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028102; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 61.0.3163,100(64-bit) Win10"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028103; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx) - also TextSecure Desktop"; ja3_hash; content:"cafd1f84716def1a414c688943b99faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028104; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx)"; ja3_hash; content:"62d8823f52dd8e1ba75a9a83e8748313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028105; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/30.0.1599.101"; ja3_hash; content:"c405bbbe31c0e53ac4c8448355b2af5b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028106; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/41.0.2272.89"; ja3_hash; content:"2c3221f495d5e4debbb34935e1717703"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028107; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/49.0.2623.112 WinXP"; ja3_hash; content:"248bdbc3873396b05198a7e001fbd49a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028108; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET MALWARE Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:command-and-control; sid:2008023; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/56.0.2924.87 Linux/Charles/Google Play Music Desktop Player/Postman/Slack/other desktop programs"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028109; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:command-and-control; sid:2008022; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/59.0.3071.115 Win10, node.js"; ja3_hash; content:"9811c1bb9f0f6835d5c13a831cca4173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028110; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/60.0.3112.113 Win10, Chromium"; ja3_hash; content:"def8761e4bcaaf91d99801a22ac6f6d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028111; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"be9f1360cf52dc1f61ae025252f192a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028112; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"fc5cb0985a5f5e295163cc8ffff8a6e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028113; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client (3.1.09013)"; ja3_hash; content:"7f340e6caa1fa4c979df919227160ff6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028114; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"e7d46c98b078477c4324031e0d3b22f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028115; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"ed36017db541879619c399c95e22067d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028116; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Receiver 4.4.0.8014"; ja3_hash; content:"203157ed9f587f0cfd265061bf309823"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028117; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Viewer"; ja3_hash; content:"5ee1a653fb824db7182714897fd3b5df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028118; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Covenant Eyes"; ja3_hash; content:"a9d17f74e55dd53fcf7c234f8a240919"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028119; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - CRAWLER: facebookexternalhit/1.1"; ja3_hash; content:"111da7c75fee7fe934b35a8d88eb350a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028120; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Creative Cloud"; ja3_hash; content:"c882d9444412c00e71b643f3f54145ff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028121; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2102417; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - cscan"; ja3_hash; content:"bc0608d33dc64506b42f7f5f87958f37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028122; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.22.0 on Linux)"; ja3_hash; content:"764b8952983230b0ac23dbd3741d2bb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028123; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.43.0 OS X)"; ja3_hash; content:"9f198208a855994e1b8ec82c892b7d37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028124; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:2100491; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)"; ja3_hash; content:"c458ae71119005c8bc26d38a215af68f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028125; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)"; ja3_hash; content:"e14d427fab707af91e4bbd0bf03076f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028126; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl"; ja3_hash; content:"f672d8f0e827ca1e704a9489b14dd316"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028127; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:2101449; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"; ja3_hash; content:"e3891da2a758d67ba921e5eec0b9707d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028128; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Customised Postfix - Damnit Matt"; ja3_hash; content:"f865de0807a17e9cb797e618162356db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028129; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dashlane"; ja3_hash; content:"0217dc3bd88c696cc15374db0d848de4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028130; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.15)"; ja3_hash; content:"f7baf7d9da27449e823a4003e14cd623"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028131; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.20+)"; ja3_hash; content:"ec2e8760003621ca668b5f03e616cd57"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028132; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Deezer"; ja3_hash; content:"4fcd1770545298cc119865aeba81daba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028133; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (installer?)"; ja3_hash; content:"ede63467191e9a12300e252c41ca9004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028134; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)"; ja3_hash; content:"653d342bee5001569662198a672746af"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028135; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (Win 8.1)"; ja3_hash; content:"482a11a20da1629b77aaadf640478d13"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028136; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"GPL POLICY AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:nessus,10441; classtype:misc-activity; sid:2101504; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"21ed4c7ee1daeb84c72199ceaf119b24"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028137; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hi"; classtype:policy-violation; sid:2101437; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"30b168d81e38d9a55c474c1e30eaf9f9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028138; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"f8e42933ba5b3990858ba621489047e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028139; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Setup (tested: 3.10.11 on Win 8.x)"; ja3_hash; content:"2f8363419a9fb80ad46b380778d8eaf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028140; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Splash Pages (Win 10)"; ja3_hash; content:"c1e8322501b4d56d484b50bd7273e798"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028141; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Windows"; ja3_hash; content:"6c141f98cd79d8b505123e555c1c3119"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028142; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"054c9f9d304b7a2add3d6fa75bc20ae4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028143; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"36bc8c7e10647bbfea3f740e7f05c0f1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028144; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Dynalist/Postman/Google Chrome/Franz/GOG Galaxy"; ja3_hash; content:"4c40bf8baa7c301c5dba8a20bc4119e2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028145; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"0411bbb5ff27ad46e1874a7a8beedacb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028146; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"4990c9da08f44a01ecd7ddc3837caf25"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028147; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"fa106fe5beec443af7e211ef8902e7e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028148; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse/java"; ja3_hash; content:"d74778f454e2b047e030b291b94dd698"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028149; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Facebook iOS"; ja3_hash; content:"576a1288426703ae0008c42f95499690"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028150; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Feedly/1.0, java,eclipse,Cyberduck"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028151; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - fetchmail 6.3.26 (openSUSE Leap 42.1)"; ja3_hash; content:"a698fe6c52d210e3376bb6667729d4d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028152; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FieldServiceApp/socialstudio"; ja3_hash; content:"1fbe5382f9d8430fe921df747c46d95f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028153; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 24.0 Iceweasel24.3.0"; ja3_hash; content:"3d99dda4f6992b35fdb16d7ce1b6ccba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028154; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 25.0"; ja3_hash; content:"c57914fadb301a73e712378023b4b177"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028155; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 26.0, Firefox/26.0"; ja3_hash; content:"755cdaa3496eb8728247a639dee17aad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028156; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 27.0"; ja3_hash; content:"ff9223b5c9a5d44a8a423833751fa158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028157; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.0.19"; ja3_hash; content:"df9bedd5713fe0cc2e9184d7c16a5913"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028158; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.5 - 3.6, Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14"; ja3_hash; content:"4a9bd55341e1ffe6fedb06ad4d3010a0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028159; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 40.0.3 (tested Windows 8), Firefox/37.0"; ja3_hash; content:"2872afed8370401ec6fe92acb53e5301"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028160; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"46129449560e5731dc9c5106f111a3db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028161; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"d06b3234356cb3df0983fc8dd02ece68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028162; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.0 2"; ja3_hash; content:"05ece02fb23acf2efbfff54ce4099a45"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028163; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)"; ja3_hash; content:"aa907c2c4720b6f54cd8b67a14cef0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028164; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (dev edition)"; ja3_hash; content:"f586111542f330901d9a3885a9c821b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028165; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled - I think websockets)"; ja3_hash; content:"1996e434b11323df4e87f8fe0e702209"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028166; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled)"; ja3_hash; content:"8ed0a2cdcad81fc29313910eb94941d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028167; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 49.0a2 Developer TLS 1.3 enabled"; ja3_hash; content:"8b18c5b0c54cba1ffb2438fe24792b63"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028168; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 63.0"; ja3_hash; content:"b20b44b18b853ef29ab773e921b03422"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028169; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0a81538cf247c104edb677bdb8902ed5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028170; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0b6592fd91d4843c823b75e49b43838d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028171; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"1c15aca4a38bad90f9c40678f6aface9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028172; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"5163bc7c08f57077bc652ec370459c2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028173; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"a88f1426c4603f2a8cd8bb41e875cb75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028174; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"b03910cc6de801d2fcfa0c3b9f397df4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028175; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; dsize:>6; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"bfcc1a3891601edb4f137ab7ab25b840"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028176; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3; metadata:created_at 2012_07_31, former_category CURRENT_EVENTS, updated_at 2012_07_31;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"f15797a734d0b4f171a86fd35c9a5e43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028177; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; fast_pattern; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:pup-activity; sid:2008375; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/10.0.11esrpre Iceape/2.7.12"; ja3_hash; content:"55f2bd38d462d74fb6bb72d3630aae16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028178; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:pup-activity; sid:2002988; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/13.0-25.0"; ja3_hash; content:"85c420ab089dac5025034444789a8fb5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028179; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; nocase; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/14.0.1 Linux"; ja3_hash; content:"847b0c334fd0f6f85457054fabff3145"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028180; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/25.0"; ja3_hash; content:"e98db583389531a37f2fe8d251f0f7ae"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028181; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/27.0-32.0, IceWeasel 31.8.0"; ja3_hash; content:"cc9bcf019b339c01d200515d1cb39092"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028182; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Control Checkin"; flow:established,to_server; content:"/track.cgi"; http_uri; content:"POST"; depth:4; http_method; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; content:"&z="; http_client_body; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; classtype:command-and-control; sid:2009096; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/28.0-30.0"; ja3_hash; content:"45d22e6403f053bfb2cc223755588533"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028183; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/track.cgi"; http_uri; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&b="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; reference:url,doc.emergingthreats.net/2009347; classtype:command-and-control; sid:2009347; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/31 Linux, firefox"; ja3_hash; content:"ce694315cbb81ce95e6ae4ae8cbafde6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028184; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/32.0"; ja3_hash; content:"8df37d4e7430e2d9a291ae9ee500a1a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028185; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"5ba6ed04b246c96c6839e0268a8b826f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028186; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"c5392af25feaf95cfefe858abd01c86b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028187; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"9250f97ba65d86e7b0e60164c820d91a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028188; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"ab834ac5135f2204d473878821979cea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028189; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/37.0, Google Chrome 45.0.2454.85 or FireFox 41-42"; ja3_hash; content:"514058a66606ae870bcc670e95ca7e68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028190; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/38 Linux"; ja3_hash; content:"edf844351bc867631b5ebceda318669b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028191; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/40.1 Windows 7"; ja3_hash; content:"05af1f5ca1b87cc9cc9b25185115607d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028192; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/45.0 Linux, firefox,thunderbird"; ja3_hash; content:"07b4162d4db57554961824a21c4a0fde"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028193; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/51.0 Windows 10, firefox,thunderbird"; ja3_hash; content:"61d0d709fe7ac199ef4b2c52bc8cef75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028194; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52 Linux"; ja3_hash; content:"4e66f5ad78f3d9ad8d5c7c88d138db43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028195; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:2100617; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52"; ja3_hash; content:"ca0f3f4c08cbd372720beb1af7d2721f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028196; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; distance:0; http_header; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/Hi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55 Windows 10"; ja3_hash; content:"1885aa9927f99ed538ed895d9335995c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028197; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55/56 Mac/Win/Linux"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028198; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/56.0 Windows 10"; ja3_hash; content:"be1a7de97ea176604a3c70622189d78d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028199; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/6.0.1 - 12.0"; ja3_hash; content:"2aef69b4ba1938c3a400de4188743185"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028200; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Flux"; ja3_hash; content:"504ecb2d3e5e83a179316f098dadbaeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028201; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:command-and-control; sid:2014219; rev:4; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2012_02_11;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Franz/Google Chrome/Kiwi/Spotify/nwjs/Slack"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028202; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; fast_pattern; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) #1"; ja3_hash; content:"a6090977601dc1345948f101e46d5759"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028203; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pandex Trojan Dropper Initial Checkin"; flow:established,to_server; content:"?r="; http_uri; content:"&hdd="; fast_pattern; http_uri; content:"&gen="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:command-and-control; sid:2013397; rev:3; metadata:created_at 2011_08_10, former_category MALWARE, updated_at 2011_08_10;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) or DropBox"; ja3_hash; content:"f1b9f86645cb839bd6992e848d943898"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028204; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; fast_pattern; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:pup-activity; sid:2007744; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Fuze"; ja3_hash; content:"900c1fa84b4ea86537e1d148ee16eae8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028205; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?open="; nocase; http_uri; content:"&myid="; fast_pattern; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009814; classtype:trojan-activity; sid:2009814; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"107144b88827da5da9ed42d8776ccdc5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028206; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_28, former_category MALWARE, updated_at 2011_09_28;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"c46941d4de99445aef6b497679474cf4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028207; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; fast_pattern; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:pup-activity; sid:2008149; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - git commandline (tested: 1.9. Linux)"; ja3_hash; content:"3e765b7a69050906e5e48d020921b98e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028208; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Keylogger checkin"; flow:established; content:"GET"; nocase; http_method; content:"?mail="; http_uri; content:"subject=Keylogger"; http_uri; fast_pattern; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; classtype:command-and-control; sid:2008368; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)"; ja3_hash; content:"d0df7f7c9ca173059b2cd17ce5c2e5cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028209; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; http_uri; nocase; fast_pattern; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:pup-activity; sid:2003217; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GitHub Desktop (tested build 216 on OSX)"; ja3_hash; content:"f8c50bbee59c526ca66da05f3dc4b735"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028210; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Glympse Location Tracking??"; ja3_hash; content:"c5cbafbbcf53dfbfc2a803ca3833fce2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028211; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GMail SMTP Relay"; ja3_hash; content:"a3b2fe29619fdcb7a9422b8fddb37a67"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028212; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GNU Wget 1.16.1 built on darwin14.0.0"; ja3_hash; content:"94b94048a438e77122fc4eee3a6a4a26"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028213; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:2; metadata:created_at 2012_08_02, former_category INFO, updated_at 2017_06_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GNUTLS Commandline"; ja3_hash; content:"0267b752d6a8b5fd195096b41ea5839c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028214; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"|04 00 00 01 05 00 00 00 00 07 00 01 00|"; reference:md5,7bf026c71d4ca6cdc7b6e543f9a5bb64; classtype:trojan-activity; sid:2014348; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - golang (tested: 1.4.1)"; ja3_hash; content:"f11b0fca6c063aa69d8d39e0d68b6178"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028215; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"|04 00 00 01 01 00 00 00 04|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Calendar Agent (Tested on OSX)"; ja3_hash; content:"07ef3a7f5f8ffef08affb186284f2af4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028216; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"|04 00 00 01 01 00 00 00 05|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (43.0.2357.130 64-bit OSX)"; ja3_hash; content:"abe568de919448adcd756aea9a136aea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028217; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (Android)"; ja3_hash; content:"400961c8161ba7661a7029d3f7e8bb95"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028218; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"072c0469aa4f2f597bb38bcc17095c51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028219; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"696cd0c8c241e19e3d6336c3d3d9e2e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028220; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"c40b51e2a59425b6a2b500d569962a60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028221; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:pup-activity; sid:2008742; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 45.0.2454.101"; ja3_hash; content:"e8aabc4fe1fc8d47c648d37b2df7485f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028222; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_03, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71 m"; ja3_hash; content:"7ea3e17d09294aee8425ae05588f0c66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028223; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71"; ja3_hash; content:"a9030ea4837810ce89fb8a3d39ca12ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028224; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"0e46737668fe75092919ee047a0b5945"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028225; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"39fa85654105398ee7ef6a3a1c81d685"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028226; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (Win exe under 128)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"4ba7b7022f5f5e1e500bb19199d8b1a4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028227; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"002205d0f96c37c5e660b9f041363c11"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028228; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"073eede15b2a5a0302d823ecbd5ad15b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028229; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http any any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:pup-activity; sid:2001683; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"0b61c673ee71fe9ee725bd687c455809"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028230; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"6cd1b944f5885e2cfbe98a840b75eeb8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028231; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b4f4e6164f938870486578536fc1ffce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028232; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_17, updated_at 2011_08_17;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028233; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:7; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"baaac9b6bf25ad098115c71c59d29e51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028234; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"|0d 0a|Content-Language|3A| ru"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:8; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"da949afd9bd6df820730f8f171584a71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028235; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX compressed file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"f58966d34ff9488a83797b55c804724d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028236; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:pup-activity; sid:2001047; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"fd6314b03413399e4f23d1524d206692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028237; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:command-and-control; sid:2015587; rev:2; metadata:created_at 2012_08_08, former_category MALWARE, updated_at 2012_08_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome/Slack"; ja3_hash; content:"5498cef2cca704eb01cf2041cc1089c1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028238; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2012_08_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)"; ja3_hash; content:"c1741dd3d2eec548df0bcd89e08fa431"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028239; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; reference:md5,5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:2; metadata:created_at 2011_07_09, former_category TROJAN, updated_at 2018_06_26;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive File Stream"; ja3_hash; content:"d27fb8deca6e3b9739db3fda2b229fe3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028240; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth Linux 7.1.4.1529"; ja3_hash; content:"b16614e71d26ba348c94bfc8e33b1767"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028241; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth"; ja3_hash; content:"ae340571b4fd0755c4a0821b18d8fa93"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028242; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Mail server starttls connection"; ja3_hash; content:"9af622c65a17a0bf90d6e9504be96a43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028243; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:exploit-kit; sid:2015043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Google Photos Backup"; ja3_hash; content:"f059212ce3de94b1e8253a7522cb1b44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028244; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - GoogleBot"; ja3_hash; content:"50dfee94717e9640b1c384e5bd78e61e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028245; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - gramblr"; ja3_hash; content:"fd10cc8cce9493a966c57249e074755f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028246; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)"; ja3_hash; content:"e76ac6872939f6ebfdf75f1ea73b4daf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028247; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:2; metadata:created_at 2012_08_11, updated_at 2012_08_11;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - HipChat"; ja3_hash; content:"d9b07b9095590f4ff910ceee7b6af88a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028248; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"3e860202fc555b939e83e7a7ab518c38"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028249; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_06_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"54328bd36c14bd82ddaa0c04b25ed9ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028250; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"56ac3a0bef0824c49e4b569941937088"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028251; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:command-and-control; sid:2014351; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"8bd59c4b7f3193db80fd64318429bcec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028252; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"d1f9f9b224387d2597f02095fcec96d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028253; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:command-and-control; sid:2015635; rev:3; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2012_08_16;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"ff1040ba1e3d235855ef0d7cd9237fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028254; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - HTTRack"; ja3_hash; content:"a1ec6fd012b9ee6f84c50339c4205270"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028255; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IDSyncDaemon"; ja3_hash; content:"5af143afdbf58ec11ab3b3d53dd4e5e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028256; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11 Win10"; ja3_hash; content:"fee8ec956f324c71e58a8c0baf7223ef"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028257; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; reference:md5,47a6dd02ee197f82b28cee0ab2b9bd35; classtype:command-and-control; sid:2012960; rev:8; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2011_06_09;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"4cafc7a0acf83a49317ca199b2f25c82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028258; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"78273d33877a36c0c30e3fb7578ee9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028259; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015258; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - In all the malware samples - Java updater perhaps, java"; ja3_hash; content:"a61299f9b501adcf680b9275d79d4ac6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028260; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015461; rev:3; metadata:created_at 2012_07_13, updated_at 2012_07_13;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Inbox OSX"; ja3_hash; content:"d06acbe8ac31e753f40600a9d6717cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028261; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015061; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - inoreader.com-like FeedFetcher-Google, inoreader.com"; ja3_hash; content:"3ca5d63fa122552463772d3e87d276f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028262; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015062; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11 .0.9600.1731.(Win 8.1)"; ja3_hash; content:"a6776199188c09f5124b46b895772fa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028263; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015063; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.17959"; ja3_hash; content:"a264c0bb146b2fade4410bcd61744b69"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028264; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015064; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check"; ja3_hash; content:"d54b3eb800cbeccf99fd5d5cdcd7b5b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028265; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015065; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iOS AppleWebKit/536.26"; ja3_hash; content:"06d930b072bf052b10d0a9eea1554f60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028266; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015066; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iOS Mail App (tested: iOS 9.3.3)"; ja3_hash; content:"99204897b101b15f87e9b07f67453f4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028267; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015067; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iPad CPU OS 9_3_5 Safari 601.1 Used by many programs - apple.WebKit.Networking"; ja3_hash; content:"a9aecaa66ad9c6cfe1c361da31768506"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028268; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015068; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iPhone OS 10_3_3 Safari 602.1, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7e72698146290dd68239f788a452e7d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028269; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015069; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #1"; ja3_hash; content:"c6ecc5ba2a6ab724a7430fa4890d957d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028270; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015070; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #2"; ja3_hash; content:"c07295da5465d5705a38f044e53ef7c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028271; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015071; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Java 8U91 Update Check, Windows Java Plugin (tested: v8 Update 60), BurpSuite Free (Tested: 1.7.03 on Windows 10), java,studio,eclipse"; ja3_hash; content:"2db6873021f2a95daa7de0d93a1d1bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028272; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015072; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"093081b45872912be9a1f2a8163fe041"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028273; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015073; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"2080bf56cb87e64303e27fcd781e7efd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028274; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015074; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"225a24b45f0f1adbc2e245d4624c6e08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028275; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015075; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3afe1fb5976d0999abe833b14b7d6485"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028276; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015076; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3b844830bfbb12eb5d2f8dc281d349a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028277; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015077; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"550628650380ff418de25d3d890e836e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028278; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015078; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5b270b309ad8c6478586a15dece20a88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028279; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015079; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5d7abe53ae15b4272a34f10431e06bf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028280; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015080; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"7c7a68b96d2aab15d678497a12119f4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028281; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015081; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"88afa0dea1608e28f50acbad32d7f195"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028282; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015082; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"8ce6933b8c12ce931ca238e9420cc5dd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028283; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015083; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"a9fead344bf3ac09f62df3cd9b22c268"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028284; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015084; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java/eclipse/STS"; ja3_hash; content:"028563cffc7a3a2e32090aee0294d636"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028285; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015085; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - java/JavaApplicationStub"; ja3_hash; content:"5f9b53f0d39dc9d940a3b5568fe5f0bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028286; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015086; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - JavaApplicationStub"; ja3_hash; content:"c376061f96329e1020865a1dc726927d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028287; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ppsvcvrcgkllplyn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015259; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - K9 Mail (Android)"; ja3_hash; content:"ced7418dee422dd70d2a6f42bb042432"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028288; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ruhctasjmpqbyvhm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015260; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Kindle/stack/nextcloud"; ja3_hash; content:"e516ad69a423f8e0407307aa7bfd6344"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028289; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015261; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 (openSUSE Leap 42.1) 2"; ja3_hash; content:"8194818a46f5533268472f2167ffec70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028290; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015262; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1"; ja3_hash; content:"78253eb48a1431a4bbbe6bb4358464ac"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028291; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015263; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.8, OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)"; ja3_hash; content:"0e0b798d0208ad365eec733b29da92a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028292; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015264; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LeagueClientUx"; ja3_hash; content:"3959d0a1344896e9fb5c0564ca0a2956"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028293; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015265; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"0fe51fa93812c2ebb50a655222a57bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028294; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015266; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"2e094913d88f0ad8dc69447cb7d2ce65"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028295; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015267; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - LogMeIn Client"; ja3_hash; content:"193349d34561d1d5d1a270172eb2d97e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028296; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015268; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mail app iOS"; ja3_hash; content:"0cbbafcdaf63cbf1e490c4a2d903f24b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028297; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015269; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)"; ja3_hash; content:"fc5574de96793b73355ca9e555748225"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028298; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015270; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Maxthon"; ja3_hash; content:"d732ca39155f38942f90e9fc2b0f97f7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028299; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015271; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Messenger/Jumpshare"; ja3_hash; content:"c9dbeed362a32f9a50a26f4d9b32bbd8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028300; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015272; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Smartscreen"; ja3_hash; content:"bedb7e0ff43a24272eb0a41993c65faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028305; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015273; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P"; ja3_hash; content:"bff2c7b5c666331bfe9afacefd1bdb51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028306; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015274; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Windows Socket (Tested: Windows 10)"; ja3_hash; content:"48cf5fb702315efbfc88ee3c8c94c6cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028307; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015275; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mj12bot.com"; ja3_hash; content:"11e1137464a4343105031631d470cd92"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028310; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015276; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mobile Safari/537.35+ BB10"; ja3_hash; content:"87c6dda19108d68e526a72d9ae09fb9e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028311; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015277; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mono-sgen/Syncplicity/Axure RP 8/Amazon Drive"; ja3_hash; content:"6acb250ada693067812c3335705dae79"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028312; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015278; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Sync Services (Android)"; ja3_hash; content:"d65ddade944f9acfe4052b2c9435eb85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028313; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015279; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 31.5.0)"; ja3_hash; content:"c2116e5bb14394aafbefe12ade9bd8ab"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028314; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015280; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 38.3.0), ThunderBird (v38.0.1 OS X)"; ja3_hash; content:"6fd163150b060dd7d07add280f42f4ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028315; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015281; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla/4.0 MSIE 6.0 or MSIE 7.0 User-Agent"; ja3_hash; content:"de350869b8c85de67a350c8d186f11e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028316; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015282; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"5bf43fbca3454853c26df6d996954aca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028317; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015283; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"888ecd3b5821a497195932b0338f2f12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028318; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015284; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"8d2e46c9e2b1ee9b1503cab4905cb3e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028319; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015285; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MS Office Components"; ja3_hash; content:"f66b0314f269695fe3528ef39a27c158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028320; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015286; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0"; ja3_hash; content:"2201d8e006f8f005a6b415f61e677532"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028321; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0)"; ja3_hash; content:"7b3b37883b5e80065b35f27888ed2b04"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028322; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 8.0 & 9.0 Trident/5.0)"; ja3_hash; content:"2baf01616e930d378df97576e2686df3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028323; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mutt (tested: 1.5.23 OSX)"; ja3_hash; content:"dc7c914e1817944435dd6b82a8495fbb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028324; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:2100287; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - mutt"; ja3_hash; content:"6761a36cfa692fcd3bc7d570b23cc168"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028325; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - NetFlix App on AppleTV (possibly others also)"; ja3_hash; content:"146c6a6537ba4cc22d874bf8ff346144"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028326; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node-webkit/Kindle"; ja3_hash; content:"3ee4aaac7147ff2b80ada31686db660c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028330; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node.js"; ja3_hash; content:"641df9d6dbe7fdb74f70c8ad93def8cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028331; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - node.js/Postman/WhatsApp"; ja3_hash; content:"106ecbd3d14b4dc6e413494263720afe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028332; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:2100492; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Non-Specific Microsoft Socket"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028333; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - NVIDEA GeForce Experience, Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)"; ja3_hash; content:"4025f224557638ee81afc4f272fd7577"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028334; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - nwjs/Chromium"; ja3_hash; content:"49de9b1c7e60bd3b8e1d4f7a49ba362e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028335; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - One Drive"; ja3_hash; content:"388a4049af7e631f8d36eb0f909de65a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028336; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.01"; ja3_hash; content:"a35c1457421bcfaf5edaccb910bfea1d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028337; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)"; ja3_hash; content:"07aa6d7cac645c8845d6e96503f7d985"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028338; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)"; ja3_hash; content:"6fffa2be612102d25dbed5f433b8238c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028339; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 10.53  10.60  11.61  11.64  12.02, Presto 2.5.24  2.6.30  2.10.229  2.10.289"; ja3_hash; content:"4e6f7f036fb2b05a50ee8a686b1176a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028340; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 11.11  11.52, Presto 2.8.131  2.9.168"; ja3_hash; content:"ceee08c3603b53be80c8afdc98babdd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028341; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:2100601; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 12.14 - 12.16, Presto 2.12.388"; ja3_hash; content:"561271bdcbfe68504ce78b38c957eef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028342; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 (X11 Linux x86_64 U en) Presto/2.6.30 Version/10.60"; ja3_hash; content:"8b475d6105c72827a234fbd47e25b0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028343; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.229 Version/11.62"; ja3_hash; content:"44f37c3ceccb551271bfe0ba6d39426c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028344; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 & Presto/2.10.229"; ja3_hash; content:"a16170ff03466c8ee703dd71feda9bfe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028345; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 Version/12.00"; ja3_hash; content:"b237ac4bcc16c142168df03a871677bd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028346; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"07715901e2c6fe4c45e7c42587847d5d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028347; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"329ff4616732b84de926caa7fd6777b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028348; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - OS X WebSockets"; ja3_hash; content:"43bb6a18756587426681e4964e5ea4bf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028349; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 1"; ja3_hash; content:"3b6da2971936ac24457616e8ad46f362"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028350; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 2"; ja3_hash; content:"95baa3d2068d8c8da71990a353cf8453"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028351; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Outlook 2007 (Win 8.1)"; ja3_hash; content:"53eb89fe6147474039c1162e4d9d3dc0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028352; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - p4v/owncloud"; ja3_hash; content:"38cbe70b308f42da7c9980c0e1c89656"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028353; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PaleMoon Browser"; ja3_hash; content:"d82cbe0b93f2b02d490a14f6bc1d421a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028354; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - parsecd/apple.geod/apple.photomoments/photoanalysisd/FreedomProxy"; ja3_hash; content:"62448833d8230241227c03b7d441e31b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028355; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:9; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - php script (tested 5.5.27)"; ja3_hash; content:"16765fe48127809dc0ca406769c9391e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028356; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pidgin (tested 2.10.11)"; ja3_hash; content:"b74f9ecf158e0575101c16c5265a85b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028357; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015646; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pocket/Slack/Duo (Android)"; ja3_hash; content:"6ea7cfa450ce959818178b420f59fec4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028358; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015647; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Polycom IP Phone Directory Lookup"; ja3_hash; content:"9e41b6bf545347abccf0dc8fd76083a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028359; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:3; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - postbox-bin"; ja3_hash; content:"e846898acc767ebeb2b4388e58a968d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028404; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Postfix with StartTLS"; ja3_hash; content:"26fa3da4032424ab61dc9be62c8e3ed0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028405; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #1 & Apteligent"; ja3_hash; content:"ef48bf8b2ccaab35642fd0a9f1bbe831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028406; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,5310a7d855a14c93b12a36869cd252ec; classtype:trojan-activity; sid:2015653; rev:4; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #2"; ja3_hash; content:"8cc24a6ff485c62e3eb213d2ca61cf12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028407; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|http|3a|//"; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:4; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Pusherapp API"; ja3_hash; content:"12ad03cb3faa2748e92c9a38faab949f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028408; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - py2app application (including box.net & google drive clients)"; ja3_hash; content:"ba502b2f5d64ac3d1d54646c0d6dd4dc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028409; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Python Requests Library 2.4.3"; ja3_hash; content:"c398c55518355639c5a866c15784f969"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028410; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64"; ja3_hash; content:"1a9fb04aa1b4439666672be8661f9386"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028411; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Qsync Client"; ja3_hash; content:"a7823092705a5e91ce2b7f561b6e5b98"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028412; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Reported as -"; ja3_hash; content:"4b06b445e3e12cdae777cec815ab90f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028414; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10; metadata:created_at 2012_08_23, former_category WEB_CLIENT, updated_at 2012_08_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RescueTime/Plantronics Hub"; ja3_hash; content:"c048d9f26a79e11ca7276499ef24daf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028415; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App #2"; ja3_hash; content:"90f755509cba37094eb66be02335b932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028416; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App"; ja3_hash; content:"7743db23afb26f18d632420e6c36e076"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028417; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - RSiteAuditor"; ja3_hash; content:"35c0a31c481927f022a3b530255ac080"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028418; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ruby script (tested: 2.0.0p481)"; ja3_hash; content:"688b34ca00a291ece0bc07b264b1344c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028419; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ruby"; ja3_hash; content:"d219efd07cbb8fbe547e6a5335843f0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028420; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:md5,899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 525 - 533  534.57.2, Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater"; ja3_hash; content:"cbcd1d81f242de31fd683d5acbc70dca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028421; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34"; ja3_hash; content:"4c551900711d12c864cfe2f95e1c98c2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028422; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_15, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, rekonq1.1  Arora0.11.0"; ja3_hash; content:"30701f5050d504c31805594fb5c083b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028423; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:command-and-control; sid:2015616; rev:3; metadata:created_at 2012_08_11, former_category MALWARE, updated_at 2012_08_11;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, Safari/537.21"; ja3_hash; content:"41ba55231de6643721fbe2ae25fab85d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028424; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:command-and-control; sid:2009540; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.59.8"; ja3_hash; content:"fb1d89e16f4dd558ad99011070785cce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028425; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET EXPLOIT_KIT Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:exploit-kit; sid:2015672; rev:5; metadata:created_at 2012_08_30, former_category EXPLOIT_KIT, updated_at 2012_08_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 536.30.1"; ja3_hash; content:"e2a482fbb281f7662f12ff6cc871cfe7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028426; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
-
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
-
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
-
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.71"; ja3_hash; content:"cc5925c4720edb550491a12a35c15d4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028427; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.78.2"; ja3_hash; content:"88770e3ad9e9d85b2e463be2b5c5a026"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028428; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari"; ja3_hash; content:"c36fb08942cf19508c08d96af22d4ffc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028429; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/534.57.2, hola_svc"; ja3_hash; content:"77310efe11f1943306ee317cf02150b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028430; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.1.38 Macintosh, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c07cb55f88702033a8f52c046d23e0b2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028431; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.3.1 Macintosh/apple.WebKit.Networking,itunesstored"; ja3_hash; content:"3e4e87dda5a3162306609b7e330441d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028432; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Salesforce Files"; ja3_hash; content:"844166382cc98d98595e6778c470f5d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028433; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10; metadata:created_at 2010_07_30, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: hoax Firefox/40.1"; ja3_hash; content:"9a35e493f961ac377f948690b5334a9c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028434; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: wordpress wp-login Firefox/40.1"; ja3_hash; content:"ce5f3254611a8c095a3d821d44539877"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028435; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SCRAPER: DotBot"; ja3_hash; content:"d8844f000e5571807e9094e0fcd795fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028436; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Scraper: yandex.ru based Mozilla 4.0"; ja3_hash; content:"05e15a226e00230c416a8cdefeb483c7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:misc-activity; sid:2028437; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:5; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SeznamBot/3.2"; ja3_hash; content:"6cc3c7debc31952d05ecaacb6021925f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028438; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d0a|User-Agent|3a| gomtour|0d0a|"; within:200; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 1"; ja3_hash; content:"fa8b8ed07b1dd0e4a262bd44d31251ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028439; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 2"; ja3_hash; content:"c05809230e9f7a6bf627a48b72dc4e1c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028440; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 3"; ja3_hash; content:"0ad94fcb7d3a2c56679fbd004f6b12cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028441; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0add6ceb611a7613f97329af3b6828d9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028442; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0b63812a99e66c82a20d30c3b9ba6e06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028443; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"109dbd9238634b21363c3d62793c029c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028444; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"11e49581344c117df2c9ceb46e5594c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028445; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"302579fd4ba13eca27932664f66725ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028446; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"badc09d74edf43c0204c4827a038c2fa"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028447; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f59a024cf47fdb835053ebf144189a47"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028448; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f8f522671d2d2eba5803e6c002760c05"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028449; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.5.23 - OS X)"; ja3_hash; content:"9d5869f950eeca2e39196c61fdf510c8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028450; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.6.2 OS X)"; ja3_hash; content:"3fcc12d9ee1f75a0212d1d16f7b9f8ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028451; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Signal (tested: 3.16.0 - Android)"; ja3_hash; content:"7dde4e4f0dceb29f711fb34b4bdbf420"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028452; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Signal Chrome App"; ja3_hash; content:"07931ada5b9dd93ec706e772ee60782d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028453; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SkipFish (tested: v2.10b kali)"; ja3_hash; content:"cfb6d1c72d09d4eaa4c7d2c0b1ecbce7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028454; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (additional Win 10)"; ja3_hash; content:"7a75198d3e18354a6763860d331ff46a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028455; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (multiple platforms)"; ja3_hash; content:"06207a1730b5deeb207b0556e102ded2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028456; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_09_13;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (tested 7.18(341) on OSX)"; ja3_hash; content:"5ef08bc989a9fcc18d5011f07d953c14"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028457; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:13; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Skype"; ja3_hash; content:"49a341a21f4fd4ac63b027ff2b1a331f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028458; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:exploit-kit; sid:2015676; rev:3; metadata:created_at 2012_09_05, former_category EXPLOIT_KIT, updated_at 2012_09_05;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack Desktop App"; ja3_hash; content:"c8ada45922a3e7857e4bfd4fc13e8f64"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028459; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:pup-activity; sid:2013405; rev:3; metadata:created_at 2011_08_11, former_category ADWARE_PUP, updated_at 2011_08_11;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"3d72e4827837391cd5b6f5c6b2d5b1e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028460; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"a5aa6e939e4770e3b8ac38ce414fd0d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028461; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015679; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"cdd8179dc9c0e4802f557b62bae73d43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028462; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:exploit-kit; sid:2015682; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Slackbot Link Expander"; ja3_hash; content:"22cca8ed59288f4984724f0ee03484ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028463; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:exploit-kit; sid:2015683; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Spark"; ja3_hash; content:"116ffc8889873efad60457cd55eaf543"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028464; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SpiderOak (tested: 6.0.1)"; ja3_hash; content:"f51156bcd5033603e750c8bd4db254e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028465; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SpotlightNetHelper/Safari"; ja3_hash; content:"8db4b0f8e9dd8f2fff38ee7c5a1e4496"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028466; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3; metadata:created_at 2012_09_08, updated_at 2012_09_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 1"; ja3_hash; content:"24339ea346521d98a8c50fd3713090c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028469; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:command-and-control; sid:2014669; rev:4; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 2"; ja3_hash; content:"ad5d6f490f3819dc60b2a2fbe5bd1cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028470; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Opera/"; http_header; content:"Presto/"; http_header; fast_pattern; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:command-and-control; sid:2013154; rev:5; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2011_07_01;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 3"; ja3_hash; content:"1e9557c377f8ff50b80b7f87b60b1054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028471; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 4"; ja3_hash; content:"c3c59ec21835721c92571e7742fadb88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028472; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:4; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Steam OSX"; ja3_hash; content:"39cf5b7a13a764494de562add874f016"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028473; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:pup-activity; sid:2008157; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Synology DDNS Beacon"; ja3_hash; content:"cab4a6a0c7ac91c2bd9e93cb0507ad4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028474; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category JA3, signature_severity Major, tag c2, updated_at 2019_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"2d3854d1cbcdceece83eabd85bdcc056"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028475; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"a585c632a2b49be1256881fb0c16c864"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028476; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100677; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"cd7c06b9459c9cfd4af2dba5696ea930"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028477; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:2100678; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tenable Passive Vulnerability Scanner Plugin Updater"; ja3_hash; content:"24993abb75ddda7eaf0709395e47ab4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028478; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - TextSecure Name Lookup (Tested: Android)"; ja3_hash; content:"97d3b9036d5a4d7f1fe33fe730f38231"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028479; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v17.0 OS X)"; ja3_hash; content:"207409c2b30e670ca50e1eac016a4831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028480; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100683; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v38.0.1 OS X), Thunderbird 38.7.0 (openSUSE Leap 42.1)"; ja3_hash; content:"4623da8b4586a8a4b86e31d689aa0c15"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028481; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:2100684; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (tested: 5.0.1f - May clash with FF38)"; ja3_hash; content:"0ed768d6e3bc66af60d31315afd423f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028482; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:2100685; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (v4.5.3 OS X - based on FF 31.8.0)"; ja3_hash; content:"8c9a7fe81ba61dab1454e08f42f0a004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028483; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6)"; ja3_hash; content:"5b3eee2766b876e623ba05508d269830"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028484; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6), Tor Uplink (via Tails distro)"; ja3_hash; content:"79f0842a32b359d1b683c569bd07f23b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028485; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - tor uplink (tested 0.2.2.35)"; ja3_hash; content:"3b8f3ace50a7c7cd5205af210f17bb70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028486; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tor uplink (tested: 0.2.6.10)"; ja3_hash; content:"659007d8bae74d1053f6ca4a329d25a7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028487; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:2100692; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Tracking something (noted with Dropbox Installer & Skype - Win 10)"; ja3_hash; content:"bc329d2a71e749067424502f1f72e13a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028488; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:2100693; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"2a458dd9c65afbcf591cd8c2a194b804"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028489; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:2100694; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"aea96546ac042f29fed1e2203a9b4c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028490; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - True Key"; ja3_hash; content:"df65746370dcabc9b4f370c6e14a8156"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028491; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Twitterbot/1.0"; ja3_hash; content:"edcf2fd479271286879efebd22bc8d16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028492; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"633e9558d4b25b46e8b1c49e10faaff4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028493; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"b9b4d1f7283b5ddc59d0b8d15e386106"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028494; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #1"; ja3_hash; content:"ac206b75530d569a0a64cec378eb4b66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028495; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #2"; ja3_hash; content:"94feb9008aeb393e76bac31b30af6ad0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028496; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #3"; ja3_hash; content:"f1b7bbeb8b79cecd728c72bba350d173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028497; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #4"; ja3_hash; content:"3f00755c412442e642f5572ed4f2eaf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028498; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"0e580f864235348848418123f96bbaa0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028499; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"9a1c3fed39b016b8d81cc77dae70f60f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028500; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"dc76bc3a4e3bc38939dfd90d8b7214b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028501; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unidentified attack tool"; ja3_hash; content:"90f6c4b0577fb24a31bea0acc1fcc27d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028502; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown BrowserStack timeframe SMTP STARTLS"; ja3_hash; content:"7bc3475b771c44c764614397da069d28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028503; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP server (207.46.100.103)"; ja3_hash; content:"23a9b0eb3584e358816a123c208a2c8b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028504; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:6; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP Server (used by Facebook)"; ja3_hash; content:"26cdef14ec70c2d6ebd943fe8069c4da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028505; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown Something on Android that talks to Google Analytics"; ja3_hash; content:"335ec05b3ddb3800a8df47641c2d8e33"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028506; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown TLS Scanner"; ja3_hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028507; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - UNVERIFIED: May be BlueCoat proxy"; ja3_hash; content:"f6bae8bacf93b5e97e80b594ffeba859"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028508; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - urlgrabber/3.10 yum/3.4.3"; ja3_hash; content:"37f691b063c10372135db21579643bf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028509; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many desktop apps,Quip,Spotify,GitHub Desktop"; ja3_hash; content:"84071ea96fc8a60c55fc8a405e214c0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028510; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028511; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"618ee2509ef52bf0b8216e1564eea909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028512; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"799135475da362592a4be9199d258726"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028513; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7b530a25af9016a9d12de5abc54d9e74"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028514; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c05de18b01a054f2f6900ffe96b3da7a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028515; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"e4d448cdfe06dc1243c1eb026c74ac9a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028516; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"f1c5cf087b959cec31bd6285407f689a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028517; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Python/PHP/Git/dotnet/Adobe"; ja3_hash; content:"488b6b601cb141b062d4da7f524b4b22"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028518; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Aura/Spotify/Chatty"; ja3_hash; content:"f28d34ce9e732f644de2350027d74c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028519; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Spotify/Dropbox/GitHub Desktop/etc"; ja3_hash; content:"190dfb280fe3b541acc6a2e5f00690e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028520; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Slack/Postman/Spotify/Google Chrome"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028521; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #1"; ja3_hash; content:"2d96ffb535c7c7a30cad924b9b9f2b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028522; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #2"; ja3_hash; content:"ab1fa6468096ab057291aa381d5de2b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028523; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Viber"; ja3_hash; content:"e0224fc1c33658f2d3d963bfb0a76a85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028524; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VirtualBox Update Poll (tested 5.0.8 r103449)"; ja3_hash; content:"41e3681b7c8c915e33b1f80d275c19d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028525; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VLC"; ja3_hash; content:"81fb3e51bf3f18c5755146c28d07431b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028526; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Fusion / Workstation / Player Update Check 8.x-12.x"; ja3_hash; content:"cff90930827e8b0f4e5a6fcc17319954"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028527; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Update Check 6.x"; ja3_hash; content:"a50a861119aceb0ccc74902e8fddb618"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028528; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - VMware vSphere Client (Tested v4.1.0)"; ja3_hash; content:"48e69b57de145720885af2894f2ab9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028529; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - vpnkit"; ja3_hash; content:"01319090aea981dde6fc8d6ae71ead54"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028530; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 1)"; ja3_hash; content:"10a686de1c41107df06c21df245e24cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028531; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 2)"; ja3_hash; content:"f13e6d84b915e17f76fdf4ea8c959b4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028532; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 3)"; ja3_hash; content:"345b5717dae9006a8bcd4cb1a5f09891"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028533; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator"; ja3_hash; content:"74ebac04b642a0cab032dd46e8099fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028534; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator, java,eclipse"; ja3_hash; content:"4056657a50a8a4e5cfac40ba48becfa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028535; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m (tested: 0.5.3 OS X)"; ja3_hash; content:"975ef0826e8485f2335db71873cb34c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028536; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 (OS X version)"; ja3_hash; content:"6b4b535249a1dcd95e3b4b6e9e572e5e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028537; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)"; ja3_hash; content:"575771dbc723df24b764ac0303c19d10"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028538; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Web"; ja3_hash; content:"0172e9e41a8940e6a809967e4835214a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028539; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"58d97971a14d0520c5c56caa75470948"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028540; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"9ef7a86952e78eeb83590ff4d82a5538"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028541; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - WeeChat"; ja3_hash; content:"8e1172bd5dcc4698928c7eb454a2c3de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028542; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - wget (tested GNU Wget 1.16.1 & 1.17 on OS X)"; ja3_hash; content:"5f1d4c631ddedf942033c9ae919158b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028543; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - wget 1.14 (openSUSE Leap 42.1)"; ja3_hash; content:"70663c6da28b3b9ac281d7b31d6b97c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028544; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Wii-U"; ja3_hash; content:"444434ebe3f52b8453c3803bff077ebd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028545; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Win default thing a la webkit"; ja3_hash; content:"c8d1364bba308db5a4a20c65c58ffde1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028546; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Win10 Mail Client"; ja3_hash; content:"123b8f4705d525caffa3f2b36447f481"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028547; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 Native Connection"; ja3_hash; content:"aee020803d10a4d39072817184c8eedc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028548; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #1"; ja3_hash; content:"205200cdaac61b110838556b834070d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028549; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #2"; ja3_hash; content:"5a0fa8873e5ffe7d9385647adc8912d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028550; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Apps Store thing (unconfirmed)"; ja3_hash; content:"a7b2f0639f58f97aec151e015be1f684"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028551; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Builtin Mail Client"; ja3_hash; content:"0d15924fe8f8950a3ec3a916e97c8498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028552; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x TLS Socket"; ja3_hash; content:"a8ee937cf82bb0972fecc23d63c9cd82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028553; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Windows Watson WCEI Telemetry Gather"; ja3_hash; content:"2c14bfb3f8a2067fbc88d8345e9f97f3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028554; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - wineserver"; ja3_hash; content:"84607748f3887541dd60fe974a042c71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028555; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"1202a58b454f54a47d2c216567ebd4fb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028557; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"de364c46b0dfc283b5e38c79ceae3f8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028558; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Yandex Bot, wget 1.18"; ja3_hash; content:"d83881675de3f6aacbcc0b2bae6f8923"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028559; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - youtube-dl 2016.06.03 (openSUSE Leap 42.1)"; ja3_hash; content:"11404429d240670cc018bed04e918b6f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028560; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 1 - May collide with Chrome"; ja3_hash; content:"f8f5b71e02603b283e55b50d17ede861"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028561; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 2 - May collide with Chome"; ja3_hash; content:"5ae88f37a16f1b054f2edff1c8730471"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028562; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls any any -> any any (msg:"ET DELETED Hash - ZwiftApp"; ja3_hash; content:"c2b4710c6888a5d47befe865c8e6fb19"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028563; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dyre Downloading Mailer"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36|0d 0a|Host|3a|"; depth:132; http_header; fast_pattern:50,20; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RH"; pcre:"/\.tar$/U"; classtype:trojan-activity; sid:2020308; rev:4; metadata:created_at 2015_01_26, former_category MALWARE, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:3; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2019_10_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Onkod.Downloader Executable Download"; flow:established,to_server; content:"/js/"; http_uri; content:".exe"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|22.0) Gecko/20100101 Firefox/22.0|0D 0A|"; http_header; pcre:"/\x2Fjs\x2F[\r\n]*\x2Eexe$/U"; reference:url,blog.fortinet.com/Avoiding-Heuristic-Detection/; classtype:trojan-activity; sid:2017617; rev:4; metadata:created_at 2013_10_18, former_category MALWARE, updated_at 2019_10_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - NuclearEK/Malspam"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028384; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Unk/LNKR CnC Domain Observed in DNS Query"; dns_query; content:"cdn-javascript.net"; nocase; isdataat:!1,relative; classtype:domain-c2; sid:2028923; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_11_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $HOME_NET 7 (msg:"ET DELETED Ryuk Wake-on-LAN Packet Observed"; dsize:<200; content:"|ff ff ff ff ff ff|"; startswith; fast_pattern; pcre:"/^(?P<mac_addr>[\x00-\xff]{6})(?P=mac_addr){2,}$/R"; reference:url,www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/; classtype:command-and-control; sid:2028943; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_05, deployment Internal, former_category MALWARE, malware_family Ransomware, malware_family Ryuk, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:md5,0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:5; metadata:created_at 2011_03_28, updated_at 2019_11_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls_cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029003; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_19, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2019_12_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029214; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_01_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029592; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029593; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029600; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029601; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"username="; nocase; depth:9; http_client_body; fast_pattern; content:"&pass"; nocase; http_client_body; distance:0; content:!"__utma="; classtype:credential-theft; sid:2031580; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; http.uri; content:"/push/androidxml/"; nocase; content:"sim="; nocase; content:"tel="; nocase; content:"imsi="; content:"pid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_03_10, signature_severity Critical, updated_at 2020_04_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"T8hlGOo9"; fast_pattern; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:"AAAAAAAA"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030007; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Online%20Scheduling%20System/"; http.request_body; content:"username=0&password=0&lgn=Login"; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030107; rev:1; metadata:attack_target Server, created_at 2020_05_05, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030167; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_05_14, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030175; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_05_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cushion Redirection"; flow:established,to_server; http.uri; content:"/index.php?"; content:"="; distance:1; within:1; content:!"=aHR0"; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:7; metadata:created_at 2013_10_02, updated_at 2020_06_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - Banking Phish"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028362; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2020_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - Banking Phish"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2030399; rev:3; metadata:created_at 2019_09_10, former_category JA3, updated_at 2020_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET"; nocase; depth:4; content:!".newsinc.com"; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus GET Request to CnC"; flow:established,to_server; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:command-and-control; sid:2011817; rev:4; metadata:created_at 2010_10_14, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; http_uri; nocase; classtype:web-application-activity; sid:2101371; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/png/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; classtype:web-application-attack; sid:2008315; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Beizhu/Womble/Vipdataend Checking in with Controller"; flow:established,to_server; dsize:<70; content:"|3a|Windows"; depth:11; offset:2; content:"|7c|212("; within:15; reference:url,doc.emergingthreats.net/2008334; classtype:trojan-activity; sid:2008334; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"18,0,0,366|0d 0a|"; within:12; http_header; content:!"22,0,0,209|0d 0a|"; within:12; http_header; content:"Macintosh"; http_user_agent; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:61; metadata:created_at 2012_05_09, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Pitbull IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20|"; pcre:"/PRIVMSG.*@(portscan|nmap|back|udpflood|tcpflood|httpflood|linuxhelp|rfi|system|milw0rm|logcleaner|sendmail|join|part|help)/i"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007625; classtype:trojan-activity; sid:2007625; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern; content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spyaxe Spyware User-Agent (spyaxe)"; flow:to_server,established; content:" spyaxe "; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2002807; classtype:trojan-activity; sid:2002807; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only; classtype:trojan-activity; sid:2013326; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02 02|"; distance:1; within:2; byte_test:2,<,0x06,0,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014432; rev:10; metadata:created_at 2012_03_24, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server; content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014445; rev:6; metadata:created_at 2012_03_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015456; rev:3; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015442; rev:3; metadata:created_at 2012_07_12, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server; content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:20; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_user_agent; content:"MSIE"; http_user_agent; classtype:trojan-activity; sid:2016074; rev:5; metadata:created_at 2012_12_21, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"HTTP/1.1"; content:!"BDNC"; http_user_agent; depth:4; content:"a="; depth:2; http_client_body; fast_pattern; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; content:"a="; http_client_body; depth:2; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED My Search Bar Install"; flow: to_server,established; content:"/mysetup.exe"; nocase; http_uri; fast_pattern:only; reference:url,www.2-spyware.com/parasite-my-search-bar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; classtype:trojan-activity; sid:2001040; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; fast_pattern; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:11; metadata:created_at 2010_07_30, updated_at 2021_08_27;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:4; metadata:created_at 2014_07_17, updated_at 2021_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Probing or Announcing UDP";  reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; classtype:trojan-activity; sid:2000900; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate"; classtype:trojan-activity; sid:2011919; rev:5; metadata:created_at 2010_11_10, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"Setup_"; fast_pattern; nocase; http_uri; content:".exe"; distance:0; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010901; classtype:trojan-activity; sid:2010901; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED PHP Remote File Inclusion (monster list http)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"http"; nocase; http_uri; pcre:"/\.php.+?(?:c(?:(?:onfi|f)g|alendar)|p(?:a(?:ge|th)|rog)|l(?:ang(uage)?|ib)|f(?:older|ile|ad)|d(?:omain|ir|f)|s(?:ettings|bp)|a(?:genda|uth)|i(?:con|ncl|d)|n(?:ame|ews)|r(?:oot|f)|gallery|type|ext|mod|[a-z](\[.*\])+?)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; reference:url,doc.emergingthreats.net/2002997; classtype:web-application-attack; sid:2002997; rev:13; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established; content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:9; metadata:created_at 2012_05_11, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:command-and-control; sid:2016473; rev:4; metadata:created_at 2013_02_22, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015501; rev:7; metadata:created_at 2012_07_21, updated_at 2020_08_20;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/NixScare Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"zipx=UEs"; startswith; fast_pattern; reference:md5,b04981c338165b27fc2e1e19c9713379; classtype:command-and-control; sid:2030845; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_07, deployment Perimeter, former_category MALWARE, malware_family NixScare, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Battle.net Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?"; http.request_body; content:"accountName="; depth:12; fast_pattern; content:"&password="; distance:0; content:"&persistLogin="; distance:0; content:"&csrftoken="; distance:0; classtype:credential-theft; sid:2031742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Phishing Landing via Tripod.com M3 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"mail"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032215; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_31, signature_severity Major, updated_at 2021_03_15;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish M1 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032269; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_31, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Cobalt Strike Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"ESF"; bsize:3; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032974; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_20;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:10; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Microsoft Windows NT 6.1 User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| "; nocase; http_header; content:"|3b 20|Windows NT 6.1|3b 20|"; http_header; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.microsoft.com/windows/windows-7/default.aspx; reference:url,doc.emergingthreats.net/2010228; classtype:policy-violation; sid:2010228; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Internet Antivirus Pro)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Internet Antivirus Pro|0d 0a|"; reference:url,doc.emergingthreats.net/2009440; classtype:trojan-activity; sid:2009440; rev:7; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (ClickAdsByIE)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ClickAdsByIE"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009456; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; fast_pattern; http_header; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:14; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:5; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Notes1.pdf"; http_uri; classtype:policy-violation; sid:2011325; rev:4; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:exploit-kit; sid:2011479; rev:5; metadata:created_at 2010_09_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious HTTP GET to JPG with query string"; flow:established,to_server; content:"GET"; nocase; http_method; content:".jpg?"; nocase; http_uri; classtype:trojan-activity; sid:2011873; rev:5; metadata:created_at 2010_10_29, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:5; metadata:created_at 2011_05_18, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013962; rev:15; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"replace|28 2F|"; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:exploit-kit; sid:2014098; rev:5; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:exploit-kit; sid:2014171; rev:6; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"<applet"; depth:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014176; rev:4; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:exploit-kit; sid:2014177; rev:6; metadata:created_at 2012_02_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:exploit-kit; sid:2014220; rev:8; metadata:created_at 2012_02_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:exploit-kit; sid:2014527; rev:5; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014844; rev:4; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:exploit-kit; sid:2014845; rev:4; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015006; rev:7; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015007; rev:10; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015009; rev:4; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015558; rev:5; metadata:created_at 2012_08_02, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:exploit-kit; sid:2015677; rev:6; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2015681; rev:4; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015696; rev:5; metadata:created_at 2012_09_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:exploit-kit; sid:2015699; rev:4; metadata:created_at 2012_09_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015705; rev:5; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015706; rev:5; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; http_header; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; file_data; content:"%PDF-"; within:5; classtype:exploit-kit; sid:2015725; rev:9; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; classtype:exploit-kit; sid:2015731; rev:4; metadata:created_at 2012_09_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:exploit-kit; sid:2015815; rev:5; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:exploit-kit; sid:2015816; rev:5; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:exploit-kit; sid:2016057; rev:9; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:exploit-kit; sid:2016058; rev:12; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:exploit-kit; sid:2016059; rev:15; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:exploit-kit; sid:2016060; rev:20; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:exploit-kit; sid:2016066; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:exploit-kit; sid:2016278; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:exploit-kit; sid:2016280; rev:8; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016402; rev:5; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016554; rev:8; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016555; rev:8; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016557; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017841; rev:5; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:exploit-kit; sid:2017998; rev:9; metadata:created_at 2014_01_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"DebuggerPresent"; nocase; distance:0; pcre:"/(Is|CheckRemote)DebuggerPresent/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012763; rev:10; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"NtQueryInformationProcess"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012764; rev:6; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetStartupInfo"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetStartupInfo"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012765; rev:8; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT GetComputerName"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"GetComputerName"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012766; rev:6; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSetSystemInformation"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012769; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ZwSystemDebugControl"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012770; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"SetSfcFileException"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012771; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012772; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtQueueApcThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012773; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NoExecuteAddFileOptOutList"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012774; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"ModifyExecuteProtectionSupport"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012775; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"LdrLoadDll"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012776; rev:3; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NamedPipe"; nocase; fast_pattern:only; pcre:"/(Create|Connect|Peek)NamedPipe/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012778; rev:4; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Suspicious IAT FTP File Interaction"; flow:established,to_client; content:"ftp"; nocase; content:"file"; nocase; within:8; pcre:"/ftp(open|get)file/i"; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012779; rev:5; metadata:created_at 2011_05_03, former_category HUNTING, updated_at 2021_06_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015549; rev:6; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:exploit-kit; sid:2015891; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015892; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015893; rev:6; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015915; rev:5; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015916; rev:5; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:exploit-kit; sid:2016064; rev:6; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:exploit-kit; sid:2016221; rev:6; metadata:created_at 2013_01_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016320; rev:7; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016406; rev:4; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:exploit-kit; sid:2016408; rev:15; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016495; rev:9; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016506; rev:7; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:exploit-kit; sid:2016547; rev:11; metadata:created_at 2013_03_07, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:exploit-kit; sid:2016782; rev:16; metadata:created_at 2013_04_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:exploit-kit; sid:2017396; rev:7; metadata:created_at 2013_08_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login"; fast_pattern; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:social-engineering; sid:2021760; rev:4; metadata:created_at 2015_09_11, former_category PHISHING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2012401; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:exploit-kit; sid:2013313; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013363; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013652; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013664; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013665; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013666; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013667; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013788; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013960; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"<applet"; nocase; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013961; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:exploit-kit; sid:2013990; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:exploit-kit; sid:2014048; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014189; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:exploit-kit; sid:2014194; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014457; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2014725; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014843; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:exploit-kit; sid:2014981; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:exploit-kit; sid:2015043; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:exploit-kit; sid:2015044; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:exploit-kit; sid:2015046; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:exploit-kit; sid:2015047; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:exploit-kit; sid:2015056; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:exploit-kit; sid:2015579; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:exploit-kit; sid:2015648; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2015670; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:exploit-kit; sid:2016024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:exploit-kit; sid:2016025; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:exploit-kit; sid:2016166; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:exploit-kit; sid:2016213; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:exploit-kit; sid:2016524; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:exploit-kit; sid:2016525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:2100673; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:exploit-kit; sid:2016526; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:exploit-kit; sid:2017340; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:exploit-kit; sid:2017341; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3)"; flow:established,to_server; content:"User-Agent|3a| DigitAl56K/"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008659; classtype:trojan-activity; sid:2008659; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:exploit-kit; sid:2011369; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:exploit-kit; sid:2017976; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:credential-theft; sid:2020224; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:exploit-kit; sid:2016522; rev:4; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:exploit-kit; sid:2010870; rev:8; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (ld)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"DownloadNetFile"; depth:15; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Windows+NT"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent WebUpdate"; flow:established,to_server; http.user_agent; content:"WebUpdate"; bsize:9; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:6; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> any any (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; http.user_agent; content:"asp2009"; depth:7; endswith; reference:md5,6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit malware payload download"; flow:established,to_server; http.uri; content:".php?deserialize="; reference:url,doc.emergingthreats.net/2011183; classtype:exploit-kit; sid:2011183; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".avi"; classtype:exploit-kit; sid:2011513; rev:7; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; http.uri; content:"tmp/flash.swf"; classtype:exploit-kit; sid:2011514; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL MALWARE BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:6; metadata:created_at 2010_09_23, former_category TROJAN, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; http.uri; content:"collab.pdf"; classtype:exploit-kit; sid:2011515; rev:7; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NewGames.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/NewGames.jar"; http_uri;  classtype:policy-violation; sid:2011326; rev:5; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; http.uri; content:".php?exp=SMB"; classtype:exploit-kit; sid:2011814; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; http.uri; content:".php?exp=PDF"; classtype:exploit-kit; sid:2011815; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/index.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/index.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011905; rev:5; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401"; http_stat_code; threshold:type both, track by_dst, count 30, seconds 60; reference:url,doc.emergingthreats.net/2009346; classtype:attempted-recon; sid:2009346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/l.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/l.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011907; rev:5; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; flow:from_server,established; file_data; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; classtype:successful-recon-limited; sid:2009675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/exe.php?x=mdac"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"exe.php?x=mdac"; nocase; classtype:exploit-kit; sid:2011908; rev:5; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; http.header; content:".cu.cc|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2013242; rev:5; metadata:created_at 2011_07_09, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; http.header.raw; content:"|0d 0a|Cookie|3a|"; content:"%3D|3b 20|cc2="; distance:0; content:"%3D|3b 20|cc3="; content:"%3D|3b 20|cc4="; content:"|20|Java/"; classtype:exploit-kit; sid:2013695; rev:6; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; http.uri; content:"/Google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013895; rev:6; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; http.uri; content:"google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013896; rev:6; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard"; flow:established,to_server; content:" CFNetwork/"; http_user_agent; content:" Darwin/"; http_user_agent; content:"UDID"; nocase; http_client_body; pcre:"/[0-9a-f]{40}[^0-9a-f]/P"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013289; rev:6; metadata:created_at 2011_07_19, former_category POLICY, updated_at 2017_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; http.uri; content:"/FaceBook_Complemento.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013897; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"PCDoc"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:pup-activity; sid:2007786; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; http.uri; content:"/YouTube_Setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013898; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"mypcdoc"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:pup-activity; sid:2007804; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; http.uri; content:"/google2.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013899; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"gh20"; http_user_agent; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:pup-activity; sid:2007944; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; urilen:37; http.uri; content:"/"; offset:2; depth:3; content:"/"; within:3; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/"; classtype:exploit-kit; sid:2014026; rev:3; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"boitho.com"; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; classtype:trojan-activity; sid:2003653; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code="; pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014415; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"Windows 98"; http_user_agent; content:"GtekClient"; fast_pattern; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern; classtype:exploit-kit; sid:2015548; rev:9; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"eurobarre "; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U"; classtype:exploit-kit; sid:2016279; rev:8; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:2; metadata:created_at 2012_09_18, updated_at 2012_09_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; http.uri; content:".pdf"; nocase; fast_pattern; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/"; classtype:exploit-kit; sid:2016405; rev:10; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; http.uri; content:"/jot.class"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016556; rev:8; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; http.uri; content:"/get"; fast_pattern; content:".jpg"; pcre:"/\/(?:w(?:hite|orld)|step)\/get(?:a+|n+)\.jpg/"; classtype:exploit-kit; sid:2016559; rev:18; metadata:created_at 2013_03_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017678; rev:5; metadata:created_at 2013_11_06, former_category HUNTING, updated_at 2021_06_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6; metadata:created_at 2012_09_18, former_category CURRENT_EVENTS, updated_at 2012_09_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; http_referer; content:!"http|3a 2f 2f|www.crdbbank.com"; nocase; isdataat:!1,relative; classtype:social-engineering; sid:2018045; rev:7; metadata:created_at 2014_01_30, former_category PHISHING, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"Mozilla/4.1"; http_user_agent; depth:11; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:command-and-control; sid:2015713; rev:3; metadata:created_at 2012_09_18, former_category MALWARE, updated_at 2012_09_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish 2015-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"onlineid="; depth:9; fast_pattern; content:"&passcode="; distance:0; content:"&fullname="; distance:0; content:"&address="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031761; rev:4; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2021_06_23;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Phishing Landing Uri 2015-11-25"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?usernms="; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/i"; classtype:social-engineering; sid:2022185; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Generic Phish (set) 2016-01-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031862; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:3; metadata:created_at 2011_12_31, updated_at 2011_12_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic PDF Online Phish (set) 2016-10-11"; flow:to_server,established; flowbits:set,ET.GenericPDFOnline.Phish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; endswith; classtype:credential-theft; sid:2032631; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2021_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious HTTP Request to .bit domain"; flow:to_server,established; http.host; content:".bit"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:6; metadata:created_at 2014_01_24, former_category HUNTING, updated_at 2021_06_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Baidu Spider Webcrawler User Agent - inbound"; flow:established,to_server; content:"baiduspider"; nocase; http_user_agent; classtype:not-suspicious; sid:2033002; rev:1; metadata:attack_target Web_Server, created_at 2021_05_19, former_category SCAN, signature_severity Informational, updated_at 2021_07_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hash - Suspected Meterpreter Reverse Shell (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"e35df3e00ca4ef31d42b34bebaa2f86e"; flowbits:isset,ET.meterpreter.ja3; classtype:command-and-control; sid:2028829; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2021_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; http_header; fast_pattern:only; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; depth:2; classtype:trojan-activity; sid:2014968; rev:8; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M1 (CVE-2020-0796)"; flow:established,to_server; content:"|41 8B 47 3C 4C 01 F8 8B 80 88 00 00 00 4C 01 F8 50|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030263; rev:3; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,doc.emergingthreats.net/2009305; reference:md5,1ca433d3f5538fda49c5defb59232f9d; classtype:trojan-activity; sid:2009305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M2 (CVE-2020-0796)"; flow:established,to_server; content:"|FF C9 8B 34 8B 4C 01 FE|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030264; rev:3; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017457; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:pup-activity; sid:2008757; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownload)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017458; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:exploit-kit; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017459; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; classtype:policy-violation; sid:2001682; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017460; rev:5; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3; metadata:created_at 2012_06_27, updated_at 2012_06_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SiameseKitten/Lyceum/Hexane MSIL/Shark Response - 1 Byte XOR Key"; flow:established,from_server; file.data; base64_decode:offset 0; base64_data; content:"|6e 4b 5e 4b|"; content:"|27 20|"; classtype:command-and-control; sid:2033761; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_08_22, deployment Perimeter, deprecation_reason Performance, former_category MALWARE, malware_family Shark, performance_impact Significant, signature_severity Major, updated_at 2021_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; classtype:attempted-recon; sid:2002667; rev:38; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible BlackByte Ransomware Encryption Key Inbound (fake .png)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:!"|89 50 4E 47 0D 0A 1A 0A|"; startswith; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; flowbits:isset,ET.httpget.png; classtype:command-and-control; sid:2034213; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackByte, signature_severity Major, tag Ransomware, updated_at 2021_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?s="; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:pup-activity; sid:2009880; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kimsuky Related FTP File Download"; flow:established,to_server; content:"RETR|20|/mongo/"; fast_pattern; pcre:"/[a-z]{8}.(:?tif|gif)/Ri";  classtype:trojan-activity; sid:2034513; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_18, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012767; rev:11; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"&newid="; content:"?pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034008; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015729; rev:2; metadata:created_at 2012_09_22, updated_at 2012_09_22;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"?path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034010; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"&path="; content:"?context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034011; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"?newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034007; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"usrfiles.com"; nocase; bsize:12; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034687; rev:2; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:command-and-control; sid:2006403; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"traderstruthrevealed.com"; nocase; bsize:24; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034682; rev:2; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_17;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:domain-c2; sid:2018736; rev:9; metadata:attack_target Client_and_Server, created_at 2014_06_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018600; rev:13; metadata:attack_target Client_and_Server, created_at 2014_06_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018693; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018694; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018695; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018697; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018698; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018699; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018700; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018701; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018702; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018704; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018705; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018706; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018707; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018708; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018711; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018712; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018714; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018715; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018716; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018717; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015733; rev:3; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2012_09_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018718; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015549; rev:5; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0:03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018720; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015558; rev:4; metadata:created_at 2012_08_02, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018721; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015696; rev:4; metadata:created_at 2012_09_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018722; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015705; rev:4; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018723; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015706; rev:4; metadata:created_at 2012_09_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018724; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; classtype:exploit-kit; sid:2015731; rev:3; metadata:created_at 2012_09_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018725; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018726; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018727; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> any any (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_user_agent; depth:34; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018728; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018729; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:exploit-kit; sid:2015742; rev:1; metadata:attack_target Client_Endpoint, created_at 2012_09_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018730; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; dsize:<16; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:command-and-control; sid:2013090; rev:10; metadata:created_at 2010_11_22, former_category MALWARE, updated_at 2010_11_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018731; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; fast_pattern; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:pup-activity; sid:2003202; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018732; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:!"|0a|"; within:300; isdataat:300; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018733; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:pup-activity; sid:2007602; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018734; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018746; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:command-and-control; sid:2007980; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018747; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018851; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018858; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018859; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:command-and-control; sid:2008130; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018860; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018861; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018862; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:command-and-control; sid:2009300; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018863; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:command-and-control; sid:2007610; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018864; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018865; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018866; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018910; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018911; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018915; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018916; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018937; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023529; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag dupe, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype|3b|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; tls.fingerprint:"4c:1c:1a:aa:58:80:31:74:58:79:8a:04:db:76:42:8e:ce:55:f1:40"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018703; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021428; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:3; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021521; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2014371; rev:6; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021562; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021613; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021614; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:exploit-kit; sid:2015046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021899; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021932; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021933; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021934; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022324; rev:4; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022480; rev:4; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_10, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014457; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022960; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_02, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018760; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018807; rev:6; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018913; rev:5; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8"; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:domain-c2; sid:2018917; rev:5; metadata:attack_target Client_and_Server, created_at 2014_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018940; rev:5; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED test CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".to.sv"; nocase; endswith; classtype:trojan-activity; sid:2035217; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; http.uri; content:"?&"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"User-Agent|3a 20|Update"; fast_pattern; classtype:trojan-activity; sid:2017281; rev:5; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2022_03_02;)
 
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; content:"layout"; http_uri; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; content:"/?777"; http_uri; classtype:bad-unknown; sid:2011421; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; metadata:created_at 2012_10_10, updated_at 2012_10_10;)
+#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pegasus Domain in DNS Lookup (alrai .com)"; dns.query; content:"alrai.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035780; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:3; metadata:created_at 2012_09_11, updated_at 2012_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Archie EK Payload Checkin GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log?log="; depth:9; http.host; content:!"gigwise.com"; endswith; content:!"cleanerapp.net"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019680; rev:7; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2022_04_22;)
 
-#alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:exploit-kit; sid:2015792; rev:2; metadata:created_at 2012_10_12, updated_at 2012_10_12;)
+#alert udp any any -> $DNS_SERVERS 53 (msg:"ET DELETED BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:4; metadata:affected_product BIND, attack_target Server, created_at 2016_10_04, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_29;)
 
-#alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_12, former_category CURRENT_EVENTS, updated_at 2012_10_12;)
+#alert http any any -> $HTTP_SERVERS any (msg:"ET DELETED Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; http.protocol; content:"|28 29 20 7b|"; startswith; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:7; metadata:created_at 2014_09_25, former_category WEB_SERVER, updated_at 2022_05_02;)
 
-#alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:command-and-control; sid:2015630; rev:5; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; content:"/exe2.php?wm_id=acc"; http_uri; classtype:trojan-activity; sid:2011916; rev:5; metadata:created_at 2010_11_10, updated_at 2022_05_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015509; rev:3; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:16; metadata:created_at 2014_04_22, former_category MALWARE, updated_at 2022_05_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET DELETED Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET DELETED PHP Code in User-Agent (Inbound) - Possible Command Injections"; flow:established,to_server; http.user_agent; content:"|3c 3f|php"; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50844; classtype:bad-unknown; sid:2036728; rev:2; metadata:attack_target Client_and_Server, created_at 2022_05_31, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Duplicate, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2022_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com|autoflash\.info)|update\.(?:dyndns\.info|hopto\.org)|app\.serveftp\.com)|flash(?:center\.info|rider\.org)|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015805; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st RAT Backdoor Checkin"; flow:established,to_server; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; content:"GET /?ocid="; offset:4; depth:11; reference:md5,1a5efd98ee8f8c69f2167ba91095835c; classtype:command-and-control; sid:2036862; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_04_21, deprecation_reason Moved_to_Open, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015806; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:22; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:exploit-kit; sid:2015859; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_11_02, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2022_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:exploit-kit; sid:2015887; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_11_14, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PHP-CGI query string parameter vulnerability"; flow:to_server,established; http.uri; content:"?"; content:"-"; fast_pattern; distance:0; pcre:"/(?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z]/i"; http.uri.raw; content:!"="; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:9; metadata:created_at 2012_05_04, former_category WEB_SPECIFIC_APPS, updated_at 2022_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GeckaSeka User-Agent"; flow:established,to_server; content:"GeckaSeka"; http_user_agent; classtype:trojan-activity; sid:2015824; rev:6; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:exploit-kit; sid:2016276; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2022_06_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"googlebot"; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; classtype:attempted-recon; sid:2002829; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2022_06_14;)
 
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:6; metadata:created_at 2013_06_12, former_category EXPLOIT, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TA457 Related Activity M4 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Cookie|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.content_type; content:"application/octet-stream"; bsize:24; http.cookie; pcre:"/^[A-Z]=[A-Za-z/+0-9=]{200,400}$/"; reference:md5,214011a0d57b1d8238532be4f6414f58; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2036759; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family TA457, performance_impact Moderate, signature_severity Major, updated_at 2022_06_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5; metadata:created_at 2012_01_28, updated_at 2012_01_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious Zipped Filename in Outbound POST Request (Steam_htmlcache.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK|03 04|"; distance:0; byte_test:1,<=,20,0,relative; content:"Steam_htmlcache.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2037092; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, deprecation_reason Duplicate, former_category HUNTING, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2022_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED Observed DNS Query to DarkCrystal Rat Domain (plexbd .net) (2022-06-27)"; dns.query; content:"plexbd.net"; nocase; bsize:10; reference:url,cert.gov.ua/article/405538; classtype:domain-c2; sid:2037131; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_06_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:exploit-kit; sid:2017563; rev:4; metadata:created_at 2013_10_08, former_category EXPLOIT_KIT, updated_at 2022_06_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_06_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:4; metadata:created_at 2013_11_26, former_category EXPLOIT, updated_at 2022_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:4; metadata:created_at 2013_11_26, former_category EXPLOIT, updated_at 2022_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:exploit-kit; sid:2015699; rev:3; metadata:created_at 2012_09_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:7; metadata:created_at 2013_06_12, former_category EXPLOIT, updated_at 2022_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_08_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_07_04;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:exploit-kit; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, tag Metasploit, updated_at 2022_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:exploit-kit; sid:2015841; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_04, deployment Perimeter, former_category HUNTING, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:exploit-kit; sid:2015840; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:4; metadata:created_at 2013_11_30, former_category EXPLOIT, updated_at 2022_07_08;)
 
-alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_25, updated_at 2012_10_25;)
+#alert dns any any -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:4; metadata:created_at 2012_12_28, updated_at 2022_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:exploit-kit; sid:2014036; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert dns any any -> $HOME_NET any (msg:"ET DELETED Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:2; metadata:created_at 2015_04_28, updated_at 2022_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CVE-2012-4792 EIP in URI M2"; flow:established,to_server; http.uri.raw; content:"/%E0%B4%8C%E1%82%AB"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:6; metadata:created_at 2013_01_08, former_category EXPLOIT, updated_at 2022_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; http.uri; content:"/vw.php?i="; fast_pattern; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:9; metadata:created_at 2013_06_12, former_category EXPLOIT, updated_at 2022_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013976; rev:10; metadata:created_at 2011_12_01, former_category MALWARE, updated_at 2011_12_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2012-1533 altjvm (jvm.dll) Requested Over WebDAV"; flow:established,to_server; http.uri; content:"/jvm.dll"; fast_pattern; endswith; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:8; metadata:created_at 2013_06_13, former_category EXPLOIT, updated_at 2022_07_14;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:exploit-kit; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server (greenter .ru)"; dns.query; content:"greenter.ru"; fast_pattern; nocase; bsize:11; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012202; rev:3; metadata:created_at 2011_01_18, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server (globdomain .ru)"; dns.query; content:"globdomain.ru"; fast_pattern; nocase; bsize:13; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012203; rev:3; metadata:created_at 2011_01_18, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:exploit-kit; sid:2015859; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_11_02, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED DNS Lookup of Twitter m28sx Worm"; dns.query; content:"gdfgdfgdgdfgdfg.in.ua"; fast_pattern; nocase; bsize:21; reference:url,isc.sans.edu/diary.html?storyid=10297; classtype:trojan-activity; sid:2012210; rev:3; metadata:created_at 2011_01_21, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2; metadata:created_at 2012_11_07, updated_at 2012_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain (fjgtmicxtlxynlpf .ru) Pseudo Random Domain"; dns.query; content:"fjgtmicxtlxynlpf.ru"; fast_pattern; nocase; bsize:19; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015258; rev:5; metadata:created_at 2012_07_12, updated_at 2022_07_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015868; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain (ppsvcvrcgkllplyn .ru) Pseudo Random Domain"; dns.query; content:"ppsvcvrcgkllplyn.ru"; fast_pattern; nocase; bsize:19; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015259; rev:5; metadata:created_at 2012_07_12, updated_at 2022_07_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015869; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain (ruhctasjmpqbyvhm .ru) Pseudo Random Domain"; dns.query; content:"ruhctasjmpqbyvhm.ru"; fast_pattern; nocase; bsize:19; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015260; rev:5; metadata:created_at 2012_07_12, updated_at 2022_07_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015870; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:exploit-kit; sid:2018091; rev:3; metadata:created_at 2014_02_07, former_category EXPLOIT_KIT, updated_at 2022_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4; metadata:created_at 2012_11_06, updated_at 2012_11_06;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Self-Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:exploit-kit; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015735; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
+#alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; classtype:bad-unknown; sid:2008446; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Alms backdoor checkin"; content:"/getnewv.php?keyword=google&id="; http_uri; nocase; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_user_agent; flow:to_server,established; classtype:command-and-control; sid:2012803; rev:5; metadata:created_at 2011_05_11, former_category MALWARE, updated_at 2011_05_11;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; classtype:bad-unknown; sid:2008475; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; classtype:bad-unknown; sid:2008447; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:exploit-kit; sid:2014220; rev:7; metadata:created_at 2012_02_11, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2101948; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_08, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10028; classtype:attempted-recon; sid:2101616; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3; metadata:created_at 2012_11_10, updated_at 2012_11_10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:2100252; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015881; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:nessus,10728; classtype:attempted-recon; sid:2100256; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015882; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103154; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:exploit-kit; sid:2015884; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
+#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Format error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x81/"; reference:url,doc.emergingthreats.net/2001116; classtype:not-suspicious; sid:2001116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:exploit-kit; sid:2015886; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
+#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Name Error"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x83/"; reference:url,doc.emergingthreats.net/2001117; classtype:not-suspicious; sid:2001117; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Not Implemented"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x84/"; reference:url,doc.emergingthreats.net/2001118; classtype:not-suspicious; sid:2001118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:command-and-control; sid:2014599; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2012_04_17;)
+#alert udp $DNS_SERVERS 53 -> any any (msg:"ET DNS Standard query response, Refused"; pcre:"/^..[\x81\x82\x83\x84\x85\x86\x87]\x85/"; reference:url,doc.emergingthreats.net/2001119; classtype:not-suspicious; sid:2001119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:4; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 50, seconds 10; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; classtype:bad-unknown; sid:2008470; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:exploit-kit; sid:2015890; rev:3; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2012_11_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:3; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:command-and-control; sid:2015921; rev:2; metadata:created_at 2012_11_21, former_category PHISHING, updated_at 2012_11_21;)
+alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for .co TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|co|00|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2027759; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2019_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:18; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2011911; rev:3; metadata:created_at 2010_11_09, former_category DNS, updated_at 2019_08_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_25, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016569; rev:4; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_24, updated_at 2012_11_24;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016571; rev:2; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"cv_v"; depth:4; http_user_agent; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016570; rev:3; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015930; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; classtype:policy-violation; sid:2013016; rev:5; metadata:created_at 2011_06_13, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015931; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; dns.query; content:".su"; nocase; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:4; metadata:created_at 2012_01_31, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.top domain - Likely Hostile"; threshold:type limit, track by_src, count 1, seconds 30; dns.query; content:".top"; nocase; endswith; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2015936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:exploit-kit; sid:2015943; rev:3; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; content:".cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:exploit-kit; sid:2015944; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; dns.query; content:"tun.vpnoverdns.com"; depth:18; fast_pattern; nocase; endswith; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:6; metadata:created_at 2014_05_02, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:exploit-kit; sid:2015945; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a .tk domain - Likely Hostile"; dns.query; content:".tk"; fast_pattern; nocase; endswith; content:!"www.google.tk"; classtype:bad-unknown; sid:2012811; rev:7; metadata:created_at 2011_05_15, former_category DNS, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:exploit-kit; sid:2015783; rev:5; metadata:created_at 2012_10_06, former_category EXPLOIT_KIT, updated_at 2017_09_08;)
+alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:13; metadata:created_at 2012_05_04, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:exploit-kit; sid:2015949; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_20, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx|0d 0a|"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:5; metadata:created_at 2013_02_15, former_category DNS, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:6; metadata:created_at 2013_02_16, former_category DNS, updated_at 2022_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:exploit-kit; sid:2015955; rev:2; metadata:created_at 2012_11_29, former_category CURRENT_EVENTS, updated_at 2012_11_29;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:6; metadata:created_at 2013_02_16, former_category DNS, updated_at 2022_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:exploit-kit; sid:2015956; rev:2; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2012_11_29;)
+#alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:7; metadata:created_at 2013_02_16, former_category DNS, updated_at 2022_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:3; metadata:created_at 2012_11_29, former_category INFO, updated_at 2012_11_29;)
+#alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:7; metadata:created_at 2013_02_16, former_category DNS, updated_at 2022_07_13;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:6; metadata:created_at 2013_02_16, former_category DNS, updated_at 2022_07_13;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:7; metadata:created_at 2013_02_16, former_category DNS, updated_at 2022_07_13;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:7; metadata:created_at 2013_03_19, former_category DNS, updated_at 2022_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:command-and-control; sid:2014460; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+alert dns any any -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:2; metadata:created_at 2014_06_04, former_category DNS, updated_at 2022_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:exploit-kit; sid:2015970; rev:11; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:13; metadata:created_at 2012_05_04, former_category DNS, performance_impact Significant, updated_at 2022_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:exploit-kit; sid:2015971; rev:9; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:13; metadata:created_at 2012_05_04, former_category DNS, performance_impact Significant, updated_at 2022_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2015979; rev:1; metadata:created_at 2012_12_04, former_category EXPLOIT_KIT, updated_at 2012_12_04;)
+#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; classtype:attempted-dos; sid:2010817; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:social-engineering; sid:2015983; rev:2; metadata:created_at 2012_12_05, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000011; classtype:attempted-dos; sid:2000011; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|3a|"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2001795; classtype:denial-of-service; sid:2001795; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:exploit-kit; sid:2015988; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"geometrycollectionfromwkb"; distance:0; nocase; pcre:"/SELECT.+geometrycollectionfromwkb/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010491; classtype:attempted-dos; sid:2010491; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:exploit-kit; sid:2015989; rev:2; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2012_12_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt"; flow:to_server,established; content:"SELECT"; nocase; content:"WHERE"; distance:0; nocase; content:"SELECT"; nocase; content:"INTO"; distance:0; nocase; content:"|60|"; within:50; content:"|60|"; pcre:"/SELECT.+WHERE.+SELECT.+\x60/si"; reference:url,www.securityfocus.com/bid/37297/info; reference:url,marc.info/?l=oss-security&m=125881733826437&w=2; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt; reference:cve,2009-4019; reference:url,doc.emergingthreats.net/2010492; classtype:attempted-dos; sid:2010492; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt"; flow:established,to_server; content:"ALTER "; nocase; content:"DATABASE"; nocase; within:12; content:"|22|."; distance:0; content:"UPGRADE "; nocase; distance:0; content:"DATA"; nocase; within:8; pcre:"/ALTER.+DATABASE.+\x22\x2E(\x22|\x2E\x22|\x2E\x2E\x2F\x22).+UPGRADE.+DATA/si"; reference:url,securitytracker.com/alerts/2010/Jun/1024160.html; reference:url,dev.mysql.com/doc/refman/5.1/en/alter-database.html; reference:cve,2010-2008; reference:url,doc.emergingthreats.net/2011761; classtype:attempted-dos; sid:2011761; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+#alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010486; classtype:attempted-dos; sid:2010486; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010487; classtype:attempted-dos; sid:2010487; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt"; content:"|00 01 01|"; depth:3; content:"NETASCII"; reference:url,www.exploit-db.com/exploits/12683/; reference:url,doc.emergingthreats.net/2011673; classtype:attempted-dos; sid:2011673; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt"; content:"|00 02|"; depth:2; isdataat:1000,relative; content:!"|0A|"; within:1000; content:"NETASCII"; distance:1000; reference:url,www.exploit-db.com/exploits/13836/; reference:url,doc.emergingthreats.net/2011674; classtype:attempted-dos; sid:2011674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5900 (msg:"ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt"; flow:established,to_server; content:"|06|"; depth:1; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html; reference:url,doc.emergingthreats.net/2011732; classtype:attempted-dos; sid:2011732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 6014 (msg:"ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt"; flow:established,to_server; content:"|00 05 03 31 41|"; reference:url,www.securityfocus.com/bid/38018; reference:url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html; reference:url,doc.emergingthreats.net/2010755; classtype:attempted-dos; sid:2010755; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:2; metadata:created_at 2012_12_08, updated_at 2012_12_08;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000010; classtype:attempted-dos; sid:2000010; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:exploit-kit; sid:2016001; rev:5; metadata:created_at 2012_12_08, former_category CURRENT_EVENTS, updated_at 2012_12_08;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6; byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,doc.emergingthreats.net/bin/view/Main/2001882; classtype:denial-of-service; sid:2001882; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flow: established,to_server; content:"|10 00 00 10 cc|"; depth:5; reference:bugtraq,11265; reference:url,doc.emergingthreats.net/bin/view/Main/2001366; classtype:attempted-dos; sid:2001366; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; within:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; within:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; reference:url,doc.emergingthreats.net/bin/view/Main/2003236; classtype:attempted-dos; sid:2003236; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_13, former_category CURRENT_EVENTS, updated_at 2012_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 9495 (msg:"ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt"; flow:established,to_server; content:"POST"; http_method; isdataat:261; content:!"|0A|"; depth:261; reference:url,zerodayinitiative.com/advisories/ZDI-11-169/; classtype:denial-of-service; sid:2012938; rev:2; metadata:created_at 2011_06_07, former_category DOS, updated_at 2011_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco Router HTTP DoS"; flow:to_server,established; content:"/%%"; http_uri; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000006; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_14, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Netgear DG632 Web Management Denial Of Service Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/firmwarecfg"; http_uri; nocase; reference:url,securitytracker.com/alerts/2009/Jun/1022403.html; reference:cve,2009-2256; reference:url,doc.emergingthreats.net/2010554; classtype:attempted-dos; sid:2010554; rev:4; metadata:created_at 2010_07_30, former_category DOS, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt"; flags:R; flow:to_server; flowbits:isset,ms.rdp.synack; flowbits:isnotset,ms.rdp.established; flowbits:unset,ms.rdp.synack; reference:cve,2012-0152; classtype:attempted-dos; sid:2014384; rev:8; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/screens/frameset.html"; fast_pattern; http_uri; nocase; content:"Authorization|3A 20|Basic"; nocase; content:!"|0a|"; distance:2; within:118; isdataat:120,relative; pcre:"/^Authorization\x3A Basic.{120}/Hmi"; reference:url,www.securityfocus.com/bid/35805; reference:url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml; reference:cve,2009-1164; reference:url,doc.emergingthreats.net/2010674; classtype:attempted-dos; sid:2010674; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016047; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1; metadata:created_at 2012_05_02, former_category DOS, updated_at 2012_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016049; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;)
 
-#alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:exploit-kit; sid:2016053; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:exploit-kit; sid:2016056; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; distance:0; http_client_body; content:"&name="; distance:0; http_client_body; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:5; metadata:created_at 2012_12_18, former_category MALWARE, updated_at 2012_12_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:exploit-kit; sid:2016054; rev:3; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:5; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:command-and-control; sid:2016062; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016071; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016072; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_user_agent; content:"MSIE"; http_user_agent;  classtype:trojan-activity; sid:2016074; rev:4; metadata:created_at 2012_12_21, updated_at 2020_08_20;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:exploit-kit; sid:2016106; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_03, updated_at 2014_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:command-and-control; sid:2016124; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:command-and-control; sid:2016126; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:command-and-control; sid:2016127; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:exploit-kit; sid:2016128; rev:2; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
+#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
+alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_05, updated_at 2013_01_05;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:exploit-kit; sid:2016169; rev:3; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:4; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:exploit-kit; sid:2016174; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:2; metadata:created_at 2013_01_09, former_category SNMP, updated_at 2017_08_24;)
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015977; rev:7; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
+alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:exploit-kit; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:exploit-kit; sid:2016191; rev:6; metadata:created_at 2013_01_12, former_category EXPLOIT_KIT, updated_at 2013_01_12;)
+alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:exploit-kit; sid:2016192; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_09_10;)
+alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2017_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2017_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:exploit-kit; sid:2016092; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016247; rev:6; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+alert udp any 11211 -> $EXTERNAL_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Response Outbound"; flowbits:isset,ET.memcached.ddos; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025402; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016255; rev:2; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2013_01_24;)
+alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Inbound"; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert tcp any any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set"; flow:to_server,established; flowbits:isset,ms.rdp.synack; flowbits:unset,ms.rdp.synack; flowbits:set,ms.rdp.established; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014386; rev:3; metadata:created_at 2012_03_15, former_category DOS, updated_at 2012_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; threshold: type both, track by_src, count 100, seconds 300; http.uri; content:"/?"; fast_pattern; depth:2; content:"="; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/"; http.header; content:"Keep|2d|Alive|3a|"; content:"Connection|3a| keep|2d|alive"; content:"Cache|2d|Control|3a|"; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/m"; content:"Accept|2d|Encoding|3a|"; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:3; metadata:created_at 2014_03_05, updated_at 2020_04_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"/?id="; fast_pattern; depth:5; content:"&msg="; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:6; metadata:created_at 2012_01_23, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.request_body; content:"13"; depth:2; content:"=MSG"; fast_pattern; distance:11; within:4; pcre:"/^13\d{11}/"; classtype:web-application-attack; sid:2016030; rev:5; metadata:created_at 2012_12_14, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"GET"; http.uri; content:"/?msg=MSG"; classtype:web-application-attack; sid:2016031; rev:4; metadata:created_at 2012_12_14, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|ru|3b 20|rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|ru|3b 20|rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; http.user_agent; content:"Opera/9.02 (Windows NT 5.1|3b 20|U|3b 20|ru)"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; http.user_agent; content:"Opera/9.02 (Windows NT 5.1|3b 20|U|3b 20|ru)"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:5; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; threshold:type both, track  by_src, count 5, seconds 90; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; classtype:attempted-dos; sid:2018277; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_03_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:exploit-kit; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; http.user_agent; content:"x00_-gawa.sa.pilipinas.2015"; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:3; metadata:created_at 2016_04_26, updated_at 2020_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:exploit-kit; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
+#alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET any -> any 11211 (msg:"ET DOS Possible Memcached DDoS Amplification Query (set)"; content:"|00 00 00 00 00 01 00|"; depth:7; fast_pattern; content:"|0d 0a|"; within:20; endswith; threshold: type both, count 100, seconds 60, track by_dst; flowbits:set,ET.memcached.ddos; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025401; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:exploit-kit; sid:2016307; rev:6; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2013_01_30;)
+alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test:  3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2022_05_03;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; threshold: type both, count 1, seconds 60, track by_src; http.user_agent; content:"Bittorrent"; depth:10; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:4; metadata:created_at 2015_03_18, updated_at 2020_10_14;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_src; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:5; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016315; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_01_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_dst; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:4; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; threshold: type both, track by_src, count 225, seconds 60; http.header.raw; content:"User-Agent|3a 20 20|"; fast_pattern; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:8; metadata:created_at 2012_01_28, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"CALLBACK|3a 20|"; fast_pattern; nocase; content:"<http"; distance:0; content:"><http"; distance:0; pcre:"/^Callback\x3a\x20<http[^>]+><http/mi"; reference:url,github.com/yunuscadirci/CallStranger; reference:cve,2020-12695; classtype:attempted-dos; sid:2030339; rev:2; metadata:affected_product UPnP, attack_target IoT, created_at 2020_06_15, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DOS Possible Microsoft Windows HTTP2 Reset Flood Denial of Service Inbound (CVE-2019-9514)"; flow:established,to_server; dsize:9; content:"|00 00 00 01 04 00 00 00|"; startswith; fast_pattern; threshold:type threshold, count 45, seconds 60, track by_src; reference:cve,2019-9514; classtype:denial-of-service; sid:2034093; rev:1; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9514, deployment Perimeter, deployment Internal, former_category DOS, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015858; rev:3; metadata:created_at 2012_11_01, former_category EXPLOIT_KIT, updated_at 2012_11_01;)
+#alert tcp any any -> any any (msg:"ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Denial of Service Inbound (CVE-2019-9515)"; flow:established,to_server; content:"|04|"; offset:3; depth:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; threshold:type threshold, track by_dst, count 20, seconds 10; flowbits:isset,ET.http2; flowbits:set,ET.CVE20199515; flowbits:noalert; reference:cve,2019-9515; classtype:denial-of-service; sid:2034095; rev:2; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9515, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category DOS, performance_impact Significant, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016353; rev:2; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2013_02_05;)
+#alert tcp any any -> any any (msg:"ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Error Response (CVE-2019-9515)"; flow:established,to_client; content:"|00 00 00 04 01|"; depth:5; content:"|00 00 00 04 01|"; distance:4; within:5; content:"|00 00 00 04 01|"; distance:4; within:5; threshold:type threshold, track by_src, count 20, seconds 10; flowbits:isset,ET.CVE20199515; reference:cve,2019-9515; classtype:denial-of-service; sid:2034096; rev:2; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9515, deployment Perimeter, deployment Internal, former_category DOS, performance_impact Moderate, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
 
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP ST UDN Buffer Overflow (CVE-2012-5963)"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:2; metadata:created_at 2013_01_31, former_category DOS, updated_at 2013_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, former_category MOBILE_MALWARE, updated_at 2013_02_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Miniupnpd SoapAction MethodName Buffer Overflow (CVE-2013-0230)"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:2; metadata:created_at 2013_02_07, former_category DOS, updated_at 2013_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2016356; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
+#alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow (CVE-2013-0229)"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:3; metadata:created_at 2013_02_07, former_category DOS, updated_at 2013_02_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:exploit-kit; sid:2016357; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:3; metadata:created_at 2013_01_31, former_category DOS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:3; metadata:created_at 2013_01_31, former_category DOS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:3; metadata:created_at 2013_01_31, former_category DOS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS CVE-2013-0230 Miniupnpd SoapAction MethodName Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|SOAPAction|3a|"; nocase; distance:0; pcre:"/^[^\r\n]+#[^\x22\r\n]{2049}/R"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0230; classtype:attempted-dos; sid:2016364; rev:1; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:3; metadata:created_at 2013_01_31, former_category DOS, updated_at 2019_10_08;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:exploit-kit; sid:2016373; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:exploit-kit; sid:2016377; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:exploit-kit; sid:2013025; rev:2; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:exploit-kit; sid:2013024; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2; metadata:created_at 2013_02_08, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:exploit-kit; sid:2013027; rev:3; metadata:created_at 2011_06_13, former_category EXPLOIT_KIT, updated_at 2011_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016393; rev:3; metadata:created_at 2013_02_09, former_category EXPLOIT_KIT, updated_at 2013_02_09;)
+#alert http $HTTP_SERVERS any -> any any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - Admin Login Page Detected Outbound"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011280; rev:3; metadata:created_at 2010_09_28, former_category EXPLOIT_KIT, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_02_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:exploit-kit; sid:2013098; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:exploit-kit; sid:2013237; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_09, former_category CURRENT_EVENTS, updated_at 2013_02_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:exploit-kit; sid:2013661; rev:2; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013551; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:exploit-kit; sid:2013552; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_04_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013696; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:exploit-kit; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013697; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:exploit-kit; sid:2013698; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2014025; rev:1; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3; metadata:created_at 2013_02_12, former_category CURRENT_EVENTS, updated_at 2013_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:exploit-kit; sid:2014031; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016403; rev:2; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:exploit-kit; sid:2014032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:exploit-kit; sid:2014033; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016407; rev:3; metadata:created_at 2013_02_13, updated_at 2013_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:exploit-kit; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4; metadata:created_at 2013_02_15, updated_at 2013_02_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013775; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013777; rev:2; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Featured-Results.com Agent Reporting Data"; flow: to_server,established; content:"action=any"; nocase; http_uri; content:"country="; nocase; http_uri; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; classtype:trojan-activity; sid:2001293; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011348; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011813; rev:6; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2010_10_13;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013690; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013691; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013692; rev:3; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013693; rev:7; metadata:created_at 2011_09_24, former_category EXPLOIT_KIT, updated_at 2011_09_24;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:exploit-kit; sid:2014096; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016426; rev:3; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2013_02_19;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:exploit-kit; sid:2014097; rev:3; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"POST|2C|"; fast_pattern; nocase; depth:100; content:"ACCEPT|3A|"; nocase; within:300; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011349; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:command-and-control; sid:2016428; rev:7; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:"<html><body><script>|0d 0a|"; fast_pattern; nocase; content:"document.createElement"; within:50; content:"|28|String["; distance:0; pcre:"/,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,/iR"; classtype:exploit-kit; sid:2013660; rev:4; metadata:created_at 2011_09_15, former_category EXPLOIT_KIT, updated_at 2011_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:targeted-activity; sid:2016438; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Jupiter Exploit Kit Landing Page with Malicious Java Applets"; flow:established,from_server; content:"<applet"; content:"code="; content:".jar"; distance:0; content:"u//FCyy"; within:50; fast_pattern; content:"</applet>"; within:100; classtype:exploit-kit; sid:2013955; rev:3; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2011_11_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016441; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit pdfopen.pdf"; flow:established,to_server; content:"pdfopen.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011180; classtype:exploit-kit; sid:2011180; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012942; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016443; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012943; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016448; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012944; rev:7; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2011_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:targeted-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:exploit-kit; sid:2013776; rev:3; metadata:created_at 2011_10_14, former_category EXPLOIT_KIT, updated_at 2011_10_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016444; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit pdfswf.pdf"; flow:established,to_server; content:"pdfswf.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011181; classtype:exploit-kit; sid:2011181; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:targeted-activity; sid:2016455; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit - libtiff.pdf"; flow:established,to_server; content:"libtiff.pdf"; http_uri; reference:url,doc.emergingthreats.net/2011182; classtype:exploit-kit; sid:2011182; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; http_client_body; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011350; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016457; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Known Malicious Link Leading to Exploit Kits (t.php?id=is1)"; flow:established,to_server; content:"/t.php?id=is1"; http_uri; classtype:exploit-kit; sid:2014151; rev:2; metadata:created_at 2012_01_26, former_category EXPLOIT_KIT, updated_at 2012_01_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016472; rev:2; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Java request to showthread.php?t="; flow:established,to_server; content:"/showthread.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/showthread\.php\?t=\d+$/Ui"; reference:url,research.zscaler.com/2012/01/popularity-of-exploit-kits-leading-to.html; classtype:exploit-kit; sid:2013916; rev:6; metadata:created_at 2011_11_16, former_category EXPLOIT_KIT, updated_at 2011_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:command-and-control; sid:2016496; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2013_02_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014197; rev:2; metadata:created_at 2012_02_06, former_category EXPLOIT_KIT, updated_at 2012_02_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016497; rev:7; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Exploiting IEPeers"; flow:established,to_client; content:"booom["; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; reference:url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/; reference:cve,2010-0806; classtype:exploit-kit; sid:2014199; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2016_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:exploit-kit; sid:2016500; rev:8; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CUTE-IE.html CutePack Exploit Kit Landing Page Request"; flow:established,to_server; content:"/CUTE-IE.html"; nocase; http_uri; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014203; rev:3; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CutePack Exploit Kit JavaScript Variable Detected"; flow:established,to_client; content:"var Cute"; nocase; fast_pattern:only; pcre:"/var\x20Cute(Money|Power|Shine)/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014204; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected"; flow:established,to_client; content:"/CUTE-IE.html"; nocase; fast_pattern:only; pcre:"/iframe[^\r\n]*\x2FCUTE-IE\x2Ehtml/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014205; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CutePack Exploit Kit Landing Page Detected"; flow:established,to_client; content:"button id=|22|evilcute|22|"; nocase; fast_pattern:only; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:exploit-kit; sid:2014206; rev:1; metadata:created_at 2012_02_07, former_category EXPLOIT_KIT, updated_at 2012_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:exploit-kit; sid:2014315; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:exploit-kit; sid:2016333; rev:4; metadata:created_at 2013_02_01, former_category EXPLOIT_KIT, updated_at 2013_02_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014362; rev:3; metadata:created_at 2012_03_10, former_category EXPLOIT_KIT, updated_at 2012_03_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014024; rev:4; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2011_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; classtype:exploit-kit; sid:2016494; rev:5; metadata:created_at 2013_02_25, former_category INFO, updated_at 2013_02_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit Kit Landing"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"hello="; nocase; http_uri; pcre:"/\.php\?(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+&(id=|pid=|hello=)\d+$/Ui"; reference:url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2011693; classtype:exploit-kit; sid:2011693; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:pup-activity; sid:2007995; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit download payload likely Hiloti Gozi FakeAV etc"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/eH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/eH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011103; classtype:exploit-kit; sid:2011103; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit kit attack activity likely hostile"; flow:to_server,established; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"/oH"; http_uri; fast_pattern; pcre:"/\/[a-z0-9]+\.[a-z0-9]{2,4}\/oH[a-z0-9]{60,}$/Ui"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D; reference:url,doc.emergingthreats.net/2011104; classtype:exploit-kit; sid:2011104; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:command-and-control; sid:2016096; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit VBscript download"; flow:established,to_client; content:"Createobject(StrReverse("; nocase; content:"|22|tcejbOmetsySeliF.gnitpircS|22|))"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,doc.emergingthreats.net/2011184; classtype:exploit-kit; sid:2011184; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:exploit-kit; sid:2012389; rev:3; metadata:created_at 2011_02_27, former_category EXPLOIT_KIT, updated_at 2011_02_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT  6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko)  Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_07, updated_at 2013_03_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:exploit-kit; sid:2014539; rev:2; metadata:created_at 2012_04_11, updated_at 2012_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:exploit-kit; sid:2016558; rev:4; metadata:created_at 2013_03_09, updated_at 2013_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x="; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern; content:"&pdf="; http_uri; content:"&flash="; content:"&qt="; http_uri; classtype:exploit-kit; sid:2014569; rev:5; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:exploit-kit; sid:2016562; rev:7; metadata:created_at 2013_03_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014640; rev:1; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2013975; rev:3; metadata:created_at 2011_12_01, former_category EXPLOIT_KIT, updated_at 2011_12_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:exploit-kit; sid:2014568; rev:3; metadata:created_at 2012_04_16, former_category EXPLOIT_KIT, updated_at 2012_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:targeted-activity; sid:2016579; rev:2; metadata:created_at 2013_03_15, former_category MALWARE, updated_at 2013_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014658; rev:1; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2012_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016587; rev:6; metadata:created_at 2013_03_15, former_category EXPLOIT_KIT, updated_at 2013_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014749; rev:1; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014641; rev:4; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2012_04_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014852; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2012_06_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:exploit-kit; sid:2014913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:exploit-kit; sid:2014922; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:exploit-kit; sid:2014923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015010; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2012_07_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014750; rev:2; metadata:created_at 2012_05_14, former_category EXPLOIT_KIT, updated_at 2012_05_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:exploit-kit; sid:2014915; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015646; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:exploit-kit; sid:2015647; rev:4; metadata:created_at 2012_08_17, former_category EXPLOIT_KIT, updated_at 2012_08_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET EXPLOIT_KIT Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:exploit-kit; sid:2015672; rev:5; metadata:created_at 2012_08_30, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:exploit-kit; sid:2015676; rev:3; metadata:created_at 2012_09_05, former_category EXPLOIT_KIT, updated_at 2012_09_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015679; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:exploit-kit; sid:2015682; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:exploit-kit; sid:2015683; rev:2; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2012_09_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015733; rev:3; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2012_09_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:exploit-kit; sid:2015789; rev:2; metadata:created_at 2012_10_10, updated_at 2012_10_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET EXPLOIT_KIT Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:exploit-kit; sid:2015792; rev:2; metadata:created_at 2012_10_12, updated_at 2012_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:exploit-kit; sid:2015841; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_24, updated_at 2013_01_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:exploit-kit; sid:2015840; rev:3; metadata:created_at 2012_10_25, former_category EXPLOIT_KIT, updated_at 2012_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:4; metadata:created_at 2013_01_25, updated_at 2013_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:exploit-kit; sid:2014036; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_12_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:exploit-kit; sid:2015849; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_10_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:exploit-kit; sid:2016643; rev:5; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Self-Signed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:exploit-kit; sid:2015865; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015735; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015881; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:exploit-kit; sid:2015882; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:exploit-kit; sid:2015884; rev:2; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2012_11_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:exploit-kit; sid:2015886; rev:2; metadata:created_at 2012_11_14, updated_at 2012_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016561; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_03_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:exploit-kit; sid:2015890; rev:3; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2012_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015930; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe Acrobat 9.2.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016652; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015931; rev:2; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2012_11_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe PDF Library 9.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016653; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2015936; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:exploit-kit; sid:2015943; rev:3; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:exploit-kit; sid:2015944; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:exploit-kit; sid:2015945; rev:2; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:exploit-kit; sid:2015949; rev:2; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:exploit-kit; sid:2015955; rev:2; metadata:created_at 2012_11_29, former_category CURRENT_EVENTS, updated_at 2012_11_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016663; rev:2; metadata:created_at 2013_03_26, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:exploit-kit; sid:2015956; rev:2; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2012_11_29;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_26, updated_at 2013_03_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:exploit-kit; sid:2015970; rev:11; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:exploit-kit; sid:2015971; rev:9; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2015979; rev:1; metadata:created_at 2012_12_04, former_category EXPLOIT_KIT, updated_at 2012_12_04;)
 
-alert http $HTTP_SERVERS any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:exploit-kit; sid:2015988; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:exploit-kit; sid:2015989; rev:2; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2012_12_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:exploit-kit; sid:2016001; rev:5; metadata:created_at 2012_12_08, former_category CURRENT_EVENTS, updated_at 2012_12_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any ->  $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:exploit-kit; sid:2016053; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:exploit-kit; sid:2016056; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016704; rev:3; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2013_04_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:exploit-kit; sid:2016054; rev:3; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016071; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016072; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:2; metadata:created_at 2013_04_04, former_category SHELLCODE, updated_at 2017_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:exploit-kit; sid:2016106; rev:2; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:exploit-kit; sid:2016169; rev:3; metadata:created_at 2013_01_08, updated_at 2013_01_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:exploit-kit; sid:2016174; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015977; rev:7; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016726; rev:6; metadata:created_at 2013_04_05, former_category EXPLOIT_KIT, updated_at 2013_04_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:exploit-kit; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:command-and-control; sid:2016712; rev:3; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:exploit-kit; sid:2016191; rev:6; metadata:created_at 2013_01_12, former_category EXPLOIT_KIT, updated_at 2013_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; fast_pattern; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016247; rev:6; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008110; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016255; rev:2; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2013_01_24;)
 
-#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008108; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:exploit-kit; sid:2016307; rev:6; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2013_01_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008103; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015858; rev:3; metadata:created_at 2012_11_01, former_category EXPLOIT_KIT, updated_at 2012_11_01;)
 
-#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016353; rev:2; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2013_02_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:exploit-kit; sid:2016356; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:exploit-kit; sid:2016357; rev:2; metadata:created_at 2013_02_07, former_category EXPLOIT_KIT, updated_at 2013_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:exploit-kit; sid:2016373; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:exploit-kit; sid:2016377; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016393; rev:3; metadata:created_at 2013_02_09, former_category EXPLOIT_KIT, updated_at 2013_02_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016403; rev:2; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2013_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016734; rev:2; metadata:created_at 2013_04_09, former_category EXPLOIT_KIT, updated_at 2013_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016407; rev:3; metadata:created_at 2013_02_13, updated_at 2013_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016426; rev:3; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2013_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/NSISDL.Downloader CnC Server Response"; flow:established,to_client; file_data; content:"[install 1]"; within:11; content:"Ins="; within:40; classtype:command-and-control; sid:2016746; rev:2; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2013_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016497; rev:7; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siscos CnC Checkin"; flow:established,to_server; content:".php?getcmd="; fast_pattern:only; http_uri; content:"&uid="; http_uri; content:"User-Agent|3a| "; http_header; content:"|3b| MSlE 6.0|3b|"; distance:23; within:11; http_header; classtype:command-and-control; sid:2013384; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:exploit-kit; sid:2016500; rev:8; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:5; metadata:created_at 2011_04_02, updated_at 2011_04_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:exploit-kit; sid:2016333; rev:4; metadata:created_at 2013_02_01, former_category EXPLOIT_KIT, updated_at 2013_02_01;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:exploit-kit; sid:2016558; rev:4; metadata:created_at 2013_03_09, updated_at 2013_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016587; rev:6; metadata:created_at 2013_03_15, former_category EXPLOIT_KIT, updated_at 2013_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/nymain/"; http_uri; fast_pattern:only; content:"/index.php"; http_uri; content:"filename="; http_client_body; content:"&data="; http_client_body; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:exploit-kit; sid:2016643; rev:5; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"Mozilla/0."; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2010905; classtype:pup-activity; sid:2010905; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016704; rev:3; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2013_04_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_16, updated_at 2012_11_16;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013175; rev:4; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2011_07_04;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:2; metadata:created_at 2013_04_16, updated_at 2013_04_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016726; rev:6; metadata:created_at 2013_04_05, former_category EXPLOIT_KIT, updated_at 2013_04_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016734; rev:2; metadata:created_at 2013_04_09, former_category EXPLOIT_KIT, updated_at 2013_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015006; rev:6; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016070; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015007; rev:9; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016781; rev:2; metadata:created_at 2013_04_23, updated_at 2013_04_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015009; rev:3; metadata:created_at 2012_07_03, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:exploit-kit; sid:2016784; rev:3; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
+#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016113; rev:3; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016797; rev:2; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016070; rev:5; metadata:created_at 2012_12_21, updated_at 2012_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016585; rev:7; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016111; rev:4; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:3; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016655; rev:5; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:exploit-kit; sid:2016093; rev:4; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016753; rev:10; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:exploit-kit; sid:2016831; rev:3; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016852; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016781; rev:2; metadata:created_at 2013_04_23, updated_at 2013_04_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016896; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:exploit-kit; sid:2016782; rev:15; metadata:created_at 2013_04_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015575; rev:11; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:3; metadata:created_at 2012_04_13, updated_at 2012_04_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016925; rev:2; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4; metadata:created_at 2013_04_23, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:exploit-kit; sid:2016791; rev:6; metadata:created_at 2013_04_27, updated_at 2013_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"vb wininet"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
+#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:exploit-kit; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/U"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:exploit-kit; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:exploit-kit; sid:2016784; rev:3; metadata:created_at 2013_04_26, former_category EXPLOIT_KIT, updated_at 2013_04_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016966; rev:7; metadata:created_at 2013_06_04, updated_at 2013_06_04;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016113; rev:3; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2015724; rev:10; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_26, former_category CURRENT_EVENTS, updated_at 2012_09_26;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:exploit-kit; sid:2017028; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:exploit-kit; sid:2017029; rev:5; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:exploit-kit; sid:2017030; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:exploit-kit; sid:2017034; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:exploit-kit; sid:2017040; rev:2; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2013_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:"<applet"; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016817; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016797; rev:2; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016818; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016585; rev:7; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2013_03_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:exploit-kit; sid:2017020; rev:10; metadata:created_at 2013_06_15, updated_at 2013_06_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_27, former_category CURRENT_EVENTS, updated_at 2012_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016733; rev:4; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016112; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016111; rev:4; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:exploit-kit; sid:2017098; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:exploit-kit; sid:2016705; rev:19; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016655; rev:5; metadata:created_at 2013_03_22, former_category CURRENT_EVENTS, updated_at 2013_03_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017117; rev:2; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:exploit-kit; sid:2016093; rev:4; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017118; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:command-and-control; sid:2015161; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:exploit-kit; sid:2016945; rev:8; metadata:created_at 2013_05_30, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016107; rev:6; metadata:created_at 2012_12_28, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016250; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016640; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:exploit-kit; sid:2016213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_16, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016735; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_26, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016736; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016828; rev:5; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016832; rev:7; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; content:"applet"; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016930; rev:4; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; content:"|3c|script"; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_23, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017016; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:exploit-kit; sid:2015648; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017017; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017018; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017097; rev:4; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:exploit-kit; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016052; rev:4; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_09, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016249; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; classtype:trojan-activity; sid:2015582; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:exploit-kit; sid:2016374; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016375; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:exploit-kit; sid:2015579; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016378; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016514; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_24, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:exploit-kit; sid:2016598; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016859; rev:4; metadata:created_at 2013_05_17, updated_at 2013_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:exploit-kit; sid:2017200; rev:5; metadata:created_at 2013_07_26, former_category EXPLOIT_KIT, updated_at 2013_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017201; rev:6; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:exploit-kit; sid:2015047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017202; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:exploit-kit; sid:2015044; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017203; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_14, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017204; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:exploit-kit; sid:2016025; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:exploit-kit; sid:2017071; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016560; rev:10; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:exploit-kit; sid:2014194; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017248; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017249; rev:2; metadata:created_at 2013_07_30, updated_at 2016_10_21;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:exploit-kit; sid:2017250; rev:2; metadata:created_at 2013_07_30, cve CVE_1234_CVE_341, former_category EXPLOIT_KIT, updated_at 2020_08_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017251; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017252; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017253; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017254; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; content:"bytes="; nocase; distance:0; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:5; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf/Styx EK - fnts.html"; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:exploit-kit; sid:2016129; rev:4; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017100; rev:4; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017101; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017102; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:command-and-control; sid:2014276; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2012_02_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2017270; rev:7; metadata:created_at 2013_08_03, former_category EXPLOIT_KIT, updated_at 2013_08_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED - Possible BlackHole request with decryption Base"; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:exploit-kit; sid:2017271; rev:3; metadata:created_at 2013_08_03, updated_at 2013_08_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"Indy Library)"; nocase; http_user_agent; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:pup-activity; sid:2003446; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017114; rev:5; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:exploit-kit; sid:2017328; rev:2; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017166; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:exploit-kit; sid:2017333; rev:3; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:exploit-kit; sid:2017387; rev:5; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017115; rev:8; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, former_category CURRENT_EVENTS, updated_at 2013_05_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017407; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:exploit-kit; sid:2016831; rev:3; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:exploit-kit; sid:2017376; rev:7; metadata:created_at 2013_08_27, former_category EXPLOIT_KIT, updated_at 2013_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:2; metadata:created_at 2013_05_08, updated_at 2013_05_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:exploit-kit; sid:2017435; rev:4; metadata:created_at 2013_09_07, former_category CURRENT_EVENTS, updated_at 2013_09_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016852; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017451; rev:6; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:exploit-kit; sid:2017167; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017470; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017471; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; http_method; content:"?o="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017472; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:exploit-kit; sid:2017469; rev:5; metadata:created_at 2013_09_17, former_category CURRENT_EVENTS, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016896; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016065; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2012_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT)"; flow:to_server,established; content:"EMSCBVDFRT"; http_user_agent; depth:10; classtype:trojan-activity; sid:2016907; rev:5; metadata:created_at 2012_03_02, updated_at 2012_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:exploit-kit; sid:2017482; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT)"; flow:to_server,established; content:"MBVDFRESCT"; nocase; depth:10; http_user_agent; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ; classtype:trojan-activity; sid:2016908; rev:5; metadata:created_at 2011_09_09, updated_at 2011_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2015901; rev:3; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2012_11_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"wininetget/"; nocase; depth:11; http_user_agent; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:exploit-kit; sid:2017484; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8; metadata:created_at 2013_05_24, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:exploit-kit; sid:2017485; rev:1; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:5; metadata:created_at 2013_05_24, former_category INFO, updated_at 2017_10_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:exploit-kit; sid:2017486; rev:2; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015575; rev:11; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:exploit-kit; sid:2017497; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016925; rev:2; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:exploit-kit; sid:2017488; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:exploit-kit; sid:2016791; rev:6; metadata:created_at 2013_04_27, updated_at 2013_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:exploit-kit; sid:2017503; rev:2; metadata:created_at 2013_09_21, former_category CURRENT_EVENTS, updated_at 2013_09_21;)
 
-#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:exploit-kit; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016380; rev:4; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017529; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:exploit-kit; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017530; rev:2; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"EoAgence-"; http_user_agent; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:pup-activity; sid:2014120; rev:3; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017531; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_02, former_category CURRENT_EVENTS, updated_at 2010_10_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017532; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2016962; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_01, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017534; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:exploit-kit; sid:2016365; rev:5; metadata:created_at 2013_02_07, former_category CURRENT_EVENTS, updated_at 2013_02_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017535; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016966; rev:7; metadata:created_at 2013_06_04, updated_at 2013_06_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017536; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017537; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017538; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:exploit-kit; sid:2016984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017539; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; http_uri; nocase; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017540; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017541; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017542; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017543; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017551; rev:2; metadata:created_at 2013_10_02, updated_at 2013_10_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:exploit-kit; sid:2017553; rev:3; metadata:created_at 2013_10_03, former_category CURRENT_EVENTS, updated_at 2013_10_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017533; rev:5; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2015724; rev:10; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2012_09_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:exploit-kit; sid:2017483; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; http_header; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; file_data; content:"%PDF-"; within:5; classtype:exploit-kit; sid:2015725; rev:8; metadata:created_at 2012_09_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017562; rev:6; metadata:created_at 2013_10_05, former_category EXPLOIT_KIT, updated_at 2013_10_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_26, former_category CURRENT_EVENTS, updated_at 2012_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3; metadata:created_at 2013_10_08, former_category CURRENT_EVENTS, updated_at 2013_10_08;)
 
-#alert  http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6; metadata:created_at 2012_09_26, updated_at 2012_09_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2017576; rev:2; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4; metadata:created_at 2012_10_09, updated_at 2012_10_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2013_10_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:4; metadata:created_at 2012_10_16, updated_at 2012_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017405; rev:6; metadata:created_at 2013_09_03, former_category EXPLOIT_KIT, updated_at 2013_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:4; metadata:created_at 2012_10_26, updated_at 2012_10_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017589; rev:3; metadata:created_at 2013_10_14, former_category CURRENT_EVENTS, updated_at 2013_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; content:"Srv.SSA-KeyLogger"; http_uri; reference:url,doc.emergingthreats.net/2002175; classtype:command-and-control; sid:2002175; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2017591; rev:2; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:exploit-kit; sid:2017473; rev:6; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:exploit-kit; sid:2017011; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
 
-#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017635; rev:4; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
 
-#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET MALWARE Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017650; rev:2; metadata:created_at 2013_10_31, updated_at 2013_10_31;)
 
-#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017295; rev:6; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017693; rev:2; metadata:created_at 2013_11_07, updated_at 2013_11_07;)
 
-#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016142; rev:3; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_user_agent; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:command-and-control; sid:2008523; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017110; rev:7; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2013_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:2; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:exploit-kit; sid:2017735; rev:4; metadata:created_at 2013_11_21, former_category CURRENT_EVENTS, updated_at 2013_11_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:5; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:exploit-kit; sid:2017736; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3; metadata:created_at 2012_12_28, former_category TROJAN, updated_at 2018_04_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:exploit-kit; sid:2017737; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:3; metadata:created_at 2013_06_11, former_category POLICY, updated_at 2018_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:exploit-kit; sid:2017738; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:exploit-kit; sid:2017744; rev:2; metadata:created_at 2013_11_22, former_category CURRENT_EVENTS, updated_at 2013_11_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:exploit-kit; sid:2017756; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:5; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:exploit-kit; sid:2017757; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:exploit-kit; sid:2017758; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2014751; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:exploit-kit; sid:2017786; rev:2; metadata:created_at 2013_11_28, former_category CURRENT_EVENTS, updated_at 2013_11_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zhelatin Variant Checkin"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:exploit-kit; sid:2017794; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6; metadata:created_at 2013_06_12, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:exploit-kit; sid:2017797; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:3; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015888; rev:8; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016970; rev:4; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2013_06_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:exploit-kit; sid:2017602; rev:5; metadata:created_at 2013_10_17, former_category CURRENT_EVENTS, updated_at 2013_10_17;)
 
-alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017811; rev:2; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2013_12_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:exploit-kit; sid:2017759; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:exploit-kit; sid:2017028; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016520; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2013_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:exploit-kit; sid:2017029; rev:5; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017740; rev:3; metadata:created_at 2013_11_22, former_category EXPLOIT_KIT, updated_at 2013_11_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:exploit-kit; sid:2017030; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:exploit-kit; sid:2017819; rev:5; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017840; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:exploit-kit; sid:2017034; rev:2; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017844; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:exploit-kit; sid:2017040; rev:2; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2013_06_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:exploit-kit; sid:2017796; rev:3; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:exploit-kit; sid:2017848; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:4; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:exploit-kit; sid:2017851; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:exploit-kit; sid:2017826; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:exploit-kit; sid:2017827; rev:6; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017861; rev:3; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017893; rev:4; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:12; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017894; rev:3; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017908; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:command-and-control; sid:2017056; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:exploit-kit; sid:2017907; rev:4; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:exploit-kit; sid:2017957; rev:2; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016817; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2016818; rev:4; metadata:created_at 2013_05_04, updated_at 2013_05_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:exploit-kit; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:exploit-kit; sid:2017020; rev:10; metadata:created_at 2013_06_15, updated_at 2013_06_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017995; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017996; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:command-and-control; sid:2017055; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017997; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:exploit-kit; sid:2018011; rev:2; metadata:created_at 2014_01_24, former_category CURRENT_EVENTS, updated_at 2014_01_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:exploit-kit; sid:2018127; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:exploit-kit; sid:2018161; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017073; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018163; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:exploit-kit; sid:2018206; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016733; rev:4; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:exploit-kit; sid:2018207; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018209; rev:7; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018225; rev:2; metadata:created_at 2014_03_06, former_category EXPLOIT_KIT, updated_at 2014_03_06;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_12, former_category EXPLOIT_KIT, updated_at 2013_04_12;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018261; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:exploit-kit; sid:2017095; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017064; rev:18; metadata:created_at 2013_06_25, former_category EXPLOIT_KIT, updated_at 2013_06_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:exploit-kit; sid:2017098; rev:2; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018260; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_04, updated_at 2013_07_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (3)"; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018297; rev:2; metadata:created_at 2014_03_20, former_category EXPLOIT_KIT, updated_at 2014_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:2; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:exploit-kit; sid:2018298; rev:3; metadata:created_at 2014_03_20, updated_at 2014_03_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"risp"; http_user_agent; depth:4; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:3; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:".text+=String.fromCharCode"; content:"35"; pcre:"/^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76/Rsi"; classtype:exploit-kit; sid:2018337; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:2; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2019_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016541; rev:4; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:exploit-kit; sid:2016705; rev:19; metadata:created_at 2013_04_01, former_category EXPLOIT_KIT, updated_at 2013_04_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:exploit-kit; sid:2018363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016756; rev:6; metadata:created_at 2013_04_13, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:exploit-kit; sid:2017031; rev:3; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017117; rev:2; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:exploit-kit; sid:2018409; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017118; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2018411; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:2; metadata:affected_product Any, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_07_09, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, tag Wordpress, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT 32-byte by 32-byte PHP EK Gate with HTTP POST"; flow:established,to_server; urilen:72; content:"POST"; http_method; content:".php?q="; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2018442; rev:3; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:exploit-kit; sid:2018441; rev:10; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:2; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015846; rev:3; metadata:created_at 2012_10_27, updated_at 2012_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:2; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2013.php"; flow:established,to_server; content:"/flash2013.php"; http_uri; nocase; classtype:exploit-kit; sid:2018470; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2014.php"; flow:established,to_server; content:"/flash2014.php"; http_uri; nocase; classtype:exploit-kit; sid:2018471; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:exploit-kit; sid:2018472; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:exploit-kit; sid:2018501; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:exploit-kit; sid:2018502; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:exploit-kit; sid:2018503; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018330; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_13, former_category CHAT, updated_at 2017_11_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:exploit-kit; sid:2018535; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:exploit-kit; sid:2018536; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Java Jar"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:exploit-kit; sid:2017467; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; file_data; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:exploit-kit; sid:2018544; rev:2; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2014_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit Landing Page Requested"; flow:established,to_server; content:"/load_module.php?user="; http_uri; depth:22; pcre:"/^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; classtype:exploit-kit; sid:2018562; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit SWF Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".swf"; http_uri; distance:1; within:5; pcre:"/^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2013-0634; reference:cve,2014-0515; classtype:exploit-kit; sid:2018563; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-#alert http any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:2; metadata:created_at 2013_07_17, updated_at 2013_07_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:exploit-kit; sid:2018564; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:exploit-kit; sid:2016945; rev:8; metadata:created_at 2013_05_30, updated_at 2013_05_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:exploit-kit; sid:2018573; rev:3; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:exploit-kit; sid:2018577; rev:2; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php\?[^\s]*(notdoing|howme|uname)=/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018583; rev:4; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018593; rev:2; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:exploit-kit; sid:2018595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_06_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Ransomware, updated_at 2013_07_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:exploit-kit; sid:2018613; rev:3; metadata:created_at 2014_06_28, former_category CURRENT_EVENTS, updated_at 2014_06_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:exploit-kit; sid:2018606; rev:4; metadata:created_at 2014_06_26, former_category CURRENT_EVENTS, updated_at 2014_06_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:exploit-kit; sid:2018668; rev:5; metadata:created_at 2014_07_12, former_category CURRENT_EVENTS, updated_at 2014_07_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:exploit-kit; sid:2018737; rev:2; metadata:created_at 2014_07_18, former_category CURRENT_EVENTS, updated_at 2014_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc."; http_header; distance:0; fast_pattern; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?calc\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014237; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 21 July 2014"; flow:to_client,established; file_data; content:"jquery_datepicker=|27|"; pcre:"/[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018751; rev:2; metadata:created_at 2014_07_22, former_category EXPLOIT_KIT, updated_at 2014_07_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence Kaspersky AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|kl1.sys"; nocase; pcre:"/^[\x22\x27]/Rs"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018756; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence TrendMicro AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|tm"; nocase; pcre:"/^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]/Rsi"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018757; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 28 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"hex2bin"; fast_pattern:only; content:"eval"; pcre:"/^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\(/Rsi"; classtype:exploit-kit; sid:2018794; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; pcre:"/^[\x22\x27]/R"; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018795; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016107; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; pcre:"/^[\x22\x27]/R"; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018796; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018797; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016250; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018786; rev:3; metadata:created_at 2014_07_26, former_category CURRENT_EVENTS, updated_at 2014_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:exploit-kit; sid:2017474; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2013_03_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:exploit-kit; sid:2017487; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6; metadata:created_at 2013_03_20, former_category HUNTING, updated_at 2013_03_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018922; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016640; rev:4; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018923; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018924; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK PluginDetect URI Struct"; flow:to_server,established; content:"/log.html?"; http_uri; content:"java="; http_uri; content:"gie="; http_uri; content:"header="; http_uri; classtype:exploit-kit; sid:2018930; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016735; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"/ie8910.html"; http_uri; classtype:exploit-kit; sid:2018931; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016736; rev:5; metadata:created_at 2013_04_09, updated_at 2013_04_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M3"; flow:established,from_server; file_data; content:"<script>function z("; content:"createElement|28 22|iframe|22 29|"; distance:0; content:".style.left = |22|-"; content:".style.top = |22|-"; content:"|3b|}z()|3b|</script></body></html>"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018965; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016828; rev:5; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; pcre:"/^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27]/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018966; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016832; rev:7; metadata:created_at 2013_05_07, updated_at 2013_05_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018967; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018987; rev:4; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016930; rev:4; metadata:created_at 2013_05_25, updated_at 2013_05_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018988; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/eipm.php"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018989; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/yztl.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018990; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/vpclcy.x"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018991; rev:3; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017016; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Flash URI Sruct Aug 22 2014"; flow:established,to_server; urilen:17; content:"/nhqdxa/oujyt.swf"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018992; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017017; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:19; content:"/nhqdxa/gjtzssq.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018993; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017018; rev:6; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018997; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017097; rev:4; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2013_07_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:exploit-kit; sid:2019004; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016554; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:exploit-kit; sid:2019006; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016555; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:exploit-kit; sid:2019007; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016557; rev:6; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife EK Variant Aug 26 2014"; flow:established,to_server; content:".php?spl="; http_uri; fast_pattern:only; pcre:"/\.php\?spl=[\w_]+$/Ui"; classtype:exploit-kit; sid:2019023; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:5; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Aug 27 2014"; flow:established,to_client; file_data; content:"|28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2019071; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing URI Struct"; flow:established,to_server; content:"/?PHPSSESID=njr"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019072; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:exploit-kit; sid:2017182; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"nhweb="; http_cookie; depth:6; classtype:exploit-kit; sid:2019073; rev:2; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"ZWS"; classtype:exploit-kit; sid:2018362; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:exploit-kit; sid:2019098; rev:2; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:exploit-kit; sid:2019099; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:exploit-kit; sid:2019005; rev:3; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_11_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:exploit-kit; sid:2019100; rev:3; metadata:created_at 2014_09_02, former_category CURRENT_EVENTS, updated_at 2014_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019154; rev:3; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"|7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65|"; content:"|3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a|"; content:"|29 5e 32 35 35 26|"; classtype:exploit-kit; sid:2019130; rev:3; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"%65%64%6f%43%72%61%68%43%6d%6f%72%66"; content:"%74%41%65%64%6f%43%72%61%68%63"; classtype:exploit-kit; sid:2019131; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:exploit-kit; sid:2019180; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:exploit-kit; sid:2019184; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; classtype:exploit-kit; sid:2017667; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014"; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:exploit-kit; sid:2019188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:2; metadata:created_at 2013_07_24, updated_at 2013_07_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016052; rev:4; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017817; rev:11; metadata:created_at 2013_12_10, former_category EXPLOIT_KIT, updated_at 2013_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016249; rev:8; metadata:created_at 2013_01_22, former_category EXPLOIT_KIT, updated_at 2013_01_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:exploit-kit; sid:2019078; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:exploit-kit; sid:2016374; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016375; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016378; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019370; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016514; rev:4; metadata:created_at 2013_03_04, updated_at 2013_03_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019372; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016597; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019373; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:exploit-kit; sid:2016598; rev:5; metadata:created_at 2013_03_20, updated_at 2013_03_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016859; rev:4; metadata:created_at 2013_05_17, updated_at 2013_05_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0515 Aug 24 2014"; flow:established,to_server; content:"GET"; http_method; content:"flashhigh.swf"; fast_pattern:only; http_uri; pcre:"/^\/(?:pruncd)?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2018995; rev:4; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?flashlow\.swf$/U"; classtype:exploit-kit; sid:2018996; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019097; rev:3; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:exploit-kit; sid:2017200; rev:5; metadata:created_at 2013_07_26, former_category EXPLOIT_KIT, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:exploit-kit; sid:2019480; rev:2; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017201; rev:6; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Exploit/Payload Struct"; flow:established,to_server; content:"?action="; http_uri; content:"&exp="; http_uri; fast_pattern; pcre:"/\?action=(?:pld|exp)&exp=/U"; classtype:exploit-kit; sid:2019479; rev:3; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017202; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Flash Exploit URI Struct"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[^\r\n]*?[a-z]+?\.php\?[a-z]+?=\d/Hm"; classtype:exploit-kit; sid:2019543; rev:2; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017203; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:exploit-kit; sid:2019594; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:exploit-kit; sid:2017204; rev:5; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:exploit-kit; sid:2019600; rev:3; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"|61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019634; rev:6; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2014_11_04;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 03 2014"; flow:established,from_server; content:"ruarc="; fast_pattern:only; content:"ruarc="; depth:6; http_cookie; classtype:exploit-kit; sid:2019638; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2014_11_04;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3; metadata:created_at 2013_07_25, updated_at 2013_07_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:exploit-kit; sid:2019146; rev:6; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:exploit-kit; sid:2019352; rev:3; metadata:created_at 2014_10_03, former_category EXPLOIT_KIT, updated_at 2014_10_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:exploit-kit; sid:2017071; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2019656; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:exploit-kit; sid:2019657; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016560; rev:10; metadata:created_at 2013_03_12, updated_at 2013_03_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:exploit-kit; sid:2019659; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019658; rev:4; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2019669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:exploit-kit; sid:2019672; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK URI Struct Actor Specific"; flow:to_server,established; content:"?zho="; http_uri; fast_pattern:only; pcre:"/\/(?:[a-z0-9]{1,7}\.php)?\?zho=/U"; classtype:exploit-kit; sid:2019673; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Actor Specific Injected iframe"; flow:from_server,established; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; content:"|22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e|"; nocase; distance:0; content:"<iframe"; nocase; distance:0; content:" vspace="; nocase; content:"0"; within:3; content:" hspace="; content:"0"; within:3; content:" marginwidth="; content:"0"; within:3; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; distance:0; classtype:exploit-kit; sid:2019675; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019677; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_11, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:exploit-kit; sid:2019684; rev:3; metadata:created_at 2014_11_08, former_category CURRENT_EVENTS, updated_at 2014_11_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:exploit-kit; sid:2019685; rev:2; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:exploit-kit; sid:2018998; rev:10; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:exploit-kit; sid:2019722; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:exploit-kit; sid:2019723; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:exploit-kit; sid:2019724; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:exploit-kit; sid:2019725; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:exploit-kit; sid:2019726; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019744; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:exploit-kit; sid:2019742; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:exploit-kit; sid:2019745; rev:2; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:exploit-kit; sid:2019743; rev:5; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:4; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"CWS"; classtype:exploit-kit; sid:2019765; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_11_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018925; rev:5; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019769; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019768; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_25, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_06, former_category EXPLOIT_KIT, updated_at 2014_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019773; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"NocncoMDEpJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMC"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019774; rev:3; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019775; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2019807; rev:2; metadata:created_at 2014_11_26, updated_at 2014_11_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2019823; rev:7; metadata:created_at 2014_12_01, former_category EXPLOIT_KIT, updated_at 2014_12_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:exploit-kit; sid:2019874; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2019892; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:exploit-kit; sid:2019895; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:exploit-kit; sid:2019844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious JS Leading to Fiesta EK"; flow:established,from_server; file_data; content:"xapLoad"; fast_pattern; content:"swfLoad"; content:"xapURL"; content:"swfURL"; content:"errURL"; content:"var id"; classtype:exploit-kit; sid:2019920; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:exploit-kit; sid:2019193; rev:3; metadata:created_at 2014_09_18, former_category CURRENT_EVENTS, updated_at 2014_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:exploit-kit; sid:2019950; rev:3; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Activity Dec 18 2014"; flow:established,to_server; content:"/landing?action="; http_uri; fast_pattern:only; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r\n)/Hmi"; classtype:exploit-kit; sid:2019973; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020291; rev:2; metadata:created_at 2015_01_23, former_category EXPLOIT_KIT, updated_at 2015_01_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:exploit-kit; sid:2020319; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1"; flow:established,from_server; file_data; content:"lRXdjVGeFxGblh2U"; classtype:exploit-kit; sid:2020423; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1"; flow:established,from_server; file_data; content:"Z0V3YlhXRsxWZoN"; classtype:exploit-kit; sid:2020424; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1"; flow:established,from_server; file_data; content:"Gd1NWZ4VEbsVGaT"; classtype:exploit-kit; sid:2020425; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M2"; flow:established,from_server; file_data; content:"KkxSZssGLjxSYsAHKu9Wa0Nmb1ZGKsFmdl"; classtype:exploit-kit; sid:2020428; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:exploit-kit; sid:2020429; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:exploit-kit; sid:2020318; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:exploit-kit; sid:2020477; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:exploit-kit; sid:2020478; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:exploit-kit; sid:2020484; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020407; rev:5; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2020494; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:exploit-kit; sid:2020495; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Unknown EK HFS CVE-2014-6332"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; fast_pattern; file_data; content:"Wscript.Shell"; content:"Microsoft.XMLHTTP"; content:"ADODB.Stream"; content:"cmd.exe"; classtype:exploit-kit; sid:2020498; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown EK Landing"; flow:established,from_server; content:"|64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b|"; content:"|3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65|"; distance:0; content:"|2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22|"; distance:0; classtype:exploit-kit; sid:2020501; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020562; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020559; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes ActiveX Call"; flow:established,from_server; file_data; content:"var version|3b|var ax|3b|var e|3b|try{axo=new ActiveXObject"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag ActiveX, tag DriveBy, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020558; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:exploit-kit; sid:2020584; rev:3; metadata:created_at 2015_03_03, former_category EXPLOIT_KIT, updated_at 2015_03_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:exploit-kit; sid:2020698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MWI Maldoc Exploit Kit Stats Callout"; flow:established,from_server; flowbits:isset,ETPRO.RTF; file_data; content:"INCLUDEPICTURE "; pcre:"/^\s*?[\x22\x27][^\x22\x27]+\.php\?id=\d+[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020700; rev:2; metadata:created_at 2015_03_16, former_category EXPLOIT_KIT, updated_at 2015_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:exploit-kit; sid:2014099; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:exploit-kit; sid:2020725; rev:2; metadata:created_at 2015_03_21, updated_at 2015_03_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:exploit-kit; sid:2020726; rev:2; metadata:created_at 2015_03_23, updated_at 2015_03_23;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020743; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020744; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017248; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017666; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017249; rev:2; metadata:created_at 2013_07_30, updated_at 2016_10_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:exploit-kit; sid:2020832; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:exploit-kit; sid:2017250; rev:2; metadata:created_at 2013_07_30, cve CVE_1234_CVE_341, former_category EXPLOIT_KIT, updated_at 2020_08_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019845; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017251; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019846; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017252; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; classtype:exploit-kit; sid:2019873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017253; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:exploit-kit; sid:2020840; rev:2; metadata:created_at 2015_04_03, updated_at 2015_04_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017254; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:command-and-control; sid:2016963; rev:5; metadata:created_at 2012_04_13, former_category MALWARE, updated_at 2012_04_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:exploit-kit; sid:2020715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:exploit-kit; sid:2016066; rev:3; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"QWRtaW5SaWdodHMy"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020903; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf/Styx EK - fnts.html"; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:exploit-kit; sid:2016129; rev:4; metadata:created_at 2012_12_29, former_category EXPLOIT_KIT, updated_at 2012_12_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"FkbWluUmlnaHRzM"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020904; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017100; rev:4; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020905; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017101; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:exploit-kit; sid:2020987; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:exploit-kit; sid:2017102; rev:3; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:exploit-kit; sid:2020990; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2017270; rev:7; metadata:created_at 2013_08_03, former_category EXPLOIT_KIT, updated_at 2013_08_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:exploit-kit; sid:2020994; rev:3; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:exploit-kit; sid:2017271; rev:3; metadata:created_at 2013_08_03, updated_at 2013_08_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:exploit-kit; sid:2020950; rev:3; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:command-and-control; sid:2017275; rev:2; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2013_08_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:exploit-kit; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017114; rev:5; metadata:created_at 2013_07_05, updated_at 2013_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:exploit-kit; sid:2021034; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:exploit-kit; sid:2021046; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:exploit-kit; sid:2021047; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:exploit-kit; sid:2017296; rev:5; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:exploit-kit; sid:2021048; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:exploit-kit; sid:2021054; rev:2; metadata:created_at 2015_05_04, former_category EXPLOIT_KIT, updated_at 2015_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:2; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:exploit-kit; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:5; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2021291; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_08_12, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"Refresh|3a 20|"; http_header; content:"|3b 20|url"; distance:0; http_header; content:"/999/00000/|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Refresh\x3a\x20\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Hm"; classtype:exploit-kit; sid:2021306; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
 
-alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Covert Channel (VERSONEX and Mr.Black)"; content:"VERSONEX|3a|"; depth:64; fast_pattern; content:"Mr.Black"; within:50; classtype:trojan-activity; sid:2017315; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:exploit-kit; sid:2021313; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021320; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021169; rev:3; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017265; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:exploit-kit; sid:2021507; rev:2; metadata:created_at 2015_07_22, updated_at 2015_07_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017164; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:exploit-kit; sid:2021559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:exploit-kit; sid:2018909; rev:4; metadata:created_at 2014_08_07, former_category EXPLOIT_KIT, updated_at 2014_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; http_method; content:"/ld/"; http_uri; content:".php"; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:".html&"; http_uri; fast_pattern; content:"/"; distance:-47; http_uri; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})?$/U"; classtype:exploit-kit; sid:2021639; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC"; flow:from_server,established; file_data; content:"c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015902; rev:7; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:"Referer|3a|"; http_header; content:"|3a|443/"; distance:0; http_header; fast_pattern; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{40}\/$/U"; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021640; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 2"; flow:from_server,established; file_data; content:"c=idl"; within:5; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015903; rev:5; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2012_09_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:exploit-kit; sid:2021696; rev:2; metadata:created_at 2015_08_20, updated_at 2015_08_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, former_category HUNTING, updated_at 2013_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:exploit-kit; sid:2021707; rev:3; metadata:created_at 2015_08_24, former_category EXPLOIT_KIT, updated_at 2015_08_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:exploit-kit; sid:2021740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:exploit-kit; sid:2020426; rev:3; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:exploit-kit; sid:2017328; rev:2; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:exploit-kit; sid:2019542; rev:7; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017166; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:exploit-kit; sid:2021908; rev:3; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:exploit-kit; sid:2022001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:exploit-kit; sid:2017333; rev:3; metadata:created_at 2013_08_15, former_category CURRENT_EVENTS, updated_at 2013_08_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:exploit-kit; sid:2021708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 1"; flow:established,from_server; file_data; content:"=(eval)|3b|"; classtype:bad-unknown; sid:2017334; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:exploit-kit; sid:2022009; rev:3; metadata:created_at 2015_10_29, updated_at 2015_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 2"; flow:established,from_server; file_data; content:"=[|22|eval|22|]|3b|"; classtype:bad-unknown; sid:2017335; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net add PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"<title>NACHA</title>"; classtype:exploit-kit; sid:2013474; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - netsh - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:exploit-kit; sid:2014136; rev:7; metadata:created_at 2012_01_19, updated_at 2012_01_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - ipconfig - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:exploit-kit; sid:2014168; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot -  reg - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:exploit-kit; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:exploit-kit; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:exploit-kit; sid:2014316; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:exploit-kit; sid:2014526; rev:3; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2012_04_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:exploit-kit; sid:2014549; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:exploit-kit; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015574; rev:5; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net user - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:exploit-kit; sid:2015605; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:exploit-kit; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:exploit-kit; sid:2013699; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2022290; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; content:".exe"; http_uri; nocase; content:"GET"; http_method; nocase; pcre:"/\.exe\b/Ui"; reference:url,doc.emergingthreats.net/2003595; classtype:policy-violation; sid:2003595; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:exploit-kit; sid:2022312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:exploit-kit; sid:2022313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:exploit-kit; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:targeted-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2012_06_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:exploit-kit; sid:2016064; rev:5; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:exploit-kit; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:3; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:exploit-kit; sid:2016952; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:exploit-kit; sid:2012807; rev:4; metadata:created_at 2011_05_15, updated_at 2011_05_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:exploit-kit; sid:2017649; rev:6; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017648; rev:7; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPCIOUS Non-standard base64 charset used for encoding"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2017364; rev:7; metadata:created_at 2013_08_21, updated_at 2013_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017706; rev:6; metadata:created_at 2013_11_12, former_category CURRENT_EVENTS, updated_at 2013_11_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:5; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:exploit-kit; sid:2019544; rev:6; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016371; rev:5; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:exploit-kit; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:exploit-kit; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:exploit-kit; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:exploit-kit; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:exploit-kit; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:exploit-kit; sid:2022629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:exploit-kit; sid:2022630; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:exploit-kit; sid:2022635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:exploit-kit; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:exploit-kit; sid:2022682; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.fishplay Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:exploit-kit; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:exploit-kit; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mashigoom/Tranwos/RevProxy ClickFraud - hello"; flow:established,to_server; threshold:type both,track by_src,seconds 60,count 1; dsize:<150; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}/"; classtype:trojan-activity; sid:2016292; rev:6; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:exploit-kit; sid:2020300; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:2; metadata:created_at 2013_08_23, updated_at 2013_08_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:exploit-kit; sid:2022751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2013_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:exploit-kit; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:exploit-kit; sid:2022805; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool get command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgwKH08DHh4bVURA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017378; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:exploit-kit; sid:2022956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool long command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgcABQhLAh4fH1FA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017379; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022957; rev:2; metadata:created_at 2016_07_11, updated_at 2016_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool smart command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhgCCh0fSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017380; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:exploit-kit; sid:2022964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post1 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtaSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017381; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:exploit-kit; sid:2022984; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post2 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtZSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017382; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgkWHwpL"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017383; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:exploit-kit; sid:2022998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgIMBh9L"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017384; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:exploit-kit; sid:2022916; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_26, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021763; rev:3; metadata:created_at 2015_09_12, updated_at 2016_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:exploit-kit; sid:2017387; rev:5; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:exploit-kit; sid:2023151; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017388; rev:3; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:exploit-kit; sid:2023152; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:exploit-kit; sid:2023153; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:exploit-kit; sid:2023188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:exploit-kit; sid:2023189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:exploit-kit; sid:2023150; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:2; metadata:created_at 2013_08_30, updated_at 2013_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:exploit-kit; sid:2023190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:exploit-kit; sid:2023191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017115; rev:8; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2013_07_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:exploit-kit; sid:2023192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:command-and-control; sid:2017404; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_08_31, deployment Perimeter, former_category WORM, signature_severity Major, tag c2, updated_at 2013_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:exploit-kit; sid:2023193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017407; rev:2; metadata:created_at 2013_09_03, updated_at 2013_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:exploit-kit; sid:2023194; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:exploit-kit; sid:2023195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family RIG, performance_impact Low, signature_severity Major, updated_at 2016_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?"; nocase; uricontent:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:exploit-kit; sid:2023248; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:exploit-kit; sid:2023250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:exploit-kit; sid:2023251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (OUTBOUND)"; flow:to_server,established; content:"P[endof]"; dsize:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017418; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:exploit-kit; sid:2023303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!2,relative; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017419; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:exploit-kit; sid:2023252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (File Manager)"; flow:from_server,established; content:"FM|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017420; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_02, former_category CURRENT_EVENTS, updated_at 2013_05_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017421; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:exploit-kit; sid:2023313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017422; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:exploit-kit; sid:2023314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Desktop)"; flow:to_server,established; content:"scPK|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017423; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:exploit-kit; sid:2023312; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017424; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017426; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:exploit-kit; sid:2023352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017427; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:exploit-kit; sid:2023353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Kill Process)"; flow:from_server,established; content:"k|7c 27 7c 27 7c|"; depth:6; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017428; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:exploit-kit; sid:2023343; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:exploit-kit; sid:2017376; rev:7; metadata:created_at 2013_08_27, former_category EXPLOIT_KIT, updated_at 2013_08_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:exploit-kit; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:exploit-kit; sid:2017435; rev:4; metadata:created_at 2013_09_07, former_category CURRENT_EVENTS, updated_at 2013_09_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_02_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017451; rev:6; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:exploit-kit; sid:2024053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:exploit-kit; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017456; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:exploit-kit; sid:2017963; rev:3; metadata:created_at 2014_01_14, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:exploit-kit; sid:2017167; rev:4; metadata:created_at 2013_07_23, updated_at 2013_07_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018226; rev:3; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:exploit-kit; sid:2020984; rev:3; metadata:created_at 2015_04_23, former_category CURRENT_EVENTS, updated_at 2017_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017470; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:exploit-kit; sid:2024169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017471; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017472; rev:2; metadata:created_at 2013_09_17, updated_at 2013_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:exploit-kit; sid:2012941; rev:8; metadata:created_at 2011_06_07, former_category EXPLOIT_KIT, updated_at 2017_04_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:exploit-kit; sid:2017469; rev:5; metadata:created_at 2013_09_17, former_category CURRENT_EVENTS, updated_at 2013_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:social-engineering; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02  00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40  00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016065; rev:4; metadata:created_at 2012_12_20, former_category EXPLOIT_KIT, updated_at 2012_12_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:exploit-kit; sid:2015946; rev:3; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011812; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:exploit-kit; sid:2017482; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2011988; rev:6; metadata:created_at 2010_12_01, former_category EXPLOIT_KIT, updated_at 2017_04_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2015901; rev:3; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2012_11_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirection to driveby Page Home index.php"; flow:established,from_server; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; classtype:exploit-kit; sid:2013436; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, former_category INFO, signature_severity Major, tag DriveBy, updated_at 2017_04_14;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_17, updated_at 2012_07_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:exploit-kit; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; dsize:>0; byte_jump:2,1,little,post_offset -4; isdataat:!2,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017414; rev:3; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:exploit-kit; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:exploit-kit; sid:2017484; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:exploit-kit; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:exploit-kit; sid:2017485; rev:1; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; classtype:exploit-kit; sid:2024346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:exploit-kit; sid:2017486; rev:2; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:exploit-kit; sid:2024347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 1"; flow:established,to_client; file_data; content:"cHJlbG9hZGVyLWNsYXNz"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017494; rev:2; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:exploit-kit; sid:2024353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 2"; flow:established,to_client; file_data; content:"wcmVsb2FkZXItY2xhc3"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017495; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; classtype:exploit-kit; sid:2024354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JavaFX Click To Run Bypass 3"; flow:established,to_client; file_data; content:"ByZWxvYWRlci1jbGFzc"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017496; rev:3; metadata:created_at 2013_09_20, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; classtype:exploit-kit; sid:2024355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:exploit-kit; sid:2017497; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; classtype:exploit-kit; sid:2024356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:exploit-kit; sid:2017488; rev:3; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; classtype:exploit-kit; sid:2024357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; classtype:exploit-kit; sid:2024358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; classtype:exploit-kit; sid:2024362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:exploit-kit; sid:2017503; rev:2; metadata:created_at 2013_09_21, former_category CURRENT_EVENTS, updated_at 2013_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; classtype:exploit-kit; sid:2024363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:social-engineering; sid:2024494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022484; rev:3; metadata:created_at 2016_02_03, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:exploit-kit; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2; metadata:created_at 2013_09_24, updated_at 2013_09_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; classtype:exploit-kit; sid:2024493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016380; rev:4; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; classtype:exploit-kit; sid:2024514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:exploit-kit; sid:2024515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3; metadata:created_at 2013_09_11, updated_at 2013_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:exploit-kit; sid:2024608; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:command-and-control; sid:2017525; rev:2; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2024609; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command response"; flow:established,from_server; file_data; content:"send|3c 7c 3e|"; within:7; pcre:"/^[A-Z]\x3a\x5f/R"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017523; rev:5; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2024610; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti/Mufanom CnC Response"; flow:established,from_server; flowbits:isset,ET.Hiloti; file_data; content:"<!-- vbe -->"; distance:0; classtype:command-and-control; sid:2017526; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:exploit-kit; sid:2024611; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; file_data; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:exploit-kit; sid:2015783; rev:6; metadata:created_at 2012_10_06, former_category EXPLOIT_KIT, updated_at 2017_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017529; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024238; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2017_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017530; rev:2; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 2"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font was not found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"To install |22|HoeflerText|22| font for your PC"; distance:0; nocase; content:"Download the .js"; distance:0; nocase; content:".attr('href',"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017531; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; classtype:exploit-kit; sid:2024691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_09_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017532; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; classtype:exploit-kit; sid:2021307; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017534; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//U"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; classtype:exploit-kit; sid:2021309; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017535; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET EXPLOIT_KIT Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023249; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector_07012016, updated_at 2016_09_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017536; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2022464; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017537; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017538; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017539; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015758; rev:3; metadata:created_at 2012_10_04, former_category EXPLOIT_KIT, updated_at 2018_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017540; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; classtype:exploit-kit; sid:2021638; rev:3; metadata:created_at 2015_08_17, former_category CURRENT_EVENTS, updated_at 2018_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017541; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK IE Exploit"; flow:established,to_client; file_data; content:"IE=EmulateIE9"; nocase; content:"</head"; nocase; within:200; content:"<body"; nocase; within:200; content:"<script"; nocase; within:200; content:"!!window.ActiveXObject"; nocase; within:200; content:"try"; within:200; content:"parent.parent.setLocalStoreUserData"; nocase; distance:0; pcre:"/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"; classtype:exploit-kit; sid:2025911; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017542; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"<param"; nocase; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; classtype:exploit-kit; sid:2025914; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017543; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M1"; flow:from_server,established; file_data; content:"|554778315a326c75524756305a574e30|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M2"; flow:from_server,established; file_data; content:"|516248566e615735455a58526c5933|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027073; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M3"; flow:from_server,established; file_data; content:"|427364576470626b526c6447566a64|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_11, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:exploit-kit; sid:2017140; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_07_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:exploit-kit; sid:2014438; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017551; rev:2; metadata:created_at 2013_10_02, updated_at 2013_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:exploit-kit; sid:2017297; rev:6; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017073; rev:4; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017076; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:exploit-kit; sid:2010438; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:exploit-kit; sid:2017553; rev:3; metadata:created_at 2013_10_03, former_category CURRENT_EVENTS, updated_at 2013_10_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017533; rev:5; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2013_09_30;)
+#alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:exploit-kit; sid:2017483; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017454; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:exploit-kit; sid:2020427; rev:3; metadata:created_at 2015_02_16, updated_at 2019_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; http_header; fast_pattern:only; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017416; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020563; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:exploit-kit; sid:2017556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:exploit-kit; sid:2022962; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_05, updated_at 2013_10_05;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:exploit-kit; sid:2025037; rev:3; metadata:created_at 2012_03_01, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy  Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017562; rev:6; metadata:created_at 2013_10_05, former_category EXPLOIT_KIT, updated_at 2013_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015573; rev:3; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:exploit-kit; sid:2017563; rev:3; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015479; rev:4; metadata:created_at 2012_07_17, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3; metadata:created_at 2013_10_08, former_category CURRENT_EVENTS, updated_at 2013_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:exploit-kit; sid:2015604; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2017576; rev:2; metadata:created_at 2013_10_10, former_category CURRENT_EVENTS, updated_at 2013_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2015678; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2013_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:exploit-kit; sid:2015689; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:exploit-kit; sid:2017579; rev:2; metadata:created_at 2013_10_11, former_category EXPLOIT_KIT, updated_at 2013_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:exploit-kit; sid:2015690; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2; metadata:created_at 2013_10_11, updated_at 2013_10_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:exploit-kit; sid:2015691; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017405; rev:6; metadata:created_at 2013_09_03, former_category EXPLOIT_KIT, updated_at 2013_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:exploit-kit; sid:2015694; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
 
-#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015873; rev:6; metadata:created_at 2012_11_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3; metadata:created_at 2013_10_14, updated_at 2013_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015929; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017589; rev:3; metadata:created_at 2013_10_14, former_category CURRENT_EVENTS, updated_at 2013_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015928; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2017591; rev:2; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015939; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017592; rev:1; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:exploit-kit; sid:2015950; rev:3; metadata:created_at 2012_11_28, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014229; rev:3; metadata:created_at 2012_02_16, former_category MALWARE, updated_at 2012_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:exploit-kit; sid:2015981; rev:3; metadata:created_at 2012_12_04, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017593; rev:7; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern; content:"|22|bhjwfffiorjwe|22|"; classtype:exploit-kit; sid:2015991; rev:5; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:exploit-kit; sid:2016012; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016027; rev:6; metadata:created_at 2012_12_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:exploit-kit; sid:2016306; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016319; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern; content:"&token="; http_uri; classtype:exploit-kit; sid:2015962; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:exploit-kit; sid:2016412; rev:3; metadata:created_at 2013_02_15, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:command-and-control; sid:2017614; rev:2; metadata:created_at 2013_10_18, updated_at 2013_10_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016542; rev:4; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Onkod.Downloader Executable Download"; flow:established,to_server; content:"/js/"; http_uri; content:".exe"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|22.0) Gecko/20100101 Firefox/22.0|0D 0A|"; http_header; pcre:"/\x2Fjs\x2F[\r\n]*\x2Eexe$/U"; reference:url,blog.fortinet.com/Avoiding-Heuristic-Detection/; classtype:trojan-activity; sid:2017617; rev:3; metadata:created_at 2013_10_18, former_category MALWARE, updated_at 2019_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016543; rev:3; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Kelihos p2p traffic detected via byte_test - SET"; flow:established,to_server; dsize:100<>2000; pcre:"/^[^OGHPDTCMLUVRBAS]/"; content:!"HTTP/1."; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; flowbits:set,ET.Kelihos-P2P; flowbits:noalert; classtype:trojan-activity; sid:2017612; rev:5; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016026; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:exploit-kit; sid:2017621; rev:3; metadata:created_at 2013_10_21, former_category CURRENT_EVENTS, updated_at 2013_10_21;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016718; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3; metadata:created_at 2013_10_21, updated_at 2013_10_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016717; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:6; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:7; metadata:created_at 2013_10_22, updated_at 2013_10_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:exploit-kit; sid:2015000; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:4; metadata:created_at 2013_10_23, former_category CURRENT_EVENTS, updated_at 2013_10_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern; classtype:exploit-kit; sid:2016805; rev:4; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:4; metadata:created_at 2013_10_23, updated_at 2013_10_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:exploit-kit; sid:2015974; rev:15; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:exploit-kit; sid:2016833; rev:6; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:exploit-kit; sid:2017473; rev:6; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016924; rev:12; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:exploit-kit; sid:2016928; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:exploit-kit; sid:2016929; rev:12; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:exploit-kit; sid:2017011; rev:7; metadata:created_at 2013_06_13, updated_at 2013_06_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016926; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017635; rev:4; metadata:created_at 2013_10_25, updated_at 2013_10_25;)
+#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:exploit-kit; sid:2016787; rev:4; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:4; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:exploit-kit; sid:2016964; rev:3; metadata:created_at 2013_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:5; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017019; rev:3; metadata:created_at 2013_06_15, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3; metadata:created_at 2012_12_14, updated_at 2012_12_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017069; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:2; metadata:created_at 2013_10_28, updated_at 2013_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:exploit-kit; sid:2017070; rev:3; metadata:created_at 2013_06_27, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:exploit-kit; sid:2017079; rev:4; metadata:created_at 2013_07_02, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:2; metadata:created_at 2013_10_30, updated_at 2013_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017092; rev:3; metadata:created_at 2013_07_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014266; rev:4; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017093; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017650; rev:2; metadata:created_at 2013_10_31, updated_at 2013_10_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:exploit-kit; sid:2017099; rev:3; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017652; rev:8; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2017138; rev:4; metadata:created_at 2013_07_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017493; rev:4; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:exploit-kit; sid:2017139; rev:3; metadata:created_at 2013_07_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017492; rev:4; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:exploit-kit; sid:2017151; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017491; rev:5; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:exploit-kit; sid:2017150; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017266; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:exploit-kit; sid:2017106; rev:4; metadata:created_at 2013_07_05, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017268; rev:7; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:exploit-kit; sid:2017153; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017180; rev:4; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:exploit-kit; sid:2016427; rev:8; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017179; rev:4; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016013; rev:7; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2017104; rev:4; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016299; rev:11; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:exploit-kit; sid:2016975; rev:3; metadata:created_at 2013_06_05, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:exploit-kit; sid:2016350; rev:5; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2016551; rev:8; metadata:created_at 2013_03_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/^\/search\/[0-9]{64}/U"; classtype:exploit-kit; sid:2016593; rev:9; metadata:created_at 2013_03_19, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017571; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\/m1[1-6]\.jar$/U"; classtype:exploit-kit; sid:2016708; rev:9; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:2; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016709; rev:9; metadata:created_at 2013_04_02, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:exploit-kit; sid:2016786; rev:6; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
 
-#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:command-and-control; sid:2017665; rev:3; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016804; rev:5; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
 
-#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:exploit-kit; sid:2016943; rev:9; metadata:created_at 2013_05_29, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:3; metadata:created_at 2013_09_27, updated_at 2013_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016965; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:4; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2017038; rev:5; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:5; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2017041; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"MyWebClient"; depth:11; http_user_agent; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:command-and-control; sid:2017671; rev:5; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2013_11_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017042; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017043; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017295; rev:6; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017044; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017693; rev:2; metadata:created_at 2013_11_07, updated_at 2013_11_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:exploit-kit; sid:2017119; rev:5; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:5; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2013_11_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/amor\d{0,2}\.jar/U"; classtype:exploit-kit; sid:2015941; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:4; metadata:created_at 2012_08_29, updated_at 2012_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2015942; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:exploit-kit; sid:2017152; rev:6; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017272; rev:5; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017273; rev:4; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017022; rev:4; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017324; rev:3; metadata:created_at 2013_08_13, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern; classtype:exploit-kit; sid:2017039; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017372; rev:6; metadata:created_at 2013_08_26, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017406; rev:6; metadata:created_at 2013_09_03, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017434; rev:3; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017433; rev:4; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017468; rev:3; metadata:created_at 2013_09_17, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2015782; rev:6; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2016798; rev:4; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:exploit-kit; sid:2016349; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:exploit-kit; sid:2016348; rev:8; metadata:created_at 2013_02_05, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017545; rev:7; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017550; rev:3; metadata:created_at 2013_10_02, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016549; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017613; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017601; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:exploit-kit; sid:2017785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017699; rev:4; metadata:created_at 2013_11_09, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017863; rev:5; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017862; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017864; rev:3; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017865; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017866; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017774; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:exploit-kit; sid:2017698; rev:2; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2013_11_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:exploit-kit; sid:2018262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018360; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017078; rev:7; metadata:created_at 2013_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern; content:"eval(function("; classtype:exploit-kit; sid:2018405; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:exploit-kit; sid:2018469; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header;  reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:exploit-kit; sid:2018440; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern; http_uri; nocase; classtype:exploit-kit; sid:2018540; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:exploit-kit; sid:2018592; rev:3; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
 
-#alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET DELETED UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:exploit-kit; sid:2018920; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:command-and-control; sid:2007752; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:exploit-kit; sid:2019167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-7]{3})(?P<d>[0-7]{3})(?P=p)(?P=d)([0-7]{3}){10}(?P<q>[0-7]{3})[0-7]{3}(?P<dot>[0-7]{3})[0-7]{3}(?P=dot)[0-7]{3}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url,blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:exploit-kit; sid:2019194; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P<p>[0-7]{2,4})(?P<sep>[^0-7])(?P<d>(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P<q>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P<dot>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_19, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:exploit-kit; sid:2019195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:exploit-kit; sid:2019210; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:exploit-kit; sid:2019185; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:exploit-kit; sid:2019226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:exploit-kit; sid:2019288; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018361; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2; metadata:created_at 2013_11_14, former_category CURRENT_EVENTS, updated_at 2013_11_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:exploit-kit; sid:2019209; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:4; metadata:created_at 2013_09_04, updated_at 2013_09_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:exploit-kit; sid:2019359; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern; reference:cve,2014-2820; classtype:exploit-kit; sid:2018933; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:5; metadata:created_at 2013_05_21, updated_at 2013_05_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:exploit-kit; sid:2019676; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert icmp any any -> any any (msg:"ET MALWARE PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:command-and-control; sid:2017724; rev:3; metadata:created_at 2013_11_15, former_category MALWARE, updated_at 2013_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019358; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:command-and-control; sid:2017728; rev:2; metadata:created_at 2013_11_20, former_category MALWARE, updated_at 2013_11_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:exploit-kit; sid:2019315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016142; rev:3; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2013_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019989; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016860; rev:18; metadata:created_at 2013_05_17, former_category CURRENT_EVENTS, updated_at 2013_05_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019990; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017110; rev:7; metadata:created_at 2013_07_05, former_category CURRENT_EVENTS, updated_at 2013_07_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019991; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017116; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET MALWARE Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_16, updated_at 2013_11_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019894; rev:4; metadata:created_at 2014_12_09, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:exploit-kit; sid:2017735; rev:4; metadata:created_at 2013_11_21, former_category CURRENT_EVENTS, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:exploit-kit; sid:2020207; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:exploit-kit; sid:2017736; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:exploit-kit; sid:2020236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:exploit-kit; sid:2017737; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020317; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:exploit-kit; sid:2017738; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:4; metadata:created_at 2013_11_21, updated_at 2013_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:exploit-kit; sid:2017744; rev:2; metadata:created_at 2013_11_22, former_category CURRENT_EVENTS, updated_at 2013_11_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:exploit-kit; sid:2020570; rev:4; metadata:created_at 2015_02_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:exploit-kit; sid:2020643; rev:4; metadata:created_at 2015_03_07, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:exploit-kit; sid:2016057; rev:8; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:exploit-kit; sid:2020626; rev:4; metadata:created_at 2015_03_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020823; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Class flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017749; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020824; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:exploit-kit; sid:2017756; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:exploit-kit; sid:2017757; rev:2; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019917; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:exploit-kit; sid:2017758; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020841; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:exploit-kit; sid:2020985; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern; pcre:"/\/street[1-5]\.php$/U"; classtype:exploit-kit; sid:2020988; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern; pcre:"/\/XV-\d+\.exe$/U"; classtype:exploit-kit; sid:2020989; rev:3; metadata:created_at 2015_04_24, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern; classtype:exploit-kit; sid:2020992; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:exploit-kit; sid:2020951; rev:4; metadata:created_at 2015_04_21, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021045; rev:3; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021042; rev:6; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:exploit-kit; sid:2020980; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:exploit-kit; sid:2020979; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:exploit-kit; sid:2021136; rev:3; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2014751; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:exploit-kit; sid:2020392; rev:6; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS HTTP Target/EXE"; flow:from_server,established; file_data; content:"Z"; within:1; content:"PWh0dHA"; distance:2; within:9; pcre:"/^[a-z0-9\+\/]+={0,2}$/Rsi"; classtype:trojan-activity; sid:2017775; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:exploit-kit; sid:2021219; rev:5; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern; content:"long2str"; nocase; content:"str2long"; nocase; classtype:exploit-kit; sid:2021218; rev:4; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Badur.Spy User Agent HWMPro"; flow:established,to_server; content:"HWMPro"; depth:6; http_user_agent; reference:md5,234c47b5b29a2cfcc00900bbc13ea181; classtype:trojan-activity; sid:2017654; rev:4; metadata:created_at 2013_11_01, updated_at 2013_11_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:exploit-kit; sid:2021033; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:exploit-kit; sid:2021035; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:exploit-kit; sid:2021037; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:exploit-kit; sid:2017786; rev:2; metadata:created_at 2013_11_28, former_category CURRENT_EVENTS, updated_at 2013_11_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:exploit-kit; sid:2021305; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4; metadata:created_at 2013_11_30, updated_at 2013_11_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:exploit-kit; sid:2021308; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern; classtype:exploit-kit; sid:2021310; rev:4; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2; metadata:created_at 2013_12_02, updated_at 2013_12_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021137; rev:4; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:exploit-kit; sid:2017794; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:exploit-kit; sid:2021364; rev:3; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:exploit-kit; sid:2017795; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:exploit-kit; sid:2021373; rev:3; metadata:created_at 2015_07_02, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:exploit-kit; sid:2017797; rev:2; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:exploit-kit; sid:2021394; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015888; rev:8; metadata:created_at 2012_11_15, former_category EXPLOIT_KIT, updated_at 2012_11_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:exploit-kit; sid:2021435; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:exploit-kit; sid:2017602; rev:5; metadata:created_at 2013_10_17, former_category CURRENT_EVENTS, updated_at 2013_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:exploit-kit; sid:2021036; rev:5; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; classtype:exploit-kit; sid:2017809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021542; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017811; rev:2; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2013_12_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021543; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:exploit-kit; sid:2017815; rev:2; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2021620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern; classtype:exploit-kit; sid:2021637; rev:3; metadata:created_at 2015_08_17, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:exploit-kit; sid:2017759; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:exploit-kit; sid:2021698; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016520; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2013_03_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:exploit-kit; sid:2021699; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017740; rev:3; metadata:created_at 2013_11_22, former_category EXPLOIT_KIT, updated_at 2013_11_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:exploit-kit; sid:2020895; rev:7; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:exploit-kit; sid:2017819; rev:5; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:exploit-kit; sid:2021764; rev:3; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:exploit-kit; sid:2017823; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021787; rev:3; metadata:created_at 2015_09_16, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern; classtype:exploit-kit; sid:2021841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021905; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:exploit-kit; sid:2021906; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021907; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021939; rev:6; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:exploit-kit; sid:2022040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022090; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016923; rev:15; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:exploit-kit; sid:2016090; rev:3; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern; classtype:exploit-kit; sid:2020719; rev:5; metadata:created_at 2015_03_20, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; file_data; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_27, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:exploit-kit; sid:2022242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:3; metadata:created_at 2013_12_12, updated_at 2013_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:exploit-kit; sid:2022304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017840; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017844; rev:3; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2013_12_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:exploit-kit; sid:2022772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:exploit-kit; sid:2017796; rev:3; metadata:created_at 2013_12_05, former_category CURRENT_EVENTS, updated_at 2013_12_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:exploit-kit; sid:2022774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern; content:"campaigns"; http_cookie; classtype:exploit-kit; sid:2022904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:exploit-kit; sid:2017848; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:exploit-kit; sid:2022909; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:exploit-kit; sid:2017849; rev:2; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:exploit-kit; sid:2022910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2017_09_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:exploit-kit; sid:2023186; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:exploit-kit; sid:2017851; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020311; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:exploit-kit; sid:2017826; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern; classtype:exploit-kit; sid:2023302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:exploit-kit; sid:2017827; rev:6; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2013_12_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:targeted-activity; sid:2016451; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017861; rev:3; metadata:created_at 2013_12_13, updated_at 2013_12_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023482; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017872; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:social-engineering; sid:2023743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:coin-mining; sid:2017874; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:exploit-kit; sid:2011544; rev:7; metadata:created_at 2010_09_27, former_category MALWARE, updated_at 2010_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:social-engineering; sid:2023745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017873; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:exploit-kit; sid:2023547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017878; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern; classtype:exploit-kit; sid:2023878; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:coin-mining; sid:2017879; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:exploit-kit; sid:2023879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"Mozilla Gecko Firefox 25"; http_user_agent; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017883; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_19, deployment Perimeter, signature_severity Major, tag c2, updated_at 2013_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern; content:" lonly="; http_cookie; classtype:exploit-kit; sid:2014884; rev:3; metadata:created_at 2012_06_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern; classtype:exploit-kit; sid:2024092; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023748; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:exploit-kit; sid:2020605; rev:6; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:exploit-kit; sid:2025071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:command-and-control; sid:2017891; rev:2; metadata:created_at 2013_12_20, former_category MALWARE, updated_at 2013_12_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim "; nocase; content:"Dim "; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:exploit-kit; sid:2025272; rev:3; metadata:created_at 2018_01_30, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017893; rev:4; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017299; rev:8; metadata:created_at 2013_08_08, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:exploit-kit; sid:2017894; rev:3; metadata:created_at 2013_12_21, updated_at 2013_12_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014853; rev:6; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category MALWARE, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern; classtype:exploit-kit; sid:2017014; rev:4; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:exploit-kit; sid:2017901; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"Egypack"; nocase; http_user_agent; depth:7; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013176; rev:7; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect on ActiveXObject support"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<script>"; content:"if|20 28|window.ActiveXObject"; distance:0; content:"ActiveXObject|22 20|in window"; within:40; fast_pattern; content:"window|2e|location|2e|href|3d 22|"; within:35; content:"|7d|else|7b|"; within:100; content:"window|2e|location|2e|href|3d 22|"; within:35; classtype:exploit-kit; sid:2028833; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:exploit-kit; sid:2017904; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Capesand EK Landing"; flow:established,to_client; file_data; content:"NzgzNDI"; fast_pattern; content:"NzgzNDI"; distance:0; content:"NzgzNDI"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; pcre:"/^[a-zA-Z0-9]{4}NzgzNDI[a-zA-Z0-9]{8}=\x22/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-capesand-reuses-old-and-new-public-exploits-and-tools-blockchain-ruse/; classtype:exploit-kit; sid:2028937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect Observed - Possible EK Activity"; flow:established,to_client; file_data; content:"/* PluginDetect v"; fast_pattern; within:20; content:"PluginDetect={version|3a 22|"; distance:0; content:"getMimeEnabledPlugin:function("; distance:0; classtype:exploit-kit; sid:2028938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2; metadata:created_at 2013_12_27, updated_at 2013_12_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible MSFVenom Exploit via Browser"; flow:established,to_client; file_data; content:"<script"; within:12; content:"ARR_SIZE ="; distance:0; content:"function search_corrupted_array()"; distance:0; content:"//msfvenom -p"; distance:0; fast_pattern; content:"windows/exec cmd="; within:20; classtype:exploit-kit; sid:2028940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4; metadata:created_at 2013_12_24, former_category INFO, updated_at 2013_12_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Landing"; flow:established,to_client; file_data; content:"<!DOCTYPE html>|0d 0a|<html>|0d 0a|<head>|0d 0a|<meta charset =|20 22|UTF-8|22|>|0d 0a|<script>|0d 0a|if (window.ActiveXObject|20 7c 7c 20 22|ActiveXObject|22 20|in window){"; within:200; fast_pattern; content:"</html>|0d 0a|<body>|0d 0a|</body>"; distance:0; isdataat:!1,relative; classtype:exploit-kit; sid:2028974; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017908; rev:2; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Landing - Various Exploits"; flow:established,to_client; file_data; content:"<!DOCTYPE html>|0d 0a|<html>|0d 0a|<head>|0d 0a|<meta charset =|20 22|UTF-8|22|>|0d 0a|<title></title>|0d 0a|<embed src=|22|"; content:".swf|22|></embed>|0d 0a|"; content:"if (window.ActiveXObject|20 7c 7c 20 22|ActiveXObject|22 20|in window){|0d 0a|document.write(unescape("; fast_pattern; classtype:exploit-kit; sid:2028975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2019_11_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:exploit-kit; sid:2017907; rev:4; metadata:created_at 2013_12_30, updated_at 2013_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M1"; flow:established,to_server; content:"GET"; http_method; content:".swf"; http_uri; isdataat:!1,relative; content:"contype"; http_user_agent; fast_pattern; depth:7; isdataat:!1,relative; content:"__cfduid="; http_cookie; depth:9; content:!".maxmind.com"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cookie|0d 0a 0d 0a|"; depth:38; isdataat:!1,relative; classtype:exploit-kit; sid:2028972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - uncompressed pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ca fe d0 0d|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017909; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo Download Payload Landing"; flow:established,to_client; file_data; content:"<title>Please, wait...</title>"; nocase; content:"dgduehue()|3b|"; nocase; distance:0; fast_pattern; content:"catch ("; nocase; distance:0; classtype:trojan-activity; sid:2028866; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Major, updated_at 2019_11_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"GET"; http_method; content:"/flow"; fast_pattern; depth:5; http_uri; pcre:"/^\d{1,2}\.php$/UR"; content:".ru"; http_host; isdataat:!1,relative; classtype:exploit-kit; sid:2015897; rev:4; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2020_02_04;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; distance:0; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016108; rev:4; metadata:created_at 2012_12_28, updated_at 2020_02_06;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
-
-alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
-
-alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2; metadata:created_at 2014_01_03, updated_at 2014_01_03;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|3b 20|Antivir"; http_user_agent; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:pup-activity; sid:2008549; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
-
-alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
-
-alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"HTTP/1.1"; content:!"BDNC"; http_user_agent; depth:4;  content:"a="; depth:2; http_client_body; fast_pattern; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (4)"; flow:established,to_server; content:"a="; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET DELETED LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; content:"a=";  http_client_body; depth:2; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:4; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
-
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN LDPinch Loader Binary Request"; flow:to_server,established; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:7; metadata:created_at 2011_12_09, updated_at 2011_12_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015818; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin (3)"; flow:established,to_server; content:"a="; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:command-and-control; sid:2007862; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015819; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"GET"; http_method; content:"/stat/load"; http_uri; fast_pattern; content:".php"; http_uri; http_start; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:exploit-kit; sid:2021141; rev:4; metadata:created_at 2015_05_22, updated_at 2020_02_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:exploit-kit; sid:2017953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT [PTsecurity] Grandsoft EK Payload"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|96 08 FA EC DE C0 22 84 66 58 4A BC 2E|"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2018/03/15/index3.html; classtype:exploit-kit; sid:2025437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family GrandSoft_EK, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:exploit-kit; sid:2017954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Checkin"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php|3F|a|3D|QQk"; reference:url,blog.fireeye.com/research/2011/03/the-rise-of-incognito.html; classtype:exploit-kit; sid:2012841; rev:6; metadata:created_at 2011_05_25, former_category EXPLOIT_KIT, updated_at 2020_04_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:exploit-kit; sid:2017955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Landing Page Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?s="; pcre:"/^[0-9a-fA-F]{25}$/R"; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:exploit-kit; sid:2014147; rev:3; metadata:created_at 2012_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:exploit-kit; sid:2017956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Binary Load Request"; flow:established,to_server; http.uri; content:"/load.php?spl="; pcre:"/^[-_\w]+$/R"; classtype:exploit-kit; sid:2014148; rev:3; metadata:created_at 2012_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:exploit-kit; sid:2017957; rev:2; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Facebook phishing page payload could be ZeuS"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/LoginFacebook.php"; endswith; pcre:"/\/[a-z]{2}[0-9]{3}[a-z]{2}\/LoginFacebook\.php$/"; reference:url,malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html; reference:url,doc.emergingthreats.net/2011121; classtype:exploit-kit; sid:2011121; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Phishing, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET DELETED Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:exploit-kit; sid:2017958; rev:2; metadata:created_at 2014_01_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/s"; depth:5; classtype:exploit-kit; sid:2014446; rev:3; metadata:created_at 2012_03_31, updated_at 2022_05_03;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/"; depth:4; content:".jar"; distance:32; within:4; classtype:exploit-kit; sid:2014447; rev:7; metadata:created_at 2012_03_31, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET MALWARE Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:command-and-control; sid:2017922; rev:3; metadata:created_at 2014_01_03, former_category MALWARE, updated_at 2014_01_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - request in.cgi"; flow:to_server,established; http.uri; content:"/in.cgi"; classtype:exploit-kit; sid:2014543; rev:3; metadata:created_at 2012_04_12, former_category CURRENT_EVENTS, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,doc.emergingthreats.net/2010789; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:md5,2b8a408b56eaf3ce0198c9d1d8a75ec0; classtype:trojan-activity; sid:2010789; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:established,to_client; http.header; content:"/in.cgi"; classtype:exploit-kit; sid:2014546; rev:6; metadata:created_at 2012_04_12, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/images.php?t="; startswith; pcre:"/^\d+$/Ri"; http.header; content:"|29 20|Java/"; classtype:exploit-kit; sid:2014609; rev:3; metadata:created_at 2012_04_17, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017973; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/images.php?t=81118"; classtype:exploit-kit; sid:2014639; rev:3; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit pdf download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.uri; content:".php?"; content:"x=x"; fast_pattern; content:"&u="; content:"&s="; content:"&id="; content:"&file="; content:".pdf"; classtype:exploit-kit; sid:2014657; rev:2; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; http.uri; content:"/getfile.php?i="; content:"&key="; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/i"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014851; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redirect to driveby sid=mix"; flow:to_server,established; http.uri; content:"/go.php?sid=mix"; classtype:exploit-kit; sid:2014866; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; http.uri; content:"/getfile.php?"; http.user_agent; content:"Java/1"; classtype:exploit-kit; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/^\/[a-z]{15}[0-9]\.php$/"; classtype:exploit-kit; sid:2014967; rev:4; metadata:created_at 2012_06_26, updated_at 2020_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2017732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ payload"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/mix/"; depth:5; content:".php"; content:"fid="; content:"quote="; classtype:exploit-kit; sid:2015011; rev:3; metadata:created_at 2012_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017985; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely TDS redirecting to exploit kit"; flow:established,to_server; http.uri; content:".php?go="; pcre:"/^\d$/R"; classtype:exploit-kit; sid:2014854; rev:5; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017986; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/nano.php?x="; classtype:exploit-kit; sid:2015734; rev:4; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2; metadata:created_at 2014_01_17, former_category CURRENT_EVENTS, updated_at 2014_01_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; isdataat:64,relative; content:"="; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/"; classtype:exploit-kit; sid:2015781; rev:3; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:exploit-kit; sid:2017975; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; http.uri; content:"/Dot.class"; classtype:exploit-kit; sid:2015885; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:exploit-kit; sid:2017569; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java payload request /5-digit"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/\d{5}$/"; http.user_agent; content:"|29 20|Java/"; classtype:exploit-kit; sid:2015923; rev:4; metadata:created_at 2012_11_24, updated_at 2020_04_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request"; flow:established,to_server; http.uri; content:"/p5.php?t=u00"; content:"&oh="; classtype:exploit-kit; sid:2015961; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017989; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; http.uri; content:".html"; endswith; pcre:"/\/[0-9]{2}\.html$/"; http.user_agent; content:" Java/1"; classtype:exploit-kit; sid:2015990; rev:3; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive Response"; flow:to_server,established; dsize:<100; content:"pong|7c|"; depth:5; classtype:trojan-activity; sid:2017991; rev:6; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; http.uri; content:"KAhFXlx9"; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/"; classtype:exploit-kit; sid:2016091; rev:3; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3; metadata:created_at 2014_01_17, updated_at 2014_01_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; http.uri; pcre:"/\x2F[0-9]{3}\.pdf$/"; http.request_line; content:".pdf HTTP/1."; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:exploit-kit; sid:2016210; rev:3; metadata:created_at 2013_01_15, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017995; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,to_server; urilen:>100; flowbits:set,et.exploitkitlanding; http.uri; content:"/i.html?0x"; startswith; pcre:"/^\d{1,2}=[a-zA-Z0-9+=]{100}/R"; classtype:exploit-kit; sid:2016248; rev:7; metadata:created_at 2013_01_22, updated_at 2020_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017996; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; http.uri; content:"/"; depth:1; content:".jar"; distance:1; within:4; endswith; pcre:"/^\/[a-z]\.jar$/"; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016254; rev:3; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:exploit-kit; sid:2017997; rev:2; metadata:created_at 2014_01_22, updated_at 2014_01_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; http.uri; content:"/cve2012xxxx/Gondvv.class"; classtype:exploit-kit; sid:2016256; rev:3; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:5; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS - in.php"; flow:established,to_server; http.uri; content:"/in.php?s="; classtype:exploit-kit; sid:2016272; rev:3; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:3; metadata:created_at 2014_01_23, updated_at 2014_01_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; http.header; content:!".jar"; nocase; file.data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; classtype:exploit-kit; sid:2016540; rev:4; metadata:created_at 2013_03_06, updated_at 2020_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:exploit-kit; sid:2018011; rev:2; metadata:created_at 2014_01_24, former_category CURRENT_EVENTS, updated_at 2014_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; http.cookie; content:"visited=TRUE|3b 20|mutex="; startswith; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014408; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; http_header; pcre:"/^([\x7f-\xff]){100}/HRi"; reference:md5,176638536e926019e3e79370777d5e03; classtype:pup-activity; sid:2017982; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - pdfx.html"; flow:established,to_server; http.uri; content:"/pdfx.html"; classtype:exploit-kit; sid:2016055; rev:4; metadata:created_at 2012_12_18, updated_at 2020_04_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletHigh.jar"; flow:established,to_server; http.uri; content:"/AppletHigh.jar"; http.user_agent; content:"Java/1."; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016639; rev:5; metadata:created_at 2013_03_22, updated_at 2020_04_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2018027; rev:2; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2014_01_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; http.request_line; content:".zip HTTP/1."; http.uri; pcre:"/\/[a-f0-9]+\.zip$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016839; rev:7; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2014_01_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; http.uri; content:"/app.jar"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017096; rev:5; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:command-and-control; sid:2018034; rev:1; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2014_01_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; http.uri; content:!"/404."; depth:5; pcre:"/^\/\d{2,}\.[a-z0-9]+$/i"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017199; rev:5; metadata:created_at 2013_07_26, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2014_01_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits"; flow:established,to_client; http.content_type; content:"application/java-archive"; fast_pattern; http.header; content:"X-Powered-By|3a 20|PHP/"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2017637; rev:4; metadata:created_at 2013_10_28, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:social-engineering; sid:2018043; rev:2; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude IE EK Payload Nov 8 2013"; flow:established,to_server; urilen:34; http.uri; content:"/?"; depth:2; fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:exploit-kit; sid:2017694; rev:7; metadata:created_at 2013_11_08, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack URI Struct .php?id=Hex"; flow:established,to_server; http.uri; content:".php?id="; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=/"; classtype:exploit-kit; sid:2017814; rev:4; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014373; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SWF filename used in IE 2014-0322 Watering Hole Attacks"; flow:established,to_server; http.uri; content:"/Tope.swf"; classtype:exploit-kit; sid:2018223; rev:4; metadata:created_at 2014_03_05, updated_at 2020_04_28;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|04|info|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x04info\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014374; rev:3; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; http.header; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; content:"|0d 0a|X-Powered-By|3a 20|PHP"; file.data; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:exploit-kit; sid:2018451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_04_29;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|03|biz|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x03biz\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014375; rev:2; metadata:created_at 2012_03_14, updated_at 2012_03_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; http.uri; content:"/load_module.php?e="; classtype:exploit-kit; sid:2014705; rev:5; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 444 (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018072; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; http.uri; content:"/download_file.php?e="; classtype:exploit-kit; sid:2014706; rev:4; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; http.header; content:"filename=payload.exe.exe|0d 0a|"; classtype:exploit-kit; sid:2014707; rev:5; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK randomized javascript Gate Jul 18 2014"; flow:established,to_server; urilen:23<>85; http.method; content:"GET"; http.uri; content:".js?"; fast_pattern; content:"="; distance:7; within:26; content:!"&"; pcre:"/^\/[A-Za-z0-9]{6,16}\.js\?[a-zA-Z0-9]{7,32}=(?![0-9]+$)[a-f0-9]{5,30}$/U"; http.header; pcre:"/^Host\x3a\x20[^\.\r\n]+?\.[a-z]{2,4}\r\n/mi"; classtype:exploit-kit; sid:2018741; rev:3; metadata:created_at 2014_07_18, former_category EXPLOIT_KIT, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit exe.exe Payload"; flow:established,to_client; http.header; content:"Content-disposition|3a 20|attachment|3b 20|filename=exe.exe"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2014/08/06/index.html; classtype:exploit-kit; sid:2018914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:exploit-kit; sid:2018091; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/load/svchost.exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"load/svchost.exe"; nocase; classtype:exploit-kit; sid:2011906; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2020_05_06;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit URI Struct"; flow:established,to_server; urilen:>68; http.uri; content:"|3b|1"; offset:60; content:"|3b|"; distance:5; within:1; content:!"="; content:!"&"; pcre:"/\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}$/"; classtype:exploit-kit; sid:2019612; rev:8; metadata:created_at 2014_10_31, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:pup-activity; sid:2018099; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight 5.x Exploit URI Struct"; flow:established,to_server; urilen:>68; http.uri; content:"|3b|5"; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b5[0-1]\d{5}$/"; classtype:exploit-kit; sid:2019624; rev:3; metadata:created_at 2014_11_03, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta URI Struct"; flow:established,to_server; urilen:>64; flowbits:set,ET.Fiesta.Exploit.URI; http.uri; content:"|3b|"; offset:63; fast_pattern; content:!"="; content:!"&"; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/"; classtype:exploit-kit; sid:2018407; rev:10; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE FTP File Upload - BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content:".txt"; pcre:"/data_\d{4}_\d{1,2}_\d{1,2}_\d{1,2}_\d{1,2}\.txt/"; reference:url,www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/; classtype:trojan-activity; sid:2018115; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Jar URI Struct"; flow:established,to_server; http.uri; content:".jar"; pcre:"/(?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2020476; rev:4; metadata:created_at 2015_02_19, updated_at 2020_05_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop edc User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=edc|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018116; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)"; flow:established,from_server; flowbits:isset,exe.no.referer; http.header; content:"Server|3a 20|HFS"; fast_pattern; file.data; content:"MZ"; within:2; classtype:exploit-kit; sid:2020500; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_05_15;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop micros User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=micros|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018124; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Payload URI Struct March 20 2015"; flow:established,to_server; urilen:>220; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2020720; rev:3; metadata:created_at 2015_03_21, updated_at 2020_05_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Sality.bh Checkin"; flow:to_server,established; content:"/logo.gif?"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50728)|0d 0a|Host|3a| "; http_header; pcre:"/\x2flogo\x2egif\x3f([0-9a-z]){5}\x3d\d{6,7}/U"; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; reference:md5,c15f4fe2e180150dc511aa64427404c5; classtype:trojan-activity; sid:2018111; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".swf"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/m"; file.data; content:"WS"; within:3; classtype:exploit-kit; sid:2020981; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Landing URI Struct March 20 2015"; flow:established,to_server; http.uri; content:"/?"; depth:2; content:"=l3S"; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/"; classtype:exploit-kit; sid:2020722; rev:4; metadata:created_at 2015_03_21, updated_at 2020_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:exploit-kit; sid:2018127; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spartan/Nuclear EK Payload"; flow:established,from_server; http.header; content:"nginx"; content:"X-Powered-By|3a|"; content:"application/octet-stream"; content:"Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; fast_pattern; classtype:exploit-kit; sid:2021765; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014844; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Sep 30 2015"; flow:to_server,established; urilen:5; http.uri; content:"/052F"; classtype:exploit-kit; sid:2021870; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:exploit-kit; sid:2014845; rev:3; metadata:created_at 2012_06_01, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spartan/Nuclear EK Payload"; flow:established,from_server; http.server; content:"nginx"; startswith; http.header; content:"Accept-Ranges|3a 20|bytes|0d 0a|Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; fast_pattern; pcre:"/\x20filename=\r\n(?:\r\n)?$/"; http.content_type; content:"application/octet-stream"; startswith; classtype:exploit-kit; sid:2022135; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline"; nocase; content:".exe"; content:"load/"; fast_pattern; file.data; content:"MZ"; depth:2; classtype:exploit-kit; sid:2014314; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_06_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; flowbits:set,et.exploitkitlanding; http.header; content:!"smartsvn.com"; file.data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; classtype:exploit-kit; sid:2017181; rev:7; metadata:created_at 2013_07_24, updated_at 2020_06_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; flowbits:set,ET.RIGEKExploit; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header; content:"/?"; content:"=l3S"; classtype:exploit-kit; sid:2020721; rev:4; metadata:created_at 2015_03_21, updated_at 2020_06_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3; metadata:created_at 2014_02_14, updated_at 2014_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; http.header; content:"Cookie|3a 20|visited=TRUE"; http.header.raw; content:"Cookie|3a 20|mutex="; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014407; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_06_30;)
 
-#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.*"; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit jar Download"; flow:established,to_server; http.uri; content:"_.jar?"; pcre:"/\w_\.jar\?[a-f0-9]{8}$/"; classtype:exploit-kit; sid:2014802; rev:4; metadata:created_at 2012_05_23, former_category CURRENT_EVENTS, updated_at 2020_08_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024133; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:2; metadata:created_at 2014_02_15, updated_at 2014_02_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024134; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Torrent Client User-Agent (Solid Core/0.82)"; flow:to_server,established; content:"User-Agent|3a| Solid Core/"; http_header; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b; classtype:policy-violation; sid:2013869; rev:7; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024135; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:pup-activity; sid:2018149; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024136; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Azbreg.Backdoor CnC Beacon"; flow:established,to_server; urilen:17; content:"/instant_messages"; http_uri; content:"sid="; http_cookie; content:"locale="; http_cookie; distance:0; content:"name="; http_cookie; distance:0; content:"password="; http_cookie; content:"uid="; http_cookie; distance:0; reference:md5,4b435a3f43d0e7ffa71453cf18804b70; classtype:command-and-control; sid:2018151; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_02_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024137; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024138; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; content:!"dynamicdrive.com"; nocase; http_header; classtype:trojan-activity; sid:2017258; rev:5; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024140; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:exploit-kit; sid:2018161; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024141; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018163; rev:2; metadata:created_at 2014_02_20, updated_at 2014_02_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024142; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:1; metadata:created_at 2014_02_21, updated_at 2014_02_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017 M2"; flow:established,from_server; http.header; content:"Content-Description|3a 20|File Transfer"; content:"Expires|3a 20|0"; pcre:"/Content-Disposition\x3a[^\r\n]+\.exe-rc4\.exe\r\n/i"; http.cookie; content:"ci_session"; file.data; content:!"MZ"; within:2; classtype:exploit-kit; sid:2024345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_08_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:command-and-control; sid:2018167; rev:1; metadata:created_at 2014_02_21, former_category MALWARE, updated_at 2014_02_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Request for Grey Advertising Often Leading to EK"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?&tid="; fast_pattern; content:"&red="; distance:0; content:"&abt="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024350; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:command-and-control; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Hancitor/Tordal Document Inbound"; flow:established,from_server; flowbits:isset,ET.Hancitor; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".doc"; distance:0; http.content_type; content:"application/msword|3b|"; startswith; file.data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; classtype:exploit-kit; sid:2024605; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2; metadata:created_at 2014_02_25, former_category CURRENT_EVENTS, updated_at 2014_02_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; flowbits:set,ET.DisDain.EK; http.uri; content:".php"; offset:38; depth:4; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/"; classtype:exploit-kit; sid:2024606; rev:3; metadata:created_at 2017_08_23, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; flowbits:set,ET.DisDain.EK; http.uri; content:"/test.mp3"; offset:25; depth:9; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/"; classtype:exploit-kit; sid:2024607; rev:3; metadata:created_at 2017_08_23, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4; metadata:created_at 2014_02_26, updated_at 2014_02_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; within:50; classtype:exploit-kit; sid:2015788; rev:3; metadata:created_at 2012_10_10, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015922; rev:7; metadata:created_at 2012_11_24, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018185; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:exploit-kit; sid:2017547; rev:4; metadata:created_at 2013_10_01, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018186; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern; distance:0; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017075; rev:6; metadata:created_at 2013_06_28, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018187; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data; content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:exploit-kit; sid:2019751; rev:7; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018188; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:exploit-kit; sid:2019770; rev:6; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:exploit-kit; sid:2022869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android FakeInst.BX checkin"; flow:to_server; content:".html?c="; http_uri; content:"&o="; http_uri; distance:2; within:3; content:"&n="; http_uri; distance:0; content:"&pid="; http_uri; distance:10; within:10; content:"Apache-HttpClient"; http_user_agent; reference:md5,b2397ddc90e57f2d0eb6b0d3b8bb63f8; classtype:trojan-activity; sid:2018180; rev:6; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023200; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:3; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:6; metadata:created_at 2011_04_15, updated_at 2011_04_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:3; metadata:created_at 2014_02_28, former_category CURRENT_EVENTS, updated_at 2014_02_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:exploit-kit; sid:2018206; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:exploit-kit; sid:2018207; rev:2; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018209; rev:7; metadata:created_at 2014_03_05, former_category CURRENT_EVENTS, updated_at 2014_03_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018225; rev:2; metadata:created_at 2014_03_06, former_category EXPLOIT_KIT, updated_at 2014_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:2; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2014_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkshell.A Checkin XOR C0 Win XP"; flow:to_server,established; dsize:<512; content:"|e0 e0 e0 e0 97 89 8e 84 8f|"; content:"|98 90 e0|"; distance:2; within:3; classtype:command-and-control; sid:2018229; rev:2; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2014_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:command-and-control; sid:2018154; rev:3; metadata:created_at 2014_02_19, former_category MALWARE, updated_at 2014_02_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:exploit-kit; sid:2023307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:pup-activity; sid:2008474; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:exploit-kit; sid:2023473; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:exploit-kit; sid:2016751; rev:10; metadata:created_at 2013_04_12, former_category EXPLOIT_KIT, updated_at 2013_04_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:!"[Adblock Plus"; depth:13; content:"/in.cgi?"; distance:0; flowbits:isnotset,ET.opera.adblock; classtype:exploit-kit; sid:2014545; rev:8; metadata:created_at 2012_04_12, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017023; rev:7; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:exploit-kit; sid:2018236; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:11; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018237; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023742; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018238; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising Redirect to EK M1"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; file.data; content:"<script|20|"; content:"new Date()).getTime()|3b|"; nocase; distance:0; content:".php?JBOSSESSION="; distance:0; fast_pattern; content:"window.location.href="; distance:0; content:"<script|20|"; pcre:"/^\s*type\s*=\s*[\x22\x27]\s*text\/javascript\s*[\x22\x27]\s*>\s+var\s*(?P<timestamp>[A-Za-z0-9]{1,25})\s*=\s*\(new\sDate\(\)\)\.getTime\(\)\;\s+(?P<url>[A-Za-z0-9]{1,25})\s*=\s*[\x22\x27]\s*[^\r\n]+\.php\?JBOSSESSION=\s*[\x22\x27]\s+(?P<urlvar2>[A-Za-z0-9]{1,25})\s*=\s*(?P=url)\s*\+\s*(?P=timestamp)\s+window\.location\.href\s*=\s*(?P=urlvar2)\s+/Rsi"; content:"</script>"; distance:0; classtype:exploit-kit; sid:2025912; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018239; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Underminer EK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7|0d 0a|"; file.data; content:"style=|22|width|3a|1px|3b|height|3a|1px|22|"; nocase; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; nocase; content:"px|3b 20|width|3a 20|1px|3b 20|height|3a 20|1px|3b 22|"; within:40; content:"<!--[if lte IE 6]>"; nocase; distance:0; fast_pattern; content:"if(!!window.ActiveXObject && typeof("; nocase; distance:0; content:"<!--[if gte IE 7]>"; nocase; distance:0; content:"if(!!window.ActiveXObject && typeof("; nocase; distance:0; pcre:"/^[^\r\n]+\s*\)\s*\!==\s*[\x22\x27]undefined[\x22\x27]\s*\)\{\s+var\s+(?P<var>[A-Za-z0-9]{1,25})\s*=\s*[^\.]+\.getElementById\s*\([\x22\x2][^\x22\x27]+[\x22\x27]\s*\)\s*\x3b\s+(?P=var)\s*\.\s*elements\[[\x22\x27][^\x22\x27]+[\x22\x27]\]\.value\s*=\s*[0-9]{1,15}\s*\;/Rsi"; content:"src="; nocase; distance:0; pcre:"/^\s*[\x22\x27][^\r\n]+\/[a-z0-9]{20,40}\.js[\x22\x27]\s*>\s*<\/script>\s*<\/body>/Rs"; classtype:exploit-kit; sid:2025916; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018240; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Key POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/"; content:".html"; distance:26; within:5; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/"; http.cookie; content:"token="; depth:6; http.request_body; content:"{|22|mode|22 3a|10,|22|key|22 3a 22|"; nocase; depth:18; fast_pattern; http.content_type; content:"text/plain|3b|charset=UTF-8"; classtype:exploit-kit; sid:2026421; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Havex Rat Check-in URI Struct"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a 20|"; content:".php?id"; http_uri; content:"&v1="; http_uri; content:"&v2="; http_uri; content:"&q="; http_uri; pcre:"/\.php\?id=[A-F0-9]+\-[A-F0-9]+&v1=[A-F0-9]+&v2=[A-F0-9]+&q=[A-F0-9]+$/U"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:trojan-activity; sid:2018251; rev:2; metadata:created_at 2014_03_11, updated_at 2014_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Resource File Download M1"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/static/tinyjs.min.js"; fast_pattern; http.header; content:"/"; content:".html|0d 0a|"; distance:26; within:7; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/i"; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2026422; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE TDLv4 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|*.city.com"; distance:1; within:11; content:"|55 04 07|"; content:"|06|Cities"; distance:1; within:7; content:"|55 04 0a|"; content:"|0a|State Corp"; distance:1; within:11; classtype:trojan-activity; sid:2018256; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Resource File Download M2"; flow:established,to_server; urilen:22; http.method; content:"GET"; http.uri; content:"/static/encrypt.min.js"; fast_pattern; http.header; content:"/"; content:".html|0d 0a|"; distance:26; within:7; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/i"; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2026423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018261; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Plugin Check"; flow:established,to_client; http.header; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; file.data; content:"name:location.hostname,init:function()"; nocase; within:300; content:"document.body.appendChild(UserData.userData)"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:".setAttribute(|22|type|22|,|22|application/x-shockwave-flash|22|)"; nocase; distance:0; content:".test(navigator.userAgent)?function"; nocase; distance:0; content:"map([|22|ShockwaveFlash.ShockwaveFlash|22|,|22|AcroPDF.PDF|22|,|22|PDF.PdfCtrl|22|,|22|QuickTime.QuickTime|22|,|22|RealPlayer|22|,|22|SWCtl.SWCtl|22|,|22|WMPlayer.OCX|22|,|22|AgControl.AgControl|22|,|22|Skype.Detection|22|]"; nocase; fast_pattern; classtype:exploit-kit; sid:2026424; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
 
-#alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2; metadata:created_at 2014_03_13, former_category CURRENT_EVENTS, updated_at 2014_03_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash/WAV Loader"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7"; file.data; content:"function getSalt(){"; nocase; content:"function getAudioResource(){"; nocase; distance:0; fast_pattern; content:"/"; distance:0; content:".wav|22 3b|"; nocase; distance:26; within:6; content:"<param name=|22|movie|22 20|value=|22|"; nocase; distance:0; content:"/"; distance:0; content:".swf|22|"; nocase; distance:26; within:5; content:"<embed src=|22|"; nocase; distance:0; content:"/"; distance:0; content:".swf|22 20|allowScriptAccess=|22|always|22 20|type=|22|application/x-shockwave-flash|22|"; nocase; distance:26; within:69; classtype:exploit-kit; sid:2026425; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017064; rev:18; metadata:created_at 2013_06_25, former_category EXPLOIT_KIT, updated_at 2013_06_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Flash Exploit Attempt"; flow:established,to_server; urilen:38; http.uri; content:"/?s="; depth:4; fast_pattern; pcre:"/^\/\?s=[a-f0-9]{32}[a-z]{2}$/"; http.header; content:"/?s="; content:"|0d 0a|"; distance:34; within:2; content:"x-flash-version|3a|"; http.referer; pcre:"/^http\:\/\/[^\r\n\x2f]+\/\?s=[a-f0-9]{32}[a-z]{2}$/i"; classtype:exploit-kit; sid:2027145; rev:3; metadata:affected_product Adobe_Flash, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Spelevo_EK, updated_at 2020_08_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018260; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Observed LordEK HTTP POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; depth:2; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.request_body; content:"|7b 22|flash|22 3a|"; depth:9; fast_pattern; content:"|22|ip_address|22 3a 22|"; distance:0; content:"|22|country|22 3a 22|"; distance:0; http.header_names; content:"Referer"; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:exploit-kit; sid:2027788; rev:2; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MtGox Leak wallet stealer UA"; flow:established,to_server; content:"MtGoxBackOffice"; depth:15; http_user_agent; reference:url,www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive; reference:md5,c4e99fdcd40bee6eb6ce85167969348d; classtype:trojan-activity; sid:2018279; rev:3; metadata:created_at 2014_03_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<!--|20|Lord|20|EK|20|-|20|Landing|20|page"; depth:60; nocase; fast_pattern; classtype:exploit-kit; sid:2027791; rev:2; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<head>|0d 0a|<|2f|head>|0d 0a|<body>|0d 0a 20 20 20 20|<script>|0d 0a|var|20|"; depth:60; fast_pattern; pcre:"/^(?P<vars>[a-z0-9]{1,20})\s*=\s*new\s*Array\x3b\r\n(?:(?P=vars)\[\d{1,3}\]\s*=\s*\d{4,12}\x3b\r\n){5,40}/Ri"; content:"String.fromCharCode|28|"; nocase; content:"document.write|28|"; nocase; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:exploit-kit; sid:2027787; rev:3; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017603; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2020_09_13;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; http.uri; content:"/timthumb.php?"; content:!"webshot=1"; distance:0; content:"src="; distance:0; content:"http"; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/i"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:exploit-kit; sid:2014846; rev:14; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_13;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; http.content_type; content:"application/x-msdownload"; bsize:24; file.data; content:"|3d 28 28|"; within:3; endswith; classtype:exploit-kit; sid:2023768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_09_14;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET MALWARE Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_13, updated_at 2014_03_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Broken/Filtered Payload Download Jun 19 2017"; flow:established,from_server; http.header; content:"Content-Length|3a 20|8|0d 0a|"; fast_pattern; file.data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; endswith; classtype:exploit-kit; sid:2024414; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:command-and-control; sid:2017417; rev:9; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising EK Redirect to EK M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?id="; isdataat:!5,relative; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.referer; content:".php?JBOSSESSION="; fast_pattern; classtype:exploit-kit; sid:2025913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK SWF Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; content:".swf"; distance:26; within:4; endswith; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.swf$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; content:"x-flash-version|3a 20|"; http.referer; pcre:"/^.+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.cookie; content:"token="; depth:6; fast_pattern; pcre:"/^[a-f0-9]{32}$/Ri"; classtype:exploit-kit; sid:2026426; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_09_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT ScanBox Framework used in WateringHole Attacks Initial (POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"seed="; fast_pattern; content:"&referrer="; content:"&agent="; content:"&location="; content:"&toplocation="; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:exploit-kit; sid:2019094; rev:8; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK - Unexpected Victim Location Server Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Sea|20|for|20|a|20|life"; startswith; fast_pattern; endswith; classtype:exploit-kit; sid:2027934; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RigEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT SUSPICIOUS DNS Request for Grey Advertising Often Leading to EK"; dns.query; content:"roughted.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024349; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sutra TDS /simmetry"; flow:to_server,established; http.uri; content:"/simmetry?"; fast_pattern; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:exploit-kit; sid:2015593; rev:4; metadata:created_at 2012_08_09, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,from_server; file_data; content:"<title>CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:2; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; http.uri; content:"/spl_data/"; fast_pattern; http.header; content:"|20|Java/"; classtype:exploit-kit; sid:2015603; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive (flowbit set)"; flow:established,to_server; dsize:2; content:"/P"; depth:2; flowbits:set,WinSpy.KeepAlive; flowbits:noalert; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; reference:md5,815576890789003a7575c2948508c6b1; classtype:trojan-activity; sid:2018291; rev:1; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2014_03_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; http.uri; content:"/1."; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//"; classtype:exploit-kit; sid:2015693; rev:4; metadata:created_at 2012_09_11, updated_at 2020_09_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits:isset,WinSpy.KeepAlive; threshold:type limit,count 2,track by_src,seconds 300; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018292; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2015695; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"ET MALWARE MultiThreat/Winspy.RAT SMTP Data Exfiltration"; flow:established,to_server; content:"X-Mailer|3A| SysMon v1.0.0"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018293; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing URL"; flow:established,to_server; http.uri; content:".php?dentesus=208779"; fast_pattern; classtype:exploit-kit; sid:2015964; rev:13; metadata:created_at 2012_11_30, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET MALWARE MultiThreat/Winspy.RAT FTP File Download Command"; flow:established,to_server; dsize:>0; content:"/CD |5C 5C 5C|"; depth:9; pcre:"/^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS)/Ri"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018294; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; http.uri; content:"/js/java.js"; fast_pattern; http.host; content:"."; offset:2; depth:1; pcre:"/^[a-z]{2}\./"; classtype:exploit-kit; sid:2015982; rev:4; metadata:created_at 2012_12_04, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK encrypted binary (3)"; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018297; rev:2; metadata:created_at 2014_03_20, former_category EXPLOIT_KIT, updated_at 2014_03_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible JDB Exploit Kit Class Request"; flow:established,to_server; http.uri; content:"/jdb/"; nocase; content:".class"; nocase; pcre:"/\/jdb\/[^\/]+\.class$/i"; http.header; content:"|20|Java/1"; fast_pattern; classtype:exploit-kit; sid:2016308; rev:8; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:exploit-kit; sid:2018298; rev:3; metadata:created_at 2014_03_20, updated_at 2014_03_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; http.uri; content:"/lib/adobe.php?id="; nocase; fast_pattern; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/i"; classtype:exploit-kit; sid:2016310; rev:7; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; classtype:attempted-admin; sid:2003519; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Pattern"; flow:established,to_server; http.uri; content:"/i.php?token="; fast_pattern; nocase; pcre:"/\/i.php?token=[a-z0-9]+$/i"; classtype:exploit-kit; sid:2015998; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; http.uri; content:"/jerk.cgi?"; fast_pattern; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016352; rev:4; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_25, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Secondary Landing"; flow:established,to_server; http.uri; content:".js"; pcre:"/^[a-z]+\.js$/"; http.referer; content:"/i.html"; fast_pattern; pcre:"/^(\?[^=]{1,10}=[^&\r\n]{100,})?$/Ri"; classtype:exploit-kit; sid:2016347; rev:8; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Exploit Request"; flow:established,to_server; http.uri; content:"/module.php?e="; fast_pattern; pcre:"/\.php\?e=[^&]+?$/"; classtype:exploit-kit; sid:2016523; rev:4; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (5)"; flow:established,to_server; http.uri; content:".txt?e="; nocase; fast_pattern; pcre:"/\.txt\?e=\d+(?:&[fh]=\d+)?$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016414; rev:10; metadata:created_at 2013_02_16, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety.com"; fast_pattern:only; classtype:trojan-activity; sid:2018319; rev:1; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; http.uri; content:"/?wps="; depth:6; fast_pattern; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017068; rev:4; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Captcha Malware C2 SSL Certificate"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|Mojolicious"; distance:1; within:17; content:"|55 04 0a|"; distance:0; content:"|0b|Mojolicious"; distance:1; within:17; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/25/captcha-protected-malware-downloader; classtype:command-and-control; sid:2018322; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect to DotkaChef EK Landing"; flow:established,from_server; http.stat_code; content:"302"; http.location; pcre:"/^[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/i"; http.header; content:".js?cp="; fast_pattern; classtype:exploit-kit; sid:2017077; rev:5; metadata:created_at 2013_06_29, updated_at 2020_09_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc"; flow:established,to_server; content:"/page_"; content:"Cookie|3a 20|XX=0|3b 20|BX=0"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,aaf73666cbd750ed22b80ed836d2b1e4; classtype:trojan-activity; sid:2018320; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Possible Redkit 1-4 char JNLP request"; flow:established,to_server; urilen:<11; http.uri; content:".jnlp"; endswith; nocase; fast_pattern; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; classtype:exploit-kit; sid:2016811; rev:8; metadata:created_at 2013_05_03, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"BOT/0.1 (BOT for JCE)"; depth:21; http_user_agent; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:4; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit JAR Download"; flow:established,to_server; http.uri; content:".php?id="; nocase; pcre:"/\.php\?id=[a-f0-9]{32}$/i"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016309; rev:9; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:command-and-control; sid:2018325; rev:3; metadata:created_at 2014_03_26, former_category MALWARE, updated_at 2014_03_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; http.uri; content:"/Java-SPLOIT.jar"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016521; rev:7; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Kryptik.AZER C2 SSL Stolen Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:md5,b27e0561283697c1fb1a973c37b52265; classtype:command-and-control; sid:2018328; rev:2; metadata:created_at 2014_03_27, updated_at 2014_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; http.uri; content:".swf"; offset:66; depth:4; endswith; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/i"; classtype:exploit-kit; sid:2016799; rev:5; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:2; metadata:created_at 2014_03_28, former_category CURRENT_EVENTS, updated_at 2019_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK POST Compromise POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?id="; nocase; content:"&v1="; nocase; content:"&v2="; nocase; fast_pattern; content:"&q="; nocase; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017544; rev:4; metadata:created_at 2013_09_30, updated_at 2020_09_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; flowbits:set,et.exploitkitlanding; http.uri; content:".php?"; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017554; rev:5; metadata:created_at 2013_10_03, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2014_03_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; http.uri; content:".js?cp="; fast_pattern; pcre:"/\/[A-F0-9]{8}\.js\?cp=/"; classtype:exploit-kit; sid:2017555; rev:4; metadata:created_at 2013_10_03, updated_at 2020_09_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018338; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2014_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FiestaEK js-redirect"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/"; classtype:exploit-kit; sid:2017567; rev:5; metadata:created_at 2013_10_08, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:pup-activity; sid:2018339; rev:3; metadata:created_at 2014_03_31, former_category ADWARE_PUP, updated_at 2014_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request"; flow:established,to_server; http.uri; content:"/j.php?t=u00"; fast_pattern; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2015960; rev:14; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:".text+=String.fromCharCode"; content:"35"; pcre:"/^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76/Rsi"; classtype:exploit-kit; sid:2018337; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Payload Download"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; content:"&h="; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016499; rev:16; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; http_user_agent; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; pcre:"/^\/1[34]\d{8}\.pdf$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018258; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:exploit-kit; sid:2018342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".htm"; fast_pattern; pcre:"/^\/1[34]\d{8}\.htm$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018259; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
 
-#alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:3; metadata:created_at 2014_04_02, former_category CURRENT_EVENTS, updated_at 2014_04_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Java Payload"; flow:established,to_server; http.uri; content:".mp3"; pcre:"/\/\d{6}\.mp3$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017755; rev:7; metadata:created_at 2013_11_25, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:exploit-kit; sid:2018346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight URI Struct (noalert)"; flow:established,to_server; flowbits:set,et.Nuclear.SilverLight; flowbits:noalert; http.uri; content:"/14"; fast_pattern; pcre:"/\/14\d{8}(?:\.xap)?$/"; classtype:exploit-kit; sid:2019668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3; metadata:created_at 2014_04_02, updated_at 2014_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Flash Redirector to RIG EK Dec 17 2014"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf?myid="; fast_pattern; pcre:"/\.swf\?myid=[a-zA-Z0-9]+$/"; classtype:exploit-kit; sid:2019967; rev:4; metadata:created_at 2014_12_18, updated_at 2020_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M2 Feb 06 2015"; flow:established,to_server; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$/"; classtype:exploit-kit; sid:2020644; rev:4; metadata:created_at 2015_03_07, updated_at 2020_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP MyWaySearch Products Spyware User Agent"; flow: established,to_server; content:"MyWay"; http_user_agent; reference:url,doc.emergingthreats.net/2002079; reference:url,www.funwebproducts.com; classtype:pup-activity; sid:2002079; rev:19; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/"; classtype:exploit-kit; sid:2020991; rev:4; metadata:created_at 2015_04_24, updated_at 2020_09_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016541; rev:4; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".xap"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/m"; file.data; content:"AppManifest.xaml"; fast_pattern; classtype:exploit-kit; sid:2020982; rev:5; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"Opera/9 (Windows NT "; http_user_agent; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:5; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; pcre:"/\/win\.html$/"; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/si"; classtype:exploit-kit; sid:2021292; rev:4; metadata:created_at 2015_06_18, updated_at 2020_10_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; http.uri; content:".xap"; nocase; fast_pattern; pcre:"/\/\d{2,}\.xap$/i"; classtype:exploit-kit; sid:2018402; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_10_01;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|kionic.com"; distance:1; within:11; nocase; reference:url,blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html; classtype:trojan-activity; sid:2018351; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2021786; rev:4; metadata:created_at 2015_09_16, updated_at 2020_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key="; http_uri; content:"&key2=download"; http_uri; classtype:trojan-activity; sid:2018352; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; http.uri; content:"/?keyword="; fast_pattern; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/"; classtype:exploit-kit; sid:2022493; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_10_05;)
 
-#alert http $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; http_user_agent; depth:35; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI struct Oct 24 2016  (RIG-v)"; flow:established,to_server; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"q="; content:"oq="; fast_pattern; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/"; classtype:exploit-kit; sid:2023401; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; http.header; content:"Font_Update.exe"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/mi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:social-engineering; sid:2023817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_08;)
 
-#alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3; metadata:created_at 2014_04_04, updated_at 2014_04_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; http.header; content:"Content-Disposition|3a|"; nocase; content:"|43 68 72 ce bf 6d 65|"; nocase; fast_pattern; content:"|66 ce bf 6e 74|"; nocase; content:"|2e 65 78 65|"; nocase; file.data; content:"MZ"; within:2; classtype:social-engineering; sid:2024040; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2014_04_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:exploit-kit; sid:2024055; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family terror_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:exploit-kit; sid:2018363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download"; flow:established,to_server; http.uri; content:"e=cve"; fast_pattern; pcre:"/[&?]e=cve\d{8}(?:&|$)/"; pcre:"/=[a-f0-9]{32,}(?:&|$)/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2024180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity 2"; flow:established,to_server; content:"?phid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&nn="; nocase; http_uri; content:"User-Agent|3a| z|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; classtype:trojan-activity; sid:2002780; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017"; flow:established,to_server; http.uri; content:"/d/"; content:"/?q=r4&"; fast_pattern; pcre:"/\&e=(?:cve|flash)/i"; classtype:exploit-kit; sid:2024344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CWS Related Installer"; flow:established,to_server; content:"/image_tracker.php?l="; http_uri; fast_pattern:only; content:"&x="; http_uri; content:"&deptid="; distance:0; http_uri; content:"&page"; distance:0; http_uri; content:"&unique="; distance:0; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; classtype:trojan-activity; sid:2002932; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:10; http.uri; content:"/top2.html"; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015478; rev:5; metadata:created_at 2012_07_17, updated_at 2020_10_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Capesand EK Visitor Tracking"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add_visitor.php?referrer=http"; depth:30; fast_pattern; http.header; content:"/landing.php|0d 0a|"; classtype:exploit-kit; sid:2028939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp - content"; flow:established,from_server; file_data; content:"<title>zehir3--> powered by zehir"; content:"Sistem Bilgileri"; content:"color=red>Local Adres</td"; content:"zehirhacker"; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018371; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Landing Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.htm$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028979; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:3; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Flash Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.swf$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028980; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"NetScafe"; http_user_agent; depth:8; reference:url,doc.emergingthreats.net/2003641; classtype:trojan-activity; sid:2003641; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"[Byte[]]$image = 0x4d, 0x5a,|20|"; depth:29; fast_pattern; pcre:"/^(?:0x[a-f0-9]{1,2}, ){500}/R"; classtype:exploit-kit; sid:2028982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:command-and-control; sid:2012865; rev:11; metadata:created_at 2010_12_22, former_category MALWARE, updated_at 2010_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:".xyz"; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|x-flash-version|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; depth:110; endswith; fast_pattern; classtype:exploit-kit; sid:2028973; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"__cfduid="; http.content_type; content:"image/jpeg"; bsize:10; file.data; content:"|20 2e 20|$Env|3a|comSPEC["; depth:16; nocase; fast_pattern; content:"]-joIN|27 27|)( -JoiN(|20 27|"; nocase; within:30; classtype:exploit-kit; sid:2028976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash HEAD Request"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; classtype:exploit-kit; sid:2028977; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:pup-activity; sid:2010500; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash GET Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:"|0d 0a|x-flash-version|0d 0a|"; distance:0; classtype:exploit-kit; sid:2028978; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:pup-activity; sid:2010501; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; content:"|0d 0a 0d 0a 20 28 20 27|"; fast_pattern; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"|20 28 20 27|"; depth:4; pcre:"/^[0-9_,{AbZwP&-]{2000}/R"; classtype:exploit-kit; sid:2028981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:exploit-kit; sid:2017031; rev:3; metadata:created_at 2013_06_19, updated_at 2013_06_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check JS"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"hasFlash=0x1"; content:"flashVersion=parseInt(VSwf"; distance:0; fast_pattern; content:"new RegExp('MSIE|5c|x20(|5c|x5cd+|5c|x5c.|5c|x5cd+)|3b|')|3b|"; distance:0; content:"))|3b|if(user==''){setCookie("; distance:0; content:"'data':{'data1':chk,'data2':is64,'data3':fls"; distance:0; classtype:exploit-kit; sid:2029123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3; metadata:created_at 2014_02_20, former_category CURRENT_EVENTS, updated_at 2014_02_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?callback=?&data1="; fast_pattern; content:"&data2="; distance:0; content:"&data3="; distance:0; content:"&callback=JSONP_"; distance:0; http.cookie; content:"username="; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2029124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP authorized_keys file transferred"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:2101927; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious VBS Encoding Observed in BottleEK"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; classtype:bad-unknown; sid:2029125; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?ge="; depth:13; fast_pattern; http.cookie; content:"username="; http.header_names; content:!"Referer"; classtype:exploit-kit; sid:2029126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014542; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014548; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014547; rev:7; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014544; rev:6; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; http.uri; content:"/1"; depth:2; fast_pattern; pcre:"/^[a-z0-9]{13}\.[a-z]{3}$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:exploit-kit; sid:2017731; rev:5; metadata:created_at 2013_11_20, updated_at 2020_10_28;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (9)"; flow:established,to_server; http.uri; content:".txt?f="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016976; rev:12; metadata:created_at 2013_06_06, former_category EXPLOIT_KIT, updated_at 2020_10_28;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; http.start; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; classtype:exploit-kit; sid:2022990; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_29;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Powershell Download Command Observed within Flash File - Probable EK Activity"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/x-shockwave-flash"; file.data; content:"cmd.exe /c powershell"; fast_pattern; content:"DownloadFile("; nocase; within:100; classtype:exploit-kit; sid:2028941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_30;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; endswith; http.header; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/si"; http.host; content:!"www.carrona.org"; classtype:exploit-kit; sid:2021293; rev:6; metadata:created_at 2015_06_18, updated_at 2022_05_03;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED eMule KAD Network Hello Request (2)"; dsize:27; content:"|e4 10|"; depth:2; byte_test:2,<,65535,0,relative; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009971; classtype:policy-violation; sid:2009971; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; http.uri; content:!"/"; offset:1; content:".asp"; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/"; pcre:"/[a-z].*?[a-z]/"; pcre:"/[A-Z].*?[A-Z]/"; pcre:"/\d.*?\d/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2021407; rev:6; metadata:created_at 2015_07_13, updated_at 2020_11_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Server Check-in Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00 00 00|"; content:"|40 00 00 00 00|"; distance:1; within:6; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018130; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; http.uri; content:".php?sid="; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022070; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Sending Data"; flow:established,to_server; content:"@"; pcre:"/^(?:x(?:86|64)@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; content:" OS|3a 20|Win"; within:8; content:" CPU|3a|"; distance:0; content:"Hz|2c|RAM|3a|"; distance:0; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018129; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; http.uri; content:".php?id=4"; fast_pattern; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/"; http.host; content:!".hostingcatalog.com"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022071; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"2search"; http_user_agent; fast_pattern:only; reference:url,doc.emergingthreats.net/2003335; classtype:trojan-activity; sid:2003335; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET"; http_method; content:"/stat/tuk/"; http_uri; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2012_05_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024048; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014759; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"QMvXcJ"; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE cryptodefense Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| multipart/form-data|3b 20|boundary="; pcre:"/^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27]/Rsi"; content:!"Referer"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:"filename="; fast_pattern:only; http_client_body; content:"form-data|3b| name="; pcre:"/^[\x22\x27][a-z][\x27\x22]/Ri"; classtype:command-and-control; sid:2018386; rev:2; metadata:created_at 2014_04_14, former_category MALWARE, updated_at 2014_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Loading ...<|2f|title>"; content:"|3b|base64,"; distance:0; content:"ZnVuY3Rpb24gTWFrZShDcmVkZW50aWF"; distance:0; fast_pattern; content:"ZG5zU2Vjb25kYXJ5OiAn"; distance:0; classtype:exploit-kit; sid:2027380; rev:3; metadata:created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Post-Compromise Data Dump"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/?"; depth:2; http.request_body; content:"|06 00 00 00 01 00 00 00|"; depth:8; content:"|00 00 02 00 00 00|"; offset:8; depth:16; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2027075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET MALWARE Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:command-and-control; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"=x"; fast_pattern; distance:0; pcre:"/^[HX3][^&]Q[cdM][^&]{3}[ab]R/R"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024381; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bingo EK Payload Download"; flow:established,to_server; urilen:116; http.uri; content:"/?"; depth:2; pcre:"/^\/\?[a-f0-9]{114}$/"; http.user_agent; content:"WinHttp.WinHttpRequest.5"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024367; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Bingo, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus js.js"; flow:established,to_server; content:"/js.js"; http_uri; urilen:15; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/js\.js$/U"; classtype:bad-unknown; sid:2014629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Keitaro TDS Redirect"; flow:established,from_server; http.stat_code; content:"302"; http.header; content:"LOCATION|3a 20|http"; nocase; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; fast_pattern; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/s"; http.content_type; content:"text/html|3b 20|charset=utf-8"; depth:24; endswith; classtype:exploit-kit; sid:2022466; rev:7; metadata:created_at 2016_01_28, updated_at 2020_11_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:command-and-control; sid:2018390; rev:1; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2014_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Post Exploit Payload Download"; flow:to_server,established; urilen:17; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]{16}$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.connection; content:"close"; depth:5; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; depth:38; endswith; classtype:exploit-kit; sid:2016869; rev:6; metadata:created_at 2013_05_21, updated_at 2020_11_05;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GrandSoft PDF Payload Download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.user_agent; content:"http|3a|//"; fast_pattern; startswith; http.start; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; classtype:exploit-kit; sid:2016764; rev:19; metadata:created_at 2013_04_17, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_04_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie is set RULEZ"; flow:established,to_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014612; rev:5; metadata:created_at 2012_04_18, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:command-and-control; sid:2016857; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set RULEZ"; flow:established,from_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014611; rev:5; metadata:created_at 2012_04_18, updated_at 2020_11_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Inbox View"; flow:to_server,established; content:"/ym/ShowFolder"; http_uri; nocase; content:"rb=Inbox"; nocase; reference:url,doc.emergingthreats.net/2000041; classtype:policy-violation; sid:2000041; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo VBS Payload Downloaded"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&00000111&11"; fast_pattern; endswith; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; depth:49; classtype:exploit-kit; sid:2028865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Spelevo_EK, signature_severity Major, tag Spelevo_EK, updated_at 2020_11_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message View"; flow:to_server,established; content:"/ym/ShowLetter"; nocase; http_uri; content:"MsgId"; nocase; reference:url,doc.emergingthreats.net/2000042; classtype:policy-violation; sid:2000042; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK PDF URI Struct"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; content:"/1"; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/"; http.header; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2017636; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Compose Open"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000043; classtype:policy-violation; sid:2000043; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK URI Struct"; flow:established,to_server; http.uri; content:"/3/"; fast_pattern; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/"; classtype:exploit-kit; sid:2018534; rev:6; metadata:created_at 2014_06_05, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:4; metadata:created_at 2014_01_09, updated_at 2014_01_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; http.request_line; content:"|2e 20|HTTP/1."; fast_pattern; http.uri; pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/"; classtype:exploit-kit; sid:2019176; rev:5; metadata:created_at 2014_09_16, updated_at 2020_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; content:"for("; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\x29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:4; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT PurpleFox EK Domain in DNS Lookup"; dns.query; content:"rawcdn.githack.cyou"; nocase; bsize:19; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:domain-c2; sid:2031461; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/up.php?key="; startswith; bsize:13; fast_pattern; pcre:"/^\d$/R"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.avan"; flow:to_server,established; content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"/?key="; fast_pattern; pcre:"/^[A-F0-9]{16}$/R"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"/?key="; within:400; pcre:"/^[A-F0-9]{16}\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031463; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Jpg Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; content:".jpg"; endswith; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-zA-Z0-9]{16}\/[a-f0-9]{40}\/[a-zA-Z0-9]+\.jpg$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2031466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:exploit-kit; sid:2018409; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:social-engineering; sid:2024199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2021_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect M2"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"?key="; fast_pattern; content:"&id="; distance:16; within:4; content:"&gid="; pcre:"/key=[A-F0-9]{16}&id=\d+&gid=[A-F0-9\-]+$/"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"?key="; within:400; pcre:"/^[A-F0-9]{16}(?:&|&amp\x3b)id=\d+(?:&|&amp\x3b)gid=[A-F0-9\-]+\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1378546891349106692; classtype:exploit-kit; sid:2032480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2018411; rev:2; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2014_04_23;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT Suspicious GitHack DNS Request - Possible PurpleFox EK"; flow:established,to_server; dns.query; content:".githack."; content:!".githack.com"; endswith; classtype:exploit-kit; sid:2032482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:exploit-kit; sid:2013094; rev:9; metadata:created_at 2011_06_22, former_category CURRENT_EVENTS, updated_at 2011_06_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern; content:"return parseInt"; content:"return |27 27|"; classtype:exploit-kit; sid:2017577; rev:5; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:command-and-control; sid:2013720; rev:5; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern; classtype:exploit-kit; sid:2022465; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; classtype:command-and-control; sid:2013344; rev:5; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017634; rev:8; metadata:created_at 2013_10_25, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSW.Win32.Ruftar.lon File Stealer FTP File Upload"; flow:established,to_server; content:"CWD Stealer"; classtype:trojan-activity; sid:2013346; rev:4; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:exploit-kit; sid:2021038; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; content:"/download.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; fast_pattern; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; classtype:trojan-activity; sid:2003542; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021762; rev:3; metadata:created_at 2015_09_12, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Download"; flow:established,to_server; content:"/taskmgr.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017659; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"</script></head>|0d 0a|<body>"; fast_pattern; content:" id="; pcre:"/^\s*?[\x22\x27][A-Za-z]{3,10}[\x22\x27]/R"; content:" title="; content:!"<"; within:100; pcre:"/^\s*?[\x22\x27](?=[A-Z]{0,19}[a-z]{1,19}[A-Z])[a-zA-Z]{14,20}[\x22\x27][^<>]*?>(?=[A-Za-z]{0,99}\d)[A-Za-z0-9\x20]{100}/R"; classtype:exploit-kit; sid:2020354; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:6; metadata:created_at 2013_11_04, updated_at 2013_11_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021044; rev:3; metadata:created_at 2015_05_01, updated_at 2022_03_17;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_24, updated_at 2014_04_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 14 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern; content:"|24 2c|"; distance:0; pcre:"/^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c/R"; classtype:exploit-kit; sid:2020180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:command-and-control; sid:2014272; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016493; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:command-and-control; sid:2014271; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Job314 EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"embedSWF(|22|index.swf?action=swf|22|"; fast_pattern; content:"src=|22|index.js?action=swfobject|22|"; classtype:exploit-kit; sid:2019689; rev:4; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:exploit-kit; sid:2021374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:from_server,established; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:2; metadata:created_at 2014_04_28, former_category CURRENT_EVENTS, updated_at 2014_04_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern; classtype:exploit-kit; sid:2023513; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED My Search Bar Install"; flow: to_server,established; content:"/mysetup.exe"; nocase; http_uri; fast_pattern:only;  reference:url,www.2-spyware.com/parasite-my-search-bar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; classtype:trojan-activity; sid:2001040; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:exploit-kit; sid:2021064; rev:4; metadata:created_at 2015_05_07, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016490; rev:13; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:exploit-kit; sid:2016721; rev:5; metadata:created_at 2013_04_04, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern; pcre:"/^\d+\x3b/R"; classtype:exploit-kit; sid:2021338; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 01 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22| title="; within:29; fast_pattern; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020342; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_01, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016492; rev:13; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Password Stealer Checkin URL Detected"; flow:established,to_server; content:"method=get"; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&type="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006384; classtype:trojan-activity; sid:2006384; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"xmlhttp.open(|22|POST|22|, |22|/foo|22|, false)|3b|"; fast_pattern; content:"xmlhttp.send(sendstr)|3b|"; distance:0; classtype:exploit-kit; sid:2019690; rev:4; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download April 28 2014"; flow:established,from_server; file_data; content:"|ff d1 4e 8d|"; within:4; classtype:trojan-activity; sid:2018422; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern; content:"|3a|stroke"; nocase; classtype:exploit-kit; sid:2017852; rev:3; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Nov 4 2014"; flow:established,from_server; file_data; content:"var main_request_data_content"; within:29; fast_pattern; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:exploit-kit; sid:2019642; rev:3; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4; metadata:created_at 2014_04_30, former_category CURRENT_EVENTS, updated_at 2014_04_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK"; flow:established,from_server; file_data; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; pcre:"/^[^\x27]+[\x27]\s*/R"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern; within:93; isdataat:!3,relative; classtype:exploit-kit; sid:2019798; rev:4; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT 32-byte by 32-byte PHP EK Gate with HTTP POST"; flow:established,to_server; urilen:72; content:"POST"; http_method; content:".php?q="; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; classtype:exploit-kit; sid:2018442; rev:3; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2021746; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Spy.Win32.Zbot.hmcm Checkin"; flow:established,to_server; content:"/b/"; depth:3; http_uri; pcre:"/^\/b\/(eve|opt|req)\/[\-f0-9A-F]{24}$/U"; reference:md5,291b5ce96b3932944a32031d33bc8cfc; classtype:trojan-activity; sid:2018437; rev:4; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 06 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern; pcre:"/^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{/Rs"; classtype:exploit-kit; sid:2020103; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:exploit-kit; sid:2022479; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert tcp any any -> any 443 (msg:"ET DELETED Potential Selfint C2 traffic (from client)"; flow: from_client,established; content:"PuTTY-Local|3a| Feb 5 2013 18|3a|27|3a|27"; classtype:command-and-control; sid:2018450; rev:7; metadata:created_at 2014_05_05, updated_at 2014_05_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:exploit-kit; sid:2022779; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:exploit-kit; sid:2018441; rev:10; metadata:created_at 2014_05_02, former_category CURRENT_EVENTS, updated_at 2014_05_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|visibility|3a|hidden|22| title="; within:34; fast_pattern; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020352; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015846; rev:3; metadata:created_at 2012_10_27, updated_at 2012_10_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021043; rev:3; metadata:created_at 2015_05_01, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:command-and-control; sid:2014356; rev:5; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:exploit-kit; sid:2024037; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"umbra"; depth:5; nocase; http_user_agent; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern; content:"spawAnyone("; nocase; distance:0; classtype:exploit-kit; sid:2016927; rev:12; metadata:created_at 2013_05_25, updated_at 2022_03_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; file_data; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:2; metadata:created_at 2014_05_09, former_category WEB_SERVER, updated_at 2014_05_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016240; rev:6; metadata:created_at 2013_01_18, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021090; rev:4; metadata:created_at 2015_05_13, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Gate"; flow:established,from_server; file_data; content:"AgControl.AgControl"; content:"document.cookie.indexOf|28 22|xap|22 29|"; fast_pattern; content:"Math.random()|3b|"; classtype:exploit-kit; sid:2019183; rev:4; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Jar Download Method 2"; flow:established,from_server; content:"Content-Type|3a 20|application/octed-stream"; http_header; fast_pattern; flowbits:isset,ET.http.javaclient; classtype:exploit-kit; sid:2018545; rev:4; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Injected iframe Oct 22 2014"; flow:established,from_server; file_data; content:"|2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29|"; within:93; fast_pattern; classtype:exploit-kit; sid:2019497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:4; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29  29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74  6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern; classtype:exploit-kit; sid:2021544; rev:3; metadata:created_at 2015_07_28, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DELETED SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:exploit-kit; sid:2017408; rev:4; metadata:created_at 2013_09_03, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Unrecom Download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Unrecom"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018466; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2021249; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Activity"; flow:established,to_server; content:"|c3 b8 ba ab a0 bc b0 b1 c1 7c|"; depth:10; content:"|7c|N|7c|"; within:200; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018467; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016491; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Directory Listing Sent To Server"; flow:established,to_server; content:"|7C|DIR#0#bin|7C|DIR#0"; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018468; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:exploit-kit; sid:2023074; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2013.php"; flow:established,to_server; content:"/flash2013.php"; http_uri; nocase; classtype:exploit-kit; sid:2018470; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:exploit-kit; sid:2023480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, signature_severity Major, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash2014.php"; flow:established,to_server; content:"/flash2014.php"; http_uri; nocase; classtype:exploit-kit; sid:2018471; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:exploit-kit; sid:2018472; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; endswith; classtype:exploit-kit; sid:2029122; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2022_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Alina.POS-Trojan CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/insidee/loading.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| InfoPath.1 Spark v1.1|0D 0A|"; http_header; reference:url,pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf; classtype:command-and-control; sid:2018473; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,to_client; content:"ashburn@gmail.com"; fast_pattern; classtype:exploit-kit; sid:2015717; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED TROJAN Downloader.Win32.Tesch.A Client CnC Checkin"; flow:established,to_server; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018476; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_15, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Downloading Payload"; flow:established,to_server; http.uri; content:"get"; content:"?src="; fast_pattern; distance:0; content:"snet"; endswith; pcre:"/\?src=[a-z]+snet$/"; http.user_agent; content:" WinHttp.WinHttpRequest"; classtype:exploit-kit; sid:2016566; rev:5; metadata:created_at 2013_03_14, updated_at 2022_04_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_16, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file.data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri"; content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:exploit-kit; sid:2017177; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Webprefix checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^Accept\x3a\x20\*\/\*\r\nConnection\x3a\x20close\r\nHost\x3a\x20[^\r\n\x2e]+\x2e[^\r\n\x2e]+(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/H"; reference:md5,8284c2202342102000ae9a04dd07bb76; classtype:command-and-control; sid:2018481; rev:8; metadata:created_at 2012_01_23, former_category MALWARE, updated_at 2017_11_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 14 2016"; flow:established,to_client; file.data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R"; content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:exploit-kit; sid:2022898; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023272; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"x7soyTdaNq94NWpdLGZ4NWpd"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_21, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"MlADchNaR0LGZ4NWpdLGZ4N"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"azTEhyWNbKGpdLGZ4NWpdLG"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017 M2"; flow:established,to_client; file.data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri"; content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:exploit-kit; sid:2024093; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"update"; depth:6; http_user_agent; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:pup-activity; sid:2001225; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643"; flow:established,to_client; file.data; content:"|4e6f636e636f4d7a49334e6a6370|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024361; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Styx/Angler EK SilverLight Exploit 2"; flow:established,from_server; file_data; content:"PK"; within:2; content:"fotosaster.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2018498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017"; flow:established,to_client; flowbits:isset,ET.DisDain.EK; http.stat_code; content:"200"; file.data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0; within:75; classtype:exploit-kit; sid:2024612; rev:4; metadata:created_at 2017_08_23, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15"; dns.query; content:"ctgame.tk"; nocase; bsize:9; reference:url,twitter.com/nao_sec/status/1381100024919035908; classtype:domain-c2; sid:2032764; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:exploit-kit; sid:2018501; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Suspicious GitHack TLS SNI Request - Possible PurpleFox EK"; flow:established,to_server; tls.sni; content:".githack."; content:!".githack.com"; endswith; classtype:exploit-kit; sid:2032481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:exploit-kit; sid:2018502; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:exploit-kit; sid:2018342; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, deprecation_reason Relevance, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:exploit-kit; sid:2018503; rev:2; metadata:created_at 2014_05_28, former_category CURRENT_EVENTS, updated_at 2014_05_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:exploit-kit; sid:2017823; rev:3; metadata:created_at 2013_12_10, former_category EXPLOIT_KIT, updated_at 2013_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:4; metadata:created_at 2014_05_13, former_category MALWARE, updated_at 2014_05_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:exploit-kit; sid:2017849; rev:3; metadata:created_at 2013_12_13, former_category EXPLOIT_KIT, updated_at 2013_12_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_29, updated_at 2014_05_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:exploit-kit; sid:2021039; rev:3; metadata:created_at 2015_04_30, deprecation_reason False_Positive, former_category EXPLOIT_KIT, updated_at 2015_04_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/MadnessPro.DDOSBot CnC Beacon"; flow:established,to_server; content:"/?uid="; http_uri; content:"&ver="; http_uri; content:"&mk="; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:command-and-control; sid:2018424; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018510; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; classtype:attempted-admin; sid:2003369; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted binary (7)"; flow:established,to_client; file_data; content:"|0b 28 ff 53 4b 75 39 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_31, deployment Perimeter, former_category TROJAN, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; classtype:attempted-admin; sid:2003378; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:2; metadata:created_at 2014_06_02, former_category CURRENT_EVENTS, updated_at 2014_06_02;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:exploit-kit; sid:2018330; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; classtype:attempted-admin; sid:2000031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole FBI Zeus P2P 1 - 142.0.36.234"; content:"|00 01 00 01|"; content:"|00 04 8e 00 24 ea|"; distance:4; within:6; classtype:trojan-activity; sid:2018517; rev:1; metadata:created_at 2014_06_04, updated_at 2014_06_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; classtype:attempted-admin; sid:2000049; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:exploit-kit; sid:2018535; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; classtype:attempted-dos; sid:2000007; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:exploit-kit; sid:2018536; rev:2; metadata:created_at 2014_06_05, former_category CURRENT_EVENTS, updated_at 2014_06_05;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; classtype:attempted-dos; sid:2000005; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Java Jar"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:exploit-kit; sid:2017467; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; classtype:attempted-user; sid:2003039; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET INFO tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; classtype:successful-dos; sid:2007876; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET MALWARE TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; classtype:web-application-attack; sid:2008776; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; classtype:web-application-attack; sid:2008777; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; file_data; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:exploit-kit; sid:2018544; rev:2; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2014_06_09;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; pcre:"/module=[^\;]*\;.*\"/UGi"; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 1"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009679; classtype:web-application-attack; sid:2009679; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; classtype:bad-unknown; sid:2001023; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 2"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"xss|3a|expression"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009680; classtype:web-application-attack; sid:2009680; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; classtype:bad-unknown; sid:2001024; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 3"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009681; classtype:web-application-attack; sid:2009681; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; classtype:misc-activity; sid:2001195; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 4"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"javascript"; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009682; classtype:web-application-attack; sid:2009682; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; classtype:shellcode-detect; sid:2001369; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 5"; flow:to_server,established; uricontent:"/posting.php"; content:"color="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009683; classtype:web-application-attack; sid:2009683; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; classtype:shellcode-detect; sid:2001363; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Phorum Possible Javascript/Remote-File-Inclusion 6"; flow:to_server,established; uricontent:"/posting.php"; content:"size="; nocase; content:"|3a|url("; within: 20; nocase; reference:url,www.securityfocus.com/bid/12869; reference:url,www.milw0rm.com/exploits/9231; reference:url,doc.emergingthreats.net/2009684; classtype:web-application-attack; sid:2009684; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; classtype:shellcode-detect; sid:2001364; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit Landing Page Requested"; flow:established,to_server; content:"/load_module.php?user="; http_uri; depth:22; pcre:"/^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; classtype:exploit-kit; sid:2018562; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; classtype:misc-activity; sid:2001374; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit SWF Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".swf"; http_uri; distance:1; within:5; pcre:"/^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2013-0634; reference:cve,2014-0515; classtype:exploit-kit; sid:2018563; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; classtype:misc-attack; sid:2001668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:exploit-kit; sid:2018564; rev:2; metadata:created_at 2014_06_13, former_category EXPLOIT_KIT, updated_at 2014_06_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; classtype:misc-activity; sid:2001848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; classtype:misc-activity; sid:2001849; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; classtype:misc-activity; sid:2001873; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)"; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:2; metadata:created_at 2014_06_17, former_category HUNTING, updated_at 2014_06_17;)
+#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; classtype:misc-activity; sid:2001874; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:exploit-kit; sid:2018573; rev:3; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; classtype:attempted-dos; sid:2003067; rev:5; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:exploit-kit; sid:2018577; rev:2; metadata:created_at 2014_06_17, former_category CURRENT_EVENTS, updated_at 2014_06_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; classtype:attempted-admin; sid:2002845; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004838; classtype:web-application-attack; sid:2004838; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; classtype:attempted-user; sid:2000488; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET 3000:8000 -> $HOME_NET any (msg:"ET DELETED Unknown Trojan P2P Data Download"; flow:established,from_server; dsize:>1000; content:"|00 00 00|"; depth:5; offset:2; content:"|00 01 01 00 00 05 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_dst; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008770; classtype:trojan-activity; sid:2008770; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000373; classtype:attempted-user; sid:2000373; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Download Request"; flow:established,to_server; dsize:<100; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 08 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008771; classtype:trojan-activity; sid:2008771; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000377; classtype:attempted-admin; sid:2000377; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3000:8000 (msg:"ET DELETED Unknown Trojan P2P Request"; flow:established,to_server; dsize:<60; content:"|00 00 00 00|"; depth:5; offset:1; content:"|00 01 01 00 00 03 00 00|"; distance:1; within:9; threshold: type both, count 5, seconds 120, track by_src; reference:url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/; reference:url,doc.emergingthreats.net/2008772; classtype:trojan-activity; sid:2008772; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000378; classtype:attempted-dos; sid:2000378; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2018583; rev:4; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000379; classtype:attempted-dos; sid:2000379; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:4; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2014_02_01;)
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; classtype:attempted-admin; sid:2000380; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018593; rev:2; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; reference:url,doc.emergingthreats.net/2009999; classtype:attempted-user; sid:2009999; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:exploit-kit; sid:2018595; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_06_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; reference:url,doc.emergingthreats.net/2010000; classtype:attempted-user; sid:2010000; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET DELETED EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; classtype:attempted-dos; sid:2000381; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001988; classtype:attempted-admin; sid:2001988; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32/Tesch.A Checkin"; flow:to_server,established; dsize:<100; content:"|01 00 30 01 01 00|"; fast_pattern; depth:6; content:!"|00|"; distance:3; within:1; content:"|00|"; distance:4; within:1; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; reference:md5,f2e5900061c5ac470fa005580681be94; reference:md5,872763d48730506af7eee0bf22c2f47b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FTesch.A; classtype:trojan-activity; sid:2018611; rev:5; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,support.microfocus.com/kb/doc.php?id=7006374; reference:url,doc.emergingthreats.net/2011235; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4; metadata:created_at 2014_05_08, former_category CURRENT_EVENTS, updated_at 2014_05_08;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002886; classtype:attempted-admin; sid:2002886; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:exploit-kit; sid:2018613; rev:3; metadata:created_at 2014_06_28, former_category CURRENT_EVENTS, updated_at 2014_06_28;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002887; classtype:attempted-admin; sid:2002887; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018616; rev:1; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2014_06_30;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; reference:url,doc.emergingthreats.net/bin/view/Main/2002888; classtype:attempted-admin; sid:2002888; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:exploit-kit; sid:2016059; rev:14; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; reference:url,doc.emergingthreats.net/2010375; classtype:attempted-admin; sid:2010375; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Alexa Search Toolbar User-Agent (Alexa Toolbar)"; flow: to_server,established; content:" Alexa Toolbar|3b|"; http_header; reference:url,www.spywareguide.com/product_show.php?id=418; reference:url,doc.emergingthreats.net/2002166; classtype:trojan-activity; sid:2002166; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message|0d 0a|"; distance:0; pcre:"/[^a-zA-Z0-9]+\.message/"; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003196; classtype:misc-attack; sid:2003196; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:exploit-kit; sid:2018606; rev:4; metadata:created_at 2014_06_26, former_category CURRENT_EVENTS, updated_at 2014_06_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; reference:url,doc.emergingthreats.net/bin/view/Main/2003197; classtype:misc-attack; sid:2003197; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:exploit-kit; sid:2018493; rev:4; metadata:created_at 2014_05_21, former_category CURRENT_EVENTS, updated_at 2014_05_21;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000565; classtype:suspicious-login; sid:2000565; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000566; classtype:suspicious-login; sid:2000566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018625; rev:5; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2014_07_02;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; reference:url,doc.emergingthreats.net/bin/view/Main/2000564; classtype:misc-attack; sid:2000564; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; reference:url,doc.emergingthreats.net/bin/view/Main/2000567; classtype:misc-attack; sid:2000567; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001053; classtype:misc-activity; sid:2001053; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:command-and-control; sid:2018645; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2014_07_07;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001544; classtype:misc-activity; sid:2001544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 999servers.com"; flow:established,to_client; content:"|55 04 03|"; content:"|10|*.999servers.com"; distance:1; within:17; reference:md5,b9ffad739bb47a0e4619b76af51d9a74; classtype:trojan-activity; sid:2018647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001052; classtype:misc-activity; sid:2001052; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert July 7 2014"; flow:established,from_server; content:"|16 03 00|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"smalbach2424@hotmail.com"; distance:2; within:24; reference:md5,52084660d2ae0ee8f033621a9252cfb9; classtype:trojan-activity; sid:2018651; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001543; classtype:misc-activity; sid:2001543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:6; metadata:created_at 2014_05_28, updated_at 2014_05_28;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001753; classtype:suspicious-login; sid:2001753; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Enfal.F Checkin via HTTP Post 7"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/Owpp4.cgi"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; content:!"Referer|3a 20|"; pcre:"/^[^\r\n]{15}\x5f[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}\x2d[^\r\n]{2}/m"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; classtype:trojan-activity; sid:2018665; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001754; classtype:suspicious-login; sid:2001754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2014_07_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002912; classtype:misc-activity; sid:2002912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:exploit-kit; sid:2018668; rev:5; metadata:created_at 2014_07_12, former_category CURRENT_EVENTS, updated_at 2014_07_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002913; classtype:misc-activity; sid:2002913; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:4; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002914; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002918; classtype:misc-activity; sid:2002918; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert new-install.privatedns.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|1a|new-install.privatedns.com"; distance:1; within:27; fast_pattern; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|1e|ssl@new-install.privatedns.com"; distance:1; within:31; reference:md5,280a3a944878d57bc44ead271a0cc457; classtype:trojan-activity; sid:2018672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002924; classtype:misc-activity; sid:2002924; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert July 14 2014"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|groberts.com.au"; distance:1; within:16; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|info@dctreasure.com"; distance:1; within:20; reference:md5,9f48eb74687492978259edb8f79ac397; classtype:trojan-activity; sid:2018673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002923; classtype:misc-activity; sid:2002923; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert faithmentoringandmore.com"; flow:established,to_client; content:"|55 04 03|"; content:"|1d|www.faithmentoringandmore.com"; distance:1; within:31; reference:md5,b5df3ba04c987692929f35d9c64e0c0d; classtype:trojan-activity; sid:2018674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Good Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002919; classtype:attempted-admin; sid:2002919; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DDoS bot Antiq IRC"; flow:established,to_server; content:"PRIVMSG|20|#"; content:"status checking progam online"; within:60; reference:url,deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2018675; rev:1; metadata:created_at 2014_07_14, updated_at 2014_07_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002915; classtype:attempted-admin; sid:2002915; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:5; metadata:created_at 2014_07_16, former_category CURRENT_EVENTS, updated_at 2014_07_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002916; classtype:attempted-admin; sid:2002916; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; reference:url,doc.emergingthreats.net/bin/view/Main/2002917; classtype:successful-admin; sid:2002917; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:2; metadata:created_at 2014_07_04, updated_at 2014_07_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002921; classtype:attempted-admin; sid:2002921; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008517; classtype:attempted-user; sid:2008517; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2008518; classtype:attempted-user; sid:2008518; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018692; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:url,doc.emergingthreats.net/bin/view/Main/2008426; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018696; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001385; classtype:shellcode-detect; sid:2001385; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018494; rev:2; metadata:attack_target Client_and_Server, created_at 2014_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference:url,online.securityfocus.com/archive/1/293844; reference:url,doc.emergingthreats.net/bin/view/Main/2001780; classtype:attempted-admin; sid:2001780; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:exploit-kit; sid:2018737; rev:2; metadata:created_at 2014_07_18, former_category CURRENT_EVENTS, updated_at 2014_07_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003411; reference:cve,2007-0882; classtype:attempted-user; sid:2003411; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:pup-activity; sid:2000908; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:url,doc.emergingthreats.net/bin/view/Main/2003412; reference:cve,2007-0882; classtype:attempted-user; sid:2003412; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:pup-activity; sid:2000909; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:pup-activity; sid:2000910; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010941; classtype:attempted-user; sid:2010941; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:pup-activity; sid:2000911; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; reference:url,doc.emergingthreats.net/bin/view/Main/2000342; classtype:misc-attack; sid:2000342; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:pup-activity; sid:2000912; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003198; classtype:non-standard-protocol; sid:2003198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:pup-activity; sid:2000913; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003199; classtype:non-standard-protocol; sid:2003199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:pup-activity; sid:2000914; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; reference:url,doc.emergingthreats.net/bin/view/Main/2003434; classtype:attempted-admin; sid:2003434; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:pup-activity; sid:2000915; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002062; classtype:attempted-admin; sid:2002062; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:pup-activity; sid:2000916; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2002068; classtype:attempted-recon; sid:2002068; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:pup-activity; sid:2000917; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002181; classtype:default-login-attempt; sid:2002181; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:pup-activity; sid:2000918; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002182; classtype:misc-attack; sid:2002182; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:pup-activity; sid:2003404; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002734; classtype:attempted-user; sid:2002734; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:pup-activity; sid:2003389; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; reference:url,doc.emergingthreats.net/2010759; classtype:attempted-admin; sid:2010759; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 21 July 2014"; flow:to_client,established; file_data; content:"jquery_datepicker=|27|"; pcre:"/[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018751; rev:2; metadata:created_at 2014_07_22, former_category EXPLOIT_KIT, updated_at 2014_07_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; classtype:misc-attack; sid:2002316; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence Kaspersky AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|kl1.sys"; nocase; pcre:"/^[\x22\x27]/Rs"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018756; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; classtype:misc-attack; sid:2002315; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT XMLDOM Check for Presence TrendMicro AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|tm"; nocase; pcre:"/^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]/Rsi"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:exploit-kit; sid:2018757; rev:2; metadata:created_at 2014_07_23, former_category CURRENT_EVENTS, updated_at 2014_07_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"|3b 00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000372; classtype:attempted-user; sid:2000372; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert twitterbacklinks.com"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.twitterbacklinks.com"; distance:1; within:25; reference:md5,4cb5a748416b9f03d875245437344177; classtype:trojan-activity; sid:2018758; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007875; classtype:web-application-attack; sid:2007875; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f4 4b cc 89 9e b7 45 a8|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:md5,55f8682aab1089b68a8a391b927d7a74; classtype:trojan-activity; sid:2018759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000563; classtype:misc-attack; sid:2000563; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018767; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000568; classtype:misc-attack; sid:2000568; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018768; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003400; classtype:web-application-attack; sid:2003400; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003401; classtype:web-application-attack; sid:2003401; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cactussports.com"; distance:1; within:17; reference:md5,fe557165290ae68b768591eb746fa1c5; classtype:trojan-activity; sid:2018777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003402; classtype:web-application-attack; sid:2003402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.yellowdevilgear.com"; distance:1; within:24; reference:md5,2def687d8159d7859e86855b6c4a20c8; classtype:trojan-activity; sid:2018778; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003403; classtype:web-application-attack; sid:2003403; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|www.michaelswinecellar.com"; distance:1; within:27; reference:md5,c9869431ad760912a553a63266173442; classtype:trojan-activity; sid:2018779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002783; classtype:trojan-activity; sid:2002783; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|migsparkle.com"; distance:1; within:15; reference:md5,bc74dd7e0350ad7ad8f75ca0de6fb9dc; classtype:trojan-activity; sid:2018780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; reference:url,www.mullingsecurity.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002784; classtype:trojan-activity; sid:2002784; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"<!DOCTYPE html PUBLIC"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2; metadata:created_at 2014_07_25, updated_at 2014_07_25;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; reference:url,doc.emergingthreats.net/2010783; classtype:suspicious-filename-detect; sid:2010783; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018745; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"<!DOCTYPE"; nocase; distance:0; content:"<!ENTITY"; nocase; distance:0; content:"<soapenv|3A|Envelope"; nocase; distance:0; content:"<ns1|3A|Username>"; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1; metadata:created_at 2010_09_27, former_category EXPLOIT, updated_at 2010_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; content:!"|0d 0a|"; within:150; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:cve,2009-3023; classtype:attempted-admin; sid:2009828; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.1stopmall.us"; distance:1; within:17; reference:md5,b833914b8171bc8f400b41449c3ef06b; classtype:trojan-activity; sid:2018791; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST"; http_method; nocase; content:"/error.php?"; nocase; http_uri; content:"err="; nocase; http_uri; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; classtype:web-application-attack; sid:2003332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing June 28 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"hex2bin"; fast_pattern:only; content:"eval"; pcre:"/^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\(/Rsi"; classtype:exploit-kit; sid:2018794; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization|3a|"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; classtype:web-application-attack; sid:2007874; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; pcre:"/^[\x22\x27]/R"; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018795; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+#alert http any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; pcre:"/^[\x22\x27]/R"; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018796; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:2; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:exploit-kit; sid:2018797; rev:5; metadata:created_at 2014_07_28, former_category CURRENT_EVENTS, updated_at 2014_07_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:exploit-kit; sid:2012518; rev:2; metadata:created_at 2011_03_17, former_category CURRENT_EVENTS, updated_at 2011_03_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:command-and-control; sid:2018798; rev:2; metadata:created_at 2014_07_29, former_category MALWARE, updated_at 2014_07_29;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3; metadata:created_at 2014_07_26, updated_at 2014_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3; metadata:created_at 2011_04_06, former_category CURRENT_EVENTS, updated_at 2011_04_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2; metadata:created_at 2011_04_13, former_category CURRENT_EVENTS, updated_at 2011_04_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|fxbingpanel.fareexchange.co.uk"; distance:1; within:31; reference:md5,3c4e0c0e4dbe2bf0e4d3ca825b95209c; classtype:trojan-activity; sid:2018803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|11|66h.66hosting.net"; distance:1; within:18; reference:md5,f9c0bc6e8c08acbe520df0ab6efcd962; classtype:trojan-activity; sid:2018804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101900; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|businesswebstudios.com"; distance:1; within:23; reference:md5,b8ca6c78deeb448421073a65f708c34e; classtype:trojan-activity; sid:2018805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101901; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101894; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018786; rev:3; metadata:created_at 2014_07_26, former_category CURRENT_EVENTS, updated_at 2014_07_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101895; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; content:".passinggas.net"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.passinggas\.net(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2018847; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101896; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10; content:"|0a|passinggas|03|net|00|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2018848; rev:1; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101897; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.senorwooly.com"; distance:1; within:19; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 2"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101898; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 3"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101899; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:domain-c2; sid:2018852; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:social-engineering; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:5; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+#alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|chinasemservice.com"; distance:1; within:20; reference:md5,c2ecc111018491cee3853e2c93472bb9; classtype:trojan-activity; sid:2018868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"GPL EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:2101751; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; distance:1; within:23; reference:md5,b5b97b4da688aaa6ddbdb6a6e567ffba; classtype:trojan-activity; sid:2018870; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, former_category CURRENT_EVENTS, updated_at 2011_06_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Command Prompt OUTBOUND"; flow:established,to_server; content:"Microsoft Windows"; content:"[Version|20|"; distance:0; pcre:"/^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration)/Ri"; content:"|0d 0a 0d 0a|C|3a 5c 3e|"; fast_pattern; distance:0; isdataat:!2,relative; classtype:trojan-activity; sid:2018885; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:coin-mining; sid:2018896; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Coinminer, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:"<param name="; nocase; content:"value="; nocase; distance:0; content:"|2E|swf?info="; fast_pattern; nocase; distance:0; pcre:"/value\x22[^\x22]*\x2Eswf\x3finfo\x3D/smi"; reference:url,stopmalvertising.com/malware-reports/all-ur-swf-bel0ng-2-us-analysis-of-cve-2011-2110.html; reference:bid,48268; reference:cve,2011-2110; classtype:attempted-user; sid:2013137; rev:3; metadata:created_at 2011_06_30, former_category CURRENT_EVENTS, updated_at 2011_06_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:exploit-kit; sid:2017474; rev:4; metadata:created_at 2013_09_17, former_category EXPLOIT_KIT, updated_at 2013_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; content:"/xslt"; http_uri; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_client_body; content:"&PASSWORD="; http_client_body; distance:0; content:"&PASSWORD_CONF="; http_client_body; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:2; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:exploit-kit; sid:2017487; rev:4; metadata:created_at 2013_09_19, former_category CURRENT_EVENTS, updated_at 2013_09_19;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3; metadata:created_at 2011_07_19, updated_at 2011_07_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; fast_pattern; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_28, former_category CURRENT_EVENTS, updated_at 2011_05_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyre SSL Self-Signed Cert Aug 06 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|94.23.236.54"; distance:1; within:13; reference:md5,384a3c3a250341aa7f7c6aba11467afb; classtype:trojan-activity; sid:2018903; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert ssh $HOME_NET any -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:4; metadata:created_at 2011_07_01, updated_at 2011_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:5; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/dnscfg.cgi"; http_uri; content:"dnsPrimary="; http_client_body; content:"&dnsSecondary="; http_client_body; content:"&dnsDynamic="; http_client_body; content:"&dnsRefresh="; http_client_body; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:3; metadata:created_at 2011_11_18, updated_at 2011_11_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2; metadata:created_at 2010_09_23, former_category EXPLOIT, malware_family Arkei, updated_at 2010_09_23;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:exploit-kit; sid:2014027; rev:2; metadata:created_at 2011_12_13, former_category CURRENT_EVENTS, updated_at 2011_12_13;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:exploit-kit; sid:2011972; rev:3; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:exploit-kit; sid:2011973; rev:3; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; tls.fingerprint:"4c:1c:1a:aa:58:80:31:74:58:79:8a:04:db:76:42:8e:ce:55:f1:40"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018703; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; nocase; http_uri; content:"cache="; nocase; content:"OvJavaLocale="; nocase; within:15; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.HavexSysinfo Response"; flow:from_server,established; file_data; content:"<!--havexhavex-->"; fast_pattern:only; reference:url,securelist.com/blog/research/65240/energetic-bear-more-like-a-crouching-yeti/; reference:md5,bdd1d473a56607ec366bb2e3af5aedea; reference:url,802bba9d078a09530189e95e459adcdf; classtype:trojan-activity; sid:2018921; rev:2; metadata:created_at 2014_08_11, updated_at 2014_08_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018922; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018923; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018924; rev:2; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL EXPLOIT rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2102047; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; classtype:trojan-activity; sid:2017346; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2102039; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4; metadata:created_at 2011_04_01, former_category CURRENT_EVENTS, updated_at 2011_04_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRISM Backdoor"; content:"PRISM v"; pcre:"/^\d+?\.\d+?\sstarted/R"; classtype:trojan-activity; sid:2017314; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102552; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK PluginDetect URI Struct"; flow:to_server,established; content:"/log.html?"; http_uri; content:"java="; http_uri; content:"gie="; http_uri; content:"header="; http_uri; classtype:exploit-kit; sid:2018930; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102553; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"/ie8910.html"; http_uri; classtype:exploit-kit; sid:2018931; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102554; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:domain-c2; sid:2018935; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102555; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018939; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:432,relative; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ClickFraud Trojan Socks5 Connection"; flow:to_server,established; content:"socks5init|3a|"; depth:11; threshold: type limit,track by_src, count 1, seconds 300; flowbits:set,ET.2018855; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; classtype:trojan-activity; sid:2018855; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102557; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ClickFraud Trojan Socks5 Init Response"; flow:established,from_server; flowbits:isset,ET.2018855; dsize:6<>9; content:"|fe|"; depth:1; content:"|1f|"; distance:4; within:1; reference:md5,de31e17ff4b3791c92a93b72d779e61f; classtype:trojan-activity; sid:2018941; rev:2; metadata:created_at 2014_08_14, updated_at 2014_08_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102558; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018942; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102559; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018943; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102560; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018944; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:2; metadata:created_at 2012_03_06, former_category CURRENT_EVENTS, updated_at 2012_03_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018947; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:exploit-kit; sid:2018950; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; classtype:attempted-dos; sid:2003750; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode IE"; flow:established,from_server; file_data; content:"|f1 f4 c2 a2 8b 34 6e 68|"; within:8; classtype:exploit-kit; sid:2018954; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Silverlight"; flow:established,from_server; file_data; content:"|f1 fc f4 ff 87 6a 66 67|"; within:8; classtype:exploit-kit; sid:2018955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; reference:url,doc.emergingthreats.net/bin/view/Main/2007584; classtype:misc-attack; sid:2007584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Flash"; flow:established,from_server; file_data; content:"|e7 c4 a6 c1 9d 79 53 59|"; within:8; classtype:exploit-kit; sid:2018956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5; metadata:created_at 2010_12_27, updated_at 2010_12_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Encoded Shellcode Java"; flow:established,from_server; file_data; content:"|d6 e2 ff c3 a1 75 39 68|"; within:8; classtype:exploit-kit; sid:2018957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; classtype:attempted-admin; sid:2001217; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c|"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018963; rev:2; metadata:created_at 2014_08_19, former_category CURRENT_EVENTS, updated_at 2014_08_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; http_uri; nocase; content:"SecurityMode=0"; nocase; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; classtype:attempted-admin; sid:2003072; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M3"; flow:established,from_server; file_data; content:"<script>function z("; content:"createElement|28 22|iframe|22 29|"; distance:0; content:".style.left = |22|-"; content:".style.top = |22|-"; content:"|3b|}z()|3b|</script></body></html>"; distance:0; fast_pattern; classtype:exploit-kit; sid:2018965; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
+#alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, updated_at 2012_03_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; pcre:"/^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27]/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018966; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5; metadata:created_at 2012_03_26, former_category CURRENT_EVENTS, updated_at 2012_03_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:exploit-kit; sid:2018967; rev:2; metadata:created_at 2014_08_20, former_category CURRENT_EVENTS, updated_at 2014_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, former_category EXPLOIT, malware_family Arkei, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:domain-c2; sid:2018748; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; http_uri; nocase; content:"input|3D|smb|3A 2F|"; http_uri; nocase; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:exploit-kit; sid:2014891; rev:1; metadata:created_at 2012_06_14, former_category CURRENT_EVENTS, updated_at 2012_06_14;)
 
-#alert tcp $EXTERNAL_NET [!21,!22,!23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5; metadata:created_at 2011_04_04, former_category CURRENT_EVENTS, updated_at 2011_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hoic.zip retrieval"; flow:from_server,established; file_data; content:"Hoic/buttons2/PK"; content:"Hoic/buttons2/buttons.rar"; distance:0; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018976; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:md5,37207835e128516fe17af3dacc83a00c; reference:md5,e7d9bc670d69ad8a6ad2784255324eec; classtype:command-and-control; sid:2016913; rev:5; metadata:created_at 2011_05_17, former_category MALWARE, updated_at 2011_05_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3; metadata:created_at 2012_07_07, former_category CURRENT_EVENTS, updated_at 2012_07_07;)
 
-#alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Info Stealer - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Type|3a| multipart/form-data|3b| boundary|3d|"; nocase; content:"name=\"id\"|0d 0a|"; nocase; content:"name=\"upt\"|0d 0a|"; nocase; content:"name=\"mode\"|0d 0a|"; nocase; content:"name=\"version\"|0d 0a|"; nocase; content:"name=\"cpu\"|0d 0a|"; nocase; fast_pattern; content:"name=\"ram\"|0d 0a|"; nocase; content:"name=\"os\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009470; classtype:trojan-activity; sid:2009470; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET MALWARE Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:command-and-control; sid:2008029; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Exploit Kit Delivering Compressed Flash Content to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; content:"|0d 0a 0d 0a|CWS"; classtype:exploit-kit; sid:2014527; rev:4; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:exploit-kit; sid:2018987; rev:4; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_24, updated_at 2012_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018988; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Landing URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/eipm.php"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018989; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/yztl.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018990; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/vpclcy.x"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018991; rev:3; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Flash URI Sruct Aug 22 2014"; flow:established,to_server; urilen:17; content:"/nhqdxa/oujyt.swf"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018992; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:19; content:"/nhqdxa/gjtzssq.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:exploit-kit; sid:2018993; rev:2; metadata:created_at 2014_08_23, former_category CURRENT_EVENTS, updated_at 2014_08_23;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2018997; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:exploit-kit; sid:2019004; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:exploit-kit; sid:2019006; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:exploit-kit; sid:2019007; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019008; rev:8; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2017813; rev:9; metadata:created_at 2013_12_06, former_category CURRENT_EVENTS, updated_at 2013_12_06;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019009; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019010; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019011; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:2101340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019012; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress PEER_LIST_SUM Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019013; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 106.187.96.49 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 6a bb 60 31|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:6; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot offered files advertisement"; flow: from_server,established; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000339; classtype:trojan-activity; sid:2000339; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET DELETED iroffer IRC Bot help message"; flow: from_server,established; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth: 500; reference:url,iroffer.org; reference:url,doc.emergingthreats.net/bin/view/Main/2000338; classtype:trojan-activity; sid:2000338; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan peer exchange"; flow:established,to_server; content:"|01|hs5p|0000|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003138; classtype:trojan-activity; sid:2003138; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any 25 -> any any (msg:"ET DELETED SpamThru trojan SMTP test successful"; flow:established,to_client; dsize:6; content:"XSMTPX"; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003139; classtype:trojan-activity; sid:2003139; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan update request"; flow:established,to_server; content:"|01|hs5p|0001|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003140; classtype:trojan-activity; sid:2003140; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV DLL request"; flow:established,to_server; content:"|01|hs5p|0007|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003141; classtype:trojan-activity; sid:2003141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam template request"; flow:established,to_server; content:"|01|hs5p|0004|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003142; classtype:trojan-activity; sid:2003142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan spam run report"; flow:established,to_server; content:"|01|hs5p|0005|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003143; classtype:trojan-activity; sid:2003143; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp any any -> any any (msg:"ET DELETED SpamThru trojan AV scan report"; flow:established,to_server; content:"|01|hs5p|0008|"; depth:7; reference:url,www.secureworks.com/analysis/spamthru/; reference:url,doc.emergingthreats.net/2003144; classtype:trojan-activity; sid:2003144; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007963; classtype:trojan-activity; sid:2007963; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Vipdataend C&C Traffic - Status OK (variant 2)"; flowbits:isset,ET.vipdataend; flow:established,to_server; dsize:1; content:"1"; depth:1; reference:url,doc.emergingthreats.net/2009026; classtype:command-and-control; sid:2009026; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (variant 3)"; flow:established,to_server; dsize:<42; content:"|3a|Windows "; depth:11; offset:2; reference:url,doc.emergingthreats.net/2009037; classtype:trojan-activity; sid:2009037; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic Checkin"; flow:established,to_server; dsize:<20; content:"|3a 20|"; offset:2; depth:6; content:"|20 7c 20|"; within:10; reference:url,doc.emergingthreats.net/2007962; classtype:trojan-activity; sid:2007962; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Server Status OK"; flow:established,to_server; dsize:2; content:"OK"; reference:url,doc.emergingthreats.net/2007964; classtype:trojan-activity; sid:2007964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XY)"; flow:established,to_server; dsize:<20; content:"XY|3a|2|7c|212"; offset:0; depth:9; reference:url,doc.emergingthreats.net/2007970; classtype:trojan-activity; sid:2007970; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (FYWL)"; flow:established,to_server; dsize:11; content:"FYWL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008223; classtype:trojan-activity; sid:2008223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend C&C Traffic - Checkin (XYLL)"; flow:established,to_server; dsize:11; content:"XYLL|3a|2|7c|212"; offset:0; depth:11; reference:url,doc.emergingthreats.net/2008224; classtype:trojan-activity; sid:2008224; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Vipdataend/Ceckno C&C Traffic - Checkin"; flow:established,to_server; dsize:<30; content:"VERSONEXc|3a|2|7c|212|7c|"; depth:16; reference:url,doc.emergingthreats.net/2008254; classtype:trojan-activity; sid:2008254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6; metadata:created_at 2011_03_31, former_category CURRENT_EVENTS, updated_at 2011_03_31;)
 
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET DELETED Beizhu/Womble/Vipdataend Checking in with Controller"; flow:established,to_server; dsize:<70; content:"|3a|Windows"; depth:11; offset:2; content:"|7c|212("; distance:0; within:15; reference:url,doc.emergingthreats.net/2008334; classtype:trojan-activity; sid:2008334; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED Delf CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<15; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; reference:url,doc.emergingthreats.net/2008007; classtype:command-and-control; sid:2008007; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_12, former_category CURRENT_EVENTS, updated_at 2012_10_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; reference:url,doc.emergingthreats.net/2008008; classtype:command-and-control; sid:2008008; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Delf CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008006; classtype:command-and-control; sid:2008006; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, former_category CURRENT_EVENTS, updated_at 2012_12_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; reference:url,doc.emergingthreats.net/2008033; classtype:trojan-activity; sid:2008033; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED System.Poser HTTP Checkin"; flow:established,to_server; content:"/check.php?c="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"User-Agent|3a| Microsoft BITS"; http_header; reference:url,doc.emergingthreats.net/2008035; classtype:trojan-activity; sid:2008035; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2012_12_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server with modified version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx/"; nocase; pcre:"/Server\: nginx/[a-zA-Z]/i"; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008065; classtype:bad-unknown; sid:2008065; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Downloader URL Pattern (/loader/setup.php)"; flow:established,to_server; content:"/loader/setup.php?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008076; classtype:trojan-activity; sid:2008076; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Xorer.ez HTTP Checkin to CnC"; flow:established,to_server; content:"/qq.html?username="; nocase; http_uri; content:"&zhaosp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008081; classtype:command-and-control; sid:2008081; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET DELETED Looked.P/Gamania/Delf #108/! Style CnC Checkin"; flow:established,to_server; dsize:6; content:"#1"; depth:2; content:"/!"; distance:2; within:2; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:command-and-control; sid:2008219; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_04, updated_at 2012_12_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winspywareprotect.com Fake AV/Anti-Spyware Secondary Checkin"; flow:established,to_server; content:"/stat.php?func=scanfinished&id="; http_uri; reference:url,doc.emergingthreats.net/2008251; classtype:trojan-activity; sid:2008251; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin Initial Packet"; flow:established,to_server; dsize:<100; content:"|00 00 00 00 00 00|WindowsXP|00 00 00|"; flowbits:set,ET.emogen1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008269; classtype:trojan-activity; sid:2008269; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Emogen Infection Checkin CnC Keepalive"; flow:established,to_server; flowbits:isset,ET.emogen1; dsize:4; content:"test"; reference:url,doc.emergingthreats.net/2008270; classtype:command-and-control; sid:2008270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_02, former_category CURRENT_EVENTS, updated_at 2010_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED Banker Infostealer/PRG POST on High Port"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|2E|php|3F|2="; nocase; content:"|26|n="; nocase; content:"|26|v="; nocase; content:"|26|i="; nocase; content:"|26|sp="; nocase; content:"|26|lcp="; nocase; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2008326; classtype:trojan-activity; sid:2008326; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_04, updated_at 2013_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config/fgun_install_"; http_uri; content:"User-Agent|3a| NSI SDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; classtype:trojan-activity; sid:2008359; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test Start port 8888"; flow:established,to_server; dsize:25; content:"GET /test_link HTTP/1.0|0d 0a|"; reference:url,doc.emergingthreats.net/2008435; classtype:trojan-activity; sid:2008435; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Checkin port 8888"; flow:established,to_server; content:"/stat?uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; reference:url,doc.emergingthreats.net/2008437; classtype:trojan-activity; sid:2008437; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"ET DELETED Win32.Testlink Trojan Speed Test port 8888"; flow:established,to_server; dsize:>1000; content:"Data|3a| |00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:35; reference:url,doc.emergingthreats.net/2008436; classtype:trojan-activity; sid:2008436; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED XPantivirus2008 Download"; flow:to_server,established; content:"GET"; depth:3; http_method; content:"XPantivirus20"; nocase; http_uri; pcre:"/XPantivirus20\d{2}_v\d{6}\.exe/Ui"; reference:url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html; reference:url,seo.mhvt.net/blog/?p=390; reference:url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html; reference:url,doc.emergingthreats.net/2008516; classtype:trojan-activity; sid:2008516; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS  [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_14, updated_at 2013_11_14;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED Possible External Ultrasurf Anonymizer DNS Query"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,doc.emergingthreats.net/2008533; classtype:policy-violation; sid:2008533; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category MALWARE, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1030 (msg:"ET DELETED Ipbill.com Related Dialer Trojan Checkin"; flow:established,to_server; dsize:7; content:"|0a|"; offset:6; pcre:"/\d\d\d\d\d\d\x0a/"; flowbits:set,ET.ipbill1; reference:url,doc.emergingthreats.net/2008730; classtype:trojan-activity; sid:2008730; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
 
-#alert tcp $EXTERNAL_NET 1030 -> $HOME_NET any (msg:"ET DELETED Ipbill.com Related Dialer Trojan Server Response"; flow:established,from_server; dsize:<20; content:"|0a 5b 27|"; offset:2; depth:5; content:"|27 5d 0a|"; distance:0; flowbits:isset,ET.ipbill1; reference:url,doc.emergingthreats.net/2008731; classtype:trojan-activity; sid:2008731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_04, updated_at 2014_01_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:pup-activity; sid:2008753; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_19, updated_at 2014_02_19;)
 
-#alert tcp any any -> any 5554 (msg:"ET DELETED Sasser FTP Traffic"; flow: to_server,established; content:"up.exe"; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000040; classtype:misc-activity; sid:2000040; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-#alert tcp any any -> any 9996 (msg:"ET DELETED Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; reference:url,doc.emergingthreats.net/2000047; classtype:misc-activity; sid:2000047; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; reference:url,doc.emergingthreats.net/bin/view/Main/2002061; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018596; rev:3; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2014_06_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dyreza RAT Checkin Response 2"; flow:established,to_client; dsize:3; content:"/1/"; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018597; rev:4; metadata:created_at 2014_06_24, updated_at 2014_06_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_23, former_category CURRENT_EVENTS, updated_at 2014_04_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.b"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001056; classtype:misc-activity; sid:2001056; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4; metadata:created_at 2014_04_30, former_category CURRENT_EVENTS, updated_at 2014_04_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Sasser.worm.a"; flow: established; content:"|BC 3B 74 0B 50 8B 3D E8 46 A7 3D 09 85 B8 F8 CD 76 40 DE 7C 5B 5C D7 2A A8 E8 58 75 62 96 25 24|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/2001057; classtype:misc-activity; sid:2001057; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CIA Trojan download/upload attempt"; content:"|6C 75 66 6A 65 6F 6F|"; reference:url,doc.emergingthreats.net/2001233; classtype:trojan-activity; sid:2001233; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Beagle User Agent Detected"; flow: to_server,established; dsize:<150; content:"User-Agent|3a| beagle_beagle"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html; reference:url,doc.emergingthreats.net/2001269; classtype:trojan-activity; sid:2001269; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Outbound W32.Novarg.A worm"; flow: established; content:"TVqQAAMAAAAEAAAA"; content:"8AALgAAAAAAAAAQ"; within: 20; distance: 2; content:"UEUA..AEwBAW"; content:"DgAA8BCwEHAABQAAAAE"; within: 40; distance: 16; content:"ABVUFgwAAAAAABgAAAAEAAAAAAAAAAEA"; content:"ACAAADg"; within: 30; distance: 16; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html; reference:url,doc.emergingthreats.net/2001273; classtype:trojan-activity; sid:2001273; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> any 445 (msg:"ET DELETED Korgo.P offering executable"; flow: to_server,established; content:"|FF|SMB"; depth: 10; content:"|58|http"; content:".exe"; nocase; within: 36; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001337; classtype:trojan-activity; sid:2001337; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
 
-#alert tcp $HOME_NET any -> any any (msg:"ET DELETED Korgo.P binary upload"; flow: to_server,established; content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2001338; classtype:trojan-activity; sid:2001338; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; classtype:policy-violation; sid:2001455; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5554 (msg:"ET DELETED Sasser FTP exploit attempt"; flow: to_server,established; dsize: >150; content:"PORT "; depth: 5; reference:url,www.lurhq.com/dabber.html; reference:url,doc.emergingthreats.net/2001548; classtype:attempted-admin; sid:2001548; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001609; classtype:misc-activity; sid:2001609; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001610; classtype:misc-activity; sid:2001610; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:68<>101; content:"Java/1."; http_user_agent; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:exploit-kit; sid:2019611; rev:8; metadata:created_at 2014_10_31, former_category CURRENT_EVENTS, updated_at 2014_10_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; reference:url,www.f5.com/f5products/v9intro/index.html; reference:url,doc.emergingthreats.net/2001611; classtype:misc-activity; sid:2001611; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:exploit-kit; sid:2019623; rev:2; metadata:created_at 2014_11_03, former_category CURRENT_EVENTS, updated_at 2014_11_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http|3a|//"; nocase; content:"|3a|3531/.pkt"; nocase; within: 20; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; classtype:trojan-activity; sid:2001679; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
 
-#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] 443 (msg:"ET DELETED MyWebEx Server Traffic"; flow: to_server,established; dsize: <50; content:"|17|"; offset: 0; depth: 1; threshold: type limit,track by_src, count 1, seconds 360; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001712; classtype:policy-violation; sid:2001712; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
 
-#alert tcp $HOME_NET any -> [208.8.81.0/24,64.68.96.0/19] $HTTP_PORTS (msg:"ET DELETED MyWebEx Installation"; flow: to_server,established; content:"/pc/r.php?AT=RS"; nocase; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001713; classtype:policy-violation; sid:2001713; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
 
-#alert tcp [208.8.81.0/24,64.68.96.0/19] 443 -> $HOME_NET any (msg:"ET DELETED MyWebEx Incoming Connection"; flow: to_client,established; content:"|16 03|"; offset: 0; depth: 2; content:"Comodo"; nocase; depth: 240; content:"accessanywhere.com"; nocase; offset: 592; depth: 48; reference:url,www.mywebexpc.com; reference:url,doc.emergingthreats.net/2001714; classtype:policy-violation; sid:2001714; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http_uri; content:"/gate.php"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/gate.php\r$/Hm"; classtype:trojan-activity; sid:2019766; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
 
-#alert tcp $HOME_NET !21:587 -> any any (msg:"ET DELETED Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; classtype:non-standard-protocol; sid:2001815; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/U"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:exploit-kit; sid:2019799; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1345 (msg:"ET DELETED AIM Bot Outbound Control Channel Open and Login"; flow: to_server,established; content:"PASS"; nocase; pcre:"/PASS\s.*?\x0d\x0aNICK\s.*?\x0d\x0aUSER\s.*?\s\d\s\d\s\:\S/im"; reference:url,doc.emergingthreats.net/2001910; classtype:trojan-activity; sid:2001910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit exe"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2002323; classtype:misc-activity; sid:2002323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit php"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".php"; nocase; reference:url,doc.emergingthreats.net/2002322; classtype:misc-activity; sid:2002322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible MSN Worm Exploit pif"; flow: established; content:"X-MMS-IM-"; depth:153; content:"http"; nocase; content:".pif"; nocase; reference:url,doc.emergingthreats.net/2002324; classtype:misc-activity; sid:2002324; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32.kelvir.HI"; flow: established; content:"X-MMS-IM-"; depth:153; content:"search.php?data="; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html; reference:url,doc.emergingthreats.net/2002325; classtype:misc-activity; sid:2002325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_24, former_category CURRENT_EVENTS, updated_at 2014_12_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET DELETED Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002390; classtype:misc-attack; sid:2002390; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:2; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
 
-#alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET DELETED Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; classtype:successful-recon-limited; sid:2002389; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - all versions"; flow:established,from_server; flowbits:isnotset,emerging_wmf_http; content:"HTTP"; depth:4; nocase; flowbits:set,emerging_wmf_http; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002743; classtype:unknown; sid:2002743; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 3"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 03|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002741; classtype:unknown; sid:2002741; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4; metadata:created_at 2015_02_18, former_category CURRENT_EVENTS, updated_at 2015_02_18;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Web Only - version 1"; flow:established; flowbits:isset,emerging_wmf_http; flowbits:isnotset,emerging_wmf_expl; flowbits:isnotset,emerging_wmf_expl_v1; content:"|00 09 00 00 01|"; content:"|00 00|"; distance:10; within:12; flowbits:set,emerging_wmf_expl_v1; flowbits:noalert; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002757; classtype:unknown; sid:2002757; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 1"; flow:established; flowbits:isset,emerging_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002758; classtype:attempted-user; sid:2002758; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; reference:url,doc.emergingthreats.net/bin/view/Main/2002742; classtype:attempted-user; sid:2002742; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (bug ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?bug="; nocase; reference:url,doc.emergingthreats.net/2002871; classtype:web-application-attack; sid:2002871; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit1 ie0601)"; flow:established,to_server; uricontent:"ie0601.cgi?exploit"; nocase; reference:url,doc.emergingthreats.net/2002869; classtype:web-application-attack; sid:2002869; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (ie0606)"; flow:established,to_server; uricontent:"ie0606.cgi?"; nocase; reference:url,doc.emergingthreats.net/2002937; classtype:web-application-attack; sid:2002937; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker RootLauncher"; flow:established,to_server; uricontent:"rleadmin.cgi?getexe="; nocase; reference:url,doc.emergingthreats.net/2003063; classtype:web-application-attack; sid:2003063; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED WebAttacker kit (exploit ie0604)"; flow:established,to_server; uricontent:"ie0604.cgi?exploit"; nocase; reference:url,doc.emergingthreats.net/2002870; classtype:web-application-attack; sid:2002870; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 4C 24 00 8B 44 24 02 59 59 C3 E8 ED FF FF FF 25 00 00 00 FF 33 C9 3D 00 00 00 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003094; classtype:trojan-activity; sid:2003094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan"; flow:to_client,established; content:"|51 51 0F 01 27 00 C1 FB B5 D5 35 02 E2 C3 D1 66 25 32 BD 83 7F B7 4E 3D 06 80 0F 95 C1 8B C1 C3|"; reference:url,doc.emergingthreats.net/2003095; classtype:trojan-activity; sid:2003095; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Warezov/Stration Challenge Response"; flowbits:isset,BEposs.warezov.challenge; flow:established,from_server; dsize:4; content:"|00 00 00 00|"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003176; classtype:trojan-activity; sid:2003176; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2015_08_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Warezov/Stration Challenge"; flow:established,to_server; dsize:1; content:"|38|"; flowbits:noalert; flowbits:set,BEposs.warezov.challenge; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003175; classtype:not-suspicious; sid:2003175; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, updated_at 2015_08_11;)
 
-#alert http any any -> any $HTTP_PORTS (msg:"ET DELETED Allaple Unique HTTP Request - Possibly part of DDOS"; flow:established,to_server; content:"GET /  HTTP/1.1|0d 0a|"; rawbytes; depth:20; threshold:type both, count 1, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2003484; reference:url,isc.sans.org/diary.html?storyid=2451; classtype:trojan-activity; sid:2003484; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_25, former_category CURRENT_EVENTS, updated_at 2015_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Post"; flow:to_server,established; uricontent:"/te.aspx?ver="; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; classtype:trojan-activity; sid:2007607; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1800 (msg:"ET DELETED TroDjan 2.0 Infection Report"; flow:established,to_server; dsize:<60; content:"Windows NT "; depth:11; reference:url,doc.emergingthreats.net/2008587; classtype:trojan-activity; sid:2008587; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
 
-#alert tcp $EXTERNAL_NET 1802 -> $HOME_NET any (msg:"ET DELETED TroDjan 2.0 FTP Channel Open Command"; flow:established,to_server; dsize:7; content:"ftpopen"; reference:url,doc.emergingthreats.net/2008588; classtype:trojan-activity; sid:2008588; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig Initial CnC Connect on port 8392"; flow:established,to_server; dsize:4; content:"|00 00 78 e3|"; flowbits:set,ET.torpig.init; reference:url,doc.emergingthreats.net/2010826; classtype:command-and-control; sid:2010826; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2; metadata:created_at 2015_10_21, former_category EXPLOIT, updated_at 2015_10_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 8392 (msg:"ET DELETED Torpig CnC Connect on port 8392"; flowbits:isset,ET.torpig.init; flow:established,to_server; content:"|00 00|"; depth:2; content:"|00 00 00|"; distance:2; within:5; flowbits:set,ET.torpig.fosure; reference:url,doc.emergingthreats.net/2010827; classtype:command-and-control; sid:2010827; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
 
-#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC IP Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 00 0d|"; reference:url,doc.emergingthreats.net/2010828; classtype:command-and-control; sid:2010828; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
 
-#alert tcp $EXTERNAL_NET 8392 -> $HOME_NET any (msg:"ET DELETED Torpig CnC Report Command on port 8392"; flowbits:isset,ET.torpig.fosure; flow:established,from_server; dsize:4; content:"|00 00 01 6f|"; reference:url,doc.emergingthreats.net/2010829; classtype:command-and-control; sid:2010829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BleedingLife EK Variant Aug 26 2014"; flow:established,to_server; content:".php?spl="; http_uri; fast_pattern:only; pcre:"/\.php\?spl=[\w_]+$/Ui"; classtype:exploit-kit; sid:2019023; rev:2; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014"; flow:established,to_client; file_data; content:"|22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29|"; classtype:trojan-activity; sid:2019024; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:command-and-control; sid:2008358; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Srizbi requesting template"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007712; classtype:trojan-activity; sid:2007712; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Universal1337 FTP Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007967; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Universal1337 Email Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007968; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1)"; flow:to_server,established; content:"User-Agent|3a| doshowmeanad "; http_header; reference:url,doc.emergingthreats.net/2008142; classtype:trojan-activity; sid:2008142; rev:5; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Downloader likely malicious payload download src=xrun"; flow:established,to_server; content:"/get?src=xrun"; nocase; content:"Request|3a| "; nocase; http_header; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010821; classtype:trojan-activity; sid:2010821; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, former_category CURRENT_EVENTS, updated_at 2011_09_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert!!!"; reference:url,doc.emergingthreats.net/2008332; classtype:trojan-activity; sid:2008332; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:6; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2012_05_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirtualProtect Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 72 73 72 63|"; content:"|2E 70 61 63 6B 33 32 00|"; within:49; reference:url,bits.packetninjas.org/eblog/?p=3; reference:url,doc.emergingthreats.net/2008509; classtype:trojan-activity; sid:2008509; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting to Controller"; flow:established,to_server; dsize:<150; content:"|00 00|Visual Shock Keylogger "; offset:10; depth:34; flowbits:set,ET.vskeylogger; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008601; classtype:trojan-activity; sid:2008601; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting Idle to Controller"; flowbits:isset,ET.vskeylogger; flow:established,to_server; dsize:8; content:"|08 00 00 00 00 00 00 00|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008602; classtype:trojan-activity; sid:2008602; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection (2)"; flow:established; content:"conectado|7c 0a|"; depth:11; reference:url,doc.emergingthreats.net/2008645; classtype:trojan-activity; sid:2008645; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Infection Reporting"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a| "; http_header; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|"; http_header; pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; reference:url,www2.gmer.net/mbr/; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; reference:url,doc.emergingthreats.net/2008660; reference:url,offensivecomputing.net/?q=node/909; classtype:trojan-activity; sid:2008660; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unkown Trojan User-Agent (5.1 ...)"; flow:established,to_server; content:"User-Agent|3a| 5.1 "; http_header; reference:url,doc.emergingthreats.net/2009685; classtype:trojan-activity; sid:2009685; rev:5; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; classtype:policy-violation; sid:2008744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; classtype:policy-violation; sid:2008745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746; classtype:policy-violation; sid:2008746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; classtype:policy-violation; sid:2008747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; classtype:policy-violation; sid:2008748; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trash Family - HTTP POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a|"; http_header; nocase; content:"Type="; http_client_body; nocase; content:"&Dvip="; http_client_body; nocase; content:"&Mask="; http_client_body; nocase; content:"&Guid="; http_client_body; nocase; content:"&Addr="; http_client_body; nocase; content:"&Protect="; http_client_body; nocase; content:"Url"; http_client_body; nocase; content:"&OSVer="; http_client_body; nocase; reference:url,www.spywareguide.com/product_show.php?id=1935; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=Trojan.Trash.Gen&tid=178782&cs=03253E96A71C3EE824071E5BE3A32CCD; reference:url,doc.emergingthreats.net/2009449; classtype:trojan-activity; sid:2009449; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Demo version Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E|rsrc|00|"; content:"vmp0|00|"; within: 50; content:"vmp1|00|"; within:50; reference:url,www.vmprotect.ru; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009019; classtype:trojan-activity; sid:2009019; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008221; classtype:trojan-activity; sid:2008221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008222; classtype:trojan-activity; sid:2008222; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Key Checkin (Clicker.Win32.Delf.afl)"; flow:established,to_server; content:".php?key=???????+????????????"; content:"+Dial-up+??????+?+??????????????"; reference:url,doc.emergingthreats.net/2008666; classtype:command-and-control; sid:2008666; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"wversion=&eversion=&fid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008667; classtype:command-and-control; sid:2008667; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $EXTERNAL_NET 91 -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008676; classtype:trojan-activity; sid:2008676; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008677; classtype:trojan-activity; sid:2008677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:to_server,established; content:"User-Agent|3a| NV32ts"; reference:url,doc.emergingthreats.net/2009029; classtype:web-application-attack; sid:2009029; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_10_15;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Armitage Loader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lds.php"; http_uri; reference:url,doc.emergingthreats.net/2009036; classtype:trojan-activity; sid:2009036; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Version Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28substring%28%28select%20%40%40version"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009038; classtype:attempted-recon; sid:2009038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|freeb4u.com"; distance:1; within:12; reference:md5,3c140d775b33a5201089e8f8118b7fb5; classtype:trojan-activity; sid:2019025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.developmentinn.com"; distance:1; within:23; reference:md5,2f17d82e939efe315a89f1aa42e93cf1; classtype:trojan-activity; sid:2019026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|directory92.com"; distance:1; within:16; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content:"|09|epr-co.ch"; distance:1; within:10; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2019752; rev:9; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|"; content:"|15|linux4.pouyasazan.org"; distance:1; within:22; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:4; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.ara-photos.net"; distance:1; within:19; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.tecktalk.com"; distance:1; within:17; reference:md5,0181d134ff73743e8dd5e23b9cf7ff51; classtype:trojan-activity; sid:2019031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.cyclivate.com"; distance:1; within:18; reference:md5,b911327d0ba6ce016e8e33ba97e87e83; classtype:trojan-activity; sid:2019032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.mentoringgroup.com"; distance:1; within:23; reference:md5,444dd80b551ac28e43380c2ef0bc4df0; classtype:trojan-activity; sid:2019033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ssshosting.net"; distance:1; within:15; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|server.erotikturk.com"; distance:1; within:22; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; distance:1; within:18; reference:md5,ebca10e0a4eb99758f0fb3612fa970ba; classtype:trojan-activity; sid:2019037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|jojik-international.com"; distance:1; within:24; reference:md5,ffa19cd3be6a89da96bcfb5a1a52b6ae; classtype:trojan-activity; sid:2019038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, updated_at 2016_03_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|abarsolutions.com"; distance:1; within:18; reference:md5,029e3713002bd3514b1f2493caea8294; classtype:trojan-activity; sid:2019039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.eastwoodvalley.com"; distance:1; within:23; reference:md5,450b394d88a69f6cb9722a5b56168ce6; classtype:trojan-activity; sid:2019040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|pejlain.se"; distance:1; within:11; reference:md5,1658e12bb1fe8a25127e8bd09b923acd; classtype:trojan-activity; sid:2019042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any !80 -> $HOME_NET any (msg:"ET EXPLOIT Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, former_category CURRENT_EVENTS, updated_at 2016_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dominionthe.com"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|delanecanada.ca"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|19|hebergement-solutions.com"; distance:1; within:26; reference:md5,e5f8caba2b2832de5c13a16d5b4f6d6f; classtype:trojan-activity; sid:2019045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sportofteniq.com"; distance:1; within:17; reference:md5,d06ec89944b566df8dcd959a2196b37c; classtype:trojan-activity; sid:2019046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|adoraacc.com"; distance:1; within:13; reference:md5,a938c50d686663f97d62dff812fc575b; classtype:trojan-activity; sid:2019047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|tristacey.com"; distance:1; within:14; reference:md5,e40ec448fd7cfea641a18fb6b38e4e92; classtype:trojan-activity; sid:2019048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nbc-mail.com"; distance:1; within:13; reference:md5,348b8a9e693a6784a6cf26d9afe6fed9; classtype:trojan-activity; sid:2019049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|tridayacipta.com"; distance:1; within:17; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content:"|55 04 03|"; content:"|20|trainthetrainerinternational.com"; distance:1; within:33; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|www.lingayasuniversity.edu.in"; distance:1; within:30; reference:md5,b2c3bb2b56876e325d86731a693fd138; classtype:trojan-activity; sid:2019052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.uleideargan.com"; distance:1; within:20; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_25, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|picklingtank.com"; distance:1; within:17; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Datacenter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|vcomdesign.com"; distance:1; within:15; reference:md5,9ad86fc9a57b620e96082cd61aa1b494; classtype:trojan-activity; sid:2019055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Perimeter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|technosysuk.com"; distance:1; within:16; reference:md5,fc23d6cbe926a022cac003214679ec7a; classtype:trojan-activity; sid:2019056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|slmp-550-105.slc.westdc.net"; distance:1; within:28; reference:md5,f053b1aa875751944bae74fce67fe965; classtype:trojan-activity; sid:2019057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:2; metadata:created_at 2016_09_12, tag Android_Exploit, updated_at 2016_09_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; distance:1; within:36; reference:md5,f7b715ad4235599ed21179a369279225; classtype:trojan-activity; sid:2019058; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android_Exploit, updated_at 2016_09_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|udderperfection.com"; distance:1; within:20; reference:md5,27938e57f7928e9559e71d384a8fffe6; classtype:trojan-activity; sid:2019059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2016_09_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|efind.co.il"; distance:1; within:12; reference:md5,6d8a5b36f61e392aaa048b97b3d9e090; classtype:trojan-activity; sid:2019060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:exploit-kit; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_21, deployment Perimeter, former_category EXPLOIT, malware_family Magnitude, signature_severity Major, tag Magnitude_EK, updated_at 2016_09_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|bloodsoft.com"; distance:1; within:14; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.walletmix.com"; distance:1; within:18; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|turnaliinsaat.com"; distance:1; within:18; reference:md5,feb5304d966a0f1610e642984a64d54c; classtype:trojan-activity; sid:2019063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, created_at 2016_09_29, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|mdus-pp-wb12.webhostbox.net"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|www.plastics-technology.com"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|deserve.org.uk"; distance:1; within:15; reference:md5,9d16352f292d86f40236afc7e06bce08; classtype:trojan-activity; sid:2019067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL DELETED wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Aug 27 2014"; flow:established,to_client; file_data; content:"|28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2019071; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing URI Struct"; flow:established,to_server; content:"/?PHPSSESID=njr"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019072; rev:3; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET DELETED Bifrose Response from victim"; flow:established,from_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; reference:url,doc.emergingthreats.net/2009797; classtype:trojan-activity; sid:2009797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"M Fucking Scanner"; http_user_agent; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2009799; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"nhweb="; http_cookie; depth:6; classtype:exploit-kit; sid:2019073; rev:2; metadata:created_at 2014_08_27, former_category CURRENT_EVENTS, updated_at 2014_08_27;)
+alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|11|paydaypedro.co.uk"; distance:1; within:18; reference:md5,39877be17bd3435f275fc54577beaa6e; classtype:trojan-activity; sid:2019075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:exploit-kit; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|chatso.com"; distance:1; within:11; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_01_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/Torpig Checkin"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"MyValue="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010267; classtype:command-and-control; sid:2010267; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.SillyFDC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php"; nocase; http_uri; content:"getowner=1&uniqueid="; http_uri; content:"User-Agent|3a| WinHttp.WinHttpRequest"; http_header; reference:url,doc.emergingthreats.net/2010268; classtype:command-and-control; sid:2010268; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; http_uri; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; classtype:attempted-user; sid:2010281; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_03_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Communication with C&C"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&cnt="; http_uri; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010289; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, created_at 2017_04_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/chck.dat"; fast_pattern; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; flowbits:set,ET.clod1; flowbits:noalert; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,doc.emergingthreats.net/2010290; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010290; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, created_at 2017_04_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_04_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Clod/Sereki Checkin Response"; flow:established,from_server; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; reference:url,doc.emergingthreats.net/2010291; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:md5,bbb6ac2181dbbe15efd13c294cb991fa; reference:md5,3c39bfc78fcf3fe805c7472296bf6319; classtype:trojan-activity; sid:2010291; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"pangolin"; http_user_agent; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; reference:url,doc.emergingthreats.net/2010463; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\x3a.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; classtype:bad-unknown; sid:2010721; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
-#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET DELETED Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pragma hack Detected Outbound - Likely Infected Source"; flow:established,to_client; content:"Pragma|3a| hack/"; nocase; http_header; classtype:trojan-activity; sid:2010872; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_05_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Twitter Status Update"; flow:to_server,established; content:"POST"; http_method; content:"/status/update"; http_uri; content:"twitter.com"; nocase; content:"authenticity_token="; nocase; content:"status="; nocase; reference:url,twitter.com; reference:url,doc.emergingthreats.net/2010797; classtype:policy-violation; sid:2010797; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; classtype:trojan-activity; sid:2000901; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-#alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent|3a|"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; classtype:trojan-activity; sid:2001654; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
 
-#alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Probing or Announcing UDP";  reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; classtype:trojan-activity; sid:2000900; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET DELETED JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; classtype:trojan-activity; sid:2001015; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_30, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_30;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND "; depth:9; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; distance:0; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 9295 (msg:"ET DELETED Troxen GetSpeed Request"; flow:established,to_server; content:"GetSpeed |0d 0a|"; depth:11; reference:md5,af89d15930fe59dcb621069abc83cc66; reference:url,doc.emergingthreats.net/2011233; classtype:trojan-activity; sid:2011233; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12; metadata:created_at 2010_09_23, former_category EXPLOIT, updated_at 2017_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, created_at 2017_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_06_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:to_server,established; content:"User-Agent|3a| tiehttp"; nocase; reference:url,www.torry.net/authorsmore.php?id=4292; classtype:web-application-activity; sid:2011759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_17, former_category NETBIOS, updated_at 2017_06_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_07_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED vb exploits / trojan vietshow"; flow:established,to_server; content:"GET"; http_method; content:"~vietshow/"; nocase; http_uri; classtype:bad-unknown; sid:2011897; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_07_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan perflogger ~duydati/inst_PCvw.exe"; flow:established,to_server; content:"GET"; http_method; content:"~duydati/inst_PCvw.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011899; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2017_09_07;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Phishing ~mbscom/moneybookers/app/login/login.html"; flow:established,to_server; content:"GET"; http_method; content:"~mbscom/moneybookers/app/login/login.html"; nocase; http_uri; classtype:bad-unknown; sid:2011902; rev:2; metadata:attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Hacked server to exploits ~rio1/admin/login.php"; flow:established,to_server; content:"GET"; http_method; content:"~rio1/admin/login.php"; nocase; http_uri; classtype:bad-unknown; sid:2011901; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iframe Phoenix Exploit & ZBot vt073pd/photo.exe"; flow:established,to_server; content:"GET"; http_method; content:"vt073pd/photo.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011903; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED trojan renos Flash.HD.exe"; flow:established,to_server; content:"GET"; http_method; content:"Flash.HD.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011909; rev:2; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, created_at 2017_11_27, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED fast flux rogue antivirus download.php?id=2004"; flow:established,to_server; content:"GET"; http_method; nocase; content:"download.php?id=2004"; nocase; http_uri; classtype:bad-unknown; sid:2011904; rev:3; metadata:created_at 2010_11_09, updated_at 2010_11_09;)
+alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2017_11_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SEO/Malvertising Executable Landing exe2.php"; flow:established,to_server; uricontent:"/exe2.php?wm_id=acc"; classtype:trojan-activity; sid:2011916; rev:3; metadata:created_at 2010_11_10, updated_at 2019_08_22;)
+alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Critical, updated_at 2017_11_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - packupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=packupdate";  classtype:trojan-activity; sid:2011919; rev:4; metadata:created_at 2010_11_10, updated_at 2020_08_20;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By SMB/JavaWebStart"; flow:established,to_server; content:"loadsmb.php"; http_uri; classtype:trojan-activity; sid:2011951; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Exploited By PDF"; flow:established,to_server; content:"loadlibtiff.php"; http_uri; classtype:trojan-activity; sid:2011952; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript srctable"; flow:established,to_client; content:"var srctable=|27|"; depth:14; classtype:bad-unknown; sid:2011959; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family MeltDown_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Obfuscated JavaScript desttable"; flow:established,to_client; content:"var desttable=|27|"; depth:15; classtype:bad-unknown; sid:2011958; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family Spectre_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadpeers.php"; flow:established,to_server; content:"loadpeers.php"; http_uri; classtype:bad-unknown; sid:2011956; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2018_03_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious lib.pdf"; flow:established,to_server; content:"/files/lib.pdf"; http_uri; classtype:bad-unknown; sid:2011955; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_04_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_06;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious loadjjar.php"; flow:established,to_server; content:"loadjjar.php"; http_uri; classtype:bad-unknown; sid:2011954; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY SEO Client Requesting Malicious jjar.jar"; flow:established,to_server; content:"/files/jjar.jar"; http_uri; classtype:bad-unknown; sid:2011953; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
 
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:2; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:7; metadata:created_at 2010_12_07, updated_at 2010_12_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_11, updated_at 2010_12_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:3; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
+alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2018_07_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt"; flow:established,to_client; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2012156; rev:2; metadata:created_at 2011_01_06, updated_at 2011_01_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_2018_6892, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED Post Express Inbound SPAM (possible Spyeye)"; flow:established,to_server; content:"Content-Disposition|3A|attachment|3b|"; nocase; content:"filename=|22|Post_Express_Label_"; nocase; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012275; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Trojan dropper Wlock.A (AS1680)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/pornoplayer.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=pworldxxx.info; classtype:trojan-activity; sid:2012301; rev:4; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Critical, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Fast Flux Trojan Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/SecurIns_194.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=microantivirus5.com; classtype:bad-unknown; sid:2012332; rev:3; metadata:created_at 2011_02_22, updated_at 2011_02_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> 184.105.245.17 8080 (msg:"ET DELETED DroidDream Android Trojan info upload"; flow:to_server,established; content:"/GMServer/GMServlet"; http_uri; reference:url,androguard.blogspot.com/2011/03/droiddream.html; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=79&blogId=1; reference:url,blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/; reference:url,countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/; classtype:trojan-activity; sid:2012410; rev:3; metadata:created_at 2011_03_03, updated_at 2011_03_03;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Fast Flux Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/Setup_2004.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=spyremover-k3.com; classtype:trojan-activity; sid:2012447; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution"; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android Trojan HongTouTou Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/index.aspx?im="; http_uri; nocase; content:"|0d 0a|User-Agent|3a| Apache-HttpClient"; http_header; reference:url,blog.netqin.com/en/?p=451; classtype:trojan-activity; sid:2012450; rev:4; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/games/pdf"; nocase; http_uri; content:"php?f=7"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=poleoa.net; classtype:trojan-activity; sid:2012538; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Rogue Antivirus"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer.0042.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012539; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Win32 Backdoor Poison"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/salvando-usb.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=arteencueros.com; classtype:trojan-activity; sid:2012540; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/CazinoSilver Download VegasVIP_setup.exe"; flow:established,to_server; content:"/VegasVIP_setup.exe"; nocase; http_uri; reference:url,ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html; classtype:trojan-activity; sid:2012685; rev:3; metadata:created_at 2011_04_12, updated_at 2011_04_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Interface|3a|"; content:"--- 0x"; distance:0; content:"Internet Address"; content:"Physical Address"; fast_pattern; distance:0; content:"Type"; content:"dynamic"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019080; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows set Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"ALLUSERSPROFILE="; fast_pattern; content:"APPDATA="; distance:0; content:"CLIENTNAME="; content:"CommonProgramFiles="; distance:0; content:"COMPUTERNAME="; content:"ComSpec="; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019081; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013407; rev:6; metadata:created_at 2011_08_12, updated_at 2011_08_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential Blackhole Exploit Pack landing"; flow:established,to_server; content:".php?f="; http_uri; content:!"Cookie|3a|"; http_header; pcre:"/\.php\?f=\d+$/U"; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012688; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_15, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert ip $HOME_NET any -> 83.236.140.90 any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013754; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert ip 83.236.140.90 any -> $HOME_NET any (msg:"ET DELETED Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013753; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AirOS .css Worm Outbound Propagation Sweep"; flow:established,to_server; content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014041; rev:6; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED AirOS admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:command-and-control; sid:2019084; rev:1; metadata:created_at 2014_08_29, former_category MALWARE, updated_at 2014_08_29;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"ZWS"; classtype:exploit-kit; sid:2018362; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor based locker Ransom Page"; flow:established,to_server; content:"/buy.php?"; http_uri; content:"iet7v4dciocgxhdv."; nocase; fast_pattern; http_header; classtype:trojan-activity; sid:2018873; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3; metadata:created_at 2014_08_30, updated_at 2014_08_30;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:exploit-kit; sid:2019098; rev:2; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:exploit-kit; sid:2019099; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT_KIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN RST"; flags:SR; classtype:bad-unknown; sid:2011368; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PeopleOnPage Install"; flow: to_server,established; content:"/install/pop"; nocase; http_uri; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; classtype:policy-violation; sid:2001445; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007634; classtype:trojan-activity; sid:2007634; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007635; classtype:trojan-activity; sid:2007635; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, updated_at 2018_07_24;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; reference:url,doc.emergingthreats.net/2007636; classtype:trojan-activity; sid:2007636; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2018_07_24;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007637; classtype:trojan-activity; sid:2007637; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Internal, former_category EXPLOIT, signature_severity Minor, updated_at 2018_08_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:exploit-kit; sid:2019005; rev:3; metadata:created_at 2014_08_26, former_category CURRENT_EVENTS, updated_at 2014_08_26;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP)"; flow:to_server,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026084; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:exploit-kit; sid:2019100; rev:3; metadata:created_at 2014_09_02, former_category CURRENT_EVENTS, updated_at 2014_09_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt"; flow:to_client,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026085; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP)"; flow:to_server,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026086; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WindowsEnterpriseSuite FakeAV Dynamic User-Agent"; flow:established,to_server; content:"User-Agent|3a| We"; content:!"User-Agent|3a| Webmin|0d 0a|"; http_header; pcre:"/User-Agent\x3a We[a-z0-9]{4}\x0d\x0a/H"; reference:url,doc.emergingthreats.net/2010262; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010262; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt"; flow:to_client,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026087; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Possible SSDP Amplification Scan in Progress"; content:"M-SEARCH * HTTP/1.1"; content:"ST|3a 20|ssdp|3a|all|0d 0a|"; nocase; distance:0; fast_pattern; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/29/weekly-metasploit-update; classtype:attempted-dos; sid:2019102; rev:1; metadata:created_at 2014_09_03, updated_at 2014_09_03;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP)"; flow:to_server,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]*\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026088; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt"; flow:to_client,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]+\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026089; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026090; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019106; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt"; flow:to_client,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026091; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019107; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026092; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt"; flow:to_client,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026093; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_11;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_11_01, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_11_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack"; flags:A; window:0; threshold: type both, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009414; classtype:attempted-dos; sid:2009414; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:created_at 2019_02_18, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_02_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Rdxrp.com Traffic (Generic)"; flow: to_server,established; content:"/rdxr"; nocase; http_uri; content:".dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; classtype:trojan-activity; sid:2001312; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957|"; classtype:attempted-user; sid:2027070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Adware/Antivirus360 Config to client"; flow:established,to_client; content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:pup-activity; sid:2009809; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862|"; classtype:attempted-user; sid:2027069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; content:"DZKS"; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:command-and-control; sid:2014618; rev:3; metadata:created_at 2012_04_20, former_category MALWARE, updated_at 2012_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674|"; classtype:attempted-user; sid:2027071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)
+alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold: type limit, track by_src, count 2, seconds 600; reference:cve,CVE-2019-0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_21, deployment Perimeter, deployment Internet, deployment Internal, former_category EXPLOIT, malware_family Bluekeep, signature_severity Major, updated_at 2019_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:exploit-kit; sid:2014748; rev:4; metadata:created_at 2012_05_14, updated_at 2012_05_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450)"; flow:established,to_client; file_data; content:"localhost|3a|19421/launch?action=join&confno="; reference:url,medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5; reference:cve,2019-13450; classtype:attempted-user; sid:2027696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2019_07_10;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET DELETED Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag"; flags:U+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027768; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_07_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019147; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_08_01;)
 
-#alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tomcat Successful default credential login from external source"; flow:from_server,established; content:"HTTP/1."; depth:7; content:"200"; http_stat_code; content:"OK"; http_stat_msg; reference:url,tomcat.apache.org; classtype:successful-admin; sid:2009219; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"MyWebClient"; depth:11; http_user_agent; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:command-and-control; sid:2017671; rev:6; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2013_11_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019148; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_26, former_category CURRENT_EVENTS, updated_at 2014_11_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019149; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019150; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019151; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019152; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019153; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>TV"; content:"VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:6; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:4; metadata:created_at 2012_11_01, updated_at 2012_11_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2019154; rev:3; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; http_uri; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:pup-activity; sid:2001998; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:pup-activity; sid:2003058; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)
+alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018912; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018375; rev:4; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS"; flow:to_server,established; content:"hihihihihihihihihihihihihihihihi"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012048; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:5; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:4; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:5; metadata:created_at 2010_12_13, updated_at 2010_12_13;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:6; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 500.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/500.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012456; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:9; metadata:created_at 2014_04_11, former_category CURRENT_EVENTS, updated_at 2014_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download desyms.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/desyms.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012458; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:3; metadata:created_at 2014_04_15, former_category CURRENT_EVENTS, updated_at 2014_04_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 1691.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/1691.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012459; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
+alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:4; metadata:created_at 2014_04_15, former_category CURRENT_EVENTS, updated_at 2014_04_15;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions"; flow:from_server,established; flowbits:isset,is_proto_irc; content:"PRIVMSG|20|"; pcre:"/^PRIVMSG.*@(portscan|back|(tcp|udp|http)flood|tsunami|(de)?voice|reset|die|say|join|part|(de)?op)/mi"; reference:url,theprojectxblog.net/another-perl-irc-bot-that-have-dosddos-functions/; classtype:trojan-activity; sid:2025065; rev:3; metadata:created_at 2012_05_22, former_category TROJAN, updated_at 2017_11_28;)
+alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET DOS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; classtype:attempted-dos; sid:2010624; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:9; metadata:created_at 2014_04_11, former_category CURRENT_EVENTS, updated_at 2014_04_11;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; http_uri; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET DELETED Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*?=[^\n]*?(UPS|United Parcel Service)[^\n]*?\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:6; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET "; nocase; depth:4;  content:"Setup_"; fast_pattern; nocase; http_uri; content:".exe"; distance:0; nocase; http_uri; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010901; classtype:trojan-activity; sid:2010901; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Download with Cookie WinSec"; flow:established,to_server; content:"/down.php?c="; nocase; http_uri; content:"Cookie|3a| WinSec"; nocase; reference:url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791; reference:url,doc.emergingthreats.net/2011178; classtype:trojan-activity; sid:2011178; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_09_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding|3a| pack200-gzip"; within:55; reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; classtype:attempted-user; sid:2009665; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_09_09;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt"; flow:established,to_client; content:"<lp2|3A|executable>T</lp2|3A|executable>"; nocase; content:"<D|3A|lockscope><D|3A|exclusive/></D|3A|lockscope>"; nocase; distance:0; content:"</D|3A|lockentry>"; nocase; distance:0; content:"<D|3A|lockscope><D|3A|shared/></D|3A|lockscope>"; nocase; distance:0; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20918; reference:url,www.kb.cert.org/vuls/id/940193; reference:url,www.microsoft.com/technet/security/advisory/2286198.mspx; reference:cve,2010-2568; classtype:attempted-user; sid:2011270; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, former_category EXPLOIT, performance_impact Significant, updated_at 2019_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install/ws.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/2010052; classtype:trojan-activity; sid:2010052; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Response"; flow:established,to_client; flowbits:isset,ET.Tinba.Checkin; file_data; content:"|64 b4 dc a4|"; within:4; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019169; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; http_uri; nocase; classtype:trojan-activity; sid:2010055; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Fake Antivirus Download installpv.exe"; flow:established,to_server; content:"GET"; http_method; content:"/installpv.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010057; classtype:trojan-activity; sid:2010057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Malware Download flash-HQ-plugin exe"; flow:established,to_server; content:"GET"; http_method; content:"flash-"; http_uri; nocase; content:"-plugin"; http_uri; nocase; content:".exe"; nocase; http_uri; pcre:"/flash-[A-Z0-9]+-plugin\.[A-Z0-9]+\.exe/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; classtype:bad-unknown; sid:2010440; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Unknown Malware Download Attempt"; flow:established,to_server; uricontent:"/installer/Installer"; nocase; uricontent:".exe"; nocase; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010796; classtype:bad-unknown; sid:2010796; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category EXPLOIT, malware_family ETERNALBLUE, signature_severity Major, updated_at 2019_09_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK [NIP]-"; fast_pattern:only; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; classtype:trojan-activity; sid:2009171; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1"; flow:established,to_server; content:"POST"; http_method; content:"/senm.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2010234; reference:md5,7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010234; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1"; flow:established,to_server; content:"GET"; http_method; content:"/perce/"; http_uri; nocase; content:"/qwerce.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; classtype:trojan-activity; sid:2010231; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2"; flow:established,to_server; content:"POST"; http_method; content:"/perce/"; nocase; http_uri; content:"/qwerce.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; classtype:trojan-activity; sid:2010235; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3"; flow:established,to_server; content:"POST"; http_method; content:"/werber/"; nocase; http_uri; content:"/217.gif"; http_uri; nocase; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; classtype:trojan-activity; sid:2010236; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4"; flow:established,to_server; content:"POST"; http_method; content:"/item/"; nocase; http_uri; content:"/titem.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; classtype:trojan-activity; sid:2010237; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_25, former_category EXPLOIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5"; flow:established,to_server; content:"POST"; http_method; content:"/report.php?data="; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; classtype:trojan-activity; sid:2010238; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6"; flow:established,to_server; content:"POST"; http_method; content:"/arrows/"; nocase; http_uri; content:"/arrow_up.gif"; nocase; http_uri; content:"data="; nocase; http_client_body; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010239; reference:md5,316fd88ac18d21889b1dbf9b979c1959; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; classtype:trojan-activity; sid:2010239; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:5; metadata:created_at 2014_02_26, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:command-and-control; sid:2008531; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Client requesting fake scanner page /scan/?key="; flow:established,to_server; content:"/scan/?key="; http_uri; classtype:bad-unknown; sid:2011545; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Eleonore - landing page"; flow:established,to_client; content:"{display|3A|none}</style><a class="; classtype:bad-unknown; sid:2011510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Phoenix landing page - valium"; flow:established,to_client; content:"var string = val+|22|ium|22|\;"; classtype:bad-unknown; sid:2011486; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV client requesting fake scanner page"; flow:established,to_server; content:"/?p=p"; http_uri; content:".co.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2011373; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:exploit-kit; sid:2011369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2021_06_23;)
+alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; http_header; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; http_header; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, former_category POLICY, updated_at 2010_09_28;)
+alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Games.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/Games.jar"; http_uri; classtype:policy-violation; sid:2011324; rev:4; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
+alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Fragus - landing page delivered"; flow:established,to_client; content:"|0d 0a 0d 0a|var CRYPT={signature|3a|"; classtype:bad-unknown; sid:2011330; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
 
-#alert tcp any $HTTP_PORTS -> any any (msg:"ET DELETED Malvertising DRIVEBY Fragus Admin Panel Delivered To Client"; flow:established,to_client; content:"<head>|0D 0A 09 09|<title>Fragus</title>"; classtype:bad-unknown; sid:2011342; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_02, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED POST to /x48/x58/ Possible Zeus Version 3 Command and Control Server Traffic"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/x48/x58/"; http_uri; nocase; content:".php"; http_uri; nocase; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011344; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zeus Version 3 Infection Posting Banking HTTP Log to Command and Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_dr.php?"; http_uri; nocase; content:"https|3A|//"; nocase; pcre:"/\x2Fget\x5Fdr\x2Ephp\x3F(e|ini)\x3D/Ui"; reference:url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp; reference:url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf; classtype:trojan-activity; sid:2011345; rev:5; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV landing page - sector.hdd.png no-repeat"; flow:established,to_client; content:"sector.hdd.png) no-repeat"; classtype:bad-unknown; sid:2011419; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEAV client requesting image - sector.hdd.png"; flow:established,to_server; content:"sector.hdd.png"; nocase; http_uri; classtype:bad-unknown; sid:2011420; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING redirect to exploit kit (unoeuro server)"; flow:established,to_client; content:"=|5b 22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; content:"|0d 0a|Serverxi|3a| Apache/Unoeuro (Unix) - Secured|0d 0a|"; classtype:exploit-kit; sid:2011479; rev:4; metadata:created_at 2010_09_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby Bredolab - client requesting java exploit"; flow:established,to_server; content:"/Notes1.pdf"; depth:11; http_uri; classtype:bad-unknown; sid:2011795; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Driveby Bredolab - landing page"; flow:established,to_client; content:"Server|3a| nginx"; content:"<div style=|22|visibility|3a| hidden|3b||22|><"; depth:120; classtype:bad-unknown; sid:2011796; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY SEO Landing Page Encountered"; flow:established,to_client; content:"<script src=|27|src.js|27|></script><script src=|27|dest.js|27|></script><script>var "; depth:73; classtype:bad-unknown; sid:2011957; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING SEO iframe redirect to drive by"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Ciframe src=|22 3b| content|3a 22|style=|27|visibility|3a|hidden|3b 27| width=|27|1|27| height=|27|1|27| %3E%3C/iframe%3E|22 29 29 3b|"; classtype:bad-unknown; sid:2011960; rev:4; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_11_22, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Banker (AS33182)"; flow:established,to_server; content:"GET"; http_method; content:"/update/html2.exe.bak"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=allmobilefashion.com; classtype:trojan-activity; sid:2011968; rev:3; metadata:created_at 2010_11_22, updated_at 2010_11_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Ircbrute Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/imagFaceBook.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=egyboys.net; classtype:bad-unknown; sid:2011980; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/QuickTime_Update_KB673901.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=media-download-kb572810.biz; classtype:bad-unknown; sid:2011981; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/av-scanner.48370.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=mediafilesonline.net; classtype:bad-unknown; sid:2011983; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; http.request_body; content:"|7b 22|jsonrpc|22 3a 22|"; startswith; content:"/getEnterpriseUser|22|"; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/R"; http.method; content:"POST"; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:1; metadata:created_at 2019_10_31, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/MalvRem_"; nocase; http_uri; pcre:"/MalvRem_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011984; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert tcp any any -> $HOME_NET 8009 (msg:"ET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)"; flow:established,to_server; content:"|12 34|"; depth:2; content:"|00 08|HTTP/1.1|00|"; distance:0; content:"javax.servlet.include.path_info|00|"; nocase; distance:0; content:"javax.servlet.include.request_uri|00|"; content:"javax.servlet.include.servlet_path|00|"; reference:cve,2020-1938; reference:url,www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487; classtype:attempted-admin; sid:2029533; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2020_02_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_02_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus avdistr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avdistr_"; nocase; http_uri; pcre:"/avdistr_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011985; rev:4; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|"; http.uri; content:"/apply.cgi"; startswith; http.request_body; content:"change_action=gozila_cgi"; fast_pattern; content:"submit_type=language"; content:"&ui_language="; pcre:"/^[(?:\x60|%60)(?:\x27|%27)]/R"; reference:url,nstarke.github.io/0034-linksys-wrt54g-v3.1-writeup.html; classtype:attempted-admin; sid:2029734; rev:1; metadata:created_at 2020_03_24, former_category EXPLOIT, updated_at 2020_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Fast Flux Rogue Antivirus RunAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/RunAV_"; nocase; http_uri; pcre:"/RunAV_\d{3,4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=giga-protectiona.com; reference:url,www.malwareurl.com/listing.php?domain=protectsystemf.com; reference:url,www.malwareurl.com/listing.php?domain=1cnetantispy.com; reference:url,www.malwareurl.com/listing.php?domain=3gb-scanner.com; classtype:bad-unknown; sid:2011986; rev:3; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; depth:47; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029804; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download adobe-flash.v"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adobe-flash.v"; nocase; http_uri; pcre:"/adobe-flash\.v\.\d{5}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com; classtype:bad-unknown; sid:2011989; rev:2; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; depth:47; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029805; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious executable download possible Rogue AV (installer.xxxx.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/installer."; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/installer\.\d{4}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc; classtype:bad-unknown; sid:2011990; rev:4; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029806; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_04_03;)
 
-#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, former_category FTP, updated_at 2010_12_02;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/boaform/admin/formPing"; fast_pattern; http.request_body; content:"target_addr=|3b|"; startswith; reference:url,blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/; reference:url,www.exploit-db.com/exploits/48225; classtype:attempted-admin; sid:2029976; rev:2; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2020_04_20, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|10 27 60 ea|Linux|20|"; offset:4; depth:64; reference:md5,9a2a00f4bba2f3e0b1211a1f0cb48896; classtype:command-and-control; sid:2019171; rev:2; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2014_09_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:15; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshare.org|3A|999"; http_header; classtype:trojan-activity; sid:2012132; rev:6; metadata:created_at 2011_01_04, updated_at 2011_01_04;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/restAPI/v2/nmap/run/scan/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|ipAddress|22 0d 0a 0d 0a|--script="; fast_pattern; pcre:"/^\/(?:home\/a3user|root)\/agile3\/patches\//R"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029985; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; fast_pattern; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:md5,531e84b0894a7496479d186712acd7d2; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:command-and-control; sid:2012248; rev:5; metadata:created_at 2011_01_29, former_category MALWARE, updated_at 2011_01_29;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Session ID Assignment (set)"; flow:established,to_server; xbits:set,ET.IBMDRM1,track ip_dst, expire 10; noalert; http.method; content:"GET"; http.uri; content:"/albatross/saml/idpSelection"; startswith; fast_pattern; content:"id="; content:"userName="; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029986; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; xbits:isset,ET.IBMDRM1,track ip_dst; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029987; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:command-and-control; sid:2012279; rev:4; metadata:created_at 2011_02_03, former_category MALWARE, updated_at 2011_02_03;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029989; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Fake AV Scan (AS31252)"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/powersecure_2005-19_ibr8.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com; classtype:trojan-activity; sid:2012302; rev:3; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Session ID Assignment"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/albatross/saml/idpSelection"; startswith; fast_pattern; content:"id="; content:"userName="; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029988; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/albatross/eurekaservice/fetchLogFiles"; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|logFileNameList|22 3a 22|../"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:trojan-activity; sid:2029990; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; http.uri; content:".ida"; nocase; endswith; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cx.cc domain"; flow: to_server,established; content:".cx.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012321; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; http.uri; content:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM variant 3"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Individual_Income_Tax_Rtrn_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012329; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; http.uri; content:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; http.uri; content:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:17; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential Rogue Antivirus FakePAV"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/firefox_update_2011.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=76.76.102.214; classtype:trojan-activity; sid:2012403; rev:3; metadata:created_at 2011_03_01, updated_at 2011_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; http.uri; content:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; http.uri; content:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; http.uri; content:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; http.uri; content:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; http.uri; content:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:17; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; http.header; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; nocase; classtype:trojan-activity; sid:2012494; rev:4; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; http.uri; content:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED FakeAV campaign related JavaScript eval document obfuscation"; flow:established,from_server; content:"|20|=|20|eval('docu'+'men'+'t')|3b 0d 0a 0d 0a|"; classtype:trojan-activity; sid:2012495; rev:2; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; http.uri; content:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32 Banker Trojan CheckIn"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/sys7."; http_uri; fast_pattern; reference:url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY; classtype:command-and-control; sid:2012521; rev:3; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2011_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; http.uri; content:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:9; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Zbot Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/trusteer.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=umbralinversiones.com; classtype:trojan-activity; sid:2012537; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; http.uri; content:".cmd?&"; nocase; classtype:web-application-attack; sid:2101003; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for addons.mozilla.org"; flow:established,from_server; content:"|00 92 39 d5 34 8f 40 d1 69 5a 74 54 70 e1 f2 3f|"; content:"addons.mozilla.org"; within:250; classtype:misc-activity; sid:2012546; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; http.uri; content:".cmd|22|"; nocase; pcre:"/^.*?\x26/Ri"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for Global Trustee"; flow:established,from_server; content:"|00 d8 f3 5f 4e b7 87 2b 2d ab 06 92 e3 15 38 2f b0|"; classtype:misc-activity; sid:2012547; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; http.uri; content:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.live.com"; flow:established,from_server; content:"|00 b0 b7 13 3e d0 96 f9 b5 6f ae 91 c8 74 bd 3a c0|"; content:"login.live.com"; within:250; classtype:misc-activity; sid:2012548; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:15; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.skype.com"; flow:established,from_server; content:"|00 e9 02 8b 95 78 e4 15 dc 1a 71 0a 2b 88 15 44 47|"; content:"login.skype.com"; within:250; classtype:misc-activity; sid:2012549; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:20; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 1"; flow:established,from_server; content:"|00 d7 55 8f da f5 f1 10 5b b2 13 28 2b 70 77 29 a3|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012550; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; pcre:"/(?:\x0a|\\n)\/s1Caa6/"; content:"J1Ls9RWH"; fast_pattern; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030009; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 2"; flow:established,from_server; content:"|39 2a 43 4f 0e 07 df 1f 8a a3 05 de 34 e0 c2 29|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012551; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://44449"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030010; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for login.yahoo.com 3"; flow:established,from_server; content:"|3e 75 ce d4 6b 69 30 21 21 88 30 ae 86 a8 2a 71|"; content:"login.yahoo.com"; within:250; classtype:misc-activity; sid:2012552; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://84371"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030011; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for mail.google.com"; flow:established,from_server; content:"|04 7e cb e9 fc a5 5f 7b d0 9e ae 36 e1 0c ae 1e|"; content:"mail.google.com"; within:250; classtype:misc-activity; sid:2012553; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://87756"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030012; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate for www.google.com"; flow:established,from_server; content:"|00 f5 c8 6a f3 61 62 f1 3a 64 f5 4f 6d c9 58 7c 06|"; content:"www.google.com"; within:250; classtype:misc-activity; sid:2012554; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2019_10_14;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://94654"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030013; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; classtype:trojan-activity; sid:2012617; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarext32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7; metadata:created_at 2011_04_08, updated_at 2011_04_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarhlp32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV BestAntivirus2011 Download"; flow:established,from_server; content:"|3b 20|filename=|22|BestAntivirus20"; nocase; classtype:trojan-activity; sid:2012714; rev:4; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; http.request_body; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; classtype:attempted-user; sid:2016954; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:md5,014945cf93ffc94833f7a3efd92fe263; classtype:command-and-control; sid:2012736; rev:9; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2011_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; http.uri; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:4; metadata:created_at 2011_05_17, updated_at 2011_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; http.request_body; content:"java.lang.Runtime@getRuntime().exec("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:4; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; http.request_body; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:4; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; http.uri; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; http.uri; content:"java.lang.ProcessBuilder("; nocase; classtype:attempted-user; sid:2017172; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED p2pshares.org Related Malware"; flow:to_server,established; content:"GET"; http_method; content:"Host|3A| p2pshares.org|3A|"; http_header; classtype:trojan-activity; sid:2012177; rev:6; metadata:created_at 2011_01_13, updated_at 2011_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request"; flow:established,to_server; content:"GET"; http_method; content:"/log.txt"; http_uri; content:"|2E|swf?info=02"; http_header; reference:cve,2011-2110; reference:url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html; classtype:trojan-activity; sid:2013113; rev:4; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; http.uri; content:"/post.php?referanceMod="; nocase; content:"java"; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:5; metadata:created_at 2013_11_20, updated_at 2020_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update before fake JPEG download"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/shopping3.cgi?a="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013179; rev:9; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; http.user_agent; content:"Zollard"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:3; metadata:created_at 2013_12_05, updated_at 2020_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup C2 Malware Update after fake JPEG download"; flow:established,to_server; content:"/cgi-bin/unshopping3.cgi?b="; nocase; http_uri; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013180; rev:10; metadata:created_at 2011_07_04, updated_at 2011_07_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; http.request_body; content:"Jm9zX2ZsYXZvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_07_04, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; http.request_body; content:"Zvc19mbGF2b3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; http.request_body; content:"mb3NfZmxhdm9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_19, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED PHP Remote File Inclusion (monster list http)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"http"; nocase; http_uri;  pcre:"/\.php.+?(?:c(?:(?:onfi|f)g|alendar)|p(?:a(?:ge|th)|rog)|l(?:ang(uage)?|ib)|f(?:older|ile|ad)|d(?:omain|ir|f)|s(?:ettings|bp)|a(?:genda|uth)|i(?:con|ncl|d)|n(?:ame|ews)|r(?:oot|f)|gallery|type|ext|mod|[a-z](\[.*\])+?)\s*=\s*https?/Ui"; reference:url,www.sans.org/top20/; reference:url,doc.emergingthreats.net/2002997; classtype:web-application-attack; sid:2002997; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_19, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"TTu0d0fu0d0eKKJJu0d0du0d0dLL1043416UU"; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013251; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:4; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; http.uri; content:"/wsman/simple_auth.passwd"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:5; metadata:created_at 2014_06_20, updated_at 2020_04_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:command-and-control; sid:2013362; rev:7; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
+alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1"; flow:established,to_server; content:"_prep_auth_info"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030071; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE windows_security_update Fake AV download"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:7; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
+alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2"; flow:established,to_server; content:"_send_pub"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030072; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; classtype:command-and-control; sid:2013413; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"AAAAAAAA"; content:"AAAAATEy"; content:"EA"; pcre:"/^(?:\\r\\n|\x0d\x0a)AABI/R"; content:"$|0e ce a0 d4 c7 cb 08|"; content:"T8hlGOo9"; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:!"|0d 0a|/9j/4S"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030006; rev:3; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Morto Worm Rar Download"; flow:established,to_server; content:"GET /160.rar HTTP"; depth:17; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:trojan-activity; sid:2013517; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"3r0TRZfh"; fast_pattern; content:"AAAAAAAA"; content:"|00 41 00 41 00 41 00 41|"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030008; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:7; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//netcore_get.cgi"; depth:17; fast_pattern; http.cookie; content:"homeFirstShow=yes"; reference:url,www.exploit-db.com/exploits/48384; classtype:attempted-admin; sid:2030095; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
 
-alert udp any 53 -> $DNS_SERVERS any (msg:"ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; content:"|06|google|03|com|02|br|00|"; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; classtype:bad-unknown; sid:2013894; rev:5; metadata:created_at 2011_11_10, updated_at 2011_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT NEC SL2100 - Session Enumeration Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PyxisUaMenu.htm?sessionId="; startswith; pcre:"/^\d{3}/R"; content:"&MAINFRM|28|444,-1,591|29|"; distance:0; fast_pattern; threshold:type threshold, count 5, seconds 60, track by_dst; reference:url,www.exploit-db.com/exploits/48425; classtype:attempted-recon; sid:2030102; rev:2; metadata:attack_target Server, created_at 2020_05_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Minor, updated_at 2020_05_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS estatements mailing campaign landing page"; flow:established,to_server; content:"/estatements/stetement_id."; http_uri; pcre:"/\/stetement_id\.\d+\//U"; classtype:trojan-activity; sid:2013908; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Image Manager 5.2.4 - RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"index.php?&p="; content:"/backup/uploadRestore"; endswith; fast_pattern; http.request_body; content:"<?"; reference:url,www.exploit-db.com/exploits/48423; classtype:attempted-admin; sid:2030103; rev:1; metadata:affected_product PHP, attack_target Server, created_at 2020_05_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ZeuS estatements fake transaction page flash warning"; flow:established,from_server; content:"&nbsp|3b|Notification of Incompatibility</font></strong></font></td>"; content:">Your version of Macromedia Flash Player is too old to continue. <a href="; classtype:trojan-activity; sid:2013909; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT BlogEngine 3.3 - syndication.axd XXE Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/syndication.axd?apml="; fast_pattern; pcre:"/^(?:https?:\/\/|(\d{1,3}\.){3}\d{1,3}|([a-z0-9-]+\.)+[a-z]{1,8})/Ri"; reference:url,www.exploit-db.com/exploits/48422; classtype:attempted-admin; sid:2030106; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_05_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible MPC Sharj 3.11.1 - Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; fast_pattern; pcre:"/^(?:==[A-Z0-9+/]{2}|=[A-Z0-9+/]{3}|[A-Z0-9+/]{4})(?:[A-Z0-9+/]{4})*$/Ri"; content:"L"; endswith; reference:url,www.exploit-db.com/exploits/48433; classtype:attempted-admin; sid:2030115; rev:1; metadata:attack_target Web_Server, created_at 2020_05_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:3; metadata:created_at 2012_01_26, updated_at 2012_01_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted D-Link ShareCenter (DNS-320/325) RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1="; startswith; fast_pattern; reference:url,roberto.greyhats.it/advisories/20120208-dlink-rce.txt/; classtype:web-application-attack; sid:2030120; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/"; fast_pattern; content:".cnf"; nocase; endswith; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:15; metadata:created_at 2010_09_23, updated_at 2020_11_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_12_11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle WebLogic CVE-2020-2551 Scanning"; flow:established,to_server; content:"|47 49 4f 50 01 02 00 03 00 00 00 17 00 00 00 02 00 00 00 00 00 00 00 0b 4e 61 6d 65 53 65 72 76 69 63 65|"; startswith; fast_pattern; reference:url,www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2020-2551; reference:url,github.com/hktalent/CVE-2020-2551/blob/master/CVE-2020-2551.py; classtype:attempted-admin; sid:2030128; rev:1; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:3; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Complaint Management System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Complaint%20Management%20System/admin/"; http.request_body; content:"username=%27%3D%27%27or%27&password="; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48452; classtype:attempted-admin; sid:2030160; rev:1; metadata:attack_target Web_Server, created_at 2020_05_12, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_12;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:4; metadata:created_at 2014_11_11, updated_at 2020_05_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:6; metadata:created_at 2012_02_20, updated_at 2012_02_20;)
+alert http any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; http.server; content:"RomPager"; nocase; startswith; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:3; metadata:created_at 2015_01_06, updated_at 2020_05_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:3; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"b3NfbmFtZT"; depth:10; fast_pattern; pcre:"/^[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa"; flow:established,to_server; content:"/searches?q=#pepbyfadxeoa"; fast_pattern; http_uri; content:"Host|3A 20|mobile.twitter.com|0d 0a|"; http_header; reference:url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/; classtype:trojan-activity; sid:2014333; rev:4; metadata:created_at 2012_03_07, updated_at 2012_03_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Jm9zX3ZlbmRvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Zvc192ZW5kb3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"mb3NfdmVuZG9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:6; metadata:created_at 2012_03_28, updated_at 2012_03_28;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/goformFOO/AlFrame?"; content:"/goformFOO/AlFrame?"; distance:0; content:"Gateway.Wan.dnsAddress1="; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a known malware domain (regicsgf.net)"; flow: to_server,established; content:"regicsgf.net|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014570; rev:6; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1="; distance:0; content:"action_mode=apply"; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020862; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a a known malware domain (sektori. org)"; flow: to_server,established; content:"sektori.org|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014571; rev:6; metadata:created_at 2012_04_16, former_category TROJAN, updated_at 2018_01_02;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1_x="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_28, former_category INFO, updated_at 2012_04_28;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/webcm?"; fast_pattern; content:"getpage="; distance:0; content:"&var|3a|lang="; http.uri.raw; content:"|2e 2e|/html/menus/menu2.html"; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:5; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:3; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; urilen:26; http.method; content:"POST"; http.uri; content:"/apply.cgi?/BAS_update.htm"; http.request_body; content:"submit_flag=ether"; depth:17; fast_pattern; content:"&ether_dnsaddr1="; distance:0; nocase; content:"&Apply=Apply"; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:5; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3A 20|RAbcLib|0D 0A|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:command-and-control; sid:2014755; rev:4; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; fast_pattern; content:"dnsserver="; distance:0; content:"&dnsserver2="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014859; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/basic/uiViewIPAddr="; fast_pattern; content:"&uiViewDns1Mark="; distance:0; content:"&uiViewDns2Mark="; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014860; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prim.htm?"; depth:10; fast_pattern; nocase; content:"i00110004="; distance:0; content:"&i00110005="; distance:0; nocase; content:"&i00035007="; distance:0; nocase; reference:url,www.gnucitizen.org/blog/router-hacking-challenge; classtype:attempted-admin; sid:2020873; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014861; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup_dns.stm?page=setup_dns"; content:"&dns1_1="; reference:url,www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4; classtype:attempted-admin; sid:2020875; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014862; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/LanDhcpServerRpm.htm?"; fast_pattern; content:"dhcpserver=1"; content:"&dnsserver="; content:"&Save="; reference:url,www.exploit-db.com/exploits/34584; classtype:attempted-admin; sid:2020878; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:command-and-control; sid:2014863; rev:3; metadata:created_at 2012_06_06, updated_at 2012_06_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Basic.tri?"; fast_pattern; content:"&dns0_0="; content:"&dns0_1="; reference:url,sebug.net/paper/Exploits-Archives/2008-exploits/0803-exploits/linksys-bypass.txt; classtype:attempted-admin; sid:2020879; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanStaticIpCfgRpm.htm"; fast_pattern; content:"&dnsserver="; content:"&Save=Save"; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M1 (encrypted token)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; http.request_body; content:"etc/config/.app_token"; fast_pattern; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030201; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:5; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Pre-Auth Local File Disclosure Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; fast_pattern; http.header; content:"QMS_SID="; http.request_body; content:"./../"; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030202; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M2 (plaintext token)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; http.request_body; content:"__thumb/ps.app.token"; fast_pattern; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030203; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015533; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Authenticated Session Tampering Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"sysRequest.cgi"; endswith; http.request_body; content:"smtp_fw_update="; startswith; fast_pattern; content:"=<?"; distance:0; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030204; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015534; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
+alert tcp $HOME_NET [!$HTTP_PORTS,!445,!22] -> any any (msg:"ET EXPLOIT Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:5; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2020_05_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:command-and-control; sid:2015546; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
+alert http any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/submit_net_debug.cgi"; nocase; http.request_body; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:4; metadata:created_at 2015_08_18, updated_at 2020_05_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; http.uri; content:"/NEI_ModuleDispatch.php"; content:"module=NEI_AdvancedConfig"; distance:0; content:"&function=HapiGetFileContents"; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/i"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_10, updated_at 2020_06_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"|7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65|"; content:"|3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a|"; content:"|29 5e 32 35 35 26|"; classtype:exploit-kit; sid:2019130; rev:3; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M1 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|sudo"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030237; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Astrum EK Landing"; flow:established,from_server; file_data; content:"%65%64%6f%43%72%61%68%43%6d%6f%72%66"; content:"%74%41%65%64%6f%43%72%61%68%63"; classtype:exploit-kit; sid:2019131; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2014_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M2 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|wget"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030238; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize:>200; content:"Windows "; content:"Service Pack "; distance:0; content:"HACK|00 00|"; fast_pattern; distance:100; reference:url,doc.emergingthreats.net/2008042; classtype:command-and-control; sid:2008042; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WordPress Plugin BBPress 2.5 - Unauthenticated Priv Esc Attempt (CVE-2020-13693)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user_login"; content:"user_pass"; distance:0; content:"|22|bbp_keymaster|22|"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/48534; reference:cve,2020-13693; classtype:attempted-admin; sid:2030239; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_server; http.method; content:"PUT"; http.cookie; content:"vcloud_jwt="; startswith; http.request_body; content:"|3a|Host|3e 24 7b|"; content:".getDeclaredConstructors|28 29 5b|"; distance:0; fast_pattern; flowbits:set,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030240; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:exploit-kit; sid:2019180; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,from_server; http.stat_code; content:"400"; http.response_body; content:"<Error"; content:"has|20|invalid|20|length|20|for"; fast_pattern; flowbits:isset,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030241; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:exploit-kit; sid:2019184; rev:3; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
+alert icmp $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Zephyr RTOS ICMPv4 Stack Buffer Overflow"; icode:0; dsize:>120; content:"|30 31 32 07 80|"; fast_pattern; content:"|00|"; endswith; reference:url,research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment/; classtype:bad-unknown; sid:2030242; rev:1; metadata:created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:exploit-kit; sid:2018171; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear Multiple Router Auth Bypass"; flow:to_server,established; http.uri; content:"/BRS_netgear_success.html"; depth:25; nocase; fast_pattern; reference:url,www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html; classtype:attempted-admin; sid:2021944; rev:3; metadata:created_at 2015_10_12, former_category CURRENT_EVENTS, updated_at 2020_06_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Magento Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/magmi-importer/web/"; fast_pattern; content:"download_file.php?file="; distance:0; http.uri.raw; content:"|2e 2e 2f|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:3; metadata:created_at 2015_10_15, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; classtype:exploit-kit; sid:2017667; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Directory Traversal via HTTP Cookie (CVE-2020-9484)"; flow:established,to_server; http.cookie; content:"JSESSIONID=../"; startswith; fast_pattern; reference:url,github.com/masahiro331/CVE-2020-9484/blob/master/README.md; reference:cve,2020-9484; classtype:attempted-recon; sid:2030256; rev:1; metadata:affected_product Tomcat, attack_target Server, created_at 2020_06_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WebSocket Session Initiation Request"; flow:established,to_server; flowbits:set,ETPRO.WebSocket.Request; content:"Connection|3a 20|Upgrade|0d 0a|"; fast_pattern; nocase; content:"Upgrade|3a 20|websocket|0d 0a|"; reference:url,tools.ietf.org/html/rfc6455; classtype:policy-violation; sid:2036219; rev:2; metadata:created_at 2014_09_17, former_category POLICY, updated_at 2014_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Archer C5 v4 (CVE-2019-7405)"; flow:established,to_server; http.uri; content:"/cgi/setPwd?pwd="; http.referer; bsize:14; content:"tplinkwifi.net"; fast_pattern; reference:cve,2019-7405; reference:url,securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/; classtype:attempted-admin; sid:2029181; rev:3; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2019_12_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014"; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:exploit-kit; sid:2019188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:to_server,established; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; startswith; reference:url,blogs.securiteam.com/index.php/archives/3409; reference:cve,CVE-2017-18377; classtype:attempted-recon; sid:2024914; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276"; flow:to_server,established; urilen:19; http.method; content:"POST"; http.uri; content:"/ws/rest/v1/concept"; fast_pattern; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; reference:url,www.rapid7.com/db/modules/exploit/multi/http/openmrs_deserialization; reference:cve,2018-19276; classtype:attempted-admin; sid:2030258; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple Router RCE Routersploit"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view/IPV6/ipv6networktool/traceroute/ping.php?text_target="; depth:59; fast_pattern; content:"&text_pingcount="; distance:0; content:"&text_packetsize="; distance:0; content:"|7c|"; distance:0; reference:url,github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/netsys/multi_rce.py; classtype:attempted-admin; sid:2030259; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; depth:12; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; classtype:policy-violation; sid:2010144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/goform/mp"; fast_pattern; content:"command=%7C%7C+"; depth:15; reference:url,www.exploit-db.com/exploits/48318; classtype:attempted-admin; sid:2030260; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Technicolor TD5130.2 - Remote Command Execution"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/mnt_ping.cgi"; fast_pattern; http.request_body; content:"isSubmit=1&addrType=3&pingAddr=|3b|"; depth:32; reference:url,www.exploit-db.com/exploits/47651; classtype:attempted-admin; sid:2030261; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019192; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Xfinity Gateway - Remote Code Execution"; flow:to_server,established; urilen:48; http.method; content:"POST"; http.uri; content:"/actionHandler/ajax_network_diagnostic_tools.php"; fast_pattern; http.request_body; content:"test_connectivity=true&destination_address=www.comcast.net|20 7c 7c 20|"; depth:62; reference:url,www.exploit-db.com/exploits/40856; classtype:attempted-admin; sid:2030262; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, signature_severity Major, updated_at 2020_06_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV Gemini - JavaScript Redirection To FakeAV Binary"; flow:established,to_client; content:"<script type=|22|text/javascript|22|>"; nocase; content:"location.assign|28|"; nocase; within:17; classtype:bad-unknown; sid:2011918; rev:5; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fastweb Fastgate 0.00.81 - Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/status.cgi?cmd="; content:"&act=nvset&service=usb_remove&mount="; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/47654; classtype:attempted-admin; sid:2030276; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:14; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple DLink Routers Remote Code Execution CVE-2019-16920"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/apply_sec.cgi"; http.request_body; content:"html_response_page=login_pic.asp&action=ping_test&ping_ipaddr="; fast_pattern; reference:cve,2019-16920; reference:url,www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce; classtype:attempted-admin; sid:2030277; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin-igd/netcore_set.cgi"; http.request_body; content:"mode_name=netcore_set&tools_type=2&tools_ip_url=|7c|+"; fast_pattern; content:"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"; distance:0; reference:cve,2019-19356; reference:url,www.exploit-db.com/exploits/48149; classtype:attempted-admin; sid:2030278; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, signature_severity Minor, updated_at 2020_06_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET MALWARE Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:command-and-control; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert tcp any any -> any 62522 (msg:"ET EXPLOIT Cisco AnyConnect Path Traversal Priv Esc (CVE-2020-3153)"; flow:established,to_server; content:"OCSC"; depth:4; content:"vpndownloader.exe"; distance:0; content:"|5c 2e 2e 2f|dbghelp.dll"; fast_pattern; distance:0; reference:url,ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal; reference:url,gist.github.com/ykoster/aeaa893d68adbc5004aa873b3290acd1; reference:cve,2020-3153; classtype:attempted-admin; sid:2030280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_10, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Security Shield payment page request"; flow:established,to_server; content:!"Referer|3a| "; http_header; content:"/payform/?k="; http_uri; classtype:trojan-activity; sid:2014631; rev:4; metadata:created_at 2012_04_23, updated_at 2012_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT-N56U/RT-AC66U Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?current_page=Main_AdmStatus_Content.asp&next_page=Main_AdmStatus_Content.asp&next_host=&sid_list=FirewallConfig%3B&group_id=&modified=0&action_mode=+Refresh+&first_time=&action_script=&preferred_lang=EN&SystemCmd="; fast_pattern; content:"&action=Refresh"; distance:0; reference:url,www.ise.io/research/studies-and-papers/asus_rtn56u/; classtype:attempted-admin; sid:2030310; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established;  content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:8; metadata:created_at 2012_05_11, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"&sns=sns&grant=1&guest_user_id=guid&timeout="; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018-13023; classtype:attempted-admin; sid:2030311; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi TV Integration Remote Code Execution CVE-2018???16130"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"/api/xqsmarthome/request_mitv?payload={"; distance:0; content:"$("; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018???16130; classtype:attempted-admin; sid:2030312; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/qsr_server/device/getThumbnail?sourceUri="; fast_pattern; content:"'&targetUri="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2030317; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015719; rev:2; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible D-Link Command Injection Attempt Inbound (CVE-2020-13782)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_ajax_explorer.sgi?action="; fast_pattern; content:"&path="; distance:0; content:"&where="; distance:0; content:"&en=|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/; reference:cve,2020-13782; classtype:attempted-admin; sid:2030335; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_06_15, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:command-and-control; sid:2015720; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5405)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%28_%29..%28_%29"; fast_pattern; reference:url,tanzu.vmware.com/security/cve-2020-5405; reference:cve,2020-5405; classtype:attempted-admin; sid:2030336; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015721; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5410)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%252F..%252F"; nocase; fast_pattern; reference:url,xz.aliyun.com/t/7877; reference:cve,2020-5410; classtype:attempted-admin; sid:2030337; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015722; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Centreon 20.04 Authenticated RCE (CVE-2020-12688)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/main.get.php?p="; content:"&command_id="; distance:0; content:"&command_name=../"; distance:0; fast_pattern; content:"|3b|&command_line="; distance:0; reference:url,github.com/TheCyberGeek/Centreon-20.04; reference:cve,2020-12688; classtype:attempted-admin; sid:2030338; rev:1; metadata:attack_target Web_Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015728; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,>,16,11,relative,big; pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R"; reference:url,devel0pment.de/?p=1881; reference:cve,2020-13160; classtype:attempted-user; sid:2030348; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_16;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015730; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
+#alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11896/CVE-2020-11898 Fragments inside IP-in-IP tunnel"; ip_proto:4; fragbits:M; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030385; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015736; rev:4; metadata:created_at 2012_09_26, former_category MALWARE, updated_at 2012_09_26;)
+#alert ipv6 any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11897 IPv6 deprecated RH Type 0 source routing attack"; decode-event:ipv6.rh_type_0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030386; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:command-and-control; sid:2015741; rev:4; metadata:created_at 2012_09_27, former_category MALWARE, updated_at 2012_09_27;)
+#alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, former_category INFO, updated_at 2012_09_28;)
+#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11902 ICMPv4 parameter problem with tunnel inside"; itype:12; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030389; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:3; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
+#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery"; itype:3; icode:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030390; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:5; metadata:created_at 2012_11_09, former_category TROJAN, updated_at 2018_02_08;)
+#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-1191 anomalous ICMPv4 Address Mask Reply message (type 18, code 0)"; itype:18; icode:0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030391; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:exploit-kit; sid:2015887; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_11_14, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; http.method; content:"POST"; nocase; http.uri; content:"/setSystemCommand"; nocase; http.request_body; content:"SystemCommand="; nocase; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:3; metadata:created_at 2016_02_13, updated_at 2020_06_24;)
 
-#alert udp $HOME_NET 53 -> any any (msg:"ET DOS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:7; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/data.ria?CfgType=get_homeCfg&file="; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:3; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:4; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:3; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:3; metadata:created_at 2012_12_13, updated_at 2012_12_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:4; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"Opera/11.1"; depth:10; http_user_agent; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:4; metadata:created_at 2012_12_22, updated_at 2012_12_22;)
+alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1"; flow:established,to_server; http.uri; content:"/tmui/login.jsp"; depth:15; fast_pattern; content:"|3b|"; distance:0; reference:cve,2020-5902; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_05, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Critical, updated_at 2020_07_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
+alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2"; flow:established,to_server; http.uri; content:"/hsqldb"; depth:7; fast_pattern; content:"|3b|"; distance:0; reference:cve,2020-5902; reference:url,www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030483; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_08, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Critical, updated_at 2020_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:4; metadata:created_at 2013_01_12, updated_at 2013_01_12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Inbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030487; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Outbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030488; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_09;)
 
-#alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET DELETED Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC";  reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:command-and-control; sid:2016473; rev:3; metadata:created_at 2013_02_22, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potentially Malicious .cab Inbound (CVE-2020-1300)"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MSCF"; startswith; content:"../../"; distance:0; fast_pattern; pcre:"/^[a-z0-9\-_\.\/]+\x00/Ri"; reference:url,www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files; classtype:attempted-admin; sid:2030493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_10, deployment Perimeter, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:targeted-activity; sid:2016474; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ping.cgi?pingIpAddress="; fast_pattern; content:"|3b|"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/; reference:cve,2020-10173; classtype:attempted-admin; sid:2030502; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_07_13, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_07_13;)
 
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:targeted-activity; sid:2016476; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert tcp any 53 -> any any (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350)"; flow:established,from_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; content:"|00 00 18|"; distance:12; within:64; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030533; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, former_category EXPLOIT, performance_impact Significant, signature_severity Critical, updated_at 2020_07_16;)
 
-alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications html return 1"; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:targeted-activity; sid:2016477; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert tcp any any -> any 53 (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350)"; flow:established,to_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030532; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, former_category EXPLOIT, performance_impact Significant, signature_severity Critical, updated_at 2020_07_16;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:targeted-activity; sid:2016478; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Vulnerable Response"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; flowbits:isset,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030577; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:targeted-activity; sid:2016479; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<baData>PHJvb3Q+ICA8dXNlcj4"; fast_pattern; flowbits:set,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030578; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:targeted-activity; sid:2016480; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Success"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; content:"Add|20|user|20|success"; distance:0; flowbits:isset,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030579; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:targeted-activity; sid:2016482; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Probe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CTCWebService/CTCWebServiceBean"; fast_pattern; flowbits:set,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030576; rev:2; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:targeted-activity; sid:2016483; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read  (CVE-2020-3452) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/+CSCO"; fast_pattern; content:"=.."; distance:0; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030585; rev:1; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_23;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:targeted-activity; sid:2016484; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; http.server; file.data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head"; flow:established,to_client; file_data; content:"MS4nJzJ4cHZyeQ=="; classtype:targeted-activity; sid:2016485; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Attempted Netgear Buffer Overflow into RCE Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade_check.cgi"; bsize:18; http.content_len; byte_test:0,>,4000,0,string,dec; http.request_body; content:"mknod|20 2f|dev/ptyp"; fast_pattern; reference:url,github.com/grimm-co/NotQuite0dayFriday/blob/master/2020.06.15-netgear/exploit.py; classtype:attempted-admin; sid:2030630; rev:1; metadata:affected_product Netgear_Router, created_at 2020_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2020_07_31;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:targeted-activity; sid:2016486; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Attempted Netgear Buffer Overflow into RCE Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade_check.cgi"; bsize:18; fast_pattern; http.content_len; byte_test:0,>,1000,0,string,dec; http.request_body; content:"/bin/"; reference:url,github.com/grimm-co/NotQuite0dayFriday/blob/master/2020.06.15-netgear/exploit.py; classtype:attempted-admin; sid:2030631; rev:1; metadata:affected_product Netgear_Router, created_at 2020_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2020_07_31;)
 
-alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:targeted-activity; sid:2016488; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/mi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:5; metadata:created_at 2015_04_13, updated_at 2020_08_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2012_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R7000 Command Injection Exploit"; flow:established,to_server; http.uri; content:"/cgi-bin/"; depth:9; content:"$IFS"; fast_pattern; distance:0; content:"|3b|"; reference:url,www.kb.cert.org/vuls/id/582384; classtype:attempted-user; sid:2023628; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2016_12_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?php"; fast_pattern; content:"|5c 22 20|"; content:"-X"; content:".php"; content:"@"; http.content_type; content:"multipart/form-data|3b|"; startswith; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; reference:url,github.com/opsxcq/exploit-CVE-2016-10033; classtype:attempted-user; sid:2023686; rev:3; metadata:affected_product PHPMailer, attack_target Web_Server, created_at 2016_12_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, former_category MALWARE, updated_at 2014_03_25;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type both,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/userRpm/"; depth:9; fast_pattern; content:"&dnsserver="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023995; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Archer C2 and Archer C20i Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi?"; nocase; http.header; content:"/mainFrame.htm"; http.request_body; content:"IPPING"; nocase; content:"X_TP_ConnName=ewan_ipoe_s"; fast_pattern; reference:url,github.com/reverse-shell/routersploit/blob/master/routersploit/modules/exploits/tplink/archer_c2_c20i_rce.py; classtype:command-and-control; sid:2024191; rev:3; metadata:affected_product TPLINK, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Trojan Dropped by Angler Aug 29 2014"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 c4 a8 4b da 47 94 14 c1|"; within:35; content:"|55 04 0b|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|06|office"; distance:1; within:7; classtype:trojan-activity; sid:2019086; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_29, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt"; flow:to_server,established; urilen:1; http.method; content:"PROPFIND"; http.header; content:"Content-Length|3a 20|0|0d 0a|Host|3a 20|"; depth:25; content:"|0d 0a|If|3a 20|<http"; fast_pattern; classtype:trojan-activity; sid:2024222; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2017_04_18, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/report-email/send"; nocase; http.request_body; content:"/dev-report-overview.html"; nocase; content:"|3B|"; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/i"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:3; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019205; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET [16992,16993,623,664] (msg:"ET EXPLOIT Intel AMT Login Attempt Detected (CVE 2017-5689)"; flow:to_server,established; http.header; content:"Authorization|3a 20|Digest"; content:"username=|22|"; content:"response="; fast_pattern; pcre:"/^\s*\x22{2}/R"; reference:url,mjg59.dreamwidth.org/48429.html; reference:url,www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability; reference:cve,2017-5689; classtype:attempted-admin; sid:2024287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_10, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019206; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible SharePoint XSS (CVE-2017-8514) Inbound"; flow:to_server,established; http.uri; content:"FollowSite="; nocase; fast_pattern; content:"SiteName="; nocase; content:"-confirm"; nocase; distance:0; reference:url,respectxss.blogspot.fr/2017/06/a-look-at-cve-2017-8514-sharepoints.html; classtype:attempted-user; sid:2024412; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_06_19, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019207; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,from_server; http.response_body; content:"<iframe|20|"; content:"|20|src="; distance:0; pcre:"/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"; content:"|3a 20|--play"; distance:0; fast_pattern; content:".tvs"; distance:0; reference:url,www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/; classtype:attempted-admin; sid:2030668; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Teamviewer, updated_at 2020_08_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/BillGates Checkin Response"; flow:established,from_server; dsize:20; content:"|08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00|"; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019208; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/AES.DDoS Sending Real/Fake CPU&BW Info"; flow:established,to_server; content:"INFO|3a|"; depth:5; pcre:"/^\d/R"; content:"|25 7c|"; distance:0; threshold: type both, count 1, seconds 30, track by_src; reference:md5,d8059b555dde05e184c0b16bbff523f1; classtype:trojan-activity; sid:2019177; rev:3; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|"; classtype:trojan-activity; sid:2024193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:7; http.method; content:"GET"; nocase; http.uri; content:"/status"; fast_pattern; http.header; content:"Host|3a|"; nocase; content:"|3b|"; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/mi"; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:2024548; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_08_14, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; content:"<command"; nocase; distance:0; pcre:"/^[\s>]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert tcp any any -> any any (msg:"ET DELETED njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019223; rev:1; metadata:created_at 2014_09_23, updated_at 2014_09_23;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)"; flow:to_server,established; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; content:".exec"; distance:0; content:"<command"; nocase; distance:0; pcre:"/^[\s>]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024664; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; classtype:exploit-kit; sid:2019224; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"eXNvc2VyaWFsL"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024668; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017817; rev:11; metadata:created_at 2013_12_10, former_category EXPLOIT_KIT, updated_at 2013_12_10;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"lzb3NlcmlhbC"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024669; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019225; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"5c29zZXJpYWwv"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024670; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|79 76 36 36 76|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024671; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|72 2b 75 72|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024672; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:command-and-control; sid:2019229; rev:1; metadata:created_at 2014_09_24, former_category MALWARE, updated_at 2014_09_24;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|4b 2f 72 71 2b|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024673; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:exploit-kit; sid:2019078; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024674; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET MALWARE Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:command-and-control; sid:2019235; rev:1; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2014_09_25;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024675; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
 
-#alert udp any 67 -> any 68 (msg:"ET DELETED Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK - option 67"; content:"|02 01|"; depth:2; content:"|43|"; distance:238; content:"|28 29 20 7b 20|"; distance:1; within:10; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019238; rev:2; metadata:created_at 2014_09_25, updated_at 2014_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit HFS Actor"; flow:established,from_server; http.server; content:"HFS"; startswith; file.data; content:"triggerBug"; nocase; fast_pattern; content:"exploit"; nocase; content:"intToStr"; nocase; content:"strToInt"; nocase; classtype:trojan-activity; sid:2024677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2020_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kuluoz/Asprox CnC Response"; flow:from_server,established; flowbits:isset,ET.Kuluoz; content:"|0d 0a 0d 0a|"; content:"|0d 0a 80 00 00 00|"; distance:2; within:6; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:command-and-control; sid:2019187; rev:5; metadata:created_at 2014_09_17, former_category MALWARE, updated_at 2014_09_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"newcollection/config"; http.request_body; content:"|22|add-listener|22|"; content:"|22|event|22 3a 22|postCommit|22|"; content:"|22|class|22|"; content:"RunExecutableListener|22 2c|"; fast_pattern; content:"|22|exe|22|"; content:"|22|dir|22|"; content:"|22|args|22|"; http.content_type; content:"application/json"; startswith; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024884; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c32f1e7d9d6f88c4d2468fe205f4abfc; classtype:trojan-activity; sid:2019274; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI)"; flow:to_server,established; flowbits:set,ET.CVE-2017-12629; http.uri; content:"?q=|7b 21|xmlparser"; content:"|3d 27 3c 21|DOCTYPE"; nocase; distance:0; fast_pattern; pcre:"/^(?:(?!\x0d\x0a).)+\x22(?:https?|file):\x2f\x2f/R"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024885; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 1)"; flow:to_server,established; flowbits:isset,ET.CVE-2017-12629; http.method; content:"GET"; http.uri; content:"newcollection/config"; content:"|22|add-listener|22 3a|"; distance:0; content:"|22|event|22 3a 22|postCommit|22|"; distance:0; content:"|22|class|22|"; distance:0; content:"RunExecutableListener|22 2c 22|exe|22|"; distance:0; fast_pattern; content:"|22|dir|22|"; content:"|22|args|22|"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024886; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 2)"; flow:to_server,established; flowbits:isset,ET.CVE-2017-12629; http.method; content:"GET"; http.uri; content:"?q="; content:"update?"; distance:0; content:"stream.body="; content:"commit="; content:"overwrite="; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024887; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|www.santa.my"; distance:1; within:13; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; http.method; content:"POST"; http.uri; content:"/hedwig.cgi"; fast_pattern; http.request_body; content:"DEVICE.ACCOUNT"; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution"; flow:to_server,established; http.uri; content:"/board.cgi?cmd="; depth:15; reference:url,blogs.securiteam.com/index.php/archives/3445; classtype:attempted-recon; sid:2024915; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019279; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Command Execution"; flow:to_server,established; http.uri; content:"/setup.cgi?next_file="; nocase; content:"&todo=syscmd&cmd="; nocase; distance:0; content:"currentsetting.htm"; nocase; fast_pattern; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019280; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices"; flow:to_server,established; http.uri; content:"/Search.cgi?action=cgi_query"; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024917; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024918; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in adcommand.cgi"; urilen:33; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/supervisor/adcommand.cgi"; nocase; fast_pattern; http.request_body; content:"DoShellCmd"; nocase; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024919; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in PwdGrp.cgi"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/PwdGrp.cgi?action="; nocase; depth:38; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024920; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http any any -> any any (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/passwordrecovered.cgi?id="; nocase; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:5; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; http.uri; content:"/rom-0"; nocase; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; within:4; content:"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:2; metadata:created_at 2010_12_15, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:4; metadata:created_at 2010_12_27, updated_at 2020_08_20;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:3; metadata:created_at 2015_03_03, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; within:12; fast_pattern; content:"|7d 7d 40|"; distance:0; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:4; metadata:attack_target SMTP_Server, created_at 2019_06_07, cve 2019_10149, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"routestring"; fast_pattern; content:"ajax"; within:100; content:"render"; within:9; content:"widget_php"; within:13; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; classtype:attempted-admin; sid:2028621; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; http.request_body; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028825; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; content:"&widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028826; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT UCM6202 1.0.18.13 - Remote Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=sendPasswordEmail&user_name="; startswith; fast_pattern; content:"|27|"; within:40; content:"|60 3b 60|"; within:100; reference:url,www.exploit-db.com/exploits/48247; classtype:attempted-admin; sid:2030206; rev:2; metadata:created_at 2020_05_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT SAP NetWeaver AS Directory Traversal Attempt Inbound (CVE-2020-6286)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<soapenv"; startswith; content:"<sessionID>"; distance:0; content:"../../../"; within:10; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; reference:cve,2020-6286; classtype:attempted-user; sid:2030549; rev:2; metadata:created_at 2020_07_16, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_08_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri; content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:13; metadata:created_at 2010_09_23, updated_at 2022_03_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:2; metadata:created_at 2016_06_30, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs"; content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CVE_2016_0189, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs"; content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:3; metadata:attack_target IoT, created_at 2017_06_16, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; endswith; classtype:trojan-activity; sid:2024214; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_05_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert udp any any -> $HOME_NET 50000 (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:3; metadata:attack_target Client_and_Server, created_at 2017_06_12, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL Over FTP"; flow:established,from_server; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Critical, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3A| "; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019294; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adv,/cgi-bin/weblogin.cgi?username="; startswith; fast_pattern; content:"|27 3b|"; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029616; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/^\d+&w=\d+&ua=.+&e=1$/UR"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:3; metadata:created_at 2014_09_29, former_category CURRENT_EVENTS, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adv,/cgi-bin/weblogin.cgi"; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"|27 3b|"; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029617; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019316; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mdm/client/v1/mdmLogUploader?udid=si|5c|..|5c|..|5c|..|5c|webapps|5c|DesktopCentral|5c|_chart&filename="; startswith; fast_pattern; http.request_body; content:"|ac ed 00 05 73 72 00 17 6a 61 76 61 2e 75 74 69 6c 2e 50 72 69 6f 72 69 74 79 51 75 65 75 65 94|"; startswith; reference:url,twitter.com/steventseeley/status/1235635108498948096; reference:cve,2020-10189; reference:url,www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html; classtype:attempted-admin; sid:2029618; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_12, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019317; rev:4; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ipv6 any any -> ff00::/8 any (msg:"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read";  reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030387; rev:2; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; classtype:policy-violation; sid:2003437; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)"; flow:to_server,established; http.uri; content:"/kerbynet?"; nocase; fast_pattern; content:"Action="; nocase; content:"Section="; nocase; reference:cve,2019-12725; reference:url,isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/; classtype:attempted-admin; sid:2030597; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1"; flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"ProcessBuilder"; nocase; distance:0; fast_pattern; content:"java"; nocase; content:"lang"; nocase; pcre:"/=\s*\x25\s*\{\s*.+?\bProcessBuilder\b/i"; classtype:attempted-admin; sid:2024814; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET 52869 (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/picdesc.xml"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category EXPLOIT, updated_at 2020_08_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Common Downloader Trojan Checkin"; flow:established,to_server; content:".php?pid="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&amd="; nocase; http_uri; content:"&win64="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007975; classtype:trojan-activity; sid:2007975; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MikroTik RouterOS Chimay Red Remote Code Execution Probe"; flow:to_server,established; urilen:8; http.method; content:"POST"; http.uri; content:"/jsproxy"; fast_pattern; http.header; content:"Content-Length|3a 20|"; depth:16; reference:url,www.exploit-db.com/exploits/44284/; reference:url,www.exploit-db.com/exploits/44283/; classtype:attempted-admin; sid:2025426; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious embedded zip file in web page"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:40; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019324; rev:2; metadata:created_at 2014_09_30, former_category EXPLOIT_KIT, updated_at 2014_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpLDAPadmin LDAP Injection"; flow:to_server,established; http.uri; content:"!(()&&!|7c|*|7c|*|7c|"; nocase; classtype:web-application-attack; sid:2025733; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_06_22, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:3; metadata:created_at 2014_09_30, former_category CURRENT_EVENTS, updated_at 2014_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution"; flow:to_server,established; http.uri; content:"/wps.setup.json"; fast_pattern; nocase; http.request_body; content:"operation=write"; content:"option=connect"; content:"wps_setup_pin="; content:"%2Fbin%2Fsh"; reference:url,exploit-db.com/exploits/44912/; classtype:web-application-attack; sid:2025735; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_22, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpMyAdmin 4.8.1 - Local File Inclusion"; flow:to_server,established; http.uri; content:"db_sql.php"; nocase; http.uri.raw; content:"|2e 2e 2f|"; classtype:web-application-attack; sid:2025734; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_06_22, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019328; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Enable Guest Network)"; flow:established,to_server; http.uri; content:"/cgi?2&2&2&2&2"; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN_MULTISSID"; fast_pattern; content:"multiSSIDEnable"; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025752; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019329; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Reboot Router)"; flow:established,to_server; http.uri; content:"/cgi?7"; http.header; content:"mainFrame.htm"; http.request_body; content:"ACT_REBOOT"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025754; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b/R"; classtype:trojan-activity; sid:2019326; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (GET conf.bin)"; flow:established,to_server; http.uri; content:"/cgi/conf.bin"; http.header; content:"/mainFrame.htm"; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025753; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b/R"; classtype:trojan-activity; sid:2019327; rev:6; metadata:created_at 2014_10_01, updated_at 2014_10_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B - OS Command Injection"; flow:established,to_server; http.uri; content:"/login.cgi?cli="; pcre:"/^[ a-zA-Z0-9+_]*[\x27\x3b]/Ri"; reference:url,exploit-db.com/exploits/44760/; classtype:attempted-user; sid:2025756; rev:3; metadata:attack_target IoT, created_at 2018_06_27, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert udp any any -> $HOME_NET 53 (msg:"ET DOS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type both, track by_dst, seconds 60, count 5; classtype:bad-unknown; sid:2016016; rev:8; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Exec Backdoor"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"|7b 22|action|22 3a 20 22|exec|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025761; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019330; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Install Backdoor"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"|7b 22|action|22 3a 20 22|install|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025762; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco Adaptive Security Appliance - Path Traversal"; flow:established,to_server; http.uri; content:"+CSCOE+/files/file_list.json?path=+CSCOE+"; fast_pattern; http.uri.raw; content:"../"; reference:url,exploit-db.com/exploits/44956/; reference:cve,2018-0296; classtype:attempted-user; sid:2025764; rev:2; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"fesexy.net"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; classtype:trojan-activity; sid:2002768; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,doc.emergingthreats.net/2010594; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:md5,94e13e13c6da5e32bde00bc527475bd2; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"name="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/name=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Geutebruck Remote Command Execution"; flow:established,to_server; http.uri; content:"/uapi-cgi/viewer/simple_loglistjs.cgi?"; fast_pattern; content:"/bin/sh"; reference:url,exploit-db.com/exploits/44957/; reference:cve,2018-7520; classtype:attempted-user; sid:2025769; rev:2; metadata:attack_target IoT, created_at 2018_07_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:3; metadata:created_at 2012_03_10, updated_at 2012_03_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution"; flow:established,to_server; http.uri; content:"/ajaxhelper.php?cmd=getxicoreajax"; fast_pattern; http.uri.raw; content:"&opts=%7b%22func%22%3a%22get_hoststatus_table%22%7d"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025774; rev:2; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 2"; flow:established,to_server; http.uri; content:"/graphApi.php?host="; fast_pattern; http.uri.raw; content:"%3bsudo%20../profile/getprofile.sh%20%23"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025773; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal; file_data; byte_extract:1,0,size,relative; content:"|00 00 00|"; within:3; content:!"|00|"; within:size; content:"|00|"; distance:size; within:1; pcre:"/^.\x00\x00\x00[a-z0-9]+?\x00/s"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019345; rev:2; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2014_10_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyClicker.ClickFraud Query Instructions CnC Response"; flow:established,to_client; content:"|0D 0A 0D 0A|{|22|query|22 3A|"; content:"|22|tasks|22 3A|"; distance:0; content:"|22|referer|22 3A|"; distance:0; content:"|22|useragent|22 3A|"; distance:0; content:"|22|clickurl|22 3A|"; distance:0; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019357; rev:2; metadata:created_at 2014_10_06, former_category MALWARE, updated_at 2014_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Set DB User Root"; flow:established,to_server; http.uri; content:"/admin/settings.php"; http.request_body; content:"txtRootPath="; content:"&txtBasePath="; content:"&selProtocol="; content:"&txtTempdir="; content:"&selLanguage="; content:"&txtEncoding="; content:"&txtDBserver="; content:"&txtDBport="; content:"&txtDBname="; content:"&txtDBuser=root"; fast_pattern; content:"&txtDBpass="; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025777; rev:2; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Zonebac.D"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"cid="; nocase; http_uri;content:"&aid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&fw="; nocase; http_uri; content:"&v="; nocase; http_uri;content:"&m="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008682; classtype:trojan-activity; sid:2008682; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Adding Administrative User"; flow:established,to_server; http.uri; content:"/api/v1/system/user"; http.request_body; content:"username="; content:"&password="; content:"&name="; content:"&email="; content:"&auth_level=admin&force_pw_change=0"; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025778; rev:2; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019360; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ADB Broadband Authorization Bypass"; flow:established,to_server; http.uri; content:"/ui/dboard/settings/management/"; fast_pattern; http.uri.raw; content:"/management//"; reference:cve,2018-13109; reference:url,exploit-db.com/exploits/44982/; classtype:web-application-attack; sid:2025785; rev:2; metadata:attack_target IoT, created_at 2018_07_05, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019361; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR601 2.02 Credential Disclosure"; flow:established,to_server; http.uri; content:"/my_cgi.cgi"; http.request_body; content:"request=no_auth"; content:"request=load_settings"; content:"table_name=admin_user"; fast_pattern; content:"table_name=user_user"; content:"table_name=wireless_settings"; content:"table_name=wireless_security"; content:"table_name=wireless_wpa_settings"; reference:url,exploit-db.com/exploits/45002/; classtype:attempted-recon; sid:2025823; rev:3; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 42"; flow:to_server,established; dsize:>11; content:"|7c 01|"; offset:9; depth:2; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5}.{4}\x7c\x01/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2019362; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IBM QRadar SIEM Unauthenticated Remote Code Execution"; flow:established,to_server; http.uri; content:"/ForensicsAnalysisServlet/?"; fast_pattern; content:"[pcap]=$("; content:"/bin/bash"; reference:url,exploit-db.com/exploits/45005/; classtype:attempted-user; sid:2025826; rev:2; metadata:attack_target Server, created_at 2018_07_11, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; http.uri; content:"/init.do?"; content:"java.util"; content:"Runtime.getRuntime().exec"; fast_pattern; content:"cmd"; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019363; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; http.uri; content:"/amf"; http.request_body; content:"sun.rmi.server.UnicastRef"; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:3; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:command-and-control; sid:2015835; rev:7; metadata:created_at 2012_10_23, former_category MALWARE, updated_at 2012_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>/bin/sh"; content:"<string>-c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:suspicious-filename-detect; sid:2019338; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>cmd</string>"; content:"<string>/c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE MSF Check"; flow:to_server,established; http.uri; content:"/shell?echo+"; depth:12; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025882; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Minor, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019369; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE"; flow:to_server,established; http.uri; content:"/shell?"; depth:7; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025883; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019370; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple CCTV-DVR Vendors RCE"; flow:to_server,established; http.uri; content:"/language/Swedish${IFS}&&"; depth:25; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025884; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Minor, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019372; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic Unrestricted File Upload (CVE-2018-2894)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ws_utc/resources/setting/keystore"; fast_pattern; http.request_body; content:"ks_filename="; reference:url,github.com/LandGrey/CVE-2018-2894/blob/master/CVE-2018-2894.py; reference:cve,2018-2894; classtype:attempted-admin; sid:2025907; rev:3; metadata:attack_target Server, created_at 2018_07_25, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019373; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI M2"; flow:to_server,established; http.uri; content:"java.lang.Runtime|25|40getRuntime().exec("; nocase; classtype:attempted-user; sid:2026024; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019374; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1"; flow:to_server,established; http.uri; content:"memberAccess"; content:"allowStaticMethodAccess"; distance:0; content:"java.lang.Runtime|25|40getRuntime().exec("; nocase; fast_pattern; distance:0; content:".getInputStream()"; content:"java.io.InputStreamReader("; content:"java.io.BufferedReader("; content:".read("; content:"org.apache.struts2.ServletActionContext"; content:"getResponse().getWriter()"; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026025; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 10000: (msg:"ET DELETED Possible Sweet Orange Secondary Landing"; flow:established,to_server; content:"GET "; depth:4; pcre:"/(?:\/[a-z-]+)+\.php\?[a-z]+=[0-9]+[^\r\n]+HTTP\/1\.1/R"; content:"3 HTTP/1.1"; fast_pattern:only; classtype:exploit-kit; sid:2019351; rev:3; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2"; flow:to_server,established; http.uri; content:"memberAccess"; content:"allowStaticMethodAccess"; distance:0; content:"java.lang.Runtime@getRuntime().exec("; nocase; fast_pattern; distance:0; content:".getInputStream"; content:"java.io.InputStreamReader"; content:"java.io.BufferedReader"; content:".read"; content:"@org.apache.struts2.ServletActionContext@getResponse"; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026026; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; content:"/inst.php?wmid="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&s="; nocase; http_uri; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; classtype:trojan-activity; sid:2007865; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Unix)"; flow:established,to_server; content:"|5c 5c|x73|5c 5c|x68|5c 5c|x20|5c 5c|x2d|5c 5c|x63"; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026028; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_user_agent; classtype:command-and-control; sid:2019286; rev:4; metadata:created_at 2014_09_27, former_category MALWARE, updated_at 2014_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Linux)"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; content:".deb"; content:"/var/lib/sdn/uploads"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026029; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|23|_memberAccess"; fast_pattern; content:".getWriter"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026094; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/SpyClicker.ClickFraud Click CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/click?sid="; http_uri; depth:11; content:"&cid="; http_uri; distance:0; pcre:"/&cid=\d+$/U"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019356; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, signature_severity Major, tag c2, updated_at 2014_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"com|2E|opensymphony"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026095; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|2E|getWriter"; fast_pattern; content:"symphony|2E|"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026096; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SonicWall Global Management System - XMLRPC set_time_zone Command Injection (CVE-2018-9866)"; flow:established,to_server; http.request_body; content:"<methodName>set_time_"; fast_pattern; content:"<string>|22 60|"; distance:0; reference:url,exploit-db.com/exploits/45124/; reference:cve,2018-9866; classtype:attempted-user; sid:2026023; rev:4; metadata:attack_target Server, created_at 2018_08_23, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:pup-activity; sid:2002858; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution M2"; flow:to_server,established; http.uri; content:"/board.cgi"; fast_pattern; http.request_body; content:"cmd="; depth:4; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,blogs.securiteam.com/index.php/archives/3445; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026103; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT EnGenius EnShare IoT Gigabit Cloud Service RCE"; flow:to_server,established; http.uri; content:"/usbinteract.cgi"; http.request_body; content:"action=7&path="; fast_pattern; depth:14; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026104; rev:3; metadata:created_at 2018_09_10, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)"; flow:to_server,established; http.uri; content:"/cgi-bin/luci/"; content:"stok="; content:"/nslookup?nslookup_button=nslookup_button&"; fast_pattern; reference:cve,2017-6884; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026105; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018719; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NetGain Enterprise Manager 7.2.562 Ping Command Injection"; flow:to_server,established; http.uri; content:"/exec.jsp"; http.request_body; content:"command=cmd"; fast_pattern; content:"ping&argument="; distance:0; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026106; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019388; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection M2"; flow:to_server,established; http.uri; content:"/cgi_system?cmd=saveconfig"; http.request_body; content:"bfolder="; pcre:"/(?:\x60|\x24)/"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026108; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/certificate_handle2.htm?type="; http.request_body; content:"page=self_generator.htm&totalRules="; depth:35; fast_pattern; content:"|25 32 37 25 32 34 25 32 38|"; distance:0; reference:url,seclists.org/fulldisclosure/2019/Jan/54; classtype:trojan-activity; sid:2026860; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_01_29, cve 2019_1652, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_27;)
 
-#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019398; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?images/"; pcre:"/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/i"; http.request_body; content:"XWebPageName=diag&diag"; depth:22; fast_pattern; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:2; metadata:attack_target IoT, created_at 2019_03_06, cve 2018_10561, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; fast_pattern; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019399; rev:3; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZTE ZXV10 H108L Router Root RCE Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getpage.gch?pid="; depth:17; content:"&Host=|3b|"; distance:0; fast_pattern; content:"&DataBlockSize="; distance:0; reference:url,github.com/stasinopoulos/ZTExploit/blob/master/ZTExploit_Source/ztexploit.py; classtype:attempted-user; sid:2027098; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASProtect/ASPack Packed Binary"; flow:from_server,established; flowbits:isnotset,ET.http.binary; content:"|2E 61 73 70 61 63 6B|"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; reference:url,doc.emergingthreats.net/2008575; classtype:trojan-activity; sid:2008575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026102; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Informational, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PPT Download with Embedded OLE Object"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"ppt/embeddings/oleObject"; classtype:misc-activity; sid:2019405; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
+alert http any any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2027153; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"; classtype:misc-activity; sid:2019407; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"**ACE**"; offset:7; depth:7; fast_pattern; content:"|00|"; distance:0; pcre:"/^(?:(\S\:\\){2,}|\S\:\\\S\:\S\:|S\:\\\\\\([0-9]{1,3}\.){3}[0-9]{1,3}|\S\:\\\\\\([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/R"; classtype:attempted-admin; sid:2027310; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_05_01, cve 2018_20250, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, tag WinRAR, tag ACE, updated_at 2020_08_28;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M3"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3/R"; classtype:misc-activity; sid:2019408; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/JNAP/"; depth:6; http.header; content:"X-JNAP-Action|3a 20|http|3a 2f 2f|"; fast_pattern; pcre:"/^(?:www\.)?(cisco|linksys)\.com\/jnap\//Ri"; http.request_body; content:"|7b 7d|"; depth:2; reference:url,raw.githubusercontent.com/zeropwn/Linksys-Smart-WiFi-Information-Disclosure/master/nss.py; classtype:attempted-recon; sid:2027357; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M4"; flow:established,to_server; content:"cHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; classtype:misc-activity; sid:2019409; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:"<u|3a|GetSecurityKeys|20|"; fast_pattern; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027375; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2019_05_23, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M5"; flow:established,to_server; content:"cHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; classtype:misc-activity; sid:2019410; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:"<u|3a|GetSecurityKeys|20|"; fast_pattern; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027376; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2019_05_23, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M6"; flow:established,to_server; content:"BwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; classtype:misc-activity; sid:2019411; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027453; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027452; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019414; rev:3; metadata:attack_target Client_and_Server, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; depth:23; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027461; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; depth:23; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027460; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:exploit-kit; sid:2019375; rev:4; metadata:created_at 2014_10_09, former_category CURRENT_EVENTS, updated_at 2014_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FCM-MB40 Attempted Remote Command Execution as Root"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/camctrl_save_profile.cgi"; depth:33; fast_pattern; content:"num="; distance:0; content:"name="; distance:0; content:"a|20|-e|20|s|2f 5e|"; distance:0; content:"|20 2e 2e|/cgi-bin/ddns.cgi|20|"; distance:0; content:"&save=profile"; distance:0; reference:url,xor.cat/2019/06/19/fortinet-forticam-vulns/; classtype:attempted-admin; sid:2027513; rev:3; metadata:attack_target IoT, created_at 2019_06_24, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:2; metadata:created_at 2014_10_16, updated_at 2014_10_16;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/struts2"; http.content_type; content:"|25 7b 28 23|"; isdataat:500,relative; content:"cmd.exe"; fast_pattern; content:"@java.lang.System@getProperty(|27|os.name|27|)"; reference:cve,2017-9805; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027516; rev:2; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0515 Aug 24 2014"; flow:established,to_server; content:"GET"; http_method; content:"flashhigh.swf"; fast_pattern:only; http_uri; pcre:"/^\/(?:pruncd)?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2018995; rev:4; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ThinkPHP Attempted Bypass and Payload Retrieval"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/public/hydra.php?xcmd=cmd.exe"; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027518; rev:2; metadata:attack_target Server, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?flashlow\.swf$/U"; classtype:exploit-kit; sid:2018996; rev:3; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell GIF Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027736; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019097; rev:3; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2014_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell JPEG Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027737; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; fast_pattern; http.request_body; content:"|3c|u|3a|AddPortMapping"; content:"|3c|NewRemoteHost|3e|"; distance:0; content:"|3c|NewInternalClient"; distance:0; content:"|3c 2f|NewInternalClient|3e|"; distance:0; content:"NewEnabled|3e|1"; distance:0; classtype:trojan-activity; sid:2027339; rev:3; metadata:attack_target IoT, created_at 2019_05_08, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2"; flow:established,to_server; content:"/aG91c2VhdHJlaWRlczk0/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019462; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit (CVE-2018-15982)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application|2f|x-shockwave-flash"; file.data; content:"FWS"; depth:3; content:"cmd.exe|20 2f|c"; distance:0; nocase; fast_pattern; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:attempted-user; sid:2027789; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3"; flow:established,to_server; content:"/QmFzaGFyb2Z0aGVTYXJkYXVrYXJz/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019463; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit with Stack-Based wininet"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application|2f|x-shockwave-flash"; file.data; content:"FWS"; depth:3; content:"hnet|00|hwini"; fast_pattern; distance:0; nocase; within:1000; content:".exe|00|"; pcre:"/^.{1,10}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/R"; classtype:attempted-user; sid:2027790; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4"; flow:established,to_server; content:"/U2FsdXNhU2VjdW5kdXMy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019464; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Pre-Auth Messages Payload Buffer Overflow (CVE-2018-13381)"; flow:established,to_server; http.request_body; content:"&msg=%26%23%3c"; fast_pattern; nocase; pcre:"/(?:\%3C){1000}/Ri"; http.start; content:"POST /message HTTP/1.1"; reference:cve,CVE-2018-13381; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027884; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c|a href=|22|javascript:void|28|0|29 3b|AAA"; depth:33; fast_pattern; pcre:"/A{1000}/R"; content:"python -c"; distance:0; content:"socket"; distance:0; reference:cve,CVE-2018-13383; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027891; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019466; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remote/fgt_lang?lang=/../"; depth:35; isdataat:30,relative; fast_pattern; reference:cve,CVE-2018-13379; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027883; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Spy.KeyLogger.ODN Exfiltrating Data"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"pcname="; depth:7; http_client_body; content:"&note="; distance:0; http_client_body; content:"&country="; distance:0; http_client_body; content:"&user="; distance:0; http_client_body; content:"&log="; distance:0; http_client_body; content:!"Referer|3a|"; http_header; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:trojan-activity; sid:2019468; rev:2; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; content:"select password"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019477; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/i"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:exploit-kit; sid:2019480; rev:2; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/../dana/html5acc/guacamole/../"; depth:39; fast_pattern; isdataat:10,relative; reference:url,packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html; reference:cve,CVE-2019-11510; classtype:trojan-activity; sid:2027904; rev:3; metadata:affected_product Pulse_Secure, created_at 2019_08_22, former_category EXPLOIT, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Job314 EK URI Exploit/Payload Struct"; flow:established,to_server; content:"?action="; http_uri; content:"&exp="; http_uri; fast_pattern; pcre:"/\?action=(?:pld|exp)&exp=/U"; classtype:exploit-kit; sid:2019479; rev:3; metadata:created_at 2014_10_20, former_category CURRENT_EVENTS, updated_at 2014_10_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Secutech Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1="; fast_pattern; content:"&ds2="; distance:0; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027909; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert tls any any -> any any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2"; flow:established,to_server; tls.sni; content:"|5c 00|"; fast_pattern; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, updated_at 2014_10_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DLink DNS 320 Remote Code Execution (CVE-2019-16057)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/login_mgr.cgi"; fast_pattern; content:"cmd|3d|login"; distance:0; content:"&port="; distance:0; pcre:"/^\d{2,5}+(?!\&|\d)/R"; reference:cve,2019-16057; reference:url,blog.cystack.net/d-link-dns-320-rce/; classtype:attempted-admin; sid:2028603; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_09_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRC Bot Common PRIVMSG Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?(?:p[ao]rt|udp|c?tcp|http|d(?:ie|ownload)|mail|c?back|(?:msg|notice)?flood)/Ri"; classtype:trojan-activity; sid:2019486; rev:1; metadata:created_at 2014_10_21, updated_at 2014_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/device.rsp?opt=user&cmd=list"; depth:29; fast_pattern; http.cookie; content:"uid=admin"; nocase; reference:url,github.com/ezelf/CVE-2018-9995_dvr_credentials; reference:cve,2018-9995; classtype:attempted-admin; sid:2027971; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014"; flow:established,to_server; content:"/ldcigar.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019487; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Buffer Overflow in Builtin Web Server"; flow:established,to_server; urilen:>200; http.start; content:"GET|20 01 10 8f e2 11 ff|"; depth:10; fast_pattern; content:"aaaaaaaa"; distance:0; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:attempted-admin; sid:2027972; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Oct 22 2014"; flow:established,from_server; file_data; content:".join(|22 22|)|3b 3b|"; pcre:"/^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+/Rs"; classtype:exploit-kit; sid:2019489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; http.uri; content:"/debug.cgi"; http.header; content:"Authorization|3a 20|Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Apache2 Memory Corruption Inbound (CVE-2020-9490)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Cache-Digest|3a 20|EA"; fast_pattern; pcre:"/^(?:8=|9BQQ==)\r?\n?/R"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2030&q=apache&can=1; reference:cve,2020-9490; classtype:attempted-admin; sid:2030830; rev:1; metadata:created_at 2020_09_03, cve CVE_2020_9490, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
 
-alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, updated_at 2014_10_22;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type limit,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/router/UserPassSet.cgi?"; depth:24; fast_pattern; content:"new_user_name="; content:"password1="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023996; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internal, performance_impact Moderate, signature_severity Major, updated_at 2020_09_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M2"; flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"getRunTime"; nocase; distance:0; fast_pattern; content:"exec"; nocase; pcre:"/=\s*\x25\s*\{\s*(?=.+?\bgetRunTime\b).+?\bexec\b/i"; classtype:attempted-admin; sid:2024815; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT vBulletin 5.6.2 widget_tabbedContainer_tab_panel Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/render/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"echo%20shell_exec("; reference:url,www.exploit-db.com/exploits/48743; classtype:attempted-admin; sid:2030832; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_04, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT vBulletin 5.6.2 widget_tabbedContainer_tab_panel Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/render/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"echo%20shell_exec("; reference:url,www.exploit-db.com/exploits/48743; classtype:attempted-admin; sid:2030833; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_04, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_09_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Cisco Jabber RCE Inbound (CVE-2020-3495)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CLIENT_REQUEST/"; http.request_body; content:".CallCppFunction|28|"; fast_pattern; reference:url,watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/; reference:cve,2020-3495; classtype:attempted-admin; sid:2030837; rev:1; metadata:created_at 2020_09_05, cve CVE_2020_3495, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_05;)
 
-alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; urilen:22; http.method; content:"POST"; http.uri; content:"/cgi-bin/setup_dns.exe"; http.request_body; content:"getpage=|2e 2e|/html/setup/dns.htm"; depth:29; fast_pattern; content:"resolver|3a|settings/nameserver1="; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:6; metadata:created_at 2015_04_08, updated_at 2020_09_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host"; flow:established,from_server; content:"|14|www.kitchensinks.n0t"; nocase; classtype:trojan-activity; sid:2019503; rev:2; metadata:created_at 2014_10_24, updated_at 2014_10_24;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9a ba cb 13 6d 76 5b 79|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019504; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN"; fast_pattern; content:"IEEE11iAuthenticationMode"; content:"IEEE11iEncryptionModes"; content:"X_TP_PreSharedKey="; content:"X_TP_GroupKeyUpdateInterval"; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0b|"; distance:0; content:"|07|NETWORK"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|144.76.119.48"; distance:1; within:14; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019505; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"DMZ_HOST_CFG"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon"; flow:established,to_client; content:".hdd_icon"; content:!"nmap.org"; content:!"seclists.org"; classtype:bad-unknown; sid:2011921; rev:7; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; http.uri; content:"/cgi?3"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"IP_CONN_PORTTRIGGERING"; content:"openProtocol"; content:"openPort="; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:4; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"!<arch>|0a|debian-binary"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 91 76 a5 11 ca 47 2d|"; within:35; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|04|none"; distance:1; within:5; content:"|55 04 08|"; distance:0; content:"|0c|Someprovince"; distance:1; within:13; reference:md5,35f6b510f94bd96ed9bc44e1f7bf7f38; classtype:trojan-activity; sid:2019506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; content:".deb|0d 0a|"; http.request_body; content:"|7f|ELF"; depth:4; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Tor/Noscript JS Bypass"; flow:established,to_client; http.content_type; content:"text/html|3b|/json"; depth:15; endswith; reference:url,twitter.com/Zerodium/status/1039127214602641409; classtype:trojan-activity; sid:2026109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019516; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nuuo NVR RCE Attempt (CVE-2018-15716)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_handle.php?cmd=getupgradinginfo"; fast_pattern; endswith; classtype:attempted-admin; sid:2026982; rev:3; metadata:created_at 2019_02_26, cve 2018_15716, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019517; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rdfs.cgi"; depth:17; endswith; fast_pattern; http.request_body; content:"Client="; depth:7; content:"|3b|"; distance:0; content:"&Download="; distance:0; classtype:attempted-admin; sid:2027090; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"&src=|2e 2e 2f 2e 2e 2f 2e 2e 2f|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/cgi-bin/login.cgi"; depth:18; endswith; classtype:attempted-user; sid:2027091; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"&ping_IPAddr="; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6077; classtype:attempted-user; sid:2027093; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnslookup.cgi"; depth:14; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"host_name="; depth:10; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/debug.cgi"; depth:10; endswith; http.request_body; content:"data1=|3b|"; depth:7; fast_pattern; content:"&command="; distance:0; reference:url,seclists.org/bugtraq/2010/Jun/93; classtype:attempted-user; sid:2027095; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:2100197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outoing Message"; flow:to_server,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100233; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PasswordVault/auth/saml/"; fast_pattern; endswith; http.request_body; content:"SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1F"; depth:41; reference:url,www.exploit-db.com/exploits/46828; classtype:attempted-admin; sid:2027358; rev:4; metadata:created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:"<stream"; nocase; reference:url,www.google.com/talk/; classtype:not-suspicious; sid:2100230; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:"<auth"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100231; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Log Out"; flow:to_server,established; content:"</stream"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2100877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream|3a|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:2100236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/sslmgr"; endswith; nocase; http.request_body; content:"scep-profile-name=%"; depth:19; fast_pattern; pcre:"/^[0-9]+/R"; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:4; metadata:attack_target Server, created_at 2019_07_18, cve cve_2019_1579, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Flash Exploit URI Struct"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[^\r\n]*?[a-z]+?\.php\?[a-z]+?=\d/Hm"; classtype:exploit-kit; sid:2019543; rev:2; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027881; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL DELETED SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:2100183; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027882; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"|22 5c|x6C|5c|x6F|5c|x63|5c|x61|5c|x74|5c|x69|5c|x6F|5c|x6E"; nocase; content:"window[_0x"; content:"[1]][_0x"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019540; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; depth:18; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:4; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; content:"/script/bzDellHpData.js?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; classtype:trojan-activity; sid:2003621; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] ![139,445] (msg:"ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/ZxShell Server Checkin Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019587; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
+#alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; content:"|05 00 00|"; depth:3; content:"|1a 00|"; distance:19; within:3; content:"|00 00 00 00 00 00 00 00|"; isdataat:!5,relative; threshold:type both, track by_src, seconds 60, count 3; reference:cve,2020-1472; classtype:attempted-admin; sid:2030889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ZxShell Checkin"; flow:established,from_server; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019588; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Compromise svchost.jpg Beacon - Java  Zeroday"; flow:established,to_server; http.uri; content:"/svchost.jpg"; fast_pattern; http.user_agent; content:"Java/1."; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae|"; offset:16; depth:16; reference:md5,184a9d13616702154fb10ff9c5d67041; classtype:command-and-control; sid:2019589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; http.uri; content:"/PSBlock"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:6; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21|"; offset:16; depth:16; reference:md5,09d4c2f1f24fbdcb1c286b2f4c5589d2; classtype:command-and-control; sid:2019590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; http.uri; content:"/PSStore"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:7; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,ca22207c5441a100437b75d7ce0d3fe2; classtype:command-and-control; sid:2019591; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,2b825e46ae60a9d15b5a731e57410425; classtype:command-and-control; sid:2019592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; http.request_body; content:"name%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:command-and-control; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; http.request_body; content:"nam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:exploit-kit; sid:2019594; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; http.request_body; content:"nam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; http.request_body; content:"na%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; http.request_body; content:"na%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:exploit-kit; sid:2019600; rev:3; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; http.request_body; content:"na%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019603; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; http.request_body; content:"na%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025068; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; http.request_body; content:"n%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND"; flow:established,from_server; flowbits:isset,ET.Zberp; dsize:24; content:"|10 00 00 00 00 01 00 00|"; depth:8; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025069; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; http.request_body; content:"n%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; http.request_body; content:"n%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Flash Exploit URI Struct"; flow:established,to_server; urilen:65; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019513; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; http.request_body; content:"n%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Java Exploit URI Struct"; flow:established,to_server; urilen:65; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:exploit-kit; sid:2019514; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; http.request_body; content:"n%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; http.request_body; content:"n%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert ip any any -> any 5060 (msg:"GPL VOIP SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100158; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; http.request_body; content:"n%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert ip any any -> any 5060 (msg:"GPL VOIP SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; http.request_body; content:"n%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:2101222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; http.request_body; content:"%6eame["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:2100208; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; http.request_body; content:"%6eame%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; http.request_body; content:"%6eam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; http.request_body; content:"%6eam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trest1 Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; nocase; depth:3; http_method; content:!"Referer|3a| "; http_header; nocase; uricontent:"trest1"; fast_pattern; nocase; content:"User-Agent|3a| "; http_header; nocase; pcre:"/\/(nte|ld)\/[0-9A-Z]*trest1[0-9](\.php|\s\.asp|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; reference:url,doc.emergingthreats.net/2010596; classtype:trojan-activity; sid:2010596; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; http.request_body; content:"%6ea%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; http.request_body; content:"%6ea%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; http.request_body; content:"%6ea%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible EITest Flash Redirect"; flow:established,to_client; file_data; content:"|20|name=|22|EITest|22 20|"; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019610; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; http.request_body; content:"%6ea%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M1"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d/R"; classtype:misc-activity; sid:2019406; rev:3; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; http.request_body; content:"%6e%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; http.request_body; content:"%6e%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; http.request_body; content:"%6e%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; http.request_body; content:"%6e%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; http.request_body; content:"%6e%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; http.request_body; content:"%6e%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:68<>101; content:"Java/1."; http_user_agent; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:exploit-kit; sid:2019611; rev:8; metadata:created_at 2014_10_31, former_category CURRENT_EVENTS, updated_at 2014_10_31;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:exploit-kit; sid:2019623; rev:2; metadata:created_at 2014_11_03, former_category CURRENT_EVENTS, updated_at 2014_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rtpd.cgi?"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy Configuration file Download"; flow:established,from_server; file_data; content:"@$@"; fast_pattern; within:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$/Ri"; reference:url,fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html; classtype:trojan-activity; sid:2019631; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; http.method; content:"GET"; http.uri; content:"/upnp/asf-mp4.asf"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Download.php HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?nd="; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2013197; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/md/lums.cgi"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"|61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019634; rev:6; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2014_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ddnsmngr.cmd?action=apply"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ROM/BackOff C2 SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed fd 42 65 de 77 35 ea|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware; classtype:command-and-control; sid:2019635; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
 
-#alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F C2"; flow:to_server,established; content:"JOIN #shock 777"; content:"PRIVMSG #shock|20 3a|uid="; distance:0; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:command-and-control; sid:2019637; rev:1; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2014_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"dnsPrimary="; fast_pattern; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 03 2014"; flow:established,from_server; content:"ruarc="; fast_pattern:only; content:"ruarc="; depth:6; http_cookie; classtype:exploit-kit; sid:2019638; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2014_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"dnsDynamic="; content:"dnsRefresh="; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; urilen:9; http.method; content:"POST"; http.uri; content:"/ping.ccp"; fast_pattern; http.request_body; content:"ccp_act=ping_v6&ping_addr="; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:4; metadata:created_at 2015_03_03, updated_at 2020_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:exploit-kit; sid:2019146; rev:6; metadata:created_at 2014_09_10, former_category CURRENT_EVENTS, updated_at 2014_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/fwupgrade.ccp"; fast_pattern; http.request_body; content:"|0d 0a|fwupgrade"; content:"|0d 0a|resolv.conf"; nocase; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:exploit-kit; sid:2019352; rev:3; metadata:created_at 2014_10_03, former_category EXPLOIT_KIT, updated_at 2014_10_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; fast_pattern; http.request_body; content:"set_general"; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:5; metadata:created_at 2015_03_02, updated_at 2020_09_29;)
 
-#alert tcp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole TCP Connection"; flow:to_server; classtype:trojan-activity; sid:2019629; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/cgi-bin/webcm"; fast_pattern; http.request_body; content:"getpage="; depth:10; content:"errorpage="; distance:0; content:"/html/index.html&login|3a|command"; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
 
-#alert udp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole UDP Connection";  classtype:trojan-activity; sid:2019632; rev:4; metadata:created_at 2014_11_03, updated_at 2020_08_20;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup.cgi?todo=wan_dns1="; fast_pattern; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F retrieval"; flow:to_client,established; file_data; content:"#you got shellshocked???"; depth:24; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019644; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?wan_primary_dns="; fast_pattern; content:"&wan_secondary_dns="; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; fast_pattern; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019645; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/router/add_dhcp_segment.cgi?"; fast_pattern; content:"is_router_as_dns=1"; content:"&dns1="; content:"submitbutton="; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method"; flow:to_client,established; content:"24445430-F789-11CE-86F8-0020AFD8C6DB"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"WriteOFXDataFile"; nocase; reference:url,www.milw0rm.com/exploits/5416; reference:url,doc.emergingthreats.net/2008126; classtype:web-application-attack; sid:2008126; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; http.stat_code; content:"302"; http.stat_msg; content:"Found"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:4; metadata:created_at 2015_04_16, updated_at 2020_09_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019648; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; http.stat_code; content:"301"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:4; metadata:created_at 2015_04_16, updated_at 2020_09_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019649; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; http.stat_code; content:"307"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Malicious Attachment With Double Extension Ending In EXE"; flow:established,to_client; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; http_header; content:".exe|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a\x20attachment\x3b\x20filename=[^\r\n]+?\.[a-z]{2,4}\.exe\r?$/Hmi"; classtype:trojan-activity; sid:2019650; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; http.stat_code; content:"303"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; threshold: type both, track by_dst, count 10, seconds 60; http.method; content:"POST"; http.uri; content:"/apply_noauth.cgi"; fast_pattern; http.request_body; content:"timestamp="; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:4; metadata:created_at 2015_04_28, updated_at 2020_09_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi_test.cgi?write_"; fast_pattern; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/i"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:4; metadata:created_at 2015_07_13, updated_at 2020_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:exploit-kit; sid:2019656; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+alert tcp any any -> $HOME_NET 40006 (msg:"ET EXPLOIT [401TRG] HPDM Backdoor Login"; flow:established,to_server; content:"user|00|dm_postgres|00|database|00|hpdmdb|00|"; fast_pattern; reference:url,twitter.com/nickstadb/status/1310853783765815297; classtype:attempted-admin; sid:2030961; rev:2; metadata:created_at 2020_10_02, former_category EXPLOIT, performance_impact Low, updated_at 2020_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:exploit-kit; sid:2019657; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:4; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:exploit-kit; sid:2019659; rev:2; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:4; metadata:created_at 2015_12_16, updated_at 2020_10_05;)
 
-alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; nocase; http.header; content:"Authorization|3a 20|Basic"; http.request_body; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; fast_pattern; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:4; metadata:created_at 2016_04_25, updated_at 2020_10_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mida eFramework RCE Attempt Inbound (CVE-2020-15922)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipaddress0|22|"; fast_pattern; content:"|3b|"; within:6; reference:url,www.exploit-db.com/exploits/48835; reference:cve,2020-15922; classtype:attempted-admin; sid:2030989; rev:1; metadata:created_at 2020_10_07, cve CVE_2020_15922, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; http.request_body; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; http.request_body; content:"=OIMINTERNAL"; fast_pattern; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:4; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, created_at 2017_11_01, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"_v="; content:"deleteid="; http.method; content:"POST"; http.uri; content:"/centralbackup.php?"; fast_pattern; classtype:trojan-activity; sid:2017060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_06_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; http.uri; content:"/proxy.cgi?chk&url="; fast_pattern; classtype:attempted-user; sid:2025223; rev:3; metadata:attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; http.uri; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"Enable_DNSFollowing=1"; classtype:attempted-user; sid:2025222; rev:4; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MobileIron RCE Attempt Inbound (CVE-2020-15505)"; flow:established,to_server; http.uri; content:"|2f 2e 3b 2f|"; fast_pattern; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2030997; rev:1; metadata:created_at 2020_10_12, cve CVE_2020_15505, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock CVE-2014-6271"; flow:established,to_server; http.uri; content:"authLogin.cgi"; http.header; content:"|28 29 20 7b|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:5; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007578; classtype:trojan-activity; sid:2007578; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"pjl_ready_message="; nocase; fast_pattern; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_10_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Outbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007579; classtype:trojan-activity; sid:2007579; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; depth:32; content:"&dnsserver="; content:"&Save=Save"; fast_pattern; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:5; metadata:created_at 2015_04_08, updated_at 2020_10_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007580; classtype:trojan-activity; sid:2007580; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Trojan.Win32.Qhost C&C Traffic Inbound (case2)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 2|00|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; reference:url,doc.emergingthreats.net/2007581; classtype:trojan-activity; sid:2007581; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:exploit-kit; sid:2019658; rev:4; metadata:created_at 2014_11_06, former_category CURRENT_EVENTS, updated_at 2014_11_06;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP NULL Pointer Dereference Attempt Inbound (CVE-2020-25858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; pcre:"/^[^=]{1,}$/RUi"; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-25858; classtype:attempted-admin; sid:2031058; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_25858, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:exploit-kit; sid:2019669; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019670; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Authentication Bypass Attempt Inbound (CVE-2020-8193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&sid=loginchallenge"; content:"&username=nsroot"; distance:0; fast_pattern; http.request_body; content:"<appfwprofile"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8193; classtype:attempted-admin; sid:2031067; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8193, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019671; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Information Disclosure Attempt Inbound (CVE-2020-8195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?filter=path|3a 25|2F"; fast_pattern; http.request_body; content:"<clipermission"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8195; classtype:attempted-admin; sid:2031068; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8195, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
 
-#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:exploit-kit; sid:2019672; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT_KIT Possible HanJuan EK URI Struct Actor Specific"; flow:to_server,established; content:"?zho="; http_uri; fast_pattern:only; pcre:"/\/(?:[a-z0-9]{1,7}\.php)?\?zho=/U"; classtype:exploit-kit; sid:2019673; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan EK Actor Specific Injected iframe"; flow:from_server,established; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; content:"|22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e|"; nocase; distance:0; content:"<iframe"; nocase; distance:0; content:" vspace="; nocase; content:"0"; within:3; content:" hspace="; content:"0"; within:3; content:" marginwidth="; content:"0"; within:3; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; distance:0; classtype:exploit-kit; sid:2019675; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019677; rev:2; metadata:created_at 2014_11_07, former_category CURRENT_EVENTS, updated_at 2014_11_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029156; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019681; rev:3; metadata:created_at 2014_11_08, updated_at 2014_11_08;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029157; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:exploit-kit; sid:2019684; rev:3; metadata:created_at 2014_11_08, former_category CURRENT_EVENTS, updated_at 2014_11_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:exploit-kit; sid:2019685; rev:2; metadata:created_at 2014_11_10, former_category CURRENT_EVENTS, updated_at 2014_11_10;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:exploit-kit; sid:2018998; rev:10; metadata:created_at 2014_08_25, former_category CURRENT_EVENTS, updated_at 2014_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029160; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019691; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029161; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_12, updated_at 2014_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2014_11_12;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029168; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029169; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029170; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029171; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019663; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019708; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029174; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019709; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029175; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:9; metadata:created_at 2014_11_15, updated_at 2014_11_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029162; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET MALWARE W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:command-and-control; sid:2019711; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029163; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019720; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Authentication Bypass Attempt Inbound (CVE-2020-26879)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|OlDkR+oocZg="; fast_pattern; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26879; classtype:attempted-admin; sid:2031115; rev:1; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26879, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019721; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:exploit-kit; sid:2019722; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:exploit-kit; sid:2019723; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:exploit-kit; sid:2019724; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031121; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:exploit-kit; sid:2019725; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031122; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:exploit-kit; sid:2019726; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:1; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:exploit-kit; sid:2019727; rev:2; metadata:created_at 2014_11_18, former_category CURRENT_EVENTS, updated_at 2014_11_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/apply.cgi"; endswith; http.request_body; content:"submit_button=index"; depth:19; content:"&action=Apply"; distance:0; nocase; content:"&lan_dns0="; distance:0; fast_pattern; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:4; metadata:created_at 2015_04_08, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; http.method; content:"PUT"; http.uri; content:"/_users/"; http.request_body; content:"_admin"; fast_pattern; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:4; metadata:attack_target Server, created_at 2018_03_19, deployment Datacenter, former_category EXPLOIT, malware_family CoinMiner, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct"; flow:to_client,established; file_data; content:"chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)"; reference:cve,2014-6332; classtype:attempted-user; sid:2019734; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
+alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen:26; http.method; content:"PUT"; http.uri; content:"/_config/query_servers/cmd"; http.header; content:"Authorization|3a 20|Basic"; http.request_body; pcre:"/^\s*[\x22\x27]/"; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:4; metadata:created_at 2018_03_13, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode"; flow:to_client,established; file_data; content:"chrw|25|"; pcre:"/^(?:25)?282176\x25(?:25)?29\x25(?:25)?26chrw\x25(?:25)?2801/Rs"; reference:cve,2014-6332; classtype:attempted-user; sid:2019735; rev:3; metadata:created_at 2014_11_18, updated_at 2014_11_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; http.uri; content:".hta"; nocase; fast_pattern; pcre:"/\.hta(?:[?&]|$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; depth:34; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT_KIT SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:exploit-kit; sid:2019744; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:6; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:exploit-kit; sid:2019742; rev:3; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/index"; http.start; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:attempted-admin; sid:2023075; rev:4; metadata:affected_product Fortigate, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:exploit-kit; sid:2019745; rev:2; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; http.uri.raw; content:"%"; content:"temp%"; nocase; fast_pattern; within:7; pcre:"/\%(?:25)?temp\%/i"; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:5; metadata:created_at 2016_02_22, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:exploit-kit; sid:2019743; rev:5; metadata:created_at 2014_11_19, former_category CURRENT_EVENTS, updated_at 2014_11_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; http.uri; content:"/vid.aspx?id="; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]+$/Ri"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:7; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 1"; flow:established,from_server; file_data; content:"$$$$"; within:4; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>/Ri"; classtype:command-and-control; sid:2019757; rev:2; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2014_11_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.header; content:"|0d 0a|NSC_USER|3a 20|"; nocase; content:"|0d 0a|NSC_NONCE|3a 20|"; nocase; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_01_13, deployment Perimeter, signature_severity Critical, updated_at 2020_11_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"CWS"; classtype:exploit-kit; sid:2019765; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_11_21, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Telerik.Web.UI.WebResource.axd"; fast_pattern; content:"type=rau"; nocase; distance:0; http.request_body; content:"rauPostData"; nocase; reference:url,github.com/noperator/CVE-2019-18935; reference:cve,2019-18935; classtype:web-application-attack; sid:2029761; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http_uri; content:"/gate.php"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/gate.php\r$/Hm"; classtype:trojan-activity; sid:2019766; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; http.method; content:"GET"; http.uri; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; reference:url,www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid:2029762; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:20; metadata:created_at 2013_04_01, updated_at 2013_04_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jsp?view="; fast_pattern; content:"&os="; distance:0; content:"&address="; distance:0; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:targeted-activity; sid:2018925; rev:5; metadata:created_at 2014_08_12, former_category CURRENT_EVENTS, updated_at 2014_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi (Outbound)"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2030503; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019769; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M1"; flow:established,to_server; http.uri; content:"/+CSCOT+/translation-table?type=mst&textdomain=/|2b|CSCOE|2b|/"; fast_pattern; content:"&default-language&lang="; distance:0; http.uri.raw; content:"&default-language&lang=../"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030581; rev:3; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:exploit-kit; sid:2019768; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2014_11_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M2"; flow:established,to_server; http.uri; content:"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform="; fast_pattern; content:"&name=|2b|CSCOE|2b 2f|"; distance:0; http.uri.raw; content:"&platform=..&resource-type=.."; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030582; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:exploit-kit; sid:2019655; rev:6; metadata:created_at 2014_11_06, former_category EXPLOIT_KIT, updated_at 2014_11_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apply.cgi"; depth:10; http.request_body; content:"submit_button="; depth:14; content:"&submit_type=start_ping"; distance:0; fast_pattern; content:"&ping_size="; distance:0; content:"|3b|"; within:30; reference:url,www.exploit-db.com/exploits/24936; classtype:attempted-user; sid:2027099; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019773; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M1 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script language=|22|"; content:"VBScript"; within:8; nocase; content:"|2e|scrollLeft"; distance:0; content:"|26|h4003|09 27 20|VT_BYREF|20 7c 20|VT_I4"; distance:0; fast_pattern; content:"|28 28 28 28 5c 2e 2e 5c|"; distance:0; content:"Powershell"; within:10; nocase; content:"|26|h40|2c 20 22 23 3e 24|"; within:400; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use; reference:url,www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer; reference:cve,CVE-2019-0752; classtype:attempted-admin; sid:2027721; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"NocncoMDEpJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMC"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019774; rev:3; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.request_body; content:"pingstr="; depth:8; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:5; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:exploit-kit; sid:2019775; rev:2; metadata:created_at 2014_11_24, former_category EXPLOIT_KIT, updated_at 2014_11_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027454; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019786; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027455; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019787; rev:3; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; fast_pattern; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:exploit-kit; sid:2019800; rev:2; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2019807; rev:2; metadata:created_at 2014_11_26, updated_at 2014_11_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET MALWARE W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019809; rev:2; metadata:created_at 2014_11_26, former_category MALWARE, updated_at 2014_11_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019810; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; depth:42; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:5; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019811; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019812; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; http.uri; content:"/handle_iscsi.php"; http.request_body; content:"act=discover&address="; fast_pattern; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019813; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; fast_pattern; nocase; bsize:15; classtype:trojan-activity; sid:2024197; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019814; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; http.uri.raw; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_31, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019815; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; http.user_agent; content:"Zollard"; nocase; fast_pattern; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:6; metadata:created_at 2013_12_10, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019818; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/setup.htm"; nocase; http.request_body; content:"wan_proto=dhcp"; nocase; content:"dhcps_dns_1="; nocase; fast_pattern; content:"dhcps_mode=enabled"; nocase; content:"lan_proto=enable"; nocase; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; classtype:attempted-admin; sid:2023468; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2020_11_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019819; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file.data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp"; nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:5; metadata:attack_target Networking_Equipment, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:exploit-kit; sid:2015677; rev:5; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forms/dns_1?"; fast_pattern; content:"Enable_DNSFollowing=1"; distance:0; content:"dnsPrimary="; distance:0; reference:url,www.exploit-db.com/exploits/35917; classtype:attempted-admin; sid:2023466; rev:8; metadata:created_at 2015_01_29, updated_at 2020_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:7; metadata:created_at 2014_12_01, former_category CURRENT_EVENTS, updated_at 2014_12_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET EXPLOIT_KIT WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2019823; rev:7; metadata:created_at 2014_12_01, former_category EXPLOIT_KIT, updated_at 2014_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; http.user_agent; content:"JDatabaseDriverMysqli"; fast_pattern; http.header; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:4; metadata:created_at 2015_12_14, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 401TRG Liferay RCE (CVE-2020-7961)"; flow:established,to_server; http.uri; content:"/api/jsonws/expandocolumn/update-column"; nocase; http.request_body; content:"userOverridesAsString=HexAsciiSerializedMap"; nocase; fast_pattern; reference:cve,2020-7961; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; classtype:attempted-admin; sid:2031318; rev:1; metadata:created_at 2020_12_11, cve CVE_2020_7961, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019839; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) M2"; flow:established,to_server; http.header; content:"JDatabaseDriverMysqli"; fast_pattern; content:"JSimplepieFactory"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2031319; rev:1; metadata:created_at 2020_12_11, updated_at 2020_12_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"! SH"; depth:4; pcre:"/^[^\r\n]+?\n$/R"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019298; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; pcre:"/(localhost|127\.0\.0\.1)/W"; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidden Embedded File"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/Embeddedfile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedfile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2019850; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"client=ssh"; fast_pattern; content:"ssh_priv="; content:"%20"; distance:0; reference:cve,CVE-2020-16846; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2031495; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_16846, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/U"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:exploit-kit; sid:2019799; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17132)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ecp/DLPPolicy/ManagePolicyFromISV.aspx"; startswith; http.request_body; content:"ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; content:"[Diagnostics.Process]::start|28|"; distance:0; reference:cve,CVE-2020-17132; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-17132/CVE-2020-17132.rules; reference:cve,2020-17132; classtype:attempted-admin; sid:2031506; rev:2; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17132, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:exploit-kit; sid:2019874; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> any any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17141)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; startswith; http.request_body; content:"<m:RouteComplaint|20|"; content:"<m:Data>"; distance:0; base64_decode:bytes 300, offset 0, relative; base64_data; content:"<!DOCTYPE"; content:"SYSTEM"; distance:0; reference:cve,CVE-2020-17141; reference:cve,2020-17141; classtype:web-application-attack; sid:2031507; rev:1; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17141, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:exploit-kit; sid:2016058; rev:11; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tcp any any -> any any (msg:"ET EXPLOIT Possible NTFS Index Attribute Corruption Vulnerability"; flow:established; file_data; content:"|63 3a 5c 3a 24 69 33 30 3a 24 62 69 74 6d 61 70|"; classtype:attempted-admin; sid:2031526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_15, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Informational, updated_at 2021_01_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] DeDeCMS RFI Attempt"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data"; http.uri; content:"/select_soft_post.php"; nocase; http.request_body; content:"cfg_basedir"; nocase; content:"uploadfile"; nocase; content:"upload"; nocase; reference:cve,2010-1097; reference:url,www.exploit-db.com/exploits/33685; classtype:attempted-admin; sid:2031527; rev:2; metadata:created_at 2021_01_19, former_category EXPLOIT, updated_at 2021_01_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlienSpy RAT Checkin Set"; flow:established,to_server; dsize:4; content:"|ac ed|"; depth:2; flowbits:set,ET.rat.alienspy; flowbits:noalert; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019738; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/zend3/public/"; bsize:14; fast_pattern; http.request_body; content:"zend"; nocase; content:"validator"; nocase; distance:0; content:"callback"; nocase; distance:0; content:"file_put_contents"; nocase; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2021-3007; classtype:attempted-admin; sid:2031536; rev:1; metadata:created_at 2021_01_22, cve CVE_2021_3007, updated_at 2021_01_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2; metadata:created_at 2011_06_21, updated_at 2011_06_21;)
+alert http any any -> any any (msg:"ET EXPLOIT Suspected SAP EEM SOLMAN RCE (CVE-2020-6207)"; flow:established,to_server; http.uri; content:"/EemAdminService/EemAdmin"; startswith; fast_pattern; http.request_body; content:"getruntime|28 29 2e|exec"; nocase; content:"processbuilder|28|"; nocase; reference:url,github.com/chipik/SAP_EEM_CVE-2020-6207; classtype:attempted-admin; sid:2031546; rev:1; metadata:created_at 2021_01_25, cve CVE_2020_6207, former_category EXPLOIT, updated_at 2021_01_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_18, updated_at 2014_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/jarrewrite.sh"; endswith; fast_pattern; http.user_agent; content:"|28 29 20 7b|"; reference:url,darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/; reference:cve,2014-6271; classtype:attempted-admin; sid:2031543; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019304; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle WebLogic JNDI Injection RCE Attempt (CVE-2021-2109)"; flow:established,to_server; http.uri; content:"/consolejndi.portal?"; content:"_pageLabel=JNDIBindingPageGeneral"; content:"_nfpb=true"; content:"JNDIBindingPortletHandle=com.bea.console.handles.JndiBindingHandle("; content:"ldap|3a 2f 2f|"; distance:0; within:20; content:"|3b|AdminServer"; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw; reference:cve,2021-2109; reference:url,packetstormsecurity.com/files/161053/Oracle-WebLogic-Server-14.1.1.0-Remote-Code-Execution.html; classtype:attempted-user; sid:2031532; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_20, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message"; flow:established,to_client; content:"! UDP "; depth:6; pcre:"/\x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019300; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover"; nocase; http.request_body; content:"<!DOCTYPE"; depth:50; content:"file:///etc/passwd"; distance:0; fast_pattern; content:"<EMailAddress>"; content:"<AcceptableResponseSchema>"; reference:url,www.exploit-db.com/exploits/46967; reference:url,packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html; reference:cve,2019-9621; reference:cve,2021-2109; classtype:attempted-user; sid:2031562; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message"; flow:established,to_client; content:"! TCP "; depth:6; pcre:"/\x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019301; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E"; fast_pattern; reference:url,www.kb.cert.org/vuls/id/520827; reference:cve,2012-2311; classtype:attempted-user; sid:2031563; rev:1; metadata:affected_product PHP, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2012_2311, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message"; flow:established,to_client; content:"! HOLD "; depth:7; pcre:"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019302; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE  (CVE-2017-18368)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/ViewLog.asp"; depth:20; endswith; http.request_body; content:"remote_submit_Flag="; depth:19; content:"&remote_host="; distance:0; content:"&remoteSubmit=Save|0d 0a 0d 0a|"; endswith; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Jan/40; reference:cve,2017-18368; reference:url,github.com/pedrib/PoC/blob/master/advisories/zyxel_trueonline.txt; classtype:attempted-user; sid:2027092; rev:5; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2017_18368, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_02_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019303; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSMTPD RCE Inbound (CVE-2020-7247)"; flow:established,to_server; content:"MAIL|20|FROM|3a|<|3b|"; fast_pattern; reference:url,blog.qualys.com/vulnerabilities-research/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247; reference:cve,2020-7247; classtype:attempted-admin; sid:2031621; rev:1; metadata:attack_target SMTP_Server, created_at 2021_02_17, cve CVE_2020_7247, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016772; rev:2; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M1 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|..|5c|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031667; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server globdomain.ru"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0A|globdomain|02|ru"; nocase; distance:0; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913; classtype:command-and-control; sid:2012203; rev:2; metadata:created_at 2011_01_18, updated_at 2011_01_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M2 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|..|2f|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031668; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email"; flow:established,to_server; content:"From|3A 20 22|Bitch Infected|22|"; reference:md5,007eb53d1b0de237f86750a239cae48e; classtype:trojan-activity; sid:2014668; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt with Untrusted SSH Key Upload (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:".tar|22|"; content:"|0d 0a|."; distance:0; content:"|2f|.ssh|2f|authorized_keys"; distance:0; within:100; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031669; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock.6870 SSL Cert"; flow:from_server,established; content:"|00 cc 05 c7 80 14 cf 3f 50|"; content:"|55 04 08 13 0c|Someprovince"; distance:0; content:"|55 04 07 13 08|Sometown"; distance:0; classtype:trojan-activity; sid:2015795; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M3 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|.|5c|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031670; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M4 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|.|2f|"; distance:0; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031671; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Searchwebmobile.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0F|searchwebmobile|03|com"; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:2; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound Hashicorp Consul RCE via Services API"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"v1/agent/service/register"; fast_pattern; http.request_body; content:"|22|sh|22|"; content:"|22|-c|22|"; reference:url,www.exploit-db.com/exploits/46074; classtype:attempted-admin; sid:2031675; rev:1; metadata:attack_target Web_Server, created_at 2021_02_26, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; nocase; content:"dnsPrimary="; content:"dnsRefresh="; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2021_03_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT DNS Change Attempt (Unknown Device)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/advWAN.cgi"; startswith; http.request_body; content:"tAction=editApply"; content:"viewPage=multiWANCfg"; content:"action=edit"; content:"dns1="; content:"dns2="; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031804; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_03, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/form2dns.cgi?dnsmode=1&dns1="; nocase; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&submit.htm?dns.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027907; rev:4; metadata:attack_target Networking_Equipment, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2021_03_04;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017966; rev:3; metadata:created_at 2014_01_14, updated_at 2014_01_14;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt M2"; flow:established,to_server; http.uri; content:"/form2wan.cgi?wantype=1"; nocase; content:"&wan_dns2="; distance:0; content:"&wan_dns3="; distance:0; content:"&submit.htm"; distance:0; content:"wan.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031808; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_20, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DI-804HV DNS Changer Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/prim"; startswith; content:"prim&rf=0004&"; fast_pattern; content:"&ID00="; distance:0; content:"&ID01="; distance:0; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031809; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Unauthenticated RCE Inbound (CVE-2020-26919)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.htm"; http.request_body; content:"submitId=debug&debugCmd="; startswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-26919; classtype:attempted-admin; sid:2031936; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_26919, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_18, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Remote Authentication Bypass with Factory Reset (CVE-2020-35231)"; dsize:13; content:"|00 1a 00 00 04 00 00 01 01 ff ff 00 00|"; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35231; classtype:attempted-admin; sid:2031937; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35231, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely GoodBye 5.2 DDoS tool"; flow:to_server,established; dsize:<50; content:"|20|HTTP/1.1Host|3a 20|"; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019350; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer Overflow (CVE-2020-35232)"; dsize:>16; content:"|00 1a 00 0a|"; startswith; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35232; classtype:attempted-admin; sid:2031938; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35232, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019296; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Stored XSS Inbound (CVE-2020-35228)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submitId=multiLanguageCfg&selectLang="; fast_pattern; content:"|27 3a|"; distance:0; within:50; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35228; classtype:attempted-admin; sid:2031939; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message"; flow:established,to_client; dsize:12<>15; content:"! SCANNER "; depth:10; pcre:"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019297; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Write Access to DHCP Config (CVE-2020-35226)"; content:"|00 0b 00|"; content:"|ff ff 00 00|"; distance:2; within:4; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031940; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message"; flow:established,to_client; dsize:13; content:"! GETLOCALIP|0A|"; depth:13; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019295; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow Attempt Inbound M1 (CVE-2020-35230)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portbased_basic.htm"; http.request_body; content:"submitId="; content:"&bPortBasedVLAN="; fast_pattern; content:"&groupId=-"; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35230; classtype:attempted-admin; sid:2031941; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35230, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8444 (msg:"ET POLICY Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:url,bitmessage.org; classtype:policy-violation; sid:2019746; rev:2; metadata:created_at 2014_11_19, updated_at 2014_11_19;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow Attempt Inbound M2 (CVE-2020-35230)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portbased_basic.htm"; http.request_body; content:"submitId="; content:"&bPortBasedVLAN="; fast_pattern; content:"&memBMap=-"; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35230; classtype:attempted-admin; sid:2031942; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35230, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 75 54|"; distance:4; within:12; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019740; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x0003 (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 03|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031943; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x0005 (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 05|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031944; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category P2P, signature_severity Major, tag c2, updated_at 2012_11_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x000a (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 0a|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031945; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, former_category POLICY, updated_at 2013_07_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M2"; flow:established,to_server; http.request_line; content:"POST /logupload"; startswith; fast_pattern; http.request_body; content:"name=|22|logMetaData|22|"; content:"itrLogPath"; content:"name=|22|logfile|22 3b|"; content:"log_upload_wsgi.py"; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:url,attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece; reference:cve,2021-21978; classtype:attempted-admin; sid:2032008; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2021_03_15;)
 
-alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 2 status code Unauthorized Name"; content:"|06 13|"; offset:4; depth:2; content:"|0d|"; distance:11; within:1; classtype:protocol-command-decode; sid:2017121; rev:2; metadata:created_at 2013_07_09, former_category ATTACK_RESPONSE, updated_at 2013_07_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1"; flow:established,to_server; http.request_line; content:"POST /logupload?logMetaData="; startswith; fast_pattern; content:"itrLogPath"; content:"log_upload_wsgi.py"; http.request_body; content:"name=|22|logfile|22 3b|"; reference:url,paper.seebug.org/1495/; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:cve,2021-21978; classtype:attempted-admin; sid:2032009; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_15;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> any any (msg:"ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/web_shell_cmd.gch"; fast_pattern; http.request_body; content:"IF_ACTION=apply&IF_ERRORSTR=SUCC&"; startswith; reference:url,twitter.com/bad_packets/status/1235106406144937984; reference:cve,2014-2321; reference:url,github.com/stasinopoulos/ZTExploit/; classtype:attempted-user; sid:2032077; rev:2; metadata:affected_product Router, attack_target IoT, created_at 2021_03_16, cve CVE_2014_2321, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2021_03_16;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Unauthenticated RCE Inbound (CVE-2021-22986)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/"; http.request_body; content:"|22|filepath|22 3a 22 60|"; fast_pattern; reference:cve,2021-22986; classtype:attempted-admin; sid:2032092; rev:1; metadata:attack_target Server, created_at 2021_03_17, cve CVE_2021_22986, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible F5 BIG-IP Infoleak and Out-of-Bounds Write Inbound (CVE-2021-22991)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3a 2f 2f 5b|"; fast_pattern; content:"|5d|"; endswith; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2126; reference:cve,2021-22991; classtype:attempted-admin; sid:2032173; rev:1; metadata:attack_target Server, created_at 2021_03_18, cve CVE_2021_22991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_18;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_12_23, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [NCC/FOX-IT] Possible F5 BIG-IP/BIG-IQ iControl REST RCE Attempt (CVE-2021-22986)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/tm/util/bash"; nocase; fast_pattern; http.request_body; content:"|22|command|22 3a 20 22|run|22|"; content:"|22|utilCmdArgs|22 3a 20 22|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2021_03_cve_2021_22986.txt; reference:cve,2021-22986; classtype:attempted-admin; sid:2032220; rev:1; metadata:created_at 2021_03_19, cve CVE_2021_22986, former_category EXPLOIT, updated_at 2021_03_19;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Known Fraudulent SSL Certificate"; flow:established,from_server; content:"|7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b|"; content:"sef1941@gmail.com"; within:250; reference:url,contagiodump.blogspot.com/2011/06/jun-22-cve-2011-0611-pdf-swf-fruits-of.html; classtype:misc-activity; sid:2013223; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Vantage Velocity Field Unit RCE Inbound (CVE-2020-9020)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/timeconfig.py?"; fast_pattern; content:"|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/; reference:cve,2020-9020; classtype:attempted-admin; sid:2032314; rev:1; metadata:created_at 2021_03_24, cve CVE_2020_9020, former_category EXPLOIT, updated_at 2021_03_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely LOIC"; flow:to_server,established; dsize:18; content:"GET / HTTP/1.1|0d 0a 0d 0a|"; depth:18; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019346; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert udp any any -> $HOME_NET 1900 (msg:"ET EXPLOIT DD-WRT UPNP Unauthenticated Buffer Overflow (CVE-2021-27137)"; content:"M-SEARCH|20|"; startswith; content:"|0d 0a|ST|3a|"; nocase; fast_pattern; content:"uuid|3a|"; distance:0; within:6; pcre:"/^[^\r\n]{128,}\r\n/R"; reference:url,ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/; reference:cve,2021-27137; classtype:attempted-admin; sid:2032326; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_25, cve CVE_2021_27137, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS HTTP GET AAAAAAAA Likely FireFlood"; flow:to_server,established; content:"GET AAAAAAAA HTTP/1.1"; content:!"Referer|3a|"; distance:0; content:!"Accept"; distance:0; content:!"|0d 0a|"; distance:0; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019347; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+#alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26877)"; content:"|2e 95|"; offset:2; depth:2; content:"|00 10 00 01|"; distance:0; fast_pattern; byte_extract:1,5,data_len,relative; byte_test:1,>,data_len,0,relative; reference:cve,2021-26877; classtype:attempted-admin; sid:2032347; rev:2; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26877, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonMafiaIC DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.0|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019348; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26897)"; dsize:>1300; content:"|29 00|"; offset:2; depth:2; threshold:type limit, count 45, seconds 90, track by_src; reference:cve,2021-26897; classtype:attempted-admin; sid:2032348; rev:1; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26897, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DOS Terse HTTP GET Likely AnonGhost DDoS tool"; flow:to_server,established; dsize:20; content:"GET / HTTP/1.1|0d 0a 0d 0a 0d 0a|"; depth:20; threshold:type both,track by_dst,count 500,seconds 60; classtype:attempted-dos; sid:2019349; rev:2; metadata:created_at 2014_10_03, updated_at 2014_10_03;)
+#alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible OpenSSL TLSv1.2 DoS Inbound (CVE-2021-3449)"; flow:established,to_server; tls.version:1.2; ssl_state:client_hello; content:!"|00 0d|"; content:"|00 32 00|"; content:"|ff 01 00 01 00|"; distance:0; fast_pattern; reference:cve,2021-3449; classtype:denial-of-service; sid:2032358; rev:1; metadata:affected_product OpenSSL, created_at 2021_04_01, cve CVE_2021_3449, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_01;)
 
-alert tcp any 2067 -> $EXTERNAL_NET any (msg:"ET EXPLOIT DLSw Information Disclosure CVE-2014-7992"; flow:established,from_server; content:"Cisco"; nocase; pcre:"/^(?: Systems|\.com\/techsupport)/Ri"; threshold:type both,count 1,seconds 60,track by_dst; reference:url,www.fishnetsecurity.com/6labs/blog/cisco-dlsw-leakage-allows-retrieval-packet-contents-remote-routers; reference:url,github.com/tatehansen/dlsw_exploit; reference:cve,2014-7992; classtype:trojan-activity; sid:2019778; rev:2; metadata:created_at 2014_11_24, updated_at 2014_11_24;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Trend Micro IWSVA Unauthenticated Command Injection Inbound (CVE-2020-8466)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uid="; startswith; content:"passwd=|60|"; fast_pattern; reference:url,packetstormsecurity.com/files/160602/Trend-Micro-IWSVA-CSRF-XSS-Bypass-SSRF-Code-Execution.html; reference:cve,2020-8466; classtype:attempted-admin; sid:2032533; rev:1; metadata:attack_target Server, created_at 2021_04_08, cve CVE_2020_8466, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032636; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"! JUNK "; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019299; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
+alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032637; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MALWARE W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019808; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Klog Server Command Injection Inbound (CVE-2021-3317)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/async.php?action="; content:"&source=|3b|"; fast_pattern; reference:cve,2021-3317; classtype:attempted-admin; sid:2032638; rev:1; metadata:attack_target Server, created_at 2021_04_09, cve CVE_2021_3317, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019014; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; distance:0; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:1; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress GET_RESTRICT Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2019015; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iView3/NetworkServlet"; fast_pattern; http.request_body; content:"page_action"; startswith; content:"|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"; reference:url,www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/; reference:cve,2021-22652; classtype:attempted-admin; sid:2032767; rev:1; metadata:attack_target Web_Server, created_at 2021_04_15, cve CVE_2021_22652, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x03"; content:"|00 03 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019016; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".config"; endswith; http.request_body; content:"CMD=CONFIG&GO=index.asp&TYPE=CONFIG"; fast_pattern; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032780; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST Requests IMPL 0x02"; content:"|00 02 00|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019017; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation Inbound M2"; flow:established,to_server; flowbits:set,ZBLEPON.1; http.method; content:"GET"; http.uri; content:"/system_password.asp"; endswith; fast_pattern; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032781; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
 
-alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation - Responding with Superuser Credentials"; flow:established,from_server; flowbits:isset,ZBLEPON.1; http.stat_code; content:"200"; file_data; content:"1|3b|super|3b|"; fast_pattern; content:"1|3b|admin|3b|"; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032782; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x03"; content:"|00 03 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019018; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297)"; http.method; content:"GET"; http.uri; content:"/login_ok.htm"; fast_pattern; http.cookie; content:"login=1"; reference:url,github.com/Sec504/Zyxel-NBG2105-CVE-2021-3297; reference:cve,2021-3297; classtype:attempted-user; sid:2032523; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_04_06, cve CVE_2021_3297, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_28;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed PEER_LIST_SUM Requests IMPL 0x02"; content:"|00 02 01|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019019; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http $HOME_NET any -> $HOME_NET 80 (msg:"ET EXPLOIT Possible Local Active Directory Federation Services (AD FS) Replication Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/services/policystoretransfer"; startswith; fast_pattern; threshold:type limit,track by_src,count 1,seconds 600; reference:url,fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html; classtype:web-application-attack; sid:2032884; rev:1; metadata:attack_target Server, created_at 2021_04_28, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_28;)
 
-alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange RCE Setup Inbound (CVE-2021-28482)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; http.request_body; content:"ProposeOptionsMeeting"; content:"&quot|3b|&gt|3b|cmd"; distance:0; fast_pattern; content:"Value&gt|3b|"; distance:0; reference:cve,2021-28482; classtype:attempted-admin; sid:2032897; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_05_04, cve CVE_2021_28482, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sophos.com Block Message"; flow:established,from_server; content:"sophos.com"; classtype:not-suspicious; sid:2012984; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M1 (CVE-2020-28020)"; flow:established,to_server; content:"|0a 20|"; content:"|0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a|"; fast_pattern; isdataat:50000,relative; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28020; classtype:attempted-admin; sid:2032898; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28020, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M2 (CVE-2020-28020)"; flow:established,to_server; content:"|0a 09|"; content:"|0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a|"; fast_pattern; isdataat:50000,relative; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28020; classtype:attempted-admin; sid:2032899; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28020, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-#alert udp $HOME_NET any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Potential DNS Request from Trojan.DNSChanger infected system"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2014043; rev:2; metadata:created_at 2011_12_28, updated_at 2011_12_28;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M1 (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^[^\+]+\+0A/R"; content:"+0A"; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032900; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M2 (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^[^\+]+(?:\+[A-F0-9]{2}){4,}/R"; content:"+0A"; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032901; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound - Information Disclosure Attempt (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^.{0,100}\+0A.{0,100}\x40/R"; content:"+0A"; fast_pattern; content:"|40|"; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032902; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET MALWARE W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:command-and-control; sid:2019712; rev:2; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
+alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim Stack Exhaustion via BDAT Error Inbound (CVE-2020-28019)"; flow:established,to_server; content:"BDAT|20|"; pcre:"/^[^\r\n]{50,}/R"; content:"BDAT|20|"; distance:0; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28019; classtype:attempted-admin; sid:2032903; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28019, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x02"; content:"|00 02 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019021; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1"; flow:established,to_server; http.uri; content:"/dana"; depth:7; fast_pattern; pcre:"/^\S{0,7}\/(?:meeting|fb\/smb|namedusers|metric)/Ri"; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032904; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
 
-alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed GET_RESTRICT Requests IMPL 0x03"; content:"|00 03 10|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019020; rev:3; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2"; flow:established,to_server; http.uri.raw; content:"/dana-na/"; depth:11; content:"cat%20/home/webserver/htdocs/dana-na/"; nocase; distance:2; within:100; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032905; rev:1; metadata:affected_product Pulse_Secure, attack_target Networking_Equipment, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
 
-alert udp any 123 -> any any (msg:"ET DOS Likely NTP DDoS In Progress Multiple UNSETTRAP Mode 6 Responses"; content:"|df 00 00 04 00|"; offset:1; depth:5; byte_test:1,!&,128,0; byte_test:1,!&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,!&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,community.rapid7.com/community/metasploit/blog/2014/08/25/r7-2014-12-more-amplification-vulnerabilities-in-ntp-allow-even-more-drdos-attacks; classtype:attempted-dos; sid:2019022; rev:4; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3"; flow:established,to_server; content:"MIME|3a 3a|Base64|3b|"; nocase; http.uri; content:"/dana-na/"; depth:11; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:trojan-activity; sid:2032906; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_05_05, cve CVE_2021_22893, former_category EXPLOIT, updated_at 2021_05_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_09_30, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE (CVE-2021-31166), http.sys DOS (CVE-2022-21907) Inbound"; flow:established,to_server; http.accept_enc; content:",|20|,"; fast_pattern; reference:url,github.com/0vercl0k/CVE-2021-31166; reference:cve,2021-31166; classtype:attempted-admin; sid:2032962; rev:1; metadata:attack_target Server, created_at 2021_05_17, cve CVE_2021_31166, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2; metadata:created_at 2014_12_05, former_category CURRENT_EVENTS, updated_at 2014_12_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT QNAP MusicStation Pre-Auth RCE Inbound (CVE-2020-36197)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/musicstation/api/upload.php?arttype=../../"; fast_pattern; reference:url,www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/; reference:cve,2020-36197; classtype:attempted-admin; sid:2033013; rev:2; metadata:created_at 2021_05_24, cve CVE_2020_36197, former_category EXPLOIT, updated_at 2021_05_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_06, updated_at 2014_12_06;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/Action/TestAction"; fast_pattern; http.request_body; content:"$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib"; content:"$value|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:cve,2021-31474; classtype:attempted-admin; sid:2033035; rev:1; metadata:attack_target Server, created_at 2021_05_27, cve CVE_2021_31474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019879; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033079; rev:1; metadata:attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019762; rev:3; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033080; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2019761; rev:4; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Command Injection Attempt Inbound (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"certificate_handle2.htm?type=4"; fast_pattern; http.request_body; content:"|22|common_name|22 3a|"; nocase; content:"|27 24 28|"; distance:0; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1652; classtype:attempted-admin; sid:2033088; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1652, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Config Disclosure Attempt Inbound (CVE-2019-1653)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/config.exp"; endswith; fast_pattern; flowbits:set,ET.cve20191653.1; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033089; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful Cisco RV320/RV325 Config Disclosure (CVE-2019-1653)"; flow:established,from_server; file.data; content:"sysconfig"; flowbits:isset,ET.cve20191653.1; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033090; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Debug Dump Disclosure Attempt Inbound (CVE-2019-1653)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/export_debug_msg.exp"; endswith; fast_pattern; http.request_body; content:"submitdebugmsg|22 3a 20 22|1|22|"; flowbits:set,ET.cve20191653.2; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033091; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful Cisco RV320/RV325 Debug Dump Disclosure (CVE-2019-1653)"; flow:established,from_server; file.data; content:"Salted__"; flowbits:isset,ET.cve20191653.2; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033092; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkValid"; http.request_body; content:"document=this.constructor"; content:"execSync"; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT XXL-Job RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; http.request_body; content:"GLUE_SHELL"; nocase; fast_pattern; content:"glueSource"; nocase; content:"glueUpdatetime"; nocase; reference:url,github.com/jas502n/xxl-job; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019890; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jboss RCE (CVE-2017-12149)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/readonly"; fast_pattern; http.request_body; content:"java.util.HashSet"; reference:cve,2017-12149; reference:url,github.com/gottburgm/Exploits/blob/master/CVE-2017-12149/CVE_2017_12149.pl#L180; classtype:attempted-admin; sid:2033118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, cve CVE_2017_12149, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| +  |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2019892; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET [!443] -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2021_06_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:exploit-kit; sid:2019895; rev:2; metadata:created_at 2014_12_09, former_category CURRENT_EVENTS, updated_at 2014_12_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)"; flow:established,to_server; http.uri; content:"/openam/oauth2/"; content:"/ccversion/Version"; nocase; pkt_data; content:"jato.pageSession="; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; classtype:attempted-admin; sid:2033208; rev:1; metadata:created_at 2021_06_30, cve CVE_2021_35464, former_category EXPLOIT, updated_at 2021_06_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:targeted-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)"; flow:established,to_server; http.uri; content:"/openam/oauth2/"; content:"/ccversion/Version"; nocase; pkt_data; content:"jato.pageSession="; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; reference:url,attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464; reference:cve,2021-35464; classtype:attempted-admin; sid:2033210; rev:1; metadata:attack_target Server, created_at 2021_06_30, cve CVE_2021_35464, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_06_30;)
 
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Insomnia Shell Outbound CMD Banner"; flow:to_server,established; content:"Shell enroute......."; depth:20; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019900; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Command Injection Attempt Inbound (Possible Mirai Activity)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/op_type="; startswith; fast_pattern; content:"|3b|"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; classtype:attempted-user; sid:2033272; rev:1; metadata:created_at 2021_07_07, former_category EXPLOIT, updated_at 2021_07_07;)
 
-alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible PYKEK Priv Esc in-use"; flow:established,to_server; content:"|a4 11 18 0f|19700101000000Z|a5 11 18 0f|19700101000000Z|a6 11 18 0f|19700101000000Z"; content:"|a8 05 30 03 02 01 17|"; distance:8; within:7; threshold: type limit, track by_src, seconds 60, count 1; reference:url,github.com/bidord/pykek; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019897; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Vulnerability Exploit Attempt (Possible Mirai Activity)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/"; startswith; http.request_body; content:"key=|27 3b 60|"; startswith; fast_pattern; content:"wget"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; classtype:attempted-admin; sid:2033273; rev:1; metadata:attack_target Server, created_at 2021_07_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OptiLink ONT1GEW GPON RCE Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boaform/admin/"; pcre:"/^form(?:Ping|Tracert)$/R"; http.request_body; content:"target_addr=|22|"; fast_pattern; content:"|60|"; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033280; rev:2; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019906; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT OptiLink ONT1GEW GPON RCE Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boaform/admin/"; pcre:"/^form(?:Ping|Tracert)$/R"; http.request_body; content:"target_addr=|22|"; fast_pattern; content:"|60|"; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033281; rev:1; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033282; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, updated_at 2021_07_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:exploit-kit; sid:2019908; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033283; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, updated_at 2021_07_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:exploit-kit; sid:2019844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; distance:0; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_31755, updated_at 2021_07_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious JS Leading to Fiesta EK"; flow:established,from_server; file_data; content:"xapLoad"; fast_pattern; content:"swfLoad"; content:"xapURL"; content:"swfURL"; content:"errURL"; content:"var id"; classtype:exploit-kit; sid:2019920; rev:2; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; distance:0; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033285; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_31755, updated_at 2021_07_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (smartoptionsinc.com)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|05 11 32 08 1d 81|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019923; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033294; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (ppc.cba.pl)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 00 81 3d 59 00 8d f2 04 04 8c 3a d3 d0 8e 36 d4 2a|"; distance:9; within:40; content:"|55 04 03|"; distance:0; content:"|06|cba.pl"; distance:1; within:7; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019924; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033295; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033296; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033297; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033298; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033299; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033300; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033301; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033302; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Statblaster Code Download"; flow: to_server,established; content:"/updatestats/"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; classtype:policy-violation; sid:2001524; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033303; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033304; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033305; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET MALWARE Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:command-and-control; sid:2019941; rev:1; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2014_12_16;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033306; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Bedep Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"Content-Length|3a 20|2"; http_header; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; pcre:"/^Content-Length\x3a 2\d{2}\r?$/Hmi"; flowbits:set,ET.Trojan.Bedep; classtype:trojan-activity; sid:2019949; rev:2; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033307; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Download URI Struct June 19 2014"; flow:established, to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"=aHR0cD"; http_uri; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/\/[a-z]{2,9}\.php\?(?:[a-z0-9]{2,4}|[cktw])=[a-zA-Z0-9\x2b\x2f\x5c]{43,56}=?$/U"; classtype:trojan-activity; sid:2018589; rev:6; metadata:created_at 2014_06_20, updated_at 2014_06_20;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass Attempt Outbound (CVE-2021-33543)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uapi-cgi/"; fast_pattern; pcre:"/^.{1,50}\/uapi-cgi\//Ui"; content:".cgi"; endswith; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33543; classtype:attempted-admin; sid:2033308; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33543, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass Attempt Inbound (CVE-2021-33543)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uapi-cgi/"; fast_pattern; pcre:"/^.{1,50}\/uapi-cgi\//Ui"; content:".cgi"; endswith; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33543; classtype:attempted-admin; sid:2033309; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33543, former_category EXPLOIT, updated_at 2021_07_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2; metadata:created_at 2014_12_17, former_category CURRENT_EVENTS, updated_at 2014_12_17;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033311; rev:1; metadata:created_at 2021_07_09, updated_at 2021_07_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033312; rev:1; metadata:created_at 2021_07_09, updated_at 2021_07_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE MSHTML Out-of-Bounds Write Inbound (CVE-2021-33742)"; flow:from_server,established; file.data; content:"innerHTML|20|=|20|Array|28|"; nocase; fast_pattern; byte_test:0,>=,33554431,0,string,dec,relative; content:"|29|.toString|28 29 3b|"; distance:0; within:50; reference:url,googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html; reference:cve,2021-33742; classtype:attempted-admin; sid:2033326; rev:1; metadata:created_at 2021_07_15, cve CVE_2021_33742, updated_at 2021_07_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:exploit-kit; sid:2019193; rev:3; metadata:created_at 2014_09_18, former_category CURRENT_EVENTS, updated_at 2014_09_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA Authentication Bypass (management) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/management"; http.referer; content:!"/__api__/v1/logon"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033345; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002385; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (sslvpnclient) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/sslvpnclient"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033346; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019962; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (portal) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/portal"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033347; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:command-and-control; sid:2019964; rev:1; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2014_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/supportInstaller"; endswith; http.request_body; content:"fromEmailInvite"; content:"customerTID"; tag:session,5,packets; reference:url,www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; reference:cve,2019-7481; classtype:web-application-attack; sid:2033348; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2019_7481, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:exploit-kit; sid:2019950; rev:3; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=setting.htm"; content:"TF_submask=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033349; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (2)"; flow:established,to_client; file_data; content:"|69 b8 3c 09 08 6c b1 4c|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dhcp.cgi?redirect=setting.htm"; content:"TF_hostname=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (3)"; flow:established,to_client; file_data; content:"|28 46 c5 83 df ef a3 2a|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019969; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ppp.cgi?redirect=setting.htm"; content:"TF_servicename=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033351; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Download Redirection Dec 18 2014"; flow:established,from_server; file_data; content:"<br><meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; pcre:"/^[^\x2f\x22]+?\x22>/R"; classtype:trojan-activity; sid:2019970; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/man.cgi?redirect=setting.htm"; content:"TF_port=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 Activity Dec 18 2014"; flow:established,to_server; content:"/landing?action="; http_uri; fast_pattern:only; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r\n)/Hmi"; classtype:exploit-kit; sid:2019973; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS and Webpass IoT devices CVE-2021-31643"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=EmpRcd.htm"; content:"&username=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3c|"; distance:0; reference:cve,2021-31643; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31643, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CHIYU IoT Devices - Denial of Service"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=AccLog.htm"; startswith; content:"&type=go_log_page&page=2781000"; endswith; fast_pattern; http.referer; content:"/AccLog.htm"; endswith; reference:cve,2021-31642; reference:url,www.exploit-db.com/exploits/49937; classtype:denial-of-service; sid:2033362; rev:2; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Teerac.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019918; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbAdminWSService/DbAdminWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:"|3a|addUser>"; content:"<userName>"; content:"<roleName>"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15976; classtype:attempted-admin; sid:2033409; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15976, updated_at 2021_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3; metadata:created_at 2014_12_20, former_category CURRENT_EVENTS, updated_at 2014_12_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Information Disclosure Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action=displayServerInfos"; http.header; content:"|20|YWRtaW46bmJ2XzEyMzQ1|0d|"; fast_pattern; reference:url,www.exploit-db.com/exploits/48019; classtype:attempted-admin; sid:2033410; rev:1; metadata:created_at 2021_07_24, updated_at 2021_07_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019987; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager SQL Injection Inbound (CVE-2019-15984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbInventoryWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:"sortType>|3b|"; content:"|3b|--"; distance:0; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15984; classtype:attempted-admin; sid:2033411; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15984, updated_at 2021_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Directory Traversal Inbound (CVE-2019-15980)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ReportWSService/ReportWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:">..|2f|..|2f|"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15980; classtype:attempted-admin; sid:2033412; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15980, updated_at 2021_07_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019993; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC M1 (CVE-2019-16662)"; flow:established,to_server; http.uri.raw; content:"/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html; reference:cve,2019-16662; classtype:attempted-admin; sid:2028933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_11_04, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Solr DataImport Handler RCE (CVE-2019-0193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/solr/"; content:"dataimport"; distance:0; http.request_body; content:"command=full-import"; fast_pattern; pcre:"/\bexec\b/Ri"; reference:cve,2019-0193; reference:url,github.com/jas502n/CVE-2019-0193; classtype:attempted-admin; sid:2033114; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/log/fmlogs.zip"; endswith; fast_pattern; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1622; classtype:attempted-recon; sid:2033444; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_1622, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620)"; flow:established,to_server; content:"Cookie|3a|"; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033445; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_1620, updated_at 2021_07_27;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620)"; flow:established,to_server; content:!"Cookie|3a|"; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033446; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_1620, updated_at 2021_07_27;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 8888 (msg:"ET EXPLOIT Possible CloudMe Sync Stack-based Buffer Overflow Inbound (CVE-2018-6892)"; flow:established,to_server; content:"|90 90 90 90 90 90 90 90|"; offset:500; depth:800; content:"|90 90 90 90 90 90|"; distance:0; within:64; reference:url,www.exploit-db.com/exploits/44175; reference:cve,2018-6892; classtype:attempted-admin; sid:2033448; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2018_6892, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
 
-#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+#alert tcp any any -> [$HOME_NET,$SMTP_SERVERS] [25,143,993,995] (msg:"ET EXPLOIT Possible Dovecot Memory Corruption Inbound (CVE-2019-11500)"; flow:to_server,established; content:"|22|"; content:"|00|"; distance:0; content:"|5c|"; distance:200; reference:url,nickroessler.com/dovecot-cve-2019-11500/; reference:cve,2019-11500; classtype:attempted-admin; sid:2033451; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_11500, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LibreOffice pydoc RCE Inbound (CVE-2018-16858)"; flow:from_server,established; file.data; content:"<office|3a|document"; depth:100; content:"<office|3a|"; distance:0; content:"<script|3a|"; content:"|2f|pydoc.py|24|tempfilepager"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/46727; reference:cve,2018-16858; classtype:attempted-admin; sid:2033456; rev:1; metadata:created_at 2021_07_27, cve CVE_2018_16858, updated_at 2021_07_27;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, former_category EXPLOIT, updated_at 2021_07_27;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033464; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033465; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033466; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033467; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033468; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033469; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp any any -> any [8000,8080] (msg:"ET MALWARE US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033470; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033471; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033472; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020025; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033473; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020026; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033474; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trojan.Nurjax SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.njaxjs.me"; distance:1; within:14; classtype:trojan-activity; sid:2020033; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033475; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3; metadata:created_at 2014_12_24, former_category CURRENT_EVENTS, updated_at 2014_12_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033476; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033477; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (7)"; flow:established,to_client; file_data; content:"|04 6e 76 82 2e 2c 2c 48|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033478; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (ddnservice11.ru)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|ddnservice11|02|ru|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020073; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033479; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS query for known Anunak APT Domain (financialnewsonline.pw)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|financialnewsonline|02|pw|00|"; nocase; distance:0; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020074; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033480; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033481; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET MALWARE Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033482; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020075; rev:3; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033483; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033484; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert udp any any -> 1.1.1.0 80 (msg:"ET MALWARE TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033485; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033486; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033487; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound"; flow:established; content:"netsh firewall|22| is deprecated|3b|"; content:"use |22|netsh advfirewall"; distance:0; content:"Ok."; distance:0; classtype:successful-admin; sid:2020087; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033488; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; content:"SERVICE_EXIT_CODE"; distance:0; classtype:successful-admin; sid:2020088; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033489; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page"; flow:established,to_client; file_data; content:"cPanel Cracker"; classtype:trojan-activity; sid:2020096; rev:3; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033490; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:2; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033491; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:8; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033492; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020104; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033493; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020149; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033494; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET MALWARE Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020155; rev:2; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2015_01_08;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033495; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013962; rev:14; metadata:created_at 2011_11_23, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033496; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:command-and-control; sid:2019242; rev:2; metadata:created_at 2014_09_26, former_category MALWARE, updated_at 2014_09_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033497; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033498; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033499; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033500; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033501; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033502; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp any any -> any 1024: (msg:"ET MALWARE Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033503; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033504; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET MALWARE Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:command-and-control; sid:2020169; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_01_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033505; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:2; metadata:created_at 2015_01_13, former_category MALWARE, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033506; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; file_data; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_12, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033507; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033508; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; file_data; content:"UEsDB"; content:"var"; pcre:"/^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB/R"; flowbits:isset,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020161; rev:3; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2015_01_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033509; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Bedep Checkin Response"; flow:established,from_server; content:"Content-Type|3a 20|text/html|0d 0a|"; http_header; content:"Content-Length|3a| 108|0d 0a|"; http_header; fast_pattern:only; content:!"Keep-Alive|3a 20|"; http_header; file_data; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; classtype:trojan-activity; sid:2019952; rev:5; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033510; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020187; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033511; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin"; flow:established,to_server; content:"|00 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"MHz|00|"; distance:0; content:"|20 2a 20|"; distance:-12; within:5; pcre:"/^\d+MHz\x00/R"; content:"|20|MB|00|"; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3682; classtype:command-and-control; sid:2020188; rev:1; metadata:created_at 2015_01_15, former_category MALWARE, updated_at 2015_01_15;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033512; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020196; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033513; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033514; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Dalexis Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 d7 f0 71 9c ed 67 99 74|"; within:35; fast_pattern; reference:md5,a01fdd1585dc5c8b4e09536eede5e6d4; classtype:trojan-activity; sid:2020208; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033515; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:command-and-control; sid:2020209; rev:2; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2015_01_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033516; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020216; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033517; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020217; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033518; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020218; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033519; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020219; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033520; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020220; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033521; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:command-and-control; sid:2020222; rev:1; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2015_01_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033522; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033523; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (10)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020227; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033524; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"wb v"; http_user_agent; fast_pattern; reference:url,doc.emergingthreats.net/2003449; classtype:pup-activity; sid:2003449; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033525; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020242; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033526; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033527; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Suspicious torwoman.com Domain - Possible CryptoWall Activity"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|torwoman|03|com"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020283; rev:1; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033528; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033529; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020291; rev:2; metadata:created_at 2015_01_23, former_category EXPLOIT_KIT, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033530; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033531; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC%20Report_Vol.58_Eng.pdf; classtype:command-and-control; sid:2020303; rev:2; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033532; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:2; metadata:created_at 2015_01_23, former_category CURRENT_EVENTS, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033533; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020307; rev:4; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033534; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET MALWARE Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033535; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|6|00|f|00|b|00|e|00|8|00|7|00|a|00|-|00|4|00|3|00|7|00|2|00|-|00|1|00|f|00|5|00|1|00|-|00|1|00|0|00|1|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|0|00|4|00|3|00|1|00|2|00|7|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020309; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033536; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; content:"|00|{|00|4|00|4|00|f|00|d|00|g|00|2|00|3|00|a|00|-|00|1|00|5|00|2|00|2|00|-|00|6|00|f|00|9|00|e|00|-|00|d|00|0|00|5|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|1|00|7|00|6|00|1|00|3|00|8|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020310; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033537; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020313; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033538; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020314; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033539; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:exploit-kit; sid:2016278; rev:6; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033540; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:exploit-kit; sid:2016547; rev:10; metadata:created_at 2013_03_07, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033541; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:exploit-kit; sid:2015815; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033542; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:exploit-kit; sid:2015816; rev:4; metadata:created_at 2012_10_18, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033543; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015892; rev:4; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033544; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:exploit-kit; sid:2015893; rev:5; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033545; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015915; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033546; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:exploit-kit; sid:2015891; rev:4; metadata:created_at 2012_11_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033547; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:exploit-kit; sid:2015916; rev:4; metadata:created_at 2012_11_21, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033548; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:exploit-kit; sid:2016060; rev:19; metadata:created_at 2012_12_19, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033549; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:exploit-kit; sid:2016221; rev:5; metadata:created_at 2013_01_16, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033550; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:exploit-kit; sid:2016280; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033551; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016406; rev:3; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033552; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (4)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:exploit-kit; sid:2016408; rev:14; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033553; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:exploit-kit; sid:2017396; rev:6; metadata:created_at 2013_08_29, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033554; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:exploit-kit; sid:2020319; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033555; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020320; rev:5; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033556; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020321; rev:4; metadata:created_at 2015_01_28, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033557; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020322; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033558; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:2; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2015_01_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033559; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020331; rev:3; metadata:attack_target Client_and_Server, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033560; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO)"; flow:to_server,established; content:"HELO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020325; rev:2; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033561; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,465,587] (msg:"ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO)"; flow:to_server,established; content:"EHLO "; nocase; content:!"|0a|"; within:1024; pcre:"/^\s*?\d[\d\x2e]{255}/R"; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:2020326; rev:4; metadata:created_at 2015_01_28, updated_at 2015_01_28;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033562; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033563; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.PYO Receiving Config"; flow:established,from_server; file_data; content:"path = "; within:7; content:"|0a|delay = "; distance:0; pcre:"/^\d+\n/R"; content:"hash = "; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020335; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033564; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Flashpack Redirect Method 3"; flow:established,to_server; content:"POST"; http_method; content:!"/gateway.php"; http_uri; content:"gate"; http_uri; fast_pattern:only; content:".php"; http_uri; content:".swf"; http_header; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; classtype:trojan-activity; sid:2019325; rev:9; metadata:created_at 2014_09_30, updated_at 2014_09_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033565; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dropper YABROD Downloading Files"; flow:from_client,established; urilen:11; content:"/Yabrod.pdf"; content:"User-Agent|3a 20|n1|0d 0a|"; fast_pattern:12,4; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,44df02ac28d80deb45f5c7c48b56a858; reference:url,fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020346; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2019_10_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033566; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033567; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020349; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2015_02_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033568; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:1; metadata:created_at 2015_02_03, former_category CURRENT_EVENTS, updated_at 2015_02_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033569; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; classtype:exploit-kit; sid:2020355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033570; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; classtype:exploit-kit; sid:2020356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033571; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Dec 24 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2039 "; http_header; fast_pattern:12,20; classtype:exploit-kit; sid:2020068; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033572; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Elinor"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020365; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033573; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:exploit-kit; sid:2020366; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033574; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Chaintor/Tordal User-Agent spotted downloading payload"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b| Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25"; fast_pattern:50,20; http_header; classtype:trojan-activity; sid:2020347; rev:4; metadata:created_at 2015_02_03, updated_at 2015_02_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033575; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible HTTP GET Deep Panda C2 Activity"; flow:established,to_server; content:"GET"; http_method; content:".jpg?id="; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\.jpg\?id=\d+$/U"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020379; rev:2; metadata:created_at 2015_02_06, updated_at 2015_02_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033576; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:command-and-control; sid:2020381; rev:3; metadata:created_at 2015_02_07, former_category MALWARE, malware_family XorDDoS, updated_at 2015_02_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033577; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033578; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020174; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033579; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020175; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033580; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020176; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033581; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020177; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033582; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033583; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_07, former_category MALWARE, updated_at 2015_02_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033584; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033585; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033586; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033587; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:exploit-kit; sid:2019647; rev:5; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033588; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Mozilla"; http_header; fast_pattern; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){3,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2019764; rev:9; metadata:created_at 2014_11_21, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033589; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 6d|"; distance:4; within:11; pcre:"/^[\x53\x54]/R"; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019739; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Monitorr 1.7.6m RCE Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/assets/php/upload.php"; nocase; http.request_body; content:"name=|22|fileToUpload|22|"; nocase; content:"<?"; reference:url,github.com/Monitorr/Monitorr; reference:url,www.exploit-db.com/exploits/48980; classtype:attempted-admin; sid:2033599; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE MSIL/Golroted.B Keylogger FTP"; flow:established,to_server; content:"STOR Logger_"; reference:md5,b2b82fd662dd0ddf53aa37bb9025bf92; classtype:trojan-activity; sid:2020411; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jenkins Plugin Script RCE Exploit Attempt (CVE-2019-1003001)"; flow:established,to_server; http.uri; content:"CpsFlowDefinition"; nocase; content:"checkScriptCompile"; nocase; content:"GrabResolver"; nocase; content:"GrabConfig"; nocase; content:"Grab("; nocase; reference:url,0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html; reference:url,www.exploit-db.com/exploits/46427; reference:cve,2019-1003001; classtype:attempted-admin; sid:2033600; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2019_1003001, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Ambari Default Credentials Attempt"; flow:established,to_server; http.uri; content:"/api/v1/users/admin?fields="; nocase; content:"privilege"; nocase; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW4"; nocase; reference:url,docs.cloudera.com/HDPDocuments/Ambari-2.7.4.0/bk_ambari-installation/content/log_in_to_apache_ambari.html; classtype:attempted-admin; sid:2033601; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED High Probability Blackhole Landing with catch qq"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:bad-unknown; sid:2014294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812)"; flow:established,to_server; http.uri; content:"/mod/jitsi/sessionpriv.php?avatar="; nocase; content:"&nom="; nocase; reference:cve,2021-26812; reference:url,vuldb.com/?id.173035; classtype:attempted-user; sid:2033602; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2021_26812, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - IP - 161.69.13.44"; content:"|00 01 00 01|"; content:"|00 04 A1 45 0D 2C|"; distance:4; within:6; content:!"|07|sa-live|03|com"; classtype:trojan-activity; sid:2019508; rev:3; metadata:created_at 2014_10_27, updated_at 2014_10_27;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT GraphQL Introspection Query Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|7b 22 71 75 65 72 79 22 3a 22 71 75 65 72 79 20|"; nocase; startswith; content:"__schema"; nocase; distance:0; content:"queryType"; nocase; distance:0; reference:url,blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/; classtype:attempted-admin; sid:2033603; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY I2P Seeds File Download"; flow:established,to_client; file_data; content:"I2Psu3"; within:6; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020416; rev:2; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"; nocase; content:"extension=menu"; distance:0; content:"view=menu"; nocase; content:"parent="; nocase; pcre:"/parent=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ui"; reference:url,www.exploit-db.com/exploits/49627; reference:cve,2018-17254; classtype:attempted-admin; sid:2033604; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, cve CVE_2018_17254, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert udp $HOME_NET 1434 -> $EXTERNAL_NET any (msg:"ET DOS MC-SQLR Response Outbound Possible DDoS Participation"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_src,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020305; rev:4; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/monitor/messagebroker/amf"; nocase; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00|"; fast_pattern; reference:url,github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb; reference:url,twitter.com/pedrib1337/status/1415862996786548736; reference:cve,2016-2510; classtype:attempted-admin; sid:2033605; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2016_2510, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
 
-alert udp $EXTERNAL_NET 1434 -> $HOME_NET any (msg:"ET DOS MC-SQLR Response Inbound Possible DDoS Target"; content:"|05|"; depth:1; content:"ServerName|3b|"; nocase; content:"InstanceName|3b|"; distance:0; content:"IsClustered|3b|"; distance:0; content:"Version|3b|"; distance:0; threshold:type both,track by_dst,count 30,seconds 60; reference:url,kurtaubuchon.blogspot.com.es/2015/01/mc-sqlr-amplification-ms-sql-server.html; classtype:attempted-dos; sid:2020306; rev:3; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 Auth Bypass (CVE-2018-3810)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"sgcgoogleanalytic="; nocase; startswith; content:"<script"; nocase; distance:0; content:"savegooglecode"; nocase; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3810; classtype:attempted-admin; sid:2033637; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components"; flow:established,from_server; flowbits:isset,ET.Gulcrypt; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020421; rev:2; metadata:created_at 2015_02_13, updated_at 2015_02_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 SQLi (CVE-2018-3811)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"action=saveadwords"; nocase; startswith; content:"oId="; nocase; distance:0; pcre:"/oId=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/i"; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3811; classtype:attempted-admin; sid:2033638; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1"; flow:established,from_server; file_data; content:"lRXdjVGeFxGblh2U"; classtype:exploit-kit; sid:2020423; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546)"; flow:established,to_server; http.uri; content:"/compliancepolicies.inc.php"; nocase; fast_pattern; content:"searchOption=contains"; content:"searchField=antani"; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,github.com/theguly/exploits/blob/master/CVE-2020-10546.py; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-10546; classtype:attempted-admin; sid:2033639; rev:2; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1"; flow:established,from_server; file_data; content:"Z0V3YlhXRsxWZoN"; classtype:exploit-kit; sid:2020424; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT phpMyAdmin setup.php Local File Include"; flow:established,to_server; http.uri; content:"/scripts/setup.php"; nocase; fast_pattern; http.request_body; content:"action="; nocase; startswith; content:"configuration="; nocase; content:"PMA_Config"; nocase; content:"source"; nocase; reference:url,www.programmersought.com/article/87603212281/; reference:url,github.com/projectdiscovery/nuclei; classtype:attempted-admin; sid:2033640; rev:1; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1"; flow:established,from_server; file_data; content:"Gd1NWZ4VEbsVGaT"; classtype:exploit-kit; sid:2020425; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon <= 2.1.x LFI (CVE-2020-11991)"; flow:established,to_server; http.uri; content:"/v2/api/product/manger/getInfo"; nocase; http.request_body; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:url,www.cnblogs.com/0day-li/p/13663350.html; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1; metadata:created_at 2021_08_02, cve CVE_2020_11991, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M2"; flow:established,from_server; file_data; content:"KkxSZssGLjxSYsAHKu9Wa0Nmb1ZGKsFmdl"; classtype:exploit-kit; sid:2020428; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)"; flow:established,to_server; http.uri; content:"/?cffaction=get_data_from_database"; nocase; fast_pattern; content:"query="; pcre:"/^[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,wpscan.com/vulnerability/10287; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-14092; classtype:attempted-admin; sid:2033642; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_14092, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:exploit-kit; sid:2020429; rev:2; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs)"; dsize:<21; content:"TLPU"; startswith; fast_pattern; content:"|00 00 00 01|"; distance:4; within:4; reference:url,www.armis.com/pwnedPiper; reference:cve,2021-37162; reference:cve,2021-37165; reference:cve,2021-37161; classtype:attempted-admin; sid:2033661; rev:1; metadata:attack_target Server, created_at 2021_08_03, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020456; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover?"; nocase; content:"/mapi/nspi"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033682; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:exploit-kit; sid:2020234; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)"; flow:established,from_server; http.stat_code; content:"302"; flowbits:isset,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033683; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M2 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Host|3a|"; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Connection|3a 20|Keep-Alive|0d 0a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020399; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:"ET EXPLOIT Possible Microsoft Exchange RCE with Python PSRP Client UA Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover/autodiscover.json?"; http.user_agent; content:"Python|20|PSRP|20|Client"; fast_pattern; reference:cve,2021-34473; classtype:attempted-admin; sid:2033712; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:exploit-kit; sid:2020318; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M1 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<s"; content:"SerializedSecurityContext>"; distance:0; content:"Message>"; distance:0; content:"Attachments>"; distance:0; content:"Content>"; distance:0; content:"|60 c2 ac c2 aa|"; distance:0; within:200; reference:cve,2021-34473; classtype:attempted-admin; sid:2033684; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4; metadata:created_at 2015_02_18, former_category CURRENT_EVENTS, updated_at 2015_02_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M1 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|60|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:attempted-admin; sid:2033738; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:exploit-kit; sid:2020477; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M2 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|24|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:bad-unknown; sid:2033742; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:exploit-kit; sid:2020478; rev:3; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/setcookie.cgi"; fast_pattern; xbits:isset,ET.2020_8260.2,track ip_src,expire 10; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033752; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger, PoC Based (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/setcookie.cgi"; fast_pattern; http.header; pcre:"/^[A-Z]{8}\x3a/m"; xbits:isset,ET.2020_8260.2,track ip_src,expire 10; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033753; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content:"5368656c6c45786563757465"; nocase; classtype:trojan-activity; sid:2020482; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange ProxyLogon Activity - OABVirtualDirectory SetObject (CVE-2021-27065)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ecp/"; content:"/SetObject?"; content:"schema=OABVirtualDirectory"; fast_pattern; http.header; content:"msExchLogonMailbox|3a|"; http.request_body; content:"__type"; content:"Microsoft.Exchange.Management.ControlPanel"; distance:0; content:"ExternalUrl"; distance:0; reference:url,github.com/praetorian-inc/proxylogon-exploit/blob/main/exploit.py; reference:cve,2021-27065; classtype:attempted-admin; sid:2033754; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_27065, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:"%53%68%65%6c%6c%45%78%65%63%75%74%65"; nocase; classtype:trojan-activity; sid:2020483; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Initial Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/setTargetObject"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b|null|5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5bnull\x5d/"; xbits:set,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033755; rev:1; metadata:created_at 2021_08_20, cve CVE_2021_21985, updated_at 2021_08_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:exploit-kit; sid:2020484; rev:2; metadata:created_at 2015_02_19, updated_at 2015_02_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Final Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/invoke"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b 5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5b\x5d/"; xbits:isset,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033756; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_21985, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020492; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/card_scan"; startswith; fast_pattern; content:".php"; distance:0; within:15; content:"=|60|"; reference:cve,2019-7256; classtype:attempted-admin; sid:2033757; rev:1; metadata:created_at 2021_08_22, cve CVE_2019_7256, former_category EXPLOIT, updated_at 2021_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020407; rev:5; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Genexis PLATINUM 4410 Command Injection Inbound (CVE-2021-29003)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sys_config_valid.xgi?exeshell="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2021-29003; classtype:attempted-admin; sid:2033758; rev:1; metadata:attack_target Server, created_at 2021_08_22, cve CVE_2021_29003, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:exploit-kit; sid:2020494; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Target Application Command Injection Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nrdh.php?cmd"; fast_pattern; content:"="; distance:0; within:3; pcre:"/^.{0,5}(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2033759; rev:1; metadata:attack_target Server, created_at 2021_08_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:exploit-kit; sid:2020495; rev:3; metadata:created_at 2015_02_20, updated_at 2015_02_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Use-After-Free in QuickTimePluginReplacement (CVE-2021-1879)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var"; pcre:"/^\s*(?P<worker>[A-Za-z0-9_-]{1,20})\s*=\s*null\x3b.{1,300}(?P=worker)\s*=\s*document\.getElementById\([\x22\x27](?P=worker)[\x22\x27]\)\x3b.{1,300}\.addEventListener\([\x22\x27]DOMNodeInserted[\x22\x27]\s*,\s*(?P<callback0>[A-Za-z0-9_-]{1,20}).{0,300}(?P=worker)(?P<worker_ext>(\.\w{1,20})+)\s*=\s*\d+\x3b.{1,300}function\s*(?P=callback0)\([^\)]+\)\s*\{\s*.{1,300}\.requestAnimationFrame\((?P<callback>[A-Za-z0-9_-]{1,20})\)\x3b.{1,300}function\s*(?P<garbagecollector>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*.{0,100}for\s*\(let\s*(?P<gc_counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=gc_counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=gc_counter)(?:\+{2}|-{2})\s*\)\s*.{1,300}function\s*(?P=callback)\([^\)]+\)\s*\{\s*.{1,300}(?P=garbagecollector)\(\)\s*\x3b\s*.{1,300}\((?P=worker)(?P=worker_ext)\)/Rs"; content:"document.getElementById|28|"; content:".addEventListener|28 22|DOMNodeInserted"; content:"window.requestAnimationFrame"; fast_pattern; reference:cve,2021-1879; classtype:attempted-admin; sid:2033781; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2021_1879, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020455; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InjectJsBuiltInLibraryCode Use-After-Free Inbound (CVE-2019-0568)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<opt>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*let\s*(?P<o_var>[A-Za-z0-9_-]{1,20})\s*=\s*\{\}\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=o_var)\.(?P<x_prop>[A-Za-z0-9_-]{1,20}).{1,300}for\s*\(\s*let\s*(?P<counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=counter)(?:\+{2}|-{2})\).{1,100}(?P=opt)\(\).{1,300}let\s*(?P<leaked_stack_obj>[A-Za-z0-9_-]{1,20})\s*=\s*null.{1,100}let\s*(?P<obj_proto>[A-Za-z0-9_-]{1,20})\s*=\s*\(\{\}\)\.__proto__\x3b.{1,300}(?P=obj_proto)\.__defineGetter__\([\x22\x27](?P=x_prop)[\x22\x27],\s*Error\.prototype\.toString\)\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=obj_proto)\.__defineGetter__\([\x22\x27](?P<message_proto>[A-Za-z0-9_-]{1,20})[\x22\x27].{1,300}delete\s*(?P=obj_proto)\.(?P=message_proto)\x3b.{1,300}(?P=obj_proto)\.\w+\s*=\s*Array\.prototype.{1,300}(?P=opt)/Rs"; content:"|28 7b 7d 29|.__proto__"; fast_pattern; content:"Error.prototype.toString"; reference:cve,2019-0568; classtype:attempted-admin; sid:2033775; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2019_0568, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:exploit-kit; sid:2020496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M1 (CVE-2018-8617)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<func_opt>[\w-]{1,20})\((?P<var_a>[\w-]{1,20})\s*,\s*(?P<var_b>[\w-]{1,20}).{1,300}(?:(?P=var_a)\.(?P=var_b)|(?P=var_b)\.(?P=var_a))\s*=\s*\d+\x3b\s*(?:(?P=var_a)|(?P=var_b))\.push\(\d+\)\x3b\s*(?:(?P=var_a)\.(?P=var_a)|(?P=var_b)\.(?P=var_b))\s*=\s*0x.{1,300}Object\.prototype\.push\s*=\s*Array\.prototype\.push\x3b\s*for\s*\(\s*let\s*(?P<counter>[\w-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=counter)(?:\+{2}|-{2})\).{1,300}let\s*(?:(?P=var_a)|(?P=var_b))\s*=\s*\{(?:(?P=var_a):\s*\d+\s*,\s*(?P=var_b):\s*\d+|(?:(?P=var_b):\s*\d+\s*,\s*(?P=var_a):\s*\d+))\}\x3b.{1,300}(?P=func_opt)\((?:(?P=var_a)|(?P=var_b)),\s*\{\}.{1,300}let\s*(?P<var_o>[\w-]{1,20})\s*=\s*\{(?:(?P=var_a):\s*\d+\s*,\s*(?P=var_b):\s*\d+|(?:(?P=var_b):\s*\d+\s*,\s*(?P=var_a):\s*\d+))\}.{1,300}(?P=func_opt)\((?P=var_o)/Rs"; content:"Object.prototype.push = Array.prototype.push"; fast_pattern; content:".push|28|"; reference:cve,2018-8617; classtype:attempted-admin; sid:2033782; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2018_8617, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; classtype:exploit-kit; sid:2020367; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - NewScObjectNoCtor InitProtoType Confusion Inbound (CVE-2019-0567)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<func_a>[\w-]{1,20})\((?P<obj1>[\w-]{1,20})\s*,\s*(?P<tmp_obj>[\w-]{1,20})\s*,\s*(?P<value>[\w-]{1,20})\).{1,300}(?P=obj1)\.\w+\s*=\s*\d+\.\d+\x3b\s*var\s*\w+\s*=\s*\{__proto__:\s*(?P=tmp_obj)\}\x3b\s*(?P=obj1)\.\w+\s*=\s*(?P=value)\x3b.{1,300}var\s*(?P=obj1)\s*=\s*\{\w+:\s*\d+\.\d+\s*,\s*\w+:\s*\d+\.\d+\}\x3b\s*for\s*\(\s*var\s*(?P<counter>[\w-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=counter)(?:\+{2}|-{2})\)\s*\{\s*(?P=func_a)\((?P=obj1)\s*,\s*(\x22{2}|\x27{2})\s*,\s*(\x22{2}|\x27{2})\)\x3b.{1,300}(?P=func_a)\((?P=obj1)\s*,\s*(?P=obj1)\s*,\s*\d+\.\d{8,}.{1,300}eval\((?P=obj1)\./Rs"; content:" = |7b|__proto__|3a|"; fast_pattern; content:"eval|28|"; reference:cve,2019-0567; classtype:attempted-admin; sid:2033783; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2019_0567, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Unknown EK HFS CVE-2014-6332"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; fast_pattern; file_data; content:"Wscript.Shell"; content:"Microsoft.XMLHTTP"; content:"ADODB.Stream"; content:"cmd.exe"; classtype:exploit-kit; sid:2020498; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Prestashop Orderfiles Module Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; startswith; nocase; content:"module=orderfiles"; nocase; content:"controller=filesmanager"; nocase; fast_pattern; http.request_body; content:"addfile"; nocase; content:"file|5b|"; nocase; classtype:attempted-admin; sid:2033826; rev:1; metadata:attack_target Server, created_at 2021_08_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown EK Landing"; flow:established,from_server; content:"|64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b|"; content:"|3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65|"; distance:0; content:"|2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22|"; distance:0; classtype:exploit-kit; sid:2020501; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Prestashop Supercheckout Module Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; startswith; nocase; content:"module=supercheckout"; nocase; content:"controller=supercheckout"; nocase; content:"method=SaveFilesCustomField"; nocase; fast_pattern; http.request_body; content:"custom_fields|5b|"; nocase; classtype:attempted-admin; sid:2033827; rev:1; metadata:attack_target Server, created_at 2021_08_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_27;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET DELETED Microsoft Access database error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"JET Database Engine"; fast_pattern:only; classtype:web-application-attack; sid:2020502; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange - Information Disclosure flowbit set (CVE-2021-33766)"; flow:established,to_server; http.uri; content:"/ecp/"; nocase; fast_pattern; http.cookie; content:"SecurityToken="; flowbits:set,ET.proxytoken; reference:cve,2021-33766; classtype:attempted-admin; sid:2033834; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_33766, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange - InboxRules.svc Access Observed Following Successful ProxyToken Attack"; flow:established,to_server; http.uri; content:"/ecp/"; nocase; content:"RulesEditor/InboxRules.svc/"; fast_pattern; content:"?msExchEcpCanary="; xbits:isset,ET.proxytoken.500,track ip_src,expire 30; classtype:attempted-admin; sid:2033836; rev:1; metadata:attack_target Server, created_at 2021_08_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formRebootCheck/formWsc Stack Buffer Overflow Inbound (CVE-2021-35392)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/"; pcre:"/^form(RebootCheck|Wsc)$/R"; http.request_body; content:"submit-url="; fast_pattern; isdataat:2000,relative; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35392; classtype:attempted-user; sid:2033837; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35392, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlException (0x"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020508; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formStaticDHCP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formStaticDHCP"; endswith; fast_pattern; http.request_body; content:"hostname="; pcre:"/^[^&]{42,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033841; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid MySQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020509; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlanMultipleAP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlanMultipleAP"; endswith; fast_pattern; http.request_body; content:"submit-url="; pcre:"/^[^&]{512,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033842; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlClient."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020510; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.uri; content:"/upnp/"; http.header; content:"Callback|3a 20 3c|http"; fast_pattern; pcre:"/^Callback\x3a\x20\x3chttp[^\x3a]+\x3a\d{1,5}[^\/]/Hmi"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033843; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"com.mysql.jdbc.exceptions"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020511; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033845; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"PostgreSQL"; fast_pattern; content:"ERROR"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020512; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%22%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033846; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"Wpg_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020513; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%27%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033847; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid PostgreSQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=|22 3e 3c|script|3e|"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033848; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Npgsql."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020515; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Microsoft Exchange - Successful msExchEcpCanary Disclosure (CVE-2021-33766)"; flow:established,from_server; http.stat_code; content:"500"; http.cookie; content:"msExchEcpCanary="; fast_pattern; flowbits:isset,ET.proxytoken; flowbits:unset,ET.proxytoken; xbits:set,ET.proxytoken.500,track ip_src,expire 30; reference:cve,2021-33766; classtype:attempted-admin; sid:2033835; rev:2; metadata:created_at 2021_08_30, cve CVE_2021_33766, former_category EXPLOIT, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.postgresql.util.PSQLException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020516; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlSiteSurvey Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlSiteSurvey"; fast_pattern; endswith; http.request_body; content:"ifname="; pcre:"/^[^&]{90,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033838; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ERROR|3a 20 20|syntax error at or near"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020517; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; endswith; http.request_body; content:"sysCmd="; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033839; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Driver"; fast_pattern; pcre:"/^ SQL[-_ ]Server/R"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020518; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Injection Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWsc"; fast_pattern; endswith; http.request_body; content:"peerPin="; content:"|3b|"; distance:0; within:50; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033840; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"OLEDB"; fast_pattern; content:"|20|SQL Server"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WebSVN 2.6.0 OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|"; fast_pattern; reference:cve,2021-32305; classtype:attempted-admin; sid:2033849; rev:1; metadata:attack_target Server, created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mssql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020521; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M1"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"r|00|u|00|n|00|C|00|o|00|m|00|m|00|a|00|n|00|d"; fast_pattern; classtype:attempted-admin; sid:2033850; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"System.Data.SqlClient."; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020523; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M1"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"runCommand"; fast_pattern; classtype:attempted-admin; sid:2033851; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"Roadhouse.Cms"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020524; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M2"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"g|00|e|00|t|00|R|00|u|00|n|00|t|00|i|00|m|00|e"; fast_pattern; classtype:attempted-admin; sid:2033852; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Microsoft Access"; fast_pattern; pcre:"/^ \d+ Driver/R"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020525; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M2"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"getRuntime"; fast_pattern; classtype:attempted-admin; sid:2033853; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"JET Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020526; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".|00|e|00|x|00|e|00|c|00 28|"; fast_pattern; classtype:attempted-admin; sid:2033854; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Access Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020527; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".exec|28|"; fast_pattern; classtype:attempted-admin; sid:2033855; rev:1; metadata:created_at 2021_08_31, former_category EXPLOIT, updated_at 2021_08_31;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ORA-"; fast_pattern:only; pcre:"/ORA-\d{4}/"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020528; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; threshold:type threshold, track by_dst, count 10, seconds 30; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033893; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_02;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; content:"|ec 19 0e 80 01|"; distance:0; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033894; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_02;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_07;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SWNetPerfMon.db.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"CLI Driver"; fast_pattern:only; pcre:"/CLI Driver.*DB2/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020533; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web.config.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031459; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"DB2 SQL error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020534; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ImageMagick Malformed SVG Upload Leading to RCE"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|svg|20|"; content:"|28|%pipe%/"; fast_pattern; content:"/|3b|"; distance:0; within:100; classtype:attempted-admin; sid:2033933; rev:1; metadata:attack_target Server, created_at 2021_09_13, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"bdb2_"; fast_pattern:only; pcre:"/bdb2_\w+\(/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M1 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"domains=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033934; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Informix error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; content:"Informix"; fast_pattern; pcre:"/Exception.*Informix/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020536; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M2 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"clients=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033935; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteScript"; fast_pattern; nocase; content:"|3c|p|3a|Script|3e|"; nocase; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033952; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_15, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_15;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteShellCommand"; fast_pattern; nocase; content:"|3c|p|3a|command|3e|"; nocase; reference:url,github.com/horizon3ai/CVE-2021-38647/blob/main/omigod.py; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033968; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_16, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite/JDBCDriver"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno CVE-2021-41314 (new line injection)"; http.method; content:"POST"; http.uri; content:"/cgi/set.cgi?cmd=home_loginAuth"; fast_pattern; http.request_body; content:"_ds="; content:"pwd="; distance:0; pcre:"/^[^&\x0d\r]+[\n\x0a]/R"; reference:url,gynvael.coldwind.pl/?id=742; reference:cve,2021-41314; classtype:attempted-dos; sid:2033969; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_16;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite.Exception"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jbossmq-httpil/HTTPServerILServlet"; fast_pattern; http.request_body; content:"|AC ED 00|"; reference:url,www.programmersought.com/article/1033574325/; reference:cve,2017-7504; classtype:attempted-admin; sid:2033985; rev:1; metadata:attack_target Server, created_at 2021_09_17, cve CVE_2017_7504, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_17;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"System.Data.SQLite.SQLiteException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561_CVE_2021_27562, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_20;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"SQLite3|3a 3a|"; fast_pattern; distance:0; pcre:"/Warning.*SQLite3::/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020543; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WP Download From Files Plugin <= 1.48 Arbitrary File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; bsize:4; http.uri; content:"/wp-admin/admin-ajax.php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|files[]|22 3b 20|filename=|22|"; content:"<?"; content:"download_from_files_617_fileupload"; fast_pattern; reference:url,cxsecurity.com/issue/WLB-2021090097; classtype:attempted-admin; sid:2033989; rev:1; metadata:created_at 2021_09_20, former_category EXPLOIT, updated_at 2021_09_20;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[SQLITE_ERROR]"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA XSS Attempt (CVE-2020-3580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/+CSCOE+/saml/sp/acs?tgname="; fast_pattern; http.request_body; content:"=|22|><"; reference:url,twitter.com/ptswarm/status/1408050644460650502; reference:cve,2020-3580; classtype:web-application-attack; sid:2033994; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2021_09_21, cve CVE_2020_3580, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_21;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL error"; fast_pattern; content:"POS("; distance:0; pcre:"/SQL error.*POS\([0-9]+\)/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M2 (CVE-2018-8617)"; flow:established,from_server; file_data; content:"function"; pcre:"/^\s*(?P<func_a>[\w\-]{1,20})\((?P<obj_1>[\w\-]{1,20})\s*,\s*(?P<obj_2>[\w\-]{1,20}).{1,300}(?P=obj_1)\.(?P<prop_2>[\w\-]{1,20})\s*=\s*\d+(?:\.\d+)?.{1,300}?(?P=obj_2)\.pop\(\).{1,300}?(?P=obj_1)\.(?P<prop_1>[\w\-]{1,20})\s*=\s*\d+(?:\.\d+)?.{1,500}Object\.prototype\.p(op|ush)\s*=\s*Array\.prototype\.p(op|ush)\x3b.{1,500}var\s*(?P<obj_3>[\w\-]{1,20})\s*=\s*\{\s*(?P=prop_1)\s*\x3a\s*\d+(?:\.\d+)?\s*,\s*(?:(?P=prop_2)\s*\x3a\s*\d+(?:\.\d+)?|(?P=prop_2)\s*\x3a\s*\d+(?:\.\d+)?\s*,\s*(?P=prop_1)\s*\x3a\s*\d+(?:\.\d+)).{1,500}(?P=func_a)\(\s*(?:(?P=obj_3)\s*,\s*new\s*Object\(\)|\s*new\s*Object\(\)\s*,\s*(?P=obj_3)\s*).{1,500}?(?P=func_a)\((?P=obj_3)/Rsi"; content:"Object.prototype.p"; content:"|20|=|20|Array.prototype.p"; fast_pattern; reference:cve,2018-8617; classtype:attempted-admin; sid:2034004; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_21, cve CVE_2018_8617, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_21;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"maxdb"; fast_pattern; distance:0; pcre:"/Warning.*maxdb/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fgt_lang?lang="; fast_pattern; content:"|2e 2e 2f|"; distance:0; reference:url,devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/; reference:url,github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py; reference:cve,2018-13379; classtype:attempted-admin; sid:2034005; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2021_09_22, cve CVE_2018_13379, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sybase"; fast_pattern; distance:0; pcre:"/i?Warning.*sybase/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020547; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033856; rev:3; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020548; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033857; rev:2; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase Server message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020549; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno Vulnerability (post-auth shell injection)"; http.method; content:"POST"; http.uri; content:"/set.cgi?cmd=diag_traceroute"; fast_pattern; http.request_body; content:"&hostname="; pcre:"/^[^&\r\n]+(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:url,gynvael.coldwind.pl/?id=742; classtype:attempted-admin; sid:2033971; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ingres_"; fast_pattern; distance:0; pcre:"/Warning.*ingres_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020550; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno Vulnerability (fake packet upload)"; http.method; content:"POST"; http.uri; content:"/cgi/get.cgi?cmd=home_login"; http.content_type; content:"multipart/form-data"; http.content_len; byte_test:0,>=,300000000,0,string,dec; reference:url,gynvael.coldwind.pl/?id=742; classtype:attempted-admin; sid:2033970; rev:3; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sqlite_"; fast_pattern; distance:0; pcre:"/Warning.*sqlite_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020542; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/diag/diag.cgi"; fast_pattern; content:"&options="; distance:0; content:"-r"; distance:0; reference:url,packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html; reference:url,packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html; reference:cve,2019-11539; classtype:attempted-admin; sid:2034014; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_09_23, cve CVE_2019_11539, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_09_23;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres SQLSTATE"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020551; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nagiosxi/includes/components/autodiscovery/?mode=newjob"; fast_pattern; http.request_body; content:"job=|2e 2e 2f|"; reference:url,claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/; reference:cve,2021-37343; classtype:attempted-admin; sid:2034017; rev:1; metadata:affected_product Nagios, attack_target Server, created_at 2021_09_23, cve CVE_2021_37343, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_09_23;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres"; fast_pattern; content:"Driver"; distance:0; pcre:"/Ingres\W.*Driver/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020552; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.aspx"; content:"id=../"; fast_pattern; content:"bp="; content:"accountid="; reference:url,codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html; reference:cve,2021-22941; classtype:attempted-admin; sid:2034033; rev:1; metadata:attack_target Server, created_at 2021_09_27, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_27;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frontbase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception (condition )"; content:". Transaction rollback."; fast_pattern; distance:0; pcre:"/Exception (condition )\d+\. Transaction rollback\./m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020553; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter RCE Exploitation Attempt M2 (CVE-2021-22005)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&_i=."; content:"../../"; fast_pattern; reference:cve,2021-22005; classtype:attempted-admin; sid:2034037; rev:1; metadata:attack_target Server, created_at 2021_09_28, cve CVE_2021_22005, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_28;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HSQLDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.hsqldb.jdbc"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M1 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3b"; distance:0; pcre:"/^(?:%[a-f0-9]{2}){5,}/R"; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034043; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2; metadata:created_at 2015_02_24, updated_at 2015_02_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M2 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3bimport|20|"; distance:0; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034044; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020561; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (web.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/WEB-INF/web.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034150; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020562; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (seraph-config.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/WEB-INF/classes/seraph-config.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034151; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020559; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.properties) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034152; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes ActiveX Call"; flow:established,from_server; file_data; content:"var version|3b|var ax|3b|var e|3b|try{axo=new ActiveXObject"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag ActiveX, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034153; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020558; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=set_metric_gw_selections&account_name="; fast_pattern; content:"../../"; distance:0; within:10; content:"&data="; reference:cve,2021-40870; classtype:attempted-admin; sid:2034159; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_40870, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020564; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible EyesOfNetwork Remote File Upload with PHP WebShell Inbound (CVE-2021-27513)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/admin_itsm/ajax.php"; http.request_body; content:"|0d 0a 0d 0a|<?php"; fast_pattern; content:"name=|22|itsm_type_request|22|"; distance:0; reference:cve,2021-27513; classtype:attempted-admin; sid:2034160; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_27513, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:1; metadata:created_at 2015_02_25, former_category TROJAN, updated_at 2017_12_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT RUIJIE NBR/RGNBR Command Injection Attempt Inbound M1"; flow:established,to_server; http.uri; content:"/wget_test.asp?"; fast_pattern; content:"="; distance:0; within:5; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2034161; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020567; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT RUIJIE NBR/RGNBR Command Injection Attempt Inbound M2"; flow:established,to_server; http.uri; content:"/wget_test.asp?"; fast_pattern; http.uri.raw; content:"="; pcre:"/^%(?:3b|0a|26|60|7C|24)/R"; classtype:attempted-admin; sid:2034162; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET MALWARE Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)"; flow:established,to_server; content:"|eb 32 90 90 7f a6 38 7c|"; fast_pattern; content:"|20|HTTP/"; distance:0; content:"|0d 0a 0d 0a|"; distance:3; within:4; reference:cve,2019-16724; classtype:attempted-admin; sid:2034092; rev:2; metadata:attack_target Server, created_at 2021_10_01, cve CVE_2019_16724, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"500 Internal Server Error"; file_data; content:"OLE DB Provider for SQL Server"; fast_pattern:only; pcre:"/SQL Server.*?error \x27[0-9a-f]{8}/mi"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020522; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M1"; flow:established,to_server; content:"/.%%32%65/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"/.%%32%65/"; reference:cve,2021-42013; classtype:attempted-admin; sid:2034172; rev:2; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_42013, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-#alert tcp $EXTERNAL_NET [1024:7989,7991:] -> $HOME_NET any (msg:"ET DELETED Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007920; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M2"; flow:established,to_server; content:"/%%32%65%%32%65/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"/%%32%65%%32%65/"; reference:cve,2021-42013; classtype:attempted-admin; sid:2034173; rev:2; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_42013, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020582; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (Unassigned CVE)"; flow:established,to_server; content:"%%%25%33%32%25%36%35/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"%%%25%33%32%25%36%35/"; classtype:attempted-admin; sid:2034174; rev:2; metadata:attack_target Server, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:exploit-kit; sid:2020584; rev:3; metadata:created_at 2015_03_03, former_category EXPLOIT_KIT, updated_at 2015_03_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/set_ftp.cgi?"; fast_pattern; content:"loginuse="; content:"next_url=ftp.htm"; content:"loginpas="; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:attempted-admin; sid:2030309; rev:4; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2021_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Scam - FakeAV Alert Request March 2 2015"; flow:established,to_server; content:"afid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&Expires="; distance:0; http_uri; content:"&Signature="; distance:0; http_uri; content:"&Key-Pair-Id="; distance:0; http_uri; classtype:social-engineering; sid:2020587; rev:2; metadata:created_at 2015_03_03, updated_at 2015_03_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webhooks/aws"; nocase; fast_pattern; http.request_body; content:"|22|SubscribeURL|22 20 3a 20 22 7c|"; nocase; content:"|22|Signature|22 3a|"; nocase; reference:url,0day.click/recipe/discourse-sns-rce/; reference:cve,2021-41163; classtype:attempted-admin; sid:2034252; rev:1; metadata:attack_target Server, created_at 2021_10_25, cve CVE_2021_41163, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (12)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Shiro 1.2.4 Cookie RememberME Deserial RCE (CVE-2016-4437)"; flow:established,to_server; http.cookie; content:"rememberMe="; startswith; fast_pattern; bsize:>125; reference:url,issues.apache.org/jira/browse/SHIRO-550; reference:cve,2016-4437; classtype:attempted-admin; sid:2034256; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2016_4437, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (13)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 37777 (msg:"ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)"; flow:established,to_server; http.cookie; content:"|62 00 00 00|"; startswith; content:"Protocol|3a 20|"; distance:0; fast_pattern; content:"|0d 0a|"; distance:200; reference:url,www.exploit-db.com/exploits/48304; reference:cve,2016-4437; reference:cve,2020-5735; classtype:attempted-admin; sid:2034257; rev:2; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_5735, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (14)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8983 (msg:"ET EXPLOIT Apache Solr RCE via Velocity Template M1 (CVE-2019-17558)"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; content:"/solr/test/config"; nocase; endswith; http.request_body; content:"solr.VelocityResponseWriter"; nocase; fast_pattern; content:"params.resource.loader.enabled"; nocase; pcre:"/[^\r\n]*true/Ri"; reference:url,www.exploit-db.com/exploits/48338; reference:cve,2019-17558; classtype:attempted-admin; sid:2034258; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_17558, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (15)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8983 (msg:"ET EXPLOIT Apache Solr RCE via Velocity Template M2 (CVE-2019-17558)"; flow:established,to_server; http.method; content:"GET"; bsize:3; http.uri; content:"/select"; nocase; endswith; content:"wt=velocity"; nocase; distance:0; content:"v.template=custom"; nocase; content:"v.template.custom="; nocase; fast_pattern; reference:url,www.exploit-db.com/exploits/48338; reference:cve,2019-17558; classtype:attempted-admin; sid:2034259; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_17558, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020595; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8080 (msg:"ET EXPLOIT Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution (CVE-2020-12133)"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; pcre:"/\x2f(?:FURUKAWA|APROS)\x2f/i"; http.request_body; content:"javax.faces.ViewState"; nocase; fast_pattern; content:"|3a|"; distance:0; content:"|22|"; distance:0; reference:url,packetstormsecurity.com/files/157383/Furukawa-Electric-ConsciusMAP-2.8.1-Java-Deserialization-Remote-Code-Execution.html; reference:cve,2020-12133; classtype:attempted-admin; sid:2034260; rev:2; metadata:created_at 2021_10_27, cve CVE_2020_12133, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (17)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020596; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8090 (msg:"ET EXPLOIT Confluence Server Path Traversal Vulnerability (CVE-2019-3398)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"plugins/drag-and-drop/upload.action"; nocase; fast_pattern; content:"draftId="; nocase; distance:0; content:"filename="; nocase; content:"/shell.jsp"; nocase; content:"atl_token"; nocase; http.request_body; content:"<%"; reference:url,github.com/superevr/cve-2019-3398/blob/master/poc.py; reference:cve,2019-3398; classtype:attempted-admin; sid:2034261; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_3398, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (18)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020597; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M1 (CVE-2020-3452)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/translation-table?"; nocase; fast_pattern; content:"type=mst"; content:"textdomain="; content:"&lang="; content:"|2e 2e|"; reference:url,twitter.com/aboul3la/status/1286012324722155525; reference:cve,2020-3452; classtype:attempted-admin; sid:2034262; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_3452, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (19)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M2 (CVE-2020-3452)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem-customization?"; nocase; fast_pattern; content:"app=AnyConnect"; nocase; content:"type=oem"; nocase; content:"platform="; nocase; content:"resource-type="; nocase; content:"name="; nocase; content:"|2e 2e|"; reference:url,twitter.com/aboul3la/status/1286141887716503553; reference:cve,2020-3452; classtype:attempted-admin; sid:2034263; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_3452, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (20)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020599; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vid="; content:"|2d 27 20|AND|20 28|SELECT|20|"; content:"|28|SELECT|28|SLEEP|28 5b|SLEEPTIME|5d 29 29 29 2d 2d|"; distance:9; fast_pattern; reference:url,"vulnerability-lab.com/get_content.php?id=2295"; classtype:trojan-activity; sid:2034270; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_27, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Blackhole eval haha"; flow:established,from_server; content:"eval(haha"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2020604; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vid="; content:"UNION|20|ALL|20|SELECT|20|NULL|2c|NULL|2c|NULL|2c|NULL|2c|NULL|2c|NULL"; fast_pattern; distance:0; reference:url,"vulnerability-lab.com/get_content.php?id=2295"; classtype:trojan-activity; sid:2034271; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_27, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (21)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020600; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IP Phones Web Server Vulnerability (CVE-2020-3161)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/deviceconfig/setActivationCode?params="; nocase; fast_pattern; isdataat:150,relative; reference:url,github.com/tenable/poc/blob/master/cisco/ip_phone/cve_2020_3161.txt; reference:cve,2020-3161; classtype:attempted-admin; sid:2034277; rev:1; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2020_3161, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco RV320/RV325 RCE (CVE-2019-1653)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"certificate_handle2.htm"; nocase; fast_pattern; http.request_body; content:"page=self_generator.htm"; nocase; content:"common_name="; pcre:"/[^\r\n]*(?:\x60|\x24|\x7c|\bsh\b)/Ri"; reference:url,www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection; reference:cve,2019-1653; classtype:attempted-admin; sid:2034278; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_28, cve CVE_2019_1653, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_browser?lang="; nocase; fast_pattern; isdataat:100,relative; reference:url,shaqed.github.io/dlink/; reference:cve,2020-29557; classtype:attempted-admin; sid:2034280; rev:1; metadata:created_at 2021_10_28, cve CVE_2020_29557, former_category EXPLOIT, updated_at 2021_10_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020625; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 2 Inbound - Upload Malicious Config (CVE-2020-8260)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-admin/cached/config/import.cgi"; http.referer; content:"/dana-admin/cached/config/config.cgi?type=system"; fast_pattern; xbits:isset,ET.2020_8260.1,track ip_src,expire 10; xbits:set,ET.2020_8260.2,track ip_src,expire 10; noalert; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033751; rev:2; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
 
-#alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 1 Inbound - Request Config Backup (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/cached/config/config.cgi?type=system"; fast_pattern; xbits:set,ET.2020_8260.1,track ip_src,expire 10; noalert; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033750; rev:2; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; classtype:policy-violation; sid:2001443; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020647; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)"; flow:established,to_server; http.uri; content:"/login.php"; endswith; fast_pattern; http.cookie; content:"user_id="; nocase; startswith; pcre:"/^[^\r\n=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-9465; classtype:attempted-admin; sid:2034309; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_9465, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Firefox Plug-In Download"; flow:to_client,established; file_data; content:"PK|03 04|"; distance:0; content:"/addon-sdk/"; content:"|00 00|resources|2f|numberchangerfirefox|2f|PK"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020653; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2016589; rev:8; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/eurekaservice/fetchLogFiles"; endswith; fast_pattern; http.request_body; content:"instanceId"; nocase; content:"logLevel"; nocase; content:"logFileNameList"; nocase; content:"|2e 2e|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; reference:cve,2020-4430; classtype:attempted-admin; sid:2034312; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_4430, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2015927; rev:4; metadata:created_at 2012_11_27, updated_at 2012_11_27;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT GoCD Authentication Bypass URI Path - add-on"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add-on/"; nocase; fast_pattern; content:"pluginName="; content:"|2e 2e 2f|"; distance:0; within:5; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034331; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:exploit-kit; sid:2014917; rev:4; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT GoCD Authentication Bypass Successful Leak"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"agentAutoRegisterKey="; nocase; fast_pattern; content:"webhookSecret="; nocase; content:" tokenGenerationKey="; nocase; flowbits:isset,ET.gocd.auth; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034333; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:exploit-kit; sid:2014916; rev:3; metadata:created_at 2012_06_19, updated_at 2012_06_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows VBScript Engine VbsErase Memory Corruption (CVE-2019-0667)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"Class|20|"; pcre:"/^(?P<class>[A-Z0-9_-]{1,20})\s*.*?(?P<var>[A-Z0-9_-]{1,15})\s*=\s*(?:&amp\x3b|0x|\\x|&?h)*\d{8}\s*.*?(?:ReDim|Dim)\s*(?P=var)\(\d{4,20}\).*?set\s*(?P=var)\(\d+\)\s*=\s*new\s*(?P=class).*?Erase\s*(?P=var).*?Erase\s*(?P=var)/Rsi"; content:"Erase|20|"; fast_pattern; content:"Dim|20|"; reference:cve,2019-0667; classtype:attempted-admin; sid:2033733; rev:4; metadata:attack_target Server, created_at 2021_08_13, cve CVE_2019_0667, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_03;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Vanguard v2.1 (Search) POST Inject Web Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"phps_query|3d 22 3e 25 32 30 3c|iframe src="; startswith; fast_pattern; content:"onload="; distance:0; content:"|29 3e 26|phps_search|3d 3b 29|"; endswith; reference:url,exploit-db.com/exploits/50491; classtype:attempted-admin; sid:2034354; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_05, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_05;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 06|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020635; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)"; flow:established,to_server; http.uri; content:"/./RestAPI/"; startswith; fast_pattern; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034362; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 08|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020636; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; distance:0; within:30; content:"|20|name=|22|Save|22|"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034363; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; distance:0; within:30; content:"|20|name=|22|Save|22|"; content:"filename=|22|"; pcre:"/^[^\x22]+\.jsp\x22/R"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034364; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET DELETED FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020658; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/Connection"; http.request_body; content:"methodToCall=openSSLTool"; nocase; content:"+-providerclass"; fast_pattern; content:"+-providerpath"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034365; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"mt-xmlrpc.cgi"; fast_pattern; http.request_body; content:"<?"; content:"<base64>"; distance:0; base64_decode:offset 0,relative; base64_data; content:"|60|"; startswith; reference:cve,2021-20837; classtype:attempted-admin; sid:2034366; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_20837, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Engineers Online Portal System Webshell Upload (CVE-2021-42669)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"teacher_avatar.php"; fast_pattern; http.request_body; content:"<?php"; reference:cve,2021-42669; classtype:attempted-admin; sid:2034453; rev:1; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_42669, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Engineers Online Portal System Access Control Bypass (CVE-2021-42671)"; flow:established,to_server; http.uri; content:"/nia_munoz_monitoring_system/admin/uploads"; fast_pattern; reference:cve,2021-42671; classtype:attempted-admin; sid:2034454; rev:1; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_42671, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploads/user"; http.request_body; content:"Content-Type|3a 20|image/jpeg"; content:"DJVMDIRM|00|"; content:"DJVIANT"; content:"|7b|"; content:"|7d|"; distance:0; within:400; reference:cve,2021-22205; classtype:attempted-admin; sid:2034455; rev:2; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_22205, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 26|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020677; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HNAP1/"; nocase; http.header; content:"SOAPAction|3a 20 22|http|3a 2f 2f|purenetworks|2e|com|2f|HNAP1|2f|GetDeviceSettings|2f 60|"; fast_pattern; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; classtype:attempted-admin; sid:2034491; rev:2; metadata:created_at 2021_11_17, cve CVE_2015_2051, updated_at 2021_11_17;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 27|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020678; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted IDSVSE IP Camera RCE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ctrl.cgi?language=ie&sntpip="; startswith; content:"uname"; distance:0; content:"telnet"; distance:0; content:"&timezone="; content:"&timezone=13&setdaylight=0&timeformat=2&tstampformat=2"; reference:url,en.0day.today/exploit/27569; classtype:attempted-admin; sid:2034480; rev:1; metadata:created_at 2021_11_17, former_category EXPLOIT, updated_at 2021_11_17;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 28|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020679; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - XR300 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|b7 05 00|"; content:"|e0 e7 02|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034493; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_18;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 29|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020680; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - R6700V3 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|d0|j|06 00|"; content:"|81 01 00|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034494; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_18;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2A|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020681; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"_vti_bin"; content:"/webpartpages.asmx"; endswith; http.request_body; content:"<?xml"; content:"System.Diagnostics.Process.Start"; fast_pattern; reference:url,dl.packetstormsecurity.net/2003-exploits/sharepoint_workflows_xoml.rb.txt; reference:cve,2020-0646; classtype:attempted-admin; sid:2034509; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_0646, former_category EXPLOIT, updated_at 2021_11_18;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020682; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-1147)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"__SUGGESTIONSCACHE__"; fast_pattern; content:"<DataSet"; nocase; distance:0; content:"System.Data.Services.Internal.ExpandedWrapper"; nocase; distance:0; reference:url,srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html; reference:cve,2020-1147; classtype:attempted-admin; sid:2034510; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_1147, updated_at 2021_11_18;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020672; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Delete User Configuration - xbit set 1 (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|DeleteUserConfiguration>"; xbits:set,ET.2021.42321.1,track ip_src,expire 30; noalert; reference:cve,2021-42321; classtype:attempted-admin; sid:2034519; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Create User Configuration - xbit set 2 (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|CreateUserConfiguration>"; content:"|3a|UserConfiguration>"; content:"|3a|BinaryData>"; base64_decode:offset 0, relative; base64_data; content:"|00|"; depth:10; xbits:isset,ET.2021.42321.1,track ip_src,expire 30; xbits:unset,ET.2021.42321.1,track ip_src,expire 30; xbits:set,ET.2021.42321.2,track ip_src,expire 30; noalert; reference:cve,2021-42321; classtype:attempted-admin; sid:2034520; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Server Remote Code Execution Inbound (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|GetClientAccessToken>"; content:"|3a|TokenRequests>"; xbits:isset,ET.2021.42321.2,track ip_src,expire 30; xbits:unset,ET.2021.42321.2,track ip_src,expire 30; reference:cve,2021-42321; classtype:attempted-admin; sid:2034521; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020689; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fpui/uploadConfigServlet?fileNumber="; nocase; fast_pattern; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034530; rev:1; metadata:attack_target Server, created_at 2021_11_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:exploit-kit; sid:2017976; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI <= 5.6.5 Privesc (CVE-2019-15949)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; pcre:"/^[\s\x22\x27]*upload\b/Ri"; content:"name="; distance:0; pcre:"/^[\s\x22\x27]*uploadedfile\b/Ri"; content:"filename="; distance:0; pcre:"/^[\s\x22\x27]*check_ping\b/Ri"; content:"check_ping"; nocase; fast_pattern; reference:url,github.com/jakgibb/nagiosxi-root-rce-exploit/blob/master/exploit.php; reference:cve,2019-15949; classtype:attempted-admin; sid:2034535; rev:1; metadata:attack_target Server, created_at 2021_11_23, cve CVE_2019_15949, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_23;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012089; rev:2; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2017_09_08;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server SSRF (CVE-2021-40438)"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/?unix|3a|"; nocase; fast_pattern; content:"|7c|http"; reference:cve,2021-40438; classtype:attempted-admin; sid:2034566; rev:2; metadata:attack_target Server, created_at 2021_11_30, cve CVE_2021_40438, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020697; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Edgewater Networks Edgemarc Blind Command Injection Attempt (CVE-2017-6079)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config?page=50&form=mainForm"; nocase; fast_pattern; reference:url,github.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/blob/master/CVE-2017-6079.py; reference:cve,2017-6079; classtype:attempted-admin; sid:2034575; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_12_01, cve CVE_2017_6079, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:exploit-kit; sid:2020698; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Code Execution"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; fast_pattern; startswith; content:"&curpath=/&currentsetting.htm=1"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2034576; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2021_12_02, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:from_server,established; file_data; content:"|7b 5c|rt"; within:4; flowbits:set,ETPRO.RTF; flowbits:noalert; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"document.getelementbyid|28|"; nocase; content:".scroll"; nocase; fast_pattern; content:"Set"; nocase; pcre:"/^\s*(?P<obj>[\w\-]{1,20})\s*=\s*document\.getElementById\(.{1,500}Class\s*(?P<class>[\w\-]{1,20}).{1,500}End\s*Class.{1,500}set\s*(?P=obj)\.scroll((Left|Top)(Max)?|Height|Width)\s*=\s*New\s*(?P=class)/Rsi"; reference:cve,2019-0752; classtype:attempted-user; sid:2034578; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, cve CVE_2019_0752, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, tag Exploit, updated_at 2021_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT MWI Maldoc Exploit Kit Stats Callout"; flow:established,from_server; flowbits:isset,ETPRO.RTF; file_data; content:"INCLUDEPICTURE "; pcre:"/^\s*?[\x22\x27][^\x22\x27]+\.php\?id=\d+[\x22\x27]/Rs"; classtype:exploit-kit; sid:2020700; rev:2; metadata:created_at 2015_03_16, former_category EXPLOIT_KIT, updated_at 2015_03_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter Unauthorized File Read Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=file|3a|"; classtype:attempted-admin; sid:2034582; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; content:"|0f|torpig-sinkhole|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:7; metadata:created_at 2012_10_18, updated_at 2012_10_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter SSRF Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=http"; classtype:attempted-admin; sid:2034583; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt"; flow:established,to_server; content:"POST /"; depth:6; content:"search"; distance:0; content:"script_fields"; distance:0; nocase; content:".class.forName"; nocase; distance:0; content:"java.lang.Runtime"; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ANTa|00 00|"; fast_pattern; pcre:"/[^\r\n]*\x5c(?:n|c)[^\r\n]{0,100}[\x60\x24]/Ri"; reference:url,blogs.blogs.blackberry.com/en/2021/06/from-fix-to-exploit-arbitrary-code-execution-for-cve-2021-22204-in-exiftool; classtype:attempted-admin; sid:2034626; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_07, cve CVE_2021_22204, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; fast_pattern; content:!".msi"; content:!".img"; content:!"This program cannot"; classtype:exploit-kit; sid:2014099; rev:6; metadata:created_at 2012_01_04, former_category EXPLOIT_KIT, updated_at 2012_01_04;)
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS-Officecmd Remote Code Execution Attempt"; flow:established,to_client; file.data; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern; content:"filename"; nocase; distance:0; content:"|2d 2d|gpu|2d|launcher|3d|"; nocase; distance:0; reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-user; sid:2034627; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:exploit-kit; sid:2020725; rev:2; metadata:created_at 2015_03_21, updated_at 2015_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/SDK/webLanguage"; bsize:16; fast_pattern; http.request_body; content:"|3c|language|3e|"; nocase; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/CVE-2021-36260.py; reference:url,watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:cve,2021-36260; classtype:attempted-admin; sid:2034630; rev:2; metadata:affected_product IP_Camera, attack_target Networking_Equipment, created_at 2021_12_08, cve CVE_2021_36260, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:exploit-kit; sid:2020726; rev:2; metadata:created_at 2015_03_23, updated_at 2015_03_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [CISA AA21-336A] Zoho ManageEngine ServiceDesk Possible Exploitation Activity (CVE-2021-44077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/ImportTechnicians"; fast_pattern; http.request_body; content:"filename=|22|msiexec.exe|22|"; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-336a; reference:cve,2021-44077; reference:url,attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis; classtype:attempted-admin; sid:2034577; rev:2; metadata:attack_target Server, created_at 2021_12_03, cve CVE_2021_44077, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:command-and-control; sid:2019172; rev:4; metadata:created_at 2014_08_19, former_category MALWARE, updated_at 2014_08_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2020730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020735; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020743; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:exploit-kit; sid:2020744; rev:3; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020745; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:2; metadata:created_at 2015_03_26, former_category CURRENT_EVENTS, updated_at 2015_03_26;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)"; flow:established,to_server; http.request_line; content:"POST /cgi?2"; startswith; fast_pattern; http.request_body; content:"|5b|IPPING|5f|DIAG|23|"; nocase; content:"host="; distance:0; nocase; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,k4m1ll0.com/cve-2021-41653.html; reference:url,www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; reference:cve,2021-41653; classtype:attempted-admin; sid:2034677; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_12_11, cve CVE_2021_41653, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020802; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034667; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017666; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034668; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020807; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034676; rev:1; metadata:attack_target Server, created_at 2021_12_13, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020808; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034699; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020809; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034659; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:exploit-kit; sid:2020832; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034660; rev:3; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020836; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034671; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019845; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034672; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019846; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034700; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Payload"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; classtype:exploit-kit; sid:2019873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034701; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034702; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
+#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034703; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3460 (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Init"; flow:established,to_server; dsize:256; flowbits:set,ET.Poison1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008380; classtype:command-and-control; sid:2008380; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034706; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET 3460 -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Response"; flow:established,from_server; dsize:256; flowbits:isset,ET.Poison1; reference:url,doc.emergingthreats.net/2008381; classtype:command-and-control; sid:2008381; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034707; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034708; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034709; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034710; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034711; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034712; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034713; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034714; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034715; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - PoisonIvy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034716; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034717; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajaxpro/"; fast_pattern; http.request_body; content:"|5f 5f|type"; content:"Object"; nocase; reference:url,twitter.com/sirifu4k1/status/1470647490; reference:cve,2021-23758; classtype:attempted-admin; sid:2034729; rev:2; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_23758, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023911; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2017_02_16;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034763; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:exploit-kit; sid:2020840; rev:2; metadata:created_at 2015_04_03, updated_at 2015_04_03;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034764; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034767; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"<soap|3A|faultstring>Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034768; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:pup-activity; sid:2003362; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Obfuscated log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|env|3a|NaN|3a|-j|7d|ndi|24 7b|env|3a|NaN|3a|"; nocase; fast_pattern; content:"|24 7b|env|3a|NaN|3a|-l|7d|dap|24|"; reference:url,twitter.com/bad_packets/status/1471253695459332102; reference:cve,2021-44228; classtype:attempted-admin; sid:2034755; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:pup-activity; sid:2000925; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034750; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:pup-activity; sid:2002820; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034751; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:pup-activity; sid:2003388; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034781; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:pup-activity; sid:2001490; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (Outbound) (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034782; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; classtype:pup-activity; sid:2001697; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034787; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:pup-activity; sid:2001396; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034788; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:pup-activity; sid:2003221; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034789; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:pup-activity; sid:2002836; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034790; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016771; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034791; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2015_04_07, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034792; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034793; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034794; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034795; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020854; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034796; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020864; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034797; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:pup-activity; sid:2000920; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034798; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034834; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET MALWARE Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)
+#alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034835; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:1; metadata:created_at 2015_04_11, updated_at 2015_04_11;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034799; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034800; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034836; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:exploit-kit; sid:2020715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034804; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_server; dsize:>68; content:"|41 00 00 00 03|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018426; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034806; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"QWRtaW5SaWdodHMy"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020903; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034807; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"FkbWluUmlnaHRzM"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020904; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle Coherence Deserialization RCE (CVE-2020-2555)"; flow:established,to_server; content:"|74 33 20 31 32 2e 32 2e 31 0a 41 53 3a 32 35 35|"; content:"javax.management.BadAttributeValueExpException"; nocase; fast_pattern; content:"weblogic.common.internal.PackageInfo"; reference:url,github.com/Y4er/CVE-2020-2555/blob/master/weblogic_t3.py; reference:url,www.zerodayinitiative.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server; reference:cve,2020-2555; classtype:attempted-admin; sid:2034780; rev:1; metadata:attack_target Server, created_at 2021_12_20, cve CVE_2020_2555, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:exploit-kit; sid:2020905; rev:2; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j Uncontrolled Recursion Lookup (CVE-2021-45105)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b 24 7b 3a 3a 2d 24 7b 3a 3a 2d 24 24 7b 3a 3a 2d|"; fast_pattern; content:"|7d 7d 7d 7d|"; distance:0; within:6; reference:cve,2021-45105; classtype:attempted-admin; sid:2034839; rev:1; metadata:created_at 2021_12_22, cve CVE_2021_45105, former_category EXPLOIT, updated_at 2021_12_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020909; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Joomla RCE (CVE-2011-5148)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; content:"filename="; distance:0; pcre:"/\.(?:(php\d{0,}|phps|pht|phtm|phtml|shtml|htaccess|phar|inc))/Ri"; content:"base64_decode"; fast_pattern; distance:0; http.content_type; content:"image/gif"; distance:0; reference:url,www.exploit-db.com/exploits/18287; reference:cve,2011-5148; classtype:attempted-admin; sid:2034850; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_30;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ELEFANTE/ElephantBeetle WebShell Access Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp"; content:"zc="; distance:0; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:web-application-attack; sid:2034861; rev:1; metadata:created_at 2022_01_10, former_category EXPLOIT, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; file_data; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Qianxin Netcom NGFW Command Injection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/directdata/direct/router"; http.request_body; content:"SSLVPN_Resource"; fast_pattern; content:"deleteImage"; content:"f8839p7rqtj"; reference:url,www.fatalerrors.org/a/national-hw-action-part-0-day-loopholes-reappear-in-2021.html; classtype:attempted-admin; sid:2034885; rev:1; metadata:created_at 2022_01_11, deployment Perimeter, former_category EXPLOIT, updated_at 2022_01_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034674; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034673; rev:3; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034786; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
 
-alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Unauthenticated File Upload Path Traversal (CVE-2021-20040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; content:"|2e 2f|"; distance:0; within:3; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20040; classtype:attempted-admin; sid:2034896; rev:1; metadata:attack_target Server, created_at 2022_01_12, cve CVE_2021_20040, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_12;)
 
-alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; http.request_body; content:"bmName="; startswith; pcre:"/^[^&]{100,}/R"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20043; classtype:attempted-admin; sid:2034897; rev:1; metadata:created_at 2022_01_12, cve CVE_2021_20043, updated_at 2022_01_12;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Windows Defender POWERLIKS Detection Bypass"; flow:established,to_client; file.data; content:"|3c 21 5b|CDATA|5b 0a|var"; content:"|20 3d 20 22|6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E2"; fast_pattern; content:"str|20 2b 3d 20|String.fromCharCode|28|parseInt"; reference:url,exploit-db.com/exploits/50654; classtype:trojan-activity; sid:2034914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/restore"; http.request_body; content:"_token="; startswith; content:"&postback=1"; content:"&login=admin"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034929; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/reset/1/"; http.request_body; content:"{"; startswith; content:"_token"; content:"postback"; content:"id"; content:"code"; content:"true"; content:"password"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034930; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (1)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; within:2048; classtype:trojan-activity; sid:2020929; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - File Upload Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/agentLogUploader?"; distance:0; content:"filename="; nocase; distance:0; pcre:"/^[a-zA-Z0-9]+\.(?:zip|7z|gz)/Ri"; content:"branchofficeid="; nocase; http.cookie; content:"STATE_COOKIE="; reference:url,attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis; reference:cve,2021-44515; classtype:attempted-admin; sid:2034957; rev:2; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (2)"; flow:established,to_client; file_data; content:"|35 8c 0c 43 e2 1c f7 e4|"; distance:40; within:8; classtype:trojan-activity; sid:2020930; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; http.uri; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:1; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (3)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; distance:32; within:8; classtype:trojan-activity; sid:2020931; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/helpdesk/assetReport"; nocase; startswith; fast_pattern; http.request_body; content:"select"; nocase; content:"password"; nocase; http.content_type; content:"text/plain"; reference:url,blog.assetnote.io/2022/01/23/solarwinds-webhelpdesk-hsql-eval-harcoded-creds/; reference:cve,2021-35232; classtype:attempted-admin; sid:2034971; rev:1; metadata:created_at 2022_01_25, cve CVE_2021_35232, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx"; content:"id"; content:"|40|"; distance:0; content:"|2e 2e 2f|"; distance:0; content:"|2e|cshtml"; distance:0; fast_pattern; content:"bp"; content:"accountid"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; reference:cve,2021-22941; classtype:attempted-admin; sid:2034972; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; distance:0; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer Overflow (CVE-2021-20038)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f 04 3f 7f 3f 18 3f 7f 3f 18 3f 7f 3f 64 3f 06 08 3b|"; startswith; fast_pattern; content:"|3b 3f|"; distance:0; bsize:>200; http.header_names; content:!"Referer"; reference:url,psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026; reference:cve,2021-20038; classtype:attempted-admin; sid:2034970; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2022_01_25, cve CVE_2021_20038, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_21, former_category MALWARE, updated_at 2015_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible vRealize Operations Manager API SSRF Attempt (CVE-2021-21975)"; flow:established,to_server; http.request_line; content:"POST /casa/nodes/thumbprints HTTP/1.1"; fast_pattern; http.request_body; content:"|5b|"; http.content_type; content:"application/json|3b|charset=UTF-8"; bsize:30; reference:cve,2021-21975; classtype:attempted-admin; sid:2034974; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21975, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%64%b8%06%08"; distance:0; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034984; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -n Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Local Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020955; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%08%b7%06%08"; distance:0; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034985; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020965; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039"; flow:established,to_server; http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1"; fast_pattern; http.request_body; content:"delete"; nocase; content:"CERT"; nocase; distance:0; content:"n"; nocase; content:"perl"; nocase; distance:0; content:"base64"; nocase; within:30; reference:cve,2021-20039; classtype:attempted-admin; sid:2034986; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20039, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"plugin_output_len="; pcre:"/^[0-9]{1,10}\x3b/R"; reference:cve,2021-25296; classtype:attempted-admin; sid:2034992; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:exploit-kit; sid:2020984; rev:2; metadata:created_at 2015_04_23, former_category CURRENT_EVENTS, updated_at 2017_04_04;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)"; flow:established,to_server; http.request_line; content:"POST|20|/api/schema|20|HTTP/1.1"; http.request_body; content:"ruleConfiguration"; nocase; content:"encryptor"; nocase; content:"|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n"; nocase; fast_pattern; content:"dataSourceName:"; nocase; content:"Object"; nocase; distance:0; within:60; reference:cve,2020-1947; classtype:attempted-admin; sid:2035008; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_1947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Struts RCE Attempt (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"="; pcre:"/^(%25|%)(%7b|{)(%28|\()(%23|#)/R"; content:"instancemanager"; nocase; fast_pattern; pcre:"/^(%3d|=)(%23|#)application(%5b|\[)(%22|")org(%2e|\.)apache(%2e|\.)tomcat(%2e|\.)instancemanager(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)(ognlstack|stack)(%3d|=)(%23|#)attr(%5b|\[)(%22|")com(%2e|\.)opensymphony(%2e|\.)xwork2(%2e|\.)util(%2e|\.)valuestack(%2e|\.)valuestack(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)/Rsi"; content:"bean"; distance:0; within:200; content:"java"; distance:0; within:400; content:"execute"; distance:0; pcre:"/^(%2e|\.)exec/Ri"; reference:cve,2020-17530; classtype:attempted-admin; sid:2035009; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_17530, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:exploit-kit; sid:2020987; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Possible Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Attempt (CVE-2019-12643)"; flow:established,to_server; flowbits:set,ET.Cisco_ABypass; http.request_line; content:"GET /api/v1/auth/token-services/debug HTTP/1.1"; nocase; fast_pattern; http.accept; content:"application/json"; bsize:16; reference:cve,2019-12643; classtype:attempted-admin; sid:2035010; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:exploit-kit; sid:2020990; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http [$HOME_NET,$HTTP_SERVERS] 55443 -> any any (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Successful Exploit (CVE-2019-12643)"; flow:established,from_server; flowbits:isset,ET.Cisco_ABypass; http.stat_code; content:"200"; file.data; content:"|5b 7b 22|last-access-time|22 3a|"; fast_pattern; content:"|22|token-id|22 3a 20 22|"; within:200; pcre:"/^[a-zA-Z0-9]{5,40}/R"; xbits:set,ET.Cisco_ABypass,track ip_pair,expire 60; reference:cve,2019-12643; classtype:successful-admin; sid:2035011; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2; metadata:created_at 2015_04_24, former_category CURRENT_EVENTS, updated_at 2015_04_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)"; flow:established,to_server; xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60; http.method; content:"GET"; http.header_names; content:"X-auth-token"; nocase; reference:cve,2019-12643; classtype:successful-admin; sid:2035012; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:exploit-kit; sid:2020994; rev:3; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert tcp any any -> any any (msg:"ET EXPLOIT Oracle WebLogic IIOP JNDI Injection (CVE-2020-14841)"; flow:established,to_server; content:"corbaloc|3a|iiop|3a|"; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]{7,200}/R"; content:"idl|3a|weblogic/corba/cos/naming/namingcontextany"; nocase; reference:cve,2020-14841; classtype:attempted-admin; sid:2035013; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_14841, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern; classtype:trojan-activity; sid:2021006; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert tcp any any -> any any (msg:"ET EXPLOIT Sangoma Asterisk Originate AMI RCE (CVE-2019-18610) (PoC Based)"; content:"Action|3a 20|Originate"; nocase; distance:0; fast_pattern; content:"Data|3a|"; nocase; distance:0; content:"|20|/tmp/"; nocase; within:45; reference:cve,2019-18610; classtype:attempted-admin; sid:2035014; rev:2; metadata:created_at 2022_01_28, cve CVE_2019_18610, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_28;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"ludGVybmV0T3Blb"; fast_pattern; classtype:trojan-activity; sid:2021007; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Spark RPC - Unauthenticated RegisterApplication Request (CVE-2020-9480)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_UnauthRegisterApplication; flowbits:isnotset,ET.ApacheSpark_AuthAttempted; flowbits:isnotset,ET.ApacheSpark_CE; content:"org.apache.spark.deploy.DeployMessages$RegisterApplication"; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:attempted-admin; sid:2035003; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_01_28; target:dest_ip;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"JbnRlcm5ldE9wZW"; fast_pattern; classtype:trojan-activity; sid:2021008; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Spark RPC - Unauthenticated RegisterApplication Request - RCE Attempt (CVE-2020-9480)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_UnauthRegisterApplication; flowbits:isnotset,ET.ApacheSpark_AuthAttempted; flowbits:isnotset,ET.ApacheSpark_CE; content:"org.apache.spark.deploy.DeployMessages$RegisterApplication"; content:"spark.driver.port="; distance:0; pcre:"/^\d+..(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))-XX:OnOutOfMemoryError=/R"; content:"-XX:OnOutOfMemoryError="; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:attempted-admin; sid:2035005; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_28;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"d2luaW5ldC5kbG"; fast_pattern; classtype:trojan-activity; sid:2021009; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-17418)"; flow:established,to_server; http.uri; content:"/admin/?"; content:"a=doSearchParameter"; fast_pattern; distance:0; content:"appno=0"; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,nvd.nist.gov/vuln/detail/CVE-2019-17418; reference:cve,2019-17418; classtype:attempted-admin; sid:2035018; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_17418, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_31;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"dpbmluZXQuZGxs"; fast_pattern; classtype:trojan-activity; sid:2021010; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-16997)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/?"; content:"a=doExportPack"; fast_pattern; distance:0; http.request_body; content:"appno="; startswith; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,y4er.com/post/metinfo7-sql-tips/#sql-injection-2; reference:cve,2019-16997; classtype:attempted-admin; sid:2035019; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_16997, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_31;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"3aW5pbmV0LmRsb"; fast_pattern; classtype:trojan-activity; sid:2021011; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Create DAG (CVE-2020-11978)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/experimental/dags/sample_trigger_target_dag/dag_runs"; fast_pattern; reference:cve,2020-11978; classtype:attempted-admin; sid:2035035; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_11978, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CORESHELL Malware Response from server"; flow:from_server,established; file_data; content:"O|00|K|00 00 00|"; within:6; pcre:"/^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019584; rev:3; metadata:created_at 2014_10_29, updated_at 2014_10_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Unpause (CVE-2020-11978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/experimental/dags/sample_trigger_target_dag/paused/false"; fast_pattern; reference:cve,2020-11978; classtype:attempted-admin; sid:2035036; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_11978, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Type: image/jpeg"; content:"AT&TFORM|00 00 03 AF|DJVMDIRM"; fast_pattern; distance:80; within:40; http.header_names; content:!"Referer"; reference:cve,CVE-2021-24563; reference:url,about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/; reference:cve,2021-24563; classtype:trojan-activity; sid:2034961; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2022_01_24, cve CVE_2021_24563, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|3a 2f 2f 3f 2f|collector|2f|"; fast_pattern; reference:cve,2020-8271; classtype:attempted-admin; sid:2035093; rev:1; metadata:attack_target Server, created_at 2022_02_03, cve CVE_2020_8271, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:exploit-kit; sid:2020950; rev:3; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory="; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035106; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_27130, updated_at 2022_02_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:exploit-kit; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - athena (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/athena/"; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035105; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:exploit-kit; sid:2020388; rev:8; metadata:created_at 2015_02_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator SQL Injection (CVE-2020-3984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portal/"; http.request_body; content:"softwareUpdate/getSoftwareUpdates"; fast_pattern; content:"|22|modulus|22 3a|"; content:"UNION SELECT"; nocase; distance:0; reference:cve,2020-3984; classtype:attempted-admin; sid:2035104; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_3984, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021016; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Path Traversal (CVE-2020-4000)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"portal/rest/meta/"; fast_pattern; content:"?"; content:"|2e 2e 2f|"; reference:cve,2020-4000; classtype:attempted-admin; sid:2035103; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_4000, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET DELETED Team Cymru Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 26 E5 46 04|"; distance:4; within:6; classtype:trojan-activity; sid:2021020; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Authentication Bypass (CVE-2020-4001)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|login|2f|doResetPassword|2e|html"; http.request_body; content:"super|40|velocloud|2e|net"; fast_pattern; content:"|7b|CLEAR|7b|"; nocase; content:"logicalId"; nocase; reference:cve,2020-4001; classtype:attempted-admin; sid:2035102; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_4001, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/newbm.pl"; nocase; fast_pattern; endswith; http.header_names; content:"|0d 0a|NSC_USER|0d 0a|"; nocase; content:"|0d 0a|NSC_NONCE|0d 0a|"; nocase; http.request_body; content:"template.new"; nocase; content:"url="; nocase; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2034279; rev:2; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2019_19781, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:5; metadata:attack_target Server, created_at 2019_12_30, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021031; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M4"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2035109; rev:2; metadata:attack_target Server, created_at 2022_02_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021032; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpns/cfg/smb.con"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035110; rev:2; metadata:created_at 2022_02_05, cve CVE_2019_19781, updated_at 2022_02_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:exploit-kit; sid:2021034; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
+alert http $HTTP_SERVERS any -> any any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt - Server Response (CVE-2019-19781)"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Via|3a 20|NS-CACHE-"; http.response_body; content:"|5b|global|5d|"; startswith; content:"encrypt passwords"; distance:0; fast_pattern; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035111; rev:2; metadata:attack_target Server, created_at 2022_02_05, cve CVE_2019_19781, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:exploit-kit; sid:2021039; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Viptela vManage Directory Traversal (CVE-2020-27128)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dataservice/statistics/download/dr/filelist"; fast_pattern; http.request_body; content:"|2f 2e 2e 2f|"; reference:cve,2020-27128; classtype:web-application-attack; sid:2035136; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_27128, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01 00 44|"; depth:4; content:"|00 01 00 08|"; distance:16; within:4; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tools.ietf.org/html/rfc5389; classtype:protocol-command-decode; sid:2018908; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco SD-WAN vManage Software Directory Traversal (CVE-2020-26073)"; flow:established,to_server; http.request_line; content:"GET /dataservice/disasterrecovery/download/token/"; startswith; fast_pattern; pcre:"/^(%2E%2E%2F|\.\.\/)/Ri"; reference:cve,2020-26073; classtype:web-application-attack; sid:2035137; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_26073, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:exploit-kit; sid:2021046; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Server OWA GetWacUrl Information Disclosure Attempt (CVE-2020-17143)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/service.svc"; fast_pattern; http.header; content:"Action|3a 20|GetWacIframeUrlForOneDrive"; nocase; content:"|22|EndPointUrl|22 3a 22|"; nocase; reference:cve,2020-17143; classtype:web-application-attack; sid:2035138; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_17143, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:exploit-kit; sid:2021047; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP ICM MPI Desynchronization Scanning Activity (CVE-2022-22536) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sap/public/bc/ur/Login/assets/corbu/sap_logo.png"; fast_pattern; http.content_len; byte_test:0,>=,82642,0,string,dec; reference:cve,2022-22536; classtype:attempted-admin; sid:2035182; rev:2; metadata:attack_target Server, created_at 2022_02_11, cve CVE_2022_22536, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:exploit-kit; sid:2021048; rev:2; metadata:created_at 2015_05_02, updated_at 2015_05_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP ICM MPI Desynchronization Scanning Activity (CVE-2022-22536) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sap/admin/public/default.html?"; fast_pattern; http.content_len; byte_test:0,>=,82642,0,string,dec; reference:cve,2022-22536; classtype:attempted-admin; sid:2035183; rev:2; metadata:attack_target Server, created_at 2022_02_11, cve CVE_2022_22536, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:command-and-control; sid:2021050; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Moxa MxView RCE Attempt (CVE-2021-38454)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"api/sites/site/"; fast_pattern; pcre:"/^[a-zA-Z0-9]{5,45}/R"; content:"/ping"; endswith; reference:cve,2021-38454; classtype:attempted-admin; sid:2035194; rev:2; metadata:attack_target Server, created_at 2022_02_14, cve CVE_2021_38454, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021053; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization RCE T3 (CVE-2015-4852)"; flow:established,to_server; content:"|00 00|"; startswith; content:"|01 65|"; distance:2; within:2; content:"|ac ed 00|"; distance:0; content:"weblogic.rjvm.ClassTableEntry"; fast_pattern; distance:0; reference:cve,2015-4852; reference:url,www.exploit-db.com/exploits/46628; classtype:attempted-admin; sid:2035204; rev:1; metadata:created_at 2022_02_15, cve CVE_2015_4852, former_category EXPLOIT, updated_at 2022_02_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:exploit-kit; sid:2021054; rev:2; metadata:created_at 2015_05_04, former_category EXPLOIT_KIT, updated_at 2015_05_04;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isnotset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; fast_pattern; content:"|04 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; endswith; threshold: type limit, count 1, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2030870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RHi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|0f 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035259; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|2d 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035263; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|0f 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!5,relative; byte_test:1,!&,0x40,3,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035258; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021063; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!5,relative; byte_test:1,!&,0x40,3,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035260; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:2; metadata:created_at 2015_05_08, former_category INFO, updated_at 2015_05_08;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035261; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_15, former_category CURRENT_EVENTS, updated_at 2015_04_15;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"filter_func"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035272; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Cryptolocker .onion Proxy Domain (24u4jf7s4regu6hn)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|24u4jf7s4regu6hn"; fast_pattern; distance:0; nocase; reference:md5,36095572717aee2399b6bdacef936e22; classtype:trojan-activity; sid:2021085; rev:1; metadata:created_at 2015_05_09, updated_at 2015_05_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"script"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035273; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017024; rev:4; metadata:created_at 2013_06_18, former_category CURRENT_EVENTS, updated_at 2013_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extensis Portfolio Unrestricted File Upload (CVE-2022-24252)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/FileTransfer/upload?sessionId="; fast_pattern; content:"&action=customPreview"; content:"&catalogId="; http.request_body; content:"filename="; content:"\\.."; within:25; reference:url,whiteoaksecurity.com/blog/extensis-portfolio-vulnerability-disclosure/; classtype:attempted-admin; sid:2035274; rev:2; metadata:attack_target Server, created_at 2022_02_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021086; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TOTOLINK Realtek SDK RCE (CVE-2019-19824)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/formSysCmd"; fast_pattern; http.request_body; content:"Run|2b|Command|26|sysCmd|3d|"; nocase; reference:cve,2019-19824; classtype:attempted-admin; sid:2035282; rev:2; metadata:attack_target Server, created_at 2022_02_23, cve CVE_2019_19824, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Suspicious SVCCTL CreateService Command via SMB - Observed Zerologon Post Compromise Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; fast_pattern; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; reference:md5,59e7f22d2c290336826700f05531bd30; classtype:attempted-admin; sid:2035287; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_25, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert smb any any -> $HOME_NET 445 (msg:"ET EXPLOIT CreateService via SMB to Reset-ComputerMachinePassword - Observed Post Zerologon Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|00|R|00|e|00|s|00|e|00|t|00|-|00|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00|M|00|a|00|c|00|h|00|i|00|n|00|e|00|P|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; distance:0; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_24, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linux/Attempted Hosts File Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?url=file|3a 2f 2f 2f|etc|2f|hosts"; endswith; http.header_names; content:!"Referer"; classtype:attempted-admin; sid:2035315; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2022_02_28, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2015_05_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set)"; flow:established,to_server; flowbits:set,ET.vmware.2022.22947; http.request_line; content:"POST /actuator/gateway/routes/"; startswith; fast_pattern; http.request_body; content:"|22|filters|22 3a|"; nocase; content:"|22 23 7b|"; within:115; reference:cve,2022-22947; classtype:attempted-admin; sid:2035380; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_22947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947)"; flow:established,to_server; flowbits:isset,ET.vmware.2022.22947; http.request_line; content:"POST /actuator/gateway/refresh"; startswith; fast_pattern; http.request_body; content:"|22|filters|22 3a|"; nocase; content:"|22 23 7b|"; within:115; reference:cve,2022-22947; classtype:attempted-admin; sid:2035381; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_22947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"InVzZXJuYW1lX2F0dHJpYnV0ZSI6"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035371; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_23131, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"J1c2VybmFtZV9hdHRyaWJ1dGUiO"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035372; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Win32/Troldesh.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 bf 81 b3 c2 61 36 e4 9d|"; fast_pattern; content:"|55 04 03|"; content:"|16|www.jyxc3nn7eu2iqd.net"; distance:1; within:23; reference:md5,3358793e79042faa2298856373e644dc; classtype:trojan-activity; sid:2021098; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:command-and-control; sid:2020671; rev:3; metadata:created_at 2015_03_11, former_category MALWARE, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.php5"; http.request_body; content:"|3c 3f|php|20|system|28 24 5f|POST|5b 27|"; nocase; fast_pattern; reference:cve,2020-16152; classtype:attempted-admin; sid:2035401; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:domain-c2; sid:2021102; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/action.php5"; http.request_body; content:"|2f 2e 2e 2f 2e 2e|"; fast_pattern; content:"/tmp/messages"; reference:cve,2020-16152; classtype:attempted-admin; sid:2035402; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021109; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Azure Automation Authentication Bypass"; flow:established,to_server; http.uri; content:"/oauth2/token"; http.request_body; content:"resource"; content:"management.azure.com"; within:60; fast_pattern; http.header; content:"metadata"; nocase; content:!"X-IDENTITY-HEADER"; nocase; reference:url,orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/; classtype:attempted-admin; sid:2035403; rev:2; metadata:attack_target Server, created_at 2022_03_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Interactsh CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|Event|3d|"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; http.header_names; content:!"Referer"; threshold:type limit, seconds 600, count 5, track by_src; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:attempted-admin; sid:2034200; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_10_15, cve CVE_2020_28188, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Oracle Access Manager RCE Attempt (CVE-2021-35587)"; flow:established,to_server; http.request_line; content:"POST /oam/server/opensso/sessionservice HTTP/1.1"; fast_pattern; http.request_body; content:"svcid"; content:"|5b|CDATA"; content:"requester|3d|"; distance:0; nocase; reference:cve,2021-35587; classtype:attempted-admin; sid:2035429; rev:2; metadata:attack_target Server, created_at 2022_03_10, cve CVE_2021_35587, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021112; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R6260 Mini_httpd Buffer Overflow Attempt - Possible RCE (CVE-2021-34979)"; flow:established,to_server; http.header; content:"SOAPAction|3a 20|"; content:"urn:NETGEAR-ROUTER:service:"; within:30; fast_pattern; content:!"|0d 0a|"; within:131; pcre:"/^SOAPAction\x3a\x20\x22?urn\x3aNETGEAR-ROUTER\x3aservice\x3a.{128,}(?!:\d#)/Hm"; http.request_body; content:"|3c 3f|xml"; startswith; reference:url,nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-netgear-nday.html; reference:cve,2021-34979; classtype:trojan-activity; sid:2035446; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_03_14, cve CVE_2021_34979, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021113; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi?2&2"; fast_pattern; http.request_body; content:"|0d 0a|X_TP_FirewallEnabled"; content:"|0d 0a|X_TP_ExternalIPv6Address="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2022-25064; classtype:attempted-admin; sid:2035455; rev:1; metadata:created_at 2022_03_15, cve CVE_2022_25064, former_category EXPLOIT, updated_at 2022_03_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:domain-c2; sid:2021106; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:4; metadata:created_at 2015_08_25, updated_at 2022_03_17;)
 
-#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024207; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:3; metadata:created_at 2012_11_14, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:targeted-activity; sid:2021116; rev:2; metadata:created_at 2015_05_19, former_category MALWARE, updated_at 2015_05_19;)
+alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; offset:4; depth:30; fast_pattern; content:"|00 09 00 00 00 10|"; distance:1; within:6; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type both, track by_src, count 3, seconds 30; classtype:trojan-activity; sid:2024217; rev:4; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021121; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:3; metadata:created_at 2015_08_10, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, updated_at 2022_03_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021127; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:2; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021149; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_05_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Online%20Scheduling%20System/login.php"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&lgn=Login"; nocase; endswith; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2022_03_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+#alert dns $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; content:"|00 10 00 00|"; endswith; reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:2; metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021154; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/dnscfg.cgi?dnsPrimary="; fast_pattern; content:"&dnsSecondary="; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021155; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; fast_pattern; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&dnsrefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/action?dns_status=1&dns_poll_timeout="; fast_pattern; content:"&id="; distance:0; content:"&dns_serv_ip_1="; distance:0; content:"&dns_serv_ip_2="; distance:0; content:"&dns_serv_ip_3="; distance:0; content:"&dns_serv_ip_4="; distance:0; content:"&priority=1&cmdadd=add"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:8; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup - whoer.net"; flow:established,to_server; content:"Host|3a 20|whoer.net|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; classtype:external-ip-check; sid:2021161; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fpui/"; nocase; fast_pattern; content:"|2e|jsp"; within:30; endswith; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034531; rev:3; metadata:created_at 2021_11_22, updated_at 2022_03_24;)
 
-alert udp $HOME_NET 5093 -> $EXTERNAL_NET any (msg:"ET DOS Possible Sentinal LM  Application attack in progress Outbound (Response)"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021170; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeBB Path Traversal (CVE-2021-43788)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nodebb|2e|org|2f 3f 5b 5b 2e 2e 2f|"; nocase; fast_pattern; content:"|3a|"; content:"|5d 5d|"; within:50; endswith; reference:url,blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot; reference:cve,2021-43788; classtype:attempted-admin; sid:2034590; rev:2; metadata:attack_target Server, created_at 2021_12_06, cve CVE_2021_43788, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_24;)
 
-alert udp $EXTERNAL_NET 5093 -> $HOME_NET any (msg:"ET DOS Possible Sentinal LM Amplification attack (Response) Inbound"; dsize:>1390; content:"|7a 00 00 00 00 00 00 00 00 00 00 00|"; depth:12; threshold: type both,track by_src,count 10,seconds 60; classtype:attempted-dos; sid:2021171; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; content:"|1e 00|"; offset:22; depth:2; content:"|24 00 00 00 06|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035262; rev:3; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_03_24;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"ET DOS Possible Sentinal LM Amplification attack (Request) Inbound"; dsize:6; content:"|7a 00 00 00 00 00|"; threshold: type both,track by_dst,count 10,seconds 60; classtype:attempted-dos; sid:2021172; rev:1; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; classtype:trojan-activity; sid:2024213; rev:5; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021175; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; nocase; http.request_body; content:"|3c|methodName|3e|"; content:"login|3c 2f|methodName|3e|"; within:50; fast_pattern; nocase; content:"|3c|member|3e 3c|value|3e 3c|"; distance:0; nocase; content:!"|3e|"; within:400; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035633; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_body; content:"|3c|methodName|3e|"; nocase; content:"login|3c 2f|methodName|3e|"; within:50; nocase; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035634; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.header; content:"Content-Encoding|3a 20|gzip"; http.request_body; content:"|1f 8b|"; startswith; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035635; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021186; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; fast_pattern; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033681; rev:4; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:exploit-kit; sid:2021157; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"Email=autodiscover/"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; reference:cve,2021-31207; classtype:attempted-admin; sid:2033701; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_10, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021192; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2035648; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021193; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; content:"Email="; distance:0; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2033711; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; http.cookie; content:"Email="; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2035649; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021196; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; nocase; fast_pattern; http.request_body; content:"<s"; content:"<m:ResolveNames ReturnFullContactData=|22|true|22| SearchScope=|22|ActiveDirectory|22|>"; distance:0; content:"</m:ResolveNames>"; distance:0; reference:cve,2021-34473; classtype:attempted-admin; sid:2035650; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021197; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021198; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021199; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:1; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021208; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)"; flow:to_server,established; http.header; content:"spring.cloud.function.routing-expression|3a|"; fast_pattern; reference:cve,2022-22963; classtype:attempted-admin; sid:2035670; rev:1; metadata:attack_target Server, created_at 2022_03_31, cve CVE_2022_22963, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021209; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear R6700v3 upnpd Buffer Overflow Inbound (CVE-2022-27643)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; nocase; content:"urn:NETGEARROUTER:service:ParentalControl:1#Authenticate"; fast_pattern; nocase; pcre:"/^SOAPAction\x3a\s?urn\x3aNETGEARROUTER\x3aservice\x3aParentalControl\x3a1#Authenticate/Hmi"; http.request_body; content:"<NewMACAddress>"; nocase; pcre:"/^[^<]{30,}<\/NewMACAddress>/Ri"; reference:url,blog.relyze.com/2022/03/cve-2022-27643-netgear-r6700v3-upnpd.html; reference:cve,2022-27643; classtype:attempted-admin; sid:2035717; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_03, cve CVE_2022_27643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021210; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; distance:0; content:".popen|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035718; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021211; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543)"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035720; rev:2; metadata:affected_product Redis, created_at 2022_04_04, cve CVE_2022_0543, former_category EXPLOIT, updated_at 2022_04_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021212; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; content:".execute|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035719; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:exploit-kit; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021220; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26210)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; http.request_body; content:"setUpgradeFW"; fast_pattern; content:"FileName|3a 20 3a|"; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26210; classtype:attempted-admin; sid:2035744; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26210, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021221; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:to_server,established; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021222; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-25075)"; flow:to_server,established; http.uri; content:"/cgi-bin/downloadFlile.cgi"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-25075; classtype:attempted-admin; sid:2035746; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_25075, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021223; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021224; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.pattern="; fast_pattern; classtype:attempted-admin; sid:2035674; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.suffix="; fast_pattern; classtype:attempted-admin; sid:2035675; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AB6172ED-8105-4996-9D2A-597B5F827501}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021231; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.directory="; fast_pattern; classtype:attempted-admin; sid:2035676; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{0710880F-3A55-4A2D-AA67-1123384FD859}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021232; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.prefix="; fast_pattern; classtype:attempted-admin; sid:2035677; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021233; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965)"; flow:to_server,established; http.request_body; content:"pipeline.first.pattern="; fast_pattern; content:"pipeline.first.suffix="; content:"pipeline.first.directory="; content:"pipeline.first.prefix="; classtype:attempted-admin; sid:2035678; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021234; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"; nocase; fast_pattern; content:"%6e%65%77%28%29"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035876; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021235; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035875; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|A|00|F|00|F|00|C|00|4|00|F|00|0|00|-|00|E|00|0|00|4|00|B|00|-|00|4|00|C|00|7|00|C|00|-|00|B|00|4|00|0|00|A|00|-|00|B|00|4|00|5|00|D|00|E|00|9|00|7|00|1|00|E|00|8|00|1|00|E|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021236; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; distance:0; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035874; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_08;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|B|00|6|00|1|00|7|00|2|00|E|00|D|00|-|00|8|00|1|00|0|00|5|00|-|00|4|00|9|00|9|00|6|00|-|00|9|00|D|00|2|00|A|00|-|00|5|00|9|00|7|00|B|00|5|00|F|00|8|00|2|00|7|00|5|00|0|00|1|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021237; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via TCP (CVE-2022-0778)"; flow:established,to_server; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035887; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|0|00|7|00|1|00|0|00|8|00|8|00|0|00|F|00|-|00|3|00|A|00|5|00|5|00|-|00|4|00|A|00|2|00|D|00|-|00|A|00|A|00|6|00|7|00|-|00|1|00|1|00|2|00|3|00|3|00|8|00|4|00|F|00|D|00|8|00|5|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021238; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via UDP (CVE-2022-0778)"; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035888; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|C|00|5|00|1|00|A|00|4|00|D|00|B|00|-|00|E|00|3|00|D|00|E|00|-|00|4|00|F|00|E|00|B|00|-|00|8|00|6|00|A|00|4|00|-|00|3|00|2|00|F|00|7|00|F|00|8|00|E|00|7|00|3|00|B|00|9|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021239; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible NGINX Reference LDAP Query Injection Attack"; flow:established,to_server; http.header; content:"|0d 0a|X-Ldap-Template|3a 20|"; fast_pattern; nocase; content:"|28 7c|"; distance:0; within:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/nginxinc/nginx-ldap-auth/issues/93; classtype:attempted-admin; sid:2035897; rev:2; metadata:attack_target Web_Server, created_at 2022_04_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|7|00|F|00|9|00|B|00|C|00|F|00|C|00|0|00|-|00|B|00|3|00|6|00|B|00|-|00|4|00|5|00|E|00|C|00|-|00|B|00|3|00|7|00|7|00|-|00|D|00|8|00|8|00|5|00|9|00|7|00|B|00|E|00|5|00|D|00|7|00|8|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021240; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Grafana 8.x Path Traversal (CVE-2021-43798)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/public/plugins/"; fast_pattern; content:"|2f 2e 2e 2f|"; distance:0; within:40; reference:url,github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p; classtype:attempted-admin; sid:2034629; rev:2; metadata:attack_target Server, created_at 2021_12_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_14;)
 
-alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|5|00|7|00|D|00|2|00|D|00|E|00|9|00|2|00|-|00|C|00|E|00|1|00|7|00|-|00|4|00|A|00|5|00|7|00|-|00|B|00|F|00|D|00|7|00|-|00|C|00|D|00|3|00|C|00|6|00|E|00|9|00|6|00|5|00|C|00|6|00|A|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021241; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; content:"%3B%"; distance:0; within:5; nocase; reference:cve,2020-17456; classtype:attempted-admin; sid:2035950; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2020_17456, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert tcp any any -> any [139,445] (msg:"ET DELETED Possible Duqu 2.0 Accessing SMB/SMB2 backdoor"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"tttttttt"; nocase; distance:0; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021243; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2020-17456; classtype:attempted-admin; sid:2035951; rev:1; metadata:created_at 2022_04_14, cve CVE_2020_17456, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130 RCE Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; http.request_body; content:"&queriesCnt="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2035952; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cryptolocker C2 SSL cert serial"; flow:established,to_client; content:"|b3 b2 82 08 58 32 5e 8e|"; fast_pattern:only; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/chkisg.htm"; content:"%3FSip%"; fast_pattern; nocase; distance:0; content:"%7C"; nocase; distance:0; reference:cve,2018-10823; classtype:attempted-admin; sid:2035953; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2018_10823, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:command-and-control; sid:2021260; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Angler EK Landing URI Struct Feb 21"; flow:established,to_server; urilen:<28; content:"/lists/"; depth:7; http_uri; pcre:"/^\/lists\/\d{15}(?:\d{5})?$/U"; classtype:exploit-kit; sid:2020497; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_22, deployment Perimeter, malware_family Angler, signature_severity Major, tag Angler, tag DriveBy, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|exec|22|,|7b 22|command|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50865; classtype:attempted-admin; sid:2035955; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; nocase; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016588; rev:15; metadata:created_at 2013_03_15, updated_at 2013_03_15;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|read|22|,|7b 22|path|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50864; classtype:attempted-admin; sid:2035956; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021248; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/%2e%2e/%2e%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,twitter.com/HackerGautam/status/1445412108863041544; reference:cve,2021-41773; classtype:attempted-admin; sid:2034124; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/.%2e/.%2e/.%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,github.com/iilegacyyii/PoC-CVE-2021-41773/blob/main/CVE-2021-41773.py; reference:cve,2021-41773; classtype:attempted-admin; sid:2034125; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/.%2e/"; reference:cve,2021-41773; classtype:attempted-admin; sid:2034128; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_06, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:domain-c2; sid:2021273; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M1"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0|3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036254; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46"; fast_pattern; content:!"|0d 0a|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036255; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (16) M2"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"auInfo|3d|YWRtaW46"; fast_pattern; content:!"|3b|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036256; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (11) M2"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editBlackAndWhiteList"; bsize:22; http.request_body; content:"clientType|3d 22|WEB|22 3e|"; content:"|3c|addressType|3e|ip|3c 2f|addressType|3e 3c|ip|3e|"; distance:0; fast_pattern; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036253; rev:2; metadata:created_at 2022_04_19, updated_at 2022_04_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing June 16 2015 M3"; flow:established,to_client; file_data; content:"<title>Virus Firewall Alert!</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; content:"popup-mac-warning.png"; nocase; distance:0; classtype:social-engineering; sid:2021287; rev:2; metadata:created_at 2015_06_17, updated_at 2015_06_17;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc Login Attempt"; flow:established,to_server; stream_size:server,<,5; dsize:38; content:"{D79E94C5-70F0-46BD-965B-E17497CCB598}"; startswith; flowbits:set,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036272; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in 2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 02|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,acccfa6107c712a63b1473d524461163; classtype:trojan-activity; sid:2021290; rev:1; metadata:created_at 2015_06_17, former_category TROJAN, updated_at 2017_12_11;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc System Details Request"; flow:established,to_server; content:"GET /"; startswith; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|1|0d 0a 0d 0a|"; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036273; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:exploit-kit; sid:2021291; rev:4; metadata:created_at 2015_06_18, updated_at 2015_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M2"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDp7MTIyMTNCRDEtNjlDNy00ODYyLTg0M0QtMjYwNTAwRDFEQTQwfQ|3d 3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036274; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"Refresh|3a 20|"; http_header; content:"|3b 20|url"; distance:0; http_header; content:"/999/00000/|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Refresh\x3a\x20\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Hm"; classtype:exploit-kit; sid:2021306; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
+alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC ConfigSyncProc RCE Attempt"; flow:established,to_server; content:"GET /saveSystemConfig"; depth:21; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|2|0d 0a 0d 0a|DAAAAAEAAAADAAAAIQACAAEABA"; distance:0; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036275; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:2; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WSO2 Server RCE (CVE-2022-29464)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileupload/toolsAny"; startswith; bsize:20; http.request_body; content:"name=|22 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|repository/deployment/server/"; fast_pattern; content:".jsp|22 0d 0a|"; distance:0; reference:url,github.com/hakivvi/CVE-2022-29464; reference:cve,CVE-2022-29464; reference:cve,2022-29464; classtype:trojan-activity; sid:2036378; rev:2; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2022_04_26, cve CVE_2022_29464, deployment Internet, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:exploit-kit; sid:2021313; rev:2; metadata:created_at 2015_06_19, updated_at 2015_06_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) TLS Signature (CVE-2022-21449)"; flow:established, to_client; content:"|16 03 03|"; content:"|0c|"; distance:2; within:1; content:"|04 03 00 08 30 06 02 01 00 02 01 00|"; distance:0; tag:session,5,packets; reference:url,github.com/thack1/CVE-2022-21449; reference:cve,2022-21449; classtype:targeted-activity; sid:2036377; rev:1; metadata:created_at 2022_04_26, cve CVE_2022_21449, updated_at 2022_04_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021301; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2015_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) Signed JWT Bypass (CVE-2022-21449)"; flow:established, to_server; http.header; content:"Authorization|3a 20|Bearer|20|"; pcre:"/(yJ0eXAiOiJKV1Qi|InR5cCI6IkpXVCJ)/HR"; content:"JhbGciOiJFUzI1Ni"; distance:0; fast_pattern; content:"MAYCAQACAQA|0d 0a|"; endswith; tag:session,5,packets; reference:cve,CVE-2022-21449; reference:cve,2022-21449; classtype:web-application-activity; sid:2036392; rev:3; metadata:affected_product Java, attack_target Server, created_at 2022_04_27, cve CVE_2022_21449, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021314; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible VMware Workspace ONE Access RCE via Server-Side Template Injection Inbound (CVE-2022-22954)"; flow:to_server,established; http.uri; content:"/catalog-portal/ui/oauth/verify?"; http.uri.raw; content:"&deviceUdid=%24%7b"; fast_pattern; nocase; reference:cve,2022-22954; classtype:attempted-admin; sid:2036416; rev:1; metadata:attack_target Server, created_at 2022_04_29, cve CVE_2022_22954, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021315; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Large Malformed Translogic Packet (CVE-2021-37164)"; dsize:>369; content:"TLPU"; startswith; fast_pattern; reference:cve,2021-37164; reference:url,www.armis.com/pwnedPiper; classtype:attempted-admin; sid:2033662; rev:2; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37164, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin 2"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021316; rev:1; metadata:created_at 2015_06_22, former_category MALWARE, updated_at 2015_06_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/xmlpserver/ReportTemplateService.xls"; bsize:37; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"|3c 21|DOCTYPE|20|soap|3a|envelope|20|PUBLIC|20 22 2d 2f 2f|B|2f|A|2f|EN|22 20 22|http"; startswith; reference:url,nvd.nist.gov/vuln/detail/CVE-2019-2616; reference:cve,2019-2616; classtype:attempted-admin; sid:2034199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_15, cve CVE_2019_2616, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021320; rev:2; metadata:created_at 2015_06_23, updated_at 2015_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith; reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034481; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET MALWARE Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith; reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034482; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021169; rev:3; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:3; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE Exploit URI Struct"; flow:to_server,established; content:"/ie7.html"; http_uri; classtype:exploit-kit; sid:2018932; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"tmp"; distance:0; content:"wget"; distance:0; reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021339; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase; reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021340; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri"; reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:2; metadata:created_at 2021_11_17, cve CVE_2017_18362, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021341; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034757; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021342; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034758; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021343; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034759; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021344; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034760; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021345; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034761; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021346; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034762; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021347; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034765; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021348; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034766; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021349; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M1"; flow:established,to_server; http.request_line; content:"POST|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036457; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021350; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT dotCMS Arbitrary File Upload Attempt (CVE-2022-26352) M2"; flow:established,to_server; http.request_line; content:"PUT|20|/api/content/|20|"; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"filename=|22 2e 2e 2f|"; reference:url,blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/; reference:url,www.dotcms.com/security/SI-62; reference:cve,2022-26352; classtype:attempted-admin; sid:2036458; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_05_04, cve CVE_2022_26352, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload DL M1 Feb 06 2015"; flow:to_server,established; urilen:>48; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; offset:49; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"|0d 0a|Host|3a|"; http_header; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; content:"GET"; http_method; classtype:exploit-kit; sid:2020385; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE-2022-1388) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/tm/util/bash"; fast_pattern; bsize:18; http.header; content:"Authorization|3a 20|Basic YWRtaW46"; http.connection; content:"x-F5-Auth-Token"; nocase; http.header_names; content:!"Referer"; content:"X-F5-Auth-Token"; http.request_body; content:"command"; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; flowbits:set,ET.F5AuthBypass; reference:cve,2022-1388; classtype:attempted-admin; sid:2036546; rev:2; metadata:attack_target Web_Server, created_at 2022_05_09, cve CVE_2022_1388, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 9 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_10, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE-2022-1388)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; flowbits:isset,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:1; metadata:attack_target Web_Server, created_at 2022_05_09, cve CVE_2022_1388, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userportal/Controller?"; fast_pattern; startswith; content:"mode="; content:"operation="; content:"datagrid="; content:"json="; http.header; content:"X-Requested-With|3a 20|XMLHttpRequest"; http.header_names; content:!"Referer"; flowbits:set,ET.SophosAuthBypass; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036548; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021353; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|Session Expired|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036549; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021354; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|-2|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036550; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021355; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST authentication bypass attempt (CVE-2022-1388) M2"; flow:established,to_server; http.method; content:!"GET"; http.uri; content:"/mgmt/tm"; startswith; http.header; content:"Authorization|3a 20|Basic YWRtaW46"; http.connection; content:"x-F5-Auth-Token"; nocase; http.header_names; content:!"Referer"; content:"X-F5-Auth-Token"; fast_pattern; threshold:type limit, count 1, seconds 60, track by_src; reference:cve,2022-1388; classtype:trojan-activity; sid:2036556; rev:1; metadata:attack_target Web_Server, created_at 2022_05_10, cve CVE_2022_1388, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; classtype:exploit-kit; sid:2021360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [Rapid7] Zyxel ZTP setWanPortSt mtu Parameter Exploit Attempt (CVE 2022-30525)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ztp/cgi-bin/handler"; fast_pattern; bsize:20; http.request_body; content:"setWanPortSt"; content:"mtu"; pcre:"/^["']\s*:\s*["']\s*[^0-9]+/Ri"; reference:cve,2022-30525; reference:url,www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-firewall-unauthenticated-remote-command-injection/; classtype:misc-attack; sid:2036596; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_16, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (27)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:1424; within:8; classtype:exploit-kit; sid:2021361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Inbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; reference:cve,2019-9082; classtype:web-application-attack; sid:2036598; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2022_05_17;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET DELETED Possible Upatre or Dyre SSL Cert June 29 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,8,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])[a-zA-Z0-9]{9,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-zA-Z]{0,119}[0-9])(?P<var>[a-zA-Z0-9]{9,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_29, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Attempted ThinkPHP < 5.2.x RCE Outbound (CVE-2018-20062)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]"; fast_pattern; nocase; reference:url,www.exploit-db.com/exploits/46150; reference:cve,2018-20062; reference:cve,2019-9082; classtype:web-application-attack; sid:2036599; rev:1; metadata:attack_target Web_Server, created_at 2022_05_17, cve CVE_2018_20062, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2022_05_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015698; rev:3; metadata:created_at 2012_09_12, updated_at 2012_09_12;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarView Compact Command Injection Inbound (CVE-2022-29303)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/conf_mail.php"; fast_pattern; http.request_body; content:"mail_address="; pcre:"/^\s?(?:[\x3b\x0a\x26\x60\x7c\x24]|%(3b|0a|26|60|7c|24))/Ri"; reference:cve,2022-29303; classtype:attempted-admin; sid:2036649; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_29303, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:domain-c2; sid:2021375; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Telesquare SDT-CW3B1 1.1.0 - OS Command Injection (CVE-2021-46422)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/admin.cgi?Command=sysCommand&Cmd="; fast_pattern; startswith; http.header_names; content:!"Referer"; reference:cve,2021-46422; reference:url,twitter.com/momika233/status/1528742287072980992; classtype:attempted-admin; sid:2036663; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_05_23, cve CVE_2021_46422, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:command-and-control; sid:2021379; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Default Apache CouchDB Erlang Cookie Observed (CVE-2022-24706)"; flow:established,to_server; content:"|00 15|r|01 02 03 04|"; startswith; content:"|8b f4 e6 ad dd 72 a9 c4 c4 71 47 08 d2 94 15 28|"; fast_pattern; reference:cve,2022-24706; classtype:attempted-admin; sid:2036650; rev:1; metadata:attack_target Server, created_at 2022_05_23, cve CVE_2022_24706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dridex SSL Cert July 6 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 0e 34 be 9a f3 1e d7|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:8; reference:md5,0facc32fc6f9c67650575c8a8298bef2; classtype:trojan-activity; sid:2021380; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion"; flow:established,to_server; http.uri.raw; content:"/reglages/Menu_Plugins/"; fast_pattern; content:"|2e|php?p=|2e 2e 2f|"; distance:0; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50844; classtype:attempted-admin; sid:2036727; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2022_05_31, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_05_31;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:command-and-control; sid:2021385; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)"; flow:from_server,established; file.data; bsize:>4095; content:"location.href"; nocase; pcre:"/^\s*=\s*[\x22\x27]\s*ms-msdt\x3a/Ri"; content:"ms-msdt|3a|"; fast_pattern; nocase; reference:cve,2022-30190; classtype:attempted-user; sid:2036726; rev:2; metadata:attack_target Server, created_at 2022_05_31, cve CVE_2022_30190, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Local File Inclusion with Shell Execution via proc/self/environ"; flow:established,to_server; http.uri; content:"?"; content:"="; distance:0; content:"/proc/self/environ"; nocase; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:\x2e|%2e)(?:\x2e|%2e)(?:\x2f|%2f)/i"; reference:url,www.exploit-db.com/papers/12886; classtype:web-application-attack; sid:2036730; rev:1; metadata:attack_target Web_Server, created_at 2022_05_31, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (GET) CVE-2018-15957"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CFIDE/wizards/common/utils.cfc?"; startswith; fast_pattern; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:url,www.exploit-db.com/exploits/50781; reference:url,github.com/berez23/canvas/blob/cb306a9d8b1d8a743049a29164e6d324f8dabbfa/exploits/web/coldfusion_rce/coldfusion_rce.py; reference:url,url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2018-15957; classtype:attempted-admin; sid:2036731; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2022_05_31, cve CVE_2018_15957, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_31;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|08|portable"; distance:1; within:9; content:"|55 04 03|"; distance:0; content:"|0b|nintendo.jp"; distance:1; within:12; classtype:trojan-activity; sid:2021388; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (POST) CVE-2018-15957"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/wizards/common/utils.cfc"; startswith; fast_pattern; http.request_body; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50781; reference:url,github.com/berez23/canvas/blob/cb306a9d8b1d8a743049a29164e6d324f8dabbfa/exploits/web/coldfusion_rce/coldfusion_rce.py; reference:cve,2018-15957; classtype:attempted-admin; sid:2036732; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2022_05_31, cve CVE_2018_15957, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_05_31;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:command-and-control; sid:2021389; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Scriptcase 9.7 Arbitrary File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|files|5b 5d 22 3b 20|"; reference:url,www.exploit-db.com/exploits/50872; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; classtype:attempted-admin; sid:2036736; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_06_01, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021391; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Zyxel NWA-1100-NH Command Injection Attempt (CVE-2021-4039)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login/login.html"; bsize:17; fast_pattern; http.request_body; content:"myname="; content:"mypasswd="; content:"Submit=Login"; pcre:"/myname=[^&]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/i"; reference:url,www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50870; reference:cve,2021-4039; classtype:attempted-admin; sid:2036737; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_01, cve CVE_2021_4039, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:exploit-kit; sid:2014171; rev:5; metadata:created_at 2012_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajaxPages/writeBrowseFilePathAjax.php"; bsize:38; fast_pattern; http.request_body; content:"radioBtnVal="; content:"associateFileName="; reference:cve,2021-36356; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html; reference:url,write-up.github.io/kramerav/; reference:cve,2021-35064; classtype:attempted-admin; sid:2036738; rev:1; metadata:attack_target Server, created_at 2022_06_01, cve CVE_2021_35064_CVE_2021_36356, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_06_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DBltek GoIP GoIP-1 GSM Gateway - Local File Inclusion"; flow:established,to_server; http.uri; content:"/default/en_US/frame."; startswith; fast_pattern; content:"html?"; within:10; pcre:"/^\x2fdefault\x2fen_US\x2fframe(?:\x2eA100)?\x2ehtml\?(?:content|sidebar)=.*\x2e\x2e\x2f/i"; reference:url,shufflingbytes.com/posts/hacking-goip-gsm-gateway/; reference:url,www.exploit-db.com/exploits/50775; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; classtype:attempted-admin; sid:2036729; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_05_31, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cab-fare-calculator/"; fast_pattern; content:"controller=|2e 2e 2f|"; distance:0; reference:url,www.exploit-db.com/exploits/50843; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; classtype:attempted-admin; sid:2036739; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, created_at 2022_06_01, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:exploit-kit; sid:2017715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_14, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Archeevo 5.0 - Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/error?StatusCode=404&file="; fast_pattern; content:!"~/FileNotFoundPage.html"; within:23; reference:url,www.exploit-db.com/exploits/50665; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,miguelsantareno.github.io/MoD_1.pdf; classtype:attempted-admin; sid:2036740; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, created_at 2022_06_01, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_06_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:exploit-kit; sid:2017793; rev:4; metadata:created_at 2013_12_05, updated_at 2013_12_05;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fuel/pages/select/"; fast_pattern; content:"filter=|27 2b|"; content:"|2b 27|"; distance:0; reference:url,github.com/daylightstudio/FUEL-CMS/issues/478; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2018-16763; classtype:attempted-admin; sid:2036748; rev:1; metadata:attack_target Web_Server, created_at 2022_06_02, cve CVE_2018_16763, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_06_02;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021397; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=ping"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036749; rev:1; metadata:attack_target Web_Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_06_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED External IP Lookup ip-api.com"; flow:established,to_server; content:"GET"; http_method; content:"/xml"; http_uri; content:"ip-api.com"; fast_pattern:only; http_header; classtype:external-ip-check; sid:2021406; rev:3; metadata:created_at 2015_07_13, updated_at 2015_07_13;)
+alert http any any -> any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=traceroute"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036750; rev:1; metadata:attack_target Web_Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_06_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021393; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Bonitasoft Successful Default User Login Attempt (Possible Staging for CVE-2022-25237)"; flow:established,to_client; flowbits:isset,ET.BonitaDefaultCreds; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; fast_pattern; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:successful-admin; sid:2036817; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021411; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass M1 (CVE-2022-25237)"; flow:established,to_server; http.uri; content:"|3b|i18ntranslation"; fast_pattern; http.cookie; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036818; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass M2 (CVE-2022-25237)"; flow:established,to_server; http.uri.raw; content:"/i18ntranslation/../"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036819; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021417; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M2 (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bonita/API/pageUpload"; startswith; content:"action=add"; http.uri.raw; content:"/i18ntranslation/../"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036820; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED APT CozyCar SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.illuminatistudios.net"; distance:1; within:26; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021421; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category TROJAN, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_03_27;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M1 (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bonita/API/pageUpload"; startswith; content:"action=add"; content:"|3b|i18ntranslation"; fast_pattern; http.cookie; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036821; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021426; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific (CVE-2012-0507)"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:11; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, tag Metasploit, updated_at 2022_03_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021427; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT EIP in URI M1 (CVE-2012-4792)"; flow:established,to_server; http.uri.raw; content:"/%E0%B4%8C%E1%88%92"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:5; metadata:created_at 2012_12_31, former_category EXPLOIT, updated_at 2020_09_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (HTTPBrowser CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 d3 99 b4 6f 4e 77 43|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021428; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Landing Page (CVE-2013-0422)"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:command-and-control; sid:2019601; rev:6; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2014_10_30;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Zimbra Autodiscover Servlet XXE (CVE-2019-9670)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Autodiscover/Autodiscover.xml"; http.request_body; content:"<!ENTITY|20|"; content:"|20|SYSTEM|20 22|"; fast_pattern; pcre:"/^\s?(?:file|https?)\x3a/Ri"; reference:cve,2019-9670; classtype:attempted-admin; sid:2037040; rev:1; metadata:attack_target Server, created_at 2022_06_20, cve CVE_2019_9670, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_06_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Archie.EK IE CVE-2013-2551 Payload Struct"; flow:to_server,established; urilen:3; content:"/dd"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; classtype:exploit-kit; sid:2018934; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Tommcat/JBoss RCE Inbound (CVE-2013-4810)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/"; content:"InvokerServlet/"; fast_pattern; http.request_body; content:"|ac ed 00|"; depth:5; reference:cve,2013-4810; classtype:attempted-admin; sid:2037041; rev:1; metadata:attack_target Server, created_at 2022_06_20, cve CVE_2013_4810, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_06_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021431; rev:2; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2015_07_17;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|28 27 24 7b 24 7b|env|3a|"; depth:30; fast_pattern; content:"|3a 2d|j|7d|ndi|24 7b|env|3a|"; distance:0; content:"|2f|TomcatBypass|2f|Command|2f|Base64|2f|"; distance:0; reference:url,isc.sans.edu/diary/rss/28246; reference:cve,2021-44228; classtype:attempted-admin; sid:2037046; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2022_06_21, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - HTTP URI Obfuscation (CVE-2021-44228) (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|28 27 24 7b 24 7b|env|3a|"; depth:25; fast_pattern; content:"|3a 2d|j|7d|ndi|24 7b|env|3a|"; distance:0; content:"|2f|TomcatBypass|2f|Command|2f|Base64|2f|"; distance:0; reference:url,isc.sans.edu/diary/rss/28246; reference:cve,2021-44228; classtype:attempted-admin; sid:2037047; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2022_06_21, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021436; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)"; flow:from_server,established; file.data; bsize:>4095; content:"ms|2d|msdt|3a 2f|"; nocase; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|Windows|2f|System32|2f|mpsigstub|2e|exe"; distance:700; fast_pattern; reference:cve,2022-30190; reference:md5,783f850d06c9f1286eb9b1bda0af0bce; classtype:attempted-user; sid:2037083; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, cve CVE_2022_30190, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_06_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:command-and-control; sid:2021437; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted Mitel MiVoice Connect Data Validation RCE Inbound (CVE-2022-29499)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scripts/vtest.php?get_url=http://127.0.0.1/ucbsync.php?cmd=syncfile:db_files/"; http.header_names; content:!"Referer"; reference:url,www.crowdstrike.com/blog/novel-exploit-detected-in-mitel-voip-appliance/; reference:cve,2022-29499; classtype:attempted-admin; sid:2037121; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_06_24, cve CVE_2022_29499, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021445; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ManageEngine ADAudit Plus Directory Traversal Leading to Deserialization"; flow:established,to_server; http.uri; content:"/cewolf/"; fast_pattern; content:"?img="; distance:0; pcre:"/^(?:\/?\.\.?\/){2}/R"; content:"|2e 2f|"; reference:url,www.horizon3.ai/red-team-blog-cve-2022-28219/; classtype:attempted-admin; sid:2037216; rev:1; metadata:attack_target Server, created_at 2022_06_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_06_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021446; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ManageEngine ADAudit Plus XXE (CVE-2022-28219)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/agent/tabs/agentData"; endswith; fast_pattern; http.request_body; content:"|22|Task|20|Content|22|"; content:"<?"; distance:0; content:"<!ENTITY|20|"; distance:0; reference:url,www.horizon3.ai/red-team-blog-cve-2022-28219/; reference:cve,2022-28219; classtype:attempted-admin; sid:2037217; rev:1; metadata:attack_target Server, created_at 2022_06_30, cve CVE_2022_28219, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_06_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 20 2015 M3"; flow:to_client,established; file_data; content:"html class=|22|js js sessionstorage|22|"; fast_pattern:13,20; content:"getURLParameter"; distance:0; content:"Toll Free"; nocase; distance:0; content:"myFunction|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2021448; rev:2; metadata:created_at 2015_07_20, updated_at 2015_07_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:4; metadata:created_at 2013_09_03, former_category EXPLOIT, updated_at 2013_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:command-and-control; sid:2021049; rev:2; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:4; metadata:created_at 2013_09_03, former_category EXPLOIT, updated_at 2013_09_03;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:4; metadata:created_at 2013_09_03, former_category EXPLOIT, updated_at 2013_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:command-and-control; sid:2021503; rev:1; metadata:created_at 2015_07_22, former_category MALWARE, malware_family QRat, updated_at 2018_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:".classPK"; content:"$"; distance:-21; within:1; content:".classPK"; distance:0; content:"$"; distance:-21; within:1; pcre:"/\b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK/s"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb; classtype:attempted-user; sid:2017568; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_10_08, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Exploit Specific Function Naming"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_09_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Use-After-Free Inbound (CVE-2012-4792)"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:7; metadata:created_at 2013_01_03, former_category EXPLOIT, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK SilverLight Payload Request - May 2014"; flow:established,to_server; urilen:71<>79; content:!"/aHR0c"; depth:6; http_uri; content:!"/Uk0v"; depth:5; http_uri; content:"="; http_uri; offset:71; depth:6; pcre:"/^\/[-a-zA-Z0-9_]{70,75}==?$/U"; reference:url,blogs.cisco.com/security/angling-for-silverlight-exploits/; classtype:exploit-kit; sid:2018497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"symbol"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]symbol[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:7; metadata:created_at 2013_01_09, former_category EXPLOIT, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:exploit-kit; sid:2021507; rev:2; metadata:created_at 2015_07_22, updated_at 2015_07_22;)
+#alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"yaml"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]yaml[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:7; metadata:created_at 2013_01_09, former_category EXPLOIT, updated_at 2020_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; classtype:exploit-kit; sid:2021509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:6; metadata:created_at 2013_10_04, former_category EXPLOIT, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:exploit-kit; sid:2021510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; http.method; content:"GET"; nocase; http.referer; content:"?//"; fast_pattern; pcre:"/\/(?:(?:index|toc)\.html?)?\?\/\//i"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:6; metadata:created_at 2013_06_20, former_category EXPLOIT, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:social-engineering; sid:2020623; rev:3; metadata:created_at 2015_03_05, updated_at 2015_03_05;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021512; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP SITE command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"SITE"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010732; classtype:attempted-recon; sid:2010732; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021515; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RMDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RMDIR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010733; classtype:attempted-recon; sid:2010733; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021514; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP MKDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"MKDIR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010734; classtype:attempted-recon; sid:2010734; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021516; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP PWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"PWD"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010735; classtype:attempted-recon; sid:2010735; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021517; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RETR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RETR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010736; classtype:attempted-recon; sid:2010736; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP NLST command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"NLST"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010737; classtype:attempted-recon; sid:2010737; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021519; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNTO command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNTO"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010738; classtype:attempted-recon; sid:2010738; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Fake AV Phone Scam Landing July 23 2015"; flow:to_client,established; file_data; content:"navigator.sayswho"; content:"alertforSecuity"; fast_pattern; distance:0; content:"Firefox"; distance:0; content:"Chrome"; distance:0; content:"Netscape"; distance:0; classtype:social-engineering; sid:2021522; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP RNFR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNFR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010739; classtype:attempted-recon; sid:2010739; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:".php/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/P"; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/Hmi"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021524; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP STOR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"STOR"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010740; classtype:attempted-recon; sid:2010740; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021525; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP HP-UX LIST command without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:"LIST "; nocase; depth:5; reference:cve,2005-3296; reference:bugtraq,15138; reference:url,doc.emergingthreats.net/bin/view/Main/2002851; classtype:attempted-recon; sid:2002851; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:md5,2190a2c0a3775bc9c60629ec2eb6f3b9; reference:md5,bfbc0b106a440c111a42936906d36643; classtype:command-and-control; sid:2012842; rev:3; metadata:created_at 2011_05_25, former_category MALWARE, updated_at 2011_05_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"SELECT"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/SELECT.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009981; classtype:attempted-user; sid:2009981; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021529; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"DELETE"; within:200; nocase; content:"FROM"; distance:0; nocase; pcre:"/DELETE.+FROM/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009982; classtype:attempted-user; sid:2009982; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021541; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INSERT"; within:200; nocase; content:"INTO"; distance:0; nocase; pcre:"/INSERT.+INTO/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009983; classtype:attempted-user; sid:2009983; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021546; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UPDATE"; within:200; nocase; content:"SET"; distance:0; nocase; pcre:"/UPDATE.+SET/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009984; classtype:attempted-user; sid:2009984; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"UNION"; within:200; nocase; content:"SELECT"; distance:0; nocase; pcre:"/UNION.+SELECT/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2009985; classtype:attempted-user; sid:2009985; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021553; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"USER"; depth:4; content:"INTO"; within:200; nocase; content:"OUTFILE"; distance:0; nocase; pcre:"/INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010081; classtype:attempted-user; sid:2010081; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:exploit-kit; sid:2021559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:2101992; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021563; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:2101971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021565; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:2101972; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021566; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:2101973; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:2101974; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021568; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101975; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101976; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:2101942; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:2101920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, updated_at 2015_08_01;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:2101921; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:exploit-kit; sid:2018909; rev:4; metadata:created_at 2014_08_07, former_category EXPLOIT_KIT, updated_at 2014_08_07;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:2100334; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019604; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:2100335; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020961; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:2100144; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021530; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2102449; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021562; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:2100337; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2101621; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021592; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:2101919; rev:24; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021593; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:2101888; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021594; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:2101864; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2015_08_04;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101778; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021596; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021598; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:2101748; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021599; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:2101728; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:exploit-kit; sid:2017841; rev:4; metadata:created_at 2013_12_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2102391; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021602; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:2101672; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021603; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:2101625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021604; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:2101623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, updated_at 2015_08_11;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:2101622; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021585; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:2101529; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ghheranon.ad"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021613; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:2101562; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|idcythef.tj"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021614; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:2101928; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP FTP CWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"CWD"; nocase; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010731; classtype:attempted-recon; sid:2010731; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; content:!"fonts.gstatic.com|0d 0a|"; http_header; content:!".fitbit.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2016155; rev:7; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; classtype:not-suspicious; sid:2002850; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021622; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:2100543; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021623; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:2100544; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021633; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100545; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021635; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; depth:5; nocase; classtype:misc-activity; sid:2100546; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021636; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:2100548; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021634; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP anonymous login attempt"; flow:to_server,established; content:"USER "; depth:5; nocase; content:"anon"; distance:0; classtype:misc-activity; sid:2100553; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8; metadata:created_at 2013_08_13, former_category INFO, updated_at 2013_08_13;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD space space possible warez site"; flow:to_server,established; content:"MKD  "; depth:5; nocase; classtype:misc-activity; sid:2100547; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; classtype:exploit-kit; sid:2021638; rev:2; metadata:created_at 2015_08_17, former_category CURRENT_EVENTS, updated_at 2018_04_03;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP large PWD command"; flow:to_server,established; content:"PWD"; isdataat:7,relative; content:!"|0A|"; within:7; nocase; classtype:protocol-command-decode; sid:2101624; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:".html&"; http_uri; fast_pattern; content:"/"; distance:-47; http_uri; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})?$/U"; classtype:exploit-kit; sid:2021639; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; fast_pattern:only; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:2100308; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:"Referer|3a|"; http_header; content:"|3a|443/"; distance:0; http_header; fast_pattern; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{40}\/$/U"; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021640; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD overflow"; flow:to_server,established; content:"MKD "; isdataat:100,relative; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:2100349; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (euro-rafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|euro-rafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021646; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; fast_pattern:only; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:2100339; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments-Paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|holidayapartments-Paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021647; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:2100338; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (paris-holidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|paris-holidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021648; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP PWD overflow"; flow:to_server,established; content:"PWD|0A|/i"; fast_pattern:only; classtype:attempted-admin; sid:2100340; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (franceholidayapartments.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|17|franceholidayapartments|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021649; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP XXXXX overflow"; flow:to_server,established; content:"XXXXX/"; fast_pattern:only; classtype:attempted-admin; sid:2100341; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (apartmentsin-paris.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|apartmentsin-paris|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021650; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:2100346; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingholiday.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|raftingholiday|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021651; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:2100343; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (eurorafting-tr.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|eurorafting-tr|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021652; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; fast_pattern:only; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:2100344; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (turkeyextremerafting.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|turkeyextremerafting|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021653; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; fast_pattern:only; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:2100342; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (raftingtours-turkey.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|raftingtours-turkey|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021654; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; fast_pattern; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:2100345; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021655; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:2100348; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazy-jump.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|crazy-jump|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021656; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; fast_pattern:only; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:2100360; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (dive-extreme.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dive-extreme|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021657; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:2100361; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-ar.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-ar|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021658; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2102344; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021660; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2102343; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021661; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2102340; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (brazil-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|brazil-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021662; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:100,relative; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2102338; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021663; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102333; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-br.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-br|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021664; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102332; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (divextreme-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|divextreme-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021665; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2102179; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (crazyjump-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|crazyjump-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021666; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2102178; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (stuntjumps.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|stuntjumps|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021667; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; fast_pattern; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2102125; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (tandemskydive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tandemskydive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021668; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive-au.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|groupdive-au|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021669; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2102574; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (au-skydivelessons.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|au-skydivelessons|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021670; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungee4you-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|bungee4you-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021671; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (uruguay-crazybungee.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|uruguay-crazybungee|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021672; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (bungeejumping-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bungeejumping-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021673; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupbungee-uy.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|groupbungee-uy|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021674; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (circlesofourlives-ir.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|circlesofourlives-ir|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021675; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (clickflowers-hk.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|clickflowers-hk|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021676; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (cropcirclestours.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cropcirclestours|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021677; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (irelancropcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|irelancropcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021678; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (ir-cool.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|ir-cool|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021679; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (magnificentcircles.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|magnificentcircles|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021680; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (china-flowershop.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|china-flowershop|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021681; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2102417; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (hongkong-bouquets.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|hongkong-bouquets|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021682; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (beautifuldaisies.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|beautifuldaisies|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021683; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (rosesinchina.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|rosesinchina|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021684; rev:1; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:2100491; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021686; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:2101449; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021695; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:exploit-kit; sid:2021696; rev:2; metadata:created_at 2015_08_20, updated_at 2015_08_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server response inbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021701; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP authorized_keys file transferred"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:2101927; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET 25565 -> $EXTERNAL_NET any (msg:"ET GAMES MINECRAFT Server response outbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021702; rev:1; metadata:created_at 2015_08_21, former_category GAMES, updated_at 2015_08_21;)
+#alert tcp any any -> $HOME_NET 21 (msg:"ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url,sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:5; metadata:created_at 2010_12_02, former_category FTP, updated_at 2010_12_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET DELETED Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:exploit-kit; sid:2021694; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER|20|"; nocase; isdataat:100,relative; pcre:"/^USER\x20[^\x00\x20\x0a\x0d]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:2101734; rev:36; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021703; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:12; metadata:created_at 2010_09_23, former_category FTP, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021704; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021705; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; fast_pattern; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021706; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern; classtype:suspicious-login; sid:2100357; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_25, former_category CURRENT_EVENTS, updated_at 2015_08_25;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021717; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017413; rev:3; metadata:created_at 2013_09_04, former_category MALWARE, updated_at 2013_09_04;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; fast_pattern; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:15; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021722; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021721; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:3; metadata:created_at 2013_03_29, updated_at 2019_10_08;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021720; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET FTP Outbound Java Anonymous FTP Login"; flow:to_server,established; content:"USER anonymous|0d 0a|PASS Java1."; fast_pattern; pcre:"/^\d\.\d(_\d+)?\@\r\n/R"; flowbits:set,ET.Java.FTP.Logon; classtype:misc-activity; sid:2016687; rev:4; metadata:created_at 2013_03_29, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021725; rev:2; metadata:created_at 2015_08_27, former_category EXPLOIT_KIT, updated_at 2015_08_27;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:exploit-kit; sid:2021707; rev:3; metadata:created_at 2015_08_24, former_category EXPLOIT_KIT, updated_at 2015_08_24;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:command-and-control; sid:2021724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Starcraft login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"RATS"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002101; classtype:policy-violation; sid:2002101; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Brood War login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PXES"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002102; classtype:policy-violation; sid:2002102; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:targeted-activity; sid:2021726; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"LTRD"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002103; classtype:policy-violation; sid:2002103; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:targeted-activity; sid:2021727; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo 2 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"VD2D"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002104; classtype:policy-violation; sid:2002104; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:targeted-activity; sid:2021728; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Diablo 2 Lord of Destruction login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PX2D"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002105; classtype:policy-violation; sid:2002105; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021731; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 2 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"NB2W"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002106; classtype:policy-violation; sid:2002106; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021732; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 3 login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"3RAW"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002107; classtype:policy-violation; sid:2002107; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021733; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net old game version"; flow:established,from_server; content:"|FF 51|"; depth:2; content:"|00 01 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002109; classtype:policy-violation; sid:2002109; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021734; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net invalid version"; flow:established,from_server; content:"|FF 51 08 00 01 01 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002110; classtype:policy-violation; sid:2002110; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:exploit-kit; sid:2021740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net invalid cdkey"; flow:established,from_server; content:"|FF 51 09 00 00 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002111; classtype:policy-violation; sid:2002111; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:exploit-kit; sid:2020426; rev:3; metadata:created_at 2015_02_16, updated_at 2015_02_16;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net cdkey in use"; flow:established,from_server; content:"|FF 51|"; depth:2; content:"|01 02 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002112; classtype:policy-violation; sid:2002112; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net banned key"; flow:established,from_server; content:"|FF 51 09 00 02 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002113; classtype:policy-violation; sid:2002113; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net wrong product"; flow:established,from_server; content:"|FF 51 09 00 03 02 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002114; classtype:policy-violation; sid:2002114; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:command-and-control; sid:2021748; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user in channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|01 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002118; classtype:policy-violation; sid:2002118; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021750; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user joined channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|02 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002140; classtype:policy-violation; sid:2002140; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021751; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user left channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|03 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002141; classtype:policy-violation; sid:2002141; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021755; rev:2; metadata:created_at 2015_09_09, former_category EXPLOIT_KIT, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net received whisper message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|04 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002142; classtype:policy-violation; sid:2002142; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net received server broadcast"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|06 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002143; classtype:policy-violation; sid:2002143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P<addr1>.{4})(?P<addr2>.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:2; metadata:created_at 2015_09_10, updated_at 2015_09_10;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net joined channel"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|07 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002144; classtype:policy-violation; sid:2002144; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net user had a flags update"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|09 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002145; classtype:policy-violation; sid:2002145; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021767; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net sent a whisper"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0a 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002146; classtype:policy-violation; sid:2002146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021769; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel full"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0d 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002147; classtype:policy-violation; sid:2002147; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021770; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel doesn't exist"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0e 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002148; classtype:policy-violation; sid:2002148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021771; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net channel is restricted"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|0f 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002149; classtype:policy-violation; sid:2002149; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net informational message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|12 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002150; classtype:policy-violation; sid:2002150; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021776; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net error message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|13 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002151; classtype:policy-violation; sid:2002151; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021777; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net 'emote' message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|17 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002152; classtype:policy-violation; sid:2002152; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021778; rev:2; metadata:created_at 2015_09_15, former_category EXPLOIT_KIT, updated_at 2015_09_15;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net outgoing chat message"; flow:established,to_server; content:"|FF 0E|"; depth:2; reference:url,doc.emergingthreats.net/bin/view/Main/2002119; classtype:policy-violation; sid:2002119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021779; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3724 (msg:"ET GAMES World of Warcraft connection"; flow:established,to_server; content:"|00|"; depth:1; content:"|25 00|WoW|00|"; distance:1; within:7; reference:url,doc.emergingthreats.net/bin/view/Main/2002138; classtype:policy-violation; sid:2002138; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021780; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 3724 -> $HOME_NET any (msg:"ET GAMES World of Warcraft failed logon"; flow:established,from_server; content:"|01 0A|"; depth:2; reference:url,doc.emergingthreats.net/bin/view/Main/2002139; classtype:policy-violation; sid:2002139; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021781; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Guild Wars connection"; flow:established,to_server; content:"|01 00 00 00 00 F1 00 10 00 01 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002154; classtype:policy-violation; sid:2002154; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021782; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net incoming chat message"; flow:established,from_server; content:"|FF 0F|"; depth:2; content:"|05 00 00 00|"; offset:4; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002170; classtype:policy-violation; sid:2002170; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021783; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 27015 (msg:"ET GAMES Steam connection"; content:"getchallengesteam"; reference:url,doc.emergingthreats.net/bin/view/Main/2002155; classtype:policy-violation; sid:2002155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021784; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 27020:27050 (msg:"ET GAMES STEAM Connection (v2)"; flow:established,to_server; content:"|00 00 00 03|"; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003089; classtype:policy-violation; sid:2003089; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:exploit-kit; sid:2017570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak3 Connect"; content:"|00 00 00 00 02 9d 74 8b 45 aa 7b ef b9 9e fe ad 08 19 ba cf 41 e0 16 a2|"; offset:8; depth:24; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011733; classtype:policy-violation; sid:2011733; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:command-and-control; sid:2021785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login"; content:"|f4 be 03 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011734; classtype:policy-violation; sid:2011734; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 3"; flow:established,to_server; content:"ZEV4ZWN"; http_uri; classtype:trojan-activity; sid:2012923; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Login Replay"; content:"|f4 be 04 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011735; classtype:policy-violation; sid:2011735; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 1"; flow:established,to_server; content:"Q21kRXhl"; http_uri; classtype:trojan-activity; sid:2012921; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping"; content:"|f4 be 01 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011736; classtype:policy-violation; sid:2011736; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible TDSS Base64 Encoded Command 2"; flow:established,to_server; content:"bWRFeGVj"; http_uri; classtype:trojan-activity; sid:2012922; rev:3; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Connection/Ping Reply"; content:"|f4 be 02 00|"; depth:4; threshold:type limit, count 1, seconds 300, track by_src; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011737; classtype:policy-violation; sid:2011737; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021789; rev:2; metadata:created_at 2015_09_17, former_category MALWARE, updated_at 2015_09_17;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Channel List"; content:"|f0 be 06 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011739; classtype:policy-violation; sid:2011739; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET MALWARE PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021791; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player List"; content:"|f0 be 07 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011740; classtype:policy-violation; sid:2011740; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login End"; content:"|f0 be 08 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011741; classtype:policy-violation; sid:2011741; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021797; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/New Player Joined"; content:"|f0 be 64 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011742; classtype:policy-violation; sid:2011742; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021798; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Player Left"; content:"|f0 be 65 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011743; classtype:policy-violation; sid:2011743; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021799; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Change Status"; content:"|f0 be 30 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011744; classtype:policy-violation; sid:2011744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021801; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Known Player Update"; content:"|f0 be 68 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011745; classtype:policy-violation; sid:2011745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021802; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Disconnect"; content:"|f0 be 2c 01|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011746; classtype:policy-violation; sid:2011746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021803; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 ACK"; content:"|f1 be|"; depth:2; dsize:16; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011747; classtype:policy-violation; sid:2011747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021804; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET GAMES Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; reference:url,doc.emergingthreats.net/2007746; classtype:policy-violation; sid:2007746; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021805; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Connect"; flow:to_server,established; content:"POST"; http_method; content:"/online_game/request.php"; http_uri; content:"User-Agent|3a| GameBox"; http_header; content:"<request><name>Connect</name>"; nocase; http_client_body; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011752; classtype:policy-violation; sid:2011752; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021809; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6112 (msg:"ET GAMES Battle.net Warcraft 3 The Frozen throne login"; flow:established,to_server; content:"|FF 50|"; depth:2; content:"PX3W"; offset:12; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2002108; classtype:policy-violation; sid:2002108; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021810; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (OLS) wrong password"; flow:established,from_server; content:"|FF 3A 08 00 02 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002115; classtype:policy-violation; sid:2002115; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Meterpreter or Other Reverse Shell SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|04 08 bb 00 ee|"; distance:23; within:5; fast_pattern; content:"|55 04 06 13 00|"; distance:0; content:"|55 04 08 13 00|"; distance:0; content:"|55 04 07 13 00|"; distance:0; content:"|55 04 0a 13 00|"; distance:0; content:"|55 04 0b 13 00|"; distance:0; content:"|55 04 03 13 00|"; distance:0; reference:md5,c3f76f444edf0b90b887d7979342e9f0; classtype:trojan-activity; sid:2035651; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"ET GAMES Battle.net failed account login (NLS) wrong password"; flow:established,from_server; content:"|FF 54 1C 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002116; classtype:policy-violation; sid:2002116; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:domain-c2; sid:2021815; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET GAMES TeamSpeak2 Standard/Login Part 2"; flow:established; content:"|f0 be 05 00|"; depth:4; reference:url,teamspeak.com; reference:url,doc.emergingthreats.net/2011738; classtype:policy-violation; sid:2011738; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:domain-c2; sid:2021816; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021817; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021818; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; http_uri; nocase; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:domain-c2; sid:2021819; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 25565 -> $HOME_NET any (msg:"ET GAMES MINECRAFT Server response inbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021701; rev:1; metadata:created_at 2015_08_21, updated_at 2015_08_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:!"Referer|3a|"; http_header; content:"unit_action="; depth:12; http_client_body; fast_pattern; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021823; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, signature_severity Major, tag c2, updated_at 2015_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET 25565 -> $EXTERNAL_NET any (msg:"ET GAMES MINECRAFT Server response outbound"; flow:established,from_server; content:"|7B 22|"; depth:10; classtype:policy-violation; sid:2021702; rev:1; metadata:created_at 2015_08_21, former_category GAMES, updated_at 2015_08_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021824; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET !443 (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flow:to_client; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021825; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Ad Report"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/ad_report.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"protocol="; http_uri; content:"author="; http_uri; content:"login="; http_uri; content:"zone="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011758; classtype:policy-violation; sid:2011758; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021826; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Launch"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/launcher_init.php?"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011748; classtype:policy-violation; sid:2011748; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021827; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Check for Patch"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/patch.php?"; http_uri; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011749; classtype:policy-violation; sid:2011749; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021828; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetConnectionAndGameParams"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetConnectionAndGameParams</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011750; classtype:policy-violation; sid:2011750; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:exploit-kit; sid:2021840; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request OpenSession"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>OpenSession</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011751; classtype:policy-violation; sid:2011751; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:domain-c2; sid:2021842; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Disconnect"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>Disconnect</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011753; classtype:policy-violation; sid:2011753; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetOnlineProfile"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetOnlineProfile</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011754; classtype:policy-violation; sid:2011754; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021844; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetBuddies"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetBuddies</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011755; classtype:policy-violation; sid:2011755; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021845; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request SearchNew"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>SearchNew</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011756; classtype:policy-violation; sid:2011756; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2; metadata:created_at 2015_09_30, former_category CURRENT_EVENTS, updated_at 2015_09_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request LiveUpdate"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>LiveUpdate</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011757; classtype:policy-violation; sid:2011757; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Growtopia Hack - WrongGrow CnC Activity"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|20|HeySurfer#1234"; fast_pattern; reference:md5,b76a144f412b680e6a04ee4f4fbcf000; classtype:bad-unknown; sid:2029784; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category GAMES, signature_severity Informational, updated_at 2020_04_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021863; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Second Life setup download"; flow:established,to_server; http.uri; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:4; metadata:created_at 2011_11_11, updated_at 2020_04_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021864; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; http.header; content:"(Nintendo Wii"; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:4; metadata:created_at 2012_05_08, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021865; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Blizzard"; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/2011708; classtype:policy-violation; sid:2011708; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021866; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Dragon Raja Activity"; flow:established,to_server; http.uri; bsize:14; content:"/setup/dir.txt"; http.user_agent; bsize:16; content:"DragonRajaOrigin"; fast_pattern; reference:md5,33200121c71932220c67b9f3ccc57d60; classtype:misc-activity; sid:2030484; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Major, updated_at 2020_07_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow: established,to_server; http.user_agent; content: "Blizzard Web Client"; nocase; depth:19; classtype:policy-violation; sid:2012170; rev:4; metadata:created_at 2011_01_10, updated_at 2020_08_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 eb 96 25 e5 32 57 ee 34|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,77ebe2b014baf75e45c3009b0d42fa5d; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021868; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Wolfteam HileYapak Server Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; file.data; content:"Temizleme Yapildi HileYapak"; depth:27; fast_pattern; reference:md5,85cf4df17fcf04286fcbbdf9fbe11077; classtype:policy-violation; sid:2027417; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2020_10_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021869; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Playit Activity (playit .gg)"; flow:established,to_server; http.method; content:"GET"; http.referer; content:"https://playit.gg/claim/v2/"; startswith; http.host; content:"playit.gg"; bsize:9; fast_pattern; reference:md5,adef7b6d9fcd8c2a0fabd94d73bc9789; classtype:policy-violation; sid:2031619; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, deployment SSLDecrypt, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2021_02_12;)
 
-#alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg:"ET DELETED Soulseek traffic (2)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001186; classtype:policy-violation; sid:2001186; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES GameHouse License Check"; flow:established,to_server; http.request_line; content:"POST /lm/dynamicLicense HTTP/1.1"; bsize:32; fast_pattern; http.header_names; content:"|0d 0a|Referer|0d 0a|"; http.request_body; content:"parameters="; startswith; reference:md5,0e29380dcc1f9a57f545fc26b4045c94; classtype:policy-violation; sid:2031878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2021_03_08;)
 
-#alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg:"ET DELETED Soulseek traffic (1)"; flow: established; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001185; classtype:policy-violation; sid:2001185; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES Moonlight Hack Domain in DNS Lookup"; dns.query; content:"moonsoft.eu3.biz"; nocase; bsize:16; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034841; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
 
-#alert tcp $EXTERNAL_NET 6112 -> $HOME_NET !443 (msg:"ET GAMES Battle.net connection reset (possible IP-Ban)"; flow:to_client; flags:R,12; reference:url,doc.emergingthreats.net/bin/view/Main/2002117; classtype:policy-violation; sid:2002117; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES Moonlight Hack Domain in DNS Lookup"; dns.query; content:"moonlight.uno"; nocase; bsize:13; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034842; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021884; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Moonlight Hack Actvity (GET)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moonlight.uno"; bsize:13; fast_pattern; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034843; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, deployment SSLDecrypt, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021885; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES UnknownApps Game Cheat Service Checkin (auth .hwidspoof .me)"; dns.query; content:"auth.hwidspoof.me"; nocase; bsize:17; reference:md5,26c643629102e506561890596fb2dd5c; reference:md5,dc4b2c44289288d64fa757311515304f; classtype:misc-activity; sid:2034901; rev:1; metadata:created_at 2022_01_12, updated_at 2022_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:exploit-kit; sid:2019542; rev:7; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
+alert dns $HOME_NET any -> any any (msg:"ET GAMES UnknownApps Game Cheat Service Checkin (auth .unknownp .one)"; dns.query; content:"auth.unknownp.one"; nocase; bsize:17; reference:md5,26c643629102e506561890596fb2dd5c; reference:md5,dc4b2c44289288d64fa757311515304f; classtype:misc-activity; sid:2034902; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
 
-#alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; reference:url,doc.emergingthreats.net/bin/view/Main/2002656; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Solaris2 Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/patch/serial.php|20|"; startswith; fast_pattern; http.user_agent; content:"Solaris"; bsize:7; http.request_body; content:"cpuid="; startswith; content:"&hddserial="; distance:0; content:"&macaddr="; distance:0; content:"&machineguid="; distance:16; within:13; content:"&name="; distance:0; content:"&serial="; distance:0; content:!"&"; distance:0; reference:md5,9953874a71e5df4a8b73a83db9576ae4; reference:url,solaris2.hu; classtype:misc-activity; sid:2037905; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_03, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2022_08_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021887; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021888; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-02"; flow:to_client,established; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"Thank you</title>"; nocase; distance:0; content:"information.Your submitted"; nocase; distance:0; content:"Accounts Management Department in 24 hours"; nocase; distance:0; classtype:credential-theft; sid:2031686; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2015_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING Suspicious SMTP handshake outbound"; flow:established,to_server; content:"001 RUTHERE"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008562; classtype:unknown; sid:2008562; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP handshake reply"; flow:established,from_server; content:"701 IMHERE"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008563; classtype:unknown; sid:2008563; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET HUNTING OUTBOUND Suspicious Email Attachment"; flow: to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename="; distance:0; pcre:"/^\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c(rt|[ho]m|li|pl|md|pp)|d(iz|ll)|e(m[fl]|xe|bs)|h(lp|sq|ta)|jse?|m(d[abzew]|s[tcgip]|htm|ht)|p(cd|if|l[xsc]|[lm]|ot)|r(eg|ar)|s(cr|ct|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[msz]|s[cfh])|xl[tw]|folder|fol|ba[st]|i(sp|n[sif])|lnk|nws|ocx|zip|url)[\x27\x22\n\r\s]/iR"; reference:url,doc.emergingthreats.net/2000562; classtype:suspicious-filename-detect; sid:2000562; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021895; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"x-shockwave-flash"; nocase; distance:0; pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i"; classtype:bad-unknown; sid:2011866; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021896; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Percentage Symbol Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; nocase; content:!"|0d 0a|"; within:50; content:"%"; distance:0; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011487; rev:2; metadata:created_at 2010_09_29, former_category FTP, updated_at 2010_09_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021897; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwProtectVirtualMemory"; distance:0; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012768; rev:7; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021898; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2011_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET"; http_method; content:"nsi_install.php?"; http_uri; nocase; content:"aff_id="; nocase; http_uri; content:"&inst_result="; http_uri; content:"&id="; nocase; http_uri; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake%20AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; classtype:trojan-activity; sid:2009548; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:command-and-control; sid:2013805; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008055; classtype:command-and-control; sid:2008055; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:command-and-control; sid:2013806; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008056; classtype:command-and-control; sid:2008056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:8; metadata:created_at 2011_05_18, former_category MALWARE, updated_at 2011_05_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008057; classtype:command-and-control; sid:2008057; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (Win exe under 128)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:command-and-control; sid:2008058; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 160)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443"; flow:established,to_server; content:"|07|F"; depth:2; flowbits:isset,ET.inj.ajq.1; reference:url,doc.emergingthreats.net/2008059; classtype:command-and-control; sid:2008059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Executable (PE offset 512)"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Win32.Inject.ajq Initial Checkin to CnC Response port 443"; flow:established,from_server; flowbits:isset,ET.inj.ajq.1; dsize:4; content:"|00 0e 04 00|"; reference:url,doc.emergingthreats.net/2008060; classtype:command-and-control; sid:2008060; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:5; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2012_08_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021902; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"HttpAddRequestHeader"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:command-and-control; sid:2012767; rev:11; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2011_05_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021903; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021904; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:exploit-kit; sid:2021908; rev:3; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:3; metadata:created_at 2013_05_07, former_category INFO, updated_at 2013_05_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021909; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6; metadata:created_at 2013_08_13, former_category HUNTING, updated_at 2013_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021910; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021911; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2013_08_13;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 1"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|Priv|20|Version"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021912; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 1"; flow:established,from_server; file_data; content:"=(eval)|3b|"; classtype:bad-unknown; sid:2017334; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 2"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|says|20|"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021913; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 2"; flow:established,from_server; file_data; content:"=[|22|eval|22|]|3b|"; classtype:bad-unknown; sid:2017335; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 3"; flow:established,from_server; content:"NOTICE"; content:"|3a|[Apache / PHP 5.x"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021914; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:3; metadata:created_at 2013_08_15, former_category INFO, updated_at 2013_08_15;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 4"; flow:established,from_server; content:"NOTICE"; content:"FLOOD <target> <port> <secs>"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021915; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:exploit-kit; sid:2017579; rev:2; metadata:created_at 2013_10_11, former_category EXPLOIT_KIT, updated_at 2013_10_11;)
 
-alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 5"; flow:established,from_server; content:"NOTICE"; content:"|3a|Flooding with TCP"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021916; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021920; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021921; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021899; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021924; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:2; metadata:created_at 2013_11_25, former_category WEB_CLIENT, updated_at 2013_11_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021925; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021926; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; classtype:policy-violation; sid:2003315; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; classtype:policy-violation; sid:2009970; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2; metadata:created_at 2013_11_26, former_category WEB_CLIENT, updated_at 2013_11_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2; metadata:created_at 2013_12_20, former_category INFO, updated_at 2013_12_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (HTTPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{HTTPFLOOD}"; fast_pattern; nocase; content:"Started consuming data from host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021872; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - uncompressed pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ca fe d0 0d|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017909; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:3; metadata:created_at 2013_12_30, former_category INFO, updated_at 2013_12_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021874; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (AUTH)"; flow:established,from_server; content:"PRIVMSG"; content:"] {AUTH} User"; fast_pattern; distance:0; nocase; content:"logged "; distance:0; pcre:"/^(?:in|out)/R"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021875; rev:5; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2; metadata:created_at 2014_02_25, former_category CURRENT_EVENTS, updated_at 2014_02_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RAW)"; flow:established,from_server; content:"PRIVMSG"; content:"{RAW}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021876; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5; metadata:created_at 2014_02_13, former_category CURRENT_EVENTS, updated_at 2014_02_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (EXEC)"; flow:established,from_server; content:"PRIVMSG"; content:"{EXEC}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021877; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:from_server,established; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:2; metadata:created_at 2014_04_28, former_category CURRENT_EVENTS, updated_at 2014_04_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (CHSERVER)"; flow:established,from_server; content:"PRIVMSG"; content:"{CHSERVER}"; fast_pattern; nocase; content:"Changing server|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021878; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible WebShell Login Form (Outbound)"; flow:established,from_server; file_data; content:"<pre align=center><form method=post>Password|3a| <input type=password name=pass><input type=submit value=|27|>>|27|></form></pre>"; within:120; isdataat:!2,relative; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:trojan-activity; sid:2018459; rev:2; metadata:created_at 2014_05_09, former_category WEB_SERVER, updated_at 2014_05_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RESTART)"; flow:established,from_server; content:"PRIVMSG"; content:"{RESTART}"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021880; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)"; flow:from_server,established; flowbits:isset,ET.Suspicious.Domain.Fake.Browser; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018572; rev:2; metadata:created_at 2014_06_17, former_category HUNTING, updated_at 2014_06_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 1"; flow:established,from_server; content:"PRIVMSG"; content:"] Process finished => Total bytes read|3a|"; fast_pattern; nocase; content:"Total bytes sent|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021881; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\x3a.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; classtype:bad-unknown; sid:2010721; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 2"; flow:established,from_server; content:"PRIVMSG"; content:"Total connections completed|3a|"; fast_pattern; nocase; content:"Total connections failed|3a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021882; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"|5C|"; http_user_agent; depth:200; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_user_agent; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/Hi"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING suspicious embedded zip file in web page"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:40; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019324; rev:2; metadata:created_at 2014_09_30, former_category EXPLOIT_KIT, updated_at 2014_09_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021937; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:suspicious-filename-detect; sid:2019338; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PPT Download with Embedded OLE Object"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"ppt/embeddings/oleObject"; classtype:misc-activity; sid:2019405; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021933; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"; classtype:misc-activity; sid:2019407; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021934; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M3"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3/R"; classtype:misc-activity; sid:2019408; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; dsize:100<>300; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:command-and-control; sid:2013214; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M4"; flow:established,to_server; content:"cHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; classtype:misc-activity; sid:2019409; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021940; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M5"; flow:established,to_server; content:"cHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; classtype:misc-activity; sid:2019410; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M6"; flow:established,to_server; content:"BwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; classtype:misc-activity; sid:2019411; rev:2; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M1"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d/R"; classtype:misc-activity; sid:2019406; rev:3; metadata:created_at 2014_10_15, former_category SMTP, updated_at 2014_10_15;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"_|00|V|00|B|00|A|00|_|00|P|00|R|00|O|00|J|00|E|00|C|00|T|00|"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019837; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021945; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Windows nbtstat -r Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Names Resolution and Registration Statistics"; fast_pattern; content:"Name"; distance:0; content:"Type"; distance:0; content:"Status"; distance:0; classtype:trojan-activity; sid:2020956; rev:2; metadata:created_at 2015_04_21, former_category MALWARE, updated_at 2015_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response"; flow:established,to_client; flowbits:isset,http.dottedquadhost; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2021076; rev:2; metadata:created_at 2015_05_08, former_category INFO, updated_at 2015_05_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:command-and-control; sid:2021947; rev:3; metadata:created_at 2015_10_13, former_category MALWARE, updated_at 2015_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"/vbaProject"; nocase; pcre:"/\d*?\.bin/Ri"; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019835; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Possible Office Doc with Embedded VBA Project"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"_VBA_PROJECT"; nocase; flowbits:set,et.DocVBAProject; classtype:bad-unknown; sid:2019836; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2015_05_13;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021950; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8; metadata:created_at 2013_08_13, former_category INFO, updated_at 2013_08_13;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User-Agent Beginning with digits - Likely spyware/trojan"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| "; content:!"|0d 0a|User-Agent|3a| Mozilla/"; pcre:"/^\d+/V"; content:!"liveupdate.symantecliveupdate.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010697; classtype:trojan-activity; sid:2010697; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010579; classtype:policy-violation; sid:2010579; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,ET.SuspExeTLDs; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023464; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2017_10_12;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010580; classtype:policy-violation; sid:2010580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,ET.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021954; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5500 (msg:"ET HUNTING Suspicious VNC Remote Admin Request"; flow:to_server,established; content:"|49 44 3a|"; depth:3; content:"temp"; nocase; fast_pattern; distance:0; content:"|52 46 42 20 30 30 33 2e 30 30 38 0a|"; distance:0; reference:md5,2faf3040e8286d506144a0585d8f4162; classtype:trojan-activity; sid:2024029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Local file read using read protocol"; flow:established,to_client; file_data; content:"read|3a|"; nocase; fast_pattern; byte_test:1,>,0x21,-6,relative; byte_test:1,<,0x28,-6,relative; byte_test:1,!=,0x23,-6,relative; byte_test:1,!=,0x24,-6,relative; byte_test:1,!=,0x25,-6,relative; byte_test:1,!=,0x26,-6,relative; pcre:"/^\s*,\s*[a-zA-Z]\x3a[\x2f\x5c]/Ri"; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024031; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021957; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_12_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021958; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ARM Binary Downloaded via WGET Containing Suspicious Netcat Command - Possible IoT Malware"; flow:from_server,established; flowbits:isset,ET.armwget; content:"|25|24|25|28nc+"; content:"+-e+|25|2Fbin|25|2Fsh|25|29"; within:50; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024241; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_04_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021959; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:pup-activity; sid:2011124; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_09_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack"; flow:to_server,established; content:"/index.php?"; http_uri; nocase; content:"select="; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/URi"; reference:bugtraq,15068; reference:url,doc.emergingthreats.net/2002494; classtype:web-application-attack; sid:2002494; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; classtype:bad-unknown; sid:2024769; rev:2; metadata:created_at 2017_09_26, former_category WEB_CLIENT, updated_at 2017_09_26;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER|20|"; nocase; isdataat:100,relative; pcre:"/^USER\x20[^\x00\x20\x0a\x0d]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:2101734; rev:36; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:social-engineering; sid:2022974; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Oct 19 2015"; flow:established,from_server; file_data; content:!".swf"; content:"<html>"; pcre:"/^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?<\/script>/Rs"; content:"value=|22|#ffffff|22|"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021969; rev:3; metadata:created_at 2015_10_19, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:6; metadata:created_at 2013_05_24, former_category INFO, updated_at 2017_10_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|d8 57 45 e6 17 f8 ec bb|"; distance:4; within:8; classtype:exploit-kit; sid:2021970; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (2)"; flow:established,to_client; file_data; content:"|d5 88 7d dc 8a 95 4b be|"; distance:4; within:8; classtype:exploit-kit; sid:2021971; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017"; flow:established,from_server; file_data; content:"U3RhcnQtUHJvY2Vzc"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; classtype:exploit-kit; sid:2021972; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017"; flow:established,from_server; file_data; content:"N0YXJ0LVByb2Nlc3"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:domain-c2; sid:2021980; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017"; flow:established,from_server; file_data; content:"TdGFydC1Qcm9jZXNz"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; classtype:policy-violation; sid:2021983; rev:2; metadata:created_at 2015_10_20, former_category POLICY, updated_at 2015_10_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017"; flow:established,from_server; file_data; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021981; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021982; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| M|4f|zilla/"; http_header; reference:url,doc.emergingthreats.net/2003513; classtype:trojan-activity; sid:2003513; rev:12; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2; metadata:created_at 2015_10_21, former_category EXPLOIT, updated_at 2015_10_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; content:!"|0d 0a|Host|3a| download.releasenotes.nokia.com"; content:!"Mozilla/5.0|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; reference:url,doc.emergingthreats.net/2009295; classtype:trojan-activity; sid:2009295; rev:10; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox shell"; flow:to_server,established; content:"shell"; fast_pattern:only; pcre:"/\bshell\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023017; rev:3; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:2; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2015_10_21;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox enable"; flow:to_server,established; content:"enable"; fast_pattern:only; pcre:"/\benable\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023018; rev:4; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; fast_pattern; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (5)"; flow:established,to_client; file_data; content:"|91 29 83 25 66 1e be fb|"; distance:4; within:8; classtype:exploit-kit; sid:2021989; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert smtp any any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:3; metadata:created_at 2013_12_20, former_category INFO, updated_at 2019_03_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (6)"; flow:established,to_client; file_data; content:"|57 05 11 53 6c d2 02 f9|"; distance:4; within:8; classtype:exploit-kit; sid:2021990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetWire Variant - Client Hello"; flow:established,to_server; flowbits:set,ET.NetWire; flowbits:noalert; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021976; rev:2; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
+alert dns any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Registrar Nameservers in DNS Response (carbon2u)"; content:"|00 02 00 01|"; content:"|03|ns1|08|carbon2u|03|com|00|"; distance:14; within:18; fast_pattern; classtype:bad-unknown; sid:2027471; rev:1; metadata:created_at 2019_06_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2019_06_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NetWire Variant - Server Directory Listing Request"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01|"; depth:1; content:"|00 00 00 06 43 3A|"; distance:1; within:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021979; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)
+alert tcp any ![445,138,80] -> any any (msg:"ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command"; flow:established,to_client; content:"PRIVMSG|20|"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:5; metadata:created_at 2013_08_13, former_category CURRENT_EVENTS, updated_at 2019_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"<title>Sign in</title>"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; classtype:social-engineering; sid:2025692; rev:2; metadata:created_at 2015_10_22, former_category CURRENT_EVENTS, updated_at 2018_07_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; http_header; pcre:"/^([\x7f-\xff]){100}/HRi"; reference:md5,176638536e926019e3e79370777d5e03; classtype:pup-activity; sid:2017982; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021993; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2019_09_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021994; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:exploit-kit; sid:2018172; rev:3; metadata:created_at 2014_02_25, former_category WEB_CLIENT, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET HUNTING Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:2; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?)*?\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2021587; rev:5; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:3; metadata:created_at 2016_01_20, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Duuzer Checkin"; flow:established,to_server; content:"|32 a3 56 bb 47 4f 32 00|"; depth:8; fast_pattern; content:"|30 b9 00 00|"; distance:3; within:4; reference:url,symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers; reference:md5,cd7a72be9c16c2ece1140bc461d6226d; classtype:command-and-control; sid:2022000; rev:1; metadata:created_at 2015_10_26, former_category MALWARE, updated_at 2015_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern; classtype:misc-activity; sid:2022636; rev:4; metadata:created_at 2016_03_22, former_category INFO, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:exploit-kit; sid:2022001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Random String)"; flow:established,to_server; http.user_agent; content:"Random String"; bsize:13; reference:md5,a1e56bd465d1c1b5fc19384a3a7ec461; classtype:trojan-activity; sid:2028947; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2019_11_07;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request"; flow:established,to_server; content:"NO|7C|CRYPTDESK*"; depth:13; classtype:trojan-activity; sid:2022002; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Outbound)"; flow:established,to_server; content:"GET "; depth:4; content:"wget http"; within:200; content:"|20 3b 20|chmod "; within:200; fast_pattern; content:"|20 3b 20|./"; within:100; classtype:bad-unknown; sid:2029010; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2019_11_20;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Server Response"; flow:established,to_client; content:"GO8_=_8"; dsize:7; classtype:trojan-activity; sid:2022003; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Inbound)"; flow:established,to_server; content:"GET "; depth:4; content:"wget http"; within:200; content:"|20 3b 20|chmod "; within:200; fast_pattern; content:"|20 3b 20|./"; within:100; classtype:bad-unknown; sid:2029012; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, signature_severity Minor, updated_at 2019_11_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:exploit-kit; sid:2021708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious EXE requested with Java UA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; isdataat:!1,relative; http.header; content:"User-Agent|3a 20|Java/"; fast_pattern; classtype:misc-activity; sid:2029421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_02_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022004; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TGI] Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; flowbits:set,ET.entrust_entelligence; flowbits:noalert; http.user_agent; content:"Entrust Entelligence Security Provider"; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.entrustdatacard.com/products/pki/entrust-entelligence-security-provider; classtype:trojan-activity; sid:2029424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_02_12;)
 
-#alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_28, updated_at 2015_10_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TGI] Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; flowbits:isnotset,ET.entrust_entelligence; http.start; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; reference:url,github.com/fox-it/cobaltstrike-extraneous-space; classtype:trojan-activity; sid:2029425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_02_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:exploit-kit; sid:2022009; rev:3; metadata:created_at 2015_10_29, updated_at 2015_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Base64 Encoded potential malware"; flow:established,from_server; file.data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern; content:!"<html"; nocase; content:!"<body"; nocase; content:!"<script"; nocase; reference:url,urlhaus.abuse.ch/url/319004/; classtype:misc-activity; sid:2029538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4; metadata:created_at 2013_11_22, updated_at 2013_11_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Bit.do Shortened Link Request to EXE"; flow:established,to_client; flowbits:isset,ET.bit.do.shortener; http.stat_code; content:"30"; depth:2; http.location; content:".exe"; isdataat:!1,relative; classtype:misc-activity; sid:2029550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Downloaded from Github"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"|0d 0a|X-GitHub-Request-Id|0d 0a|"; fast_pattern; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:misc-activity; sid:2029573; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_03_04;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:domain-c2; sid:2022021; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wget+http"; within:200; content:"sh+/"; within:200; fast_pattern; content:"rm+-rf"; within:100; classtype:bad-unknown; sid:2029589; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_09, deployment Perimeter, signature_severity Major, updated_at 2020_03_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wget+http"; within:200; content:"sh+/"; within:200; fast_pattern; content:"rm+-rf"; within:100; classtype:bad-unknown; sid:2029590; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_09, deployment Perimeter, signature_severity Minor, updated_at 2020_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Lets Encrypt Certificate - Possible COVID-19 Related M1"; flow:established,to_client; tls.cert_subject; content:"covid"; nocase; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029703; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_03_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Lets Encrypt Certificate - Possible COVID-19 Related M2"; flow:established,to_client; tls.cert_subject; content:"corona"; nocase; fast_pattern; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_03_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:social-engineering; sid:2022029; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1"; dns.query; content:"covid"; nocase; classtype:bad-unknown; sid:2029709; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_03_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive"; flow:from_server,established; dsize:<100; content:"ping|7c|"; depth:5; content:!"|7c|"; within:1; classtype:trojan-activity; sid:2017990; rev:12; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M2"; flow:to_server,established; content:"coronavirus"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029777; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"<title>Meet Google Drive"; nocase; distance:0; classtype:social-engineering; sid:2022035; rev:2; metadata:created_at 2015_11_04, former_category CURRENT_EVENTS, updated_at 2017_08_17;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M3"; flow:to_server,established; content:"covid19"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029778; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022036; rev:2; metadata:created_at 2015_11_04, former_category PHISHING, updated_at 2019_09_06;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M4"; flow:to_server,established; content:"corona virus"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029779; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"var translate_dict = {"; nocase; content:"VERIFICATION_CODE"; nocase; distance:0; fast_pattern; content:"VERIFICATION_CODE_REQUIRED"; nocase; distance:0; content:"NOT_BEGIN_OR_END_WITH_SPACE"; nocase; distance:0; content:"USERNAME_ALL_NUMERIC"; nocase; distance:0; content:"PASSWORDS_DONT_MATCH"; nocase; distance:0; content:"PWD_HINT_REQUIRED"; nocase; distance:0; content:"PASSWORD_MATCHES_USERNAME"; nocase; distance:0; content:"REQUEST_PASSWORD_RESET"; nocase; distance:0; content:"ENTER_VALID_VERIFICATION_CODE"; nocase; distance:0; content:"PASSWORD_MATCH_HINT"; nocase; distance:0; content:"Your work here is done"; nocase; distance:0; content:"Yikes! Something's gone wrong."; nocase; distance:0; classtype:social-engineering; sid:2031691; rev:2; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2015_11_05;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M5"; flow:to_server,established; content:"covid-19"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029780; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:exploit-kit; sid:2017993; rev:9; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2014_01_22;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M6"; flow:to_server,established; content:"sars-cov-2"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029781; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:command-and-control; sid:2022047; rev:1; metadata:created_at 2015_11_09, former_category MALWARE, updated_at 2015_11_09;)
+alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2"; flow:established,to_server; tls.sni; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; classtype:bad-unknown; sid:2029708; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_04_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible COVID-19 Domain in SSL Certificate M1"; flow:established,to_client; tls.cert_subject; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; classtype:bad-unknown; sid:2029705; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_04_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for EXE via WinHTTP M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2029840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Registry)"; flow:from_server,established; content:"RG|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017429; rev:4; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for EXE via WinHTTP M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.user_agent; content:"WinHTTP"; startswith; http.header; content:"User-Agent|3a 20|WinHTTP"; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2029841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Keylogger)"; flow:from_server,established; content:"kl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017430; rev:7; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for EXE via WinHTTP M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.user_agent; content:"WinHttp-Autoproxy-Service/"; startswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2029842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Get Passwords)"; flow:to_server,established; content:"pl|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017432; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Hardware.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Hardware.txt"; nocase; fast_pattern; classtype:bad-unknown; sid:2029843; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Get Passwords)"; flow:from_server,established; content:"ret|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017431; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Prgrm.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Prgrm.txt"; nocase; fast_pattern; classtype:bad-unknown; sid:2029844; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PK/Compressed doc/JAR header"; flow:from_server,established; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,ET.zipfile; flowbits:noalert; classtype:misc-activity; sid:2022055; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (CookiesList.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"CookiesList.txt"; nocase; fast_pattern; classtype:bad-unknown; sid:2029845; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:domain-c2; sid:2022056; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.doc.exe in HTTP URL"; flow:to_server,established; http.uri; content:".doc.exe"; nocase; classtype:bad-unknown; sid:2013475; rev:3; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022057; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.pdf.exe in HTTP URL"; flow:to_server,established; http.uri; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2013476; rev:3; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022058; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.o)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|o|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029962; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022059; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.chan)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|chan|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029965; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022060; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.dyn)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|dyn|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029959; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022061; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.lib)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|lib|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029970; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:command-and-control; sid:2022062; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP Request for gift.exe"; flow:established,to_server; http.uri; content:"/gift.exe"; classtype:trojan-activity; sid:2013780; rev:3; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2020_04_20;)
 
-alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:command-and-control; sid:2022063; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.cyb)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|cyb|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029956; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:command-and-control; sid:2022064; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.neo)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|neo|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029961; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:domain-c2; sid:2022065; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.geek)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|geek|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029957; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:domain-c2; sid:2022066; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oz)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|oz|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029955; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:domain-c2; sid:2022067; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; http.header; content:"Accept|3a 20|?"; classtype:trojan-activity; sid:2013974; rev:4; metadata:created_at 2011_12_01, former_category POLICY, updated_at 2020_04_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022069; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious exe.exe request - possible downloader/Oficla"; flow:to_server,established; http.request_line; content:"/exe.exe HTTP/1."; nocase; reference:url,anubis.iseclab.org/?action=result&task_id=11873c8979f34c8d4fd0da512df635cac&format=txt; reference:url,doc.emergingthreats.net/2010741; classtype:trojan-activity; sid:2010741; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019214; rev:2; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS *.doc.exe in HTTP HEADER"; flow:from_server,established; http.header; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; content:".doc.exe"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2013477; rev:10; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00kl\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019222; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; content:".pdf.exe"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2013478; rev:9; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00fm\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019221; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious NULL DNS Request"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; fast_pattern; distance:0; classtype:misc-activity; sid:2029994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Informational, updated_at 2020_04_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00proc\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019220; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Jar name JavaUpdate.jar"; flow:established,to_server; http.uri; content:"/JavaUpdate.jar"; nocase; http.user_agent; content:"Java/1."; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018106; rev:4; metadata:created_at 2014_02_11, former_category HUNTING, updated_at 2020_04_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019219; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING URL Observed in PDF Downloaded via Dropbox"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"x-dropbox-request-id|3a|"; file.data; content:"|25 50 44 46|"; depth:4; content:"/Type /Action /S /URI"; fast_pattern; nocase; classtype:misc-activity; sid:2030047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment SSLDecrypt, signature_severity Informational, updated_at 2020_04_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00srv\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019218; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Terse Numeric .dat File"; flow:established,to_server; http.start; content:".dat|20|HTTP/1.1|0d 0a|"; fast_pattern; http.uri; pcre:"/\/[0-9]{1,2}\.dat$/"; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; classtype:bad-unknown; sid:2030225; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_05_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rs\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019217; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Download Request Containing Suspicious Filename - Crypted"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"crypted.exe"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ff823130efcdf8ab267cad92eb5b90d7; reference:md5,e953e6b3be506c5b8ca80fbcd79c065e; reference:md5,1e2fa2e401cd2295a03ba8d8d3d3698b; classtype:trojan-activity; sid:2022491; rev:3; metadata:created_at 2016_02_04, former_category MALWARE, updated_at 2020_06_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019215; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse Request for .bmp"; flow:established,to_server; content:".bmp|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".bmp"; endswith; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache-"; content:!"Pragma"; content:!"Referer"; classtype:bad-unknown; sid:2030384; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_06_24, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_06_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2015_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse Request for .pif"; flow:established,to_server; content:".pif|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".pif"; endswith; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache-"; content:!"Pragma"; content:!"Referer"; classtype:bad-unknown; sid:2030392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_06_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022076; rev:1; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to NOIP DynDNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_07_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022077; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to NOIP DynDNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_07_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:social-engineering; sid:2022083; rev:2; metadata:created_at 2015_11_13, updated_at 2015_11_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"user="; depth:5; nocase; http_client_body; fast_pattern; content:"&email_address="; nocase; http_client_body; distance:0; content:"&pass"; nocase; http_client_body; distance:0; content:"&captcha="; nocase; http_client_body; distance:0; content:"&submitbutton="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2022084; rev:2; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; classtype:credential-theft; sid:2022085; rev:2; metadata:created_at 2015_11_13, former_category PHISHING, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022087; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022088; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Hostinger Domains"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; classtype:misc-activity; sid:2030511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022089; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Hostinger Domains"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; classtype:misc-activity; sid:2030512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:6; metadata:created_at 2015_08_11, former_category CURRENT_EVENTS, updated_at 2015_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to .tk domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; content:".tk"; endswith; fast_pattern; classtype:misc-activity; sid:2030513; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to .tk domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; content:".tk"; endswith; fast_pattern; classtype:misc-activity; sid:2030514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED BlackHole EK Landing Nov 17 2015"; flow:from_server,established; file_data; content:"|2e 73 74 79 6c 65 2e 6c 65 66 74 3d 3d 3d 22 22 29 7b 67 67 3d 22 67 65 74 41 22 3b 7d 71 71 3d 22 71 22 3b 67 67 2b 3d 22 74 74 72 69 22 3b 66 75 6e 63 74 69 6f 6e 20 63 78 7a 28 29|"; fast_pattern:17,20; classtype:exploit-kit; sid:2022113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; http.uri; content:".exe"; http.host; content:"a.pomf.cat"; fast_pattern; bsize:10; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:3; metadata:created_at 2016_06_09, former_category CURRENT_EVENTS, updated_at 2020_07_14;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Excel Add-in Download M1"; flow:to_server,established; http.uri; content:".xla"; nocase; endswith; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"commons.collections"; nocase; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022115; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Excel Add-in Download M2"; flow:to_server,established; http.header; content:".xla"; nocase; pcre:"/Content-Disposition\x3a[^\r\n]*?\.xla[\s\x22\x27]/i"; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022966; rev:3; metadata:created_at 2016_07_13, former_category INFO, updated_at 2020_07_17;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST Form Submitted to 123formbuilder Free Hosting"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/form-"; depth:6; http.host; content:"www.123formbuilder.com"; depth:22; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag Phishing, updated_at 2020_07_31;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST Form Submitted to Weebly Free Hosting"; flow:established,to_server; urilen:27; http.method; content:"POST"; http.uri; content:"/weebly/apps/formSubmit.php"; http.host; content:"www.weebly.com"; depth:14; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_31;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, updated_at 2015_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS DOC Download from commonly abused file share site"; flow:to_server,established; http.uri; content:".doc"; http.host; content:"a.pomf.cat"; fast_pattern; bsize:10; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024836; rev:3; metadata:created_at 2017_10_11, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Google Android Device HTTP Request"; flow:established,to_server; content:"|3B 20|Android|20|"; http_header; classtype:policy-violation; sid:2012251; rev:9; metadata:created_at 2011_02_02, updated_at 2011_02_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; http.host; pcre:"/\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022896; rev:6; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022093; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious UA (^IE[\d\s])"; flow:established,to_server; http.header; content:!"symantec"; nocase; content:!"norton"; nocase; http.user_agent; content:"IE"; depth:2; nocase; fast_pattern; pcre:"/^[\d\s]/R"; http.host; content:!".bing.com"; reference:md5,209e6701da137084c2f60c90d64505f2; classtype:trojan-activity; sid:2018010; rev:6; metadata:created_at 2014_01_24, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-20"; flow:established,from_server; file_data; content:"<title>Google Drive"; fast_pattern; nocase; content:"For security reasons"; nocase; distance:0; content:"select your email provider"; nocase; distance:0; content:"enter your email and password"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2031701; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP Referer C Drive Path"; flow:established,to_server; http.referer; http.referer; content:"res|3a 2f 2f|c|3a 5c|"; depth:9; nocase; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:5; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webmail Phishing Landing 2015-11-21"; flow:established,from_server; file_data; content:"login.live.com"; nocase; content:"<title>Sign In"; nocase; distance:0; fast_pattern; content:"Generic Password Error Message"; nocase; distance:0; content:"enter your email address"; nocase; distance:0; content:"Microsoft account"; nocase; distance:0; classtype:social-engineering; sid:2031702; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Powershell Downloader with Start-Process Inbound M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"new-object System.Net.WebClient"; nocase; fast_pattern; content:".DownloadFile("; distance:0; content:"Start-Process"; within:500; reference:md5,b510f48b9ac735a197093ad5fb99b0ee; classtype:bad-unknown; sid:2029339; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Phishing 2015-11-21"; flow:established,from_server; file_data; content:"<title>Outlook"; fast_pattern; nocase; content:"http-equiv=|22|refresh"; nocase; distance:0; content:"Update successful"; nocase; distance:0; content:"your account verification information"; nocase; distance:0; content:"emailed to you shortly"; nocase; distance:0; classtype:credential-theft; sid:2031703; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022130; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:3; metadata:created_at 2010_09_29, former_category FTP, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022129; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious UA (Windows)"; flow:established,to_server; http.user_agent; content:"Windows"; bsize:7; http.header; content:"User-Agent|3a 20|Windows|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028879; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Evil EXE download from MSXMLHTTP non-exe extension M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022052; rev:2; metadata:created_at 2015_11_09, updated_at 2015_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|Firefox/"; nocase; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Encoding"; content:!"Referer"; content:!"X-Requested-With"; nocase; classtype:bad-unknown; sid:2018359; rev:4; metadata:created_at 2014_04_04, former_category INFO, updated_at 2020_08_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Rincux CnC (set)"; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|Windows"; distance:0; content:"|20 4d 42 00 00 00 00 00|"; fast_pattern; distance:0; content:"|20 4d 48 7a 00 00 00 00 00|"; distance:0; flowbits:set,ET.Rincux; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022131; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting"; flow:established,to_server; http.method; content:"POST"; http.host; content:"submit-form.com"; endswith; classtype:credential-theft; sid:2030707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_20, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rincux CnC"; content:"|02 00 00 00|"; fast_pattern; depth:4; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Rs"; content:"|00 00 00 00|"; distance:0; flowbits:isset,ET.Rincux; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022132; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to .php on Appspot Hosting - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; isdataat:!1,relative; http.host; content:".appspot.com"; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030708; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022133; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gdn) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gdn"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/"; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023458; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_08_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (2)"; flow:established,to_client; file_data; content:"|29 26 9a 62 39 55 b6 0d|"; distance:4; within:8; classtype:trojan-activity; sid:2022139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request to Image with User-Agent Ending in .exe"; flow:established,to_server; http.uri; pcre:"/\.(?:gif|jpe?g|png)$/i"; http.user_agent; content:".exe"; endswith; fast_pattern; classtype:misc-activity; sid:2030732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, signature_severity Informational, updated_at 2020_08_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (5)"; flow:established,to_client; file_data; content:"|63 86 34 11 a3 ae 83 1e|"; distance:4; within:8; classtype:trojan-activity; sid:2022142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.icu) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".icu"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2026891; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (6)"; flow:established,to_client; file_data; content:"|94 ae 9f 55 3d 25 7f 7d|"; distance:4; within:8; classtype:trojan-activity; sid:2022143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET To gate.php with no Referer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2030802; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Payload URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; content:!"User-Agent"; http_header; nocase; content:!"Accept"; http_header; nocase; content:!"Referer"; nocase; http_header; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; classtype:exploit-kit; sid:2021158; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_28, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027103; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"passwords.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"wallet.dat"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027114; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027107; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022193; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"csrss.exe"; content:"explorer.exe"; fast_pattern; content:"svchost.exe"; content:"lsass.exe"; classtype:trojan-activity; sid:2027117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Suspicious_POST_body, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PHP/Mayhem Checkin via HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"Pragma|3a 20|1337|0d 0a|"; http_header; fast_pattern:only; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:".php HTTP/1.0|0d 0a|"; reference:url,www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf; classtype:trojan-activity; sid:2022195; rev:2; metadata:created_at 2015_11_30, updated_at 2015_11_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"cookie.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021269; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"ccdata.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING cPanel Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"<title>Please wait.."; nocase; fast_pattern; content:"form id=|22|myForm|22|"; nocase; distance:0; content:"name=|22|myForm|22|"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; content:"name=|22|email|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"name=|22|submit|22|"; nocase; distance:0; classtype:social-engineering; sid:2031704; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"google_chrome_default_"; distance:26; within:100; nocase; fast_pattern; pcre:"/^(?:logins|c(?:cdata|ookie))/Ri"; classtype:trojan-activity; sid:2027276; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"id=|22|Anonisma"; fast_pattern; nocase; content:"class=|22|Anonisma"; nocase; distance:0; classtype:social-engineering; sid:2031705; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027278; rev:2; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_08_28;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; depth:120; classtype:bad-unknown; sid:2011355; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; http.user_agent; content:"User-Agent|3a 20|"; depth:12; nocase; content:!"SogouMobileTool"; nocase; http.host; content:!".lge.com"; content:!".kugou.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:bad-unknown; sid:2003626; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious BITS EXE DL From Dotted Quad"; flow:established,to_server; http.uri; content:".exe"; nocase; content:!".gvt1.com/"; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"download.windowsupdate.com"; content:!"download.adobe.com"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2022858; rev:6; metadata:created_at 2016_06_03, former_category INFO, updated_at 2020_09_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Microsoft Malware Protection User-Agent Observed to Non-Microsoft Domain"; flow:to_server,established; http.user_agent; content:"MpCommunication"; depth:15; fast_pattern; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:misc-activity; sid:2030850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_09, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"<title>NACHA</title>"; classtype:exploit-kit; sid:2013474; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode"; flow:established,to_server; http.uri; content:"/svn/"; nocase; content:".exe"; distance:0; nocase; fast_pattern; http.host; content:".googlecode.com"; endswith; classtype:trojan-activity; sid:2018191; rev:4; metadata:created_at 2014_02_27, former_category CURRENT_EVENTS, updated_at 2020_09_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)"; flow:established,to_server; threshold:type both,track by_src,count 2,seconds 10; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; depth:36; endswith; classtype:bad-unknown; sid:2018430; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, former_category CURRENT_EVENTS, updated_at 2011_08_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious double Server Header"; flow:from_server,established; http.header_names; content:"|0d 0a|Server|0d 0a|"; content:"Server|0d 0a|"; distance:0; http.response_line; content:"HTTP/1.1 200"; depth:12; endswith; classtype:trojan-activity; sid:2012707; rev:7; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent Containing .exe"; flow:established,to_server; http.uri; content:!"CTX_"; http.header; content:!"lnssatt.exe"; http.user_agent; content:".exe"; nocase; endswith; fast_pattern; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; content:!"vsee.exe"; nocase; http.host; content:!"gfi.com"; content:!"pandasoftware.com"; classtype:trojan-activity; sid:2013224; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag User_Agent, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, former_category CURRENT_EVENTS, updated_at 2011_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP request for resource ending in .scr"; flow:established,to_server; http.uri; content:".scr"; endswith; fast_pattern; http.host; content:!"kaspersky.com"; classtype:misc-activity; sid:2018231; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_03_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ml)"; flow:established,to_client; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gdn)"; flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025190; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6; metadata:created_at 2011_12_08, updated_at 2011_12_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gq)"; flow:established,to_client; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025191; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ga)"; flow:established,to_client; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025192; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:exploit-kit; sid:2014136; rev:7; metadata:created_at 2012_01_19, updated_at 2012_01_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.cf)"; flow:established,to_client; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025193; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)"; flow:established,to_client; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025194; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:exploit-kit; sid:2014168; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for .bin with BITS/ User-Agent"; flow:established,to_server; http.uri; content:".bin"; endswith; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"microsoft.com"; content:!"pdfcomplete.com"; content:!"mymitchell.com"; content:!"azureedge.net"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2024420; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:exploit-kit; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!"nvidia.com"; endswith; content:!"dc.services.visualstudio.com"; endswith; content:!".avg.com"; endswith; content:!"bitdefender.net"; endswith; content:!"svc.iolo.com"; endswith; content:!".lavasoft.com"; endswith; content:!"canonicalizer.ucsuri.tcs"; http.request_body; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; classtype:trojan-activity; sid:2011341; rev:17; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:exploit-kit; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_29, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Malformed Double Accept Header"; flow:established,to_server; http.user_agent; content:!"-DRM"; http.host; content:!"buhphone.ru"; content:!"www.backupmaker.com"; content:!"ati.com"; content:!"amd.com"; endswith; http.accept; content:"Accept|3a 20|"; fast_pattern; reference:url,doc.emergingthreats.net/2008975; classtype:policy-violation; sid:2008975; rev:18; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:exploit-kit; sid:2014316; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious EXE Download Content-Type image/jpeg"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; flowbits:set,ET.http.binary; http.content_type; content:"image/jpeg"; depth:10; endswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:policy-violation; sid:2026537; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; depth:8; content:"|20 28|qwe123"; classtype:trojan-activity; sid:2014368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/putty.exe"; nocase; endswith; http.host; content:!"the.earth.li"; classtype:bad-unknown; sid:2026570; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:exploit-kit; sid:2014526; rev:3; metadata:created_at 2012_04_06, former_category EXPLOIT_KIT, updated_at 2012_04_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)"; flow:established,to_client; tls.cert_subject; content:"CN=ident.me"; nocase; endswith; classtype:external-ip-check; sid:2026743; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:exploit-kit; sid:2014549; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)"; flow:established,to_client; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2026890; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".doc"; fast_pattern; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; classtype:bad-unknown; sid:2025162; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6; metadata:created_at 2012_04_13, former_category CURRENT_EVENTS, updated_at 2012_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/svchost.exe"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2016696; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:"<script"; content:"navigator.userAgent.indexOf|28 27|Mac|27 29|"; distance:0; nocase; content:"setAttribute|28 27|code|27|"; distance:0; nocase; content:".class"; nocase; distance:0; content:"setAttribute|28 27|archive|27|"; distance:0; nocase; content:".jar"; nocase; distance:0; reference:url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/; reference:cve,2011-3544; classtype:bad-unknown; sid:2014565; rev:3; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious explorer.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/explorer.exe"; nocase; endswith; fast_pattern; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5; metadata:created_at 2012_04_16, former_category CURRENT_EVENTS, updated_at 2012_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious winlogin.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/winlogon.exe"; nocase; endswith; fast_pattern; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious services.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/services.exe"; nocase; endswith; fast_pattern; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious smss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/smss.exe"; nocase; endswith; fast_pattern; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious csrss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/csrss.exe"; nocase; fast_pattern; endswith; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious rundll32.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/rundll32.exe"; nocase; fast_pattern; endswith; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:exploit-kit; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious lsass.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/lsass.exe"; nocase; endswith; fast_pattern; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_05_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages"; flow:established,to_server; http.method; content:"POST"; http.host; content:".atwebpages.com"; fast_pattern; classtype:misc-activity; sid:2030890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, signature_severity Informational, updated_at 2020_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msctcd.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskmgr.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wsqmocn.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017676; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:6; metadata:created_at 2012_05_30, former_category CURRENT_EVENTS, updated_at 2012_05_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wimhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winlog.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/waulct.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/alg.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mssrs.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhosts.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhost"; nocase; fast_pattern; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017842; rev:4; metadata:created_at 2013_12_12, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, former_category CURRENT_EVENTS, updated_at 2012_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS pony.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pony."; nocase; fast_pattern; pcre:"/\/pony\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017843; rev:4; metadata:created_at 2013_12_12, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_03, former_category CURRENT_EVENTS, updated_at 2012_07_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Possible Process Dump in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"System Idle Process"; fast_pattern; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:6; metadata:created_at 2014_01_15, former_category INFO, updated_at 2020_09_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:"commondatastorage.googleapis.com"; bsize:32; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:4; metadata:created_at 2014_06_11, former_category CURRENT_EVENTS, updated_at 2020_09_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.rar.exe in HTTP URL"; flow:to_server,established; http.uri; content:".rar.exe"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2020386; rev:4; metadata:created_at 2015_02_09, former_category POLICY, updated_at 2020_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; http.uri; content:"/movie.swf"; fast_pattern; classtype:trojan-activity; sid:2021414; rev:4; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern; classtype:social-engineering; sid:2023068; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_10_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Google Adwords Conversion not from Google"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pagead/conversion_async.js"; endswith; fast_pattern; http.host; content:!"googleadservices.com"; content:!"doubleclick.net"; content:!"google.com"; classtype:bad-unknown; sid:2030980; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2020_10_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Pdf.exe Observed in Zeus/Luminosity Link"; flow:established,to_server; http.uri; content:"/pdf.exe"; fast_pattern; classtype:trojan-activity; sid:2018080; rev:6; metadata:created_at 2014_02_05, former_category MALWARE, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.science) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".science"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023454; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.top) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".top"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023455; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015574; rev:5; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2012_08_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.stream) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".stream"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023456; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4; metadata:created_at 2012_08_07, updated_at 2012_08_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.download) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".download"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023457; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.biz) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".biz"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023459; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:exploit-kit; sid:2015605; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.accountant) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".accountant"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023460; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.click) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".click"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023461; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:exploit-kit; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.link) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".link"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023462; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:exploit-kit; sid:2013699; rev:3; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2011_09_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.win) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".win"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023463; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Evil Download wsf Double Ext No Referer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".wsf"; nocase; fast_pattern; pcre:"/\/[^\x2f]+\.[^\x2f]+\.wsf$/i"; http.header; content:!"User-Agent|3a 20 2a|"; classtype:trojan-activity; sid:2022271; rev:5; metadata:created_at 2015_12_17, former_category INFO, updated_at 2020_10_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022208; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".men"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022212; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".webcam"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".yokohama"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/KDefend Checkin"; flow:established,to_server; content:"c|00|h|00|i|00|n|00|a|00 00 00|"; offset:16; depth:12; fast_pattern; content:"|20|MB|00|"; within:10; content:"/proc/stat|00|cpu|00|"; within:21; reference:url,blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html; classtype:command-and-control; sid:2022219; rev:3; metadata:created_at 2015_12_04, former_category MALWARE, updated_at 2015_12_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".tokyo"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Adware.iBryte.B Install"; flow:to_server,established; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern:only; content:"event="; http_uri; content:"_id="; http_uri; content:!"Referer|3a|"; http_header; reference:md5,1497c33eede2a81627c097aad762817f; classtype:trojan-activity; sid:2018194; rev:9; metadata:created_at 2012_02_13, updated_at 2012_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gq) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gq"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:4; metadata:created_at 2018_04_16, former_category HUNTING, updated_at 2020_10_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:pup-activity; sid:2008066; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".work"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022078; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+/"; depth:31; fast_pattern; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:16; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_10_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022226; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (c \windows)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"c|3a 5c|"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022230; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (NULL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"NULL"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022231; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (C slash)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|5c|Citrix|5c|"; content:!"|5c|Panda S"; nocase; content:!"|5c|Mapinfo"; nocase; http.user_agent; content:"C|3a 5c|"; depth:3; fast_pattern; classtype:trojan-activity; sid:2008512; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022233; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User Agent (_)"; flow:to_server,established; http.user_agent; content:"_"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; classtype:trojan-activity; sid:2007942; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022235; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; http.uri; content:!"/CallParrotWebClient/"; http.header.raw; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http.user_agent; content:"Mozilla/4.0"; fast_pattern; nocase; bsize:11; http.host; content:!"www.google.com"; content:!"secure.logmein.com"; content:!"weixin.qq.com"; content:!"slickdeals.net"; content:!"cloudera.com"; content:!"secure.digitalalchemy.net.au"; content:!".ksmobile.com"; content:!"gstatic.com"; content:!".cmcm.com"; content:!".deckedbuilder.com"; content:!".mobolize.com"; content:!"wq.cloud.duba.net"; content:!"infoc2.duba.net"; content:!".bitdefender.net"; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:34; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phish Landing 2015-12-08"; flow:to_client,established; file_data; content:"id=|22|sfm_excel_body|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|Email|22|"; nocase; distance:0; content:"name=|22|Password|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"Keep me signed in"; nocase; distance:0; classtype:social-engineering; sid:2031692; rev:4; metadata:created_at 2015_12_08, former_category PHISHING, updated_at 2015_12_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .XYZ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".xyz"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_09, deployment Datacenter, former_category TROJAN, signature_severity Major, tag Wordpress, updated_at 2018_07_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TOP Domain with Minimal Headers"; flow:established,to_server; http.host; content:".top"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible CryptoWall encrypted download"; flow:to_client,established; file_data; byte_test:1,<,12,0; content:"|00 00 00|"; distance:1; within:3; byte_test:1,<,127,0,relative; byte_test:1,>,48,0,relative; byte_jump:1,0,from_beginning,post_offset 5; byte_test:1,=,0,0,relative; pcre:"/^[\x00-\x0c]\x00\x00\x00[a-z0-9]{6,12}\x00/s"; classtype:trojan-activity; sid:2018788; rev:3; metadata:created_at 2014_07_28, updated_at 2014_07_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to 000webhostapp Domain with Minimal Headers"; flow:established,to_server; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert udp $HOME_NET any -> any [5060,5061,5600] (msg:"ET MALWARE Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022206; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .ML Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Evil Redirector Leading to EK Mar 06 2015"; flow:established,to_server; content:"/counter.php?referrer=http"; http_uri; classtype:exploit-kit; sid:2020638; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .CF Domain with Minimal Headers"; flow:established,to_server; http.host; content:".cf"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022248; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GQ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022249; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TK Domain with Minimal Headers"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022250; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GA Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022251; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Root"; flow:established,to_server; tls.sni; content:"Root"; depth:4; endswith; nocase; classtype:bad-unknown; sid:2029191; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Minor, updated_at 2020_10_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022252; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Inbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:10; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M1"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|04|Asia"; distance:1; within:5; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M2"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|North America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022254; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Improperly Spaced Accept Header in User-Agent"; flow:established,to_server; http.user_agent; content:"Accept|3a|*/*"; classtype:misc-activity; sid:2031120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M3"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Africa"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022255; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031123; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M4"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Europe"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022256; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031124; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M5"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|09|Australia"; distance:1; within:10; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022257; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031125; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M6"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|South America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022258; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031126; rev:2; metadata:attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M7"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0a|Antarctica"; distance:1; within:11; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022259; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Telegram API Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=api.telegram.org"; fast_pattern; nocase; endswith; classtype:misc-activity; sid:2029322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022267; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|MSIE|20|"; nocase; fast_pattern; content:!"Mozilla/4.0 (compatible|3b 20|MSIE|20|6.0|3b 20|DynGate)"; content:!"Windows Live Messenger"; content:!"MS Web Services Client Protocol"; http.host; content:!"groove.microsoft.com"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.request_body; content:!"grooveDNS|3a|//"; http.header_names; content:!"X-Requested-With"; nocase; content:!"Accept-Encoding"; content:!"Referer"; classtype:bad-unknown; sid:2018358; rev:10; metadata:created_at 2014_04_04, former_category INFO, updated_at 2020_11_03;)
 
-#alert http [$EXTERNAL_NET,!208.85.44.0/24] $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (3)"; flow:established,to_client; file_data; content:"|dc 18 02|"; distance:4; within:3; pcre:"/^(?:\x62|\x1b)/R"; classtype:trojan-activity; sid:2022140; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Redirect to Joom AG Hosted Document - Potential Phishing"; flow:to_client,established; http.stat_code; content:"302"; http.location; content:"https://view.joomag.com/"; fast_pattern; startswith; classtype:misc-activity; sid:2031173; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag Phishing, updated_at 2020_11_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022275; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029011; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, signature_severity Minor, updated_at 2020_11_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022276; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029009; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_11_04;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022277; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; http.uri; content:"/distr/Proxifier"; nocase; depth:16; fast_pattern; http.host; content:"proxifier.com"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; content:!"Accept-"; content:!"Cookie|0d 0a|"; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022278; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; http.uri; content:!".swf"; nocase; content:!".flv"; nocase; content:!"/crossdomain.xml"; http.header; content:"x-flash-version|3a|"; fast_pattern; content:!"/crossdomain.xml"; content:!".swf"; nocase; content:!".flv"; nocase; content:!"[DYNAMIC]"; content:!"sync-eu.exe.bid"; http.host; pcre:"/^[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)/i"; http.header_names; content:!"|0d 0a|Cookie|0d 0a|"; classtype:trojan-activity; sid:2022894; rev:8; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022286; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious Reversed String Inbound (StrReverse)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"esreveRrtS"; nocase; classtype:bad-unknown; sid:2036336; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022287; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; endswith; fast_pattern; http.request_body; content:"pass"; nocase; classtype:misc-activity; sid:2031189; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, updated_at 2015_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2"; http.method; content:"POST"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029714; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022292; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M1"; http.method; content:"POST"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022293; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2"; http.method; content:"GET"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET MALWARE Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:command-and-control; sid:2022294; rev:1; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2015_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1"; http.method; content:"GET"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M2"; http.method; content:"POST"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029756; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2022290; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M1"; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029755; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022301; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2"; http.method; content:"GET"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029754; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022302; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1"; http.method; content:"GET"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029753; rev:3; metadata:created_at 2020_03_28, former_category HUNTING, updated_at 2020_11_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"22C83263-E4B8-4233-82CD-FB047C6BF13E"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*22C83263-E4B8-4233-82CD-FB047C6BF13E/si"; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:web-application-attack; sid:2013462; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.parody)"; dns.query; content:".parody"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029954; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:3; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)"; dns.query; content:".libre"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029958; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; reference:url,doc.emergingthreats.net/2010878; classtype:attempted-user; sid:2010878; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.bbs)"; dns.query; content:".bbs"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029960; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.null)"; dns.query; content:".null"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029963; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)"; dns.query; content:".pirate"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029964; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:3; metadata:created_at 2015_12_23, updated_at 2015_12_23;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oss)"; dns.query; content:".oss"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029966; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022305; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.epic)"; dns.query; content:".epic"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029967; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022307; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.indy)"; dns.query; content:".indy"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029968; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022308; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.gopher)"; dns.query; content:".gopher"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029969; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)"; dns.query; content:".coin"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029971; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.emc)"; dns.query; content:".emc"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029972; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:exploit-kit; sid:2022312; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.bazar)"; dns.query; content:".bazar"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029973; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:exploit-kit; sid:2022313; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for FurNIC TLD (.fur)"; dns.query; content:".fur"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029974; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, signature_severity Informational, updated_at 2020_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Logging in"; nocase; fast_pattern; content:".php?cmd=_"; nocase; distance:0; content:"Hold a while"; nocase; distance:0; content:"Still loading after a few seconds"; nocase; distance:0; classtype:social-engineering; sid:2031706; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (1 space)"; flow:to_server,established; http.header; content:"User-Agent|3a 20 0d 0a|"; http.host; content:!"connectivitycheck.gstatic.com"; endswith; content:!".mcafee.com"; content:!"deezer.com"; endswith; content:!"googlezip.net"; content:!"metrics.tbliab.net"; endswith; content:!"dajax.com"; endswith; content:!"update.eset.com"; endswith; content:!".sketchup.com"; endswith; content:!".yieldmo.com"; endswith; content:!"ping-start.com"; endswith; content:!".bluekai.com"; content:!".stockstracker.com"; content:!".doubleclick.net"; content:!".pingstart.com"; content:!".colis-logistique.com"; content:!"android-lrcresource.wps.com"; content:!"track.package-buddy.com"; content:!"talkgadget.google.com"; endswith; content:!".visualstudio.com"; endswith; content:!".slack-edge.com"; endswith; content:!".slack.com"; endswith; content:!".lifesizecloud.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:24; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category INFO, signature_severity Major, tag User_Agent, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Apple Phish Landing Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>iTunes"; nocase; fast_pattern; content:"Enter Your Password"; nocase; distance:0; content:"<!-- PHOEN!X -->"; nocase; distance:0; classtype:social-engineering; sid:2031693; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027104; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Phish Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Checking Informations"; content:"http-equiv=|22|refresh|22|"; classtype:social-engineering; sid:2031694; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"passwords.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027106; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022321; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"wallet.dat"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027115; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022322; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027108; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021624; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookie.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; content:"|0a|infosec.jp"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0e|www.infosec.jp"; distance:1; within:15; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022324; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"ccdata.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027272; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"google_chrome_default_"; distance:26; within:100; nocase; fast_pattern; pcre:"/^(?:logins|c(?:cdata|ookie))/Ri"; classtype:trojan-activity; sid:2027277; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022328; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027279; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022329; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:7; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2"; dns.query; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!"services.corona.be"; isdataat:!1,relative; classtype:bad-unknown; sid:2029710; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_11_20;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"https://bitbucket.org"; startswith; content:".exe"; endswith; classtype:bad-unknown; sid:2026515; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_12_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_07, updated_at 2016_01_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Password - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031523; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:exploit-kit; sid:2022338; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"pass="; nocase; depth:5; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:2; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST to Wordpress Folder - Possible Successful Banking Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; http.request_body; content:"pin="; depth:4; fast_pattern; classtype:credential-theft; sid:2031547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category HUNTING, signature_severity Major, tag Phishing, updated_at 2021_01_26;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:4; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/upload/upload.php HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031558; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:exploit-kit; sid:2022341; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/download/download.asp HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031559; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing Jan 07 2015"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?){3,}\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025040; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/upload/upload.asp HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031560; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M1"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Host\x3a\x20(?P<host>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?Referer\x3a\x20http\x3a\x2f\x2f(?P=host)\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025041; rev:2; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Use of rzd URL Shortener Service"; flow:established,to_server; http.method; content:"HEAD"; http.host; content:"rzd.ac"; bsize:6; fast_pattern; classtype:policy-violation; sid:2031647; rev:1; metadata:created_at 2021_02_22, former_category HUNTING, updated_at 2021_02_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bulta CnC Beacon"; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:command-and-control; sid:2022345; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_01_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Hidden embedded HTML Document"; flow:established,to_client; file.data; content:"<embed src=|27|data|3a|text/html|3b|base64|2c|PCFET0NUWVBFIGh0bWw+"; content:"|27 20|height|3d 27|0|27 20|frameborder|3d 27|0|27 3e 3c 2f|embed|3e|"; within:6000; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:bad-unknown; sid:2031803; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:coin-mining; sid:2022349; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2016_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Glitch Hosted GET Request - Possible Phishing Landing"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:".glitch.me"; fast_pattern; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031917; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Loading Gif Inline Image"; flow:established,from_server; content:"background|3a|url(data|3a|image/gif|3b|base64,R0lGODlhEAAQAAAAACH/C05FVFNDQVBFMi4wAwH//"; classtype:trojan-activity; sid:2014842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Glitch Hosted DNS Request - Possible Phishing Landing"; dns.query; content:".glitch.me"; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031918; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_04_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing"; flow:established,to_server; tls.sni; content:".glitch.me"; endswith; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031919; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.STD.ddos Checkin"; flow:established,to_server; dsize:28; content:"2-1Q3@@4V-9-W$p#=A#9c=#W~,|0d 0a|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=2747&start=20#p27639; classtype:command-and-control; sid:2022367; rev:2; metadata:created_at 2016_01_14, former_category MALWARE, updated_at 2016_01_14;)
+alert tls any any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (Metasploit Self Signed CA)"; flow:from_server,established; tls.cert_issuer; content:"CN=MetasploitSelfSignedCA"; classtype:policy-violation; sid:2031932; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, deployment Internet, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_03_11;)
 
-alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
+alert tls any any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (Metasploit in TLS Subject)"; flow:from_server,established; tls.cert_subject; content:"Metasploit"; nocase; classtype:policy-violation; sid:2031933; rev:2; metadata:attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, deployment Internet, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_03_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Phishing Page - Page Saved with SingleFile Extension"; flow:to_client,established; file.data; content:"Page saved with SingleFile"; fast_pattern; content:"|0d 0a 20|url|3a 20|"; distance:0; content:"|0d 0a 20|saved date|3a 20|"; distance:0; reference:url,chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle?hl=en; classtype:misc-activity; sid:2032082; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell DownloadString Command"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:".DownloadString("; nocase; fast_pattern; classtype:bad-unknown; sid:2032169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell DownloadFile Command"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:".DownloadFile("; nocase; fast_pattern; classtype:bad-unknown; sid:2032170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022385; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell Starting Wscript Process"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:"start-process wscript"; nocase; fast_pattern; classtype:bad-unknown; sid:2032171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022386; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell Launching Hidden Window"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:"-windowstyle hidden"; nocase; fast_pattern; classtype:bad-unknown; sid:2032172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022387; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for EXE from DigitalOcean Spaces"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:".digitaloceanspaces.com"; endswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:bad-unknown; sid:2032359; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_04_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022388; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed POST to xsph .ru Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xsph.ru"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032531; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2021_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022389; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SSL/TLS Certificate Observed (OpenNIC Project API)"; flow:established,to_client; tls.cert_subject; content:"CN=api.opennicproject.org"; bsize:25; fast_pattern; reference:url,wiki.opennic.org/API; classtype:bad-unknown; sid:2032744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_04_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022390; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP Request for OpenNIC API GeoIP Request"; flow:established,to_server; http.uri; content:"/geoip"; nocase; startswith; http.host; content:"api.opennicproject.org"; bsize:22; fast_pattern; reference:url,wiki.opennic.org/API; classtype:bad-unknown; sid:2032745; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_04_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022391; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Netlify Hosted GET Request - Possible Phishing Landing"; flow:established,to_server; http.method; content:"GET"; http.host; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022392; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Netlify Hosted DNS Request - Possible Phishing Landing"; dns.query; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032759; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022393; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing"; flow:established,to_server; tls.sni; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032760; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022394; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET HUNTING Malformed Domain Name in DNS Query (Domain Length Exceeds 253 Bytes)"; dns.query; bsize:>253; classtype:bad-unknown; sid:2032779; rev:1; metadata:created_at 2021_04_19, former_category HUNTING, updated_at 2021_04_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022395; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded Server Response (success)"; flow:established,from_server; file.data; content:"c3VjY2Vzcw=="; depth:12; classtype:bad-unknown; sid:2032883; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_04_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022396; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request for .x86"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032924; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022397; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request for .x64"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x64"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032925; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022404; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible ELF executable sent when remote host claims to send a Text File"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/plain"; file.data; content:"|7f 45 4c 46|"; startswith; fast_pattern; isdataat:3000,relative; classtype:bad-unknown; sid:2032973; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022408; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Office Doc Retrieving Shortened URL (bit .do)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:"bit.do"; bsize:6; fast_pattern; reference:md5,04a303e67b4a2f9f7bb532779aef2c72; classtype:bad-unknown; sid:2033133; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_29, updated_at 2019_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING URL Shortening Service Used by Curl (ic9 .in)"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; http.host; content:"ic9.in"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2033134; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_06_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022474; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected DNS CnC via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 500, seconds 300; classtype:bad-unknown; sid:2033185; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, deployment Internal, former_category HUNTING, performance_impact Significant, updated_at 2021_06_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022475; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET HUNTING Possible REvil 0day Exploitation Activity Inbound"; flow:established,to_server; content:"|0a|procCreate|28 22|Archive"; content:"procStep|28|"; distance:0; within:50; content:"+++SQLCMD|3a 22|+"; distance:0; within:100; content:"|22|DELETE|20|FROM"; reference:url,blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/; classtype:bad-unknown; sid:2033236; rev:1; metadata:created_at 2021_07_05, former_category HUNTING, updated_at 2021_07_05;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; classtype:exploit-kit; sid:2021973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING jpg download from fileupload .site"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.host; content:"fileupload.site"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033287; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_07_09;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022476; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (nltest)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"nltest /domain_trusts"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_07_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipconfig /all"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_07_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022478; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (net view)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net view /all"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_07_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (net config)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net config workstation"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_07_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021526; rev:2; metadata:created_at 2015_07_23, former_category MALWARE, updated_at 2015_07_23;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING .exec in HTTP URI Inbound - Possible Exploit Activity"; flow:established,to_server; http.uri; content:".exec|28|"; fast_pattern; classtype:bad-unknown; sid:2033406; rev:2; metadata:created_at 2021_07_24, former_category HUNTING, updated_at 2021_07_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022489; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING .exec in HTTP Header Inbound - Possible Exploit Activity"; flow:established,to_server; http.header; content:".exec|28|"; fast_pattern; classtype:bad-unknown; sid:2033407; rev:2; metadata:created_at 2021_07_24, former_category HUNTING, updated_at 2021_07_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED APT.Fexel Checkin"; flow:established,to_server; content:"agtid="; http_header; content:"08x"; http_client_body; reference:md5,70e87b2898333e11344b16a72183f8e9; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2019469; rev:6; metadata:created_at 2014_10_17, updated_at 2014_10_17;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING NOP Sled in HTTP Header Inbound - Possible Exploit Activity"; flow:established,to_server; http.header; content:"|90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern; classtype:bad-unknown; sid:2033430; rev:1; metadata:created_at 2021_07_26, former_category HUNTING, updated_at 2021_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:exploit-kit; sid:2022496; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Screenshot Uploaded to Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:"filename="; content:"screenshot."; within:12; fast_pattern; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:bad-unknown; sid:2033447; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2021_07_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9uDQoNCiAgIEhvc3QgTmFtZSAuI"; classtype:bad-unknown; sid:2033734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aW5kb3dzIElQIENvbmZpZ3VyYXRpb24NCg0KICAgSG9zdCBOYW1lIC4g"; classtype:bad-unknown; sid:2033735; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvbg0KDQogICBIb3N0IE5hbWUgLi"; classtype:bad-unknown; sid:2033736; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING NOP Sled in HTTP URI Inbound - Possible Exploit Activity"; flow:established,to_server; http.uri.raw; content:"|90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern; classtype:bad-unknown; sid:2033431; rev:3; metadata:created_at 2021_07_26, former_category HUNTING, updated_at 2021_08_18;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded whoami in HTTP Server Response"; flow:established,to_client; file.data; content:"d2hvYW1p"; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:bad-unknown; sid:2033745; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2021_08_19;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Request to iplogger .org Contains Period"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|"; http.host; content:"iplogger|2e|org"; bsize:12; fast_pattern; reference:md5,dcef208fcdac3345c6899a478d16980f; classtype:bad-unknown; sid:2033859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2021_09_01;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"Chrome_Default.txt"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2033886; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Cookies/Firefox_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"Cookies/Firefox_"; nocase; distance:0; fast_pattern; content:".default.txt"; within:25; classtype:bad-unknown; sid:2033887; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (History/Firefox_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"History/Firefox_"; nocase; distance:0; fast_pattern; content:".default.txt"; within:25; classtype:bad-unknown; sid:2033888; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious Request nc.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nc.exe"; fast_pattern; nocase; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_09_02;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Inbound Powershell Creating .hta File"; flow:established,to_client; file.data; content:".hta|22 3b|"; content:"|28|New-Object|20|-COM"; classtype:bad-unknown; sid:2033956; rev:1; metadata:created_at 2021_09_15, former_category HUNTING, updated_at 2021_09_15;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Inbound Powershell Creating .lnk File"; flow:established,to_client; file.data; content:".lnk|22|"; content:"|28|New-Object|20|-COM|20|WScript.Shell|29|.CreateShortcut|28|"; classtype:bad-unknown; sid:2033957; rev:1; metadata:created_at 2021_09_15, former_category HUNTING, updated_at 2021_09_15;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain"; dns.query; content:".duckdns.org"; fast_pattern; pcre:"/^[a-f0-9]{8,}\.duckdns\.org$/"; reference:md5,cfaed1a20d1d7e877f58d54272361df1; classtype:bad-unknown; sid:2033959; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Major, updated_at 2021_09_16;)
 
-#alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING Telegram API Domain in DNS Lookup"; dns.query; content:"api.telegram.org"; nocase; bsize:16; classtype:misc-activity; sid:2033966; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_09_16;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.telegram.org"; bsize:16; fast_pattern; classtype:misc-activity; sid:2033967; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_09_16;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Phishkit Javascript Response with Phishy Text"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"click OK or reload"; nocase; fast_pattern; content:"longtime to request"; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2034003; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Informational, updated_at 2021_09_22;)
 
-#alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (autodesk360 .com)"; flow:established,to_server; tls.sni; dotprefix; content:".autodesk360.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2034097; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_10_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M3"; flow:established,to_server; urilen:40<>65; content:"3"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])3(?:(?P=sep)|\d)*?$/U"; content:!"computerwoche.de|0d 0a|"; http_header; classtype:exploit-kit; sid:2020998; rev:5; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (api .autodesk .com)"; flow:established,to_server; tls.sni; content:"developer.api.autodesk.com"; bsize:26; fast_pattern; classtype:bad-unknown; sid:2034098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M4"; flow:established,to_server; urilen:40<>65; content:"4"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])4(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020999; rev:4; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Set flow on bmp file get"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bmp"; http.request_line; content:".bmp HTTP/1."; fast_pattern; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_10_08;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Microsoft Office"; startswith; fast_pattern; pcre:"/^[^\x3b\x2f\x28]+$/R"; content:!"2014"; endswith; content:!"Discovery"; endswith; content:!"OneNote"; endswith; reference:url,twitter.com/silv0123/status/1437869745961832455; classtype:bad-unknown; sid:2033960; rev:3; metadata:created_at 2021_09_16, former_category HUNTING, updated_at 2021_10_25;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse HTTP Request to textbin"; flow:established,to_server; http.request_line; content:"GET /raw/"; startswith; http.host; content:"textbin.net"; bsize:11; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; classtype:bad-unknown; sid:2034461; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2021_11_15;)
 
-#alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, updated_at 2015_05_20;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from External Host - SUBSCRIBE/UNSUBSCRIBE"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034495; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from Internal Host - SUBSCRIBE/UNSUBSCRIBE"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034496; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from External Host - NOTIFY"; flow:established,to_server; http.method; content:"NOTIFY"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034497; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:exploit-kit; sid:2016952; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from Internal Host - NOTIFY"; flow:established,to_server; http.method; content:"NOTIFY"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034498; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING curl User-Agent to Dotted Quad"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; nocase; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2034567; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful WZ-REKLAMA Phish 2016-01-08"; flow:to_client,established; file_data; content:"<!--WZ-REKLAMA"; nocase; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; within:8; classtype:credential-theft; sid:2031952; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for .txt - Likely Hostile"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; bsize:6; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2034581; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022508; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9u"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034641; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022509; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvb"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022510; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"XaW5kb3dzIElQIENvbmZpZ3VyYXRpb2"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022511; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034661; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022512; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034662; rev:2; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022513; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034663; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022514; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034664; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:exploit-kit; sid:2017649; rev:6; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034665; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017648; rev:7; metadata:created_at 2013_10_31, former_category CURRENT_EVENTS, updated_at 2013_10_31;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (udp) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2017706; rev:6; metadata:created_at 2013_11_12, former_category CURRENT_EVENTS, updated_at 2013_11_12;)
+alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Kimsuky Related Malicious VBScript Inbound"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"reg add"; nocase; fast_pattern; content:"ftp://"; distance:0; within:200; pcre:"/[a-z]{8}.[a-z]{3}/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:exploit-kit; sid:2019544; rev:6; metadata:created_at 2014_10_28, former_category CURRENT_EVENTS, updated_at 2014_10_28;)
+alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034783; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:exploit-kit; sid:2019752; rev:9; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2014_11_20;)
+alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034784; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022521; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034785; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022522; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034801; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_02_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034802; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:4; metadata:created_at 2016_02_16, updated_at 2016_02_16;)
+alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034803; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, updated_at 2016_02_17;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034808; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022488; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034809; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022536; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034810; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022537; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034811; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible cs2nginx Proxy Redirect"; flow:established,to_client; content:"302"; http_stat_code; content:"|0d 0a|Server|3a 20|Server|0d 0a|Referrer-Policy|3a 20|no-referrer|0d 0a|"; http_header; isdataat:!1,relative; fast_pattern; reference:url,github.com/threatexpress/cs2modrewrite/blob/d6516e153dfd2a19cc3fba6c26b948e2b0933708/cs2nginx.py; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/; classtype:bad-unknown; sid:2034874; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus Time Check to Microsoft.com"; flow:to_server,established; content:"GET|20 20|HTTP/1.0|0d 0a|"; depth:15; content:"www.microsoft.com"; distance:6; within:23; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:targeted-activity; sid:2022539; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible NOBELIUM CnC Traffic (Observed UA)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|6|2e|2|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|90|2e|0|2e|4430|2e|85|20|Safari|2f|537|2e|36"; bsize:101; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:bad-unknown; sid:2034870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_01_10;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible OceanLotus CnC Heartbeat"; flow:to_client,established; dsize:14; content:"|75 7a 76 7e 1a 1b 1b 1b 1b 1b 11 1b 1b 1b|"; fast_pattern; threshold: type limit, count 1, track by_src, seconds 60; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022540; rev:1; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2016_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Powershell Request for paste .ee Page"; flow:established,to_server; http.method; content:"GET"; http.host; content:"paste.ee"; fast_pattern; http.user_agent; content:") WindowsPowerShell/"; classtype:bad-unknown; sid:2034979; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .LNK File Inside of Zip"; flow:established,from_server; file_data; content:"PK|03 04|"; startswith; content:".lnk"; nocase; fast_pattern; within:500; classtype:unknown; sid:2035026; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_02_01;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension ZIP File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".zip"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.zip$/"; classtype:unknown; sid:2035027; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension VBS File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".vbs"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.vbs$/"; classtype:unknown; sid:2035028; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension PIF File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".pif"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.pif$/"; classtype:unknown; sid:2035029; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension EXE File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".exe"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.exe$/"; classtype:unknown; sid:2035030; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
 
-alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache Airflow Experimental API Authentication Bypass Attempt (CVE-2020-13927)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/experimental/test"; fast_pattern; reference:cve,2020-13927; classtype:attempted-admin; sid:2035037; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_13927, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Informational, updated_at 2022_02_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022552; rev:2; metadata:created_at 2016_02_22, former_category MALWARE, updated_at 2016_02_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Information.txt"; fast_pattern; reference:md5,50f2b28aba4d4cb47544bcc98980a63e; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_03_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022553; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Multiple User-Agent Components in a single UA"; flow:established,to_server; http.user_agent; content:"Compatible|3b 20|"; nocase; content:"Compatible|3b 20|"; nocase; distance:0; content:"MSIE|20|"; nocase; content:"MSIE|20|"; distance:0; nocase; fast_pattern; content:"|20|Windows|20|NT|20|"; nocase; content:"|20|Windows|20|NT|20|"; distance:0; nocase; reference:md5,0fc3d71e211f8d5101311d2800c459f7; classtype:misc-activity; sid:2035396; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_03_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016320; rev:6; metadata:created_at 2013_01_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl"; content:".ovh.net"; within:10; fast_pattern; pcre:"/CN=ssl\d{1,2}.ovh.net(?:$|,)/"; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_05, deployment Perimeter, former_category POLICY, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016371; rev:5; metadata:created_at 2013_02_08, former_category EXPLOIT_KIT, updated_at 2013_02_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING ZIP file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; content:"|00 00 00|"; distance: 1; within:3; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035478; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016402; rev:4; metadata:created_at 2013_02_12, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING RAR file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035479; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:"Java/1."; http_user_agent; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016495; rev:8; metadata:created_at 2013_02_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RAR file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035481; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:exploit-kit; sid:2016506; rev:6; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ZIP file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035482; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (4)"; flow:established,to_client; file_data; content:"|f4 ec 9a|"; distance:4; within:4; pcre:"/^(?:\x8b|\xf2)/R"; classtype:trojan-activity; sid:2022141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.bing.com)"; flow:established,to_server; dsize:38; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.bing.com|0d 0a 0d 0a|"; distance:1; within:24; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018432; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler encrypted payload Nov 23 (1)"; flow:established,to_client; file_data; content:"|01 d2 02 8b e7 98 09 18|"; distance:4; within:8; classtype:trojan-activity; sid:2022138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.msn.com)"; flow:established,to_server; dsize:37; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.msn.com|0d 0a 0d 0a|"; distance:1; within:23; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018431; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:exploit-kit; sid:2022565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.yahoo.com)"; flow:established,to_server; dsize:39; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.yahoo.com|0d 0a 0d 0a|"; distance:1; within:25; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018433; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:exploit-kit; sid:2022567; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PE EXE Download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"MZ"; startswith; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,github.com/corkami/docs/blob/master/PE/PE.md; classtype:misc-activity; sid:2035480; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_04_18;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022571; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Fake Edu Host with __test Cookie"; flow:established,to_server; http.method; content:"GET"; http.host; content:"edu"; pcre:"/(?!\.[a-z]{2}$|$)/R"; http.cookie; content:"__test="; fast_pattern; depth:7; classtype:misc-activity; sid:2035555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Download (set)"; flow:to_server,established; content:"GET"; http_method; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/\/\?[A-Z]{10,}$/U"; flowbits:set,ET.andromeda; flowbits:noalert; classtype:trojan-activity; sid:2022572; rev:2; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2016_02_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; tls.cert_subject; content:"C=, ST=, L=, O=, OU=, CN="; endswith; bsize:25; fast_pattern; classtype:targeted-activity; sid:2023629; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M1"; flow:established,from_server; dsize:17; content:"|0c 00 00 00 00|info=command"; reference:md5,50eb7ae1d3c075dfc9c9e82a9fa9caf5; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:command-and-control; sid:2035903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2015_10_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request to note .youdao .com - Possible Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/yws/api/personal/file/"; content:"?method=download&shareKey="; distance:0; pcre:"/[a-f0-9]{32}$/UR"; http.host; content:"note.youdao.com"; fast_pattern; bsize:15; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; classtype:misc-activity; sid:2035681; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_31;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (dirs list)"; flow:established,from_server; content:"dirs=list"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036283; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Kaspov Related Hex In HTTP Accept Header"; flow:to_server,established; http.method; content:"GET"; http.accept; content:"|d1 69 4a cd 4f a4 77 44 bb 85 c3 6d 8d 4a 84 d6 86 a0 fa 1a af 8b d8 98 05 5e a0|"; startswith; fast_pattern; reference:md5,767370995ad5bdbcdaee2e3123cfe47c; classtype:bad-unknown; sid:2035768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (folders list)"; flow:established,from_server; content:"fldr="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036284; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Hex Executable String"; flow:to_client,established; file_data; content:"4D5A"; content:"63616E6E6F74"; fast_pattern; distance:178; within:12; content:"72756E"; distance:8; within:6; content:"444F53"; distance:8; within:6; classtype:misc-activity; sid:2035769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (files list)"; flow:established,from_server; content:"fles="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036285; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET HUNTING FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a 5c|WINDOWS|5c|system32|5c|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2022_04_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (ping) M1"; flow:established,from_server; content:"clping=Ping"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:trojan-activity; sid:2035904; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2016_02_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS Path to BusyBox"; flow:established,to_server; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputerhave"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:social-engineering; sid:2022577; rev:1; metadata:created_at 2016_03_01, updated_at 2016_03_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_03_01;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Header"; flow:to_server,established; http.header; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036223; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Spam/Phish Campaign Feb 25 2016"; flow:established,to_server; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/\/[a-z]\/\?[A-Z]{10}$/U"; pcre:"/^Host\x3a\x20[^\r\n]+\.pw\r?$/Hmi"; classtype:trojan-activity; sid:2022570; rev:3; metadata:created_at 2016_02_27, updated_at 2016_02_27;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Body"; flow:to_server,established; http.request_body; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036224; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP URI"; flow:to_server,established; http.uri; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036222; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC4_128_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 01 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022584; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (key)"; flow:established,to_server; http.uri; content:"/key"; startswith; bsize:4; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (payload)"; flow:established,to_server; http.uri; content:"/payload"; startswith; bsize:8; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, former_category POLICY, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Interesting Content-Type Inbound (application/x-sh)"; flow:established,from_server; http.header; content:"Content-Type|3a 20|application/x-sh"; fast_pattern; pcre:"/^(?:\x3b|\r\n)/R"; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types; classtype:policy-violation; sid:2031747; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_22;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; http.request_line; content:"GET / "; startswith; http.host; dotprefix; content:".google.com"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious Reversed String Inbound (Powershell)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"llehSrewoP"; nocase; classtype:bad-unknown; sid:2036350; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious Reversed String Inbound (Winmgmts)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3a|stmgmniw"; nocase; classtype:bad-unknown; sid:2036351; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2014_02_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Bot CnC Checkin (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?register=V2luZG93"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d4fdd80e3f4b1ef0e6c3904d91e5d319; classtype:bad-unknown; sid:2036381; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2022_04_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Bot CnC Beacon (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?beacon=V2luZG93"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d4fdd80e3f4b1ef0e6c3904d91e5d319; classtype:bad-unknown; sid:2036382; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2022_04_26;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:domain-c2; sid:2022613; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious SSL Certificate detected (Observed in US Government Bid Credential Phish)"; flow:established,to_client; tls.cert_subject; content:".gov.procurement."; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?\.gov\.procurement\.(?!\.)/"; classtype:bad-unknown; sid:2036393; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_04_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:exploit-kit; sid:2022620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"var _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036300; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:exploit-kit; sid:2022621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_16, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"function _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036301; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022623; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3"; flow:to_client,established; http.content_type; content:"text/html"; file_data; content:"return _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; content:!"FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT"; content:!"/cdn-cgi/bm/cv/result?req_id="; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022624; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; http.user_agent; content:"Agent"; depth:5; pcre:"/^Agent\d{5,6}$/i"; http.host; content:!"cloud.10jqka.com.cn"; content:!".maxthon.com"; classtype:trojan-activity; sid:2013315; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3A|"; content:"|22|mining."; within:9; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2017871; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2013_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Response (MS-Officecmd)"; flow:established,to_client; http.response_body; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern; reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-admin; sid:2034628; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:exploit-kit; sid:2022628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request (Likely Pentester CnC)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentest-macro?computer=c_"; fast_pattern; reference:md5,f7ddcef3607b41c593284dde397e35b8; classtype:command-and-control; sid:2034637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:exploit-kit; sid:2022629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RDP Authentication Bypass Attempt"; flow:established,to_server; content:"|03 00 00 2f 2a|"; startswith; content:"Cookie: mstshash="; dsize:<60; reference:url,pastebin.com/PSbQXJYL; classtype:attempted-admin; sid:2034857; rev:3; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2022_01_04, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:exploit-kit; sid:2022630; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_19, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING [TW] Internet Computer Domain Observed"; dns.query; content:".ic0.app"; endswith; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036464; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:exploit-kit; sid:2022635; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TW] Internet Computer HTTP Request Observed"; flow:established,to_server; http.host; content:".ic0.app"; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036465; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TW] Internet Computer HTTP Referer Observed"; flow:established,to_server; http.referer; content:".ic0.app/"; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036466; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text M2"; flow:established,from_server; file_data; content:"4D5A"; nocase; within:4; content:"50450000"; distance:0; content:"21546869732070726f6772616d"; nocase; fast_pattern; classtype:trojan-activity; sid:2022640; rev:2; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Internet Computer HTTP Location Redirect Observed"; flow:established,to_client; http.location; content:".ic0.app"; reference:url,internetcomputer.org; classtype:misc-activity; sid:2036467; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Suspicious HTTP Connection Header Observed"; flow:established,to_server; http.connection; content:!"upgrade"; nocase; content:!"keep-alive"; nocase; content:!"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|"; fast_pattern; nocase; classtype:misc-activity; sid:2036551; rev:2; metadata:created_at 2022_05_06, former_category HUNTING, updated_at 2022_05_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M1"; flow:established,to_server; http.uri; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9u"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:unknown; sid:2036566; rev:1; metadata:attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2022_05_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M2"; flow:established,to_server; http.uri; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvb"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:unknown; sid:2036567; rev:1; metadata:attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; reference:md5,8eaf3b7b72a9af5a85d01b674653ccac; classtype:pup-activity; sid:2014117; rev:4; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2012_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP URI M3"; flow:established,to_server; http.uri; content:"XaW5kb3dzIElQIENvbmZpZ3VyYXRpb2"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:unknown; sid:2036568; rev:1; metadata:attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:exploit-kit; sid:2022666; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M1"; flow:established,to_server; http.uri; content:"VjJsdVpHOTNjeUJKVUNCRGIyNW1hV2QxY21GMGFXOX"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036572; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:exploit-kit; sid:2022682; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M2"; flow:established,to_server; http.uri; content:"YybHVaRzkzY3lCSlVDQkRiMjVtYVdkMWNtRjBhVzl1"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022685; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M3"; flow:established,to_server; http.uri; content:"WMmx1Wkc5M2N5QkpVQ0JEYjI1bWFXZDFjbUYwYVc5d"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036574; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|32kl2rwsjvqjeui7"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022659; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_03_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M4"; flow:established,to_server; http.uri; content:"ZHBibVJ2ZDNNZ1NWQWdRMjl1Wm1sbmRYSmhkR2x2Y"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036575; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, updated_at 2016_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M5"; flow:established,to_server; http.uri; content:"RwYm1SdmQzTWdTVkFnUTI5dVptbG5kWEpoZEdsdm"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036576; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; reference:url,doc.emergingthreats.net/2011124; classtype:pup-activity; sid:2011124; rev:19; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M6"; flow:established,to_server; http.uri; content:"kcGJtUnZkM01nU1ZBZ1EyOXVabWxuZFhKaGRHbHZi"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036577; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, updated_at 2016_04_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M7"; flow:established,to_server; http.uri; content:"WGFXNWtiM2R6SUVsUUlFTnZibVpwWjNWeVlYUnBiM"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036578; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M8"; flow:established,to_server; http.uri; content:"hhVzVrYjNkeklFbFFJRU52Ym1acFozVnlZWFJwYj"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, updated_at 2016_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP URI M9"; flow:established,to_server; http.uri; content:"YYVc1a2IzZHpJRWxRSUVOdmJtWnBaM1Z5WVhScGIy"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|velodrivve|03|biz|00|"; fast_pattern; distance:0; content:"|00 01 00 01|"; distance:0; within:4; pcre:"/[a-z]{4,10}\x08velodrivve\x03biz\x00/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M1"; flow:established,to_server; http.request_body; content:"VjJsdVpHOTNjeUJKVUNCRGIyNW1hV2QxY21GMGFXOX"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:domain-c2; sid:2022713; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M2"; flow:established,to_server; http.request_body; content:"YybHVaRzkzY3lCSlVDQkRiMjVtYVdkMWNtRjBhVzl1"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M3"; flow:established,to_server; http.request_body; content:"WMmx1Wkc5M2N5QkpVQ0JEYjI1bWFXZDFjbUYwYVc5d"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, former_category MALWARE, updated_at 2018_10_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M4"; flow:established,to_server; http.request_body; content:"ZHBibVJ2ZDNNZ1NWQWdRMjl1Wm1sbmRYSmhkR2x2Y"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:exploit-kit; sid:2022724; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M5"; flow:established,to_server; http.request_body; content:"RwYm1SdmQzTWdTVkFnUTI5dVptbG5kWEpoZEdsdm"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:exploit-kit; sid:2022725; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M6"; flow:established,to_server; http.request_body; content:"kcGJtUnZkM01nU1ZBZ1EyOXVabWxuZFhKaGRHbHZi"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; flow:to_server; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M7"; flow:established,to_server; http.request_body; content:"WGFXNWtiM2R6SUVsUUlFTnZibVpwWjNWeVlYUnBiM"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036587; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow: established,to_server; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2001553; classtype:attempted-dos; sid:2001553; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M8"; flow:established,to_server; http.request_body; content:"hhVzVrYjNkeklFbFFJRU52Ym1acFozVnlZWFJwYj"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036588; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tcp $EXTERNAL_NET 10000: -> $HOME_NET 0:1023 (msg:"ET DOS Potential Tsunami SYN Flood Denial Of Service Attempt"; flags:S; flow:to_server; dsize:>900; threshold: type both, count 20, seconds 120, track by_src; reference:url,security.radware.com/uploadedFiles/Resources_and_Content/Threat/TsunamiSYNFloodAttack.pdf; classtype:attempted-dos; sid:2019404; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Base64 Encoded ipconfig sent via HTTP Requset Body M9"; flow:established,to_server; http.request_body; content:"YYVc1a2IzZHpJRWxRSUVOdmJtWnBaM1Z5WVhScGIy"; fast_pattern; pcre:"/(?:R(?:Mjl1Ym1WamRHbHZiaTF6Y0dWamFXWnBZeUJFVGxNZ1UzVm1abWw0|GIyNXVaV04wYVc5dUxYTndaV05wWm1saklFUk9VeUJUZFdabWFY|iMjV1WldOMGFXOXVMWE53WldOcFptbGpJRVJPVXlCVGRXWm1hW)|E(?:yOXVibVZqZEdsdmJpMXpjR1ZqYVdacFl5QkVUbE1nVTNWbVptbD|YjI1dVpXTjBhVzl1TFhOd1pXTnBabWxqSUVST1V5QlRkV1ptYV)|UTI5dWJtVmpkR2x2YmkxemNHVmphV1pwWXlCRVRsTWdVM1ZtWm1sN|TnZibTVsWTNScGIyNHRjM0JsWTJsbWFXTWdSRTVUSUZOMVptWnBl|52Ym01bFkzUnBiMjR0YzNCbFkybG1hV01nUkU1VElGTjFabVpwZ|OdmJtNWxZM1JwYjI0dGMzQmxZMmxtYVdNZ1JFNVRJRk4xWm1acG)/R"; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022714; rev:3; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded ipconfig In Server Response M1"; flow:established,to_client; http.response_body; content:"aXBjb25maW"; fast_pattern; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022733; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded ipconfig In Server Response M2"; flow:established,to_client; http.response_body; content:"lwY29uZmln"; fast_pattern; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022734; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded ipconfig In Server Response M3"; flow:established,to_client; http.response_body; content:"pcGNvbmZpZ"; fast_pattern; reference:md5,65c64c5aa55d3d78f08456cb20012fcf; classtype:unknown; sid:2036571; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_05_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_05_12;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022735; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible PHP Backdoor Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; content:"=system|28 27|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.ic3.gov/Media/News/2022/220516.pdf; classtype:trojan-activity; sid:2036626; rev:1; metadata:affected_product PHP, attack_target Web_Server, created_at 2022_05_18, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:exploit-kit; sid:2020300; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
+alert tcp $HOME_NET ![80,8080] -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_05_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:exploit-kit; sid:2014438; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; http.method; content:"POST"; http.content_len; content:"0"; bsize:1; endswith; http.request_body; bsize:>0; classtype:bad-unknown; sid:2011819; rev:5; metadata:created_at 2010_10_15, former_category POLICY, updated_at 2022_05_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_raw_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TW] Uri Contains Likely Urlpages Web Hosting Technique"; flow:established,to_server; http.uri; content:"#eyJ2ZXJzaW9uIjoiMC4yLjAiLCJjb21wcmVzc2Vk"; isdataat:5000; reference:url,github.com/jstrieb/urlpages; classtype:misc-activity; sid:2036744; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_06_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FAKEAV CryptMEN - 302 Redirect"; flow:established,from_server; content:"Cookie|3a| Hello-friend="; http_raw_header; classtype:bad-unknown; sid:2011920; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Page Contains Redirect to Likely Urlpages Web Hosting Technique"; flow:established,to_client; file_data; content:"window.location.replace("; content:"#eyJ2ZXJzaW9uIjoiMC4yLjAiLCJjb21wcmVzc2Vk"; distance:0; reference:url,github.com/jstrieb/urlpages; classtype:misc-activity; sid:2036745; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_06_01;)
 
-alert tcp any !80 -> $HOME_NET any (msg:"ET EXPLOIT Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, former_category CURRENT_EVENTS, updated_at 2016_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Fake Edu Host On InfinityFree Service"; flow:established,to_server; http.method; content:"GET"; http.host; content:"edu.rf.gd"; endswith; fast_pattern; pcre:"/.*[^A-Za-z0-9]edu\.rf\.gd$/"; classtype:misc-activity; sid:2036761; rev:1; metadata:created_at 2022_06_02, former_category HUNTING, updated_at 2022_06_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:exploit-kit; sid:2022751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_20, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING DNS Lookup to (laurentprotector .com)"; dns.query; content:"laurentprotector.com"; nocase; bsize:20; classtype:bad-unknown; sid:2036852; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:exploit-kit; sid:2022752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_21, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Domain (laurentprotector .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"laurentprotector.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2036853; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible GRANT TO SQL Injection Attempt"; flow:established,to_server; content:"GRANT"; nocase; http_uri; content:"TO"; nocase; http_uri; pcre:"/GRANT.{1,5}TO/Ui"; reference:url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm; classtype:web-application-attack; sid:2013068; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING File Sharing Related Domain in DNS Lookup (download .mediafire .com)"; dns.query; content:"download"; startswith; content:".mediafire.com"; endswith; classtype:bad-unknown; sid:2036936; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_06_09;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/i"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002725; classtype:web-application-attack; sid:2002725; rev:14; metadata:created_at 2010_07_30, updated_at 2016_04_25;)
+alert dns $HOME_NET any -> any any (msg:"ET HUNTING File Sharing Related Domain in DNS Lookup (filesend .jp)"; dns.query; dotprefix; content:".filesend.jp"; nocase; endswith; classtype:bad-unknown; sid:2036937; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET HUNTING Suspicious User-Agent Beginning with digits - Likely spyware/trojan"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| "; content:!"|0d 0a|User-Agent|3a| Mozilla/"; pcre:"/^\d+/V"; content:!"liveupdate.symantecliveupdate.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010697; classtype:trojan-activity; sid:2010697; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Cloned Page Hosted on Microsoft Hosting"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server|3a 20|Windows-Azure-Web/"; file.data; content:"<!-- saved from url=("; within:100; fast_pattern; classtype:misc-activity; sid:2030680; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category PHISHING, signature_severity Informational, tag Phishing, updated_at 2020_08_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (record)"; flow:established,to_server; http.user_agent; content:"record"; fast_pattern; bsize:6; reference:md5,c00ee58c2ec98724a1e865cb91703ff1; classtype:trojan-activity; sid:2036956; rev:1; metadata:created_at 2022_06_09, former_category HUNTING, updated_at 2022_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:3; metadata:created_at 2012_08_29, updated_at 2016_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Generic Stealer Sending System Information"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"filename=|22|System Info.txt|22|"; fast_pattern; reference:md5,0a7b32e75a01764ef5389a1d9e72ed63; classtype:misc-activity; sid:2036884; rev:3; metadata:created_at 2022_06_06, former_category HUNTING, updated_at 2022_06_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blizzard Downloader"; flow: established,to_server; content: "User-Agent|3a| Blizzard Downloader"; nocase; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002855; classtype:policy-violation; sid:2002855; rev:8; metadata:created_at 2010_07_30, updated_at 2016_04_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Generic Stealer Sending a Screenshot"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"filename=|22|---Screenshot.jpeg|22|"; fast_pattern; reference:md5,0a7b32e75a01764ef5389a1d9e72ed63; classtype:misc-activity; sid:2036885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED String Replace in PDF File, Likely Hostile"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:".replace|28|"; nocase; reference:url,www.w3schools.com/jsref/jsref_replace.asp; classtype:bad-unknown; sid:2011504; rev:6; metadata:created_at 2010_09_27, updated_at 2016_05_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Steam_htmlcache.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"Steam_htmlcache.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2037091; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2022_06_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; nocase; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:13; metadata:created_at 2010_09_23, updated_at 2016_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed TinyNuke Admin Panel URL Pattern"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/panel/admin/login.php"; bsize:22; startswith; fast_pattern; reference:url,twitter.com/ViriBack/status/1540328577425612802; classtype:bad-unknown; sid:2037106; rev:1; metadata:created_at 2022_06_24, former_category HUNTING, malware_family TinyNuke, updated_at 2022_06_24;)
 
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED FedEX Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|FedEX_"; nocase; classtype:trojan-activity; sid:2011979; rev:3; metadata:created_at 2010_11_24, updated_at 2016_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Invalid User-Agent - MSIE 9 on Windows NT 5"; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 9.0|3b| Windows NT 5."; fast_pattern; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:bad-unknown; sid:2016897; rev:9; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022795; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET HUNTING Self-Signed Cert O=XX Observed"; flow:established,to_client; tls.cert_subject; content:"O=XX"; fast_pattern; tls.cert_issuer; content:"O=XX"; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_17, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2022_04_11;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022796; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Microsoft Office User-Agent Requesting A Doc File"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2edoc[xm]?$/"; http.user_agent; content:"|3b 20|ms|2d|office|3b|"; fast_pattern; classtype:bad-unknown; sid:2037155; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Minor, updated_at 2022_06_29;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:domain-c2; sid:2022799; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Microsoft Office User-Agent Requesting An Excel File"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2exls[xm]?$/"; http.user_agent; content:"|3b 20|ms|2d|office|3b|"; fast_pattern; classtype:bad-unknown; sid:2037156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Minor, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:exploit-kit; sid:2020896; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Mozilla/5.0_)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0_"; fast_pattern; classtype:bad-unknown; sid:2037715; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_07_07;)
 
-alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13; metadata:created_at 2010_07_30, updated_at 2016_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GET Request to Pastebin .com with PowerShell User-Agent"; flow:established,to_server; http.method; content:"GET"; http.host; content:"pastebin.com"; endswith; http.user_agent; content:"WindowsPowerShell/5"; fast_pattern; classtype:bad-unknown; sid:2037753; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_13, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_07_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:exploit-kit; sid:2022805; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_13, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for WordPress Site ending in all digits"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; startswith; fast_pattern; pcre:"/\/\d+$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Cookie|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; classtype:trojan-activity; sid:2037880; rev:1; metadata:created_at 2022_08_02, former_category HUNTING, performance_impact Moderate, updated_at 2022_08_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible COVID-19 Domain in SSL Certificate M2"; flow:established,to_client; tls.cert_subject; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; content:!"CN=*.nicovideo.jp"; classtype:bad-unknown; sid:2029706; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2022_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Status Messages"; flow:established,to_server; content:".php?context="; fast_pattern; http_uri; content:"&status="; http_uri; distance:0; content:"&sesid="; http_uri; distance:0; content:"&iid="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022808; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
+alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1"; flow:established,to_server; tls.sni; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; content:!".nicovideo.jp"; isdataat:!1,relative; content:!"strib-covid-data.s3.amazonaws.com"; isdataat:!1,relative; content:!"nicovideo.cdn.nimg.jp"; isdataat:!1,relative; classtype:bad-unknown; sid:2029707; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2022_08_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M1"; flow:established,to_server; content:".php?a="; fast_pattern; http_uri; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022809; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Taplika Browser Hijacker Checkin M2"; flow:established,to_server; content:"/?f="; depth:4; http_uri; fast_pattern; content:"&a="; http_uri; distance:0; content:"&cd="; http_uri; distance:0; content:"&cr="; http_uri; distance:0; content:"&ir="; http_uri; distance:0; reference:md5,02aa7a5e3a78f1a50ae5f72519787bb9; reference:url,malwaretips.com/blogs/remove-taplika-virus/; classtype:trojan-activity; sid:2022810; rev:2; metadata:created_at 2016_05_16, former_category MALWARE, updated_at 2018_03_14;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre SSL Cert venturesonsite.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|venturesonsite.com"; distance:1; within:19; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019077; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:2100388; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022736; rev:4; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:2100390; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:2100394; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:2100395; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:domain-c2; sid:2022833; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:2100396; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:2100397; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:2100398; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:2100399; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:2100400; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing May 31 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"value=|22|#ffffff|22|"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)\x22/Rsi"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025043; rev:2; metadata:created_at 2016_05_31, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:2100401; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:command-and-control; sid:2022861; rev:1; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2016_06_06;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:2100402; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:2100403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022877; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:2100404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022878; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:2100405; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022879; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:2100406; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022868; rev:4; metadata:attack_target Client_and_Server, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:2100408; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022880; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:2100410; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET MALWARE Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022882; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:2100411; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET MALWARE Qarallax RAT Keepalive C2"; flow:from_server,established; flowbits:isset,ET.qarallax; content:"|00 00 0c 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022883; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:2100413; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M0"; flow:established,to_server; urilen:40<>65; content:"0"; http_uri; offset:40; depth:15; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])0(?:(?P=sep)|\d)*?$/Ui"; classtype:exploit-kit; sid:2020995; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100363; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M1"; flow:established,to_server; urilen:40<>65; content:"1"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])1(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020996; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:2100364; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M2"; flow:established,to_server; urilen:40<>65; content:"2"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])2(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2020997; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Information Request"; icode:0; itype:15; classtype:misc-activity; sid:2100417; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M5"; flow:established,to_server; urilen:40<>65; content:"5"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])5(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021000; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:2100419; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M6"; flow:established,to_server; urilen:40<>65; content:"6"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])6(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021001; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:2100421; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M7"; flow:established,to_server; urilen:40<>65; content:"7"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])7(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021002; rev:4; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:2100423; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M8"; flow:established,to_server; urilen:40<>65; content:"8"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])8(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021003; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fiesta Payload/Exploit URI Struct M9"; flow:established,to_server; urilen:40<>65; content:"9"; http_uri; offset:40; depth:10; pcre:"/^\/[a-z0-9_-]+\/[A-Za-z0-9_-]{36}(?P<sep>[\x2c\x3b])9(?:(?P=sep)|\d)*?$/U"; classtype:exploit-kit; sid:2021004; rev:5; metadata:created_at 2015_04_24, updated_at 2016_06_09;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:2100368; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014830; rev:3; metadata:created_at 2012_05_30, updated_at 2016_06_10;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:2100369; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; content:"bgcolor"; content:"<html>"; pcre:"/^\s*?<body>(?:\s*<\/?[^\s\x2f>]+>\s*)*\s*?<object(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value=\x22#[a-f0-9]{6}\x22[^>]*?>\s*?\n\s*?<param(?=[^>]*?name\s*?=\s*?\x22allowScriptAccess\x22)[^>]*?value=\x22always\x22[^>]*?>\s*?\n\s*?).{1,1000}?\s<\/object>\s+<\/body>\s+<\/html>\s*$/Rs"; content:" name"; pcre:"/^\s*=\s*(?P<var1>[\x22\x27][a-z]+[\x22\x27]).+?\sid\s*=\s*(?P=var1)/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025044; rev:2; metadata:created_at 2016_06_11, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:2100370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"|3c 2f 73 63 72 69 70 74 3e 0a 3c 6f 62 6a 65 63 74|"; within:150; pcre:"/^(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025045; rev:2; metadata:created_at 2016_06_12, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:2100371; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|brutus.neuronio.pt"; distance:1; within:19; content:"|0c|sampo@iki.fi"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021521; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:2100373; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:2100374; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"data="; nocase; http_client_body; depth:5; content:"ew0KCSJhZGRyZXNzIiA6"; fast_pattern; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:command-and-control; sid:2022891; rev:2; metadata:created_at 2016_06_13, former_category MALWARE, updated_at 2016_06_13;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:2100375; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,doc.emergingthreats.net/bin/view/Main/2002065; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_14;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:2100376; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL DELETED WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:8; metadata:created_at 2010_09_23, updated_at 2016_06_14;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:2100377; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:2100378; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:md5,d6b3baae9fb476f0cf3196e556cab348; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; classtype:command-and-control; sid:2012892; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:2100379; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4; metadata:created_at 2014_10_15, updated_at 2016_06_21;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Seer Windows"; itype:8; content:"|88 04|              "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:2100380; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LoadMoney User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|Downloader 18.7|0d 0a|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022911; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category MALWARE, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:2100381; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M2"; flow:established,from_server; content:"nginx"; http_header; nocase; file_data; content:"<script>"; within:500; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>\s*<object(?=[^\r\n]*d27cdb6e-ae6d-11cf-96b8-444553540000)[^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P<var>[a-z]+)[\x22\x27][^\r\n]*\s(?:name|id)\s*=\s*[\x22\x27](?P=var)[\x22\x27][^\r\n]*>[\r\n]+(?P<spc>\s+)<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22bgcolor\x22)[^\r\n]*>[\r\n]+(?P=spc)<param(?=[^\r\n>]*name\s*?=\s*?\x22allowScriptAccess\x22)[^\r\n]*>[\r\n]+(?P=spc)<embed(?=[^\r\n]*\ssrc\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27])[^\r\n]+[\r\n]*<\/object>\s*<\/body>\s*<\/html>\s*$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025046; rev:2; metadata:created_at 2016_06_24, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:2100482; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1; metadata:created_at 2016_06_24, updated_at 2016_06_24;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:2100382; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022920; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:2100480; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022921; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING"; icode:0; itype:8; classtype:misc-activity; sid:2100384; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:2100436; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:2; metadata:created_at 2016_06_29, updated_at 2016_06_29;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:2100437; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:2100441; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:2100443; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, updated_at 2016_06_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO SKIP"; icode:0; itype:39; classtype:misc-activity; sid:2100445; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022943; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:2100477; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022944; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:2100481; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:2100451; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022946; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:2100453; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|62 5f 39 34 38 38 33 66 36 34 35 33 31 65 65 37 62 31 37 61 37 33 62 38 32 33 66 5f 63 31 61 36 63 63 36 36 37 65|"; fast_pattern; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025049; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:2100455; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"|3c 68 31 3e 62 6c 61 63 6b 62 6f 78 3c 2f 68 31 3e|"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:2100456; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Landing Jul 04 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; content:"name"; pcre:"/^\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/[^\x22\x27]*\.html\.swf[\x22\x27]/R"; content:".html.swf"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025051; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:2100472; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2016_07_05;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:2100473; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"<object"; content:"  <param"; distance:0; pcre:"/^[^>]*name\s*=\s*[\x22\x27]bgcolor[\x22\x27]/R"; content:"<script>"; pcre:"/^(?:\s*var\s[a-z]+\s*=\s*\d+\x3b\s*\n)*\s*<\/script>/Rs"; content:" id"; distance:0; pcre:"/^\s*=\s*[\x22\x27][a-z]+[\x22\x27]/R"; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025047; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:2100475; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022922; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:2100385; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:social-engineering; sid:2022954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:2100458; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:domain-c2; sid:2022888; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_10, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:2100460; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zb-hb)"; flow:to_server,established; content:"zb-hb-"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+zb-hb-/Hi"; reference:url,doc.emergingthreats.net/2003223; classtype:trojan-activity; sid:2003223; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:2100462; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Halberd Load Balanced Webserver Detection Scan"; flow:to_server,established; content:"Pragma|3a| no-cache"; http_header; content:"Firefox/1.0.3"; http_header; fast_pattern; offset:40; depth:40; threshold: type threshold, track by_src, count 40, seconds 15; reference:url,www.halberd.superadditive.com; reference:url,doc.emergingthreats.net/2008536; classtype:attempted-recon; sid:2008536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:2100386; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED SQLCheck Database Scan Detected"; flow:to_server,established; content:"%20FROM%20customers"; fast_pattern:only; content:"User-Agent|3a| Lynx/2.8.6rel.4 libwww-FM/2.14"; http_header; threshold: type threshold, track by_dst, count 10, seconds 20; reference:url,wiki.remote-exploit.org/backtrack/wiki/SQLcheck; reference:url,doc.emergingthreats.net/2009478; classtype:attempted-recon; sid:2009478; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP_INFO Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:2100415; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL DELETED IRC nick change"; flow:to_server,established; content:"NICK "; depth:5; fast_pattern; classtype:policy-violation; sid:2100542; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:2100485; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing June 11 2016 M4 (with URI Primer)"; flow:established,from_server; flowbits:isset,Neutrino.URI.Primer; content:"Server|3a 20|nginx"; http_header; file_data; content:"allowScriptAccess"; fast_pattern:only; content:"movie"; content:"value"; pcre:"/^\s*=\s*[\x22\x27]\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)[\x22\x27]/R"; content:"bgcolor"; nocase; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025048; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:2100486; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Job314/Neutrino Reboot EK Flash Exploit Jan 07 2015 M2"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern; content:!"|0d 0a|Cookie|3a|"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|(?=[a-z]*\d+[a-z]+\d)(?=\d*[a-z]+\d+[a-z])[a-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?=[a-z\d]*?[A-Z]{2}\d+))(?:\.swf)?|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}(?:\.html)?(?:\.swf)?)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f(?P<host>[^\r\n\x3a\x2f]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=host)(?:\x3a\d{1,5})?\r\n/Hsi"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025042; rev:3; metadata:created_at 2016_01_08, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert icmp any any -> any any (msg:"GPL ICMP_INFO Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:2100487; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:exploit-kit; sid:2022956; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_11;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022957; rev:2; metadata:created_at 2016_07_11, updated_at 2016_07_11;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:2100387; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Account Exceeded Quota Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>WebMail"; nocase; fast_pattern; content:"E-Mail account has exceeded"; nocase; distance:0; content:"upgrade your mailbox"; nocase; distance:0; content:"avoid disrupt and lost"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_11;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:2100389; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"18,0,0,366|0d 0a|"; distance:0; within:12; http_header;  content:!"22,0,0,209|0d 0a|"; distance:0; within:12; http_header; content:"Macintosh"; http_user_agent; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:60; metadata:created_at 2012_05_09, updated_at 2020_08_20;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:2100391; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"// stop for sometime if needed"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019541; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_12;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:2100393; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:2100392; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/^[^\r\n]*\/[0-9a-f]{78}\sHTTP/Ri"; reference:url,doc.emergingthreats.net/2007755; classtype:trojan-activity; sid:2007755; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Destination Unreachable undefined code"; icode:>15; itype:3; classtype:misc-activity; sid:2100407; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:exploit-kit; sid:2022964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_13;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:2100409; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_07, former_category CURRENT_EVENTS, updated_at 2016_07_13;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:2100412; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Bart .onion Payment Domain (khh5cmzh5q7yp7th)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|khh5cmzh5q7yp7th"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:2100414; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:to_server; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:2100418; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:to_server; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:2100466; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:to_server; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2100499; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2001904; classtype:misc-activity; sid:2001904; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:2100420; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; reference:url,doc.emergingthreats.net/2002973; classtype:misc-activity; sid:2002973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:2100422; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2008230; classtype:misc-activity; sid:2008230; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:2100424; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M1"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021263; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:2100365; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M2"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; classtype:exploit-kit; sid:2021264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:2100425; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Angler EK Landing URI Struct June 13 M3"; flow:established,to_server; urilen:27<>114; content:"/index.php?"; depth:11; http_uri; pcre:"/^\/index\.php\?[a-z]{8,80}=(?:\d{10,13}|\d{15,20})$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_13, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:2100426; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct T1"; flow:to_server,established; urilen:>14; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".html"; http_uri; fast_pattern; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.html$/U"; pcre:"/Host\x3a\x20(?=[0-9]{0,22}[a-z])(?=[a-z]*?[0-9][a-z]{0,22}[0-9])[a-z0-9]{23}\x2e[^\x2e\r\n]+\x2e[^\x2e\r\n]/H"; classtype:exploit-kit; sid:2021040; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:2100427; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Nuclear EK Landing URI Struct Oct 26 2015"; flow:to_server,established; content:".php?option=com_"; http_uri; content:"&itemid="; http_uri; content:"&id="; http_uri; pcre:"/&id=\d+(?:\x3a(?:[a-z0-9]*?[A-Z])(?:[A-Z0-9]*?[a-z])[A-Za-z0-9]{10,}\.{0,2})?&catid=\d+&itemid=\d+$/U"; classtype:exploit-kit; sid:2021999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_18;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:2100428; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2017_10_12;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:2100429; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:social-engineering; sid:2022974; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:2100430; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:pup-activity; sid:2020422; rev:15; metadata:created_at 2015_02_13, former_category ADWARE_PUP, updated_at 2016_07_20;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:2100431; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:social-engineering; sid:2022981; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_21;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:2100432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lethic - Client Alive"; flow:established,to_server; dsize:6; content:"|01 00 21 01|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:3; metadata:created_at 2012_07_25, updated_at 2016_07_26;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:2100433; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:exploit-kit; sid:2022984; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_07_26;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:2100438; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|svr2"; distance:1; within:5; tls.fingerprint:"0e:03:44:08:34:6e:2c:66:fa:ec:a8:f8:97:24:ea:1f:f6:c7:5a:5e"; reference:md5,87223f535afd8b11dd79c6f39fc059d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018600; rev:12; metadata:attack_target Client_and_Server, created_at 2014_06_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:2100440; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|20|kpai7ycr7jxqkilp.torexplorer.com"; tls.fingerprint:"0e:dd:72:24:52:c1:2c:68:6f:16:a7:ee:7b:e7:4b:56:e8:9a:6d:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018693; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:2100439; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1b|corporati-sdfs222222you.com"; fast_pattern:8,20; tls.fingerprint:"19:56:b7:ff:84:f6:f8:41:f5:b5:8d:63:76:88:59:b6:d5:f0:3d:3c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018694; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:2100446; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|11|evergreen.kiev.ua"; fast_pattern:only; tls.fingerprint:"1a:3f:a8:f8:56:d4:da:64:83:f0:7b:29:40:41:cf:84:2e:b4:e9:b5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018695; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:2100448; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|kilomenter.com"; tls.fingerprint:"25:c3:39:6d:47:d5:df:12:fa:af:dd:06:68:7e:7e:69:f8:fc:6f:e8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018697; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:2100452; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|21|worldwidetrading-compaanny2you.su"; fast_pattern:9,20; tls.fingerprint:"28:49:e8:47:e0:d5:ba:85:bf:59:18:2a:92:e5:35:41:d5:5f:a8:dc"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018698; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:2100454; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.net"; fast_pattern:only; tls.fingerprint:"34:8e:8f:a3:05:d8:b1:e5:fe:d5:3c:07:1e:dd:58:e7:a0:c9:d9:d4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018699; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:2100457; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Malware C2)"; flow:established,from_server; content:"|0e|jpyjcy0qmd.gov"; fast_pattern:only; tls.fingerprint:"36:ae:19:7c:21:ca:c2:56:0f:6d:6e:dc:a5:0c:46:3e:a0:49:f1:52"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018700; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:2100459; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0d|riffpedia.net"; fast_pattern:only; tls.fingerprint:"46:de:ba:70:b2:f5:e1:7b:a8:54:cf:02:26:ec:5b:df:8f:b0:06:7b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018701; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:2100461; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0f|slksecurity.com"; fast_pattern:only; tls.fingerprint:"4b:1d:64:c1:63:7a:ae:42:7a:a0:7d:6c:75:6c:13:b9:77:71:56:03"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018702; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:2100463; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|12|billing-service.ru"; fast_pattern:only; tls.fingerprint:"4e:ac:f7:ce:46:3d:ff:ae:b2:40:cb:d9:7a:09:f0:dd:42:08:e7:48"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018704; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:2100416; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0e|ckytiqfles.com"; fast_pattern:only; tls.fingerprint:"4f:b4:c8:1e:f5:c1:bf:0e:2e:53:3d:8c:46:63:40:67:a1:5f:25:fe"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018705; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:2100450; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|web-names1.com"; fast_pattern:only; tls.fingerprint:"59:c1:d3:55:1c:d5:43:55:39:10:72:03:0d:21:57:7a:c6:5a:49:83"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018706; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:2100197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|09|server265"; fast_pattern:only; tls.fingerprint:"65:a7:7d:36:d1:b5:36:65:f6:0d:19:71:89:24:50:4f:7d:3f:95:08"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018707; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|13|statistic4he2om.com"; fast_pattern:only; tls.fingerprint:"69:c6:78:70:7b:fd:48:36:29:15:71:fb:ae:40:04:59:c9:0b:9e:ed"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018708; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|17|delfi-fro-youindigo.com"; tls.fingerprint:"72:ce:ed:55:39:c6:0f:e7:ef:db:c8:7e:77:7f:73:1c:75:d3:ff:ea"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018711; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|secureonesee.com"; fast_pattern:only; tls.fingerprint:"74:06:45:7d:94:2e:bc:79:e4:91:45:4c:d5:7d:fc:f9:bc:c8:95:af"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018712; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|bitcoin-send.ru"; fast_pattern:only; tls.fingerprint:"78:0e:3b:97:7f:c1:19:e7:a0:e1:cd:51:92:90:9b:a0:ba:95:c8:c7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018714; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS C2)"; flow:established,from_server; content:"|06|lzx.su"; fast_pattern:only; tls.fingerprint:"79:67:bb:dd:e9:c1:17:46:8d:26:cd:de:db:20:e2:1c:46:63:bd:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018715; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server8"; fast_pattern:only; tls.fingerprint:"9d:5f:4b:bd:00:81:77:0e:67:43:31:e9:a0:db:e7:45:c9:85:e8:50"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018716; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:500,relative; pcre:"/\sFETCH\s[^\n]{500}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103070; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|1c|kpai7ycr7jxqkilp.tor2www.com"; tls.fingerprint:"a7:da:82:eb:15:e9:87:09:ba:62:5c:84:3d:bb:e7:ad:d3:24:6a:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018717; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1a|root@localhost.localdomain"; tls.fingerprint:"a8:c7:79:04:f3:e6:1e:6d:18:2d:7a:69:15:25:c4:09:ff:12:ef:86"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018718; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2)"; flow:established,from_server; content:"|10|Internet Banking"; fast_pattern:only; tls.fingerprint:"b0:03:44:3e:f1:2b:5f:f4:4b:5a:00:a2:68:d2:09:5b:43:d2:a8:6f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018720; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|15|futuredynamicteam.com"; tls.fingerprint:"b6:02:85:17:c1:0f:e9:e3:10:48:f0:2e:58:53:e5:c1:74:1f:ef:b8"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018721; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101780; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2)"; flow:established,from_server; content:"|0f|security256.com"; fast_pattern:only; tls.fingerprint:"ba:e6:e4:56:b7:23:9d:2e:01:cd:2a:bb:6a:10:13:9d:96:3c:73:14"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018722; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0f|sec-picture.net"; fast_pattern:only; tls.fingerprint:"c8:7e:eb:70:75:75:e5:23:8d:77:73:10:2d:f1:73:07:2a:bb:bf:0b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018723; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; isdataat:100,relative; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2102330; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|1d|planet2wideg2yandex-corti.com"; tls.fingerprint:"c9:b0:97:d6:2d:6f:7b:36:5f:88:fc:ec:1d:a9:4d:ed:5e:d9:32:1f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018724; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|0c|kin.pgsox.cc"; fast_pattern:only; tls.fingerprint:"cb:f6:8e:89:9c:14:cd:be:d2:5b:20:d3:98:ce:67:24:d6:0d:e0:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018725; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|bitcoin-beta.com"; fast_pattern:only; tls.fingerprint:"d4:fa:65:54:b5:f6:24:3a:50:eb:14:53:e4:40:bb:a5:8d:a5:6f:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018726; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|10|invoice-maker.ru"; fast_pattern:only; tls.fingerprint:"d7:b1:19:96:6c:5b:41:dd:99:b2:e1:e1:c8:74:5f:cb:65:f8:09:de"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018727; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2102107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|poppperdropper.com"; fast_pattern:only; tls.fingerprint:"dd:bd:80:27:40:3b:bd:f2:17:e6:34:53:0b:ee:72:40:ce:d6:8a:8e"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018728; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102106; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|www.total4me.org"; fast_pattern:only; tls.fingerprint:"df:4b:2f:32:9f:19:f8:a5:02:33:e4:f5:1e:e1:61:6e:b8:0d:c7:f1"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018729; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2102105; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|06|0bg.ru"; fast_pattern:only; tls.fingerprint:"df:9c:32:dd:ba:0b:e9:6f:08:52:bc:59:3d:a3:d7:82:12:b1:d5:45"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018730; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; isdataat:1024,relative; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2102046; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|10|greengarden1.com"; fast_pattern:only; tls.fingerprint:"e8:52:a3:e8:cd:0b:eb:2d:28:df:62:2e:2c:a4:d5:4d:f4:3c:cc:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018731; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|07|server9"; fast_pattern:only; tls.fingerprint:"f5:e2:b6:7a:1e:92:49:ab:ac:d0:4f:68:36:9b:2a:0d:fb:0b:4f:d7"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018732; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0e|fileprofes.com"; fast_pattern:only; tls.fingerprint:"f9:86:e8:fa:b5:55:bb:db:96:9f:f2:4c:48:8c:d9:66:09:43:5e:ec"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018733; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|0b|gorms4tu.be"; fast_pattern:only; tls.fingerprint:"ff:15:52:d1:df:5c:d0:0e:c5:69:00:31:9e:9f:24:80:4a:e6:0c:63"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018734; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"47:46:41:98:fc:47:5a:2e:a1:76:18:38:b1:f8:0d:ea:e7:99:d0:5f"; classtype:domain-c2; sid:2018736; rev:8; metadata:attack_target Client_and_Server, created_at 2014_06_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|pistofon.ru"; distance:1; within:12; content:"|13|someone@pistofon.ru"; fast_pattern:only; tls.fingerprint:"43:cb:f3:ff:69:9b:3d:dc:58:29:17:bd:ff:41:ed:59:13:c7:39:8a"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018746; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|trustasia.asia"; distance:1; within:15; tls.fingerprint:"09:f0:c1:86:37:73:63:98:2c:19:7a:ed:2a:ca:60:2d:ce:4f:cf:16"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018747; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nagchampa.in"; distance:1; within:13; tls.fingerprint:"cd:bc:8b:c2:e9:63:ee:6c:e5:18:e0:6a:92:42:a5:4a:28:19:eb:7f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018851; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"1e:0f:3d:14:42:f9:52:2b:24:25:15:cb:69:68:a1:0b:08:f4:85:7c"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018858; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ac 31 2f c6 b3 12 c1 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"be:1a:58:4a:85:c8:79:f8:55:5d:98:4f:c3:6b:ef:69:db:6d:8a:d5"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018859; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 dd 04 88 42 80 63 7d af|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"80:ac:8f:7c:a8:c6:dd:1b:5b:23:17:63:e9:09:50:52:40:a9:d1:a6"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018860; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"4d:0f:1f:0f:96:85:ef:f1:24:e5:6a:31:19:2a:2b:ea:e7:88:d8:8b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018861; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"ab:92:db:cc:12:05:45:36:1d:3a:cc:c5:50:d4:e5:79:67:d4:85:71"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018862; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; fast_pattern; distance:1; within:20; tls.fingerprint:"f7:41:76:2e:a8:09:4a:8d:95:ad:84:ba:ea:0d:42:e8:0c:e5:84:d0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018863; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ab 62 ca a2 20 83 75 2d|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"bc:08:3e:da:9c:3a:84:fa:bf:6d:39:23:7e:bb:7a:d8:65:54:0b:56"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018864; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 f6 57 75 bc c6 71 7c 74|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"0b:b0:85:d5:61:df:07:c8:89:e5:ba:d5:1c:84:63:71:d4:fc:fd:61"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018865; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 cf 22 8c cf e7 2c 1b 1f|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"a9:24:0e:12:4a:b9:4f:16:74:4d:54:c2:50:f2:df:46:1d:dc:39:2b"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018866; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|msvsprot.com"; distance:1; within:13; tls.fingerprint:"ea:ab:3c:a3:76:94:c8:9d:57:b9:21:b4:f3:93:0b:af:de:02:2d:e0"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018910; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn preteen"; flow: from_server,established; content:"preteen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001346; classtype:policy-violation; sid:2001346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|local.domain"; distance:1; within:13; tls.fingerprint:"8f:37:76:15:40:99:b6:c2:dc:34:b8:c3:7f:f5:21:17:21:44:a9:a4"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018911; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pre-teen"; flow: from_server,established; content:"pre-teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001347; classtype:policy-violation; sid:2001347; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e5:0e:e9:90:a3:12:b9:e2:e6:8c:46:d1:89:e1:e9:23:81:74:1b:f9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018915; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn early teen"; flow: from_server,established; content:"early teen"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001348; classtype:policy-violation; sid:2001348; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 08 13 0a|Some-State"; content:"|13 18|Internet Widgits Pty"; within:35; tls.fingerprint:"e6:d3:0c:d0:41:d1:9d:3a:3e:9c:82:e0:b9:e3:e1:67:ad:0f:ee:9f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018916; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn zeps"; flow: from_server,established; content:" zeps "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001387; classtype:policy-violation; sid:2001387; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 ff 7f 8a 27 bf 5c f4 53|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; tls.fingerprint:"35:66:21:93:91:b9:56:61:88:b4:c8:02:1e:a3:eb:c6:1c:97:35:c3"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018937; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn r@ygold"; flow: from_server,established; content:" r@ygold "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001388; classtype:policy-violation; sid:2001388; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:social-engineering; sid:2022991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn childlover"; flow: from_server,established; content:" childlover "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001389; classtype:policy-violation; sid:2001389; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:social-engineering; sid:2022994; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE free XXX"; flow: to_client,established; content:"FREE XXX"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001349; classtype:policy-violation; sid:2001349; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:social-engineering; sid:2022955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE hardcore anal"; flow: to_client,established; content:"hardcore anal"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001350; classtype:policy-violation; sid:2001350; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 Data URI Javascript Refresh - Possible Phishing Landing"; flow:from_server,established; file_data; content:"<script"; nocase; content:"window.location="; distance:0; content:"data|3a|text/html|3b|base64,"; distance:1; within:22; fast_pattern; classtype:social-engineering; sid:2031955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE masturbation"; flow: to_client,established; content:"masturbat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001351; classtype:policy-violation; sid:2001351; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:exploit-kit; sid:2022995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE ejaculation"; flow: to_client,established; content:"ejaculat"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001352; classtype:policy-violation; sid:2001352; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:exploit-kit; sid:2022998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_08_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE BDSM"; flow: to_client,established; content:"BDSM"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001353; classtype:policy-violation; sid:2001353; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Zeus_SSL, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (1)"; flow: from_server,established; content:"BEGIN SEXLIST REFERRER-STATS CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001392; classtype:policy-violation; sid:2001392; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023006; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Sextracker Tracking Code Detected (2)"; flow: from_server,established; content:"BEGIN SEXTRACKER CODE"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001393; classtype:policy-violation; sid:2001393; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023007; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Likely Porn"; flow: established,from_server; pcre:"/ (FREE XXX|dildo|masturbat|oral sex|ejaculat|up skirt|tits|bondage|lolita|clitoris|cock suck|hardcore (teen|anal|sex|porn)|raw sex|((fuck|sex|porn|xxx) (movies|dvd))|((naked|nude) (celeb|lesbian)))\b/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001608; classtype:policy-violation; sid:2001608; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023008; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INAPPROPRIATE Kiddy Porn pthc"; flow: from_server,established; content:" pthc "; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001386; classtype:policy-violation; sid:2001386; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023009; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:policy-violation; sid:2101837; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023010; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE anal sex"; flow:to_client,established; content:"anal sex"; nocase; classtype:policy-violation; sid:2101317; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023011; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck fuck fuck"; flow:to_client,established; content:"fuck fuck fuck"; nocase; classtype:policy-violation; sid:2101316; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023012; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE fuck movies"; flow:to_client,established; content:"fuck movies"; nocase; classtype:policy-violation; sid:2101320; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023013; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore anal"; flow:to_client,established; content:"hardcore anal"; nocase; classtype:policy-violation; sid:2101311; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware Locky .onion Payment Domain (zjfq4lnfbs7pncr5)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zjfq4lnfbs7pncr5"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2022997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2016_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hardcore rape"; flow:to_client,established; content:"hardcore rape"; nocase; classtype:policy-violation; sid:2101318; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, updated_at 2016_08_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE hot young sex"; flow:to_client,established; content:"hot young sex"; nocase; classtype:policy-violation; sid:2101315; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:"/pd.php?id="; http_uri; fast_pattern:only; pcre:"/\/pd\.php\?id=[a-f0-9]+$/U"; classtype:exploit-kit; sid:2017812; rev:5; metadata:created_at 2013_12_06, updated_at 2016_08_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE naked lesbians"; flow:to_client,established; content:"naked lesbians"; nocase; classtype:policy-violation; sid:2101833; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M1"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 44 72 6f 70 50 61 74 68|"; nocase; content:"|57 53 48 73 68 65 6c 6c 2e 52 75 6e 20 44 72 6f 70 50 61 74 68 2c 20 30|"; nocase; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, malware_family Ramnit, performance_impact Moderate, signature_severity Major, updated_at 2016_08_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL INAPPROPRIATE up skirt"; flow:to_client,established; content:"up skirt"; nocase; classtype:policy-violation; sid:2101313; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; content:"&safe=off"; http_uri; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023030; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023031; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014475; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Class Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A CA FE BA BE|"; classtype:trojan-activity; sid:2014474; rev:6; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:social-engineering; sid:2023038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Intel Arch"; flow:established,to_client; content:"|0D 0A 0D 0A CE FA ED FE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014516; rev:4; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:social-engineering; sid:2023040; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - PowerPC Arch"; flow:established,to_client; content:"|0D 0A 0D 0A FE ED FA CE|"; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014517; rev:4; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:social-engineering; sid:2023041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC"; flow:established,to_client; content:"|0D 0A 0D 0A CA FE BA BE|"; content:"|FE ED FA CE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014515; rev:4; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Disk Image Download"; flow:established,to_client; content:"|0D 0A 0D 0A|"; content:"<plist version="; distance:0; content:"Apple_partition_map"; distance:0; content:"Apple_HFS"; distance:0; classtype:misc-activity; sid:2014518; rev:5; metadata:created_at 2012_04_06, updated_at 2012_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE Download With Content Type Specified As Empty"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; content:"|0d 0a 0d 0a|"; distance:0; content:"MZ"; within:2; isdataat:80,relative; content:"This program "; distance:0; content:"PE|00|"; distance:0; reference:md5,d51218653323e48672023806f6ace26b; classtype:trojan-activity; sid:2014567; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Malicious PDF (EmbeddedFiles) improper case"; flow:from_server,established; content:"|0d 0a 0d 0a|%PDF"; content:"/EmbeddedFiles"; within:128; nocase; content:!"/EmbeddedFiles"; distance:-14; within:14; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:trojan-activity; sid:2014575; rev:4; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:social-engineering; sid:2023052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:3; metadata:created_at 2012_05_30, updated_at 2012_05_30;)
 
-alert udp $HOME_NET 53 -> $EXTERNAL_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Outbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023054; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; dsize:>10; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:2; metadata:created_at 2012_06_15, updated_at 2012_06_15;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET 1:1023 (msg:"ET DOS DNS Amplification Attack Possible Inbound Windows Non-Recursive Root Hint Reserved Port"; content:"|81 00 00 01 00 00|"; depth:6; offset:2; byte_test:2,>,10,0,relative; byte_test:2,>,10,2,relative; content:"|0c|root-servers|03|net|00|"; distance:0; content:"|0c|root-servers|03|net|00|"; distance:0; threshold: type both, track by_dst, seconds 60, count 5; reference:url,twitter.com/sempersecurus/status/763749835421941760; reference:url,pastebin.com/LzubgtVb; classtype:bad-unknown; sid:2023053; rev:2; metadata:attack_target Server, created_at 2016_08_12, deployment Datacenter, performance_impact Low, updated_at 2016_08_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:3; metadata:created_at 2012_06_20, updated_at 2012_06_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:exploit-kit; sid:2022916; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_26, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; content:"|0d 0a 0d 0a|SZDD"; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:social-engineering; sid:2023069; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2; metadata:created_at 2012_07_04, updated_at 2012_07_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Adobe Online Phish Aug 16 2016"; flow:to_server,established; content:"POST"; http_method; content:"=sent"; nocase; http_uri; content:"feedback="; nocase; depth:9; http_client_body; fast_pattern; content:"&feedbacknow="; nocase; distance:0; http_client_body; flowbits:set,ET.genericphish; pcre:"/=sent$/Ui"; classtype:credential-theft; sid:2024559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|http|3a|//"; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:4; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
 
-alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:2; metadata:created_at 2012_09_18, updated_at 2012_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021763; rev:3; metadata:created_at 2015_09_12, updated_at 2016_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6; metadata:created_at 2012_09_18, former_category CURRENT_EVENTS, updated_at 2012_09_18;)
 
-alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:2; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023072; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2; metadata:created_at 2012_10_25, updated_at 2012_10_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:social-engineering; sid:2023079; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:2; metadata:created_at 2012_11_29, updated_at 2012_11_29;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_25, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_08_25;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2; metadata:created_at 2012_12_06, updated_at 2012_12_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_25;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:social-engineering; sid:2022574; rev:3; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_08_26;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:4; metadata:created_at 2011_07_06, updated_at 2016_08_29;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Datacenter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4; metadata:created_at 2013_01_30, updated_at 2013_01_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Perimeter, performance_impact Significant, signature_severity Major, updated_at 2016_08_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Client KeepAlive"; flow:established,to_server; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021978; rev:6; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:2; metadata:created_at 2013_02_07, updated_at 2013_02_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost PHP Webshell"; flow:from_server,established; file_data; content:"base64_decode("; content:"Bbm9uR2hvc3Qg"; fast_pattern; classtype:trojan-activity; sid:2023143; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2016_09_01, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; classtype:exploit-kit; sid:2016494; rev:5; metadata:created_at 2013_02_25, former_category INFO, updated_at 2013_02_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:exploit-kit; sid:2023151; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:exploit-kit; sid:2023152; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:3; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:exploit-kit; sid:2023153; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, signature_severity Major, updated_at 2016_09_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3; metadata:created_at 2013_03_22, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon Response"; flow:established,from_server; file_data; content:"script|7c|"; within:7; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023156; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2016_09_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 58|"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2012086; rev:3; metadata:created_at 2010_12_23, updated_at 2016_09_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe Acrobat 9.2.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016652; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe PDF Library 9.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016653; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:2; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:3; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:2; metadata:created_at 2013_07_11, updated_at 2013_07_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2013_03_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6; metadata:created_at 2013_03_20, former_category HUNTING, updated_at 2013_03_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023164; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:3; metadata:created_at 2013_07_26, updated_at 2013_07_26;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023181; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:2; metadata:created_at 2013_07_27, updated_at 2013_07_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat"; flow:established,to_client; dsize:<300; content:"200"; offset:9; depth:3; content:"Content-Type|3a 20|text/html"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; flowbits:isset,ET.OSX.Mokes; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023183; rev:2; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2016_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kaaza Media desktop p2pnetworking.exe Activity"; content:"|e30cb0|"; depth:6; threshold: type limit, track by_dst, count 1 , seconds 600; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000340; classtype:policy-violation; sid:2000340; rev:11; metadata:created_at 2010_07_30, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL DELETED eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:2; metadata:created_at 2016_09_12, tag Android_Exploit, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android_Exploit, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:exploit-kit; sid:2023187; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2018_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:exploit-kit; sid:2023188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:exploit-kit; sid:2023189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, tag Redirector, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:exploit-kit; sid:2023150; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:exploit-kit; sid:2023190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:exploit-kit; sid:2023191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:exploit-kit; sid:2023192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:exploit-kit; sid:2023193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:exploit-kit; sid:2023194; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:exploit-kit; sid:2023195; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family SunDown, malware_family RIG, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023196; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family RIG, performance_impact Low, signature_severity Major, updated_at 2016_09_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2016_09_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; classtype:exploit-kit; sid:2015681; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"<DIR>"; content:"File(s)"; distance:0; content:"Dir(s)"; content:"bytes free"; fast_pattern; distance:0; classtype:trojan-activity; sid:2023205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error Invalid Argument"; flow:established,to_server; content:"ERROR|3a| Invalid Argument/Option"; fast_pattern; classtype:trojan-activity; sid:2023206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized"; flow:established,to_server; content:"|27| is not recognized as an internal or external command|2c|"; content:"operable program or batch file."; fast_pattern; classtype:trojan-activity; sid:2023207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not found"; flow:established,to_server; content:"The following command was not found|3a 20|"; classtype:trojan-activity; sid:2023208; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics workstation Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Workstation Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics server Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Server Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -v Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Module Name"; content:"Display Name"; content:"Description"; content:"Driver Type"; fast_pattern; classtype:trojan-activity; sid:2023211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:2; metadata:created_at 2013_07_30, updated_at 2013_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -si Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"DeviceName"; fast_pattern; content:"InfName"; content:"IsSigned"; content:"Manufacturer"; classtype:trojan-activity; sid:2023212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows qwinsta Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SESSIONNAME"; fast_pattern; content:"USERNAME"; content:"ID"; content:"STATE"; content:"TYPE"; content:"DEVICE"; classtype:trojan-activity; sid:2023213; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:3; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows quser Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"USERNAME"; fast_pattern; content:"SESSIONNAME"; content:"ID"; content:"STATE"; content:"IDLE TIME"; content:"LOGON TIME"; classtype:trojan-activity; sid:2023214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO SUSPCIOUS Non-standard base64 charset used for encoding"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2017364; rev:7; metadata:created_at 2013_08_21, updated_at 2013_08_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows gpresult Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Operating System Group Policy Result tool v"; fast_pattern; classtype:trojan-activity; sid:2023215; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC OS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Boot Device"; fast_pattern; content:"Build Number"; content:"Build Type"; classtype:trojan-activity; sid:2023217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC COMPUTERSYSTEM get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdminPasswordStatus"; fast_pattern; content:"AutomaticManagedPagefile"; content:"Build Type"; classtype:trojan-activity; sid:2023218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NETLOGIN get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccountExpires"; fast_pattern; content:"AuthorizationFlags"; content:"BadPasswordCount"; classtype:trojan-activity; sid:2023219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:2; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NIC get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdapterType"; fast_pattern; content:"AdapterTypeId"; content:"AutoSense"; classtype:trojan-activity; sid:2023220; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:4; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC PROCESS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"CSCreationClassName"; fast_pattern; content:"CSName"; content:"Description"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:5; metadata:created_at 2013_10_08, updated_at 2013_10_08;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVER get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"BlockingRequestsRejected"; fast_pattern; content:"BytesReceivedPersec"; content:"BytesTotalPersec"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:5; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SHARE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccessMask"; fast_pattern; content:"AllowMaximum"; content:"Caption"; content:"Description"; classtype:trojan-activity; sid:2023224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SYSACCOUNT get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Description"; content:"Domain"; content:"InstallDate"; content:"LocalAccount"; fast_pattern; classtype:trojan-activity; sid:2023225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java Downloading Class flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017749; rev:6; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC STARTUP get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Command"; content:"Description"; content:"Location"; content:"UserSID"; fast_pattern; classtype:trojan-activity; sid:2023226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; content:"for("; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\x29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:4; metadata:created_at 2012_07_07, updated_at 2012_07_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:social-engineering; sid:2023238; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2016_09_15;)
+alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET INFO tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp any any -> any any (msg:"ET DELETED LuminosityLink - Data Channel Server Response 2"; flow:established,to_client; content:"8_=_8"; isdataat:!1,relative; dsize:<25; classtype:trojan-activity; sid:2022708; rev:2; metadata:created_at 2016_04_06, updated_at 2016_09_15;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 00|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018904; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 02|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018905; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 04|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018906; rev:6; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023245; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)"; dsize:28; content:"|00 01 00 08|"; depth:4; content:"|00 03 00 04 00 00 00 06|"; fast_pattern; distance:16; within:8; threshold: type limit, track by_dst, count 1, seconds 120; reference:url,tools.ietf.org/html/rfc3489; classtype:protocol-command-decode; sid:2018907; rev:5; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012088; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2016_09_16;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET INFO RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:3; metadata:created_at 2012_04_28, former_category INFO, updated_at 2012_04_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SERVICE_NAME|3A|"; content:"DISPLAY_NAME|3A|"; content:"TYPE"; content:"STATE"; classtype:trojan-activity; sid:2023246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_16, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:exploit-kit; sid:2023248; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilRedirector, malware_family Magnitude, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WebSocket Session Initiation Request"; flow:established,to_server; flowbits:set,ETPRO.WebSocket.Request; content:"Connection|3a 20|Upgrade|0d 0a|"; fast_pattern; nocase; content:"Upgrade|3a 20|websocket|0d 0a|"; reference:url,tools.ietf.org/html/rfc6455; classtype:policy-violation; sid:2036219; rev:2; metadata:created_at 2014_09_17, former_category POLICY, updated_at 2014_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:exploit-kit; sid:2023250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:2; metadata:created_at 2012_09_28, former_category INFO, updated_at 2012_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:exploit-kit; sid:2023251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, signature_severity Major, tag Redirector, updated_at 2016_09_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:7; metadata:created_at 2014_12_01, former_category CURRENT_EVENTS, updated_at 2014_12_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Microsoft Compact Office Document Format File Download"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; flowbits:set,et.MCOFF; flowbits:noalert; classtype:misc-activity; sid:2019834; rev:2; metadata:created_at 2014_12_02, updated_at 2014_12_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"ET INFO NetSSH SSH Version String Hardcoded in Metasploit"; flow:established,to_server; content:"SSH-2.0-OpenSSH_5.0|0d 0a|"; depth:21; reference:url,github.com/rapid7/metasploit-framework/blob/master/lib/net/ssh/transport/server_version.rb; classtype:attempted-user; sid:2014925; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_20, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M3"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 3478 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016149; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M4"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert udp $EXTERNAL_NET 3478 -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2016150; rev:2; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M5"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)"; content:"|01 01 00 44|"; depth:4; content:"|00 01 00 08|"; distance:16; within:4; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tools.ietf.org/html/rfc5389; classtype:protocol-command-decode; sid:2018908; rev:2; metadata:created_at 2014_08_07, updated_at 2014_08_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M6"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P=space)<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable Downloaded from Google Cloud Storage"; flow:established,to_client; content:"x-goog-generation|3a 20|"; http_header; fast_pattern; content:"x-goog-metageneration|3a 20|"; http_header; content:"x-goog-stored-content-encoding|3a 20|"; http_header; content:"x-goog-stored-content-length|3a 20|"; http_header; content:"x-goog-hash|3a 20|"; http_header; file_data; content:"MZ"; within:2; reference:md5,e742e844d0ea55ef9f1c68491c702120; classtype:trojan-activity; sid:2021216; rev:3; metadata:created_at 2015_06_09, updated_at 2015_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M7"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025058; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PK/Compressed doc/JAR header"; flow:from_server,established; file_data; content:"|50 4B 03 04|"; depth:4; flowbits:set,ET.zipfile; flowbits:noalert; classtype:misc-activity; sid:2022055; rev:2; metadata:created_at 2015_11_10, updated_at 2015_11_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino Reboot EK Landing July 07 2016 M8"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:!"Cookie|3a 20|"; file_data; content:"#version=10,1,52,0"; content:"always"; content:"sameDomain"; content:"allowScriptAccess"; fast_pattern:only; content:"<embed"; pcre:"/^[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27]/R"; content:"<object"; pcre:"/^(?=[^\r\n]*\sid\s*=[\x22\x27][a-z]+[\x22\x27])(?=[^\r\n]*\sname\s*=[\x22\x27][a-z]+[\x22\x27])[^>]*>\s*\n\s*(?:<embed[^\r\n>]*allowScriptAccess\s*=\s*[\x22\x27]sameDomain[\x22\x27][^\r\n>]*\s*\n\s*)?<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?allowScriptAccess[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]always[\x22\x27][^\r\n>]*>(?P<space>[\s\r\n]+)<param(?=[^\r\n>]*name\s*=\s*[\x22\x27]?movie[\x22\x27]?)[^\r\n>]*value\s*=\s*[\x22\x27]\/[^\x22\x27]+\.swf[\x22\x27][^>\r\n]*>(?P=space)<param[^\r\n>]*name\s*=\s*[\x22\x27]?bgcolor[\x22\x27]?[^>\r\n]*>(?P=space)/R"; flowbits:set,ET.Neutrino; classtype:exploit-kit; sid:2025059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, tag Neutrino, updated_at 2018_06_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2014_02_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 2"; flow:established,to_server; content:"/search/?"; http_uri; depth:10; pcre:"/^\x2Fsearch\x2F\x3F[a-z]{2,5}\x3D/U"; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019391; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp any 67 -> any 68 (msg:"ET INFO Web Proxy Auto Discovery Protocol WPAD DHCP 252 option Possible BadTunnel"; content:"|02|"; depth:1; content:"|fc|"; byte_jump:1,0,relative,post_offset -9; content:"/wpad.dat"; within:9; fast_pattern; classtype:protocol-command-decode; sid:2022915; rev:1; metadata:created_at 2016_06_24, updated_at 2016_06_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 3"; flow:established,to_server; content:"GET"; http_method; content:"/results/?text="; http_uri; depth:15; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019392; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E 4F 43 54 49 4F 4E 20 49 52 50|"; reference:url,www.noction.com/faq; classtype:bad-unknown; sid:2023640; rev:1; metadata:created_at 2016_12_14, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2016_12_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 4"; flow:established,to_server; content:"GET"; http_method; content:"/find/?utm="; http_uri; depth:11; content:"&oprnd="; http_uri; content:"&channel="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019393; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO ATF file in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|41 54 46|"; within:3; flowbits:set,ET.atf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023714; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, updated_at 2017_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 5"; flow:established,to_server; content:"GET"; http_method; content:"/watch/?"; http_uri; depth:8; content:"channel="; http_uri; content:"&utm="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; reference:md5,ee64d3273f9b4d80020c24edcbbf961e; classtype:command-and-control; sid:2019394; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe FDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%FDF-"; within:5; flowbits:set,ET.fdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023715; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Symmi.23950 Dropper CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/close/?channel="; http_uri; depth:16; content:"&ags="; http_uri; content:"&ai="; http_uri; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; reference:md5,df895e6479abf85c4c65d7d3a2451ddb; classtype:command-and-control; sid:2019390; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_13, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_09_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:5; metadata:created_at 2011_07_14, updated_at 2017_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:exploit-kit; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_21, deployment Perimeter, former_category EXPLOIT, malware_family Magnitude, signature_severity Major, tag Magnitude_EK, updated_at 2016_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|66 74 79 70 6D|"; offset:4; depth:5; content:"mp4"; within:12; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023713; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:social-engineering; sid:2023180; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M2"; flow:from_server,established; file_data; content:"|66 74 79 70 69 73 6f 6d|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023892; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M3"; flow:from_server,established; file_data; content:"|66 74 79 70 71 74 20 20|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023900; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> any [139,445] (msg:"ET INFO Potentially unsafe SMBv1 protocol in use"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; content:!"r"; within:1; threshold: type limit, count 1, track by_src, seconds 1200; reference:url,www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices; reference:url,blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/; classtype:not-suspicious; sid:2023997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_04_03;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3; metadata:created_at 2010_12_30, former_category CURRENT_EVENTS, updated_at 2017_04_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:3; metadata:created_at 2012_08_02, former_category INFO, updated_at 2017_06_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; classtype:policy-violation; sid:2024764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2017_09_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Download of Embedded OpenType (EOT) File flowbit set"; flow:established,to_client; file_data; content:"|4c 50|"; offset:34; depth:2; flowbits:set,ET.EOT.Download; flowbits:noalert; reference:url,www.w3.org/Submission/EOT/#FileFormat; classtype:misc-activity; sid:2024829; rev:2; metadata:affected_product Internet_Explorer, affected_product Mac_OSX, affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2017_10_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2014_06_13;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".php?e="; http_uri; fast_pattern; content:"&h="; content:!"Referer|3a|"; http_header; pcre:"/\.php\?e=\d{4}\-\d{4}&h=[a-f0-9]{32}$/Ui"; flowbits:set,ET.BleedingLife.Payload; classtype:exploit-kit; sid:2023290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2016_09_23;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_26;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; classtype:protocol-command-decode; sid:2003260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:exploit-kit; sid:2023303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_27;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, created_at 2016_09_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_27;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023309; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:exploit-kit; sid:2023252; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, malware_family EvilTDS, malware_family Malvertising, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_09_29;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, created_at 2016_09_29, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_29;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:pup-activity; sid:2009785; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2016_09_29;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6; metadata:created_at 2013_05_02, former_category CURRENT_EVENTS, updated_at 2013_05_02;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:exploit-kit; sid:2023313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:exploit-kit; sid:2023314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family SunDown, performance_impact Low, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_03;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-alert udp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT BIND9 msg->reserved Assertion DoS Packet Inbound (CVE-2016-2776)"; dsize:>512; content:"|00 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; content:"|00 00 01 00 01|"; distance:0; content:"|00 00 FA|"; distance:0; reference:cve,cve-2016-2776; reference:url,blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html; classtype:attempted-dos; sid:2023317; rev:3; metadata:affected_product BIND, attack_target Server, created_at 2016_10_04, deployment Datacenter, signature_severity Major, updated_at 2016_10_05;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; classtype:protocol-command-decode; sid:2003284; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; classtype:protocol-command-decode; sid:2003285; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; classtype:protocol-command-decode; sid:2003286; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_dst, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; classtype:protocol-command-decode; sid:2003287; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:exploit-kit; sid:2023312; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_06;)
+#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; classtype:protocol-command-decode; sid:2003288; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_10_06;)
+#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; classtype:protocol-command-decode; sid:2003289; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2021752; rev:13; metadata:created_at 2015_09_09, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; classtype:protocol-command-decode; sid:2003290; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; classtype:protocol-command-decode; sid:2003291; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014473; rev:5; metadata:created_at 2012_04_04, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Minor, updated_at 2018_04_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Potentially Malicious Traffic 1"; flow:established,to_server; content:"285d7b6cf94d8fdc657edaa73c2f07f3"; classtype:trojan-activity; sid:2023339; rev:3; metadata:created_at 2016_10_18, updated_at 2016_10_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDX in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDX-"; within:5; flowbits:set,ET.pdx.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025985; rev:2; metadata:affected_product Adobe_Reader, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:exploit-kit; sid:2023352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:7; metadata:created_at 2013_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:exploit-kit; sid:2023353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Containing Executable Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2018_10_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:command-and-control; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2016_10_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M2"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0A|"; depth:28; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2018_12_04;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M1"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; depth:29; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2018_11_26;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET 853 (msg:"ET INFO DNS Over TLS Request Outbound"; flow:established,to_server; content:"|16 03 01 01|"; depth:4; reference:url,www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls; classtype:trojan-activity; sid:2026774; rev:2; metadata:created_at 2019_01_10, former_category INFO, updated_at 2019_01_10;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible RTF File With Obfuscated Version Header"; flow:established,to_client; file_data; content:"{|5C|rt"; within:4; content:!"f"; within:1; classtype:bad-unknown; sid:2026863; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2019_01_30;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NoProfile Command Received In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-nop"; nocase; distance:0; classtype:trojan-activity; sid:2026988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Minor, tag PowerShell, updated_at 2019_02_28;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023406; rev:2; metadata:attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w"; nocase; distance:0; content:"hidden"; within:17; classtype:trojan-activity; sid:2026989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:command-and-control; sid:2023453; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w 1"; nocase; distance:0; classtype:trojan-activity; sid:2026990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,ET.SuspExeTLDs; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023464; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2017_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NonInteractive Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-noni"; nocase; distance:0; classtype:trojan-activity; sid:2026991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:exploit-kit; sid:2023343; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"FromBase64String|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026993; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible CryptoWall download from e-mail link March 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".zip"; http_uri; fast_pattern:only; content:".html"; http_header; pcre:"/\.zip$/U"; content:"Referer|3a|"; http_header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\x2f]+\/[a-z0-9]{6}\/[a-z0-9]{5}\.html\r?$/Hm"; classtype:trojan-activity; sid:2020649; rev:3; metadata:created_at 2015_03_09, updated_at 2016_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadFile Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadFile|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7; metadata:created_at 2010_07_30, updated_at 2016_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadString Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadString|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:exploit-kit; sid:2023474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2016_11_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadData Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadData|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cookie|3a| cid="; http_raw_header; pcre:"/^\d{4}\r$/RDm"; content:!"mowersdirect.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014198; rev:13; metadata:created_at 2012_02_07, former_category TROJAN, updated_at 2017_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"|20|-e"; nocase; distance:0; pcre:"/^(?:nc)?\s*(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=)/Ri"; classtype:trojan-activity; sid:2026992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_03_05;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022535; rev:11; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Initial Connection Attempt (005)"; flow:established,to_server; content:"HTTP|2f|1.1|20|005|0d 0a|VERSION|3a 20|"; depth:23; content:"PLATFORM|3a 20|"; distance:0; content:"IPADDRESS|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:11; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Checkin (051)"; flow:established,to_server; content:"HTTP|2f|1.1|20|051"; depth:12; content:"VER|3a 20|"; distance:0; content:"OBJ|3a 20|"; distance:0; content:"FUNC|3a 20|"; distance:0; content:"NAME|3a 20|"; distance:0; content:"ACC|3a 20|"; distance:0; content:"SRV|3a 20|"; distance:0; content:"PRODUCT|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027324; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 2"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe|"; distance:-10; within:2; byte_test:2,>,100,0,relative,little; byte_extract:2,0,config_len,relative,little; content:!"|00|"; distance:6; within:config_len; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021383; rev:3; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.biz Domain"; flow:established,to_server; content:".biz"; fast_pattern; http_host; isdataat:!1,relative; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027872; rev:2; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2019_08_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:5; metadata:created_at 2015_07_23, updated_at 2016_11_03;)
+alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:7; metadata:created_at 2010_12_30, former_category HUNTING, updated_at 2019_08_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Linux.Mirai Login Attempt (xc3511)"; flow:to_server,established; content:"xc3511|0d 0a|"; dsize:8; reference:url,www.flashpoint-intel.com/when-vulnerabilities-travel-downstream; classtype:trojan-activity; sid:2023333; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2016_10_10, deployment Datacenter, malware_family ddos_bot, performance_impact Low, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, updated_at 2019_09_27;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (1111111)"; flow:to_server,established; content:"1111111|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023430; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (54321)"; flow:to_server,established; content:"54321|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023431; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (666666)"; flow:to_server,established; content:"666666|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023432; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:5; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0admin)"; flow:to_server,established; content:"7ujMko0admin|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023433; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:2; metadata:created_at 2013_01_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0vizxv)"; flow:to_server,established; content:"7ujMko0vizxv|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023434; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:6; metadata:created_at 2013_01_30, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (888888)"; flow:to_server,established; content:"888888|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023435; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern; classtype:exploit-kit; sid:2016510; rev:5; metadata:created_at 2013_02_27, former_category INFO, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (anko)"; flow:to_server,established; content:"anko|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023436; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:2; metadata:created_at 2015_11_12, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (dreambox)"; flow:to_server,established; content:"dreambox|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023437; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern; classtype:trojan-activity; sid:2014472; rev:8; metadata:created_at 2012_04_04, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (fucker)"; flow:to_server,established; content:"fucker|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023438; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:5; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (hi3518)"; flow:to_server,established; content:"hi3518|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023439; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:2; metadata:created_at 2016_06_23, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ikwb)"; flow:to_server,established; content:"ikwb|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023440; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:6; metadata:created_at 2012_09_18, former_category INFO, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (juantech)"; flow:to_server,established; content:"juantech|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023441; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern; classtype:trojan-activity; sid:2023749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (jvbzd)"; flow:to_server,established; content:"jvbzd|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023442; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; classtype:bad-unknown; sid:2024236; rev:3; metadata:attack_target SMTP_Server, created_at 2017_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv123)"; flow:to_server,established; content:"klv123|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023443; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed HTTP Request to *.pythonanywhere .com Domain"; flow:established,to_server; http.host; content:".pythonanywhere.com"; endswith; fast_pattern; classtype:policy-violation; sid:2036456; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv1234)"; flow:to_server,established; content:"klv1234|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023444; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TLS Handshake Failure"; flow:established,to_client; dsize:7; content:"|15|"; depth:1; content:"|00 02 02 28|"; distance:2; within:4; fast_pattern; classtype:bad-unknown; sid:2029340; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_01_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (meinsm)"; flow:to_server,established; content:"meinsm|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023445; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bit.do Shortened Link Request (set)"; flow:established,to_server; flowbits:set,ET.bit.do.shortener; http.method; content:"GET"; http.header; content:"Host|3a 20|bit.do|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:38; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; classtype:misc-activity; sid:2029549; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_02_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (realtek)"; flow:to_server,established; content:"realtek|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023446; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DLL Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.dll; flowbits:unset,http.dottedquadhost; http.request_line; content:".dll HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027250; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Minor, updated_at 2020_04_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (service)"; flow:to_server,established; content:"service|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023447; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DOC Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.doc; flowbits:unset,http.dottedquadhost; http.request_line; content:".doc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027251; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ubnt)"; flow:to_server,established; content:"ubnt|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023448; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DOCX Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.docx; flowbits:unset,http.dottedquadhost; http.request_line; content:".docx HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027252; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (vizxv)"; flow:to_server,established; content:"vizxv|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023449; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host XLS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.xls; flowbits:unset,http.dottedquadhost; http.request_line; content:".xls HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027253; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (xmhdipc)"; flow:to_server,established; content:"xmhdipc|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023450; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host XLSX Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.xlsx; flowbits:unset,http.dottedquadhost; http.request_line; content:".xlsx HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027254; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (zlxx)"; flow:to_server,established; content:"zlxx|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023451; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PPT Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ppt; flowbits:unset,http.dottedquadhost; http.request_line; content:".ppt HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027255; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (Zte521)"; flow:to_server,established; content:"Zte521|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023452; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PPTX Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.pptx; flowbits:unset,http.dottedquadhost; http.request_line; content:".pptx HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027256; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023487; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host RTF Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.rtf; flowbits:unset,http.dottedquadhost; http.request_line; content:".rtf HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027257; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:domain-c2; sid:2023489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027258; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:domain-c2; sid:2023491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host VBS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.vbs; flowbits:unset,http.dottedquadhost; http.request_line; content:".vbs HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027260; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:domain-c2; sid:2023492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host HTA Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.hta; flowbits:unset,http.dottedquadhost; http.request_line; content:".hta HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027261; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:domain-c2; sid:2023493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host ZIP Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.zip; flowbits:unset,http.dottedquadhost; http.request_line; content:".zip HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027262; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:domain-c2; sid:2023494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host GZ Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.gz; flowbits:unset,http.dottedquadhost; http.request_line; content:".gz HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027263; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host TGZ Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.tgz; flowbits:unset,http.dottedquadhost; http.request_line; content:".tgz HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027264; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PDF Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.pdf; flowbits:unset,http.dottedquadhost; http.request_line; content:".pdf HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027265; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host RAR Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.rar; flowbits:unset,http.dottedquadhost; http.request_line; content:".rar HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027266; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; http.host; content:".myftp.biz|0d 0a|"; endswith; classtype:bad-unknown; sid:2013824; rev:5; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 HTTP URL Refresh - Common Phish Landing Obfuscation 2016-01-01"; flow:to_client,established; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"data|3a|text/html|3b|base64,"; distance:0; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22|\x27/Rsi"; content:!"cGFnZV9ub3RfZm91bmQuaHRtb"; classtype:social-engineering; sid:2031695; rev:3; metadata:created_at 2016_01_01, former_category PHISHING, updated_at 2016_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; http.host; content:".ez-dns.com"; endswith; classtype:bad-unknown; sid:2013846; rev:4; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; http.host; content:".dyndns-web.com"; endswith; classtype:bad-unknown; sid:2013864; rev:4; metadata:created_at 2011_11_07, updated_at 2022_05_03;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.3d-game.com Domain"; flow:established,to_server; http.host; content:".3d-game.com"; endswith; classtype:bad-unknown; sid:2014479; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:command-and-control; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2016_11_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4irc.com Domain"; flow:established,to_server; http.host; content:".4irc.com"; endswith; classtype:bad-unknown; sid:2014481; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET SCAN Redis SSH Key Overwrite Probing"; flow:to_server,established; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"dir"; distance:0; content:"/.ssh"; distance:0; isdataat:!5,relative; reference:url,antirez.com/news/96; classtype:misc-attack; sid:2023510; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Datacenter, performance_impact Low, signature_severity Minor, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0ne.com Domain"; flow:established,to_server; http.host; content:".b0ne.com"; endswith; classtype:bad-unknown; sid:2014483; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.bbsindex.com Domain"; flow:established,to_server; http.host; content:".bbsindex.com"; endswith; classtype:bad-unknown; sid:2014485; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.chatnook.com Domain"; flow:established,to_server; http.host; content:".chatnook.com"; endswith; classtype:bad-unknown; sid:2014487; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.darktech.org Domain"; flow:established,to_server; http.host; content:".darktech.org"; endswith; classtype:bad-unknown; sid:2014489; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.deaftone.com Domain"; flow:established,to_server; http.host; content:".deaftone.com"; endswith; classtype:bad-unknown; sid:2014491; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:command-and-control; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, malware_family KeyBoy, signature_severity Major, tag c2, updated_at 2016_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.effers.com Domain"; flow:established,to_server; http.host; content:".effers.com"; endswith; classtype:bad-unknown; sid:2014495; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.net Domain"; flow:established,to_server; http.host; content:".etowns.net"; endswith; classtype:bad-unknown; sid:2014497; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023530; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.org Domain"; flow:established,to_server; http.host; content:".etowns.org"; endswith; classtype:bad-unknown; sid:2014499; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.flnet.org Domain"; flow:established,to_server; http.host; content:".flnet.org"; endswith; classtype:bad-unknown; sid:2014501; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gotgeeks.com Domain"; flow:established,to_server; http.host; content:".gotgeeks.com"; endswith; classtype:bad-unknown; sid:2014503; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:domain-c2; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.scieron.com Domain"; flow:established,to_server; http.host; content:".scieron.com"; endswith; classtype:bad-unknown; sid:2014505; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.com Domain"; flow:established,to_server; http.host; content:".slyip.com"; endswith; classtype:bad-unknown; sid:2014507; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:domain-c2; sid:2023538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain"; flow:established,to_server; http.host; content:".slyip.net"; endswith; classtype:bad-unknown; sid:2014509; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:domain-c2; sid:2023539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org"; flow:established,to_server; http.host; content:".2288.org"; endswith; classtype:misc-activity; sid:2014787; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org"; flow:established,to_server; http.host; content:".6600.org"; endswith; classtype:misc-activity; sid:2014789; rev:5; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org"; flow:established,to_server; http.host; content:".7766.org"; endswith; classtype:misc-activity; sid:2014790; rev:7; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:domain-c2; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org"; flow:established,to_server; http.host; content:".8800.org"; endswith; classtype:misc-activity; sid:2014791; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org"; flow:established,to_server; http.host; content:".9966.org"; endswith; classtype:misc-activity; sid:2014792; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com"; flow:established,to_server; http.host; content:"dns-stuff.com"; endswith; classtype:bad-unknown; sid:2014867; rev:4; metadata:created_at 2012_06_07, updated_at 2020_04_21;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:domain-c2; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"attachment"; nocase; file.data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:7; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M5"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"usr="; nocase; depth:4; http_client_body; fast_pattern; content:"&pss="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2031561; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/0"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/0"; fast_pattern; nocase; classtype:bad-unknown; sid:2016695; rev:3; metadata:created_at 2013_04_02, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Flokibot, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:domain-c2; sid:2023555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:domain-c2; sid:2023556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/7"; flow:established,to_server; http.user_agent; content:"Mozilla/7"; depth:9; nocase; classtype:bad-unknown; sid:2016692; rev:5; metadata:created_at 2013_04_02, updated_at 2020_04_24;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_server; dsize:69; content:"|41 00 00 00 83|"; depth:5; flowbits:set,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; http.user_agent; content:"Mozilla/9"; depth:9; nocase; classtype:bad-unknown; sid:2016694; rev:5; metadata:created_at 2013_04_02, updated_at 2020_04_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_client; dsize:69; content:"|41 00 00 00 85|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 0"; nocase; classtype:trojan-activity; sid:2016880; rev:7; metadata:created_at 2013_05_21, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious MSIE 10 on Windows NT 5"; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 10.0|3b| Windows NT 5."; fast_pattern; classtype:trojan-activity; sid:2016898; rev:7; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_11_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour"; flow:established,to_server; http.uri; content:"/tmp/"; depth:5; content:".exe"; distance:0; pcre:"/^\/tmp\/.+\.exe$/"; classtype:bad-unknown; sid:2016985; rev:3; metadata:created_at 2013_06_07, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
+alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa= in cleartext"; flow:established,to_server; http.request_body; content:"pasa="; pcre:"/^(?!&)./R"; classtype:policy-violation; sid:2017080; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2016_11_30;)
+alert http any any -> any any (msg:"ET INFO HTTP URI contains pasa="; flow:established,to_server; http.uri; content:"pasa="; nocase; pcre:"/(?<=(?:\?|&))pasa=(?!&)./i"; classtype:policy-violation; sid:2017081; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:domain-c2; sid:2023590; rev:2; metadata:attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa form"; flow:established,to_server; http.request_body; content:"name=|22|pasa|22|"; classtype:policy-violation; sid:2017082; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:domain-c2; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Serialized Data request"; flow:established,to_server; http.uri; content:".ser"; endswith; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016504; rev:5; metadata:created_at 2013_02_26, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Tepfer.InfoStealer CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/scan.php"; fast_pattern:only; http_uri; content:!"Referer|3A|"; http_header; content:"="; http_client_body; depth:10; reference:md5,6e715fe727f927bc76e923d2e524d1e3; classtype:command-and-control; sid:2018415; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_24, deployment Perimeter, signature_severity Major, tag c2, updated_at 2016_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; http.uri; content:"pkg"; http.host; content:"platformdl.adobe.com"; bsize:20; classtype:misc-activity; sid:2017294; rev:4; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED ISearchTech.com XXXPornToolbar Activity (MyApp)"; flow: to_server,established; content:" MyApp|0d 0a|"; http_header; fast_pattern:only; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001492; classtype:trojan-activity; sid:2001492; rev:39; metadata:created_at 2010_07_30, updated_at 2016_12_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InetSim Response from External Source Possible SinkHole"; flow:from_server,established; http.server; content:"INetSim HTTP Server"; bsize:19; classtype:bad-unknown; sid:2017363; rev:3; metadata:created_at 2013_08_21, updated_at 2020_04_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:domain-c2; sid:2023593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; http.header; content:".com.exe"; nocase; file.data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim "; nocase; fast_pattern; pcre:"/^\s*?Preserve/Rsi"; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text\/vbscript[\x22\x27])/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019706; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_12_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.info Domain"; flow:established,to_server; http.host; content:".ddns.info"; endswith; classtype:bad-unknown; sid:2018220; rev:6; metadata:created_at 2011_12_15, updated_at 2020_04_28;)
 
-alert tcp any 443 -> any any (msg:"ET MALWARE Potential Sefnit C2 traffic (from server)"; flow: from_server,established; content:"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"; classtype:command-and-control; sid:2018449; rev:8; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2016_12_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.name Domain"; flow:established,to_server; http.host; content:".ddns.name"; endswith; classtype:bad-unknown; sid:2018221; rev:6; metadata:created_at 2011_12_15, updated_at 2020_04_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"image/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018233; rev:3; metadata:created_at 2014_03_08, former_category INFO, updated_at 2020_04_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 33434 (msg:"ET INFO Noction IRP Probe"; flow:stateless; flags:SP; content:"|4E 4F 43 54 49 4F 4E 20 49 52 50|"; reference:url,www.noction.com/faq; classtype:bad-unknown; sid:2023640; rev:1; metadata:created_at 2016_12_14, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2016_12_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"text/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018234; rev:3; metadata:created_at 2014_03_08, former_category INFO, updated_at 2020_04_28;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".pif"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016582; rev:6; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_04_30;)
 
-#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".scr"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016581; rev:5; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:social-engineering; sid:2023657; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, malware_family Tech_Support_Scam, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_12_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016933; rev:6; metadata:created_at 2013_05_29, former_category INFO, updated_at 2020_04_30;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET DELETED Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:9; metadata:created_at 2010_09_28, updated_at 2016_12_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.co.com.au domain"; flow:to_server,established; http.host; content:".co.com.au"; endswith; classtype:bad-unknown; sid:2013412; rev:4; metadata:created_at 2011_08_16, updated_at 2020_05_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022627; rev:12; metadata:attack_target Client_and_Server, created_at 2016_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cz.tf domain"; flow:to_server,established; http.host; content:".cz.tf"; endswith; classtype:bad-unknown; sid:2013415; rev:4; metadata:created_at 2011_08_17, updated_at 2020_05_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET MALWARE Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1; metadata:attack_target IoT, created_at 2016_12_20, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_12_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.c0m.li domain"; flow:to_server,established; http.host; content:".c0m.li"; endswith; classtype:bad-unknown; sid:2013460; rev:4; metadata:created_at 2011_08_26, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cerber Bitcoin Address Check"; flow:to_server,established; content:"/api/v1/address/txs/17gd1msp5FnMcEMF1MitTNSsYs7w7AQyCt?_="; http_uri; nocase; fast_pattern:20,20; content:!"Referer"; http_header; content:!"|0d 0a|Cookie|3a 20|"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; reference:url,www.bleepingcomputer.com/news/security/cerber-ransomware-4-10-now-shows-the-version-number-in-ransom-notes/; classtype:trojan-activity; sid:2023676; rev:2; metadata:created_at 2016_12_20, former_category TROJAN, updated_at 2017_07_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.int.tf domain"; flow:to_server,established; http.host; content:".int.tf"; endswith; classtype:bad-unknown; sid:2013829; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M5"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/javascript"; file_data; pcre:"/^(?P<v1>\S{1,100})\s+(?P<v2>\S{1,100})\s+=\s+\x22\x22\x3b\s+(?P=v2)\s+\+\=\s+\x27(?P=v1).+?(?P=v1)\x27\x3b.+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27]/R"; classtype:trojan-activity; sid:2023673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2016_12_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.edu.tf domain"; flow:to_server,established; http.host; content:".edu.tf"; endswith; classtype:bad-unknown; sid:2013830; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2016_12_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.us.tf domain"; flow:to_server,established; http.host; content:".us.tf"; endswith; classtype:bad-unknown; sid:2013831; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ca.tf domain"; flow:to_server,established; http.host; content:".ca.tf"; endswith; classtype:bad-unknown; sid:2013832; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023689; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.bg.tf domain"; flow:to_server,established; http.host; content:".bg.tf"; endswith; classtype:bad-unknown; sid:2013833; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ru.tf domain"; flow:to_server,established; http.host; content:".ru.tf"; endswith; classtype:bad-unknown; sid:2013834; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET MALWARE W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:command-and-control; sid:2023695; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category MALWARE, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_01_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pl.tf domain"; flow:to_server,established; http.host; content:".pl.tf"; endswith; classtype:bad-unknown; sid:2013835; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/upload"; nocase; http_uri; content:"file="; nocase; http_uri; content:"&id="; http_uri; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008352; classtype:trojan-activity; sid:2008352; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.tf domain"; flow:to_server,established; http.host; content:".de.tf"; endswith; classtype:bad-unknown; sid:2013837; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.at.tf domain"; flow:to_server,established; http.host; content:".at.tf"; endswith; classtype:bad-unknown; sid:2013838; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ch.tf domain"; flow:to_server,established; http.host; content:".ch.tf"; endswith; classtype:bad-unknown; sid:2013839; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.sg.tf domain"; flow:to_server,established; http.host; content:".sg.tf"; endswith; classtype:bad-unknown; sid:2013840; rev:7; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.nl.ai domain"; flow:to_server,established; http.host; content:".nl.ai"; endswith; classtype:bad-unknown; sid:2013841; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.xe.cx domain"; flow:to_server,established; http.host; content:".xe.cx"; endswith; classtype:bad-unknown; sid:2013842; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag DriveBy, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; http.host; content:".orge.pl"; endswith; classtype:bad-unknown; sid:2013844; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:exploit-kit; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2017_01_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a 3322.org.cn Domain"; flow:to_server,established; http.host; content:".3322.org.cn"; endswith; classtype:bad-unknown; sid:2014289; rev:4; metadata:created_at 2012_02_28, updated_at 2020_05_08;)
 
-#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:command-and-control; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2017_01_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinHttpRequest (flowbits no alert)"; flow:established,to_server; flowbits:set,et.WinHttpRequest; flowbits:noalert; http.host; content:!".microsoft.com"; endswith; content:!".qq.com"; endswith; http.user_agent; content:"WinHttp.WinHttpRequest"; fast_pattern; classtype:trojan-activity; sid:2019821; rev:9; metadata:created_at 2014_12_01, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO ATF file in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|41 54 46|"; within:3; flowbits:set,ET.atf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023714; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, updated_at 2017_01_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible ThousandEyes User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; fast_pattern; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021025; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe FDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%FDF-"; within:5; flowbits:set,ET.fdf.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023715; rev:2; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_01_10;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET INFO Possible ThousandEyes User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; fast_pattern; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021026; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_01_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; http.header; content:!"|0d 0a|x-avast"; file.data; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:5; metadata:created_at 2012_09_28, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\x3frnd\x3d\d+$/U"; classtype:exploit-kit; sid:2017998; rev:8; metadata:created_at 2014_01_22, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request for ISO File Direct to IP"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d+)?$/"; http.request_line; content:".iso HTTP/1."; fast_pattern; classtype:misc-activity; sid:2030205; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_05_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:command-and-control; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_Venom, signature_severity Major, tag c2, updated_at 2017_01_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO User-Agent (wininet)"; flow:established,to_server; flowbits:set,ET.wininet.UA; flowbits:noalert; http.header; content:"User-Agent|3a 20|wininet|0d 0a|"; classtype:misc-activity; sid:2021311; rev:4; metadata:created_at 2015_06_19, updated_at 2020_05_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\.jpg(?:\?\d+)?$/"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:102; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022220; rev:3; metadata:created_at 2015_12_05, updated_at 2020_06_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Range|3a 20|"; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022262; rev:4; metadata:created_at 2015_12_15, updated_at 2020_06_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls any any -> $HTTP_SERVERS any (msg:"ET INFO GnuTLS Cryptographic Flaw Observed (CVE-2020-13777)"; flow:to_server,established; content:"|16|"; startswith; content:"|00 23|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:2; within:16; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; reference:url,corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/; classtype:attempted-recon; sid:2030340; rev:2; metadata:created_at 2020_06_15, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Significant, signature_severity Major, updated_at 2020_06_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ZoneAlarm Download Flowbit Set"; flow:established,to_server; http.uri; content:"pkg"; http.host; content:"zonealarm.com"; endswith; flowbits:set,ET.ZoneAlarm.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2022285; rev:3; metadata:created_at 2015_12_18, updated_at 2020_06_16;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023721; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 1"; nocase; content:!"0"; within:1; pcre:"/^[^0-9]/R"; classtype:trojan-activity; sid:2015898; rev:5; metadata:created_at 2012_11_20, updated_at 2020_06_24;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to DuckDNS Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".duckdns."; fast_pattern; classtype:bad-unknown; sid:2031581; rev:1; metadata:created_at 2020_07_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_07_14;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ma Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2030518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any 53 (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M1"; flow:established,to_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030524; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any 53 -> any any (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M2"; flow:established,from_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030525; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Symantec Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Symantec.Site.Download; flowbits:noalert; http.host; content:".symantec.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:misc-activity; sid:2023067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
-alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Unconfigured nginx Access"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"|3C|title|3E|Welcome to nginx|213C2F|title|3E|"; classtype:bad-unknown; sid:2023668; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (1)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,64,0,relative; classtype:trojan-activity; sid:2018575; rev:3; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Inline HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"inline"; nocase; file.data; content:"MZ"; depth:2; fast_pattern; classtype:misc-activity; sid:2014519; rev:8; metadata:created_at 2012_04_06, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; classtype:trojan-activity; sid:2018576; rev:4; metadata:created_at 2014_06_17, updated_at 2017_01_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows Update/Microsoft FP Flowbit"; flow:established,to_server; flowbits:set,ET.INFO.WindowsUpdate; flowbits:noalert; http.host; content:".windowsupdate.com"; endswith; classtype:trojan-activity; sid:2023818; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony DLL Download M2"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|59 55 49 50 57 44 46 49 4c 45 30 59 55 49 50 4b 44 46 49 4c 45 30 59 55 49 43 52 59 50 54 45 44 30 59 55 49|"; classtype:trojan-activity; sid:2023741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, malware_family Pony, signature_severity Major, updated_at 2017_01_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Opera Adblocker Update Flowbit Set"; flow:established,to_server; flowbits:set,ET.opera.adblock; flowbits:noalert; http.host; content:"get.geo.opera.com.global.prod.fastly.net"; bsize:40; classtype:not-suspicious; sid:2024006; rev:3; metadata:created_at 2017_02_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DustySky Checkin"; flow:established,to_server; urilen:10; content:"GET"; http_method; content:"/index.php"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"uvnc.com|0d 0a|"; http_header; nocase; content:"Host|3a|"; depth:5; http_header; content:"Connection|3a 20|Keep-Alive"; distance:0; http_header; pcre:"/^Host\x3a[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\n(?:\r\n)?$/H"; content:!"Cookie|3a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:trojan-activity; sid:2021918; rev:6; metadata:created_at 2015_10_06, former_category TROJAN, updated_at 2017_03_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain"; flow:to_server,established; http.host; content:".dns-free.com"; endswith; classtype:bad-unknown; sid:2022380; rev:4; metadata:created_at 2016_01_20, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"&param="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:4; metadata:created_at 2011_08_04, updated_at 2017_01_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain"; flow:to_server,established; http.host; content:".dyn-dns.ru"; endswith; classtype:bad-unknown; sid:2022379; rev:4; metadata:created_at 2016_01_20, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_01_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain"; flow:to_server,established; http.host; content:".dnsip.ru"; endswith; classtype:bad-unknown; sid:2022378; rev:3; metadata:created_at 2016_01_20, former_category INFO, updated_at 2020_08_04;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2023750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain"; flow:to_server,established; http.host; content:".dnsalias.ru"; endswith; classtype:bad-unknown; sid:2022377; rev:4; metadata:created_at 2016_01_20, former_category INFO, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Nemucod Downloader Oct 04"; flow:established,to_server; content:"/log.php?f="; http_uri; depth:11; fast_pattern; pcre:"/^\/log\.php\?f=[0-1](?:\.[a-z]+)?$/U"; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2023318; rev:3; metadata:created_at 2016_10_05, updated_at 2017_01_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/8"; flow:established,to_server; http.user_agent; content:"Mozilla/8"; nocase; depth:9; classtype:bad-unknown; sid:2016693; rev:6; metadata:created_at 2013_04_02, updated_at 2020_08_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Requested via WGET (set)"; flow:to_server,established; flowbits:set,ET.armwget; flowbits:noalert; http.method; content:"GET"; http.uri; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/"; http.user_agent; content:"Wget/"; depth:5; fast_pattern; classtype:policy-violation; sid:2024240; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:social-engineering; sid:2023757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2017_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bitcoin QR Code Generated via Btcfrog.com"; flow:established,to_server; http.uri; content:"/qr/bitcoinPNG.php?address="; fast_pattern; http.host; content:"www.btcfrog.com"; bsize:15; classtype:coin-mining; sid:2024292; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_05_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_08_06;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Ransomware CrypMIC Payment Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|j24ojpexpgaorlxj"; fast_pattern; distance:0; nocase; classtype:trojan-activity; sid:2023738; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, tag dupe, updated_at 2017_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BitNinja IO Security Check"; flow:established,to_client; http.stat_code; content:"403"; http.header; content:"BitNinja Captcha Server"; fast_pattern; file.data; content:"<title>Waiting for the redirectiron..."; classtype:misc-activity; sid:2030694; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_08_17;)
 
-alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; dns.query; content:".no-ip."; classtype:bad-unknown; sid:2013743; rev:5; metadata:created_at 2011_10_05, former_category HUNTING, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; file_data; content:"|5C|x0a|5C|x0a|5C|x0a|5C|x0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013267; rev:5; metadata:created_at 2011_07_14, updated_at 2017_01_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; dns.query; content:".dyndns."; nocase; classtype:misc-activity; sid:2012758; rev:6; metadata:created_at 2011_05_02, updated_at 2020_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-9a-f]{2,4})(?P<sep>[\x2e\x2c\x3b\x3a])(?P<d>(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P<q>(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P<dot>(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; classtype:trojan-activity; sid:2016730; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2018_01_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; http.host; content:".dyndns."; fast_pattern; content:!"checkip."; pcre:"/\.dyndns\.(biz|info|org|tv)$/"; classtype:bad-unknown; sid:2013097; rev:9; metadata:created_at 2011_06_22, updated_at 2020_08_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:credential-theft; sid:2023772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; http.host; content:".dyndns-"; pcre:"/(?:at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com/R"; classtype:bad-unknown; sid:2013096; rev:6; metadata:created_at 2011_06_22, updated_at 2020_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; http.host; content:".no-ip.com"; fast_pattern; content:!"www.no-ip.com"; classtype:bad-unknown; sid:2013744; rev:10; metadata:created_at 2011_10_05, updated_at 2020_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain"; dns.query; content:".duckdns."; nocase; classtype:misc-activity; sid:2022918; rev:3; metadata:created_at 2016_06_27, updated_at 2020_08_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST to WP Theme Directory Without Referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/themes/"; fast_pattern; pcre:"/^[^&=?]*\/wp-content\/themes\//i"; http.host; content:!"citytv.com"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2020822; rev:7; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2020_08_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 7 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 7"; nocase; fast_pattern; classtype:trojan-activity; sid:2015820; rev:5; metadata:created_at 2012_10_19, updated_at 2020_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3; metadata:created_at 2014_10_03, updated_at 2017_02_01;)
+alert tcp $HOME_NET any -> any 22 (msg:"ET INFO Plaintext SSH Authentication Identified (Encryption set to None)"; flow:established,to_server; content:"|00 00 00|"; content:"|00 00 00|"; within:50; content:"|0e|ssh-connection|00 00 00 08|password|00 00 00 00|"; within:31; content:"|00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,hamwan.org/Standards/Network%20Engineering/Authentication/SSH%20Without%20Encryption.html; classtype:attempted-user; sid:2026643; rev:3; metadata:attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:14; metadata:created_at 2014_09_25, updated_at 2017_02_03;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Outbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030520; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:pup-activity; sid:2008500; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2017_04_04;)
+#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Inbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030521; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2023873; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_06, cve url_nctc_gov_site_groups_hamas_html, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2018_01_25;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Outbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; within:50; classtype:bad-unknown; sid:2030522; rev:3; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
 
-alert tcp any 445 -> $HOME_NET any (msg:"ET DOS SMB Tree_Connect Stack Overflow Attempt (CVE-2017-0016)"; flow:from_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|03 00|"; distance:8; within:2; byte_test:1,&,1,2,relative; byte_jump:2,8,little,from_beginning; byte_jump:2,4,relative,little; isdataat:1000,relative; content:!"|FE|SMB"; within:1000; reference:cve,2017-0016; classtype:attempted-dos; sid:2023832; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2017_02_07;)
+#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Inbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030523; rev:3; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; content:"|0d 0a 0d 0a CA FE BA BE|"; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:8; metadata:created_at 2012_04_06, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO NetSupport Remote Admin Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NetSupport Manager"; depth:18; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035892; rev:4; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"|66 74 79 70 6D|"; offset:4; depth:5; content:"mp4"; within:12; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023713; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_01_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.top domain"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.host; content:".top"; fast_pattern; pcre:"/^(\x3a\d{1,5})?$/R"; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023882; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M2"; flow:from_server,established; file_data; content:"|66 74 79 70 69 73 6f 6d|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023892; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_10, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; http.content_type; content:"application/java-archive"; depth:24; fast_pattern; http.content_len; byte_test:0,<=,30000,0,string,dec; file.data; content:"PK"; within:2; classtype:bad-unknown; sid:2017639; rev:8; metadata:created_at 2013_10_28, updated_at 2020_08_20;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M1"; flow:established,from_server; http.content_type; content:"text/plain"; startswith; file.data; content:"cG93ZXJzaGVsbC5leG"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025238; rev:4; metadata:created_at 2018_01_22, former_category INFO, updated_at 2020_08_24;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2017_02_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M2"; flow:established,from_server; http.content_type; content:"text/plain"; startswith; file.data; content:"Bvd2Vyc2hlbGwuZXhl"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025239; rev:4; metadata:created_at 2018_01_22, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP4 in HTTP Flowbit Set M3"; flow:from_server,established; file_data; content:"|66 74 79 70 71 74 20 20|"; offset:4; depth:8; flowbits:set,ET.mp4.in.http; flowbits:noalert; classtype:not-suspicious; sid:2023900; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M3"; flow:established,from_server; http.content_type; content:"text/plain"; startswith; file.data; content:"wb3dlcnNoZWxsLmV4Z"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025240; rev:4; metadata:created_at 2018_01_22, updated_at 2020_08_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023881; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, tag Phishing, tag dupe, updated_at 2017_02_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Secondary Flash Request Seen (no alert)"; flow:established,to_server; flowbits:set,ET.SecondaryFlash.Req; flowbits:noalert; http.referer; content:"/[[DYNAMIC]]/1"; fast_pattern; http.header_names; content:"x-flash-version"; classtype:trojan-activity; sid:2025411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_09, deployment Perimeter, former_category INFO, signature_severity Major, tag Sundown_EK, updated_at 2020_08_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023529; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag dupe, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (CustomStringHere)"; flow:established,to_server; http.user_agent; content:"CustomStringHere"; reference:md5,7a8cb1223e006bc7e70169c060d7057b; classtype:misc-activity; sid:2025436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_19, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_14, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2017_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NYU Internet HTTP/SSL Census Scan"; flow:to_server,established; http.user_agent; content:"NYU Internet Census (https://scan.lol|3b 20|research@scan.lol)"; reference:url,scan.lol; classtype:network-scan; sid:2025460; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_03, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; urilen:1; threshold: type limit, count 2, seconds 300, track by_src; http.method; content:"POST"; http.header; content:"TagId|3a 20|"; fast_pattern; content:!".namequery.com|0d 0a|"; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_05_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_Fan WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|win32_fan"; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:domain-c2; sid:2023904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (MSAcpi_ThermalZoneTemperature WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|MSAcpi_ThermalZoneTemperature"; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:domain-c2; sid:2023905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_PointingDevice WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_PointingDevice"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:domain-c2; sid:2023906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_DiskDevice WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_DiskDevice"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:domain-c2; sid:2023907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_BaseBoard WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_BaseBoard"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:domain-c2; sid:2023908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct)"; flow:established,from_server; threshold:type limit, count 1, seconds 60, track by_src; http.stat_code; content:"200"; file.data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|AntiVirusProduct"; distance:0; fast_pattern; nocase; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Enumeration, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct)"; flow:established,from_server; threshold:type limit, count 1, seconds 60, track by_src; http.stat_code; content:"200"; file.data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|AntiSpywareProduct"; distance:0; fast_pattern; nocase; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Enumeration, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (FirewallProduct)"; flow:established,from_server; threshold:type limit, count 1, seconds 60, track by_src; http.stat_code; content:"200"; file.data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|FirewallProduct"; distance:0; fast_pattern; nocase; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Enumeration, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO RealThinClient Session Init"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?ACTION=HELLO"; distance:0; fast_pattern; http.host; content:!"nanosystems.it"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:url,www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html; reference:md5,7553a383bbdee93624e8208dad686c5a; reference:url,rtc.teppi.net; classtype:bad-unknown; sid:2036705; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO maas.io Image Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Maas.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"maas/2.3."; http.host; content:"images.maas.io"; classtype:trojan-activity; sid:2026747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, former_category INFO, signature_severity Informational, updated_at 2020_08_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO External Host Probing for ChromeCast Devices"; flow:established,to_server; urilen:18; http.method; content:"GET"; http.uri; content:"/setup/eureka_info"; fast_pattern; reference:url,www.theverge.com/2019/1/2/18165386/pewdiepie-chromecast-hack-tseries-google-chromecast-smart-tv; classtype:trojan-activity; sid:2026758; rev:3; metadata:attack_target IoT, created_at 2019_01_04, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, tag Enumeration, updated_at 2020_08_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO [eSentire] Possible Kali Linux Updates"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"APT-HTTP|2f|"; http.host; content:"kali.org"; fast_pattern; pcre:"/^[a-z0-9.]+\.kali\.org/"; classtype:policy-violation; sid:2025627; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request with Double Cache-Control"; flow:established,to_server; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Cache-Control|3a 20|no-cache"; classtype:trojan-activity; sid:2027207; rev:2; metadata:created_at 2019_04_16, updated_at 2020_08_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; flowbits:set,min.gethttp; flowbits:noalert; http.method; content:"GET"; http.header_names; content:!"Accept"; content:!"If-"; content:!"Referer"; content:!"User-Agent"; content:!"Content"; classtype:bad-unknown; sid:2016537; rev:4; metadata:created_at 2013_03_06, updated_at 2020_08_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Internet Connectivity Check via Network GUID Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|GetTypeFromCLSID"; nocase; content:"|5b|Guid|5d 27 7b|DCB00C01-570F-4A9B-8D69-199FDBA5723B|7d 27 29 29|.IsConnectedToInternet"; distance:0; nocase; fast_pattern; reference:md5,036180b14dce975a055e62902e5f3567; classtype:trojan-activity; sid:2027394; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_08_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:!"SlimBrowser"; http.host; content:!".taobao.com"; content:!".dict.cn"; content:!".avg.com"; content:!".weather.hao.360.cn"; content:!"es.f.360.cn"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; fast_pattern; classtype:trojan-activity; sid:2012612; rev:18; metadata:created_at 2011_03_31, former_category TROJAN, updated_at 2020_08_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.noc.su domain"; dns.query; content:".noc.su"; fast_pattern; classtype:bad-unknown; sid:2012901; rev:5; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a *.slyip.net Dynamic DNS Domain"; dns.query; content:".try2check.me"; fast_pattern; nocase; classtype:bad-unknown; sid:2014508; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:created_at 2015_10_14, cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, updated_at 2017_02_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download - Set"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McHttpH"; fast_pattern; http.host; content:"download.mcafee.com"; classtype:not-suspicious; sid:2027945; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious PowerSploit PowerShell Script Observed over HTTP"; flow:established,from_server; file_data; content:"CmdletBinding()"; content:"$DoNotZeroMZ"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023947; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, updated_at 2017_02_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious HTTP POST to 404.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/404.php"; endswith; fast_pattern; classtype:misc-activity; sid:2030819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP"; flow:established,from_server; content:"$PEBytes"; content:"$PEBytes0=|22|TV"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2017_02_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Java/1."; http.host; pcre:"/\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?$/"; classtype:bad-unknown; sid:2016583; rev:6; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_09_02;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MAGICHOUND.FETCH SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|service.chrome-up.date"; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023952; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_related, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO TRR DNS over HTTPS detected"; flow:established,to_server; http.header; content:"application/dns-udpwireformat"; reference:url,tools.ietf.org/html/draft-ietf-doh-dns-over-https-02; classtype:misc-activity; sid:2025980; rev:3; metadata:created_at 2018_08_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2020_09_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_LEASH, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Imposter USPS Domain"; flow:established,to_server; http.host; content:".usps.com."; fast_pattern; classtype:bad-unknown; sid:2015848; rev:5; metadata:created_at 2012_10_27, updated_at 2020_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:credential-theft; sid:2024000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Java/1."; http.host; pcre:"/\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?$/"; classtype:bad-unknown; sid:2016580; rev:6; metadata:created_at 2013_03_15, updated_at 2020_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; flow:established,to_server; http.user_agent; content:"python-requests/"; classtype:attempted-recon; sid:2017515; rev:6; metadata:created_at 2013_09_25, updated_at 2020_09_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:social-engineering; sid:2025688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.uni.cc domain"; flow:to_server,established; http.host; content:".uni.cc"; endswith; classtype:bad-unknown; sid:2013438; rev:5; metadata:created_at 2011_08_19, updated_at 2020_09_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2017_01_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_23;)
+alert http any any -> any any (msg:"ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wpad.dat"; fast_pattern; endswith; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022913; rev:5; metadata:created_at 2016_06_23, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; dns.query; content:".3322.org"; nocase; endswith; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:9; metadata:created_at 2011_01_12, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024012; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; http.host; content:".pw"; fast_pattern; endswith; content:!"u.pw"; depth:4; endswith; classtype:bad-unknown; sid:2016777; rev:14; metadata:created_at 2013_04_20, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024013; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".exe"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2016141; rev:7; metadata:created_at 2013_01_03, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024014; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; dns.query; content:".flnet.org"; nocase; endswith; classtype:bad-unknown; sid:2014500; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:social-engineering; sid:2024017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2017_02_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; http.host; content:".3322.net"; endswith; classtype:misc-activity; sid:2014788; rev:9; metadata:created_at 2012_05_19, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_02_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; dns.query; content:".dtdns.net"; nocase; endswith; classtype:bad-unknown; sid:2014492; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; classtype:social-engineering; sid:2025689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2013684; rev:6; metadata:created_at 2011_09_22, updated_at 2020_09_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5500 (msg:"ET HUNTING Suspicious VNC Remote Admin Request"; flow:to_server,established; content:"|49 44 3a|"; depth:3; content:"temp"; nocase; fast_pattern; distance:0; content:"|52 46 42 20 30 30 33 2e 30 30 38 0a|"; distance:0; reference:md5,2faf3040e8286d506144a0585d8f4162; classtype:trojan-activity; sid:2024029; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2014493; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt"; flow:established,to_client; content:"table"; nocase; content:"position|3A|absolute"; nocase; within:30; content:"clip|3A|rect"; fast_pattern; nocase; within:15; reference:bid,44536; reference:cve,2010-3962; classtype:attempted-user; sid:2011891; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_03_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; dns.query; content:".myftp.biz"; nocase; endswith; classtype:bad-unknown; sid:2013823; rev:5; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_15;)
 
-#alert tcp any any -> any [139,445] (msg:"ET INFO Potentially unsafe SMBv1 protocol in use"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; content:!"r"; within:1; threshold: type limit, count 1, track by_src, seconds 1200; reference:url,www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices; reference:url,blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/; classtype:not-suspicious; sid:2023997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2017_03_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".8800.org"; endswith; classtype:misc-activity; sid:2014784; rev:8; metadata:created_at 2012_05_18, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)"; flow:established,to_client; file_data; content:"microsoft-edge|3a|http"; nocase; fast_pattern; byte_test:1,>,0x21,-20,relative; byte_test:1,<,0x28,-20,relative; byte_test:1,!=,0x23,-20,relative; byte_test:1,!=,0x24,-20,relative; byte_test:1,!=,0x25,-20,relative; byte_test:1,!=,0x26,-20,relative; content:"location"; nocase; content:"iframe"; nocase; content:"contentWindow"; nocase; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:exploit-kit; sid:2024030; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; http.host; content:".mooo.com"; endswith; classtype:bad-unknown; sid:2015634; rev:6; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Local file read using read protocol"; flow:established,to_client; file_data; content:"read|3a|"; nocase; fast_pattern; byte_test:1,>,0x21,-6,relative; byte_test:1,<,0x28,-6,relative; byte_test:1,!=,0x23,-6,relative; byte_test:1,!=,0x24,-6,relative; byte_test:1,!=,0x25,-6,relative; byte_test:1,!=,0x26,-6,relative; pcre:"/^\s*,\s*[a-zA-Z]\x3a[\x2f\x5c]/Ri"; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:misc-activity; sid:2024031; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query Domain .bit"; dns.query; content:".bit"; nocase; endswith; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:5; metadata:created_at 2013_10_30, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024032; rev:2; metadata:created_at 2017_03_06, former_category PHISHING, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)"; dns.query; content:"freegeoip.net"; nocase; endswith; fast_pattern; classtype:external-ip-check; sid:2036860; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_03_10, deployment Perimeter, former_category POLICY, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:2; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_03_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; dns.query; content:".8866.org"; endswith; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:8; metadata:created_at 2011_04_28, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:exploit-kit; sid:2021271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; dns.query; content:".3d-game.com"; nocase; endswith; classtype:bad-unknown; sid:2014478; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; classtype:exploit-kit; sid:2021270; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_06_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2018_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cz.cc Domain"; dns.query; content:".cz.cc"; endswith; nocase; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:command-and-control; sid:2015581; rev:2; metadata:created_at 2012_08_07, former_category TROJAN, updated_at 2018_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; http.host; content:".hopto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:command-and-control; sid:2015019; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.cu.cc domain"; dns.query; content:".cu.cc"; nocase; endswith; classtype:bad-unknown; sid:2013172; rev:5; metadata:created_at 2011_07_02, former_category HUNTING, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:command-and-control; sid:2014864; rev:2; metadata:created_at 2012_06_06, former_category MALWARE, updated_at 2012_06_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; http.host; content:".osa.pl"; endswith; classtype:bad-unknown; sid:2014037; rev:6; metadata:created_at 2011_12_22, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:2; metadata:created_at 2010_10_29, former_category POLICY, updated_at 2010_10_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to Free Hosting Domain (freevnn . com)"; dns.query; content:".freevnn.com"; nocase; endswith; reference:md5,18c1c99412549815bdb89c36316243a7; classtype:bad-unknown; sid:2024235; rev:5; metadata:created_at 2017_04_21, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011769; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; http.host; content:".suroot.com"; endswith; classtype:bad-unknown; sid:2014511; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Myvnc.com"; flow:established,to_server; http.host; content:".myvnc.com"; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018213; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; dns.query; content:".bbsindex.com"; nocase; endswith; classtype:bad-unknown; sid:2014484; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024050; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".mooo.com"; nocase; endswith; classtype:misc-activity; sid:2015633; rev:5; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:exploit-kit; sid:2024053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.co.tv domain"; dns.query; content:".co.tv"; nocase; endswith; classtype:bad-unknown; sid:2012956; rev:6; metadata:created_at 2011_06_08, former_category HUNTING, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:exploit-kit; sid:2024054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_03_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; http.host; content:".3322.org"; endswith; classtype:misc-activity; sid:2013213; rev:8; metadata:created_at 2011_07_06, updated_at 2020_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:credential-theft; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; http.host; content:".sytes.net"; endswith; classtype:bad-unknown; sid:2018219; rev:9; metadata:created_at 2012_03_05, updated_at 2022_05_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_03_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tc domain"; flow:established,to_server; http.host; content:".tc"; endswith; classtype:bad-unknown; sid:2013535; rev:7; metadata:created_at 2011_09_06, updated_at 2020_09_15;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gdn Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gdn"; fast_pattern; endswith; classtype:bad-unknown; sid:2025097; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gq domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2025100; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ga Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2025101; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ml Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2025102; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.cf Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; fast_pattern; endswith; classtype:bad-unknown; sid:2025103; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ga"; nocase; endswith; classtype:bad-unknown; sid:2025105; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ml Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ml"; nocase; endswith; classtype:bad-unknown; sid:2025106; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cf Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".cf"; nocase; endswith; classtype:bad-unknown; sid:2025107; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gq Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".gq"; nocase; endswith; classtype:bad-unknown; sid:2025104; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ga) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ga"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025109; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gq) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gq"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025108; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ml) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ml"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025110; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.cf) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".cf"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025111; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gdn) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gdn"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025112; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPSEL File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mipsel"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025122; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPS File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mips"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025123; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025124; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM7 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm7"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025125; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO x86 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025126; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO m68k File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".m68k"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025127; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SPARC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".sparc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025128; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POWERPC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".powerpc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025129; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO X86_64 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86_64"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025130; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M1"; flow:to_server,established; content:"Content-Length|3a|"; nocase; content:"{"; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Length\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024094; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUPERH File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".superh"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025131; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Length) M2"; flow:to_server,established; content:"Content-Length|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024095; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns.query; content:".gr.com"; endswith; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:5; metadata:created_at 2017_12_12, former_category HUNTING, updated_at 2020_09_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M2"; flow:to_server,established; content:"Content-Disposition|3a 20 25 7b 28|"; nocase; content:"{"; content:"}"; classtype:web-application-attack; sid:2024097; rev:1; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_03_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)"; dns.query; content:".000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026657; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_16;)
 
-#alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:2101777; rev:12; metadata:created_at 2010_09_23, former_category FTP, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026658; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; dns.query; content:".myq-see.com"; nocase; endswith; classtype:policy-violation; sid:2025560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET DOS Microsoft Windows LSASS Remote Memory Corruption (CVE-2017-0004)"; flow:established,to_server; content:"|FF|SMB|73|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; byte_test:1,&,0x08,6,relative; byte_test:1,&,0x10,5,relative; byte_test:1,&,0x04,5,relative; byte_test:1,&,0x02,5,relative; byte_test:1,&,0x01,5,relative; content:"|ff 00|"; distance:28; within:2; content:"|84|"; distance:25; within:1; content:"NTLMSSP"; fast_pattern; within:64; reference:url,github.com/lgandx/PoC/tree/master/LSASS; reference:url,support.microsoft.com/en-us/kb/3216771; reference:url,support.microsoft.com/en-us/kb/3199173; reference:cve,2017-0004; reference:url,technet.microsoft.com/library/security/MS17-004; classtype:attempted-dos; sid:2023497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2017_01_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Android Device Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/generate_204"; fast_pattern; endswith; http.host; content:"connectivitycheck.gstatic.com"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Cache"; content:!"Referer"; classtype:policy-violation; sid:2036220; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_09_14, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Minor, tag Connectivity_Check, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024102; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)"; flow:to_server,established; flowbits:set,ET.000webhostpost; flowbits:noalert; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:misc-activity; sid:2026420; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024103; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET to Puu.sh for TXT File with Minimal Headers"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".txt"; nocase; endswith; http.host; content:"puu.sh"; depth:6; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2026569; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:exploit-kit; sid:2017824; rev:3; metadata:created_at 2013_12_10, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to Bit.ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|bit.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2026674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016868; rev:14; metadata:created_at 2013_05_21, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.icu domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".icu"; fast_pattern; endswith; classtype:bad-unknown; sid:2026887; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017267; rev:8; metadata:created_at 2013_08_01, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .icu Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".icu"; nocase; endswith; classtype:bad-unknown; sid:2026888; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017594; rev:8; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017595; rev:9; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Wget Request for Executable"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; http.user_agent; content:"Wget/"; depth:5; fast_pattern; classtype:bad-unknown; sid:2027076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_12, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017596; rev:3; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request to Dotted Quad"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.ip.request; flowbits:noalert; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"UA-CPU"; content:!"Cookie"; content:!"Referer"; content:!"Accept-Language"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:misc-activity; sid:2022054; rev:6; metadata:created_at 2015_11_10, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Neutrino EK XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017597; rev:3; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myddns.me Domain"; flow:established,to_server; http.host; content:".myddns.me"; endswith; classtype:policy-violation; sid:2027288; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; reference:url,pastebin.com/194D8UuK; classtype:exploit-kit; sid:2017653; rev:14; metadata:created_at 2013_11_01, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.autoddns .com Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".autoddns.com"; nocase; endswith; classtype:policy-violation; sid:2027299; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:exploit-kit; sid:2017661; rev:3; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.autoddns.com Domain"; flow:established,to_server; http.host; content:".autoddns.com"; endswith; classtype:policy-violation; sid:2027300; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:exploit-kit; sid:2017963; rev:3; metadata:created_at 2014_01_14, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User-Agent Downloading ZIP"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".zip"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2027360; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET DELETED Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:exploit-kit; sid:2017971; rev:10; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious shell .now .sh Domain"; dns.query; content:"shell.now.sh"; nocase; endswith; reference:url,www.lacework.com/blog-attacks-exploiting-confluence; classtype:misc-attack; sid:2027367; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2018226; rev:3; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2017_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic - Mozilla 4.0 EXE Request"; flow:established,to_server; urilen:6<>15; http.uri; content:".exe"; endswith; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:unknown; sid:2020705; rev:7; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021588; rev:3; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User Agent Executable Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019935; rev:7; metadata:created_at 2014_12_15, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag AutoIt, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M3 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"ZWS"; fast_pattern; within:3; classtype:exploit-kit; sid:2021589; rev:5; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"cloudflare-dns.com"; endswith; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:misc-activity; sid:2027695; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; classtype:exploit-kit; sid:2021590; rev:6; metadata:created_at 2015_08_04, former_category CURRENT_EVENTS, updated_at 2018_06_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; http.host; content:"8866.org"; endswith; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:7; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2019_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .biz TLD"; dns.query; content:".biz"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027863; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0|0d 0a|"; nocase; http_header; content:!"autodesk.com"; http_header; reference:url,doc.emergingthreats.net/2010908; classtype:trojan-activity; sid:2010908; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .okinawa TLD"; dns.query; content:".okinawa"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027864; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .cloud TLD"; dns.query; content:".cloud"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027865; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:exploit-kit; sid:2024169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .desi TLD"; dns.query; content:".desi"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027866; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .life TLD"; dns.query; content:".life"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027867; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, created_at 2017_04_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_04_05;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .work TLD"; dns.query; content:".work"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027868; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .ryukyu TLD"; dns.query; content:".ryukyu"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027869; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .world TLD"; dns.query; content:".world"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027870; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .fit TLD"; dns.query; content:".fit"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027871; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.okinawa Domain"; flow:established,to_server; http.host; content:".okinawa"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027873; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:command-and-control; sid:2017627; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_10_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_04_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.cloud Domain"; flow:established,to_server; http.host; content:".cloud"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027874; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, created_at 2017_04_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.desi Domain"; flow:established,to_server; http.host; content:".desi"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027875; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.life Domain"; flow:established,to_server; http.host; content:".life"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027876; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:social-engineering; sid:2024200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2017_04_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.work Domain"; flow:established,to_server; http.host; content:".work"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027877; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, signature_severity Major, tag Android, updated_at 2017_04_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.ryukyu Domain"; flow:established,to_server; http.host; content:".ryukyu"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027878; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:exploit-kit; sid:2015946; rev:3; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2017_04_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.world Domain"; flow:established,to_server; http.host; content:".world"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027879; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.fit Domain"; flow:established,to_server; http.host; content:".fit"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027880; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.vv.cc domain"; dns.query; content:".vv.cc"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2012826; rev:5; metadata:created_at 2011_05_19, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.be Domain"; dns.query; content:".co.be"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013124; rev:7; metadata:created_at 2011_06_29, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .net.tf Domain"; dns.query; content:".net.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013847; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .eu.tf Domain"; dns.query; content:".eu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013848; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .int.tf Domain"; dns.query; content:".int.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013849; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .edu.tf Domain"; dns.query; content:".edu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013850; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .us.tf Domain"; dns.query; content:".us.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013851; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ca.tf Domain"; dns.query; content:".ca.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013852; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .bg.tf Domain"; dns.query; content:".bg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013853; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ru.tf Domain"; dns.query; content:".ru.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013854; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .pl.tf Domain"; dns.query; content:".pl.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013855; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .cz.tf Domain"; dns.query; content:".cz.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013856; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .de.tf Domain"; dns.query; content:".de.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013857; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .at.tf Domain"; dns.query; content:".at.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013858; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ch.tf Domain"; dns.query; content:".ch.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013859; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3; metadata:created_at 2010_12_30, former_category CURRENT_EVENTS, updated_at 2017_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .sg.tf Domain"; dns.query; content:".sg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013860; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirection to driveby Page Home index.php"; flow:established,from_server; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; classtype:exploit-kit; sid:2013436; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_19, deployment Perimeter, former_category INFO, signature_severity Major, tag DriveBy, updated_at 2017_04_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .nl.ai Domain"; dns.query; content:".nl.ai"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013861; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .xe.cx Domain"; dns.query; content:".xe.cx"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013862; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .noip.cn Domain"; dns.query; content:".noip.cn"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013970; rev:5; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ch.vu Domain"; dns.query; content:".ch.vu"; fast_pattern; nocase; endswith; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:8; metadata:created_at 2012_02_28, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious Gzip PowerShell over HTTP"; flow:established,from_server; file_data; content:"FromBase64String"; content:"H4sIAI"; distance:0; fast_pattern; content:"GzipStream"; nocase; distance:0; classtype:trojan-activity; sid:2024221; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_18, deployment Perimeter, former_category TROJAN, malware_family PowerShell, performance_impact Moderate, signature_severity Major, tag PowerShell, updated_at 2017_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; dns.query; content:".ez-dns.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013845; rev:6; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; dns.query; content:".dyndns-web.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013863; rev:7; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; dns.query; content:".dyndns-at-home.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013971; rev:7; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain"; dns.query; content:".4irc.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014480; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain"; dns.query; content:".b0ne.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014482; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain"; dns.query; content:".chatnook.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014486; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert ftp $HOME_NET [0:20,22:24,26:118,120:138,140:444,446:464,466:586,588:901,903:1432,1434:65535] -> any any (msg:"ET HUNTING Suspicious FTP 220 Banner on Local Port (-)"; flow:from_server,established; content:"220-"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; classtype:non-standard-protocol; sid:2003055; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_12_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain"; dns.query; content:".darktech.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014488; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:exploit-kit; sid:2024237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2017_04_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain"; dns.query; content:".deaftone.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014490; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ARM Binary Downloaded via WGET Containing Suspicious Netcat Command - Possible IoT Malware"; flow:from_server,established; flowbits:isset,ET.armwget; content:"|25|24|25|28nc+"; content:"+-e+|25|2Fbin|25|2Fsh|25|29"; within:50; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024241; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_04_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.effers.com Domain"; dns.query; content:".effers.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014494; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ARM Binary Downloaded via WGET Containing GoAhead and Multiple Camera RCE 0Day Vulnerabilities"; flow:from_server,established; flowbits:isset,ET.armwget; content:"/set_ftp.cgi"; fast_pattern; content:"&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr="; distance:0; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:trojan-activity; sid:2024242; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_04_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain"; dns.query; content:".etowns.net"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014496; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, malware_family pyteHole, signature_severity Major, tag Ransomware, updated_at 2017_04_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain"; dns.query; content:".etowns.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014498; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CozyDuke APT HTTP Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http_header; pcre:"/\.php\?$/U"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020962; rev:3; metadata:created_at 2015_04_22, former_category TROJAN, updated_at 2018_12_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain"; dns.query; content:".gotgeeks.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014502; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.LoadMoney User Agent"; flow:established,to_server; content:"Downloader "; http_user_agent; fast_pattern:only; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2017_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain"; dns.query; content:".scieron.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014504; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Red Leaves magic packet response detected (APT10 implant)"; flowbits:isset,ncc.apt10.beacon_send; flow:established,to_client; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; threshold:type limit, track by_dst, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain"; dns.query; content:".slyip.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014506; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves magic packet detected (APT10 implant)"; flow:established,to_server; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; flowbits:set,ncc.apt10.beacon_send; threshold:type limit, track by_src, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain"; dns.query; content:".suroot.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014510; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".2288.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014779; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".3322.net"; fast_pattern; endswith; classtype:misc-activity; sid:2014781; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".6600.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014782; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, former_category EXPLOIT, updated_at 2017_05_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".7766.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014783; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert</title>"; fast_pattern:7,20; nocase; content:"<script type=|22|text/javascript|22 20|src=|22|/alert.php?h="; nocase; distance:0; classtype:credential-theft; sid:2024266; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".9966.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014786; rev:9; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Google App Oauth Phish M3 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/javascript"; http_header; content:"alert="; http_cookie; file_data; content:"navigator.languages"; nocase; content:"Your computer is infected"; nocase; distance:0; fast_pattern:5,20; content:"navegador contiene malware"; nocase; distance:0; content:"navigateur contient MALWARE"; nocase; distance:0; content:"&subid=alertyes"; nocase; distance:0; classtype:credential-theft; sid:2024268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com"; dns.query; content:".dns-stuff.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014868; rev:6; metadata:created_at 2012_06_07, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M4 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/tds.php?h="; depth:11; http_uri; fast_pattern; nocase; content:"&subid=alert"; nocase; distance:32; within:12; http_uri; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024269; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.be.ma domain"; dns.query; content:".be.ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2012902; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:credential-theft; sid:2024267; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.upas.su domain"; dns.query; content:".upas.su"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2015550; rev:5; metadata:created_at 2012_07_31, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:command-and-control; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.cc Domain"; dns.query; content:".co.cc"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:7; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1"; flow:to_server,established; content:"Host|3a|"; http_header; nocase; content:"("; http_header; nocase; content:")"; http_header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024277; rev:2; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbasic.com Domain"; dns.query; content:".mrbasic.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2018366; rev:6; metadata:created_at 2014_04_05, updated_at 2020_09_17;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain ant.trenz .pl Lookup"; content:"|03|ant|05|trenz|02|pl|00|"; nocase; classtype:trojan-activity; sid:2024281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; dns.query; content:".passinggas.net"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018810; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myredirect.us Domain (Sitelutions)"; dns.query; content:".myredirect.us"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018812; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.rr.nu Domain (Sitelutions)"; dns.query; content:".rr.nu"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018814; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; file_data; content:".HHClick|2829|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.kwik.to Domain (Sitelutions)"; dns.query; content:".kwik.to"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018816; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_08_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myfw.us Domain (Sitelutions)"; dns.query; content:".myfw.us"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018818; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:exploit-kit; sid:2022859; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *ontheweb.nu Domain (Sitelutions)"; dns.query; content:".ontheweb.nu"; nocase; endswith; classtype:bad-unknown; sid:2018820; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4; metadata:created_at 2010_07_30, former_category EXPLOIT, updated_at 2017_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isthebe.st Domain (Sitelutions)"; dns.query; content:".isthebe.st"; nocase; endswith; classtype:bad-unknown; sid:2018822; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008150; classtype:pup-activity; sid:2008150; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *byinter.net Domain (Sitelutions)"; dns.query; content:".byinter.net"; nocase; endswith; classtype:bad-unknown; sid:2018824; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *findhere.org Domain (Sitelutions)"; dns.query; content:".findhere.org"; nocase; endswith; classtype:bad-unknown; sid:2018826; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:4; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *onthenetas.com Domain (Sitelutions)"; dns.query; content:".onthenetas.com"; nocase; endswith; classtype:bad-unknown; sid:2018828; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *uglyas.com Domain (Sitelutions)"; dns.query; content:".uglyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018830; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *assexyas.com Domain (Sitelutions)"; dns.query; content:".assexyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018832; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *passas.us Domain (Sitelutions)"; dns.query; content:".passas.us"; nocase; endswith; classtype:bad-unknown; sid:2018834; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *atthissite.com Domain (Sitelutions)"; dns.query; content:"athissite.com"; nocase; endswith; classtype:bad-unknown; sid:2018836; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *athersite.com Domain (Sitelutions)"; dns.query; content:"athersite.com"; nocase; endswith; classtype:bad-unknown; sid:2018838; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:16; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isgre.at Domain (Sitelutions)"; dns.query; content:".isgre.at"; nocase; endswith; classtype:bad-unknown; sid:2018840; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:20; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lookin.at Domain (Sitelutions)"; dns.query; content:".lookin.at"; nocase; endswith; classtype:bad-unknown; sid:2018842; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *bestdeals.at Domain (Sitelutions)"; dns.query; content:".bestdeals.at"; nocase; endswith; classtype:bad-unknown; sid:2018844; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:5; metadata:created_at 2011_08_29, former_category SCAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lowestprices Domain (Sitelutions)"; dns.query; content:".lowestprices.at"; nocase; endswith; classtype:bad-unknown; sid:2018846; rev:7; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
 
-alert icmp any any -> any any (msg:"ET MALWARE Philis.J ICMP Sweep (Payload Hello World)"; icode:0; itype:0; dsize:11; content:"Hello,World"; reference:url,vil.nai.com/vil/content/v_141203.htm; reference:url,doc.emergingthreats.net/2008017; classtype:trojan-activity; sid:2008017; rev:4; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.orge.pl Domain"; dns.query; content:".orge.pl"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013843; rev:6; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, former_category TROJAN, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsip.ru Domain"; dns.query; content:".dnsip.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022382; rev:5; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyn-dns.ru Domain"; dns.query; content:".dyn-dns.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022383; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; nocase; within:100; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru Domain"; dns.query; content:".dnsalias.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022381; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2017_05_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru Domain"; dns.query; content:".dns-free.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022384; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family May, signature_severity Major, tag Ransomware, updated_at 2017_05_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.ae.am domain"; dns.query; content:".ae.am"; fast_pattern; endswith; classtype:bad-unknown; sid:2012900; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.qc.cx domain"; dns.query; content:".qc.cx"; fast_pattern; endswith; classtype:bad-unknown; sid:2012903; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious dynapoint.pw Domain"; dns.query; content:"dynapoint.pw"; depth:12; endswith; fast_pattern; classtype:bad-unknown; sid:2022876; rev:5; metadata:created_at 2016_06_08, former_category HUNTING, updated_at 2020_09_17;)
 
-alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Cloudflare DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2027671; rev:5; metadata:created_at 2019_07_03, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2020_09_17;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; classtype:trojan-activity; sid:2022006; rev:3; metadata:created_at 2015_10_28, former_category TROJAN, updated_at 2017_05_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; http.uri; content:"/go.php?sid="; fast_pattern; classtype:trojan-activity; sid:2015675; rev:5; metadata:created_at 2012_09_05, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 9"; nocase; fast_pattern; classtype:trojan-activity; sid:2015822; rev:5; metadata:created_at 2012_10_19, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 2"; nocase; fast_pattern; classtype:trojan-activity; sid:2015899; rev:5; metadata:created_at 2012_11_20, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 3"; nocase; fast_pattern; classtype:trojan-activity; sid:2015900; rev:6; metadata:created_at 2012_11_20, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_05_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PDF - Acrobat Enumeration - pdfobject.js"; flow:established,to_server; http.uri; content:"/pdfobject.js"; fast_pattern; classtype:misc-activity; sid:2016765; rev:4; metadata:created_at 2013_04_18, updated_at 2020_09_18;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO myobfuscate.com Encoded Script Calling home"; flow:to_server,established; http.uri; content:"/?getsrc="; content:"&url="; http.header; content:"api.myobfuscate.com|0d|"; nocase; fast_pattern; classtype:misc-activity; sid:2016802; rev:6; metadata:created_at 2013_05_01, updated_at 2020_09_18;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2017_05_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; http.uri; content:"|2f|crx|2f|blobs"; nocase; fast_pattern; http.user_agent; content:"|20|Chrome/"; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:5; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_30, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_05_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Firefox Plugin install"; flow:to_server,established; http.uri; content:".xpi"; nocase; fast_pattern; endswith; http.user_agent; content:"|20|Firefox/"; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:2016846; rev:6; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp-pkt any any -> any any (msg:"ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)"; flow:established,to_server; content:"|05 00 0B|"; depth:3; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 cf fb|"; distance:0; flowbits:set,dcerpc.rpcnetlogon; flowbits:noalert; reference:cve,2020-1472; classtype:misc-activity; sid:2030888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_18, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing URI T1 Jun 02 2017"; flow:established,to_server; content:"/e71cac9dd645d92189c49e2b30ec627a/dcb4c6c6149b2208fbcf7c9d8c59548e"; http_uri; classtype:exploit-kit; sid:2024343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Adultdns.net"; flow:established,to_server; http.host; content:".adultdns.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018211; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M1"; flow:established,from_server; file_data; content:"|3c 70 61 72 61 6d 20 6e 61 6d 65 3d 46 6c 61 73 68 56 61 72 73 20 76 61 6c 75 65 3d 22 69 64 64 71 64 3d 27|"; classtype:exploit-kit; sid:2024346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Servehttp.com"; flow:established,to_server; http.host; content:".servehttp.com"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018212; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing T1 Jun 02 2017 M2"; flow:established,from_server; file_data; content:"|25 37 37 25 37 33 25 36 33 25 37 32 25 36 39 25 37 30 25 37 34 25 32 45 25 36 35 25 37 38 25 36 35|"; content:"|2e 53 74 61 72 74 52 65 6d 6f 74 65 44 65 73 6b 74 6f 70|"; classtype:exploit-kit; sid:2024347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2017_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Redirectme.net"; flow:established,to_server; http.host; content:".redirectme.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018214; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET MALWARE Executioner Ransomware Reporting Infection via SMTP"; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Executioner, signature_severity Major, tag Ransomware, updated_at 2017_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Zapto.org"; flow:established,to_server; http.host; content:".zapto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018215; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B641"; flow:established,from_server; file_data; content:"|4a694270626e525562314e30636968685a4752794b|"; classtype:exploit-kit; sid:2024353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain serveblog.net"; flow:established,to_server; http.host; content:".serveblog.net"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018217; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B642"; flow:established,from_server; file_data; content:"|596761573530564739546448496f5957526b6369|"; classtype:exploit-kit; sid:2024354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain myftp.com"; flow:established,to_server; http.host; content:".myftp.com"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018218; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M1 B643"; flow:established,from_server; file_data; content:"|6d49476c7564465276553352794b47466b5a484970|"; classtype:exploit-kit; sid:2024355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 8"; nocase; fast_pattern; content:!"NOKIA"; nocase; classtype:trojan-activity; sid:2015821; rev:6; metadata:created_at 2012_10_19, updated_at 2020_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B641"; flow:established,from_server; file_data; content:"|496d784a62477873496a6f69646d6c7964485668624842796233526c5933|"; classtype:exploit-kit; sid:2024356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain"; flow:established,to_server; http.host; content:".mrbasic.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018365; rev:4; metadata:created_at 2014_04_05, updated_at 2020_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B642"; flow:established,from_server; file_data; content:"|4a735357787362434936496e5a70636e523159577877636d39305a574e30|"; classtype:exploit-kit; sid:2024357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passinggas.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018809; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M2 B643"; flow:established,from_server; file_data; content:"|6962456c73624777694f694a3261584a306457467363484a766447566a64|"; classtype:exploit-kit; sid:2024358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myredirect.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myredirect.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018811; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B641"; flow:established,from_server; file_data; content:"|593268796479677a4d6a63324e79|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.rr.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".rr.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018813; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B642"; flow:established,from_server; file_data; content:"|6a61484a334b444d794e7a59334b|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.kwik.to Domain (Sitelutions)"; flow:established,to_server; http.host; content:".kwik.to"; fast_pattern; endswith; classtype:bad-unknown; sid:2018815; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B641"; flow:established,from_server; file_data; content:"|657949784e7a51784e6949364e4441344d44597a4e6977694d5463304f5459694f6a51774f4441324d7a5973496a45334e6a4d78496a6f304d4467304e7a51344c4349784e7a59304d43|"; classtype:exploit-kit; sid:2024362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myfw.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myfw.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018817; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M4 B642"; flow:established,from_server; file_data; content:"|73694d5463304d5459694f6a51774f4441324d7a5973496a45334e446b32496a6f304d4467774e6a4d324c4349784e7a597a4d5349364e4441344e4463304f4377694d5463324e444169|"; classtype:exploit-kit; sid:2024363; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2017_06_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.ontheweb.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".ontheweb.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018819; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful GoogleFile Phish"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; classtype:credential-theft; sid:2020803; rev:3; metadata:created_at 2015_03_30, former_category PHISHING, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isthebe.st Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isthebe.st"; fast_pattern; endswith; classtype:bad-unknown; sid:2018821; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert icmp any any -> any any (msg:"ET MALWARE OpenSSH in ICMP Payload - Possible Covert Channel"; itype:8; icode:0; content:"openssh"; nocase; classtype:trojan-activity; sid:2024366; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_06_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.byinter.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".byinter.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018823; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful BBVA Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"cuenta="; depth:7; nocase; http_client_body; fast_pattern; content:"&cuenta="; nocase; distance:0; http_client_body; content:"&nvoWizard="; nocase; distance:0; http_client_body; content:"&domain="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.findhere.org Domain (Sitelutions)"; flow:established,to_server; http.host; content:".findhere.org"; fast_pattern; endswith; classtype:bad-unknown; sid:2018825; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; classtype:social-engineering; sid:2018303; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.onthenetas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".onthenetas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018827; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:social-engineering; sid:2020332; rev:3; metadata:created_at 2015_01_30, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.uglyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".uglyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018829; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Alibaba&nbsp|3b|Manufacturer&nbsp|3b|Directory"; nocase; classtype:social-engineering; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.assexyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".assexyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018831; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; classtype:social-engineering; sid:2024393; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passas.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passas.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018833; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL Mail|3a 20|Simple, Free, Fun</title>"; nocase; classtype:social-engineering; sid:2024394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athissite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athissite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018835; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web Access</title>"; nocase; classtype:social-engineering; sid:2024395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athersite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athersite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018837; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; nocase; classtype:social-engineering; sid:2024396; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isgre.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isgre.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018839; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Facebook Help Center</title>"; nocase; classtype:social-engineering; sid:2024397; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lookin.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lookin.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018841; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe PDF</title>"; nocase; classtype:social-engineering; sid:2024399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.bestdeals.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".bestdeals.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018843; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; classtype:social-engineering; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lowestprices.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lowestprices.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018845; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>Sign In - Adobe ID</TITLE>"; nocase; classtype:social-engineering; sid:2024401; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.ms domain"; flow:to_server,established; http.host; content:".de.ms"; fast_pattern; endswith; classtype:bad-unknown; sid:2013378; rev:5; metadata:created_at 2011_08_08, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.websocket.send"; pcre:"/^\s*?\(/Rs"; content:"beef.encode.base64.encode"; pcre:"/^\s*?\(/Rs"; classtype:attempted-user; sid:2024415; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.eu.tf domain"; flow: to_server,established; http.host; content:".eu.tf"; fast_pattern; endswith; classtype:bad-unknown; sid:2013828; rev:5; metadata:created_at 2011_11_05, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a .noip.cn domain"; flow:to_server,established; http.host; content:".noip.cn"; fast_pattern; endswith; classtype:bad-unknown; sid:2013969; rev:5; metadata:created_at 2011_11_28, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category TROJAN, malware_family DragonOK, malware_family KHRAT, performance_impact Low, signature_severity Major, tag Targeted, tag APT, tag CNAPT, updated_at 2017_06_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.upas.su domain"; flow:to_server,established; http.host; content:".upas.su"; fast_pattern; endswith; classtype:bad-unknown; sid:2015551; rev:5; metadata:created_at 2012_07_31, updated_at 2020_09_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe download with no referer (noalert)"; flow:established,to_server; flowbits:set,exe.no.referer; flowbits:noalert; http.uri; content:".exe"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2020573; rev:4; metadata:created_at 2015_02_27, former_category INFO, updated_at 2020_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M1 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^1\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021067; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus / ELF/RotaJakario CnC Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; reference:url,blog.netlab.360.com/stealth_rotajakiro_backdoor_en; classtype:targeted-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, tag Targeted, tag APT, tag OceanLotus, tag OSX, updated_at 2017_06_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M2 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^2\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021068; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:2; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M3 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^3\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021069; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:domain-c2; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_06_28, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_06_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M4 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^4\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021070; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, created_at 2017_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M5 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^5\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021071; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_17, former_category NETBIOS, updated_at 2017_06_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M6 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^6\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021072; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024441; rev:2; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2019_10_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M7 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^7\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021073; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_07_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M8 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^8\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021074; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; threshold: type both, track by_src, count 10, seconds 1; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_07_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M9 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^9\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021075; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capitech Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Capitec Internet Banking</title>"; nocase; classtype:social-engineering; sid:2024453; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (exe) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".exe"; nocase; fast_pattern; classtype:misc-activity; sid:2022264; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023758; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msi) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msi"; nocase; fast_pattern; classtype:misc-activity; sid:2022265; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msp) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msp"; nocase; fast_pattern; classtype:misc-activity; sid:2022266; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)"; depth:50; endswith; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:"Cache-Control|0d 0a 0d 0a|"; distance:0; classtype:trojan-activity; sid:2012384; rev:5; metadata:created_at 2011_02_27, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic 107 Phish Jul 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"-login.id-107sbtd9cbhsbt"; nocase; http_header; fast_pattern:4,20; pcre:"/^Host\x3a\x20[^\r\n]+\-login\.id\-107sbtd9cbhsbt[^\r]+$/Hmi"; classtype:credential-theft; sid:2024463; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Lets Encrypt Certificate for Suspicious TLD (.top)"; flow:established,to_client; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029257; rev:3; metadata:created_at 2020_01_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Flowbit set for POST to Quicken Updater"; flow:established,to_server; flowbits:set,ET.QuickenUpdater; flowbits:noalert; http.method; content:"POST"; http.header; content:"quicken.com|0d 0a|"; content:"Date|3a|"; http.user_agent; content:"InetClntApp"; fast_pattern; depth:11; classtype:misc-activity; sid:2022803; rev:4; metadata:created_at 2016_05_11, updated_at 2020_10_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023771; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible WinHttpRequest (no .exe)"; flow:to_server,established; flowbits:set,et.MS.WinHttpRequest.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022652; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:command-and-control; sid:2024465; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; flowbits:set,et.IE7.NoRef.NoCookie; flowbits:noalert; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:bad-unknown; sid:2023670; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:social-engineering; sid:2024392; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:45; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2022_05_03;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-11 1)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|slavf1@yandex.ru|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:coin-mining; sid:2024454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO RealThinClient Outbound Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/$rdgate?ACTION="; depth:16; fast_pattern; http.header; content:"HOST|3a|"; nocase; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,e6fe6b5f943a45018d2d0da4357cfe6d; reference:url,rtc.teppi.net; classtype:bad-unknown; sid:2036704; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:command-and-control; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family Parite, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; http.uri; content:".jar"; fast_pattern; http.header; content:"|20|Java/1"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2015483; rev:6; metadata:created_at 2012_07_18, updated_at 2020_11_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2017-07-17 7)"; flow:established,to_server; dsize:<120; content:"|22|login|22 3a|"; content:"|22|ownyaga@gmail.com|22|"; distance:0; fast_pattern; content:"|22|pass|22|"; distance:0; content:"|22|XMRig/"; reference:md5,3b24a327e60ee77668d09e5b96e27dc8; classtype:coin-mining; sid:2024471; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2017_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Suspicious Outbound SIG DNS Query"; content:"|00 00 18 00 01|"; fast_pattern; dns.query; pcre:"/^\d/"; classtype:bad-unknown; sid:2030547; rev:2; metadata:created_at 2020_07_16, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; reference:md5,42374945061c7941d6690793ae393d3a; classtype:pup-activity; sid:2024428; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2017_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"on|20|error|20|resume|20|next"; nocase; content:".regwrite|20 22|"; distance:0; content:"|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"; within:80; fast_pattern; reference:md5,cac1aedbcb417dcba511db5caae4b8c0; classtype:trojan-activity; sid:2026427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_28, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Persistence, updated_at 2020_11_18;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_11_01, former_category TFTP, updated_at 2017_07_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NetSupport Remote Admin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/x-www-form-urlencoded"; http.server; content:"NetSupport Gateway"; fast_pattern; startswith; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035895; rev:5; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2022_04_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, created_at 2017_07_19, deployment Perimeter, former_category TFTP, performance_impact Moderate, signature_severity Major, updated_at 2017_07_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns.query; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2025098; rev:5; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET MALWARE Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:command-and-control; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2017_07_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; flowbits:set,ET.iTunes.vuln; flowbits:noalert; http.header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/m"; http.user_agent; content:"iTunes/10.6."; depth:12; classtype:policy-violation; sid:2014954; rev:12; metadata:created_at 2012_06_25, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EITest Keitaro Evil Redirect Leading to SocENG July 25 2017"; flow:established,to_server; content:"/?nbVykj"; pcre:"/\/\?nbVykj$/U"; classtype:social-engineering; sid:2024494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gdn)"; flow:from_server,established; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031223; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2017_07_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ml)"; flow:from_server,established; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031224; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ISMAgent Receiving Commands from CnC Server"; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2017_07_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gq)"; flow:from_server,established; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031225; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Feb 02 2016"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:exploit-kit; sid:2022484; rev:3; metadata:created_at 2016_02_03, former_category CURRENT_EVENTS, updated_at 2017_08_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ga)"; flow:from_server,established; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031226; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG encrypted payload M1 Aug 01 2017"; flow:established,to_client; file_data; content:"|73 29 88 ff e0 d1 0e 74|"; within:8; reference:md5,263a2cf88f340b2a755db749be1371ea; classtype:exploit-kit; sid:2024507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, signature_severity Major, tag RigEK, updated_at 2017_08_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.cf)"; flow:from_server,established; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031227; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject July 25 2017"; flow:established,from_server; file_data; content:"var a=a|7c 7c|window.event|3b|doOpen|28 22|http"; nocase; pcre:"/^s?\x3a\x2f\x2f[^\x22\x27]+\/\?[A-Za-z0-9]{5,6}(?:=[^&\x22\x27]+)?[\x22\x27]\x29\x3bsetCookie\(\x22popundr\x22,1,864e5\)\}/Ri"; classtype:exploit-kit; sid:2024493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2017_07_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.xyz)"; flow:from_server,established; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031228; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS Possible SMBLoris NBSS Length Mem Exhaustion Vuln Inbound"; flow:established,to_server; content:"|00 01|"; depth:2; threshold:type both,track by_dst,count 3, seconds 90; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu)"; flow:from_server,established; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031229; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (JS_POWMET)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 0c|bogerando.ru"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware; reference:md5,31f83bf81b139bcc69e51df2c76a0bf2; classtype:trojan-activity; sid:2024512; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family JS_POWMET, performance_impact Low, signature_severity Major, updated_at 2017_08_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.top)"; flow:from_server,established; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031230; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET DOS SMBLoris NBSS Length Mem Exhaustion Attempt (PoC Based)"; flow:established,to_server; content:"|00 01 ff ff|"; depth:4; threshold:type both,track by_dst,count 30, seconds 300; reference:url,isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/; classtype:trojan-activity; sid:2024511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_08_02, deployment Internal, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL SSL/TLS Certificate"; flow:from_server,established; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031231; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M1 Aug 05 2017"; flow:established,from_server; file_data; content:"|5b 30 5d 5b 22 41 22 2b|"; content:"|29 2b 22 58 22 2b 22 4f 22 2b|"; distance:0; fast_pattern; content:"|72 65 74 75 72 6e 20 28 22 22 2b|"; content:"|29 2b 22 41 74 22 5d|"; distance:0; classtype:exploit-kit; sid:2024514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.pw)"; flow:from_server,established; tls.cert_subject; content:".pw"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031232; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing M2 Aug 05 2017"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 4f 62 6a 65 63 74 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Rsi"; content:"|45 78 65 63 75 74 65 28|"; pcre:"/^(?P<var>[A-Z0-9a-z]{1,20})\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29&(?P=var)\x28\d+\x29/Ri"; content:"|52 65 44 69 6d|"; content:"|50 72 65 73 65 72 76 65|"; content:"|55 6e 45 73 63 61 70 65|"; classtype:exploit-kit; sid:2024515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Magnitude, updated_at 2017_08_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download (set)"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McAfee ePO"; fast_pattern; http.host; content:"update.nai.com"; classtype:not-suspicious; sid:2031317; rev:1; metadata:created_at 2020_12_11, former_category INFO, performance_impact Low, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_08_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic 302 Redirect to Google"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"https://google.com"; fast_pattern; startswith; classtype:misc-activity; sid:2030594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, signature_severity Informational, updated_at 2020_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dotm)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dotm; http.method; content:"GET"; http.uri; content:".dotm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; classtype:bad-unknown; sid:2031379; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; http.stat_code; content:"3"; depth:1; http.location; content:"data|3a|"; fast_pattern; depth:5; classtype:misc-activity; sid:2015674; rev:6; metadata:created_at 2012_09_05, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; classtype:trojan-activity; sid:2024535; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http any any -> $HOME_NET any (msg:"ET INFO PHP Xdebug Extension Query Parameter (XDEBUG_SESSION_START)"; flow:established,to_server; http.uri; content:"?XDEBUG_SESSION_START="; classtype:web-application-activity; sid:2031499; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; classtype:trojan-activity; sid:2024536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Spring Boot Actuator Health Check Request"; flow:established,to_server; http.uri; content:"/actuator/health"; endswith; classtype:web-application-activity; sid:2031500; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; classtype:trojan-activity; sid:2024537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Netlink GPON Login Attempt (GET)"; flow:established,to_server; http.uri; content:"/boaform/admin/formLogin"; fast_pattern; content:"username="; content:"psd="; classtype:attempted-admin; sid:2031501; rev:2; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; classtype:trojan-activity; sid:2024538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Request to Hidden Environment File"; flow:established,to_server; http.uri; content:"/.env"; endswith; classtype:misc-attack; sid:2031502; rev:1; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; classtype:trojan-activity; sid:2024539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Liferay JSON Web Services Invoker"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/invoke"; http.content_type; content:"application/json"; classtype:web-application-activity; sid:2031503; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
+alert http any any -> $HOME_NET any (msg:"ET INFO Apache Solr System Information Request"; flow:established,to_server; http.uri; content:"/solr/admin/info/system"; classtype:web-application-activity; sid:2031504; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:credential-theft; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to cl .ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|cl.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2031588; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_02_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Successful Phish - Verify Email Error Message M2 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"ERROR! PLEASE CLICK BACK"; nocase; depth:24; fast_pattern; classtype:credential-theft; sid:2024542; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to rebrand .ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|rebrand.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:misc-activity; sid:2031589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Paypal Phish M1 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"_csrf="; depth:6; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&rememberProfile="; nocase; distance:0; http_client_body; content:"&rememberProfileCheck="; nocase; distance:0; http_client_body; content:"&showTryPasswordlessButton="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO NoxPlayer Simulator Update Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/posttoken/simulator/"; startswith; fast_pattern; content:"/update"; endswith; http.host; content:"api.bignox.com"; bsize:14; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:policy-violation; sid:2031594; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_02_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You have almost been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; classtype:social-engineering; sid:2031611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2021_02_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish M1 Aug 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"<title>"; nocase; content:"Chase Online"; nocase; within:50; fast_pattern; classtype:credential-theft; sid:2031575; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP3 with ID3 in HTTP Flowbit Set"; flow:from_server,established; file.data; content:"ID3"; within:3; content:"|FB FF|"; distance:0; flowbits:set,ET.mp3.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025986; rev:2; metadata:affected_product Adobe_Flash, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS1 Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps1; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027259; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2021_03_18;)
 
-alert udp $EXTERNAL_NET 389 -> $HOME_NET 389 (msg:"ET DOS CLDAP Amplification Reflection (PoC based)"; dsize:52; content:"|30 84 00 00 00 2d 02 01 01 63 84 00 00 00 24 04 00 0a 01 00|"; fast_pattern; threshold:type both, count 100, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024584; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PS1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032162; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"ET DOS Potential CLDAP Amplification Reflection"; content:"objectclass0"; fast_pattern; threshold:type both, count 200, seconds 60, track by_src; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; reference:url,packetstormsecurity.com/files/139561/LDAP-Amplication-Denial-Of-Service.html; classtype:attempted-dos; sid:2024585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2017_08_16, deployment Perimeter, former_category DOS, performance_impact Significant, signature_severity Major, updated_at 2017_08_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSM1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psm1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert tcp [$EXTERNAL_NET,!199.30.201.192/29] any -> $HOME_NET any (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Server Hello"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021977; rev:6; metadata:created_at 2015_10_20, former_category TROJAN, updated_at 2017_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSD1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psd1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032164; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID"; distance:0; content:"document.other.email"; distance:0; fast_pattern; content:"emailPASS"; distance:0; content:"document.other.phone"; distance:0; classtype:social-engineering; sid:2031712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PS1XML Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".ps1xml HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032165; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:social-engineering; sid:2025683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSSC Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".pssc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:social-engineering; sid:2021400; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSRC Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psrc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:credential-theft; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO CDXML Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".cdxml HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive Phishing Landing 2015-07-13"; flow:to_client,established; file_data; content:"UPLOADED FILE"; fast_pattern; content:"Sign in with your existing Email Service"; distance:0; content:"Email Service Provider"; distance:0; content:"select.com"; distance:0; content:"VIEW DOCUMENT"; distance:0; classtype:social-engineering; sid:2031707; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Request for EXE via GO HTTP Client"; flow:established,to_server; http.request_line; content:".exe HTTP/"; http.user_agent; content:"Go-http-client/"; startswith; classtype:misc-activity; sid:2032355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID.value"; distance:0; content:"emailPASS.value"; distance:0; classtype:social-engineering; sid:2031713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Control Panel Applet File Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"CPlApplet"; fast_pattern; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/bb776392%28v=vs.85%29.aspx; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf; classtype:policy-violation; sid:2018087; rev:3; metadata:created_at 2014_02_07, updated_at 2021_04_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; content:"|78 9c|"; distance:8; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:3; metadata:created_at 2012_02_14, former_category TROJAN, updated_at 2017_08_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Killbot JS Configuration - Possible Phishing"; flow:established,to_client; file.data; content:"const killbot"; nocase; content:"apiKey|3a|"; nocase; content:"botRedirection|3a|"; nocase; content:"killbot-security.js"; nocase; fast_pattern; reference:url,killbot.org; classtype:misc-activity; sid:2032468; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category INFO, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2017_08_22;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .myfirewall .org"; dns.query; content:".myfirewall.org"; endswith; fast_pattern; classtype:bad-unknown; sid:2032792; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Payload Aug 23 2017"; flow:established,from_server; file_data; content:"|30 26 e2 3d 9d f5 5b 16|"; within:8; flowbits:set,ET.DisDain.EK; classtype:exploit-kit; sid:2024608; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.addns .org Domain"; dns.query; content:".addns.org"; endswith; classtype:bad-unknown; sid:2032896; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M1 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"CWS"; within:3; classtype:exploit-kit; sid:2024609; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound"; flow:established,to_server; content:"EHLO"; startswith; isdataat:1000,relative; classtype:bad-unknown; sid:2032926; rev:2; metadata:attack_target SMTP_Server, created_at 2021_05_10, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M2 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2024610; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.date domain"; flow:established,to_server; http.host; content:".date"; fast_pattern; endswith; classtype:bad-unknown; sid:2032983; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Flash Exploit M3 Aug 23 2017"; flow:established,from_server; flowbits:isset,ET.DisDain.EK; file_data; content:"FWS"; within:3; classtype:exploit-kit; sid:2024611; rev:2; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cam domain"; flow:established,to_server; http.host; content:".cam"; fast_pattern; endswith; classtype:bad-unknown; sid:2032984; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX.Pwnet.A Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|vlone.cc"; distance:1; within:9; reference:url,sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/; classtype:trojan-activity; sid:2024613; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.surf domain"; flow:established,to_server; http.host; content:".surf"; fast_pattern; endswith; classtype:bad-unknown; sid:2032985; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; classtype:social-engineering; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.asia domain"; flow:established,to_server; http.host; content:".asia"; fast_pattern; endswith; classtype:bad-unknown; sid:2032986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tw domain"; flow:established,to_server; http.host; content:".tw"; fast_pattern; endswith; classtype:bad-unknown; sid:2032987; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ml domain"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2032988; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Successful Bitstamp Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; content:"302"; http_stat_code; content:"Location|3a 20|https://www.bitstamp.net"; http_header; classtype:credential-theft; sid:2024639; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.gq domain"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2032989; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED HEX Payload DL with MSXMLHTP (Observed in Locky campaign)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"4d"; nocase; within:2; pcre:"/^\s*5a\s*90\s*00\s*03\s*00\s*00\s*00/Rsi"; classtype:trojan-activity; sid:2024650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Significant, signature_severity Major, updated_at 2019_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ga domain"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2032990; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Additional Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"more|7c 2d 7c|"; within:30; fast_pattern; pcre:"/^(?:FM|SM|CP|CM|MC|NF|CH|PS|PT)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.buzz domain"; flow:established,to_server; http.host; content:".buzz"; fast_pattern; endswith; classtype:bad-unknown; sid:2032991; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Verify Email</title>"; fast_pattern; classtype:social-engineering; sid:2024656; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POST to Double Slash in URI"; flow:established,to_server; http.request_line; content:"POST|20|//|20|HTTP/1."; startswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033045; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Checkin to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|LOGIN|7c 2d 7c|"; within:30; fast_pattern; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033077; rev:1; metadata:created_at 2021_06_03, former_category INFO, updated_at 2021_06_03;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; fast_pattern; content:"|00 00 02|"; within:30; pcre:"/^(?:Lg|Execute|FLD|Sc)\x7c\x2d\x7c/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Config Commands from CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"Svr|7c 2d 7c|"; within:100; fast_pattern; pcre:"/^(?:\x40|\x21|\x23|\x7e|\x24)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Unix/Linux Processhider Source Being Downloaded"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/d/processhider.c"; bsize:17; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; content:"m.windowsupdatesupport.org"; bsize:26; reference:md5,4ff3828a2ecc6314bfc7dc22ca194480; reference:url,twitter.com/JAMESWT_MHT/status/1402239031602302983; classtype:bad-unknown; sid:2033117; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_06_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Screenshot Exfil to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|Sc|7c 2d 7c|"; within:30; fast_pattern; content:"JFIF"; within:10; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .dns1 .us"; dns.query; content:".dns1.us"; endswith; fast_pattern; classtype:bad-unknown; sid:2033119; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Dropbox Phish (Locky) Sep 01 2017"; flow:to_server,established; content:"POST"; http_method; content:"is_xhr="; depth:7; nocase; http_client_body; content:"current_email"; nocase; distance:0; http_client_body; content:"&email_sig="; nocase; distance:0; http_client_body; content:"&login_sd="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&remember_me="; nocase; distance:0; http_client_body; content:"&specter_login_tm="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024657; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .otzo .com"; dns.query; content:".otzo.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033120; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2017_09_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .zyns .com"; dns.query; content:".zyns.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033121; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024679; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2017_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .zzux .com"; dns.query; content:".zzux.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033122; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Adwind, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Ransomware Decryptor Domain in DNS Query (decryptor .top)"; dns.query; content:"decryptor.top"; nocase; bsize:13; reference:url,tria.ge/191216-4rcmytrrka; classtype:domain-c2; sid:2033201; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_06_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Ransomware Decryptor Domain in  DNS Query (decoder .re)"; dns.query; content:"decoder.re"; nocase; bsize:10; classtype:domain-c2; sid:2033202; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_06_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.2ip.ua"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033214; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_07_01;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO URL Shortening Service Domain in TLS SNI (coki .me)"; flow:established,to_server; tls.sni; content:"coki.me"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2033267; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_07, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_07;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO URL Shortening Service Domain in TLS SNI (hyp .ae)"; flow:established,to_server; tls.sni; content:"hyp.ae"; bsize:6; fast_pattern; classtype:policy-violation; sid:2033288; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_09;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows Powershell User-Agent Usage"; flow:established,to_server; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; classtype:not-suspicious; sid:2033355; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_07_16;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024687; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to freemyip .com Domain"; dns.query; content:".freemyip.com"; nocase; endswith; classtype:bad-unknown; sid:2033365; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 0"; flow:established, to_server; dsize:200<>513; stream_size:client,>,0; stream_size:server,=,1; stream_size:client, <,513; flowbits:noalert; flowbits:set,FB180732_0; classtype:trojan-activity; sid:2024694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Sharepoint Resource Infection"; flow:established,to_client; http.response_line; content:"HTTP/1.1|20|409|20|CONFLICT"; http.header; content:"|0d 0a|x-virus-infected|3a 20|"; content:"-location|3a 20|"; distance:0; reference:url,docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-wsshp/ba4ee7a8-704c-4e9c-ab14-fa44c574bdf4; classtype:bad-unknown; sid:2033698; rev:1; metadata:attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_08_10;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 1"; flow:established, to_client; dsize:30<>33; stream_size:server,<,35; stream_size:client,<,513; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits:set,FB180732_1; classtype:trojan-activity; sid:2024695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Pulse Secure VPN Version Disclosure Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/misc/admin.cgi"; fast_pattern; classtype:attempted-recon; sid:2033749; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_08_20, former_category INFO, updated_at 2021_08_20;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 3"; flow:established, to_client; dsize:30<>33; stream_size:server, <,70; stream_size:client, <,610; stream_size:client, >,0; stream_size:server, >,35; flowbits:noalert; flowbits:isset, FB180732_2; flowbits:unset, FB180732_2; flowbits:set, FB180732_3; classtype:trojan-activity; sid:2024697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Shellcode Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shellcode/"; fast_pattern; startswith; content:".txt"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"python-requests/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8f21b629ef0aa2558962644a4a1605ca; classtype:bad-unknown; sid:2033844; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2020_11_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Office Retrieving .rtf (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rtf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1433038639961804800; reference:md5,c9f8addb927c3b96aee6a9f671a1f801; classtype:bad-unknown; sid:2033858; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>101; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; classtype:trojan-activity; sid:2024696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Significant, signature_severity Major, updated_at 2017_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (decoding .at)"; dns.query; content:"decoding.at"; nocase; bsize:11; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; classtype:bad-unknown; sid:2033860; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 1"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024238; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2017_09_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (bigblog .at)"; dns.query; content:"bigblog.at"; nocase; bsize:10; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; classtype:bad-unknown; sid:2033861; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HoeflerText Chrome Popup DriveBy Download Attempt 2"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font was not found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"To install |22|HoeflerText|22| font for your PC"; distance:0; nocase; content:"Download the .js"; distance:0; nocase; content:".attr('href',"; distance:0; nocase; metadata: former_category CURRENT_EVENTS; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; classtype:exploit-kit; sid:2024700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_09_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .com)"; dns.query; content:"lockbit-decryptor.com"; nocase; bsize:21; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; reference:md5,5b741c6abf44d2eecd853addeafdcf24; classtype:bad-unknown; sid:2033862; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK encrypted payload Sept 11 (1)"; flow:established,to_client; file_data; content:"|8d b1 8a d0 36 8d 5d bf|"; within:8; classtype:exploit-kit; sid:2024691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2017_09_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .top)"; dns.query; content:"lockbit-decryptor.top"; nocase; bsize:21; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; reference:md5,69bec32d50744293e85606a5e8f80425; classtype:bad-unknown; sid:2033863; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms"; flow:established,from_server; file_data; content:"|502163174a9069e5f28277c59da7fb141ee82f8e|"; classtype:command-and-control; sid:2035042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_09_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Blockchain Domain (api .blockcypher .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.blockcypher.com"; bsize:19; fast_pattern; classtype:bad-unknown; sid:2033877; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_09_02;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|30 82 04|"; depth:300; content:"|30 82 03|"; distance:1; within:3; content:"|a0 03 02 01 02 02 04|"; distance:1; within:7; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert tls any [5986,5985,1270] -> any any (msg:"ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"cloudapp.net"; tls.cert_issuer; content:".cloudapp.net"; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; classtype:bad-unknown; sid:2033955; rev:2; metadata:attack_target Server, created_at 2021_09_15, deployment Perimeter, deployment Internet, former_category POLICY, signature_severity Informational, updated_at 2021_09_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|5c|nUpdate your browser"; nocase; content:"is out-of-date"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_09_22;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Outdated Browser Landing Page M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Your browser is"; nocase; fast_pattern; content:"work well in"; nocase; distance:0; content:"your browser to view this"; nocase; distance:0; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033996; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_09_22;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2436; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024756; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Netconnection Domain in DNS Lookup"; dns.query; content:"internetbeacon.msedge.net"; fast_pattern; nocase; bsize:25; reference:url,lazyadmin.nl/powershell/test-netconnection/; classtype:bad-unknown; sid:2034025; rev:2; metadata:created_at 2021_09_24, former_category INFO, updated_at 2021_09_24;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:domain-c2; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_and_Server, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MalDoc, updated_at 2017_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp any any -> any any (msg:"ET INFO HTTP/2 Traffic (SET)"; flow:established,to_server; stream_size:server,<,5; content:"|50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a 0d 0a 53 4d 0d 0a 0d 0a|"; startswith; flowbits:set,ET.http2; flowbits:noalert; classtype:misc-activity; sid:2034094; rev:2; metadata:created_at 2021_10_04, former_category INFO, updated_at 2021_10_04;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Possible OptionsBleed (CVE-2017-9798)"; flow:established,to_server; content:"OPTIONS"; http_method; flowbits:set,ET.2017-9798; threshold: type both, count 30, seconds 30, track by_src; classtype:misc-activity; sid:2024759; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, cve 2017_9798, deployment Perimeter, former_category WEB_SERVER, performance_impact Moderate, signature_severity Major, updated_at 2019_12_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Suspicious POST to Axis OS (smtptest.cgi)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/axis-cgi/smtptest.cgi"; fast_pattern; reference:url,nozominetworks.com/blog/new-axis-os-security-research-aided-by-transparent-design/; reference:cve,2021-31986; classtype:attempted-admin; sid:2034130; rev:1; metadata:attack_target Server, created_at 2021_10_06, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; classtype:policy-violation; sid:2024764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2017_09_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)"; dns.query; dotprefix; content:".my-ip.io"; nocase; endswith; classtype:bad-unknown; sid:2034196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2017_09_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interact .sh)"; dns.query; dotprefix; content:".interact.sh"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034198; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"MSIE 7.0"; http_user_agent; classtype:trojan-activity; sid:2024767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Outbound .png HTTP GET flowbit set"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; endswith; flowbits:set,ET.httpget.png; flowbits:noalert; classtype:misc-activity; sid:2034212; rev:1; metadata:created_at 2021_10_18, former_category INFO, updated_at 2021_10_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2"; flow:established,to_server; urilen:6<>20; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox/54.0"; http_user_agent; classtype:trojan-activity; sid:2024768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Fake AppleWebKit User-Agent Version Number Observed"; flow:established,to_server; http.user_agent; content:"AppleWebKit/"; fast_pattern; byte_test:3,>,605,0,string,dec,relative; reference:url,bugs.webkit.org/show_bug.cgi?id=180365; classtype:bad-unknown; sid:2034228; rev:1; metadata:created_at 2021_10_19, former_category INFO, updated_at 2021_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Possible Zip DL containing single VBS script"; flow:established,from_server; file_data; content:"|50 4b 01 02|"; content:".vbs"; nocase; distance:0; pcre:"/^(?:(?!PK).)*?\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00/Rs"; classtype:bad-unknown; sid:2024769; rev:2; metadata:created_at 2017_09_26, former_category WEB_CLIENT, updated_at 2017_09_26;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - add-on"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add-on/"; nocase; fast_pattern; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034330; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-06"; flow:established,from_server; file_data; content:"Sign in with your email address"; nocase; content:"view or download attachment"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; content:"Sign in with Gmail"; nocase; distance:0; fast_pattern; content:"Sign in with Yahoo"; nocase; distance:0; content:"Sign in with Hotmail"; nocase; distance:0; content:"Sign in with AOL"; nocase; distance:0; content:"Sign in with Others"; nocase; distance:0; classtype:social-engineering; sid:2031736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_09_27;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - cruise_config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cruise_config"; nocase; fast_pattern; flowbits:set,ET.gocd.auth; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034332; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; classtype:command-and-control; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET INFO Observed Initial NKN POST Request"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|id|22 3a 22|"; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:policy-violation; sid:2034414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_11_10;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; classtype:command-and-control; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to Commonly Abused Preview Domain (preview-domain .com)"; dns.query; dotprefix; content:".preview-domain.com"; nocase; endswith; classtype:bad-unknown; sid:2034561; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_11_30;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; classtype:command-and-control; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO webhook .site in TLS SNI"; flow:established,to_server; tls.sni; content:"webhook.site"; endswith; nocase; reference:md5,58f8070803608bd0bd2cb6b18351918e; reference:url,isc.sans.edu/forums/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088/; classtype:misc-activity; sid:2034634; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; classtype:command-and-control; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert http $HOME_NET any -> any any (msg:"ET INFO Python SimpleHTTP ServerBanner"; flow:established; http.server; content:"SimpleHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; classtype:command-and-control; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interactsh .com)"; dns.query; dotprefix; content:".interactsh.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034732; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; classtype:command-and-control; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortner Domain in DNS Lookup (urlz .fr)"; dns.query; content:"urlz.fr"; nocase; bsize:7; reference:md5,947c34579e51417d9290c0cd8475cc54; classtype:bad-unknown; sid:2034742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
 
-#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; classtype:policy-violation; sid:2024785; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (s .id)"; dns.query; dotprefix; content:".s.id"; nocase; endswith; classtype:bad-unknown; sid:2034852; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_31;)
 
-#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; classtype:policy-violation; sid:2024787; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (s .id in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.id"; bsize:4; fast_pattern; classtype:misc-activity; sid:2034858; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_31, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_01_05;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil FTP STOR"; flow:established,to_server; content:"STOR Black Stealer"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2024791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_10_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (ip .dnsexit .com)"; dns.query; content:"ip.dnsexit.com"; nocase; bsize:14; classtype:external-ip-check; sid:2034898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
 
-#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 6000: (msg:"ET DELETED Zeus P2P CnC"; dsize:72; content:!"|00 00 00|"; offset:5; byte_extract:1,63,padding; byte_test:1,!=,0xff,71; byte_test:1,!=,0x00,71; byte_test:1,=,padding,64; byte_test:1,=,padding,65; byte_test:1,=,padding,66; byte_test:1,=,padding,67; byte_test:1,=,padding,68; byte_test:1,=,padding,69; byte_test:1,=,padding,70; byte_test:1,=,padding,71; reference:url,www.abuse.ch/?p=3499; classtype:command-and-control; sid:2013739; rev:15; metadata:created_at 2011_10_05, former_category TROJAN, updated_at 2018_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO External IP Lookup HTTP Request (ip .dnsexit .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip.dnsexit.com"; bsize:14; fast_pattern; classtype:misc-activity; sid:2034899; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4"; flow:established,to_server; urilen:>6; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; content:"Firefox"; http_user_agent; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2018_10_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dns.alidns.com"; bsize:14; fast_pattern; classtype:misc-activity; sid:2034912; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; classtype:social-engineering; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (dik .si in TLS SNI)"; flow:established,to_server; tls.sni; content:"dik.si"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2034932; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; classtype:social-engineering; sid:2024796; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (s3r .io)"; dns.query; content:"s3r.io"; nocase; bsize:6; classtype:bad-unknown; sid:2034950; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking</title>"; nocase; classtype:social-engineering; sid:2024798; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET INFO Apache Spark RPC - CheckExistence Request (set)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_CE; flowbits:isnotset,ET.ApacheSpark_CE; flowbits:noalert; content:"endpoint-verifier"; fast_pattern; content:"CheckExistence"; distance:0; classtype:not-suspicious; sid:2035001; rev:2; metadata:attack_target Server, created_at 2022_01_28, deployment Internal, deployment Datacenter, former_category INFO, signature_severity Informational, updated_at 2022_01_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp-pkt any any -> $HOME_NET any (msg:"ET INFO Apache Spark RPC - Auth Request (set)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_AuthAttempted; flowbits:noalert; content:"sparkSaslUser|00 00 00 00|"; endswith; classtype:not-suspicious; sid:2035002; rev:2; metadata:attack_target Server, created_at 2022_01_28, deployment Internal, deployment Datacenter, former_category INFO, signature_severity Informational, updated_at 2022_01_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; classtype:social-engineering; sid:2019785; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2017_10_05;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (yourls .org)"; dns.query; content:"yourls.org"; nocase; bsize:10; classtype:bad-unknown; sid:2035023; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; classtype:credential-theft; sid:2021892; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dot)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dot; http.method; content:"GET"; http.uri; content:".dot"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2035038; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Template Downloaded from DDNS Site"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dot"; endswith; http.host; content:".ddns.net"; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2035078; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:social-engineering; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Gophish X-Server"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"|58 2d 53 65 72 76 65 72|"; http.header; content:"gophish"; fast_pattern; reference:md5,bf2162ca3c0cb9253af87d7a785a97a4; classtype:misc-activity; sid:2035087; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Jimdo Outlook Web App Phishing Nov 16 2105"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75  62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b  50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:credential-theft; sid:2022094; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_06;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (geoiplookup .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"geoiplookup.io"; bsize:14; fast_pattern; classtype:misc-activity; sid:2035114; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing Oct 04 2017"; flow:established,to_client; file_data; content:"|0d 0a 54 68 65 6d 65 20 4e 61 6d 65 3a 20|"; within:100; content:"|0d 0a 41 75 74 68 6f 72 3a 20 4d 4b 28 72 6a 29|"; within:100; fast_pattern; classtype:social-engineering; sid:2024799; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)"; dns.query; content:"transfer.sh"; nocase; bsize:11; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035139; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Download of Embedded OpenType (EOT) File flowbit set"; flow:established,to_client; file_data; content:"|4c 50|"; offset:34; depth:2; flowbits:set,ET.EOT.Download; flowbits:noalert; reference:url,www.w3.org/Submission/EOT/#FileFormat; classtype:misc-activity; sid:2024829; rev:2; metadata:affected_product Internet_Explorer, affected_product Mac_OSX, affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2017_10_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)"; dns.query; content:"sendspace.com"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035140; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in DNS Lookup)"; dns.query; content:"anonfiles.com,"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035141; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2015-07-27"; flow:to_client,established; file_data; content:"<title>Secure Login</title>"; content:"action=|22|emsg1.php|22|"; fast_pattern; distance:0; content:"valid Apple ID"; distance:0; content:"valid Password"; distance:0; classtype:social-engineering; sid:2031708; rev:3; metadata:created_at 2015_07_27, former_category PHISHING, updated_at 2017_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in DNS Lookup)"; dns.query; content:"send.exploit.in"; nocase; bsize:15; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035142; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:social-engineering; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in DNS Lookup)"; dns.query; content:"fex.net"; nocase; bsize:7; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035143; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; classtype:social-engineering; sid:2021536; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in DNS Lookup)"; dns.query; content:"privatlab.net"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035144; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PHISH Generic Webmail - Landing Page Sept 11"; flow:established,to_client; file_data; content:"<title>Webmail Login"; fast_pattern; content:"For Webmail to function properly"; distance:0; content:"you must enable JavaScript"; distance:0; content:"You have logged out"; distance:0; content:"Please select a locale"; distance:0; content:"Email Address"; distance:0; classtype:social-engineering; sid:2021760; rev:3; metadata:created_at 2015_09_11, former_category PHISHING, updated_at 2021_06_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)"; flow:established,to_server; tls.sni; content:"transfer.sh"; bsize:11; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035145; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:social-engineering; sid:2021893; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sendspace.com"; bsize:13; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035146; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE DNSMessenger Payload (TXT base64 gzip header)"; content:"|00 10 00 01|"; content:"H4sIA"; distance:7; within:5; fast_pattern; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:2024840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category TROJAN, malware_family DNSMessenger, performance_impact Moderate, signature_severity Major, updated_at 2017_10_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"anonfiles.com,"; bsize:14; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035147; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:credential-theft; sid:2022604; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"send.exploit.in"; bsize:15; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035148; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg2.php|22|"; distance:0; fast_pattern; content:"Adress Line"; distance:0; content:"Zip/Postal Code"; distance:0; classtype:credential-theft; sid:2031709; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"fex.net"; bsize:7; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035149; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"Question Of Security"; fast_pattern; content:"nom de votre meilleur"; distance:0; content:"What is your mother maiden name ?"; distance:0; content:"rue avez-vous grandi"; distance:0; content:"What is your favourite show ?"; distance:0; classtype:credential-theft; sid:2031710; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.net"; bsize:13; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035150; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg1.php|22|"; fast_pattern; distance:0; content:"Cardholder's Name"; distance:0; content:"Credit Card Number"; distance:0; content:"CVC (CVV)"; distance:0; content:"3D Secure/VBV"; distance:0; classtype:credential-theft; sid:2031711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applied Privacy DNS over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=doh.applied-privacy.net"; bsize:26; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=R3"; bsize:28; classtype:misc-activity; sid:2035125; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Apple Store - Verification</title>"; nocase; content:"/* VODKA */"; nocase; fast_pattern; classtype:social-engineering; sid:2031716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.censurfridns.dk"; bsize:26; fast_pattern; classtype:misc-activity; sid:2035126; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"fancyConfirm|28|"; nocase; fast_pattern; content:"checkcvv|28 29|"; nocase; distance:0; content:"checkexm|28 29|"; nocase; distance:0; content:"isvalidcc|28 29|"; nocase; distance:0; content:"imready|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2031717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused Github-like Site (codeberg .org in DNS Lookup)"; dns.query; content:"codeberg.org"; nocase; bsize:12; classtype:misc-activity; sid:2035173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"Verification</title>"; nocase; fast_pattern; content:"chosed your country."; nocase; content:"chosed an expiration month."; nocase; distance:0; content:"chosed an expiration year."; nocase; distance:0; classtype:social-engineering; sid:2031718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.censurfridns.nu"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035151; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.uncensoreddns.dk"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035152; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloud Drive Phish Landing 2015-08-12"; flow:to_client,established; file_data; content:"<title>Cloud Drive</title>"; nocase; fast_pattern; content:"reqired to view this document"; nocase; distance:0; classtype:social-engineering; sid:2031721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.uncensoreddns.org"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035153; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma AES Crypto Observed in Javascript - Possible Phishing Landing 2015-12-29"; flow:established,from_server; file_data; content:"Encriptado por Anonisma"; nocase; fast_pattern; content:"Aes.cipher"; nocase; distance:0; content:"Aes.keyExpansion"; nocase; distance:0; classtype:social-engineering; sid:2031741; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN="; startswith; content:".anycast.censurfridns.dk"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035154; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>DHL GLOBAL"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"E-mail Address or Member ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; classtype:social-engineering; sid:2031998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN="; startswith; content:".anycast.censurfridns.nu"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035155; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Winnti-related DNS Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|securitytactics|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024868; rev:2; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2018_05_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Keweon Center DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=dns.keweon.center"; fast_pattern; bsize:20; threshold:type both, count 1, seconds 600, track by_src; reference:url,serverinfo.keweon.center/; classtype:misc-activity; sid:2035156; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024864; rev:2; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2017_10_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Keweon Center DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=doh.asecdns.com"; fast_pattern; bsize:18; threshold:type both, count 1, seconds 600, track by_src; reference:url,serverinfo.keweon.center/; classtype:misc-activity; sid:2035157; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag DoH, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Retired Intermediate"; flow:from_server,established; tls_cert_issuer; content:"Let's Encrypt Authority X"; fast_pattern; depth:25; offset:0; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035189; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B641 Oct 19 2017"; flow:established,from_server; file_data; content:"U3RhcnQtUHJvY2Vzc"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3"; flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035190; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B642 Oct 19 2017"; flow:established,from_server; file_data; content:"N0YXJ0LVByb2Nlc3"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, E1"; flow:from_server,established; tls.cert_issuer; content:"E1"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035191; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B643 Oct 19 2017"; flow:established,from_server; file_data; content:"TdGFydC1Qcm9jZXNz"; pcre:"/(?:RG93bmxvYWRGaWxl|Rvd25sb2FkRmlsZ|Eb3dubG9hZEZpbG)/"; pcre:"/(?:V3JpdGUtSG9zd|dyaXRlLUhvc3|Xcml0ZS1Ib3N0)/"; pcre:"/U3lzdGVtLk5ldC5XZWJDbGllbn|N5c3RlbS5OZXQuV2ViQ2xpZW50|TeXN0ZW0uTmV0LldlYkNsaWVud/"; classtype:trojan-activity; sid:2024880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, R4"; flow:from_server,established; tls.cert_issuer; content:"R4"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035192; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B644W Oct 19 2017"; flow:established,from_server; file_data; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, E2"; flow:from_server,established; tls.cert_issuer; content:"E2"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035193; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, signature_severity Informational, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS PSHELL Downloader Primitives B645W Oct 19 2017"; flow:established,from_server; file_data; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; pcre:"/(?:RABvAHcAbgBsAG8AYQBkAEYAaQBsAG|QAbwB3AG4AbABvAGEAZABGAGkAbABl|EAG8AdwBuAGwAbwBhAGQARgBpAGwAZ)/"; pcre:"/(?:VwByAGkAdABlAC0ASABvAHMAd|cAcgBpAHQAZQAtAEgAbwBzAH|XAHIAaQB0AGUALQBIAG8AcwB0)/"; pcre:"/(?:UwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0|MAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4Ad|TAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAH)/"; classtype:trojan-activity; sid:2024882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2017_10_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Cloudflare Universal (Shared) Certificate, Retired"; flow:established,to_server; tls.sni; content:"sni."; depth:4; pcre:"/(?:/d{6})/R"; content:".cloudflaressl.com"; fast_pattern; offset:9; reference:url,community.cloudflare.com/t/cloudflare-universal-and-universal-shared-certificates/59523; classtype:misc-activity; sid:2035203; rev:2; metadata:created_at 2022_02_15, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_15;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024896; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2017_10_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Namecheap URL Forward"; flow:established,to_client; http.stat_code; content:"302"; http.header_names; content:"X-Served-By"; http.header; content:"Namecheap URL Forward"; fast_pattern; reference:md5,a85e405481368f8a3384149243577155; classtype:misc-activity; sid:2035208; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_16;)
 
-alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_10_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wa .sv)"; dns.query; content:"wa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:domain-c2; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (in .sv)"; dns.query; content:"in.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:domain-c2; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (fl .sv)"; dns.query; content:"fl.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|1a 3d d0 28 82 1a 6f 08|"; depth:8; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (vk .sv)"; dns.query; content:"vk.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035227; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Qtloader encrypted check-in response Oct 19 (1)"; flow:established,to_client; file_data; content:"|0c 3c|"; depth:2; content:"|04 a3|"; distance:1; within:2; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024909; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (2 .ua)"; dns.query; content:"2.ua"; nocase; bsize:4; classtype:misc-activity; sid:2035228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2017_10_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (fb .sv)"; dns.query; content:"fb.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET MALWARE Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:command-and-control; sid:2007917; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (lc .sv)"; dns.query; content:"lc.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Download"; flow:established,from_server; flowbits:isset,ET.iotreaper; file_data; content:"|7f 45 4c 46|"; depth:4; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024929; rev:1; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_10_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (cli .co)"; dns.query; content:"cli.co"; nocase; bsize:6; classtype:misc-activity; sid:2035231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tg .sv)"; dns.query; content:"tg.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (dl .sv)"; dns.query; content:"dl.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (qq .sv)"; dns.query; content:"qq.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035234; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:6; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tt .sv)"; dns.query; content:"tt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (ai .sv)"; dns.query; content:"ai.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (do .sv)"; dns.query; content:"do.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (youlinkto .com)"; dns.query; content:"youlinkto.com"; nocase; bsize:13; classtype:misc-activity; sid:2035238; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (me .sv)"; dns.query; content:"me.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035239; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (bd .sv)"; dns.query; content:"bd.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; classtype:protocol-command-decode; sid:2003260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (link .sv)"; dns.query; content:"link.sv"; nocase; bsize:7; classtype:misc-activity; sid:2035241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (go .sv)"; dns.query; content:"go.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tra-ta-ta.it .com)"; dns.query; content:"tra-ta-ta.it.com"; nocase; bsize:16; classtype:misc-activity; sid:2035243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (id .sv)"; dns.query; content:"id.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (to .sv)"; dns.query; content:"to.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (rt .sv)"; dns.query; content:"rt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wc .sv)"; dns.query; content:"wc.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (4 .fo)"; dns.query; content:"4.fo"; nocase; bsize:4; classtype:misc-activity; sid:2035248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (ya .sv)"; dns.query; content:"ya.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (sa .sv)"; dns.query; content:"sa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tw .sv)"; dns.query; content:"tw.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (yt .sv)"; dns.query; content:"yt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Online File Storage Domain in DNS Lookup (gofile .io)"; dns.query; dotprefix; content:".gofile.io"; nocase; endswith; classtype:bad-unknown; sid:2035264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_22;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (u .to)"; dns.query; content:"u.to"; nocase; bsize:4; reference:md5,8c57fcf51e1d0f3fc1e1775d9fc624df; classtype:misc-activity; sid:2035281; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_23;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+#alert tls $HOME_NET any -> 195.22.26.192/26 443 (msg:"ET INFO invalid.cab domain in SNI"; flow:established,to_server; tls.sni; content:"invalid.cab"; fast_pattern; flowbits:set,ET.invalid.cab; flowbits:noalert; classtype:misc-activity; sid:2020888; rev:4; metadata:created_at 2015_04_10, former_category INFO, updated_at 2022_03_16;)
 
-alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed TA453 Related URL Shortening Service  TLS SNI (litby .us)"; flow:established,to_server; tls.sni; content:"litby.us"; bsize:8; fast_pattern; reference:url,research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/; classtype:bad-unknown; sid:2035284; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_24, deployment Perimeter, former_category INFO, malware_family TA453, signature_severity Informational, updated_at 2022_02_24;)
 
-alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2017_10_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"0sh.org"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2035304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple ID Phishing Landing 2015-08-19"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"My Apple ID"; fast_pattern; nocase; within:35; classtype:social-engineering; sid:2031723; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2017_10_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"prourl.in"; bsize:9; fast_pattern; classtype:bad-unknown; sid:2035305; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:"nethelper"; http_user_agent; fast_pattern:only; pcre:"/\bnethelper\b/Vi"; reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:16; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"community.chocolatey.org"; bsize:24; fast_pattern; classtype:bad-unknown; sid:2035303; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Chocolatey Windows Package Management Installation File Retrieval"; flow:established,to_server; http.request_line; content:"GET /install.ps1 HTTP/1.1"; http.host; content:"community.chocolatey.org"; fast_pattern; bsize:24; classtype:bad-unknown; sid:2035306; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007810; classtype:trojan-activity; sid:2007810; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed IP Tracking Domain (grabify .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"grabify.link"; bsize:12; fast_pattern; classtype:bad-unknown; sid:2035419; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)"; flow:to_server,established; content:"RFRudokop"; http_user_agent; depth:9; reference:url,doc.emergingthreats.net/2008046; classtype:trojan-activity; sid:2008046; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Free Hosting Domain (*.freehostia .com in DNS Lookup)"; dns.query; dotprefix; content:".freehostia.com"; nocase; endswith; classtype:misc-activity; sid:2035422; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Self Signed SSL Certificate to 'My Company Ltd'"; flow:established,to_client; tls.cert_issuer; content:"My Company Ltd"; classtype:bad-unknown; sid:2013703; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2017_10_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,to_client; tls.cert_subject; content:"CN=*.tor2web."; nocase; fast_pattern; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2017_11_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Tor Proxy Domain in DNS Lookup (onion .pet)"; dns.query; dotprefix; content:".onion.pet"; nocase; endswith; classtype:domain-c2; sid:2035461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain (discord .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035463; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; classtype:exploit-kit; sid:2021307; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain (discordapp .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035464; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//U"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; classtype:exploit-kit; sid:2021309; rev:3; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO imPcRemote Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloads/impcremote"; depth:21; http.host; content:"impcremote.com"; bsize:14; reference:md5,3d72ee8e1e59b143fa496fa63ca33994; classtype:attempted-admin; sid:2035475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 6.0.1 (Windows)"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016650; rev:3; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,ET.BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adilbo HTML Encoder Observed"; flow:established,to_client; file_data; content:"|2f 2a 20 61 64 69 6c 62 6f 20 48 54 4d 4c 20 45 6e 63 6f 64 65 72|"; fast_pattern; content:"*|20 20|Checksum|3a 20|927c770095e0daa48298343b8fd14624"; within:200; classtype:policy-violation; sid:2024763; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_03_17;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe LiveCycle Designer ES 8.2"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016647; rev:4; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,ET.is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 9.0.0 (Windows)"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016649; rev:3; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:8; metadata:created_at 2010_07_30, updated_at 2017_02_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Public Cloud Domain (cld .pt in TLS SNI)"; flow:established,to_server; tls.sni; content:"cld.pt"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2035514; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_17;)
 
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Public Cloud Domain in DNS Lookup (cld .pt)"; dns.query; content:"cld.pt"; nocase; bsize:6; classtype:bad-unknown; sid:2035515; rev:1; metadata:created_at 2022_03_17, former_category INFO, updated_at 2022_03_17;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO stopify .co Domain in DNS Lookup"; dns.query; content:"stopify.co"; nocase; bsize:10; reference:md5,fff7de030fe2f4dfdedc7e8bab7e48a5; classtype:misc-activity; sid:2035519; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, signature_severity Major, updated_at 2022_03_17;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:3; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO infinityfree .net Domain in DNS Lookup"; dns.query; dotprefix; content:".infinityfree.net"; nocase; endswith; reference:md5,bf3ce5b341d021b4a03123fe81aa854e; classtype:misc-activity; sid:2035538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, signature_severity Major, updated_at 2022_03_18;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:2; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET INFO Non Standard Port DNS Query to google .com (udp)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|google|03|com"; fast_pattern; classtype:bad-unknown; sid:2035472; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_18;)
 
-#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET INFO DNS Query to google .com Non Standard Port (tcp)"; content:"|01|"; offset:4; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|google|03|com"; fast_pattern; classtype:bad-unknown; sid:2035535; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_18;)
 
-#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed testcookie-nginx-module"; flow:established,to_client; http.stat_code; content:"200"; bsize:3; http.server; content:"nginx"; depth:5; file.data; content:"toNumbers"; content:"d.replace"; distance:30; content:"e.push(parseInt"; distance:30; content:"toHex"; distance:200; content:"e.toLowerCase"; distance:0; content:"toNumbers"; distance:20; content:"toNumbers"; distance:0; content:"toNumbers"; distance:0; content:"toHex(slowAES.decrypt"; distance:100; content:"<noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript>"; fast_pattern; distance:100; reference:url,github.com/kyprizel/testcookie-nginx-module; classtype:credential-theft; sid:2035554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_21;)
 
-#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (vtaurl .com)"; dns.query; content:"vtaurl.com"; nocase; bsize:10; classtype:bad-unknown; sid:2035562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_23;)
 
-#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (vtaurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vtaurl.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2035563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox shell"; flow:to_server,established; content:"shell"; fast_pattern:only; pcre:"/\bshell\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023017; rev:3; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
+alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; endswith; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:3; metadata:attack_target Client_and_Server, created_at 2018_03_13, deployment Datacenter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS busybox enable"; flow:to_server,established; content:"enable"; fast_pattern:only; pcre:"/\benable\b/"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023018; rev:4; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2016_08_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dl.dropboxusercontent.com"; bsize:25; fast_pattern; classtype:misc-activity; sid:2035593; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Binary in HTTP by Type Flowbit"; flow:established,from_server; content:"HTTP/1"; depth:6; content:"|0d 0a|Content-Type|3a| application/"; nocase; reference:url,doc.emergingthreats.net/2007670; classtype:not-suspicious; sid:2007670; rev:10; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DropBox User Content Download Access over SSL M2"; flow:established,to_client; tls.cert_subject; content:"CN=dl.dropbox.com"; fast_pattern; classtype:misc-activity; sid:2035594; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE Install Windows file download"; flow:established; content:"MZ"; isdataat:76,relative; content:"This program must be "; distance:0; isdataat:140,relative; content:"PE"; distance:0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000427; classtype:policy-violation; sid:2000427; rev:15; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to BaitAndPhish Domain"; dns.query; dotprefix; content:".important-notification.com"; nocase; endswith; threshold: type limit, track by_dst, count 1, seconds 120; fast_pattern; classtype:misc-activity; sid:2035613; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download (2)"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"Windows Program"; distance:0; isdataat:10,relative; content:"PE"; distance:0; reference:url,doc.emergingthreats.net/2010869; classtype:policy-violation; sid:2010869; rev:4; metadata:created_at 2010_07_30, former_category INFO, updated_at 2017_11_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (kutti .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"kutti.co"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Update/Installer ForceDL Template Nov 03 2017"; flow:established,from_server; file_data; content:"addDownloadHint"; nocase; pcre:"/^\s*\x28\s*[\x22\x27][^\x22\x27]*[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Rsi"; content:"doDownload(force)"; nocase; content:"userConversion(true)"; nocase; distance:0; content:"trigger_dl"; nocase; pcre:"/^\s*\(\s*force\s*\?\s*true\s*\x3a\s*false\s*,\s*\d+\s*,\s*\d+\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Ri"; classtype:social-engineering; sid:2024945; rev:1; metadata:created_at 2017_11_03, former_category CURRENT_EVENTS, updated_at 2017_11_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Abused File Hosting Domain in DNS Lookup (transferxl .com)"; dns.query; dotprefix; content:".transferxl.com"; nocase; endswith; classtype:misc-activity; sid:2035636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (holidayapartments4you. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|15|holidayapartments4you|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021645; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-#alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET EXPLOIT_KIT Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023249; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector_07012016, updated_at 2016_09_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl-download .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl-download.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Fake Page URL Builder Response"; flow:to_client,established; file_data; content:"|7b 22|link|22 3a 22|http"; depth:13; content:"|22|load|22|"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024967; rev:3; metadata:created_at 2017_11_06, former_category TROJAN, updated_at 2017_11_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (kutti .co)"; dns.query; content:"kutti.co"; fast_pattern; nocase; bsize:8; classtype:bad-unknown; sid:2035639; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)"; flow:to_client,established; file_data; content:"linkStorage.x00SOCKET"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024968; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_11_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru)"; dns.query; content:"digital-ministry.ru"; fast_pattern; nocase; bsize:19; reference:md5,fbe79895053b29ec2cfe99cad3eb83d5; reference:md5,29fe7a619970157adfcecfade1b204be; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:bad-unknown; sid:2035654; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com)"; dns.query; dotprefix; content:".hizliresim.com"; nocase; endswith; classtype:misc-activity; sid:2035655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:command-and-control; sid:2018101; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_11_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert (hizliresim .com)"; flow:established,to_client; tls.cert_subject; content:"hizliresim.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hizliresim\.com(?!\.)/"; classtype:misc-activity; sid:2035656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (kisa .link)"; dns.query; dotprefix; content:".kisa.link"; nocase; endswith; classtype:misc-activity; sid:2035657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 2"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"J1bmRsbDMy"; content:"VzZXJJbml0TXByTG9nb25TY3JpcH"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Service Domain (www .kisa .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.kisa.link"; bsize:13; fast_pattern; classtype:misc-activity; sid:2035658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M1"; flow:to_server,established; http.header; content:"request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035671; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M2"; flow:to_server,established; http.header; content:"executeCmd|28|request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035672; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M3"; flow:to_server,established; http.header; content:"getRuntime|28 29|.exec"; fast_pattern; nocase; classtype:attempted-admin; sid:2035673; rev:1; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 6"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"Eb3dubG9hZEZpbG"; content:"XZWJDbGllbn"; content:"pby5GaWxl"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com)"; dns.query; dotprefix; content:".seeklogo.com"; nocase; endswith; classtype:misc-activity; sid:2035690; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; classtype:trojan-activity; sid:2024977; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2017_11_07, deployment Datacenter, former_category ATTACK_RESPONSE, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2017_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Custom Logo Domain (seeklogo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"seeklogo.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Informational, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; classtype:social-engineering; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (imgyukle .com)"; dns.query; dotprefix; content:".imgyukle.com"; nocase; endswith; classtype:misc-activity; sid:2035697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:domain-c2; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (imgyukle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"imgyukle.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:social-engineering; sid:2024985; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family SocEng, performance_impact Low, signature_severity Major, updated_at 2017_11_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimag .com)"; dns.query; dotprefix; content:".resimag.com"; nocase; endswith; classtype:misc-activity; sid:2035699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 1"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|88 4d 76|"; distance:5; within:3; fast_pattern; pcre:"/[\x04\x06]\x88\x4d\x76$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimag .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimag.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
 
-alert tcp any any -> any any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 2"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|63 70 7b|"; distance:5; within:3; fast_pattern; pcre:"/[\xb0\xb2]\x63\x70\x7b$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimupload .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimupload.org"; bsize:15; fast_pattern; classtype:misc-activity; sid:2035701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,from_server; file_data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Significant, signature_severity Major, updated_at 2017_11_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimupload .org)"; dns.query; dotprefix; content:".resimupload.org"; nocase; endswith; classtype:misc-activity; sid:2035702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PWNJS JS Constructs"; flow:established,from_server; file_data; content:"base_lo"; content:"base_hi"; content:"fake_object"; fast_pattern; pcre:"/^\s*?\[\s*?\d/Rs"; content:"i32"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"f64"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"array_addr"; reference:url,raw.githubusercontent.com/theori-io/pwnjs/; classtype:attempted-user; sid:2024994; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (dumpor .com)"; dns.query; dotprefix; content:".dumpor.com"; nocase; endswith; classtype:misc-activity; sid:2035736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1"; flow:established,from_server; file_data; content:"VwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAw"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (smihub .com)"; dns.query; dotprefix; content:".smihub.com"; nocase; endswith; classtype:misc-activity; sid:2035737; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2"; flow:established,from_server; file_data; content:"cAdwBCAE8AQQBHAFUAQQBkAEEAQQB1AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBVAEEAQgB2AEEARwBrAEEAYgBnAEIAM"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (greatfon .com)"; dns.query; dotprefix; content:".greatfon.com"; nocase; endswith; classtype:misc-activity; sid:2035738; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3"; flow:established,from_server; file_data; content:"XAHcAQgBPAEEARwBVAEEAZABBAEEAdQBBAEYATQBBAFoAUQBCAHkAQQBIAFkAQQBhAFEAQgBqAEEARwBVAEEAVQBBAEIAdgBBAEcAawBBAGIAZwBCAD"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (dumpor .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dumpor.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M1"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (smihub .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"smihub.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M2"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023942; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (greatfon .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"greatfon.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M3"; flow:established,from_server; file_data; content:"XAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBn"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener  Domain in DNS Lookup (lk .tc)"; dns.query; dotprefix; content:".lk.tc"; nocase; endswith; classtype:misc-activity; sid:2035742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin Server Hello"; flow:established,to_client; dsize:9; stream_size:client,=,1; stream_size:server,=,10; content:"|05 00 00 00 00 ff ff ff ff|"; depth:9; fast_pattern; classtype:policy-violation; sid:2025008; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Domain (lk .tc in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lk.tc"; endswith; fast_pattern; classtype:misc-activity; sid:2035743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Informational, updated_at 2022_04_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0b 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; classtype:policy-violation; sid:2025009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
 
-alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; classtype:command-and-control; sid:2025019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2017_11_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .eu) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035765; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018394; rev:8; metadata:created_at 2014_04_16, former_category TROJAN, updated_at 2022_03_17;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Proxy Domain in DNS Lookup (proxynet .io)"; dns.query; dotprefix; content:".proxynet.io"; nocase; endswith; classtype:misc-activity; sid:2035757; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_05;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern; threshold:type both,track by_src,count 2,seconds 10; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:3; metadata:created_at 2014_12_23, former_category TROJAN, updated_at 2022_03_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Proxy Domain (proxynet .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"proxynet.io"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035758; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Informational, updated_at 2022_04_05;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:established,to_server; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:md5,28110a8ea5c13859ddf026db5a8a864a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; classtype:trojan-activity; sid:2012932; rev:8; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BrowseTor .onion Proxy Service SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=*.browsetor.com"; fast_pattern; classtype:bad-unknown; sid:2018396; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO Observed URL Shortening Service Domain (s59 .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"s59.site"; fast_pattern; classtype:misc-activity; sid:2035871; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he .net in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"ordns.he.net"; endswith; reference:url,www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike; classtype:misc-activity; sid:2035858; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2017_11_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Ordns DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"CN=ordns.he.net"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2035859; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2022464; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com)"; dns.query; content:"blogattach.naver.com"; nocase; bsize:20; classtype:bad-unknown; sid:2035889; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 24 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:7; content:"/xLMCJ4"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025038; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogattach.naver.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2035890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, signature_severity Major, updated_at 2022_04_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 29 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:5; content:"/5c2C"; http_uri; flowbits:set,ET.Keitaro; flowbits:noalert; classtype:exploit-kit; sid:2025039; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2017_11_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET INFO Empty POST with Terse Headers Over Non Standard Port"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,twitter.com/3xp0rtblog/status/1509267848958562305; reference:md5,52a46f058ec6b726fe2829a590a15155; classtype:bad-unknown; sid:2036225; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2022_04_15;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, created_at 2017_11_27, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.longmusic .com Domain"; flow:established,to_server; http.host; content:".longmusic.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035961; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Message"; flow:established,from_server; content:"abuseat.org"; classtype:not-suspicious; sid:2012982; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.longmusic .com Domain"; dns.query; content:".longmusic.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035962; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls_cert_subject; content:"CN=robervalmotores.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035963; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:2; metadata:created_at 2016_06_14, former_category NETBIOS, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035964; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain"; flow:established,to_server; http.host; content:".zzux.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035965; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2015_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035966; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035967; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; metadata: former_category EXPLOIT; classtype:attempted-admin; sid:2025080; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2017_11_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dumb1 .com Domain"; dns.query; content:".dumb1.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035968; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Critical, updated_at 2017_11_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dumb1 .com Domain"; flow:established,to_server; http.host; content:".dumb1.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035969; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, former_category TROJAN, updated_at 2017_11_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onedumb .com Domain"; dns.query; content:".onedumb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035970; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onedumb .com Domain"; flow:established,to_server; http.host; content:".onedumb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035971; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.youdontcare .com Domain"; dns.query; content:".youdontcare.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035972; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; dns_query; content:".mynumber.org"; nocase; isdataat:!1,relative; pcre:"/^[acdefghijlmopqrtwz]{16}\.mynumber\.org$/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.youdontcare .com Domain"; flow:established,to_server; http.host; content:".youdontcare.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035973; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014473; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.yourtrap .com Domain"; dns.query; content:".yourtrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035974; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBoatRAT CnC Check-in"; flow:established,to_server; dsize:>48; content:"|bc b0 b0 88 88 88 88 88 88 88 88 88|"; depth:12; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/; classtype:command-and-control; sid:2025093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Perimeter, former_category MALWARE, malware_family UBoatRAT, performance_impact Low, signature_severity Major, updated_at 2017_12_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.yourtrap .com Domain"; flow:established,to_server; http.host; content:".yourtrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035975; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh_proto; content:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:6; metadata:created_at 2014_12_05, former_category SCAN, updated_at 2017_12_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.2waky .com Domain"; dns.query; content:".2waky.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035976; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; classtype:social-engineering; sid:2025140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.2waky .com Domain"; flow:established,to_server; http.host; content:".2waky.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035977; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexidude .com Domain"; dns.query; content:".sexidude.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035978; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:5; metadata:created_at 2010_07_30, former_category CHAT, updated_at 2017_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexidude .com Domain"; flow:established,to_server; http.host; content:".sexidude.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035979; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP Check Response (rl. ammyy. com)"; flow:to_client,established; file_data; content:"Your IP="; depth:8; content:", country = "; distance:0; isdataat:!3,relative; classtype:policy-violation; sid:2025150; rev:1; metadata:created_at 2017_12_13, updated_at 2017_12_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mefound .com Domain"; dns.query; content:".mefound.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035980; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; classtype:trojan-activity; sid:2025151; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_12_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mefound .com Domain"; flow:established,to_server; http.host; content:".mefound.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035981; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls_cert_subject; content:"C=AU, ST=f2tee4, L=gf23et65adt, O=tg4r6tds, OU=rst, CN=rvgvtfdf"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2025155; rev:1; metadata:attack_target Client_and_Server, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_12_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.organiccrap .com Domain"; dns.query; content:".organiccrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035982; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; tls_cert_serial; content:"89:BF:80:13:42:0A:2E:F5"; classtype:trojan-activity; sid:2025156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2017_12_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.organiccrap .com Domain"; flow:established,to_server; http.host; content:".organiccrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035983; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking</TITLE>"; fast_pattern; nocase; classtype:social-engineering; sid:2025158; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toythieves .com Domain"; dns.query; content:".toythieves.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035984; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|48 61 6c 6b 62 61 6e 6b 20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|</title>"; nocase; classtype:social-engineering; sid:2025159; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toythieves .com Domain"; flow:established,to_server; http.host; content:".toythieves.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035985; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|20 48 6f c5 9f 67 65 6c 64 69 6e 69 7a 20 7c 20 5a 69 72 61 61 74 20 42 61 6e 6b 61 73 c4 b1|"; nocase; classtype:social-engineering; sid:2025160; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.justdied .com Domain"; dns.query; content:".justdied.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035986; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M4"; flow:established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"This program must be run under Win"; within:125; fast_pattern; classtype:trojan-activity; sid:2025161; rev:2; metadata:created_at 2017_12_21, former_category TROJAN, updated_at 2017_12_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.justdied .com Domain"; flow:established,to_server; http.host; content:".justdied.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035987; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"MZ"; within:2; content:"!This program"; distance:0; fast_pattern; classtype:pup-activity; sid:2020757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2017_12_21;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain"; dns.query; content:".jungleheart.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035988; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2017-12-26"; flow:established,to_client; file_data; content:"&Rho|3b|ay&Rho|3b|aI</title>"; within:200; classtype:social-engineering; sid:2025173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jungleheart .com Domain"; flow:established,to_server; http.host; content:".jungleheart.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035989; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024583; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_16, deployment Internet, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbonus .com Domain"; dns.query; content:".mrbonus.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035990; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"L&#959|3b|g|20|in|20|t&#959|3b 20|y&#959|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|acc&#959|3b|unt"; nocase; depth:300; classtype:social-engineering; sid:2025181; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbonus .com Domain"; flow:established,to_server; http.host; content:".mrbonus.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035991; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Malicious Authline Seen After CVE-2017-10271 Exploit"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|4AQe5sAFWZKECiaeNTt59LG7kVtqRoSRJMjrmQ6GiMFAeUvoL3MFeTE6zwwHkFPrAyNw2JHDxUSWL82RiZThPpk4SEg7Vqe|22 2c 20 22|"; distance:0; reference:url,otx.alienvault.com/pulse/5a4e1c4993199b299f90a212; classtype:coin-mining; sid:2025186; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, deployment Datacenter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2018_01_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.x24hr .com Domain"; dns.query; content:".x24hr.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035992; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET MALWARE Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, former_category TROJAN, updated_at 2018_01_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.x24hr .com Domain"; flow:established,to_server; http.host; content:".x24hr.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035993; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:3; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2018_01_08;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.fartit .com Domain"; dns.query; content:".fartit.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035994; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010001; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.fartit .com Domain"; flow:established,to_server; http.host; content:".fartit.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035995; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; reference:url,doc.emergingthreats.net/2010002; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itemdb .com Domain"; dns.query; content:".itemdb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035996; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; reference:url,doc.emergingthreats.net/2010003; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2018_01_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itemdb .com Domain"; flow:established,to_server; http.host; content:".itemdb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035997; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download Non-HTTP"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; app-layer-protocol:!http; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:24; metadata:created_at 2010_07_30, former_category POLICY, performance_impact Significant, updated_at 2018_01_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.instanthq .com Domain"; dns.query; content:".instanthq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035998; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED APT Cheshire Cat DNS Lookup (groupdive. com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|groupdive|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021659; rev:2; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2018_01_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.instanthq .com Domain"; flow:established,to_server; http.host; content:".instanthq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035999; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:social-engineering; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxuz .com Domain"; dns.query; content:".xxuz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036000; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET MALWARE OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2018_01_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxuz .com Domain"; flow:established,to_server; http.host; content:".xxuz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036001; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Dropbox"; nocase; within:25; content:"Select Your Email Provider"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025206; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jkub .com Domain"; dns.query; content:".jkub.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036002; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Chase"; nocase; within:25; content:"WYSIWYG Web Builder"; nocase; distance:0; content:"folling information about yourself"; nocase; fast_pattern; classtype:social-engineering; sid:2025207; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jkub .com Domain"; flow:established,to_server; http.host; content:".jkub.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036003; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"background-color|3a 20|rgb(235, 60, 0)"; fast_pattern; nocase; within:200; content:"$Config={|22|scid|22 3a|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; content:"<title"; nocase; distance:0; content:"Sign in to your account"; nocase; within:50; classtype:social-engineering; sid:2025208; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itsaol .com Domain"; dns.query; content:".itsaol.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036004; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title>Chase"; nocase; fast_pattern; content:"googlebot|22 20|content=|22|noindex"; nocase; distance:0; content:"function unhideBody()"; nocase; distance:0; content:"type=|22|password"; nocase; distance:0; classtype:social-engineering; sid:2025210; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itsaol .com Domain"; flow:established,to_server; http.host; content:".itsaol.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036005; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; within:300; classtype:social-engineering; sid:2025211; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.faqserv .com Domain"; dns.query; content:".faqserv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036006; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Confirm Your Account"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025212; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.faqserv .com Domain"; flow:established,to_server; http.host; content:".faqserv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036007; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>chase online - confirm</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025213; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jetos .com Domain"; dns.query; content:".jetos.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036008; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; content:"<form action=|22|webscr.php?cmd=_"; nocase; distance:0; classtype:social-engineering; sid:2025215; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_01_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jetos .com Domain"; flow:established,to_server; http.host; content:".jetos.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036009; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Questionnaire Phishing Landing 2018-01-19"; flow:established,to_client; file_data; content:"<title>Questionnaire</title>"; nocase; fast_pattern; content:"assets/css/theDocs.all.min.css"; nocase; distance:0; content:"<h3>DOCUMENT MANAGEMENT SYSTEM"; distance:0; classtype:social-engineering; sid:2025226; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qpoe .com Domain"; dns.query; content:".qpoe.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036010; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Verification/Upgrade Phishing Landing 2018-01-22"; flow:established,to_client; file_data; content:"<title>Email Verification</title>"; nocase; fast_pattern; content:"Sign in to upgrade your mailbox"; nocase; distance:0; content:"Mail Admin"; nocase; distance:0; classtype:social-engineering; sid:2025229; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qpoe .com Domain"; flow:established,to_server; http.host; content:".qpoe.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036011; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing"; flow:established,to_client; file_data; content:"document.write(unescape"; fast_pattern; nocase; within:100; content:"document.write(unescape"; nocase; distance:0; content:"document.write(unescape"; nocase; distance:0; classtype:social-engineering; sid:2025231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qhigh .com Domain"; dns.query; content:".qhigh.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036012; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Server Mobile Security Settings Phishing Landing 2018-01-22"; flow:established,to_client; file_data; file_data; content:"<html>|0d 0a 0d 0a|<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|document.write"; within:100; nocase; content:"3c%68%65%61%64%3e%0d%0a%0d%0a%3c%74%69%74%6c%65%3e%45%6d%61%69%6c%20%53%65%72%76%65%72"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|login|22 20|value=|22|"; nocase; distance:0; content:"User ID|3a 20|<font face=|22|verdana|22 20|size=|22|2|22 20|color=|22|#000000|22|"; nocase; distance:0; classtype:social-engineering; sid:2025232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qhigh .com Domain"; flow:established,to_server; http.host; content:".qhigh.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036013; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>&#68|3b|&#114|3b|&#111|3b|&#112|3b|&#98|3b|&#111|3b|&#120|3b|</title>"; nocase; within:300; classtype:social-engineering; sid:2025233; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.vizvaz .com Domain"; dns.query; content:".vizvaz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036014; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Incoming Emails Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Retrieval Error</title>"; nocase; fast_pattern; content:"onload=|22|populate()"; nocase; distance:0; content:"<input id=|22|Password|22 20|name=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025242; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.vizvaz .com Domain"; flow:established,to_server; http.host; content:".vizvaz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036015; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ABSA Online Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"setTimeout(function(){top.window.location"; nocase; fast_pattern; content:"<title"; nocase; within:150; content:"Absa Online"; nocase; within:50; classtype:social-engineering; sid:2025243; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrface .com Domain"; dns.query; content:".mrface.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036016; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; content:"Login with Facebook"; nocase; distance:0; content:"Hosted on free web hosting 000webhost.com"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025245; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrface .com Domain"; flow:established,to_server; http.host; content:".mrface.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036017; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque et Assurance (FR) Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title"; nocase; content:"La Banque Postale|20 e2 80 93 20|La Banque Postale"; fast_pattern; within:80; nocase; content:"background-color|3a 20|#FFFFFF|3b|"; nocase; distance:0; classtype:social-engineering; sid:2025246; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.isasecret .com Domain"; dns.query; content:".isasecret.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036018; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"security is our top priority"; nocase; content:"Use us wherever you pay"; fast_pattern; nocase; distance:0; content:"onsubmit=|22|return checkform(this)|3b 22|"; nocase; distance:0; content:"function checkform"; nocase; distance:0; content:"style.backgroundColor=|22|#FF6A6A|22|"; nocase; distance:0; classtype:social-engineering; sid:2025247; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.isasecret .com Domain"; flow:established,to_server; http.host; content:".isasecret.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036019; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Popupwnd Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"function popupwnd(url, "; fast_pattern; nocase; content:"var popupwindow = this.open(url"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"'no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025248; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrslove .com Domain"; dns.query; content:".mrslove.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036020; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title"; nocase; content:"View Document"; nocase; within:30; content:"<a href=|22|eciffo365.php"; nocase; fast_pattern; distance:0; content:"<a href=|22|kooltuo.php"; nocase; distance:0; classtype:social-engineering; sid:2025249; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrslove .com Domain"; flow:established,to_server; http.host; content:".mrslove.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036021; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; fast_pattern; content:"function LoginErrors(){this.userNameFormatError"; nocase; within:300; classtype:social-engineering; sid:2025250; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.americanunfinished .com Domain"; dns.query; content:".americanunfinished.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036022; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2012401; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.americanunfinished .com Domain"; flow:established,to_server; http.host; content:".americanunfinished.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036023; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body>"; within:500; content:"<script>|0d 0a 09 09 09|"; fast_pattern; within:500; pcre:"/([a-z$+-]{0,4}[0-9.*]+[a-z$+-]{0,4},){24}/R"; classtype:exploit-kit; sid:2013313; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveusers .com Domain"; dns.query; content:".serveusers.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036024; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013652; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveusers .com Domain"; flow:established,to_server; http.host; content:".serveusers.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036025; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013664; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveuser .com Domain"; dns.query; content:".serveuser.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036026; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveuser .com Domain"; flow:established,to_server; http.host; content:".serveuser.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036027; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013666; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_09_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myftp .info Domain"; dns.query; content:".myftp.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036028; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2013788; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2011_10_20, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .info Domain"; flow:established,to_server; http.host; content:".myftp.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036029; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:exploit-kit; sid:2013960; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mydad .info Domain"; dns.query; content:".mydad.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036030; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:exploit-kit; sid:2013990; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mydad .info Domain"; flow:established,to_server; http.host; content:".mydad.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036031; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:exploit-kit; sid:2014048; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mymom .info Domain"; dns.query; content:".mymom.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036032; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_02_18, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mymom .info Domain"; flow:established,to_server; http.host; content:".mymom.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036033; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code="; pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:exploit-kit; sid:2014415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypicture .info Domain"; dns.query; content:".mypicture.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036034; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypicture .info Domain"; flow:established,to_server; http.host; content:".mypicture.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036035; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myz .info Domain"; dns.query; content:".myz.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036036; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2012_03_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag DriveBy, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myz .info Domain"; flow:established,to_server; http.host; content:".myz.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036037; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2014725; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_09, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.squirly .info Domain"; dns.query; content:".squirly.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036038; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2014843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_01, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.squirly .info Domain"; flow:established,to_server; http.host; content:".squirly.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036039; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; within:12; classtype:trojan-activity; sid:2014921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toh .info Domain"; dns.query; content:".toh.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036040; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toh .info Domain"; flow:established,to_server; http.host; content:".toh.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036041; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:exploit-kit; sid:2014981; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_28, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .info Domain"; dns.query; content:".xxxy.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036042; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:exploit-kit; sid:2015056; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .info Domain"; flow:established,to_server; http.host; content:".xxxy.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036043; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:exploit-kit; sid:2015670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_08_29, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.freewww .info Domain"; dns.query; content:".freewww.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036044; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.freewww .info Domain"; flow:established,to_server; http.host; content:".freewww.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036045; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:exploit-kit; sid:2016024; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .biz Domain"; dns.query; content:".xxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036046; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:exploit-kit; sid:2016166; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .biz Domain"; flow:established,to_server; http.host; content:".xxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036047; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:exploit-kit; sid:2016524; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexxxy .biz Domain"; dns.query; content:".sexxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036048; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific -  4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:exploit-kit; sid:2016525; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexxxy .biz Domain"; flow:established,to_server; http.host; content:".sexxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036049; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific -  4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:exploit-kit; sid:2016526; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.www1 .biz Domain"; dns.query; content:".www1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036050; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:exploit-kit; sid:2017340; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.www1 .biz Domain"; flow:established,to_server; http.host; content:".www1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036051; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:exploit-kit; sid:2017341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_19, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dhcp .biz Domain"; dns.query; content:".dhcp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036052; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; classtype:command-and-control; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, malware_family SchwartzSonnne, signature_severity Major, tag c2, updated_at 2018_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dhcp .biz Domain"; flow:established,to_server; http.host; content:".dhcp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036053; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"document.write(unescape"; nocase; fast_pattern; content:"3C%74%69%74%6C%65%3E%26%23%33%37%30%33%38%3B%26%23%32%30%32%31%34%3B%26%23%33%35%37%37%34%3B%26%23%33%32%36%32%32%3B"; nocase; distance:0; classtype:social-engineering; sid:2025255; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_26;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.edns .biz Domain"; dns.query; content:".edns.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036054; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Halkbank|20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|"; within:50; fast_pattern; classtype:social-engineering; sid:2025258; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.edns .biz Domain"; flow:established,to_server; http.host; content:".edns.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036055; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Smail Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"...|7c|1|7c|Smail Code|7c|1|7c|..."; fast_pattern; nocase; content:"ALTER ANYTHING BELOW THIS LINE"; nocase; distance:0; classtype:social-engineering; sid:2025259; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftp1 .biz Domain"; dns.query; content:".ftp1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036056; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-01-29 M1"; flow:established,to_client; file_data; content:"Apple ID|20 3a|"; within:100; content:"<title>Apple (Switzerland)"; nocase; fast_pattern; classtype:social-engineering; sid:2025260; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftp1 .biz Domain"; flow:established,to_server; http.host; content:".ftp1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036057; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M2 2018-01-29"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025261; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mywww .biz Domain"; dns.query; content:".mywww.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036058; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"Dear <b id=|22|accessreturn|22|>User</b>,"; nocase; fast_pattern; content:"<b>Ticket|20 3a 20|#"; nocase; distance:0; content:"<b>For This Reason|20 3a 20|"; nocase; distance:0; classtype:social-engineering; sid:2025262; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mywww .biz Domain"; flow:established,to_server; http.host; content:".mywww.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036059; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; content:"Office 365"; nocase; within:25; content:"function LoginErrors(){this.userNameFormatError"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025263; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftpserver .biz Domain"; dns.query; content:".ftpserver.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036060; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; classtype:social-engineering; sid:2025264; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftpserver .biz Domain"; flow:established,to_server; http.host; content:".ftpserver.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036061; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartsheet Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>Log In|20 7c 20|Smartsheet</title>"; nocase; fast_pattern; content:"<form action="; nocase; distance:0; content:".php|22 20|class=|22|clsJspOuterForm|22 20|id="; nocase; distance:0; content:"method=|22|POST|22 20|name=|22|ctlForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025265; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .biz Domain"; dns.query; content:".wwwhost.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036062; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .biz Domain"; flow:established,to_server; http.host; content:".wwwhost.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036063; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots.gouv.fr Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Particulier|20 7c 20|impots.gouv.fr"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2025268; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.moneyhome .biz Domain"; dns.query; content:".moneyhome.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036064; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Turbotax Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title>My TurboTax"; nocase; fast_pattern; content:"Login to your MyTurboTax account to start"; nocase; distance:0; content:"User ID"; nocase; distance:0; content:"Email Password"; nocase; distance:0; classtype:social-engineering; sid:2025269; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.moneyhome .biz Domain"; flow:established,to_server; http.host; content:".moneyhome.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036065; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Bank of America|20 7c 20|Online Banking"; nocase; within:40; fast_pattern; content:"CONTENT=|22|Unrecognized computer"; nocase; distance:0; content:"SiteKey Challenge Questions"; nocase; distance:0; classtype:social-engineering; sid:2025270; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.port25 .biz Domain"; dns.query; content:".port25.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036066; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capital One Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Online Banking - Capital One 360</title>"; nocase; classtype:social-engineering; sid:2025271; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.port25 .biz Domain"; flow:established,to_server; http.host; content:".port25.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036067; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Verizon Wireless Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:200; content:"<title"; nocase; distance:0; content:"Sign in"; nocase; within:10; content:"verizonwireless.com"; nocase; within:100; classtype:social-engineering; sid:2025274; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.esmtp .biz Domain"; dns.query; content:".esmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036068; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"P&#97|3b|yP&#97|3b|l"; nocase; within:35; fast_pattern; classtype:social-engineering; sid:2025276; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.esmtp .biz Domain"; flow:established,to_server; http.host; content:".esmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036069; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple iTunes Phishing Landing (DE) 2018-01-31"; flow:established,to_client; file_data; content:"<ISONLINE VALUE=TRUE></ISONLINE>"; nocase; within:200; content:"<title>iTunes - Stornierungsformular"; nocase; fast_pattern; classtype:social-engineering; sid:2025277; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .biz Domain"; dns.query; content:".dsmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036070; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"/hellion/postmaster.png"; fast_pattern; nocase; content:"/hellion/logos.png"; nocase; distance:0; classtype:social-engineering; sid:2025279; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .biz Domain"; flow:established,to_server; http.host; content:".dsmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036071; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Roundcube Multi-Brand Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"FILES/jstz.min.js?s="; nocase; fast_pattern; content:"rcube_webmail()"; nocase; distance:0; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; classtype:social-engineering; sid:2025280; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sixth .biz Domain"; dns.query; content:".sixth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036072; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; pcre:"/^(?:www(?:1\.masterconsultas\.com\.ar|\.linkedin\.com)|(?:tools\.google|facebook)\.com|cfspart\.impots\.gouv\.fr)/Ri"; content:"by HTTrack Website Copier/"; distance:0; classtype:social-engineering; sid:2025282; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sixth .biz Domain"; flow:established,to_server; http.host; content:".sixth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036073; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Login Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Sign In</title>"; nocase; content:"Outlook.com is a free, personal email service from Microsoft."; nocase; within:150; fast_pattern; classtype:social-engineering; sid:2025284; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ninth .biz Domain"; dns.query; content:".ninth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036074; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2025285; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ninth .biz Domain"; flow:established,to_server; http.host; content:".ninth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036075; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online|c2 ae 20|Verification</title>"; nocase; classtype:social-engineering; sid:2025286; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.misecure .com Domain"; dns.query; content:".misecure.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036076; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>AT&amp|3b|T - Login</title>"; nocase; fast_pattern; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22 20 20|focus=|22|userid|22 20|name=|22|LoginForm|22 20|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025244; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.got-game .org Domain"; dns.query; content:".got-game.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036078; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Likely Cloned .EDU Website Phishing Landing 2018-02-02"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)https?:\/\/[^/]+\.edu\//Rsi"; content:"<form"; nocase; distance:0; classtype:social-engineering; sid:2025290; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.got-game .org Domain"; flow:established,to_server; http.host; content:".got-game.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036079; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M2"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"Online &amp|3b 20|Mobile Security"; nocase; distance:0; classtype:social-engineering; sid:2025293; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dns2 .us Domain"; dns.query; content:".dns2.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036080; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M3"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"View Your Accounts</h1>"; nocase; distance:0; content:"disableSubmitsCollectUserPrefs"; nocase; distance:0; classtype:social-engineering; sid:2025294; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns2 .us Domain"; flow:established,to_server; http.host; content:".dns2.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036081; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M5"; flow:established,to_client; file_data; content:"<title>Wells Fargo  - Update Your Identification</title>"; nocase; fast_pattern; content:"../css js/passwordReset.css"; within:200; classtype:social-engineering; sid:2025296; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .us Domain"; dns.query; content:".changeip.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036082; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M6"; flow:established,to_client; file_data; content:"Online Banking Identity Verification Process</TITLE>"; within:300; content:"name=KONICHIWA1"; within:250; classtype:social-engineering; sid:2025297; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .us Domain"; flow:established,to_server; http.host; content:".changeip.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036083; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M7"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online&reg|3b 20|Enrollment</title>"; classtype:social-engineering; sid:2025298; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .biz Domain"; dns.query; content:".changeip.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036084; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M8"; flow:established,to_client; file_data; content:"<head><!-- WFB 3.4 -->"; within:300; fast_pattern; content:"var bundle|3b|(function(){function a(b){var c=|22 22 3b|for(var d=0,e=b.length|3b|d<e|3b|++d){var f=b.charCodeAt(d)|3b|c+=f>=55296?b[d]|3a|String.fromCharCode"; distance:0; classtype:social-engineering; sid:2025299; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .biz Domain"; flow:established,to_server; http.host; content:".changeip.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036085; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M9"; flow:established,to_client; file_data; content:"<title>Wells Fargo - Security Upgrade</title>"; classtype:social-engineering; sid:2025300; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.almostmy .com Domain"; dns.query; content:".almostmy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036086; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M10"; flow:established,to_client; file_data; content:"<title>Wells Fargo Email Verification"; nocase; fast_pattern; content:"input[type=email], input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025301; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.almostmy .com Domain"; flow:established,to_server; http.host; content:".almostmy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036087; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flow:established,to_client; content:"stream"; content:"|0a|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ocry .com Domain"; dns.query; content:".ocry.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036088; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family MeltDown_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ocry .com Domain"; flow:established,to_server; http.host; content:".ocry.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036089; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category EXPLOIT, malware_family Spectre_Exploit, performance_impact Low, signature_severity Major, updated_at 2018_02_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ourhobby .com Domain"; dns.query; content:".ourhobby.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036090; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banque Populaire Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:".logo_banque"; nocase; content:",.authentif p.num_carte"; nocase; fast_pattern; content:"<title"; content:"Authentification"; nocase; within:20; classtype:social-engineering; sid:2025306; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ourhobby .com Domain"; flow:established,to_server; http.host; content:".ourhobby.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036091; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"PayPaI</title>"; nocase; fast_pattern; content:"application-name content=PayPaI>"; nocase; distance:0; classtype:social-engineering; sid:2025307; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsfailover .net Domain"; dns.query; content:".dnsfailover.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036092; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Antibots Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<?php|0d 0a|include|20 22|antibots.php|22 3b 0d 0a|?>"; within:100; classtype:social-engineering; sid:2025308; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfailover .net Domain"; flow:established,to_server; http.host; content:".dnsfailover.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036093; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Upgrade Payment Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"ONE MORE STEP"; content:"<title"; nocase; distance:0; content:"Enter Your Credit"; nocase; within:25; content:"UPGRADE PAYMENT"; distance:0; content:"fbCreditCard"; nocase; distance:0; classtype:social-engineering; sid:2025309; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ygto .com Domain"; dns.query; content:".ygto.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036094; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Verification Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Yahoo! Account Verification"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025311; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ygto .com Domain"; flow:established,to_server; http.host; content:".ygto.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036095; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google/Adobe Shared Document Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"sign in"; nocase; within:25; content:"MM_validateForm(|27|password|27 2c 27 27 2c 27|R|27 2c 27|mail|27 2c 27 27 2c 27|RisEmail|27 2c 27|phone|27 2c 27 27 2c 27|NisNum|27|)"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025312; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gettrials .com Domain"; dns.query; content:".gettrials.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036096; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Orange Phishing Landing 2018-02-05 (FR)"; flow:established,to_client; file_data; content:"<title"; content:"pour continuer, identifiez-vous"; nocase; within:50; fast_pattern; content:"index_fichiers/authuser"; nocase; distance:0; content:"title=|22|site orange.fr"; nocase; distance:0; classtype:social-engineering; sid:2025313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gettrials .com Domain"; flow:established,to_server; http.host; content:".gettrials.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036097; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_02_05;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4dq .com Domain"; dns.query; content:".4dq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036098; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_02_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4dq .com Domain"; flow:established,to_server; http.host; content:".4dq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036099; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_02_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4pu .com Domain"; dns.query; content:".4pu.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036100; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"; flow:established,from_server; file_data; content:"<script"; nocase; content:"<"; distance:0; content:".length"; distance:0; nocase; fast_pattern; pcre:"/^\s*?\)\s*?\{\s*(?P<var>[^\s]+)\s*=[^\x5b]+?\x5b\s*(?P=var)\s*?\|\s*?0\s*?\]\s*?\x3b\s*?/Rsi"; content:"^="; distance:0; pcre:"/^\s*[^\s]+\x5b\s*?[^\x5d\x7c]+\x7c\s*?0\s*?\x5d\s*?\x7c\s*?0\s*?\x3b/Rsi"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025185; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4pu .com Domain"; flow:established,to_server; http.host; content:".4pu.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036101; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-06"; flow:established,to_client; file_data; content:"content=|22|Connecting to PDSA"; nocase; within:600; content:"<title>Sign In</title>"; nocase; distance:0; content:"function LoginErrors(){this.userNameFormatError"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025316; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036102; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^.\x04[^\x08\x10\x14\x20\x30\x40]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025319; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036103; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^[\x80-\xff]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025320; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036104; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Google|20 7c 20|Drive , Safe"; nocase; fast_pattern; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2025322; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036105; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>DropBox Buisness</title>"; nocase; classtype:social-engineering; sid:2025323; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynumber .org Domain"; dns.query; content:".mynumber.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036106; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Apple - Login"; nocase; content:"href=|22|incorrect_files/"; nocase; distance:0; classtype:social-engineering; sid:2025324; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynumber .org Domain"; flow:established,to_server; http.host; content:".mynumber.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036107; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:50; fast_pattern; content:"your mailbox"; nocase; distance:0; content:"email password"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025278; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.rebatesrule .net Domain"; dns.query; content:".rebatesrule.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036108; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Settings|20 7c 20|Email"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.rebatesrule .net Domain"; flow:established,to_server; http.host; content:".rebatesrule.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036109; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"background-color|3a 20|#ffffff|3b|border|3a 20|1px solid #d0d4d9|3b|box-shadow|3a 20|4px 4px 4px #d0d4d9|3b|"; nocase; content:"id=|22|wk|22 20|name=|22|wk|22 20|method=|22|post|22|"; nocase; distance:0; fast_pattern; content:"Sign In To View"; nocase; distance:0; classtype:social-engineering; sid:2025325; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ezua .com Domain"; dns.query; content:".ezua.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036110; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Sign in</title>"; nocase; content:"border|3a 20|1px solid #848484|3b|"; nocase; distance:0; content:"background-color|3a 20|#fff3c0|3b|"; nocase; distance:0; content:"left|3a|389px|3b 20|top|3a|0px|3b 20|width|3a|507px|3b 20|height|3a|474px|3b 20|z-index|3a|0"; nocase; distance:0; content:"<input name=|22|userid|22|"; nocase; distance:0; content:"<input name=|22|formtext2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025326; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ezua .com Domain"; flow:established,to_server; http.host; content:".ezua.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036111; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon"; nocase; fast_pattern; content:"<!--POH-->"; nocase; distance:0; content:"function AllowNoDups()"; nocase; distance:0; classtype:social-engineering; sid:2025328; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sendsmtp .com Domain"; dns.query; content:".sendsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036112; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Admin|20 7c 20|Upgrade|3b|</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sendsmtp .com Domain"; flow:established,to_server; http.host; content:".sendsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036113; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025336; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssmailer .com Domain"; dns.query; content:".ssmailer.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036114; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; classtype:social-engineering; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssmailer .com Domain"; flow:established,to_server; http.host; content:".ssmailer.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036115; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online</title>"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"placeholder=|22|Personal ID"; nocase; distance:0; content:"Connection Secured"; nocase; distance:0; classtype:social-engineering; sid:2025337; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .net Domain"; dns.query; content:".trickip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036116; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In to LinkedIn|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025335; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .net Domain"; flow:established,to_server; http.host; content:".trickip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036117; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; fast_pattern; content:"We didn't recognize your email address or phone number"; nocase; distance:0; content:"theForm.pass.value.length"; nocase; distance:0; classtype:social-engineering; sid:2025339; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .org Domain"; dns.query; content:".trickip.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036118; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Revalidation Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Re-Validate Your Mailbox</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025340; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .org Domain"; flow:established,to_server; http.host; content:".trickip.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036119; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; classtype:social-engineering; sid:2025341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsrd .com Domain"; dns.query; content:".dnsrd.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036120; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; classtype:social-engineering; sid:2025342; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsrd .com Domain"; flow:established,to_server; http.host; content:".dnsrd.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036121; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; classtype:social-engineering; sid:2025343; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .com Domain"; dns.query; content:".lflinkup.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036122; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook Application"; nocase; within:30; fast_pattern; content:"placeholder=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025347; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .com Domain"; flow:established,to_server; http.host; content:".lflinkup.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036123; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook"; nocase; within:20; content:"k7LsZ6Kzebp.css"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .net Domain"; dns.query; content:".lflinkup.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036124; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .net Domain"; flow:established,to_server; http.host; content:".lflinkup.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036125; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn"; nocase; fast_pattern; content:"<title>Sign Up</title>"; nocase; distance:0; classtype:social-engineering; sid:2025349; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .org Domain"; dns.query; content:".lflinkup.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036126; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Verification"; nocase; within:40; fast_pattern; content:"account was suspended"; nocase; distance:0; content:"enable verification process"; nocase; distance:0; classtype:social-engineering; sid:2025351; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .org Domain"; flow:established,to_server; http.host; content:".lflinkup.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036127; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Validate Your Card Information"; nocase; within:50; fast_pattern; content:"</capitaloneheader>"; nocase; distance:0; classtype:social-engineering; sid:2025352; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflink .com Domain"; dns.query; content:".lflink.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036128; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"ng-app=|22|signInControllerApp|22|"; nocase; within:100; content:"<title>Sign In</title>"; nocase; distance:0; content:"href=|22|index_fichiers/favicon.ico"; nocase; distance:0; content:"usabilla_live_button_container"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025350; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflink .com Domain"; flow:established,to_server; http.host; content:".lflink.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036129; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Validation Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"function validateForm()"; nocase; content:"email.match(/fuck"; nocase; distance:0; content:"email.match(/asshole"; nocase; distance:0; content:"email.match(/dickhead"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025353; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0tnet .com Domain"; dns.query; content:".b0tnet.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036130; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title"; nocase; content:"dropbox"; nocase; within:10; content:"text/css|22|>.hny-htirfw"; nocase; fast_pattern; within:100; content:"class=|22|psw_error"; nocase; distance:0; classtype:social-engineering; sid:2025355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0tnet .com Domain"; flow:established,to_server; http.host; content:".b0tnet.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036131; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn</title>"; nocase; content:"function MM_validateForm()"; nocase; distance:0; content:"#a11y-content"; nocase; distance:0; classtype:social-engineering; sid:2025356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .net Domain"; dns.query; content:".changeip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036132; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Account Recovery Information</title>"; nocase; fast_pattern; content:"<title>Account Recovery Information</title>"; nocase; distance:0; content:"facebook account has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2025357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .net Domain"; flow:established,to_server; http.host; content:".changeip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036133; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)(?:https://(?:w(?:ww(?:\.(?:(?:bankofamerica|paypal|ups|wellsfargo)\.com|a(?:dobecloud\.com|mazon\.co\.jp)|tax\.service\.gov\.uk|cibc\.mobi)|1\.royalbank\.com)|ebmail\.(?:i(?:llinois|ndstate)\.ed|optusnet\.com\.a)u)|(?:s(?:i(?:tekey\.bankofamerica|gnin\.ebay)|ecure(?:\.bankofamerica|05c\.chase))|login\.(?:(?:microsoftonlin|liv)e|verizonwireless|alibaba)|my\.screenname\.aol)\.com|(?:(?:ex(?:change\.(?:louisvill|purdu)|mail\.oregonstat)e|owa\.uaa\.alaska)\.ed|ib\.nab\.com\.a)u|voscomptesenligne\.labanquepostale\.fr|auth\.centurylink\.net)|/logon/logon/chaseOnline|#www\.kucoin\.com)/Rsi"; classtype:social-engineering; sid:2025281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mysecondarydns .com Domain"; dns.query; content:".mysecondarydns.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036134; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Online...... - Berliner....</title>"; nocase; fast_pattern; content:"berliner-sparkasse.de"; nocase; distance:0; classtype:social-engineering; sid:2025361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mysecondarydns .com Domain"; flow:established,to_server; http.host; content:".mysecondarydns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036135; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Dropbox</title>"; within:300; nocase; fast_pattern; content:"featuredcontentglider.init({"; nocase; distance:0; content:"#yregbnr #yregbnrti #yregbnrtii"; nocase; distance:0; classtype:social-engineering; sid:2025362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dynssl .com Domain"; dns.query; content:".dynssl.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036136; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"images/fbgiftscards.jpg"; within:100; fast_pattern; content:"CavalryLogger="; nocase; distance:0; content:"Facebook</title>"; nocase; content:"function Form1_Validator"; nocase; distance:0; content:"var alertsay"; nocase; distance:0; classtype:social-engineering; sid:2025363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dynssl .com Domain"; flow:established,to_server; http.host; content:".dynssl.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036137; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M1"; flow:established,to_client; file_data; content:"<title>Wells Fargo BANK</title>"; fast_pattern; content:"Access Your Accounts</div>"; nocase; distance:0; classtype:social-engineering; sid:2025292; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mylftv .com Domain"; dns.query; content:".mylftv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036138; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign in - Google Accounts"; nocase; within:30; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025364; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mylftv .com Domain"; flow:established,to_server; http.host; content:".mylftv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036139; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; content:"Dropbox Verification"; within:30; nocase; fast_pattern; content:"PhoneVerificationChallenge"; nocase; distance:0; content:"RecoveryEmailChallenge"; nocase; distance:0; classtype:social-engineering; sid:2025365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .com Domain"; dns.query; content:".mynetav.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036140; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon</title><!--"; nocase; fast_pattern; classtype:social-engineering; sid:2025366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .com Domain"; flow:established,to_server; http.host; content:".mynetav.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036141; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Square Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"/* VODKA */"; fast_pattern; content:"<form action=|22|--WEBBOT-SELF--"; nocase; distance:0; classtype:social-engineering; sid:2025367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .net Domain"; dns.query; content:".mynetav.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036142; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .net Domain"; flow:established,to_server; http.host; content:".mynetav.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036143; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; classtype:social-engineering; sid:2025369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .org Domain"; dns.query; content:".mynetav.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036144; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartermail Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; content:"SmarterMail"; nocase; within:20; fast_pattern; content:"<form method=|22|post|22 20|action=|22|login.php|22 20|id=|22|aspnetForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .org Domain"; flow:established,to_server; http.host; content:".mynetav.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036145; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; nocase; content:"USAA / Welcome to USAA"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|POST|22 20|id=|22|Logon|22 20|name=|22|Logon|22 20|class=|22|yuimenubaritemlabel|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.homingbeacon .net Domain"; dns.query; content:".homingbeacon.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036146; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title>Securite utilisateur</title>"; nocase; fast_pattern; content:"<title>S&eacute|3b|curite Yahoo</title>"; nocase; distance:0; classtype:social-engineering; sid:2025373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.homingbeacon .net Domain"; flow:established,to_server; http.host; content:".homingbeacon.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036147; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo Sign On to Unlock Your Accounts"; nocase; within:50; classtype:social-engineering; sid:2025377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ikwb .com Domain"; dns.query; content:".ikwb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036148; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In"; nocase; within:15; content:"Validate"; nocase; within:20; content:"personal Microsoft account"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ikwb .com Domain"; flow:established,to_server; http.host; content:".ikwb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036149; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Advantage Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo1.png"; nocase; fast_pattern; content:"method=|22|post|22 20|action=|22|post.php"; nocase; distance:0; classtype:social-engineering; sid:2025379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.acmetoy .com Domain"; dns.query; content:".acmetoy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036150; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Please confirm your identity"; fast_pattern; within:50; nocase; content:"For security reasons"; nocase; distance:0; content:".php|22 20|novalidate=|22 22|"; nocase; distance:0; classtype:social-engineering; sid:2025380; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.acmetoy .com Domain"; flow:established,to_server; http.host; content:".acmetoy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036151; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Craigslist Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"craigslist - account log in"; nocase; fast_pattern; within:30; content:".php|22 20|method=|22|POST|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnset .com Domain"; dns.query; content:".dnset.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036152; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Mobile Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title>Login</title>"; nocase; content:"mbasic.facebook.com"; nocase; distance:0; content:"name=|22|username|22 20|autocomplete=|22|off|22 20|placeholder=|22|E-mail|22|"; nocase; distance:0; fast_pattern; content:"name=|22|password|22 20|autocomplete=|22|off|22 20|placeholder=|22|Password|22|"; nocase; distance:0; classtype:social-engineering; sid:2025396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnset .com Domain"; flow:established,to_server; http.host; content:".dnset.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036153; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo.png"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; content:"<input name=|22|email|22 20|type=|22|hidden|22|"; nocase; distance:0; classtype:social-engineering; sid:2025397; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.as19557 .net Domain"; dns.query; content:".as19557.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036154; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing (DE) 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Amazon.de - Kontofreischaltung"; nocase; within:40; fast_pattern; content:"$(|22|#browser_info|22|).val(client.getBrowser"; nocase; distance:0; content:"$(|22|#os_info|22|).val(client.getOS()"; nocase; distance:0; classtype:social-engineering; sid:2025398; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.as19557 .net Domain"; flow:established,to_server; http.host; content:".as19557.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036155; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; classtype:social-engineering; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toshibanetcam .com Domain"; dns.query; content:".toshibanetcam.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036156; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp any 11211 -> $EXTERNAL_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Response Outbound"; flowbits:isset,ET.memcached.ddos; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025402; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toshibanetcam .com Domain"; flow:established,to_server; http.host; content:".toshibanetcam.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036157; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp $EXTERNAL_NET 11211 -> $HOME_NET any (msg:"ET DOS Possible Memcached DDoS Amplification Inbound"; content:"STATS|20|pid"; depth:9; fast_pattern; threshold: type both, count 100, seconds 60, track by_dst; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2018_03_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .net Domain"; dns.query; content:".authorizeddns.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036158; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2"; flow:established,from_server; content:"|FE|SMB"; offset:4; depth:8; content:"|08 00|"; distance:8; within:10; content:"var"; distance:48; fast_pattern; content:"="; distance:0; isdataat:2,relative; reference:url,twitter.com/SettiDavide89/status/970965983228723201; reference:url,www.certego.net/it/news/quant-url/; classtype:trojan-activity; sid:2025409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_03_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .net Domain"; flow:established,to_server; http.host; content:".authorizeddns.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036159; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .org Domain"; dns.query; content:".authorizeddns.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036160; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:command-and-control; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2011_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .org Domain"; flow:established,to_server; http.host; content:".authorizeddns.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036161; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"document.forms[|22|chalbhai|22|][|22|password|22|]"; nocase; classtype:social-engineering; sid:2025418; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .us Domain"; dns.query; content:".authorizeddns.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036162; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Email Account Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Secure Login|20 7c 20|E-Mail Administrator"; within:40; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; classtype:social-engineering; sid:2025421; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .us Domain"; flow:established,to_server; http.host; content:".authorizeddns.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036163; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Retrieve Pending Emails Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Retrieve Pending Emails"; within:30; nocase; fast_pattern; content:"receive any pending mails on server after login"; nocase; distance:0; classtype:social-engineering; sid:2025422; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .biz Domain"; dns.query; content:".cleansite.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036164; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ourtime Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"ourtime.com - the 50+ single network"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; nocase; distance:0; classtype:social-engineering; sid:2025423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .biz Domain"; flow:established,to_server; http.host; content:".cleansite.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036165; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2018_03_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .info Domain"; dns.query; content:".cleansite.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036166; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:exploit-kit; sid:2015758; rev:3; metadata:created_at 2012_10_04, former_category EXPLOIT_KIT, updated_at 2018_03_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .info Domain"; flow:established,to_server; http.host; content:".cleansite.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036167; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Napolar / Shifu SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .us Domain"; dns.query; content:".cleansite.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036168; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET [!37018,!37039,1024:65535] (msg:"ET DELETED Possible NanoCore C2 64B"; flow:established,to_server; dsize:68; content:"|40 00 00 00|"; depth:5; pcre:"/^(?!.{0,63}\x00.{0,62}\x00.{0,61}\x00.{0,60}\x00)(?!.{0,62}\x00{2})(?!.{0,59}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,63}(?P=b1).{0,62}(?P=b1).{0,61}(?P=b1).{0,60}(?P=b1))(?!.(?P<b2>.).{0,62}(?P=b2).{0,61}(?P=b2).{0,60}(?P=b2).{0,59}(?P=b2))(?!..(?P<b3>.).{0,61}(?P=b3).{0,60}(?P=b3).{0,59}(?P=b3).{0,58}(?P=b3))(?!...(?P<b4>.).{0,60}(?P=b4).{0,59}(?P=b4).{0,58}(?P=b4).{0,57}(?P=b4))(?!....(?P<b5>.).{0,59}(?P=b5).{0,58}(?P=b5).{0,57}(?P=b5).{0,56}(?P=b5))(?!.....(?P<b6>.).{0,58}(?P=b6).{0,57}(?P=b6).{0,56}(?P=b6).{0,55}(?P=b6))(?!......(?P<b7>.).{0,57}(?P=b7).{0,56}(?P=b7).{0,55}(?P=b7).{0,54}(?P=b7))(?!.......(?P<b8>.).{0,56}(?P=b8).{0,55}(?P=b8).{0,54}(?P=b8).{0,53}(?P=b8))(?!........(?P<b9>.).{0,55}(?P=b9).{0,54}(?P=b9).{0,53}(?P=b9).{0,52}(?P=b9))(?!.........(?P<b10>.).{0,54}(?P=b10).{0,53}(?P=b10).{0,52}(?P=b10).{0,51}(?P=b10))/Rs"; classtype:command-and-control; sid:2025018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2019_10_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .us Domain"; flow:established,to_server; http.host; content:".cleansite.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036169; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .net Domain"; dns.query; content:".https443.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036170; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .net Domain"; flow:established,to_server; http.host; content:".https443.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036171; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .org Domain"; dns.query; content:".https443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036172; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .org Domain"; flow:established,to_server; http.host; content:".https443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036173; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .net Domain"; dns.query; content:".mypop3.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036174; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Reader Phishing Landing 2018-03-27"; flow:established,to_client; file_data; content:"<title>Adobe|d0 92 c2 ae 20|PDF Reader|d0 92 c2 ae 20|Xl</title>"; nocase; fast_pattern; content:"this file is protected by adobe"; nocase; distance:0; content:"confirm your email to access this document"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onsubmit=|22|MM_validateForm(&#39|3b|email&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|RisEmail&#39|3b|,&#39|3b|password&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|R&#39|3b|)"; nocase; distance:0; content:"view pdf document"; nocase; distance:0; classtype:social-engineering; sid:2025442; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .net Domain"; flow:established,to_server; http.host; content:".mypop3.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036175; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>internal revenue service</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"last 4 of ssn"; nocase; distance:0; content:"if ($('#email').val() == '')"; nocase; distance:0; classtype:social-engineering; sid:2025443; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .org Domain"; dns.query; content:".mypop3.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036176; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Ursnif Socks Proxy Check-in"; flow:established,to_server; stream_size:server,=,1; content:"|2d|"; offset:8; depth:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d30|"; distance:12; within:2; content:"|0000 0000 0000 0000 0000 0000|"; distance:1; within:12; fast_pattern; pcre:"/^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9]{12}-0[0-9]{1}/"; flowbits:set,PT.UrsnifProxy; flowbits:noalert; classtype:trojan-activity; sid:2025444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .org Domain"; flow:established,to_server; http.host; content:".mypop3.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036177; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert tcp $EXTERNAL_NET !$HTTP_PORTS  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Socks5 Proxy Connection"; flow:established,from_server; flowbits:isset,PT.UrsnifProxy; stream_size:server,=,5; dsize:3; content:"|050100|"; fast_pattern; depth:3; classtype:trojan-activity; sid:2025445; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssl443 .org Domain"; dns.query; content:".ssl443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036178; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<TITLE>Chase Online - Logon</TITLE>"; nocase; fast_pattern; content:"name=started action=logon.php?lob=rbglogon method=post"; nocase; distance:0; classtype:social-engineering; sid:2025447; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssl443 .org Domain"; flow:established,to_server; http.host; content:".ssl443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036179; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>impots.gouv.fr</title>"; nocase; fast_pattern; content:".php|22|"; nocase; distance:0; content:"name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025448; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .biz Domain"; dns.query; content:".iownyour.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036180; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-03-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; fast_pattern; within:300; content:")https://"; within:15; pcre:"/^[^/]+(?:xfinity|comcast)\.(?:com|net)/Ri"; classtype:social-engineering; sid:2025450; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .biz Domain"; flow:established,to_server; http.host; content:".iownyour.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036181; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; http_content_len; content:"0"; fast_pattern; pcre:"/^./P"; classtype:bad-unknown; sid:2011819; rev:2; metadata:created_at 2010_10_15, updated_at 2010_10_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .org Domain"; dns.query; content:".iownyour.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036182; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTML Script Tag in 401 Unauthorized Response (External Source)"; flow:from_server,established; content:"HTTP/1.1 401 Unauthorized|0d 0a|"; depth:27; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010514; classtype:web-application-activity; sid:2010514; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_04_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .org Domain"; flow:established,to_server; http.host; content:".iownyour.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036183; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_04_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_06;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .biz Domain"; dns.query; content:".onmypc.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036184; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>wells,fargo sign on to view your accounts</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025473; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .biz Domain"; flow:established,to_server; http.host; content:".onmypc.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036185; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>|7c 20|tracking system</title>"; nocase; content:"DHL%20_%20Tracking%20System_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025474; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .info Domain"; dns.query; content:".onmypc.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036186; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>resolution center - paypal</title>"; nocase; content:"href=|22|resolutioncenter_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025478; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .info Domain"; flow:established,to_server; http.host; content:".onmypc.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036187; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title id=|22|pagetitle|22|>facebook - log in or sign up</title>"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|onsubmit=|22|return window.event"; nocase; distance:0; classtype:social-engineering; sid:2025479; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .net Domain"; dns.query; content:".onmypc.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036188; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; classtype:social-engineering; sid:2025480; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .net Domain"; flow:established,to_server; http.host; content:".onmypc.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036189; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>apple - my apple id</title>"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:"id=|22|donnee"; nocase; distance:0; fast_pattern; content:"name=|22|donnee"; nocase; distance:0; classtype:social-engineering; sid:2025481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .org Domain"; dns.query; content:".onmypc.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036190; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Post.ch Cloned Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:300; content:"https://account.post.ch"; nocase; within:30; classtype:social-engineering; sid:2025482; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .org Domain"; flow:established,to_server; http.host; content:".onmypc.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036191; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>chase online - account update</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"onsubmit=|22|javascript|3a|return webform_onsubmit()|3b 22|"; nocase; distance:0; classtype:social-engineering; sid:2025475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .us Domain"; dns.query; content:".onmypc.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036192; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2018_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .us Domain"; flow:established,to_server; http.host; content:".onmypc.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036193; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-04-14"; flow:established,to_client; file_data; content:"method=|22|post|22|"; nocase; content:"javascript|3a|popupwnd(|22|gmail"; nocase; distance:0; fast_pattern; content:"javascript|3a|popupwnd(|22|outlook"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|aol"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025502; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .info Domain"; dns.query; content:".dubya.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036194; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mail Verification Phishing Landing 2018-04-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:20; fast_pattern; content:"img src=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|passwd|22|"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .info Domain"; flow:established,to_server; http.host; content:".dubya.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036195; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PDF Cloud Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign In - PDF Cloud"; nocase; fast_pattern; content:"href=|22|index_files/adobe.css"; nocase; distance:0; content:"Sign in with your email address to view or download attachment"; nocase; distance:0; classtype:social-engineering; sid:2025515; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .us Domain"; dns.query; content:".dubya.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036196; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Bank of America|20 7c 20|Online Banking|20 7c 20|Sign In|20 7c 20|Online ID"; nocase; fast_pattern; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"href=|22|css/Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025516; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .us Domain"; flow:established,to_server; http.host; content:".dubya.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036197; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox 000webhost Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Dropbox"; nocase; content:"method=|22|POST|22|"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; fast_pattern; content:"powered-by-000webhost"; nocase; distance:0; classtype:social-engineering; sid:2025517; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .biz Domain"; dns.query; content:".dubya.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036198; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:5; metadata:created_at 2014_05_08, former_category TROJAN, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .biz Domain"; flow:established,to_server; http.host; content:".dubya.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036199; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Minor, updated_at 2018_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .net Domain"; dns.query; content:".dubya.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036200; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .net Domain"; flow:established,to_server; http.host; content:".dubya.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036201; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .us Domain"; dns.query; content:".wwwhost.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036202; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .us Domain"; flow:established,to_server; http.host; content:".wwwhost.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036203; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Centurylink Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>centurylink"; nocase; content:"href=|22|centurylink|25|20_|25|20login_files/"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2025523; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zyns .com Domain"; flow:established,to_server; http.host; content:".zyns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036204; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING MyADP Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Login to MyADP"; nocase; fast_pattern; content:"href=|22|AD/"; nocase; distance:0; content:"src=|22|AD/"; nocase; distance:0; classtype:social-engineering; sid:2025524; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.otzo .com Domain"; flow:established,to_server; http.host; content:".otzo.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036205; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M1 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your Microsoft account"; nocase; content:"<!-- /ko -->"; nocase; distance:0; fast_pattern; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; classtype:social-engineering; sid:2025525; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-report .com Domain"; flow:established,to_server; http.host; content:".dns-report.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036206; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>sign in to xfinity"; nocase; content:"src=|22|comcast_files/"; nocase; distance:0; fast_pattern; content:"src=|22|comcast_files/"; nocase; distance:0; classtype:social-engineering; sid:2025528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns1 .us Domain"; flow:established,to_server; http.host; content:".dns1.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036207; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>lcl banque"; nocase; content:"src=|22|./lcl_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./lcl_files/"; nocase; distance:0; classtype:social-engineering; sid:2025529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .co Domain"; dns.query; content:".changeip.co"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036208; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M2 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"<form name=|22|ff|22|"; nocase; distance:0; fast_pattern; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2025526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .co Domain"; flow:established,to_server; http.host; content:".changeip.co"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036209; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Popupwnd Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:",'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (maxiurl .com)"; dns.query; content:"maxiurl.com"; nocase; bsize:11; classtype:misc-activity; sid:2036226; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (maxiurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxiurl.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2036227; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, signature_severity Informational, updated_at 2022_04_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase; flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_13, former_category POLICY, updated_at 2018_04_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"!|5c|n|5c|nWebsite work well"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded"; flow:to_client,established; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; content:"|40 00 69 00 6d 00 70 00 6f 00 72 00 74 00|"; distance:0; pcre:"/@\x00i\x00m\x00p\x00o\x00r\x00t\x00\x20.{4,20}[^\x00\w\s.]/sG"; reference:cve,CVE-2010-3971; reference:url,breakingpointsystems.com/community/blog/ie-vulnerability/; reference:bid,45246; classtype:attempted-admin; sid:2012149; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2011_01_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category WEB_CLIENT, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2018_04_30;)
+alert http $HOME_NET any -> any any (msg:"ET INFO Python BaseHTTP ServerBanner"; flow:established; http.server; content:"BaseHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034635; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP"; flow:to_server,established; content:".asp?device_t="; http_uri; content:"&key="; http_uri; content:"&device_id="; http_uri; content:"&cv="; http_uri; threshold: type both, track by_src, count 1, seconds 120; reference:md5,e4a4e2a3b3adaf3a31e34cd2844a3374; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none; classtype:trojan-activity; sid:2016430; rev:4; metadata:created_at 2012_04_18, former_category TROJAN, updated_at 2018_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connecttest.txt"; bsize:16; http.host; content:"www.msftconnecttest.com"; bsize:23; fast_pattern; classtype:bad-unknown; sid:2031071; rev:2; metadata:created_at 2020_10_21, former_category INFO, performance_impact Low, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"bank of america"; nocase; within:30; content:"<form name=|22|b0a|22|"; nocase; distance:0; fast_pattern; content:".php?session=$pmd$pmd|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025549; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Pastebin Style Domain in DNS Lookup (pastetext .net)"; dns.query; content:"pastetext.net"; nocase; bsize:13; classtype:bad-unknown; sid:2036287; rev:1; metadata:created_at 2022_04_21, former_category INFO, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025550; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Pastebin Style Domain (pastetext .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"pastetext.net"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, signature_severity Informational, updated_at 2022_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title> DocuSlgn </title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025551; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)"; dns.query; content:"filetransfer.io"; nocase; bsize:15; classtype:bad-unknown; sid:2036310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Variant Checkin"; flow:established,to_server; dsize:9; content:"|00 07|nemesis"; classtype:command-and-control; sid:2025552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_05_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"filetransfer.io"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036311; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"icanhazip.com"; bsize:13; fast_pattern; classtype:external-ip-check; sid:2036304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"|23 20 4e 65 77 20 53 63 61 6d 61 20 4e 65 74 66 6c 69 78 20 32 30 31 38 20 42 79 20 58 2d 59 61 63 20 23|"; within:500; classtype:social-engineering; sid:2025555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Remote Management Software Domain (syncromsp .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".syncromsp.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2036347; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, signature_severity Informational, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Log in to your PayPal"; nocase; within:40; content:"PayPaI.|20 7c 20|All rights reserved."; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025556; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Remote Management Software Domain in DNS Lookup (syncromsp .com)"; dns.query; dotprefix; content:".syncromsp.com"; nocase; endswith; classtype:bad-unknown; sid:2036348; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Terse Request For Bitbucket Snippet"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/|21|api/2.0/snippets/"; startswith; http.host; content:"bitbucket.org"; bsize:13; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; classtype:bad-unknown; sid:2036349; rev:1; metadata:created_at 2022_04_25, updated_at 2022_04_25;)
 
-#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC)"; flow:established,from_server; content:"|09 00 b5 c7 52 c9 87 81 b5 03|"; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022960; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed File Sharing Domain (drive .protonmail .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"drive.protonmail.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2036352; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, signature_severity Informational, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-05-07"; flow:established,to_client; file_data; content:"<title>mytax portal</title>"; nocase; fast_pattern; content:"id=|22|form1|22 20|name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"name=|22|pww|22 20|type=|22|password|22 20|id=|22|pww|22|"; nocase; distance:0; classtype:social-engineering; sid:2025561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO File Sharing Domain in DNS Lookup (drive .protonmail .com)"; dns.query; content:"drive.protonmail.com"; nocase; bsize:20; classtype:bad-unknown; sid:2036353; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER CoinHive In-Browser Miner Detected"; flow:established,from_server; file_data; content:"coinhive.min.js"; nocase; fast_pattern; content:"start"; nocase; distance:0; content:"script"; content:"var"; distance:0; pcre:"/^\s*(?P<var>[a-zA-Z0-9]{3,20})\s*=\s*new\s*CoinHive\s*\.\s*[^\(]+\(\s*[\x22\x27][A-Za-z0-9]+\s*[\x22\x27]\s*(?:\x2c\s*\x7b\s*\w+\x3a\s*\d\.\d\x7d)?\)\s*\x3b\s+(?P=var)\s*\.\s*start/Ri"; classtype:coin-mining; sid:2024721; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category COINMINER, performance_impact Moderate, signature_severity Minor, updated_at 2018_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Commonly Abused SSL/TLS Certificate Observed (mylnavyfederal .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.mylnavyfederal.com"; bsize:23; fast_pattern; reference:md5,1f28014859bd7cc1a4240aebb5241af0; classtype:bad-unknown; sid:2036389; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"content=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; content:"name=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; distance:0; content:"class=|22 48 46 5f 4a 61 63 6b 73 6f 4e 5f|"; nocase; distance:0; content:"class=|22 42 79 5f 48 61 73 73 61 6e 5f 46 61 72 74 6f 75 74 22|"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025568; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (gg-l .xyz)"; dns.query; content:"gg-l.xyz"; nocase; bsize:8; classtype:bad-unknown; sid:2036420; rev:1; metadata:created_at 2022_04_29, former_category INFO, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 77 69 7a 22|"; nocase; distance:0; content:"class=|22 68 61 73 73 61 6e 22|"; nocase; distance:0; classtype:social-engineering; sid:2025569; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (gg-l .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gg-l.xyz"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2036421; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, signature_severity Informational, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6c 6f 67 69 6e 5f 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 6e 73 69 74 22|"; nocase; distance:0; content:"class=|22 74 39 61 79 61 64 22|"; nocase; distance:0; content:"class=|22 74 73 61 6e 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025570; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Abused Redirect Service SSL Cert (svc .dynamics .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.svc.dynamics.com"; bsize:21; fast_pattern; classtype:bad-unknown; sid:2036422; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, former_category INFO, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 69 6d 67 5f 76 69 63 74 69 6d 65 22|"; nocase; fast_pattern; content:"class=|22 6e 61 6d 65 5f 76 69 63 74 69 6d 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 5f 61 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 6d 69 61 5f 6b 68 61 6c 69 66 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025571; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed File Sharing Domain (www .cloudme .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.cloudme.com"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036423; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, signature_severity Informational, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"<!--|20 41 6e 4f 5f 6f 6e 69 73 6d 61 20|-->"; nocase; fast_pattern; content:"name=|22 41 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 41 6e 6f 6e 69 73 6d 61|"; nocase; distance:0; classtype:social-engineering; sid:2025572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO File Retrieved from File Sharing Site (cloudme .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1/ws2/|3a|"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-User|0d 0a|Sec-Fetch-Dest|0d 0a|Accept-Encoding|0d 0a|"; classtype:bad-unknown; sid:2036424; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 61 2d 6e 2d 6f 2d 6e 2d 69 2d 73 2d 6d 2d 61 22|"; nocase; fast_pattern; content:"id=|22 62 6f 74 64 6b 68 6f 6c 22|"; nocase; distance:0; classtype:social-engineering; sid:2025573; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .eu)"; dns.query; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035764; rev:2; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; fast_pattern; content:"bodyElems"; distance:0; pcre:"/^\s*=\s*document\s*\.\s*getElementsByTagName\s*\(\s*[\x22\x27]body[\x22\x27]/Ri"; content:"bodyElems[0]"; distance:0; pcre:"/^\s*\.\s*style\s*\.\s*visibility\s*=\s*[\x22\x27]visible[\x22\x27]/Ri"; content:"style=|22|visibility:hidden|22 20|onload=|22|unhideBody()|22|"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position|3a|absolute|3b 20|overflow|3a|hidden|3b 20|left|3a|"; nocase; distance:0; classtype:social-engineering; sid:2025653; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site)"; dns.query; content:"s59.site"; fast_pattern; classtype:bad-unknown; sid:2035870; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)"; dns.query; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035466; rev:2; metadata:created_at 2022_03_15, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discord .com)"; dns.query; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035465; rev:2; metadata:created_at 2022_03_15, updated_at 2022_05_02;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021013; rev:7; metadata:attack_target Client_and_Server, created_at 2015_04_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family TrickBot, malware_family Dridex, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .com)"; dns.query; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035762; rev:2; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:command-and-control; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2018_05_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4nmn .com Domain"; flow:established,to_server; http.host; content:".4nmn.com"; endswith; reference:url,alviy.com/redirect/4nmn.com; classtype:bad-unknown; sid:2036469; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For Browser Cryptocurrency Mining Domain"; content:"|06|static|0a|reasedoper|02|pw|00|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/; classtype:trojan-activity; sid:2024779; rev:5; metadata:affected_product Web_Browsers, created_at 2017_09_27, former_category POLICY, malware_family CoinMiner, updated_at 2018_05_23;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 4nmn .com Domain"; dns.query; dotprefix; content:".4nmn.com"; nocase; endswith; reference:url,alviy.com/redirect/4nmn.com; classtype:misc-activity; sid:2036470; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, signature_severity Informational, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Chrome Extension Click Fraud Activity via Websocket"; flow:established,to_client; content:"|7b 22|id|22 3a|"; within:10; content:"|2c 22|data|22 3a 7b 22|method|22 3a 22|GET|22 2c 22|url|22 3a 22|"; distance:0; content:"|22 2c 22|headers|22 3a 7b 22|"; distance:0; content:"|2c 22|timeout|22 3a|30000|2c 22|body|22 3a 22|"; distance:0; fast_pattern; threshold: type both, track by_dst, count 1, seconds 120; reference:url,www.icebrg.io/index.php?p=blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; reference:url,www.icebrg.io/blog/more-extensions-more-money-more-problems; classtype:trojan-activity; sid:2025221; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2018_06_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You could have been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; threshold:type limit, count 1, seconds 600, track by_src; classtype:social-engineering; sid:2036506; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_06;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain Domain in DNS Lookup (ipbase .com)"; dns.query; content:"ipbase.com"; nocase; bsize:10; classtype:bad-unknown; sid:2036560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET DELETED Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:exploit-kit; sid:2019763; rev:9; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (ipbase .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipbase.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2036561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, signature_severity Major, updated_at 2022_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016853; rev:16; metadata:created_at 2013_05_16, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO External File Sharing Service Domain (api .anonfile .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.anonfile.com"; bsize:16; fast_pattern; classtype:bad-unknown; sid:2036562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_05_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Landing Landing URI Struct (fb set)"; flow:to_server,established; content:!"Cookie|3a|"; content:"Windows NT"; http_header; fast_pattern:only; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^User-agent\x3a\x20[^\r\n]*?(?:MSIE|rv\x3a11|Edge\/)/Hmi"; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?=[a-z\d+]*?[A-Z])(?=[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; content:!"Cookie|3a|"; flowbits:set,Neutrino.URI.Primer; flowbits:noalert; classtype:exploit-kit; sid:2025064; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, tag Neutrino, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External File Sharing Domain in DNS Lookup (anonfile .com)"; dns.query; dotprefix; content:".anonfile.com"; nocase; endswith; classtype:bad-unknown; sid:2036563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:exploit-kit; sid:2017729; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] 4369 (msg:"ET INFO External Host Querying Erlang Port Mapper Daemon"; flow:established,to_server; dsize:3; content:"|00 01 6e|"; fast_pattern; classtype:misc-activity; sid:2036651; rev:1; metadata:created_at 2022_05_23, updated_at 2022_05_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:exploit-kit; sid:2019488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Anonymous File Sharing Service (fromsmash .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fromsmash.com"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Anonymous File Sharing Domain in DNS Lookup (fromsmash .com)"; dns.query; content:"fromsmash.com"; nocase; bsize:13; classtype:bad-unknown; sid:2036666; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_forward"; flow:established,to_client; tls.version:1.2; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 13 02 13 01 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|02|hq|03|h2c|02|h2|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.1|08|http/1.0|08|http/0.9"; content:"|03 03 03 02 03 01|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Wells Fargo Phishing Landing 2018-06-20"; flow:established,to_client; file_data; content:"<title>Wells Fargo |3a| Banking|2c|"; nocase; fast_pattern; content:"content=|22|WELLS FARGO BANK|22|"; nocase; distance:0; classtype:social-engineering; sid:2025624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_reverse"; flow:established,to_client; content:"|16 03 03|"; startswith; content:"|00 05 00 04 00 07 00 c0 00 84 00 ba 00 41 00 9d c0 a1 c0 9d 00 3d 00 35 00 9c c0 a0 c0 9c 00 3c 00 2f 00 0a c0 11 cc 13 13 03 13 04 13 05 cc a8 c0 77 c0 76 c0 61 c0 60 c0 30 c0 28 c0 14 c0 2f c0 27 c0 13 c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; classtype:social-engineering; sid:2025625; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_top_half"; flow:established,to_client; tls.version:1.2; content:"|c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_bottom_half"; flow:established,to_client; tls.version:1.2; content:"|c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|06|spdy/1|06|spdy/2|06|spdy/3|03|h2c|02|hq"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e  d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_2018_6892, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_2_middle_out"; flow:established,to_client; tls.version:1.2; content:"|c0 12 c0 13 c0 07 c0 27 cc 14 c0 2f 13 01 c0 14 13 02 c0 28 cc a9 c0 30 c0 73 c0 60 c0 72 c0 61 c0 2c c0 76 c0 af c0 77 c0 ad cc a8 c0 24 13 05 c0 0a 13 04 c0 2b 13 03 c0 ae cc 13 c0 ac c0 11 c0 23 00 0a c0 09 00 2f c0 08 00 3c 00 9a c0 9c 00 c4 c0 a0 00 88 00 9c 00 be 00 35 00 45 00 3d 00 9f c0 9d c0 a3 c0 a1 c0 9f 00 9d 00 6b 00 41 00 39 00 ba 00 9e 00 84 c0 a2 00 c0 c0 9e 00 07 00 67 00 04 00 33 00 05 00 16|"; fast_pattern; content:"|02|hq|03|h2c|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.0|08|http/0.9"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DAMICMS Cross-Site Request Forgery (Add Admin)"; flow:from_server,established; file_data; content:"history.pushState"; content:"/admin.php?s=/Admin/doadd|22| method=|22|POST|22|>"; nocase; fast_pattern; content:"name=|22|username|22|"; content:"name=|22|password|22|"; reference:url,exploit-db.com/exploits/44960/; classtype:web-application-attack; sid:2025771; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_1_middle_out"; flow:established,to_client; tls.version:1.1; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 13 02 13 01 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_forward"; flow:established,to_client; tls.version:1.3; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 13 02 13 01 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 13 05 13 04 13 03 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|02|hq|03|h2c|02|h2|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.1|08|http/1.0|08|http/0.9"; content:"|03 04 03 03 03 02 03 01|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Critical, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|00 05 00 04 00 07 00 c0 00 84 00 ba 00 41 00 9d c0 a1 c0 9d 00 3d 00 35 00 9c c0 a0 c0 9c 00 3c 00 2f 00 0a c0 11 cc 13 13 03 13 04 13 05 cc a8 c0 77 c0 76 c0 61 c0 60 c0 30 c0 28 c0 14 c0 2f c0 27 c0 13 c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03 03 04|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036697; rev:1; metadata:created_at 2022_05_25, updated_at 2022_05_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|00 05 00 04 00 07 00 c0 00 84 00 ba 00 41 00 9d c0 a1 c0 9d 00 3d 00 35 00 9c c0 a0 c0 9c 00 3c 00 2f 00 0a c0 11 cc 13 13 03 13 04 13 05 cc a8 c0 77 c0 76 c0 61 c0 60 c0 30 c0 28 c0 14 c0 2f c0 27 c0 13 c0 12 c0 07 cc 14 13 01 13 02 cc a9 c0 73 c0 72 c0 2c c0 af c0 ad c0 24 c0 0a c0 2b c0 ae c0 ac c0 23 c0 09 c0 08 00 9a 00 c4 00 88 00 be 00 45 00 9f c0 a3 c0 9f 00 6b 00 39 00 9e c0 a2 c0 9e 00 67 00 33 00 16|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03 03 04|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:3; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_invalid"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|00 16 00 33 00 67 c0 9e c0 a2 00 9e 00 39 00 6b c0 9f c0 a3 00 9f 00 45 00 be 00 88 00 c4 00 9a c0 08 c0 09 c0 23 c0 ac c0 ae c0 2b c0 0a c0 24 c0 ad c0 af c0 2c c0 72 c0 73 cc a9 cc 14 c0 07 c0 12 c0 13 c0 27 c0 2f c0 14 c0 28 c0 30 c0 60 c0 61 c0 76 c0 77 cc a8 cc 13 c0 11 00 0a 00 2f 00 3c c0 9c c0 a0 00 9c 00 35 00 3d c0 9d c0 a1 00 9d 00 41 00 ba 00 84 00 c0 00 07 00 04 00 05|"; fast_pattern; content:"|08|http/0.9|08|http/1.0|08|http/1.1|06|spdy/1|06|spdy/2|06|spdy/3|02|h2|03|h2c|02|hq"; content:"|03 01 03 02 03 03 03 04|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036699; rev:1; metadata:created_at 2022_05_25, updated_at 2022_05_25;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_middle_out"; flow:established,to_client; content:"|16 03 01|"; startswith; content:"|c0 12 c0 13 c0 07 c0 27 cc 14 c0 2f 13 01 c0 14 13 02 c0 28 cc a9 c0 30 c0 73 c0 60 c0 72 c0 61 c0 2c c0 76 c0 af c0 77 c0 ad cc a8 c0 24 13 05 c0 0a 13 04 c0 2b 13 03 c0 ae cc 13 c0 ac c0 11 c0 23 00 0a c0 09 00 2f c0 08 00 3c 00 9a c0 9c 00 c4 c0 a0 00 88 00 9c 00 be 00 35 00 45 00 3d 00 9f c0 9d c0 a3 c0 a1 c0 9f 00 9d 00 6b 00 41 00 39 00 ba 00 9e 00 84 c0 a2 00 c0 c0 9e 00 07 00 67 00 04 00 33 00 05 00 16|"; fast_pattern; content:"|02|hq|03|h2c|02|h2|06|spdy/3|06|spdy/2|06|spdy/1|08|http/1.1|08|http/1.0|08|http/0.9"; content:"|03 04 03 03 03 02 03 01|"; endswith; reference:url,engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a; classtype:misc-activity; sid:2036700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_05_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution"; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Bablosoft BAS Related SSL Cert (bablosoft .com)"; flow:established,to_client; tls.cert_subject; content:"CN=bablosoft.com"; bsize:16; fast_pattern; reference:url,team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/; classtype:bad-unknown; sid:2036686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_05_26;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential External VMware vRealize Automation Authentication Bypass Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/SAAS/auth/login/embeddedauthbroker/callback"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"protected_state"; content:"userstore"; content:"username"; content:"password"; content:"userstoreDisplay"; content:"horizonRelayState"; content:"stickyConnectorId"; content:"action"; reference:url,horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/; classtype:attempted-admin; sid:2036725; rev:1; metadata:affected_product VMware, created_at 2022_05_27, former_category INFO, signature_severity Informational, updated_at 2022_05_27;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a *.ngrok domain (ngrok.io)"; dns.query; content:".ngrok.io"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022642; rev:6; metadata:created_at 2016_03_23, former_category POLICY, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Powershell Base64 Decode Command Inbound"; flow:established,from_server; file.data; content:"[System.Text.Encoding]"; nocase; content:"[System.Convert]::FromBase64String"; nocase; fast_pattern; within:100; classtype:misc-activity; sid:2036760; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_06_02;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Anonymous File Sharing Domain in DNS Lookup (fromsmash .co)"; dns.query; dotprefix; content:".fromsmash.co"; nocase; endswith; classtype:bad-unknown; sid:2036870; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_06;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Anonymous File Sharing Service in SSL Cert (fromsmash .co)"; flow:established,to_client; tls.cert_subject; content:"CN=fromsmash.co"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036871; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category INFO, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_06_06;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Peer-to-Peer File Sharing Service Domain in DNS Lookup (ipfs .io)"; dns.query; content:"ipfs.io"; nocase; bsize:7; classtype:bad-unknown; sid:2036873; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_06_06;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Peer-to-Peer File Sharing Service Domain (ipfs .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipfs.io"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2036874; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_06;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction Domain in DNS Lookup (oast .pro)"; dns.query; dotprefix; content:".oast.pro"; nocase; endswith; classtype:bad-unknown; sid:2036890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction Domain in DNS Lookup (oast .live)"; dns.query; dotprefix; content:".oast.live"; nocase; endswith; classtype:bad-unknown; sid:2036891; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction  Domain in DNS Lookup (oast .online)"; dns.query; dotprefix; content:".oast.site"; nocase; endswith; classtype:bad-unknown; sid:2036892; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction Domain in DNS Lookup (oast .fun)"; dns.query; dotprefix; content:".oast.fun"; nocase; endswith; classtype:bad-unknown; sid:2036893; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction Domain in DNS Lookup (oast .me)"; dns.query; dotprefix; content:".oast.me"; nocase; endswith; classtype:bad-unknown; sid:2036894; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction Domain in DNS Lookup (oastify .com)"; dns.query; dotprefix; content:".oastify.com"; nocase; endswith; classtype:bad-unknown; sid:2036895; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Out-of-Band Interaction Domain in DNS Lookup (requestbin .net)"; dns.query; content:"requestbin.net"; nocase; bsize:14; classtype:bad-unknown; sid:2036896; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_07;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)"; dns.query; content:".linkpc.net"; nocase; endswith; content:!"www.linkpc.net"; classtype:bad-unknown; sid:2034458; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MediaFire file download service access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?"; http.host; content:"mediafire.com"; reference:url,doc.emergingthreats.net/2009303; classtype:policy-violation; sid:2009303; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2022_06_09;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Self-Hosted Git Service Domain in DNS Lookup (gitea .com)"; dns.query; content:"gitea.com"; nocase; bsize:9; classtype:bad-unknown; sid:2036938; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_09;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Self-Hosted Git Service Domain (gitea .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gitea.com"; bsize:9; fast_pattern; classtype:bad-unknown; sid:2036939; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_09;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain in DNS Lookup (ip .bablosoft .com)"; dns.query; content:"ip"; nocase; content:".bablosoft.com"; distance:1; nocase; pcre:"/^ip[23]?\.bablosoft\.com$/"; threshold:type limit,track by_src,count 1,seconds 60; classtype:bad-unknown; sid:2036685; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_06_09;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Psiphon VPN Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Cookie|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.content_type; content:"application/octet-stream"; bsize:24; http.cookie; pcre:"/^[A-Z]=[A-Za-z/+0-9=]{200,400}$/"; reference:md5,912e361d280d881980caca25cd0b80d4; classtype:bad-unknown; sid:2037033; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2022_06_17;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)"; dns.query; content:"ipwho.is"; nocase; bsize:8; classtype:bad-unknown; sid:2037042; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category MALWARE, signature_severity Informational, updated_at 2022_06_21;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Domain in DNS Lookup (ftpupload .net)"; dns.query; content:"ftpupload.net"; nocase; bsize:13; reference:md5,ddc7091a431c36c35adbc0d1ccfbfa3a; classtype:bad-unknown; sid:2037077; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_22;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (sharepointin .com)"; dns.query; dotprefix; content:".sharepointin.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037159; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (templatern .com)"; dns.query; dotprefix; content:".templatern.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037160; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [eSentire] Fake Flash Update 2018-07-09"; flow:established,to_client; file_data; content:"<title>Critical error!"; nocase; fast_pattern; content:"Your player version"; nocase; distance:0; content:"has a critical vulnerability"; nocase; distance:0; content:"FlashPlayer.exe"; nocase; distance:0; classtype:trojan-activity; sid:2025647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (prizegives .com)"; dns.query; dotprefix; content:".prizegives.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (shareholds .com)"; dns.query; dotprefix; content:".shareholds.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037162; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert udp any any -> $HOME_NET 4070 (msg:"ET SCAN HID VertX and Edge door controllers discover"; dsize:<45; content:"discover|3b|013|3b|"; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-recon; sid:2025822; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category SCAN, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (mesharepoint .com)"; dns.query; dotprefix; content:".mesharepoint.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Adobe Phishing Landing 2018-07-04"; flow:from_server,established; content:"<title>PDF Online"; nocase; fast_pattern; content:"Please Enter Your receiving Email Address"; nocase; distance:0; content:"method=|22|post|22|"; nocase; classtype:social-engineering; sid:2025648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Minor, updated_at 2018_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (prizewings .com)"; dns.query; dotprefix; content:".prizewings.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037164; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_11, deployment Perimeter, deployment Datacenter, former_category NETBIOS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (doctricant .com)"; dns.query; dotprefix; content:".doctricant.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037165; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [eSentire] Win32/Spy.Banker.ADIO CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2018_07_11;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (sharession .com)"; dns.query; dotprefix; content:".sharession.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 1"; flow:established,to_server; content:"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl"; classtype:attempted-user; sid:2025827; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (sharepointle .com)"; dns.query; dotprefix; content:".sharepointle.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 2"; flow:established,to_server; content:"NtZCAvYyBwb3dlcnNoZWxsLmV4Z"; classtype:attempted-user; sid:2025828; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (mcsharepoint .com)"; dns.query; dotprefix; content:".mcsharepoint.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 3"; flow:established,to_server; content:"jbWQgL2MgcG93ZXJzaGVsbC5leG"; classtype:attempted-user; sid:2025829; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (officenced .com)"; dns.query; dotprefix; content:".officenced.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Execve(/bin/sh) Shellcode"; content:"|31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 b0 0b cd 80|"; classtype:shellcode-detect; sid:2025695; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2018_07_13, deployment Perimeter, former_category SHELLCODE, performance_impact Low, updated_at 2018_07_13;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (templatent .com)"; dns.query; dotprefix; content:".templatent.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $HOME_NET 445 -> any any (msg:"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"; flow:established,to_client; content:"SMB"; depth:8; content:"\\PIPE\\atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (sharepointen .com)"; dns.query; dotprefix; content:".sharepointen.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Executable File Transfer"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.smb.binary; classtype:bad-unknown; sid:2025699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (officence .com)"; dns.query; dotprefix; content:".officence.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025700; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (templateau .com)"; dns.query; dotprefix; content:".templateau.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (sharesbyte .com)"; dns.query; dotprefix; content:".sharesbyte.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (officences .com)"; dns.query; dotprefix; content:".officences.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037175; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (officentry .com)"; dns.query; dotprefix; content:".officentry.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (officested .com)"; dns.query; dotprefix; content:".officested.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|bat|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (prizemons .com)"; dns.query; dotprefix; content:".prizemons.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (prizewel .com)"; dns.query; dotprefix; content:".prizewel.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a DLL File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|dll|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (sharestion .com)"; dns.query; dotprefix; content:".sharestion.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (attemplate .com)"; dns.query; dotprefix; content:".attemplate.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037181; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|sys|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Attack Simulation Training Domain in DNS Lookup (windocyte .com)"; dns.query; dotprefix; content:".windocyte.com"; nocase; endswith; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|s|00|y|00|s|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (sharepointin .com)"; flow:established,to_client; tls.cert_subject; content:"sharepointin.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?sharepointin\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (templatern .com)"; flow:established,to_client; tls.cert_subject; content:"templatern.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?templatern\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1"; flow:established,to_server; content:"base64"; fast_pattern; content:"f0VM"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025716; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (prizegives .com)"; flow:established,to_client; tls.cert_subject; content:"prizegives.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?prizegives\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037185; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2"; flow:established,to_server; content:"base64"; fast_pattern; content:"9FT"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025717; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (shareholds .com)"; flow:established,to_client; tls.cert_subject; content:"shareholds.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?shareholds\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3"; flow:established,to_server; content:"base64"; fast_pattern; content:"/RU"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025718; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (mesharepoint .com)"; flow:established,to_client; tls.cert_subject; content:"mesharepoint.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?mesharepoint\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (prizewings .com)"; flow:established,to_client; tls.cert_subject; content:"prizewings.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?prizewings\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category EXPLOIT, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (doctricant .com)"; flow:established,to_client; tls.cert_subject; content:"doctricant.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?doctricant\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037189; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web Servers Likely Command Execution 4"; flow:established,to_server; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; classtype:attempted-user; sid:2025732; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (sharession .com)"; flow:established,to_client; tls.cert_subject; content:"sharession.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?sharession\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025392; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (sharepointle .com)"; flow:established,to_client; tls.cert_subject; content:"sharepointle.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?sharepointle\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|w|00|"; nocase; distance:0; content:"|00|h|00|i|00|d|00|d|00|e|00|n|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025720; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (mcsharepoint .com)"; flow:established,to_client; tls.cert_subject; content:"mcsharepoint.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?mcsharepoint\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|p|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025722; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (officenced .com)"; flow:established,to_client; tls.cert_subject; content:"officenced.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?officenced\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025723; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (templatent .com)"; flow:established,to_client; tls.cert_subject; content:"templatent.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?templatent\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037194; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|n|00|i|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025724; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (sharepointen .com)"; flow:established,to_client; tls.cert_subject; content:"sharepointen.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?sharepointen\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025725; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (officence .com)"; flow:established,to_client; tls.cert_subject; content:"officence.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?officence\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 5"; flow:established,to_server; content:"XDE3N1wxMDVcMTE0XDEwN"; classtype:attempted-user; sid:2025832; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (templateau .com)"; flow:established,to_client; tls.cert_subject; content:"templateau.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?templateau\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037197; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 6"; flow:established,to_server; content:"wxNzdcMTA1XDExNFwxMD"; classtype:attempted-user; sid:2025833; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (sharesbyte .com)"; flow:established,to_client; tls.cert_subject; content:"sharesbyte.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?sharesbyte\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 7"; flow:established,to_server; content:"cMTc3XDEwNVwxMTRcMTA2"; classtype:attempted-user; sid:2025834; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (officences .com)"; flow:established,to_client; tls.cert_subject; content:"officences.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?officences\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037199; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Github Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"form action=|22|login.php|22|"; content:"<h1>Sign in to GitHub</h1>"; distance:0; fast_pattern; content:"<input type=|22|text|22 20|name=|22|username|22|"; distance:0; classtype:social-engineering; sid:2025873; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (officentry .com)"; flow:established,to_client; tls.cert_subject; content:"officentry.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?officentry\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037200; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Twitter Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Login to Twitter</title>"; content:"form action=|22|login.php|22|"; distance:0; content:"|20 20 20 20 20 20|name=|22|usernameOrEmail|22 0a|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025874; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (officested .com)"; flow:established,to_client; tls.cert_subject; content:"officested.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?officested\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 8"; flow:established,to_server; content:"XFx4N2ZcXHg0NVxceDRjXFx4ND"; classtype:attempted-user; sid:2025865; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (prizemons .com)"; flow:established,to_client; tls.cert_subject; content:"prizemons.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?prizemons\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 9"; flow:established,to_server; content:"xceDdmXFx4NDVcXHg0Y1xceDQ2"; classtype:attempted-user; sid:2025866; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (prizewel .com)"; flow:established,to_client; tls.cert_subject; content:"prizewel.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?prizewel\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037203; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 10"; flow:established,to_server; content:"cXHg3ZlxceDQ1XFx4NGNcXHg0N"; classtype:attempted-user; sid:2025867; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (sharestion .com)"; flow:established,to_client; tls.cert_subject; content:"sharestion.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?sharestion\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037204; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 11"; flow:established,to_server; content:"|5c|177|5c|105|5c|114|5c|106|5c|"; fast_pattern; classtype:attempted-user; sid:2025868; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (attemplate .com)"; flow:established,to_client; tls.cert_subject; content:"attemplate.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?attemplate\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 12"; flow:established,to_server; content:"|5c 5c|x7f|5c 5c|x45|5c 5c|x4c|5c 5c|x46|5c 5c|"; classtype:attempted-user; sid:2025869; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Microsoft Attack Simulation Training SSL Cert (windocyte .com)"; flow:established,to_client; tls.cert_subject; content:"windocyte.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?windocyte\.com(?!\.)/"; reference:url,docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started; classtype:misc-activity; sid:2037206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"<title>Netflix</title>"; content:"meta content=|22|watch movies"; distance:0; content:"meta content=|22|Watch Netflix movies"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025875; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Delphi JEDI Visual Component Library User-Agent (JEDI-VCL)"; flow:established,to_server; http.host; content:!"apexwin.com"; http.user_agent; content:"JEDI-VCL"; startswith; classtype:misc-activity; sid:2013559; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"class=|22|ie ie6 lte9 lte8 lte7 os-linux|22|>"; content:"<title>LinkedIn|26 23|58|3b 20|Log In or Sign Up</title>"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025876; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Custom Logo Domain Domain in DNS Lookup (logodownload .org)"; dns.query; dotprefix; content:".logodownload.org"; nocase; endswith; classtype:misc-activity; sid:2037269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_07_05;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE passwd file Outbound from WEB SERVER Linux"; flow:established,from_server; file_data; content:"root:x:0:0:root:/root:/bin/"; within:27; classtype:successful-recon-limited; sid:2025879; rev:1; metadata:created_at 2018_07_20, updated_at 2018_07_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert (logodownload .org)"; flow:established,to_client; tls.cert_subject; content:"logodownload.org"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?logodownload\.org(?!\.)/"; classtype:misc-activity; sid:2037270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] DHL Phish Landing July 24 2018"; flow:established,to_client; file_data; content:"<TITLE>Tracking made easy"; nocase; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Sign In With Your Correct Email and Password To Review Package Information"; nocase; distance:0; classtype:social-engineering; sid:2025886; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_07_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET INFO Outbound RRSIG DNS Query Observed"; content:"|00 00 2e 00 01|"; fast_pattern; classtype:bad-unknown; sid:2030555; rev:2; metadata:created_at 2020_07_17, former_category INFO, updated_at 2020_07_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, updated_at 2018_07_24;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to Dynamic DNS Service (giize .com)"; dns.query; dotprefix; content:".giize.com"; nocase; endswith; classtype:bad-unknown; sid:2037725; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_07_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2018_07_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed File Sharing Domain (roamresearch .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"roamresearch.com"; bsize:16; fast_pattern; classtype:bad-unknown; sid:2037763; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, signature_severity Major, updated_at 2022_07_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GoldenRat, tag Android, updated_at 2018_07_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO File Sharing Domain in DNS Lookup (roamresearch .com)"; dns.query; content:"roamresearch.com"; nocase; bsize:16; classtype:bad-unknown; sid:2037764; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK IE Exploit"; flow:established,to_client; file_data; content:"IE=EmulateIE9"; nocase; content:"</head"; nocase; within:200; content:"<body"; nocase; within:200; content:"<script"; nocase; within:200; content:"!!window.ActiveXObject"; nocase; within:200; content:"try"; within:200; content:"parent.parent.setLocalStoreUserData"; nocase; distance:0; pcre:"/^\s*\([\x22\x27][A-F0-9a-f]{32}[\x22\x27]\s*\)\s*\x3b\s*}\s*catch\s*\(e\)\s*\{\s*\}\s*\}\s*<\/script>\s*<\/body>/Rsi"; classtype:exploit-kit; sid:2025911; rev:1; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Shared File Retrieved (roamresearch .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/|23|/app/cig/page/"; startswith; fast_pattern; http.host; content:"roamresearch.com"; classtype:bad-unknown; sid:2037765; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_07_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"<param"; nocase; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; classtype:exploit-kit; sid:2025914; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_07_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category INFO, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Underminer EK Plugin Check"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"setcallbackfunction"; nocase; content:"<param"; pcre:"/^(?=[^>]*? name\s*=\s*[\x22\x27]movie)[^>]*? value\s*=\s*[\x22\x27]+\+(?P<var>[\w_-]+)\+[^>]+\/>\s*[\x22\x27]+\+(?P<var2>[\w_-]+)\+(?=.+?\b(?P=var)\s*\>\=\s*23\s*&&\s*(?P=var)<\=\s*28\b)(?=.+?\b(?P=var)\s*\>\=\s*17\s*&&\s*(?P=var)<\=\s*18\b)(?=.+?\b(?P=var)\s*\>\=\s*11\s*&&\s*(?P=var)<\=\s*16\b).+?,\s*?(?P=var2)\s*\(\s*\)\s*\)\s*\:(?P=var)\s*\>\=\s*\d/Rsi"; classtype:exploit-kit; sid:2025915; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2018_09_28;)
+#alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .com.ru Domain"; dns.query; dotprefix; content:".com.ru"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:4; metadata:created_at 2010_09_28, former_category INFO, updated_at 2022_07_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Deserialization  (CVE-2018-2893)"; flow:established,to_server; content:"t3|20|12"; depth:5; fast_pattern; content:"AS|3a|255"; distance:0; content:"HL|3a|19"; distance:0; content:"MS|3a|10000000"; distance:0; content:"PU|3a|t3|3a|//"; distance:0; reference:cve,2018-2893; reference:url,github.com/pyn3rd/CVE-2018-2893; classtype:attempted-admin; sid:2025929; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_08_01;)
+#alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .com.cn Domain"; dns.query; dotprefix; content:".com.cn"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:4; metadata:created_at 2010_09_28, former_category INFO, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Christian Mingle Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>christian mingle - login</title>"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|data.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025973; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.kr Domain"; dns.query; dotprefix; content:".co.kr"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:4; metadata:created_at 2010_09_28, former_category INFO, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your microsoft account</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025974; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Pastebin-style Service (textbin .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"textbin.net"; bsize:11; fast_pattern; classtype:bad-unknown; sid:2037786; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_07_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>log in to your paypal account</title>"; nocase; fast_pattern; content:"|7a 31 31 38 2e 63 73 73|"; nocase; distance:0; classtype:social-engineering; sid:2025975; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Redirection Service Domain in DNS Lookup (con-ip .com)"; dns.query; dotprefix; content:".con-ip.com"; nocase; endswith; classtype:bad-unknown; sid:2037787; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_07_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Free Mobile Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>free mobile - bienvenue dans votre espace"; nocase; fast_pattern; content:"<img id=|22|fins|22 20|src=|22|fins.png|22|>"; nocase; distance:0; content:"<input type=|22|password|22 20|name=|22|ps|22 20|id=|22|ps|22|"; nocase; distance:0; classtype:social-engineering; sid:2025976; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain"; flow:established,to_server; http.host; content:".misecure.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036077; rev:2; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, deprecation_reason Duplicate, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>adobe pdf</title>"; nocase; fast_pattern; content:"title=|22|you are not signed in yet|22|"; nocase; distance:0; content:"title=|22|login to continue|22|"; nocase; distance:0; content:"adobe pdf online"; nocase; distance:0; content:"email password"; nocase; distance:0; classtype:social-engineering; sid:2025977; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myddns.me Domain"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".myddns.me"; fast_pattern; nocase; endswith; classtype:policy-violation; sid:2027287; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Ajax Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account"; nocase; content:"action: posturl|20|}|22 20|action=|22|connectidx.php|22|"; nocase; distance:0; fast_pattern; content:"privacy.microsoft.com"; nocase; distance:0; classtype:social-engineering; sid:2025978; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"content=|22|alibaba manufacturer directory"; nocase; content:"class=|22|xman"; nocase; distance:0; fast_pattern; content:"id=|22|xman"; nocase; distance:0; content:"<iframe"; nocase; distance:0; classtype:social-engineering; sid:2025979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account</title>"; nocase; content:"onerror=|22|$loader.on(this,true)|22 20|onload=|22|$loader.on(this)"; nocase; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; classtype:social-engineering; sid:2025981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (getavs)"; flow:established,to_client; content:"|00 00 00 00|getavs="; offset:1; depth:11; fast_pattern; reference:md5,0f0f6f48c3ee5f8e7cd3697c40002bc7; classtype:trojan-activity; sid:2036286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Perimeter, former_category MALWARE, malware_family MSIL_Crimson, performance_impact Moderate, signature_severity Major, updated_at 2018_08_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M1 (set)"; flow:established,to_server; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028828; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
 
-alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Internal, former_category EXPLOIT, signature_severity Minor, updated_at 2018_08_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M2 (set)"; flow:established,to_server; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028830; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDX in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDX-"; within:5; flowbits:set,ET.pdx.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025985; rev:2; metadata:affected_product Adobe_Reader, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metaploit http scanner (tested: 4.11.5 Kali)"; ja3_hash; content:"16f17c896273d1d098314a02e87dd4cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028301; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:not-suspicious; sid:2016394; rev:7; metadata:created_at 2013_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2018_08_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit CCS Scanner"; ja3_hash; content:"950ccdd64d360a7b24c70678ac116a44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028302; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:exploit-kit; sid:2016522; rev:3; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit HeartBleed Scanner"; ja3_hash; content:"ee031b874122d97ab269e0d8740be31a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028303; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Rallovs.A CnC Beacon"; flow:established,to_server; dsize:>1000; content:"|00 00 00 00|2|00|0|00|"; fast_pattern; pcre:"/^[1-9]\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00|-|00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 20 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; within:3; pcre:"/^\d\x00\d/R"; content:"|00 3a 00|"; pcre:"/^\d\x00\d/R"; content:"|00 00|2|00|0|00|"; distance:0; content:"|00|-|00|"; distance:3; within:3; reference:md5,67a039a3139c6ef1bf42424acf658d01; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; classtype:command-and-control; sid:2021117; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag c2, updated_at 2018_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit SSL Scanner"; ja3_hash; content:"6825b330bf9de50ccc8745553cb61b2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028304; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp any any -> $HOME_NET 12397 (msg:"ET SCADA SEIG SYSTEM 9 - Remote Code Execution"; flow:established,to_server; content:"|14 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00 00 00 04 00 00 00 60 00|"; depth:24; content:!"|0d|"; distance:0; content:!"|0a|"; distance:0; content:!"|ff|"; content:!"|00|"; distance:0; reference:url,exploit-db.com/exploits/45218/; reference:cve,2013-0657; classtype:attempted-user; sid:2026003; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - mitmproxy"; ja3_hash; content:"4d01f8b1afc22e138127611b62f1e6ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028308; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:command-and-control; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2018_08_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - mitmproxy"; ja3_hash; content:"8ef6a005eae3d51b652ffe41984f8869"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028309; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp any any -> $HOME_NET 27700 (msg:"ET SCADA SEIG Modbus 3.4 - Remote Code Execution"; flow:established,to_server; content:"|42 42 ff ff 07 03 44 00 64|"; fast_pattern; content:"|90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/45220/; reference:cve,2013-0662; classtype:attempted-user; sid:2026005; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Nikto (tested 2.1.6 - Kali)"; ja3_hash; content:"5eeeafdbc41e5ca7b81c92dbefa03ab7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028327; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-27"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026038; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Nikto (tested 2.1.6 - Kali)"; ja3_hash; content:"f4262963691a8f123d4434c7308ad7fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028328; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:command-and-control; sid:2019202; rev:4; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Nikto (tested v2.1.6)"; ja3_hash; content:"a563bb123396e545f5704a9a2d16bcb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028329; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:".php|22 20|name=|22|chalbhai|22 20|id=|22|chalbhai|22 20|method=|22|post|22|"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - AnglerEK"; ja3_hash; content:"96eba628dcb2b47607192ba74a3b55ba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028360; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"var hea2p ="; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; nocase; distance:0; content:"var hea2t ="; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026043; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - AnglerEK"; ja3_hash; content:"d55e755245ac118f2b1847c1c57b5e03"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028361; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:"name=chalbhai id=chalbhai method=post"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026042; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Boleto Malspam"; ja3_hash; content:"4f635262ad3fb6e634daee798082c788"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028363; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/postmaster.png|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"<img src=|22|./hellion/logos.png|22|"; nocase; distance:0; classtype:social-engineering; sid:2026044; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Boleto Malspam"; ja3_hash; content:"e9273590c7875d6367325f8714890790"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028364; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Document Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<h3>DOCUMENT MANAGEMENT SYSTEM</h3>"; fast_pattern; nocase; content:"javascript:void(0)|3b 22|>Document</a> -> <a href=|22|javascript:void(0)|3b 22|>Important Files</a> -> Current File</div>"; nocase; distance:0; content:"<h3>File to Download</h3>"; content:"USER AUTHENTICATION</h4>"; nocase; distance:0; classtype:social-engineering; sid:2026045; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Dridex"; ja3_hash; content:"67f762b0ffe3aad00dfdb0e4b1acd8b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028365; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; classtype:social-engineering; sid:2026046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Dridex"; ja3_hash; content:"85bedfc1914da556aab4518390798003"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028366; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"jQuery(function($)"; nocase; content:"$('.cc-number').payment('formatCardNumber"; nocase; distance:0; content:"$(|22|#ssn|22|).mask(|22|999-99-9999"; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026049; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Eitest Chrome Popup"; ja3_hash; content:"098f55e27d8c4b0a590102cbdb3a5f3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028367; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Stripe Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Stripe: Login"; nocase; fast_pattern; content:"<form name=|22|appleConnectForm"; nocase; distance:0; content:"onsubmit=|22|if(do_submit(3)) return true|3b 20|"; nocase; distance:0; content:"id=|22|pass0|22|"; nocase; distance:0; classtype:social-engineering; sid:2026050; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Eitest/AnglerEK"; ja3_hash; content:"ff94b48f555edc2f0a4c8256eb0d81de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028368; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function MM_validateForm() { //v"; nocase; content:"email address to view or download"; nocase; distance:0; content:"PDF is protected"; nocase; distance:0; content:"onclick=|22|MM_validateForm('password"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Fake Firefox Font Update"; ja3_hash; content:"2efb07037a97b06201ab4fe7ec0c326e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028369; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"url(Google_docs_files/"; nocase; fast_pattern; content:"href=|22|Google_docs_files/"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"data-description=|22|Sign in with"; nocase; distance:0; classtype:social-engineering; sid:2026052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Fake Firefox Font Update"; ja3_hash; content:"df5c30e670dba99f9270ed36060cf054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028370; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING WeTransfer Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Encrypted Message"; nocase; fast_pattern; content:"<div id=|22|gmail|22|"; nocase; distance:0; content:"<div id=|22|yahoo|22|"; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2026053; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Fake Firefox Font Update"; ja3_hash; content:"a0e9f5d64349fb13191bc781f81f42e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028371; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>|ce 92 d0 b0 6e 6b 20 d0 be 66 20 ce 91 6d d0 b5 72 d1 96 d1 81 d0 b0 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 92 d0 b0 6e 6b d1 96 6e 67 20 7c 20 d0 85 d1 96 67 6e 20 ce 99 6e 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 99 44|</title>"; classtype:social-engineering; sid:2026054; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - FiestaEK"; ja3_hash; content:"c1fbfd09bd0bab610be60dd6819688f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:exploit-kit; sid:2028372; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; content:"name=|22|generator|22 20|content=|22|WYSIWYG"; nocase; distance:0; content:"href=|22|css/Untitled"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026055; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Gootkit"; ja3_hash; content:"a34e8a810b5f390fc7aa5ed711fa6993"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028373; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Verification"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026056; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Gootkit"; ja3_hash; content:"c6e36d272db78ba559429e3d845606d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028374; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Settings|20 7c 20|Email Upgrade"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026057; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Java Based RAT"; ja3_hash; content:"187dfde7edc8ceddccd3deeccc21daeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028375; rev:2; metadata:created_at 2019_09_10, deprecation_reason False_Positive, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Dropbox|20 7c 20|Sign in"; nocase; fast_pattern; content:"name=|22|generator|22 20|content=|22|Web Page Maker"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position:absolute|3b 20|overflow:hidden|3b 20|left:"; nocase; distance:0; classtype:social-engineering; sid:2026058; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Malspam"; ja3_hash; content:"243a279e5aaae8841edf46d00c05195e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028376; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Sign In|20 7c 20|LinkedIn"; nocase; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22 20|action=|22|login.php|22|>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Malspam"; ja3_hash; content:"e7d705a3286e19ea42f587b344ee6865"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028377; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"51b5c918558a4bfb50ce1ab1d5fddff7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028378; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"852e7534b3f722d893a7750afb5ecdcc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028379; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"a7dfa1673bb090cab6b6658861f43473"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028380; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; classtype:social-engineering; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"aeae3901ecde8396b2f5648c02aeb37f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028381; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"e107ef8ec0296e17c3f82de949b4066c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028382; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; classtype:social-engineering; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"fd6bbdf835788b3c7d33372127470a06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028383; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; classtype:social-engineering; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - NuclearEK"; ja3_hash; content:"fd2273056f386e0ba8004e897c337037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028385; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; classtype:social-engineering; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"1848357994c2851c809cb01bae7d631c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028386; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"2d44457ca7a1e0e754664c8469ce62a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028387; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malfams"; ja3_hash; content:"bafc6b01eae6f4350f5db6805ace208e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028388; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>AT&"; nocase; content:"href=|22|https://home.secureapp.att.net/"; nocase; distance:0; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22|"; nocase; distance:0; content:"|22|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|"; nocase; distance:0; classtype:social-engineering; sid:2026060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - TBot / Skynet Tor Botnet"; ja3_hash; content:"b50f81ae37fb467713e167137cf14540"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028389; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP)"; flow:to_server,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026084; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Trickbot"; ja3_hash; content:"294b2f1dc22c6e6c3231d2fe311d504b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028390; rev:2; metadata:created_at 2019_09_10, former_category JA3, malware_family TrickBot, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt"; flow:to_client,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026085; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex"; ja3_hash; content:"b9103d9d134e0c59cafbe4ae0a8299a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028391; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP)"; flow:to_server,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026086; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"3fab5d0fe3b2408c8b2251b46d3895de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028392; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt"; flow:to_client,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026087; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"6f702efe6480d2a1c9f85b73b8a4794a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028393; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP)"; flow:to_server,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]*\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026088; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"92579701f145605e9edc0b01a901c6d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028394; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt"; flow:to_client,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]+\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026089; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Eitest"; ja3_hash; content:"1074895078955b2db60423ed2bf8ac23"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028395; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026090; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various EK"; ja3_hash; content:"51a7ad14509fd614c7bb3a50c4982b8c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028396; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt"; flow:to_client,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026091; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malspam/RigEK"; ja3_hash; content:"3b483d0b34894548b602e8d18cdc24c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028397; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026092; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malspam/RigEK/Dreambot"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028398; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt"; flow:to_client,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026093; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category EXPLOIT, signature_severity Informational, updated_at 2018_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various RigEK/Cryptowall/Dridex"; ja3_hash; content:"2d8794cb7b52b777bee2695e79c15760"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028399; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2018_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various RigEK/Dridex/Kovter"; ja3_hash; content:"df8bfc363eeba63ab938cb2190ccd7b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028400; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon"; flow:established,to_server; dsize:12; content:"RFB 003.008|0a|"; depth:12; reference:md5,27741793672d8b69803f3d2434743731; reference:md5,076fd584d2fcdf5110f41bcbbd9f2c62; reference:md5,49749ee8fb2a2dab83494ab0e6cf5e7b; classtype:command-and-control; sid:2035893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family PowerSniff, malware_family Punchbuggy_VNC_Module, malware_family Gamaredon, signature_severity Major, tag c2, updated_at 2018_09_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex"; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028401; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)"; flow:established,to_server; dsize:<500; content:"|00 6c 6c|"; depth:6; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/i"; flowbits:set,ETPRO.njratgeneric; reference:md5,d68eaf3b43ba1d26b9067489bbf7ee44; classtype:command-and-control; sid:2033132; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Bladabindi, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_03_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Superfish"; ja3_hash; content:"1b5a75e6d0f679aa312edb060ea8d932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028402; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Superfish"; ja3_hash; content:"cfaa6f79904b33fdca83dbb5d4b537d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028403; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Rapid7 Nexpose"; ja3_hash; content:"c22dea495cef869edbeb3458adaf497f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028413; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - sqlmap (tested: v1.0-dev kali)"; ja3_hash; content:"615788655a0e65b71e47c3ebe2302564"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028467; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic MRxJoker Phishing Landing 2018-09-27"; flow:established,to_client; file_data; content:"content=|22|@importmrxjokercss|22|"; nocase; fast_pattern; content:"name=|22|mrxjokercard|22|"; nocase; distance:0; classtype:social-engineering; sid:2026419; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_09_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - sqlmap (tested: v1.0.7.0 OS X)"; ja3_hash; content:"1ab5d0f756e0692a975fda9a6474969f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028468; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file_data; content:"MZ"; depth:2; fast_pattern; content:"This program"; within:100; classtype:trojan-activity; sid:2026434; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, malware_family Locky, malware_family Emotet, signature_severity Major, updated_at 2018_10_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - WPScan (tested: 2.9 Kali)"; ja3_hash; content:"4c8ff2ddb1890482e5989b80e48b54d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028556; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026437; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"1aa7bf8b97e540ca5edd75f7b8384bfa"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028757; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v1"; flow:established,to_server; content:"/?itwm"; fast_pattern; pcre:"/itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026438; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Quakbot"; ja3_hash; content:"3cda52da4ade09f1f781ad2e82dcfa20"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028758; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v2"; flow:established,to_server; content:"&itwm"; fast_pattern; pcre:"/&itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026439; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Quakbot"; ja3_hash; content:"7dd50e112cd23734a310b90f6f44a7cd"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028759; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert tcp any any <> any any (msg:"ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028760; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category JA3, signature_severity Major, tag Ransomware, updated_at 2019_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC APT28 - Web/request -FILE- contenttype"; flow:established,from_client; content:"-FILE-"; pcre:"/[A-Z0-9\-]{16}-FILE-[^\r\n]+.tmp/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026441; rev:2; metadata:created_at 2018_10_04, former_category MALWARE, updated_at 2018_10_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gootkit"; ja3_hash; content:"c5235d3a8b9934b7fbbd204d50bc058d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028761; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Containing Executable Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2018_10_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"e62a5f4d538cbf169c2af71bec2399b4"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028762; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026465; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adwind"; ja3_hash; content:"d2935c58fe676744fecc8614ee5356c7"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028763; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet"; flow:established,to_server; content:"HELO|20 2a 2e 2a 0d 0a|"; depth:11; classtype:bad-unknown; sid:2026463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_10_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adwind"; ja3_hash; content:"decfb48a53789ebe081b88aabb58ee34"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028764; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file_data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_10_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"51c64c77e60f3980eea90869b68c58a8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028765; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:command-and-control; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"cb98a24ee4b9134448ffb5714fd870ac"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028766; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:command-and-control; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028767; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:command-and-control; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"fb58831f892190644fe44e25bc830b45"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028768; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:command-and-control; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"0cc1e84568e471aa1d62ad4158ade6b5"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028769; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:command-and-control; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"2092e1fffb45d7e4a19a57f9bc5e203a"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028770; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family CaratRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"d18a4da84af59e1108862a39bae7c9d4"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028771; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed - Possible Authentication Bypass (CVE-2018-10933)"; flow:from_server,established; content:"SSH-2.0-libssh-0."; depth:17; pcre:"/^[67]\.[01235]/R"; reference:url,www.libssh.org/security/advisories/CVE-2018-10933.txt; reference:url,github.com/blacknbunny/libSSH-Authentication-Bypass; reference:cve,2018-10933; classtype:bad-unknown; sid:2026526; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category POLICY, signature_severity Major, tag CVE_2018_10933, updated_at 2018_10_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"b386946a5a44d1ddcc843bc75336dfce"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028772; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT IE Double Free (CVE-2018-8460)"; flow:to_client,established; file_data; content:"<script"; nocase; content:"CreateElement"; nocase; content:"cssText"; nocase; content:"DOMAttrModified"; fast_pattern; nocase; content:"addEventListener"; nocase; pcre:"/(?P<obj>[^\s]{1,25})\s*=\s*document\s*\.\s*createElement.*?(?P<func>[^\s]{1,25})\s*=\s*function\s*\x28\s*e\s*\x29\s*{[^}]*this\s*\.\s*style\s*\.\s*cssText.*?(?P=obj)\s*\.\s*addEventListener\s*\x28\s*[\x22\x27]\s*DOMAttrModified\s*[\x22\x27]\s*\x2c\s*(?P=func)/si"; reference:cve,2018-8460; classtype:attempted-user; sid:2026531; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category WEB_CLIENT, updated_at 2018_10_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028773; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_11_01, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2018_11_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028774; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:command-and-control; sid:2026579; rev:1; metadata:attack_target Client_and_Server, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellbot_SM, performance_impact Low, signature_severity Major, tag Perl, updated_at 2018_11_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"8991a387e4cc841740f25d6f5139f92d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028775; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2018_11_07;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028776; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mylobot Receiving XOR Encrypted Config (0xde)"; flow:established,from_server; content:"|00 00 00 00|"; depth:4; content:"|b6 aa aa ae e4 f1 f1|"; distance:1; within:7; fast_pattern; content:"|de 00 00 00 00|"; distance:0; reference:url,www.netformation.com/our-pov/mylobot-continues-global-infections/; classtype:trojan-activity; sid:2026613; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Mylobot, performance_impact Low, signature_severity Major, updated_at 2018_11_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028777; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=driversearch.site"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_11_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028778; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Xbalti Phishing Landing 2018-11-26"; flow:established,from_server; file_data; content:"|2d 2d 7e 28 20 20 5c 20 7e 29 29 29 29 29 29 29 29 29 29 29 29 0d 0a 20 20 20 20 2f 20 20 20 20 20 5c 20 20 60 5c 2d 28 28 28 28 28 28 28 28 28|"; within:400; content:"|5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f|"; fast_pattern; classtype:social-engineering; sid:2026650; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_11_26;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028779; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=kortusops.icu"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026659; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_27, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Loader, updated_at 2018_11_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"29085f03f8e8a03f0b399c5c7cf0b0b8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028780; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013491; rev:3; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028781; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Outbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013490; rev:3; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"b13d01846ad7a14a70bf030a16775c78"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028782; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Delphi APT28 Zebrocy/Zekapab Reporting to CnC"; flow:established,to_server; content:"POST"; http_method; content:".php?res="; http_uri; content:"data="; http_client_body; depth:5; content:"%0D%0AHost%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0AOS%20Name|3a|%20%20%20"; http_client_body; distance:0; content:"%0D%0ARegistered%20Owner|3a|%20%20%20"; http_client_body; distance:0; fast_pattern; content:"%0D%0AOriginal%20Install%20Date|3a|%20%20%20"; http_client_body; distance:0; http_protocol; content:"HTTP/1.0"; http_header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category TROJAN, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2018_11_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"698e36219f3979420fa2581b21dac7ec"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028783; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M2"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0A|"; depth:28; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2018_12_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Torrentlocker"; ja3_hash; content:"1712287800ac91b34cadd5884ce85568"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028784; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M1"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; depth:29; fast_pattern; byte_test:1,!=,0x4D,0,relative; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2018_11_26;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"550dce18de1bb143e69d6dd9413b8355"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028785; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"md5"; depth:3; fast_pattern; content:"nnnn"; distance:12; within:4; content:"z"; distance:28; within:1; content:"z"; distance:32; within:1; content:"z"; distance:35; within:1; reference:url,thehackernews.com/2018/12/china-ransomware-wechat.html; classtype:trojan-activity; sid:2026687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2018_12_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"d7150af4514b868defb854db0f62a441"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028786; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 27 (msg:"ET MALWARE ELF/Samba CnC Checkin"; flow:established,to_server; dsize:8; content:"|11 10 10 01 22 32 21 52|"; fast_pattern; reference:url,www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution; classtype:command-and-control; sid:2026717; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category MALWARE, malware_family Samba, performance_impact Low, signature_severity Major, updated_at 2018_12_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"df5c30e670dba99f9270ed36060cf054"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028787; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RedControle Probing Infected System"; flow:established,to_server; dsize:14; content:"SE_ND_CO_NN_EC"; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:trojan-activity; sid:2026723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category TROJAN, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2018_12_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"7dcce5b76c8b17472d024758970a406b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028788; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 64bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|48 FF C5 42 0F B6|"; distance:0; fast_pattern; content:"|32 45|"; distance:2; within:2; content:"|41 88 41 FF|"; distance:1; within:4; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2018_12_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"911479ac8a0813ed1241b3686ccdade9"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028789; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AveMaria Initial CnC Checkin"; flow:established,to_server; dsize:12; content:"|29 bb 66 e4 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,app.any.run/tasks/67362469-76df-4b19-bfda-5d95a2b4d179; classtype:command-and-control; sid:2026736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_15, deployment Perimeter, former_category MALWARE, malware_family AveMaria, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2018_12_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"03e186a7f83285e93341de478334006e"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028790; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Visa Phishing Landing Jan 30 2014"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; http_referer; content:!"http|3a 2f 2f|www.crdbbank.com"; nocase; isdataat:!1,relative; classtype:social-engineering; sid:2018045; rev:6; metadata:created_at 2014_01_30, former_category PHISHING, updated_at 2021_06_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"17fd49722f8d11f3d76dce84f8e099a7"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028791; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Orion Stealer Exfil via FTP"; flow:established,to_server; content:"STOR PC|3a 20|"; depth:9; content:"/Orion Logger - System Details|3a 20|"; distance:0; fast_pattern; reference:md5,007c4edc6e1ca963a9b2e05e136142f2; classtype:trojan-activity; sid:2026741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_21, former_category TROJAN, updated_at 2018_12_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"fb00055a1196aeea8d1bc609885ba953"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028792; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Redirect 2019-01-02"; flow:from_server,established; file_data; content:"<!--"; depth:4; content:"window.top.location='account/?view=login&appIdKey="; nocase; within:150; isdataat:!50,relative; classtype:social-engineering; sid:2026748; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_01_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"098f55e27d8c4b0a590102cbdb3a5f3a"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028793; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET COINMINER Random Hash Pascalcoin Miner Checkin"; flow:established,to_server; content:"{|22|params|22|:[|22|rhminer/"; depth:20; classtype:coin-mining; sid:2026750; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2019_01_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"e3b2ab1f9a56f2fb4c9248f2f41631fa"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028794; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TitanFox Loader CnC Checkin"; flow:established,to_server; dsize:<100; content:"|00 01 00 01 02 02 2b 6e 65 74 2e 74 63 70 3a 2f 2f|"; depth:30; fast_pattern; reference:url,app.any.run/tasks/421691f8-bb33-4be3-abcb-6ee36e772856; classtype:command-and-control; sid:2026759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, malware_family TitanFox, performance_impact Low, signature_severity Major, tag Loader, updated_at 2019_01_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"46efd49abcca8ea9baa932da68fdb529"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028795; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012087; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"b2b61db7b9490a60d270ccb20b462826"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028796; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012091; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"92579701f145605e9edc0b01a901c6d5"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028797; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012093; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"7691297bcb20a41233fd0a0baa0a3628"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028798; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012092; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"1543a7c46633acf71e8401baccbd0568"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028799; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012090; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"d6f04b5a910115f4b50ecec09d40a1df"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028800; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET ![23,25,80,137,139,445] -> $EXTERNAL_NET 20000: (msg:"ET MALWARE Sourtoff Download Simda Request"; flow:established,to_server; dsize:18; content:"|0a 10|"; depth:2; flowbits:set,ET.TROJAN.Sourtoff; flowbits:noalert; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019312; rev:3; metadata:created_at 2014_09_29, updated_at 2019_01_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"93d056782d649deb51cda44ecb714bb0"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028801; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 853 (msg:"ET INFO DNS Over TLS Request Outbound"; flow:established,to_server; content:"|16 03 01 01|"; depth:4; reference:url,www.linuxbabe.com/ubuntu/ubuntu-stubby-dns-over-tls; classtype:trojan-activity; sid:2026774; rev:2; metadata:created_at 2019_01_10, former_category INFO, updated_at 2019_01_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"5e573c9c9f8ba720ef9b18e9fce2e2f7"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028802; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AtomLogger Exfil via FTP"; flow:established,to_server; content:"Username|3a 20|"; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|Operating System|3a 20|"; distance:0; content:"|0d 0a|IP Address|3a 20|"; distance:0; content:"|0d 0a|Country|3a 20|"; distance:0; content:"|0d 0a|RAM|3a 20|"; distance:0; content:"|0d 0a|Online since|3a 20|"; distance:0; content:"|0d 0a 0d 0a 0d 0a 0d 0a|================================|0d 0a|Keystrokes and Window Log|0d 0a|"; distance:0; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2019_01_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"590a232d04d56409fab72e752a8a2634"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028803; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"849b04bdbd1d2b983f6e8a457e0632a8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028804; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Bitter RAT C2 Response"; flow:established,to_client; stream_size:client,=,1; stream_size:server,=,12; dsize:11; content:"|0b 00 d2 0b 00 00|"; offset:5; depth:6; reference:md5,fc516905e3237f1aa03a38a0dde84b52; classtype:command-and-control; sid:2026826; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family BitterRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"9c2589e1c0e9f533a022c6205f9719e1"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028805; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 85"; flow:established,to_server; content:"|c4 e2 a1 27 66 76 0b 6d bf 25 73|"; depth:11; reference:md5,c00606ac4ed2e1e8a5f503051c555e72; classtype:command-and-control; sid:2026852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"96eba628dcb2b47607192ba74a3b55ba"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028806; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 86"; flow:established,to_server; content:"|ce 4a a7 2f c0 8c 6d 5f 38 20 e9|"; depth:11; reference:md5,f78b75d64e5119f48c0644dfbcffba9d; classtype:command-and-control; sid:2026853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"7c410ce832e848a3321432c9a82e972b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028807; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; reference:url,doc.emergingthreats.net/2009099; classtype:policy-violation; sid:2009099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028808; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 87"; flow:established,to_server; stream_size:server,=, 1; content:"|e9 9d ca 64 2d 84 6e 6b cc 48 16|"; depth:11; reference:md5,872fc6cc16b7ba7e2a74b03927d50e85; classtype:command-and-control; sid:2026862; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2019_01_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Ransomware"; ja3_hash; content:"2d8794cb7b52b777bee2695e79c15760"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028809; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category JA3, signature_severity Major, tag Ransomware, updated_at 2019_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible RTF File With Obfuscated Version Header"; flow:established,to_client; file_data; content:"{|5C|rt"; within:4; content:!"f"; within:1; classtype:bad-unknown; sid:2026863; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2019_01_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"fd80fa9c6120cdeea8520510f3c644ac"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028810; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET MALWARE Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; content:"|20 77 1e 77 19 77 13 77 18 77 00 77 04|"; distance:0; fast_pattern; content:!"|00 00 00 00 00 00|"; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026525; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackCarat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gozi"; ja3_hash; content:"57f3642b4e37e28f5cbe3020c9331b4c"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028811; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; reference:url,doc.emergingthreats.net/2009146; classtype:web-application-activity; sid:2009146; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"906004246f3ba5e755b043c057254a29"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028812; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009147; classtype:web-application-activity; sid:2009147; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"c50f6a8b9173676b47ba6085bd0c6cee"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028813; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:5; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2010_07_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gozi"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028814; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo.info"; fast_pattern; tls_cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some|20|Company"; classtype:domain-c2; sid:2026899; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"b90bdbe961a648f0427db21aaa6ccb59"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028815; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:created_at 2019_02_18, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_02_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"9f62c4f26b90d3d757bea609e82f2eaf"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028816; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|e|00|n|00|c|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025721; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Trojan.AndroidOS.Jocker.snt 1"; ja3_hash; content:"2f514a024266e9e8d11f10e779168579"; reference:md5,68841dcaf26d83fc1c2f955e9e363a65; classtype:trojan-activity; sid:2029150; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_12_16, deployment Perimeter, former_category JA3, signature_severity Critical, tag Android, updated_at 2019_12_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:2; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2019_02_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible BAZAR Backdoor CnC"; ja3.hash; content:"f5e62b5a2ed9467df09fae7a8a54dda6"; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:unknown; sid:2030040; rev:1; metadata:created_at 2020_04_28, former_category JA3, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated Script"; flow:established,to_client; file_data; content:"rc4=function|28|key,str|29|"; nocase; content:"key.charCodeAt|28|i%key.length|29|"; fast_pattern; nocase; distance:0; content:"String.fromCharCode|28|str.charCodeAt|28|"; content:"decodeBase64=function"; nocase; distance:0; content:"b64block="; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_02_18;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible POSHC2 Client CnC"; flowbits:set,ET.poshc2.powershellclient; flowbits: noalert; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030366; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, malware_family PoshC2, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated VBS Script"; flow:established,to_client; file_data; content:"RC4|28|byteMessage, strKey|29|"; nocase; content:"function decodeBase64|28|base64|29|"; nocase; distance:0; content:".createElement|28 22|tmp|22 29|"; nocase; distance:0; content:"decoded = decodeBase64|28|"; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible POSHC2 Server Response"; flowbits:isset,ET.poshc2.powershellclient; ja3s.hash; content:"ec74a5c51106f0419184d0dd08fb05bc"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030367; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, malware_family PoshC2, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NoProfile Command Received In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-nop"; nocase; distance:0; classtype:trojan-activity; sid:2026988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Minor, tag PowerShell, updated_at 2019_02_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible InnocenceBot CnC"; ja3.hash; content:"9551e38f83daab8bcbc283ec0806cf65"; reference:md5,6a2749a5ab44dda4ed6459c8ca36ca64; classtype:unknown; sid:2030645; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w"; nocase; distance:0; content:"hidden"; within:17; classtype:trojan-activity; sid:2026989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Remcos 3.x TLS Connection"; flow:established,to_server; ja3.hash; content:"a85be79f7b569f1df5e6087b69deb493"; classtype:command-and-control; sid:2036594; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category JA3, malware_family Remcos, signature_severity Major, updated_at 2021_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-w 1"; nocase; distance:0; classtype:trojan-activity; sid:2026990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible RustyBuer Client Activity"; flowbits:set,ET.rustybuer; flowbits: noalert; ja3.hash; content:"6cc312d5b10bcbc97c4619603a24131b"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032959; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell NonInteractive Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"-noni"; nocase; distance:0; classtype:trojan-activity; sid:2026991; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible RustyBuer Server Response"; flowbits:isset,ET.rustybuer; ja3s.hash; content:"f6dfdd25d1522e4e1c7cd09bd37ce619"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032960; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"FromBase64String|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026993; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"; flowbits:isset,ET.rclone; ja3s.hash; content:"eb1d94daa7e0344597e756a1fb6e7054"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033055; rev:1; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadFile Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadFile|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"; flowbits:isset,ET.rclone; ja3s.hash; content:"b607b6456e5d8a98efa7eb7f15029431"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033056; rev:1; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadString Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadString|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible Rclone Client Activity"; flowbits:set,ET.rclone; flowbits:noalert; ja3.hash; content:"d0ee3237a14bbd89ca4d2b5356ab20ba"; tls.sni; content:!"grafana.com"; content:!"grafana.org"; content:!"grafana.net"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033047; rev:2; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell DownloadData Command Common In Powershell Stagers"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"DownloadData|28|"; nocase; distance:0; classtype:trojan-activity; sid:2026996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_02_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible Nessus Client"; ja3.hash; content:"9598288c48f0a784d8e153b0df2b3bd1"; classtype:bad-unknown; sid:2033150; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Informational, updated_at 2021_06_17;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026920; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"eb1d94daa7e0344597e756a1fb6e7054"; reference:url,thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/; classtype:bad-unknown; sid:2033157; rev:1; metadata:created_at 2021_06_22, former_category JA3, updated_at 2021_06_22;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (ctT2J) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"ctT2J"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"aa29d305dff6e6ac9cd244a62c6ad0c2"; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:bad-unknown; sid:2033395; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmp) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmp"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026922; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"ae4edc6faf64d08308082ad26be60767"; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:bad-unknown; sid:2033396; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (V3LU9iam) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"V3LU9iam"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tls $EXTERNAL_NET [!25,!587] -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"649d6810e8392f63dc311eecb6b7098b"; tls.cert_subject; content:!"servicebus.windows.net"; flowbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (XctT2JqZW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"XctT2JqZW"; fast_pattern; distance:0; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026924; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET [465,993] (msg:"ET JA3 HASH - Possible AnchorMail CnC Traffic"; flow:established,to_server; ja3.hash; content:"c216e752cae6f8755fd27f561d031636"; reference:url,securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/; reference:md5,139e70aa7f26f998c1058c270a51783d; classtype:command-and-control; sid:2035359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category JA3, signature_severity Major, updated_at 2022_03_01;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded New-Object (dy1PYmplY3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dy1PYmplY3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (FydC1Qcm9) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FydC1Qcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026926; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJ) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026927; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Psyb0t joining an IRC Channel"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"JOIN #mipsel"; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; classtype:trojan-activity; sid:2009172; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2N) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2N"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"<p>You will receive a log report every "; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; classtype:trojan-activity; sid:2002979; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (RhcnQtUHJvY2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"RhcnQtUHJvY2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; classtype:trojan-activity; sid:2008348; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (GFydC1Qcm9jZX) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GFydC1Qcm9jZX"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001764; classtype:misc-activity; sid:2001764; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Start-Process (YXJ0LVByb2Nlc3) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJ0LVByb2Nlc3"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE Outbound AVISOSVB MSSQL Request"; flow:established,to_server; content:"|54 00 42 00 4c 00 5f 00 41 00 56 00 49 00 53 00 4f 00 53 00 56 00 42 00|"; reference:url,doc.emergingthreats.net/2011199; reference:md5,1f5b6d6d94cc6272c937045e22e6d192; classtype:trojan-activity; sid:2011199; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (Zva2UtV21pTWV) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtV21pTWV"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; reference:url,doc.emergingthreats.net/2010909; classtype:trojan-activity; sid:2010909; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; reference:url,doc.emergingthreats.net/2010910; classtype:trojan-activity; sid:2010910; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXR) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXR"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010911; classtype:trojan-activity; sid:2010911; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (52b2tlLVdtaU1ldG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLVdtaU1ldG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; reference:url,doc.emergingthreats.net/2010912; classtype:trojan-activity; sid:2010912; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (nZva2UtV21pTWV0aG) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtV21pTWV0aG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; reference:url,doc.emergingthreats.net/2010913; classtype:trojan-activity; sid:2010913; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-WmiMethod (dm9rZS1XbWlNZXRob2) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1XbWlNZXRob2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010914; classtype:trojan-activity; sid:2010914; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (Zva2UtQ29) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"Zva2UtQ29"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; reference:url,doc.emergingthreats.net/2010915; classtype:trojan-activity; sid:2010915; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; reference:url,doc.emergingthreats.net/2010916; classtype:trojan-activity; sid:2010916; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (nZva2UtQ29tbW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"nZva2UtQ29tbW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET MALWARE Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; reference:url,doc.emergingthreats.net/2010917; classtype:trojan-activity; sid:2010917; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026941; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Aurora Backdoor (C&C) client connection to CnC"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; flowbits:set,ET.aurora.init; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010695; classtype:command-and-control; sid:2010695; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (dm9rZS1Db21tYW) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"dm9rZS1Db21tYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Aurora Backdoor (C&C) connection CnC response"; flowbits:isset,ET.aurora.init; flow:established,from_server; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; depth:16; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010696; classtype:command-and-control; sid:2010696; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE PowerShell Execution String Base64 Encoded Invoke-Command (52b2tlLUNvbW1hbm) in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"52b2tlLUNvbW1hbm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2026943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family DNSlivery, signature_severity Major, updated_at 2019_02_19;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; reference:url,doc.emergingthreats.net/2008465; classtype:command-and-control; sid:2008465; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002974; classtype:trojan-activity; sid:2002974; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"lzIHByb2d"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; flowbits:isset,BSHupigonControlStart; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002975; classtype:trojan-activity; sid:2002975; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3J"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"ET MALWARE Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; reference:url,doc.emergingthreats.net/2007585; classtype:command-and-control; sid:2007585; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"hpcyBwcm9ncm"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; reference:url,doc.emergingthreats.net/2007922; classtype:command-and-control; sid:2007922; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GlzIHByb2dyYW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027031; rev:2; metadata:attack_target DNS_Server, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; reference:url,doc.emergingthreats.net/2007979; classtype:command-and-control; sid:2007979; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aXMgcHJvZ3JhbS"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027032; rev:2; metadata:created_at 2019_03_05, former_category ATTACK_RESPONSE, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; reference:url,doc.emergingthreats.net/2007981; classtype:command-and-control; sid:2007981; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"gAaQBzACAAcAByAG8AZwByAGE"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; reference:url,doc.emergingthreats.net/2007982; classtype:command-and-control; sid:2007982; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027034; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003549; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003550; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"BoAGkAcwAgAHAAcgBvAGcAcgBhAG"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027036; rev:2; metadata:created_at 2019_03_05, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003551; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"GgAaQBzACAAcAByAG8AZwByAGEAbQ"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003552; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16-LE base64 wide string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"aABpAHMAIABwAHIAbwBnAHIAYQBtAC"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family CoinMiner, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.2 Reporting Socks Proxy Off"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003553; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"FyZ29ycCB"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003554; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnA"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003556; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF8 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHN"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003557; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"1hcmdvcnAgc2"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003558; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"WFyZ29ycCBzaW"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003559; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE UTF16 base64 reversed string /This Program/ in DNS TXT Reponse"; content:"|00 00 10 00 01 c0 0c 00 10 00 01|"; content:"YXJnb3JwIHNpaF"; distance:0; fast_pattern; reference:url,github.com/no0be/DNSlivery; classtype:bad-unknown; sid:2027044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_05, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family DNSlivery, signature_severity Major, updated_at 2019_03_05;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Window List Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003560; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1"; flow:established,from_server; file_data; content:"powershell"; fast_pattern; nocase; content:"|20|-e"; nocase; distance:0; pcre:"/^(?:nc)?\s*(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=)/Ri"; classtype:trojan-activity; sid:2026992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_28, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2019_03_05;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003561; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003562; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003565; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003563; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:trojan-activity; sid:2003564; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A6469726563746F7279206368616E6765642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; reference:url,doc.emergingthreats.net/2003936; classtype:trojan-activity; sid:2003936; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A72756E74696D65206368616E67656420746F2072756E74696D65"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_07;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; reference:url,doc.emergingthreats.net/2007957; classtype:command-and-control; sid:2007957; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [AV] EarthWorm/Termite IoT Agent Reporting Infection"; dsize:<500; flow:established,to_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:trojan-activity; sid:2027064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Banker Trojan CnC AddNew Command"; flow:established,to_server; dsize:<120; content:"[S]ADDNEW|7c|"; depth:10; reference:url,doc.emergingthreats.net/2009862; classtype:command-and-control; sid:2009862; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EarthWorm/Termite IoT Agent CnC Response"; dsize:<500; flow:established,from_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:command-and-control; sid:2027065; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Banker Trojan CnC Hello Command"; flow:established,to_server; dsize:12; content:"[S]hello["; depth:9; reference:url,doc.emergingthreats.net/2009863; classtype:command-and-control; sid:2009863; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/EvilOSX Client Receiving Commands"; flow:established,to_client; content:"404"; http_stat_code; file_data; content:"DEBUG"; depth:9; fast_pattern; reference:url,github.com/Marten4n6/EvilOSX/; classtype:trojan-activity; sid:2027066; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family EvilOSX, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET MALWARE Banload Gadu-Gadu CnC Message Detected"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"Uruchomiono trojana, wpisz help aby uzyskac pomoc"; nocase; reference:url,doc.emergingthreats.net/2008320; classtype:command-and-control; sid:2008320; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET ![22,23,25,80,139,443,445] -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_client; dsize:>68; content:"|41 00 00 00 05|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018427; rev:4; metadata:created_at 2014_04_28, former_category TROJAN, updated_at 2019_03_08;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET MALWARE Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008104; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957|"; classtype:attempted-user; sid:2027070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET MALWARE Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008105; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862|"; classtype:attempted-user; sid:2027069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET MALWARE Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008106; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674|"; classtype:attempted-user; sid:2027071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET MALWARE Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:command-and-control; sid:2008109; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M1"; flow:from_server,established; file_data; content:"|554778315a326c75524756305a574e30|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Ceckno Keepalive from Controller"; flow:established,from_server; dsize:1; content:"1"; flowbits:isset,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008178; classtype:trojan-activity; sid:2008178; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M2"; flow:from_server,established; file_data; content:"|516248566e615735455a58526c5933|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027073; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Codesoft PW Stealer Email Report Outbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer"; content:"******STEAM PASS STEALER*******"; distance:0; reference:url,doc.emergingthreats.net/2008310; classtype:trojan-activity; sid:2008310; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Landing M3"; flow:from_server,established; file_data; content:"|427364576470626b526c6447566a64|"; content:"-=8))%256)|3b|}"; content:"+=72){"; content:"[0] < 21) return false|3b|"; content:",[0] > 31) return false|3b|"; distance:0; content:"[0] == 31 &&"; content:"[3] > 153) return false|3b|"; distance:0; content:"flash"; nocase; classtype:exploit-kit; sid:2027074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_11, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2019_03_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET MALWARE Conficker.a Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009200; classtype:trojan-activity; sid:2009200; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant Keep-Alive"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:1; within:22; fast_pattern; content:"|ff ff ff ff ff ff ff ff|"; distance:0; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:trojan-activity; sid:2027084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET MALWARE Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; classtype:trojan-activity; sid:2009201; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant CnC Checkin"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00 00 00 00 00 ff 01|"; distance:1; within:9; content:"|ff ff ff ff ff ff ff ff|"; distance:0; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:0; fast_pattern; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:command-and-control; sid:2027083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
+#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009206; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009206; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET [19400:19500] -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.POX Variant CnC"; flow:established,to_client; dsize:4; content:"|6c 69 73 74|"; reference:md5,bb15e442a527a83939d9ff1b835f99dd; classtype:command-and-control; sid:2035057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_03_22;)
+#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009207; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009207; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET HUNTING SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:3; metadata:created_at 2013_12_20, former_category INFO, updated_at 2019_03_27;)
+#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009208; classtype:trojan-activity; sid:2009208; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)"; flow:established,to_server; content:"D2|7c|System|20|Information&"; fast_pattern; depth:22; content:"Manufacturer|3a|"; distance:0; content:"Product|20|Name|3a|"; distance:0; content:"Version|3a 20|"; distance:0; content:"|0a|D3|7c|MemTotal|3a 20|"; distance:0; reference:md5,8438f4abf3bc5844af493d60ea8eb8f6; classtype:coin-mining; sid:2027150; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2019_04_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm CnC Channel Start"; flow:established,to_server; dsize:8; content:"|0b 01 00 00 00 00 00 00|"; flowbits:noalert; flowbits:set,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008805; classtype:command-and-control; sid:2008805; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, created_at 2019_04_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2019_04_04;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm CnC Channel Start Response"; flow:established,from_server; dsize:4; content:"|0b 01|"; depth:2; content:"|00|"; distance:1; within:1; flowbits:isset,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008806; classtype:command-and-control; sid:2008806; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET ATTACK_RESPONSE LaZagne Artifact Outbound in FTP"; flow:established,to_server; content:"The LaZagne Project"; fast_pattern; reference:url,github.com/AlessandroZ/LaZagne; classtype:trojan-activity; sid:2027151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family Stealer, malware_family LaZange, signature_severity Major, updated_at 2019_04_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm Second CnC Channel Start"; flow:established,to_server; dsize:32; content:"|00 00 00 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; reference:url,doc.emergingthreats.net/2008807; classtype:command-and-control; sid:2008807; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:2027167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_09, deployment Internal, former_category NETBIOS, signature_severity Informational, updated_at 2019_04_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic"; flow:established,to_server; dsize:32; content:"|55 d8 09 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; reference:url,doc.emergingthreats.net/2008808; classtype:command-and-control; sid:2008808; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; classtype:bad-unknown; sid:2027168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; reference:url,doc.emergingthreats.net/2007858; classtype:trojan-activity; sid:2007858; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; distance:0; classtype:bad-unknown; sid:2027169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Delf CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; reference:url,doc.emergingthreats.net/2008009; classtype:command-and-control; sid:2008009; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; distance:0; content:"hidden"; nocase; within:17; classtype:bad-unknown; sid:2027170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Delf CnC Channel Keepalive Ping"; flow:established,from_server; dsize:22; content:"|12 00 00 00 1c 5e|"; depth:6; reference:url,doc.emergingthreats.net/2008010; classtype:command-and-control; sid:2008010; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; classtype:bad-unknown; sid:2027171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 Checkin Error"; flow:established,to_server; dsize:350<>450; content:"Erorr File active\;sorry file erorr plaes down file agen"; reference:url,doc.emergingthreats.net/2008905; classtype:command-and-control; sid:2008905; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; classtype:bad-unknown; sid:2027172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 Egg Request"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileTransfer|7c|"; depth:29; reference:url,doc.emergingthreats.net/2008906; classtype:trojan-activity; sid:2008906; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; classtype:bad-unknown; sid:2027173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 File Manager Access Report"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileManager|7c|"; depth:30; reference:url,doc.emergingthreats.net/2008907; classtype:trojan-activity; sid:2008907; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd.exe"; nocase; distance:0; classtype:bad-unknown; sid:2027174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Donbot Report to CnC"; flow:established,to_server; content:"HASH|3a 20|"; depth:6; content:"|0d 0a|ID|3a 20|"; distance:0; content:"|0d 0a|Session|31 20|"; distance:0; content:"|0d 0a|RBL|3a 20|"; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,doc.emergingthreats.net/2008451; classtype:command-and-control; sid:2008451; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd "; nocase; distance:0; classtype:bad-unknown; sid:2027176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dorf/Win32.Inject.adt C&C Communication Outbound"; flow:established,to_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008031; classtype:command-and-control; sid:2008031; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"%comspec"; nocase; distance:0; classtype:bad-unknown; sid:2027178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Dorf/Win32.Inject.adt C&C Communication Inbound"; flow:established,from_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; reference:url,doc.emergingthreats.net/2008032; classtype:command-and-control; sid:2008032; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|%|00|c|00|o|00|m|00|s|00|p|00|e|00|c|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><"; distance:0; content:"<MEM>"; content:"</MEM><"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007918; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027175; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, updated_at 2019_04_10;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Dropper-497 Yumato Reply from server"; flow:established,from_server; content:"YUMATO|0d 0a|1234"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2007919; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; classtype:bad-unknown; sid:2027183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (1)"; flow:established,to_server; content:"|08616c2d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007673; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (2)"; flow:established,to_server; content:"|0861312d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007674; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; classtype:bad-unknown; sid:2027185; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (3)"; flow:established,to_server; content:"|0661726464726104686f737402736b0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007675; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, malware_family CoinMiner, signature_severity Minor, updated_at 2019_04_11;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (4)"; flow:established,to_server; content:"|03777777056a6f2d7566036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007676; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; classtype:bad-unknown; sid:2027187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert tcp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity TCP (5)"; flow:established,to_server; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007677; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:2027188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (1)"; content:"|08616c2d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007678; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027190; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2019_04_11;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (2)"; content:"|0861312d6a696e616e036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007679; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2027191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (3)"; content:"|0661726464726104686f737402736b0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007680; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie|3a 20|mstshash="; distance:5; within:17; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (4)"; content:"|03777777056a6f2d7566036e65740000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007681; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE E-Jihad 3.0 DNS Activity UDP (5)"; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007682; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025726; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE elitekeylogger v1.0 reporting - Inbound"; flow:established,to_server; content:"MAIL FROM|3a|<logs@logs.com>"; reference:url,doc.emergingthreats.net/2002938; classtype:trojan-activity; sid:2002938; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027180; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE elitekeylogger v1.0 reporting - Outbound"; flow:established,to_server; content:"MAIL FROM|3a|<logs@logs.com>"; reference:url,doc.emergingthreats.net/2002941; classtype:trojan-activity; sid:2002941; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; classtype:trojan-activity; sid:2027181; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO"; flow:established,to_server; content:"PC INFECTADO COM SUCCESSO"; nocase; reference:url,doc.emergingthreats.net/2002983; classtype:trojan-activity; sid:2002983; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic "; nocase; distance:0; classtype:trojan-activity; sid:2027182; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pass Stealer FTP Upload"; flow:established,to_server; content:"INFECTADO|0d 0a|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|0d 0a|Computador"; depth:64; reference:url,doc.emergingthreats.net/2008237; classtype:trojan-activity; sid:2008237; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027202; rev:1; metadata:created_at 2019_04_16, former_category POLICY, updated_at 2019_04_16;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference:url,doc.emergingthreats.net/2008726; classtype:trojan-activity; sid:2008726; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025719; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimmiv Infection Ping Inbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; reference:url,doc.emergingthreats.net/2008727; classtype:trojan-activity; sid:2008727; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:2027203; rev:2; metadata:created_at 2019_04_16, updated_at 2019_04_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: session, 20, packets; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2001743; classtype:trojan-activity; sid:2001743; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET HUNTING Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003244; classtype:trojan-activity; sid:2003244; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003245; classtype:trojan-activity; sid:2003245; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HotLan.C Spambot C&C download command"; flow:established,from_server; content:"|3B|URL|3A|http|3A 2F 2F|"; pcre:"/\x0D\x0A\x0D\x0ASLP\x3A\d+\x3BMOD\x3A[\S\x3B]+\x3BURL\x3Ahttp\x3A\x2F{2}[^\x3B]+\x3BSRV\x3Aupd\x3B/"; reference:url,doc.emergingthreats.net/2008471; classtype:command-and-control; sid:2008471; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Lateral Movement - File Creation Request in Remote System32 Directory (T1105)"; flow:established,to_server; content:"|05 00|"; offset:16; depth:2; content:"|00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00|"; fast_pattern; classtype:attempted-user; sid:2027267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1105, tag lateral_movement, tag remote_file_copy, updated_at 2019_04_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon CnC Communication (variant bysj)"; flow:established,to_server; dsize:5; content:"HTTP|00|"; reference:url,doc.emergingthreats.net/2008258; classtype:command-and-control; sid:2008258; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible Remote System32 DLL Hijack Command Inbound via HTTP (T1038, T1105)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"copy|20|"; content:".dll"; distance:0; content:"|5c|Windows|5c|System32|5c|"; distance:0; fast_pattern; content:".dll"; distance:0; content:"copy|20|"; pcre:"/^(?P<dll_name>[a-z0-9\-_]{1,20})\.dll\s*\\\\(([0-9]{1,3}\.){3}[0-9]{1,3}|([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})\\\w{1,10}\$\\Windows\\System32\\(?P=dll_name)\.dll/Ri"; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_23, deployment Internal, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, tag T1105, updated_at 2019_04_23;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32.Hupigon Control Server Response"; flow:from_server,established; dsize:16; content:"|03 00 00 00 00 00 00 00 c4 ec 48 f5 5e 00 85 80|"; depth:16; threshold: type both, count 2, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2009350; classtype:trojan-activity; sid:2009350; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJ_INJECT.NI Update Request"; flow:established,to_server; dsize:7; content:"F222222"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T; reference:url,doc.emergingthreats.net/2009077; classtype:trojan-activity; sid:2009077; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00 20 00|"; nocase; distance:0; classtype:bad-unknown; sid:2027177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keylogger PRO GOLD Post"; flow:established,to_server; content:"to="; content:"&from="; within:200; content:"&subject="; within:200; content:"&message="; within:200; content:"Discribtion"; within:14; content:"KEYLOGG+PRO+GOLD+VERSION"; content:"IPHostName"; content:"IPAddress"; content:"YahooMessenger+Passwords"; reference:url,doc.emergingthreats.net/2008642; classtype:trojan-activity; sid:2008642; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin M2"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; content:!"|22|pass|22 3a 22|"; nocase; classtype:policy-violation; sid:2027316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_05_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keylogger.ane Checkin"; flow:established,to_server; content:"Secret Client|00 00 00|"; depth:18; reference:url,doc.emergingthreats.net/2008449; classtype:command-and-control; sid:2008449; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Initial Connection Attempt (005)"; flow:established,to_server; content:"HTTP|2f|1.1|20|005|0d 0a|VERSION|3a 20|"; depth:23; content:"PLATFORM|3a 20|"; distance:0; content:"IPADDRESS|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Koobface BLACKLABEL"; flow:established,from_server; content: "#BLACKLABEL|0d 0a|EXIT"; reference:url,blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html; reference:url,doc.emergingthreats.net/2009407; classtype:trojan-activity; sid:2009407; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET MALWARE Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"g|00|r|00|u|00|n|00|t|00|s|00|v|00|c|00|"; nocase; distance:0; fast_pattern; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:command-and-control; sid:2027326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Covenant, performance_impact Low, signature_severity Major, updated_at 2019_05_07;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Koobface C&C availability check successful"; flowbits:isset,ET.koobfacecheck; flow:established,from_server; content:"|0d 0a 0d 0a|ACH_OK"; nocase; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010152; classtype:command-and-control; sid:2010152; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Anyplace Remote Access Checkin (051)"; flow:established,to_server; content:"HTTP|2f|1.1|20|051"; depth:12; content:"VER|3a 20|"; distance:0; content:"OBJ|3a 20|"; distance:0; content:"FUNC|3a 20|"; distance:0; content:"NAME|3a 20|"; distance:0; content:"ACC|3a 20|"; distance:0; content:"SRV|3a 20|"; distance:0; content:"PRODUCT|3a 20|"; distance:0; fast_pattern; reference:md5,30e4f96590d530ba5dc1762f8b87c16b; classtype:trojan-activity; sid:2027324; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category INFO, malware_family Anyplace, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_05_07;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lethic Spambot CnC Initial Connect"; flow:established,from_server; flowbits:isnotset,ET.lethic.init; flowbits:set,ET.lethic.init; flowbits:noalert; dsize:5; content:"|00 00 00 00 06|"; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010646; classtype:command-and-control; sid:2010646; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/ElectricFish Authentication Packet Observed"; flow:established,to_server; content:"aaaabbbbccccdddd|00 00 00 00 00 00 00 00|"; depth:24; fast_pattern; content:"|00 00 04 00 00 00|"; distance:2; within:6; reference:url,www.us-cert.gov/ncas/analysis-reports/AR19-129A; classtype:trojan-activity; sid:2027340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_09, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family ElectricFish, performance_impact Low, signature_severity Major, tag APT, tag T1090, tag connection_proxy, updated_at 2019_05_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lethic Spambot CnC Initial Connect Bot Response"; flow:established,to_server; flowbits:isset,ET.lethic.init; dsize:5; content:"|00 00 00 00 06|"; flowbits:set,ET.lethic.established; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010647; classtype:command-and-control; sid:2010647; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold: type limit, track by_src, count 2, seconds 600; reference:cve,CVE-2019-0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_21, deployment Perimeter, deployment Internet, deployment Internal, former_category EXPLOIT, malware_family Bluekeep, signature_severity Major, updated_at 2019_05_21;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lethic Spambot CnC Connect Command"; flowbits:isset,ET.lethic.established; flow:established,from_server; dsize:11; content:"|02|"; offset:4; depth:5; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010648; classtype:command-and-control; sid:2010648; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET MALWARE Suspected ExtraPulsar Backdoor"; flow:established,to_server; content:"ExPu"; depth:11; offset:4; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,github.com/zerosum0x0/smbdoor; classtype:trojan-activity; sid:2027370; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_21, deployment Internal, former_category TROJAN, malware_family ExtraPulsar, signature_severity Major, updated_at 2019_05_22;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lethic Spambot CnC Connect Command (port 25 specifically)"; flowbits:isset,ET.lethic.established; flow:established,from_server; dsize:11; content:"|02|"; offset:4; depth:5; content:"|00 19|"; offset:9; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010649; classtype:command-and-control; sid:2010649; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lethic Spambot CnC Bot Command Confirmation"; flow:established,to_server; flowbits:isset,ET.lethic.established; dsize:6; content:"|21 01|"; offset:4; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010650; classtype:command-and-control; sid:2010650; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M3"; flow:established,to_server; urilen:>6; content:"MSIE"; http_user_agent; fast_pattern; pcre:"/^(?:\/(?:(?:af|p66)\/(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}|(?=(?:[a-zA-Z]{0,12}[0-9]|(?=[a-z0-9]{0,12}[A-Z])(?=[A-Z0-9]{0,12}[a-z])))[A-Za-z0-9]{6,13}\?*(?:(?P<var1>[^=&]+)=(?P=var1))?))$/U"; http_header_names; content:!"Referer"; content:!"Cookie"; http_start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; flowbits:set,ET.Locky; flowbits:noalert; classtype:trojan-activity; sid:2026461; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Moderate, signature_severity Major, updated_at 2019_05_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lethic Spambot CnC Bot Transaction Relay"; flow:established,to_server; flowbits:isset,ET.lethic.established; content:"|03|"; offset:4; depth:5; reference:url,www.m86security.com/trace/spambotitem.asp?article=1205; reference:url,doc.emergingthreats.net/2010651; classtype:command-and-control; sid:2010651; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021151; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET MALWARE Looked.P/Gamania/Delf #109/! Style CnC Checkin Response from Server"; flow:established,from_server; dsize:6; content:"#1"; depth:2; content:"/!"; offset:4; pcre:"/^\x23\d\d\d\x2f\x21/"; reference:url,doc.emergingthreats.net/bin/view/Main/Win32Looked; classtype:command-and-control; sid:2008220; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021152; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 6990:6999 (msg:"ET MALWARE Medbod UDP Phone Home Packet"; dsize:<50; content:"ebex"; nocase; pcre:"/\x06\x00?$/"; reference:url,doc.emergingthreats.net/2007949; classtype:trojan-activity; sid:2007949; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_30, deployment Internal, performance_impact Low, signature_severity Minor, updated_at 2019_05_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 2227 (msg:"ET MALWARE Trojan-PSW.Win32.Nilage.crg Checkin"; flow:established,to_server; dsize:32; content:"|00 c0 a8 01 f4 6f 00 00 00|"; depth:12; content:"|00 00 00 05 01 28 0a|"; reference:url,doc.emergingthreats.net/2008481; classtype:command-and-control; sid:2008481; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30"; flow:established,to_client; tls_cert_subject; content:"CN=halatest.info"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:domain-c2; sid:2027414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_05_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Overtoolbar.net Backdoor ICMP Checkin Request"; dsize:9; icode:0; itype:8; content:"Echo This"; reference:url,doc.emergingthreats.net/2009130; classtype:command-and-control; sid:2009130; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Brushaloader Domain in DNS Lookup 2019-05-30"; dns_query; content:"canasikos.info"; nocase; isdataat:!1,relative; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:trojan-activity; sid:2027415; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category CURRENT_EVENTS, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2019_05_31;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Overtoolbar.net Backdoor ICMP Checkin Response"; dsize:9; icode:0; itype:0; content:"Echo This"; reference:url,doc.emergingthreats.net/2009131; classtype:command-and-control; sid:2009131; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.HiddenWasp; flowbits:noalert; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027395; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE Prg Trojan Server Reply"; flow:to_client,established; content:"HTTP"; depth:4; content:"|0d0a|Hall|3a|"; depth:512; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003183; classtype:trojan-activity; sid:2003183; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Response"; flow:established,from_server; flowbits:isset,ET.Linux.HiddenWasp; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027396; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1900 (msg:"ET MALWARE Backdoor.Win32/PcClient.ZL Checkin"; flow:established,to_server; content:"|00 00 00 10 c8 00 00 00 b0 ff|"; depth:10; reference:url,doc.emergingthreats.net/2008920; classtype:command-and-control; sid:2008920; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Executable contained in DICOM Medical Image SMB File Transfer"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"DICM"; fast_pattern; distance:126; within:4; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027402; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PcClient Backdoor Checkin Packet 1"; flow:established,to_server; dsize:4; content:"|82 87 99 45|"; flowbits:set,ET.PcClient; flowbits:noalert; reference:url,doc.emergingthreats.net/2009238; classtype:command-and-control; sid:2009238; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET [104,2104,22104] (msg:"ET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027403; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PcClient Backdoor Checkin"; flowbits:isset,ET.PcClient; flow:established,to_server; dsize:248; content:"|52 0d 12 12|"; depth:4; flowbits:noalert; reference:url,doc.emergingthreats.net/2009239; classtype:command-and-control; sid:2009239; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any [104,2104,22104] -> $HOME_NET any (msg:"ET MALWARE Executable contained in DICOM Medical Image Received from PACS DICOM Device"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027404; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PECompact2 Packed Binary - Sometimes Hostile"; flow:from_server,established; content:"|74 65 78 74|"; content:"|50 45 43 32|"; within:40; reference:url,www.bitsum.com/pecompact.shtml; reference:url,bits.packetninjas.org/eblog/?p=306; reference:url,doc.emergingthreats.net/2008547; classtype:trojan-activity; sid:2008547; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 64bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00|6|00|4|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Perfect Keylogger FTP Initial Install Log Upload"; flow:established,to_server; content:"Congratulations! Perfect Kelogger was successfully installed"; depth:63; reference:url,doc.emergingthreats.net/2007973; classtype:trojan-activity; sid:2007973; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Windows 32bit procdump Dump File Exfiltration"; flow:established,to_server; content:"|00 2a 00 2a 00 2a 00 20 00|p|00|r|00|o|00|c|00|d|00|u|00|m|00|p|00 2e 00|e|00|x|00|e"; fast_pattern; reference:url,attack.mitre.org/techniques/T1003/; classtype:attempted-admin; sid:2027436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_05, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1003, tag credential_dumping, updated_at 2019_06_05;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Perfect Keylogger FTP Initial Install Log Upload (Null obfuscated)"; flow:established,to_server; content:"C|00|o|00|n|00|g|00|r|00|a|00|t|00|u|00|l|00|a|00|t|00|i|00|o|00|n|00|s|00|!|00| |00|P|00|e|00|r|00|f|00|e|00|c|00|t|00| |00|K|00|e|00|l|00|o|00|g|00|g|00|e|00|r|00| |00|w|00|a|00|s|00| |00|s|00|u|00|c|00|c|00|e|00|s|00|s|00|f|00|u|00|l|00|l|00|y|00| |00|i|00|n|00|s|00|t|00|a|00|l|00|l|00|e|00|d|00|"; reference:url,doc.emergingthreats.net/2008327; classtype:trojan-activity; sid:2008327; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Your|20|computer|20|was|20|infected|20|with|20|my|20|private|20|malware"; fast_pattern; content:"malware|20|gave|20|me|20|full"; distance:0; content:"accounts|20 28|see|20|password|20|above|29|"; distance:0; content:"MANY|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RLPacked Binary - Likely Hostile"; flow:from_server,established; content:"|2E 70 61 63 6B 65 64|"; content:"|2E 52 4C 50 61 63 6B|"; within:50; reference:url,rlpack.jezgra.net; reference:url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/; reference:url,doc.emergingthreats.net/2008285; classtype:trojan-activity; sid:2008285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 4 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"infected|20|you|20|with|20|a|20|malware"; content:"malware|20|gave|20|me|20|full"; distance:0; content:"collected|20|everything|20|private|20|from|20|you"; distance:0; content:"FEW|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Trojan.Win32.Regrun.ro FTP connection detected"; flow:established,to_server; content:"RETR k3ylogger.txt|0d 0a|"; depth:21; reference:url,doc.emergingthreats.net/2008733; classtype:trojan-activity; sid:2008733; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535,![3389]] (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:9; metadata:created_at 2010_07_30, updated_at 2019_06_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Saturn Proxy Initial Outbound Checkin (404.txt)"; flow:established,to_server; dsize:<50; content:"GET /404.txt HTTP/1.0"; depth:21; flowbits:set,ET.saturn.checkin; reference:url,doc.emergingthreats.net/2007751; classtype:command-and-control; sid:2007751; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"|20|MSIE|20|"; http_user_agent; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[03478]+)?/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_protocol; content:"HTTP/1."; http_content_len; byte_test:0,>,150,0,string,dec; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035048; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2019_06_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Saturn Proxy C&C Activity"; flow:established,from_server; dsize:12; content:"|2d 00 00 00|"; offset:0; depth:4; content:"|00 00 55 00 00 00|"; distance:2; reference:url,doc.emergingthreats.net/2007753; classtype:command-and-control; sid:2007753; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert dns any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Registrar Nameservers in DNS Response (carbon2u)"; content:"|00 02 00 01|"; content:"|03|ns1|08|carbon2u|03|com|00|"; distance:14; within:18; fast_pattern; classtype:bad-unknown; sid:2027471; rev:1; metadata:created_at 2019_06_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2019_06_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Socks666 Connection Initial Packet"; flow:established,to_server; dsize:24; content:"|9a 02 06 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006395; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (WAIT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|WAIT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027508; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Socks666 Connect Command Packet"; flowbits:isset,BS.BPcheckin; flow:established,from_server; dsize:10; content:"|9a 02 07 00|"; offset:0; depth:4; flowbits:set,BS.BPset; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006396; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027509; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Socks666 Successful Connect Packet Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session,300,seconds; reference:url,doc.emergingthreats.net/2006396; classtype:trojan-activity; sid:2006397; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (DISCONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|DISCONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027510; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Socks666 Checkin Packet"; flow:established,to_server; dsize:30; content:"|9a 02 01 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin1; flowbits:noalert; reference:url,doc.emergingthreats.net/2006396; classtype:command-and-control; sid:2006398; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CERT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CERT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027511; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Socks666 Checkin Success Packet"; flowbits:isset,BS.BPcheckin1; flow:established,from_server; dsize:4; content:"|9a 02 05 00|"; offset:0; depth:4; reference:url,doc.emergingthreats.net/2006396; classtype:command-and-control; sid:2006399; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<!-- saved from url=("; within:500; content:")https://idm.east.cox.net/"; distance:4; within:26; fast_pattern; classtype:social-engineering; sid:2027535; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert icmp any any -> any any (msg:"ET MALWARE Storm Worm ICMP DDOS Traffic"; itype:8; icode:0; dsize:32; content:"abcdefghijklmnopqr|00 00|"; depth:22; threshold:type both, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2007618; classtype:trojan-activity; sid:2007618; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Miarroba Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 49 6e 73 65 72 74 65 64 20 62 79 20 6d 69 61 72 72 6f 62 61 20 2d 2d 3e|"; classtype:social-engineering; sid:2027561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2019_06_26;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Themida Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 69 64 61 74 61 20 20|"; content:"|54 68 65 6D 64 61 20 00|"; within:49; reference:url,www.oreans.com/themida.php; reference:url,cwsandbox.org/?page=samdet&id=164533&password=wnnpi; reference:url,doc.emergingthreats.net/2008341; classtype:trojan-activity; sid:2008341; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any ![445,138,80] -> any any (msg:"ET HUNTING SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip)  download command"; flow:established,to_client; content:"PRIVMSG|20|"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:5; metadata:created_at 2013_08_13, former_category CURRENT_EVENTS, updated_at 2019_07_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Initial Checkin (ams)"; flow:established,to_server; dsize:3; content:"ams"; reference:url,doc.emergingthreats.net/2008021; classtype:command-and-control; sid:2008021; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jun 2019- Dec 2019) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5d|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027672; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Logs Parse Command (LOGS1)"; flow:established,from_server; dsize:5; content:"LOGS1"; depth:5; reference:url,doc.emergingthreats.net/2008024; classtype:command-and-control; sid:2008024; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Dec 2019- Jul 2020) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5e|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Logs Parse Response Response (LOGS1)"; flow:established,to_server; content:"|08 00 00 00|LOGS1|5b|"; offset:0; depth:10; reference:url,doc.emergingthreats.net/2008025; classtype:command-and-control; sid:2008025; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jul 2020- Jan 2021) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5f|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027674; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Keepalive (BAGLANTI)"; flow:established,to_server; dsize:9; content:"BAGLANTI?"; reference:url,doc.emergingthreats.net/2008026; classtype:command-and-control; sid:2008026; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Jun 2019 - Sep 2020)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 35|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027675; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Browse Drive Command (BROWSC)"; flow:established,from_server; dsize:<100; content:"BROWS"; depth:5; content:"|3a|"; distance:1; within:2; reference:url,doc.emergingthreats.net/2008027; classtype:command-and-control; sid:2008027; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Sep 2020 - Nov 2023)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 36|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C Browse Drive Command Response (metin)"; flow:established,to_server; content:"|00 00|metin|0d 3a|"; offset:2; depth:11; reference:url,doc.emergingthreats.net/2008028; classtype:command-and-control; sid:2008028; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450)"; flow:established,to_client; file_data; content:"localhost|3a|19421/launch?action=join&confno="; reference:url,medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5; reference:cve,2019-13450; classtype:attempted-user; sid:2027696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2019_07_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Turkojan C&C nxt Command Response (nxt)"; flow:established,from_server; dsize:16; content:"nxt|09 00 00 00|"; depth:7; offset:0; reference:url,doc.emergingthreats.net/2008030; classtype:command-and-control; sid:2008030; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Socks5 Proxy to Onion (set)"; flow:established,to_server; flowbits:set,ET.Socks5.OnionReq; content:"|05 01 00 03|"; depth:4; content:".onion|00 50|"; distance:0; fast_pattern; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:policy-violation; sid:2027703; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2019_07_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET MALWARE Win32.Agent.bea C&C connection"; flow:to_server,established; dsize:24; content:"|9a 02 06 00|"; depth:4; reference:url,doc.emergingthreats.net/2007608; classtype:command-and-control; sid:2007608; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Requesting Key/Wallet/Note"; flow:established,to_server; flowbits:isset,ET.Socks5.OnionReq; flowbits:set,ET.QNAPCrypt.DetailReq; content:"GET /api/GetAvailKeysByCampId/"; depth:30; fast_pattern; content:".onion|0d 0a|User-Agent|3a 20|Go-http-client/1.1"; distance:0; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027704; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2019_07_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Inject.zy Checkin Post"; flow:established,to_server; dsize:8; content:"|16 00 00 00 00 00 00 00|"; reference:url,doc.emergingthreats.net/2007966; classtype:command-and-control; sid:2007966; rev:2; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Successful Server Response"; flow:established,from_server; flowbits:isset,ET.QNAPCrypt.DetailReq; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"Content-Type|3a 20|application/json"; distance:0; content:"|7b 22|RsaPublicKey|22 3a 22|-----BEGIN RSA PUBLIC KEY"; content:"|22 7d 2c 7b 22|BtcPublicKey|22 3a 22|"; fast_pattern; content:"|22 7d 2c 7b 22|Readme|22 3a 22|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027705; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_07_11;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Proxy.Win32.Wopla.ag Server Reply"; dsize:12; flow:established,from_server; content:"|0d 00 00 00|"; depth:4; content:"|00 00 00 00 00 00|"; distance:2; within:6; reference:url,doc.emergingthreats.net/2007604; classtype:trojan-activity; sid:2007604; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Miarroba Phish 2019-07-11"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<!-- Inserted by miarroba -->"; fast_pattern; nocase; classtype:credential-theft; sid:2027699; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE XP keylogger v2.1 mail report - Inbound"; flow:established,to_server; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; reference:url,doc.emergingthreats.net/2002940; classtype:trojan-activity; sid:2002940; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in (set)"; flow:established,to_server; dsize:>65; content:"|41 00 00 00 99|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; reference:md5,3c4a93154378e17e71830ff164bb54c4; classtype:trojan-activity; sid:2029477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Netwire, updated_at 2019_07_16;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE XP keylogger v2.1 mail report - Outbound"; flow:established,to_server; content:"X-Mailer|3a| JMail 4.3.0 Free Version by Dimac"; content:"<H2=3EAbout the use of the PC</H2=3E"; reference:url,doc.emergingthreats.net/2002942; classtype:trojan-activity; sid:2002942; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Checkin"; flow:to_server,established; dsize:200<>300; content:"|32|"; depth:1; content:"|7c 78 01|"; distance:2; within:3; pcre:"/^[0-9]{3}\x7cx/"; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Yoda's Protector Packed Binary - VERY Likely Hostile"; flow:established,from_server; content:"|E8 03 00 00 00 EB 01|"; content:"|BB 55 00 00 00 E8 03 00 00 00 EB 01|"; within:14; reference:url,doc.emergingthreats.net/2009557; classtype:trojan-activity; sid:2009557; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Heartbeat"; flow:to_server,established; dsize:15; content:"|7c 78 01|"; offset:2; depth:3; pcre:"/^[0-9]{2}\x7cx/"; threshold: type both, track by_src, count 5, seconds 60; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Related Fake User-Agent (Apache (compatible...))"; flow:established,to_server; content:"User-Agent|3a| Apache (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; reference:url,doc.emergingthreats.net/2010823; classtype:trojan-activity; sid:2010823; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^[a-f0-9]{40,}$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027729; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client registration"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyMyIP="; within:27; reference:url,doc.emergingthreats.net/2008950; classtype:trojan-activity; sid:2008950; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027730; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Trojan.Win32.Small.yml client command"; flow:established,to_client; content:"|0d 0a|Content-Length|3a| "; depth:500; content:"|0d 0a 0d 0a|xxyysign|0d 0a|xxyyUserNamePassWord="; within:40; reference:url,doc.emergingthreats.net/2008951; classtype:trojan-activity; sid:2008951; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 3"; flow:established,to_server; content:"|20|MSIE|20|"; http_user_agent; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_request_line; content:"POST / HTTP/1."; depth:14; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; http_content_len; byte_test:0,<=,999,0,string,dec; byte_test:0,>,99,0,string,dec; classtype:command-and-control; sid:2035050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2022_04_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Winwebsec User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| InstallNotify/1.0"; http_header; reference:url,www.f-secure.com/sw-desc/rogue_w32_winwebsec.shtml; reference:url,blogs.technet.com/mmpc/archive/2009/05/13/msrt-tackles-another-rogue.aspx; reference:url,doc.emergingthreats.net/2009896; classtype:trojan-activity; sid:2009896; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH Remote Shell Banner"; flow:established,to_server; dsize:>100; content:"|2a 20|SUPER|20|REMOTE|20|SHELL|20|v2|2e|2|20|SSL"; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:targeted-activity; sid:2027751; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category TROJAN, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state|3a| 0 - zombie is ready for control"; depth:38; reference:url,doc.emergingthreats.net/2008507; classtype:trojan-activity; sid:2008507; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH CnC Checkin"; flow:established,to_server; dsize:64; content:"-SH"; offset:44; depth:3; pcre:"/(?:[0-9A-F]{8}\-){5}\-SH/"; content:"|02 09 01|"; offset:52; depth:3; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027752; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data|3a| "; nocase; content:"Hora|3a| "; nocase; content:"Development by "; nocase; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; reference:url,doc.emergingthreats.net/2002977; classtype:trojan-activity; sid:2002977; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for .co TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|co|00|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2027759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2019_07_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft Windows"; nocase; content:"Mac Address.."; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002976; classtype:trojan-activity; sid:2002976; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Adobe Phish 2019-07-29"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<title>Adobe Document Cloud"; fast_pattern; nocase; classtype:credential-theft; sid:2027764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 3 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Subject|3a| INFECT - "; nocase; content:"Data|3a| "; nocase; content:"Windows|3a| Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002980; classtype:trojan-activity; sid:2002980; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert icmp any any -> any any (msg:"ET MALWARE Possible ICMP Backdoor Tunnel Command - whoami"; itype:8; icode:0; content:"whoami"; depth:6; nocase; reference:url,www.hackingarticles.in/command-and-control-tunnelling-via-icmp; classtype:trojan-activity; sid:2027763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Maquina"; nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002981; classtype:trojan-activity; sid:2002981; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Delf/Hupigon C&C Channel Version Report"; flow:established,to_server; dsize:<25; content:"VERSON|3a|"; depth:7; reference:url,doc.emergingthreats.net/2007930; classtype:command-and-control; sid:2007930; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag"; flags:U+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027768; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_07_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Donbot Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; depth:7; reference:url,doc.emergingthreats.net/2008450; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; classtype:command-and-control; sid:2008450; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 5 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"one|20|of|20|your|20|passwords|20|is|3a|"; content:"infected|20|with|20|my|20|private|20|malware"; distance:0; content:"I|20|RECORDED|20|YOU|20 28|through|20|your|20|webcam"; distance:0; fast_pattern; content:"bitcoin|20|wallet|20|is|3a|"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_07_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key|3a|"; distance:0; reference:url,doc.emergingthreats.net/2008005; classtype:trojan-activity; sid:2008005; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_08_01;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Likely eCard Malware Laden Email Inbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| You have received an eCard"; nocase; content:"e-card.zip"; nocase; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; reference:url,doc.emergingthreats.net/2008674; classtype:trojan-activity; sid:2008674; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Covenant Framework HTTP Hello World Server Response"; flow:established,to_client; file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Egspy Infection Report Email"; flow:established,to_server; content:"FROM\: EgySpy Victim"; content:"TO|3a| EgySpy User"; distance:0; content:"SUBJECT|3a| E g y S p y KeyLogger"; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008039; classtype:trojan-activity; sid:2008039; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)"; flow:established,to_client; file_data; content:".CreateInstance(|27|Grunt.GruntStager|27|)"; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO"; flow:established,to_server; content:"Subject|3a| Microsoft Windows"; nocase; content:"INFECTADO"; nocase; within:20; reference:url,doc.emergingthreats.net/2002982; classtype:trojan-activity; sid:2002982; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)"; flow:established,to_client; file_data; content:"toStream(assembly_str)"; content:"delegate.DynamicInvoke(array.ToArray()).CreateInstance("; distance:0; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE IE Ilookup Trojan"; flow: from_server,established; content:"#@~^/gAAAA==@#@&@#@&7lMP|3a|HVK^P{P[W1Ehn"; content:"#@~^GAIAAA==@#@&\\CMPsX/DD,xPvEU+kmC2"; reference:url,62.131.86.111/analysis.htm; reference:url,doc.emergingthreats.net/2001066; classtype:misc-activity; sid:2001066; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt PowerShell Stager HTTP Download"; flow:established,to_client; file_data; content:"IO.Compression.CompressionMode]|3a 3a|Decompress"; content:".Value.Write("; distance:0; content:"Reflection.Assembly]|3a 3a|Load("; fast_pattern; distance:0; content:".EntryPoint.Invoke("; distance:0; content:"Out-Null"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007611; classtype:trojan-activity; sid:2007611; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; flow:established,to_client; file_data; content:"System.IO.Compression.CompressionMode.Decompress"; content:"System.Reflection.Assembly.Load("; distance:0; content:".EntryPoint.Invoke("; distance:0; fast_pattern; content:"|3c 2f|UsingTask|3e|"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007612; classtype:trojan-activity; sid:2007612; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M2"; flow:established,to_server; dsize:16; content:"|49 42 d4 b5 38 70 fe 86 2a 4e d2 73 0d 95 79 e5|"; reference:md5,5c12015ebeb755c0b6029468a13e59a9; classtype:command-and-control; sid:2027813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007613; classtype:trojan-activity; sid:2007613; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M1"; flow:established,to_server; dsize:16; content:"|73 08 e2 bc 6d 8c 9d b5 85 52 b1 e1 5d 5a 9a 8e|"; reference:md5,d6db3ac5a8022184f03a34fbfdcb926d; classtype:command-and-control; sid:2027812; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a|MAC......."; nocase; within:20; reference:url,doc.emergingthreats.net/2007614; classtype:trojan-activity; sid:2007614; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 UDP Flood Command Inbound"; flow:established,from_server; content:".udp|20|"; depth:5; fast_pattern; pcre:"/^((?:\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027837; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [587,25] (msg:"ET MALWARE LDPinch Reporting infection via Email"; flow:established,to_server; content:"X-Mailer|3a| Blat v2.6.2 w/GSS encryption, a Win32 SMTP/NNTP mailer http|3a|//www.blat.net|0d 0a|"; content:"|0d 0a|Subject|3a| Contents of file|3a| WINDOWS/system32/"; distance:0; reference:url,doc.emergingthreats.net/2009242; classtype:trojan-activity; sid:2009242; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 DNS Flood Command Inbound"; flow:established,from_server; content:".dns|20|"; depth:5; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027838; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan-PWS.Win32.Small.gs Passwords leak over FTP"; flow:established,to_server; content:"IE7 Passwords|3a|"; depth:14; content:"FF Passwords"; within:500; reference:url,doc.emergingthreats.net/2008841; classtype:trojan-activity; sid:2008841; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 HTTP Flood Command Inbound"; flow:established,from_server; content:".http|20|"; depth:6; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027839; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Perfect Keylogger FTP Log Upload"; flow:established,to_server; content:"Log upload date|3a| "; depth:17; content:"|0d 0a|Time|3a| "; within:40; content:"To view DAT files, please do the following steps|3a|"; distance:0; reference:url,doc.emergingthreats.net/2007974; classtype:trojan-activity; sid:2007974; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 UDP Flood Command Inbound"; flow:established,from_server; content:"LnVkcC"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027840; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Silon Encrypted Data POST to C&C"; flow:established,to_server; content:".php?i="; nocase; http_uri; content:"&k="; nocase; http_uri; pcre:"/\.php\?i=\w+_[0-9A-F]{8}&k=\d+$/Ui"; reference:url,www.trusteer.com/webform/w32silon-malware-analysis; reference:url,doc.emergingthreats.net/2010201; classtype:command-and-control; sid:2010201; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 DNS Flood Command Inbound"; flow:established,from_server; content:"LmRucy"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027841; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snatch Reporting User Activity"; flow:established,to_server; content:"/snatch/module"; http_uri; content:"User-Agent|3a 20|Snatch-System"; http_header; reference:url,doc.emergingthreats.net/2003515; classtype:trojan-activity; sid:2003515; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR UDP Flood Command Inbound"; flow:established,from_server; content:"|fe d5 57 68 f0 44 fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027843; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL"; flow:established,to_server; content:".php?"; http_uri; content:"&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; reference:url,doc.emergingthreats.net/2008280; classtype:command-and-control; sid:2008280; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR DNS Flood Command Inbound"; flow:established,from_server; content:"|fe d6 53 76 f0 7e fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027844; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL (2)"; flow:established,to_server; content:"/?&v="; http_uri; content:"&s="; http_uri; content:"&cip="; http_uri; content:"&lid="; http_uri; reference:url,doc.emergingthreats.net/2008393; classtype:command-and-control; sid:2008393; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR HTTP Flood Command Inbound"; flow:established,from_server; content:"|fe d6 69 33 f7 4f fb c5|"; depth:8; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027845; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 3alupKo/Win32.Socks.n Related Checkin URL (3)"; flow:established,to_server; content:"&ns="; http_uri; content:"&id="; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008395; classtype:command-and-control; sid:2008395; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Exec Command Inbound"; flow:established,from_server; content:"|fe d6 57 37 c9 50 f7|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027846; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zalupko/Koceg/Mandaph manda.php Checkin"; flow:established,to_server; content:"/manda.php?"; nocase; http_uri; content:"ns="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008324; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:md5,b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; classtype:command-and-control; sid:2008324; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Update Command Inbound"; flow:established,from_server; content:"|fe d5 57 74 c9 40 fc 92 e8|"; depth:9; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027847; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake.Googlebar or Softcash.org Related Post-Infection Checkin"; flow:established,to_server; content:"bl="; http_uri; content:"&cuid="; http_uri; content:"&cnid="; http_uri; content:"&luid="; http_uri; content:"&rnd="; http_uri; reference:url,doc.emergingthreats.net/2008236; classtype:command-and-control; sid:2008236; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai.shiina v3 CnC Checkin"; flow:established,to_server; content:"|01 03 03 07 04 02 00 06|"; depth:8; fast_pattern; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027848; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category MALWARE, malware_family Mirai, tag DDoS, updated_at 2019_08_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyguarder.com Fake AV Install Report"; flow:established,to_server; content:"/statscnt.js?scrW="; http_uri; content:"&scrH="; http_uri; content:"&ua="; http_uri; content:"&referer="; http_uri; content:"&ref_id="; http_uri; content:"&cn_id="; http_uri; reference:url,doc.emergingthreats.net/2008911; classtype:trojan-activity; sid:2008911; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.biz Domain"; flow:established,to_server; content:".biz"; fast_pattern; http_host; isdataat:!1,relative; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027872; rev:2; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2019_08_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Ssppyy.com Surveillance Agent Reporting via Email"; flow:established,to_server; content:"|0d 0a|Subject|3a| SSPPYY notification|0d 0a|X=Mailer|3a| Mail|0d 0a|"; content:"The computer you are monitoring has connected online - The module name of"; distance:5; reference:url,doc.emergingthreats.net/2007780; classtype:trojan-activity; sid:2007780; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; threshold: type both, track by_src, count 5, seconds 60; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:2; metadata:created_at 2012_04_24, updated_at 2019_08_13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Storm Variant HTTP Post (U)"; flow:established,to_server; content:"POST /u/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010442; classtype:trojan-activity; sid:2010442; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:pup-activity; sid:2000587; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Storm Variant HTTP Post (S)"; flow:established,to_server; content:"POST /s/ HTTP"; depth:13; nocase; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:!"Referer|3a|"; nocase; http_header; reference:url,cyber.secdev.ca/2009/11/russian-malware-bundle; reference:url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf; reference:url,doc.emergingthreats.net/2010441; classtype:trojan-activity; sid:2010441; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:pup-activity; sid:2000589; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stormy Variant HTTP Request"; flow:established,to_server; content:"/zzu/zc.php?l="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&k="; nocase; http_uri; reference:url,doc.emergingthreats.net/2003435; classtype:trojan-activity; sid:2003435; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:pup-activity; sid:2000590; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stpage Checkin (nomodem)"; flow:established,to_server; content:"/nomodem.php"; http_uri; content:"if="; http_uri; content:"&am="; http_uri; content:"&cl={"; http_uri; content:"&id="; http_uri; reference:url,doc.emergingthreats.net/2008522; classtype:command-and-control; sid:2008522; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; content:"|0d0a|Extension|3a|Remote-Passphrase"; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:pup-activity; sid:2000932; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.Downloader Tibs.jy Reporting to C&C"; flow:established,to_server; content:"/post.php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0b5a (Win95|3b| I)"; http_header; nocase; content:"data="; nocase; reference:url,doc.emergingthreats.net/2003238; classtype:command-and-control; sid:2003238; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:pup-activity; sid:2001317; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibs Checkin 2"; flow:established,to_server; content:"/cntr.php?e="; nocase; http_uri; content:"&x="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002961; classtype:command-and-control; sid:2002961; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Receiving Config"; flow:established,to_server; http.uri; content:"/config/?"; nocase; content:"v=5"; nocase; content:"n=mm2"; nocase; content:"i="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:pup-activity; sid:2001417; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Spyware Update Download"; flow:established,to_server; content:"/synctl/task.fcgi?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002964; classtype:trojan-activity; sid:2002964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:pup-activity; sid:2001444; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trats.a Post-Infection Checkin"; flow:established,to_server; content:"AID="; http_uri; content:"GUID="; nocase; http_uri; content:"POST"; depth:4; http_method; content:"|0d 0a|SPK|3a| "; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0) WinNT 5.1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008155; classtype:command-and-control; sid:2008155; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Games"; flow: to_server,established; content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:pup-activity; sid:2001459; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BackDoor-EGB Check-in"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp"; http_uri; content:"?username="; http_uri; content:"&serverMac="; http_uri; content:"&edition="; pcre:"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/Ui"; reference:url,doc.emergingthreats.net/2009532; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060; classtype:trojan-activity; sid:2009532; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:pup-activity; sid:2001533; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE smain?scout=acxc Generic Download landing"; flow:established,to_server; content:"GET"; depth:3; http_method; nocase; content:"/smain?scout=acxc"; nocase; http_uri; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:md5,513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010822; classtype:trojan-activity; sid:2010822; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; content:"/cgi-bin/PopupV"; http_uri; nocase; content:"?ID={"; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:pup-activity; sid:2001730; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vanquish Trojan HTTP Checkin"; flow:established,to_server; content:"ip="; http_uri; content:"&v=1&s="; http_uri; content:"&h="; http_uri; content:"&kb="; http_uri; content:"&o="; http_uri; content:"&c="; http_uri; content:"&un="; http_uri; content:"&m="; http_uri; content:"&w="; http_uri; content:"&ss="; http_uri; reference:url,doc.emergingthreats.net/2007698; classtype:command-and-control; sid:2007698; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:pup-activity; sid:2001850; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP"; flow:established,to_server; content:"?sid="; http_uri; pcre:"/\?sid=[0-9A-F]{180}/U"; reference:url,doc.emergingthreats.net/2007142; classtype:trojan-activity; sid:2007142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Install"; flow: to_server,established; content:"/downloads/installers/"; http_uri; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:pup-activity; sid:2002003; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP (2)"; flow:established,to_server; content:"php?"; nocase; http_uri; content:"cmp="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&dn_uid="; nocase; http_uri; content:"&dn_affid="; nocase; http_uri; content:"&vm_guid="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&altid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007285; classtype:trojan-activity; sid:2007285; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:pup-activity; sid:2002017; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut Counter/Check-in"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".asp?mac="; http_uri; content:"&rw="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009457; classtype:trojan-activity; sid:2009457; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Defs Download"; flow: to_server,established; content:"/geodefs/gdf"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:pup-activity; sid:2002048; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?SoftName="; nocase; http_uri; content:"&SoftVersion="; nocase; http_uri; content:"&UserIP"; nocase; http_uri; content:"&Mac"; nocase; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html; reference:url,www.threatexpert.com/threats/w32-virut-i.html; reference:url,doc.emergingthreats.net/2009829; classtype:trojan-activity; sid:2009829; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:pup-activity; sid:2002093; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo.dam http Update"; flow:established,to_server; content:"/cgi-bin/heartbeat.php"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"&affiliate_id="; nocase; http_uri; content:"&db=1"; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007573; classtype:trojan-activity; sid:2007573; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware config Download"; flow: to_server,established; content:"/config.aspx?did="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:pup-activity; sid:2002099; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo HTTP Pre-Install Checkin"; flow:established,to_server; content:"/app/preinstall.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007989; classtype:command-and-control; sid:2007989; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware versionconfig POST"; flow:to_server,established; content:"/versionconfig.aspx?"; http_uri; content:"&ver="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:pup-activity; sid:2002354; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo HTTP Post-Install Checkin"; flow:established,to_server; content:"/app/install_done.php?"; nocase; http_uri; content:"t_uid="; nocase; http_uri; content:"&t_pid="; nocase; http_uri; content:"&t_mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007990; classtype:command-and-control; sid:2007990; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions Spyware Actionlibs Download"; flow:to_server,established; content:"/actionurls/ActionUrlb"; http_uri; nocase; content:"partnerid="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:pup-activity; sid:2003057; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo HTTP Post-Install Checkin (2)"; flow:established,to_server; content:"?w="; nocase; http_uri; content:"&ucid="; nocase; http_uri; content:"&e=00"; nocase; http_uri; content:"&err="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008082; classtype:command-and-control; sid:2008082; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; content:"/ZangoTBInstaller.exe"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:pup-activity; sid:2003059; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo Variant reporting to Controller via HTTP (1)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/req.html?suid=&cuid="; http_uri; content:"&tid="; http_uri; content:"&cver="; http_uri; content:"&affid="; http_uri; reference:url,doc.emergingthreats.net/2008976; classtype:trojan-activity; sid:2008976; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; content:"/php/uci.php"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:pup-activity; sid:2003061; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vundo Variant reporting to Controller via HTTP (2)"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?cuid="; http_uri; content:"&suid="; http_uri; content:"&affid="; http_uri; reference:url,doc.emergingthreats.net/2008977; classtype:trojan-activity; sid:2008977; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:pup-activity; sid:2003154; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174; classtype:trojan-activity; sid:2009174; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:pup-activity; sid:2003336; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE w32agent.dsi Domain Update"; flow:established,to_server; content:"/getgewinnspiel.php?uid="; http_uri; reference:url,doc.emergingthreats.net/2002782; classtype:trojan-activity; sid:2002782; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:pup-activity; sid:2003496; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE w32agent.dsi Posting Info"; flow:established,to_server; content:"/postgewinnspiel.php"; http_uri; content:"uid="; http_uri; reference:url,doc.emergingthreats.net/2002781; classtype:trojan-activity; sid:2002781; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Spyware Reporting URL Visited"; flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:pup-activity; sid:2003606; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Warezov/Stration Communicating with Controller 2"; flow:established,to_server; content:"/chr/"; nocase; http_uri; content:"/e/"; http_uri; content:"?lid="; nocase; http_uri; pcre:"/\/chr\/\d+\/e\/t\d+\?lid=/Ui"; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html; reference:url,doc.emergingthreats.net/2003436; classtype:trojan-activity; sid:2003436; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP Zango Spyware (tbrequest data post)"; flow: to_server,established; content:"/tbrequest"; http_uri; nocase; content:"&q="; http_uri; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:pup-activity; sid:2003610; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Agent.ajx Trojan Reporting to Server"; flow:established,to_server; content:"/count.php?fid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; content:"&wc="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006448; classtype:trojan-activity; sid:2006448; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET ADWARE_PUP 51yes.com Spyware Reporting User Activity"; flow:established,to_server; content:"/sa.aspx?id="; http_uri; nocase; content:"&refe=http"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:pup-activity; sid:2003620; rev:5; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Agent.cyt (Or variant) HTTP POST Checkin (2)"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".cgi"; http_uri; content:"o=c&s="; http_client_body; reference:url,doc.emergingthreats.net/2008004; classtype:command-and-control; sid:2008004; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; http.uri; content:"?proto="; nocase; content:"&rc="; nocase; content:"&v="; nocase; content:"&abbr="; nocase; content:"&platform="; nocase; content:"&os_version="; nocase; content:"&ac="; nocase; content:"&appid="; nocase; content:"&em="; nocase; content:"&pcid="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:pup-activity; sid:2007664; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_04_18;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Small.yml or Related HTTP Checkin"; flow:established,to_server; content:"/ClientReg.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008949; classtype:command-and-control; sid:2008949; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopcenter.co .kr Spyware Install Report"; flow:established,to_server; http.uri; content:"/RewardInstall.php?mac=0"; content:"&hdd="; content:"&ver="; content:"&ie="; content:"&win="; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:pup-activity; sid:2008370; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Small.yml or Related HTTP Command"; flow:established,to_server; content:"/ClientTask.aspx?mac="; http_uri; content:"&Type="; http_uri; content:"&Sn="; http_uri; pcre:"/mac=([0-9A-F]{2}:){5}([0-9A-F]{2})/Ui"; reference:url,doc.emergingthreats.net/2008952; classtype:trojan-activity; sid:2008952; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET ADWARE_PUP Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:pup-activity; sid:2008402; rev:4; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in HEAD"; flow:established,to_server; content:"HEAD"; depth:4; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; content:"&pid="; http_uri; reference:url,doc.emergingthreats.net/2010240; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010240; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 0a|"; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:pup-activity; sid:2009438; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin"; flow:established,to_server; content:"/stat.php?func=install&pid="; http_uri; content:"&ip="; http_uri; content:"&landing="; http_uri; reference:url,doc.emergingthreats.net/2008250; classtype:command-and-control; sid:2008250; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:pup-activity; sid:2010904; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2022_03_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zhelatin Update Detected"; flow:established,to_server; content:".php?l="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&rvz1="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007769; classtype:trojan-activity; sid:2007769; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011517; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zlob HTTP Checkin"; flow:established,to_server; content:"/confirm.php?aid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008386; classtype:command-and-control; sid:2008386; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern; classtype:pup-activity; sid:2011518; rev:4; metadata:created_at 2010_09_27, former_category ADWARE_PUP, updated_at 2022_03_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zlob Initial Check-in Version 2 (confirm.php?sid=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"confirm.php?sid="; nocase; http_uri; content:"&said="; nocase; http_uri; content:"&mn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008396; classtype:trojan-activity; sid:2008396; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET ADWARE_PUP W32/SmartPops Adware Outbound Off-Port MSSQL Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; classtype:pup-activity; sid:2013956; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2017_09_21;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE s4t4n1c Trojan Check-in"; flow:established,to_server; content:"POST"; depth:4; http_method; content:".php"; http_uri; content:"continencia="; http_client_body; content:"&versao_kl="; http_client_body; content:"&data="; http_client_body; content:"&hora="; http_client_body; content:"&nome_maquina="; http_client_body; reference:url,doc.emergingthreats.net/2009518; classtype:trojan-activity; sid:2009518; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:pup-activity; sid:2014287; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thespybot.com installation download detected"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php"; http_uri; content:"m="; http_uri; content:"&ydf="; http_uri; content:"&e="; http_uri; content:"&w="; http_uri; content:"&t="; http_uri; content:"&apz="; http_uri; reference:url,doc.emergingthreats.net/2008482; classtype:trojan-activity; sid:2008482; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:coin-mining; sid:2014535; rev:4; metadata:created_at 2012_04_10, former_category ADWARE_PUP, updated_at 2012_04_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon.dkxh Checkin to CnC"; flow:established,to_server; content:"OK|2e 01|200"; fast_pattern; depth:20; offset:13; content:"Windows "; distance:4; within:30; reference:url,doc.emergingthreats.net/2008540; classtype:command-and-control; sid:2008540; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET ADWARE_PUP DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:pup-activity; sid:2018458; rev:4; metadata:created_at 2014_05_09, former_category ADWARE_PUP, updated_at 2022_03_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.wpx or Related Downloader Posting Data"; flow:to_server,established; content:"POST"; http_method; content:"=|22|boturl|22|"; nocase; fast_pattern; content:"=|22|filename|22|"; nocase; content:"=|22|compips|22|"; nocase; content:"=|22|loadername|22|"; nocase; content:"=|22|loaderid|22|"; nocase; content:"=|22|uptime|22|"; nocase; content:"=|22|comptime|22|"; nocase; content:"=|22|winver|22|"; nocase; reference:url,doc.emergingthreats.net/2008319; classtype:trojan-activity; sid:2008319; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:pup-activity; sid:2018617; rev:7; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2016_06_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET MALWARE Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch)"; flow:established,to_server; dsize:<40; content:"viruscatch|00|"; reference:url,doc.emergingthreats.net/2008573; classtype:trojan-activity; sid:2008573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:pup-activity; sid:2020712; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET MALWARE Beizhu/Womble/Vipdataend Controller Keepalive"; flow:established,from_server; dsize:1; content:"d"; reference:url,doc.emergingthreats.net/2008335; classtype:trojan-activity; sid:2008335; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server"; flow:established,from_server; dsize:124; content:"|80 04 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011400; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011399; rev:4; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Execute DDoS Command From CnC Server"; flow:established,from_server; dsize:124; content:"|00 10 00 00|http|3a|//"; depth:11; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011398; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server"; flow:established,from_server; dsize:124; content:"|00 00 00 04|ftp|3a|//"; depth:10; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:command-and-control; sid:2011592; rev:1; metadata:created_at 2010_10_07, former_category MALWARE, updated_at 2010_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeAV SetupSecure Download Attempt SetupSecure"; flow:established,to_server; content:"/download/SetupSecure_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com; classtype:trojan-activity; sid:2011357; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Win32.FraudPack.aweo"; flow:established,to_server; content:"GET"; http_method; content:"update.php?do="; http_uri; content:"&coid="; http_uri; content:"&IP="; http_uri; content:"&fff="; http_uri; content:"&lct="; http_uri; content:"&ttt="; http_uri; content:"&v="; reference:md5,4bc4c32a8d93c29b026bbfb24ccecd14; classtype:trojan-activity; sid:2011294; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2015_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stupid Stealer C&C Communication (1)"; flow:established,to_server; content:"cmd=give&pcname="; nocase; http_uri; content:"&status="; http_uri; nocase; pcre:"/cmd=give&pcname=.+&status=\d+$/U"; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:command-and-control; sid:2011370; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:trojan-activity; sid:2019181; rev:9; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stupid Stealer C&C Communication (2)"; flow:established,to_server; content:"action=add"; nocase; http_uri; content:"&status="; nocase; http_uri; content:"&wmid="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&pcname="; http_uri; nocase; reference:url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb; classtype:command-and-control; sid:2011371; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2022_03_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FakeYak or Related Infection Checkin 2"; flow:established,to_server; content:"&fff="; http_uri; content:"&coid="; http_uri; content:"saf="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:command-and-control; sid:2011397; rev:3; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2010_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:3; metadata:created_at 2015_03_31, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE wisp backdoor detected reporting"; flow:established,to_server; content:"getkys.kys"; nocase; http_uri; content:"hostname="; nocase; http_uri; classtype:trojan-activity; sid:2011395; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018246; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(1)"; flow:established,to_server; content:"GET"; http_header; content:"/gatech.php?pn="; nocase; http_uri; reference:md5,ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011490; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader.Win32.Zlob.bgs Checkin(2)"; flow:established,to_server; content:"GET"; http_method; content:"/gatech.php?id="; nocase; http_uri; reference:md5,ffdcea0ed88d47bc21d71040f9289ef4; classtype:command-and-control; sid:2011491; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso FTP Credential Theft Reported"; flow:to_server,established; content:"/receiver/ftp"; http_uri; nocase; content:"|0d 0a 0d 0a|ftp_uri_0="; nocase; content:"&ftp_source_0="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:md5,348ba619aab3a92b99701335f95fe2a7; reference:md5,8be56dbd057c3bde42ae804bfd647bb6; classtype:trojan-activity; sid:2011470; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:3; metadata:created_at 2013_09_03, former_category CURRENT_EVENTS, updated_at 2013_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Daurso Checkin"; flow:established,to_server; content:"POST"; http_method; content:"receiver/online"; http_uri; content:"|0d 0a 0d 0a|guid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso; reference:url,xanalysis.blogspot.com/2009/07/9121219837-badness.html; reference:md5,348ba619aab3a92b99701335f95fe2a7; reference:md5,8be56dbd057c3bde42ae804bfd647bb6; classtype:command-and-control; sid:2011471; rev:3; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2010_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:3; metadata:created_at 2014_11_26, former_category CURRENT_EVENTS, updated_at 2014_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Small.gen!AQ Communication with Controller"; flow:established,to_server; content:"?uid="; nocase; http_uri; fast_pattern; content:"&action="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&b="; nocase; http_uri; pcre:"/\?uid=[0-9a-f]{40}&action=\w+&v=[\w.]+&b=\d+$/U"; reference:md5,eb3140416c06fa8cb7851076dd100dfb; reference:url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html; reference:md5,8033dffa899dcd16769f389073f9f053; classtype:trojan-activity; sid:2011414; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Vipdataend C&C Traffic Checkin variant 2"; flowbits:set,ET.vipdataend; flow:established,to_server; dsize:<22; content:"|3a|"; depth:5; offset:2; content:"|7c|win "; within:12; reference:url,doc.emergingthreats.net/2009025; classtype:command-and-control; sid:2009025; rev:3; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto Init"; flow:established,from_server; dsize:2; content:"x0"; depth:2; flowbits:noalert; flowbits:set,et.x0proto; classtype:trojan-activity; sid:2012236; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE x0Proto Client Info"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:<128; content:"x0|0c|"; depth:3; classtype:trojan-activity; sid:2012237; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE x0Proto Pong"; flow:established,to_server; flowbits:isset,et.x0proto; dsize:9; content:"x53|0c|"; depth:4; content:"|0c|0|0c|1"; distance:1; within:4; classtype:trojan-activity; sid:2012238; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto Ping"; flow:established,from_server; flowbits:isset,et.x0proto; dsize:7; content:"x53|0c|1|0c|0"; depth:7; classtype:trojan-activity; sid:2012239; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:3; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2014_11_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto Download Cmd"; flow:established,from_server; flowbits:isset,et.x0proto; content:"x74|0c|1|0c|1x"; depth:8; classtype:trojan-activity; sid:2012240; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm Worm HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/?"; http_uri; pcre:"/GET \/\?[0-9a-f]{16}/Ui"; pcre:"/Host\x3a [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2006411; classtype:trojan-activity; sid:2006411; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:3; metadata:created_at 2013_11_26, former_category CURRENT_EVENTS, updated_at 2013_11_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent|3a| Godzilla"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001711; classtype:trojan-activity; sid:2001711; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2010_07_30;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET DELETED Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; classtype:attempted-dos; sid:2027890; rev:2; metadata:created_at 2019_08_15, former_category SNMP, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CMD Shell"; flow:established,to_server; content:"|68 57 24 13 00 33|Microsoft"; offset:12; depth:15; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012307; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip"; depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027888; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon Server Auth to Bot"; flow:established,from_server; dsize:29; content:"|00 00|password|00 00 00|"; offset:3; depth:13; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012309; rev:1; metadata:created_at 2011_02_11, updated_at 2011_02_11;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip"; depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027889; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon CnC Traffic Inbound 2"; flow:established,from_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012305; rev:5; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:9; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Traffic Outbound 2"; flow:established,to_server; dsize:16; content:"|68 57 24 13|"; offset:12; depth:4; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012306; rev:6; metadata:created_at 2011_02_10, former_category MALWARE, updated_at 2011_02_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:8; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Night Dragon CnC Beacon Outbound"; flow:established,to_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; classtype:command-and-control; sid:2012303; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2011_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon CnC Beacon Inbound"; flow:established,from_server; dsize:16; content:"|01 50 00 00 00 00 00 00 00 00 00 01 68 57 24 13|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:command-and-control; sid:2012304; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2011_02_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:6; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Night Dragon Dropper Download Command"; flow:established,from_server; dsize:5; content:"|01 08 00 00 00|"; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf; classtype:trojan-activity; sid:2012308; rev:2; metadata:created_at 2011_02_11, former_category MALWARE, updated_at 2011_02_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE PWS Banker Trojan Sending Report of Infection"; flow: established,to_server; content:"From|3a 20 22|PC ID|3a|"; nocase; content:"Subject|3a| INFECTED"; nocase; content:"esta infectado"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html; reference:url,doc.emergingthreats.net/2001933; classtype:trojan-activity; sid:2001933; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:5; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3; metadata:created_at 2011_02_22, former_category CURRENT_EVENTS, updated_at 2011_02_22;)
 
-alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Eleonore Exploit pack download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/load/load.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=ultranichehost.com; classtype:trojan-activity; sid:2012446; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:3; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2014_04_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Agent.FakeAV.AVG 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=lr&id="; http_uri; content:"&ver="; http_uri; content:"&bit="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012448; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018375; rev:4; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Agent.FakeAV.AVG 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=vv&i="; http_uri; content:"&id="; http_uri; content:"&uni="; http_uri; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408; classtype:trojan-activity; sid:2012449; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:5; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009173; classtype:trojan-activity; sid:2009173; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:4; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti loader installed successfully response"; flow:established,from_server; content:"|0d 0a 0d 0a|a|0d 0a|install OK"; classtype:trojan-activity; sid:2012512; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:6; metadata:created_at 2014_04_09, former_category CURRENT_EVENTS, updated_at 2014_04_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus HTTP POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:".php?"; http_uri; content:"zip="; http_uri; content:"type="; http_uri; content:"name="; http_uri; content:"q="; http_uri; content:"item="; http_uri; content:"id="; http_uri; content:"rdp="; http_uri; reference:url,doc.emergingthreats.net/2008661; classtype:trojan-activity; sid:2008661; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:9; metadata:created_at 2014_04_11, former_category CURRENT_EVENTS, updated_at 2014_04_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*|0d 0a|"; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; classtype:trojan-activity; sid:2010348; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:3; metadata:created_at 2014_04_15, former_category CURRENT_EVENTS, updated_at 2014_04_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:5; metadata:created_at 2010_11_16, updated_at 2010_11_16;)
 
-alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:4; metadata:created_at 2014_04_15, former_category CURRENT_EVENTS, updated_at 2014_04_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Inject.ql Checkin Post"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"MAC="; nocase; http_client_body; content:"&IP="; nocase; http_client_body; content:"&NAME="; nocase; http_client_body; content:"&OS="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007803; classtype:command-and-control; sid:2007803; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET EXPLOIT SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:6; metadata:created_at 2014_10_15, former_category CURRENT_EVENTS, updated_at 2014_10_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d 0a|Host|3a20|"; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; classtype:trojan-activity; sid:2008434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:".classPK"; content:"$"; distance:-21; within:1; content:".classPK"; distance:0; content:"$"; distance:-21; within:1; pcre:"/\b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK/s"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb; classtype:attempted-user; sid:2017568; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_10_08, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.small Generic Checkin"; flow:established,to_server; content:"/install.asp?mac="; http_uri; content:"User-Agent|3a| MyAgent"; http_header; classtype:command-and-control; sid:2012541; rev:2; metadata:created_at 2011_03_22, former_category MALWARE, updated_at 2011_03_22;)
 
-alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:9; metadata:created_at 2014_04_11, former_category CURRENT_EVENTS, updated_at 2014_04_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif/DlKroha Trojan Activity HTTP Outbound"; flow:to_server,established; content:".php?"; http_uri; content:"4x4x4x4x4x6x"; http_uri; fast_pattern; reference:url,doc.emergingthreats.net/2009752; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; classtype:trojan-activity; sid:2009752; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; classtype:bad-unknown; sid:2014729; rev:5; metadata:created_at 2012_05_10, former_category CURRENT_EVENTS, updated_at 2012_05_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3; metadata:created_at 2011_04_07, former_category CURRENT_EVENTS, updated_at 2011_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:2017122; rev:4; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud download"; flow:established,to_server; content:"/peca"; nocase; http_uri; content:".exe"; nocase; http_uri; content:"User-Agent|3a 20|SKOLOVANI"; nocase; http_header; pcre:"/\x2fpeca\d+\x2eexe/Ui"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A; classtype:trojan-activity; sid:2012828; rev:2; metadata:created_at 2011_05_20, updated_at 2011_05_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; classtype:trojan-activity; sid:2017846; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Palevo/BFBot/Mariposa server join acknowledgement"; dsize:8; content:"|40|"; depth:1; flowbits:isset,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010101; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010101; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; classtype:trojan-activity; sid:2019597; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; classtype:trojan-activity; sid:2019599; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.Win32.AutoIt.ai Checkin"; flow:to_server,established; content:"/getpmnum"; http_uri; content:".asp?"; http_uri; content:"id="; http_uri; reference:md5,39d0dbe4f6923ed36864ae339f558963; classtype:command-and-control; sid:2012867; rev:3; metadata:created_at 2011_05_26, former_category MALWARE, updated_at 2011_05_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING! Your PC may not be protected!"; content:"remove malicious malware and adware"; distance:0; classtype:social-engineering; sid:2020588; rev:3; metadata:created_at 2015_03_03, former_category WEB_CLIENT, updated_at 2015_03_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Begman.A Checkin"; flow:established,to_server; content:".php?v="; http_uri; content:"&id="; http_uri; content:"&wv="; http_uri; pcre:"/\.php\?v=[A-Za-z0-9.]+&id=-?\d+&wv=[0-9.]{1,14}$/U"; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A; reference:url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248; classtype:bad-unknown; sid:2012908; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING|3a| Your PC may have a serious virus!"; content:"assistance removing malicious viruses"; classtype:social-engineering; sid:2020589; rev:3; metadata:created_at 2015_03_03, former_category WEB_CLIENT, updated_at 2015_03_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 288 (msg:"ET MALWARE Dropper.Win32.Agent.ahju Checkin"; flow:established,to_server; content:"|44 78 47 54 33 43 6D 42 66 39 73 39 6C 74 62 6A 35 61 4A 7C 0A|"; depth:21; reference:md5,48ad09c574a4bd3bb24d007005382e63; reference:md5,a264690a775a4e1b3d91c2dbcd850ce9; classtype:command-and-control; sid:2012895; rev:2; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - Alert"; flow:established,to_client; file_data; content:"<title>WARNING - SECURITY ALERT</title>"; classtype:trojan-activity; sid:2020710; rev:3; metadata:created_at 2015_03_19, former_category CURRENT_EVENTS, updated_at 2015_03_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bifrose Response from Controller"; flow:established,from_server; dsize:9; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008274; classtype:trojan-activity; sid:2008274; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT</title>"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:social-engineering; sid:2021177; rev:3; metadata:created_at 2015_06_03, former_category WEB_CLIENT, updated_at 2015_06_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Connect to Controller"; flow:established,to_server; dsize:<20; content:"|09 00 00 9a|"; depth:4; content:"|cc|"; distance:3; within:4; content:"|74|"; distance:3; within:4; reference:url,doc.emergingthreats.net/2008273; classtype:trojan-activity; sid:2008273; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"<title>MICROSOFT WINDOWS SECURITY ALERT</title>"; nocase; fast_pattern; content:"<title>WARNING: VIRUS CHECK</title>"; nocase; distance:0; classtype:social-engineering; sid:2021181; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.ZZSlash/Redosdru.E checkin"; flow:established,to_server; content:"|14 00 00 00 04 00 00 00 78 9C 63 60 60 60 00 00 00 04 00 01|"; depth:20; reference:md5,3b0299d72c853f56a1595c855776f89f; reference:md5,adc3a35d1244c9129be6edd6ccfaec5b; classtype:command-and-control; sid:2012957; rev:2; metadata:created_at 2011_06_08, former_category MALWARE, updated_at 2011_06_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"<title>WARNING: VIRUS CHECK</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:social-engineering; sid:2021182; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot .cb File Extention FTP Upload"; flow:established,to_server; content:"si_"; content:".cb"; distance:10; within:3; pcre:"/si\x5F[a-z]{5}[0-9]{5}\x2Ecb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012974; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"<title>Advised System Support!</title>"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:social-engineering; sid:2021183; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Seclog FTP Upload"; flow:established,to_server; content:"seclog_"; content:".kcb"; within:30; pcre:"/seclog\x5F[a-z]{5}[0-9]{5}\x5F.+\x2Ekcb/smi"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012975; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M2"; flow:established,to_client; file_data; content:"<title>Security Error</title>"; nocase; content:"myFunction|28 29|"; content:"setInterval"; content:"WARNING"; nocase; classtype:social-engineering; sid:2021286; rev:4; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Carberp CnC Reply no tasks"; flow:established,from_server; content:"|0d 0a 0d 0a|no tasks"; classtype:command-and-control; sid:2011851; rev:7; metadata:created_at 2010_10_26, former_category MALWARE, updated_at 2010_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M4"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; content:"onmouseover=|22|myFunction|28 29 3b 22|"; distance:1; content:"onclick=|22|myFunction|28 29 3b 22|"; distance:1; content:"onkeydown=|22|myFunction|28 29 3b 22|"; distance:1; content:"onunload=|22|myFunction|28 29 3b 22|"; distance:1; classtype:social-engineering; sid:2021288; rev:3; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader PWS Module Data Upload Activity"; flow:established,to_server; content:"/grabbers.php"; http_uri; content:"logs="; content:"&module=grabbers"; distance:0; reference:md5,12554e7f2e78daf26e73a2f92d01e7a7; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:md5,3310259795b787210dd6825e7b6d6d28; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:md5,7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013046; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M1"; flow:established,to_client; file_data; content:"/Alert_files/"; nocase; fast_pattern; content:"Due to a third party application"; nocase; distance:0; content:"iOS is crashed"; nocase; distance:0; classtype:social-engineering; sid:2021294; rev:3; metadata:created_at 2015_06_18, former_category WEB_CLIENT, updated_at 2015_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacShield FakeAV CnC Communication"; flow:established,to_server; content:"/mac/soft.php?affid="; nocase; http_uri; fast_pattern:only; reference:url,blog.trendmicro.com/obfuscated-ip-addresses-and-affiliate-ids-in-mac-fakeav/; classtype:command-and-control; sid:2013062; rev:2; metadata:created_at 2011_06_17, former_category MALWARE, updated_at 2011_06_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"a=HT&u="; http_uri; fast_pattern; content:"&clickid="; http_uri; distance:0; content:"&browser="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&device="; http_uri; distance:0; content:"&model="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; classtype:social-engineering; sid:2021295; rev:3; metadata:created_at 2015_06_18, former_category WEB_CLIENT, updated_at 2015_06_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vilsel.ayjv Checkin (aid)"; flow:to_server,established; content:"?aid="; http_uri; content:"&si="; http_uri; content:"&rd="; http_uri; pcre:"/&si=\d+&si=\d+&rd=20\d{11}/U"; classtype:command-and-control; sid:2013122; rev:5; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".php?cid="; http_uri; fast_pattern; content:"-w"; distance:0; http_uri; pcre:"/\.php\?cid=[0-9]+?-w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2021357; rev:5; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeAlert.Rena.n Checkin Flowbit set"; flow:established,to_server; content:"/1020000"; http_uri; depth:8; content:" HTTP/1.0|0d 0a|"; http_header; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:command-and-control; sid:2013135; rev:1; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M2"; flow:established,to_client; file_data; content:"<title>SCANNING.."; fast_pattern; content:"myFunction|28 29|"; distance:0; content:"virus"; nocase; distance:0; classtype:social-engineering; sid:2021358; rev:3; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"c="; http_uri; content:"&wv="; http_uri; content:"&wd="; http_uri; content:"&ie="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/2008347; classtype:successful-recon-limited; sid:2008347; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M3"; flow:established,to_client; file_data; content:"e.ctrlKey &&"; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"IP has been Registed"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2021359; rev:3; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SafeFighter Fake Scanner Installation in Progress"; flow:established,to_server; content:"/safefighter.php"; nocase; http_uri; content:"User-Agent|3a| NSIS"; nocase; http_header; reference:url,doc.emergingthreats.net/2010065; classtype:trojan-activity; sid:2010065; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Stylesheet June 26 2015"; flow:established,to_client; content:"Content-Type|3a 20|text/css"; http_header; file_data; content:".header-warning"; content:".what-to-do"; distance:0; content:"more-about-the-virus"; distance:0; fast_pattern; classtype:social-engineering; sid:2021366; rev:3; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Initial Checkin"; flow:established,to_server; content:"/username.asp?Uid="; http_uri; fast_pattern:only; classtype:command-and-control; sid:2013198; rev:2; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2011_07_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M6"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING|3a|"; nocase; fast_pattern; content:"onbeforeunload"; nocase; distance:0; content:"function|28 29|"; nocase; distance:0; content:"virus"; nocase; distance:0; classtype:social-engineering; sid:2021368; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/IRCBrute Checkin 2"; flow:established,to_server; content:"/Dialer_Min/telcom.asp"; nocase; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-IRB/detailed-analysis.aspx; classtype:command-and-control; sid:2013225; rev:3; metadata:created_at 2011_07_07, former_category MALWARE, updated_at 2011_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M4"; flow:to_client,established; file_data; content:"myFunction|28 29|"; content:"setInterval"; distance:0; content:"alert"; distance:0; content:"gp-msg.mp3"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2021449; rev:3; metadata:created_at 2015_07_20, former_category WEB_CLIENT, updated_at 2015_07_20;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo Download Command"; flow:established,to_server; content:"PRIVMSG #"; depth:9; content:"|3a 5b|d=|22|http|3a|//"; distance:0; reference:md5,2d69d8d243499ab53b840c64f68cc830; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013245; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M1"; flow:to_client,established; file_data; content:"us_win.mp3"; fast_pattern; content:"yourOS|28 29|"; distance:0; content:"myFunction|28 29|"; distance:0; content:"onload_fun|28 29|"; distance:0; classtype:social-engineering; sid:2021500; rev:3; metadata:created_at 2015_07_20, former_category WEB_CLIENT, updated_at 2015_07_20;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo CnC PONG"; flow:established,to_server; content:"PONG |3a|hub.us.com"; depth:16; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:command-and-control; sid:2013246; rev:2; metadata:created_at 2011_07_11, former_category MALWARE, updated_at 2011_07_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Sept 21 2015"; flow:established,to_client; file_data; content:"malware error 895-system 32.exe"; nocase; fast_pattern; content:"RESOLVE THE ISSUE ON TOLL FREE - 1-855-"; nocase; content:"DO NOT SHUT DOWN OR RESTART"; nocase; classtype:social-engineering; sid:2021811; rev:3; metadata:created_at 2015_09_22, former_category WEB_CLIENT, updated_at 2015_09_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Guagua Trojan Update Checkin"; flow:established,to_server; content:"/update_check?version="; http_uri; content:"User-Agent|3A| Update"; http_header; classtype:command-and-control; sid:2013259; rev:3; metadata:created_at 2011_07_13, former_category MALWARE, updated_at 2011_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:".html?a="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2021963; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nekill Checkin"; flow:established,to_server; content:"?v="; http_uri; content:"&mid="; http_uri; content:"&r1="; http_uri; content:"&tm="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&uid="; http_uri; content:"&cht="; http_uri; content:"&sn="; http_uri; reference:url,blog.emergingthreatspro.com/2011/07/bot-of-day-nekilla.html; classtype:command-and-control; sid:2013260; rev:3; metadata:created_at 2011_07_13, former_category MALWARE, updated_at 2011_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:"/scan"; depth:5; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/scan[A-Z][a-z]?\/?$/U"; classtype:social-engineering; sid:2021967; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library|3a| Indy 9"; nocase; content:"Nome Computador|3a| "; nocase; content:"Data|3a| "; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002978; classtype:trojan-activity; sid:2002978; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; classtype:social-engineering; sid:2021974; rev:3; metadata:created_at 2015_10_20, former_category WEB_CLIENT, updated_at 2015_10_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sohanad Checkin via HTTP"; flow:established,to_server; content:"GET"; http_method; content:"/cs/bux/check.php"; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007898; classtype:command-and-control; sid:2007898; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; classtype:social-engineering; sid:2021975; rev:3; metadata:created_at 2015_10_20, former_category WEB_CLIENT, updated_at 2015_10_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cycbot Pay-Per-Install Executable Download"; flow:established,to_server; content:"/adv.php?login="; http_uri; content:"&key="; http_uri; content:"&subacc="; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:trojan-activity; sid:2013291; rev:2; metadata:created_at 2011_07_19, updated_at 2011_07_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING! Windows Update Required"; nocase; fast_pattern; content:"Call US Toll Free|20 3a 20|1-877"; nocase; distance:0; content:"System connected with OVERSEAS IP Address"; nocase; distance:0; content:"YOUR COMPUTER HAS BEEN LOCKED!!"; nocase; distance:0; reference:url,threatglass.com/malicious_urls/funu-info; classtype:social-engineering; sid:2022010; rev:3; metadata:created_at 2015_10_29, former_category WEB_CLIENT, updated_at 2015_10_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cycbot Initial Checkin to CnC"; flow:established,to_server; content:"id="; http_uri; content:"&hwid="; http_uri; content:"&step="; http_uri; content:"&wd="; http_uri; content:"&av="; fast_pattern; http_uri; reference:url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/; classtype:command-and-control; sid:2013292; rev:2; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2011_07_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; classtype:social-engineering; sid:2022012; rev:3; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2015_10_31;)
+#alert udp $HOME_NET [!1720,!1722,!2222,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET MALWARE Possible KEYPLUG/Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,doc.emergingthreats.net/2009205; reference:url,www.mandiant.com/resources/apt41-us-state-governments; reference:md5,b82456963d04f44e83442b6393face47; classtype:trojan-activity; sid:2009205; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; classtype:social-engineering; sid:2022013; rev:3; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2015_10_31;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Google Warning Infected Local User"; flow:established,from_server; content:"<span>It appears that your computer is infected with software that intercepts your connection to Google and other sites.</span>"; classtype:trojan-activity; sid:2013318; rev:1; metadata:created_at 2011_07_26, updated_at 2011_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam JS Landing Nov 4"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; content:"Content-Encoding|3a 20|gzip"; http_header; file_data; content:"tfnnumber"; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"msgencoded"; content:"returnmsgencoded"; distance:0; content:"Base64"; pcre:"/^\s*?\.\s*?decode\s*?\(\s*?msgencoded\s*?\)\s*?\.\s*?replace/Rsi"; classtype:social-engineering; sid:2022031; rev:5; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Ruskill CnC Download Command 1"; flow:established,to_client; content:"|3a|["; depth:2; content:".r.getfile http|3a|//"; distance:0; classtype:command-and-control; sid:2013329; rev:3; metadata:created_at 2011_07_27, former_category MALWARE, updated_at 2011_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam GET Nov 4"; flow:to_server,established; content:"GET"; http_method; content:".html?cid="; nocase; http_uri; fast_pattern; content:"&caid="; http_uri; nocase; distance:0; content:"&oid="; http_uri; nocase; distance:0; content:"&zid="; http_uri; nocase; distance:0; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; content:!"www.google-analytics.com|0d 0a|"; http_header; classtype:social-engineering; sid:2022032; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Ruskill CnC Download Command 2"; flow:established,to_client; content:"|3a|n"; depth:2; content:"on .dl http|3a|//"; distance:0; classtype:command-and-control; sid:2013330; rev:1; metadata:created_at 2011_07_27, former_category MALWARE, updated_at 2011_07_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 11"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 22|"; fast_pattern; content:"onclick=|22|myFunction|28 29 22|"; distance:0; content:"onkeydown=|22|myFunction|28 29 22|"; distance:0; content:"onunload=|22|myFunction|28 29 22|"; distance:0; classtype:social-engineering; sid:2022079; rev:3; metadata:created_at 2015_11_12, former_category WEB_CLIENT, updated_at 2015_11_12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ruskill Reporting on Local Scans"; flow:established,to_server; content:"PRRVMSG"; depth:7; content:"Port Scan started on"; distance:0; content:"with a delay of"; distance:0; classtype:trojan-activity; sid:2013331; rev:1; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,from_server; file_data; content:"Windows Browser"; fast_pattern; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]country[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]isp[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]ip[\x22\x27]/Rsi"; content:"Hello China"; nocase; distance:0; classtype:social-engineering; sid:2022092; rev:3; metadata:created_at 2015_11_16, former_category WEB_CLIENT, updated_at 2015_11_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Dropper.Win32.Agent.bpxo Checkin"; flow:established,to_server; content:"|71 4E 6C 39 34 65 66 59 41 7A 32 32 37 4F 71 45 44 4D 50 0A|"; depth:20; reference:md5,02e447b347a90680e03c8b7d843a8e46; reference:url,www.antivirus365.org/PCAntivirus/37128.html; classtype:command-and-control; sid:2012894; rev:4; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2022103; rev:3; metadata:created_at 2015_11_17, former_category WEB_CLIENT, updated_at 2015_11_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose Client Checkin"; flow:established,to_server; content:"|00 00 99 4F B9 74 E2 75 94 0A 5A|"; offset:2; depth:11; classtype:command-and-control; sid:2013338; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; classtype:social-engineering; sid:2022125; rev:3; metadata:created_at 2015_11_21, former_category WEB_CLIENT, updated_at 2015_11_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:md5,08f116cf4feff245dca581244e4f509c; classtype:command-and-control; sid:2013340; rev:2; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2011_08_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M1"; flow:to_client,established; file_data; content:"/windowslogo.jpg"; fast_pattern; nocase; content:"/winborder.html"; nocase; distance:0; content:"bug1.html"; nocase; distance:0; content:"infected your system"; nocase; distance:0; content:"TCP connection already exists"; nocase; distance:0; content:"TOLL FREE"; nocase; distance:0; classtype:social-engineering; sid:2022319; rev:3; metadata:created_at 2015_12_30, former_category WEB_CLIENT, updated_at 2015_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Checkin"; flow:established,to_server; content:"/ping.php?v="; http_uri; content:"&cid="; http_uri; content:"&s="; http_uri; content:"&wid="; http_uri; content:"&fid="; http_uri; content:"&step="; http_uri; classtype:command-and-control; sid:2013366; rev:2; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M2"; flow:to_client,established; file_data; content:"/sound.mp3"; fast_pattern; nocase; content:"function goodbye"; nocase; distance:0; content:"DetectMobile()"; nocase; distance:0; content:"stopPropagation"; nocase; distance:0; content:"preventDefault"; nocase; distance:0; classtype:social-engineering; sid:2022320; rev:3; metadata:created_at 2015_12_30, former_category WEB_CLIENT, updated_at 2015_12_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alunik User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| Alun4ik"; http_header; classtype:trojan-activity; sid:2013377; rev:2; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:social-engineering; sid:2022410; rev:3; metadata:created_at 2016_01_27, former_category WEB_CLIENT, updated_at 2016_01_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 1"; flow:established,to_server; content:"/images/thanks_25.php?id="; fast_pattern:only; content:"HTTP/1.1|0d 0a|User-Agent"; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013383; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:social-engineering; sid:2022528; rev:3; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2016_02_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Accept-encode HTTP header with UA indicating infected host"; flow:established,to_server; content:"Accept-encode|3a| "; fast_pattern; http_header; content:"Accept-Encoding|3a| "; http_header; threshold:type limit, count 1, seconds 360, track by_src; classtype:trojan-activity; sid:2013385; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:social-engineering; sid:2022530; rev:3; metadata:created_at 2016_02_17, former_category WEB_CLIENT, updated_at 2016_02_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent 3653Client"; flow:established,to_server; content:"User-Agent|3A 20|3653Client"; http_header; classtype:trojan-activity; sid:2013390; rev:2; metadata:created_at 2011_08_10, updated_at 2011_08_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022602; rev:3; metadata:created_at 2016_03_07, former_category WEB_CLIENT, updated_at 2016_03_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent|3A 20|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:2; metadata:created_at 2011_08_11, updated_at 2011_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022603; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET MALWARE Bancos.DV MSSQL CnC Connection Outbound"; flow:to_server,established; flowbits:isset,ET.MSSQL; content:"|49 00 B4 00 4D 00 20 00 54 00 48 00 45 00 20 00 4D 00 41 00 53 00 54 00 45 00 52 00|"; classtype:command-and-control; sid:2013411; rev:1; metadata:created_at 2011_08_16, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022605; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; classtype:command-and-control; sid:2012961; rev:3; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2011_06_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:social-engineering; sid:2022606; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Chekafe.D Initial Checkin"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&isInst="; http_uri; content:"&lockcode="; http_uri; content:"&pc="; http_uri; content:"&PcType="; http_uri; content:"&AvName="; http_uri; content:"&ProCount="; http_uri; classtype:command-and-control; sid:2013447; rev:3; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2011_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2022607; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
+#alert tcp $EXTERNAL_NET 6000:10000 -> $HOME_NET any (msg:"ET MALWARE Vobfus/Changeup/Chinky Download Command"; flow:to_client,established; content:"|3a 2e|dl http|3a|"; depth:11; reference:url,www.symantec.com/connect/blogs/w32changeup-threat-profile; reference:url,doc.emergingthreats.net/2010973; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2; reference:md5,f8880b851ea5ed92dd97657574fb4f70; classtype:trojan-activity; sid:2010973; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:social-engineering; sid:2022619; rev:3; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2016_03_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Phoenix Landing Page Obfuscated Javascript 2"; flow:established,to_client; content:"<html><body><input|20|type|3d 27|hidden|27 20|value|3d 27|"; pcre:"/\S{20,40}\'\>/R"; classtype:trojan-activity; sid:2013314; rev:5; metadata:created_at 2011_07_26, updated_at 2011_07_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:social-engineering; sid:2022649; rev:3; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2016_03_23;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Pack Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?e="; http_uri; content:"&o="; http_uri; content:"&b="; http_uri; content:"&id="; http_uri; pcre:"/\.php\?e=\d+&o=\w+&b=\w+&id=[0-9a-f]{32}$/U"; reference:url,www.kahusecurity.com/2011/best-pack/; classtype:bad-unknown; sid:2013489; rev:3; metadata:created_at 2011_08_30, updated_at 2011_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:3; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
+alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET MALWARE W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1; metadata:created_at 2011_08_31, updated_at 2011_08_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:social-engineering; sid:2022695; rev:3; metadata:created_at 2016_04_01, former_category WEB_CLIENT, updated_at 2016_04_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bancos Reporting"; flow:established,to_server; content:".php?codigo="; http_uri; content:"&g_id="; http_uri; content:"&g_windows="; http_uri; content:"&func_versao_ie="; http_uri; content:"&firefox="; http_uri; content:"&primeira_versao_update="; http_uri; content:"&ultimo_acesso="; http_uri; classtype:trojan-activity; sid:2013513; rev:2; metadata:created_at 2011_08_31, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022802; rev:3; metadata:created_at 2016_05_11, former_category WEB_CLIENT, updated_at 2016_05_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:social-engineering; sid:2022855; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Fynloski.A Command Request"; flow:to_server,established; content:"#BOT#"; depth:5; pcre:"/^\x23BOT\x23(VisitUrl|OpenUrl|Ping|RunPrompt|CloseServer|SvrUninstall|URLUpate|URLDownload)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013532; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:social-engineering; sid:2022856; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2; metadata:created_at 2011_09_03, updated_at 2011_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:social-engineering; sid:2022857; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host|3A 20|google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013544; rev:2; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:social-engineering; sid:2022926; rev:3; metadata:created_at 2016_06_29, former_category WEB_CLIENT, updated_at 2016_06_29;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 54 (msg:"ET MALWARE Win32.Unknown.UDP.edsm CnC traffic"; content:"|65 f2 9c 64 cf 0a 5e d3 f6 5b 2a 9f 73 3c 91 4d|"; offset:16; depth:16; threshold:type limit, track by_src, count 1, seconds 600; reference:url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef; classtype:command-and-control; sid:2013547; rev:2; metadata:created_at 2011_09_07, former_category MALWARE, updated_at 2011_09_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:social-engineering; sid:2022928; rev:3; metadata:created_at 2016_06_29, former_category WEB_CLIENT, updated_at 2016_06_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fivfrom Downloader (Unitrix)"; flow:established,to_server; content:".php?seller="; http_uri; content:"&hash={"; http_uri; pcre:"/hash=\{[a-f0-9]+-/Ui"; classtype:trojan-activity; sid:2013555; rev:5; metadata:created_at 2011_09_10, updated_at 2011_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:social-engineering; sid:2023869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_02_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Program Storm3-607.exe Download Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/Storm3-607.exe"; nocase; http_uri; content:"User-Agent|3a| InnoTools_Downloader"; http_header; classtype:trojan-activity; sid:2013560; rev:3; metadata:created_at 2011_09_12, updated_at 2011_09_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_09, updated_at 2011_08_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:2; metadata:created_at 2011_09_19, updated_at 2011_09_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (touch)"; flow:to_server,established; content:"/touch.php?dir="; http_uri; content:" HTTP/1.1|0d 0a|Host|3a| "; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|Accept|3a| */*|0d 0a 0d 0a|"; within:70; content:!"User-Agent|3a|"; http_header; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013671; rev:2; metadata:created_at 2011_09_19, former_category MALWARE, updated_at 2011_09_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Multibrowser Resource Exhaustion observed in Tech Support Scam"; flow:from_server,established; file_data; content:"var|20|total|20|=|20 22 22 3b|"; nocase; content:"total|20|=|20|total"; nocase; distance:0; content:"history.pushState"; nocase; fast_pattern; distance:0; pcre:"/^\s*\(\s*0\s*,\s*0\s*,\s*total\s*\)/Ri"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1246773; classtype:social-engineering; sid:2024305; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_05_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013686; rev:2; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2011_09_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe - Update Adobe Flash Player</title>"; nocase; classtype:bad-unknown; sid:2024643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:md5,4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:2; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2011_09_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player Update</title>"; nocase; classtype:bad-unknown; sid:2024644; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"ET MALWARE Win32.Parite Checkin SQL Database"; flow:established,to_server; content:"SHOW COLUMNS FROM webronaldogyn01"; reference:md5,19441bc629e6c1dcb54cb5febdf9a22d; classtype:command-and-control; sid:2013683; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_09_22, deployment Perimeter, former_category MALWARE, malware_family Parite, signature_severity Major, updated_at 2017_07_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player</title>"; nocase; classtype:bad-unknown; sid:2024645; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+#alert http $HOME_NET any ->  $EXTERNAL_NET any (msg:"ET MALWARE Win32.Swisyn Reporting"; flow:to_server,established; content:"/Qvodav.exe"; nocase; http_uri; content:"User-Agent|3a| Av_DVD"; nocase; http_header; reference:url,precisesecurity.com/worms/trojan-win32-swisyn-algm; classtype:trojan-activity; sid:2013766; rev:5; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player|20 7c 20|Free Download</title>"; nocase; classtype:bad-unknown; sid:2024646; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible German Governmental Backdoor/R2D2.A 2"; flow:from_client,established; content:"C3PO-r2d2-POE"; depth:13; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013752; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player Update</title>"; nocase; classtype:bad-unknown; sid:2024647; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible German Governmental Backdoor/R2D2.A 1"; flow:from_client,established; content:"|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"; fast_pattern; reference:url,ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013751; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player is outdated</title>"; nocase; classtype:bad-unknown; sid:2024648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Prosti Checkin"; flow:from_client,established; content:"&first& # 0d 0h "; depth:16; reference:md5,5113c6dbd644874482f3a26650970600; classtype:command-and-control; sid:2013769; rev:1; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>flash player might be outdated</title>"; nocase; classtype:bad-unknown; sid:2024649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
+#alert ip 207.158.22.134 any -> $HOME_NET any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; threshold:type limit, track by_src,count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/gui/file/be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013755; rev:4; metadata:created_at 2011_10_11, former_category MALWARE, updated_at 2011_10_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam Landing M1 Oct 13 2017"; flow:established,to_client; file_data; content:"<title>Windows Defender</title>"; nocase; fast_pattern; content:"background-color|3a 20|#659e1d"; nocase; distance:0; classtype:social-engineering; sid:2024841; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2017_10_13;)
+#alert ip $HOME_NET any -> 207.158.22.134 any (msg:"ET MALWARE Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1"; threshold:type limit, track by_dst, count 1, seconds 60; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; reference:url,www.f-secure.com/weblog/archives/00002249.html; reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; reference:url,www.ccc.de/en/updates/2011/staatstrojaner; classtype:trojan-activity; sid:2013756; rev:4; metadata:created_at 2011_10_11, updated_at 2011_10_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2018-01-10"; flow:from_server,established; file_data; content:"<title>Security Warning"; nocase; fast_pattern; content:"background-color:#d70000"; nocase; distance:0; classtype:social-engineering; sid:2025197; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_01_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Server ping"; flow:from_server,established; content:"wBmpf3Pb7RJe|0d0a|"; depth:14; dsize:14; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013774; rev:2; metadata:created_at 2011_10_14, updated_at 2011_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 12"; flow:from_server,established; file_data; content:"|57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 41 6c 65 72 74 20 3a 20 5a 65 75 73 20 56 69 72 75 73 20 44 65 74 65 63 74 65 64 20 49 6e 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 20 21 21 3c 2f 68 31 3e|"; fast_pattern; nocase; content:"|3e 50 6c 65 61 73 65 20 44 6f 20 4e 6f 74 20 53 68 75 74 20 44 6f 77 6e 20 6f 72 20 52 65 73 65 74 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 2e 3c 2f 68 33 3e|"; nocase; distance:0; classtype:social-engineering; sid:2025345; rev:3; metadata:created_at 2018_02_12, former_category WEB_CLIENT, updated_at 2018_02_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Outbound"; flow:established,to_server; content:"Ypmw1Syv023QZD"; depth:30; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013771; rev:4; metadata:created_at 2011_10_14, former_category MALWARE, updated_at 2011_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"Microsoft Windows Notification"; nocase; fast_pattern; content:"<audio autoplay=autoplay loop id=audio>"; nocase; distance:0; content:".mp3 type=audio/mpeg"; nocase; distance:0; classtype:social-engineering; sid:2025908; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_07_26;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Cerberus RAT Checkin Response"; flow:established,to_client; content:"Ypmw1Syv023QZD"; depth:30; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:command-and-control; sid:2013772; rev:2; metadata:created_at 2011_10_14, former_category MALWARE, updated_at 2011_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"href=|22|./files/alert.css"; nocase; content:"<audio autoplay=|22|autoplay|22 20|loop=|22|"; nocase; fast_pattern; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Internet Security Alert"; nocase; distance:0; classtype:social-engineering; sid:2025909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_07_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Cerberus RAT Client pong"; flow:from_client,established; content:"wZ2pla"; depth:6; reference:md5,76e084e9420bfaa31c0f0bf000f1c301; classtype:trojan-activity; sid:2013773; rev:2; metadata:created_at 2011_10_14, updated_at 2011_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"<title>Windows Defender"; nocase; fast_pattern; content:"<audio id=|22|play|22 20|loop="; nocase; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Windows Defender Alert"; nocase; distance:0; classtype:social-engineering; sid:2025910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_07_26;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Java"; http_header; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam Landing 2018-09-12"; flow:established,to_client; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern; content:"<strong>VIRUS ALERT FROM MICROSOFT"; nocase; distance:0; content:"<audio autoplay=|22|autoplay|22|"; nocase; distance:0; classtype:social-engineering; sid:2026111; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_09_12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BOT - potential DDoS command (2)"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"ddos"; nocase; pcre:"/ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; reference:url,doc.emergingthreats.net/2003132; classtype:trojan-activity; sid:2003132; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC Activity"; content:"|af 7d a7 38 eb f9 f7 47|"; depth:8; fast_pattern; content:"|00|"; distance:4; within:1; content:"|10 00|"; distance:1; within:2; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.fortinet.com/blog/threat-research/chinese-targeted-trojan-analysis.html; classtype:command-and-control; sid:2027892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_08_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential DDoS command 1"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"floodnet "; pcre:"/floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; reference:url,doc.emergingthreats.net/2002032; classtype:trojan-activity; sid:2002032; rev:22; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> 76.74.9.18 $HTTP_PORTS (msg:"ET DELETED Milw0rm Exploit Launch Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/exploit.php?id="; http_uri; nocase; reference:url,www.milw0rm.com; reference:url,doc.emergingthreats.net/2009586; classtype:misc-activity; sid:2009586; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via http command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:" http|3a|//"; fast_pattern:only; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+http\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2002031; classtype:trojan-activity; sid:2002031; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; http_uri; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002406; classtype:attempted-recon; sid:2002406; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow:to_client,established; content:"|3a|"; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within:40; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002029; classtype:trojan-activity; sid:2002029; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; reference:url,doc.emergingthreats.net/2011241; classtype:not-suspicious; sid:2011241; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE perlb0t/w0rmb0t Response 2"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within: 32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; reference:url,doc.emergingthreats.net/2006911; classtype:trojan-activity; sid:2006911; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Ad Report"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/ad_report.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"protocol="; http_uri; content:"author="; http_uri; content:"login="; http_uri; content:"zone="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011758; classtype:policy-violation; sid:2011758; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC DCC chat request on non-standard port"; flow:to_server,established; content:"PRIVMSG "; nocase; depth:8; content:" |3a|.DCC CHAT chat"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000350; classtype:policy-violation; sid:2000350; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (agtray)"; flow: to_server,established; content:"/pr/agtray.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000569; classtype:policy-violation; sid:2000569; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC DNS request on non-standard port"; flow:to_server,established; content:"USERHOST "; nocase; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2000352; classtype:policy-violation; sid:2000352; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED KitCo Kcast Ticker (autray)"; flow: to_server,established; content:"/pr/autray.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000570; classtype:policy-violation; sid:2000570; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE psyBNC IRC Server Connection"; flow:from_server,established; content:"psyBNC@lam3rz"; depth:33; nocase; flowbits:isset,is_proto_irc; reference:url,en.wikipedia.org/wiki/PsyBNC; reference:url,doc.emergingthreats.net/2003302; classtype:misc-activity; sid:2003302; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $HOME_NET any -> 76.74.9.19 $HTTP_PORTS (msg:"ET DELETED Packetstormsecurity Exploits Of The Month Download"; content:"GET /"; content:"-exploits.tgz"; http_uri; depth:70; flow:to_server,established; reference:url,www.packetstormsecurity.org; reference:url,doc.emergingthreats.net/2008525; classtype:misc-activity; sid:2008525; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot scan/exploit command"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; reference:url,doc.emergingthreats.net/2002030; classtype:trojan-activity; sid:2002030; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid"; flow:established,to_server; content:"/news.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004585; classtype:web-application-attack; sid:2004585; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC potential bot commands"; flow:established,from_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; reference:url,doc.emergingthreats.net/2002384; classtype:trojan-activity; sid:2002384; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/pathwirte.php?"; http_uri; nocase; content:"FSPHP_LIB="; http_uri; nocase; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58317; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010361; classtype:web-application-attack; sid:2010361; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC potential reptile commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; reference:url,doc.emergingthreats.net/2002363; classtype:trojan-activity; sid:2002363; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ch_readalso.php?"; http_uri; nocase; content:"read_xml_include="; http_uri; nocase; pcre:"/read_xml_include=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29251; reference:url,xforce.iss.net/xforce/xfdb/42459; reference:url,milw0rm.com/exploits/5624; reference:url,doc.emergingthreats.net/2010099; classtype:web-application-attack; sid:2010099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Username in IRC (XP-..)"; flow:established,to_server; content:"USER XP-"; depth:8; reference:url,doc.emergingthreats.net/2008123; classtype:trojan-activity; sid:2008123; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/common.php?"; http_uri; nocase; content:"root="; http_uri; nocase; pcre:"/root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/29904; reference:url,milw0rm.com/exploits/7218; reference:url,doc.emergingthreats.net/2008922; classtype:web-application-attack; sid:2008922; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls"; flow:established,to_server; content:"/modules/noevents/templates/mfa_theme.php?"; http_uri; nocase; content:"tpls["; http_uri; nocase; reference:cve,CVE-2007-2572; reference:url,www.milw0rm.com/exploits/3861; reference:url,doc.emergingthreats.net/2003694; classtype:web-application-attack; sid:2003694; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ruskill/Palevo KCIK IRC Command"; flow:established,to_server; content:"KCIK |7b|"; depth:6; reference:url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362; reference:url,sebdraven.tumblr.com/post/6769853139/palevo-analysises; classtype:trojan-activity; sid:2013247; rev:5; metadata:created_at 2011_07_11, updated_at 2011_07_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username"; flow:established,to_server; content:"/de/pda/dev_logon.asp?"; http_uri; nocase; content:"username="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003894; classtype:web-application-attack; sid:2003894; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Agobot-SDBot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; reference:url,doc.emergingthreats.net/2003157; classtype:trojan-activity; sid:2003157; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp"; flow:established,to_server; content:"/usrmgr/registerAccount.asp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003895; classtype:web-application-attack; sid:2003895; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp"; flow:established,to_server; content:"/de/create_account.asp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003896; classtype:web-application-attack; sid:2003896; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Client Checkin"; flow:established,to_server; content:"|40 1f|"; offset:1; depth:2; content:"|03|"; distance:1; within:1; content:"|20 00 00 00|"; distance:1; within:4; dsize:10; reference:md5,a7f4a7d08fa650a5f09a00519b944b0b; classtype:command-and-control; sid:2013793; rev:1; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/resource_categories_view.php?"; http_uri; nocase; content:"CLASSES_ROOT="; http_uri; nocase; pcre:"/CLASSES_ROOT=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009333; classtype:web-application-attack; sid:2009333; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:md5,a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1; metadata:created_at 2011_10_24, updated_at 2011_10_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt"; flow: established,from_client; content:"/osticket/include"; http_uri; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438; reference:cve,CAN-2005-1439; reference:url,doc.emergingthreats.net/bin/view/Main/2002702; classtype:web-application-attack; sid:2002702; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.SuspectCRC FakeAV Checkin"; flow:established,to_server; content:"value.php?"; http_uri; content:"md="; http_uri; content:"&pc="; http_uri; content:"User-Agent|3a| sample"; http_header; reference:md5,54c9d51661a05151e5143f4e80cbed86; classtype:command-and-control; sid:2013799; rev:3; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2011_10_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home"; flow:established,to_server; content:"/skins/header.php?"; http_uri; nocase; content:"ote_home="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003741; classtype:web-application-attack; sid:2003741; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home"; flow:established,to_server; content:"/skins/header.php?"; http_uri; nocase; content:"ote_home="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003878; classtype:web-application-attack; sid:2003878; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Warezov/Stration Data Post to Controller"; flow:established,to_server; content:"/cgi-bin/pr.cgi"; http_uri; content:"POST"; http_method; reference:url,www.sophos.com/security/analyses/w32strationbo.html; reference:url,doc.emergingthreats.net/2003180; classtype:trojan-activity; sid:2003180; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/filepool.php?"; http_uri; nocase; content:"oe_classpath="; http_uri; nocase; pcre:"/oe_classpath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31423; reference:url,milw0rm.com/exploits/6585; reference:url,doc.emergingthreats.net/2009164; classtype:web-application-attack; sid:2009164; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Basine Trojan Checkin"; flow:established,to_server; content:"a="; http_client_body; content:"&b=reported"; http_client_body; content:"&d=report"; http_client_body; reference:url,doc.emergingthreats.net/2007692; classtype:command-and-control; sid:2007692; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/modules/core/logger/init.php?"; http_uri; nocase; content:"GLOBALS[preloc]="; http_uri; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009459; classtype:web-application-attack; sid:2009459; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bifrose Connect to Controller (PING PONG)"; flow:stateless; dsize:10; content:"PING |3a|i.|0d 0a|"; flowbits:set,ET.bifrose1; reference:url,doc.emergingthreats.net/2009128; classtype:trojan-activity; sid:2009128; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/newscat.php?"; http_uri; nocase; content:"GLOBALS[preloc]="; http_uri; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009460; classtype:web-application-attack; sid:2009460; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Bifrose Response from Controller (PING PONG)"; flow:stateless; flowbits:isset,ET.bifrose1; dsize:9; content:"PONG |3a|i.|0d|"; reference:url,doc.emergingthreats.net/2009129; classtype:trojan-activity; sid:2009129; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006528; classtype:web-application-attack; sid:2006528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV FakeAlertRena.n Checkin NO Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; content:"Content-Length|3a| 2|0d 0a 0d 0a|NO"; classtype:command-and-control; sid:2013420; rev:4; metadata:created_at 2011_08_18, former_category MALWARE, updated_at 2011_08_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006529; classtype:web-application-attack; sid:2006529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:md5,bf156b649cb5da6603a5f665a7d8f13b; classtype:command-and-control; sid:2013821; rev:2; metadata:created_at 2011_11_04, former_category MALWARE, updated_at 2011_11_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006530; classtype:web-application-attack; sid:2006530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Koobface Variant Initial Checkin"; flow:established,to_server; content:".php?datos=c|3A|"; http_uri; content:"&user="; http_uri; classtype:command-and-control; sid:2013890; rev:2; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2011_11_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006531; classtype:web-application-attack; sid:2006531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Checkin"; flow:from_client,established; dsize:12; content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; depth:12; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:command-and-control; sid:2013891; rev:1; metadata:created_at 2011_11_09, former_category MALWARE, updated_at 2011_11_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006532; classtype:web-application-attack; sid:2006532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Server Reply"; flow:from_server,established; dsize:44; content:"|33 39 0d ff 0a c4 e5 9f d5 ec 58 4a 69|"; depth:13; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013892; rev:1; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006533; classtype:web-application-attack; sid:2006533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Svlk Client Ping"; flow:from_client,established; dsize:7; content:"|33 0D FF 0A C5 F8 C1|"; depth:7; reference:md5,c929e8c75901c7e50685df0445a38bd0; classtype:trojan-activity; sid:2013893; rev:2; metadata:created_at 2011_11_09, updated_at 2011_11_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006534; classtype:web-application-attack; sid:2006534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Yaq Checkin"; flow:established,to_server; content:"/Submit.php?id="; http_uri; content:"&action="; http_uri; within:10; content:"&mac="; http_uri; within:10; content:"&lockcode="; http_uri; within:30; content:"&homepc="; http_uri; within:15; content:"User-Agent|3A 20|getinfo|0D 0A|"; http_header; classtype:command-and-control; sid:2013900; rev:2; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006535; classtype:web-application-attack; sid:2006535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.BlackControl Retrieving IP Information"; flow:established,to_server; content:"/v2/ip_query_country.php?key="; http_uri; content:"&timezone="; http_uri; content:"User-Agent|3A 20|1|0D 0A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2013902; rev:3; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006536; classtype:web-application-attack; sid:2006536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GetFile"; flow:established,to_server; content:"User-Agent|3A 20|GetFile|0D 0A|"; http_header; classtype:trojan-activity; sid:2013903; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006537; classtype:web-application-attack; sid:2006537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rimecud User Agent beat"; flow:established,to_server; content:"User-Agent|3A 20|beat|0D 0A|"; http_header; classtype:trojan-activity; sid:2013904; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006538; classtype:web-application-attack; sid:2006538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:2; metadata:created_at 2011_11_11, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006539; classtype:web-application-attack; sid:2006539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection"; flow:established; content:"maininfo|7c|"; depth:9; nocase; content:"|7c|"; distance:3; reference:url,doc.emergingthreats.net/2008644; classtype:trojan-activity; sid:2008644; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006540; classtype:web-application-attack; sid:2006540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Emp Keepalive to CnC"; flow:established,to_server; content:"|7a 05 61 17 27 f5 09 f9 05 a2 ff 71 e0 49 96 47|"; offset:16; depth:16; dsize:48; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210; classtype:command-and-control; sid:2013922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006541; classtype:web-application-attack; sid:2006541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu2 Keepalive to CnC"; flow:established,to_server; content:"|1c e9 a1 06 39 95 48 0d 64 1f 39 23 21 7f dc 43|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006542; classtype:web-application-attack; sid:2006542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu3 Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006543; classtype:web-application-attack; sid:2006543; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu4 Keepalive to CnC"; flow:established,to_server; content:"|ea a2 0d a1 b4 a9 a2 18 12 34 67 eb aa 6f ab 3f|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2013925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_18, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006544; classtype:web-application-attack; sid:2006544; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:md5,1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006545; classtype:web-application-attack; sid:2006545; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TR/Rimecud.aksa User-Agent (indy)"; flow:to_server,established; content:"User-Agent|3a| indy|0d 0a|"; http_header; reference:md5,1536a7072981ce5140efe6b9c193bb7e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013952; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/converter.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009871; classtype:web-application-attack; sid:2009871; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (counters)"; flow:to_server,established; content:"User-Agent|3a| counters|0d 0a|"; http_header; reference:md5,60ce66bd10fcac3c97151612c8a4d343; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013953; rev:3; metadata:created_at 2011_11_22, updated_at 2011_11_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/messages.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009872; classtype:web-application-attack; sid:2009872; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.A User-Agent (giftz)"; flow:to_server,established; content:"User-Agent|3a| giftz|0d 0a|"; http_header; reference:md5,0f726e84bae5a8d1f166bbf6d09d821b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013954; rev:2; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/settings.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009873; classtype:web-application-attack; sid:2009873; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality User-Agent (Internet Explorer 5.01)"; flow:established,to_server; content:"User-Agent|3A 20|Internet Explorer 5.01|0D 0A|"; http_header; classtype:trojan-activity; sid:2013963; rev:3; metadata:created_at 2011_11_23, updated_at 2011_11_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB Remote Code Execution Attempt"; flow:established,to_server; content:"/viewtopic.php?"; http_uri; pcre:"/highlight=.*?(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})/Ui"; reference:url,secunia.com/advisories/15845/; reference:bugtraq,14086; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; reference:url,doc.emergingthreats.net/2002070; classtype:web-application-attack; sid:2002070; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET MALWARE TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1; metadata:created_at 2011_12_02, updated_at 2011_12_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"phpbb_root_path="; http_uri; nocase; pcre:"/phpbb_root_path=(ftps?|https?|php)/Ui"; reference:url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path; reference:url,doc.emergingthreats.net/2002731; classtype:web-application-attack; sid:2002731; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Jorik DDOS Instructions From CnC Server"; flow:established,to_client; content:"|7C|ddos|7C|"; pcre:"/\x7Cddos\x7C(syn|http)\x7C/"; classtype:command-and-control; sid:2013998; rev:3; metadata:created_at 2011_12_08, former_category MALWARE, updated_at 2011_12_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage1; flowbits:noalert; reference:url,doc.emergingthreats.net/2010890; classtype:attempted-user; sid:2010890; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.dytr Checkin"; flow:to_server,established; content:"/gate.php?id="; http_uri; content:"&pc="; http_uri; content:"&os="; http_uri; content:"&version="; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,090986b0e303779bde1ddad3c65a9d78; classtype:command-and-control; sid:2014003; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"agreed=I+agree+to+these+terms"; content:"change_lang="; content:"creation_time"; content:"form_token"; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage1; flowbits:set,ET.phpBB3_register_stage2; flowbits:noalert; reference:url,doc.emergingthreats.net/2010891; classtype:attempted-user; sid:2010891; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE P2P Zeus Response From CnC"; flow:established,from_server; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74|"; distance:5; within:2; content:"|C1|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:command-and-control; sid:2013912; rev:4; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=confirm"; http_uri; content:"confirm_id="; http_uri; content:"type="; http_uri; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage3; flowbits:noalert; reference:url,doc.emergingthreats.net/2010892; classtype:attempted-user; sid:2010892; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent (Gootkit HTTP Client)"; flow:to_server,established; content:"Gootkit HTTP Client"; http_header; nocase; reference:url,doc.emergingthreats.net/2010718; classtype:command-and-control; sid:2010718; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"email_confirm="; content:"new_password"; content:"password_confirm"; content:"lang="; content:"tz="; content:"confirm_code="; content:"refresh_vc="; content:"confirm_id="; content:"agreed="; content:"change_lang="; content:"confirm_id="; content:"creation_time="; content:"form_token="; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage3; flowbits:set,ET.phpBB3_register_stage4; flowbits:noalert; reference:url,doc.emergingthreats.net/2010893; classtype:attempted-user; sid:2010893; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Infection Report via HTTP"; flow:established,to_server; content:"/keylogkontrol/"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; classtype:trojan-activity; sid:2008047; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^Y$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010894; classtype:web-application-attack; sid:2010894; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET MALWARE Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2014047; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^YYY$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010895; classtype:web-application-attack; sid:2010895; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:5; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Bogus Stage3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=confirm"; http_uri; content:"id="; http_uri; pcre:"/(\?|&)id=/Ui"; content:"type="; http_uri; reference:url,doc.emergingthreats.net/2010898; classtype:web-application-attack; sid:2010898; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014055; rev:1; metadata:created_at 2011_12_31, former_category MALWARE, updated_at 2011_12_31;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 multiple login attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=login"; http_uri; threshold: type threshold, track by_src, count 2, seconds 60; reference:url,doc.emergingthreats.net/2010899; classtype:attempted-user; sid:2010899; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_31, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 possible spammer posting attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/posting.php"; http_uri; nocase; content:"mode=post"; http_uri; threshold: type threshold, track by_src, count 2, seconds 30; reference:url,doc.emergingthreats.net/2010900; classtype:web-application-attack; sid:2010900; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:command-and-control; sid:2014056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_12_31, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Possible PHP-Calendar configfile Remote .PHP File Inclusion Arbitrary Code Execution Attempt"; flow:established,to_server; content:"/php-calendar-1.1/update"; http_uri; nocase; content:"configfile="; http_uri; nocase; content:".php"; nocase; pcre:"/\x2Fphp-calendar-1.1\x2Fupdate(08|10)\x2Ephp(\x3F|.*(\x26|\x3B))configfile=[^\x26\x3B]*[^a-zA-Z0-9_]/Ui"; reference:url,securitytracker.com/alerts/2009/Dec/1023375.html; reference:cve,2009-3702; reference:url,doc.emergingthreats.net/2010531; classtype:web-application-attack; sid:2010531; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetProtection Download"; flow:established,from_server; content:"|3b 20|filename=|22|InstallInternetProtection_"; nocase; classtype:trojan-activity; sid:2012696; rev:3; metadata:created_at 2011_04_21, updated_at 2011_04_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid"; flow:established,to_server; content:"/settings.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003879; classtype:web-application-attack; sid:2003879; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV FakeAlertRena.n Checkin Response from Server"; flow:established,from_server; flowbits:isset,ET.fakealert.rena.n; content:"Content-Length|3a| 2|0d 0a|"; content:"|0d 0a 0d 0a|OK"; distance:0; classtype:command-and-control; sid:2013136; rev:6; metadata:created_at 2011_06_29, former_category MALWARE, updated_at 2011_06_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid"; flow:established,to_server; content:"/cat.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003880; classtype:web-application-attack; sid:2003880; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SecurityDefender exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"SecurityDefender"; nocase; within:24; content:".exe"; within:24; classtype:trojan-activity; sid:2013826; rev:3; metadata:created_at 2011_11_05, updated_at 2011_11_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config"; flow:established,to_server; content:"/includes/language.php?"; http_uri; nocase; content:"config="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003742; classtype:web-application-attack; sid:2003742; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Nurech Checkin UA"; flow:from_client,established; content:"User-Agent|3a| ipwf|0d 0a|"; http_header; classtype:command-and-control; sid:2014093; rev:3; metadata:created_at 2012_01_03, former_category MALWARE, updated_at 2012_01_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path"; flow:established,to_server; content:"/layout_admin_cfg.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003743; classtype:web-application-attack; sid:2003743; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Blackshades Payload Download Command"; flow:established,to_client; content:"x74|0C|64|0C|"; depth:7; content:"x49|0C|"; distance:64; classtype:trojan-activity; sid:2014101; rev:2; metadata:created_at 2012_01_05, updated_at 2012_01_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path"; flow:established,to_server; content:"/layout_cfg.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003744; classtype:web-application-attack; sid:2003744; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:command-and-control; sid:2014108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path"; flow:established,to_server; content:"/skins/phpchess/layout_t_top.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003745; classtype:web-application-attack; sid:2003745; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.UFRStealer.A issuing MKD command FTP"; flow:to_server,established; content:"MKD UFR_Stealer"; nocase; depth:15; reference:md5,a251ef38f048d695eae52626e57d617d; classtype:trojan-activity; sid:2014111; rev:6; metadata:created_at 2011_04_20, updated_at 2011_04_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEventMan remote file include"; flow:established,to_server; content:"/controller/"; http_uri; nocase; pcre:"/(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22358; reference:url,doc.emergingthreats.net/2003372; classtype:web-application-attack; sid:2003372; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET MALWARE Cythosia V2 DDoS WebPanel Hosted Locally"; flow:established,from_server; content:"|3C|title|3E|Cythosia|20|V2|20|Bot|20|Webpanel|20 2D 20|Login|3C 2F|title|3E|"; nocase; reference:url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/; classtype:successful-admin; sid:2014118; rev:2; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include"; flow:established,to_server; content:"/block.php?"; http_uri; nocase; content:"Include="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2665; reference:url,www.milw0rm.com/exploits/3906; reference:url,doc.emergingthreats.net/2003740; classtype:web-application-attack; sid:2003740; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 5"; flow:established,to_server; content:"|7A 7A 7A 7A 72 71 71 71 71 73 73 73 73 7D 7D 7D 7D|"; offset:5; depth:17; classtype:trojan-activity; sid:2013526; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/CoupleDB.php?"; http_uri; nocase; content:"DataDirectory="; http_uri; nocase; pcre:"/DataDirectory=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9155; reference:url,packetstormsecurity.org/0907-exploits/phpgenealogy-rfi.txt; reference:url,doc.emergingthreats.net/2010095; classtype:web-application-attack; sid:2010095; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 6"; flow:established,to_server; content:"|B5 B5 B5 B5 BD BE BE BE BE BC BC BC BC B2 B2 B2 B2|"; offset:5; depth:17; classtype:trojan-activity; sid:2013527; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003805; classtype:web-application-attack; sid:2003805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 7"; flow:established,to_server; content:"|6F 6F 6F 6F 67 64 64 64 64 66 66 66 66 68 68 68 68|"; offset:5; depth:17; classtype:trojan-activity; sid:2013528; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UNION SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003806; classtype:web-application-attack; sid:2003806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 8"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013529; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER INSERT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003807; classtype:web-application-attack; sid:2003807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 9"; flow:established,to_server; content:"|0F 0F 0F 0F 07 04 04 04 04 06 06 06 06 08 08 08 08|"; offset:5; depth:17; classtype:trojan-activity; sid:2013530; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER DELETE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003808; classtype:web-application-attack; sid:2003808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ASCII"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003809; classtype:web-application-attack; sid:2003809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 1"; flow:established,to_server; content:"|40 40 40 40 48 4B 4B 4B 4B 49 49 49 49 47 47 47 47|"; offset:5; depth:17; classtype:trojan-activity; sid:2013522; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003810; classtype:web-application-attack; sid:2003810; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 2"; flow:established,to_server; content:"|0B 0B 0B 0B 03 00 00 00 00 02 02 02 02 0C 0C 0C 0C|"; offset:5; depth:17; classtype:trojan-activity; sid:2013523; rev:4; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003811; classtype:web-application-attack; sid:2003811; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 3"; flow:established,to_server; content:"|AC AC AC AC A4 A7 A7 A7 A7 A5 A5 A5 A5 AB AB AB AB|"; offset:5; depth:17; classtype:trojan-activity; sid:2013524; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UNION SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003812; classtype:web-application-attack; sid:2003812; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyeye Data Exfiltration 4"; flow:established,to_server; content:"|DD DD DD DD D5 D6 D6 D6 D6 D4 D4 D4 D4 DA DA DA DA|"; offset:5; depth:17; classtype:trojan-activity; sid:2013525; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS INSERT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003813; classtype:web-application-attack; sid:2003813; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:command-and-control; sid:2014145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_24, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS DELETE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003814; classtype:web-application-attack; sid:2003814; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1; metadata:created_at 2012_01_24, updated_at 2012_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ASCII"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003815; classtype:web-application-attack; sid:2003815; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003816; classtype:web-application-attack; sid:2003816; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"&ver="; http_client_body; content:"&MAX_EXECUTE_TIME="; http_client_body; fast_pattern; content:"&RELOAD_JOBS="; http_client_body; content:"&BROWSER_DELAY="; http_client_body; content:"&CONTROL_PAGE"; http_client_body; content:"&lastlogcount"; http_client_body; content:"&min_captchasize"; http_client_body; content:"&botid"; http_client_body; content:"&REG_NAME"; http_client_body; content:"&botlogin="; http_client_body; reference:url,doc.emergingthreats.net/2009830; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FWombot.A; classtype:command-and-control; sid:2009830; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib"; flow:established,to_server; content:"/examples/widget8.php?"; http_uri; nocase; content:"phphtmllib="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2614; reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded; reference:url,doc.emergingthreats.net/2003730; classtype:web-application-attack; sid:2003730; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity"; flow:established,to_server; content:".php?param="; http_uri; content:"&socks="; http_uri; content:"User-Agent|3a| Windows Updater"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002775; classtype:trojan-activity; sid:2002775; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local"; flow:established,to_server; content:"/ftp.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003731; classtype:web-application-attack; sid:2003731; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VB.aie Reporting User Activity"; flow:established,to_server; content:"php?iso="; nocase; http_uri; content:"&country="; nocase; http_uri; content:"&proxy="; nocase; http_uri; content:"&tel="; nocase; http_uri; content:"&ftp="; nocase; http_uri; content:"&socks="; nocase; http_uri; content:"&remote="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002857; classtype:trojan-activity; sid:2002857; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local"; flow:established,to_server; content:"/libs/db.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003732; classtype:web-application-attack; sid:2003732; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Checkin to CnC"; flow:to_server,established; content:"user_id="; depth:8; http_client_body; content:"&version_id="; http_client_body; content:"&socks="; fast_pattern; http_client_body; content:"&build="; http_client_body; classtype:command-and-control; sid:2014152; rev:3; metadata:created_at 2012_01_27, former_category MALWARE, updated_at 2012_01_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local"; flow:established,to_server; content:"/libs/ftp.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003733; classtype:web-application-attack; sid:2003733; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing Update Details"; flow:established,to_client; content:"[UPDATE]|0D 0A|VER ="; content:"URL ="; distance:0; content:"[PATTERN]|0D 0A|VER ="; distance:0; content:"URL ="; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014166; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/_conf/core/common-tpl-vars.php?"; http_uri; nocase; content:"confdir="; http_uri; nocase; pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008962; classtype:web-application-attack; sid:2008962; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Mentory CnC Server Providing File Info Details"; flow:established,to_client; content:"[DBINFO]|0D 0A|Info ="; content:"Version ="; distance:0; content:"[TotalCount]|0D 0A|Count ="; distance:0; content:"[GaruYac"; distance:0; reference:md5,6724bb601611dcc0140960c59c7b3393; classtype:command-and-control; sid:2014167; rev:2; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2012_01_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPOutsourcing Zorum prod.php Remote Command Execution Attempt"; flow:to_server,established; content:"/prod.php?"; http_uri; nocase; pcre:"/(argv[1]=\|.+)/"; reference:bugtraq,14601; reference:url,doc.emergingthreats.net/2002314; classtype:web-application-attack; sid:2002314; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:md5,4b8adc7612e984d12b77f197c59827a2; classtype:command-and-control; sid:2012882; rev:4; metadata:created_at 2011_05_27, former_category MALWARE, updated_at 2011_05_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH"; flow:established,to_server; content:"/include/logout.php?"; http_uri; nocase; content:"PSA_PATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2628; reference:url,www.securityfocus.com/bid/23801; reference:url,doc.emergingthreats.net/2003735; classtype:web-application-attack; sid:2003735; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato/Cleaman Checkin"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:command-and-control; sid:2014200; rev:4; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2012_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPStore Yahoo Answers id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"cmd=4"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32717/; reference:url,milw0rm.com/exploits/7131; reference:url,doc.emergingthreats.net/2008874; classtype:web-application-attack; sid:2008874; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TLD4 Purple Haze Variant Initial CnC Request for Ad Servers"; flow:established,to_server; content:"trf?q="; http_uri; content:"&edv="; http_uri; content:"&o="; http_uri; content:"&kp="; http_uri; content:"&tk="; http_uri; content:"&fk="; http_uri; content:"&ks="; http_uri; reference:url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html; classtype:command-and-control; sid:2014208; rev:2; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2012_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt"; flow: to_server,established; content:"/modules.php?"; http_uri; content:"name="; http_uri; content:"SCRIPT"; http_uri; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,doc.emergingthreats.net/2001218; classtype:web-application-attack; sid:2001218; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Sykipot SSL Certificate subject emailAddress detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014210; rev:1; metadata:attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt"; flow:established,to_server; content:"/iframe.php"; http_uri; nocase; content:"file="; http_uri; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.zone-h.org/en/advisories/read/id=8694/; reference:url,doc.emergingthreats.net/2002800; classtype:web-application-attack; sid:2002800; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Sykipot SSL Certificate serial number detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014209; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt"; flow:established,to_server; content:"/send_reminders.php"; http_uri; nocase; pcre:"/includedir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14651; reference:cve,2005-2717; reference:url,doc.emergingthreats.net/2002898; classtype:web-application-attack; sid:2002898; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Delf/Troxen/Zema controller responding to client"; flow:established,to_client; content:"|0d 0a 0d 0a|wait.<os>"; classtype:trojan-activity; sid:2014216; rev:2; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir"; flow:established,to_server; content:"/plugin/HP_DEV/cms2.php?"; http_uri; nocase; content:"s_dir="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2573; reference:url,www.milw0rm.com/exploits/3860; reference:url,doc.emergingthreats.net/2003693; classtype:web-application-attack; sid:2003693; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Delf/Troxen/Zema controller delivering clickfraud instructions"; flow:established,to_client; content:"|0d 0a 0d 0a|<md5>"; content:"</md5><url>"; distance:16; within:11; classtype:trojan-activity; sid:2014217; rev:3; metadata:created_at 2012_02_07, updated_at 2012_02_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PmWiki Globals Variables Overwrite Attempt"; flow:to_server,established; content:"/pmwiki.php"; http_uri; nocase; content:"GLOBALS[FarmD]="; nocase; pcre:"/GLOBALS\x5bFarmD\x5d\x3d/i"; reference:cve,CVE-2006-0479; reference:bugtraq,16421; reference:nessus,20891; reference:url,doc.emergingthreats.net/2002837; classtype:web-application-attack; sid:2002837; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BB Trojan Communication Protocol detected"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; depth:4; content:"|01 04 01 00 00|"; distance:8; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014227; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004606; classtype:web-application-attack; sid:2004606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE QDIGIT Trojan Protocol detected"; flow:to_server,established; content:"|51 31 39 21 00|"; depth:5; dsize:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014222; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004607; classtype:web-application-attack; sid:2004607; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014247; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004608; classtype:web-application-attack; sid:2004608; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin 5"; flow:established,to_server; content:"?subid="; http_uri; content:"&u="; distance:0; http_uri; pcre:"/\?subid=\d{9}&u=[\w\.\-]{23}$/Ui"; classtype:command-and-control; sid:2014248; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004609; classtype:web-application-attack; sid:2004609; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pasta.IK Checkin"; flow:established,to_server; content:"/data/index.asp?act="; http_uri; content:"&ver=Ver"; http_uri; content:"&a="; http_uri; reference:md5,1a13d56365e864aba54967d4745ab660; classtype:command-and-control; sid:2014263; rev:2; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004610; classtype:web-application-attack; sid:2004610; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IP2B Trojan Communication Protocol detected"; flow:established,to_server; content:"|78 56 34 12 00 10 00 10|"; depth:8; content:"|00 18 09 07 20|"; distance:4; within:5; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014226; rev:2; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004611; classtype:web-application-attack; sid:2004611; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"order="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2962; reference:url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded; reference:url,doc.emergingthreats.net/2004582; classtype:web-application-attack; sid:2004582; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RShot Checkin"; flow:established,to_server; content:"connected#"; depth:10; content:"#Windows "; content:"##"; distance:0; dsize:<120; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:command-and-control; sid:2014268; rev:1; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System"; flow:established,to_server; content:"/blocks/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003660; classtype:web-application-attack; sid:2003660; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:command-and-control; sid:2014300; rev:1; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2012_03_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System"; flow:established,to_server; content:"/files/blocks/latest_files.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003661; classtype:web-application-attack; sid:2003661; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; content:"|3B 20|Ini download file modue"; nocase; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System"; flow:established,to_server; content:"/forums/blocks/latest_posts.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003662; classtype:web-application-attack; sid:2003662; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; content:"|0d 0a 0d 0a|<xml>"; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:2; metadata:created_at 2012_03_06, updated_at 2012_03_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System"; flow:established,to_server; content:"/groups/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003663; classtype:web-application-attack; sid:2003663; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System"; flow:established,to_server; content:"/filters/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003664; classtype:web-application-attack; sid:2003664; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.Riern.K Checkin Off Port"; flow:established,from_client; content:"|01|new_host_"; depth:10; fast_pattern; content:"|ff ff ff ff ff 00 00 00 00 00 00 00 00|"; distance:0; classtype:command-and-control; sid:2014358; rev:2; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System"; flow:established,to_server; content:"/links/blocks/links.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003665; classtype:web-application-attack; sid:2003665; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy Checkin"; flow:established,to_server; content:"/guidcheck.php?q="; http_uri; content:"&g="; http_uri; content:"&n="; http_uri; content:"&h="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; reference:md5,bb129d433271951abb0e5262060a4583; classtype:command-and-control; sid:2014357; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System"; flow:established,to_server; content:"/menu/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003666; classtype:web-application-attack; sid:2003666; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot-Spyware Access"; flow:established,to_server; content:"/synctl/"; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2002963; classtype:trojan-activity; sid:2002963; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System"; flow:established,to_server; content:"/news/blocks/latest_news.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003667; classtype:web-application-attack; sid:2003667; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System"; flow:established,to_server; content:"/settings/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003668; classtype:web-application-attack; sid:2003668; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download ws.exe"; flow:established,to_server; content:"GET"; http_method; content:"/install/ws.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010051; classtype:trojan-activity; sid:2010051; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System"; flow:established,to_server; content:"/modules/users/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003681; classtype:web-application-attack; sid:2003681; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:command-and-control; sid:2014364; rev:2; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2012_03_13;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004089; classtype:web-application-attack; sid:2004089; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:command-and-control; sid:2006404; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004090; classtype:web-application-attack; sid:2004090; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Antivirus_21.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/Antivirus_"; http_uri; content:".exe"; http_uri; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/2010050; classtype:trojan-activity; sid:2010050; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004091; classtype:web-application-attack; sid:2004091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (codec.exe)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/codec.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010054; classtype:trojan-activity; sid:2010054; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004092; classtype:web-application-attack; sid:2004092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download AntivirusPlus.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/AntivirusPlus"; http_uri; content:".exe"; http_uri; reference:url,doc.emergingthreats.net/2010062; classtype:trojan-activity; sid:2010062; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004093; classtype:web-application-attack; sid:2004093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer."; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; classtype:trojan-activity; sid:2010452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004094; classtype:web-application-attack; sid:2004094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/installer_"; nocase; http_uri; content:".exe"; nocase; http_uri; pcre:"/\/installer_\d+\.exe/Ui"; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; classtype:trojan-activity; sid:2010453; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/basicfogfactory.class.php?"; http_uri; nocase; content:"PATH_TO_CODE="; http_uri; nocase; pcre:"/PATH_TO_CODE=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28588; reference:url,milw0rm.com/exploits/5348; reference:url,doc.emergingthreats.net/2009415; classtype:web-application-attack; sid:2009415; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET"; nocase; http_method; content:"download/install.php"; http_uri; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; classtype:trojan-activity; sid:2010465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/init.php?"; http_uri; nocase; content:"includepath="; http_uri; nocase; pcre:"/includepath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32335; reference:url,milw0rm.com/exploits/7143; reference:url,doc.emergingthreats.net/2008871; classtype:web-application-attack; sid:2008871; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download Setup_2012.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/Setup_"; nocase; http_uri; content:".exe"; nocase; pcre:"/Setup_20\d+\x2Eexe/Ui"; reference:url,doc.emergingthreats.net/xxxxxxx; classtype:trojan-activity; sid:2010684; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/action/rss.php?"; http_uri; nocase; content:"lib="; http_uri; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32465; reference:url,milw0rm.com/exploits/7225; reference:url,doc.emergingthreats.net/2008899; classtype:web-application-attack; sid:2008899; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware Download Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/GR_OLD_CR.EXE"; nocase; http_uri; reference:url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html; reference:url,doc.emergingthreats.net/2011148; classtype:trojan-activity; sid:2011148; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piranha default passwd attempt"; flow:to_server,established; content:"/piranha/secure/control.php3"; http_uri; content:"Authorization\: Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; reference:url,doc.emergingthreats.net/2002331; classtype:attempted-recon; sid:2002331; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Downloader Possible AV KILLER"; flow:established,to_server; content:"GET"; nocase; http_method; content:"SoftName="; http_uri; nocase; content:"SoftVersion="; http_uri; nocase; content:"UserIP="; http_uri; nocase; content:"Mac="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009487; classtype:trojan-activity; sid:2009487; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt"; flow:to_server,established; content:"/prepend.php"; http_uri; nocase; content:"_px_config[manager_path]="; nocase; pcre:"/_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-0725; reference:bugtraq,16662; reference:nessus,20972; reference:url,doc.emergingthreats.net/2002815; classtype:web-application-attack; sid:2002815; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVKiller with Backdoor checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"id="; http_client_body; nocase; content:"&ip_int="; http_client_body; nocase; content:"&os="; http_client_body; nocase; content:"&av="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009812; classtype:command-and-control; sid:2009812; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id"; flow:established,to_server; content:"/Default.aspx?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2555; reference:url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded; reference:url,doc.emergingthreats.net/2003914; classtype:web-application-attack; sid:2003914; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; content:"/?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; http_uri; content:"&a="; http_uri; content:"&l="; http_uri; content:"&addt"; reference:url,doc.emergingthreats.net/2008502; classtype:command-and-control; sid:2008502; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/cms/modules/form.lib.php?"; http_uri; nocase; content:"sourceFolder="; http_uri; nocase; pcre:"/sourceFolder=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,30235; reference:url,juniper.net/security/auto/vulnerabilities/vuln30235.html; reference:url,milw0rm.com/exploits/6078; reference:url,doc.emergingthreats.net/2009898; classtype:web-application-attack; sid:2009898; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; content:"?type=scanner&pin="; http_uri; content:"&lnd="; http_uri; reference:url,doc.emergingthreats.net/2008511; classtype:trojan-activity; sid:2008511; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS select_image.php dir Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; content:"/imagelibrary/select_image.php?"; http_uri; nocase; content:"dir="; http_uri; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009736; classtype:web-application-attack; sid:2009736; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/get_r.php?fid="; http_uri; content:"&mac="; http_uri; within:15; content:"&version="; http_uri; distance:0; content:"&uuid="; http_uri; distance:0; reference:url,doc.emergingthreats.net/2008755; classtype:trojan-activity; sid:2008755; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS admin_theme_remove.php file Parameter Remote Directory Delete"; flow:to_server,established; content:"GET "; depth:4; content:"/admin_includes/admin_theme_remove.php?"; http_uri; nocase; content:"file="; http_uri; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009737; classtype:web-application-attack; sid:2009737; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; depth:55; http_header; content:"Content-Length|3a20|"; http_header; content:"VISITED_URL"; depth:100; http_client_body; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; classtype:trojan-activity; sid:2003937; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php"; flow:established,to_server; content:"/awards.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004587; classtype:web-application-attack; sid:2004587; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"TIPO=CLIENTE&NOME="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2007901; classtype:command-and-control; sid:2007901; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php"; flow:established,to_server; content:"/login.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004588; classtype:web-application-attack; sid:2004588; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.ili HTTP Checkin"; flow:established,to_server; content:"/ctrl/cnt_boot.php?pgv="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007940; classtype:command-and-control; sid:2007940; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php"; flow:established,to_server; content:"/register.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004589; classtype:web-application-attack; sid:2004589; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin"; flow:established,to_server; content:".php?PC="; http_uri; content:"&Data="; http_uri; content:"&Mac="; http_uri; reference:url,doc.emergingthreats.net/2007984; classtype:command-and-control; sid:2007984; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php"; flow:established,to_server; content:"/weapons.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004590; classtype:web-application-attack; sid:2004590; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; content:"/envio.php?"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"tipo="; http_client_body; reference:url,doc.emergingthreats.net/2008267; classtype:command-and-control; sid:2008267; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/server_request.php?"; http_uri; nocase; content:"CONFIG[gameroot]="; http_uri; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009502; classtype:web-application-attack; sid:2009502; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"appdata="; http_uri; nocase; content:"hd="; nocase; http_uri; content:"mac="; nocase; http_uri; content:"computador="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008519; classtype:command-and-control; sid:2008519; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/qlib/smarty.inc.php?"; http_uri; nocase; content:"CONFIG[gameroot]="; http_uri; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009504; classtype:web-application-attack; sid:2009504; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"|0d 0a 0d 0a|[Controlinfo]"; nocase; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; reference:url,doc.emergingthreats.net/2009090; classtype:trojan-activity; sid:2009090; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/qte_web.php?"; http_uri; nocase; content:"qte_web_path="; http_uri; nocase; pcre:"/qte_web_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009723; classtype:web-application-attack; sid:2009723; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD"; http_method; nocase; content:".php?action="; http_uri; nocase; content:"&uid="; nocase; http_uri; content:"&locale="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&build="; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; classtype:trojan-activity; sid:2009750; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d"; flow:established,to_server; content:"cp/ps/Main/login/Login"; http_uri; nocase; content:"d="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2802; reference:url,www.secunia.com/advisories/25326; reference:url,doc.emergingthreats.net/2004571; classtype:web-application-attack; sid:2004571; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch Module Download Request"; flow:established,to_server; content:"/dl/AcroIEHelpe"; nocase; http_uri; content:".dll"; http_uri; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; classtype:trojan-activity; sid:2009409; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/display.php?"; http_uri; nocase; content:"path="; http_uri; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,29873; reference:url,milw0rm.com/exploits/5900; reference:url,doc.emergingthreats.net/2009788; classtype:web-application-attack; sid:2009788; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected"; flow:established,to_server; content:"php?mac="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"++++++++"; nocase; content:"&ver="; nocase; http_uri; content:"&ie="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007864; classtype:command-and-control; sid:2007864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/define.php?"; http_uri; nocase; content:"INC_DIR="; http_uri; nocase; pcre:"/INC_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33227; reference:url,milw0rm.com/exploits/7743; reference:url,doc.emergingthreats.net/2009101; classtype:web-application-attack; sid:2009101; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; content:".php"; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"quem="; depth:5; http_client_body; content:"praquem="; http_client_body; fast_pattern; offset:5; nocase; reference:url,doc.emergingthreats.net/2008283; classtype:command-and-control; sid:2008283; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/add_tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009059; classtype:web-application-attack; sid:2009059; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_uri; content:"sys="; http_uri; content:"yp="; http_uri; content:"rand="; http_uri; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; reference:url,doc.emergingthreats.net/2009453; classtype:command-and-control; sid:2009453; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/edit_tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009060; classtype:web-application-attack; sid:2009060; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"c=voip&ord="; nocase; http_uri; content:"=&SCRNSZ"; http_uri; content:"&BRSRSZ="; http_uri; content:"&TIMEZONE="; http_uri; reference:url,doc.emergingthreats.net/2010266; classtype:command-and-control; sid:2010266; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009062; classtype:web-application-attack; sid:2009062; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?type=slg&id="; http_uri; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; classtype:trojan-activity; sid:2009351; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/competitions/add.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009466; classtype:web-application-attack; sid:2009466; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; reference:url,doc.emergingthreats.net/2010790; classtype:trojan-activity; sid:2010790; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/competitions/competitions.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009467; classtype:web-application-attack; sid:2009467; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; content:"action="; nocase; http_uri; content:"&guid="; nocase; http_uri; content:"&rnd="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&entity="; http_uri; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; classtype:trojan-activity; sid:2009354; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/settings/settings.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009468; classtype:web-application-attack; sid:2009468; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Check In"; flow:established,to_server; content:"GET"; nocase; http_method; content:"v="; http_uri; content:"&s="; http_uri; content:"&uid="; http_uri; content:"&p="; http_uri; content:"&q="; content:"User-Agent|3a 0d 0a|"; http_header; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; classtype:trojan-activity; sid:2009360; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s"; flow:established,to_server; content:"/wp-content/themes/redoable/searchloop.php?"; http_uri; nocase; content:"s="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003872; classtype:web-application-attack; sid:2003872; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; content:"ver="; nocase; http_uri; content:"&lg="; nocase; http_uri; content:"&phid="; nocase; http_uri; content:"&r="; http_uri; pcre:"/phid=[A-F0-9]{64}/Ui"; reference:url,doc.emergingthreats.net/2009349; classtype:trojan-activity; sid:2009349; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s"; flow:established,to_server; content:"/wp-content/themes/redoable/header.php?"; http_uri; nocase; content:"s="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003873; classtype:web-application-attack; sid:2003873; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?version="; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&fid="; nocase; http_uri; content:"&vpc="; nocase; http_uri; content:"&run="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008623; classtype:command-and-control; sid:2008623; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv SELECT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003829; classtype:web-application-attack; sid:2003829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cinmus.Checkin 2"; flow:to_server,established; content:"GET"; http_method; nocase; content:"?fid="; nocase; http_uri; content:"&kid="; nocase; http_uri; content:"&cnt="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&kw="; nocase; http_uri; content:"&from="; http_uri; reference:url,doc.emergingthreats.net/2008624; classtype:command-and-control; sid:2008624; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UNION SELECT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003830; classtype:web-application-attack; sid:2003830; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; content:".php?hid=NT"; nocase; http_uri; content:"&wp="; nocase; http_uri; content:"&sp="; nocase; http_uri; content:"&eep="; nocase; http_uri; content:"&edp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008153; classtype:command-and-control; sid:2008153; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv INSERT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003831; classtype:web-application-attack; sid:2003831; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; classtype:trojan-activity; sid:2008739; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv DELETE"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003832; classtype:web-application-attack; sid:2003832; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/a?"; nocase; http_uri; content:"wg="; http_client_body; nocase; content:"&cn="; http_client_body; nocase; content:"&i="; http_client_body; nocase; content:"&panic="; http_client_body; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; reference:url,doc.emergingthreats.net/2008353; classtype:command-and-control; sid:2008353; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv ASCII"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003833; classtype:web-application-attack; sid:2003833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Corpes.j Infection Report"; flow:established,to_server; content:".php?tma="; http_uri; content:"&mode="; http_uri; pcre:"/mode=\d+D[0-9A-F]{150}/U"; reference:url,doc.emergingthreats.net/2008144; classtype:trojan-activity; sid:2008144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003834; classtype:web-application-attack; sid:2003834; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cosmu Process Dump Report"; flow:established,to_server; content:"] Dumping processes {|0d 0a|"; reference:url,doc.emergingthreats.net/2011234; classtype:trojan-activity; sid:2011234; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure"; flow:established,to_server; content:"GET "; depth:4; content:"/download.php?"; http_uri; nocase; content:"filename="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,securityfocus.com/bid/32968; reference:url,milw0rm.com/exploits/7542; reference:url,doc.emergingthreats.net/2009018; classtype:web-application-attack; sid:2009018; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| BIE|0d 0a|"; http_header; content:"cname="; http_client_body; reference:url,doc.emergingthreats.net/2009204; classtype:command-and-control; sid:2009204; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004660; classtype:web-application-attack; sid:2004660; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"x="; http_client_body; content:!"User-Agent|3a| "; http_header; pcre:"/^x=[0-9a-zA-Z]{50}/P"; reference:url,doc.emergingthreats.net/2008263; classtype:command-and-control; sid:2008263; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004661; classtype:web-application-attack; sid:2004661; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length|3a| "; depth:50; content:"|0d 0a 0d 0a|"; within:10; reference:url,doc.emergingthreats.net/2008940; classtype:command-and-control; sid:2008940; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004662; classtype:web-application-attack; sid:2004662; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daonol C&C Communication"; flow:established,to_server; content:"/x/?0"; http_uri; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; classtype:command-and-control; sid:2010164; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004663; classtype:web-application-attack; sid:2004663; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf HTTP Checkin (1)"; flow:established,to_server; content:"/mydown.asp?"; nocase; http_uri; content:"reg="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tgid="; nocase; http_uri; content:"&address="; nocase; http_uri; content:"&mydo="; nocase; http_uri; content:"&flag="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007838; classtype:command-and-control; sid:2007838; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004664; classtype:web-application-attack; sid:2004664; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Download via HTTP"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/mdfexcute/"; http_uri; content:"Windows 98)"; http_header; reference:url,doc.emergingthreats.net/2007911; classtype:trojan-activity; sid:2007911; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004665; classtype:web-application-attack; sid:2004665; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (up)"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&MAC="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007939; classtype:command-and-control; sid:2007939; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost"; flow:established,to_server; content:"/contact/index.php?"; http_uri; nocase; content:"ripeformpost="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2206; reference:url,www.securityfocus.com/bid/23597; reference:url,doc.emergingthreats.net/2003871; classtype:web-application-attack; sid:2003871; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (6)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?v="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&=w"; http_uri; nocase; reference:url,doc.emergingthreats.net/2008071; classtype:command-and-control; sid:2008071; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries SELECT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003817; classtype:web-application-attack; sid:2003817; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?macros="; nocase; http_uri; content:"&botstatus="; http_uri; nocase; reference:url,doc.emergingthreats.net/2008090; classtype:command-and-control; sid:2008090; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UNION SELECT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003818; classtype:web-application-attack; sid:2003818; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; classtype:trojan-activity; sid:2009824; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries INSERT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003819; classtype:web-application-attack; sid:2003819; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer"; flow: established,to_server; content:"/getnumtemp.asp?nip=0"; http_uri; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; reference:url,doc.emergingthreats.net/2003083; classtype:trojan-activity; sid:2003083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries DELETE"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003820; classtype:web-application-attack; sid:2003820; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dialer.buv Sending Information Home"; flow:established,to_server; content:"/exit.php?if="; http_uri; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; reference:url,doc.emergingthreats.net/2008430; classtype:trojan-activity; sid:2008430; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries ASCII"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003821; classtype:web-application-attack; sid:2003821; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; content:"login="; nocase; http_uri; content:"&brokerid="; nocase; http_uri; content:"&extlogin="; nocase; http_uri; content:"&autosize="; nocase; http_uri; content:"&icp="; nocase; http_uri; content:"&id_site="; nocase; http_uri; content:"&dl_tracker="; nocase; http_uri; content:"&connection_type="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008490; classtype:command-and-control; sid:2008490; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003822; classtype:web-application-attack; sid:2003822; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert http $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE dlink router access attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1.0|0d 0a 0d 0a|"; content:!"|0d 0a|Host|3a| "; reference:url,doc.emergingthreats.net/2008945; classtype:trojan-activity; sid:2008945; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003858; classtype:web-application-attack; sid:2003858; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Dluca HTTP Checkin"; flow:established,to_server; content:"?id={"; nocase; http_uri; content:"&srv="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&docid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&cstate="; nocase; http_uri; content:"&state="; nocase; http_uri; content:"&flash="; nocase; http_uri; content:"&pin="; nocase; http_uri; content:"&OSInfo2="; nocase; content:"&cinfo="; nocase; http_uri; content:"&smd="; nocase; http_uri; content:"&rts="; nocase; http_uri; content:"&retryattempt="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007595; classtype:command-and-control; sid:2007595; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003859; classtype:web-application-attack; sid:2003859; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent|3a| linkrunner"; nocase; http_header; reference:url,doc.emergingthreats.net/2003648; classtype:trojan-activity; sid:2003648; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003860; classtype:web-application-attack; sid:2003860; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bwr CnC Beacon"; flow:established,to_server; content:"?m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&hdd="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006377; classtype:command-and-control; sid:2006377; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003861; classtype:web-application-attack; sid:2003861; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"wall_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006400; classtype:trojan-activity; sid:2006400; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003862; classtype:web-application-attack; sid:2003862; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"aff_id="; nocase; http_uri; content:"lunch_id="; nocase; http_uri; content:"&maddr=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/2006401; classtype:trojan-activity; sid:2006401; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003863; classtype:web-application-attack; sid:2003863; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Downloader or Virut C&C Ack"; flow:established,to_server; content:"uid="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&actionname="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&success="; nocase; http_uri; content:"&debug="; nocase; http_uri; content:"&nocache="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007587; classtype:command-and-control; sid:2007587; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_css="; http_uri; nocase; pcre:"/_page_css=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009653; classtype:web-application-attack; sid:2009653; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Checkin"; flow:established,to_server; content:"/boot.php/boot.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007952; classtype:command-and-control; sid:2007952; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_javascript="; http_uri; nocase; pcre:"/_page_javascript=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009654; classtype:web-application-attack; sid:2009654; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Install Report"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007953; classtype:trojan-activity; sid:2007953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_content="; http_uri; nocase; pcre:"/_page_content=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009656; classtype:web-application-attack; sid:2009656; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.49651 Online Report"; flow:established,to_server; content:"/up.html?"; nocase; http_uri; content:"set="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007954; classtype:trojan-activity; sid:2007954; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004116; classtype:web-application-attack; sid:2004116; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cygo Checkin"; flow:established,to_server; content:"/count.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"partner="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007955; classtype:command-and-control; sid:2007955; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004117; classtype:web-application-attack; sid:2004117; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; content:"/down"; http_uri; content:"/down/?"; http_uri; content:"s="; http_uri; content:"&t="; http_uri; content:"&v="; http_uri; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; reference:url,doc.emergingthreats.net/2008087; classtype:command-and-control; sid:2008087; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004118; classtype:web-application-attack; sid:2004118; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper User-Agent (XXXwww)"; flow:established,to_server; content:"User-Agent|3a| XXXwww"; http_header; classtype:trojan-activity; sid:2014387; rev:1; metadata:created_at 2012_03_16, updated_at 2012_03_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004119; classtype:web-application-attack; sid:2004119; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.cah Checkin Request"; flow:established,to_server; content:"?v="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&r1="; nocase; http_uri; content:"&tm=201"; nocase; http_uri; content:"&av="; nocase; http_uri; content:"&os=Windows"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"cht="; http_uri; reference:url,doc.emergingthreats.net/2007644; classtype:command-and-control; sid:2007644; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004120; classtype:web-application-attack; sid:2004120; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name "; distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor|3a|"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; sid:2007987; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004121; classtype:web-application-attack; sid:2004121; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper mdodo.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Mdodo"; http_header; reference:url,doc.emergingthreats.net/2008195; classtype:trojan-activity; sid:2008195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form"; flow:established,to_server; content:"/sendcard.php?"; http_uri; nocase; content:"form="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2472; reference:url,www.secunia.com/advisories/25085; reference:url,doc.emergingthreats.net/2003922; classtype:web-application-attack; sid:2003922; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| 6dzone|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008196; classtype:trojan-activity; sid:2008196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/SezHooTabsAndActions.php?"; http_uri; nocase; content:"IP="; http_uri; nocase; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31756; reference:url,www.milw0rm.com/exploits/6751; reference:url,doc.emergingthreats.net/2009123; classtype:web-application-attack; sid:2009123; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Duntek establishing remote connection"; flow:established,to_server; content:"rfe.php?"; nocase; http_uri; content:"cmp=dun_tekfirst"; nocase; http_uri; content:"guid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; reference:url,doc.emergingthreats.net/2003537; classtype:trojan-activity; sid:2003537; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr SELECT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003852; classtype:web-application-attack; sid:2003852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007686; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UNION SELECT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003853; classtype:web-application-attack; sid:2003853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Attacker|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:denial-of-service; sid:2007687; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr INSERT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003854; classtype:web-application-attack; sid:2003854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Egspy Install Report via HTTP"; flow:established,to_server; content:"/control.php?pcad="; nocase; http_uri; content:"&tarih="; nocase; http_uri; content:"&saat="; nocase; http_uri; content:"&veri="; http_uri; reference:url,doc.emergingthreats.net/2008136; classtype:trojan-activity; sid:2008136; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr DELETE"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003855; classtype:web-application-attack; sid:2003855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity"; flow:established,to_server; content:"?spl="; http_uri; content:"&br="; http_uri; content:"&vers="; http_uri; content:"&s="; http_uri; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2010248; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr ASCII"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003856; classtype:web-application-attack; sid:2003856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eleonore Exploit Pack activity variant May 2010"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\?spl=MS[0-9]{2}-[0-9]{3}$/U"; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; classtype:trojan-activity; sid:2011128; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003857; classtype:web-application-attack; sid:2003857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FSG Packed Binary via HTTP Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; classtype:trojan-activity; sid:2002773; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gallery="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2679; reference:url,www.securityfocus.com/bid/23534; reference:url,doc.emergingthreats.net/2003746; classtype:web-application-attack; sid:2003746; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; content:"?campaign="; http_uri; content:"&country="; http_uri; content:"&counter="; http_uri; content:"&campaign="; http_uri; content:"&landid="; http_uri; reference:url,doc.emergingthreats.net/2009209; classtype:trojan-activity; sid:2009209; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/slogin_lib.inc.php?"; http_uri; nocase; content:"slogin_path="; http_uri; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; reference:url,doc.emergingthreats.net/2008996; classtype:web-application-attack; sid:2008996; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV HTTP Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"mid="; content:"&wv="; content:"&r="; content:"&tp="; content:"&exe="; fast_pattern; content:"&ls="; content:"&uid="; reference:url,doc.emergingthreats.net/2009514; classtype:trojan-activity; sid:2009514; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005518; classtype:web-application-attack; sid:2005518; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV Encoded data= HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:"data=/CjEfcLas0KCj/"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009553; classtype:trojan-activity; sid:2009553; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005519; classtype:web-application-attack; sid:2005519; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005520; classtype:web-application-attack; sid:2005520; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; content:"|2F|installer|2F|Installer|2E|exe"; nocase; http_uri; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; classtype:trojan-activity; sid:2010221; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005521; classtype:web-application-attack; sid:2005521; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Flystud"; flow:to_server,established; content:"loading.html?fn="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&clientid="; nocase; http_uri; content:"channel="; nocase; http_uri; content:"&stn="; nocase; http_uri; reference:url,doc.emergingthreats.net/2011086; classtype:trojan-activity; sid:2011086; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005522; classtype:web-application-attack; sid:2005522; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (1)"; flow:established,to_server; content:"/config.php?ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&action="; nocase; http_uri; content:"&ras="; nocase; http_uri; content:"&verfull="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008397; classtype:command-and-control; sid:2008397; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005523; classtype:web-application-attack; sid:2005523; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Gamania Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"un="; http_client_body; content:"&pw="; http_client_body; content:"&sn="; http_client_body; content:"&l="; http_client_body; content:"&gd1="; http_client_body; content:"&pn="; http_client_body; reference:url,doc.emergingthreats.net/2008431; classtype:command-and-control; sid:2008431; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005524; classtype:web-application-attack; sid:2005524; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; content:"/Layouts/Landings/CentralLandings/"; nocase; http_uri; content:"/images/"; nocase; http_uri; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010450; classtype:trojan-activity; sid:2010450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005525; classtype:web-application-attack; sid:2005525; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| wget 3.0|0d 0a|"; nocase; http_header; content:"aid="; nocase; http_uri; content:"os="; nocase; http_uri; content:"uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009539; classtype:command-and-control; sid:2009539; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005527; classtype:web-application-attack; sid:2005527; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; content:"cike.php?fid="; nocase; http_uri; content: "&cid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&tid="; nocase; http_uri; content:"&sn="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; classtype:command-and-control; sid:2010138; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005528; classtype:web-application-attack; sid:2005528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; reference:url,doc.emergingthreats.net/2008521; classtype:trojan-activity; sid:2008521; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005529; classtype:web-application-attack; sid:2005529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Spambot HTTP Checkin"; flow:established,to_server; content:"os="; http_uri; content:"&user="; http_uri; content:"&status="; http_uri; content:"&uptime="; http_uri; content:"&cmd="; http_uri; reference:url,doc.emergingthreats.net/2008261; classtype:command-and-control; sid:2008261; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005530; classtype:web-application-attack; sid:2005530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unnamed Generic.Malware http get"; flow:established,to_server; content:"/ww20/script.php?id="; nocase; http_uri; content:"&config="; nocase; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2003431; classtype:trojan-activity; sid:2003431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005531; classtype:web-application-attack; sid:2005531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"Content-Type|3a| text/html"; http_header; content:"Content-type|3a| image/gif"; http_header; reference:url,doc.emergingthreats.net/2010282; classtype:command-and-control; sid:2010282; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005532; classtype:web-application-attack; sid:2005532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimmiv.A.dll Infection"; flow: to_server,established; content:"/test"; http_uri; content:".php"; http_uri; content:"?abc="; http_uri; content:"?def="; http_uri; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; reference:url,doc.emergingthreats.net/2008689; classtype:trojan-activity; sid:2008689; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005533; classtype:web-application-attack; sid:2005533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glacial Dracon C&C Communication"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&ve="; nocase; http_uri; content:"&h="; nocase; http_uri; content:"&c[]="; nocase; depth:5; http_client_body; content:"&t[]="; nocase; http_client_body; content:"&u[]="; nocase; http_client_body; content:"&d[]="; nocase; http_client_body; content:"&p[]="; nocase; http_client_body; reference:md5,fd3d061ee86987e8f3f245c2dc0ceb46; reference:md5,912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,doc.emergingthreats.net/2010163; classtype:command-and-control; sid:2010163; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http any any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Bobax trojan infection"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/reg|3f|u="; http_uri; content:"|26|v="; http_uri; reference:url,www.lurhq.com/bobax.html; reference:url,doc.emergingthreats.net/2001901; classtype:trojan-activity; sid:2001901; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005535; classtype:web-application-attack; sid:2005535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; classtype:command-and-control; sid:2008275; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005536; classtype:web-application-attack; sid:2005536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent|3a| SykO"; http_header; nocase; reference:url,doc.emergingthreats.net/2003649; classtype:trojan-activity; sid:2003649; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005537; classtype:web-application-attack; sid:2005537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent|3a| IE_7.0"; http_header; nocase; reference:url,doc.emergingthreats.net/2003932; classtype:trojan-activity; sid:2003932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005538; classtype:web-application-attack; sid:2005538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".asp?mac="; nocase; http_uri; content:"&xxx="; nocase; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; nocase; reference:url,doc.emergingthreats.net/2009811; classtype:trojan-activity; sid:2009811; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005539; classtype:web-application-attack; sid:2005539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Insidebar.co.kr Related Infection Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"e=inside&s="; http_client_body; content:"&ver="; http_client_body; content:"&p="; http_client_body; reference:url,doc.emergingthreats.net/2008760; classtype:command-and-control; sid:2008760; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005540; classtype:web-application-attack; sid:2005540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Klom.A Connecting to Controller"; flow:established,to_server; content:"/s_13_0?m="; nocase; http_uri; content:"r="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html; reference:url,doc.emergingthreats.net/2003538; classtype:trojan-activity; sid:2003538; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005541; classtype:web-application-attack; sid:2005541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|file|7c|http"; depth:250; nocase; content:"|7c|"; within:150; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010787; classtype:trojan-activity; sid:2010787; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/pcltar.lib.php?"; http_uri; nocase; content:"g_pcltar_lib_dir="; http_uri; pcre:"/g_pcltar_lib_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009180; classtype:web-application-attack; sid:2009180; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Koblu"; flow:established,to_server; content:"GET"; nocase; http_method; content:"sid="; nocase; http_uri; content:"&sa="; nocase; http_uri; content: "&p="; http_uri; content:"&q=cards&rf="; http_uri; content:"&enc="; http_uri; content:"&enk=&xsc=&xsp=&xsm="; http_uri; reference:url,doc.emergingthreats.net/2010230; classtype:trojan-activity; sid:2010230; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"part="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1903; reference:url,www.netvigilance.com/advisory0020; reference:url,doc.emergingthreats.net/2003881; classtype:web-application-attack; sid:2003881; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface fetch C&C command detected"; flow:established, to_server; content:".php"; nocase; http_uri; content:"f=0&a="; fast_pattern; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; content:"&c_tg="; content:"&c_nl="; content:"&c_fu="; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010153; classtype:command-and-control; sid:2010153; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004379; classtype:web-application-attack; sid:2004379; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Korklic.A"; flow:to_server,established; content:"GET"; nocase; http_method; content:"mode=boot&MyValue="; http_uri; content:"&code="; http_uri; pcre:"/MyValue=[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:[a-f0-9]{2}\:/Ui"; reference:url,doc.emergingthreats.net/2009003; classtype:trojan-activity; sid:2009003; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004380; classtype:web-application-attack; sid:2004380; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting Spam"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/sp/post.php"; nocase; http_uri; content:"data="; depth:400; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003190; classtype:trojan-activity; sid:2003190; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004381; classtype:web-application-attack; sid:2004381; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 1025:5000 (msg:"ET MALWARE Possible Web-based DDoS-command being issued"; flow: established,from_server; content: "Server|3a| nginx/0."; offset: 17; depth: 19; content: "Content-Type|3a| text/html"; content:"|3a|80|3b|255.255.255.255"; fast_pattern; reference:url,doc.emergingthreats.net/2003296; classtype:trojan-activity; sid:2003296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004382; classtype:web-application-attack; sid:2004382; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mcboo.com/Bundlext.com related Trojan Checkin URL"; flow:established,to_server; content:"/ack.php?version="; http_uri; content:"&uid="; http_uri; content:"&status="; http_uri; reference:url,doc.emergingthreats.net/2008758; classtype:command-and-control; sid:2008758; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004383; classtype:web-application-attack; sid:2004383; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MEREDROP/micr0s0fts.cn Related Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/update.asp"; http_uri; content:"ver="; http_client_body; depth:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http_client_body; reference:url,doc.emergingthreats.net/2008891; classtype:command-and-control; sid:2008891; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004384; classtype:web-application-attack; sid:2004384; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metajuan trojan checkin"; flow:established,to_server; content:"trafc-2/rfe"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99; reference:url,doc.emergingthreats.net/2007811; classtype:command-and-control; sid:2007811; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe"; flow:established,to_server; content:"/site_conf.php?"; http_uri; nocase; content:"ordnertiefe="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003705; classtype:web-application-attack; sid:2003705; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.MisleadApp Fake Security Product Install"; flow:established,to_server; content:"GET"; nocase; http_method; content:"hash?http"; nocase; http_uri; pcre:"/\/(ucleaner|udefender|ufixer)\.com\/demo\.php\?/Ui"; reference:url,doc.emergingthreats.net/2007566; classtype:trojan-activity; sid:2007566; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot"; flow:established,to_server; content:"/class.csv.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003706; classtype:web-application-attack; sid:2003706; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Monkif Downloader Checkin"; flow:to_server,established; content:"/cgi/"; http_uri; content:".php?"; nocase; http_uri; content:"x640<x"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C; reference:url,doc.emergingthreats.net/2009126; classtype:command-and-control; sid:2009126; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot"; flow:established,to_server; content:"/produkte_nach_serie.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003707; classtype:web-application-attack; sid:2003707; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nanspy Bot Checkin"; flow:established,to_server; content:"HEAD"; nocase; http_method; content:"/bbcount.php?action="; http_uri; content:"&uid="; http_uri; content:"&locale="; http_uri; content:"&build="; http_uri; reference:url,doc.emergingthreats.net/2010158; classtype:command-and-control; sid:2010158; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; content:"/functionen/ref_kd_rubrik.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003708; classtype:web-application-attack; sid:2003708; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Navipromo related update"; flow:established,to_client; content:"|0d 0a|Server|3a| lighttpd|0d 0a 0d 0a|<HTML><CFG>_SYSTEM_DIR_"; reference:url,doc.emergingthreats.net/2009694; classtype:trojan-activity; sid:2009694; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot"; flow:established,to_server; content:"/hg_referenz_jobgalerie.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003709; classtype:web-application-attack; sid:2003709; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nine Ball Infection ya.ru Post"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/gate/"; http_uri; content:".php"; http_uri; content:"|0d 0a 0d 0a|"; content:"ya.ru/"; distance:67; within:6; reference:url,www.martinsecurity.net/page/3; reference:url,doc.emergingthreats.net/2011186; classtype:trojan-activity; sid:2011186; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot"; flow:established,to_server; content:"/surfer_anmeldung_NWL.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003710; classtype:web-application-attack; sid:2003710; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoBo Downloader Dropper GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NoBo"; http_header; reference:url,www.spynomore.com/trojan-nobo-v1-3.htm; reference:url,doc.emergingthreats.net/2009443; classtype:trojan-activity; sid:2009443; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot"; flow:established,to_server; content:"/produkte_nach_serie_alle.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003711; classtype:web-application-attack; sid:2003711; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel trojan calling home"; flow:established,to_server; content:"/gate.php?hash="; http_uri; content:"/gate.php?hash="; content:" HTTP/1."; distance:8; within:16; reference:url,www.abuse.ch/?p=143; reference:url,doc.emergingthreats.net/2008405; classtype:trojan-activity; sid:2008405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot"; flow:established,to_server; content:"/surfer_aendern.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003712; classtype:web-application-attack; sid:2003712; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response with runurl"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]runurl|3a|"; content:"|7c|taskid|3a|"; within:100; content:"|7c|delay|3a|"; within:30; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010723; classtype:command-and-control; sid:2010723; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; content:"/ref_kd_rubrik.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003715; classtype:web-application-attack; sid:2003715; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]kill|3a|"; content:"|7c|delay|3a|"; within:50; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010724; classtype:command-and-control; sid:2010724; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot"; flow:established,to_server; content:"/module/referenz.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003713; classtype:web-application-attack; sid:2003713; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Oficla Russian Malware Bundle C&C instruction response (2)"; flow:established,to_client; content:"|0d 0a 0d 0a|[info]delay|3a|"; content:"|7c|upd|3a|"; within:20; content:"[/info]"; distance:0; reference:url,malwarelab.org/2009/11/russian-malware-bundle/; reference:url,doc.emergingthreats.net/2010744; classtype:command-and-control; sid:2010744; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot"; flow:established,to_server; content:"/standard/1/lay.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003714; classtype:web-application-attack; sid:2003714; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE onmuz.com Infection Activity"; flow:established,to_server; content:"pid=patchup_notpid_update^on"; http_uri; content:"/logonmuz"; http_uri; reference:url,doc.emergingthreats.net/2008973; classtype:trojan-activity; sid:2008973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot"; flow:established,to_server; content:"/standard/3/lay.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003867; classtype:web-application-attack; sid:2003867; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker Traffic Redirection"; flow:established,to_server; content:"/?do=rphp"; nocase; http_uri; content:"&sub="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&q="; nocase; http_uri; content:"&orig="; nocase; http_uri; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010224; classtype:trojan-activity; sid:2010224; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005567; classtype:web-application-attack; sid:2005567; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST v1"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?2="; http_uri; content:"&n="; http_uri; content:"&v="; http_uri; content:"&i="; http_uri; content:"&sp="; http_uri; content:"&lcp="; http_uri; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007688; classtype:trojan-activity; sid:2007688; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005568; classtype:web-application-attack; sid:2005568; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005569; classtype:web-application-attack; sid:2005569; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET MALWARE LD Pinch Checkin (HTTP POST on port 82)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; nocase; reference:url,doc.emergingthreats.net/2008366; classtype:command-and-control; sid:2008366; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005571; classtype:web-application-attack; sid:2005571; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PWS.Win32.VB.tr Checkin Detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp"; http_uri; content:"id="; content:"&tit="; content:"&comm"; content:"Run|2B|Successfully"; fast_pattern; reference:url,doc.emergingthreats.net/2008506; classtype:command-and-control; sid:2008506; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005572; classtype:web-application-attack; sid:2005572; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic PSW Agent server reply"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"|0d 0a|[Uptade]|0d 0a|Web="; content:"|0d 0a|[Guncellestirme]|0d 0a|Version="; within:100; reference:url,doc.emergingthreats.net/2008662; classtype:trojan-activity; sid:2008662; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp"; flow:established,to_server; content:"/implicit-objects.jsp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2006-7195; reference:url,www.frsirt.com/english/advisories/2007/1729; reference:url,doc.emergingthreats.net/2003902; classtype:web-application-attack; sid:2003902; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PassSickle Reporting User Activity"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&data="; nocase; http_uri; content:"PassSickle"; http_header; nocase; pcre:"/^User-Agent\:[^\n]+PassSickle/Hmi"; reference:url,doc.emergingthreats.net/2002859; classtype:trojan-activity; sid:2002859; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test"; flow:established,to_server; content:"/appdev/sample/web/hello.jsp?"; http_uri; nocase; content:"test="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-1355; reference:url,www.securityfocus.com/bid/24058; reference:url,doc.emergingthreats.net/2004575; classtype:web-application-attack; sid:2004575; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; nocase; http_method; content:".gif?"; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; http_uri; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; classtype:command-and-control; sid:2009522; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file"; flow:established,to_server; content:"/templates/default/tpl_message.php?"; http_uri; nocase; content:"right_file="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2544; reference:url,www.milw0rm.com/exploits/3854; reference:url,doc.emergingthreats.net/2003669; classtype:web-application-attack; sid:2003669; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - prinimalka.py"; flow:established,to_server; content:"/prinimalka.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009405; classtype:trojan-activity; sid:2009405; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/config.php?"; http_uri; nocase; content:"inc_dir="; http_uri; nocase; pcre:"/inc_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-attack; sid:2009663; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personal Defender 2009 - trash.py"; flow:established,to_server; content:"/trash.py"; http_uri; reference:url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/; reference:url,doc.emergingthreats.net/2009406; classtype:trojan-activity; sid:2009406; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId"; flow:established,to_server; content:"/reportItem.do?"; http_uri; nocase; content:"projId="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2819; reference:url,www.securityfocus.com/bid/24060; reference:url,doc.emergingthreats.net/2004558; classtype:web-application-attack; sid:2004558; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (3)"; flow:established,to_server; content:"/cd/un.php?id="; http_uri; content:"&ver="; http_uri; pcre:"/\/cd\/un\.php.id=[A-F0-9\-]+&ver=/U"; reference:url,doc.emergingthreats.net/2008384; classtype:command-and-control; sid:2008384; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH"; flow:established,to_server; content:"/dosearch.php?"; http_uri; nocase; content:"RESPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2530; reference:url,www.milw0rm.com/exploits/3865; reference:url,doc.emergingthreats.net/2003678; classtype:web-application-attack; sid:2003678; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointfree.co.kr Trojan/Spyware Infection Checkin"; flow:established,to_server; content:"log.php?mac="; http_uri; content:"&hdd="; content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; reference:url,doc.emergingthreats.net/2008972; classtype:command-and-control; sid:2008972; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"action=play"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32890/; reference:url,milw0rm.com/exploits/7256; reference:url,doc.emergingthreats.net/2008934; classtype:web-application-attack; sid:2008934; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx CnC Beacon"; flow:established,to_server; content:"q.php"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006405; classtype:command-and-control; sid:2006405; rev:4; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path"; flow:established,to_server; content:"/include/payment/payflow_pro.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003687; classtype:web-application-attack; sid:2003687; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"m="; http_uri; content:"&a="; http_uri; content:"&os="; http_uri; pcre:"/&os=[a-f0-9]{50}/U"; reference:url,doc.emergingthreats.net/2008493; classtype:command-and-control; sid:2008493; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path"; flow:established,to_server; content:"/global.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003688; classtype:web-application-attack; sid:2003688; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qhosts Trojan Check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"UserID="; http_client_body; content:"&wv="; http_client_body; content:"&res="; http_client_body; content:"&lng="; http_client_body; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99; reference:url,doc.emergingthreats.net/2009517; classtype:trojan-activity; sid:2009517; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path"; flow:established,to_server; content:"/libsecure.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003689; classtype:web-application-attack; sid:2003689; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rcash.co.kr Bootup Checkin via HTTP"; flow:established,to_server; content:"/install/Boot.asp?macaddr="; nocase; http_uri; content:"&partner="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007807; classtype:command-and-control; sid:2007807; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"l="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2547; reference:url,www.securityfocus.com/bid/23856; reference:url,doc.emergingthreats.net/2003917; classtype:web-application-attack; sid:2003917; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Renos/ssd.com HTTP Checkin"; flow:established,to_server; content:"/dlp.php?"; nocase; http_uri; content:"&m="; nocase; http_uri; content:"&ydf="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&w=___"; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&apzx="; nocase; http_uri; content:"&apz="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007834; classtype:command-and-control; sid:2007834; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile"; flow:established,to_server; content:"/browseCat.php?"; http_uri; nocase; content:"catFile="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003888; classtype:web-application-attack; sid:2003888; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A|  Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile"; flow:established,to_server; content:"/browseSubCat.php?"; http_uri; nocase; content:"catFile="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003889; classtype:web-application-attack; sid:2003889; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST"; nocase; http_method; content:"?mod=log&user="; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008140; classtype:trojan-activity; sid:2008140; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id"; flow:established,to_server; content:"/openTutorial.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003890; classtype:web-application-attack; sid:2003890; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV CnC Checkin cycle_report"; flow:established,to_server; content:"POST"; http_method; content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; reference:md5,fa078834dd3b4c6604d12823a6f9f17e; classtype:command-and-control; sid:2011820; rev:3; metadata:created_at 2010_10_15, former_category MALWARE, updated_at 2010_10_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id"; flow:established,to_server; content:"/topFrame.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003891; classtype:web-application-attack; sid:2003891; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:4; metadata:created_at 2010_10_25, updated_at 2010_10_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id"; flow:established,to_server; content:"/admin/editListing.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003892; classtype:web-application-attack; sid:2003892; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12; metadata:created_at 2010_10_27, updated_at 2010_10_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003893; classtype:web-application-attack; sid:2003893; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4; metadata:created_at 2010_10_28, updated_at 2010_10_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt"; flow:to_server,established; content:"INCLUDE"; http_uri; nocase; pcre:"/%INCLUDE\s*{.*rev=\"\d+\|.+\".*}\s*%/i"; reference:bugtraq,14960; reference:url,doc.emergingthreats.net/2002662; classtype:web-application-attack; sid:2002662; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Krap.ar Infection URL Request"; flow:established,to_server; content:"type="; http_uri; nocase; content:"email="; http_uri; nocase; content:"hwinfo="; http_uri; nocase; reference:md5,df29b9866397fd311a5259c5d4bc00dd; classtype:trojan-activity; sid:2012076; rev:2; metadata:created_at 2010_12_18, updated_at 2010_12_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED TxtBlog index.php m Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?m="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,32498; reference:url,milw0rm.com/exploits/7241; reference:url,doc.emergingthreats.net/2008923; classtype:web-application-attack; sid:2008923; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/zok.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"url="; nocase; http_uri; content:"sid="; nocase; http_uri; content:"tm="; nocase; http_uri; content:"hlto="; http_uri; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012114; rev:3; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2010_12_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"serverid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32340; reference:url,milw0rm.com/exploits/7148; reference:url,doc.emergingthreats.net/2008872; classtype:web-application-attack; sid:2008872; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".htm"; http_uri; content:"Host|3a| "; http_header; content:"Content-Length|3a| "; http_header; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:command-and-control; sid:2012137; rev:5; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2011_01_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/include/timesheet.php?"; http_uri; nocase; content:"config[include_dir]="; http_uri; pcre:"/config\[include_dir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010126; classtype:web-application-attack; sid:2010126; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy Banker Outbound Communication Attempt"; flow:established,to_server; content:"praquem="; nocase; content:"titulo="; distance:0; nocase; content:"Dir+System32"; nocase; distance:0; reference:md5,58b3c37b61d27cdc0a55321f4c12ef04; classtype:trojan-activity; sid:2012225; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR"; flow:established,to_server; content:"/watermark.php?"; http_uri; nocase; content:"GALLERY_BASEDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2575; reference:url,www.milw0rm.com/exploits/3857; reference:url,doc.emergingthreats.net/2003692; classtype:web-application-attack; sid:2003692; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Banbra Banking Trojan Communication"; flow:established,to_server; content:"para="; nocase; content:"titulo="; nocase; distance:0; content:"mensagem="; nocase; distance:0; reference:md5,7ce03717d6879444d8e45b7cf6470c67; classtype:trojan-activity; sid:2012226; rev:4; metadata:created_at 2011_01_24, updated_at 2011_01_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type"; flow:established,to_server; content:"/shopcontent.asp?"; http_uri; nocase; content:"type="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2790; reference:url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded; reference:url,doc.emergingthreats.net/2004573; classtype:web-application-attack; sid:2004573; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.AZG Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; nocase; content:"eve="; nocase; http_uri; content:"username="; nocase; http_uri; content:"anma="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; reference:url,doc.emergingthreats.net/2008515; classtype:command-and-control; sid:2008515; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php"; flow:established,to_server; content:"/get_header.php"; http_uri; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636; reference:bugtraq,17358; reference:url,doc.emergingthreats.net/2002899; classtype:web-application-attack; sid:2002899; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Troxen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/report3.ashx?"; http_uri; nocase; content:"m="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"d="; nocase; http_uri; content:"uid="; http_uri; nocase; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts; reference:md5,664a5147e6258f10893c3fd375f16ce4; classtype:trojan-activity; sid:2012289; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php"; flow:established,to_server; content:"/functions_install.php"; http_uri; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:cve,2006-1503; reference:bugtraq,17290; reference:url,doc.emergingthreats.net/2002902; classtype:web-application-attack; sid:2002902; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/inst.php?"; http_uri; nocase; content:"ucode="; nocase; http_uri; content:"pcode="; http_uri; nocase; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012290; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo"; flow:established,to_server; content:"/includes/ajax_listado.php?"; http_uri; nocase; content:"urlModulo="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2541; reference:url,www.milw0rm.com/exploits/3847; reference:url,doc.emergingthreats.net/2003671; classtype:web-application-attack; sid:2003671; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy.Win32.Agent.bijs Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app/count/boot.php?"; nocase; http_uri; content:"ucode="; nocase; http_uri; content:"pcode="; nocase; http_uri; reference:md5,846ac24b003c6d468a833bff58db5f5c; classtype:trojan-activity; sid:2012288; rev:4; metadata:created_at 2011_02_04, updated_at 2011_02_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/admin.googlebase.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32098; reference:url,milw0rm.com/exploits/6975; reference:url,doc.emergingthreats.net/2009877; classtype:web-application-attack; sid:2009877; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?build="; http_uri; content:"&id="; http_uri; content:"&SA=1-0"; http_uri; content:"&SP=1-"; http_uri; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958; reference:url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php; classtype:command-and-control; sid:2012391; rev:3; metadata:created_at 2011_02_28, former_category MALWARE, updated_at 2011_02_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003993; classtype:web-application-attack; sid:2003993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel.akd Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/app_count/ag4_del_count.php?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"pid="; nocase; http_uri; reference:md5,2d6cede13913b17bc2ea7c7f70ce5fa8; classtype:trojan-activity; sid:2012439; rev:4; metadata:created_at 2011_03_08, updated_at 2011_03_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003994; classtype:web-application-attack; sid:2003994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.bqkb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/updata/"; nocase; http_uri; content:"lg1="; nocase; http_uri; content:"lg2="; nocase; http_uri; content:"lg3="; nocase; http_uri; content:"lg5="; nocase; http_uri; content:"lg6="; nocase; http_uri; content:"lg7="; nocase; http_uri; reference:md5,de85ae919d48325189bead995e8052e7; classtype:trojan-activity; sid:2012440; rev:4; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003995; classtype:web-application-attack; sid:2003995; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:command-and-control; sid:2012505; rev:4; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003996; classtype:web-application-attack; sid:2003996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rimecud.B Activity"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&acc=ups"; http_uri; content:"&nick="; http_uri; content:"&botver=Beta&code="; http_uri; content:"User-Agent|3a 20|"; nocase; http_header; content:"|3b 20|es-ES|3b|"; distance:39; http_header; content:"plist|3d 2d 2d 2d|"; depth:9; http_client_body; content:"Passwords"; distance:0; http_client_body; reference:md5,01dd7102b9d36ec8556eed2909b74f52; classtype:trojan-activity; sid:2012517; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003997; classtype:web-application-attack; sid:2003997; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.djrm Checkin"; flow:to_server,established; content:"/index.html?mac="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&dtime="; fast_pattern; http_uri; content:"User-Agent|3a| baidu|0d 0a|"; http_header; reference:md5,b895249cce7d2c27cb9c480feb36560c; reference:md5,f70a5f52d4c0071963602c25b62865cb; classtype:command-and-control; sid:2014399; rev:3; metadata:created_at 2012_03_15, former_category MALWARE, updated_at 2012_03_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Way Of The Warrior crea.php plancia Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"crea.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008825; classtype:web-application-attack; sid:2008825; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS-Banker.gen.b Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/curubacom.php?"; http_uri; nocase; content:"op="; http_uri; nocase; reference:md5,e3fdf31ce57b3807352971a62f85c55b; classtype:trojan-activity; sid:2012592; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"crea.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008826; classtype:web-application-attack; sid:2008826; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best Spyware Scanner FaveAV Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/BestSpywareScanner_Setup.exe"; nocase; http_uri; classtype:trojan-activity; sid:2012590; rev:5; metadata:created_at 2011_03_28, updated_at 2011_03_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/cron.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009307; classtype:web-application-attack; sid:2009307; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; http_method; nocase; content:"|2e|ashx|3f|m|3d|"; http_uri; content:"|2d|"; distance:2; within:1; http_uri; content:"|26|mid|3d|"; http_uri; distance:0; content:"|26|tid|3d|"; http_uri; distance:0; content:"|26|d|3d|"; http_uri; distance:0; content:"|26|uid|3d|"; http_uri; distance:0; content:"|26|t|3d|"; http_uri; distance:0; reference:md5,48432bdd116dccb684c8cef84579b963; classtype:command-and-control; sid:2012839; rev:4; metadata:created_at 2011_05_23, former_category MALWARE, updated_at 2011_05_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_browsers.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009309; classtype:web-application-attack; sid:2009309; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_countries.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009311; classtype:web-application-attack; sid:2009311; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic adClicker Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"web"; http_uri; content:"getinfo"; http_uri; content:".aspx?"; http_uri; content:"ver="; http_uri; content:"User-Agent|3a| Microsoft Internet Explorer"; http_header; classtype:command-and-control; sid:2012934; rev:4; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2011_06_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_platforms.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009313; classtype:web-application-attack; sid:2009313; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WebToolbar.Win32.WhenU.r Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/prod/MEADInst.exe"; http_uri; nocase; reference:md5,27867435a1b6b3f35daf13faac6f77b7; classtype:trojan-activity; sid:2013034; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webCalendar Remote File include"; flow: to_server,established; content:"includedir="; http_uri; pcre:"/\/ws\/(login|get_reminders|get_events)\.php/"; reference:url,www.securityfocus.com/archive/1/462957; reference:url,doc.emergingthreats.net/2003520; classtype:web-application-attack; sid:2003520; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper.MSIL.Agent.ate Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/bot.php?"; http_uri; content:"hwid="; http_uri; content:"pcname="; http_uri; reference:md5,4860e53b7e71cd57956e10ef48342b5f; classtype:command-and-control; sid:2013071; rev:4; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2011_06_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004754; classtype:web-application-attack; sid:2004754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:command-and-control; sid:2014405; rev:10; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2012_02_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004755; classtype:web-application-attack; sid:2004755; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.HV Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/popcode.php?aid="; http_uri; content:"&lc="; http_uri; content:"&domain="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV; classtype:command-and-control; sid:2013456; rev:5; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004756; classtype:web-application-attack; sid:2004756; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:command-and-control; sid:2013451; rev:3; metadata:created_at 2011_08_24, former_category MALWARE, updated_at 2011_08_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004757; classtype:web-application-attack; sid:2004757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; classtype:trojan-activity; sid:2013543; rev:3; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004758; classtype:web-application-attack; sid:2004758; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Aeausuc P2P Variant Retrieving Peers List"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gameover"; http_uri; pcre:"/gameover(\d+)?\.php/U"; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|X-ID|3a|"; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013740; rev:9; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004759; classtype:web-application-attack; sid:2004759; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Einstein CnC Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; reference:url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; classtype:command-and-control; sid:2013767; rev:3; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Framework/EmailTemplates.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010092; classtype:web-application-attack; sid:2010092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:md5,07ed70b6e7775a510d725c9f032c70d8; classtype:command-and-control; sid:2013781; rev:4; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2011_10_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Customers/PDPEmailReplaceConstants.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010093; classtype:web-application-attack; sid:2010093; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefbov.E Reporting"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CallBack/SomeScripts/mgsGetMGList.php"; nocase; http_uri; reference:md5,f50d954f1fd38c6eb10e7e399caab480; classtype:trojan-activity; sid:2013868; rev:4; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Admin/ResellersManager.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010094; classtype:web-application-attack; sid:2010094; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:command-and-control; sid:2013948; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/include/header.php?"; http_uri; nocase; content:"config_path="; http_uri; nocase; pcre:"/config_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32472; reference:url,milw0rm.com/exploits/7229; reference:url,doc.emergingthreats.net/2008935; classtype:web-application-attack; sid:2008935; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.TIBIA Checkin or Data Post 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV2|0d 0a|"; http_header; classtype:command-and-control; sid:2013949; rev:4; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2011_11_23;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep"; flow:established,to_server; content:"/handlers/page/show.php?"; http_uri; nocase; content:"sous_rep="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2570; reference:url,www.milw0rm.com/exploits/3863; reference:url,doc.emergingthreats.net/2003696; classtype:web-application-attack; sid:2003696; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flow:established,from_server; content:"VirtualProtect|00|"; reference:url,doc.emergingthreats.net/2009080; classtype:trojan-activity; sid:2009080; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name"; flow:established,to_server; content:"/usersettings.php?"; http_uri; nocase; content:"name="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2551; reference:url,www.securityfocus.com/bid/23894; reference:url,doc.emergingthreats.net/2003916; classtype:web-application-attack; sid:2003916; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.PowerPointer checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<packet>"; http_client_body; content:"</packet>"; http_client_body; classtype:command-and-control; sid:2014040; rev:3; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php"; flow:established,to_server; content:"/include/sessionRegister.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2781; reference:url,www.secunia.com/advisories/25308; reference:url,doc.emergingthreats.net/2004574; classtype:web-application-attack; sid:2004574; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; content:"/wp-login.php"; http_uri; nocase; content:"redirect_to"; http_uri; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32.OnlineGames.Bft Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/urlrcv.php?"; nocase; http_uri; content:"mc="; nocase; http_uri; content:"sc="; nocase; http_uri; content:"uuid="; nocase; http_uri; reference:md5,e488fca95cb923a0ecd329642c076e0d; reference:url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131; classtype:trojan-activity; sid:2014084; rev:5; metadata:created_at 2012_01_03, updated_at 2012_01_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH"; flow:established,to_server; content:"/js/wptable-button.php?"; http_uri; nocase; content:"wpPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2484; reference:url,www.milw0rm.com/exploits/3824; reference:url,doc.emergingthreats.net/2003685; classtype:web-application-attack; sid:2003685; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; distance:1; within:51; content:"User-Agent|3a 20|Mozilla"; distance:0; content:"Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache|0d 0a 0d 0a|"; distance:0; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:3; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2012_01_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH"; flow:established,to_server; content:"/wordtube-button.php?"; http_uri; nocase; content:"wpPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2481; reference:url,www.milw0rm.com/exploits/3825; reference:url,doc.emergingthreats.net/2003686; classtype:web-application-attack; sid:2003686; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php"; flow:established,to_server; content:"/sidebar.php?"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2627; reference:url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded; reference:url,doc.emergingthreats.net/2003885; classtype:web-application-attack; sid:2003885; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/function_core.php?"; http_uri; nocase; content:"web_root="; http_uri; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009925; classtype:web-application-attack; sid:2009925; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"data=6Prm67"; depth:11; http_client_body; classtype:command-and-control; sid:2014044; rev:5; metadata:created_at 2011_12_28, former_category MALWARE, updated_at 2011_12_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/templates/layout_lyrics.php?"; http_uri; nocase; content:"web_root="; http_uri; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009927; classtype:web-application-attack; sid:2009927; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014223; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops Articles modules print.php SQL injection attempt"; flow:to_server,established; content:"/print.php?"; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/id=-?\d+.+UNION.+SELECT/Ui"; reference:bugtraq,23160; reference:url,doc.emergingthreats.net/2003516; classtype:web-application-attack; sid:2003516; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?product=windows"; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014224; rev:4; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include"; flow:established,to_server; content:"/header.php?"; http_uri; nocase; content:"set_menu="; http_uri; nocase; pcre:"/set_menu=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,23189; reference:url,doc.emergingthreats.net/2003517; classtype:web-application-attack; sid:2003517; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; classtype:trojan-activity; sid:2014239; rev:3; metadata:created_at 2012_02_18, updated_at 2012_02_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/update_trailer.php?"; http_uri; nocase; content:"context[path_to_root]="; http_uri; nocase; pcre:"/context\[path_to_root\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009190; classtype:web-application-attack; sid:2009190; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/login.aspx?ReturnUrl=/card/Pay_query.aspx"; http_uri; content:"VIEWSTATE="; nocase; http_client_body; content:"EVENTVALIDATION="; nocase; distance:0; http_client_body; content:"&txtUser="; nocase; distance:0; http_client_body; content:"&txtPwd="; nocase; distance:0; http_client_body; content:"&btnEnter="; nocase; distance:0; http_client_body; reference:md5,67c748f3ecc0278f1f94596f86edc509; classtype:command-and-control; sid:2014307; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2012_03_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path"; flow:established,to_server; content:"/includes/common.php?"; http_uri; nocase; content:"root_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2664; reference:url,www.milw0rm.com/exploits/3908; reference:url,doc.emergingthreats.net/2003739; classtype:web-application-attack; sid:2003739; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Dropper.Wlock Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"hardware_id="; http_client_body; content:"&user_id="; http_client_body; content:"&os_ver="; http_client_body; content:"&os_sp="; http_client_body; content:"&os_arch="; http_client_body; reference:md5,881e21645e5ffe1ffb959835f8fdf71d; classtype:command-and-control; sid:2013768; rev:4; metadata:created_at 2011_10_12, former_category MALWARE, updated_at 2011_10_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler SELECT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003981; classtype:web-application-attack; sid:2003981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; content:!"|0d 0a 0d 0a|MZ"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:5; metadata:created_at 2012_02_16, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UNION SELECT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003982; classtype:web-application-attack; sid:2003982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"Accept|3a| */*|0d 0a|If-None-Match|3a| "; fast_pattern; depth:28; http_header; content:"Cache-Control|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; http_header; content:"Connection|3a| Close|0d 0a 0d 0a|"; distance:0; http_header; classtype:command-and-control; sid:2013348; rev:8; metadata:created_at 2011_08_04, former_category MALWARE, updated_at 2011_08_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler INSERT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003983; classtype:web-application-attack; sid:2003983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patcher/Bankpatch V2 Communication with Controller"; flow:established,to_server; content:"id="; nocase; http_uri; content:"&check="; nocase; http_uri; content:"&version2="; http_uri; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z0-9]+&/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O; classtype:trojan-activity; sid:2009408; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler DELETE"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003984; classtype:web-application-attack; sid:2003984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler ASCII"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003985; classtype:web-application-attack; sid:2003985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary"; flow:established,to_server; content:"/ngt.exe"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014464; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003986; classtype:web-application-attack; sid:2003986; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DwnLdr-JMZ Downloading Binary 2"; flow:established,to_server; content:"/?path=qx200.exe"; http_uri; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx; classtype:trojan-activity; sid:2014465; rev:2; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php"; flow:established,to_server; content:"/ReadMsg.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2825; reference:url,xforce.iss.net/xforce/xfdb/34376; reference:url,doc.emergingthreats.net/2004557; classtype:web-application-attack; sid:2004557; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be"; flow:established,to_server; content:"Host|3a| zaletelly"; http_header; nocase; content:".be|0d 0a|"; http_header; within:9; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014476; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008966; classtype:web-application-attack; sid:2008966; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:command-and-control; sid:2014477; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2012_04_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/handle/proxy.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008967; classtype:web-application-attack; sid:2008967; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin NewAgent"; flow:to_server,established; content:"/index.dat?"; http_uri; content:" NewAgent|0d 0a|Host|3a| "; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,77d68770fcdc6052bd8d761d14a14f5a; classtype:command-and-control; sid:2014467; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2012_04_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/header.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008968; classtype:web-application-attack; sid:2008968; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor Command Request CnC Checkin"; flow:established,to_server; content:".php?id="; http_uri; content:"&ext="; fast_pattern; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+[a-f0-9]{12}&ext\x3D/Ui"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014528; rev:2; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2012_04_06;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/include.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008969; classtype:web-application-attack; sid:2008969; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:3; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/workspace.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008970; classtype:web-application-attack; sid:2008970; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli User Agent Detected"; flow:established,to_server; content:"/rpt"; http_uri; fast_pattern; content:"User-Agent|3a| "; http_header; content:!"User-Agent|3a| Mozilla"; http_header; pcre:"/^User-Agent\x3a [a-z0-9]{92}/Hmi"; reference:url,doc.emergingthreats.net/2007646; classtype:trojan-activity; sid:2007646; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/lib.module.php?"; http_uri; nocase; content:"mod_root"; http_uri; nocase; pcre:"/mod_root=\s*(https?|ftps?|php)/Ui"; reference:url,milw0rm.com/exploits/5921; reference:bugtraq,29914; reference:url,doc.emergingthreats.net/2009367; classtype:web-application-attack; sid:2009367; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Winwebsec.B Checkin"; flow:established,to_server; content:"/temp1.jpg"; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; reference:md5,9c9109cea5845272d6abd1b5523c8de7; classtype:command-and-control; sid:2014578; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2012_04_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/_functions.php?"; http_uri; nocase; content:"GLOBALS[prefix]="; http_uri; nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009874; classtype:web-application-attack; sid:2009874; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.Es11 Keepalive to CnC"; flow:established,to_server; content:"|89 e7 52 d4 68 64 a7 73 bd 7e 3f 5c f7 99 3a 2e|"; offset:16; depth:16; dsize:48; reference:md5,4a17e9bd99f496c518ddfaaef93384b0; classtype:command-and-control; sid:2014630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_20, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006951; classtype:web-application-attack; sid:2006951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.E Keepalive to CnC"; flow:established,to_server; dsize:>30; content:"|90 48 5c d5 ec 70 a3 8b 41 72 28 50 ec f6 d5 2a|"; offset:16; depth:16; reference:md5,fc414168a5b4ca074ea6e03f770659ef; classtype:command-and-control; sid:2013337; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_08_01, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006952; classtype:web-application-attack; sid:2006952; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1; metadata:created_at 2012_04_24, updated_at 2012_04_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006953; classtype:web-application-attack; sid:2006953; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:4; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006954; classtype:web-application-attack; sid:2006954; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maljava Dropper for Windows"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.tmp2"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014637; rev:3; metadata:created_at 2012_04_25, updated_at 2012_04_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006955; classtype:web-application-attack; sid:2006955; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7; metadata:created_at 2012_02_14, updated_at 2012_02_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006956; classtype:web-application-attack; sid:2006956; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006957; classtype:web-application-attack; sid:2006957; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:command-and-control; sid:2013911; rev:9; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2011_11_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006958; classtype:web-application-attack; sid:2006958; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"/rclgx.php?id="; depth:14; http_uri; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:command-and-control; sid:2014719; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006960; classtype:web-application-attack; sid:2006960; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:command-and-control; sid:2014720; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006961; classtype:web-application-attack; sid:2006961; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:command-and-control; sid:2014721; rev:2; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2012_05_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006962; classtype:web-application-attack; sid:2006962; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:2; metadata:created_at 2012_05_08, updated_at 2012_05_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006963; classtype:web-application-attack; sid:2006963; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:command-and-control; sid:2014731; rev:2; metadata:created_at 2012_05_11, former_category MALWARE, updated_at 2012_05_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006964; classtype:web-application-attack; sid:2006964; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving DDoS Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006965; classtype:web-application-attack; sid:2006965; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snap Bot Receiving Download Command"; flow:to_client,established; content:"|0d 0a 0d 0a|"; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:4; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006966; classtype:web-application-attack; sid:2006966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:command-and-control; sid:2014760; rev:2; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006967; classtype:web-application-attack; sid:2006967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:2; metadata:created_at 2012_05_17, updated_at 2012_05_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006968; classtype:web-application-attack; sid:2006968; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3; metadata:created_at 2012_05_19, updated_at 2012_05_19;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/123flashchat.php?"; http_uri; nocase; content:"e107path="; http_uri; nocase; pcre:"/e107path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009435; classtype:web-application-attack; sid:2009435; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2; metadata:created_at 2012_05_24, former_category CURRENT_EVENTS, updated_at 2012_05_24;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index_inc.php?"; http_uri; nocase; content:"inc_ordner="; http_uri; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009225; classtype:web-application-attack; sid:2009225; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:command-and-control; sid:2014804; rev:6; metadata:created_at 2011_11_05, former_category MALWARE, updated_at 2011_11_05;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user"; flow:established,to_server; content:"/all_photos.html?"; http_uri; nocase; content:"user="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2724; reference:url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded; reference:url,doc.emergingthreats.net/2003875; classtype:web-application-attack; sid:2003875; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET MALWARE Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; http_uri; pcre:"/\.txt$/U"; content:"User-Agent|3a| Download|0d 0a|"; http_header; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:command-and-control; sid:2014826; rev:5; metadata:created_at 2012_04_09, former_category MALWARE, updated_at 2012_04_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/toolbar.php?"; http_uri; nocase; content:"dirDepth="; http_uri; nocase; pcre:"/dirDepth=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2008/2059; reference:url,milw0rm.com/exploits/6036; reference:url,doc.emergingthreats.net/2009188; classtype:web-application-attack; sid:2009188; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:2; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; content:"/libs/lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003718; classtype:web-application-attack; sid:2003718; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:5; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR"; flow:established,to_server; content:"/lom_update.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003719; classtype:web-application-attack; sid:2003719; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> any any (msg:"ET MALWARE Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR"; flow:established,to_server; content:"/scripts/check-lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003720; classtype:web-application-attack; sid:2003720; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Security Reaserch WWEB Group|2c| LLC"; classtype:trojan-activity; sid:2014871; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR"; flow:established,to_server; content:"/scripts/weigh_keywords.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003721; classtype:web-application-attack; sid:2003721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR"; flow:established,to_server; content:"/logout.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003722; classtype:web-application-attack; sid:2003722; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:command-and-control; sid:2014887; rev:2; metadata:created_at 2012_06_12, former_category MALWARE, updated_at 2012_06_12;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR"; flow:established,to_server; content:"/help.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003723; classtype:web-application-attack; sid:2003723; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1; metadata:created_at 2012_06_20, former_category CURRENT_EVENTS, updated_at 2012_06_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003724; classtype:web-application-attack; sid:2003724; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR"; flow:established,to_server; content:"/login.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003725; classtype:web-application-attack; sid:2003725; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; content:"/web/lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003747; classtype:web-application-attack; sid:2003747; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/test/pages/contact.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010191; classtype:web-application-attack; sid:2010191; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/system/pageTemplate.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010192; classtype:web-application-attack; sid:2010192; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,doc.emergingthreats.net/2010246; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010246; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/system/utilities.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010193; classtype:web-application-attack; sid:2010193; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&panic="; fast_pattern; http_client_body; content:"&input="; http_client_body; reference:url,doc.emergingthreats.net/2009287; classtype:command-and-control; sid:2009287; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path"; flow:established,to_server; content:"/faq.php?"; http_uri; nocase; content:"module_root_path="; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2493; reference:url,www.milw0rm.com/exploits/3833; reference:url,doc.emergingthreats.net/2003684; classtype:web-application-attack; sid:2003684; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; content:"|0d 0a 0d 0a|ne_unik"; classtype:command-and-control; sid:2014933; rev:3; metadata:created_at 2012_06_22, former_category MALWARE, updated_at 2012_06_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004469; classtype:web-application-attack; sid:2004469; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:command-and-control; sid:2014955; rev:2; metadata:created_at 2012_06_25, former_category MALWARE, updated_at 2012_06_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004470; classtype:web-application-attack; sid:2004470; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:command-and-control; sid:2014956; rev:1; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004471; classtype:web-application-attack; sid:2004471; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004472; classtype:web-application-attack; sid:2004472; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1; metadata:created_at 2012_06_26, updated_at 2012_06_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004473; classtype:web-application-attack; sid:2004473; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:command-and-control; sid:2014961; rev:2; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2012_06_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004474; classtype:web-application-attack; sid:2004474; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:command-and-control; sid:2015022; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004475; classtype:web-application-attack; sid:2004475; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:6; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004476; classtype:web-application-attack; sid:2004476; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushbot server response"; flow:to_client,established; content:"|0d 0a 0d 0a|ZG%|20|!GX"; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004477; classtype:web-application-attack; sid:2004477; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1; metadata:created_at 2012_07_04, former_category CURRENT_EVENTS, updated_at 2012_07_04;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004478; classtype:web-application-attack; sid:2004478; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Monkif CnC response in fake JPEG"; flow:established,from_server; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:command-and-control; sid:2012507; rev:5; metadata:created_at 2011_03_15, former_category MALWARE, updated_at 2011_03_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004479; classtype:web-application-attack; sid:2004479; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2; metadata:created_at 2012_07_14, updated_at 2012_07_14;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nweb2fax viewrq.php var_filename Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; content:"/viewrq.php?"; http_uri; nocase; content:"format=ps"; http_uri; nocase; content:"var_filename="; http_uri; content:"../"; reference:bugtraq,29804; reference:url,milw0rm.com/exploits/5856; reference:url,doc.emergingthreats.net/2009501; classtype:web-application-attack; sid:2009501; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET MALWARE Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003698; classtype:web-application-attack; sid:2003698; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:command-and-control; sid:2015489; rev:2; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2012_07_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path"; flow:established,to_server; content:"/checkout.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003699; classtype:web-application-attack; sid:2003699; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM|0D 0A|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path"; flow:established,to_server; content:"/libsecure.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003700; classtype:web-application-attack; sid:2003700; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION*"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"repinc="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2558; reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded; reference:url,doc.emergingthreats.net/2003701; classtype:web-application-attack; sid:2003701; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2; metadata:created_at 2012_07_21, updated_at 2012_07_21;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server"; flow:established,to_server; content:"/sqledit.php?"; http_uri; nocase; content:"server="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2865; reference:url,www.securityfocus.com/bid/24115; reference:url,doc.emergingthreats.net/2004552; classtype:web-application-attack; sid:2004552; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/body_comm.inc.php?"; http_uri; nocase; content:"content="; http_uri; nocase; pcre:"/content=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,27952; reference:url,milw0rm.com/exploits/5175; reference:url,doc.emergingthreats.net/2009397; classtype:web-application-attack; sid:2009397; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; nocase; classtype:trojan-activity; sid:2015532; rev:2; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003782; classtype:web-application-attack; sid:2003782; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET MALWARE Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:command-and-control; sid:2008023; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003783; classtype:web-application-attack; sid:2003783; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET MALWARE Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:command-and-control; sid:2008022; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003784; classtype:web-application-attack; sid:2003784; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003785; classtype:web-application-attack; sid:2003785; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Control Checkin"; flow:established,to_server; content:"/track.cgi"; http_uri; content:"POST"; depth:4; http_method; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; content:"&z="; http_client_body; reference:url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix; reference:url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html; reference:url,doc.emergingthreats.net/2009096; classtype:command-and-control; sid:2009096; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003786; classtype:web-application-attack; sid:2003786; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tigger.a/Syzor Checkin"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/track.cgi"; http_uri; content:"u="; http_client_body; depth:2; content:"&t="; http_client_body; content:"&b="; http_client_body; content:"&v="; http_client_body; content:"&f="; http_client_body; reference:url,doc.emergingthreats.net/2009347; classtype:command-and-control; sid:2009347; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003787; classtype:web-application-attack; sid:2003787; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; fast_pattern; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:command-and-control; sid:2014219; rev:4; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2012_02_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/footer.php?"; http_uri; nocase; content:"_path[counter]="; http_uri; nocase; pcre:"/_path\[counter\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009321; classtype:web-application-attack; sid:2009321; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Krunchy/BZub HTTP POST Update"; flow:established,to_server; content:"POST"; nocase; http_method; content:"action="; fast_pattern; http_client_body; depth:7; content:"|25 35 46|script"; http_client_body; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007776; classtype:trojan-activity; sid:2007776; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt"; flow:to_server,established; content:"/tiki-featured_link.php?type="; http_uri; nocase; content:"/iframe>"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/450268/30/0; reference:url,doc.emergingthreats.net/2003167; classtype:web-application-attack; sid:2003167; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pandex Trojan Dropper Initial Checkin"; flow:established,to_server; content:"?r="; http_uri; content:"&hdd="; fast_pattern; http_uri; content:"&gen="; http_uri; content:!"User-Agent|3A|"; nocase; http_header; classtype:command-and-control; sid:2013397; rev:3; metadata:created_at 2011_08_10, former_category MALWARE, updated_at 2011_08_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/startup.php?"; http_uri; nocase; content:"CFG[txtsql][class]="; http_uri; nocase; pcre:"/CFG\[txtsql\]\[class\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,30625; reference:url,milw0rm.com/exploits/6224; reference:url,doc.emergingthreats.net/2009416; classtype:web-application-attack; sid:2009416; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:".php?gd="; fast_pattern; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:command-and-control; sid:2013701; rev:2; metadata:created_at 2011_09_28, former_category MALWARE, updated_at 2011_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl"; flow:established,to_server; content:"/printcal.pl?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2745; reference:url,www.securityfocus.com/bid/24022; reference:url,doc.emergingthreats.net/2003874; classtype:web-application-attack; sid:2003874; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Keylogger checkin"; flow:established; content:"GET"; nocase; http_method; content:"?mail="; http_uri; content:"subject=Keylogger"; http_uri; fast_pattern; content:"&body="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)"; http_header; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; classtype:command-and-control; sid:2008368; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004881; classtype:web-application-attack; sid:2004881; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004882; classtype:web-application-attack; sid:2004882; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"|04 00 00 01 05 00 00 00 00 07 00 01 00|"; reference:md5,7bf026c71d4ca6cdc7b6e543f9a5bb64; classtype:trojan-activity; sid:2014348; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004883; classtype:web-application-attack; sid:2004883; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004884; classtype:web-application-attack; sid:2004884; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX compressed file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004885; classtype:web-application-attack; sid:2004885; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:command-and-control; sid:2015587; rev:2; metadata:created_at 2012_08_08, former_category MALWARE, updated_at 2012_08_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004886; classtype:web-application-attack; sid:2004886; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path"; flow:established,to_server; content:"/header.php?"; http_uri; nocase; content:"path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2542; reference:url,www.milw0rm.com/exploits/3848; reference:url,doc.emergingthreats.net/2003670; classtype:web-application-attack; sid:2003670; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Launch"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/launcher_init.php?"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011748; classtype:policy-violation; sid:2011748; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2; metadata:created_at 2012_08_09, updated_at 2012_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Game Check for Patch"; flow:to_server,established; content:"GET"; offset:0; depth:3; content:"/online_game/patch.php?"; http_uri; content:"game="; http_uri; content:"lang="; http_uri; content:"protocol="; http_uri; content:"distro="; http_uri; content:"osdesc="; http_uri; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011749; classtype:policy-violation; sid:2011749; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:2; metadata:created_at 2012_08_11, updated_at 2012_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetConnectionAndGameParams"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetConnectionAndGameParams</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011750; classtype:policy-violation; sid:2011750; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:command-and-control; sid:2015635; rev:3; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2012_08_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request OpenSession"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>OpenSession</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011751; classtype:policy-violation; sid:2011751; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:md5,9688d1d37a7ced200c53ec2b9332a0ad; reference:md5,81d8a235cb5f7345b5796483abe8145f; reference:md5,47a6dd02ee197f82b28cee0ab2b9bd35; classtype:command-and-control; sid:2012960; rev:8; metadata:created_at 2011_06_09, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request Disconnect"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>Disconnect</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011753; classtype:policy-violation; sid:2011753; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,5310a7d855a14c93b12a36869cd252ec; classtype:trojan-activity; sid:2015653; rev:4; metadata:created_at 2012_02_24, updated_at 2012_02_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetOnlineProfile"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetOnlineProfile</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011754; classtype:policy-violation; sid:2011754; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request GetBuddies"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>GetBuddies</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011755; classtype:policy-violation; sid:2011755; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request SearchNew"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>SearchNew</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011756; classtype:policy-violation; sid:2011756; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:command-and-control; sid:2015616; rev:3; metadata:created_at 2012_08_11, former_category MALWARE, updated_at 2012_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES TrackMania Request LiveUpdate"; flow:to_server,established; content:"POST"; offset:0; depth:4; content:"/online_game/request.php"; http_uri; content:"|0d 0a|User-Agent|3a| GameBox"; content:"<request><name>LiveUpdate</name>"; nocase; reference:url,www.trackmania.com; reference:url,doc.emergingthreats.net/2011757; classtype:policy-violation; sid:2011757; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:command-and-control; sid:2009540; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INAPPROPRIATE Google Image Search, Safe Mode Off"; flow:established,to_server; content:"&safe=off"; http_uri; content:"|0d 0a|Host|3a| images.google.com|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002925; classtype:policy-violation; sid:2002925; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zango Spyware Activity"; flow:to_server,established; content:"/banman/banman.asp?ZoneID="; http_uri; nocase; content:"&Task="; http_uri; nocase; content:"&X="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; classtype:trojan-activity; sid:2003170; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MSUpdater.net Spyware Checkin"; flow:established,to_server; content:"/popsetarray.php?&country="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; classtype:trojan-activity; sid:2002094; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; content:"/progs_traff/"; http_uri; nocase; reference:url,research.sunbelt-software.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; classtype:trojan-activity; sid:2003034; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weatherbug Design60 Upload Activity"; flow:established,to_server; content:"/GetDesign60.aspx?Magic="; http_uri; nocase; content:"?ZipCode="; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; classtype:trojan-activity; sid:2003423; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Crewbox Proxy Scan"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"crewbox.by.ru/crew/"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003156; classtype:attempted-recon; sid:2003156; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Opera/"; http_header; content:"Presto/"; http_header; fast_pattern; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:command-and-control; sid:2013154; rev:5; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2011_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/g"; http_uri; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"Mozilla/4.1"; http_user_agent; depth:11; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:command-and-control; sid:2015713; rev:3; metadata:created_at 2012_09_18, former_category MALWARE, updated_at 2012_09_18;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; content:"/awstats.pl?"; http_uri; nocase; content:"/migrate"; http_uri; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; reference:url,doc.emergingthreats.net/2002900; classtype:web-application-attack; sid:2002900; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:exploit-kit; sid:2015718; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; reference:url,doc.emergingthreats.net/2002362; classtype:web-application-attack; sid:2002362; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; reference:url,doc.emergingthreats.net/2002685; classtype:web-application-attack; sid:2002685; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003086; classtype:web-application-attack; sid:2003086; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:command-and-control; sid:2006403; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003087; classtype:web-application-attack; sid:2003087; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:exploit-kit; sid:2015742; rev:1; metadata:attack_target Client_Endpoint, created_at 2012_09_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; content:"/configure/"; http_uri; content:"/enable/"; http_uri; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; reference:url,doc.emergingthreats.net/2002721; classtype:web-application-attack; sid:2002721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; dsize:<16; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:command-and-control; sid:2013090; rev:10; metadata:created_at 2010_11_22, former_category MALWARE, updated_at 2010_11_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; content:"/CCMAdmin/serverlist.asp?"; http_uri; nocase; content:"pattern="; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; reference:url,doc.emergingthreats.net/2004556; classtype:web-application-attack; sid:2004556; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:command-and-control; sid:2007980; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET "; depth:4; content:"lastvist.html?"; http_uri; nocase; content:"domain="; http_uri; nocase; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; reference:url,doc.emergingthreats.net/2009484; classtype:web-application-attack; sid:2009484; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; content:"OpenForm"; http_uri; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; reference:url,doc.emergingthreats.net/2002376; classtype:web-application-attack; sid:2002376; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; content:"OpenFrameSet"; http_uri; nocase; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; reference:url,doc.emergingthreats.net/2002377; classtype:web-application-attack; sid:2002377; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/OvCgi/OvWebHelp.exe"; http_uri; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:command-and-control; sid:2008130; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; content:".aspx"; http_uri; nocase; content:"GET"; nocase; depth: 3; content:"%5C"; depth: 200; nocase; content:"aspx"; within:100; reference:url,doc.emergingthreats.net/2001343; classtype:web-application-attack; sid:2001343; rev:23; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:command-and-control; sid:2009300; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; content:"extras/update.php"; http_uri; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002864; classtype:attempted-recon; sid:2002864; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:command-and-control; sid:2007610; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"CUSTOMIZE=/"; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"destype=file"; http_uri; nocase; content:"desformat="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; classtype:web-application-activity; sid:2002132; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com|autoflash\.info)|update\.(?:dyndns\.info|hopto\.org)|app\.serveftp\.com)|flash(?:center\.info|rider\.org)|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015805; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:command-and-control; sid:2015806; rev:2; metadata:created_at 2012_10_16, former_category MALWARE, updated_at 2012_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED PHP remote file include exploit attempt"; flow: to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=(https?|ftps?|php)\:\/.{0,100}cmd=/Ui"; reference:url,doc.emergingthreats.net/2001810; classtype:attempted-admin; sid:2001810; rev:29; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED PacketShaper DoS attempt"; flow:to_server,established; content:"/rpttop.htm"; http_uri; pcre:"/MEAS\.TYPE=(?!(link|class)&)/U"; reference:url,doc.emergingthreats.net/2004449; classtype:denial-of-service; sid:2004449; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; content:".php"; http_uri; nocase; content:"=http|3a|/"; http_uri; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009151; classtype:web-application-attack; sid:2009151; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GeckaSeka User-Agent"; flow:established,to_server; content:"GeckaSeka"; http_user_agent; classtype:trojan-activity; sid:2015824; rev:6; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED RSA Web Auth Exploit Attempt - Long URL"; flow:to_server,established; content:"/WebID/IISWebAgentIF.dll"; http_uri; content:"?Redirect?"; http_uri; nocase; pcre:"/url=.{8000}/iU"; reference:url,secunia.com/advisories/17281; reference:url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm; reference:url,doc.emergingthreats.net/2002660; reference:url,doc.emergingthreats.net/2002660; classtype:web-application-activity; sid:2002660; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/\x2F\x2A.+\x2A\x2F/U"; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2011040; classtype:web-application-attack; sid:2011040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; content:"/default.aspx?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; reference:url,doc.emergingthreats.net/2003903; classtype:web-application-attack; sid:2003903; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:7; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail"; flow:established,to_server; content:"/contact/contact/index.php?"; http_uri; nocase; content:"form[mail]="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003904; classtype:web-application-attack; sid:2003904; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; content:"|00|"; http_uri; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; reference:url,doc.emergingthreats.net/2003099; classtype:web-application-activity; sid:2003099; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/axis2/services/Version?"; http_uri; nocase; content:"xsd="; http_uri; nocase; content:"../"; depth:200; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; classtype:web-application-attack; sid:2011160; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/softwarefortubeview.40009.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010058; classtype:trojan-activity; sid:2010058; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:6; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; content:"/ssp/loadjavad.php"; http_uri; nocase; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010446; classtype:bad-unknown; sid:2010446; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; content:"/kav"; http_uri; nocase; content:"|0d 0a|accept-encoding|3a| pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type|3a| application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Mozilla"; nocase; content:" Java/"; nocase; within:50; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; classtype:exploit-kit; sid:2010870; rev:7; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:8; metadata:created_at 2012_10_23, updated_at 2012_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif"; flow:established,to_server; content:"/i1000000.gif"; http_uri; nocase; reference:url,doc.emergingthreats.net/2011760; classtype:bad-unknown; sid:2011760; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:exploit-kit; sid:2015837; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; content:"/xml/p.php?id="; http_uri; nocase; pcre:"/\/xml\/p\.php\?id=\d{2,}/Ui"; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; classtype:trojan-activity; sid:2010551; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013976; rev:10; metadata:created_at 2011_12_01, former_category MALWARE, updated_at 2011_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ASPROX Infected Site - ngg.js Request"; flow:established,to_server; content:"/ngg.js"; http_uri; nocase; content:!"nextgen-gallery"; nocase; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; classtype:trojan-activity; sid:2008373; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015868; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/nmap.php?"; http_uri; nocase; content:"target="; http_uri; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:2; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015869; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:command-and-control; sid:2015870; rev:2; metadata:created_at 2012_11_07, former_category MALWARE, updated_at 2012_11_07;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Alms backdoor checkin"; content:"/getnewv.php?keyword=google&id="; http_uri; nocase; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_user_agent; flow:to_server,established; classtype:command-and-control; sid:2012803; rev:5; metadata:created_at 2011_05_11, former_category MALWARE, updated_at 2011_05_11;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"D="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:command-and-control; sid:2014599; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2012_04_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003764; classtype:web-application-attack; sid:2003764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:2; metadata:created_at 2012_11_20, updated_at 2012_11_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware (action url reported)"; flow: to_server,established; content:"/actionurls/ActionUrl"; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; classtype:trojan-activity; sid:2001399; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:2; metadata:created_at 2012_12_08, updated_at 2012_12_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; flow:established,to_server; content:"POST"; http_method; content:"/scripts/setup.php"; http_uri; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016047; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo)"; flow:established,to_server; content:"POST "; depth:5; content:"/scripts/setup.php"; http_uri; nocase; content:"|0D 0A 0D 0A|token="; content:"host"; content:"phpinfo|25|28|25|29|25|3b"; nocase; within:64; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009709; classtype:web-application-attack; sid:2009709; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:2; metadata:created_at 2012_12_18, updated_at 2012_12_18;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003838; classtype:web-application-attack; sid:2003838; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:command-and-control; sid:2016049; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES"; flow:established,to_server; content:"/inc/articles.inc.php?"; http_uri; nocase; content:"GLOBALS[CHEMINMODULES]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2594; reference:url,www.milw0rm.com/exploits/3879; reference:url,doc.emergingthreats.net/2003703; classtype:web-application-attack; sid:2003703; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; distance:0; http_client_body; content:"&name="; distance:0; http_client_body; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:5; metadata:created_at 2012_12_18, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore"; flow:established,to_server; content:"/user/turbulence.php?"; http_uri; nocase; content:"GLOBALS[tcore]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2504; reference:url,www.securityfocus.com/bid/23580; reference:url,doc.emergingthreats.net/2003683; classtype:web-application-attack; sid:2003683; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:command-and-control; sid:2016062; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod"; flow:established,to_server; content:"/mod/image/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003672; classtype:web-application-attack; sid:2003672; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:3; metadata:created_at 2012_12_29, updated_at 2012_12_29;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod"; flow:established,to_server; content:"/mod/liens/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003673; classtype:web-application-attack; sid:2003673; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:command-and-control; sid:2016124; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod"; flow:established,to_server; content:"/mod/liste/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003674; classtype:web-application-attack; sid:2003674; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:command-and-control; sid:2016126; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod"; flow:established,to_server; content:"/mod/special/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003675; classtype:web-application-attack; sid:2003675; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:command-and-control; sid:2016127; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_12_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod"; flow:established,to_server; content:"/mod/texte/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003676; classtype:web-application-attack; sid:2003676; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path"; flow:established,to_server; content:"/psg.smarty.lib.php?"; http_uri; nocase; content:"cfg[sys][base_path]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2458; reference:url,www.frsirt.com/english/advisories/2007/1390; reference:url,doc.emergingthreats.net/2003691; classtype:web-application-attack; sid:2003691; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:command-and-control; sid:2016428; rev:7; metadata:created_at 2011_03_08, former_category MALWARE, updated_at 2011_03_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path"; flow:established,to_server; content:"/resources/includes/class.Smarty.php?"; http_uri; nocase; content:"cfg[sys][base_path]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2457; reference:url,www.milw0rm.com/exploits/3733; reference:url,doc.emergingthreats.net/2003702; classtype:web-application-attack; sid:2003702; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:targeted-activity; sid:2016438; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/subscription.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009061; classtype:web-application-attack; sid:2009061; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016441; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/plugin/themes/default/init.php?"; http_uri; nocase; content:"apps_path[themes]="; http_uri; nocase; pcre:"/apps_path\[themes\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009086; classtype:web-application-attack; sid:2009086; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2; metadata:created_at 2013_02_20, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/function.php?"; http_uri; nocase; content:"apps_path[libs]="; http_uri; nocase; pcre:"/apps_path\[libs\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009088; classtype:web-application-attack; sid:2009088; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016443; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016448; rev:2; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus Bot Request to CnC"; flow:established,to_server; content:".bin"; http_uri; content:"GET"; depth:3; http_method; content:".bin HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; content:!"|0d 0a|Referer|3a|"; nocase; reference:url,doc.emergingthreats.net/2010861; classtype:command-and-control; sid:2010861; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:targeted-activity; sid:2016449; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:6; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016444; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Buzus Posting Data"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/fdsupdate"; http_uri; nocase; content:"|0d 0a 0d 0a|PUTF"; reference:url,doc.emergingthreats.net/2010064; classtype:trojan-activity; sid:2010064; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,b5e9ce72771217680efaeecfafe3da3f; classtype:targeted-activity; sid:2016455; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Exploit Suspected PHP Injection Attack (name=)"; flow:to_server,established; content:"GET "; nocase; depth:4; content:".php?"; http_uri; nocase; content:"name="; http_uri; nocase; pcre:"/name=(https?|ftps?|php)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2001621; classtype:web-application-attack; sid:2001621; rev:36; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016456; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; content:"/www.metareward.com/mailimg/disclaimer/"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:targeted-activity; sid:2016457; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; content:"/access.php?"; http_uri; nocase; content:"w="; http_uri; nocase; content:"&a="; http_uri; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016472; rev:2; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:4; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:command-and-control; sid:2016496; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2013_02_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include"; flow:established,to_server; content:"/includes/includes.php"; http_uri; content:"site_path"; http_uri; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22361; reference:url,doc.emergingthreats.net/2003371; classtype:web-application-attack; sid:2003371; rev:8; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:targeted-activity; sid:2016579; rev:2; metadata:created_at 2013_03_15, former_category MALWARE, updated_at 2013_03_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7; metadata:created_at 2010_09_25, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RevProxy Java  Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3; metadata:created_at 2013_03_19, updated_at 2013_03_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/jmx-console/HtmlAdaptor"; http_uri; nocase; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; http_uri; nocase; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; content:"main.php?action=download"; http_uri; nocase; content:"&id="; http_uri; nocase; pcre:"/(\.\.\/){1}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/passwiki.php?site_id="; http_uri; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2; metadata:created_at 2013_03_28, updated_at 2013_03_28;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mindset Interactive Ad Retrieval"; flow: to_server,established; content:"/mindset5"; http_uri; nocase; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; classtype:trojan-activity; sid:2000594; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/NSISDL.Downloader CnC Server Response"; flow:established,to_client; file_data; content:"[install 1]"; within:11; content:"Ins="; within:40; classtype:command-and-control; sid:2016746; rev:2; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2013_04_09;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; content:"/error.php?"; http_uri; nocase; content:"err="; http_uri; nocase; content:"_SERVER[REMOTE_ADDR]="; http_uri; nocase; reference:bugtraq,15609; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; classtype:web-application-attack; sid:2002703; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siscos CnC Checkin"; flow:established,to_server; content:".php?getcmd="; fast_pattern:only; http_uri; content:"&uid="; http_uri; content:"User-Agent|3a| "; http_header; content:"|3b| MSlE 6.0|3b|"; distance:23; within:11; http_header; classtype:command-and-control; sid:2013384; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2011_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.U Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"cnt="; http_uri; nocase; content:"&scn="; http_uri; nocase; content:"&inf="; http_uri; nocase; content:"&ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; reference:url,doc.emergingthreats.net/2003070; classtype:trojan-activity; sid:2003070; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:3; metadata:created_at 2012_04_13, updated_at 2012_04_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Korgo.P Reporting"; flow: to_server,established; content:"/index.php?id="; http_uri; nocase; content:"?cnt="; http_uri; nocase; content:"?scn="; http_uri; nocase; content:"?inf="; http_uri; nocase; content:"?ver="; http_uri; nocase; reference:url,www.f-secure.com/v-descs/korgo_p.shtml; reference:url,doc.emergingthreats.net/2008192; classtype:trojan-activity; sid:2008192; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"vb wininet"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, malware_family Bancos, tag Banking_Trojan, updated_at 2018_04_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/Setup_"; http_uri; nocase; content:".exe"; http_uri; nocase; content:!"|0d 0a|Referer|3a| "; nocase; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; classtype:trojan-activity; sid:2010867; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/U"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/codec/197.exe"; http_uri; nocase; reference:url,doc.emergingthreats.net/2010056; classtype:trojan-activity; sid:2010056; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Psyb0t Code Download"; flow:established,to_server; content:"/udhcpc.env"; http_uri; nocase; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; classtype:trojan-activity; sid:2009170; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:command-and-control; sid:2014276; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2012_02_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2"; flow:established,to_server; content:"GET "; depth:4; content:"/werber/"; http_uri; nocase; content:"/217.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; classtype:trojan-activity; sid:2010232; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:3; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3"; flow:established,to_server; content:"GET "; depth:4; content:"/item/"; http_uri; nocase; content:"/titem.gif"; http_uri; nocase; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; classtype:trojan-activity; sid:2010233; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution"; flow:established,to_server; content:"POST "; depth:5; content:".php/"; http_uri; pcre:"/\/[a-z_]+\.php\/[a-z_]+\.php/U"; reference:url,seclists.org/fulldisclosure/2009/Nov/169; reference:url,seclists.org/fulldisclosure/2009/Nov/170; reference:url,doc.emergingthreats.net/2010341; classtype:web-application-attack; sid:2010341; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT)"; flow:to_server,established; content:"EMSCBVDFRT"; http_user_agent; depth:10; classtype:trojan-activity; sid:2016907; rev:5; metadata:created_at 2012_03_02, updated_at 2022_05_03;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS Hiloti DNS CnC Channel Successful Install Message"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|empty"; nocase; distance:0; content:"|0C|explorer_exe"; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2011911; rev:3; metadata:created_at 2010_11_09, former_category DNS, updated_at 2019_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT)"; flow:to_server,established; content:"MBVDFRESCT"; nocase; depth:10; http_user_agent; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ; classtype:trojan-activity; sid:2016908; rev:5; metadata:created_at 2011_09_09, updated_at 2011_09_09;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Request for Zaletelly CnC Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:command-and-control; sid:2014513; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2019_08_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2017312; rev:5; metadata:created_at 2013_08_12, former_category MALWARE, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"explorer_exe"; nocase; distance:0; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2012781; rev:3; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS Query for a Suspicious Malware Related Numerical .in Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012115; rev:7; metadata:created_at 2010_12_30, former_category HUNTING, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Large DNS Query possible covert channel"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; classtype:bad-unknown; sid:2013075; rev:9; metadata:created_at 2011_06_21, updated_at 2019_08_29;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2; metadata:created_at 2013_06_08, former_category MALWARE, updated_at 2013_06_08;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:5; metadata:created_at 2012_08_10, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Srv.SSA-KeyLogger Checkin Traffic"; flow:to_server,established; content:"Srv.SSA-KeyLogger"; http_uri; reference:url,doc.emergingthreats.net/2002175; classtype:command-and-control; sid:2002175; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019454; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_08_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET MALWARE Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019455; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_08_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET MALWARE Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE ELF.MrBlack DOS.TF Malformed Lookup (/lib32/libc.so.6)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|/lib32/libc|02|so|01|6|00|"; fast_pattern; distance:0; nocase; reference:md5,312fa52a7992e58359cb68bb0f029ea7; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022335; rev:3; metadata:created_at 2016_01_07, updated_at 2019_09_03;)
+#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET MALWARE Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2016-12-15 to 2017-05-04)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:gdqg|hdqh|idqi|jdqj|kdqk|ldql|mdqm|ndqn|odqo|pdqp|qdqq|rdqr|sdqs|tdqt|udqu|vdqv|wdqw|xdqx|ydqy|zdqz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
+#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET MALWARE Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2017-05-04 to 2017-11-02)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:adra|bdrb|cdrc|ddrd|edre|fdrf|gdrg|hdrh|idri|jdrj|kdrk|ldrl|mdrm|ndrn|odro|pdrp|qdrq|rdrr|sdrs|tdrt|udru|vdrv|wdrw|xdrx|ydry|zdrz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
+#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS Checkin"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; fast_pattern; pcre:"/^(?!0+30)[0-9A-Z]+30[^0-9]/R"; content:"|00|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022836; rev:4; metadata:created_at 2016_05_24, former_category MALWARE, updated_at 2019_08_29;)
+#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET MALWARE Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .cn Domain Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:pup-activity; sid:2012327; rev:6; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_user_agent; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:command-and-control; sid:2008523; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET ADWARE_PUP All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:pup-activity; sid:2012328; rev:8; metadata:created_at 2011_02_21, former_category ADWARE_PUP, updated_at 2019_08_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016970; rev:4; metadata:created_at 2013_06_05, former_category EXPLOIT_KIT, updated_at 2013_06_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain peocity.com"; dns_query; content:"peocity.com"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016600; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain skyruss.net"; dns_query; content:"skyruss.net"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016602; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain commanal.net"; dns_query; content:"commanal.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016603; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:4; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain natareport.com"; dns_query; content:"natareport.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016604; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogellrey.com"; dns_query; content:"photogellrey.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016605; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain creditrept.com"; dns_query; content:"creditrept.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016608; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pollingvoter.org"; dns_query; content:"pollingvoter.org"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016609; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:3; metadata:created_at 2013_06_22, updated_at 2013_06_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dfasonline.com"; dns_query; content:"dfasonline.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016610; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hudsoninst.com"; dns_query; content:"hudsoninst.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016611; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:command-and-control; sid:2017056; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain wsurveymaster.com"; dns_query; content:"wsurveymaster.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016612; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:command-and-control; sid:2017055; rev:1; metadata:created_at 2013_06_25, former_category MALWARE, updated_at 2013_06_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nhrasurvey.org"; dns_query; content:"nhrasurvey.org"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016613; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pdi2012.org"; dns_query; content:"pdi2012.org"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016614; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_25, updated_at 2013_06_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nceba.org"; dns_query; content:"nceba.org"; depth:9; nocase; fast_pattern; classtype:trojan-activity; sid:2016615; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; http_client_body; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain linkedin-blog.com"; dns_query; content:"linkedin-blog.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016616; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain aafbonus.com"; dns_query; content:"aafbonus.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016617; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain milstars.org"; dns_query; content:"milstars.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016618; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php\?[^\s]*(notdoing|howme|uname)=/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain vatdex.com"; dns_query; content:"vatdex.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016619; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain applesea.net"; dns_query; content:"applesea.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016621; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledmg.net"; dns_query; content:"appledmg.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016622; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:command-and-control; sid:2016963; rev:5; metadata:created_at 2012_04_13, former_category MALWARE, updated_at 2012_04_13;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appleintouch.net"; dns_query; content:"appleintouch.net"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016623; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:command-and-control; sid:2017275; rev:2; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2013_08_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledns.net"; dns_query; content:"appledns.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016625; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:exploit-kit; sid:2017296; rev:5; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain emailserverctr.com"; dns_query; content:"emailserverctr.com"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2016626; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Covert Channel (VERSONEX and Mr.Black)"; content:"VERSONEX|3a|"; depth:64; fast_pattern; content:"Mr.Black"; within:50; classtype:trojan-activity; sid:2017315; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain slashdoc.org"; dns_query; content:"slashdoc.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016629; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; http_method; content:"/ld/"; http_uri; content:".php"; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photosmagnum.com"; dns_query; content:"photosmagnum.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016630; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC"; flow:from_server,established; file_data; content:"c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015902; rev:7; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain resume4jobs.net"; dns_query; content:"resume4jobs.net"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016631; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 2"; flow:from_server,established; file_data; content:"c=idl"; within:5; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015903; rev:5; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2012_09_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain searching-job.net"; dns_query; content:"searching-job.net"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016632; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net add PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain servagency.com"; dns_query; content:"servagency.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016633; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - netsh - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain gsasmartpay.org"; dns_query; content:"gsasmartpay.org"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016634; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - ipconfig - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain tech-att.com"; dns_query; content:"tech-att.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016635; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot -  reg - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Synolocker .onion DNS lookup"; dns_query; content:"cypherxffttr7hho"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018948; rev:3; metadata:created_at 2014_08_18, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.cc"; dns_query; content:"jifr.co.cc"; depth:10; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:4; metadata:created_at 2011_08_29, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.be"; dns_query; content:"qfsl.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.cc"; dns_query; content:"qfsl.co.cc"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.be"; dns_query; content:"jifr.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5; metadata:created_at 2013_08_08, updated_at 2013_08_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Chanitor.A DNS Lookup"; dns_query; content:"svcz25e3m4mwlauz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2019519; rev:3; metadata:created_at 2014_10_27, former_category MALWARE, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:"  <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3; metadata:created_at 2013_08_07, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns_query; content:"r2bv3u64ytfi2ssf"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019979; rev:4; metadata:created_at 2014_12_20, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ATTACKER IRCBot - net user - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4; metadata:created_at 2013_08_07, former_category MALWARE, updated_at 2013_08_07;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"qtrudrukmurps7tc"; depth:16; nocase; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:3; metadata:created_at 2015_01_19, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"tzsvejrzduo52siy"; depth:16; nocase; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:3; metadata:created_at 2015_01_20, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"ohmva4gbywokzqso"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020226; rev:3; metadata:created_at 2015_01_21, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptarv4hcu24ijv Domain - CryptoWall Domains"; dns_query; content:"crptarv4hcu24ijv"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020280; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.APT.9002 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:targeted-activity; sid:2016398; rev:8; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2012_06_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptbfoi5i54ubez Domain - CryptoWall Domains"; dns_query; content:"crptbfoi5i54ubez"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020281; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptcj7wd4oaafdl Domain - CryptoWall Domains"; dns_query; content:"crptcj7wd4oaafdl"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020282; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Critroni Tor DNS Proxy lookup"; dns_query; content:"23bteufi2kcqza2l"; depth:16; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"sgqjml3dstgmarn3"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020357; rev:3; metadata:created_at 2015_02_04, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017353; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain"; dns_query; content:"brk7tda32wtkxjpa"; depth:16; nocase; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:3; metadata:created_at 2015_02_27, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (h63rbx7gkd3gygag)"; dns_query; content:"h63rbx7gkd3gygag"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020616; rev:3; metadata:created_at 2015_03_04, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; dns_query; content:"juf5pjk4sl7uojh4"; depth:16; fast_pattern; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:3; metadata:created_at 2015_03_11, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (4elcqmis624seeo7)"; dns_query; content:"4elcqmis624seeo7"; depth:16; fast_pattern; nocase; reference:url,teknoseyir.com/durum/291421; classtype:trojan-activity; sid:2020685; rev:3; metadata:created_at 2015_03_12, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu)"; dns_query; content:"erhitnwfvpgajfbu"; depth:16; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019123; rev:5; metadata:created_at 2014_09_05, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx)"; dns_query; content:"3bjpwsf3fjcwtnwx"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020727; rev:3; metadata:created_at 2015_03_23, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (otsaa35gxbcwvrqs)"; dns_query; content:"otsaa35gxbcwvrqs"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020759; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:command-and-control; sid:2017360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_08_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (4bpthx5z4e7n6gnb)"; dns_query; content:"4bpthx5z4e7n6gnb"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020760; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mashigoom/Tranwos/RevProxy ClickFraud - hello"; flow:established,to_server; threshold:type both,track by_src,seconds 60,count 1; dsize:<150; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}/"; classtype:trojan-activity; sid:2016292; rev:6; metadata:created_at 2013_01_26, updated_at 2013_01_26;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (bc3ywvif4m3lnw4o)"; dns_query; content:"bc3ywvif4m3lnw4o"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020761; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool get command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgwKH08DHh4bVURA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017378; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; dns_query; content:"33p5mqkaj22irv4z"; depth:16; fast_pattern; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:3; metadata:created_at 2015_04_15, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool long command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgcABQhLAh4fH1FA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017379; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr)"; dns_query; content:"pf3tlgkpks7pu7yr"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020952; rev:3; metadata:created_at 2015_04_21, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool smart command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhgCCh0fSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017380; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; dns_query; content:"cld7vqwcvn2bii67"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:3; metadata:created_at 2015_05_01, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post1 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtaSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017381; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; dns_query; content:"is6xsotjdy4qtgur"; depth:16; fast_pattern; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:3; metadata:created_at 2015_05_08, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool post2 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtZSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017382; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; dns_query; content:"tlunjscxn5n76iyz"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:3; metadata:created_at 2015_05_19, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgkWHwpL"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017383; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; dns_query; content:"wdthvb6jut2rupu4"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgIMBh9L"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017384; rev:5; metadata:created_at 2013_08_27, updated_at 2013_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; dns_query; content:"xwxwninkssujglja"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017388; rev:3; metadata:created_at 2013_08_28, former_category CURRENT_EVENTS, updated_at 2013_08_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; dns_query; content:"7fa6gldxg64t5wnt"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; dns_query; content:"bpq4dub4rlivvswu"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:3; metadata:created_at 2015_06_19, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (OUTBOUND)"; flow:to_server,established; content:"P[endof]"; dsize:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017418; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; dns_query; content:"gzc7lj4rvmkg25dm"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:3; metadata:created_at 2015_06_19, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!2,relative; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017419; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Variant .onion proxy Domain (kurrmpfx6kgmsopm)"; dns_query; content:"kurrmpfx6kgmsopm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021318; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (File Manager)"; flow:from_server,established; content:"FM|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017420; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion proxy Domain (tkjthigtqlvohs7z)"; dns_query; content:"tkjthigtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021319; rev:3; metadata:created_at 2015_06_22, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017421; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b)"; dns_query; content:"xvha2ctkacx2ug3b"; depth:16; fast_pattern; nocase; reference:url,www.dropboxforum.com/hc/communities/public/questions/203834265-virus; classtype:trojan-activity; sid:2021325; rev:3; metadata:created_at 2015_06_23, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017422; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; dns_query; content:"hlvumvvclxy2nw7j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021534; rev:3; metadata:created_at 2015_07_27, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Desktop)"; flow:to_server,established; content:"scPK|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017423; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; dns_query; content:"vacdgwaw5djp5hmu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021549; rev:3; metadata:created_at 2015_07_29, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017424; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain"; dns_query; content:"des7siw5vfkznjhi"; depth:16; fast_pattern; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:3; metadata:created_at 2015_07_30, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017426; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; dns_query; content:"613cb6owitcouepv"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021561; rev:3; metadata:created_at 2015_07_31, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017427; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"7n4p5o6vlkdiqiee"; depth:16; nocase; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:4; metadata:created_at 2015_01_20, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Kill Process)"; flow:from_server,established; content:"k|7c 27 7c 27 7c|"; depth:6; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017428; rev:2; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns_query; content:"h36fhvsupe4mi7mm"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021849; rev:3; metadata:created_at 2015_09_30, updated_at 2019_09_03;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8; metadata:created_at 2012_07_17, updated_at 2012_07_17;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain (tmclybfqzgkaeilm)"; dns_query; content:"tmclybfqzgkaeilm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022145; rev:3; metadata:created_at 2015_11_25, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:command-and-control; sid:2017525; rev:2; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt .onion Proxy Domain (tw7kaqthui5ojcez)"; dns_query; content:"tw7kaqthui5ojcez"; depth:16; fast_pattern; nocase; reference:md5,45683c29a36ef8a15f216d7c4b2af822; classtype:trojan-activity; sid:2022191; rev:3; metadata:created_at 2015_11_30, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command response"; flow:established,from_server; file_data; content:"send|3c 7c 3e|"; within:7; pcre:"/^[A-Z]\x3a\x5f/R"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017523; rev:5; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Domain (75nzutdjjtnpgscz)"; dns_query; content:"75nzutdjjtnpgscz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022236; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hiloti/Mufanom CnC Response"; flow:established,from_server; flowbits:isset,ET.Hiloti; file_data; content:"<!-- vbe -->"; distance:0; classtype:command-and-control; sid:2017526; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2013_09_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"vf4xdqg4mp3hnw5g"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022237; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:exploit-kit; sid:2017297; rev:6; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2013_08_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"wv55abv6bde65ek6"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022238; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2; metadata:created_at 2013_10_05, updated_at 2013_10_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (czc57cr2pn3zfn4b)"; dns_query; content:"czc57cr2pn3zfn4b"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022314; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
+#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET MALWARE Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (o7zeip6us33igmgw)"; dns_query; content:"o7zeip6us33igmgw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022315; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014229; rev:3; metadata:created_at 2012_02_16, former_category MALWARE, updated_at 2012_02_16;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (vr6g2curb2kcidou)"; dns_query; content:"vr6g2curb2kcidou"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022316; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:4; metadata:created_at 2013_10_23, former_category CURRENT_EVENTS, updated_at 2013_10_23;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; dns_query; content:"pc35hiptpcwqezgs"; depth:16; nocase; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_13, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:command-and-control; sid:2014266; rev:4; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2012_02_21;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xlowfznrg4wf7dli)"; dns_query; content:"xlowfznrg4wf7dli"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022561; rev:3; metadata:created_at 2016_02_23, updated_at 2019_09_03;)
+#alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5; metadata:created_at 2013_11_05, former_category CURRENT_EVENTS, updated_at 2013_11_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; dns_query; content:"yuwurw46taaep6ip"; depth:16; nocase; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:4; metadata:created_at 2013_11_06, updated_at 2013_11_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; dns_query; content:"voooxrrw2wxnoyew"; depth:16; nocase; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:command-and-control; sid:2007752; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PadCrypt .onion Payment Domain"; dns_query; content:"gnkltbsaeq35rejl"; depth:16; fast_pattern; nocase; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022569; rev:3; metadata:created_at 2016_02_26, updated_at 2019_09_03;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2; metadata:created_at 2013_11_14, former_category CURRENT_EVENTS, updated_at 2013_11_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maktub Locker Payment Domain"; dns_query; content:"bs7aygotd2rnjl4o"; depth:16; fast_pattern; nocase; reference:md5,74add6536cdcfb8b77d10a1e7be6b9ef; classtype:trojan-activity; sid:2022634; rev:3; metadata:created_at 2016_03_21, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3; metadata:created_at 2013_11_15, updated_at 2013_11_15;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns_query; content:"twbers4hmi6dc65f"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert icmp any any -> any any (msg:"ET MALWARE PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:command-and-control; sid:2017724; rev:3; metadata:created_at 2013_11_15, former_category MALWARE, updated_at 2013_11_15;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Coverton Onion Domain Lookup"; dns_query; content:"lnc57humvaxpqfv3"; depth:16; nocase; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022675; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:command-and-control; sid:2017728; rev:2; metadata:created_at 2013_11_20, former_category MALWARE, updated_at 2013_11_20;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xzjvzkgjxebzreap)"; dns_query; content:"xzjvzkgjxebzreap"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022711; rev:3; metadata:created_at 2016_04_06, updated_at 2019_09_03;)
+alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET MALWARE Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6; metadata:created_at 2013_11_16, updated_at 2013_11_16;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"5qgerbbyhdz5bwca"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022764; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS HTTP Target/EXE"; flow:from_server,established; file_data; content:"Z"; within:1; content:"PWh0dHA"; distance:2; within:9; pcre:"/^[a-z0-9\+\/]+={0,2}$/Rsi"; classtype:trojan-activity; sid:2017775; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"yycqx6ay5oedto5f"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022765; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:7; metadata:created_at 2013_11_27, updated_at 2013_11_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"j2pjkgrlaopysagn"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022766; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3; metadata:created_at 2011_09_02, updated_at 2011_09_02;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"i3e5y4ml7ru76n5e"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022767; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:3; metadata:created_at 2013_11_25, updated_at 2013_11_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"iabni66w5xvwawbe"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022768; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:targeted-activity; sid:2016451; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2013_02_20;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (hw5qrh6fxv2tnaqn)"; dns_query; content:"hw5qrh6fxv2tnaqn"; depth:16; fast_pattern; nocase; reference:url,nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/; classtype:trojan-activity; sid:2022806; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:exploit-kit; sid:2011544; rev:7; metadata:created_at 2010_09_27, former_category MALWARE, updated_at 2010_09_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (eqrvbczir5ua2emd)"; dns_query; content:"eqrvbczir5ua2emd"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022817; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:command-and-control; sid:2017891; rev:2; metadata:created_at 2013_12_20, former_category MALWARE, updated_at 2013_12_20;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns_query; content:"ajj3a7gfmgwmhhoz"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4; metadata:created_at 2013_12_24, former_category INFO, updated_at 2013_12_24;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"gccxqpuuylioxoip"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin (3)"; flow:established,to_server; content:"a="; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:command-and-control; sid:2007862; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"yuysikankhqvdwdv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET MALWARE Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:command-and-control; sid:2017922; rev:3; metadata:created_at 2014_01_03, former_category MALWARE, updated_at 2014_01_03;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (f5xraa2y2ybtrefz)"; dns_query; content:"f5xraa2y2ybtrefz"; depth:16; fast_pattern; nocase; reference:md5,5eeeeb093ee02d3769886880f8a58a90; classtype:trojan-activity; sid:2023247; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2; metadata:created_at 2014_01_17, former_category CURRENT_EVENTS, updated_at 2014_01_17;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns_query; content:"anbqjdoyw6wkmpeu"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023328; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive Response"; flow:to_server,established; dsize:<100; content:"pong|7c|"; depth:5; classtype:trojan-activity; sid:2017991; rev:6; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"6kaqkavhpu5dln6x"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023503; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3; metadata:created_at 2014_01_17, updated_at 2014_01_17;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"mvy3kbqc4adhosdy"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023504; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family XRatLocker, malware_family AiraCrop, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:"27c73bq66y4xqoh7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023578; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2018027; rev:2; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2014_01_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (goldenhjnqvc2lld)"; dns_query; content:"goldenhjnqvc2lld"; depth:16; fast_pattern; nocase; classtype:command-and-control; sid:2023584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2014_01_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (golden2uqpiqcs6j)"; dns_query; content:"golden2uqpiqcs6j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:command-and-control; sid:2018034; rev:1; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2014_01_29;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Popcorn-Time .onion Payment Domain (3hnuhydu4pd247qb)"; dns_query; content:"3hnuhydu4pd247qb"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023589; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5; metadata:created_at 2014_01_30, updated_at 2014_01_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Maktub .onion Payment Domain (maktubebz6z6cgtw)"; dns_query; content:"maktubebz6z6cgtw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023655; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 444 (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading DLL"; flow:to_server,established; content:"SIZE libcurl-4.dll|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018072; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE SHUJIN .onion Payment Page"; dns_query; content:"eqlc75eumpb77ced"; depth:16; fast_pattern; nocase; reference:md5,d59a27b1e0a46cc185f1937ca42f300a; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/; classtype:trojan-activity; sid:2022798; rev:4; metadata:created_at 2016_05_06, updated_at 2019_09_03;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert.FT.gen.Eldorado Downloading VBS"; flow:to_server,established; content:"SIZE explore.vbs|0d 0a|"; reference:md5,0f352448103f7d487e265220006a1c32; classtype:trojan-activity; sid:2018073; rev:2; metadata:created_at 2014_02_05, updated_at 2014_02_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"fmwdvmk2ejgbl5pi"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"hctppfblwfot6ces"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE FTP File Upload - BlackPOS Naming Scheme"; flow:established,to_server; content:"STOR "; depth:5; content:".txt"; pcre:"/data_\d{4}_\d{1,2}_\d{1,2}_\d{1,2}_\d{1,2}\.txt/"; reference:url,www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/; classtype:trojan-activity; sid:2018115; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"j24ojpexpgaorlxj"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop edc User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=edc|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018116; rev:1; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"lmhrmbouhkffosig"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023731; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Remote Desktop micros User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=micros|0d 0a|"; nocase; reference:url,intelcrawler.com/about/press08; classtype:protocol-command-decode; sid:2018124; rev:3; metadata:created_at 2014_02_12, updated_at 2014_02_12;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"neo73ruk6mprlmww"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023732; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A"; flow:established,to_server; content:"GIVEME|7c|"; reference:md5,dc7284b199d212e73c26a21a0913c69d; classtype:trojan-activity; sid:2018133; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"padcrympj5rvgwed"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023733; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1431 (msg:"ET MALWARE Win32/Tapazom.A 2"; flow:established,to_server; content:"GETSERVER|7c|"; reference:md5,030f3840d2729243280d3cea3d99d8e6; classtype:trojan-activity; sid:2018134; rev:1; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"qli26fihoid5qwo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023734; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic CnC"; flow:established,to_server; content:" Mini BackDoor|00|"; offset:9; depth:20; reference:md5,398b6622a2c86d472a4340d3e79e654b; classtype:command-and-control; sid:2018167; rev:1; metadata:created_at 2014_02_21, former_category MALWARE, updated_at 2014_02_21;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"r4i3izmyccncfrsr"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023735; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Trojan CnC 3"; flow:established,to_server; dsize:14; content:"Gh0st"; depth:5; reference:md5,6a814cacb0c4b464d85ab874f68a5344; classtype:command-and-control; sid:2018165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CryptoWall .onion Proxy Domain"; dns_query; content:"rq5w3yn6qgbu4mo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon"; flow:established,to_server; dsize:8; content:"PutToken"; depth:8; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018185; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; dns_query; content:"zbqxpjfvltb6d62m"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:4; metadata:created_at 2015_06_11, former_category TROJAN, updated_at 2019_09_03;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper Initial CnC Beacon Acknowledgement"; flow:established,to_client; dsize:12; content:"TokenRecived"; depth:12; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018186; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"mjs2bcdrttpmm7pp"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/FakeFlash.Dropper PutInformation CnC Beacon"; flow:established,to_server; dsize:18; content:"PutInformation_New"; depth:18; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018187; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"sloryvugp4abxnfu"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE W32/FakeFlash.Dropper GetInformation CnC Beacon Acknowledgement"; flow:established,to_client; dsize:14; content:"GetInformation"; depth:14; reference:md5,43839d131dff01e9b752d91c2c8f68a8; classtype:command-and-control; sid:2018188; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_02_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"u73tcilcw2cw2by5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024112; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.joggver backdoor initialization packet"; flow:established,to_server; dsize:32; content:"|03 01 74 80|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:14; within:14; classtype:trojan-activity; sid:2018189; rev:1; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"xijymvzq4zkyubfe"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024113; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|"; depth:20; pcre:"/^\d+?\x7cOnConnect\x7c/"; reference:url,doc.emergingthreats.net/2008908; reference:md5,3a7f11fbaf815cd2338d633de175e252; classtype:trojan-activity; sid:2008908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zmsr22fviy7kxihf"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024114; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkshell.A Checkin XOR C0 Win XP"; flow:to_server,established; dsize:<512; content:"|e0 e0 e0 e0 97 89 8e 84 8f|"; content:"|98 90 e0|"; distance:2; within:3; classtype:command-and-control; sid:2018229; rev:2; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2014_03_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zuotmsnm7vh2jx77"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024115; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hack.PcClient.g CnC (OUTBOUND) XOR b5"; flow:to_server,established; content:"|d0 cd d0 db d4 d8 d0|"; content:"|d9 da d2 dc db|"; distance:0; content:"|d1 da d6 d8 d1|"; distance:0; content:"|dd da c6 c1 db d4 d8 d0|"; fast_pattern; distance:0; content:"|c2 dc db d1 da c2 c6|"; distance:0; reference:md5,dfd6b93dac698dccd9ef565a172123f3; classtype:command-and-control; sid:2018154; rev:3; metadata:created_at 2014_02_19, former_category MALWARE, updated_at 2014_02_19;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zxungms47m6ecj7t"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024116; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE TDLv4 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|*.city.com"; distance:1; within:11; content:"|55 04 07|"; content:"|06|Cities"; distance:1; within:7; content:"|55 04 0a|"; content:"|0a|State Corp"; distance:1; within:11; classtype:trojan-activity; sid:2018256; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"cze2agbxnpkc5hdk"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024117; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Outbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018275; rev:8; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Cradle Ransomware Onion Domain"; dns_query; content:"pn6fsogszhqlxz4n"; depth:16; nocase; fast_pattern; reference:md5,53f6f9a0d0867c10841b815a1eea1468; classtype:trojan-activity; sid:2024205; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cradle, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE Linux/Onimiki DNS trojan activity long format (Inbound)"; byte_test:1,!&,128,2; content:"|00 01 00 00 00 00 00 00 38|"; offset:4; depth:9; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00\x01\x00\x01/Rsi"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018276; rev:6; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tor based locker .onion Proxy DNS lookup July 31 2014"; dns_query; content:"iet7v4dciocgxhdv"; depth:16; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_09_03;)
+#alert tcp any any -> any $SSH_PORTS (msg:"ET MALWARE Linux/Kimodin SSH backdoor activity"; flow:established,to_server; content:"SSH-2.0-"; depth:8; isdataat:22,relative; pcre:"/^[0-9a-f]{22,46}/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:trojan-activity; sid:2018264; rev:8; metadata:created_at 2014_03_13, updated_at 2014_03_13;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".velodrivve.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.velodrivve\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2012/09/the-story-behind-backdoorlv.html; classtype:command-and-control; sid:2017417; rev:9; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".bedrifg.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bedrifg\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:3; metadata:created_at 2014_01_28, updated_at 2014_01_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".fedbook.org"; fast_pattern; pcre:"/[a-z]{4,10}\.fedbook\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive (flowbit set)"; flow:established,to_server; dsize:2; content:"/P"; depth:2; flowbits:set,WinSpy.KeepAlive; flowbits:noalert; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; reference:md5,815576890789003a7575c2948508c6b1; classtype:trojan-activity; sid:2018291; rev:1; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2014_03_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".goodbird.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.goodbird\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022731; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MultiThreat/Winspy.RAT Keep-Alive Server Response"; flow:established,from_server; dsize:2; content:"/P"; depth:2; flowbits:isset,WinSpy.KeepAlive; threshold:type limit,count 2,track by_src,seconds 300; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018292; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".verekt.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.verekt\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"ET MALWARE MultiThreat/Winspy.RAT SMTP Data Exfiltration"; flow:established,to_server; content:"X-Mailer|3A| SysMon v1.0.0"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018293; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".barrout.org"; fast_pattern; pcre:"/[a-z]{4,10}\.barrout\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET MALWARE MultiThreat/Winspy.RAT FTP File Download Command"; flow:established,to_server; dsize:>0; content:"/CD |5C 5C 5C|"; depth:9; pcre:"/^(?:(?:PCACTIV|ONLIN)ETIME|WEBSITE[DS]|CHATROOM|KEYLOGS)/Ri"; reference:url,www.fireeye.com/blog/technical/2014/03/from-windows-to-droids-an-insight-in-to-multi-vector-attack-mechanisms-in-rats.html; classtype:trojan-activity; sid:2018294; rev:1; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".biojart.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.biojart\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022762; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety.com"; fast_pattern:only; classtype:trojan-activity; sid:2018319; rev:1; metadata:created_at 2014_03_25, former_category CURRENT_EVENTS, updated_at 2014_03_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".benefin.org"; fast_pattern; pcre:"/[a-z]{4,10}\.benefin\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc"; flow:established,to_server; content:"/page_"; content:"Cookie|3a 20|XX=0|3b 20|BX=0"; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,aaf73666cbd750ed22b80ed836d2b1e4; classtype:trojan-activity; sid:2018320; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Fake AV Phone Scam Long Domain Sept 15 2016"; dns_query; content:"issuefound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2023237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_08_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Bozok.RAT checkin"; flow:to_server; content:"|00 00 00|"; offset:1; depth:4; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:32; content:"|00 7C 00|"; within:64; content:"|00 7C 00|"; within:12; content:"|00 7C 00|"; within:5; content:"|00 7C 00|0|00 7c 00|2|00|"; within:32; reference:md5,a45d3564d1fa27161b33712f035a5962; reference:url,www.fireeye.com/blog/technical/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html; classtype:command-and-control; sid:2018325; rev:3; metadata:created_at 2014_03_26, former_category MALWARE, updated_at 2014_03_26;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M2 Feb 29"; dns_query; content:"errorcode"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022576; rev:4; metadata:created_at 2016_03_01, former_category WEB_CLIENT, updated_at 2019_08_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; nocase; pcre:"/^\S{2,3}\x7c\S+?[au]\x7D\w{2,11}\x0d?\x0a/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:4; metadata:created_at 2013_04_18, updated_at 2013_04_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 15"; dns_query; content:"suspiciousactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022625; rev:4; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M1"; dns_query; content:"errorunauthorized"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022631; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|kionic.com"; distance:1; within:11; nocase; reference:url,blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html; classtype:trojan-activity; sid:2018351; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M2"; dns_query; content:"drivercrashed"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022632; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key="; http_uri; content:"&key2=download"; http_uri; classtype:trojan-activity; sid:2018352; rev:2; metadata:created_at 2014_04_03, former_category CURRENT_EVENTS, updated_at 2014_04_03;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M3"; dns_query; content:"computer-is-locked"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022633; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Goldun Reporting User Activity 2"; flow:established,to_server; content:"?phid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&nn="; nocase; http_uri; content:"User-Agent|3a| z|0d 0a|"; http_header; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; classtype:trojan-activity; sid:2002780; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 23"; dns_query; content:"unauthorized-transaction"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022648; rev:4; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"NetScafe"; http_user_agent; depth:8; reference:url,doc.emergingthreats.net/2003641; classtype:trojan-activity; sid:2003641; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M1"; dns_query; content:"diskissue"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022690; rev:4; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:command-and-control; sid:2012865; rev:11; metadata:created_at 2010_12_22, former_category MALWARE, updated_at 2010_12_22;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M3 Feb 29"; dns_query; content:"yourcomputer"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022739; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Hacktool.Sniffer Successful Install Message"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013199; rev:5; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M1"; dns_query; content:"unusualactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022740; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 1"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"M1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018059; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M2"; dns_query; content:"yoursystem"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022741; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 2"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018060; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M3"; dns_query; content:"howcanwehelp"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022742; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 3"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Mh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018061; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M4"; dns_query; content:"bluescreen"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022743; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 4"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Ml"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018062; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M5"; dns_query; content:"cloud-on"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022744; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 5"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"T1"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018063; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M6"; dns_query; content:"call-now"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022745; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 6"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tf"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018064; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET DNS DNS Lookup for localhost.DOMAIN.TLD"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|09|localhost"; fast_pattern; nocase; classtype:bad-unknown; sid:2011802; rev:6; metadata:created_at 2010_10_13, updated_at 2019_09_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 7"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Th"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018065; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d)"; dns_query; content:"v7lfogalalzc2c4d"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020953; rev:4; metadata:created_at 2015_04_21, updated_at 2019_09_03;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 8"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"Tl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018066; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish (set) 2016-09-12"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Email="; depth:6; nocase; http_client_body; content:"&Next=Next"; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.GmailPhish_1; flowbits:noalert; classtype:credential-theft; sid:2027956; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 9"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sh"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018067; rev:3; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:credential-theft; sid:2020224; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA Encoded Data Transferred Over SMB 10"; flow:to_server,established; flowbits:isset,ET.kaptoxa; content:"SMB"; content:"sl"; fast_pattern; distance:0; pcre:"/^[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])[a-zA-Z0-9/]{2}(?:M[1fhl]|T[1fhl]|s[hl])/R"; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018068; rev:2; metadata:created_at 2014_02_04, updated_at 2014_02_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic XBALTI Phishing Landing"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 7c 20 20 20 20 5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f 20 2d 2d 3e|"; fast_pattern; classtype:social-engineering; sid:2027966; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Server Check-in Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00 00 00|"; content:"|40 00 00 00 00|"; distance:1; within:6; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018130; rev:3; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2019_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trojan-Gypikon Sending Data"; flow:established,to_server; content:"@"; pcre:"/^(?:x(?:86|64)@)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; content:" OS|3a 20|Win"; within:8; content:" CPU|3a|"; distance:0; content:"Hz|2c|RAM|3a|"; distance:0; reference:md5,f27bf471d2f2c0a76331d25fc4761e10; reference:md5,792b725b6a2a52e4eecde846b39eea7d; classtype:trojan-activity; sid:2018129; rev:4; metadata:created_at 2014_02_13, updated_at 2014_02_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET"; http_method; content:"/stat/tuk/"; http_uri; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014758; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2012_05_16;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AcroCEF"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027975; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,f6e1583aca310c4c0d55db1dae942b2b; classtype:trojan-activity; sid:2014759; rev:4; metadata:created_at 2012_05_16, updated_at 2012_05_16;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, former_category EXPLOIT, performance_impact Significant, updated_at 2019_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET MALWARE Gh0st_Apple Checkin"; flow:to_server,established; content:"GET"; http_method; content:".gif?pid"; fast_pattern; content:"&v="; content:"Mozilla/4.0("; http_user_agent; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,82644661f6639c9fcb021ad197b565f7; classtype:command-and-control; sid:2017412; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (b)"; ja3_hash; content:"e4adf57bf4a7a2dc08e9495f1b05c0ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027977; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|55 60 67 6c 69 70 9a|"; offset:8; depth:7; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,4f0d365408b439eb9aaf0b2352abb662; classtype:command-and-control; sid:2018390; rev:1; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2014_04_16;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AIM"; ja3_hash; content:"49a6cf42956937669a01438f26e7c609"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027978; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE CryptoDefense DNS Domain Lookup"; content:"|10|rj2bocejarqnpuhm"; nocase; pcre:"/^[^\x00]+?\x00/Rs"; classtype:trojan-activity; sid:2018397; rev:3; metadata:created_at 2014_04_16, updated_at 2014_04_16;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"0bb402a703d08a608bf82763b1b63313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027979; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BitCrypt Ransomware Domain"; flow:established,to_server; content:"bitcrypt.cc"; nocase; http_header; pcre:"/Host\x3a\x20(?:[^\r\n]+\.)?bitcrypt\.cc(?:\x3a\d{1,5})?\r\n/Hmi"; classtype:trojan-activity; sid:2018400; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_04_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AirCanada Android App"; ja3_hash; content:"d5169d6e19447685bf6f1af8c055d94d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027980; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.avan"; flow:to_server,established; content:"mac="; http_uri; content:"&hdid="; http_uri; content:"&wlid="; http_uri; fast_pattern:only; content:"&start="; http_uri; content:"&os="; http_uri; content:"&mem="; http_uri; content:"&alive="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2011236; classtype:trojan-activity; sid:2011236; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Airmail 3"; ja3_hash; content:"561145462cfc7de1d6a97e93d3264786"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027981; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wapomi.AD Variant Checkin"; flow:established,to_server; content:"/passport.asp?ID="; http_uri; content:"&fn="; http_uri; content:"&Var="; http_uri; reference:md5,37ab252df52f5e1a46b3b40e9afb40c0; classtype:command-and-control; sid:2013720; rev:5; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Alation Compose"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027982; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSW.Win32.Ruftar.lon File Stealer FTP File Upload"; flow:established,to_server; content:"CWD Stealer"; classtype:trojan-activity; sid:2013346; rev:4; metadata:created_at 2011_08_02, updated_at 2011_08_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music"; ja3_hash; content:"6003b52942a2e1e1ea72d802d153ec08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027983; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ftpchk3.php possible upload success"; flow:to_client,established; content:"|0d 0a|150 "; content:"ftpchk3.php|0d 0a|226 "; distance:0; nocase; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018417; rev:3; metadata:created_at 2014_04_24, updated_at 2014_04_24;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Amazon Music,Dreamweaver,Spotify"; ja3_hash; content:"eb149984fc9c44d85ed7f12c90d818be"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027984; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,c6d256edcc8879717539f348706061f2; reference:md5,8f17e2a9e7c6cbec772ae56dfffb13cb; classtype:command-and-control; sid:2014272; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android App"; ja3_hash; content:"662fdc668dd6af994a0f903dbcf25d66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027985; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cutwail.BE Checkin 1"; flow:established,from_client; dsize:234; content:"|16 03 00 00 37 01 00 00 33 03 00|"; depth:11; threshold: type limit, track by_src, seconds 60, count 1; reference:md5,4352407efc8891215b514a54db5b8a1d; reference:md5,45ab3554f3d60d07fc5228faff7784e1; classtype:command-and-control; sid:2014271; rev:3; metadata:created_at 2012_02_22, former_category MALWARE, updated_at 2012_02_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Google API Access"; ja3_hash; content:"515601c4141e718865697050a7a1765f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027986; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Backdoor.Win32.RShot Ping Outbound"; icode:0; itype:8; icmp_id:512; dsize:32; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; reference:md5,34477e29f7408966d2703f3471741618; reference:md5,adf4c3a16f5f6d4baa634b2c50bf7454; classtype:trojan-activity; sid:2014270; rev:3; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"1aab4c2c84b6979c707ed052f724734b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027987; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download April 28 2014"; flow:established,from_server; file_data; content:"|ff d1 4e 8d|"; within:4; classtype:trojan-activity; sid:2018422; rev:3; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"25b72c88f837567856118febcca761e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027988; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/abc.php"; http_uri; fast_pattern; content:"User-Agent|3A 20|Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; http_header; content:"ABC="; http_client_body; depth:4; content:"&XRE="; http_client_body; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:command-and-control; sid:2014356; rev:5; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2012_03_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"5331a12866e19199b363f6e903381498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027989; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"ID="; http_uri; content:"User-Agent|3a 20 5c 0d 0a|"; pcre:"/ID=\d{24}($|&)/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2011_10_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"855953256ecc8e2b6d2360aff8e5d337"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027990; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Adium 1.5.10 (a)"; ja3_hash; content:"93948924e733e9df15a3bb44404cd909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027976; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_09, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"85bb8aa8e5ba373906348831bdbed41a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027991; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Unrecom Download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Unrecom"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018466; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Android Webkit Thing"; ja3_hash; content:"99d8afeec9a4422120336ad720a5d692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027992; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Activity"; flow:established,to_server; content:"|c3 b8 ba ab a0 bc b0 b1 c1 7c|"; depth:10; content:"|7c|N|7c|"; within:200; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018467; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AnypointStudio"; ja3_hash; content:"8e3f1bf87bc652a20de63bfd4952b16a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2027993; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PandoraRat/Refroso.bsp Directory Listing Sent To Server"; flow:established,to_server; content:"|7C|DIR#0#bin|7C|DIR#0"; reference:md5,9972e686d36f1e98ba9bb82b5528255a; classtype:trojan-activity; sid:2018468; rev:4; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Push Notification System, apple.WebKit.Networking,CalendarAgent,Go for Gmail"; ja3_hash; content:"d4693422c5ce1565377aca25940ad80c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027994; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_16, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight Search (OSX)"; ja3_hash; content:"3e404f1e1b5a79e614d7543a79f3a1da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027995; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel"; flow:established,to_server; content:"USER ass localhost localhost"; nocase; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018482; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"69b2859aec70e8934229873fe53902fd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027996; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2"; flow:established,to_server; content:"PASS eYmUrmyAfG"; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018483; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"6b9b64bbe95ea112d02c8812fc2e7ef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027997; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Zendran ELF IRCBot Server Banner"; dsize:>14; flow:established,from_server; content:"|3a|Hell.Network|0d 0a|"; depth:15; reference:url,blog.malwaremustdie.org/2014/05/threat-analysis-zendran-elf-ddos-scheme.html; reference:url,capsop.com/lightaidra-cc-investigation/; classtype:trojan-activity; sid:2018484; rev:2; metadata:created_at 2014_05_19, updated_at 2014_05_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple Spotlight"; ja3_hash; content:"e5e4c0eeb02fdcf30af8235b4de07780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027998; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET MALWARE .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2014_05_21, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple SpotlightNetHelper (OSX)"; ja3_hash; content:"97827640b0c15c83379b7d71a3c2c5b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2027999; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert May 20 2014"; flow:established,from_server; content:"|11|www.myparadis.com"; reference:md5,ba7debd3ff51356135866a76116f595b; reference:md5,8a49c032efb6aa3a347a173d196a8bcb; classtype:trojan-activity; sid:2018492; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Apple usbmuxd iOS socket multiplexer"; ja3_hash; content:"47e42b00af27b87721e526ff85fd2310"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028000; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouder.Header; file_data; content:"MZ"; within:2; byte_jump:4,60,little,from_beginning; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2018464; rev:4; metadata:created_at 2014_05_13, former_category MALWARE, updated_at 2014_05_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"5507277945374659a5b4572e1b6d9b9f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028001; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre Compromised Site hot-buys"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|hot-buys.org"; distance:1; within:14; nocase; reference:md5,bad758023d2e3cc17b61423720cdb5b7; classtype:trojan-activity; sid:2018506; rev:1; metadata:created_at 2014_05_29, updated_at 2014_05_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod"; ja3_hash; content:"f753495f2eab5155c61b760c838018f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028002; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET MALWARE TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2014_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.geod/parsecd,apple.photomoments"; ja3_hash; content:"ba40fea2b2638908a3b3b482ac78d729"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028003; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"474e73aea21d1e0910f25c3e6c178535"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028004; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda 3PARA RAT initial beacon"; flow:established,to_server; content:"|c4 65 f1 b3 cf a5 7e e2 c0 1a d4 7f 78 46 26 b5 86 15 f9 34 9c 3d 67 84 6a 48 aa df dc 30 60 24|"; depth:2000; reference:url,resources.crowdstrike.com/putterpanda/; classtype:trojan-activity; sid:2018555; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_06_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking"; ja3_hash; content:"eeeb5e7485f5e10cbc39db4cfb69b264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028005; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Crafted Request"; flow:established,from_server; content:"|4d 00 02 02 00|"; depth:5; fast_pattern; content:"/"; distance:4; within:5; content:" HTTP/1."; distance:0; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018616; rev:1; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2014_06_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Chatter/FieldServiceApp/socialstudio"; ja3_hash; content:"63de2b6188d5694e79b678f585b13264"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028006; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (bot is ready to start receiving commands)"; flow:established,from_server; dsize:4; flowbits:isset,ET.Tesch; content:"|05 00 01 01|"; depth:4; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018626; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/itunesstored"; ja3_hash; content:"7b343af1092863fdd822d6f10645abfb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028007; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port) 2"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|04 00 06|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018625; rev:5; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2014_07_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - apple.WebKit.Networking/Spotify/WhatsApp/Skype/iTunes"; ja3_hash; content:"a312f9162a08eeedf7feb7a13cd7e9bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028008; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (OK acknowledgement)"; flow:established,to_server; flowbits:isset,ET.Tesch; dsize:3; content:"|0a 00 00|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018622; rev:6; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"1a6ef47ab8325fbb42c447048cea9167"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028009; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command (Proxy command)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:28; content:"|09 00 19|"; depth:3; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:trojan-activity; sid:2018623; rev:5; metadata:created_at 2014_07_02, updated_at 2014_07_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/533.1 (KHTML like Gecko) Version/4.0 Mobile Safari/533.1"; ja3_hash; content:"b677934e592ece9e09805bf36cd68d8a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028010; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE TrojanSpy.Win32/Banker.AMB SQL Checkin"; flow:established,to_server; content:"I|00|N|00|S|00|E|00|R|00|T"; content:"I|00|N|00|T|00|O"; distance:0; content:"B|00|R|00|O|00|W|00|S|00|E|00|R|00|L|00|O|00|G|00|U|00|S|00|B|00|"; reference:md5,dd141287cb45a2067592eeb9d3aa7162; classtype:command-and-control; sid:2018645; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2014_07_07;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30 (KHTML like Gecko) Version/4.0 Safari & Safari Mobile/534.30, AppleWebKit/534.30"; ja3_hash; content:"ef323f542a99ab12d6b5348bf039b7b4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028011; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 999servers.com"; flow:established,to_client; content:"|55 04 03|"; content:"|10|*.999servers.com"; distance:1; within:17; reference:md5,b9ffad739bb47a0e4619b76af51d9a74; classtype:trojan-activity; sid:2018647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.30"; ja3_hash; content:"e1e03b911a28815836d79c5cdd900a20"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028012; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Upatre SSL Cert July 7 2014"; flow:established,from_server; content:"|16 03 00|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"smalbach2424@hotmail.com"; distance:2; within:24; reference:md5,52084660d2ae0ee8f033621a9252cfb9; classtype:trojan-activity; sid:2018651; rev:1; metadata:attack_target Client_Endpoint, created_at 2014_07_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46 Mobile/9A334"; ja3_hash; content:"04e1f90d8719caabafb76d4a7b13c984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028013; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus P2P Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2014_07_11;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/534.46, iOS AppleWebKit/534.46"; ja3_hash; content:"dc08cf4510f70bf16d4106ee22f89197"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028014; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/535 & Ubuntu Product Search"; ja3_hash; content:"4049550d5f57eae67d958440bdc133e4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028015; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert new-install.privatedns.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|1a|new-install.privatedns.com"; distance:1; within:27; fast_pattern; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|1e|ssl@new-install.privatedns.com"; distance:1; within:31; reference:md5,280a3a944878d57bc44ead271a0cc457; classtype:trojan-activity; sid:2018672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12 or 600.1.4"; ja3_hash; content:"ef75a13be2ed7a82f16eefe6e84bc375"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028016; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert July 14 2014"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|groberts.com.au"; distance:1; within:16; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|info@dctreasure.com"; distance:1; within:20; reference:md5,9f48eb74687492978259edb8f79ac397; classtype:trojan-activity; sid:2018673; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AppleWebKit/600.7.12"; ja3_hash; content:"eaa8a172289b09a6789a415d1faac4c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028017; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert faithmentoringandmore.com"; flow:established,to_client; content:"|55 04 03|"; content:"|1d|www.faithmentoringandmore.com"; distance:1; within:31; reference:md5,b5df3ba04c987692929f35d9c64e0c0d; classtype:trojan-activity; sid:2018674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - AT&T Connect"; ja3_hash; content:"c5c11e6105c56fd29cc72c3ac7a2b78b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028018; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DDoS bot Antiq IRC"; flow:established,to_server; content:"PRIVMSG|20|#"; content:"status checking progam online"; within:60; reference:url,deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2018675; rev:1; metadata:created_at 2014_07_14, updated_at 2014_07_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (git library?) (Tested v1.6.21.0)"; ja3_hash; content:"42215ee83bbf3a857a72ef42213cfbd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028019; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Atlassian SourceTree (Tested v1.6.21.0)"; ja3_hash; content:"1c8a17e58c20b49e3786fc61e0533e50"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028020; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_17, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #1"; ja3_hash; content:"4e5e5d9fbc43697be755696191fe649a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028021; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.newdomaininfo.ru"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018692; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - atom.io #2"; ja3_hash; content:"c94858c6eb06de179493b3fac847143e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028022; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|duosecure.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018696; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator (Mystery 3rd) (37.0.2062.99) (OS X)"; ja3_hash; content:"58360f4f663a0f5657f415ac2f47fe1b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028023; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|11|bloggershop.co.vu"; distance:1; within:19; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018494; rev:2; metadata:attack_target Client_and_Server, created_at 2014_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Aviator Updates"; ja3_hash; content:"5149f53b5554a31116f9d86237552ee3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028024; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert twitterbacklinks.com"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.twitterbacklinks.com"; distance:1; within:25; reference:md5,4cb5a748416b9f03d875245437344177; classtype:trojan-activity; sid:2018758; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Battle.net/Dropbox"; ja3_hash; content:"fa030dbcb2e3c7141d3c2803780ee8db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028025; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Serial Number in SSL Cert"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f4 4b cc 89 9e b7 45 a8|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:md5,55f8682aab1089b68a8a391b927d7a74; classtype:trojan-activity; sid:2018759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - bitgo/ShapeShift"; ja3_hash; content:"0ef9ca1c10d3f186f5786e1ef3461a46"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028026; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|sslbl.abuse.ch"; distance:1; within:15; content:"|1b|we_love_selfsigned@abuse.ch"; distance:0; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018767; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Browser (Tested BB10)"; ja3_hash; content:"add211c763889c665ae4ab675165cbc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028027; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious SSL Cert With Script Tags"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"<script>"; content:"</script>"; distance:0; content:"|55 04 03|"; reference:md5,73705a4a8b03e5f866fac821aaec273a; classtype:domain-c2; sid:2018768; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlackBerry Mail Client"; ja3_hash; content:"a921515f014005af03fc1e2c4c9e66ce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028028; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry Messenger (Android) 2"; ja3_hash; content:"4692263d4130929ae222ef50816527ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028029; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cactussports.com"; distance:1; within:17; reference:md5,fe557165290ae68b768591eb746fa1c5; classtype:trojan-activity; sid:2018777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackberry"; ja3_hash; content:"b5d42ca0e68a39d5c0a294134a21f020"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028030; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.yellowdevilgear.com"; distance:1; within:24; reference:md5,2def687d8159d7859e86855b6c4a20c8; classtype:trojan-activity; sid:2018778; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Blackbery Messenger (Android)"; ja3_hash; content:"32b0ae286d1612c82cad93b4880ee512"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028031; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|www.michaelswinecellar.com"; distance:1; within:27; reference:md5,c9869431ad760912a553a63266173442; classtype:trojan-activity; sid:2018779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlueCoat Proxy"; ja3_hash; content:"5182f54f9c6e99d117d9dde3fa2b4cff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028032; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|migsparkle.com"; distance:1; within:15; reference:md5,bc74dd7e0350ad7ad8f75ca0de6fb9dc; classtype:trojan-activity; sid:2018780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BlueJeans,CEPHtmlEngine"; ja3_hash; content:"cdec81515ccc75a5aa41eb3db22226e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028033; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|0d|fuck@abuse.ch"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018745; rev:4; metadata:attack_target Client_and_Server, created_at 2014_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Ahrefs, hola_svc"; ja3_hash; content:"5c1c89f930122bccc7a97d52f73bea2c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028034; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: GoogleBot"; ja3_hash; content:"a1cb2295baf199acf82d11ba4553b4a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028035; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.1stopmall.us"; distance:1; within:17; reference:md5,b833914b8171bc8f400b41449c3ef06b; classtype:trojan-activity; sid:2018791; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_28, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BOT: Qwant"; ja3_hash; content:"706567223fbf37d112fba2d95b8ecac3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028036; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.KLPROXY Checkin via SMTP"; flow:to_server,established; content:"Subject|3a|"; content:"C-H-E-G-O A-V-I-S-O! |2e 3a 3a|Infect|3a 3a 2e|"; distance:5; within:33; reference:md5,422ce789b284eb5aa32124a6bbe86000; classtype:command-and-control; sid:2018798; rev:2; metadata:created_at 2014_07_29, former_category MALWARE, updated_at 2014_07_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BrowserShots Script"; ja3_hash; content:"01aead19a1b1780978f732e056b183a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028037; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Browsershots"; ja3_hash; content:"a4dc1c39a68bffec1cc7767472ac85a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028038; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|fxbingpanel.fareexchange.co.uk"; distance:1; within:31; reference:md5,3c4e0c0e4dbe2bf0e4d3ca825b95209c; classtype:trojan-activity; sid:2018803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"93fbcdadc1bf98ff0e3c03e7f921edd1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028039; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|11|66h.66hosting.net"; distance:1; within:18; reference:md5,f9c0bc6e8c08acbe520df0ab6efcd962; classtype:trojan-activity; sid:2018804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (1.6.01)"; ja3_hash; content:"c3ca411515180e79c765dc2c3c8cea88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028040; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|businesswebstudios.com"; distance:1; within:23; reference:md5,b8ca6c78deeb448421073a65f708c34e; classtype:trojan-activity; sid:2018805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"15617351d807aa3145547d0ad0c976cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028041; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (tested: 1.6.32 Kali)"; ja3_hash; content:"34f8cac266d07bfc6bd3966e99b54d00"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028042; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.senorwooly.com"; distance:1; within:19; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - BurpSuite Free (Tested: 1.7.03 on Windows 10), eclipse,JavaApplicationStub,idea"; ja3_hash; content:"8c5a50f1e833ed581e9cfc690814719a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028043; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Candy Crush (testing iOS 8.3)"; ja3_hash; content:"17a40616b856ec472714cd144471e0e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028044; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|badsokspad.in"; distance:1; within:14; reference:md5,c4fe829fc49bb9efec92fe4a8a5d29fc; classtype:domain-c2; sid:2018852; rev:2; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Charles/java/eclipse"; ja3_hash; content:"424008725394c634a4616b8b1f2828a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028045; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|chinasemservice.com"; distance:1; within:20; reference:md5,c2ecc111018491cee3853e2c93472bb9; classtype:trojan-activity; sid:2018868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Choqok 1.5 (KDE 4.14.18 Qt 4.8.6 on OpenSUSE 42.1)"; ja3_hash; content:"64bb259b446fe13f66bcd62d1f0d33df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028046; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; distance:1; within:23; reference:md5,b5b97b4da688aaa6ddbdb6a6e567ffba; classtype:trojan-activity; sid:2018870; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (iOS)"; ja3_hash; content:"bec8267042d5885aa3acc07b4409cafc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028047; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Possible 41.x)"; ja3_hash; content:"d54a0979516e607a1166e6efd157301c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028048; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #1"; ja3_hash; content:"ac67a2d0e3bd59459c32c996b5985979"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028049; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Command Prompt OUTBOUND"; flow:established,to_server; content:"Microsoft Windows"; content:"[Version|20|"; distance:0; pcre:"/^\d\.\d\.\d{4}\]\r\n\(C\)\x20Copyright\x20\d{4}(\x2d\d{4})?\x20Microsoft Corp(:?\.|oration)/Ri"; content:"|0d 0a 0d 0a|C|3a 5c 3e|"; fast_pattern; distance:0; isdataat:!2,relative; classtype:trojan-activity; sid:2018885; rev:2; metadata:created_at 2014_08_04, updated_at 2014_08_04;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #2"; ja3_hash; content:"34dfce2bb848da7c5dafa4d475f0ba41"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028050; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitcoinMiner C2 SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.webanalyticsystem.com"; distance:1; within:26; reference:url,www.malware-traffic-analysis.net/2014/07/28/index.html; classtype:coin-mining; sid:2018896; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Coinminer, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #3"; ja3_hash; content:"937edefedb6fe13f26d1a425ef1c15a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028051; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #4"; ja3_hash; content:"a342d14afad3a448029ec808295ccce9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028052; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRISM Backdoor"; content:"PRISM v"; pcre:"/^\d+?\.\d+?\sstarted/R"; classtype:trojan-activity; sid:2017314; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (Tested: 47.0.2526.XX & 48.XX (64-bit)) #5"; ja3_hash; content:"71e74faaed87acd177bd3b47a543f476"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028053; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,to_client; content:"|55 04 03|"; content:"|12|alohafriends12.com"; distance:1; within:19; reference:md5,9c98ef776a651cc4269acde3755d3a5a; classtype:domain-c2; sid:2018935; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"1d64ab25ad6f7258581d43077147b9b1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028054; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoWall C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1f|kpai7ycr7jxqkilp.totortoweb.com"; distance:1; within:32; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018939; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"230018e44608686b64907360b6def678"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028055; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ClickFraud Trojan Socks5 Connection"; flow:to_server,established; content:"socks5init|3a|"; depth:11; threshold: type limit,track by_src, count 1, seconds 300; flowbits:set,ET.2018855; reference:md5,2a0e042fdb2d85c2abf8bd35499ee1aa; reference:md5,c4d3db0eadc650372225d0093cd442ba; reference:md5,4c1f7c4f6d00869a6fca9fdcbadc9633; classtype:trojan-activity; sid:2018855; rev:2; metadata:created_at 2014_07_30, updated_at 2014_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome (tested: Version 46.0.2490.86 (64-bit) - OS X)"; ja3_hash; content:"dea05e8c68dfeb28003f21d22efc0aba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028056; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ClickFraud Trojan Socks5 Init Response"; flow:established,from_server; flowbits:isset,ET.2018855; dsize:6<>9; content:"|fe|"; depth:1; content:"|1f|"; distance:4; within:1; reference:md5,de31e17ff4b3791c92a93b72d779e61f; classtype:trojan-activity; sid:2018941; rev:2; metadata:created_at 2014_08_14, updated_at 2014_08_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 10, Chrome 10.0.648.82 (Chromium Portable 9.0)"; ja3_hash; content:"62351d5ea3cd4f21f697965b10a9bbbe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028057; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|koskoskos11.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018942; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 11 - 18, Chrome 11.0.696.16 - 18.0.1025.33  Chrome 11.0.696.16 (Chromium Portable 9.2)"; ja3_hash; content:"a9da823fe77cd3df081644249edbf395"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028058; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|atspotfto.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018943; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 19 - 20, Chrome 19.0.1084.15 - 20.0.1132.57, Chrome 21.0.1180.89, Chrome 22.0.1229.96 - 23.0.1271.64 Safari/537.11"; ja3_hash; content:"df4a50323dfcaf1789f72e4946a7be44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028059; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.securessl.in"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018944; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 22.0.1201.0, Chrome/22.0.1229.96"; ja3_hash; content:"3c8cb61208e191af38b1fbef4eacd502"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028060; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|zao-sky.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018947; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 24.0.1312.57 - 28.0.1500.72 Safari/537.36"; ja3_hash; content:"1ef061c02d85b7e2654e11a9959096f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028061; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c|"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018963; rev:2; metadata:created_at 2014_08_19, former_category CURRENT_EVENTS, updated_at 2014_08_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 26.0.1410.43-27.0.1453.110 Safari/537.31"; ja3_hash; content:"89d37026246d4888e78e69af4f8d1147"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028062; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE downloaded malicious SSL certificate (CZ Solutions)"; flow:established,to_client; flowbits:isset,ET.http.binary; file_data; content:"|43 5a 20 53 6f 6c 75 74 69 6f 6e 20 43 6f 2e 2c 20 4c 74 64 2e|"; reference:url,www.fireeye.com/blog/technical/2014/07/the-little-signature-that-could-the-curious-case-of-cz-solution.html; classtype:domain-c2; sid:2018748; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.0"; ja3_hash; content:"206ee819879457f7536d2614695a5029"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028063; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE LDPinch SMTP Password Report with mail client The Bat!"; flow:established,to_server; content:"X-Mailer|3a| The Bat!"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; reference:url,doc.emergingthreats.net/2008411; classtype:trojan-activity; sid:2008411; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"76d36fc79db002baa1b5e741fcd863bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028064; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hoic.zip retrieval"; flow:from_server,established; file_data; content:"Hoic/buttons2/PK"; content:"Hoic/buttons2/buttons.rar"; distance:0; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018976; rev:3; metadata:created_at 2014_08_21, updated_at 2014_08_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 29.0.1547.62"; ja3_hash; content:"bbc3992faa92affc0d835717ea557e99"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028065; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Machete FTP activity"; flow:established,to_server; content:"CWD |2e 2e 2f|KeyLog_History"; depth:21; classtype:trojan-activity; sid:2018980; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.0.0"; ja3_hash; content:"dc3eaee99a9221345698f8a8b2f4fc3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028066; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; fast_pattern; within:20; reference:md5,37207835e128516fe17af3dacc83a00c; reference:md5,e7d9bc670d69ad8a6ad2784255324eec; classtype:command-and-control; sid:2016913; rev:5; metadata:created_at 2011_05_17, former_category MALWARE, updated_at 2011_05_17;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 30.0.1599.101"; ja3_hash; content:"53c7ed581cbaf36951559878fcec4559"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028067; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Info Stealer - HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Type|3a| multipart/form-data|3b| boundary|3d|"; nocase; content:"name=\"id\"|0d 0a|"; nocase; content:"name=\"upt\"|0d 0a|"; nocase; content:"name=\"mode\"|0d 0a|"; nocase; content:"name=\"version\"|0d 0a|"; nocase; content:"name=\"cpu\"|0d 0a|"; nocase; fast_pattern; content:"name=\"ram\"|0d 0a|"; nocase; content:"name=\"os\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009470; classtype:trojan-activity; sid:2009470; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.57 & 32.0.1700.76 Safari/537.36"; ja3_hash; content:"fb8a6d2441ee9eaee8b560d48a8f59df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028068; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1023: (msg:"ET MALWARE Turkojan C&C nxt Command (nxt)"; flow:established,from_server; dsize:3; content:"nxt"; depth:3; reference:url,doc.emergingthreats.net/2008029; classtype:command-and-control; sid:2008029; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 31.0.1650.63"; ja3_hash; content:"f7c4dc1d9595c27369a183a5df9f7b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028069; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows systeminfo Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Host Name|3a|"; content:"OS Name|3a|"; content:"OS Version|3a|"; content:"OS Manufacturer|3a|"; content:"Microsoft Corporation"; distance:0; content:"OS Configuration|3a|"; content:"OS Build Type|3a|"; content:"Registered Owner|3a|"; content:"Registered Organization|3a|"; content:"Product ID|3a|"; content:"Original Install Date|3a|"; content:"System Up Time|3a|"; content:"System Manufacturer|3a|"; content:"System Model|3a|"; content:"System type|3a|"; content:"Processor|28|s|29 3a|"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019002; rev:1; metadata:created_at 2014_08_26, updated_at 2014_08_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"16d7ebc398d772ef9969d2ed2a15f4c0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028070; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 b8 68 97 9e dc 1f a8 cc|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|local.domain"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019009; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.117"; ja3_hash; content:"f3136cf565acf70dd2f98ca652f43780"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028071; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Vipdataend C&C Traffic - Status OK (variant 2)"; flowbits:isset,ET.vipdataend; flow:established,to_server; dsize:1; content:"1"; depth:1; reference:url,doc.emergingthreats.net/2009026; classtype:command-and-control; sid:2009026; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 33.0.1750.154"; ja3_hash; content:"af0ae1083ab10ac957e394c2e7ec4634"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028072; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Checkin Response"; flow:established,to_client; content:"|a5 46 da 53 0a 00 68 00 65 00 6c 00 6c 00 6f|"; offset:4; depth:15; reference:md5,b61145a54698753cecf8748359c9d81e; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018596; rev:3; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2014_06_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"4807d61f519249470ebed0b633e707cf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028073; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:command-and-control; sid:2008358; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 34.0.1847.116 & 35.0.1916.114 Safari/537.36"; ja3_hash; content:"ef3364da4d76c98a669cb828f2e5283a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028074; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Srizbi requesting template"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"|0d0a|X-Flags|3a20|"; within:200; content:"|0d0a|X-TM|3a20|"; within:20; content:"|0d0a|X-BI|3a20|"; within:20; reference:url,www.secureworks.com/research/threats/ronpaul/; reference:url,doc.emergingthreats.net/2007712; classtype:trojan-activity; sid:2007712; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 & 37.0.2062.102 Safari/537.36"; ja3_hash; content:"5b348680dec77f585cfe82513213ac3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028075; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Universal1337 FTP Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007967; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 36.0.1985.125 - 40.0.2214.93 Safari/537.36"; ja3_hash; content:"52be6e88840d2211a243d9356550c4a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028076; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Universal1337 Email Upload of Compromised Data"; flow:established,to_server; content:"#############|0d 0a|"; content:"###########"; distance:0; content:" Universal1337 "; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337; reference:url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html; classtype:trojan-activity; sid:2007968; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0 Safari & Mobile Safari/537.36"; ja3_hash; content:"5f775bbfc50459e900d464ca1cecd136"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028077; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Downloader likely malicious payload download src=xrun"; flow:established,to_server; content:"/get?src=xrun"; nocase; content:"Request|3a| "; nocase; http_header; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010821; classtype:trojan-activity; sid:2010821; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.0.0"; ja3_hash; content:"a167568462b993d5787488ece82a439a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028078; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Pass Stealer FTP Upload"; flow:established,to_server; dsize:33; content:"STEAM nicht eingespeichert!!!"; reference:url,doc.emergingthreats.net/2008332; classtype:trojan-activity; sid:2008332; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 37.0.2062.120"; ja3_hash; content:"98652faa7e0a4d85f91e37aa6b8c0135"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028079; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirtualProtect Packed Binary - Likely Hostile"; flow:established,from_server; content:"|2E 72 73 72 63|"; content:"|2E 70 61 63 6B 33 32 00|"; within:49; reference:url,bits.packetninjas.org/eblog/?p=3; reference:url,doc.emergingthreats.net/2008509; classtype:trojan-activity; sid:2008509; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 41.0.2272.89"; ja3_hash; content:"8b8322bad90e8bfbd66e664839b7a037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028080; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting to Controller"; flow:established,to_server; dsize:<150; content:"|00 00|Visual Shock Keylogger "; offset:10; depth:34; flowbits:set,ET.vskeylogger; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008601; classtype:trojan-activity; sid:2008601; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"aa9074aa1ff31c65d01c35b9764762b6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028081; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Visual Shock Keylogger Reporting Idle to Controller"; flowbits:isset,ET.vskeylogger; flow:established,to_server; dsize:8; content:"|08 00 00 00 00 00 00 00|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573; reference:url,doc.emergingthreats.net/2008602; classtype:trojan-activity; sid:2008602; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 42.0.2311.135"; ja3_hash; content:"de0963bc1f3a0f70096232b272774025"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028082; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Net Trojan Connection (2)"; flow:established; content:"conectado|7c 0a|"; depth:11; reference:url,doc.emergingthreats.net/2008645; classtype:trojan-activity; sid:2008645; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 43.0.2357.132 & 45.02454.94"; ja3_hash; content:"3bb36ec17fef5d3da04ceeb6287314c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028083; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Infection Reporting"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a| "; http_header; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|"; http_header; pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; reference:url,www2.gmer.net/mbr/; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; reference:url,doc.emergingthreats.net/2008660; reference:url,offensivecomputing.net/?q=node/909; classtype:trojan-activity; sid:2008660; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.116"; ja3_hash; content:"cd3f72760dfd5575b91213a8016c596b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028084; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trash Family - HTTP POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a|"; http_header; nocase; content:"Type="; http_client_body; nocase; content:"&Dvip="; http_client_body; nocase; content:"&Mask="; http_client_body; nocase; content:"&Guid="; http_client_body; nocase; content:"&Addr="; http_client_body; nocase; content:"&Protect="; http_client_body; nocase; content:"Url"; http_client_body; nocase; content:"&OSVer="; http_client_body; nocase; reference:url,www.spywareguide.com/product_show.php?id=1935; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=Trojan.Trash.Gen&tid=178782&cs=03253E96A71C3EE824071E5BE3A32CCD; reference:url,doc.emergingthreats.net/2009449; classtype:trojan-activity; sid:2009449; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 48.0.2564.97"; ja3_hash; content:"5406c4a87aa6cbcb7fc469fee526a206"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028085; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE VMProtect Demo version Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E|rsrc|00|"; content:"vmp0|00|"; within: 50; content:"vmp1|00|"; within:50; reference:url,www.vmprotect.ru; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009019; classtype:trojan-activity; sid:2009019; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 49.0.2623.75"; ja3_hash; content:"503fe06db7ef09b2cbd771c4e784c686"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028086; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008221; classtype:trojan-activity; sid:2008221; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 1"; ja3_hash; content:"bd4267e1672f9df843ada7c963490a0d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028087; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; reference:url,doc.emergingthreats.net/2008222; classtype:trojan-activity; sid:2008222; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 50.0.2661.102 2"; ja3_hash; content:"caeb3b546fc7469776d51f1f54a792ca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028088; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Key Checkin (Clicker.Win32.Delf.afl)"; flow:established,to_server; content:".php?key=???????+????????????"; content:"+Dial-up+??????+?+??????????????"; reference:url,doc.emergingthreats.net/2008666; classtype:command-and-control; sid:2008666; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.106 (test)"; ja3_hash; content:"aa84deda2a937ad225ef94161887b0cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028089; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"lversion="; nocase; http_uri; content:"wversion=&eversion=&fid="; nocase; http_uri; content:"&mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008667; classtype:command-and-control; sid:2008667; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 1"; ja3_hash; content:"473e8bad0e8e1572197be80faa1795c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028090; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; reference:url,doc.emergingthreats.net/2008675; classtype:trojan-activity; sid:2008675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 2"; ja3_hash; content:"e0b0e6c934c686fd18a5727648b3ed4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028091; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 91 -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008676; classtype:trojan-activity; sid:2008676; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 3"; ja3_hash; content:"7ddfe8d6f8b51a90d10ab3fe2587c581"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028092; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 91 (msg:"ET MALWARE Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; reference:url,doc.emergingthreats.net/2008677; classtype:trojan-activity; sid:2008677; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 4"; ja3_hash; content:"bc76a4185cc9bd4c72471620e552618c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028093; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|freeb4u.com"; distance:1; within:12; reference:md5,3c140d775b33a5201089e8f8118b7fb5; classtype:trojan-activity; sid:2019025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 5"; ja3_hash; content:"8e3eea71cb5a932031d90cc0fba581bc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028094; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.developmentinn.com"; distance:1; within:23; reference:md5,2f17d82e939efe315a89f1aa42e93cf1; classtype:trojan-activity; sid:2019026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 6"; ja3_hash; content:"653924bcb1d6fd09a048a4978574e2c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028095; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|directory92.com"; distance:1; within:16; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019027; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome 51.0.2704.84 7"; ja3_hash; content:"1ef652ecfb8e60e771a4710166afc262"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028096; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content:"|09|epr-co.ch"; distance:1; within:10; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"8a8159e6abf9fe493ca87efc38855149"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028097; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|"; content:"|15|linux4.pouyasazan.org"; distance:1; within:22; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 49.0.2623,87 (64-bit) Linux"; ja3_hash; content:"a7f2d0376cdcfde3117bf6a8359b2ab8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028098; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.ara-photos.net"; distance:1; within:19; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028099; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.tecktalk.com"; distance:1; within:17; reference:md5,0181d134ff73743e8dd5e23b9cf7ff51; classtype:trojan-activity; sid:2019031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 57.0.2987.110 (64-bit) Linux"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028100; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.cyclivate.com"; distance:1; within:18; reference:md5,b911327d0ba6ce016e8e33ba97e87e83; classtype:trojan-activity; sid:2019032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"94c485bca29d5392be53f2b8cf7f4304"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028101; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.mentoringgroup.com"; distance:1; within:23; reference:md5,444dd80b551ac28e43380c2ef0bc4df0; classtype:trojan-activity; sid:2019033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 60/61.0.3163, Google Chrome"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028102; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ssshosting.net"; distance:1; within:15; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome Version 61.0.3163,100(64-bit) Win10"; ja3_hash; content:"d3b972883dfbd24fd20fc200ad8ab22a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028103; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|server.erotikturk.com"; distance:1; within:22; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx) - also TextSecure Desktop"; ja3_hash; content:"cafd1f84716def1a414c688943b99faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028104; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; distance:1; within:18; reference:md5,ebca10e0a4eb99758f0fb3612fa970ba; classtype:trojan-activity; sid:2019037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome WebSockets (48.xxxx)"; ja3_hash; content:"62d8823f52dd8e1ba75a9a83e8748313"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028105; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|jojik-international.com"; distance:1; within:24; reference:md5,ffa19cd3be6a89da96bcfb5a1a52b6ae; classtype:trojan-activity; sid:2019038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/30.0.1599.101"; ja3_hash; content:"c405bbbe31c0e53ac4c8448355b2af5b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028106; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|abarsolutions.com"; distance:1; within:18; reference:md5,029e3713002bd3514b1f2493caea8294; classtype:trojan-activity; sid:2019039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/41.0.2272.89"; ja3_hash; content:"2c3221f495d5e4debbb34935e1717703"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028107; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.eastwoodvalley.com"; distance:1; within:23; reference:md5,450b394d88a69f6cb9722a5b56168ce6; classtype:trojan-activity; sid:2019040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/49.0.2623.112 WinXP"; ja3_hash; content:"248bdbc3873396b05198a7e001fbd49a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028108; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|pejlain.se"; distance:1; within:11; reference:md5,1658e12bb1fe8a25127e8bd09b923acd; classtype:trojan-activity; sid:2019042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/56.0.2924.87 Linux/Charles/Google Play Music Desktop Player/Postman/Slack/other desktop programs"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028109; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dominionthe.com"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/59.0.3071.115 Win10, node.js"; ja3_hash; content:"9811c1bb9f0f6835d5c13a831cca4173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028110; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|delanecanada.ca"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chrome/60.0.3112.113 Win10, Chromium"; ja3_hash; content:"def8761e4bcaaf91d99801a22ac6f6d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028111; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|19|hebergement-solutions.com"; distance:1; within:26; reference:md5,e5f8caba2b2832de5c13a16d5b4f6d6f; classtype:trojan-activity; sid:2019045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"be9f1360cf52dc1f61ae025252f192a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028112; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sportofteniq.com"; distance:1; within:17; reference:md5,d06ec89944b566df8dcd959a2196b37c; classtype:trojan-activity; sid:2019046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Chromium"; ja3_hash; content:"fc5cb0985a5f5e295163cc8ffff8a6e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028113; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|adoraacc.com"; distance:1; within:13; reference:md5,a938c50d686663f97d62dff812fc575b; classtype:trojan-activity; sid:2019047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client (3.1.09013)"; ja3_hash; content:"7f340e6caa1fa4c979df919227160ff6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028114; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|tristacey.com"; distance:1; within:14; reference:md5,e40ec448fd7cfea641a18fb6b38e4e92; classtype:trojan-activity; sid:2019048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"e7d46c98b078477c4324031e0d3b22f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028115; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nbc-mail.com"; distance:1; within:13; reference:md5,348b8a9e693a6784a6cf26d9afe6fed9; classtype:trojan-activity; sid:2019049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Cisco AnyConnect Secure Mobility Client"; ja3_hash; content:"ed36017db541879619c399c95e22067d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028116; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|tridayacipta.com"; distance:1; within:17; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Receiver 4.4.0.8014"; ja3_hash; content:"203157ed9f587f0cfd265061bf309823"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028117; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content:"|55 04 03|"; content:"|20|trainthetrainerinternational.com"; distance:1; within:33; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Citrix Viewer"; ja3_hash; content:"5ee1a653fb824db7182714897fd3b5df"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028118; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|www.lingayasuniversity.edu.in"; distance:1; within:30; reference:md5,b2c3bb2b56876e325d86731a693fd138; classtype:trojan-activity; sid:2019052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Covenant Eyes"; ja3_hash; content:"a9d17f74e55dd53fcf7c234f8a240919"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028119; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.uleideargan.com"; distance:1; within:20; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - CRAWLER: facebookexternalhit/1.1"; ja3_hash; content:"111da7c75fee7fe934b35a8d88eb350a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028120; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|picklingtank.com"; distance:1; within:17; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Creative Cloud"; ja3_hash; content:"c882d9444412c00e71b643f3f54145ff"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028121; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|vcomdesign.com"; distance:1; within:15; reference:md5,9ad86fc9a57b620e96082cd61aa1b494; classtype:trojan-activity; sid:2019055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - cscan"; ja3_hash; content:"bc0608d33dc64506b42f7f5f87958f37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028122; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|technosysuk.com"; distance:1; within:16; reference:md5,fc23d6cbe926a022cac003214679ec7a; classtype:trojan-activity; sid:2019056; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.22.0 on Linux)"; ja3_hash; content:"764b8952983230b0ac23dbd3741d2bb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028123; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|slmp-550-105.slc.westdc.net"; distance:1; within:28; reference:md5,f053b1aa875751944bae74fce67fe965; classtype:trojan-activity; sid:2019057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl (tested: 7.43.0 OS X)"; ja3_hash; content:"9f198208a855994e1b8ec82c892b7d37"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028124; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; distance:1; within:36; reference:md5,f7b715ad4235599ed21179a369279225; classtype:trojan-activity; sid:2019058; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.35.0 (tested Ubuntu 14.x  openssl 1.0.1f)"; ja3_hash; content:"c458ae71119005c8bc26d38a215af68f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028125; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|udderperfection.com"; distance:1; within:20; reference:md5,27938e57f7928e9559e71d384a8fffe6; classtype:trojan-activity; sid:2019059; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl 7.37.0 / links 2.8 / git 2.6.6 (openSUSE Leap 42.1)"; ja3_hash; content:"e14d427fab707af91e4bbd0bf03076f8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028126; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|efind.co.il"; distance:1; within:12; reference:md5,6d8a5b36f61e392aaa048b97b3d9e090; classtype:trojan-activity; sid:2019060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl"; ja3_hash; content:"f672d8f0e827ca1e704a9489b14dd316"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028127; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|bloodsoft.com"; distance:1; within:14; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"; ja3_hash; content:"e3891da2a758d67ba921e5eec0b9707d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028128; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.walletmix.com"; distance:1; within:18; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Customised Postfix - Damnit Matt"; ja3_hash; content:"f865de0807a17e9cb797e618162356db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028129; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|turnaliinsaat.com"; distance:1; within:18; reference:md5,feb5304d966a0f1610e642984a64d54c; classtype:trojan-activity; sid:2019063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dashlane"; ja3_hash; content:"0217dc3bd88c696cc15374db0d848de4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028130; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|mdus-pp-wb12.webhostbox.net"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.15)"; ja3_hash; content:"f7baf7d9da27449e823a4003e14cd623"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028131; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|www.plastics-technology.com"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Debian APT-CURL/1.0 (1.2.20+)"; ja3_hash; content:"ec2e8760003621ca668b5f03e616cd57"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028132; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|deserve.org.uk"; distance:1; within:15; reference:md5,9d16352f292d86f40236afc7e06bce08; classtype:trojan-activity; sid:2019067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Deezer"; ja3_hash; content:"4fcd1770545298cc119865aeba81daba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028133; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (installer?)"; ja3_hash; content:"ede63467191e9a12300e252c41ca9004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028134; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|11|paydaypedro.co.uk"; distance:1; within:18; reference:md5,39877be17bd3435f275fc54577beaa6e; classtype:trojan-activity; sid:2019075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - DropBox (tested: 3.12.5 - Ubuntu 14.04TS & Win 10)"; ja3_hash; content:"653d342bee5001569662198a672746af"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028135; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|chatso.com"; distance:1; within:11; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox (Win 8.1)"; ja3_hash; content:"482a11a20da1629b77aaadf640478d13"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028136; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/Torpig Checkin"; flow:to_server,established; content:"GET"; http_method; content:"idcomp="; http_uri; content:"MyValue="; http_uri; content:"&load1="; http_uri; content:"&hist=downloaded_user_"; http_uri; pcre:"/MyValue=[a-f0-9]{32}/Ui"; reference:url,doc.emergingthreats.net/2010267; classtype:command-and-control; sid:2010267; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"21ed4c7ee1daeb84c72199ceaf119b24"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028137; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.SillyFDC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php"; nocase; http_uri; content:"getowner=1&uniqueid="; http_uri; content:"User-Agent|3a| WinHttp.WinHttpRequest"; http_header; reference:url,doc.emergingthreats.net/2010268; classtype:command-and-control; sid:2010268; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"30b168d81e38d9a55c474c1e30eaf9f9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028138; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pragma hack Detected Outbound - Likely Infected Source"; flow:established,to_client; content:"Pragma|3a| hack/"; nocase; http_header; classtype:trojan-activity; sid:2010872; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Client"; ja3_hash; content:"f8e42933ba5b3990858ba621489047e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028139; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|00 fc 61 00 6b e6 e5 a0 17|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Setup (tested: 3.10.11 on Win 8.x)"; ja3_hash; content:"2f8363419a9fb80ad46b380778d8eaf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028140; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET MALWARE Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:attempted-dos; sid:2011767; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Splash Pages (Win 10)"; ja3_hash; content:"c1e8322501b4d56d484b50bd7273e798"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028141; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:7; metadata:created_at 2010_12_07, updated_at 2010_12_07;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox Windows"; ja3_hash; content:"6c141f98cd79d8b505123e555c1c3119"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028142; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows arp -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Interface|3a|"; content:"--- 0x"; distance:0; content:"Internet Address"; content:"Physical Address"; fast_pattern; distance:0; content:"Type"; content:"dynamic"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019080; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"054c9f9d304b7a2add3d6fa75bc20ae4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028143; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows set Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"ALLUSERSPROFILE="; fast_pattern; content:"APPDATA="; distance:0; content:"CLIENTNAME="; content:"CommonProgramFiles="; distance:0; content:"COMPUTERNAME="; content:"ComSpec="; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019081; rev:1; metadata:created_at 2014_08_28, updated_at 2014_08_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dropbox"; ja3_hash; content:"36bc8c7e10647bbfea3f740e7f05c0f1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028144; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrian Malware Checkin"; flow:established,to_server; content:"|2f|j|7c|n|5c|"; offset:2; depth:5; content:"[endof]"; fast_pattern; distance:0; reference:url,fireeye.com/blog/technical/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html; reference:md5,a8cf815c3800202d448d035300985dc7; classtype:command-and-control; sid:2019084; rev:1; metadata:created_at 2014_08_29, former_category MALWARE, updated_at 2014_08_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Dynalist/Postman/Google Chrome/Franz/GOG Galaxy"; ja3_hash; content:"4c40bf8baa7c301c5dba8a20bc4119e2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028145; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_27, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"0411bbb5ff27ad46e1874a7a8beedacb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028146; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor based locker Ransom Page"; flow:established,to_server; content:"/buy.php?"; http_uri; content:"iet7v4dciocgxhdv."; nocase; fast_pattern; http_header; classtype:trojan-activity; sid:2018873; rev:3; metadata:created_at 2014_08_01, updated_at 2014_08_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"4990c9da08f44a01ecd7ddc3837caf25"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028147; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse"; ja3_hash; content:"fa106fe5beec443af7e211ef8902e7e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028148; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 7a 4e 2c 6d 48 5c a6|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019106; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - eclipse/java"; ja3_hash; content:"d74778f454e2b047e030b291b94dd698"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028149; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 c6 af 2f 81 7b a2 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019107; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Facebook iOS"; ja3_hash; content:"576a1288426703ae0008c42f95499690"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028150; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel"; flow:established,to_client; content:"DZKS"; content:"DZJS"; within:50; reference:url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu; classtype:command-and-control; sid:2014618; rev:3; metadata:created_at 2012_04_20, former_category MALWARE, updated_at 2012_04_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Feedly/1.0, java,eclipse,Cyberduck"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028151; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Frosparf.B Downloading Hosts File"; flow:established,from_server; file_data; content:"9.9.9.9 "; within:8; pcre:"/^(?:[a-zA-Z0-9\x2d\x5f]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]*?9\.9\.9\.9\s+?(?:[a-zA-Z0-9\_\-]{1,63}\.)+?[a-zA-Z0-9\x2d\x5f]{1,63}[\r\n]/R"; reference:md5,4ad55877464aa92e49231d913d00eb69; classtype:trojan-activity; sid:2019142; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - fetchmail 6.3.26 (openSUSE Leap 42.1)"; ja3_hash; content:"a698fe6c52d210e3376bb6667729d4d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028152; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019147; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FieldServiceApp/socialstudio"; ja3_hash; content:"1fbe5382f9d8430fe921df747c46d95f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028153; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea c4 eb c7 a8 ae c0 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019148; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 24.0 Iceweasel24.3.0"; ja3_hash; content:"3d99dda4f6992b35fdb16d7ce1b6ccba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028154; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|groundbellsinc2@yahoo.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019149; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 25.0"; ja3_hash; content:"c57914fadb301a73e712378023b4b177"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028155; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 10 d6 2f a9 1d 55 7b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019150; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 26.0, Firefox/26.0"; ja3_hash; content:"755cdaa3496eb8728247a639dee17aad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028156; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 2c 97 86 ef 94 08 62|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019151; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 27.0"; ja3_hash; content:"ff9223b5c9a5d44a8a423833751fa158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028157; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 33 9e 92 b0 3e 35 b8|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019152; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.0.19"; ja3_hash; content:"df9bedd5713fe0cc2e9184d7c16a5913"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028158; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 69 ac|"; within:30; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0f|serveradmin.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019153; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 3.5 - 3.6, Firefox 3.5.19  3.6.27  SeaMonkey 2.0.14"; ja3_hash; content:"4a9bd55341e1ffe6fedb06ad4d3010a0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028159; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_POCARDL.U Possible FTP Login"; flow:established,to_server; content:"USER user drupalzf"; reference:md5,ceb5b99c13b107cf07331bcbddb43b1f; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019159; rev:2; metadata:created_at 2014_09_11, updated_at 2014_09_11;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 40.0.3 (tested Windows 8), Firefox/37.0"; ja3_hash; content:"2872afed8370401ec6fe92acb53e5301"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028160; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|googleforking.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018912; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"46129449560e5731dc9c5106f111a3db"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028161; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_06_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 46.0"; ja3_hash; content:"d06b3234356cb3df0983fc8dd02ece68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028162; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 500.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/500.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012456; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.0 2"; ja3_hash; content:"05ece02fb23acf2efbfff54ce4099a45"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028163; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download desyms.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/desyms.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012458; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 47.x 1 / FireFox 47.x (Windows 7SP1)"; ja3_hash; content:"aa907c2c4720b6f54cd8b67a14cef0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028164; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download 1691.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/1691.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012459; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (dev edition)"; ja3_hash; content:"f586111542f330901d9a3885a9c821b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028165; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp any any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Perl.Shellbot.cd IRC Bot that have DoS/DDoS functions"; flow:from_server,established; flowbits:isset,is_proto_irc; content:"PRIVMSG|20|"; pcre:"/^PRIVMSG.*@(portscan|back|(tcp|udp|http)flood|tsunami|(de)?voice|reset|die|say|join|part|(de)?op)/mi"; reference:url,theprojectxblog.net/another-perl-irc-bot-that-have-dosddos-functions/; classtype:trojan-activity; sid:2025065; rev:3; metadata:created_at 2012_05_22, former_category TROJAN, updated_at 2017_11_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled - I think websockets)"; ja3_hash; content:"1996e434b11323df4e87f8fe0e702209"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028166; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FireFox 49 (TLSv1.3 enabled)"; ja3_hash; content:"8ed0a2cdcad81fc29313910eb94941d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028167; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Server Response"; flow:established,to_client; flowbits:isset,ET.Tinba.Checkin; file_data; content:"|64 b4 dc a4|"; within:4; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:trojan-activity; sid:2019169; rev:4; metadata:created_at 2014_09_12, updated_at 2014_09_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 49.0a2 Developer TLS 1.3 enabled"; ja3_hash; content:"8b18c5b0c54cba1ffb2438fe24792b63"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028168; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET"; http_method; content:"/pcdef.exe"; http_uri; nocase; classtype:trojan-activity; sid:2010055; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox 63.0"; ja3_hash; content:"b20b44b18b853ef29ab773e921b03422"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028169; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0a81538cf247c104edb677bdb8902ed5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028170; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|chr|0b|santa-inbox|03|com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; classtype:command-and-control; sid:2008531; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"0b6592fd91d4843c823b75e49b43838d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028171; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be .com FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".com.exe"; http_uri; nocase; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011495; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"1c15aca4a38bad90f9c40678f6aface9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028172; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable Download named to be FQDN"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe"; http_uri; nocase; fast_pattern; content:"."; depth:200; content:".exe"; nocase; distance:2; within:6; pcre:"/\/.+(www\.)?[a-z0-9]+\.[a-z]{2,3}\.exe$/Ui"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011496; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"5163bc7c08f57077bc652ec370459c2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028173; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV landing page - sector.hdd.png no-repeat"; flow:established,to_client; content:"sector.hdd.png) no-repeat"; classtype:bad-unknown; sid:2011419; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"a88f1426c4603f2a8cd8bb41e875cb75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028174; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEAV client requesting image - sector.hdd.png"; flow:established,to_server; content:"sector.hdd.png"; nocase; http_uri; classtype:bad-unknown; sid:2011420; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"b03910cc6de801d2fcfa0c3b9f397df4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028175; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:4; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"bfcc1a3891601edb4f137ab7ab25b840"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028176; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download adobe-flash.v"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/adobe-flash.v"; nocase; http_uri; pcre:"/adobe-flash\.v\.\d{5}\.exe/Ui"; reference:url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com; classtype:bad-unknown; sid:2011989; rev:2; metadata:created_at 2010_12_01, updated_at 2010_12_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - firefox"; ja3_hash; content:"f15797a734d0b4f171a86fd35c9a5e43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028177; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious invoice.scr Download Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:4; metadata:created_at 2010_12_02, updated_at 2010_12_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/10.0.11esrpre Iceape/2.7.12"; ja3_hash; content:"55f2bd38d462d74fb6bb72d3630aae16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028178; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.E Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|10 27 60 ea|Linux|20|"; offset:4; depth:64; reference:md5,9a2a00f4bba2f3e0b1211a1f0cb48896; classtype:command-and-control; sid:2019171; rev:2; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2014_09_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/13.0-25.0"; ja3_hash; content:"85c420ab089dac5025034444789a8fb5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028179; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; fast_pattern; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:md5,531e84b0894a7496479d186712acd7d2; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:command-and-control; sid:2012248; rev:5; metadata:created_at 2011_01_29, former_category MALWARE, updated_at 2011_01_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/14.0.1 Linux"; ja3_hash; content:"847b0c334fd0f6f85457054fabff3145"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028180; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/25.0"; ja3_hash; content:"e98db583389531a37f2fe8d251f0f7ae"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028181; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:command-and-control; sid:2012279; rev:4; metadata:created_at 2011_02_03, former_category MALWARE, updated_at 2011_02_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/27.0-32.0, IceWeasel 31.8.0"; ja3_hash; content:"cc9bcf019b339c01d200515d1cb39092"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028182; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SMTP Malware"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|irs_legalauth-tax_payment_notice_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012319; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/28.0-30.0"; ja3_hash; content:"45d22e6403f053bfb2cc223755588533"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028183; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|IRS-TaxPaymentNotification"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012320; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/31 Linux, firefox"; ja3_hash; content:"ce694315cbb81ce95e6ae4ae8cbafde6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028184; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE IRS Inbound SPAM variant 3"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|Individual_Income_Tax_Rtrn_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012329; rev:2; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/32.0"; ja3_hash; content:"8df37d4e7430e2d9a291ae9ee500a1a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028185; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:2; metadata:created_at 2011_02_27, updated_at 2011_02_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"5ba6ed04b246c96c6839e0268a8b826f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028186; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:2; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/33.0"; ja3_hash; content:"c5392af25feaf95cfefe858abd01c86b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028187; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:3; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"9250f97ba65d86e7b0e60164c820d91a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028188; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE Post Express Inbound bad attachment"; flow:established,to_server; content:"Post Express|22|"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|Post_Express_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012445; rev:6; metadata:created_at 2011_03_09, updated_at 2011_03_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/34.0-35.00"; ja3_hash; content:"ab834ac5135f2204d473878821979cea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028189; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:2; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/37.0, Google Chrome 45.0.2454.85 or FireFox 41-42"; ja3_hash; content:"514058a66606ae870bcc670e95ca7e68"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028190; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET MALWARE DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:3; metadata:created_at 2011_03_12, updated_at 2011_03_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/38 Linux"; ja3_hash; content:"edf844351bc867631b5ebceda318669b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028191; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; nocase; classtype:trojan-activity; sid:2012494; rev:4; metadata:created_at 2011_03_14, updated_at 2011_03_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/40.1 Windows 7"; ja3_hash; content:"05af1f5ca1b87cc9cc9b25185115607d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028192; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32 Banker Trojan CheckIn"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/sys7."; http_uri; fast_pattern; reference:url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY; classtype:command-and-control; sid:2012521; rev:3; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2011_03_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/45.0 Linux, firefox,thunderbird"; ja3_hash; content:"07b4162d4db57554961824a21c4a0fde"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028193; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware PatchPathNewS3.dat Request"; flow:established,to_server; content:"/PatchPathNewS3.dat"; nocase; http_uri; classtype:trojan-activity; sid:2012617; rev:5; metadata:created_at 2011_04_01, updated_at 2011_04_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/51.0 Windows 10, firefox,thunderbird"; ja3_hash; content:"61d0d709fe7ac199ef4b2c52bc8cef75"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028194; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7; metadata:created_at 2011_04_08, updated_at 2011_04_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52 Linux"; ja3_hash; content:"4e66f5ad78f3d9ad8d5c7c88d138db43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028195; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV BestAntivirus2011 Download"; flow:established,from_server; content:"|3b 20|filename=|22|BestAntivirus20"; nocase; classtype:trojan-activity; sid:2012714; rev:4; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/52"; ja3_hash; content:"ca0f3f4c08cbd372720beb1af7d2721f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028196; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain citi-bank.ru Lookup"; content:"|09|citi-bank|02|ru|00|"; nocase; classtype:trojan-activity; sid:2012728; rev:4; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55 Windows 10"; ja3_hash; content:"1885aa9927f99ed538ed895d9335995c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028197; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames.bnye Checkin"; flow:to_server,established; content:"|20|HTTP|2f|1|2e|1|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"|0d 0a|Host|3a 20|"; within:13; content:"|3a|8080|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; http_header; pcre:"/User-Agent\x3a\x20[a-z]{3,4}\x0d\x0a/H"; reference:md5,014945cf93ffc94833f7a3efd92fe263; classtype:command-and-control; sid:2012736; rev:9; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2011_04_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/55/56 Mac/Win/Linux"; ja3_hash; content:"0ffee3ba8e615ad22535e7f771690a28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028198; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS Trojan GET with xxxx_ string"; flow:established,to_server; content:"/xxxx_"; http_uri; pcre:"/\/xxxx_\d+\//U"; classtype:trojan-activity; sid:2012918; rev:4; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/56.0 Windows 10"; ja3_hash; content:"be1a7de97ea176604a3c70622189d78d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028199; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page"; flow:established,to_client; content:"|28|navigator.appVersion.indexof|28 22|Mac|22 29|!=-1|29|"; nocase; content:"window.location="; nocase; within:17; classtype:bad-unknown; sid:2011917; rev:4; metadata:created_at 2010_11_10, updated_at 2010_11_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Firefox/6.0.1 - 12.0"; ja3_hash; content:"2aef69b4ba1938c3a400de4188743185"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028200; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download"; flow:established,from_server; content:"encrypt|3a| function|28|m, e, n|29|"; depth:64; classtype:bad-unknown; sid:2011922; rev:5; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Flux"; ja3_hash; content:"504ecb2d3e5e83a179316f098dadbaeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028201; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropper HTTP POST Check-in"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| NSIS_InetLoad (Mozilla)"; http_header; content:"spill&a="; http_client_body; reference:url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook; classtype:trojan-activity; sid:2013189; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Franz/Google Chrome/Kiwi/Spotify/nwjs/Slack"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028202; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013361; rev:5; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) #1"; ja3_hash; content:"a6090977601dc1345948f101e46d5759"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028203; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:command-and-control; sid:2013362; rev:7; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2011_08_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - FullTilt Poker v16.5 (OS X) or DropBox"; ja3_hash; content:"f1b9f86645cb839bd6992e848d943898"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028204; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE windows_security_update Fake AV download"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:7; metadata:created_at 2011_08_05, updated_at 2011_08_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Fuze"; ja3_hash; content:"900c1fa84b4ea86537e1d148ee16eae8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028205; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; classtype:command-and-control; sid:2013413; rev:3; metadata:created_at 2011_08_16, former_category MALWARE, updated_at 2011_08_16;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"107144b88827da5da9ed42d8776ccdc5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028206; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:3; metadata:created_at 2011_12_15, updated_at 2011_12_15;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - geod"; ja3_hash; content:"c46941d4de99445aef6b497679474cf4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028207; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:3; metadata:created_at 2012_01_26, updated_at 2012_01_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - git commandline (tested: 1.9. Linux)"; ja3_hash; content:"3e765b7a69050906e5e48d020921b98e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028208; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:3; metadata:created_at 2012_01_31, updated_at 2012_01_31;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Git-Bash (Tested v2.6.0) / curl 7.47.1 (cygwin)"; ja3_hash; content:"d0df7f7c9ca173059b2cd17ce5c2e5cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028209; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:6; metadata:created_at 2012_03_28, updated_at 2012_03_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GitHub Desktop (tested build 216 on OSX)"; ja3_hash; content:"f8c50bbee59c526ca66da05f3dc4b735"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028210; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a known malware domain (regicsgf.net)"; flow: to_server,established; content:"regicsgf.net|0D 0A|"; http_header; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014570; rev:6; metadata:created_at 2012_04_16, updated_at 2012_04_16;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Glympse Location Tracking??"; ja3_hash; content:"c5cbafbbcf53dfbfc2a803ca3833fce2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028211; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:3; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GMail SMTP Relay"; ja3_hash; content:"a3b2fe29619fdcb7a9422b8fddb37a67"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028212; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3A 20|RAbcLib|0D 0A|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:command-and-control; sid:2014755; rev:4; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2012_05_17;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GNU Wget 1.16.1 built on darwin14.0.0"; ja3_hash; content:"94b94048a438e77122fc4eee3a6a4a26"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028213; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:5; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GNUTLS Commandline"; ja3_hash; content:"0267b752d6a8b5fd195096b41ea5839c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028214; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - golang (tested: 1.4.1)"; ja3_hash; content:"f11b0fca6c063aa69d8d39e0d68b6178"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028215; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015533; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Calendar Agent (Tested on OSX)"; ja3_hash; content:"07ef3a7f5f8ffef08affb186284f2af4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028216; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; fast_pattern; content:!"Accept|3a| "; http_header; classtype:command-and-control; sid:2015534; rev:4; metadata:created_at 2012_07_27, former_category MALWARE, updated_at 2012_07_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (43.0.2357.130 64-bit OSX)"; ja3_hash; content:"abe568de919448adcd756aea9a136aea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028217; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:command-and-control; sid:2015546; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2012_07_31;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (Android)"; ja3_hash; content:"400961c8161ba7661a7029d3f7e8bb95"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028218; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize:>200; content:"Windows "; content:"Service Pack "; distance:0; content:"HACK|00 00|"; fast_pattern; distance:100; reference:url,doc.emergingthreats.net/2008042; classtype:command-and-control; sid:2008042; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"072c0469aa4f2f597bb38bcc17095c51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028219; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 3"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"return |22|PROXY"; pcre:"/^[^\x3b]+\\x(?:[57][0-9a]|4[0-9a-f]|6[1-9a-f]|3[0-9])/Ri"; reference:md5,6f2dc4ba05774f3e5ebf6c502db48a71; classtype:trojan-activity; sid:2019191; rev:13; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"696cd0c8c241e19e3d6336c3d3d9e2e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028220; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 27 b3 4f ab ba bf 8b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019192; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome (tested: 43.0.2357.130 64-bit OSX)"; ja3_hash; content:"c40b51e2a59425b6a2b500d569962a60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028221; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download 2"; flow:from_server,established; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; pcre:"/^(?P<q>[\x22\x27])(?:(?!(?P=q))[^\r\n\x2c])+?(?P=q)\s*?\+\s*?[\x22\x27][^\r\n\x2c]*?[cg][\x22\x27\+\s]*?[o][\x22\x27\+\s]*?[vm][\x22\x27\+\s]*?\.[\x22\x27\+\s]*?b[\x22\x27\+\s]*?r[\x22\x27\+\s]*?\x2c/m"; reference:md5,6e4a990b1540fa6b5896034b976ccecf; classtype:trojan-activity; sid:2019190; rev:14; metadata:created_at 2014_09_18, updated_at 2014_09_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 45.0.2454.101"; ja3_hash; content:"e8aabc4fe1fc8d47c648d37b2df7485f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028222; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !25 (msg:"ET MALWARE Gh0st Trojan CnC 2"; flow:established,to_server; dsize:<250; content:"Gh0st"; offset:8; depth:5; classtype:command-and-control; sid:2017505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71 m"; ja3_hash; content:"7ea3e17d09294aee8425ae05588f0c66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028223; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015719; rev:2; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome 46.0.2490.71"; ja3_hash; content:"a9030ea4837810ce89fb8a3d39ca12ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028224; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:command-and-control; sid:2015720; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"0e46737668fe75092919ee047a0b5945"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028225; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:command-and-control; sid:2015721; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"39fa85654105398ee7ef6a3a1c81d685"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028226; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015722; rev:3; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2012_09_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome Helper"; ja3_hash; content:"4ba7b7022f5f5e1e500bb19199d8b1a4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028227; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:command-and-control; sid:2015728; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"002205d0f96c37c5e660b9f041363c11"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028228; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:command-and-control; sid:2015730; rev:3; metadata:created_at 2012_09_22, former_category MALWARE, updated_at 2012_09_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"073eede15b2a5a0302d823ecbd5ad15b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028229; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:3; metadata:created_at 2012_09_28, updated_at 2012_09_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"0b61c673ee71fe9ee725bd687c455809"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028230; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"Opera/11.1"; depth:10; http_user_agent; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:4; metadata:created_at 2012_12_22, updated_at 2012_12_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"6cd1b944f5885e2cfbe98a840b75eeb8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028231; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:targeted-activity; sid:2016474; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b4f4e6164f938870486578536fc1ffce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028232; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:targeted-activity; sid:2016476; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028233; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications html return 1"; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:targeted-activity; sid:2016477; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"baaac9b6bf25ad098115c71c59d29e51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028234; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:targeted-activity; sid:2016478; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"da949afd9bd6df820730f8f171584a71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028235; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:targeted-activity; sid:2016479; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"fd6314b03413399e4f23d1524d206692"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028237; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:targeted-activity; sid:2016480; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome/Slack"; ja3_hash; content:"5498cef2cca704eb01cf2041cc1089c1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028238; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:targeted-activity; sid:2016482; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive (tested: 1.26.0707.2863 - Win 8.x & Win 10)"; ja3_hash; content:"c1741dd3d2eec548df0bcd89e08fa431"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028239; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:targeted-activity; sid:2016483; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Drive File Stream"; ja3_hash; content:"d27fb8deca6e3b9739db3fda2b229fe3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028240; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:targeted-activity; sid:2016484; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth Linux 7.1.4.1529"; ja3_hash; content:"b16614e71d26ba348c94bfc8e33b1767"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028241; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT crabdance backdoor base64 head"; flow:established,to_client; file_data; content:"MS4nJzJ4cHZyeQ=="; classtype:targeted-activity; sid:2016485; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Earth"; ja3_hash; content:"ae340571b4fd0755c4a0821b18d8fa93"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028242; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:targeted-activity; sid:2016486; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2013_02_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Mail server starttls connection"; ja3_hash; content:"9af622c65a17a0bf90d6e9504be96a43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028243; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET MALWARE CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:targeted-activity; sid:2016488; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2013_02_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Photos Backup"; ja3_hash; content:"f059212ce3de94b1e8253a7522cb1b44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028244; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2012_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - GoogleBot"; ja3_hash; content:"50dfee94717e9640b1c384e5bd78e61e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028245; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zeus Spam Campaign pdf.exe In ZIP - 26th Feb 2014"; flow:established,to_client; file_data; content:"PK"; within:2; content:"pdf.exe"; distance:42; within:500; classtype:trojan-activity; sid:2018182; rev:3; metadata:created_at 2014_02_27, updated_at 2014_02_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - gramblr"; ja3_hash; content:"fd10cc8cce9493a966c57249e074755f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028246; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20][a-z]{13,32}(?:\x03(?:biz|com|net|org)|\x04info|\x02ru)\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,vrt-blog.snort.org/2014/03/decoding-domain-generation-algorithms.html; classtype:trojan-activity; sid:2018316; rev:4; metadata:created_at 2014_03_25, former_category MALWARE, updated_at 2014_03_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Great Firewall of China Probe (via pcaps from https://nymity.ch/active-probing/)"; ja3_hash; content:"e76ac6872939f6ebfdf75f1ea73b4daf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028247; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download"; flow:established,to_client; flowbits:isset,ET.Onelouder.bin; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2018982; rev:2; metadata:created_at 2014_08_22, updated_at 2014_08_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - HipChat"; ja3_hash; content:"d9b07b9095590f4ff910ceee7b6af88a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028248; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Trojan Dropped by Angler Aug 29 2014"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 c4 a8 4b da 47 94 14 c1|"; within:35; content:"|55 04 0b|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|06|office"; distance:1; within:7; classtype:trojan-activity; sid:2019086; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_29, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"3e860202fc555b939e83e7a7ab518c38"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028249; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 e8 dc 5d 2a ee 44 a3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019205; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"54328bd36c14bd82ddaa0c04b25ed9ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028250; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 b7 93 80 9f 87 5d ab|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c 31 30 38 2e 36 31 2e 34 39 2e 33 30|"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019206; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"56ac3a0bef0824c49e4b569941937088"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028251; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/BillGates Checkin"; flow:established,to_server; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 f4 01 00 00 32 00 00 00 e8 03|"; distance:0; content:"|01 01 02 00 00 00 01 00 00 00|"; distance:0; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019207; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"8bd59c4b7f3193db80fd64318429bcec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028252; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/BillGates Checkin Response"; flow:established,from_server; dsize:20; content:"|08 00 00 00 0c 00 00 00 00 00 00 00 00 00 00 00 e8 fd 00 00|"; reference:md5,b4dd0283c73d0b288e7322b95df0cb1b; classtype:command-and-control; sid:2019208; rev:1; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"d1f9f9b224387d2597f02095fcec96d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028253; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/AES.DDoS Sending Real/Fake CPU&BW Info"; flow:established,to_server; content:"INFO|3a|"; depth:5; pcre:"/^\d/R"; content:"|25 7c|"; distance:0; threshold: type both, count 1, seconds 30, track by_src; reference:md5,d8059b555dde05e184c0b16bbff523f1; classtype:trojan-activity; sid:2019177; rev:3; metadata:created_at 2014_09_15, updated_at 2014_09_15;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - hola_svc"; ja3_hash; content:"ff1040ba1e3d235855ef0d7cd9237fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028254; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - HTTRack"; ja3_hash; content:"a1ec6fd012b9ee6f84c50339c4205270"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028255; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 1f ee 3e 8f cb 87 80|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019225; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IDSyncDaemon"; ja3_hash; content:"5af143afdbf58ec11ab3b3d53dd4e5e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028256; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Yangji.A Checkin"; flow:established,to_server; dsize:1024; content:"cngameanti|7c|"; depth:11; pcre:"/^\x2d?\d/R"; reference:md5,b5badeb16414cba66999742601c092b8; classtype:command-and-control; sid:2019229; rev:1; metadata:created_at 2014_09_24, former_category MALWARE, updated_at 2014_09_24;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11 Win10"; ja3_hash; content:"fee8ec956f324c71e58a8c0baf7223ef"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028257; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [443,$HTTP_PORTS] (msg:"ET MALWARE Pushdo v3 Checkin"; flow:established,to_server; dsize:20; content:"|02 00 00 00|"; depth:4; reference:md5,776d6c20a7016cb0f0db354785fe0d71; classtype:command-and-control; sid:2019235; rev:1; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2014_09_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"4cafc7a0acf83a49317ca199b2f25c82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028258; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kuluoz/Asprox CnC Response"; flow:from_server,established; flowbits:isset,ET.Kuluoz; content:"|0d 0a 0d 0a|"; content:"|0d 0a 80 00 00 00|"; distance:2; within:6; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:command-and-control; sid:2019187; rev:5; metadata:created_at 2014_09_17, former_category MALWARE, updated_at 2014_09_17;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - IE 11"; ja3_hash; content:"78273d33877a36c0c30e3fb7578ee9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028259; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|www.santa.my"; distance:1; within:13; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019277; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - In all the malware samples - Java updater perhaps, java"; ja3_hash; content:"a61299f9b501adcf680b9275d79d4ac6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028260; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Inbox OSX"; ja3_hash; content:"d06acbe8ac31e753f40600a9d6717cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028261; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019279; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - inoreader.com-like FeedFetcher-Google, inoreader.com"; ja3_hash; content:"3ca5d63fa122552463772d3e87d276f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028262; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf ac 1a b8 3d 7f 11 16|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|06|debian"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019280; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11 .0.9600.1731.(Win 8.1)"; ja3_hash; content:"a6776199188c09f5124b46b895772fa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028263; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3A| "; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:2019294; rev:1; metadata:created_at 2014_09_29, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.17959"; ja3_hash; content:"a264c0bb146b2fade4410bcd61744b69"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028264; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 75 2c 71 a2 5b fd 9f|"; within:35; content:"|55 04 07|"; distance:0; content:"|07|Houston"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019316; rev:2; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Internet Explorer 11.0.9600.18349 / TeamViewer 10.0.47484P / Notepad++ Update Check / Softperfect Network Scanner Update Check / Wireshark 2.0.4 Update Check"; ja3_hash; content:"d54b3eb800cbeccf99fd5d5cdcd7b5b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028265; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cb f9 86 23 19 20 43 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019317; rev:4; metadata:attack_target Client_and_Server, created_at 2014_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iOS AppleWebKit/536.26"; ja3_hash; content:"06d930b072bf052b10d0a9eea1554f60"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028266; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 7e e9 92 50 35 4f 1e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019328; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iOS Mail App (tested: iOS 9.3.3)"; ja3_hash; content:"99204897b101b15f87e9b07f67453f4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028267; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 90 47 1b dd 5a 78 af e5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019329; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iPad CPU OS 9_3_5 Safari 601.1 Used by many programs - apple.WebKit.Networking"; ja3_hash; content:"a9aecaa66ad9c6cfe1c361da31768506"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028268; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-2)"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M[ACDEFGHKLMNOPQRSTUVWXYZ]|B[ABDEFGHIJLMNOQRSTVWYZ]|S[ABCDEGHIJKLMNORSTVXYZ]|C[ACDFGHIKLMNORUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|A[DEFGILMOQRSTUWXZ]|T[CDFGHJKLMNORTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRUZ]|K[EGHIMNPRWYZ]|L[ABCIKRSTUVY]|I[DELMNOQRST]|E[CEGHRST]|V[ACEGINU]|D[EJKMOZ]|F[IJKMOR]|H[KMNRTU]|U[AGMSYZ]|R[EOSUW]|J[EMOP]|Z[AMW]|W[FS]|Y[ET]|OM|QA)\b/R"; classtype:trojan-activity; sid:2019326; rev:6; metadata:created_at 2014_10_01, former_category MALWARE, updated_at 2014_10_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iPhone OS 10_3_3 Safari 602.1, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7e72698146290dd68239f788a452e7d8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028269; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Bot Nick in IRC (Country Code ISO 3166-1 alpha-3)"; flow:established,to_server; content:"NICK"; depth:5; pcre:"/^[^\r\n]{0,7}\b(?:M(?:A[CFR]|D[AGV]|N[EGP]|L[IT]|Y[ST]|[MS]R|CO|EX|HL|KD|OZ|RT|TQ|US|WI)|S(?:L[BEV]|[DEH]N|[JOP]M|G[PS]|V[KN]|W[EZ]|Y[CR]|[MU]R|AU|RB|SD|TP)|B(?:L[MRZ]|R[ABN]|E[LN]|G[DR]|H[RS]|[FW]A|DI|IH|MU|OL|TN|VT)|C(?:O[DGKLM]|H[ELN]|A[FN]|Y[MP]|[IP]V|[MX]R|CK|RI|UB|ZE)|A(?:R[EGM]|T[AFG]|L[AB]|N[DT]|U[ST]|BW|FG|GO|IA|SM|ZE)|G(?:R[CDL]|U[FMY]|I[BN]|N[BQ]|[AM]B|BR|EO|GY|HA|LP|TM)|T(?:U[NRV]|C[AD]|K[LM]|[GT]O|[HZ]A|[OW]N|JK|LS)|P(?:R[IKTY]|A[KN]|[HO]L|CN|ER|LW|NG|SE|YF)|N(?:[CPZ]L|I[CU]|[EO]R|AM|FK|GA|LD|RU)|L(?:B[NRY]|[CKV]A|[AS]O|IE|TU|UX)|I(?:R[LNQ]|S[LR]|[DM]N|ND|OT|TA)|K(?:[AG]Z|[IO]R|EN|HM|NA|WT)|E(?:S[HPT]|CU|GY|RI|TH)|V(?:[ACU]T|EN|GB|IR|NM)|D(?:[MZ]A|EU|JI|NK|OM)|F(?:R[AO]|IN|JI|LK|SM)|H(?:[MN]D|KG|RV|TI|UN)|U(?:[GS]A|KR|MI|RY|ZB)|J(?:AM|EY|OR|PN)|R(?:[EO]U|US|WA)|Z(?:AF|MB|WE)|W(?:LF|SM)|OMN|QAT|YEM)\b/R"; classtype:trojan-activity; sid:2019327; rev:6; metadata:created_at 2014_10_01, former_category MALWARE, updated_at 2014_10_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #1"; ja3_hash; content:"c6ecc5ba2a6ab724a7430fa4890d957d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028270; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 ea 18 ab 15 ab 25 ad|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019330; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - iTunes/iBooks #2"; ja3_hash; content:"c07295da5465d5705a38f044e53ef7c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028271; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:6; metadata:created_at 2014_05_13, updated_at 2014_05_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Java 8U91 Update Check, Windows Java Plugin (tested: v8 Update 60), BurpSuite Free (Tested: 1.7.03 on Windows 10), java,studio,eclipse"; ja3_hash; content:"2db6873021f2a95daa7de0d93a1d1bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028272; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"093081b45872912be9a1f2a8163fe041"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028273; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32|29 0D 0A|"; http_header; reference:md5,0cab2e1959a2c9eaa3aed1f2e556bf17; classtype:trojan-activity; sid:2014361; rev:3; metadata:created_at 2012_03_10, updated_at 2012_03_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"2080bf56cb87e64303e27fcd781e7efd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028274; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal; file_data; byte_extract:1,0,size,relative; content:"|00 00 00|"; within:3; content:!"|00|"; within:size; content:"|00|"; distance:size; within:1; pcre:"/^.\x00\x00\x00[a-z0-9]+?\x00/s"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019345; rev:2; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2014_10_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"225a24b45f0f1adbc2e245d4624c6e08"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028275; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyClicker.ClickFraud Query Instructions CnC Response"; flow:established,to_client; content:"|0D 0A 0D 0A|{|22|query|22 3A|"; content:"|22|tasks|22 3A|"; distance:0; content:"|22|referer|22 3A|"; distance:0; content:"|22|useragent|22 3A|"; distance:0; content:"|22|clickurl|22 3A|"; distance:0; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019357; rev:2; metadata:created_at 2014_10_06, former_category MALWARE, updated_at 2014_10_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3afe1fb5976d0999abe833b14b7d6485"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028276; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 57 49 5f fb bc c6 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019360; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"3b844830bfbb12eb5d2f8dc281d349a9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028277; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 31 cd 1f 49 b2 be 4c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019361; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"550628650380ff418de25d3d890e836e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028278; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; depth:27; reference:md5,06b522eacdfe51bed5d041fd672e880f; reference:url,doc.emergingthreats.net/2003603; classtype:trojan-activity; sid:2003603; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5b270b309ad8c6478586a15dece20a88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028279; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.reomesoess.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019363; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"5d7abe53ae15b4272a34f10431e06bf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028280; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk"; depth:3; fast_pattern; pcre:"/^\d+[\r\n]*?$/Rs"; classtype:command-and-control; sid:2015835; rev:7; metadata:created_at 2012_10_23, former_category MALWARE, updated_at 2012_10_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"7c7a68b96d2aab15d678497a12119f4f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028281; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Job314 EK Payload Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/knock"; depth:6; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"Mozilla/5.0 (X11|3b| Ubuntu|3b| Linux x86_64|3b| rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; http_user_agent; classtype:command-and-control; sid:2019286; rev:4; metadata:created_at 2014_09_27, former_category MALWARE, updated_at 2014_09_27;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"88afa0dea1608e28f50acbad32d7f195"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028282; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|junrio.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018719; rev:3; metadata:attack_target Client_and_Server, created_at 2014_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"8ce6933b8c12ce931ca238e9420cc5dd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028283; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|whaugirls.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019388; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java"; ja3_hash; content:"a9fead344bf3ac09f62df3cd9b22c268"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028284; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java/eclipse/STS"; ja3_hash; content:"028563cffc7a3a2e32090aee0294d636"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028285; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - java/JavaApplicationStub"; ja3_hash; content:"5f9b53f0d39dc9d940a3b5568fe5f0bb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028286; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019398; rev:2; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - JavaApplicationStub"; ja3_hash; content:"c376061f96329e1020865a1dc726927d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028287; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET MALWARE Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; fast_pattern; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019399; rev:3; metadata:created_at 2014_10_14, former_category CURRENT_EVENTS, updated_at 2014_10_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - K9 Mail (Android)"; ja3_hash; content:"ced7418dee422dd70d2a6f42bb042432"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028288; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 d5 29 cf 78 44 88 25|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019414; rev:3; metadata:attack_target Client_and_Server, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Kindle/stack/nextcloud"; ja3_hash; content:"e516ad69a423f8e0407307aa7bfd6344"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028289; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|www.arrystreamre.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019466; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 (openSUSE Leap 42.1) 2"; ja3_hash; content:"8194818a46f5533268472f2167ffec70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028290; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 9e 90 15 d2 12 7f c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019477; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.14.18 / Kmail 4.14.18 (openSUSE Leap 42.1) 1"; ja3_hash; content:"78253eb48a1431a4bbbe6bb4358464ac"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028291; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, updated_at 2014_10_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Konqueror 4.8, OpenSSL s_client (tested: 1.0.1f - Ubuntu 14.04TS)"; ja3_hash; content:"0e0b798d0208ad365eec733b29da92a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028292; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRC Bot Common PRIVMSG Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?(?:p[ao]rt|udp|c?tcp|http|d(?:ie|ownload)|mail|c?back|(?:msg|notice)?flood)/Ri"; classtype:trojan-activity; sid:2019486; rev:1; metadata:created_at 2014_10_21, updated_at 2014_10_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LeagueClientUx"; ja3_hash; content:"3959d0a1344896e9fb5c0564ca0a2956"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028293; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9a ba cb 13 6d 76 5b 79|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019504; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"0fe51fa93812c2ebb50a655222a57bf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028294; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0b|"; distance:0; content:"|07|NETWORK"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|144.76.119.48"; distance:1; within:14; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection; classtype:trojan-activity; sid:2019505; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LINE Messaging"; ja3_hash; content:"2e094913d88f0ad8dc69447cb7d2ce65"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028295; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon"; flow:established,to_client; content:".hdd_icon"; content:!"nmap.org"; content:!"seclists.org"; classtype:bad-unknown; sid:2011921; rev:7; metadata:created_at 2010_11_11, updated_at 2010_11_11;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - LogMeIn Client"; ja3_hash; content:"193349d34561d1d5d1a270172eb2d97e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028296; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:4; metadata:created_at 2011_07_18, updated_at 2011_07_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mail app iOS"; ja3_hash; content:"0cbbafcdaf63cbf1e490c4a2d903f24b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028297; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 91 76 a5 11 ca 47 2d|"; within:35; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|04|none"; distance:1; within:5; content:"|55 04 08|"; distance:0; content:"|0c|Someprovince"; distance:1; within:13; reference:md5,35f6b510f94bd96ed9bc44e1f7bf7f38; classtype:trojan-activity; sid:2019506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Marble (KDE 5.21.0 QT 5.5.1 openSUSE Leap 42.1)"; ja3_hash; content:"fc5574de96793b73355ca9e555748225"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028298; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_24, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Maxthon"; ja3_hash; content:"d732ca39155f38942f90e9fc2b0f97f7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028299; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC)"; flow:from_server,established; content:"|55 04 08|"; content:"|0a|Some-State"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0d|cyberwise.biz"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019516; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Messenger/Jumpshare"; ja3_hash; content:"c9dbeed362a32f9a50a26f4d9b32bbd8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028300; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|rikitifer.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019517; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Smartscreen"; ja3_hash; content:"bedb7e0ff43a24272eb0a41993c65faf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028305; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/ZxShell Server Checkin Response"; flow:established,from_server; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019587; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Updater (Windows 7SP1) / TeamViewer 11.0.56083P"; ja3_hash; content:"bff2c7b5c666331bfe9afacefd1bdb51"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028306; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ZxShell Checkin"; flow:established,from_server; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; reference:url,blogs.cisco.com/talos/opening-zxshell/; classtype:command-and-control; sid:2019588; rev:1; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2014_10_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Microsoft Windows Socket (Tested: Windows 10)"; ja3_hash; content:"48cf5fb702315efbfc88ee3c8c94c6cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028307; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|b6 8b ac d3 d7 e0 e7 36 f0 b5 63 65 1e 1a 31 ae|"; offset:16; depth:16; reference:md5,184a9d13616702154fb10ff9c5d67041; classtype:command-and-control; sid:2019589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mj12bot.com"; ja3_hash; content:"11e1137464a4343105031631d470cd92"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028310; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|01 ec 7e 05 1d 5f 65 ab db 1c df 93 99 cd 06 21|"; offset:16; depth:16; reference:md5,09d4c2f1f24fbdcb1c286b2f4c5589d2; classtype:command-and-control; sid:2019590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mobile Safari/537.35+ BB10"; ja3_hash; content:"87c6dda19108d68e526a72d9ae09fb9e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028311; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset:16; depth:16; reference:md5,2b825e46ae60a9d15b5a731e57410425; classtype:command-and-control; sid:2019592; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mono-sgen/Syncplicity/Axure RP 8/Amazon Drive"; ja3_hash; content:"6acb250ada693067812c3335705dae79"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028312; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Keepalive to CnC (Operation SMN Variant)"; flow:established,to_server; dsize:48; content:"|3e 5c d1 68 e7 8c 47 8c ea 2f da 02 fe 43 62 47|"; offset:16; depth:16; reference:md5,afc4d73bde2a536d7a9b7596288ce180; classtype:command-and-control; sid:2019593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_29, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Sync Services (Android)"; ja3_hash; content:"d65ddade944f9acfe4052b2c9435eb85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028313; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 31.5.0)"; ja3_hash; content:"c2116e5bb14394aafbefe12ade9bd8ab"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028314; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 39 70 34 44 e2 04 31|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019603; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla Thunderbird (tested: 38.3.0), ThunderBird (v38.0.1 OS X)"; ja3_hash; content:"6fd163150b060dd7d07add280f42f4ed"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028315; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND set"; flow:established,from_server; content:"|28 00 00 00 00 01 00 00|"; depth:8; flowbits:set,ET.Zberp; flowbits:noalert; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025068; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Mozilla/4.0 MSIE 6.0 or MSIE 7.0 User-Agent"; ja3_hash; content:"de350869b8c85de67a350c8d186f11e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028316; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ropest.H CnC - INBOUND"; flow:established,from_server; flowbits:isset,ET.Zberp; dsize:24; content:"|10 00 00 00 00 01 00 00|"; depth:8; reference:md5,a0d843b52e33ba4f1dc72f5a28729806; classtype:command-and-control; sid:2025069; rev:1; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2017_11_28;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"5bf43fbca3454853c26df6d996954aca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028317; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses (2)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold:type both, track by_src, count 50, seconds 10; reference:md5,5808cc73c78263a8114eb205f510f6a7; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019609; rev:1; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"888ecd3b5821a497195932b0338f2f12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028318; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible EITest Flash Redirect"; flow:established,to_client; file_data; content:"|20|name=|22|EITest|22 20|"; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2014/10/exposing-the-flash-eitest-malware-campaign/; classtype:trojan-activity; sid:2019610; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Edge"; ja3_hash; content:"8d2e46c9e2b1ee9b1503cab4905cb3e0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028319; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.TrojanProxy Configuration file Download"; flow:established,from_server; file_data; content:"@$@"; fast_pattern; within:3; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x40\x24\x40$/Ri"; reference:url,fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html; classtype:trojan-activity; sid:2019631; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MS Office Components"; ja3_hash; content:"f66b0314f269695fe3528ef39a27c158"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028320; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Download.php HTTP Request"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?nd="; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2013197; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0"; ja3_hash; content:"2201d8e006f8f005a6b415f61e677532"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028321; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ROM/BackOff C2 SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed fd 42 65 de 77 35 ea|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware; classtype:command-and-control; sid:2019635; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 10.0 Trident/6.0)"; ja3_hash; content:"7b3b37883b5e80065b35f27888ed2b04"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028322; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F C2"; flow:to_server,established; content:"JOIN #shock 777"; content:"PRIVMSG #shock|20 3a|uid="; distance:0; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:command-and-control; sid:2019637; rev:1; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2014_11_04;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - MSIE 8.0 & 9.0 Trident/5.0)"; ja3_hash; content:"2baf01616e930d378df97576e2686df3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028323; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole TCP Connection"; flow:to_server; classtype:trojan-activity; sid:2019629; rev:2; metadata:created_at 2014_11_03, updated_at 2014_11_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mutt (tested: 1.5.23 OSX)"; ja3_hash; content:"dc7c914e1817944435dd6b82a8495fbb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028324; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shellshock Backdoor.Perl.Shellbot.F retrieval"; flow:to_client,established; file_data; content:"#you got shellshocked???"; depth:24; reference:url,pastebin.com/JpnznR3j; reference:md5,fc230c9f998c196ac6897a979e08c58d; classtype:trojan-activity; sid:2019644; rev:2; metadata:created_at 2014_11_05, updated_at 2014_11_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - mutt"; ja3_hash; content:"6761a36cfa692fcd3bc7d570b23cc168"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028325; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; fast_pattern; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019645; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - NetFlix App on AppleTV (possibly others also)"; ja3_hash; content:"146c6a6537ba4cc22d874bf8ff346144"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028326; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 33 b2 e5 24 44 a4 09|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019648; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node-webkit/Kindle"; ja3_hash; content:"3ee4aaac7147ff2b80ada31686db660c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028330; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 08 2f bd 75 7f 25 39|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019649; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node.js"; ja3_hash; content:"641df9d6dbe7fdb74f70c8ad93def8cc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028331; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e0 62 d9 f2 16 04 d1 be|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019670; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - node.js/Postman/WhatsApp"; ja3_hash; content:"106ecbd3d14b4dc6e413494263720afe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028332; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 de 17 24 ba 29 9a a6 c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019671; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Non-Specific Microsoft Socket"; ja3_hash; content:"1d095e68489d3c535297cd8dffb06cb9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028333; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 db 12 6f 49 21 41 f0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019691; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - NVIDEA GeForce Experience, Windows Diagnostic and Telemetry (also Security Essentials and Microsoft Defender) (Tested Win7)"; ja3_hash; content:"4025f224557638ee81afc4f272fd7577"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028334; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Emotet DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|eu|00|"; distance:19; within:4; fast_pattern; content:"|10|"; distance:-21; within:1; pcre:"/^[a-z]{16}/R"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:trojan-activity; sid:2019692; rev:1; metadata:created_at 2014_11_12, updated_at 2014_11_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - nwjs/Chromium"; ja3_hash; content:"49de9b1c7e60bd3b8e1d4f7a49ba362e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028335; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2014_11_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - One Drive"; ja3_hash; content:"388a4049af7e631f8d36eb0f909de65a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028336; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,from_server; file_data; content:"|7b 22|result|22 3a 7b 22|version|22 3a 22|"; flowbits:isset,ET.WireLurkerUA; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019663; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.01"; ja3_hash; content:"a35c1457421bcfaf5edaccb910bfea1d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028337; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 a5 38 e3 56 d4 39 67|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019708; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OpenConnect version v7.06 / wget 1.17.1-1 (cygwin)"; ja3_hash; content:"07aa6d7cac645c8845d6e96503f7d985"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028338; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 9b 4d b2 c7 f6 6f f2|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019709; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - openssl s_client / msmtp 1.6.2 (openSUSE Leap 42.1)"; ja3_hash; content:"6fffa2be612102d25dbed5f433b8238c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028339; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded in XML"; flow: established,from_server; file_data; content:"bin.base64"; nocase; content:"<file"; nocase; content:"<stream"; nocase; content:"<?xml"; nocase; content:"TVqQA"; fast_pattern; pcre:"/^[A-Za-z0-9\s/+]{100}/Rs"; classtype:trojan-activity; sid:2019716; rev:9; metadata:created_at 2014_11_15, updated_at 2014_11_15;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 10.53  10.60  11.61  11.64  12.02, Presto 2.5.24  2.6.30  2.10.229  2.10.289"; ja3_hash; content:"4e6f7f036fb2b05a50ee8a686b1176a6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028340; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8003,9004:] (msg:"ET MALWARE W32Autorun.worm.aaeh Checkin"; flow:established,to_server; content:"Host|3a| ns1.help"; pcre:"/^Host\x3a\x20ns1\.help(?:update(?:d\.(?:com?|net?|org?)|k\.(?:at?|eu?|tw)|r\.net|s\.com)|checks\.net)/mi"; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=1607456; classtype:command-and-control; sid:2019711; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 11.11  11.52, Presto 2.8.131  2.9.168"; ja3_hash; content:"ceee08c3603b53be80c8afdc98babdd6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028341; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 60 aa 87 c5 4a 56 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|fvhch6y1sszzgbh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019720; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera 12.14 - 12.16, Presto 2.12.388"; ja3_hash; content:"561271bdcbfe68504ce78b38c957eef0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028342; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ce 63 1a 95 03 94 55 2e|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0c|HAMBURG GMBH"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019721; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 (X11 Linux x86_64 U en) Presto/2.6.30 Version/10.60"; ja3_hash; content:"8b475d6105c72827a234fbd47e25b0a3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028343; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 1"; flow:established,from_server; file_data; content:"$$$$"; within:4; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>/Ri"; classtype:command-and-control; sid:2019757; rev:2; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2014_11_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.229 Version/11.62"; ja3_hash; content:"44f37c3ceccb551271bfe0ba6d39426c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028344; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 34 4a fb 16 96 9d 25|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|ewgcetiyu"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019786; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 & Presto/2.10.229"; ja3_hash; content:"a16170ff03466c8ee703dd71feda9bfe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028345; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 90 3b 8c 56 23 94 93|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0b|1234567egeg"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019787; rev:3; metadata:attack_target Client_and_Server, created_at 2014_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.10.289 Version/12.00"; ja3_hash; content:"b237ac4bcc16c142168df03a871677bd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028346; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1913 (msg:"ET MALWARE W32/DoubleTap.APT Downloader Socks5 Setup Request"; flow:established,to_server; content:"|05 01 00|"; depth:3; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019809; rev:2; metadata:created_at 2014_11_26, former_category MALWARE, updated_at 2014_11_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"07715901e2c6fe4c45e7c42587847d5d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028347; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e1 d9 8a 80 b1 c5 98 08|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0f|tvd5w4gytsfheyh"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019810; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Opera/9.80 Presto/2.12.388"; ja3_hash; content:"329ff4616732b84de926caa7fd6777b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028348; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|11|b85937-static.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019811; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - OS X WebSockets"; ja3_hash; content:"43bb6a18756587426681e4964e5ea4bf"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028349; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 b6 2a 4d 61 3d fa c6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|09|vgergvwtd"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019812; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 1"; ja3_hash; content:"3b6da2971936ac24457616e8ad46f362"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028350; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ff 02 6f 9a b5 ff c3 9c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019813; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - osc (python openSUSE Leap 42.1) 2"; ja3_hash; content:"95baa3d2068d8c8da71990a353cf8453"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028351; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f9 f1 2d d7 7c 92 29 6b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019814; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Outlook 2007 (Win 8.1)"; ja3_hash; content:"53eb89fe6147474039c1162e4d9d3dc0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028352; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 5c 3f 2b dc 29 86 c4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019815; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - p4v/owncloud"; ja3_hash; content:"38cbe70b308f42da7c9980c0e1c89656"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028353; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 73 b3 58 98 16 a7 5b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0d|cewceawf2c4ed"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019818; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PaleMoon Browser"; ja3_hash; content:"d82cbe0b93f2b02d490a14f6bc1d421a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028354; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e7 df 16 fb ce 8d dc 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|0c|wrgw4r3gwrgh"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019819; rev:2; metadata:attack_target Client_and_Server, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - parsecd/apple.geod/apple.photomoments/photoanalysisd/FreedomProxy"; ja3_hash; content:"62448833d8230241227c03b7d441e31b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028355; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|03 15 45 cd|"; within:35; content:"|55 04 03|"; distance:0; content:"|14|static-630567398.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019839; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - php script (tested 5.5.27)"; ja3_hash; content:"16765fe48127809dc0ca406769c9391e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028356; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"! SH"; depth:4; pcre:"/^[^\r\n]+?\n$/R"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019298; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pidgin (tested 2.10.11)"; ja3_hash; content:"b74f9ecf158e0575101c16c5265a85b0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028357; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlienSpy RAT Checkin Set"; flow:established,to_server; dsize:4; content:"|ac ed|"; depth:2; flowbits:set,ET.rat.alienspy; flowbits:noalert; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019738; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pocket/Slack/Duo (Android)"; ja3_hash; content:"6ea7cfa450ce959818178b420f59fec4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028358; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE BitCrypt site accessed via .onion SSL Proxy"; flow:established,from_server; content:"|55 04 03|"; content:"kphijmuo2x5expag."; nocase; distance:2; within:17; classtype:trojan-activity; sid:2018399; rev:2; metadata:created_at 2014_04_18, updated_at 2014_04_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Polycom IP Phone Directory Lookup"; ja3_hash; content:"9e41b6bf545347abccf0dc8fd76083a5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028359; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019304; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin"; flow:established,to_server; content:"Clientx|2c 20|Version="; fast_pattern; content:"ProClient.Data"; distance:0; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message"; flow:established,to_client; content:"! UDP "; depth:6; pcre:"/\x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019300; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin Response"; flow:established,to_client; content:"|2c 20|Version="; content:"BlackRAT.Data"; distance:0; fast_pattern; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message"; flow:established,to_client; content:"! TCP "; depth:6; pcre:"/\x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019301; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - postbox-bin"; ja3_hash; content:"e846898acc767ebeb2b4388e58a968d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028404; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message"; flow:established,to_client; content:"! HOLD "; depth:7; pcre:"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019302; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Postfix with StartTLS"; ja3_hash; content:"26fa3da4032424ab61dc9be62c8e3ed0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028405; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019303; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #1 & Apteligent"; ja3_hash; content:"ef48bf8b2ccaab35642fd0a9f1bbe831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028406; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim C2 Client Check-in"; flow:established,to_server; content:"some_magic_code1"; depth:16; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016772; rev:2; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - PubNub data stream #2"; ja3_hash; content:"8cc24a6ff485c62e3eb213d2ca61cf12"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028407; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SpyBanker Infection Confirmation Email"; flow:established,to_server; content:"From|3A 20 22|Bitch Infected|22|"; reference:md5,007eb53d1b0de237f86750a239cae48e; classtype:trojan-activity; sid:2014668; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Pusherapp API"; ja3_hash; content:"12ad03cb3faa2748e92c9a38faab949f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028408; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock.6870 SSL Cert"; flow:from_server,established; content:"|00 cc 05 c7 80 14 cf 3f 50|"; content:"|55 04 08 13 0c|Someprovince"; distance:0; content:"|55 04 07 13 08|Sometown"; distance:0; classtype:trojan-activity; sid:2015795; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_10_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - py2app application (including box.net & google drive clients)"; ja3_hash; content:"ba502b2f5d64ac3d1d54646c0d6dd4dc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028409; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Python Requests Library 2.4.3"; ja3_hash; content:"c398c55518355639c5a866c15784f969"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028410; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - python-requests/2.7.0 CPython/2.6.6 Linux/2.6.32-504.23.4.el6.x86_64"; ja3_hash; content:"1a9fb04aa1b4439666672be8661f9386"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028411; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET MALWARE Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3; metadata:created_at 2014_09_05, former_category CURRENT_EVENTS, updated_at 2014_09_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Qsync Client"; ja3_hash; content:"a7823092705a5e91ce2b7f561b6e5b98"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028412; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019296; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Reported as -"; ja3_hash; content:"4b06b445e3e12cdae777cec815ab90f5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028414; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message"; flow:established,to_client; dsize:12<>15; content:"! SCANNER "; depth:10; pcre:"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019297; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RescueTime/Plantronics Hub"; ja3_hash; content:"c048d9f26a79e11ca7276499ef24daf3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028415; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message"; flow:established,to_client; dsize:13; content:"! GETLOCALIP|0A|"; depth:13; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019295; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App #2"; ja3_hash; content:"90f755509cba37094eb66be02335b932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028416; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 75 54|"; distance:4; within:12; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019740; rev:2; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RingCentral App"; ja3_hash; content:"7743db23afb26f18d632420e6c36e076"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028417; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"! JUNK "; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:command-and-control; sid:2019299; rev:2; metadata:created_at 2014_09_29, former_category MALWARE, updated_at 2014_09_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - RSiteAuditor"; ja3_hash; content:"35c0a31c481927f022a3b530255ac080"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028418; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET MALWARE W32/DoubleTap.APT Downloader CnC Beacon"; flow:established,to_server; content:"|05 01 00 01 c0 b8 3c e5 00 51|"; depth:10; reference:url,www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html; classtype:targeted-activity; sid:2019808; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_11_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2014_11_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ruby script (tested: 2.0.0p481)"; ja3_hash; content:"688b34ca00a291ece0bc07b264b1344c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028419; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE W32/SCKeyLog.InfoStealer Installation Confirmation Via SMTP"; flow:established,to_server; content:"Subject|3A 20|Installation of SC-KeyLog on host"; nocase; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=910563; reference:md5,cc439073eeb244e6bcecee8b6774b672; classtype:trojan-activity; sid:2014354; rev:2; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ruby"; ja3_hash; content:"d219efd07cbb8fbe547e6a5335843f0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028420; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 15525 (msg:"ET MALWARE W32/Keylogger.CI Checkin"; flow:established,to_server; dsize:5; content:"|47 00 46 00 49|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpyWin32/Keylogger.CI#tab=2; reference:url,www.virustotal.com/en/file/95c65d44a2dd717b27c8008470f95fe46637f624b20d9e19e0c06573b94d20f9/analysis/; classtype:command-and-control; sid:2019712; rev:2; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2014_11_15;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 525 - 533  534.57.2, Safari 525.21  525.29  531.22.7  533.21.1  534.57.2 / Adobe Reader DC 15.x Updater"; ja3_hash; content:"cbcd1d81f242de31fd683d5acbc70dca"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028421; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2; metadata:created_at 2014_12_05, former_category CURRENT_EVENTS, updated_at 2014_12_05;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34"; ja3_hash; content:"4c551900711d12c864cfe2f95e1c98c2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028422; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Destover RAT Check-in"; flow:established,to_server; content:"|17 03 01 00 0C E2 C4 Fd D9 E8 E3 F2 9F|"; reference:md5,d1c27ee7ce18675974edf42d4eea25c6; reference:url,www.symantec.com/connect/blogs/destover-destructive-malware-has-links-attacks-south-korea; classtype:trojan-activity; sid:2019878; rev:2; metadata:created_at 2014_12_06, updated_at 2014_12_06;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, rekonq1.1  Arora0.11.0"; ja3_hash; content:"30701f5050d504c31805594fb5c083b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028423; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 62 ab fb 64 b9 bc de|"; within:35; content:"|55 04 03|"; distance:0; content:"|05|USTiD"; distance:1; within:6; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019879; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.34, Safari/537.21"; ja3_hash; content:"41ba55231de6643721fbe2ae25fab85d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028424; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cc)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|cc|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019882; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 534.59.8"; ja3_hash; content:"fb1d89e16f4dd558ad99011070785cce"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028425; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.ws)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ws|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019883; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 536.30.1"; ja3_hash; content:"e2a482fbb281f7662f12ff6cc871cfe7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028426; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.to)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|to|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019884; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.71"; ja3_hash; content:"cc5925c4720edb550491a12a35c15d4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028427; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.in)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|in|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019885; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari 537.78.2"; ja3_hash; content:"88770e3ad9e9d85b2e463be2b5c5a026"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028428; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.hk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|hk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019886; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari"; ja3_hash; content:"c36fb08942cf19508c08d96af22d4ffc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028429; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cn)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ck|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019887; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/534.57.2, hola_svc"; ja3_hash; content:"77310efe11f1943306ee317cf02150b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028430; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.tk)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|tk|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019888; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.1.38 Macintosh, Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c07cb55f88702033a8f52c046d23e0b2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028431; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.so)"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|so|00|"; distance:37; within:4; fast_pattern; content:"|22|"; distance:-39; within:1; pcre:"/^[a-z][a-f0-9]{33}/Ri"; threshold:type both, track by_src, count 12, seconds 120; reference:md5,c5d2a2287424ab9508ae15261020e48d; classtype:trojan-activity; sid:2019889; rev:1; metadata:created_at 2014_12_08, updated_at 2014_12_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Safari/604.3.1 Macintosh/apple.WebKit.Networking,itunesstored"; ja3_hash; content:"3e4e87dda5a3162306609b7e330441d2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028432; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ee 63 19 d5 6a 4c 09 cf|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|UA"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019890; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Salesforce Files"; ja3_hash; content:"844166382cc98d98595e6778c470f5d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028433; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Linux.Turla Download"; flow:from_server,established; flowbits:isset,ET.ELFDownload; content:"__we_are_happy__"; content:"__TREX__STOP__STRING__"; distance:0; content:"/dev/random"; distance:1; within:11; reference:url,securelist.com/blog/research/67962/the-penquin-turla-2/; reference:md5,19fbd8cbfb12482e8020a887d6427315; classtype:targeted-activity; sid:2019896; rev:2; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: hoax Firefox/40.1"; ja3_hash; content:"9a35e493f961ac377f948690b5334a9c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028434; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Cridex CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 00 83 69 b1 31 15 7b|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|176.99.6.57"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019906; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCANNER: wordpress wp-login Firefox/40.1"; ja3_hash; content:"ce5f3254611a8c095a3d821d44539877"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028435; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (smartoptionsinc.com)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|05 11 32 08 1d 81|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019923; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SCRAPER: DotBot"; ja3_hash; content:"d8844f000e5571807e9094e0fcd795fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028436; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (ppc.cba.pl)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 00 81 3d 59 00 8d f2 04 04 8c 3a d3 d0 8e 36 d4 2a|"; distance:9; within:40; content:"|55 04 03|"; distance:0; content:"|06|cba.pl"; distance:1; within:7; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019924; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SeznamBot/3.2"; ja3_hash; content:"6cc3c7debc31952d05ecaacb6021925f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028438; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Dalexis.A Possible SSL Cert (cargol.cat)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 a7 5c ad 38 d2 d7 fe|"; distance:9; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Tirabol Produccions"; distance:1; within:20; reference:md5,ef2f9909c76d32b51598c54d5685af7e; classtype:trojan-activity; sid:2019925; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_12, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 1"; ja3_hash; content:"fa8b8ed07b1dd0e4a262bd44d31251ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028439; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE HawkEye Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| HawkEye Keylogger"; nocase; reference:md5,3bbd5ae250b2d912a701f8d74d85353b; classtype:trojan-activity; sid:2019926; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 2"; ja3_hash; content:"c05809230e9f7a6bf627a48b72dc4e1c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028440; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Beastdoor Keylogger Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; content:"Victim IP-"; reference:md5,ad99a0a85e1410559030464aac390969; classtype:trojan-activity; sid:2019927; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ShadowServer Scanner 3"; ja3_hash; content:"0ad94fcb7d3a2c56679fbd004f6b12cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028441; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Probable Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a 20|Keylogger"; classtype:trojan-activity; sid:2019928; rev:2; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0add6ceb611a7613f97329af3b6828d9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028442; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access unicode (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,!&,0x80,6,relative; content:"|00|_|00|A|00|u|00|t|00|o|00|S|00|h|00|a|00|r|00|e|00|$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019929; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"0b63812a99e66c82a20d30c3b9ba6e06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028443; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Net Crawler SMB Share Access ascii (Operation Cleaver)"; flow:established,to_server; content:"|FF|SMB"; offset:4; depth:4; byte_test:1,&,0x80,6,relative; content:"_AutoShare$"; distance:0; reference:md5,8994e16b14cde144a9cebdff685d8676; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019930; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"109dbd9238634b21363c3d62793c029c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028444; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Win32.Espy Report via SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"SUBJECT|3a| I Q - S P Y KeyLogger ["; content:"victim computer name"; reference:md5,1a9a06b11aa537734931f8098bae6b00; classtype:trojan-activity; sid:2019932; rev:1; metadata:created_at 2014_12_13, updated_at 2014_12_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"11e49581344c117df2c9ceb46e5594c4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028445; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 10001 (msg:"ET MALWARE Win32.Bumrat.B Checkin"; flow:established,to_server; dsize:19; content:"|0f 00 00 00|"; depth:4; content:"mconfig_10"; reference:md5,647edeb30a04eeb30b7f8921645c7369; classtype:command-and-control; sid:2019941; rev:1; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2014_12_16;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"302579fd4ba13eca27932664f66725ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028446; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c8 da 58 e3 bc 80 72 25|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019962; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"badc09d74edf43c0204c4827a038c2fa"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028447; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AGENT.NXNX checkin"; flow:established,to_server; content:"|24 5d 3b 30 2e 29 23 28 30 34 3b 14 1e 14 13 02 0a 54 55 59|"; reference:url,ahnlabasec.tistory.com/1007; classtype:command-and-control; sid:2019964; rev:1; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2014_12_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f59a024cf47fdb835053ebf144189a47"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028448; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Syrian.Slideshow Sending Information via SMTP"; flow:established,to_server; content:"Subject|3a 20|repo|0d 0a|"; content:"filename=|22|mxtd|22|"; reference:md5,f8bfb82aa92ea6a8e4e0b378781b3859; reference:url,citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics; classtype:trojan-activity; sid:2019975; rev:1; metadata:created_at 2014_12_18, updated_at 2014_12_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan"; ja3_hash; content:"f8f522671d2d2eba5803e6c002760c05"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028449; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3; metadata:created_at 2014_12_20, former_category CURRENT_EVENTS, updated_at 2014_12_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.5.23 - OS X)"; ja3_hash; content:"9d5869f950eeca2e39196c61fdf510c8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028450; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 8c 5b 96 3a e7 56 95|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019987; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Shodan, mutt (tested: 1.6.2 OS X)"; ja3_hash; content:"3fcc12d9ee1f75a0212d1d16f7b9f8ad"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028451; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Wiper 2"; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019994; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Signal (tested: 3.16.0 - Android)"; ja3_hash; content:"7dde4e4f0dceb29f711fb34b4bdbf420"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028452; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 1"; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019995; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Signal Chrome App"; ja3_hash; content:"07931ada5b9dd93ec706e772ee60782d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028453; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 2"; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019996; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SkipFish (tested: v2.10b kali)"; ja3_hash; content:"cfb6d1c72d09d4eaa4c7d2c0b1ecbce7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028454; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 3"; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:trojan-activity; sid:2019997; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (additional Win 10)"; ja3_hash; content:"7a75198d3e18354a6763860d331ff46a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028455; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 4"; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2019998; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (multiple platforms)"; ja3_hash; content:"06207a1730b5deeb207b0556e102ded2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028456; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert ip any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 5"; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:trojan-activity; sid:2019999; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype (tested 7.18(341) on OSX)"; ja3_hash; content:"5ef08bc989a9fcc18d5011f07d953c14"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028457; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 8"; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020002; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Skype"; ja3_hash; content:"49a341a21f4fd4ac63b027ff2b1a331f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028458; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 9"; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020003; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack Desktop App"; ja3_hash; content:"c8ada45922a3e7857e4bfd4fc13e8f64"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028459; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 10"; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020004; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"3d72e4827837391cd5b6f5c6b2d5b1e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028460; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 11"; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020005; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"a5aa6e939e4770e3b8ac38ce414fd0d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028461; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 12"; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020006; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slack"; ja3_hash; content:"cdd8179dc9c0e4802f557b62bae73d43"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028462; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3"; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020009; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Slackbot Link Expander"; ja3_hash; content:"22cca8ed59288f4984724f0ee03484ea"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028463; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any [547,8080,133,117,189,159] -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 7"; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020013; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Spark"; ja3_hash; content:"116ffc8889873efad60457cd55eaf543"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028464; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 2"; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020018; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SpiderOak (tested: 6.0.1)"; ja3_hash; content:"f51156bcd5033603e750c8bd4db254e3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028465; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp any any -> any [8000,8080] (msg:"ET MALWARE US-CERT TA14-353A WIPER4"; flow:established,to_server; dsize:42; content:"|28 00|"; depth:2; content:"|04 00 00 00|"; offset:38; depth:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020020; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SpotlightNetHelper/Safari"; ja3_hash; content:"8db4b0f8e9dd8f2fff38ee7c5a1e4496"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028466; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Operation Poisoned Helmand jar download"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jre7u61windows/x86/Update.class"; reference:url,threatconnect.com/news/operation-poisoned-helmand/; classtype:trojan-activity; sid:2020021; rev:2; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 1"; ja3_hash; content:"24339ea346521d98a8c50fd3713090c9"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028469; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE US-CERT TA14-353A Network Propagation Wiper"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"taskhost"; content:".exe"; distance:2; within:4; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020023; rev:1; metadata:created_at 2014_12_23, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 2"; ja3_hash; content:"ad5d6f490f3819dc60b2a2fbe5bd1cba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028470; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 2"; flow:established,to_server; dsize:27; content:"bestpobeda"; depth:10; pcre:"/^[a-f0-9]+$/R"; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020025; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 3"; ja3_hash; content:"1e9557c377f8ff50b80b7f87b60b1054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028471; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Keep-Alive"; flow:established,to_server; dsize:24; content:"|09 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00|"; depth:20; threshold:type both, track by_src, count 1, seconds 120; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020026; rev:2; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2014_12_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - SSLPing Scanner 4"; ja3_hash; content:"c3c59ec21835721c92571e7742fadb88"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028472; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trojan.Nurjax SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.njaxjs.me"; distance:1; within:14; classtype:trojan-activity; sid:2020033; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_12_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Steam OSX"; ja3_hash; content:"39cf5b7a13a764494de562add874f016"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028473; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5e db d7 9c 6d e0 4f|"; distance:0; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020079; rev:2; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Synology DDNS Beacon"; ja3_hash; content:"cab4a6a0c7ac91c2bd9e93cb0507ad4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028474; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category JA3, signature_severity Major, tag c2, updated_at 2019_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9090 (msg:"ET MALWARE Win32.Akdoor Reporting MAC Address"; flow:to_server,established; dsize:20; content:"|01 00 00 00 0c 00 00 00|"; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; reference:md5,f5ba42117dd02f50b12542131dcd8b5f; classtype:trojan-activity; sid:2020081; rev:1; metadata:created_at 2014_12_29, updated_at 2014_12_29;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"2d3854d1cbcdceece83eabd85bdcc056"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028475; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|tdmodsecur.pw"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020075; rev:3; metadata:attack_target Client_and_Server, created_at 2014_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"a585c632a2b49be1256881fb0c16c864"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028476; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Ngrbot.lof Join IRC channel"; flow:to_server,established; content:"NICK New|7B|"; nocase; pcre:"/^\S{2,3}\x2d(XP|2K3|VIS|2K8|W7|ERR)\w?\x2d\w+?\x7D\w+?\r\n?/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,dd05fcd2368d8d410a5b85e8d504a435; classtype:trojan-activity; sid:2016849; rev:3; metadata:created_at 2013_05_14, updated_at 2013_05_14;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tableau"; ja3_hash; content:"cd7c06b9459c9cfd4af2dba5696ea930"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028477; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert udp any any -> 1.1.1.0 80 (msg:"ET MALWARE TROJ_WHAIM.A message"; content:"|57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 57 68 6f 20 61 6d 20 49 3f 20 00|"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2020069; rev:3; metadata:created_at 2014_12_26, updated_at 2014_12_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tenable Passive Vulnerability Scanner Plugin Updater"; ja3_hash; content:"24993abb75ddda7eaf0709395e47ab4e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028478; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fd 0c f3 42 0f 46 07 68|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|xx"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020104; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - TextSecure Name Lookup (Tested: Android)"; ja3_hash; content:"97d3b9036d5a4d7f1fe33fe730f38231"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028479; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 86 c7 7d 23 ec c3 18 fb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020149; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v17.0 OS X)"; ja3_hash; content:"207409c2b30e670ca50e1eac016a4831"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028480; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET 9000:10000 -> $HOME_NET any (msg:"ET MALWARE Win32/Recslurp.D C2 Response"; flow:established,from_server; flowbits:isset,ET.Reslurp.D.Client; content:"|e8 03 00 00|"; depth:4; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020155; rev:2; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2015_01_08;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ThunderBird (v38.0.1 OS X), Thunderbird 38.7.0 (openSUSE Leap 42.1)"; ja3_hash; content:"4623da8b4586a8a4b86e31d689aa0c15"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028481; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin"; flow:established,to_server; content:"BUILD "; depth:6; pcre:"/^(?:MIPS(?:EL)?|POWERPC|ARM|X86)\x0a$/R"; flowbits:set,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; classtype:command-and-control; sid:2019242; rev:2; metadata:created_at 2014_09_26, former_category MALWARE, updated_at 2014_09_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (tested: 5.0.1f - May clash with FF38)"; ja3_hash; content:"0ed768d6e3bc66af60d31315afd423f2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028482; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M JUNK command"; flow:established,to_client ; content:"JUNK "; depth:5; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020162; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Browser (v4.5.3 OS X - based on FF 31.8.0)"; ja3_hash; content:"8c9a7fe81ba61dab1454e08f42f0a004"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028483; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M GETLOCALIP command"; flow:established,to_client ; content:"GETLOCALIP "; depth:11; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020163; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6)"; ja3_hash; content:"5b3eee2766b876e623ba05508d269830"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028484; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M SCANNER command"; flow:established,to_client ; content:"SCANNER "; depth:8; pcre:"/^(?:ON|OFF)/R"; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020164; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor Relay Traffic (tested 0.2.7.6), Tor Uplink (via Tails distro)"; ja3_hash; content:"79f0842a32b359d1b683c569bd07f23b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028485; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M KILLATTK command"; flow:established,to_client ; content:"KILLATTK "; depth:9; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020165; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - tor uplink (tested 0.2.2.35)"; ja3_hash; content:"3b8f3ace50a7c7cd5205af210f17bb70"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028486; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Linux/DDoS.M LOLNOGTFO command"; flow:established,to_client ; content:"LOLNOGTFO "; depth:10; flowbits:isset,ET.lizkebab; reference:md5,5924bcc045bb7039f55c6ce29234e29a; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020166; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tor uplink (tested: 0.2.6.10)"; ja3_hash; content:"659007d8bae74d1053f6ca4a329d25a7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028487; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp any any -> any 1024: (msg:"ET MALWARE Linux/DDoS.M Admin console status"; flow:established,to_client ; content:"|1b 5d 30 3b|Bots connected|3a 20|"; content:"|7c 20|Clients connected|3a 20|"; distance:0; threshold: type both, count 1, seconds 10, track by_src; reference:url,github.com/pop-pop-ret/lizkebab; classtype:trojan-activity; sid:2020167; rev:1; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Tracking something (noted with Dropbox Installer & Skype - Win 10)"; ja3_hash; content:"bc329d2a71e749067424502f1f72e13a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028488; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"ET MALWARE Hong Kong SWC Attack PcClient CnC Beacon"; flow:established,to_server; content:"|BB 4E 4E BC BC BC 7E 7E|"; nocase; offset:160; depth:8; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:command-and-control; sid:2020169; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_01_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"2a458dd9c65afbcf591cd8c2a194b804"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028489; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Office Doc with Embedded VBA containing Reverse Meterpreter Shell"; flow:established,from_server; flowbits:isset,et.DocVBAProject; file_data; content:"windows/meterpreter/reverse_"; nocase; reference:url,github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1; classtype:trojan-activity; sid:2020170; rev:2; metadata:created_at 2015_01_13, former_category MALWARE, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Trident/7.0"; ja3_hash; content:"aea96546ac042f29fed1e2203a9b4c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028490; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 7d f1 a1 50 bc 27 18|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020187; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - True Key"; ja3_hash; content:"df65746370dcabc9b4f370c6e14a8156"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028491; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin"; flow:established,to_server; content:"|00 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"MHz|00|"; distance:0; content:"|20 2a 20|"; distance:-12; within:5; pcre:"/^\d+MHz\x00/R"; content:"|20|MB|00|"; distance:0; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3682; classtype:command-and-control; sid:2020188; rev:1; metadata:created_at 2015_01_15, former_category MALWARE, updated_at 2015_01_15;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Twitterbot/1.0"; ja3_hash; content:"edcf2fd479271286879efebd22bc8d16"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028492; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 36 ff 20 e3 b5 4d 15|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020196; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"633e9558d4b25b46e8b1c49e10faaff4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028493; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Win32.ChinaZ.DDoSClient Checkin"; flow:established,to_server; content:"Windows "; depth:8; content:"|20|MHZ|00|"; fast_pattern; distance:0; content:"|00|Win"; distance:0; content:"|00|"; distance:2; within:2; reference:md5,8643a44febdf73159b2d5c437dc40cd3; classtype:command-and-control; sid:2020209; rev:2; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2015_01_20;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Software Center"; ja3_hash; content:"b9b4d1f7283b5ddc59d0b8d15e386106"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028494; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (URLzone CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b9 84 73 78 53 8f 36 69|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020216; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #1"; ja3_hash; content:"ac206b75530d569a0a64cec378eb4b66"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028495; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 91 eb 37 30 e6 41 f6|"; within:35; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|CN"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|ST"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020217; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #2"; ja3_hash; content:"94feb9008aeb393e76bac31b30af6ad0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028496; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e b5 fa 1e d4 7a 9e 36|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020218; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #3"; ja3_hash; content:"f1b7bbeb8b79cecd728c72bba350d173"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028497; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 1c c2 15 72 83 e3 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020219; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Ubuntu Web Socket #4"; ja3_hash; content:"3f00755c412442e642f5572ed4f2eaf2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028498; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ae 79 0b f9 9e bd 14 a1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020220; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"0e580f864235348848418123f96bbaa0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028499; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin 2"; flow:from_client,established; dsize:260; content:"MB|00 00|"; content:"Windows|20|"; distance:0; content:"V1.0|00 00|"; offset:180; fast_pattern; reference:md5,b9096b87cf643c5f86789d995e9e773d; classtype:command-and-control; sid:2020222; rev:1; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2015_01_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"9a1c3fed39b016b8d81cc77dae70f60f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028500; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 24 74 c1 1f 18 de bb|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020242; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UMich Scanner (can use: zgrab)"; ja3_hash; content:"dc76bc3a4e3bc38939dfd90d8b7214b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028501; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Possible SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|10 6d 7a 85 10 89 c8 6f bb 41 41 46 e6 96 f2 68 cd|"; within:45; content:"|55 04 03|"; distance:0; content:"|10|RibbonLocalHTTPS"; distance:1; within:17; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020243; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unidentified attack tool"; ja3_hash; content:"90f6c4b0577fb24a31bea0acc1fcc27d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028502; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Scieron Retrieving Information Response"; flow:established,from_server; file_data; content:"system"; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})system$/R"; flowbits:isset,ET.Trojan.Scieron.Ret; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020297; rev:2; metadata:created_at 2015_01_23, updated_at 2015_01_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown BrowserStack timeframe SMTP STARTLS"; ja3_hash; content:"7bc3475b771c44c764614397da069d28"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028503; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/AGENT.NXNX Checkin 2"; flow:to_server,established; dsize:200; content:"D|3a 00 00 00|"; offset:7; depth:13; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}D\x3a\x00+?$/"; reference:md5,fdcf0e3e3ad69cdd570387c4ce9aa8b3; reference:url,ahnlabasec.tistory.com/1007; reference:url,global.ahnlab.com/global/upload/download/asecreport/ASEC%20Report_Vol.58_Eng.pdf; classtype:command-and-control; sid:2020303; rev:2; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2015_01_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP server (207.46.100.103)"; ja3_hash; content:"23a9b0eb3584e358816a123c208a2c8b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028504; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 12 4e cf d7 61 de 81|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020307; rev:4; metadata:attack_target Client_and_Server, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown SMTP Server (used by Facebook)"; ja3_hash; content:"26cdef14ec70c2d6ebd943fe8069c4da"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028505; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET 1025 -> $HOME_NET any (msg:"ET MALWARE Possible Mailer Dropped by Dyre SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; reference:md5,dbcdaf617e19d2a35f763ac996cf8cd7; classtype:trojan-activity; sid:2020205; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown Something on Android that talks to Google Analytics"; ja3_hash; content:"335ec05b3ddb3800a8df47641c2d8e33"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028506; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|6|00|f|00|b|00|e|00|8|00|7|00|a|00|-|00|4|00|3|00|7|00|2|00|-|00|1|00|f|00|5|00|1|00|-|00|1|00|0|00|1|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|0|00|4|00|3|00|1|00|2|00|7|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020309; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Unknown TLS Scanner"; ja3_hash; content:"18e9afaf91db6f8a2470e7435c2a1d6b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028507; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Regin Hopscotch Module Accessing SMB Named Pipe (Unicode) 2"; flow:to_server,established; content:"|FF|SMB"; offset:4; depth:4; content:"|00|{|00|4|00|4|00|f|00|d|00|g|00|2|00|3|00|a|00|-|00|1|00|5|00|2|00|2|00|-|00|6|00|f|00|9|00|e|00|-|00|d|00|0|00|5|00|d|00|-|00|1|00|a|00|a|00|f|00|0|00|1|00|7|00|6|00|1|00|3|00|8|00|a|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin; classtype:trojan-activity; sid:2020310; rev:1; metadata:created_at 2015_01_26, updated_at 2015_01_26;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - UNVERIFIED: May be BlueCoat proxy"; ja3_hash; content:"f6bae8bacf93b5e97e80b594ffeba859"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028508; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 10 f0 a9 8b a2 9b 82|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020313; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - urlgrabber/3.10 yum/3.4.3"; ja3_hash; content:"37f691b063c10372135db21579643bf1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028509; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 95 bf 9b 4f 7d 85 0e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020314; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many desktop apps,Quip,Spotify,GitHub Desktop"; ja3_hash; content:"84071ea96fc8a60c55fc8a405e214c0f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028510; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9d 98 f4 2b 01 ee fc d3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020322; rev:2; metadata:attack_target Client_and_Server, created_at 2015_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"40fd0a5e81ebdcf0ec82a4710a12dec1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028511; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 97 45 b9 f1 e8 a9 d8 52|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020331; rev:3; metadata:attack_target Client_and_Server, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"618ee2509ef52bf0b8216e1564eea909"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028512; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.PYO Receiving Config"; flow:established,from_server; file_data; content:"path = "; within:7; content:"|0a|delay = "; distance:0; pcre:"/^\d+\n/R"; content:"hash = "; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020335; rev:2; metadata:created_at 2015_01_30, updated_at 2015_01_30;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"799135475da362592a4be9199d258726"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028513; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BePush/Kilim Checkin response"; flow:established,from_server; file_data; content:"Server_ok"; depth:9; flowbits:isset,ET.FB.troj; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020349; rev:2; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2015_02_03;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"7b530a25af9016a9d12de5abc54d9e74"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028514; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin"; flow:to_server,established; content:"BB2FA36AAA9541F0"; depth:500; reference:url,blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html; classtype:command-and-control; sid:2020381; rev:3; metadata:created_at 2015_02_07, former_category MALWARE, malware_family XorDDoS, updated_at 2015_02_07;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"c05de18b01a054f2f6900ffe96b3da7a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028515; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|msuta64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020173; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"e4d448cdfe06dc1243c1eb026c74ac9a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028516; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole64.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020174; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs on OSX,apple.WebKit.Networking"; ja3_hash; content:"f1c5cf087b959cec31bd6285407f689a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028517; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (ASCII)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|5c|ole.dll"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020175; rev:2; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Python/PHP/Git/dotnet/Adobe"; ja3_hash; content:"488b6b601cb141b062d4da7f524b4b22"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028518; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020176; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Aura/Spotify/Chatty"; ja3_hash; content:"f28d34ce9e732f644de2350027d74c3f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028519; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020177; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Quip/Spotify/Dropbox/GitHub Desktop/etc"; ja3_hash; content:"190dfb280fe3b541acc6a2e5f00690e6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028520; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB Traffic (Unicode)"; flow:to_server,established; content:"|FF|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|5c 00|o|00|l|00|e|00|.|00|d|00|l|00|l"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020178; rev:3; metadata:created_at 2015_01_13, updated_at 2015_01_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Used by many programs/Slack/Postman/Spotify/Google Chrome"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028521; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|16 00|"; distance:0; content:"m|00|s|00|u|00|t|00|a|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:21; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020382; rev:5; metadata:created_at 2015_02_07, former_category MALWARE, updated_at 2015_02_07;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #1"; ja3_hash; content:"2d96ffb535c7c7a30cad924b9b9f2b52"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028522; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|12 00|"; distance:0; content:"o|00|l|00|e|00|6|00|4|00|.|00|d|00|l|00|l"; distance:8; within:17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020383; rev:4; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Valve Steam Client #2"; ja3_hash; content:"ab1fa6468096ab057291aa381d5de2b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028523; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"ET MALWARE Skeleton Key Filename in SMB2 Traffic"; flow:established,to_server; content:"|FE|SMB|40|"; offset:4; depth:5; content:"|0e 00|"; distance:0; content:"o|00|l|00|e|00|.|00|d|00|l|00|l"; distance:8; within:13; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis; classtype:trojan-activity; sid:2020384; rev:2; metadata:created_at 2015_02_07, updated_at 2015_02_07;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Viber"; ja3_hash; content:"e0224fc1c33658f2d3d963bfb0a76a85"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028524; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AlienSpy RAT Checkin"; flow:established,to_server; flowbits:isset,ET.rat.alienspy; content:"|78 70|"; depth:2; content:"|1f 8b 08 00 00 00 00 00 00 00 6d|"; distance:4; within:11; pcre:"/^[\x53\x54]/R"; reference:url,contagiodump.blogspot.com/2014/11/alienspy-java-rat-samples-and-traffic.html?m=1; classtype:command-and-control; sid:2019739; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2014_11_18;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VirtualBox Update Poll (tested 5.0.8 r103449)"; ja3_hash; content:"41e3681b7c8c915e33b1f80d275c19d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028525; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE MSIL/Golroted.B Keylogger FTP"; flow:established,to_server; content:"STOR Logger_"; reference:md5,b2b82fd662dd0ddf53aa37bb9025bf92; classtype:trojan-activity; sid:2020411; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VLC"; ja3_hash; content:"81fb3e51bf3f18c5755146c28d07431b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028526; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE Predator Pain Keylogger FTP"; flow:established,to_server; content:"STOR Predator_Pain"; reference:md5,c9025c9835d1b7d6f0dd2390ea7d5e18; classtype:trojan-activity; sid:2020412; rev:1; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Fusion / Workstation / Player Update Check 8.x-12.x"; ja3_hash; content:"cff90930827e8b0f4e5a6fcc17319954"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028527; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components"; flow:established,from_server; flowbits:isset,ET.Gulcrypt; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020421; rev:2; metadata:created_at 2015_02_13, updated_at 2015_02_13;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMWare Update Check 6.x"; ja3_hash; content:"a50a861119aceb0ccc74902e8fddb618"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028528; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 2"; flow:established,to_server; content:"|00 00|OS|3a 20|"; offset:10; depth:6; fast_pattern; content:"|2c 20|Domain|3a 20|"; distance:0; content:"|2c 20|User|3a 20|"; distance:0; content:"|00|"; distance:0; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020456; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - VMware vSphere Client (Tested v4.1.0)"; ja3_hash; content:"48e69b57de145720885af2894f2ab9e7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028529; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert CnC Traffic"; flow:established,from_server; content:"|55 04 0a|"; content:"|0e|Superfish Inc."; distance:1; within:15; content:"|55 04 03|"; distance:0; content:"|19|*.best-deals-products.com"; distance:1; within:26; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020492; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - vpnkit"; ja3_hash; content:"01319090aea981dde6fc8d6ae71ead54"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028530; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbanak APT CnC Beacon 1"; flow:established,to_server; dsize:24; content:"|08|"; depth:1; byte_extract:1,1,Carbanak.Pivot,relative; byte_test:1,!=,Carbanak.Pivot,0,relative; byte_test:1,=,Carbanak.Pivot,3,relative; content:"|00 00 00 02 00 00 00 00 00 00 00 00 00|"; distance:4; within:13; fast_pattern; content:!"|00 00 00|"; within:3; reference:md5,6ae1bb06d10f253116925371c8e3e74b; reference:url,securelist.com/files/2015/02/Carbanak_APT_eng.pdf; classtype:targeted-activity; sid:2020455; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_02_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 1)"; ja3_hash; content:"10a686de1c41107df06c21df245e24cd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028531; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020564; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 2)"; ja3_hash; content:"f13e6d84b915e17f76fdf4ea8c959b4d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028532; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 94 65 e5 77 66 3b be 2b|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020567; rev:2; metadata:attack_target Client_and_Server, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3af (tested: v1.6.54 Kali 3)"; ja3_hash; content:"345b5717dae9006a8bcd4cb1a5f09891"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028533; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET !1433 (msg:"ET MALWARE Unknown Trojan Downloading PE via MSSQL Connection to Non-Standard Port"; flow:from_server,established; flowbits:isset,ET.MSSQL; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,754b48c57a00b7c9f0e0640166ac7bb5; classtype:trojan-activity; sid:2020569; rev:1; metadata:created_at 2015_02_25, updated_at 2015_02_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator"; ja3_hash; content:"74ebac04b642a0cab032dd46e8099fdc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028534; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a5 39 20 2d fb d7 22|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020582; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3c HTML Validator, java,eclipse"; ja3_hash; content:"4056657a50a8a4e5cfac40ba48becfa2"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028535; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m (tested: 0.5.3 OS X)"; ja3_hash; content:"975ef0826e8485f2335db71873cb34c6"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028536; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cd 0b f5 0a 93 34 88 77|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020625; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 (OS X version)"; ja3_hash; content:"6b4b535249a1dcd95e3b4b6e9e572e5e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028537; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 11 9a 92 44 f0 ee 1a|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020647; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - w3m 0.5.3 / lynx 3.2 / svn 1.8.10 (openSUSE Leap 42.1)"; ja3_hash; content:"575771dbc723df24b764ac0303c19d10"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028538; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious Office doc hidden in XML file"; flow:established,from_server; file_data; content:"<?xml"; within:5; content:"<?mso-application progid=|22|Word.Document|22|?>"; nocase; distance:0; content:"macrosPresent=|22|yes|22|"; distance:0; fast_pattern; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Attackers-concealing-malicious-macros-in-XML-files/; classtype:trojan-activity; sid:2020657; rev:2; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Web"; ja3_hash; content:"0172e9e41a8940e6a809967e4835214a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028539; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Firefox Plug-In Download"; flow:to_client,established; file_data; content:"PK|03 04|"; distance:0; content:"/addon-sdk/"; content:"|00 00|resources|2f|numberchangerfirefox|2f|PK"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020653; rev:3; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"58d97971a14d0520c5c56caa75470948"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028540; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 a3 08 37 22 97 2f 50|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WebKit per Safari 9.0.1 (11601.2.7.2)"; ja3_hash; content:"9ef7a86952e78eeb83590ff4d82a5538"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028541; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 2b 72 5e 83 81 97 47|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - WeeChat"; ja3_hash; content:"8e1172bd5dcc4698928c7eb454a2c3de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028542; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a7 90 ac fd cd 02 3c 0d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020689; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wget (tested GNU Wget 1.16.1 & 1.17 on OS X)"; ja3_hash; content:"5f1d4c631ddedf942033c9ae919158b8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028543; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 a9 58 45 25 d7 de 84|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020697; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wget 1.14 (openSUSE Leap 42.1)"; ja3_hash; content:"70663c6da28b3b9ac281d7b31d6b97c3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028544; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.DDoS Checkin"; flow:established,to_server; dsize:1024; content:"VERSONEX|3a|"; depth:9; content:"|7c|Hacker|00 00 00|"; distance:0; reference:md5,0eab12cebbf1c8f25d82c65f34aab9d7; classtype:command-and-control; sid:2019172; rev:4; metadata:created_at 2014_08_19, former_category MALWARE, updated_at 2014_08_19;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Wii-U"; ja3_hash; content:"444434ebe3f52b8453c3803bff077ebd"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028545; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 74 65 6a f0 91 13 26|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020735; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Win default thing a la webkit"; ja3_hash; content:"c8d1364bba308db5a4a20c65c58ffde1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028546; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|su|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020741; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Win10 Mail Client"; ja3_hash; content:"123b8f4705d525caffa3f2b36447f481"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028547; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Hyteod.acox Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|02|ru|00|"; distance:53; within:4; content:"|32|"; distance:-55; within:1; pcre:"/^[a-z0-9]{50}/R"; threshold: type both, track by_src, count 3, seconds 60; classtype:trojan-activity; sid:2020742; rev:1; metadata:created_at 2015_03_25, updated_at 2015_03_25;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 Native Connection"; ja3_hash; content:"aee020803d10a4d39072817184c8eedc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028548; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 72 08 75 83 27 6f ba|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Ltd|2e|"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020745; rev:2; metadata:attack_target Client_and_Server, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #1"; ja3_hash; content:"205200cdaac61b110838556b834070d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028549; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ac 19 e6 fb 11 28 a2 20|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2020802; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 10 WebSockets (inc Edge) #2"; ja3_hash; content:"5a0fa8873e5ffe7d9385647adc8912d7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028550; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 1"; flow:established,to_server; content:"==gKg5XI+BmK"; depth:12; reference:md5,11657162940dcc1c124e607b0f248039; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020807; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Apps Store thing (unconfirmed)"; ja3_hash; content:"a7b2f0639f58f97aec151e015be1f684"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028551; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 2"; flow:established,to_server; content:"|3C 2A 60|"; depth:3; fast_pattern; content:"|60 2A 3E|"; distance:0; pcre:"/^\x3c\x2a\x60[\x20-\x7e]+\x60\x2a\x3e$/"; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020808; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x Builtin Mail Client"; ja3_hash; content:"0d15924fe8f8950a3ec3a916e97c8498"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028552; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive CnC Beacon 3"; flow:established,to_server; content:">Explosive"; offset:4; depth:10; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020809; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows 8.x TLS Socket"; ja3_hash; content:"a8ee937cf82bb0972fecc23d63c9cd82"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028553; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE IRC Bot dropped by Mikey Variant CnC Beacon"; flow:established,to_server; content:"["; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; content:"|0d 0a|NICK|20|"; pcre:"/^[a-z0-9]+\[\d+\]/R"; content:"-"; distance:0; content:"["; distance:0; pcre:"/^\d+\]\r\n$/R"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020836; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Windows Watson WCEI Telemetry Gather"; ja3_hash; content:"2c14bfb3f8a2067fbc88d8345e9f97f3"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028554; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3460 (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Init"; flow:established,to_server; dsize:256; flowbits:set,ET.Poison1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008380; classtype:command-and-control; sid:2008380; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - wineserver"; ja3_hash; content:"84607748f3887541dd60fe974a042c71"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028555; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET 3460 -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Key Exchange with CnC Response"; flow:established,from_server; dsize:256; flowbits:isset,ET.Poison1; reference:url,doc.emergingthreats.net/2008381; classtype:command-and-control; sid:2008381; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"1202a58b454f54a47d2c216567ebd4fb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028557; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PoisonIvy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yahoo! Slurp Indexer"; ja3_hash; content:"de364c46b0dfc283b5e38c79ceae3f8f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028558; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Initial Connection"; flow:established; dsize:12; content:"/FIRSTINF/|0d0a|"; reference:url,doc.emergingthreats.net/2010344; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Yandex Bot, wget 1.18"; ja3_hash; content:"d83881675de3f6aacbcc0b2bae6f8923"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028559; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Chorns/PoisonIvy related Backdoor Keep Alive"; flow:established; dsize:12; content:"/AVAILABL/|0d0a|"; reference:url,doc.emergingthreats.net/2010345; reference:md5,9fbd691ffdb797cebe8761006b26b572; classtype:trojan-activity; sid:2010345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - youtube-dl 2016.06.03 (openSUSE Leap 42.1)"; ja3_hash; content:"11404429d240670cc018bed04e918b6f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028560; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 1 - May collide with Chrome"; ja3_hash; content:"f8f5b71e02603b283e55b50d17ede861"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028561; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_05, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Zite (Android) 2 - May collide with Chome"; ja3_hash; content:"5ae88f37a16f1b054f2edff1c8730471"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028562; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - ZwiftApp"; ja3_hash; content:"c2b4710c6888a5d47befe865c8e6fb19"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028563; rev:1; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Lets Encrypt Free SSL Cert Observed in Possible Coinhive Javascript Cryptocurrency Mining"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; fast_pattern; content:"|55 04 03|"; distance:0; content:"coin-hive"; within:50; nocase; pcre:!"/#http:\/\/cert.*coinhive/i"; reference:url,coin-hive.com; classtype:policy-violation; sid:2024720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2"; flow:established,to_client; http.header; content:"16723708fc9|0d 0a|X-CalculatedBETarget|3a 20|BY2PR06MB549.namprd06.prod.outlook.com"; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PoisonIvy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)"; flow:established,to_client; http.header; content:"Frontend Proxy|0d 0a|Set-Cookie|3a 20|YSC=LT4ZGGSgKoE|3b|"; fast_pattern; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant FTP upload"; flow:to_server,established; content:"USER "; pcre:"/^(?:(?:menelao|ho[mr]u)s|adair|johan|kweku)\r\n/R"; reference:md5,e175be029dd2b78c059278a567b3ada1; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023911; rev:4; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2017_02_16;)
 
-alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin"; flow:established,to_server; content:"/Update/CC/CC.php"; startswith; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/; classtype:command-and-control; sid:2028604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family GhostMiner, performance_impact Low, signature_severity Major, updated_at 2019_09_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a1 b6 29 6e e4 aa ec fe|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0d\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:command-and-control; sid:2016771; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2013_04_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x86"; content:"|00 00 00 02 00 00 00 00 00 00 32 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020152; rev:2; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Sending UUID and Processes x64"; content:"|00 00 00 02 00 00 00 00 00 00 64 32|"; depth:12; content:"|7b|"; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\x7d/R"; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:trojan-activity; sid:2020153; rev:3; metadata:created_at 2015_01_07, updated_at 2015_01_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|04|gu2m"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020864; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,465,587] (msg:"ET MALWARE Kriptovor SMTP Traffic"; flow:established,to_server; content:"|0d 0a|PC|3a 20|"; content:"|0d 0a|Text|3a 20|"; distance:0; content:"|0d 0a|IP|3a 20|"; distance:0; content:"|0d 0a|TS|3a 20|"; distance:0; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020884; rev:1; metadata:created_at 2015_04_09, updated_at 2015_04_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:social-engineering; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_server; dsize:>68; content:"|41 00 00 00 03|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018426; rev:2; metadata:created_at 2014_04_28, updated_at 2014_04_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2019_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CoinVault CnC Beacon Response"; flow:established,from_server; file_data; content:"eyJrbm9ja3RpbWUiOj"; within:18; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020909; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:exploit-kit; sid:2023036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_09_26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unit42 PoisonIvy Keepalive to CnC"; flow:established,to_server; dsize:48; content:"|b8 98 30 04 e8 10 e5 8c e4 06 39 1b e0 51 96 40|"; offset:16; depth:16; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (1)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; within:2048; classtype:trojan-activity; sid:2020929; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (2)"; flow:established,to_client; file_data; content:"|35 8c 0c 43 e2 1c f7 e4|"; distance:40; within:8; classtype:trojan-activity; sid:2020930; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dalexis downloader encrypted binary (3)"; flow:established,to_client; file_data; content:"|fc 6e 8e d1 0a 7a be 86|"; distance:32; within:8; classtype:trojan-activity; sid:2020931; rev:2; metadata:created_at 2015_04_16, updated_at 2015_04_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|10 58 85 8a 21 5a 27 a4 1f be 8f a1 3a f0 13 c5 94|"; within:40; content:"|55 04 03|"; distance:0; content:"|13|www.tennomewerto.ru"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020932; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.iBryte.BO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do/?event="; depth:22; fast_pattern; content:"&user_id="; distance:0; http.user_agent; content:"download manager"; reference:md5,be6363e960d9a40b8e8c5825b13645c7; classtype:pup-activity; sid:2028633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_09_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -s Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Connection Table"; fast_pattern; content:"Local Name"; distance:0; content:"State"; distance:0; content:"In/Out"; distance:0; content:"Remote Host"; distance:0; content:"Input"; distance:0; content:"Output"; distance:0; classtype:trojan-activity; sid:2020957; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Google Chrome"; ja3_hash; content:"f58966d34ff9488a83797b55c804724d"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028236; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -a Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Remote Machine Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020954; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User Agent (pcsafe)"; flow:established,to_server; content:"User-Agent|3a| pcsafe"; reference:url,doc.emergingthreats.net/2006420; classtype:pup-activity; sid:2006420; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows nbtstat -n Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"NetBIOS Local Name Table"; fast_pattern; content:"Name"; distance:0; content:"Type"; content:"Status"; distance:0; classtype:trojan-activity; sid:2020955; rev:2; metadata:created_at 2015_04_21, updated_at 2015_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT HTTP CnC Beacon Response"; flow:established,from_server; file_data; content:"<--"; within:3; pcre:"/^[A-F0-9]{8,12}/R"; content:"-->|0a|<"; fast_pattern; within:5; flowbits:isset,ET.CozyDuke.HTTP; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020965; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body"; flow:established,to_server; content:"|0d 0a|X-Library|3a| Indy "; content:"Nome do Computador.."; nocase; distance:0; reference:url,doc.emergingthreats.net/2007950; classtype:trojan-activity; sid:2007950; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern; classtype:trojan-activity; sid:2021006; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"ludGVybmV0T3Blb"; fast_pattern; classtype:trojan-activity; sid:2021007; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"JbnRlcm5ldE9wZW"; fast_pattern; classtype:trojan-activity; sid:2021008; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 1"; flow:established,to_server; content:"d2luaW5ldC5kbG"; fast_pattern; classtype:trojan-activity; sid:2021009; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 2"; flow:established,to_server; content:"dpbmluZXQuZGxs"; fast_pattern; classtype:trojan-activity; sid:2021010; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Email Contains wininet.dll Call - Potentially Dridex MalDoc 3"; flow:established,to_server; content:"3aW5pbmV0LmRsb"; fast_pattern; classtype:trojan-activity; sid:2021011; rev:2; metadata:created_at 2015_04_24, updated_at 2015_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CORESHELL Malware Response from server"; flow:from_server,established; file_data; content:"O|00|K|00 00 00|"; within:6; pcre:"/^(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:trojan-activity; sid:2019584; rev:3; metadata:created_at 2014_10_29, updated_at 2014_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TorrentLocker SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a3 3c b6 6e 62 16 33|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,8b2b618a463b906a1005ff1ed7d5f875; classtype:trojan-activity; sid:2021014; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|10 05 86 8b f3 dc 2c ad 1f 00 dd ad fa 27 3c ea d0|"; content:"|55 04 03|"; distance:0; content:"|12|thewinesteward.com"; distance:1; within:19; reference:md5,331bec58cb113999f83c866de4976b62; classtype:trojan-activity; sid:2021015; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bf 88 cb e4 d5 79 99 98|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021016; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"SendCommand"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011200; classtype:attempted-user; sid:2011200; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|terriblekira.su"; distance:1; within:16; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021031; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Login"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011201; classtype:attempted-user; sid:2011201; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lidline.com"; distance:1; within:112; reference:md5,f752cfdc6aa1d3eac013201357ada0f6; classtype:domain-c2; sid:2021032; rev:1; metadata:attack_target Client_and_Server, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBOpen"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011203; classtype:attempted-user; sid:2011203; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Trojan.IptabLex Variant Checkin"; flow:to_server,established; dsize:157; content:"|77|"; depth:1; pcre:"/^[\x01\x03\x08\x09\x0b]\x00/R"; content:"|20 40 20|"; distance:0; content:"Hz"; nocase; within:15; reference:md5,019765009f7142a89af15aaaac7400cc; reference:url,blog.malwaremustdie.org/2014/06/mmd-0025-2014-itw-infection-of-elf.html; classtype:command-and-control; sid:2021050; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBClose"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011204; classtype:attempted-user; sid:2011204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Linux.Mumblehard Spam Command CnC"; flow:to_server,established; content:"POST / HTTP/1."; depth:14; content:"|0d 0a 0d 0a 0f 0f|"; pcre:"/^\d{1,3}[0-2]/R"; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021053; rev:1; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"Snapshot"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011202; classtype:attempted-user; sid:2011202; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre Downloading Mailer 2"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0E|3b 20|.NET4.0C|3b 20|rv|3a|11.0) like Gecko|0d 0a|Host|3a|"; http_header; depth:195; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RHi"; pcre:"/\.tar$/U"; reference:url,www.seculert.com/blog/2015/04/new-dyre-version-evades-sandboxes.html; reference:md5,999bc5e16312db6abff5f6c9e54c546f; classtype:trojan-activity; sid:2021056; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"8214B72E-B0CD-466E-A44D-1D54D926038D"; nocase; distance:0; content:"_DownloadPBControl"; nocase; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011205; classtype:attempted-user; sid:2011205; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ursnif SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|athereforeencourage.pw"; distance:1; within:23; classtype:trojan-activity; sid:2021061; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8d 3d d5 97 44 08 33 d8|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021063; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_15, former_category CURRENT_EVENTS, updated_at 2015_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|10 62 16 fe 1e af 85 65 68 82 0d d7 6f 8e 27 33 02|"; content:"|55 04 03|"; distance:0; content:"|0d|mainbytes.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021086; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a5 12 0c 27 cc 24 bb ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021087; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|roobox.info"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ruckguv.A SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|11 21 e9 a1 69 3a 6e e9 a8 fb a3 ba 5b ee 9d 6e 60 02|"; fast_pattern; content:"|55 04 03|"; content:"|15|elyseeinvestments.com"; distance:1; within:22; reference:md5,1225b8c9b52d4828b9031267939e8260; classtype:trojan-activity; sid:2021097; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_14, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rofin.A CnC traffic (OUTBOUND)"; flow:to_server,established; dsize:>11; content:"|dd aa 99 66|"; depth:4; byte_jump:4,4,relative,little,from_beginning, post_offset -2; isdataat:!2,relative; reference:md5,6b71398418c7c6b01cf8abb105bc884d; classtype:command-and-control; sid:2020671; rev:3; metadata:created_at 2015_03_11, former_category MALWARE, updated_at 2015_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|07|Glasgow"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|06|Glasgo"; distance:1; within:7; content:"|55 04 0a|"; distance:0; content:"|0b|Green Peace"; distance:1; within:12; reference:md5,3cecc935eb92ed03dc9908fc96b0f795; classtype:domain-c2; sid:2021102; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea 29 4d 2c d5 53 a8 8e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021109; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|13|Widgets Numbers PTY"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021112; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|srv2415.domain.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021113; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|11|Facebook Porn PTY"; distance:1; within:18; classtype:domain-c2; sid:2021106; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert ip $HOME_NET any -> [199.2.137.0/24,207.46.90.0/24] any (msg:"ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:4; metadata:created_at 2013_06_11, updated_at 2013_06_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT17 CnC Content in Public Website"; flow:from_server,established; file_data; content:"@MICR0S0FT"; pcre:"/^[a-zA-Z0-9]{8}/R"; content:"C0RP0RATI0N"; within:11; reference:url,github.com/fireeye/iocs/tree/master/APT17; classtype:targeted-activity; sid:2021116; rev:2; metadata:created_at 2015_05_19, former_category MALWARE, updated_at 2015_05_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 19 ef 92 11 51 27 f3|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021121; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaScriptBackdoor SSL Cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b7 2f ae e8 e2 55 b5 bf|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,2a63b3a621d8e555734582d83b5e06a5; classtype:trojan-activity; sid:2021134; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Montana"; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|09|Liverpool"; distance:1; within:10; content:"|55 04 03|"; distance:0; content:"|0e|southnorth.org"; distance:1; within:15; fast_pattern; reference:md5,440e5c0aee33cba3c4707ada0856ff6d; classtype:trojan-activity; sid:2021145; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Linux/Moose Telnet CnC Beacon"; flow:established,to_server; dsize:40; content:"|0e 00 00 00|"; offset:4; depth:4; fast_pattern; content:!"|00|"; within:1; content:!"|00|"; distance:3; within:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:28; content:!"|00 00 00 00|"; depth:4; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021149; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_05_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|ns343677.ip-94-23-16.eu"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021154; rev:3; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Yakes CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bd 4b 4b 98 c9 8b 2f 20|"; within:35; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|webmaster@localhost"; distance:1; within:20; reference:md5,6cdd93dcb1c54a4e2b036d2e13b51216; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021155; rev:2; metadata:attack_target Client_and_Server, created_at 2015_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea d4 96 1c 0a 8b 6f a4|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021175; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (ASCII)"; flow:to_server,established; content:"SMB"; offset:5; depth:4; content:"{AA0EED25-4167-4CBB-BDA8-9A0F5FF93EA8}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021179; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible BlackEnergy Accessing SMB/SMB2 Named Pipe (Unicode)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{|00|A|00|A|00|0|00|E|00|E|00|D|00|2|00|5|00|-|00|4|00|1|00|6|00|7|00|-|00|4|00|C|00|B|00|B|00|-|00|B|00|D|00|A|00|8|00|-|00|9|00|A|00|0|00|F|00|5|00|F|00|F|00|9|00|3|00|E|00|A|00|8|00|}"; distance:0; nocase; reference:url,cyberx-labs.com/wp-content/uploads/2015/05/BlackEnergy-CyberX-Report_27_May_2015_FINAL.pdf; classtype:trojan-activity; sid:2021180; rev:1; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0b|YouPorn Ltd"; distance:1; within:12; content:"|55 04 03|"; distance:0; content:"|0b|pornhub.xxx"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021186; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawfas.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021192; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 01 dc 12 42 31 23 93|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021193; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Qadars WebInject SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|www.freechristmasgifts2014.com"; distance:1; within:31; reference:md5,06588acf0112a84fe5f684bbafd7dc00; classtype:trojan-activity; sid:2021194; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|01 01|"; distance:18; within:2; content:"|55 04 03|"; distance:0; content:"|0d|web.gibnos.pw"; distance:1; within:14; reference:md5,c8131a48e834291be6c7402647250e73; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021196; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:exploit-kit; sid:2011281; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|povawer.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021197; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|laxitr.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021198; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|dazopla.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021199; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|gipladfe.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021208; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|lazeca.biz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021209; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:8; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|zolaxap.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021210; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|babapoti.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021211; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|poknop.us"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021212; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:4; metadata:created_at 2010_09_29, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|10|www.carinsup.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021220; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"7F14A9EE-6989-11D5-8152-00C04F191FCA"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/10767; classtype:attempted-user; sid:2011692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|polasde.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021221; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0a|paxerba.us"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021222; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"DE625294-70E6-45ED-B895-CFFA13AEB044"; nocase; distance:0; content:"SetImage"; nocase; reference:bugtraq,41078; reference:url,doc.emergingthreats.net/2011722; classtype:attempted-user; sid:2011722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|molared.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021223; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|55 04 03|"; content:"|0b|halowsin.us"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021224; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AAFFC4F0-E04B-4C7C-B40A-B45DE971E81E}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021230; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_13, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{AB6172ED-8105-4996-9D2A-597B5F827501}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021231; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{0710880F-3A55-4A2D-AA67-1123384FD859}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021232; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{6C51A4DB-E3DE-4FEB-86A4-32F7F8E73B99}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021233; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"11E7DA45-B56D-4078-89F6-D3D651EC4CD6"; nocase; distance:0; content:".DebugTraceFile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{7F9BCFC0-B36B-45EC-B377-D88597BE5D78}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021234; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (ASCII) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"{57D2DE92-CE17-4A57-BFD7-CD3C6E965C6A}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021235; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_10_02, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 1"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|A|00|F|00|F|00|C|00|4|00|F|00|0|00|-|00|E|00|0|00|4|00|B|00|-|00|4|00|C|00|7|00|C|00|-|00|B|00|4|00|0|00|A|00|-|00|B|00|4|00|5|00|D|00|E|00|9|00|7|00|1|00|E|00|8|00|1|00|E|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021236; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 2"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|A|00|B|00|6|00|1|00|7|00|2|00|E|00|D|00|-|00|8|00|1|00|0|00|5|00|-|00|4|00|9|00|9|00|6|00|-|00|9|00|D|00|2|00|A|00|-|00|5|00|9|00|7|00|B|00|5|00|F|00|8|00|2|00|7|00|5|00|0|00|1|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021237; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 3"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|0|00|7|00|1|00|0|00|8|00|8|00|0|00|F|00|-|00|3|00|A|00|5|00|5|00|-|00|4|00|A|00|2|00|D|00|-|00|A|00|A|00|6|00|7|00|-|00|1|00|1|00|2|00|3|00|3|00|8|00|4|00|F|00|D|00|8|00|5|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021238; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 4"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|6|00|C|00|5|00|1|00|A|00|4|00|D|00|B|00|-|00|E|00|3|00|D|00|E|00|-|00|4|00|F|00|E|00|B|00|-|00|8|00|6|00|A|00|4|00|-|00|3|00|2|00|F|00|7|00|F|00|8|00|E|00|7|00|3|00|B|00|9|00|9|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021239; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 5"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|7|00|F|00|9|00|B|00|C|00|F|00|C|00|0|00|-|00|B|00|3|00|6|00|B|00|-|00|4|00|5|00|E|00|C|00|-|00|B|00|3|00|7|00|7|00|-|00|D|00|8|00|8|00|5|00|9|00|7|00|B|00|E|00|5|00|D|00|7|00|8|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021240; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:4; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+alert tcp any any -> any [139,445] (msg:"ET MALWARE Possible Duqu 2.0 Accessing SMB/SMB2 Named Pipe (Unicode) 6"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|00|{|00|5|00|7|00|D|00|2|00|D|00|E|00|9|00|2|00|-|00|C|00|E|00|1|00|7|00|-|00|4|00|A|00|5|00|7|00|-|00|B|00|F|00|D|00|7|00|-|00|C|00|D|00|3|00|C|00|6|00|E|00|9|00|6|00|5|00|C|00|6|00|A|00|}"; distance:0; nocase; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021241; rev:1; metadata:created_at 2015_06_10, updated_at 2015_06_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:5; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Download June 10 2015"; flow:established,from_server; content:"filename=|22|crypted.120.exe|22|"; http_header; nocase; classtype:trojan-activity; sid:2021244; rev:2; metadata:created_at 2015_06_11, updated_at 2015_06_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:4; metadata:created_at 2011_01_27, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Torrentlocker C2 SSL cert"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b3 b2 82 08 58 32 5e 8e|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,77c99b6f06fe443b72a0efaf8f285e4d; classtype:command-and-control; sid:2021260; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TeslaCrypt MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12 2a 2e|pillspharm24.com"; distance:1; within:19; reference:md5,1b4e97af9f327126146338b8cd21dd86; classtype:domain-c2; sid:2021273; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:4; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Elise SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 03|"; distance:0; content:"|0b|eric-office"; distance:1; within:12; reference:md5,8334f346585aa27ac6ae86e5adcaefa2; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:trojan-activity; sid:2021279; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:2; metadata:created_at 2015_06_19, former_category CURRENT_EVENTS, updated_at 2015_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin Response"; flow:established,from_server; file_data; content:"[Config]|0d 0a|"; within:10; content:"[Process]|0d 0a|1="; distance:0; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021301; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2015_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|howtoe.pw"; distance:1; within:14; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021314; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef ee 78 a7 ef c6 52 20|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|mainsinkhole"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021315; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ DDoS Bot Checkin 2"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; fast_pattern; within:7; content:"MB|00 00 00 00|"; distance:0; content:"M|00 00 00 00|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/R"; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021316; rev:1; metadata:created_at 2015_06_22, former_category MALWARE, updated_at 2015_06_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tcp $HOME_NET any -> [88.53.215.64,217.96.33.164,203.131.222.102,208.105.226.235,212.31.102.100,58.185.154.99,200.87.126.116] any (msg:"ET MALWARE Sony Breach Wiper Callout"; flow:established; threshold:type limit,count 2,track by_src,seconds 300; reference:url,krebsonsecurity.com/2014/12/sony-breach-may-have-exposed-employee-healthcare-salary-data; classtype:trojan-activity; sid:2019848; rev:3; metadata:created_at 2014_12_03, updated_at 2014_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|13|1024sslsecurity.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021339; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|typeofways.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021340; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|digination.info"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021341; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|ssl.savingscore.pw"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021342; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|12|supportupdate.info"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021343; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|17|patient-advertising.com"; distance:1; within:24; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021344; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|pdata-next.ru"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021345; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|live-advert.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021346; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0a|can-ip.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021347; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|pandolin.ru"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021348; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|securebnk.eu"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021349; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|fuxaloba.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021350; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 08|"; distance:0; content:"|07|Indiana"; distance:1; within:8; content:"|55 04 03|"; distance:0; content:"|0d|koalashelp.au"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021353; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8f e3 5b c8 ea 55 d6 4a|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021354; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0b|tsescase.tk"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021355; rev:2; metadata:attack_target Client_and_Server, created_at 2015_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:6; metadata:created_at 2012_08_08, former_category POLICY, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 95 12 ee 90 e8 0f 66|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,22b0d4ff64d3cb3080feb47ce52988e9; classtype:domain-c2; sid:2021375; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Mocelpa Client Hello CnC Beacon"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|54 b4 c9 7b|"; distance:0; content:"|00 00 00 12 00 10 00 00 0d|www.apple.com"; distance:0; reference:url,blog.dragonthreatlabs.com/2015/07/dtl-06282015-01-apt-on-taiwan-insight.html; classtype:command-and-control; sid:2021379; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon"; content:"|7c 2a 26|"; depth:3; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:16; within:1; content:"|7c|"; distance:0; pcre:"/\x7c[a-f0-9]{16}\x7c\d+\x7c$/"; reference:md5,0075c4d976984436443b30926ad818dd; classtype:command-and-control; sid:2021385; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 30 June 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|Passio dpt"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|0b|romantik.it"; distance:1; within:12; reference:md5,0a977dfcb93301f1841dbe2272d3102b; classtype:trojan-activity; sid:2021370; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:command-and-control; sid:2018423; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex SSL Cert 1 July 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|0a|gay rights"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|07|pace.eu"; distance:1; within:12; reference:md5,865164ef97c50bdd8e8740621234a3cf; classtype:trojan-activity; sid:2021372; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0b|"; distance:0; content:"|08|portable"; distance:1; within:9; content:"|55 04 03|"; distance:0; content:"|0b|nintendo.jp"; distance:1; within:12; classtype:trojan-activity; sid:2021388; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:exploit-kit; sid:2020427; rev:3; metadata:created_at 2015_02_16, updated_at 2019_09_27;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Denisca.A CnC Beacon 2"; dsize:37; content:"|2a 26|"; depth:2; content:"|26 5e|"; distance:22; fast_pattern; reference:md5,aaa4304dd5f22a017930a9eeebc8898f; classtype:command-and-control; sid:2021389; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:exploit-kit; sid:2020563; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|disaronnoterrace.es"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021391; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, updated_at 2019_09_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Outbound)"; flow:to_server,established; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wekby PCRat/Gh0st CnC Beacon (Inbound)"; flow:established,to_client; content:"HTTP|5c|1.1 Sycmentec"; depth:18; reference:md5,cfbcb83f8515bd169afd0b22488b4430; reference:url,www.volexity.com/blog/?p=158; classtype:command-and-control; sid:2021396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Major, tag PCRAT, tag Gh0st, tag RAT, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:exploit-kit; sid:2022962; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_12, deployment Perimeter, malware_family PsuedoDarkLeech, signature_severity Major, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (CryptoLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 84 d3 15 4c 18 a1 18 9f|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021397; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"This program cannot be run in DOS mode"; nocase; classtype:bad-unknown; sid:2011865; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0e|protectthegays"; distance:1; within:15; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|08|gay team"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021393; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, signature_severity Critical, tag Exploit_Kit_Sundown, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 89 56 e5 bd 59 77 67|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,40368db3a68f2db17853750e68cfc662; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021411; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 d3 05 ec 6a a7 12 c5|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021417; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/vulnerabilities---threats/heap-spraying-attackers-latest-weapon-of-choice/d/d-id/1132487; classtype:shellcode-detect; sid:2012252; rev:5; metadata:created_at 2011_02_03, former_category SHELLCODE, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:35; content:"|55 04 03|"; distance:0; content:"|0c|cowsgirlz.es"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021426; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|16|Ubiquiti Networks Inc."; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|04|UBNT"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021427; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; endswith; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:command-and-control; sid:2019601; rev:6; metadata:created_at 2014_10_30, former_category MALWARE, updated_at 2014_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; endswith; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3; metadata:created_at 2013_04_19, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible CVE-2015-2424 RTF Dropping Sofacy"; flow:established,from_server; file_data; content:"D0CF11E0A1B11AE1"; nocase; content:"ffffffffff74303074"; nocase; distance:0; fast_pattern; reference:md5,112c64f7c07a959a1cbff6621850a4ad; reference:url,isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:targeted-activity; sid:2021431; rev:2; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2015_07_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; endswith; classtype:command-and-control; sid:2021057; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|httpsgatevalidator.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021436; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Tsyrval Panda CnC Beacon"; flow:established,to_server; content:"|75 1C 11 10 75 01 14 07 12 58 5F|"; offset:3; depth:14; classtype:command-and-control; sid:2021437; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_07_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|expresstrevel.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021445; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; endswith; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:command-and-control; sid:2023429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family Hworm, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d9 07 45 6b c2 ad 90 a1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021446; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/DDoS.Sotdas/IptabLex Checkin"; flow:to_server,established; dsize:296; content:"|72 8D 90 89 7E D6|"; offset:224; depth:6; fast_pattern; content:"|b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6 b6|"; reference:md5,f7556d9ede5d988400b1edbb1a172634; classtype:command-and-control; sid:2021049; rev:2; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2015_05_04;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Checkin"; flow:established,to_server; content:"|73 72|"; depth:2; content:"|00 05|value"; distance:0; pcre:"/\x00\x05value$/"; classtype:command-and-control; sid:2021503; rev:1; metadata:created_at 2015_07_22, former_category MALWARE, malware_family QRat, updated_at 2018_03_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"zugzwang.me"; nocase; endswith; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving Command 1"; flow:established,from_server; dsize:16; content:"|00 0d|giveClientMac"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021504; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; endswith; threshold: type both, track by_src, count 10, seconds 30; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java/QRat Receiving No Commands"; flow:established,from_server; dsize:10; content:"|00 07|nothing"; offset:1; fast_pattern; classtype:trojan-activity; sid:2021505; rev:1; metadata:created_at 2015_07_22, former_category TROJAN, malware_family QRat, updated_at 2018_03_06;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|06|coffee"; distance:1; within:7; content:"|55 04 0b|"; distance:0; content:"|07|it dept"; distance:1; within:8; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021512; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|eurotranstele.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021515; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category EXPLOIT, malware_family ETERNALBLUE, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0a|littlepony"; distance:1; within:11; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0a|just cause"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021514; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|promotion-statistics.mobi"; distance:1; within:26; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021516; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|data-stats-collector.biz"; distance:1; within:25; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021517; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Dridex SSL Cert"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|04|clan"; distance:1; within:5; content:"|55 04 0b|"; distance:0; content:"|06|bushes"; distance:1; within:7; fast_pattern; reference:md5,a5f7d314e2b996b69751a4e46503c644; classtype:trojan-activity; sid:2021518; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|07|dinasty"; distance:1; within:8; content:"|55 04 0b|"; distance:0; content:"|0d|klintons team"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021519; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; endswith; reference:url,www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1; classtype:command-and-control; sid:2027366; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 27 d2 2d d7 bd cb 5c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021525; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1 CnC Checkin"; flow:established,to_server; dsize:7; content:"ilove26"; depth:7; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027834; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xyligan Checkin"; flow:to_server,established; dsize:16; content:"|00 00 00 11 C8 00 00 00|"; depth:8; reference:md5,2190a2c0a3775bc9c60629ec2eb6f3b9; reference:md5,bfbc0b106a440c111a42936906d36643; classtype:command-and-control; sid:2012842; rev:3; metadata:created_at 2011_05_25, former_category MALWARE, updated_at 2011_05_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 CnC Checkin"; flow:established,to_server; dsize:12; content:"aWxvdmUyNg=="; depth:12; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027835; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|09|Microsoft"; distance:1; within:10; fast_pattern; content:"|55 04 0b|"; content:"|0b|Widgits pty"; distance:1; within:12; reference:md5,32230d747829dcf77841f594aa54915a; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021529; rev:3; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin"; flow:established,to_server; dsize:24; content:"d3ec7975f76aefdbfcdc3c3e"; depth:24; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027836; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa ad 0a 9f da 99 c2 e3|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021541; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogalaxyzone.com"; dns_query; content:"photogalaxyzone.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016606; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a4 3d 09 0a 4c 60 be 70|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021546; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insightpublicaffairs.org"; dns_query; content:"insightpublicaffairs.org"; depth:24; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016620; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (VMZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|contactcitywell.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021553; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain seyuieyahooapis.com"; dns_query; content:"seyuieyahooapis.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016624; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|09|democracy"; distance:1; within:10; content:"|55 04 0b|"; distance:0; content:"|09|obamacare"; distance:1; within:10; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021563; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dailynewsjustin.com"; dns_query; content:"dailynewsjustin.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016627; rev:4; metadata:created_at 2013_03_20, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|srvreq.com"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021565; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hi-tecsolutions.org"; dns_query; content:"hi-tecsolutions.org"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016628; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|www.pohiola.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021566; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"njdyqrbioh.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018270; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d8 17 61 5f e5 c3 b3 2c|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021567; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"vqvsaergek.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018265; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 29 bf 95 40 97 37 f9|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021568; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"pbcgmmympm.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018266; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 0e 11 0a 91 e9 ea 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019604; rev:2; metadata:attack_target Client_and_Server, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"tyixfhsfax.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018268; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c0 15 80 14 58 47 62 12|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020961; rev:2; metadata:attack_target Client_and_Server, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qgjhmerjec.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018269; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|uktranstele.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021530; rev:2; metadata:attack_target Client_and_Server, created_at 2015_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"btloxcyrok.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018271; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|safeboxkeyltd.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021592; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"afwyhvinmw.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018272; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|safecitysup.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021593; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"wyfxanxjeu.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018273; rev:11; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|89.104.95.236"; distance:1; within:14; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021594; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|08|Monsanto"; distance:1; within:9; content:"|55 04 0b|"; distance:0; content:"|0b|SmartPhones"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021596; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (regicsgf.net)"; dns_query; content:"regicsgf.net"; depth:12; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:7; metadata:created_at 2012_04_16, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|enfinetoner.com"; distance:1; within:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021598; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.gowin7.com"; dns_query; content:".gowin7.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|ta-portfolio.com"; distance:1; within:17; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021599; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.secuurity.net"; dns_query; content:".secuurity.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gallinj.com"; distance:1; within:12; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021602; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.dataspotlight.net"; dns_query; content:".dataspotlight.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:7; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 e5 ff f2 10 0a 35 d0|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021603; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.datajunction.org"; dns_query; content:".datajunction.org"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:6; metadata:created_at 2012_08_13, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.enfinetoner.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021604; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup hotfix-update.com"; dns_query; content:"hotfix-update.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019570; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker GET CnC Beacon"; flow:established,to_server; content:"GET /"; depth:5; content:".php HTTP/1."; distance:0; fast_pattern; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HOST|3a|"; distance:3; within:5; pcre:"/^[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/Rmi"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021585; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas haarmannsi.cz"; dns_query; content:"haarmannsi.cz"; depth:13; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:4; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; content:"|55 04 0b|"; distance:0; content:"|05|poker"; distance:1; within:6; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021622; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas sanygroup.co.uk"; dns_query; content:"sanygroup.co.uk"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 23 8b 36 d0 72 53 df|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:command-and-control; sid:2021623; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2016_07_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (casinoroyal7.ru)"; dns_query; content:"casinoroyal7.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|presidentjunction.org"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021633; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; dns_query; content:"cryptdomain.dp.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|tradingdelivery.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021635; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru)"; dns_query; content:"it-newsblog.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 e2 af 07 71 4b 6c 75|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021636; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (js-static.ru)"; dns_query; content:"js-static.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Redyms CnC)"; flow:established,from_server; content:"|55 04 06|"; content:"|02|US"; distance:1; within:3; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|0e|MyCompany Inc."; distance:1; within:15; content:"|55 04 03|"; content:"|02|*."; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021634; rev:3; metadata:attack_target Client_and_Server, created_at 2015_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com)"; dns_query; content:"lagosadventures.com"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|lastinstanse.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021686; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru)"; dns_query; content:"lebanonwarrior.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|deliverytrading.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021687; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net)"; dns_query; content:"nigerianbrothers.net"; depth:20; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f3 d9 2f af b4 8c 02 29|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021688; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net)"; dns_query; content:"princeofnigeria.net"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|contrarypresidentstspea.info"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021695; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (royalgourp.org)"; dns_query; content:"royalgourp.org"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0e|mojojantes.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021703; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru)"; dns_query; content:"tweeter-stat.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 91 48 c0 28 b4 2b 86 c7|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021704; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy1-1-1.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|0d|serenyefa.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021705; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy2-2-2.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|1a|becomesthelegislatures.org"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021706; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy3-3-3.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 f0 c2 3d 49 5e bb 16|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021717; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy4-4-4.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilGrab/Vidgrab Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:command-and-control; sid:2017413; rev:3; metadata:created_at 2013_09_04, former_category MALWARE, updated_at 2013_09_04;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy5-5-5.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b6 45 0c e4 b7 4c af d5|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021722; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (blackblog.chatnook.com)"; dns_query; content:"blackblog.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|hasselbladolsonson.com"; distance:1; within:23; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021721; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (bulldog.toh.info)"; dns_query; content:"bulldog.toh.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ssldata.ru"; distance:1; within:11; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021720; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (cew58e.xxxy.info)"; dns_query; content:"cew58e.xxxy.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021725; rev:2; metadata:created_at 2015_08_27, former_category EXPLOIT_KIT, updated_at 2015_08_27;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (dynamic.ddns.mobi)"; dns_query; content:"dynamic.ddns.mobi"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon Response"; flow:established,to_client; file_data; content:"---!!!INSERTED!!!---"; within:20; reference:md5,ee90ec9935c7b8e1a5dad364d4545851; classtype:command-and-control; sid:2021724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_08_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (football.mrbasic.com)"; dns_query; content:"football.mrbasic.com"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Aug 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|07|Arizona"; fast_pattern; distance:1; within:8; content:"|55 04 07|"; distance:0; content:"|0a|Scottsdale"; distance:1; within:11; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}\x30/Rs"; classtype:trojan-activity; sid:2021621; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (gjjb.flnet.org)"; dns_query; content:"gjjb.flnet.org"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:targeted-activity; sid:2021726; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (imirnov.ddns.info)"; dns_query; content:"imirnov.ddns.info"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:targeted-activity; sid:2021727; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (jingnan88.chatnook.com)"; dns_query; content:"jingnan88.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:targeted-activity; sid:2021728; rev:2; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2015_08_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (lehnjb.epac.to)"; dns_query; content:"lehnjb.epac.to"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b4 ff d7 c2 ee b9 dd f0|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021731; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.25u.com)"; dns_query; content:"logoff.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d7 5d 30 37 a7 6b 0d 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021732; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ls910329.my03.com)"; dns_query; content:"ls910329.my03.com"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|bri-secure.com"; distance:1; within:15; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021733; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mailru.25u.com)"; dns_query; content:"mailru.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|kingddomdirect.com"; distance:1; within:19; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021734; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (Markshell.etowns.net)"; dns_query; content:"Markshell.etowns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Boaxxe.BR CnC Beacon"; flow:established,to_server; content:"|7c|CM01|7c|CM02|7c|CM03|7c|"; content:!">"; reference:md5,ec38ae7c35be4d7f8103bf1db692d2f8; classtype:command-and-control; sid:2021748; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mydear.ddns.info)"; dns_query; content:"mydear.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ef 7e c0 ae 97 cf ff 23|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021750; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (nazgul.zyns.com)"; dns_query; content:"nazgul.zyns.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d4 45 4d a6 49 0c f1 ed|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021751; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newdyndns.scieron.com)"; dns_query; content:"newdyndns.scieron.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid"; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; http_header; within:20; classtype:trojan-activity; sid:2012136; rev:10; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|fiopol.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021767; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (photocard.4irc.com)"; dns_query; content:"photocard.4irc.com"; depth:18; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.creditoc.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021769; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (pricetag.deaftone.com)"; dns_query; content:"pricetag.deaftone.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|static.coopsrv.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021770; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (rubberduck.gotgeeks.com)"; dns_query; content:"rubberduck.gotgeeks.com"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 20 1c 21 75 01 8e 93|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021771; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (shutdown.25u.com)"; dns_query; content:"shutdown.25u.com"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text"; flow:established,from_server; file_data; content:"4D5A"; distance:0; byte_jump:8,114,relative,multiplier 2,little,string,hex; content:"50450000"; distance:-126; within:8; classtype:trojan-activity; sid:2021774; rev:2; metadata:created_at 2015_09_15, updated_at 2015_09_15;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sorry.ns2.name)"; dns_query; content:"sorry.ns2.name"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|stat.coopswiss.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021776; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sskill.b0ne.com)"; dns_query; content:"sskill.b0ne.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|online.centersu.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021777; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-First.flnet.org)"; dns_query; content:"text-First.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2021778; rev:2; metadata:created_at 2015_09_15, former_category EXPLOIT_KIT, updated_at 2015_09_15;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (uudog.4pu.com)"; dns_query; content:"uudog.4pu.com"; depth:13; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|menardgevu.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021779; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (will-smith.dtdns.net)"; dns_query; content:"will-smith.dtdns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|menardgevu.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021780; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ndcinformation.acmetoy.com)"; dns_query; content:"ndcinformation.acmetoy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|feedfeed.name"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021781; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (service.authorizeddns.net)"; dns_query; content:"service.authorizeddns.net"; depth:25; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|my.ubscard.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021782; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-first.trickip.org)"; dns_query; content:"text-first.trickip.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|disaallowmediapartners.mn"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021783; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; dns_query; content:"boltotor.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f2 49 34 bb 25 38 61 40|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021784; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; dns_query; content:"bonytor2.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert tcp any any -> $HOME_NET 80 (msg:"ET MALWARE SYNful Knock Cisco IOS Router Implant CnC Beacon (INBOUND)"; flow:established,to_server; content:"|00 00 00 00|text|00|"; byte_jump:4,0,relative,post_offset -1; isdataat:!2,relative; reference:url,fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html; classtype:command-and-control; sid:2021785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; dns_query; content:"speecostor.com"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Iron Tiger DNSTunnel Retrieving CnC"; flow:established,from_server; file_data; content:"$$$$$$$$$$"; fast_pattern; pcre:"/^(?:#+[A-Z]+)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\${10}/R"; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021789; rev:2; metadata:created_at 2015_09_17, former_category MALWARE, updated_at 2015_09_17;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (expert.4irc.com)"; dns_query; content:"expert.4irc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:5; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
+alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET MALWARE PlugX UDP CnC Beacon"; dsize:36; content:"|00 00 50 00 02 00 00 00 00 04 00 00 00 10 00 00 00 00 00 00|"; depth:20; content:!"|00 00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:13; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021791; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (msupdate.ath.cx)"; dns_query; content:"msupdate.ath.cx"; depth:15; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nntpdinfo.pw"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021797; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; dns_query; content:"karpeskmon.dyndns.org"; depth:21; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|reportingdelivery.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021798; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; dns_query; content:"isaserver.minrex.gov.cu"; depth:23; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|localinstanse.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021799; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (operaa.net)"; dns_query; content:"operaa.net"; depth:10; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:4; metadata:created_at 2015_10_08, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|healthweather.name"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021801; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; dns_query; content:"appeur.gnway.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:4; metadata:created_at 2015_10_16, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f0 83 4c 61 ec 09 e6 03|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021802; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (mail.cbppnews.com)"; dns_query; content:"mail.cbppnews.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:4; metadata:created_at 2015_12_17, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021803; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (kugo.f3322.net)"; dns_query; content:"kugo.f3322.net"; depth:14; nocase; endswith; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f1 03 f7 ce 62 9d fb 5a|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021804; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (yk.ftwxw.com)"; dns_query; content:"yk.ftwxw.com"; depth:12; nocase; endswith; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Rovnix CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|cherniypoyas.ru"; distance:1; within:16; reference:md5,080db9578ea797cd231bc1160d3824f1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021805; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 2"; dns_query; content:"aaa123.spdns.de"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|sslsecureserver.eu"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021809; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 3"; dns_query; content:"accounts.yourturbe.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|uplinkadv.eu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021810; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 4"; dns_query; content:"account.websurprisemail.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Meterpreter or Other Reverse Shell SSL Cert"; flow:established,from_server; content:"|0b|"; content:"|04 08 bb 00 ee|"; distance:23; within:5; fast_pattern; content:"|55 04 06 13 00|"; distance:0; content:"|55 04 08 13 00|"; distance:0; content:"|55 04 07 13 00|"; distance:0; content:"|55 04 0a 13 00|"; distance:0; content:"|55 04 0b 13 00|"; distance:0; content:"|55 04 03 13 00|"; distance:0; reference:md5,c3f76f444edf0b90b887d7979342e9f0; classtype:trojan-activity; sid:2035651; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 5"; dns_query; content:"addi.apple.cloudns.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|55 1d 11|"; content:"|10|blatnoidomen.com"; distance:5; within:22; fast_pattern; reference:url,sslbl.abuse.ch; reference:md5,8217cc4fc3d5781206becbef148154ea; classtype:domain-c2; sid:2021815; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 7"; dns_query; content:"apple.lenovositegroup.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fc 56 1e 02 6c d4 e2 22|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,e448572aea062241c80dd2a15562e968; classtype:domain-c2; sid:2021816; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 8"; dns_query; content:"bailee.alanna.cloudns.biz"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.fortamola.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021817; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business--testing.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021818; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 10"; dns_query; content:"bits.githubs.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 96 99 38 87 d8 6a ee a7|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; reference:md5,ead31d4cbbd79466359d46694a9d56d3; classtype:domain-c2; sid:2021819; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 11"; dns_query; content:"book.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 82 a8 3c 4c d7 28 96 34|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021824; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 12"; dns_query; content:"clean.popqueen.cloudns.org"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|e-securepass.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021825; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 13"; dns_query; content:"desk.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|contactexchangenetwork.biz"; distance:1; within:27; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021826; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 14"; dns_query; content:"detail43.myfirewall.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cserhtmlordi.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021827; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 18"; dns_query; content:"economy.spdns.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 06 34 93 99 f8 54 f2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0b|Companyname"; distance:1; within:12; reference:md5,c7872508eededb17cf864886270fd3e9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021828; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 19"; dns_query; content:"eemete.freetcp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0f|adtejoyo1377.tk"; distance:1; within:17; reference:md5,b40fc2d1f343affad7bc02ae9b37cd89; classtype:domain-c2; sid:2021842; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 21"; dns_query; content:"firewallupdate.firewall-gateway.net"; depth:35; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 b1 f4 fe 4c 79 ed e9 98|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021843; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 22"; dns_query; content:"fish.seafood.cloudns.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|00 9e 0c 1c 4c 8a d4 41 f7|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,bfd8db9ed284deb64c9e4fc5bfa758bd; reference:url,www.csis.dk/da/csis/news/4726/; classtype:domain-c2; sid:2021844; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 23"; dns_query; content:"ftp112.lenta.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|usercheck.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021845; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 28"; dns_query; content:"mail.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 86 21 67 18 96 8a 67 e1|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,4568bc3e9c1a24ba792666ad1c620560; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021863; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 29"; dns_query; content:"mareva.catherine.cloudns.us"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 fa 10 e1 67 c6 9a 67 1b|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:md5,c55a60bb04a449eb8bc182f52124c341; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021864; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 30"; dns_query; content:"mm.lenovositegroup.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|legallyjumps.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021865; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 31"; dns_query; content:"muslim.islamhood.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|inbancosistems.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021866; rev:2; metadata:attack_target Client_and_Server, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 32"; dns_query; content:"news.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d5 f9 a6 1a fa 1e 76 c6|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,0453512c8c3bb940e8c40833d1076353; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021867; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 35"; dns_query; content:"p.klark.cloudns.in"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 eb 96 25 e5 32 57 ee 34|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,77ebe2b014baf75e45c3009b0d42fa5d; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021868; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 36"; dns_query; content:"ppcc.vasilevich.cloudns.info"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 d3 1b a5 8f 1d d7 30 48|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021869; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 37"; dns_query; content:"press.ufoneconference.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|protecteding.su"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021884; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 38"; dns_query; content:"qq.yourturbe.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|convertcodenj.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021885; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 39"; dns_query; content:"sys.firewall-gateway.net"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a2 62 91 f3 d9 eb d2 e8|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021887; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 40"; dns_query; content:"vip.yahoo.cloudns.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 ba bc c3 80 e0 57 54 de|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021888; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 43"; dns_query; content:"www.angleegg.xxxy.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Winlock/Torrentlocker SSL Cert"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; reference:md5,eeda4fa2b6f054acfce0dbc25493c366; reference:url,www.csis.dk/da/csis/news/4726/; classtype:trojan-activity; sid:2021894; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 48"; dns_query; content:"www.uyghuri.MrFace.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 10 44 fc ef 4e 6d 2a|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021895; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 49"; dns_query; content:"youturbe.co.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 dc 1a a4 07 08 2a 43 10|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021896; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 50"; dns_query; content:"yycc.mrbonus.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 2a 97 16 3f bd a5|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021897; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns_query; content:"tally.myfirewall.org"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:4; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|bannerexchangenet.pw"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021898; rev:4; metadata:attack_target Client_and_Server, created_at 2015_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns_query; content:"accountgoogle.firewall-gateway.com"; depth:34; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 95 51 3e 68 35 08 62 53|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021902; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns_query; content:"filegoogle.firewall-gateway.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c6 4e a8 c7 a0 db 38 64|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021903; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; dns_query; content:"spl.noip.me"; depth:11; nocase; endswith; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:4; metadata:created_at 2016_04_19, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|8192bitssl.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021904; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; dns_query; content:"leeh0m.org"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 01 80 9e 81 6b f8 7c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021909; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; dns_query; content:"ur232dkkwpdkwp.xyz"; depth:18; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:command-and-control; sid:2022831; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|1networkgate.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021910; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|golantus.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021911; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 1"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|Priv|20|Version"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021912; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; dns_query; content:"adjust-local-settings.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 2"; flow:established,from_server; content:"NOTICE"; content:"|3a|muBoT|20|says|20|"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021913; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bbc-africa .com)"; dns_query; content:"bbc-africa.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 3"; flow:established,from_server; content:"NOTICE"; content:"|3a|[Apache / PHP 5.x"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021914; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; dns_query; content:"checkinonlinehere.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:command-and-control; sid:2023104; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category MALWARE, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 4"; flow:established,from_server; content:"NOTICE"; content:"FLOOD <target> <port> <secs>"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021915; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (googleplay-store .com)"; dns_query; content:"googleplay-store.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE ELF/muBoT IRC Activity 5"; flow:established,from_server; content:"NOTICE"; content:"|3a|Flooding with TCP"; fast_pattern; distance:0; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021916; rev:1; metadata:created_at 2015_10_06, updated_at 2015_10_06;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; dns_query; content:"turkeynewsupdates.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 f7 36 c4 05 31 ea 21 d3|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021920; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (unonoticias .net)"; dns_query; content:"unonoticias.net"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 88 f8 8a 58 16 c2 f5 89|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021921; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; dns_query; content:".s3clm4lufbmfhmeb"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2023154; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|fidobeta.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021924; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; dns_query; content:"winmeif.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|makaronypolskie.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021925; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; dns_query; content:"samsung.ddns.me"; depth:15; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|crenuva.net"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021926; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; dns_query; content:"gtldsfs.com "; depth:12; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET MALWARE MSIL/Banker.M Requesting Binary from SQL"; flow:established,to_server; content:"S|00|E|00|L|00|E|00|C|00|T|00 20 00|i|00|m|00|g"; content:"F|00|R|00|O|00|M|00 20 00|d|00|b|00|o|00 2e 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 20 00|"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021930; rev:1; metadata:created_at 2015_10_08, updated_at 2015_10_08;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; dns_query; content:"cdnfastnetwork.com"; depth:18; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (HTTPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{HTTPFLOOD}"; fast_pattern; nocase; content:"Started consuming data from host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021872; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns_query; content:"aterdunst.com"; depth:13; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023330; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021874; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; dns_query; content:"webmail.duia.in"; depth:15; nocase; endswith; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, malware_family Ceatrg, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (AUTH)"; flow:established,from_server; content:"PRIVMSG"; content:"] {AUTH} User"; fast_pattern; distance:0; nocase; content:"logged "; distance:0; pcre:"/^(?:in|out)/R"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021875; rev:5; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"vmdefmnsndoj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RAW)"; flow:established,from_server; content:"PRIVMSG"; content:"{RAW}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021876; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"lvfjcwwobycj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (EXEC)"; flow:established,from_server; content:"PRIVMSG"; content:"{EXEC}"; fast_pattern; nocase; content:"Executing command|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021877; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"qjqubpciajoc.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (CHSERVER)"; flow:established,from_server; content:"PRIVMSG"; content:"{CHSERVER}"; fast_pattern; nocase; content:"Changing server|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021878; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"exvdaajegjur.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (RESTART)"; flow:established,from_server; content:"PRIVMSG"; content:"{RESTART}"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021880; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.online"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 1"; flow:established,from_server; content:"PRIVMSG"; content:"] Process finished => Total bytes read|3a|"; fast_pattern; nocase; content:"Total bytes sent|3a|"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021881; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 2"; flow:established,from_server; content:"PRIVMSG"; content:"Total connections completed|3a|"; fast_pattern; nocase; content:"Total connections failed|3a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021882; rev:4; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.support"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command Complete 3"; flow:established,from_server; content:"PRIVMSG"; content:" MB|2c| Average speed|3a|"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021883; rev:3; metadata:created_at 2015_10_01, updated_at 2015_10_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"nympompksmfx.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|httpsvalidator.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021937; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"xpknpxmywqsrhe.online"; depth:21; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; dsize:100<>300; content:"Gh0st"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:command-and-control; sid:2013214; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"binpt.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|1gateway.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021940; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; dns_query; content:"srv601.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|1networkpoint.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021945; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex SSL Cert Oct 12 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|AU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:trojan-activity; sid:2021946; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; dns_query; content:"hostgatero.ddns.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:to_server,established; dsize:164; content:"|6c 55 55 45 03 10 48 40|"; offset:4; depth:8; reference:md5,dc226166dfbe28eee2576ea5141bc19d; reference:md5,dadee91e0b82fc91a25a66b61bb2f2dc; classtype:command-and-control; sid:2021947; rev:3; metadata:created_at 2015_10_13, former_category MALWARE, updated_at 2015_10_13;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023833; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 c5 52 94 88 a7 4d 68 f4|"; content:"|55 04 06|"; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; content:"|0c|Default City"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021950; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading EXE payload"; flow:from_server,established; flowbits:isset,ET.nemucod.exerequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021954; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023835; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Nemucod.M.gen downloading PDF payload"; flow:from_server,established; flowbits:isset,ET.nemucod.pdfrequest; file_data; content:"%PDF-"; within:5; fast_pattern; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021955; rev:2; metadata:created_at 2015_10_15, updated_at 2015_10_15;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023836; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 d3 0f 9b a5 56 a0 f7 57|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021957; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023837; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 db d0 33 6a 28 4f 39 2c|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021958; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023838; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|best-apps.name"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021959; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023839; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|UK|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; classtype:domain-c2; sid:2021980; rev:1; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023840; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fat.uk-fags.top"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021981; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|14|support@vpn-core.net"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021982; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023842; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetWire Variant - Client Hello"; flow:established,to_server; flowbits:set,ET.NetWire; flowbits:noalert; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021976; rev:2; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023843; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NetWire Variant - Server Directory Listing Request"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01|"; depth:1; content:"|00 00 00 06 43 3A|"; distance:1; within:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021979; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023844; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|FR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021993; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023845; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|volha.xyz"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021994; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023846; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful"; flow:established,to_server; dsize:7; content:"ENDSNAP"; reference:md5,38abba51bdf98347fc4f91642b21b041; classtype:trojan-activity; sid:2021996; rev:1; metadata:created_at 2015_10_23, updated_at 2015_10_23;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023847; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Duuzer Checkin"; flow:established,to_server; content:"|32 a3 56 bb 47 4f 32 00|"; depth:8; fast_pattern; content:"|30 b9 00 00|"; distance:3; within:4; reference:url,symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers; reference:md5,cd7a72be9c16c2ece1140bc461d6226d; classtype:command-and-control; sid:2022000; rev:1; metadata:created_at 2015_10_26, former_category MALWARE, updated_at 2015_10_26;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023848; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request"; flow:established,to_server; content:"NO|7C|CRYPTDESK*"; depth:13; classtype:trojan-activity; sid:2022002; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023849; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Server Response"; flow:established,to_client; content:"GO8_=_8"; dsize:7; classtype:trojan-activity; sid:2022003; rev:1; metadata:created_at 2015_10_26, updated_at 2015_10_26;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023850; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|LU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022004; rev:2; metadata:attack_target Client_and_Server, created_at 2015_10_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023851; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LummoX Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| LummoX Logger"; fast_pattern; nocase; classtype:trojan-activity; sid:2022005; rev:2; metadata:created_at 2015_10_28, updated_at 2015_10_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023852; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoisonIvy HTTP CnC Beacon"; flow:established,to_server; content:"|20|HTTP|3a 2f 2f|"; offset:3; depth:9; content:!"Host|3a|"; distance:0; content:!"User-Agent|3a|"; distance:0; content:!"Accept"; distance:0; content:!"Referer|3a|"; distance:0; content:"HTTP/1.1|0d 0a|Cookie|3a 20|id="; fast_pattern; pcre:"/^[0-9A-F]{12}/R"; reference:md5,1aca09c5eefb37539e86ec86dd3be72f; reference:url,blog.jpcert.or.jp/2015/07/poisonivy-adapts-to-communicate-through-authentication-proxies.html; classtype:command-and-control; sid:2021523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, signature_severity Major, tag PoisonIvy, tag c2, updated_at 2016_07_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023853; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 59 43 e2 96 23 5b 17|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c0c8178b7ef2a8c067c68a7fb7dc7ecd; classtype:domain-c2; sid:2022021; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023854; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cybergate/Rebhip/Spyrat Backdoor Keepalive"; flow:from_server,established; dsize:<100; content:"ping|7c|"; depth:5; content:!"|7c|"; within:1; classtype:trojan-activity; sid:2017990; rev:12; metadata:created_at 2011_04_09, updated_at 2011_04_09;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023855; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wrapper/Gholee/Wedex Checkin"; flow:established,to_server; dsize:12; content:"nocookie"; offset:4; depth:8; reference:md5,b7de8927998f3604762096125e114042; reference:url,blog.checkpoint.com/2015/11/09/rocket-kitten-a-campaign-with-9-lives/; classtype:command-and-control; sid:2022047; rev:1; metadata:created_at 2015_11_09, former_category MALWARE, updated_at 2015_11_09;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023856; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023857; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023858; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Registry)"; flow:from_server,established; content:"RG|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017429; rev:4; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023859; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Keylogger)"; flow:from_server,established; content:"kl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017430; rev:7; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023860; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Get Passwords)"; flow:to_server,established; content:"pl|7c 27 7c 27 7c|"; depth:7; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017432; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023861; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command (Get Passwords)"; flow:from_server,established; content:"ret|7c 27 7c 27 7c|"; depth:8; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017431; rev:5; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2013_09_05;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023862; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nyctradersacademy.com"; distance:1; within:22; reference:md5,cb690af981b61aa4779624db5d2489e1; reference:md5,040ac83b30a9bd111d06d238f39593fb; classtype:domain-c2; sid:2022056; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023863; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|msupdcheck.com"; distance:1; within:16; reference:md5,4b689f711da45fb8523c95a85679f435; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022057; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023864; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 ae 7c 85 e8 a5 6b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5666cb1caca3fde7dd1c8195b76eac8e; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022058; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023865; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)"; flow:from_client,established; content:"|00|pl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00pl\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022059; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023866; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)"; flow:from_client,established; content:"|00|sc~|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00sc\x7e\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022060; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023867; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)"; flow:from_client,established; content:"|00|scPK|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00scPK\x7c/i"; reference:md5,a42317b9f9d3df375218e650999d48c4; classtype:command-and-control; sid:2022061; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; dns_query; content:"tradeboard.mefound.com"; depth:22; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback Response (File Manager)"; flow:to_client,established; content:"|00|rn|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rn\x7c/i"; classtype:command-and-control; sid:2022062; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; dns_query; content:"movis-es.ignorelist.com"; depth:23; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Get Passwords)"; flow:established; content:"|00|ret|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00ret\x7c/i"; reference:md5,310c26fa0c7d07adbff32b569b1972f1; classtype:command-and-control; sid:2022063; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; dns_query; content:"exbonus.mrbasic.com"; depth:19; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HideWindows.C IRC Checkin"; flow:established,to_server; content:"PASS 6667|0a|"; content:"NICK pr0n|7c 30 0a|"; distance:0; fast_pattern; content:"USER Pmx|20 22 2a 22 20 22|"; distance:0; content:"|22 20 3a|pr0n|0a|"; reference:md5,4645b7883d5c8fee6579cc79dee5f683; reference:url,thisissecurity.net/2015/11/05/low-cost-point-of-sales-pos-hacking/; classtype:command-and-control; sid:2022064; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (bst2bgxin81a.org)"; dns_query; content:"bst2bgxin81a.org"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c1 fb cd cd ff 15 b4 03|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; reference:md5,c493fbc74573c2c125ff57b1bf15e4be; classtype:domain-c2; sid:2022065; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0e|systruster.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; reference:md5,efa5ea2c511b08d0f8259a10a49b27ad; classtype:domain-c2; sid:2022066; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns_query; content:"load.gtpnet.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:4; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2019_09_28;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0c|retsback.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; reference:md5,e5b7fd7eed59340027625ac39bae7c81; classtype:domain-c2; sid:2022067; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns_query; content:"spora.li"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Info Checkin"; flow:from_server,established; content:"inf|7c 4b 69 6c 65 72 7c|"; fast_pattern; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; content:"|7c 4b 69 6c 65 72 7c|"; distance:0; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022069; rev:1; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2015_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:trojan-activity; sid:2028598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
+alert tcp any any -> any any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)"; flow:established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; content:"|00|CAP|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00cap\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019214; rev:2; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (comboratiogferrdto . com)"; dns_query; content:"comboratiogferrdto.com"; depth:22; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00kl\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019222; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"epochatimes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00fm\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019221; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns_query; content:"strangelol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:4; metadata:created_at 2017_10_18, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00proc\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019220; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; dns_query; content:"go.querymo.com"; depth:14; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_09_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019219; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-#alert tls any any -> any any (msg:"ET DELETED Hash - Scraper: yandex.ru based Mozilla 4.0"; ja3_hash; content:"05e15a226e00230c416a8cdefeb483c7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:misc-activity; sid:2028437; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00srv\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019218; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Get2 Downloader Activity"; flow:established,to_server; http.user_agent; content:"CIBA|3b 20|MS-RTC LM 8|29|"; endswith; classtype:trojan-activity; sid:2028642; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00rs\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019217; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2019_10_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00mic\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019215; rev:3; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2014_09_23;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|PSWD|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Possible Chimera Ransomware - Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:md5,b66a864255ad796cf1e82f973f67f556; reference:url,reaqta.com/2015/11/diving-into-chimera-ransomware/; classtype:policy-violation; sid:2022075; rev:1; metadata:attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2015_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic"; flow:established,to_server; content:"-- Client Info --"; fast_pattern; nocase; content:"IP|3a 20|"; content:"HWID|3a 20|"; content:"OS Platform|3a 20|"; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|rozmatis.com"; distance:1; within:13; reference:md5,58b38122ac12b84989914623efe833be; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022076; rev:1; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Logs|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|0d|whoreshop.xyz"; distance:1; within:14; reference:md5,218a9854b7d1ca1f417c59a566b343d9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022077; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Clipboard|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|lingeriesshop.biz"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022087; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Screenshot|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0a|LosAngeles"; distance:1; within:11; content:"|55 04 03|"; distance:0; content:"|11|speednetlocal.com"; distance:1; within:18; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022088; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemours/Proyecto RAT CnC Checkin"; flow:established,to_server; content:"0|7c|New|20|-|20|"; depth:8; fast_pattern; content:"|7c|"; distance:0; content:"|7c|Windows"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; reference:md5,50a9218c891453c00b498029315ac680; classtype:command-and-control; sid:2028648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Nemours, performance_impact Moderate, signature_severity Major, updated_at 2019_10_04;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|02|Ny"; distance:1; within:3; content:"|55 04 03|"; distance:0; content:"|13|securityrealnet.com"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022089; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:23; content:"CN=worldmasterclass.com"; fast_pattern; reference:md5,fe9caf2568d7bbf2bb0e20b8e7dc8971; reference:md5,c5a460fd87ffd50c114fffa684688d01; classtype:domain-c2; sid:2028653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|support@hsshvpn.net"; distance:1; within:20; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022130; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=mailfueler.com"; fast_pattern; reference:md5,c189cdadd96c148e64912c55c5129d3e; classtype:domain-c2; sid:2028652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Retefe CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|06|Zurich"; distance:1; within:7; content:"|55 04 07|"; distance:0; content:"|06|Zurich"; distance:1; within:7; content:"IT"; distance:0; content:"|55 04 03|"; distance:0; content:"|07|default"; distance:1; within:8; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|12|me@myhost.mydomain"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022129; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, malware_family Retefe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=corpcougar.com"; fast_pattern; reference:md5,73fad17f8054d01488c3ddd67e355bf1; reference:md5,a25591dbf57ac687e2a03f94dcccc35a; classtype:domain-c2; sid:2028654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Rincux CnC (set)"; content:"|01 00 00 00|"; depth:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|Windows"; distance:0; content:"|20 4d 42 00 00 00 00 00|"; fast_pattern; distance:0; content:"|20 4d 48 7a 00 00 00 00 00|"; distance:0; flowbits:set,ET.Rincux; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022131; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=adityebirla.com"; fast_pattern; reference:md5,61b34d02bb09e5a547251a625ce81f9c; reference:md5,cab127c5b8582c1e3ea8860a239a060b; classtype:domain-c2; sid:2028655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rincux CnC"; content:"|02 00 00 00|"; fast_pattern; depth:4; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/Rs"; content:"|00 00 00 00|"; distance:0; flowbits:isset,ET.Rincux; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-082614-0727-99&tabid=2; classtype:command-and-control; sid:2022132; rev:1; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2015_11_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01"; flow:established,to_client; tls.cert_subject; bsize:63; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=www.livdecor.pt"; fast_pattern; reference:md5,7baca517af0b93bd3f94910c7b8f10db; reference:md5,efb4951e11baf306f5680a041c214e5b; classtype:domain-c2; sid:2028656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 87 58 1a 93 f4 b1 c2 6b|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022133; rev:2; metadata:attack_target Client_and_Server, created_at 2015_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30"; flow:established,to_client; tls.cert_subject; bsize:12; content:"CN=flozzy.uk"; fast_pattern; reference:md5,6a333c3f54d7fb6efb276cf6e33315c0; reference:md5,ab578cff6c06157aadd5f324a3413973; classtype:domain-c2; sid:2028657; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 6 (SOCKS)"; flow:established,to_server; content:"NOTICE "; content:"|3a|REWRITING|0a|"; fast_pattern; distance:0; content:"|0a|to|0a|"; distance:0; pcre:"/^NOTICE [^\r\n]+? \x3aREWRITING\x0a[^\r\n]+?\x0ato\x0a[^\r\n]+?\x0a/s"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022189; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=evershinebd.net"; fast_pattern; reference:md5,c93a2d16dd0cf8dd3afa5ecba111e7c4; reference:md5,23aff33025681263adcdcb480d0e9a95; classtype:domain-c2; sid:2028658; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT IRC Activity 7 (bindshell)"; flow:established,from_server; content:"|0a c2 84 c2 9f|muBoT|c2 84 c2 9f|REMOTE|c2 84 c2 9f|SHELL"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:trojan-activity; sid:2022190; rev:1; metadata:created_at 2015_11_26, updated_at 2015_11_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27"; flow:established,to_server; tls.sni; bsize:11; content:"techxim.com"; reference:md5,5c4e395fc545b5e0c03f960a4145f4ea; classtype:domain-c2; sid:2028659; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3; metadata:created_at 2015_11_09, former_category CURRENT_EVENTS, updated_at 2015_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_24, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern; classtype:shellcode-detect; sid:2013145; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5; metadata:created_at 2012_04_16, former_category CURRENT_EVENTS, updated_at 2012_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013146; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|licensecheck.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022208; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013147; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 81 a8 a0 05 4c c8 8b|"; within:35; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022212; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8; metadata:created_at 2011_03_15, former_category CURRENT_EVENTS, updated_at 2011_03_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/KDefend Checkin"; flow:established,to_server; content:"c|00|h|00|i|00|n|00|a|00 00 00|"; offset:16; depth:12; fast_pattern; content:"|20|MB|00|"; within:10; content:"/proc/stat|00|cpu|00|"; within:21; reference:url,blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html; classtype:command-and-control; sid:2022219; rev:3; metadata:created_at 2015_12_04, former_category MALWARE, updated_at 2015_12_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|baknsystem.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022078; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|coughweb.biz"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022226; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.gooodlaosadf.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022230; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 41 89 47 37 8f 56 41|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022231; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|09|Cyxuzoidv"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022233; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 07|"; content:"|0b|los Angeles"; distance:1; within:12; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0c|*.google.com"; distance:1; within:13; content:"@google.com"; distance:0; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022235; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert udp $HOME_NET any -> any [5060,5061,5600] (msg:"ET MALWARE Ponmocup plugin #2600 (SIP scanner)"; content:"User-Agent|3a| Zoiper for Windows rev.1812|0d0a|"; threshold: type limit, count 1, seconds 3600, track by_src; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022206; rev:2; metadata:created_at 2015_12_02, updated_at 2015_12_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|www.benvenuittopronto.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022248; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca a8 d2 15 e5 c6 b7 72|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022249; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:3; metadata:created_at 2011_08_09, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|theliveguard.net"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022250; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:command-and-control; sid:2013382; rev:4; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|televcheck.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022251; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|welcomefreinds.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022252; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern; reference:arachnids,331; classtype:suspicious-login; sid:2100354; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M1"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|04|Asia"; distance:1; within:5; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022253; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; fast_pattern; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M2"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|North America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022254; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern; classtype:suspicious-login; sid:2100357; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M3"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Africa"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022255; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern; reference:arachnids,330; classtype:suspicious-login; sid:2100358; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M4"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|06|Europe"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022256; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern; reference:arachnids,329; classtype:suspicious-login; sid:2100359; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M5"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|09|Australia"; distance:1; within:10; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022257; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; fast_pattern; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:15; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M6"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0d|South America"; distance:1; within:14; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022258; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M7"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0a|Antarctica"; distance:1; within:11; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022259; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|checkstat99.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022267; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 47 00 43 cf a7 86 ee|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,d90c0177437c4cf588de4e60ab233fe1; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022275; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|lililililililili.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022276; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT_KIT Dadong Exploit Kit Downloaded"; flow:established,from_server; flowbits:set,et.exploitkitlanding; content:"indexOf(|22|dadong=|22|)=="; fast_pattern; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:exploit-kit; sid:2025037; rev:3; metadata:created_at 2012_03_01, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|intelliadsign.net"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022277; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|boistey.biz"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022278; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|ssl-tree.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022286; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|foenglera.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022287; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE Possible Gootkit CnC SSL Cert M8"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|"; distance:1; within:1; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|0f|Central America"; distance:1; within:16; fast_pattern; content:"|55 04 0a|"; pcre:"/^.{3}(?P<var>[a-z]+)\x20.*?\x55\x04\x03.{2}www\.[a-z](?P=var)/Rsm"; content:"|55 04 0b|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; classtype:command-and-control; sid:2022292; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|rommen-haft.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022293; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert ip $HOME_NET any -> [206.72.206.74,206.72.206.75,206.72.206.76,206.72.206.77,206.72.206.78,66.45.241.130,66.45.241.131,66.45.241.132,66.45.241.133,66.45.241.134] any (msg:"ET MALWARE Kelihos CnC Server Activity"; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; reference:url,blog.malwaremustdie.org/2015/12/mmd-0046-2015-kelihos-cnc-activity-on.html; classtype:command-and-control; sid:2022294; rev:1; metadata:created_at 2015_12_22, former_category MALWARE, updated_at 2015_12_22;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|givemyporn.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022301; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2015573; rev:3; metadata:created_at 2012_08_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|qiqiqiqiqiqi.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022302; rev:1; metadata:attack_target Client_and_Server, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015479; rev:4; metadata:created_at 2012_07_17, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ASCII Executable Inside of MSCOFF File DL Over HTTP"; flow:established,from_server; flowbits:isset,et.MCOFF; file_data; content:"|34 64 35 61|"; content:"|35 34 36 38 36 39 37 33 32 30 37 30 37 32 36 66 36 37 37 32 36 31 36 64 32 30|"; distance:38; reference:md5,f4ee917a481e1718ccc749d2d4ceaa0e; classtype:trojan-activity; sid:2022303; rev:3; metadata:created_at 2015_12_23, updated_at 2015_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:exploit-kit; sid:2015604; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 97 ae 20 7e 61 5f 58 15|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022305; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:from_server,established; content:"|09 00 a6 75 8f 19 30 3e 46 58|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022307; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:7; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|monosuflex.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022308; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:exploit-kit; sid:2015678; rev:3; metadata:created_at 2012_09_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powersploit Framework Script Downloaded"; flow:to_client,established; file_data; content:"function Invoke-"; depth:16; content:"|0a 7b 0a 3c 23 0a 2e 53 59 4e 4f 50 53 49 53 0a|"; distance:0; content:"|0a|PowerSploit Function|3a 20|"; distance:0; reference:md5,0aa391dc6d9ebec2f5d0ee6b4a4ba1fa; classtype:trojan-activity; sid:2022309; rev:2; metadata:created_at 2015_12_24, updated_at 2015_12_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:exploit-kit; sid:2015689; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|1terabitbit.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022321; rev:2; metadata:attack_target Client_and_Server, created_at 2015_12_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:exploit-kit; sid:2015690; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|gatecheck.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022322; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT  NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:exploit-kit; sid:2015691; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (BlackEnergy CnC)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 85 9e 1d 11 4a f9 72 62|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021624; rev:2; metadata:attack_target Client_and_Server, created_at 2015_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:exploit-kit; sid:2015694; rev:3; metadata:created_at 2012_09_11, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackEnergy SSL Cert"; flow:from_server,established; content:"|09 00 e3 6e 25 fe 3f fa 53 80|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/; classtype:trojan-activity; sid:2022327; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ibsecurity.info"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022328; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|ibcsec.xyz"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022329; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M2"; itype:8; icode:0; dsize:26<>35; content:"|33|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022330; rev:2; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
 
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoLocker Check-in (ICMP) M1"; itype:8; icode:0; dsize:26<>35; content:"|31|"; depth:1; pcre:"/^(?=[A-F1-9]*?[a-km-zGHJ-NP-Z])[a-km-zA-HJ-NP-Z1-9]{25,34}(?:64)?$/R"; reference:md5,24273ce5ca8e84c52b270b52659304a8; reference:url,blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/; classtype:trojan-activity; sid:2022331; rev:3; metadata:created_at 2016_01_05, updated_at 2016_01_05;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF.MrBlack DOS.TF Variant"; flow:established,to_server; content:"Linux_"; offset:8; depth:6; content:"TF-"; distance:58; within:3; fast_pattern; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022336; rev:2; metadata:created_at 2016_01_07, updated_at 2016_01_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bulta CnC Beacon"; flow:established,to_server; content:"|1f 93 97 d3 94 01 69 49 4d 7b a7 ac f6 7a|"; depth:14; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:command-and-control; sid:2022345; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_01_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2012_04_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.STD.ddos Checkin"; flow:established,to_server; dsize:28; content:"2-1Q3@@4V-9-W$p#=A#9c=#W~,|0d 0a|"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=2747&start=20#p27639; classtype:command-and-control; sid:2022367; rev:2; metadata:created_at 2016_01_14, former_category MALWARE, updated_at 2016_01_14;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|PA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022385; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|relaxsaz.com"; distance:1; within:13; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022386; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|contora24.com"; distance:1; within:14; reference:md5,9b8fed949202b860d49f326d5e33bb35; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022387; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|websecuranalitic.com"; distance:1; within:21; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022388; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|moneyclass24.com"; distance:1; within:17; reference:md5,105213be0a168d5e3eb0e4ff0262cf12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022389; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|07|vle.cli"; distance:1; within:8; reference:md5,678129a67898174fdb7e8c70ebcca6c3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022390; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.nonewhateverplanred.juegos"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022391; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1E|www.removenationalstiff.taipei"; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022392; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|20|www.fightingmotioncertainly.page"; distance:1; within:33; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022393; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|dinuspuka.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022394; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0D|popredrak.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022395; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|vorlager.ru"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022396; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|IR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022397; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kuklovodw.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022404; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|BW|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022408; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS User Agent Observed"; flow:established,to_server; content:"User-Agent|3a 20|IDOSJNDX|0d 0a|"; fast_pattern; flowbits:set,ET.centerpos; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022468; rev:2; metadata:created_at 2016_01_29, updated_at 2019_10_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|buhzgalter.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022474; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0f|docknetwork.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022475; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|macroflex.net"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022476; rev:2; metadata:attack_target Client_and_Server, created_at 2016_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:from_server,established; content:"|55 04 03|"; content:"|13|ashirimi-critism.kz"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022478; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/ChinaZ 2.0 DDoS Bot Checkin 3"; flow:established,to_server; content:"*"; pcre:"/^\d+/R"; content:"MHZ|00 00 00 00|"; within:7; content:"MB|00 00 00 00|"; distance:0; content:"|28|null|29 00 00 00 00|"; fast_pattern; distance:0; reference:url,blog.malwaremustdie.org/2015/06/the-elf-chinaz-reloaded.html; classtype:command-and-control; sid:2021526; rev:2; metadata:created_at 2015_07_23, former_category MALWARE, updated_at 2015_07_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|KM|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:!"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2,3}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022489; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CO|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022508; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|CR|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022509; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|susana24.com"; distance:1; within:13; reference:md5,23cfdb9896cadd54f935ed4e2df2e0a4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022510; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|wartan24.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022511; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|kitoboyka.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022512; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|vestostnord.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022513; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e3 bf f2 e1 26 c5 4c 2c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022514; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|YU|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022521; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; distance:9; within:25; content:"|30 09 06 03 55 04 06 13 02|SA|31|"; distance:0; fast_pattern; content:!"|55 04 08|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s[A-Z]/Rs"; content:"|55 04 03|"; distance:0; pcre:"/^.{2}[a-z]{5,}\.[a-z]{2}[01]/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022522; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00|"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; content:"|55 04 08|"; distance:0; content:"|02|NY"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|08|New York"; distance:1; within:9; fast_pattern; content:"|55 04 03|"; byte_test:1,>,27,1,relative; byte_test:1,<,30,1,relative; pcre:"/^.{2}[a-z]{25}\.[a-z]{2,3}[01]/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022488; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|tatar28.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022536; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|giviklorted.at"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022537; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus Time Check to Microsoft.com"; flow:to_server,established; content:"GET|20 20|HTTP/1.0|0d 0a|"; depth:15; content:"www.microsoft.com"; distance:6; within:23; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:targeted-activity; sid:2022539; rev:2; metadata:created_at 2016_02_18, updated_at 2016_02_18;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible OceanLotus CnC Heartbeat"; flow:to_client,established; dsize:14; content:"|75 7a 76 7e 1a 1b 1b 1b 1b 1b 11 1b 1b 1b|"; fast_pattern; threshold: type limit, count 1, track by_src, seconds 60; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022540; rev:1; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2016_02_18;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FrameworkPOS CnC Server Reporting IP Address To Agent"; flow:established,to_client; file_data; content:"=="; depth:2; content:"=="; within:17; fast_pattern; file_data; content:"=="; depth:2; pcre:"/^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:={2})/R"; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022552; rev:2; metadata:created_at 2016_02_22, former_category MALWARE, updated_at 2016_02_22;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 85 d0 ad 8b ad f1 59|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022553; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Geodo MITM)"; flow:from_server,established; content:"|09 00 a7 ed 6e 63 0f d0 e1 f9|"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022571; rev:2; metadata:attack_target Client_and_Server, created_at 2016_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Download (set)"; flow:to_server,established; content:"GET"; http_method; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/\/\?[A-Z]{10,}$/U"; flowbits:set,ET.andromeda; flowbits:noalert; classtype:trojan-activity; sid:2022572; rev:2; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2016_02_29;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M1"; flow:established,from_server; dsize:17; content:"|0c 00 00 00 00|info=command"; reference:md5,50eb7ae1d3c075dfc9c9e82a9fa9caf5; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:command-and-control; sid:2035903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_07, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2015_10_07;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (dirs list)"; flow:established,from_server; content:"dirs=list"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036283; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (folders list)"; flow:established,from_server; content:"fldr="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036284; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (files list)"; flow:established,from_server; content:"fles="; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; classtype:trojan-activity; sid:2036285; rev:3; metadata:created_at 2016_02_17, former_category MALWARE, updated_at 2016_02_17;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (ping) M1"; flow:established,from_server; content:"clping=Ping"; offset:5; byte_jump:4,0,little,from_beginning,post_offset 4; isdataat:!2,relative; reference:md5,94d29dded4dfd920fc4153f18e82fc6c; reference:md5,40c9031ee6bbf2b2306420e9330727a6; classtype:trojan-activity; sid:2035904; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, malware_family Crimson, performance_impact Low, signature_severity Major, updated_at 2016_02_17;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"&authpass="; distance:0; http_uri; content:"&hostname="; distance:0; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2014795; rev:3; metadata:created_at 2012_05_22, updated_at 2012_05_22;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|0c|dolbyfck.com"; distance:1; within:13; classtype:domain-c2; sid:2022613; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|marinova.am"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022623; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e2 62 fd fd 41 2d 9c a4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022624; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 ASCII"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".locky|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022638; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download Text M2"; flow:established,from_server; file_data; content:"4D5A"; nocase; within:4; content:"50450000"; distance:0; content:"21546869732070726f6772616d"; nocase; fast_pattern; classtype:trojan-activity; sid:2022640; rev:2; metadata:created_at 2016_03_23, updated_at 2016_03_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v1 Unicode"; flow:to_server,established; content:"|ff|SMB|a2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022637; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE IrcBot Downloading Files via FTP"; flow:established,to_server; content:"RETR scrypt13"; depth:13; content:".cl"; distance:2; within:6; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022656; rev:1; metadata:created_at 2016_03_24, updated_at 2016_03_24;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|whaovxeynxctdrvzn.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022685; rev:2; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_03_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; content:"|09 00 e6 7b 40 4f 24 b8 2a f9|"; reference:url,sslbl.abuse.ch; reference:md5,3d8d1a65ce53c6ac2e43523e82a6d471; classtype:domain-c2; sid:2022713; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky JS Downloading Payload"; flow:to_server,established; urilen:<12; content:"GET"; http_method; content:!"Referer|3a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; fast_pattern; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{6,10}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?(?:MSIE|rv\x3a11)/Hm"; flowbits:set,ET.Locky; flowbits:noalert; reference:md5,c6896184db5c07ebadf40115138b2f4c; reference:md5,cb8f78317622f8ae855ac25ef4cf3688; classtype:trojan-activity; sid:2026460; rev:3; metadata:created_at 2016_03_16, former_category MALWARE, updated_at 2018_10_09;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|05|Tampa"; distance:1; within:6; content:"|55 04 0a|"; distance:0; content:"|1b|Realtek Semiconductor Corp."; distance:1; within:28; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022714; rev:3; metadata:attack_target Client_and_Server, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|www.huevo.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022733; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 c4 2f d3 44 ed 20 a4 ab|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022734; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 dd b5 a0 63 d6 36 a8 89|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022735; rev:2; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_raw_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:4; metadata:created_at 2012_07_27, updated_at 2012_07_27;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 0b|"; content:"|16|SomeOrganizationalUnit"; distance:1; within:23; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|0c|root@ua7.com"; distance:1; within:13; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022795; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|microurl.bit"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022796; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Ursnif Injects)"; flow:from_server,established; content:"|55 04 03|"; content:"|16|allowherebarbclient.me"; distance:1; within:23; classtype:domain-c2; sid:2022799; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)"; flow:from_server,established; content:"|60 89 e5 31|"; content:"|64 8b|"; distance:1; within:2; content:"|30 8b|"; distance:1; within:2; content:"|0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff|"; distance:1; within:13; content:"|ac 3c 61 7c 02 2c 20 c1 cf 0d 01 c7 e2|"; within:15; content:"|52 57 8b 52 10|"; distance:1; within:5; classtype:trojan-activity; sid:2025644; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_05_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category TROJAN, signature_severity Critical, tag Metasploit, updated_at 2018_07_10;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars CnC)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|17|private@sysprivpop.lkdd"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022736; rev:4; metadata:attack_target Client_and_Server, created_at 2016_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|basey.ru"; distance:1; within:10; classtype:domain-c2; sid:2022833; rev:2; metadata:attack_target Client_and_Server, created_at 2016_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32.Agent.bay Variant Covert Channel (VERSONEX)"; flow:established,to_server; content:"VERSONEX|3a|"; depth:9; fast_pattern; byte_test:1,>=,0x30,0,relative; byte_test:1,<=,0x39,0,relative; content:"|7c|"; distance:1; within:1; reference:md5,f80af2735fdad5fe14defc4f1df1cc30; classtype:trojan-activity; sid:2020978; rev:2; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 Unicode"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022838; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v1 ASCII"; flow:to_server,established; content:"|ff|SMB|07|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".crypt|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022839; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Hawkeye Keylogger SMTP Beacon"; flow:established,to_server; content:"Subject|3a 20|"; content:"SGF3a0V5ZSBLZXlsb2dnZXIg"; within:45; reference:md5,dfc2c23663122ac9fc25b708f278c147; classtype:trojan-activity; sid:2021871; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2015_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:command-and-control; sid:2022861; rev:1; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2016_06_06;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|tda-au.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022877; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|forevery0ung.bit"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022878; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9e 99 a3 02 bc 7d 3f 4e|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|10|www.undernet.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022879; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e5 51 a8 51 66 e3 5c 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022880; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1714 (msg:"ET MALWARE Qarallax RAT Keepalive C2 (set)"; flow:to_server,established; content:"|00 00 09 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; flowbits:set,ET.qarallax; flowbits:noalert; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022882; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1714 -> $HOME_NET any (msg:"ET MALWARE Qarallax RAT Keepalive C2"; flow:from_server,established; flowbits:isset,ET.qarallax; content:"|00 00 0c 00 00 00 00 00 00 00|"; depth:10; threshold:type both, track by_src, count 5, seconds 30; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:command-and-control; sid:2022883; rev:1; metadata:created_at 2016_06_08, former_category MALWARE, updated_at 2016_06_08;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:!"Referer|3a|"; http_header; content:"data="; nocase; http_client_body; depth:5; content:"ew0KCSJhZGRyZXNzIiA6"; fast_pattern; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:command-and-control; sid:2022891; rev:2; metadata:created_at 2016_06_13, former_category MALWARE, updated_at 2016_06_13;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE JKDDOS Bot CnC Phone Home Message"; dsize:<510; flow:established,to_server; content:"|10 00 00 00|Windows|20|"; depth:12; reference:md5,d6b3baae9fb476f0cf3196e556cab348; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/; classtype:command-and-control; sid:2012892; rev:3; metadata:created_at 2011_05_31, former_category MALWARE, updated_at 2011_05_31;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 d9 0c 85 30 1c bb ac a0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022920; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|lobemaintaty.space"; fast_pattern; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022921; rev:2; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 cf 74 72 c9 4e 72 20 e4|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022943; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,from_server; content:"|09 00 f8 f1 74 46 04 c2 a4 42|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022944; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Rockloader)"; flow:established,from_server; content:"|55 04 03|"; content:"|55 04 03|"; content:"|08|server29"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Zeus C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|7yh0mdze6ztr7erew835im3w8.info"; fast_pattern; distance:1; within:31; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022946; rev:2; metadata:attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 C2 or Zeus Panda C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|huhu.com"; fast_pattern; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022922; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Bancos C2)"; flow:from_server,established; content:"|55 04 06|"; content:"|02|US"; distance:1; within:4; content:"|55 04 08|"; content:"|02|FL"; distance:1; within:4; content:"|55 04 07|"; content:"|05|Miami"; distance:1; within:7; fast_pattern; content:"|55 04 0a|"; content:"|08|Business"; distance:1; within:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:domain-c2; sid:2022888; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_10, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC)"; flow:established,from_server; content:"|09 00 cc e5 16 49 2c 1e 96 57|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|www.__RANDOM_STR_.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022961; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5; metadata:created_at 2014_02_07, former_category CURRENT_EVENTS, updated_at 2016_07_13;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lethic - Client Alive"; flow:established,to_server; dsize:6; content:"|01 00 21 01|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:3; metadata:created_at 2012_07_25, updated_at 2016_07_26;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ZeuS CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|taxreclaim.am"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Zeus_SSL, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 08|"; content:"|04|Atak"; distance:1; within:5; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023006; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 95 9d ed 5e 9f 95 7f b4|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|09|localhost"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023007; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 9c 26 67 04 e7 9a e0 56|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023008; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|secureit.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023009; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 da e8 83 5e e4 0a d0 5c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023010; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC)"; flow:from_server,established; content:"|09 00 a7 26 cd 4c 62 32 35 26|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023011; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|09 00 b8 a4 f2 db af 86 f7 53|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023012; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|04 26 98 61 57|"; fast_pattern; content:"|55 04 03|"; distance:0; content:"|25|ASA Temporary Self Signed Certificate"; distance:1; within:38; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023013; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M1"; flow:established,from_server; file_data; content:"|43 72 65 61 74 65 54 65 78 74 46 69 6c 65 28 44 72 6f 70 50 61 74 68|"; nocase; content:"|57 53 48 73 68 65 6c 6c 2e 52 75 6e 20 44 72 6f 70 50 61 74 68 2c 20 30|"; nocase; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, malware_family Ramnit, performance_impact Moderate, signature_severity Major, updated_at 2016_08_09;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RAMNIT.A M2"; flow:established,from_server; file_data; content:"|6c 61 6e 67 75 61 67 65 3d 56 42 53 63 72 69 70 74|"; nocase; content:"|57 72 69 74 65 44 61 74 61 20 3d|"; nocase; content:"|22 34 44 35 41 39 30 30|"; nocase; distance:0; content:"|44 72 6f 70 46 69 6c 65 4e 61 6d 65 20 3d 20|"; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FRamnit.A; classtype:trojan-activity; sid:2023029; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2016_08_09;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|www.endeverllcandjohns13.com"; distance:1; within:29; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023030; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16 03 01 00|"; depth:4; content:"|09 00 8e b6 50 28 b2 eb aa d8|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023031; rev:2; metadata:attack_target Client_and_Server, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_08_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxy.Win32.Agent.mx (2)"; flow:established,to_server; content:"q.php"; fast_pattern; nocase; http_uri; content:!".chartbeat.net"; nocase; http_header; content:"&p="; nocase; http_uri; content:"&x="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&t="; nocase; http_uri; content:"&o="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,doc.emergingthreats.net/2006406; classtype:trojan-activity; sid:2006406; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\d+$/"; reference:md5,d4f949f268d00522cfbae5d18cbce933; classtype:trojan-activity; sid:2023091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_08_25;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Client KeepAlive"; flow:established,to_server; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021978; rev:6; metadata:created_at 2015_10_20, updated_at 2016_08_30;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Renaming File via SMB"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|z|00|e|00|p|00|t|00|o|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023147; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Locky Ransomware Writing Instructions via SMB"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"_|00|H|00|E|00|L|00|P|00|_|00|i|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|s|00|.|00|h|00|t|00|m|00|l"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2023148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_04_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $HOME_NET [445,139] (msg:"ET MALWARE Zlader Ransomware Worm Propagating Over SMB v1 ASCII"; flow:to_server,established; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"|24|RECYCLE|2E|BIN|2E 7B|"; nocase; distance:0; fast_pattern; pcre:"/\x24RECYCLE\.BIN\.\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\x5C\x7B[0-9A-F]{8}\x2D(?:[0-9A-F]{4}\x2D){3}[0-9A-F]{12}\x7D\.(?:scr|pif|cmd)/i"; threshold:type limit, track by_src, count 10, seconds 60; reference:url,www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_zlader.b; classtype:trojan-activity; sid:2023149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon Response"; flow:established,from_server; file_data; content:"script|7c|"; within:7; content:"|7c|endscript"; distance:0; fast_pattern; content:"script|7c|"; distance:0; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023156; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2016_09_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|vuinuzhz.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|certificatestatistic.com"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|careersnetworks.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|microsoftstore.local"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|fxpsjcklcqf.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|ywxozojqmcd.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|06|fwafdw"; distance:1; within:7; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023164; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|business-swiss.online"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023165; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|pro-access.cn"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023166; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|securefreeonly.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Hancitor CnC)"; flow:established,from_server; content:"|09 00 ce 75 ce f8 84 a5 7e e5|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|ntracking.sys-optimatic.cloud"; distance:1; within:30; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|secureinishman.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|systemresystem.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023171; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|secureinterrr100.com"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|supergoodvin888.pw"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|statuscheck.online"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|Otakkibigytu"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023175; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC)"; flow:established,from_server; content:"|09 00 cb 68 d8 f0 41 2b 87 4c|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|host-ui.ru"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat"; flow:established,to_client; dsize:<300; content:"200"; offset:9; depth:3; content:"Content-Type|3a 20|text/html"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; flowbits:isset,ET.OSX.Mokes; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023183; rev:2; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2016_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern; classtype:exploit-kit; sid:2015548; rev:8; metadata:created_at 2012_07_31, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"<DIR>"; content:"File(s)"; distance:0; content:"Dir(s)"; content:"bytes free"; fast_pattern; distance:0; classtype:trojan-activity; sid:2023205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_09_14;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error Invalid Argument"; flow:established,to_server; content:"ERROR|3a| Invalid Argument/Option"; fast_pattern; classtype:trojan-activity; sid:2023206; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern; classtype:policy-violation; sid:2015856; rev:6; metadata:created_at 2012_11_01, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not recognized"; flow:established,to_server; content:"|27| is not recognized as an internal or external command|2c|"; content:"operable program or batch file."; fast_pattern; classtype:trojan-activity; sid:2023207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015873; rev:6; metadata:created_at 2012_11_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows Microsoft Windows DOS prompt command Error not found"; flow:established,to_server; content:"The following command was not found|3a 20|"; classtype:trojan-activity; sid:2023208; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics workstation Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Workstation Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015929; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net statistics server Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Server Statistics for |5c 5c|"; fast_pattern; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][A-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/Rsi"; classtype:trojan-activity; sid:2023210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015928; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -v Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Module Name"; content:"Display Name"; content:"Description"; content:"Driver Type"; fast_pattern; classtype:trojan-activity; sid:2023211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015939; rev:4; metadata:created_at 2012_11_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows driverquery -si Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"DeviceName"; fast_pattern; content:"InfName"; content:"IsSigned"; content:"Manufacturer"; classtype:trojan-activity; sid:2023212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:exploit-kit; sid:2015950; rev:3; metadata:created_at 2012_11_28, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows qwinsta Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SESSIONNAME"; fast_pattern; content:"USERNAME"; content:"ID"; content:"STATE"; content:"TYPE"; content:"DEVICE"; classtype:trojan-activity; sid:2023213; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:3; metadata:created_at 2012_11_29, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows quser Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"USERNAME"; fast_pattern; content:"SESSIONNAME"; content:"ID"; content:"STATE"; content:"IDLE TIME"; content:"LOGON TIME"; classtype:trojan-activity; sid:2023214; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:5; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows gpresult Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Operating System Group Policy Result tool v"; fast_pattern; classtype:trojan-activity; sid:2023215; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:exploit-kit; sid:2015981; rev:3; metadata:created_at 2012_12_04, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC OS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Boot Device"; fast_pattern; content:"Build Number"; content:"Build Type"; classtype:trojan-activity; sid:2023217; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern; content:"|22|bhjwfffiorjwe|22|"; classtype:exploit-kit; sid:2015991; rev:5; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC COMPUTERSYSTEM get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdminPasswordStatus"; fast_pattern; content:"AutomaticManagedPagefile"; content:"Build Type"; classtype:trojan-activity; sid:2023218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:3; metadata:created_at 2012_12_06, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NETLOGIN get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccountExpires"; fast_pattern; content:"AuthorizationFlags"; content:"BadPasswordCount"; classtype:trojan-activity; sid:2023219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:exploit-kit; sid:2016012; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC NIC get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AdapterType"; fast_pattern; content:"AdapterTypeId"; content:"AutoSense"; classtype:trojan-activity; sid:2023220; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:4; metadata:created_at 2012_12_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC PROCESS get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"CSCreationClassName"; fast_pattern; content:"CSName"; content:"Description"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016027; rev:6; metadata:created_at 2012_12_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVER get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"BlockingRequestsRejected"; fast_pattern; content:"BytesReceivedPersec"; content:"BytesTotalPersec"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET INFO Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:2; metadata:created_at 2013_01_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SHARE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AccessMask"; fast_pattern; content:"AllowMaximum"; content:"Caption"; content:"Description"; classtype:trojan-activity; sid:2023224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:exploit-kit; sid:2016306; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SYSACCOUNT get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Description"; content:"Domain"; content:"InstallDate"; content:"LocalAccount"; fast_pattern; classtype:trojan-activity; sid:2023225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:6; metadata:created_at 2013_01_30, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC STARTUP get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Caption"; content:"Command"; content:"Description"; content:"Location"; content:"UserSID"; fast_pattern; classtype:trojan-activity; sid:2023226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:exploit-kit; sid:2016319; rev:3; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|curenasriense.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|transadvert.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|glob-marketing.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023245; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows sc query Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"SERVICE_NAME|3A|"; content:"DISPLAY_NAME|3A|"; content:"TYPE"; content:"STATE"; classtype:trojan-activity; sid:2023246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_16, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2016_09_16;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3a|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:2; metadata:created_at 2013_01_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ns-cheap.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023262; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET MALWARE W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:command-and-control; sid:2016331; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|gl-markt.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023263; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern; content:"&token="; http_uri; classtype:exploit-kit; sid:2015962; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|hoonietospeed.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023264; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:exploit-kit; sid:2016412; rev:3; metadata:created_at 2013_02_15, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnbcheck.pw"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023265; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern; classtype:exploit-kit; sid:2016510; rev:5; metadata:created_at 2013_02_27, former_category INFO, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|statway.online"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016542; rev:4; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|petetongtt.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:exploit-kit; sid:2016543; rev:3; metadata:created_at 2013_03_06, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|09 00 e4 52 b4 b2 9e 40 bd 86|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Synology Inc."; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016569; rev:4; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|verifybyamexcards.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016571; rev:2; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|dnbcheck.site"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016570; rev:3; metadata:created_at 2013_03_14, former_category DNS, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mainmar.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023287; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:exploit-kit; sid:2016026; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK Payload Request"; flow:to_server,established; content:"GET"; http_method; content:".php?e="; http_uri; fast_pattern; content:"&h="; content:!"Referer|3a|"; http_header; pcre:"/\.php\?e=\d{4}\-\d{4}&h=[a-f0-9]{32}$/Ui"; flowbits:set,ET.BleedingLife.Payload; classtype:exploit-kit; sid:2023290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2016_09_23;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016718; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|secursitenot.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|gtldsfs.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016717; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|cdnfastnetwork.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|arcnetcdn.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|sdpvss.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023309; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_28, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_09_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|allenia.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:exploit-kit; sid:2015000; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_07_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|ssltrustcontrol.com"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023320; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern; classtype:exploit-kit; sid:2016805; rev:4; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|usgivememoney.com"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:exploit-kit; sid:2015974; rev:15; metadata:created_at 2012_11_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|p.scgreencharter.org"; distance:1; within:21; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern; classtype:trojan-activity; sid:2016812; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|fastsvpsd.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|csos.brycepeterson.net"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:exploit-kit; sid:2016833; rev:6; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|mgudoor.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|zigerds.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016924; rev:12; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|geernabys.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:exploit-kit; sid:2016928; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c7 b5 8a 8d d7 e8 44 b0|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:exploit-kit; sid:2016929; rev:12; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|facenoplays.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016926; rev:3; metadata:created_at 2013_05_25, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 97 21 dd 62 8b bc 65 25|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:exploit-kit; sid:2016787; rev:4; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bitter RAT TCP CnC Beacon"; flow:established,from_server; content:"BITTER1234"; depth:10; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,6e855944d171a3acbb64635dbe7a9c62; classtype:command-and-control; sid:2023399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2016_10_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:exploit-kit; sid:2016964; rev:3; metadata:created_at 2013_06_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|hlaprise.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern; classtype:attempted-user; sid:2017008; rev:6; metadata:created_at 2013_06_12, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|calmiinity.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:exploit-kit; sid:2016840; rev:6; metadata:created_at 2013_05_09, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|rootenplay.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:3; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 89 f7 85 18 43 70 17 d1|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern; http_uri; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017019; rev:3; metadata:created_at 2013_06_15, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|statuscheck.site"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023406; rev:2; metadata:attack_target Client_and_Server, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_25, former_category EXPLOIT, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Cerber Checkin 2"; dsize:<11; content:"hi"; depth:2; fast_pattern; pcre:"/^[a-f0-9]{7,}$/R"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,ac4d7fb5739862e9914556ed5d50f84f; classtype:command-and-control; sid:2023453; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_25, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?!www)\d?[A-Z]?(?:[a-z]{3,20}\.)?[a-z]{5,}(?:\d[a-z]{5,})?\.[a-z]{2,5}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022535; rev:11; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017069; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|ff fe 3f 10 00 00|"; distance:0; byte_test:4,>,100,4,relative,little; byte_extract:4,4,config_len,relative,little; content:!"|00|"; within:config_len; pcre:"/^[^\x00]+(\xff\xd9)?$/R"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021382; rev:11; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:exploit-kit; sid:2017070; rev:3; metadata:created_at 2013_06_27, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 2"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe|"; distance:-10; within:2; byte_test:2,>,100,0,relative,little; byte_extract:2,0,config_len,relative,little; content:!"|00|"; distance:6; within:config_len; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021383; rev:3; metadata:created_at 2015_07_06, updated_at 2016_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:exploit-kit; sid:2017079; rev:4; metadata:created_at 2013_07_02, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zberp/ZeusVM receiving config via image file (steganography) 3"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"0103F|00|"; distance:0; content:"|ff fe ff ff|"; distance:-10; within:4; pcre:"/^0103F\x00[^\x00]+(\xff\xd9)?$/R"; reference:md5,7ba76b0ec1249b19a46e1603e5ab0a90; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021527; rev:5; metadata:created_at 2015_07_23, updated_at 2016_11_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017092; rev:3; metadata:created_at 2013_07_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Linux.Mirai Login Attempt (xc3511)"; flow:to_server,established; content:"xc3511|0d 0a|"; dsize:8; reference:url,www.flashpoint-intel.com/when-vulnerabilities-travel-downstream; classtype:trojan-activity; sid:2023333; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2016_10_10, deployment Datacenter, malware_family ddos_bot, performance_impact Low, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017093; rev:3; metadata:created_at 2013_07_03, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (1111111)"; flow:to_server,established; content:"1111111|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023430; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:exploit-kit; sid:2017099; rev:3; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (54321)"; flow:to_server,established; content:"54321|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023431; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (666666)"; flow:to_server,established; content:"666666|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023432; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2017138; rev:4; metadata:created_at 2013_07_13, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0admin)"; flow:to_server,established; content:"7ujMko0admin|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023433; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:exploit-kit; sid:2017139; rev:3; metadata:created_at 2013_07_13, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (7ujMko0vizxv)"; flow:to_server,established; content:"7ujMko0vizxv|0d 0a|"; nocase; dsize:14; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023434; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:exploit-kit; sid:2017151; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (888888)"; flow:to_server,established; content:"888888|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023435; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:exploit-kit; sid:2017150; rev:13; metadata:created_at 2013_07_16, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (anko)"; flow:to_server,established; content:"anko|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023436; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:exploit-kit; sid:2017106; rev:4; metadata:created_at 2013_07_05, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (dreambox)"; flow:to_server,established; content:"dreambox|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023437; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:exploit-kit; sid:2017153; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (fucker)"; flow:to_server,established; content:"fucker|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023438; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (hi3518)"; flow:to_server,established; content:"hi3518|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023439; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ikwb)"; flow:to_server,established; content:"ikwb|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023440; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:exploit-kit; sid:2016427; rev:8; metadata:created_at 2013_02_19, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (juantech)"; flow:to_server,established; content:"juantech|0d 0a|"; nocase; dsize:10; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023441; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016013; rev:7; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (jvbzd)"; flow:to_server,established; content:"jvbzd|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023442; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016299; rev:11; metadata:created_at 2013_01_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv123)"; flow:to_server,established; content:"klv123|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023443; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:exploit-kit; sid:2016350; rev:5; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (klv1234)"; flow:to_server,established; content:"klv1234|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023444; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/^\/search\/[0-9]{64}/U"; classtype:exploit-kit; sid:2016593; rev:9; metadata:created_at 2013_03_19, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (meinsm)"; flow:to_server,established; content:"meinsm|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023445; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/\/m1[1-6]\.jar$/U"; classtype:exploit-kit; sid:2016708; rev:9; metadata:created_at 2013_04_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (realtek)"; flow:to_server,established; content:"realtek|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023446; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016709; rev:9; metadata:created_at 2013_04_02, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (service)"; flow:to_server,established; content:"service|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023447; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:exploit-kit; sid:2016786; rev:6; metadata:created_at 2013_04_26, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (ubnt)"; flow:to_server,established; content:"ubnt|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023448; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2016804; rev:5; metadata:created_at 2013_05_01, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (vizxv)"; flow:to_server,established; content:"vizxv|0d 0a|"; nocase; dsize:7; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023449; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:exploit-kit; sid:2016943; rev:9; metadata:created_at 2013_05_29, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (xmhdipc)"; flow:to_server,established; content:"xmhdipc|0d 0a|"; nocase; dsize:9; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023450; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_10_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2016965; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_06_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (zlxx)"; flow:to_server,established; content:"zlxx|0d 0a|"; nocase; dsize:6; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023451; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2017038; rev:5; metadata:created_at 2013_06_20, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"ET MALWARE Possible Linux.Mirai Login Attempt (Zte521)"; flow:to_server,established; content:"Zte521|0d 0a|"; nocase; dsize:8; reference:url,krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack; classtype:attempted-admin; sid:2023452; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2016_10_26, deployment Datacenter, signature_severity Major, updated_at 2016_11_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2017041; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|heeriekupman.com"; distance:1; within:17; classtype:domain-c2; sid:2023489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017042; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|infosec256bit.com"; distance:1; within:18; classtype:domain-c2; sid:2023491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017043; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslsecure777.com"; distance:1; within:17; classtype:domain-c2; sid:2023492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern; content:"Java/1.6"; http_user_agent; classtype:exploit-kit; sid:2017044; rev:5; metadata:created_at 2013_06_22, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|dodstersystem.com"; distance:1; within:18; classtype:domain-c2; sid:2023493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:exploit-kit; sid:2017119; rev:5; metadata:created_at 2013_07_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|whatissslnow.com"; distance:1; within:17; classtype:domain-c2; sid:2023494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern; pcre:"/amor\d{0,2}\.jar/U"; classtype:exploit-kit; sid:2015941; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|getifourl.com"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern; classtype:exploit-kit; sid:2015942; rev:5; metadata:created_at 2012_11_27, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:from_server,established; content:"|09 00 d1 c2 e8 fc aa 20 b5 6d|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:exploit-kit; sid:2017152; rev:6; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:from_server,established; content:"|16|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:11; content:"|09 00 ff 41 25 0a bf 95 6d 71|"; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0b|domzino org"; distance:1; within:13; reference:md5,f6e81ae634bbcc309a4a5e01f20e4136; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017272; rev:5; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 eb 14 76 ac 55 37 6b 52|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017273; rev:4; metadata:created_at 2013_08_03, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 82 eb e4 e6 d5 39 9c 05|"; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017022; rev:4; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBoy CnC Beacon"; flow:established,to_server; content:"|8a 00 d1 00 8a 00 6a 00|"; depth:8; reference:url,citizenlab.org/2016/11/parliament-keyboy/; reference:md5,8846d109b457a2ee44ddbf54d1cf7944; classtype:command-and-control; sid:2023527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, malware_family KeyBoy, signature_severity Major, tag c2, updated_at 2016_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_08_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|res1allenia.com"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023528; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017324; rev:3; metadata:created_at 2013_08_13, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|digtheromb.com"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023530; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern; classtype:exploit-kit; sid:2017039; rev:4; metadata:created_at 2013_06_20, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sweatmeat.pw"; distance:1; within:13; classtype:domain-c2; sid:2023537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017372; rev:6; metadata:created_at 2013_08_26, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,from_server; content:"|09 00 b8 d7 6d 5b 44 1a 9f 0a|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|biszweater.pw"; distance:1; within:14; classtype:domain-c2; sid:2023538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|coinf333.info"; distance:1; within:14; classtype:domain-c2; sid:2023539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,from_server; content:"|09 00 bc 7c af f0 e8 ee 0f e8|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,from_server; content:"|09 00 e7 1f b0 eb b2 ae 21 70|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FlokiBot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; content:"|55 04 03|"; distance:0; content:"|08|uspal.cf"; distance:1; within:9; reference:md5,3ddf657800e60a57b884b87e1e8a987c; classtype:domain-c2; sid:2023536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern; http_uri; content:"Java/1."; http_user_agent; classtype:exploit-kit; sid:2017406; rev:6; metadata:created_at 2013_09_03, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 a7 15 36 3b e0 82 35 9b|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017434; rev:3; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.SDB CnC Beacon"; flow:established,to_server; content:"Auth"; depth:4; content:"|20 40 20|"; distance:0; content:"|5c 23 2f|Microsoft|20|"; distance:0; fast_pattern; reference:md5,5a9a8502b87ce1a6a608debd10761957; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2016_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017433; rev:4; metadata:created_at 2013_09_07, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC)"; flow:from_server,established; content:"|09 00 c7 52 05 4b 9d 0e f6 96|"; content:"|55 04 03|"; content:"|09|localhost"; distance:1; within:10; reference:md5,fa224c69088cc331a6b30bc5069fa9d5; classtype:domain-c2; sid:2023550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017468; rev:3; metadata:created_at 2013_09_17, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Flokibot CnC)"; flow:from_server,established; content:"|09 00 9c 56 80 8c 3d 64 03 c6|"; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Flokibot, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:exploit-kit; sid:2015782; rev:6; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|dnsapis.net"; distance:1; within:12; classtype:domain-c2; sid:2023555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:exploit-kit; sid:2016798; rev:4; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|msg.capital"; distance:1; within:12; classtype:domain-c2; sid:2023556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_29, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_server; dsize:69; content:"|41 00 00 00 83|"; depth:5; flowbits:set,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:exploit-kit; sid:2016349; rev:6; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in 2"; flow:established,to_client; dsize:69; content:"|41 00 00 00 85|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2025036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category TROJAN, malware_family Netwire_RAT, signature_severity Major, updated_at 2017_11_27;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:exploit-kit; sid:2016348; rev:8; metadata:created_at 2013_02_05, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a0 c9 ee 35 a4 1c 6f 74|"; distance:0; content:"|55 04 06|"; distance:0; content:"|02|AU"; distance:1; within:3; reference:md5,a8139f8c2547f11522c3d7d58b90c422; classtype:domain-c2; sid:2023590; rev:2; metadata:attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern; classtype:attempted-user; sid:2017510; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_09_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zeus OPENSSL Banker Malicious SSL Certificate Detected"; flow:from_server,established; content:"|55 04 03|"; content:"|0B|fleil42.com"; distance:1; within:12; reference:md5,50ede75eb74a0a795500cc7b8c6c9f54; classtype:domain-c2; sid:2023591; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST"; http_method; content:"/iam-ready"; fast_pattern; nocase; content:"|3c 7c 3e|"; http_header; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017518; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|izaberiauto.com"; distance:1; within:16; classtype:domain-c2; sid:2023593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017545; rev:7; metadata:created_at 2013_09_30, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp any 443 -> any any (msg:"ET MALWARE Potential Sefnit C2 traffic (from server)"; flow: from_server,established; content:"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1"; classtype:command-and-control; sid:2018449; rev:8; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2016_12_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,from_server; content:"|09 00 98 ea a6 c4 99 a7 b3 f7|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023639; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017549; rev:3; metadata:created_at 2013_10_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022627; rev:12; metadata:attack_target Client_and_Server, created_at 2016_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017550; rev:3; metadata:created_at 2013_10_02, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [6789] (msg:"ET MALWARE Possible Linux.Mirai DaHua Default Credentials Login"; flow:to_server,established; content:"888888|0d 0a|888888"; depth:14; content:"busybox telnetd -p"; distance:0; reference:url,isc.sans.edu/diary/21833; classtype:attempted-admin; sid:2023674; rev:1; metadata:attack_target IoT, created_at 2016_12_20, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2016_12_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016549; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, malware_family Angler, signature_severity Critical, tag Angler, tag Exploit_Kit, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M5"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|text/javascript"; file_data; pcre:"/^(?P<v1>\S{1,100})\s+(?P<v2>\S{1,100})\s+=\s+\x22\x22\x3b\s+(?P=v2)\s+\+\=\s+\x27(?P=v1).+?(?P=v1)\x27\x3b.+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27].+?(?P=v2)\s\+=\s[\x22\x27]/R"; classtype:trojan-activity; sid:2023673; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2016_12_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Tinba DGA NXDOMAIN Responses"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; content:"|03|com"; distance:15; within:4; fast_pattern; content:"|0c|"; distance:-17; within:1; pcre:"/^[a-z]{12}/R"; threshold: type both, track by_src, count 50, seconds 10; content:!"|08|sophosxl|03|"; reference:md5,1044af21a7c4cbc291ab418a47de52b4; reference:url,seculert.com/blog/2014/09/tiny-tinba-trojan-could-pose-big-threat.html; reference:url,garage4hackers.com/entry.php?b=3086; classtype:trojan-activity; sid:2019230; rev:2; metadata:created_at 2014_09_24, updated_at 2014_09_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a 20|http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017613; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|09 00 b9 dc 45 b2 1c 85 40 25|"; content:"|55 04 03|"; distance:0; content:"|04|host"; distance:1; within:5; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023689; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_17, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 6892 (msg:"ET MALWARE W32/Cerber.Ransomware CnC Checkin M4"; dsize:14; pcre:"/^[a-f0-9]{14}$/"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,1f41be13d5d19e1a5c76b6d7256a8df4; reference:md5,6707e861e377409bd1037452c7c5fa74; classtype:command-and-control; sid:2023695; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category MALWARE, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_01_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_11_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible Locky Ransomware Writing Encrypted File over - SMB and SMB-DS v2"; flow:to_server,established; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:6; within:2; content:"|00|.|00|l|00|o|00|c|00|k|00|y|00 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022639; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_01_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"|0d 0a|Accept"; http_header; content:"Mozilla/4.0 (SEObot)"; depth:20; http_user_agent; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017718; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Venom CnC Beacon"; flow:established,to_server; content:"|9e ab 49 31 08 53 b5 d4|"; depth:8; reference:url,security.web.cern.ch/security/venom.shtml; classtype:command-and-control; sid:2023716; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_Venom, signature_severity Major, tag c2, updated_at 2017_01_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017601; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_17, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|specadv.com"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023717; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:exploit-kit; sid:2017785; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|p.fmsacademy.it"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023718; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:3; metadata:created_at 2013_11_30, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|17|sc.jacksburgershack.com"; distance:1; within:24; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023719; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017699; rev:4; metadata:created_at 2013_11_09, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|m.williamdegel.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023720; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017863; rev:5; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|cdn.ui-data.cc"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023721; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017862; rev:4; metadata:created_at 2013_12_16, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|baikalsecret.com"; distance:1; within:17; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017864; rev:3; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|disaaxpalallow.me"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017865; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|aucom.pw"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017866; rev:4; metadata:created_at 2013_12_17, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|publicstats.tk"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:3; metadata:created_at 2013_12_18, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Chthonic CnC)"; flow:established,from_server; content:"|09 00 e6 0c cf da 58 8f a7 b2|"; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_01_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (1)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,64,0,relative; classtype:trojan-activity; sid:2018575; rev:3; metadata:created_at 2014_06_17, updated_at 2014_06_17;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Andromeda download with fake Zip header (2)"; flow:to_client,established; file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; classtype:trojan-activity; sid:2018576; rev:4; metadata:created_at 2014_06_17, updated_at 2017_01_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pony DLL Download M2"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|59 55 49 50 57 44 46 49 4c 45 30 59 55 49 50 4b 44 46 49 4c 45 30 59 55 49 43 52 59 50 54 45 44 30 59 55 49|"; classtype:trojan-activity; sid:2023741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, malware_family Pony, signature_severity Major, updated_at 2017_01_13;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil JS Ransomware"; flow:from_server,established; file_data; content:"|5c|u006d|5c|u0065|5c|u0073|5c|u0073|5c|u0061|5c|u0067|5c|u0065"; content:"<html><body|20|bgcolor=|22|#F78181|22|>"; nocase; within:100; content:"Hello.|20|Your|20|UID|3a|"; within:100; content:"|65 76 69 6c 20 72 61 6e 73 6f 6d 77 61 72 65|"; fast_pattern; within:100; content:"|75 6e 69 71 75 65 20 73 74 72 6f 6e 67 65 73 74 20 41 45 53 20 6b 65 79|"; distance:0; content:"|73 65 6e 64 20 6d 65 20 79 6f 75 72 20 55 49 44 20 74 6f|"; distance:0; content:"|4c 69 73 74 20 6f 66 20 65 6e 63 72 79 70 74 65 64 20 66 69 6c 65 73|"; distance:0; reference:md5,b9d81c51c10abd64107edc5e73a26aea; reference:url,www.cert.pl/en/news/single/evil-a-poor-mans-ransomware-in-javascript/; classtype:trojan-activity; sid:2023747; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2017_01_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DustySky PoisonIvy CnC Beacon"; flow:established,to_server; dsize:48; content:"|75 f0 01 ef 23 bf db 30 19 9f 56 74 01 f7 30 a0|"; offset:16; depth:16; reference:md5,2cd8c27bdc88ebba3e36114a1b55cef6; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:command-and-control; sid:2017548; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_04_18;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DustySky QuasarRAT CnC Beacon"; flow:established,from_server; content:"|10 00 00 00 99 9a c7 b8|"; depth:8; reference:md5,a19d4ff89a3f699a6f8237a7905e80e1; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2017_01_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:isset,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:3; metadata:created_at 2013_03_29, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 1"; flow:established,from_server; content:"|55 04 03|"; content:"|14|giftshop.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023902; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 2"; flow:established,from_server; content:"|55 04 03|"; content:"|14|estimate.mefound.com"; distance:1; within:21; classtype:domain-c2; sid:2023903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:9; metadata:created_at 2014_02_11, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 3"; flow:established,from_server; content:"|55 04 03|"; content:"|16|tradeboard.mefound.com"; distance:1; within:23; classtype:domain-c2; sid:2023904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 4"; flow:established,from_server; content:"|55 04 03|"; content:"|1c|referenceblog.ignorelist.com"; distance:1; within:29; classtype:domain-c2; sid:2023905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 5"; flow:established,from_server; content:"|07|Makeups"; content:"|55 04 03|"; distance:0; content:"|12|www.ignorelist.com"; distance:1; within:19; classtype:domain-c2; sid:2023906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:exploit-kit; sid:2018172; rev:3; metadata:created_at 2014_02_25, former_category WEB_CLIENT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 6"; flow:established,from_server; content:"|55 04 03|"; content:"|15|latest.ignorelist.com"; distance:1; within:22; classtype:domain-c2; sid:2023907; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:5; metadata:created_at 2014_02_26, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malicious SSL Cert 7"; flow:established,from_server; content:"|55 04 03|"; content:"|15|tipnews.longmusic.com"; distance:1; within:22; classtype:domain-c2; sid:2023908; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_1)"; flow:established,to_server; content:"IUgyYll"; content:"t"; within:3; content:"L"; within:3; content:"l"; within:3; content:"N"; within:3; content:"3"; within:3; content:"Q"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017774; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_27, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_1_2)"; flow:established,to_server; content:"I"; content:"U"; within:3; content:"g"; within:3; content:"y"; within:3; content:"Y"; within:3; content:"l"; within:3; content:"ltLlN3Q"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:exploit-kit; sid:2018262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_13, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_1)"; flow:established,to_server; content:"FIMmJZ"; content:"b"; within:3; content:"S"; within:3; content:"5"; within:3; content:"T"; within:3; content:"d"; within:3; content:"0"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_2_2)"; flow:established,to_server; content:"F"; content:"I"; within:3; content:"M"; within:3; content:"m"; within:3; content:"J"; within:3; content:"Z"; within:3; content:"bS5Td0"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_1)"; flow:established,to_server; content:"hSDJiWW"; content:"0"; within:3; content:"u"; within:3; content:"U"; within:3; content:"3"; within:3; content:"d"; within:3; content:"A"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018360; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string1_slide_3_2)"; flow:established,to_server; content:"h"; content:"S"; within:3; content:"D"; within:3; content:"J"; within:3; content:"i"; within:3; content:"W"; within:3; content:"W0uU3dA"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017078; rev:7; metadata:created_at 2013_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_1)"; flow:established,to_server; content:"QDM0Zlo"; content:"3"; within:3; content:"R"; within:3; content:"V"; within:3; content:"t"; within:3; content:"w"; within:3; content:"X"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern; content:"eval(function("; classtype:exploit-kit; sid:2018405; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_1_2)"; flow:established,to_server; content:"Q"; content:"D"; within:3; content:"M"; within:3; content:"0"; within:3; content:"Z"; within:3; content:"l"; within:3; content:"o3RVtwX"; within:9; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_22, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_1)"; flow:established,to_server; content:"AzNGZa"; content:"N"; within:3; content:"0"; within:3; content:"V"; within:3; content:"b"; within:3; content:"c"; within:3; content:"F"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:5; metadata:created_at 2014_04_24, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_2_2)"; flow:established,to_server; content:"A"; content:"z"; within:3; content:"N"; within:3; content:"G"; within:3; content:"Z"; within:3; content:"a"; within:3; content:"N0VbcF"; within:8; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:exploit-kit; sid:2018469; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_1)"; flow:established,to_server; content:"AMzRmWj"; content:"d"; within:3; content:"F"; within:3; content:"W"; within:3; content:"3"; within:3; content:"B"; within:3; content:"c"; within:3; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:exploit-kit; sid:2018440; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE MiniDuke CnC Beacon (string2_slide_3_2)"; flow:established,to_server; content:"A"; content:"M"; within:3; content:"z"; within:3; content:"R"; within:3; content:"m"; within:3; content:"W"; within:3; content:"jdFW3Bc"; within:10; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_21, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; classtype:trojan-activity; sid:2023940; rev:2; metadata:created_at 2015_10_14, cve url_researchcenter_paloaltonetworks_com_2017_02_unit42_magic_hound_campaign_attacks_saudi_targets_, updated_at 2017_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:4; metadata:created_at 2014_05_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious PowerSploit PowerShell Script Observed over HTTP"; flow:established,from_server; file_data; content:"CmdletBinding()"; content:"$DoNotZeroMZ"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023947; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, updated_at 2017_02_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely MAGICHOUND.FETCH Receiving PowerSploit PowerShell over HTTP"; flow:established,from_server; content:"$PEBytes"; content:"$PEBytes0=|22|TV"; distance:0; fast_pattern; reference:url,github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1; classtype:trojan-activity; sid:2023949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2017_02_16;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MAGICHOUND.FETCH SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|16|service.chrome-up.date"; distance:1; within:27; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023952; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_related, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.LEASH IRC CnC Beacon"; flow:established,to_server; content:"USER AS_a # # |3a|des|0d 0a|"; depth:20; reference:md5,3c8a142d2e3b84fb0d210250af77cc9b; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_LEASH, signature_severity Major, tag c2, updated_at 2017_02_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern; http_uri; nocase; classtype:exploit-kit; sid:2018540; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:command-and-control; sid:2015019; rev:2; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2012_07_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:command-and-control; sid:2014864; rev:2; metadata:created_at 2012_06_06, former_category MALWARE, updated_at 2012_06_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:exploit-kit; sid:2018592; rev:3; metadata:created_at 2014_06_20, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:trojan-activity; sid:2011769; rev:6; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, updated_at 2019_10_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; byte_test:3,<,1200,0,relative; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+|[a-z](?:\.[A-Za-z]){1,3})\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,13,1,relative; content:!"www."; distance:2; within:4; pcre:"/^.{2}(?P<CN>(?:(?:\d?[A-Z]?|[A-Z]?\d?)(?:[a-z]{3,20}|[a-z]{3,6}[0-9_][a-z]{3,6})\.){0,2}?(?:\d?[A-Z]?|[A-Z]?\d?)[a-z]{3,}(?:[0-9_-][a-z]{3,})?\.(?!com|org|net|tv)[a-z]{2,9})[01].*?(?P=CN)[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; content:!"GoDaddy"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_02_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018614; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|nopassworddomaine.com"; distance:1; within:22; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018615; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|asdallls.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a 20|"; content:"Foi Instalado"; nocase; fast_pattern; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:command-and-control; sid:2018646; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|12|treesaboutword.com"; distance:1; within:19; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Android Marcher C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|randfservices.co.uk"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|radomir.tk"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|ui-images.ru"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018902; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|sopelnas.co"; distance:1; within:12; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:exploit-kit; sid:2018920; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_05_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|nesiron.co"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:exploit-kit; sid:2018928; rev:4; metadata:created_at 2014_08_13, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|securityupdate.at"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:3; metadata:created_at 2014_08_14, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Chthonic MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|Anyverizozovali"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0e\x0f](?!(?:www|ns))[a-z0-9]{2,3}/R"; content:".faisrl.net"; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any 873 -> any any (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful exfiltration"; flow:from_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019089; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; pcre:"/^.[\x0a\x0b](?!(?:www|ns))[a-z0-9]{1,2}/R"; content:".kjaro.it"; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024079; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|24brb.tk"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|interface-ui.ru"; distance:1; within:16; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sogelfeld.ws"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|kmeses.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:exploit-kit; sid:2019167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_12, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|sklaaaor.com"; distance:1; within:13; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024085; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014372; rev:6; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|securessl.info"; distance:1; within:15; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014376; rev:4; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|gamagrjoba.at"; distance:1; within:14; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url,blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:exploit-kit; sid:2019194; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|19|c.beccaccechepassione.com"; distance:1; within:26; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:exploit-kit; sid:2019195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_18, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|16|shanycuusenetscape.xyz"; distance:1; within:23; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:6; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2012_09_18, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|userlicensenon.club"; distance:1; within:20; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:5; metadata:created_at 2014_09_03, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|w4ait0.com"; distance:1; within:11; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_03_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:exploit-kit; sid:2019210; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE W32/Kegotip CnC Beacon"; flow:established,to_server; content:"QXNka"; depth:5; reference:url,www.soleranetworks.com/blogs/cryptolocker-kegotip-medfos-malware-triple-threat/; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FKegotip.C; classtype:command-and-control; sid:2017627; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_10_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_04_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:exploit-kit; sid:2019185; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Backdoor.Win32.DarkComet Keepalive Inbound"; flow:from_server,established; dsize:<30; content:"KEEPALIVE"; nocase; depth:9; pcre:"/^KEEPALIVE\x7c?\d/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_04_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:exploit-kit; sid:2019226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (11)"; dsize:13<>32; content:"a"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:exploit-kit; sid:2019288; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (1)"; dsize:13<>32; content:"0"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (10)"; dsize:13<>32; content:"9"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023621; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (12)"; dsize:13<>32; content:"b"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:exploit-kit; sid:2019287; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_09_27, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (13)"; dsize:13<>32; content:"c"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (14)"; dsize:13<>32; content:"d"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern; classtype:bad-unknown; sid:2019285; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (15)"; dsize:13<>32; content:"e"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (16)"; dsize:13<>32; content:"f"; nocase; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (2)"; dsize:13<>32; content:"1"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023613; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; classtype:attempted-admin; sid:2019290; rev:3; metadata:created_at 2014_09_27, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (3)"; dsize:13<>32; content:"2"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; classtype:attempted-admin; sid:2019293; rev:3; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (4)"; dsize:13<>32; content:"3"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019322; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (5)"; dsize:13<>32; content:"4"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023616; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; classtype:attempted-admin; sid:2019323; rev:3; metadata:created_at 2014_09_30, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (6)"; dsize:13<>32; content:"5"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; metadata:created_at 2014_10_02, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (7)"; dsize:13<>32; content:"6"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023618; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert smtp any any -> any any (msg:"ET SMTP Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (8)"; dsize:13<>32; content:"7"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:2; metadata:created_at 2014_10_06, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> $EXTERNAL_NET [6892,6893] (msg:"ET MALWARE Ransomware/Cerber Checkin M3 (9)"; dsize:13<>32; content:"8"; depth:1; pcre:"/^[a-f0-9]{13,30}$/Ri"; threshold: type both, track by_src, count 1, seconds 60; reference:md5,42c677d6d8f42acd8736c4b8c75ce505; reference:md5,7f6290c02465625828cfce6a8014c34a; reference:md5,d8b2d2a5f6da2872e147011d2ea85d71; classtype:command-and-control; sid:2023620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2017_04_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:exploit-kit; sid:2018361; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_04_04, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Malicious Gzip PowerShell over HTTP"; flow:established,from_server; file_data; content:"FromBase64String"; content:"H4sIAI"; distance:0; fast_pattern; content:"GzipStream"; nocase; distance:0; classtype:trojan-activity; sid:2024221; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_18, deployment Perimeter, former_category TROJAN, malware_family PowerShell, performance_impact Moderate, signature_severity Major, tag PowerShell, updated_at 2017_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:exploit-kit; sid:2019209; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:exploit-kit; sid:2019359; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ARM Binary Downloaded via WGET Containing GoAhead and Multiple Camera RCE 0Day Vulnerabilities"; flow:from_server,established; flowbits:isset,ET.armwget; content:"/set_ftp.cgi"; fast_pattern; content:"&next_url=ftp.htm&port=21&user=ftp&pwd=ftp&dir=/&mode=PORT&upload_interval=0&svr="; distance:0; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:trojan-activity; sid:2024242; rev:2; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_04_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019371; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL cert (pyteHole Ransomware)"; flow:established,from_server; content:"|55 04 03|"; content:"|13|services.pasmik.net"; distance:1; within:20; reference:md5,f652968bfe0861b56c8bdc111d902512; classtype:trojan-activity; sid:2024246; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category MALWARE, malware_family pyteHole, signature_severity Major, tag Ransomware, updated_at 2017_04_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:targeted-activity; sid:2019368; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_09, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Red Leaves magic packet response detected (APT10 implant)"; flowbits:isset,ncc.apt10.beacon_send; flow:established,to_client; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; threshold:type limit, track by_dst, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024174; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves magic packet detected (APT10 implant)"; flow:established,to_server; dsize:12; content:"|7a 8d 9b dc|"; offset:4; depth:4; flowbits:set,ncc.apt10.beacon_send; threshold:type limit, track by_src, count 1, seconds 600; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, performance_impact Low, signature_severity Major, tag APT10, tag RedLeaves, updated_at 2017_04_28;)
 
-alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE SuperCMD CnC Beacon"; flow:established,to_server; content:"windows update "; depth:15; pcre:"/^[A-F0-9]+\x00/R"; reference:md5,816db8a1916201309d2a24b4a745305b; reference:url,blogs.rsa.com/supercmd-rat/; classtype:command-and-control; sid:2024273; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Known Hostile Domain ant.trenz .pl Lookup"; content:"|03|ant|05|trenz|02|pl|00|"; nocase; classtype:trojan-activity; sid:2024281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_05_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
+alert icmp any any -> any any (msg:"ET MALWARE Philis.J ICMP Sweep (Payload Hello World)"; icode:0; itype:0; dsize:11; content:"Hello,World"; reference:url,vil.nai.com/vil/content/v_141203.htm; reference:url,doc.emergingthreats.net/2008017; classtype:trojan-activity; sid:2008017; rev:4; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_05_11;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern; classtype:trojan-activity; sid:2019518; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET MALWARE MS Terminal Server Single Character Login possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; content:"|0d 0a|"; distance:1; within:2; nocase; pcre:"/Cookie\x3a mstshash=[a-zA-Z]\r\n/"; flowbits:set,ET.RDP.Morto; reference:cve,CAN-2001-0540; classtype:trojan-activity; sid:2021630; rev:2; metadata:created_at 2015_08_14, former_category TROJAN, updated_at 2017_05_11;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE MSIL/May Ransomware SSL Cert Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|13|mayofware.solutions"; distance:1; within:20; reference:md5,9bee9fbe8c87f491ed31e94bb0c2e06f; classtype:trojan-activity; sid:2024304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family May, signature_severity Major, tag Ransomware, updated_at 2017_05_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent Tesla Keylogger Report SMTP"; flow:established,to_server; content:"From|3a|"; nocase; content:"Subject|3a| "; nocase; content:"|5b|Agent Tesla"; fast_pattern; nocase; classtype:trojan-activity; sid:2022006; rev:3; metadata:created_at 2015_10_28, former_category TROJAN, updated_at 2017_05_18;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [445,139] (msg:"ET MALWARE Possible CryptXXX Ransomware Renaming Encrypted File SMB v2"; flow:to_server,established; content:"|FE|SMB"; offset:4; depth:4; content:"|11 00|"; distance:8; within:2; content:"|00|.|00|c|00|r|00|y|00|p|00|t|00|"; nocase; distance:0; fast_pattern; pcre:"/^[^A-Za-z0-9]/R"; classtype:trojan-activity; sid:2022840; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2016_05_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,2525,587] (msg:"ET MALWARE Executioner Ransomware Reporting Infection via SMTP"; flow:established,to_server; dsize:<40; content:"DECRYPT CODE|20 3a 20 20 20 20 20 20 20|"; fast_pattern; depth:21; reference:md5,eec4f84d12139add6d6ebf3b8c72fff7; classtype:trojan-activity; sid:2024351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Executioner, signature_severity Major, tag Ransomware, updated_at 2017_06_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern; reference:cve,2014-2820; classtype:exploit-kit; sid:2018933; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_13, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+alert icmp any any -> any any (msg:"ET MALWARE OpenSSH in ICMP Payload - Possible Covert Channel"; itype:8; icode:0; content:"openssh"; nocase; classtype:trojan-activity; sid:2024366; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2017_06_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DragonOK KHRAT Downloader Receiving Payload"; flow:established,from_server; file_data; content:".DAT,K1|22 0d 0a|fso"; reference:md5,404518f469a0ca85017136b6b5166ae3; classtype:trojan-activity; sid:2024418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category TROJAN, malware_family DragonOK, malware_family KHRAT, performance_impact Low, signature_severity Major, tag Targeted, tag APT, tag CNAPT, updated_at 2017_06_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:exploit-kit; sid:2019676; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Contents Exfil Request"; flow:established,from_server; dsize:9; content:"DLOAD|0c|1|0c|1"; depth:9; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024423; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019679; rev:4; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE x0Proto File Info Request"; flow:established,from_server; dsize:8; content:"REQF|0c|1|0c|1"; depth:8; reference:md5,3d5a4b51ff4ad8534873e02720aeff34; classtype:trojan-activity; sid:2024424; rev:1; metadata:created_at 2017_06_23, updated_at 2017_06_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:exploit-kit; sid:2019358; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus / ELF/RotaJakario CnC Checkin"; flow:established,to_server; content:"|41 61 54 03|"; offset:1; depth:4; fast_pattern; content:"|63 63 63 63 63 63 63 63|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/; reference:url,blog.netlab.360.com/stealth_rotajakiro_backdoor_en; classtype:targeted-activity; sid:2024425; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, tag Targeted, tag APT, tag OceanLotus, tag OSX, updated_at 2017_06_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (HiddenTear Variant CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|wwecuador.com"; distance:1; within:14; reference:md5,02c1da1c668ac71995f56c2c198d7d73; classtype:domain-c2; sid:2024433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_06_28, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_06_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba CnC Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:7; content:"tinba/"; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0|28|compatible|3b| MSIE 10.0|3b| Windows NT 6.1|3b| Trident|2f|6.0|29|"; http_header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024441; rev:2; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2019_10_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Striked Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; depth:4; content:".php|20|HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; content:"|0d 0a|User-Agent|3a 20|python"; distance:0; fast_pattern; content:"|0d 0a 0d 0a|crid="; distance:0; content:"&dta="; distance:0; content:!"Referer|3a|"; reference:md5,80317e3194d8f7fd495b0bf06cae2295; classtype:command-and-control; sid:2024465; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2017_07_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:command-and-control; sid:2019758; rev:3; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Parite.B Checkin 3"; flow:to_server,established; dsize:>1000; content:"|00 00 00 00 9c 00 00 00 06 00 00 00 01 00 00 00|"; offset:0; depth:16; content:"|b1 1d 00 00 02 00 00 00|"; distance:0; reference:md5,d10d6d2a29dd27b44e015dd6bf4cb346; classtype:command-and-control; sid:2024429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internet, former_category MALWARE, malware_family Parite, performance_impact Moderate, signature_severity Major, updated_at 2017_07_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:5; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [442,443,446,447,8001] (msg:"ET MALWARE Win32/Ramnit Checkin"; flow:established,to_server; dsize:6; content:"|00 ff|"; depth:2; content:"|00 00|"; distance:1; within:2; reference:md5,3fc81e102825a74b27faabbcd9408993; reference:url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html; reference:md5,5740a73856128270b37ec4afae870d12; classtype:command-and-control; sid:2018558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_06_06, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2017_07_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:3; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ISMAgent Receiving Commands from CnC Server"; flow:from_server,established; content:"|23|command|23 23|systeminfo"; offset:36; fast_pattern; content:"&&"; distance:0; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024503; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2017_07_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019901; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (JS_POWMET)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; content:"|00 00 0c|bogerando.ru"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware; reference:md5,31f83bf81b139bcc69e51df2c76a0bf2; classtype:trojan-activity; sid:2024512; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family JS_POWMET, performance_impact Low, signature_severity Major, updated_at 2017_08_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019902; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBk"; fast_pattern; classtype:trojan-activity; sid:2024534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"EAbQBzAGkASQBuAGkAdABGAGEAaQBsAGUAZ"; fast_pattern; classtype:trojan-activity; sid:2024535; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"hAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAG"; fast_pattern; classtype:trojan-activity; sid:2024536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern; nocase; content:"|0d 0a|Content-Disposition|3a 20|attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:4; metadata:created_at 2014_12_15, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible AMSI Powershell Bypass Attempt"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"System.Management.Automation.AmsiUtils"; fast_pattern; nocase; content:"amsiInitFailed"; nocase; content:"setvalue"; nocase; content:"$null"; nocase; distance:0; content:"$true"; nocase; distance:0; classtype:trojan-activity; sid:2024537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a 20|Indy"; content:"BIGFONE TOCOU"; fast_pattern; content:"Nome Comp"; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:2; metadata:created_at 2014_12_15, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B641"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"KAAsACQAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAo"; classtype:trojan-activity; sid:2024538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:exploit-kit; sid:2019315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B642"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"gALAAkACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAK"; classtype:trojan-activity; sid:2024539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Veil Powershell Encoder B643"; flow:established,from_server; file_data; content:"<script"; nocase; content:"powershell"; nocase; distance:0; content:"oACwAJAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnAC"; classtype:trojan-activity; sid:2024540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2017_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019989; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2017_08_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019990; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp [$EXTERNAL_NET,!199.30.201.192/29] any -> $HOME_NET any (msg:"ET MALWARE NetWire / Ozone / Darktrack Alien RAT - Server Hello"; flow:established,to_client; flowbits:isset,ET.NetWire; content:"|01 00 00 00 00|"; depth:5; dsize:6; reference:url,researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic; reference:url,www.circl.lu/pub/tr-23; classtype:trojan-activity; sid:2021977; rev:6; metadata:created_at 2015_10_20, former_category TROJAN, updated_at 2017_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2019991; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE LURK Trojan Communication Protocol detected"; flow:established,to_server; content:"LURK|30|"; depth:5; content:"|78 9c|"; distance:8; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014225; rev:3; metadata:created_at 2012_02_14, former_category TROJAN, updated_at 2017_08_21;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP AX M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; file_data; content:"<package"; nocase; distance:0; content:"<component"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; content:"ActiveXObject"; nocase; distance:0; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2017_08_22;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX.Pwnet.A Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|vlone.cc"; distance:1; within:9; reference:url,sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/; classtype:trojan-activity; sid:2024613; rev:1; metadata:created_at 2017_08_23, updated_at 2017_08_23;)
 
-alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Additional Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"more|7c 2d 7c|"; within:30; fast_pattern; pcre:"/^(?:FM|SM|CP|CM|MC|NF|CH|PS|PT)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Checkin to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|LOGIN|7c 2d 7c|"; within:30; fast_pattern; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Commands From CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; fast_pattern; content:"|00 00 02|"; within:30; pcre:"/^(?:Lg|Execute|FLD|Sc)\x7c\x2d\x7c/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CobianRAT Receiving Config Commands from CnC"; flow:from_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"Svr|7c 2d 7c|"; within:100; fast_pattern; pcre:"/^(?:\x40|\x21|\x23|\x7e|\x24)/R"; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CobianRAT Screenshot Exfil to CnC"; flow:to_server,established; content:"|01 00 00 00 FF FF FF FF 01|"; depth:15; content:"|02|Sc|7c 2d 7c|"; within:30; fast_pattern; content:"JFIF"; within:10; reference:md5,94911666a61beb59d2988c4fc7003e5a; reference:url,www.zscaler.com/blogs/research/cobian-rat-backdoored-rat; classtype:command-and-control; sid:2024655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category MALWARE, malware_family CobianRAT, performance_impact Low, signature_severity Major, updated_at 2017_09_01;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Bot CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?hwid="; http_uri; fast_pattern; content:"&os="; http_uri; distance:0; content:"&build="; http_uri; distance:0; content:"&cpu="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024679; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2017_09_08;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Adwind)"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.svx2id6wmwgfxela.net"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Adwind, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (URLzone)"; flow:established,from_server; content:"|55 04 03|"; content:"|08|dicco.at"; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024681; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2018_04_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020024; rev:3; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sslstatsita.info"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:exploit-kit; sid:2020070; rev:4; metadata:created_at 2014_12_26, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|11|fiftyflorston.win"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_30, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|09|lio.party"; distance:1; within:10; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024684; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern; classtype:trojan-activity; sid:2020091; rev:3; metadata:created_at 2015_01_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|115f697a1698.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024686; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020150; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (ZeusPanda MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|7193a37d9d98.bid"; distance:1; within:18; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2024687; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_09_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020151; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Backdoor.Win32/Remcos RAT pkt checker 4"; flow:established, to_server; stream_size:server,<,70; stream_size:client,<,696; stream_size:client,>,0; stream_size:server,>,35; flowbits:isset,FB180732_3; flowbits:unset,FB180732_3; threshold:type limit,track by_src,count 1, seconds 30; reference:url,blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2; classtype:trojan-activity; sid:2024698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2020_11_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET MALWARE Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020154; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 3"; flow:established, to_client; dsize:30<>33; stream_size:server, <,70; stream_size:client, <,610; stream_size:client, >,0; stream_size:server, >,35; flowbits:noalert; flowbits:isset, FB180732_2; flowbits:unset, FB180732_2; flowbits:set, FB180732_3; classtype:trojan-activity; sid:2024697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:targeted-activity; sid:2020158; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 2"; flow:established, to_server; dsize:50<>101; stream_size:server, <,35; stream_size:client, <,610; stream_size:server, >,0; stream_size:client, >,30; flowbits:noalert; flowbits:isset, FB180732_1; flowbits:unset,FB180732_1; flowbits:set,FB180732_2; classtype:trojan-activity; sid:2024696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Significant, signature_severity Major, updated_at 2017_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2019894; rev:4; metadata:created_at 2014_12_09, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] pkt checker 1"; flow:established, to_client; dsize:30<>33; stream_size:server,<,35; stream_size:client,<,513; stream_size:server,>,0; stream_size:client,>,30; flowbits:noalert; flowbits:isset,FB180732_0; flowbits:unset, FB180732_0; flowbits:set,FB180732_1; classtype:trojan-activity; sid:2024695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:exploit-kit; sid:2020207; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_19, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] pkt checker 0"; flow:established, to_server; dsize:200<>513; stream_size:client,>,0; stream_size:server,=,1; stream_size:client, <,513; flowbits:noalert; flowbits:set,FB180732_0; classtype:trojan-activity; sid:2024694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category TROJAN, malware_family Remcos, performance_impact Moderate, signature_severity Major, updated_at 2017_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:exploit-kit; sid:2020236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_22, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gh0st RAT Backdoor Checkin"; flow:established,to_server; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; content:"GET /?ocid="; offset:4; depth:11; reference:md5,1a5efd98ee8f8c69f2167ba91095835c; classtype:command-and-control; sid:2036861; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_09_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms"; flow:established,from_server; file_data; content:"|502163174a9069e5f28277c59da7fb141ee82f8e|"; classtype:command-and-control; sid:2035042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2017_09_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|30 82 04|"; depth:300; content:"|30 82 03|"; distance:1; within:3; content:"|a0 03 02 01 02 02 04|"; distance:1; within:7; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 81|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020317; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_27, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 2"; flow:established, to_server; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server, <,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_; flowbits:set, FB332502_0; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020336; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 5"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2224; stream_size:client, >,1476; stream_size:client, <,8722; flowbits:isset, FB332502_2; flowbits:unset, FB332502_2; flowbits:set, FB332502_3; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024755; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_21;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020337; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|vinci-energie.co"; distance:1; within:17; reference:md5,69f8181bfe4a53d9e0b73c81a4ae4587; classtype:domain-c2; sid:2024757; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_and_Server, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MalDoc, updated_at 2017_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020340; rev:6; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|17 03|"; depth:2; content:"|00 50|"; distance:1; within:2; fast_pattern; stream_size:server, >,1889; stream_size:server, <,2436; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024756; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:2; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 1"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 b0|"; distance:1; within:2; fast_pattern; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:set,FB346039_2; flowbits:noalert; classtype:command-and-control; sid:2024774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 0"; flow:established,to_server; content:"|17 03|"; depth:2; content:"|00 a0|"; distance:1; within:2; fast_pattern; stream_size:server,>,4868; stream_size:server,<,5949; stream_size:client,>,424; stream_size:client,<,685; flowbits:isset,FB346039_0; flowbits:unset,FB346039_0; flowbits:set,FB346039_1; flowbits:noalert; classtype:command-and-control; sid:2024773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 2"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0140|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_1; flowbits:unset,FB346039_1; flowbits:unset,FB346039_2; flowbits:set,FB346039_3; flowbits:noalert; classtype:command-and-control; sid:2024775; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:exploit-kit; sid:2020409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|04A0|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_3; flowbits:unset,FB346039_3; flowbits:set,FB346039_4; classtype:command-and-control; sid:2024776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 5"; flow:established,to_client; content:"|1503|"; depth:2; content:"|0020|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,10069; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_4; flowbits:unset,FB346039_4; classtype:command-and-control; sid:2024778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:exploit-kit; sid:2020570; rev:4; metadata:created_at 2015_02_25, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) 4"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|02 00|"; distance:1; within:2; fast_pattern; stream_size:server,>,5000; stream_size:server,<,6500; stream_size:client,>,424; stream_size:client,<,905; flowbits:isset,FB346039_2; flowbits:unset,FB346039_2; classtype:command-and-control; sid:2024777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2017_09_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:exploit-kit; sid:2020643; rev:4; metadata:created_at 2015_03_07, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil FTP STOR"; flow:established,to_server; content:"STOR Black Stealer"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2024791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020654; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE DNSMessenger Payload (TXT base64 gzip header)"; content:"|00 10 00 01|"; content:"H4sIA"; distance:7; within:5; fast_pattern; reference:url,blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html; classtype:trojan-activity; sid:2024840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category TROJAN, malware_family DNSMessenger, performance_impact Moderate, signature_severity Major, updated_at 2017_10_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020655; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp any any -> any 445 (msg:"ET MALWARE Possible Dragonfly APT Activity - SMB credential harvesting"; flow:established,to_server; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|08 00 01 00|"; distance:3; content:"|00 5c 5c|"; distance:2; within:3; content:"|5c|AME_ICON.PNG"; distance:7; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024898; rev:1; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2017_10_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:exploit-kit; sid:2020626; rev:4; metadata:created_at 2015_03_06, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|salegrutboy.eu"; distance:1; within:15; reference:md5,3b79f06be1f6909149bcadfaacfad2d0; classtype:domain-c2; sid:2024902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:3; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Snatch CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|lookmans.eu"; distance:1; within:12; reference:md5,aa50e2ce1fc07ccfbc6b916ccdbfd19b; classtype:domain-c2; sid:2024903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, malware_family Snatch, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:3; metadata:created_at 2014_09_05, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; content:"dnslog.mobi"; http_header; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024864; rev:3; metadata:created_at 2017_10_18, former_category TROJAN, updated_at 2017_10_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5; metadata:created_at 2014_10_24, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [!9997,1024:] (msg:"ET MALWARE Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:command-and-control; sid:2007917; rev:4; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020749; rev:5; metadata:created_at 2015_03_26, former_category MALWARE, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Download"; flow:established,from_server; flowbits:isset,ET.iotreaper; file_data; content:"|7f 45 4c 46|"; depth:4; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024929; rev:1; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020823; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper)"; flow:to_server,established; content:"nethelper"; http_user_agent; fast_pattern:only; pcre:"/\bnethelper\b/Vi"; reference:url,doc.emergingthreats.net/2002877; classtype:trojan-activity; sid:2002877; rev:16; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:exploit-kit; sid:2020824; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_01, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent|3a| cv_v"; http_header; reference:url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; reference:url,doc.emergingthreats.net/2003598; classtype:trojan-activity; sid:2003598; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020312; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent|3a| Varlok_"; http_header; nocase; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003931; classtype:trojan-activity; sid:2003931; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2019917; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"User-Agent|3a| WebUpdate|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008074; classtype:trojan-activity; sid:2008074; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020841; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unkown Trojan User-Agent (5.1 ...)"; flow:established,to_server; content:"User-Agent|3a| 5.1 "; http_header; reference:url,doc.emergingthreats.net/2009685; classtype:trojan-activity; sid:2009685; rev:6; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:exploit-kit; sid:2020842; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent i am ddos"; flow: established,to_server; content:"User-Agent|3A| i am ddos"; nocase; depth:300; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011484; rev:5; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2017_10_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:3; metadata:created_at 2015_04_07, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,ET.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:3; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2017_11_01;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020849; rev:3; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Fake Page URL Builder Response"; flow:to_client,established; file_data; content:"|7b 22|link|22 3a 22|http"; depth:13; content:"|22|load|22|"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024967; rev:3; metadata:created_at 2017_11_06, former_category TROJAN, updated_at 2017_11_07;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020850; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volex - OceanLotus System Profiling JavaScript (linkStorage.x00SOCKET)"; flow:to_client,established; file_data; content:"linkStorage.x00SOCKET"; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024968; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2017_11_07;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2020851; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dinwod.Dropper Win32/Xtrat.B CnC Beacon"; flow:established,to_server; dsize:<30; content:"myversion|7C|"; depth:10; pcre:"/^\d/R"; reference:md5,dd6a13ba9177a18a8cf16b52ff643abc; classtype:command-and-control; sid:2018101; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2017_11_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:2; metadata:created_at 2015_04_08, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:established,from_server; content:"|09 00 b9 5a 68 02 24 e5 3e 2e|"; fast_pattern; content:"|55 04 03|"; content:"|06|Server"; distance:1; within:7; reference:url,securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research; reference:md5,de4ef2e24306b35d29891b45c1e3fbfd; classtype:domain-c2; sid:2024979; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:exploit-kit; sid:2020985; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 1"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|88 4d 76|"; distance:5; within:3; fast_pattern; pcre:"/[\x04\x06]\x88\x4d\x76$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_13, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern; pcre:"/\/street[1-5]\.php$/U"; classtype:exploit-kit; sid:2020988; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
+alert tcp any any -> any any (msg:"ET MALWARE Lazarus FALLCHILL Fake SSL Checkin 2"; flow:established; dsize:13; content:"|17 03 01 00 08|"; depth:5; content:"|63 70 7b|"; distance:5; within:3; fast_pattern; pcre:"/[\xb0\xb2]\x63\x70\x7b$/"; reference:url,www.us-cert.gov/ncas/alerts/TA17-318A; classtype:command-and-control; sid:2024992; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family FALLCHILL, performance_impact Low, signature_severity Critical, tag Lazarus, updated_at 2017_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern; pcre:"/\/XV-\d+\.exe$/U"; classtype:exploit-kit; sid:2020989; rev:3; metadata:created_at 2015_04_24, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M1"; flow:established,from_server; file_data; content:"VwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAw"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern; classtype:exploit-kit; sid:2020992; rev:3; metadata:created_at 2015_04_24, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M2"; flow:established,from_server; file_data; content:"cAdwBCAE8AQQBHAFUAQQBkAEEAQQB1AEEARgBNAEEAWgBRAEIAeQBBAEgAWQBBAGEAUQBCAGoAQQBHAFUAQQBVAEEAQgB2AEEARwBrAEEAYgBnAEIAM"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:exploit-kit; sid:2020951; rev:4; metadata:created_at 2015_04_21, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Double Base64 Unicode Net.ServicePointManager M3"; flow:established,from_server; file_data; content:"XAHcAQgBPAEEARwBVAEEAZABBAEEAdQBBAEYATQBBAFoAUQBCAHkAQQBIAFkAQQBhAFEAQgBqAEEARwBVAEEAVQBBAEIAdgBBAEcAawBBAGIAZwBCAD"; reference:md5,45b0e5a457222455384713905f886bd4; classtype:trojan-activity; sid:2023946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021045; rev:3; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M1"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern; flowbits:set,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021042; rev:6; metadata:created_at 2015_05_01, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M2"; flow:established,from_server; file_data; content:"VwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZ"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023942; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:exploit-kit; sid:2020980; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possibly Malicious Base64 Unicode WebClient DownloadString M3"; flow:established,from_server; file_data; content:"XAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBn"; reference:md5,2a0df97277ddb361cecf8726df6d78ac; classtype:trojan-activity; sid:2023943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2017_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:exploit-kit; sid:2020979; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Possible NanoCore C2 60B"; flow:established,to_server; dsize:60; content:"|38 00 00 00|"; depth:5; pcre:"/^(?!.{0,56}\x00.{0,55}\x00.{0,54}\x00.{0,53}\x00)(?!.{0,54}\x00{2})(?!.{0,50}[A-Za-z0-9]{5})(?!(?P<b1>.).{0,53}(?P=b1).{0,52}(?P=b1).{0,51}(?P=b1).{0,50}(?P=b1))(?!.(?P<b2>.).{0,52}(?P=b2).{0,51}(?P=b2).{0,50}(?P=b2).{0,49}(?P=b2))(?!..(?P<b3>.).{0,51}(?P=b3).{0,50}(?P=b3).{0,49}(?P=b3).{0,48}(?P=b3))(?!...(?P<b4>.).{0,50}(?P=b4).{0,49}(?P=b4).{0,48}(?P=b4).{0,47}(?P=b4))(?!....(?P<b5>.).{0,49}(?P=b5).{0,48}(?P=b5).{0,47}(?P=b5).{0,46}(?P=b5))(?!.....(?P<b6>.).{0,48}(?P=b6).{0,47}(?P=b6).{0,46}(?P=b6).{0,45}(?P=b6))(?!......(?P<b7>.).{0,47}(?P=b7).{0,46}(?P=b7).{0,45}(?P=b7).{0,44}(?P=b7))(?!.......(?P<b8>.).{0,46}(?P=b8).{0,45}(?P=b8).{0,44}(?P=b8).{0,43}(?P=b8))(?!........(?P<b9>.).{0,45}(?P=b9).{0,44}(?P=b9).{0,43}(?P=b9).{0,42}(?P=b9))(?!.........(?P<b10>.).{0,44}(?P=b10).{0,43}(?P=b10).{0,42}(?P=b10).{0,41}(?P=b10))/Rs"; classtype:command-and-control; sid:2025019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MALWARE, malware_family NanoCore, tag Nanocore, updated_at 2017_11_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:exploit-kit; sid:2020983; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure"; flow:to_server,established; content:"GET"; http_method; content:"Accept|3a 20|text/*,|20|application/*|0d 0a|User-Agent|3a 20|"; http_header; depth:44; fast_pattern; content:!"Mozilla"; within:7; http_header; content:"|0d 0a|Host|3a 20|"; distance:0; http_header; content:!"Taitus"; http_header; content:!"Sling/"; http_header; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\n(?:Connection\x3a Keep-Alive\r\n)?(?:\r\n)?$/H"; classtype:trojan-activity; sid:2018394; rev:8; metadata:created_at 2014_04_16, former_category TROJAN, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Possible VirLock Connectivity Check"; flow:established,to_server; dsize:36; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; fast_pattern; threshold:type both,track by_src,count 2,seconds 10; reference:md5,94c9c2fddc99217e310d5c687adfc2f7; classtype:trojan-activity; sid:2020022; rev:3; metadata:created_at 2014_12_23, former_category TROJAN, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Webprefix checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?email="; fast_pattern:only; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^Accept\x3a\x20\*\/\*\r\nConnection\x3a\x20close\r\nHost\x3a\x20[^\r\n\x2e]+\x2e[^\r\n\x2e]+(?:\x3a\d{1,5})?\r\n(?:\r\n)?$/H"; reference:md5,8284c2202342102000ae9a04dd07bb76; classtype:command-and-control; sid:2018481; rev:9; metadata:created_at 2012_01_23, former_category MALWARE, updated_at 2017_11_27;)
 
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET HUNTING Suspicious X-mailer Synapse Inbound to SMTP Server"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2021135; rev:2; metadata:created_at 2015_05_21, former_category MALWARE, updated_at 2019_10_08;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Email Attachment Possibly Related to Mydoom.L@mm"; flow:established,to_server; content:"Subject|3a 20|"; nocase; content:"mail"; nocase; within:34; content:"name|3d 22|"; pcre:"/name\x3d\x22(message|letter|.*lebanon\x2donline\x2ecom\x2elb)?\x2ezip\x22\x0d\x0a/"; reference:md5,28110a8ea5c13859ddf026db5a8a864a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2; classtype:trojan-activity; sid:2012932; rev:8; metadata:created_at 2011_06_06, updated_at 2011_06_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:exploit-kit; sid:2021136; rev:3; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls_cert_subject; content:"CN=robervalmotores.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_11_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021150; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (Dd19271927)"; flow:established,to_server; content:"|00|llDd19271927"; fast_pattern; offset:2; depth:14; dsize:<512; reference:md5,18fcc5f04f74737ca8a3fcf65a45629c; classtype:trojan-activity; sid:2025077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_11_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:exploit-kit; sid:2020392; rev:6; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ET.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:3; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2015_04_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:exploit-kit; sid:2021219; rev:5; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent GeneralDownloadApplication"; flow:established,to_server; content:"User-Agent|3A 20|GeneralDownloadApplication"; http_header; classtype:trojan-activity; sid:2013901; rev:3; metadata:created_at 2011_11_11, former_category TROJAN, updated_at 2017_11_29;)
 
-alert tcp any any -> $HOME_NET 443 (msg:"ET MALWARE Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:2; metadata:created_at 2015_06_10, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Atraps Receiving Config via Image File (steganography)"; flow:from_server,established; flowbits:isset,ET.Zberp; file_data; content:"|FF D9 23|"; distance:0; content:"$|3a|1|3a|$"; distance:0; fast_pattern; pcre:"/^[A-Za-z0-9+/=]+\x24\x3a\d+\x3a\x24$/R"; reference:md5,3dce01df285b3570738051672664068d; classtype:trojan-activity; sid:2025070; rev:3; metadata:created_at 2016_04_06, former_category TROJAN, updated_at 2017_11_29;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021254; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns_query; content:"6dtxgqam4crv6rr6"; nocase; depth:16; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:trojan-activity; sid:2022548; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern; content:"long2str"; nocase; content:"str2long"; nocase; classtype:exploit-kit; sid:2021218; rev:4; metadata:created_at 2015_06_09, updated_at 2019_10_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Pseudo Random Domain for Web Malware (.mynumber.org)"; dns_query; content:".mynumber.org"; nocase; isdataat:!1,relative; pcre:"/^[acdefghijlmopqrtwz]{16}\.mynumber\.org$/"; reference:url,blog.lab69.com/2012/12/another-implementation-of-pseudo-random.html; classtype:bad-unknown; sid:2018766; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:exploit-kit; sid:2021033; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBoatRAT CnC Check-in"; flow:established,to_server; dsize:>48; content:"|bc b0 b0 88 88 88 88 88 88 88 88 88|"; depth:12; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/; classtype:command-and-control; sid:2025093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Perimeter, former_category MALWARE, malware_family UBoatRAT, performance_impact Low, signature_severity Major, updated_at 2017_12_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:exploit-kit; sid:2021035; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C1 (no alert)"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.Netwire.HB; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018281; rev:4; metadata:created_at 2014_03_14, updated_at 2014_03_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:exploit-kit; sid:2021037; rev:4; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat S1 (no alert)"; flow:established,from_server; dsize:5; content:"|01 00 00 00 01|"; flowbits:isset,ET.Netwire.HB.1; flowbits:isnotset,ET.Netwire.HB.2; flowbits:unset,ET.Netwire.HB.1; flowbits:set,ET.Netwire.HB.2; flowbits:noalert; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,9475f91a426ac45d1f074373034cbea6; classtype:trojan-activity; sid:2018282; rev:4; metadata:created_at 2014_03_14, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:exploit-kit; sid:2021305; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in 2"; flow:established,to_server; dsize:5; content:"|01 00 00 00 02|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,acccfa6107c712a63b1473d524461163; classtype:trojan-activity; sid:2021290; rev:2; metadata:created_at 2015_06_17, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:exploit-kit; sid:2021308; rev:3; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client HeartBeat"; flow:established,to_server; dsize:5; content:"|01 00 00 00|"; depth:4; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; flowbits:isset,ET.NetwireRAT.Client; threshold: type both,track by_src, count 3, seconds 300; reference:md5,495eef9238282e8f69f2284ca75d2ddc; classtype:trojan-activity; sid:2020566; rev:2; metadata:created_at 2015_02_25, former_category TROJAN, updated_at 2017_12_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern; classtype:exploit-kit; sid:2021310; rev:4; metadata:created_at 2015_06_19, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls_cert_subject; content:"C=AU, ST=f2tee4, L=gf23et65adt, O=tg4r6tds, OU=rst, CN=rvgvtfdf"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2025155; rev:1; metadata:attack_target Client_and_Server, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2017_12_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2021137; rev:4; metadata:created_at 2015_05_22, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Trickbot/Dyre Serial Number in SSL Cert"; flow:established,to_client; tls_cert_serial; content:"89:BF:80:13:42:0A:2E:F5"; classtype:trojan-activity; sid:2025156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2017_12_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:exploit-kit; sid:2021364; rev:3; metadata:created_at 2015_06_29, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M4"; flow:established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"This program must be run under Win"; within:125; fast_pattern; classtype:trojan-activity; sid:2025161; rev:2; metadata:created_at 2017_12_21, former_category TROJAN, updated_at 2017_12_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:exploit-kit; sid:2021373; rev:3; metadata:created_at 2015_07_02, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 20000: -> $HOME_NET 1024: (msg:"ET MALWARE Sourtoff Receiving Simda Payload"; flow:established,from_server; flowbits:isset,ET.TROJAN.Sourtoff; dsize:1300<>1500; content:"|0a c0|"; depth:2; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019313; rev:3; metadata:created_at 2014_09_29, former_category TROJAN, updated_at 2018_01_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:exploit-kit; sid:2021394; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_09, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert dns $HOME_NET any -> [82.163.143.135,82.163.142.137] any (msg:"ET MALWARE OSX/Mami Possible DNS Query to Evil DNS Server"; threshold:type limit, track by_src, count 1, seconds 60; reference:md5,8482fc5dbc6e00da151bea3eba61e360; reference:url,objective-see.com/blog/blog_0x26.html; classtype:trojan-activity; sid:2025200; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2018_01_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SchwSonne CnC Beacon M2"; flow:established,to_server; content:"C|7c|P-UID-"; depth:8; fast_pattern; content:"|7c|Microsoft"; distance:0; content:"|7c|["; distance:0; content:"]|7c|"; distance:0; classtype:command-and-control; sid:2025252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, malware_family SchwartzSonnne, signature_severity Major, tag c2, updated_at 2018_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".dll"; classtype:trojan-activity; sid:2021429; rev:3; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE DDoS Win32/Nitol.A Checkin"; flow:established,to_server; dsize:1000<>1300; content:"|fe ff ff ff|"; content:"|00 00|Win|20|"; fast_pattern; content:"|20|MB"; byte_test:1,>,0x29,-7,relative; byte_test:1,<,0x40,-7,relative; content:"MHz"; distance:0; byte_test:1,>,0x29,-7,relative; byte_test:1,<,0x40,-7,relative; content:"bps"; distance:0; content:"|20|"; distance:-5; within:1; byte_test:1,>,0x29,-2,relative; byte_test:1,<,0x40,-2,relative; reference:md5,990955327075071d4aa1f73c3c6c7e7f; reference:url,blog.netlab.360.com/public-cloud-threat-intelligence-202203/; classtype:command-and-control; sid:2036414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category MALWARE, malware_family Nitol_DDoS, performance_impact Low, signature_severity Major, updated_at 2018_02_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:exploit-kit; sid:2021435; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_02_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:3; metadata:created_at 2015_07_22, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [PTsecurity] DorkBot.Downloader CnC Beacon"; flow:established,to_server; dsize:170; content:"|45 36 27 18 08 20|"; depth:6; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,www.freebuf.com/articles/terminal/153428.html; reference:url,research.checkpoint.com/dorkbot-an-investigation/; classtype:command-and-control; sid:2025153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_02_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:exploit-kit; sid:2021036; rev:5; metadata:created_at 2015_04_30, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:command-and-control; sid:2014135; rev:4; metadata:created_at 2012_01_19, former_category MALWARE, updated_at 2018_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021542; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:6; metadata:created_at 2012_11_09, former_category TROJAN, updated_at 2018_02_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:exploit-kit; sid:2021543; rev:3; metadata:created_at 2015_07_28, updated_at 2019_10_08;)
+#alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:command-and-control; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2011_11_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2018_03_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021571; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] Ursnif Socks Proxy Check-in"; flow:established,to_server; stream_size:server,=,1; content:"|2d|"; offset:8; depth:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d30|"; distance:12; within:2; content:"|0000 0000 0000 0000 0000 0000|"; distance:1; within:12; fast_pattern; pcre:"/^[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9]{12}-0[0-9]{1}/"; flowbits:set,PT.UrsnifProxy; flowbits:noalert; classtype:trojan-activity; sid:2025444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021611; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Socks5 Proxy Connection"; flow:established,from_server; flowbits:isset,PT.UrsnifProxy; stream_size:server,=,5; dsize:3; content:"|050100|"; fast_pattern; depth:3; classtype:trojan-activity; sid:2025445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category TROJAN, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2018_03_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021612; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE QRat.Java.RAT Post-Checkin Request"; flow:established,to_server; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; depth:10; offset:2; fast_pattern; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|2c 22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2018_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2021620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE HawkEye Keylogger FTP"; flow:established,to_server; content:"STOR HawkEye"; nocase; pcre:"/^(?:_|Keylogger)/Ri"; reference:md5,85f3b302afa0989a91053af6092f3882; classtype:trojan-activity; sid:2020410; rev:4; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
 
-#alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern; classtype:exploit-kit; sid:2021637; rev:3; metadata:created_at 2015_08_17, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Variant Checkin"; flow:established,to_server; dsize:9; content:"|00 07|nemesis"; classtype:command-and-control; sid:2025552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_05_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:exploit-kit; sid:2021698; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00|"; within:30; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|0d|IT Department"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|0b|example."; distance:1; within:9; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021013; rev:7; metadata:attack_target Client_and_Server, created_at 2015_04_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family TrickBot, malware_family Dridex, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_05_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:exploit-kit; sid:2021699; rev:3; metadata:created_at 2015_08_21, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vibem.C CnC Activity"; flow:established,to_server; content:"|63 76 c4 52 99 1d 04 80 a9 1b 2d|"; depth:11; content:!"|00|"; reference:md5,bef6faabe3d80037c18fa7b806f4488e; classtype:command-and-control; sid:2025581; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2018_05_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:exploit-kit; sid:2020895; rev:7; metadata:created_at 2015_04_11, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Chrome Extension Click Fraud Activity via Websocket"; flow:established,to_client; content:"|7b 22|id|22 3a|"; within:10; content:"|2c 22|data|22 3a 7b 22|method|22 3a 22|GET|22 2c 22|url|22 3a 22|"; distance:0; content:"|22 2c 22|headers|22 3a 7b 22|"; distance:0; content:"|2c 22|timeout|22 3a|30000|2c 22|body|22 3a 22|"; distance:0; fast_pattern; threshold: type both, track by_dst, count 1, seconds 120; reference:url,www.icebrg.io/index.php?p=blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; reference:url,www.icebrg.io/blog/more-extensions-more-money-more-problems; classtype:trojan-activity; sid:2025221; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2018_06_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, updated_at 2019_10_08;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:md5,119ee859144111dbc5419f4d5fd9b6b1; reference:md5,095d76e0bc48361b40d717b238f11501; reference:md5,5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:3; metadata:created_at 2011_07_09, former_category TROJAN, updated_at 2018_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:exploit-kit; sid:2021764; rev:3; metadata:created_at 2015_09_14, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE [eSentire] Win32/Spy.Banker.ADIO CnC Checkin"; flow:to_server,established; dsize:<35; content:"|3c 7c|"; depth:2; content:"|7c 3e|OPERADOR|3c 7c 3e|"; fast_pattern; distance:0; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2018_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:exploit-kit; sid:2021787; rev:3; metadata:created_at 2015_09_16, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE QRat.Java.RAT Checkin Response"; flow:established,to_client; content:"|7b 22 6d 61 73 6d 61 67 22 3a 22|"; within:48; fast_pattern; content:"|22 2c 22 6d 61 73 76 65 72 22 3a|"; distance:0; content:"|2c 22 6d 61 73 69 64 22 3a 22|"; distance:0; content:"|22 2c 22 6e 65 65 64 2d 6d 6f 72 65 22 3a|"; distance:0; content:"|7b 22 6d 61 67 69 63 22 3a 22|"; distance:0; content:"|22 2c 22 69 6e 64 65 78 22 3a 22|"; distance:0; content:"|22 68 61 73 2d 72 65 71 75 65 73 74 65 72 22 3a|"; distance:0; content:"|22 68 61 73 2d 61 63 63 65 70 74 65 72 22 3a|"; distance:0; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:command-and-control; sid:2025392; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family QRat, signature_severity Major, updated_at 2018_07_18;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:2; metadata:created_at 2015_09_17, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Receiving Command (getavs)"; flow:established,to_client; content:"|00 00 00 00|getavs="; offset:1; depth:11; fast_pattern; reference:md5,0f0f6f48c3ee5f8e7cd3697c40002bc7; classtype:trojan-activity; sid:2036286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, deployment Perimeter, former_category MALWARE, malware_family MSIL_Crimson, performance_impact Moderate, signature_severity Major, updated_at 2018_08_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:targeted-activity; sid:2023910; rev:5; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 26"; flow:established,to_server; stream_size:server,=,1; content:"|5a 95 2a 22 4d 37 9e 51 83 55 8f|"; depth: 11; reference:md5,8f8d778bea33bc542b58c0631cf9d7e0; classtype:command-and-control; sid:2026004; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2018_08_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern; classtype:exploit-kit; sid:2021841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !139 (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2"; flow:to_server,established; content:"|12 12|"; offset:2; depth:2; content:!"|12 12|"; within:2; content:"|12 12|"; distance:2; within:2; content:!"|12 12|"; within:2; content:"|12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12 12|"; pcre:"/[^\x12][^\x4e\x38\x39\x2f\x6e\x28\x29\x30\x2d\x2e\x2c\x3e\x31\x18][\x40-\x48\x4a-\x4d\x31-\x34\x3a-\x3c\x3f\x50-\x5f\x60-\x6c\x6f\x73-\x7f\x70\x71\x20-\x27\x2a\x2b]{1,14}\x12/R"; reference:md5,00ccc1f7741bb31b6022c6f319c921ee; classtype:command-and-control; sid:2019202; rev:4; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2014_09_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021905; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Ursnif/Gamaredon Related VNC Module CnC Beacon"; flow:established,to_server; dsize:12; content:"RFB 003.008|0a|"; depth:12; reference:md5,27741793672d8b69803f3d2434743731; reference:md5,076fd584d2fcdf5110f41bcbbd9f2c62; reference:md5,49749ee8fb2a2dab83494ab0e6cf5e7b; classtype:command-and-control; sid:2035893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family PowerSniff, malware_family Punchbuggy_VNC_Module, malware_family Gamaredon, signature_severity Major, tag c2, updated_at 2018_09_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:exploit-kit; sid:2021906; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)"; flow:established,to_server; dsize:<500; content:"|00 6c 6c|"; depth:6; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x41-\x5a\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/i"; flowbits:set,ETPRO.njratgeneric; reference:md5,d68eaf3b43ba1d26b9067489bbf7ee44; classtype:command-and-control; sid:2033132; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Bladabindi, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2017_03_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:exploit-kit; sid:2021907; rev:3; metadata:created_at 2015_10_06, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VBScript Redirect Style Exe File Download"; flow:to_client,established; flowbits:isset,ET.Locky; file_data; content:"MZ"; depth:2; fast_pattern; content:"This program"; within:100; classtype:trojan-activity; sid:2026434; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, malware_family Locky, malware_family Emotet, signature_severity Major, updated_at 2018_10_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:4; metadata:created_at 2015_10_01, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent Beacon"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*"; content:!"Host|3a| yandex.ru"; pcre:"/^(?:GET|POST)\/(?:watch|search|find|results|open|search|close)\/\?(?:text=|from=|aq=|ai=|ags=|oe=|btnG=|oprnd=|utm=|channel=|itwm=)/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026437; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:exploit-kit; sid:2021939; rev:6; metadata:created_at 2015_10_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v1"; flow:established,to_server; content:"/?itwm"; fast_pattern; pcre:"/itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026438; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:targeted-activity; sid:2021985; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC XAgent itwm beacon v2"; flow:established,to_server; content:"&itwm"; fast_pattern; pcre:"/&itwm=[A-Za-z0-9\-\_]{29,35}/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026439; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:3; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NCSC APT28 - Web/request -FILE- contenttype"; flow:established,from_client; content:"-FILE-"; pcre:"/[A-Z0-9\-]{16}-FILE-[^\r\n]+.tmp/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026441; rev:2; metadata:created_at 2018_10_04, former_category MALWARE, updated_at 2018_10_04;)
 
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 69"; flow:established,to_server; content:"|e3 34 a1 ef b4 32 58 d0 f0 3d 66|"; depth:11; reference:md5,f9dbf2c028d3ad58328c190a6adb3301; classtype:command-and-control; sid:2026509; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:exploit-kit; sid:2022040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 70"; flow:established,to_server; content:"|35 cd 13 07 49 3a 45 81 02 35 bb|"; depth:11; reference:md5,8e99866b89e9349c21b34e6575f2412f; classtype:command-and-control; sid:2026510; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022068; rev:3; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 71"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; reference:md5,24bf188785e18db8fcb7dfa50363b3f5; classtype:command-and-control; sid:2026511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2022072; rev:2; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 72"; flow:established,to_server; content:"|eb e7 a2 ec 6e 3e cc a8 34 b5 91|"; depth:11; reference:md5,98a010ad867f4c36730cc6a87c94528c; classtype:command-and-control; sid:2026512; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO form-data flowbit set (noalert)"; flow:to_server,established; dsize:>0; content:"Content-Type|3a 20|multipart|2f|form-data"; fast_pattern; flowbits:set,ET.formdata; flowbits:noalert; classtype:not-suspicious; sid:2022080; rev:2; metadata:created_at 2015_11_12, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 73"; flow:established,to_server; content:"|2e 11 6e fe 1c 00 92 21 3c ce 31|"; depth:11; reference:md5,9e31ee4bb378d3cf6f80f9f30e9f810f; classtype:command-and-control; sid:2026513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:exploit-kit; sid:2022090; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+#alert tcp any any <> any any (msg:"ET MALWARE NCSC APT28 - CompuTrace_Beacon_UserAgent"; flow:established; content:"|0d0a|TagId|3a|"; fast_pattern; content: "POST / "; content:!"namequery.com"; content:!"Host: 209.53.113."; content:!"dnssearch.org"; content:!"Cookie:"; content:!"fnbcorporate.co.za"; content:!"207.6.98."; pcre:"/Mozilla\/[0-9]{1,2}.[0-9]{1,2}\(compatible\; MSIE [0-9]{1,2}.[0-9]{1,2}\;\)\x0d\x0a/"; reference:url,www.ncsc.gov.uk/content/files/protected_files/article_files/IOC-APT28-malware-advisory.pdf; classtype:targeted-activity; sid:2026440; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2018_10_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/BlackCarat Response from CnC"; flow:established,from_server; dsize:13; content:"|72 50 bf 9e|"; offset:9; depth:4; fast_pattern; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family CaratRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2018_10_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022147; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2018_11_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:exploit-kit; sid:2016923; rev:15; metadata:created_at 2013_05_25, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perl/Shellbot.SM IRC CnC Checkin"; flow:established,to_server; content:"JOIN"; depth:4; content:"Procesor - model name"; distance:0; content:"Numar Procesoare"; distance:0; fast_pattern; content:"|3a|uid="; distance:0; content:"gid="; distance:0; content:"groups="; distance:0; reference:md5,ca42fda581175fd85ba7dab8243204e4; classtype:command-and-control; sid:2026579; rev:1; metadata:attack_target Client_and_Server, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellbot_SM, performance_impact Low, signature_severity Major, tag Perl, updated_at 2018_11_05;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern; classtype:exploit-kit; sid:2020719; rev:5; metadata:created_at 2015_03_20, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screenshot"; flow:established,to_server; dsize:>1000; content:"sc.cap_sep_"; depth:11; nocase; fast_pattern; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026585; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2018_11_07;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022213; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mylobot Receiving XOR Encrypted Config (0xde)"; flow:established,from_server; content:"|00 00 00 00|"; depth:4; content:"|b6 aa aa ae e4 f1 f1|"; distance:1; within:7; fast_pattern; content:"|de 00 00 00 00|"; distance:0; reference:url,www.netformation.com/our-pov/mylobot-continues-global-infections/; classtype:trojan-activity; sid:2026613; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Mylobot, performance_impact Low, signature_severity Major, updated_at 2018_11_15;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:4; metadata:created_at 2015_12_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"md5"; depth:3; fast_pattern; content:"nnnn"; distance:12; within:4; content:"z"; distance:28; within:1; content:"z"; distance:32; within:1; content:"z"; distance:35; within:1; reference:url,thehackernews.com/2018/12/china-ransomware-wechat.html; classtype:trojan-activity; sid:2026687; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2018_12_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:exploit-kit; sid:2022242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 27 (msg:"ET MALWARE ELF/Samba CnC Checkin"; flow:established,to_server; dsize:8; content:"|11 10 10 01 22 32 21 52|"; fast_pattern; reference:url,www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution; classtype:command-and-control; sid:2026717; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category MALWARE, malware_family Samba, performance_impact Low, signature_severity Major, updated_at 2018_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:4; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RedControle Probing Infected System"; flow:established,to_server; dsize:14; content:"SE_ND_CO_NN_EC"; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:trojan-activity; sid:2026723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category TROJAN, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2018_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:3; metadata:created_at 2015_12_16, updated_at 2019_10_08;)
+alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 64bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|48 FF C5 42 0F B6|"; distance:0; fast_pattern; content:"|32 45|"; distance:2; within:2; content:"|41 88 41 FF|"; distance:1; within:4; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2018_12_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:exploit-kit; sid:2022304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_23, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AveMaria Initial CnC Checkin"; flow:established,to_server; dsize:12; content:"|29 bb 66 e4 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,app.any.run/tasks/67362469-76df-4b19-bfda-5d95a2b4d179; classtype:command-and-control; sid:2026736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_15, deployment Perimeter, former_category MALWARE, malware_family AveMaria, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2018_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".class"; nocase; fast_pattern; classtype:trojan-activity; sid:2014472; rev:8; metadata:created_at 2012_04_04, updated_at 2019_10_08;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Orion Stealer Exfil via FTP"; flow:established,to_server; content:"STOR PC|3a 20|"; depth:9; content:"/Orion Logger - System Details|3a 20|"; distance:0; fast_pattern; reference:md5,007c4edc6e1ca963a9b2e05e136142f2; classtype:trojan-activity; sid:2026741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_21, former_category TROJAN, updated_at 2018_12_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TitanFox Loader CnC Checkin"; flow:established,to_server; dsize:<100; content:"|00 01 00 01 02 02 2b 6e 65 74 2e 74 63 70 3a 2f 2f|"; depth:30; fast_pattern; reference:url,app.any.run/tasks/421691f8-bb33-4be3-abcb-6ee36e772856; classtype:command-and-control; sid:2026759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, malware_family TitanFox, performance_impact Low, signature_severity Major, tag Loader, updated_at 2019_01_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, updated_at 2019_10_08;)
+alert tcp $HOME_NET ![23,25,80,137,139,445] -> $EXTERNAL_NET 20000: (msg:"ET MALWARE Sourtoff Download Simda Request"; flow:established,to_server; dsize:18; content:"|0a 10|"; depth:2; flowbits:set,ET.TROJAN.Sourtoff; flowbits:noalert; reference:md5,5469af0daa10f8acbe552cd2f1f6a6bb; classtype:trojan-activity; sid:2019312; rev:3; metadata:created_at 2014_09_29, updated_at 2019_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022360; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AtomLogger Exfil via FTP"; flow:established,to_server; content:"Username|3a 20|"; content:"|0d 0a|Machine Name|3a 20|"; distance:0; content:"|0d 0a|Operating System|3a 20|"; distance:0; content:"|0d 0a|IP Address|3a 20|"; distance:0; content:"|0d 0a|Country|3a 20|"; distance:0; content:"|0d 0a|RAM|3a 20|"; distance:0; content:"|0d 0a|Online since|3a 20|"; distance:0; content:"|0d 0a 0d 0a 0d 0a 0d 0a|================================|0d 0a|Keystrokes and Window Log|0d 0a|"; distance:0; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026824; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2019_01_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022361; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Bitter RAT C2 Response"; flow:established,to_client; stream_size:client,=,1; stream_size:server,=,12; dsize:11; content:"|0b 00 d2 0b 00 00|"; offset:5; depth:6; reference:md5,fc516905e3237f1aa03a38a0dde84b52; classtype:command-and-control; sid:2026826; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family BitterRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:3; metadata:created_at 2016_01_20, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 85"; flow:established,to_server; content:"|c4 e2 a1 27 66 76 0b 6d bf 25 73|"; depth:11; reference:md5,c00606ac4ed2e1e8a5f503051c555e72; classtype:command-and-control; sid:2026852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 86"; flow:established,to_server; content:"|ce 4a a7 2f c0 8c 6d 5f 38 20 e9|"; depth:11; reference:md5,f78b75d64e5119f48c0644dfbcffba9d; classtype:command-and-control; sid:2026853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Remcos, updated_at 2019_01_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Remcos RAT Checkin 87"; flow:established,to_server; stream_size:server,=, 1; content:"|e9 9d ca 64 2d 84 6e 6b cc 48 16|"; depth:11; reference:md5,872fc6cc16b7ba7e2a74b03927d50e85; classtype:command-and-control; sid:2026862; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2019_01_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:5; metadata:created_at 2014_02_15, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!25,!445,!1500] (msg:"ET MALWARE Win32/BlackCarat XORed (0x77) CnC Checkin"; flow:established,to_server; dsize:>800; content:"|77 77|"; offset:2; depth:2; content:"|77|"; distance:1; within:1; content:"|77 77 77 77 77 77 77 77 77 77 77 77 77|"; distance:1; within:13; content:"|20 77 1e 77 19 77 13 77 18 77 00 77 04|"; distance:0; fast_pattern; content:!"|00 00 00 00 00 00|"; reference:md5,514AB639CD556CEBD78107B4A68A202A; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2018/AncelKuprins-VB2018-WolfSheep.pdf; classtype:command-and-control; sid:2026525; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackCarat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2019_01_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)"; flow:established,to_client; file_data; content:"PK"; within:2; content:"PK|01 02|"; distance:0; pcre:"/^.{42}[\x20-\x7f]{1,500}\.jsPK\x05\x06.{4}\x01\x00\x01\x00/Rsi"; content:".jsPK|05 06|"; nocase; fast_pattern; classtype:misc-activity; sid:2022636; rev:4; metadata:created_at 2016_03_22, former_category INFO, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:established,from_server; content:"traderserviceinfo.info"; fast_pattern; tls_cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some|20|Company"; classtype:domain-c2; sid:2026899; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:exploit-kit; sid:2022770; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated Script"; flow:established,to_client; file_data; content:"rc4=function|28|key,str|29|"; nocase; content:"key.charCodeAt|28|i%key.length|29|"; fast_pattern; nocase; distance:0; content:"String.fromCharCode|28|str.charCodeAt|28|"; content:"decodeBase64=function"; nocase; distance:0; content:"b64block="; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:exploit-kit; sid:2022772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SharpShooter Framework Generated VBS Script"; flow:established,to_client; file_data; content:"RC4|28|byteMessage, strKey|29|"; nocase; content:"function decodeBase64|28|base64|29|"; nocase; distance:0; content:".createElement|28 22|tmp|22 29|"; nocase; distance:0; content:"decoded = decodeBase64|28|"; nocase; distance:0; reference:url,www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/; reference:url,blog.morphisec.com/sharpshooter-pen-testing-framework-used-in-attacks; classtype:trojan-activity; sid:2026919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_18, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:exploit-kit; sid:2022774; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:7; metadata:created_at 2015_08_11, former_category CURRENT_EVENTS, updated_at 2015_08_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern; content:"campaigns"; http_cookie; classtype:exploit-kit; sid:2022904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Download Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A646F776E6C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:exploit-kit; sid:2022909; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F61642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:exploit-kit; sid:2022910; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Upload Command Error"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A75706C6F6164206661696C65642C"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-alert udp any any -> $HOME_NET 137 (msg:"ET INFO NBNS Name Query Response Possible WPAD Spoof BadTunnel"; byte_test:1,&,0x80,2; byte_test:1,!&,0x40,2; byte_test:1,!&,0x20,2; byte_test:1,!&,0x10,2; byte_test:1,=,0x00,3; content:"|00 00|"; offset:4; depth:2; content:"|46 48 46 41 45 42 45|"; fast_pattern; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022914; rev:2; metadata:created_at 2016_06_23, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Directory Change Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A6469726563746F7279206368616E6765642073756363657373"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Activity - Reporting Sleep Command Success"; flow:established,to_server; content:!"HTTP|2f|"; content:"2A2A72756E74696D65206368616E67656420746F2072756E74696D65"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2019_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [AV] EarthWorm/Termite IoT Agent Reporting Infection"; dsize:<500; flow:established,to_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:trojan-activity; sid:2027064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EarthWorm/Termite IoT Agent CnC Response"; dsize:<500; flow:established,from_server; content:"|00 00 00 01|"; offset:1; depth:4; content:"|00 00 00 01 6b 00 00 00 01|"; distance:7; within:9; fast_pattern; content:"agent"; distance:4; within:5; pcre:"/^\x00+?[\x20-\x7f]+?\x00+?$/R"; reference:url,github.com/anhilo/xiaogongju/tree/422136c014ba6b95ad3a746662be88372eb11b09; reference:url,www.alienvault.com/blogs/labs-research/internet-of-termites; classtype:command-and-control; sid:2027065; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family Termite, malware_family EarthWorm, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:social-engineering; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OSX/EvilOSX Client Receiving Commands"; flow:established,to_client; content:"404"; http_stat_code; file_data; content:"DEBUG"; depth:9; fast_pattern; reference:url,github.com/Marten4n6/EvilOSX/; classtype:trojan-activity; sid:2027066; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category TROJAN, malware_family EvilOSX, performance_impact Moderate, signature_severity Major, updated_at 2019_03_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:exploit-kit; sid:2023186; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family EvilTDS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET ![22,23,25,80,139,443,445] -> $HOME_NET any (msg:"ET MALWARE Netwire RAT Check-in"; flow:established,to_client; dsize:>68; content:"|41 00 00 00 05|"; depth:5; flowbits:isset,ET.NetwireRAT.Client; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:2018427; rev:4; metadata:created_at 2014_04_28, former_category TROJAN, updated_at 2019_03_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:exploit-kit; sid:2020311; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_01_26, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant Keep-Alive"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:1; within:22; fast_pattern; content:"|ff ff ff ff ff ff ff ff|"; distance:0; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:trojan-activity; sid:2027084; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
 
-alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, deployment Datacenter, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/Termite Agent Implant CnC Checkin"; flow:established,to_server; dsize:<600; content:"|00 00 00|"; offset:1; depth:3; content:"|00 00 00 00 00 00 00 ff 01|"; distance:1; within:9; content:"|ff ff ff ff ff ff ff ff|"; distance:0; content:"|00 00 00|This|20|Client|20|Node|00 00 00|"; distance:0; fast_pattern; reference:md5,2820653437d5935d94fcb0c997d6f13c; classtype:command-and-control; sid:2027083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_14, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Termite, performance_impact Low, signature_severity Major, updated_at 2019_03_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET [19400:19500] -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.POX Variant CnC"; flow:established,to_client; dsize:4; content:"|6c 69 73 74|"; reference:md5,bb15e442a527a83939d9ff1b835f99dd; classtype:command-and-control; sid:2035057; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_03_22;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.Initdz.Coinminer C2 Systeminfo (D2)"; flow:established,to_server; content:"D2|7c|System|20|Information&"; fast_pattern; depth:22; content:"Manufacturer|3a|"; distance:0; content:"Product|20|Name|3a|"; distance:0; content:"Version|3a 20|"; distance:0; content:"|0a|D3|7c|MemTotal|3a 20|"; distance:0; reference:md5,8438f4abf3bc5844af493d60ea8eb8f6; classtype:coin-mining; sid:2027150; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2019_04_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
+alert smb any any -> $HOME_NET any (msg:"ET MALWARE Covenant .NET Framework P2P C&C Protocol Gruntsvc Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"g|00|r|00|u|00|n|00|t|00|s|00|v|00|c|00|"; nocase; distance:0; fast_pattern; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:command-and-control; sid:2027326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Covenant, performance_impact Low, signature_severity Major, updated_at 2019_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> any any (msg:"ET MALWARE Win32/ElectricFish Authentication Packet Observed"; flow:established,to_server; content:"aaaabbbbccccdddd|00 00 00 00 00 00 00 00|"; depth:24; fast_pattern; content:"|00 00 04 00 00 00|"; distance:2; within:6; reference:url,www.us-cert.gov/ncas/analysis-reports/AR19-129A; classtype:trojan-activity; sid:2027340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_09, deployment Perimeter, deployment Internal, former_category TROJAN, malware_family ElectricFish, performance_impact Low, signature_severity Major, tag APT, tag T1090, tag connection_proxy, updated_at 2019_05_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern; classtype:exploit-kit; sid:2023302; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family AfraidGate, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024302; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024301; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".sys"; classtype:trojan-activity; sid:2021430; rev:4; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"; flow:established,to_server; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; http_header; fast_pattern:only; content:"Host|3a 20|"; http_header; pcre:"/^[^\s]*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.[a-z]{2,5}\x0d\x0a/HRi"; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024299; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2017_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET MALWARE Suspected ExtraPulsar Backdoor"; flow:established,to_server; content:"ExPu"; depth:11; offset:4; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,github.com/zerosum0x0/smbdoor; classtype:trojan-activity; sid:2027370; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_21, deployment Internal, former_category TROJAN, malware_family ExtraPulsar, signature_severity Major, updated_at 2019_05_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern; content:!"|7C|_dynarch_popupCalendar|7C|"; classtype:bad-unknown; sid:2015708; rev:6; metadata:created_at 2012_09_18, former_category INFO, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Sleep"; flow:established,from_server; dsize:8; content:"|16 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021151; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon - Multiple Tunnel"; flow:established,from_server; dsize:8; content:"|17 00|"; depth:2; content:!"|04 00|"; within:2; content:!"|00 00|"; within:2; content:!"|00|"; distance:2; within:1; content:!"|00|"; distance:5; within:1; flowbits:isset,ET.Linux.Moose; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021152; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:exploit-kit; sid:2023587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, malware_family Exploit_Kit_RIG, signature_severity Major, tag Exploit_kit_RIG, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.HiddenWasp; flowbits:noalert; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027395; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023482; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/HiddenWasp CnC Response"; flow:established,from_server; flowbits:isset,ET.Linux.HiddenWasp; content:"|75 63 65 73 00 01|"; depth:6; fast_pattern; reference:url,www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/; reference:md5,5b134e0a1a89a6c85f13e08e82ea35c3; classtype:command-and-control; sid:2027396; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2019_05_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:social-engineering; sid:2023743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Executable contained in DICOM Medical Image SMB File Transfer"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"DICM"; fast_pattern; distance:126; within:4; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027402; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+alert tcp any any -> $HOME_NET [104,2104,22104] (msg:"ET MALWARE Executable contained in DICOM Medical Image PACS DICOM Protocol Transfer"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027403; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:social-engineering; sid:2023745; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, signature_severity Major, updated_at 2019_10_08;)
+alert tcp any [104,2104,22104] -> $HOME_NET any (msg:"ET MALWARE Executable contained in DICOM Medical Image Received from PACS DICOM Device"; flow:established,to_client; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"DICM"; offset:128; depth:4; fast_pattern; reference:url,github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027404; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_31, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2019_05_31;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:exploit-kit; sid:2023547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 3 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Your|20|computer|20|was|20|infected|20|with|20|my|20|private|20|malware"; fast_pattern; content:"malware|20|gave|20|me|20|full"; distance:0; content:"accounts|20 28|see|20|password|20|above|29|"; distance:0; content:"MANY|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lock Emoji In Title - Possible Social Engineering Attempt"; flow:from_server,established; file_data; content:"<title>"; nocase; pcre:"/^(?:(?!<\/title).)*\x26\x23x1F512/Ri"; content:"|26 23|x1F512"; fast_pattern; classtype:trojan-activity; sid:2023749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 4 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"infected|20|you|20|with|20|a|20|malware"; content:"malware|20|gave|20|me|20|full"; distance:0; content:"collected|20|everything|20|private|20|from|20|you"; distance:0; content:"FEW|20|EMBARASSING|20|VIDEOS"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:command-and-control; sid:2023769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE cryptodefense Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a| multipart/form-data|3b 20|boundary="; pcre:"/^[\x2d]+(?P<boundry>[0-9]+)\r\n.+filename\x3d[\x22\x27](?P=boundry)[\x22\x27]/Rsi"; content:!"Referer"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:"filename="; fast_pattern:only; http_client_body; content:"form-data|3b| name="; pcre:"/^[\x22\x27][a-z][\x27\x22]/Ri"; classtype:command-and-control; sid:2018386; rev:3; metadata:created_at 2014_04_14, former_category MALWARE, updated_at 2014_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern; classtype:exploit-kit; sid:2023878; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (WAIT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|WAIT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027508; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:exploit-kit; sid:2023879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027509; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:3; metadata:created_at 2015_04_07, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (DISCONNECT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|DISCONNECT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027510; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern; content:" lonly="; http_cookie; classtype:exploit-kit; sid:2014884; rev:3; metadata:created_at 2012_06_09, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Server Response (CERT)"; flow:established,to_client; flowbits:isset,ET.Linux.Ngioweb; content:" 200 OK|0d 0a|"; content:"|0d 0a 0d 0a|CERT "; distance:0; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027511; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_06_21;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jun 2019- Dec 2019) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5d|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027672; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Dec 2019- Jul 2020) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5e|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:"<objectname xsi|3a|type=|22|ns1|3a|javax.management.ObjectName|22|>"; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Godlua Backdoor Stage-3 Client Heartbeat (Jul 2020- Jan 2021) (set)"; flow:established,to_server; flowbits:set,ET.Godlua.heartbeat; flowbits:noalert; dsize:7; content:"|02 00 04 5f|"; depth:4; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027674; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Jun 2019 - Sep 2020)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 35|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027675; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern; classtype:exploit-kit; sid:2024092; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Godlua Backdoor Stage-3 Server Heartbeat Reply (Sep 2020 - Nov 2023)"; flow:established,to_client; flowbits:isset,ET.Godlua.heartbeat; dsize:13; content:"|02 00 0a 31 36|"; depth:5; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2019_07_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:exploit-kit; sid:2023748; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_19, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2019_10_08;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,from_server; content:"|55 04 06|"; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 08|"; distance:0; pcre:"/^.\x02[A-Z]{2}/Rs"; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x20[A-Z][a-z]+)?[01]/Rs"; content:"|55 04 09|"; fast_pattern; distance:0; pcre:"/^.{2}\d{2,3}(?:\x20[A-Z][a-z]+\.?){1,3}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 0b|"; distance:0; content:"|55 04 03|"; distance:0; pcre:"/^.(.[a-z]{4,12}\.(?:us|org|net|biz|info|mobi|com)[01]).*?\x55\x04\x03.\1/Rs"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022868; rev:5; metadata:attack_target Client_and_Server, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:exploit-kit; sid:2024168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Requesting Key/Wallet/Note"; flow:established,to_server; flowbits:isset,ET.Socks5.OnionReq; flowbits:set,ET.QNAPCrypt.DetailReq; content:"GET /api/GetAvailKeysByCampId/"; depth:30; fast_pattern; content:".onion|0d 0a|User-Agent|3a 20|Go-http-client/1.1"; distance:0; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027704; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2019_07_11;)
 
-alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET INFO SMTP PDF Attachment Flowbit Set"; flow:established,from_server; content:"|0d 0a 0d 0a|JVBERi"; fast_pattern; flowbits:set,ET.pdf.in.smtp.attachment; flowbits:noalert; classtype:bad-unknown; sid:2024236; rev:3; metadata:attack_target SMTP_Server, created_at 2017_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt Successful Server Response"; flow:established,from_server; flowbits:isset,ET.QNAPCrypt.DetailReq; content:"HTTP/1.1 200 OK|0d 0a|"; depth:17; content:"Content-Type|3a 20|application/json"; distance:0; content:"|7b 22|RsaPublicKey|22 3a 22|-----BEGIN RSA PUBLIC KEY"; content:"|22 7d 2c 7b 22|BtcPublicKey|22 3a 22|"; fast_pattern; content:"|22 7d 2c 7b 22|Readme|22 3a 22|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:trojan-activity; sid:2027705; rev:1; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2019_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:command-and-control; sid:2024270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family Kazuar, signature_severity Major, tag APT, tag RUAPT, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Check-in (set)"; flow:established,to_server; dsize:>65; content:"|41 00 00 00 99|"; depth:5; flowbits:set,ET.NetwireRAT.Client; flowbits:noalert; reference:url,www.circl.lu/pub/tr-23/; reference:md5,3c4a93154378e17e71830ff164bb54c4; classtype:trojan-activity; sid:2029477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Netwire, updated_at 2019_07_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:exploit-kit; sid:2020605; rev:6; metadata:created_at 2015_03_04, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Checkin"; flow:to_server,established; dsize:200<>300; content:"|32|"; depth:1; content:"|7c 78 01|"; distance:2; within:3; pcre:"/^[0-9]{3}\x7cx/"; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bingo Exploit Kit Landing May 08 2017"; flow:established,from_server; file_data; content:"+=String.fromCharCode("; pcre:"/^[a-z]\d{3}\[[a-z]\d{3}\]\^[a-z]\d{3}\)\x3breturn [a-z]\d{3}\x3b\}/R"; content:"|29 29 29 5e|"; fast_pattern; content:".text="; pcre:"/^[a-z]\d{3}\x3b[a-z]\d{3}\.getElementsByTagName\([a-z]\d{3}\(new Array\(\d+\,/R"; content:".type="; pcre:"/^[a-z]\d{3}\(new Array\(/R"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:exploit-kit; sid:2025071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_05_10, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacknix CnC Heartbeat"; flow:to_server,established; dsize:15; content:"|7c 78 01|"; offset:2; depth:3; pcre:"/^[0-9]{2}\x7cx/"; threshold: type both, track by_src, count 5, seconds 60; reference:md5,b4e95d3ec39cf8c7347ca1c64cfed631; classtype:command-and-control; sid:2027732; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Blacknix, updated_at 2019_07_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_08;)
+#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury < 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^[a-f0-9]{40,}$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027729; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern; classtype:credential-theft; sid:2024374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_10_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert ssh [94.140.120.163,49.50.70.223,80.82.67.21,125.160.17.32] any -> any any (msg:"ET MALWARE Windigo SSH Connection Received (Ebury > 1.7.0)"; ssh_proto; content:"2.0"; ssh_software; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$$/"; reference:url,security.web.cern.ch/security/advisories/windigo/windigo.shtml; classtype:trojan-activity; sid:2027730; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Windigo, updated_at 2019_07_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 3"; flow:established,to_server; content:"|20|MSIE|20|"; http_user_agent; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_request_line; content:"POST / HTTP/1."; depth:14; fast_pattern; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; http_content_len; byte_test:0,<=,999,0,string,dec; byte_test:0,>,99,0,string,dec; classtype:command-and-control; sid:2035050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin 2"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"|20|MSIE|20|"; http_user_agent; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[03478]+)?/W"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/Ps"; http_protocol; content:"HTTP/1."; http_content_len; byte_test:0,>,150,0,string,dec; http_header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035048; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2019_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27]iddqd?\s*=/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH Remote Shell Banner"; flow:established,to_server; dsize:>100; content:"|2a 20|SUPER|20|REMOTE|20|SHELL|20|v2|2e|2|20|SSL"; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:targeted-activity; sid:2027751; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category TROJAN, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Rip Sep 05 2017 M2"; flow:established,from_server; file_data; content:"iddq"; fast_pattern; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=]*\s*=EB02EB05E8F9FFFFFF/Rsi"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2024661; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family RIG, performance_impact Moderate, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 443 (msg:"ET MALWARE [GIGAMON_ATR] FIN8 BADHATCH CnC Checkin"; flow:established,to_server; dsize:64; content:"-SH"; offset:44; depth:3; pcre:"/(?:[0-9A-F]{8}\-){5}\-SH/"; content:"|02 09 01|"; offset:52; depth:3; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027752; rev:1; metadata:created_at 2019_07_23, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2019_07_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert icmp any any -> any any (msg:"ET MALWARE Possible ICMP Backdoor Tunnel Command - whoami"; itype:8; icode:0; content:"whoami"; depth:6; nocase; reference:url,www.hackingarticles.in/command-and-control-tunnelling-via-icmp; classtype:trojan-activity; sid:2027763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_07_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024706; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 5 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"one|20|of|20|your|20|passwords|20|is|3a|"; content:"infected|20|with|20|my|20|private|20|malware"; distance:0; content:"I|20|RECORDED|20|YOU|20 28|through|20|your|20|webcam"; distance:0; fast_pattern; content:"bitcoin|20|wallet|20|is|3a|"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2027769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category TROJAN, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_07_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; classtype:social-engineering; sid:2025682; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Covenant Framework HTTP Hello World Server Response"; flow:established,to_client; file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_dst; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024895; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)"; flow:established,to_client; file_data; content:".CreateInstance(|27|Grunt.GruntStager|27|)"; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)"; flow:established,to_client; file_data; content:"toStream(assembly_str)"; content:"delegate.DynamicInvoke(array.ToArray()).CreateInstance("; distance:0; fast_pattern; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern; classtype:trojan-activity; sid:2025010; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt PowerShell Stager HTTP Download"; flow:established,to_client; file_data; content:"IO.Compression.CompressionMode]|3a 3a|Decompress"; content:".Value.Write("; distance:0; content:"Reflection.Assembly]|3a 3a|Load("; fast_pattern; distance:0; content:".EntryPoint.Invoke("; distance:0; content:"Out-Null"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern; classtype:trojan-activity; sid:2025011; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; flow:established,to_client; file_data; content:"System.IO.Compression.CompressionMode.Decompress"; content:"System.Reflection.Assembly.Load("; distance:0; content:".EntryPoint.Invoke("; distance:0; fast_pattern; content:"|3c 2f|UsingTask|3e|"; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, signature_severity Major, updated_at 2019_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern; classtype:trojan-activity; sid:2025012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M2"; flow:established,to_server; dsize:16; content:"|49 42 d4 b5 38 70 fe 86 2a 4e d2 73 0d 95 79 e5|"; reference:md5,5c12015ebeb755c0b6029468a13e59a9; classtype:command-and-control; sid:2027813; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:6; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nyanw0rm CnC Keep-Alive (Outbound) M1"; flow:established,to_server; dsize:16; content:"|73 08 e2 bc 6d 8c 9d b5 85 52 b1 e1 5d 5a 9a 8e|"; reference:md5,d6db3ac5a8022184f03a34fbfdcb926d; classtype:command-and-control; sid:2027812; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Nyanw0rm, updated_at 2019_08_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GrandSoft EK IE Exploit Jan 30 2018"; flow:established,from_server; file_data; content:"|3d 20 22 2c|&h|22|"; nocase; fast_pattern; content:"4d"; nocase; content:"5a"; nocase; within:20; content:"responseBody"; nocase; content:"Dim "; nocase; content:"Dim "; nocase; distance:0; content:"Win32_OperatingSystem"; nocase; classtype:exploit-kit; sid:2025272; rev:3; metadata:created_at 2018_01_30, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 UDP Flood Command Inbound"; flow:established,from_server; content:".udp|20|"; depth:5; fast_pattern; pcre:"/^((?:\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027837; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 DNS Flood Command Inbound"; flow:established,from_server; content:".dns|20|"; depth:5; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027838; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1 HTTP Flood Command Inbound"; flow:established,from_server; content:".http|20|"; depth:6; fast_pattern; pcre:"/^((\d{1,3}\.){3}\d{1,3}|((?:https?\x3a\/\/)?[a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/Ri"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027839; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; content:!"|a9 d5 73 d2 a0 a5 a1 69|"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_06_03, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 UDP Flood Command Inbound"; flow:established,from_server; content:"LnVkcC"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027840; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 DNS Flood Command Inbound"; flow:established,from_server; content:"LmRucy"; depth:6; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027841; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR UDP Flood Command Inbound"; flow:established,from_server; content:"|fe d5 57 68 f0 44 fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027843; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR DNS Flood Command Inbound"; flow:established,from_server; content:"|fe d6 53 76 f0 7e fb|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027844; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:6; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR HTTP Flood Command Inbound"; flow:established,from_server; content:"|fe d6 69 33 f7 4f fb c5|"; depth:8; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027845; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:social-engineering; sid:2021968; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2019_10_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Exec Command Inbound"; flow:established,from_server; content:"|fe d6 57 37 c9 50 f7|"; depth:7; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027846; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022837; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR Update Command Inbound"; flow:established,from_server; content:"|fe d5 57 74 c9 40 fc 92 e8|"; depth:9; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027847; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_08_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017299; rev:8; metadata:created_at 2013_08_08, updated_at 2019_10_08;)
+alert tcp any any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai.shiina v3 CnC Checkin"; flow:established,to_server; content:"|01 03 03 07 04 02 00 06|"; depth:8; fast_pattern; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027848; rev:1; metadata:affected_product Linux, created_at 2019_08_09, former_category MALWARE, malware_family Mirai, tag DDoS, updated_at 2019_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:exploit-kit; sid:2017993; rev:10; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2014_01_22;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014853; rev:6; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_test:1,>,SSL.Client_Hello.length,34,relative; threshold: type both, track by_src, count 5, seconds 60; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014634; rev:2; metadata:created_at 2012_04_24, updated_at 2019_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern; classtype:exploit-kit; sid:2017014; rev:4; metadata:created_at 2013_06_13, updated_at 2019_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2016_10_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geost.php?bid="; fast_pattern; classtype:command-and-control; sid:2028661; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_10_08, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Geost, updated_at 2019_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) 2019-05-30"; flow:established,to_client; tls_cert_subject; content:"CN=halatest.info"; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,twitter.com/Racco42/status/1134214372996390913; classtype:domain-c2; sid:2027414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_05_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www."; distance:1; within:5; content:".com"; distance:8; within:4; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[a-zA-Z0-9]+\x2e[01]/R"; content:"|55 04 06|"; distance:0; content:"|02|US"; distance:1; within:3; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022480; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=driversearch.site"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026644; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2018_11_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"Egypack"; nocase; http_user_agent; depth:7; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2013176; rev:7; metadata:created_at 2011_07_04, former_category EXPLOIT_KIT, updated_at 2019_10_11;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain)"; flow:from_server,established; tls_cert_subject; content:"CN=kortusops.icu"; nocase; isdataat:!1,relative; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_27, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Loader, updated_at 2018_11_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns.query; content:".ddns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:5; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns.query; content:".ddnsking.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:3; metadata:created_at 2015_05_13, former_category CURRENT_EVENTS, updated_at 2015_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns.query; content:".3utilities.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:3; metadata:created_at 2016_01_07, former_category CURRENT_EVENTS, updated_at 2016_01_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.bounceme .net"; dns.query; content:".bounceme.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028678; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:3; metadata:created_at 2015_01_29, former_category CURRENT_EVENTS, updated_at 2015_01_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net"; dns.query; content:".freedynamicdns.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028679; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:3; metadata:created_at 2015_03_31, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org"; dns.query; content:".freedynamicdns.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028680; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:3; metadata:created_at 2015_03_26, former_category CURRENT_EVENTS, updated_at 2015_03_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hopto .org"; dns.query; content:".hopto.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028681; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET MALWARE Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:2; metadata:created_at 2015_02_03, former_category CURRENT_EVENTS, updated_at 2015_02_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myftp .org"; dns.query; content:".myftp.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028684; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_04_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myvnc .com"; dns.query; content:".myvnc.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028685; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.onthewifi .com"; dns.query; content:".onthewifi.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028686; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.redirectme .net"; dns.query; content:".redirectme.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028687; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servebeer .com"; dns.query; content:".servebeer.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028688; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveblog .net"; dns.query; content:".serveblog.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028689; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com"; dns.query; content:".servecounterstrike.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028690; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveftp .com"; dns.query; content:".serveftp.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028691; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servegame .com"; dns.query; content:".servegame.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028692; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehalflife .com"; dns.query; content:".servehalflife.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028693; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehttp .com"; dns.query; content:".servehttp.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028694; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveirc .com"; dns.query; content:".serveirc.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028695; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net"; dns.query; content:".serveminecraft.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servemp3 .com"; dns.query; content:".servemp3.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028697; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servepics .com"; dns.query; content:".servepics.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028698; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servequake .com"; dns.query; content:".servequake.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028699; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.viewdns .net"; dns.query; content:".viewdns.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028701; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.webhop .me"; dns.query; content:".webhop.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028702; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.zapto .org"; dns.query; content:".zapto.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028703; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.access .ly"; dns.query; content:".access.ly"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028704; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.blogsyte .com"; dns.query; content:".blogsyte.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028705; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.brasilia .me"; dns.query; content:".brasilia.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028706; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.cable-modem .org"; dns.query; content:".cable-modem.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028707; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ciscofreak .com"; dns.query; content:".ciscofreak.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028708; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.collegefan .org"; dns.query; content:".collegefan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028709; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.couchpotatofries .org"; dns.query; content:".couchpotatofries.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028710; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.damnserver .com"; dns.query; content:".damnserver.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028711; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .me"; dns.query; content:".ddns.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028712; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ditchyourip .com"; dns.query; content:".ditchyourip.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028713; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dnsfor .me"; dns.query; content:".dnsfor.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028714; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dnsiskinky .com"; dns.query; content:".dnsiskinky.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028715; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dvrcam .info"; dns.query; content:".dvrcam.info"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028716; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dynns .com"; dns.query; content:".dynns.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028717; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.eating-organic .net"; dns.query; content:".eating-organic.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028718; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE  Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0  48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.fantasyleague .cc"; dns.query; content:".fantasyleague.cc"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028719; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.geekgalaxy .com"; dns.query; content:".geekgalaxy.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028720; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.golffan .us"; dns.query; content:".golffan.us"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028721; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.health-carereform .com"; dns.query; content:".health-carereform.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028722; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.homesecuritymac .com"; dns.query; content:".homesecuritymac.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028723; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.homesecuritypc .com"; dns.query; content:".homesecuritypc.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028724; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_10_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hosthampster .com"; dns.query; content:".hosthampster.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028725; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018246; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2014_03_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hopto .me"; dns.query; content:".hopto.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028726; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL MALWARE BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:7; metadata:created_at 2010_09_23, former_category TROJAN, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ilovecollege .info"; dns.query; content:".ilovecollege.info"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028727; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 1"; flow:established,to_server; content:"STOR|20|FIREPERF.zip"; depth:17; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027888; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.loginto .me"; dns.query; content:".loginto.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028728; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete FTP Exfil 2"; flow:established,to_server; content:"STOR|20|CRHOMEPER.zip"; depth:18; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:trojan-activity; sid:2027889; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category TROJAN, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2019_08_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mlbfan .org"; dns.query; content:".mlbfan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028729; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET MALWARE Win32/Dostre CnC Activity"; content:"|af 7d a7 38 eb f9 f7 47|"; depth:8; fast_pattern; content:"|00|"; distance:4; within:1; content:"|10 00|"; distance:1; within:2; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.fortinet.com/blog/threat-research/chinese-targeted-trojan-analysis.html; classtype:command-and-control; sid:2027892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mmafan .biz"; dns.query; content:".mmafan.biz"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028730; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Request for Zaletelly CnC Domain"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:command-and-control; sid:2014513; rev:2; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2019_08_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myactivedirectory .com"; dns.query; content:".myactivedirectory.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028731; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2017312; rev:5; metadata:created_at 2013_08_12, former_category MALWARE, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mydissent .net"; dns.query; content:".mydissent.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028732; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Large DNS Query possible covert channel"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|in|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02in\x00/i"; classtype:bad-unknown; sid:2013075; rev:9; metadata:created_at 2011_06_21, updated_at 2019_08_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myeffect .net"; dns.query; content:".myeffect.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028733; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:5; metadata:created_at 2012_08_10, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mymediapc .net"; dns.query; content:".mymediapc.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028734; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 1"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc"; nocase; distance:7; content:"|06|beacon"; nocase; offset:12; fast_pattern; pcre:"/^[\x0e-\x1e](?:[a-f0-9]{2}){1,3}(?:dc(?:[a-f0-9]{2}){1,3}){3}.[a-f0-9]{2}/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019454; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_08_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mypsx .net"; dns.query; content:".mypsx.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028735; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Beacon 2"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"dc978a97"; nocase; distance:6; content:"|05|alert"; nocase; offset:12; fast_pattern; pcre:"/^[\x08-\xFF](?:[a-f0-9]{2})*?dc978a97/Ri"; reference:md5,a5dc57aea5f397c2313e127a6e01aa00; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html; classtype:command-and-control; sid:2019455; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_10_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_08_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .com"; dns.query; content:".mysecuritycamera.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028736; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE ELF.MrBlack DOS.TF Malformed Lookup (/lib32/libc.so.6)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|0b|/lib32/libc|02|so|01|6|00|"; fast_pattern; distance:0; nocase; reference:md5,312fa52a7992e58359cb68bb0f029ea7; reference:url,blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html; classtype:trojan-activity; sid:2022335; rev:3; metadata:created_at 2016_01_07, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .net"; dns.query; content:".mysecuritycamera.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028737; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2016-12-15 to 2017-05-04)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:gdqg|hdqh|idqi|jdqj|kdqk|ldql|mdqm|ndqn|odqo|pdqp|qdqq|rdqr|sdqs|tdqt|udqu|vdqv|wdqw|xdqx|ydqy|zdqz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .org"; dns.query; content:".mysecuritycamera.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028738; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Tofsee DGA (2017-05-04 to 2017-11-02)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|07|dq"; fast_pattern; distance:0; pcre:"/^(?:adra|bdrb|cdrc|ddrd|edre|fdrf|gdrg|hdrh|idri|jdrj|kdrk|ldrl|mdrm|ndrn|odro|pdrp|qdrq|rdrr|sdrs|tdrt|udru|vdrv|wdrw|xdrx|ydry|zdrz)[a-j](?:\x02ch|\x03biz)/R"; threshold: type both, track by_src, count 10, seconds 60; classtype:trojan-activity; sid:2023678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, malware_family Spambot, malware_family Tofse, signature_severity Major, updated_at 2019_08_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.net-freaks .com"; dns.query; content:".net-freaks.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028739; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS Checkin"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; fast_pattern; pcre:"/^(?!0+30)[0-9A-Z]+30[^0-9]/R"; content:"|00|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022836; rev:4; metadata:created_at 2016_05_24, former_category MALWARE, updated_at 2019_08_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.nflfan .org"; dns.query; content:".nflfan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028740; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain peocity.com"; dns_query; content:"peocity.com"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016600; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.nhlfan .net"; dns.query; content:".nhlfan.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028741; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain skyruss.net"; dns_query; content:"skyruss.net"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016602; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.pgafan .net"; dns.query; content:".pgafan.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028742; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain commanal.net"; dns_query; content:"commanal.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016603; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.point2this .com"; dns.query; content:".point2this.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028743; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain natareport.com"; dns_query; content:"natareport.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016604; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.pointto .us"; dns.query; content:".pointto.us"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028744; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogellrey.com"; dns_query; content:"photogellrey.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016605; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.privatizehealthinsurance .net"; dns.query; content:".privatizehealthinsurance.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028745; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain creditrept.com"; dns_query; content:"creditrept.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016608; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.quicksytes .com"; dns.query; content:".quicksytes.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028746; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pollingvoter.org"; dns_query; content:"pollingvoter.org"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016609; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.read-books .org"; dns.query; content:".read-books.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028747; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dfasonline.com"; dns_query; content:"dfasonline.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016610; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.securitytactics .com"; dns.query; content:".securitytactics.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028748; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hudsoninst.com"; dns_query; content:"hudsoninst.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016611; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveexchange .com"; dns.query; content:".serveexchange.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028749; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain wsurveymaster.com"; dns_query; content:"wsurveymaster.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016612; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehumour .com"; dns.query; content:".servehumour.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028750; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nhrasurvey.org"; dns_query; content:"nhrasurvey.org"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016613; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servep2p .com"; dns.query; content:".servep2p.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028751; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain pdi2012.org"; dns_query; content:"pdi2012.org"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016614; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servesarcasm .com"; dns.query; content:".servesarcasm.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028752; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain nceba.org"; dns_query; content:"nceba.org"; depth:9; nocase; fast_pattern; classtype:trojan-activity; sid:2016615; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.stufftoread .com"; dns.query; content:".stufftoread.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028753; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain linkedin-blog.com"; dns_query; content:"linkedin-blog.com"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016616; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ufcfan .org"; dns.query; content:".ufcfan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028754; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain aafbonus.com"; dns_query; content:"aafbonus.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016617; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.unusualperson .com"; dns.query; content:".unusualperson.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028755; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain milstars.org"; dns_query; content:"milstars.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016618; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.workisboring .com"; dns.query; content:".workisboring.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028756; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain vatdex.com"; dns_query; content:"vatdex.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016619; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 M1 (set)"; flow:established,to_server; ja3.hash; content:"eb88d0b3e1961a0562f006e5ce2a0b87"; ja3.string; content:"771,49192-49191-49172-49171"; flowbits:set,ET.cobaltstrike.ja3; flowbits:noalert; classtype:command-and-control; sid:2028831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_10_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain applesea.net"; dns_query; content:"applesea.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016621; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M1 (set)"; flow:established,to_server; ja3.hash; content:"8916410db85077a5460817142dcbc8de"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028828; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledmg.net"; dns_query; content:"appledmg.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016622; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hash - Suspected Meterpreter Reverse Shell (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"e35df3e00ca4ef31d42b34bebaa2f86e"; flowbits:isset,ET.meterpreter.ja3; classtype:command-and-control; sid:2028829; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2021_07_26;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appleintouch.net"; dns_query; content:"appleintouch.net"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016623; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Suspected Meterpreter Reverse Shell M2 (set)"; flow:established,to_server; ja3.hash; content:"72a589da586844d7f0818ce684948eea"; flowbits:set,ET.meterpreter.ja3; flowbits:noalert; classtype:command-and-control; sid:2028830; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Meterpreter, signature_severity Major, updated_at 2019_10_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain appledns.net"; dns_query; content:"appledns.net"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016625; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=beastgoc.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x49.html; classtype:domain-c2; sid:2028827; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain emailserverctr.com"; dns_query; content:"emailserverctr.com"; depth:18; nocase; fast_pattern; classtype:trojan-activity; sid:2016626; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect on ActiveXObject support"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"<script>"; content:"if|20 28|window.ActiveXObject"; distance:0; content:"ActiveXObject|22 20|in window"; within:40; fast_pattern; content:"window|2e|location|2e|href|3d 22|"; within:35; content:"|7d|else|7b|"; within:100; content:"window|2e|location|2e|href|3d 22|"; within:35; classtype:exploit-kit; sid:2028833; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_10_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain slashdoc.org"; dns_query; content:"slashdoc.org"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016629; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Ping Success Code sent to CnC"; flow:established,to_server; content:"|00 00 00 00 00 65 00 00 00 00 00 00 06 00 00 00|"; startswith; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028884; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photosmagnum.com"; dns_query; content:"photosmagnum.com"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2016630; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Ping Error Code sent to CnC"; flow:established,to_server; content:"|00 00 00 00 00 66 00 00 00 00 00 00 06 00 00 00|"; startswith; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain resume4jobs.net"; dns_query; content:"resume4jobs.net"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016631; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Initalisation Bytes Received from CnC"; flow:established,from_server; content:"|FF FF 01 00 00 01 00 00 00 00 00 00|"; startswith; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028863; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain searching-job.net"; dns_query; content:"searching-job.net"; depth:17; nocase; fast_pattern; classtype:trojan-activity; sid:2016632; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - PID Injection Command"; flow:established,to_server; content:"|00 00 00 00 00 05 10|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028886; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain servagency.com"; dns_query; content:"servagency.com"; depth:14; nocase; fast_pattern; classtype:trojan-activity; sid:2016633; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Establishing Connection with New Host"; flow:established,to_server; content:"|00 00 00 00 00 D2 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain gsasmartpay.org"; dns_query; content:"gsasmartpay.org"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2016634; rev:3; metadata:created_at 2013_03_20, updated_at 2019_09_03;)
 
-#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - TCP Relay Successfully Activated on New Host"; flow:established,to_server; content:"|00 00 00 00 00 D4 00 00 00 00 00 00 00 00 00 00|"; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain tech-att.com"; dns_query; content:"tech-att.com"; depth:12; nocase; fast_pattern; classtype:trojan-activity; sid:2016635; rev:3; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_03;)
 
-#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Exchanging RC4 & XOR Encrypted Data with Internal Host"; flow:established,to_server; content:"|00 00 00 00 00 D3 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Synolocker .onion DNS lookup"; dns_query; content:"cypherxffttr7hho"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018948; rev:3; metadata:created_at 2014_08_18, updated_at 2019_09_03;)
 
-#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Socket Command Observed"; flow:established,to_server; content:"|00 00 00 00 00 D6 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.cc"; dns_query; content:"jifr.co.cc"; depth:10; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013483; rev:4; metadata:created_at 2011_08_29, updated_at 2019_09_03;)
 
-#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Named Pipe Command Observed"; flow:established,to_server; content:"|00 00 00 00 00 CF 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.be"; dns_query; content:"qfsl.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013493; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Valve/Steam HTTP Client"; depth:23; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2028651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.cc"; dns_query; content:"qfsl.co.cc"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013494; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)"; flow:established,to_server; http.user_agent; content:"MSDW"; depth:4; isdataat:!1,relative; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; classtype:unknown; sid:2027389; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.co.be"; dns_query; content:"jifr.co.be"; depth:10; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013496; rev:4; metadata:created_at 2011_08_30, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; http.uri; content:"/dns/dnslookup?la=en&host="; fast_pattern; content:"&type=A&submit=Resolve"; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0.1|3b 20|"; depth:37; content:"WININET 5.0)"; isdataat:!1,relative; http.host; content:"www.dnswatch.info"; classtype:trojan-activity; sid:2014359; rev:8; metadata:created_at 2012_03_10, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Chanitor.A DNS Lookup"; dns_query; content:"svcz25e3m4mwlauz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2019519; rev:3; metadata:created_at 2014_10_27, former_category MALWARE, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (IExplorer 34)"; flow:established,to_server; http.user_agent; content:"IExplorer 34"; bsize:12; classtype:bad-unknown; sid:2028834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns_query; content:"r2bv3u64ytfi2ssf"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019979; rev:4; metadata:created_at 2014_12_20, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logo/go.php?id="; fast_pattern; pcre:"/^\d{1,3}$/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; reference:url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787; classtype:command-and-control; sid:2013946; rev:5; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"qtrudrukmurps7tc"; depth:16; nocase; fast_pattern; reference:md5,35a7f70c5e0cd4814224c96e3c62fa42; classtype:trojan-activity; sid:2020206; rev:3; metadata:created_at 2015_01_19, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (reqwest/)"; flow:established,to_server; http.user_agent; content:"reqwest/"; depth:8; reference:md5,be59ae5fab354d29e53f11a08d805db7; classtype:bad-unknown; sid:2028842; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2019_10_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"tzsvejrzduo52siy"; depth:16; nocase; fast_pattern; reference:md5,49e988b04144b478e3f52b2abe8a5572; classtype:trojan-activity; sid:2020210; rev:3; metadata:created_at 2015_01_20, updated_at 2019_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Dyre Downloading Mailer"; flow:established,to_server; content:"GET"; http_method; content:".tar"; http_uri; content:!"Accept"; http_header; content:!"Connection|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| Win64|3b| x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36|0d 0a|Host|3a|"; depth:132; http_header; fast_pattern:50,20; pcre:"/^[^\r\n]+\r\n(?:\r\n)?$/RH"; pcre:"/\.tar$/U"; classtype:trojan-activity; sid:2020308; rev:4; metadata:created_at 2015_01_26, former_category MALWARE, updated_at 2020_08_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"ohmva4gbywokzqso"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020226; rev:3; metadata:created_at 2015_01_21, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Download Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"DownloadTracKRecord"; content:"<mac>"; distance:0; content:"<prgname>"; distance:0; content:"<cpuid>"; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptarv4hcu24ijv Domain - CryptoWall Domains"; dns_query; content:"crptarv4hcu24ijv"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020280; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoftwareTracking Site - Install Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:28; content:"/pspwebservices/service.asmx"; http.header_names; content:"|0d 0a|SOAPAction|0d 0a|"; http.request_body; content:"SSCSM_TraceRecord"; content:"<prgname>"; distance:0; content:"<macid>"; distance:0; content:"<cpuid>"; distance:0; content:"<sysname>"; distance:0; reference:md5,740c2c6573066bf64718ea773f4ad9a7; classtype:pup-activity; sid:2028878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2019_10_18;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptbfoi5i54ubez Domain - CryptoWall Domains"; dns_query; content:"crptbfoi5i54ubez"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020281; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; http.user_agent; content:"Java/"; nocase; pcre:"/^\d\d?\.\d/Ri"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:13; metadata:created_at 2010_07_30, updated_at 2019_10_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious crptcj7wd4oaafdl Domain - CryptoWall Domains"; dns_query; content:"crptcj7wd4oaafdl"; depth:16; fast_pattern; nocase; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020282; rev:3; metadata:created_at 2015_01_23, updated_at 2019_09_03;)
 
-alert smtp $HOME_NET any -> any any (msg:"ET MALWARE Unk Spam Bot Template 1 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|"; pcre:"/^(?:Cek\x20This|miss\x20[A-Za-z0-9]{2,20}|[A-Za-z0-9]{2,20}Porn)\r\n/R"; content:".scr|22 0d 0a 0d 0a|TVqQ"; distance:0; fast_pattern; classtype:trojan-activity; sid:2028892; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_10_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Critroni Tor DNS Proxy lookup"; dns_query; content:"23bteufi2kcqza2l"; depth:16; nocase; reference:md5,194a931aa49583191eedd19478396ebc; classtype:trojan-activity; sid:2019909; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:28; content:"CN=cloudcitytechnologies.com"; reference:md5,9a23881abe27dc70ca42597a1e1de354; classtype:domain-c2; sid:2028894; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"sgqjml3dstgmarn3"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020357; rev:3; metadata:created_at 2015_02_04, updated_at 2019_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobInt CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=fraud-bank.host"; nocase; endswith; classtype:domain-c2; sid:2028905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_23, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain"; dns_query; content:"brk7tda32wtkxjpa"; depth:16; nocase; fast_pattern; reference:md5,34ad24860495397c994f8ae168d0e639; classtype:trojan-activity; sid:2020581; rev:3; metadata:created_at 2015_02_27, updated_at 2019_09_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 HTTP Flood Command Inbound"; flow:established,from_server; dsize:<50; content:"Lmh0dHA"; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027842; rev:2; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_10_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (h63rbx7gkd3gygag)"; dns_query; content:"h63rbx7gkd3gygag"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020616; rev:3; metadata:created_at 2015_03_04, updated_at 2019_09_03;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Orion Logger SMTP Exfil Subject Line"; flow:to_server,established; content:"Subject|3a 20|Orion Logger - System Details - "; reference:md5,a96e8c201599af678926ac84020c87e0; classtype:command-and-control; sid:2028896; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, malware_family Orion_Logger, signature_severity Major, updated_at 2019_10_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (juf5pjk4sl7uojh4)"; dns_query; content:"juf5pjk4sl7uojh4"; depth:16; fast_pattern; nocase; reference:md5,499a46c23afe23de49346adf1b4f3a4f; reference:url,www.mogozobo.com/?p=2371; classtype:trojan-activity; sid:2020670; rev:3; metadata:created_at 2015_03_11, updated_at 2019_09_03;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Orion Logger SMTP Base64 Exfil"; flow:to_server,established; content:"Subject|3a 20|Orion Logger - System Details - "; content:"PT09PT09PT09PXwgT3Jpb24gTG9nZ2VyIC0gU3lzdGVtIERldGFpbHMgfD09PT09PT09"; distance:0; fast_pattern; reference:md5,a96e8c201599af678926ac84020c87e0; classtype:command-and-control; sid:2028897; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, malware_family Orion_Logger, signature_severity Major, updated_at 2019_10_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (4elcqmis624seeo7)"; dns_query; content:"4elcqmis624seeo7"; depth:16; fast_pattern; nocase; reference:url,teknoseyir.com/durum/291421; classtype:trojan-activity; sid:2020685; rev:3; metadata:created_at 2015_03_12, updated_at 2019_09_03;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Ping Command Inbound"; flow:established,from_server; app-layer-protocol:!http; content:"|00 00 00 00 00 FE 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_24;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu)"; dns_query; content:"erhitnwfvpgajfbu"; depth:16; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019123; rev:5; metadata:created_at 2014_09_05, updated_at 2019_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Diezen CnC Checkin M2"; flow:established,to_server; dsize:<400; content:"|20 2d 3e 20|i|20|am|20|here|20|boss|20 21 20 0d 0a|"; fast_pattern; content:"User|20|=|20|"; distance:0; content:"|20 20|MachineName|20|=|20|"; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:command-and-control; sid:2028907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, malware_family Sakabota, malware_family Diezen, performance_impact Low, signature_severity Major, updated_at 2019_10_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain (3bjpwsf3fjcwtnwx)"; dns_query; content:"3bjpwsf3fjcwtnwx"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020727; rev:3; metadata:created_at 2015_03_23, updated_at 2019_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Diezen CnC Checkin M1"; flow:established,to_server; dsize:<400; content:"|40|"; startswith; content:"|40|ID|3a 40|"; distance:0; fast_pattern; content:"|40 20 2d 3e 20|"; distance:0; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:command-and-control; sid:2028908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, malware_family Sakabota, malware_family Diezen, performance_impact Low, signature_severity Major, updated_at 2019_10_25;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (otsaa35gxbcwvrqs)"; dns_query; content:"otsaa35gxbcwvrqs"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020759; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL) 2019-10-24"; flow:established,to_client; tls.cert_subject; bsize:20; content:"CN=www.daftstone.top"; fast_pattern; reference:md5,8868702fb1825a9848eb3dd160a7bea3; classtype:domain-c2; sid:2028911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (4bpthx5z4e7n6gnb)"; dns_query; content:"4bpthx5z4e7n6gnb"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020760; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR Consensus Data Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tor/status-vote/current/consensus"; depth:34; classtype:policy-violation; sid:2028914; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_28;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (bc3ywvif4m3lnw4o)"; dns_query; content:"bc3ywvif4m3lnw4o"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020761; rev:3; metadata:created_at 2015_03_27, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Client)"; flow:established,to_server; http.user_agent; content:"Client"; bsize:6; http.header; content:"User-Agent|3a 20|Client|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028912; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_10_28;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (33p5mqkaj22irv4z)"; dns_query; content:"33p5mqkaj22irv4z"; depth:16; fast_pattern; nocase; reference:md5,1c6269fe48cba5f830a64a50bdf4ffe5; reference:url,www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/page-13; classtype:trojan-activity; sid:2020915; rev:3; metadata:created_at 2015_04_15, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Instagram Like Bot (like4u) CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/client/instagram_native/"; fast_pattern; pcre:"/^(?:likes|check|login_status)\.json\?/RU"; reference:md5,00a0737576d711a8c3a0fdf48fef035a; reference:md5,673652533091319b83a02fd82026f826; classtype:command-and-control; sid:2028915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_28;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr)"; dns_query; content:"pf3tlgkpks7pu7yr"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020952; rev:3; metadata:created_at 2015_04_21, updated_at 2019_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Instagram Like Bot (like4u) CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/client/instagram_native/login_with_status.json"; endswith; fast_pattern; reference:md5,00a0737576d711a8c3a0fdf48fef035a; reference:md5,673652533091319b83a02fd82026f826; classtype:command-and-control; sid:2028916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_28;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67)"; dns_query; content:"cld7vqwcvn2bii67"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/650d5a7d247fbe9c7f4d92e901319fec8c83fd07d4f5291f23c30f338a2e2974?environmentId=2#extracted-strings; reference:md5,4a20784de661675d281edbd48a6e2485; classtype:trojan-activity; sid:2021041; rev:3; metadata:created_at 2015_05_01, updated_at 2019_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Instagram Like Bot (like4u) CnC Domain in DNS Lookup"; dns.query; content:"like4u.ru"; bsize:9; nocase; reference:md5,00a0737576d711a8c3a0fdf48fef035a; classtype:domain-c2; sid:2028917; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_28;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (is6xsotjdy4qtgur)"; dns_query; content:"is6xsotjdy4qtgur"; depth:16; fast_pattern; nocase; reference:url,www.malware-traffic-analysis.net/2015/05/06/index.html; reference:url,www.hybrid-analysis.com/sample/99fc04d82877aea0247286d41186b985ab773b19c8cef8786ffc1fa50e35af29?environmentId=1; reference:md5,a08784f5691a0a8ce6249e1981dea82c; classtype:trojan-activity; sid:2021077; rev:3; metadata:created_at 2015_05_08, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metaploit http scanner (tested: 4.11.5 Kali)"; ja3_hash; content:"16f17c896273d1d098314a02e87dd4cb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028301; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz)"; dns_query; content:"tlunjscxn5n76iyz"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3aed0cac4a7f3053e324276c72bbf3aead783da2eb8b53bf99134a0adbcd3267?environmentId=2; reference:md5,2df314974722ef6b5a66d81292679cb4; classtype:trojan-activity; sid:2021115; rev:3; metadata:created_at 2015_05_19, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit CCS Scanner"; ja3_hash; content:"950ccdd64d360a7b24c70678ac116a44"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028302; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (wdthvb6jut2rupu4)"; dns_query; content:"wdthvb6jut2rupu4"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021163; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit HeartBleed Scanner"; ja3_hash; content:"ee031b874122d97ab269e0d8740be31a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028303; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (xwxwninkssujglja)"; dns_query; content:"xwxwninkssujglja"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021164; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Metasploit SSL Scanner"; ja3_hash; content:"6825b330bf9de50ccc8745553cb61b2f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028304; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (7fa6gldxg64t5wnt)"; dns_query; content:"7fa6gldxg64t5wnt"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; reference:md5,91da679f417040558059ccd5b1063688; classtype:trojan-activity; sid:2021165; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - mitmproxy"; ja3_hash; content:"4d01f8b1afc22e138127611b62f1e6ec"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028308; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (bpq4dub4rlivvswu)"; dns_query; content:"bpq4dub4rlivvswu"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021302; rev:3; metadata:created_at 2015_06_19, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - mitmproxy"; ja3_hash; content:"8ef6a005eae3d51b652ffe41984f8869"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028309; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (gzc7lj4rvmkg25dm)"; dns_query; content:"gzc7lj4rvmkg25dm"; depth:16; fast_pattern; nocase; reference:md5,0d7c227d4616254f9ae4976270f2f398; classtype:trojan-activity; sid:2021303; rev:3; metadata:created_at 2015_06_19, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Nikto (tested 2.1.6 - Kali)"; ja3_hash; content:"5eeeafdbc41e5ca7b81c92dbefa03ab7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028327; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Variant .onion proxy Domain (kurrmpfx6kgmsopm)"; dns_query; content:"kurrmpfx6kgmsopm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021318; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Nikto (tested 2.1.6 - Kali)"; ja3_hash; content:"f4262963691a8f123d4434c7308ad7fe"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028328; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion proxy Domain (tkjthigtqlvohs7z)"; dns_query; content:"tkjthigtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021319; rev:3; metadata:created_at 2015_06_22, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Nikto (tested v2.1.6)"; ja3_hash; content:"a563bb123396e545f5704a9a2d16bcb0"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028329; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (xvha2ctkacx2ug3b)"; dns_query; content:"xvha2ctkacx2ug3b"; depth:16; fast_pattern; nocase; reference:url,www.dropboxforum.com/hc/communities/public/questions/203834265-virus; classtype:trojan-activity; sid:2021325; rev:3; metadata:created_at 2015_06_23, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - AnglerEK"; ja3_hash; content:"96eba628dcb2b47607192ba74a3b55ba"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028360; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Poshcoder .onion Proxy Domain (hlvumvvclxy2nw7j)"; dns_query; content:"hlvumvvclxy2nw7j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021534; rev:3; metadata:created_at 2015_07_27, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - AnglerEK"; ja3_hash; content:"d55e755245ac118f2b1847c1c57b5e03"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028361; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (vacdgwaw5djp5hmu)"; dns_query; content:"vacdgwaw5djp5hmu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021549; rev:3; metadata:created_at 2015_07_29, updated_at 2019_09_03;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - Banking Phish"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2030399; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2020_06_26;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain"; dns_query; content:"des7siw5vfkznjhi"; depth:16; fast_pattern; nocase; reference:md5,ca57b9de1cae18bda994aa4bd093c571; reference:url,www.file-analyzer.net/analysis/4825; classtype:trojan-activity; sid:2021551; rev:3; metadata:created_at 2015_07_30, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Boleto Malspam"; ja3_hash; content:"4f635262ad3fb6e634daee798082c788"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028363; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain (613cb6owitcouepv)"; dns_query; content:"613cb6owitcouepv"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021561; rev:3; metadata:created_at 2015_07_31, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Boleto Malspam"; ja3_hash; content:"e9273590c7875d6367325f8714890790"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028364; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns_query; content:"7n4p5o6vlkdiqiee"; depth:16; nocase; fast_pattern; reference:md5,18dfcf3479bbd3878c0f19b80a01e813; classtype:trojan-activity; sid:2020213; rev:4; metadata:created_at 2015_01_20, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Dridex"; ja3_hash; content:"67f762b0ffe3aad00dfdb0e4b1acd8b5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028365; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns_query; content:"h36fhvsupe4mi7mm"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021849; rev:3; metadata:created_at 2015_09_30, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Dridex"; ja3_hash; content:"85bedfc1914da556aab4518390798003"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028366; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni .onion Proxy Domain (tmclybfqzgkaeilm)"; dns_query; content:"tmclybfqzgkaeilm"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022145; rev:3; metadata:created_at 2015_11_25, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Eitest Chrome Popup"; ja3_hash; content:"098f55e27d8c4b0a590102cbdb3a5f3a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028367; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt .onion Proxy Domain (tw7kaqthui5ojcez)"; dns_query; content:"tw7kaqthui5ojcez"; depth:16; fast_pattern; nocase; reference:md5,45683c29a36ef8a15f216d7c4b2af822; classtype:trojan-activity; sid:2022191; rev:3; metadata:created_at 2015_11_30, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Eitest/AnglerEK"; ja3_hash; content:"ff94b48f555edc2f0a4c8256eb0d81de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028368; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Domain (75nzutdjjtnpgscz)"; dns_query; content:"75nzutdjjtnpgscz"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022236; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Fake Firefox Font Update"; ja3_hash; content:"2efb07037a97b06201ab4fe7ec0c326e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028369; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"vf4xdqg4mp3hnw5g"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022237; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Fake Firefox Font Update"; ja3_hash; content:"df5c30e670dba99f9270ed36060cf054"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028370; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Domain"; dns_query; content:"wv55abv6bde65ek6"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2022238; rev:3; metadata:created_at 2015_12_08, updated_at 2019_09_03;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Fake Firefox Font Update"; ja3_hash; content:"a0e9f5d64349fb13191bc781f81f42e1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028371; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (czc57cr2pn3zfn4b)"; dns_query; content:"czc57cr2pn3zfn4b"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022314; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - FiestaEK"; ja3_hash; content:"c1fbfd09bd0bab610be60dd6819688f4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:exploit-kit; sid:2028372; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (o7zeip6us33igmgw)"; dns_query; content:"o7zeip6us33igmgw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022315; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Gootkit"; ja3_hash; content:"a34e8a810b5f390fc7aa5ed711fa6993"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028373; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain (vr6g2curb2kcidou)"; dns_query; content:"vr6g2curb2kcidou"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022316; rev:3; metadata:created_at 2015_12_29, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Gootkit"; ja3_hash; content:"c6e36d272db78ba559429e3d845606d1"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028374; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xlowfznrg4wf7dli)"; dns_query; content:"xlowfznrg4wf7dli"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022561; rev:3; metadata:created_at 2016_02_23, updated_at 2019_09_03;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Java Based RAT"; ja3_hash; content:"187dfde7edc8ceddccd3deeccc21daeb"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028375; rev:2; metadata:created_at 2019_09_10, deprecation_reason False_Positive, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PadCrypt .onion Payment Domain"; dns_query; content:"gnkltbsaeq35rejl"; depth:16; fast_pattern; nocase; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022569; rev:3; metadata:created_at 2016_02_26, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Malspam"; ja3_hash; content:"243a279e5aaae8841edf46d00c05195e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028376; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maktub Locker Payment Domain"; dns_query; content:"bs7aygotd2rnjl4o"; depth:16; fast_pattern; nocase; reference:md5,74add6536cdcfb8b77d10a1e7be6b9ef; classtype:trojan-activity; sid:2022634; rev:3; metadata:created_at 2016_03_21, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Malspam"; ja3_hash; content:"e7d705a3286e19ea42f587b344ee6865"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028377; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns_query; content:"twbers4hmi6dc65f"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"51b5c918558a4bfb50ce1ab1d5fddff7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028378; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Coverton Onion Domain Lookup"; dns_query; content:"lnc57humvaxpqfv3"; depth:16; nocase; fast_pattern; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:trojan-activity; sid:2022675; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"852e7534b3f722d893a7750afb5ecdcc"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028379; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xzjvzkgjxebzreap)"; dns_query; content:"xzjvzkgjxebzreap"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022711; rev:3; metadata:created_at 2016_04_06, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"a7dfa1673bb090cab6b6658861f43473"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028380; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"5qgerbbyhdz5bwca"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022764; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"aeae3901ecde8396b2f5648c02aeb37f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028381; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"yycqx6ay5oedto5f"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022765; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"e107ef8ec0296e17c3f82de949b4066c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028382; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"j2pjkgrlaopysagn"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022766; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Neutrino"; ja3_hash; content:"fd6bbdf835788b3c7d33372127470a06"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028383; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"i3e5y4ml7ru76n5e"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022767; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - NuclearEK/Malspam"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028384; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Retefe Banker .onion Domain"; dns_query; content:"iabni66w5xvwawbe"; depth:16; fast_pattern; nocase; reference:url,isc.sans.edu/diary/Retefe+is+back+in+town/20957; classtype:trojan-activity; sid:2022768; rev:3; metadata:created_at 2016_04_26, malware_family Banking_Trojan, malware_family Retefe, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - NuclearEK"; ja3_hash; content:"fd2273056f386e0ba8004e897c337037"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028385; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (hw5qrh6fxv2tnaqn)"; dns_query; content:"hw5qrh6fxv2tnaqn"; depth:16; fast_pattern; nocase; reference:url,nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/; classtype:trojan-activity; sid:2022806; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"1848357994c2851c809cb01bae7d631c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028386; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (eqrvbczir5ua2emd)"; dns_query; content:"eqrvbczir5ua2emd"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022817; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - RigEK"; ja3_hash; content:"2d44457ca7a1e0e754664c8469ce62a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028387; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns_query; content:"ajj3a7gfmgwmhhoz"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022843; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malfams"; ja3_hash; content:"bafc6b01eae6f4350f5db6805ace208e"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028388; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"gccxqpuuylioxoip"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - TBot / Skynet Tor Botnet"; ja3_hash; content:"b50f81ae37fb467713e167137cf14540"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028389; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns_query; content:"yuysikankhqvdwdv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Trickbot"; ja3_hash; content:"294b2f1dc22c6e6c3231d2fe311d504b"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028390; rev:2; metadata:created_at 2019_09_10, former_category JA3, malware_family TrickBot, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (f5xraa2y2ybtrefz)"; dns_query; content:"f5xraa2y2ybtrefz"; depth:16; fast_pattern; nocase; reference:md5,5eeeeb093ee02d3769886880f8a58a90; classtype:trojan-activity; sid:2023247; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Unknown traffic associated with Dridex"; ja3_hash; content:"b9103d9d134e0c59cafbe4ae0a8299a8"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028391; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns_query; content:"anbqjdoyw6wkmpeu"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023328; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"3fab5d0fe3b2408c8b2251b46d3895de"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028392; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"6kaqkavhpu5dln6x"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023503; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"6f702efe6480d2a1c9f85b73b8a4794a"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028393; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain"; dns_query; content:"mvy3kbqc4adhosdy"; depth:16; nocase; fast_pattern; reference:url,twitter.com/PolarToffee/status/796079699478900736; classtype:trojan-activity; sid:2023504; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family XRatLocker, malware_family AiraCrop, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - USPS Malspam"; ja3_hash; content:"92579701f145605e9edc0b01a901c6d5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028394; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:"27c73bq66y4xqoh7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023578; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Eitest"; ja3_hash; content:"1074895078955b2db60423ed2bf8ac23"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028395; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (goldenhjnqvc2lld)"; dns_query; content:"goldenhjnqvc2lld"; depth:16; fast_pattern; nocase; classtype:command-and-control; sid:2023584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various EK"; ja3_hash; content:"51a7ad14509fd614c7bb3a50c4982b8c"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,raw.githubusercontent.com/salesforce/ja3/master/lists/osx-nix-ja3.csv; classtype:unknown; sid:2028396; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Goldeneye .onion Payment Domain (golden2uqpiqcs6j)"; dns_query; content:"golden2uqpiqcs6j"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malspam/RigEK"; ja3_hash; content:"3b483d0b34894548b602e8d18cdc24c5"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028397; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Popcorn-Time .onion Payment Domain (3hnuhydu4pd247qb)"; dns_query; content:"3hnuhydu4pd247qb"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023589; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Malspam/RigEK/Dreambot"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028398; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Maktub .onion Payment Domain (maktubebz6z6cgtw)"; dns_query; content:"maktubebz6z6cgtw"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023655; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various RigEK/Cryptowall/Dridex"; ja3_hash; content:"2d8794cb7b52b777bee2695e79c15760"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028399; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE SHUJIN .onion Payment Page"; dns_query; content:"eqlc75eumpb77ced"; depth:16; fast_pattern; nocase; reference:md5,d59a27b1e0a46cc185f1937ca42f300a; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/; classtype:trojan-activity; sid:2022798; rev:4; metadata:created_at 2016_05_06, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various RigEK/Dridex/Kovter"; ja3_hash; content:"df8bfc363eeba63ab938cb2190ccd7b7"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028400; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"fmwdvmk2ejgbl5pi"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2023737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex"; ja3_hash; content:"6734f37431670b3ab4292b8f60f29984"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028401; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"hctppfblwfot6ces"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Superfish"; ja3_hash; content:"1b5a75e6d0f679aa312edb060ea8d932"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028402; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"j24ojpexpgaorlxj"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Possible Superfish"; ja3_hash; content:"cfaa6f79904b33fdca83dbb5d4b537d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028403; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"lmhrmbouhkffosig"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023731; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Rapid7 Nexpose"; ja3_hash; content:"c22dea495cef869edbeb3458adaf497f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028413; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"neo73ruk6mprlmww"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023732; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - sqlmap (tested: v1.0-dev kali)"; ja3_hash; content:"615788655a0e65b71e47c3ebe2302564"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028467; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"padcrympj5rvgwed"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023733; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - sqlmap (tested: v1.0.7.0 OS X)"; ja3_hash; content:"1ab5d0f756e0692a975fda9a6474969f"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028468; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware PadCrypt .onion Proxy Domain"; dns_query; content:"qli26fihoid5qwo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023734; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - WPScan (tested: 2.9 Kali)"; ja3_hash; content:"4c8ff2ddb1890482e5989b80e48b54d4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; classtype:unknown; sid:2028556; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"r4i3izmyccncfrsr"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023735; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"1aa7bf8b97e540ca5edd75f7b8384bfa"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028757; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CryptoWall .onion Proxy Domain"; dns_query; content:"rq5w3yn6qgbu4mo5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2023736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Quakbot"; ja3_hash; content:"3cda52da4ade09f1f781ad2e82dcfa20"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028758; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker .onion Proxy Domain (zbqxpjfvltb6d62m)"; dns_query; content:"zbqxpjfvltb6d62m"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:trojan-activity; sid:2021252; rev:4; metadata:created_at 2015_06_11, former_category TROJAN, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Quakbot"; ja3_hash; content:"7dd50e112cd23734a310b90f6f44a7cd"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028759; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"mjs2bcdrttpmm7pp"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Troldesh Ransomware"; ja3_hash; content:"1be3ecebe5aa9d3654e6e703d81f6928"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028760; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category JA3, signature_severity Major, tag Ransomware, updated_at 2019_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"sloryvugp4abxnfu"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gootkit"; ja3_hash; content:"c5235d3a8b9934b7fbbd204d50bc058d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028761; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"u73tcilcw2cw2by5"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024112; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"e62a5f4d538cbf169c2af71bec2399b4"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028762; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"xijymvzq4zkyubfe"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024113; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adwind"; ja3_hash; content:"d2935c58fe676744fecc8614ee5356c7"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028763; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zmsr22fviy7kxihf"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024114; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adwind"; ja3_hash; content:"decfb48a53789ebe081b88aabb58ee34"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028764; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zuotmsnm7vh2jx77"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024115; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"51c64c77e60f3980eea90869b68c58a8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028765; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"zxungms47m6ecj7t"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024116; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"cb98a24ee4b9134448ffb5714fd870ac"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028766; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns_query; content:"cze2agbxnpkc5hdk"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024117; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"f22bdd57e3a52de86cda40da2d84e83b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028767; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Cradle Ransomware Onion Domain"; dns_query; content:"pn6fsogszhqlxz4n"; depth:16; nocase; fast_pattern; reference:md5,53f6f9a0d0867c10841b815a1eea1468; classtype:trojan-activity; sid:2024205; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cradle, signature_severity Major, tag Ransomware, updated_at 2019_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"fb58831f892190644fe44e25bc830b45"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028768; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tor based locker .onion Proxy DNS lookup July 31 2014"; dns_query; content:"iet7v4dciocgxhdv"; depth:16; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018874; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"0cc1e84568e471aa1d62ad4158ade6b5"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028769; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".velodrivve.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.velodrivve\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"2092e1fffb45d7e4a19a57f9bc5e203a"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028770; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".bedrifg.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bedrifg\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"d18a4da84af59e1108862a39bae7c9d4"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028771; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".fedbook.org"; fast_pattern; pcre:"/[a-z]{4,10}\.fedbook\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"b386946a5a44d1ddcc843bc75336dfce"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028772; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".goodbird.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.goodbird\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022731; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"8498fe4268764dbf926a38283e9d3d8f"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028773; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".verekt.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.verekt\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"20dd18bdd3209ea718989030a6f93364"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028774; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".barrout.org"; fast_pattern; pcre:"/[a-z]{4,10}\.barrout\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"8991a387e4cc841740f25d6f5139f92d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028775; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".biojart.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.biojart\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022762; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"e330bca99c8a5256ae126a55c4c725c5"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028776; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns_query; content:".benefin.org"; fast_pattern; pcre:"/[a-z]{4,10}\.benefin\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_08_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"83e04bc58d402f9633983cbf22724b02"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028777; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d)"; dns_query; content:"v7lfogalalzc2c4d"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020953; rev:4; metadata:created_at 2015_04_21, updated_at 2019_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"b8f81673c0e1d29908346f3bab892b9b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028778; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin"; flow:established,to_server; content:"Clientx|2c 20|Version="; fast_pattern; content:"ProClient.Data"; distance:0; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"d551fafc4f40f1dec2bb45980bfa9492"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028779; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] BlackRAT Checkin Response"; flow:established,to_client; content:"|2c 20|Version="; content:"BlackRAT.Data"; distance:0; fast_pattern; content:"data|05|bytes"; distance:0; reference:md5,7aa313d007a538f7453a0f0f3b76ba1f; classtype:command-and-control; sid:2028565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"29085f03f8e8a03f0b399c5c7cf0b0b8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028780; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"bc6c386f480ee97b9d9e52d472b772d8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028781; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (O365 Profile) M2"; flow:established,to_client; http.header; content:"16723708fc9|0d 0a|X-CalculatedBETarget|3a 20|BY2PR06MB549.namprd06.prod.outlook.com"; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"b13d01846ad7a14a70bf030a16775c78"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028782; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Response (YouTube Profile)"; flow:established,to_client; http.header; content:"Frontend Proxy|0d 0a|Set-Cookie|3a 20|YSC=LT4ZGGSgKoE|3b|"; fast_pattern; content:"X-FEServer|3a 20|CY4PR02CA0010"; distance:0; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2019_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"698e36219f3979420fa2581b21dac7ec"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028783; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http any any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible GhostMiner CCBOT Component - CnC Checkin"; flow:established,to_server; content:"/Update/CC/CC.php"; startswith; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/; classtype:command-and-control; sid:2028604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family GhostMiner, performance_impact Low, signature_severity Major, updated_at 2019_09_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Torrentlocker"; ja3_hash; content:"1712287800ac91b34cadd5884ce85568"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028784; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; classtype:trojan-activity; sid:2011585; rev:4; metadata:created_at 2010_09_29, updated_at 2019_09_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"550dce18de1bb143e69d6dd9413b8355"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028785; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Eclipse.DDOSBot CnC Beacon Response"; flow:established,to_client; file_data; content:"<base>PGNtZD"; within:12; reference:url,www.arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising/; classtype:command-and-control; sid:2018423; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"d7150af4514b868defb854db0f62a441"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028786; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; endswith; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"df5c30e670dba99f9270ed36060cf054"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028787; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; endswith; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:3; metadata:created_at 2013_04_19, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"7dcce5b76c8b17472d024758970a406b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028788; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE njRAT Variant Outbound CnC Beacon"; flow:established,to_server; content:"|7c|nj-q8"; endswith; classtype:command-and-control; sid:2021057; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"911479ac8a0813ed1241b3686ccdade9"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028789; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE LuminosityLink - Inbound Data Channel CnC Delimiter"; flow:established,to_client; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"03e186a7f83285e93341de478334006e"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028790; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE LuminosityLink - Outbound Data Channel CnC Delimiter"; flow:established,to_server; dsize:<25; content:"8_=_8"; fast_pattern; endswith; reference:md5,ab03070048fdbadbb901ec75b8f9f2e9; classtype:command-and-control; sid:2023242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category MALWARE, malware_family Luminosity_Link, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"17fd49722f8d11f3d76dce84f8e099a7"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028791; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Houdini/Hworm CnC Checkin M1"; flow:established,to_server; content:"new_houdini|0d 0a|"; fast_pattern; offset:4; depth:13; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; endswith; reference:md5,45009c70d362dcd253112c9cf1924f57; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-houdinis-magic-reappearance; classtype:command-and-control; sid:2023429; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family Hworm, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"fb00055a1196aeea8d1bc609885ba953"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028792; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"zugzwang.me"; nocase; endswith; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023599; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"098f55e27d8c4b0a590102cbdb3a5f3a"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028793; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] QRat.Java.RAT (state_alive)"; flow:established,to_server; content:"|00 11 7b 22 73 74 61 74 65 22 3a 22 61 6c 69 76 65 22 7d|"; depth:19; endswith; threshold: type both, track by_src, count 10, seconds 30; reference:md5,3ffbde179d54377d55fcac76ebf314cb; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; reference:url,www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-as-a-Service/; classtype:trojan-activity; sid:2025391; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family QRat, signature_severity Major, tag Qrat, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"e3b2ab1f9a56f2fb4c9248f2f41631fa"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028794; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT CnC Init Activity"; flow:established,to_client; dsize:11; content:"AUT_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"46efd49abcca8ea9baa932da68fdb529"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028795; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (inbound)"; flow:established,to_client; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026582; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"b2b61db7b9490a60d270ccb20b462826"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028796; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Keep-Alive (outbound)"; flow:established,to_server; dsize:11; content:"PNG_packet_"; depth:11; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026583; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"92579701f145605e9edc0b01a901c6d5"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028797; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screen Size"; flow:established,to_client; dsize:13; content:"SC.OP_packet_"; depth:13; endswith; nocase; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026586; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"7691297bcb20a41233fd0a0baa0a3628"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028798; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Mirai Variant Checkin Response"; flow:established,to_client; content:"|21 2a 20|LOLNOBYE"; endswith; reference:url,www.stratosphereips.org/blog/2019/5/17/iot-malware-analysis-series-a-mirai-variant-in-ctu-iot-malware-capture-49-1; classtype:command-and-control; sid:2027366; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"1543a7c46633acf71e8401baccbd0568"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028799; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1 CnC Checkin"; flow:established,to_server; dsize:7; content:"ilove26"; depth:7; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027834; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Dridex"; ja3_hash; content:"d6f04b5a910115f4b50ecec09d40a1df"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028800; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 CnC Checkin"; flow:established,to_server; dsize:12; content:"aWxvdmUyNg=="; depth:12; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027835; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"93d056782d649deb51cda44ecb714bb0"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028801; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Emptiness v2 XOR (b2bb01039307baa2) CnC Checkin"; flow:established,to_server; dsize:24; content:"d3ec7975f76aefdbfcdc3c3e"; depth:24; fast_pattern; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027836; rev:2; metadata:affected_product Linux, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, malware_family Emptiness, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"5e573c9c9f8ba720ef9b18e9fce2e2f7"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028802; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain photogalaxyzone.com"; dns_query; content:"photogalaxyzone.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016606; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"590a232d04d56409fab72e752a8a2634"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028803; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insightpublicaffairs.org"; dns_query; content:"insightpublicaffairs.org"; depth:24; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016620; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"849b04bdbd1d2b983f6e8a457e0632a8"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028804; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain seyuieyahooapis.com"; dns_query; content:"seyuieyahooapis.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016624; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"9c2589e1c0e9f533a022c6205f9719e1"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028805; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain dailynewsjustin.com"; dns_query; content:"dailynewsjustin.com"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016627; rev:4; metadata:created_at 2013_03_20, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"96eba628dcb2b47607192ba74a3b55ba"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028806; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain hi-tecsolutions.org"; dns_query; content:"hi-tecsolutions.org"; depth:19; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2016628; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"7c410ce832e848a3321432c9a82e972b"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028807; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"njdyqrbioh.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018270; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Adware"; ja3_hash; content:"f6fd83a21f9f3c5f9ff7b5c63bbc179d"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028808; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"vqvsaergek.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018265; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Ransomware"; ja3_hash; content:"2d8794cb7b52b777bee2695e79c15760"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028809; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category JA3, signature_severity Major, tag Ransomware, updated_at 2019_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"pbcgmmympm.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018266; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"fd80fa9c6120cdeea8520510f3c644ac"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028810; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"tyixfhsfax.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018268; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gozi"; ja3_hash; content:"57f3642b4e37e28f5cbe3020c9331b4c"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028811; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qgjhmerjec.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018269; rev:9; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"906004246f3ba5e755b043c057254a29"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028812; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"btloxcyrok.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018271; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Trickbot"; ja3_hash; content:"c50f6a8b9173676b47ba6085bd0c6cee"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028813; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"afwyhvinmw.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018272; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Gozi"; ja3_hash; content:"c201b92f8b483fa388be174d6689f534"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028814; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"wyfxanxjeu.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018273; rev:11; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"b90bdbe961a648f0427db21aaa6ccb59"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028815; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns_query; content:"qemyxsdigi.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018274; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - [Abuse.ch] Possible Tofsee"; ja3_hash; content:"9f62c4f26b90d3d757bea609e82f2eaf"; reference:url,sslbl.abuse.ch/ja3-fingerprints/; classtype:unknown; sid:2028816; rev:2; metadata:created_at 2019_10_14, former_category JA3, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (regicsgf.net)"; dns_query; content:"regicsgf.net"; depth:12; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014572; rev:7; metadata:created_at 2012_04_16, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in (socket created)"; flow:established,to_server; dsize:5; content:"|01 00 00 00 98|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,b0e58a8f45a3e45fd7ee2b4cc20474b3; classtype:command-and-control; sid:2028918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_29, deployment Perimeter, former_category MALWARE, malware_family Netwire_RAT, performance_impact Moderate, signature_severity Major, updated_at 2019_10_29;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.gowin7.com"; dns_query; content:".gowin7.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED Unk/LNKR CnC Domain Observed in DNS Query"; dns_query; content:"cdn-javascript.net"; nocase; isdataat:!1,relative; classtype:domain-c2; sid:2028923; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_11_05;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.secuurity.net"; dns_query; content:".secuurity.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:6; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; http.request_body; content:"|7b 22|jsonrpc|22 3a 22|"; startswith; content:"/getEnterpriseUser|22|"; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/R"; http.method; content:"POST"; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:1; metadata:created_at 2019_10_31, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2019_10_31;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.dataspotlight.net"; dns_query; content:".dataspotlight.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:7; metadata:created_at 2012_08_10, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Capesand EK Landing"; flow:established,to_client; file_data; content:"NzgzNDI"; fast_pattern; content:"NzgzNDI"; distance:0; content:"NzgzNDI"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; content:"=|22|,|20 0a 22|"; distance:0; pcre:"/^[a-zA-Z0-9]{4}NzgzNDI[a-zA-Z0-9]{8}=\x22/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-capesand-reuses-old-and-new-public-exploits-and-tools-blockchain-ruse/; classtype:exploit-kit; sid:2028937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.datajunction.org"; dns_query; content:".datajunction.org"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:6; metadata:created_at 2012_08_13, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT PluginDetect Observed - Possible EK Activity"; flow:established,to_client; file_data; content:"/* PluginDetect v"; fast_pattern; within:20; content:"PluginDetect={version|3a 22|"; distance:0; content:"getMimeEnabledPlugin:function("; distance:0; classtype:exploit-kit; sid:2028938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup hotfix-update.com"; dns_query; content:"hotfix-update.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019570; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible MSFVenom Exploit via Browser"; flow:established,to_client; file_data; content:"<script"; within:12; content:"ARR_SIZE ="; distance:0; content:"function search_corrupted_array()"; distance:0; content:"//msfvenom -p"; distance:0; fast_pattern; content:"windows/exec cmd="; within:20; classtype:exploit-kit; sid:2028940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2019_11_05;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas haarmannsi.cz"; dns_query; content:"haarmannsi.cz"; depth:13; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019910; rev:4; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Random String)"; flow:established,to_server; http.user_agent; content:"Random String"; bsize:13; reference:md5,a1e56bd465d1c1b5fc19384a3a7ec461; classtype:trojan-activity; sid:2028947; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas sanygroup.co.uk"; dns_query; content:"sanygroup.co.uk"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019911; rev:5; metadata:created_at 2014_12_11, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"www.123456abcgsdwere56463455345435435657222222.com"; bsize:50; nocase; classtype:domain-c2; sid:2028948; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (casinoroyal7.ru)"; dns_query; content:"casinoroyal7.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020045; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"www.abcgsdwere454354435435435354289811111111111.com"; bsize:51; nocase; classtype:domain-c2; sid:2028949; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (cryptdomain.dp.ua)"; dns_query; content:"cryptdomain.dp.ua"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020046; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"vpcpnet.mooo.com"; bsize:16; nocase; classtype:domain-c2; sid:2028950; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru)"; dns_query; content:"it-newsblog.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020049; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"update-rnicrosoft.mooo.com"; bsize:26; nocase; classtype:domain-c2; sid:2028951; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (js-static.ru)"; dns_query; content:"js-static.ru"; depth:12; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020050; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"serve1.mooo.com"; bsize:15; nocase; classtype:domain-c2; sid:2028952; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com)"; dns_query; content:"lagosadventures.com"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020051; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"video.avantvideo.ca"; bsize:19; nocase; classtype:domain-c2; sid:2028953; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru)"; dns_query; content:"lebanonwarrior.ru"; depth:17; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020052; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"vpnet.mooo.com"; bsize:14; nocase; classtype:domain-c2; sid:2028954; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net)"; dns_query; content:"nigerianbrothers.net"; depth:20; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020053; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID WebSocket Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data3.php?"; startswith; fast_pattern; pcre:"/^[0-9A-F]{16}$/R"; http.header; content:"|0d 0a|Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http.header_names; content:"|0d 0a|Host|0d 0a|Upgrade|0d 0a|Connection|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a 0d 0a|"; reference:md5,977a264f70acf703333f298019c3abd4; classtype:command-and-control; sid:2028955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net)"; dns_query; content:"princeofnigeria.net"; depth:19; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020055; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-#alert udp $HOME_NET any -> $HOME_NET 7 (msg:"ET DELETED Ryuk Wake-on-LAN Packet Observed"; dsize:<200; content:"|ff ff ff ff ff ff|"; startswith; fast_pattern; pcre:"/^(?P<mac_addr>[\x00-\xff]{6})(?P=mac_addr){2,}$/R"; reference:url,www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/; classtype:command-and-control; sid:2028943; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_05, deployment Internal, former_category MALWARE, malware_family Ransomware, malware_family Ryuk, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (royalgourp.org)"; dns_query; content:"royalgourp.org"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020056; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AHK Downloader Request Structure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/traff.php"; endswith; fast_pattern; http.user_agent; content:"AutoHotkey"; bsize:10; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2028956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Minor, tag Downloader, updated_at 2019_11_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeter-stat.ru)"; dns_query; content:"tweeter-stat.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020060; rev:4; metadata:created_at 2014_12_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x86)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"confirm.gif?f=1"; endswith; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy1-1-1.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy1-1-1.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020228; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"confirm.gif?f=2"; endswith; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy2-2-2.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy2-2-2.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020229; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Hardcoded String Observed"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy3-3-3.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy3-3-3.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020230; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Proxy Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/proxy"; fast_pattern; endswith; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; content:!"Cache-Control"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:4; metadata:created_at 2015_05_21, updated_at 2019_11_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy4-4-4.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy4-4-4.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020231; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Initial Connection and Report"; flow:established,to_server; flowbits:isnotset,BE.Bandook1.35; dsize:<200; content:"|cf 8f 80 9b 9a 9d cf|"; depth:7; content:"|20 26 26 26|"; distance:50; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:command-and-control; sid:2003555; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2019_11_13;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious proxy5-5-5.i2p Domain - Possible CryptoWall Activity"; dns_query; content:"proxy5-5-5.i2p"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020232; rev:4; metadata:created_at 2015_01_21, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AnteFrigus Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"|20|Gb</br>"; endswith; http.header; content:"|20|Gb</br>|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache"; content:!"Referer"; reference:md5,b34f1592bce63de77b87d1e61bce66e5; classtype:command-and-control; sid:2028966; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_11_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (blackblog.chatnook.com)"; dns_query; content:"blackblog.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020246; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Landing"; flow:established,to_client; file_data; content:"<!DOCTYPE html>|0d 0a|<html>|0d 0a|<head>|0d 0a|<meta charset =|20 22|UTF-8|22|>|0d 0a|<script>|0d 0a|if (window.ActiveXObject|20 7c 7c 20 22|ActiveXObject|22 20|in window){"; within:200; fast_pattern; content:"</html>|0d 0a|<body>|0d 0a|</body>"; distance:0; isdataat:!1,relative; classtype:exploit-kit; sid:2028974; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (bulldog.toh.info)"; dns_query; content:"bulldog.toh.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020247; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Landing - Various Exploits"; flow:established,to_client; file_data; content:"<!DOCTYPE html>|0d 0a|<html>|0d 0a|<head>|0d 0a|<meta charset =|20 22|UTF-8|22|>|0d 0a|<title></title>|0d 0a|<embed src=|22|"; content:".swf|22|></embed>|0d 0a|"; content:"if (window.ActiveXObject|20 7c 7c 20 22|ActiveXObject|22 20|in window){|0d 0a|document.write(unescape("; fast_pattern; classtype:exploit-kit; sid:2028975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2019_11_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (cew58e.xxxy.info)"; dns_query; content:"cew58e.xxxy.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020248; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; urilen:>175; http.uri; content:".php?info=MzE4TZT-"; fast_pattern; http.accept_lang; content:"ko-KR,ko|3b|"; startswith; http.header; content:"upgrade-insecure-requests|3a 20|1|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,12e9b4bbe894ab0bf357182a11d4c535; classtype:command-and-control; sid:2031916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2019_11_14;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (dynamic.ddns.mobi)"; dns_query; content:"dynamic.ddns.mobi"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020251; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M1"; flow:established,to_server; content:"GET"; http_method; content:".swf"; http_uri; isdataat:!1,relative; content:"contype"; http_user_agent; fast_pattern; depth:7; isdataat:!1,relative; content:"__cfduid="; http_cookie; depth:9; content:!".maxmind.com"; http_host; http_accept; content:"*/*"; depth:3; isdataat:!1,relative; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cookie|0d 0a 0d 0a|"; depth:38; isdataat:!1,relative; classtype:exploit-kit; sid:2028972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2019_11_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (football.mrbasic.com)"; dns_query; content:"football.mrbasic.com"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020253; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spelevo Download Payload Landing"; flow:established,to_client; file_data; content:"<title>Please, wait...</title>"; nocase; content:"dgduehue()|3b|"; nocase; distance:0; fast_pattern; content:"catch ("; nocase; distance:0; classtype:trojan-activity; sid:2028866; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Major, updated_at 2019_11_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (gjjb.flnet.org)"; dns_query; content:"gjjb.flnet.org"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020254; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (system_file/2.0)"; flow:established,to_server; content:"system_file/2.0"; http.user_agent; bsize:15; classtype:bad-unknown; sid:2028983; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_11_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (imirnov.ddns.info)"; dns_query; content:"imirnov.ddns.info"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020255; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-11-15)"; flow:established,to_client; tls.cert_subject; content:"CN=sd1-bin.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028985; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (jingnan88.chatnook.com)"; dns_query; content:"jingnan88.chatnook.com"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020256; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=reawk.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (lehnjb.epac.to)"; dns_query; content:"lehnjb.epac.to"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020257; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobInt CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"adminassistance.info"; bsize:20; classtype:domain-c2; sid:2028987; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.25u.com)"; dns_query; content:"logoff.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020258; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobInt CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"bestguesspass.info"; bsize:18; classtype:domain-c2; sid:2028988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ls910329.my03.com)"; dns_query; content:"ls910329.my03.com"; depth:17; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020260; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperSocialat Plugin Backdoor Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content"; startswith; content:"/plugins/super-socialat/super_socialat.php?dl="; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:command-and-control; sid:2028992; rev:1; metadata:affected_product Wordpress_Plugins, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_18;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mailru.25u.com)"; dns_query; content:"mailru.25u.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020261; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC) 2019-11-18"; flow:established,to_client; tls.cert_subject; content:"CN=solvents.ru"; bsize:14; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,e54cbf645b0840c0dd1f212f42cd47fd; classtype:domain-c2; sid:2029001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (Markshell.etowns.net)"; dns_query; content:"Markshell.etowns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020262; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent Tesla SMTP Clipboard Exfil"; flow:established,to_server; content:"|0d 0a|Time|3a 20|"; content:"<br>User Name|3a 20|"; distance:0; content:"<br>Computer Name|3a 20|"; distance:0; content:"<br>OSFullName|3a|"; distance:0; fast_pattern; content:"<br>CPU|3a 20|"; distance:0; content:"[clipboard]"; distance:0; reference:md5,1632ccd7936d495534257505c8811ece; classtype:trojan-activity; sid:2029002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2019_11_18;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (mydear.ddns.info)"; dns_query; content:"mydear.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020263; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=crabbedly.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029005; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (nazgul.zyns.com)"; dns_query; content:"nazgul.zyns.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020264; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=craypot.live"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029006; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newdyndns.scieron.com)"; dns_query; content:"newdyndns.scieron.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020265; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=indagator.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029007; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (newoutlook.darktech.org)"; dns_query; content:"newoutlook.darktech.org"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020266; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell - RDP Credential Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/report.json?type=rdp&ip="; startswith; fast_pattern; content:"&pass="; distance:0; content:"&t="; distance:0; reference:url,news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/; classtype:command-and-control; sid:2029014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (photocard.4irc.com)"; dns_query; content:"photocard.4irc.com"; depth:18; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020267; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Outbound)"; flow:established,to_server; content:"GET "; depth:4; content:"wget http"; within:200; content:"|20 3b 20|chmod "; within:200; fast_pattern; content:"|20 3b 20|./"; within:100; classtype:bad-unknown; sid:2029010; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2019_11_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (pricetag.deaftone.com)"; dns_query; content:"pricetag.deaftone.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020268; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Inbound)"; flow:established,to_server; content:"GET "; depth:4; content:"wget http"; within:200; content:"|20 3b 20|chmod "; within:200; fast_pattern; content:"|20 3b 20|./"; within:100; classtype:bad-unknown; sid:2029012; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, signature_severity Minor, updated_at 2019_11_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (rubberduck.gotgeeks.com)"; dns_query; content:"rubberduck.gotgeeks.com"; depth:23; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020269; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload - CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?ac="; fast_pattern; content:"&n="; distance:1; within:3; content:"|3a|"; distance:0; content:"|3a|"; distance:0; content:"-bit|29|"; distance:0; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-us"; bsize:5; classtype:command-and-control; sid:2029039; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (shutdown.25u.com)"; dns_query; content:"shutdown.25u.com"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020270; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/community/uploadxx/"; startswith; fast_pattern; pcre:"/^[A-F0-9]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\//R"; content:".jpg"; endswith; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029041; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sorry.ns2.name)"; dns_query; content:"sorry.ns2.name"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020271; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 1"; dsize:69; content:"|00 00 00 00 02 8E A5 64 E2 A5 F7 73 6D 2E F2 86 D3 7B B7 86 E4 7F 0D A7 A0 77 B1 AD 24 49 5B DE D6 DB B7 E1 79|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029042; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (sskill.b0ne.com)"; dns_query; content:"sskill.b0ne.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020272; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 2"; dsize:69; content:"|00 00 00 00 02 93 DA 64 B3 1F 49 1B A4 B5 2D 28 92 49 52 7C 3D 41 D2 4F B2 8B FF 2C ED A2 E7 90 18 4F 9E C0 7B|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029043; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-First.flnet.org)"; dns_query; content:"text-First.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020273; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 3"; dsize:69; content:"|00 00 00 00 02 E8 78 31 C6 55 9A 13 FC AB DB 75 9B A5 B1 D6 05 F2 3A 72 FF 04 B5 9F 7F 5A 8B 12 56 F2 CA 01 5E|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029044; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (uudog.4pu.com)"; dns_query; content:"uudog.4pu.com"; depth:13; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020274; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 4"; dsize:69; content:"|00 00 00 00 02 E7 30 7D 3C BC 93 4A EC ED D8 FD 9F B9 FE 93 B7 F3 53 B3 11 5D F7 C8 CA 0C F8 77 D1 34 CA 37 20|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029045; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (will-smith.dtdns.net)"; dns_query; content:"will-smith.dtdns.net"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020275; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 5"; dsize:69; content:"|00 00 00 00 02 B3 E5 B3 D6 E6 DE 7C 7D 79 40 A5 4F D9 B0 AC 7B 2D C6 CE 69 EF F3 C4 58 F2 98 A8 92 DF 92 9E 0E|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029046; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (ndcinformation.acmetoy.com)"; dns_query; content:"ndcinformation.acmetoy.com"; depth:26; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020276; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/sa.aspx?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"refe="; nocase; http_uri; content:"location="; nocase; http_uri; content:"language="; nocase; http_uri; content:"ua="; nocase; http_uri; reference:md5,0398af3218eb6f21195d701a0b001445; classtype:trojan-activity; sid:2012589; rev:5; metadata:created_at 2011_03_28, updated_at 2019_11_21;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (service.authorizeddns.net)"; dns_query; content:"service.authorizeddns.net"; depth:25; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020277; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cyborg Ransomware - Downloading Desktop Background"; flow:established,to_client; http.stat_code; content:"200"; http.server; bsize:8; content:"HotCores"; http.content_type; bsize:10; content:"image/jpeg"; http.header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|22|Cyborg_DECRYPT.jpg|22 0d 0a|"; fast_pattern; reference:md5,2505b0efde03f5d3c66984e6f7c5bcc1; classtype:trojan-activity; sid:2029052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_11_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (text-first.trickip.org)"; dns_query; content:"text-first.trickip.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020278; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.beahh.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029056; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious boltotor.com Domain - Possible CryptoWall Activity"; dns_query; content:"boltotor.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020285; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.ackng.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029057; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious bonytor2.com Domain -Possible CryptoWall Activity"; dns_query; content:"bonytor2.com"; depth:12; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020286; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.ackng.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious speecostor.com Domain -Possible CryptoWall Activity"; dns_query; content:"speecostor.com"; depth:14; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020287; rev:4; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?q22="; startswith; content:"&q12=&q21="; distance:7; within:10; content:"&q9=&q16=0&q1="; distance:32; within:14; fast_pattern; reference:md5,3c2d90f21b60c5e2132f89120aa0a5e0; classtype:pup-activity; sid:2029075; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_11_27;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (expert.4irc.com)"; dns_query; content:"expert.4irc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020252; rev:5; metadata:created_at 2015_01_23, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?m22="; startswith; content:"&m12=&m21="; distance:7; within:10; content:"&m9=&m16=0&m1="; distance:32; within:14; fast_pattern; reference:md5,6b540ba2fc2e606e9e2c8b72818caa28; classtype:pup-activity; sid:2029076; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_11_27;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (msupdate.ath.cx)"; dns_query; content:"msupdate.ath.cx"; depth:15; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021712; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls_cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls_cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029003; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_19, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2019_12_02;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (karpeskmon.dyndns.org)"; dns_query; content:"karpeskmon.dyndns.org"; depth:21; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021714; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VNCStartServer USR Variant CnC Beacon"; flow:established,to_server; dsize:<100; content:"|00 00 00 19 00 00 00|"; offset:1; depth:7; content:"|01 00 00|"; distance:1; within:3; content:"USR-"; distance:1; within:4; fast_pattern; content:"|00|"; endswith; reference:md5,d66956e0ee70a60e19a4f310339d28a9; classtype:command-and-control; sid:2035523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_12_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Careto Mask DNS Lookup (isaserver.minrex.gov.cu)"; dns_query; content:"isaserver.minrex.gov.cu"; depth:23; nocase; endswith; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3159; classtype:trojan-activity; sid:2021715; rev:4; metadata:created_at 2015_08_25, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=sarymar.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029083; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (operaa.net)"; dns_query; content:"operaa.net"; depth:10; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021936; rev:4; metadata:created_at 2015_10_08, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=benreat.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029084; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc)"; dns_query; content:"appeur.gnway.cc"; depth:15; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021961; rev:4; metadata:created_at 2015_10_16, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=planlamaison.com"; bsize:19; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029085; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (mail.cbppnews.com)"; dns_query; content:"mail.cbppnews.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022272; rev:4; metadata:created_at 2015_12_17, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=teamchuan.com"; bsize:16; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029086; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (kugo.f3322.net)"; dns_query; content:"kugo.f3322.net"; depth:14; nocase; endswith; fast_pattern; reference:md5,8dd612b14a2a448e8b1b6f3d09909e45; classtype:trojan-activity; sid:2022346; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=tedxns.com"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029087; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bulta DNS Lookup (yk.ftwxw.com)"; dns_query; content:"yk.ftwxw.com"; depth:12; nocase; endswith; fast_pattern; reference:md5,5b9a9e363f46f09e7f40c5cde2c90361; classtype:trojan-activity; sid:2022347; rev:5; metadata:created_at 2016_01_09, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=athery.bit"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029088; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 2"; dns_query; content:"aaa123.spdns.de"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022412; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=babloom.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029089; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 3"; dns_query; content:"accounts.yourturbe.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022413; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=floppys.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029090; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 4"; dns_query; content:"account.websurprisemail.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022414; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.request_body; content:"Webcookie="; startswith; pcre:"/^[a-z0-9/%=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:md5,c2262e46153ac59a72bcb96a35c262da; classtype:command-and-control; sid:2029097; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, signature_severity Major, updated_at 2019_12_05;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 5"; dns_query; content:"addi.apple.cloudns.org"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022415; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PrivaZer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hcheck_updates.php?country="; startswith; fast_pattern; content:"&discret="; distance:0; reference:md5,eef867108e44942e9655ac71d0360d53; classtype:pup-activity; sid:2029098; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_06;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 7"; dns_query; content:"apple.lenovositegroup.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022417; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.COG Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mUser.php"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"HWID="; startswith; content:"&USER="; distance:8; within:6; content:"&VER="; distance:0; content:"&TYPE="; distance:0; isdataat:!2,relative; reference:md5,f60c87a80ff2d2fe7e83667a4106e63f; classtype:pup-activity; sid:2029099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_06;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 8"; dns_query; content:"bailee.alanna.cloudns.biz"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022418; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Email Account Phish 2019-12-10"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?yasse="; fast_pattern; content:"&upw="; distance:0; content:"&hidCflag="; distance:0; http.header_names; content:!"Referer"; reference:url,isc.sans.edu/forums/diary/Phishing+with+a+selfcontained+credentialsstealing+webpage/25580/; classtype:credential-theft; sid:2029105; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 9"; dns_query; content:"bee.aoto.cloudns.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022419; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Started"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|started|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029103; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2019_12_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 10"; dns_query; content:"bits.githubs.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022420; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JsOutProx CnC Activity - Outbound"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"5f7c5f"; depth:35; content:"5f7c5f"; distance:72; within:6; content:"5f7c5f4d6963726f736f66742057696e646f7773"; distance:0; fast_pattern; http.content_type; content:"x-www-form-urlencoded"; nocase; threshold:type limit, track by_dst, count 1, seconds 30; classtype:command-and-control; sid:2034289; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family jsoutprox, signature_severity Major, tag RAT, updated_at 2019_12_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 11"; dns_query; content:"book.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022421; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JsOutProx CnC Activity - Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; bsize:<30; content:"5f7c5f"; endswith; fast_pattern; http.content_type; content:"image/jpeg"; bsize:10; threshold:type limit, track by_src, count 1, seconds 30; classtype:command-and-control; sid:2034290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family jsoutprox, signature_severity Major, tag RAT, updated_at 2019_12_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 12"; dns_query; content:"clean.popqueen.cloudns.org"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022422; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Bundalore Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ioffers.tar.gz?ts="; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c; classtype:pup-activity; sid:2029106; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Bundalore, signature_severity Minor, updated_at 2019_12_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 13"; dns_query; content:"desk.websurprisemail.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022423; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to OSX/Bundalore Domain"; dns.query; content:"appsdown.urbanvillager.xyz"; nocase; endswith; classtype:pup-activity; sid:2029107; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Bundalore, signature_severity Minor, updated_at 2019_12_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 14"; dns_query; content:"detail43.myfirewall.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022424; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.3 Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3f 36 90|"; depth:6; content:"|3f 7a cd 3d 69 c0 3d|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 18"; dns_query; content:"economy.spdns.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022428; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.3 Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3f 36 90|"; depth:6; content:"|69 81 60 6b 92 6d 6b|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 19"; dns_query; content:"eemete.freetcp.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022429; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.3 Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3f 36 90|"; depth:6; content:"|92 2c 36 90 3f 3b 90|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029138; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 21"; dns_query; content:"firewallupdate.firewall-gateway.net"; depth:35; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022431; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.2 Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|31 69 f6|"; depth:6; content:"|31 25 ab 33 36 a6 33|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029139; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 22"; dns_query; content:"fish.seafood.cloudns.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022432; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.2 Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|31 69 f6|"; depth:6; content:"|36 e7 6e 34 f4 63 34|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029140; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 23"; dns_query; content:"ftp112.lenta.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022433; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.2 Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|31 69 f6|"; depth:6; content:"|f4 22 69 f6 31 64 f6|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029141; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 28"; dns_query; content:"mail.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022438; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Exfil (2019-12-12)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/info1.php?id=ZG9jdW1lbnRfbmFtZTp"; fast_pattern; http.header_names; content:!"Referer"; reference:url,twitter.com/D3LabIT/status/1205066800054128641; reference:md5,649c2d11a4a58f0101ed016c73355e32; classtype:command-and-control; sid:2029142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 29"; dns_query; content:"mareva.catherine.cloudns.us"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022439; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M1"; flow:established,to_server; http.uri; content:"/ixset.php?ip="; startswith; fast_pattern; content:"&mcid=1"; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 30"; dns_query; content:"mm.lenovositegroup.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022440; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1$/Rsi"; content:"=1"; endswith; http.request_body; content:"info|7c|"; startswith; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 31"; dns_query; content:"muslim.islamhood.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022441; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=zip$/Rsi"; content:"=1&type=zip"; endswith; fast_pattern; http.content_len; byte_test:0,>,800,0,string,dec; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 32"; dns_query; content:"news.firewall-gateway.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022442; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=filter$/Rsi"; content:"=1&type=filter"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029149; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 35"; dns_query; content:"p.klark.cloudns.in"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022445; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 Hash - Trojan.AndroidOS.Jocker.snt 1"; ja3_hash; content:"2f514a024266e9e8d11f10e779168579"; reference:md5,68841dcaf26d83fc1c2f955e9e363a65; classtype:trojan-activity; sid:2029150; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_12_16, deployment Perimeter, former_category JA3, signature_severity Critical, tag Android, updated_at 2019_12_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 36"; dns_query; content:"ppcc.vasilevich.cloudns.info"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022446; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ShivaGood Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ip="; startswith; content:"&pcname="; distance:0; content:"&username="; distance:0; content:"&privatekey="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,ee732410b7389a047177b2e730742f8d; classtype:command-and-control; sid:2029177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family ShivaGood, signature_severity Major, tag Ransomware, updated_at 2019_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 37"; dns_query; content:"press.ufoneconference.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022447; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap1-acl.net"; nocase; endswith; reference:md5,9d71bc8643b0e309ea1d91903aea6555; classtype:domain-c2; sid:2029182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 38"; dns_query; content:"qq.yourturbe.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022448; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DiamondFox HTTP Post CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"="; offset:3; depth:1; content:"&q="; distance:0; content:"&proc="; distance:0; content:"&soft="; distance:0; content:"&rt="; distance:0; content:"&er="; distance:0; isdataat:!2,relative; http.header_names; content:!"Referer"; reference:url,twitter.com/ViriBack/status/1203337492386082816; reference:md5,17a1f7e98731df9b74b98accb650d50e; classtype:command-and-control; sid:2029144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family DiamondFox, performance_impact Moderate, signature_severity Major, updated_at 2019_12_18;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 39"; dns_query; content:"sys.firewall-gateway.net"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022449; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MailerBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"PHPSESSID="; startswith; isdataat:!35,relative; http.request_body; content:"status=0"; bsize:8; fast_pattern; http.header_names; content:!"Referer"; reference:md5,33ae450f091a57c042e9dd99800ff6c8; classtype:command-and-control; sid:2029183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family MailerBot, signature_severity Major, updated_at 2019_12_18;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 40"; dns_query; content:"vip.yahoo.cloudns.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022450; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; http.uri; content:"/appscan_fingerprint/mac_address"; nocase; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:8; metadata:created_at 2010_07_30, updated_at 2019_12_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 43"; dns_query; content:"www.angleegg.xxxy.info"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022453; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - free .ipwhois .io"; flow:established,to_server; http.method; content:"GET"; http.host; content:"free.ipwhois.io"; fast_pattern; classtype:external-ip-check; sid:2029185; rev:2; metadata:created_at 2019_12_20, former_category POLICY, tag IP_address_lookup_website, updated_at 2019_12_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 48"; dns_query; content:"www.uyghuri.MrFace.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022458; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallDisck SMTP Checkin"; flow:established,to_server; content:"Subject: PCInfo:"; fast_pattern; content:"<li>User Name:<b>"; content:"PC Name:<b>"; distance:0; content:"<li>Proxy:<b>"; distance:0; content:"Gateway:<b>"; distance:0; reference:md5,b79640ae0cf9f3ad58b14c15c50f3de3; classtype:pup-activity; sid:2029186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_20;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 49"; dns_query; content:"youturbe.co.cc"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022459; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=full.newcontest.xyz"; nocase; endswith; classtype:domain-c2; sid:2029184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 50"; dns_query; content:"yycc.mrbonus.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022460; rev:4; metadata:created_at 2016_01_27, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak <v20 Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|BODYdmFyIGNvbmZpZyA9IHsNCiA"; startswith; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029194; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns_query; content:"tally.myfirewall.org"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022610; rev:4; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_bm9uY2U9"; fast_pattern; content:"dmVyc2lvbj"; distance:45; content:".html"; endswith; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns_query; content:"accountgoogle.firewall-gateway.com"; depth:34; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022611; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak - Stage 2 - Response - Task"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|TASK|2d 2d|"; startswith; content:"|2d 2d|TVq"; distance:0; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns_query; content:"filegoogle.firewall-gateway.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/03/shifting-tactics/; classtype:trojan-activity; sid:2022612; rev:5; metadata:created_at 2016_03_11, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak - Stage 2 - Response - Plugin"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|PLUGIN|2d 2d|"; startswith; content:"|2d 2d|PD94bWwg"; distance:0; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown PowerShell Loader DNS Lookup (spl.noip.me)"; dns_query; content:"spl.noip.me"; depth:11; nocase; endswith; fast_pattern; reference:url,fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html; classtype:trojan-activity; sid:2022747; rev:4; metadata:created_at 2016_04_19, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak - Plugin Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:>60; content:"bm9uY2UyP"; fast_pattern; content:"cGx1Z2luP"; distance:55; content:".html"; endswith; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029197; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoisonIvy SPIVY DNS Lookup (leeh0m.org)"; dns_query; content:"leeh0m.org"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/; classtype:trojan-activity; sid:2022753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, malware_family PoisonIvy, signature_severity Critical, tag PoisonIvy, updated_at 2019_09_28;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25667,47000] (msg:"ET MALWARE XServer Backdoor Communication Setup Request"; flow:established,to_server; flowbits:set,ET.XServer.cnc; flowbits:noalert; dsize:10; content:"|05 01 00 01|"; depth:4; fast_pattern; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hidden-Tear Ransomware Variant (.bloccato) DNS Request to CnC Domain"; dns_query; content:"ur232dkkwpdkwp.xyz"; depth:18; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/; reference:md5,e586f208a724ba84369b72bc43d92057; classtype:command-and-control; sid:2022831; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET [25667,47000] (msg:"ET MALWARE XServer Backdoor Communication Setup Initiate"; flow:established,to_server; flowbits:isset,ET.XServer.cnc; dsize:2; content:"|18 00|"; depth:2; fast_pattern; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (adjust-local-settings .com)"; dns_query; content:"adjust-local-settings.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023095; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Possible XServer Backdoor Certificate Observed"; flow:established,to_server; content:"|16|"; depth:1; content:"|55 04 06|"; distance:0; content:"|02|US|31|"; distance:1; within:4; content:"|55 04 08|"; distance:0; content:"|02|BA|31|"; distance:1; within:4; content:"|55 04 0a|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; content:"|55 04 0b|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; fast_pattern; content:"|55 04 03|"; distance:0; content:"|04|Root|30|"; distance:1; within:6; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bbc-africa .com)"; dns_query; content:"bbc-africa.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023102; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hidrofilms.com"; bsize:17; fast_pattern; reference:url,twitter.com/prsecurity_/status/1209710600994996224; classtype:domain-c2; sid:2029200; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_26, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (checkinonlinehere .com)"; dns_query; content:"checkinonlinehere.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:command-and-control; sid:2023104; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category MALWARE, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?command="; content:"&vicID="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (googleplay-store .com)"; dns_query; content:"googleplay-store.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023109; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vicID="; fast_pattern; content:"name="; content:"&os="; content:"&antivirus="; content:"&status="; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkeynewsupdates .com)"; dns_query; content:"turkeynewsupdates.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023124; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Upatre CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=vcomdesign.com"; bsize:17; fast_pattern; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (unonoticias .net)"; dns_query; content:"unonoticias.net"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023128; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Upatre CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"poweruphosting.com"; bsize:18; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_27, deployment Perimeter, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_27;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (s3clm4lufbmfhmeb)"; dns_query; content:".s3clm4lufbmfhmeb"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2023154; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.Q Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/v2/events"; fast_pattern; http.request_body; pcre:"/^[A-F0-9]+$/"; http.header_names; bsize:50; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,0ec90cb6e0e3f8cd86d5d1d08f184e5f; classtype:pup-activity; sid:2029210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2019_12_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (winmeif .myq-see.com)"; dns_query; content:"winmeif.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.G Variant Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/1/dg/3/error"; http.request_body; content:"{|22|ApplicationName|22 3a 22|"; startswith; reference:md5,c48e6befa893cb771f0d7b6215240856; classtype:pup-activity; sid:2029211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag PUP, updated_at 2019_12_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (samsung .ddns.me)"; dns_query; content:"samsung.ddns.me"; depth:15; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023259; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Netgear DGN1000/DGN2200 Unauthenticated Command Execution Inbound"; flow:established,to_server; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; http_uri; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029214; rev:1; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_01_03;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (gtldsfs .com )"; dns_query; content:"gtldsfs.com "; depth:12; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023297; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ViSystem CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; fast_pattern; content:"&pwd="; content:"&cc="; content:"&fz="; content:"&df="; content:"&wlt="; http.header_names; content:!"Referer"; reference:md5,9b0aa282698db89034d254076dd03e26; classtype:command-and-control; sid:2029212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, former_category MALWARE, malware_family ViSystem, signature_severity Major, updated_at 2019_12_31;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (cdnfastnetwork .com)"; dns_query; content:"cdnfastnetwork.com"; depth:18; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, malware_family Gozi, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lampion CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"plug=NAO&SYS=Windows"; startswith; fast_pattern; content:"&AVS="; distance:0; content:"&USERPC="; distance:0; content:"&NAV="; distance:0; content:"&ORI="; distance:0; reference:url,seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax; classtype:command-and-control; sid:2029221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_01_02;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH SSL Blacklist DNS Lookup (Gozi MITM) (sdpvss .com)"; dns_query; content:"sdpvss.com"; depth:10; nocase; endswith; fast_pattern; reference:url,sslbl.abuse.ch; classtype:trojan-activity; sid:2023310; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Operation Blue Estimate CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"_log.txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|0010::20"; fast_pattern; distance:12; within:62; reference:url,blog.alyac.co.kr/2645; classtype:command-and-control; sid:2029222; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_01_02;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns_query; content:"aterdunst.com"; depth:13; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023330; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2019_09_28;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Checkin"; flow:established,to_server; content:"|7b 22 54 79 70 65 22 3a 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 2c 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 3a 22 43 6c 69 65 6e 74 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:80; content:"|22 2c 22 42 6f 74 4e 61 6d 65 22 3a 22|"; distance:0; content:"|22 2c 22 42 6f 74 4f 53 22 3a 22|"; distance:0; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_02;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown AutoIt Bot DNS Lookup (webmail .duia.in)"; dns_query; content:"webmail.duia.in"; depth:15; nocase; endswith; fast_pattern; reference:url,cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishing-target-indian-government-organizations/; classtype:trojan-activity; sid:2023573; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, malware_family Ceatrg, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlo-analytics.com"; classtype:domain-c2; sid:2029225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"vmdefmnsndoj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlc-analytics.net"; classtype:domain-c2; sid:2029228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"lvfjcwwobycj.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023602; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeoticus Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"supersecretstring?babyDontHeartMe="; depth:40; fast_pattern; http.user_agent; bsize:3; content:"DxD"; reference:url,twitter.com/siri_urz/status/1212724059277914112; classtype:command-and-control; sid:2029231; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"qjqubpciajoc.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023606; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (DxD)"; flow:established,to_server; http.user_agent; bsize:3; content:"DxD"; fast_pattern; classtype:bad-unknown; sid:2029232; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_01_06;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"exvdaajegjur.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023607; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AstroBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.request_body; content:"p="; startswith; content:"&id="; distance:0; isdataat:!20,relative; http.header_names; content:!"Referer"; reference:md5,3b6df3e900f8d0b757441fe682b91a3c; classtype:command-and-control; sid:2029233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, malware_family AstroBot, signature_severity Major, updated_at 2020_01_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.online"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023608; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"m="; startswith; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&u=/Rsi"; content:"&v="; distance:0; content:"&p="; content:"&os="; content:"&os=Windows|20|"; fast_pattern; content:"&bit="; content:"&proc="; content:"&video="; content:"&av="; http.header_names; content:!"Referer"; reference:md5,4cb520ee89598a96a6df92caa8077faf; classtype:command-and-control; sid:2029235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family rarog, signature_severity Major, updated_at 2020_01_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023609; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; bsize:49; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; content:"|0d 0a|PK"; distance:0; content:"screenshot.jpg"; distance:0; http.header_names; content:!"Referer"; reference:md5,6c8357280b50bb1808ec77b0292eb22b; classtype:command-and-control; sid:2029236; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Oski, signature_severity Major, updated_at 2020_01_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"tro69.support"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023610; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magician/M461c14n Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup?c="; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; http.protocol; content:"1.0"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,4839223e68ed38639186038f9b07ef67; classtype:command-and-control; sid:2029237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Magician, signature_severity Major, tag Ransomware, updated_at 2020_01_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"nympompksmfx.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023630; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.NZK Variant"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info=ID:__"; content:"__Key1:__"; distance:0; content:"__Key2:__"; distance:0; reference:md5,c7bbff934bd89ad39e98e2746c6e8af2; reference:url,twitter.com/GrujaRS/status/1214680560834162690; classtype:command-and-control; sid:2029240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_01_08;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"xpknpxmywqsrhe.online"; depth:21; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023631; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (whois .pconline .com .cn)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"whois.pconline.com.cn"; fast_pattern; classtype:external-ip-check; sid:2029243; rev:2; metadata:created_at 2020_01_09, former_category POLICY, performance_impact Low, updated_at 2020_01_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns_query; content:"binpt.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023634; rev:4; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe Style Request"; flow:established,to_server; http.uri; content:"|2f 50 30 75 72 57 61 31 74 33 5f 72 21 65 73 2f|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv601 .ddns.net)"; dns_query; content:"srv601.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=explorer!"; fast_pattern; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"=Microsoft+Windows+"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (hostgatero .ddns.net)"; dns_query; content:"hostgatero.ddns.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2019_09_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=portofino.ug"; bsize:15; fast_pattern; reference:url,twitter.com/lazyactivist192/status/1214662422683885569; reference:md5,49a5cf0633b40d89b139ad3df85778c5; classtype:domain-c2; sid:2029245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (tradeboard .mefound .com)"; dns_query; content:"tradeboard.mefound.com"; depth:22; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023884; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"google-download.com"; nocase; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (movis-es .ignorelist .com)"; dns_query; content:"movis-es.ignorelist.com"; depth:23; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023885; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-google-eu.com"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Banker.Win32.Alreay DNS Lookup (exbonus .mrbasic .com)"; dns_query; content:"exbonus.mrbasic.com"; depth:19; nocase; endswith; fast_pattern; reference:url,niebezpiecznik.pl/post/jak-przeprowadzono-atak-na-knf-i-polskie-banki-oraz-kto-jeszcze-byl-na-celowniku-przestepcow/; classtype:trojan-activity; sid:2023886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, malware_family Alreay_Banking, signature_severity Major, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-gmail-us.com"; nocase; bsize:16; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (bst2bgxin81a.org)"; dns_query; content:"bst2bgxin81a.org"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"mozilla-yahoo.com"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns_query; content:"load.gtpnet.ir"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024245; rev:4; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-mozilla-sn45.com"; nocase; bsize:20; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns_query; content:"spora.li"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,906c51a18073112c4479b3fe4ea329ca; classtype:trojan-activity; sid:2024324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_09_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-digicert-i31.com"; nocase; bsize:20; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENGB)"; bsize:82; classtype:trojan-activity; sid:2028598; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"securecloudbase.com"; nocase; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (comboratiogferrdto . com)"; dns_query; content:"comboratiogferrdto.com"; depth:22; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Request"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p=t&p1="; startswith; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029259; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns_query; content:"epochatimes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024478; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3=Qzpc"; startswith; content:"&p=ip&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns_query; content:"strangelol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024852; rev:4; metadata:created_at 2017_10_18, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3="; startswith; content:"&p5=Qzpc"; distance:0; content:"&p=i&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Passwords"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|PSWD|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Answer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3="; startswith; content:"&p5="; distance:0; content:"&p=a&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger Exfil via SMTP - Generic"; flow:established,to_server; content:"-- Client Info --"; fast_pattern; nocase; content:"IP|3a 20|"; content:"HWID|3a 20|"; content:"OS Platform|3a 20|"; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1178824123293868033; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028644; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Satan/5ss5c Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:40; within:6; content:"&size="; distance:0; content:"&status="; distance:0; content:"&keyhash="; fast_pattern; reference:md5,853358339279b590fb1c40c3dc0cdb72; reference:url,twitter.com/jishuzhain/status/1216368394485800961; classtype:command-and-control; sid:2029269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, signature_severity Major, tag Ransomware, updated_at 2020_01_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Logs"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Logs|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)"; flow:established,to_client; tls.cert_subject; content:"CN=*.lakeshoreemployeetestingservices.com"; nocase; endswith; reference:md5,24a4c5f5033d7f399464df05a072012c; classtype:social-engineering; sid:2029256; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Clipboard"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Clipboard|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Known Key 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p1=P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phoenix Keylogger SMTP Exfil - Screenshot"; flow:established,to_server; content:"Subject|3a 20|PX|20 7c 20|Screenshot|20 7c 20|Client Name|3a 20|"; fast_pattern; reference:md5,1e3ea34762c6301233da7cb8c5e9c45f; reference:url,twitter.com/P3pperP0tts/status/1166325490858303491; classtype:trojan-activity; sid:2028647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_02, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2019_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Known Key 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p1=ybEsTxhqPuN4uVkemt6WjxaJN8jBdAGLxKeY9a4CnMTLSSq2"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemours/Proyecto RAT CnC Checkin"; flow:established,to_server; content:"0|7c|New|20|-|20|"; depth:8; fast_pattern; content:"|7c|"; distance:0; content:"|7c|Windows"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; reference:md5,50a9218c891453c00b498029315ac680; classtype:command-and-control; sid:2028648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Nemours, performance_impact Moderate, signature_severity Major, updated_at 2019_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick download ver1 bot"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM=&a=ips"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029272; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, signature_severity Major, updated_at 2020_01_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:23; content:"CN=worldmasterclass.com"; fast_pattern; reference:md5,fe9caf2568d7bbf2bb0e20b8e7dc8971; reference:md5,c5a460fd87ffd50c114fffa684688d01; classtype:domain-c2; sid:2028653; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick download ver2 bot"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?a=irs&x="; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category TROJAN, malware_family PowerTrick, signature_severity Major, updated_at 2020_01_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-07"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=mailfueler.com"; fast_pattern; reference:md5,c189cdadd96c148e64912c55c5129d3e; classtype:domain-c2; sid:2028652; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick download bot known key"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, signature_severity Major, updated_at 2020_01_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-03"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=corpcougar.com"; fast_pattern; reference:md5,73fad17f8054d01488c3ddd67e355bf1; reference:md5,a25591dbf57ac687e2a03f94dcccc35a; classtype:domain-c2; sid:2028654; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Possible PowerSploit/PowerView .ps1 Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"PowerSploit File|3a 20|PowerView.ps1"; within:200; fast_pattern; content:"function New-InMemoryModule"; distance:0; isdataat:5000,relative; classtype:trojan-activity; sid:2029275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-02"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=adityebirla.com"; fast_pattern; reference:md5,61b34d02bb09e5a547251a625ce81f9c; reference:md5,cab127c5b8582c1e3ea8860a239a060b; classtype:domain-c2; sid:2028655; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Double Base64 Encoded Executable Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|"; depth:100; content:"GVYTjBaVzB"; distance:0; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029277; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-01"; flow:established,to_client; tls.cert_subject; bsize:63; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=www.livdecor.pt"; fast_pattern; reference:md5,7baca517af0b93bd3f94910c7b8f10db; reference:md5,efb4951e11baf306f5680a041c214e5b; classtype:domain-c2; sid:2028656; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Possible Base64 Encoded Powershell Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|JE"; depth:100; fast_pattern; isdataat:300,relative; classtype:trojan-activity; sid:2029278; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-09-30"; flow:established,to_client; tls.cert_subject; bsize:12; content:"CN=flozzy.uk"; fast_pattern; reference:md5,6a333c3f54d7fb6efb276cf6e33315c0; reference:md5,ab578cff6c06157aadd5f324a3413973; classtype:domain-c2; sid:2028657; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Base64 Encoded Executable Inbound"; flow:established,to_client; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|TVqQ"; depth:100; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult Cnc Server) 2019-09-27"; flow:established,to_client; tls.cert_subject; bsize:18; content:"CN=evershinebd.net"; fast_pattern; reference:md5,c93a2d16dd0cf8dd3afa5ecba111e7c4; reference:md5,23aff33025681263adcdcb480d0e9a95; classtype:domain-c2; sid:2028658; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Init Activity"; flow:established,to_server; dsize:16; content:"ggin|00 00 00 00 13 3e 00 00 00 00 00 00|"; startswith; endswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029282; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) in SNI 2019-09-27"; flow:established,to_server; tls.sni; bsize:11; content:"techxim.com"; reference:md5,5c4e395fc545b5e0c03f960a4145f4ea; classtype:domain-c2; sid:2028659; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_07, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Activity (Outbound)"; flow:established,to_server; content:"ggin|0b 00 00 00|"; startswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029283; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Sality Executable Pack Digital Signature ASCII Marker"; flow:established,from_server; content:"e#o203kjl,!"; fast_pattern; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf; classtype:trojan-activity; sid:2013381; rev:3; metadata:created_at 2011_08_09, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Activity (Inbound)"; flow:established,from_server; content:"ggin|00 00 00 00 00|"; startswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029284; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fakealert.Rena CnC Checkin 2"; flow:established,to_server; content:"/images/img.php?id="; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; reference:url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php; classtype:command-and-control; sid:2013382; rev:4; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M2"; flow:established,to_server; urilen:11; http.method; content:"GET"; http.uri; content:"/ixpkey.php"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; metadata: former_category MALWARE; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029285; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot update/download via ftp command"; flowbits:isset,is_proto_irc; flow:established,to_client; content:"ftp|3a|//"; fast_pattern; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+ftp\x3a\x2f\x2f/i"; reference:url,doc.emergingthreats.net/2011162; classtype:trojan-activity; sid:2011162; rev:6; metadata:created_at 2010_07_30, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M3"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/ixptexts.php"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET MALWARE W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:command-and-control; sid:2016331; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M4"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/setad.php"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029287; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M5"; flow:established,to_server; urilen:<20; http.method; content:"GET"; http.uri; content:"/ixlive.php?uid="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern; classtype:trojan-activity; sid:2016812; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; pcre:"/^[A-Za-z0-9\/\.=]{250,}$/R"; http.user_agent; content:"Naruto Uzumake"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:command-and-control; sid:2029290; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST"; http_method; content:"/iam-ready"; fast_pattern; nocase; content:"|3c 7c 3e|"; http_header; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017518; rev:3; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Nemty Ransomware Payment Page"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<title>Ransom</title>"; content:">Your files are encrypted?<"; distance:0; content:">Upload NEMTY_"; distance:0; fast_pattern; classtype:trojan-activity; sid:2029291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"|0d 0a|Accept"; http_header; content:"Mozilla/4.0 (SEObot)"; depth:20; http_user_agent; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017718; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware Payment Page ID File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|userfile|22 3b 20|filename=|22|NEMTY_"; fast_pattern; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:trojan-activity; sid:2029292; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=borrdrillling.com"; bsize:20; fast_pattern; reference:md5,0407b500adcaafe09cc3280d6d02794f; classtype:domain-c2; sid:2029295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Adzq41ceq52e353512hSfj"; fast_pattern; http.request_body; content:"key|3a|"; startswith; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|payload|22 3b 20|filename=|22|payload|22 0d 0a 0d 0a|PK"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029294; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=az.borrdrillling.com"; bsize:23; fast_pattern; reference:md5,7ad0081f61002bf67b852dc5d212f2e4; classtype:domain-c2; sid:2029296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; dsize:>11; content:"|7b 9e|"; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2eed956920934a78200899ef05ace0d8; classtype:command-and-control; sid:2017548; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_04_18;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_22;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ftpchk3.php upload attempted"; flow:to_server,established; content:"STOR ftpchk3.php|0d 0a|"; nocase; fast_pattern; reference:url,digitalpbk.blogspot.com/2009/10/ftpchk3-virus-php-pl-hacked-website.html; reference:url,labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf; classtype:attempted-admin; sid:2018416; rev:5; metadata:created_at 2014_04_24, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jqueryextplugin.com"; classtype:domain-c2; sid:2029301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_01_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Urausy.C response"; flow:from_server,established; file_data; content:"|0d 0a|<?xml version="; depth:16; content:"<interval>"; distance:0; content:"</interval>"; distance:0; content:"<timeout>"; distance:0; content:"</timeout>"; distance:0; content:"|d1 81 d1 81 d1 8b d0 bb d0 be d0 ba 20|c&c -->"; fast_pattern; reference:md5,6213597f40ecb3e7cf2ab3ee5c8b1c70; classtype:trojan-activity; sid:2018499; rev:4; metadata:created_at 2014_05_23, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jquerysmartstack.com"; classtype:domain-c2; sid:2029304; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_01_22;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE SSL Cert Observed with Unkown Trojan (statswas)"; flow:established,from_server; content:"|0c|statswas.com"; nocase; fast_pattern; reference:md5,9c087d528beefd22743666af772465fc; classtype:trojan-activity; sid:2018515; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_06_03, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to IP Logging Service (2no .co)"; flow:established,to_server; http.host; content:"2no.co"; bsize:6; classtype:policy-violation; sid:2029299; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_01_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sharik Checkin"; flow:established,to_server; dsize:10; content:"34feGaeRAd"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018614; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Default Credentials (admin:admin)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/admin-scripts.asp"; nocase; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4="; fast_pattern; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:attempted-admin; sid:2029317; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_01_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sharik C2 Incoming Traffic"; flow:established,from_server; dsize:18; content:"|0d 00 07 01 00 81 7c e4 04 c0 d4 01 00 19 c0 c2 04 00|"; fast_pattern; reference:md5,f9f30307ca22d092c02701c108aa6402; classtype:command-and-control; sid:2018615; rev:2; metadata:created_at 2014_06_30, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Default Credentials (root:admin)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/admin-scripts.asp"; endswith; nocase; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDphZG1pbg=="; fast_pattern; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:attempted-admin; sid:2029318; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_01_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Checkin via SMTP"; flow:to_server,established; content:"Subject|3a 20|"; content:"Foi Instalado"; nocase; fast_pattern; pcre:"/^Subject\x3a [^\r\n]+?Foi Instalado/mi"; reference:md5,7f5709c924bb1417a180a4fa8311a2e9; classtype:command-and-control; sid:2018646; rev:2; metadata:created_at 2014_07_07, former_category MALWARE, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik - IRC CnC Checkin"; flow:established,to_server; dsize:<250; content:"NICK|20|"; startswith; content:"|0a|USER|20|muhstik"; distance:0; content:"|20 3a|muhstik-"; distance:0; fast_pattern; pcre:"/^\d+\x0a$/R"; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:command-and-control; sid:2029319; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family Muhstik, performance_impact Low, signature_severity Major, tag IRC, updated_at 2020_01_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|55 04 03|"; content:"|04|kreb"; distance:1; within:5; content:"|0d|kreb|40|kreb.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018902; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:".php?"; content:"=ID:_"; distance:0; content:"___Key|3a|___"; distance:0; fast_pattern; http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan Dropped By Archie.EK"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; pcre:"/^\/[56]\d{4}\x2c.*?\x2c[A-Z]\x3a[\x2f\x5c].+?\.exe/Ui"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; reference:md5,e6c91ab176887e5c79bb59277c651dfd; classtype:exploit-kit; sid:2018928; rev:4; metadata:created_at 2014_08_13, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M2"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"data.php?info="; fast_pattern; pcre:"/^[A-Za-z0-9\?=]{25,}$/Rsi"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious X-mailer Synapse"; flow:established,to_server; content:"produced by Synapse"; fast_pattern; content:"X|2d|mailer|3a 20|Synapse|20 2d 20|Pascal TCP|2f|IP library by Lukas Gebauer"; reference:md5,954acc71ffaa7010c603d74e76dfc70b; reference:url,www.joewein.net/spam/spam-joejob.htm; classtype:trojan-activity; sid:2018936; rev:3; metadata:created_at 2014_08_14, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID:__"; content:"___Key1|3a|___"; content:"___Key2|3a|___"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert udp any 53 -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:command-and-control; sid:2014372; rev:6; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GeoIP Lookup (nydus.battle.net)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:6; content:"/geoip"; http.host; bsize:16; content:"nydus.battle.net"; fast_pattern; reference:md5,446bed079ec0179e82eab6710d55155f; classtype:policy-violation; sid:2029324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_01_28;)
+alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014376; rev:4; metadata:created_at 2012_03_14, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x86 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029330; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE OneLouder EXE download possibly installing Zeus P2P"; flow:to_client,established; flowbits:isset,ET.OneLouderHeader; file_data; content:"MZ"; within:2; content:"PE|00 00|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019103; rev:5; metadata:created_at 2014_09_03, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x64 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Internal, signature_severity Major, updated_at 2020_01_29;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Reply Sinkhole - irc-sinkhole.cert.pl"; flow:established,from_server; content:"|3a|irc|2d|sinkhole|2e|cert|2e|pl"; nocase; fast_pattern; content:"|3a|End of MOTD command|2e|"; classtype:trojan-activity; sid:2019354; rev:2; metadata:created_at 2014_10_06, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, signature_severity Major, updated_at 2020_01_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JST Perl IrcBot download"; flow:to_client,established; file_data; content:"JST Perl IrcBot"; fast_pattern; content:!"<html"; reference:url,pastebin.com/HK8riv9Q; reference:url,www.binarydefense.com/bds/active-shellshock-smtp-botnet-campaign/; reference:md5,77a6c50a06b59df0f3d099b1819a01d9; classtype:trojan-activity; sid:2019509; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Chanitor.A Domain in SNI"; flow:established,to_server; content:"svcz25e3m4mwlauz."; fast_pattern; classtype:trojan-activity; sid:2019518; rev:3; metadata:created_at 2014_10_27, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"antivirus-update.top"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/; classtype:domain-c2; sid:2029326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hikit Server Authentication Response"; flow:established; content:"ETag|3a 20|"; content:"75BCD15"; fast_pattern; pcre:"/^ETag\x3a\x20\x22\d+75BCD15\d+\x3a[a-f0-9]{1,6}/mi"; reference:url,www.novetta.com/files/9914/1446/8050/Hikit_Analysis-Final.pdf; classtype:trojan-activity; sid:2019621; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hisoka CnC Domain Observed in DNS Query"; dns.query; content:"google-update.com"; bsize:17; nocase; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029328; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bedep SSL Cert"; flow:established,from_server; content:"|09 00 c9 80 9a 85 50 97 cc 97|"; fast_pattern; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"|0b|Company Ltd"; distance:1; within:12; content:"|55 04 0b|"; content:"|06|office"; distance:1; within:7; reference:url,malware-traffic-analysis.net/2014/11/02/index.html; reference:md5,11837229f834d296342b205433e9bc48; classtype:trojan-activity; sid:2019646; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_11_05, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.AdWare.iBryte.C Install"; flow:established,to_server; http.uri; content:"/config/"; startswith; content:"/offers.json"; distance:0; content:"version="; content:"pid=installer&ts="; fast_pattern; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:pup-activity; sid:2018197; rev:4; metadata:created_at 2014_03_01, former_category ADWARE_PUP, updated_at 2020_01_30;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Archie EK Payload Checkin POST"; flow:established,to_server; content:"POST"; http_method; content:"integritylvl="; depth:13; http_client_body; content:"&osversion="; distance:0; http_client_body; content:"&iselevated="; distance:0; http_client_body; content:"&iever="; distance:0; http_client_body; content:"&isnet20inst="; http_client_body; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019679; rev:4; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO TLS Handshake Failure"; flow:established,to_client; dsize:7; content:"|15|"; depth:1; content:"|00 02 02 28|"; distance:2; within:4; fast_pattern; classtype:bad-unknown; sid:2029340; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_01_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bamital Checkin Response 2"; flow:established,from_server; file_data; content:"$$$$"; fast_pattern; pcre:"/^<(?P<var1>[a-z])>[a-z0-9/]+<\/(?P=var1)><(?P<var2>[a-z])>[a-z0-9/]+<\/(?P=var2)>$$$$/i"; classtype:command-and-control; sid:2019758; rev:3; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Winnti TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, signature_severity Major, updated_at 2020_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.no-ip.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.no-ip.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019789; rev:5; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Winnti TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:".dnslookup.services"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain"; flow:to_server,established; content:"cvredirect.ddns.net"; fast_pattern; http_header; pcre:"/^Host\x3a[^\r\n]+?cvredirect.ddns.net/Hmi"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:bad-unknown; sid:2019791; rev:3; metadata:created_at 2014_11_24, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti TLS SNI Observed"; flow:established,to_server; tls.sni; content:".dnslookup.services"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin"; flow:established,to_server; dsize:4; content:"|94 00 00 00|"; fast_pattern; flowbits:set,ET.VirLock; flowbits:noalert; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019901; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti TLS SNI Observed"; flow:established,to_server; tls.sni; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029345; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE VirRansom/VirLock Checkin Response"; flow:established,from_server; dsize:4; content:"|74 01 00 00|"; fast_pattern; flowbits:isset,ET.VirLock; reference:md5,fbeb6ebd498d85b1f404d7bb4acc3b89; classtype:command-and-control; sid:2019902; rev:2; metadata:created_at 2014_12_10, former_category MALWARE, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan.SpamBanker Report via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|Keylogger"; fast_pattern; nocase; content:"X-Library|3a 20|Indy"; pcre:"/^Keylogger\r$/m"; reference:md5,9c1aac05bd3212a3abcd7cce9c6c4c77; classtype:trojan-activity; sid:2019931; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC - BotKiller Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"BotKiller"; bsize:9; fast_pattern; http.request_body; content:"info=killStatus|3a|"; startswith; content:"|20|remStatus|3a|"; content:"|20|remDLLStatus|3a|"; content:"|20|clearIEStatus|3a|"; content:"|20|regResetStartup|3a|"; content:"|20|regDeleteCred|3a|"; http.header_names; content:!"Referer"; reference:md5,fbf2d69aa6ae5da73a5024f80c593f92; reference:url,fr3d.hk/blog/amadey-malware-default-crededentials; classtype:command-and-control; sid:2029341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Amadey, signature_severity Major, updated_at 2020_01_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Trojan/Downloader.Fosniw.sap Reporting via SMTP"; flow:established,to_server; content:"From|3a|"; content:"Subject|3a 20|keylogger(v0."; fast_pattern; nocase; content:"@UserName"; content:"@ComputerName"; reference:md5,e36469241764b8c954a700146ca4c43f; classtype:trojan-activity; sid:2019933; rev:2; metadata:created_at 2014_12_13, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; pcre:"/^\d{2,4}$/UR"; http_start; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla"; content:"|0d 0a|Host|3a| "; within:100; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:60; http_header_names; content:!"Accept"; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:command-and-control; sid:2013419; rev:5; metadata:created_at 2011_08_18, former_category MALWARE, updated_at 2020_02_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE SpamBanker message"; flow:to_server,established; content:"NEGOCIO_ONLINE|2e|"; fast_pattern; nocase; content:"|0d 0a|Content-Disposition|3a 20|attachment"; content:"filename|3d|"; nocase; distance:0; pcre:"/^[\x22\x27]NEGOCIO_ONLINE(\.(?:zip|exe))[\x27\x22]\x0d\x0a/Ri"; reference:url,tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=36677; classtype:trojan-activity; sid:2019937; rev:4; metadata:created_at 2014_12_15, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Agent.NPP CnC Activity"; flow:established,to_server; http.request_line; bsize:27; content:"GET /show/push.txt HTTP/1.0"; fast_pattern; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,0bec370f25d557e6dd64d2e9391f23f4; classtype:pup-activity; sid:2029350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_02_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Infostealer.Bancos Sending Stolen info SMTP"; flow:to_server,established; content:"X-Library|3a 20|Indy"; content:"BIGFONE TOCOU"; fast_pattern; content:"Nome Comp"; reference:md5,f71c41b816eadf221e188f6618798969; classtype:trojan-activity; sid:2019938; rev:2; metadata:created_at 2014_12_15, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"GET"; http_method; content:"/flow"; fast_pattern; depth:5; http_uri; pcre:"/^\d{1,2}\.php$/UR"; content:".ru"; http_host; isdataat:!1,relative; classtype:exploit-kit; sid:2015897; rev:4; metadata:created_at 2012_11_20, former_category EXPLOIT_KIT, updated_at 2020_02_04;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE ZhCAT.HackTool Operation Cleaver HTTP CnC Beacon"; flow:established,to_server; content:"POST file.php HTTP/1."; depth:21; content:"|20 28 20|compatible"; fast_pattern; reference:url,www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019943; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GreatArcadeHits CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reports/install.php?options="; startswith; fast_pattern; http.user_agent; bsize:9; content:"USERAGENT"; reference:md5,15b2b90540f8b47b3773ce7fe80ae96b; classtype:pup-activity; sid:2029351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_04;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 6"; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020000; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoPatronum Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; startswith; content:"&username="; distance:0; content:"&pname="; distance:0; content:"&kid="; distance:0; fast_pattern; content:"&ppath="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,429ba4a470eb2f3c0ce6678745bc8d8e; classtype:command-and-control; sid:2029349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Listening Implant 7"; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020001; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"finance-usbnc.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029354; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 1"; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020007; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"system-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 2"; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020008; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-issues.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 4"; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020010; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"inztaqram.ga"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any 488 -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 5"; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020011; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"bahaius.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029358; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any 488 (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 6"; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020012; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"malcolmrifkind.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029359; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 8"; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020014; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"instagram-com.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029360; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 9"; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020015; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"recovery-options.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 1"; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020017; rev:2; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"accounts-drive.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT TCP Checkin 1"; flow:established,to_server; dsize:24; content:"|08 00 1b 00 00 00 1b 00 00 00 02 00 00 00 00 00 00 00 00 00|"; fast_pattern; content:"|00 00 00 00 |"; offset:20; depth:4; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020024; rev:3; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"acconut-verify.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Dropped by RIG EK"; flow:established,to_server; content:"/Prack"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|InetURL/1.0|0d 0a|"; http_header; reference:md5,18fa3ab45c6fa9da218dd4c35688c5f4; classtype:exploit-kit; sid:2020070; rev:4; metadata:created_at 2014_12_26, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-activities.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029364; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 32 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020150; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"yah00.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.A Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 64 32|"; fast_pattern; reference:md5,ad7e8dd9140d02f47eca2d8402e2ecc4; classtype:command-and-control; sid:2020151; rev:2; metadata:created_at 2015_01_07, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-activity-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9000:10000 (msg:"ET MALWARE Win32/Recslurp.D C2 Request (no alert)"; flow:established,to_server; dsize:4; content:"|e8 03 00 00|"; fast_pattern; flowbits:set,ET.Reslurp.D.Client; flowbits:noalert; reference:md5,fcf364abd9c82d89f8d0b4b091276b41; classtype:command-and-control; sid:2020154; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"skynevvs.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mini/Cosmic Duke variant FTP upload"; flow:established,to_server; content:"STOR "; pcre:"/^[A-F0-9]{48}\.bin\r\n/R"; content:".bin|0d 0a|"; fast_pattern; reference:url,f-secure.com/weblog/archives/00002780.html; classtype:targeted-activity; sid:2020158; rev:3; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"drive-accounts.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT connection"; flow:established,to_server; dsize:13; content:"|3c 7c|PRINCIPAL|7c 3e|"; fast_pattern; flowbits:set,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020315; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"cpanel-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KL-Remote / Cryp_Banker14 RAT response"; flow:established,from_server; dsize:6; content:"|3c 7c|OK|7c 3e|"; fast_pattern; flowbits:isset,ET.KLRemote; reference:md5,636edeba541483421e29b81b35f92841; reference:md5,c5763d0ef12dffa213d265596bd1acf9; reference:md5,5e01557b8650616e005a9949cbf5459a; classtype:trojan-activity; sid:2020316; rev:2; metadata:created_at 2015_01_27, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"two-step-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029370; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/stat\x03\x08\x0c$/R"; content:"/stat|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020336; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"seisolarpros.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Possible net.tcp CnC Beacon (control)"; flow:established,to_server; content:"net.tcp|3a|//"; offset:7; depth:10; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d+\/control\x03\x08\x0c$/R"; content:"/control|03 08 0c|"; fast_pattern; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:command-and-control; sid:2020337; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"phonechallenges-submit.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029372; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; content:"GET"; http_method; content:".php?admin="; fast_pattern; content:"&id="; http_uri; content:"&nat="; http_uri; content:"&os="; http_uri; content:"&video="; http_uri; content:"&arch_type="; http_uri; content:"&v="; http_uri; content:"&av_list="; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\n(?:\r\n)?$/Hi"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020340; rev:6; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-service.ddns.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Xnote Keep-Alive"; flow:established,to_server; dsize:17; content:"|11 00 00 00 01 00 00 00 78 9c 4b 05 00 00 66 00 66|"; fast_pattern; reference:url,deependresearch.org/2015/02/linuxbackdoorxnote1-indicators.html; classtype:trojan-activity; sid:2020389; rev:2; metadata:created_at 2015_02_11, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"leslettrespersanes.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".asia|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.asia\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020654; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"software-updating-managers.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029375; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2"; flow:to_server,established; content:"/rico.php"; fast_pattern; content:".ru|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+\.ru\r\n/Hmi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020655; rev:4; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"niaconucil.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029376; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> any any (msg:"ET MALWARE US-CERT TA14-353A Lightweight Backdoor 10"; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern; content:"BC435@PRO62384923412!@3!"; nocase; content:!"content|3a 22|BC435@PRO62384923412!@3!|22 3b|"; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020016; rev:3; metadata:created_at 2014_12_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"w3-schools.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Cryptolocker .onion Proxy Domain in SNI"; flow:established,to_server; content:"erhitnwfvpgajfbu."; fast_pattern; nocase; reference:url,www.welivesecurity.com/2014/09/04/torrentlocker-now-targets-uk-royal-mail-phishing/; classtype:trojan-activity; sid:2019124; rev:3; metadata:created_at 2014_09_05, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"unirsd.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a|ok"; fast_pattern; file_data; content:"ok"; within:2; byte_test:1,<,0x1b,0,relative; content:"|00|"; distance:1; within:1; flowbits:isset,ET.Vawtrak; classtype:trojan-activity; sid:2019499; rev:5; metadata:created_at 2014_10_24, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"isis-online.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 2"; flow:from_server,established; file_data; content:"<html><title>"; within:13; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title><\/html>$/R"; content:"</title></html>"; fast_pattern; flowbits:isset,ET.Chroject; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020749; rev:5; metadata:created_at 2015_03_26, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M6 (set)"; flow:established,to_server; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:set,ET.Parallax-6; flowbits:noalert; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x86"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 32|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020849; rev:3; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M6"; flow:established,to_client; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:isset,ET.Parallax-6; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 86|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:command-and-control; sid:2020850; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; reference:url,twitter.com/blackorbird/status/1225002203221393411; classtype:domain-c2; sid:2029394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin no architecture"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 84|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2020851; rev:2; metadata:created_at 2015_04_08, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 TONEDEAF 2.0 Requesting Commands from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow?ser="; startswith; fast_pattern; pcre:"/^[a-z0-9]{6}$/RUi"; http.user_agent; content:"Windows|20|Phone|20|OS"; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B1 Sending Processes"; content:"Sy|5c|"; content:"wininit|5c|"; distance:0; content:"winlogon|5c|"; fast_pattern; reference:md5,bd69714997e839618a7db82484819552; classtype:trojan-activity; sid:2020852; rev:2; metadata:created_at 2015_04_08, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 TONEDEAF 2.0 Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upl?ser="; startswith; fast_pattern; pcre:"/^=?[a-z0-9]{6}$/RUi"; http.user_agent; content:"Windows|20|Phone|20|OS"; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Uploading Files"; flow:to_server,established; content:"POST"; http_method; urilen:6; content:"/v.php"; http_uri; fast_pattern; content:"|0d 0a|UA-CPU|3a 20|"; http_header; content:"Content-Type|3a 20|application/upload|0d 0a|"; content:"boundary=---------------------------0123456789012"; http_header; content:"name=|22|pf|22 3b|"; http_client_body; reference:url,www.bleepingcomputer.com/forums/t/570390/vaultcrypt-uses-batch-files-and-open-source-gnupg-to-hold-your-files-hostage; classtype:trojan-activity; sid:2020707; rev:4; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT34 TONEDEAF 2.0 User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Windows|20|Phone|20|OS"; content:"|3b 20|IEMoblie|2f|9.0|29|"; endswith; fast_pattern; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029384; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose NAT Traversal CnC Beacon set"; flow:established,to_server; dsize:4; content:"|18 00 00 00|"; fast_pattern; flowbits:set,ET.Linux.Moose; flowbits:noalert; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021150; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MINEBRIDGE/MINEDOOR CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g4t3_indata.php"; endswith; fast_pattern; http.request_body; content:"uuid="; content:"&pass="; distance:0; content:"&username="; distance:0; content:"&pcname="; distance:0; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:command-and-control; sid:2029393; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
+alert tcp any any -> $HOME_NET 443 (msg:"ET MALWARE Possible Duqu 2.0 Accessing backdoor over 443"; flow:to_server,established; content:"romanian.antihacker"; fast_pattern; reference:url,securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/; classtype:trojan-activity; sid:2021242; rev:2; metadata:created_at 2015_06_10, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/cnc/register"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 7d|"; distance:36; within:2; endswith; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Torrentlocker C2 Domain in SNI"; flow:established,to_server; content:"|00 00 0d|krusperon.net"; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/3ebc6999da89eaf44d94195b588cb869d894ca754a248b074893d11f6dd19188?environmentId=4; reference:md5,2c339dbb40b3b19ee275e4c7c1c17a18; classtype:command-and-control; sid:2021254; rev:3; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Sending Task Results"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/cnc/tasks/result"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 2c 22|"; distance:36; within:3; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".dll"; classtype:trojan-activity; sid:2021429; rev:3; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Requesting Task"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/cnc/tasks/request"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 7d|"; distance:36; within:2; endswith; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029397; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 8"; flow:to_server,established; content:"GET"; http_method; content:"/viewphoto.asp?photoid="; http_uri; fast_pattern; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021571; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; distance:0; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:exploit-kit; sid:2016108; rev:4; metadata:created_at 2012_12_28, updated_at 2020_02_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M2"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|22|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021611; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"Cookie"; http.cookie; content:"prov="; startswith; content:"_ga=GA1.2.9924|3b|_gat=1|3b|__qca=P0-214459"; endswith; reference:url,github.com/xx0hcd/Malleable-C2-Profiles; classtype:command-and-control; sid:2029381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M3"; flow:established,to_client; file_data; content:"HTA|3a|APPLICATION"; nocase; fast_pattern; content:"|27|&#x"; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021612; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Satan Cryptor GeoIP Lookup"; flow:established,to_server; content:"GET /json/ HTTP/1.1|0d 0a|Host|3a 20|extreme-ip-lookup.com|0d 0a|User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a 0d 0a|"; depth:107; isdataat:!1,relative; reference:md5,057aad993a3ef50f6b3ca2db37cb928a; classtype:trojan-activity; sid:2029399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Passthru/Kshell Port Redirection Initiation"; flow:to_server,established; dsize:11; content:"chkroot2007"; fast_pattern; reference:md5,f7146691adea573548fa040fb182f4fe; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021796; rev:2; metadata:created_at 2015_09_17, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Wifi Bruter Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/230238982BSBYKDDH938473938HDUI33/index.php"; bsize:43; fast_pattern; http.request_body; content:"c="; startswith; content:"|3a|"; distance:0; http.header_names; content:!"Referer"; reference:url,www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader; classtype:command-and-control; sid:2029398; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_02_07;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CosmicDuke Exfiltrating Data via FTP STOR"; flow:established,to_server; dsize:55<>65; content:"STOR|20|"; depth:5; pcre:"/^[a-z0-9]{1,10}[A-F0-9]+\.bin\r\n$/R"; content:".bin|0d 0a|"; fast_pattern; reference:md5,5080bc705217c614b9cbf67a679979a8; classtype:targeted-activity; sid:2023910; rev:5; metadata:created_at 2015_07_17, former_category MALWARE, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls.cert_subject; content:"C=US, CN=thoughtlibrary.top/L=new york/O=new york/OU=new york/ST=new york/emailAddress=admin@thoughtlibrary.top"; bsize:111; fast_pattern; reference:url,twitter.com/P3pperP0tts/status/1226493807061094406; classtype:domain-c2; sid:2029400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/dtool IRC Command (STOP)"; flow:established,from_server; content:"PRIVMSG"; content:"{STOP} Stop command ->"; fast_pattern; nocase; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021879; rev:4; metadata:created_at 2015_10_01, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015818; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:targeted-activity; sid:2021985; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern; http_request_line; content:"/ HTTP/1."; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015819; rev:5; metadata:created_at 2012_10_19, former_category EXPLOIT_KIT, updated_at 2020_02_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE KilerRAT CnC - Remote Shell"; flow:from_server,established; content:"rs|7c 4b 69 6c 65 72 7c|"; fast_pattern; pcre:"/\x7c(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/"; reference:md5,51409b4216065c530a94cd7a5687c0d6; reference:url,alienvault.com/open-threat-exchange/blog/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off; classtype:command-and-control; sid:2022068; rev:3; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"GET"; http_method; content:"/stat/load"; http_uri; fast_pattern; content:".php"; http_uri; http_start; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:exploit-kit; sid:2021141; rev:4; metadata:created_at 2015_05_22, updated_at 2020_02_10;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyLoader.B2 Checkin x64"; dsize:12; content:"|00 00 00 00 00 00 00 00 00 00 00 BA|"; fast_pattern; reference:md5,b4ce43e1c9e74c549e2bae8cd77d5af1; classtype:command-and-control; sid:2022072; rev:2; metadata:created_at 2015_11_11, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT40/Dadstache Stage 2 Payload Beacon"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:".png|22 0d 0a|Content-Type: video/JPEG|0d 0a 0d 0a 89 50 4e 47|"; distance:0; fast_pattern; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; reference:md5,9cf5fb135c3cc29e79b2a1c78233934b; classtype:targeted-activity; sid:2029420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 2"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"/img/"; depth:5; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/n"; distance:0; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/n\d+\.png$/U"; content:".png|20|HTTP/1.1|0d 0a|"; fast_pattern; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022147; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader CnC Checkin (getid)"; flow:to_server; content:"$"; content:"-S-"; distance:0; nocase; content:"|05|getid|00 00 10 00 01|"; distance:0; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Flooding 1)"; flow:established,to_server; content:"|20|Flooding|20|"; fast_pattern; content:"|20|for|20|"; content:"|20|seconds."; distance:0; pcre:"/(?:JUNK|HOLD) Flooding (?:\d{1,3}\.){3}\d{1,3} for \d+ seconds.\r?\n/"; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022213; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (gettasks)"; flow:to_server; threshold:type both, track by_src, count 30, seconds 60; content:"|08|gettasks|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029408; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Derusbi/Winnti Receiving Configuration"; flow:established,from_server; file_data; content:"$$$--Hello"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})Wrod--\$\$\$/R"; content:"Wrod--$$$"; fast_pattern; reference:url,blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family; classtype:trojan-activity; sid:2022269; rev:3; metadata:created_at 2015_12_16, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (getupdates)"; flow:to_server; threshold:type both, track by_src, count 30, seconds 60; content:"|0a|getupdates|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 1"; flow:established,to_server; dsize:8; content:"|bf bf af af 7e 00 00 00|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022360; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (reporttask)"; flow:to_server; content:"|0a|reporttask|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029410; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrochilusRAT CnC Beacon 2"; flow:established,to_server; dsize:13; content:"|07 0d 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022361; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (reportupdates)"; flow:to_server; content:"|08|reportupdates|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029411; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.ServStart.D Checkin"; flow:to_server,established; content:"Win|20|"; pcre:"/^(:?[78]|XP)/Ri"; content:"MB|00|"; distance:0; content:"MHz|00|"; distance:0; content:"|20|Mbps|00|"; fast_pattern; reference:md5,ad906500dd344cbbdf37997a4b27389f; reference:url,blog.netlab.360.com/public-cloud-threat-intelligence-202203/; classtype:command-and-control; sid:2036415; rev:2; metadata:created_at 2016_03_15, former_category MALWARE, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious EXE requested with Java UA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; isdataat:!1,relative; http.header; content:"User-Agent|3a 20|Java/"; fast_pattern; classtype:misc-activity; sid:2029421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:3; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2019_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY ABBCCoin Checkin"; flow:to_server,established; content:"_version"; within:14; content:"ABBCCoin"; within:150; fast_pattern; reference:md5,77ec579347955cfa32f219386337f5bb; classtype:misc-activity; sid:2029422; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_02_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netsh advfirewall show allprofiles Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Domain Profile Settings|3a|"; fast_pattern; content:"Firewall Policy"; classtype:trojan-activity; sid:2023216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ABBCCoin Activity Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ABBCCoin"; fast_pattern; reference:md5,77ec579347955cfa32f219386337f5bb; classtype:misc-activity; sid:2029423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, signature_severity Minor, updated_at 2020_02_12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows WMIC SERVICE get Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"AcceptPause"; fast_pattern; content:"AcceptStop"; content:"Caption"; content:"ExecutablePath"; classtype:trojan-activity; sid:2023223; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_15, deployment Perimeter, deployment Datacenter, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [TGI] Entrust Entelligence Security Provider (Flowbits Set)"; flow:established,to_server; flowbits:set,ET.entrust_entelligence; flowbits:noalert; http.user_agent; content:"Entrust Entelligence Security Provider"; threshold:type limit, track by_src, seconds 60, count 1; reference:url,www.entrustdatacard.com/products/pki/entrust-entelligence-security-provider; classtype:trojan-activity; sid:2029424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2014-6332 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 34 2d 36 33 33 32 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023288; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TGI] Possible Cobalt Strike Extra Whitespace HTTP Response"; flow:established,to_client; flowbits:isnotset,ET.entrust_entelligence; http.start; content:"HTTP/1.1|20|200|20|OK|20 0d 0a|Content-Type|3a|"; reference:url,github.com/fox-it/cobaltstrike-extraneous-space; classtype:trojan-activity; sid:2029425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_02_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleedingLife EK CVE-2016-0189 Exploit"; flow:to_server,established; content:"GET"; http_method; content:"|2f 32 30 31 36 2d 30 31 38 39 2e 70 68 70 3f|"; http_uri; fast_pattern; content:"/index.php?ss="; http_header; pcre:"/\.php\?\d{1,4}$/Ui"; classtype:exploit-kit; sid:2023289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Command)"; flow:established,to_client; file.data; content:"dfff0a7fa1a55c8c1a4966c19f6da452|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TheTrick Banking Trojan User-Agent"; flow:to_server,established; content:"User-Agent|3a 20 54 72 69 63 6b 4c 6f 61 64 65 72|"; fast_pattern; reference:md5,f26649fc31ede7594b18f8cd7cdbbc15; classtype:trojan-activity; sid:2023338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Download)"; flow:established,to_client; file.data; content:"51a7a76a7dd5d9e4651fe3d4c74d16d6|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern; content:".sys"; classtype:trojan-activity; sid:2021430; rev:4; metadata:created_at 2015_07_16, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Screenshot)"; flow:established,to_client; file.data; content:"62c92ba585f74ecdbef4c4498a438984|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017"; flow:to_server,established; content:"GET"; http_method; content:"/config.php?id="; http_uri; fast_pattern; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; pcre:"/\/config\.php\?id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/U"; reference:md5,2ccd95bb2e9d8c6e6b6eb68963461f08; classtype:command-and-control; sid:2023769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Activity (Upload)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_multipart_boundary|0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|JkjdaEWQTTTu"; fast_pattern; distance:0; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_02_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazuar CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:"Referer|3a|"; http_header; content:"AuthToken="; depth:10; http_cookie; pcre:"/^AuthToken=[A-Za-z0-9+/]{43}=$/C"; content:"Cookie|3a 20|AuthToken="; fast_pattern; reference:md5,7a778e076e48ff269e91f17a15ea97d5; reference:url,researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/; classtype:command-and-control; sid:2024270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family Kazuar, signature_severity Major, tag APT, tag RUAPT, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/GRIFFON CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=landscapesboxdesign9.com"; nocase; endswith; classtype:domain-c2; sid:2029449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker .onion Proxy domain in SNI July 31 2014"; flow:established,to_server; content:"iet7v4dciocgxhdv."; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018872; rev:3; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X2000M.Agent Checkin Jan 24 2017"; flow:established,to_server; http.user_agent; content:"v7v7v7v7v7v7v7v7v7v7v7v7"; startswith; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 1"; flow:established,from_server; content:"UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAc"; fast_pattern; classtype:trojan-activity; sid:2025010; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=effetka.com"; bsize:14; fast_pattern; reference:url,twitter.com/0xCARNAGE/status/1228109444883664896; classtype:domain-c2; sid:2029469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 2"; flow:established,from_server; content:"MAdABhAHIAdAAtAFAAcgBvAGMAZQBzAH"; fast_pattern; classtype:trojan-activity; sid:2025011; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"indox.php?v="; fast_pattern; pcre:"/^(?:pe|pp|s)$/R"; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent B64 3"; flow:established,from_server; content:"TAHQAYQByAHQALQBQAHIAbwBjAGUAcwBz"; fast_pattern; classtype:trojan-activity; sid:2025012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Exfil"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/scriptPhpServer.php"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:6; metadata:created_at 2015_04_03, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Download"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/IERinstal.a"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:trojan-activity; sid:2029452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/YTDDownloader.F Activity"; flow:established,to_server; http.request_line; content:"GET /offers/offers.php?id="; startswith; fast_pattern; content:" HTTP/1.0"; endswith; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,a53b0c85d4e65e06c59e854b84ad7f17; classtype:pup-activity; sid:2029470; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/Agent.A DNS File Transfer CnC Beacon"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"00"; distance:1; within:2; content:"00000"; distance:0; pcre:"/^[0-9A-Z]+232A/R"; content:"232A"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:command-and-control; sid:2022837; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M7 (set)"; flow:established,to_server; content:"|5e 52 4a 3b|"; startswith; fast_pattern; content:"|11 7f b6|"; distance:1; within:4; flowbits:set,ET.Parallax-7; flowbits:noalert; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:command-and-control; sid:2029455; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_02_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/AppleJeus Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=beastgoc.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x49.html; classtype:domain-c2; sid:2028827; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M7"; flow:established,to_client; content:"|5e 52 4a 3b|"; startswith; fast_pattern; content:"|11 7f b6|"; distance:1; within:4; flowbits:isset,ET.Parallax-7; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:command-and-control; sid:2029456; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_02_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Ping Success Code sent to CnC"; flow:established,to_server; content:"|00 00 00 00 00 65 00 00 00 00 00 00 06 00 00 00|"; startswith; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028884; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sarwent Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits="; distance:0; content:"&av="; distance:0; http.user_agent; content:"Opera"; depth:5; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; depth:42; isdataat:!1,relative; reference:md5,3ddc689e72faa473fa78df7302c708e8; classtype:command-and-control; sid:2029471; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Ping Error Code sent to CnC"; flow:established,to_server; content:"|00 00 00 00 00 66 00 00 00 00 00 00 06 00 00 00|"; startswith; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai User-Agent Observed (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Ankit|0d 0a|"; nocase; fast_pattern; classtype:web-application-attack; sid:2029472; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Initalisation Bytes Received from CnC"; flow:established,from_server; content:"|FF FF 01 00 00 01 00 00 00 00 00 00|"; startswith; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028863; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai User-Agent Observed (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Ankit|0d 0a|"; nocase; fast_pattern; classtype:attempted-admin; sid:2029473; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_02_17, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_02_17;)
+#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - PID Injection Command"; flow:established,to_server; content:"|00 00 00 00 00 05 10|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028886; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin"; flow:established,to_server; flowbits:set,ET.sarwent.1; http.method; content:"GET"; http.uri; content:"/gate/test"; bsize:10; fast_pattern; http.user_agent; content:"Opera"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_02_17;)
+#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Establishing Connection with New Host"; flow:established,to_server; content:"|00 00 00 00 00 D2 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Adobe Reader/O=Adobe"; bsize:23; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,e4224469bd75b63fa0cebd33c53b4d85; classtype:domain-c2; sid:2029491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - TCP Relay Successfully Activated on New Host"; flow:established,to_server; content:"|00 00 00 00 00 D4 00 00 00 00 00 00 00 00 00 00|"; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible NK APT SLICKSHOES Host Checkin"; flow:established,to_server; content:"|41 00 70 00 6f 00 6c 00 6c 00 6f 00 5a 00 65 00 75 00 73 00|"; depth:20; fast_pattern; reference:md5,b57db76cc1c0175c4f18ea059d9e2ab2; reference:url,www.us-cert.gov/ncas/analysis-reports/ar20-045b; classtype:targeted-activity; sid:2029478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_18;)
+#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Exchanging RC4 & XOR Encrypted Data with Internal Host"; flow:established,to_server; content:"|00 00 00 00 00 D3 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"session=Host|20|Name|3a|"; startswith; fast_pattern; content:"|0d 0a|OS Name|3a|"; content:"|0d 0a|Registered|20|Owner|3a|"; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
+#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Socket Command Observed"; flow:established,to_server; content:"|00 00 00 00 00 D6 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"server_module_name="; fast_pattern; content:"&server_task"; content:"&systemtype="; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029495; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
+#alert tcp $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor [TCP Relay Module] - Close Named Pipe Command Observed"; flow:established,to_server; content:"|00 00 00 00 00 CF 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Internal, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID|3a 20|"; content:"|20 20|Key1|3a 20 20|"; content:"|20 20|Key2|3a 20 20|"; fast_pattern; http.user_agent; bsize:38; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,fc78e6e58352151fb77a4b92f239d381; classtype:command-and-control; sid:2029496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logo/go.php?id="; fast_pattern; pcre:"/^\d{1,3}$/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; reference:url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787; classtype:command-and-control; sid:2013946; rev:5; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2019_10_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2"; flow:established,to_server; dsize:<50; content:"keepAlivePing"; startswith; content:"|40 23 25 5e 4e 59 41 4e 23 21 40 24|"; fast_pattern; endswith; reference:md5,2d03cfb7357ab919e35546adc9db167a; reference:md5,c25b797d6737751936766cd50e26d725; reference:url,twitter.com/Srujank48668412/status/1509520095068192780; classtype:command-and-control; sid:2035885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, malware_family Revenge_RAT, signature_severity Major, updated_at 2020_02_19;)
+alert smtp $HOME_NET any -> any any (msg:"ET MALWARE Unk Spam Bot Template 1 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|"; pcre:"/^(?:Cek\x20This|miss\x20[A-Za-z0-9]{2,20}|[A-Za-z0-9]{2,20}Porn)\r\n/R"; content:".scr|22 0d 0a 0d 0a|TVqQ"; distance:0; fast_pattern; classtype:trojan-activity; sid:2028892; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2019_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logs/dolodos.php?url=http://"; startswith; fast_pattern; content:"&ref="; distance:0; content:"&ip="; distance:0; content:"&bot="; distance:0; content:"&pck="; distance:0; content:"&uagent="; distance:0; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029497; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:28; content:"CN=cloudcitytechnologies.com"; reference:md5,9a23881abe27dc70ca42597a1e1de354; classtype:domain-c2; sid:2028894; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//autoindex.php"; endswith; fast_pattern; http.host; content:".ddns.net"; endswith; http.header_names; content:!"Referer"; reference:url,blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/; classtype:trojan-activity; sid:2029500; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_02_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobInt CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=fraud-bank.host"; nocase; endswith; classtype:domain-c2; sid:2028905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_23, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.top"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029510; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Emptiness v1.1 HTTP Flood Command Inbound"; flow:established,from_server; dsize:<50; content:"Lmh0dHA"; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:trojan-activity; sid:2027842; rev:2; metadata:affected_product Linux, created_at 2019_08_09, former_category TROJAN, malware_family Emptiness, tag DDoS, updated_at 2019_10_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"pervas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029511; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Orion Logger SMTP Exfil Subject Line"; flow:to_server,established; content:"Subject|3a 20|Orion Logger - System Details - "; reference:md5,a96e8c201599af678926ac84020c87e0; classtype:command-and-control; sid:2028896; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, malware_family Orion_Logger, signature_severity Major, updated_at 2019_10_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.icu"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029512; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Orion Logger SMTP Base64 Exfil"; flow:to_server,established; content:"Subject|3a 20|Orion Logger - System Details - "; content:"PT09PT09PT09PXwgT3Jpb24gTG9nZ2VyIC0gU3lzdGVtIERldGFpbHMgfD09PT09PT09"; distance:0; fast_pattern; reference:md5,a96e8c201599af678926ac84020c87e0; classtype:command-and-control; sid:2028897; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, malware_family Orion_Logger, signature_severity Major, updated_at 2019_10_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vtoras.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029513; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT 41 LOWKEY Backdoor - Ping Command Inbound"; flow:established,from_server; app-layer-protocol:!http; content:"|00 00 00 00 00 FE 00|"; startswith; fast_pattern; content:"|00 00 00 00|"; distance:5; within:4; reference:url,www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html; classtype:command-and-control; sid:2028883; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2019_10_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piasuna.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029514; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Diezen CnC Checkin M2"; flow:established,to_server; dsize:<400; content:"|20 2d 3e 20|i|20|am|20|here|20|boss|20 21 20 0d 0a|"; fast_pattern; content:"User|20|=|20|"; distance:0; content:"|20 20|MachineName|20|=|20|"; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:command-and-control; sid:2028907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, malware_family Sakabota, malware_family Diezen, performance_impact Low, signature_severity Major, updated_at 2019_10_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tretas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029515; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Diezen CnC Checkin M1"; flow:established,to_server; dsize:<400; content:"|40|"; startswith; content:"|40|ID|3a 40|"; distance:0; fast_pattern; content:"|40 20 2d 3e 20|"; distance:0; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:command-and-control; sid:2028908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, malware_family Sakabota, malware_family Diezen, performance_impact Low, signature_severity Major, updated_at 2019_10_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"dolodos.top"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029516; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL) 2019-10-24"; flow:established,to_client; tls.cert_subject; bsize:20; content:"CN=www.daftstone.top"; fast_pattern; reference:md5,8868702fb1825a9848eb3dd160a7bea3; classtype:domain-c2; sid:2028911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"medsource.top"; bsize:13; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029517; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Instagram Like Bot (like4u) CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/client/instagram_native/"; fast_pattern; pcre:"/^(?:likes|check|login_status)\.json\?/RU"; reference:md5,00a0737576d711a8c3a0fdf48fef035a; reference:md5,673652533091319b83a02fd82026f826; classtype:command-and-control; sid:2028915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piastas.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029518; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Instagram Like Bot (like4u) CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/client/instagram_native/login_with_status.json"; endswith; fast_pattern; reference:md5,00a0737576d711a8c3a0fdf48fef035a; reference:md5,673652533091319b83a02fd82026f826; classtype:command-and-control; sid:2028916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"semasa.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029519; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Instagram Like Bot (like4u) CnC Domain in DNS Lookup"; dns.query; content:"like4u.ru"; bsize:9; nocase; reference:md5,00a0737576d711a8c3a0fdf48fef035a; classtype:domain-c2; sid:2028917; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_10_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"devata.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029520; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netwire RAT Client Check-in (socket created)"; flow:established,to_server; dsize:5; content:"|01 00 00 00 98|"; flowbits:isset,ET.NetwireRAT.Client; reference:md5,b0e58a8f45a3e45fd7ee2b4cc20474b3; classtype:command-and-control; sid:2028918; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_29, deployment Perimeter, former_category MALWARE, malware_family Netwire_RAT, performance_impact Moderate, signature_severity Major, updated_at 2019_10_29;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vosmas.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029521; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"www.123456abcgsdwere56463455345435435657222222.com"; bsize:50; nocase; classtype:domain-c2; sid:2028948; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?WORD=com_"; fast_pattern; pcre:"/^[0-9A-F]{12,16}/R"; content:"&NOTE="; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; reference:md5,19f24aec5c1017d162e78863cff316fa; classtype:command-and-control; sid:2029453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"www.abcgsdwere454354435435435354289811111111111.com"; bsize:51; nocase; classtype:domain-c2; sid:2028949; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; http.uri; content:"/modules.php?"; content:"name="; distance:0; content:"UNION"; distance:0; nocase; content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,www.waraxe.us/?modname=sa&id=036; reference:url,doc.emergingthreats.net/2001202; classtype:web-application-attack; sid:2001202; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"vpcpnet.mooo.com"; bsize:16; nocase; classtype:domain-c2; sid:2028950; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Webhancer Data Post"; flow: to_server,established; http.method; content:"POST"; nocase; http.uri; content:"http|3a|//prime.webhancer.com"; nocase; http.header_names; content:"AgentTag"; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; classtype:pup-activity; sid:2001677; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"update-rnicrosoft.mooo.com"; bsize:26; nocase; classtype:domain-c2; sid:2028951; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Download"; flow: established,to_server; http.uri; content:"/requestimpression.aspx?ver="; nocase; content:"host="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:pup-activity; sid:2001992; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_02_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"serve1.mooo.com"; bsize:15; nocase; classtype:domain-c2; sid:2028952; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC)"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=www."; startswith; content:"rilns.com"; endswith; fast_pattern; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029522; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, deployment Datacenter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"video.avantvideo.ca"; bsize:19; nocase; classtype:domain-c2; sid:2028953; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cnumber="; nocase; content:"cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029685; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Keyboy CN APT CnC Domain in DNS Lookup"; dns.query; content:"vpnet.mooo.com"; bsize:14; nocase; classtype:domain-c2; sid:2028954; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_11_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, updated_at 2019_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"num="; nocase; content:"&expm"; nocase; content:"&expy"; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029686; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID WebSocket Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data3.php?"; startswith; fast_pattern; pcre:"/^[0-9A-F]{16}$/R"; http.header; content:"|0d 0a|Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; http.header_names; content:"|0d 0a|Host|0d 0a|Upgrade|0d 0a|Connection|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a 0d 0a|"; reference:md5,977a264f70acf703333f298019c3abd4; classtype:command-and-control; sid:2028955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2019_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&mm="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029687; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AHK Downloader Request Structure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/traff.php"; endswith; fast_pattern; http.user_agent; content:"AutoHotkey"; bsize:10; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2028956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Minor, tag Downloader, updated_at 2019_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cardnumber="; nocase; content:"&month="; nocase; content:"&year="; nocase; content:"&CVV"; nocase; fast_pattern; classtype:credential-theft; sid:2029688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x86)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"confirm.gif?f=1"; endswith; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&numero_tarjeta="; nocase; content:"&cvv"; nocase; fast_pattern; classtype:credential-theft; sid:2029689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Payload CnC Checkin (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"confirm.gif?f=2"; endswith; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Card="; nocase; content:"MM="; content:"YY="; content:"CVC="; fast_pattern; classtype:credential-theft; sid:2029690; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT - Titanium Hardcoded String Observed"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, malware_family Titanium, performance_impact Low, signature_severity Major, tag PLATINUM, updated_at 2019_11_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21)"; flow:established,to_client; tls.cert_subject; content:"CN=merystol.xyz"; nocase; endswith; classtype:domain-c2; sid:2029525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Proxy Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/proxy"; fast_pattern; endswith; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; content:!"Cache-Control"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021128; rev:4; metadata:created_at 2015_05_21, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 2)"; flow:established,to_client; tls.cert_subject; content:"CN=veqejzkb.xyz"; nocase; endswith; classtype:domain-c2; sid:2029526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Bandook v1.35 Initial Connection and Report"; flow:established,to_server; flowbits:isnotset,BE.Bandook1.35; dsize:<200; content:"|cf 8f 80 9b 9a 9d cf|"; depth:7; content:"|20 26 26 26|"; distance:50; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; classtype:command-and-control; sid:2003555; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2019_11_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 3)"; flow:established,to_client; tls.cert_subject; content:"CN=doolised.xyz"; nocase; endswith; classtype:domain-c2; sid:2029527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AnteFrigus Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"|20|Gb</br>"; endswith; http.header; content:"|20|Gb</br>|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache"; content:!"Referer"; reference:md5,b34f1592bce63de77b87d1e61bce66e5; classtype:command-and-control; sid:2028966; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_11_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED HTTP GET Request on port 53 - Very Likely Hostile"; flow:established,to_server; content:"GET"; nocase; depth:4; content:!".newsinc.com"; reference:url,doc.emergingthreats.net/2008420; classtype:trojan-activity; sid:2008420; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; urilen:>175; http.uri; content:".php?info=MzE4TZT-"; fast_pattern; http.accept_lang; content:"ko-KR,ko|3b|"; startswith; http.header; content:"upgrade-insecure-requests|3a 20|1|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,12e9b4bbe894ab0bf357182a11d4c535; classtype:command-and-control; sid:2031916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2019_11_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_user_agent; depth:4; nocase; content:"&hdid="; distance:0; nocase; http_user_agent; content:"&wlid="; nocase; distance:0; http_user_agent; content:"&start="; nocase; distance:0; http_user_agent; content:"&os="; nocase; distance:0; http_user_agent; content:"&mem="; nocase; distance:0; http_user_agent; content:"&alive"; nocase; distance:0; http_user_agent; content:"&ver="; nocase; distance:0; http_user_agent; content:"&mode="; nocase; distance:0; http_user_agent; content:"&guid"; distance:0; http_user_agent; content:"&install="; nocase; distance:0; http_user_agent; content:"&auto="; nocase; distance:0; http_user_agent; content:"&serveid"; nocase; distance:0; http_user_agent; content:"&area="; nocase; distance:0; http_user_agent; reference:url,doc.emergingthreats.net/2009541; classtype:trojan-activity; sid:2009541; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_02_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-11-15)"; flow:established,to_client; tls.cert_subject; content:"CN=sd1-bin.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028985; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-ware.com"; nocase; endswith; classtype:domain-c2; sid:2029528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=reawk.net"; nocase; endswith; reference:md5,9b1d0537d0734f1ddb53c5567f5d7ab5; classtype:domain-c2; sid:2028986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Heartbeat Packet"; flow:established,to_server; dsize:4; content:"|61 63 6b 00|"; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobInt CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"adminassistance.info"; bsize:20; classtype:domain-c2; sid:2028987; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Checkin"; flow:established,to_server; content:"|3e 57 69 6e 64 6f 77 73 20|"; fast_pattern; content:"|3e|"; distance:0; content:"|3e|"; distance:0; content:"|20|bits|3e|"; distance:0; content:"|3e|"; distance:0; content:"|3e 00|"; distance:0; isdataat:!1,relative; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobInt CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"bestguesspass.info"; bsize:18; classtype:domain-c2; sid:2028988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family CobInt, performance_impact Low, signature_severity Major, updated_at 2019_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Bang5mai.BB CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2.gif?x22="; startswith; content:"&x12=&x21="; distance:7; within:10; content:"&x9=&x16=0&x1="; distance:32; within:14; fast_pattern; reference:md5,6b540ba2fc2e606e9e2c8b72818caa28; classtype:pup-activity; sid:2029531; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_02_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperSocialat Plugin Backdoor Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content"; startswith; content:"/plugins/super-socialat/super_socialat.php?dl="; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:command-and-control; sid:2028992; rev:1; metadata:affected_product Wordpress_Plugins, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/RiskWare.YouXun.X CnC Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.header.raw; content:"Server|3a 20 20 20 20 20 20|"; startswith; content:"|20 20 20 20 20 20 20 20|/SERVER IP|3a 20 20 20|SERverWanip|0d 0a|"; within:60; fast_pattern; reference:md5,67d0bacdb3eae462fd5121eeb72e498f; classtype:command-and-control; sid:2029532; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_02_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC) 2019-11-18"; flow:established,to_client; tls.cert_subject; content:"CN=solvents.ru"; bsize:14; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,e54cbf645b0840c0dd1f212f42cd47fd; classtype:domain-c2; sid:2029001; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp any any -> $HOME_NET 8009 (msg:"ET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)"; flow:established,to_server; content:"|12 34|"; depth:2; content:"|00 08|HTTP/1.1|00|"; distance:0; content:"javax.servlet.include.path_info|00|"; nocase; distance:0; content:"javax.servlet.include.request_uri|00|"; content:"javax.servlet.include.servlet_path|00|"; reference:cve,2020-1938; reference:url,www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487; classtype:attempted-admin; sid:2029533; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2020_02_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_02_25;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent Tesla SMTP Clipboard Exfil"; flow:established,to_server; content:"|0d 0a|Time|3a 20|"; content:"<br>User Name|3a 20|"; distance:0; content:"<br>Computer Name|3a 20|"; distance:0; content:"<br>OSFullName|3a|"; distance:0; fast_pattern; content:"<br>CPU|3a 20|"; distance:0; content:"[clipboard]"; distance:0; reference:md5,1632ccd7936d495534257505c8811ece; classtype:trojan-activity; sid:2029002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2019_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CCnumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; classtype:credential-theft; sid:2029691; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=crabbedly.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029005; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Base64 Encoded potential malware"; flow:established,from_server; file.data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; fast_pattern; content:!"<html"; nocase; content:!"<body"; nocase; content:!"<script"; nocase; reference:url,urlhaus.abuse.ch/url/319004/; classtype:misc-activity; sid:2029538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=craypot.live"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029006; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Ostap Maldoc Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?g="; content:"&k="; distance:0; content:"&x="; distance:0; content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*"; fast_pattern; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c53393908f80e993366deec605fe7372; classtype:trojan-activity; sid:2029539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Nukesped CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=indagator.club"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users; classtype:domain-c2; sid:2029007; rev:1; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_11_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Office Phish 2020-02-26"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&submit=Extract+File+Now&sendgo="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029692; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell - RDP Credential Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/report.json?type=rdp&ip="; startswith; fast_pattern; content:"&pass="; distance:0; content:"&t="; distance:0; reference:url,news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/; classtype:command-and-control; sid:2029014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_11_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/CollectorStealer - Returning Client GeoIP Information"; flow:established,to_client; file_data; content:"IP-address|3a 20|"; depth:12; content:"_=_Country|3a 20|"; distance:0; fast_pattern; content:"_=_City|3a 20|"; distance:0; reference:md5,046dcdb20a8358faadc394e786820dd4; classtype:trojan-activity; sid:2034320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_02_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload - CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?ac="; fast_pattern; content:"&n="; distance:1; within:3; content:"|3a|"; distance:0; content:"|3a|"; distance:0; content:"-bit|29|"; distance:0; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-us"; bsize:5; classtype:command-and-control; sid:2029039; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mays-ltd.com"; nocase; endswith; classtype:domain-c2; sid:2029537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/community/uploadxx/"; startswith; fast_pattern; pcre:"/^[A-F0-9]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\//R"; content:".jpg"; endswith; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029041; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, signature_severity Major, updated_at 2019_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoLang Discord Token Grabber Exfil"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Go-http-client/"; startswith; http.header; content:"|0d 0a|Sharkflow|3a 20|"; fast_pattern; pcre:"/^(?:mfa\.[\w-]{84}|[\w-]{24}\.[\w-]{6}\.[\w-]{27})\x0d\x0a/R"; reference:url,twitter.com/sysopfb/status/1232830899370242048; reference:md5,1d2c1b88d8ae94c3f994d07451f6cc23; classtype:trojan-activity; sid:2029542; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category MALWARE, malware_family Stealer, performance_impact Low, signature_severity Major, updated_at 2020_02_27;)
+alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 1"; dsize:69; content:"|00 00 00 00 02 8E A5 64 E2 A5 F7 73 6D 2E F2 86 D3 7B B7 86 E4 7F 0D A7 A0 77 B1 AD 24 49 5B DE D6 DB B7 E1 79|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029042; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ads2Srv Bundle Installer Offer Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bundles.php?cat="; startswith; fast_pattern; content:"&zone="; distance:0; content:"&pid="; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,6ac226609b33b32aa1e1adebb5cfefc0; classtype:pup-activity; sid:2029543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_02_27;)
+alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 2"; dsize:69; content:"|00 00 00 00 02 93 DA 64 B3 1F 49 1B A4 B5 2D 28 92 49 52 7C 3D 41 D2 4F B2 8B FF 2C ED A2 E7 90 18 4F 9E C0 7B|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029043; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (VB OpenUrl)"; flow:to_server,established; http.user_agent; bsize:10; content:"VB OpenUrl"; classtype:bad-unknown; sid:2029544; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_02_27;)
+alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 3"; dsize:69; content:"|00 00 00 00 02 E8 78 31 C6 55 9A 13 FC AB DB 75 9B A5 B1 D6 05 F2 3A 72 FF 04 B5 9F 7F 5A 8B 12 56 F2 CA 01 5E|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029044; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.YoutubeDownloaderGuru.A Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/php/update.php?m="; startswith; fast_pattern; content:"&s="; within:8; isdataat:!6,relative; http.user_agent; bsize:24; content:"Youtube Music Downloader"; http.header_names; bsize:37; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,638aad567ad2f0fc1a3e223eea6fa9a4; classtype:pup-activity; sid:2029545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_02_27;)
+alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 4"; dsize:69; content:"|00 00 00 00 02 E7 30 7D 3C BC 93 4A EC ED D8 FD 9F B9 FE 93 B7 F3 53 B3 11 5D F7 C8 CA 0C F8 77 D1 34 CA 37 20|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029045; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/YTDDownloader.F Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/pixel.gif?action=install&point=start&version="; startswith; fast_pattern; content:"&lngid="; distance:0; content:"&cid="; distance:0; content:"&isn="; distance:0; content:"&kt="; distance:0; content:"&lt=0"; endswith; reference:md5,5e438deb5e2dd34dcf6e96c8c97f8981; classtype:pup-activity; sid:2029546; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_02_27;)
+alert udp $HOME_NET any -> any any (msg:"ET MALWARE ELF/Roboto - Communicating with Hardcoded Peer 5"; dsize:69; content:"|00 00 00 00 02 B3 E5 B3 D6 E6 DE 7C 7D 79 40 A5 4F D9 B0 AC 7B 2D C6 CE 69 EF F3 C4 58 F2 98 A8 92 DF 92 9E 0E|"; startswith; fast_pattern; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029046; rev:1; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2019_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (heil_satan)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|heil_satan|0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,8b643ed45aaaf06b2d4ae99e08f3ae34; classtype:trojan-activity; sid:2029541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, signature_severity Major, updated_at 2020_02_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cyborg Ransomware - Downloading Desktop Background"; flow:established,to_client; http.stat_code; content:"200"; http.server; bsize:8; content:"HotCores"; http.content_type; bsize:10; content:"image/jpeg"; http.header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|22|Cyborg_DECRYPT.jpg|22 0d 0a|"; fast_pattern; reference:md5,2505b0efde03f5d3c66984e6f7c5bcc1; classtype:trojan-activity; sid:2029052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2019_11_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"atooioplapatooioplap.xyz"; bsize:24; classtype:domain-c2; sid:2029547; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.beahh.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029056; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"atooioplap.xyz"; bsize:14; classtype:domain-c2; sid:2029548; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.ackng.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029057; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Qbot/Quakbot Downloader - Requesting Secondary Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f|uid|3d|"; http.user_agent; bsize:7; content:"WebGL3D"; fast_pattern; classtype:trojan-activity; sid:2029551; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category MALWARE, malware_family Qbot, signature_severity Major, updated_at 2020_02_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Beapy CnC Domain in DNS Lookup"; dns.query; content:"info.ackng.com"; bsize:14; nocase; reference:url,content.connect.symantec.com/sites/default/files/2019-04/Beapy_IOCs.txt; classtype:domain-c2; sid:2029058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category MALWARE, malware_family Beapy, performance_impact Low, signature_severity Major, updated_at 2019_11_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bit.do Shortened Link Request (set)"; flow:established,to_server; flowbits:set,ET.bit.do.shortener; http.method; content:"GET"; http.header; content:"Host|3a 20|bit.do|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:38; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; classtype:misc-activity; sid:2029549; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_02_28;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VNCStartServer USR Variant CnC Beacon"; flow:established,to_server; dsize:<100; content:"|00 00 00 19 00 00 00|"; offset:1; depth:7; content:"|01 00 00|"; distance:1; within:3; content:"USR-"; distance:1; within:4; fast_pattern; content:"|00|"; endswith; reference:md5,d66956e0ee70a60e19a4f310339d28a9; classtype:command-and-control; sid:2035523; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2019_12_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Bit.do Shortened Link Request to EXE"; flow:established,to_client; flowbits:isset,ET.bit.do.shortener; http.stat_code; content:"30"; depth:2; http.location; content:".exe"; isdataat:!1,relative; classtype:misc-activity; sid:2029550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_02_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=sarymar.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029083; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baraka Ransomware CnC activity email SMTP"; flow:established,to_server; content:"|0d 0a 0d 0a|info=/*****/ Drive|20|"; fast_pattern; content:"&key="; distance:0; content:"&userid="; distance:0; classtype:command-and-control; sid:2029552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=benreat.com"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029084; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>600; content:"/ecp/"; startswith; content:"__VIEWSTATEGENERATOR="; distance:0; content:"__VIEWSTATE="; distance:0; reference:url,www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keyscve; reference:cve,2020-0688; reference:url,www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/; classtype:attempted-admin; sid:2029540; rev:2; metadata:affected_product Web_Server_Applications, attack_target SMTP_Server, created_at 2020_02_26, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_03_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=planlamaison.com"; bsize:19; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029085; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Possible Ostap Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?min="; content:"&sin="; distance:0; fast_pattern; content:"&p="; distance:0; content:"&i="; distance:0; content:"k="; distance:0; content:"&r="; distance:0; http.header_names; content:!"Referer"; reference:md5,5824579789e3e7d5c3ad49b8652c80aa; classtype:trojan-activity; sid:2029553; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=teamchuan.com"; bsize:16; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029086; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (\xa4)"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20 a4 0d 0a|"; fast_pattern; http.user_agent; content:"|a4|"; bsize:1; classtype:bad-unknown; sid:2029554; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_03_02, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_03_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=tedxns.com"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029087; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Domain (webscriptly .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"webscriptly.com"; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029567; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=athery.bit"; bsize:13; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029088; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rdmsom.com"; nocase; endswith; classtype:domain-c2; sid:2029555; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=babloom.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029089; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"higamebit.com"; bsize:13; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029561; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (PyXie)"; flow:established,to_client; tls.cert_subject; content:"CN=floppys.bit"; bsize:14; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html; classtype:domain-c2; sid:2029090; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, malware_family PyXie, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"kingdomain.site"; bsize:15; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.request_body; content:"Webcookie="; startswith; pcre:"/^[a-z0-9/%=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:md5,c2262e46153ac59a72bcb96a35c262da; classtype:command-and-control; sid:2029097; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, signature_severity Major, updated_at 2019_12_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"bitgamego.com"; bsize:13; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Started"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|started|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029103; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2019_12_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jtbcsupport.site"; bsize:16; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JsOutProx CnC Activity - Outbound"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"5f7c5f"; depth:35; content:"5f7c5f"; distance:72; within:6; content:"5f7c5f4d6963726f736f66742057696e646f7773"; distance:0; fast_pattern; http.content_type; content:"x-www-form-urlencoded"; nocase; threshold:type limit, track by_dst, count 1, seconds 30; classtype:command-and-control; sid:2034289; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family jsoutprox, signature_severity Major, tag RAT, updated_at 2019_12_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"helloking.site"; bsize:14; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JsOutProx CnC Activity - Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; bsize:<30; content:"5f7c5f"; endswith; fast_pattern; http.content_type; content:"image/jpeg"; bsize:10; threshold:type limit, track by_src, count 1, seconds 30; classtype:command-and-control; sid:2034290; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family jsoutprox, signature_severity Major, tag RAT, updated_at 2019_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2020-03-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uskkes1="; depth:8; nocase; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.3 Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3f 36 90|"; depth:6; content:"|3f 7a cd 3d 69 c0 3d|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=into-box.com"; nocase; endswith; classtype:domain-c2; sid:2029568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.3 Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3f 36 90|"; depth:6; content:"|69 81 60 6b 92 6d 6b|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established,to_server; http.user_agent; content:"easyhttp client"; bsize:15; classtype:bad-unknown; sid:2029569; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.3 Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3f 36 90|"; depth:6; content:"|92 2c 36 90 3f 3b 90|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029138; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING EXE Downloaded from Github"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"|0d 0a|X-GitHub-Request-Id|0d 0a|"; fast_pattern; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:misc-activity; sid:2029573; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_03_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.2 Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|31 69 f6|"; depth:6; content:"|31 25 ab 33 36 a6 33|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029139; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|S|00|h|00|a|00|r|00|p|00|E|00|x|00|e|00|c|00 2e 00|e|00|x|00|e|00 20|"; distance:0; fast_pattern; content:"M|00|y|00|P|00|@|00|s|00|s|00|w|00|0|00|r|00|d"; distance:0; reference:url,github.com/anthemtotheego/SharpExec; classtype:trojan-activity; sid:2029574; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.2 Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|31 69 f6|"; depth:6; content:"|36 e7 6e 34 f4 63 34|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029140; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CROSSWALK CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/QUERY/"; http.header; content:"dCy|3a 20|"; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})\d(?:\r\n)?$/RHmi"; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2029570; rev:2; metadata:created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family CROSSWALK, performance_impact Low, signature_severity Major, updated_at 2020_03_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AZORult v3.2 Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|31 69 f6|"; depth:6; content:"|f4 22 69 f6 31 64 f6|"; distance:0; fast_pattern; classtype:command-and-control; sid:2029141; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (avast .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip-info.ff.avast.com"; fast_pattern; classtype:policy-violation; sid:2029575; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Exfil (2019-12-12)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/info1.php?id=ZG9jdW1lbnRfbmFtZTp"; fast_pattern; http.header_names; content:!"Referer"; reference:url,twitter.com/D3LabIT/status/1205066800054128641; reference:md5,649c2d11a4a58f0101ed016c73355e32; classtype:command-and-control; sid:2029142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-data/?m="; fast_pattern; startswith; pcre:"/&p=[a-z0-9]{12}(?:&v=[a-z0-9\.-]{1,24})?$/Ri"; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/103fc941-f115-4731-b6fc-f56a82ed6813/; classtype:trojan-activity; sid:2029583; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M1"; flow:established,to_server; http.uri; content:"/ixset.php?ip="; startswith; fast_pattern; content:"&mcid=1"; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_12;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris botnet"; fast_pattern; classtype:attempted-admin; sid:2029577; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_05, deployment Perimeter, signature_severity Minor, updated_at 2020_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1$/Rsi"; content:"=1"; endswith; http.request_body; content:"info|7c|"; startswith; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris botnet"; fast_pattern; classtype:web-application-attack; sid:2029578; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_05, deployment Perimeter, signature_severity Major, updated_at 2020_03_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=zip$/Rsi"; content:"=1&type=zip"; endswith; fast_pattern; http.content_len; byte_test:0,>,800,0,string,dec; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Magniber Ransomware Retrieving Instructions"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0a 3c|title|3e|My Decryptor|3c 2f|title|3e 0a|"; fast_pattern; content:"MY DECRYPTOR|3c 2f|td|3e|"; distance:0; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:command-and-control; sid:2029579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_03_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=filter$/Rsi"; content:"=1&type=filter"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029149; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2019_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.myttae User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Gdog|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2029584; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, signature_severity Major, updated_at 2020_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ShivaGood Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ip="; startswith; content:"&pcname="; distance:0; content:"&username="; distance:0; content:"&privatekey="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,ee732410b7389a047177b2e730742f8d; classtype:command-and-control; sid:2029177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family ShivaGood, signature_severity Major, tag Ransomware, updated_at 2019_12_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (heil_moloch)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|heil_moloch|0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,20d30443181cd84b81f5e041b0eb5143; classtype:trojan-activity; sid:2029585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, signature_severity Major, updated_at 2020_03_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap1-acl.net"; nocase; endswith; reference:md5,9d71bc8643b0e309ea1d91903aea6555; classtype:domain-c2; sid:2029182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.uri.raw; content:"&p1="; http.request_line; content:"GET|20|///?m="; fast_pattern; http.user_agent; content:"Mozilla/5|2e|0|20|(Windows|20|NT|20|6|2e|1|3b||20|Trident/7|2e|0|3b 20|rv|3a|11|2e|0)|20|like|20|Gecko"; reference:url,blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/; classtype:trojan-activity; sid:2029586; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DiamondFox HTTP Post CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"="; offset:3; depth:1; content:"&q="; distance:0; content:"&proc="; distance:0; content:"&soft="; distance:0; content:"&rt="; distance:0; content:"&er="; distance:0; isdataat:!2,relative; http.header_names; content:!"Referer"; reference:url,twitter.com/ViriBack/status/1203337492386082816; reference:md5,17a1f7e98731df9b74b98accb650d50e; classtype:command-and-control; sid:2029144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, malware_family DiamondFox, performance_impact Moderate, signature_severity Major, updated_at 2019_12_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) Domain in TLS SNI (imprintcenter .com)"; flow:established,to_server; tls.sni; content:"imprintcenter.com"; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029598; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MailerBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"PHPSESSID="; startswith; isdataat:!35,relative; http.request_body; content:"status=0"; bsize:8; fast_pattern; http.header_names; content:!"Referer"; reference:md5,33ae450f091a57c042e9dd99800ff6c8; classtype:command-and-control; sid:2029183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category MALWARE, malware_family MailerBot, signature_severity Major, updated_at 2019_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wget+http"; within:200; content:"sh+/"; within:200; fast_pattern; content:"rm+-rf"; within:100; classtype:bad-unknown; sid:2029589; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_09, deployment Perimeter, signature_severity Major, updated_at 2020_03_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=full.newcontest.xyz"; nocase; endswith; classtype:domain-c2; sid:2029184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in GET (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wget+http"; within:200; content:"sh+/"; within:200; fast_pattern; content:"rm+-rf"; within:100; classtype:bad-unknown; sid:2029590; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_09, deployment Perimeter, signature_severity Minor, updated_at 2020_03_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak <v20 Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|BODYdmFyIGNvbmZpZyA9IHsNCiA"; startswith; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029194; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"data=DIajqcc5lVuJpjwvr36"; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b48d220f21e545886a08f9686eb0b8c5; reference:url,blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html; classtype:command-and-control; sid:2029588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_03_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_bm9uY2U9"; fast_pattern; content:"dmVyc2lvbj"; distance:45; content:".html"; endswith; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029192; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc 2020-03-09)"; flow:established,to_client; tls.cert_subject; content:"CN=WW/O=YY"; bsize:10; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,bc22e03d068ee58a0b7668fced505b7b; reference:url,twitter.com/JAMESWT_MHT/status/1237028470565240832; classtype:domain-c2; sid:2029596; rev:1; metadata:attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak - Stage 2 - Response - Task"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|TASK|2d 2d|"; startswith; content:"|2d 2d|TVq"; distance:0; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029195; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mattermost API Usage"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/v4/teams/name/"; http.header; content:"|0d 0a|Authorization|3a 20|Bearer|20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; reference:md5,df7e78609dd63fe9f3be87be0e2420fa; classtype:misc-activity; sid:2029599; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_03_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Valak - Stage 2 - Response - Plugin"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|2d 2d|PLUGIN|2d 2d|"; startswith; content:"|2d 2d|PD94bWwg"; distance:0; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; http_start; content:"1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a|"; within:19; classtype:trojan-activity; sid:2015547; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2020_03_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak - Plugin Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:>60; content:"bm9uY2UyP"; fast_pattern; content:"cGx1Z2luP"; distance:55; content:".html"; endswith; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029197; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2019_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029592; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25667,47000] (msg:"ET MALWARE XServer Backdoor Communication Setup Request"; flow:established,to_server; flowbits:set,ET.XServer.cnc; flowbits:noalert; dsize:10; content:"|05 01 00 01|"; depth:4; fast_pattern; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029187; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029593; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET [25667,47000] (msg:"ET MALWARE XServer Backdoor Communication Setup Initiate"; flow:established,to_server; flowbits:isset,ET.XServer.cnc; dsize:2; content:"|18 00|"; depth:2; fast_pattern; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029188; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"jsonp=__mtz_cb_"; fast_pattern; content:"&key="; distance:0; content:"&t="; distance:0; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029600; rev:1; metadata:created_at 2020_03_09, former_category INFO, updated_at 2020_03_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET MALWARE Possible XServer Backdoor Certificate Observed"; flow:established,to_server; content:"|16|"; depth:1; content:"|55 04 06|"; distance:0; content:"|02|US|31|"; distance:1; within:4; content:"|55 04 08|"; distance:0; content:"|02|BA|31|"; distance:1; within:4; content:"|55 04 0a|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; content:"|55 04 0b|"; distance:0; content:"|04|Root|31|"; distance:1; within:6; fast_pattern; content:"|55 04 03|"; distance:0; content:"|04|Root|30|"; distance:1; within:6; reference:url,resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf; classtype:command-and-control; sid:2029190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, signature_severity Major, updated_at 2019_12_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED MonetizeUs Outbound Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/metric/?mid="; startswith; fast_pattern; content:"&wid="; distance:0; content:"&sid="; distance:0; content:"&tid="; distance:0; content:"&rid="; distance:0; pcre:"/^(?:BEFORE_OUTPUT_REQ|FINISHED|LOADED|LAUNCHED)/RU"; threshold:type limit, count 1, seconds 120, track by_src; classtype:bad-unknown; sid:2029601; rev:1; metadata:created_at 2020_03_09, former_category INFO, performance_impact Low, updated_at 2020_03_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (jssLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hidrofilms.com"; bsize:17; fast_pattern; reference:url,twitter.com/prsecurity_/status/1209710600994996224; classtype:domain-c2; sid:2029200; rev:1; metadata:attack_target Client_and_Server, created_at 2019_12_26, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX CnC Activity M1"; flow:established,to_server; http.header; content:"User-Agent|3a 20|viperSoftx_"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat.html; classtype:command-and-control; sid:2029608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, signature_severity Major, updated_at 2020_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?command="; content:"&vicID="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX CnC Activity M2"; flow:established,to_server; http.header; content:"x-header|3a 20|viperSoftx_"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat.html; classtype:command-and-control; sid:2029609; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, signature_severity Major, updated_at 2020_03_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vicID="; fast_pattern; content:"name="; content:"&os="; content:"&antivirus="; content:"&status="; http.header_names; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2019_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PXJ Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.php?token_value="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,142ed79d41f3e9551b6d2fa7bcfd1590; reference:url,securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/; classtype:command-and-control; sid:2029615; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Upatre CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=vcomdesign.com"; bsize:17; fast_pattern; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_27, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SandCat Related Communication (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hulk/___"; startswith; fast_pattern; content:".php"; within:15; endswith; http.request_body; content:"u_id="; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; classtype:trojan-activity; sid:2029621; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_12;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Upatre CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"poweruphosting.com"; bsize:18; reference:md5,f83e76c4e5185e17b23b886b3614379f; classtype:domain-c2; sid:2029202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_27, deployment Perimeter, malware_family Upatre, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_12_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipify .org)"; flow:established,to_server; http.uri; content:"/?format="; depth:9; http.host; content:"api.ipify.org"; depth:13; endswith; fast_pattern; classtype:policy-violation; sid:2029622; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ViSystem CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; fast_pattern; content:"&pwd="; content:"&cc="; content:"&fz="; content:"&df="; content:"&wlt="; http.header_names; content:!"Referer"; reference:md5,9b0aa282698db89034d254076dd03e26; classtype:command-and-control; sid:2029212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, former_category MALWARE, malware_family ViSystem, signature_severity Major, updated_at 2019_12_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity"; flow:established,to_server; urilen:17; http.method; content:"POST"; http.uri; content:"/api/socksLog/add"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"|7b 22|channelid|22 3a 22|"; startswith; nocase; fast_pattern; content:"|2c 22|content|22 3a 22|"; distance:0; content:"|2c 22|deviceid|22 3a 22|"; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c907d74ace51cec7cb53b0c8720063e1; classtype:trojan-activity; sid:2029635; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lampion CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"plug=NAO&SYS=Windows"; startswith; fast_pattern; content:"&AVS="; distance:0; content:"&USERPC="; distance:0; content:"&NAV="; distance:0; content:"&ORI="; distance:0; reference:url,seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax; classtype:command-and-control; sid:2029221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_01_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbpcstatf.stat"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c|LV|08|qbpcstatf|04|stat|7d 00|"; fast_pattern; content:"|05|crypt|18 00|"; distance:0; content:"|01 06 0a|list|3c|char|3e|"; distance:0; threshold:type limit, track by_src, count 1, seconds 60; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029632; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Operation Blue Estimate CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"_log.txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|0010::20"; fast_pattern; distance:12; within:62; reference:url,blog.alyac.co.kr/2645; classtype:command-and-control; sid:2029222; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_01_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbkpireportbakf.stat"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c|LV|0e|qbkpireportbakf|04|stat|7d 00|"; fast_pattern; content:"|05|crypt|18 00|"; distance:0; content:"|01 06 0a|list|3c|char|3e|"; distance:0; threshold:type limit, track by_src, count 1, seconds 60; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Checkin"; flow:established,to_server; content:"|7b 22 54 79 70 65 22 3a 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 2c 22 43 6f 6e 6e 65 63 74 69 6f 6e 54 79 70 65 22 3a 22 43 6c 69 65 6e 74 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:80; content:"|22 2c 22 42 6f 74 4e 61 6d 65 22 3a 22|"; distance:0; content:"|22 2c 22 42 6f 74 4f 53 22 3a 22|"; distance:0; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029218; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?logins="; http.request_body; content:"host="; depth:5; content:"&status=["; distance:0; content:"]Microsoft Windows "; distance:0; fast_pattern; content:"&globo="; distance:0; content:"&bk="; distance:0; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlo-analytics.com"; classtype:domain-c2; sid:2029225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?logins="; content:"&s="; distance:0; http.request_body; content:"host="; depth:5; content:"&bk="; distance:0; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_13;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"googlc-analytics.net"; classtype:domain-c2; sid:2029228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTTPTool User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTTPTool/"; reference:md5,6526946c39fd53dd813a8a206446e491; classtype:trojan-activity; sid:2029637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, signature_severity Major, updated_at 2020_03_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeoticus Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"supersecretstring?babyDontHeartMe="; depth:40; fast_pattern; http.user_agent; bsize:3; content:"DxD"; reference:url,twitter.com/siri_urz/status/1212724059277914112; classtype:command-and-control; sid:2029231; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=corvusaint.com"; nocase; endswith; reference:md5,eea4776399514664d888633ce72a2a8b; classtype:domain-c2; sid:2029639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AstroBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.request_body; content:"p="; startswith; content:"&id="; distance:0; isdataat:!20,relative; http.header_names; content:!"Referer"; reference:md5,3b6df3e900f8d0b757441fe682b91a3c; classtype:command-and-control; sid:2029233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, malware_family AstroBot, signature_severity Major, updated_at 2020_01_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|13.0) Gecko/2010010"; depth:58; fast_pattern; pcre:"/^[A-F0-9]{8}$/Rsi"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,23a30f6afa17f971148d9e955f65ae98; classtype:command-and-control; sid:2029640; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Higasa, signature_severity Major, updated_at 2020_03_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"m="; startswith; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&u=/Rsi"; content:"&v="; distance:0; content:"&p="; content:"&os="; content:"&os=Windows|20|"; fast_pattern; content:"&bit="; content:"&proc="; content:"&video="; content:"&av="; http.header_names; content:!"Referer"; reference:md5,4cb520ee89598a96a6df92caa8077faf; classtype:command-and-control; sid:2029235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family rarog, signature_severity Major, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/SandCat CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hpphhpph.com"; nocase; endswith; classtype:domain-c2; sid:2029642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; bsize:49; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; content:"|0d 0a|PK"; distance:0; content:"screenshot.jpg"; distance:0; http.header_names; content:!"Referer"; reference:md5,6c8357280b50bb1808ec77b0292eb22b; classtype:command-and-control; sid:2029236; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Arkei, malware_family Oski, signature_severity Major, updated_at 2020_01_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SandCat CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"u_id="; depth:5; content:"&username="; content:"&computername="; content:"&arch="; content:"&os=Microsoft Windows|20|"; content:"&local_ip_address="; content:"&global_ip_address="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; classtype:command-and-control; sid:2029643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SandCat, signature_severity Major, updated_at 2020_03_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magician/M461c14n Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup?c="; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; http.protocol; content:"1.0"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,4839223e68ed38639186038f9b07ef67; classtype:command-and-control; sid:2029237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Magician, signature_severity Major, tag Ransomware, updated_at 2020_01_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029645; rev:1; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_18, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_03_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.NZK Variant"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info=ID:__"; content:"__Key1:__"; distance:0; content:"__Key2:__"; distance:0; reference:md5,c7bbff934bd89ad39e98e2746c6e8af2; reference:url,twitter.com/GrujaRS/status/1214680560834162690; classtype:command-and-control; sid:2029240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_01_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029646; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe Style Request"; flow:established,to_server; http.uri; content:"|2f 50 30 75 72 57 61 31 74 33 5f 72 21 65 73 2f|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response"; flow: established,to_client; content:"|0d 0a 0d 0a|MZR-"; isdataat:!180; fast_pattern; http.content_type; content:"text/html|3b 20|charset=UTF-8"; endswith; bsize:24; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029644; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/TransparentTribe CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=explorer!"; fast_pattern; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"!!&"; distance:0; content:"=Microsoft+Windows+"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,77549b8211c05fdf9114b09d38e88d98; classtype:command-and-control; sid:2029242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2020_01_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-14"; flow:established,to_client; file_data; content:"<TITLE>DHL|20 7c 20|Tracking</TITLE>"; nocase; fast_pattern; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Invalid Password."; nocase; distance:0; content:"Please try again using correct details."; nocase; distance:0; classtype:credential-theft; sid:2029654; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=portofino.ug"; bsize:15; fast_pattern; reference:url,twitter.com/lazyactivist192/status/1214662422683885569; reference:md5,49a5cf0633b40d89b139ad3df85778c5; classtype:domain-c2; sid:2029245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"username="; nocase; depth:9; http_client_body; fast_pattern; content:"&pass"; nocase; http_client_body; distance:0; content:!"__utma="; classtype:credential-theft; sid:2031580; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"google-download.com"; nocase; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=get-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029648; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-google-eu.com"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=dysoool.com"; nocase; endswith; classtype:domain-c2; sid:2029649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-gmail-us.com"; nocase; bsize:16; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=clietns-download.com"; nocase; endswith; classtype:domain-c2; sid:2029650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"mozilla-yahoo.com"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=static-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-mozilla-sn45.com"; nocase; bsize:20; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fake World Health Organization COVID-19 Portal 2020-03-20"; flow:established,to_client; file.data; content:"<title>Coronavirus disease (COVID-19"; nocase; fast_pattern; content:"Verify your account details"; distance:0; nocase; content:"COVID-19 SAFETY PORTAL"; distance:0; nocase; classtype:social-engineering; sid:2029695; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_03_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"cdn-digicert-i31.com"; nocase; bsize:20; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT Initial Checkin"; flow:established,to_server; content:"|41 57 2f 44 44 48 63 6b 2f|"; startswith; fast_pattern; content:"|2d 48 63 6b|"; endswith; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif SAIGON Variant CnC Domain"; dns.query; content:"securecloudbase.com"; nocase; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html; classtype:domain-c2; sid:2029252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, malware_family SAIGON, signature_severity Major, updated_at 2020_01_10;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CoreDDRAT CnC Activity"; flow:established,to_client; dsize:18; content:"|69 6e 66 6f 2f 44 44 48 63 6b 2f 2e 44 44 2d 48 63 6b|"; fast_pattern; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Request"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p=t&p1="; startswith; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029259; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT KeepAlive Message"; flow:established,to_server; content:"|74 69 6d 65 2f 44 44 48 63 6b 2f 2e|"; startswith; fast_pattern; content:"|2d 48 63 6b|"; isdataat:!1,relative; threshold:type limit, track by_src, count 1, seconds 600; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3=Qzpc"; startswith; content:"&p=ip&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT Screenshot Exfil"; flow:established,to_server; content:"|40 2f 44 44 48 63 6b 2f 2e|"; startswith; fast_pattern; content:"|2c 2f 44 44 48 63 6b 2f 2e|"; within:100; content:"|4a 46 49 46|"; within:10; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3="; startswith; content:"&p5=Qzpc"; distance:0; content:"&p=i&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.header; content:"nhs"; nocase; http.request_body; content:"usr="; nocase; content:"&pss="; nocase; fast_pattern; content:"formimage1.x="; nocase; content:"formimage1.y="; nocase; classtype:credential-theft; sid:2029701; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Task Answer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p3="; startswith; content:"&p5="; distance:0; content:"&p=a&p1="; distance:0; fast_pattern; content:"&p2="; distance:0; content:"&p9="; distance:48; within:4; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:command-and-control; sid:2029262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, performance_impact Low, signature_severity Major, updated_at 2020_01_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sekhmet Ransomware CnC Activity"; flow:established,to_server; http.start; content:"POST /update.php?id="; startswith; fast_pattern; pcre:"/^\d+\sHTTP\//R"; http.user_agent; bsize:34; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0)"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x00$/"; reference:url,twitter.com/fbgwls245/status/1241179394405621760; reference:md5,b7ad5f7ec71dc812b4771950671b192a; classtype:command-and-control; sid:2029728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Satan/5ss5c Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:40; within:6; content:"&size="; distance:0; content:"&status="; distance:0; content:"&keyhash="; fast_pattern; reference:md5,853358339279b590fb1c40c3dc0cdb72; reference:url,twitter.com/jishuzhain/status/1216368394485800961; classtype:command-and-control; sid:2029269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, signature_severity Major, tag Ransomware, updated_at 2020_01_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"kkjjhhdff.site"; bsize:14; reference:md5,797e835bae78cfcba5fef3d075a92599; reference:md5,d374419d6d9c9c968ece8a4e337515e0; reference:url,sysopfb.github.io/malware,/buer,/smokeloader/2020/03/18/SmokeLoader.html; classtype:command-and-control; sid:2029729; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Known Key 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p1=P4YCVQER8UWpfzxVFmVSDyBLzKL3yV6c"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING UK GOV Identity Verification Phishing Landing"; flow:established,to_client; file.data; content:"|3c 74 69 74 6c 65 3e 50 72 d0 be ce bd d0 b5 20 ce a5 d0 be cf 85 72 20 c6 96 64 d0 b5 6e 74 69 74 79|"; content:"<form action=need.php"; distance:0; content:"method=post"; distance:0; classtype:social-engineering; sid:2029702; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick Known Key 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"p1=ybEsTxhqPuN4uVkemt6WjxaJN8jBdAGLxKeY9a4CnMTLSSq2"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Lets Encrypt Certificate - Possible COVID-19 Related M1"; flow:established,to_client; tls.cert_subject; content:"covid"; nocase; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029703; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick download ver1 bot"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM=&a=ips"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029272; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, signature_severity Major, updated_at 2020_01_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Lets Encrypt Certificate - Possible COVID-19 Related M2"; flow:established,to_client; tls.cert_subject; content:"corona"; nocase; fast_pattern; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick download ver2 bot"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?a=irs&x="; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category TROJAN, malware_family PowerTrick, signature_severity Major, updated_at 2020_01_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M1"; dns.query; content:"covid"; nocase; classtype:bad-unknown; sid:2029709; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_03_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerTrick download bot known key"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?x=UDRZQ1ZRRVI4VVdwZnp4VkZtVlNEeUJMektMM3lWNmM"; reference:url,labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/; classtype:trojan-activity; sid:2029274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family PowerTrick, signature_severity Major, updated_at 2020_01_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Checkin (DesktopPreview)"; flow:established,to_server; content:"DesktopPreview|7c 7c|"; depth:16; fast_pattern; isdataat:1000,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_03_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Possible PowerSploit/PowerView .ps1 Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"PowerSploit File|3a 20|PowerView.ps1"; within:200; fast_pattern; content:"function New-InMemoryModule"; distance:0; isdataat:5000,relative; classtype:trojan-activity; sid:2029275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|"; http.uri; content:"/apply.cgi"; startswith; http.request_body; content:"change_action=gozila_cgi"; fast_pattern; content:"submit_type=language"; content:"&ui_language="; pcre:"/^[(?:\x60|%60)(?:\x27|%27)]/R"; reference:url,nstarke.github.io/0034-linksys-wrt54g-v3.1-writeup.html; classtype:attempted-admin; sid:2029734; rev:1; metadata:created_at 2020_03_24, former_category EXPLOIT, updated_at 2020_03_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Double Base64 Encoded Executable Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|"; depth:100; content:"GVYTjBaVzB"; distance:0; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029277; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file.data; content:"function unhideBody()"; nocase; fast_pattern; content:"var bodyElems = document.getElementsByTagName(|22|body|22|)|3b|"; nocase; content:"bodyElems[0].style.visibility =|20 22|visible|22 3b|"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; content:"method="; nocase; pcre:"/^["']?post/Ri"; classtype:social-engineering; sid:2029732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Containing Possible Base64 Encoded Powershell Inbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|JE"; depth:100; fast_pattern; isdataat:300,relative; classtype:trojan-activity; sid:2029278; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file.data; content:"<title>Microsoft _Official_Support"; classtype:social-engineering; sid:2029733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_03_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Certificate Base64 Encoded Executable Inbound"; flow:established,to_client; file.data; content:"-----BEGIN CERTIFICATE-----|0d 0a|TVqQ"; depth:100; fast_pattern; isdataat:1000,relative; classtype:trojan-activity; sid:2029280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.request_body; content:"phone="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&contactSubmit=Verify"; distance:0; fast_pattern; isdataat:!1,relative; classtype:credential-theft; sid:2029700; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Init Activity"; flow:established,to_server; dsize:16; content:"ggin|00 00 00 00 13 3e 00 00 00 00 00 00|"; startswith; endswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029282; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn.javacon.eu"; nocase; endswith; classtype:domain-c2; sid:2029730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Activity (Outbound)"; flow:established,to_server; content:"ggin|0b 00 00 00|"; startswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029283; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET MALWARE Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 00 00  00 00 00 00|"; depth:12; fast_pattern; reference:md5,16b4b114f6ccfff008de265d535656a2; classtype:command-and-control; sid:2029731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family RaaLoader, signature_severity Major, updated_at 2020_03_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/MillionLoader CnC Activity (Inbound)"; flow:established,from_server; content:"ggin|00 00 00 00 00|"; startswith; reference:md5,957f3749d062e76f9cb1f05edf929168; classtype:command-and-control; sid:2029284; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, malware_family MillionLoader, signature_severity Major, updated_at 2020_01_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"n2019cov.000webhostapp.com"; bsize:26; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:domain-c2; sid:2029735; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M2"; flow:established,to_server; urilen:11; http.method; content:"GET"; http.uri; content:"/ixpkey.php"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; metadata: former_category MALWARE; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029285; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"menamn="; depth:7; nocase; content:"&talk="; nocase; distance:0; content:"|25|40"; distance:0; content:"&onehundr="; nocase; distance:0; content:"&pullfilk="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M3"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/ixptexts.php"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"/continue_bnb.php"; nocase; fast_pattern; isdataat:!1,relative; http.header; content:"airbnb"; nocase; content:"covid"; nocase; classtype:credential-theft; sid:2029738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M4"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/setad.php"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029287; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Milum CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|md="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"md="; startswith; content:"&nk="; distance:0; content:"&val="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,17b1a05fc367e52aada7bde07714666b; reference:url,securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/; classtype:command-and-control; sid:2029739; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CrownAdPro CnC Activity M5"; flow:established,to_server; urilen:<20; http.method; content:"GET"; http.uri; content:"/ixlive.php?uid="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:url,twitter.com/ViriBack/status/1204883534764077057; reference:md5,514d11884ed88780710f5a84bbb523c7; classtype:command-and-control; sid:2029288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<script>parent.location='https://www.airbnb.com/help/article/2701/extenuating-circumstances-policy-and-the-coronavirus"; fast_pattern; classtype:credential-theft; sid:2029747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; pcre:"/^[A-Za-z0-9\/\.=]{250,}$/R"; http.user_agent; content:"Naruto Uzumake"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:command-and-control; sid:2029290; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; http.request_line; content:"GET|20|/include/template/isx.php|20|HTTP/1.1"; fast_pattern; bsize:38; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.user_agent; content:" Java/"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile; classtype:command-and-control; sid:2029740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Nemty Ransomware Payment Page"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<title>Ransom</title>"; content:">Your files are encrypted?<"; distance:0; content:">Upload NEMTY_"; distance:0; fast_pattern; classtype:trojan-activity; sid:2029291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen:>235; http.request_line; content:"GET|20|/themes/index.php?id="; fast_pattern; http.uri; content:"/themes/index.php?id="; startswith; pcre:"/^[a-z]{200,}$/Rs"; http.accept; content:"image/jpeg, application/*"; bsize:25; reference:url,github.com//rsmudge/Malleable-C2-Profiles/blob/master/crimeware/magnitude.profile; classtype:command-and-control; sid:2029741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemty Ransomware Payment Page ID File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|userfile|22 3b 20|filename=|22|NEMTY_"; fast_pattern; reference:md5,227bd2d9b55951828ebaed09ea561311; classtype:trojan-activity; sid:2029292; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_01_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (xPCAP)"; flow:established,to_server; http.user_agent; content:"xPCAP"; bsize:5; classtype:bad-unknown; sid:2029748; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=borrdrillling.com"; bsize:20; fast_pattern; reference:md5,0407b500adcaafe09cc3280d6d02794f; classtype:domain-c2; sid:2029295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|DVRBOT"; fast_pattern; classtype:attempted-admin; sid:2029759; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_29, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Adzq41ceq52e353512hSfj"; fast_pattern; http.request_body; content:"key|3a|"; startswith; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|DVRBOT"; fast_pattern; classtype:web-application-attack; sid:2029760; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MilkyBoy CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|payload|22 3b 20|filename=|22|payload|22 0d 0a 0d 0a|PK"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,a2f1df729688e1796aa11c426d197aeb; classtype:command-and-control; sid:2029294; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family MilkyBoy, signature_severity Major, updated_at 2020_01_17;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|iamdelta"; fast_pattern; classtype:attempted-admin; sid:2029763; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_30, deployment Perimeter, signature_severity Minor, updated_at 2020_03_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=az.borrdrillling.com"; bsize:23; fast_pattern; reference:md5,7ad0081f61002bf67b852dc5d212f2e4; classtype:domain-c2; sid:2029296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_17, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|iamdelta"; fast_pattern; classtype:web-application-attack; sid:2029764; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_30, deployment Perimeter, signature_severity Major, updated_at 2020_03_30;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns_query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern; http.method; content:"POST"; http.uri; content:"/update_device"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"udid="; startswith; content:"&brand="; distance:0; content:"&model="; distance:0; content:"&os="; distance:0; content:"&osversion="; nocase; distance:0; content:"&x="; distance:0; content:"&y="; distance:0; content:"&sdcard="; distance:0; content:"&cid="; distance:0; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:command-and-control; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family lightspy, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jqueryextplugin.com"; classtype:domain-c2; sid:2029301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_01_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"myinfoart.xyz"; bsize:13; reference:md5,4cc43c345aa4d6e8fd2d0b6747c3d996; classtype:domain-c2; sid:2029751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_30;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jquerysmartstack.com"; classtype:domain-c2; sid:2029304; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Http-connect)"; flow:established,to_server; http.user_agent; content:"Http-connect"; bsize:12; classtype:bad-unknown; sid:2029752; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik - IRC CnC Checkin"; flow:established,to_server; dsize:<250; content:"NICK|20|"; startswith; content:"|0a|USER|20|muhstik"; distance:0; content:"|20 3a|muhstik-"; distance:0; fast_pattern; pcre:"/^\d+\x0a$/R"; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:command-and-control; sid:2029319; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family Muhstik, performance_impact Low, signature_severity Major, tag IRC, updated_at 2020_01_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Apple-iPhone7C2/1202.466|3b 20|U|3b 20|CPU like Mac OS X|3b 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,8a47ed652ce8c2dee39c8fa8fcb3fa9d; classtype:command-and-control; sid:2029768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:".php?"; content:"=ID:_"; distance:0; content:"___Key|3a|___"; distance:0; fast_pattern; http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|NoIr_x.86/"; fast_pattern; classtype:attempted-admin; sid:2029769; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M2"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"data.php?info="; fast_pattern; pcre:"/^[A-Za-z0-9\?=]{25,}$/Rsi"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|NoIr_x.86/"; fast_pattern; classtype:web-application-attack; sid:2029770; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_31, deployment Perimeter, signature_severity Major, updated_at 2020_03_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID:__"; content:"___Key1|3a|___"; content:"___Key2|3a|___"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.header_names; content:!"Referer"; reference:md5,b3bc3fe63fad42ae8bcd448b8aec3e3e; classtype:command-and-control; sid:2029234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_01_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Shadowcoin Cryptocurrency UA Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ShadowCoin"; fast_pattern; classtype:misc-activity; sid:2029771; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x86 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029330; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Willowcoin Cryptocurrency UA Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|WillowCoin"; fast_pattern; classtype:misc-activity; sid:2029772; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x64 Executable Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Internal, signature_severity Major, updated_at 2020_01_29;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Covid19 Spam Template 1 Active - Outbound Email Spam"; flow:to_server,established; content:"Subject|3a 20|"; pcre:"/^(?:The White House|And increasing numbers|Drivers for a parcel|The Italian region worst hit|Although Interpol issued|President Donald Trump|Restaurants are still allowed|A paper released on Friday)/R"; content:"receive|20|further|20|updates.Please"; distance:0; fast_pattern; byte_test:1,!=,0x20,0,string,hex,relative; classtype:command-and-control; sid:2029773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_03_31, former_category MALWARE, malware_family Tofsee, updated_at 2020_03_31;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, signature_severity Major, updated_at 2020_01_29;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Malformed Spam Template String"; flow:to_server,established; content:"receive|20|further|20|updates.Please"; fast_pattern; byte_test:1,!=,0x20,0,string,hex,relative; threshold:type threshold, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2029774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_03_31, former_category MALWARE, malware_family Tofsee, updated_at 2020_03_31;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys File Transfer Over SMB"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Unique Email Body Byte Sequence Observed"; flow:to_server,established; content:"|0d 0a 0d 0a 3d 32 30 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 53 0d 0a|"; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2029775; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_03_31, former_category MALWARE, malware_family Tofsee, updated_at 2020_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"antivirus-update.top"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/; classtype:domain-c2; sid:2029326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M2"; flow:to_server,established; content:"coronavirus"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029777; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hisoka CnC Domain Observed in DNS Query"; dns.query; content:"google-update.com"; bsize:17; nocase; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029328; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_01_29;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M3"; flow:to_server,established; content:"covid19"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029778; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Winnti TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, signature_severity Major, updated_at 2020_01_31;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M4"; flow:to_server,established; content:"corona virus"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029779; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Winnti TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:".dnslookup.services"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029343; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M5"; flow:to_server,established; content:"covid-19"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029780; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti TLS SNI Observed"; flow:established,to_server; tls.sni; content:".dnslookup.services"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029344; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Covid19 Themed Email Spam Outbound M6"; flow:to_server,established; content:"sars-cov-2"; nocase; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:bad-unknown; sid:2029781; rev:2; metadata:created_at 2020_03_31, former_category HUNTING, updated_at 2020_03_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti TLS SNI Observed"; flow:established,to_server; tls.sni; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029345; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Growtopia Hack - WrongGrow CnC Activity"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|20|HeySurfer#1234"; fast_pattern; reference:md5,b76a144f412b680e6a04ee4f4fbcf000; classtype:bad-unknown; sid:2029784; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category GAMES, signature_severity Informational, updated_at 2020_04_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".livehost.live"; nocase; isdataat:!1,relative; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_01_31;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Linux/Agent.HX CnC Activity (set)"; flow:established,to_server; flowbits:set,ET.LinuxAgent.HX; content:"onlineLinux"; startswith; nocase; fast_pattern; content:"|2a 2f 2a|"; distance:0; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029785; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC - BotKiller Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"BotKiller"; bsize:9; fast_pattern; http.request_body; content:"info=killStatus|3a|"; startswith; content:"|20|remStatus|3a|"; content:"|20|remDLLStatus|3a|"; content:"|20|clearIEStatus|3a|"; content:"|20|regResetStartup|3a|"; content:"|20|regDeleteCred|3a|"; http.header_names; content:!"Referer"; reference:md5,fbf2d69aa6ae5da73a5024f80c593f92; reference:url,fr3d.hk/blog/amadey-malware-default-crededentials; classtype:command-and-control; sid:2029341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Amadey, signature_severity Major, updated_at 2022_05_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Linux/Agent.HX CnC Activity M1"; flow:established,to_server; flowbits:isset,ET.LinuxAgent.HX; flowbits:unset,ET.LinuxAgent.HX; dsize:9; content:"beatHeart"; fast_pattern; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029786; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern; pcre:"/^\d{2,4}$/UR"; http_start; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla"; content:"|0d 0a|Host|3a| "; within:100; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:60; http_header_names; content:!"Accept"; flowbits:set,ET.fakealert.rena.n; flowbits:noalert; classtype:command-and-control; sid:2013419; rev:5; metadata:created_at 2011_08_18, former_category MALWARE, updated_at 2020_02_04;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Linux/Agent.HX CnC Activity M2"; flow:established,to_client; flowbits:isset,ET.LinuxAgent.HX; flowbits:unset,ET.LinuxAgent.HX; dsize:9; content:"beatHeart"; fast_pattern; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029787; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoPatronum Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; startswith; content:"&username="; distance:0; content:"&pname="; distance:0; content:"&kid="; distance:0; fast_pattern; content:"&ppath="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,429ba4a470eb2f3c0ce6678745bc8d8e; classtype:command-and-control; sid:2029349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Start+Process"; nocase; distance:0; classtype:credential-theft; sid:2029782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M6 (set)"; flow:established,to_server; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:set,ET.Parallax-6; flowbits:noalert; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability (FR) Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Lancer+le+Processus"; nocase; distance:0; classtype:credential-theft; sid:2029783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M6"; flow:established,to_client; content:"|eb 7d df 9f|"; depth:4; fast_pattern; content:"|32 c3 8a|"; distance:1; within:3; flowbits:isset,ET.Parallax-6; reference:md5,7babfff27d7aee0ceec438080e034fa0; classtype:command-and-control; sid:2029353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, signature_severity Major, updated_at 2020_02_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01"; flow:established,to_client; file.data; content:"$(|22|#sin|22|).keyup(function(e){"; nocase; fast_pattern; content:"<title>Confirmez Votre Identit"; nocase; content:"href=|22|./details_files/"; nocase; content:"<input type=|22|tel|22 20|name=|22|SN|22|"; nocase; classtype:social-engineering; sid:2029788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Patchwork CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=CN, ST=neijing, O=Internet Widgits Pty Ltd, emailAddress=s"; bsize:60; reference:url,twitter.com/blackorbird/status/1225002203221393411; classtype:domain-c2; sid:2029394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01"; flow:established,to_client; file.data; content:"$(|22|#sin|22|).keyup(function(e){"; nocase; content:"<title>COVID-19 Check your eligibility"; nocase; fast_pattern; content:"href=|22|./details_files/"; nocase; content:"<input type=|22|tel|22 20|name=|22|SN|22|"; nocase; classtype:social-engineering; sid:2029789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 TONEDEAF 2.0 Requesting Commands from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow?ser="; startswith; fast_pattern; pcre:"/^[a-z0-9]{6}$/RUi"; http.user_agent; content:"Windows|20|Phone|20|OS"; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
 
-alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2"; flow:established,to_server; tls.sni; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; classtype:bad-unknown; sid:2029708; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 TONEDEAF 2.0 Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upl?ser="; startswith; fast_pattern; pcre:"/^=?[a-z0-9]{6}$/RUi"; http.user_agent; content:"Windows|20|Phone|20|OS"; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible COVID-19 Domain in SSL Certificate M1"; flow:established,to_client; tls.cert_subject; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; classtype:bad-unknown; sid:2029705; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT34 TONEDEAF 2.0 User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Windows|20|Phone|20|OS"; content:"|3b 20|IEMoblie|2f|9.0|29|"; endswith; fast_pattern; reference:md5,a0324fa4f2d9d2f04ea4edad41160da6; classtype:command-and-control; sid:2029384; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family TONEDEAF, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello/"; fast_pattern; classtype:attempted-admin; sid:2029792; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Minor, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MINEBRIDGE/MINEDOOR CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g4t3_indata.php"; endswith; fast_pattern; http.request_body; content:"uuid="; content:"&pass="; distance:0; content:"&username="; distance:0; content:"&pcname="; distance:0; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:command-and-control; sid:2029393; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, updated_at 2020_02_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello/"; fast_pattern; classtype:web-application-attack; sid:2029793; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:13; content:"/cnc/register"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 7d|"; distance:36; within:2; endswith; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (download command)"; flow:established,to_client; dsize:13; content:"ZG93bmxvYWQ=|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029795; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Sending Task Results"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:17; content:"/cnc/tasks/result"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 2c 22|"; distance:36; within:3; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (upload command)"; flow:established,to_client; dsize:9; content:"dXBsb2Fk|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029796; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork Backdoor - Requesting Task"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/cnc/tasks/request"; fast_pattern; http.request_body; content:"|7b 22|host_identifier|22 3a 22|"; startswith; content:"|22 7d|"; distance:36; within:2; endswith; reference:url,app.any.run/tasks/d6f9aecc-42be-4703-aadd-572ed1f4573f/; reference:url,twitter.com/JAMESWT_MHT/status/1225014535591026688; classtype:command-and-control; sid:2029397; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Backdoor, performance_impact Low, signature_severity Major, tag Patchwork, updated_at 2020_02_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (screenshot command)"; flow:established,to_client; dsize:17; content:"c2NyZWVuc2hvdA==|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029797; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Request (Stackoverflow Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"Cookie"; http.cookie; content:"prov="; startswith; content:"_ga=GA1.2.9924|3b|_gat=1|3b|__qca=P0-214459"; endswith; reference:url,github.com/xx0hcd/Malleable-C2-Profiles; classtype:command-and-control; sid:2029381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (keylogger start)"; flow:established,to_client; dsize:21; content:"a2V5bG9nZ2VyX3N0YXJ0|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029798; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Satan Cryptor GeoIP Lookup"; flow:established,to_server; content:"GET /json/ HTTP/1.1|0d 0a|Host|3a 20|extreme-ip-lookup.com|0d 0a|User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a 0d 0a|"; depth:107; isdataat:!1,relative; reference:md5,057aad993a3ef50f6b3ca2db37cb928a; classtype:trojan-activity; sid:2029399; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Satan_Cryptor, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (persistence enable)"; flow:established,to_client; dsize:25; content:"cGVyc2lzdGVuY2VfZW5hYmxl|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029799; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Wifi Bruter Module Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/230238982BSBYKDDH938473938HDUI33/index.php"; bsize:43; fast_pattern; http.request_body; content:"c="; startswith; content:"|3a|"; distance:0; http.header_names; content:!"Referer"; reference:url,www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader; classtype:command-and-control; sid:2029398; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_07, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_02_07;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (getos)"; flow:established,to_client; dsize:9; content:"Z2V0b3M=|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029800; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TinyNuke Variant CnC) 2020-02-09"; flow:established,to_client; tls.cert_subject; content:"C=US, CN=thoughtlibrary.top/L=new york/O=new york/OU=new york/ST=new york/emailAddress=admin@thoughtlibrary.top"; bsize:111; fast_pattern; reference:url,twitter.com/P3pperP0tts/status/1226493807061094406; classtype:domain-c2; sid:2029400; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (openurl)"; flow:established,to_client; dsize:13; content:"b3BlbnVybA==|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029801; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT40/Dadstache Stage 2 Payload Beacon"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:".png|22 0d 0a|Content-Type: video/JPEG|0d 0a 0d 0a 89 50 4e 47|"; distance:0; fast_pattern; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; reference:md5,9cf5fb135c3cc29e79b2a1c78233934b; classtype:targeted-activity; sid:2029420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ping.php"; endswith; http.request_body; content:"|7b 22|DATA|22 3a 7b 22|DEVICE_ID|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|TAG|22 3a 22|"; within:25; content:"|22|CC_GRABBER|22 3a|"; distance:0; reference:md5,849796248bfe2560039f6986c83f43d6; reference:md5,a8dd3cd7860f3fd2d34a33b0c87bd615; reference:url,twitter.com/PAsinovsky/status/1245790690946285569; classtype:command-and-control; sid:2029811; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_04_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader CnC Checkin (getid)"; flow:to_server; content:"$"; content:"-S-"; distance:0; nocase; content:"|05|getid|00 00 10 00 01|"; distance:0; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBE Script (COVID-19 Phish 2020-04-03)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id=covid"; fast_pattern; depth:8; http.user_agent; content:"Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http.header_names; content:!"Referer"; reference:md5,7d9a1ed7057e1b5c574ddccc9d45c3eb; classtype:trojan-activity; sid:2029812; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (gettasks)"; flow:to_server; threshold:type both, track by_src, count 30, seconds 60; content:"|08|gettasks|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029408; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029790; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Minor, updated_at 2020_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (getupdates)"; flow:to_server; threshold:type both, track by_src, count 30, seconds 60; content:"|0a|getupdates|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029791; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Major, updated_at 2020_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (reporttask)"; flow:to_server; content:"|0a|reporttask|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029410; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; depth:47; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029804; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_04_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mozart Loader Command Request (reportupdates)"; flow:to_server; content:"|08|reportupdates|00 00 10 00 01|"; fast_pattern; reference:md5,cb20d25c5e5e31ffaa8101449d50745a; classtype:domain-c2; sid:2029411; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, malware_family MozartLoader, signature_severity Major, updated_at 2020_02_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; depth:47; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029805; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_04_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Command)"; flow:established,to_client; file.data; content:"dfff0a7fa1a55c8c1a4966c19f6da452|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029806; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_04_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Download)"; flow:established,to_client; file.data; content:"51a7a76a7dd5d9e4651fe3d4c74d16d6|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_04_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Response (Screenshot)"; flow:established,to_client; file.data; content:"62c92ba585f74ecdbef4c4498a438984|3b|"; depth:33; isdataat:!1,relative; fast_pattern; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029434; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC BOTNET|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029808; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_03, deployment Perimeter, signature_severity Minor, updated_at 2020_04_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi CnC Activity (Upload)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_multipart_boundary|0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|JkjdaEWQTTTu"; fast_pattern; distance:0; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:command-and-control; sid:2029435; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_02_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC BOTNET|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029809; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_03, deployment Perimeter, signature_severity Major, updated_at 2020_04_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/GRIFFON CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=landscapesboxdesign9.com"; nocase; endswith; classtype:domain-c2; sid:2029449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (cmd_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/cmd_exec"; startswith; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029816; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X2000M.Agent Checkin Jan 24 2017"; flow:established,to_server; http.user_agent; content:"v7v7v7v7v7v7v7v7v7v7v7v7"; startswith; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (powershell_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/powershell_exec"; startswith; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|command|22 0d 0a 0d 0a|"; content:"form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AgentTesla CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=effetka.com"; bsize:14; fast_pattern; reference:url,twitter.com/0xCARNAGE/status/1228109444883664896; classtype:domain-c2; sid:2029469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (rdp_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/rdp_exec?command="; startswith; fast_pattern; content:"&status="; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"indox.php?v="; fast_pattern; pcre:"/^(?:pe|pp|s)$/R"; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (update_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/update_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Exfil"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/scriptPhpServer.php"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:command-and-control; sid:2029451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (download_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/download_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029820; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky Related Download"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/IERinstal.a"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20|(compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5)"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; classtype:trojan-activity; sid:2029452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (update)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHVwZGF0ZX"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M7 (set)"; flow:established,to_server; content:"|5e 52 4a 3b|"; startswith; fast_pattern; content:"|11 7f b6|"; distance:1; within:4; flowbits:set,ET.Parallax-7; flowbits:noalert; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:command-and-control; sid:2029455; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fGRvd25sb2Fkf"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M7"; flow:established,to_client; content:"|5e 52 4a 3b|"; startswith; fast_pattern; content:"|11 7f b6|"; distance:1; within:4; flowbits:isset,ET.Parallax-7; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:command-and-control; sid:2029456; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_02_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (powershell)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHBvd2Vyc2hlbGx8"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sarwent Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits="; distance:0; content:"&av="; distance:0; http.user_agent; content:"Opera"; depth:5; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; depth:42; isdataat:!1,relative; reference:md5,3ddc689e72faa473fa78df7302c708e8; classtype:command-and-control; sid:2029471; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (rdp)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHJkcH"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai User-Agent Observed (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Ankit|0d 0a|"; nocase; fast_pattern; classtype:web-application-attack; sid:2029472; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Billing.php?sslchannel="; fast_pattern; nocase; content:"&sessionid="; distance:0; nocase; http.request_body; content:"name="; depth:5; nocase; content:"&dob="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&telephone="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&town="; nocase; distance:0; content:"&mmn="; nocase; distance:0; classtype:credential-theft; sid:2029850; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin"; flow:established,to_server; flowbits:set,ET.sarwent.1; http.method; content:"GET"; http.uri; content:"/gate/test"; bsize:10; fast_pattern; http.user_agent; content:"Opera"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; classtype:command-and-control; sid:2029474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_02_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M8 (set)"; flow:established,to_server; content:"|7a 3e 71 73|"; depth:4; fast_pattern; content:"|cf 46 80|"; distance:1; within:3; flowbits:set,ET.Parallax-8; flowbits:noalert; reference:md5,b92a8d983864505cfb74ad9c70b3ca48; classtype:command-and-control; sid:2029814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Certificate detected (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Adobe Reader/O=Adobe"; bsize:23; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,e4224469bd75b63fa0cebd33c53b4d85; classtype:domain-c2; sid:2029491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M8"; flow:established,to_client; content:"|7a 3e 71 73|"; depth:4; fast_pattern; content:"|cf 46 80|"; distance:1; within:3; flowbits:isset,ET.Parallax-8; reference:md5,b92a8d983864505cfb74ad9c70b3ca48; classtype:command-and-control; sid:2029815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible NK APT SLICKSHOES Host Checkin"; flow:established,to_server; content:"|41 00 70 00 6f 00 6c 00 6c 00 6f 00 5a 00 65 00 75 00 73 00|"; depth:20; fast_pattern; reference:md5,b57db76cc1c0175c4f18ea059d9e2ab2; reference:url,www.us-cert.gov/ncas/analysis-reports/ar20-045b; classtype:targeted-activity; sid:2029478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful CDC Coronavirus Related Phish 2020-04-07"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location: https://www.cdc.gov"; fast_pattern; classtype:credential-theft; sid:2029827; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"session=Host|20|Name|3a|"; startswith; fast_pattern; content:"|0d 0a|OS Name|3a|"; content:"|0d 0a|Registered|20|Owner|3a|"; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING CDC Coronavirus Related Phishing Landing 2020-04-07"; flow:from_server,established; file.data; content:"<link rel=|22|icon|22 20|href=|22|https://www.cdc.gov/"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"submit=|22|return ValidateContactForm()|3b 22|"; nocase; distance:0; fast_pattern; content:"src=|22|./untitled.png|22|"; nocase; distance:0; content:"Sign in with your email"; nocase; distance:0; classtype:social-engineering; sid:2029828; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Charming Kitten Backdoor CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:19; content:"WinHTTP Example/1.0"; http.request_body; content:"server_module_name="; fast_pattern; content:"&server_task"; content:"&systemtype="; reference:md5,3d67ce57aab4f7f917cf87c724ed7dab; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029495; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Sidewinder APT User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.56)"; bsize:58; reference:url,medium.com/@Sebdraven/apt-sidewinder-complicates-theirs-malwares-4e15683e7e26; classtype:trojan-activity; sid:2029825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2020_04_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mermaid Ransomware Variant CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=ID|3a 20|"; content:"|20 20|Key1|3a 20 20|"; content:"|20 20|Key2|3a 20 20|"; fast_pattern; http.user_agent; bsize:38; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,fc78e6e58352151fb77a4b92f239d381; classtype:command-and-control; sid:2029496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sorano Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; fast_pattern; content:"&ci="; distance:0; content:"&fz="; distance:0; content:"&cr="; distance:0; content:"&ds="; distance:0; content:"&dd="; distance:0; content:"&pd="; distance:0; reference:md5,5905a17da3a04fc4a1f3de2f6d9babe2; reference:url,3xp0rt.xyz/lpmkikVic; classtype:command-and-control; sid:2029838; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Revenge-RAT Keep-Alive Activity (Outbound) M2"; flow:established,to_server; dsize:<50; content:"keepAlivePing"; startswith; content:"|40 23 25 5e 4e 59 41 4e 23 21 40 24|"; fast_pattern; endswith; reference:md5,2d03cfb7357ab919e35546adc9db167a; reference:md5,c25b797d6737751936766cd50e26d725; reference:url,twitter.com/Srujank48668412/status/1509520095068192780; classtype:command-and-control; sid:2035885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, malware_family Revenge_RAT, signature_severity Major, updated_at 2020_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DLL Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.dll; flowbits:unset,http.dottedquadhost; http.request_line; content:".dll HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027250; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Minor, updated_at 2020_04_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logs/dolodos.php?url=http://"; startswith; fast_pattern; content:"&ref="; distance:0; content:"&ip="; distance:0; content:"&bot="; distance:0; content:"&pck="; distance:0; content:"&uagent="; distance:0; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029497; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DOC Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.doc; flowbits:unset,http.dottedquadhost; http.request_line; content:".doc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027251; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//autoindex.php"; endswith; fast_pattern; http.host; content:".ddns.net"; endswith; http.header_names; content:!"Referer"; reference:url,blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/; classtype:trojan-activity; sid:2029500; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host DOCX Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.docx; flowbits:unset,http.dottedquadhost; http.request_line; content:".docx HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027252; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.top"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029510; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host XLS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.xls; flowbits:unset,http.dottedquadhost; http.request_line; content:".xls HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027253; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"pervas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029511; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host XLSX Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.xlsx; flowbits:unset,http.dottedquadhost; http.request_line; content:".xlsx HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027254; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tdreg.icu"; bsize:9; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029512; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PPT Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ppt; flowbits:unset,http.dottedquadhost; http.request_line; content:".ppt HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027255; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vtoras.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029513; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PPTX Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.pptx; flowbits:unset,http.dottedquadhost; http.request_line; content:".pptx HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027256; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piasuna.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029514; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host RTF Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.rtf; flowbits:unset,http.dottedquadhost; http.request_line; content:".rtf HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027257; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tretas.top"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029515; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027258; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, tag Phishing, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"dolodos.top"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029516; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host VBS Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.vbs; flowbits:unset,http.dottedquadhost; http.request_line; content:".vbs HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027260; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"medsource.top"; bsize:13; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029517; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host HTA Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.hta; flowbits:unset,http.dottedquadhost; http.request_line; content:".hta HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027261; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"piastas.gdn"; bsize:11; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029518; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host ZIP Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.zip; flowbits:unset,http.dottedquadhost; http.request_line; content:".zip HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027262; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"semasa.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029519; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host GZ Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.gz; flowbits:unset,http.dottedquadhost; http.request_line; content:".gz HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027263; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"devata.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029520; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host TGZ Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.tgz; flowbits:unset,http.dottedquadhost; http.request_line; content:".tgz HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027264; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PHPs Labyrinth Stage2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vosmas.icu"; bsize:10; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029521; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PDF Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.pdf; flowbits:unset,http.dottedquadhost; http.request_line; content:".pdf HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027265; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?WORD=com_"; fast_pattern; pcre:"/^[0-9A-F]{12,16}/R"; content:"&NOTE="; within:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf; reference:md5,19f24aec5c1017d162e78863cff316fa; classtype:command-and-control; sid:2029453; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host RAR Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.rar; flowbits:unset,http.dottedquadhost; http.request_line; content:".rar HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027266; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2020_04_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PHPs Labyrinth Stage1 CnC)"; flow:established,to_client; tls.cert_subject; bsize:17; content:"CN=www."; startswith; content:"rilns.com"; endswith; fast_pattern; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:domain-c2; sid:2029522; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, deployment Datacenter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-hohm.space"; bsize:23; fast_pattern; reference:url,twitter.com/w3ndige/status/1247547923845578755; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:domain-c2; sid:2029852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21)"; flow:established,to_client; tls.cert_subject; content:"CN=merystol.xyz"; nocase; endswith; classtype:domain-c2; sid:2029525; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky APT Connectivity Check via Document"; flow:established,to_server; http.header; content:".mireene.com|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.user_agent; content:"Microsoft Office Protocol Discovery"; classtype:targeted-activity; sid:2029851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, signature_severity Major, updated_at 2020_04_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 2)"; flow:established,to_client; tls.cert_subject; content:"CN=veqejzkb.xyz"; nocase; endswith; classtype:domain-c2; sid:2029526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.TRM Checkin Response"; flow:established,to_client; http.stat_code; content:"201"; http.start; content:"|0d 0a|Set-Cookie|3a 20|dkv="; fast_pattern; http.cookie; bsize:36; content:"dkv="; startswith; pcre:"/^[a-f0-9]{32}$/R"; reference:url,twitter.com/w3ndige/status/1247547923845578755; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:command-and-control; sid:2029853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-02-21 3)"; flow:established,to_client; tls.cert_subject; content:"CN=doolised.xyz"; nocase; endswith; classtype:domain-c2; sid:2029527; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for EXE via WinHTTP M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2029840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-ware.com"; nocase; endswith; classtype:domain-c2; sid:2029528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for EXE via WinHTTP M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.user_agent; content:"WinHTTP"; startswith; http.header; content:"User-Agent|3a 20|WinHTTP"; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2029841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Heartbeat Packet"; flow:established,to_server; dsize:4; content:"|61 63 6b 00|"; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for EXE via WinHTTP M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.user_agent; content:"WinHttp-Autoproxy-Service/"; startswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2029842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ObliqueRAT CnC Checkin"; flow:established,to_server; content:"|3e 57 69 6e 64 6f 77 73 20|"; fast_pattern; content:"|3e|"; distance:0; content:"|3e|"; distance:0; content:"|20|bits|3e|"; distance:0; content:"|3e|"; distance:0; content:"|3e 00|"; distance:0; isdataat:!1,relative; reference:md5,36903d471c43b5d602aefd791e25c889; reference:url,blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html; classtype:trojan-activity; sid:2029530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_24, deployment Perimeter, former_category MALWARE, malware_family ObliqueRAT, signature_severity Major, updated_at 2020_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Hardware.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Hardware.txt"; nocase; fast_pattern; classtype:bad-unknown; sid:2029843; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Ostap Maldoc Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?g="; content:"&k="; distance:0; content:"&x="; distance:0; content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*"; fast_pattern; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c53393908f80e993366deec605fe7372; classtype:trojan-activity; sid:2029539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Prgrm.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Prgrm.txt"; nocase; fast_pattern; classtype:bad-unknown; sid:2029844; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/CollectorStealer - Returning Client GeoIP Information"; flow:established,to_client; file_data; content:"IP-address|3a 20|"; depth:12; content:"_=_Country|3a 20|"; distance:0; fast_pattern; content:"_=_City|3a 20|"; distance:0; reference:md5,046dcdb20a8358faadc394e786820dd4; classtype:trojan-activity; sid:2034320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (CookiesList.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"CookiesList.txt"; nocase; fast_pattern; classtype:bad-unknown; sid:2029845; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mays-ltd.com"; nocase; endswith; classtype:domain-c2; sid:2029537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.TRM Task Command"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|7b 22|YSC|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|command|22 3a 22|"; within:20; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:command-and-control; sid:2029854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoLang Discord Token Grabber Exfil"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Go-http-client/"; startswith; http.header; content:"|0d 0a|Sharkflow|3a 20|"; fast_pattern; pcre:"/^(?:mfa\.[\w-]{84}|[\w-]{24}\.[\w-]{6}\.[\w-]{27})\x0d\x0a/R"; reference:url,twitter.com/sysopfb/status/1232830899370242048; reference:md5,1d2c1b88d8ae94c3f994d07451f6cc23; classtype:trojan-activity; sid:2029542; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category MALWARE, malware_family Stealer, performance_impact Low, signature_severity Major, updated_at 2020_02_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RocketX Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; content:"&crypto="; fast_pattern; content:"&jabber="; content:"&steam="; content:"&desktop="; content:"&discord="; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; http.header_names; content:!"Referer"; reference:md5,2fd68d384d80d53bcd63585c5a19ba98; classtype:trojan-activity; sid:2029847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, malware_family RocketX, signature_severity Major, updated_at 2020_04_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (heil_satan)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|heil_satan|0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,8b643ed45aaaf06b2d4ae99e08f3ae34; classtype:trojan-activity; sid:2029541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, signature_severity Major, updated_at 2020_02_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell - Install Tracking"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".json?V="; fast_pattern; content:"&ID="; distance:0; content:"&GUID="; distance:0; content:"&MAC="; distance:0; content:"&retry="; distance:0; content:"&pc1="; distance:0; http.header_names; content:!"Referer"; reference:url,news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/; classtype:command-and-control; sid:2029013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"atooioplapatooioplap.xyz"; bsize:24; classtype:domain-c2; sid:2029547; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"&"; distance:0; content:"-"; distance:8; within:1; content:"&"; distance:0; content:"|3a|"; distance:2; within:1; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; http.user_agent; content:"Lemon-Duck-"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,de18418e8b62e03d1feb1f9c5a53b6a0; reference:url,trapx.com/wp-content/uploads/2020/02/TrapX-Labs-Manufacturing-IOT-Report.pdf; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/; classtype:command-and-control; sid:2029848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, malware_family Lemon_Duck, signature_severity Major, updated_at 2020_04_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"atooioplap.xyz"; bsize:14; classtype:domain-c2; sid:2029548; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DACLS RAT Log Collector Download"; flow:established,to_client; file_data; content:"ELF"; offset:1; depth:3; content:"UPX|21|4"; distance:0; content:"|2f|tmp|2f|hdv"; fast_pattern; distance:0; content:"_log"; distance:20; reference:md5,982bf527b9fe16205fea606d1beed7fa; reference:md5,793ed13e95f64aa38adc964efd86f6e6; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:trojan-activity; sid:2029880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Qbot/Quakbot Downloader - Requesting Secondary Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f|uid|3d|"; http.user_agent; bsize:7; content:"WebGL3D"; fast_pattern; classtype:trojan-activity; sid:2029551; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category MALWARE, malware_family Qbot, signature_severity Major, updated_at 2020_02_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2020-04-10"; flow:established,to_client; file.data; content:"<title>Windows_Official_Support"; nocase; fast_pattern; classtype:social-engineering; sid:2029857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Major, updated_at 2020_04_10;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baraka Ransomware CnC activity email SMTP"; flow:established,to_server; content:"|0d 0a 0d 0a|info=/*****/ Drive|20|"; fast_pattern; content:"&key="; distance:0; content:"&userid="; distance:0; classtype:command-and-control; sid:2029552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>OneDrive File Viewer"; nocase; distance:0; fast_pattern; content:"document.write(unescape("; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; classtype:social-engineering; sid:2029858; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Possible Ostap Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?min="; content:"&sin="; distance:0; fast_pattern; content:"&p="; distance:0; content:"&i="; distance:0; content:"k="; distance:0; content:"&r="; distance:0; http.header_names; content:!"Referer"; reference:md5,5824579789e3e7d5c3ad49b8652c80aa; classtype:trojan-activity; sid:2029553; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029859; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Domain (webscriptly .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"webscriptly.com"; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029567; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rdmsom.com"; nocase; endswith; classtype:domain-c2; sid:2029555; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.5 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029861; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"higamebit.com"; bsize:13; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029561; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.5 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029862; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"kingdomain.site"; bsize:15; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT X-Sec Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>X-Sec Shell V."; nocase; fast_pattern; classtype:web-application-attack; sid:2029863; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"bitgamego.com"; bsize:13; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER X-Sec Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>X-Sec Shell V."; nocase; fast_pattern; classtype:web-application-attack; sid:2029864; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jtbcsupport.site"; bsize:16; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 4.2.5 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029867; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoBotKR Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"helloking.site"; bsize:14; reference:url,www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/; classtype:domain-c2; sid:2029565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 4.2.5 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029868; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=into-box.com"; nocase; endswith; classtype:domain-c2; sid:2029568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 4.2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029869; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SharpExec EXE Lateral Movement Tool Downloaded"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|S|00|h|00|a|00|r|00|p|00|E|00|x|00|e|00|c|00 2e 00|e|00|x|00|e|00 20|"; distance:0; fast_pattern; content:"M|00|y|00|P|00|@|00|s|00|s|00|w|00|0|00|r|00|d"; distance:0; reference:url,github.com/anthemtotheego/SharpExec; classtype:trojan-activity; sid:2029574; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_04;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 4.2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029870; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CROSSWALK CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/QUERY/"; http.header; content:"dCy|3a 20|"; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})\d(?:\r\n)?$/RHmi"; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2029570; rev:2; metadata:created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family CROSSWALK, performance_impact Low, signature_severity Major, updated_at 2020_03_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Kageyama Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<H1><center>Shell Kageyama</center></H1>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029871; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-data/?m="; fast_pattern; startswith; pcre:"/&p=[a-z0-9]{12}(?:&v=[a-z0-9\.-]{1,24})?$/Ri"; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/103fc941-f115-4731-b6fc-f56a82ed6813/; classtype:trojan-activity; sid:2029583; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_03_05;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Kageyama Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<H1><center>Shell Kageyama</center></H1>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029872; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris botnet"; fast_pattern; classtype:web-application-attack; sid:2029578; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_05, deployment Perimeter, signature_severity Major, updated_at 2020_03_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029873; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Magniber Ransomware Retrieving Instructions"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0a 3c|title|3e|My Decryptor|3c 2f|title|3e 0a|"; fast_pattern; content:"MY DECRYPTOR|3c 2f|td|3e|"; distance:0; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:command-and-control; sid:2029579; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_03_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029874; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.myttae User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Gdog|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2029584; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, signature_severity Major, updated_at 2020_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MINI MO Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029875; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (heil_moloch)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|heil_moloch|0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,20d30443181cd84b81f5e041b0eb5143; classtype:trojan-activity; sid:2029585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, signature_severity Major, updated_at 2020_03_06;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MINI MO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029876; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.uri.raw; content:"&p1="; http.request_line; content:"GET|20|///?m="; fast_pattern; http.user_agent; content:"Mozilla/5|2e|0|20|(Windows|20|NT|20|6|2e|1|3b||20|Trident/7|2e|0|3b 20|rv|3a|11|2e|0)|20|like|20|Gecko"; reference:url,blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/; classtype:trojan-activity; sid:2029586; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>Share Point Online"; nocase; fast_pattern; content:"ACCESS YOUR DOCUMENT"; nocase; distance:0; content:"///url email getting///"; nocase; distance:0; classtype:social-engineering; sid:2029877; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) Domain in TLS SNI (imprintcenter .com)"; flow:established,to_server; tls.sni; content:"imprintcenter.com"; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029598; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"Instagram Help Center</title>"; nocase; fast_pattern; content:"reviewed and decied your account complaited"; nocase; distance:0; classtype:social-engineering; sid:2029878; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"data=DIajqcc5lVuJpjwvr36"; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b48d220f21e545886a08f9686eb0b8c5; reference:url,blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html; classtype:command-and-control; sid:2029588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Check)"; flow:established,to_server; content:"|0d 0a 0d 0a|log=check"; fast_pattern; isdataat:!1,relative; http.method; content:"POST"; http.content_len; content:"9"; bsize:1; http.protocol; content:"HTTP/1.0"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64)"; depth:41; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029856; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc 2020-03-09)"; flow:established,to_client; tls.cert_subject; content:"CN=WW/O=YY"; bsize:10; fast_pattern; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; bsize:43; reference:md5,bc22e03d068ee58a0b7668fced505b7b; reference:url,twitter.com/JAMESWT_MHT/status/1237028470565240832; classtype:domain-c2; sid:2029596; rev:1; metadata:attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious CASPER/Mirai UA"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0   (compatible|3b|   MSIE   5.01|3b|   Windows   NT   5.0)"; bsize:63; fast_pattern; reference:url,www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf; reference:md5,ea78869555018cdab3699e2df5d7e7f8; classtype:misc-activity; sid:2029892; rev:1; metadata:created_at 2020_04_13, updated_at 2020_04_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; http_start; content:"1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a|"; within:19; classtype:trojan-activity; sid:2015547; rev:5; metadata:created_at 2012_07_31, former_category MALWARE, updated_at 2020_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDG Botnet CnC Slave POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/slave"; bsize:6; http.header_names; content:"X-Hub|0d 0a|X-Relay|0d 0a|X-Uid|0d 0a|"; http.header; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|"; fast_pattern; reference:url,blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/; reference:md5,e956e5b97cd0b73057980d735ee92974; classtype:command-and-control; sid:2029895; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX CnC Activity M1"; flow:established,to_server; http.header; content:"User-Agent|3a 20|viperSoftx_"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat.html; classtype:command-and-control; sid:2029608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, signature_severity Major, updated_at 2020_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDG Botnet CnC Job Request"; flow:established,to_server; http.request_line; content:"GET /jobs"; depth:9; fast_pattern; http.header_names; content:"X-Hub|0d 0a|X-Port|0d 0a|X-Relay|0d 0a|X-Uid|0d 0a|"; http.header; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|"; reference:url,blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/; reference:md5,e956e5b97cd0b73057980d735ee92974; classtype:command-and-control; sid:2029894; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ViperSoftX CnC Activity M2"; flow:established,to_server; http.header; content:"x-header|3a 20|viperSoftx_"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat.html; classtype:command-and-control; sid:2029609; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, signature_severity Major, updated_at 2020_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>"; fast_pattern; classtype:web-application-attack; sid:2029882; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PXJ Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.php?token_value="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,142ed79d41f3e9551b6d2fa7bcfd1590; reference:url,securityintelligence.com/posts/pxj-ransomware-campaign-identified-by-x-force-iris/; classtype:command-and-control; sid:2029615; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDG Botnet Miner Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static"; startswith; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header; content:"Goarch|3a 20|amd64|0d 0a|"; fast_pattern; http.header_names; content:"|0d 0a|X-Hub|0d 0a|"; content:"|0d 0a|X-Relay|0d 0a|"; content:"|0d 0a|X-Uid|0d 0a|"; reference:url,blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/; reference:md5,e956e5b97cd0b73057980d735ee92974; classtype:command-and-control; sid:2029896; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SandCat Related Communication (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hulk/___"; startswith; fast_pattern; content:".php"; within:15; endswith; http.request_body; content:"u_id="; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; classtype:trojan-activity; sid:2029621; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form   method=|20 22|post|22 20|action=|20 22 22|> <input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value="; fast_pattern; classtype:web-application-attack; sid:2029884; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?logins="; http.request_body; content:"host="; depth:5; content:"&status=["; distance:0; content:"]Microsoft Windows "; distance:0; fast_pattern; content:"&globo="; distance:0; content:"&bk="; distance:0; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>"; fast_pattern; classtype:web-application-attack; sid:2029883; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?logins="; content:"&s="; distance:0; http.request_body; content:"host="; depth:5; content:"&bk="; distance:0; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form   method=|20 22|post|22 20|action=|20 22 22|> <input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value="; fast_pattern; classtype:web-application-attack; sid:2029885; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTTPTool User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTTPTool/"; reference:md5,6526946c39fd53dd813a8a206446e491; classtype:trojan-activity; sid:2029637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, signature_severity Major, updated_at 2020_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Anonymous Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>AnonyMous SHell</title>"; nocase; fast_pattern; content:"id=|22|pageheading|22|>AnonyMous SHell"; nocase; distance:0; classtype:web-application-attack; sid:2029886; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Minor, updated_at 2020_04_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=corvusaint.com"; nocase; endswith; reference:md5,eea4776399514664d888633ce72a2a8b; classtype:domain-c2; sid:2029639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Anonymous Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>AnonyMous SHell</title>"; nocase; fast_pattern; content:"id=|22|pageheading|22|>AnonyMous SHell"; nocase; distance:0; classtype:web-application-attack; sid:2029887; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|13.0) Gecko/2010010"; depth:58; fast_pattern; pcre:"/^[A-F0-9]{8}$/Rsi"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,23a30f6afa17f971148d9e955f65ae98; classtype:command-and-control; sid:2029640; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, malware_family Higasa, signature_severity Major, updated_at 2020_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mini Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<tr><td>Current Path : <a href=|22|?path=/"; nocase; content:"<tr class=|22|first|22|>"; nocase; distance:0; content:"<td><center>File/Folder Name</center></td>"; nocase; distance:0; content:"<td><center>Size</center></td>"; nocase; distance:0; content:"<td><center>Permissions</center></td>"; nocase; distance:0; content:"<td><center>Options</center></td>"; nocase; distance:0; content:"<td><center><form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; fast_pattern; content:"<td><a href=|22|?filesrc="; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<option value=|22|edit|22|>Edit</option>"; nocase; distance:0; classtype:web-application-attack; sid:2029888; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/SandCat CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=hpphhpph.com"; nocase; endswith; classtype:domain-c2; sid:2029642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mini Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<tr><td>Current Path : <a href=|22|?path=/"; nocase; content:"<tr class=|22|first|22|>"; nocase; distance:0; content:"<td><center>File/Folder Name</center></td>"; nocase; distance:0; content:"<td><center>Size</center></td>"; nocase; distance:0; content:"<td><center>Permissions</center></td>"; nocase; distance:0; content:"<td><center>Options</center></td>"; nocase; distance:0; content:"<td><center><form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; fast_pattern; content:"<td><a href=|22|?filesrc="; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<option value=|22|edit|22|>Edit</option>"; nocase; distance:0; classtype:web-application-attack; sid:2029889; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SandCat CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"u_id="; depth:5; content:"&username="; content:"&computername="; content:"&arch="; content:"&os=Microsoft Windows|20|"; content:"&local_ip_address="; content:"&global_ip_address="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fe5338aee73b3aae375d7192067dc5c8; classtype:command-and-control; sid:2029643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SandCat, signature_severity Major, updated_at 2020_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>password<br><input type=password name=pass style=|22|background-color:whitesmoke|3b|border:1px solid #fff|3b|outline:none|3b|' required>"; content:"<input type=submit name=|22|watching|22 20|value=|22|submit|22 20|style=|22|border:none|3b|background-color:#56ad15|3b|color:#fff|3b|cursor:pointer|3b 22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029890; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polaris Botnet User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029646; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>password<br><input type=password name=pass style=|22|background-color:whitesmoke|3b|border:1px solid #fff|3b|outline:none|3b|' required>"; content:"<input type=submit name=|22|watching|22 20|value=|22|submit|22 20|style=|22|border:none|3b|background-color:#56ad15|3b|color:#fff|3b|cursor:pointer|3b 22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029891; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] MZRevenge Ransomware Server Response"; flow: established,to_client; content:"|0d 0a 0d 0a|MZR-"; isdataat:!180; fast_pattern; http.content_type; content:"text/html|3b 20|charset=UTF-8"; endswith; bsize:24; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029644; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2020-04-14"; flow:to_client,established; file.data; content:"class=|22|xx_Z118x"; fast_pattern; nocase; content:"<title>Spotify"; nocase; classtype:social-engineering; sid:2029899; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=get-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029648; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='submit' style='border:none|3b|background-color:#56AD15|3b|color:#fff|3b|cursor:pointer|3b|'></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029900; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=dysoool.com"; nocase; endswith; classtype:domain-c2; sid:2029649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='submit' style='border:none|3b|background-color:#56AD15|3b|color:#fff|3b|cursor:pointer|3b|'></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029901; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Critical, updated_at 2020_04_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=clietns-download.com"; nocase; endswith; classtype:domain-c2; sid:2029650; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form action=|22 22 20|method=|22|post|22|><input type=|22|text|22 20|name=|22|_nv|22|><input type=|22|submit|22 20|value=|22|>>|22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029902; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=static-downloads.com"; nocase; endswith; classtype:domain-c2; sid:2029651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_19, deployment Perimeter, former_category MALWARE, malware_family Get2, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form action=|22 22 20|method=|22|post|22|><input type=|22|text|22 20|name=|22|_nv|22|><input type=|22|submit|22 20|value=|22|>>|22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029903; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT Initial Checkin"; flow:established,to_server; content:"|41 57 2f 44 44 48 63 6b 2f|"; startswith; fast_pattern; content:"|2d 48 63 6b|"; endswith; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Leaf PHPMailer"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2029904; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE CoreDDRAT CnC Activity"; flow:established,to_client; dsize:18; content:"|69 6e 66 6f 2f 44 44 48 63 6b 2f 2e 44 44 2d 48 63 6b|"; fast_pattern; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Leaf PHPMailer"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2029905; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT KeepAlive Message"; flow:established,to_server; content:"|74 69 6d 65 2f 44 44 48 63 6b 2f 2e|"; startswith; fast_pattern; content:"|2d 48 63 6b|"; isdataat:!1,relative; threshold:type limit, track by_src, count 1, seconds 600; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Owl PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Owl PHPMailer"; fast_pattern; content:"function stopSending()"; content:"function startSending()"; classtype:web-application-attack; sid:2029906; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE CoreDDRAT Screenshot Exfil"; flow:established,to_server; content:"|40 2f 44 44 48 63 6b 2f 2e|"; startswith; fast_pattern; content:"|2c 2f 44 44 48 63 6b 2f 2e|"; within:100; content:"|4a 46 49 46|"; within:10; threshold:type limit, track by_src, count 1, seconds 30; reference:md5,f3b3013101e1ae9b0e0ec709f3341cb9; reference:url,twitter.com/pmelson/status/1241914864853008384; classtype:command-and-control; sid:2029727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Owl PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Owl PHPMailer"; fast_pattern; content:"function stopSending()"; content:"function startSending()"; classtype:web-application-attack; sid:2029907; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_04_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sekhmet Ransomware CnC Activity"; flow:established,to_server; http.start; content:"POST /update.php?id="; startswith; fast_pattern; pcre:"/^\d+\sHTTP\//R"; http.user_agent; bsize:34; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0)"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x00$/"; reference:url,twitter.com/fbgwls245/status/1241179394405621760; reference:md5,b7ad5f7ec71dc812b4771950671b192a; classtype:command-and-control; sid:2029728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029908; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader CnC Domain (kkjjhhdff .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"kkjjhhdff.site"; bsize:14; reference:md5,797e835bae78cfcba5fef3d075a92599; reference:md5,d374419d6d9c9c968ece8a4e337515e0; reference:url,sysopfb.github.io/malware,/buer,/smokeloader/2020/03/18/SmokeLoader.html; classtype:command-and-control; sid:2029729; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, performance_impact Low, signature_severity Major, updated_at 2020_03_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029909; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Critical, updated_at 2020_04_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Checkin (DesktopPreview)"; flow:established,to_server; content:"DesktopPreview|7c 7c|"; depth:16; fast_pattern; isdataat:1000,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.dealctr.com"; bsize:16; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029921; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn.javacon.eu"; nocase; endswith; classtype:domain-c2; sid:2029730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.liveupdt.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029922; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8000:9000 (msg:"ET MALWARE Win32/RaaLoader CnC Activity"; flow:established,to_server; dsize:12; content:"|12 10 00 00 00 00 00 00  00 00 00 00|"; depth:12; fast_pattern; reference:md5,16b4b114f6ccfff008de265d535656a2; classtype:command-and-control; sid:2029731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, malware_family RaaLoader, signature_severity Major, updated_at 2020_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap-ms.net"; nocase; endswith; reference:md5,58363311f04f03c6e9ccd17b780d03b2; classtype:domain-c2; sid:2029911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/n2019cov (COVID-19) Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"n2019cov.000webhostapp.com"; bsize:26; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:domain-c2; sid:2029735; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_03_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed DeepFreezeWeb User-Agent"; flow:established,to_server; http.user_agent; content:"DeepFreezeWeb"; bsize:13; classtype:policy-violation; sid:2029912; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Milum CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|md="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"md="; startswith; content:"&nk="; distance:0; content:"&val="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,17b1a05fc367e52aada7bde07714666b; reference:url,securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/; classtype:command-and-control; sid:2029739; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_25;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Mirai Variant CnC Activity"; flow:established,from_server; dsize:9; content:"|21 2a 20 41 72 63 65 75 73|"; reference:md5,8fb3048b2aa6c63f53c031b9abd4879a; classtype:command-and-control; sid:2029913; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Havex APT)"; flow:established,to_server; http.request_line; content:"GET|20|/include/template/isx.php|20|HTTP/1.1"; fast_pattern; bsize:38; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.user_agent; content:" Java/"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/havex.profile; classtype:command-and-control; sid:2029740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Encoded Payload Inbound"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3d fa 61 3c 79 ee de ea 18 90 08 95 55 44 8d 41|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Magnitude EK)"; flow:established,to_server; urilen:>235; http.request_line; content:"GET|20|/themes/index.php?id="; fast_pattern; http.uri; content:"/themes/index.php?id="; startswith; pcre:"/^[a-z]{200,}$/Rs"; http.accept; content:"image/jpeg, application/*"; bsize:25; reference:url,github.com//rsmudge/Malleable-C2-Profiles/blob/master/crimeware/magnitude.profile; classtype:command-and-control; sid:2029741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT [PTsecurity] Grandsoft EK Payload"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|96 08 FA EC DE C0 22 84 66 58 4A BC 2E|"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2018/03/15/index3.html; classtype:exploit-kit; sid:2025437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family GrandSoft_EK, signature_severity Major, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|DVRBOT"; fast_pattern; classtype:web-application-attack; sid:2029760; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSG - Data Exfiltration via DNS"; content:"|00 00 13 00 01|"; endswith; fast_pattern; dns.query; content:".com"; endswith; pcre:"/^[A-Za-z0-9\-_\.]{20,80}\.[a-z]{2}\d{2}\.com$/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:command-and-control; sid:2028631; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_19, deployment Perimeter, deployment Internal, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNS_tunneling, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|iamdelta"; fast_pattern; classtype:web-application-attack; sid:2029764; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_30, deployment Perimeter, signature_severity Major, updated_at 2020_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Sending Data"; content:"|00 00 00 00 00 00 3f 38 39|"; fast_pattern; dns.query; content:"89"; depth:2; pcre:"/^[a-fA-F0-9]{61}\.[a-fA-F0-9]{63}\.[a-fA-F0-9]{63}\./R"; reference:md5,130392209b8b1e4aa37fd5c8da8fa6d5; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028880; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"myinfoart.xyz"; bsize:13; reference:md5,4cc43c345aa4d6e8fd2d0b6747c3d996; classtype:domain-c2; sid:2029751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Prepare to Receive Data"; content:"|00 00 00 00 00 00 2a 38 38|"; fast_pattern; dns.query; content:"88"; depth:2; content:"B9."; nocase; distance:38; within:3; pcre:"/^88[a-fA-F0-9]{38}b9\./i"; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Apple-iPhone7C2/1202.466|3b 20|U|3b 20|CPU like Mac OS X|3b 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,8a47ed652ce8c2dee39c8fa8fcb3fa9d; classtype:command-and-control; sid:2029768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Receive Data"; content:"|00 00 00 00 00 00 32 38 42|"; fast_pattern; dns.query; content:"8B"; depth:2; nocase; content:"B9."; nocase; distance:46; within:3; pcre:"/^8b[a-fA-F0-9]{46}b9\./i"; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|NoIr_x.86/"; fast_pattern; classtype:web-application-attack; sid:2029770; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_31, deployment Perimeter, signature_severity Major, updated_at 2020_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"port="; fast_pattern; content:"&uname="; distance:0; content:"&uuid="; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017642; rev:4; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2022_04_18;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Covid19 Spam Template 1 Active - Outbound Email Spam"; flow:to_server,established; content:"Subject|3a 20|"; pcre:"/^(?:The White House|And increasing numbers|Drivers for a parcel|The Italian region worst hit|Although Interpol issued|President Donald Trump|Restaurants are still allowed|A paper released on Friday)/R"; content:"receive|20|further|20|updates.Please"; distance:0; fast_pattern; byte_test:1,!=,0x20,0,string,hex,relative; classtype:command-and-control; sid:2029773; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_03_31, former_category MALWARE, malware_family Tofsee, updated_at 2020_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; classtype:web-application-attack; sid:2029916; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_15;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Malformed Spam Template String"; flow:to_server,established; content:"receive|20|further|20|updates.Please"; fast_pattern; byte_test:1,!=,0x20,0,string,hex,relative; threshold:type threshold, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2029774; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_03_31, former_category MALWARE, malware_family Tofsee, updated_at 2020_03_31;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; classtype:web-application-attack; sid:2029917; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Critical, updated_at 2020_04_15;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Unique Email Body Byte Sequence Observed"; flow:to_server,established; content:"|0d 0a 0d 0a 3d 32 30 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 53 0d 0a|"; fast_pattern; threshold:type threshold, count 5, seconds 120, track by_src; classtype:command-and-control; sid:2029775; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_03_31, former_category MALWARE, malware_family Tofsee, updated_at 2020_03_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|description|22 20|content=|22|This Mini Shell"; nocase; content:"<meta name=|22|author|22 20|content=|22|An0n 3xPloiTeR"; fast_pattern; distance:0; nocase; classtype:web-application-attack; sid:2029918; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Major, updated_at 2020_04_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Linux/Agent.HX CnC Activity (set)"; flow:established,to_server; flowbits:set,ET.LinuxAgent.HX; content:"onlineLinux"; startswith; nocase; fast_pattern; content:"|2a 2f 2a|"; distance:0; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029785; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|description|22 20|content=|22|This Mini Shell"; nocase; content:"<meta name=|22|author|22 20|content=|22|An0n 3xPloiTeR"; fast_pattern; distance:0; nocase; classtype:web-application-attack; sid:2029919; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Linux/Agent.HX CnC Activity M1"; flow:established,to_server; flowbits:isset,ET.LinuxAgent.HX; flowbits:unset,ET.LinuxAgent.HX; dsize:9; content:"beatHeart"; fast_pattern; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029786; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT 41 Fake Server Response"; flow:established,from_server; http.stat_code; content:"200"; http.server; content:"Microsoft-IIS|2f 20|10.0|20|Microsoft-HTTPAPI/2.0"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:command-and-control; sid:2028837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2020_04_16;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Linux/Agent.HX CnC Activity M2"; flow:established,to_client; flowbits:isset,ET.LinuxAgent.HX; flowbits:unset,ET.LinuxAgent.HX; dsize:9; content:"beatHeart"; fast_pattern; reference:md5,3176bee52ecd305816b17fdb9db7335e; reference:url,twitter.com/michalmalik/status/1245347696065630210; classtype:command-and-control; sid:2029787; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Implant CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ID="; startswith; content:"&Disks="; content:"&Files="; content:"&Proc_list="; fast_pattern; http.content_type; content:"|3b 20|charset=65001|20 28|UTF-8|29|"; reference:url,meltx0r.github.io/tech/2019/10/24/apt28.html; classtype:command-and-control; sid:2028906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Zebrocy, updated_at 2020_04_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello/"; fast_pattern; classtype:web-application-attack; sid:2029793; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Major, updated_at 2020_04_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (ip. jsontest .com)"; flow:to_server,established; http.host; content:"ip.jsontest.com"; bsize:15; classtype:external-ip-check; sid:2029923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_04_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (download command)"; flow:established,to_client; dsize:13; content:"ZG93bmxvYWQ=|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029795; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"arch=x"; depth:6; content:"&computer%5fname="; distance:0; nocase; fast_pattern; content:"&guid="; distance:0; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&tracking%5ftoken="; distance:0; nocase; content:"&version="; distance:0; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:command-and-control; sid:2029924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2020_04_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (upload command)"; flow:established,to_client; dsize:9; content:"dXBsb2Fk|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029796; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B External IP Check to CnC M2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/2.php"; fast_pattern; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:trojan-activity; sid:2029925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2022_04_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (screenshot command)"; flow:established,to_client; dsize:17; content:"c2NyZWVuc2hvdA==|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029797; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CONFUCIOUS_B CnC)"; flow:established,to_client; tls.cert_serial; content:"00:f9:1c:f7:fd:a7:bc:0a:9a"; bsize:26; fast_pattern; tls.cert_subject; content:"Internet Widgets"; reference:md5,2d2fe787b2728332341166938a25fa26; reference:url,unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites; classtype:domain-c2; sid:2029926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family CONFUCIUS_B, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (keylogger start)"; flow:established,to_client; dsize:21; content:"a2V5bG9nZ2VyX3N0YXJ0|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029798; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil via FTP"; flow:established,to_server; content:"STOR|20|PW_"; depth:8; fast_pattern; content:"_20"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:".html|0d 0a|"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2029927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (persistence enable)"; flow:established,to_client; dsize:25; content:"cGVyc2lzdGVuY2VfZW5hYmxl|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029799; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla HTML System Info Report Exfil via FTP"; flow:established,to_server; content:"<html>Time|3a 20|"; depth:12; content:"<br>User Name|3a 20|"; distance:0; content:"<br>Computer Name|3a 20|"; distance:0; content:"<br>OSFullName|3a 20|"; fast_pattern; distance:0; content:"<br>CPU|3a 20|"; distance:0; content:"<br>RAM|3a 20|"; distance:0; content:"Username|3a|"; distance:0; content:"Password|3a|"; distance:0; content:"</html>"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2029928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2020_04_16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (getos)"; flow:established,to_client; dsize:9; content:"Z2V0b3M=|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029800; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id SELECT"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006547; classtype:web-application-attack; sid:2006547; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected CHAOS CnC Inbound (openurl)"; flow:established,to_client; dsize:13; content:"b3BlbnVybA==|0a|"; reference:url,github.com/tiagorlampert/CHAOS; classtype:command-and-control; sid:2029801; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006548; classtype:web-application-attack; sid:2006548; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBE Script (COVID-19 Phish 2020-04-03)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id=covid"; fast_pattern; depth:8; http.user_agent; content:"Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http.header_names; content:!"Referer"; reference:md5,7d9a1ed7057e1b5c574ddccc9d45c3eb; classtype:trojan-activity; sid:2029812; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id INSERT"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006549; classtype:web-application-attack; sid:2006549; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029791; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Major, updated_at 2020_04_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id DELETE"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006550; classtype:web-application-attack; sid:2006550; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC BOTNET|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2029809; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_03, deployment Perimeter, signature_severity Major, updated_at 2020_04_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ASCII"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006551; classtype:web-application-attack; sid:2006551; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (cmd_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/cmd_exec"; startswith; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029816; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006552; classtype:web-application-attack; sid:2006552; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (powershell_exec)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/powershell_exec"; startswith; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|command|22 0d 0a 0d 0a|"; content:"form-data|3b 20|name=|22|hwid|22 0d 0a 0d 0a|"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029817; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004158; classtype:web-application-attack; sid:2004158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (rdp_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/rdp_exec?command="; startswith; fast_pattern; content:"&status="; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004159; classtype:web-application-attack; sid:2004159; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (update_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/update_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004160; classtype:web-application-attack; sid:2004160; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sarwent CnC Response (download_exec)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate/download_exec?command="; startswith; fast_pattern; content:"&status="; distance:0; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029820; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004161; classtype:web-application-attack; sid:2004161; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (update)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHVwZGF0ZX"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029821; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004162; classtype:web-application-attack; sid:2004162; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fGRvd25sb2Fkf"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UPDATE"; nocase; content:"SET"; distance:0; nocase; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004163; classtype:web-application-attack; sid:2004163; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (powershell)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHBvd2Vyc2hlbGx8"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004936; classtype:web-application-attack; sid:2004936; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sarwent CnC Command (rdp)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|0d 0a|fHJkcH"; reference:md5,184614b60a03355c9a4e668d702fb200; classtype:command-and-control; sid:2029824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004937; classtype:web-application-attack; sid:2004937; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M8 (set)"; flow:established,to_server; content:"|7a 3e 71 73|"; depth:4; fast_pattern; content:"|cf 46 80|"; distance:1; within:3; flowbits:set,ET.Parallax-8; flowbits:noalert; reference:md5,b92a8d983864505cfb74ad9c70b3ca48; classtype:command-and-control; sid:2029814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004938; classtype:web-application-attack; sid:2004938; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M8"; flow:established,to_client; content:"|7a 3e 71 73|"; depth:4; fast_pattern; content:"|cf 46 80|"; distance:1; within:3; flowbits:isset,ET.Parallax-8; reference:md5,b92a8d983864505cfb74ad9c70b3ca48; classtype:command-and-control; sid:2029815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004939; classtype:web-application-attack; sid:2004939; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Sidewinder APT User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.56)"; bsize:58; reference:url,medium.com/@Sebdraven/apt-sidewinder-complicates-theirs-malwares-4e15683e7e26; classtype:trojan-activity; sid:2029825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2020_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004940; classtype:web-application-attack; sid:2004940; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sorano Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; fast_pattern; content:"&ci="; distance:0; content:"&fz="; distance:0; content:"&cr="; distance:0; content:"&ds="; distance:0; content:"&dd="; distance:0; content:"&pd="; distance:0; reference:md5,5905a17da3a04fc4a1f3de2f6d9babe2; reference:url,3xp0rt.xyz/lpmkikVic; classtype:command-and-control; sid:2029838; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004941; classtype:web-application-attack; sid:2004941; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MSIL/Agent.TRM CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft-hohm.space"; bsize:23; fast_pattern; reference:url,twitter.com/w3ndige/status/1247547923845578755; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:domain-c2; sid:2029852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004942; classtype:web-application-attack; sid:2004942; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kimsuky APT Connectivity Check via Document"; flow:established,to_server; http.header; content:".mireene.com|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.user_agent; content:"Microsoft Office Protocol Discovery"; classtype:targeted-activity; sid:2029851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, signature_severity Major, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004943; classtype:web-application-attack; sid:2004943; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.TRM Checkin Response"; flow:established,to_client; http.stat_code; content:"201"; http.start; content:"|0d 0a|Set-Cookie|3a 20|dkv="; fast_pattern; http.cookie; bsize:36; content:"dkv="; startswith; pcre:"/^[a-f0-9]{32}$/R"; reference:url,twitter.com/w3ndige/status/1247547923845578755; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:command-and-control; sid:2029853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004945; classtype:web-application-attack; sid:2004945; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.TRM Task Command"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|7b 22|YSC|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|command|22 3a 22|"; within:20; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; classtype:command-and-control; sid:2029854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004946; classtype:web-application-attack; sid:2004946; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RocketX Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; content:"&crypto="; fast_pattern; content:"&jabber="; content:"&steam="; content:"&desktop="; content:"&discord="; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; http.header_names; content:!"Referer"; reference:md5,2fd68d384d80d53bcd63585c5a19ba98; classtype:trojan-activity; sid:2029847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, malware_family RocketX, signature_severity Major, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004947; classtype:web-application-attack; sid:2004947; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell - Install Tracking"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".json?V="; fast_pattern; content:"&ID="; distance:0; content:"&GUID="; distance:0; content:"&MAC="; distance:0; content:"&retry="; distance:0; content:"&pc1="; distance:0; http.header_names; content:!"Referer"; reference:url,news.sophos.com/en-us/2019/10/01/lemon_duck-powershell-malware-cryptojacks-enterprise-networks/; classtype:command-and-control; sid:2029013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004948; classtype:web-application-attack; sid:2004948; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"&"; distance:0; content:"-"; distance:8; within:1; content:"&"; distance:0; content:"|3a|"; distance:2; within:1; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; http.user_agent; content:"Lemon-Duck-"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,de18418e8b62e03d1feb1f9c5a53b6a0; reference:url,trapx.com/wp-content/uploads/2020/02/TrapX-Labs-Manufacturing-IOT-Report.pdf; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-malware-pcastle-zeroes-back-in-on-china-now-uses-multilayered-fileless-arrival-techniques/; classtype:command-and-control; sid:2029848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, malware_family Lemon_Duck, signature_severity Major, updated_at 2020_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004949; classtype:web-application-attack; sid:2004949; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DACLS RAT Log Collector Download"; flow:established,to_client; file_data; content:"ELF"; offset:1; depth:3; content:"UPX|21|4"; distance:0; content:"|2f|tmp|2f|hdv"; fast_pattern; distance:0; content:"_log"; distance:20; reference:md5,982bf527b9fe16205fea606d1beed7fa; reference:md5,793ed13e95f64aa38adc964efd86f6e6; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:trojan-activity; sid:2029880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004950; classtype:web-application-attack; sid:2004950; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Check)"; flow:established,to_server; content:"|0d 0a 0d 0a|log=check"; fast_pattern; isdataat:!1,relative; http.method; content:"POST"; http.content_len; content:"9"; bsize:1; http.protocol; content:"HTTP/1.0"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64)"; depth:41; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029856; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004951; classtype:web-application-attack; sid:2004951; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDG Botnet CnC Slave POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/slave"; bsize:6; http.header_names; content:"X-Hub|0d 0a|X-Relay|0d 0a|X-Uid|0d 0a|"; http.header; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|"; fast_pattern; reference:url,blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/; reference:md5,e956e5b97cd0b73057980d735ee92974; classtype:command-and-control; sid:2029895; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004952; classtype:web-application-attack; sid:2004952; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDG Botnet CnC Job Request"; flow:established,to_server; http.request_line; content:"GET /jobs"; depth:9; fast_pattern; http.header_names; content:"X-Hub|0d 0a|X-Port|0d 0a|X-Relay|0d 0a|X-Uid|0d 0a|"; http.header; content:"User-Agent|3a 20|Go-http-client/1.1|0d 0a|"; reference:url,blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/; reference:md5,e956e5b97cd0b73057980d735ee92974; classtype:command-and-control; sid:2029894; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004953; classtype:web-application-attack; sid:2004953; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDG Botnet Miner Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static"; startswith; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header; content:"Goarch|3a 20|amd64|0d 0a|"; fast_pattern; http.header_names; content:"|0d 0a|X-Hub|0d 0a|"; content:"|0d 0a|X-Relay|0d 0a|"; content:"|0d 0a|X-Uid|0d 0a|"; reference:url,blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model/; reference:md5,e956e5b97cd0b73057980d735ee92974; classtype:command-and-control; sid:2029896; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004954; classtype:web-application-attack; sid:2004954; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.dealctr.com"; bsize:16; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029921; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert smb any any -> $HOME_NET any (msg:"ET MALWARE 401TRG SMB Create AndX Request For Emotet Spreader"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"\\|00|m|00|y|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; reference:url,www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/; classtype:command-and-control; sid:2029931; rev:1; metadata:attack_target SMB_Client, created_at 2020_04_17, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Malicious Browser Ext CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.liveupdt.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,darkreader.org/blog/attention/; reference:url,github.com/rainyrainyday/HomebrewOverlay; classtype:domain-c2; sid:2029922; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Kratos"; fast_pattern; classtype:attempted-admin; sid:2029929; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_17, deployment Perimeter, signature_severity Minor, updated_at 2020_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ap-ms.net"; nocase; endswith; reference:md5,58363311f04f03c6e9ccd17b780d03b2; classtype:domain-c2; sid:2029911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Kratos"; fast_pattern; classtype:web-application-attack; sid:2029930; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/Mirai Variant CnC Activity"; flow:established,from_server; dsize:9; content:"|21 2a 20 41 72 63 65 75 73|"; reference:md5,8fb3048b2aa6c63f53c031b9abd4879a; classtype:command-and-control; sid:2029913; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029934; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Ursnif Encoded Payload Inbound"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3d fa 61 3c 79 ee de ea 18 90 08 95 55 44 8d 41|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, updated_at 2020_04_15;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029935; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSG - Data Exfiltration via DNS"; content:"|00 00 13 00 01|"; endswith; fast_pattern; dns.query; content:".com"; endswith; pcre:"/^[A-Za-z0-9\-_\.]{20,80}\.[a-z]{2}\d{2}\.com$/"; threshold: type limit, count 1, seconds 60, track by_src; classtype:command-and-control; sid:2028631; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_19, deployment Perimeter, deployment Internal, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNS_tunneling, updated_at 2020_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>DRIV3R KR PRIV8 MAILER"; fast_pattern; nocase; classtype:web-application-attack; sid:2029936; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Sending Data"; content:"|00 00 00 00 00 00 3f 38 39|"; fast_pattern; dns.query; content:"89"; depth:2; pcre:"/^[a-fA-F0-9]{61}\.[a-fA-F0-9]{63}\.[a-fA-F0-9]{63}\./R"; reference:md5,130392209b8b1e4aa37fd5c8da8fa6d5; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028880; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>DRIV3R KR PRIV8 MAILER"; fast_pattern; nocase; classtype:web-application-attack; sid:2029937; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Prepare to Receive Data"; content:"|00 00 00 00 00 00 2a 38 38|"; fast_pattern; dns.query; content:"88"; depth:2; content:"B9."; nocase; distance:38; within:3; pcre:"/^88[a-fA-F0-9]{38}b9\./i"; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|Description|22 20|content=|22|Mr.Rm19"; nocase; content:">Time On Server : <font color="; nocase; distance:0; content:">Server IP : <font color="; nocase; distance:0; content:">Current Dir : </font><a href="; nocase; distance:0; content:">Mass Deface</a>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029938; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Receive Data"; content:"|00 00 00 00 00 00 32 38 42|"; fast_pattern; dns.query; content:"8B"; depth:2; nocase; content:"B9."; nocase; distance:46; within:3; pcre:"/^8b[a-fA-F0-9]{46}b9\./i"; reference:url,technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns; classtype:command-and-control; sid:2028882; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, tag Trickbot, updated_at 2020_04_15;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|Description|22 20|content=|22|Mr.Rm19"; nocase; content:">Time On Server : <font color="; nocase; distance:0; content:">Server IP : <font color="; nocase; distance:0; content:">Current Dir : </font><a href="; nocase; distance:0; content:">Mass Deface</a>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029939; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"port="; fast_pattern; content:"&uname="; distance:0; content:"&uuid="; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017642; rev:4; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>|20 7c 20|Log In|20 7c 20|Power Mailer Inbox"; nocase; content:"</a>Welcome To Power Mailer Inbox"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029940; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT 41 Fake Server Response"; flow:established,from_server; http.stat_code; content:"200"; http.server; content:"Microsoft-IIS|2f 20|10.0|20|Microsoft-HTTPAPI/2.0"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:command-and-control; sid:2028837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, performance_impact Low, signature_severity Major, tag APT41, updated_at 2020_04_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|20 7c 20|Log In|20 7c 20|Power Mailer Inbox"; nocase; content:"</a>Welcome To Power Mailer Inbox"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Implant CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ID="; startswith; content:"&Disks="; content:"&Files="; content:"&Proc_list="; fast_pattern; http.content_type; content:"|3b 20|charset=65001|20 28|UTF-8|29|"; reference:url,meltx0r.github.io/tech/2019/10/24/apt28.html; classtype:command-and-control; sid:2028906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Zebrocy, updated_at 2020_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>F. Mortolino</title>"; nocase; content:"MortoLino - mode*SPAMMER"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029942; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"arch=x"; depth:6; content:"&computer%5fname="; distance:0; nocase; fast_pattern; content:"&guid="; distance:0; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&tracking%5ftoken="; distance:0; nocase; content:"&version="; distance:0; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:command-and-control; sid:2029924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>F. Mortolino</title>"; nocase; content:"MortoLino - mode*SPAMMER"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029943; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CONFUCIUS_B External IP Check to CnC M2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/2.php"; fast_pattern; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,www.researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/; reference:md5,2d2fe787b2728332341166938a25fa26; classtype:trojan-activity; sid:2029925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category TROJAN, malware_family CONFUCIUS_B, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>GwEx Mailer"; nocase; fast_pattern; content:">GwEx Mailer </font>"; nocase; distance:0; classtype:web-application-attack; sid:2029944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CONFUCIOUS_B CnC)"; flow:established,to_client; tls.cert_serial; content:"00:f9:1c:f7:fd:a7:bc:0a:9a"; bsize:26; fast_pattern; tls.cert_subject; content:"Internet Widgets"; reference:md5,2d2fe787b2728332341166938a25fa26; reference:url,unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites; classtype:domain-c2; sid:2029926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family CONFUCIUS_B, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GwEx Mailer"; nocase; fast_pattern; content:">GwEx Mailer </font>"; nocase; distance:0; classtype:web-application-attack; sid:2029945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil via FTP"; flow:established,to_server; content:"STOR|20|PW_"; depth:8; fast_pattern; content:"_20"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:"_"; distance:0; content:".html|0d 0a|"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2029927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2020_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>W0rmVps PRIV8 MAILER"; nocase; fast_pattern; classtype:web-application-attack; sid:2029946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla HTML System Info Report Exfil via FTP"; flow:established,to_server; content:"<html>Time|3a 20|"; depth:12; content:"<br>User Name|3a 20|"; distance:0; content:"<br>Computer Name|3a 20|"; distance:0; content:"<br>OSFullName|3a 20|"; fast_pattern; distance:0; content:"<br>CPU|3a 20|"; distance:0; content:"<br>RAM|3a 20|"; distance:0; content:"Username|3a|"; distance:0; content:"Password|3a|"; distance:0; content:"</html>"; distance:0; isdataat:!1,relative; classtype:trojan-activity; sid:2029928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2020_04_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>W0rmVps PRIV8 MAILER"; nocase; fast_pattern; classtype:web-application-attack; sid:2029947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_20;)
+#alert smb any any -> $HOME_NET any (msg:"ET MALWARE 401TRG SMB Create AndX Request For Emotet Spreader"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"\\|00|m|00|y|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; reference:url,www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/; classtype:command-and-control; sid:2029931; rev:1; metadata:attack_target SMB_Client, created_at 2020_04_17, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>SMTP Mailer</title>"; nocase; fast_pattern; content:">Inbox SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2029948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Kratos"; fast_pattern; classtype:web-application-attack; sid:2029930; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>SMTP Mailer</title>"; nocase; fast_pattern; content:">Inbox SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2029949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download ddos.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ddos.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012457; rev:3; metadata:created_at 2011_03_10, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer Inbox"; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2029950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xilcter/Zeus related malware dropper reporting in"; flow:established,to_server; http.uri; content:"subid="; content:"br="; content:"os="; content:"flg="; classtype:trojan-activity; sid:2011827; rev:5; metadata:created_at 2010_10_21, updated_at 2020_04_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer Inbox"; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2029951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=RAT"; bsize:6; fast_pattern; tls.cert_issuer; content:"CN=RAT"; bsize:6; reference:md5,90d126886fa0aef7de91d4033a4261f7; classtype:domain-c2; sid:2029953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004955; classtype:web-application-attack; sid:2004955; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; http.uri; content:"/favicon.ico?0="; content:"&1="; content:"&2="; content:"&3="; content:"&4="; content:"&5="; content:"&6="; content:"&7="; reference:md5,fbcdfecc73c4389e8d3ed7e2e573b6f1; classtype:command-and-control; sid:2012299; rev:4; metadata:created_at 2011_02_07, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004956; classtype:web-application-attack; sid:2004956; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeSysdef Rogue AV Checkin"; flow:established,to_server; http.uri; content:"/dfrg/dfrg"; reference:md5,f0f750e8f195dcfc8623679ff2df1267; reference:md5,e186e530ebf0aec07f0cd2afd706633c; reference:md5,294a729bb6a8fc266990b4c94eb86359; classtype:command-and-control; sid:2012725; rev:10; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004957; classtype:web-application-attack; sid:2004957; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Targeted Activity - CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"dellgenius.hopto.org"; endswith; reference:md5,bedf648063aa10ea2810b2f6b9601326; classtype:domain-c2; sid:2029952; rev:1; metadata:created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004958; classtype:web-application-attack; sid:2004958; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Various Ransomware/Stealer Style External IP Address Check (myip .ch)"; flow:established,to_server; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Host|3a 20|www.myip.ch|0d 0a|Accept|3a 20|*/*|0d 0a|"; bsize:50; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,c596d787d0848722d393a4a5945b3e15; classtype:trojan-activity; sid:2029933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Sepsys, signature_severity Major, tag Ransomware, updated_at 2020_04_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004959; classtype:web-application-attack; sid:2004959; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (dellgenius .hoptop .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"dellgenius.hoptop.org"; bsize:21; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:domain-c2; sid:2029975; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004960; classtype:web-application-attack; sid:2004960; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:277; content:"/api/3.1/query?style="; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header; content:"Referer|3a 20|https://www.google.com|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029977; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/forum.php?"; nocase; content:"GLOBALS[UTE][__tplCollection][a][file]="; nocase; reference:url,www.exploit-db.com/exploits/8841/; reference:url,secunia.com/advisories/35299/; reference:url,doc.emergingthreats.net/2009905; classtype:web-application-attack; sid:2009905; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Skunkx DDOS Bot User-Agent Cyberdog"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Cyberdog"; nocase; reference:url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/; classtype:trojan-activity; sid:2012893; rev:3; metadata:created_at 2011_05_31, former_category USER_AGENTS, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/container.php?"; nocase; content:"theme_directory="; nocase; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009377; classtype:web-application-attack; sid:2009377; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/2.0/modules?"; startswith; fast_pattern; http.header_names; content:!"Referer"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029978; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/news_show.php?"; nocase; content:"newsoffice_directory="; nocase; reference:url,secunia.com/advisories/29797; reference:bugtraq,28748; reference:url,www.exploit-db.com/exploits/5429/; reference:url,doc.emergingthreats.net/2009431; classtype:web-application-attack; sid:2009431; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Update Request"; flow:established,to_server; http.uri; content:"/u/upd_"; content:"cb"; pcre:"/\x2Fu\x2Fupd\x5F(?:cb|.+\x2Ecb)/"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012971; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt dsp_page.cfm pageid SELECT"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012420; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Request for Compromised FTP Sites"; flow:established,to_server; http.uri; content:"/cgi-bin/jl/ad03.pl?pv=2&d="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012972; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UNION SELECT"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012421; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader File Download Request Activity"; flow:established,to_server; http.uri; content:"/load.php?file="; pcre:"/^(?:\d+|(?:\w+)?grabbers?|uploader)(?:&luck=\d)?$/R"; reference:md5,12554e7f2e78daf26e73a2f92d01e7a7; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:md5,3310259795b787210dd6825e7b6d6d28; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:md5,7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013045; rev:3; metadata:created_at 2011_06_16, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid INSERT"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012422; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel Checkin"; flow:to_server,established; http.uri; content:"/isup.php?v="; content:"&sox="; reference:url,www.malware-control.com/statics-pages/5de2e2f56e5277cfe3d44299ab496648.php; reference:url,www.malware-control.com/statics-pages/87290c3019b7dbac0d7d2e15f03572ba.php; classtype:command-and-control; sid:2013114; rev:3; metadata:created_at 2011_06_24, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid DELETE"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Communication 2"; flow:established,to_server; http.uri; content:"?user_id="; content:"&version_id="; content:"&sys="; classtype:trojan-activity; sid:2013169; rev:3; metadata:created_at 2011_07_01, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid ASCII"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Initial Checkin"; flow:established,to_server; http.uri; content:"/?uid="; content:"&aid="; content:"&linkuid="; classtype:command-and-control; sid:2013196; rev:3; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012425; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw CnC Checkin Style 2"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013203; rev:3; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php?"; nocase; content:"config="; nocase; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012426; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefnit Initial Checkin"; flow:established,to_server; http.uri; content:"/version.php?ver="; content:"&app="; http.header; content:"User-Agent|3a 20|NSISDL"; classtype:command-and-control; sid:2013221; rev:3; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/administrator/components/com_xcloner-backupandrestore/cloner.cron.php?"; nocase; content:"config="; nocase; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; http.uri; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; reference:url,doc.emergingthreats.net/2008232; classtype:command-and-control; sid:2008232; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012431; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Jadtre Retrieving Cfg File"; flow:established,to_server; http.uri; content:"/tool/mavatarcfg/"; content:".cfg"; pcre:"/\x2F(?:data|main|patch)\x2Ecfg/"; classtype:trojan-activity; sid:2013286; rev:3; metadata:created_at 2011_07_19, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012432; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to_server; http.uri; content:".php?aid="; content:"&uncv="; content:"&skey="; reference:md5,00068992bc003713058a17d50d9e3e14; classtype:command-and-control; sid:2013345; rev:3; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012433; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/info.php?pid="; content:"&bo_table="; content:"&wr_id="; content:"&mac="; classtype:command-and-control; sid:2013375; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012434; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (kill)"; flow:established,to_server; http.uri; content:"/kill/"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013367; rev:5; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012435; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (sleep)"; flow:established,to_server; http.uri; content:"/sleep"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013368; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012436; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (go https)"; flow:established,to_server; http.uri; content:"/https"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013369; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; http.uri; content:".log"; nocase; content:"id="; nocase; content:"softid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; http.uri; content:"==/count.htm"; reference:md5,03abdc31d0f864c7b69b09d6481d3ff7; classtype:command-and-control; sid:2013386; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; http.uri; content:"req.php"; nocase; content:"pid="; nocase; content:"ver="; nocase; content:"area="; nocase; content:"insttime="; nocase; content:"first="; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hupigon.B User Agent TSDownload"; flow:established,to_server; http.header; content:"User-Agent|3A 20|TSDownload"; classtype:trojan-activity; sid:2013392; rev:3; metadata:created_at 2011_08_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download ddos.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ddos.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012457; rev:3; metadata:created_at 2011_03_10, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Skintrim CnC Checkin"; flow:established,to_server; http.uri; content:"/binaries/bin.php?id="; content:"&plateform="; content:"&mh="; content:"&me="; classtype:command-and-control; sid:2013396; rev:3; metadata:created_at 2011_08_10, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; http.uri; content:"/push/androidxml/"; nocase; content:"sim="; nocase; content:"tel="; nocase; content:"imsi="; content:"pid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2029932; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Winshow User Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|WinShow Installer"; classtype:trojan-activity; sid:2013401; rev:3; metadata:created_at 2011_08_11, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012468; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Chekafe.D User-Agent my_check_data On Off HTTP Port"; flow:established,to_server; http.header; content:"User-Agent|3A 20|my_check_data"; classtype:trojan-activity; sid:2013446; rev:3; metadata:created_at 2011_08_22, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UNION SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012469; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/NetShare User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|netsharingsite.com"; classtype:trojan-activity; sid:2013445; rev:4; metadata:created_at 2011_08_22, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu DELETE"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012471; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A or B Worm reporting"; flow:to_server,established; http.uri; content:"/search?q="; pcre:"/^[0-9]{1,3}(?:&aq=7(?:\?[0-9a-f]{8})?)?$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:14; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu ASCII"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012472; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troxen Downloader Checkin"; flow:established,to_server; http.uri; content:"/active_count.php?"; content:"?mac="; content:"&pid="; reference:md5,c936b15a8f7a3732bc16ee36693831ec; classtype:command-and-control; sid:2013450; rev:4; metadata:created_at 2011_08_23, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012473; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Meredrop/Nusump Checkin"; flow:established,to_server; http.uri; content:"?id="; content:"&co="; content:"&us="; content:"&os="; content:"&vr="; content:"&dt="; fast_pattern; reference:md5,463cdec2df12a04d6ea1d015746ee950; reference:md5,ef0616d75bd892ed69fe22a510079686; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857; classtype:command-and-control; sid:2011489; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012478; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lalus Trojan Downloader Checkin"; flow:established,to_server; http.uri; content:".php?guid="; content:"&h="; content:"&v="; content:"&affid="; content:"&update="; content:"&brand="; classtype:command-and-control; sid:2013509; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012480; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lalus Trojan Downloader User Agent (Message Center)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Message Center|0D 0A|"; classtype:trojan-activity; sid:2013510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012481; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request List.php"; flow:established,to_server; http.uri; content:"/list.php?c="; depth:12; content:"&v="; pcre:"/c\x3d[0-9a-f]{100}/i"; classtype:trojan-activity; sid:2013518; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012482; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; http.uri; content:"?op="; content:"&macaddress="; content:"&pcname="; content:"&nomeusuario="; content:"&serialhd="; content:"&versaowindows="; content:"&versaoatual="; content:"&arquivosplugins="; content:"&origem="; classtype:command-and-control; sid:2013546; rev:3; metadata:created_at 2011_09_06, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf SELECT"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012485; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Landing Page"; flow:established,to_server; http.uri; content:".cgi?p="; content:"&i="; content:"&j="; content:"&m="; content:"&h="; content:"&u="; content:"&q="; content:"&t=201"; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23514; classtype:trojan-activity; sid:2013332; rev:5; metadata:created_at 2011_07_27, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UNION SELECT"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012486; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (fsize)"; flow:to_server,established; http.uri; content:"/fsize.php?name="; content:"/WF-update.log"; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013670; rev:3; metadata:created_at 2011_09_19, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf INSERT"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012487; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent BGroom"; flow:established,to_server; http.header; content:"User-Agent|3A 20|BGroom"; classtype:trojan-activity; sid:2013717; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf DELETE"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012488; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (Tiny)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|tiny|0D 0A|"; classtype:trojan-activity; sid:2013718; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012490; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/OnLineGames GetMyIP Style Checkin"; flow:established,to_server; http.uri; content:".asp?ID="; content:"&Action=GetMyIP"; classtype:command-and-control; sid:2013728; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu INSERT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012470; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; http.uri; content:"/gate.php?hwid="; nocase; content:"&pc="; nocase; content:"&localip="; nocase; content:"&winver="; nocase; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:command-and-control; sid:2013748; rev:5; metadata:created_at 2011_09_24, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012479; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Tdss User Agent Detected (Mozzila)"; flow:established,to_server; http.header; content:"User-Agent\: Mozzila"; reference:url,doc.emergingthreats.net/2010889; classtype:trojan-activity; sid:2010889; rev:4; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf ASCII"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012489; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unruy Downloader Checkin"; flow:established,to_server; http.uri; content:".php?U="; content:"@"; pcre:"/\.php\?U=\d+@\d+@\d+@\d+@\d+@[a-f0-9]+$/"; reference:url,ddanchev.blogspot.com/2010/03/copyright-lawsuit-filed-against-you.html; reference:url,isc.sans.org/diary.html?storyid=8497; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.STM&VSect=T; reference:url,doc.emergingthreats.net/2010975; classtype:command-and-control; sid:2010975; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id SELECT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012498; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dofoil.L Checkin"; flow:to_server,established; http.uri; content:"/index.php?cmd="; content:"&login="; content:"&ver="; content:"&bits="; reference:md5,47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:command-and-control; sid:2013917; rev:5; metadata:created_at 2011_09_29, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012499; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality User-Agent (DEBUT.TMP)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|DEBUT.TMP|0D 0A|"; classtype:trojan-activity; sid:2013959; rev:3; metadata:created_at 2011_11_23, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012500; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Put"; flow:established,from_client; http.uri; content:"/kys_allow_put.asp?type="; content:"&hostname="; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:3; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012501; rev:4; metadata:created_at 2011_03_15, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getgrab Command"; flow:established,to_server; http.uri; content:"cmd=getgrab"; classtype:trojan-activity; sid:2014009; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getproxy Command"; flow:established,to_server; http.uri; content:"cmd=getproxy&login="; classtype:trojan-activity; sid:2014010; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; http.method; content:"PUT"; http.header; content:"user-agent|3a|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:3; metadata:created_at 2011_03_16, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getsock Command"; flow:established,to_server; http.uri; content:"cmd=getsocks&login="; classtype:trojan-activity; sid:2014011; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xilcter/Zeus related malware dropper reporting in"; flow:established,to_server; http.uri; content:"subid="; content:"br="; content:"os="; content:"flg="; classtype:trojan-activity; sid:2011827; rev:5; metadata:created_at 2010_10_21, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getload Command"; flow:established,to_server; http.uri; content:"cmd=getload&login="; reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012557; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent 2"; flow:established,to_server; http.header; content:"Gootkit ldr"; classtype:command-and-control; sid:2014021; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012556; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Scanner User-Agent Outbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014023; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012558; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; fast_pattern; classtype:trojan-activity; sid:2014001; rev:5; metadata:created_at 2011_12_08, former_category USER_AGENTS, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012559; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nuclear Checkin"; flow:established,to_server; http.uri; content:".htm"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; http.header; content:"HOST|3A 20|"; reference:md5,bd4af162f583899eeb6ce574863b4db6; classtype:command-and-control; sid:2014121; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012560; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Small.agoy Checkin"; flow:to_server,established; http.uri; content:"/?jutr="; fast_pattern; nocase; content:"&oo="; nocase; content:"&ra="; nocase; http.host; pcre:"/^(?:0-9]{1,3}\.){3}\d{1,3}$/"; reference:url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F; reference:md5,e491d25d82f4928138a0d8b3a6365c39; reference:url,doc.emergingthreats.net/2008859; classtype:command-and-control; sid:2008859; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012567; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; http.uri; content:"/gate.php?username="; content:"&country="; content:"&OS="; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:command-and-control; sid:2014164; rev:3; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012568; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/VPEYE Trojan Downloader User-Agent (VP-EYE Downloader)"; flow:established,to_server; http.user_agent; content:"VP-EYE Downloader"; startswith; classtype:trojan-activity; sid:2014193; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012569; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.MSUpdater C&C traffic GET"; flow:from_client,established; http.uri; content:".aspx?ID="; content:"para1="; distance:0; content:"para2="; distance:0; content:"para3="; distance:0; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014175; rev:4; metadata:created_at 2012_01_31, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012570; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater alt checkin to CnC"; flow:established,to_server; http.uri; content:"/microsoft/errorpost/default/connect.aspx?ID="; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014211; rev:3; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/jquery-mega-menu/skin.php?"; nocase; content:"skin="; nocase; reference:url,exploit-db.com/exploits/16250; classtype:web-application-attack; sid:2012571; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater Connectivity Check to Google"; flow:established,to_server; http.uri; content:"/search?qu="; http.user_agent; content:"Firefox/2.0.0.2"; startswith; http.request_body; content:"news"; depth:4; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014213; rev:3; metadata:created_at 2012_02_07, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/Cache/Lite/Output.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/16912; classtype:web-application-attack; sid:2012572; rev:4; metadata:created_at 2011_03_25, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Blackhole Exploit Pack Binary Load Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?f="; fast_pattern; content:"&e="; pcre:"/^[^?#]+?\.php\?f=\w+&e=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:"User-Agent|0d 0a|"; content:"Host|0d 0a|"; distance:0; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012169; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/header.php?"; nocase; content:"row[titledesc]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012573; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trustezeb Checkin to CnC"; flow:established,to_server; http.uri; content:".php?id="; content:"&stat="; fast_pattern; distance:0; pcre:"/id=[A-F0-9]{20}/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; startswith; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=417; classtype:command-and-control; sid:2014283; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/rp-menu.php?"; nocase; content:"_SESSION[sess_user]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012574; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Koobface Variant Checkin Attempt"; flow:established,to_server; http.uri; content:"/ping.php"; http.header; content:" WinHttp.WinHttpRequest.5|29 0d 0a|"; reference:md5,62aa9e798746e586fb1f03459a970104; classtype:command-and-control; sid:2014303; rev:3; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012575; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BlackMonay Checkin"; flow:established,to_server; http.uri; content:".Php?UserName="; nocase; content:"&Bank="; nocase; content:"&Money="; nocase; http.accept_lang; content:"zh-cn"; startswith; reference:md5,4a203e37caa2e04671388341419bda69; classtype:command-and-control; sid:2014306; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012579; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Meciv Checkin"; flow:established,to_server; http.uri; content:"/trandocs/netstat"; nocase; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2013212; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; content:"image="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012581; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Genome.aetqe Checkin"; flow:established,to_server; http.uri; content:"/stats/counterz.php?id="; content:"&stat="; reference:md5,700b7a81d1460a652e5f9f06fc54dcd6; classtype:command-and-control; sid:2014331; rev:2; metadata:created_at 2012_03_07, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012577; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; http.header; content:"User-Agent|3A 20|5.0|0D 0A|"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:3; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012585; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smart Fortress FakeAV/Kryptik.ABNC Checkin"; flow:established,to_server; http.uri; content:"/?&affid="; fast_pattern; http.header; content:"Accept|3a| *//*|0d 0a|"; reference:md5,fa20c17e5f58e7419b4f0eed318fa95a; reference:url,support.kaspersky.com/viruses/rogue/description?qid=208286259; classtype:command-and-control; sid:2014293; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012595; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download InternetAntivirusPro.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/InternetAntivirus"; content:".exe"; reference:url,doc.emergingthreats.net/2010061; classtype:trojan-activity; sid:2010061; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012596; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Win32/Antivirus2008 CnC Beacon"; flow:established,to_server; http.uri; content:"nick="; nocase; content:"&group="; nocase; content:"&os="; http.header; content:"User-Agent|3a 20|Mozilla|0d 0a|"; reference:url,doc.emergingthreats.net/2008483; classtype:command-and-control; sid:2008483; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012597; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asprox Form Submission to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/forum.php"; nocase; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; startswith; reference:url,doc.emergingthreats.net/2009054; classtype:command-and-control; sid:2009054; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012598; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asprox Data Post to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"name=|22|sid|22 0d 0a 0d 0a|"; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; nocase; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; classtype:command-and-control; sid:2010270; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012599; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atya Dropper Possible Rootkit - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"b="; nocase; content:"&idf="; nocase; content:"&v="; nocase; content:"&o="; nocase; reference:url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e; reference:url,doc.emergingthreats.net/2009450; classtype:trojan-activity; sid:2009450; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012600; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rouge Security Software Win32.BHO.egw"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"affid="; nocase; content:"subid="; nocase; content:"guid="; nocase; content:"ver="; nocase; content:"key="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; reference:url,doc.emergingthreats.net/2008461; classtype:trojan-activity; sid:2008461; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; content:"image="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012601; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Win32 Backdoor Checkin POST Packet 1"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.bd1; http.uri; content:"/add.php"; reference:url,doc.emergingthreats.net/2009240; classtype:command-and-control; sid:2009240; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/basicstats.php?"; nocase; content:"AjaxHandler="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012603; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Win32 Backdoor Checkin POST"; flow:established,to_server; flowbits:isset,ET.bd1; http.request_body; content:"Admin="; depth:6; content:"&UserName="; content:"&IsProxy="; reference:url,doc.emergingthreats.net/2009241; classtype:command-and-control; sid:2009241; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_31, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header; content:"Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; nocase; http.request_body; content:"from="; nocase; content:"|26|FromMail="; nocase; content:"|26|destino="; nocase; content:"|26|assunto="; nocase; content:"|26|mensagem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008331; classtype:trojan-activity; sid:2008331; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_12, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"tipo=cli&cli="; reference:url,doc.emergingthreats.net/2009296; classtype:command-and-control; sid:2009296; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Sample"; flow:established,to_server; http.header; content:"User-Agent|3a 20|sample"; nocase; classtype:trojan-activity; sid:2012611; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_31, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; http.uri; content:"/keylogf.jpg"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009235; classtype:trojan-activity; sid:2009235; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012673; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_BANKER.IDV/Infostealer.Bancos Module Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.header; content:"User-Agent|3a20|Mozilla|2f|4.0|2028|compatible|3b20|MSIE|20|6.0| 3b2020|Windows|20|NT|20|5.1|3b 20|SV1|3b20|.NET|20|CLR|20|1.1.4322| 3b20|.NET|20|CLR|20|2.0.50727|290d0a|Host|3a20|"; fast_pattern; content:"|0d 0a|Accept|3a 20 2a 2f 2a|"; reference:url,doc.emergingthreats.net/2009447; classtype:trojan-activity; sid:2009447; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa INSERT"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012674; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload POST Checkin (dados)"; flow:established,to_server; http.method; content: "POST"; nocase; http.request_body; content:"PC="; nocase; content: "&USER="; nocase; content:"&HASH="; nocase; content:"&DADOS="; nocase; reference:url,doc.emergingthreats.net/2008477; classtype:command-and-control; sid:2008477; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa DELETE"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012675; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Trojan Check-in"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"N="; content:"&ID="; content:"&DATA="; reference:url,doc.emergingthreats.net/2009520; classtype:trojan-activity; sid:2009520; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa ASCII"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012676; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/getcfg.php"; nocase; http.request_body; content:"getp="; content:"id="; content:"ln="; content:"bid="; content:"nt="; content:"cn="; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; classtype:trojan-activity; sid:2010886; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012677; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bravix Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?wmid="; content:"&l="; content:"&it="; content:"&s="; reference:url,doc.emergingthreats.net/2008541; classtype:command-and-control; sid:2008541; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/openBrowser.php?"; nocase; content:"onload="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012678; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; http.uri; content:"action="; nocase; content:"&entity_list="; nocase; content:"&uid="; nocase; content:"&first="; content:"&guid="; nocase; content:"&rnd="; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; classtype:trojan-activity; sid:2009353; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/we/include/we_modules/shop/edit_shop_editorFrameset.php?"; nocase; content:"onload="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012679; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?ddos=x"; nocase; pcre:"/^(?:x\d{1,2}){5,}/Ri"; reference:url,doc.emergingthreats.net/2010381; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:md5,011d403b345672adc29846074e717865; reference:md5,a5f94577d00d0306e4ef64bad30e5d37; classtype:command-and-control; sid:2010381; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/we/include/we_modules/messaging/messaging_show_folder_content.php?"; nocase; content:"we_transaction="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012680; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?type="; nocase; content:"&affid="; distance:0; nocase; content:"&subid="; distance:0; nocase; reference:url,doc.emergingthreats.net/2010382; reference:md5,8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2010382; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/we/include/weTracking/econda/weEcondaImplement.inc.php?"; nocase; content:"shop_artikelid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012681; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cashout Proxy Bot reg_DST"; flow:to_server,established; http.uri; content:".php?"; content:"lang="; content:"&pal="; content:"&bay="; content:"&gold="; content:"&id="; content:"&param="; content: "&socksport="; content:"&httpport="; reference:url,doc.emergingthreats.net/2008248; classtype:trojan-activity; sid:2008248; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chekafe.A or Related Infection Checkin"; flow:established,to_server; http.uri; content:"isInst="; content:"lockcode="; content:"PcType="; content:"AvName="; content:"ProCount="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32/Chekafe.A; reference:url,doc.emergingthreats.net/2011272; classtype:command-and-control; sid:2011272; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/ckeditor/filemanager/connectors/php/upload.php?"; nocase; content:"CKEditorFuncNum="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/99698/ClanSphere2010.3CKEditor-xss.txt; classtype:web-application-attack; sid:2012669; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/KernelBot/MS08-067 related Trojan Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kernel/zz.htm?"; content:"Ver="; reference:url,doc.emergingthreats.net/bin/view/Main/2008737; classtype:command-and-control; sid:2008737; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/lib/lcUser.php?"; nocase; content:"LIBDIR="; nocase; reference:url,secunia.com/advisories/22484; classtype:web-application-attack; sid:2012668; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daemonize.ft HTTP Checkin"; flow:established,to_server; http.uri; content:".php?v="; nocase; content:"&rnd="; nocase; content:"&u=00"; nocase; content:"&s="; nocase; content:"&id="; nocase; reference:url,doc.emergingthreats.net/2008086; classtype:command-and-control; sid:2008086; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_mediamall"; nocase; content:"category="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/88439/joomlamediamallfactory-bsql.txt; classtype:web-application-attack; sid:2012667; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer-715 Install Checkin"; flow: established,to_server; http.uri; content:"/perl/invoc_oneway.pl"; nocase; content:"?id_service="; nocase; content:"&nom_exe="; nocase; content:"&skin="; nocase; content:"&id_produit="; nocase; reference:url,doc.emergingthreats.net/2003650; classtype:command-and-control; sid:2003650; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/components/com_smartformer/smartformer.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/95477/joomlasmartformer-rfi.txt; classtype:web-application-attack; sid:2012666; rev:4; metadata:created_at 2011_04_11, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"c="; content:"&v="; content:"&b="; content:"&id="; content:"&cnt="; fast_pattern; content:"&q="; reference:md5,e9f1f226ff86e72c558e9a9da32c796d; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,doc.emergingthreats.net/2007743; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; classtype:command-and-control; sid:2007743; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012664; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Trojan Activity"; flow: to_server,established; http.uri; content:"/dialer_min/getnum.asp?nip"; reference:url,doc.emergingthreats.net/2008345; classtype:trojan-activity; sid:2008345; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012663; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Dialer Variant"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"icp="; content:"&id_site="; content:"&dl_tracker"; content:"&connection_type="; content:"&asked_mdl_id="; content:"&dialer="; reference:url,doc.emergingthreats.net/2008441; classtype:trojan-activity; sid:2008441; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012662; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper Checkin (often scripts.dlv4.com related)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Common/module.php?"; nocase; content:"brokerid="; nocase; content:"&product="; nocase; content:"&customid="; nocase; content:"&mediaid="; nocase; content:"&no_product_name="; nocase; content:"&extlogin="; nocase; reference:url,doc.emergingthreats.net/2010458; classtype:command-and-control; sid:2010458; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012661; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper Checkin 2 (often scripts.dlv4.com related)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Common/module.php?"; nocase; content:"&isautogeneratedpage="; nocase; content:"&dialer="; nocase; content:"&p2e="; nocase; content:"&nohit="; nocase; reference:url,doc.emergingthreats.net/2010932; classtype:command-and-control; sid:2010932; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portel patron Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/portel/libreria/php/decide.php?"; nocase; content:"patron="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/80053/portel-sql.txt; classtype:web-application-attack; sid:2012660; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donkeyp2p Update Detected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"donkeyp2p.php"; content:"?kind="; content:"&args="; content:"&ver="; content:"&uniq="; content:"&dllver="; nocase; reference:url,doc.emergingthreats.net/2008364; classtype:trojan-activity; sid:2008364; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_doqment"; nocase; content:"cid="; nocase; content:"admin.ponygallery.html.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/99278/joomladoqment-rfilfisql.txt; classtype:web-application-attack; sid:2012659; rev:4; metadata:created_at 2011_04_11, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; http.uri; content:"hingDeny="; nocase; content:"&id="; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/"; reference:url,doc.emergingthreats.net/2010334; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; reference:md5,e4664144f8e95cfec510d5efa24a35e7; classtype:trojan-activity; sid:2010334; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt"; flow:established,to_server; http.uri; content:"/templates/recruitment/jobVacancy.php?"; nocase; content:"recruitcode="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47046; classtype:web-application-attack; sid:2012658; rev:4; metadata:created_at 2011_04_11, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bot Backdoor Checkin/registration Request"; flow:established,to_server; http.uri; content:"/remote.php?"; content:"os="; content:"&user="; content:"&status="; content:"&version="; content:"&build="; reference:url,doc.emergingthreats.net/2006366; classtype:command-and-control; sid:2006366; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php?"; nocase; content:"callback="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012656; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Downloader Checkin URL (GUID+)"; flow:established,to_server; http.uri; content:"&version="; nocase; content:"&configversion="; nocase; content:"GUID="; nocase; content:"&cmd="; nocase; content:"&p="; nocase; content:"&i="; nocase; content:"&x="; nocase; reference:url,doc.emergingthreats.net/2007577; classtype:command-and-control; sid:2007577; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader General Bot Checking In via HTTP Post (bot_id push)"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"bot_id="; content:"&build_id="; content:"&sport="; content:"&hport="; content:"&ping="; content:"&speed="; reference:url,doc.emergingthreats.net/2007831; classtype:command-and-control; sid:2007831; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader General Bot Checking In - Possible Win32.Small.htz related"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?id="; nocase; http.user_agent; content:!"User-Agent|0d 0a|"; http.request_body; content:"proc=[System Process]|0d 0a|"; content:"|0d 0a|&size="; reference:url,doc.emergingthreats.net/2007836; classtype:command-and-control; sid:2007836; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012653; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Access Count Tracking URL"; flow:established,to_server; http.uri; content:"/access_count.html?id="; nocase; content:"&MAC=0"; nocase; pcre:"/^[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ri"; reference:url,doc.emergingthreats.net/2008132; classtype:trojan-activity; sid:2008132; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012652; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL"; flow:established,to_server; http.uri; content:"/install_count.html?id="; nocase; content:"&MAC=0"; nocase; pcre:"/^[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ri"; reference:url,doc.emergingthreats.net/2008133; classtype:trojan-activity; sid:2008133; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012651; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/partner/counter/install.php?pid="; nocase; content:"&cid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,ea70e0971cc490a15e53d24ad6564403; reference:url,doc.emergingthreats.net/2008134; classtype:trojan-activity; sid:2008134; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012665; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"a="; nocase; content:"&k="; nocase; content:"&wmid="; nocase; content:"&ucid="; nocase; reference:url,doc.emergingthreats.net/2008182; classtype:trojan-activity; sid:2008182; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012698; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (pid - mac)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"html?"; nocase; content:"set="; nocase; content:"&pid="; nocase; content:"&mac="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008183; classtype:trojan-activity; sid:2008183; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=RAT"; bsize:6; fast_pattern; tls.cert_issuer; content:"CN=RAT"; bsize:6; reference:md5,90d126886fa0aef7de91d4033a4261f7; classtype:domain-c2; sid:2029953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (wmid - ucid)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?a="; nocase; content:"&k="; nocase; content:"&wmid="; nocase; content:"&ucid="; nocase; reference:url,doc.emergingthreats.net/2008194; classtype:trojan-activity; sid:2008194; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/action.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012561; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Trojan HTTP GET Logging"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?type="; nocase; content:"&setup_id="; nocase; content:"&version="; nocase; content:"&os="; nocase; content:"&sp="; nocase; reference:url,www.virustotal.com/analisis/df09ec9ec4e5caa42db9d08e0f9d34b378e301a1eeb3aa1e6dbd0de1aa4a66be-1246158969; reference:url,doc.emergingthreats.net/2009451; classtype:trojan-activity; sid:2009451; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/architecte.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012562; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader Checkin - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"machineid="; nocase; content:"pubuserid="; nocase; content:"checkversion="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009527; classtype:command-and-control; sid:2009527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/avis.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012563; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader checkin (3)"; flow:established,to_server; http.uri; content:".php?"; content:"c_pcode="; content:"c_pid="; content:"c_kind="; content:"c_mac="; reference:url,doc.emergingthreats.net/2010888; classtype:command-and-control; sid:2010888; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/bible.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012564; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"loads.php?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a| "; reference:url,doc.emergingthreats.net/2010626; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010626; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/blocnote.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012565; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/download.pl?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2010627; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010627; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin vbBux vbplaza.php Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vbplaza.php?"; nocase; content:"do="; nocase; content:"name="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/8784/; classtype:web-application-attack; sid:2012566; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/get.pl?l="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2010628; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010628; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod/vm/controller/AccessController.php?"; nocase; content:"global[approot]="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012496; rev:5; metadata:created_at 2011_03_14, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fasec/FakeAV Alert/Keylogger/Dropper/DNSChanger Possible Rootkit - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"Command="; nocase; content:"snNO="; nocase; content:"Encode="; nocase; content:"SFBH"; nocase; reference:url,www.avast.com/eng/win32-fasec.html; reference:url,www.threatexpert.com/threats/virus-win32-fasec.html; reference:url,doc.emergingthreats.net/2009472; classtype:trojan-activity; sid:2009472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod/vm/model/dao.php?"; nocase; content:"global[approot]="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012497; rev:5; metadata:created_at 2011_03_14, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fraudload/FakeAlert/FakeVimes Downloader - POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; fast_pattern; bsize:46; nocase; http.request_body; content:"verint="; nocase; content:"&wv="; nocase; content:"&report="; nocase; content:"&abbr="; nocase; content:"&pid="; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad; reference:url,doc.emergingthreats.net/2009751; classtype:trojan-activity; sid:2009751; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; content:"to_p_dict="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012483; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (2)"; flow:established,to_server; http.uri; content:"/register."; nocase; content:"?id="; nocase; content:"&port="; nocase; content:"&connect="; nocase; content:"&ver="; nocase; content:"ip="; nocase; reference:url,doc.emergingthreats.net/2008398; classtype:command-and-control; sid:2008398; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; content:"to_r_list="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012484; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gaboc Trojan Check-in"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp"; content:"?type="; content:"&machinename="; reference:md5,6e871b9c440d5c77b9158ebcbe3fcd4b; reference:url,doc.emergingthreats.net/2009519; classtype:trojan-activity; sid:2009519; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/rp-menu.php?"; nocase; content:"_SESSION[sess_user]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012474; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Buzus Checkin"; flow:established,to_server; http.uri; content:".php?guid_bot="; content:"&ver_bot="; content:"&stat_bot="; reference:url,doc.emergingthreats.net/2008550; classtype:command-and-control; sid:2008550; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/header.php?"; nocase; content:"row[titledesc]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012475; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Checkin - MSCommonInfoEx"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/MSCommonInfoEx.php"; reference:url,doc.emergingthreats.net/2011179; classtype:command-and-control; sid:2011179; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/folder.php?"; nocase; content:"type="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html; reference:url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt; classtype:web-application-attack; sid:2012476; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"in.php?affid="; content:"&url="; content:"&win="; content:"&sts="; reference:url,doc.emergingthreats.net/2011277; classtype:command-and-control; sid:2011277; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/zotpress/zotpress.image.php?"; nocase; content:"citation="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/98746/WordPressZotpress2.6-xss.txt; classtype:web-application-attack; sid:2012437; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; http.uri; content:"?id="; nocase; content:"&tick="; nocase; content:"&ver="; nocase; content:"&smtp="; nocase; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:command-and-control; sid:2008189; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; http.uri; content:"/push/androidxml/"; nocase; content:"sim="; nocase; content:"tel="; nocase; content:"imsi="; content:"pid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_03_10, signature_severity Critical, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi check-in / update"; flow:established,to_server; http.uri; content:"?user_id="; nocase; content:"&version_id="; nocase; content:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; reference:url,doc.emergingthreats.net/2009410; classtype:trojan-activity; sid:2009410; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; content:"task=dologin"; nocase; content:"option="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012428; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Illusion Bot (Lussilon) Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?act=online&"; nocase; content:"s4="; nocase; content:"&s5="; nocase; content:"&nickname="; http.request_body; content:"msg_out="; depth:8; nocase; reference:url,doc.emergingthreats.net/2007829; classtype:command-and-control; sid:2007829; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; content:"mosmsg="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012429; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knockbot Proxy Checkin"; flow:to_server,established; http.uri; content:".php?win="; content:"&id="; content:"&lip="; reference:url,doc.emergingthreats.net/2008249; classtype:command-and-control; sid:2008249; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/administrator/components/com_xcloner-backupandrestore/index2.php?"; nocase; content:"mosmsg="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012430; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Trojan HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"f=0&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l=&ck="; content:"&c_fb="; reference:url,doc.emergingthreats.net/2008864; classtype:command-and-control; sid:2008864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php jahr Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newsscript.php?"; nocase; content:"m=archive"; nocase; content:"jahr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/7741; classtype:web-application-attack; sid:2010028; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Koobface Beaconing (getexe)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?getexe="; content:".exe"; reference:url,doc.emergingthreats.net/2010700; classtype:trojan-activity; sid:2010700; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php idneu Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newsscript.php?"; nocase; content:"m=archive"; nocase; content:"idneu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010122; classtype:web-application-attack; sid:2010122; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Initial Checkin"; flow:established,to_server; http.uri; content:"/cp/rule.php?"; nocase; content:"fstt="; nocase; content:"&b="; nocase; content:"name="; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003187; classtype:command-and-control; sid:2003187; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php newsid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newsscript.php?"; nocase; content:"mailto=ok"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010123; classtype:web-application-attack; sid:2010123; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting"; flow:established,to_server; http.uri; content:"/cp/rule.php?"; nocase; content:"v="; nocase; content:"&b="; nocase; content:"name="; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003188; classtype:trojan-activity; sid:2003188; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news_show.php?"; nocase; content:"newsoffice_directory="; nocase; pcre:"/^\s*(?:https?|ftps?|php)\:\//Ri"; reference:url,secunia.com/advisories/29797; reference:bugtraq,28748; reference:url,www.exploit-db.com/exploits/5429/; reference:url,doc.emergingthreats.net/2009432; classtype:web-application-attack; sid:2009432; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/tba/"; nocase; http.request_body; content:"guid="; content:"&version="; content:"&clientid="; content:"&time="; content:"&idle="; content:"&ticksBoot="; reference:url,doc.emergingthreats.net/2007774; classtype:command-and-control; sid:2007774; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_virtuemart"; content:"page="; content:"substring"; reference:url,exploit-db.com/exploits/17132; classtype:web-application-attack; sid:2012697; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop.gfr/Swizzor HTTP Update/Checkin (usually host-domain-lookup.com related)"; flow:established,to_server; http.uri; content:"/upd/check?"; nocase; content:"&fxp="; reference:url,doc.emergingthreats.net/2008333; classtype:command-and-control; sid:2008333; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012699; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Checkin (kgen_up)"; flow:to_server,established; http.uri; content:"kgen_up.int"; content:"fxp="; pcre:"/^[a-z0-9]{60}/Ri"; reference:url,doc.emergingthreats.net/2008379; classtype:command-and-control; sid:2008379; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012700; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop_com or variant Checkin (9kgen_up)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/9kgen_up.int"; reference:url,www.threatexpert.com/reports.aspx?find=9kgen_up.int; reference:url,doc.emergingthreats.net/2008943; classtype:command-and-control; sid:2008943; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012701; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"?nid_mac="; content:"&nid_os_ver=Windows"; content:"&nid_ie_ver="; reference:url,doc.emergingthreats.net/2008592; classtype:command-and-control; sid:2008592; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012702; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Checkin (1)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"v="; nocase; content:"&id="; nocase; content:"&b="; nocase; content:"&tm="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept-Encoding|0d 0a|"; nocase; reference:md5,f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:command-and-control; sid:2010743; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100324; classtype:web-application-attack; sid:2012703; rev:4; metadata:created_at 2011_04_21, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"to="; content:"Optix Pro v"; content:" Server Online"; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008218; classtype:trojan-activity; sid:2008218; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100325; classtype:web-application-attack; sid:2012704; rev:4; metadata:created_at 2011_04_21, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes Update Detected"; flow:established,to_server; http.uri; content:".php?wm="; nocase; content:"&ucid="; nocase; content:"&e="; reference:url,doc.emergingthreats.net/2007768; classtype:trojan-activity; sid:2007768; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-publication-archive/includes/openfile.php?"; nocase; content:"file="; nocase; reference:url,secunia.com/advisories/43067; reference:url,securelist.com/en/advisories/43067; classtype:web-application-attack; sid:2012705; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Update URL Detected"; flow:established,to_server; http.uri; content:"/40E800"; nocase; content:"C00000"; nocase; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/vtigerservice.php?"; nocase; content:"service="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/100183/vtigerCRM5.2.1-XSS.txt; classtype:web-application-attack; sid:2012706; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parite Setup Connection (tqzn.com related)"; flow:established,to_server; http.uri; content:"/barbindsoft/barsetup.exe?queryid="; reference:url,doc.emergingthreats.net/2009108; classtype:trojan-activity; sid:2009108; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, malware_family Parite, signature_severity Major, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER perl post attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:2101979; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (1)"; flow:established,to_server; http.uri; content:"/cd/cd.php?id="; content:"&ver="; pcre:"/^[A-F0-9\-]+&ver=/R"; reference:url,doc.emergingthreats.net/2008382; classtype:command-and-control; sid:2008382; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/classes/file.class.php?"; nocase; content:"filePath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100525/cituscms-rfi.txt; classtype:web-application-attack; sid:2012724; rev:4; metadata:created_at 2011_04_22, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (2)"; flow:established,to_server; http.uri; content:"/cd/un2.php?id="; content:"&ver="; pcre:"/^[A-F0-9\-]+&ver=/R"; reference:url,doc.emergingthreats.net/2008383; classtype:command-and-control; sid:2008383; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo component com_zoom Blind SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoom"; nocase; content:"Itemid="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/80992/mambozoom-sql.txt; classtype:web-application-attack; sid:2012723; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlayMP3z.biz Related Spyware/Trojan Install Report"; flow:established,to_server; http.uri; content:"?stage=setup&application="; content:"&campaign="; content:"&code="; content:"&version="; reference:url,doc.emergingthreats.net/2008626; classtype:trojan-activity; sid:2008626; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/plugins/socialgrid/static/js/inline-admin.js.php?"; nocase; content:"default_services="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/44256; reference:url,htbridge.ch/advisory/xss_in_socialgrid_wordpress_plugin.html; classtype:web-application-attack; sid:2012722; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBot Phone Home Traffic"; flow:established,to_server; http.uri; content:"ind.php?p="; content:"&uid="; reference:url,doc.emergingthreats.net/2008244; classtype:trojan-activity; sid:2008244; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/filemanager/get_file.php?"; nocase; content:"language="; nocase; reference:url,secunia.com/advisories/39517; classtype:web-application-attack; sid:2012721; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegHelper Installation"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"start="; content:"&Edition="; content:"&RHRTVersion="; nocase; reference:url,doc.emergingthreats.net/2008376; classtype:trojan-activity; sid:2008376; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012719; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE carberp check in"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/first.html"; http.request_body; content:"id="; content:"os="; content:"plist="; classtype:trojan-activity; sid:2011798; rev:4; metadata:created_at 2010_10_09, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012718; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp checkin task"; flow:established,to_server; http.uri; content:"/task.php?id="; fast_pattern; content:"&task="; distance:0; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/"; reference:md5,1d0d38dd63551a30eda664611ed4958b; reference:url,www.honeynet.org/node/578; reference:md5,07d3fbb124ff39bd5c1045599f719e36; reference:md5,31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:md5,6f89b98729483839283d04b82055dc44; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; classtype:command-and-control; sid:2011799; rev:8; metadata:created_at 2010_10_13, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; content:"country_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012717; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp file download"; flow:established,to_server; http.uri; content:"/cfg/"; depth:5; content:".plug"; classtype:trojan-activity; sid:2011850; rev:5; metadata:created_at 2010_10_26, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012716; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp CnC request POST /set/task.html"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/task.html"; depth:14; http.request_body; content:"id=dvlsl"; classtype:command-and-control; sid:2012178; rev:5; metadata:created_at 2011_01_15, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012715; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 2"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012223; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32 Bamital or Backdoor.Win32.Shiz CnC Communication"; flow:established,to_server; http.uri; content:"/favicon.ico?0="; content:"&1="; content:"&2="; content:"&3="; content:"&4="; content:"&5="; content:"&6="; content:"&7="; reference:md5,fbcdfecc73c4389e8d3ed7e2e573b6f1; classtype:command-and-control; sid:2012299; rev:4; metadata:created_at 2011_02_07, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 3"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:"autoidcnt.asp?mer_seq="; content:"&realid="; content:"&mac="; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012224; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/PluginController.php?"; nocase; content:"path="; nocase; reference:url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt; classtype:web-application-attack; sid:2012750; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit TDSS/Alureon Checkin 2"; flow:established,to_server; http.uri; content:"/dx.php?i="; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a=/Ri"; content:"&x64="; content:"os="; content:"&f="; reference:url,contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html; classtype:command-and-control; sid:2012314; rev:4; metadata:created_at 2011_02_14, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/extensions/saurus4/captcha_image.php?"; nocase; content:"class_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100461/sauruscms-rfi.txt; classtype:web-application-attack; sid:2012743; rev:4; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/bhanx.php?"; nocase; content:"adv="; nocase; content:"&code1="; nocase; content:"&code2="; nocase; content:"&id="; nocase; content:"&p="; nocase; reference:md5,40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:6; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Publishing Technology id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CollectionContent.asp?"; nocase; content:"id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100822/publishingtechnology-sql.txt; classtype:web-application-attack; sid:2012744; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Banload Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/avisa.php?"; nocase; content:"usuario="; nocase; content:"pc="; nocase; content:"serial="; nocase; content:"versao="; nocase; reference:url,scumware.org/report/89.108.68.81; reference:md5,43b0ddf87c66418053ee055501193abf; classtype:trojan-activity; sid:2012441; rev:5; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012745; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/frame.php?pl=Win32"; nocase; classtype:trojan-activity; sid:2012506; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_15, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012746; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Virut.BN Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"list.php?c="; content:"&v="; distance:0; content:"&t="; distance:0; pcre:"/c\x3d[0-9A-F]{100}/i"; reference:md5,199d9ea754f193194e251415a2f6dd46; classtype:command-and-control; sid:2012533; rev:5; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012747; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.chhq Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/index.php?|30 64 34 30 62 30 3d|"; fast_pattern; http.user_agent; content:"Mozilla/3.0"; startswith; classtype:command-and-control; sid:2012620; rev:10; metadata:created_at 2011_04_01, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012748; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"data=vK6yv+"; classtype:command-and-control; sid:2012686; rev:5; metadata:created_at 2011_04_13, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012749; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Protection FakeAV checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"php?partner_id="; content:"&u="; content:"&log_id="; content:"&os="; reference:md5,7710686d03cd3174b6f644434750b22b; classtype:command-and-control; sid:2012713; rev:4; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (changhuatong)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|changhuatong"; classtype:trojan-activity; sid:2012751; rev:3; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BestAntivirus2011 Fake AV reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?affid="; content:"&data="; content:"&v="; classtype:trojan-activity; sid:2012727; rev:4; metadata:created_at 2011_04_26, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; http.uri; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; content:"-- AND"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:3; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper/Clicker Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/nxdtic.txt"; classtype:command-and-control; sid:2012931; rev:5; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"GPL POLICY Sun JavaServer default password login attempt"; flow:to_server,established; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; http.uri; content:"/servlet/admin"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:2101859; rev:8; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Webpage Infection Routine POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/jl/ad03.pl"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012973; rev:4; metadata:created_at 2011_06_09, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default password login attempt"; flow:to_server,established; http.header; content:"Authorization|3a 20|OmFkbWlu"; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101860; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Meredrop Checkin"; flow:established, to_server; http.method; content:"POST"; nocase; http.request_body; content:"praquem="; content:"&titulo="; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:command-and-control; sid:2013073; rev:5; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default username and password login attempt"; flow:to_server,established; http.header; content:"Authorization|3a 20|YWRtaW46YWRtaW4"; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101861; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|ICS)"; fast_pattern; http.request_body; content:"para="; depth:5; content:"&subject="; content:"&dados="; reference:md5,c8b3d2bc407b0260b40b7f97e504faa5; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; classtype:command-and-control; sid:2013185; rev:7; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012788; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Internet Connectivity Check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/geo/productid.php"; depth:18; http.header; content:"adobe.com"; content:"Opera/"; content:"Pesto/"; classtype:trojan-activity; sid:2013207; rev:6; metadata:created_at 2011_07_06, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012789; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Papras Banking Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; reference:md5,85d82c840f4b90fcb6d5311f501374ca; classtype:command-and-control; sid:2013287; rev:6; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012790; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Ponmocup Driveby Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/se/"; nocase; pcre:"/^[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ri"; reference:url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt; classtype:bad-unknown; sid:2013312; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012791; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/GetGrid.asp"; http.request_body; content:"SN="; depth:3; content:"&SP="; distance:0; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:command-and-control; sid:2013342; rev:5; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012792; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV oms.php Data Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/oms.php"; http.request_body; content:"data="; depth:5; classtype:trojan-activity; sid:2013373; rev:3; metadata:created_at 2011_08_05, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-Xoopport Samsara Sections module secid Parameter Blind SQL Injection Exploit"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sections/index.php?"; nocase; content:"op="; nocase; content:"secid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15004; classtype:web-application-attack; sid:2012793; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Momibot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; http.request_body; content:"byE8PCdtbzE6PTU8czo3"; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:command-and-control; sid:2013398; rev:6; metadata:created_at 2011_08_11, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/mods/ckeditor/filemanager/connectors/php/connector.php?"; nocase; content:"Command="; nocase; content:"Type="; nocase; content:"CurrentFolder="; nocase; reference:bugtraq,47636; classtype:web-application-attack; sid:2012794; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Momibot Ping Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; http.request_body; content:"byE8PCdtbyM6PTRzOjdu"; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:command-and-control; sid:2013399; rev:4; metadata:created_at 2011_08_11, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/admin_news_bot.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,securityreason.com/exploitalert/7180; classtype:web-application-attack; sid:2012795; rev:4; metadata:created_at 2011_05_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mnless Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"cpname="; depth:7; content:"&hardid="; distance:0; content:"&netid="; distance:0; content:"&user="; distance:0; content:"&sname="; distance:0; content:"&ver="; distance:0; content:"&val="; distance:0; classtype:command-and-control; sid:2013443; rev:5; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/jscalendar/test.php?"; nocase; content:"lang="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt; classtype:web-application-attack; sid:2012797; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (postit3)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/postit3.php"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013672; rev:4; metadata:created_at 2011_09_19, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeSysdef Rogue AV Checkin"; flow:established,to_server; http.uri; content:"/dfrg/dfrg"; reference:md5,f0f750e8f195dcfc8623679ff2df1267; reference:md5,e186e530ebf0aec07f0cd2afd706633c; reference:md5,294a729bb6a8fc266990b4c94eb86359; classtype:command-and-control; sid:2012725; rev:10; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/Count.asp?UserID="; content:"&MAC="; distance:0; content:"&Process="; distance:0; reference:md5,b3106dbfb3ab114755af311883f33697; reference:md5,7d2eb4b364e15e90cec1ddd7dcb97f64; reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; classtype:command-and-control; sid:2013741; rev:7; metadata:created_at 2011_10_05, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upload-controler.php?"; nocase; content:"atm-regen="; nocase; reference:url,securelist.com/en/advisories/43589; classtype:web-application-attack; sid:2012805; rev:4; metadata:created_at 2011_05_14, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/boot.php?ptr="; nocase; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; reference:md5,b58485c9a221e8bd5b4725e7e19988b0; classtype:command-and-control; sid:2013798; rev:4; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump attempted access"; flow:established,to_server; http.uri; content:"/uploads/"; content:".wordpress.20"; distance:0; content:".xml_.txt"; distance:0; fast_pattern; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:attempted-recon; sid:2012808; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cycbot POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; reference:md5,1f04bd1b4eceb42e6d5859b6330fc7d7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; classtype:trojan-activity; sid:2013802; rev:4; metadata:created_at 2011_10_26, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs=|27|waitfor"; nocase; content:"delay|27|"; nocase; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0960; classtype:web-application-attack; sid:2012818; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kys_allow_get.asp?"; content:"name=getkys.kys"; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:6; metadata:created_at 2011_12_09, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager advancedfind.do Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/advancedfind.do?extn="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012819; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader.Bancos Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Lead3r_Ship.exe"; nocase; reference:url,symantec.com/security_response/writeup.jsp?docid=2006-061110-0512-99; classtype:trojan-activity; sid:2014070; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_02, deployment Perimeter, former_category TROJAN, malware_family Bancos, signature_severity Major, tag Trojan_Downloader, tag Banking_Trojan, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager deviceInstanceName Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"deviceCapability=deviceCap"; nocase; content:"/iptm/ddv.do?deviceInstanceName="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012820; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32-WebSec Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cb_soft.php?"; nocase; content:"q="; nocase; content:"tj="; nocase; reference:md5,971e560b80e335ab88ef518b416d415a; classtype:trojan-activity; sid:2014085; rev:6; metadata:created_at 2012_01_03, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/eventmon?cmd="; nocase; content:"&dojo.preventCache="; nocase; pcre:"/cmd\x3D(?:filterHelper|getDeviceData\x26group\x3D).+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012821; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Jiwerks.A Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:"/update.aspx"; http.accept_lang; content:"zh-cn"; http.request_body; content:"a="; depth:2; content:"&v="; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:command-and-control; sid:2014133; rev:5; metadata:created_at 2012_01_18, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon_wrapper.jsp Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?"; nocase; content:"Name="; nocase; pcre:"/\x2Ejsp\x3F(?:clusterName|deviceName)\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012822; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/118GotYourNo Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/count"; http.request_body; content:"appTitle="; content:"&strLink="; distance:0; content:"&proFirstTime="; distance:0; content:"&proLastTime="; distance:0; content:"&appName="; distance:0; content:"&KillList="; distance:0; classtype:command-and-control; sid:2014191; rev:5; metadata:created_at 2012_02_06, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager clusterName Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/logicalTopo.do?clusterName="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012823; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater POST checkin to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/microsoft/errorpost/default.aspx?ID="; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014212; rev:4; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Common Services Framework Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage"; nocase; pcre:"/^.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0962; classtype:web-application-attack; sid:2012824; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Oracle Java Process Manager access"; flow:to_server,established; http.uri; content:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:2101874; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B POST checkin"; flow:from_client,established; http.method; content:"POST"; nocase; http.header; content:"Mozilla/4.8.20 (compatible|3b 20|MSIE 5.0.2|3b 20|Win32)|0d 0a|Host|3a 20|"; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:command-and-control; sid:2014360; rev:5; metadata:created_at 2012_03_10, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CiscoWorks Help Servlet Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/cwhp/device.center.do?device="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0961; classtype:web-application-attack; sid:2012825; rev:4; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LuckyCat/TROJ_WIMMIE Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php?m="; content:"&n="; within:4; content:"_"; distance:0; content:"@"; distance:0; pcre:"/\.php\?m=\w&n=\w+_\w+(@|@.c|@.t)$/"; reference:url,blog.trendmicro.com/luckycat-redux-inside-an-apt-campaign/; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:command-and-control; sid:2014462; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Targeted Activity - CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"dellgenius.hopto.org"; endswith; reference:md5,bedf648063aa10ea2810b2f6b9601326; classtype:domain-c2; sid:2029952; rev:1; metadata:created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin myAgent"; flow:to_server,established; http.uri; content:"/index.dat?"; pcre:"/^\d{5,9}$/R"; http.header; content:"|20|myAgent|0d 0a|Host|3a 20|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,a51933ee0f2ade7df98feb7207a2ffaf; classtype:command-and-control; sid:2014468; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SepSys/SepSystem Ransomware Style External IP Address Check"; flow:established,to_server; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Host|3a 20|www.myip.ch|0d 0a|Accept|3a 20|*/*|0d 0a|"; bsize:50; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,c596d787d0848722d393a4a5945b3e15; classtype:trojan-activity; sid:2029933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Sepsys, signature_severity Major, tag Ransomware, updated_at 2020_04_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; http.uri; content:"/stat_d/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014522; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (dellgenius .hoptop .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"dellgenius.hoptop.org"; bsize:21; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:domain-c2; sid:2029975; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; http.uri; content:"/stat_n/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014524; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/boaform/admin/formPing"; fast_pattern; http.request_body; content:"target_addr=|3b|"; startswith; reference:url,blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/; reference:url,www.exploit-db.com/exploits/48225; classtype:attempted-admin; sid:2029976; rev:2; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2020_04_20, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K first execution checkin"; flow:established,to_server; http.uri; content:"/stat_svc/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:command-and-control; sid:2014525; rev:5; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android PHONEMONITOR RAT CnC (getsettings)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"PhoneMonitor"; bsize:12; fast_pattern; http.uri; content:"/webpanel/getsettings.php"; bsize:25; reference:md5,09aa3bb05a55b0df864d1e1709c29960; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:command-and-control; sid:2029979; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field"; flow:established,to_server; http.uri; content:".php?id="; content:"121212121212"; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+121212121212/"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014529; rev:3; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (PhoneMonitor)"; flow:established,to_server; http.user_agent; content:"PhoneMonitor"; bsize:12; reference:md5,09aa3bb05a55b0df864d1e1709c29960; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029980; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Balucaf.A Checkin"; flow:to_server,established; http.uri; content:"/setting.ini"; nocase; http.header; content:"User-Agent|3a 20|AutoIt"; nocase; http.header_names; content:!"Accept|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FTupym.A; reference:url,www.securelist.com/en/descriptions/6349329/Worm.Win32.AutoRun.esf; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tupym-D/detailed-analysis.aspx; classtype:command-and-control; sid:2031450; rev:5; metadata:created_at 2011_09_24, former_category MALWARE, updated_at 2020_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:277; content:"/api/3.1/query?style="; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header; content:"Referer|3a 20|https://www.google.com|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029977; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I User-Agent"; flow:established,to_server; http.header; content:"|20|WOW64|3b 20|rv|3a|9.0.1|3b 20|sv|3a|"; content:"|20|id|3a|"; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012829; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bzub2 Related RPC/Http Checkin"; flow:established,to_server; http.uri; content:"/rpc.php?a=ftp"; nocase; content:"&b="; nocase; reference:url,doc.emergingthreats.net/2007843; classtype:command-and-control; sid:2007843; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012830; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OS X Backdoor Checkin"; flow:established,to_server; http.header; content:"Accept-Encoding|3a 20|base64,gzip"; fast_pattern; content:"|20|Mac|20|OS|20|X|3a|"; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:command-and-control; sid:2014564; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012831; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.header; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2014579; rev:4; metadata:created_at 2012_04_16, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012832; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashBack Mac OSX malware Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/aaupdate/"; fast_pattern; http.header; content:"User-Agent|3a 20|"; content:!"Mozilla"; within:7; content:!"|0d 0a|"; within:124; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:command-and-control; sid:2014596; rev:6; metadata:created_at 2012_03_01, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012833; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/owncheck/"; classtype:command-and-control; sid:2014597; rev:3; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/core/show.site.php?"; nocase; content:"editprofile"; nocase; content:"mod="; nocase; content:"AND"; nocase; content:"SELECT"; nocase; content:"substring"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/89665/chillycms-sql.txt; reference:url,exploit-db.com/exploits/12643; classtype:web-application-attack; sid:2012834; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; http.uri; content:"/stat.php?w="; content:"&i="; content:"&a="; http.user_agent; content:"Opera/6"; startswith; http.header; content:"|3b 20|LangID="; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:command-and-control; sid:2014604; rev:4; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/ffileman.cgi?"; nocase; content:"direkt="; nocase; reference:url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt; classtype:web-application-attack; sid:2012835; rev:3; metadata:created_at 2011_05_20, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (file upload)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"jembot"; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:3; metadata:created_at 2012_04_18, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/components/com_mgm/help.mgm.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:3; metadata:created_at 2011_05_20, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Requesting Payload 2020-04-21"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".wbk?raw=true"; fast_pattern; endswith; http.user_agent; content:"Microsoft Office Existence Discovery"; bsize:36; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; content:!"Pragma"; reference:md5,dffa1f38375e20e98c8ffaa752936e42; classtype:trojan-activity; sid:2029982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; threshold: type limit, count 2, seconds 40, track by_src; http.header; content:"User-Agent|3a 20|CholTBAgent"; classtype:trojan-activity; sid:2012757; rev:6; metadata:created_at 2011_04_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2.x HTTP Request with Encrypted Variables"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/getcfg.php"; http.request_body; pcre:"/^[a-z]{3,6}\x3d[A-F0-9]{50}/i"; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010885; classtype:trojan-activity; sid:2010885; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/InboxLight.aspx"; depth:21; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008238; classtype:policy-violation; sid:2008238; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitpop.AG/Pophot.az HTTP Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".asp"; content:"|3F|ver="; nocase; content:"|26|tgid="; nocase; content:"|26|address="; nocase; pcre:"/^(?:[0-9A-F][0-9A-F]-){5}(?:[0-9A-F][0-9A-F])/Ri"; reference:url,doc.emergingthreats.net/2008317; classtype:command-and-control; sid:2008317; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/ReadMessageLight.aspx"; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008239; classtype:policy-violation; sid:2008239; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downvision.A Initial Checkin"; flow:established,to_server; http.uri; content:"/up.php?id=201"; http.header; content:"software IPWorks HTTP/S Component - www.nsoftware.com"; reference:url,www.fortiguard.com/av/VID3309956; classtype:command-and-control; sid:2014610; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/EditMessageLight.aspx"; http.header; content:"mail.live.com"; nocase; reference:url,doc.emergingthreats.net/2008240; classtype:policy-violation; sid:2008240; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC"; flow:established,to_server; http.uri; content:"/PostView.nhn?blogId="; fast_pattern; content:"&logNo="; content:"&parentCategoryNo="; content:"&userTopListOpen="; content:"&userTopListManageOpen="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862; reference:md5,8af17164500aac1c0965b842aca3fed7; classtype:command-and-control; sid:2014754; rev:7; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Access Full Mode"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/ApplicationMain"; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008242; classtype:policy-violation; sid:2008242; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (5)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.request_body; content:"email="; nocase; content:"&computador="; distance:0; nocase; content:"&nomfile="; distance:0; nocase; content:"&user="; distance:0; nocase; reference:url,doc.emergingthreats.net/2008044; classtype:command-and-control; sid:2008044; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http any any -> any any (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; http.request_body; content:"log="; content:"&pwd="; content:"&wp-submit="; classtype:policy-violation; sid:2012843; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_25, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hoax.Win32.BadJoke/DownLoader1.57593 Checkin"; flow:established,to_server; http.uri; content:"/agent.htm"; http.header; content:"User-Agent|3a 20|OINC|0d 0a|"; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:command-and-control; sid:2014581; rev:4; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; content:"permLink="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012881; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin"; flow:established,to_server; http.uri; content:"/tx.txt"; http.header; content:" Microsoft URL Control -"; reference:url,doc.emergingthreats.net/2003646; classtype:command-and-control; sid:2003646; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012872; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; http.header; content:"User-Agent|3A 20|zeroup"; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:3; metadata:created_at 2012_05_25, former_category USER_AGENTS, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012873; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"verint="; content:"&uid="; distance:0; content:"&wv="; distance:0; content:"&report="; distance:0; content:"&abbr="; distance:0; content:"&pid="; distance:0; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/"; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012874; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; http.uri; content:"/image/logo.jpg?queryid="; pcre:"/^\d+$/R"; reference:url,doc.emergingthreats.net/2008049; classtype:command-and-control; sid:2008049; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012875; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; http.uri; content:"/newuser.php?saff="; pcre:"/^(?:\d+|x.+)/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012876; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; http.uri; content:"/js/data/encryptedtest.dll"; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:command-and-control; sid:2014962; rev:3; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_handlers/secure_img_handler.php?"; nocase; content:"HANDLERS_DIRECTORY="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012877; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Armageddon CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|ArmageddoN"; nocase; fast_pattern; http.request_body; content:"GetList="; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:command-and-control; sid:2014963; rev:3; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_handlers/secure_img_handler.php?"; nocase; content:"IMAGES_DIRECTORY="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012878; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; http.uri; content:"/api/urls/?ts="; content:"&affid="; http.header; content:"GTB0.0|3b|"; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:6; metadata:created_at 2012_05_24, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_handlers/secure_img_handler.php?"; nocase; content:"imgp="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012879; rev:4; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; http.request_body; content:"CRYPTED0"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:md5,99fab94fd824737393f5184685e8edf2; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; classtype:command-and-control; sid:2013934; rev:6; metadata:created_at 2011_05_19, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; content:"trackback_url="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012880; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/versions.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/versions.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014979; rev:3; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Skunkx DDOS Bot User-Agent Cyberdog"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Cyberdog"; nocase; reference:url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/; classtype:trojan-activity; sid:2012893; rev:3; metadata:created_at 2011_05_31, former_category USER_AGENTS, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC GET /lost.dat"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/lost.dat"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014980; rev:4; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/config.cgi"; nocase; content:"type=command&expand="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,48087; classtype:web-application-attack; sid:2012919; rev:3; metadata:created_at 2011_06_02, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/timestamps.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/timestamps.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014999; rev:3; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; http.uri; content:"/talktome.asmx"; nocase; http.request_body; content:"cell"; nocase; content:"opname"; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:command-and-control; sid:2012924; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; http.uri; content:"/counter/mac_proc.php?cid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015020; rev:3; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service"; flow:to_server,established; urilen:>1400; http.uri; content:"|2F 3F|P|3D 2A 3F 2A 3F 2A 3F 2A 3F 2A 3F|"; pcre:"/(?:\x2a\x3f){700}/"; reference:cve,2011-0419; reference:url,cxib.net/stuff/apr_fnmatch.txt; reference:url,bugzilla.redhat.com/show_bug.cgi?id=703390; classtype:attempted-dos; sid:2012926; rev:4; metadata:created_at 2011_06_02, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; http.uri; content:"/check_counter.php?pid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015021; rev:3; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Smilebox Software/Adware Checkin"; flow:established,to_server; http.uri; content:"/trackClientAction.jsp?beacon="; content:"&os="; content:"&partner="; reference:url,www.smilebox.com/privacy-policy.html; classtype:policy-violation; sid:2012933; rev:4; metadata:created_at 2011_06_06, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.uri.raw; content:"&p1="; pcre:"/^[a-z0-9]{12,14}(?:&p2=(?:[a-z0-9]([\._-])?){1,24}(?:_DROPPER)?)$/Ri"; content:"//?m="; fast_pattern; startswith; reference:url,blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/; classtype:trojan-activity; sid:2029576; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/authenticate/sessions.php?"; nocase; content:"globalIncludeFilePath="; nocase; reference:url,packetstormsecurity.org/files/view/101786/nvisionix-lfi.txt; classtype:web-application-attack; sid:2012945; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; http.header; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"AntiVirus"; within:24; nocase; content:".exe"; within:24; classtype:trojan-activity; sid:2013827; rev:7; metadata:created_at 2011_11_05, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/inline-gallery/browser/browser.php?"; nocase; content:"do="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46781; classtype:web-application-attack; sid:2012946; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - .com.tw/check_version.php"; flow:established,to_server; http.uri; content:"/check_version.php"; content:"&version="; http.host; content:".com.tw"; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015503; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jmsfileseller"; nocase; content:"view="; nocase; reference:url,exploit-db.com/exploits/17338; classtype:web-application-attack; sid:2012948; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - getiplist.php"; flow:established,to_server; http.uri; content:"/getiplist.php"; http.header_names; content:!"User-Agent"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015505; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/scr/soustab.php?"; nocase; content:"dsn[phptype]="; nocase; reference:url,hack0wn.com/view.php?xroot=1440.0&cat=exploits; classtype:web-application-attack; sid:2012949; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - get_servers.php"; flow:established,to_server; http.uri; content:"/get_servers.php?"; http.header_names; content:!"User-Agent"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015506; rev:4; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om  Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"droit.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012950; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - botinfo.php"; flow:established,to_server; http.uri; content:"/botinfo.php?"; http.header_names; content:!"User-Agent"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015508; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/collectivite.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012951; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 3"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?0Q9oBPXEN0uECUg"; classtype:command-and-control; sid:2014857; rev:4; metadata:created_at 2012_06_05, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utilisateur.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012952; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos/Midhos Checkin"; flow:to_server,established; http.uri; content:"/id="; content:"&rt="; distance:0; content:"AAAAAAAAAAA"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:command-and-control; sid:2014722; rev:5; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courrier.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012953; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV POST datan.php"; flow:established,to_server; http.uri; content:"/datan.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; nocase; classtype:trojan-activity; sid:2013206; rev:4; metadata:created_at 2011_07_06, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profil.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012954; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Beomok/PSW - HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?i="; fast_pattern; nocase; content:"&o="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2009448; classtype:trojan-activity; sid:2009448; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/2.0/modules?"; startswith; fast_pattern; http.header_names; content:!"Referer"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,twitter.com/CyberRaiju/status/1249272772963864576; reference:md5,79bbe1365fb7532613823ce3e0cac499; classtype:command-and-control; sid:2029978; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes2 - Checkin - /test.php"; flow:established,to_server; urilen:9; http.uri; content:"/test.php"; fast_pattern; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2015523; rev:4; metadata:created_at 2012_07_25, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; http.uri; content:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackenergy Bot Checkin to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"Cache-Control|3a| no-cache"; http.request_body; content:"id="; content:"&build_id="; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:command-and-control; sid:2007668; rev:18; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Update Request"; flow:established,to_server; http.uri; content:"/u/upd_"; content:"cb"; pcre:"/\x2Fu\x2Fupd\x5F(?:cb|.+\x2Ecb)/"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012971; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; http.uri; content:"/?xclzve_"; startswith; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:2015562; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Request for Compromised FTP Sites"; flow:established,to_server; http.uri; content:"/cgi-bin/jl/ad03.pl?pv=2&d="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012972; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server; http.user_agent; content:"Mozilla"; startswith; content:"|3b 20|MyIE|20|"; fast_pattern; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8; metadata:created_at 2011_03_01, former_category USER_AGENTS, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; http.uri; content:"/hpdiags/frontend2/help/search.php?query="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.JS.QLP Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/read.php?nm="; startswith; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015673; rev:4; metadata:created_at 2012_08_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZOHO ManageEngine ADSelfService Employee Search XSS Attempt"; flow:established,to_server; http.uri; content:"/EmployeeSearch"; nocase; fast_pattern; content:"actionId="; nocase; content:"searchString="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3274; classtype:web-application-attack; sid:2012980; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scheck/"; http.user_agent; pcre:"/^[A-Za-z0-9+\/=]+?$/"; classtype:command-and-control; sid:2014598; rev:7; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_people"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|CE FA AD DE 03 00|"; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:command-and-control; sid:2013819; rev:5; metadata:created_at 2011_11_02, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pear.php?"; nocase; content:"_PEAR_PHPDIR="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012994; rev:3; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirage Campaign checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/result?hl="; depth:11; content:"&meta="; distance:0; http.request_body; content:"Mjtdkj"; depth:6; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:command-and-control; sid:2015714; rev:3; metadata:created_at 2012_09_19, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pear.php?"; nocase; content:"include_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012993; rev:3; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_18, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/addons/kcfinder/browse.php?"; nocase; content:"CKEditorFuncNum="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,autosectools.com/Advisory/Nakid-CMS-1.0.2-Reflected-Cross-site-Scripting-230; classtype:web-application-attack; sid:2012992; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Runner/Bublik Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"G="; nocase; content:"&PG="; nocase; content:"&EPBB="; fast_pattern; nocase; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:command-and-control; sid:2009711; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012991; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Densmail.com Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/cc.php"; nocase; content:"v="; nocase; content:"&rnd="; nocase; distance:0; pcre:"/v=\d+&rnd=\d/i"; reference:url,doc.emergingthreats.net/2007822; classtype:command-and-control; sid:2007822; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012990; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hupigon.dkwt Related Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"htm?mac="; nocase; content:"&os="; nocase; distance:0; content:"&ver="; nocase; distance:0; content:"&id="; nocase; distance:0; pcre:"/\?mac=[0-9]*?&os=[a-z]*?&ver=[0-9]{8}&id=/i"; reference:url,doc.emergingthreats.net/2009704; classtype:command-and-control; sid:2009704; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012989; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamania Trojan Check-in"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; content:"?p4="; nocase; content:"&p5="; fast_pattern; nocase; distance:0; content:"&hs="; nocase; distance:0; pcre:"/p4=\d+&p5=\d+&hs=\d/i"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012988; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Murlo Trojan Checkin"; flow: to_server,established; http.method; content:"GET"; nocase; http.uri; content: ".asp?mac="; nocase; pcre:"/^[a-f0-9]/Ri"; content: "&ver="; nocase; content: "&os="; nocase; reference:url,doc.emergingthreats.net/2009442; classtype:command-and-control; sid:2009442; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012987; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; http.uri; content:"/cp/rule.php?gcu="; nocase; pcre:"/^\d/Ri"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY StumbleUpon Submission Detected"; flow:established,to_server; threshold: type both, count 2, seconds 300, track by_src; http.header; content:"X-SU-Version|3a 20|"; classtype:policy-violation; sid:2013013; rev:4; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Downloader Activity Observed"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&v="; nocase; content:"&tm="; nocase; fast_pattern; content:"&b="; nocase; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/i"; reference:md5,38e1d644e2a16041b5ec1a02826df280; reference:url,doc.emergingthreats.net/2009776; reference:md5,1db0c8d48a76662496af7faf581b1cf0; classtype:trojan-activity; sid:2009776; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=file|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:6; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Counter/Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?mac="; nocase; content:"&ver="; distance:0; nocase; pcre:"/\.asp\?mac=(?:[0-9A-F]{2}-){5}(?:[0-9A-F]{2})+&ver=\d/i"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=php|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shylock Module Data POST"; flow:established,to_server; http.request_body; content:"id="; content:"&bid="; distance:0; content:"&query="; distance:0; content:"&data="; distance:0; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/"; reference:md5,4fda5e7e8e682870e993f97ad26ba6b2; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; classtype:trojan-activity; sid:2013687; rev:5; metadata:created_at 2011_09_22, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftps|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013000; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot requesting update"; flow:to_server,established; http.uri; content:"/modules/docs/upload/calc.exe"; classtype:trojan-activity; sid:2015853; rev:3; metadata:created_at 2012_11_01, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftp Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftp|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012999; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; http.uri; content:"/RebateInformerSetup.exe"; nocase; http.user_agent; content:"Inno Setup Downloader"; startswith; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:4; metadata:created_at 2012_11_02, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible https Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=https|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Wauchos.A CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|stpfu"; http.method; content:"POST"; classtype:trojan-activity; sid:2015895; rev:3; metadata:created_at 2012_11_20, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible zlib Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=zlib|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013014; rev:6; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJ_PROX.AFV POST"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.request_body; content:"=|22|sid|22|"; nocase; content:"=|22|up|22|"; nocase; content:"=|22|wbfl|22|"; nocase; content:"=|22|v|22|"; nocase; content:"=|22|ping|22|"; nocase; content:"=|22|guid|22|"; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; reference:url,doc.emergingthreats.net/2007728; classtype:trojan-activity; sid:2007728; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=data|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013003; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad/?"; startswith; fast_pattern; pcre:"/^[a-z]{1,4}\x3d[a-z0-9]+?$/Ri"; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015958; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible glob Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=glob|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013004; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin 1"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; startswith; http.host; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/^\d{5}\x2eddns[a-z0-9]\x2eeu$/"; http.user_agent; content:"MSIE 7.0|3b|"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:command-and-control; sid:2015968; rev:9; metadata:created_at 2012_11_30, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible phar Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=phar|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013005; rev:6; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/iis/host.aspx"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; http.content_type; content:"application/octet-stream"; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:3; metadata:created_at 2012_12_08, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ssh2 Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ssh2|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013006; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; http.uri; content:"/list.php?db="; fast_pattern; http.accept_lang; content:"ko-kr"; startswith; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016050; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible rar Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=rar|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013007; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SmokeLoader - Init 0x"; flow:established,to_client; http.header; content:"Init|3a| 0x"; classtype:trojan-activity; sid:2016088; rev:3; metadata:created_at 2012_12_22, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ogg Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ogg|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013008; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dexter Infostealer CnC POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"page="; depth:5; content:"&spec="; distance:0; content:"&opt="; distance:0; content:"var="; distance:0; content:"val="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:command-and-control; sid:2016095; rev:3; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible expect Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=expect|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013009; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown - Loader - Check .exe Updated"; flow:established,to_server; urilen:<10; http.uri; content:".exe"; fast_pattern; http.header; content:"If-Modified-Since|3a| "; content:"If-None-Match|3a| "; classtype:trojan-activity; sid:2016097; rev:5; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTMLGET User Agent Detected - Often Linux utility based"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTMLGET "; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013018; rev:6; metadata:created_at 2011_06_13, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; http.uri; content:"/status.php?cliver="; content:"&uniqid="; content:"&langid="; classtype:command-and-control; sid:2016125; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; http.uri; content:"/ProtocolGW/"; fast_pattern; nocase; content:"filename="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?php=receipt"; endswith; pcre:"/^\/[A-Z]+\.php\?php=receipt$/"; classtype:trojan-activity; sid:2016147; rev:3; metadata:created_at 2013_01_03, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DLoader File Download Request Activity"; flow:established,to_server; http.uri; content:"/load.php?file="; pcre:"/^(?:\d+|(?:\w+)?grabbers?|uploader)(?:&luck=\d)?$/R"; reference:md5,12554e7f2e78daf26e73a2f92d01e7a7; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB; reference:md5,3310259795b787210dd6825e7b6d6d28; reference:url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml; reference:md5,7af2097d75869aa5aa656cd6e523c8b3; classtype:trojan-activity; sid:2013045; rev:3; metadata:created_at 2011_06_16, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; http.uri; content:"/proxy_info.php"; classtype:command-and-control; sid:2016171; rev:3; metadata:created_at 2013_01_08, former_category MALWARE, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.uri; content:"/api/work/getwork?"; depth:18; http.header; content:"bitcoinplus.com"; classtype:coin-mining; sid:2013059; rev:4; metadata:created_at 2011_06_17, former_category POLICY, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV security_scanner.exe"; flow:established,to_client; http.header; content:"Content-Disposition|3a| "; content:"filename=|22|security_scanner.exe|22|"; fast_pattern; classtype:trojan-activity; sid:2016177; rev:3; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?im="; http.header; content:"User-Agent|3a 20|J2ME/UCWEB"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_06_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Midhos/Medfos downloader"; flow:established,to_server; http.uri; content:"/upload/fid="; content:"AAAAAAAAAAA"; http.header; content:"Host|3a 20|megaupload.com|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0"; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; classtype:trojan-activity; sid:2016189; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; http.uri; content:"/android/android.dbug.php?action=heart"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:command-and-control; sid:2013078; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE METALJACK APT32 CnC Host Checkin"; flow:established,to_server; http.uri; content:".png?CN="; fast_pattern; content:"&UN="; distance:0; content:"&C="; distance:0; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; reference:md5,d739f10933c11bd6bd9677f91893986c; classtype:targeted-activity; sid:2029997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; http.uri; content:"/ss/attachments/files/URLshorter.apk"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (m.topiccore.com)"; dns.query; content:"m.topiccore.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2029998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013080; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (jcdn.jsoid.com)"; dns.query; content:"jcdn.jsoid.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2029999; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (libjs.inquirerjs.com)"; dns.query; content:"libjs.inquirerjs.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2030000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013082; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (vitlescaux.com)"; dns.query; content:"vitlescaux.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2030001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013083; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=m.topiccore.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030002; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013084; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=jcdn.jsoid.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030003; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/templates/admin_default/confirm.tpl.php?"; nocase; content:"nsextt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,seclists.org/bugtraq/2011/Jun/59; classtype:web-application-attack; sid:2013085; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=libjs.inquirerjs.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/xperience.php?"; nocase; content:"sortfield="; nocase; content:"sortorder="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102001/xperience-xss.txt; classtype:web-application-attack; sid:2013086; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=vitlescaux.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/FCKeditor/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013087; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/telnet_cmd.php"; fast_pattern; http.user_agent; content:"Opera/9.61"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&c="; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:command-and-control; sid:2016205; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/tinymce/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013088; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Red October proxy CnC 1"; flow:to_client,established; http.header; content:"ETag|3a 20 22|8c0bf6-ba-4b975a53906e4|22|"; classtype:command-and-control; sid:2016224; rev:4; metadata:created_at 2013_01_17, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Red October proxy CnC 2"; flow:to_client,established; http.header; content:"ETag|3a 20 22|1c824e-ba-4bcd8c8b36340|22|"; classtype:command-and-control; sid:2016225; rev:3; metadata:created_at 2013_01_17, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/nagios/cgi-bin/config.cgi"; nocase; content:"type=command&expand="; fast_pattern; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Red October proxy CnC 3"; flow:to_client,established; http.header; content:"ETag|3a 20|W/|22|186-1333538825000|22|"; classtype:command-and-control; sid:2016226; rev:3; metadata:created_at 2013_01_17, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/security/useredit.action?"; nocase; content:"username="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013099; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"PSTORE|3a|"; classtype:trojan-activity; sid:2016252; rev:4; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/security/roleedit.action?"; nocase; content:"name="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013100; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of System Info"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"User is SYSTEM|3a|"; classtype:trojan-activity; sid:2016253; rev:4; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/security/userlist!show.action?"; nocase; content:"roleName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013101; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader API Ping CnC Beacon"; flow:established,to_server; http.uri; content:"/api/ping?stage="; content:"&uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:command-and-control; sid:2016273; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/deleteArtifact!doDelete.action?"; nocase; content:"groupId="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013102; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV"; flow:established,to_server; http.uri; content:"/viruslist/?uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016274; rev:3; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addLegacyArtifactPath!commit.action?"; nocase; content:"legacyArtifactPath.path="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013103; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Successful Infection CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/count.php?isOnline=1"; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:command-and-control; sid:2016312; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/deleteNetworkProxy!confirm.action?"; nocase; content:"proxyid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013104; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Second Stage Download List Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Down/list.txt"; depth:14; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016313; rev:4; metadata:created_at 2013_01_30, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addRepository.action"; nocase; content:"repository.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.com/files/101797/; classtype:web-application-attack; sid:2013105; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/SSHDoor.A Reporting Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"port="; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5}/R"; content:"|3A|"; content:"&uname="; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016314; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/confirmDeleteRepository.action?"; nocase; content:"repoid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.com/files/101797/; classtype:web-application-attack; sid:2013106; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious user-agent (f**king)"; flow:established,to_server; http.header; content:"fucking|0d 0a|"; fast_pattern; http.user_agent; content:"fucking"; endswith; classtype:trojan-activity; sid:2016317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/editAppearance.action"; nocase; content:"organisationName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013107; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Second Stage Download Request"; flow:established,to_server; http.uri; content:"/ssl/cert.dll"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016330; rev:4; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addLegacyArtifactPath.action"; nocase; content:"legacyArtifactPath.path="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013108; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/sk"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/sk"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016215; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addNetworkProxy.action"; nocase; content:"proxy.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013109; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/dllhost/ac"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016216; rev:7; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/networkProxies.action"; nocase; content:"proxy.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013110; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ServStart.Variant CnC Beacon"; flow:established,to_server; http.uri; content:"&mac="; nocase; content:"type="; nocase; content:"id="; nocase; http.header; content:"User-Agent|3a 20|Google ++|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2016355; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/legacyArtifactPath.action"; nocase; content:"legacyArtifactPath.path="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013111; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StartPage.eba Dropper Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?mac="; content:"&ver="; content:"&t="; http.user_agent; content:"Forthgoer"; reference:url,www.securelist.com/en/descriptions/24621847/Trojan-Dropper.Win32.StartPage.eba; classtype:command-and-control; sid:2016316; rev:4; metadata:created_at 2013_01_30, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/configureAppearance.action"; nocase; content:"organisationName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013112; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/th"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/th"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016214; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Vilsel Checkin"; flow:to_server,established; http.uri; content:"/isup.php?v="; content:"&sox="; reference:url,www.malware-control.com/statics-pages/5de2e2f56e5277cfe3d44299ab496648.php; reference:url,www.malware-control.com/statics-pages/87290c3019b7dbac0d7d2e15f03572ba.php; classtype:command-and-control; sid:2013114; rev:3; metadata:created_at 2011_06_24, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/check"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016217; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/vBTube.php?"; nocase; content:"page="; nocase; content:"do="; nocase; content:"uname="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013134; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/flush"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/flush"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016218; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/vBTube.php?"; nocase; content:"do="; nocase; content:"vidid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013133; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/wcx"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/wcx"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016219; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013129; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/cab"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/cab"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016220; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013128; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/atp.txt"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:command-and-control; sid:2016329; rev:5; metadata:created_at 2013_02_01, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Umbra/Multibot Loader User-Agent (umbra)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|umbra|0d 0a|"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016366; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Umbra/MultiBot Plugin access"; flow:established,to_server; http.uri; content:"/admin/plugins/"; http.header; content:"User-Agent|3a 20|umbra|0d 0a|"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016367; rev:4; metadata:created_at 2013_02_08, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013125; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Request"; flow:established,to_server; http.uri; content:"/upload/img.jpg"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.user_agent; content:" MSIE 6.0|3b| "; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016369; rev:5; metadata:created_at 2013_02_08, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<IMSI>"; nocase; content:"<|2F|IMSI"; nocase; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:3; metadata:created_at 2011_06_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Image Request"; flow:established,to_server; http.uri; content:"/upload/mp3.mp3"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.user_agent; content:" MSIE 6.0|3b| "; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016370; rev:4; metadata:created_at 2013_02_08, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZyXEL ZyWALL LoginPassword/HiddenPassword Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/rpAuth"; nocase; content:"nPassword="; nocase; pcre:"/(?:Loging|Hidden)Password\x3D.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:cve,2011-2466; classtype:web-application-attack; sid:2013150; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FloatingCloud.Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/Install/Post.asp?Uid="; nocase; pcre:"/^[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$/Ri"; reference:url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan; classtype:command-and-control; sid:2016399; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013159; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PDF 0day Communication - agent UA Feb 14 2013"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/param"; http.header; content:"User-Agent|3a| agent|0d 0a|"; fast_pattern; content:"Content-Length|3a|"; reference:url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html; classtype:trojan-activity; sid:2016411; rev:4; metadata:created_at 2013_02_15, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Vundo.Downloader Reporting User Website Session Information"; flow:established,to_server; http.uri; content:"/js.php?ran="; fast_pattern; content:"&t="; content:"&u="; http.accept_lang; content:"ru-RU"; nocase; startswith; reference:url,www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32vundojd; classtype:trojan-activity; sid:2016417; rev:3; metadata:created_at 2013_02_16, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013157; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vundo.OD Checkin"; flow:to_server,established; http.uri; content:"/get.php?"; pcre:"/^(?:id|key)=/Ri"; content:"id="; content:"key="; content:"&os="; content:"&av="; content:"&vm="; content:"&al="; content:"&p="; content:"&z="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD; reference:md5,8840a0d9d7f4dba3953ccb68b17b2d6c; classtype:command-and-control; sid:2016424; rev:6; metadata:created_at 2011_12_17, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webcat web_id Parameter Blind SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ecat/cms_view.php?"; nocase; content:"lang="; nocase; content:"web_id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/17444; classtype:web-application-attack; sid:2013164; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likseput.B Checkin"; flow:established,to_server; http.header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/mi"; http.user_agent; content:"|3b|Trident/4.0 "; fast_pattern; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:command-and-control; sid:2016432; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi Communication 2"; flow:established,to_server; http.uri; content:"?user_id="; content:"&version_id="; content:"&sys="; classtype:trojan-activity; sid:2013169; rev:3; metadata:created_at 2011_07_01, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT HTTP Checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.00|3b 20|Windows 98) KSMM"; fast_pattern; bsize:52; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016440; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013156; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Namsoth.A Checkin/NEWSREELS APT1 Related"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; depth:5; content:"&userid="; distance:0; content:"&other"; distance:4; within:6; pcre:"/&userid=\d{4}&other=[MF]/"; reference:md5,a2cd1189860b9ba214421aab86ecbc8a; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016439; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Genome Initial Checkin"; flow:established,to_server; http.uri; content:"/?uid="; content:"&aid="; content:"&linkuid="; classtype:command-and-control; sid:2013196; rev:3; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Download UA"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.8.0.12) Firefox/1.5.0.12"; fast_pattern; bsize:74; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:command-and-control; sid:2016453; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw CnC Checkin Style 2"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013203; rev:3; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related"; flow:to_server,established; urilen:27; http.uri; content:"/Default.aspx?ID="; pcre:"/^[A-Z]{10}$/R"; http.user_agent; content:!"Mozilla"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,www.mandiant.com/apt1; reference:md5,ba45339da92ca4622b472ac458f4c8f2; classtype:targeted-activity; sid:2016459; rev:6; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; http.uri; content:"/wat.php"; nocase; http.host; content:"incorporateapps.com"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:command-and-control; sid:2013209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-UGX User-Agent (Windows+NT+5.x) APT1"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; depth:12; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016471; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected PROJECTSPY CnC (video)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/index.php?p=showMyAllVideos"; fast_pattern; bsize:32; http.user_agent; content:"Dalvik"; reference:md5,30a2f5b9c9cf01b16aaa4d3f40323faf; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:command-and-control; sid:2029981; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimemo Activity"; flow:established,to_server; http.uri; content:"mainsettings/settings.sol"; http.user_agent; content:" MSIE 7.0|3b|"; classtype:trojan-activity; sid:2016515; rev:5; metadata:created_at 2013_03_04, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sefnit Initial Checkin"; flow:established,to_server; http.uri; content:"/version.php?ver="; content:"&app="; http.header; content:"User-Agent|3a 20|NSISDL"; classtype:command-and-control; sid:2013221; rev:3; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"akk="; depth:4; content:"&client="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016529; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kbcat.cgi?"; nocase; content:"cid="; nocase; content:"or"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt; classtype:web-application-attack; sid:2013234; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Time CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/time/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016533; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013231; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Get New MAC CnC Beacon"; flow:established,to_server; http.uri; content:"/features/get/new/mac/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016534; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013230; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Set Done Day CnC Beacon"; flow:established,to_server; http.uri; content:"/features/set/done/day/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016535; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013229; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Header CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/header/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016536; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013228; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stabuniq Checkin"; flow:to_server,established; http.request_body; content:"id="; depth:3; content:"&varname="; content:"&comp="; content:"&ver="; content:"&xid="; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:command-and-control; sid:2016130; rev:4; metadata:created_at 2012_12_29, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013227; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trustezeb.C CnC Beacon"; flow:established,to_server; http.uri; content:".php?ltype="; content:"&ccr="; content:"&id="; content:"&stat="; content:"&ver="; content:"&loc="; content:"&os="; reference:url,www.abuse.ch/?p=5175; reference:url,www.virusradar.com/Win32_Trustezeb.C/description; classtype:command-and-control; sid:2016552; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/annonce.php?"; nocase; content:"secteur="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013226; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; http.uri; content:"/1234.functions"; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:command-and-control; sid:2016599; rev:5; metadata:created_at 2012_10_26, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; http.uri; content:"/alotWorkTask.aspx?no="; content:"&uid="; content:"&ti="; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameThief Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/count/bindplugin.ini"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:command-and-control; sid:2016637; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stream?id="; http.header; content:"googleusercontent.com|0d 0a|"; reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:7; metadata:created_at 2011_06_06, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Depyot.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/pdf.php?id="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740; classtype:command-and-control; sid:2016638; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Suspicious *.cu.cc domain"; flow:to_server,established; http.header; content:".cu.cc|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2013242; rev:4; metadata:created_at 2011_07_09, former_category HUNTING, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus User-Agent(z00sAgent)"; flow:to_server,established; http.user_agent; content:"z00sAgent"; startswith; reference:md5,e94fb19f3a38f9b2a775b925e4c0abe3; classtype:trojan-activity; sid:2016710; rev:4; metadata:created_at 2013_04_02, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; http.uri; content:"?id="; content:"&time="; content:"&imei="; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:4; metadata:created_at 2011_05_26, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; http.stat_code; content:"301"; http.stat_msg; content:"Moved Permanently"; http.location; content:"/update/winword.pkg"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016713; rev:3; metadata:created_at 2013_04_04, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely)"; flow:established,to_server; http.uri; content:"/t/d2hsdWF3OzJ0OHY5Oj0,cyJtI"; reference:url,doc.emergingthreats.net/2008232; classtype:command-and-control; sid:2008232; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Infection or Config URL Request"; flow:established,to_server; http.uri; content:"/file.php|7C|file="; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:3; metadata:created_at 2013_04_09, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Jadtre Retrieving Cfg File"; flow:established,to_server; http.uri; content:"/tool/mavatarcfg/"; content:".cfg"; pcre:"/\x2F(?:data|main|patch)\x2Ecfg/"; classtype:trojan-activity; sid:2013286; rev:3; metadata:created_at 2011_07_19, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel File.php CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/administrator/templates/system/html/file.php"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016739; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; http.user_agent; content:"WORKED"; classtype:trojan-activity; sid:2012909; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Content.php CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/administrator/modules/mod_menu/tmpl/content.php"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016740; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013303; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Pro File.php CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pro/file.php"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016741; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013304; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Citadel Conf.bin Download From CnC Server"; flow:established,to_client; http.header; content:"filename=|22|%2e/files/conf.bin|22|"; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016743; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013305; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Getting Template"; flow:to_server,established; http.uri; content:"/lnd/template="; fast_pattern; pcre:"/\/[a-z0-9]+$/i"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT 5.1|3b|"; classtype:trojan-activity; sid:2016749; rev:3; metadata:created_at 2013_04_10, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013306; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Process List Dump"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&pl=|5b|System|20|Process"; content:"svchost.exe"; content:"&r="; content:"&g="; content:"&s="; content:"&c="; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013307; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent MyAgrent"; flow:established,to_server; http.user_agent; content:"MyAgrent"; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; content:"page="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013308; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TCYWin.Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"TCYWinHTTPDownload"; reference:md5,4cfe5674d9f33804572ae0d14f0c941b; classtype:trojan-activity; sid:2014305; rev:4; metadata:created_at 2012_03_05, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; content:"page="; nocase; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013309; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface C&C availability check"; flow:established,to_server; flowbits:set,ET.koobfacecheck; http.method; content:"POST"; nocase; http.uri; content:"/achcheck.php"; nocase; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010151; classtype:command-and-control; sid:2010151; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; http.uri; content:"/mfc71"; nocase; pcre:"/^[a-z]{2,3}\.dll/Ri"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.request_body; content:"current_version="; pcre:"/^[a-z0-9]{196}/Ri"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; http.uri; content:"/Submit.aspx?ver="; content:"&sys="; content:"&imei="; content:"&ua="; content:"&pro="; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:command-and-control; sid:2013316; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 1"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"JnN1cmk9"; distance:0; fast_pattern; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016793; rev:6; metadata:created_at 2013_04_27, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pamesg/ArchSMS.HL CnC Checkin"; flow:established,to_server; http.uri; content:".php?aid="; content:"&uncv="; content:"&skey="; reference:md5,00068992bc003713058a17d50d9e3e14; classtype:command-and-control; sid:2013345; rev:3; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 2"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"mc3VyaT0"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016814; rev:5; metadata:created_at 2013_05_03, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; http.method; content:"PUT"; http.request_body; content:"<title>.|3a 3a|[+] Defaced by "; nocase; classtype:web-application-attack; sid:2013365; rev:3; metadata:created_at 2011_08_05, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 3"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"ZzdXJpP"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016815; rev:5; metadata:created_at 2013_05_03, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/info.php?pid="; content:"&bo_table="; content:"&wr_id="; content:"&mac="; classtype:command-and-control; sid:2013375; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/login.cgi"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016819; rev:6; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (kill)"; flow:established,to_server; http.uri; content:"/kill/"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013367; rev:5; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"Opera/9.80"; depth:10; content:"Edition Yx|3b| ru"; fast_pattern; distance:0; classtype:trojan-activity; sid:2016034; rev:4; metadata:created_at 2012_12_14, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (sleep)"; flow:established,to_server; http.uri; content:"/sleep"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013368; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/downloads/IPFilter.exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; reference:md5,c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:command-and-control; sid:2016844; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyloggerOnline Keylogger Checkin (go https)"; flow:established,to_server; http.uri; content:"/https"; http.header; content:"User-Agent|3a 20|Internet Explorer|0d 0a|Host|3a 20|"; depth:37; content:!"|0d 0a|Accept"; reference:md5,06b783d348a4f9d72bf743c8262778ef; classtype:command-and-control; sid:2013369; rev:4; metadata:created_at 2011_08_05, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tosct.B UA Mandiant APT1 Related"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:targeted-activity; sid:2016431; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; http.uri; content:"==/count.htm"; reference:md5,03abdc31d0f864c7b69b09d6481d3ff7; classtype:command-and-control; sid:2013386; rev:3; metadata:created_at 2011_08_09, former_category MALWARE, updated_at 2020_04_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[a-z]\/$/Ui"; http.user_agent; content:"(compatible|3b|"; content:"|20|MSIE|20|"; distance:0; content:"(Compatible|3b|"; fast_pattern; distance:0; classtype:command-and-control; sid:2016829; rev:4; metadata:created_at 2013_05_07, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hupigon.B User Agent TSDownload"; flow:established,to_server; http.header; content:"User-Agent|3A 20|TSDownload"; classtype:trojan-activity; sid:2013392; rev:3; metadata:created_at 2011_08_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 1"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad"; depth:3; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/i"; http.user_agent; content:"Microsoft BITS/"; depth:15; classtype:command-and-control; sid:2015957; rev:8; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Skintrim CnC Checkin"; flow:established,to_server; http.uri; content:"/binaries/bin.php?id="; content:"&plateform="; content:"&mh="; content:"&me="; classtype:command-and-control; sid:2013396; rev:3; metadata:created_at 2011_08_10, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; http.user_agent; content:"EMSFRTCBVD"; depth:10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:3; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Winshow User Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|WinShow Installer"; classtype:trojan-activity; sid:2013401; rev:3; metadata:created_at 2011_08_11, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE)"; flow:established,to_server; http.user_agent; content:"DSMBVCTFRE"; nocase; depth:10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016882; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability"; flow:established,to_server; http.uri; content:"/snarf_ajax.php?"; nocase; content:"url="; content:"ajax="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/103179/tikiwiki7-xss.txt; classtype:web-application-attack; sid:2013434; rev:4; metadata:created_at 2011_08_19, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(MBESCVDFRT)"; flow:established,to_server; http.user_agent; content:"MBESCVDFRT"; nocase; depth:10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016883; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jfeedback"; nocase; content:"controller="; nocase; reference:url,xforce.iss.net/xforce/xfdb/57654; classtype:web-application-attack; sid:2013433; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(TCBFRVDEMS)"; flow:established,to_server; http.user_agent; content:"TCBFRVDEMS"; nocase; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016884; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=eshop-orders.php"; nocase; content:"viewemail="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013427; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMOMAKE)"; flow:established,to_server; http.user_agent; content:"DEMOMAKE"; nocase; depth:8; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016885; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=eshop-orders.php"; nocase; content:"action="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013426; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(vbusers)"; flow:established,to_server; http.user_agent; content:"vbusers"; nocase; depth:7; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016891; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=eshop-templates.php"; nocase; content:"eshoptemplate="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013425; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(folderwin)"; flow:established,to_server; http.user_agent; content:"folderwin"; nocase; depth:9; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016892; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Chekafe.D User-Agent my_check_data On Off HTTP Port"; flow:established,to_server; http.header; content:"User-Agent|3A 20|my_check_data"; classtype:trojan-activity; sid:2013446; rev:3; metadata:created_at 2011_08_22, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(smaal)"; flow:established,to_server; http.user_agent; content:"smaal"; nocase; depth:5; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016893; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/NetShare User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|netsharingsite.com"; classtype:trojan-activity; sid:2013445; rev:4; metadata:created_at 2011_08_22, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(nento)"; flow:established,to_server; http.user_agent; content:"User-Agent|3a| nento|0d 0a|"; nocase; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016894; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downadup/Conficker A or B Worm reporting"; flow:to_server,established; http.uri; content:"/search?q="; pcre:"/^[0-9]{1,3}(?:&aq=7(?:\?[0-9a-f]{8})?)?$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; classtype:trojan-activity; sid:2009024; rev:14; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(bugmaal)"; flow:established,to_server; http.user_agent; content:"bugmaal"; nocase; depth:7; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016895; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troxen Downloader Checkin"; flow:established,to_server; http.uri; content:"/active_count.php?"; content:"?mac="; content:"&pid="; reference:md5,c936b15a8f7a3732bc16ee36693831ec; classtype:command-and-control; sid:2013450; rev:4; metadata:created_at 2011_08_23, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"MyHttpClient"; depth:12; http.request_body; content:"tit="; fast_pattern; depth:4; content:"&cont="; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016866; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"/softwareProductLink?"; content:"productSetId="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:3; metadata:created_at 2011_08_24, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(FMBVDFRESCT)"; flow:established,to_server; http.user_agent; content:"FMBVDFRESCT"; nocase; depth:11; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016881; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013471; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registration Rev3"; flow:established,to_server; http.uri; content:"/gate.php?id="; pcre:"/^[a-z]{15}$/R"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016909; rev:4; metadata:created_at 2013_05_22, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013470; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Get Command Rev3"; flow:established,to_server; http.uri; content:"/get"; endswith; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016910; rev:4; metadata:created_at 2013_05_22, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013469; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Safe User Agent Fantasia"; flow:established,to_server; http.user_agent; content:"Fantasia"; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; classtype:trojan-activity; sid:2016934; rev:4; metadata:created_at 2013_05_29, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013468; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vobfus Check-in"; flow:established,to_server; http.uri; content:".php?page="; content:"&style=LED_g&nbdigits="; distance:0; fast_pattern; http.user_agent; content:"Opera"; nocase; depth:5; classtype:trojan-activity; sid:2016940; rev:4; metadata:created_at 2013_05_29, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/guestbook/blocks/control.block.php?"; nocase; content:"lang="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/93285/diycms-rfi.txt; classtype:web-application-attack; sid:2013466; rev:4; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Checkin"; flow:established,to_server; http.uri; content:"/cntr.php?b="; nocase; content:"&c="; nocase; content:"&d="; nocase; reference:url,doc.emergingthreats.net/2002959; classtype:command-and-control; sid:2002959; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sublink.php?"; nocase; content:"langval="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/104292/easysiteedit-rfi.txt; classtype:web-application-attack; sid:2013465; rev:4; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Win32.Bicololo Checkin"; flow:established,to_server; flowbits:set,ET.Bicololo.Request; http.method; content:"GET"; http.uri; content:"/stat/"; nocase; pcre:"/^[a-z]{3,4}\/\d{1,4}$/R"; reference:md5,252c95327ce556a21bdd7e9a322e206c; reference:url,www.virusradar.com/Win32_Bicololo.A/description; classtype:command-and-control; sid:2016946; rev:4; metadata:created_at 2013_05_31, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.doc.exe in HTTP URL"; flow:to_server,established; http.uri; content:".doc.exe"; nocase; classtype:bad-unknown; sid:2013475; rev:3; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Backdoor.Linux.Tsunami Outbound HTTP request"; flow:established,to_server; http.header; content:"|3a|80|0d 0a|"; http.user_agent; content:"Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)"; reference:url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html; classtype:trojan-activity; sid:2016949; rev:4; metadata:created_at 2013_05_31, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.pdf.exe in HTTP URL"; flow:to_server,established; http.uri; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2013476; rev:3; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/info/privacy_security.htm"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"microsoft.com"; endswith; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:6; metadata:created_at 2013_06_05, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ungallery/source_vuln.php?"; nocase; content:"pic="; nocase; reference:url,packetstormsecurity.org/files/view/99004/RhinOS3.0r1113-lfi.txt; classtype:web-application-attack; sid:2013464; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/picture.php"; endswith; http.header_names; content:!"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; http.connection; content:"Keep-Alive"; bsize:10; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:command-and-control; sid:2016368; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; http.header; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:5; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KimJongRAT cnc exe pull"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"subject="; nocase; depth:8; content:"&data="; nocase; pcre:"/^subject=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})_(?:(?:list|que)_done|ini(?:_done)?)&data/"; reference:url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf; classtype:command-and-control; sid:2017009; rev:6; metadata:created_at 2013_06_13, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Meredrop/Nusump Checkin"; flow:established,to_server; http.uri; content:"?id="; content:"&co="; content:"&us="; content:"&os="; content:"&vr="; content:"&dt="; fast_pattern; reference:md5,463cdec2df12a04d6ea1d015746ee950; reference:md5,ef0616d75bd892ed69fe22a510079686; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857; classtype:command-and-control; sid:2011489; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina Checkin"; flow: established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Alina v"; http.request_body; content:"act="; content:"&b="; content:"&c="; content:"&v="; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:command-and-control; sid:2016837; rev:7; metadata:created_at 2013_05_09, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; http.uri; content:"/WiPlayer?movieid="; http.host; content:"movies.netflix.com"; bsize:18; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:3; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina User-Agent(Alina)"; flow: established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Alina v"; depth:7; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016838; rev:6; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; http.user_agent; content:"Software Update|2F|"; startswith; content:"|20|Darwin|2F|"; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:4; metadata:created_at 2011_08_31, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE VBulletin Backdoor CMD inbound"; flow:established,to_server; http.header; content:"HTTP_ECMDE|3a|"; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017111; rev:5; metadata:created_at 2013_07_05, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lalus Trojan Downloader Checkin"; flow:established,to_server; http.uri; content:".php?guid="; content:"&h="; content:"&v="; content:"&affid="; content:"&update="; content:"&brand="; classtype:command-and-control; sid:2013509; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 URI Structure"; flow:established,to_server; http.uri; content:"/ss?t=f&"; depth:8; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017112; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lalus Trojan Downloader User Agent (Message Center)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Message Center|0D 0A|"; classtype:trojan-activity; sid:2013510; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 Domain"; flow:established,to_server; http.header; content:"adabeupdate.com|0d 0a|"; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017113; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Loader Request List.php"; flow:established,to_server; http.uri; content:"/list.php?c="; depth:12; content:"&v="; pcre:"/c\x3d[0-9a-f]{100}/i"; classtype:trojan-activity; sid:2013518; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_02, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay Checkin"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"filename=|22|"; pcre:"/^\d+?\x22/R"; classtype:command-and-control; sid:2017264; rev:3; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Revolution"; reference:md5,1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:3; metadata:created_at 2011_09_06, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/$/"; http.user_agent; content:"|3b|Windows"; nocase; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:command-and-control; sid:2017262; rev:6; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; http.uri; content:"?op="; content:"&macaddress="; content:"&pcname="; content:"&nomeusuario="; content:"&serialhd="; content:"&versaowindows="; content:"&versaoatual="; content:"&arquivosplugins="; content:"&origem="; classtype:command-and-control; sid:2013546; rev:3; metadata:created_at 2011_09_06, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Outbound Communication"; flow:established,to_server; http.header; content:"Accept-Language|3a 20|en-en|0d 0a|"; http.user_agent; content:"|3b|Windows|20|"; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:16; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Landing Page"; flow:established,to_server; http.uri; content:".cgi?p="; content:"&i="; content:"&j="; content:"&m="; content:"&h="; content:"&u="; content:"&q="; content:"&t=201"; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23514; classtype:trojan-activity; sid:2013332; rev:5; metadata:created_at 2011_07_27, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rovnix.I Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ld.aspx?key="; startswith; http.header_names; content:!"Accept|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.user_agent; content:"FWVersionTestAgent"; depth:18; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:command-and-control; sid:2017279; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_ext_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/bug_actiongroup_ext_page.php?"; nocase; content:"action="; nocase; classtype:web-application-attack; sid:2013563; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.asp?newsid="; fast_pattern; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:command-and-control; sid:2017326; rev:3; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/bug_actiongroup_page.php?"; nocase; content:"action="; nocase; classtype:web-application-attack; sid:2013564; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/search.asp"; fast_pattern; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:command-and-control; sid:2017325; rev:5; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pranian Group e107 page Parameter Cross Site Scripting Vulnerability Attempt"; flow:established,to_server; http.uri; content:"/plugins/pviewgallery/pviewgallery.php?"; nocase; content:"album="; nocase; content:"page="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; classtype:web-application-attack; sid:2013567; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"[System Process]|0a|"; depth:17; classtype:trojan-activity; sid:2011364; rev:6; metadata:created_at 2010_09_28, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OneFileCMS p parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/onefilecms.php?"; nocase; content:"p="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; classtype:web-application-attack; sid:2013568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Spy.KeyLogger.OCI CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"pcname="; depth:7; content:"&note="; distance:0; content:"&country="; distance:0; content:"&user="; distance:0; content:"&log="; distance:0; reference:url,www.virusradar.com/en/Win32_Spy.KeyLogger.OCI/description; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis/; classtype:command-and-control; sid:2017343; rev:3; metadata:created_at 2013_08_19, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (fsize)"; flow:to_server,established; http.uri; content:"/fsize.php?name="; content:"/WF-update.log"; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013670; rev:3; metadata:created_at 2011_09_19, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Related Lame Updater User-Agent"; flow:established,to_server; http.user_agent; content:"LameUpdater"; depth:11; classtype:trojan-activity; sid:2017347; rev:5; metadata:created_at 2011_04_07, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013673; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Napolar.A Getting URL"; flow:to_server,established; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36|0d 0a|Host"; fast_pattern; depth:126; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017362; rev:3; metadata:created_at 2013_08_21, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013674; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Win32/Napolar.A URL Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:3; metadata:created_at 2013_08_22, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013675; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Dirtjump Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"req="; depth:4; pcre:"/^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{19})?$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:command-and-control; sid:2017385; rev:3; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013676; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT-12 Related C2"; flow:to_server,established; http.uri; content:"/url.asp?"; content:"-ShowNewsID-"; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:targeted-activity; sid:2017386; rev:3; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013677; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess P2P Module v6 Reporting"; flow:to_server,established; http.uri; content:"dj02LjAmaWQ9"; offset:13; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,dnsamplificationattacks.blogspot.gr/p/blog-page.html; classtype:trojan-activity; sid:2017462; rev:3; metadata:created_at 2013_09_13, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jr_questionnaire"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt; classtype:web-application-attack; sid:2013678; rev:4; metadata:created_at 2011_09_19, updated_at 2020_04_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M9 (set)"; flow:established,to_server; content:"|a5 20 94 f5|"; depth:4; fast_pattern; content:"|6d 54 21|"; distance:1; within:3; flowbits:set,ET.Parallax-9; flowbits:noalert; reference:md5,1b3f8c92d5d1ace34fa4dc2dd80c3eb7; classtype:command-and-control; sid:2030027; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_25, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2020_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ezrealty"; nocase; content:"task="; nocase; content:"id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt; classtype:web-application-attack; sid:2013680; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M9"; flow:established,to_client; content:"|a5 20 94 f5|"; depth:4; fast_pattern; content:"|6d 54 21|"; distance:1; within:3; flowbits:isset,ET.Parallax-9; reference:md5,1b3f8c92d5d1ace34fa4dc2dd80c3eb7; classtype:command-and-control; sid:2030039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_25, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2020_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS American Bankers Association Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Search2/searchaba.aspx?"; nocase; content:"SearchPhrase="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/103855/aba-xss.txt; classtype:web-application-attack; sid:2013681; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.largefamiliesonpurpose.com"; bsize:31; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030028; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simplis CMS download_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"action=do_download"; nocase; content:"download_file="; nocase; reference:url,packetstormsecurity.org/files/view/99797/simpliscms-disclose.txt; classtype:web-application-attack; sid:2013682; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.monalisapizzeriasi.com"; bsize:27; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030029; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; http.header; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:2100541; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"basa.nutarborg.com"; bsize:18; reference:md5,f461bf12c4d3ed1d25af638d9f21ca0f; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030030; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; threshold:type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 (iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:5; metadata:created_at 2011_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC"; flow:established,to_server; http.uri; content:"/gr-mail/tr-mail.php"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017464; rev:4; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; threshold: type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 |28|iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013408; rev:7; metadata:created_at 2011_08_12, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zzinfor.A Retrieving Instructions From CnC Server"; flow:established,to_server; http.uri; content:"/static/hotkey.txt"; http.header_names; content:!"User-Agent"; content:!"Accept-"; reference:md5,7e37a407a8fb0df3b2835419ad16f500; reference:md5,422b926dbbe03d0e4555328282c8f32b; classtype:command-and-control; sid:2017489; rev:4; metadata:created_at 2013_09_19, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013704; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.Mevade.FBV CnC Beacon"; flow:established,to_server; urilen:42; http.uri; content:"/updater/"; pcre:"/^[a-f0-9]{32}\/[0-9]$/Ri"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/; reference:url,blog.damballa.com/archives/2135; classtype:command-and-control; sid:2017490; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_09_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013705; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Reports/install-report.php"; content:"abbr="; http.user_agent; content:"TALWinInetHTTPClient"; reference:url,doc.emergingthreats.net/2010241; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010241; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013706; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT.Agtid callback"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Agtid|3a 20|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2017511; rev:4; metadata:created_at 2013_09_24, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013707; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-sending"; nocase; content:".exe"; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:command-and-control; sid:2017517; rev:6; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013708; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; flowbits:set,ET.Hiloti; http.uri; content:"/get"; nocase; content:".php?c="; nocase; distance:0; content:"&d="; nocase; distance:0; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2010071; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?"; nocase; content:"abspath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt; classtype:web-application-attack; sid:2013709; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mevade Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/attachments/ip.php"; classtype:command-and-control; sid:2017558; rev:4; metadata:created_at 2013_10_05, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upload/tfu_upload.php?"; nocase; content:"workaround_dir="; nocase; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013711; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLocker EXE Download"; flow:to_server,established; http.uri; content:"/crypt_"; content:"sell"; distance:0; content:".exe"; distance:0; pcre:"/\/crypt_[^\/]*?sell[^\/]*?\d\.exe$/"; classtype:trojan-activity; sid:2017583; rev:6; metadata:created_at 2013_10_12, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery install_path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/admin/tfu_login.php?"; nocase; content:"install_path="; nocase; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013712; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan Update officeaddinupdate.xml Request"; flow:established,to_server; http.uri; content:"/officeaddinupdate.xml"; bsize:22; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017586; rev:4; metadata:created_at 2013_10_14, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joostina CMS users component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_users"; nocase; content:"user="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100853/joostinausers-sql.txt; classtype:web-application-attack; sid:2013713; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"name=|22|key|22|"; nocase; content:"filename=|22|key.bin|22|"; nocase; content:"name=|22|data|22|"; nocase; content:"filename=|22|data.bin|22|"; nocase; reference:md5,c71416a9ec5414fe487167b5bfd921ec; classtype:trojan-activity; sid:2017620; rev:5; metadata:created_at 2013_10_21, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent BGroom"; flow:established,to_server; http.header; content:"User-Agent|3A 20|BGroom"; classtype:trojan-activity; sid:2013717; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"X-Sinkhole|3a 20|"; nocase; classtype:trojan-activity; sid:2016803; rev:6; metadata:created_at 2013_05_01, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (Tiny)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|tiny|0D 0A|"; classtype:trojan-activity; sid:2013718; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TRAT proxy component user agent detected"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0.1.3|3b 20|"; nocase; fast_pattern; reference:url,www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html; classtype:trojan-activity; sid:2017646; rev:6; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/OnLineGames GetMyIP Style Checkin"; flow:established,to_server; http.uri; content:".asp?ID="; content:"&Action=GetMyIP"; classtype:command-and-control; sid:2013728; rev:3; metadata:created_at 2011_10_01, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.request_body; content:"b=1&name="; depth:9; fast_pattern; content:"&uuid="; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017643; rev:5; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rokquickcart"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/view/96804/joomlarokquickcart-lfi.txt; classtype:web-application-attack; sid:2013738; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Badur.Spy User Agent lawl"; flow:established,to_server; http.header; content:"User-Agent|3a 20|lawl"; reference:md5,4f5d28c43795b9c4e6257bf26c52bdfe; classtype:trojan-activity; sid:2017655; rev:5; metadata:created_at 2013_11_01, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; http.uri; content:"/gate.php?hwid="; nocase; content:"&pc="; nocase; content:"&localip="; nocase; content:"&winver="; nocase; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:command-and-control; sid:2013748; rev:5; metadata:created_at 2011_09_24, former_category MALWARE, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment"; flow:established,to_client; http.header; content:" filename=|22|%2e/files/"; nocase; pcre:"/^[^\x22\x2f\r\n]+?\x22\r\n/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016742; rev:7; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2"; flow:established,to_server; http.uri; content:"/phpThumb.demo.random.php?"; nocase; content:"dir="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Schneebly Posting ScreenShot"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/viewimage.php?s="; nocase; content:!"&"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"filename="; content:"JFIF"; distance:0; reference:url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017689; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Redirect Component view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_redirect"; content:"view="; nocase; reference:url,packetstormsecurity.org/files/view/96608/joomlaredirect-lfi.txt; classtype:web-application-attack; sid:2013764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Variant CnC Beacon 1"; flow:established,to_server; http.uri; content:"/rssfeed.php?a="; pcre:"/^[^&]+?&\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017690; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013762; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Varient CnC Beacon 2"; flow:established,to_server; http.uri; content:"/psp.php?p="; content:"&g="; content:"&s="; content:"&t="; content:"&r="; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017691; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013760; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FaceBook IM & Web Driven Facebook Trojan Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tsone/ajuno.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"u="; depth:2; content:"&p="; distance:0; content:"&l="; distance:0; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017697; rev:6; metadata:created_at 2013_11_08, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013759; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Download Executable"; flow:established,to_server; http.uri; content:"/gate.php?cmd=getinstallconfig"; fast_pattern; endswith; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016902; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Zingiri webshop plugin Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?"; nocase; content:"wpabspath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt; classtype:web-application-attack; sid:2013758; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013763; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital checkin"; flow:established,to_server; http.uri; content:".php?subid="; content:"&os="; distance:0; content:"&id="; distance:0; content:"&ver="; distance:0; classtype:command-and-control; sid:2017710; rev:4; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.o)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|o|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029962; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sisproc update"; flow:to_server,established; http.uri; content:"/poll/update.txt"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:6; metadata:created_at 2013_11_16, updated_at 2020_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.chan)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|chan|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029965; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; urilen:10; flowbits:set,et.GENOME.AV; http.method; content:"GET"; http.uri; content:"/other.txt"; fast_pattern; http.header; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:4; metadata:created_at 2013_11_25, updated_at 2020_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.dyn)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|dyn|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029959; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DirCrypt.Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; fast_pattern; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,johannesbader.ch/2015/03/the-dga-of-dircrypt; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; classtype:command-and-control; sid:2017308; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.lib)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|lib|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029970; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Zbot EXE filename Dec 09 2013"; flow:established,to_server; http.uri; content:"/bc.exe"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2017818; rev:3; metadata:created_at 2013_12_10, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:" OR sqlspider"; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:3; metadata:created_at 2011_10_19, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; startswith; content:"&info="; distance:0; pcre:"/^id=[A-Z0-9]+?&info=[A-Z0-9]+?$/"; classtype:command-and-control; sid:2017839; rev:3; metadata:created_at 2013_12_12, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP Request for gift.exe"; flow:established,to_server; http.uri; content:"/gift.exe"; classtype:trojan-activity; sid:2013780; rev:3; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MovieStar.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p3oahin/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017855; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Paros Proxy Scanner Detected"; flow:to_server,established; http.user_agent; content:"Paros/"; startswith; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; classtype:attempted-recon; sid:2008187; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Snake.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ke3chang/Directx.aspx?r="; depth:25; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017856; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Tdss User Agent Detected (Mozzila)"; flow:established,to_server; http.header; content:"User-Agent\: Mozzila"; reference:url,doc.emergingthreats.net/2010889; classtype:trojan-activity; sid:2010889; rev:4; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/MYWEB/SearchX.ASpX?id1="; depth:24; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017857; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unruy Downloader Checkin"; flow:established,to_server; http.uri; content:".php?U="; content:"@"; pcre:"/\.php\?U=\d+@\d+@\d+@\d+@\d+@[a-f0-9]+$/"; reference:url,ddanchev.blogspot.com/2010/03/copyright-lawsuit-filed-against-you.html; reference:url,isc.sans.org/diary.html?storyid=8497; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.STM&VSect=T; reference:url,doc.emergingthreats.net/2010975; classtype:command-and-control; sid:2010975; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Dream.APT Campaign CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/shfam9y/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017859; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:15; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASNAROK Related Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"sophosefirewallupdate.com"; bsize:25; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030032; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; classtype:policy-violation; sid:2013400; rev:8; metadata:created_at 2011_08_11, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Eourdegh/Swdfrp.ASpX?id1="; depth:26; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a; classtype:targeted-activity; sid:2017860; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/vars.inc.php?"; nocase; content:"_SESSION[SCRIPT_PATH]="; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009181; classtype:web-application-attack; sid:2009181; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Feed404 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/feed404/mysfeeds.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017867; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Rentventory SQL Injection Attempt"; flow:to_server,established; http.uri; content:"/patch/?product="; nocase; content:"&panel=rent/select_time"; nocase; reference:url,www.milw0rm.com/exploits/9081; reference:url,doc.emergingthreats.net/2009513; classtype:web-application-attack; sid:2009513; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Images CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/images/gx.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017868; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/cart.php?"; nocase; content:"a="; nocase; content:"templatefile="; nocase; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; classtype:web-application-attack; sid:2013818; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Get Final Payload Request"; flow:established,to_server; http.uri; content:"/get/"; content:"/final"; http.cookie; content:"ip="; depth:3; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}/R"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017870; rev:4; metadata:created_at 2013_12_17, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wpeasystats/export.php?"; nocase; content:"homep="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/46069; reference:url,spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos; classtype:web-application-attack; sid:2013817; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mevade.Variant CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F(?:policy|cache)$/"; http.header; content:"uuid|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|C8 71 04 ED 87 F6 DD 77 87|"; depth:9; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:command-and-control; sid:2017959; rev:3; metadata:created_at 2014_01_12, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/layout/plain.footer.php?"; nocase; content:"mainnav="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt; classtype:web-application-attack; sid:2013815; rev:4; metadata:created_at 2011_10_31, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kishop.A checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:".php?mark="; content:"&type="; content:"&theos="; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:command-and-control; sid:2017964; rev:3; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; http.host; content:".dlinkddns.com"; endswith; classtype:bad-unknown; sid:2013311; rev:4; metadata:created_at 2011_07_26, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http.request_body; content:"m"; depth:1; pcre:"/^(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/R"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017917; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBSng str Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/util/show_multistr.php?"; nocase; content:"str="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,50468; classtype:web-application-attack; sid:2013871; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/wow/wow.asp"; depth:12; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"&WOWID="; depth:7; content:"&Area="; distance:0; content:"&WU="; distance:0; content:"&WP="; distance:0; content:"&MAX="; distance:0; content:"&Gold="; distance:0; content:"&Serv="; distance:0; content:"&rn="; distance:0; content:"&key="; distance:0; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:command-and-control; sid:2017970; rev:4; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mole Group Vacation Estate Listing Script Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/properties_view.php?"; nocase; content:"editid1="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/7626; classtype:web-application-attack; sid:2013872; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye C&C Check-in URI"; flow:established,to_server; http.uri; content:"guid="; content:"ver="; content:"stat="; fast_pattern; content:"ie="; content:"os="; pcre:"/(\?|&)guid=[^!&]+?\!/"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:command-and-control; sid:2011857; rev:7; metadata:created_at 2010_10_27, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013873; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Limitless Logger RAT HTTP Activity"; flow:established,to_server; http.uri; content:"/Limitless/Login/"; http.host; content:"limitlessproducts.org"; classtype:trojan-activity; sid:2018030; rev:3; metadata:created_at 2014_01_28, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013877; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download MessageBox"; flow:established,to_server; http.uri; content:"/MessageBox.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018038; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 1024 CMS filename Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/modules/forcedownload/force_download.php?"; nocase; content:"filename="; reference:url,exploit-db.com/exploits/18000; classtype:web-application-attack; sid:2013885; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download ComputerInfo"; flow:established,to_server; http.uri; content:"/ComputerInfo.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018039; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; pcre:"/abspath=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download WalletSteal"; flow:established,to_server; http.uri; content:"/WalletSteal.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018040; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Second Life setup download"; flow:established,to_server; http.uri; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:4; metadata:created_at 2011_11_11, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forumdisplay.php?fid="; http.request_body; content:"id="; depth:3; content:"&info="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:command-and-control; sid:2018047; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; http.user_agent; content:"Ubuntu APT-HTTP|2F|"; startswith; http.host; content:"repository.backtrack-linux.org"; within:40; reference:url,www.backtrack-linux.org; classtype:targeted-activity; sid:2013914; rev:5; metadata:created_at 2011_11_16, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blackshades/Shadesrat Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"crypt"; depth:5; content:"="; within:3; reference:md5,9d11cfb7799089823483b72daec5fd2b; reference:md5,a01451eae2d47872ce796bb85f116710; classtype:command-and-control; sid:2018079; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dofoil.L Checkin"; flow:to_server,established; http.uri; content:"/index.php?cmd="; content:"&login="; content:"&ver="; content:"&bits="; reference:md5,47f2b8fcc2873f4dfd573b0e8a77aaa9; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615; classtype:command-and-control; sid:2013917; rev:5; metadata:created_at 2011_09_29, former_category MALWARE, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASNAROK Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ragnarokfromasgard.com"; bsize:22; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030034; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel login"; flow:to_server,established; http.uri; content:"/password.cgi?sptPassword="; classtype:not-suspicious; sid:2013919; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirtJumper Activity"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; http.request_body; content:"&req="; pcre:"/^\d+?=\d+?(?:&ver=\d+?)?&req=\d+?(?:&r=)?$/"; reference:md5,5474129345d9756649c871f9c8b46287; reference:md5,ff5608e00d5e6e81af9c993461479e43; classtype:trojan-activity; sid:2018094; rev:3; metadata:created_at 2014_02_07, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel password change"; flow:to_server,established; http.request_body; content:"pwdOld="; content:"pwNew="; content:"pwCfm="; classtype:not-suspicious; sid:2013920; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<html><body>hi!<|2F|body><|2F|html>"; within:30; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018097; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; http.request_body; content:"pwCfm=Dn5Ch4ng3"; classtype:web-application-attack; sid:2013921; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rshot.Backdoor File Upload CnC Beacon"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/uploadb.php?"; fast_pattern; http.request_body; content:"name=|22|archivo|22|"; content:".dmp|22|"; distance:0; reference:md5,08881eb702a1525f7792c3fef19ae9ff; classtype:command-and-control; sid:2018100; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality User-Agent (DEBUT.TMP)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|DEBUT.TMP|0D 0A|"; classtype:trojan-activity; sid:2013959; rev:3; metadata:created_at 2011_11_23, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Mask C2 Traffic"; flow:established,to_server; http.uri; content:".cgi?Group="; nocase; content:"&Ver="; nocase; content:"&Inst"; nocase; content:"&Ask="; nocase; content:"&Bn="; nocase; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:command-and-control; sid:2018105; rev:3; metadata:created_at 2014_02_11, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?app="; content:"&deviceId="; content:"&mobile="; content:"&country="; content:"&carrier="; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"something"; depth:9; http.request_body; content:"mac="; fast_pattern; depth:4; content:"&t1="; content:"&t2="; pcre:"/^mac=(?:[A-F0-9]{2}-){5}[A-F0-9]{2}&t1=/"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018108; rev:4; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; http.uri; content:"/AndroidService.aspx?imsi="; content:"&mobile="; content:"&pid="; content:"&ownerid="; content:"&testchlid="; content:"&androidver="; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_11_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackbeard Check-in"; flow:established,to_server; http.uri; content:"/task/2000"; endswith; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018120; rev:3; metadata:created_at 2014_02_12, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; http.uri; content:"/search/isavailable"; content:".php?imei="; content:"&ch="; content:"&ver="; http.user_agent; content:"adlib/"; startswith; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linkup Ransomware check-in"; flow:established,to_server; urilen:20; http.method; content:"POST"; http.uri; content:"/uplink.php?logo.jpg"; http.request_body; content:"token="; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:2018122; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tinderbox.mozilla.org showbuilds.cgi Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/showbuilds.cgi?"; nocase; content:"tree=SeaMonkey"; nocase; content:"hours="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstorm.codar.com.br/1111-exploits/tinderbox-xss.txt; classtype:web-application-attack; sid:2013980; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0)"; flow:to_server,established; http.user_agent; content:"Downloader MLR 1.0.0"; depth:20; reference:md5,c9d54e9086357491bd1fdf8d8d804dce; classtype:trojan-activity; sid:2018112; rev:5; metadata:created_at 2013_11_04, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orbis editor-body.php script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/editors/text/editor-body.php?"; nocase; content:"s="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,autosectools.com/Advisory/Orbis-1.0.2-Reflected-Cross-site-Scripting-4; classtype:web-application-attack; sid:2013981; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/FakeKakao checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"md="; content:"&fo="; content:"&ds="; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:command-and-control; sid:2018137; rev:4; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component img Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_img"; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95683/joomlaimg-lfi.txt; classtype:web-application-attack; sid:2013989; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Zapchast Checkin"; flow:to_server,established; http.uri; content:"/files/def"; fast_pattern; endswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:"AutoIt"; depth:6; reference:md5,63586aef2be494150a492d822147055a; classtype:command-and-control; sid:2018142; rev:4; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php INSERT INTO  SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013988; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon"; flow:established,to_server; http.uri; content:"/dnsmake.txt"; fast_pattern; http.user_agent; content:"Indy Library"; reference:md5,dd3e5b41238a73d627c6c48108a15452; classtype:command-and-control; sid:2018150; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013987; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE AntSword Webshell User-Agent Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|antSword/v"; fast_pattern; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030035; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013986; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Query"; dns.query; content:"rythemsjoy.club"; nocase; endswith; classtype:domain-c2; sid:2030038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013985; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoCore RAT CnC 27"; flow:to_server,established; dsize:68; content:"|40 00 00 00 fe 31 80 44 e7 eb 4a 77|"; depth:12; reference:md5,aa73e99d7e1d62265f75ccc0443a1a7f; classtype:command-and-control; sid:2029996; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web File Browser file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/webFileBrowser.php?"; nocase; content:"act=download"; nocase; content:"sortby=name"; nocase; content:"file="; nocase; reference:url,exploit-db.com/exploits/18070/; classtype:web-application-attack; sid:2013982; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?tq="; fast_pattern; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2013865; rev:8; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLix SQL Injection Vector Scan"; flow:established,to_server; http.header; content:"GET"; content:"myVAR=1234"; content:"Windows 98"; distance:36; within:120; reference:url,www.owasp.org/index.php/Category%3aOWASP_SQLiX_Project; reference:url,doc.emergingthreats.net/2008654; classtype:attempted-recon; sid:2008654; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Matsnu.L Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?text="; content:"&img_url=http"; distance:0; content:"&rpt=simage&pos="; distance:0; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:" Windows NT 5.0"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:command-and-control; sid:2018200; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.cyb)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|cyb|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029956; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"|0d 0a 0d 0a|v="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"&c="; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:command-and-control; sid:2018204; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.neo)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|03|neo|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029961; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.uri; content:".exe"; endswith; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b|MSIE 7.0|3b|Windows NT 6.0)|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018224; rev:5; metadata:created_at 2014_03_05, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.geek)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|geek|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029957; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMSHoax Riskware checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"/api.php"; http.request_body; content:"YWx0X2FwaV9iYXNlX3Vy"; depth:20; reference:md5,4b779acb1a0e726cee73fc2ca8a6a0be; classtype:command-and-control; sid:2018230; rev:3; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2020_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oz)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|02|oz|00|"; nocase; distance:0; fast_pattern; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029955; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos Infection Executable Download With Malformed Header"; flow:established,from_server; http.header; content:"Last-Modified|3a|"; http.header.raw; pcre:"/^Last-Modified\x3a(?:\s[^\r\n]{2}|[^\r\n\s]{3}),/m"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018241; rev:3; metadata:created_at 2014_03_09, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Put"; flow:established,from_client; http.uri; content:"/kys_allow_put.asp?type="; content:"&hostname="; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:3; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Beacon"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/www/cmd.php"; fast_pattern; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018249; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getgrab Command"; flow:established,to_server; http.uri; content:"cmd=getgrab"; classtype:trojan-activity; sid:2014009; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?"; pcre:"/^\d{5,}$/R"; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018250; rev:4; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getproxy Command"; flow:established,to_server; http.uri; content:"cmd=getproxy&login="; classtype:trojan-activity; sid:2014010; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Activity POST"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/pk/request.flv"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:5; metadata:created_at 2013_10_12, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getsock Command"; flow:established,to_server; http.uri; content:"cmd=getsocks&login="; classtype:trojan-activity; sid:2014011; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"gizasector.xyz"; endswith; classtype:domain-c2; sid:2030051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smokeloader getload Command"; flow:established,to_server; http.uri; content:"cmd=getload&login="; reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:4; metadata:created_at 2011_12_09, updated_at 2020_04_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fekilopol.xyz"; endswith; classtype:domain-c2; sid:2030052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:3; metadata:created_at 2011_12_10, updated_at 2020_04_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (W32/TrojanDownloader.Agent.FBF Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=analyticsonline.top"; nocase; endswith; reference:md5,c5a467fa017cf4003768e63115fcddae; classtype:domain-c2; sid:2030046; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:3; metadata:created_at 2011_12_10, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HCZR Variant Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?wqasd="; startswith; content:"&qrjatyd=imofugclqu"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,9163f1f4f16ac8ec82eaa0a274850c36; reference:url,twitter.com/3XS0/status/1255491188565688323; classtype:command-and-control; sid:2030054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Checkin User-Agent 2"; flow:established,to_server; http.header; content:"Gootkit ldr"; classtype:command-and-control; sid:2014021; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|flow|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2030049; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014022; rev:3; metadata:created_at 2011_12_13, former_category SCAN, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; http.uri; pcre:"/\?[0-9a-f]{6}$/"; http.cookie; content:"SECID="; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:8; metadata:created_at 2013_04_27, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gootkit Scanner User-Agent Outbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014023; rev:3; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; http.uri; content:"/Default.aspx?INDEX="; pcre:"/\?ID=[A-Z]{10}$/"; http.user_agent; content:!"Mozilla"; startswith; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:md5,ba45339da92ca4622b472ac458f4c8f2; reference:url,intelreport.mandiant.com/; classtype:targeted-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; urilen:37; http.uri; content:"/"; offset:2; depth:3; content:"/"; within:3; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/"; classtype:exploit-kit; sid:2014026; rev:2; metadata:created_at 2011_12_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot Loader Payload Request"; flow:established,to_server; urilen:<11; http.uri; content:".exe"; fast_pattern; http.header; content:"Mozilla/4.0|0D 0A|Host|3a|"; reference:md5,3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:6; metadata:created_at 2013_03_15, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; http.header; content:"User-Agent|3A 20|GridinSoft"; classtype:trojan-activity; sid:2013719; rev:4; metadata:created_at 2011_10_01, updated_at 2020_04_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,from_server; http.header; content:"X-Sinkholed-Domain|3a|"; reference:md5,723a90462a417337355138cc6aba2290; classtype:trojan-activity; sid:2017662; rev:4; metadata:created_at 2013_11_04, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Mozilla/5.0|20 28|Windows NT 5.1|20 3B 20|v|2E|"; fast_pattern; classtype:trojan-activity; sid:2014001; rev:5; metadata:created_at 2011_12_08, former_category USER_AGENTS, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/install/"; http.request_body; content:"q="; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018331; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hydra User-Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Hydra)"; nocase; fast_pattern; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:5; metadata:created_at 2010_09_28, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018332; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; threshold: type both, count 2, seconds 120, track by_src; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b 20|Windows NT 6.1|3b 20|en-US)|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|text|0d 0a|"; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:5; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; http.uri; content:"/access.php"; fast_pattern; http.user_agent; content:"sendfile"; depth:8; nocase; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016862; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports"; flow:established,to_server; http.uri; content:"/friendship/email_thank_you.php?"; nocase; content:"folder_id="; nocase; content:"&params_count="; nocase; content:"&nick_name="; nocase; content:"&user_email="; nocase; content:"&user_uin="; nocase; content:"&friend_nickname="; nocase; content:"&friend_contact="; nocase; reference:url,doc.emergingthreats.net/2008351; classtype:policy-violation; sid:2008351; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/install/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018345; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014061; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; http.header; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; fast_pattern; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:4; metadata:created_at 2014_01_08, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014062; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Family GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgate.php?n="; pcre:"/^[0-9A-F]{12,24}/Ri"; reference:url,www.f-secure.com/v-descs/virus_w32_virut.shtml; reference:url,doc.emergingthreats.net/2009444; classtype:trojan-activity; sid:2009444; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014063; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GreenDou Downloader User-Agent (hello crazyk)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|hello crazyk"; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; classtype:trojan-activity; sid:2018404; rev:3; metadata:created_at 2014_04_22, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014064; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/404.php?"; nocase; content:"type=stats"; nocase; content:"affid="; nocase; content:"subid="; nocase; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:6; metadata:created_at 2012_01_03, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014065; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check_value.php"; http.user_agent; content:!"User-Agent|0d 0a|"; http.request_body; content:"identifiant="; depth:12; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:command-and-control; sid:2018443; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/details_view.php?"; nocase; content:"event_id="; nocase; content:"date="; nocase; content:"view="; nocase; content:"loc="; nocase; content:"page_info_message="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:4; metadata:created_at 2012_01_02, former_category WEB_SPECIFIC_APPS, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.host; pcre:"/\x3a\d{1,5}$/"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"id="; depth:3; content:"&code="; fast_pattern; distance:0; content:"&data="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016527; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (poller)"; flow: to_server,established; http.user_agent; content:"Poller"; fast_pattern; reference:url,doc.emergingthreats.net/2002005; classtype:pup-activity; sid:2002005; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap CnC Checkin"; flow:established,to_server; http.uri; content:".cgi?s"; content:"&r="; pcre:"/\.cgi\?s(?:id)?=\d{1,12}&r=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"Cache-Control|3a| no-cache|0d 0a|"; content:"User-Agent|3a 20 2d 0d 0a|"; fast_pattern; classtype:command-and-control; sid:2013201; rev:8; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pet Listing Script type_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/preview.php?"; nocase; content:"controller="; nocase; content:"action=search"; nocase; content:"type_id="; nocase; content:"bedrooms_from="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstorm.foofus.com/1112-exploits/petlisting-xss.txt; classtype:web-application-attack; sid:2014072; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Opera/9.25 (Windows NT 6.0|3b 20|U|3b|"; fast_pattern; http.host; content:"windowsupdate.microsoft.com"; startswith; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:7; metadata:created_at 2014_04_25, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress The-Welcomizer plugin page parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/the-welcomizer/twiz-index.php?"; nocase; content:"page="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,dl.packetstormsecurity.net/1112-exploits/wpthewelcomizer-xss.txt; classtype:web-application-attack; sid:2014073; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/\/(?:[^\x2f]+?\/)?[a-z-_]+?\.(?:php|html)$/i"; http.header; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern; depth:77; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:command-and-control; sid:2017903; rev:4; metadata:created_at 2013_12_27, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014074; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.BitcoinMiner Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?user="; nocase; content:"&type="; nocase; content:"&id="; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"sysin="; fast_pattern; depth:6; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/05/16/zeuscoiner-detection-zeus-variant-engages-in-bitcoining; classtype:coin-mining; sid:2018504; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_05_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_04_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014075; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent"; flow:established,to_server; http.user_agent; content:"rome0321"; depth:8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018519; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014076; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (SBTCM)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|SBTCM|0d 0a|"; fast_pattern; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018524; rev:3; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014077; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (x09)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 09 0d 0a|"; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018529; rev:3; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014078; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (rhyno321)"; flow:established,to_server; http.user_agent; content:"rhyno321"; depth:8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018523; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"xajax=SelTheme"; nocase; content:"ajaxargs[]="; nocase; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (slayer)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|slayer"; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018525; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (Vulture)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Vulture"; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018526; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt"; flow:established,to_server; http.uri; content:"/RESTART.HTM?"; nocase; content:"NDSContext="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,exploit-db.com/exploits/17114; classtype:web-application-attack; sid:2014086; rev:5; metadata:created_at 2012_01_03, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (VHIbot/1.0)"; flow:established,to_server; http.user_agent; content:"VHIbot/1.0"; depth:10; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018527; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014087; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (xehanort321)"; flow:established,to_server; http.user_agent; content:"xehanort321"; depth:11; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018528; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014088; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Registration Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; content:".jpg"; endswith; pcre:"/^\x2fimage\x2f[A-Za-z0-9\+_-]+\.jpg$/i"; http.header; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; fast_pattern; http.referer; content:"http://www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018546; rev:7; metadata:created_at 2014_06_09, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openads row Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/libraries/lib-view-main.inc.php?"; nocase; content:"row="; nocase; pcre:"/basedir_save=\s*(?:ftps?|https?|php)\x3a\//i"; classtype:web-application-attack; sid:2013562; rev:6; metadata:created_at 2011_09_12, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pandemiya User-Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Hello 2.0"; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; classtype:trojan-activity; sid:2018553; rev:4; metadata:created_at 2014_06_10, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Checkin"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php|3F|a|3D|QQk"; reference:url,blog.fireeye.com/research/2011/03/the-rise-of-incognito.html; classtype:exploit-kit; sid:2012841; rev:6; metadata:created_at 2011_05_25, former_category EXPLOIT_KIT, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover related campaign Checkin"; flow:established,to_server; http.uri; content:"post.php?filename="; fast_pattern; content:"&folder="; distance:0; pcre:"/\/\/?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0392fb51816dd9583f9cb206a2cf02d9; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:command-and-control; sid:2018566; rev:3; metadata:created_at 2014_06_16, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; http.header; content:"Accept|3a 20|?"; classtype:trojan-activity; sid:2013974; rev:4; metadata:created_at 2011_12_01, former_category POLICY, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".su"; pcre:"/^(?:\x3a\d{1,5})?$/Ri"; classtype:trojan-activity; sid:2018570; rev:4; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:to_server,established; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; http.uri; content:"/CreatingUserAccounts.aspx"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:4; metadata:created_at 2012_01_03, updated_at 2020_04_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".pw"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/i"; classtype:trojan-activity; sid:2018571; rev:4; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected PROJECTSPY Cookie"; flow:established,to_server; http.start; content:"Cookie|3a 20|projectspy_session="; fast_pattern; reference:md5,e49040a572a2b12e5cb784e4a179d5af; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029993; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_20, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{20,}+$/"; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/i"; http.request_body; content:"<knock>"; fast_pattern; depth:7; content:"<ID>"; within:6; content:"<group>"; distance:0; content:"<version>"; distance:0; content:"<status>"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html; classtype:command-and-control; sid:2018574; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_06_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nuclear Checkin"; flow:established,to_server; http.uri; content:".htm"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; http.header; content:"HOST|3A 20|"; reference:md5,bd4af162f583899eeb6ce574863b4db6; classtype:command-and-control; sid:2014121; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Citadel Download From CnC Server /files/ attachment"; flow:established,to_client; flowbits:isset,et.citadel; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename=|22 25 32 65|/files/"; fast_pattern; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018599; rev:8; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer POSTing Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/bootstrap.php"; http.host; content:".smartiengine.com"; endswith; classtype:policy-violation; sid:2014124; rev:5; metadata:created_at 2012_01_12, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/VBKlip BAN Download"; flow:established,to_server; http.header; content:"Accept|20|Language|3a| en-us|0d 0a|"; fast_pattern; reference:url,cert.pl/news/8478/langswitch_lang/en; classtype:trojan-activity; sid:2018618; rev:3; metadata:created_at 2014_07_01, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Web Crawl - libwww-perl User Agent"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"libwww-perl/"; fast_pattern; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002935; classtype:attempted-recon; sid:2002935; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT Checkin"; flow:to_server,established; http.uri; content:".php?"; content:"email="; content:"&serverid="; content:"User|3a|"; content:"PC|3a|"; http.header_names; content:!"Referer"; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:command-and-control; sid:2018659; rev:3; metadata:created_at 2014_07_10, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P BitTorrent announce request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/announce"; content:"info_hash="; content:"event=started"; classtype:policy-violation; sid:2102180; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT User-Agent (USER_CHECK)"; flow:to_server,established; http.user_agent; content:"USER_CHECK"; depth:10; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018660; rev:4; metadata:created_at 2014_07_10, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER mod_gzip_status access"; flow:to_server,established; http.uri; content:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2102156; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Request"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uuid="; depth:5; nocase; content:"&id="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&pcname="; nocase; distance:0; fast_pattern; content:"&osver="; nocase; distance:0; content:"&timeout="; nocase; distance:0; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER globals.pl access"; flow:to_server,established; http.uri; content:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2102073; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MINEBRIDGE CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"drun_command="; depth:13; fast_pattern; content:"&drun_URL="; content:"&rundll_command="; content:"&rundll_URL="; content:"&update_command="; content:"&update_URL="; content:"&restart_command="; content:"&terminate_command="; content:"&kill_command="; content:"&poweroff_command="; content:"&reboot_command="; content:"&setinterval_command="; content:"&setinterval_time="; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Win32.Small.agoy Checkin"; flow:to_server,established; http.uri; content:"/?jutr="; fast_pattern; nocase; content:"&oo="; nocase; content:"&ra="; nocase; http.host; pcre:"/^(?:0-9]{1,3}\.){3}\d{1,3}$/"; reference:url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F; reference:md5,e491d25d82f4928138a0d8b3a6365c39; reference:url,doc.emergingthreats.net/2008859; classtype:command-and-control; sid:2008859; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activity M1"; flow:established,to_server; content:"|3a|U1Q="; distance:48; within:5; endswith; http.method; content:"GET"; http.uri; content:".php?ID="; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64|3b 20|rv:47.0) Gecko / 20100101 Chrome/73.0.3645.0"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; endswith; reference:url,www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center?utm_medium=social&utm_source=linkedin&utm_content=blog; classtype:targeted-activity; sid:2030069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drivecleaner.com Spyware User-Agent (DriveCleaner Updater)"; flow:to_server,established; http.user_agent; content:"DriveCleaner Updater"; bsize:20; reference:url,www.drivecleaner.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533; reference:url,doc.emergingthreats.net/2003486; classtype:pup-activity; sid:2003486; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_04_21, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wwwlib/title.php?ID="; depth:21; pcre:"/^[A-Za-z0-9]{48}\x3a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64|3b 20|rv:47.0) Gecko / 20100101 Chrome/73.0.3645.0"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; endswith; reference:url,www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center?utm_medium=social&utm_source=linkedin&utm_content=blog; classtype:targeted-activity; sid:2030070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"Atomic_Email_Hunter/"; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013173; rev:5; metadata:created_at 2011_07_04, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Minirem"; flow: established,to_server; urilen:>18; http.method; content:"GET"; http.uri; content:"/FC001/"; fast_pattern; depth:7; http.user_agent; content:"Microsoft Internet Explorer"; reference:md5,d92075280872b9fe4f541f090bf0076c; classtype:trojan-activity; sid:2018664; rev:7; metadata:created_at 2014_01_22, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"Atomic_Email_Hunter/"; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:5; metadata:created_at 2011_07_04, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct July 15 2014"; flow:established,to_server; http.uri; content:"/0/"; content:"Service Pack "; distance:2; within:13; pcre:"/\/0\/$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,79772d72082a082a0048569ba2dfe5a3; classtype:trojan-activity; sid:2018678; rev:4; metadata:created_at 2014_07_15, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (manager)"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:"Authorization|3a| Basic bWFuYWdlcjp"; fast_pattern; reference:url,doc.emergingthreats.net/2008455; classtype:web-application-attack; sid:2008455; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Zbot.Variant CnC Response"; flow:established,from_server; flowbits:isset,ET.zbot.ua.2106509; http.stat_code; content:"200"; http.header; content:"Content-Length|3a| 0|0d 0a|Content-Type|3a| text/html|0d 0a|"; fast_pattern; http.header_names; content:"Content-Type|0d 0a 0d 0a|"; endswith; reference:md5,0c4d7d9138de7d7919e3b3c33ac2f851; classtype:command-and-control; sid:2018764; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (tomcat)"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:"Authorization|3a| Basic dG9tY2F0"; fast_pattern; reference:url,doc.emergingthreats.net/2008454; classtype:web-application-attack; sid:2008454; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swizzor User-Agent (Swizz03r)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Swizz03r Download Agent"; nocase; depth:23; reference:md5,5d232faca6d2b082b450b8ee4e238483; classtype:trojan-activity; sid:2018765; rev:5; metadata:created_at 2013_06_04, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (default)"; flow:established,to_server; http.uri; content:".php"; http.header; content:"User-Agent|3a 20|default|0d 0a|"; fast_pattern; http.request_body; content:"mode="; depth:5; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018522; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /etc/shadow Detected in URI"; flow:to_server,established; http.uri; content:"/etc/shadow"; nocase; reference:url,en.wikipedia.org/wiki/Shadow_password; reference:url,doc.emergingthreats.net/2009485; classtype:attempted-recon; sid:2009485; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Waski.F Locker DL URI Struct Jul 25 2014"; flow:to_server,established; http.uri; content:"/wp-content/themes/"; depth:19; pcre:"/^[^\x2f]+\/[a-z0-9]+$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:3; metadata:created_at 2014_07_26, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Landing Page Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?s="; pcre:"/^[0-9a-fA-F]{25}$/R"; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:exploit-kit; sid:2014147; rev:3; metadata:created_at 2012_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Gatak Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:4; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Binary Load Request"; flow:established,to_server; http.uri; content:"/load.php?spl="; pcre:"/^[-_\w]+$/R"; classtype:exploit-kit; sid:2014148; rev:3; metadata:created_at 2012_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ddex Loader Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?t="; content:"&o="; content:"&i="; content:"&task_id="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf; classtype:trojan-activity; sid:2018895; rev:3; metadata:created_at 2014_08_05, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?h="; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:command-and-control; sid:2014162; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushdo.S CnC response"; flow:established,from_server; flowbits:isset,ET.Pushdo.S; http.header; content:"X-GeoIP-Country-Code|3a| "; content:"X-Real-IP|3a| "; reference:md5,27aef1d328da442d3bd02c50c1a6b651; classtype:command-and-control; sid:2018897; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; http.uri; content:"/gate.php?username="; content:"&country="; content:"&OS="; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:command-and-control; sid:2014164; rev:3; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BITTERBUG Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?compname="; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}_/R"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018900; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; http.uri; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; http.content_type; content:"Multipart"; reference:bugtraq,9978; classtype:web-application-activity; sid:2102547; rev:5; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Downloader Check-in"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lolo/"; startswith; fast_pattern; content:".html"; endswith; pcre:"/^\/lolo\/[0-9]+\/[0-9]+\/[0-9]+\/[0-9]+\.html$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018926; rev:4; metadata:created_at 2014_08_12, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin setinfo access"; flow:to_server,established; http.uri; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2102548; rev:4; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Click fraud Template Request"; flow:to_server,established; http.request_line; content:"GET /log/"; fast_pattern; startswith; http.uri; content:"/?id="; pcre:"/^\/log\/[0-9]+\/[0-9]+\/\?id=[0-9]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"Host|0d 0a|"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018927; rev:3; metadata:created_at 2014_08_12, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN nessus 2.x 404 probe"; flow:to_server,established; http.uri; content:"/NessusTest"; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2102585; rev:4; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nubjub.A HTTP Check-in"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php"; content:"?&mode="; fast_pattern; content:"&id="; content:"&output="; content:"&time="; reference:url,doc.emergingthreats.net/2009521; classtype:trojan-activity; sid:2009521; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SAPID get_infochannel.inc.php Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/usr/extensions/get_infochannel.inc.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/108488/sapidstable-rfi.txt; classtype:web-application-attack; sid:2014180; rev:4; metadata:created_at 2012_02_06, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Secure-Soft.Stealer Checkin"; flow:to_server,established; http.request_body; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; fast_pattern; reference:md5,c86923d90ef91653b0a61eb2fbfae202; reference:md5,0a52131eebbee1df877767875ab32352; classtype:command-and-control; sid:2013026; rev:4; metadata:created_at 2011_06_13, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mod_currencyconverter from Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/modules/mod_currencyconverter/includes/convert.php?"; nocase; content:"from="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|marquee|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109337/Joomla-Currency-Converter-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014179; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Asteria md5)"; flow:to_server,established; http.user_agent; content:"d9d385b3522b242398af91fd425b386d"; depth:32; reference:md5,56c16ad7da8cecb429dccb168aef46b7; classtype:trojan-activity; sid:2018985; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_22, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014184; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; http.uri; content:"/stat_u/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014523; rev:5; metadata:created_at 2012_04_05, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014185; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Ex-filtrating Data"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"POST /"; depth:6; fast_pattern; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018578; rev:8; metadata:created_at 2014_06_13, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014186; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/NAT/"; distance:0; fast_pattern; content:"|20|NAT/"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2a835747b7442b1d58ab30abc90d3b0f; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018683; rev:7; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014187; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"Content-Length|3a 20|59|0d 0a|Host|3a 20|"; depth:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.uri; pcre:"/^\/[\/a-z0-9]+$/i"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:command-and-control; sid:2018771; rev:6; metadata:created_at 2014_07_24, former_category MALWARE, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/VPEYE Trojan Downloader User-Agent (VP-EYE Downloader)"; flow:established,to_server; http.user_agent; content:"VP-EYE Downloader"; startswith; classtype:trojan-activity; sid:2014193; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_02_06, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo Cookie"; flow:established,to_client; http.cookie; content:"tfardci_session="; depth:16; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018770; rev:5; metadata:created_at 2014_07_24, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Being Uploaded to SendSpace File Hosting Site"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"processupload.html"; http.host; content:".sendspace.com"; endswith; fast_pattern; classtype:misc-activity; sid:2014202; rev:3; metadata:created_at 2012_02_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030092; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.MSUpdater C&C traffic GET"; flow:from_client,established; http.uri; content:".aspx?ID="; content:"para1="; distance:0; content:"para2="; distance:0; content:"para3="; distance:0; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014175; rev:4; metadata:created_at 2012_01_31, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:6; metadata:created_at 2011_05_10, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater alt checkin to CnC"; flow:established,to_server; http.uri; content:"/microsoft/errorpost/default/connect.aspx?ID="; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014211; rev:3; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HighTide trojan Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?"; depth:2; pcre:"/^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$/"; http.header; content:"Trident/5.0|29 0d 0a|"; fast_pattern; http.referer; content:"http://www.google.com/"; bsize:22; reference:md5,6e59861931fa2796ee107dc27bfdd480; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:command-and-control; sid:2019113; rev:3; metadata:created_at 2014_09_04, former_category MALWARE, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater Connectivity Check to Google"; flow:established,to_server; http.uri; content:"/search?qu="; http.user_agent; content:"Firefox/2.0.0.2"; startswith; http.request_body; content:"news"; depth:4; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014213; rev:3; metadata:created_at 2012_02_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Threebyte.APT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/UID"; fast_pattern; depth:4; content:".jsp?"; distance:0; pcre:"/^\/UID\d+\.jsp\?/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:targeted-activity; sid:2019114; rev:3; metadata:created_at 2014_09_04, former_category MALWARE, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; http.uri; content:"/ProtocolGW/protocol/commands"; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:command-and-control; sid:2014215; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php?file=cmds/main"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,19484a240a16c7faea84dcac0c38d118; classtype:command-and-control; sid:2019128; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT OSX.XSLCmd CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/compose.aspx?s="; fast_pattern; http.accept_lang; content:"zh-cn"; bsize:5; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; reference:url,fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; classtype:targeted-activity; sid:2019136; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; http.request_body; content:"passwd="; nocase; classtype:policy-violation; sid:2012886; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS User-Agent"; flow:established,to_server; http.user_agent; content:"Decebalv"; depth:8; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019161; rev:4; metadata:created_at 2014_09_11, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY HTTP POST contains pass= in cleartext"; flow:established,to_server; http.request_body; content:"pass="; nocase; classtype:policy-violation; sid:2012887; rev:4; metadata:created_at 2011_05_30, former_category POLICY, updated_at 2020_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-05-05)"; flow:established,to_client; tls.cert_subject; content:"CN=www.astedams.it"; nocase; endswith; reference:md5,9ea365c1714eb500e5f4a749a3ed0fe7; classtype:domain-c2; sid:2030101; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_05_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pwd= in cleartext"; flow:established,to_server; http.request_body; content:"pwd="; nocase; classtype:policy-violation; sid:2012888; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nspps Backdoor CnC Activity"; flow:established,to_server; http.header; content:"|0d 0a|Arch|3a 20|"; content:"|0d 0a|Cores|3a 20|"; content:"|0d 0a|Mem|3a 20|"; content:"|0d 0a|Os|3a 20|"; content:"|0d 0a|Osname|3a 20|"; content:"|0d 0a|Osversion|3a 20|"; fast_pattern; content:"|0d 0a|Root|3a 20|"; content:"|0d 0a|Uuid|3a 20|"; content:"|0d 0a|Version|3a 20|"; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030108; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_05;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passphrase= in cleartext"; flow:established,to_server; http.request_body; content:"passphrase="; nocase; classtype:policy-violation; sid:2012890; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nspps Backdoor - Sending SOCKS Details"; flow:established,to_server; http.start; content:"POST /s HTTP/1.1|0d 0a|"; http.request_body; content:"|57 7a 74 47 8c 44 c8 7c ed|"; startswith; fast_pattern; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030109; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_05;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pword= in cleartext"; flow:established,to_server; http.request_body; content:"pword="; nocase; classtype:policy-violation; sid:2012891; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE nspps Backdoor - Task Response"; flow:established,to_client; http.stat_code; content:"404"; file_data; bsize:10; content:"|62 37 55 14 af 59 9f 28 ab 34|"; fast_pattern; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030110; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jreactions mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jreactions"; nocase; content:"Itemid="; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/95431/Joomla-Jreactions-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014250; rev:4; metadata:created_at 2012_02_21, updated_at 2020_04_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"ET MALWARE Nazar Implant - Sending Ping Response to CnC"; flow:established,to_server; dsize:9; content:"|31 30 31 3b 30 30 30 30 3b|"; fast_pattern; reference:url,research.checkpoint.com/2020/nazar-spirits-of-the-past/; classtype:command-and-control; sid:2030104; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag NazarAPT, updated_at 2020_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grady Levkov id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/view-search.php?"; nocase; content:"id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109814/Grady-Levkov-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014251; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"ET MALWARE Nazar Implant - Sending Basic System Info to CnC"; flow:established,to_server; dsize:<200; content:"100|3b|"; startswith; fast_pattern; content:"|3b|"; distance:0; content:"|3b 00 00 00 00|"; endswith; reference:url,research.checkpoint.com/2020/nazar-spirits-of-the-past/; classtype:command-and-control; sid:2030105; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag NazarAPT, updated_at 2020_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Membership Site Manager Script key Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/scripts/membershipsite/manager/index.php?"; nocase; content:"action="; nocase; content:"key="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108687/PHP-Membership-Site-Manager-Script-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014252; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M1"; flow:established,to_server; http.start; bsize:22; content:"GET /START_ HTTP/1.1|0d 0a|"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014253; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EVILNUM CnC Response"; flow:established,to_client; http.response_body; content:"jifhruhajsdfg444"; fast_pattern; startswith; content:"jifhruhajsdfg444"; endswith; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030119; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014254; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JsOutProx Variant CnC Activity"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Content-Type|3a 20|application/x-www-Form-urlencoded|3b 20|Charset=UTF-8|0d 0a|"; fast_pattern; http.cookie; pcre:"/^[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; classtype:command-and-control; sid:2030114; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, signature_severity Major, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014255; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Cobalt Strike Stager Domain in DNS Query"; dns.query; content:"cylenceprotect.com"; bsize:18; nocase; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:domain-c2; sid:2030112; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014256; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win.Trojan.Chewbacca connectivity check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,www.symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2019162; rev:5; metadata:created_at 2014_08_18, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014257; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dumador Reporting User Activity"; flow:established,to_server; http.uri; content:".php?p="; nocase; content:"machineid="; nocase; content:"&connection="; nocase; content:"&iplan="; nocase; reference:url,www.norman.com/Virus/Virus_descriptions/24279/; reference:url,doc.emergingthreats.net/2002763; classtype:trojan-activity; sid:2002763; rev:9; metadata:created_at 2010_07_30, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_visa controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_visa"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109214/Joomla-Visa-SQL-Injection-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014258; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download wm.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/wm.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012460; rev:4; metadata:created_at 2011_03_10, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_eventcal mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_eventcal"; nocase; content:"Itemid="; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/94983/Joomla-Eventcal-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014259; rev:4; metadata:created_at 2012_02_21, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download cl.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cl.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012461; rev:4; metadata:created_at 2011_03_10, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; http.uri; content:"/services/javascript.php"; http.cookie; content:"href"; http.request_body; content:"file=open_calendar.js"; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:4; metadata:created_at 2012_02_21, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader requesting payload URL"; flow:established,to_server; http.uri; content:"/lurl.php?affid="; depth:16; classtype:trojan-activity; sid:2012514; rev:4; metadata:created_at 2011_03_16, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Blackhole Exploit Pack Binary Load Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?f="; fast_pattern; content:"&e="; pcre:"/^[^?#]+?\.php\?f=\w+&e=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:"User-Agent|0d 0a|"; content:"Host|0d 0a|"; distance:0; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012169; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_07, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab CnC URL Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"controller.php"; nocase; content:"action=bot"; nocase; content:"entity_list="; nocase; content:"uid="; nocase; content:"guid="; nocase; reference:url,blog.fireeye.com/.a/6a00d835018afd53ef013488839529970c-pi; classtype:command-and-control; sid:2011861; rev:5; metadata:created_at 2010_10_28, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trustezeb Checkin to CnC"; flow:established,to_server; http.uri; content:".php?id="; content:"&stat="; fast_pattern; distance:0; pcre:"/id=[A-F0-9]{20}/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; startswith; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=417; classtype:command-and-control; sid:2014283; rev:4; metadata:created_at 2012_02_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue AV Downloader concat URI"; flow:established,to_server; http.uri; content:".php?id="; content:"x="; distance:0; content:"os="; distance:0; content:"n="; distance:0; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:7; metadata:created_at 2010_11_15, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; http.uri; content:"/getip.php?action=getip&ip_url="; classtype:external-ip-check; sid:2014292; rev:3; metadata:created_at 2012_02_29, former_category POLICY, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious bot.exe Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot.exe"; nocase; reference:url,www.malwareurl.com/listing.php?domain=19eylulmusikicemiyeti.com; classtype:trojan-activity; sid:2011967; rev:4; metadata:created_at 2010_11_22, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER eval/base64_decode Exploit Attempt Inbound"; flow:established,to_server; http.uri; content:"eval|28|base64_decode|28|"; classtype:web-application-attack; sid:2014296; rev:3; metadata:created_at 2012_02_29, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/license_"; nocase; pcre:"/^[0-9A-F]{550,}\.html/Ri"; classtype:command-and-control; sid:2011969; rev:10; metadata:created_at 2010_11_23, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Koobface Variant Checkin Attempt"; flow:established,to_server; http.uri; content:"/ping.php"; http.header; content:" WinHttp.WinHttpRequest.5|29 0d 0a|"; reference:md5,62aa9e798746e586fb1f03459a970104; classtype:command-and-control; sid:2014303; rev:3; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious flash_player.exe Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/flash_player.exe"; reference:url,www.malwareurl.com/listing.php?domain=newpornmov.info; classtype:bad-unknown; sid:2011982; rev:4; metadata:created_at 2010_11_24, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Backdoor.BlackMonay Checkin"; flow:established,to_server; http.uri; content:".Php?UserName="; nocase; content:"&Bank="; nocase; content:"&Money="; nocase; http.accept_lang; content:"zh-cn"; startswith; reference:md5,4a203e37caa2e04671388341419bda69; classtype:command-and-control; sid:2014306; rev:4; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tzl/tzl.php?"; nocase; content:"hl="; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012113; rev:4; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Meciv Checkin"; flow:established,to_server; http.uri; content:"/trandocs/netstat"; nocase; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2013212; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.ini"; flow:established,to_server; http.uri; content:"/setting.ini"; nocase; reference:md5,36d9a446d6311f9a4c19865e2b62f15d; reference:md5,fcb828c0b735ea8d560a45b3bdd29b94; classtype:trojan-activity; sid:2012198; rev:6; metadata:created_at 2011_01_17, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/restAPI/v2/nmap/run/scan/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|ipAddress|22 0d 0a 0d 0a|--script="; fast_pattern; pcre:"/^\/(?:home\/a3user|root)\/agile3\/patches\//R"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029985; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.xls"; flow:established,to_server; http.uri; content:"/setting.xls"; nocase; reference:md5,fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012199; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ButorWiki service Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sso/signin?"; nocase; content:"service="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109852/ButorWiki-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014320; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc"; flow:established,to_server; http.uri; content:"/setting.doc"; nocase; reference:md5,fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012200; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS b2evolution inc_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/blogs/default.php?"; nocase; content:"inc_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014321; rev:4; metadata:created_at 2012_03_06, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cnzz.cn Related Dropper Checkin"; flow:established,to_server; http.uri; content:"?Hook1=1,Setup="; classtype:command-and-control; sid:2013790; rev:6; metadata:created_at 2011_02_27, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS b2evolution skins_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/blogs/default.php?"; nocase; content:"skins_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014322; rev:4; metadata:created_at 2012_03_06, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Download Setup_ exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Setup_"; nocase; content:".exe"; nocase; pcre:"/\/Setup_\d+\.exe$/i"; reference:url,www.malwareurl.com/listing.php?domain=antivirus-live21.com; classtype:trojan-activity; sid:2012392; rev:6; metadata:created_at 2011_03_01, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bch controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bch"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109025/Joomla-BCH-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014323; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakePAV Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/soft-usage/favicon.ico?"; nocase; pcre:"/\?0=.*\&1=.*\&2=.*\&3=.*\&4=.*\&5=.*\&6=.*\&7=.*\&8=/i"; reference:md5,f5dd61e29eff89a93c591fba7ea14d92; classtype:command-and-control; sid:2012405; rev:5; metadata:created_at 2011_03_01, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fork-CMS js.php module parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/frontend/js.php?"; nocase; content:"file="; nocase; content:"language="; nocase; content:"module="; nocase; reference:url,packetstormsecurity.org/files/109709/Fork-CMS-3.2.4-Cross-Site-Scripting-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014324; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Slugin.A PatchTimeCheck.dat Request"; flow:established,to_server; http.uri; content:"/PatchTimeCheck.dat"; nocase; classtype:trojan-activity; sid:2012616; rev:5; metadata:created_at 2011_04_01, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS starCMS q parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"r="; nocase; content:"lang="; nocase; content:"actionsuche="; nocase; content:"q="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110376/starCMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014327; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Sending Data to Controller 2"; flow:established,to_server; http.uri; content:"/cgi-bin/rokfeller3.cgi?v=11"; nocase; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:command-and-control; sid:2012800; rev:5; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_boss controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_boss"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108905/Joomla-Boss-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014328; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Tracur.Q HTTP Communication"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"fQ_fQ_fQ_fQ"; reference:url,xml.ssdsandbox.net/view/d2afc3be7357f96834ec684ab329d7e2; classtype:trojan-activity; sid:2013064; rev:4; metadata:created_at 2011_06_17, updated_at 2020_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snipsnap search Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/space/snipsnap-search?"; nocase; content:"query="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109543/Snipsnap-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014329; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.XXZBEN Downloader Activity"; flow:established,to_server; http.start; content:"Cookie|3a 20 0d 0a|Accept|3a 20|"; http.method; content:"GET"; http.uri; content:"/check?ver="; fast_pattern; content:"&os="; distance:0; content:"&binary="; distance:0; content:"&token="; distance:0; content:"&host="; distance:0; content:"&run_time="; distance:0; content:"&once="; distance:0; http.header; content:"|0d 0a|User-Agent|3a 20|User-Agent|3a 20|Mozilla"; reference:md5,113a0256fa05ece2a56b88e6285aff7a; classtype:trojan-activity; sid:2030123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Genome.aetqe Checkin"; flow:established,to_server; http.uri; content:"/stats/counterz.php?id="; content:"&stat="; reference:md5,700b7a81d1460a652e5f9f06fc54dcd6; classtype:command-and-control; sid:2014331; rev:2; metadata:created_at 2012_03_07, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EVILNUM CnC Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tran/check.php?id=&ver="; depth:24; fast_pattern; pcre:"/&ver=\d\.\d$/i"; http.accept; content:"text/html, application/xhtml+xml, */*"; depth:37; endswith; http.header_names; content:!"Referer"; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Coral Web Proxy/Content Distribution Net Use"; flow:to_server,established; http.host; content:".nyud.net"; endswith; reference:url,en.wikipedia.org/wiki/Coral_Content_Distribution_Network; classtype:policy-violation; sid:2014332; rev:2; metadata:created_at 2012_03_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE D-Link ShareCenter (DNS-320/325) RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1="; startswith; fast_pattern; reference:url,roberto.greyhats.it/advisories/20120208-dlink-rce.txt/; classtype:web-application-attack; sid:2030121; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v"; content:"/?v="; content:"&c="; pcre:"/\/v\d\.\d\.\d/"; pcre:"/\/\?v=\d/"; classtype:trojan-activity; sid:2013888; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.HLLW.Autoruner USA_Load UA"; flow:established,to_server; http.user_agent; content:"USA_Load"; depth:8; reference:url,news.drweb.com/show/?i=2440&lng=en&c=5; classtype:trojan-activity; sid:2014752; rev:4; metadata:created_at 2012_05_17, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coced.PasswordStealer User-Agent 5.0"; flow:established,to_server; http.header; content:"User-Agent|3A 20|5.0|0D 0A|"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:trojan-activity; sid:2014344; rev:3; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/wp-content/rss.php"; http.request_body; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; content:"&PASSWORD="; distance:0; content:"&ACTION="; distance:0; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:7; metadata:created_at 2012_05_30, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; http.header; content:"User-Agent|3A 20|UpdateSoft"; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:4; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/vas.php"; reference:md5,3ccc73f049a1de731baf7ea8915c92a8; reference:md5,91ce41376a5b33059744cb58758213bb; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:md5,21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015512; rev:6; metadata:created_at 2012_07_24, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smart Fortress FakeAV/Kryptik.ABNC Checkin"; flow:established,to_server; http.uri; content:"/?&affid="; fast_pattern; http.header; content:"Accept|3a| *//*|0d 0a|"; reference:md5,fa20c17e5f58e7419b4f0eed318fa95a; reference:url,support.kaspersky.com/viruses/rogue/description?qid=208286259; classtype:command-and-control; sid:2014293; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz/Asprox Activity"; flow:established,to_server; flowbits:set,ET.Kuluoz; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[A-Fa-f0-9]+|index\.php)$/"; http.header_names; content:!"Referer"; http.request_body; content:"|80 00 00 00|"; depth:4; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:9; metadata:created_at 2013_12_24, updated_at 2020_05_08;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Session ID Assignment (set)"; flow:established,to_server; xbits:set,ET.IBMDRM1,track ip_dst, expire 10; noalert; http.method; content:"GET"; http.uri; content:"/albatross/saml/idpSelection"; startswith; fast_pattern; content:"id="; content:"userName="; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029986; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.request_body; content:"cs="; content:"&p="; content:"&m="; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:command-and-control; sid:2019197; rev:3; metadata:created_at 2014_09_19, former_category MALWARE, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command"; flow:established,to_server; http.uri; content:"sp_configure"; nocase; reference:url,technet.microsoft.com/en-us/library/ms188787.aspx; reference:url,technet.microsoft.com/en-us/library/ms190693.aspx; classtype:web-application-attack; sid:2011424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.request_body; content:"cs="; content:"&m="; content:"&ls="; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019198; rev:3; metadata:created_at 2014_09_19, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache ?M=D directory list attempt"; flow:to_server,established; http.uri; content:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:2101519; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings POST with Fake UA and Accept Header"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.header; content:"Accept|3a 20 3f 2a 0d 0a|"; depth:12; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019199; rev:3; metadata:created_at 2014_09_19, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat server snoop access"; flow:to_server,established; http.uri; content:"/jsp/snp/"; content:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:2101108; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot UA"; flow:established,to_server; http.user_agent; content:"Windows NT 7.1"; content:"Firefox/9.1.2"; classtype:trojan-activity; sid:2015780; rev:6; metadata:created_at 2012_10_04, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat directory traversal attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:2101055; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; http.uri; content:"/index312.php?ver="; content:"&cam="; content:"&p=spy"; content:"&id="; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:command-and-control; sid:2015850; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~root access"; flow:to_server,established; http.uri; content:"/~root"; nocase; classtype:attempted-recon; sid:2101145; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware CnC Request - status.php"; flow:established,to_server; http.uri; content:"/status.php"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016186; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; http.uri; content:".htaccess"; nocase; classtype:attempted-recon; sid:2101129; rev:9; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware Invalid URI CnC Request"; flow:established,to_server; http.uri; content:"/.ru|60|utr/qiq"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016187; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/ksh"; nocase; classtype:web-application-attack; sid:2011467; rev:6; metadata:created_at 2010_09_10, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BroBot POST"; flow:established,to_server; threshold: type limit, count 1, seconds 300, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 Firefox/3.6.12"; fast_pattern; bsize:26; http.request_body; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/"; classtype:web-application-attack; sid:2016212; rev:5; metadata:created_at 2013_01_16, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/tsh"; nocase; classtype:web-application-attack; sid:2011466; rev:6; metadata:created_at 2010_09_10, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew downloader without user-agent string exe download without User Agent"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"open="; nocase; content:"myid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; classtype:targeted-activity; sid:2016475; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/sh"; nocase; classtype:web-application-attack; sid:2011465; rev:8; metadata:created_at 2010_10_13, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE CommentCrew Possible APT backdoor download logo.png"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/logo.png"; http.accept; content:"*/*,,,,,,"; bsize:9; fast_pattern; classtype:targeted-activity; sid:2016487; rev:6; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/csh"; nocase; classtype:web-application-attack; sid:2011464; rev:5; metadata:created_at 2010_09_10, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/11"; fast_pattern; depth:3; pcre:"/^\/1+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:trojan-activity; sid:2018413; rev:5; metadata:created_at 2014_04_24, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Fake Antivirus Download InternetAntivirusPro.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/InternetAntivirus"; content:".exe"; reference:url,doc.emergingthreats.net/2010061; classtype:trojan-activity; sid:2010061; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Bossabot DDoS tool RFI attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"php?-d|20|allow_url"; fast_pattern; content:"auto_prepend_file|3d|php|3a 2f|"; http.request_body; content:"<?php|0d 0a|"; depth:7; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823; classtype:trojan-activity; sid:2019212; rev:3; metadata:created_at 2014_09_22, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Win32/Antivirus2008 CnC Beacon"; flow:established,to_server; http.uri; content:"nick="; nocase; content:"&group="; nocase; content:"&os="; http.header; content:"User-Agent|3a 20|Mozilla|0d 0a|"; reference:url,doc.emergingthreats.net/2008483; classtype:command-and-control; sid:2008483; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/0"; content:"?id="; distance:0; pcre:"/\/0[0-2]\/.+?\/[a-f0-9]+\?id=[a-f0-9]+$/i"; http.header_names; content:!"Referer|0d 0a|"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; fast_pattern; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/i"; classtype:trojan-activity; sid:2019074; rev:5; metadata:created_at 2014_08_27, updated_at 2020_05_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asprox Form Submission to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/forum.php"; nocase; http.content_type; content:"multipart/form-data|3b 20|boundary=1BEF0A57BE110FD467A"; startswith; reference:url,doc.emergingthreats.net/2009054; classtype:command-and-control; sid:2009054; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:".NET|20|"; content:"E9PQ"; distance:2; within:4; fast_pattern; content:!"|20|"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2030151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asprox Data Post to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"name=|22|sid|22 0d 0a 0d 0a|"; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; nocase; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; classtype:command-and-control; sid:2010270; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware Exfil via FTP"; flow:established,to_server; content:"STOR "; depth:5; content:"/UserName="; distance:0; content:"_MachineName="; distance:0; fast_pattern; content:"_"; distance:0; classtype:trojan-activity; sid:2030156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atya Dropper Possible Rootkit - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"b="; nocase; content:"&idf="; nocase; content:"&v="; nocase; content:"&o="; nocase; reference:url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e; reference:url,doc.emergingthreats.net/2009450; classtype:trojan-activity; sid:2009450; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Qbot/Quakbot Checkin via HTTP GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid="; fast_pattern; pcre:"/\/\d+\.png\?uid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.user_agent; content:!"Mozilla"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:59; endswith; classtype:command-and-control; sid:2030157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, signature_severity Major, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rouge Security Software Win32.BHO.egw"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"affid="; nocase; content:"subid="; nocase; content:"guid="; nocase; content:"ver="; nocase; content:"key="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; reference:url,doc.emergingthreats.net/2008461; classtype:trojan-activity; sid:2008461; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taurus Stealer CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/cfg/?post="; fast_pattern; content:"&data="; distance:0; pcre:"/&data=(?:[a-z]\d){7,}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,b9ea305f1d66611ef9603d33217f3dd5; classtype:command-and-control; sid:2030158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Win32 Backdoor Checkin POST Packet 1"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.bd1; http.uri; content:"/add.php"; reference:url,doc.emergingthreats.net/2009240; classtype:command-and-control; sid:2009240; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taurus Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/log/?post="; fast_pattern; content:"&data="; distance:0; pcre:"/&data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.request_body; content:"name=|22|file|22 3b 20|filename=|22|"; pcre:"/^(?:[a-z]\d){7,}\.zip\x22/R"; http.content_type; content:"multipart/form-data|3b 20|boundary="; reference:md5,b9ea305f1d66611ef9603d33217f3dd5; classtype:command-and-control; sid:2030159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Win32 Backdoor Checkin POST"; flow:established,to_server; flowbits:isset,ET.bd1; http.request_body; content:"Admin="; depth:6; content:"&UserName="; content:"&IsProxy="; reference:url,doc.emergingthreats.net/2009241; classtype:command-and-control; sid:2009241; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query"; dns.query; content:"teamtnt.red"; nocase; bsize:14; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports; classtype:domain-c2; sid:2030155; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header; content:"Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; nocase; http.request_body; content:"from="; nocase; content:"|26|FromMail="; nocase; content:"|26|destino="; nocase; content:"|26|assunto="; nocase; content:"|26|mensagem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008331; classtype:trojan-activity; sid:2008331; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"id="; depth:3; content:"&bid="; distance:0; fast_pattern; content:"&t="; distance:0; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,72372ffac0ee73dc8b6d237878e119c1; classtype:trojan-activity; sid:2019283; rev:3; metadata:created_at 2014_09_26, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"tipo=cli&cli="; reference:url,doc.emergingthreats.net/2009296; classtype:command-and-control; sid:2009296; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptowall 2.0 DL URI Struct Oct 2 2014"; flow:to_server,established; http.request_line; content:"GET /blog/"; depth:10; pcre:"/^[a-z0-9]+\x20HTTP/R"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11\.0)/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019341; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; http.uri; content:"/keylogf.jpg"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009235; classtype:trojan-activity; sid:2009235; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Papras.CK file upload"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2f[a-zA-Z]{4,}\x2ephp\x3f[a-zA-Z]{2,10}\x3d(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.request_body; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern; reference:md5,5e7cbe7e62a6c5de45092ad0c4852d1a; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019379; rev:4; metadata:created_at 2014_10_09, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TSPY_BANKER.IDV/Infostealer.Bancos Module Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.header; content:"User-Agent|3a20|Mozilla|2f|4.0|2028|compatible|3b20|MSIE|20|6.0| 3b2020|Windows|20|NT|20|5.1|3b 20|SV1|3b20|.NET|20|CLR|20|1.1.4322| 3b20|.NET|20|CLR|20|2.0.50727|290d0a|Host|3a20|"; fast_pattern; content:"|0d 0a|Accept|3a 20 2a 2f 2a|"; reference:url,doc.emergingthreats.net/2009447; classtype:trojan-activity; sid:2009447; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ursnif Connectivity Check"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/proto/netstrings.txt"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9134651a7c642798414d867874bdfe2f; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019381; rev:4; metadata:created_at 2014_10_09, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload POST Checkin (dados)"; flow:established,to_server; http.method; content: "POST"; nocase; http.request_body; content:"PC="; nocase; content: "&USER="; nocase; content:"&HASH="; nocase; content:"&DADOS="; nocase; reference:url,doc.emergingthreats.net/2008477; classtype:command-and-control; sid:2008477; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:89; reference:md5,68459c32587e08d953d319ceb2d0888b; classtype:command-and-control; sid:2019478; rev:3; metadata:created_at 2014_10_20, former_category MALWARE, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh Trojan Check-in"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"N="; content:"&ID="; content:"&DATA="; reference:url,doc.emergingthreats.net/2009520; classtype:trojan-activity; sid:2009520; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, malware_family URLZone, tag Banking_Trojan, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo GET Checkin"; flow:established,to_server; urilen:>25; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a 0d 0a|"; bsize:73; http.content_type; content:"octet/binary"; bsize:13; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:command-and-control; sid:2018772; rev:6; metadata:created_at 2014_07_24, former_category MALWARE, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/getcfg.php"; nocase; http.request_body; content:"getp="; content:"id="; content:"ln="; content:"bid="; content:"nt="; content:"cn="; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; classtype:trojan-activity; sid:2010886; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/client.asmx/SendData"; http.user_agent; content:"mFramework HTTPGet"; fast_pattern; http.request_body; content:"CFG="; depth:4; content:"&Lng="; distance:0; content:"&sinst="; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:command-and-control; sid:2019498; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bravix Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?wmid="; content:"&l="; content:"&it="; content:"&s="; reference:url,doc.emergingthreats.net/2008541; classtype:command-and-control; sid:2008541; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"=0"; content:"=0000"; distance:3; fast_pattern; pcre:"/=0[0-2](?:&\w+=[a-fA-F0-9]{8}){2}&\w+=[a-fA-F0-9]+$/"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019500; rev:3; metadata:created_at 2014_10_24, updated_at 2020_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; http.uri; content:"action="; nocase; content:"&entity_list="; nocase; content:"&uid="; nocase; content:"&first="; content:"&guid="; nocase; content:"&rnd="; nocase; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; classtype:trojan-activity; sid:2009353; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BACKCONFIG CnC Downloader Activity"; flow:established,to_server; http.uri; content:"/request/httpsrequest"; bsize:21; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations; classtype:trojan-activity; sid:2030165; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_13, deployment Perimeter, former_category MALWARE, malware_family APT_HANGOVER, performance_impact Low, signature_severity Major, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?ddos=x"; nocase; pcre:"/^(?:x\d{1,2}){5,}/Ri"; reference:url,doc.emergingthreats.net/2010381; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:md5,011d403b345672adc29846074e717865; reference:md5,a5f94577d00d0306e4ef64bad30e5d37; classtype:command-and-control; sid:2010381; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/0"; content:"0000"; distance:1; within:4; fast_pattern; pcre:"/0[0-2]0000[a-fA-F0-9]{16,}$/"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019501; rev:3; metadata:created_at 2014_10_24, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?type="; nocase; content:"&affid="; distance:0; nocase; content:"&subid="; distance:0; nocase; reference:url,doc.emergingthreats.net/2010382; reference:md5,8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2010382; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wonton-JH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?M00="; fast_pattern; pcre:"/^\d+$/R"; http.header; content:"Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b|)"; bsize:35; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/emerging-threat-alert-cve-2014-4114; reference:md5,37ca2ecb5e1fc89f73c6adc188ff685d; classtype:command-and-control; sid:2019502; rev:3; metadata:created_at 2014_10_24, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cashout Proxy Bot reg_DST"; flow:to_server,established; http.uri; content:".php?"; content:"lang="; content:"&pal="; content:"&bay="; content:"&gold="; content:"&id="; content:"&param="; content: "&socksport="; content:"&httpport="; reference:url,doc.emergingthreats.net/2008248; classtype:trojan-activity; sid:2008248; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OLDBAIT Checkin sptr"; flow:established,to_server; http.uri; content:"/~"; depth:2; content:"/cgi-bin/sptr.cgi?"; content:"_"; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:command-and-control; sid:2019535; rev:4; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chekafe.A or Related Infection Checkin"; flow:established,to_server; http.uri; content:"isInst="; content:"lockcode="; content:"PcType="; content:"AvName="; content:"ProCount="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32/Chekafe.A; reference:url,doc.emergingthreats.net/2011272; classtype:command-and-control; sid:2011272; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OLDBAIT Checkin 2 brvc"; flow:established,to_server; http.uri; content:"/~"; depth:2; content:"/cgi-bin/brvc.cgi?"; content:"_"; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:command-and-control; sid:2019536; rev:3; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conficker/KernelBot/MS08-067 related Trojan Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kernel/zz.htm?"; content:"Ver="; reference:url,doc.emergingthreats.net/bin/view/Main/2008737; classtype:command-and-control; sid:2008737; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chopstick Checkin (APT28 Related)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webhp?rel="; fast_pattern; content:"ai="; distance:0; pcre:"/^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})+/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,6fc8602c8b3a18765bb6d2307d8a4ae1; classtype:targeted-activity; sid:2019537; rev:4; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Daemonize.ft HTTP Checkin"; flow:established,to_server; http.uri; content:".php?v="; nocase; content:"&rnd="; nocase; content:"&u=00"; nocase; content:"&s="; nocase; content:"&id="; nocase; reference:url,doc.emergingthreats.net/2008086; classtype:command-and-control; sid:2008086; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adawareblock.com"; flow:established,to_server; http.header; content:"Host|3a 20|adawareblock.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019546; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer-715 Install Checkin"; flow: established,to_server; http.uri; content:"/perl/invoc_oneway.pl"; nocase; content:"?id_service="; nocase; content:"&nom_exe="; nocase; content:"&skin="; nocase; content:"&id_produit="; nocase; reference:url,doc.emergingthreats.net/2003650; classtype:command-and-control; sid:2003650; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adobeincorp.com"; flow:established,to_server; http.header; content:"Host|3a 20|adobeincorp.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019547; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"c="; content:"&v="; content:"&b="; content:"&id="; content:"&cnt="; fast_pattern; content:"&q="; reference:md5,e9f1f226ff86e72c558e9a9da32c796d; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,doc.emergingthreats.net/2007743; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; classtype:command-and-control; sid:2007743; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request azureon-line.com"; flow:established,to_server; http.header; content:"Host|3a 20|azureon-line.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019548; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.Trojan Activity"; flow: to_server,established; http.uri; content:"/dialer_min/getnum.asp?nip"; reference:url,doc.emergingthreats.net/2008345; classtype:trojan-activity; sid:2008345; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019549; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Dialer Variant"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"icp="; content:"&id_site="; content:"&dl_tracker"; content:"&connection_type="; content:"&asked_mdl_id="; content:"&dialer="; reference:url,doc.emergingthreats.net/2008441; classtype:trojan-activity; sid:2008441; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkwinframe.com"; flow:established,to_server; http.header; content:"Host|3a 20|checkwinframe.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019550; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper Checkin (often scripts.dlv4.com related)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Common/module.php?"; nocase; content:"brokerid="; nocase; content:"&product="; nocase; content:"&customid="; nocase; content:"&mediaid="; nocase; content:"&no_product_name="; nocase; content:"&extlogin="; nocase; reference:url,doc.emergingthreats.net/2010458; classtype:command-and-control; sid:2010458; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request check-fix.com"; flow:established,to_server; http.header; content:"Host|3a 20|check-fix.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019551; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropper Checkin 2 (often scripts.dlv4.com related)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Common/module.php?"; nocase; content:"&isautogeneratedpage="; nocase; content:"&dialer="; nocase; content:"&p2e="; nocase; content:"&nohit="; nocase; reference:url,doc.emergingthreats.net/2010932; classtype:command-and-control; sid:2010932; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request hotfix-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|hotfix-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019552; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donkeyp2p Update Detected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"donkeyp2p.php"; content:"?kind="; content:"&args="; content:"&ver="; content:"&uniq="; content:"&dllver="; nocase; reference:url,doc.emergingthreats.net/2008364; classtype:trojan-activity; sid:2008364; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsofi.org"; flow:established,to_server; http.header; content:"Host|3a 20|microsofi.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019553; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; http.uri; content:"hingDeny="; nocase; content:"&id="; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/"; reference:url,doc.emergingthreats.net/2010334; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:md5,fd2d6bb1d2a9803c49f1e175d558a934; reference:md5,e4664144f8e95cfec510d5efa24a35e7; classtype:trojan-activity; sid:2010334; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsof-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|microsof-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019554; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bot Backdoor Checkin/registration Request"; flow:established,to_server; http.uri; content:"/remote.php?"; content:"os="; content:"&user="; content:"&status="; content:"&version="; content:"&build="; reference:url,doc.emergingthreats.net/2006366; classtype:command-and-control; sid:2006366; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request scanmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|scanmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019555; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Downloader Checkin URL (GUID+)"; flow:established,to_server; http.uri; content:"&version="; nocase; content:"&configversion="; nocase; content:"GUID="; nocase; content:"&cmd="; nocase; content:"&p="; nocase; content:"&i="; nocase; content:"&x="; nocase; reference:url,doc.emergingthreats.net/2007577; classtype:command-and-control; sid:2007577; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request secnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|secnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019556; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader General Bot Checking In via HTTP Post (bot_id push)"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"bot_id="; content:"&build_id="; content:"&sport="; content:"&hport="; content:"&ping="; content:"&speed="; reference:url,doc.emergingthreats.net/2007831; classtype:command-and-control; sid:2007831; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request securitypractic.com"; flow:established,to_server; http.header; content:"Host|3a 20|securitypractic.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019557; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader General Bot Checking In - Possible Win32.Small.htz related"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?id="; nocase; http.user_agent; content:!"User-Agent|0d 0a|"; http.request_body; content:"proc=[System Process]|0d 0a|"; content:"|0d 0a|&size="; reference:url,doc.emergingthreats.net/2007836; classtype:command-and-control; sid:2007836; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testservice24.net"; flow:established,to_server; http.header; content:"Host|3a 20|testservice24.net|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019558; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Access Count Tracking URL"; flow:established,to_server; http.uri; content:"/access_count.html?id="; nocase; content:"&MAC=0"; nocase; pcre:"/^[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ri"; reference:url,doc.emergingthreats.net/2008132; classtype:trojan-activity; sid:2008132; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testsnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|testsnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019559; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL"; flow:established,to_server; http.uri; content:"/install_count.html?id="; nocase; content:"&MAC=0"; nocase; pcre:"/^[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ri"; reference:url,doc.emergingthreats.net/2008133; classtype:trojan-activity; sid:2008133; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatepc.org"; flow:established,to_server; http.header; content:"Host|3a 20|updatepc.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019560; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/partner/counter/install.php?pid="; nocase; content:"&cid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,ea70e0971cc490a15e53d24ad6564403; reference:url,doc.emergingthreats.net/2008134; classtype:trojan-activity; sid:2008134; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatesoftware24.com"; flow:established,to_server; http.header; content:"Host|3a 20|updatesoftware24.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019561; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"a="; nocase; content:"&k="; nocase; content:"&wmid="; nocase; content:"&ucid="; nocase; reference:url,doc.emergingthreats.net/2008182; classtype:trojan-activity; sid:2008182; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request windows-updater.com"; flow:established,to_server; http.header; content:"Host|3a 20|windows-updater.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019562; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (pid - mac)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"html?"; nocase; content:"set="; nocase; content:"&pid="; nocase; content:"&mac="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008183; classtype:trojan-activity; sid:2008183; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.org"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019563; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (wmid - ucid)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?a="; nocase; content:"&k="; nocase; content:"&wmid="; nocase; content:"&ucid="; nocase; reference:url,doc.emergingthreats.net/2008194; classtype:trojan-activity; sid:2008194; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request symanttec.org"; flow:established,to_server; http.header; content:"Host|3a 20|symanttec.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019583; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Trojan HTTP GET Logging"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?type="; nocase; content:"&setup_id="; nocase; content:"&version="; nocase; content:"&os="; nocase; content:"&sp="; nocase; reference:url,www.virustotal.com/analisis/df09ec9ec4e5caa42db9d08e0f9d34b378e301a1eeb3aa1e6dbd0de1aa4a66be-1246158969; reference:url,doc.emergingthreats.net/2009451; classtype:trojan-activity; sid:2009451; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Coreshell Checkin (APT28 Related)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/~xh/sn.cgi?"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,272f0fde35dbdfccbca1e33373b3570d; classtype:targeted-activity; sid:2019539; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader Checkin - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"machineid="; nocase; content:"pubuserid="; nocase; content:"checkversion="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009527; classtype:command-and-control; sid:2009527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request msonlinelive.com"; flow:established,to_server; http.header; content:"Host|3a 20|msonlinelive.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019585; rev:3; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader checkin (3)"; flow:established,to_server; http.uri; content:".php?"; content:"c_pcode="; content:"c_pid="; content:"c_kind="; content:"c_mac="; reference:url,doc.emergingthreats.net/2010888; classtype:command-and-control; sid:2010888; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Strictor Dropper"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; content:"os="; content:"&osbit="; content:"&antiv="; http.user_agent; content:"Access"; depth:6; fast_pattern; reference:md5,909b91071c60fc68c27789d912ccf68a; classtype:trojan-activity; sid:2018964; rev:7; metadata:created_at 2014_08_19, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"loads.php?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a| "; reference:url,doc.emergingthreats.net/2010626; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010626; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request malwarecheck.info"; flow:established,to_server; http.header; content:"Host|3a 20|malwarecheck.info|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019641; rev:3; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/download.pl?code="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2010627; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010627; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; depth:38; http.request_body; content:"act="; depth:4; content:"&atom="; distance:0; fast_pattern; content:"&id="; distance:0; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:command-and-control; sid:2019653; rev:4; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"cgi-bin/get.pl?l="; nocase; pcre:"/^\d+$/Ri"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2010628; reference:md5,f5e907a11831c757a94cde9257b3574c; classtype:command-and-control; sid:2010628; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.FakeMS Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.header; content:!"Referer"; http.request_body; content:"|20|(64|20|=|20|"; content:")|20|EXE|20|=|20|"; distance:1; within:8; pcre:"/^\x5b[^\r\n]+\(64\s=\s\d\)\sEXE\s=/"; reference:md5,e606e56a222f788ab5cbcf40842cbc39; reference:md5,099dc535bdd09d6a7bc4edabc8ded5de; classtype:command-and-control; sid:2019654; rev:7; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fasec/FakeAV Alert/Keylogger/Dropper/DNSChanger Possible Rootkit - HTTP GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"Command="; nocase; content:"snNO="; nocase; content:"Encode="; nocase; content:"SFBH"; nocase; reference:url,www.avast.com/eng/win32-fasec.html; reference:url,www.threatexpert.com/threats/virus-win32-fasec.html; reference:url,doc.emergingthreats.net/2009472; classtype:trojan-activity; sid:2009472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smoke Loader Checkin r=gate"; flow:established,to_server; http.uri; content:".php?r=gate&"; content:"&group="; distance:0; content:"&debug="; distance:0; http.user_agent; content:"5.0 (Windows|3b 20|U|3b 20|MSIE 9"; reference:md5,7ef1e61d9b394a972516cc453bf0ec06; classtype:command-and-control; sid:2014728; rev:7; metadata:created_at 2012_05_10, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fraudload/FakeAlert/FakeVimes Downloader - POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; fast_pattern; bsize:46; nocase; http.request_body; content:"verint="; nocase; content:"&wv="; nocase; content:"&report="; nocase; content:"&abbr="; nocase; content:"&pid="; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad; reference:url,doc.emergingthreats.net/2009751; classtype:trojan-activity; sid:2009751; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mac/update.zip"; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019665; rev:3; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullspace.cc or Related Checkin (2)"; flow:established,to_server; http.uri; content:"/register."; nocase; content:"?id="; nocase; content:"&port="; nocase; content:"&connect="; nocase; content:"&ver="; nocase; content:"ip="; nocase; reference:url,doc.emergingthreats.net/2008398; classtype:command-and-control; sid:2008398; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for www.comeinbaby.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"www.comeinbaby.com"; startswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019666; rev:4; metadata:created_at 2014_11_07, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gaboc Trojan Check-in"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp"; content:"?type="; content:"&machinename="; reference:md5,6e871b9c440d5c77b9158ebcbe3fcd4b; reference:url,doc.emergingthreats.net/2009519; classtype:trojan-activity; sid:2009519; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miuref/Boaxxe Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"bB"; offset:2; depth:2; content:"MqrU"; within:20; content:"VAMU"; within:29; fast_pattern; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:command-and-control; sid:2019683; rev:7; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Buzus Checkin"; flow:established,to_server; http.uri; content:".php?guid_bot="; content:"&ver_bot="; content:"&stat_bot="; reference:url,doc.emergingthreats.net/2008550; classtype:command-and-control; sid:2008550; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; http.uri; content:"/cgi-bin/r.cgi"; nocase; depth:14; content:"p="; nocase; content:"h="; nocase; content:"u="; nocase; content:"q="; nocase; content:"t="; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11; metadata:created_at 2011_07_04, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Checkin - MSCommonInfoEx"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/MSCommonInfoEx.php"; reference:url,doc.emergingthreats.net/2011179; classtype:command-and-control; sid:2011179; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; http.content_type; content:"image/"; depth:6; file.data; content:"Rar!"; within:4; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; classtype:trojan-activity; sid:2008754; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"in.php?affid="; content:"&url="; content:"&win="; content:"&sts="; reference:url,doc.emergingthreats.net/2011277; classtype:command-and-control; sid:2011277; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker User-agent (globalupdate)"; flow:to_server,established; flowbits:set,ET.WireLurkerUA; http.user_agent; content:"globalupdate"; depth:12; reference:url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:2019660; rev:5; metadata:created_at 2014_11_06, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; http.uri; content:"?id="; nocase; content:"&tick="; nocase; content:"&ver="; nocase; content:"&smtp="; nocase; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:command-and-control; sid:2008189; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Asprox Pizza"; flow:established,to_server; http.uri; content:"/title.php?pizza="; pcre:"/^[a-zA-Z0-9+/]{43}/R"; reference:url,www.malware-traffic-analysis.net/2014/10/28/index.html; classtype:trojan-activity; sid:2019713; rev:3; metadata:created_at 2014_11_15, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi check-in / update"; flow:established,to_server; http.uri; content:"?user_id="; nocase; content:"&version_id="; nocase; content:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; reference:url,doc.emergingthreats.net/2009410; classtype:trojan-activity; sid:2009410; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Photos/Query.cgi?loginid="; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016820; rev:4; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EJBCA issuer Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/publicweb/webdist/certdist?"; nocase; content:"cmd="; nocase; content:"serno="; nocase; content:"issuer="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110683/EJBCA-4.0.7-Cross-Site-Scripting-User-Enumeration.html; classtype:web-application-attack; sid:2014397; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Catelog/login1.cgi"; fast_pattern; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016821; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_phocadownload folder Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_phocadownload"; nocase; content:"view="; nocase; content:"manager="; nocase; content:"tmpl="; nocase; content:"folder="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/100406/Joomla-Phocadownload-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014388; rev:4; metadata:created_at 2012_03_17, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alureon Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:command-and-control; sid:2019717; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_adsmanager mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_adsmanager"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstorm.foofus.com/1012-exploits/joomlaadsmanager-rfi.txt; classtype:web-application-attack; sid:2014389; rev:4; metadata:created_at 2012_03_17, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for manhuaba.com.cn"; flow:established,to_server; http.method; content:"GET"; http.host; content:"manhuaba.com.cn"; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019731; rev:4; metadata:created_at 2014_11_18, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_fundhelp controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_fundhelp"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109023/Joomla-Fundhelp-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014392; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ncsi.txt"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; content:"|0d 0a|Host|0d 0a|"; depth:8; http.user_agent; content:"Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; fast_pattern; classtype:trojan-activity; sid:2019754; rev:4; metadata:created_at 2014_11_20, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rule controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rule"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109026/Joomla-Rule-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014393; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/FakePAV Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?0="; depth:4; fast_pattern; content:"=i"; pcre:"/^\/\?0=(?:[^&]+?&\d+?=)+?[^=&]+?$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6829306e92cfa811b12d9b028eb56a2d; classtype:command-and-control; sid:2019767; rev:5; metadata:created_at 2014_11_21, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_kp controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_kp"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108917/Joomla-KP-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AntiBreach Possible Activation Attempt"; flow:established,to_server; http.uri; content:"/buy.php?id="; content:"&sub_id="; content:"&install_id="; content:"&project_id="; content:"&serial="; reference:url,www.malware-traffic-analysis.net/2014/11/21/index.html; classtype:trojan-activity; sid:2019771; rev:3; metadata:created_at 2014_11_21, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Address Book from Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/preferences.php?"; nocase; content:"from="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110667/PHP-Address-Book-6.2.12-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014395; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer"; http.request_body; content:"func=getemailurl"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019777; rev:3; metadata:created_at 2014_11_24, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Volusion Chat ID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/livechat.aspx?"; nocase; content:"location="; nocase; content:"auto="; nocase; content:"cookieGuid="; nocase; content:"ID="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110811/Volusion-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014396; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coinminer.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:".php?id="; http.user_agent; content:"Mozzilla/4.0 (copmatible|3B|"; fast_pattern; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019826; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Illusion Bot (Lussilon) Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?act=online&"; nocase; content:"s4="; nocase; content:"&s5="; nocase; content:"&nickname="; http.request_body; content:"msg_out="; depth:8; nocase; reference:url,doc.emergingthreats.net/2007829; classtype:command-and-control; sid:2007829; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Wadolin.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/upgrade-functions.php?v="; fast_pattern; content:"&id="; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.1|3B| Windows XP)"; startswith; reference:md5,693c007d651bb5a8c6d2a4f5ed65a69c; classtype:command-and-control; sid:2019827; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knockbot Proxy Checkin"; flow:to_server,established; http.uri; content:".php?win="; content:"&id="; content:"&lip="; reference:url,doc.emergingthreats.net/2008249; classtype:command-and-control; sid:2008249; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex v2 POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Authorization|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; content:"Authorization|3a 20|Basic"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; reference:url,securityblog.s21sec.com/2014/11/dridex-learns-new-trick-p2p-over-http.html; classtype:command-and-control; sid:2019830; rev:3; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Trojan HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"f=0&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l=&ck="; content:"&c_fb="; reference:url,doc.emergingthreats.net/2008864; classtype:command-and-control; sid:2008864; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TRCrypt.ULPM Downloader CnC Beacon"; flow:established,to_server; http.uri; content:".aspx?id="; content:"&macaddress="; content:"&pcname="; content:"&username="; content:"&osversion="; content:"&versaoatual="; fast_pattern; content:"&winkey="; reference:md5,3b4f77eefd208f699e6a540878e753a8; classtype:command-and-control; sid:2019947; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Koobface Beaconing (getexe)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?getexe="; content:".exe"; reference:url,doc.emergingthreats.net/2010700; classtype:trojan-activity; sid:2010700; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAXV Retrieving key from Pinterest"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pin/"; depth:5; http.header; content:"User-Agent|3a 20|Internet Explorer 6.0|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f25a8e3f5265a57269590b84a506b672; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/; classtype:trojan-activity; sid:2019961; rev:4; metadata:created_at 2014_12_18, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Initial Checkin"; flow:established,to_server; http.uri; content:"/cp/rule.php?"; nocase; content:"fstt="; nocase; content:"&b="; nocase; content:"name="; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003187; classtype:command-and-control; sid:2003187; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css.ashx?"; depth:10; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019985; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting"; flow:established,to_server; http.uri; content:"/cp/rule.php?"; nocase; content:"v="; nocase; content:"&b="; nocase; content:"name="; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003188; classtype:trojan-activity; sid:2003188; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon?"; depth:9; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019986; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop.gfr/Swizzor HTTP Update/Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/tba/"; nocase; http.request_body; content:"guid="; content:"&version="; content:"&clientid="; content:"&time="; content:"&idle="; content:"&ticksBoot="; reference:url,doc.emergingthreats.net/2007774; classtype:command-and-control; sid:2007774; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Generic.5325921 Checkin"; flow:to_server,established; http.uri; content:"?p="; content:"&botmajor="; content:"&botminor="; content:"&osmajor="; content:"&osminor="; reference:md5,203cec547d7d7d7b3a51084ad1abd793; classtype:command-and-control; sid:2020090; rev:4; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop.gfr/Swizzor HTTP Update/Checkin (usually host-domain-lookup.com related)"; flow:established,to_server; http.uri; content:"/upd/check?"; nocase; content:"&fxp="; reference:url,doc.emergingthreats.net/2008333; classtype:command-and-control; sid:2008333; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.header; content:"MASE|0d 0a|"; http.request_body; content:"name=|22|c1|22 0d 0a 0d 0a|c"; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:command-and-control; sid:2020156; rev:8; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Checkin (kgen_up)"; flow:to_server,established; http.uri; content:"kgen_up.int"; content:"fxp="; pcre:"/^[a-z0-9]{60}/Ri"; reference:url,doc.emergingthreats.net/2008379; classtype:command-and-control; sid:2008379; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0000"; offset:2; pcre:"/^\/[^\x2f]+\/0000[A-F0-9]{4}\/0[0-2]\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1a5ee37a6075b5a95faf8f07ad060cc9; classtype:trojan-activity; sid:2025087; rev:3; metadata:created_at 2015_01_09, former_category TROJAN, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lop_com or variant Checkin (9kgen_up)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/9kgen_up.int"; reference:url,www.threatexpert.com/reports.aspx?find=9kgen_up.int; reference:url,doc.emergingthreats.net/2008943; classtype:command-and-control; sid:2008943; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; depth:2; content:"/0000"; distance:2; pcre:"/^\/0[0-2]\/[^\x2f]+\/0000[A-F0-9]{4}\/[^\x2f]+\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2025088; rev:3; metadata:created_at 2015_01_09, former_category TROJAN, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"?nid_mac="; content:"&nid_os_ver=Windows"; content:"&nid_ie_ver="; reference:url,doc.emergingthreats.net/2008592; classtype:command-and-control; sid:2008592; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename svchost.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"svchost.exe"; nocase; fast_pattern; within:11; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]svchost\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020198; rev:6; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Checkin (1)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"v="; nocase; content:"&id="; nocase; content:"&b="; nocase; content:"&tm="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept-Encoding|0d 0a|"; nocase; reference:md5,f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:command-and-control; sid:2010743; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename explorer.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"explorer.exe"; nocase; within:13; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]explorer\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020199; rev:7; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"to="; content:"Optix Pro v"; content:" Server Online"; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008218; classtype:trojan-activity; sid:2008218; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename hkcmd.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"hkcmd.exe"; nocase; within:10; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]hkcmd\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020200; rev:4; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes Update Detected"; flow:established,to_server; http.uri; content:".php?wm="; nocase; content:"&ucid="; nocase; content:"&e="; reference:url,doc.emergingthreats.net/2007768; classtype:trojan-activity; sid:2007768; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename server.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"server.exe"; nocase; within:11; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]server\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020201; rev:3; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pushdo Update URL Detected"; flow:established,to_server; http.uri; content:"/40E800"; nocase; content:"C00000"; nocase; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AutoHotkey Downloader Checkin via IPLogger"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:12; content:"iplogger.org"; http.header; content:"User-Agent|3a 20|(|20|Windows|20|"; fast_pattern; reference:md5,6db987f9e87340ab3c3dd2b6d938e60c; classtype:command-and-control; sid:2030163; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parite Setup Connection (tqzn.com related)"; flow:established,to_server; http.uri; content:"/barbindsoft/barsetup.exe?queryid="; reference:url,doc.emergingthreats.net/2009108; classtype:trojan-activity; sid:2009108; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, malware_family Parite, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/PcClient.AA Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/2015"; depth:5; fast_pattern; pcre:"/^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))?$/Ri"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.2|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50727|3b| InfoPath.1)"; reference:md5,33439543cae709aa7efa58f94e4b2a62; classtype:command-and-control; sid:2019201; rev:12; metadata:created_at 2014_01_31, former_category MALWARE, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Phoenix Exploit Kit Facebook phishing page payload could be ZeuS"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/LoginFacebook.php"; endswith; pcre:"/\/[a-z]{2}[0-9]{3}[a-z]{2}\/LoginFacebook\.php$/"; reference:url,malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html; reference:url,doc.emergingthreats.net/2011121; classtype:exploit-kit; sid:2011121; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Phishing, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall CryptoWall 3.0 Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"http|3a 2f 2f|proxy"; depth:12; fast_pattern; http.header; content:"i2p|0d 0a|"; http.header_names; content:!"|0d 0a|Accept-"; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020233; rev:3; metadata:created_at 2015_01_21, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (1)"; flow:established,to_server; http.uri; content:"/cd/cd.php?id="; content:"&ver="; pcre:"/^[A-F0-9\-]+&ver=/R"; reference:url,doc.emergingthreats.net/2008382; classtype:command-and-control; sid:2008382; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Inception APT malware"; flow:established,to_server; http.header; content:"|0d 0a|username=|22|bimm"; nocase; fast_pattern; content:"/bimm"; distance:0; nocase; reference:url,www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware; classtype:targeted-activity; sid:2020237; rev:3; metadata:created_at 2015_01_22, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Piptea.a Related Trojan Checkin (2)"; flow:established,to_server; http.uri; content:"/cd/un2.php?id="; content:"&ver="; pcre:"/^[A-F0-9\-]+&ver=/R"; reference:url,doc.emergingthreats.net/2008383; classtype:command-and-control; sid:2008383; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.TurlaCarbon.A C2 HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?uid="; content:"&context="; distance:0; content:"&mode=text&"; fast_pattern; distance:0; content:"data="; pcre:"/\?uid=\d+&context=\w+&mode=text&data=\w+$/"; reference:url,blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html; classtype:command-and-control; sid:2020241; rev:3; metadata:created_at 2015_01_22, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlayMP3z.biz Related Spyware/Trojan Install Report"; flow:established,to_server; http.uri; content:"?stage=setup&application="; content:"&campaign="; content:"&code="; content:"&version="; reference:url,doc.emergingthreats.net/2008626; classtype:trojan-activity; sid:2008626; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Upatre.Downloader Encoded Binary Download Request"; flow:established,to_server; http.uri; content:"/mandoc/"; fast_pattern; depth:8; content:".pdf"; distance:0; http.header; content:"Accept|3A| text/*, application/*|0D 0A|User-Agent|3A 20|"; depth:43; reference:url,phishme.com/evolution-upatre-dyre/; classtype:trojan-activity; sid:2020294; rev:3; metadata:created_at 2015_01_23, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBot Phone Home Traffic"; flow:established,to_server; http.uri; content:"ind.php?p="; content:"&uid="; reference:url,doc.emergingthreats.net/2008244; classtype:trojan-activity; sid:2008244; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A UA (HTClient)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTClient|3b|"; fast_pattern; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020298; rev:3; metadata:created_at 2015_01_23, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegHelper Installation"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"start="; content:"&Edition="; content:"&RHRTVersion="; nocase; reference:url,doc.emergingthreats.net/2008376; classtype:trojan-activity; sid:2008376; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\d+$/"; http.header; content:"User-Agent|3a 20|HTClient|3b|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2020299; rev:3; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE carberp check in"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/first.html"; http.request_body; content:"id="; content:"os="; content:"plist="; classtype:trojan-activity; sid:2011798; rev:4; metadata:created_at 2010_10_09, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor User-Agent (ALIZER)"; flow:established,to_server; http.user_agent; content:"ALIZER"; bsize:6; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:3; metadata:created_at 2015_02_03, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp checkin task"; flow:established,to_server; http.uri; content:"/task.php?id="; fast_pattern; content:"&task="; distance:0; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/"; reference:md5,1d0d38dd63551a30eda664611ed4958b; reference:url,www.honeynet.org/node/578; reference:md5,07d3fbb124ff39bd5c1045599f719e36; reference:md5,31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:md5,6f89b98729483839283d04b82055dc44; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; classtype:command-and-control; sid:2011799; rev:8; metadata:created_at 2010_10_13, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DEEP PANDA C2 Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+8.0|3b|+Windows+NT+5.1|3b|+SV1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; http.request_body; content:"|00 00 00 00 00|"; classtype:command-and-control; sid:2020373; rev:6; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp file download"; flow:established,to_server; http.uri; content:"/cfg/"; depth:5; content:".plug"; classtype:trojan-activity; sid:2011850; rev:5; metadata:created_at 2010_10_26, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rovnix.J Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"[0]|0d 0a|LP="; content:"|0a|VID="; distance:0; reference:md5,9471e926eda81b4f797b6cfe273e4e79; classtype:command-and-control; sid:2020396; rev:3; metadata:created_at 2015_02_11, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carberp CnC request POST /set/task.html"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/set/task.html"; depth:14; http.request_body; content:"id=dvlsl"; classtype:command-and-control; sid:2012178; rev:5; metadata:created_at 2011_01_15, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSI 6.0|3b 20|"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020471; rev:3; metadata:created_at 2015_02_18, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 2"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:".asp?prj="; content:"&pid="; content:"&mac="; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012223; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n.php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; depth:3; content:"&Action="; distance:0; fast_pattern; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020474; rev:3; metadata:created_at 2015_02_19, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 3"; flow:established,to_server; content:"winsoft"; nocase; http.uri; content:"autoidcnt.asp?mer_seq="; content:"&realid="; content:"&mac="; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012224; rev:3; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/set.php?ID="; depth:12; content:"&Action="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020489; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; http.uri; content:"/clientRequest.htm?method="; nocase; pcre:"/^(?:update|startcharge)/Ri"; content:"&os="; content:"&brand="; nocase; content:"&sdkVersion="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:command-and-control; sid:2013299; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sys/"; fast_pattern; pcre:"/t=1?\d\/[0-3]?\d\/201\d [0-2]?\d\x3a[0-5]\d\x3a[0-5]\d [AP]M$/"; pcre:"/^\/sys\/(?:who|genid|data|upload|update)/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020431; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious exe.exe request - possible downloader/Oficla"; flow:to_server,established; http.request_line; content:"/exe.exe HTTP/1."; nocase; reference:url,anubis.iseclab.org/?action=result&task_id=11873c8979f34c8d4fd0da512df635cac&format=txt; reference:url,doc.emergingthreats.net/2010741; classtype:trojan-activity; sid:2010741; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/customer/do_it"; fast_pattern; http.user_agent; content:"Internet"; bsize:8; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"pn="; content:"&data="; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020433; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit TDSS/Alureon Checkin 2"; flow:established,to_server; http.uri; content:"/dx.php?i="; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}&a=/Ri"; content:"&x64="; content:"os="; content:"&f="; reference:url,contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html; classtype:command-and-control; sid:2012314; rev:4; metadata:created_at 2011_02_14, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena DDoS Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a=%"; depth:3; fast_pattern; content:"&b="; distance:0; content:"&c="; distance:0; pcre:"/^a=(?:%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(?:%3[dD]){0,2}\x26c=(?:%[0-9A-Fa-f]{2})+$/"; reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:command-and-control; sid:2017633; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/bhanx.php?"; nocase; content:"adv="; nocase; content:"&code1="; nocase; content:"&code2="; nocase; content:"&id="; nocase; content:"&p="; nocase; reference:md5,40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:6; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GandCrab Style External IP Check (Spoofed Yahoo Host)"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|yahoo.com|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; bsize:142; threshold:type both,track by_src, count 10, seconds 30; classtype:trojan-activity; sid:2030168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category POLICY, malware_family GandCrab, signature_severity Major, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Banload Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/avisa.php?"; nocase; content:"usuario="; nocase; content:"pc="; nocase; content:"serial="; nocase; content:"versao="; nocase; reference:url,scumware.org/report/89.108.68.81; reference:md5,43b0ddf87c66418053ee055501193abf; classtype:trojan-activity; sid:2012441; rev:5; metadata:created_at 2011_03_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected USBFERRY CnC"; flow:established,to_server; http.header; content:!"Referer"; content:!"Accept"; http.method; content:"GET"; http.uri; content:".6.jpg"; endswith; http.user_agent; content:"MSIE|28|6.00.2900.5512|20 28|"; fast_pattern; content:"|3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"VR|28|PH"; reference:url,documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf; classtype:command-and-control; sid:2030169; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/frame.php?pl=Win32"; nocase; classtype:trojan-activity; sid:2012506; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_15, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LogPOS Sending Data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?encoding="; fast_pattern; content:"&t="; distance:0; content:"&cc="; distance:0; content:"&process="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,morphick.net/blog/2015/2/27/mailslot-pos; classtype:trojan-activity; sid:2020602; rev:3; metadata:created_at 2015_03_04, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; http.uri; content:"/wg.txt"; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:3; metadata:created_at 2012_03_20, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; content:"/"; distance:0; pcre:"/^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; http.user_agent; content:"MSIE 7.0|3b|"; fast_pattern; content:"Windows NT 6.0"; within:15; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:command-and-control; sid:2019693; rev:6; metadata:created_at 2014_11_12, former_category MALWARE, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Virut.BN Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"list.php?c="; content:"&v="; distance:0; content:"&t="; distance:0; pcre:"/c\x3d[0-9A-F]{100}/i"; reference:md5,199d9ea754f193194e251415a2f6dd46; classtype:command-and-control; sid:2012533; rev:5; metadata:created_at 2011_03_21, former_category MALWARE, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/DecryptStealer Exfil Domain (geroipanel .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"geroipanel.site"; bsize:15; reference:url,app.any.run/tasks/ef44292d-3b2e-4571-8b68-fb49c1db1b1a/; classtype:domain-c2; sid:2030179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.chhq Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/index.php?|30 64 34 30 62 30 3d|"; fast_pattern; http.user_agent; content:"Mozilla/3.0"; startswith; classtype:command-and-control; sid:2012620; rev:10; metadata:created_at 2011_04_01, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ramsay CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?vol="; fast_pattern; content:"&q="; distance:0; content:"&guid=|7b|"; distance:0; content:"|7d|"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; reference:url,github.com/eset/malware-ioc/blob/master/ramsay/samples.sha256; classtype:command-and-control; sid:2030176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family Ramsay, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"data=vK6yv+"; classtype:command-and-control; sid:2012686; rev:5; metadata:created_at 2011_04_13, former_category MALWARE, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ramsay CnC Domain in DNS Query"; dns.query; content:"account-id-managers.com"; nocase; endswith; reference:url,github.com/eset/malware-ioc/blob/master/ramsay/samples.sha256; classtype:domain-c2; sid:2030177; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family Ramsay, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Protection FakeAV checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"php?partner_id="; content:"&u="; content:"&log_id="; content:"&os="; reference:md5,7710686d03cd3174b6f644434750b22b; classtype:command-and-control; sid:2012713; rev:4; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ramsay CnC Domain in DNS Query"; dns.query; content:"service-security-manager.com"; nocase; endswith; reference:url,github.com/eset/malware-ioc/blob/master/ramsay/samples.sha256; classtype:domain-c2; sid:2030178; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family Ramsay, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BestAntivirus2011 Fake AV reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?affid="; content:"&data="; content:"&v="; classtype:trojan-activity; sid:2012727; rev:4; metadata:created_at 2011_04_26, updated_at 2020_04_21;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M10 (set)"; flow:established,to_server; content:"|29 f5 98 f5|"; depth:4; fast_pattern; content:"|65 b3 b3|"; distance:1; within:3; flowbits:set,ET.Parallax-10; flowbits:noalert; reference:md5,9d60d8928bc0478b3029e59024b5f407; classtype:command-and-control; sid:2030180; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006932; classtype:web-application-attack; sid:2006932; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M10"; flow:established,to_client; content:"|29 f5 98 f5|"; depth:4; fast_pattern; content:"|65 b3 b3|"; distance:1; within:3; flowbits:isset,ET.Parallax-10; reference:md5,9d60d8928bc0478b3029e59024b5f407; classtype:command-and-control; sid:2030181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006933; classtype:web-application-attack; sid:2006933; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil Via SMTP"; flow:established,to_server; content:"|0d 0a|Time|3a 20|"; content:"<br>User Name|3a 20|"; distance:0; content:"<br>OSFullName|3a 20|"; distance:0; fast_pattern; reference:md5,b8b71fc1124765b75b3aa3be805e9d12; classtype:trojan-activity; sid:2030171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2020_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011158; classtype:web-application-attack; sid:2011158; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030188; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011159; classtype:web-application-attack; sid:2011159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client Data POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getjuice.php"; bsize:13; fast_pattern; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; startswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:trojan-activity; sid:2030189; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper/Clicker Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/nxdtic.txt"; classtype:command-and-control; sid:2012931; rev:5; metadata:created_at 2011_06_06, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Interactive Client CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interact.php?slave="; startswith; fast_pattern; content:"&sid="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.referer; content:"clients.php"; endswith; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030190; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Qakbot Webpage Infection Routine POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/jl/ad03.pl"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99; classtype:trojan-activity; sid:2012973; rev:4; metadata:created_at 2011_06_09, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Sent to Client"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"setCommand.nonfunction.php"; fast_pattern; endswith; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; http.request_body; content:"slave="; startswith; content:"&command="; distance:0; content:"&sid="; distance:0; content:"&token="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030191; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Meredrop Checkin"; flow:established, to_server; http.method; content:"POST"; nocase; http.request_body; content:"praquem="; content:"&titulo="; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:command-and-control; sid:2013073; rev:5; metadata:created_at 2011_06_21, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getresponse.php?slave="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030192; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|ICS)"; fast_pattern; http.request_body; content:"para="; depth:5; content:"&subject="; content:"&dados="; reference:md5,c8b3d2bc407b0260b40b7f97e504faa5; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; classtype:command-and-control; sid:2013185; rev:7; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (info)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|info=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Internet Connectivity Check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/geo/productid.php"; depth:18; http.header; content:"adobe.com"; content:"Opera/"; content:"Pesto/"; classtype:trojan-activity; sid:2013207; rev:6; metadata:created_at 2011_07_06, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (id)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&mass="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Papras Banking Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|4e 2a 43 cc 01 c0 2a 77|"; depth:23; reference:md5,85d82c840f4b90fcb6d5311f501374ca; classtype:command-and-control; sid:2013287; rev:6; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamarue/Andromeda Downloading Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:3; metadata:created_at 2015_03_12, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Ponmocup Driveby Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/se/"; nocase; pcre:"/^[a-f0-9]{100,200}\/[a-f0-9]{6,9}\/[A-Z0-9_]{4,200}\.com/Ri"; reference:url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt; classtype:bad-unknown; sid:2013312; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkness DDoS Bot Checkin"; flow:established,to_server; http.uri; content:".php?uid="; nocase; content:"&ver="; distance:0; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(?:&traff=\d+)?$/"; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"darkness"; depth:8; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:md5,7fcebf5bd67cede35d08bedd683e3524; reference:md5,60c84bb1ca03f80ca385f16946322440; reference:md5,778113cc4e758ed65de0123bb79cbd1f; reference:md5,55edeb8742f0c38aaa3d984eb4205c68; reference:url,ef.kaffenews.com/?p=833; classtype:command-and-control; sid:2011996; rev:14; metadata:created_at 2010_12_06, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/GetGrid.asp"; http.request_body; content:"SN="; depth:3; content:"&SP="; distance:0; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:command-and-control; sid:2013342; rev:5; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicepass CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?data="; depth:16; http.header; content:!"User-Agent|3a|"; content:!"Accept"; content:!"Referer|3a|"; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/mi"; reference:md5,5f1997927e94b98982e5ee2cea095956; classtype:command-and-control; sid:2020690; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV oms.php Data Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/oms.php"; http.request_body; content:"data="; depth:5; classtype:trojan-activity; sid:2013373; rev:3; metadata:created_at 2011_08_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE - Fake UA"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".exe"; endswith; http.header_names; content:!"Accept-"; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035044; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Momibot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; http.request_body; content:"byE8PCdtbzE6PTU8czo3"; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:command-and-control; sid:2013398; rev:6; metadata:created_at 2011_08_11, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WMN CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent"; depth:59; fast_pattern; http.request_body; content:"="; offset:4; depth:9; content:"=&"; distance:55; within:2; pcre:"/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/"; reference:md5,3031604f1cf95ee4ccc339c9e4d5b92f; classtype:command-and-control; sid:2020708; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Momibot Ping Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; http.request_body; content:"byE8PCdtbyM6PTRzOjdu"; reference:url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html; classtype:command-and-control; sid:2013399; rev:4; metadata:created_at 2011_08_11, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RocketKitten APT Checkin"; flow:to_server,established; http.uri; content:"/index.php?c="; content:"&r="; distance:0; http.header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123; reference:md5,f89a4d4ae5cca6d69a5256c96111e707; classtype:targeted-activity; sid:2020078; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mnless Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"cpname="; depth:7; content:"&hardid="; distance:0; content:"&netid="; distance:0; content:"&user="; distance:0; content:"&sname="; distance:0; content:"&ver="; distance:0; content:"&val="; distance:0; classtype:command-and-control; sid:2013443; rev:5; metadata:created_at 2011_08_22, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?U3ViamVjdD1"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020718; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (postit3)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/postit3.php"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013672; rev:4; metadata:created_at 2011_09_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"uid="; depth:4; content:"&win="; distance:0; content:"&vers="; distance:0; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:command-and-control; sid:2020724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/Count.asp?UserID="; content:"&MAC="; distance:0; content:"&Process="; distance:0; reference:md5,b3106dbfb3ab114755af311883f33697; reference:md5,7d2eb4b364e15e90cec1ddd7dcb97f64; reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; classtype:command-and-control; sid:2013741; rev:7; metadata:created_at 2011_10_05, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy Checkin"; flow:to_server,established; http.uri; content:"/get_"; content:"did="; http.user_agent; content:"Downloader"; depth:10; reference:md5,73d2dd466df92b77a4c34adcd13e8b50; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces; classtype:command-and-control; sid:2018341; rev:8; metadata:created_at 2013_09_11, former_category MALWARE, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/boot.php?ptr="; nocase; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; reference:md5,b58485c9a221e8bd5b4725e7e19988b0; classtype:command-and-control; sid:2013798; rev:4; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?ext="; within:7; fast_pattern; content:"&pid="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa9542f02b26a554650a9649d2239181; classtype:command-and-control; sid:2020737; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cycbot POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; reference:md5,1f04bd1b4eceb42e6d5859b6330fc7d7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; classtype:trojan-activity; sid:2013802; rev:4; metadata:created_at 2011_10_26, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"Windows NT"; classtype:trojan-activity; sid:2019457; rev:14; metadata:created_at 2014_10_17, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kys_allow_get.asp?"; content:"name=getkys.kys"; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:6; metadata:created_at 2011_12_09, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B ClickFraud Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/item/fmt?ct="; depth:13; fast_pattern; http.referer; pcre:"/^http\x3a\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r?$/i"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020750; rev:5; metadata:created_at 2015_03_26, updated_at 2020_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Greenpeace.fr filter_dpt Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/incinerateurs/list.php?"; nocase; content:"list_name="; nocase; content:"filter_dpt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110989/Greenpeace.fr-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (ext)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|5|0d 0a 0d 0a|ext=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030185; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WikyBlog which Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php/Special/Main/Templates?"; nocase; content:"cmd="; nocase; content:"which="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110863/WikyBlog-1.7.3RC2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (name)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|name=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OneFileCMS f parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/onefilecms.php?"; nocase; content:"f="; nocase; reference:url,packetstormsecurity.org/files/110906/OneFileCMS-1.1.5-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014425; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JS/Magecart Domain in TLS SNI (manag .icu)"; flow:established,to_server; tls.sni; content:"manag.icu"; bsize:9; reference:url,twitter.com/felixaime/status/1263134882991046658; classtype:domain-c2; sid:2030194; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VTiger CRM module_name parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/modules/com_vtiger_workflow/sortfieldsjson.php?"; nocase; content:"module_name="; nocase; reference:url,packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive Fake User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020810; rev:5; metadata:created_at 2015_03_31, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader.Bancos Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Lead3r_Ship.exe"; nocase; reference:url,symantec.com/security_response/writeup.jsp?docid=2006-061110-0512-99; classtype:trojan-activity; sid:2014070; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_02, deployment Perimeter, former_category TROJAN, malware_family Bancos, signature_severity Major, tag Trojan_Downloader, tag Banking_Trojan, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?win="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020812; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN Win32-WebSec Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cb_soft.php?"; nocase; content:"q="; nocase; content:"tj="; nocase; reference:md5,971e560b80e335ab88ef518b416d415a; classtype:trojan-activity; sid:2014085; rev:6; metadata:created_at 2012_01_03, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?micro="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020813; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Jiwerks.A Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:"/update.aspx"; http.accept_lang; content:"zh-cn"; http.request_body; content:"a="; depth:2; content:"&v="; distance:0; reference:md5,0e47c711d9edee337575b6dbef850514; classtype:command-and-control; sid:2014133; rev:5; metadata:created_at 2012_01_18, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Skyfall fake Skype install link"; flow:established,to_server; http.uri; content:"/video/?n="; depth:10; reference:url,www.windowstechupdates.com/omg-video-httpskypepopvideo-netvideonskype-user-name-virus/; reference:url,securelist.com/blog/incidents/69065/skyfall-meets-skype/; classtype:trojan-activity; sid:2020801; rev:5; metadata:created_at 2015_03_30, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/118GotYourNo Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/count"; http.request_body; content:"appTitle="; content:"&strLink="; distance:0; content:"&proFirstTime="; distance:0; content:"&proLastTime="; distance:0; content:"&appName="; distance:0; content:"&KillList="; distance:0; classtype:command-and-control; sid:2014191; rev:5; metadata:created_at 2012_02_06, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 1"; flow:established,to_server; http.header; content:"Referer|3a 20|HTTP/1.0|0d 0a|"; depth:19; fast_pattern; http.header_names; content:!"Accept-"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020833; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSUpdater POST checkin to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/microsoft/errorpost/default.aspx?ID="; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014212; rev:4; metadata:created_at 2012_02_07, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?N="; content:"["; distance:0; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020835; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bbs/info.asp"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; classtype:command-and-control; sid:2014336; rev:4; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hangover related campaign Response"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:!"Referer|0d 0a|"; file.data; content:"|3a 5c|Bootfile|5c|firewall|5c|1"; pcre:"/^[C-J]\r\n/R"; reference:md5,f761060ced467394a6f87fd2204c6a74; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018567; rev:5; metadata:created_at 2014_06_17, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Protux.B POST checkin"; flow:from_client,established; http.method; content:"POST"; nocase; http.header; content:"Mozilla/4.8.20 (compatible|3b 20|MSIE 5.0.2|3b 20|Win32)|0d 0a|Host|3a 20|"; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:command-and-control; sid:2014360; rev:5; metadata:created_at 2012_03_10, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant C&C activity"; flow:to_server,established; http.uri; content:"&Auth="; content:"&Session="; distance:0; content:"&DataID="; distance:0; content:"&FamilyID="; distance:0; reference:md5,8bbc55ec1a7e86cb21d3cda5ccb43e1e; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023909; rev:5; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/103680/joomlacommunity-sql.txt; classtype:web-application-attack; sid:2013467; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SillyFDC WordPress Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?dm=6b2280e30391615dcaa18e533ccb99a9"; fast_pattern; depth:37; reference:md5,3c10f65f8c1a84c53d94c331a63cad06; classtype:trojan-activity; sid:2020845; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_04_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS University Of Vermont intro Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/magicscript.php?"; nocase; content:"Page="; nocase; content:"intro="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; classtype:web-application-attack; sid:2013569; rev:5; metadata:created_at 2011_09_12, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Retrieving RAR Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|en-us|3b 20|rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; depth:94; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:5; metadata:created_at 2015_04_09, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER DELETE attempt"; flow:to_server,established; http.method; content:"DELETE"; nocase; reference:nessus,10498; classtype:web-application-activity; sid:2101603; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor External IP Lookup checkip.dyndns.org"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Host|3a 20|checkip.dyndns.org|0d 0a|"; depth:26; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv:x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,00e3b69b18bfad7980c1621256ee10fa; classtype:external-ip-check; sid:2020886; rev:6; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_05_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; xbits:isset,ET.IBMDRM1,track ip_dst; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029987; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_11, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/s"; depth:5; classtype:exploit-kit; sid:2014446; rev:3; metadata:created_at 2012_03_31, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LankerBoy HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; http.header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:command-and-control; sid:2020902; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/de/"; depth:4; content:".jar"; distance:32; within:4; classtype:exploit-kit; sid:2014447; rev:7; metadata:created_at 2012_03_31, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020908; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/demo_eventcalendar.php?"; nocase; content:"cal_id="; nocase; content:"cal_month="; nocase; content:"cal_year="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download Jan 02 2014"; flow:established,from_server; http.content_type; content:"text/plain"; bsize:10; file.data; content:"ZZP|00|"; within:4; classtype:trojan-activity; sid:2018055; rev:5; metadata:created_at 2014_02_03, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; urilen:8; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http.method; content:"POST"; http.uri; content:"/service"; classtype:policy-violation; sid:2014459; rev:3; metadata:created_at 2012_04_03, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log.php?id=|5b|"; fast_pattern; content:"|7c|"; distance:0; content:"|5d|"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020919; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LuckyCat/TROJ_WIMMIE Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php?m="; content:"&n="; within:4; content:"_"; distance:0; content:"@"; distance:0; pcre:"/\.php\?m=\w&n=\w+_\w+(@|@.c|@.t)$/"; reference:url,blog.trendmicro.com/luckycat-redux-inside-an-apt-campaign/; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:command-and-control; sid:2014462; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STTip.asp"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020924; rev:4; metadata:created_at 2015_04_16, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin myAgent"; flow:to_server,established; http.uri; content:"/index.dat?"; pcre:"/^\d{5,9}$/R"; http.header; content:"|20|myAgent|0d 0a|Host|3a 20|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276; reference:md5,a51933ee0f2ade7df98feb7207a2ffaf; classtype:command-and-control; sid:2014468; rev:4; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon Fake UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla Firefox/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020934; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; http.uri; content:"/stat_d/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014522; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"key="; depth:4; fast_pattern; pcre:"/^[A-Z]+$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020935; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; http.uri; content:"/stat_n/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014524; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"bit="; depth:4; fast_pattern; pcre:"/^(?:32|64)$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020937; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K first execution checkin"; flow:established,to_server; http.uri; content:"/stat_svc/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:command-and-control; sid:2014525; rev:5; metadata:created_at 2012_04_05, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; pcre:"/\/$/"; http.request_body; content:"unkey="; depth:6; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020938; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field"; flow:established,to_server; http.uri; content:".php?id="; content:"121212121212"; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D.+121212121212/"; reference:url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks; classtype:command-and-control; sid:2014529; rev:3; metadata:created_at 2012_04_06, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Win32/Tesch.B CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a 20|Internet  Explorer|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-f0-9]+(?:\x20[a-f0-9]+)+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0032395c3a980e09c511b6b41ab3da48; classtype:command-and-control; sid:2020945; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/OpenSiteAdmin/pages/pageHeader.php?"; nocase; pcre:"/^.{0,300}=(?:https?:|ftps?:)/Ri"; reference:url,www.securityfocus.com/bid/36445/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009931; classtype:web-application-attack; sid:2009931; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis Downloading EXE"; flow:established,to_server; http.uri; content:".jpg"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2021017; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Balucaf.A Checkin"; flow:to_server,established; http.uri; content:"/setting.ini"; nocase; http.header; content:"User-Agent|3a 20|AutoIt"; nocase; http.header_names; content:!"Accept|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FTupym.A; reference:url,www.securelist.com/en/descriptions/6349329/Worm.Win32.AutoRun.esf; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tupym-D/detailed-analysis.aspx; classtype:command-and-control; sid:2031450; rev:5; metadata:created_at 2011_09_24, former_category MALWARE, updated_at 2020_12_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:9; depth:3; pcre:"/^\/-?[a-f0-9]{8,9}\/-?\d+(?:\.php|\/)$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:command-and-control; sid:2035045; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I User-Agent"; flow:established,to_server; http.header; content:"|20|WOW64|3b 20|rv|3a|9.0.1|3b 20|sv|3a|"; content:"|20|id|3a|"; within:6; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,vms.drweb.com/virus/?i=1816029; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; classtype:trojan-activity; sid:2014534; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim Checkin"; flow:established,to_server; flowbits:set,ET.FB.troj; http.method; content:"GET"; http.uri; content:"/ok.txt"; endswith; http.user_agent; content:"AutoHotkey"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020348; rev:5; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt"; flow:to_server,established; http.uri; content:"/showGallery.php"; nocase; content:"galid="; nocase; pcre:"/^-?\d+ /Ri"; reference:bugtraq,15313; reference:url,doc.emergingthreats.net/2002671; classtype:web-application-attack; sid:2002671; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"JnB3ZD"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bzub2 Related RPC/Http Checkin"; flow:established,to_server; http.uri; content:"/rpc.php?a=ftp"; nocase; content:"&b="; nocase; reference:url,doc.emergingthreats.net/2007843; classtype:command-and-control; sid:2007843; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"Zwd2Q9"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - request in.cgi"; flow:to_server,established; http.uri; content:"/in.cgi"; classtype:exploit-kit; sid:2014543; rev:3; metadata:created_at 2012_04_12, former_category CURRENT_EVENTS, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"mcHdkP"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:established,to_client; http.header; content:"/in.cgi"; classtype:exploit-kit; sid:2014546; rev:6; metadata:created_at 2012_04_12, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|danutzbaiatfinutz"; fast_pattern; classtype:web-application-attack; sid:2030199; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_05_21, deployment Perimeter, signature_severity Major, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Pretty Link plugin url Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/pretty-link/pretty-bar.php?"; nocase; content:"url="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107551/WordPress-Pretty-Link-1.5.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014554; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SystemdMiner CnC Activity"; dns.query; content:"2iuu6o3zbmwynik2.tor2web."; nocase; depth:25; reference:md5,9270e6df6486937cae29ae2e87b13373; reference:md5,8b606eefd222ee44bc0fcf305bde6340; classtype:trojan-activity; sid:2030200; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress flash-album-gallery plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/flash-album-gallery/facebook.php?"; nocase; content:"i="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107424/WordPress-Flash-Album-Gallery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014555; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BF Botnet CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ver="; content:"&os="; distance:0; content:"&binary="; distance:0; content:"&token="; distance:0; content:"&run_time="; distance:0; fast_pattern; http.header; content:"Pragma|3a 20 20|"; content:"Cache-Control|3a 20 20|"; reference:md5,3c475b319959069053191e740822fcd6; classtype:trojan-activity; sid:2030207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family BFBotnet, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS wordpress thecartpress plugin loop parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/thecartpress/widgets/CustomPostTypeListWidget.class.php?"; nocase; content:"loop="; nocase; reference:url,1337day.com/exploits/18018; classtype:web-application-attack; sid:2014556; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT15/NICKEL KETRUM CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?id="; http.accept; content:"text/html,text/xml,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; fast_pattern; content:"*/*"; distance:0; http.accept_lang; content:"q=0.8,en|3b|q=0.7"; http.header; content:!"Referer"; content:!"User-Agent"; reference:md5,278ac5d64e21a1ab63ec2c590a803253; classtype:command-and-control; sid:2030208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family APT15, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bulkenquery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bulkenquery"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108913/Joomla-Bulkenquery-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014557; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop Checkin"; flow:established,to_server; http.uri; content:".asp?sn="; content:"&tmac="; distance:0; content:"&action="; distance:0; content:"&ver="; distance:0; http.header; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x30442e9d036a40c8cbd41f8f4c9afab1ba\x20no-cache\r\n(?:\r\n)?$/"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:command-and-control; sid:2021103; rev:3; metadata:created_at 2015_05_15, former_category MALWARE, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_br controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_br"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108948/Joomla-BR-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014558; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop UA LETITGO"; flow:established,to_server; http.header; content:"User-Agent|3a 20|LETITGO|0d 0a|"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021104; rev:3; metadata:created_at 2015_05_15, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free PHP photo gallery script path parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/jadro/libs/adodb/adodb.inc.php?"; nocase; content:"path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/92079/Free-PHP-Photo-Gallery-Script-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014559; rev:4; metadata:created_at 2012_04_13, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop UA single"; flow:established,to_server; http.header; content:"User-Agent|3a 20|single|0d 0a|"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021105; rev:3; metadata:created_at 2015_05_15, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OS X Backdoor Checkin"; flow:established,to_server; http.header; content:"Accept-Encoding|3a 20|base64,gzip"; fast_pattern; content:"|20|Mac|20|OS|20|X|3a|"; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:command-and-control; sid:2014564; rev:3; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Hellsing Proxy Checker Checkin"; flow:established,to_server; http.uri; content:"/common.asp?action="; content:"&uid="; distance:0; content:"&lan="; distance:0; content:"&hname="; distance:7; within:22; content:"&uname="; distance:1; within:22; content:"&os="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b7e7186d962d562af6a5d10a25d19b02; reference:url,securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/; classtype:targeted-activity; sid:2021108; rev:4; metadata:created_at 2015_05_15, former_category MALWARE, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY eBook Generator User-Agent (EBook)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|EBook|0d 0a|"; reference:url,malwr.com/analysis/a04b28e21adc70837eb7de811556ff4e/; reference:url,www.ebookgenerator.com/; classtype:policy-violation; sid:2014576; rev:3; metadata:created_at 2012_04_16, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoyah CnC Beacon"; flow:established,to_server; http.header; content:"User-Agent|3a 20|MSIE|28|"; content:"|29 29 3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"|29 20|VR|28|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:command-and-control; sid:2021114; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.header; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2014579; rev:4; metadata:created_at 2012_04_16, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|*/*|0d 0a|"; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE "; content:".0|3B 20|Win32|29 3B 20|"; distance:1; within:15; fast_pattern; pcre:"/^\d+$/R"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:command-and-control; sid:2018462; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress yousaytoo-auto-publishing plugin submit Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?"; nocase; content:"submit="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108470/wpystap-xss.txt; classtype:web-application-attack; sid:2014589; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.Jenxcus.H User Agent"; flow:to_server,established; http.user_agent; content:"Hacked"; depth:6; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021123; rev:4; metadata:created_at 2015_05_20, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_pinboard option Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/components/com_pinboard/popup/popup.php?"; nocase; content:"option="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/94991/Joomla-Pinboard-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014590; rev:3; metadata:created_at 2012_04_16, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Blog Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/blog"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021129; rev:3; metadata:created_at 2015_05_21, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress whois search domain Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-whois/wp-whois-ajax.php?"; nocase; content:"cmd="; nocase; content:"ms="; nocase; content:"domain="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108271/WordPress-Whois-Search-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014591; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Target Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/target"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021130; rev:3; metadata:created_at 2015_05_21, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Facebook-Page-Promoter-Lightbox settings-updated Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/facebook-page-promoter-lightbox/arevico_options.php?"; nocase; content:"settings-updated="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108238/WordPress-Facebook-Page-Promoter-Lightbox-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014592; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Logger Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/botlogger.php"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021131; rev:3; metadata:created_at 2015_05_21, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashBack Mac OSX malware Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/aaupdate/"; fast_pattern; http.header; content:"User-Agent|3a 20|"; content:!"Mozilla"; within:7; content:!"|0d 0a|"; within:124; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:command-and-control; sid:2014596; rev:6; metadata:created_at 2012_03_01, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; content:"N0BRBh"; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021140; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/owncheck/"; classtype:command-and-control; sid:2014597; rev:3; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon Response"; flow:established,from_server; http.server; content:"Apache/20.2.25 (RedHat)"; fast_pattern; bsize:23; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021148; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; http.uri; content:"/stat.php?w="; content:"&i="; content:"&a="; http.user_agent; content:"Opera/6"; startswith; http.header; content:"|3b 20|LangID="; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:command-and-control; sid:2014604; rev:4; metadata:created_at 2012_03_02, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; content:"&f="; distance:0; content:"&m="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021147; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/images.php?t="; startswith; pcre:"/^\d+$/Ri"; http.header; content:"|29 20|Java/"; classtype:exploit-kit; sid:2014609; rev:3; metadata:created_at 2012_04_17, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.header; content:" rv|3a|11.0"; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.header_names; content:!"|0d 0a|Accept-"; nocase; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (file upload)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"jembot"; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:3; metadata:created_at 2012_04_18, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Payload Instructions"; flow:established,to_server; urilen:45; http.method; content:"GET"; http.uri; content:"/uploads/"; depth:9; fast_pattern; content:".png"; distance:32; within:4; pcre:"/\/[a-f0-9]{32}\.png$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:3; metadata:created_at 2015_05_29, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Requesting Payload 2020-04-21"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".wbk?raw=true"; fast_pattern; endswith; http.user_agent; content:"Microsoft Office Existence Discovery"; bsize:36; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; content:!"Pragma"; reference:md5,dffa1f38375e20e98c8ffaa752936e42; classtype:trojan-activity; sid:2029982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action="; depth:7; content:"&uid="; distance:0; content:"key="; distance:0; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021168; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029989; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IOS.Oneclickfraud HTTP Host"; flow:to_server,established; http.host; content:"eroeroou.com"; startswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-060111-2757-99&tabid=2; classtype:trojan-activity; sid:2021187; rev:3; metadata:created_at 2015_06_05, updated_at 2020_05_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Session ID Assignment"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/albatross/saml/idpSelection"; startswith; fast_pattern; content:"id="; content:"userName="; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029988; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Databack CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?pn="; fast_pattern; content:"&s="; distance:0; content:"&x="; distance:0; pcre:"/\.php\?pn=[^&]+&s=[0-9]+&x=0\.[0-9]{7}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc7b0c078482b68c1ff89da3ac88949b; classtype:command-and-control; sid:2021189; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_05_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/albatross/eurekaservice/fetchLogFiles"; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|logFileNameList|22 3a 22|../"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:trojan-activity; sid:2029990; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IsSpace/Zacom Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.microsoft.com"; bsize:17; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b|Windows NT 5.1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021215; rev:3; metadata:created_at 2015_06_09, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Apache DDos UA Observed (DDos Apache) Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|DDos Apache"; classtype:attempted-dos; sid:2029983; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_21, deployment Perimeter, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet v2 Exfiltrating Outlook information"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<Information>"; fast_pattern; content:"<id>"; distance:0; content:"<Version>"; distance:0; content:"<profile>"; distance:0; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/analysis/69560/the-banking-trojan-emotet-detailed-analysis/; classtype:trojan-activity; sid:2020900; rev:4; metadata:created_at 2015_04_13, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Apache DDos UA Observed (DDos Apache) Inbound"; flow:established,to_client; http.header; content:"User-Agent|3a 20|DDos Apache"; classtype:attempted-dos; sid:2029984; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_21, deployment Perimeter, signature_severity Major, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/([a-z]{4,9}\/[a-z]{4,12}\?[a-z]{4,7}\=[0-9]{5,7})$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,adb3242f8efad48ca174a7e46991f507; classtype:trojan-activity; sid:2021246; rev:4; metadata:created_at 2015_06_11, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews lib.panier.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/panier/lib.panier.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014628; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/p?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021088; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DokuWiki target parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/doku.php?"; nocase; content:"do="; nocase; content:"id="; nocase; content:"target="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/111939/DocuWiki-2012-01-25-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014621; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"."; distance:1; within:2; content:"_"; distance:0; pcre:"/^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021257; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 1-jquery-photo-gallery-slideshow-flash plugin page Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-jquery-photo-gallery-slideshow-flash/wp-1pluginjquery.php?"; nocase; content:"page="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107423/WordPress-1-JQuery-Photo-Gallery-Slideshow-Flash-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014622; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/?a="; depth:8; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:command-and-control; sid:2021262; rev:3; metadata:created_at 2015_06_13, former_category MALWARE, updated_at 2020_05_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews rootpath parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/plan/index.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014623; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (checksoffice .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"checksoffice.me"; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030209; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews uploadBigFiles.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/upload/uploadBigFiles.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014624; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (plaintsotherest .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"plaintsotherest.net"; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030210; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews remote.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/ajax/remote.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014625; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (thesawmeinrew .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"thesawmeinrew.net"; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030211; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews class.panier_article.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/panier/class.panier_article.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014626; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni Stage 2 Payload Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?client_id="; fast_pattern; http.request_body; content:"name=|22|fileToUpload|22 3b|"; content:"Upload|20|Image|0d 0a|----"; distance:0; content:"|00 00 00 00 00 00|"; endswith; reference:md5,d41b09aa32633d77a8856dae33b3d7b9; classtype:command-and-control; sid:2030219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Konni, updated_at 2020_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews menu_layers.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/menu/menu_layers.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014627; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-05-27)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anca-aste.it"; nocase; endswith; reference:md5,56470e113479eacda081c2eeead153bf; classtype:domain-c2; sid:2030223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_05_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2.x HTTP Request with Encrypted Variables"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/getcfg.php"; http.request_body; pcre:"/^[a-z]{3,6}\x3d[A-F0-9]{50}/i"; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010885; classtype:trojan-activity; sid:2010885; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Socelars Stealer CnC Activity"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1|0d 0a|"; bsize:17; http.request_body; content:"JSON=d0hy65aW"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,81a7f493c7b5a7c52ac19981a75f57df; classtype:command-and-control; sid:2030224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Soclears, signature_severity Major, updated_at 2020_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup.php"; nocase; http.request_body; content:"action="; nocase; content:"&configuration="; distance:0; content:"PMA"; distance:0; content:"Config"; within:11; pcre:"/source(?:\x22\x3b\w\x3a|%22%3b\w%3a)\d+(?:\x3a\x22|%3a%22)(?:(?:ftps?|%66%74%70(?:%73)?)|(?:https?|%68%74%74%70(?:%73)?)|(?:php|%70%68%70))(?:\x3a|%3A)(?:\x2f|%2f)/Ri"; reference:url,blog.spiderlabs.com/2012/04/honeypot-alert-phpmyadmin-setupphp-rfi-attacks-detected.html; reference:url,phpmyadmin.net/home_page/security/PMASA-2010-4.php; reference:cve,CVE-2010-3055; classtype:web-application-attack; sid:2014633; rev:5; metadata:created_at 2012_04_23, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE COMRAT CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index/index.php?h="; startswith; fast_pattern; content:"&d="; distance:0; http.request_body; content:"form-data|3b 20|name=|22|array|22 0d 0a|"; reference:md5,f7bb82b0e665b494bcebefc7351f46c5; classtype:command-and-control; sid:2030226; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitpop.AG/Pophot.az HTTP Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".asp"; content:"|3F|ver="; nocase; content:"|26|tgid="; nocase; content:"|26|address="; nocase; pcre:"/^(?:[0-9A-F][0-9A-F]-){5}(?:[0-9A-F][0-9A-F])/Ri"; reference:url,doc.emergingthreats.net/2008317; classtype:command-and-control; sid:2008317; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Config Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mac.html?uid="; depth:14; fast_pattern; content:"&sid="; distance:0; content:"&fname="; distance:0; content:"&mac="; distance:0; content:"&os="; distance:0; content:"&pcname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021299; rev:3; metadata:created_at 2015_06_18, updated_at 2020_05_28;)
 
-alert http $HOME_NET any -> $HOME_NET any (msg:"ET POLICY Dlink Soho Router Config Page Access Attempt"; flow:established,to_server; http.uri; content:"/dlink/hwiz.html"; reference:url,doc.emergingthreats.net/2008942; classtype:attempted-admin; sid:2008942; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/archive/"; nocase; offset:9; fast_pattern; content:".html"; nocase; distance:8; within:7; pcre:"/\/[a-f0-9]{8}\/archive\/\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021277; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/images.php?t=81118"; classtype:exploit-kit; sid:2014639; rev:3; metadata:created_at 2012_04_26, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Keatep.B Checkin"; flow:established,to_server; http.uri; content:"&id="; nocase; content:"&v="; pcre:"/\?[0-9a-f]{5,}=\d+&id=\d+&v=\d+$/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Keatep.B; reference:md5,239aacf49bb6381fd71841fda4d4ee58; classtype:command-and-control; sid:2011336; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_videogallery"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/check?iid="; fast_pattern; content:"kernel="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&kernel=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021334; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_some"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/compiler?iid="; fast_pattern; content:"username="; distance:0; content:"password="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&username=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021335; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Skysa Official submit parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/skysa-official/skysa.php?"; nocase; content:"submit="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107342/WordPress-Skysa-Official-1.01-1.02-1.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014656; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:to_server,established; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.host; content:!"reg.163.com"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unkown exploit kit pdf download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.uri; content:".php?"; content:"x=x"; fast_pattern; content:"&u="; content:"&s="; content:"&id="; content:"&file="; content:".pdf"; classtype:exploit-kit; sid:2014657; rev:2; metadata:created_at 2012_04_30, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; offset:2; depth:7; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/i"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018681; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; threshold: type limit, track by_src, count 5, seconds 40; http.user_agent; content:"Vega/"; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:4; metadata:created_at 2011_07_11, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/track/?ip="; fast_pattern; depth:11; content:"&data="; distance:0; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D/"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018682; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/wp-custom-pages/wp-download.php?"; nocase; content:"url="; nocase; reference:url,packetstormsecurity.org/files/100047/WordPress-WP-Custom-Pages-0.5.0.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014717; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.request_body; content:"conteudo="; fast_pattern; depth:9; content:"&myFile="; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021404; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/anzeigen_neu.php?"; nocase; content:"bereich="; nocase; content:"kat_id="; nocase; content:"kategorie="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112289/Maxxweb-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014711; rev:4; metadata:created_at 2012_05_04, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Waterspout.APT Backdoor CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"_id="; distance:3; within:4; fast_pattern; pcre:"/\/\d{5}\/(?P<s1>[a-z]{3})[a-z]\.php\?(?P=s1)_id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:targeted-activity; sid:2019115; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wpsc-mijnpress/mijnpress_plugin_framework.php?"; nocase; content:"rwflush="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112324/WordPress-WPsc-MijnPress-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014712; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nymaim Checkin (2)"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; nocase; bsize:33; http.user_agent; content:"|20|MSIE|20|"; http.request_body; content:"filename="; depth:9; fast_pattern; content:"&data="; distance:0; pcre:"/^filename=[a-z]+?\.[a-z]+?&data=/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2016757; rev:11; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_obsuggest"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/103598/Joomla-obSuggest-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014715; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ID_MAQUINA="; depth:11; nocase; fast_pattern; content:"&VERSAO="; distance:0; nocase; content:"&WIN="; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:command-and-control; sid:2021439; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, malware_family Bancos, signature_severity Major, tag Banking_Trojan, tag c2, updated_at 2020_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_joomtouch"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger HTTP Pattern"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/post.php?type="; fast_pattern; content:"&machinename="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3; metadata:created_at 2015_07_20, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|SnadBoy"; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:5; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rioselx.A Checkin"; flow:established,to_server; http.uri; content:"/access.php"; fast_pattern; http.user_agent; content:!"Mozilla"; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; content:"Content-Length|0d 0a|"; reference:md5,3eb94c397a395f24b84297593f69710a; classtype:command-and-control; sid:2021442; rev:6; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/andromeda.php?"; nocase; content:"q="; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:4; metadata:created_at 2012_05_11, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2 (set)"; flow:established,to_server; flowbits:set,ET.BARTALEX; flowbits:noalert; http.uri; content:".txt"; http.header; content:"WinHttp.WinHttpRequest"; classtype:trojan-activity; sid:2021531; rev:3; metadata:created_at 2015_07_24, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downvision.A Initial Checkin"; flow:established,to_server; http.uri; content:"/up.php?id=201"; http.header; content:"software IPWorks HTTP/S Component - www.nsoftware.com"; reference:url,www.fortiguard.com/av/VID3309956; classtype:command-and-control; sid:2014610; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Potao CnC POST Response"; flow:to_client,established; http.server; content:"nginx"; startswith; file.data; content:"<?xml version=|27|1.0|27|?>"; depth:21; content:"<methodResponse>"; distance:1; content:"<params>|0a|<param>"; distance:1; content:"<value><base64>"; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:command-and-control; sid:2021555; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC"; flow:established,to_server; http.uri; content:"/PostView.nhn?blogId="; fast_pattern; content:"&logNo="; content:"&parentCategoryNo="; content:"&userTopListOpen="; content:"&userTopListManageOpen="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862; reference:md5,8af17164500aac1c0965b842aca3fed7; classtype:command-and-control; sid:2014754; rev:7; metadata:created_at 2012_05_17, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; fast_pattern; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:command-and-control; sid:2021556; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Getting External IP Address - ip2city.asp"; flow:established,to_server; http.uri; content:"/ip2city.asp"; classtype:external-ip-check; sid:2014761; rev:3; metadata:created_at 2012_05_17, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PhantomSuper.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021557; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP Survey and Quiz Tool plugin rowcount Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-survey-and-quiz-tool/javascript/survey_section.php?"; nocase; content:"rowcount="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112685/WordPress-WP-Survey-And-Quiz-Tool-2.9.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014768; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ArrayReplace.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021558; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=catablog-gallery"; nocase; content:"category="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014769; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE URI Struct Observed in Pawn Storm CVE-2015-2950"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?p2="; content:"&recr="; distance:0; fast_pattern; content:"&p3="; distance:0; content:"&as="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021560; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor plugin uploader.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; content:"tab="; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014770; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alina.POS-Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; content:"application/octet-stream"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:"|20|InfoPath|2e|"; distance:0; pcre:"/x20InfoPath\x2e\d[^\x29]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019163; rev:4; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Appointment Booking Pro view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rsappt_pro2"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/103172/Joomla-Appointment-Booking-Pro-Arbitrary-File-Reading.html; classtype:web-application-attack; sid:2014771; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alina.POS-Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|application/octet-stream|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; depth:74; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2021597; rev:5; metadata:created_at 2015_08_05, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_media file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/components/com_media/helpers/media.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/99775/Joomla-Media-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014772; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; pcre:"/\/\d{4,}\.txt$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"Accept|0d 0a|"; content:"Accept-Language|0d 0a|"; reference:md5,545ee3114faa5abd994f9730713f2261; classtype:trojan-activity; sid:2021304; rev:5; metadata:created_at 2015_06_19, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delf Checkin via HTTP (5)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.request_body; content:"email="; nocase; content:"&computador="; distance:0; nocase; content:"&nomfile="; distance:0; nocase; content:"&user="; distance:0; nocase; reference:url,doc.emergingthreats.net/2008044; classtype:command-and-control; sid:2008044; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Initial Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=creation"; fast_pattern; content:"result="; distance:1; content:"&info="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021610; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; http.header; content:"(Nintendo Wii"; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:4; metadata:created_at 2012_05_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VBKrypt.vquj Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; http.request_body; content:"|03 00|"; depth:2; content:"|00 01 00|"; within:4; content:"|00 01 00|"; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:command-and-control; sid:2021605; rev:5; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2020_05_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hoax.Win32.BadJoke/DownLoader1.57593 Checkin"; flow:established,to_server; http.uri; content:"/agent.htm"; http.header; content:"User-Agent|3a 20|OINC|0d 0a|"; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:command-and-control; sid:2014581; rev:4; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX August 11 2015"; flow:to_server,established; http.uri; content:".jpg"; nocase; pcre:"/\/(?:[a-z]+|\d+)\.jpg/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|FSL 7.0.6.01001)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:5; metadata:created_at 2015_08_14, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin"; flow:established,to_server; http.uri; content:"/tx.txt"; http.header; content:" Microsoft URL Control -"; reference:url,doc.emergingthreats.net/2003646; classtype:command-and-control; sid:2003646; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise Style IP Check M2"; flow:to_server,established; urilen:16; http.uri; content:"/myip?format=txt"; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Win32)"; http.host; content:"api.ipaddress.com"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2030229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, signature_severity Major, updated_at 2020_05_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"league_id="; nocase; content:"group="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014812; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/NukeSped Variant CnC Domain (fudcitydelivers .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"fudcitydelivers.com"; bsize:19; reference:md5,7b07ed5338e6288b5cd510c38e2ab8ed; reference:url,twitter.com/ShadowChasing1/status/1267431137023979522; classtype:command-and-control; sid:2030234; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"edit="; nocase; content:"season="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banker.bqba Checkin"; flow:to_server,established; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; fast_pattern; bsize:31; http.request_body; content:"windows="; depth:8; content:"&av="; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:command-and-control; sid:2023693; rev:3; metadata:created_at 2015_08_26, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jesubmit"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014814; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml?"; fast_pattern; pcre:"/\?[a-z0-9]{32}$/"; http.host; content:"www.ecb.europa.eu"; bsize:17; classtype:trojan-activity; sid:2019400; rev:6; metadata:created_at 2014_10_15, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_acooldebate"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014815; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Cheshire Cat CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 4.0)"; fast_pattern; bsize:50; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021719; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; http.host; content:".myftp.biz|0d 0a|"; endswith; classtype:bad-unknown; sid:2013824; rev:5; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PawnStorm Sednit DL Aug 28 2015"; flow:established,to_server; http.uri; content:"/cormac.mcr"; http.header_names; content:!"Referer|0d 0a|"; classtype:targeted-activity; sid:2021729; rev:3; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; http.host; content:".ez-dns.com"; endswith; classtype:bad-unknown; sid:2013846; rev:4; metadata:created_at 2011_11_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/6.0)"; startswith; http.request_body; content:"AQAAA"; fast_pattern; depth:5; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,0f6a9b15bd9fd719bb96491e16eb2f9c; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; classtype:command-and-control; sid:2021739; rev:3; metadata:created_at 2015_08_31, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; http.host; content:".dyndns-web.com"; endswith; classtype:bad-unknown; sid:2013864; rev:4; metadata:created_at 2011_11_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Requesting Module"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.content_type; content:"text/plain"; startswith; http.header_names; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021741; rev:3; metadata:created_at 2015_09_01, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; http.header; content:"User-Agent|3A 20|zeroup"; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:3; metadata:created_at 2012_05_25, former_category USER_AGENTS, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exx"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021742; rev:3; metadata:created_at 2015_09_01, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.3d-game.com Domain"; flow:established,to_server; http.host; content:".3d-game.com"; endswith; classtype:bad-unknown; sid:2014479; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f32f2209a1986c55750ceb6d8066df9f; classtype:trojan-activity; sid:2021754; rev:3; metadata:created_at 2015_09_09, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4irc.com Domain"; flow:established,to_server; http.host; content:".4irc.com"; endswith; classtype:bad-unknown; sid:2014481; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Odlanor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; content:"&v="; distance:0; content:"&os="; distance:0; content:"&c="; distance:0; content:"&u="; distance:0; http.request_body; pcre:"/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ce19c30ffda76cd63a88eeb8af0340f0; reference:url,welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/; classtype:command-and-control; sid:2021800; rev:3; metadata:created_at 2015_09_18, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0ne.com Domain"; flow:established,to_server; http.host; content:".b0ne.com"; endswith; classtype:bad-unknown; sid:2014483; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.request_body; content:"|20 7c 20 22|0x"; fast_pattern; content:"_"; distance:0; content:"|22 20 7c 20|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021814; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.bbsindex.com Domain"; flow:established,to_server; http.host; content:".bbsindex.com"; endswith; classtype:bad-unknown; sid:2014485; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.host; content:"init.icloud-analysis.com"; fast_pattern; bsize:24; reference:url,github.com/XcodeGhostSource/XcodeGhost; classtype:command-and-control; sid:2021822; rev:3; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.chatnook.com Domain"; flow:established,to_server; http.host; content:".chatnook.com"; endswith; classtype:bad-unknown; sid:2014487; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; urilen:6; http.method; content:"GET"; http.uri; content:"/check"; nocase; http.header; content:"User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|Host|3a 20|"; depth:47; fast_pattern; nocase; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue%3AWin32/FakeSpypro; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010597; classtype:trojan-activity; sid:2010597; rev:7; metadata:created_at 2010_07_30, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.darktech.org Domain"; flow:established,to_server; http.host; content:".darktech.org"; endswith; classtype:bad-unknown; sid:2014489; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; http.method; content:"POST"; http.uri; pcre:"/\.[a-z]{3,4}$/"; http.request_body; content:"name=|22|upload_file|22 3b 20|filename=|22|"; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021830; rev:4; metadata:created_at 2015_09_24, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.deaftone.com Domain"; flow:established,to_server; http.host; content:".deaftone.com"; endswith; classtype:bad-unknown; sid:2014491; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|00 00 01|"; content:"|00 65 00 0a 95 3a 10 8a 09 25 4e d7 94 5e e9 70 59 e2 95 79|"; distance:1; within:20; classtype:command-and-control; sid:2021832; rev:3; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.effers.com Domain"; flow:established,to_server; http.host; content:".effers.com"; endswith; classtype:bad-unknown; sid:2014495; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC POST"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021839; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.net Domain"; flow:established,to_server; http.host; content:".etowns.net"; endswith; classtype:bad-unknown; sid:2014497; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Check"; flow:to_server,established; urilen:6; http.method; content:"POST"; http.uri; content:"/check"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021833; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.org Domain"; flow:established,to_server; http.host; content:".etowns.org"; endswith; classtype:bad-unknown; sid:2014499; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/i686?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021834; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.flnet.org Domain"; flow:established,to_server; http.host; content:".flnet.org"; endswith; classtype:bad-unknown; sid:2014501; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mips?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021835; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gotgeeks.com Domain"; flow:established,to_server; http.host; content:".gotgeeks.com"; endswith; classtype:bad-unknown; sid:2014503; rev:4; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/armel?ver="; depth:11; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021836; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.scieron.com Domain"; flow:established,to_server; http.host; content:".scieron.com"; endswith; classtype:bad-unknown; sid:2014505; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mipsel?ver="; depth:12; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021837; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.com Domain"; flow:established,to_server; http.host; content:".slyip.com"; endswith; classtype:bad-unknown; sid:2014507; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Report POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/srv_report?ver="; depth:16; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021838; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain"; flow:established,to_server; http.host; content:".slyip.net"; endswith; classtype:bad-unknown; sid:2014509; rev:5; metadata:created_at 2012_04_05, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/NukeSped Variant CnC Domain (sctemarkets .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"sctemarkets.com"; bsize:15; reference:md5,7b07ed5338e6288b5cd510c38e2ab8ed; reference:url,twitter.com/ShadowChasing1/status/1267431137023979522; classtype:command-and-control; sid:2030235; rev:1; metadata:created_at 2020_06_01, former_category MALWARE, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org"; flow:established,to_server; http.host; content:".2288.org"; endswith; classtype:misc-activity; sid:2014787; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TURLA NETFLASH CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2018/.config/adobe"; bsize:19; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; reference:md5,2b35c299c96d17a1d4b09092b09bf692; reference:url,www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/; reference:url,twitter.com/DrunkBinary/status/1267453886912176130; classtype:command-and-control; sid:2030236; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org"; flow:established,to_server; http.host; content:".6600.org"; endswith; classtype:misc-activity; sid:2014789; rev:5; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higasia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/inter.php"; endswith; http.request_body; content:"&test="; content:"Windows IP Configuration"; distance:0; fast_pattern; content:"Connection-specific DNS Suffix"; distance:0; classtype:trojan-activity; sid:2030233; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, signature_severity Major, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org"; flow:established,to_server; http.host; content:".7766.org"; endswith; classtype:misc-activity; sid:2014790; rev:7; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Style MalDoc .dot Download on freedynamicdns .org"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".dot"; endswith; pcre:"/\/[A-Za-z]{4,9}\.dot$/"; http.host; content:".freedynamicdns.org"; endswith; fast_pattern; reference:md5,2180fa8e767676a6802cf3d5d23ea6de; classtype:trojan-activity; sid:2030232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org"; flow:established,to_server; http.host; content:".8800.org"; endswith; classtype:misc-activity; sid:2014791; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M FSO object created|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021852; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org"; flow:established,to_server; http.host; content:".9966.org"; endswith; classtype:misc-activity; sid:2014792; rev:6; metadata:created_at 2012_05_19, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M STATE|3a 20|INSTALL|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021853; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/framework/modules/pixidou/download.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014840; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"unit_action="; depth:12; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021854; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/plugins/DPGguestbook/guestbookaction.php?"; nocase; content:"PathToRoot="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014836; rev:3; metadata:created_at 2012_06_01, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Retrieving PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.header; content:"Host|3a 20|www.quaverse.com|0d 0a|"; depth:24; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ccdffdc551b36980b7cd04e33d5fb100; classtype:trojan-activity; sid:2021889; rev:3; metadata:created_at 2015_10_02, former_category TROJAN, malware_family QRat, updated_at 2020_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Jotloader component section parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jotloader"; nocase; content:"section="; nocase; reference:url,packetstormsecurity.org/files/96812/Joomla-Jotloader-2.2.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014837; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT User-Agent (I'm a mu mu mu ?)"; flow:established,to_server; http.user_agent; content:"I|27|m a mu mu mu|20 3f|"; fast_pattern; startswith; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021917; rev:3; metadata:created_at 2015_10_06, updated_at 2020_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin type parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/joliprint/joliprint_options_upload.php?"; nocase; content:"type="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014838; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neshta.A Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|file|22 3b 20|filename=|22|Browser"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; nocase; reference:md5,e93e5af213707ef1888784fa1e709004; classtype:trojan-activity; sid:2021923; rev:4; metadata:created_at 2015_10_07, updated_at 2020_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/options-general.php?"; nocase; content:"page=joliprint/joliprint_admin_options.php"; nocase; content:"opt="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014839; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Kinsing Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kinsing"; endswith; fast_pattern; http.user_agent; content:"Wget/"; nocase; startswith; http.header_names; content:!"Referer"; reference:url,blog.redteam.pl/2020/06/kinsing-malware-liferay.html; classtype:trojan-activity; sid:2030244; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; http.uri; content:"/getfile.php?i="; content:"&key="; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/i"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:exploit-kit; sid:2014851; rev:3; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Kinsing Payload Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kinsing2"; endswith; fast_pattern; http.user_agent; content:"Wget/"; nocase; startswith; http.header_names; content:!"Referer"; reference:url,blog.redteam.pl/2020/06/kinsing-malware-liferay.html; classtype:trojan-activity; sid:2030245; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redirect to driveby sid=mix"; flow:to_server,established; http.uri; content:"/go.php?sid=mix"; classtype:exploit-kit; sid:2014866; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:!"pdf="; nocase; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021952; rev:3; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com"; flow:established,to_server; http.host; content:"dns-stuff.com"; endswith; classtype:bad-unknown; sid:2014867; rev:4; metadata:created_at 2012_06_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:"pdf="; nocase; distance:0; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021953; rev:3; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jvb_bridge Itemid Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_jvb_bridge"; nocase; content:"Itemid="; nocase; pcre:"/^.*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/90844/Joomla-JVB-Bridge-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014883; rev:4; metadata:created_at 2012_06_08, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StreamFlaw.A Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:command-and-control; sid:2020947; rev:4; metadata:created_at 2015_04_18, former_category MALWARE, updated_at 2020_06_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jeauto"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014878; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/document.php?rnd="; depth:18; fast_pattern; content:"&id="; distance:0; pcre:"/^\/document\.php\?rnd=[0-9]{4}&id=[A-F0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/malware/js_nemucod.hqk; classtype:trojan-activity; sid:2021956; rev:4; metadata:created_at 2015_10_16, updated_at 2020_06_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jradio controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jradio"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/96751/Joomla-JRadio-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014879; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=consultane.com"; nocase; endswith; reference:md5,9b0af1d42eb9d1e7033a958d5a0870c8; classtype:domain-c2; sid:2030252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-livephp plugin wp-live.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-livephp/wp-live.php?"; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/108282/WordPress-LivePHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014880; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check"; flow:established,to_server; http.request_line; content:"GET|20|/|20|HTTP/1.1"; bsize:14; http.header; content:"User-Agent|3a 20|WinInet|0d 0a|Host|3a 20|api.myip.com|0d 0a|"; bsize:41; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Avaddon, signature_severity Major, tag Ransomware, updated_at 2020_06_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mingle Forum groupid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=mfstructure"; nocase; content:"mingleforum_action="; nocase; content:"groupid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112696/WordPress-Mingle-Forum-1.0.33-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014881; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data 2"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; classtype:trojan-activity; sid:2022016; rev:3; metadata:created_at 2015_11_02, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_catalogue controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_catalogue"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/96190/Joomla-Catalogue-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M1"; flow:established,to_server; urilen:20; http.method; content:"GET"; http.uri; content:"/SL3716/S8437AEB.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036384; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt"; flow:established,to_server; http.uri; content:"|3a|$INDEX_ALLOCATION"; nocase; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html; classtype:bad-unknown; sid:2014886; rev:3; metadata:created_at 2012_06_11, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M2"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/WC413/21FB9FCF.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036385; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/themes.php?"; nocase; content:"page=dynwid-config"; nocase; content:"action="; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014811; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M3"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/WC413/6EE2EFF7.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036386; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; http.uri; content:"@@version"; nocase; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:3; metadata:created_at 2012_06_14, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Dependency Download M4"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/WC413/67B1B02F.DAT"; nocase; fast_pattern; classtype:trojan-activity; sid:2036387; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_ckforms"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014905; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?tag="; depth:16; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"; bsize:112; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030254; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jmsfileseller view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jmsfileseller"; nocase; content:"cat_id="; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/101770/Joomla-JMSFileSeller-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014897; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stat.php?info=SLADE"; fast_pattern; endswith; http.user_agent; content:"Wget/"; nocase; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030255; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_mscomment controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_mscomment"; nocase; content:"controller="; nocase; reference:url,1337day.com/exploits/12246; classtype:web-application-attack; sid:2014898; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"inter.php"; bsize:9; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"&test="; startswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/higaisa/; classtype:command-and-control; sid:2030265; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Sharebar plugin status parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/sharebar/sharebar-admin.php?"; nocase; fast_pattern; content:"status="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112690/WordPress-Sharebar-1.2.1-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014904; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OZH Rat)"; flow:established,to_client; tls.cert_subject; content:"CN=www.ozhsec.com"; nocase; endswith; classtype:domain-c2; sid:2030257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Tinymce Thumbnail Gallery href parameter Remote File Disclosure Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?"; nocase; fast_pattern; content:"href="; nocase; reference:url,packetstormsecurity.org/files/113417/WordPress-Tinymce-Thumbnail-Gallery-1.0.7-File-Disclosure.html; classtype:web-application-attack; sid:2014899; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Silent Miner Changelog Checkin"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; startswith; file.data; content:"Changelog v"; depth:11; fast_pattern; content:"-Added startup folder"; distance:0; content:"-Changed AutoUpdate Mode"; distance:0; content:"|7c 7c|----------------"; distance:0; content:"-Fixed startup .exe without name bug"; distance:0; content:"-Changed files hosting"; distance:0; content:"- Added CPU Threads"; reference:md5,2d51e11a38b7fd448cd0b1d319915e44; classtype:command-and-control; sid:2022034; rev:3; metadata:created_at 2015_11_04, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin pinterest-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?"; nocase; fast_pattern; content:"pinterest-url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014900; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh connectivity check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Host|3a 20|"; depth:6; content:"Content-Length|3a 20|0|0d 0a|"; distance:0; content:"|3a 20|no-cache"; distance:0; http.header_names; content:!"|0d 0a|User-Agent"; content:!"|0d 0a|Accept"; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:5; metadata:created_at 2012_05_18, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?"; nocase; fast_pattern; content:"xing-url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014901; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: !"&ncm="; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:3; metadata:created_at 2015_11_05, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; http.uri; content:"/getfile.php?"; http.user_agent; content:"Java/1"; classtype:exploit-kit; sid:2014924; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: "&ncm="; distance:0; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}&ncm=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022038; rev:3; metadata:created_at 2015_11_05, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"verint="; content:"&uid="; distance:0; content:"&wv="; distance:0; content:"&report="; distance:0; content:"&abbr="; distance:0; content:"&pid="; distance:0; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/"; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"000"; fast_pattern; pcre:"/^\/[a-f0-9]+000[a-f0-9]{37}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,0f41c853a2d522e326f2c30b4b951b04; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022074; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; http.uri; content:"/image/logo.jpg?queryid="; pcre:"/^\d+$/R"; reference:url,doc.emergingthreats.net/2008049; classtype:command-and-control; sid:2008049; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Check"; flow:to_server,established; urilen:6; http.method; content:"GET"; http.uri; content:"/check"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022105; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"board["; fast_pattern; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/i686?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022106; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; http.header; content:"Server|3A 20|DynDNS-CheckIP/"; classtype:external-ip-check; sid:2014932; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mips?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022107; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/perfgraphs/index.php?"; nocase; content:"start="; nocase; content:"end="; nocase; content:"view="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014951; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/armel?ver="; depth:11; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022108; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/smarty/internals/core.write_compiled_include.php?"; nocase; fast_pattern; content:"smarty="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014944; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mipsel?ver="; depth:12; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022109; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHCMS banco Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/gateways/boleto/boleto.php?"; nocase; fast_pattern; content:"banco="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014945; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Report GET"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/srv_report?ver="; depth:16; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022110; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt 2"; flow:established,to_server; http.uri; content:"/includes/smarty/internals/core.process_compiled_include.php?"; nocase; fast_pattern; content:"smarty="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014946; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC GET"; flow:to_server,established; urilen:13; http.method; content:"GET"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022111; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Thinkun Remind Plugin dirPath Remote File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/thinkun-remind/exportData.php?"; nocase; fast_pattern; content:"dirPath="; nocase; reference:url,secunia.com/advisories/49461; classtype:web-application-attack; sid:2014947; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header; content:".in|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022119; rev:3; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/simple-download-button-shortcode/simple-download-button_dl.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,secunia.com/advisories/49462; classtype:web-application-attack; sid:2014948; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:".pw|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022120; rev:3; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/wp-imagezoom/download.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,1337day.com/exploits/18685; classtype:web-application-attack; sid:2014949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&ip="; content:"&os="; content:"&name="; content:"&ram="; content:"&cpu="; content:"&gpu="; content:"&av="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:command-and-control; sid:2022126; rev:2; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; http.uri; content:"/newuser.php?saff="; pcre:"/^(?:\d+|x.+)/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CoinMiner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/\.php\?check=\d$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:coin-mining; sid:2022128; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_06_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; http.uri; content:"/js/data/encryptedtest.dll"; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:command-and-control; sid:2014962; rev:3; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 3"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?/12345"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,24203ba70f584b64a432fb6dad52765d; classtype:command-and-control; sid:2022186; rev:3; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Armageddon CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|ArmageddoN"; nocase; fast_pattern; http.request_body; content:"GetList="; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:command-and-control; sid:2014963; rev:3; metadata:created_at 2012_06_26, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKlip/ClipBanker.P Status Update"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; content:"Mozilla/5.0 (compatible MSIE 9.0 Windows NT 6.1 WOW64 Trident/5.0)"; bsize:66; http.request_body; content:"tekst="; depth:6; fast_pattern; pcre:"/^tekst=\w+$/i"; http.header_names; content:!"Accept-"; reference:md5,ef230777f5b34291ea22bfc3c591ce2d; classtype:trojan-activity; sid:2022192; rev:3; metadata:created_at 2015_11_30, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; http.uri; content:"/api/urls/?ts="; content:"&affid="; http.header; content:"GTB0.0|3b|"; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:6; metadata:created_at 2012_05_24, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:4; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/^\/[a-z]{15}[0-9]\.php$/"; classtype:exploit-kit; sid:2014967; rev:4; metadata:created_at 2012_06_26, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/AZZY Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; http.header; content:"User-Agent|3a 20|MSIE|20|"; depth:17; fast_pattern; pcre:"/^User-Agent\x3a MSIE \d+\.\d+\r\n/i"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7c373c607c8724f8be461d61016ed272; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:url,securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/; classtype:targeted-activity; sid:2019534; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; http.request_body; content:"CRYPTED0"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:md5,99fab94fd824737393f5184685e8edf2; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; classtype:command-and-control; sid:2013934; rev:6; metadata:created_at 2011_05_19, former_category MALWARE, updated_at 2020_04_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/MayhemBruter Inbound Ping From CnC"; flow:established,to_server; http.uri; content:"/wp-content/plugins/"; content:"/libso"; distance:0; pcre:"/\/libso\d{1,4}\.php\?id=[a-zA-Z0-9]+$/"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:command-and-control; sid:2022224; rev:3; metadata:created_at 2015_12_07, former_category MALWARE, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/versions.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/versions.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014979; rev:3; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"workrepair.bazar"; nocase; bsize:16; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030267; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC GET /lost.dat"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/lost.dat"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014980; rev:4; metadata:created_at 2012_06_28, former_category MALWARE, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"realfish.bazar"; bsize:14; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030268; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect"; flow:established,to_server; http.uri; content:"/rds-help/advanced/deferredView.jsp?"; nocase; content:"href="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014986; rev:3; metadata:created_at 2012_06_29, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"eventmoult.bazar"; bsize:16; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/rds-help/advanced/deferredView.jsp?"; nocase; content:"href="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|javascript)/Ri"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014987; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"zirabuo.bazar"; bsize:13; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pliggCMS src parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/thumbnail_plus/thumbs/grab.php?"; nocase; content:"src="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/18854; classtype:web-application-attack; sid:2014988; rev:4; metadata:created_at 2012_06_29, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Sa0aS"; fast_pattern; classtype:web-application-attack; sid:2030274; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_09, deployment Perimeter, signature_severity Major, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor thumbnail parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; fast_pattern; content:"tab="; nocase; content:"thumbnail="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014989; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2015-12-01"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe?"; fast_pattern; nocase; pcre:"/\/[0-9]{2}\.exe\?[0-9]$/i"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; nocase; http.header; content:!"User-Agent|3a 20|BlueCoat"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,77290f994d05ad0add5768c9c040dc55; classtype:trojan-activity; sid:2022207; rev:6; metadata:created_at 2015_12_02, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor tags parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; fast_pattern; content:"tab="; nocase; content:"tags="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014990; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon"; flow:to_server,established; http.request_line; content:"GET /0"; startswith; fast_pattern; http.uri; pcre:"/^\/0[a-f0-9]{48}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,8ae2468d3f208d07fb47ebb1e0e297d7; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022073; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AdaptCMS sitepath parameter Remote File Inclusion Vulnerability"; flow:established,to_server; http.uri; content:"/inc/smarty/libs/init.php?"; nocase; content:"sitepath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/91022/AdaptCMS-2.0.0-Beta-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014993; rev:3; metadata:created_at 2012_06_29, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|log="; fast_pattern; content:"path="; pcre:"/path=[A-Z]\x3a\x5c[A-F0-9]+\r\nlog=/i"; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022244; rev:3; metadata:created_at 2015_12_12, former_category MALWARE, updated_at 2020_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_profile controller parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_profile"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95609/Joomla-Profile-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014994; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"Pn="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; content:"&o="; content:"&av="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:command-and-control; sid:2021919; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/jrss-widget/proxy.php?"; nocase; fast_pattern; content:"url="; nocase; reference:url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014995; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKBEN Ransomware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?btc="; nocase; fast_pattern; content:"&wid="; nocase; distance:0; content:"|3a|TWljcm9zb2Z0IFdpbmR"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,c952a88edc0766adf819b30cd2683ac7; classtype:trojan-activity; sid:2022283; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot CnC POST /common/timestamps.php"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/common/timestamps.php"; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:command-and-control; sid:2014999; rev:3; metadata:created_at 2012_07_03, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRat WebSocket Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?__sails_io_sdk_version"; http.header; content:"vInfo|3a 20|eyJtSWQiO"; fast_pattern; reference:md5,d10966c3a1d0b5694ee9ce0bb73401e2; classtype:command-and-control; sid:2030279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; http.uri; content:"/counter/mac_proc.php?cid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015020; rev:3; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2020_04_21;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Downloader Retrieving Malicious Powershell in DNS Response"; content:"|00 10 00 01|"; offset:2; content:"-match '@(.*)@'){$str +="; content:"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($matches[1]))}"; fast_pattern; reference:md5,968c50386bdc33286367ce8ee50d029b; reference:url,twitter.com/SBousseaden/status/1270992052055089158; classtype:trojan-activity; sid:2030315; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; http.uri; content:"/check_counter.php?pid="; fast_pattern; content:"&mid="; http.user_agent; content:"internet"; bsize:8; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:command-and-control; sid:2015021; rev:3; metadata:created_at 2012_07_04, former_category MALWARE, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.3.6 CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=C7K-kJipTS1A15X5"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html; classtype:command-and-control; sid:2030313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_06_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT g01pack exploit pack /mix/ payload"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/mix/"; depth:5; content:".php"; content:"fid="; content:"quote="; classtype:exploit-kit; sid:2015011; rev:3; metadata:created_at 2012_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SocGholish Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"public.clickstat360.com"; bsize:23; reference:url,decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions; classtype:trojan-activity; sid:2035896; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; content:"ctask="; nocase; content:"approveImmediately="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ri"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:5; metadata:created_at 2012_07_07, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/Mist Stealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?alias="; fast_pattern; content:"&data="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(Connection\x0d\x0a)?\x0d\x0a$/R"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,5c7638d8247e6da38835daa8a63a0a60; classtype:trojan-activity; sid:2030316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; content:"func="; nocase; content:"root="; nocase; content:"path="; nocase; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:3; metadata:created_at 2012_07_07, updated_at 2020_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=meflying.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030330; rev:1; metadata:attack_target Client_and_Server, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; fast_pattern; content:"page="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for Malicious .dat File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,660d1132888b2a2ff83b695e65452f87; classtype:trojan-activity; sid:2030334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_wisroyq"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Koadic Header Structure"; flow:established,to_server; http.header; content:"|0d 0a|encoder|3a 20|"; content:"|0d 0a|shellchpc|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1afc93c8092b2c7e49a6d3a451629f; classtype:trojan-activity; sid:2030341; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_15, deployment Perimeter, former_category MALWARE, malware_family Koadic, signature_severity Major, updated_at 2020_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rssreader"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015040; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OceanLotus APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=summerevent.webhop.net"; nocase; endswith; classtype:domain-c2; sid:2030343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/options-general.php?"; nocase; content:"page=bb2_options"; nocase; content:"x="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112616/WordPress-Custom-Contact-Forms-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015041; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/safebrowsing/rd/"; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"PREF=ID=U="; depth:10; fast_pattern; pcre:"/^[a-z0-9]{10,}$/Rsi"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS *.doc.exe in HTTP HEADER"; flow:from_server,established; http.header; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; content:".doc.exe"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2013477; rev:10; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRat WebSockets Request M2"; flow:established,to_server; http.start; content:"GET /socket.io/?__sails_io_sdk_version=1.2.1&__sails_io_sdk_platform=node&__sails_io_sdk_language=javascript&EIO=3&transport=websocket HTTP/1.1|0d 0a|Sec-WebSocket-Version|3a 20|13|0d 0a|Sec-WebSocket-Key|3a 20|"; startswith; fast_pattern; http.header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate|3b 20|client_max_window_bits|0d 0a|"; http.header_names; content:"|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a|Connection|0d 0a|Upgrade|0d 0a|"; startswith; content:"Sec-WebSocket-Extensions|0d 0a|Host|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2030346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil"; flow:established,to_server; http.uri.raw; content:"&p1="; pcre:"/^[a-z0-9]{12,14}(?:&p2=(?:[a-z0-9]([\._-])?){1,24}(?:_DROPPER)?)$/Ri"; content:"//?m="; fast_pattern; startswith; reference:url,blog.yoroi.company/research/the-north-korean-kimsuky-apt-keeps-threatening-south-korea-evolving-its-ttps/; classtype:trojan-activity; sid:2029576; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ironhalo CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0(compatible|3b|MSIE 8.0|3b|Windows NT 6.1)"; fast_pattern; bsize:47; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; classtype:command-and-control; sid:2022298; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; nocase; content:".pdf.exe"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2013478; rev:9; metadata:created_at 2011_08_26, former_category POLICY, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"click?sid="; fast_pattern; content:"&cid="; distance:0; pcre:"/\?sid=[a-f0-9]{40}&cid=[0-9]$/"; http.header_names; content:"Referer|0d 0a|"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021251; rev:4; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2020_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; http.header; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; content:"AntiVirus"; within:24; nocase; content:".exe"; within:24; classtype:trojan-activity; sid:2013827; rev:7; metadata:created_at 2011_11_05, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT GET request CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022310; rev:3; metadata:created_at 2015_12_24, former_category MALWARE, updated_at 2020_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaflet_marker"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015466; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT POST request CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022311; rev:3; metadata:created_at 2015_12_24, former_category MALWARE, updated_at 2020_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_layer) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaflet_layer"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015467; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot download config - SET"; flow:established,to_server; flowbits:set,ET.zbot.dat; flowbits:noalert; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer"; classtype:trojan-activity; sid:2022317; rev:3; metadata:created_at 2015_12_30, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_jstore controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jstore"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/94689/Joomla-JStore-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015468; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptojoker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; content:"|3a 3a|"; distance:0; http.uri.raw; content:"|4f 4e 4c 25 35 43 6e|"; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.bleepingcomputer.com/news/security/the-cryptojoker-ransomware-is-nothing-to-laugh-about/; reference:md5,904b0888bfa02d200091fa8ad014d016; reference:md5,bca6c1fa9b9a8bf60eecbd91e08d1323; classtype:command-and-control; sid:2022333; rev:3; metadata:created_at 2016_01_06, former_category MALWARE, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Help Center Live file parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/module.php?"; nocase; content:"module=helpcenter"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/88998/Help-Center-Live-2.0.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015469; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky Payload Link Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&token1="; distance:0; content:"&token2="; distance:0; content:"&C="; distance:0; pcre:"/\/[A-Za-z]+\.php\?((?:id|token1|token2|C)=[A-Za-z0-9\/=+%]*={0,2}&?){4}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf; classtype:trojan-activity; sid:2022343; rev:3; metadata:created_at 2016_01_08, former_category MALWARE, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpPollScript include_class Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/php/init.poll.php?"; nocase; content:"include_class="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/81376/phpPollScript-1.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015470; rev:3; metadata:created_at 2012_07_13, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022362; rev:3; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_connect controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_connect"; nocase; content:"view="; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95590/Joomla-Connect-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015472; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zbot download config"; flow:established,from_server; flowbits:isset,ET.zbot.dat; http.stat_code; content:"200"; http.stat_msg; content:"OK"; http.content_type; content:"application/x-ns-proxy-autoconfig"; fast_pattern; startswith; file.data; pcre:"/^(?=[a-zA-Z]*?\d)(?=[a-z0-9]*?[A-Z])[a-zA-Z0-9+/]{30}/R"; classtype:trojan-activity; sid:2022318; rev:4; metadata:created_at 2015_12_30, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=catablog-gallery"; nocase; content:"category="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015473; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?RIGHTS="; fast_pattern; nocase; content:"&WIN="; distance:0; nocase; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022402; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/LavaGame_"; nocase; content:".exe"; nocase; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:8; metadata:created_at 2012_01_02, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Process Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?SSTART="; nocase; content:"&CRYPTED_DATA="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022403; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Newsletter data parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/plugin-newsletter/preview.php?"; nocase; fast_pattern; content:"data="; nocase; reference:url,packetstormsecurity.org/files/113413/WordPress-Newsletter-1.5-File-Disclosure.html; classtype:web-application-attack; sid:2015499; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LeChiffre Ransomware CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sipvoice.php?"; depth:14; fast_pattern; content:"&session="; distance:0; http.header; content:"Keep-Alive|3a 20|300"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4523ccfd191dcceeae8e884f82f5c7ad; reference:url,blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/; classtype:command-and-control; sid:2022406; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin PICA Photo Gallery imgname parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/pica-photo-gallery/picadownload.php?"; nocase; fast_pattern; content:"imgname="; nocase; reference:url,packetstormsecurity.org/files/113404/WordPress-PICA-Photo-Gallery-1.0-File-Disclosure.html; classtype:web-application-attack; sid:2015494; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kaicone.A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Plug="; depth:5; fast_pattern; content:"Instituto="; distance:0; content:"&AV="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0dfaf7a70859ddb86296276dc20ce1ae; classtype:command-and-control; sid:2022407; rev:3; metadata:created_at 2016_01_26, former_category MALWARE, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Edition mod parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/include/we_modules/show.php?"; nocase; content:"mod="; nocase; reference:url,packetstormsecurity.org/files/99789/Web-Edition-6.1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015495; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/safebrowsing/rd/"; fast_pattern; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; bsize:264; content:"PREF=ID="; depth:8; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; http.host; content:!"google.com"; endswith; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress church_admin Plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/church-admin/includes/validate.php?"; nocase; fast_pattern; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,securityfocus.com/bid/54329; classtype:web-application-attack; sid:2015496; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /softServer/req "; startswith; fast_pattern; http.request_body; content:"requestStr=%7B%22"; startswith; reference:md5,edadf30df18e6a7ea190041cf3bd4a0b; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=file-manager/categories"; nocase; content:"cid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015497; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (DiplomatLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=dpi64x.easyllcwi.com"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2030351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_17, deployment Perimeter, signature_severity Major, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"geoiptool.com"; endswith; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:4; metadata:created_at 2012_07_21, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/start.html"; bsize:11; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8,application/signed-exchange|3b|v=b3"; fast_pattern; bsize:118; http.header_names; content:"Host|0d 0a|Upgrade-Insecure-Requests|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; reference:md5,851a4f13928a5edb3859a21a8041908e; classtype:trojan-activity; sid:2030356; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - .com.tw/check_version.php"; flow:established,to_server; http.uri; content:"/check_version.php"; content:"&version="; http.host; content:".com.tw"; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015503; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DNS Tunneling Observed"; dns.query; content:".aaaaaaaaaaaa"; fast_pattern; pcre:"/^[abcdefghiklmnopqrstvxyz123456789]{62}\.aaaaaaaaaaaa/"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf; classtype:trojan-activity; sid:2030352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, signature_severity Major, updated_at 2020_06_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - getiplist.php"; flow:established,to_server; http.uri; content:"/getiplist.php"; http.header_names; content:!"User-Agent"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015505; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=time.updateeset.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature; classtype:domain-c2; sid:2030349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - get_servers.php"; flow:established,to_server; http.uri; content:"/get_servers.php?"; http.header_names; content:!"User-Agent"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015506; rev:4; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-06-18)"; flow:established,to_client; tls.cert_subject; content:"CN=armybar.hopto.org"; nocase; endswith; reference:md5,afbe00e755a2cf963f0eedbb4e310198; classtype:domain-c2; sid:2030350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - botinfo.php"; flow:established,to_server; http.uri; content:"/botinfo.php?"; http.header_names; content:!"User-Agent"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015508; rev:3; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.accept; content:"text/html, application/xhtml+xml, */*"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; classtype:trojan-activity; sid:2022467; rev:3; metadata:created_at 2016_01_28, updated_at 2020_06_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious NULL DNS Request"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; fast_pattern; distance:0; classtype:misc-activity; sid:2029994; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Informational, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Delete Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|delplugs|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022470; rev:3; metadata:created_at 2016_01_29, updated_at 2020_06_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern; nocase; content:"title="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Load Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|loadplug|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022471; rev:3; metadata:created_at 2016_01_29, updated_at 2020_06_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"gruppe_id="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Agent.NSU CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/afu.php?zoneid="; startswith; fast_pattern; content:"&var="; isdataat:!2,relative; reference:md5,1924c8edcd59bd9540968305a3ed4988; classtype:command-and-control; sid:2030362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; fast_pattern; distance:0; nocase; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT CnC Checkin"; flow:established,to_server; dsize:<300; content:"ping|7c|STRRAT|7c|"; depth:12; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; classtype:command-and-control; sid:2030358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; http.uri; content:"BULK"; nocase; content:"INSERT"; nocase; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT Initial HTTP Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?lid="; fast_pattern; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; pcre:"/\.php\?lid=[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/"; http.header; content:"User-Agent|3a 20|Java/"; depth:17; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Pragma"; reference:md5,bef4a453c819a453c255569c368972ea; reference:url,gdatasoftware.com/blog/strrat-crimson; classtype:command-and-control; sid:2030359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; http.uri; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; content:".php"; nocase; distance:0; classtype:bad-unknown; sid:2015518; rev:6; metadata:created_at 2012_07_24, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT Requesting License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:"/?hwid="; fast_pattern; content:"&lid="; distance:0; content:"&ht="; distance:0; http.header; content:"User-Agent|3a 20|Java/"; depth:17; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Pragma"; reference:md5,bef4a453c819a453c255569c368972ea; reference:url,gdatasoftware.com/blog/strrat-crimson; classtype:command-and-control; sid:2030360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 3"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?0Q9oBPXEN0uECUg"; classtype:command-and-control; sid:2014857; rev:4; metadata:created_at 2012_06_05, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTPCore CnC Task Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/req_"; content:".txt"; distance:32; within:4; endswith; http.user_agent; bsize:115; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"; reference:url,www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf; classtype:command-and-control; sid:2030363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; http.user_agent; content:"Googlebot-"; fast_pattern; nocase; content:!"Googlebot-News"; startswith; content:!"Googlebot-Image/1.0"; startswith; content:!"Googlebot-Video/1.0"; startswith; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)"; endswith; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:3; metadata:created_at 2012_07_26, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTPCore CnC Task Response"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/resp_"; content:".txt"; distance:32; within:4; endswith; reference:url,www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf; classtype:command-and-control; sid:2030364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; http.uri; content:".ida"; nocase; endswith; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTTPCore CnC Tasking File"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|89 50 4e 57 0d 0a 1a 0a 3c 3c 3c 3c|"; startswith; fast_pattern; reference:url,www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf; classtype:command-and-control; sid:2030365; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; http.uri; content:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Payload CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp"; endswith; fast_pattern; http.request_body; content:"F4"; offset:2; pcre:"/^[A-F0-9]{2}F4[A-F0-9]{2}0(?:1|2|3)[A-F0-9]{8}/"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; classtype:command-and-control; sid:2030377; rev:1; metadata:created_at 2020_06_22, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; http.uri; content:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello, pee"; fast_pattern; classtype:web-application-attack; sid:2030374; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; http.uri; content:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:17; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Meth/"; fast_pattern; classtype:web-application-attack; sid:2030376; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_picasa2gallery controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_picasa2gallery"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/90915/Joomla-Picasa2Gallery-1.2.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015540; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CollectorStealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&cc="; distance:0; content:"&pc="; distance:0; http.header; content:"User-Agent|3a 20|uploader|0d 0a|"; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,e929f02353d22d95523be4f8fbf794c4; classtype:command-and-control; sid:2030368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; http.uri; content:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/CollectorStealer User-Agent M2"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XLCTX|0d 0a|"; classtype:trojan-activity; sid:2034321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; http.uri; content:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/CollectorStealer User-Agent M1"; flow:established,to_server; http.header; content:"User-Agent|3a 20|CLCTR|0d 0a|"; classtype:trojan-activity; sid:2034322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Commentics id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/comments/admin/index.php?"; nocase; content:"page=edit_page"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/113996/Commentics-2.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015541; rev:3; metadata:created_at 2012_07_27, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VikroStealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate?pc_name="; fast_pattern; content:"&ip="; content:"&city="; content:"&countryCode="; content:"&passwords="; content:"&hwid="; content:"&user_id="; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:command-and-control; sid:2030369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress clickdesk-live-support-chat plugin cdwidgetid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?"; nocase; fast_pattern; content:"cdwidgetid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107255/WordPress-Clickdesk-Live-Support-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015542; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VikroStealer Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getSettings?user_id="; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:command-and-control; sid:2030370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; http.uri; content:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed VikroStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vikrostealer-1.site"; bsize:19; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:domain-c2; sid:2030371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpProfiles menu Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/Full_Release/include/body_admin.inc.php?"; nocase; content:"menu="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015543; rev:3; metadata:created_at 2012_07_27, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MASSLOGGER Client Data Exfil (POST)"; flow:established,to_server; content:".zip|22 0d 0a|Content-Type: application/zip|0d 0a 0d 0a|PK"; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; depth:51; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22 3b 20|"; fast_pattern; content:"Log.txt"; content:"PK"; reference:md5,8a1ba030a3bcfde60ad2e067fec8b773; classtype:trojan-activity; sid:2030154; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpProfiles topic_title parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/full_release/community.php?"; nocase; content:"action="; nocase; content:"comm_id="; nocase; content:"topic_title="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015544; rev:3; metadata:created_at 2012_07_27, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SluttyPutty isDebuggerPresent in Fake Putty Executable"; flow:established,to_client; file_data; content:"|4d 5a|"; depth:2; content:"https://www.chiark.greenend.org.uk/~sgtatham/putty/"; fast_pattern; content:"IsDebuggerPresent"; reference:md5,b0dd930c652d1b9350b7c8a29e798cd5; classtype:trojan-activity; sid:2030382; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; http.uri; content:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mokes CnC Keep-Alive"; flow:established,to_server; urilen:3; threshold: type both, count 9, seconds 60, track by_src; http.method; content:"GET"; http.uri; content:"/v1"; depth:3; fast_pattern; http.header; content:"Accept"; content:"User-Agent|3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/; classtype:command-and-control; sid:2022477; rev:3; metadata:created_at 2016_02_01, former_category MALWARE, updated_at 2020_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_pollxt"; nocase; content:"Itemid="; nocase; reference:url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015545; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fluxer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php?id="; fast_pattern; content:"&ver="; distance:0; content:"&m="; distance:0; pcre:"/&m=\d$/i"; http.user_agent; content:"Mozilla"; bsize:7; http.connection; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,648f432b41f3bcebc1a599f529055cf0; classtype:command-and-control; sid:2022492; rev:3; metadata:created_at 2016_02_05, former_category MALWARE, updated_at 2020_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; http.uri; content:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:17; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed VikroStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tracksupporte.site"; bsize:18; reference:md5,851c42ec4709bd59d7610591fc38129a; classtype:domain-c2; sid:2030381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_23, deployment Perimeter, former_category MALWARE, malware_family VikroStealer, signature_severity Major, updated_at 2020_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; http.header; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; http.content_type; content:"image/"; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:4; metadata:created_at 2014_09_11, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; http.uri; content:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/s2.cgi"; depth:15; http.request_body; pcre:"/^[a-f0-9]{31}\x3B(?:[a-zA-Z0-9+/=]+)?\r?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8a18846e17244db9af90009ddab341ce; reference:url,securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/; classtype:command-and-control; sid:2022529; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; http.uri; content:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus C2 Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".db?k="; fast_pattern; content:"?q="; distance:0; pcre:"/\?q=[a-f0-9]{32}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022541; rev:3; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; http.uri; content:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:9; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Blockbuster User-Agent (Mozillar)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozillar"; depth:8; nocase; fast_pattern; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,www.operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2022564; rev:4; metadata:created_at 2016_02_24, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; http.uri; content:".cmd?&"; nocase; classtype:web-application-attack; sid:2101003; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely PadCrypt Locker PKG DL"; flow:established,to_server; http.uri; content:".pdcr"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:3; metadata:created_at 2016_02_26, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress featurific-for-wordpress plugin snum parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/featurific-for-wordpress/cached_image.php?"; nocase; fast_pattern; content:"snum="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107256/WordPress-Featurific-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015536; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Base64 Executable"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>TVqQAA/Rsi"; classtype:trojan-activity; sid:2022595; rev:3; metadata:created_at 2016_03_05, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; http.uri; content:".cmd|22|"; nocase; pcre:"/^.*?\x26/Ri"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cstype="; depth:7; content:"&authname="; distance:0; content:"&hostname="; distance:0; content:"&ostype="; distance:0; content:"&owner="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations; classtype:command-and-control; sid:2019831; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos/Midhos Checkin"; flow:to_server,established; http.uri; content:"/id="; content:"&rt="; distance:0; content:"AAAAAAAAAAA"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:command-and-control; sid:2014722; rev:5; metadata:created_at 2012_05_08, former_category MALWARE, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiveRAT CnC Activity M1"; flow:established,to_server; dsize:<300; content:"|7b 73 77 6f 72 64|"; offset:2; depth:6; fast_pattern; threshold:type both, count 10, seconds 60, track by_src; classtype:command-and-control; sid:2030383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_24, deployment Perimeter, former_category MALWARE, malware_family FirebirdRAT, signature_severity Major, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV POST datan.php"; flow:established,to_server; http.uri; content:"/datan.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; nocase; classtype:trojan-activity; sid:2013206; rev:4; metadata:created_at 2011_07_06, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Rovnix CnC Domain in DNS Query"; dns.query; content:"bamo.ocry.com"; nocase; endswith; classtype:domain-c2; sid:2030395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"Report?"; fast_pattern; content:"Id="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:4; metadata:created_at 2011_08_24, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RHttpCtrl Backdoor CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ver="; startswith; content:"&id="; distance:0; content:"&random="; distance:0; content:"&hname="; distance:0; content:"&lanip="; distance:0; fast_pattern; content:"&os="; distance:0; reference:md5,ed09b0dba74bf68ec381031e2faf4448; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family APT30, performance_impact Low, signature_severity Critical, updated_at 2020_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Beomok/PSW - HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?i="; fast_pattern; nocase; content:"&o="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2009448; classtype:trojan-activity; sid:2009448; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RCtrl Backdoor CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infos/p"; bsize:8; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; reference:md5,373224fd766cb9b85e3d42d56d1702f3; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family APT30, performance_impact Low, signature_severity Critical, updated_at 2020_06_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pakes2 - Checkin - /test.php"; flow:established,to_server; urilen:9; http.uri; content:"/test.php"; fast_pattern; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2015523; rev:4; metadata:created_at 2012_07_25, former_category MALWARE, updated_at 2020_04_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RCtrl Backdoor CnC Checkin M1"; flow:established,to_client; content:"Jo*Po*Hello"; offset:4; depth:11; fast_pattern; reference:md5,373224fd766cb9b85e3d42d56d1702f3; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030401; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Critical, updated_at 2020_06_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackenergy Bot Checkin to C&C"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"Cache-Control|3a| no-cache"; http.request_body; content:"id="; content:"&build_id="; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:command-and-control; sid:2007668; rev:18; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IndigoDrop/Cobalt Strike Download"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"XHhmY1x4ZThceDg5XHgwMFx4MDBceDAwXHg2MFx4ODlceGU1X"; depth:49; fast_pattern; isdataat:!5000,relative; reference:url,blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html; classtype:trojan-activity; sid:2030400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, signature_severity Major, updated_at 2020_06_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; http.uri; content:"/?xclzve_"; startswith; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:2015562; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LumOffice Checkin"; flow:established,to_server; http.request_line; content:"POST /SMService001.asmx HTTP/1.1"; bsize:32; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/GetAccountConfig|22|"; http.request_body; content:"<soap:Body><GetAccountConfig "; fast_pattern; content:"<userID>"; distance:0; content:"</userID><password>"; distance:0; content:"</password><versionInfo>"; distance:0; content:"</versionInfo><platform>"; distance:0; content:"</onStart></GetAccountConfig>"; distance:0; reference:md5,084995c3cdee01147226542eb63de872; reference:url,lumoffice.com/; classtype:command-and-control; sid:2030407; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEMENOS T24 skin parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/genrequest.jsp?"; nocase; content:"routineName="; nocase; content:"routineArgs="; nocase; content:"compId="; nocase; content:"skin="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/115126/Temenos-T24-R07.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015572; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RezoStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?ip="; content:"&user="; distance:0; content:"&localation="; distance:0; fast_pattern; content:"&windows="; distance:0; content:"&time="; distance:0; http.header_names; content:!"Referer"; reference:url,github.com/3xp0rt/RezoStealer/blob/master/FHwFvbCd/modules/SendToServer.cs; classtype:trojan-activity; sid:2030403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category MALWARE, malware_family RezoStealer, signature_severity Major, updated_at 2020_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Applications Manager attributeToSelect parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/jsp/ThresholdActionConfiguration.jsp?"; nocase; content:"resourceid="; nocase; content:"attributeIDs="; nocase; content:"attributeToSelect="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,securityfocus.com/bid/54759/; classtype:web-application-attack; sid:2015565; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pragmaMx img_url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/imgpopup/img_popup.php?"; nocase; content:"img_url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/113035/pragmaMx-1.12.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015571; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Genome User-Agent (Http Down)"; flow:established,to_server; http.user_agent; content:"Http Down"; fast_pattern; startswith; reference:md5,479306863946029e545a4803b303d74c; classtype:trojan-activity; sid:2022654; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Advanced Text Widget plugin  page parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/advanced-text-widget/advancedtext.php?"; nocase; fast_pattern; content:"page="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107192/WordPress-Advanced-Text-Widget-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015609; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Fantasy Name Gen"; flow:established,to_server; http.host; content:"www.fantasynamegen.com"; fast_pattern; startswith; http.header_names; content:!"User-Agent"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022655; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla je-media-player view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/components/je-media-player.html?"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/91171/Joomla-JE-Media-Player-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015611; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/submit.php"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; http.user_agent; content:"User-Agent|3a|"; startswith; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022665; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dirLIST show_scaled_image.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dirLIST_files/gallery_files/show_scaled_image.php?"; nocase; content:"image_path="; nocase; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015612; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".exe"; http.user_agent; content:"Microsoft BITS/7.5"; fast_pattern; bsize:18; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/(?:xyz|pw)$/"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:5; metadata:created_at 2016_03_30, former_category CURRENT_EVENTS, updated_at 2020_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dirLIST thumb_gen.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dirLIST_files/thumb_gen.php?"; nocase; content:"image_path="; nocase; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015613; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ponmocup.A Checkin"; flow:to_server,established; urilen:10; http.method; content:"GET"; http.uri; content:"/space.php"; fast_pattern; http.header.raw; content:"Accept|3a 20|*/*|0d 0a|Cookie|3a|"; depth:25; content:"User-Agent|3a 20|"; distance:0; content:"Host|3a 20|"; distance:0; http.cookie; content:"uid="; depth:4; content:"|3b 20|VISITOR="; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:command-and-control; sid:2014660; rev:5; metadata:created_at 2012_05_01, former_category MALWARE, updated_at 2020_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BaglerCMS articleID parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/baglercms.php?"; nocase; content:"articleID="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,1337day.com/exploits/18221; classtype:web-application-attack; sid:2015614; rev:3; metadata:created_at 2012_08_10, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Virus-Encoder Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submit=submit&id="; fast_pattern; content:"&guid="; content:"&pc="; content:"&mail="; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,57a69d5130d32da0a278c72137ca58ee; classtype:command-and-control; sid:2022737; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LiveGrounds plugin uid parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/livegrounds/lg_crop.php?"; nocase; fast_pattern; content:"uid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,1337day.com/exploits/18932; classtype:web-application-attack; sid:2015615; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:command-and-control; sid:2022749; rev:3; metadata:created_at 2016_04_20, former_category MALWARE, updated_at 2020_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lanoba-social-plugin/index.php?"; nocase; fast_pattern; content:"action="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015610; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Lyhr0x"; nocase; endswith; classtype:domain-c2; sid:2030409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server; http.user_agent; content:"Mozilla"; startswith; content:"|3b 20|MyIE|20|"; fast_pattern; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8; metadata:created_at 2011_03_01, former_category USER_AGENTS, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.DOTHETUK CnC Activity"; flow:established,to_server; http.start; content:"GET /monitorpcsettings/settings.txt HTTP/1.1|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,381cbfba113423382b17f0bb18b9cee9; classtype:command-and-control; sid:2030411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; http.header; content:"User-Agent|3A| SimpleClient "; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_05_26, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:C5:5A:CC:01:BD:A7:5B:DA"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030412; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|adlib/"; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"app-system2-update.com"; endswith; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030413; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/gui/link.php?"; nocase; content:"IP="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015637; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B7:E4:D1:83:71:78:B0:A9"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030414; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"IP="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015638; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"awe232-service-app.com"; endswith; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030415; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"wgDekiPluginPath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015639; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B9:03:54:FD:F4:FF:6D:68"; fast_pattern; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030416; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/web/deki/gui/link.php?"; nocase; content:"IP="; nocase; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015640; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"upd-ncx4-server.com"; endswith; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030417; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"IP="; nocase; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015641; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Glupteba Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|25|"; content:"-rtmd-"; nocase; fast_pattern; content:".exe"; bsize:>50; http.header_names; content:!"Referer"; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; reference:md5,e39362df0a751289b6f65b3448ae38f4; classtype:trojan-activity; sid:2030435; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"wgDekiPluginPath="; nocase; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015642; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Glupteba Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ru5555/"; content:"-fmld-0.exe"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; classtype:trojan-activity; sid:2030436; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_g2bridge"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015645; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glupteba CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; nocase; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ip|22 3a 22|"; startswith; content:",|22|comment|22 3a 22|Opened "; fast_pattern; distance:0; content:"|22|,|22|status|22 3a|"; distance:0; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; reference:md5,ae353f4c6558996e3abc9c016dd86e2c; classtype:command-and-control; sid:2030437; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Likely TDS redirecting to exploit kit"; flow:established,to_server; http.uri; content:".php?go="; pcre:"/^\d$/R"; classtype:exploit-kit; sid:2014854; rev:5; metadata:created_at 2012_06_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucifer CnC Checkin"; flow:established,to_server; content:"INTOGC"; offset:105; depth:6; fast_pattern; content:"ID"; distance:6; within:2; reference:url,unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware; reference:md5,92c3cfee6768ed284310313aa17e0d26; classtype:command-and-control; sid:2030445; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.JS.QLP Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/read.php?nm="; startswith; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015673; rev:4; metadata:created_at 2012_08_30, former_category MALWARE, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".analytics-akadns.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.analytics-akadns\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030440; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Flashback Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scheck/"; http.user_agent; pcre:"/^[A-Za-z0-9+\/=]+?$/"; classtype:command-and-control; sid:2014598; rev:7; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".akamai-analytics.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.akamai-analytics\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030441; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|CE FA AD DE 03 00|"; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:command-and-control; sid:2013819; rev:5; metadata:created_at 2011_11_02, former_category MALWARE, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".akamai-information.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.akamai-information\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030442; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; http.uri; content:"python "; nocase; classtype:web-application-attack; sid:2101350; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".akamai-technologies.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.akamai-technologies\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030443; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; http.uri; content:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:2100952; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".sync-akamai.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.sync-akamai\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030444; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; http.uri; content:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:2100951; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"websitelistbuilder.com"; bsize:22; endswith; classtype:domain-c2; sid:2030448; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100958; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=websitelistbuilder.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030449; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; http.uri; content:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100959; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"traffichi.com"; bsize:13; endswith; classtype:domain-c2; sid:2030450; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100961; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=traffichi.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030451; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100965; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"cofeedback.com"; bsize:14; endswith; classtype:domain-c2; sid:2030452; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; http.uri; content:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:2100994; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cofeedback.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030453; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; http.uri; content:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:2101016; rev:16; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"adsmarketart.com"; bsize:16; endswith; classtype:domain-c2; sid:2030454; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; http.uri; content:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=adsmarketart.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030455; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; http.uri; content:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"advancedanalysis.be"; bsize:19; endswith; classtype:domain-c2; sid:2030456; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:15; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=advancedanalysis.be"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030457; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; http.uri; content:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:2101403; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=advertstv.com"; nocase; endswith; classtype:domain-c2; sid:2030458; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:20; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=amazingdonutco.com"; nocase; endswith; classtype:domain-c2; sid:2030460; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; http.stat_code; content:"403"; classtype:attempted-recon; sid:2101201; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mwebsoft.com"; nocase; endswith; classtype:domain-c2; sid:2030462; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; http.uri; content:"?action=checkPort&port="; http.user_agent; content:"Java/"; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; classtype:trojan-activity; sid:2011667; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rostraffic.com"; nocase; endswith; classtype:domain-c2; sid:2030464; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; http.uri; content:"?action=getData&servicePort="; http.user_agent; content:"Java/"; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=typiconsult.com"; nocase; endswith; classtype:domain-c2; sid:2030466; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZmEu|0d 0a|"; classtype:trojan-activity; sid:2012936; rev:4; metadata:created_at 2011_06_07, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Masayki"; fast_pattern; classtype:web-application-attack; sid:2030471; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-blank login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a| Basic YWRtaW46|0d 0a|"; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009218; classtype:attempted-admin; sid:2009218; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?u="; content:"_"; distance:0; content:"&i="; distance:0; http.user_agent; content:"WinHTTP"; depth:7; endswith; http.request_body; content:"p=<br><mark>"; fast_pattern; depth:12; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY iTunes User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"iTunes"; nocase; depth:6; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002878; classtype:policy-violation; sid:2002878; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/echo.php?req="; fast_pattern; content:"&u="; distance:0; content:"_"; distance:0; http.user_agent; content:"Microsoft WinHttp"; depth:17; endswith; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; http.user_agent; content:"Skype"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Response"; flow:established,to_server; content:"|0d 0a 0d 0a|ci="; fast_pattern; http.method; content:"POST"; http.uri; content:"/rite.php"; http.user_agent; content:"WinHTTP"; depth:7; endswith; http.request_body; content:"ci="; depth:3; content:"&r="; distance:0; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; http.host; content:"stats.norton.com"; endswith; http.user_agent; content:"Install Stub"; depth:12; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zeromax Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=enibenny.space"; nocase; endswith; classtype:domain-c2; sid:2030475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client HTTP Request"; flow:to_server,established; http.uri; content:"/gnutella/"; nocase; content:"?client=BEAR"; nocase; content:"&version="; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; classtype:trojan-activity; sid:2006379; rev:7; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat Initial CnC Activity"; flow:established,to_server; urilen:>100; http.request_line; content:"=c|20|HTTP/1.1"; endswith; fast_pattern; http.method; content:"GET"; http.uri; content:".php?"; content:"=c"; distance:32; within:2; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"Referer"; reference:md5,4467b54917f60b657e0c92df4296cbc1; classtype:command-and-control; sid:2029881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2020_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:19; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity"; flow:established,to_server; urilen:>100; http.method; content:"GET"; http.uri.raw; content:"=%3D"; fast_pattern; http.uri; content:".php?"; pcre:"/^\/[^\r\n]+\.php\?[a-f0-9]{32}(?:=(?:%3D|\x3d)*[A-Za-z0-9%\/]+&[a-f0-9]{32}){4,}=(?:%3D|\x3d)*[A-Za-z0-9%\/]+$/si"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; content:!"Referer"; content:!"Accept"; content:!"Cache"; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,4467b54917f60b657e0c92df4296cbc1; classtype:command-and-control; sid:2029897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2020_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Absinthe SQL Injection Tool HTTP Header Detected"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Absinthe"; nocase; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; classtype:attempted-recon; sid:2009555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TaurusStealer CnC)"; flow:established,to_client; tls.cert_serial; content:"0E:7F:A1:8D:53:1A"; endswith; classtype:domain-c2; sid:2030476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"|20|yum|2F|"; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:4; metadata:created_at 2011_09_02, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gaudox Checkin"; flow:to_server,established; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; fast_pattern; bsize:66; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:command-and-control; sid:2022505; rev:5; metadata:created_at 2016_02_12, former_category MALWARE, updated_at 2020_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; http.method; content:"TRACE"; nocase; reference:url,doc.emergingthreats.net/2010766; classtype:bad-unknown; sid:2010766; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/al?"; depth:4; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022756; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus User Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Nessus"; nocase; depth:40; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; classtype:attempted-recon; sid:2002664; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?---"; pcre:"/\?---[A-Z]$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022757; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Blizzard"; reference:url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html; reference:url,doc.emergingthreats.net/2011708; classtype:policy-violation; sid:2011708; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackmoon/Banbra Configuration Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; http.header; content:"Accept|3a 20|*/*|0d 0d 0a|User-Agent"; fast_pattern; http.host; content:".qq.com"; endswith; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,bbcbd3dc203829c9cdbf7d1b057f0e79; classtype:trojan-activity; sid:2022759; rev:3; metadata:created_at 2016_04_25, updated_at 2020_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|AOLToolbar"; reference:url,doc.emergingthreats.net/bin/view/Main/2003469; classtype:policy-violation; sid:2003469; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku Initial C2 Checkin"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"uid={"; depth:5; fast_pattern; content:"&v="; distance:0; content:"&pi="; distance:0; content:",&if="; distance:0; reference:url,forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022788; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2020_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY ApacheBenchmark Tool User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"User-Agent|3a 20|ApacheBench"; nocase; reference:url,httpd.apache.org/docs/2.0/programs/ab.html/; reference:url,doc.emergingthreats.net/2010725; classtype:attempted-recon; sid:2010725; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperKillerX Checkin Activity"; flow:established,to_server; dsize:20; content:"|1c 70 b6 f8 00 00 00 00 14 00 00 00|"; offset:4; depth:12; fast_pattern; reference:md5,081483cb25a69cd5b4de2368a4e67910; reference:md5,83b851067e1331a81e35b29c8a1ff151; classtype:command-and-control; sid:2030478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; http.user_agent; content:"Carbonite Installer"; nocase; depth:19; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperKillerX CnC Activity"; flow:established,to_server; dsize:312; content:"|1c 70 b6 f8 f5 01 00 00 38 01 00 00|"; offset:4; depth:12; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:md5,081483cb25a69cd5b4de2368a4e67910; reference:md5,83b851067e1331a81e35b29c8a1ff151; classtype:command-and-control; sid:2030479; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; http.header.raw; content:"|0d 0a|Cookie|3a|"; content:"%3D|3b 20|cc2="; distance:0; content:"%3D|3b 20|cc3="; content:"%3D|3b 20|cc4="; content:"|20|Java/"; classtype:exploit-kit; sid:2013695; rev:5; metadata:created_at 2011_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware BMP Download"; flow:established,to_server; content:".bmp HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^\/help(?:me)?\.bmp$/"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:url,labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/; reference:md5,c78a9c6affbfbfabfc50fae515675c6a; reference:md5,acbf8739dce846472a7715c975dc8b40; classtype:trojan-activity; sid:2030485; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category MALWARE, malware_family hakbit, malware_family thanos, signature_severity Major, tag Ransomware, updated_at 2020_07_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mslfiedjssfdes.com"; nocase; endswith; classtype:domain-c2; sid:2030486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; http.user_agent; content:"Brutus/AET"; classtype:attempted-recon; sid:2015702; rev:4; metadata:created_at 2012_09_17, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRAT Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myO?gId="; startswith; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept-"; reference:md5,f1638d4cd6286b69cb29d8002478d0c1; classtype:trojan-activity; sid:2030494; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Brutus Scan Inbound"; flow:established,to_server; http.user_agent; content:"Brutus/AET"; classtype:attempted-recon; sid:2015703; rev:4; metadata:created_at 2012_09_17, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus APT Related Valefor/VSingle CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/1"; content:".php?ufw="; distance:0; fast_pattern; pcre:"/\/[a-z0-9]{16}\.php\?ufw=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b|"; depth:40; reference:md5,67f4dad1a94ed8a47283c2c0c05a7594; reference:url,blogs.jpcert.or.jp/en/2022/07/vsingle.html; classtype:targeted-activity; sid:2037275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Stonefly, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent Recuva (Recuva)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Recuva"; reference:url,doc.emergingthreats.net/2011090; reference:url,www.piriform.com/; classtype:trojan-activity; sid:2011090; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRAT Downloader Error Report POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/myOR?info=LoadFirstError"; startswith; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept-"; reference:md5,f1638d4cd6286b69cb29d8002478d0c1; classtype:trojan-activity; sid:2030495; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirage Campaign checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/result?hl="; depth:11; content:"&meta="; distance:0; http.request_body; content:"Mjtdkj"; depth:6; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:command-and-control; sid:2015714; rev:3; metadata:created_at 2012_09_19, former_category MALWARE, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)"; flow:established,to_server; dsize:5; content:"|33 66 99 01|"; depth:4; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030490; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2020_07_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (buddy list)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/buddy_list.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010785; classtype:policy-violation; sid:2010785; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/BASHLITE vbot Variant CnC"; flow:established,to_server; content:"ver|3a|1.500000|3a|null|3a|"; fast_pattern; reference:md5,65cc35e68e3834b1955115737ff3c55e; classtype:trojan-activity; sid:2030496; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"POST"; http.uri; content:"/wp-login.php"; nocase; http.request_body; content:"log|3d|"; content:"pwd|3d|"; classtype:attempted-recon; sid:2014020; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DTStealer CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|ip="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ip="; depth:3; content:"&country="; distance:0; content:"&date="; distance:0; content:"&report="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,4ab065354c6156380645c905823cafde; classtype:trojan-activity; sid:2030497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_13, deployment Perimeter, former_category MALWARE, malware_family DTStealer, signature_severity Major, updated_at 2020_07_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|vmware"; reference:url,www.vmware.com; classtype:policy-violation; sid:2013749; rev:6; metadata:created_at 2011_10_11, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (ps1)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; content:"orphic.ps1"; endswith; fast_pattern; reference:url,github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030516; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"Made by ZmEu"; depth:12; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:10; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (exe)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; fast_pattern; pcre:"/(?:BrowsingHistoryView|WebBrowserPassView)\.exe$/Ri"; reference:url,github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030517; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; http.user_agent; content:"BingBar"; depth:7; classtype:policy-violation; sid:2013715; rev:5; metadata:created_at 2011_10_01, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Joanap CnC Checkin"; flow:to_server,established; http.uri; content:".ico"; http.user_agent; content:"Mozillar"; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,operationblockbuster.com/resources/index.html; classtype:command-and-control; sid:2021730; rev:4; metadata:created_at 2015_08_31, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"attachment"; nocase; file.data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:7; metadata:created_at 2012_04_06, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 4 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/access.cgi"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; content:"User-Agent|3a|"; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,53859b74ab0ed0e98065982462f4e575; classtype:command-and-control; sid:2022844; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"/nano.php?x="; classtype:exploit-kit; sid:2015734; rev:4; metadata:created_at 2012_09_25, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?profile="; content:"&ddager="; distance:0; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4027e40dc474f595d46a59f2eaaa4e8d; classtype:command-and-control; sid:2028919; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; http.user_agent; content:"ZDM/4.0|3B| Windows Mobile 7.0|3B|"; depth:28; classtype:not-suspicious; sid:2013784; rev:7; metadata:created_at 2011_10_20, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Initial Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=new&username="; distance:0; content:"&computername="; distance:0; content:"&os="; distance:0; content:"&architecture="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:command-and-control; sid:2022862; rev:3; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_18, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Version Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=noupdate&ver="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:command-and-control; sid:2022863; rev:3; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; http.user_agent; content:"APT-HTTP|2F|"; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:6; metadata:created_at 2011_08_31, former_category POLICY, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Sending Status Logs"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=statuslog&log="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022864; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Runner/Bublik Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"G="; nocase; content:"&PG="; nocase; content:"&EPBB="; fast_pattern; nocase; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:command-and-control; sid:2009711; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Software Update Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=update&username="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022865; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Densmail.com Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/cc.php"; nocase; content:"v="; nocase; content:"&rnd="; nocase; distance:0; pcre:"/v=\d+&rnd=\d/i"; reference:url,doc.emergingthreats.net/2007822; classtype:command-and-control; sid:2007822; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Reporting Error Code"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"&log=GetLastError"; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022866; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Hupigon.dkwt Related Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"htm?mac="; nocase; content:"&os="; nocase; distance:0; content:"&ver="; nocase; distance:0; content:"&id="; nocase; distance:0; pcre:"/\?mac=[0-9]*?&os=[a-z]*?&ver=[0-9]{8}&id=/i"; reference:url,doc.emergingthreats.net/2009704; classtype:command-and-control; sid:2009704; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Successful Software Update Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"&log=CheckedForUpdate"; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022867; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamania Trojan Check-in"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; content:"?p4="; nocase; content:"&p5="; fast_pattern; nocase; distance:0; content:"&hs="; nocase; distance:0; pcre:"/p4=\d+&p5=\d+&hs=\d/i"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Sending Keystrokes"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"key&log=TWND"; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022871; rev:3; metadata:created_at 2016_06_07, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Murlo Trojan Checkin"; flow: to_server,established; http.method; content:"GET"; nocase; http.uri; content: ".asp?mac="; nocase; pcre:"/^[a-f0-9]/Ri"; content: "&ver="; nocase; content: "&os="; nocase; reference:url,doc.emergingthreats.net/2009442; classtype:command-and-control; sid:2009442; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS RAM Scraper Sending Details"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"add&log="; distance:0; content:"&foundin="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022872; rev:3; metadata:created_at 2016_06_07, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; http.uri; content:"/cp/rule.php?gcu="; nocase; pcre:"/^\d/Ri"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Criptobit/Mobef Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a="; pcre:"/\.php\?a=\d{5,10}.+\x3a\d\x3a\d\x3a\d\.\d\x3a\d$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) Edge/13.10586"; fast_pattern; bsize:55; reference:md5,c90a8039f330ba6660a91113f6c53685; classtype:command-and-control; sid:2022845; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oficla Downloader Activity Observed"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&v="; nocase; content:"&tm="; nocase; fast_pattern; content:"&b="; nocase; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/i"; reference:md5,38e1d644e2a16041b5ec1a02826df280; reference:url,doc.emergingthreats.net/2009776; reference:md5,1db0c8d48a76662496af7faf581b1cf0; classtype:trojan-activity; sid:2009776; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor/CryptON Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=8ACEFC"; offset:1; depth:7; fast_pattern; pcre:"/=8ACEFC[0-9A-F]{150,}$/"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,5ee28035c56c048580c64b67ec4f2124; classtype:command-and-control; sid:2022875; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Counter/Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?mac="; nocase; content:"&ver="; distance:0; nocase; pcre:"/\.asp\?mac=(?:[0-9A-F]{2}-){5}(?:[0-9A-F]{2})+&ver=\d/i"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qarallax RAT Downloading Modules"; flow:to_server,established; http.method; content:"GET"; http.host; content:"qarallax.com"; endswith; fast_pattern; http.user_agent; content:"Java/"; startswith; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022881; rev:3; metadata:created_at 2016_06_08, updated_at 2020_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; http.uri; content:"/show.php?"; nocase; content:"id="; nocase; content:"UNION"; distance:0; nocase; pcre:"/id=-?\d+\s+UNION\s/i"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bolek HTTP Checkin"; flow: to_server,established; http.method; content:"GET"; http.uri; pcre:"/\?[a-f0-9]{32}$/i"; http.user_agent; content:"Client 1.2"; fast_pattern; bsize:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:command-and-control; sid:2022889; rev:3; metadata:created_at 2016_06_10, former_category MALWARE, updated_at 2020_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/picmgmt.inc.php?"; nocase; content:"output="; nocase; pcre:"/output=\w/i"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:5; metadata:created_at 2011_02_25, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"ps0="; depth:4; fast_pattern; content:"&ps1="; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:command-and-control; sid:2017371; rev:12; metadata:created_at 2013_05_16, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/picmgmt.inc.php?"; nocase; content:"retva="; nocase; pcre:"/^\w/Ri"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:5; metadata:created_at 2011_02_25, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Validate/valsrv"; bsize:16; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030526; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config/custom/base.ini.php?"; nocase; content:"x="; nocase; pcre:"/^\w/Ri"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:5; metadata:created_at 2011_04_22, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EvilNum CnC Checkin Response"; flow:established,to_client; http.response_body; content:"youwillnotfindthisanywhare"; bsize:<50; fast_pattern; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030527; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/src/slooz.php?"; nocase; content:"file="; nocase; pcre:"/^\w/Ri"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:4; metadata:created_at 2011_05_20, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getid"; bsize:15; fast_pattern; http.request_body; content:"action="; startswith; content:"&computer_name="; distance:0; content:"&username="; distance:0; content:"&version="; distance:0; content:"&cli="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030528; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/is-human/engine.php?"; nocase; content:"action="; nocase; content:"type="; nocase; pcre:"/^\w/Ri"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getcommand"; bsize:20; fast_pattern; http.request_body; content:"action="; startswith; content:"&uid="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030529; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/telecharger.php?"; nocase; content:"Fichier_a_telecharger="; nocase; pcre:"/^\w/Ri"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:4; metadata:created_at 2011_06_07, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getid"; bsize:15; fast_pattern; http.request_body; content:"action="; startswith; content:"&uid="; distance:0; content:"&antivirus="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030530; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/awstatstotals.php?"; nocase; content:"sort="; nocase; pcre:"/^\w/Ri"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:4; metadata:created_at 2011_06_10, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/"; startswith; http.request_body; content:"action=error&uid="; startswith; fast_pattern; content:"&data="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030531; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shylock Module Data POST"; flow:established,to_server; http.request_body; content:"id="; content:"&bid="; distance:0; content:"&query="; distance:0; content:"&data="; distance:0; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/"; reference:md5,4fda5e7e8e682870e993f97ad26ba6b2; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; classtype:trojan-activity; sid:2013687; rev:5; metadata:created_at 2011_09_22, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Banker.DH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|ru|3b 20|rv|3a|1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"; fast_pattern; bsize:104; http.request_body; content:"id="; depth:3; nocase; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,39519ff5bddd6d0eee032232349fe0a6; classtype:command-and-control; sid:2022811; rev:4; metadata:created_at 2016_05_17, former_category MALWARE, updated_at 2020_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; content:"cmd="; nocase; pcre:"/cmd=\w/i"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:6; metadata:created_at 2012_01_02, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypren/Zcrypt Ransomware Checkin"; flow:established,to_server; http.uri; content:".php?computerid="; pcre:"/\.php\?computerid=[a-fA-F0-9]{32}&(?:public|private)=\d$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7efb738c2b04aacdd3354d590cb3df47; classtype:command-and-control; sid:2022897; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,CVE-2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/RAA Ransomware check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"|20|- RAA"; fast_pattern; http.header; content:"WinHttp.WinHttpRequest"; reference:md5,535494aa6ce3ccef7346b548da5061a9; classtype:trojan-activity; sid:2022899; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.header; content:"User-Agent|3a 20|bot/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MASSLOGGER Client Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[^_]+_[^\_]+_[A-F0-9]{10}_[0-9]{2}-[0-9]{2}-20[0-9]{2}\s[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}\./R"; content:"zip|22 0d 0a|Content-Type: application/zip|0d 0a 0d 0a|PK"; within:41; content:"/Log.txt"; distance:0; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,79efca38c3230aaae9dd8bb11f15fe43; classtype:trojan-activity; sid:2030550; rev:2; metadata:created_at 2020_07_16, former_category MALWARE, updated_at 2020_07_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell)"; flow:from_server,established; http.content_type; content:"image/"; startswith; file.data; content:"eval(gzinflate(base64_decode("; distance:0; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html; classtype:attempted-user; sid:2015755; rev:4; metadata:created_at 2012_10_02, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BYOB - Python Backdoor Stager Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a 27|Stager|20 28|Build Your Own Botnet|29 27 0a|"; fast_pattern; reference:md5,76117987409f341b5272958e27dd9ac5; classtype:command-and-control; sid:2030551; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2"; flow:to_server,established; http.user_agent; content:"AskTb"; depth:5; classtype:policy-violation; sid:2015757; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BYOB - Python Backdoor Loader Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a 27|Loader|20 28|Build Your Own Botnet|29 27 0a|"; fast_pattern; reference:md5,76117987409f341b5272958e27dd9ac5; classtype:command-and-control; sid:2030552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; isdataat:64,relative; content:"="; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/"; classtype:exploit-kit; sid:2015781; rev:3; metadata:created_at 2012_10_05, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,443,587,9997] (msg:"ET MALWARE APT33/CharmingKitten Shellcode Communicating with CnC"; flow:established,to_server; dsize:<150; content:"|16 03|"; depth:2; content:"|00|"; distance:1; within:1; content:"|01 00 00|"; distance:1; within:3; content:"|03|"; distance:1; within:1; content:"|5b e0 37|"; distance:1; within:3; fast_pattern; content:"|00|"; distance:0; content:"|00|"; distance:1; within:1; content:"|00|"; distance:1; within:1; threshold: type limit, count 1, seconds 30, track by_dst; content:!"mtalk.google.com"; reference:md5,a60f127a06e5b3dcacd1ec346f7995c5; classtype:targeted-activity; sid:2026576; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellcode, performance_impact Low, signature_severity Major, tag APT33_CharmingKitten, tag Shellcode, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"heritrix"; nocase; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:5; metadata:created_at 2012_10_12, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NEWPASS CnC Client Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"newpass="; startswith; content:"&server_page="; distance:0; content:"&passdb="; distance:0; content:"&targetlogin="; distance:0; fast_pattern; content:"&table_data="; distance:0; reference:url,www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/; classtype:command-and-control; sid:2030557; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_17, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; http.uri; content:"/phptax/"; nocase; content:"&pfilez="; nocase; classtype:web-application-attack; sid:2015794; rev:3; metadata:created_at 2012_10_12, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Satana Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/add.php"; http.request_body; content:"id="; depth:3; content:"&code="; distance:0; content:"&sdata="; distance:0; content:"&name="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,d236fcc8789f94f085137058311e848b; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware; classtype:command-and-control; sid:2022929; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:7; metadata:created_at 2010_10_13, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ranscam Ransomware Contact Form"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; http.cookie; content:"visitz="; file.data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:3; metadata:created_at 2012_10_18, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Razy.azv Downloading Content"; flow:established,to_server; http.uri; content:".so"; endswith; pcre:"/\/(?:tr(?:_w)?|ft)\.so$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept"; nocase; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022969; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, malware_family Razy, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; http.user_agent; content:"FHScan Core 1."; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:6; metadata:created_at 2012_04_12, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,886] (msg:"ET MALWARE Win32/PSW.Agent.OIN CnC Activity"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.9|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36|0d 0a|Content-Length|3a 20|"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:!"&"; pcre:"/^(?:[a-zA-Z0-9+/\x20]{4})*(?:[a-zA-Z0-9+/\x20]{2}==|[a-zA-Z0-9+/\x20]{3}=|[a-zA-Z0-9+/\x20]{4})$/"; reference:md5,4589aaf8f84c91c5e290ddebcc368342; classtype:command-and-control; sid:2030560; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot requesting update"; flow:to_server,established; http.uri; content:"/modules/docs/upload/calc.exe"; classtype:trojan-activity; sid:2015853; rev:3; metadata:created_at 2012_11_01, updated_at 2020_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)"; flow:established,to_server; content:"|23 23 24 23 23 0d 0a|"; within:20; dsize:<190; reference:md5,f50a94513fd739f5f40a57879e2f3cff; classtype:trojan-activity; sid:2030558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; http.uri; content:"/RebateInformerSetup.exe"; nocase; http.user_agent; content:"Inno Setup Downloader"; startswith; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:4; metadata:created_at 2012_11_02, updated_at 2020_04_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)"; flow:established,to_client; content:"|23 23 24 23 23 0d 0a|"; within:20; dsize:<190; reference:md5,f50a94513fd739f5f40a57879e2f3cff; classtype:trojan-activity; sid:2030559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; http.uri; content:"/Dot.class"; classtype:exploit-kit; sid:2015885; rev:3; metadata:created_at 2012_11_14, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Project Plague CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; content:"&ip="; distance:0; content:"&os=Microsoft"; distance:0; fast_pattern; content:"&ram="; distance:0; content:"&cpu="; distance:0; content:"&av="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,0934bf4d962c598c405f8f085377529d; reference:url,twitter.com/c3rb3ru5d3d53c/status/1371174503129219081; classtype:command-and-control; sid:2032004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Wauchos.A CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|stpfu"; http.method; content:"POST"; classtype:trojan-activity; sid:2015895; rev:3; metadata:created_at 2012_11_20, former_category MALWARE, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"funnymemos.shop"; bsize:15; classtype:domain-c2; sid:2030561; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJ_PROX.AFV POST"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; nocase; http.request_body; content:"=|22|sid|22|"; nocase; content:"=|22|up|22|"; nocase; content:"=|22|wbfl|22|"; nocase; content:"=|22|v|22|"; nocase; content:"=|22|ping|22|"; nocase; content:"=|22|guid|22|"; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; reference:url,doc.emergingthreats.net/2007728; classtype:trojan-activity; sid:2007728; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"trythisshop.club"; bsize:16; classtype:domain-c2; sid:2030562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data\; name=|22|a|22|"; content:"form-data\; name=|22|c|22|"; content:"form-data\; name=|22|p1|22|"; classtype:attempted-user; sid:2015920; rev:3; metadata:created_at 2012_11_21, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"buytheone.best"; bsize:14; classtype:domain-c2; sid:2030563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java payload request /5-digit"; flow:established,to_server; urilen:6; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/\d{5}$/"; http.user_agent; content:"|29 20|Java/"; classtype:exploit-kit; sid:2015923; rev:4; metadata:created_at 2012_11_24, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"shopoholics.best"; bsize:16; classtype:domain-c2; sid:2030564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|from|22|"; content:"form-data|3b| name=|22|realname|22|"; content:"form-data|3b| name=|22|amount|22|"; classtype:web-application-activity; sid:2015924; rev:3; metadata:created_at 2012_11_24, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (PHP)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=@eval"; depth:9; content:"base64_decode"; distance:0; content:"&action="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022976; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|formSubmited|22|"; content:"form-data|3b| name=|22|scriptPassword|22|"; classtype:misc-activity; sid:2015937; rev:8; metadata:created_at 2012_11_27, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (aspx)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=Response.Write"; depth:18; fast_pattern; content:"eval"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022977; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; http.uri; content:"/core/DataTable/Filter/Megre.php"; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:3; metadata:created_at 2012_11_28, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil Monero Cryptocurrency Miner Request Pools"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<HTML>|0d 0a|<HEAD>|0d 0a|<BODY>|0d 0a|<DIV"; depth:28; content:"|0d 0a|899@"; distance:0; content:"0.rn,9.re9899@n&9,bgggs"; distance:0; fast_pattern; reference:md5,848720742b957d27f6ee94b9fe4126f0; reference:url,www.fireeye.com/blog/threat-research/2016/06/resurrection-of-the-evil-miner.html; classtype:trojan-activity; sid:2022982; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdoored Version calls home"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/x.php"; http.host; content:"prostoivse.com"; endswith; http.request_body; content:"reff="; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:5; metadata:created_at 2012_11_28, former_category WEB_SERVER, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"circleoccupy.best"; bsize:17; classtype:domain-c2; sid:2030566; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad/?"; startswith; fast_pattern; pcre:"/^[a-z]{1,4}\x3d[a-z0-9]+?$/Ri"; http.header_names; content:!"User-Agent|0d 0a|"; classtype:command-and-control; sid:2015958; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"papuanewguinew.club"; bsize:19; classtype:domain-c2; sid:2030567; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack PDF Request"; flow:established,to_server; http.uri; content:"/p5.php?t=u00"; content:"&oh="; classtype:exploit-kit; sid:2015961; rev:12; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"loaderoverlord.casa"; bsize:19; classtype:domain-c2; sid:2030568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin 1"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; startswith; http.host; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/^\d{5}\x2eddns[a-z0-9]\x2eeu$/"; http.user_agent; content:"MSIE 7.0|3b|"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:command-and-control; sid:2015968; rev:9; metadata:created_at 2012_11_30, former_category MALWARE, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mramoritto.top"; bsize:14; classtype:domain-c2; sid:2030569; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; http.uri; content:".html"; endswith; pcre:"/\/[0-9]{2}\.html$/"; http.user_agent; content:" Java/1"; classtype:exploit-kit; sid:2015990; rev:3; metadata:created_at 2012_12_06, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"loaderprototype.casa"; bsize:20; classtype:domain-c2; sid:2030570; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/iis/host.aspx"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; http.content_type; content:"application/octet-stream"; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:3; metadata:created_at 2012_12_08, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cutterfighter.club"; bsize:18; classtype:domain-c2; sid:2030571; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/tests/test_tools/functional_tests.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"almostcruze.best"; bsize:16; classtype:domain-c2; sid:2030572; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/demos/time-tracker/tests/functional.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"loadberlin.casa"; bsize:15; classtype:domain-c2; sid:2030573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; http.uri; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; pcre:"/(?:\?|&)(?:host|service|opt|end|start)=[^&]+?\x60.+?\x60/i"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fujacks Variant CnC Activity"; flow:established,to_server; http.start; content:"GET /down1.txt HTTP/1.1|0d 0a|User-Agent|3a 20|ErrCode|0d 0a|Host|3a 20|"; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Connection|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; reference:md5,54b72be155b057f693508c0d15fc6d00; classtype:command-and-control; sid:2030580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising FlashPost - POST to *.stats"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".stats"; http.request_body; content:"pageURL="; classtype:bad-unknown; sid:2016023; rev:4; metadata:created_at 2012_12_13, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Scylla/"; fast_pattern; classtype:web-application-attack; sid:2030584; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_23, deployment Perimeter, signature_severity Major, updated_at 2020_07_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; fast_pattern; content:"wpp="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Radonskra.B C2 Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&os=Windows"; nocase; content:"&mac="; nocase; content:"&lua="; nocase; content:"&firewall="; nocase; content:"&antivirus="; nocase; content:"&antispyware"; nocase; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,9d6b99e87faa3f7a23adef5031bd598b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fRadonskra.B; classtype:command-and-control; sid:2023033; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?"; nocase; fast_pattern; content:"wpp="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016038; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v"; depth:2; content:"/lady_"; distance:0; fast_pattern; pcre:"/^\/v\d+\/lady_[ix]/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023035; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/includes/download.php?"; nocase; content:"f="; nocase; reference:url,packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016042; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Executable Download Purporting to be JavaScript likely 2nd stage Infection"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/x-javascript"; nocase; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:trojan-activity; sid:2013352; rev:5; metadata:created_at 2011_08_04, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/windows/code.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016043; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=SendFileZIPBoundary|0d 0a|"; depth:65; http.user_agent; content:"uploader"; depth:8; endswith; http.request_body; content:"form-data|3b 20|name=|22|fileToUpload|22 3b 20|filename=|22|zipfile.zip"; fast_pattern; reference:md5,fe15986992ef7dd209047deec2851e2e; classtype:command-and-control; sid:2034324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/windows/function.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016044; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; content:"&2="; distance:0; content:"&4="; distance:0; content:"&5="; distance:0; content:"&6="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023076; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase; fast_pattern; content:"headline="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2016045; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo C2 Response"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; http.uri; content:"/list.php?db="; fast_pattern; http.accept_lang; content:"ko-kr"; startswith; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016050; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo C2 Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; content:!"&2="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023078; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; http.user_agent; content:"poclbm/"; nocase; startswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016068; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker Downloading Modules"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/system/MA-"; depth:11; fast_pattern; content:".dll"; pcre:"/\/(?:IUpdate|fbclient|IETask|Mixeds|Ubuntu10)\.dll$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,260a7aab3d29ed4bce9ac35002361a87; classtype:trojan-activity; sid:2023082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=video-lead-form"; nocase; fast_pattern; content:"errMsg="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016076; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 2"; flow:established,to_server; http.uri; content:".html?a="; fast_pattern; content:"&b="; distance:0; content:"&nocache="; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023132; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plist.php?albumid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016077; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 5"; flow:established,to_server; http.uri; content:"Tring to download bundle(try|3a|"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023136; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/force-download.php?file="; nocase; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016078; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 1"; flow:established,to_server; http.uri; content:".html&nocache="; content:!"&"; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023131; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"action=admin"; nocase; content:"include="; nocase; reference:url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016079; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DMA Locker CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action="; fast_pattern; content:!".aspx"; pcre:"/\?action=\d(&botId=[A-F0-9]{32})?$/i"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,050f04ed78e96418179228272998d87d; classtype:command-and-control; sid:2022873; rev:4; metadata:created_at 2016_06_07, former_category MALWARE, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016080; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot?bid="; depth:9; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023155; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/zp-core/zp-extensions/zenpage/admin-news-articles.php?"; nocase; content:"date="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 4"; flow:established,to_server; http.uri; content:".html?s="; fast_pattern; content:"&d="; distance:0; pcre:"/^[^&]+?\.html\?s=[^&]+?&d=$/"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023134; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=tokenmanageredit"; nocase; fast_pattern; content:"tid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016082; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat Request (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.OSX.Mokes; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/v1"; http.header; content:"Safari/7046A194A|0d 0a|"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023182; rev:3; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=tokenmanagertypeedit"; nocase; fast_pattern; content:"tid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016083; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plasmabot CnC Host Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"crypt="; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/plasma-http-botnet-steals-stored-passwords-chrome-filezilla; reference:md5,ffbf380abaa7c56b45edd2784feecf36; classtype:command-and-control; sid:2018393; rev:5; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dbInfo"; nocase; content:"dbInfoRequest"; nocase; content:"searchStr"; nocase; pcre:"/(?:\x3c|\x253c)dbInfo(?:\x3e|\x253e)[\r\n\s]*?(?:\x3c|\x253c)dbInfoRequest(?:\x3e|\x253e).+?(?:\x3c|\x253c)searchStr(?:\x3e|\x253e)((?!(?:\x3c|\x253c)(?:\/|\x252f)searchStr(?:\x3e|\x253e)).)+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)).+?(?:\x3c|\x253c)(?:\/|\x252f)searchStr(?:\x3e|\x253e)/si"; reference:url,securelist.com/en/advisories/51615; reference:url,seclists.org/bugtraq/2012/Dec/110; classtype:web-application-attack; sid:2016086; rev:3; metadata:created_at 2012_12_21, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Quant Loader Download Response"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"dll=http"; depth:8; nocase; fast_pattern; content:"|3b|exe=http"; distance:0; nocase; content:"|3b|dll=http"; distance:0; nocase; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SmokeLoader - Init 0x"; flow:established,to_client; http.header; content:"Init|3a| 0x"; classtype:trojan-activity; sid:2016088; rev:3; metadata:created_at 2012_12_22, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"os_version="; depth:11; fast_pattern; content:"os_version_full="; distance:0; content:"processorId="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,190c607ef81fa0c27fb1313df5f05266; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:command-and-control; sid:2023292; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; http.uri; content:"KAhFXlx9"; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/"; classtype:exploit-kit; sid:2016091; rev:3; metadata:created_at 2012_12_28, former_category EXPLOIT_KIT, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Ostap CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?as="; content:"&kl="; distance:0; content:"&ed="; distance:0; content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:trojan-activity; sid:2030601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, signature_severity Major, updated_at 2020_07_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; http.uri; content:"/phone_getinfokou_android.php"; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_12_28, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS/Ostap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=pro100zver.mskhost.pro"; nocase; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:domain-c2; sid:2030602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dexter Infostealer CnC POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"page="; depth:5; content:"&spec="; distance:0; content:"&opt="; distance:0; content:"var="; distance:0; content:"val="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:command-and-control; sid:2016095; rev:3; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-07-29)"; flow:established,to_client; tls.cert_subject; content:"CN=robotica.cl"; nocase; endswith; reference:md5,f68456251ffe11d49ccdd845bcc55365; classtype:domain-c2; sid:2030607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory"; flow:established,to_server; http.uri; content:"/wp-content/w3tc/dbcache"; nocase; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:trojan-activity; sid:2016100; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Anuna PHP Backdoor Sucessful Exploit"; flow:established,from_server; flowbits:isset,ET.Anuna.Backdoor; http.stat_code; content:"200"; file.data; content:"cookie=4"; within:8; classtype:trojan-activity; sid:2023306; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown - Loader - Check .exe Updated"; flow:established,to_server; urilen:<10; http.uri; content:".exe"; fast_pattern; http.header; content:"If-Modified-Since|3a| "; content:"If-None-Match|3a| "; classtype:trojan-activity; sid:2016097; rev:5; metadata:created_at 2012_12_28, updated_at 2020_04_22;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-07-30)"; flow:established,to_client; tls.cert_subject; content:"CN=ne-ba.org"; nocase; endswith; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/wp-property/third-party/uploadify/uploadify.php"; nocase; http.request_body; content:"Filedata"; nocase; reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; classtype:web-application-attack; sid:2016109; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus APT MalDoc DL Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ne-ba.org"; bsize:9; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2020_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/?cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016114; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OILRIG CnC POST"; flow:established,to_server; content:"|3a 20|chrome|0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; content:"/?v="; startswith; http.header_names; content:"From|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.user_agent; content:"chrome"; bsize:6; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; reference:md5,acaff6cb817399848887caef0104bd03; classtype:command-and-control; sid:2030634; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Child_Page?"; nocase; content:"cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016115; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"|0d 0a|User-Agent|3a 20|app|0d 0a|"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|browser["; content:"]|22 3b 0d 0a|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot.png|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Admin_Theme_Content?"; nocase; content:"cmd=edittext"; nocase; fast_pattern; content:"key="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016116; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=bobpaceideas.xyz"; nocase; endswith; classtype:domain-c2; sid:2030627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/pages/links.php?"; nocase; content:"configpath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016120; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/HadesLocker Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hwid="; depth:5; fast_pattern; content:"&tracking_id="; distance:0; content:"&usercomputername="; distance:0; content:"&ip="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,6970847bedab9ab83e69630d065ba67b; classtype:command-and-control; sid:2023481; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; fast_pattern; content:"ru_folder="; nocase; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016121; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Infostealer.Snifula File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cgi"; http.header; content:"User-Agent|3a 20|IE|0d 0a|Host"; http.request_body; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be16b8d1b85843c89301f189b35c4963; classtype:trojan-activity; sid:2023337; rev:3; metadata:created_at 2016_10_14, updated_at 2020_07_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/asktheoracle.php?"; nocase; fast_pattern; content:"type="; nocase; content:"oracle_query="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016122; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/victim.php?info="; fast_pattern; content:"&ip="; distance:0; pcre:"/\/victim\.php\?info=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&ip=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:command-and-control; sid:2023345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; fast_pattern; content:"path="; nocase; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016123; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware Encrypting File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/savekey.php?file="; fast_pattern; content:"&id="; distance:0; pcre:"/\/savekey\.php\?file=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryPy, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; http.uri; content:"/status.php?cliver="; content:"&uniqid="; content:"&langid="; classtype:command-and-control; sid:2016125; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|3d 30 78 30 36 2c 30 78 30 32 2c 30 78 30 30 2c 30 78 30 30|"; fast_pattern; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2022683; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2"; flow:to_server,established; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/brightmail/admin/restore/download.do?"; content:"&localBackupFileSelection="; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00; classtype:attempted-user; sid:2016119; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Jackpot Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?HWInfo="; nocase; content:"}&Time="; nocase; distance:0; http.user_agent; content:"My Session"; fast_pattern; startswith; http.request_body; content:"|2e 00 70 00 68 00 70 00 3f 00 48 00 57 00 49 00 6e 00 66 00 6f 00 3d|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5624c920b1fd3da3a451d564bb7488d3; classtype:command-and-control; sid:2023465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Jackpot, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?php=receipt"; endswith; pcre:"/^\/[A-Z]+\.php\?php=receipt$/"; classtype:trojan-activity; sid:2016147; rev:3; metadata:created_at 2013_01_03, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/index.shtml"; http.host; content:"b4secure.com"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:external-ip-check; sid:2023470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, former_category MALWARE, malware_family Emissary, malware_family Lotus_Blossom, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Advanced Custom Fields Remote File Inclusion"; flow:established,to_server; http.uri; content:"/wp-content/plugins/advanced-custom-fields/core/actions/export.php"; nocase; fast_pattern; http.request_body; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; classtype:attempted-user; sid:2016148; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Razy Variant Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?m="; content:"&a="; content:"&os="; content:"&ComPut="; fast_pattern; http.header; content:!"360safe.com"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008433; classtype:command-and-control; sid:2008433; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mail/filters/editfilter.html?"; nocase; content:"account="; nocase; content:"filtername="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57061; classtype:web-application-attack; sid:2016157; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Dreambot File Upload (No Data Sent)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/images/"; content:"_2"; pcre:"/\/images\/.*_2[FB].*\.(?:avi|gif|bmp|jpeg|png)$/i"; http.header; content:"User-Agent|3a 20|"; depth:12; content:"Content-Length|3a 20|2|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022970; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, malware_family ursnif, malware_family Dreambot, malware_family ISFB, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/google-document-embedder/libs/pdf.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CerberTear Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/^[A-F0-9]{8}$/Ri"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.connection; content:"Keep-Alive"; nocase; bsize:10; reference:md5,7d181574893ec9cb2795166623f8e531; classtype:command-and-control; sid:2023505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CerberTear, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability"; flow:established,to_server; http.uri; content:"/SSI.php?ssi_function="; nocase; reference:url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html; classtype:web-application-attack; sid:2016159; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Alcatrez Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?user="; fast_pattern; content:"&try="; distance:0; content:"&status="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; nocase; reference:md5,1cb51c130e6f75f11c095b122e008bbc; classtype:command-and-control; sid:2023506; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alcatrez_Locker, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/green/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016163; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLuck / YafunnLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&hi"; distance:0; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)"; fast_pattern; bsize:28; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,59109839de42d2acb44fbd7ff151fe0c; classtype:command-and-control; sid:2023533; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family YafunnLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/blue/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016164; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CHIP Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a)?/"; http.request_body; content:"-----BEGIN CERTIFICATE-----"; depth:27; fast_pattern; content:"-----END CERTIFICATE-----"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,18189daa96e711777158d7cb599c13b1; reference:url,malware-traffic-analysis.net/2016/11/17/index.html; classtype:command-and-control; sid:2023534; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/x3/files/dir.html?"; nocase; fast_pattern; content:"showhidden="; nocase; content:"dir="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57064; classtype:web-application-attack; sid:2016165; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS CnC Beacon"; flow:established,to_server; http.uri; content:".php"; endswith; http.header; content:"Windows NT"; http.accept; content:"application/x-www-form-urlencoded"; fast_pattern; bsize:33; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,570ea00465a45bf7b4e7e0b7007b87a1; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030357; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; nocase; http.uri; content:"/CFIDE/wizards/common/_logintowizard.cfm"; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:5; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; pcre:"/\.cgi$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023552; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/archives/index.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011359; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BXC CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cg="; fast_pattern; content:"&b="; distance:0; content:"&gt="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d199b13d4676080073eaeb4e0ff39a75; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/enter.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Loader Receiving Payload"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00|"; distance:1; within:1; content:"|00|MZ"; distance:1; within:3; content:"This program must be run under Win32"; distance:0; fast_pattern; reference:md5,65c7426b056482fcda962a7a14e86601; classtype:trojan-activity; sid:2023567; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, malware_family Sharik, malware_family Smoke_Loader, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; http.uri; content:"/proxy_info.php"; classtype:command-and-control; sid:2016171; rev:3; metadata:created_at 2013_01_08, former_category MALWARE, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/kb/"; depth:4; fast_pattern; pcre:"/^\/kb\/\d{4,8}$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,193494912a6f549c0da40bf22c3384ee; classtype:trojan-activity; sid:2018677; rev:4; metadata:created_at 2014_07_15, updated_at 2020_08_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY trymedia.com User-Agent (Macrovision_DM)"; flow:established,to_server; http.host; content:"trymedia.com"; endswith; http.user_agent; content:"Macrovision_DM"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity Check 2"; flow:established,to_server; urilen:24; http.method; content:"POST"; http.uri; content:"/go/flashplayer_support/"; fast_pattern; http.host; content:"www.adobe.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022025; rev:4; metadata:created_at 2015_11_03, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dir="; content:"&sort="; content:"&command="; content:"&Submit="; classtype:attempted-user; sid:2016153; rev:4; metadata:created_at 2013_01_04, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Java Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.host; content:"java.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022026; rev:4; metadata:created_at 2015_11_03, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FakeAV security_scanner.exe"; flow:established,to_client; http.header; content:"Content-Disposition|3a| "; content:"filename=|22|security_scanner.exe|22|"; fast_pattern; classtype:trojan-activity; sid:2016177; rev:3; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity Check 3"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.host; content:"www.adobe.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022027; rev:4; metadata:created_at 2015_11_03, updated_at 2020_08_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion adminapi access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/adminapi"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016183; rev:5; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:1; pcre:"/\.[a-z]{3}\?[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.user_agent; content:"Mozilla/5.0 (MSIE 7.1|3b 20|Windows NT 6.0)"; fast_pattern; bsize:38; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion componentutils access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/componentutils"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016182; rev:7; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Qadars Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"AAAA"; offset:10; depth:4; fast_pattern; content:"="; offset:7; depth:1; pcre:"/^[a-zA-Z]{7}=(?:[A-Za-z0-9+/]|%2[FB]){2}AAAA[a-z]A[^\s=]+=?=?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Accept"; reference:md5,d611a633e8ceabdc9c2f5b0b9dd4f19e; reference:md5,a55b312d4e2006b5698e8f5ae8e5d735; reference:md5,3b4c2d3447bc49f057d76a92e7cae96b; reference:md5,08833cd7564f29f7f499a65a7be82d02; reference:url,www.lexsi-leblog.com/cert-en/qadars-new-banking-malware-with-fraudulent-mobile-application-component.html; classtype:command-and-control; sid:2023588; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_10, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/administrator"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:6; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"value="; depth:6; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Midhos/Medfos downloader"; flow:established,to_server; http.uri; content:"/upload/fid="; content:"AAAAAAAAAAA"; http.header; content:"Host|3a 20|megaupload.com|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0"; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; classtype:trojan-activity; sid:2016189; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?-----BEGIN|20|CERTIFICATE-----"; fast_pattern; content:"-----END|20|CERTIFICATE-----"; distance:0; pcre:"/END\x20CERTIFICATE-----$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/nextgen-gallery/nggallery.php?"; nocase; fast_pattern; content:"test-head="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016194; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla PWS HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"type="; depth:5; content:"&hwid="; content:"&time="; content:"&pcname="; content:"&logdata="; fast_pattern; content:"&screen="; content:"&ipadd="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,21d3c7d099aceff2a1f16d8ae0f38731; classtype:command-and-control; sid:2023144; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/browser-rejector/rejectr.js.php?"; nocase; fast_pattern; content:"wppath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51739/; classtype:web-application-attack; sid:2016195; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=supercombinating.com"; nocase; endswith; classtype:domain-c2; sid:2030635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; content:"topic="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Towerweb Ransomware Landing Page"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"T8hlGOo9"; fast_pattern; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:"AAAAAAAA"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030007; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|uid|22|"; content:"form-data|3b 20|name=|22|uname|22|"; content:"form-data|3b 20|name=|22|cname|22|"; content:"form-data|3b 20|name=|22|ltime|22|"; content:"form-data|3b 20|name=|22|uright|22|"; content:"form-data|3b 20|name=|22|sysinfo|22|"; fast_pattern; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; pcre:"/(?:\x0a|\\n)\/s1Caa6/"; content:"J1Ls9RWH"; fast_pattern; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030009; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; content:"|47 65 74 52 41 4d 3a|"; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://44449"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030010; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackmoon/Banbra Configuration Request M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; fast_pattern; http.header; content:"keep-alive|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,56b8f9428b2171f45dc447fb9fa1b03f; classtype:trojan-activity; sid:2023694; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_04, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://84371"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030011; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop Dropper Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nconfirm.php?"; fast_pattern; content:"rev="; distance:0; content:"code="; content:"param="; content:"num="; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2013808; rev:5; metadata:created_at 2011_04_07, former_category MALWARE, updated_at 2020_08_03;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://87756"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030012; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; http.header; content:"Content-Type|3a 20|text/plain|3b|charset=UTF-8|0d 0a|Host|3a 20|"; depth:46; fast_pattern; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,31cf042e91de7492c86e1ad02dc9eaec; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023811; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://94654"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030013; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shafttt MySQL Bruteforce Bot CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"get="; fast_pattern; depth:4; pcre:"/^get=\d+(?:$|&)/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:52; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb4ab17468984f1b292adac9f745cb2b; classtype:command-and-control; sid:2023815; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Shafttt, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE METALJACK APT32 CnC Host Checkin"; flow:established,to_server; http.uri; content:".png?CN="; fast_pattern; content:"&UN="; distance:0; content:"&C="; distance:0; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; reference:md5,d739f10933c11bd6bd9677f91893986c; classtype:targeted-activity; sid:2029997; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Turla Kopiluwak User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64)|3b 20|"; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:targeted-activity; sid:2023868; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, malware_family Turla_Kopiluwak, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (m.topiccore.com)"; dns.query; content:"m.topiccore.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2029998; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/assets/"; fast_pattern; content:"."; distance:100; pcre:"/\/assets(?:\/[a-zA-Z0-9_]+)+\.(?:jpeg|gif)$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.user_agent; pcre:"/^(?:Mozilla\/|Shockwave)/i"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:command-and-control; sid:2023870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (jcdn.jsoid.com)"; dns.query; content:"jcdn.jsoid.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2029999; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible iKittens OSX MacDownloader CNC Beacon"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/Servermac.php"; depth:14; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:command-and-control; sid:2023876; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category MALWARE, malware_family MacDownloader, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (libjs.inquirerjs.com)"; dns.query; content:"libjs.inquirerjs.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2030000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoShield Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id="; depth:3; content:"&numbers=-----"; content:"BEGIN|20|PRIVATE|20|KEY"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,ef815146b802cfd6a5fb67d1f9267745; classtype:command-and-control; sid:2023814; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE METALJACK APT32 DNS Lookup (vitlescaux.com)"; dns.query; content:"vitlescaux.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:trojan-activity; sid:2030001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.RETRIEVER CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asmx"; http.request_body; content:"<ip>"; content:"</ip><mac>"; distance:0; content:"</mac><host>"; distance:0; fast_pattern; content:"</host>"; distance:0; reference:md5,012f79570f720b997b9ef4ef327dd2da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023950; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=m.topiccore.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030002; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar CnC Beacon"; flow:established,to_server; http.uri; content:"=11&"; content:"=2"; distance:1; within:8; content:"&"; distance:6; within:7; content:"=410&"; distance:1; within:11; content:"=650&"; distance:1; within:11; fast_pattern; content:"=51"; distance:1; within:9; pcre:"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51$/"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=jcdn.jsoid.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030003; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?apikey="; content:"&compuser="; distance:0; content:"&sid="; distance:0; content:"&phase="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ad8a7a383971ce0f5fc51e909e406996; classtype:command-and-control; sid:2024120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=libjs.inquirerjs.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?comp="; nocase; depth:16; fast_pattern; content:"&id="; nocase; distance:0; content:"_{"; distance:0; reference:md5,58aee970b06e67c9047836710f28e205; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024022; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (APT32 METALJACK)"; flow:established,to_client; tls.cert_subject; content:"CN=vitlescaux.com"; reference:url,www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html; classtype:targeted-activity; sid:2030005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Backdoor CnC POST"; flow:to_server,established; http.method; content:"POST"; http.header; content:"|42 30 75 4e 64 34 52 79 5f 24 0d 0a|"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|uuid|22|"; reference:md5,58aee970b06e67c9047836710f28e205; reference:md5,8d6d246c5c660691c59405ee2914a020; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024023; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/src/userchange.php?"; nocase; content:"op=changeview"; nocase; fast_pattern; content:"viewid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,secunia.com/advisories/51816/; classtype:web-application-attack; sid:2016199; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Variant 1 Backdoor Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.request_body; content:"comp="; nocase; depth:5; fast_pattern; content:"&id="; distance:0; nocase; content:"_{"; distance:0; nocase; content:"}_"; distance:0; nocase; content:"&sysinfo="; distance:0; nocase; reference:md5,c56c677b52e795710e77aa2d4f12b70a; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024024; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016200; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Variant 2 Backdoor Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.request_body; content:"fid="; depth:4; nocase; content:"&versiya="; nocase; distance:0; fast_pattern; content:"&comp="; nocase; distance:0; content:"&id="; nocase; distance:0; content:"&sysinfo="; nocase; distance:0; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024025; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/edit.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016201; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Variant 3 Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?fid="; depth:15; content:"&versiya="; nocase; distance:0; fast_pattern; content:"&comp="; nocase; distance:0; content:"&id="; nocase; distance:0; content:"&sysinfo="; nocase; distance:0; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024026; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/upload.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016202; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon File Stealer POST"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|filename|22|"; nocase; content:"form-data|3b 20|name=|22|compname|22|"; distance:0; nocase; content:"form-data|3b 20|name=|22|serial|22|"; distance:0; nocase; fast_pattern; content:"form-data|3b 20|name=|22|w|22|"; distance:0; nocase; content:"form-data|3b 20|name=|22|filesize|22|"; distance:0; nocase; content:"form-data|3b 20|name=|22|file|22|"; distance:0; nocase; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,1a81516780c2c5a966261cc47478133c; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024027; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category TROJAN, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/gallery-plugin/gallery-plugin.php?"; nocase; fast_pattern; content:"filename_1="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57256/; classtype:web-application-attack; sid:2016203; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 1"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/Hello"; http.request_body; content:"varname="; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023654; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/telnet_cmd.php"; fast_pattern; http.user_agent; content:"Opera/9.61"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&c="; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:command-and-control; sid:2016205; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server User-Agent"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0|3b|"; fast_pattern; bsize:12; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category TROJAN, malware_family TeleBots_payload, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geturl.aspx?email="; content:"&lat="; content:"&lon="; content:"&mobile="; content:"&group="; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:command-and-control; sid:2016209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; fast_pattern; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/i"; classtype:trojan-activity; sid:2022519; rev:5; metadata:created_at 2016_02_13, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; http.uri; pcre:"/\x2F[0-9]{3}\.pdf$/"; http.request_line; content:".pdf HTTP/1."; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:exploit-kit; sid:2016210; rev:3; metadata:created_at 2013_01_15, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor User-Agent (.net backdoor)"; flow:to_server,established; http.user_agent; content:"|2e|net backdor"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022245; rev:3; metadata:created_at 2015_12_12, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning"; flow:established,to_server; http.request_line; content:"GET <title>"; startswith; classtype:web-application-attack; sid:2016222; rev:3; metadata:created_at 2013_01_16, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; distance:0; content:"&builddate="; distance:0; content:"&q="; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021226; rev:3; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Red October proxy CnC 1"; flow:to_client,established; http.header; content:"ETag|3a 20 22|8c0bf6-ba-4b975a53906e4|22|"; classtype:command-and-control; sid:2016224; rev:4; metadata:created_at 2013_01_17, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Post to C&C footer.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/footer.php"; http.header_names; content:!"Accept-"; classtype:command-and-control; sid:2016328; rev:3; metadata:created_at 2013_02_01, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Red October proxy CnC 2"; flow:to_client,established; http.header; content:"ETag|3a 20 22|1c824e-ba-4bcd8c8b36340|22|"; classtype:command-and-control; sid:2016225; rev:3; metadata:created_at 2013_01_17, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/UltimateDefender.FakeAV Checkin"; flow:established,to_server; http.uri; content:"/show_module.php?IsAutoGeneratedPage="; content:"&asked_billing_id="; content:"&original_asked_billing_id="; content:"&brokerid="; content:"&country="; content:"&customid="; content:"&product="; content:"&custom_param="; content:"&extparam="; content:"&nums="; reference:md5,cec40236236466a1acb33aca3220eebe; classtype:command-and-control; sid:2014566; rev:4; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Red October proxy CnC 3"; flow:to_client,established; http.header; content:"ETag|3a 20|W/|22|186-1333538825000|22|"; classtype:command-and-control; sid:2016226; rev:3; metadata:created_at 2013_01_17, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"data=domain%253a"; depth:16; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Age Verification plugin redirect_to Parameter URI Redirection"; flow:established,to_server; http.uri; content:"/wp-content/plugins/age-verification/age-verification.php?"; nocase; fast_pattern; content:"redirect_to="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/51357/; classtype:web-application-attack; sid:2016230; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&count="; distance:0; fast_pattern; pcre:"/^id=[0-9A-Z]+&count=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,116fbce554b25829b17b6e47990821b4; classtype:command-and-control; sid:2024056; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cartweaver 3 Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/helpfiles/AdminHelp.php?"; nocase; content:"helpFileName="; nocase; reference:url,packetstormsecurity.com/files/117370/Cartweaver-3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016231; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ACUT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; bsize:38; http.request_body; content:"plugin="; depth:7; content:"&windows="; content:"&user="; content:"&av="; content:"&bs="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,219cf8b022d3933ba46f482478450f49; classtype:command-and-control; sid:2024099; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Banload, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mu Perspectives Cms id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/site_news.php?id="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/116148/Mu-Perspectives-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016234; rev:4; metadata:created_at 2013_01_18, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino ping"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_src; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|7|0d 0a|"; nocase; http.request_body; content:"ping=1|0a|"; depth:7; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2019211; rev:5; metadata:created_at 2014_09_22, former_category TROJAN, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Security.php XSS Attempt"; flow:established,to_server; http.uri; content:"/com_incapsula/assets/tips/en/Security.php?"; nocase; fast_pattern; content:"token="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016238; rev:3; metadata:created_at 2013_01_18, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Cookie"; flow:to_server,established; http.cookie; content:"=21232f297a57a5a743894a0e4a801fc3"; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020093; rev:5; metadata:created_at 2015_01_05, former_category TROJAN, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Performance.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/com_incapsula/assets/tips/en/Performance.php?"; nocase; fast_pattern; content:"token="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016239; rev:3; metadata:created_at 2013_01_18, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Neutrino Bot Fake 404 Checkin Response"; flow:to_client,established; http.stat_code; content:"404"; file.data; content:"<!--"; distance:0; content:"NCMD|3a|"; within:6; reference:url,blog.fortinet.com/post/hiding-malicious-traffic-under-the-http-404-error; classtype:command-and-control; sid:2020949; rev:4; metadata:created_at 2015_04_20, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bit controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bit"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.com/files/118943/Joomla-Bit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016232; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"auth=1"; bsize:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2022462; rev:4; metadata:created_at 2016_01_27, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_ztautolink controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_ztautolink"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.com/files/118944/Joomla-ZtAutoLink-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016233; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin 3"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"exec=1&task_id="; depth:15; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2022463; rev:4; metadata:created_at 2016_01_27, former_category MALWARE, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT StyX Landing Page"; flow:established,to_server; urilen:>100; flowbits:set,et.exploitkitlanding; http.uri; content:"/i.html?0x"; startswith; pcre:"/^\d{1,2}=[a-zA-Z0-9+=]{100}/R"; classtype:exploit-kit; sid:2016248; rev:7; metadata:created_at 2013_01_22, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin 6"; flow:to_server,established; http.method; content:"POST"; http.cookie; content:"authkeys="; http.request_body; content:"auth=1"; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,656766ad934aa482cbe78f1bca6dadc2; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2024179; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Neutrino, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"PSTORE|3a|"; classtype:trojan-activity; sid:2016252; rev:4; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mole Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"guid="; depth:5; fast_pattern; content:"&ver="; distance:0; pcre:"/^guid=[^&]+?&ver=[^&]+?(?:&fc=[^\r\n]+)?$/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/; reference:md5,31c2e85ef5e4c0009e1f18794527b4ca; classtype:command-and-control; sid:2024203; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Mole, signature_severity Major, tag c2, updated_at 2020_08_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; http.uri; content:"/"; depth:1; content:".jar"; distance:1; within:4; endswith; pcre:"/^\/[a-z]\.jar$/"; reference:url,malware.dontneedcoffee.com/; classtype:exploit-kit; sid:2016254; rev:3; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Hidden-Tear Variant Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?rid=ClsgIFVzZXItSUQgIF0gID"; fast_pattern; pcre:"/\.php\?rid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.header; content:"Ransom|3a 20|Client|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b991a99335b01bed8da4401fee1f2d45; classtype:command-and-control; sid:2024204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, signature_severity Major, tag Ransomware, updated_at 2020_08_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; http.uri; content:"/cve2012xxxx/Gondvv.class"; classtype:exploit-kit; sid:2016256; rev:3; metadata:created_at 2013_01_24, former_category EXPLOIT_KIT, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nuke Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Expect|3a 20|100-continue"; http.request_body; content:"machine="; depth:8; fast_pattern; pcre:"/^machine=[^&]+$/Pi"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.spyware-techie.com/nuke-ransomware-removal-guide; reference:md5,ff0e42146794f0d080df0467337b2d01; classtype:command-and-control; sid:2023335; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Nuke, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown POST of System Info"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a|"; http.request_body; content:"User is SYSTEM|3a|"; classtype:trojan-activity; sid:2016253; rev:4; metadata:created_at 2013_01_24, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE YAHOOYLO Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"|50 4b 03 04|"; startswith; content:"Information.txt"; distance:0; content:"=Hardware Info==========================|0d 0a|Username|3a 20|"; distance:0; fast_pattern; reference:md5,437e3fb3c14f32644df9c6168ca4fa2c; classtype:command-and-control; sid:2030648; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family YAHOOYLO, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_05;)
 
-alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Win32"; nocase; classtype:trojan-activity; sid:2012249; rev:5; metadata:created_at 2011_02_02, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID Observed Domain (loadfreeman .casa in TLS SNI)"; flow:established,to_server; tls.sni; content:"loadfreeman.casa"; bsize:16; reference:url,twitter.com/James_inthe_box/status/1290773214520434690; reference:md5,fd9a5b9781fc31c32ce8cf2ce54633ff; classtype:trojan-activity; sid:2030653; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS - in.php"; flow:established,to_server; http.uri; content:"/in.php?s="; classtype:exploit-kit; sid:2016272; rev:3; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (deactivate .best in TLS SNI)"; flow:established,to_server; tls.sni; content:"deactivate.best"; bsize:15; reference:md5,67b0f8b2b72d43842dabb735c0e400d3; classtype:trojan-activity; sid:2030654; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader API Ping CnC Beacon"; flow:established,to_server; http.uri; content:"/api/ping?stage="; content:"&uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:command-and-control; sid:2016273; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (deactivate .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"deactivate.pw"; bsize:13; reference:md5,67b0f8b2b72d43842dabb735c0e400d3; classtype:trojan-activity; sid:2030655; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV"; flow:established,to_server; http.uri; content:"/viruslist/?uid="; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016274; rev:3; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (80frontluzkher .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"80frontluzkher.xyz"; bsize:18; reference:md5,6ee6c4ec4ad96b7ca27ae2bde4d6cd3b; classtype:trojan-activity; sid:2030656; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin.php?_g=filemanager/language"; nocase; fast_pattern; content:"loc="; nocase; reference:url,packetstormsecurity.com/files/119082/CubeCart-4.4.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016284; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (bruzilovv .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"bruzilovv.top"; bsize:13; reference:md5,6ee6c4ec4ad96b7ca27ae2bde4d6cd3b; classtype:trojan-activity; sid:2030657; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GetSimple CMS path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/filebrowser.php?"; nocase; fast_pattern; content:"path="; nocase; reference:url,packetstormsecurity.com/files/115302/GetSimple-CMS-3.1.2-Local-File-Inclusion-Path-Disclosure.html; classtype:web-application-attack; sid:2016285; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown AutoIt Bot - Initial Server Response"; flow:established,to_server; dsize:14; content:"Hi we see you!"; reference:md5,79c018b6e7fccef4d014721b5fd99088; classtype:command-and-control; sid:2030649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, malware_family Autoit, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Banana Dance name Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/functions/ajax.php?"; nocase; content:"action="; nocase; content:"name="; nocase; reference:url,packetstormsecurity.com/files/118964/Banana-Dance-B.2.6-Inclusion-Access-Control-SQL-Injection.html; classtype:web-application-attack; sid:2016287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (ldrtoyota .casa in TLS SNI)"; flow:established,to_server; tls.sni; content:"ldrtoyota.casa"; bsize:14; reference:md5,b5e40801df5010e6c18e0ad81806adf7; classtype:trojan-activity; sid:2030658; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/data/file/edit.php?"; nocase; content:"hybridid="; nocase; content:"result="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016282; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=nellscorp.com"; nocase; endswith; classtype:domain-c2; sid:2030647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/users/users.php?"; nocase; content:"type="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016283; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; http.header; content:"Expires|3A 20|Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; fast_pattern; classtype:trojan-activity; sid:2024229; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/post_message_form.asp?"; nocase; content:"ForumID="; nocase; content:"ThreadPage="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016290; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ARM Binary Requested via WGET to Known IoT Malware Domain"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/"; http.user_agent; content:"Wget/"; depth:5; http.host; content:"ntp.gtpnet.ir"; startswith; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024243; rev:3; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/phpminiadmin.php?"; nocase; fast_pattern; content:"XSS="; nocase; content:"db="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,cxsecurity.com/issue/WLB-2013010179; classtype:web-application-attack; sid:2016291; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ Default HTTP Headers"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Referrer|3a 20|"; content:"|0d 0a|TlEo|3a 20|"; fast_pattern; classtype:trojan-activity; sid:2024247; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"script"; nocase; content:"Submit"; nocase; content:"Runtime"; nocase; content:"getRuntime"; nocase; distance:0; content:".exec"; nocase; classtype:attempted-user; sid:2016294; rev:11; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a|0000"; http.request_body; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; fast_pattern; offset:0; classtype:trojan-activity; sid:2024248; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"cmd.exe"; fast_pattern; classtype:attempted-user; sid:2016295; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saker UA"; flow:established,to_server; http.user_agent; content:"Mozilla/"; depth:8; content:"|20|MSIE|20|"; distance:0; content:"|3b 20|Wis NT|20|"; distance:0; fast_pattern; content:"|3b 20|.NET CLR|20|"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:7; metadata:created_at 2014_03_26, former_category TROJAN, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"/bin/sh"; fast_pattern; classtype:attempted-user; sid:2016296; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NewHT Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?computerName="; fast_pattern; content:"&userName="; distance:0; content:"&key="; distance:0; content:"&id="; distance:0; content:"&time="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2e0ebb7a21d16ab6fa908f74bee260d6; classtype:command-and-control; sid:2024280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family NewHT, signature_severity Major, tag Ransomware, updated_at 2020_08_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/forum_members.asp?"; nocase; content:"find="; nocase; content:"ForumID="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016289; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Accept-Language HTTP Header zh-cn likely Kernelbot/Conficker Trojan Related"; flow:established,to_server; flowbits:set,ET.ms08067_header; flowbits:noalert; http.header; content:"Accept-Language|3A 20|zh|2D|cn"; reference:url,doc.emergingthreats.net/bin/view/Main/2008738; classtype:not-suspicious; sid:2008738; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Non-Standard HTML page in Joomla /com_content/ dir"; flow:established,to_server; http.uri; content:"/components/com_content/"; content:!"index.html"; nocase; within:10; content:".html"; nocase; distance:0; classtype:bad-unknown; sid:2016311; rev:7; metadata:created_at 2013_01_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Landing Page (aid sid)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?aid="; nocase; fast_pattern; content:"&sid="; nocase; pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/i"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html; reference:url,doc.emergingthreats.net/2010625; classtype:trojan-activity; sid:2010625; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Successful Infection CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/count.php?isOnline=1"; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:command-and-control; sid:2016312; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snake rootkit usermode-centric encrypted command from server"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"|01 00 00 00 00 00 00 00|1dM3uu4j7Fw4sjnb"; fast_pattern; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018248; rev:4; metadata:created_at 2014_03_11, former_category TROJAN, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloaderAgent.fajk Second Stage Download List Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Down/list.txt"; depth:14; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016313; rev:4; metadata:created_at 2013_01_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 OCSP Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/oscp/"; fast_pattern; depth:6; pcre:"/^\/oscp\/[a-z]+$/"; http.header; content:"Host|3a 20|ocsp.verisign.com|0d 0a|Accept"; depth:31; content:"Microsoft-CryptoAPI/6.1"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2ba2e7af1246da08e4fd7345c7207b59; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/oscp.profile; classtype:command-and-control; sid:2032750; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_08_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/SSHDoor.A Reporting Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"port="; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5}/R"; content:"|3A|"; content:"&uname="; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:command-and-control; sid:2016314; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/EasyLocker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/(?:countdown|check)\/[a-f0-9]{30,45}\/(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?$/i"; http.host; content:"noobcrypt"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,980342a5a783d7f6ce188c575d9ca97a; classtype:command-and-control; sid:2024320; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family EasyLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious user-agent (f**king)"; flow:established,to_server; http.header; content:"fucking|0d 0a|"; fast_pattern; http.user_agent; content:"fucking"; endswith; classtype:trojan-activity; sid:2016317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_01_30, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?key="; fast_pattern; content:"&string="; distance:0; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:\x3a\x3a[^\x3a]+?){5,}$/i"; http.user_agent; content:"Mozilla/"; startswith; http.request_body; content:"key="; depth:4; content:"&string="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:command-and-control; sid:2024321; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family ASPC_Bot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Second Stage Download Request"; flow:established,to_server; http.uri; content:"/ssl/cert.dll"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016330; rev:4; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload May 23 2017 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"|2e|"; http.user_agent; content:"Mozilla/5.2 (Windows NT 6.2|3b 20|rv|3a|50.2) Gecko/20200103 Firefox/50.2"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,502cb33a03c29a96a4c32ec26dce5395; classtype:trojan-activity; sid:2024325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_23, deployment Perimeter, former_category TROJAN, malware_family Dridex, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass file Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=upgrade"; nocase; content:"file="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016334; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fireball Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?clients="; content:"&reqs=visit."; distance:0; http.user_agent; content:"RookIE/"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection; reference:md5,69ffdf99149d19be7dc1c52f33aaa651; classtype:trojan-activity; sid:2024348; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_03, deployment Perimeter, former_category TROJAN, malware_family Fireball, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 1"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=enable_category"; nocase; fast_pattern; content:"id="; nocase; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016335; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Unk.HT-Based Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hostname=csharp-"; depth:16; fast_pattern; content:"&enckey="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2aa11c090fd0737e52cd532418c1211e; classtype:command-and-control; sid:2024352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 2"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=edit_category_post"; nocase; fast_pattern; content:"id="; nocase; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016336; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?key="; content:"&string="; distance:0; fast_pattern; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:(?:\x3a\x3a|3A3A)[^\x3a]+?){5,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:command-and-control; sid:2024322; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family ASPC_Bot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern; nocase; content:"h="; nocase; content:"src="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spectre Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?mode="; content:"&crypted="; distance:0; content:"&id="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8af7ef13b6ced37d08dce0f747d7d8b; classtype:command-and-control; sid:2024373; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Spectre, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMSQLITE id parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/mediaAdmin.php?"; nocase; content:"id="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016339; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE X-Malware-Sinkhole Header in HTTP Response"; flow:from_server,established; http.header; content:"X-Malware-Sinkhole|3a 20|"; classtype:trojan-activity; sid:2024378; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMSQLITE mediaAdmin.php file Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/mediaAdmin.php?"; nocase; content:"d="; nocase; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016340; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; content:"passwords.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2035015; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_06, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/sk"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/sk"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016215; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Windows Scam ScreenLocker"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lock.php"; endswith; http.user_agent; content:"MyAgent"; fast_pattern; bsize:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,6443d8351f5ed62836003f103d8de20e; classtype:social-engineering; sid:2024417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category MALWARE, malware_family Screenlocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/dllhost/ac"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016216; rev:7; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Naoinstalad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?MD="; fast_pattern; content:"Naoinstalado"; nocase; http.user_agent; content:!"Mozilla"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,f136f9ec7f7f8cb1a12a9b835183be59; reference:url,www.malware-traffic-analysis.net/2017/06/08/index.html; classtype:command-and-control; sid:2024427; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WSO WebShell Activity POST structure 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:" name=|22|c|22|"; content:"name=|22|p1|22|"; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/i"; classtype:attempted-user; sid:2016354; rev:4; metadata:created_at 2013_02_05, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lockscreen Ransomware Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:"/?page_id=93"; endswith; fast_pattern; http.request_body; content:"&page_title=Windows Security Warning&"; within:100; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/; classtype:trojan-activity; sid:2030665; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ServStart.Variant CnC Beacon"; flow:established,to_server; http.uri; content:"&mac="; nocase; content:"type="; nocase; content:"id="; nocase; http.header; content:"User-Agent|3a 20|Google ++|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2016355; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda CnC Activity"; flow:established,to_server; content:".dat HTTP/1.1|0d 0a|User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|"; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf; reference:md5,2ec79d0605a4756f4732aba16ef41b22; classtype:command-and-control; sid:2030671; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; http.uri; content:"/controls.php"; http.user_agent; content:"Dalvik/"; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flexym.myarena.site"; bsize:19; reference:md5,2e2a6ca2a4058c8a141ff23c3433bcc6; classtype:domain-c2; sid:2030669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StartPage.eba Dropper Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?mac="; content:"&ver="; content:"&t="; http.user_agent; content:"Forthgoer"; reference:url,www.securelist.com/en/descriptions/24621847/Trojan-Dropper.Win32.StartPage.eba; classtype:command-and-control; sid:2016316; rev:4; metadata:created_at 2013_01_30, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Petya Conn Check"; flow:established,to_server; urilen:1; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"; fast_pattern; http.host; content:"myip.com.ua"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,twitter.com/V_Baczynski/status/881051849700364288; classtype:trojan-activity; sid:2024443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/nt/th"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/nt/th"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016214; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Agent.QJK Stealer Data Exfil Via HTTP"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; fast_pattern; pcre:"/^(?:(?:Passwords|PCinformation)\.txt|(?:Data|GrabbedTxtFiles)\.zip)\x22\r\n/Ri"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family Unknown, performance_impact Moderate, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/check"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/check"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016217; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"2.php?jpg="; fast_pattern; content:!"&"; distance:0; pcre:"/\/[a-z]+2\.php\?jpg=[^&]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024482; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, signature_severity Major, tag Targeted, tag APT, tag DarkHotel, tag c2, updated_at 2020_08_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/ms/flush"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/ms/flush"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016218; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|banner|22 0d 0a|"; fast_pattern; content:"name=|22|jpg|22 0d 0a|"; distance:0; content:"name=|22|userfile|22 3b 0d 0a|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, signature_severity Major, tag Targeted, tag APT, tag DarkHotel, tag c2, updated_at 2020_08_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/wcx"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/wcx"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016219; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain (nothingtodo .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"nothingtodo.co"; bsize:14; classtype:domain-c2; sid:2030670; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red October/Win32.Digitalia Checkin cgi-bin/win/cab"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi-bin/win/cab"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:command-and-control; sid:2016220; rev:4; metadata:created_at 2013_01_16, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDTESS Backdoor User-Agent"; flow:established,to_server; http.user_agent; content:"XXXXXXXXXXXXXXXXX/5.0 (Windows NT 6.1 WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv:11.0) like Gecko"; reference:md5,113ca319e85778b62145019359380a08; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024498; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SecVerif.Downloader Initial Checkin"; flow:established,to_server; http.uri; content:"/atp.txt"; fast_pattern; http.header; content:"Accept-Language|3A| de-at"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:command-and-control; sid:2016329; rev:5; metadata:created_at 2013_02_01, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revcode RAT CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"WinHttpRequest"; http.request_body; content:"keyauth="; fast_pattern; depth:8; content:"&key="; distance:0; content:"&uid="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:command-and-control; sid:2024500; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Umbra/Multibot Loader User-Agent (umbra)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|umbra|0d 0a|"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016366; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revcode RAT CnC 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"WinHttpRequest"; http.request_body; content:"mode="; fast_pattern; depth:5; content:"&data="; distance:0; content:"&key="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:command-and-control; sid:2024501; rev:3; metadata:created_at 2017_07_27, former_category MALWARE, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Umbra/MultiBot Plugin access"; flow:established,to_server; http.uri; content:"/admin/plugins/"; http.header; content:"User-Agent|3a 20|umbra|0d 0a|"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016367; rev:4; metadata:created_at 2013_02_08, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISMAgent CnC Checkin 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/action2/"; fast_pattern; http.user_agent; content:"Firefox"; bsize:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024502; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Request"; flow:established,to_server; http.uri; content:"/upload/img.jpg"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.user_agent; content:" MSIE 6.0|3b| "; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016369; rev:5; metadata:created_at 2013_02_08, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/201"; depth:4; content:"/?c="; distance:1; within:4; fast_pattern; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&f="; distance:0; content:"&mi="; distance:0; content:"&b="; distance:0; content:"&t="; distance:0; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/; classtype:command-and-control; sid:2031410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Image Request"; flow:established,to_server; http.uri; content:"/upload/mp3.mp3"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.user_agent; content:" MSIE 6.0|3b| "; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016370; rev:4; metadata:created_at 2013_02_08, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d=201"; depth:10; fast_pattern; content:"&t="; distance:0; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; classtype:command-and-control; sid:2031411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Audio Player Plugin playerID parameter XSS attempt in swf"; flow:established,to_server; http.uri; content:"/wp-content/plugins/audio-player/assets/player.swf?"; nocase; fast_pattern; content:"playerID="; nocase; pcre:"/^.+\)\)\}catch\(.+\)\{/Ri"; reference:url,packetstormsecurity.com/files/120129/WordPress-Audio-Player-SWF-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016383; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.ATS CnC Activity"; flow:established,to_server; http.uri; content:"php?Hwid=S-"; fast_pattern; content:"-"; distance:0; content:"-"; distance:0; content:"-"; distance:0; pcre:"/\.php\?Hwid=[^&]+[0-9](?:&(?:Pc|Etat)=[^&]+)?(?:&user=[^&]+&Ip=[^&]+&Ping=[^&]+&v=[^&]+&Ville=[^&]+&Pays=[^&]+&Region=[^&]+)?$/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,53d3ee595bc5df7e97403906f1415c21; classtype:command-and-control; sid:2024528; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/extra/contacts/DownloadMailAttach.php?"; nocase; content:"file="; nocase; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016388; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1|"; depth:48; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024533; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category TROJAN, malware_family ursnif, malware_family Gozi, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo OpenFolder parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/extra/StyleManager/EditFile.php?"; nocase; content:"OpenFolder="; nocase; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016389; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Pharma Spam Template Active - Outbound Email Spam"; flow:to_server,established; content:"Subject|3a 20|Rx|20|Discount|20|"; fast_pattern; content:"Special|20|for|20|you|20|-----"; distance:0; classtype:command-and-control; sid:2030675; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family Tofsee, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Glossword gw_admin.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/1.8/gw_admin.php?a="; nocase; fast_pattern; content:"t="; nocase; pcre:"/a\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.com/files/120045/Glossword-1.8.12-XSS-CSRF-Shell-Upload-Database-Disclosure.html; classtype:web-application-attack; sid:2016390; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP"; flow:to_server,established; content:"|0d 0a 0d 0a|jui=0D=0A=0D=0Atre|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a 2e 0d 0a|"; distance:0; isdataat:!1,relative; reference:md5,3bb560cb690a91134508910178928973; classtype:trojan-activity; sid:2030672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family JobCrypter, signature_severity Major, tag Ransomware, updated_at 2020_08_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-ecommerce-shop-styling/includes/generate-pdf.php?"; nocase; fast_pattern; content:"dompdf="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51707/; classtype:web-application-attack; sid:2016381; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Datper CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"="; within:9; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:command-and-control; sid:2024601; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/FloatingCloud.Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/Install/Post.asp?Uid="; nocase; pcre:"/^[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$/Ri"; reference:url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan; classtype:command-and-control; sid:2016399; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; content:"Passwords.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2035016; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PDF 0day Communication - agent UA Feb 14 2013"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/param"; http.header; content:"User-Agent|3a| agent|0d 0a|"; fast_pattern; content:"Content-Length|3a|"; reference:url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html; classtype:trojan-activity; sid:2016411; rev:4; metadata:created_at 2013_02_15, updated_at 2020_04_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (More_eggs CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=belum.uk.com"; nocase; endswith; classtype:domain-c2; sid:2030674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Vundo.Downloader Reporting User Website Session Information"; flow:established,to_server; http.uri; content:"/js.php?ran="; fast_pattern; content:"&t="; content:"&u="; http.accept_lang; content:"ru-RU"; nocase; startswith; reference:url,www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32vundojd; classtype:trojan-activity; sid:2016417; rev:3; metadata:created_at 2013_02_16, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gazer HTTP POST Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:(?:a(?:(?:lbu|d)m|ccount|uthor)|c(?:ont(?:ac|en)|lien)t|p(?:artners|hoto)|(?:memb|us)er|session|video|hash|key|id)=[a-z0-9]{6,12}&){4}/Ri"; http.request_body; content:"|ff ff ff ff 00 00 00 00|"; depth:8; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf; classtype:command-and-control; sid:2024637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vundo.OD Checkin"; flow:to_server,established; http.uri; content:"/get.php?"; pcre:"/^(?:id|key)=/Ri"; content:"id="; content:"key="; content:"&os="; content:"&av="; content:"&vm="; content:"&al="; content:"&p="; content:"&z="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD; reference:md5,8840a0d9d7f4dba3953ccb68b17b2d6c; classtype:command-and-control; sid:2016424; rev:6; metadata:created_at 2011_12_17, former_category MALWARE, updated_at 2020_04_23;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (RansomBlocker CnC)"; flow:established,to_server; tls.sni; content:"4fp2u2ue4pyqdpfu"; fast_pattern; reference:md5,2067d1cb1a25c6d6d371339fad9123ba; classtype:command-and-control; sid:2024485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarext32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dragonfly Backdoor.Goodor Go Implant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:2; content:"="; distance:3; within:1; content:"&"; distance:32; within:1; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-f0-9]{32}&[a-z0-9]{3}=[^&]+&[a-z0-9]{3}=[a-f0-9]{32}$/"; http.header; content:"Go-http-client/1.1|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8943e71a8c73b5e343aa9d2e19002373; classtype:command-and-control; sid:2024894; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Targeted, tag c2, updated_at 2020_08_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarhlp32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:4; metadata:created_at 2013_02_15, former_category CURRENT_EVENTS, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&pname="; content:"&uname="; content:"&pkey="; content:"&aekey="; content:"&ppub="; content:"&userx=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likseput.B Checkin"; flow:established,to_server; http.header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/mi"; http.user_agent; content:"|3b|Trident/4.0 "; fast_pattern; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:command-and-control; sid:2016432; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&crypto=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SEASALT HTTP Checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.00|3b 20|Windows 98) KSMM"; fast_pattern; bsize:52; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:command-and-control; sid:2016440; rev:3; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.FVVZ Variant CnC Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&taskid="; distance:0; content:"&status="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Namsoth.A Checkin/NEWSREELS APT1 Related"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; depth:5; content:"&userid="; distance:0; content:"&other"; distance:4; within:6; pcre:"/&userid=\d{4}&other=[MF]/"; reference:md5,a2cd1189860b9ba214421aab86ecbc8a; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016439; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?string="; fast_pattern; pcre:"/\.php\?string=[a-zA-Z0-9+=]+$/i"; http.user_agent; content:"Mozilla/"; startswith; http.request_body; content:"string="; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f392c55f636e93f4b72f1a2aa5022730; classtype:command-and-control; sid:2024625; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Download UA"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.8.0.12) Firefox/1.5.0.12"; fast_pattern; bsize:74; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:command-and-control; sid:2016453; rev:3; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_12, former_category TROJAN, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related"; flow:to_server,established; urilen:27; http.uri; content:"/Default.aspx?ID="; pcre:"/^[A-Z]{10}$/R"; http.user_agent; content:!"Mozilla"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,www.mandiant.com/apt1; reference:md5,ba45339da92ca4622b472ac458f4c8f2; classtype:targeted-activity; sid:2016459; rev:6; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|m3th/"; fast_pattern; classtype:web-application-attack; sid:2030677; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_12, deployment Perimeter, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-UGX User-Agent (Windows+NT+5.x) APT1"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; depth:12; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016471; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.FC CnC Activity"; flow:established,to_server; http.start; content:"POST /loader/gate HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.user_agent; content:!"|20|"; http.referer; content:!"|2e|"; http.request_body; content:"data="; startswith; pcre:"/^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})$/R"; reference:md5,d8dbaecab080b40e7782b10affb630f4; classtype:command-and-control; sid:2030678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x)"; flow:to_server,established; http.user_agent; content:"Enhanced-CTorrent"; reference:url,www.rahul.net/dholmes/ctorrent; reference:url,doc.emergingthreats.net/2011703; classtype:policy-violation; sid:2011703; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] TR/Spy.Banker.agdtw Checkin"; flow:established,to_server; http.uri; content:"page"; http.method; content:"POST"; http.header; content:"Connection|3a 20|"; content:"Content-Type|3a 20|multipart"; nocase; distance:0; content:"Content-Length|3a 20|"; nocase; distance:0; content: "Accept|3a 20|"; distance:0; content: "Accept-Encoding|3a 20|"; nocase; distance:0; content:"User-Agent|3a 20|"; distance:0; http.request_body; content:"name=|22|ing|22|"; fast_pattern; depth:300; content:"name=|22|AT|22|"; within:300; content:"ver"; within:300; content:"name=|22|MD|22|"; within:300; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Opera/10.x)"; flow:to_server,established; http.user_agent; content:"Opera BitTorrent, Opera/"; reference:url,www.opera.com; reference:url,doc.emergingthreats.net/2011701; classtype:policy-violation; sid:2011701; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Formgrabber Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"c="; depth:2; content:"&v="; distance:0; content:"&h="; distance:0; content:"&t="; fast_pattern; distance:0; pcre:"/^c=[A-F0-9]{10,}&v=[^&]+&h=[^&]+&t=[0-9]$/si"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb066c5625aa85957d6b8d4caef4e497; reference:url,thisissecurity.stormshield.com/2017/09/28/analyzing-form-grabber-malware-targeting-browsers; classtype:trojan-activity; sid:2024781; rev:3; metadata:created_at 2017_09_28, former_category TROJAN, updated_at 2020_08_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"fetch"; depth:50; nocase; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002827; classtype:attempted-recon; sid:2002827; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.JS.Agent.dwz Checkin"; flow:established,to_server; http.request_body; content:!"|00|"; content:"|61 3d|"; depth:2; fast_pattern; byte_extract:2,12,byte0,relative; byte_test:2,=,byte0,30,relative; isdataat:!33,relative; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f886dbf6bd47a0a015ef40fc2bed03a2; classtype:command-and-control; sid:2024848; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; http.user_agent; content:"Cisco-torch"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"auth255|3a 20|login"; fast_pattern; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{30,60})$/R"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024849; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; http.user_agent; content:"core-project/1.0"; classtype:web-application-activity; sid:2008529; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"sqlmapff.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024855; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Android_SMS/receiving.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:command-and-control; sid:2016513; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"strangelol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024851; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gimemo Activity"; flow:established,to_server; http.uri; content:"mainsettings/settings.sol"; http.user_agent; content:" MSIE 7.0|3b|"; classtype:trojan-activity; sid:2016515; rev:5; metadata:created_at 2013_03_04, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"ssrsec.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024853; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"|0d 0a 0d 0a|act="; fast_pattern; http.method; content:"POST"; http.request_body; content:"act="; depth:4; content:"&d="; within:20; classtype:attempted-user; sid:2016516; rev:3; metadata:created_at 2013_03_04, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"outerlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024857; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"akk="; depth:4; content:"&client="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016529; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"microsoftsec.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024859; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Time CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/time/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016533; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"martianlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024861; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Get New MAC CnC Beacon"; flow:established,to_server; http.uri; content:"/features/get/new/mac/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016534; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"dnslog.mobi"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024863; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Set Done Day CnC Beacon"; flow:established,to_server; http.uri; content:"/features/set/done/day/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; content:!"Connection|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016535; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"alienlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024866; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TrojanSpy.MSIL Fetch Header CnC Beacon"; flow:established,to_server; http.uri; content:"/features/fetch/header/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-"; content:!"Accept-"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:command-and-control; sid:2016536; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tordal/Hancitor/Chanitor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"GUID="; depth:5; fast_pattern; content:"&BUILD="; distance:0; content:"&INFO="; distance:0; content:"&IP="; distance:0; content:"&TYPE="; distance:0; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2034127; rev:6; metadata:created_at 2016_04_28, former_category MALWARE, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stabuniq Checkin"; flow:to_server,established; http.request_body; content:"id="; depth:3; content:"&varname="; content:"&comp="; content:"&ver="; content:"&xid="; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:command-and-control; sid:2016130; rev:4; metadata:created_at 2012_12_29, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination (google-searching .com)"; flow:established,to_server; http.host; content:"google-searching.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024875; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; http.header; content:!".jar"; nocase; file.data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; classtype:exploit-kit; sid:2016540; rev:4; metadata:created_at 2013_03_06, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"awsstatics.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024876; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trustezeb.C CnC Beacon"; flow:established,to_server; http.uri; content:".php?ltype="; content:"&ccr="; content:"&id="; content:"&stat="; content:"&ver="; content:"&loc="; content:"&os="; reference:url,www.abuse.ch/?p=5175; reference:url,www.virusradar.com/Win32_Trustezeb.C/description; classtype:command-and-control; sid:2016552; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"immigrantlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024877; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016575; rev:4; metadata:created_at 2013_03_14, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky Intermediate Downloader"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"Windows-Update-Agent"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Locky, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016576; rev:3; metadata:created_at 2013_03_14, updated_at 2020_04_23;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (cscc)"; flow:established,to_server; urilen:16; http.method; content:"PROPFIND"; http.uri; content:"/admin$/cscc.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024905; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, malware_family BadRabbit, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar2)"; flow:established,to_server; http.uri; content:"varchar2("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2016596; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_03_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_23;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (infpub)"; flow:established,to_server; urilen:18; http.method; content:"PROPFIND"; http.uri; content:"/admin$/infpub.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, malware_family BadRabbit, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; http.uri; content:"/1234.functions"; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:command-and-control; sid:2016599; rev:5; metadata:created_at 2012_10_26, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M1 (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sa"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024924; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameThief Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/count/bindplugin.ini"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:command-and-control; sid:2016637; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M2 (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sm"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024925; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Depyot.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/pdf.php?id="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740; classtype:command-and-control; sid:2016638; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M3 (set)"; flow:established,to_server; urilen:5; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/xget"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024926; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; http.uri; content:"/Android_SMS/installing.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M4 (set)"; flow:established,to_server; urilen:4; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sa5"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024927; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"?id="; content:"&msg="; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:6; metadata:created_at 2012_01_23, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible BACKSWING JS Framework POST Observed"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Access-Control-Allow-Methods|3a 20|POST"; http.content_type; content:"application/json"; startswith; file.data; content:"|7b 22|InjectionType|22 3a|"; depth:17; fast_pattern; content:"|22|InjectionString|22 3a 22|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024932; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mssql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"mssql_query"; classtype:bad-unknown; sid:2016664; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (hhh)"; flow:established,to_server; http.user_agent; content:"hhh"; depth:3; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2004442; classtype:trojan-activity; sid:2004442; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mssql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"mssql_query"; classtype:bad-unknown; sid:2016665; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; http.user_agent; content:"Brontok"; depth:7; nocase; reference:url,doc.emergingthreats.net/2006999; classtype:trojan-activity; sid:2006999; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (pgsql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"pgsql_query"; classtype:bad-unknown; sid:2016666; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser)"; flow:established,to_server; http.user_agent; content:"CustomExchangeBrowser"; reference:url,doc.emergingthreats.net/2007824; classtype:trojan-activity; sid:2007824; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (pgsql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"pgsql_query"; classtype:bad-unknown; sid:2016667; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)"; flow:established,to_server; http.user_agent; content:"Joseray"; depth:7; nocase; reference:url,doc.emergingthreats.net/2008765; classtype:trojan-activity; sid:2008765; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mysql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"mysql_query"; classtype:bad-unknown; sid:2016668; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer - User-Agent (Ucheck)"; flow:established,to_server; http.user_agent; content:"Opera/9.10"; content:"|3b 20|Ucheck"; fast_pattern; reference:url,doc.emergingthreats.net/2009081; classtype:trojan-activity; sid:2009081; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mysql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"mysql_query"; classtype:bad-unknown; sid:2016669; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Mozilla/4.0 (SPGK)"; fast_pattern; nocase; bsize:18; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"SqlException"; classtype:bad-unknown; sid:2016670; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729))"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|na|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)|0d0a|"; fast_pattern; startswith; reference:url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter; reference:url,doc.emergingthreats.net/2009810; classtype:trojan-activity; sid:2009810; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"SqlException"; classtype:bad-unknown; sid:2016671; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 2.1|3b 20|SV3)|0d0a|"; fast_pattern; startswith; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"error in your SQL syntax"; classtype:bad-unknown; sid:2016673; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vundo User-Agent Check-in"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0) WinNT 5.1"; fast_pattern; bsize:44; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99; reference:url,doc.emergingthreats.net/2010490; classtype:trojan-activity; sid:2010490; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - netsh firewall"; flow:established,to_server; http.request_body; content:"netsh"; nocase; fast_pattern; content:"firewall"; within:15; classtype:bad-unknown; sid:2016681; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent kav"; flow: established,to_server; http.user_agent; content:"kav"; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011482; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - reg HKEY_LOCAL_MACHINE"; flow:established,to_server; http.request_body; content:"reg"; nocase; content:"HKEY_LOCAL_MACHINE"; nocase; within:80; classtype:bad-unknown; sid:2016682; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan with /? and Indy Library User-Agent"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/?"; depth:2; http.header; content:"Indy Library)"; fast_pattern; content:"Accept-Encoding|3a 20|identity|0D 0A|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; content:!".ensignsoftware.com"; classtype:trojan-activity; sid:2012312; rev:8; metadata:created_at 2011_02_14, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - wget http - POST"; flow:established,to_server; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:bad-unknown; sid:2016683; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS User-Agent CMD"; flow:established,to_server; http.user_agent; content:"|20|(compatible|3b 20|MSIE 1.0|3b 20|Windows NT|3b 20|"; fast_pattern; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:9; metadata:created_at 2011_02_21, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User Agent Ryeol HTTP Client Class"; flow:established,to_server; http.user_agent; content:"Ryeol HTTP Client Class"; classtype:trojan-activity; sid:2013387; rev:5; metadata:created_at 2011_08_10, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV User-Agent XML"; flow:established,to_server; http.user_agent; content:"XML"; bsize:3; classtype:trojan-activity; sid:2013374; rev:4; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016674; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dynamer Trojan Dropper User-Agent VB Http"; flow:established,to_server; http.user_agent; content:"VB Http"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDynamer!dtc; classtype:trojan-activity; sid:2013507; rev:4; metadata:created_at 2011_08_31, former_category USER_AGENTS, updated_at 2020_08_13;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016675; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Second Stage Download Location Request"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.asproxfakeav; http.uri; content:"/api/urls/?ts="; content:"&affid="; pcre:"/\x26affid\x3D[0-9]{4,7}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016530; rev:4; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/0"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/0"; fast_pattern; nocase; classtype:bad-unknown; sid:2016695; rev:3; metadata:created_at 2013_04_02, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qudox CnC Actiivty"; flow:established,to_server; http.start; content:"GET /gate.php HTTP/1.1|0d 0a|Host|3a 20|"; http.request_body; content:"0WmkD4"; startswith; fast_pattern; http.header_names; bsize:26; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,4806ceacf1f9ae4faddbace5201d36f0; classtype:command-and-control; sid:2030682; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; http.cookie; content:"visited=TRUE|3b 20|mutex="; startswith; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014408; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub cloud.auth Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"Y2xvdWQuYXV0aA=="; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; content:"|22|name|22|"; content:"|22|serverid|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030683; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus User-Agent(z00sAgent)"; flow:to_server,established; http.user_agent; content:"z00sAgent"; startswith; reference:md5,e94fb19f3a38f9b2a775b925e4c0abe3; classtype:trojan-activity; sid:2016710; rev:4; metadata:created_at 2013_04_02, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub file Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|ZmlsZQ==|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030684; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; http.stat_code; content:"301"; http.stat_msg; content:"Moved Permanently"; http.location; content:"/update/winword.pkg"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016713; rev:3; metadata:created_at 2013_04_04, former_category MALWARE, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub monitor Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|bW9uaXRvcg==|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030685; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Infection or Config URL Request"; flow:established,to_server; http.uri; content:"/file.php|7C|file="; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:3; metadata:created_at 2013_04_09, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub shell Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|c2hlbGw=|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030686; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel File.php CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/administrator/templates/system/html/file.php"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016739; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub tunnel Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|dHVubmVs|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030687; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Content.php CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/administrator/modules/mod_menu/tmpl/content.php"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016740; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SAD Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&osname="; content:"&pcname="; content:"&key="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f4c2f65b5b89d4f4e74099571b40c0d5; classtype:command-and-control; sid:2024954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category MALWARE, malware_family SAD_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel Pro File.php CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pro/file.php"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016741; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Randrew!rfn CnC Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 30; http.request_body; content:"botversion="; depth:11; content:"xfor="; within:22; content:"winver="; within:33; reference:md5,74dd0e38deaf778e621434a2ca9c7c74; reference:url,microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win32/Randrew.A!bit; classtype:command-and-control; sid:2024955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Citadel Conf.bin Download From CnC Server"; flow:established,to_client; http.header; content:"filename=|22|%2e/files/conf.bin|22|"; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016743; rev:3; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Load (connect.js)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"connect.js?timestamp="; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024966; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Getting Template"; flow:to_server,established; http.uri; content:"/lnd/template="; fast_pattern; pcre:"/\/[a-z0-9]+$/i"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT 5.1|3b|"; classtype:trojan-activity; sid:2016749; rev:3; metadata:created_at 2013_04_10, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; content:!"&"; distance:0; http.request_body; content:"form-data|3b 20|name=|22|unit|22 3b 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,68aab6163c29183ad8da1cf27a5a47c5; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families; classtype:command-and-control; sid:2023545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown_gmf EK - pdfx.html"; flow:established,to_server; http.uri; content:"/pdfx.html"; classtype:exploit-kit; sid:2016055; rev:4; metadata:created_at 2012_12_18, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected REDCURL CnC Activity M1"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".bat"; endswith; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Depth|0d 0a|translate|0d 0a|Content-Length|0d 0a|Host|0d 0a|"; bsize:68; fast_pattern; content:!"Referer"; content:!"Accept"; reference:url,www.group-ib.com/resources/threat-research/red-curl.html; reference:md5,9691daebab79c6ab48adac73bda0a84a; classtype:command-and-control; sid:2030697; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Bitcoin Mining Extensions Header"; flow:to_server,established; http.method; content:"POST"; http.header; content:"X-Mining-Extensions|3a|"; classtype:coin-mining; sid:2016758; rev:5; metadata:created_at 2013_04_16, former_category POLICY, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible KONNI URI Path Observed"; flow:established,to_server; http.uri; content:"/weget/"; depth:7; fast_pattern; content:".php"; within:12; http.header_names; content:!"Referrer|0d 0a|"; reference:url,us-cert.cisa.gov/ncas/alerts/aa20-227a; classtype:targeted-activity; sid:2030690; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - Haxplorer URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=dir&dir="; classtype:attempted-user; sid:2016761; rev:3; metadata:created_at 2013_04_16, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZASE"; fast_pattern; classtype:web-application-attack; sid:2030693; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=con"; classtype:attempted-user; sid:2016762; rev:3; metadata:created_at 2013_04_17, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/DarkStealer Variant CnC Exfil"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?chatid="; content:"&username="; content:"&machineName="; content:"&Country="; content:"&HWID="; content:"&ip="; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Files"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,fed2a8736c84eda9dcc8533b5019f7d8; classtype:trojan-activity; sid:2030688; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category MALWARE, malware_family DarkStealer, malware_family Ecehlon, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Process List Dump"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&pl=|5b|System|20|Process"; content:"svchost.exe"; content:"&r="; content:"&g="; content:"&s="; content:"&c="; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected REDCURL CnC Activity M2"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".jpg"; endswith; http.user_agent; content:"curl/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; bsize:30; content:!"Referer"; reference:url,www.group-ib.com/resources/threat-research/red-curl.html; reference:md5,12ec7e6876dc86f158f448ebfba9e0eb; classtype:command-and-control; sid:2030689; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RCAP CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/callback.php?k="; fast_pattern; content:"&x="; distance:0; http.connection; content:"close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3410af519f791af5f9554cbff7ece24a; classtype:command-and-control; sid:2024984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"MZ"; content:"|00 00 00 00|"; distance:0; content:"PE|00 00|"; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:3; metadata:created_at 2013_04_19, updated_at 2020_04_23;)
+alert http $EXTERNAL_NET any  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/TinyNuke Payload ACF40 Inbound"; flow:established,to_client; flowbits:isset,ET.TinyNuke; http.stat_code; content:"200"; http.content_type; content:"text|2F|html"; startswith; file.data; byte_extract:8,896,byte0; byte_extract:8,904,byte1; byte_extract:8,912,byte2; byte_extract:8,920,byte3; byte_extract:8,928,byte4; byte_test:8,=,byte0,936; byte_test:8,!=,byte0,944; byte_test:8,=,byte1,944; byte_test:8,!=,byte1,952; byte_test:8,=,byte2,952; byte_test:8,!=,byte2,960; byte_test:8,=,byte3,960; byte_test:8,=,byte4,968; content:!"MZ"; depth:2; pcre:"/[\x80-\xff]{16}/"; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024513; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family TinyNuke, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; http.user_agent; content:"|3b 20|Silk/"; pcre:"/^\d+\.\d/R"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:5; metadata:created_at 2012_01_04, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2017930; rev:11; metadata:created_at 2014_01_04, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myrahost/list.aspx?"; nocase; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader (P2P Zeus dropper UA)"; flow:established,to_server; http.user_agent; content:"Updates downloader"; classtype:trojan-activity; sid:2017726; rev:6; metadata:created_at 2013_11_16, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent MyAgrent"; flow:established,to_server; http.user_agent; content:"MyAgrent"; reference:md5,75c2f3168eca26e10bd5b2f3f0e2a8c5; classtype:trojan-activity; sid:2014165; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.header_names; content:!"Referer"; content:!"Content-Type"; classtype:trojan-activity; sid:2016858; rev:11; metadata:created_at 2013_05_16, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TCYWin.Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"TCYWinHTTPDownload"; reference:md5,4cfe5674d9f33804572ae0d14f0c941b; classtype:trojan-activity; sid:2014305; rev:4; metadata:created_at 2012_03_05, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2016173; rev:10; metadata:created_at 2013_01_08, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface C&C availability check"; flow:established,to_server; flowbits:set,ET.koobfacecheck; http.method; content:"POST"; nocase; http.uri; content:"/achcheck.php"; nocase; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010151; classtype:command-and-control; sid:2010151; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallMonster.Downloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy Library)"; endswith; fast_pattern; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:md5,70a6d9cb37e346b4dfd28bd4ea1f8671; classtype:command-and-control; sid:2017656; rev:6; metadata:created_at 2013_11_01, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"mfunc"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/i"; classtype:attempted-user; sid:2016788; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Win32.Sality-GR Checkin"; flow:established,to_server; http.uri; content:".gif?"; fast_pattern; pcre:"/^[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$/R"; http.header_names; content:"|0d 0a|User-Agent"; depth:12; content:!"Accept"; content:!"Referer"; reference:md5,3a03a20bfefe3fdd01659d47d2ed76c8; classtype:command-and-control; sid:2018340; rev:11; metadata:created_at 2013_06_07, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"mclude"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/i"; classtype:attempted-user; sid:2016789; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; urilen:32; http.uri; content:".php?id="; offset:6; depth:8; pcre:"/^[A-Z0-9]{18}$/R"; http.user_agent; content:"MSIE 6.0|3b|"; reference:md5,f4b8b51b75f67e68d0c1a9639e2488c3; classtype:command-and-control; sid:2015808; rev:7; metadata:created_at 2012_10_17, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"dynamic-cached-content"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/i"; classtype:attempted-user; sid:2016790; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.accept; content:"*/*"; http.accept_lang; content:"en-us"; http.content_type; content:"application/octet-stream"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; content:!"Referer"; flowbits:set,ET.Pushdo.S; threshold: type threshold,track by_src,count 1,seconds 60; threshold: type limit,track by_src,count 1,seconds 600; classtype:command-and-control; sid:2016867; rev:6; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:4; metadata:created_at 2013_04_27, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw MacTryCnt CnC Style Checkin"; flow:established,to_server; http.uri; content:"&logdata=MacTryCnt|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013202; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.request_body; content:"current_version="; pcre:"/^[a-z0-9]{196}/Ri"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot POST CnC Beacon"; flow:established,to_server; urilen:<33; http.method; content:"POST"; http.uri; content:"/b/"; fast_pattern; pcre:"/^[a-z]{3,4}\x2F[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018098; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; http.uri; content:"CHAR("; nocase; pcre:"/^[0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ri"; classtype:attempted-admin; sid:2014352; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?email="; fast_pattern; http.accept; http.accept; content:"*/*"; http.connection; http.connection; content:"close"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:command-and-control; sid:2025020; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 1"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"JnN1cmk9"; distance:0; fast_pattern; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016793; rev:6; metadata:created_at 2013_04_27, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pykspa.C Public IP Check"; flow:established,to_server; urilen:1; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.9.1.3) Gecko/20090824 Firefox/3.5.3"; fast_pattern; http.host; content:"myip"; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,b94e213153a1929db2f414f23d891d76; reference:md5,324ff262da1233ef874ff29213cf8f19; classtype:trojan-activity; sid:2018773; rev:5; metadata:created_at 2014_07_24, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 2"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"mc3VyaT0"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016814; rev:5; metadata:created_at 2013_05_03, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (GenericHttp/VER_STR_COMMA)"; flow:established,to_server; http.user_agent; content:"GenericHttp/VER_STR_COMMA"; classtype:trojan-activity; sid:2013737; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 3"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"ZzdXJpP"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016815; rev:5; metadata:created_at 2013_05_03, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 1"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&logdata="; http.host; content:"winsoft"; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012222; rev:4; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/login.cgi"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016819; rev:6; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Requesting exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?"; offset:2; depth:11; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:15; metadata:created_at 2012_11_30, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/7"; flow:established,to_server; http.user_agent; content:"Mozilla/7"; depth:9; nocase; classtype:bad-unknown; sid:2016692; rev:5; metadata:created_at 2013_04_02, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Single char EXE direct download likely trojan (multiple families)"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/\/[a-z0-9A-Z]\.exe$/i"; classtype:trojan-activity; sid:2018581; rev:4; metadata:created_at 2014_06_18, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; http.user_agent; content:"Mozilla/9"; depth:9; nocase; classtype:bad-unknown; sid:2016694; rev:5; metadata:created_at 2013_04_02, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs/Harnig Downloader Activity"; flow:established,to_server; http.uri; content:".php?adv=adv"; http.user_agent; content:")ver"; fast_pattern; pcre:"/^\d+$/R"; reference:md5,2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"Opera/9.80"; depth:10; content:"Edition Yx|3b| ru"; fast_pattern; distance:0; classtype:trojan-activity; sid:2016034; rev:4; metadata:created_at 2012_12_14, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Checkin"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/home/"; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer"; reference:md5,6afc848066d274d8632c742340560a67; classtype:command-and-control; sid:2017584; rev:9; metadata:created_at 2013_10_12, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSISDL Iplookup.php IPCheck"; flow:established,to_server; http.uri; content:"/iplookup.php"; fast_pattern; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:policy-violation; sid:2016744; rev:6; metadata:created_at 2013_04_09, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor EXE Download Common Header Order"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.user_agent; content:"MSIE"; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:76; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2018254; rev:5; metadata:created_at 2014_03_12, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion password.properties access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"password.properties"; nocase; reference:url,cxsecurity.com/issue/WLB-2013050065; classtype:web-application-attack; sid:2016836; rev:4; metadata:created_at 2013_05_08, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Retrieving Domains via JS"; flow:established,to_server; http.uri; content:".txt?dummy="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"Mozilla"; depth:7; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; classtype:trojan-activity; sid:2020031; rev:5; metadata:created_at 2014_12_23, updated_at 2020_08_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER  ColdFusion path disclosure to get the absolute path"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/administrator/analyzer/index.cfm"; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:5; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; urilen:16<>402; http.method; content:"GET"; nocase; http.uri; pcre:"/^\/[a-z0-9+\/=]{16,400}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE"; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; depth:19; content:"Host|0d 0a|"; distance:0; content:!"Accept"; classtype:command-and-control; sid:2011894; rev:20; metadata:created_at 2010_11_06, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduletasks access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduletasks.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016842; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Solarbot Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v="; depth:2; content:"&u="; content:"&w="; content:"&c="; pcre:"/&s=\{?[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\}?(?:&|$)/i"; http.header_names; content:!"Referer"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017742; rev:5; metadata:created_at 2013_11_22, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduleedit access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduleedit.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016843; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/system/"; depth:8; nocase; fast_pattern; pcre:"/^(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ri"; http.header_names; content:!"Referer"; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:6; metadata:created_at 2016_05_24, former_category CURRENT_EVENTS, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/downloads/IPFilter.exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; reference:md5,c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:command-and-control; sid:2016844; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z0-9.&-]+(?:[a-z0-9]{4}-){3}[a-z0-9.&+-]+$/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-"; classtype:command-and-control; sid:2019756; rev:5; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTPing Usage Inbound"; flow:established,to_server; http.user_agent; content:"HTTPing"; depth:7; reference:url,www.vanheusden.com/httping/; classtype:policy-violation; sid:2016845; rev:4; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-03-31"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?ad="; nocase; content:"="; distance:0; pcre:"/=\d+$/"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,c5ad81d8d986c92f90d0462bc06ac9c6; classtype:trojan-activity; sid:2022692; rev:4; metadata:created_at 2016_03_31, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tosct.B UA Mandiant APT1 Related"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:targeted-activity; sid:2016431; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comisproc Checkin"; flow:to_server,established; http.uri; content:".asp?mac="; content:"&ver="; distance:0; http.user_agent; content:"Google"; nocase; depth:6; reference:md5,9378ef5f2fb2e71e5eeed20f9f21d8dd; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910; reference:url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html; classtype:command-and-control; sid:2017066; rev:9; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[a-z]\/$/Ui"; http.user_agent; content:"(compatible|3b|"; content:"|20|MSIE|20|"; distance:0; content:"(Compatible|3b|"; fast_pattern; distance:0; classtype:command-and-control; sid:2016829; rev:4; metadata:created_at 2013_05_07, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ixeshe/Mecklow Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&"; content:"."; content:"sp?"; distance:1; within:3; pcre:"/\/[A-Z0-9]+\.[aj]sp\?[a-zA-Z0-9+/\x20=]+$/"; http.user_agent; content:"MSIE 5.01|3b 20|Windows NT 5.0|29|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:md5,3422e76cf4c99ec1091f8c342a3aedaa; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; classtype:command-and-control; sid:2018379; rev:12; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyposit Ransomware Checkin 1"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/ad"; depth:3; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/i"; http.user_agent; content:"Microsoft BITS/"; depth:15; classtype:command-and-control; sid:2015957; rev:8; metadata:attack_target Client_Endpoint, created_at 2012_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 1"; flow:established,to_server; http.uri; content:".php?w="; content:"&i="; distance:0; content:"&a="; distance:0; pcre:"/\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$/"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013685; rev:4; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; http.user_agent; content:"EMSFRTCBVD"; depth:10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:3; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (GRIFFON CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fashionableeder.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030700; rev:1; metadata:attack_target Client_and_Server, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 0"; nocase; classtype:trojan-activity; sid:2016880; rev:7; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ixeshe/Mecklow Checkin 2"; flow:established,to_server; http.header_names; content:"|0d 0a|x_bigfix_client_string|0d 0a|"; depth:26; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,df9ce5d06498419a3c93ad95a2ed82fd; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf; classtype:command-and-control; sid:2018380; rev:8; metadata:created_at 2012_06_19, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE)"; flow:established,to_server; http.user_agent; content:"DSMBVCTFRE"; nocase; depth:10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016882; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015"; flow:established,to_server; http.user_agent; content:"Mazilla/"; depth:8; fast_pattern; reference:url,malware-traffic-analysis.net/2015/01/15/index.html; classtype:trojan-activity; sid:2020235; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(MBESCVDFRT)"; flow:established,to_server; http.user_agent; content:"MBESCVDFRT"; nocase; depth:10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016883; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; http.uri; content:"/stat"; content:".php?w="; content:"&i=00000000000"; fast_pattern; content:"&a="; http.user_agent; content:"Opera/6 (Windows NT 5.1|3b 20|"; classtype:command-and-control; sid:2013907; rev:5; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(TCBFRVDEMS)"; flow:established,to_server; http.user_agent; content:"TCBFRVDEMS"; nocase; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016884; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface HTTP Request (2)"; flow:established,to_server; http.uri; content:"?action="; nocase; content:"&v="; nocase; distance:0; pcre:"/\?action=\w+gen&v=\d/"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMOMAKE)"; flow:established,to_server; http.user_agent; content:"DEMOMAKE"; nocase; depth:8; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016885; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WS/JS Downloader Mar 07 2017 M1"; flow:established,to_server; http.uri; content:"/counter/"; fast_pattern; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2024035; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(vbusers)"; flow:established,to_server; http.user_agent; content:"vbusers"; nocase; depth:7; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016891; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M3"; flow:established,to_client; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; content:"Content-Disposition|3a 20|"; pcre:"/^[^\r\n]+\.(?:jpe?g|gif|png)\r\n/R"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023671; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(folderwin)"; flow:established,to_server; http.user_agent; content:"folderwin"; nocase; depth:9; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016892; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX/Destory HTTP traffic"; flow:established,to_server; http.request_line; content:"POST|20|"; depth:5; http.header_names; content:"X-Sn"; fast_pattern; content:"X-Session"; content:"X-Status"; content:"X-Size"; reference:url,circl.lu/pub/tr-24/; classtype:trojan-activity; sid:2018541; rev:4; metadata:created_at 2014_06_06, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(smaal)"; flow:established,to_server; http.user_agent; content:"smaal"; nocase; depth:5; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016893; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?resid="; fast_pattern; content:"&photoid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021201; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(nento)"; flow:established,to_server; http.user_agent; content:"User-Agent|3a| nento|0d 0a|"; nocase; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016894; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M4"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; http.content_type; content:"image|2f|"; depth:6; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023672; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(bugmaal)"; flow:established,to_server; http.user_agent; content:"bugmaal"; nocase; depth:7; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016895; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; depth:7; content:"&id="; distance:0; content:"&pc="; distance:0; content:"&tail="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:command-and-control; sid:2021685; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"MyHttpClient"; depth:12; http.request_body; content:"tit="; fast_pattern; depth:4; content:"&cont="; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016866; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gatak CnC"; flow:established,to_server; http.uri; content:"/report"; depth:7; fast_pattern; pcre:"/^\/report[0-9]?_(?:v[0-9])?[A-Z]?[A-F0-9_-]+_[0-9]{1,3}_(?:st(?:arted|ep)|already|mark|p(?:rocess|a(?:ge|yload))|watch2|http|image|gdiplus|crc|DIRRR|finished|(?:ex(cept|ecuted)))/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,636a911cc059415963da7009277bae17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/; classtype:command-and-control; sid:2021268; rev:11; metadata:created_at 2015_06_15, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (ChilkatUpload)"; flow:to_server,established; http.user_agent; content:"ChilkatUpload"; depth:13; nocase; reference:url,chilkatsoft.com; classtype:trojan-activity; sid:2016904; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 6"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:".php?"; pcre:"/\/[a-z]+\.php\?[A-F0-9]{250,}$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|Trident/7.0|3b 20|Touch|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022300; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(FMBVDFRESCT)"; flow:established,to_server; http.user_agent; content:"FMBVDFRESCT"; nocase; depth:11; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016881; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot/Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; content:"|08 00|"; distance:16; within:2; isdataat:!1,relative; reference:url,github.com/sysopfb/open_mal_analysis_notes/blob/master/546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a.md; classtype:trojan-activity; sid:2030698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family Anchor, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registration Rev3"; flow:established,to_server; http.uri; content:"/gate.php?id="; pcre:"/^[a-z]{15}$/R"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016909; rev:4; metadata:created_at 2013_05_22, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 3"; flow:to_server,established; http.method; content:"GET"; http.header; content:!"Taitus"; pcre:"/^Accept\x3a\x20text\/\*,\x20application\/\*\r\nUser-Agent\x3a\x20[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\nConnection\x3a Keep-Alive\r\nHost\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.user_agent; content:!"Mozilla"; depth:7; http.accept; content:"text/*,|20|application/*"; depth:21; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|"; fast_pattern; content:"|0d 0a|Connection|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2020295; rev:7; metadata:created_at 2015_01_23, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Get Command Rev3"; flow:established,to_server; http.uri; content:"/get"; endswith; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(compatible|3b| Synapse)"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016910; rev:4; metadata:created_at 2013_05_22, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 5"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/misc.php?"; fast_pattern; pcre:"/^[A-F0-9]{250,}$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022284; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 2."; nocase; classtype:policy-violation; sid:2016873; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/shoe/"; depth:8; fast_pattern; pcre:"/^\d+?$/R"; http.user_agent; content:"Mozilla/4.0|20|"; depth:12; http.header_names; content:!"Referer"; reference:md5,e1cbdba0c57ddb5ab70aa1306dbacaa9; classtype:command-and-control; sid:2018643; rev:5; metadata:created_at 2014_02_28, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 3."; nocase; classtype:policy-violation; sid:2016872; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUSPICIOUS UA (iexplore)"; flow:established,to_server; http.user_agent; content:"iexplore"; depth:8; fast_pattern; nocase; http.host; content:!"su.pctools.com"; content:!".advent.com"; reference:md5,b0e8ce16c42dee20d2c1dfb1b87b3afc; classtype:bad-unknown; sid:2017365; rev:12; metadata:created_at 2013_08_21, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/0."; nocase; classtype:policy-violation; sid:2016875; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webhp"; nocase; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; depth:34; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013076; rev:10; metadata:created_at 2011_06_22, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/1."; nocase; classtype:policy-violation; sid:2016876; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls.cert_subject; content:"CN=processamentos.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/2."; nocase; classtype:policy-violation; sid:2016877; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host checkin"; flow:established,to_server; http.uri; content:"/search"; depth:7; content:"?fr=altavista&itag="; within:30; content:"&kls="; distance:0; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2011365; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 4."; nocase; classtype:policy-violation; sid:2016878; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knock.php Shiz or Rohimafo CnC Server Contact URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"knock.php?n="; nocase; content:"=seller-"; nocase; distance:0; http.header_names; content:!"User-Agent"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011520; rev:6; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 5.0"; nocase; classtype:policy-violation; sid:2016879; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/DarkStealer Variant CnC Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?chatid="; content:"&username="; content:"&machineName="; fast_pattern; content:"&Country="; content:"&HWID="; content:"&ip="; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,fed2a8736c84eda9dcc8533b5019f7d8; classtype:trojan-activity; sid:2030699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family DarkStealer, malware_family EchelonStealer, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 1."; nocase; classtype:policy-violation; sid:2016874; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Oliga Fake User Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.75 [en]"; depth:17; content:!"Linux"; classtype:trojan-activity; sid:2013372; rev:6; metadata:created_at 2011_08_05, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Gapz MSIE 9 on Windows NT 5"; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 9.0|3b| Windows NT 5."; fast_pattern; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:trojan-activity; sid:2016897; rev:8; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct Dec 01 2014"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"-SP"; fast_pattern; content:"/0/"; distance:0; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:md5,fd0f57fd1f93c13b7bd63f811ac7939e; classtype:trojan-activity; sid:2019847; rev:14; metadata:created_at 2014_12_03, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious MSIE 10 on Windows NT 5"; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 10.0|3b| Windows NT 5."; fast_pattern; classtype:trojan-activity; sid:2016898; rev:7; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic -POST To file.php w/Extended ASCII Characters"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file.php"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2016172; rev:10; metadata:created_at 2013_01_08, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; http.request_body; content:"_ajax_nonce="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; flowbits:set,ET.Chroject; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:1; content:"="; distance:0; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/"; http.user_agent; content:"|20|like Gecko|29 20|Chrome/"; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020747; rev:9; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Safe User Agent Fantasia"; flow:established,to_server; http.user_agent; content:"Fantasia"; depth:8; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; classtype:trojan-activity; sid:2016934; rev:4; metadata:created_at 2013_05_29, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 1"; flow:established,to_server; http.uri; content:".asp?imageid="; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2016139; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vobfus Check-in"; flow:established,to_server; http.uri; content:".php?page="; content:"&style=LED_g&nbdigits="; distance:0; fast_pattern; http.user_agent; content:"Opera"; nocase; depth:5; classtype:trojan-activity; sid:2016940; rev:4; metadata:created_at 2013_05_29, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.BAAB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/trace/"; fast_pattern; pcre:"/^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$/"; http.user_agent; content:"NSISDL/1.2|20|(Mozilla)"; depth:20; http.header_names; content:!"Referer"; content:"Accept"; reference:md5,406fea6262d8ee05e0ab4247c1083443; reference:url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/; classtype:command-and-control; sid:2017946; rev:5; metadata:created_at 2014_01_08, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Checkin"; flow:established,to_server; http.uri; content:"/cntr.php?b="; nocase; content:"&c="; nocase; content:"&d="; nocase; reference:url,doc.emergingthreats.net/2002959; classtype:command-and-control; sid:2002959; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?q="; http.header; content:"redirect|3a|"; fast_pattern; content:"version|3a 20|"; content:"aid|3a 20|"; content:"builddate|3a 20|"; content:"pid|3a 20|"; http.header_names; content:!"Referer"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021227; rev:4; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Possible Win32.Bicololo Checkin"; flow:established,to_server; flowbits:set,ET.Bicololo.Request; http.method; content:"GET"; http.uri; content:"/stat/"; nocase; pcre:"/^[a-z]{3,4}\/\d{1,4}$/R"; reference:md5,252c95327ce556a21bdd7e9a322e206c; reference:url,www.virusradar.com/Win32_Bicololo.A/description; classtype:command-and-control; sid:2016946; rev:4; metadata:created_at 2013_05_31, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cohhoc RAT CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"gAAAA"; offset:2; depth:5; content:"AAAAAAAAAAAAAAMjAx"; distance:1; within:18; content:"MiR"; distance:4; within:3; http.header_names; content:!"Referer"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019625; rev:5; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Backdoor.Linux.Tsunami Outbound HTTP request"; flow:established,to_server; http.header; content:"|3a|80|0d 0a|"; http.user_agent; content:"Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)"; reference:url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html; classtype:trojan-activity; sid:2016949; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Checkin"; flow:established,to_server; http.uri; content:"update.php?"; content:"&key="; distance:0; content:"&dummy="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2; classtype:command-and-control; sid:2020034; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; http.user_agent; content:"WindowsNT"; http.host; content:!".rview.com"; content:!".mobizen.com"; classtype:trojan-activity; sid:2013721; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; http.request_body; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; classtype:attempted-user; sid:2016954; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?num="; fast_pattern; content:"&rev="; distance:0; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/"; http.header_names; content:!"Referer"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2014112; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; http.uri; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; tls.cert_subject; content:"O=MyCompany Ltd."; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2015560; rev:9; metadata:attack_target Client_and_Server, created_at 2012_08_02, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_08_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; http.request_body; content:"java.lang.Runtime@getRuntime().exec("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic gate .php GET with minimal headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:4; metadata:created_at 2016_05_18, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; http.request_body; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSServ or Tidserv variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/crcmds/main"; nocase; reference:url,www.threatexpert.com/reports.aspx?find=%2Fcrcmds%2Fmain; reference:url,doc.emergingthreats.net/2008944; classtype:command-and-control; sid:2008944; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; http.uri; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?resid="; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021200; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/info/privacy_security.htm"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"microsoft.com"; endswith; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:6; metadata:created_at 2013_06_05, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:command-and-control; sid:2016089; rev:6; metadata:created_at 2012_12_22, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; http.uri; content:"/phppath/php"; pcre:"/^\b/R"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:attempted-admin; sid:2016983; rev:3; metadata:created_at 2013_06_06, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rerdom/Asprox CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/pkg/"; fast_pattern; pcre:"/^[A-Za-z0-9]{14,15}$/R"; reference:url,malware-traffic-analysis.net/2014/08/24/index.html; reference:url,www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf; classtype:command-and-control; sid:2019760; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour"; flow:established,to_server; http.uri; content:"/tmp/"; depth:5; content:".exe"; distance:0; pcre:"/^\/tmp\/.+\.exe$/"; classtype:bad-unknown; sid:2016985; rev:3; metadata:created_at 2013_06_07, updated_at 2020_04_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall .onion Proxy Domain"; dns.query; content:"3wzn5p2yiumh7akj"; depth:16; nocase; reference:url,www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names; classtype:trojan-activity; sid:2022048; rev:3; metadata:created_at 2015_11_09, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013033; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious user agent (V32)"; flow:to_server,established; http.user_agent; content:"V"; depth:1; pcre:"/^\d{2}$/R"; classtype:trojan-activity; sid:2014090; rev:8; metadata:created_at 2011_06_07, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toby.N Multilocker Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/picture.php"; endswith; http.header_names; content:!"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; http.connection; content:"Keep-Alive"; bsize:10; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:command-and-control; sid:2016368; rev:4; metadata:created_at 2013_02_08, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emold.C Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?v="; fast_pattern; content:"&rs="; distance:0; content:"&n="; distance:0; pcre:"/\.php\?v\x3d\d+?\x26rs\x3d(?:(?:\d+?\x2d){3})?\d+?\x26n\x3d\d/i"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; reference:md5,49205774f0ff7605c226828e080238f3; classtype:command-and-control; sid:2016251; rev:7; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KimJongRAT cnc exe pull"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"subject="; nocase; depth:8; content:"&data="; nocase; pcre:"/^subject=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})_(?:(?:list|que)_done|ini(?:_done)?)&data/"; reference:url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf; classtype:command-and-control; sid:2017009; rev:6; metadata:created_at 2013_06_13, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jorik FakeAV GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/britix/a"; http.user_agent; content:"Internet Explorer"; classtype:trojan-activity; sid:2013807; rev:5; metadata:created_at 2011_10_31, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Scieron Retrieving Information"; flow:established,to_server; urilen:7; flowbits:set,ET.Trojan.Scieron.Ret; http.method; content:"GET"; http.uri; content:"/ip.txt"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020296; rev:4; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (Google page)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Google page"; classtype:trojan-activity; sid:2017067; rev:6; metadata:created_at 2011_05_31, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gulpix/PlugX Client Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"1|3a 20|"; content:"2|3a 20|"; distance:0; content:"3|3a 20|"; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/m"; http.header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:6; metadata:created_at 2014_02_21, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina Checkin"; flow: established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Alina v"; http.request_body; content:"act="; content:"&b="; content:"&c="; content:"&v="; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:command-and-control; sid:2016837; rev:7; metadata:created_at 2013_05_09, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?id="; nocase; content:"&rnd="; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:7; metadata:created_at 2016_02_03, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alina User-Agent(Alina)"; flow: established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Alina v"; depth:7; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016838; rev:6; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/"; pcre:"/^[0-9a-f]{32}\.php/R"; http.request_body; content:"Data="; fast_pattern; depth:5; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2014370; rev:5; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa= in cleartext"; flow:established,to_server; http.request_body; content:"pasa="; pcre:"/^(?!&)./R"; classtype:policy-violation; sid:2017080; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"bn1="; depth:4; fast_pattern; content:"&sk1="; pcre:"/^[A-F0-9]{30}/R"; classtype:command-and-control; sid:2014218; rev:7; metadata:created_at 2012_02_10, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http any any -> any any (msg:"ET INFO HTTP URI contains pasa="; flow:established,to_server; http.uri; content:"pasa="; nocase; pcre:"/(?<=(?:\?|&))pasa=(?!&)./i"; classtype:policy-violation; sid:2017081; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?cookie="; fast_pattern; content:"&type="; content:"&vid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021569; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> any any (msg:"ET INFO HTTP POST contains pasa form"; flow:established,to_server; http.request_body; content:"name=|22|pasa|22|"; classtype:policy-violation; sid:2017082; rev:3; metadata:created_at 2013_07_02, former_category INFO, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; http.uri; content:"/b/eve/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018096; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> any any (msg:"ET WEB_SERVER WebShell - GODSpy - Cookie"; flow:established; http.cookie; content:"godid="; classtype:trojan-activity; sid:2017085; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; fast_pattern; depth:4; isdataat:!2,relative; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2015976; rev:4; metadata:created_at 2012_12_04, former_category MALWARE, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSPy - Auth Creds"; flow:established,to_server; http.request_body; content:"ctr="; content:"haz=pasa"; classtype:trojan-activity; sid:2017088; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Download Activity"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; bsize:10; file_data; content:"set OMYORANTICATO = createobject(|22|"; fast_pattern; reference:url,www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/; reference:md5,08828db7a600e573d5dd61315e3e2af1; classtype:trojan-activity; sid:2030701; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family GORGON, performance_impact Low, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - raiz"; flow:established,to_server; http.uri; content:".asp?raiz="; classtype:trojan-activity; sid:2017090; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Download Activity M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; bsize:10; file_data; content:"|24|X1=|27|GEX|27 2e|replace|28 27|G|27 2c 27|I|27 29 3b|sal|20|g|20 24|X1|3b|"; fast_pattern; reference:url,www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/; reference:md5,1cc6e550e2e414d143e835b0f5f53f41; classtype:trojan-activity; sid:2030706; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"Leaf PHPMailer</title>"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2030015; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:"<CPUI>"; content:"</CPUI><"; within:27; content:"<MEMI>"; content:"</MEMI><"; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2009052; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"Leaf PHPMailer</title>"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2030016; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banito/Agent.pb Pass Stealer Email Report Outbound"; flow:established,to_server; content:"Subject|3a| Vip Passw0rds|0d 0a 0d 0a|Victim Name |3a| "; content:"|0d 0a|######## ICQ PASSWORDS ########"; within:70; reference:url,doc.emergingthreats.net/2008551; classtype:trojan-activity; sid:2008551; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server"; flow:established,to_client; file.data; content:"<title>D3V1l H4X0R Priv8 Shell"; fast_pattern; classtype:web-application-attack; sid:2030017; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Shark Pass Stealer Email Report"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer "; content:"|0d 0a 0d 0a|Codesoft PW Stealer File "; distance:0; content:"filename=|22|"; distance:0; content:".log|22 0d 0a|"; within:20; reference:url,doc.emergingthreats.net/2007992; classtype:trojan-activity; sid:2007992; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"<title>D3V1l H4X0R Priv8 Shell"; fast_pattern; classtype:web-application-attack; sid:2030018; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1029; content:"|01 00 00 00|"; depth:4; content:!"|26|"; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:command-and-control; sid:2014601; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server"; flow:established,to_client; file.data; content:"Upload File : <input type=|22|file|22 20|name=|22|file|22|"; fast_pattern; nocase; content:">Name</center></td>"; nocase; distance:0; content:">Size</center></td>"; nocase; distance:0; content:">Permissions</center></td>"; nocase; distance:0; content:">Options</center></td>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; classtype:web-application-attack; sid:2030019; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from"; nocase; fast_pattern; content:"application/octet-stream|3b|"; content:".bin"; within:100; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"Upload File : <input type=|22|file|22 20|name=|22|file|22|"; fast_pattern; nocase; content:">Name</center></td>"; nocase; distance:0; content:">Size</center></td>"; nocase; distance:0; content:">Permissions</center></td>"; nocase; distance:0; content:">Options</center></td>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; classtype:web-application-attack; sid:2030020; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Karagany C&C Response"; flow:from_server,established; file_data; content:"work|3a|"; depth:5; content:"|7c|downexec|20|"; within:20; content:".jpg|3b 0d 0a|"; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf; classtype:command-and-control; sid:2018629; rev:3; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server"; flow:established,to_client; file.data; content:"title>-:- Stupidc0de Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2030021; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; content:"|0c 0d|disenart.info"; within:15; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"<title>-:- Stupidc0de Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2030022; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"|00 00 00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:command-and-control; sid:2014600; rev:7; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE VBulletin Backdoor CMD inbound"; flow:established,to_server; http.header; content:"HTTP_ECMDE|3a|"; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017111; rev:5; metadata:created_at 2013_07_05, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:3; metadata:created_at 2014_08_19, updated_at 2020_08_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 URI Structure"; flow:established,to_server; http.uri; content:"/ss?t=f&"; depth:8; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017112; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet to Server"; flow:established,to_server; dsize:20; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; flowbits:set,ET.onlinegames.ajok; reference:url,doc.emergingthreats.net/2008291; classtype:command-and-control; sid:2008291; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE VBulletin Backdoor C2 Domain"; flow:established,to_server; http.header; content:"adabeupdate.com|0d 0a|"; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:command-and-control; sid:2017113; rev:5; metadata:created_at 2013_07_05, former_category MALWARE, updated_at 2020_04_24;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames.ajok; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; reference:url,doc.emergingthreats.net/2008292; classtype:command-and-control; sid:2008292; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; http.stat_code; content:"502"; http.stat_msg; content:"Bad gateway"; file.data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:4; metadata:created_at 2013_07_16, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 f3 e5 76 ad 16 4c 88 ff|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019069; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ProtocolGW/protocol/"; nocase; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/i"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:7; metadata:created_at 2011_06_16, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9a a1 97 0b 99 2b 46 07|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|03|GER"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019070; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; http.stat_code; content:"200"; http.stat_msg; content:"OK"; file.data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:3; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b2 a7 52 d6 65 0d 28 9f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019108; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; http.uri; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/i"; http.user_agent; content:"Java/1."; fast_pattern; content:"Mozilla"; depth:7; classtype:trojan-activity; sid:2014912; rev:7; metadata:created_at 2012_06_16, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 c0 04 78 81 0c 5a 2d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019109; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Watering Hole applet name AppletHigh.jar"; flow:established,to_server; http.uri; content:"/AppletHigh.jar"; http.user_agent; content:"Java/1."; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:exploit-kit; sid:2016639; rev:5; metadata:created_at 2013_03_22, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 15 14 ca 74 7c 3d 96|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019120; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; http.request_line; content:".zip HTTP/1."; http.uri; pcre:"/\/[a-f0-9]+\.zip$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016839; rev:7; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 11 bb c5 32 1e 9d 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019121; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; http.uri; content:"/app.jar"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017096; rev:5; metadata:created_at 2013_07_04, former_category EXPLOIT_KIT, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bc 2a 7f f9 ef 67 4e ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019122; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; http.uri; content:"/jot.class"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2016556; rev:7; metadata:created_at 2013_03_08, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a5 72 6e 95 1a 1d 22|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019135; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Serialized Data request"; flow:established,to_server; http.uri; content:".ser"; endswith; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016504; rev:5; metadata:created_at 2013_02_26, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 2d 8e ea 67 c4 08 ea|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019305; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; http.uri; content:"java.lang.ProcessBuilder("; nocase; classtype:attempted-user; sid:2017172; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8b 77 b3 d1 92 8c 7d 48|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019306; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:5; metadata:created_at 2013_07_24, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b f5 c0 6b 03 3a 00 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,510b4db9aa400583e7927afa5f956179; classtype:trojan-activity; sid:2019307; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; http.uri; content:!"/404."; depth:5; pcre:"/^\/\d{2,}\.[a-z0-9]+$/i"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017199; rev:5; metadata:created_at 2013_07_26, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FireEye.STX RAT Checkin"; flow:established,to_server; content:"GET /WinData.DLL?HELO-STX-1*"; depth:28; content:"$|0D 0A|"; within:40; reference:url,blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html; reference:md5,89217de164ffca0f0fed54a8003eb98f; classtype:command-and-control; sid:2014632; rev:3; metadata:created_at 2012_04_23, former_category MALWARE, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; http.uri; content:"/img/info.php?info="; nocase; classtype:trojan-activity; sid:2017257; rev:3; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LinuxNet.perlbot Checkin Via IRC"; flow:to_server,established; content:"NICK|20 7c|GNU|7c 0a|"; depth:12; fast_pattern; content:"USER|20|GNU|20|"; within:9; pcre:"/(?:\d{1,3}\.){3}\d{1,3} (?:\d{1,3}\.){3}\d{1,3} \x3a(?:Linux|FreeBSD|SunOS)/R"; content:"|0a|JOIN|20|"; distance:0; classtype:command-and-control; sid:2019921; rev:3; metadata:created_at 2014_12_11, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; http.request_body; content:"|0D 0A|"; content:"<%"; within:5; fast_pattern; content:"%>"; distance:0; pcre:"/<%[\x00-\x7f]{20}/"; classtype:trojan-activity; sid:2017260; rev:12; metadata:created_at 2013_07_31, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Activity (STD attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[STD]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022215; rev:3; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay Checkin"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"filename=|22|"; pcre:"/^\d+?\x22/R"; classtype:command-and-control; sid:2017264; rev:3; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Activity (UNK attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[UNK]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022216; rev:3; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/$/"; http.user_agent; content:"|3b|Windows"; nocase; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:command-and-control; sid:2017262; rev:6; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_04_24;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M2"; flow:from_server,established; file_data; content:"|76 7e 72 20 7e 20 3d 20 22 22 3b 20 7e 20 2b 3d|"; within:17; content:"0."; distance:0; pcre:"/^\d+[\x22\x27]/R"; content:"|27 3b 20 7e 20 2b 3d 20 27|"; within:500; content:"|27 3b 20 7e 20 2b 3d 20 27|"; within:500; classtype:trojan-activity; sid:2023598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comfoo Outbound Communication"; flow:established,to_server; http.header; content:"Accept-Language|3a 20|en-en|0d 0a|"; http.user_agent; content:"|3b|Windows|20|"; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:16; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Banker CnC Response"; flow:established,from_server; file_data; content:"|00 00 00 00 48 65 61 44|"; depth:8; fast_pattern; content:"|00 00|"; within:5; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024442; rev:4; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; http.uri; content:"?&"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"User-Agent|3a 20|Update"; fast_pattern; classtype:trojan-activity; sid:2017281; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2022_03_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32/Nitol.B Checkin"; flow:established,to_server; dsize:>1000; content:"|88 88 08 00|"; depth:4; fast_pattern; content:"|2E|"; distance:1; within:1; content:"|2F 73|"; distance:2; within:2; content:"|00 00 00 00 00 00 00 00|"; within:15; reference:md5,f078e099b1f8afc7c43eb05b4badf9e7; classtype:command-and-control; sid:2021111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, malware_family Nitol_DDoS, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rovnix.I Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ld.aspx?key="; startswith; http.header_names; content:!"Accept|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; http.user_agent; content:"FWVersionTestAgent"; depth:18; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:command-and-control; sid:2017279; rev:4; metadata:created_at 2013_08_06, former_category MALWARE, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (HAMAD versions)"; flow:established,to_server; dsize:<200; content:"|00|"; depth:4; content:"HAMAD"; fast_pattern; within:10; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,cc18ad38eccdf096f0ac5840f380ef4f; classtype:trojan-activity; sid:2025074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Bladabindi, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; http.request_body; content:"4d5a"; nocase; content:"50450000"; distance:0; classtype:bad-unknown; sid:2017293; rev:3; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:command-and-control; sid:2025136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; http.uri; content:"pkg"; http.host; content:"platformdl.adobe.com"; bsize:20; classtype:misc-activity; sid:2017294; rev:4; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Botnet Nitol.B Checkin"; flow:established,to_server,no_stream; dsize:<400; content:"|00 00 77 00 00 00|"; depth:30; fast_pattern; content:"MHz"; within:350; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:120; classtype:command-and-control; sid:2025135; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category MALWARE, malware_family nitol, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/flowplayer-3.1.1.min.js"; nocase; reference:url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html; classtype:trojan-activity; sid:2017280; rev:4; metadata:created_at 2013_08_06, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; within:30; content:"|26 70 72 69 76 3d|"; within:20; content:"|26 63 72 65 64 3d|"; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:command-and-control; sid:2025408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, former_category MALWARE, malware_family FlawedAmmyy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.asp?newsid="; fast_pattern; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:command-and-control; sid:2017326; rev:3; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2020_04_24;)
+alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 32bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; within:60; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|41 8A 14 02 8B 45|"; distance:0; content:"|32 14 30 88 16 3B CB 72|"; distance:1; within:8; fast_pattern; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/search.asp"; fast_pattern; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:command-and-control; sid:2017325; rev:5; metadata:created_at 2013_08_13, former_category MALWARE, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Inbound PowerShell via Invoke-PSImage Stego"; flow:established,to_client; file_data; content:"|89 50 4e 47|"; depth:8; content:"c2FsIGEgTmV3LU9iamVjdDt"; within:75; fast_pattern; reference:url,github.com/peewpw/Invoke-PSImage/blob/master/Invoke-PSImage.ps1; classtype:trojan-activity; sid:2027085; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"[System Process]|0a|"; depth:17; classtype:trojan-activity; sid:2011364; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/DataMilk Stealer Communicating with CnC"; flow:established,to_server; content:"net|2e|tcp"; depth:15; content:"|2f|IModuleGetter"; within:40; fast_pattern; reference:url,app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e; classtype:command-and-control; sid:2027112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, malware_family DataMilk, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; http.uri; content:"/PirateBrowser"; content:".exe"; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:3; metadata:created_at 2013_08_15, updated_at 2020_04_24;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Template 1 Active - Malicious Outbound Email Spam"; flow:established,to_server; content:"Subject|3a 20|"; content:"Canada|20|Post"; within:80; content:"To|20|download|20|the|20|tracking|20|number"; distance:0; content:"in|20|the|20|zip|20|file.."; distance:0; fast_pattern; content:"Click|20|here|20|to|20|download|20|your|20|Tracking|20|Number"; distance:0; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:trojan-activity; sid:2027811; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category TROJAN, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker User-Agent (CNET TechTracker)"; flow:established,to_server; http.user_agent; content:"CNET TechTracker"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2014574; rev:5; metadata:created_at 2012_04_16, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/MayhemBruter Checkin"; flow:established,to_server; content:"{|0a 20 20 22|id|22 3a 20 22|"; depth:11; fast_pattern; content:"|22 0a|}|00|"; within:36; endswith; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:command-and-control; sid:2022223; rev:3; metadata:created_at 2015_12_07, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Connection From Cisco IOS Device"; flow:established,to_server; http.header; content:"User-Agent|3a 20|cisco-IOS"; nocase; classtype:misc-activity; sid:2014201; rev:4; metadata:created_at 2012_02_07, updated_at 2020_04_24;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Powershell Trojan)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 e6 05 e6 06 e6 17 3f|"; fast_pattern; reference:url,pastebin.com/7wYupkJL; reference:md5,4c5c9014f2d18f11ca62848876551323; classtype:domain-c2; sid:2023342; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_17, deployment Perimeter, former_category MALWARE, malware_family PowerShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Spy.KeyLogger.OCI CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"pcname="; depth:7; content:"&note="; distance:0; content:"&country="; distance:0; content:"&user="; distance:0; content:"&log="; distance:0; reference:url,www.virusradar.com/en/Win32_Spy.KeyLogger.OCI/description; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis/; classtype:command-and-control; sid:2017343; rev:3; metadata:created_at 2013_08_19, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"pipka="; within:20; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028993; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Related Lame Updater User-Agent"; flow:established,to_server; http.user_agent; content:"LameUpdater"; depth:11; classtype:trojan-activity; sid:2017347; rev:5; metadata:created_at 2011_04_07, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M1"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"authorizenet_cc_number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028994; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Napolar.A Getting URL"; flow:to_server,established; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36|0d 0a|Host"; fast_pattern; depth:126; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017362; rev:3; metadata:created_at 2013_08_21, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M2"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"ctl00_PageContent_tbCardNumber"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028995; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO InetSim Response from External Source Possible SinkHole"; flow:from_server,established; http.server; content:"INetSim HTTP Server"; bsize:19; classtype:bad-unknown; sid:2017363; rev:3; metadata:created_at 2013_08_21, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M3"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"input-cc-number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028996; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M4"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"|27|cc_number|27|"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028997; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.uri; content:".action?"; content:"redirectAction|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M5"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"paypal_direct_cc_number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028998; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:5; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M6"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"ECommerce_DF_paymentMethod_number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Win32/Napolar.A URL Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:3; metadata:created_at 2013_08_22, updated_at 2020_04_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M7"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"input|5b|id$=|7c|x27_CardNumber|7c|x27|5d|"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2029000; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Dirtjump Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"req="; depth:4; pcre:"/^[A-Za-z0-9]{15}(?:[A-Za-z0-9]{19})?$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:command-and-control; sid:2017385; rev:3; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=txt$/Rsi"; content:"=1&type=txt"; endswith; http.request_body; content:"---------------------- ["; startswith; fast_pattern; content:"] ----------------------"; within:40; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029147; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT-12 Related C2"; flow:to_server,established; http.uri; content:"/url.asp?"; content:"-ShowNewsID-"; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:targeted-activity; sid:2017386; rev:3; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_24;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerSploit/PowerView SMTP Data Exfil"; flow:established,to_server; content:"Subject|3a 20|DC|3a|"; content:"|20|PC|3a|"; within:10; content:"|20|SRV|3a|"; within:10; content:"|20|DA|3a|"; within:10; content:"|20|AV|3a|"; within:10; content:"Full report"; distance:0; content:"Domain"; distance:0; content:"Domain Admins"; distance:0; content:"Antivirus Software"; distance:0; fast_pattern; classtype:command-and-control; sid:2029276; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"txtpath="; depth:8; content:"&cmd="; classtype:trojan-activity; sid:2017392; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Group 21 Payload CnC Checkin"; flow:established,to_server; dsize:<400; content:"|3a 3a|MAC|3a 3a|"; startswith; content:"|3a 3a|HOSTNAME/USERNAME|3a 3a|"; within:100; fast_pattern; content:"|3a 3a|U-FILE|3a 3a|"; within:100; reference:md5,6a271282fe97322d49e9692891332ad7; classtype:trojan-activity; sid:2035061; rev:3; metadata:created_at 2020_01_16, former_category MALWARE, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?upload=@&txtpath="; http.request_body; content:"Upload !"; classtype:trojan-activity; sid:2017393; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nexus Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"Mozilla"; http.request_body; content:"{"; startswith; content:"|7e 3b 5e 3b|Windows|20|"; within:50; fast_pattern; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; http.header_names; content:!"Referer"; reference:md5,8bd8582155ef003b8a24d341d75f1d7f; classtype:command-and-control; sid:2029298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_21, deployment Perimeter, former_category MALWARE, malware_family Nexus, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?:adbandinternet-providers|king(?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017457; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin CnC Response"; flow:established,from_server; flowbits:isset,ET.sarwent.1; http.stat_code; content:"200"; http.response_body; content:"|20|IP|20|"; pcre:"/^[^\x20-\x7e\r\n]/R"; content:"|20 2e 20 2e 20 2e 20 2e 20 2e 20|"; within:50; content:"DNS-"; distance:0; pcre:"/^[^\x20-\x7e\r\n]/R"; content:"|20 2e 20 2e 20 2e 20 3a 20|"; distance:0; pcre:"/^(?:[a-f0-9]{2}-){5}[a-f0-9]{2}/R"; content:"|0d 0a 20 20 20|DHCP|20|"; within:10; fast_pattern; classtype:command-and-control; sid:2029475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:lignanthypertension|gazinedownload)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017458; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer - Uploading System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&cc="; content:"&pc="; content:"&hash="; http.user_agent; content:"uploader"; bsize:8; http.header; content:"User-Agent|3a 20|uploader|0d 0a|"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"PK"; distance:0; http.header_names; content:!"Referer"; reference:md5,046dcdb20a8358faadc394e786820dd4; classtype:trojan-activity; sid:2034323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|viewwinters|payment24)\.com|alestate-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017459; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound MonetizeUs/LNKR Struct"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|28|function"; depth:50; content:"g=|22|"; distance:0; pcre:"/^[a-f0-9]{18}\x22/R"; content:"=|5b 22|mid=|22 2c 22|wid="; distance:0; fast_pattern; content:"|22|sid=|22 2c 22|tid="; within:30; content:"|22|rid="; distance:0; content:"monetizationsConfig|3a|"; distance:0; threshold:type limit, count 1, seconds 120, track by_src; reference:md5,0866447a440f1e01a391ccb1c0ab150d; classtype:command-and-control; sid:2029591; rev:2; metadata:affected_product Web_Browsers, created_at 2020_03_09, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; http.host; pcre:"/^[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2017460; rev:4; metadata:created_at 2013_09_13, former_category INFO, updated_at 2021_08_13;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE MalDoc Retrieving msiexec Commands via DNS TXT"; content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"|00 10|"; distance:0; content:"msiexec|20 2f|"; within:40; fast_pattern; nocase; reference:md5,029e926243feed488754cd21a69b5528; classtype:trojan-activity; sid:2029607; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess P2P Module v6 Reporting"; flow:to_server,established; http.uri; content:"dj02LjAmaWQ9"; offset:13; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,dnsamplificationattacks.blogspot.gr/p/blog-page.html; classtype:trojan-activity; sid:2017462; rev:3; metadata:created_at 2013_09_13, updated_at 2020_04_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Reporting Network Info"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"x="; depth:2; content:"&info="; within:10; content:"&an=["; distance:0; content:"] WAN "; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M9 (set)"; flow:established,to_server; content:"|a5 20 94 f5|"; depth:4; fast_pattern; content:"|6d 54 21|"; distance:1; within:3; flowbits:set,ET.Parallax-9; flowbits:noalert; reference:md5,1b3f8c92d5d1ace34fa4dc2dd80c3eb7; classtype:command-and-control; sid:2030027; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_25, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2020_04_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF_BASHLITE.SMB Dropping Files"; flow:established,to_server; http.uri; content:"/.ni|67 67|ers/bin"; fast_pattern; content:".sh"; within:5; http.user_agent; content:"Wget/"; depth:5; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/; classtype:trojan-activity; sid:2019747; rev:5; metadata:created_at 2014_11_19, updated_at 2020_08_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M9"; flow:established,to_client; content:"|a5 20 94 f5|"; depth:4; fast_pattern; content:"|6d 54 21|"; distance:1; within:3; flowbits:isset,ET.Parallax-9; reference:md5,1b3f8c92d5d1ace34fa4dc2dd80c3eb7; classtype:command-and-control; sid:2030039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_25, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2020_04_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Konni Encrypted Stage 2 Payload Inbound via HTTP"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MhyTiDJJJJ"; startswith; content:"JJJJJJJLeJJJJJJJJJJeI4"; within:150; fast_pattern; reference:md5,d41b09aa32633d77a8856dae33b3d7b9; classtype:command-and-control; sid:2030220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Konni, updated_at 2020_08_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.largefamiliesonpurpose.com"; bsize:31; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030028; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Godzilla Loader Base64 Filename"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>[a-zA-Z0-9+/=]{28}/Rsi"; content:"</div>"; within:6; classtype:trojan-activity; sid:2022594; rev:5; metadata:created_at 2016_03_05, updated_at 2020_08_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"line.monalisapizzeriasi.com"; bsize:27; reference:md5,c09e51350aa0a023136542d0b613755e; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030029; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/NR42 Bot Parsing Config From Webpage"; flow:established,from_server; threshold:type both, track by_src, count 60, seconds 60; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<sendusername>"; fast_pattern; content:"</sendusername>"; within:30; content:"<guser>"; distance:0; content:"</guser>"; distance:0; content:"<files>"; distance:0; content:"</files>"; distance:0; content:"<cmdua>"; distance:0; content:"</cmdua>"; distance:0; content:"<cmdkmt>"; distance:0; reference:md5,32730022593ebd2c93126d34bc60b654; classtype:trojan-activity; sid:2024182; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi ISFB)"; flow:established,to_server; tls.sni; content:"basa.nutarborg.com"; bsize:18; reference:md5,f461bf12c4d3ed1d25af638d9f21ca0f; reference:url,twitter.com/JAMESWT_MHT/status/1250391330192269314; classtype:domain-c2; sid:2030030; rev:1; metadata:attack_target Client_and_Server, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] JS.Trojan-Downloader.Nemucod.yo HTTP POST (:Exec:)"; flow: established, to_server; threshold:type limit, track by_src, count 1, seconds 30; http.request_body; content:"|3a 3a 3a|Exec|3a 3a 3a|http"; depth:40; fast_pattern; content:"|3a|//"; within:4; content:".exe|3a 3a|"; within:100; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Internet, former_category TROJAN, malware_family Nemucod, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC"; flow:established,to_server; http.uri; content:"/gr-mail/tr-mail.php"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017464; rev:4; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoalaBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a|"; content:"KAMA NT"; within:50; fast_pattern; content:"BULLET|3b|"; within:20; content:"REGION|3b|"; within:20; http.request_body; pcre:"/^[A-Za-z0-9]{10,}[\-\)\(]{1,2}/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,523de838dd44cdd6f212d36c142d830c; classtype:command-and-control; sid:2024531; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category MALWARE, malware_family CoalaBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srev.asp"; http.request_body; content:"action="; depth:7; content:"&b_name="; distance:0; content:"&b_conter="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:command-and-control; sid:2017466; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_09_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:command-and-control; sid:2009297; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zzinfor.A Retrieving Instructions From CnC Server"; flow:established,to_server; http.uri; content:"/static/hotkey.txt"; http.header_names; content:!"User-Agent"; content:!"Accept-"; reference:md5,7e37a407a8fb0df3b2835419ad16f500; reference:md5,422b926dbbe03d0e4555328282c8f32b; classtype:command-and-control; sid:2017489; rev:4; metadata:created_at 2013_09_19, former_category MALWARE, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body; content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:command-and-control; sid:2008442; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader.Mevade.FBV CnC Beacon"; flow:established,to_server; urilen:42; http.uri; content:"/updater/"; pcre:"/^[a-f0-9]{32}\/[0-9]$/Ri"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/; reference:url,blog.damballa.com/archives/2135; classtype:command-and-control; sid:2017490; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_09_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body; content:"&ie="; http_client_body; content:"&input="; http_client_body; content:"&c="; http_client_body; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:10; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Reports/install-report.php"; content:"abbr="; http.user_agent; content:"TALWinInetHTTPClient"; reference:url,doc.emergingthreats.net/2010241; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010241; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara="; http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; http.header; content:".com.exe"; nocase; file.data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:6; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT.Agtid callback"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Agtid|3a 20|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2017511; rev:4; metadata:created_at 2013_09_24, former_category MALWARE, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body; depth:11; classtype:command-and-control; sid:2014428; rev:7; metadata:created_at 2012_03_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; http.uri; content:"/statistic.js?k="; content:"&d="; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017512; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:command-and-control; sid:2014347; rev:6; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-sending"; nocase; content:".exe"; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:command-and-control; sid:2017517; rev:6; metadata:created_at 2013_08_28, former_category MALWARE, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:5; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; flowbits:set,ET.Hiloti; http.uri; content:"/get"; nocase; content:".php?c="; nocase; distance:0; content:"&d="; nocase; distance:0; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2010071; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:4; metadata:created_at 2011_08_04, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mevade Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/attachments/ip.php"; classtype:command-and-control; sid:2017558; rev:4; metadata:created_at 2013_10_05, former_category MALWARE, updated_at 2020_04_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value"; flow:to_server,established; http.uri; content:".php?"; nocase; content:"=AES_ENCRYPT("; nocase; distance:0; reference:url,localhost.re/p/whmcs-527-vulnerability; classtype:attempted-admin; sid:2017560; rev:5; metadata:created_at 2013_10_05, updated_at 2020_04_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLocker EXE Download"; flow:to_server,established; http.uri; content:"/crypt_"; content:"sell"; distance:0; content:".exe"; distance:0; pcre:"/\/crypt_[^\/]*?sell[^\/]*?\d\.exe$/"; classtype:trojan-activity; sid:2017583; rev:6; metadata:created_at 2013_10_12, updated_at 2020_04_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17; classtype:successful-user; sid:2014531; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan Update officeaddinupdate.xml Request"; flow:established,to_server; http.uri; content:"/officeaddinupdate.xml"; bsize:22; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017586; rev:4; metadata:created_at 2013_10_14, updated_at 2020_04_27;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> any any (msg:"ET SCAN NETWORK Outgoing Masscan detected"; flow:established,to_server; http.user_agent; content:"masscan/"; depth:8; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017615; rev:6; metadata:created_at 2013_10_18, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:20; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET SCAN NETWORK Incoming Masscan detected"; flow:established,to_server; http.user_agent; content:"masscan/"; depth:8; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017616; rev:6; metadata:created_at 2013_10_18, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>"; http_client_body; nocase; fast_pattern; pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:8; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"name=|22|key|22|"; nocase; content:"filename=|22|key.bin|22|"; nocase; content:"name=|22|data|22|"; nocase; content:"filename=|22|data.bin|22|"; nocase; reference:md5,c71416a9ec5414fe487167b5bfd921ec; classtype:trojan-activity; sid:2017620; rev:5; metadata:created_at 2013_10_21, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2014105; rev:5; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection"; flow:established,to_server; http.uri; content:"[sqltype]="; nocase; content:"[value]="; nocase; content:".php?"; nocase; reference:url,localhost.re/res/whmcs2.py; classtype:attempted-admin; sid:2017622; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_10_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:command-and-control; sid:2013440; rev:7; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"X-Sinkhole|3a 20|"; nocase; classtype:trojan-activity; sid:2016803; rev:6; metadata:created_at 2013_05_01, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Asynchronous WinHTTP"; http_user_agent; depth:20; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:command-and-control; sid:2015753; rev:4; metadata:created_at 2012_10_01, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Web Crawl using Wget"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"Wget"; nocase; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; classtype:attempted-recon; sid:2002823; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:command-and-control; sid:2014014; rev:7; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits"; flow:established,to_client; http.content_type; content:"application/java-archive"; fast_pattern; http.header; content:"X-Powered-By|3a 20|PHP/"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2017637; rev:4; metadata:created_at 2013_10_28, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; fast_pattern:only; nocase; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:command-and-control; sid:2010565; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell in POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eval"; content:"mcrypt_decrypt"; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017641; rev:5; metadata:created_at 2013_10_28, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|"; distance:0; classtype:trojan-activity; sid:2017962; rev:5; metadata:created_at 2014_01_13, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TRAT proxy component user agent detected"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0.1.3|3b 20|"; nocase; fast_pattern; reference:url,www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html; classtype:trojan-activity; sid:2017646; rev:6; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2020_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 3"; flow:from_server,established; file_data; content:"c=rdl&u="; depth:8; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015904; rev:7; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.request_body; content:"b=1&name="; depth:9; fast_pattern; content:"&uuid="; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017643; rev:5; metadata:created_at 2013_10_30, former_category MALWARE, updated_at 2020_04_27;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018478; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Badur.Spy User Agent lawl"; flow:established,to_server; http.header; content:"User-Agent|3a 20|lawl"; reference:md5,4f5d28c43795b9c4e6257bf26c52bdfe; classtype:trojan-activity; sid:2017655; rev:5; metadata:created_at 2013_11_01, updated_at 2020_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; classtype:trojan-activity; sid:2011991; rev:4; metadata:created_at 2010_12_01, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment"; flow:established,to_client; http.header; content:" filename=|22|%2e/files/"; nocase; pcre:"/^[^\x22\x2f\r\n]+?\x22\r\n/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:command-and-control; sid:2016742; rev:7; metadata:created_at 2013_04_09, former_category MALWARE, updated_at 2022_04_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|"; classtype:trojan-activity; sid:2012208; rev:6; metadata:created_at 2011_01_21, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])pwd=/i"; pcre:"/(?:^|[\n\&])name=(?:%\d{2}|[^%&]){129}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017684; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; classtype:trojan-activity; sid:2012227; rev:7; metadata:created_at 2011_01_24, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])name=/i"; pcre:"/(?:^|[\n\&])pwd=(?:%\d{2}|[^%&]){25}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017685; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; content:"etup.exe"; nocase; classtype:trojan-activity; sid:2012318; rev:7; metadata:created_at 2011_02_18, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/close_window.cgi"; nocase; http.request_body; content:"sess_sid="; nocase; pcre:"/(?:^|[\n\&])sess_sid=(?:%\d{2}|[^%&]){21}/"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017686; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; http_uri; content:"a=Windows"; nocase; http_uri; content:"&b="; http_uri; content:"&c="; http_uri; content:"&f="; http_uri; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/iU"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:command-and-control; sid:2012631; rev:6; metadata:created_at 2011_04_05, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/close_window.cgi"; nocase; http.request_body; content:"ACT="; nocase; pcre:"/(?:^|[\n\&])ACT=(?:%\d{2}|[^%&]){21}/i"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017687; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; content:".exe"; within:32; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:6; metadata:created_at 2011_10_12, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cgi/url_redirect.cgi"; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017688; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Schneebly Posting ScreenShot"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/viewimage.php?s="; nocase; content:!"&"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"filename="; content:"JFIF"; distance:0; reference:url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017689; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:3; metadata:created_at 2014_08_26, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Variant CnC Beacon 1"; flow:established,to_server; http.uri; content:"/rssfeed.php?a="; pcre:"/^[^&]+?&\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017690; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $HOME_NET any -> 195.22.26.192/26 any (msg:"ET MALWARE AnubisNetworks Sinkhole UDP Connection";  classtype:trojan-activity; sid:2019632; rev:5; metadata:created_at 2014_11_03, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Citadel.Arx Varient CnC Beacon 2"; flow:established,to_server; http.uri; content:"/psp.php?p="; content:"&g="; content:"&s="; content:"&t="; content:"&r="; http.header_names; content:!"Referer|0d 0a|"; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:command-and-control; sid:2017691; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_11_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019216; rev:4; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Magnitude IE EK Payload Nov 8 2013"; flow:established,to_server; urilen:34; http.uri; content:"/?"; depth:2; fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:exploit-kit; sid:2017694; rev:7; metadata:created_at 2013_11_08, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:3; metadata:created_at 2014_08_28, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FaceBook IM & Web Driven Facebook Trojan Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tsone/ajuno.php"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"u="; depth:2; content:"&p="; distance:0; content:"&l="; distance:0; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017697; rev:6; metadata:created_at 2013_11_08, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017678; rev:4; metadata:created_at 2013_11_06, former_category HUNTING, updated_at 2021_06_23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:17; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Download Executable"; flow:established,to_server; http.uri; content:"/gate.php?cmd=getinstallconfig"; fast_pattern; endswith; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016902; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_27;)
+alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA DDoS Handshake Success"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:2024382; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
+alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA Botnet C2 Host Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:command-and-control; sid:2024383; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; threshold: type both, count 5, seconds 60, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.request_body; content:"login="; depth:6; content:"$pass="; within:50; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:4; metadata:created_at 2013_11_15, updated_at 2020_04_27;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern; flowbits:set,FB346039_0; flowbits:noalert; classtype:command-and-control; sid:2024772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital checkin"; flow:established,to_server; http.uri; content:".php?subid="; content:"&os="; distance:0; content:"&id="; distance:0; content:"&ver="; distance:0; classtype:command-and-control; sid:2017710; rev:4; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_04_27;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sisproc update"; flow:to_server,established; http.uri; content:"/poll/update.txt"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:6; metadata:created_at 2013_11_16, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; pcre:"/[^A-Za-z0-9+/]TVqQA/"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:12; metadata:created_at 2014_07_31, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; http.uri; content:"/post.php?referanceMod="; nocase; content:"java"; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:5; metadata:created_at 2013_11_20, updated_at 2020_04_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:command-and-control; sid:2020860; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; urilen:10; flowbits:set,et.GENOME.AV; http.method; content:"GET"; http.uri; content:"/other.txt"; fast_pattern; http.header; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:4; metadata:created_at 2013_11_25, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Scriptlet Invoking Powershell Likely Malicious"; flow:established,from_server; file_data; content:"WScript.shell"; nocase; fast_pattern; content:"ActiveXObject"; nocase; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; distance:0; pcre:"/^.{1,1000}p(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?o(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?w(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?r(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?s(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?h(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l/Rsi"; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; http.user_agent; content:"Zollard"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:3; metadata:created_at 2013_12_05, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1$/Rsi"; content:"=1"; endswith; http.request_body; content:"ping|7c|"; bsize:5; fast_pattern; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029145; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; nocase; http.uri; content:"/ctc/"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017802; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.QQPass.OZV Variant Checkin"; flow:established,to_server; http.uri; content:"/cpa"; content:".asp?mac="; distance:2; within:9; content:"&os="; distance:0; content:"&ip="; distance:0; content:"&dz="; distance:0; content:"&ver="; distance:0; reference:md5,12ff8df1941f941bab531f60a5a97556; classtype:command-and-control; sid:2029244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=system"; nocase; content:"j_password=Passw0rd"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017803; rev:5; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"kulkarni.bounceme.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=system"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017804; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"byfleur.myftp.org"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=monitor"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017805; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"dynamics.ddnsking.com"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Operator Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=operator"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017806; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"accountsx.bounceme.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029415; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt"; flow:to_server,established; http.uri; content:"select"; nocase; content:"mysql.user"; nocase; distance:1; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017807; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"invoke.ml"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:to_server,established; http.uri; content:"information_schema"; nocase; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017808; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"vvavesltd.servebeer.com"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DirCrypt.Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; fast_pattern; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,johannesbader.ch/2015/03/the-dga-of-dircrypt; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; classtype:command-and-control; sid:2017308; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_04_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"capitana.onthewifi.com"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029418; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Safe/CritX/FlashPack URI Struct .php?id=Hex"; flow:established,to_server; http.uri; content:".php?id="; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=/"; classtype:exploit-kit; sid:2017814; rev:4; metadata:created_at 2013_12_06, former_category EXPLOIT_KIT, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"thestar.serveblog.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Zbot EXE filename Dec 09 2013"; flow:established,to_server; http.uri; content:"/bc.exe"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2017818; rev:3; metadata:created_at 2013_12_10, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gen/actual_domain_my.php?pck="; startswith; fast_pattern; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029498; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Connection To Known Sinkhole Domain sinkdns.org"; flow:to_server,established; http.host; content:".sinkdns.org"; pcre:"/^(\x3a\d{1,5})?$/R"; classtype:trojan-activity; sid:2017838; rev:3; metadata:created_at 2013_12_12, updated_at 2020_04_27;)
+#alert udp $HOME_NET 1234 -> $EXTERNAL_NET any (msg:"ET MALWARE NAZAR EYService File exfiltrate response"; id:1; content:"---"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030057; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; startswith; content:"&info="; distance:0; pcre:"/^id=[A-Z0-9]+?&info=[A-Z0-9]+?$/"; classtype:command-and-control; sid:2017839; rev:3; metadata:created_at 2013_12_12, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.3.5 CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=njgGCEgbkXQIgexSr"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html; classtype:command-and-control; sid:2030314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/lib/admin/media-upload"; pcre:"/^(?:-lncthumb|-sq_button)?\.php/Ri"; http.request_body; content:"<?"; content:".php"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017853; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"|0d 0a 0d 0a|"; distance:0; byte_extract:1,4,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; http.host; pcre:"/^(?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+\.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}$/"; http.start; content:"POST / HTTP/1.1|0d 0a|"; depth:17; fast_pattern; reference:md5,148112df459ba40b9127f7d4f1c08df2; classtype:trojan-activity; sid:2020825; rev:8; metadata:created_at 2015_04_01, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MovieStar.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p3oahin/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017855; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matiex Keylogger Exfil Via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; content:"|20|Matiex|20|Keylogger|20|"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|document|22 3b 20|filename=|22|MatiexPasswords.txt|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1289205457559547910; reference:md5,1275d29213c2580894371739beb16148; classtype:command-and-control; sid:2030633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Snake.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ke3chang/Directx.aspx?r="; depth:25; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017856; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/main.php"; fast_pattern; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http.header_names; content:!"Referer"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:command-and-control; sid:2022538; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Campaign CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/MYWEB/SearchX.ASpX?id1="; depth:24; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017857; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Havex Checkin"; flow:established,to_server; http.uri; content:".php?id="; fast_pattern; pcre:"/^\d{30}\w{6}-\d{2}-\d{3}-\d{9}$/R"; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/; classtype:command-and-control; sid:2020083; rev:4; metadata:created_at 2014_12_30, former_category MALWARE, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.Dream.APT Campaign CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/shfam9y/"; depth:9; content:".aspx?r="; distance:0; content:"&a="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017859; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Ratenjay POST with System Information"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NetSupport Manager/1.3"; depth:22; http.request_body; content:"CMD="; depth:4; content:"CLIENT_ADDR="; distance:0; fast_pattern; content:"PORT="; distance:0; content:"MACADDRESS="; distance:0; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,78c80a33f77d5efd69969b5ddf93e348; classtype:trojan-activity; sid:2035894; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Ratenjay, performance_impact Moderate, signature_severity Major, updated_at 2020_08_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASNAROK Related Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"sophosefirewallupdate.com"; bsize:25; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030032; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 1"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; depth:41; nocase; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_12, deployment Perimeter, former_category TROJAN, malware_family wannacry, signature_severity Critical, tag Ransomware, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Eourdegh/Swdfrp.ASpX?id1="; depth:26; content:"&id2="; distance:0; content:"&id3="; distance:0; content:"&id4="; distance:0; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a; classtype:targeted-activity; sid:2017860; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns.query; content:"epmhyca5ol6plmx3"; nocase; depth:16; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/antidisestablishmentarianism"; reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; classtype:attempted-recon; sid:2008416; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns.query; content:"7tno4hib47vlep5o"; nocase; depth:16; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Feed404 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/feed404/mysfeeds.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017867; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-gov.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030720; rev:1; metadata:attack_target Client_and_Server, created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_08_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Images CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/images/gx.php"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:command-and-control; sid:2017868; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mekotio HTTP Method (111SA)"; flow:established,to_server; http.method; content:"111SA"; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030719; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Get Final Payload Request"; flow:established,to_server; http.uri; content:"/get/"; content:"/final"; http.cookie; content:"ip="; depth:3; pcre:"/^[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}/R"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017870; rev:4; metadata:created_at 2013_12_17, updated_at 2020_04_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=BitRAT"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=BitRAT"; nocase; endswith; reference:url,krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/; classtype:domain-c2; sid:2030724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_22, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"(compatible|3b| Google Desktop)"; fast_pattern; nocase; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:15; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker/Janicab CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=add&cn="; fast_pattern; content:"&un="; distance:0; content:"&v="; distance:0; content:"&av="; distance:0; content:"&an="; distance:0; reference:url,securelist.com/deathstalker-mercenary-triumvirate/98177/; classtype:command-and-control; sid:2030725; rev:1; metadata:created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Janicab, signature_severity Major, tag APT, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; flowbits:set,ET.autoit.ua; http.header; content:"User-Agent|3a 20|AutoIt"; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker/Powersing CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|un|22 3a|"; content:"|22|cn|22 3a|"; distance:0; content:"|22|av|22 3a|"; distance:0; content:"|22|dob|22 3a|"; distance:0; fast_pattern; content:"|22|os|22 3a|"; distance:0; content:"|22|ou|22 3a|"; distance:0; content:"|22|dc|22 3a|"; distance:0; reference:url,securelist.com/deathstalker-mercenary-triumvirate/98177/; classtype:command-and-control; sid:2030726; rev:1; metadata:created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Powersing, signature_severity Major, tag APT, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; http.request_body; content:"Jm9zX2ZsYXZvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed APT/SideWinder CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cdn-gov.net"; bsize:11; reference:md5,a59df006d000b2ad5fb328e23a05ff43; classtype:domain-c2; sid:2030723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; http.request_body; content:"Zvc19mbGF2b3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.ACBD CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_len; bsize:3; content:"364"; http.request_body; content:"OE1utcJ1hOpXDXMMv7v6fEB0TE58D8zB2PFvgXLL"; startswith; reference:md5,26382278c3d185d750203d6a600f8ae9; classtype:command-and-control; sid:2030727; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; http.request_body; content:"mb3NfZmxhdm9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Downloader Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/buildings.php"; endswith; fast_pattern; http.content_len; content:"11"; bsize:2; http.host; pcre:"/(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a31e3b8d2f5e0369be8f3dbb7e23120b; reference:url,twitter.com/Vishnyak0v/status/1269651391980736513; classtype:trojan-activity; sid:2030728; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS FOCA User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"User-Agent|3a 20|FOCA"; fast_pattern; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017949; rev:6; metadata:created_at 2014_01_10, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9/+]{171}=/R"; http.header_names; content:!"Referer"; reference:md5,d3f53580f7ce72caf9be799106ad89ca; classtype:targeted-activity; sid:2033713; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; http.request_body; content:"work_dir="; content:"command="; content:"submit_btn=Execute+Command"; classtype:web-application-attack; sid:2017952; rev:3; metadata:created_at 2014_01_11, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; http.uri; content:"/im"; content:"?id="; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:(?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; fast_pattern; pcre:"/ms-?office/"; http.host; content:!".money-media.com"; content:!"ad.payclick.it"; content:!"sellercore.com"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:8; metadata:created_at 2015_08_19, former_category TROJAN, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Mevade.Variant CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F(?:policy|cache)$/"; http.header; content:"uuid|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|C8 71 04 ED 87 F6 DD 77 87|"; depth:9; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:command-and-control; sid:2017959; rev:3; metadata:created_at 2014_01_12, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?machine_id="; fast_pattern; content:"&x64"; distance:0; content:"&version="; distance:0; content:"&video_card="; distance:0; content:"&cpu="; distance:0; content:"&junk="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:command-and-control; sid:2025148; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Bot_Sezin, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; http.header; content:"X-Stratum|3A|"; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:coin-mining; sid:2017960; rev:3; metadata:created_at 2014_01_12, former_category POLICY, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qtloader encrypted check-in Oct 19 M1"; flow:established,to_server; http.request_body; content:"|2c 45 32 4d f1 38 55|"; depth:7; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kishop.A checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:".php?mark="; content:"&type="; content:"&theos="; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:command-and-control; sid:2017964; rev:3; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.header; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; fast_pattern; http.header_names; content:"|0d 0a|x-user-agent|0d 0a|"; content:"|0d 0a|x-whoami|0d 0a|"; content:"|0d 0a|x-pwd|0d 0a|"; content:"|0d 0a|x-hostname|0d 0a|"; content:"|0d 0a|x-isadm|0d 0a|"; content:"|0d 0a|x-is64Env|0d 0a|"; content:!"User-Agent"; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:command-and-control; sid:2025157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, malware_family YesMaster, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http.request_body; content:"m"; depth:1; pcre:"/^(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/R"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:command-and-control; sid:2017917; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WooSIP Downloader CnC CreateFolderOnServer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/process_ad.php?sDir="; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:command-and-control; sid:2025165; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/wow/wow.asp"; depth:12; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"&WOWID="; depth:7; content:"&Area="; distance:0; content:"&WU="; distance:0; content:"&WP="; distance:0; content:"&MAX="; distance:0; content:"&Gold="; distance:0; content:"&Serv="; distance:0; content:"&rn="; distance:0; content:"&key="; distance:0; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:command-and-control; sid:2017970; rev:4; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WooSIP Downloader CnC DeleteFileOnServer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/process_ad.php?fileDel="; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:command-and-control; sid:2025166; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye C&C Check-in URI"; flow:established,to_server; http.uri; content:"guid="; content:"ver="; content:"stat="; fast_pattern; content:"ie="; content:"os="; pcre:"/(\?|&)guid=[^!&]+?\!/"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:command-and-control; sid:2011857; rev:7; metadata:created_at 2010_10_27, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WooSIP Downloader CnC WriteMetadataOnServer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/write_meta.php?sDir="; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:command-and-control; sid:2025167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/reportMessage"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smurf2 CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0"; http.request_body; content:"teststr="; depth:8; nocase; fast_pattern; content:"&testval="; nocase; distance:0; http.accept; content:"??"; reference:md5,e2d136bb63edc092d2f3d26885b239d9; classtype:command-and-control; sid:2025168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/getTask"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018003; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Executable Sent When Remote Host Claims to Send a RAR Archive"; flow:established,from_server; http.content_type; content:"application/rar"; nocase; fast_pattern; bsize:15; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2022874; rev:4; metadata:created_at 2016_06_08, former_category INFO, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Vagaa peer-to-peer (Transfer)"; flow:from_client,established; http.header; content:"VAGAA-OPERATION|3a| Transfer|0d 0a|"; reference:url,en.wikipedia.org/wiki/Vagaa; classtype:policy-violation; sid:2018012; rev:3; metadata:created_at 2014_01_27, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Executable Downloaded With Image Content-Type Header"; flow:established,to_client; http.content_type; content:"image/"; depth:6; file.data; content:"This program must be run under Win"; within:125; fast_pattern; classtype:trojan-activity; sid:2025169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Limitless Logger RAT HTTP Activity"; flow:established,to_server; http.uri; content:"/Limitless/Login/"; http.host; content:"limitlessproducts.org"; classtype:trojan-activity; sid:2018030; rev:3; metadata:created_at 2014_01_28, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M1"; flow:established,to_server; http.request_line; content:"GET|20|/api/up.php|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Content-Type"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download MessageBox"; flow:established,to_server; http.uri; content:"/MessageBox.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018038; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; http.uri; content:".php?mac="; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download ComputerInfo"; flow:established,to_server; http.uri; content:"/ComputerInfo.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018039; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 9"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025178; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarBot Plugin Download WalletSteal"; flow:established,to_server; http.uri; content:"/WalletSteal.bin"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018040; rev:3; metadata:created_at 2014_01_30, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oilrig Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?version="; fast_pattern; pcre:"/^[0-9]+lu[0-9]+d[0-9]+$/Ri"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub; classtype:command-and-control; sid:2025182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, malware_family OilRig, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forumdisplay.php?fid="; http.request_body; content:"id="; depth:3; content:"&info="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:command-and-control; sid:2018047; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_01_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)"; flow:established,to_server; http.user_agent; content:"binary_getter"; depth:13; classtype:bad-unknown; sid:2025203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nikto Web App Scan in Progress"; flow:to_server,established; threshold: type both, count 5, seconds 60, track by_src; http.user_agent; content:"(Nikto"; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:2002677; rev:14; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 30; http.stat_code; content:"200"; file.data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; http.uri; content:"/iconfig.txt"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MoneroPay Ransomware Payment Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/paid?id="; fast_pattern; pcre:"/^[a-f0-9]{16}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Blackshades/Shadesrat Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"crypt"; depth:5; content:"="; within:3; reference:md5,9d11cfb7799089823483b72daec5fd2b; reference:md5,a01451eae2d47872ce796bb85f116710; classtype:command-and-control; sid:2018079; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Gozi/Ursnif Payload v14"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f 90 d9 d4|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2025205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_17, deployment Perimeter, former_category TROJAN, malware_family ursnif, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASNAROK Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ragnarokfromasgard.com"; bsize:22; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030034; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_27;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Adwind SSL Certificate Observed"; flow:established,from_server; tls.cert_issuer; content:"hgfyuilijhk"; tls.cert_serial; content: "70:FE:E3:2F"; fast_pattern; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2025209; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, malware_family Adwind, malware_family Qarallex, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/register"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018000; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Chrome Extension Requesting Websocket"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Upgrade|3a 20|websocket|0d 0a|"; content:"Origin|3a 20|chrome-extension|3a|//ppmibgfeefcglejjlpeihfdimbkfbbnm|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025220; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/login"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018001; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Drun Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Host|3a 20|"; depth:6; http.request_body; content:"kind="; depth:5; fast_pattern; content:"&id="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:url,twitter.com/securitydoggo/status/954337767751905280; classtype:command-and-control; sid:2025225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2018_01_19, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/report"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018002; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Formbook 0.3 Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla"; depth:7; http.request_body; content:"dat="; depth:4; nocase; fast_pattern; pcre:"/^[a-z0-9_\/+-]{1000}/Ri"; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:command-and-control; sid:2024436; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category MALWARE, malware_family Password_Stealer, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_07, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS.ARS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?os=windows"; nocase; fast_pattern; content:"&user="; distance:0; content:"&av="; distance:0; content:"&fw="; distance:0; content:"&hwid="; distance:0; content:"&x="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/B_H101/status/954984729329184768; classtype:command-and-control; sid:2025230; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirtJumper Activity"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; http.request_body; content:"&req="; pcre:"/^\d+?=\d+?(?:&ver=\d+?)?&req=\d+?(?:&r=)?$/"; reference:md5,5474129345d9756649c871f9c8b46287; reference:md5,ff5608e00d5e6e81af9c993461479e43; classtype:trojan-activity; sid:2018094; rev:3; metadata:created_at 2014_02_07, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/5.0"; fast_pattern; bsize:11; http.request_body; content:"l"; depth:1; content:"=OTl"; within:8; content:"&e"; distance:0; content:"="; within:6; content:"&m"; distance:0; content:"="; within:6; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:command-and-control; sid:2025234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, malware_family travle, malware_family PYLOT, malware_family Rodecap, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon Acknowledgement"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<html><body>hi!<|2F|body><|2F|html>"; within:30; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018097; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?act=hi&uid="; fast_pattern; content:"&ver="; content:"&dotnetver="; content:"&onwork="; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:command-and-control; sid:2025235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rshot.Backdoor File Upload CnC Beacon"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/uploadb.php?"; fast_pattern; http.request_body; content:"name=|22|archivo|22|"; content:".dmp|22|"; distance:0; reference:md5,08881eb702a1525f7792c3fef19ae9ff; classtype:command-and-control; sid:2018100; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SamMiner CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?act=info&uid="; fast_pattern; content:"&ver="; http.request_body; content:"info="; depth:5; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:command-and-control; sid:2025237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Mask C2 Traffic"; flow:established,to_server; http.uri; content:".cgi?Group="; nocase; content:"&Ver="; nocase; content:"&Inst"; nocase; content:"&Ask="; nocase; content:"&Bn="; nocase; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:command-and-control; sid:2018105; rev:3; metadata:created_at 2014_02_11, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Embarcadero URI Client/1.0"; http.request_body; content:"AS100="; fast_pattern; content:"AS200="; distance:0; reference:md5,94cd521945da6ab73bc7a1462283d22a; classtype:command-and-control; sid:2025241; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Jar name JavaUpdate.jar"; flow:established,to_server; http.uri; content:"/JavaUpdate.jar"; nocase; http.user_agent; content:"Java/1."; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018106; rev:4; metadata:created_at 2014_02_11, former_category HUNTING, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p="; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; content:"|0d 0a|Downloading files|0d 0a|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:command-and-control; sid:2025251; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"something"; depth:9; http.request_body; content:"mac="; fast_pattern; depth:4; content:"&t1="; content:"&t2="; pcre:"/^mac=(?:[A-F0-9]{2}-){5}[A-F0-9]{2}&t1=/"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018108; rev:4; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?token="; fast_pattern; pcre:"/^[0-9]{2,6}$/R"; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Rs"; http.content_len; byte_test:0,>,200,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:command-and-control; sid:2025254; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Recon-ng User-Agent"; flow: established,to_server; http.user_agent; content:"Recon-ng"; reference:url,itbucket.org/LaNMaSteR53/recon-ng/overview; classtype:attempted-recon; sid:2018118; rev:4; metadata:created_at 2014_02_12, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php?user="; fast_pattern; content:"&hwid="; distance:0; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,485069677e997ff6ce193be7258c783f; classtype:command-and-control; sid:2025266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackbeard Check-in"; flow:established,to_server; http.uri; content:"/task/2000"; endswith; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018120; rev:3; metadata:created_at 2014_02_12, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kb/"; depth:4; fast_pattern; pcre:"/^\d{4,8}$/R"; http.user_agent; content:!"Microsoft Outlook"; http.header_names; content:!"Referer"; content:"User-Agent"; content:!"Accept"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Smoke_Loader, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linkup Ransomware check-in"; flow:established,to_server; urilen:20; http.method; content:"POST"; http.uri; content:"/uplink.php?logo.jpg"; http.request_body; content:"token="; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:2018122; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_02_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise Style IP Check"; flow:to_server,established; urilen:16; http.uri; content:"/myip?format=txt"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; http.host; content:"api.ipaddress.com"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, malware_family elise, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/Win32.FraudPack User-Agent (Downloader MLR 1.0.0)"; flow:to_server,established; http.user_agent; content:"Downloader MLR 1.0.0"; depth:20; reference:md5,c9d54e9086357491bd1fdf8d8d804dce; classtype:trojan-activity; sid:2018112; rev:5; metadata:created_at 2013_11_04, updated_at 2020_04_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Flashpoint] Possible CVE-2018-4878 Check-in"; flow:established,to_server; http.uri; content:"?id="; nocase; content:"&fp_vs="; nocase; distance:0; fast_pattern; content:"&os_vs="; nocase; distance:0; reference:url,www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/; reference:cve,2018-4878; classtype:trojan-activity; sid:2025305; rev:4; metadata:created_at 2018_02_02, cve cve_2018_4878, former_category TROJAN, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/FakeKakao checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"md="; content:"&fo="; content:"&ds="; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:command-and-control; sid:2018137; rev:4; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup)"; dns.query; content:"kdvm5fd6tn6jsbwh"; nocase; depth:16; classtype:command-and-control; sid:2025332; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_08, deployment Perimeter, former_category MALWARE, malware_family Shurl0ckr, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&token="; depth:7; content:"&target="; depth:8; content:"&rd="; depth:4; content:"&fo="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action="; content:"&hwid="; distance:0; content:"&access="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:command-and-control; sid:2025344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_12, deployment Perimeter, former_category MALWARE, malware_family Ars_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"filter.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer Retrieving CnC Information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Project-Evrial-C2-DOMAIN-"; fast_pattern; nocase; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:command-and-control; sid:2025346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"history.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&ds="; depth:4; content:"&sg="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?response="; content:"&cpu="; distance:0; content:"&gpu="; distance:0; content:"&ram="; distance:0; content:"&name="; distance:0; content:"&os="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:command-and-control; sid:2025359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category MALWARE, malware_family Agent_BIC, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Zapchast Checkin"; flow:to_server,established; http.uri; content:"/files/def"; fast_pattern; endswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:"AutoIt"; depth:6; reference:md5,63586aef2be494150a492d822147055a; classtype:command-and-control; sid:2018142; rev:4; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2020_04_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Redirector in DNS Lookup (vip.rm028 .cn)"; dns.query; content:"vip.rm028.cn"; nocase; reference:url,blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/; classtype:trojan-activity; sid:2025382; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_23, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dadobra.Downloader/DNSChanger Dnsmake CnC Beacon"; flow:established,to_server; http.uri; content:"/dnsmake.txt"; fast_pattern; http.user_agent; content:"Indy Library"; reference:md5,dd3e5b41238a73d627c6c48108a15452; classtype:command-and-control; sid:2018150; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Redirector in DNS Lookup (by007 .cn)"; dns.query; content:"by007.cn"; nocase; reference:url,blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/; classtype:trojan-activity; sid:2025383; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_23, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible BAZAR Backdoor CnC"; ja3.hash; content:"f5e62b5a2ed9467df09fae7a8a54dda6"; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:unknown; sid:2030040; rev:1; metadata:created_at 2020_04_28, former_category JA3, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai/OMG Proxy Variant CnC in DNS Lookup (ccnew.mm .my)"; dns.query; content:"ccnew.mm.my"; nocase; reference:url,blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-proxy-servers5a8e05ccc4f85; classtype:command-and-control; sid:2025384; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2018_02_23, deployment Perimeter, former_category MALWARE, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE AntSword Webshell User-Agent Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|antSword/v"; fast_pattern; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030035; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai/OMG Proxy Variant CnC in DNS Lookup (rpnew.mm .my)"; dns.query; content:"rpnew.mm.my"; nocase; reference:url,blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-proxy-servers5a8e05ccc4f85; classtype:command-and-control; sid:2025385; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2018_02_23, deployment Perimeter, former_category MALWARE, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER AntSword Webshell Commands Inbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|antSword/v"; fast_pattern; http.request_body; content:"cmd="; depth:4; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030036; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (steamdesktopauthenticator)"; dns.query; content:"steamdesktopauthenticator.com"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025386; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER Possible AntSword Webshell Commands Inbound"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Response.Write(|25|22"; within:50; nocase; content:"eval(System.Text.Encoding.GetEncoding(|25|22"; nocase; distance:0; content:"|25|22).GetString(System.Convert.FromBase64String(|25|22"; nocase; distance:0; content:")|25|3BResponse.End()|25|3B&"; nocase; distance:0; fast_pattern; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030037; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (lightalex)"; dns.query; content:"lightalex.ru"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025389; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Query"; dns.query; content:"rythemsjoy.club"; nocase; endswith; classtype:domain-c2; sid:2030038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (steamdesktop)"; dns.query; content:"steamdesktop.com"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 7 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; http.host; content:!"google-analytics.com"; content:!"mail.ru"; content:!"79xs.com"; content:!"paoshuba.cc"; content:!"dajiadu.net"; reference:md5,8494d82ddb37a3780a41da22c07c59dc; reference:url,otx.alienvault.com/indicator/domain/medialogger.ru; reference:url,otx.alienvault.com/pulse/5cc049114824559b525887ec; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012801; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader installed successfully request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/install.php?affid="; depth:19; http.request_body; content:"|64 61 74 61 3d|"; depth:5; content:"|30 31 30|"; distance:64; within:3; fast_pattern; content:"|31|"; distance:1; within:1; classtype:trojan-activity; sid:2012513; rev:5; metadata:created_at 2011_03_16, former_category TROJAN, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:3; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehh.to"; nocase; endswith; classtype:domain-c2; sid:2030733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:4; metadata:created_at 2014_02_19, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaeho.ws"; nocase; endswith; classtype:domain-c2; sid:2030734; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:to_server,established; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/Ii"; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:3; metadata:created_at 2014_02_22, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.top"; nocase; endswith; classtype:domain-c2; sid:2030735; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NanoCore RAT CnC 27"; flow:to_server,established; dsize:68; content:"|40 00 00 00 fe 31 80 44 e7 eb 4a 77|"; depth:12; reference:md5,aa73e99d7e1d62265f75ccc0443a1a7f; classtype:command-and-control; sid:2029996; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.ws"; nocase; endswith; classtype:domain-c2; sid:2030736; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING URL Observed in PDF Downloaded via Dropbox"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"x-dropbox-request-id|3a|"; file.data; content:"|25 50 44 46|"; depth:4; content:"/Type /Action /S /URI"; fast_pattern; nocase; classtype:misc-activity; sid:2030047; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_28, deployment SSLDecrypt, signature_severity Informational, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehz.top"; nocase; endswith; classtype:domain-c2; sid:2030737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [8443,9090] (msg:"ET WEB_SPECIFIC_APPS Symantec Endpoint Manager XXE RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ConsoleServlet?ActionType=ConsoleLog"; http.request_body; content:"Content-Type|3a| text/xml|0d 0a|"; nocase; content:"|3c 21|DOCTYPE"; nocase; content:"http|3a|//127.0.0.1|3a|9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&SequenceNum="; nocase; content:"&Parameter="; nocase; reference:cve,2013-5014; reference:cve,2013-5015; reference:url,cxsecurity.com/issue/WLB-2014020199; classtype:web-application-attack; sid:2018176; rev:4; metadata:created_at 2014_02_26, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugh.to"; nocase; endswith; classtype:domain-c2; sid:2030738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?tq="; fast_pattern; pcre:"/\.(?:(?:jp|pn)g|cgi|gif)\?tq=/"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2013865; rev:8; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugo.ws"; nocase; endswith; classtype:domain-c2; sid:2030739; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Matsnu.L Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?text="; content:"&img_url=http"; distance:0; content:"&rpt=simage&pos="; distance:0; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; http.user_agent; content:" Windows NT 5.0"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=TROJAN%3AWIN32/MATSNU.L; reference:md5,38b1862a42a6453d8ccdf1c2d2eff018; classtype:command-and-control; sid:2018200; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.top"; nocase; endswith; classtype:domain-c2; sid:2030740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Qakbot.Bot Version 8 CnC Beacon"; flow:established,to_server; urilen:7<>32; content:"|0d 0a 0d 0a|v="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[b-u][A-Za-z0-9]{6,25}\.php$/"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"&c="; reference:url,www.anubisnetworks.com/the-return-of-qakbot/; reference:md5,e9201c8b126ac40229e9ce3f82f5c608; reference:md5,749a7bf2ad84212bd78e46d240a4f434; classtype:command-and-control; sid:2018204; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.ws"; nocase; endswith; classtype:domain-c2; sid:2030741; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Inbound GoldenEye DoS attack"; flow:established,to_server; threshold: type both, track by_src, count 100, seconds 300; http.uri; content:"/?"; fast_pattern; depth:2; content:"="; distance:3; within:11; pcre:"/^\/\?[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20}(?:&[a-zA-Z0-9]{3,10}=[a-zA-Z0-9]{3,20})*?$/"; http.header; content:"Keep|2d|Alive|3a|"; content:"Connection|3a| keep|2d|alive"; content:"Cache|2d|Control|3a|"; pcre:"/^Cache-Control\x3a\x20(?:max-age=0|no-cache)\r?$/m"; content:"Accept|2d|Encoding|3a|"; reference:url,github.com/jseidl/GoldenEye; classtype:denial-of-service; sid:2018208; rev:3; metadata:created_at 2014_03_05, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugz.top"; nocase; endswith; classtype:domain-c2; sid:2030742; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.info Domain"; flow:established,to_server; http.host; content:".ddns.info"; endswith; classtype:bad-unknown; sid:2018220; rev:6; metadata:created_at 2011_12_15, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuh.to"; nocase; endswith; classtype:domain-c2; sid:2030743; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ddns.name Domain"; flow:established,to_server; http.host; content:".ddns.name"; endswith; classtype:bad-unknown; sid:2018221; rev:6; metadata:created_at 2011_12_15, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030744; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY InstallIQ Updater Software request"; flow:to_server,established; http.uri; content:"/api/detectionrequest.aspx?keyid=1&shortname="; content:"&langid="; http.host; content:".installiq.com"; endswith; classtype:policy-violation; sid:2018222; rev:4; metadata:created_at 2012_02_13, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnur.top"; nocase; endswith; classtype:domain-c2; sid:2030745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.uri; content:".exe"; endswith; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b|MSIE 7.0|3b|Windows NT 6.0)|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018224; rev:5; metadata:created_at 2014_03_05, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuz.top"; nocase; endswith; classtype:domain-c2; sid:2030746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SWF filename used in IE 2014-0322 Watering Hole Attacks"; flow:established,to_server; http.uri; content:"/Tope.swf"; classtype:exploit-kit; sid:2018223; rev:4; metadata:created_at 2014_03_05, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuh.to"; nocase; endswith; classtype:domain-c2; sid:2030747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMSHoax Riskware checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"/api.php"; http.request_body; content:"YWx0X2FwaV9iYXNlX3Vy"; depth:20; reference:md5,4b779acb1a0e726cee73fc2ca8a6a0be; classtype:command-and-control; sid:2018230; rev:3; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030748; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Image - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"image/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018233; rev:3; metadata:created_at 2014_03_08, former_category INFO, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuur.top"; nocase; endswith; classtype:domain-c2; sid:2030749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Sent Claiming To Be Text Content - Likely Exploit Kit"; flow:established,to_client; flowbits:isset,ET.http.javaclient; http.content_type; content:"text/"; startswith; file.data; content:"PK"; within:2; content:".class"; fast_pattern; distance:10; within:500; classtype:exploit-kit; sid:2018234; rev:3; metadata:created_at 2014_03_08, former_category INFO, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuz.top"; nocase; endswith; classtype:domain-c2; sid:2030750; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kelihos Infection Executable Download With Malformed Header"; flow:established,from_server; http.header; content:"Last-Modified|3a|"; http.header.raw; pcre:"/^Last-Modified\x3a(?:\s[^\r\n]{2}|[^\r\n\s]{3}),/m"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2018241; rev:3; metadata:created_at 2014_03_09, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbh.to"; nocase; endswith; classtype:domain-c2; sid:2030751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Beacon"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/www/cmd.php"; fast_pattern; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018249; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbo.ws"; nocase; endswith; classtype:domain-c2; sid:2030752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PointOfSales.Misc CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?"; pcre:"/^\d{5,}$/R"; http.user_agent; content:"Browser"; depth:7; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018250; rev:4; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbr.top"; nocase; endswith; classtype:domain-c2; sid:2030753; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Activity POST"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/pk/request.flv"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:5; metadata:created_at 2013_10_12, updated_at 2020_04_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbz.top"; nocase; endswith; classtype:domain-c2; sid:2030754; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"gizasector.xyz"; endswith; classtype:domain-c2; sid:2030051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeh.to"; nocase; endswith; classtype:domain-c2; sid:2030755; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fekilopol.xyz"; endswith; classtype:domain-c2; sid:2030052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeo.ws"; nocase; endswith; classtype:domain-c2; sid:2030756; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (W32/TrojanDownloader.Agent.FBF Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=analyticsonline.top"; nocase; endswith; reference:md5,c5a467fa017cf4003768e63115fcddae; classtype:domain-c2; sid:2030046; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_04_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.top"; nocase; endswith; classtype:domain-c2; sid:2030757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HCZR Variant Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?wqasd="; startswith; content:"&qrjatyd=imofugclqu"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,9163f1f4f16ac8ec82eaa0a274850c36; reference:url,twitter.com/3XS0/status/1255491188565688323; classtype:command-and-control; sid:2030054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.ws"; nocase; endswith; classtype:domain-c2; sid:2030758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|flow|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2030048; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_29, deployment Perimeter, signature_severity Minor, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaez.top"; nocase; endswith; classtype:domain-c2; sid:2030759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|flow|0d 0a|"; fast_pattern; classtype:web-application-attack; sid:2030049; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjh.to"; nocase; endswith; classtype:domain-c2; sid:2030760; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS BeeMovie Related Activity"; flow:to_server,established; http.header; content:"User-Agent|3a 20|BeeMovie/"; classtype:misc-activity; sid:2030050; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjo.ws"; nocase; endswith; classtype:domain-c2; sid:2030761; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (h55u4u4u5uii5)"; flow:established,to_server; http.user_agent; content:"h55u4u4u5uii5"; bsize:13; reference:url,www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/; classtype:trojan-activity; sid:2030058; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.top"; nocase; endswith; classtype:domain-c2; sid:2030762; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; http.uri; pcre:"/\?[0-9a-f]{6}$/"; http.cookie; content:"SECID="; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:8; metadata:created_at 2013_04_27, former_category CURRENT_EVENTS, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.ws"; nocase; endswith; classtype:domain-c2; sid:2030763; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_05_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjz.top"; nocase; endswith; classtype:domain-c2; sid:2030764; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; http.uri; content:"/Default.aspx?INDEX="; pcre:"/\?ID=[A-Z]{10}$/"; http.user_agent; content:!"Mozilla"; startswith; reference:md5,8dd6a7fe83bd9682187d956f160ffb47; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:md5,ba45339da92ca4622b472ac458f4c8f2; reference:url,intelreport.mandiant.com/; classtype:targeted-activity; sid:2016460; rev:8; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieh.to"; nocase; endswith; classtype:domain-c2; sid:2030765; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot Loader Payload Request"; flow:established,to_server; urilen:<11; http.uri; content:".exe"; fast_pattern; http.header; content:"Mozilla/4.0|0D 0A|Host|3a|"; reference:md5,3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:6; metadata:created_at 2013_03_15, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieo.ws"; nocase; endswith; classtype:domain-c2; sid:2030766; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,from_server; http.header; content:"X-Sinkholed-Domain|3a|"; reference:md5,723a90462a417337355138cc6aba2290; classtype:trojan-activity; sid:2017662; rev:4; metadata:created_at 2013_11_04, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.top"; nocase; endswith; classtype:domain-c2; sid:2030767; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; http.header; content:"User-Agent|3A 20|toys|3A 3A|file"; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:4; metadata:created_at 2012_03_09, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.ws"; nocase; endswith; classtype:domain-c2; sid:2030768; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Install CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/install/"; http.request_body; content:"q="; depth:2; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018331; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgiez.top"; nocase; endswith; classtype:domain-c2; sid:2030769; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018332; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiih.to"; nocase; endswith; classtype:domain-c2; sid:2030770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; http.uri; content:"/access.php"; fast_pattern; http.user_agent; content:"sendfile"; depth:8; nocase; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016862; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiio.ws"; nocase; endswith; classtype:domain-c2; sid:2030771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN IBM NSA User Agent"; flow:established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Network-Services-Auditor"; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; reference:url,doc.emergingthreats.net/2003171; classtype:attempted-recon; sid:2003171; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.top"; nocase; endswith; classtype:domain-c2; sid:2030772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hi)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|hi|0d 0a|"; nocase; classtype:trojan-activity; sid:2018381; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_10, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.ws"; nocase; endswith; classtype:domain-c2; sid:2030773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpeedingUpMyPC.Rootkit Successful Install GET Type CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/install/?q="; http.user_agent; content:"win32"; depth:5; reference:md5,cb6cb201eab321f7a827bb3cb1b311b6; classtype:command-and-control; sid:2018345; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiiz.top"; nocase; endswith; classtype:domain-c2; sid:2030774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; http.header; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; fast_pattern; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:4; metadata:created_at 2014_01_08, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzth.to"; nocase; endswith; classtype:domain-c2; sid:2030775; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virut Family GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgate.php?n="; pcre:"/^[0-9A-F]{12,24}/Ri"; reference:url,www.f-secure.com/v-descs/virus_w32_virut.shtml; reference:url,doc.emergingthreats.net/2009444; classtype:trojan-activity; sid:2009444; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzto.ws"; nocase; endswith; classtype:domain-c2; sid:2030776; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GreenDou Downloader User-Agent (hello crazyk)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|hello crazyk"; reference:md5,67d52ae285ac82f959b3675550de8a2d; reference:md5,e668a501bd107de161378a9fd9c5d1f2; classtype:trojan-activity; sid:2018404; rev:3; metadata:created_at 2014_04_22, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztr.top"; nocase; endswith; classtype:domain-c2; sid:2030777; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.A.FakeAV Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/404.php?"; nocase; content:"type=stats"; nocase; content:"affid="; nocase; content:"subid="; nocase; reference:url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc; reference:md5,ac0ba9e186aee9cf9889d71158485715; classtype:trojan-activity; sid:2014083; rev:6; metadata:created_at 2012_01_03, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztz.top"; nocase; endswith; classtype:domain-c2; sid:2030778; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; http.uri; content:"/Generic/BEX/iexplore_exe/"; content:"/vgx_dll_unloaded/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooh.to"; nocase; endswith; classtype:domain-c2; sid:2030779; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2"; flow:established,to_server; http.uri; content:"/StageOne/iexplore_exe/"; content:"/vgx_dll/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018436; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooo.ws"; nocase; endswith; classtype:domain-c2; sid:2030780; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check_value.php"; http.user_agent; content:!"User-Agent|0d 0a|"; http.request_body; content:"identifiant="; depth:12; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:command-and-control; sid:2018443; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokoor.top"; nocase; endswith; classtype:domain-c2; sid:2030781; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; http.header; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; content:"|0d 0a|X-Powered-By|3a 20|PHP"; file.data; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:exploit-kit; sid:2018451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooz.top"; nocase; endswith; classtype:domain-c2; sid:2030782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.host; pcre:"/\x3a\d{1,5}$/"; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; http.request_body; content:"id="; depth:3; content:"&code="; fast_pattern; distance:0; content:"&data="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016527; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoh.to"; nocase; endswith; classtype:domain-c2; sid:2030783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap CnC Checkin"; flow:established,to_server; http.uri; content:".cgi?s"; content:"&r="; pcre:"/\.cgi\?s(?:id)?=\d{1,12}&r=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"Cache-Control|3a| no-cache|0d 0a|"; content:"User-Agent|3a 20 2d 0d 0a|"; fast_pattern; classtype:command-and-control; sid:2013201; rev:8; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoo.ws"; nocase; endswith; classtype:domain-c2; sid:2030784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030059; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.top"; nocase; endswith; classtype:domain-c2; sid:2030785; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030060; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.ws"; nocase; endswith; classtype:domain-c2; sid:2030786; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"SCRIPT MAILER INBOX"; content:">SMTP Login:</font></div>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030061; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoz.top"; nocase; endswith; classtype:domain-c2; sid:2030787; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"SCRIPT MAILER INBOX"; content:">SMTP Login:</font></div>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030062; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrbox.ws"; nocase; endswith; classtype:domain-c2; sid:2030788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Check Accessed on Internal Server"; flow:established,to_client; file.data; content:"Upload is <b><"; content:"Check  Mailling ..<br>"; nocase; distance:0; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrnet.top"; nocase; endswith; classtype:domain-c2; sid:2030789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<form method=post style=|22|font-family:fantasy|3b 22|>"; content:"Password: <input type=password name=pass style=|22|background-color|3a|whitesmoke|3b|border|3a|1px solid #FFF|3b 22|><input type=submit value='>>' style=|22|border|3a|none|3b|background-color|3a|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030065; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdh.to"; nocase; endswith; classtype:domain-c2; sid:2030790; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<form method=post style=|22|font-family:fantasy|3b 22|>"; content:"Password: <input type=password name=pass style=|22|background-color|3a|whitesmoke|3b|border|3a|1px solid #FFF|3b 22|><input type=submit value='>>' style=|22|border|3a|none|3b|background-color|3a|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030066; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdo.ws"; nocase; endswith; classtype:domain-c2; sid:2030791; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.InfoStealer WindowsUpdate Connectivity Check With Opera UA"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Opera/9.25 (Windows NT 6.0|3b 20|U|3b|"; fast_pattern; http.host; content:"windowsupdate.microsoft.com"; startswith; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa696180cd0369e264ed8e9137a4f254; classtype:trojan-activity; sid:2018419; rev:7; metadata:created_at 2014_04_25, updated_at 2020_04_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.top"; nocase; endswith; classtype:domain-c2; sid:2030792; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Sinkhole banner"; flow:established,to_client; http.header; content:"Server|3a 20|You got served|21|"; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2013/12/30/detecting-sinkholed-domains-in-your-environment; classtype:trojan-activity; sid:2018117; rev:4; metadata:created_at 2014_02_12, updated_at 2020_04_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.ws"; nocase; endswith; classtype:domain-c2; sid:2030793; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/\/(?:[^\x2f]+?\/)?[a-z-_]+?\.(?:php|html)$/i"; http.header; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern; depth:77; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:command-and-control; sid:2017903; rev:4; metadata:created_at 2013_12_27, former_category MALWARE, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdz.top"; nocase; endswith; classtype:domain-c2; sid:2030794; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.BitcoinMiner Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?user="; nocase; content:"&type="; nocase; content:"&id="; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"sysin="; fast_pattern; depth:6; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/05/16/zeuscoiner-detection-zeus-variant-engages-in-bitcoining; classtype:coin-mining; sid:2018504; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_05_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_04_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/vstudio"; fast_pattern; http.host; content:"msdn.microsoft.com"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category TROJAN, malware_family Smoke_Loader, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent"; flow:established,to_server; http.user_agent; content:"rome0321"; depth:8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018519; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/visualstudio/"; fast_pattern; http.host; content:"www.microsoft.com"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category TROJAN, malware_family Smoke_Loader, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (SBTCM)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|SBTCM|0d 0a|"; fast_pattern; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018524; rev:3; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/\d+\/$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:command-and-control; sid:2025441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category MALWARE, malware_family Smoke_Loader, signature_severity Major, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (x09)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 09 0d 0a|"; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018529; rev:3; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Certificate Observed M2"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=SneHose, O=Googls, OU=IT, CN=fff"; reference:md5,8430d8cf1b1edd6c49092a7dd6412a8a; classtype:trojan-activity; sid:2035063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (rhyno321)"; flow:established,to_server; http.user_agent; content:"rhyno321"; depth:8; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018523; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|47 49 46 38 39 61 10 00 10 00 91 00 00 f7 f7 f7 ff ff ff c0 c0 c0 00 00 00 21 f9 04 00 00 00 00 5f 05 95 95 96 96 96 96 92 92 92 92 6d 92 92 92 2a 2a 2a 2a 2a 2a 2a 2a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a|"; depth:92; classtype:command-and-control; sid:2025457; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (slayer)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|slayer"; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018525; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trickbot C2 (networkDll module)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=Arasfjasu7|0d 0a|"; http.request_body; content:"name=|22|proclist|22|"; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2032217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (Vulture)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Vulture"; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018526; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pontoeb CnC"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; fast_pattern; http.request_body; content:"mode="; depth:5; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:command-and-control; sid:2025484; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_04_11, deployment Perimeter, former_category MALWARE, malware_family Pontoeb, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (VHIbot/1.0)"; flow:established,to_server; http.user_agent; content:"VHIbot/1.0"; depth:10; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018527; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"{|22|encry|22 3a 22|"; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; distance:0; content:"|22|guid|22 3a 22|"; distance:0; content:"|22|start|22 3a 22|"; distance:0; content:"|22|market|22 3a 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:command-and-control; sid:2025486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_12, deployment Perimeter, former_category MALWARE, malware_family Iron_Locker, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (xehanort321)"; flow:established,to_server; http.user_agent; content:"xehanort321"; depth:11; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018528; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_04_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls.cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:domain-c2; sid:2025485; rev:4; metadata:attack_target Client_and_Server, created_at 2018_04_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Registration Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; content:".jpg"; endswith; pcre:"/^\x2fimage\x2f[A-Za-z0-9\+_-]+\.jpg$/i"; http.header; content:"User-Agent|3a| Mozilla/5.0 |28|compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/5.0|29 0d 0a|"; fast_pattern; http.referer; content:"http://www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018546; rev:7; metadata:created_at 2014_06_09, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Cryptocurrency Wallet Exfiltration Detected"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 26 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024311; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pandemiya User-Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Hello 2.0"; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; classtype:trojan-activity; sid:2018553; rev:4; metadata:created_at 2014_06_10, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 27 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024312; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover related campaign Checkin"; flow:established,to_server; http.uri; content:"post.php?filename="; fast_pattern; content:"&folder="; distance:0; pcre:"/\/\/?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0392fb51816dd9583f9cb206a2cf02d9; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:command-and-control; sid:2018566; rev:3; metadata:created_at 2014_06_16, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Request for C2 Commands Detected M1"; flow:established,to_server; flowbits:set,ET.LokiBot; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 28 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:command-and-control; sid:2024313; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.su domain with direct request/fakebrowser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".su"; pcre:"/^(?:\x3a\d{1,5})?$/Ri"; classtype:trojan-activity; sid:2018570; rev:4; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot File Exfiltration Detected"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 29 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024314; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Request to a *.pw domain with direct request/fake browser (multiple families flowbit set)"; flow:to_server,established; flowbits:noalert; flowbits:set,ET.Suspicious.Domain.Fake.Browser; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept-Language|0d 0a|"; http.host; content:".pw"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/i"; classtype:trojan-activity; sid:2018571; rev:4; metadata:created_at 2014_06_17, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Keylogger Data Exfiltration Detected M1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 2b 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; classtype:trojan-activity; sid:2024315; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.Bot Knock Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{20,}+$/"; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/i"; http.request_body; content:"<knock>"; fast_pattern; depth:7; content:"<ID>"; within:6; content:"<group>"; distance:0; content:"<version>"; distance:0; content:"<status>"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html; classtype:command-and-control; sid:2018574; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_06_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_04_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Screenshot Exfiltration Detected"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 2c 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024316; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Optimum Installer User-Agent IE6 on Windows XP"; flow:established,to_server; http.user_agent; content:"IE6 on Windows XP"; startswith; fast_pattern; classtype:pup-activity; sid:2012629; rev:6; metadata:created_at 2011_04_05, former_category USER_AGENTS, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/i"; http.request_body; content:"|00 27 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024317; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; http.uri; content:"/load_module.php?e="; classtype:exploit-kit; sid:2014705; rev:5; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Request for C2 Commands Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\nContent-Length\x3a\x20[^\r\n]+\r\nConnection\x3a\x20close/i"; http.request_body; content:"|00 28 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024318; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; http.uri; content:"/download_file.php?e="; classtype:exploit-kit; sid:2014706; rev:4; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Keylogger Data Exfiltration Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/i"; http.request_body; content:"|00 2b 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024319; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; http.header; content:"filename=payload.exe.exe|0d 0a|"; classtype:exploit-kit; sid:2014707; rev:5; metadata:created_at 2012_05_04, updated_at 2020_04_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IcedID/Emotet Certificate Observed M1"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Texas, L=Phenix, O=Yahos, OU=IT, CN=foror2"; reference:md5,8430d8cf1b1edd6c49092a7dd6412a8a; classtype:trojan-activity; sid:2035051; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, malware_family IcedID, signature_severity Major, tag Emotet, tag IcedID, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; http.uri; content:"/wsman/simple_auth.passwd"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:5; metadata:created_at 2014_06_20, updated_at 2020_04_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Quant Loader Download Response M2"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"exe=http://"; within:30; nocase; fast_pattern; content:"|2e|exe|3b|"; distance:0; nocase; reference:md5,aa0b114a64683d89f62d26a088e164f6; classtype:trojan-activity; sid:2024206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Citadel Download From CnC Server /files/ attachment"; flow:established,to_client; flowbits:isset,et.citadel; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename=|22 25 32 65|/files/"; fast_pattern; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018599; rev:8; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/GravityRAT Requesting Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Value=13&idPayload="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Crawler"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.user_agent; content:"PHPCrawl"; depth:8; reference:url,phpcrawl.cuab.de/; classtype:attempted-user; sid:2018607; rev:3; metadata:created_at 2014_06_26, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Value="; content:"UserCode="; distance:0; content:"MacId="; distance:0; content:"HitDate="; distance:0; content:"FingerPrint="; distance:0; fast_pattern; content:"CurrentIp="; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; content:!"Connection"; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/VBKlip BAN Download"; flow:established,to_server; http.header; content:"Accept|20|Language|3a| en-us|0d 0a|"; fast_pattern; reference:url,cert.pl/news/8478/langswitch_lang/en; classtype:trojan-activity; sid:2018618; rev:3; metadata:created_at 2014_07_01, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?VALUE=2&Type="; fast_pattern; content:"&SIGNATUREHASH="; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP Plug-in MailPoet  Arbitrary File Upload/Auth Bypass Vulnerability"; flow:established,to_server; http.uri; content:"/wp-admin/admin-post.php"; content:"page=wysija_campaigns"; content:"action=themes"; http.request_body; content:"|0d 0a|PK"; content:"style.css"; reference:url,www.exploit-db.com/exploits/33991/; classtype:web-application-attack; sid:2018648; rev:4; metadata:created_at 2014_07_08, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Value=11&FileName="; fast_pattern; content:"&FileSize="; distance:0; content:"&Macid="; distance:0; content:"&UserCode="; distance:0; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle Event Processing FileUploadServlet Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wlevs/visualizer/upload"; http.request_body; content:"filename"; pcre:"/^\s*?=\s*?[\x22\x27]?[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; reference:url,www.exploit-db.com/exploits/33989/; reference:cve,2014-2424; classtype:web-application-attack; sid:2018652; rev:4; metadata:created_at 2014_07_08, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Attempting to Download Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?port="; fast_pattern; http.user_agent; content:"wget/"; http.header_names; content:!"Referer"; reference:url,blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/; classtype:trojan-activity; sid:2025575; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_05_11, deployment Perimeter, former_category TROJAN, malware_family Muhstik, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT Checkin"; flow:to_server,established; http.uri; content:".php?"; content:"email="; content:"&serverid="; content:"User|3a|"; content:"PC|3a|"; http.header_names; content:!"Referer"; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:command-and-control; sid:2018659; rev:3; metadata:created_at 2014_07_10, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"data.php?id="; fast_pattern; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/i"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:command-and-control; sid:2024239; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family Karmen_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CyberGate RAT User-Agent (USER_CHECK)"; flow:to_server,established; http.user_agent; content:"USER_CHECK"; depth:10; reference:md5,24d9f082b849b4c698e6b012500d441a; classtype:trojan-activity; sid:2018660; rev:4; metadata:created_at 2014_07_10, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pterodo.CL CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"versiya="; depth:8; content:"&comp="; distance:0; content:"&sysinfo="; distance:0; fast_pattern; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Referer"; content:!"Cache"; reference:md5,46C4A755E80EE4DF590C87C98115A5C7; classtype:command-and-control; sid:2034343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family Pterodo, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Request"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uuid="; depth:5; nocase; content:"&id="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&pcname="; nocase; distance:0; fast_pattern; content:"&osver="; nocase; distance:0; content:"&timeout="; nocase; distance:0; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin via HTTP"; flow:established,to_server; http.user_agent; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; fast_pattern; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:command-and-control; sid:2021336; rev:6; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2015_06_24, deployment Perimeter, former_category MALWARE, malware_family DDoS_XOR, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MINEBRIDGE CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"drun_command="; depth:13; fast_pattern; content:"&drun_URL="; content:"&rundll_command="; content:"&rundll_URL="; content:"&update_command="; content:"&update_URL="; content:"&restart_command="; content:"&terminate_command="; content:"&kill_command="; content:"&poweroff_command="; content:"&reboot_command="; content:"&setinterval_command="; content:"&setinterval_time="; reference:md5,7d22d5b7cac4c8789f3fe7102e459edd; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:targeted-activity; sid:2030068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/-"; distance:0; content:"&hwid="; distance:0; http.header_names; content:!"Referer"; reference:md5,31d65e315115c823f619a381576984f8; classtype:command-and-control; sid:2025586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_30, deployment Perimeter, former_category MALWARE, malware_family Aurora, malware_family OneKeyLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activity M1"; flow:established,to_server; content:"|3a|U1Q="; distance:48; within:5; endswith; http.method; content:"GET"; http.uri; content:".php?ID="; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64|3b 20|rv:47.0) Gecko / 20100101 Chrome/73.0.3645.0"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; endswith; reference:url,www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center?utm_medium=social&utm_source=linkedin&utm_content=blog; classtype:targeted-activity; sid:2030069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet CnC Checkin (POST)"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"POST"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; depth:65; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2035053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rhabdo CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wwwlib/title.php?ID="; depth:21; pcre:"/^[A-Za-z0-9]{48}\x3a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64|3b 20|rv:47.0) Gecko / 20100101 Chrome/73.0.3645.0"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; endswith; reference:url,www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center?utm_medium=social&utm_source=linkedin&utm_content=blog; classtype:targeted-activity; sid:2030070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackshadesRAT Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/alive.php?"; nocase; content:"key="; nocase; content:"pcuser="; nocase; content:"pcname="; nocase; content:"hwid="; nocase; content:"country="; nocase; reference:md5,85a9f25c9b6614a8ad16dd7f3363a247; classtype:trojan-activity; sid:2012587; rev:6; metadata:created_at 2011_03_28, former_category TROJAN, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/webviewAdReq"; nocase; depth:13; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_11, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Paradise Ransomware Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v1="; depth:3; content:"v2="; distance:0; content:"start_e="; distance:0; content:"end_e="; distance:0; content:"files_count="; distance:0; fast_pattern; content:"key="; distance:0; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2025631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category MALWARE, malware_family Paradise, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Minirem"; flow: established,to_server; urilen:>18; http.method; content:"GET"; http.uri; content:"/FC001/"; fast_pattern; depth:7; http.user_agent; content:"Microsoft Internet Explorer"; reference:md5,d92075280872b9fe4f541f090bf0076c; classtype:trojan-activity; sid:2018664; rev:7; metadata:created_at 2014_01_22, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?username="; fast_pattern; content:"&password="; distance:0; content:"&id="; distance:0; content:"&comp="; distance:0; content:"&user="; distance:0; pcre:"/^(?:(?:(?:[a-f0-9]){2}){16})/R"; http.header_names; content:"Accept|0d 0a|Accept-Language|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection"; content:!"Referer"; classtype:command-and-control; sid:2025633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family SpyAgent_Raptor, performance_impact Low, signature_severity Major, tag Spyware, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|uTorrent"; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; classtype:policy-violation; sid:2011706; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"raptor_un="; depth:10; content:"raptor_pw_hash="; distance:0; fast_pattern; content:"logtype="; distance:0; content:"raptor_account_id="; distance:0; content:"computer_username="; distance:0; content:"computer_name="; distance:0; content:"capture_timestamp="; distance:0; content:"submit="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; classtype:command-and-control; sid:2025634; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family SpyAgent_Raptor, performance_impact Low, signature_severity Major, tag Spyware, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct July 15 2014"; flow:established,to_server; http.uri; content:"/0/"; content:"Service Pack "; distance:2; within:13; pcre:"/\/0\/$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,79772d72082a082a0048569ba2dfe5a3; classtype:trojan-activity; sid:2018678; rev:4; metadata:created_at 2014_07_15, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 2"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:md5,99FAB94FD824737393F5184685E8EDF2; classtype:command-and-control; sid:2014411; rev:13; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Adobe Flash Player Rosetta Flash compressed CWS in URI"; flow:established,to_server; urilen:>70; http.uri; content:"callback=CWS"; nocase; pcre:"/^[a-z0-9\.\_]{5}hC[a-z0-9\.\_]{50}/Ri"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018740; rev:3; metadata:created_at 2014_07_18, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/update"; fast_pattern; http.host; pcre:"/^[a-z0-9]+\.(?:biz|com|net|org)/"; http.header_names; content:!"User-Agent"; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:5; metadata:created_at 2014_07_11, former_category TROJAN, updated_at 2020_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta EK randomized javascript Gate Jul 18 2014"; flow:established,to_server; urilen:23<>85; http.method; content:"GET"; http.uri; content:".js?"; fast_pattern; content:"="; distance:7; within:26; content:!"&"; pcre:"/^\/[A-Za-z0-9]{6,16}\.js\?[a-zA-Z0-9]{7,32}=(?![0-9]+$)[a-f0-9]{5,30}$/U"; http.header; pcre:"/^Host\x3a\x20[^\.\r\n]+?\.[a-z]{2,4}\r\n/mi"; classtype:exploit-kit; sid:2018741; rev:3; metadata:created_at 2014_07_18, former_category EXPLOIT_KIT, updated_at 2020_04_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] PS/TrojanDownloader.Agent.NNR XORed Zip payload (key 0x91)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|c1 da 92 95 85 91 91 99 99 91|"; depth:10; fast_pattern; reference:url,dctoralves.wordpress.com/2018/05/03/phishing-report-policia-civil/; classtype:trojan-activity; sid:2025583; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_23, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016582; rev:6; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Berbew Check-in"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:".NET CLR 00000000"; classtype:trojan-activity; sid:2017128; rev:8; metadata:created_at 2013_07_11, former_category TROJAN, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016581; rev:5; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AutoHotKey offthewall Downloader Requesting Payload"; flow:established,to_server; http.start; content:"GET /brazi/"; startswith; fast_pattern; content:".exe HTTP/1.1"; http.host; content:".top"; endswith; http.user_agent; bsize:10; content:"AutoHotkey"; reference:md5,2b1dc86b6a28ea6ddc7c272773b7472c; classtype:command-and-control; sid:2030664; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; http.user_agent; content:"Java/1."; classtype:bad-unknown; sid:2016933; rev:6; metadata:created_at 2013_05_29, former_category INFO, updated_at 2020_04_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anubiscode.fun"; nocase; endswith; classtype:domain-c2; sid:2030729; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Zbot.Variant CnC Response"; flow:established,from_server; flowbits:isset,ET.zbot.ua.2106509; http.stat_code; content:"200"; http.header; content:"Content-Length|3a| 0|0d 0a|Content-Type|3a| text/html|0d 0a|"; fast_pattern; http.header_names; content:"Content-Type|0d 0a 0d 0a|"; endswith; reference:md5,0c4d7d9138de7d7919e3b3c33ac2f851; classtype:command-and-control; sid:2018764; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; content:".exe"; fast_pattern; pcre:"/^(?:\?[0-9])?/R"; pcre:"/\/wp-(?:content|admin|includes)\//"; http.header_names; content:!"Referer"; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Wordpress, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swizzor User-Agent (Swizz03r)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Swizz03r Download Agent"; nocase; depth:23; reference:md5,5d232faca6d2b082b450b8ee4e238483; classtype:trojan-activity; sid:2018765; rev:5; metadata:created_at 2013_06_04, updated_at 2020_04_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS Sniffer Framework Sending to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?image_id="; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.header_names; content:"Accept"; content:"Accept-"; content:!"Referer"; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:command-and-control; sid:2025881; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_25;)
 
-alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1"; flow:established,to_server; content:"_prep_auth_info"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030071; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AZORult Variant.4 Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|4a 2f fb|"; fast_pattern; content:"|2f fb|"; depth:11; http.header_names; content:!"Referer"; reference:md5,0ac55b5056364cdac63aaf05f9d7f654; reference:url,twitter.com/James_inthe_box/status/1020522733984100352?s=03; classtype:command-and-control; sid:2025885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category MALWARE, malware_family AZORult, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2"; flow:established,to_server; content:"_send_pub"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030072; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload|22 3b 20|filename=|22|temp.gif|22 0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048a; classtype:command-and-control; sid:2025991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Genol Shell"; nocase; fast_pattern; content:"><b>Uname|20 3a 20|Linux|20|"; nocase; distance:0; classtype:web-application-attack; sid:2030073; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_05_01, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 11"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:command-and-control; sid:2025993; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, signature_severity Major, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Genol Shell"; nocase; fast_pattern; content:"><b>Uname|20 3a 20|Linux|20|"; nocase; distance:0; classtype:web-application-attack; sid:2030074; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_05_01, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Spy.Agent.PMJ (MICROPSIA)"; flow:established, to_server; http.method; content:"POST"; http.request_body; content:"daenerys="; depth:9; fast_pattern; content:"betriebssystem="; distance:0; content:"anwendung="; distance:0; content:"AV="; distance:0; content:"frankie="; distance:0; classtype:trojan-activity; sid:2025994; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title> Mailer Created By"; nocase; fast_pattern; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|Enviar|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) HTTP Header"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_len; byte_test:0,>,1000,0,string,dec; byte_test:0,<,2000,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; classtype:trojan-activity; sid:2026001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title> Mailer Created By"; nocase; fast_pattern; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|Enviar|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sosdoudou_V3/"; fast_pattern; http.user_agent; content:"WinHttp.WinHttpRequest"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,98376de10118892f0773617da137c2be; reference:md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_26, deployment Perimeter, former_category TROJAN, malware_family Banload, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>alexusMailer 2.0</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Monero Miner CnC Channel TXT Lookup"; threshold:type limit, track by_src, count 1, seconds 300; dns.query; content:".c2kgw8jt5869nspr4.com"; fast_pattern; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:command-and-control; sid:2026097; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>alexusMailer 2.0</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Monero Miner CnC Channel Secondary Domain Lookup"; threshold:type limit, track by_src, count 1, seconds 300; dns.query; content:"mylog.icu"; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:command-and-control; sid:2026098; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server"; flow:established,to_client; file.data; content:"---------0nline Inf0---------------"; nocase; fast_pattern; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:web-application-attack; sid:2030079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aura Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"{KIARA}"; fast_pattern; http.request_body; content:"id="; depth:3; content:"&guid="; http.header_names; content:!"Referer"; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:command-and-control; sid:2026099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server"; flow:established,to_client; file.data; content:"---------0nline Inf0---------------"; nocase; fast_pattern; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:web-application-attack; sid:2030080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Eredel Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; content:"&os="; content:"&cookie="; content:"&pswd="; fast_pattern; content:"&telegram="; content:"&version=v"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,4b5e27e843e1b26aedec66f9e87c9960; classtype:command-and-control; sid:2025982; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category MALWARE, malware_family Eredel, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server"; flow:established,to_client; file.data; content:">E-MAIL INFORMATION</font> ]-_-_-_-_-_-_-"; nocase; fast_pattern; content:">INFO VICTIM</font> ]-_-_-_-_-_-_-"; nocase; distance:0; classtype:web-application-attack; sid:2030081; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.logsbanks.xyz"; nocase; endswith; classtype:domain-c2; sid:2030730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server"; flow:established,to_client; file.data; content:">E-MAIL INFORMATION</font> ]-_-_-_-_-_-_-"; nocase; fast_pattern; content:">INFO VICTIM</font> ]-_-_-_-_-_-_-"; nocase; distance:0; classtype:web-application-attack; sid:2030082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Cpanel Cracker Accessed on External Server"; flow:established,to_client; file.data; content:"<title>HEx CPanel Cracker"; nocase; fast_pattern; content:"<strong>CPanelCracker Script"; nocase; distance:0; classtype:web-application-attack; sid:2030083; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x70|5c|x6F|5c|x77|5c|x65|5c|x72|5c|x73|5c|x68|5c|x65|5c|x6C|5c|x6C|5c|x2E|5c|x65|5c|x78|5c|x65"; content:"|5c|x2D|5c|x65|5c|x78|5c|x65|5c|x63|5c|x75|5c|x74|5c|x69|5c|x6F|5c|x6E|5c|x70|5c|x6F|5c|x6C|5c|x69|5c|x63|5c|x79|5c|x20|5c|x62|5c|x79|5c|x70|5c|x61|5c|x73|5c|x73"; distance:0; fast_pattern; content:"|5c|x2D|5c|x77|5c|x69|5c|x6E|5c|x64|5c|x6F|5c|x77|5c|x73|5c|x74|5c|x79|5c|x6C|5c|x65|5c|x20|5c|x68|5c|x69|5c|x64|5c|x64|5c|x65|5c|x6E"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026331; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Cpanel Cracker Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>HEx CPanel Cracker"; nocase; fast_pattern; content:"<strong>CPanelCracker Script"; nocase; distance:0; classtype:web-application-attack; sid:2030084; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Pro Mailer V2</title>"; nocase; classtype:web-application-attack; sid:2030085; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; pcre:"/\.(?:bmp|png|gif|jpg)$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.request_body; content:"wfKD6iudumBkmp"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_type; content:"multipart/form-data"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2025638; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_04, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Pro Mailer V2</title>"; nocase; classtype:web-application-attack; sid:2030086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS_D0wnl0ad3r Screenshot Upload"; flow:to_server,established; http.method; content:"POST"; http.header; content:"boundary=MS_D0wnl0ad3r"; reference:md5,f40248a592ed711d95eb8b48b31a1ed8; classtype:trojan-activity; sid:2026361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category TROJAN, malware_family Downloader, signature_severity Major, updated_at 2020_08_25;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"AAAAAAAA"; content:"AAAAATEy"; content:"EA"; pcre:"/^(?:\\r\\n|\x0d\x0a)AABI/R"; content:"$|0e ce a0 d4 c7 cb 08|"; content:"T8hlGOo9"; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:!"|0d 0a|/9j/4S"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030006; rev:3; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS_D0wnl0ad3r Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?hwid="; http.header; content:"en-gb|5c|Accept"; http.user_agent; content:"Gecko/20070725 Firefox/2.0.0.6"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026363; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
 
-alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"3r0TRZfh"; fast_pattern; content:"AAAAAAAA"; content:"|00 41 00 41 00 41 00 41|"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030008; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected DNS2TCP Auth"; dns.query; content:".=auth."; fast_pattern; pcre:"/^[A-Za-z0-9\/\-\+]{40,}\.=auth\./"; classtype:trojan-activity; sid:2026416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category TROJAN, malware_family DNS2TCP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya C2 User-Agent (default)"; flow:established,to_server; http.uri; content:".php"; http.header; content:"User-Agent|3a 20|default|0d 0a|"; fast_pattern; http.request_body; content:"mode="; depth:5; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,www.arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya/; classtype:command-and-control; sid:2018522; rev:4; metadata:created_at 2014_06_04, former_category MALWARE, updated_at 2020_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected DNS2TCP Connect"; dns.query; content:".=connect."; fast_pattern; pcre:"/^[A-Za-z0-9\/\-\+]{10,}\.=connect\./"; classtype:trojan-activity; sid:2026417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category TROJAN, malware_family DNS2TCP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internet Scanning Project HTTP scan"; flow:established,to_server; http.user_agent; content:"research-scanner/"; startswith; http.host; content:"internetscanningproject.org"; reference:url,www.internetscanningproject.org; classtype:attempted-recon; sid:2018782; rev:3; metadata:created_at 2014_07_25, updated_at 2020_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected fraud-bridge DNS Tunnel"; threshold:type both, track by_src, count 60, seconds 10; dns.query; content:"AAAA--."; pcre:"/^[A-Za-z0-9\/\-\+]{10,}AAAA--\./s"; classtype:trojan-activity; sid:2026418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category TROJAN, malware_family fraud_bridge, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Waski.F Locker DL URI Struct Jul 25 2014"; flow:to_server,established; http.uri; content:"/wp-content/themes/"; depth:19; pcre:"/^[^\x2f]+\/[a-z0-9]+$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:md5,dc4d0bd7fb9e647501c3b0d75aa2be65; classtype:trojan-activity; sid:2018787; rev:3; metadata:created_at 2014_07_26, former_category MALWARE, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Password Stealer User Agent Detected (RookIE)"; flow:established,to_server; http.user_agent; content:"RookIE"; depth:6; http.host; content:!"www.ugee.com.cn"; reference:url,doc.emergingthreats.net/2003635; classtype:trojan-activity; sid:2003635; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; http.user_agent; content:"chroot-apach0day"; nocase; depth:16; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; classtype:attempted-recon; sid:2018800; rev:5; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware End Activity"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|End"; distance:0; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Gatak Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:4; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Payment Domain (gandcrab in DNS Lookup)"; dns.query; content:"gandcrab"; depth:8; nocase; pcre:"/^[a-z0-9]{8}/R"; classtype:trojan-activity; sid:2025496; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/path/DeviceManager.php"; nocase; depth:23; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"func="; depth:5; content:"&deviceid="; distance:0; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_04, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Chacha.DDoS/Xor.DDoS Stage 2 CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"LuaSocket|20|"; depth:10; fast_pattern; http.request_body; content:"macaddress="; depth:11; content:"&device="; distance:0; content:"&type="; distance:0; content:"&version="; distance:0; http.connection; content:"close,|20|TE"; depth:9; http.header_names; content:"TE|0d 0a 0d 0a|"; content:!"Referer"; reference:url,www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/; classtype:command-and-control; sid:2026523; rev:2; metadata:affected_product Linux, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family ChaChaDDoS, malware_family XorDDoS, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ddex Loader Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?t="; content:"&o="; content:"&i="; content:"&task_id="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng_final.pdf; classtype:trojan-activity; sid:2018895; rev:3; metadata:created_at 2014_08_05, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Backdoor CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.user_agent; content:"Mozilla v5.1 (Windows NT 6.1|3b 20|rv|3a|6.0.1) Gecko/20100101 Firefox/6.0.1"; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.)\d{1,3}$/"; http.request_body; content:"%0D%0AHost%20Name|3a|"; reference:md5,961e79a33f432ea96d2c8bf9eb010006; classtype:command-and-control; sid:2026527; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Zebrocy, updated_at 2020_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Pushdo.S CnC response"; flow:established,from_server; flowbits:isset,ET.Pushdo.S; http.header; content:"X-GeoIP-Country-Code|3a| "; content:"X-Real-IP|3a| "; reference:md5,27aef1d328da442d3bd02c50c1a6b651; classtype:command-and-control; sid:2018897; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_05_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Get2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"box-cdn.com"; bsize:11; classtype:domain-c2; sid:2030795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BITTERBUG Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?compname="; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}_/R"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018900; rev:3; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_05_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Get2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"first-destin.com"; bsize:16; classtype:domain-c2; sid:2030796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_08_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear Exploit Kit exe.exe Payload"; flow:established,to_client; http.header; content:"Content-disposition|3a 20|attachment|3b 20|filename=exe.exe"; fast_pattern; reference:url,www.malware-traffic-analysis.net/2014/08/06/index.html; classtype:exploit-kit; sid:2018914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_08, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader_x.EJK!tr CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.request_body; content:"VM|3a 20|"; startswith; content:"|0a|WINDOWS|3a 20|"; distance:0; content:"|0a|COMPNAME|3a 20|"; distance:0; fast_pattern; content:"|0a|dhcp|3a 20|"; distance:0; reference:md5,0241deba165817083c66fae17e09d68f; classtype:command-and-control; sid:2030797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Downloader Check-in"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lolo/"; startswith; fast_pattern; content:".html"; endswith; pcre:"/^\/lolo\/[0-9]+\/[0-9]+\/[0-9]+\/[0-9]+\.html$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018926; rev:4; metadata:created_at 2014_08_12, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Grandoreiro Downloader Activity"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"DIM PASTADOSISTEMACOMPLETA|2c|"; fast_pattern; content:"Http_LM.Open|20 22|GET|22 2c|SjjjjJJfhJ|20 2c|"; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; classtype:trojan-activity; sid:2030801; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lurk Click fraud Template Request"; flow:to_server,established; http.request_line; content:"GET /log/"; fast_pattern; startswith; http.uri; content:"/?id="; pcre:"/^\/log\/[0-9]+\/[0-9]+\/\?id=[0-9]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"Host|0d 0a|"; reference:url,secureworks.com/cyber-threat-intelligence/threats/malware-analysis-of-the-lurk-downloader/; classtype:trojan-activity; sid:2018927; rev:3; metadata:created_at 2014_08_12, updated_at 2020_05_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT28 DOC Uploader SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=mvtband.net"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; tls.cert_serial; content:"03:04:FF:5D:C9:BB:AC:50:C1:7B:3E:4C:1C:68:26:15:F0:3E"; reference:md5,9b10685b774a783eabfecdb6119a8aa3; classtype:targeted-activity; sid:2026539; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT28, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkTequila SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=OH, O=International Security Depart, CN=the-ebooks-store.com/emailAddress=contact@infws.com"; tls.cert_issuer; content:"O=International Security Depart, emailAddress=contact@infws.com, L=Greater Cleveland, ST=OH, C=US, CN=International Security Depart Ca"; tls.cert_serial; content:"00:ED"; reference:md5,9fbdc5eca123e81571e8966b9b4e4a1e; classtype:trojan-activity; sid:2026540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag DarkTequila, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nubjub.A HTTP Check-in"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php"; content:"?&mode="; fast_pattern; content:"&id="; content:"&output="; content:"&time="; reference:url,doc.emergingthreats.net/2009521; classtype:trojan-activity; sid:2009521; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?query="; fast_pattern; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/i"; http.request_body; content:"eyJpZCI6"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.content_type; content:"multipart/form-data|3b|"; http.protocol; content:"HTTP/1.0"; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Secure-Soft.Stealer Checkin"; flow:to_server,established; http.request_body; content:"|0d 0a|Content-Disposition|3A 20|form-data|3B 20|name|3D 22|programm|22 0d 0a 0d 0a|Windows Key|0d 0a|"; fast_pattern; reference:md5,c86923d90ef91653b0a61eb2fbfae202; reference:md5,0a52131eebbee1df877767875ab32352; classtype:command-and-control; sid:2013026; rev:4; metadata:created_at 2011_06_13, former_category MALWARE, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag Fake_404, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Asteria md5)"; flow:to_server,established; http.user_agent; content:"d9d385b3522b242398af91fd425b386d"; depth:32; reference:md5,56c16ad7da8cecb429dccb168aef46b7; classtype:trojan-activity; sid:2018985; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_08_22, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M1"; flow:established,to_server; threshold: type both, count 1, seconds 30, track by_dst; http.method; content:"GET"; http.uri; content:".aspx"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Win32|29|"; fast_pattern; http.cookie; pcre:"/^[A-F0-9]{50,}$/"; http.header_names; content:"Date"; content:"Connection"; content:"Pragma"; content:"Cache-Control"; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:command-and-control; sid:2026565; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; http.uri; content:"/stat_u/"; endswith; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014523; rev:5; metadata:created_at 2012_04_05, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.BackNet Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=%7B%22host_key%22%3A%22"; depth:28; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,aebb382b54e1521ad1309f66d29a1d1c; classtype:command-and-control; sid:2026572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category MALWARE, malware_family Stealer, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Ex-filtrating Data"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"POST /"; depth:6; fast_pattern; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:trojan-activity; sid:2018578; rev:8; metadata:created_at 2014_06_13, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lordix Stealer Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hw="; content:"&ps="; distance:0; content:"&ck="; distance:0; content:"&fl="; distance:0; http.request_body; content:"log.txt"; content:"cookies/Chrome_Cookies.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category TROJAN, malware_family Lordix, performance_impact Low, signature_severity Major, tag RAT, tag Stealer, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/NAT/"; distance:0; fast_pattern; content:"|20|NAT/"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2a835747b7442b1d58ab30abc90d3b0f; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018683; rev:7; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_05_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT33/CharmingKitten Encrypted Payload Inbound"; flow:established,from_server; flowbits:isset,ET.APT33CharmingKitten.1; http.stat_code; content:"200"; http.header; content:"|0d 0a|CacheControl|3a 20|"; fast_pattern; file.data; pcre:"/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i"; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026578; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; http.header; content:"Content-Length|3a 20|59|0d 0a|Host|3a 20|"; depth:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.uri; pcre:"/^\/[\/a-z0-9]+$/i"; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:command-and-control; sid:2018771; rev:6; metadata:created_at 2014_07_24, former_category MALWARE, updated_at 2020_05_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT29 CozyBear/SeaDaddy SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=Cnyunwei.CNC/emailAddress=root@Cnyunwei.CNC"; fast_pattern; tls.cert_serial; content:"46:76"; classtype:targeted-activity; sid:2026538; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag CozyBear, tag SeaDaddy, tag APT29, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo Cookie"; flow:established,to_client; http.cookie; content:"tfardci_session="; depth:16; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:trojan-activity; sid:2018770; rev:5; metadata:created_at 2014_07_24, updated_at 2020_05_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Kraken.v2 HTTP Pattern"; flow:established,to_server; http.user_agent; content:"Kraken web request agent/"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,e1aee9ef64d71e0c9bb8eee9742efdef; reference:url,securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/; classtype:trojan-activity; sid:2026588; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_09, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030092; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd"; tls.cert_serial; content:"00:BD:98:61:EE:0E:3E:D9:1D"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026589; rev:2; metadata:attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030093; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Minor, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=gooqleasadservices.com"; tls.cert_serial; content:"3E:B7:66:78:6D:FB:52:ED:59:7A:DD:25:52:47:04:A8"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//netcore_get.cgi"; depth:17; fast_pattern; http.cookie; content:"homeFirstShow=yes"; reference:url,www.exploit-db.com/exploits/48384; classtype:attempted-admin; sid:2030095; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"C=RU, OU=Domain Control Validated, CN=www.magento.name"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026602; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; http.user_agent; content:"Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 5 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=localhost.localdomain"; tls.cert_serial; content:"00:FF:A1:F0:8C:C1:45:51:3E"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis"; flow:established,to_server; http.user_agent; content:"pavuk"; nocase; reference:url,pavuk.sourceforge.net/about.html; reference:url,doc.emergingthreats.net/2009827; classtype:attempted-recon; sid:2009827; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Bot Reporting Vulnerable Server to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pma.php?ip="; depth:12; fast_pattern; pcre:"/^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$/R"; reference:url,www.intezer.com/muhstik-botnet-reloaded-new-variants-targeting-phpmyadmin-servers/; classtype:command-and-control; sid:2026607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_14, deployment Perimeter, former_category MALWARE, malware_family Muhstik, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WITOOL SQL Injection Scan"; flow:to_server,established; threshold: type threshold, track by_dst, count 2, seconds 30; http.uri.raw; content:"union+select"; content:"select+user"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|MyIE2"; fast_pattern; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; classtype:attempted-recon; sid:2009833; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Scanner Module Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?lang=en-utf-8&"; fast_pattern; http.header; content:"Keep-Alive|3a 20|300|0d 0a|"; http.user_agent; content:"Windows NT 10.0|3b 20|Win64|3b 20|x64"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; reference:url,www.intezer.com/muhstik-botnet-reloaded-new-variants-targeting-phpmyadmin-servers/; classtype:trojan-activity; sid:2026610; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Muhstik, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; flow:established,to_server; http.user_agent; content:"Mysqloit"; reference:url,code.google.com/p/mysqloit/; classtype:attempted-recon; sid:2009882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Baby Coin syschk CnC Communication"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = --------------------------- 7dab371b0124"; fast_pattern; bsize:74; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.alyac.co.kr/1640; classtype:command-and-control; sid:2026609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected"; flow:established,to_server; http.uri; content:"+UNION+select+'BENCHMARK(10000000,SHA1(1))"; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009883; classtype:attempted-recon; sid:2009883; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT29)"; flow:from_server,established; tls.cert_subject; content:"CN=pandorasong.com"; classtype:domain-c2; sid:2026618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT29, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_start_job attempt"; flow:to_server,established; http.uri; content:"sp_start_job"; nocase; reference:url,doc.emergingthreats.net/2010004; classtype:attempted-user; sid:2010004; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hades APT Downloader Attempting to Retrieve Stage 2 Payload"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/check/index"; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:url,research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/; classtype:targeted-activity; sid:2026619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag Hades, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; http.uri; content:"INTO"; nocase; content:"OUTFILE"; nocase; distance:0; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010037; classtype:web-application-attack; sid:2010037; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Renos/Artro Trojan Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; content:"=v"; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/"; http.user_agent; content:"wget"; nocase; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:md5,01ca25570659c2e1b8b887a3229ef421; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:command-and-control; sid:2013186; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SQL Injection Attempt (Agent uil2pn)"; flow:to_server,established; http.user_agent; content:"uil2pn"; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; classtype:web-application-attack; sid:2010215; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HackTool.Linux.SSHBRUTE.A Haiduc Initial Compromise C2 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php"; http.user_agent; content:"curl/"; fast_pattern; http.request_body; content:"info="; depth:5; content:"&data="; distance:0; classtype:command-and-control; sid:2026642; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Springenwerk XSS Scanner User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Springenwerk"; reference:url,springenwerk.org/; reference:url,doc.emergingthreats.net/2010508; classtype:attempted-recon; sid:2010508; rev:6; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DNSpionage Commands Embedded in Webpage Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d|eyJjIjogI"; fast_pattern; content:"|3c 21 2d 2d|"; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:targeted-activity; sid:2026672; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_28, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNSpionage, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; http.user_agent; content:"CZ32ts"; nocase; reference:url,doc.emergingthreats.net/2009029; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2010621; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE L0rdix Stealer CnC Sending Screenshot"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?h="; fast_pattern; content:"&o="; content:"&c="; content:"&g="; content:"&w="; content:"&p="; content:"&r="; content:"&f="; content:"&rm="; content:"&d="; http.request_body; content:"img="; depth:4; http.header_names; content:!"Referer"; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:command-and-control; sid:2026670; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_28, deployment Perimeter, former_category MALWARE, malware_family L0rdix, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit"; flow:established,to_server; http.uri; content:"/bin/bash"; reference:url,doc.emergingthreats.net/2010667; classtype:web-application-attack; sid:2010667; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE L0rdix Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hw="; fast_pattern; content:"&ps="; content:"&ck="; content:"&fl="; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http.header_names; content:!"Referer"; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:command-and-control; sid:2026671; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_28, deployment Perimeter, former_category MALWARE, malware_family L0rdix, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; http.uri; content:"/thisdoesnotexistahaha.php"; reference:url,doc.emergingthreats.net/2010720; classtype:web-application-attack; sid:2010720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Saving Base64 Decoded Payload to Temp M1 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String|28|"; nocase; content:"Set-Content"; distance:0; nocase; content:"C|3a 5c|Windows|5c|Temp"; distance:0; nocase; fast_pattern; content:"-Encoding"; distance:0; nocase; content:"|0a 0a 0a|"; pcre:"/^(?P<js>\$[a-z0-9]{1,15})\s*=\s*\[System\.Text\.Encoding\]::ASCII\.GetString\(\[System\.Convert\]::FromBase64String\((?P=js)\)\)\s*Set-Content\s*(?:-Path\s*C:\\Windows\\Temp\\[a-z0-9]{1,15}\.[a-z0-9]{2,4}\s*|-Value\s*(?P=js)\s*|-Encoding\s*ASCII){3}/Ri"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026675; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".old"; http.header; content:"Range|3A| bytes=0-199999"; http.user_agent; content:"Mozilla/5.0 SF/"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Saving Base64 Decoded Payload to Temp M2 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String|28|"; nocase; content:"Set-Content"; distance:0; nocase; content:"C|3a 5c|Windows|5c|Temp"; distance:0; nocase; fast_pattern; content:"-Encoding"; distance:0; nocase; content:"|0a 0a|"; pcre:"/^(?P<content>\$[a-z0-9]{1,15})\s*=\s*\[System\.Convert\]::FromBase64String\(\$[a-z0-9]{1,15}\)\s*Set-Content\s*(?:-Path\s*C:\\Windows\\Temp\\[a-z0-9]{1,15}\.vbe\s*|-Value\s*(?P=content)\s*|-Encoding\s*Byte){3}/Ri"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026676; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN crimscanner User-Agent detected"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"crimscanner/"; nocase; reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:2010954; rev:6; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?res="; http.request_body; content:"data="; depth:5; content:"Host|20|Name|3a|"; distance:0; content:"OS|20|Name|3a|"; distance:0; content:"OS|20|Configuration|3a|"; distance:0; content:"Original|20|Install|20|Date|3a|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; http.user_agent; content:"Casper Bot"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) HttpHeader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAA"; endswith; http.header; content:"Accept|3a 20|*/*"; depth:11; content:"Accept-Encoding|3a 20|gzip, deflate"; within:32; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; within:192; content:"Host|3a 20|r.photo.store.qq.com"; fast_pattern; within:28; content:"Connection|3a 20|Keep-Alive"; within:24; isdataat:!3,relative; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2026688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/w3af/remoteFileInclude.html"; nocase; http.host; content:"w3af.sourceforge.net"; startswith; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Harvesting Email Addresses 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getemail.php?lang="; fast_pattern; content:"&s="; distance:0; content:"&n="; distance:0; content:"&em="; distance:0; content:"@"; distance:0; content:"|3b|"; distance:0; reference:url,www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/; classtype:trojan-activity; sid:2026720; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_11, deployment Perimeter, former_category TROJAN, malware_family Danabot, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/<invalid>hello.html"; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Harvesting Email Addresses 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e.php?s=itfullemail&n="; fast_pattern; content:"&b="; distance:0; content:"&_="; distance:0; reference:url,www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/; classtype:trojan-activity; sid:2026721; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_11, deployment Perimeter, former_category TROJAN, malware_family Danabot, signature_severity Major, updated_at 2020_08_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/exe.php?x=mdac"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"exe.php?x=mdac"; nocase; classtype:exploit-kit; sid:2011908; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?sys="; content:"&c_type="; distance:0; content:"&dis_type="; distance:0; fast_pattern; content:"&num="; distance:0; content:"&user="; distance:0; content:"&ver="; distance:0; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:command-and-control; sid:2026725; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; flowbits:set,et.ddwrt.infodis; http.uri; content:"/Info.live.htm"; nocase; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:6; metadata:created_at 2010_12_30, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?res="; http.request_body; content:"data="; depth:5; content:"Host+Name%3A"; distance:0; content:"OS+Name%3A"; distance:0; content:"OS+Configuration%3A"; distance:0; content:"Original+Install+Date%3A"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI"; flow:established,to_server; http.uri; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012150; rev:4; metadata:created_at 2011_01_06, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id_name="; fast_pattern; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"attach="; depth:7; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Sofacy, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 8.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:6; metadata:created_at 2011_05_10, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Downloader Error POST"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; depth:15; http.host; content:"google.com"; depth:10; http.request_body; content:"project=%"; depth:9; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"(internal dummy connection)"; classtype:trojan-activity; sid:2012937; rev:4; metadata:created_at 2011_06_07, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Secondary Payload CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; depth:15; fast_pattern; http.request_body; content:"l="; depth:2; content:!"%"; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,3773150aeee03783a6da0820a8feb752; classtype:targeted-activity; sid:2026754; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/rfiinc.txt"; http.host; content:"cirt.net"; bsize:8; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:5; metadata:affected_product Any, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Zebrocy/Zekapab Reporting to CnC M3"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla|20|v5.1|20 28|Windows"; depth:21; http.request_body; content:"regid="; depth:6; content:"%20FIXED,%20TOTAL|3a|%20"; distance:0; content:"%0AHost%20Name|3a|%20%20%20%20%20%20"; distance:0; content:"%0AOS%20Name|3a|%20%20%20%20%20"; fast_pattern; content:"%0AOS%20Version|3a|%20%20%20%20%20%20"; distance:0; reference:url,unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/; classtype:targeted-activity; sid:2026762; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HighTide trojan Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?"; depth:2; pcre:"/^\/\?\d(?:[A-Za-z0-9~_]{4})*(?:[A-Za-z0-9~_]{2}--|[A-Za-z0-9~_]{3}-|[A-Za-z0-9~_]{4})$/"; http.header; content:"Trident/5.0|29 0d 0a|"; fast_pattern; http.referer; content:"http://www.google.com/"; bsize:22; reference:md5,6e59861931fa2796ee107dc27bfdd480; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:command-and-control; sid:2019113; rev:3; metadata:created_at 2014_09_04, former_category MALWARE, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 2 - CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmp/Cobra_"; fast_pattern; content:!"&"; content:!"."; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Threebyte.APT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/UID"; fast_pattern; depth:4; content:".jsp?"; distance:0; pcre:"/^\/UID\d+\.jsp\?/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:targeted-activity; sid:2019114; rev:3; metadata:created_at 2014_09_04, former_category MALWARE, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; tls.cert_serial; content:"0E:06:ED:F2:C3:91"; classtype:domain-c2; sid:2026616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iplookup/iplookup.php?format="; fast_pattern; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:external-ip-check; sid:2019126; rev:3; metadata:created_at 2014_09_05, former_category POLICY, updated_at 2020_05_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper RAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checksolutions.pw"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:domain-c2; sid:2026767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_09, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bravix.Dropper CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php?file=cmds/main"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,19484a240a16c7faea84dcac0c38d118; classtype:command-and-control; sid:2019128; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader 7zip Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/support.html"; fast_pattern; http.host; content:"www.7-zip.org"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,9bea24aadc1061d39ec15707a1f9b87b; classtype:trojan-activity; sid:2026805; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php"; content:"action=revslider_show_image"; http.uri.raw; content:"img=|2e 2e 2f|"; reference:url,exploit-db.com/exploits/34511/; classtype:web-application-attack; sid:2019137; rev:3; metadata:created_at 2014_09_08, updated_at 2020_05_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; threshold: type both, count 5, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?TIe="; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d\x7b\x7d]+$/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer"; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; reference:md5,8d42c01180be7588a2a68ad96dd0cf85; classtype:command-and-control; sid:2025198; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT OSX.XSLCmd CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/compose.aspx?s="; fast_pattern; http.accept_lang; content:"zh-cn"; bsize:5; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; reference:url,fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; classtype:targeted-activity; sid:2019136; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE W32/Emotet CnC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.cookie; pcre:"/^[0-9]{3,5}\s*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Cookie|3a 20|"; http.header_names; content:"|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; depth:40; fast_pattern; content:!"Referer"; content:!"Accept"; reference:md5,d51ce75c66d1ac9f071b45b67fb8066c; classtype:command-and-control; sid:2035052; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS User-Agent"; flow:established,to_server; http.user_agent; content:"Decebalv"; depth:8; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019161; rev:4; metadata:created_at 2014_09_11, updated_at 2020_05_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Backdoor.Win32.TeamBot / RTM C2 Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<RESULT>true</RESULT>"; depth:21; classtype:command-and-control; sid:2026854; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Teambot, updated_at 2020_08_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-05-05)"; flow:established,to_client; tls.cert_subject; content:"CN=www.astedams.it"; nocase; endswith; reference:md5,9ea365c1714eb500e5f4a749a3ed0fe7; classtype:domain-c2; sid:2030101; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_05_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreDn CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib.asp?id="; fast_pattern; pcre:"/^[a-z0-9]{3,10}$/Ri"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Referer"; content:!"Cache"; reference:url,blog.talosintelligence.com/2019/01/fake-korean-job-posting.html; classtype:command-and-control; sid:2026865; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family CoreDn, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nspps Backdoor CnC Activity"; flow:established,to_server; http.header; content:"|0d 0a|Arch|3a 20|"; content:"|0d 0a|Cores|3a 20|"; content:"|0d 0a|Mem|3a 20|"; content:"|0d 0a|Os|3a 20|"; content:"|0d 0a|Osname|3a 20|"; content:"|0d 0a|Osversion|3a 20|"; fast_pattern; content:"|0d 0a|Root|3a 20|"; content:"|0d 0a|Uuid|3a 20|"; content:"|0d 0a|Version|3a 20|"; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030108; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreDn CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib.asp?search="; fast_pattern; pcre:"/^[a-z0-9]{5,30}$/Ri"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Referer"; content:!"Cache"; reference:url,blog.talosintelligence.com/2019/01/fake-korean-job-posting.html; classtype:command-and-control; sid:2026866; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family CoreDn, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE nspps Backdoor - Sending SOCKS Details"; flow:established,to_server; http.start; content:"POST /s HTTP/1.1|0d 0a|"; http.request_body; content:"|57 7a 74 47 8c 44 c8 7c ed|"; startswith; fast_pattern; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030109; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Grandoreiro CnC Activity (vbs)"; flow:established,to_server; urilen:15<>21; http.method; content:"GET"; http.uri; content:"/spain/index.php"; endswith; fast_pattern; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; reference:md5,2cb39126dd8f22ffdf2ad2b679405653; classtype:command-and-control; sid:2030807; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE nspps Backdoor - Task Response"; flow:established,to_client; http.stat_code; content:"404"; file_data; bsize:10; content:"|62 37 55 14 af 59 9f 28 ab 34|"; fast_pattern; reference:url,ironnet.com/blog/malware-analysis-nspps-a-go-rat-backdoor/; reference:md5,435716b4f56cf94fdb7f6085dced41e5; classtype:command-and-control; sid:2030110; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Babax Stealer Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument?chat_id="; distance:0; content:"&caption=%E2%98%A0%EF%B8%8F%20Brought%20you%20by%20Babax"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"|2e|logs|22 0d 0a|Content-Type|3a 20|application/x-ms-dos-executable|0d 0a 0d 0a|PK"; reference:md5,7413dfd6fc0eed1927e1d44c23b80571; reference:url,twitter.com/Pyhoma07/status/1279758745560584195; classtype:command-and-control; sid:2030805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Babax, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT NEC SL2100 - Session Enumeration Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PyxisUaMenu.htm?sessionId="; startswith; pcre:"/^\d{3}/R"; content:"&MAINFRM|28|444,-1,591|29|"; distance:0; fast_pattern; threshold:type threshold, count 5, seconds 60, track by_dst; reference:url,www.exploit-db.com/exploits/48425; classtype:attempted-recon; sid:2030102; rev:2; metadata:attack_target Server, created_at 2020_05_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Minor, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AgentTesla Variant Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument"; distance:0; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"name|3d 22|caption|22 0d 0a 0d 0a|New PW Recovered!|0d 0a 0d 0a|User Name|3a 20|"; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1298742352069054464; reference:md5,0c22e92073fc56a574a6c860ddef1c2d; classtype:command-and-control; sid:2030806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Image Manager 5.2.4 - RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"index.php?&p="; content:"/backup/uploadRestore"; endswith; fast_pattern; http.request_body; content:"<?"; reference:url,www.exploit-db.com/exploits/48423; classtype:attempted-admin; sid:2030103; rev:1; metadata:affected_product PHP, attack_target Server, created_at 2020_05_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GoldenSpy Domain Observed"; dns.query; content:"ningzhidata.com"; nocase; endswith; reference:url,trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf; classtype:trojan-activity; sid:2030803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"ET MALWARE Nazar Implant - Sending Ping Response to CnC"; flow:established,to_server; dsize:9; content:"|31 30 31 3b 30 30 30 30 3b|"; fast_pattern; reference:url,research.checkpoint.com/2020/nazar-spirits-of-the-past/; classtype:command-and-control; sid:2030104; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag NazarAPT, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?b9zd1="; fast_pattern; content:"&cid="; distance:0; content:"&sid="; distance:0; content:"&v_id="; distance:0; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026910; rev:2; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 4000 (msg:"ET MALWARE Nazar Implant - Sending Basic System Info to CnC"; flow:established,to_server; dsize:<200; content:"100|3b|"; startswith; fast_pattern; content:"|3b|"; distance:0; content:"|3b 00 00 00 00|"; endswith; reference:url,research.checkpoint.com/2020/nazar-spirits-of-the-past/; classtype:command-and-control; sid:2030105; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag NazarAPT, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?campid="; fast_pattern; content:"&model="; distance:0; content:"&os="; distance:0; content:"&city="; distance:0; content:"&ip="; distance:0; content:"&ua="; distance:0; content:"&language="; distance:0; content:"&isp="; distance:0; content:"&carrier="; distance:0; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026912; rev:3; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT BlogEngine 3.3 - syndication.axd XXE Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/syndication.axd?apml="; fast_pattern; pcre:"/^(?:https?:\/\/|(\d{1,3}\.){3}\d{1,3}|([a-z0-9-]+\.)+[a-z]{1,8})/Ri"; reference:url,www.exploit-db.com/exploits/48422; classtype:attempted-admin; sid:2030106; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_05_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sd/?c="; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&u="; distance:0; content:"&s="; distance:0; content:"&o="; distance:0; content:"&b="; distance:0; pcre:"/^\d{3,15}$/R"; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026913; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DELETED Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Online%20Scheduling%20System/"; http.request_body; content:"username=0&password=0&lgn=Login"; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030107; rev:1; metadata:attack_target Server, created_at 2020_05_05, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirectsX CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAAAAAAAAAA"; pcre:"/^\/(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.header; content:"X-MU-Session-ID|3a 20|"; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2026916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family DirectsX, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M1"; flow:established,to_server; http.start; bsize:22; content:"GET /START_ HTTP/1.1|0d 0a|"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (LazarusGroup CnC)"; flow:from_server,established; tls.cert_serial; content:"01:90:17:98:AF:94:1C:5E"; classtype:domain-c2; sid:2026944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Lazarus, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EVILNUM CnC Response"; flow:established,to_client; http.response_body; content:"jifhruhajsdfg444"; fast_pattern; startswith; content:"jifhruhajsdfg444"; endswith; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030119; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hp.php?"; depth:8; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible MPC Sharj 3.11.1 - Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; fast_pattern; pcre:"/^(?:==[A-Z0-9+/]{2}|=[A-Z0-9+/]{3}|[A-Z0-9+/]{4})(?:[A-Z0-9+/]{4})*$/Ri"; content:"L"; endswith; reference:url,www.exploit-db.com/exploits/48433; classtype:attempted-admin; sid:2030115; rev:1; metadata:attack_target Web_Server, created_at 2020_05_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Grandoreiro CnC Activity (iso)"; flow:established,to_client; content:"|2e|iso|22 3b 0d 0a 0d 0a|VUVzREJCUUFBQUFJQU5sRUJWSHBLeVltQlY0OEFBQzh6QXNRQ"; fast_pattern; http.stat_code; content:"200"; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; reference:md5,2cb39126dd8f22ffdf2ad2b679405653; classtype:command-and-control; sid:2030808; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JsOutProx Variant CnC Activity"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Content-Type|3a 20|application/x-www-Form-urlencoded|3b 20|Charset=UTF-8|0d 0a|"; fast_pattern; http.cookie; pcre:"/^[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; classtype:command-and-control; sid:2030114; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, signature_severity Major, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/set.html?"; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Cobalt Strike Stager Domain in DNS Query"; dns.query; content:"cylenceprotect.com"; bsize:18; nocase; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:domain-c2; sid:2030112; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.htm?"; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Observed iesnare/iovation Tracking Activity"; flow:established,to_server; dsize:22; content:"|47 45 54 20 2f 73 70 61 63 65 20 20 48 54 54 50 2f 31 2e 30 0a 0a|"; classtype:policy-violation; sid:2030113; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_05_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"faxpctodaymessage"; nocase; pcre:"/^\.(?:space|press|website)$/R"; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026952; rev:3; metadata:created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win.Trojan.Chewbacca connectivity check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,www.symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:trojan-activity; sid:2019162; rev:5; metadata:created_at 2014_08_18, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei Stealer Client Data Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|hwid|22|"; nocase; content:"form-data|3b 20|name=|22|os|22|"; nocase; content:"form-data|3b 20|name=|22|platform|22|"; nocase; content:"form-data|3b 20|name=|22|user|22|"; nocase; content:"form-data|3b 20|name=|22|cccount|22|"; nocase; reference:md5,72bcbfd1020d002d2e20e0707b8ef700; classtype:trojan-activity; sid:2025431; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dumador Reporting User Activity"; flow:established,to_server; http.uri; content:".php?p="; nocase; content:"machineid="; nocase; content:"&connection="; nocase; content:"&iplan="; nocase; reference:url,www.norman.com/Virus/Virus_descriptions/24279/; reference:url,doc.emergingthreats.net/2002763; classtype:trojan-activity; sid:2002763; rev:9; metadata:created_at 2010_07_30, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"BCDEF="; content:"&MNOPQ="; content:"&GHIJ="; content:"&UVWXYZ="; fast_pattern; content:"&st="; reference:md5,7cc0b212d1b8ceb808c250495d83bae4; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2026740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS LOIC Javascript DDoS Outbound"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"/?id="; fast_pattern; depth:5; content:"&msg="; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:6; metadata:created_at 2012_01_23, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArtraDownloader/TeleRAT Checkin"; flow:to_server,established; http.uri; content:".php?a="; content:"&b="; distance:0; content:"&c="; distance:0; content:"Windows|20|"; distance:0; fast_pattern; content:"&d="; distance:0; content:"&e="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,a1bdb1889d960e424920e57366662a59; classtype:command-and-control; sid:2026641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family RAT, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC POST"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.request_body; content:"13"; depth:2; content:"=MSG"; fast_pattern; distance:11; within:4; pcre:"/^13\d{11}/"; classtype:web-application-attack; sid:2016030; rev:5; metadata:created_at 2012_12_14, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArtraDownloader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"dwnack.php?cId="; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026985; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_26, deployment Perimeter, former_category MALWARE, malware_family ArtraDownloader, performance_impact Low, signature_severity Major, tag Patchwork, tag DonotGroup, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS LOIC GET"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"GET"; http.uri; content:"/?msg=MSG"; classtype:web-application-attack; sid:2016031; rev:4; metadata:created_at 2012_12_14, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Landing M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hyllkjit/"; depth:10; fast_pattern; content:"/?n="; pcre:"/^\/hyllkjit\/[a-f0-9]{8}\/\?n=\d{4,10}$/i"; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026911; rev:3; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|ru|3b 20|rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011821; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer Malicious Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/d1833/"; depth:7; fast_pattern; content:"/?software="; distance:0; content:"&title="; content:"&clickid="; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:trojan-activity; sid:2026986; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category TROJAN, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|ru|3b 20|rv|3a|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011822; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Spy.RTM/Redaman IP Check"; flow: established, to_server; http.method; content:"GET"; http.uri; content:"/index_small.php"; fast_pattern; endswith; http.header; content:"Cache-Control|3a 20|no-cache"; depth:24; content:"Connection|3a 20|Close"; within:19; content:"Pragma|3a 20|no-cache"; within:18; content:"Accept|3a 20|text/html, application/xhtml+xml, */*"; within:47; content:"Accept-Language|3a 20|en-US"; within:24; content:"Host|3a 20|"; within:8; isdataat:!35,relative; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2027025; rev:3; metadata:created_at 2019_03_04, former_category TROJAN, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected outbound 2"; flow:established,to_server; http.user_agent; content:"Opera/9.02 (Windows NT 5.1|3b 20|U|3b 20|ru)"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011823; rev:4; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Windows|20|NT|20|6,2"; content:"Gecko|2f|201001o1|20|Firef0x/19,0"; distance:0; fast_pattern; http.request_body; content:"9"; depth:1; pcre:"/^9(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027057; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS User-Agent used in known DDoS Attacks Detected inbound 2"; flow:established,to_server; http.user_agent; content:"Opera/9.02 (Windows NT 5.1|3b 20|U|3b 20|ru)"; reference:url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/; classtype:denial-of-service; sid:2011824; rev:5; metadata:created_at 2010_10_18, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Gecko|2f|201001o1|20|Firef0x/19,0"; fast_pattern; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:trojan-activity; sid:2027060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category USER_AGENTS, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download wm.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/wm.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012460; rev:4; metadata:created_at 2011_03_10, former_category MALWARE, updated_at 2020_05_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gootkit CnC)"; flow:from_server,established; content:"|82 1c|ws.diminishedvalueoregon.com"; tls.cert_serial; content:"0E:1F:E3:45:FC:89"; classtype:domain-c2; sid:2027101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family Gootkit, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible JKDDOS download cl.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cl.exe"; nocase; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012461; rev:4; metadata:created_at 2011_03_10, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] -> $HOME_NET any (msg:"ET MALWARE Win32/Emotet CnC Checkin Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; depth:24; http.content_len; content:"132"; file.data; content:"|78 63 e0 c7 31 a5 dd f1 f4 55 30 e4 67 f7 ab f2 c6 68 a2 26|"; fast_pattern; reference:md5,129ed9c08c8ba6dc62d48ff2c3fc6a50; reference:md5,4ca520895d86beb6f8cab93639f26f50; classtype:command-and-control; sid:2035054; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Emotet, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader requesting payload URL"; flow:established,to_server; http.uri; content:"/lurl.php?affid="; depth:16; classtype:trojan-activity; sid:2012514; rev:4; metadata:created_at 2011_03_16, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RocketMan Win32/Drun"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Host|3a 20|"; depth:6; http.request_body; content:"|20|name=|22|kind|22|"; fast_pattern; content:"|20|name=|22|fname|22|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,twitter.com/securitydoggo/status/954337767751905280; classtype:trojan-activity; sid:2025224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category TROJAN, malware_family Drun, performance_impact Moderate, signature_severity Major, tag RocketMan, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit malware payload download"; flow:established,to_server; http.uri; content:".php?deserialize="; reference:url,doc.emergingthreats.net/2011183; classtype:exploit-kit; sid:2011183; rev:6; metadata:created_at 2010_07_30, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaseBot CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?btc="; depth:30; fast_pattern; content:"&login="; distance:0; content:"&pwd="; distance:0; http.header_names; content:"Host|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; classtype:command-and-control; sid:2027113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, malware_family ChaseBot, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/auto_update/HideMyIP/update.dat"; nocase; classtype:policy-violation; sid:2011311; rev:6; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoinMiner Performing System Checkin"; flow:established,to_server; http.uri; content:"/ReportSpeed"; endswith; fast_pattern; http.request_body; content:"|2c 22|GpuDriver|22 3a 22|"; content:"|2c 22|OSName|22 3a 22|"; content:"|2c 22|DiskSpace|22 3a 22|"; reference:md5,0bdfccd5aab30f98e212abde79d923ef; classtype:coin-mining; sid:2030812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cz.cc domain"; flow:to_server,established; http.host; content:".cz.cc"; endswith; classtype:bad-unknown; sid:2011375; rev:5; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE C3Pool CoinMiner Setup Script Download"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"echo C3Pool mining setup script v%VERSION%."; depth:200; fast_pattern; reference:md5,57d01da1ecf73b6ac9564c180e1363c6; classtype:coin-mining; sid:2030813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bredolab CnC URL Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"controller.php"; nocase; content:"action=bot"; nocase; content:"entity_list="; nocase; content:"uid="; nocase; content:"guid="; nocase; reference:url,blog.fireeye.com/.a/6a00d835018afd53ef013488839529970c-pi; classtype:command-and-control; sid:2011861; rev:5; metadata:created_at 2010_10_28, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dorv Stealer Exfiltrating Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla|2f|3.0"; http.request_body; content:"name=|22|files|22 3b|"; content:"|0d 0a 0d 0a|PK"; distance:0; content:"|2f|BSSID.txt"; distance:0; content:"|2f|Screenshot."; distance:0; fast_pattern; http.request_line; content:".php HTTP/1.0"; reference:md5,888864c2ea27babf978d5feda40b3b2f; reference:url,twitter.com/wdsecurity/status/1105992405629583362; classtype:command-and-control; sid:2027087; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Win32_Dorv, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT exploit kit x/load/svchost.exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"load/svchost.exe"; nocase; classtype:exploit-kit; sid:2011906; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound JasperLoader Using Array Push Obfuscation"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|=|20|new|20|Array|28 29 3b|"; depth:50; content:".push|28 22|"; distance:0; pcre:"/^(?:\x22|[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?<pushvar>\.push\x28\x22)(?:\x22|[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?P=pushvar)(?:[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?P=pushvar)(?:[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?P=pushvar)/Ri"; content:".push|28 22 22 29 0d 0a|"; fast_pattern; content:"eval|28|"; distance:0; classtype:trojan-activity; sid:2027102; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue AV Downloader concat URI"; flow:established,to_server; http.uri; content:".php?id="; content:"x="; distance:0; content:"os="; distance:0; content:"n="; distance:0; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:7; metadata:created_at 2010_11_15, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/VBS.SLoad.Backdoor Initial Base64 Encoded OK Server Response"; flow:established,to_client; http.header; content:"Authorization|3a 20|b2sgb2s="; reference:url,www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html; reference:md5,3aabc9767d02c75ef44df6305bc6a41f; classtype:trojan-activity; sid:2027118; rev:3; metadata:created_at 2019_03_27, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious bot.exe Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot.exe"; nocase; reference:url,www.malwareurl.com/listing.php?domain=19eylulmusikicemiyeti.com; classtype:trojan-activity; sid:2011967; rev:4; metadata:created_at 2010_11_22, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (lessie)"; flow:established,to_server; http.user_agent; content:"lessie"; nocase; depth:6; pcre:"/^lessie(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027129; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Post-infection Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/license_"; nocase; pcre:"/^[0-9A-F]{550,}\.html/Ri"; classtype:command-and-control; sid:2011969; rev:10; metadata:created_at 2010_11_23, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Cakle)"; flow:established,to_server; http.user_agent; content:"Cakle"; nocase; depth:5; pcre:"/^Cakle(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027131; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious flash_player.exe Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/flash_player.exe"; reference:url,www.malwareurl.com/listing.php?domain=newpornmov.info; classtype:bad-unknown; sid:2011982; rev:4; metadata:created_at 2010_11_24, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Damien)"; flow:established,to_server; http.user_agent; content:"Damien"; nocase; depth:6; pcre:"/^Damien(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027133; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BackDoor-DRV.gen.c Reporting-1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tzl/tzl.php?"; nocase; content:"hl="; nocase; reference:md5,d5ff6df296c068fcc0ddd303984fa6b9; classtype:trojan-activity; sid:2012113; rev:4; metadata:created_at 2010_12_30, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Solar)"; flow:established,to_server; http.user_agent; content:"Solar"; nocase; depth:5; pcre:"/^Solar(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027135; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.ini"; flow:established,to_server; http.uri; content:"/setting.ini"; nocase; reference:md5,36d9a446d6311f9a4c19865e2b62f15d; reference:md5,fcb828c0b735ea8d560a45b3bdd29b94; classtype:trojan-activity; sid:2012198; rev:6; metadata:created_at 2011_01_17, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (muhstik)"; flow:established,to_server; http.user_agent; content:"muhstik"; nocase; depth:7; pcre:"/^muhstik(?:-scan)?(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027137; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.xls"; flow:established,to_server; http.uri; content:"/setting.xls"; nocase; reference:md5,fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012199; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Shaolin)"; flow:established,to_server; http.user_agent; content:"Shaolin"; nocase; depth:7; pcre:"/^Shaolin(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027139; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Worm W32.Svich or Other Infection Request for setting.doc"; flow:established,to_server; http.uri; content:"/setting.doc"; nocase; reference:md5,fb789b067c2809c25fb36abb677cdfcd; classtype:trojan-activity; sid:2012200; rev:5; metadata:created_at 2011_01_17, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Rift)"; flow:established,to_server; http.user_agent; content:"Rift"; nocase; depth:4; pcre:"/^Rift(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027119; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cnzz.cn Related Dropper Checkin"; flow:established,to_server; http.uri; content:"?Hook1=1,Setup="; classtype:command-and-control; sid:2013790; rev:6; metadata:created_at 2011_02_27, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Tsunami)"; flow:established,to_server; http.user_agent; content:"Tsunami"; nocase; depth:7; pcre:"/^Tsunami(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027121; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Download Setup_ exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Setup_"; nocase; content:".exe"; nocase; pcre:"/\/Setup_\d+\.exe$/i"; reference:url,www.malwareurl.com/listing.php?domain=antivirus-live21.com; classtype:trojan-activity; sid:2012392; rev:6; metadata:created_at 2011_03_01, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Yowai)"; flow:established,to_server; http.user_agent; content:"Yowai"; nocase; depth:5; pcre:"/^Yowai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027123; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakePAV Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/soft-usage/favicon.ico?"; nocase; pcre:"/\?0=.*\&1=.*\&2=.*\&3=.*\&4=.*\&5=.*\&6=.*\&7=.*\&8=/i"; reference:md5,f5dd61e29eff89a93c591fba7ea14d92; classtype:command-and-control; sid:2012405; rev:5; metadata:created_at 2011_03_01, former_category MALWARE, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Yakuza)"; flow:established,to_server; http.user_agent; content:"Yakuza"; nocase; depth:6; pcre:"/^Yakuza(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027125; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.gv.vg domain"; flow:established,to_server; http.host; content:".gv.vg"; endswith; classtype:bad-unknown; sid:2012542; rev:6; metadata:created_at 2011_03_24, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027127; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ce.ms domain"; flow:established,to_server; http.host; content:".ce.ms"; endswith; classtype:bad-unknown; sid:2012593; rev:6; metadata:created_at 2011_03_29, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil PDF Retrieving Emotet Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?InvoiceType=Regular&date="; fast_pattern; pcre:"/\/[A-Za-z0-9]{2,8}[-_][a-zA-Z0-9-_]+\/\?InvoiceType=Regular&date=[0-9-_]+$/"; reference:md5,136dca58d0a0802c7abfce8dce4b7526; classtype:trojan-activity; sid:2035060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Slugin.A PatchTimeCheck.dat Request"; flow:established,to_server; http.uri; content:"/PatchTimeCheck.dat"; nocase; classtype:trojan-activity; sid:2012616; rev:5; metadata:created_at 2011_04_01, updated_at 2020_05_06;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Data Exfil SMTP"; flow:established,to_server; content:"Subject|3a 20|MassLogger|20 7c 20|"; fast_pattern; reference:md5,862b6b45307a816ac1e3321ec66b212d; classtype:command-and-control; sid:2030809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cw.cm domain"; flow:established,to_server; http.host; content:".cw.cm"; endswith; classtype:bad-unknown; sid:2012737; rev:5; metadata:created_at 2011_04_28, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper CnC Inital Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"key="; depth:4; nocase; content:"&sysid="; nocase; distance:0; fast_pattern; content:"&resp="; nocase; distance:0; content:"&misc="; distance:0; classtype:command-and-control; sid:2026772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Sending Data to Controller 2"; flow:established,to_server; http.uri; content:"/cgi-bin/rokfeller3.cgi?v=11"; nocase; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:command-and-control; sid:2012800; rev:5; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A Fake HTTP 500 Containing Encoded Commands Inbound"; flow:established,from_server; http.header; content:"charset=UTF-8"; http.response_line; content:"HTTP|2f|1.0|20|500|20|Internal|20|Server|20|Error"; file.data; content:"500|20|Internal|20|Server|20|Error|3c 21 2d 2d|"; fast_pattern; pcre:"/^[A-F0-9]+\x2d\x2d\x3e(?:\r\n)?$/R"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:trojan-activity; sid:2027156; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category TROJAN, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ae.am domain"; flow:to_server,established; http.host; content:".ae.am"; endswith; classtype:bad-unknown; sid:2012896; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SGFuZGxlcyAgTlBNKEspICAgIFBNKEspICAgICAgV1MoSykgVk0oTSkgICBDUFUo"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; reference:url,attack.mitre.org/techniques/T1132/; classtype:trojan-activity; sid:2027211; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, tag T1086, tag T1057, tag T1132, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.noc.su domain"; flow:to_server,established; http.host; content:".noc.su"; endswith; classtype:bad-unknown; sid:2012897; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hhbmRsZXMgIE5QTShLKSAgICBQTShLKSAgICAgIFdTKEspIFZNKE0pICAgQ1BVKH"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; reference:url,attack.mitre.org/techniques/T1132/; classtype:trojan-activity; sid:2027212; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, tag T1086, tag T1057, tag T1132, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.be.ma domain"; flow:to_server,established; http.host; content:".be.ma"; endswith; classtype:bad-unknown; sid:2012898; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"IYW5kbGVzICBOUE0oSykgICAgUE0oSykgICAgICBXUyhLKSBWTShNKSAgIENQVSh"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; reference:url,attack.mitre.org/techniques/T1132/; classtype:trojan-activity; sid:2027213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, tag T1086, tag T1057, tag T1132, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.qc.cx domain"; flow:to_server,established; http.host; content:".qc.cx"; endswith; classtype:bad-unknown; sid:2012899; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"domainoutlet.site"; distance:0; nocase; fast_pattern; pcre:"/^CN=(?:help|g(?:ui(?:de|ld)|round))\.domainoutlet\.site$/"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)"; flow:established,to_server; http.host; content:"ianxz6zefk72ulzz.onion"; endswith; classtype:policy-violation; sid:2013015; rev:4; metadata:created_at 2011_06_13, updated_at 2020_05_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drivethrough.top"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:jasper|qwe|alter|car|param|bike|genwar)\.)?drivethrough\.top$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Tracur.Q HTTP Communication"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"fQ_fQ_fQ_fQ"; reference:url,xml.ssdsandbox.net/view/d2afc3be7357f96834ec684ab329d7e2; classtype:trojan-activity; sid:2013064; rev:4; metadata:created_at 2011_06_17, updated_at 2020_05_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drinkeatgood.space"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:justin|digest)\.)?drinkeatgood\.space$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; http.host; content:".co.be"; endswith; classtype:bad-unknown; sid:2013123; rev:6; metadata:created_at 2011_06_29, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Cobalt Strike payload"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:5; within:4; file.data; content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern; classtype:targeted-activity; sid:2024771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.co.com.au domain"; flow:to_server,established; http.host; content:".co.com.au"; endswith; classtype:bad-unknown; sid:2013412; rev:4; metadata:created_at 2011_08_16, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mac="; content:"&av="; distance:0; content:"&os="; distance:0; content:"&ver="; distance:0; content:"&bit="; distance:0; content:"bit&flag2="; distance:0; fast_pattern; content:"&domain="; distance:0; content:"&user="; distance:0; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027148; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cz.tf domain"; flow:to_server,established; http.host; content:".cz.tf"; endswith; classtype:bad-unknown; sid:2013415; rev:4; metadata:created_at 2011_08_17, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?id="; content:"&mac="; distance:0; content:"&OS="; distance:0; content:"&BIT="; distance:0; content:"bit&IT="; distance:0; fast_pattern; content:"&VER="; distance:0; content:"&mpass="; distance:0; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Python, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.c0m.li domain"; flow:to_server,established; http.host; content:".c0m.li"; endswith; classtype:bad-unknown; sid:2013460; rev:4; metadata:created_at 2011_08_26, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megumin v2 Stealer User-Agent"; flow:established,to_server; http.user_agent; content:"Megumin/2."; depth:10; reference:md5,7310e691d1d32b18114b5f0a8105e082; classtype:trojan-activity; sid:2027293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Megumin, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.int.tf domain"; flow:to_server,established; http.host; content:".int.tf"; endswith; classtype:bad-unknown; sid:2013829; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=1BEF0A57BE110FD467A"; fast_pattern; reference:md5,dd5e5142ba2ab5f31e5518396c45ba1f; classtype:trojan-activity; sid:2034813; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.edu.tf domain"; flow:to_server,established; http.host; content:".edu.tf"; endswith; classtype:bad-unknown; sid:2013830; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ServHelper CnC Command (Net User)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"shell^net user /domain"; depth:22; fast_pattern; reference:md5,8efa9d3c901234f24659a8ea9c3fee14; reference:url,www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware; classtype:command-and-control; sid:2027301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.us.tf domain"; flow:to_server,established; http.host; content:".us.tf"; endswith; classtype:bad-unknown; sid:2013831; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ServHelper CnC Command (Reg Add)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"shell^reg add|20|"; depth:14; fast_pattern; reference:md5,8efa9d3c901234f24659a8ea9c3fee14; reference:url,www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware; classtype:command-and-control; sid:2027302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ca.tf domain"; flow:to_server,established; http.host; content:".ca.tf"; endswith; classtype:bad-unknown; sid:2013832; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ServHelper CnC Command (Whoami)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"shell^whoami"; depth:12; fast_pattern; reference:md5,8efa9d3c901234f24659a8ea9c3fee14; reference:url,www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware; classtype:command-and-control; sid:2027303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.bg.tf domain"; flow:to_server,established; http.host; content:".bg.tf"; endswith; classtype:bad-unknown; sid:2013833; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JAR/Qealler Stealer HTTP Headers Observed"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|q-qealler-id|0d 0a|q-qealler-stub-id|0d 0a|"; fast_pattern; content:!"Referer"; reference:url,www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer; classtype:trojan-activity; sid:2027311; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_02, deployment Perimeter, former_category TROJAN, malware_family Qealler, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ru.tf domain"; flow:to_server,established; http.host; content:".ru.tf"; endswith; classtype:bad-unknown; sid:2013834; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/Unk.EB.Spreader CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=----------"; depth:15; content:"----|0a|COMPUTER|20|NAME|3a 20|"; distance:0; fast_pattern; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:command-and-control; sid:2027334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, former_category MALWARE, malware_family ETERNALBLUE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pl.tf domain"; flow:to_server,established; http.host; content:".pl.tf"; endswith; classtype:bad-unknown; sid:2013835; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq Executing New Processes"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; http.request_body; content:"<?xml"; depth:5; content:"<Message>X1|20|is|20|running|20|in|20|PC"; distance:0; fast_pattern; content:"<|2f|Message>"; distance:0; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:trojan-activity; sid:2027354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_13, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.tf domain"; flow:to_server,established; http.host; content:".de.tf"; endswith; classtype:bad-unknown; sid:2013837; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTA.BabyShark Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/expres.php?op="; fast_pattern; pcre:"/^\d/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.referer; content:".hta"; reference:md5,94b60cf91e550e1d981aaf9962d52e18; classtype:command-and-control; sid:2027365; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family BabyShark, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.at.tf domain"; flow:to_server,established; http.host; content:".at.tf"; endswith; classtype:bad-unknown; sid:2013838; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; flowbits:set,FakeIEMinimal; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019344; rev:7; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ch.tf domain"; flow:to_server,established; http.host; content:".ch.tf"; endswith; classtype:bad-unknown; sid:2013839; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Vobfus Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f|"; offset:2; depth:20; pcre:"/^\/[a-zA-Z0-9]{1,19}\/?\?[abdefijhgv\x22](?:\x7C\x2d?\d+?[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14})?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.host; content:!"www.pinterest.com"; http.header_names; content:!"Accept-Language"; content:!"Referer"; reference:md5,3ed744b12a77359576af10a265154081; reference:md5,a2049adc2834d797b37f45382608f2b4; classtype:command-and-control; sid:2018958; rev:20; metadata:created_at 2013_03_25, former_category MALWARE, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.sg.tf domain"; flow:to_server,established; http.host; content:".sg.tf"; endswith; classtype:bad-unknown; sid:2013840; rev:7; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:2<>5; flowbits:set,ET.Onelouder.bin; flowbits:noalert; http.method; content:"GET"; http.uri; pcre:"/^\/(?P<n>\d)(?P=n){1,2}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-Language"; classtype:trojan-activity; sid:2018981; rev:6; metadata:created_at 2014_08_22, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.nl.ai domain"; flow:to_server,established; http.host; content:".nl.ai"; endswith; classtype:bad-unknown; sid:2013841; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:1<>7; flowbits:set,ET.OneLouderHeader; flowbits:noalert; http.uri; pcre:"/\/\d+$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-Language"; content:!"Referer"; classtype:trojan-activity; sid:2018983; rev:9; metadata:created_at 2014_08_22, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.xe.cx domain"; flow:to_server,established; http.host; content:".xe.cx"; endswith; classtype:bad-unknown; sid:2013842; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Geodo Checkin"; flow:established,to_server; urilen:16<>20; http.method; content:"POST"; http.uri; content:"/"; offset:8; depth:2; content:"/"; offset:16; depth:3; pcre:"/^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,fa50062b7763487b3dd6f9ed0a2f3549; reference:url,pastebin.com/qnLmpKuQ; classtype:command-and-control; sid:2018496; rev:11; metadata:created_at 2014_05_22, former_category MALWARE, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.orge.pl Domain"; flow:established,to_server; http.host; content:".orge.pl"; endswith; classtype:bad-unknown; sid:2013844; rev:5; metadata:created_at 2011_11_05, updated_at 2020_05_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTA.BabyShark HTTP Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php"; http.request_body; content:"filename=|22|ttmp1.log|22|"; fast_pattern; content:"BEGIN|20|CERTIFICATE"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,94b60cf91e550e1d981aaf9962d52e18; classtype:trojan-activity; sid:2027377; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category TROJAN, malware_family BabyShark, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 1"; flow:established,to_server; http.uri; content:"/Google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013895; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Quasar Related)"; flow:established,to_client; tls.cert_subject; content:"CN=MSGQ Server CA"; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:trojan-activity; sid:2027381; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (moanmyip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moanmyip.com"; fast_pattern; classtype:policy-violation; sid:2030126; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Cache-Control"; content:!"Pragma"; content:!"Referer"; content:!"User-Agent"; http.start; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:command-and-control; sid:2023083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.XXZBEN Downloader Activity"; flow:established,to_server; http.start; content:"Cookie|3a 20 0d 0a|Accept|3a 20|"; http.method; content:"GET"; http.uri; content:"/check?ver="; fast_pattern; content:"&os="; distance:0; content:"&binary="; distance:0; content:"&token="; distance:0; content:"&host="; distance:0; content:"&run_time="; distance:0; content:"&once="; distance:0; http.header; content:"|0d 0a|User-Agent|3a 20|User-Agent|3a 20|Mozilla"; reference:md5,113a0256fa05ece2a56b88e6285aff7a; classtype:trojan-activity; sid:2030123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ProtonBot User-Agent"; flow:established,to_server; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027384; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category TROJAN, malware_family ProtonBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EVILNUM CnC Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tran/check.php?id=&ver="; depth:24; fast_pattern; pcre:"/&ver=\d\.\d$/i"; http.accept; content:"text/html, application/xhtml+xml, */*"; depth:37; endswith; http.header_names; content:!"Referer"; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin"; flow:established,to_server; http.header; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a[03478]+/mi"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.start; content:"POST / HTTP/1.1|0d 0a|User-Agent|3a 20|"; depth:29; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035047; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_24, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted D-Link ShareCenter (DNS-320/325) RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1="; startswith; fast_pattern; reference:url,roberto.greyhats.it/advisories/20120208-dlink-rce.txt/; classtype:web-application-attack; sid:2030120; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_05_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin Post"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; classtype:command-and-control; sid:2017948; rev:4; metadata:created_at 2014_01_10, former_category MALWARE, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE D-Link ShareCenter (DNS-320/325) RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1="; startswith; fast_pattern; reference:url,roberto.greyhats.it/advisories/20120208-dlink-rce.txt/; classtype:web-application-attack; sid:2030121; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG-P Variant CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jpg"; pcre:"/_[A-F0-9]{12}\.jpg$/i"; http.request_body; content:"H|00|O|00|S|00|T|00 20 00|N|00|A|00|M|00|E|00 3a|"; depth:19; fast_pattern; reference:url,speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt; classtype:command-and-control; sid:2027431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_04, deployment Perimeter, former_category MALWARE, malware_family ICEFOG_P, performance_impact Low, signature_severity Major, tag APT, tag IceFog, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/"; fast_pattern; content:".cnf"; nocase; endswith; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:15; metadata:created_at 2010_09_23, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG-P Variant CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jpg"; pcre:"/_[A-F0-9]{12}&filename=\w{1,20}\.jpg$/i"; http.request_body; content:"|00 3a 00 7c 00|d|00|i|00|s|00|k|00|"; depth:15; fast_pattern; reference:url,speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt; classtype:command-and-control; sid:2027432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_04, deployment Perimeter, former_category MALWARE, malware_family ICEFOG_P, performance_impact Low, signature_severity Major, tag APT, tag IceFog, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle WebLogic CVE-2020-2551 Scanning"; flow:established,to_server; content:"|47 49 4f 50 01 02 00 03 00 00 00 17 00 00 00 02 00 00 00 00 00 00 00 0b 4e 61 6d 65 53 65 72 76 69 63 65|"; startswith; fast_pattern; reference:url,www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2020-2551; reference:url,github.com/hktalent/CVE-2020-2551/blob/master/CVE-2020-2551.py; classtype:attempted-admin; sid:2030128; rev:1; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PLATINUM Steganographic HTTP Response Page Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21|--1234567890--"; fast_pattern; content:"|3c|td|20|bgcolor=|22|"; distance:0; content:"|3c|td|20|align=|22|"; distance:0; content:"|20 20 20 20 09|"; distance:0; content:"|20 20 20 20|"; distance:0; content:"--1234567890--|3e|"; distance:0; reference:url,securelist.com/platinum-is-back/91135/; classtype:trojan-activity; sid:2027434; rev:3; metadata:created_at 2019_06_05, former_category TROJAN, malware_family PLATINUM, tag T1001, tag data_obfuscation, tag T1140, tag deobfuscate_decode_payload, updated_at 2020_08_31;)
 
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Oracle T3 Requests Inbound"; flow:established,to_server; content:"t3|20|"; startswith; content:"|0a|AS|3a|"; distance:0; fast_pattern; content:"|0a|HL|3a|"; distance:0; content:"|0a 0a|"; endswith; classtype:policy-violation; sid:2030129; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WSHRAT CnC Checkin"; flow:established,to_server; flowbits:set,ET.WSHRAT.1; http.method; content:"POST"; http.user_agent; content:"WSHRAT|7c|"; depth:7; fast_pattern; content:"|20|-|20|"; distance:0; classtype:command-and-control; sid:2027447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, former_category MALWARE, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable Version (12.2.1)"; flow:established,from_server; content:"HELO|3a|12.2.1"; startswith; fast_pattern; classtype:policy-violation; sid:2030130; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WSHRAT Keylogger Module Download Command Inbound"; flow:established,from_server; flowbits:isset,ET.WSHRAT.1; http.stat_code; content:"200"; file.data; content:"offline-keylogger|7c|"; depth:18; fast_pattern; classtype:trojan-activity; sid:2027448; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable Version (10.3.6)"; flow:established,from_server; content:"HELO|3a|10.3.6"; startswith; fast_pattern; classtype:policy-violation; sid:2030131; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WSHRAT Credential Dump Module Download Command Inbound"; flow:established,from_server; flowbits:isset,ET.WSHRAT.1; http.stat_code; content:"200"; file.data; content:"get-pass-offline|7c|"; depth:17; fast_pattern; classtype:trojan-activity; sid:2027449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable Version (12.1.3)"; flow:established,from_server; content:"HELO|3a|12.1.3"; startswith; fast_pattern; classtype:policy-violation; sid:2030132; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"BURAN"; fast_pattern; bsize:5; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027446; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipchicken .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ipchicken.com"; fast_pattern; classtype:policy-violation; sid:2030137; rev:1; metadata:created_at 2020_05_08, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Encoded Wide PowerShell (IEX) in Certificate Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"-----BEGIN|20|CERTIFICATE-----|0d 0a|YVFCb"; depth:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/; classtype:trojan-activity; sid:2027462; rev:2; metadata:created_at 2019_06_12, cve CVE_2019_2725, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 2"; flow:established,to_server; http.uri; content:"google_setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013896; rev:5; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Request to gate.php Dotted-Quad"; flow:established,to_server; http.uri; content:"/gate.php"; nocase; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 3"; flow:established,to_server; http.uri; content:"/FaceBook_Complemento.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013897; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"BF:98:15:9B:69:48:D8:F8"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:domain-c2; sid:2027463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 4"; flow:established,to_server; http.uri; content:"/YouTube_Setup.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013898; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"9F:E8:45:03:13:A0:52:D7"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:domain-c2; sid:2027464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED google.com.br DNS Poisoning redirecting to exploit kit 5"; flow:established,to_server; http.uri; content:"/google2.exe"; reference:url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780; reference:url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil; classtype:exploit-kit; sid:2013899; rev:4; metadata:created_at 2011_11_10, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vools Variant CnC Checkin"; flow:established,to_server; http.uri; content:".html?mac="; fast_pattern; content:"&ip="; distance:0; content:"&host="; distance:0; content:"&tick="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/; classtype:command-and-control; sid:2027470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family Vools, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Maldoc CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Cricking Merrily Sandoval/O=Appertained Screened/L=Regulation Icbm/ST=New York/C=US"; reference:url,twitter.com/jfslowik/status/1135567258472853505; classtype:command-and-control; sid:2027477; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a 3322.org.cn Domain"; flow:to_server,established; http.host; content:".3322.org.cn"; endswith; classtype:bad-unknown; sid:2014289; rev:4; metadata:created_at 2012_02_28, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Packed Perl with Eval Statement"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"eval unpack u=>"; depth:15; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor; reference:md5,0f166e74fd008eef8e54f8bc28af8a82; classtype:trojan-activity; sid:2027478; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_14, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.HLLW.Autoruner USA_Load UA"; flow:established,to_server; http.user_agent; content:"USA_Load"; depth:8; reference:url,news.drweb.com/show/?i=2440&lng=en&c=5; classtype:trojan-activity; sid:2014752; rev:4; metadata:created_at 2012_05_17, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PowerShell Empire Activity Outbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; depth:1; pcre:"/^(?:login\/process|admin\/get|news)\.php$/R"; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"; http.cookie; content:"session="; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.start; content:".php|20|HTTP|2f|1.1|0d 0a|Cookie|3a 20|session="; fast_pattern; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_24, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag PowerShell_Empire, tag T1086, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/wp-content/rss.php"; http.request_body; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; content:"&PASSWORD="; distance:0; content:"&ACTION="; distance:0; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:7; metadata:created_at 2012_05_30, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Command Output to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=res&R="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/vas.php"; reference:md5,3ccc73f049a1de731baf7ea8915c92a8; reference:md5,91ce41376a5b33059744cb58758213bb; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:md5,21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015512; rev:6; metadata:created_at 2012_07_24, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Registering with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=reg&UU="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz/Asprox Activity"; flow:established,to_server; flowbits:set,ET.Kuluoz; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[A-Fa-f0-9]+|index\.php)$/"; http.header_names; content:!"Referer"; http.request_body; content:"|80 00 00 00|"; depth:4; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; reference:url,blog.fortinet.com/post/changes-in-the-asprox-botnet; classtype:trojan-activity; sid:2017895; rev:9; metadata:created_at 2013_12_24, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Tok="; content:"&newsUID="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.request_body; content:"cs="; content:"&p="; content:"&m="; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:command-and-control; sid:2019197; rev:3; metadata:created_at 2014_09_19, former_category MALWARE, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA/TrojanDownloader.Agent.PAC Retreiving Malicious VBScript"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/open?id="; fast_pattern; depth:9; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,7489fb981cd054c665e442dfea8ef203; reference:url,blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html; classtype:trojan-activity; sid:2027697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.request_body; content:"cs="; content:"&m="; content:"&ls="; reference:md5,4196c67648003a18f61573a77b6d3be6; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019198; rev:3; metadata:created_at 2014_09_19, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.VBScript Requesting Instruction from CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/open?topics=s9"; fast_pattern; depth:15; pcre:"/^[0-9]{3}$/R"; http.header_names; content:!"Referer"; reference:md5,7489fb981cd054c665e442dfea8ef203; reference:url,blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html; classtype:command-and-control; sid:2027698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewPosThings POST with Fake UA and Accept Header"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; http.header; content:"Accept|3a 20 3f 2a 0d 0a|"; depth:12; reference:md5,ae9899722707fc2c9716138580787026; reference:url,arbornetworks.com/asert/2014/09/lets-talk-about-newposthings/; classtype:trojan-activity; sid:2019199; rev:3; metadata:created_at 2014_09_19, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"%DESKTOP%|5c 3b|*.txt|3a|*.dat|3a|*wallet*.*|3a|*2fa*.*|3a|*backup*.*|3a|*code*.*|3a|*password*.*|3a|*auth*.*|3a|*google*.*|3a|*utc*.*|3a|*UTC*.*|3a|*crypt*.*|3a|*key*.*|3b|"; fast_pattern; classtype:trojan-activity; sid:2035911; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, tag Megumin, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot UA"; flow:established,to_server; http.user_agent; content:"Windows NT 7.1"; content:"Firefox/9.1.2"; classtype:trojan-activity; sid:2015780; rev:6; metadata:created_at 2012_10_04, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=srv75"; tls.cert_issuer; content:"CN=srv75"; tls.cert_serial; content:"00:D2:68:75:C1:88:0D:92:50"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; http.uri; content:"/index312.php?ver="; content:"&cam="; content:"&p=spy"; content:"&id="; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:command-and-control; sid:2015850; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vps"; tls.cert_issuer; content:"CN=vps"; tls.cert_serial; content:"00:82:BA:B9:98:69:CD:2D:63"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Component SQLi Attempt"; flow:established,to_server; http.uri; content:"option=com_"; nocase; content:"union"; nocase; distance:0; content:"select"; nocase; distance:0; content:"from"; nocase; distance:0; content:"jos_users"; distance:0; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:4; metadata:created_at 2012_12_05, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vm19622"; tls.cert_issuer; content:"CN=vm19622"; tls.cert_serial; content:"00:B0:B9:E1:42:A0:E9:1A:C7"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Simple Slowloris Flooder"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.header; content:"Content-length|3a 20|5235|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:5; metadata:created_at 2012_12_14, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vs27367.pivps.com"; tls.cert_issuer; content:"CN=vs27367.pivps.com"; tls.cert_serial; content:"00:B7:E8:9E:97:46:C0:42:69"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware CnC Request - status.php"; flow:established,to_server; http.uri; content:"/status.php"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016186; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vs27367.pivps.com"; tls.cert_issuer; content:"CN=vs27367.pivps.com"; tls.cert_serial; content:"00:CB:64:0E:B9:89:F8:B5:0D"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027717; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Tobfy.Ransomware Invalid URI CnC Request"; flow:established,to_server; http.uri; content:"/.ru|60|utr/qiq"; http.host; content:".my-files-download.ru"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:command-and-control; sid:2016187; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=debian"; tls.cert_issuer; content:"CN=debian"; tls.cert_serial; content:"00:B5:72:87:4F:73:49:1F:AC"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027718; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BroBot POST"; flow:established,to_server; threshold: type limit, count 1, seconds 300, track by_src; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 Firefox/3.6.12"; fast_pattern; bsize:26; http.request_body; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/"; classtype:web-application-attack; sid:2016212; rev:5; metadata:created_at 2013_01_16, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vs14265.pivps.com"; tls.cert_issuer; content:"CN=vs14265.pivps.com"; tls.cert_serial; content:"00:9C:9E:D0:2E:CE:16:27:E2"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027719; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:8; metadata:created_at 2013_01_30, updated_at 2020_05_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vps.server.com"; tls.cert_issuer; content:"CN=vps.server.com"; tls.cert_serial; content:"00:B2:51:A1:E9:9C:0E:FB:8B"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027720; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommentCrew downloader without user-agent string exe download without User Agent"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"open="; nocase; content:"myid="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; classtype:targeted-activity; sid:2016475; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Proyecto RAT Variant - Yopmail Stage 2 CnC Retrieval"; flow:established,from_server; flowbits:isset,ET.Proyecto.YopmailLogin; http.stat_code; content:"200"; http.response_body; content:"|3c|span class|3d 22|lms|22 3e c2 a1|"; fast_pattern; content:"|c2 a1|</span>"; within:30; reference:md5,295d31fd532ed0257149b191146b5236; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:command-and-control; sid:2027735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE CommentCrew Possible APT backdoor download logo.png"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/logo.png"; http.accept; content:"*/*,,,,,,"; bsize:9; fast_pattern; classtype:targeted-activity; sid:2016487; rev:6; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proyecto RAT Variant - Yopmail Login attempt (set)"; flow:established,to_server; flowbits:set,ET.Proyecto.YopmailLogin; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/es/inbox.php?login="; content:"&p="; content:"&d=&ctrl=&scrl=&spam=true&yf="; distance:1; within:29; fast_pattern; http.host; content:"www.yopmail.com"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,295d31fd532ed0257149b191146b5236; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:trojan-activity; sid:2027734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/11"; fast_pattern; depth:3; pcre:"/^\/1+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; classtype:trojan-activity; sid:2018413; rev:5; metadata:created_at 2014_04_24, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA"; flow:to_server,established; http.user_agent; content:"|3c 7c 3e|"; fast_pattern; content:"|3c 7c 3e|"; distance:0; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017994; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Bossabot DDoS tool RFI attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"php?-d|20|allow_url"; fast_pattern; content:"auto_prepend_file|3d|php|3a 2f|"; http.request_body; content:"<?php|0d 0a|"; depth:7; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3476&p=23965#p23965; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823; classtype:trojan-activity; sid:2019212; rev:3; metadata:created_at 2014_09_22, updated_at 2020_05_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ketrican CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx?a1="; fast_pattern; pcre:"/^[a-f0-9]{8}$/R"; http.request_body; content:"AA"; depth:2; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.content_len; content:"88"; reference:url,www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf; reference:md5,e46d8f510c09f09e2e6b958b84190d8b; reference:md5,03a2f5ea0cea83e77770a4018c4469ab; classtype:command-and-control; sid:2027728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ketrican, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/0"; content:"?id="; distance:0; pcre:"/\/0[0-2]\/.+?\/[a-f0-9]+\?id=[a-f0-9]+$/i"; http.header_names; content:!"Referer|0d 0a|"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; fast_pattern; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/i"; classtype:trojan-activity; sid:2019074; rev:5; metadata:created_at 2014_08_27, updated_at 2020_05_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LooCipher Ransomware Onion Domain"; dns.query; content:"hcwyo5rfapkytajg"; nocase; depth:16; reference:md5,0c7e59536a7be4a446bbe8b4f22e5880; classtype:trojan-activity; sid:2027754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, tag LooCipher, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (address .works)"; flow:to_server,established; http.host; content:"address.works"; endswith; fast_pattern; classtype:policy-violation; sid:2030152; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeamBot CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?gate&hwid="; content:"&id="; content:"&pwd="; content:"&info="; content:"|7b 22|os|22 3a 22|"; distance:0; content:"Windows"; within:50; content:"comment|22 3a 22|hTV_bot_[v"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,99d4feab94f7cda70110a1dc98f470d3; classtype:command-and-control; sid:2026851; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, malware_family TeamBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Check Domain Domain (address .works in TLS SNI)"; flow:established,to_server; tls.sni; content:"address.works"; bsize:13; classtype:policy-violation; sid:2030153; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework Default HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; content:"|0d 0a 0d 0a|i="; fast_pattern; http.method; content:"POST"; http.uri; content:"/en-us/"; depth:7; http.request_body; content:"i="; depth:2; content:"&data="; distance:0; content:"&session="; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027792; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Possible QBot User-Agent"; flow:established,to_server; http.user_agent; bsize:14; content:"MelindaMelinda"; reference:md5,d5129d51bf982b055ee00fe7ef4da3c0; classtype:trojan-activity; sid:2030149; rev:1; metadata:created_at 2020_05_11, updated_at 2020_05_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.request_body; content:"=eyJHVUlEIjoi"; fast_pattern; pcre:"/^.+(IlR5cGUiO|JUeXBlIj|iVHlwZSI6)/R"; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SSL/TLS Certificate Observed (Betcity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.boxberry1.ru"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/ReBensk/status/1259146097978564609; classtype:domain-c2; sid:2030150; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_05_11, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Requesting Additional Modules"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?&1001="; fast_pattern; content:"&99="; distance:1; within:5; content:"&f2="; distance:0; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:trojan-activity; sid:2027809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category TROJAN, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING French Government COVID-19 Landing Page"; flow:established,to_client; content:"<title>Info Coronavirus COVID-19|20 7c 20|Gouvernement.fr"; fast_pattern; content:"Informations <strong>Coronavirus </strong></h1>"; distance:0; content:"method=|22|post|22 20|action=|22|"; pcre:"/^(?:(?!\.php).+)\.php\x22/R"; classtype:social-engineering; sid:2030145; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OceanLotus System Profiling JavaScript HTTP Request"; flow:established,to_server; http.uri; content:".jpg?v="; fast_pattern; content:"&d="; distance:0; pcre:"/\.jpg\?v=\d+&d=(?!\d{8}T\d{6}Z)(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/"; http.host; content:!"c.shld.net"; content:!"scholtzskys.com"; reference:url,www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024969; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Critical, tag OceanLotus, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:".NET|20|"; content:"E9PQ"; distance:2; within:4; fast_pattern; content:!"|20|"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2030151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"BSM1cr0S0ft"; fast_pattern; reference:url,content.fireeye.com/apt-41/rpt-apt41; classtype:targeted-activity; sid:2027858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category MALWARE, malware_family BLACKCOFFEE, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING NHS Gov UK COVID-19 Landing Page"; flow:established,to_client; content:"<title>NHS COVID19 Relieve - GOV.UK"; fast_pattern; content:"COVID-19 Relieve system"; distance:0; content:"Apply for COVID-19 Relieve"; distance:0; content:"method=|22|post|22|"; distance:0; classtype:social-engineering; sid:2030146; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"SBM1cr0Soft"; fast_pattern; reference:url,content.fireeye.com/apt-41/rpt-apt41; classtype:targeted-activity; sid:2027859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category MALWARE, malware_family BLACKCOFFEE, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS COVID-19 Landing Page"; flow:established,to_client; content:"<title>Get My Payment"; fast_pattern; content:"title=|22|Go to IRS Home Page|22|"; content:".php|22 20|method=|22|post|22|"; distance:0; content:"discovered that you are eligible for an instant amount"; distance:0; content:"credited to your confirmed financial institution in a timeframe of"; distance:0; classtype:social-engineering; sid:2030147; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; http.user_agent; content:"InstallCapital"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022246; rev:5; metadata:created_at 2015_12_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware Exfil via FTP"; flow:established,to_server; content:"STOR "; depth:5; content:"/UserName="; distance:0; content:"_MachineName="; distance:0; fast_pattern; content:"_"; distance:0; classtype:trojan-activity; sid:2030156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_05_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre User-Agent"; flow:established,to_server; http.user_agent; content:"onlymacros"; depth:10; endswith; reference:md5,b4ddb47165bf5362f0b33ed907b1ee08; classtype:command-and-control; sid:2030818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Upatre, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Complaint Management System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Complaint%20Management%20System/admin/"; http.request_body; content:"username=%27%3D%27%27or%27&password="; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48452; classtype:attempted-admin; sid:2030160; rev:1; metadata:attack_target Web_Server, created_at 2020_05_12, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Jan 7 2015"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pops"; offset:1; fast_pattern; content:".php"; within:5; pcre:"/^\/[^\x2f]+\/pops[a-z]?\.php$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2020148; rev:6; metadata:created_at 2015_01_07, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Qbot/Quakbot Checkin via HTTP GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid="; fast_pattern; pcre:"/\/\d+\.png\?uid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.user_agent; content:!"Mozilla"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:59; endswith; classtype:command-and-control; sid:2030157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, signature_severity Major, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dana/home.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:5; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taurus Stealer CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/cfg/?post="; fast_pattern; content:"&data="; distance:0; pcre:"/&data=(?:[a-z]\d){7,}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,b9ea305f1d66611ef9603d33217f3dd5; classtype:command-and-control; sid:2030158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/"; distance:0; content:"&hwid="; distance:0; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:command-and-control; sid:2025931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category MALWARE, malware_family Aurora_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taurus Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate/log/?post="; fast_pattern; content:"&data="; distance:0; pcre:"/&data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.request_body; content:"name=|22|file|22 3b 20|filename=|22|"; pcre:"/^(?:[a-z]\d){7,}\.zip\x22/R"; http.content_type; content:"multipart/form-data|3b 20|boundary="; reference:md5,b9ea305f1d66611ef9603d33217f3dd5; classtype:command-and-control; sid:2030159; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Coinminer Download"; flow:established,to_server; urilen:39; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/WPSystem/dl.php?a="; depth:38; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c5d5608df7519c44358fa87bd046b553; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:coin-mining; sid:2027894; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, tag Stealer, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed TrojanSpy.SH.HADGLIDER.A Exfil Domain in DNS Query"; dns.query; content:"teamtnt.red"; nocase; bsize:14; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/virtualization-and-cloud/coinminer-ddos-bot-attack-docker-daemon-ports; classtype:domain-c2; sid:2030155; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with ps PowerShell Command Output"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|48 61 6e 64 6c 65 73 20 20 4e 50 4d 28 4b 29 20 20 20 20 50 4d 28 4b 29 20 20 20 20 20 20 57 53 28 4b 29|"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; classtype:trojan-activity; sid:2027210; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, performance_impact Low, tag T1086, tag T1057, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"id="; depth:3; content:"&bid="; distance:0; fast_pattern; content:"&t="; distance:0; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,72372ffac0ee73dc8b6d237878e119c1; classtype:trojan-activity; sid:2019283; rev:3; metadata:created_at 2014_09_26, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete HTTP CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"namepc="; content:"nadir="; content:"menrut0="; content:"menfile0="; fast_pattern; content:"mens0="; http.header_names; content:!"Referer"; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:command-and-control; sid:2027887; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"; flow:established,to_server; http.cookie; content:"|28 29 20 7b|"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019239; rev:5; metadata:created_at 2014_09_25, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BalkanDoor CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s="; fast_pattern; content:"&cn="; pcre:"/\.php\?s=\d+&cn=/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/; reference:md5,f70ef75fb0a51b05c43aaec973ac0bc1; classtype:command-and-control; sid:2027897; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetConnect.aspx"; content:"&tIMEI="; content:"&tIMSI="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:3; metadata:attack_target Mobile_Client, created_at 2014_10_01, former_category MOBILE_MALWARE, updated_at 2020_05_12, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BalkanDoor CnC Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"[CFG]|0d 0a|di="; fast_pattern; depth:10; content:"|0d 0a|cn="; content:"|0d 0a|du="; content:"|0d 0a|int="; content:"|0d 0a|rip="; content:"|0d 0a|rpo="; content:"|0d 0a|scr_dur="; content:"|0d 0a|scr_int="; reference:url,www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/; reference:md5,f70ef75fb0a51b05c43aaec973ac0bc1; classtype:command-and-control; sid:2027898; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetUploadGps.aspx"; content:"tmac="; content:"&JZ="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE TwoFace WebShell Detected"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.cookie; content:"data=pro#=#"; fast_pattern; reference:url,www.emanueledelucia.net/a-dive-into-apt34-aka-oilrig-aka-cobalt-gypsy-twoface-webshell/; classtype:targeted-activity; sid:2027903; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/TargetUploadFile.aspx"; content:"tmac="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/update/utu.dat"; reference:md5,6fd8cdee653c0fde769e6c48d65e28bd; classtype:command-and-control; sid:2013913; rev:5; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; urilen:18; http.method; content:"GET"; nocase; http.uri; content:"/CheckLibrary.aspx"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:3; metadata:attack_target Mobile_Client, created_at 2014_10_01, former_category MOBILE_MALWARE, updated_at 2020_05_12, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"SNI="; content:"&UME="; fast_pattern; content:"&IVR="; content:"&st="; reference:md5,eec2828cb4a9032ab1177bb472f1977b; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2027771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ArtraDownloader, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptowall 2.0 DL URI Struct Oct 2 2014"; flow:to_server,established; http.request_line; content:"GET /blog/"; depth:10; pcre:"/^[a-z0-9]+\x20HTTP/R"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11\.0)/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019341; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2020_05_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LYCEUM MSIL/DanBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?id="; http.header; content:"Accept-Enconding|3a 20|gzip,deflate"; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|&|29|"; reference:md5,9df776b9933fbf95e3d462e04729d074; classtype:command-and-control; sid:2027921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, malware_family DanBot, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; http.method; content:"HEAD"; classtype:bad-unknown; sid:2013927; rev:5; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Domen SocEng Redirect - Landing Page Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"=|20 5b 27|Mobile|27 5d 3b|"; content:"|2f 2f 20|All|20 7c 20|Mobile|20 7c 20|Desktop"; content:"|2f 2f 20|1|20|-|20|Browser|20|Update|20 7c 20|2|20|-|20|Font"; fast_pattern; content:"var|20|_0x"; distance:0; classtype:social-engineering; sid:2027935; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, malware_family SocEng, malware_family Domen, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; http.method; content:"PROPFIND"; classtype:bad-unknown; sid:2013928; rev:5; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TR/Spy.Gen checkin via dns ANY query"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:md5,2519bdb5459bc9f59f59cd7ccb147d23; classtype:command-and-control; sid:2013516; rev:4; metadata:created_at 2011_09_02, former_category MALWARE, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; http.method; content:"POST"; http.header; content:!".etrade.com|3a|443|0d 0a|"; classtype:bad-unknown; sid:2013926; rev:9; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain rusview.net"; dns.query; content:"rusview.net"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016601; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; http.method; content:"DELETE"; classtype:bad-unknown; sid:2013931; rev:4; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insdet.com"; dns.query; content:"insdet.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016607; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY 2Downloadz.com File Sharing User-Agent"; flow:established,to_server; http.user_agent; content:"2Downloadz.com Agent"; depth:20; classtype:policy-violation; sid:2019366; rev:4; metadata:created_at 2014_10_08, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall .onion Proxy DNS lookup"; dns.query; content:"kpai7ycr7jxqkilp"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018609; rev:4; metadata:created_at 2014_06_27, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Papras.CK file upload"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2f[a-zA-Z]{4,}\x2ephp\x3f[a-zA-Z]{2,10}\x3d(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.request_body; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern; reference:md5,5e7cbe7e62a6c5de45092ad0c4852d1a; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019379; rev:4; metadata:created_at 2014_10_09, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.net"; dns.query; content:"qfsl.net"; depth:8; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013480; rev:5; metadata:created_at 2011_08_29, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ursnif Connectivity Check"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/proto/netstrings.txt"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9134651a7c642798414d867874bdfe2f; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019381; rev:4; metadata:created_at 2014_10_09, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jaifr.com"; dns.query; content:"jaifr.com"; depth:9; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013481; rev:5; metadata:created_at 2011_08_29, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:89; reference:md5,68459c32587e08d953d319ceb2d0888b; classtype:command-and-control; sid:2019478; rev:3; metadata:created_at 2014_10_20, former_category MALWARE, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jaifr.net"; dns.query; content:"jifr.net"; depth:8; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013482; rev:6; metadata:created_at 2011_08_29, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex/Bugat/Feodo GET Checkin"; flow:established,to_server; urilen:>25; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a 0d 0a|"; bsize:73; http.content_type; content:"octet/binary"; bsize:13; reference:md5,2ddb6cb347eb7939545a1801c72f1f3f; classtype:command-and-control; sid:2018772; rev:6; metadata:created_at 2014_07_24, former_category MALWARE, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.info"; dns.query; content:"jifr.info"; depth:9; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013495; rev:5; metadata:created_at 2011_08_30, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/24x7Help.ScareWare CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/client.asmx/SendData"; http.user_agent; content:"mFramework HTTPGet"; fast_pattern; http.request_body; content:"CFG="; depth:4; content:"&Lng="; distance:0; content:"&sinst="; distance:0; reference:md5,8d2dec745b9ac380beb2a0ea66427d06; classtype:command-and-control; sid:2019498; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup"; dns.query; content:"server4love.ru"; depth:14; nocase; fast_pattern; reference:md5,8d2e901583b60631dc333d4b396e158b; classtype:trojan-activity; sid:2019396; rev:5; metadata:created_at 2014_10_14, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"=0"; content:"=0000"; distance:3; fast_pattern; pcre:"/=0[0-2](?:&\w+=[a-fA-F0-9]{8}){2}&\w+=[a-fA-F0-9]+$/"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019500; rev:3; metadata:created_at 2014_10_24, updated_at 2020_05_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall 2.0 .onion Proxy domain lookup"; dns.query; content:"paytordmbdekmizq"; depth:16; fast_pattern; nocase; reference:url,malware-traffic-analysis.net/2014/11/14/index.html; classtype:trojan-activity; sid:2019736; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Crackswin Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.host; content:"crackswin.com"; fast_pattern; reference:md5,1cabe67554195a5caf87a3c385e5aa23; classtype:pup-activity; sid:2030164; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_13, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Known OphionLocker Domain"; dns.query; content:"smu743glzfrxsqcl"; depth:16; fast_pattern; nocase; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:4; metadata:created_at 2014_12_13, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BACKCONFIG CnC Downloader Activity"; flow:established,to_server; http.uri; content:"/request/httpsrequest"; bsize:21; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations; classtype:trojan-activity; sid:2030165; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_13, deployment Perimeter, former_category MALWARE, malware_family APT_HANGOVER, performance_impact Low, signature_severity Major, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns.query; content:"ymleyd4xs3it55m7"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019984; rev:5; metadata:created_at 2014_12_20, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/0"; content:"0000"; distance:1; within:4; fast_pattern; pcre:"/0[0-2]0000[a-fA-F0-9]{16,}$/"; http.header; content:"Content-Type|3a 20|application/octet-stream|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019501; rev:3; metadata:created_at 2014_10_24, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spy.Obator .onion Proxy Domain"; dns.query; content:"t2upiokua37wq2cx"; depth:16; nocase; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3671; classtype:trojan-activity; sid:2020168; rev:4; metadata:created_at 2015_01_13, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wonton-JH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?M00="; fast_pattern; pcre:"/^\d+$/R"; http.header; content:"Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b|)"; bsize:35; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/emerging-threat-alert-cve-2014-4114; reference:md5,37ca2ecb5e1fc89f73c6adc188ff685d; classtype:command-and-control; sid:2019502; rev:3; metadata:created_at 2014_10_24, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall 3.0 .onion Proxy Domain"; dns.query; content:"paytoc4gtpn5czl2"; depth:16; nocase; fast_pattern; reference:url,malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html; classtype:trojan-activity; sid:2020182; rev:4; metadata:created_at 2015_01_15, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; http.uri; content:"/base_stat_common.php"; nocase; fast_pattern; content:"BASE_path="; nocase; pcre:"/^(?:(?:ht|f)tps?|data|php)/Ri"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:2019524; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_09_23, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"3fdzgtam4qk625n6"; depth:16; nocase; fast_pattern; reference:md5,adb0de790bd3fb88490a60f0dddd90fa; classtype:trojan-activity; sid:2020358; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WEB-PHP phpinfo access"; flow:to_server,established; http.uri; content:"/phpinfo.php"; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:2019526; rev:5; metadata:created_at 2010_09_23, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"rmxlqabmvfnw4wp4"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020359; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT Google Talk Version Check"; flow: established,to_server; http.uri; content:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype:policy-violation; sid:2100876; rev:5; metadata:created_at 2010_09_23, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"jssestaew3e7ao3q"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020360; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OLDBAIT Checkin sptr"; flow:established,to_server; http.uri; content:"/~"; depth:2; content:"/cgi-bin/sptr.cgi?"; content:"_"; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; classtype:command-and-control; sid:2019535; rev:4; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"fizxfsi3cad3kn7v"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020361; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OLDBAIT Checkin 2 brvc"; flow:established,to_server; http.uri; content:"/~"; depth:2; content:"/cgi-bin/brvc.cgi?"; content:"_"; reference:md5,3983c859a217740bf9c5dd67a4647a9d; reference:md5,771bfe5d64138ef4e11e969b408ee0d7; reference:url,thegoldenmessenger.blogspot.de/2012/12/3-disclosure-of-another-0day-malware.html; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:command-and-control; sid:2019536; rev:3; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor Variant .onion Proxy Domain"; dns.query; content:"ukzo73z4inzpenmq"; depth:16; nocase; fast_pattern; reference:md5,53752a41ed21172343f678423d6c9a44; classtype:trojan-activity; sid:2020458; rev:4; metadata:created_at 2015_02_17, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chopstick Checkin (APT28 Related)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webhp?rel="; fast_pattern; content:"ai="; distance:0; pcre:"/^(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})+/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,6fc8602c8b3a18765bb6d2307d8a4ae1; classtype:targeted-activity; sid:2019537; rev:4; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (3v6e2oe5y5ruimpe)"; dns.query; content:"3v6e2oe5y5ruimpe"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020615; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adawareblock.com"; flow:established,to_server; http.header; content:"Host|3a 20|adawareblock.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019546; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain"; dns.query; content:"mmc65z4xsgbcbazl"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020684; rev:5; metadata:created_at 2015_03_12, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request adobeincorp.com"; flow:established,to_server; http.header; content:"Host|3a 20|adobeincorp.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019547; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; dns.query; content:"iezqmd4s2fflmh7n"; depth:16; fast_pattern; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:4; metadata:created_at 2015_03_25, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request azureon-line.com"; flow:established,to_server; http.header; content:"Host|3a 20|azureon-line.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019548; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (llgerw4plyyff446)"; dns.query; content:"llgerw4plyyff446"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020762; rev:4; metadata:created_at 2015_03_27, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019549; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Filecoder Ransomware Variant .onion Proxy Domain (tkj3higtqlvohs7z)"; dns.query; content:"tkj3higtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020942; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, malware_family Filecoder, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkwinframe.com"; flow:established,to_server; http.header; content:"Host|3a 20|checkwinframe.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019550; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; dns.query; content:"l7gbml27czk3kvr5"; depth:16; fast_pattern; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:5; metadata:created_at 2015_03_25, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request check-fix.com"; flow:established,to_server; http.header; content:"Host|3a 20|check-fix.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019551; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (zoqowm4kzz4cvvvl)"; dns.query; content:"zoqowm4kzz4cvvvl"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020958; rev:4; metadata:created_at 2015_04_21, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request hotfix-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|hotfix-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019552; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall .onion Proxy Domain (7oqnsnzwwnm6zb7y)"; dns.query; content:"7oqnsnzwwnm6zb7y"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020959; rev:4; metadata:created_at 2015_04_21, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsofi.org"; flow:established,to_server; http.header; content:"Host|3a 20|microsofi.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019553; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy/NionSpy .onion Proxy Domain (z3mm6cupmtw5b2xx)"; dns.query; content:"z3mm6cupmtw5b2xx"; depth:16; nocase; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:2021019; rev:4; metadata:created_at 2015_04_28, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request microsof-update.com"; flow:established,to_server; http.header; content:"Host|3a 20|microsof-update.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019554; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; dns.query; content:"iq3ahijcfeont3xx"; depth:16; fast_pattern; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:4; metadata:created_at 2015_05_09, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request scanmalware.info"; flow:established,to_server; http.header; content:"Host|3a 20|scanmalware.info|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019555; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (toxicola7qwv37qj)"; dns.query; content:"toxicola7qwv37qj"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; classtype:trojan-activity; sid:2021204; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request secnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|secnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019556; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ascrirac .onion proxy Domain (5sse6j4kdaeh3yus)"; dns.query; content:"5sse6j4kdaeh3yus"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021317; rev:4; metadata:created_at 2015_06_22, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request securitypractic.com"; flow:established,to_server; http.header; content:"Host|3a 20|securitypractic.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019557; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"decryptoraveidf7"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:4; metadata:created_at 2015_07_28, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testservice24.net"; flow:established,to_server; http.header; content:"Host|3a 20|testservice24.net|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019558; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"encryptor3awk6px"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:4; metadata:created_at 2015_07_29, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request testsnetcontrol.com"; flow:established,to_server; http.header; content:"Host|3a 20|testsnetcontrol.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019559; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup messagewild"; dns.query; content:"messagewild.com"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2021642; rev:4; metadata:created_at 2015_08_18, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatepc.org"; flow:established,to_server; http.header; content:"Host|3a 20|updatepc.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019560; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (kb63vhjuk3wh4ex7)"; dns.query; content:"kb63vhjuk3wh4ex7"; depth:16; nocase; fast_pattern; reference:md5,a9f29924410a14dea1eef8d75fed3b39; reference:url,www.malware-traffic-analysis.net/2015/08/24/index2.html; classtype:trojan-activity; sid:2021711; rev:4; metadata:created_at 2015_08_25, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request updatesoftware24.com"; flow:established,to_server; http.header; content:"Host|3a 20|updatesoftware24.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019561; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)"; dns.query; content:"djdkduep62kz4nzx"; depth:16; fast_pattern; nocase; reference:md5,1dd542bf3c1781df9a335f74eacc82a4; reference:url,malwr.com/analysis/YjllZWEzNmQ0MDA4NGNhNGIxYzIzNjU3YjczOTYxZjg/; classtype:trojan-activity; sid:2021363; rev:5; metadata:created_at 2015_06_29, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request windows-updater.com"; flow:established,to_server; http.header; content:"Host|3a 20|windows-updater.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019562; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns.query; content:"7vhbukzxypxh3xfy"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021850; rev:4; metadata:created_at 2015_09_30, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request checkmalware.org"; flow:established,to_server; http.header; content:"Host|3a 20|checkmalware.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019563; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (4nauizsaaopuj3qj)"; dns.query; content:"4nauizsaaopuj3qj"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022398; rev:4; metadata:created_at 2016_01_22, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request symanttec.org"; flow:established,to_server; http.header; content:"Host|3a 20|symanttec.org|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019583; rev:2; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(yez2o5lwqkmlv5lc)"; dns.query; content:"yez2o5lwqkmlv5lc"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022490; rev:4; metadata:created_at 2016_02_04, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Coreshell Checkin (APT28 Related)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/~xh/sn.cgi?"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+?$/R"; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:md5,272f0fde35dbdfccbca1e33373b3570d; classtype:targeted-activity; sid:2019539; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(fwgrhsao3aoml7ej)"; dns.query; content:"fwgrhsao3aoml7ej"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022501; rev:4; metadata:created_at 2016_02_10, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request msonlinelive.com"; flow:established,to_server; http.header; content:"Host|3a 20|msonlinelive.com|0d 0a|"; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019585; rev:3; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Payment DNS Lookup"; dns.query; content:"javajvlsworf3574"; depth:16; nocase; fast_pattern; reference:md5,ff50a331feec575b505976cb0506ebfd; classtype:trojan-activity; sid:2022507; rev:4; metadata:created_at 2016_02_12, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER printenv access"; flow:to_server,established; http.uri; content:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:2101877; rev:11; metadata:created_at 2010_09_23, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"twbers4hmi6dx65f"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/02b21d4a90a2a50506711a9c120b1e51f77084eba25688f7db2b9571037465dc?environmentId=1; classtype:trojan-activity; sid:2022560; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta Flash Exploit URI Struct"; flow:established,to_server; urilen:>68; http.uri; content:"|3b|1"; offset:60; content:"|3b|"; distance:5; within:1; content:!"="; content:!"&"; pcre:"/\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}$/"; classtype:exploit-kit; sid:2019612; rev:8; metadata:created_at 2014_10_31, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"i3ezlvkoi7fwyood"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022589; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta SilverLight 5.x Exploit URI Struct"; flow:established,to_server; urilen:>68; http.uri; content:"|3b|5"; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b5[0-1]\d{5}$/"; classtype:exploit-kit; sid:2019624; rev:3; metadata:created_at 2014_11_03, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"lpholfnvwbukqwye"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022590; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Strictor Dropper"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; content:"os="; content:"&osbit="; content:"&antiv="; http.user_agent; content:"Access"; depth:6; fast_pattern; reference:md5,909b91071c60fc68c27789d912ccf68a; classtype:trojan-activity; sid:2018964; rev:7; metadata:created_at 2014_08_19, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 1"; dns.query; content:"lclebb6kvohlkcml"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022598; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http 195.22.26.192/26 any -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks Sinkhole HTTP Response - 195.22.26.192/26"; flow:established,to_client; http.header; content:"Server|3A|HTTPServerX"; file.data; content:"14|0D 0A|"; within:4; content:"|0D 0A|0|0D 0A 0D 0A|"; distance:0; classtype:trojan-activity; sid:2019630; rev:3; metadata:created_at 2014_11_03, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 2"; dns.query; content:"bmacyzmea723xyaz"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022599; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy HTTP Request malwarecheck.info"; flow:established,to_server; http.header; content:"Host|3a 20|malwarecheck.info|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019641; rev:3; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 3"; dns.query; content:"nejdtkok7oz5kjoc"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ABCG Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/3.0 (compatible|3b| Indy Library)"; depth:38; http.request_body; content:"act="; depth:4; content:"&atom="; distance:0; fast_pattern; content:"&id="; distance:0; reference:md5,acad4be4c587b9db9f39268cc4c0c192; reference:md5,b07a6a590c729fcd47ebce37fdd6c90b; classtype:command-and-control; sid:2019653; rev:4; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 4"; dns.query; content:"fiwf4kwysm4dpw5l"; depth:16; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/; classtype:command-and-control; sid:2022601; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.FakeMS Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.header; content:!"Referer"; http.request_body; content:"|20|(64|20|=|20|"; content:")|20|EXE|20|=|20|"; distance:1; within:8; pcre:"/^\x5b[^\r\n]+\(64\s=\s\d\)\sEXE\s=/"; reference:md5,e606e56a222f788ab5cbcf40842cbc39; reference:md5,099dc535bdd09d6a7bc4edabc8ded5de; classtype:command-and-control; sid:2019654; rev:7; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(k7tlx3ghr3m4n2tu)"; dns.query; content:"k7tlx3ghr3m4n2tu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022614; rev:4; metadata:created_at 2016_03_15, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yjcontactus"; content:"view="; nocase; reference:url,packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt; classtype:web-application-attack; sid:2013816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns.query; content:"32kl2rwsjvqjeui7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022660; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smoke Loader Checkin r=gate"; flow:established,to_server; http.uri; content:".php?r=gate&"; content:"&group="; distance:0; content:"&debug="; distance:0; http.user_agent; content:"5.0 (Windows|3b 20|U|3b 20|MSIE 9"; reference:md5,7ef1e61d9b394a972516cc453bf0ec06; classtype:command-and-control; sid:2014728; rev:7; metadata:created_at 2012_05_10, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TeslaCrypt Payment)"; dns.query; content:"kkd47eh4hdjshb5t"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mac/update.zip"; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019665; rev:3; metadata:created_at 2014_11_07, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"rzss2zfue73dfvmj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for www.comeinbaby.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"www.comeinbaby.com"; startswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019666; rev:4; metadata:created_at 2014_11_07, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"vrvis6ndra5jeggj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022664; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miuref/Boaxxe Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"bB"; offset:2; depth:2; content:"MqrU"; within:20; content:"VAMU"; within:29; fast_pattern; reference:md5,79d1c8c33062324388d3d563f193a43b; reference:md5,ee3c562151cc9181c6d87602bbf0a285; reference:md5,a42797315c50e335f3de87f6cea61b77; classtype:command-and-control; sid:2019683; rev:7; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky Possible Payment Page"; dns.query; content:"25z5g623wpqpdwis"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022680; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; depth:9; isdataat:1380,relative; reference:cve,CVE-2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:4; metadata:created_at 2014_11_11, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"stgg5jv6mqiibmax"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022728; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; http.uri; content:"/cgi-bin/r.cgi"; nocase; depth:14; content:"p="; nocase; content:"h="; nocase; content:"u="; nocase; content:"q="; nocase; content:"t="; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:11; metadata:created_at 2011_07_04, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"ahsqbeospcdrngfv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022761; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fiesta URI Struct"; flow:established,to_server; urilen:>64; flowbits:set,ET.Fiesta.Exploit.URI; http.uri; content:"|3b|"; offset:63; fast_pattern; content:!"="; content:!"&"; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/"; classtype:exploit-kit; sid:2018407; rev:10; metadata:created_at 2014_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"rrcspgfghsjnklts"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022777; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; http.content_type; content:"image/"; depth:6; file.data; content:"Rar!"; within:4; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; classtype:trojan-activity; sid:2008754; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky Domain"; dns.query; content:"ycvcjbhgkmsiyhdd"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022778; rev:4; metadata:created_at 2016_05_03, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker User-agent (globalupdate)"; flow:to_server,established; flowbits:set,ET.WireLurkerUA; http.user_agent; content:"globalupdate"; depth:12; reference:url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; classtype:trojan-activity; sid:2019660; rev:5; metadata:created_at 2014_11_06, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"bddadevlpkwrrmud"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022870; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Asprox Pizza"; flow:established,to_server; http.uri; content:"/title.php?pizza="; pcre:"/^[a-zA-Z0-9+/]{43}/R"; reference:url,www.malware-traffic-analysis.net/2014/10/28/index.html; classtype:trojan-activity; sid:2019713; rev:3; metadata:created_at 2014_11_15, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (mphtadhci5mrdlju)"; dns.query; content:"mphtadhci5mrdlju"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022917; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; http.uri; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:4; metadata:created_at 2014_05_21, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"kvyatmujksksbcgx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Photos/Query.cgi?loginid="; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016820; rev:4; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"mz7oyb3v32vshcvk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DEEP PANDA Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Catelog/login1.cgi"; fast_pattern; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:command-and-control; sid:2016821; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"xhrnfffaixawpuob"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023002; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alureon Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; content:"winver="; depth:7; content:"&ver="; distance:0; pcre:"/^winver=\d+&ver=\d+$/"; reference:md5,2155b7942ddc6d7a82e7d96a8c594501; classtype:command-and-control; sid:2019717; rev:3; metadata:created_at 2014_11_18, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"zjfq4lnfbs7pncr5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker HTTP Request for manhuaba.com.cn"; flow:established,to_server; http.method; content:"GET"; http.host; content:"manhuaba.com.cn"; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019731; rev:4; metadata:created_at 2014_11_18, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (5n7y4yihirccftc5)"; dns.query; content:"5n7y4yihirccftc5"; depth:16; fast_pattern; nocase; reference:md5,d7cb55e90dee7777fe7b77b079d51513; classtype:trojan-activity; sid:2023084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ncsi.txt"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; content:"|0d 0a|Host|0d 0a|"; depth:8; http.user_agent; content:"Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; fast_pattern; classtype:trojan-activity; sid:2019754; rev:4; metadata:created_at 2014_11_20, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fpashgkepwtoqdjg"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023178; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.Win32/FakePAV Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?0="; depth:4; fast_pattern; content:"=i"; pcre:"/^\/\?0=(?:[^&]+?&\d+?=)+?[^=&]+?$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6829306e92cfa811b12d9b028eb56a2d; classtype:command-and-control; sid:2019767; rev:5; metadata:created_at 2014_11_21, former_category MALWARE, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"vrympoqs5ra34nfo"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AntiBreach Possible Activation Attempt"; flow:established,to_server; http.uri; content:"/buy.php?id="; content:"&sub_id="; content:"&install_id="; content:"&project_id="; content:"&serial="; reference:url,www.malware-traffic-analysis.net/2014/11/21/index.html; classtype:trojan-activity; sid:2019771; rev:3; metadata:created_at 2014_11_21, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fqoapcjolfwwenqx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023261; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer"; http.request_body; content:"func=getemailurl"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019777; rev:3; metadata:created_at 2014_11_24, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns.query; content:"4w5wihkwyhsav2ha"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023327; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"php|3a 2f 2f|input"; fast_pattern; http.request_body; content:"<?"; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:4; metadata:created_at 2014_11_25, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky Payment Domain Detected"; dns.query; content:"jhomitevd2abj3fk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023329; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinHttpRequest (flowbits no alert)"; flow:established,to_server; flowbits:set,et.WinHttpRequest; flowbits:noalert; http.host; content:!".microsoft.com"; endswith; content:!".qq.com"; endswith; http.user_agent; content:"WinHttp.WinHttpRequest"; fast_pattern; classtype:trojan-activity; sid:2019821; rev:9; metadata:created_at 2014_12_01, updated_at 2020_05_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ffoqr3ug7m726zou"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Coinminer.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:".php?id="; http.user_agent; content:"Mozzilla/4.0 (copmatible|3B|"; fast_pattern; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019826; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"lfdachijzuwx4bc4"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Wadolin.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/upgrade-functions.php?v="; fast_pattern; content:"&id="; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.1|3B| Windows XP)"; startswith; reference:md5,693c007d651bb5a8c6d2a4f5ed65a69c; classtype:command-and-control; sid:2019827; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ojmekzw4mujvqeju"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex v2 POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Authorization|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; content:"Authorization|3a 20|Basic"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; reference:url,securityblog.s21sec.com/2014/11/dridex-learns-new-trick-p2p-over-http.html; classtype:command-and-control; sid:2019830; rev:3; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xrhwryizf5mui7a5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Cryptexplorer API Check - Potential CoinMiner Traffic"; flow:established,to_server; http.uri; content:"/api/"; startswith; content:"coin/balance/"; distance:0; fast_pattern; pcre:"/^\/api\/(?:bit|lite)coin\/balance\//"; reference:md5,8e29a15caef546aab0f19a9a81732163; classtype:coin-mining; sid:2019825; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"avsxrcoq2q5fgrw2"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023579; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; http.uri.raw; content:"%252E%252E%252F"; nocase; classtype:misc-attack; sid:2019880; rev:5; metadata:created_at 2014_12_06, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"fnmi62725zfti2vy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Insomnia Shell HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.request_body; content:"txtRemoteHost="; fast_pattern; content:"txtRemotePort="; distance:0; content:"txtBindPort="; distance:0; content:"txtPipeName="; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019899; rev:3; metadata:created_at 2014_12_09, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ftoxmpdipwobp4qy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023581; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/pandora_console/mobile/index.php"; http.request_body; content:"action=login"; fast_pattern; content:"user="; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:4; metadata:created_at 2014_12_10, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"pe2cku7pebkpgeko"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023582; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"p27dokhpz2n7nvgr"; depth:16; nocase; fast_pattern; reference:md5,c2f7595a1c394f1dac2e418815c54fd2; classtype:trojan-activity; sid:2023690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"qcwbrevxrotoepsp"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"ztuw5bvuuapzdfya"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"xqraoaoaph4d545r"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024118; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_22, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"underdj5ziov3ic7"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024119; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; http.header; content:"QHN5c3Rl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:7; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"x5sbb5gesp6kzwsh"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; reference:md5,f09e72e3c1c36192b22e15b59a13ee1c; reference:url,blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html; classtype:command-and-control; sid:2023998; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family Torrentlocker, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TRCrypt.ULPM Downloader CnC Beacon"; flow:established,to_server; http.uri; content:".aspx?id="; content:"&macaddress="; content:"&pcname="; content:"&username="; content:"&osversion="; content:"&versaoatual="; fast_pattern; content:"&winkey="; reference:md5,3b4f77eefd208f699e6a540878e753a8; classtype:command-and-control; sid:2019947; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"jpre3ta3x2csggd4"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024189; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; http.uri; content:"?cmd=ZXhpdA=="; fast_pattern; http.user_agent; content:"Mozilla 5"; startswith; reference:url,seclists.org/fulldisclosure/2014/Nov/78; classtype:bad-unknown; sid:2019951; rev:3; metadata:created_at 2014_12_16, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"cmzr4dz3begkpwa2"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024190; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; http.request_body; content:"name=|22|softwareVersion|22|"; nocase; content:"name=|22|isEnc|22|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019959; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"hjhqmbxyinislkkt"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024104; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; http.user_agent; content:"UAC/"; depth:4; fast_pattern; content:"|28|Android|20|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:4; metadata:created_at 2014_12_17, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"z2luqg4xu5r6zm6o"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024263; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAXV Retrieving key from Pinterest"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pin/"; depth:5; http.header; content:"User-Agent|3a 20|Internet Explorer 6.0|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f25a8e3f5265a57269590b84a506b672; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/malware-campaign-targets-south-korean-banks-uses-pinterest-as-cc-channel/; classtype:trojan-activity; sid:2019961; rev:4; metadata:created_at 2014_12_18, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"zyuc6ucewfwgnhvg"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024264; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Accept|3a 20|acunetix"; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:2019963; rev:3; metadata:created_at 2014_12_18, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy DNS lookup July 31 2014"; dns.query; content:"zxjfcvfvhqfqsrpz"; depth:16; fast_pattern; nocase; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:5; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css.ashx?"; depth:10; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019985; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE UIWIX Ransomware .onion Payment Domain (4ujngbdqqm6t2c53)"; dns.query; content:"4ujngbdqqm6t2c53"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024323; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family UIWIX, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tendrit CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon?"; depth:9; http.uri.raw; pcre:"/^[a-z]{2,}=(?:%[A-F0-9]{2})+&/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,755dad1f37a9d3fae1352dbbc409102c; reference:url,pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-christmas-from-an-apt-actor.html; classtype:command-and-control; sid:2019986; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"iuieylpvfurcvmpk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024437; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Generic.5325921 Checkin"; flow:to_server,established; http.uri; content:"?p="; content:"&botmajor="; content:"&botminor="; content:"&osmajor="; content:"&osminor="; reference:md5,203cec547d7d7d7b3a51084ad1abd793; classtype:command-and-control; sid:2020090; rev:4; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"cpawdrtxfjkwrkkl"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024438; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; http.uri; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:3; metadata:created_at 2015_01_05, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"qfjhpgbefuhenjp7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024439; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; http.request_body; content:"user=CRACKER"; classtype:trojan-activity; sid:2020097; rev:3; metadata:created_at 2015_01_06, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xpcx6erilkjced3j"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024440; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; http.server; content:"RomPager"; nocase; startswith; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:3; metadata:created_at 2015_01_06, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Reyptson Ransomware CnC)"; dns.query; content:"37z2akkbd3vqphw5"; depth:16; nocase; fast_pattern; reference:md5,2f60c2dc9b89a78a450839ded2a1737a; classtype:command-and-control; sid:2024469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Reyptson, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Lockbit Ransomware Payment Domain"; flow:established,to_server; http.host; content:"lockbit-decryptor.com"; endswith; fast_pattern; classtype:trojan-activity; sid:2030166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_14, deployment Perimeter, former_category POLICY, malware_family LockBit, signature_severity Major, tag Ransomware, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wgxpsgshk3hbmyzb"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_14, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check ip-addr.es"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip-addr.es"; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020105; rev:3; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"tptbibuegry2nvuh"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024517; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check curlmyip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"curlmyip.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020106; rev:3; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"fgb45ft3pqamyji7"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024518; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.header; content:"MASE|0d 0a|"; http.request_body; content:"name=|22|c1|22 0d 0a 0d 0a|c"; reference:md5,37d530ffa0bf1129f2db63b75fccce28; classtype:command-and-control; sid:2020156; rev:8; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"gebdp3k7bolalnd4"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024519; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?"; content:"system|28|"; distance:0; classtype:web-application-attack; sid:2020102; rev:5; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"2irbar3mjvbap6gt"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024520; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0000"; offset:2; pcre:"/^\/[^\x2f]+\/0000[A-F0-9]{4}\/0[0-2]\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1a5ee37a6075b5a95faf8f07ad060cc9; classtype:trojan-activity; sid:2025087; rev:3; metadata:created_at 2015_01_09, former_category TROJAN, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"qg6m5wo7h3id55ym"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024521; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; depth:2; content:"/0000"; distance:2; pcre:"/^\/0[0-2]\/[^\x2f]+\/0000[A-F0-9]{4}\/[^\x2f]+\/[A-F0-9]{8}$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2025088; rev:3; metadata:created_at 2015_01_09, former_category TROJAN, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xvnk7q32kmvcvx5x"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024522; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename svchost.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"svchost.exe"; nocase; fast_pattern; within:11; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]svchost\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020198; rev:6; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xzfsqbdlb3cssp4t"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename explorer.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"explorer.exe"; nocase; within:13; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]explorer\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020199; rev:7; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wqfhdgpdelcgww4g"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename hkcmd.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"hkcmd.exe"; nocase; within:10; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]hkcmd\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020200; rev:4; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"yvvu3fqglfceuzfu"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Filename server.exe Download - Common Hostile Filename"; flow:established,to_client; http.header; content:"filename="; content:"server.exe"; nocase; within:11; fast_pattern; pcre:"/^Content-Disposition\x3a attachment\x3b filename=[\x27\x22]server\.exe[\x22\x27]\r\n/mi"; classtype:trojan-activity; sid:2020201; rev:3; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain"; dns.query; content:"cr7icbfqm64hixta"; depth:16; nocase; fast_pattern; reference:md5,c714c3fe13e515a85774b03787ee9d85; classtype:command-and-control; sid:2024543; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category MALWARE, malware_family GlobeImposter, malware_family Gryphon, performance_impact Moderate, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AutoHotkey Downloader Checkin via IPLogger"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:12; content:"iplogger.org"; http.header; content:"User-Agent|3a 20|(|20|Windows|20|"; fast_pattern; reference:md5,6db987f9e87340ab3c3dd2b6d938e60c; classtype:command-and-control; sid:2030163; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"5pr6hirtlfan3j76"; depth:16; nocase; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2024603; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; http.header; content:"filename="; content:".exe"; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/i"; classtype:trojan-activity; sid:2020202; rev:3; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"ilcmjtvnrw2hostl"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, deployment Internet, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/PcClient.AA Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/2015"; depth:5; fast_pattern; pcre:"/^\d+?\/(?:\d+?\/-?\d+?\.(?:php|jsp))?$/Ri"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.2|3b| .NET CLR 1.1.4322|3b| .NET CLR 2.0.50727|3b| InfoPath.1)"; reference:md5,33439543cae709aa7efa58f94e4b2a62; classtype:command-and-control; sid:2019201; rev:12; metadata:created_at 2014_01_31, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"uvgnugc3nvdgboc2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall CryptoWall 3.0 Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"http|3a 2f 2f|proxy"; depth:12; fast_pattern; http.header; content:"i2p|0d 0a|"; http.header_names; content:!"|0d 0a|Accept-"; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020233; rev:3; metadata:created_at 2015_01_21, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vg6xusopmzu7m2ce"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Inception APT malware"; flow:established,to_server; http.header; content:"|0d 0a|username=|22|bimm"; nocase; fast_pattern; content:"/bimm"; distance:0; nocase; reference:url,www.bluecoat.com/security-blog/2015-01-20/reversing-inception-apt-malware; classtype:targeted-activity; sid:2020237; rev:3; metadata:created_at 2015_01_22, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vgyruvtmjabu7llq"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.TurlaCarbon.A C2 HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?uid="; content:"&context="; distance:0; content:"&mode=text&"; fast_pattern; distance:0; content:"data="; pcre:"/\?uid=\d+&context=\w+&mode=text&data=\w+$/"; reference:url,blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html; classtype:command-and-control; sid:2020241; rev:3; metadata:created_at 2015_01_22, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vozupq6ewgxyn4ct"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Upatre.Downloader Encoded Binary Download Request"; flow:established,to_server; http.uri; content:"/mandoc/"; fast_pattern; depth:8; content:".pdf"; distance:0; http.header; content:"Accept|3A| text/*, application/*|0D 0A|User-Agent|3A 20|"; depth:43; reference:url,phishme.com/evolution-upatre-dyre/; classtype:trojan-activity; sid:2020294; rev:3; metadata:created_at 2015_01_23, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vqrqlt4t2kcmyrkb"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024631; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A UA (HTClient)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTClient|3b|"; fast_pattern; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020298; rev:3; metadata:created_at 2015_01_23, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vs74c53whr5kisk2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024632; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\d+$/"; http.header; content:"User-Agent|3a 20|HTClient|3b|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2020299; rev:3; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vsy7udjnodbqwp7l"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024633; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Possible WordPress Pingback DDoS in Progress (Inbound)"; flow:established,to_server; threshold:type both, track  by_src, count 5, seconds 90; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; classtype:attempted-dos; sid:2018277; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_03_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vvuymthse6kj4vl4"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024634; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030175; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_05_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"oqwygprskqv65j72"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024635; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_15, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"toytyaclucomunit"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor User-Agent (ALIZER)"; flow:established,to_server; http.user_agent; content:"ALIZER"; bsize:6; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:trojan-activity; sid:2020344; rev:3; metadata:created_at 2015_02_03, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cryptolocker Payment Page (de2nuvwegoo32oqv)"; dns.query; content:"de2nuvwegoo32oqv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022800; rev:5; metadata:created_at 2016_05_09, former_category TROJAN, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/input_data_get_contact.asp?user="; content:"&pwd="; content:"&addr="; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:command-and-control; sid:2020353; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_05_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Initial Check In"; dns.query; content:".grp"; nocase; offset:8; depth:4; content:".ping.adm"; fast_pattern; within:15; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022559; rev:4; metadata:created_at 2016_02_23, former_category MALWARE, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WPScan User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"WPScan v"; depth:8; reference:url,github.com/wpscanteam/wpscan; classtype:web-application-attack; sid:2020338; rev:4; metadata:created_at 2015_01_30, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".freemooon.org"; fast_pattern; pcre:"/^[a-z]{4,10}\.freemooon\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; http.uri; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"XAgent/1."; depth:9; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:4; metadata:attack_target Mobile_Client, created_at 2015_02_05, former_category MOBILE_MALWARE, updated_at 2020_05_15, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".olimpian.org"; fast_pattern; pcre:"/[a-z]{4,10}\.olimpian\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; http.user_agent; content:"XAgent/1."; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:4; metadata:created_at 2015_02_05, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".sunsay.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.sunsay\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022720; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DEEP PANDA C2 Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+8.0|3b|+Windows+NT+5.1|3b|+SV1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; http.request_body; content:"|00 00 00 00 00|"; classtype:command-and-control; sid:2020373; rev:6; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".feellgood.org"; fast_pattern; pcre:"/[a-z]{4,11}\.feellgood\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022721; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rovnix.J Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"[0]|0d 0a|LP="; content:"|0a|VID="; distance:0; reference:md5,9471e926eda81b4f797b6cfe273e4e79; classtype:command-and-control; sid:2020396; rev:3; metadata:created_at 2015_02_11, former_category MALWARE, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".kinomix.org"; fast_pattern; pcre:"/[a-z]{4,11}\.kinomix\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Retrieving reseed info"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/netdb/"; nocase; depth:7; fast_pattern; http.user_agent; content:"Wget/1.11.4"; bsize:11; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:policy-violation; sid:2019898; rev:4; metadata:created_at 2014_12_09, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".beneton.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.beneton\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022755; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSI 6.0|3b 20|"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020471; rev:3; metadata:created_at 2015_02_18, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bigdoggi.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.bigdoggi\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Babar POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n.php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"id="; depth:3; content:"&Action="; distance:0; fast_pattern; reference:url,motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france; classtype:trojan-activity; sid:2020474; rev:3; metadata:created_at 2015_02_19, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bjksfohseaguu.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bjksfohseaguu\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022801; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin EK Jar URI Struct"; flow:established,to_server; http.uri; content:".jar"; pcre:"/(?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2020476; rev:4; metadata:created_at 2015_02_19, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".closedoors.net"; fast_pattern; pcre:"/[a-z]{4,10}\.closedoors\.net$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/set.php?ID="; depth:12; content:"&Action="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020489; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 4"; dns.query; content:"iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024295; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sys/"; fast_pattern; pcre:"/t=1?\d\/[0-3]?\d\/201\d [0-2]?\d\x3a[0-5]\d\x3a[0-5]\d [AP]M$/"; pcre:"/^\/sys\/(?:who|genid|data|upload|update)/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020431; rev:5; metadata:created_at 2015_02_16, former_category MALWARE, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 5"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024296; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/customer/do_it"; fast_pattern; http.user_agent; content:"Internet"; bsize:8; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"pn="; content:"&data="; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020433; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 2"; dns.query; content:"ifferfsodp9ifjaposdfjhgosurijfaewrwergwea"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024293; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_14, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)"; flow:established,from_server; flowbits:isset,exe.no.referer; http.header; content:"Server|3a 20|HFS"; fast_pattern; file.data; content:"MZ"; within:2; classtype:exploit-kit; sid:2020500; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_23, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_05_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 3"; dns.query; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024294; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_15, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed"; flow:established,to_server; http.request_body; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020556; rev:3; metadata:created_at 2015_02_24, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nitlove POS CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"nit_love"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html; classtype:command-and-control; sid:2021144; rev:4; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2020_09_01;)
 
-alert http any any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; http.header; content:"ing|3a| identity|0D 0A|Host|3a|"; http.cookie; content:"SESS="; content:"|3B| SID="; distance:0; content:"|3B| PREF="; distance:0; content:"|3B|SSID="; distance:0; classtype:trojan-activity; sid:2020557; rev:3; metadata:created_at 2015_02_24, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pterodo CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"versiya="; depth:8; fast_pattern; content:"&comp="; distance:0; content:"&id="; distance:0; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Referer"; content:!"Cache"; reference:md5,9d8daf70dff4d5bcf791d5f68ba01d7c; classtype:command-and-control; sid:2034345; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Athena DDoS Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a=%"; depth:3; fast_pattern; content:"&b="; distance:0; content:"&c="; distance:0; pcre:"/^a=(?:%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(?:%3[dD]){0,2}\x26c=(?:%[0-9A-Fa-f]{2})+$/"; reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:command-and-control; sid:2017633; rev:5; metadata:created_at 2013_04_26, former_category MALWARE, updated_at 2020_05_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; flowbits:isnotset,ET.Mcafee.Site.Download; http.content_type; content:"text/plain"; nocase; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:24; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GandCrab Style External IP Check (Spoofed Yahoo Host)"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|yahoo.com|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; bsize:142; threshold:type both,track by_src, count 10, seconds 30; classtype:trojan-activity; sid:2030168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category POLICY, malware_family GandCrab, signature_severity Major, updated_at 2020_05_15;)
+alert http any any -> any any (msg:"ET MALWARE ELF/LiLocked Ransom Note in HTTP Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"ENCRYPTED|20|ALL|20|YOUR|20|SENSITIVE"; depth:200; content:"STRONG|20|ENCRYPTION"; distance:0; content:"BUY|20|A|20|DECRYPTION|20|KEY"; distance:0; fast_pattern; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027968; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category TROJAN, malware_family LiLocked, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected USBFERRY CnC"; flow:established,to_server; http.header; content:!"Referer"; content:!"Accept"; http.method; content:"GET"; http.uri; content:".6.jpg"; endswith; http.user_agent; content:"MSIE|28|6.00.2900.5512|20 28|"; fast_pattern; content:"|3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"VR|28|PH"; reference:url,documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf; classtype:command-and-control; sid:2030169; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=mail.paolemahta.icu/emailAddress=root@mail.paolemahta.icu"; bsize:139; fast_pattern; reference:md5,4fd5867c45716f0a25c74f3510984cf2; reference:url,twitter.com/bryceabdo/status/1300787997755891712; classtype:domain-c2; sid:2030820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_01, deployment Perimeter, former_category MALWARE, malware_family Bazar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:established,to_server; http.user_agent; content:"MSIE|28|6.00.2900.5512|20 28|"; fast_pattern; content:"|3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"VR|28|PH"; reference:url,documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf; classtype:trojan-activity; sid:2030170; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck CnC Activity"; flow:established,to_server; http.uri; content:"/ln/core.png?"; startswith; http.host; content:"t.amynx.com"; bsize:11; fast_pattern; reference:url,github.com/sophoslabs/IoCs/blob/master/Trojan-LDMiner.csv; classtype:command-and-control; sid:2030827; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Create - POST Structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Fname="; depth:6; content:"&cmd="; classtype:trojan-activity; sid:2020572; rev:4; metadata:created_at 2015_02_25, updated_at 2020_05_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"sucuil.net"; bsize:10; reference:url,twitter.com/felixaime/status/1301090258671542272; classtype:trojan-activity; sid:2030828; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Activation"; flow:established,to_server; http.uri; content:"activation_api.php?"; http.user_agent; content:"ActivationRequestSendingSession"; fast_pattern; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020578; rev:3; metadata:created_at 2015_02_27, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TURLA APT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/scripts/m/query.php?id="; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf; classtype:command-and-control; sid:2030829; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Checkin"; flow:established,to_server; http.uri; content:"/safecontent.php?"; http.user_agent; content:"Mozilla/5.0 (Windows|3b| U|3b| MSIE 7.0|3b| Windows NT 6.0|3b| en-US)"; fast_pattern; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020579; rev:3; metadata:created_at 2015_02_27, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zyklon CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"token="; startswith; fast_pattern; content:"&hwid="; distance:44; within:6; threshold: type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/500mk500/status/1301173604072202248; reference:md5,3c8afeb46c1e1a217c0f108c3fb5f4f4; classtype:command-and-control; sid:2030823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LogPOS Sending Data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?encoding="; fast_pattern; content:"&t="; distance:0; content:"&cc="; distance:0; content:"&process="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,morphick.net/blog/2015/2/27/mailslot-pos; classtype:trojan-activity; sid:2020602; rev:3; metadata:created_at 2015_03_04, updated_at 2020_05_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"huhunadekil.top"; bsize:15; classtype:domain-c2; sid:2030824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; content:"/"; distance:0; pcre:"/^\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; http.user_agent; content:"MSIE 7.0|3b|"; fast_pattern; content:"Windows NT 6.0"; within:15; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,3083b68cb5c2a345972a5f79e735c7b9; classtype:command-and-control; sid:2019693; rev:6; metadata:created_at 2014_11_12, former_category MALWARE, updated_at 2020_05_15;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Linux Shell Script CnC Activity"; flow:established,to_server; http.uri; content:"/ln/a.asp?"; startswith; fast_pattern; content:"_"; distance:0; reference:url,github.com/sophoslabs/IoCs/blob/master/Trojan-LDMiner.csv; classtype:command-and-control; sid:2030826; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pandora Usage"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 3600; http.method; content:"POST"; http.uri; content:"/radio/xmlrpc/"; http.host; content:"pandora.com"; endswith; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:4; metadata:created_at 2012_07_03, updated_at 2020_05_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:34:1C:D9:8B:86"; classtype:domain-c2; sid:2028566; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> any any (msg:"ET DELETED Possible Netlink XPON 1GE Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr="; startswith; content:"&waninf="; distance:0; reference:url,www.exploit-db.com/exploits/48470; classtype:attempted-admin; sid:2030167; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_05_14, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TransparentTribe APT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_isolated_codes/C0n_eections/"; fast_pattern; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/DecryptStealer Exfil Domain (geroipanel .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"geroipanel.site"; bsize:15; reference:url,app.any.run/tasks/ef44292d-3b2e-4571-8b68-fb49c1db1b1a/; classtype:domain-c2; sid:2030179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
+alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028572; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ramsay CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?vol="; fast_pattern; content:"&q="; distance:0; content:"&guid=|7b|"; distance:0; content:"|7d|"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; reference:url,github.com/eset/malware-ioc/blob/master/ramsay/samples.sha256; classtype:command-and-control; sid:2030176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family Ramsay, performance_impact Low, signature_severity Major, updated_at 2020_05_18;)
+alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&file&upload"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028573; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ramsay CnC Domain in DNS Query"; dns.query; content:"account-id-managers.com"; nocase; endswith; reference:url,github.com/eset/malware-ioc/blob/master/ramsay/samples.sha256; classtype:domain-c2; sid:2030177; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family Ramsay, signature_severity Major, updated_at 2020_05_18;)
+alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028574; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ramsay CnC Domain in DNS Query"; dns.query; content:"service-security-manager.com"; nocase; endswith; reference:url,github.com/eset/malware-ioc/blob/master/ramsay/samples.sha256; classtype:domain-c2; sid:2030178; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family Ramsay, signature_severity Major, updated_at 2020_05_18;)
+alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&close"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028575; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M10 (set)"; flow:established,to_server; content:"|29 f5 98 f5|"; depth:4; fast_pattern; content:"|65 b3 b3|"; distance:1; within:3; flowbits:set,ET.Parallax-10; flowbits:noalert; reference:md5,9d60d8928bc0478b3029e59024b5f407; classtype:command-and-control; sid:2030180; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_18;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Possible Tunna Proxy Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|All|20|good|20|to|20|go"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028576; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M10"; flow:established,to_client; content:"|29 f5 98 f5|"; depth:4; fast_pattern; content:"|65 b3 b3|"; distance:1; within:3; flowbits:isset,ET.Parallax-10; reference:md5,9d60d8928bc0478b3029e59024b5f407; classtype:command-and-control; sid:2030181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_18;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Possible Tunna Proxy Closing Connection"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|Closing|20|the|20|connection|20|"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028577; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Exfil Via SMTP"; flow:established,to_server; content:"|0d 0a|Time|3a 20|"; content:"<br>User Name|3a 20|"; distance:0; content:"<br>OSFullName|3a 20|"; distance:0; fast_pattern; reference:md5,b8b71fc1124765b75b3aa3be805e9d12; classtype:trojan-activity; sid:2030171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, signature_severity Major, updated_at 2020_05_18;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028578; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to NOIP DynDNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030172; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M2 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&file&upload"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028579; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to ChangeIP Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M3 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028580; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030174; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M4 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&close"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028581; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smanage.php?sid="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030188; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
+alert http any any -> $HOME_NET any (msg:"ET MALWARE Possible Tunna Proxy Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|All|20|good|20|to|20|go"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028582; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Client Data POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getjuice.php"; bsize:13; fast_pattern; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; startswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:trojan-activity; sid:2030189; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
+alert http any any -> $HOME_NET any (msg:"ET MALWARE Possible Tunna Proxy Closing Connection"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|Closing|20|the|20|connection|20|"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028583; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Interactive Client CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interact.php?slave="; startswith; fast_pattern; content:"&sid="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.referer; content:"clients.php"; endswith; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030190; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)"; flow:established,to_server; http.uri; content:"/owa/?wa="; startswith; content:"&path=/calendar"; endswith; http.cookie; content:"MicrosoftApplicationsTelemetryDeviceId="; startswith; content:"|3b|ClientId="; distance:0; content:"|3b|MSPAuth="; distance:0; content:"|3b|xid="; distance:0; content:"|3b|wla42="; distance:0; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Sent to Client"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"setCommand.nonfunction.php"; fast_pattern; endswith; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; http.request_body; content:"slave="; startswith; content:"&command="; distance:0; content:"&sid="; distance:0; content:"&token="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030191; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/news?"; startswith; pcre:"/^[a-z]=[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028599; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NORTHSTAR Command Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getresponse.php?slave="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.referer; content:"interact.php?slave="; content:"&sid="; distance:0; reference:url,github.com/EnginDemirbilek/NorthStarC2/; classtype:command-and-control; sid:2030192; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index?"; startswith; pcre:"/^[a-z]=[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028600; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (info)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|info=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Default.aspx?"; startswith; pcre:"/^[a-z]=[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028601; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (id)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&mass="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp?m="; startswith; pcre:"/^[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/spywall/timeConfig.php"; bsize:23; fast_pattern; http.user_agent; content:"XTC"; http.request_body; content:"posttime="; content:"&saveForm="; content:"&timesync="; content:"&ntpserver="; content:"wget"; content:"/tmp/viktor|29 3b|"; content:"timezone="; reference:url,unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/; classtype:attempted-user; sid:2030193; rev:1; metadata:attack_target Web_Server, created_at 2020_05_19, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XLS DDE rar Drop Attempt (.live)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.header; content:".live|0d 0a|Conne"; fast_pattern; http.host; content:!"parrot.live"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"cmd="; fast_pattern; nocase; pcre:"/[&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/i"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:9; metadata:created_at 2010_07_30, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/SysKit CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"&"; content:!"."; http.request_body; content:"ip="; depth:3; content:"#"; distance:0; content:"&os="; distance:0; content:"#"; distance:0; content:"&os_name="; distance:0; fast_pattern; content:"#"; distance:0; content:"&mac="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain; classtype:command-and-control; sid:2028618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamarue/Andromeda Downloading Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/[a-z]+\/[a-z]+\.exe$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; reference:md5,85d925a76909f29c3f370f35faedb9ea; classtype:trojan-activity; sid:2020683; rev:3; metadata:created_at 2015_03_12, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/GMERA.B CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/link.php?"; depth:10; fast_pattern; content:"&"; distance:0; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/R"; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:command-and-control; sid:2028620; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Darkness DDoS Bot Checkin"; flow:established,to_server; http.uri; content:".php?uid="; nocase; content:"&ver="; distance:0; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(?:&traff=\d+)?$/"; http.header_names; content:!"Accept|0d 0a|"; http.user_agent; content:"darkness"; depth:8; fast_pattern; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:md5,7fcebf5bd67cede35d08bedd683e3524; reference:md5,60c84bb1ca03f80ca385f16946322440; reference:md5,778113cc4e758ed65de0123bb79cbd1f; reference:md5,55edeb8742f0c38aaa3d984eb4205c68; reference:url,ef.kaffenews.com/?p=833; classtype:command-and-control; sid:2011996; rev:14; metadata:created_at 2010_12_06, former_category MALWARE, updated_at 2020_05_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"skillsnew.top"; nocase; endswith; classtype:domain-c2; sid:2028625; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_09_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicepass CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?data="; depth:16; http.header; content:!"User-Agent|3a|"; content:!"Accept"; content:!"Referer|3a|"; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/mi"; reference:md5,5f1997927e94b98982e5ee2cea095956; classtype:command-and-control; sid:2020690; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DeadlyKiss APT)"; flow:established,from_server; tls.cert_subject; content:"CN=iluvshopping.com"; fast_pattern; tls.cert_serial; content:"27:93"; classtype:domain-c2; sid:2028626; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DeadlyKiss, updated_at 2020_09_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE - Fake UA"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".exe"; endswith; http.header_names; content:!"Accept-"; content:!"Referer|3a|"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035044; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2020_05_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query"; dns.query; content:"lowyat.biz"; nocase; endswith; classtype:targeted-activity; sid:2028627; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WMN CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent"; depth:59; fast_pattern; http.request_body; content:"="; offset:4; depth:9; content:"=&"; distance:55; within:2; pcre:"/^[a-z]{4,12}=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{3}=&[a-z]{4,12}=[A-Za-z0-9+/]{4}/"; reference:md5,3031604f1cf95ee4ccc339c9e4d5b92f; classtype:command-and-control; sid:2020708; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query"; dns.query; content:"tawaranmurah.com"; nocase; endswith; classtype:targeted-activity; sid:2028628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RocketKitten APT Checkin"; flow:to_server,established; http.uri; content:"/index.php?c="; content:"&r="; distance:0; http.header; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Rocket+Kitten+Is+it+still+APT+if+you+can+buy+it+off+the+shelf/19123; reference:md5,f89a4d4ae5cca6d69a5256c96111e707; classtype:targeted-activity; sid:2020078; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_05_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PHPStudy CnC Domain in DNS Lookup"; dns.query; content:".360se.net"; pcre:"/^(?:www|bbs|cms|down|up|file|ftp)/"; reference:url,github.com/blackorbird/APT_REPORT/tree/master/phpstudyGhost; reference:url,twitter.com/blackorbird/status/1175951448678420480; classtype:domain-c2; sid:2028630; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?U3ViamVjdD1"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020718; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Social-bos.biz related trojan checkin (trackid=hex)"; flow:established,to_server; http.uri; content:".php?trackid="; content:"706172616D3D636D64266C616E673D"; reference:url,doc.emergingthreats.net/2008545; classtype:command-and-control; sid:2008545; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Payload URI Struct March 20 2015"; flow:established,to_server; urilen:>220; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2020720; rev:3; metadata:created_at 2015_03_21, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Theoreon.com Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/firststart.php?pid="; nocase; content:"&dt="; nocase; content:"&v="; nocase; reference:url,doc.emergingthreats.net/2007832; classtype:command-and-control; sid:2007832; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyLogger related to FindPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"uid="; depth:4; content:"&win="; distance:0; content:"&vers="; distance:0; reference:md5,593af622a90f2038e35ee980e09c1c3c; reference:url,researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:command-and-control; sid:2020724; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Downloader Tibs.jy Reporting to C&C (2)"; flow:established,to_server; http.uri; content:"/rule.php?"; nocase; content:"name="; nocase; content:"b="; nocase; content:"w="; nocase; reference:url,doc.emergingthreats.net/2003239; classtype:command-and-control; sid:2003239; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; http.uri; content:"/api/log.html|3f|"; fast_pattern; content:"c="; content:"&o="; content:"&n="; http.user_agent; content:"Apache-HttpClient"; depth:18; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Torpig Reporting User Activity (x25)"; flow:established,to_server; http.uri; content:"/x25.php"; nocase; content:"?id="; nocase; content:"&sv="; nocase; content:"&ip="; nocase; content:"&sport="; nocase; content:"&hport="; nocase; content:"&os="; nocase; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; classtype:trojan-activity; sid:2002762; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy Checkin"; flow:to_server,established; http.uri; content:"/get_"; content:"did="; http.user_agent; content:"Downloader"; depth:10; reference:md5,73d2dd466df92b77a4c34adcd13e8b50; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces; classtype:command-and-control; sid:2018341; rev:8; metadata:created_at 2013_09_11, former_category MALWARE, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Torpig Reporting User Activity (wur8)"; flow:established,to_server; http.uri; content:"/wur8.php"; nocase; content:"?id="; nocase; content:"&sv="; nocase; content:"&ip="; nocase; content:"&sport="; nocase; content:"&hport="; nocase; content:"&os="; nocase; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; classtype:trojan-activity; sid:2003066; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?ext="; within:7; fast_pattern; content:"&pid="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa9542f02b26a554650a9649d2239181; classtype:command-and-control; sid:2020737; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virtumod/Agent.ufv/Virtumonde Get Request"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; nocase; content:"ver="; nocase; content:"aid="; nocase; content:"uid="; nocase; content:"adm="; nocase; reference:url,doc.emergingthreats.net/2008377; classtype:trojan-activity; sid:2008377; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"b3NfbmFtZT"; depth:10; fast_pattern; pcre:"/^[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP (3)"; flow:established,to_server; http.uri; content:"dll.html?"; nocase; content:"affid="; nocase; content:"&uid="; nocase; content:"&guid="; nocase; reference:url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html; reference:url,doc.emergingthreats.net/2008863; classtype:trojan-activity; sid:2008863; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Jm9zX3ZlbmRvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Virut - GET"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"?n="; nocase; content:"&lastid="; nocase; content:"&Version"; nocase; content:"&smartpic="; nocase; content:"&rand="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut; reference:url,www.avast.com/eng/win32-virut.html; reference:url,free.avg.com/66558; reference:url,www.threatexpert.com/threats/virus-win32-virut-ce.html; reference:url,doc.emergingthreats.net/2009808; classtype:trojan-activity; sid:2009808; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Zvc192ZW5kb3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.cyt (Or variant) HTTP POST Checkin"; flow:established,to_server; http.method; content:"POST"; depth:4; http.uri; content:".cgi"; http.request_body; content:"o=i&k="; reference:url,doc.emergingthreats.net/2008003; classtype:command-and-control; sid:2008003; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"mb3NfdmVuZG9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; http.uri; content:"/log/proc.php?key="; pcre:"/\/log\/proc\.php.key=[a-z0-9]{11}/i"; reference:url,doc.emergingthreats.net/2008185; classtype:command-and-control; sid:2008185; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"Windows NT"; classtype:trojan-activity; sid:2019457; rev:14; metadata:created_at 2014_10_17, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.AB or related Post-infection checkin"; flow:established,to_server; http.uri; content:"/work.php?"; nocase; content:"method="; nocase; content:"&port="; nocase; content:"&type="; nocase; content:"&winver="; nocase; reference:url,doc.emergingthreats.net/2008321; classtype:command-and-control; sid:2008321; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B ClickFraud Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/item/fmt?ct="; depth:13; fast_pattern; http.referer; pcre:"/^http\x3a\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r?$/i"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:trojan-activity; sid:2020750; rev:5; metadata:created_at 2015_03_26, updated_at 2020_05_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/reports/get_product_domains.php?abbr="; content:"&pid="; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010242; classtype:trojan-activity; sid:2010242; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (ext)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|5|0d 0a 0d 0a|ext=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030185; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zhelatin npopup Update Detected"; flow:established,to_server; http.method; content:"POST"; depth:4; http.uri; content:"/server/npopup/"; nocase; http.request_body; content:"data="; nocase; content:"&key="; nocase; reference:url,doc.emergingthreats.net/2007787; classtype:trojan-activity; sid:2007787; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (name)"; flow:established,to_server; content:"|0d 0a|Content-Length|3a 20|6|0d 0a 0d 0a|name=1"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2020_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob Updating via HTTP"; flow:established,to_server; http.uri; content:".php?code="; nocase; content:"&hash="; nocase; pcre:"/code=[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}/i"; reference:url,doc.emergingthreats.net/2007568; classtype:trojan-activity; sid:2007568; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JS/Magecart Domain in TLS SNI (manag .icu)"; flow:established,to_server; tls.sni; content:"manag.icu"; bsize:9; reference:url,twitter.com/felixaime/status/1263134882991046658; classtype:domain-c2; sid:2030194; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE xpsecuritycenter.com Fake AntiVirus GET-Install Checkin"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; content:"wmid="; nocase; content:"|26|l="; nocase; content:"|26|it="; nocase; content:"|26|s="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-051910-0118-99&tabid=1; reference:url,doc.emergingthreats.net/2008329; classtype:command-and-control; sid:2008329; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Remote Access - RView - Host - *.rview.com"; flow:established,to_server; http.host; content:".rview.com"; endswith; classtype:policy-violation; sid:2020804; rev:4; metadata:created_at 2015_03_31, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli HTTP Checkin Activity"; flow: to_server,established; http.uri; content:"/getmac.asp?x="; content:"&y="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:command-and-control; sid:2009215; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive Fake User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020810; rev:5; metadata:created_at 2015_03_31, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac Beacon Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.user_agent; content:"Mozilla"; bsize:7; http.request_body; content:"a="; nocase; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?win="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020812; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon"; flow:established,to_server; threshold: type both, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?cId="; fast_pattern; content:"&hos"; distance:0; content:"Name="; distance:0; content:"Info="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:command-and-control; sid:2023400; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive HTTP CnC Beacon 1"; flow:established,to_server; http.uri; content:".php?micro="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 2.0.50727)"; depth:80; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:command-and-control; sid:2020813; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PLATINUM Dipsind CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ud7LDjtsTHe2tWeC8DYo8A**"; fast_pattern; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:command-and-control; sid:2024369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Dipsind, malware_family PLATINUM, signature_severity Major, tag APT, tag PLATINUM, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Skyfall fake Skype install link"; flow:established,to_server; http.uri; content:"/video/?n="; depth:10; reference:url,www.windowstechupdates.com/omg-video-httpskypepopvideo-netvideonskype-user-name-virus/; reference:url,securelist.com/blog/incidents/69065/skyfall-meets-skype/; classtype:trojan-activity; sid:2020801; rev:5; metadata:created_at 2015_03_30, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent (Opera/8.89)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Opera/8.89 (Windows NT 6.0|3b 20|U|3b 20|en)|0d0a|"; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009530; classtype:trojan-activity; sid:2009530; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - Bravica"; flow:established,to_server; http.method; content:"POST"; http.host; content:"www.bravica.net"; bsize:15; http.request_body; content:"name="; content:"&cmd="; distance:0; classtype:external-ip-check; sid:2020830; rev:5; metadata:created_at 2015_04_02, former_category POLICY, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent Generic CnC Pattern"; flow:established,to_server; http.uri; content:"/rest/v"; content:"/clients/client?"; distance:0; content:"&agent_id="; distance:0; fast_pattern; http.user_agent; content:!"Mozilla"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip-whois"; flow:established,to_server; http.host; content:"ip-whois.net"; bsize:12; classtype:external-ip-check; sid:2020831; rev:5; metadata:created_at 2015_04_02, former_category POLICY, updated_at 2020_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Check-in Response"; flow:established,to_client; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity; sid:2015896; rev:5; metadata:created_at 2012_11_20, former_category TROJAN, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 1"; flow:established,to_server; http.header; content:"Referer|3a 20|HTTP/1.0|0d 0a|"; depth:19; fast_pattern; http.header_names; content:!"Accept-"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020833; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus or Related Infection Checkin"; flow:established,to_server; http.uri; content:"btn="; content:"q="; http.request_body; content:"SOFT"; reference:url,doc.emergingthreats.net/2008665; classtype:command-and-control; sid:2008665; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?N="; content:"["; distance:0; content:"]"; distance:0; content:"["; distance:0; content:"]"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020835; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"lang="; nocase; content:"&socksport="; nocase; content:"&httpport="; nocase; content:"&ver="; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:md5,e787c4437ff67061983cd08458f71c94; reference:md5,d86b9eaf9682d60cb8b928dc6ac40954; reference:md5,1777f0ffa890ebfcc7587957f2d08dca; reference:url,doc.emergingthreats.net/2002790; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; classtype:trojan-activity; sid:2002790; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Hangover related campaign Response"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:!"Referer|0d 0a|"; file.data; content:"|3a 5c|Bootfile|5c|firewall|5c|1"; pcre:"/^[C-J]\r\n/R"; reference:md5,f761060ced467394a6f87fd2204c6a74; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:trojan-activity; sid:2018567; rev:5; metadata:created_at 2014_06_17, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon URL Infection Checkin Detected"; flow:established,to_server; http.uri; content:"?mac="; nocase; content:"&ver="; nocase; content:"&user="; nocase; content:"&md5="; nocase; content:"&pc="; nocase; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,doc.emergingthreats.net/2007592; classtype:command-and-control; sid:2007592; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke variant C&C activity"; flow:to_server,established; http.uri; content:"&Auth="; content:"&Session="; distance:0; content:"&DataID="; distance:0; content:"&FamilyID="; distance:0; reference:md5,8bbc55ec1a7e86cb21d3cda5ccb43e1e; reference:url,www.f-secure.com/static/doc/labs_global/Whitepapers/cosmicduke_whitepaper.pdf; classtype:targeted-activity; sid:2023909; rev:5; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; http.user_agent; content:"RAV"; nocase; depth:3; pcre:"/^RAV\d\.\d\d/"; reference:url,doc.emergingthreats.net/2007661; classtype:trojan-activity; sid:2007661; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent STORMDDOS"; flow: established,to_server; http.user_agent; content:"STORMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011480; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SillyFDC WordPress Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?dm=6b2280e30391615dcaa18e533ccb99a9"; fast_pattern; depth:37; reference:md5,3c10f65f8c1a84c53d94c331a63cad06; classtype:trojan-activity; sid:2020845; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_04_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent IAMDDOS"; flow: established,to_server; http.user_agent; content:"IAMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011481; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/goformFOO/AlFrame?"; content:"/goformFOO/AlFrame?"; distance:0; content:"Gateway.Wan.dnsAddress1="; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent YTDDOS"; flow: established,to_server; http.user_agent; content:"YTDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011483; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1="; distance:0; content:"action_mode=apply"; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020862; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TaskPerformer Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Ox0001="; depth:7; nocase; content:"&Ox0010="; nocase; distance:0; content:"&Ox0011="; nocase; distance:0; content:"&Ox0100="; nocase; distance:0; content:"&Ox0101="; nocase; distance:0; fast_pattern; reference:md5,d89560ec4dbb0ca75734b39009d089e5; classtype:command-and-control; sid:2030831; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1_x="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Juliens Botnet CnC Activity M1"; flow:established,to_server; http.start; content:"GET /data.php?a="; startswith; fast_pattern; content:"&b="; distance:0; content:"HTTP/1.1|0d 0a|Authorization|3a 20|Basic|20|"; reference:md5,73ed84016746f0b53889d20cbdbb6f07; classtype:command-and-control; sid:2030834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/webcm?"; fast_pattern; content:"getpage="; distance:0; content:"&var|3a|lang="; http.uri.raw; content:"|2e 2e|/html/menus/menu2.html"; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:5; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pridecdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030838; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; urilen:26; http.method; content:"POST"; http.uri; content:"/apply.cgi?/BAS_update.htm"; http.request_body; content:"submit_flag=ether"; depth:17; fast_pattern; content:"&ether_dnsaddr1="; distance:0; nocase; content:"&Apply=Apply"; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:5; metadata:created_at 2015_04_08, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ordercheck.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030839; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; fast_pattern; content:"dnsserver="; distance:0; content:"&dnsserver2="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apisquere.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030840; rev:2; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/basic/uiViewIPAddr="; fast_pattern; content:"&uiViewDns1Mark="; distance:0; content:"&uiViewDns2Mark="; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=quicdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030841; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prim.htm?"; depth:10; fast_pattern; nocase; content:"i00110004="; distance:0; content:"&i00110005="; distance:0; nocase; content:"&i00035007="; distance:0; nocase; reference:url,www.gnucitizen.org/blog/router-hacking-challenge; classtype:attempted-admin; sid:2020873; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apienclave.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030842; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup_dns.stm?page=setup_dns"; content:"&dns1_1="; reference:url,www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4; classtype:attempted-admin; sid:2020875; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquery-cycle.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030843; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/LanDhcpServerRpm.htm?"; fast_pattern; content:"dhcpserver=1"; content:"&dnsserver="; content:"&Save="; reference:url,www.exploit-db.com/exploits/34584; classtype:attempted-admin; sid:2020878; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=b-metric.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030844; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Basic.tri?"; fast_pattern; content:"&dns0_0="; content:"&dns0_1="; reference:url,sebug.net/paper/Exploits-Archives/2008-exploits/0803-exploits/linksys-bypass.txt; classtype:attempted-admin; sid:2020879; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/Wellness CnC Host Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.cookie; content:".+"; fast_pattern; isdataat:100,relative; content:".+"; distance:0; content:".+"; distance:0; content:"%3a"; nocase; content:"%2c"; nocase; http.request_body; pcre:"/^(?:[a-z0-9:.,]{3,10}\s){50,}[a-z0-9:.,]{3,10}\s*$/i"; reference:md5,98fe909510c79b21e740fec32fb6b1a0; reference:url,blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html; classtype:targeted-activity; sid:2030846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_08;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanStaticIpCfgRpm.htm"; fast_pattern; content:"&dnsserver="; content:"&Save=Save"; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:4; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.PZE Variant CnC Activity"; flow:established,to_server; content:"|00 03|UPDATE users SET uname|20 3d 20 27|"; offset:3; depth:28; fast_pattern; content:"|27 20|WHERE hwid|20 3d 20 27|"; content:"|27 20|LIMIT 1|3b|"; endswith; reference:md5,39d55aa51967c001b7cc85f539055637; classtype:command-and-control; sid:2030848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Retrieving RAR Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|en-us|3b 20|rv:1.9.2.3) Gecko/20100401 YFF35 Firefox/3.6.3"; depth:94; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,c3ab87f85ca07a7d026d3cbd54029bbe; classtype:trojan-activity; sid:2020885; rev:5; metadata:created_at 2015_04_09, updated_at 2020_05_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup"; dns.query; content:"vtboss.yolox.net"; nocase; endswith; reference:md5,060b0ce9e6d625b57abd2ba23d38d513; reference:url,blog.talosintelligence.com/2017/03/threat-roundup-0306-0310.html; classtype:domain-c2; sid:2028632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor External IP Lookup checkip.dyndns.org"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Host|3a 20|checkip.dyndns.org|0d 0a|"; depth:26; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv:x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,00e3b69b18bfad7980c1621256ee10fa; classtype:external-ip-check; sid:2020886; rev:6; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9]{20}/R"; reference:url,doc.emergingthreats.net/2007650; classtype:command-and-control; sid:2007650; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180 Solutions (Zango Installer) User Agent"; flow:to_server,established; http.user_agent; content:"SAIv"; fast_pattern; reference:url,doc.emergingthreats.net/2003062; classtype:pup-activity; sid:2003062; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/"; http.user_agent; content:"chrome/9.0"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:command-and-control; sid:2014163; rev:11; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_11, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)"; flow:established,to_server; http.uri; content:"/watch?v=iRXJXaLV0n4"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)|20|"; startswith; http.host; content:"www.youtube.com"; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LankerBoy HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; http.header; content:"User-Agent|3a 20|us|0d 0a|Host"; depth:20; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,db2c617a6e53a24fa887e6ecf60a076d; classtype:command-and-control; sid:2020902; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.zhack.ca"; distance:20; within:11; endswith; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:url,github.com/ettic-team/dnsbin; classtype:command-and-control; sid:2028634; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_27, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eyJib3RpbmZvIjp7InVwbG9hZElkIjo"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020908; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo - Data Inbound"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".i.zhack.ca"; distance:20; within:11; endswith; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:url,github.com/ettic-team/dnsbin; classtype:command-and-control; sid:2028635; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_27, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Upatre Binary Download Jan 02 2014"; flow:established,from_server; http.content_type; content:"text/plain"; bsize:10; file.data; content:"ZZP|00|"; within:4; classtype:trojan-activity; sid:2018055; rev:5; metadata:created_at 2014_02_03, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Cosmu.xet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"GoGo.ashx?Mac="; content:"&UserId="; content:"&Bate="; reference:md5,f39554f3afe92dca3597efc1f7709ad4; classtype:command-and-control; sid:2011278; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log.php?id=|5b|"; fast_pattern; content:"|7c|"; distance:0; content:"|5d|"; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020919; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Stuxnet index.php"; flow:to_server,established; http.uri; content:"/index.php?data=66a96e28"; nocase; reference:url,research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html; classtype:trojan-activity; sid:2011300; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STTip.asp"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:trojan-activity; sid:2020924; rev:4; metadata:created_at 2015_04_16, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (2)"; flow:established,to_server; http.uri; content:"/?rnd="; nocase; content:"&id="; pcre:"/\/\?rnd=\d+&id=\d+$/"; reference:md5,579f2e29434218d62d31625d369cbc42; reference:md5,76cf08503cdd036850bcc4f29f64022f; classtype:trojan-activity; sid:2011337; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon Fake UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla Firefox/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020934; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeYak or Related Infection Checkin 1"; flow:established,to_server; http.uri; content:"&fff="; content:"&coid="; content:"do="; content:"&IP="; nocase; content:"lct="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:command-and-control; sid:2011396; rev:5; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"key="; depth:4; fast_pattern; pcre:"/^[A-Z]+$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020935; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Checkin"; flow:established,to_server; http.uri; content:".php?id="; nocase; content:"&ver="; nocase; content:"&up="; nocase; content:"&os="; nocase; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,doc.emergingthreats.net/2010791; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011791; rev:6; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"bit="; depth:4; fast_pattern; pcre:"/^(?:32|64)$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020937; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; http.uri; content:"/socks.php?"; nocase; content:"name="; nocase; content:"&port="; nocase; pcre:"/port=[1-9]{1,5}/i"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011523; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; pcre:"/\/$/"; http.request_body; content:"unkey="; depth:6; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020938; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (1)"; flow:established,to_server; http.uri; content:"v="; nocase; content:"&step="; nocase; content:"&hostid="; nocase; reference:url,www.abuse.ch/?p=2796; reference:url,www.abuse.ch/?p=2740; reference:md5,c59cdd1366dd5c2f448c03738ec0dc88; reference:md5,b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011577; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Win32/Tesch.B CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a 20|Internet  Explorer|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-f0-9]+(?:\x20[a-f0-9]+)+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0032395c3a980e09c511b6b41ab3da48; classtype:command-and-control; sid:2020945; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (2)"; flow:established,to_server; http.uri; content:"/getfile.php?r="; nocase; content:"&p="; nocase; pcre:"/\/getfile\.php\?r=-?\d+&p=/"; reference:url,www.abuse.ch/?p=2796; reference:url,www.abuse.ch/?p=2740; reference:md5,c59cdd1366dd5c2f448c03738ec0dc88; reference:md5,b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011578; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".jpg"; endswith; content:!"upload.wikimedia.org"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:11; metadata:created_at 2010_07_30, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; http.uri; content:"/manda.php?"; content:"id="; nocase; content:"&v="; nocase; pcre:"/\/manda\.php\?id=(-)?\d{8,10}&v=\w/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,doc.emergingthreats.net/2010765; reference:md5,b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; classtype:command-and-control; sid:2010765; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access"; flow:established,to_server; http.uri; content:"Adminhtml"; nocase; content:!"|2f|admin|2f|"; nocase; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:attempted-admin; sid:2021005; rev:3; metadata:created_at 2015_04_24, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hst="; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:md5,dfd424684f3a5c44ff425c7fe425ca8b; classtype:command-and-control; sid:2030853; rev:1; metadata:created_at 2020_09_11, former_category MALWARE, performance_impact Low, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis Downloading EXE"; flow:established,to_server; http.uri; content:".jpg"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2021017; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Opera 8.11 UA related to Trojan Activity"; flow:established,to_server; http.header; content:"|20|HTTP/1.0|0d 0a|"; content:"|0d 0a|User-Agent|3a 20|opera/8.11|0d 0a|"; classtype:trojan-activity; sid:2012315; rev:4; metadata:created_at 2011_02_18, former_category USER_AGENTS, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible ThousandEyes User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; fast_pattern; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021025; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"enfiniql2buev6o.m.pipedream.net"; bsize:31; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:domain-c2; sid:2030851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET INFO Possible ThousandEyes User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 AppleWebKit/999.0 (KHTML, like Gecko) Chrome/99.0 Safari/999.0|0d 0a|"; fast_pattern; reference:url,thousandeyes.com; classtype:misc-activity; sid:2021026; rev:3; metadata:created_at 2015_04_28, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reimageplus Ransomware Checkin"; flow:established,to_server; http.request_line; content:"GET /?computer_name="; startswith; content:"&userName="; content:"&allow=ransom HTTP/1.1"; endswith; fast_pattern; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:command-and-control; sid:2030852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:9; depth:3; pcre:"/^\/-?[a-f0-9]{8,9}\/-?\d+(?:\.php|\/)$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:command-and-control; sid:2035045; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?dn"; nocase; content:"&flrdr="; fast_pattern; nocase; content:"&nxte="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008639; classtype:trojan-activity; sid:2008639; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim Checkin"; flow:established,to_server; flowbits:set,ET.FB.troj; http.method; content:"GET"; http.uri; content:"/ok.txt"; endswith; http.user_agent; content:"AutoHotkey"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:command-and-control; sid:2020348; rev:5; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3A|"; content:"X-Size|3A|"; content:"X-Sn|3A|"; fast_pattern; classtype:trojan-activity; sid:2014232; rev:5; metadata:created_at 2012_02_16, updated_at 2020_09_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".swf"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/m"; file.data; content:"WS"; within:3; classtype:exploit-kit; sid:2020981; rev:4; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (3)"; flow:established,to_server; http.uri; content:"/?id"; nocase; content:"&rnd="; pcre:"/\/\?id(\d+)?&rnd=\d+$/"; http.header; content:!"Windows NT"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,438bcb3c4a304b65419674ce8775d8a3; classtype:trojan-activity; sid:2011338; rev:6; metadata:created_at 2010_09_28, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; fast_pattern; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:3; metadata:created_at 2015_05_06, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?V="; fast_pattern; content:"&U="; distance:0; http.header; content:"Windows NT"; content:"Referer|3a|"; content:".php|0d 0a|"; distance:0; http.header_names; content:!"Accept-"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024176; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, signature_severity Major, tag Felismus, tag c2, updated_at 2020_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; http.header; content:!"|0d 0a|x-avast"; file.data; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:5; metadata:created_at 2012_09_28, updated_at 2020_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; http.stat_code; content:"404"; http.stat_msg; content:"Not Found"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"JnB3ZD"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz"; flow:established,to_client; http.cookie; content:"snkz="; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/R"; classtype:trojan-activity; sid:2018141; rev:5; metadata:created_at 2014_02_15, former_category TROJAN, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"Zwd2Q9"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell GIF"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027738; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?callback="; content:"&data=bG9nP"; distance:0; fast_pattern; content:"mcHdkP"; distance:0; content:"&_="; distance:0; pcre:"/&_=\d+$/"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:3; metadata:created_at 2015_05_09, former_category CURRENT_EVENTS, updated_at 2020_05_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell JPEG"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027739; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|danutzbaiatfinutz"; fast_pattern; classtype:attempted-admin; sid:2030198; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_05_21, deployment Perimeter, signature_severity Minor, updated_at 2020_05_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MassLogger Domain in TLS SNI (ecigroup-tw .com)"; flow:established,to_server; tls.sni; content:"ecigroup-tw.com"; bsize:15; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030879; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|danutzbaiatfinutz"; fast_pattern; classtype:web-application-attack; sid:2030199; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_05_21, deployment Perimeter, signature_severity Major, updated_at 2020_05_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (enoyq5xy70oq .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"enoyq5xy70oq.x.pipedream.net"; bsize:28; reference:md5,033abc4e8a618e545e4e84e0504f853d; classtype:coin-mining; sid:2030872; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SystemdMiner CnC Activity"; dns.query; content:"2iuu6o3zbmwynik2.tor2web."; nocase; depth:25; reference:md5,9270e6df6486937cae29ae2e87b13373; reference:md5,8b606eefd222ee44bc0fcf305bde6340; classtype:trojan-activity; sid:2030200; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_05_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 1"; flow:established,to_client; http.cookie; content:"ci_session="; file.data; content:"ne_unik"; fast_pattern; within:7; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:4; metadata:created_at 2013_05_31, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M1 (encrypted token)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; http.request_body; content:"etc/config/.app_token"; fast_pattern; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030201; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M10"; flow:established,to_server; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:"Referer|0d 0a|"; distance:0; reference:md5,ba2e4a231652f8a492feb937b1e96e71; classtype:trojan-activity; sid:2030868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Pre-Auth Local File Disclosure Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; fast_pattern; http.header; content:"QMS_SID="; http.request_body; content:"./../"; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030202; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=peernew.com"; nocase; endswith; reference:md5,f3ead1eef8ee0d3b4aceaef10b7b4a9c; classtype:domain-c2; sid:2030867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M2 (plaintext token)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; http.request_body; content:"__thumb/ps.app.token"; fast_pattern; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030203; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoLang Dropper Domain (en7dftkjiipor .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en7dftkjiipor.x.pipedream.net"; bsize:29; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:md5,a1de4ff7292f4557a7b133d90e2ec538; classtype:domain-c2; sid:2030873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Authenticated Session Tampering Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"sysRequest.cgi"; endswith; http.request_body; content:"smtp_fw_update="; startswith; fast_pattern; content:"=<?"; distance:0; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030204; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_05_21;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (endpsbn1u6m8f .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"endpsbn1u6m8f.x.pipedream.net"; bsize:29; reference:md5,0789fc10c0b2e34b4d780b147ae98759; classtype:coin-mining; sid:2030874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BF Botnet CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ver="; content:"&os="; distance:0; content:"&binary="; distance:0; content:"&token="; distance:0; content:"&run_time="; distance:0; fast_pattern; http.header; content:"Pragma|3a 20 20|"; content:"Cache-Control|3a 20 20|"; reference:md5,3c475b319959069053191e740822fcd6; classtype:trojan-activity; sid:2030207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family BFBotnet, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (en24zuggh3ywlj .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en24zuggh3ywlj.x.pipedream.net"; bsize:30; reference:md5,785a7a47010d58638b874f29c4a1f0ad; classtype:coin-mining; sid:2030875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT15/NICKEL KETRUM CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?id="; http.accept; content:"text/html,text/xml,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; fast_pattern; content:"*/*"; distance:0; http.accept_lang; content:"q=0.8,en|3b|q=0.7"; http.header; content:!"Referer"; content:!"User-Agent"; reference:md5,278ac5d64e21a1ab63ec2c590a803253; classtype:command-and-control; sid:2030208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family APT15, performance_impact Low, signature_severity Major, updated_at 2020_05_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030876; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop Checkin"; flow:established,to_server; http.uri; content:".asp?sn="; content:"&tmac="; distance:0; content:"&action="; distance:0; content:"&ver="; distance:0; http.header; pcre:"/^User-Agent\x3a[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x30442e9d036a40c8cbd41f8f4c9afab1ba\x20no-cache\r\n(?:\r\n)?$/"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:command-and-control; sid:2021103; rev:3; metadata:created_at 2015_05_15, former_category MALWARE, updated_at 2020_05_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Inbound"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".i.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030877; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop UA LETITGO"; flow:established,to_server; http.header; content:"User-Agent|3a 20|LETITGO|0d 0a|"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021104; rev:3; metadata:created_at 2015_05_15, updated_at 2020_05_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sage Ransomware Checkin"; flow:established,from_server; flowbits:isset,ET.Sage.Primer; http.header; content:"Content-Length|3a 20|1|0d 0a|"; file.data; content:"k"; within:1; endswith; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FrauDrop UA single"; flow:established,to_server; http.header; content:"User-Agent|3a 20|single|0d 0a|"; reference:md5,0442e9d036a40c8cbd41f8f4c9afab1b; classtype:trojan-activity; sid:2021105; rev:3; metadata:created_at 2015_05_15, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FF-RAT Stage 1 CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?hdr_ctx="; fast_pattern; pcre:"/\.php\?hdr_ctx=[0-9]{1,5}_[0-9]{1,5}$/"; http.user_agent; content:"Mozilla/5.0"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html; classtype:command-and-control; sid:2024419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Hellsing Proxy Checker Checkin"; flow:established,to_server; http.uri; content:"/common.asp?action="; content:"&uid="; distance:0; content:"&lan="; distance:0; content:"&hname="; distance:7; within:22; content:"&uname="; distance:1; within:22; content:"&os="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b7e7186d962d562af6a5d10a25d19b02; reference:url,securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/; classtype:targeted-activity; sid:2021108; rev:4; metadata:created_at 2015_05_15, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LockPOS CnC"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"lock"; fast_pattern; endswith; http.request_body; content:"|00 00 00|"; offset:1; depth:3; reference:md5,0ad35a566cfb60959576835ede75983b; reference:url,www.arbornetworks.com/blog/asert/lockpos-joins-flock/; classtype:command-and-control; sid:2024461; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, malware_family PoS, signature_severity Major, tag POS, tag LockPOS, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yahoyah CnC Beacon"; flow:established,to_server; http.header; content:"User-Agent|3a 20|MSIE|28|"; content:"|29 29 3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"|29 20|VR|28|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf; classtype:command-and-control; sid:2021114; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dragonfly APT Activity HTTP URI OPTIONS"; flow:established,to_server; http.method; content:"OPTIONS"; http.uri; content:"/ame_icon.png"; fast_pattern; endswith; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024899; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fsysna.Downloader CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; content:"Content-Type|3a 20|*/*|0d 0a|"; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE "; content:".0|3B 20|Win32|29 3B 20|"; distance:1; within:15; fast_pattern; pcre:"/^\d+$/R"; reference:url,blogs.mcafee.com/mcafee-labs/targeted-attacks-japanese-firm-use-old-activex-vulnerability; reference:md5,2b91011e122364148698a249c2f4b7fe; reference:md5,6c040be9d91083ffba59405f9b2c89bf; classtype:command-and-control; sid:2018462; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M5 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/server.armel"; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024928; rev:4; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; http.uri; content:"/timezone/"; depth:10; http.host; content:"www.earthtools.org"; bsize:18; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:policy-violation; sid:2021120; rev:3; metadata:created_at 2015_05_20, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Shiz.fxm/Agent-TBT Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 2.0|3b|"; depth:34; fast_pattern; http.referer; content:"http://www.google.com"; depth:21; endswith; classtype:command-and-control; sid:2013435; rev:6; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.Jenxcus.H User Agent"; flow:to_server,established; http.user_agent; content:"Hacked"; depth:6; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021123; rev:4; metadata:created_at 2015_05_20, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vflooder.C Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"google.com"; fast_pattern; depth:10; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2021337; rev:5; metadata:created_at 2015_06_24, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Blog Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/blog"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021129; rev:3; metadata:created_at 2015_05_21, updated_at 2020_05_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup"; dns.query; content:"ilo.brenz.pl"; nocase; endswith; classtype:trojan-activity; sid:2012730; rev:7; metadata:created_at 2011_04_27, former_category TROJAN, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Target Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/target"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021130; rev:3; metadata:created_at 2015_05_21, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xtrat.A Checkin"; flow:established,to_server; http.uri; content:".functions"; fast_pattern; endswith; pcre:"/^\/\d+\.functions$/"; http.host; content:!"microsoft.com"; http.header_names; content:!"Referer"; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2016275; rev:12; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blue Bot DDoS Logger Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/botlogger.php"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; reference:md5,7d9411f7204782fdbcd0fd0f20956bbc; reference:url,research.zscaler.com/2015/05/rig-exploit-kit-infection-cycle-analysis.html; classtype:trojan-activity; sid:2021131; rev:3; metadata:created_at 2015_05_21, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 2"; flow:established,to_server; urilen:>1; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; http.method; content:"POST"; http.uri; content:"/"; endswith; http.content_len; byte_test:0,>,99,0,string,dec; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; content:!"User-Agent"; content:!"Accept"; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:command-and-control; sid:2020418; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:to_server,established; http.uri.raw; content:"/_plugin/"; fast_pattern; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:5; metadata:created_at 2015_05_22, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.Rean Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; pcre:"/\/\d{10}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; fast_pattern; endswith; http.protocol; content:"HTTP/1.0"; reference:md5,0a998a070beb287524f9be6dd650c959; classtype:command-and-control; sid:2013339; rev:8; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; content:"N0BRBh"; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021140; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check"; flow:established,to_server; urilen:1; http.user_agent; content:"|3b 20|MSIE|20|"; fast_pattern; http.host; content:"www.google.com"; depth:14; endswith; http.accept; content:"*/*"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:59; endswith; classtype:trojan-activity; sid:2018242; rev:7; metadata:created_at 2014_03_10, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon Response"; flow:established,from_server; http.server; content:"Apache/20.2.25 (RedHat)"; fast_pattern; bsize:23; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021148; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.host; content:"api.wipmania.com"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; classtype:trojan-activity; sid:2015800; rev:10; metadata:created_at 2012_10_13, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Moose HTTP CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; content:"&f="; distance:0; content:"&m="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf; classtype:command-and-control; sid:2021147; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; dns.query; content:"networksecurityx.hopto.org"; endswith; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:6; metadata:created_at 2014_01_24, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in M2"; flow:established,to_server; urilen:<110; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.header; content:" rv|3a|11.0"; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:62; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.header_names; content:!"|0d 0a|Accept-"; nocase; content:!"Referer|0d 0a|"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2020855; rev:4; metadata:created_at 2015_04_08, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kelihos.F EXE Download Common Structure"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:12; metadata:created_at 2013_10_15, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Payload Instructions"; flow:established,to_server; urilen:45; http.method; content:"GET"; http.uri; content:"/uploads/"; depth:9; fast_pattern; content:".png"; distance:32; within:4; pcre:"/\/[a-f0-9]{32}\.png$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan:Win32/Gatak.DR#tab=2; classtype:trojan-activity; sid:2021160; rev:3; metadata:created_at 2015_05_29, updated_at 2020_05_22;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.me"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030881; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action="; depth:7; content:"&uid="; distance:0; content:"key="; distance:0; fast_pattern; pcre:"/&(?:un)?key=[A-Z]+$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021168; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.net"; bsize:9; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030882; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_06_05, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_22, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Exfil Domain (imags .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"imags.pw"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030883; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IOS.Oneclickfraud HTTP Host"; flow:to_server,established; http.host; content:"eroeroou.com"; startswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-060111-2757-99&tabid=2; classtype:trojan-activity; sid:2021187; rev:3; metadata:created_at 2015_06_05, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:!"driftmania"; http.user_agent; content:"Mozilla"; depth:7; http.host; content:!"coreftp.com"; http.request_body; content:"data="; depth:5; fast_pattern; pcre:"/^[A-F0-9]{100,}$/R"; http.header_names; content:!"Referer"; reference:md5,a3440b6117f3783989683753c9f394dd; classtype:command-and-control; sid:2022504; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alphacrypt, malware_family TeslaCrypt, signature_severity Major, tag Ransomware, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Databack CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?pn="; fast_pattern; content:"&s="; distance:0; content:"&x="; distance:0; pcre:"/\.php\?pn=[^&]+&s=[0-9]+&x=0\.[0-9]{7}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc7b0c078482b68c1ff89da3ac88949b; classtype:command-and-control; sid:2021189; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Headers - Likely CnC Beacon"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Connection|0d 0a|"; depth:28; content:!"Referer"; content:!"Accept-"; content:"User-Agent|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2019755; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IsSpace/Zacom Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.microsoft.com"; bsize:17; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b|Windows NT 5.1)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:trojan-activity; sid:2021215; rev:3; metadata:created_at 2015_06_09, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_articles"; depth:13; fast_pattern; content:"/"; endswith; http.header_names; content:"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:md5,9a705a2c25a8b30de80e59dbb9adab83; classtype:command-and-control; sid:2018644; rev:6; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Xpopup Instant Messenger Downloading Configuration"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/xpopinfo.dat"; fast_pattern; http.user_agent; content:"Mozilla/4.1 (compatible|3b 20|"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c7abe2297ee64362e33584f9f654ebd; classtype:policy-violation; sid:2021205; rev:5; metadata:created_at 2015_06_09, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Checkin 2"; flow:to_server,established; urilen:20; http.method; content:"POST"; http.uri; content:"/forum/viewtopic.php"; endswith; http.user_agent; content:"Windows 98)"; endswith; fast_pattern; http.content_type; content:"application/octet-stream"; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:command-and-control; sid:2016550; rev:8; metadata:created_at 2013_01_12, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet v2 Exfiltrating Outlook information"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<Information>"; fast_pattern; content:"<id>"; distance:0; content:"<Version>"; distance:0; content:"<profile>"; distance:0; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/analysis/69560/the-banking-trojan-emotet-detailed-analysis/; classtype:trojan-activity; sid:2020900; rev:4; metadata:created_at 2015_04_13, updated_at 2020_05_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain .ntkrnlpa.info Lookup"; dns.query; content:".ntkrnlpa.info"; nocase; endswith; classtype:trojan-activity; sid:2012729; rev:6; metadata:created_at 2011_04_27, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gatak.DR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/([a-z]{4,9}\/[a-z]{4,12}\?[a-z]{4,7}\=[0-9]{5,7})$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,adb3242f8efad48ca174a7e46991f507; classtype:trojan-activity; sid:2021246; rev:4; metadata:created_at 2015_06_11, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VBKrypt.cugq/Umbra Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bot.php"; nocase; fast_pattern; endswith; http.request_body; content:"mode="; nocase; pcre:"/^\d/Ri"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:command-and-control; sid:2018518; rev:10; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/p?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"|3b|"; distance:0; pcre:"/^\/p\?\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021088; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin"; flow:established,to_server; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z-_]+?\.(php|html)$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016553; rev:6; metadata:created_at 2013_03_08, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s?"; depth:3; fast_pattern; content:"|3b|"; distance:0; content:"|3b|"; distance:0; content:"."; distance:1; within:2; content:"_"; distance:0; pcre:"/^\/s\?\d+\x3b\d+\x3b\d{1,2}\.\d_(?:32|64)_\d+(?:\x3b\d+){4}$/"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021257; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Simda.C Checkin"; flow:established,to_server; http.uri; content:"/?"; nocase; http.uri.raw; content:"=%96%"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Trident/4.0|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 3.0.04506.590|3b 20|.NET CLR 3.0.04506.648|3b 20|.NET CLR 3.5.21022|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:command-and-control; sid:2016300; rev:7; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/?a="; depth:8; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:command-and-control; sid:2021262; rev:3; metadata:created_at 2015_06_13, former_category MALWARE, updated_at 2020_05_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak HTTP CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"PHPSESSID="; depth:10; fast_pattern; pcre:"/^[A-F0-9]{32}$/R"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; depth:24; endswith; http.header_names; content:!"IBM-PROXY-WTE"; nocase; classtype:command-and-control; sid:2022225; rev:10; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET [!$HTTP_PORTS,!445,!22] -> any any (msg:"ET EXPLOIT Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:5; metadata:created_at 2014_04_08, former_category CURRENT_EVENTS, updated_at 2020_05_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppift.net"; dns.query; content:"ppift.net"; nocase; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015460; rev:6; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request for ISO File Direct to IP"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d+)?$/"; http.request_line; content:".iso HTTP/1."; fast_pattern; classtype:misc-activity; sid:2030205; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_05_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup fasternation"; dns.query; content:"fasternation.net"; nocase; endswith; classtype:trojan-activity; sid:2019695; rev:4; metadata:created_at 2014_11_12, updated_at 2020_09_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (checksoffice .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"checksoffice.me"; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030209; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice11.ru)"; dns.query; content:"ddnservice11.ru"; nocase; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020065; rev:5; metadata:created_at 2014_12_24, former_category MALWARE, updated_at 2020_09_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (plaintsotherest .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"plaintsotherest.net"; bsize:19; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030210; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork DNS Tunneling (nsn1.winodwsupdates .me)"; dns.query; content:".nsn1.winodwsupdates.me"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MAZE Ransomware CnC Domain (thesawmeinrew .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"thesawmeinrew.net"; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:command-and-control; sid:2030211; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_05_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (randreports .org in DNS Lookup)"; dns.query; content:"randreports.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025073; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni Stage 2 Payload Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?client_id="; fast_pattern; http.request_body; content:"name=|22|fileToUpload|22 3b|"; content:"Upload|20|Image|0d 0a|----"; distance:0; content:"|00 00 00 00 00 00|"; endswith; reference:md5,d41b09aa32633d77a8856dae33b3d7b9; classtype:command-and-control; sid:2030219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Konni, updated_at 2020_05_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (rannd .org in DNS Lookup)"; dns.query; content:"rannd.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Uploader Accessed on External Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030212; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic .bin download from Dotted Quad"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; endswith; http.user_agent; content:!"McAfee Agent"; content:!"NetClient/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; classtype:trojan-activity; sid:2018752; rev:12; metadata:created_at 2014_07_23, updated_at 2020_09_15;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Uploader Accessed on Internal Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030213; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Critical, updated_at 2020_05_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (blacklister .nl in DNS Lookup)"; dns.query; content:"blacklister.nl"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025079; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity"; flow:established,to_server; http.start; content:"POST /qy/g"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"js=DhIhAwgjKRsxKCJdJjgcAjIzMREiAQQcJyghAjEsIgIkASoYIg"; startswith; fast_pattern; reference:md5,92a0de9944b6d180f072c4bce5250ec8; classtype:pup-activity; sid:2030222; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (bigboatreps .pw in DNS Lookup)"; dns.query; content:"bigboatreps.pw"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025078; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Security Phishing Landing Page"; flow:to_client,established; file.data; content:"href=|22|/public/campaign/"; content:"src=|22|/public/campaign/"; distance:0; content:"no connection or relationship between the trademark owner and Lucy Security or the LUCY Security customer"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2030214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_05_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs Common POST Header Structure"; flow:established,to_server; urilen:10<>20; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:!"NSIS|5f|Inetc |28|Mozilla|29|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:62; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,d11a453d4de6e6fd991967d67947c0d7; classtype:trojan-activity; sid:2021995; rev:5; metadata:created_at 2015_10_23, updated_at 2020_09_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion . ly)"; dns.query; content:".onion.ly"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2030215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_05_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.google.com"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|Host|0d 0a|Pragma|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:command-and-control; sid:2012645; rev:7; metadata:created_at 2011_04_06, former_category MALWARE, updated_at 2020_09_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY .onion.ly Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.ly"; fast_pattern; classtype:policy-violation; sid:2030216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake AV Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; endswith; http.request_body; content:"data="; fast_pattern; depth:5; pcre:"/^data=[a-zA-Z0-9+\/]{64}/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2011912; rev:9; metadata:created_at 2010_11_09, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Witch3r Mini Shell"; nocase; fast_pattern; content:"Mini-Shell</h1></font>"; nocase; distance:0; classtype:web-application-attack; sid:2030217; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Critical, updated_at 2020_05_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; depth:30; http.request_body; content:"data="; depth:5; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|Host|0d 0a|"; depth:30; content:"User-Agent|0d 0a|"; distance:0; content:"Content-Length|0d 0a|"; distance:0; classtype:trojan-activity; sid:2012627; rev:5; metadata:created_at 2011_04_04, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Witch3r Mini Shell"; nocase; fast_pattern; content:"Mini-Shell</h1></font>"; nocase; distance:0; classtype:web-application-attack; sid:2030218; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jadtree Downloader rar"; flow:established,to_server; http.uri; content:".rar"; nocase; endswith; http.user_agent; bsize:4; pcre:"/^\d{4}$/"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:5; metadata:created_at 2014_01_30, updated_at 2020_09_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-05-27)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anca-aste.it"; nocase; endswith; reference:md5,56470e113479eacda081c2eeead153bf; classtype:domain-c2; sid:2030223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_05_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?v"; content:"&tq="; pcre:"/\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq=/"; http.user_agent; content:"mozilla/2.0"; fast_pattern; depth:11; endswith; classtype:command-and-control; sid:2012939; rev:10; metadata:created_at 2011_06_07, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Socelars Stealer CnC Activity"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1|0d 0a|"; bsize:17; http.request_body; content:"JSON=d0hy65aW"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,81a7f493c7b5a7c52ac19981a75f57df; classtype:command-and-control; sid:2030224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, malware_family Soclears, signature_severity Major, updated_at 2020_05_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; http.uri; content:"od"; offset:2; depth:2; nocase; content:".exe"; nocase; endswith; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/i"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:7; metadata:created_at 2014_04_16, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE COMRAT CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index/index.php?h="; startswith; fast_pattern; content:"&d="; distance:0; http.request_body; content:"form-data|3b 20|name=|22|array|22 0d 0a|"; reference:md5,f7bb82b0e665b494bcebefc7351f46c5; classtype:command-and-control; sid:2030226; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_05_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup intohave"; dns.query; content:"intohave.com"; nocase; endswith; classtype:trojan-activity; sid:2019694; rev:4; metadata:created_at 2014_11_12, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Terse Numeric .dat File"; flow:established,to_server; http.start; content:".dat|20|HTTP/1.1|0d 0a|"; fast_pattern; http.uri; pcre:"/\/[0-9]{1,2}\.dat$/"; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; classtype:bad-unknown; sid:2030225; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_05_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"post="; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022280; rev:5; metadata:created_at 2015_12_18, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Config Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mac.html?uid="; depth:14; fast_pattern; content:"&sid="; distance:0; content:"&fname="; distance:0; content:"&mac="; distance:0; content:"&os="; distance:0; content:"&pcname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:trojan-activity; sid:2021299; rev:3; metadata:created_at 2015_06_18, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi Remote File Injector Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/ggu.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; depth:11; endswith; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:command-and-control; sid:2016967; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO User-Agent (wininet)"; flow:established,to_server; flowbits:set,ET.wininet.UA; flowbits:noalert; http.header; content:"User-Agent|3a 20|wininet|0d 0a|"; classtype:misc-activity; sid:2021311; rev:4; metadata:created_at 2015_06_19, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; pcre:"/\/[0-9]{2}\.exe$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:5; metadata:created_at 2016_02_03, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/archive/"; nocase; offset:9; fast_pattern; content:".html"; nocase; distance:8; within:7; pcre:"/\/[a-f0-9]{8}\/archive\/\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021277; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.connection; content:"Close"; endswith; http.content_type; content:"octet/binary"; endswith; http.header_names; content:!"Referer"; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:command-and-control; sid:2019891; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, malware_family Dridex, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Keatep.B Checkin"; flow:established,to_server; http.uri; content:"&id="; nocase; content:"&v="; pcre:"/\?[0-9a-f]{5,}=\d+&id=\d+&v=\d+$/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Keatep.B; reference:md5,239aacf49bb6381fd71841fda4d4ee58; classtype:command-and-control; sid:2011336; rev:6; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_05_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 42"; dns.query; content:"www.37513.cn"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022452; rev:4; metadata:created_at 2016_01_27, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/check?iid="; fast_pattern; content:"kernel="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&kernel=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021334; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/userinfo.php"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022769; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/compiler?iid="; fast_pattern; content:"username="; distance:0; content:"password="; distance:0; pcre:"/iid=[a-fA-F0-9]{32}&username=/"; reference:url,blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/#more-33072; classtype:command-and-control; sid:2021335; rev:3; metadata:created_at 2015_06_24, former_category MALWARE, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart JS Retrieval"; flow:established,to_server; http.uri; content:"/122002/assets/js/widget.js"; bsize:27; fast_pattern; http.host; content:"mcdnn"; startswith; pcre:"/\.(?:me|net)$/WR"; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030884; rev:1; metadata:created_at 2020_09_15, former_category MALWARE, performance_impact Low, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:to_server,established; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.host; content:!"reg.163.com"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_05_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com)"; dns.query; content:"wh47f2as19.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020869; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?p="; fast_pattern; offset:2; depth:7; pcre:"/^\x2F[a-z]\x2Ephp\x3Fp\x3D[a-z0-9]{30,}$/i"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018681; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com)"; dns.query; content:"7hwr34n18.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020844; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kazy.325252 Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/track/?ip="; fast_pattern; depth:11; content:"&data="; distance:0; pcre:"/^\x2Ftrack\x2F\x3Fip\x3D\d&data\x3D/"; http.header; content:"Accept|3A 20|text/*, application/*, */*|0D 0A|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,87cdd25ac537280cc6751050050cae9c; classtype:command-and-control; sid:2018682; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 9d 26 66 9a 26 66 9d 42 70 9d 31 10 ed 26 66 98 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; http.uri; content:"viewtopic.php"; nocase; content:"highlight="; nocase; http.uri.raw; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:3; metadata:created_at 2015_07_07, updated_at 2020_05_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart Exfil URI"; flow:established,to_server; http.uri; content:"/502.jsp"; fast_pattern; http.host; content:"imags.pw"; endswith; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030885; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.request_body; content:"conteudo="; fast_pattern; depth:9; content:"&myFile="; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021404; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Waterspout.APT Backdoor CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"_id="; distance:3; within:4; fast_pattern; pcre:"/\/\d{5}\/(?P<s1>[a-z]{3})[a-z]\.php\?(?P=s1)_id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html; classtype:targeted-activity; sid:2019115; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 66 8b 30 61 8b 30 66 ef 26 66 9c 46 16 8b 30 63 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nymaim Checkin (2)"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; nocase; bsize:33; http.user_agent; content:"|20|MSIE|20|"; http.request_body; content:"filename="; depth:9; fast_pattern; content:"&data="; distance:0; pcre:"/^filename=[a-z]+?\.[a-z]+?&data=/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2016757; rev:11; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 96 26 66 98 40 70 9d 30 11 e8 40 70 9d 34 70 9c 47|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos.AMM CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ID_MAQUINA="; depth:11; nocase; fast_pattern; content:"&VERSAO="; distance:0; nocase; content:"&WIN="; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f52ff1dc059f1df95781830d84a12869; classtype:command-and-control; sid:2021439; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_20, deployment Perimeter, former_category MALWARE, malware_family Bancos, signature_severity Major, tag Banking_Trojan, tag c2, updated_at 2020_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3b 70 9d 35 16 8b 30 66 ea 45 16 8b 30 62 8b 31 11|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger HTTP Pattern"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/post.php?type="; fast_pattern; content:"&machinename="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3; metadata:created_at 2015_07_20, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6d 8b 30 63 ed 26 66 9d 47 13 ed 26 66 99 26 67 ea|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Rioselx.A Checkin"; flow:established,to_server; http.uri; content:"/access.php"; fast_pattern; http.user_agent; content:!"Mozilla"; within:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; content:"Content-Length|0d 0a|"; reference:md5,3eb94c397a395f24b84297593f69710a; classtype:command-and-control; sid:2021442; rev:6; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 99 26 66 9c 47 70 9d 35 70 9d 34 70 9d 3a 17 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2 (set)"; flow:established,to_server; flowbits:set,ET.BARTALEX; flowbits:noalert; http.uri; content:".txt"; http.header; content:"WinHttp.WinHttpRequest"; classtype:trojan-activity; sid:2021531; rev:3; metadata:created_at 2015_07_24, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 34 70 9d 31 11 8b 30 63 8b 30 62 8b 30 6c ec 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Potao CnC POST Response"; flow:to_client,established; http.server; content:"nginx"; startswith; file.data; content:"<?xml version=|27|1.0|27|?>"; depth:21; content:"<methodResponse>"; distance:1; content:"<params>|0a|<param>"; distance:1; content:"<value><base64>"; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:command-and-control; sid:2021555; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 62 8b 30 67 ea 26 66 98 26 66 99 26 66 97 41 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyre CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; fast_pattern; pcre:"/_W\d+\.[A-F0-9]+\/\d+\/[^\x2f]+\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,3e215dfa84c271bb431b3de2e5da016a; classtype:command-and-control; sid:2021556; rev:3; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 46 70 9d 36 70 9d 37 70 9d 37 17 8b 30 60 8b 30 62 8b 30 61 8b 31 11|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PhantomSuper.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021557; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 10 8b 30 60 8b 30 61 8b 30 61 ec 26 66 9b 26 66 99 26 66 9a 26 67 ea|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ArrayReplace.class"; fast_pattern; http.header; content:"Java/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021558; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 eb 26 66 9b 26 66 9a 26 66 9a 41 70 9d 36 70 9d 34 70 9d 37 70 9c 47|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE URI Struct Observed in Pawn Storm CVE-2015-2950"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?p2="; content:"&recr="; distance:0; fast_pattern; content:"&p3="; distance:0; content:"&as="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/; classtype:trojan-activity; sid:2021560; rev:3; metadata:created_at 2015_07_31, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alina.POS-Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; content:"application/octet-stream"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:"|20|InfoPath|2e|"; distance:0; pcre:"/x20InfoPath\x2e\d[^\x29]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019163; rev:4; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Alina.POS-Trojan Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Accept|3a 20|application/octet-stream|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; depth:74; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2021597; rev:5; metadata:created_at 2015_08_05, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; pcre:"/\/\d{4,}\.txt$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"Accept|0d 0a|"; content:"Accept-Language|0d 0a|"; reference:md5,545ee3114faa5abd994f9730713f2261; classtype:trojan-activity; sid:2021304; rev:5; metadata:created_at 2015_06_19, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 40 70 9d 32 14 e8 47 17 8b 30 65 ef 26 67 ea|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Initial Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=creation"; fast_pattern; content:"result="; distance:1; content:"&info="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021610; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_05_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 16 8b 30 64 ef 45 11 ec 26 66 9e 42 70 9c 47|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http any any -> any 8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/submit_net_debug.cgi"; nocase; http.request_body; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:4; metadata:created_at 2015_08_18, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ed 26 66 9f 42 13 ea 41 70 9d 33 14 8b 31 11|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish 2015-08-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"onlineid="; depth:9; fast_pattern; content:"&passcode="; distance:0; content:"&fullname="; distance:0; content:"&address="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031761; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 41 11 8b 30 65 8b 30 6d 8b 30 61 8b 30 61 8b 30 63 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VBKrypt.vquj Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; http.request_body; content:"|03 00|"; depth:2; content:"|00 01 00|"; within:4; content:"|00 01 00|"; within:4; reference:md5,0c420e1eef4b1f097ffec8d0c0ff438a; classtype:command-and-control; sid:2021605; rev:5; metadata:created_at 2015_08_10, former_category MALWARE, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 17 ea 26 66 9e 26 66 96 26 66 9a 26 66 9a 26 66 98 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX August 11 2015"; flow:to_server,established; http.uri; content:".jpg"; nocase; pcre:"/\/(?:[a-z]+|\d+)\.jpg/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|FSL 7.0.6.01001)"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,1bcea0364088c5308ed217649eeef4d9; classtype:trojan-activity; sid:2021625; rev:5; metadata:created_at 2015_08_14, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ec 47 70 9d 33 70 9d 3b 70 9d 37 70 9d 37 70 9d 35 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise Style IP Check M2"; flow:to_server,established; urilen:16; http.uri; content:"/myip?format=txt"; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Win32)"; http.host; content:"api.ipaddress.com"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2030229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, signature_severity Major, updated_at 2020_05_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.AR Variant Winifixer.com Related Checkin URL"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?affid="; nocase; content:"&uid="; nocase; distance:0; content:"&tm="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; fast_pattern; reference:url,doc.emergingthreats.net/2008277; classtype:command-and-control; sid:2008277; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Server Lookup (nntime)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"nntime.com"; bsize:10; reference:md5,a09f817656ca4336581140fe81921f71; classtype:misc-activity; sid:2030230; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_05_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeXPA Checkin URL"; flow:established,to_server; http.uri; content:"/firstrun.php?product="; nocase; fast_pattern; content:"&aff="; nocase; distance:0; content:"&update="; nocase; distance:0; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/2008152; classtype:command-and-control; sid:2008152; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/NukeSped Variant CnC Domain (fudcitydelivers .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"fudcitydelivers.com"; bsize:19; reference:md5,7b07ed5338e6288b5cd510c38e2ab8ed; reference:url,twitter.com/ShadowChasing1/status/1267431137023979522; classtype:command-and-control; sid:2030234; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; http.uri; content:"/"; content:".exe"; distance:1; within:8; fast_pattern; endswith; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/"; http.header; content:!"koggames"; http.host; content:!"download.bitdefender.com"; endswith; content:!".appspot.com"; endswith; content:!"kaspersky.com"; endswith; content:!".sophosxl.net"; endswith; http.header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:12; metadata:created_at 2014_11_15, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banker.bqba Checkin"; flow:to_server,established; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; fast_pattern; bsize:31; http.request_body; content:"windows="; depth:8; content:"&av="; reference:md5,838d43239ba2c28bd968f8a7da64d340; classtype:command-and-control; sid:2023693; rev:3; metadata:created_at 2015_08_26, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SluttyPutty Maldoc User-Agent"; flow:established,to_server; http.user_agent; content:"come-tome"; depth:9; endswith; classtype:trojan-activity; sid:2025118; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag MalDoc, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml?"; fast_pattern; pcre:"/\?[a-z0-9]{32}$/"; http.host; content:"www.ecb.europa.eu"; bsize:17; classtype:trojan-activity; sid:2019400; rev:6; metadata:created_at 2014_10_15, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Injected WP Keylogger/Coinminer Domain Detected (cloudflare .solutions in DNS Lookup)"; dns.query; content:"cloudflare.solutions"; endswith; reference:url,blog.sucuri.net/2017/12/cloudflare-solutions-keylogger-on-thousands-of-infected-wordpress-sites.html; classtype:coin-mining; sid:2025141; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Cheshire Cat CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 4.0)"; fast_pattern; bsize:50; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3981; classtype:targeted-activity; sid:2021719; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:command-and-control; sid:2025142; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PawnStorm Sednit DL Aug 28 2015"; flow:established,to_server; http.uri; content:"/cormac.mcr"; http.header_names; content:!"Referer|0d 0a|"; classtype:targeted-activity; sid:2021729; rev:3; metadata:created_at 2015_08_28, former_category CURRENT_EVENTS, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup)"; dns.query; content:"0cf5ff34.ngrok.io"; endswith; reference:url,twitter.com/struppigel/status/940239612324319232; classtype:command-and-control; sid:2025143; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/6.0)"; startswith; http.request_body; content:"AQAAA"; fast_pattern; depth:5; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,0f6a9b15bd9fd719bb96491e16eb2f9c; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; classtype:command-and-control; sid:2021739; rev:3; metadata:created_at 2015_08_31, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zeus Panda CnC Domain (in DNS Lookup)"; dns.query; content:"pprulispikosqcsiwef.info"; nocase; endswith; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:command-and-control; sid:2025177; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Requesting Module"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.content_type; content:"text/plain"; startswith; http.header_names; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021741; rev:3; metadata:created_at 2015_09_01, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qasar Variant Domain (datapeople-cn .com in DNS Lookup)"; dns.query; content:"datapeople-cn.com"; endswith; reference:url,twitter.com/blu3_team/status/947858470816112640; classtype:trojan-activity; sid:2025179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category TROJAN, malware_family Qasar_Rat, performance_impact Moderate, signature_severity Major, tag Patchwork, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exx"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f7dff17acec6b79f3cdad6259cfb2d2c; classtype:trojan-activity; sid:2021742; rev:3; metadata:created_at 2015_09_01, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python Monero Miner CnC DNS Query"; dns.query; content:".zsw8.cc"; endswith; pcre:"/^[a-z]\./"; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:command-and-control; sid:2025183; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Cryptominer, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Landing URI Struct March 20 2015"; flow:established,to_server; http.uri; content:"/?"; depth:2; content:"=l3S"; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/"; classtype:exploit-kit; sid:2020722; rev:4; metadata:created_at 2015_03_21, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mami CnC Checkin"; flow:established,to_server; http.header; content:"User-Agent|3a 20 0d 0a|"; fast_pattern; http.request_body; content:"r="; depth:2; content:"&rc="; distance:0; http.request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; endswith; http.header_names; content:!"Referer"; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:command-and-control; sid:2025199; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_14, deployment Perimeter, former_category MALWARE, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful EDF Account Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; fast_pattern; content:"&nom"; distance:0; content:"&adresse1="; distance:0; content:"&ville="; distance:0; classtype:credential-theft; sid:2031769; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corebot Module Download 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|15.0) Gecko/20100101 Firefox/15.0.1"; fast_pattern; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; reference:url,securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/; reference:md5,f32f2209a1986c55750ceb6d8066df9f; classtype:trojan-activity; sid:2021754; rev:3; metadata:created_at 2015_09_09, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Chrome Extension Domain Request (change-request .info in DNS Lookup)"; dns.query; content:"change-request.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025216; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; http.uri; content:"/NEI_ModuleDispatch.php"; content:"module=NEI_AdvancedConfig"; distance:0; content:"&function=HapiGetFileContents"; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/i"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_10, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in DNS Lookup)"; dns.query; content:"projectevrial.ru"; nocase; endswith; classtype:trojan-activity; sid:2025228; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - net user"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net"; nocase; content:!"work"; within:4; nocase; content:"user"; nocase; within:11; content:!"-agent"; nocase; within:6; pcre:"/net(?:%(?:25)?20|\s)+user/i"; classtype:bad-unknown; sid:2016680; rev:7; metadata:created_at 2013_03_27, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns.query; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:4; metadata:created_at 2018_01_29, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spartan/Nuclear EK Payload"; flow:established,from_server; http.header; content:"nginx"; content:"X-Powered-By|3a|"; content:"application/octet-stream"; content:"Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; fast_pattern; classtype:exploit-kit; sid:2021765; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"projectevrial.ru"; endswith; nocase; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:4; metadata:created_at 2018_01_29, former_category TROJAN, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Odlanor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; content:"&v="; distance:0; content:"&os="; distance:0; content:"&c="; distance:0; content:"&u="; distance:0; http.request_body; pcre:"/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ce19c30ffda76cd63a88eeb8af0340f0; reference:url,welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/; classtype:command-and-control; sid:2021800; rev:3; metadata:created_at 2015_09_18, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M1"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"superasdc.pw"; depth:12; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025287; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Battle.net Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?"; http.request_body; content:"accountName="; depth:12; fast_pattern; content:"&password="; distance:0; content:"&persistLogin="; distance:0; content:"&csrftoken="; distance:0; classtype:credential-theft; sid:2031729; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M2"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"caforyn.pw"; depth:10; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Amazon Phish 2015-09-22"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"<title>|0a 20 20 20 20|! successful"; fast_pattern; content:"successful !"; distance:0; content:"Data has been successfully updated"; distance:0; classtype:credential-theft; sid:2031770; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns.query; content:"getfreshnews.com"; nocase; endswith; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.request_body; content:"|20 7c 20 22|0x"; fast_pattern; content:"_"; distance:0; content:"|22 20 7c 20|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021814; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report -|20|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:19; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:command-and-control; sid:2025375; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.host; content:"init.icloud-analysis.com"; fast_pattern; bsize:24; reference:url,github.com/XcodeGhostSource/XcodeGhost; classtype:command-and-control; sid:2021822; rev:3; metadata:created_at 2015_09_23, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Princess Ransomware Payment Domain (royal25fphqilqft in DNS Lookup)"; dns.query; content:"royal25fphqilqft"; nocase; endswith; classtype:trojan-activity; sid:2025404; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_02, deployment Perimeter, former_category MALWARE, malware_family Princess_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; urilen:6; http.method; content:"GET"; http.uri; content:"/check"; nocase; http.header; content:"User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|Host|3a 20|"; depth:47; fast_pattern; nocase; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue%3AWin32/FakeSpypro; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010597; classtype:trojan-activity; sid:2010597; rev:7; metadata:created_at 2010_07_30, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (politiaromana .bit in DNS Lookup)"; dns.query; content:"politiaromana.bit"; nocase; endswith; classtype:command-and-control; sid:2025405; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Data Exfil"; flow:established,to_server; urilen:>125; http.method; content:"POST"; http.uri; pcre:"/\.[a-z]{3,4}$/"; http.request_body; content:"name=|22|upload_file|22 3b 20|filename=|22|"; fast_pattern; content:".bin|22 0d 0a|"; distance:4; within:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021830; rev:4; metadata:created_at 2015_09_24, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (gdcb .bit in DNS Lookup)"; dns.query; content:"gdcb.bit"; nocase; endswith; classtype:command-and-control; sid:2025407; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XcodeGhost CnC M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|00 00 01|"; content:"|00 65 00 0a 95 3a 10 8a 09 25 4e d7 94 5e e9 70 59 e2 95 79|"; distance:1; within:20; classtype:command-and-control; sid:2021832; rev:3; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (malwarehunterteam .bit in DNS Lookup)"; dns.query; content:"malwarehunterteam.bit"; nocase; endswith; classtype:command-and-control; sid:2025406; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC POST"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021839; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; endswith; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:domain-c2; sid:2025433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_03_14, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Check"; flow:to_server,established; urilen:6; http.method; content:"POST"; http.uri; content:"/check"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021833; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Sofacy CnC Domain (ndpmedia24 .com in DNS Lookup)"; dns.query; content:"ndpmedia24.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency; classtype:targeted-activity; sid:2025434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category MALWARE, malware_family Sofacy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/i686?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021834; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns.query; content:"chlenaverasiskihe.sex"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mips?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021835; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ninjagames .top)"; dns.query; content:"ninjagames.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/armel?ver="; depth:11; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021836; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ajdhsfhiudsfhsi .top)"; dns.query; content:"ajdhsfhiudsfhsi.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture POST 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mipsel?ver="; depth:12; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021837; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".js"; endswith; http.user_agent; content:"curl/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025464; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Report POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/srv_report?ver="; depth:16; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2021838; rev:4; metadata:created_at 2015_09_25, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (ssl .arkouthrie .com)"; dns.query; content:"ssl.arkouthrie.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025466; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/NukeSped Variant CnC Domain (sctemarkets .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"sctemarkets.com"; bsize:15; reference:md5,7b07ed5338e6288b5cd510c38e2ab8ed; reference:url,twitter.com/ShadowChasing1/status/1267431137023979522; classtype:command-and-control; sid:2030235; rev:1; metadata:created_at 2020_06_01, former_category MALWARE, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (s3 .hiahornber .com)"; dns.query; content:"s3.hiahornber.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025467; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TURLA NETFLASH CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2018/.config/adobe"; bsize:19; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; reference:md5,2b35c299c96d17a1d4b09092b09bf692; reference:url,www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/; reference:url,twitter.com/DrunkBinary/status/1267453886912176130; classtype:command-and-control; sid:2030236; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (widget .shoreoa .com)"; dns.query; content:"widget.shoreoa.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025468; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higasia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/inter.php"; endswith; http.request_body; content:"&test="; content:"Windows IP Configuration"; distance:0; fast_pattern; content:"Connection-specific DNS Suffix"; distance:0; classtype:trojan-activity; sid:2030233; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, signature_severity Major, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&bit="; content:"&info=Windows|3a 20|"; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Style MalDoc .dot Download on freedynamicdns .org"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".dot"; endswith; pcre:"/\/[A-Za-z]{4,9}\.dot$/"; http.host; content:".freedynamicdns.org"; endswith; fast_pattern; reference:md5,2180fa8e767676a6802cf3d5d23ea6de; classtype:trojan-activity; sid:2030232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Task Status"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&taskId="; distance:0; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025471; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M1 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|sudo"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030237; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; http.stat_code; content:"404"; file.data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; endswith; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_10, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M2 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|wget"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030238; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .com in DNS Lookup)"; dns.query; content:"msoftupdates.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025542; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WordPress Plugin BBPress 2.5 - Unauthenticated Priv Esc Attempt (CVE-2020-13693)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user_login"; content:"user_pass"; distance:0; content:"|22|bbp_keymaster|22|"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/48534; reference:cve,2020-13693; classtype:attempted-admin; sid:2030239; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .eu in DNS Lookup)"; dns.query; content:"msoftupdates.eu"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_server; http.method; content:"PUT"; http.cookie; content:"vcloud_jwt="; startswith; http.request_body; content:"|3a|Host|3e 24 7b|"; content:".getDeclaredConstructors|28 29 5b|"; distance:0; fast_pattern; flowbits:set,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030240; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (mylogisoft .com in DNS Lookup)"; dns.query; content:"mylogisoft.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,from_server; http.stat_code; content:"400"; http.response_body; content:"<Error"; content:"has|20|invalid|20|length|20|for"; fast_pattern; flowbits:isset,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; classtype:attempted-admin; sid:2030241; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M1"; http.host; content:".bit"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert icmp $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Zephyr RTOS ICMPv4 Stack Buffer Overflow"; icode:0; dsize:>120; content:"|30 31 32 07 80|"; fast_pattern; content:"|00|"; endswith; reference:url,research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment/; classtype:bad-unknown; sid:2030242; rev:1; metadata:created_at 2020_06_02, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M2"; http.host; content:".coin"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector Sep 29 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/snitch?default|5f|keyword="; depth:24; fast_pattern; content:"&referrer="; distance:0; content:"&se_referrer="; distance:0; content:"&source="; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"ransomware.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M FSO object created|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021852; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"zonealarm.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A Successfully Installed CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"M STATE|3a 20|INSTALL|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021853; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"carder.bit"; endswith; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 3"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"unit_action="; depth:12; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8a1012e3afc6eabb7819ce4d8e2b93b; classtype:command-and-control; sid:2021854; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; classtype:targeted-activity; sid:2025557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT10, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading To EK Sep 30 2015"; flow:to_server,established; urilen:5; http.uri; content:"/052F"; classtype:exploit-kit; sid:2021870; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns.query; content:"y5mogzal2w25p6bn.ml"; endswith; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hola VPN Activity - X-Hola-* Headers"; flow:established,to_server; threshold:type limit,track by_src,seconds 300,count 1; http.header; content:"|0d 0a|X-Hola-"; classtype:policy-violation; sid:2021886; rev:3; metadata:created_at 2015_10_02, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending Machine Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"infobot"; depth:7; endswith; http.request_body; content:"|7b 22|bits|22 3a 20 22|"; depth:10; content:"|22|cpun|22 3a 20 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java/QRat Retrieving PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.header; content:"Host|3a 20|www.quaverse.com|0d 0a|"; depth:24; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ccdffdc551b36980b7cd04e33d5fb100; classtype:trojan-activity; sid:2021889; rev:3; metadata:created_at 2015_10_02, former_category TROJAN, malware_family QRat, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check.php"; endswith; fast_pattern; http.request_body; content:"m="; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/si"; http.header_names; content:!"Referer"; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:command-and-control; sid:2025580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; http.method; content:"OPTIONS"; classtype:bad-unknown; sid:2013929; rev:6; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header INetSim"; flow:established,from_server; http.content_type; content:"x-msdos-program"; file.data; content:"MZ|0a|Sinkholed|0a|"; depth:13; fast_pattern; endswith; classtype:trojan-activity; sid:2025585; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; http.method; content:"TRACE"; classtype:bad-unknown; sid:2013932; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031412; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, malware_family Formbook, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; http.method; content:"PUT"; classtype:bad-unknown; sid:2013930; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Donut Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.request_body; content:"pc_id="; depth:6; content:"pc_key="; distance:0; content:"win_ver="; fast_pattern; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; classtype:command-and-control; sid:2025595; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_19, deployment Perimeter, former_category MALWARE, malware_family Donut, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; http.method; content:"CONNECT"; classtype:bad-unknown; sid:2013933; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in DNS Lookup)"; dns.query; content:"debasuin.nl"; endswith; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025596; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"TRACE"; http.uri; content:".jsf"; nocase; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:4; metadata:created_at 2011_06_09, updated_at 2020_06_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in TLS SNI)"; flow:established,to_server; tls.sni; content:"debasuin.nl"; endswith; nocase; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025597; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/muBoT User-Agent (I'm a mu mu mu ?)"; flow:established,to_server; http.user_agent; content:"I|27|m a mu mu mu|20 3f|"; fast_pattern; startswith; reference:url,pastebin.com/EH1SH9aL; classtype:trojan-activity; sid:2021917; rev:3; metadata:created_at 2015_10_06, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in DNS Lookup)"; dns.query; content:"tpddata.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025599; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neshta.A Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|file|22 3b 20|filename=|22|Browser"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; nocase; reference:md5,e93e5af213707ef1888784fa1e709004; classtype:trojan-activity; sid:2021923; rev:4; metadata:created_at 2015_10_07, updated_at 2020_06_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"tpddata.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.jsp?e="; fast_pattern; depth:10; content:"&s="; distance:0; content:"&g="; distance:0; content:"&versionCode="; distance:0; content:"&osVersion="; distance:0; content:"&countryCode="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_10_08, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_06_02, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in DNS Lookup)"; dns.query; content:"www.anlway.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025601; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 120, track by_src; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|DynGate)"; fast_pattern; depth:43; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:12; metadata:created_at 2010_07_30, updated_at 2020_06_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.anlway.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025602; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear Multiple Router Auth Bypass"; flow:to_server,established; http.uri; content:"/BRS_netgear_success.html"; depth:25; nocase; fast_pattern; reference:url,www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html; classtype:attempted-admin; sid:2021944; rev:3; metadata:created_at 2015_10_12, former_category CURRENT_EVENTS, updated_at 2020_06_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in DNS Lookup)"; dns.query; content:"www.ap8898.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025603; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Potential Spyware Domain (app .hubstaff .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"app.hubstaff.com"; bsize:16; classtype:policy-violation; sid:2030248; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ap8898.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/xDrop Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"slave.php"; endswith; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE ("; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f154d5596ecb8f63de1e7319e31ad369; classtype:command-and-control; sid:2030243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in DNS Lookup)"; dns.query; content:"www.apshenyihl.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025605; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Kinsing Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kinsing"; endswith; fast_pattern; http.user_agent; content:"Wget/"; nocase; startswith; http.header_names; content:!"Referer"; reference:url,blog.redteam.pl/2020/06/kinsing-malware-liferay.html; classtype:trojan-activity; sid:2030244; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.apshenyihl.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Kinsing Payload Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kinsing2"; endswith; fast_pattern; http.user_agent; content:"Wget/"; nocase; startswith; http.header_names; content:!"Referer"; reference:url,blog.redteam.pl/2020/06/kinsing-malware-liferay.html; classtype:trojan-activity; sid:2030245; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php1"; endswith; fast_pattern; pcre:"/\/[0-9]{10}.php1$/"; http.user_agent; content:"Microsoft BITS/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_10;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Email Spoofing Tool Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Email Spoofer"; content:"id=|22|title|22|>Email Spoofer"; content:"id=|22|from|22 20|placeholder=|22 20|Email Spoofed"; content:"id=|22|name|22 20|placeholder=|22|Name Spoofed"; content:"var mailist = $(|22|#to|22|).val().split("; classtype:web-application-attack; sid:2030246; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_03, deployment Perimeter, signature_severity Critical, updated_at 2020_06_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Email Spoofing Tool Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Email Spoofer"; content:"id=|22|title|22|>Email Spoofer"; content:"id=|22|from|22 20|placeholder=|22 20|Email Spoofed"; content:"id=|22|name|22 20|placeholder=|22|Name Spoofed"; content:"var mailist = $(|22|#to|22|).val().split("; classtype:web-application-attack; sid:2030247; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_03, deployment Perimeter, signature_severity Major, updated_at 2020_06_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rostpay Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"Rostpay Downloader"; nocase; depth:18; endswith; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Qjwmonkey.H Variant CnC Activity M2"; flow:established,to_server; http.start; content:"POST /qy/g"; depth:10; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"js=|7b 22|appid|22 3a|"; startswith; fast_pattern; content:"|2c 22|avs|22 3a|"; distance:0; reference:md5,efa431afc414c52d0703392a19c9fa2e; classtype:pup-activity; sid:2030250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"www.cpuproc.com"; endswith; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:command-and-control; sid:2025891; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Web App Phish 2015-10-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"app=o365&"; nocase; depth:9; fast_pattern; content:"&name="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031731; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; urilen:<100; http.method; content:"POST"; http.request_body; content:"|81 b2 a8 97 7e a3 1b 91|"; depth:8; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:command-and-control; sid:2025923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Magento Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/magmi-importer/web/"; fast_pattern; content:"download_file.php?file="; distance:0; http.uri.raw; content:"|2e 2e 2f|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:3; metadata:created_at 2015_10_15, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 4"; dns.query; content:"euiro8966.organiccrap.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:!"pdf="; nocase; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021952; rev:3; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 3"; dns.query; content:"kted56erhg.dynssl.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:"pdf="; nocase; distance:0; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021953; rev:3; metadata:created_at 2015_10_15, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 2"; dns.query; content:"www.hosting.tempors.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StreamFlaw.A Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/6.0 (compatible|3b 20|MSIE 6.0"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,981672cd969fe8cb1f887d0526b1ecf2; classtype:command-and-control; sid:2020947; rev:4; metadata:created_at 2015_04_18, former_category MALWARE, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 1"; dns.query; content:"jennifer998.lookin.at"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; http.uri; content:"?"; content:"-"; fast_pattern; distance:0; pcre:"/(?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z]/i"; http.uri.raw; content:!"="; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:8; metadata:created_at 2012_05_04, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 5"; dns.query; content:"games.my-homeip.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod Downloading Payload 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/document.php?rnd="; depth:18; fast_pattern; content:"&id="; distance:0; pcre:"/^\/document\.php\?rnd=[0-9]{4}&id=[A-F0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/malware/js_nemucod.hqk; classtype:trojan-activity; sid:2021956; rev:4; metadata:created_at 2015_10_16, updated_at 2020_06_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker C2)"; flow:established,to_client; tls.cert_subject; content:"CN=uiaoduiiej.chimkent.su"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:domain-c2; sid:2025995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"arHandle="; nocase; fast_pattern; content:"method="; nocase; content:"btask="; nocase; pcre:"/btask\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/i"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:5; metadata:created_at 2012_07_07, updated_at 2020_06_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker Injects)"; flow:established,to_client; tls.cert_subject; content:"CN=urimchi3dt4.website"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:domain-c2; sid:2025996; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; http.uri; content:"/index.php?"; content:"="; distance:1; within:1; content:!"=aHR0"; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2030249; rev:7; metadata:created_at 2013_10_02, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in DNS Lookup)"; dns.query; content:"uiaoduiiej.chimkent.su"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; reference:cve,2015-7297; reference:cve,2015-7587; reference:cve,2015-7858; classtype:attempted-admin; sid:2021992; rev:3; metadata:created_at 2015_10_22, former_category WEB_SPECIFIC_APPS, updated_at 2020_06_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in TLS SNI)"; flow:established,to_server; tls.sni; content:"uiaoduiiej.chimkent.su"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"legalfirstname="; depth:15; nocase; content:"&legallastname="; nocase; distance:0; content:"&date_ob="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; classtype:credential-theft; sid:2031782; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in DNS Lookup)"; dns.query; content:"urimchi3dt4.website"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2025999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"cardNumber="; depth:11; nocase; content:"&date_ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&btn_card=Continue"; nocase; distance:0; classtype:credential-theft; sid:2031732; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"urimchi3dt4.website"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2026000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-28 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"bankname="; depth:9; nocase; content:"&accountid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&accounnumber="; nocase; distance:0; classtype:credential-theft; sid:2031733; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns.query; content:"bigboss.x24hr.com"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Cushion Redirection"; flow:established,to_server; http.uri; content:"/index.php?"; content:"="; distance:1; within:1; content:!"=aHR0"; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:7; metadata:created_at 2013_10_02, updated_at 2020_06_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns.query; content:"secured-links.org"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=consultane.com"; nocase; endswith; reference:md5,9b0af1d42eb9d1e7033a958d5a0870c8; classtype:domain-c2; sid:2030252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Payload Download Nov 11 2014"; flow:established,to_server; http.uri; content:"/bin.exe"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019696; rev:5; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check"; flow:established,to_server; http.request_line; content:"GET|20|/|20|HTTP/1.1"; bsize:14; http.header; content:"User-Agent|3a 20|WinInet|0d 0a|Host|3a 20|api.myip.com|0d 0a|"; bsize:41; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Avaddon, signature_severity Major, tag Ransomware, updated_at 2020_06_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.FakeEzQ.kr Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"MyAgent"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:command-and-control; sid:2026071; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Directory Traversal via HTTP Cookie (CVE-2020-9484)"; flow:established,to_server; http.cookie; content:"JSESSIONID=../"; startswith; fast_pattern; reference:url,github.com/masahiro331/CVE-2020-9484/blob/master/README.md; reference:cve,2020-9484; classtype:attempted-recon; sid:2030256; rev:1; metadata:affected_product Tomcat, attack_target Server, created_at 2020_06_05, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in DNS Lookup)"; dns.query; content:"www.megaopac.host"; endswith; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, deployment Perimeter, former_category TROJAN, malware_family Stealer, signature_severity Minor, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data 2"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:"/0"; content:"/0000"; distance:1; fast_pattern; pcre:"/\/0[0-2](?:\/[^\/]*?)?\/0000[a-fA-F0-9]{4}(?:\/[^\/]*?)?\/[a-fA-F0-9]{8}(?:\?\w+=[a-fA-F0-9]+)?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; classtype:trojan-activity; sid:2022016; rev:3; metadata:created_at 2015_11_02, updated_at 2020_06_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.megaopac.host"; endswith; nocase; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026073; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, former_category TROJAN, malware_family Stealer, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish Oct 30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"1="; depth:2; content:"&2="; nocase; distance:0; content:"Log+In=Log+In"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022017; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (defender-update .com)"; dns.query; content:"defender-update.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"name="; depth:5; content:"&adress1="; nocase; distance:0; content:"&phone="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022018; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (windowspatch .com)"; dns.query; content:"windowspatch.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"chldr="; depth:7; content:"&ccnum="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022019; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pser?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}(?:BBZ|BBY)[A-F0-9]{,1000}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026081; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?tag="; depth:16; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36"; bsize:112; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030254; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tahw?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blaze/Supreme Bot Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stat.php?info=SLADE"; fast_pattern; endswith; http.user_agent; content:"Wget/"; nocase; http.header_names; content:!"Referer"; reference:url,dfir.it/blog/2019/02/26/the-supreme-backdoor-factory; classtype:trojan-activity; sid:2030255; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_05;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/khc?"; depth:5; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Higaisa CnC (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"inter.php"; bsize:9; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"&test="; startswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/higaisa/; classtype:command-and-control; sid:2030265; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aura Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"{KIARA}"; depth:7; endswith; fast_pattern; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M1 (CVE-2020-0796)"; flow:established,to_server; content:"|41 8B 47 3C 4C 01 F8 8B 80 88 00 00 00 4C 01 F8 50|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030263; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=baways.com"; nocase; endswith; reference:url,riskiq.com/blog/labs/magecart-british-airways-breach; classtype:domain-c2; sid:2026110; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_11, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert smb any any -> $HOME_NET any (msg:"ET DELETED Possible Attempted SMB RCE Exploitation M2 (CVE-2020-0796)"; flow:established,to_server; content:"|FF C9 8B 34 8B 4C 01 FE|"; fast_pattern; reference:url,github.com/chompie1337/SMBGhost_RCE_PoC; reference:cve,2020-0796; classtype:attempted-admin; sid:2030264; rev:2; metadata:affected_product SMBv3, created_at 2020_06_08, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag SMBGhost, updated_at 2021_07_29;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil)"; flow:established,to_client; tls.cert_subject; content:"CN=info-stat.ws"; nocase; endswith; reference:url,bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script; classtype:domain-c2; sid:2026112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Malvertising Communication"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?rand_key="; fast_pattern; content:"&packagename="; distance:0; content:"&imei="; distance:0; content:"&login="; distance:0; http.user_agent; content:"|20|U|3b 20|Android|20|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/; reference:md5,c73cf82c0043463f8079d0540b2634e0; classtype:trojan-activity; sid:2030266; rev:1; metadata:attack_target Mobile_Client, created_at 2020_06_08, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=neweggstats.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-newegg; classtype:domain-c2; sid:2026215; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OZH Rat)"; flow:established,to_client; tls.cert_subject; content:"CN=www.ozhsec.com"; nocase; endswith; classtype:domain-c2; sid:2030257; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot Blockchain Based CnC DNS Lookup (musl .lib)"; dns.query; content:"musl.lib"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026323; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Archer C5 v4 (CVE-2019-7405)"; flow:established,to_server; http.uri; content:"/cgi/setPwd?pwd="; http.referer; bsize:14; content:"tplinkwifi.net"; fast_pattern; reference:cve,2019-7405; reference:url,securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/; classtype:attempted-admin; sid:2029181; rev:3; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2019_12_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (ukrainianhorseriding .com)"; dns.query; content:"ukrainianhorseriding.com"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026324; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:to_server,established; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; startswith; reference:url,blogs.securiteam.com/index.php/archives/3409; reference:cve,CVE-2017-18377; classtype:attempted-recon; sid:2024914; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (rippr .cc)"; dns.query; content:"rippr.cc"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026325; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276"; flow:to_server,established; urilen:19; http.method; content:"POST"; http.uri; content:"/ws/rest/v1/concept"; fast_pattern; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; reference:url,www.rapid7.com/db/modules/exploit/multi/http/openmrs_deserialization; reference:cve,2018-19276; classtype:attempted-admin; sid:2030258; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (censys .xyz)"; dns.query; content:"censys.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026326; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple Router RCE Routersploit"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view/IPV6/ipv6networktool/traceroute/ping.php?text_target="; depth:59; fast_pattern; content:"&text_pingcount="; distance:0; content:"&text_packetsize="; distance:0; content:"|7c|"; distance:0; reference:url,github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/netsys/multi_rce.py; classtype:attempted-admin; sid:2030259; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (leakingprivacy .tk)"; dns.query; content:"leakingprivacy.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026327; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/goform/mp"; fast_pattern; content:"command=%7C%7C+"; depth:15; reference:url,www.exploit-db.com/exploits/48318; classtype:attempted-admin; sid:2030260; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (realnewstime .xyz)"; dns.query; content:"realnewstime.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Technicolor TD5130.2 - Remote Command Execution"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/mnt_ping.cgi"; fast_pattern; http.request_body; content:"isSubmit=1&addrType=3&pingAddr=|3b|"; depth:32; reference:url,www.exploit-db.com/exploits/47651; classtype:attempted-admin; sid:2030261; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (scanaan .tk)"; dns.query; content:"scanaan.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026329; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Xfinity Gateway - Remote Code Execution"; flow:to_server,established; urilen:48; http.method; content:"POST"; http.uri; content:"/actionHandler/ajax_network_diagnostic_tools.php"; fast_pattern; http.request_body; content:"test_connectivity=true&destination_address=www.comcast.net|20 7c 7c 20|"; depth:62; reference:url,www.exploit-db.com/exploits/40856; classtype:attempted-admin; sid:2030262; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, signature_severity Major, updated_at 2020_06_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (blockbitcoin .com)"; dns.query; content:"blockbitcoin.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026330; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-11-03 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"FN="; depth:3; nocase; fast_pattern; content:"&LN="; nocase; distance:0; content:"&ST="; nocase; distance:0; content:"&AL="; nocase; distance:0; content:"&CT="; nocase; distance:0; content:"&SA="; nocase; distance:0; content:"&CN="; nocase; distance:0; content:"&Code="; nocase; distance:0; classtype:credential-theft; sid:2031734; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (vfk2k5s5tfjr27tz .tk)"; dns.query; content:"vfk2k5s5tfjr27tz.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-11-03 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"CC="; depth:3; nocase; fast_pattern; content:"&EM="; nocase; distance:0; content:"&EY="; nocase; distance:0; content:"&CV="; nocase; distance:0; content:"&SC="; nocase; distance:0; content:"&BD="; nocase; distance:0; content:"&SN="; nocase; distance:0; content:"&SO="; nocase; distance:0; classtype:credential-theft; sid:2031735; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (3g2upl4pq6kufc4m .tk)"; dns.query; content:"3g2upl4pq6kufc4m.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d$/i"; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VPNFilter htpx Module C2 Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; http.header_names; content:"Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:command-and-control; sid:2026429; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Silent Miner Changelog Checkin"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; startswith; file.data; content:"Changelog v"; depth:11; fast_pattern; content:"-Added startup folder"; distance:0; content:"-Changed AutoUpdate Mode"; distance:0; content:"|7c 7c|----------------"; distance:0; content:"-Fixed startup .exe without name bug"; distance:0; content:"-Changed files hosting"; distance:0; content:"- Added CPU Threads"; reference:md5,2d51e11a38b7fd448cd0b1d319915e44; classtype:command-and-control; sid:2022034; rev:3; metadata:created_at 2015_11_04, former_category MALWARE, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns.query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026432; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, signature_severity Major, tag APT37, tag Reaper, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh connectivity check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Host|3a 20|"; depth:6; content:"Content-Length|3a 20|0|0d 0a|"; distance:0; content:"|3a 20|no-cache"; distance:0; http.header_names; content:!"|0d 0a|User-Agent"; content:!"|0d 0a|Accept"; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:5; metadata:created_at 2012_05_18, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?MachineId="; content:"&InfoSo="; distance:0; content:"&Index="; distance:0; content:"&Account="; distance:0; content:"&List="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Host|20|Process|20|Update"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026431; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, performance_impact Low, signature_severity Major, tag APT37, tag ReaperGroup, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting EXE payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: !"&ncm="; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022037; rev:3; metadata:created_at 2015_11_05, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:domain-c2; sid:2026467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banker, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-11-02"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"POST"; http.uri; content:"redir.php"; nocase; http.request_body; content: "jndj="; fast_pattern; content: "&ncm="; distance:0; pcre:"/^[a-zA-Z]{4,}=0\.[0-9]{10,}&jndj=[a-zA-Z0-9]{4,}&ncm=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,f77e7cac3793136bcd1d77ec6a00d8e2; classtype:trojan-activity; sid:2022038; rev:3; metadata:created_at 2015_11_05, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowswsusonline.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:domain-c2; sid:2026468; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banker, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; http.uri; content:"/api/hook/decodeArguments"; nocase; content:"arguments="; nocase; content:"|7b|"; distance:0; content:"|3a|"; distance:0; content:"|3b|"; distance:0; content:"free_result"; nocase; distance:0; reference:url,blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html; classtype:attempted-admin; sid:2022039; rev:3; metadata:created_at 2015_11_05, former_category CURRENT_EVENTS, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (weekendstrips .net)"; dns.query; content:"weekendstrips.net"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Data Submitted to Weebly.com - Possible Phishing"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"weebly.net|0d 0a|"; fast_pattern; content:"X-W-DC|3a 20|"; http.content_type; content:"text/html"; startswith; file.data; content:"{|22|success|22 3a|true"; distance:0; content:"|22|action|22 3a 22|finished|22|"; distance:1; content:"Your information has been submitted"; nocase; distance:0; classtype:trojan-activity; sid:2031785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (shelves-design .com)"; dns.query; content:"shelves-design.com"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Weebly Phishing Landing Observed 2015-11-10"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"weebly.net|0d 0a|"; fast_pattern; content:"X-W-DC|3a 20|"; http.content_type; content:"text/html"; startswith; file.data; content:"form enctype=|22|multipart/form-data|22|"; nocase; content:"VERIFY YOUR ACCOUNT BELOW FOR NEW UPGRADE"; nocase; distance:0; content:"U$er Name"; nocase; distance:0; content:"PASSW0RD"; nocase; distance:0; content:"CONFIRM PASSW0RD"; nocase; distance:0; classtype:social-engineering; sid:2031786; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious XLS DDE rar Drop Fake 404 Response"; flow:established,to_client; flowbits:isset,ET.xls.dde.drop; http.stat_code; content:"200"; file.data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; endswith; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"000"; fast_pattern; pcre:"/^\/[a-f0-9]+000[a-f0-9]{37}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,0f41c853a2d522e326f2c30b4b951b04; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022074; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls.sni; content:"samwinchester.club"; endswith; nocase; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; http.host; content:"download.cloudsota.com"; startswith; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.uri; content:"/api/hazard/"; depth:12; fast_pattern; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026547; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Check"; flow:to_server,established; urilen:6; http.method; content:"GET"; http.uri; content:"/check"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022105; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"common|20|soon"; depth:11; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/i686?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022106; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"loub"; depth:4; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mips?ver="; depth:10; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022107; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; fast_pattern; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/armel?ver="; depth:11; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022108; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware Initial Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?check$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Architecture GET 4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mipsel?ver="; depth:12; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022109; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?servers"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?servers$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026542; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC Report GET"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/srv_report?ver="; depth:16; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022110; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE r0 CnC GET"; flow:to_server,established; urilen:13; http.method; content:"GET"; http.uri; content:"/r0/index.php"; fast_pattern; http.header; content:"Expect|3a 20|100-continue"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|36.0) Gecko/20100101 Firefox/36.0"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/; classtype:command-and-control; sid:2022111; rev:4; metadata:created_at 2015_11_17, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/red/info.php"; depth:13; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-17"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Keep-Alive|3a 20|timeout="; http.content_type; content:"text/html"; startswith; file.data; content:"To view document"; nocase; fast_pattern; content:"select your email provider"; nocase; distance:0; content:"select other email provider"; nocase; distance:0; content:"Sign In"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031787; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"EXIT|3b|"; depth:5; fast_pattern; endswith; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header; content:".in|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022119; rev:3; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; content:".DAT|22 3b 0d 0a|"; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:command-and-control; sid:2026559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category MALWARE, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nymaim.BA CnC M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"/"; offset:1; content:!"|2e|"; pcre:"/^\/[a-z0-9]+\?[a-z0-9]+(?:=[a-z0-9&=]+)?$/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:".pw|0d 0a|User-Agent|3a 20|"; fast_pattern; content:"Cache-Control|3a 20|no-cache"; content:"Pragma|3a 20|no-cache"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,3831e58cd22cc9bdf06f18f843cdfee9; reference:url,techhelplist.com/spam-list/974-intuit-browsers-update-malware; classtype:command-and-control; sid:2022120; rev:3; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?dns="; fast_pattern; pcre:"/^[a-f0-9]{8}$/Rs"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&ip="; content:"&os="; content:"&name="; content:"&ram="; content:"&cpu="; content:"&gpu="; content:"&av="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:command-and-control; sid:2022126; rev:2; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; fast_pattern; content:"&i="; distance:0; content:"&p="; distance:0; pcre:"/\.aspx\?m=[A-F0-9]{3,40}&i=[A-F0-9]{3,40}&p=[A-F0-9]{3,40}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; endswith; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/ja/2018/10/tscookie-1.html; classtype:command-and-control; sid:2026568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_01, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP CoinMiner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/\.php\?check=\d$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; classtype:coin-mining; sid:2022128; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_06_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/WellMess CnC Activity"; flow:established,to_server; content:"+++|0d 0a|"; fast_pattern; urilen:1; http.method; content:"POST"; http.cookie; content:"+++"; endswith; http.request_body; pcre:"/^(?:[\x3a\x2c\x2e]?[A-Za-z0-9]{1,8}[\x3a\x2c\x2e]?[\x3a\x2c\x2e]?\s*){50,}$/si"; http.header_names; content:!"Referer"; reference:md5,861879f402fe3080ab058c0c88536be4; reference:url,ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf; classtype:trojan-activity; sid:2030534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, malware_family WellMess, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Spartan/Nuclear EK Payload"; flow:established,from_server; http.server; content:"nginx"; startswith; http.header; content:"Accept-Ranges|3a 20|bytes|0d 0a|Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; fast_pattern; pcre:"/\x20filename=\r\n(?:\r\n)?$/"; http.content_type; content:"application/octet-stream"; startswith; classtype:exploit-kit; sid:2022135; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?anti="; content:"&cliname="; distance:0; fast_pattern; http.accept; content:"*/*"; endswith; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:targeted-activity; sid:2026575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SFR Phishing 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; distance:0; nocase; content:"&remember-me="; distance:0; nocase; content:"&identifier="; distance:0; nocase; classtype:credential-theft; sid:2031790; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; flowbits:set,ET.APT33CharmingKitten.1; http.method; content:"GET"; http.uri; content:"/images/static/content/"; depth:23; fast_pattern; endswith; http.header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Phishing Landing Uri 2015-11-25"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?usernms="; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/i"; classtype:social-engineering; sid:2022185; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns.query; content:"mynetwork.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026573; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 3"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?/12345"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,24203ba70f584b64a432fb6dad52765d; classtype:command-and-control; sid:2022186; rev:3; metadata:created_at 2015_11_25, former_category MALWARE, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns.query; content:"mypsh.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026574; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBKlip/ClipBanker.P Status Update"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; content:"Mozilla/5.0 (compatible MSIE 9.0 Windows NT 6.1 WOW64 Trident/5.0)"; bsize:66; http.request_body; content:"tekst="; depth:6; fast_pattern; pcre:"/^tekst=\w+$/i"; http.header_names; content:!"Accept-"; reference:md5,ef230777f5b34291ea22bfc3c591ce2d; classtype:trojan-activity; sid:2022192; rev:3; metadata:created_at 2015_11_30, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 12"; flow:established,to_server; urilen:<6; http.method; content:"POST"; http.uri; content:"/"; endswith; content:!"."; content:!"&"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; depth:2; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:command-and-control; sid:2026555; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family SmokeLoader, signature_severity Major, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; http.request_body; content:!"&date="; content:"code="; depth:5; content:"&submit="; distance:0; classtype:trojan-activity; sid:2017389; rev:7; metadata:created_at 2013_08_28, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArrobarLoader CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; fast_pattern; http.request_body; content:"0"; endswith; http.header_names; content:!"Referer"; content:!"Cache"; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:command-and-control; sid:2026528; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category MALWARE, malware_family ArrobarLoader, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Zmap User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; bsize:21; classtype:network-scan; sid:2030345; rev:3; metadata:created_at 2015_12_01, former_category SCAN, updated_at 2020_06_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magento.si-shell.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:4; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlinestatus.site"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline"; nocase; content:".exe"; content:"load/"; fast_pattern; file.data; content:"MZ"; depth:2; classtype:exploit-kit; sid:2014314; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_06, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=s3-us-west.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/AZZY Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; offset:1; http.header; content:"User-Agent|3a 20|MSIE|20|"; depth:17; fast_pattern; pcre:"/^User-Agent\x3a MSIE \d+\.\d+\r\n/i"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7c373c607c8724f8be461d61016ed272; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; reference:url,securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/; classtype:targeted-activity; sid:2019534; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=maxijs.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\.jpg(?:\?\d+)?$/"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:102; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022220; rev:3; metadata:created_at 2015_12_05, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=allacarts.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/"; depth:9; content:"servlet/"; http.request_body; content:"org.jboss.invocation.MarshalledValue"; http.content_type; content:"application/x-java-serialized-object|3b|"; endswith; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:3; metadata:created_at 2015_12_09, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=googiecloud.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026596; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/MayhemBruter Inbound Ping From CnC"; flow:established,to_server; http.uri; content:"/wp-content/plugins/"; content:"/libso"; distance:0; pcre:"/\/libso\d{1,4}\.php\?id=[a-zA-Z0-9]+$/"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:command-and-control; sid:2022224; rev:3; metadata:created_at 2015_12_07, former_category MALWARE, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=braintform.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026597; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&is_valid_email="; nocase; distance:0; classtype:credential-theft; sid:2031795; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlineshopsecurity.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026598; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2015-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"t1="; depth:3; nocase; content:"&login="; fast_pattern; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2031796; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magecreativetech.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026599; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"workrepair.bazar"; nocase; bsize:16; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030267; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=busnguard.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026600; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"realfish.bazar"; bsize:14; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030268; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cloud-privacy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026601; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"eventmoult.bazar"; bsize:16; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JunkMiner Downloader Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Microsoft Windows"; depth:17; fast_pattern; endswith; http.request_body; content:"&JSONQUERY="; depth:11; content:"&SHA1="; distance:0; content:"&SHA2="; distance:0; content:"&SHA3="; distance:0; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026608; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_14, deployment Perimeter, former_category MALWARE, malware_family JunkMiner, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (BazarLoader/Team9 Backdoor CnC Domain)"; dns.query; content:"zirabuo.bazar"; bsize:13; nocase; endswith; reference:url,blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family; classtype:domain-c2; sid:2030270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Mystery Baby syschk CnC Communication"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = -------- 1650502037"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/m/1963; classtype:command-and-control; sid:2026614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Observed Suspicious UA (Callstranger Vulnerability Checker)"; flow:established,to_server; http.user_agent; content:"Callstranger Vulnerability Checker"; bsize:34; reference:url,github.com/yunuscadirci/CallStranger; classtype:attempted-recon; sid:2030271; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category SCAN, signature_severity Informational, updated_at 2020_06_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Inject Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=opzioni.at"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; nocase; http.header; content:"CALLBACK|3a 20|"; fast_pattern; content:"NT|3a 20|"; reference:cve,2020-12695; reference:url,kb.cert.org/vuls/id/339275; classtype:attempted-recon; sid:2030272; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category SCAN, signature_severity Informational, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"scsnewstoday.com"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026611; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Sa0aS"; fast_pattern; classtype:attempted-admin; sid:2030273; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_09, deployment Perimeter, signature_severity Minor, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"thyssenkrupp-marinesystems.org"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026612; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Sa0aS"; fast_pattern; classtype:web-application-attack; sid:2030274; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_09, deployment Perimeter, signature_severity Major, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT29 Domain in DNS Lookup (pandorasong .com)"; dns.query; content:"pandorasong.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT29, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2015-12-01"; flow:to_server,established; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe?"; fast_pattern; nocase; pcre:"/\/[0-9]{2}\.exe\?[0-9]$/i"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; nocase; http.header; content:!"User-Agent|3a 20|BlueCoat"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,77290f994d05ad0add5768c9c040dc55; classtype:trojan-activity; sid:2022207; rev:6; metadata:created_at 2015_12_02, updated_at 2020_06_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hades APT Domain in DNS Lookup (findupdatems .com)"; dns.query; content:"findupdatems.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag HadesAPT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bookworm CnC Beacon"; flow:to_server,established; http.request_line; content:"GET /0"; startswith; fast_pattern; http.uri; pcre:"/^\/0[a-f0-9]{48}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,8ae2468d3f208d07fb47ebb1e0e297d7; reference:url,researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/; classtype:command-and-control; sid:2022073; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkGate CNC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ET.DarkGate.1; http.method; content:"POST"; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; endswith; fast_pattern; http.request_body; content:"id="; depth:3; content:"&data="; distance:0; content:"&action="; distance:0; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|log="; fast_pattern; content:"path="; pcre:"/path=[A-Z]\x3a\x5c[A-F0-9]+\r\nlog=/i"; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022244; rev:3; metadata:created_at 2015_12_12, former_category MALWARE, updated_at 2020_06_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; flowbits:isset,ET.DarkGate.1; http.stat_code; content:"200"; file.data; content:"getbotdata"; depth:10; fast_pattern; endswith; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"Pn="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; content:"&o="; content:"&av="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,07fd870e4ea8dd6b9503a956b5bb47f3; classtype:command-and-control; sid:2021919; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (akamai .la)"; dns.query; content:"akamai.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO possible .jpg download by VBA macro"; flow:established,to_server; flowbits:set,ET.vba-jpg-dl; flowbits:noalert; http.method; content:"GET"; http.uri; content:".jpg"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Range|3a 20|"; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022262; rev:4; metadata:created_at 2015_12_15, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (hardwarenet .cc)"; dns.query; content:"hardwarenet.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKBEN Ransomware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?btc="; nocase; fast_pattern; content:"&wid="; nocase; distance:0; content:"|3a|TWljcm9zb2Z0IFdpbmR"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,c952a88edc0766adf819b30cd2683ac7; classtype:trojan-activity; sid:2022283; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (awsamazon.cc)"; dns.query; content:"awsamazon.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; depth:1; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE"; startswith; http.request_body; content:"{|22|data|22 3A|"; depth:8; content:"|22|password old|22 3A|"; fast_pattern; distance:0; content:"|22|login|22 3A|"; content:"|22|type|22 3A|"; distance:0; content:"|22|login old|22 3A|"; distance:0; content:"|22|password|22 3A|"; distance:0; content:"|22|name|22 3A|"; distance:0; content:"|22|code|22 3A|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (battlenet .la)"; dns.query; content:"battlenet.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-06-10"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2030275; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"gazanew.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026621; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fastweb Fastgate 0.00.81 - Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/status.cgi?cmd="; content:"&act=nvset&service=usb_remove&mount="; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/47654; classtype:attempted-admin; sid:2030276; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcu.pw"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026622; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple DLink Routers Remote Code Execution CVE-2019-16920"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/apply_sec.cgi"; http.request_body; content:"html_response_page=login_pic.asp&action=ping_test&ping_ipaddr="; fast_pattern; reference:cve,2019-16920; reference:url,www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce; classtype:attempted-admin; sid:2030277; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"hostingcloud.science"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026623; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin-igd/netcore_set.cgi"; http.request_body; content:"mode_name=netcore_set&tools_type=2&tools_ip_url=|7c|+"; fast_pattern; content:"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"; distance:0; reference:cve,2019-19356; reference:url,www.exploit-db.com/exploits/48149; classtype:attempted-admin; sid:2030278; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, signature_severity Minor, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"mining711.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026624; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRat WebSocket Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?__sails_io_sdk_version"; http.header; content:"vInfo|3a 20|eyJtSWQiO"; fast_pattern; reference:md5,d10966c3a1d0b5694ee9ce0bb73401e2; classtype:command-and-control; sid:2030279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"src-ips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026625; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert tcp any any -> any 62522 (msg:"ET EXPLOIT Cisco AnyConnect Path Traversal Priv Esc (CVE-2020-3153)"; flow:established,to_server; content:"OCSC"; depth:4; content:"vpndownloader.exe"; distance:0; content:"|5c 2e 2e 2f|dbghelp.dll"; fast_pattern; distance:0; reference:url,ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal; reference:url,gist.github.com/ykoster/aeaa893d68adbc5004aa873b3290acd1; reference:cve,2020-3153; classtype:attempted-admin; sid:2030280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_10, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_06_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcip.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns any any -> $HOME_NET any (msg:"ET MALWARE Downloader Retrieving Malicious Powershell in DNS Response"; content:"|00 10 00 01|"; offset:2; content:"-match '@(.*)@'){$str +="; content:"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($matches[1]))}"; fast_pattern; reference:md5,968c50386bdc33286367ce8ee50d029b; reference:url,twitter.com/SBousseaden/status/1270992052055089158; classtype:trojan-activity; sid:2030315; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in TLS SNI"; flow:established,to_server; tls.sni; content:"srcip.com"; endswith; nocase; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026627; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.3.6 CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=C7K-kJipTS1A15X5"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html; classtype:command-and-control; sid:2030313; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026628; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SocGholish Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"public.clickstat360.com"; bsize:23; reference:url,decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions; classtype:trojan-activity; sid:2035896; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (cdn-ampproject .com)"; dns.query; content:"cdn-ampproject.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026645; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - CenturyLink Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|syn_login_form|22 20|method=|22|post|22 20|action=|22|check.php|22|>"; classtype:social-engineering; sid:2030281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (bootstraplink .com)"; dns.query; content:"bootstraplink.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026646; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|login-form|22 20|method=|22|post|22 20|autocomplete=|22|off|22 20|action=|22|mask.php|22 20|>"; classtype:social-engineering; sid:2030282; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (sskimresources .com)"; dns.query; content:"sskimresources.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026647; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic T.Goe Phishing Landing"; flow:established,to_client; file.data; content:"######...........####....####...######..........######..######...####...##...##."; fast_pattern; content:"..##............##......##..##..##................##....##......##..##..###.###"; distance:0; content:"##.###..##..##..####..............##....####....######..##.#.##"; distance:0; classtype:social-engineering; sid:2030283; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (widgets-wp .com)"; dns.query; content:"widgets-wp.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|log.php|22 20|id=|22|formcredentials|22 20|method=|22|post|22 20|class=|22 22|>"; classtype:social-engineering; sid:2030284; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv6"; nocase; endswith; tls.cert_serial; content:"E2:56:45:9F:06:BC:8C:B9"; classtype:domain-c2; sid:2026666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|id=|22|login-form|22 20|class=|22|adjacent|22 20|action=|22|post.php|22|>"; classtype:social-engineering; sid:2030285; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"B6:9B:45:06:EE:69:DE:58"; classtype:domain-c2; sid:2026667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"facebook"; nocase; content:"<form method=|22|post|22 20|action=|22|logs.php|22 20|class=|22|bd be|22 20|id=|22|login_form|22 20|novalidate=|22|1|22|>"; distance:0; classtype:social-engineering; sid:2030286; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"CB:E2:F0:46:19:AE:BE:40"; classtype:domain-c2; sid:2026668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"facebook"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|novalidate=|22|1|22 20|onsubmit=|22 22|>"; classtype:social-engineering; sid:2030287; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv4"; nocase; endswith; tls.cert_serial; content:"86:80:0E:21:37:91:42:A3"; classtype:domain-c2; sid:2026669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Webmail Mini Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"/login_files/"; nocase; content:"<form action=|22|login.php|22 20|method=|22|post|22 20|novalidate=|22|novalidate|22|>"; classtype:social-engineering; sid:2030288; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=amorenvena.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:domain-c2; sid:2026678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|logon.php?header=1&enroll=|22 20|method=|22|post|22 20|action=|22|log.php|22 20|id=|22|logon.php?header=1&enroll=|22 20|autocomplete=|22|off|22|>"; classtype:social-engineering; sid:2030289; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=andresocana.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:domain-c2; sid:2026679; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|challenge.php|22 20|id=|22|login-username-form|22 20|method=|22|post|22 20|class=|22|username-challenge|20 22|>"; classtype:social-engineering; sid:2030290; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSpionage Requesting Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Login?id=Fy"; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:targeted-activity; sid:2026681; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNSpionage, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Cox Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form class=|22|form|22 20|id=|22|consolidated-signin|22 20|name=|22|sign-in|22 20|action=|22|1.php|22 20|method=|22|post|22 20|enctype=|22|application/x-www-form-urlencoded|22|>"; classtype:social-engineering; sid:2030291; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".0ffice36o.com"; nocase; endswith; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:command-and-control; sid:2026557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Linkedin Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|myform|22 20|action=|22|mail.php|22 20|onsubmit=|22|return validateform()|22 20|method=|22|post|22|>"; classtype:social-engineering; sid:2030292; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"g-analytics.com"; nocase; depth:15; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026685; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|formcredentials|22 20|method=|22|post|22 20|action=|22|log.php|22 20|class=|22|suntrust-login-form ng-untouched ng-pristine ng-valid|22|>"; classtype:social-engineering; sid:2030293; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"jquery-js.com"; nocase; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026686; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Whatsapp/Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"whatsapp"; nocase; content:"<form action=|22|check.php|22 20|method=|22|post|22|>"; distance:0; classtype:social-engineering; sid:2030294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.ayar.biz"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026689; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - M&T Bank Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"M&amp|3b|T Bank"; nocase; content:"<form action=|22|email1.php|22 20|method=|22|post|22 20|id=|22|aspnetform|22|>"; distance:0; classtype:social-engineering; sid:2030295; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|data|22 20|action=|22|wapg2gapp.php|22 20|id=|22|login-username-form|22 20|method=|22|post|22 20|class=|22|username-challenge|20 22|>"; classtype:social-engineering; sid:2030296; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-message.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026691; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Paypal Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form for="; content:"xmarvelxdcxcomic"; distance:0; content:"|22 20|action=|22|1.php|22 20|method=|22|post|22 20|class=|22|"; distance:0; fast_pattern; content:"|22 20|name=|22|login|22|>"; classtype:social-engineering; sid:2030297; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-screenfonts.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Multibrand Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|send.php|22 20|method=|22|post|22 20|onclick=|22|check(this.form)|22 20|onsubmit=|22|check(this.form)|22|>"; classtype:social-engineering; sid:2030298; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"docsdriver.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form class=|22|_3jvtb|22 20|action=|22|login.php|22 20|method=|22|post|22|>"; classtype:social-engineering; sid:2030299; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"grsvps.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026694; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|1.php|22 20|class=|22|lggfrm|22 20|name=|22|regfrm|22 20|id=|22|regfrm|22 20|method=|22|post|22 20|autocomplete=|22|off|22|>"; classtype:social-engineering; sid:2030300; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"pqexport.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - VK Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|authorization|22 20|action=|22|check.php|22 20|method=|22|post|22|>"; content:"href=|22|https://new.vk.com/"; distance:0; classtype:social-engineering; sid:2030301; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"scaurri.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026696; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Possible Generic Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; classtype:social-engineering; sid:2030302; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"secozco.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026697; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|login-form|22 20|method=|22|post|22 20|autocomplete=|22|off|22 20|action=|22|jero.php|22|>"; classtype:social-engineering; sid:2030303; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.pw"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026698; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form class=|22|_3jvtb|22 20|method=|22|post|22 20|action=|22|./burner.php|22|>"; classtype:social-engineering; sid:2030304; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.us"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026699; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Netease Webmail Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<title>163"; content:"<form action=|22|waka-login.php|22 20|id=|22|lg-form|22 20|name=|22|lg-form|22 20|method=|22|post|22|>"; distance:0; classtype:social-engineering; sid:2030305; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"tempdomain8899.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Paypal Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<title>log in to your paypal"; content:"<form action=|22|login.php|22 20|method=|22|post|22 20|class=|22|proceed maskable|22 20|autocomplete=|22|off|22 20|name=|22|login|22|autocomplete=|22|off|22 20|novalidate>"; distance:0; classtype:social-engineering; sid:2030306; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"world-paper.net"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Microsoft Account Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|f1|22 20|id=|22|i0281|22 20|method=|22|post|22 20|action=|22|password.php|22|>"; classtype:social-engineering; sid:2030307; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"zwfaxi.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|name=|22|login_form|22 20|id=|22|login_form|22 20|action=|22|./skz.php|22 20|class=|22|pure-form pure-form-stacked mbr-login-form|22|>"; classtype:social-engineering; sid:2030308; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Group/More_Eggs CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=safesecurefiles.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:domain-c2; sid:2026703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT-N56U/RT-AC66U Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?current_page=Main_AdmStatus_Content.asp&next_page=Main_AdmStatus_Content.asp&next_host=&sid_list=FirewallConfig%3B&group_id=&modified=0&action_mode=+Refresh+&first_time=&action_script=&preferred_lang=EN&SystemCmd="; fast_pattern; content:"&action=Refresh"; distance:0; reference:url,www.ise.io/research/studies-and-papers/asus_rtn56u/; classtype:attempted-admin; sid:2030310; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursa Loader CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; http.request_body; pcre:"/^[a-z]{1,10}=[A-Z]+(?:&[a-z]{1,10}=[A-Z]+){2,}$/s"; http.request_line; content:"POST / HTTP/1.0"; depth:15; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:md5,d05af060e3e104dea638f17c4bceb5ac; classtype:command-and-control; sid:2026756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Ursa_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"&sns=sns&grant=1&guest_user_id=guid&timeout="; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018-13023; classtype:attempted-admin; sid:2030311; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_06_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=afgdhjkrm.pw"; nocase; endswith; reference:md5,603dc6ff2a0f28cdf7693050a62f2355; classtype:domain-c2; sid:2026769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi TV Integration Remote Code Execution CVE-2018???16130"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"/api/xqsmarthome/request_mitv?payload={"; distance:0; content:"$("; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018???16130; classtype:attempted-admin; sid:2030312; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID WebSocket Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?"; pcre:"/^[A-F0-9]{16}$/R"; http.header; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, malware_family IcedID, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/qsr_server/device/getThumbnail?sourceUri="; fast_pattern; content:"'&targetUri="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2030317; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2020_06_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MongoLock Variant CnC Domain (s .rapid7 .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.rapid7.xyz"; endswith; reference:md5,fa64390d7ffa4ee604dd944bbcf0bc09; classtype:command-and-control; sid:2026722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/Mist Stealer CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?alias="; fast_pattern; content:"&data="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(Connection\x0d\x0a)?\x0d\x0a$/R"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,5c7638d8247e6da38835daa8a63a0a60; classtype:trojan-activity; sid:2030316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Persistence Setup File"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushBatch"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=meflying.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030330; rev:1; metadata:attack_target Client_and_Server, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Main Payload"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushAgent"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026729; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>anaLTEAM"; nocase; fast_pattern; content:"name=|22|command|22 20|value=|22|Crotz|22|"; nocase; distance:0; content:"value=|22|Upload Bos"; nocase; distance:0; classtype:web-application-attack; sid:2030318; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon V3 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?selection="; http.user_agent; content:"Mozilla/13.0|20 28|MSIE|20|7.0|3b 20|Windows|20|NT|20|6.0|29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/; classtype:command-and-control; sid:2026730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, performance_impact Low, signature_severity Major, tag APT, tag Wiper, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>anaLTEAM"; nocase; fast_pattern; content:"name=|22|command|22 20|value=|22|Crotz|22|"; nocase; distance:0; content:"value=|22|Upload Bos"; nocase; distance:0; classtype:web-application-attack; sid:2030319; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=vesecase.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_18, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>b374k"; nocase; fast_pattern; content:"class='inputz' type='password"; nocase; distance:0; content:"class='inputzbut' type='submit'"; nocase; distance:0; classtype:web-application-attack; sid:2030320; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Domain (gandcrab .bit)"; dns.query; content:"gandcrab.bit"; nocase; endswith; reference:md5,023f078d5eb70bcbf4c5ad5b87df9710; classtype:trojan-activity; sid:2026737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_18, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>b374k"; nocase; fast_pattern; content:"class='inputz' type='password"; nocase; distance:0; content:"class='inputzbut' type='submit'"; nocase; distance:0; classtype:web-application-attack; sid:2030321; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.pointsoft.pw"; nocase; endswith; reference:md5,5b7244c47104f169b0840440cdede788; classtype:domain-c2; sid:2026771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_21, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title> By Gentoo"; nocase; fast_pattern; content:"<h2>Gentoo @ MyHack"; nocase; distance:0; content:"function ChMod(chdir, file) {var o = prompt('Chmod:"; nocase; distance:0; classtype:web-application-attack; sid:2030322; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 1"; dns.query; content:"flux2key.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title> By Gentoo"; nocase; fast_pattern; content:"<h2>Gentoo @ MyHack"; nocase; distance:0; content:"function ChMod(chdir, file) {var o = prompt('Chmod:"; nocase; distance:0; classtype:web-application-attack; sid:2030323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 2"; dns.query; content:"string2me.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026745; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form></pre>"; fast_pattern; classtype:web-application-attack; sid:2030324; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"project=%3C%230%3E"; depth:18; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026755; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form></pre>"; fast_pattern; classtype:web-application-attack; sid:2030325; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SedUploader)"; flow:established,to_client; tls.cert_subject; content:"CN=photopoststories.com"; nocase; endswith; classtype:domain-c2; sid:2026757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form|20 20 20|method=|20 22|post|22 20|action=|20 22 22|>|20|<input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value=|20 22|&gt|3b 22|/>"; fast_pattern; classtype:web-application-attack; sid:2030326; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Operation Cobra Venom Stage 1 DNS Lookup"; dns.query; content:"my-homework.890m.com"; nocase; fast_pattern; endswith; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form|20 20 20|method=|20 22|post|22 20|action=|20 22 22|>|20|<input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value=|20 22|&gt|3b 22|/>"; fast_pattern; classtype:web-application-attack; sid:2030327; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - CnC Checkin"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=a"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<h1>PAYLEETS - TESTER"; fast_pattern; nocase; content:">Check  Mailling ..</font>"; nocase; distance:0; content:"type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030328; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - File Decode Completed"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=e"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible D-Link Command Injection Attempt Inbound (CVE-2020-13782)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_ajax_explorer.sgi?action="; fast_pattern; content:"&path="; distance:0; content:"&where="; distance:0; content:"&en=|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/; reference:cve,2020-13782; classtype:attempted-admin; sid:2030335; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_06_15, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 1"; dns.query; content:"0ffice365.agency"; nocase; endswith; classtype:targeted-activity; sid:2026775; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5405)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%28_%29..%28_%29"; fast_pattern; reference:url,tanzu.vmware.com/security/cve-2020-5405; reference:cve,2020-5405; classtype:attempted-admin; sid:2030336; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 2"; dns.query; content:"0nedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026776; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5410)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%252F..%252F"; nocase; fast_pattern; reference:url,xz.aliyun.com/t/7877; reference:cve,2020-5410; classtype:attempted-admin; sid:2030337; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 3"; dns.query; content:"corewindows.agency"; nocase; endswith; classtype:targeted-activity; sid:2026777; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Centreon 20.04 Authenticated RCE (CVE-2020-12688)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/main.get.php?p="; content:"&command_id="; distance:0; content:"&command_name=../"; distance:0; fast_pattern; content:"|3b|&command_line="; distance:0; reference:url,github.com/TheCyberGeek/Centreon-20.04; reference:cve,2020-12688; classtype:attempted-admin; sid:2030338; rev:1; metadata:attack_target Web_Server, created_at 2020_06_15, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 4"; dns.query; content:"microsoftonline.agency"; nocase; endswith; classtype:targeted-activity; sid:2026778; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
 
-#alert tls any any -> $HTTP_SERVERS any (msg:"ET INFO GnuTLS Cryptographic Flaw Observed (CVE-2020-13777)"; flow:to_server,established; content:"|16|"; startswith; content:"|00 23|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:2; within:16; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; reference:url,corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/; classtype:attempted-recon; sid:2030340; rev:2; metadata:created_at 2020_06_15, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Significant, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 5"; dns.query; content:"onedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026779; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for Malicious .dat File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,660d1132888b2a2ff83b695e65452f87; classtype:trojan-activity; sid:2030334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 6"; dns.query; content:"sharepoint.agency"; nocase; endswith; classtype:targeted-activity; sid:2026780; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Koadic Header Structure"; flow:established,to_server; http.header; content:"|0d 0a|encoder|3a 20|"; content:"|0d 0a|shellchpc|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1afc93c8092b2c7e49a6d3a451629f; classtype:trojan-activity; sid:2030341; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_15, deployment Perimeter, former_category MALWARE, malware_family Koadic, signature_severity Major, updated_at 2020_06_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 7"; dns.query; content:"skydrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026781; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OceanLotus APT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=summerevent.webhop.net"; nocase; endswith; classtype:domain-c2; sid:2030343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 8"; dns.query; content:"0ffice365.life"; nocase; endswith; classtype:targeted-activity; sid:2026782; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/safebrowsing/rd/"; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"PREF=ID=U="; depth:10; fast_pattern; pcre:"/^[a-z0-9]{10,}$/Rsi"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 9"; dns.query; content:"0ffice365.services"; nocase; endswith; classtype:targeted-activity; sid:2026783; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRat WebSockets Request M2"; flow:established,to_server; http.start; content:"GET /socket.io/?__sails_io_sdk_version=1.2.1&__sails_io_sdk_platform=node&__sails_io_sdk_language=javascript&EIO=3&transport=websocket HTTP/1.1|0d 0a|Sec-WebSocket-Version|3a 20|13|0d 0a|Sec-WebSocket-Key|3a 20|"; startswith; fast_pattern; http.header; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate|3b 20|client_max_window_bits|0d 0a|"; http.header_names; content:"|0d 0a|Sec-WebSocket-Version|0d 0a|Sec-WebSocket-Key|0d 0a|Connection|0d 0a|Upgrade|0d 0a|"; startswith; content:"Sec-WebSocket-Extensions|0d 0a|Host|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2030346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 10"; dns.query; content:"skydrive.services"; nocase; endswith; classtype:targeted-activity; sid:2026784; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,>,16,11,relative,big; pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(?<![\xC2-\xDF]|[\xE0-\xEF]|[\xE0-\xEF][\x80-\xBF]|[\xF0-\xF4]|[\xF0-\xF4][\x80-\xBF]|[\xF0-\xF4][\x80-\xBF]{2})[\x80-\xBF]|(?<=[\xE0-\xEF])[\x80-\xBF](?![\x80-\xBF])|(?<=[\xF0-\xF4])[\x80-\xBF](?![\x80-\xBF]{2})|(?<=[\xF0-\xF4][\x80-\xBF])[\x80-\xBF](?![\x80-\xBF]))/R"; reference:url,devel0pment.de/?p=1881; reference:cve,2020-13160; classtype:attempted-user; sid:2030348; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 11"; dns.query; content:"akdns.live"; nocase; endswith; classtype:targeted-activity; sid:2026785; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ironhalo CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0(compatible|3b|MSIE 8.0|3b|Windows NT 6.1)"; fast_pattern; bsize:47; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html; classtype:command-and-control; sid:2022298; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 12"; dns.query; content:"akamaiedge.live"; nocase; endswith; classtype:targeted-activity; sid:2026786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M4"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"click?sid="; fast_pattern; content:"&cid="; distance:0; pcre:"/\?sid=[a-f0-9]{40}&cid=[0-9]$/"; http.header_names; content:"Referer|0d 0a|"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021251; rev:4; metadata:created_at 2015_06_11, former_category MALWARE, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 13"; dns.query; content:"akamaiedge.services"; nocase; endswith; classtype:targeted-activity; sid:2026787; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; http.host; content:"jackdojacksgot.ru"; startswith; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 14"; dns.query; content:"edgekey.live"; nocase; endswith; classtype:targeted-activity; sid:2026788; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ZoneAlarm Download Flowbit Set"; flow:established,to_server; http.uri; content:"pkg"; http.host; content:"zonealarm.com"; endswith; flowbits:set,ET.ZoneAlarm.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2022285; rev:3; metadata:created_at 2015_12_18, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 15"; dns.query; content:"akamaized.live"; nocase; endswith; classtype:targeted-activity; sid:2026789; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; flowbits:set,et.exploitkitlanding; http.header; content:!"smartsvn.com"; file.data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; classtype:exploit-kit; sid:2017181; rev:7; metadata:created_at 2013_07_24, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 16"; dns.query; content:"trafficmanager.live"; nocase; endswith; classtype:targeted-activity; sid:2026790; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT GET request CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022310; rev:3; metadata:created_at 2015_12_24, former_category MALWARE, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 17"; dns.query; content:"cloudfronts.services"; nocase; endswith; classtype:targeted-activity; sid:2026791; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT POST request CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022311; rev:3; metadata:created_at 2015_12_24, former_category MALWARE, updated_at 2020_06_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 18"; dns.query; content:"hotmai1.com"; nocase; endswith; classtype:targeted-activity; sid:2026792; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-24 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login_cmd="; nocase; depth:10; fast_pattern; content:"&login_params="; nocase; distance:0; content:"&racho"; nocase; distance:0; content:"&submit.x="; nocase; distance:0; classtype:credential-theft; sid:2031799; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 19"; dns.query; content:"microsoftonline.services"; nocase; endswith; classtype:targeted-activity; sid:2026793; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot download config - SET"; flow:established,to_server; flowbits:set,ET.zbot.dat; flowbits:noalert; http.method; content:"GET"; http.uri; content:".dat"; endswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer"; classtype:trojan-activity; sid:2022317; rev:3; metadata:created_at 2015_12_30, updated_at 2020_06_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 20"; dns.query; content:"nsatc.agency"; nocase; endswith; classtype:targeted-activity; sid:2026794; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptojoker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; content:"|3a 3a|"; distance:0; http.uri.raw; content:"|4f 4e 4c 25 35 43 6e|"; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.bleepingcomputer.com/news/security/the-cryptojoker-ransomware-is-nothing-to-laugh-about/; reference:md5,904b0888bfa02d200091fa8ad014d016; reference:md5,bca6c1fa9b9a8bf60eecbd91e08d1323; classtype:command-and-control; sid:2022333; rev:3; metadata:created_at 2016_01_06, former_category MALWARE, updated_at 2020_06_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 21"; dns.query; content:"phicdn.world"; nocase; endswith; classtype:targeted-activity; sid:2026795; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Sign In</title>"; nocase; fast_pattern; content:"value=|22|Account Summary|22|"; nocase; distance:0; content:"value=|22|Transfer|22|"; nocase; distance:0; content:"value=|22|Brokerage|22|"; nocase; distance:0; content:"value=|22|Trade|22|"; nocase; distance:0; content:"value=|22|MessageAlerts|22|"; nocase; distance:0; classtype:social-engineering; sid:2031956; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 22"; dns.query; content:"t-msedge.world"; nocase; endswith; classtype:targeted-activity; sid:2026796; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wells Fargo Phish Loading Page 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Please Wait</title>"; nocase; fast_pattern; content:"http-equiv="; distance:0; nocase; content:"Refresh"; nocase; distance:1; within:8; content:"Verifying Your Account"; nocase; distance:0; content:"Please wait"; nocase; distance:0; classtype:credential-theft; sid:2031957; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 23"; dns.query; content:"akadns.live"; nocase; endswith; classtype:targeted-activity; sid:2026797; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DustySky Payload Link Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&token1="; distance:0; content:"&token2="; distance:0; content:"&C="; distance:0; pcre:"/\/[A-Za-z]+\.php\?((?:id|token1|token2|C)=[A-Za-z0-9\/=+%]*={0,2}&?){4}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf; classtype:trojan-activity; sid:2022343; rev:3; metadata:created_at 2016_01_08, former_category MALWARE, updated_at 2020_06_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 24"; dns.query; content:"azureedge.today"; nocase; endswith; classtype:targeted-activity; sid:2026798; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invalid/Suspicious User-Agent (PHP)"; flow:to_server,established; http.user_agent; content:"PHP/5."; nocase; fast_pattern; startswith; pcre:"/^\{\d(?:\|\d){1,}\}\.\{\d(?:\|\d){1,}\}\{\d(?:\|\d){1,}\}/R"; classtype:web-application-attack; sid:2022350; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_06_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=memail.mea.com.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026800; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:command-and-control; sid:2022362; rev:3; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_06_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=webmail.finance.gov.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026801; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Successful Generic Phish (set) 2016-01-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031862; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.apc.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026802; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"GOVERNMENT SYSTEM IS FOR AUTHORIZED"; fast_pattern; content:"Use of this system constitutes"; nocase; distance:0; content:"Internal Revenue Service"; nocase; distance:0; content:"Electronic Filing PIN"; nocase; distance:0; content:"foreignPostalLbl"; nocase; distance:0; classtype:social-engineering; sid:2031958; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.mgov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026803; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Update Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"form action=|22|http|3a|//www.formbuddy.com"; nocase; distance:0; content:"Name|3a|"; nocase; distance:0; content:"E-Mail|3a|"; nocase; distance:0; content:"Password|3a|"; fast_pattern; nocase; distance:0; content:"Submit Form"; nocase; distance:0; classtype:social-engineering; sid:2031959; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=adpvpn.adpolice.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026804; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Zbot download config"; flow:established,from_server; flowbits:isset,ET.zbot.dat; http.stat_code; content:"200"; http.stat_msg; content:"OK"; http.content_type; content:"application/x-ns-proxy-autoconfig"; fast_pattern; startswith; file.data; pcre:"/^(?=[a-zA-Z]*?\d)(?=[a-z0-9]*?[A-Z])[a-zA-Z0-9+/]{30}/R"; classtype:trojan-activity; sid:2022318; rev:4; metadata:created_at 2015_12_30, updated_at 2020_06_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper RAT CnC Domain Observed in SNI"; flow:established,to_server; tls.sni; content:"arhidsfderm.pw"; endswith; nocase; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:command-and-control; sid:2026768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chrome Extension Phishing HTTP Request"; flow:to_server,established; http.host; content:"chrome-extension."; startswith; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022373; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hawad.000webhostapp.com"; endswith; reference:md5,5872fde3bf4b5a30a64837a35d1ec5fd; classtype:command-and-control; sid:2026799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family AwadBot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-01-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webscr?cmd=_"; nocase; fast_pattern; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"email="; nocase; content:"password="; nocase; distance:0; classtype:credential-theft; sid:2031960; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 25"; dns.query; content:"data-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026812; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-01-15 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webscr?cmd=_"; nocase; fast_pattern; content:"&account_card="; distance:0; nocase; content:"&session="; nocase; distance:0; http.header; content:"&account_address="; nocase; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"address_1="; nocase; depth:10; content:"&address_2="; nocase; distance:0; classtype:credential-theft; sid:2031961; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 26"; dns.query; content:"asimov-win-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026813; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-01-15 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Submit"; nocase; http.header; content:"/webscr?cmd=_"; nocase; content:"&account_card="; nocase; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"cc_holder="; nocase; depth:10; fast_pattern; content:"&cc_number="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; classtype:credential-theft; sid:2031962; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 27"; dns.query; content:"iecvlist-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026814; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Webeden.co.uk (set) 2016-01-22"; flow:to_server,established; urilen:1; flowbits:set,ET.webeden.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"webeden.co.uk"; endswith; fast_pattern; classtype:social-engineering; sid:2031963; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 28"; dns.query; content:"onecs-live.services"; nocase; endswith; classtype:targeted-activity; sid:2026815; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Initial Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?RIGHTS="; fast_pattern; nocase; content:"&WIN="; distance:0; nocase; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022402; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cryptor Ransomware CnC Domain (e3kok4ekzalzapsf .onion .ws in TLS SNI)"; flow:established,to_server; tls.sni; content:"e3kok4ekzalzapsf.onion.ws"; endswith; reference:md5,4b6f0113007cddea4ad31237add23786; classtype:command-and-control; sid:2026806; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family CryptorRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/7ev3n Ransomware Process Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?SSTART="; nocase; content:"&CRYPTED_DATA="; nocase; distance:0; fast_pattern; content:"&ID="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,9f8bc96c96d43ecb69f883388d228754; classtype:command-and-control; sid:2022403; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TrumpHead Ransomware CnC Domain (6bbsjnrzv2uvp7bp .onion .pet in TLS SNI)"; flow:established,to_server; tls.sni; content:"6bbsjnrzv2uvp7bp.onion.pet"; endswith; reference:md5,49fdb7e267c00249e736aad5258788d2; classtype:command-and-control; sid:2026807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family TrumpHeadRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LeChiffre Ransomware CnC"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sipvoice.php?"; depth:14; fast_pattern; content:"&session="; distance:0; http.header; content:"Keep-Alive|3a 20|300"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4523ccfd191dcceeae8e884f82f5c7ad; reference:url,blog.malwarebytes.org/intelligence/2016/01/draft-lechiffre-a-manually-run-ransomware/; classtype:command-and-control; sid:2022406; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency Phishing Landing 2016-01-25"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"DEBUT DE L|27|EN-TETE"; nocase; fast_pattern; content:"DU GABARIT NSI"; nocase; distance:0; content:"<title>Get Tax Refund"; nocase; distance:0; content:"Canada Revenue Agency"; nocase; distance:0; classtype:social-engineering; sid:2031965; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"bodyshoppechiropractic.com"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kaicone.A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Plug="; depth:5; fast_pattern; content:"Instituto="; distance:0; content:"&AV="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0dfaf7a70859ddb86296276dc20ce1ae; classtype:command-and-control; sid:2022407; rev:3; metadata:created_at 2016_01_26, former_category MALWARE, updated_at 2020_06_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERRATANKBA CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:domain-c2; sid:2026817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag Lazarus, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Safebrowse Profile) GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/safebrowsing/rd/"; fast_pattern; depth:17; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_lang; content:"en-US,en|3b|q=0.5"; bsize:14; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; bsize:264; content:"PREF=ID="; depth:8; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:70; content:!"Referer"; http.host; content:!"google.com"; endswith; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile; classtype:command-and-control; sid:2030347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:domain-c2; sid:2026819; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /softServer/req "; startswith; fast_pattern; http.request_body; content:"requestStr=%7B%22"; startswith; reference:md5,edadf30df18e6a7ea190041cf3bd4a0b; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=content-delivery.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:domain-c2; sid:2026820; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (DiplomatLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=dpi64x.easyllcwi.com"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2030351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_17, deployment Perimeter, signature_severity Major, updated_at 2020_06_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"cdn-content.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026821; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/start.html"; bsize:11; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8,application/signed-exchange|3b|v=b3"; fast_pattern; bsize:118; http.header_names; content:"Host|0d 0a|Upgrade-Insecure-Requests|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; reference:md5,851a4f13928a5edb3859a21a8041908e; classtype:trojan-activity; sid:2030356; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"deliveryjs.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026822; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.VrBrothers.AI Variant CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/SubmitUsageInfor "; startswith; fast_pattern; http.user_agent; bsize:24; content:"Mozilla/4.0 (compatible)"; http.request_body; content:"data="; startswith; reference:md5,b0e8fed85cf0ae29fe921508e9c60fb9; classtype:pup-activity; sid:2030353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"nolkbacteria.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026855; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DNS Tunneling Observed"; dns.query; content:".aaaaaaaaaaaa"; fast_pattern; pcre:"/^[abcdefghiklmnopqrstvxyz123456789]{62}\.aaaaaaaaaaaa/"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf; classtype:trojan-activity; sid:2030352; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, signature_severity Major, updated_at 2020_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"2searea0.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026856; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaDrug CnC Activity"; flow:established,to_server; http.request_line; content:"GET /client.config/?format=json&advert_key="; startswith; fast_pattern; http.uri; content:"&app="; content:"&oslang="; content:"&uid="; reference:md5,d739e41e0ba4f1d72f9283c6fcb2f761; classtype:pup-activity; sid:2030354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"touristsila1.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026857; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike Malleable C2 Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=time.updateeset.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature; classtype:domain-c2; sid:2030349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Donot Group/APT-C-35 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=.sessions4life.pw"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026859; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_28, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-06-18)"; flow:established,to_client; tls.cert_subject; content:"CN=armybar.hopto.org"; nocase; endswith; reference:md5,afbe00e755a2cf963f0eedbb4e310198; classtype:domain-c2; sid:2030350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=driverconnectsearch.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,2bd9a6ea29182f5ec6acafe032fbeaab; classtype:domain-c2; sid:2026861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_29, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SUPERAntiSpyware Install Checkin"; flow:established,to_server; http.uri; content:"&sEventData=tag:SUPERAntiSpyware.exe"; fast_pattern; http.user_agent; bsize:10; content:"SUPERSetup"; reference:md5,7f97a26e10500250b00e1f3c0240882a; classtype:pup-activity; sid:2030355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zepakab CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Seven DSert SHA2 CA"; nocase; endswith; tls.cert_issuer; content:"C=US, ST=Some-State, O=Seven Ltd, CN=Seven DSert SHA2 CA"; reference:url,blog.yoroi.company/research/sofacys-zepakab-downloader-spotted-in-the-wild/; classtype:domain-c2; sid:2026864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family Zekapab, malware_family Zepakab, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.accept; content:"text/html, application/xhtml+xml, */*"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; classtype:trojan-activity; sid:2022467; rev:3; metadata:created_at 2016_01_28, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=syn.browserstime.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Delete Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|delplugs|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022470; rev:3; metadata:created_at 2016_01_29, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.webhop.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CenterPOS Load Plugins"; flow:to_client,established; flowbits:isset,ET.centerpos; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|7c|loadplug|20|"; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:trojan-activity; sid:2022471; rev:3; metadata:created_at 2016_01_29, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=office.windown-update.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026871; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Navy Federal Credit Union Phishing Landing 2016-01-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Navy Federal Credit Union"; fast_pattern; nocase; content:"Armed Forces Loans"; nocase; distance:0; classtype:social-engineering; sid:2031966; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.homeip.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026872; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible POSHC2 Client CnC"; flowbits:set,ET.poshc2.powershellclient; flowbits: noalert; ja3.hash; content:"c12f54a3f91dc7bafd92cb59fe009a35"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030366; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, malware_family PoshC2, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=e.browsersyn.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026873; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible POSHC2 Server Response"; flowbits:isset,ET.poshc2.powershellclient; ja3s.hash; content:"ec74a5c51106f0419184d0dd08fb05bc"; reference:url,labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/; classtype:unknown; sid:2030367; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category JA3, malware_family PoshC2, performance_impact Low, signature_severity Major, updated_at 2020_06_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=word.webhop.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026874; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Agent.NSU CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/afu.php?zoneid="; startswith; fast_pattern; content:"&var="; isdataat:!2,relative; reference:md5,1924c8edcd59bd9540968305a3ed4988; classtype:command-and-control; sid:2030362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cortana.homelinux.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026875; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT CnC Checkin"; flow:established,to_server; dsize:<300; content:"ping|7c|STRRAT|7c|"; depth:12; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; classtype:command-and-control; sid:2030358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peppy/KeeOIL Google Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"google/dance"; depth:12; fast_pattern; endswith; http.host; content:"www.google.com"; depth:14; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026884; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category TROJAN, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, tag Connectivity_Check, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT Initial HTTP Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?lid="; fast_pattern; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; pcre:"/\.php\?lid=[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/"; http.header; content:"User-Agent|3a 20|Java/"; depth:17; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Pragma"; reference:md5,bef4a453c819a453c255569c368972ea; reference:url,gdatasoftware.com/blog/strrat-crimson; classtype:command-and-control; sid:2030359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CDC Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"NCDC-19-PoS"; depth:11; endswith; classtype:policy-violation; sid:2026893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_08, deployment Perimeter, former_category MALWARE, malware_family CDCRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE STRRAT Requesting License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:"/?hwid="; fast_pattern; content:"&lid="; distance:0; content:"&ht="; distance:0; http.header; content:"User-Agent|3a 20|Java/"; depth:17; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Pragma"; reference:md5,bef4a453c819a453c255569c368972ea; reference:url,gdatasoftware.com/blog/strrat-crimson; classtype:command-and-control; sid:2030360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, malware_family STRRAT, signature_severity Major, updated_at 2020_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/rpt"; pcre:"/\/rpt\d/"; http.user_agent; content:!"Mozilla"; depth:7; http.host; content:!".apple.com"; endswith; content:!".pandora.com"; endswith; content:!"microsoft.com"; endswith; reference:url,doc.emergingthreats.net/2008233; classtype:command-and-control; sid:2008233; rev:18; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTPCore CnC Task Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/req_"; content:".txt"; distance:32; within:4; endswith; http.user_agent; bsize:115; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"; reference:url,www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf; classtype:command-and-control; sid:2030363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE BrushaLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"traderserviceinfo.info"; endswith; classtype:command-and-control; sid:2026900; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTPCore CnC Task Response"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/resp_"; content:".txt"; distance:32; within:4; endswith; reference:url,www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf; classtype:command-and-control; sid:2030364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Astaroth User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|SLCC1)"; depth:57; endswith; reference:md5,589d2d33825a0329f61406f0af709469; reference:url,www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research; classtype:trojan-activity; sid:2026906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Astaroth, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTTPCore CnC Tasking File"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|89 50 4e 57 0d 0a 1a 0a 3c 3c 3c 3c|"; startswith; fast_pattern; reference:url,www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf; classtype:command-and-control; sid:2030365; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_06_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cayosin/Mirai CnC Domain in DNS Lookup"; dns.query; content:"hostnamepxssy.club"; nocase; endswith; reference:url,perchsecurity.com/perch-news/threat-report-sunday-february-3rd-2019/; classtype:command-and-control; sid:2026915; rev:3; metadata:created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Payload CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp"; endswith; fast_pattern; http.request_body; content:"F4"; offset:2; pcre:"/^[A-F0-9]{2}F4[A-F0-9]{2}0(?:1|2|3)[A-F0-9]{8}/"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; classtype:command-and-control; sid:2030377; rev:1; metadata:created_at 2020_06_22, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_06_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Punto Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/klog.php"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"text|2f|html|3b|q=0|2e|7|2c 20 2a 2f 2a 3b|q=1"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, malware_family Punto, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
 
-#alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11896/CVE-2020-11898 Fragments inside IP-in-IP tunnel"; ip_proto:4; fragbits:M; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030385; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FBot Downloader Generic GET for ARM Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fbot.arm"; depth:9; fast_pattern; content:".u"; endswith; pcre:"/^\/fbot\.arm\d{1}\.u$/i"; http.protocol; content:"HTTP/1.0"; reference:url,blog.netlab.360.com/the-new-developments-of-the-fbot-en/; classtype:trojan-activity; sid:2026951; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_21, deployment Perimeter, former_category TROJAN, malware_family Fbot, performance_impact Low, signature_severity Major, tag Downloader, tag DDoS, updated_at 2020_09_16;)
 
-#alert ipv6 any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11897 IPv6 deprecated RH Type 0 source routing attack"; decode-event:ipv6.rh_type_0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030386; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"cheapairlinediscount.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026953; rev:3; metadata:created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert ipv6 any any -> ff00::/8 any (msg:"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read";  reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030387; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"emailerservo.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026954; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-#alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"fazadminmessae.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026955; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11902 ICMPv4 parameter problem with tunnel inside"; itype:12; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030389; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"housecleaning.press"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026956; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery"; itype:3; icode:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030390; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"hrent.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026957; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-1191 anomalous ICMPv4 Address Mask Reply message (type 18, code 0)"; itype:18; icode:0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030391; rev:1; metadata:created_at 2020_06_22, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"irepare.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026958; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2020-06-22"; flow:established,to_client; file.data; content:"name=|22|chalbhai|22 20|id=|22|chalbhai|22 20|method=|22|get|22|"; fast_pattern; classtype:social-engineering; sid:2030372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"macmall.fun"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026959; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello, pee"; fast_pattern; classtype:attempted-admin; sid:2030373; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, signature_severity Minor, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"managerdriver.website"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026960; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello, pee"; fast_pattern; classtype:web-application-attack; sid:2030374; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mantorsagcoloms.club"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026961; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Meth/"; fast_pattern; classtype:attempted-admin; sid:2030375; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mediaaplayer.win"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026962; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Meth/"; fast_pattern; classtype:web-application-attack; sid:2030376; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mobileshoper.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026963; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CollectorStealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&cc="; distance:0; content:"&pc="; distance:0; http.header; content:"User-Agent|3a 20|uploader|0d 0a|"; fast_pattern; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,e929f02353d22d95523be4f8fbf794c4; classtype:command-and-control; sid:2030368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"ppservice.stream"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026964; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/CollectorStealer User-Agent M2"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XLCTX|0d 0a|"; classtype:trojan-activity; sid:2034321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"searchidriverip.space"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026965; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/CollectorStealer User-Agent M1"; flow:established,to_server; http.header; content:"User-Agent|3a 20|CLCTR|0d 0a|"; classtype:trojan-activity; sid:2034322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemai.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026966; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VikroStealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate?pc_name="; fast_pattern; content:"&ip="; content:"&city="; content:"&countryCode="; content:"&passwords="; content:"&hwid="; content:"&user_id="; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:command-and-control; sid:2030369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemaining.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026967; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VikroStealer Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getSettings?user_id="; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:command-and-control; sid:2030370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026968; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed VikroStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"vikrostealer-1.site"; bsize:19; reference:md5,15c587698be36a72f4015b2758442e3c; classtype:domain-c2; sid:2030371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmailer.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026969; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MASSLOGGER Client Data Exfil (POST)"; flow:established,to_server; content:".zip|22 0d 0a|Content-Type: application/zip|0d 0a 0d 0a|PK"; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"multipart/form-data|3b| boundary=---------------------"; depth:51; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22 3b 20|"; fast_pattern; content:"Log.txt"; content:"PK"; reference:md5,8a1ba030a3bcfde60ad2e067fec8b773; classtype:trojan-activity; sid:2030154; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailelit.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026970; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SluttyPutty isDebuggerPresent in Fake Putty Executable"; flow:established,to_client; file_data; content:"|4d 5a|"; depth:2; content:"https://www.chiark.greenend.org.uk/~sgtatham/putty/"; fast_pattern; content:"IsDebuggerPresent"; reference:md5,b0dd930c652d1b9350b7c8a29e798cd5; classtype:trojan-activity; sid:2030382; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerpro.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026971; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mokes CnC Keep-Alive"; flow:established,to_server; urilen:3; threshold: type both, count 9, seconds 60, track by_src; http.method; content:"GET"; http.uri; content:"/v1"; depth:3; fast_pattern; http.header; content:"Accept"; content:"User-Agent|3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/; classtype:command-and-control; sid:2022477; rev:3; metadata:created_at 2016_02_01, former_category MALWARE, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerprogres.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026972; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Webeden.co.uk M1 2016-01-22"; flow:to_client,established; flowbits:isset,ET.webeden.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2031964; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servespromail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026973; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Compromised Webserver Retriving Inject"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; pcre:"/^\/blog\/\?[a-z]+&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\x3a\d{1,5})?$/"; classtype:trojan-activity; sid:2022485; rev:3; metadata:created_at 2016_02_03, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servicemaile.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026974; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Download Request Containing Suspicious Filename - Crypted"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"crypted.exe"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ff823130efcdf8ab267cad92eb5b90d7; reference:md5,e953e6b3be506c5b8ca80fbcd79c065e; reference:md5,1e2fa2e401cd2295a03ba8d8d3d3698b; classtype:trojan-activity; sid:2022491; rev:3; metadata:created_at 2016_02_04, former_category MALWARE, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serviveemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026975; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fluxer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php?id="; fast_pattern; content:"&ver="; distance:0; content:"&m="; distance:0; pcre:"/&m=\d$/i"; http.user_agent; content:"Mozilla"; bsize:7; http.connection; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,648f432b41f3bcebc1a599f529055cf0; classtype:command-and-control; sid:2022492; rev:3; metadata:created_at 2016_02_05, former_category MALWARE, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servoemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026976; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed VikroStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tracksupporte.site"; bsize:18; reference:md5,851c42ec4709bd59d7610591fc38129a; classtype:domain-c2; sid:2030381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_23, deployment Perimeter, former_category MALWARE, malware_family VikroStealer, signature_severity Major, updated_at 2020_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servomail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026977; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Banload Downloading Executable"; flow:established,from_server; flowbits:isset,ET.autoit.ua; http.content_type; content:"image/"; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:md5,838ab7aacac590ea2e170888b2502a63; classtype:trojan-activity; sid:2019165; rev:4; metadata:created_at 2014_09_11, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"progresservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026978; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USPS Phishing Landing 2016-02-10"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>USPS.com|c2 ae 20|- Sign In</title>"; nocase; fast_pattern; content:"Create a USPS.com"; nocase; distance:0; classtype:social-engineering; sid:2031967; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026979; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; http.method; content:"POST"; nocase; http.uri; content:"/setSystemCommand"; nocase; http.request_body; content:"SystemCommand="; nocase; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:3; metadata:created_at 2016_02_13, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmailing.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026980; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.request_body; content:"redirect|3a|"; content:"{"; distance:0; pcre:"/\bredirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BabyShark CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fmchr.in"; endswith; reference:url,unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/; classtype:command-and-control; sid:2026981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_25, deployment Perimeter, former_category MALWARE, malware_family BabyShark, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.request_body; content:"redirectAction|3a|"; content:"{"; pcre:"/\bredirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"aroundtheworld123.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026983; rev:4; metadata:created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.request_body; content:"action|3a|"; content:"{"; distance:0; pcre:"/\baction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"frameworksupport.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GCman.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/s2.cgi"; depth:15; http.request_body; pcre:"/^[a-f0-9]{31}\x3B(?:[a-zA-Z0-9+/=]+)?\r?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8a18846e17244db9af90009ddab341ce; reference:url,securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/; classtype:command-and-control; sid:2022529; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dittm.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:domain-c2; sid:2026997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your e-mail account will be verify"; nocase; fast_pattern; content:"DO NOT RESEND"; nocase; distance:0; content:"MESSAGE IS FROM THE SYSTEM ADMIN"; nocase; distance:0; classtype:credential-theft; sid:2031968; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=google-analytics.is"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:domain-c2; sid:2026998; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Maps Phishing Landing 2016-02-17"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Google Maps"; nocase; fast_pattern; content:"ultrozoic_rotating_by_dragontunders"; nocase; distance:0; content:"Please enter your email"; nocase; distance:0; content:"Please enter your email password"; nocase; distance:0; classtype:social-engineering; sid:2031969; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=whoama.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2026999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript 2016-02-09"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv"; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; pcre:"/^\x22[0-9]+?[^\x22]/Rsi"; content:"url=data|3a|text/html,http"; fast_pattern; nocase; distance:0; pcre:"/^[^\x22]+<\s*?script\s*?.+data\x3atext/html\x3bbase64,/Rsi"; classtype:social-engineering; sid:2031970; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdnnote.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027000; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022533; rev:3; metadata:created_at 2016_02_17, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checkfreedom.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027001; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible OceanLotus C2 Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".db?k="; fast_pattern; content:"?q="; distance:0; pcre:"/\?q=[a-f0-9]{32}$/i"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.alienvault.com/open-threat-exchange/blog/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:command-and-control; sid:2022541; rev:3; metadata:created_at 2016_02_18, former_category MALWARE, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=connectionstatistics.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 1"; nocase; content:!"0"; within:1; pcre:"/^[^0-9]/R"; classtype:trojan-activity; sid:2015898; rev:5; metadata:created_at 2012_11_20, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conveeir.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Blockbuster User-Agent (Mozillar)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozillar"; depth:8; nocase; fast_pattern; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,www.operationblockbuster.com/resources/index.html; classtype:trojan-activity; sid:2022564; rev:4; metadata:created_at 2016_02_24, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryers.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027004; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely PadCrypt Locker PKG DL"; flow:established,to_server; http.uri; content:".pdcr"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b6d25a5629221041e857266b9188ea3b; classtype:trojan-activity; sid:2022568; rev:3; metadata:created_at 2016_02_26, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryflagonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027005; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2016-02-26"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"google-site-verification|22 20|content=|22|ixTkEWd_UcMhrL39nLaMLEq66o3Ecdwa-btSiATF0Uc"; content:"<title>USAA / Welcome to USAA"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2031971; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=crowlock.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027006; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-01 M3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Account Verification"; fast_pattern; nocase; content:"Your Apple ID"; nocase; distance:0; content:"Account Verification Complete"; nocase; distance:0; content:"restore your account"; nocase; distance:0; classtype:credential-theft; sid:2031972; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=i-checkme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2016-03-01 M2"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>iCloud"; fast_pattern; nocase; content:"Sign in"; nocase; distance:0; content:"Apple ID"; nocase; distance:0; content:"Activation"; nocase; distance:0; content:"Privacy Policy"; nocase; distance:0; classtype:social-engineering; sid:2031973; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magedefacto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027008; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2016-03-01 M3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".form input[type=email]"; nocase; content:".form input[type=password]"; nocase; distance:0; content:"Apple ID"; fast_pattern; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Sign In"; nocase; distance:0; classtype:social-engineering; sid:2031974; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mageenergy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027009; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-01 M5"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".form input[type=email]"; nocase; content:".form input[type=password]"; nocase; distance:0; content:"password are invalid"; fast_pattern; nocase; distance:0; content:"Apple ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Sign In"; nocase; distance:0; classtype:credential-theft; sid:2031975; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mnewage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex Base64 Executable"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>TVqQAA/Rsi"; classtype:trojan-activity; sid:2022595; rev:3; metadata:created_at 2016_03_05, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=my-that.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027011; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; http.uri; content:"/plugins/custom-content-type-manager/auto-update.php"; fast_pattern; nocase; reference:url,blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html; classtype:trojan-activity; sid:2022596; rev:4; metadata:created_at 2016_03_07, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=phatem.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Syndicasec.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cstype="; depth:7; content:"&authname="; distance:0; content:"&hostname="; distance:0; content:"&ostype="; distance:0; content:"&owner="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations; classtype:command-and-control; sid:2019831; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=s1all.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiveRAT CnC Activity"; flow:established,to_server; dsize:<300; content:"|7b 73 77 6f 72 64|"; offset:2; depth:6; fast_pattern; threshold:type both, count 10, seconds 60, track by_src; classtype:command-and-control; sid:2030383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_24, deployment Perimeter, former_category MALWARE, malware_family FirebirdRAT, signature_severity Major, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=scripteco.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027014; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse Request for .bmp"; flow:established,to_server; content:".bmp|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".bmp"; endswith; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache-"; content:!"Pragma"; content:!"Referer"; classtype:bad-unknown; sid:2030384; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_06_24, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_06_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=secureqbrowser.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027015; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Rovnix CnC Domain in DNS Query"; dns.query; content:"bamo.ocry.com"; nocase; endswith; classtype:domain-c2; sid:2030395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_06_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=security-mage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027016; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse Request for .pif"; flow:established,to_server; content:".pif|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".pif"; endswith; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache-"; content:!"Pragma"; content:!"Referer"; classtype:bad-unknown; sid:2030392; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_06_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sysproperties.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027017; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RHttpCtrl Backdoor CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ver="; startswith; content:"&id="; distance:0; content:"&random="; distance:0; content:"&hname="; distance:0; content:"&lanip="; distance:0; fast_pattern; content:"&os="; distance:0; reference:md5,ed09b0dba74bf68ec381031e2faf4448; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family APT30, performance_impact Low, signature_severity Critical, updated_at 2020_06_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=teflag.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027018; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RCtrl Backdoor CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infos/p"; bsize:8; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; reference:md5,373224fd766cb9b85e3d42d56d1702f3; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family APT30, performance_impact Low, signature_severity Critical, updated_at 2020_06_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=topstatshop.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027019; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE RCtrl Backdoor CnC Checkin M1"; flow:established,to_client; content:"Jo*Po*Hello"; offset:4; depth:11; fast_pattern; reference:md5,373224fd766cb9b85e3d42d56d1702f3; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030401; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Critical, updated_at 2020_06_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=usvalidly.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027020; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY COCCOC Browser (VN) Installed"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Coccoc Update/"; startswith; http.uri; content:"/service/update"; http.host; content:"browser.coccoc.com"; reference:md5,332d6a746c3107910df1345d887f99ee; classtype:not-suspicious; sid:2030402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_06_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=validlyglobal.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Hash - Possible Malware - Banking Phish"; ja3_hash; content:"10ee8d30a5d01c042afd7b2b205facc4"; reference:url,github.com/trisulnsm/trisul-scripts/blob/master/lua/frontend_scripts/reassembly/ja3/prints/ja3fingerprint.json; reference:url,www.malware-traffic-analysis.net; classtype:unknown; sid:2028362; rev:2; metadata:created_at 2019_09_10, former_category JA3, updated_at 2020_06_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=youlikedme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IndigoDrop/Cobalt Strike Download"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"XHhmY1x4ZThceDg5XHgwMFx4MDBceDAwXHg2MFx4ODlceGU1X"; depth:49; fast_pattern; isdataat:!5000,relative; reference:url,blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html; classtype:trojan-activity; sid:2030400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, signature_severity Major, updated_at 2020_06_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=zstatonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Lucy Server Phish"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"Server|3a 20|Lucy|0d 0a|"; fast_pattern; content:"/account|0d 0a|"; reference:url,lucysecurity.com/download/; classtype:credential-theft; sid:2030404; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup/Patchwork CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=car.drivethrough.top"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, tag APT_C_35, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wombat Phishing Test"; flow:established,to_client; file.data; content:"been phished!</title>"; fast_pattern; content:"<form action=|22|/training/acceptance"; distance:0; content:"name=|22|training_ack|22 20|type=|22|submit|22|>Acknowledge"; distance:0; content:"href=|22|https://www.wombatsecurity.com/"; distance:0; classtype:misc-activity; sid:2030405; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M1"; flow:established,to_server; http.user_agent; content:"Cayosin/2.0"; depth:11; fast_pattern; endswith; classtype:trojan-activity; sid:2026876; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING T-Mobile Phishing Landing"; flow:established,to_client; file.data; content:"src=|22|./T-Mobile QuikView_ Please Login_files/"; fast_pattern; content:"href=|22|./T-Mobile QuikView_ Please Login_files/"; distance:0; content:".php|22 20|method=|22|post|22|"; distance:0; classtype:social-engineering; sid:2030406; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M2"; flow:established,to_server; http.user_agent; content:"Cock/2.0"; depth:8; fast_pattern; endswith; classtype:trojan-activity; sid:2026877; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LumOffice Checkin"; flow:established,to_server; http.request_line; content:"POST /SMService001.asmx HTTP/1.1"; bsize:32; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/GetAccountConfig|22|"; http.request_body; content:"<soap:Body><GetAccountConfig "; fast_pattern; content:"<userID>"; distance:0; content:"</userID><password>"; distance:0; content:"</password><versionInfo>"; distance:0; content:"</versionInfo><platform>"; distance:0; content:"</onStart></GetAccountConfig>"; distance:0; reference:md5,084995c3cdee01147226542eb63de872; reference:url,lumoffice.com/; classtype:command-and-control; sid:2030407; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"|2f|"; depth:1; content:"--"; content:"|5c|"; content:"-service.html"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Python, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LumOffice Uploading Screenshot"; flow:established,to_server; http.request_line; content:"POST /SMService001.asx HTTP/1.1"; bsize:32; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/PushScreen|22|"; http.request_body; content:"<soap:Body><PushScreen "; content:"<accountID>"; content:"</accountID><activityID>"; content:"</activityID><time>"; content:"</time><screen>/9j/"; fast_pattern; reference:md5,084995c3cdee01147226542eb63de872; reference:url,lumoffice.com/; classtype:policy-violation; sid:2030408; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win10-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027054; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RezoStealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?ip="; content:"&user="; distance:0; content:"&localation="; distance:0; fast_pattern; content:"&windows="; distance:0; content:"&time="; distance:0; http.header_names; content:!"Referer"; reference:url,github.com/3xp0rt/RezoStealer/blob/master/FHwFvbCd/modules/SendToServer.cs; classtype:trojan-activity; sid:2030403; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category MALWARE, malware_family RezoStealer, signature_severity Major, updated_at 2020_06_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win7-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder CnC DNS Query"; dns.query; content:"cdn-load.net"; nocase; endswith; reference:url,s.tencent.com/research/report/659.html; classtype:command-and-control; sid:2027056; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Sidewinder, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Genome User-Agent (Http Down)"; flow:established,to_server; http.user_agent; content:"Http Down"; fast_pattern; startswith; reference:md5,479306863946029e545a4803b303d74c; classtype:trojan-activity; sid:2022654; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FIN6 StealerOne CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"contactlistsagregator.com"; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027058; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Fantasy Name Gen"; flow:established,to_server; http.host; content:"www.fantasynamegen.com"; fast_pattern; startswith; http.header_names; content:!"User-Agent"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022655; rev:3; metadata:created_at 2016_03_24, updated_at 2020_06_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN6 StealerOne CnC DNS Query"; dns.query; content:"akamaitechnologies.kz"; nocase; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/submit.php"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; http.user_agent; content:"User-Agent|3a|"; startswith; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022665; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getInfoAfterInstall"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; flowbits:set,ET.RIGEKExploit; http.uri; content:"/index.php?"; depth:11; content:"=l3S"; fast_pattern; offset:26; depth:4; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/"; http.header; content:"/?"; content:"=l3S"; classtype:exploit-kit; sid:2020721; rev:4; metadata:created_at 2015_03_21, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/applyingpoliciesrules"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via MyFreeSites.com (set) 2016-03-31"; flow:to_server,established; urilen:1; flowbits:set,ET.myfreesites.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"myfreesites.net"; fast_pattern; endswith; classtype:social-engineering; sid:2031976; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 JEShell CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=stream.playnetflix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027068; rev:3; metadata:affected_product Java, attack_target Client_and_Server, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family JEShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via MyFreeSites.com M2 2016-03-31"; flow:to_client,established; flowbits:isset,ET.myfreesites.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2031977; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|1|2f|0|2f|0"; endswith; pcre:"/^\/[A-F0-9]{30,60}\/1\/0\/0$/"; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".exe"; http.user_agent; content:"Microsoft BITS/7.5"; fast_pattern; bsize:18; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/(?:xyz|pw)$/"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:5; metadata:created_at 2016_03_30, former_category CURRENT_EVENTS, updated_at 2020_06_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Retadup Success Response from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|donnn|3a 3a|"; depth:9; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com M2 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2031979; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PirateMatryoshka CnC DNS Query"; dns.query; content:"mobilekey.pw"; nocase; endswith; reference:url,securelist.com/piratebay-malware/89740/; classtype:command-and-control; sid:2027080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Tripod.com Phish 2016-03-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".ajax?m="; content:"&type=Form"; distance:0; content:"&a=addResponse"; distance:0; http.header; content:".tripod.com/|0d 0a|"; http.request_body; content:"data%5Bresponse%5D"; depth:18; fast_pattern; content:"&data%5Bresponse%5D"; distance:0; content:"&data%5Bresponse%5D"; distance:0; pcre:"/=[A-Za-z0-9._+-]+%40[A-Za-z0-9.-]+\.[A-Za-z]{2,6}&data/"; classtype:credential-theft; sid:2031980; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ciscoupdt.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/ddb59d8cc93688bbf4925c7d27462b70e53225cb/; classtype:domain-c2; sid:2027082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com M1 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; fast_pattern; nocase; content:"mail"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2031978; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Dorv InfoStealer CnC DNS Query"; dns.query; content:"googleservice-info.ru"; nocase; endswith; reference:md5,888864c2ea27babf978d5feda40b3b2f; reference:url,twitter.com/wdsecurity/status/1105992405629583362; classtype:command-and-control; sid:2027088; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Win32_Dorv, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/data.ria?CfgType=get_homeCfg&file="; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:3; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=poladidlei.website"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/008d33ce2e5d3583d8ebb115f72b250975757018/; classtype:domain-c2; sid:2027086; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:3; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PlugX Common Header Struct"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a 20|61456|0d 0a|"; fast_pattern; http.user_agent; content:!"Dickson/"; depth:8; http.host; content:!".googleapis.com"; endswith; http.content_len; content:!"61456"; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:9; metadata:created_at 2014_03_06, former_category TROJAN, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 (traceroute)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:4; metadata:created_at 2016_04_05, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowHammer DNS Lookup"; dns.query; content:"asushotfix.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027109; rev:3; metadata:created_at 2019_03_25, former_category TROJAN, malware_family ShadowHammer, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OWA Phishing Landing 2016-04-04 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>WebMail"; fast_pattern; nocase; content:"@$_GET[|22|email"; nocase; content:"ldCookie(|27|username"; nocase; content:"Secure my account"; nocase; content:"This is a private computer"; nocase; distance:0; content:"By selecting this option"; nocase; distance:0; classtype:social-engineering; sid:2031981; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"simplexoj.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027111; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email System Manager Phishing Landing 2016-04-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"pixi_grey_blue.gif"; fast_pattern; nocase; content:"E-mail System Manager"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; classtype:social-engineering; sid:2031982; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"homeabcd.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PhishMe.com Phishing Exercise - Client Plugins"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/plugin_surveys"; fast_pattern; http.cookie; content:"_phishme.com_session_id="; classtype:trojan-activity; sid:2022729; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ShadowHammer CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asushotfix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,securelist.com/operation-shadowhammer/89992/; classtype:domain-c2; sid:2027116; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag ShadowHammer, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; http.header; content:"Cookie|3a 20|visited=TRUE"; http.header.raw; content:"Cookie|3a 20|mutex="; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:exploit-kit; sid:2014407; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JasperLoader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?b="; content:"&v="; distance:0; content:"&psver="; distance:0; fast_pattern; isdataat:!2,relative; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; classtype:command-and-control; sid:2027100; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ponmocup.A Checkin"; flow:to_server,established; urilen:10; http.method; content:"GET"; http.uri; content:"/space.php"; fast_pattern; http.header.raw; content:"Accept|3a 20|*/*|0d 0a|Cookie|3a|"; depth:25; content:"User-Agent|3a 20|"; distance:0; content:"Host|3a 20|"; distance:0; http.cookie; content:"uid="; depth:4; content:"|3b 20|VISITOR="; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:command-and-control; sid:2014660; rev:5; metadata:created_at 2012_05_01, former_category MALWARE, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kribat-A Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Command"; depth:7; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,78184ca66e1774598b96188f977f0687; classtype:trojan-activity; sid:2027024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Virus-Encoder Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submit=submit&id="; fast_pattern; content:"&guid="; content:"&pc="; content:"&mail="; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,57a69d5130d32da0a278c72137ca58ee; classtype:command-and-control; sid:2022737; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Request for Payload (TA505 Related)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".tmp"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.start; content:".tmp|20|HTTP/1."; fast_pattern; content:"|0d 0a|Host|3a 20|"; distance:1; within:8; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:25; classtype:trojan-activity; sid:2027143; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Quicktime User-Agent EOL With Known Bugs"; flow:established,to_server; threshold: type limit, count 1, seconds 600, track by_src; http.user_agent; content:"QuickTime"; content:"os=Windows NT"; fast_pattern; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA16-105A; classtype:policy-violation; sid:2022738; rev:4; metadata:created_at 2016_04_18, updated_at 2020_06_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&string="; depth:8; fast_pattern; pcre:"/^[A-F0-9]+$/R"; http.content_type; content:"|20|Charset=UTF-8"; endswith; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:command-and-control; sid:2027155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category MALWARE, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022342; rev:4; metadata:created_at 2016_01_08, updated_at 2020_06_30;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pedraz12ziniphoto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/16e06a88dbb10c75077780d4baed6d0b2733f985/; classtype:domain-c2; sid:2027157; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_05, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"this is UP"; depth:10; fast_pattern; content:"|00 00 00 00|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:command-and-control; sid:2022749; rev:3; metadata:created_at 2016_04_20, former_category MALWARE, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ga"; nocase; endswith; classtype:trojan-activity; sid:2027158; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Lyhr0x"; nocase; endswith; classtype:domain-c2; sid:2030409; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_06_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.gq"; nocase; endswith; classtype:trojan-activity; sid:2027159; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Predator Anti Ban CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; bsize:11; content:"TrinitySeal"; fast_pattern; http.request_body; content:"&programtoken="; content:"&session_id="; distance:0; content:"&session_salt="; distance:0; reference:md5,2423133b438fdc9ef479d73ca0364060; classtype:pup-activity; sid:2030410; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ml"; nocase; endswith; classtype:trojan-activity; sid:2027160; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.DOTHETUK CnC Activity"; flow:established,to_server; http.start; content:"GET /monitorpcsettings/settings.txt HTTP/1.1|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,381cbfba113423382b17f0bb18b9cee9; classtype:command-and-control; sid:2030411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.gq"; nocase; endswith; classtype:trojan-activity; sid:2027161; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (CODE)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.ml"; nocase; endswith; classtype:trojan-activity; sid:2027162; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:C5:5A:CC:01:BD:A7:5B:DA"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030412; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.cf"; nocase; endswith; classtype:trojan-activity; sid:2027163; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"app-system2-update.com"; endswith; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030413; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.ml"; nocase; endswith; classtype:trojan-activity; sid:2027164; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B7:E4:D1:83:71:78:B0:A9"; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030414; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.tk"; nocase; endswith; classtype:trojan-activity; sid:2027165; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"awe232-service-app.com"; endswith; reference:url,www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf; classtype:domain-c2; sid:2030415; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"paltyr.tk"; nocase; endswith; classtype:trojan-activity; sid:2027166; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"00:B9:03:54:FD:F4:FF:6D:68"; fast_pattern; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030416; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag StrongPity, updated_at 2020_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com)"; dns.query; content:"time-loss.dns05.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"upd-ncx4-server.com"; endswith; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030417; rev:1; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com)"; dns.query; content:"dji-msi.2waky.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027209; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Glupteba Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|25|"; content:"-rtmd-"; nocase; fast_pattern; content:".exe"; bsize:>50; http.header_names; content:!"Referer"; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; reference:md5,e39362df0a751289b6f65b3448ae38f4; classtype:trojan-activity; sid:2030435; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drivethrough .top)"; dns.query; content:"drivethrough.top"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Glupteba Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ru5555/"; content:"-fmld-0.exe"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; classtype:trojan-activity; sid:2030436; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drinkeatgood .space)"; dns.query; content:"drinkeatgood.space"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027218; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glupteba CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; nocase; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ip|22 3a 22|"; startswith; content:",|22|comment|22 3a 22|Opened "; fast_pattern; distance:0; content:"|22|,|22|status|22 3a|"; distance:0; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; reference:md5,ae353f4c6558996e3abc9c016dd86e2c; classtype:command-and-control; sid:2030437; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreDn/BLINDINGCAN Activity)"; flow:established,to_client; tls.cert_subject; content:"CN=www.curiofirenze.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucifer CnC Checkin"; flow:established,to_server; content:"INTOGC"; offset:105; depth:6; fast_pattern; content:"ID"; distance:6; within:2; reference:url,unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware; reference:md5,92c3cfee6768ed284310313aa17e0d26; classtype:command-and-control; sid:2030445; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=microsoftonline-secure-login.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027221; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".analytics-akadns.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.analytics-akadns\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030440; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (xsecuremail .com)"; dns.query; content:"xsecuremail.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027224; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".akamai-analytics.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.akamai-analytics\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030441; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (wipro365 .com)"; dns.query; content:"wipro365.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027225; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".akamai-information.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.akamai-information\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030442; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (microsoftonline-secure-login .com)"; dns.query; content:"microsoftonline-secure-login.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027226; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".akamai-technologies.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.akamai-technologies\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030443; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secure-message .online)"; dns.query; content:"secure-message.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027227; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlinaPOS Exfiltration via DNS"; dns.query; content:".sync-akamai.com"; nocase; endswith; pcre:"/^[A-Z0-9_-]+\.sync-akamai\.com$/i"; reference:url,blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/; classtype:command-and-control; sid:2030444; rev:1; metadata:created_at 2020_07_02, deployment Perimeter, former_category MALWARE, malware_family AlinaPOS, performance_impact Low, signature_severity Major, updated_at 2020_07_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypt-email .online)"; dns.query; content:"encrypt-email.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027228; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY go-external-ip library User-Agent"; flow:established,to_server; http.user_agent; content:"go-external-ip (github.com/glendc/go-external-ip)"; threshold: type limit, track by_src, count 1, seconds 5; reference:md5,f33271282bc9aadadf2eff4bc0bad8a4; classtype:external-ip-check; sid:2030468; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_07_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secured-mail .online)"; dns.query; content:"secured-mail.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027229; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"websitelistbuilder.com"; bsize:22; endswith; classtype:domain-c2; sid:2030448; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (internal-message .app)"; dns.query; content:"internal-message.app"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027230; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=websitelistbuilder.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030449; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypted-message .cloud)"; dns.query; content:"encrypted-message.cloud"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027231; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Predator the Thief Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Predator The Thief"; fast_pattern; nocase; content:"<form method=|22|POST|22 20|class=|22|sign-box|22|"; nocase; distance:0; content:"<input type=|22|text|22 20|class=|22|form-control|22 20|name=|22|login|22 20|value=|22 22 20|placeholder="; nocase; distance:0; content:"<input type=|22|password|22 20|class=|22|form-control|22 20|name=|22|password|22 20|placeholder="; nocase; distance:0; classtype:web-application-attack; sid:2030446; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, signature_severity Major, updated_at 2020_07_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealerNeko CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"country="; depth:8; content:"&cc="; content:"&autof="; content:"&cookies="; content:"&filezilla="; fast_pattern; content:"&passwords="; content:"&telegram="; content:"&wallet="; content:"winver="; content:"&pidgin="; http.header_names; content:!"Referer"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027239; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, malware_family StealerNeko, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Predator the Thief Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Predator The Thief"; fast_pattern; nocase; content:"<form method=|22|POST|22 20|class=|22|sign-box|22|"; nocase; distance:0; content:"<input type=|22|text|22 20|class=|22|form-control|22 20|name=|22|login|22 20|value=|22 22 20|placeholder="; nocase; distance:0; content:"<input type=|22|password|22 20|class=|22|form-control|22 20|name=|22|password|22 20|placeholder="; nocase; distance:0; classtype:web-application-attack; sid:2030447; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, signature_severity Critical, updated_at 2020_07_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"kuternull.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"traffichi.com"; bsize:13; endswith; classtype:domain-c2; sid:2030450; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"rimrun.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=traffichi.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030451; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SideWinder CnC Domain in DNS Lookup (cdn-in. net)"; dns.query; content:"cdn-in.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Sidewinder, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"cofeedback.com"; bsize:14; endswith; classtype:domain-c2; sid:2030452; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire POST M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2027283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cofeedback.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030453; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire GET M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2027284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"adsmarketart.com"; bsize:16; endswith; classtype:domain-c2; sid:2030454; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SideWinder CnC Domain in DNS Lookup (cdn-dl. cn)"; dns.query; content:"cdn-dl.cn"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Sidewinder, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=adsmarketart.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030455; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"data-backup.online"; nocase; endswith; classtype:command-and-control; sid:2027290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:to_server,established; tls.sni; content:"advancedanalysis.be"; bsize:19; endswith; classtype:domain-c2; sid:2030456; rev:1; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_07_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"fontsupdate.com"; nocase; endswith; classtype:command-and-control; sid:2027291; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=advancedanalysis.be"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2030457; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"akamaihub.stream"; nocase; endswith; classtype:command-and-control; sid:2027292; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=advertstv.com"; nocase; endswith; classtype:domain-c2; sid:2030458; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Novaloader Stage 2 VBS Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cabaco2.txt"; fast_pattern; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,www.zscaler.com/blogs/research/novaloader-yet-another-brazilian-banking-malware-family; reference:md5,4ef89349a52f9fcf9a139736e236217e; classtype:trojan-activity; sid:2027289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_29, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Novaloader, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=amazingdonutco.com"; nocase; endswith; classtype:domain-c2; sid:2030460; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:"coldfart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027280; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mwebsoft.com"; nocase; endswith; classtype:domain-c2; sid:2030462; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"mystrylust.pw"; nocase; endswith; classtype:command-and-control; sid:2027295; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=rostraffic.com"; nocase; endswith; classtype:domain-c2; sid:2030464; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Stage 2 CnC Domain in DNS Lookup"; dns.query; content:"new.listenmusic.pw"; nocase; endswith; classtype:command-and-control; sid:2027296; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=typiconsult.com"; nocase; endswith; classtype:domain-c2; sid:2030466; rev:1; metadata:attack_target Client_and_Server, created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup Stage 2 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=new.listenmusic.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027297; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CommandCam Download"; flow:established,to_client; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"CommandCam "; fast_pattern; reference:url,github.com/tedburke/CommandCam; classtype:policy-violation; sid:2030474; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_07_06;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mystrylust.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027298; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Masayki"; fast_pattern; classtype:attempted-admin; sid:2030470; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_06, deployment Perimeter, signature_severity Minor, updated_at 2020_07_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"houusha33.icu"; nocase; endswith; classtype:command-and-control; sid:2027304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Masayki"; fast_pattern; classtype:web-application-attack; sid:2030471; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"joisff333.icu"; nocase; endswith; classtype:command-and-control; sid:2027305; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?u="; content:"_"; distance:0; content:"&i="; distance:0; http.user_agent; content:"WinHTTP"; depth:7; endswith; http.request_body; content:"p=<br><mark>"; fast_pattern; depth:12; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"aasdkkkdsa3442.icu"; nocase; endswith; classtype:command-and-control; sid:2027306; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/echo.php?req="; fast_pattern; content:"&u="; distance:0; content:"_"; distance:0; http.user_agent; content:"Microsoft WinHttp"; depth:17; endswith; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"fjiisiis33.icu"; nocase; endswith; classtype:command-and-control; sid:2027307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Response"; flow:established,to_server; content:"|0d 0a 0d 0a|ci="; fast_pattern; http.method; content:"POST"; http.uri; content:"/rite.php"; http.user_agent; content:"WinHTTP"; depth:7; endswith; http.request_body; content:"ci="; depth:3; content:"&r="; distance:0; reference:md5,d22d9ce61e6aea72aa9a8a233530db43; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:trojan-activity; sid:2033402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_07_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"afsafasdarm.icu"; nocase; endswith; classtype:command-and-control; sid:2027308; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<h1>PAYLEETS - TESTER"; fast_pattern; nocase; content:">Check  Mailling ..</font>"; nocase; distance:0; content:"type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030329; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Critical, updated_at 2020_07_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"cdnavupdate.icu"; nocase; endswith; classtype:command-and-control; sid:2027309; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, signature_severity Major, updated_at 2020_07_06;)
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE AridViper CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"tatsumifoughtogre.club"; endswith; classtype:targeted-activity; sid:2027312; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_SNI, tag AridViper, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_06, deployment Perimeter, signature_severity Critical, updated_at 2020_07_06;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Krypton Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Client"; depth:6; endswith; http.request_body; content:"id="; depth:3; content:"&message="; distance:0; fast_pattern; reference:md5,825afad02d07063689b7b59e8cf46809; classtype:command-and-control; sid:2027313; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, deployment Perimeter, former_category MALWARE, malware_family Krypton, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zeromax Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=enibenny.space"; nocase; endswith; classtype:domain-c2; sid:2030475; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IcedID Fake Resume Server in DNS Lookup"; dns.query; content:"browse-resumes.com"; nocase; endswith; classtype:trojan-activity; sid:2027314; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, former_category TROJAN, malware_family IcedID, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat Initial CnC Activity"; flow:established,to_server; urilen:>100; http.request_line; content:"=c|20|HTTP/1.1"; endswith; fast_pattern; http.method; content:"GET"; http.uri; content:".php?"; content:"=c"; distance:32; within:2; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"Referer"; reference:md5,4467b54917f60b657e0c92df4296cbc1; classtype:command-and-control; sid:2029881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2020_07_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (ReactGet Group)"; dns.query; content:"ebitbr.com"; depth:10; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity"; flow:established,to_server; urilen:>100; http.method; content:"GET"; http.uri.raw; content:"=%3D"; fast_pattern; http.uri; content:".php?"; pcre:"/^\/[^\r\n]+\.php\?[a-f0-9]{32}(?:=(?:%3D|\x3d)*[A-Za-z0-9%\/]+&[a-f0-9]{32}){4,}=(?:%3D|\x3d)*[A-Za-z0-9%\/]+$/si"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; content:!"Referer"; content:!"Accept"; content:!"Cache"; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,4467b54917f60b657e0c92df4296cbc1; classtype:command-and-control; sid:2029897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2020_07_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ReactGet Group)"; flow:established,to_client; tls.cert_subject; content:"CN=ebitbr.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:domain-c2; sid:2027318; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_06, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (TaurusStealer CnC)"; flow:established,to_client; tls.cert_serial; content:"0E:7F:A1:8D:53:1A"; endswith; classtype:domain-c2; sid:2030476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Mirrorthief Group)"; dns.query; content:"cloudmetric-analytics.com"; depth:25; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027321; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Gaudox Checkin"; flow:to_server,established; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; fast_pattern; bsize:66; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:command-and-control; sid:2022505; rev:5; metadata:created_at 2016_02_12, former_category MALWARE, updated_at 2020_07_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Mirrortheif group)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudmetric-analytics.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:domain-c2; sid:2027322; rev:4; metadata:attack_target Client_and_Server, created_at 2019_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/al?"; depth:4; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022756; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%3D"; endswith; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,156e021f890dd6eb6f271c2ad9b0316e; classtype:command-and-control; sid:2035056; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT.Fwits CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?---"; pcre:"/\?---[A-Z]$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,24d76abbc0a10e4c977a28b33c879248; reference:url,baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html; classtype:targeted-activity; sid:2022757; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,*/*|3b|q=0.8"; depth:74; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,430,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:130; reference:md5,4ca520895d86beb6f8cab93639f26f50; classtype:command-and-control; sid:2035055; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackmoon/Banbra Configuration Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; http.header; content:"Accept|3a 20|*/*|0d 0d 0a|User-Agent"; fast_pattern; http.host; content:".qq.com"; endswith; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,bbcbd3dc203829c9cdbf7d1b057f0e79; classtype:trojan-activity; sid:2022759; rev:3; metadata:created_at 2016_04_25, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,bda5b754bb079eec4389a9f43d16c903; classtype:command-and-control; sid:2035058; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/tmUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018132; rev:5; metadata:created_at 2014_02_13, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,bda5b754bb079eec4389a9f43d16c903; classtype:command-and-control; sid:2035059; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/hndUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,exploit-db.com/exploits/31683/; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018155; rev:5; metadata:created_at 2014_02_19, updated_at 2020_07_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-analytics.com"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:domain-c2; sid:2027342; rev:5; metadata:attack_target Client_and_Server, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M1 2016-04-25"; flow:established,to_client; flowbits:isset,ET.wpphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your session has timed out"; fast_pattern; nocase; content:"sign in e-mail and continue"; nocase; distance:0; classtype:social-engineering; sid:2031983; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC Domain in DNS Lookup"; dns.query; content:"magento-analytics.com"; nocase; endswith; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:command-and-control; sid:2027343; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M2 2016-04-25"; flow:established,to_client; flowbits:isset,ET.wpphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; fast_pattern; nocase; content:"Confirm your identity"; distance:0; nocase; content:"account to view document"; distance:0; nocase; classtype:social-engineering; sid:2031984; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_07;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextd.at"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:domain-c2; sid:2027355; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Document Phish 2016-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php?login="; nocase; fast_pattern; pcre:"/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}$/"; http.header; content:".php?login="; nocase; http.request_body; content:"email="; depth:6; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2031985; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC in DNS Lookup"; dns.query; content:"jqueryextd.at"; nocase; endswith; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:command-and-control; sid:2027356; rev:3; metadata:created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Linux/Tsunami DOS User-Agent (x00_-gawa.sa.pilipinas.2015) INBOUND"; flow:to_server,established; http.user_agent; content:"x00_-gawa.sa.pilipinas.2015"; reference:url,vms.drweb.com/virus/?i=4656268; classtype:attempted-dos; sid:2022760; rev:3; metadata:created_at 2016_04_26, updated_at 2020_07_07;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech Plead CnC in DNS Lookup"; dns.query; content:"ssmailer.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.ssmailer\.com$/"; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:command-and-control; sid:2027362; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist Phish 2016-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"step=confirmation&rt="; depth:21; fast_pattern; content:"&rp="; distance:0; content:"&username="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031986; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; depth:3; endswith; http.start; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:command-and-control; sid:2022609; rev:5; metadata:created_at 2016_03_10, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS BLEXBot User-Agent"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 300; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|BLEXBot/"; fast_pattern; startswith; reference:url,webmeup.com/about.html; classtype:misc-activity; sid:2022775; rev:3; metadata:created_at 2016_05_02, former_category MALWARE, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in"; flow:established,to_server; urilen:<134; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:18; metadata:created_at 2014_05_05, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Magento Shoplift Exploit Inbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin/Cms_Wysiwyg/directive/index/"; http.request_body; content:"filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0w"; fast_pattern; depth:100; reference:url,blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html; reference:url,packetstormsecurity.com/files/133327/Magento-Add-Administrator-Account.html; classtype:web-application-attack; sid:2022776; rev:3; metadata:created_at 2016_05_03, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Check-in"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z]+\/)?$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; classtype:trojan-activity; sid:2019881; rev:6; metadata:created_at 2014_12_06, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku Initial C2 Checkin"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"uid={"; depth:5; fast_pattern; content:"&v="; distance:0; content:"&pi="; distance:0; content:",&if="; distance:0; reference:url,forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022788; rev:3; metadata:created_at 2016_05_04, former_category MALWARE, updated_at 2020_07_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT DNS Lookup (bulk .fun)"; dns.query; content:"bulk.fun"; nocase; endswith; classtype:targeted-activity; sid:2034146; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_05_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperKillerX Checkin Activity"; flow:established,to_server; dsize:20; content:"|1c 70 b6 f8 00 00 00 00 14 00 00 00|"; offset:4; depth:12; fast_pattern; reference:md5,081483cb25a69cd5b4de2368a4e67910; reference:md5,83b851067e1331a81e35b29c8a1ff151; classtype:command-and-control; sid:2030478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shade Ransomware Payment Domain in DNS Lookup"; dns.query; content:"cryptsen7f043rr6.onion"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/; classtype:trojan-activity; sid:2027379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category MALWARE, malware_family Shade, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperKillerX CnC Activity"; flow:established,to_server; dsize:312; content:"|1c 70 b6 f8 f5 01 00 00 38 01 00 00|"; offset:4; depth:12; fast_pattern; threshold: type limit, track by_src, count 1, seconds 120; reference:md5,081483cb25a69cd5b4de2368a4e67910; reference:md5,83b851067e1331a81e35b29c8a1ff151; classtype:command-and-control; sid:2030479; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_07;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware Sending Encrypted Filelist"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; http.request_body; content:"name=|22|uploadfile|22 3b 20|filename=|22|C|3a 5c|"; content:"|0d 0a|[ALL]|0d 0a|"; distance:0; content:"|0d 0a|[ALL_END]|0d 0a 0d 0a|[PRIORITY]|0d 0a|"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,e5293a4da4b67be6ff2893f88c8ef757; classtype:trojan-activity; sid:2024178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1"; flow:established,to_server; http.uri; content:"/tmui/login.jsp"; depth:15; fast_pattern; content:"|3b|"; distance:0; reference:cve,2020-5902; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_05, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Critical, updated_at 2020_07_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProtonBot Stealer Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"&clip=get"; distance:12; within:9; endswith; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027383; rev:3; metadata:created_at 2019_05_28, former_category TROJAN, malware_family ProtonBot, updated_at 2020_09_17;)
 
-alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2"; flow:established,to_server; http.uri; content:"/hsqldb"; depth:7; fast_pattern; content:"|3b|"; distance:0; reference:cve,2020-5902; reference:url,www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030483; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_08, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Critical, updated_at 2020_07_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".microsofts.org"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027385; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Dragon Raja Activity"; flow:established,to_server; http.uri; bsize:14; content:"/setup/dir.txt"; http.user_agent; bsize:16; content:"DragonRajaOrigin"; fast_pattern; reference:md5,33200121c71932220c67b9f3ccc57d60; classtype:misc-activity; sid:2030484; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Major, updated_at 2020_07_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".kaspresksy.com"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027386; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hakbit/Thanos Ransomware BMP Download"; flow:established,to_server; content:".bmp HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^\/help(?:me)?\.bmp$/"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:url,labs.sentinelone.com/thanos-ransomware-riplace-bootlocker-and-more-added-to-feature-set/; reference:md5,c78a9c6affbfbfabfc50fae515675c6a; reference:md5,acbf8739dce846472a7715c975dc8b40; classtype:trojan-activity; sid:2030485; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_08, deployment Perimeter, former_category MALWARE, malware_family hakbit, malware_family thanos, signature_severity Major, tag Ransomware, updated_at 2020_07_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".tencentchat.net"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=mslfiedjssfdes.com"; nocase; endswith; classtype:domain-c2; sid:2030486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_09, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (php)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"|0d 0a 0d 0a|php"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^php.{0,500}[\x80-\xff]/s"; http.header_names; content:!"Content-Type"; content:!"Referer"; content:!"Cookie:"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022901; rev:5; metadata:created_at 2016_06_15, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRAT Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myO?gId="; startswith; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept-"; reference:md5,f1638d4cd6286b69cb29d8002478d0c1; classtype:trojan-activity; sid:2030494; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SeaDuke CnC Beacon"; flow:established,to_server; content:"|0d 0a 0d 0a|Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/"; http.header_names; content:!"Accept"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:targeted-activity; sid:2021413; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FRAT Downloader Error Report POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/myOR?info=LoadFirstError"; startswith; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept-"; reference:md5,f1638d4cd6286b69cb29d8002478d0c1; classtype:trojan-activity; sid:2030495; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Content-Type\x3a[^\r\n]+\r\n)?(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; classtype:command-and-control; sid:2021418; rev:12; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Inbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030487; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_07_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Payload Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|29 20|A"; endswith; http.request_body; content:"filename=|22|"; content:"|3a 5c|Windows|5c|"; distance:1; within:10; pcre:"/^[A-F0-9]{8}_[A-F0-9]{8}\.sql/Ri"; content:"|00|.|00|i|00|n|00|k|00|"; distance:0; fast_pattern; http.request_line; content:".php|20|HTTP/1.0"; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027398; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, tag APT, tag DarkHotel, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Outbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030488; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"pwsmbx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027399; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)"; flow:established,to_server; dsize:5; content:"|33 66 99 01|"; depth:4; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030490; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2020_07_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"reuqest-userauth.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027400; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potentially Malicious .cab Inbound (CVE-2020-1300)"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MSCF"; startswith; content:"../../"; distance:0; fast_pattern; pcre:"/^[a-z0-9\-_\.\/]+\x00/Ri"; reference:url,www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files; classtype:attempted-admin; sid:2030493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_10, deployment Perimeter, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"vgmtx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027401; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/BASHLITE vbot Variant CnC"; flow:established,to_server; content:"ver|3a|1.500000|3a|null|3a|"; fast_pattern; reference:md5,65cc35e68e3834b1955115737ff3c55e; classtype:trojan-activity; sid:2030496; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"schooltillhungryprocess.com"; nocase; endswith; classtype:targeted-activity; sid:2027406; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (grab)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|grab|0d 0a|"; classtype:bad-unknown; sid:2030492; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"maylaytravelgroup.com"; nocase; endswith; classtype:targeted-activity; sid:2027407; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing M1 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:social-engineering; sid:2025677; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"reasonwithusefulpolicy.com"; nocase; endswith; classtype:targeted-activity; sid:2027408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing M2 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Email Upgrade</title>"; nocase; fast_pattern; content:"Confirm your account"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:social-engineering; sid:2025676; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"streetunderrelevantpeople.com"; nocase; endswith; classtype:targeted-activity; sid:2027409; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SQLi Attempt in User Agent (Outbound)"; flow:established,from_client; http.user_agent; content:"select"; nocase; fast_pattern; content:"from"; nocase; within:20; pcre:"/select[^\r\n]+from/i"; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022815; rev:3; metadata:created_at 2016_05_17, updated_at 2020_07_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"experiencewithweakkid.com"; nocase; endswith; classtype:targeted-activity; sid:2027410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ping.cgi?pingIpAddress="; fast_pattern; content:"|3b|"; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/; reference:cve,2020-10173; classtype:attempted-admin; sid:2030502; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_07_13, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_07_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"systembeforeniceparent.com"; nocase; endswith; classtype:targeted-activity; sid:2027411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DTStealer CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|ip="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ip="; depth:3; content:"&country="; distance:0; content:"&date="; distance:0; content:"&report="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,4ab065354c6156380645c905823cafde; classtype:trojan-activity; sid:2030497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_13, deployment Perimeter, former_category MALWARE, malware_family DTStealer, signature_severity Major, updated_at 2020_07_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Sending System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FiercePhish Password Prompt Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FiercePhish"; fast_pattern; content:"/fiercephish_logo.png|22 20|alt=|22|FiercePhish"; content:"placeholder=|22|Username|22|"; content:"<input type=|22|password|22|"; classtype:web-application-attack; sid:2030498; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Minor, updated_at 2020_07_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (BURAN)"; flow:established,to_server; http.user_agent; content:"BURAN"; depth:5; endswith; classtype:trojan-activity; sid:2027443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FiercePhish Password Prompt Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FiercePhish"; fast_pattern; content:"/fiercephish_logo.png|22 20|alt=|22|FiercePhish"; content:"placeholder=|22|Username|22|"; content:"<input type=|22|password|22|"; classtype:web-application-attack; sid:2030499; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Minor, updated_at 2020_07_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (GHOST)"; flow:established,to_server; http.user_agent; content:"GHOST"; depth:5; endswith; classtype:trojan-activity; sid:2027444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=|22|POST|22|>|0d 0a|"; content:"Password|3a 0d 0a|"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|auth|22 20|value=|22|"; distance:0; content:"<input type=|22|password|22 20|name=|22|password|22|>|0d 0a|"; distance:0; content:"<input type=|22|submit|22 20|value=|22|>>|22|>|0d 0a|"; fast_pattern; distance:0; classtype:web-application-attack; sid:2030500; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Major, updated_at 2020_07_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"GHOST"; depth:5; endswith; fast_pattern; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027445; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=|22|POST|22|>|0d 0a|"; content:"Password|3a 0d 0a|"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|auth|22 20|value=|22|"; distance:0; content:"<input type=|22|password|22 20|name=|22|password|22|>|0d 0a|"; distance:0; content:"<input type=|22|submit|22 20|value=|22|>>|22|>|0d 0a|"; fast_pattern; distance:0; classtype:web-application-attack; sid:2030501; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Major, updated_at 2020_07_13;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemerty-cdn-cloud.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027465; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (ps1)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; content:"orphic.ps1"; endswith; fast_pattern; reference:url,github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030516; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"cdn-amaznet.club"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027466; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supercharge Component Download (exe)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"quantumcore"; fast_pattern; pcre:"/(?:BrowsingHistoryView|WebBrowserPassView)\.exe$/Ri"; reference:url,github.com/quantumcore/test/blob/master/; classtype:trojan-activity; sid:2030517; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"reservecdn.pro"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027467; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to DuckDNS Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".duckdns."; fast_pattern; classtype:bad-unknown; sid:2031581; rev:1; metadata:created_at 2020_07_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"wsuswin10.us"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027468; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZoomInfo Contact Contributor Install"; flow:established,to_server; http.request_line; content:"GET /client/installopen?client_id={"; startswith; fast_pattern; content:"} HTTP/"; distance:36; within:7; reference:md5,b2e902c566dda9a77d9dfe1adfc9de59; reference:url,smallbiztrends.com/2010/05/zoominfo-provides-free-sales-prospecting-tool-to-small-businesses-and-entrepreneurs.html; classtype:command-and-control; sid:2030515; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemetry.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027469; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST to MEGA Userstorage"; flow:established,to_server; http.method; content:"POST"; http.host; content:".userstorage.mega.co.nz"; endswith; fast_pattern; classtype:policy-violation; sid:2030504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; http.cookie; content:"ci_session="; fast_pattern; file.data; content:"ok"; depth:2; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:5; metadata:created_at 2013_05_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to NOIP DynDNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/\/[a-z-_]{75,}\.php$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016809; rev:8; metadata:created_at 2013_05_02, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to NOIP DynDNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zberp receiving config via image file - SET"; flow:to_server,established; flowbits:set,ET.Zberp; flowbits:noalert; http.uri; content:".jpg"; endswith; http.request_line; content:".jpg HTTP/1."; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021381; rev:10; metadata:created_at 2015_07_06, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ww1-filecloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027472; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-imgcloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027473; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=font-assets.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027474; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2030510; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=wix-cloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027475; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Hostinger Domains"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; classtype:misc-activity; sid:2030511; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=js-cloudhost.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027476; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to Hostinger Domains"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; classtype:misc-activity; sid:2030512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREK"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,<=,255,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027479; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to .tk domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Protocol Discovery"; depth:35; endswith; http.host; content:".tk"; endswith; fast_pattern; classtype:misc-activity; sid:2030513; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC (Modified CAB)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREC"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,>=,256,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027480; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Malicious Document Request to .tk domain"; flow:to_server,established; http.user_agent; content:"Microsoft Office Existence Discovery"; depth:36; endswith; http.host; content:".tk"; endswith; fast_pattern; classtype:misc-activity; sid:2030514; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"nvidia-services.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027481; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citizenbank Phish 2016-05-24 M1"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"CSRF_TOKEN="; depth:11; content:"&initlogin="; distance:0; content:"&UserID="; distance:0; nocase; content:"&passs="; distance:0; fast_pattern; content:"&btnLogin="; distance:0; classtype:credential-theft; sid:2031987; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-css.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027482; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citizenbank Phish 2016-05-24 M2"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"&UserID=|25|3C|25|3Fphp+echo|25|28|25|24Username"; fast_pattern; content:"&email="; distance:0; content:"&epass="; distance:0; content:"&Q1="; distance:0; classtype:credential-theft; sid:2031988; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-airlinesolutions.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027483; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious File Download Post-Phishing 2016-05-25"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"howLongToWait"; fast_pattern; nocase; content:"urlOfDownloadContent"; nocase; distance:0; content:"triggerDownload"; nocase; distance:0; content:"urlOfRedirectLocation"; nocase; distance:0; content:"startRedirect"; nocase; distance:0; classtype:social-engineering; sid:2031990; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unfrocked.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2027485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-05-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"Processing.php?"; fast_pattern; nocase; http.request_body; content:"EM="; nocase; depth:3; content:"&PS="; nocase; distance:0; classtype:credential-theft; sid:2031991; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla Domain (vision2030 .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"vision2030.tk"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027501; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Joanap CnC Checkin"; flow:to_server,established; http.uri; content:".ico"; http.user_agent; content:"Mozillar"; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/incidents/73914/operation-blockbuster-revealed/; reference:url,operationblockbuster.com/resources/index.html; classtype:command-and-control; sid:2021730; rev:4; metadata:created_at 2015_08_31, former_category MALWARE, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla DNS Lookup (vision2030 .cf)"; dns.query; content:"vision2030.cf"; nocase; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027502; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 4 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/access.cgi"; fast_pattern; http.header; content:"www-form-urlencoded|0d 0a|"; content:"User-Agent|3a|"; http.request_body; pcre:"/[\x80-\xff]/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,53859b74ab0ed0e98065982462f4e575; classtype:command-and-control; sid:2022844; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/key?k="; depth:11; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; pcre:"/^[^\x20-\x7e\r\n]{2}$/R"; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:command-and-control; sid:2027497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Danabot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M1"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 22 7c|"; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022846; rev:3; metadata:created_at 2016_06_01, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"webdynamicname.com"; nocase; endswith; classtype:command-and-control; sid:2027498; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M2"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022847; rev:3; metadata:created_at 2016_06_01, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"obuhov2k.beget.tech"; nocase; endswith; classtype:command-and-control; sid:2027499; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Avast Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"is infected with"; nocase; content:"Your email will be shutdown"; fast_pattern; nocase; distance:0; content:"ForeColor"; distance:0; content:"It is finally here"; nocase; distance:0; content:"advised to run a total scan"; nocase; distance:0; classtype:social-engineering; sid:2031992; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot UA Observed"; flow:established,to_server; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:trojan-activity; sid:2027500; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Login Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Email-login"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"Powered By|3a|"; nocase; distance:0; content:"Sign in to your account"; nocase; distance:0; content:"Email address|3a|"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; classtype:social-engineering; sid:2031993; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Client Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.Ngioweb; flowbits:noalert; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:59.0|29 20|Gecko/20100101 Firefox/59.0"; endswith; http.start; content:"GET|20|/min.js?h=aWQ9"; depth:18; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027507; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?profile="; content:"&ddager="; distance:0; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4027e40dc474f595d46a59f2eaaa4e8d; classtype:command-and-control; sid:2028919; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_07_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious UA (Skuxray)"; flow:established,to_server; http.user_agent; content:"Skuxray"; depth:7; endswith; reference:md5,cc46f255297ef0366dd447bbcde841ac; classtype:bad-unknown; sid:2027505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category TROJAN, malware_family Skuxray, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Initial Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=new&username="; distance:0; content:"&computername="; distance:0; content:"&os="; distance:0; content:"&architecture="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:command-and-control; sid:2022862; rev:3; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2020_07_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HYDSEVEN VBS CnC Host Information Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Authorization|3a 20|SUQ6"; fast_pattern; http.accept; content:"*.*"; depth:3; endswith; reference:url,www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html; reference:url,www.lac.co.jp/lacwatch/pdf/20190619_cecreport_sp.pdf; classtype:command-and-control; sid:2027515; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Version Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=noupdate&ver="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:command-and-control; sid:2022863; rev:3; metadata:created_at 2016_06_06, former_category MALWARE, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT CnC Domain in DNS Lookup"; dns.query; content:"sessions4life.pw"; nocase; endswith; classtype:targeted-activity; sid:2027564; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Sending Status Logs"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=statuslog&log="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022864; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"adfs-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027567; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Software Update Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"=update&username="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022865; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"b2bmerchant.online"; nocase; endswith; classtype:command-and-control; sid:2027568; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Reporting Error Code"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"&log=GetLastError"; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022866; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"bhnetwork.online"; nocase; endswith; classtype:command-and-control; sid:2027569; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Successful Software Update Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"&log=CheckedForUpdate"; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022867; rev:3; metadata:created_at 2016_06_06, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cert-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027570; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS Sending Keystrokes"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"key&log=TWND"; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022871; rev:3; metadata:created_at 2016_06_07, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn-client.com"; nocase; endswith; classtype:command-and-control; sid:2027571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FastPOS RAM Scraper Sending Details"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cdosys.php?"; fast_pattern; content:"add&log="; distance:0; content:"&foundin="; distance:0; reference:url,documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf; classtype:trojan-activity; sid:2022872; rev:3; metadata:created_at 2016_06_07, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn.online"; nocase; endswith; classtype:command-and-control; sid:2027572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Criptobit/Mobef Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a="; pcre:"/\.php\?a=\d{5,10}.+\x3a\d\x3a\d\x3a\d\.\d\x3a\d$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) Edge/13.10586"; fast_pattern; bsize:55; reference:md5,c90a8039f330ba6660a91113f6c53685; classtype:command-and-control; sid:2022845; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"corporate-ciscovpn.com"; nocase; endswith; classtype:command-and-control; sid:2027573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor/CryptON Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"=8ACEFC"; offset:1; depth:7; fast_pattern; pcre:"/=8ACEFC[0-9A-F]{150,}$/"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,5ee28035c56c048580c64b67ec4f2124; classtype:command-and-control; sid:2022875; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ducacorp.com"; nocase; endswith; classtype:command-and-control; sid:2027574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DrSpam Phishing Landing 2016-06-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"drspam_form"; nocase; fast_pattern; content:"drspam_mail"; nocase; distance:0; content:"drspam_pass"; nocase; distance:0; content:"haxor"; nocase; distance:0; classtype:social-engineering; sid:2031994; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"efaxmakeronline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DrSpam Phishing Landing CSS 2016-06-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"input.drspam"; nocase; fast_pattern; content:"select.drspam"; nocase; distance:0; content:"input.haxor"; nocase; distance:0; content:".boody"; nocase; distance:0; content:".contens"; nocase; distance:0; classtype:social-engineering; sid:2031995; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Quasar CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Quasar Server CA"; nocase; fast_pattern; endswith; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/f87d2aff4148f98f014460ab709c77587ea1e430/; classtype:domain-c2; sid:2027619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DrSpam Phish 2016-06-08 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"drspam_mail="; nocase; depth:12; fast_pattern; content:"&drspam_pass="; nocase; distance:0; classtype:credential-theft; sid:2031996; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=tupeska.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DrSpam Phish 2016-06-08 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"drspam_name="; nocase; depth:12; fast_pattern; content:"&drspam_dob"; nocase; distance:0; content:"&drspam_adrs"; nocase; distance:0; content:"&drspam_acc"; nocase; distance:0; classtype:credential-theft; sid:2031997; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"backupnet.ddns.net"; nocase; endswith; classtype:targeted-activity; sid:2027622; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qarallax RAT Downloading Modules"; flow:to_server,established; http.method; content:"GET"; http.host; content:"qarallax.com"; endswith; fast_pattern; http.user_agent; content:"Java/"; startswith; reference:md5,cf178c55c0572d8fea89137c62afdc98; reference:url,labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/; classtype:trojan-activity; sid:2022881; rev:3; metadata:created_at 2016_06_08, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hyperservice.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027623; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; http.uri; content:".exe"; http.host; content:"a.pomf.cat"; fast_pattern; bsize:10; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:3; metadata:created_at 2016_06_09, former_category CURRENT_EVENTS, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mynetwork.cf"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027624; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-06-09 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; nocase; fast_pattern; content:"&reason="; nocase; distance:0; content:"&portal="; nocase; distance:0; content:"&dltoken"; nocase; distance:0; http.header; content:".php?LOB="; http.request_body; content:"user="; nocase; depth:5; content:"&pass="; nocase; classtype:credential-theft; sid:2032016; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mywinnetwork.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027625; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-06-09 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; nocase; fast_pattern; content:"&reason="; nocase; distance:0; content:"&portal="; nocase; distance:0; content:"&dltoken"; nocase; distance:0; http.header; content:".php?LOB="; http.request_body; content:"acct1="; nocase; depth:6; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032017; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remote-server.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027626; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bolek HTTP Checkin"; flow: to_server,established; http.method; content:"GET"; http.uri; pcre:"/\?[a-f0-9]{32}$/i"; http.user_agent; content:"Client 1.2"; fast_pattern; bsize:10; reference:md5,e89ff40a8832cd27d2aae48ff7cd67d2; reference:url,malware-traffic-analysis.net/2016/06/09/index2.html; classtype:command-and-control; sid:2022889; rev:3; metadata:created_at 2016_06_10, former_category MALWARE, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remserver.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027627; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"ps0="; depth:4; fast_pattern; content:"&ps1="; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:command-and-control; sid:2017371; rev:12; metadata:created_at 2013_05_16, former_category MALWARE, updated_at 2020_07_14;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"securityupdated.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027628; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Validate/valsrv"; bsize:16; fast_pattern; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030526; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"servhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027629; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EvilNum CnC Checkin Response"; flow:established,to_client; http.response_body; content:"youwillnotfindthisanywhare"; bsize:<50; fast_pattern; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030527; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"service-avant.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getid"; bsize:15; fast_pattern; http.request_body; content:"action="; startswith; content:"&computer_name="; distance:0; content:"&username="; distance:0; content:"&version="; distance:0; content:"&cli="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030528; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"srvhost.servehttp.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027631; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getcommand"; bsize:20; fast_pattern; http.request_body; content:"action="; startswith; content:"&uid="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030529; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"fucksaudi.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027632; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Client Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/getid"; bsize:15; fast_pattern; http.request_body; content:"action="; startswith; content:"&uid="; distance:0; content:"&antivirus="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030530; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"googlechromehost.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027633; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EvilNum CnC Error Report"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Validate/"; startswith; http.request_body; content:"action=error&uid="; startswith; fast_pattern; content:"&data="; distance:0; reference:md5,0823457bcb82afff15c900f949e325f4; reference:url,www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/; classtype:command-and-control; sid:2030531; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"younesadams.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027634; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ma Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2030518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category INFO, performance_impact Significant, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"teamnj.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027635; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ma Domain 2020-07-15"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ma"; endswith; fast_pattern; classtype:credential-theft; sid:2030519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"bistbotsproxies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp any any -> any 53 (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M1"; flow:established,to_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030524; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hellocookies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027637; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp any 53 -> any any (msg:"ET INFO Possible NOP Sled Observed in Large DNS over TCP Packet M2"; flow:established,from_server; dsize:>1200; content:"|90 90 90 90 90 90 90 90|"; fast_pattern; classtype:attempted-admin; sid:2030525; rev:1; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"n3tc4t.hopto.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Banker.DH Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 6.1|3b 20|ru|3b 20|rv|3a|1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)"; fast_pattern; bsize:104; http.request_body; content:"id="; depth:3; nocase; http.content_type; content:"application/x-www-form-urlencoded"; startswith; reference:md5,39519ff5bddd6d0eee032232349fe0a6; classtype:command-and-control; sid:2022811; rev:4; metadata:created_at 2016_05_17, former_category MALWARE, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"newhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027639; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypren/Zcrypt Ransomware Checkin"; flow:established,to_server; http.uri; content:".php?computerid="; pcre:"/\.php\?computerid=[a-fA-F0-9]{32}&(?:public|private)=\d$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7efb738c2b04aacdd3354d590cb3df47; classtype:command-and-control; sid:2022897; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"njrat12.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/RAA Ransomware check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"|20|- RAA"; fast_pattern; http.header; content:"WinHttp.WinHttpRequest"; reference:md5,535494aa6ce3ccef7346b548da5061a9; classtype:trojan-activity; sid:2022899; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"svcexplores.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027641; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"id="; nocase; depth:3; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031568; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"trojan1117.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027642; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031566; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_12_25, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"update-sec.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Termination Phishing Landing 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Protect"; nocase; distance:0; fast_pattern; content:"TERMINATION REQUEST"; nocase; distance:0; content:"Enter Your Email"; nocase; distance:0; content:"Disable Your Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2032018; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"windowsx.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027644; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Phishing Landing 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title> Webmail|20 3a 3a|"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"account from virus threats"; nocase; distance:0; content:"Secured by Webmail Security Systems"; nocase; distance:0; classtype:social-engineering; sid:2032019; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"wwwgooglecom.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027645; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wildblue/CenturyLink Phish 2015-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&source="; nocase; distance:0; classtype:credential-theft; sid:2031794; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"xtreme.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027646; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Vmware/Zimbra Phish 2015-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"username="; depth:9; fast_pattern; content:"&username"; distance:0; content:"&password="; distance:0; content:"&client="; distance:0; classtype:credential-theft; sid:2031730; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"za158155.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027647; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Microsoft Encrypted Email Phishing Landing 2016-06-23"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/microsoft.secure.encrypted"; fast_pattern; nocase; classtype:social-engineering; sid:2032020; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"helegedada.github.io"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Data Submitted to yolasite.com"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.header; content:"forms.yola.com"; fast_pattern; http.request_body; content:"user"; nocase; content:"word"; distance:0; nocase; classtype:social-engineering; sid:2032021; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027663; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2016-06-27"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Signin Template"; nocase; fast_pattern; content:"Please upgrade your mailbox"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"upgrade account"; nocase; distance:0; classtype:social-engineering; sid:2032022; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M1"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Upgrade"; nocase; fast_pattern; content:"form class=|22|form-signin"; nocase; distance:0; content:"Please wait"; nocase; distance:0; content:"id=|22|success"; nocase; distance:0; content:"Email account upgraded"; nocase; distance:0; classtype:credential-theft; sid:2032023; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; http.header; content:".php?userid="; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&submit=upgrade+account"; nocase; distance:0; classtype:credential-theft; sid:2032024; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to MyFreeSites.com - Possible Phishing"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/form/Submit"; fast_pattern; http.header; content:"myfreesites.net|0d 0a|"; content:"X-Requested-With|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; content:"{|22|siteID|22 3a|"; depth:10; http.accept; content:"application/json, text/javascript"; startswith; http.content_type; content:"application/json"; startswith; classtype:trojan-activity; sid:2032025; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027667; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET USER_AGENTS SAP CVE-2020-6287 PoC UA Observed"; flow:established,to_server; http.user_agent; content:"CVE-2020-6287|20|PoC"; endswith; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; classtype:attempted-recon; sid:2030548; rev:1; metadata:created_at 2020_07_16, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert tcp any 53 -> any any (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350)"; flow:established,from_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; content:"|00 00 18|"; distance:12; within:64; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030533; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, former_category EXPLOIT, performance_impact Significant, signature_severity Critical, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.kemostarlogistics.co.ke"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027651; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp any any -> any 53 (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350)"; flow:established,to_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030532; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, former_category EXPLOIT, performance_impact Significant, signature_severity Critical, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.terryhill.top"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027652; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MASSLOGGER Client Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[^_]+_[^\_]+_[A-F0-9]{10}_[0-9]{2}-[0-9]{2}-20[0-9]{2}\s[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}\./R"; content:"zip|22 0d 0a|Content-Type: application/zip|0d 0a 0d 0a|PK"; within:41; content:"/Log.txt"; distance:0; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,79efca38c3230aaae9dd8bb11f15fe43; classtype:trojan-activity; sid:2030550; rev:2; metadata:created_at 2020_07_16, former_category MALWARE, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"mail.jaguarline.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027653; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BYOB - Python Backdoor Stager Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a 27|Stager|20 28|Build Your Own Botnet|29 27 0a|"; fast_pattern; reference:md5,76117987409f341b5272958e27dd9ac5; classtype:command-and-control; sid:2030551; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"search.webstie.net"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027654; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BYOB - Python Backdoor Loader Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|0a 27|Loader|20 28|Build Your Own Botnet|29 27 0a|"; fast_pattern; reference:md5,76117987409f341b5272958e27dd9ac5; classtype:command-and-control; sid:2030552; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"dns.domain-resolve.org"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"name=|22|author|22 20|content=|22|Mr.IN130X"; content:"Mini Shell</title>"; fast_pattern; classtype:web-application-attack; sid:2030535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Major, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif POSTing Log Message to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_logs.php"; depth:19; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"name=|22|author|22 20|content=|22|Mr.IN130X"; content:"Mini Shell</title>"; fast_pattern; classtype:web-application-attack; sid:2030536; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Submitting Output of Command to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_cmd_res.php"; depth:22; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027657; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|"; content:"type=submit name='watching' value='submit' style='border|3a|none|3b|background-color|3a|#"; fast_pattern; classtype:web-application-attack; sid:2030537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Major, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cl_client_cmd.php"; depth:18; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|"; content:"type=submit name='watching' value='submit' style='border|3a|none|3b|background-color|3a|#"; fast_pattern; classtype:web-application-attack; sid:2030538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_online.php"; depth:21; endswith; http.request_body; content:"Q29tcHV0ZXJOYW1lPV"; depth:18; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; reference:md5,516ad28f8fa161f086be7ca122351edf; classtype:targeted-activity; sid:2027659; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>"; content:"Password: <input type=password name=pass><input type=submit value='>>'>"; fast_pattern; classtype:web-application-attack; sid:2030539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Major, updated_at 2020_07_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Tripoli Related CnC Checkin"; flow:established,to_server; http.user_agent; content:"30909D51946D672A48B1729580088C4F"; depth:32; fast_pattern; endswith; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>"; content:"Password: <input type=password name=pass><input type=submit value='>>'>"; fast_pattern; classtype:web-application-attack; sid:2030540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla/APT34 CnC Domain Domain (dubaiexpo2020 .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"dubaiexpo2020.cf"; endswith; reference:md5,4079500faa93e32a2622e1593ad94738; classtype:targeted-activity; sid:2027669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"cmd{background-color|3a|"; content:"SCROLLBAR-DARKSHADOW-COLOR|3a|"; distance:0; content:"<body style=|22|FILTER|3a 20|progid|3a|DXImageTransform.Microsoft.Gradient("; distance:0; content:"gradientType=0,startColorStr="; content:"<input name='envlpass' type='password'"; fast_pattern; classtype:web-application-attack; sid:2030541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla/APT34 CnC Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft.updatemeltdownkb7234.com"; nocase; endswith; reference:md5,2a8672b0fd29dc3b6f49935691b648bc; classtype:domain-c2; sid:2027670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"cmd{background-color|3a|"; content:"SCROLLBAR-DARKSHADOW-COLOR|3a|"; distance:0; content:"<body style=|22|FILTER|3a 20|progid|3a|DXImageTransform.Microsoft.Gradient("; distance:0; content:"gradientType=0,startColorStr="; content:"<input name='envlpass' type='password'"; fast_pattern; classtype:web-application-attack; sid:2030542; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Server in DNS Lookup (updatecache .com)"; dns.query; content:"updatecache.com"; nocase; endswith; classtype:trojan-activity; sid:2027678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>:: Mailer Inbox"; fast_pattern; content:"document.getElementById(|22|emails|22|"; distance:0; content:"document.getElementById(|22|txtml|22|"; distance:0; classtype:web-application-attack; sid:2030543; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jokerlol.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027687; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,443,587,9997] (msg:"ET MALWARE APT33/CharmingKitten Shellcode Communicating with CnC"; flow:established,to_server; dsize:<150; content:"|16 03|"; depth:2; content:"|00|"; distance:1; within:1; content:"|01 00 00|"; distance:1; within:3; content:"|03|"; distance:1; within:1; content:"|5b e0 37|"; distance:1; within:3; fast_pattern; content:"|00|"; distance:0; content:"|00|"; distance:1; within:1; content:"|00|"; distance:1; within:1; threshold: type limit, count 1, seconds 30, track by_dst; content:!"mtalk.google.com"; reference:md5,a60f127a06e5b3dcacd1ec346f7995c5; classtype:targeted-activity; sid:2026576; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, malware_family Shellcode, performance_impact Low, signature_severity Major, tag APT33_CharmingKitten, tag Shellcode, updated_at 2020_07_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kusasukusa.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>:: Mailer Inbox"; fast_pattern; content:"document.getElementById(|22|emails|22|"; distance:0; content:"document.getElementById(|22|txtml|22|"; distance:0; classtype:web-application-attack; sid:2030544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"tracker-visitors.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027689; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"Priv8 (Mailer Inbox Sender"; distance:0; content:"SMTP SETUP</font>"; distance:0; classtype:web-application-attack; sid:2030545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-web.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027690; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"Priv8 (Mailer Inbox Sender"; distance:0; content:"SMTP SETUP</font>"; distance:0; classtype:web-application-attack; sid:2030546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-stats.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027691; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NEWPASS CnC Client Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"newpass="; startswith; content:"&server_page="; distance:0; content:"&passdb="; distance:0; content:"&targetlogin="; distance:0; fast_pattern; content:"&table_data="; distance:0; reference:url,www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/; classtype:command-and-control; sid:2030557; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_17, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jsreload.pw"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027692; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Outbound RRSIG DNS Query Observed"; content:"|00 00 2e 00 01|"; fast_pattern; classtype:bad-unknown; sid:2030555; rev:1; metadata:created_at 2020_07_17, updated_at 2020_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=started"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027701; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Cpanel Cracker Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">CPANEL CRACKER</font><font color="; fast_pattern; content:"color=white>--==[[Greetz to]]==--"; distance:0; content:"####### Coded By"; distance:0; classtype:web-application-attack; sid:2030553; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_17, deployment Perimeter, signature_severity Major, updated_at 2020_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Done"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=done"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027702; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Cpanel Cracker Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">CPANEL CRACKER</font><font color="; fast_pattern; content:"color=white>--==[[Greetz to]]==--"; distance:0; content:"####### Coded By"; distance:0; classtype:web-application-attack; sid:2030554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_17, deployment Perimeter, signature_severity Major, updated_at 2020_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC POST"; flow:to_server,established; urilen:>40; http.method; content:"POST"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; http.request_body; content:"AAAAAAAAAAAAAAAAAAAA"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ALFA TEaM Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"ALFA TEaM Shell"; nocase; fast_pattern; pcre:"/^\s*\-\s*/R"; classtype:web-application-attack; sid:2029865; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC GET"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (justupdate)"; flow:established,to_server; http.user_agent; bsize:10; content:"justupdate"; reference:md5,7a814300b204e14467deff69c1159cbe; classtype:bad-unknown; sid:2030556; rev:1; metadata:created_at 2020_07_17, former_category USER_AGENTS, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SLUB Domain in DNS Lookup"; dns.query; content:"toni132.pen.io"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/; classtype:trojan-activity; sid:2027722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ALFA TEaM Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"ALFA TEaM Shell"; nocase; fast_pattern; pcre:"/^\s*\-\s*/R"; classtype:web-application-attack; sid:2029866; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"gamework.ddns.net"; nocase; depth:17; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027724; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Satana Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/add.php"; http.request_body; content:"id="; depth:3; content:"&code="; distance:0; content:"&sdata="; distance:0; content:"&name="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,d236fcc8789f94f085137058311e848b; reference:url,blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware; classtype:command-and-control; sid:2022929; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"workan.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027725; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Landing 2016-07-05"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.uri; content:"/usaa.com"; pcre:"/\/usaa\.com(?:\.|-)(?:sec(?:ure)?|inet|ent)(?:\.|-)/i"; classtype:social-engineering; sid:2032026; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"clsass.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027726; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Excel Add-in Download M1"; flow:to_server,established; http.uri; content:".xla"; nocase; endswith; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"kotl.space"; nocase; depth:10; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027727; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS Excel Add-in Download M2"; flow:to_server,established; http.header; content:".xla"; nocase; pcre:"/Content-Disposition\x3a[^\r\n]*?\.xla[\s\x22\x27]/i"; reference:url,blogs.mcafee.com/mcafee-labs/patch-now-simple-office-protected-view-bypass-could-have-big-impact/; classtype:bad-unknown; sid:2022966; rev:3; metadata:created_at 2016_07_13, former_category INFO, updated_at 2020_07_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nurlamurla.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_22, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Hotmail Phish 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login="; depth:6; content:"&passwd="; fast_pattern; nocase; distance:0; content:"&SI=Sign+in"; nocase; distance:0; classtype:credential-theft; sid:2032027; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"subarnakan.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027741; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ranscam Ransomware Contact Form"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"action=|22|http|3a|//www.tectite.com"; fast_pattern; nocase; content:"EmailAddr|3a|Your email address"; nocase; distance:0; content:"Message|3a|Your message"; nocase; distance:0; content:"Use your real email if you want a response"; nocase; distance:0; content:"spam folder if you do not receive"; nocase; distance:0; reference:md5,926a8d1c842964b2b81f5f94f6ae73b1; reference:url,blog.talosintel.com/2016/07/ranscam.html; classtype:trojan-activity; sid:2022968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_07_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"asilofsen.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Razy.azv Downloading Content"; flow:established,to_server; http.uri; content:".so"; endswith; pcre:"/\/(?:tr(?:_w)?|ft)\.so$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; content:!"Accept"; nocase; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022969; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, malware_family Razy, performance_impact Low, signature_severity Major, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"manrodoerkes.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027743; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Synchronize Email Account Phishing Landing 2016-07-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Login to continue"; nocase; fast_pattern; content:"Global E-mail Server"; nocase; distance:0; content:"Synchronize your e-mail"; nocase; distance:0; content:"avoid deactivation"; nocase; distance:0; content:"registered email"; nocase; distance:0; content:"enter the matching password"; nocase; distance:0; content:"Synchronize My Account"; nocase; distance:0; classtype:social-engineering; sid:2032028; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"ashkidiore.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027744; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail account"; nocase; fast_pattern; content:"Webmail Account"; nocase; distance:0; content:"for upgrade in your webmail"; nocase; distance:0; content:"check the required"; nocase; distance:0; content:"Confirm Passw"; nocase; distance:0; classtype:social-engineering; sid:2032029; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"druhanostex.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027745; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Account Phish 2016-07-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?src="; content:"&username="; nocase; distance:0; http.referer; content:".php?src="; nocase; content:"&username="; nocase; http.request_body; content:"username="; depth:9; fast_pattern; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032030; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"kapintarama.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,886] (msg:"ET MALWARE Win32/PSW.Agent.OIN CnC Activity"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.9|0d 0a|User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36|0d 0a|Content-Length|3a 20|"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:!"&"; pcre:"/^(?:[a-zA-Z0-9+/\x20]{4})*(?:[a-zA-Z0-9+/\x20]{2}==|[a-zA-Z0-9+/\x20]{3}=|[a-zA-Z0-9+/\x20]{4})$/"; reference:md5,4589aaf8f84c91c5e290ddebcc368342; classtype:command-and-control; sid:2030560; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"moreflorecast.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027747; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)"; flow:established,to_server; content:"|23 23 24 23 23 0d 0a|"; within:20; dsize:<190; reference:md5,f50a94513fd739f5f40a57879e2f3cff; classtype:trojan-activity; sid:2030558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, signature_severity Major, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"preploadert.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027748; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)"; flow:established,to_client; content:"|23 23 24 23 23 0d 0a|"; within:20; dsize:<190; reference:md5,f50a94513fd739f5f40a57879e2f3cff; classtype:trojan-activity; sid:2030559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"troxymuntisex.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Project Plague CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; content:"&ip="; distance:0; content:"&os=Microsoft"; distance:0; fast_pattern; content:"&ram="; distance:0; content:"&cpu="; distance:0; content:"&av="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,0934bf4d962c598c405f8f085377529d; reference:url,twitter.com/c3rb3ru5d3d53c/status/1371174503129219081; classtype:command-and-control; sid:2032004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"nduropasture.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027750; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"funnymemos.shop"; bsize:15; classtype:domain-c2; sid:2030561; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nlgyscgika"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=nlgyscgika"; classtype:domain-c2; sid:2027753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"trythisshop.club"; bsize:16; classtype:domain-c2; sid:2030562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Lookup"; dns.query; content:"b0t.to"; depth:6; nocase; endswith; classtype:command-and-control; sid:2027756; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"buytheone.best"; bsize:14; classtype:domain-c2; sid:2030563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 2"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.2; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a 0d 0a|"; depth:60; endswith; reference:url,www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf; reference:md5,cd22fa7c9d9e61b4aeac6acd10790d10; reference:md5,82332d2a0cf8330f8de608865508713d; classtype:targeted-activity; sid:2020029; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"shopoholics.best"; bsize:16; classtype:domain-c2; sid:2030564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_20, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newsocks5.php"; depth:14; fast_pattern; endswith; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|10.0|3b 20|Win64"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; content:!"Connection"; reference:md5,03b6c8d49c70df01afc0765f8fa51d0c; classtype:command-and-control; sid:2028920; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category MALWARE, malware_family Phoriex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Tripod/Lycos Form Submission - Possible Successful Phish"; flow:from_client,established; http.method; content:"POST"; http.uri; content:"/_zbl.ajax?m="; depth:13; fast_pattern; content:"&a=addResponse"; distance:0; http.header; content:".tripod.com|0d 0a|"; content:".tripod.com"; http.request_body; content:"data|25|5Bresponse|25|5D|25|5B"; depth:21; classtype:credential-theft; sid:2032015; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=linddiederich462.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027799; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com (set) 2016-03-31"; flow:to_server,established; flowbits:set,ET.tripod.phish; flowbits:noalert; http.method; content:"GET"; http.header; content:"tripod.com|0d 0a|"; fast_pattern; classtype:social-engineering; sid:2032012; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=lambada.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (PHP)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=@eval"; depth:9; content:"base64_decode"; distance:0; content:"&action="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022976; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uberalles.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Cknife Shell Command Struct Inbound (aspx)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|Java"; depth:16; http.request_body; content:"=Response.Write"; depth:18; fast_pattern; content:"eval"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.recordedfuture.com/web-shell-analysis-part-2; classtype:trojan-activity; sid:2022977; rev:3; metadata:attack_target Web_Server, created_at 2016_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm.php"; fast_pattern; endswith; http.request_body; content:"k="; depth:2; pcre:"/^\d{5,10}$/R"; http.accept_lang; content:"en-US|3b|q=0.5,en|3b|q=0.3"; http.header_names; content:!"Referer"; content:"Content"; content:"User-Agent"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-20"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|3a 3a|WEBMAIL"; nocase; fast_pattern; content:"Sign in to Update Your Account"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Webmail Admin"; nocase; distance:0; classtype:social-engineering; sid:2032031; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"artisticday.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027819; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2016-07-21 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern; nocase; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; classtype:social-engineering; sid:2022980; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"astonishingwill.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027820; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Evil Monero Cryptocurrency Miner Request Pools"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<HTML>|0d 0a|<HEAD>|0d 0a|<BODY>|0d 0a|<DIV"; depth:28; content:"|0d 0a|899@"; distance:0; content:"0.rn,9.re9899@n&9,bgggs"; distance:0; fast_pattern; reference:md5,848720742b957d27f6ee94b9fe4126f0; reference:url,www.fireeye.com/blog/threat-research/2016/06/resurrection-of-the-evil-miner.html; classtype:trojan-activity; sid:2022982; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_07_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"directfood.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027821; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"circleoccupy.best"; bsize:17; classtype:domain-c2; sid:2030566; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"gradualrain.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027822; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"papuanewguinew.club"; bsize:19; classtype:domain-c2; sid:2030567; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"proapp.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027823; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"loaderoverlord.casa"; bsize:19; classtype:domain-c2; sid:2030568; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"provincialwake.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027824; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mramoritto.top"; bsize:14; classtype:domain-c2; sid:2030569; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"shrek.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027825; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"loaderprototype.casa"; bsize:20; classtype:domain-c2; sid:2030570; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"thinstop.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027826; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cutterfighter.club"; bsize:18; classtype:domain-c2; sid:2030571; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"entreprisecommande.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027827; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"almostcruze.best"; bsize:16; classtype:domain-c2; sid:2030572; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emp.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"loadberlin.casa"; bsize:15; classtype:domain-c2; sid:2030573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fujacks Variant CnC Activity"; flow:established,to_server; http.start; content:"GET /down1.txt HTTP/1.1|0d 0a|User-Agent|3a 20|ErrCode|0d 0a|Host|3a 20|"; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Connection|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; reference:md5,54b72be155b057f693508c0d15fc6d00; classtype:command-and-control; sid:2030580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027851; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Vulnerable Response"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; flowbits:isset,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030577; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emptiness.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027852; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<baData>PHJvb3Q+ICA8dXNlcj4"; fast_pattern; flowbits:set,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030578; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"version2.ilove26.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027853; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Success"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; content:"Add|20|user|20|success"; distance:0; flowbits:isset,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030579; rev:1; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"luckyhere.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027854; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Saved Website Comment Observed"; flow:established,to_client; flowbits:isset,ET.genericphish; file.data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https?\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:credential-theft; sid:2030574; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"imtesting.shiina.ga"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027855; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Probe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CTCWebService/CTCWebServiceBean"; fast_pattern; flowbits:set,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030576; rev:2; metadata:created_at 2020_07_22, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"ggwp.emptiness.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027856; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY EXE File Downloaded from Discord"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/attachments/"; depth:13; content:".exe"; endswith; http.host; content:".discordapp.com"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:misc-activity; sid:2030575; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Major, updated_at 2020_07_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Mirai.shiina CnC Domain in DNS Query"; dns.query; content:"shiina.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027857; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read  (CVE-2020-3452) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/+CSCO"; fast_pattern; content:"=.."; distance:0; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030585; rev:1; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_07_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"abc="; depth:4; pcre:"/^[a-z0-9/%=]{100,}$/Ri"; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2027861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Scylla/"; fast_pattern; classtype:attempted-admin; sid:2030583; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_23, deployment Perimeter, signature_severity Minor, updated_at 2020_07_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)"; flow:established,to_server; flowbits:set,ET.PhpMyAdminBrute.1; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:"?worker=php_b"; fast_pattern; endswith; http.user_agent; content:"Ubuntu|3b 20|Linux|20|x86_64"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1c315f9487ad20c3ac72747f13968507; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:trojan-activity; sid:2033717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family PhpMyAdminBrute, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Scylla/"; fast_pattern; classtype:web-application-attack; sid:2030584; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_23, deployment Perimeter, signature_severity Major, updated_at 2020_07_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gw?worker="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1b8052d60de7ce8a9d281cf43d8d3091; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Redeye Phish 2020-07-24"; flow:to_server,established; flowbits:isset,ET.genericphish; http.uri; content:"/redeye/"; fast_pattern; nocase; content:".php"; distance:0; isdataat:!1,relative; classtype:credential-theft; sid:2030587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/knock?worker="; fast_pattern; content:"&os="; content:"&version="; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,bcb7d4fdee2023ad62132ebdf794baa4; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033719; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>[ RC-SHELL v"; nocase; fast_pattern; classtype:web-application-attack; sid:2030590; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Kryptik.XSY Data Exfil via SMTP"; flow:established,to_server; content:"|0d 0a|Subject: PW_"; content:"filename|3d 22|PW_"; content:"_"; distance:0; content:"_"; distance:4; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:".html|22 0d 0a 0d 0a|VGltZTog"; distance:2; within:18; fast_pattern; reference:md5,61181c9665789225439d04d6eef5527f; classtype:command-and-control; sid:2030887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>[ RC-SHELL v"; nocase; fast_pattern; classtype:web-application-attack; sid:2030591; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Critical, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/i"; http.header; content:!"MstarUpdate"; http.user_agent; content:!"Mozilla/"; http.host; content:!".bitdefender.com"; content:!".homestead.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:10; metadata:created_at 2015_04_01, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|0d 0a 09|<form method=|22|POST|22|>|0d 0a 09 09|Password|3a 20 0d 0a 09 09|"; nocase; content:"name=|22|password|22|>|0d 0a 09 09|<input type=|22|submit|22 20|value=|22|>>|22|>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030592; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Exfiltration Activity"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/up.php"; depth:37; fast_pattern; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploadfile|22 3b 20|filename|3d 22|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:18; within:47; http.content_type; content:"multipart/form-data|3b|"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:trojan-activity; sid:2027895; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category TROJAN, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|0d 0a 09|<form method=|22|POST|22|>|0d 0a 09 09|Password|3a 20 0d 0a 09 09|"; nocase; content:"name=|22|password|22|>|0d 0a 09 09|<input type=|22|submit|22 20|value=|22|>>|22|>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030593; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Critical, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - CnC Checkin"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/load.php"; depth:39; fast_pattern; endswith; http.request_body; pcre:"/^[a-zA-Z0-9]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:!"Referer"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:command-and-control; sid:2027893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (.NET Framework Client)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|.NET Framework Client|0d 0a|"; classtype:bad-unknown; sid:2030586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"routingzen.com"; nocase; depth:14; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027693; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Website Ransomnote Accessed on External Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030595; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/down.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027900; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Website Ransomnote Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030596; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/vers.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027901; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish 2020-07-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; startswith; content:"&paswd="; distance:0; classtype:credential-theft; sid:2031874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/64.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027902; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"ja=userAgent"; nocase; depth:12; fast_pattern; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032032; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"mail="; nocase; depth:5; fast_pattern; content:"&name="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&address="; nocase; distance:0; classtype:credential-theft; sid:2032033; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"ssn="; nocase; depth:4; fast_pattern; content:"&cnum="; nocase; distance:0; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032034; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Alpha Stealer v1.5 PWS Exfil via HTTP"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[A-Za-z]+?/Rsi"; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:0; content:"Screen.jpg"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a55bd3cc5caa47cb45355e9f79d4fc47; classtype:trojan-activity; sid:2027917; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category TROJAN, malware_family Alpha_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Mobile Phishing Landing 2016-08-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"content=|22|Please verify"; nocase; content:"<meta name=|22|apple-mobile"; nocase; distance:0; content:"<title>Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; classtype:social-engineering; sid:2025670; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.co.za"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027922; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Radonskra.B C2 Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&os=Windows"; nocase; content:"&mac="; nocase; content:"&lua="; nocase; content:"&firewall="; nocase; content:"&antivirus="; nocase; content:"&antispyware"; nocase; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,9d6b99e87faa3f7a23adef5031bd598b; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fRadonskra.B; classtype:command-and-control; sid:2023033; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.org"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027923; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v"; depth:2; content:"/lady_"; distance:0; fast_pattern; pcre:"/^\/v\d+\/lady_[ix]/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023035; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"excsrvcdn.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027924; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/EMS Documents Phishing Landing 2016-08-10"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>EMS |7c 20|Tracking"; fast_pattern; nocase; content:"<title>TRADE FILE"; nocase; distance:0; content:"Sign In Your"; nocase; distance:0; content:"example777@domain.com"; nocase; distance:0; content:"PASSWORD"; nocase; distance:0; classtype:social-engineering; sid:2032035; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"online-analytic.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Credential POST to FormBuddy.com - Possible Phishing Aug 10 2016"; flow:to_server,established; urilen:16; http.method; content:"POST"; http.uri; content:"/cgi-bin/form.pl"; fast_pattern; http.host; content:"formbuddy.com"; endswith; http.request_body; content:"username="; depth:9; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:social-engineering; sid:2032036; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-traffic.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Tectite Web Form Abuse"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=|22|bad_url|22|"; fast_pattern; content:"name=|22|subject|22|"; content:"name=|22|recipients|22|"; content:"name=|22|env_report|22|"; content:"REMOTE_HOST,REMOTE_ADDR"; content:"AUTH_TYPE,REMOTE_USER"; content:"name=|22|good_url|22|"; content:"<input type=|22|password"; classtype:social-engineering; sid:2032037; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-statistics.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Tectite Web Form Submission - Possible Phishing"; flow:from_server,established; http.stat_code; content:"302"; file.data; content:"<title>Form Submission Succeeded"; fast_pattern; content:"Please wait while you are redirected"; distance:0; content:"www.tectite.com"; distance:0; classtype:credential-theft; sid:2032038; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscachecloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing Common CSS 2016-08-10"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"background-color|3a 20|#EAEAEA"; nocase; content:"#pdf_holder"; nocase; distance:0; content:"background-color|3a 20|#DADADA"; nocase; distance:0; content:"background-color|3a 20|#069"; nocase; distance:0; content:"#errfnn"; fast_pattern; nocase; distance:0; content:"background-color|3a 20|#A51505"; nocase; distance:0; classtype:social-engineering; sid:2032039; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscloudservice.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027929; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Gmail Phish M1 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Gmail Veri"; fast_pattern; nocase; content:"All of Google"; nocase; distance:0; content:"Verified, secured and updated"; nocase; distance:0; content:"You will will be instructed to login shortly"; nocase; distance:0; classtype:credential-theft; sid:2032040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"opendnscloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027930; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (err.mp3) 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2023055; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"solkoptions.host"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026858; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (msg.mp3) 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2023056; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; dns.query; content:"provide.yourtrap.com"; depth:20; fast_pattern; nocase; endswith; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:command-and-control; sid:2016135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:social-engineering; sid:2023057; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Chewbacca CnC Server"; dns.query; content:"5ji235jysrvwfgmb.onion"; depth:22; fast_pattern; endswith; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:command-and-control; sid:2018114; rev:5; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:social-engineering; sid:2023058; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns.query; content:"jmxkowzoen.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018267; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Executable Download Purporting to be JavaScript likely 2nd stage Infection"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/x-javascript"; nocase; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:trojan-activity; sid:2013352; rev:5; metadata:created_at 2011_08_04, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; dns.query; content:"zpwibfsmoowehdsm.onion"; depth:22; nocase; endswith; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:5; metadata:created_at 2014_07_15, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Storage Upgrade Phishing Landing 2016-08-15"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:social-engineering; sid:2023062; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Query to Known CnC Domain msnsolution.nicaze.net"; dns.query; content:"icaze.net"; depth:9; fast_pattern; endswith; reference:md5,89332c92d0360095e2dda8385d400258; classtype:command-and-control; sid:2014139; rev:8; metadata:created_at 2012_01_21, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (cctv.mtv)"; flow:established,to_server; http.user_agent; bsize:8; content:"cctv.mtv"; reference:md5,deffb804976c0531144d999ded0df8b9; classtype:bad-unknown; sid:2030598; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (sektori.org)"; dns.query; content:"sektori.org"; depth:11; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014573; rev:9; metadata:created_at 2012_04_16, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (cso)"; flow:established,to_server; http.user_agent; content:"cso v"; startswith; fast_pattern; pcre:"/^[0-9][0-9]?\.[0-9][0-9]?$/R"; reference:md5,5640851c35221c3ae7bbde053d1bb38e; reference:url,app.any.run/tasks/d94c1428-253d-432a-be65-53ea3a0505f4/; classtype:trojan-activity; sid:2030600; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.bestcomputeradvisor.com"; dns.query; content:".bestcomputeradvisor.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:8; metadata:created_at 2012_08_10, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=SendFileZIPBoundary|0d 0a|"; depth:65; http.user_agent; content:"uploader"; depth:8; endswith; http.request_body; content:"form-data|3b 20|name=|22|fileToUpload|22 3b 20|filename=|22|zipfile.zip"; fast_pattern; reference:md5,fe15986992ef7dd209047deec2851e2e; classtype:command-and-control; sid:2034324; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"chrom-update.online"; nocase; endswith; classtype:command-and-control; sid:2027936; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Symantec Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Symantec.Site.Download; flowbits:noalert; http.host; content:".symantec.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:misc-activity; sid:2023067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, performance_impact Low, signature_severity Minor, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"mnmnmnmnmnmn.club"; nocase; endswith; classtype:command-and-control; sid:2027937; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing M1 2016-08-16"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Confirm your identity"; nocase; distance:0; content:"data|3a|image/jpeg|3b|base64"; nocase; distance:0; classtype:social-engineering; sid:2032042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"asasasqwqq.xyz"; nocase; endswith; classtype:command-and-control; sid:2027938; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2016-08-17"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:social-engineering; sid:2023073; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.guest-access.net"; dns.query; content:".guest-access.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:8; metadata:created_at 2012_08_10, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Docusign Phish M1 2016-08-17"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta HTTP-EQUIV="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"<title>Error"; nocase; fast_pattern; distance:0; content:"MM_preloadImages"; nocase; distance:0; content:"Try Again"; nocase; distance:0; content:"This page will redirect"; nocase; distance:0; classtype:credential-theft; sid:2032043; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Known Reveton Domain whatwillber.com"; dns.query; content:"whatwillber.com"; depth:15; nocase; endswith; classtype:bad-unknown; sid:2015875; rev:9; metadata:created_at 2012_11_09, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; content:"&2="; distance:0; content:"&4="; distance:0; content:"&5="; distance:0; content:"&6="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023076; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup msonlinelive.com"; dns.query; content:"msonlinelive.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019586; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo C2 Response"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup malwarecheck.info"; dns.query; content:"malwarecheck.info"; depth:17; fast_pattern; nocase; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019640; rev:5; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aveo C2 Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?id="; depth:14; fast_pattern; content:"&1="; distance:0; content:!"&2="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ae2b5bd70945b1622fb27496ec9e15fe; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/; classtype:command-and-control; sid:2023078; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category MALWARE, malware_family Aveo, malware_family FormerFirstRAT, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain www.comeinbaby.com"; dns.query; content:"comeinbaby.com"; depth:14; fast_pattern; nocase; endswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019667; rev:7; metadata:created_at 2014_11_07, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing 2016-08-19"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe"; nocase; fast_pattern; content:"MM_reloadPage"; nocase; distance:0; content:"someone@example.com"; nocase; distance:0; classtype:social-engineering; sid:2032044; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, performance_impact Low, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain manhuaba.com.cn"; dns.query; content:"manhuaba.com.cn"; depth:15; fast_pattern; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019718; rev:5; metadata:created_at 2014_11_18, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Universal Webmail Phishing Landing 2016-08-19"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Universal Webmail"; fast_pattern; content:"de e-mail e senha para verificar"; nocase; distance:0; content:"/CMD_LOST_PASSWORD"; nocase; distance:0; classtype:social-engineering; sid:2032045; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, performance_impact Low, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.no-ip.net"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019788; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker Downloading Modules"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/system/MA-"; depth:11; fast_pattern; content:".dll"; pcre:"/\/(?:IUpdate|fbclient|IETask|Mixeds|Ubuntu10)\.dll$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,260a7aab3d29ed4bce9ac35002361a87; classtype:trojan-activity; sid:2023082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.ddns.net"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019790; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Data Submitted to yolasite.com M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; http.request_body; content:"user"; nocase; content:"pass"; distance:0; nocase; classtype:social-engineering; sid:2032046; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adobeincorp.com"; dns.query; content:"adobeincorp.com"; depth:15; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019565; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Email Account Phishing Landing 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Recover Account"; fast_pattern; nocase; content:"Account Might Become Blocked"; nocase; distance:0; content:"these are all due to end user misuse"; nocase; distance:0; content:"email validation takes after one hour"; nocase; distance:0; classtype:social-engineering; sid:2032047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"doosan-job.com"; depth:14; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019851; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Blocked Email Account Phish M2 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Recover Account"; fast_pattern; nocase; content:"Account Might Become Blocked"; nocase; distance:0; content:"has been fixed successfully"; nocase; distance:0; content:"making us serve you better"; nocase; distance:0; classtype:credential-theft; sid:2032048; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"downloadsservers.com"; depth:20; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019852; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Targeted Office 365 Phishing Landing 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<html dir=|22|ltr|22|"; content:"microsoftonline-p.com"; nocase; distance:0; content:"|61 63 74 69 6f 6e 3d 22 2f 61 75 74 68 74 72 75 65 2e 61 73 70 78 3f|"; fast_pattern; distance:0; classtype:social-engineering; sid:2032049; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"drivercenterupdate.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019853; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Password Strength Phishing Landing 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Confirm Password Strength"; fast_pattern; nocase; content:"yimg.com"; nocase; distance:0; content:"Yahoo Mail"; nocase; distance:0; content:"Strengthen your account"; nocase; distance:0; content:"confirm your password strength"; nocase; distance:0; classtype:social-engineering; sid:2032050; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"easyresumecreatorpro.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019854; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Password Strength Phish M1 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&.scrumb="; nocase; distance:0; content:"&.partner="; nocase; distance:0; classtype:credential-theft; sid:2032051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019855; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Yahoo Password Strength Phish M2 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Success"; fast_pattern; nocase; content:"mail.yahoo.com"; nocase; distance:0; content:"Account Authenticated"; nocase; distance:0; content:"confirming your password"; nocase; distance:0; content:"secured by Yahoo"; nocase; distance:0; classtype:credential-theft; sid:2032053; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.net"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019856; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Team IPwned Phish 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"=Team&"; nocase; content:"=IPwned&"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032052; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftactiveservices.com"; depth:27; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019858; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2016-08-25"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Function disabled by ALIBOBO"; nocase; content:"<title>My Drive"; fast_pattern; nocase; content:"You are not logged in"; nocase; distance:0; classtype:social-engineering; sid:2032054; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftmiddleast.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019859; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 2"; flow:established,to_server; http.uri; content:".html?a="; fast_pattern; content:"&b="; distance:0; content:"&nocache="; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023132; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsserverupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019869; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 5"; flow:established,to_server; http.uri; content:"Tring to download bundle(try|3a|"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023136; rev:3; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowssecurityupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019868; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M1 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/chaseonline.chase.com/"; nocase; fast_pattern; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2032055; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"northropgrumman.net"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019865; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M3 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/online.chase.com/"; nocase; fast_pattern; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2032056; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsupdate.net"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019864; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M4 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__LASTFOCUS="; depth:12; fast_pattern; content:"&auth_userId="; nocase; distance:0; content:"&auth_contextId=login"; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032057; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowscentralupdate.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019867; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Form Data Submitted to yolasite.com - Possible Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; classtype:trojan-activity; sid:2023139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"teledyne-jobs.com"; depth:17; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019866; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 1"; flow:established,to_server; http.uri; content:".html&nocache="; content:!"&"; distance:0; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023131; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftserverupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019861; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Logging in - PayPal"; nocase; fast_pattern; content:"<meta http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; content:"url=websc-"; nocase; distance:0; classtype:credential-theft; sid:2032059; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftonlineupdates.com"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019860; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Websc Phishing Page 2016-02-05"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/websc-"; nocase; fast_pattern; pcre:"/^(?:l(?:o(?:ading|gin)|imited)|(?:proccess|card)ing|b(?:illing|ank)|success)\.php/R"; classtype:social-engineering; sid:2032014; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsresources.com"; depth:29; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019863; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/w00tw00t."; nocase; depth:10; reference:url,doc.emergingthreats.net/2010794; classtype:attempted-recon; sid:2010794; rev:9; metadata:created_at 2010_07_30, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsupdateserver.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019870; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DMA Locker CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action="; fast_pattern; content:!".aspx"; pcre:"/\?action=\d(&botId=[A-F0-9]{32})?$/i"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,050f04ed78e96418179228272998d87d; classtype:command-and-control; sid:2022873; rev:4; metadata:created_at 2016_06_07, former_category MALWARE, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"gesunddurchsjahr.de"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019871; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish OWA Credentials 2016-08-16"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"destination="; depth:12; nocase; fast_pattern; content:"&flags="; distance:0; nocase; content:"&forcedownlevel="; distance:0; nocase; content:"&trusted="; distance:0; nocase; content:"password"; distance:0; nocase; classtype:credential-theft; sid:2032041; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.org"; dns.query; content:"checkmalware.org"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019582; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TeamIPwned/Hellion Phishing Landing 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"HELLION PROUDLY PRESENTS"; fast_pattern; content:"brought to you by Hellion"; nocase; distance:0; content:"teamipwned"; nocase; distance:0; content:"Do not touch anything"; nocase; distance:0; classtype:social-engineering; sid:2032060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatesoftware24.com"; dns.query; content:"updatesoftware24.com"; depth:20; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019580; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TeamIPwned Phish 2016-08-30"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"hellion.php"; nocase; fast_pattern; classtype:credential-theft; sid:2025003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup windows-updater.com"; dns.query; content:"windows-updater.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019581; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful CIBC Phish 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Online Banking"; fast_pattern; nocase; content:"Online Banking Verification"; nocase; distance:0; content:"Verifying your CIBC Online Banking"; nocase; distance:0; content:"Please enter your personal information"; nocase; distance:0; content:"Social Insurance Number"; nocase; distance:0; classtype:credential-theft; sid:2032061; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftupdateserver.net"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-loading.php?Go=_Login_Success"; depth:36; fast_pattern; http.header; content:"/websc-"; http.request_body; content:"&Log+In=Log+In"; classtype:credential-theft; sid:2032062; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatepc.org"; dns.query; content:"updatepc.org"; depth:12; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019579; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>DHL|20 7c 20|"; nocase; fast_pattern; content:"<title>TRADE FILE"; nocase; distance:0; content:"Secured To Your Email"; nocase; distance:0; content:"Enter Your Email Password"; nocase; distance:0; classtype:social-engineering; sid:2032063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testsnetcontrol.com"; dns.query; content:"testsnetcontrol.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019578; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; content:"dropbox.com"; nocase; distance:0; content:"<title>Loading"; fast_pattern; nocase; distance:0; content:"Please Wait"; nocase; distance:0; content:"servers are currently busy"; nocase; distance:0; classtype:credential-theft; sid:2032064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testservice24.net"; dns.query; content:"testservice24.net"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019577; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Yahoo Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Yahoo - login"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"origin-when-cross-origin"; content:!"var MBR_config = {"; classtype:social-engineering; sid:2032058; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup symanttec.org"; dns.query; content:"symanttec.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019576; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Google Docs Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Google Docs"; fast_pattern; within:20; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"<title>|0a 20 20 20 20 20 20|Google Docs"; classtype:social-engineering; sid:2025669; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup securitypractic.com"; dns.query; content:"securitypractic.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019575; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phish Landing 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"kooltuo"; nocase; distance:0; classtype:social-engineering; sid:2025684; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup secnetcontrol.com"; dns.query; content:"secnetcontrol.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019574; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe PDF"; fast_pattern; nocase; content:"formbreeze_email"; nocase; distance:0; content:"formbreeze_filledin"; nocase; distance:0; content:"emailCheck"; nocase; distance:0; classtype:social-engineering; sid:2032065; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup scanmalware.info"; dns.query; content:"scanmalware.info"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019573; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing M2 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Authentication Is Required"; nocase; distance:0; content:"For security reasons"; nocase; distance:0; content:"confirm your email to view document"; nocase; distance:0; classtype:social-engineering; sid:2032066; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsof-update.com"; dns.query; content:"microsof-update.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019572; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Alibaba"; nocase; fast_pattern; content:"validateForm"; nocase; distance:0; content:"Password is Empty"; nocase; distance:0; content:"Password is Too Short"; nocase; distance:0; content:"Login to Message Center"; nocase; distance:0; classtype:social-engineering; sid:2032067; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsofi.org"; dns.query; content:"microsofi.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019571; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook 365 Encrypted Email Phishing Landing M1 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Sign in - Encrypted mail"; nocase; fast_pattern; content:".password-revealer"; nocase; distance:0; content:"microsoftonline-p.com"; nocase; classtype:social-engineering; sid:2032068; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkwinframe.com"; dns.query; content:"checkwinframe.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019568; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to Webeden.co.uk - Possible Phishing"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/_form/submit"; fast_pattern; http.request_body; content:"PageID="; depth:7; classtype:trojan-activity; sid:2032069; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup check-fix.com"; dns.query; content:"check-fix.com"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019569; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to Weebly.com - Possible Phishing"; flow:to_server,established; urilen:27; http.method; content:"POST"; http.uri; content:"/weebly/apps/formSubmit.php"; fast_pattern; http.host; content:"weebly.com"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; classtype:trojan-activity; sid:2032070; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adawareblock.com"; dns.query; content:"adawareblock.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019564; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; http.server; file.data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family IEiExploit, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup azureon-line.com"; dns.query; content:"azureon-line.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019566; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passw"; distance:0; nocase; content:"=Sign+In"; distance:0; nocase; classtype:credential-theft; sid:2032071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.info"; dns.query; content:"checkmalware.info"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019567; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M1 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"LOB=Logon"; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&ChangePassword"; distance:0; nocase; content:"NewPassword"; distance:0; nocase; classtype:credential-theft; sid:2032072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"kundenpflege.menrad.de"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019857; rev:7; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M2 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Change password"; nocase; fast_pattern; content:"ChangePasswordForm"; nocase; distance:0; content:"Outlook WebApp"; nocase; distance:0; content:"O365_MainLink"; nocase; distance:0; content:"ChangePasswordControl_PasswordRequirementText"; nocase; distance:0; content:"Incorrect password entered"; classtype:credential-theft; sid:2032073; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas ecolines.es"; dns.query; content:"ecolines.es"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019912; rev:6; metadata:created_at 2014_12_11, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M3 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Change password"; nocase; fast_pattern; content:"Outlook WebApp"; nocase; distance:0; content:"O365_MainLink"; nocase; distance:0; content:"Remember your new password"; nocase; distance:0; content:"close this browser"; nocase; distance:0; classtype:credential-theft; sid:2032074; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas blackberry-support.herokuapp.com"; dns.query; content:"blackberry-support.herokuapp.com"; depth:32; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019913; rev:6; metadata:created_at 2014_12_11, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Facebook - Log In"; fast_pattern; nocase; content:"background-image"; nocase; distance:0; content:"form-group"; nocase; distance:0; content:"class=|22|form-control|22|"; nocase; distance:0; content:"formValidation"; nocase; distance:0; classtype:social-engineering; sid:2032075; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (great-codes.com)"; dns.query; content:"great-codes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020035; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Facebook Phish 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Facebook - Verification"; fast_pattern; nocase; content:"background-image"; nocase; distance:0; content:"<form name="; nocase; distance:0; content:"<input name="; nocase; distance:0; content:"Continue"; nocase; distance:0; classtype:credential-theft; sid:2032076; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (adguard.name)"; dns.query; content:"adguard.name"; depth:12; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020036; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; content:"_Product-UserID&userid="; distance:0; fast_pattern; http.request_body; content:"email="; depth:6; nocase; content:"&pass"; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (coral-trevel.com)"; dns.query; content:"coral-trevel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020037; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/www.chase.com/"; fast_pattern; http.request_body; content:"&pas"; nocase; classtype:credential-theft; sid:2032102; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice10.ru)"; dns.query; content:"ddnservice10.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020038; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Validator Phish M2 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>..|3a 3a|Thank you"; nocase; fast_pattern; content:"email address|3a 3a|..</title>"; nocase; distance:0; classtype:credential-theft; sid:2032103; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (paradise-plaza.com)"; dns.query; content:"paradise-plaza.com"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020039; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Validator Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail Client Validator"; nocase; fast_pattern; content:"validate your account"; nocase; distance:0; content:"render your account"; nocase; distance:0; content:"Username"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2032104; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (worldnewsonline.pw)"; dns.query; content:"worldnewsonline.pw"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020040; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING iCloud Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2024230; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (update-java.net)"; dns.query; content:"update-java.net"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:targeted-activity; sid:2020041; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/LuaBot CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot?bid="; depth:9; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html; classtype:command-and-control; sid:2023155; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family Linux_LuaBot, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (allwayshappy.ru)"; dns.query; content:"allwayshappy.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020044; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Account Update Phishing Landing 2016-09-06"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Update Your User"; nocase; fast_pattern; content:"update your email"; nocase; distance:0; content:"Username"; nocase; distance:0; content:"Email Address"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm password"; nocase; distance:0; content:"Update My Details"; nocase; distance:0; classtype:social-engineering; sid:2032105; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (deadwalk32.ru)"; dns.query; content:"deadwalk32.ru"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020047; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/\x3b[a-f0-9]{32}/"; http.request_body; content:"eml="; depth:4; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032106; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (doubleclickads.net)"; dns.query; content:"doubleclickads.net"; depth:18; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020048; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 4"; flow:established,to_server; http.uri; content:".html?s="; fast_pattern; content:"&d="; distance:0; pcre:"/^[^&]+?\.html\?s=[^&]+?&d=$/"; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023134; rev:4; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_07_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (octoberpics.ru)"; dns.query; content:"octoberpics.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020054; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Minimal HTTP Refresh to Googledrive.com - Possible Phishing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; http.header; pcre:"/Content\-Length\x3a\x20\d{3}\x0d\x0a/mi"; file.data; content:"<META HTTP-EQUIV="; nocase; content:"refresh"; distance:1; nocase; content:"googledrive.com"; distance:0; nocase; fast_pattern; within:50; classtype:trojan-activity; sid:2032107; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (server38.info)"; dns.query; content:"server38.info"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020057; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fedex Javascript Phishing Landing 2016-09-08"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; startswith; file.data; content:"click_to_download"; fast_pattern; nocase; content:"make_the_delay"; nocase; distance:0; content:"redirect_the"; nocase; distance:0; content:"now_download"; nocase; distance:0; content:"ajax"; nocase; distance:0; content:"POST"; nocase; distance:0; classtype:social-engineering; sid:2032108; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (ssl-server24.ru)"; dns.query; content:"ssl-server24.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020058; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Microsoft Live Email Account Phish 2016-09-08"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"live.com"; within:50; content:"<title>Loading"; nocase; distance:0; fast_pattern; content:"verified successfully"; nocase; distance:0; classtype:credential-theft; sid:2032109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeterplanet.ru)"; dns.query; content:"tweeterplanet.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020059; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mokes.A CnC Heartbeat Request (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.OSX.Mokes; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/v1"; http.header; content:"Safari/7046A194A|0d 0a|"; fast_pattern; http.connection; content:"Close"; bsize:5; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:url,securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered; classtype:command-and-control; sid:2023182; rev:3; metadata:affected_product Mac_OSX, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, tag OSX_Malware, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (updatemyhost.ru)"; dns.query; content:"updatemyhost.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020061; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plasmabot CnC Host Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"crypt="; depth:6; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/plasma-http-botnet-steals-stored-passwords-chrome-filezilla; reference:md5,ffbf380abaa7c56b45edd2784feecf36; classtype:command-and-control; sid:2018393; rev:5; metadata:created_at 2014_04_16, former_category MALWARE, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (walkingdead32.ru)"; dns.query; content:"walkingdead32.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020062; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"MAHDI_1="; depth:8; nocase; fast_pattern; content:"&MAHDI_2="; nocase; distance:0; classtype:credential-theft; sid:2032110; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (worldnews247.net)"; dns.query; content:"worldnews247.net"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020063; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SeniorPeopleMeet Phish M1 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"SkipCSSVerif="; depth:13; nocase; fast_pattern; content:"&FromLocation="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032111; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (financialnewsonline.pw)"; dns.query; content:"financialnewsonline.pw"; depth:22; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020066; rev:6; metadata:created_at 2014_12_24, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SeniorPeopleMeet Phish M2 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name="; depth:5; nocase; fast_pattern; content:"&cc1="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&s1="; nocase; distance:0; classtype:credential-theft; sid:2032112; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hong Kong SWC Attack DNS Lookup (aoemvp.com)"; dns.query; content:"aoemvp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020171; rev:5; metadata:created_at 2015_01_13, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Quant Loader Download Response"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"dll=http"; depth:8; nocase; fast_pattern; content:"|3b|exe=http"; distance:0; nocase; content:"|3b|dll=http"; distance:0; nocase; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (apple.dynamic-dns.net)"; dns.query; content:"apple.dynamic-dns.net"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020244; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M1 2016-09-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:social-engineering; sid:2023235; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (autocar.ServeUser.com)"; dns.query; content:"autocar.ServeUser.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020245; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M2 2016-09-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:social-engineering; sid:2023236; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (coastnews.darktech.org)"; dns.query; content:"coastnews.darktech.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020249; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful View Samples Phish 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action=submit_form"; depth:19; nocase; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (demon.4irc.com)"; dns.query; content:"demon.4irc.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020250; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M2 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"lobIndicator="; depth:13; nocase; fast_pattern; content:"&ssn"; nocase; distance:0; content:"&acctnum="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; classtype:credential-theft; sid:2032115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.ddns.info)"; dns.query; content:"logoff.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020259; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"u_p="; depth:4; nocase; content:"&LOB="; nocase; distance:0; content:"&origination="; nocase; distance:0; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032114; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (yellowblog.flnet.org)"; dns.query; content:"yellowblog.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020279; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-09-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; content:"&password="; nocase; distance:0; content:"&requestCmdId="; nocase; distance:0; fast_pattern; content:"&reqcrda="; nocase; distance:0; content:"&NONCE="; nocase; distance:0; content:"&userType="; nocase; distance:0; classtype:credential-theft; sid:2032116; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious tolotor.com Domain - Possible CryptoWall Activity"; dns.query; content:"tolotor.com"; depth:11; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020284; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Square Enix Phishing Domain 2016-08-15"; flow:to_server,established; http.method; content:"GET"; http.host; content:"square-enix.com"; fast_pattern; content:!"square-enix.com"; endswith; http.referer; content:!"square-enix.com"; classtype:social-engineering; sid:2023065; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (pstcmedia.com)"; dns.query; content:"pstcmedia.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020444; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-09-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?excel="; http.header; content:".php?excel="; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&excel="; nocase; distance:0; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2032117; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mixedwork.com)"; dns.query; content:"mixedwork.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020445; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"os_version="; depth:11; fast_pattern; content:"os_version_full="; distance:0; content:"processorId="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,190c607ef81fa0c27fb1313df5f05266; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:command-and-control; sid:2023292; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ahmedfaiez.info)"; dns.query; content:"ahmedfaiez.info"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020446; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M1"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupdate.com)"; dns.query; content:"flushupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020447; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M2"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030604; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupate.com)"; dns.query; content:"flushupate.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020448; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M3"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030605; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ineltdriver.com)"; dns.query; content:"ineltdriver.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020449; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M4"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030606; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mediahitech.info)"; dns.query; content:"mediahitech.info"; depth:16; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020450; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Ostap CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?as="; content:"&kl="; distance:0; content:"&ed="; distance:0; content:"@@"; distance:0; content:"@@"; distance:0; content:"@@*"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:trojan-activity; sid:2030601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, signature_severity Major, updated_at 2020_07_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (plmedgroup.com)"; dns.query; content:"plmedgroup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020451; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS/Ostap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=pro100zver.mskhost.pro"; nocase; reference:md5,f5cf9ca73dd30caf43d75dd19240a79e; classtype:domain-c2; sid:2030602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_28, deployment Perimeter, former_category MALWARE, malware_family Ostap, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (advtravel.info)"; dns.query; content:"advtravel.info"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020452; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?ID=login&Key="; fast_pattern; content:"&path="; distance:0; http.request_body; content:"xuser="; depth:6; nocase; content:"&xpass="; nocase; distance:0; content:"&xbtn="; nocase; distance:0; classtype:credential-theft; sid:2032118; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (fpupdate.info)"; dns.query; content:"fpupdate.info"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020453; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030608; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_07_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (linksis.info)"; dns.query; content:"linksis.info"; depth:12; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020454; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030609; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (linkedim.in)"; dns.query; content:"linkedim.in"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020459; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Captcha Check"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Security Check"; content:"function verifyCaptcha()"; distance:0; content:"var blockerurl"; distance:0; content:"email_par"; distance:0; content:"window.location.replace(blockerurl+"; fast_pattern; distance:0; content:".php|22 20|onsubmit=|22|return verifyCaptcha()"; distance:0; classtype:social-engineering; sid:2030610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (androcity.com)"; dns.query; content:"androcity.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020461; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (liptona.net)"; dns.query; content:"liptona.net"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020462; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nauss-lab.com)"; dns.query; content:"nauss-lab.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020464; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2020-07-29)"; flow:established,to_client; tls.cert_subject; content:"CN=robotica.cl"; nocase; endswith; reference:md5,f68456251ffe11d49ccdd845bcc55365; classtype:domain-c2; sid:2030607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nice-mobiles.com)"; dns.query; content:"nice-mobiles.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020465; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Anuna PHP Backdoor Sucessful Exploit"; flow:established,from_server; flowbits:isset,ET.Anuna.Backdoor; http.stat_code; content:"200"; file.data; content:"cookie=4"; within:8; classtype:trojan-activity; sid:2023306; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_07_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (facebook-emoticons.bitblogoo.com)"; dns.query; content:"facebook-emoticons.bitblogoo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020466; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?getinfo"; fast_pattern; http.request_body; content:"comid="; depth:6; nocase; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (abuhmaid.net)"; dns.query; content:"abuhmaid.net"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020467; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?action"; nocase; fast_pattern; http.request_body; content:"loginId="; depth:8; nocase; content:"&loginPd="; nocase; distance:0; classtype:credential-theft; sid:2032121; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (blogging-host.info)"; dns.query; content:"blogging-host.info"; depth:18; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020468; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.cookie; content:"__cfduid"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&pass="; nocase; distance:0; content:"&="; nocase; distance:0; classtype:credential-theft; sid:2032122; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (tvgate.rocks)"; dns.query; content:"tvgate.rocks"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020469; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Postbank Online Banking Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_loginForm_hf_0="; depth:21; nocase; content:"&jsDisabled="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&nutzername="; nocase; distance:0; fast_pattern; content:"&kennwort="; nocase; distance:0; content:"&loginButton="; nocase; distance:0; classtype:credential-theft; sid:2032123; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (iwork-sys.com)"; dns.query; content:"iwork-sys.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020472; rev:6; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Postbank Online Banking Phish M2 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_loginForm_hf_0="; depth:21; nocase; content:"&jsDisabled="; nocase; distance:0; content:"&validation="; nocase; distance:0; content:"&vorname="; nocase; distance:0; content:"&nachname="; nocase; distance:0; fast_pattern; content:"&street="; nocase; distance:0; content:"&plz="; nocase; distance:0; content:"&ort="; nocase; distance:0; content:"&bday="; nocase; distance:0; content:"&mobilenr="; nocase; distance:0; content:"&telepinalt="; nocase; distance:0; content:"&telepinneu="; nocase; distance:0; content:"&loginButton="; nocase; distance:0; classtype:credential-theft; sid:2032124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE 9002 RAT C&C DNS request"; dns.query; content:"cache.dnsde.com"; depth:15; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2020713; rev:5; metadata:created_at 2015_03_19, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M1 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (saveweb.wink.ws)"; dns.query; content:"saveweb.wink.ws"; depth:15; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020814; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M2 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032098; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (carima2012.site90.com)"; dns.query; content:"carima2012.site90.com"; depth:21; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020815; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M3 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"E-mail"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032099; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (explorerdotnt.info)"; dns.query; content:"explorerdotnt.info"; depth:18; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020816; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-01-26"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2032100; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotnetexplorer.info)"; dns.query; content:"dotnetexplorer.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020817; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M1 2016-10-03"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"user name"; nocase; content:"email"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032125; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotntexplorere.info)"; dns.query; content:"dotntexplorere.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020818; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-10-03"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Nazwa uzytkownika"; nocase; content:"Email"; nocase; content:"Haslo"; fast_pattern; nocase; classtype:social-engineering; sid:2032126; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (xploreredotnet.info)"; dns.query; content:"xploreredotnet.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020819; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Byethost Phishing Redirect 2016-10-04"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Zhtml>"; depth:6; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"REFRESH"; nocase; distance:1; content:"|3b|url=http"; nocase; distance:0; content:"ZBODY>"; distance:0; classtype:social-engineering; sid:2032127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (erdotntexplore.info)"; dns.query; content:"erdotntexplore.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020820; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"&email="; nocase; distance:0; http.request_body; content:"curl="; depth:5; nocase; content:"&flags="; nocase; distance:0; content:"&forcedownlevel="; nocase; distance:0; content:"&formdir="; nocase; distance:0; content:"&trusted="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&SubmitCreds="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"aa.hostasa.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:6; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic OWA Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp"; nocase; pcre:"/\.asp$/"; http.header; content:".asp?form_id="; http.request_body; content:"form-data|3b 20|name=|22|submit|22|"; nocase; content:"form-data|3b 20|name=|22|form_id|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|depart_id|22|"; nocase; distance:0; content:"gadgetStyleBOO"; nocase; fast_pattern; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns1.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; content:"&id="; nocase; content:"&session="; nocase; http.request_body; content:"provider="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2023964; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns2.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.header; content:!"X-Trend-ActiveUpdate"; content:!"HTTrack"; http.user_agent; content:"Windows 98"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:22; metadata:created_at 2010_07_30, updated_at 2020_07_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns3.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing (DE) 2016-10-04"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>Mot de passe - PayPal"; nocase; fast_pattern; content:"PayPal est le moyen"; nocase; distance:0; content:"Bitte geben Sie Ihr Passwort"; nocase; distance:0; classtype:social-engineering; sid:2032129; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns4.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Fake Copyright Infringement Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"copyright infringement"; nocase; content:"Instagram account"; nocase; distance:0; content:"powered-by-000webhost"; distance:0; fast_pattern; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gh.dsaj2a1.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Script Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"<!-- SCRIPT BY"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php"; within:100; content:"powered-by-000webhost"; distance:0; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"navert0p.com"; depth:12; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Let's Encrypt Certificate containing Instagram"; flow:established,to_client; tls.cert_subject; content:"instagram"; nocase; fast_pattern; tls.cert_issuer; content:"Let's Encrypt"; classtype:social-engineering; sid:2030619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"wangzongfacai.com"; depth:17; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Webmail Phishing Landing"; flow:to_client,established; file.data; content:"<title>EmaiI Securlty"; nocase; fast_pattern; classtype:credential-theft; sid:2030620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gggatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc DL 2020-07-30)"; flow:established,to_client; tls.cert_subject; content:"CN=ne-ba.org"; nocase; endswith; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"xxxatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus APT MalDoc DL Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ne-ba.org"; bsize:9; reference:md5,738ea366df7366a3c55f5673a58bf714; classtype:domain-c2; sid:2030615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"v8.f1122.org"; depth:12; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2021443; rev:5; metadata:created_at 2015_07_20, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phone Support Scam/Phishing Landing M1"; flow:established,to_client; file.data; content:"EBRX1:6X76D"; nocase; fast_pattern; content:"Your account is blocked"; nocase; classtype:social-engineering; sid:2030621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"GroUndHog.MapSnode.CoM"; depth:22; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2021444; rev:5; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phone Support Scam/Phishing Landing M2"; flow:established,to_client; file.data; content:"EBRX1:6X76D"; nocase; fast_pattern; content:"Due to suspicious activity"; nocase; classtype:social-engineering; sid:2030622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; dns.query; content:"drometic.suroot.com"; depth:19; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021576; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (firefox)"; flow:established,to_server; http.user_agent; content:"firefox"; bsize:7; fast_pattern; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; classtype:trojan-activity; sid:2030623; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; dns.query; content:"docume.sysbloger.com"; depth:20; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021577; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (chrome)"; flow:established,to_server; http.user_agent; content:"chrome"; bsize:6; fast_pattern; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; classtype:trojan-activity; sid:2030624; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_07_30;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; dns.query; content:"ohio.sysbloger.com"; depth:18; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021578; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY XenArmor Password Recovery License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xen-check-portable-license.php?key="; fast_pattern; http.user_agent; content:"Software License Checker"; bsize:24; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2030616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; dns.query; content:"specs.dnsrd.com"; depth:15; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021579; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OILRIG CnC POST"; flow:established,to_server; content:"|3a 20|chrome|0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; content:"/?v="; startswith; http.header_names; content:"From|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.user_agent; content:"chrome"; bsize:6; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; reference:md5,acaff6cb817399848887caef0104bd03; classtype:command-and-control; sid:2030634; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; dns.query; content:"np3.Jkub.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021580; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FormatFactory Install Checkin"; flow:established,to_server; http.request_line; content:"GET /ff/inst_stat?"; startswith; http.host; bsize:21; content:"server.pcfreetime.com"; reference:md5,3efa61c1ad1bc3a700563f54870676c3; classtype:pup-activity; sid:2030632; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; dns.query; content:"ns8.ddns1.com"; depth:13; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021581; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Attempted Netgear Buffer Overflow into RCE Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade_check.cgi"; bsize:18; http.content_len; byte_test:0,>,4000,0,string,dec; http.request_body; content:"mknod|20 2f|dev/ptyp"; fast_pattern; reference:url,github.com/grimm-co/NotQuite0dayFriday/blob/master/2020.06.15-netgear/exploit.py; classtype:attempted-admin; sid:2030630; rev:1; metadata:affected_product Netgear_Router, created_at 2020_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (books.mrface.com)"; dns.query; content:"books.mrface.com"; depth:16; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021582; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Attempted Netgear Buffer Overflow into RCE Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade_check.cgi"; bsize:18; fast_pattern; http.content_len; byte_test:0,>,1000,0,string,dec; http.request_body; content:"/bin/"; reference:url,github.com/grimm-co/NotQuite0dayFriday/blob/master/2020.06.15-netgear/exploit.py; classtype:attempted-admin; sid:2030631; rev:1; metadata:affected_product Netgear_Router, created_at 2020_07_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; dns.query; content:"kieti.ipsecsl.net"; depth:17; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021583; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST Form Submitted to 123formbuilder Free Hosting"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/form-"; depth:6; http.host; content:"www.123formbuilder.com"; depth:22; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag Phishing, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"s-p-o-o-f-e-d.h-o-s-t.name"; depth:26; fast_pattern; nocase; endswith; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST Form Submitted to Weebly Free Hosting"; flow:established,to_server; urilen:27; http.method; content:"POST"; http.uri; content:"/weebly/apps/formSubmit.php"; http.host; content:"www.weebly.com"; depth:14; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; dns.query; content:"xssok.blogspot.com"; depth:18; nocase; endswith; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"|0d 0a|User-Agent|3a 20|app|0d 0a|"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|browser["; content:"]|22 3b 0d 0a|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot.png|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Gh0ST/PlugX/Various Backdoors DNS Lookup (gameofthrones.ddns.net)"; dns.query; content:"gameofthrones.ddns.net"; depth:22; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=bobpaceideas.xyz"; nocase; endswith; classtype:domain-c2; sid:2030627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_07_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Likely PlugX DNS Lookup (chrome.servehttp.com)"; dns.query; content:"chrome.servehttp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021793; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/HadesLocker Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hwid="; depth:5; fast_pattern; content:"&tracking_id="; distance:0; content:"&usercomputername="; distance:0; content:"&ip="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,6970847bedab9ab83e69630d065ba67b; classtype:command-and-control; sid:2023481; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Backdoor.GTalkTrojan DNS Lookup (update.gtalklite.com)"; dns.query; content:"update.gtalklite.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021794; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish M1 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; http.request_body; content:"showRmrMe="; depth:10; nocase; fast_pattern; content:"&openid.pape.max_auth_age="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&create="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032130; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger HTTPBrowser DNS Lookup (trendmicro-update.org)"; dns.query; content:"trendmicro-update.org"; depth:21; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021795; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; http.request_body; content:"cazanova_qus1="; depth:14; nocase; fast_pattern; content:"_ans1="; nocase; distance:0; content:"_qus2="; nocase; distance:0; content:"_ans2="; nocase; distance:0; content:"_mail="; nocase; distance:0; content:"_pass="; nocase; distance:0; classtype:credential-theft; sid:2032131; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-analysis.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021806; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orange (FR) Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"co="; depth:3; nocase; content:"&tt="; nocase; distance:0; content:"&tp="; nocase; distance:0; content:"&rl="; nocase; distance:0; content:"&sv="; nocase; distance:0; content:"&dp="; nocase; distance:0; content:"&rt="; nocase; distance:0; content:"&isconn="; nocase; distance:0; content:"&credential="; nocase; distance:0; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032132; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-diagnostics.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021807; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Supplier Portal Phish 2016-10-07"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>WebMail</title>"; fast_pattern; content:"<h1>Login Error"; nocase; distance:0; content:"go back and login again"; nocase; distance:0; content:"valid information"; nocase; distance:0; content:"datasheet with your company profile"; nocase; distance:0; content:"<!-- 0 -->"; distance:0; classtype:credential-theft; sid:2032133; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.crash-analytics.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021808; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"UserID&userid="; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032134; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Naikon DNS Lookup (greensky27.vicp.net)"; dns.query; content:"greensky27.vicp.net"; depth:19; nocase; endswith; fast_pattern; reference:url,threatconnect.com/camerashy-resources/; classtype:trojan-activity; sid:2021831; rev:5; metadata:created_at 2015_09_24, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (FR) M1 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; content:"apple"; nocase; http.request_body; content:"donnee1="; depth:8; nocase; fast_pattern; content:"&donnee2="; nocase; distance:0; classtype:credential-theft; sid:2032135; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (googlemanage.com)"; dns.query; content:"googlemanage.com"; depth:16; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021935; rev:5; metadata:created_at 2015_10_08, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (FR) M2 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032136; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (websecexp.com)"; dns.query; content:"websecexp.com"; depth:13; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021960; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-10"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=3d3d3d3d3d3d3d3d3d"; nocase; fast_pattern; distance:0; content:"4f6e6c6e654944"; nocase; distance:0; content:"50617373636f6465"; distance:0; content:"456d61696c"; nocase; distance:0; classtype:credential-theft; sid:2032137; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup (mailsecurityservice.com)"; dns.query; content:"mailsecurityservice.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2015/10/targeted-attacks-ngo-burma/; classtype:trojan-activity; sid:2021962; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&passwd="; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032138; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"softupdates.info"; depth:16; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022121; rev:5; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M2 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?email="; nocase; http.request_body; content:"continue="; depth:9; nocase; content:"&bgresponse="; nocase; distance:0; fast_pattern; content:"&phone="; nocase; distance:0; content:"&altemail="; nocase; distance:0; content:"&go="; nocase; distance:0; classtype:credential-theft; sid:2032139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"drivres-update.info"; depth:19; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022122; rev:5; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Webeden.net 2016-10-13"; flow:to_client,established; flowbits:isset,ET.webeden.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"User name"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032140; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (alhadath.mobi)"; dns.query; content:"alhadath.mobi"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022148; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Infostealer.Snifula File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cgi"; http.header; content:"User-Agent|3a 20|IE|0d 0a|Host"; http.request_body; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be16b8d1b85843c89301f189b35c4963; classtype:trojan-activity; sid:2023337; rev:3; metadata:created_at 2016_10_14, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (big-windowss.com)"; dns.query; content:"big-windowss.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022149; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&service="; nocase; distance:0; content:"&ltmpl="; nocase; distance:0; content:"&Taju="; nocase; distance:0; fast_pattern; content:"&Tope="; nocase; distance:0; content:"&signIn="; nocase; distance:0; classtype:credential-theft; sid:2032141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (cacheupdate14.com)"; dns.query; content:"cacheupdate14.com"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022150; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.cookie; content:"PHPSESSID="; http.request_body; content:"login_email="; depth:12; nocase; fast_pattern; content:"&login_password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; content:"&fso="; nocase; distance:0; classtype:credential-theft; sid:2032142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.space)"; dns.query; content:"fbstatic-a.space"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022151; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; fast_pattern; content:"&DownTimeMessage="; nocase; distance:0; classtype:credential-theft; sid:2032143; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.xyz)"; dns.query; content:"fbstatic-a.xyz"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022152; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/victim.php?info="; fast_pattern; content:"&ip="; distance:0; pcre:"/\/victim\.php\?info=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&ip=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:command-and-control; sid:2023345; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-akamaihd.com)"; dns.query; content:"fbstatic-akamaihd.com"; depth:21; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022153; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryPy Ransomware Encrypting File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/savekey.php?file="; fast_pattern; content:"&id="; distance:0; pcre:"/\/savekey\.php\?file=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&id=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.user_agent; content:"Python-urllib"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,8bd7cd1eee4594ad4886ac3f1a05273b; reference:url,nakedsecurity.sophos.com/2016/10/18/data-stealing-crpy-ransomware/; classtype:trojan-activity; sid:2023346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryPy, signature_severity Major, tag Ransomware, updated_at 2020_07_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (gmailtagmanager.com)"; dns.query; content:"gmailtagmanager.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022154; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS User Agent (SQLi Injection / Scanning)"; flow:established,to_server; http.user_agent; content:"testitest"; fast_pattern; startswith; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2023351; rev:3; metadata:attack_target SQL_Server, created_at 2016_10_19, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz.link)"; dns.query; content:"haaretz.link"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022155; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Webmail Phish 2016-10-21"; flow:established,from_server; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail</title>"; nocase; distance:0; fast_pattern; content:"<div class=|22|error"; nocase; distance:0; content:"Please enter a valid email"; nocase; distance:0; content:"Supported Email Providers"; nocase; distance:0; classtype:credential-theft; sid:2032144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz-news.com)"; dns.query; content:"haaretz-news.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022156; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&securityquestion="; nocase; distance:0; content:"&Answer="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&Password="; nocase; distance:0; content:"&Submit.x="; nocase; distance:0; content:"&Submit.y="; nocase; distance:0; classtype:credential-theft; sid:2032145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (heartax.info)"; dns.query; content:"heartax.info"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022157; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|3d 30 78 30 36 2c 30 78 30 32 2c 30 78 30 30 2c 30 78 30 30|"; fast_pattern; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; content:"|2c 3c 62 72 3e 30 78|"; distance:0; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2022683; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (img.gmailtagmanager.com)"; dns.query; content:"img.gmailtagmanager.com"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022158; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"countrycode="; depth:12; nocase; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&.persistent="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; classtype:credential-theft; sid:2032146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (kernel4windows.in)"; dns.query; content:"kernel4windows.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022159; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".jsp"; nocase; http.request_body; content:"inputCampo1="; depth:12; nocase; content:"&trpm=aHR0cDov"; nocase; distance:0; fast_pattern; content:"&inputCampo"; nocase; distance:0; classtype:credential-theft; sid:2032147; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (main.windowskernel14.com)"; dns.query; content:"main.windowskernel14.com"; depth:24; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022160; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-25"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Windows Live ID"; nocase; fast_pattern; content:"If page do not re-direct automatically"; nocase; distance:0; content:"login.live.com"; nocase; distance:0; classtype:credential-theft; sid:2032148; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (micro-windows.in)"; dns.query; content:"micro-windows.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022161; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"xUserName="; depth:10; nocase; content:"&xPassWord="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032149; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate15.com)"; dns.query; content:"mswordupdate15.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022162; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"UserID="; depth:7; nocase; content:"&Password="; nocase; distance:0; content:"&fullnaxme="; nocase; distance:0; fast_pattern; content:"&homeadd1="; nocase; distance:0; content:"&citybma="; nocase; distance:0; content:"&staten="; nocase; distance:0; content:"&zip1co="; nocase; distance:0; content:"&home1phone="; nocase; distance:0; content:"&sn1="; nocase; distance:0; content:"&mamanx="; nocase; distance:0; content:"&do1="; nocase; distance:0; content:"&emailxnx="; nocase; distance:0; content:"&emailpassx="; nocase; distance:0; content:"&ccnumber"; nocase; distance:0; content:"&cvv"; nocase; distance:0; content:"&accten="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032150; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate16.com)"; dns.query; content:"mswordupdate16.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022163; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful 163.com Email Account Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"account_name="; depth:13; nocase; fast_pattern; content:"&domain="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&all_secure="; nocase; distance:0; content:"&secure="; nocase; distance:0; classtype:credential-theft; sid:2032151; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate17.com)"; dns.query; content:"mswordupdate17.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022164; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Jackpot Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?HWInfo="; nocase; content:"}&Time="; nocase; distance:0; http.user_agent; content:"My Session"; fast_pattern; startswith; http.request_body; content:"|2e 00 70 00 68 00 70 00 3f 00 48 00 57 00 49 00 6e 00 66 00 6f 00 3d|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5624c920b1fd3da3a451d564bb7488d3; classtype:command-and-control; sid:2023465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Jackpot, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mywindows24.in)"; dns.query; content:"mywindows24.in"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022165; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&ctx="; nocase; distance:0; content:"&flowToken="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch7-windows.com)"; dns.query; content:"patch7-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022166; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful American Express Phish M1 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"Face="; depth:5; nocase; content:"&Logon="; nocase; distance:0; content:"&acctSelected="; nocase; distance:0; fast_pattern; content:"&acctSelectedURL="; nocase; distance:0; content:"&TARGET="; nocase; distance:0; content:"&USERID="; nocase; distance:0; content:"&PWD="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch8-windows.com)"; dns.query; content:"patch8-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022167; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful American Express Phish M2 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"UserID="; depth:7; nocase; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailp="; nocase; distance:0; content:"&title="; nocase; distance:0; content:"&FName="; nocase; distance:0; content:"&MName="; nocase; distance:0; content:"&SName="; nocase; distance:0; content:"&dobyyyy="; nocase; distance:0; fast_pattern; content:"&mobileNo="; nocase; distance:0; content:"&homePhNo="; nocase; distance:0; classtype:credential-theft; sid:2032154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patchthiswindows.com)"; dns.query; content:"patchthiswindows.com"; depth:20; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022168; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"login="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&Salvc="; nocase; distance:0; content:"&salton="; nocase; distance:0; fast_pattern; content:"&cnum="; nocase; distance:0; content:"&cmonth="; nocase; distance:0; content:"&cyear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&dobmonth="; nocase; distance:0; classtype:credential-theft; sid:2032155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (u.mywindows24.in)"; dns.query; content:"u.mywindows24.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022169; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"EM="; depth:3; nocase; content:"&PS="; nocase; distance:0; content:"&CN="; nocase; distance:0; content:"=Login"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032156; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (walla.link)"; dns.query; content:"walla.link"; depth:10; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022170; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&Passwd="; nocase; distance:0; content:"&signIn=Sign+in&rmShown="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032120; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wethearservice.com)"; dns.query; content:"wethearservice.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022171; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup - b4secure .com"; flow:established,to_server; urilen:12; http.uri; content:"/index.shtml"; http.host; content:"b4secure.com"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:external-ip-check; sid:2023469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, former_category POLICY, malware_family Emissary, malware_family Lotus_Blossom, signature_severity Informational, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wheatherserviceapi.info)"; dns.query; content:"wheatherserviceapi.info"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022172; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Emissary External IP Lookup"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/index.shtml"; http.host; content:"b4secure.com"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:external-ip-check; sid:2023470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, former_category MALWARE, malware_family Emissary, malware_family Lotus_Blossom, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowkernel.com)"; dns.query; content:"windowkernel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022173; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Razy Variant Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?m="; content:"&a="; content:"&os="; content:"&ComPut="; fast_pattern; http.header; content:!"360safe.com"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008433; classtype:command-and-control; sid:2008433; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-10patch.in)"; dns.query; content:"windows-10patch.in"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022174; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cards_json.php"; endswith; http.request_body; content:"bot_id="; depth:7; fast_pattern; content:"&info="; content:"cardNum"; pcre:"/^bot_id=[a-f0-9]{32}&/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows24-kernel.in)"; dns.query; content:"windows24-kernel.in"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022175; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Dreambot File Upload (No Data Sent)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/images/"; content:"_2"; pcre:"/\/images\/.*_2[FB].*\.(?:avi|gif|bmp|jpeg|png)$/i"; http.header; content:"User-Agent|3a 20|"; depth:12; content:"Content-Length|3a 20|2|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,e17b1d84da1d2c684f3e67adff7ef582; classtype:trojan-activity; sid:2022970; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, malware_family ursnif, malware_family Dreambot, malware_family ISFB, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-drive20.com)"; dns.query; content:"windows-drive20.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022176; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/mi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:5; metadata:created_at 2015_04_13, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-india.in)"; dns.query; content:"windows-india.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022177; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CerberTear Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/^[A-F0-9]{8}$/Ri"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.connection; content:"Keep-Alive"; nocase; bsize:10; reference:md5,7d181574893ec9cb2795166623f8e531; classtype:command-and-control; sid:2023505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CerberTear, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel.in)"; dns.query; content:"windowskernel.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022178; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Alcatrez Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?user="; fast_pattern; content:"&try="; distance:0; content:"&status="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; nocase; reference:md5,1cb51c130e6f75f11c095b122e008bbc; classtype:command-and-control; sid:2023506; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alcatrez_Locker, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-kernel.in)"; dns.query; content:"windows-kernel.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022179; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/RequestActionsToExecute"; fast_pattern; pcre:"/\/RequestActionsToExecute$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|CommandLine|22 3a|"; depth:15; content:",|22|CurrentDirectory|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_08_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel14.com)"; dns.query; content:"windowskernel14.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022180; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/\/[a-f0-9]{32}\/\?\d$/i"; http.cookie; content:"PHPSESSID"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032157; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowslayer.in)"; dns.query; content:"windowslayer.in"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022181; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/\/[a-f0-9]{32}\/\?\d$/i"; http.cookie; content:"PHPSESSID"; http.request_body; content:"fullname="; depth:9; nocase; content:"&ccnumber="; nocase; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; classtype:credential-theft; sid:2032158; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-my50.com)"; dns.query; content:"windows-my50.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022182; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoLuck / YafunnLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&hi"; distance:0; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)"; fast_pattern; bsize:28; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,59109839de42d2acb44fbd7ff151fe0c; classtype:command-and-control; sid:2023533; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family YafunnLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowssup.in)"; dns.query; content:"windowssup.in"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022183; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; classtype:social-engineering; sid:2025672; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowsupup.com)"; dns.query; content:"windowsupup.com"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022184; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Business Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"emailcheck="; depth:11; nocase; fast_pattern; content:"&Psword="; nocase; distance:0; classtype:credential-theft; sid:2032159; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (inocnation.com)"; dns.query; content:"inocnation.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022273; rev:5; metadata:created_at 2015_12_17, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Email Update Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?user"; nocase; fast_pattern; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&red="; nocase; distance:0; content:"&comment="; nocase; distance:0; classtype:credential-theft; sid:2032160; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilGrab or APT.9002 DNS Lookup (secvies.com)"; dns.query; content:"secvies.com"; depth:11; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:targeted-activity; sid:2022355; rev:6; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Shared Adobe PDF Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&Upgrade="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032190; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TrochilusRAT DNS Lookup (security-centers.com)"; dns.query; content:"security-centers.com"; depth:20; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022356; rev:6; metadata:created_at 2016_01_13, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CHIP Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a)?/"; http.request_body; content:"-----BEGIN CERTIFICATE-----"; depth:27; fast_pattern; content:"-----END CERTIFICATE-----"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,18189daa96e711777158d7cb599c13b1; reference:url,malware-traffic-analysis.net/2016/11/17/index.html; classtype:command-and-control; sid:2023534; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (aynfksddnnfwkd)"; dns.query; content:".aynfksddnnfwkd"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022399; rev:5; metadata:created_at 2016_01_22, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:to_server,established; http.uri; content:"|24 7b|"; content:"|25 7b|"; distance:0; content:"|7d|"; distance:0; pcre:"/\${\s*?%{/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2023535; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2016_11_18, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (krfdnhfnsai3d)"; dns.query; content:".krfdnhfnsai3d"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022400; rev:5; metadata:created_at 2016_01_22, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS CnC Beacon"; flow:established,to_server; http.uri; content:".php"; endswith; http.header; content:"Windows NT"; http.accept; content:"application/x-www-form-urlencoded"; fast_pattern; bsize:33; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,570ea00465a45bf7b4e7e0b7007b87a1; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030357; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 1"; dns.query; content:"9i7ffdgvffibow7.vrnserver.ru"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022411; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; pcre:"/\.cgi$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023552; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 6"; dns.query; content:"admin.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022416; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue Phish 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?form=Tax"; nocase; content:"&sslchannel="; nocase; distance:0; content:"&sessionid="; nocase; distance:0; content:"&securessl="; nocase; distance:0; http.header; content:".php?form=Tax"; nocase; content:"&sslchannel="; nocase; distance:0; content:"&sessionid="; nocase; distance:0; http.request_body; content:"form-data|3b 20|name=|22|ccname|22|"; nocase; content:"form-data|3b 20|name=|22|ccno|22|"; nocase; content:"form-data|3b 20|name=|22|ccexp|22|"; nocase; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032193; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 15"; dns.query; content:"dolat.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022425; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; nocase; http.request_body; content:"surname="; depth:8; nocase; content:"&membershipNumber="; nocase; distance:0; fast_pattern; content:"&debitCardSet1="; nocase; distance:0; content:"&sortCodeSet1="; nocase; distance:0; content:"&accountNumber="; nocase; distance:0; classtype:credential-theft; sid:2032194; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 16"; dns.query; content:"dolet.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022426; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BXC CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cg="; fast_pattern; content:"&b="; distance:0; content:"&gt="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d199b13d4676080073eaeb4e0ff39a75; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; classtype:command-and-control; sid:2023546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 17"; dns.query; content:"economy.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022427; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"compte"; nocase; http.request_body; content:"comid="; depth:6; nocase; content:"&compw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032189; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 20"; dns.query; content:"firefox.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022430; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"formtex"; nocase; depth:7; fast_pattern; content:"&formtex"; nocase; distance:0; content:"&formtex"; nocase; distance:0; classtype:credential-theft; sid:2031572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 24"; dns.query; content:"github.ignorelist.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022434; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-"; nocase; content:".php?SessionID-xb="; nocase; fast_pattern; within:40; classtype:credential-theft; sid:2023558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 25"; dns.query; content:"islam.youtubesitegroup.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022435; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe Online PDF Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.header; content:"&Email="; nocase; http.request_body; content:"feedback="; depth:9; nocase; content:"&feedbacknow="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032195; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 26"; dns.query; content:"kissecurity.firewall-gateway.net"; depth:32; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022436; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Loader Receiving Payload"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00|"; distance:1; within:1; content:"|00|MZ"; distance:1; within:3; content:"This program must be run under Win32"; distance:0; fast_pattern; reference:md5,65c7426b056482fcda962a7a14e86601; classtype:trojan-activity; sid:2023567; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, malware_family Sharik, malware_family Smoke_Loader, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 27"; dns.query; content:"liumingzhen.myftp.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022437; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/kb/"; depth:4; fast_pattern; pcre:"/^\/kb\/\d{4,8}$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,193494912a6f549c0da40bf22c3384ee; classtype:trojan-activity; sid:2018677; rev:4; metadata:created_at 2014_07_15, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 33"; dns.query; content:"opero.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022443; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity Check 2"; flow:established,to_server; urilen:24; http.method; content:"POST"; http.uri; content:"/go/flashplayer_support/"; fast_pattern; http.host; content:"www.adobe.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022025; rev:4; metadata:created_at 2015_11_03, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 34"; dns.query; content:"otcgk.border.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022444; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Java Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.host; content:"java.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022026; rev:4; metadata:created_at 2015_11_03, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 41"; dns.query; content:"webmail.yourturbe.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022451; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity Check 3"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.host; content:"www.adobe.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,aa42c4ee46136d4125bebf93e9b2776c; classtype:trojan-activity; sid:2022027; rev:4; metadata:created_at 2015_11_03, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns.query; content:"www.googmail.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022455; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible COVID-19 Domain in SSL Certificate M2"; flow:established,to_client; tls.cert_subject; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; classtype:bad-unknown; sid:2029706; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns.query; content:"www.gorlan.cloudns.pro"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022456; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:1; pcre:"/\.[a-z]{3}\?[a-z]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.user_agent; content:"Mozilla/5.0 (MSIE 7.1|3b 20|Windows NT 6.0)"; fast_pattern; bsize:38; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns.query; content:"www.uyghur.25u.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022457; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"LOB=RBGLogon"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&pass="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; fast_pattern; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032196; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 44"; dns.query; content:"zjhao.dtdns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022461; rev:6; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla GoogleMaps Plugin Open Proxy Access"; flow:established,to_server; http.uri; content:"/plugins/system/plugin_googlemap2_proxy.php?url="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,bnshosting.net/googlemap-proxy-vulnerability; classtype:web-application-attack; sid:2023574; rev:3; metadata:affected_product Joomla, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CustomRAT DNS lookup"; dns.query; content:"www729448908.f3322.org"; depth:22; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022473; rev:5; metadata:created_at 2016_01_29, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Phish M2 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"ci="; depth:3; nocase; content:"&path="; nocase; distance:0; content:"&vbpass="; nocase; distance:0; fast_pattern; content:"&userEmail="; nocase; distance:0; content:"&accNum="; nocase; distance:0; classtype:credential-theft; sid:2032197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.absentvodka.com)"; dns.query; content:"updates.absentvodka.com"; depth:23; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022555; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Qadars Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"AAAA"; offset:10; depth:4; fast_pattern; content:"="; offset:7; depth:1; pcre:"/^[a-zA-Z]{7}=(?:[A-Za-z0-9+/]|%2[FB]){2}AAAA[a-z]A[^\s=]+=?=?$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Accept"; reference:md5,d611a633e8ceabdc9c2f5b0b9dd4f19e; reference:md5,a55b312d4e2006b5698e8f5ae8e5d735; reference:md5,3b4c2d3447bc49f057d76a92e7cae96b; reference:md5,08833cd7564f29f7f499a65a7be82d02; reference:url,www.lexsi-leblog.com/cert-en/qadars-new-banking-malware-with-fraudulent-mobile-application-component.html; classtype:command-and-control; sid:2023588; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_10, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.mintylinux.com)"; dns.query; content:"updates.mintylinux.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022556; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Free Mobile (FR) Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?clientid="; nocase; http.header; content:".php?clientid="; nocase; http.request_body; content:"fuser="; depth:6; nocase; content:"&fpass="; nocase; distance:0; fast_pattern; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032198; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (eggstrawdinarry.mylittlerepo.com)"; dns.query; content:"eggstrawdinarry.mylittlerepo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022557; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Oct 10 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save.asp"; nocase; fast_pattern; http.header; content:"apple"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2023592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (linuxmint.kernel-org.org)"; dns.query; content:"linuxmint.kernel-org.org"; depth:24; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022558; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"CN="; depth:3; nocase; content:"&DOB="; nocase; distance:0; content:"&CCN="; nocase; distance:0; fast_pattern; content:"&EXP="; nocase; distance:0; content:"&CVV="; nocase; distance:0; content:"&SSN="; nocase; distance:0; content:"&PAS="; nocase; distance:0; content:"&valider="; nocase; distance:0; classtype:credential-theft; sid:2032199; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suckfly/Nidiran Backdoor DNS Lookup"; dns.query; content:"microsoft-security-center.com"; depth:29; nocase; endswith; fast_pattern; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120123-5521-99; classtype:trojan-activity; sid:2022626; rev:5; metadata:created_at 2016_03_16, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Javascript XOR Encoding - Observed in Apple Phishing 2016-12-09"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"strHTML=|22 22 3b|"; nocase; within:100; fast_pattern; content:"strHTML+=|22|"; within:11; content:"function XOR"; nocase; distance:0; content:"strPass"; nocase; distance:0; content:"binl2b64"; nocase; distance:0; content:"core_hmac_md5"; nocase; distance:0; content:"hex_hmac_md5"; nocase; distance:0; classtype:social-engineering; sid:2032200; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerShell/Agent.A DNS Lookup (go0gIe.com)"; dns.query; content:"go0gIe.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022835; rev:5; metadata:created_at 2016_05_24, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Password Protected AMEX Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&pw="; nocase; distance:0; content:"&AC1="; nocase; distance:0; content:"&AC2="; nocase; distance:0; content:"&AC3="; nocase; distance:0; content:"&CV="; nocase; distance:0; content:"&CSC="; nocase; distance:0; content:"&EM="; nocase; distance:0; content:"&EY="; nocase; distance:0; content:"&MN="; nocase; distance:0; content:"&MM="; nocase; distance:0; content:"&DD="; nocase; distance:0; content:"&BP="; nocase; distance:0; content:"&SCH="; nocase; distance:0; fast_pattern; content:"&SPN="; nocase; distance:0; content:"&EA="; nocase; distance:0; content:"&EP="; nocase; distance:0; classtype:credential-theft; sid:2032201; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (khh5cmzh5q7yp7th)"; dns.query; content:".khh5cmzh5q7yp7th"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022947; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R7000 Command Injection Exploit"; flow:established,to_server; http.uri; content:"/cgi-bin/"; depth:9; content:"$IFS"; fast_pattern; distance:0; content:"|3b|"; reference:url,www.kb.cert.org/vuls/id/582384; classtype:attempted-user; sid:2023628; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2016_12_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"g5wcesdfjzne7255.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022950; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Updating Billing Address"; nocase; fast_pattern; content:"Paypal"; nocase; distance:0; content:"Resolution Center"; nocase; distance:0; content:"Confirm my Billing"; nocase; distance:0; classtype:credential-theft; sid:2032203; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"r2elajikcosf7zee.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022951; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>PayPal Service Update"; nocase; fast_pattern; content:"Paypal"; nocase; distance:0; content:"Resolution Center"; nocase; distance:0; classtype:credential-theft; sid:2032204; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (rapidcomments.com)"; dns.query; content:"rapidcomments.com"; depth:17; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_fn="; depth:4; nocase; content:"&_ln="; nocase; distance:0; content:"&_birthd="; nocase; distance:0; content:"&_birthm="; nocase; distance:0; content:"&_birthy="; nocase; distance:0; content:"&_add1="; nocase; distance:0; content:"&_add2="; nocase; distance:0; content:"&_countr="; nocase; distance:0; fast_pattern; content:"&_ct="; nocase; distance:0; content:"&_st="; nocase; distance:0; content:"&_zipc="; nocase; distance:0; content:"&_ph="; nocase; distance:0; classtype:credential-theft; sid:2032205; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (bikessport.com)"; dns.query; content:"bikessport.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023021; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M4 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_fulln="; depth:7; nocase; content:"&_ccn="; nocase; distance:0; content:"&_ccv="; nocase; distance:0; content:"&_expm="; nocase; distance:0; content:"&_expy="; nocase; distance:0; content:"&_3d="; nocase; distance:0; content:"&_drv="; nocase; distance:0; content:"&_sortc="; nocase; distance:0; fast_pattern; content:"&_ssn1="; nocase; distance:0; content:"&_ssn2="; nocase; distance:0; content:"&_ssn3="; nocase; distance:0; classtype:credential-theft; sid:2032206; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (flowershop22.110mb.com)"; dns.query; content:"flowershop22.110mb.com"; depth:22; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; classtype:trojan-activity; sid:2023023; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M5 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_bkid="; depth:6; nocase; content:"&_bkpass="; nocase; distance:0; fast_pattern; content:"&_accn="; nocase; distance:0; content:"&_routn="; nocase; distance:0; classtype:credential-theft; sid:2032207; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (wildhorses.awardspace.info)"; dns.query; content:"wildhorses.awardspace.info"; depth:26; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023024; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Shared PDF Phish 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function delayer"; content:"adobe.com"; nocase; within:50; content:"<title>PDF ONLINE"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032208; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply-wsu.ebizx.net)"; dns.query; content:"apply-wsu.ebizx.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023059; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-13"; flow:from_server,established; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Update Billing Information"; nocase; fast_pattern; content:"chase.com"; nocase; distance:0; classtype:credential-theft; sid:2032209; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply.ebizx.net)"; dns.query; content:"apply.ebizx.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023060; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"value="; depth:6; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (aalaan .tv)"; dns.query; content:"aalaan.tv"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023093; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Deactivation Phishing Landing 2016-12-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Server Message"; nocase; fast_pattern; content:"logo.png"; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:social-engineering; sid:2032210; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (accounts .mx)"; dns.query; content:"accounts.mx"; depth:11; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023094; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Deactivation Phish 2016-12-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Email Settings"; nocase; fast_pattern; content:"Processing."; nocase; distance:0; content:"Please wait"; nocase; distance:0; content:"update your account"; nocase; distance:0; classtype:credential-theft; sid:2032211; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alawaeltech .com)"; dns.query; content:"alawaeltech.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?-----BEGIN|20|CERTIFICATE-----"; fast_pattern; content:"-----END|20|CERTIFICATE-----"; distance:0; pcre:"/END\x20CERTIFICATE-----$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alljazeera .co)"; dns.query; content:"alljazeera.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"isJsEnabled="; depth:12; nocase; content:"&session_key="; nocase; distance:0; content:"&session_password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&session_redirect="; nocase; distance:0; content:"&trk="; nocase; distance:0; content:"&loginCsrfParam="; nocase; distance:0; content:"&fromEmail="; nocase; distance:0; classtype:credential-theft; sid:2032191; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararabiya .co)"; dns.query; content:"asrararabiya.co"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Unconfigured nginx Access"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"|3C|title|3E|Welcome to nginx|213C2F|title|3E|"; classtype:bad-unknown; sid:2023668; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararablya .com)"; dns.query; content:"asrararablya.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023099; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla PWS HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"type="; depth:5; content:"&hwid="; content:"&time="; content:"&pcname="; content:"&logdata="; fast_pattern; content:"&screen="; content:"&ipadd="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,21d3c7d099aceff2a1f16d8ae0f38731; classtype:command-and-control; sid:2023144; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrarrarabiya .com)"; dns.query; content:"asrarrarabiya.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023100; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - Served Inline HTTP"; flow:to_client,established; http.header; content:"Content-Disposition"; nocase; content:"inline"; nocase; file.data; content:"MZ"; depth:2; fast_pattern; classtype:misc-activity; sid:2014519; rev:8; metadata:created_at 2012_04_06, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bahrainsms .co)"; dns.query; content:"bahrainsms.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023101; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; http.server; content:"dbws"; bsize:4; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:10; metadata:created_at 2012_03_06, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bulbazaur .com)"; dns.query; content:"bulbazaur.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023103; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=supercombinating.com"; nocase; endswith; classtype:domain-c2; sid:2030635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (cnn-africa .co)"; dns.query; content:"cnn-africa.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023105; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"donnee"; depth:6; nocase; content:"&donnee"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032192; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (damanhealth .online)"; dns.query; content:"damanhealth.online"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023106; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"data1="; depth:6; nocase; content:"&data"; nocase; distance:0; content:"&data"; nocase; distance:0; content:"&donnee"; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032212; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (emiratesfoundation .net)"; dns.query; content:"emiratesfoundation.net"; depth:22; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023107; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Towerweb Ransomware Landing Page"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"WRITE THIS INFORMATION DOWN---------------<br>|0a|Ransom Id|3a|"; fast_pattern; content:"BTC Address|3a 20|"; distance:0; content:"|0a|Email|3a 20|"; distance:0; reference:md5,fb279dc7e47adefb3a9f1c78297c5870; reference:url,www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/; classtype:trojan-activity; sid:2022906; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (fb-accounts .com)"; dns.query; content:"fb-accounts.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023108; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Phish 2016-12-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032213; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icloudcacher .com)"; dns.query; content:"icloudcacher.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023110; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?php"; fast_pattern; content:"|5c 22 20|"; content:"-X"; content:".php"; content:"@"; http.content_type; content:"multipart/form-data|3b|"; startswith; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html; reference:url,github.com/opsxcq/exploit-CVE-2016-10033; classtype:attempted-user; sid:2023686; rev:3; metadata:affected_product PHPMailer, attack_target Web_Server, created_at 2016_12_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icrcworld .com)"; dns.query; content:"icrcworld.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023111; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"continue="; nocase; content:"&service="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"&signIn="; nocase; distance:0; content:"&PersistentCookie="; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (manoraonline .net)"; dns.query; content:"manoraonline.net"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023112; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banamex Bank Phish 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&USERID="; nocase; content:"&PASSWORD="; nocase; distance:0; content:"&AHN="; nocase; distance:0; content:"&BANK+ID="; nocase; distance:0; fast_pattern; content:"&PRODUCT+NAME="; nocase; distance:0; content:"&LANGUAGE+ID="; nocase; distance:0; content:"&EXTRA1="; nocase; distance:0; content:"&GROUP="; nocase; distance:0; content:"&PIN="; nocase; distance:0; classtype:credential-theft; sid:2032214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mz-vodacom .info)"; dns.query; content:"mz-vodacom.info"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023113; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Archie EK Payload Checkin GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/log?log="; depth:9; http.host; content:!"gigwise.com"; endswith; content:!"cleanerapp.net"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,41c0cdde6be5166606008b2d02f3a128; classtype:exploit-kit; sid:2019680; rev:6; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2022_04_22;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (newtarrifs .net)"; dns.query; content:"newtarrifs.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023114; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"form-data|3b 20|name=|22|uid|22|"; content:"form-data|3b 20|name=|22|uname|22|"; content:"form-data|3b 20|name=|22|cname|22|"; content:"form-data|3b 20|name=|22|ltime|22|"; content:"form-data|3b 20|name=|22|uright|22|"; content:"form-data|3b 20|name=|22|sysinfo|22|"; fast_pattern; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ooredoodeals .com)"; dns.query; content:"ooredoodeals.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023115; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MRCR1 Ransomware Checkin M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|43 50 55 20 4d 6f 64 65 6c 3a|"; fast_pattern; content:"|43 50 55 20 43 6f 75 6e 74 3a|"; content:"|47 65 74 52 41 4d 3a|"; content:"|5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d|"; content:"|5b 50 72 6f 67 72 61 6d 6d 73 5d|"; reference:md5,fc57a660e24d9c91cb5464b2ece30756; reference:md5,a1d83e290429477f05c0eaddafdb0355; classtype:command-and-control; sid:2023692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (pickuchu .com)"; dns.query; content:"pickuchu.com"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023116; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login_email"; depth:11; nocase; fast_pattern; content:"login_pass"; nocase; distance:0; classtype:credential-theft; sid:2024572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (redcrossworld .com)"; dns.query; content:"redcrossworld.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023117; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackmoon/Banbra Configuration Request M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/fcg-bin/cgi_get_portrait.fcg?uins="; depth:35; fast_pattern; http.header; content:"keep-alive|0d 0a|User-Agent"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackmoon-campaign; reference:md5,56b8f9428b2171f45dc447fb9fa1b03f; classtype:trojan-activity; sid:2023694; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_04, deployment Perimeter, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sabafon .info)"; dns.query; content:"sabafon.info"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023118; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"p="; depth:2; nocase; content:"&a2="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&conta="; nocase; distance:0; fast_pattern; content:"&aa="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&age="; nocase; distance:0; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2023696; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smser .net)"; dns.query; content:"smser.net"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023119; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"form"; nocase; fast_pattern; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; classtype:credential-theft; sid:2024565; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sms .webadv.co)"; dns.query; content:"sms.webadv.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023120; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union/Paypal Phish 2016-09-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login_email="; depth:12; nocase; fast_pattern; content:"&login_password="; nocase; distance:0; content:"&image.x="; nocase; distance:0; classtype:credential-theft; sid:2032182; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (topcontactco .com)"; dns.query; content:"topcontactco.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023121; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ID="; depth:3; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024573; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (tpcontact .co.uk)"; dns.query; content:"tpcontact.co.uk"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023122; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SLEEP|28|"; nocase; distance:0; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (track-your-fedex-package .org)"; dns.query; content:"track-your-fedex-package.org"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023123; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024574; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkishairines .info)"; dns.query; content:"turkishairines.info"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023125; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user_id="; depth:8; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024575; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (uaenews .online)"; dns.query; content:"uaenews.online"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023126; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"countrycode="; depth:12; nocase; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&signin="; nocase; distance:0; content:"&_uuid="; nocase; distance:0; content:"&_seqid="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032188; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (univision .click)"; dns.query; content:"univision.click"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023127; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Account Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032187; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (whatsapp-app .com)"; dns.query; content:"whatsapp-app.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023129; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop Dropper Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nconfirm.php?"; fast_pattern; content:"rev="; distance:0; content:"code="; content:"param="; content:"num="; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2013808; rev:5; metadata:created_at 2011_04_07, former_category MALWARE, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (y0utube .com.mx)"; dns.query; content:"y0utube.com.mx"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023130; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"Warning|3a|"; nocase; distance:0; fast_pattern; content:"Call Microsoft"; nocase; classtype:social-engineering; sid:2023751; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (bigcrashcar.net)"; dns.query; content:"bigcrashcar.net"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2023142; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websrc"; fast_pattern; endswith; http.request_body; content:"email"; nocase; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2023759; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (collge .myq-see.com)"; dns.query; content:"collge.myq-see.com"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action=export_admin_table"; content:"&filename=../"; fast_pattern; reference:url,cpr-zero.checkpoint.com/vulns/cprid-2148/; reference:cve,2020-6008; classtype:attempted-admin; sid:2030644; rev:1; metadata:created_at 2020_08_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (sara2011 .no-ip.biz)"; dns.query; content:"sara2011.no-ip.biz"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023258; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible InnocenceBot CnC"; ja3.hash; content:"9551e38f83daab8bcbc283ec0806cf65"; reference:md5,6a2749a5ab44dda4ed6459c8ca36ca64; classtype:unknown; sid:2030645; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (wininit .myq-see.com)"; dns.query; content:"wininit.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com Mar 31 M3"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"mail"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032013; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (appleupdate .com)"; dns.query; content:"appleupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023299; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; http.header; content:"Content-Type|3a 20|text/plain|3b|charset=UTF-8|0d 0a|Host|3a 20|"; depth:46; fast_pattern; content:"Expect|3a 20|100-continue|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,31cf042e91de7492c86e1ad02dc9eaec; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:command-and-control; sid:2023811; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family DustSky_related_Implant, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (apple-iclouds .net)"; dns.query; content:"apple-iclouds.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023300; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shafttt MySQL Bruteforce Bot CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"get="; fast_pattern; depth:4; pcre:"/^get=\d+(?:$|&)/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:52; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb4ab17468984f1b292adac9f745cb2b; classtype:command-and-control; sid:2023815; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Shafttt, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (itunes-helper .net)"; dns.query; content:"itunes-helper.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023301; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"GALX="; fast_pattern; content:"bgresponse="; nocase; distance:0; content:"Email="; nocase; distance:0; content:"Passwd="; nocase; distance:0; classtype:credential-theft; sid:2032179; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"bonmawp.at"; depth:10; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023331; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows Update/Microsoft FP Flowbit"; flow:established,to_server; flowbits:set,ET.INFO.WindowsUpdate; flowbits:noalert; http.host; content:".windowsupdate.com"; endswith; classtype:trojan-activity; sid:2023818; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"wallymac.com"; depth:12; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023332; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phishing 2016-12-12"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"chaseonline.chase.com"; nocase; content:"<title>Chase Online"; nocase; fast_pattern; classtype:credential-theft; sid:2032202; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed AgentTesla Domain Request"; dns.query; content:"agenttesla.com"; depth:14; nocase; endswith; fast_pattern; reference:md5,32f3fa6b80904946621551399be32207; classtype:trojan-activity; sid:2023354; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, malware_family Keylogger, malware_family AgentTesla, malware_family Backdoor, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netgear WNR2000v5 Possible Serial Number Leak"; flow:to_server,established; http.uri; content:"/BRS_netgear_success.html"; nocase; reference:cve,2016-10175; reference:url,cve.circl.lu/cve/CVE-2016-10175; classtype:attempted-recon; sid:2023830; rev:3; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftsupp .com)"; dns.query; content:"microsoftsupp.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023355; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login"; depth:5; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024560; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (aljazeera-news .com)"; dns.query; content:"aljazeera-news.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023356; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e-mail="; depth:7; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024566; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ausameetings .com)"; dns.query; content:"ausameetings.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023357; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"feedback="; depth:9; fast_pattern; nocase; content:"&feedback"; nocase; distance:0; content:"&feedback"; nocase; distance:0; classtype:credential-theft; sid:2024567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (bbc-press .org)"; dns.query; content:"bbc-press.org"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023358; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Editbox1="; depth:9; nocase; content:"&Editbox2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024568; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cnnpolitics .eu)"; dns.query; content:"cnnpolitics.eu"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023359; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailyforeignnews .com)"; dns.query; content:"dailyforeignnews.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023360; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"name"; depth:7; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024570; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailypoliticsnews .com)"; dns.query; content:"dailypoliticsnews.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023361; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defenceiq .us)"; dns.query; content:"defenceiq.us"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023362; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Turla Kopiluwak User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64)|3b 20|"; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:targeted-activity; sid:2023868; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, malware_family Turla_Kopiluwak, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defencereview .eu)"; dns.query; content:"defencereview.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023363; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/assets/"; fast_pattern; content:"."; distance:100; pcre:"/\/assets(?:\/[a-zA-Z0-9_]+)+\.(?:jpeg|gif)$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.user_agent; pcre:"/^(?:Mozilla\/|Shockwave)/i"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:command-and-control; sid:2023870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (diplomatnews .org)"; dns.query; content:"diplomatnews.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023364; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible iKittens OSX MacDownloader CNC Beacon"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/Servermac.php"; depth:14; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:command-and-control; sid:2023876; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category MALWARE, malware_family MacDownloader, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euronews24 .info)"; dns.query; content:"euronews24.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023365; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (Redirect to Download PDF) 2016-02-08"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<META HTTP-EQUIV="; nocase; within:100; fast_pattern; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:25; content:"url="; nocase; within:25; content:".php"; nocase; within:25; classtype:credential-theft; sid:2032176; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euroreport24 .com)"; dns.query; content:"euroreport24.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023366; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Action=SecurityCheck"; nocase; fast_pattern; http.header; content:".php?Action="; http.request_body; content:"csc="; depth:4; nocase; classtype:credential-theft; sid:2032183; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kg-news .org)"; dns.query; content:"kg-news.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023367; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Microsoft Official Support"; nocase; fast_pattern; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:social-engineering; sid:2023889; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (military-info .eu)"; dns.query; content:"military-info.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M2 Feb 13 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"#dob"; nocase; content:".mask"; within:10; content:"#ccexp"; nocase; distance:0; content:".mask"; within:10; content:"#ssn"; nocase; distance:0; content:".mask"; within:10; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; classtype:social-engineering; sid:2025667; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryadviser .org)"; dns.query; content:"militaryadviser.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Secure redirect"; nocase; fast_pattern; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; classtype:social-engineering; sid:2025675; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryobserver .net)"; dns.query; content:"militaryobserver.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoShield Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"id="; depth:3; content:"&numbers=-----"; content:"BEGIN|20|PRIVATE|20|KEY"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,ef815146b802cfd6a5fb67d1f9267745; classtype:command-and-control; sid:2023814; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-hq .com)"; dns.query; content:"nato-hq.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023371; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.RETRIEVER CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asmx"; http.request_body; content:"<ip>"; content:"</ip><mac>"; distance:0; content:"</mac><host>"; distance:0; fast_pattern; content:"</host>"; distance:0; reference:md5,012f79570f720b997b9ef4ef327dd2da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023950; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-news .com)"; dns.query; content:"nato-news.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023372; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type both,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/userRpm/"; depth:9; fast_pattern; content:"&dnsserver="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023995; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natoint .com)"; dns.query; content:"natoint.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023373; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar CnC Beacon"; flow:established,to_server; http.uri; content:"=11&"; content:"=2"; distance:1; within:8; content:"&"; distance:6; within:7; content:"=410&"; distance:1; within:11; content:"=650&"; distance:1; within:11; fast_pattern; content:"=51"; distance:1; within:9; pcre:"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51$/"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023965; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natopress .com)"; dns.query; content:"natopress.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023374; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sucessful Generic Phish (set) 2020-08-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&form_item"; fast_pattern; content:"&form_item"; distance:0; classtype:credential-theft; sid:2030646; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-info .com)"; dns.query; content:"osce-info.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023375; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"locked.php"; nocase; content:"Account-Unlock"; nocase; distance:0; fast_pattern; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-press .org)"; dns.query; content:"osce-press.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023376; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&txtCelular="; nocase; content:"&txtSenhaCartao="; nocase; distance:0; fast_pattern; content:"btnLogIn"; nocase; distance:0; classtype:credential-theft; sid:2024002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (pakistan-mofa .net)"; dns.query; content:"pakistan-mofa.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023377; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicalreview .eu)"; dns.query; content:"politicalreview.eu"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023378; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Opera Adblocker Update Flowbit Set"; flow:established,to_server; flowbits:set,ET.opera.adblock; flowbits:noalert; http.host; content:"get.geo.opera.com.global.prod.fastly.net"; bsize:40; classtype:not-suspicious; sid:2024006; rev:3; metadata:created_at 2017_02_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicsinform .com)"; dns.query; content:"politicsinform.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023379; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?apikey="; content:"&compuser="; distance:0; content:"&sid="; distance:0; content:"&phase="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; fast_pattern; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ad8a7a383971ce0f5fc51e909e406996; classtype:command-and-control; sid:2024120; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (reuters-press .com)"; dns.query; content:"reuters-press.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"self.location.replace("; within:100; fast_pattern; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:social-engineering; sid:2024007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (shurl .biz)"; dns.query; content:"shurl.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023381; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"step=confirmation"; depth:17; nocase; content:"&rt="; nocase; distance:0; content:"&rp="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&whichForm="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Parola="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024009; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (stratforglobal .net)"; dns.query; content:"stratforglobal.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NumarCard="; depth:10; nocase; fast_pattern; content:"&CVV="; nocase; distance:0; content:"&Luna="; nocase; distance:0; content:"&NumeCard="; nocase; distance:0; content:"&PrenumeCard="; nocase; distance:0; content:"&NumedeContact="; nocase; distance:0; content:"&NumardeTelefon="; nocase; distance:0; content:"&EmaildeContact="; nocase; distance:0; content:"&cryptedStepCheck="; nocase; distance:0; classtype:credential-theft; sid:2024010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (thediplomat-press .com)"; dns.query; content:"thediplomat-press.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023383; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/webapps/"; content:"/websrc"; distance:5; within:7; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/i"; classtype:social-engineering; sid:2024018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (theguardiannews .org)"; dns.query; content:"theguardiannews.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023384; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?comp="; nocase; depth:16; fast_pattern; content:"&id="; nocase; distance:0; content:"_{"; distance:0; reference:md5,58aee970b06e67c9047836710f28e205; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024022; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (trend-news .org)"; dns.query; content:"trend-news.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023385; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Backdoor CnC POST"; flow:to_server,established; http.method; content:"POST"; http.header; content:"|42 30 75 4e 64 34 52 79 5f 24 0d 0a|"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|uuid|22|"; reference:md5,58aee970b06e67c9047836710f28e205; reference:md5,8d6d246c5c660691c59405ee2914a020; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024023; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unian-news .info)"; dns.query; content:"unian-news.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023386; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Variant 1 Backdoor Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.request_body; content:"comp="; nocase; depth:5; fast_pattern; content:"&id="; distance:0; nocase; content:"_{"; distance:0; nocase; content:"}_"; distance:0; nocase; content:"&sysinfo="; distance:0; nocase; reference:md5,c56c677b52e795710e77aa2d4f12b70a; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024024; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unitednationsnews .eu)"; dns.query; content:"unitednationsnews.eu"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Variant 2 Backdoor Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.request_body; content:"fid="; depth:4; nocase; content:"&versiya="; nocase; distance:0; fast_pattern; content:"&comp="; nocase; distance:0; content:"&id="; nocase; distance:0; content:"&sysinfo="; nocase; distance:0; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024025; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (virusdefender .org)"; dns.query; content:"virusdefender.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023388; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pteranodon Variant 3 Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?fid="; depth:15; content:"&versiya="; nocase; distance:0; fast_pattern; content:"&comp="; nocase; distance:0; content:"&id="; nocase; distance:0; content:"&sysinfo="; nocase; distance:0; reference:md5,2f0f78038c8a2f6177d266c62cadd756; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:command-and-control; sid:2024026; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldmilitarynews .org)"; dns.query; content:"worldmilitarynews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023389; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon File Stealer POST"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|filename|22|"; nocase; content:"form-data|3b 20|name=|22|compname|22|"; distance:0; nocase; content:"form-data|3b 20|name=|22|serial|22|"; distance:0; nocase; fast_pattern; content:"form-data|3b 20|name=|22|w|22|"; distance:0; nocase; content:"form-data|3b 20|name=|22|filesize|22|"; distance:0; nocase; content:"form-data|3b 20|name=|22|file|22|"; distance:0; nocase; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,1a81516780c2c5a966261cc47478133c; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/; classtype:trojan-activity; sid:2024027; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category TROJAN, malware_family Gamaredon, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldpoliticsnews .org)"; dns.query; content:"worldpoliticsnews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023390; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?model="; nocase; content:"&brand="; nocase; distance:0; content:"&osversion="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&voluumdata=BASE64"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024033; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_03_06, deployment Internet, former_category CURRENT_EVENTS, malware_family Fake_Alert, signature_severity Minor, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (capisp .com)"; dns.query; content:"capisp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023391; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M1 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"liamguname="; depth:11; nocase; fast_pattern; content:"&Button1="; distance:0; nocase; classtype:credential-theft; sid:2032181; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dataclen .org)"; dns.query; content:"dataclen.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023392; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"liamgphn="; depth:9; nocase; content:"&liamgrecoveryem="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032185; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (mscoresvw .com)"; dns.query; content:"mscoresvw.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023393; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Bank (FR) Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"origine="; nocase; content:"&situationTravail="; nocase; distance:0; content:"&canal="; nocase; distance:0; content:"&typeAuthentification="; nocase; distance:0; content:"&idUnique="; nocase; distance:0; content:"&caisse="; nocase; distance:0; content:"&CCCRYC="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032186; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowscheckupdater .net)"; dns.query; content:"windowscheckupdater.net"; depth:23; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023394; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern; classtype:social-engineering; sid:2025662; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (acledit .com)"; dns.query; content:"acledit.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023395; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"aqsatv.ps"; startswith; reference:url,nctc.gov/site/groups/hamas.html; classtype:policy-violation; sid:2023874; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (biocpl .org)"; dns.query; content:"biocpl.org"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023396; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots VBS Backdoor CnC Beacon 1"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/Hello"; http.request_body; content:"varname="; depth:8; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:command-and-control; sid:2023654; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category MALWARE, malware_family TeleBots_payload, signature_severity Major, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ciscohelpcenter .com)"; dns.query; content:"ciscohelpcenter.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeleBots BCS-server User-Agent"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0|3b|"; fast_pattern; bsize:12; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/; classtype:trojan-activity; sid:2023653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category TROJAN, malware_family TeleBots_payload, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (timezoneutc .com)"; dns.query; content:"timezoneutc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shared Document Base64 Phishing Landing 2016-01-20"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|base64"; nocase; fast_pattern; content:"PCFET0NUWVBFIGh0bWw+"; distance:1; within:21; reference:md5,0c9a677efd2762c4d5d759c294bc00d7; classtype:social-engineering; sid:2032175; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (inteldrv64 .com)"; dns.query; content:"inteldrv64.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023409; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; fast_pattern; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/i"; classtype:trojan-activity; sid:2022519; rev:5; metadata:created_at 2016_02_13, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (advpdxapi .com)"; dns.query; content:"advpdxapi.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023410; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-free.ru Domain"; flow:to_server,established; http.host; content:".dns-free.com"; endswith; classtype:bad-unknown; sid:2022380; rev:4; metadata:created_at 2016_01_20, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cloudflarecdn .com)"; dns.query; content:"cloudflarecdn.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023411; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyn-dns.ru Domain"; flow:to_server,established; http.host; content:".dyn-dns.ru"; endswith; classtype:bad-unknown; sid:2022379; rev:4; metadata:created_at 2016_01_20, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (driversupdate .info)"; dns.query; content:"driversupdate.info"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsip.ru Domain"; flow:to_server,established; http.host; content:".dnsip.ru"; endswith; classtype:bad-unknown; sid:2022378; rev:3; metadata:created_at 2016_01_20, former_category INFO, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kenlynton .com)"; dns.query; content:"kenlynton.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsalias.ru Domain"; flow:to_server,established; http.host; content:".dnsalias.ru"; endswith; classtype:bad-unknown; sid:2022377; rev:4; metadata:created_at 2016_01_20, former_category INFO, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftdriver .com)"; dns.query; content:"microsoftdriver.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NetBackdoor User-Agent (.net backdoor)"; flow:to_server,established; http.user_agent; content:"|2e|net backdor"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022245; rev:3; metadata:created_at 2015_12_12, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsofthelpcenter .info)"; dns.query; content:"microsofthelpcenter.info"; depth:24; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Lookup Geoip.co.uk"; flow:established,to_server; urilen:1; http.host; content:"www.geoip.co.uk"; startswith; reference:md5,fa05d4f1558a9581a14936c0ab3723f7; classtype:external-ip-check; sid:2022123; rev:3; metadata:created_at 2015_11_20, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nortonupdate .org)"; dns.query; content:"nortonupdate.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023416; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; distance:0; content:"&builddate="; distance:0; content:"&q="; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021226; rev:3; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (softwaresupportsv .com)"; dns.query; content:"softwaresupportsv.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023417; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/8"; flow:established,to_server; http.user_agent; content:"Mozilla/8"; nocase; depth:9; classtype:bad-unknown; sid:2016693; rev:6; metadata:created_at 2013_04_02, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (symantecsupport .org)"; dns.query; content:"symantecsupport.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023418; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeuS Post to C&C footer.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/footer.php"; http.header_names; content:!"Accept-"; classtype:command-and-control; sid:2016328; rev:3; metadata:created_at 2013_02_01, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatecenter .name)"; dns.query; content:"updatecenter.name"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023419; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Fragus Exploit jar Download"; flow:established,to_server; http.uri; content:"_.jar?"; pcre:"/\w_\.jar\?[a-f0-9]{8}$/"; classtype:exploit-kit; sid:2014802; rev:4; metadata:created_at 2012_05_23, former_category CURRENT_EVENTS, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatesystems .net)"; dns.query; content:"updatesystems.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023420; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/UltimateDefender.FakeAV Checkin"; flow:established,to_server; http.uri; content:"/show_module.php?IsAutoGeneratedPage="; content:"&asked_billing_id="; content:"&original_asked_billing_id="; content:"&brokerid="; content:"&country="; content:"&customid="; content:"&product="; content:"&custom_param="; content:"&extparam="; content:"&nums="; reference:md5,cec40236236466a1acb33aca3220eebe; classtype:command-and-control; sid:2014566; rev:4; metadata:created_at 2012_04_16, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updmanager .com)"; dns.query; content:"updmanager.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023421; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.tv domain"; flow:to_server,established; http.host; content:".co.tv"; endswith; classtype:bad-unknown; sid:2012955; rev:5; metadata:created_at 2011_06_08, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowsappstore .net)"; dns.query; content:"windowsappstore.net"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023422; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql"; flow:established,to_server; http.uri; content:"/setting.nql"; nocase; reference:md5,a70aad8f27957702febfa162556dc5b5; classtype:trojan-activity; sid:2012201; rev:5; metadata:created_at 2011_01_17, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"securityprotectingcorp.com"; depth:26; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023658; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_03, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Hide IP Installation file download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/proxyshell_hide_ip_setup.exe"; nocase; reference:url,www.browserdefender.com/file/484661/site/putas18.info/; reference:url,doc.emergingthreats.net/2010792; classtype:policy-violation; sid:2010972; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .about.jkub.com)"; dns.query; content:"www.about.jkub.com"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Anonymous Access Connection"; flow:established,to_server; http.uri; content:"/services/get_proxies/"; reference:url,doc.emergingthreats.net/2010969; classtype:policy-violation; sid:2010969; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .eleven.mypop3.org)"; dns.query; content:"www.eleven.mypop3.org"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n/"; pcre:"/\/n\/\d{15}$/"; http.request_body; content:"content=eyJ"; depth:11; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:command-and-control; sid:2018630; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .backus.myftp.name)"; dns.query; content:"www.backus.myftp.name"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>System Virus Alert"; nocase; fast_pattern; content:"|3a|-webkit-full-screen"; nocase; distance:0; classtype:social-engineering; sid:2024042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (tibetvoices .com)"; dns.query; content:"tibetvoices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023526; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&entrada_1="; nocase; distance:0; fast_pattern; content:"&entrada_2="; nocase; distance:0; content:"&entrada_3="; nocase; distance:0; content:"&entrada_4="; nocase; distance:0; content:"&looking1="; nocase; distance:0; classtype:credential-theft; sid:2023697; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"microsoftfont.com"; depth:17; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023666; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3"; flow:to_server,established; http.header; content:"Content-Type|3a 20|%{(#"; nocase; fast_pattern; content:"multipart/form-data"; classtype:web-application-attack; sid:2024045; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"xpknpxmywqsr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023601; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Mar 13 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"aliasDispatcher="; depth:16; nocase; content:"&indBNCFunds="; nocase; distance:0; content:"&accountNumber1="; nocase; distance:0; content:"&cardExpirDate="; nocase; distance:0; fast_pattern; content:"&registrationMode="; nocase; distance:0; content:"&cardActionTypeSelected="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&clientIpAdress="; nocase; distance:0; content:"&clientUserAgent="; nocase; distance:0; content:"&clientScreenResolution="; nocase; distance:0; classtype:credential-theft; sid:2024047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bwhrdaumwuvn.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023603; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; classtype:social-engineering; sid:2025679; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bpmsfckfkrpr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023604; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Instagram Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cek=login"; depth:9; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2024051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"oornsduuwjli.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023605; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_cmd="; depth:10; nocase; content:"&login_params="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kedbuffigfjs.online"; depth:19; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023632; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appid="; depth:6; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pwd"; nocase; distance:0; classtype:credential-theft; sid:2024060; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"srrys.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023633; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; nocase; content:"&dob="; nocase; distance:0; content:"&cchn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expdate="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; classtype:credential-theft; sid:2024061; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kciap.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023635; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"data=domain%253a"; depth:16; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"mziep.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023636; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name="; nocase; content:"mswebdialog-title"; nocase; distance:1; within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; classtype:social-engineering; sid:2025664; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"tr069.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023637; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 / Revenge Ransomware Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&count="; distance:0; fast_pattern; pcre:"/^id=[0-9A-Z]+&count=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,116fbce554b25829b17b6e47990821b4; classtype:command-and-control; sid:2024056; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_08_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv602 .ddns.net)"; dns.query; content:"srv602.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023642; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; http.header; content:"JGFyZ3MgPSBh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:7; metadata:created_at 2011_11_22, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (updatesync .com)"; dns.query; content:"updatesync.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023643; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; http.header; content:"QHB5dGhvbl9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:6; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (svnservices .com)"; dns.query; content:"svnservices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023644; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.ACUT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; bsize:38; http.request_body; content:"plugin="; depth:7; content:"&windows="; content:"&user="; content:"&av="; content:"&bs="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,219cf8b022d3933ba46f482478450f49; classtype:command-and-control; sid:2024099; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category MALWARE, malware_family Banload, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (mynetenergy .com)"; dns.query; content:"mynetenergy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023645; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; http.header; content:"multipart/form-data"; nocase; http.request_body; content:"Content-Disposition|3a|"; nocase; content:"filename"; nocase; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/mi"; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:4; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (windriversupport .com)"; dns.query; content:"windriversupport.com"; depth:20; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023646; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 22 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"identif="; depth:8; nocase; content:"&elserr="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (truecrypte .org)"; dns.query; content:"truecrypte.org"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023647; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&K1="; nocase; distance:0; content:"&Q1="; nocase; distance:0; classtype:credential-theft; sid:2024101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (edicupd002 .com)"; dns.query; content:"edicupd002.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023648; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)"; flow:to_server,established; http.header; content:"If|3a 20 3c|"; pcre:"/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/mi"; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:3; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2017_03_28, cve cve_2017_7269, deployment Datacenter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (jourrapid .com)"; dns.query; content:"jourrapid.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023649; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino ping"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_src; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|7|0d 0a|"; nocase; http.request_body; content:"ping=1|0a|"; depth:7; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2019211; rev:5; metadata:created_at 2014_09_22, former_category TROJAN, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (true-crypte .website)"; dns.query; content:"true-crypte.website"; depth:19; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023650; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Cookie"; flow:to_server,established; http.cookie; content:"=21232f297a57a5a743894a0e4a801fc3"; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020093; rev:5; metadata:created_at 2015_01_05, former_category TROJAN, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (myrappid .com)"; dns.query; content:"myrappid.com"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023651; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Neutrino Bot Fake 404 Checkin Response"; flow:to_client,established; http.stat_code; content:"404"; file.data; content:"<!--"; distance:0; content:"NCMD|3a|"; within:6; reference:url,blog.fortinet.com/post/hiding-malicious-traffic-under-the-http-404-error; classtype:command-and-control; sid:2020949; rev:4; metadata:created_at 2015_04_20, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice.B DNS Lookup (appexsrv .net)"; dns.query; content:"appexsrv.net"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family DealersChoice_B, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"auth=1"; bsize:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2022462; rev:4; metadata:created_at 2016_01_27, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"globalresearching.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023659; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin 3"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"exec=1&task_id="; depth:15; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,25bd222c947fcbb7e1fb9f6e176ea53f; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2022463; rev:4; metadata:created_at 2016_01_27, former_category MALWARE, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"shcserv.com"; depth:11; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023660; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024133; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobeupgradeflash.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023661; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024134; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"gpufps.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023662; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024135; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobe-flash-updates.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023663; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024136; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"versiontask.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023664; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024137; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"webcdelivery.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023665; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024138; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/SEDNIT Uploader Variant DNS Lookup"; dns.query; content:"postlkwarn.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023667; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.bz"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; classtype:trojan-activity; sid:2023728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024140; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (gtranm .com)"; dns.query; content:"gtranm.com"; depth:10; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023761; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024141; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (zpfgr .com)"; dns.query; content:"zpfgr.com"; depth:9; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023762; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; http.stat_code; content:"302"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; pcre:"/^\d+[\r\n\x2f]/mi"; http.content_type; content:"text/html"; startswith; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:exploit-kit; sid:2024142; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RIG, signature_severity Major, tag Redirector, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX Backdoor Quimitchin DNS Lookup"; dns.query; content:"eidk.hopto.org"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/; reference:md5,e4744b9f927dc8048a19dca15590660c; classtype:trojan-activity; sid:2023763; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, malware_family Quimitchin, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin 6"; flow:to_server,established; http.method; content:"POST"; http.cookie; content:"authkeys="; http.request_body; content:"auth=1"; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,656766ad934aa482cbe78f1bca6dadc2; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2024179; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Neutrino, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (webfile .myq-see.com)"; dns.query; content:"webfile.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023777; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Accessed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:".php"; endswith; http.request_body; content:"password="; startswith; content:"&action=login&hide="; fast_pattern; distance:0; content:"&username="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030650; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadmyhost .zapto.org)"; dns.query; content:"downloadmyhost.zapto.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023778; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?ganteng"; endswith; fast_pattern; http.referer; content:".php?ganteng"; endswith; http.request_body; content:"key=password&method="; startswith; content:"&submit="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030651; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (help2014 .linkpc.net)"; dns.query; content:"help2014.linkpc.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023779; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnumber="; depth:8; nocase; fast_pattern; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&cname="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024185; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (safara .sytes.net)"; dns.query; content:"safara.sytes.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023780; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Archer C2 and Archer C20i Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi?"; nocase; http.header; content:"/mainFrame.htm"; http.request_body; content:"IPPING"; nocase; content:"X_TP_ConnName=ewan_ipoe_s"; fast_pattern; reference:url,github.com/reverse-shell/routersploit/blob/master/routersploit/modules/exploits/tplink/archer_c2_c20i_rce.py; classtype:command-and-control; sid:2024191; rev:3; metadata:affected_product TPLINK, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (exportball .servegame.org)"; dns.query; content:"exportball.servegame.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023781; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File Download Flowbit Set"; flow:established,to_client; flowbits:set,et.http.hta; flowbits:noalert; http.content_type; content:"application/hta"; fast_pattern; startswith; classtype:not-suspicious; sid:2024195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (viewnet .better-than.tv)"; dns.query; content:"viewnet.better-than.tv"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023782; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mole Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"guid="; depth:5; fast_pattern; content:"&ver="; distance:0; pcre:"/^guid=[^&]+?&ver=[^&]+?(?:&fc=[^\r\n]+)?$/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/; reference:md5,31c2e85ef5e4c0009e1f18794527b4ca; classtype:command-and-control; sid:2024203; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Mole, signature_severity Major, tag c2, updated_at 2020_08_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (down .downloadoneyoutube.co.vu)"; dns.query; content:"down.downloadoneyoutube.co.vu"; depth:29; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023783; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Hidden-Tear Variant Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?rid=ClsgIFVzZXItSUQgIF0gID"; fast_pattern; pcre:"/\.php\?rid=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; http.header; content:"Ransom|3a 20|Client|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b991a99335b01bed8da4401fee1f2d45; classtype:command-and-control; sid:2024204; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, signature_severity Major, tag Ransomware, updated_at 2020_08_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (netstreamag .publicvm.com)"; dns.query; content:"netstreamag.publicvm.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023784; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nuke Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Expect|3a 20|100-continue"; http.request_body; content:"machine="; depth:8; fast_pattern; pcre:"/^machine=[^&]+$/Pi"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.spyware-techie.com/nuke-ransomware-removal-guide; reference:md5,ff0e42146794f0d080df0467337b2d01; classtype:command-and-control; sid:2023335; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Nuke, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (subsidiaryohio .linkpc.net)"; dns.query; content:"subsidiaryohio.linkpc.net"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE YAHOOYLO Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"|50 4b 03 04|"; startswith; content:"Information.txt"; distance:0; content:"=Hardware Info==========================|0d 0a|Username|3a 20|"; distance:0; fast_pattern; reference:md5,437e3fb3c14f32644df9c6168ca4fa2c; classtype:command-and-control; sid:2030648; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family YAHOOYLO, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (helpyoume .linkpc.net)"; dns.query; content:"helpyoume.linkpc.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023787; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID Observed Domain (loadfreeman .casa in TLS SNI)"; flow:established,to_server; tls.sni; content:"loadfreeman.casa"; bsize:16; reference:url,twitter.com/James_inthe_box/status/1290773214520434690; reference:md5,fd9a5b9781fc31c32ce8cf2ce54633ff; classtype:trojan-activity; sid:2030653; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadtesting .com)"; dns.query; content:"downloadtesting.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023788; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (deactivate .best in TLS SNI)"; flow:established,to_server; tls.sni; content:"deactivate.best"; bsize:15; reference:md5,67b0f8b2b72d43842dabb735c0e400d3; classtype:trojan-activity; sid:2030654; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com)"; dns.query; content:"gameoolines.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023789; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (deactivate .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"deactivate.pw"; bsize:13; reference:md5,67b0f8b2b72d43842dabb735c0e400d3; classtype:trojan-activity; sid:2030655; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (onlinesoft .space)"; dns.query; content:"onlinesoft.space"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023790; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (80frontluzkher .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"80frontluzkher.xyz"; bsize:18; reference:md5,6ee6c4ec4ad96b7ca27ae2bde4d6cd3b; classtype:trojan-activity; sid:2030656; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (newphoneapp .com)"; dns.query; content:"newphoneapp.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023791; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (bruzilovv .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"bruzilovv.top"; bsize:13; reference:md5,6ee6c4ec4ad96b7ca27ae2bde4d6cd3b; classtype:trojan-activity; sid:2030657; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gamestoplay .bid)"; dns.query; content:"gamestoplay.bid"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown AutoIt Bot - Initial Server Response"; flow:established,to_server; dsize:14; content:"Hi we see you!"; reference:md5,79c018b6e7fccef4d014721b5fd99088; classtype:command-and-control; sid:2030649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, malware_family Autoit, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (smartsftp .pw)"; dns.query; content:"smartsftp.pw"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023793; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID Domain (ldrtoyota .casa in TLS SNI)"; flow:established,to_server; tls.sni; content:"ldrtoyota.casa"; bsize:14; reference:md5,b5e40801df5010e6c18e0ad81806adf7; classtype:trojan-activity; sid:2030658; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxysupdates .com)"; dns.query; content:"galaxysupdates.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=nellscorp.com"; nocase; endswith; classtype:domain-c2; sid:2030647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxy-s .com)"; dns.query; content:"galaxy-s.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023795; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt"; flow:to_server,established; urilen:1; http.method; content:"PROPFIND"; http.header; content:"Content-Length|3a 20|0|0d 0a|Host|3a 20|"; depth:25; content:"|0d 0a|If|3a 20|<http"; fast_pattern; classtype:trojan-activity; sid:2024222; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2017_04_18, deployment Perimeter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (datasamsung .com)"; dns.query; content:"datasamsung.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023796; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office UA FB SET"; flow:established,to_server; flowbits:set,Office.UA; flowbits:noalert; http.user_agent; content:"Microsoft Office"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (progsupdate .com)"; dns.query; content:"progsupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023797; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Home/Save"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest"; nocase; http.request_body; content:"u="; depth:2; fast_pattern; nocase; content:"&p="; distance:0; nocase; classtype:credential-theft; sid:2031793; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (topgamse .com)"; dns.query; content:"topgamse.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; http.header; content:"Expires|3A 20|Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; fast_pattern; classtype:trojan-activity; sid:2024229; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (bandtester .com)"; dns.query; content:"bandtester.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023799; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/report-email/send"; nocase; http.request_body; content:"/dev-report-overview.html"; nocase; content:"|3B|"; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/i"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:3; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (speedbind .com)"; dns.query; content:"speedbind.com"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023800; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Requested via WGET (set)"; flow:to_server,established; flowbits:set,ET.armwget; flowbits:noalert; http.method; content:"GET"; http.uri; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/"; http.user_agent; content:"Wget/"; depth:5; fast_pattern; classtype:policy-violation; sid:2024240; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ukgames .tech)"; dns.query; content:"ukgames.tech"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ARM Binary Requested via WGET to Known IoT Malware Domain"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/\.(?:arm(?:5n|7)?|m(?:ips|psl))$/"; http.user_agent; content:"Wget/"; depth:5; http.host; content:"ntp.gtpnet.ir"; startswith; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024243; rev:3; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .publicvm.com)"; dns.query; content:"wallanews.publicvm.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023802; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful OWA Phish Apr 25 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:credential-theft; sid:2024999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .sytes.net)"; dns.query; content:"wallanews.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ Default HTTP Headers"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Referrer|3a 20|"; content:"|0d 0a|TlEo|3a 20|"; fast_pattern; classtype:trojan-activity; sid:2024247; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (noredirecto .redirectme.net)"; dns.query; content:"noredirecto.redirectme.net"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DANDERSPRITZ HTTP Beacon"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a|0000"; http.request_body; content:"|f0 00 00 00 45 ff 11 ff f0 44 00 00|"; fast_pattern; offset:0; classtype:trojan-activity; sid:2024248; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (dynamicipaddress .linkpc.net)"; dns.query; content:"dynamicipaddress.linkpc.net"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saker UA"; flow:established,to_server; http.user_agent; content:"Mozilla/"; depth:8; content:"|20|MSIE|20|"; distance:0; content:"|3b 20|Wis NT|20|"; distance:0; fast_pattern; content:"|3b 20|.NET CLR|20|"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html; reference:md5,b362f833c9d6e5bed19aeec5a5b868ea; classtype:trojan-activity; sid:2018321; rev:7; metadata:created_at 2014_03_26, former_category TROJAN, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadlog .linkpc.net)"; dns.query; content:"downloadlog.linkpc.net"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3"; flow:to_server,established; http.header; content:"substr{"; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/mi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024279; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (havan .qhigh.com)"; dns.query; content:"havan.qhigh.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023807; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2"; flow:to_server,established; http.uri; content:"action=lostpassword"; nocase; fast_pattern; http.header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/mi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024278; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (kolabdown .sytes.net)"; dns.query; content:"kolabdown.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023808; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NewHT Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?computerName="; fast_pattern; content:"&userName="; distance:0; content:"&key="; distance:0; content:"&id="; distance:0; content:"&time="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2e0ebb7a21d16ab6fa908f74bee260d6; classtype:command-and-control; sid:2024280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family NewHT, signature_severity Major, tag Ransomware, updated_at 2020_08_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (rotter2 .publicvm.com)"; dns.query; content:"rotter2.publicvm.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023809; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-03-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appleId="; nocase; fast_pattern; content:"accountPassword="; nocase; content:"appIdKey="; nocase; classtype:credential-theft; sid:2032178; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ftpserverit .otzo.com)"; dns.query; content:"ftpserverit.otzo.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"sort="; nocase; pcre:"/sort\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE iKittens OSX MacDownloader DNS Lookup (officialswebsites .info)"; dns.query; content:"officialswebsites.info"; depth:22; nocase; endswith; fast_pattern; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:trojan-activity; sid:2023877; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family MacDownloader, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"orderby="; nocase; pcre:"/orderby\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Miniproxy Cloned Page - Possible Phishing Landing"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<!-- Proxified page constructed by miniProxy"; fast_pattern; nocase; within:100; reference:url,github.com/joshdick/miniProxy; classtype:social-engineering; sid:2024283; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (websecuranalityc.com)"; dns.query; content:"websecuranalityc.com"; depth:20; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023894; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Edge on Windows 10 SET"; flow:established,to_server; flowbits:set,ET_EDGE_UA; flowbits:noalert; http.user_agent; content:"Windows NT 10."; content:"Edge/12."; distance:0; fast_pattern; classtype:misc-activity; sid:2023197; rev:5; metadata:affected_product Microsoft_Edge_Browser, created_at 2016_09_13, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, tag User_Agent, updated_at 2020_08_05;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (liveskansys.com)"; dns.query; content:"liveskansys.com"; depth:15; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023895; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HOME_NET [16992,16993,623,664] (msg:"ET EXPLOIT Intel AMT Login Attempt Detected (CVE 2017-5689)"; flow:to_server,established; http.header; content:"Authorization|3a 20|Digest"; content:"username=|22|"; content:"response="; fast_pattern; pcre:"/^\s*\x22{2}/R"; reference:url,mjg59.dreamwidth.org/48429.html; reference:url,www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability; reference:cve,2017-5689; classtype:attempted-admin; sid:2024287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_10, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (iusacell-movil .com.mx)"; dns.query; content:"iusacell-movil.com.mx"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023898; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner"; flow:established,to_server; http.user_agent; content:"SQL"; nocase; depth:200; content:"Inject"; nocase; distance:0; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; classtype:attempted-recon; sid:2010087; rev:8; metadata:affected_product Web_Server_Applications, affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, former_category HUNTING, signature_severity Major, tag SQL_Injection, tag User_Agent, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smsmensaje .mx)"; dns.query; content:"smsmensaje.mx"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023899; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner"; flow:established,to_server; http.user_agent; content:"web"; nocase; depth:200; content:"scan"; nocase; distance:0; reference:url,doc.emergingthreats.net/2010088; classtype:attempted-recon; sid:2010088; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (zkdef09i7ola.net)"; dns.query; content:"zkdef09i7ola.net"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023932; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan"; flow:established,to_server; http.user_agent; content:"security"; nocase; content:"scan"; nocase; distance:0; reference:url,doc.emergingthreats.net/2010089; classtype:attempted-recon; sid:2010089; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (chrome-up .date)"; dns.query; content:"chrome-up.date"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023953; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Accept-Language HTTP Header zh-cn likely Kernelbot/Conficker Trojan Related"; flow:established,to_server; flowbits:set,ET.ms08067_header; flowbits:noalert; http.header; content:"Accept-Language|3A 20|zh|2D|cn"; reference:url,doc.emergingthreats.net/bin/view/Main/2008738; classtype:not-suspicious; sid:2008738; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (timezone .live)"; dns.query; content:"timezone.live"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023954; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Landing Page (aid sid)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?aid="; nocase; fast_pattern; content:"&sid="; nocase; pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/i"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html; reference:url,doc.emergingthreats.net/2010625; classtype:trojan-activity; sid:2010625; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com)"; dns.query; content:"servicesystem.serveirc.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023955; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Snake rootkit usermode-centric encrypted command from server"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"|01 00 00 00 00 00 00 00|1dM3uu4j7Fw4sjnb"; fast_pattern; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018248; rev:4; metadata:created_at 2014_03_11, former_category TROJAN, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (analytics-google .org)"; dns.query; content:"analytics-google.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023956; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork)"; flow:established,to_server; http.user_agent; content:"plaNETWORK Bot"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011243; classtype:web-application-attack; sid:2011243; rev:8; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-adm .in)"; dns.query; content:"com-adm.in"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023957; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER UA WordPress probable DDOS-Attack"; flow:established,to_server; http.user_agent; content:"Wordpress/"; depth:10; reference:url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html; reference:url,pastebin.com/NP64hTQr; classtype:bad-unknown; sid:2017528; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_09_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag Wordpress, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud)"; dns.query; content:"microsoftexplorerservices.cloud"; depth:31; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023958; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Bitcoin QR Code Generated via Btcfrog.com"; flow:established,to_server; http.uri; content:"/qr/bitcoinPNG.php?address="; fast_pattern; http.host; content:"www.btcfrog.com"; bsize:15; classtype:coin-mining; sid:2024292; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_05_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (msservice .site)"; dns.query; content:"msservice.site"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023959; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 OCSP Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/oscp/"; fast_pattern; depth:6; pcre:"/^\/oscp\/[a-z]+$/"; http.header; content:"Host|3a 20|ocsp.verisign.com|0d 0a|Accept"; depth:31; content:"Microsoft-CryptoAPI/6.1"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2ba2e7af1246da08e4fd7345c7207b59; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/oscp.profile; classtype:command-and-control; sid:2032750; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_08_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-ho .me)"; dns.query; content:"com-ho.me"; depth:9; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023960; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/EasyLocker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/(?:countdown|check)\/[a-f0-9]{30,45}\/(?:[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})?$/i"; http.host; content:"noobcrypt"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,980342a5a783d7f6ce188c575d9ca97a; classtype:command-and-control; sid:2024320; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family EasyLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (ntg-sa .com)"; dns.query; content:"ntg-sa.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023961; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?key="; fast_pattern; content:"&string="; distance:0; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:\x3a\x3a[^\x3a]+?){5,}$/i"; http.user_agent; content:"Mozilla/"; startswith; http.request_body; content:"key="; depth:4; content:"&string="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:command-and-control; sid:2024321; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family ASPC_Bot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (briefl .ink)"; dns.query; content:"briefl.ink"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023962; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload May 23 2017 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"|2e|"; http.user_agent; content:"Mozilla/5.2 (Windows NT 6.2|3b 20|rv|3a|50.2) Gecko/20200103 Firefox/50.2"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,502cb33a03c29a96a4c32ec26dce5395; classtype:trojan-activity; sid:2024325; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_23, deployment Perimeter, former_category TROJAN, malware_family Dridex, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 1"; dns.query; content:"backup.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023968; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post><input type=password name=ps><input type=submit value='>>'></form>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030659; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 2"; dns.query; content:"dataserver.cmonkey3.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023969; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post><input type=password name=ps><input type=submit value='>>'></form>"; classtype:web-application-attack; sid:2030660; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 3"; dns.query; content:"google-helps.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023970; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password<br><input type=password name=pass"; nocase; content:"background-color|3a|whitesmoke|3b|border"; distance:0; content:"type=submit name='watching' value='Login'"; distance:0; fast_pattern; classtype:web-application-attack; sid:2030661; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 4"; dns.query; content:"kpupdate.amz80.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password<br><input type=password name=pass"; nocase; content:"background-color|3a|whitesmoke|3b|border"; distance:0; content:"type=submit name='watching' value='Login'"; distance:0; fast_pattern; classtype:web-application-attack; sid:2030662; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 5"; dns.query; content:"mail-help.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; depth:5; nocase; content:"|25|40"; distance:0; content:"senha"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024576; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 6"; dns.query; content:"mail-issue.top"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023973; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha6="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; classtype:credential-theft; sid:2024328; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 7"; dns.query; content:"microsoftupdating.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023974; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2024329; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 8"; dns.query; content:"microsoftwww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023975; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"handle="; depth:7; nocase; fast_pattern; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024577; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 9"; dns.query; content:"ns1.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023976; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing May 31 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; nocase; content:"Select your email provider"; nocase; fast_pattern; distance:0; content:"Gmail"; nocase; distance:0; content:"Yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 10"; dns.query; content:"ns1.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; classtype:credential-theft; sid:2024578; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 11"; dns.query; content:"ns1.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017 M2"; flow:established,from_server; http.header; content:"Content-Description|3a 20|File Transfer"; content:"Expires|3a 20|0"; pcre:"/Content-Disposition\x3a[^\r\n]+\.exe-rc4\.exe\r\n/i"; http.cookie; content:"ci_session"; file.data; content:!"MZ"; within:2; classtype:exploit-kit; sid:2024345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 12"; dns.query; content:"ns2.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023979; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fireball Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?clients="; content:"&reqs=visit."; distance:0; http.user_agent; content:"RookIE/"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection; reference:md5,69ffdf99149d19be7dc1c52f33aaa651; classtype:trojan-activity; sid:2024348; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_03, deployment Perimeter, former_category TROJAN, malware_family Fireball, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 13"; dns.query; content:"ns2.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023980; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SUSPICIOUS Request for Grey Advertising Often Leading to EK"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?&tid="; fast_pattern; content:"&red="; distance:0; content:"&abt="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024350; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 14"; dns.query; content:"ns2.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023981; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Unk.HT-Based Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"hostname=csharp-"; depth:16; fast_pattern; content:"&enckey="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,2aa11c090fd0737e52cd532418c1211e; classtype:command-and-control; sid:2024352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_06, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Hidden_Tear, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 15"; dns.query; content:"qr1.3jd90dsj3df.website"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023982; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; content:"&Pass"; nocase; distance:0; content:"formimage"; nocase; fast_pattern; classtype:credential-theft; sid:2024579; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 16"; dns.query; content:"r4.microsoftupdating.org"; depth:24; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?key="; content:"&string="; distance:0; fast_pattern; pcre:"/\.php\?key=[^\r\n]+&string=[^\r\n]+?(?:(?:\x3a\x3a|3A3A)[^\x3a]+?){5,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,15167239effdfb68bb10467eeea2f24d; classtype:command-and-control; sid:2024322; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_18, deployment Perimeter, former_category MALWARE, malware_family ASPC_Bot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 17"; dns.query; content:"rouji.xssr.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTRS Installation Dialog (after auth) attempt"; flow:to_server,established; http.uri; content:"/otrs/index.pl?Action=Installer"; nocase; reference:cve,2017-9324; classtype:web-application-attack; sid:2024368; rev:3; metadata:affected_product OTRS, attack_target Web_Server, created_at 2017_06_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 18"; dns.query; content:"t2z0n9.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023985; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; content:"&conta="; nocase; distance:0; content:"&senha_eletronica="; nocase; distance:0; fast_pattern; content:"&senha_cartao="; nocase; distance:0; content:"&celular="; nocase; distance:0; classtype:credential-theft; sid:2024371; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 19"; dns.query; content:"temp.mail-issue.top"; depth:19; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spectre Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?mode="; content:"&crypted="; distance:0; content:"&id="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8af7ef13b6ced37d08dce0f747d7d8b; classtype:command-and-control; sid:2024373; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Spectre, signature_severity Major, tag Ransomware, updated_at 2020_08_06, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 20"; dns.query; content:"time-service.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hostinger Generic Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"wb_form_id="; nocase; depth:11; fast_pattern; content:"&message=&wb_input_0="; nocase; distance:8; within:21; content:"&wb_input_0="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; classtype:credential-theft; sid:2024375; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 21"; dns.query; content:"update.microsoftwww.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"save"; content:".asp"; within:6; pcre:"/\.asp$/"; http.request_body; content:"u="; depth:2; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2032177; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 22"; dns.query; content:"updatecz.mykorean.net"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023989; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnum="; depth:5; nocase; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024377; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 23"; dns.query; content:"uriupdate.newsbs.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023990; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE X-Malware-Sinkhole Header in HTTP Response"; flow:from_server,established; http.header; content:"X-Malware-Sinkhole|3a 20|"; classtype:trojan-activity; sid:2024378; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 24"; dns.query; content:"wwgooglewww.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; http.user_agent; content:"|20|Nmap"; fast_pattern; classtype:web-application-attack; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 25"; dns.query; content:"www.microsoftwww.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|YTS"; file.data; content:"<title>Yahoo - login"; fast_pattern; nocase; classtype:social-engineering; sid:2024390; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 26"; dns.query; content:"wwwgooglewww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023993; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; content:"passwords.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2035015; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_06, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 27"; dns.query; content:"zy.xssr.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023994; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|YTS"; file.data; content:"<title>Yahoo! Mail"; fast_pattern; nocase; classtype:social-engineering; sid:2024398; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FakeM SSL DNS Lookup (islamhood .net)"; dns.query; content:"islamhood.net"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2024005; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, malware_family FakeM_SSL, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ad-"; pcre:"/\/ad-(?:strat|devi)\/$/"; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"RgQ7"; depth:4; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_06_19, deployment Perimeter, former_category MOBILE_MALWARE, tag Android_07012016, updated_at 2020_08_06, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com)"; dns.query; content:"63ghdye17.com"; depth:13; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020839; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_03, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible SharePoint XSS (CVE-2017-8514) Inbound"; flow:to_server,established; http.uri; content:"FollowSite="; nocase; fast_pattern; content:"SiteName="; nocase; content:"-confirm"; nocase; distance:0; reference:url,respectxss.blogspot.fr/2017/06/a-look-at-cve-2017-8514-sharepoints.html; classtype:attempted-user; sid:2024412; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_06_19, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (2kjb7.net)"; dns.query; content:"2kjb7.net"; depth:9; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024105; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF HTTP Get Outbound"; flow:to_server,established; threshold: type limit, track by_src, seconds 300, count 1; http.uri; content:".js?BEEFHOOK="; fast_pattern; reference:url,beefproject.com; classtype:attempted-user; sid:2024416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1e100 .tech)"; dns.query; content:"1e100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024143; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Windows Scam ScreenLocker"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lock.php"; endswith; http.user_agent; content:"MyAgent"; fast_pattern; bsize:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,6443d8351f5ed62836003f103d8de20e; classtype:social-engineering; sid:2024417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_20, deployment Perimeter, former_category MALWARE, malware_family Screenlocker, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1m100 .tech)"; dns.query; content:"1m100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024144; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Naoinstalad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?MD="; fast_pattern; content:"Naoinstalado"; nocase; http.user_agent; content:!"Mozilla"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,f136f9ec7f7f8cb1a12a9b835183be59; reference:url,www.malware-traffic-analysis.net/2017/06/08/index.html; classtype:command-and-control; sid:2024427; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ads-youtube .online)"; dns.query; content:"ads-youtube.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024145; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lockscreen Ransomware Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:"/?page_id=93"; endswith; fast_pattern; http.request_body; content:"&page_title=Windows Security Warning&"; within:100; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/; classtype:trojan-activity; sid:2030665; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (akamaitechnology .com)"; dns.query; content:"akamaitechnology.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024146; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownLoadAdmin Activity"; flow:established,to_server; http.uri; content:"/install.php?bc="; startswith; fast_pattern; content:"&d="; content:"&cb="; http.header_names; content:"|0d 0a|user-agent|0d 0a|x-webinstallcode|0d 0a|"; reference:md5,cff290dcb07183541783bbc9ce7056b4; classtype:pup-activity; sid:2030663; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_07;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (alkamaihd .net)"; dns.query; content:"alkamaihd.net"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024147; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032180; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (azurewebsites .tech)"; dns.query; content:"azurewebsites.tech"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024148; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-08-07"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; content:"&paswd="; fast_pattern; distance:0; classtype:credential-theft; sid:2031871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (broadcast-microsoft .tech)"; dns.query; content:"broadcast-microsoft.tech"; depth:24; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024149; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda CnC Activity"; flow:established,to_server; content:".dat HTTP/1.1|0d 0a|User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|"; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf; reference:md5,2ec79d0605a4756f4732aba16ef41b22; classtype:command-and-control; sid:2030671; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (chromeupdates .online)"; dns.query; content:"chromeupdates.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024150; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:!"</title>"; nocase; within:20; content:"|26 23|x"; within:20; content:"|3b 26 23|x"; distance:2; within:4; fast_pattern; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024432; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (cloudmicrosoft .net)"; dns.query; content:"cloudmicrosoft.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024151; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flexym.myarena.site"; bsize:19; reference:md5,2e2a6ca2a4058c8a141ff23c3433bcc6; classtype:domain-c2; sid:2030669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (dnsserv .host)"; dns.query; content:"dnsserv.host"; depth:12; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024152; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY External IP Lookup SSL/TLS Certificate (ifconfig .me)"; flow:established,to_client; tls.cert_subject; content:"CN=ifconfig.me"; classtype:external-ip-check; sid:2030666; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, signature_severity Minor, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (elasticbeanstalk .tech)"; dns.query; content:"elasticbeanstalk.tech"; depth:21; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024153; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS vBulletin RCE Inbound (CVE-2019-16759 Bypass)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"subWidgets|5b|"; content:"|3b|"; distance:0; reference:url,blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/; classtype:attempted-admin; sid:2030667; rev:1; metadata:attack_target Web_Server, created_at 2020_08_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (fdgdsg .xyz)"; dns.query; content:"fdgdsg.xyz"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024154; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,from_server; http.response_body; content:"<iframe|20|"; content:"|20|src="; distance:0; pcre:"/^[\x22\x27]t(?:eamviewer(\d+|api)|v(c(hat|ontrol)|filetransfer|joinv|present|s(endfile|q(customer|support))|v(ideocall|pn))\d)/R"; content:"|3a 20|--play"; distance:0; fast_pattern; content:".tvs"; distance:0; reference:url,www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/; classtype:attempted-admin; sid:2030668; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Teamviewer, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .net)"; dns.query; content:"jguery.net"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024155; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Mobile Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|67|3b 26 23|104|3b 26 23|97|3b 26 23|115|3b 26 23|101|3b 26 23|32|3b 26 23|66|3b 26 23|97|3b 26 23|110|3b 26 23|107|3b|"; within:70; fast_pattern; content:"</title>"; distance:0; classtype:social-engineering; sid:2025691; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .online)"; dns.query; content:"jguery.online"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024156; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Petya Conn Check"; flow:established,to_server; urilen:1; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"; fast_pattern; http.host; content:"myip.com.ua"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,twitter.com/V_Baczynski/status/881051849700364288; classtype:trojan-activity; sid:2024443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-ds .com)"; dns.query; content:"microsoft-ds.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024157; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"b2="; depth:3; nocase; content:"&b1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024580; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-security .host)"; dns.query; content:"microsoft-security.host"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024158; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Blockchain title over non SSL Jul 10 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"bitcoin wallet - blockchain"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024450; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (nameserver .win)"; dns.query; content:"nameserver.win"; depth:14; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024159; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&pd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024581; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (newsfeeds-microsoft .press)"; dns.query; content:"newsfeeds-microsoft.press"; depth:25; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024160; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 11 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"IDToken"; depth:7; nocase; content:"&IDToken"; nocase; distance:0; fast_pattern; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; classtype:credential-theft; sid:2024582; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (owa-microsoft .online)"; dns.query; content:"owa-microsoft.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024161; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Agent.QJK Stealer Data Exfil Via HTTP"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; fast_pattern; pcre:"/^(?:(?:Passwords|PCinformation)\.txt|(?:Data|GrabbedTxtFiles)\.zip)\x22\r\n/Ri"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4bc4b071d9a7e482f3ecf8b2cbe10873; classtype:trojan-activity; sid:2024455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category MALWARE, malware_family Unknown, performance_impact Moderate, signature_severity Major, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (primeminister-goverment-techcenter .tech)"; dns.query; content:"primeminister-goverment-techcenter.tech"; depth:39; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024162; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; content:"password="; nocase; content:"View+PDF+Document"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032235; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (qoldenlines .net)"; dns.query; content:"qoldenlines.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024163; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Credit Card"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ccnum"; fast_pattern; content:"&exp"; distance:0; content:"&cvv"; distance:0; classtype:credential-theft; sid:2021692; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (sharepoint-microsoft .co)"; dns.query; content:"sharepoint-microsoft.co"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024164; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"q1="; content:"&answer1="; distance:0; fast_pattern; content:"&q2="; distance:0; content:"&answer2="; distance:0; content:"&q3="; distance:0; content:"&answer3="; distance:0; classtype:credential-theft; sid:2021693; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ssl-gstatic .online)"; dns.query; content:"ssl-gstatic.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024165; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Epass Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?email="; fast_pattern; http.request_body; content:"epass="; depth:6; nocase; classtype:credential-theft; sid:2032237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (trendmicro .tech)"; dns.query; content:"trendmicro.tech"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024166; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Phish M1 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"acc3="; depth:5; nocase; content:"&acc1="; nocase; distance:0; fast_pattern; content:"&acc2="; nocase; distance:0; content:"&isUtf8="; nocase; distance:0; classtype:credential-theft; sid:2032263; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns.query; content:"ntp.gtpnet.ir"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024244; rev:5; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern; content:"password-revealer"; nocase; distance:0; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:social-engineering; sid:2023047; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla Snake OSX DNS Lookup (car-service .effers.com)"; dns.query; content:"car-service.effers.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/; classtype:targeted-activity; sid:2024271; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family Snake, performance_impact Low, signature_severity Critical, tag APT, tag RUAPT, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish Aug 15 2016"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?cmd=login_submit"; nocase; fast_pattern; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2023061; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.B DNS Lookup"; dns.query; content:"handbrake.biz"; depth:13; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x1D.html; classtype:trojan-activity; sid:2024284; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family OSX_Proton, performance_impact Low, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"redirect="; depth:9; nocase; content:"&txtState="; nocase; distance:0; content:"&txtCount="; nocase; distance:0; content:"&txtOneTime="; nocase; distance:0; content:"&Account_ID="; nocase; distance:0; content:"&active_Password="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2023698; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla SHIRIME DNS Lookup"; dns.query; content:"tnsc.webredirect.org"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; classtype:targeted-activity; sid:2024286; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family SHIRIME, performance_impact Low, tag APT, tag 0day, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"firstName="; depth:10; nocase; content:"&lastName="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&securityCode="; nocase; distance:0; fast_pattern; content:"&SubmitButton="; nocase; distance:0; content:"&msg_agree="; nocase; distance:0; classtype:credential-theft; sid:2024462; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (fkksjobnn43 . org)"; dns.query; content:"fkksjobnn43.org"; depth:15; fast_pattern; endswith; nocase; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024289; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&ROLLOUT="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023770; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"check.paidprefund.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024330; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2015-12-10"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&checkedDomains="; nocase; fast_pattern; content:"&checkConnection="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"Download+Document"; nocase; distance:0; classtype:credential-theft; sid:2031797; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"syn.timeizu.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024331; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"sitedomain="; depth:11; content:"&isSiteStateEncoded="; nocase; distance:0; classtype:credential-theft; sid:2021322; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"blog.docksugs.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024332; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hotmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017753; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"news.lightpress.info"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024333; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"&_task=login&_action=login"; nocase; classtype:credential-theft; sid:2021324; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"mobile.pagmobiles.info"; depth:22; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024334; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Complete+Apple+ID+Verification"; nocase; fast_pattern; classtype:credential-theft; sid:2031755; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (orhangazitur . com)"; dns.query; content:"orhangazitur.com"; depth:16; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024339; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Fedex Phish 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc_lang="; depth:8; content:"&afterwardsURL"; fast_pattern; distance:0; content:"https%3A%2F%2Fwww.fedex.com"; distance:1; content:"&username="; distance:0; content:"&password="; distance:0; content:"&login=Login"; distance:0; classtype:credential-theft; sid:2031753; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (secure-access10 .mx)"; dns.query; content:"secure-access10.mx"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024405; rev:5; metadata:created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phish M1 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; content:"&phone="; distance:0; content:"View+Document"; distance:0; fast_pattern; classtype:credential-theft; sid:2031751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (network190 .com)"; dns.query; content:"network190.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024406; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phish 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"pcode="; depth:6; fast_pattern; content:"&Submit=Validate"; distance:0; classtype:credential-theft; sid:2031752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mymensaje-sms .com)"; dns.query; content:"mymensaje-sms.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024407; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful ABSA Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"AccessAccount="; depth:14; nocase; fast_pattern; content:"&PIN="; nocase; distance:0; content:"&Operator="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032257; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smscentro .com)"; dns.query; content:"smscentro.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024408; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Account Update Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&emailpassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031768; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ideas-telcel .com.mx)"; dns.query; content:"ideas-telcel.com.mx"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024409; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Account Update Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&user"; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"Update+My+Details"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032238; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (twiitter .com.mx)"; dns.query; content:"twiitter.com.mx"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024410; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&locale="; nocase; distance:0; content:"=Sign+in"; distance:0; nocase; classtype:credential-theft; sid:2031764; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (resume .immigrantlol .com)"; dns.query; content:"resume.immigrantlol.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024458; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.header; content:".php?X1="; fast_pattern; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; classtype:credential-theft; sid:2032243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (job .yoyakuweb .technology)"; dns.query; content:"job.yoyakuweb.technology"; depth:24; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024457; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-04-29"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"client_id="; fast_pattern; content:"callback="; content:"&client_redirect="; distance:0; content:"&denied_callback="; distance:0; content:"&display="; distance:0; classtype:credential-theft; sid:2032227; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (vps2java .securitytactics .com)"; dns.query; content:"vps2java.securitytactics.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024456; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2015-08-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"client_id="; depth:10; fast_pattern; content:"&callback="; distance:0; content:"&email="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031767; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (macos .exoticlol .com)"; dns.query; content:"macos.exoticlol.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024459; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish M1 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; nocase; depth:6; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&authSrc=AdobeID"; nocase; distance:0; classtype:credential-theft; sid:2032229; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (css .google-statics .com)"; dns.query; content:"css.google-statics.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024460; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; content:"&pword="; nocase; distance:0; fast_pattern; content:"&login"; nocase; distance:0; content:"&ip_address="; nocase; distance:0; content:"&action=login"; nocase; distance:0; classtype:credential-theft; sid:2032233; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Fenrir Ransomware CnC Domain"; dns.query; content:"fenrir-ransomware.000webhostapp.com"; depth:35; nocase; endswith; fast_pattern; reference:md5,a5ecf27bfab7fbb1ace3ec9a390b23bd; classtype:command-and-control; sid:2024467; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Fenrir, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"adobe"; nocase; content:".php"; distance:0; http.header; content:"adobe"; nocase; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpres.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024472; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Form Names 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"formselect1="; depth:12; nocase; fast_pattern; content:"&formtext1="; nocase; distance:0; content:"&formtext2="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024473; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-10"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit=View+Document"; nocase; distance:0; classtype:credential-theft; sid:2032234; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.org"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024474; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish Jun 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&vi="; nocase; distance:0; classtype:credential-theft; sid:2021296; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpross.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024475; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; content:"&pswd="; nocase; distance:0; fast_pattern; content:"&Button1="; nocase; distance:0; classtype:credential-theft; sid:2021297; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"datalink.one"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"server="; depth:7; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2021298; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"secuerserver.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024477; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OGNL Expression Injection (CVE-2017-9791)"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"multipart"; content:"form-data"; distance:1; within:11; content:"ognl.OgnlContext"; distance:1; fast_pattern; content:"DEFAULT_MEMBER_ACCESS"; distance:1; within:23; content:"java.lang.ProcessBuilder"; distance:1; content:".start"; distance:1; reference:url,securityonline.info/tutorial-cve-2017-9791-apache-struts2-s2-048-remote-code-execution-vulnerability/; reference:cve,2017-9791; classtype:attempted-user; sid:2024468; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_07_14, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"vnews.hk"; depth:8; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024479; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-05-04"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&password="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&ip_em="; nocase; distance:0; classtype:credential-theft; sid:2032228; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (v5t5z6a55ksmt3oh)"; dns.query; content:".v5t5z6a55ksmt3oh"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024491; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&message="; nocase; distance:0; content:"View+Document"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032262; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (ojdue4474qghybjb)"; dns.query; content:".ojdue4474qghybjb"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024492; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"frm-email="; depth:10; nocase; fast_pattern; content:"&frm-pass="; nocase; distance:0; content:"&frm-submit="; nocase; distance:0; content:"&frm-ac-tok="; nocase; distance:0; classtype:credential-theft; sid:2032246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 1 (winupdate64 . com)"; dns.query; content:"winupdate64.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Credential Phish 2015-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; content:"&Psword1="; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2031777; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; dns.query; content:"twiter.statics.info"; depth:19; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_cs"; depth:3; nocase; content:"&action="; nocase; distance:0; content:"&event_submit_do_verify_email="; nocase; distance:0; fast_pattern; content:"&tryTimes="; nocase; distance:0; content:"&em"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032255; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"cloudflare.analyse.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:targeted-activity; sid:2024497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-12-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"noCsrfToken="; depth:12; nocase; content:"&xloginCheckToken="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032264; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Tunneling (microsoft-publisher . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"microsoft-publisher.com"; depth:23; nocase; endswith; fast_pattern; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024504; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category TROJAN, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"xloginPass"; depth:10; nocase; fast_pattern; content:"&xloginCheckToken="; nocase; distance:0; classtype:credential-theft; sid:2032256; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Reborn/Ovidiy Stealer CnC Domain"; dns.query; content:"stealur.info"; depth:12; nocase; endswith; fast_pattern; reference:md5,4daca05b0015efeaacebc58d007c32c4; classtype:command-and-control; sid:2024506; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_31, deployment Perimeter, former_category MALWARE, malware_family Reborn_Stealer, malware_family Ovidiy_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&xloginPassport="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032245; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"coffeinoffice.xyz"; depth:17; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024488; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"noCsrfToken="; depth:12; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&epass"; nocase; distance:0; classtype:credential-theft; sid:2032247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"french-cooking.com"; depth:18; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024487; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sec="; depth:4; nocase; content:"&noCsrfToken="; nocase; distance:0; content:"&loginId="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&Psword1="; nocase; distance:0; fast_pattern; content:"&checkcode="; nocase; distance:0; classtype:credential-theft; sid:2032260; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac DNS Query Observed"; dns.query; content:"api.mughthesec.com"; depth:18; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2024529; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; content:"&login.y="; nocase; distance:0; classtype:credential-theft; sid:2025021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac Rogue Search Engine DNS Query Observed"; dns.query; content:"default27061330-a.akamaihd.net"; depth:30; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:2024530; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&password="; nocase; distance:0; content:"&cvv1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 1"; dns.query; content:"nylalobghyhirgh.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024588; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access1="; depth:8; nocase; fast_pattern; content:"&next.x="; nocase; distance:0; content:"&next.y="; nocase; distance:0; classtype:credential-theft; sid:2025023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 2"; dns.query; content:"ribotqtonut.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024589; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access2="; depth:8; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025024; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 3"; dns.query; content:"jkvmdmjyfcvkf.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024590; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&emailpass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025025; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 4"; dns.query; content:"bafyvoruzgjitwr.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024591; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing Jul 19 2017"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"function getSystemInfo"; nocase; distance:0; content:"OnChatTextKeyDown"; nocase; distance:0; fast_pattern; content:"function scrollcheck"; nocase; distance:0; content:"function callconv"; nocase; distance:0; content:"function istyping"; nocase; distance:0; content:"function dochat"; nocase; distance:0; classtype:social-engineering; sid:2024480; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 5"; dns.query; content:"xmponmzmxkxkh.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024592; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PHOEN!X Apple Phish M2 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hold="; nocase; depth:5; fast_pattern; content:"&numb="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&submit.x=Validate"; nocase; distance:0; classtype:credential-theft; sid:2031802; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 6"; dns.query; content:"tczafklirkl.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024593; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon (UK) Phish 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appActionToken="; depth:15; nocase; fast_pattern; content:"&appAction="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032254; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 7"; dns.query; content:"notped.com"; depth:10; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"2.php?jpg="; fast_pattern; content:!"&"; distance:0; pcre:"/\/[a-z]+2\.php\?jpg=[^&]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024482; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, signature_severity Major, tag Targeted, tag APT, tag DarkHotel, tag c2, updated_at 2020_08_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 8"; dns.query; content:"dnsgogle.com"; depth:12; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024595; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Downloader CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|banner|22 0d 0a|"; fast_pattern; content:"name=|22|jpg|22 0d 0a|"; distance:0; content:"name=|22|userfile|22 3b 0d 0a|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,labs.bitdefender.com/2017/07/inexsmar-an-unusual-darkhotel-campaign/; classtype:targeted-activity; sid:2024483; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, signature_severity Major, tag Targeted, tag APT, tag DarkHotel, tag c2, updated_at 2020_08_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 9"; dns.query; content:"operatingbox.com"; depth:16; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024596; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"emaillo="; depth:8; fast_pattern; content:"&create="; distance:0; content:"&passcode="; distance:0; classtype:credential-theft; sid:2031762; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 10"; dns.query; content:"paniesx.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FullName"; nocase; depth:8; content:"&Address"; nocase; distance:0; content:"&StateN="; nocase; distance:0; content:"&enterAddressIsDomestic="; nocase; distance:0; fast_pattern; content:"&isDomestic="; nocase; distance:0; classtype:credential-theft; sid:2031763; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 11"; dns.query; content:"techniciantext.com"; depth:18; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024598; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"showRmrMe="; depth:10; nocase; fast_pattern; content:"&openid.pape.max_auth_age="; nocase; distance:0; content:"&fullname="; nocase; distance:0; content:"&add1="; nocase; distance:0; content:"&add2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032251; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT12 THREEBYTE DNS Lookup"; dns.query; content:"bsksac.au-syd.mybluemix.net"; depth:27; nocase; endswith; fast_pattern; reference:url,blog.macnica.net/blog/2017/08/post-fb81.html; classtype:targeted-activity; sid:2024619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category MALWARE, malware_family THREEBYTE, performance_impact Low, signature_severity Major, tag APT, tag APT12, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish 2015-11-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NameonCards="; nocase; fast_pattern; content:"&Cardanumber="; nocase; distance:0; content:"&CVV2="; nocase; distance:0; content:"&Expiredate"; nocase; distance:0; classtype:credential-theft; sid:2031784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Lookup (msoffice-cdn . com)"; dns.query; content:"msoffice-cdn.com"; depth:16; nocase; endswith; fast_pattern; reference:md5,812d3c4fddf9bb81d507397345a29bb0; reference:url,www.clearskysec.com/ismagent/; classtype:trojan-activity; sid:2024620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ameli.fr Phish M1 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&dob1="; nocase; distance:0; content:"&mail="; nocase; distance:0; content:"&Pwd="; nocase; distance:0; content:"&adresse="; nocase; distance:0; fast_pattern; content:"&ville="; nocase; distance:0; content:"&tel="; nocase; distance:0; classtype:credential-theft; sid:2032258; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (soligro . com)"; dns.query; content:"soligro.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024641; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ameli.fr Phish M2 Oct 26 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bank="; depth:5; nocase; content:"&ccnum="; nocase; distance:0; content:"&expMonth="; nocase; distance:0; content:"&expYear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&account="; nocase; distance:0; content:"&ghazcisse="; nocase; distance:0; fast_pattern; content:"&Valider="; nocase; distance:0; classtype:credential-theft; sid:2032259; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (mydreamhoroscope . com)"; dns.query; content:"mydreamhoroscope.com"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024642; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Dec 8 2015"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; fast_pattern; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; content:"=Login"; nocase; distance:0; classtype:credential-theft; sid:2031565; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Zloader CnC Domain Detected"; dns.query; content:".chinaandkoreacriminalaffairs"; fast_pattern; endswith; nocase; reference:md5,7a57fcc1afab791f9995fbc479fe340e; classtype:command-and-control; sid:2024680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Anonisma Paypal Phish 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&ps="; nocase; distance:0; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031801; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"lookingpersonals.top"; depth:20; fast_pattern; endswith; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M1 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"firstnameoncard="; depth:16; fast_pattern; content:"&address"; nocase; distance:0; content:"&city"; nocase; distance:0; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032230; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (chromup)"; dns.query; content:"chromup.com"; depth:11; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024730; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M1 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"paymenttype="; depth:12; fast_pattern; content:"&cardtype"; nocase; distance:0; content:"&nameoncard"; nocase; distance:0; content:"&cvv"; nocase; distance:0; classtype:credential-theft; sid:2032231; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (securityupdated)"; dns.query; content:"securityupdated.com"; depth:19; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M3 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"question="; depth:9; fast_pattern; content:"&answer"; nocase; distance:0; content:"&ScreenName"; nocase; distance:0; content:"&Password"; nocase; distance:0; classtype:credential-theft; sid:2032232; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor / NanoCore CnC (microsoftupdated)"; dns.query; content:"microsoftupdated.net"; depth:20; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024733; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"openiForgotInNewWindow="; depth:23; nocase; fast_pattern; content:"&fdcBrowserData="; nocase; distance:0; content:"&appIdKey="; nocase; distance:0; classtype:credential-theft; sid:2032250; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (syn.broadcaster)"; dns.query; content:"syn.broadcaster.rocks"; depth:21; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024734; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish M1 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email-ali1="; depth:11; nocase; content:"&password-ali"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032249; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (googlmail)"; threshold: type both, track by_src, count 1, seconds 5; dns.query; content:"googlmail.net"; depth:13; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; fast_pattern; nocase; content:"&pass"; distance:0; nocase; content:"&oemail="; distance:0; nocase; classtype:credential-theft; sid:2031792; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 1"; dns.query; content:"download.ns360.info"; depth:19; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"FirstName="; depth:10; nocase; content:"&LastName="; nocase; distance:0; content:"&DOBM="; nocase; distance:0; content:"&AreaCode="; nocase; distance:0; content:"&Phone="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; fast_pattern; content:"&securityCode="; nocase; distance:0; content:"&VBV="; nocase; distance:0; classtype:credential-theft; sid:2032248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 2"; dns.query; content:"update.craftx.biz"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain (nothingtodo .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"nothingtodo.co"; bsize:14; classtype:domain-c2; sid:2030670; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 3"; dns.query; content:"mozilla.tftpd.net"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDTESS Backdoor User-Agent"; flow:established,to_server; http.user_agent; content:"XXXXXXXXXXXXXXXXX/5.0 (Windows NT 6.1 WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv:11.0) like Gecko"; reference:md5,113ca319e85778b62145019359380a08; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024498; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 4"; dns.query; content:"checkupdates.flashserv.net"; depth:26; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revcode RAT CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"WinHttpRequest"; http.request_body; content:"keyauth="; fast_pattern; depth:8; content:"&key="; distance:0; content:"&uid="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:command-and-control; sid:2024500; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"ssrsec.com"; depth:10; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024854; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revcode RAT CnC 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"WinHttpRequest"; http.request_body; content:"mode="; fast_pattern; depth:5; content:"&data="; distance:0; content:"&key="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3f652d9bc17a4be3c0e497ea19848344; classtype:command-and-control; sid:2024501; rev:3; metadata:created_at 2017_07_27, former_category MALWARE, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"sqlmapff.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024856; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISMAgent CnC Checkin 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/action2/"; fast_pattern; http.user_agent; content:"Firefox"; bsize:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:command-and-control; sid:2024502; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"outerlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024858; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mobile Device Posting Phone Number"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"&Phone"; fast_pattern; nocase; content:"Number="; nocase; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/i"; classtype:policy-violation; sid:2013208; rev:4; metadata:created_at 2011_07_06, former_category MOBILE_MALWARE, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"microsoftsec.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024860; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:to_client,established; http.header_names; content:!"Content-Type|0d 0a|text/xml|0d 0a|"; content:!"Content-Type|0d 0a|application/xml|0d 0a|"; file.data; content:"preserve"; nocase; content:"redim|20|"; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"martianlol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024862; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/201"; depth:4; content:"/?c="; distance:1; within:4; fast_pattern; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&f="; distance:0; content:"&mi="; distance:0; content:"&b="; distance:0; content:"&t="; distance:0; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/; classtype:command-and-control; sid:2031410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"dnslog.mobi"; depth:11; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024865; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d=201"; depth:10; fast_pattern; content:"&t="; distance:0; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; classtype:command-and-control; sid:2031411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"alienlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024867; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"//configure destination URL"; nocase; fast_pattern; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2029660; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"yoyakuweb.technology"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024869; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"exoticlol.com"; depth:13; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024870; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|"; classtype:trojan-activity; sid:2024193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-statics .com)"; dns.query; content:"google-statics.com"; depth:18; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024871; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Address (monip.outils-rezo. info)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/text"; http.host; content:"monip.outils-rezo.info"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2024526; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-searching .com)"; dns.query; content:"google-searching.com"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024872; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.ATS CnC Activity"; flow:established,to_server; http.uri; content:"php?Hwid=S-"; fast_pattern; content:"-"; distance:0; content:"-"; distance:0; content:"-"; distance:0; pcre:"/\.php\?Hwid=[^&]+[0-9](?:&(?:Pc|Etat)=[^&]+)?(?:&user=[^&]+&Ip=[^&]+&Ping=[^&]+&v=[^&]+&Ville=[^&]+&Pays=[^&]+&Region=[^&]+)?$/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,53d3ee595bc5df7e97403906f1415c21; classtype:command-and-control; sid:2024528; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"awsstatics.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024873; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UID_input="; depth:10; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024616; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"immigrantlol.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024874; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Gozi/Ursnif Payload v12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1|"; depth:48; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024533; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category TROJAN, malware_family ursnif, malware_family Gozi, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (myhomemusic. com)"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023022; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, former_category TROJAN, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address_1="; depth:10; nocase; fast_pattern; content:"&address_2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&postal="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&number_1="; nocase; distance:0; content:"&number_2="; nocase; distance:0; content:"&number_3="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:command-and-control; sid:2022842; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Square Phish Nov 16 2015"; flow:to_server,established; http.method; content:"POST"; http.header; content:"cmd=_identifier_Demarrer_ID="; nocase; fast_pattern; http.request_body; content:"&submit.x="; nocase; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2024547; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; dns.query; content:"inter-ctrip.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.forcepoint.com/blog/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:7; http.method; content:"GET"; nocase; http.uri; content:"/status"; fast_pattern; http.header; content:"Host|3a|"; nocase; content:"|3b|"; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/mi"; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:2024548; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_08_14, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; dns.query; content:".29a.de"; nocase; fast_pattern; endswith; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.29a\.de$/"; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:5; metadata:created_at 2015_07_15, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&mobile="; nocase; distance:0; content:"&ccnumber="; nocase; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; classtype:credential-theft; sid:2032252; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Maldoc CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/software-protection/app.php"; startswith; fast_pattern; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:url,blog.telsy.com/zebrocy-dropbox-remote-injection/; classtype:targeted-activity; sid:2027939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"spyuser="; depth:8; nocase; fast_pattern; content:"&spypass="; nocase; distance:0; classtype:credential-theft; sid:2032239; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Laturo Stealer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.header; content:"Os|3a 20|WIN_"; nocase; fast_pattern; content:"Hwid|3a 20|"; nocase; content:"Elevated|3a 20|"; nocase; content:"Arch|3a 20|"; nocase; content:"Special|3a 20|"; nocase; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,06a1eaa62d8de97aec8a151f2ca6569b; classtype:command-and-control; sid:2027944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, malware_family Laturo, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"apple_login="; depth:12; nocase; fast_pattern; content:"&apple_password="; nocase; distance:0; classtype:credential-theft; sid:2032253; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"venoxcontrol.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"GivenName="; depth:10; nocase; fast_pattern; content:"&Surname="; nocase; distance:0; content:"&StreetAddress="; nocase; distance:0; content:"&ZipCode="; nocase; distance:0; content:"&TelephoneNumber="; nocase; distance:0; content:"&SSN="; nocase; distance:0; classtype:credential-theft; sid:2032240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"okonewacon.com"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"CCNumber="; nocase; fast_pattern; content:"&CCExpires="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&CVV"; nocase; distance:0; classtype:credential-theft; sid:2032241; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"bigtext.club"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; fast_pattern; content:"&trackdata="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2031780; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"blackempirebuild.com"; nocase; depth:20; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027949; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Oct 31 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appleId="; depth:8; nocase; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032261; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"clubhouse.site"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027950; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M1 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login-id="; depth:9; nocase; content:"&id-passwd="; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032265; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"nxtfdata.xyz"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027951; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M2 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name-re="; depth:8; nocase; content:"&city-add="; nocase; distance:0; content:"&zip-add="; nocase; distance:0; content:"&state-code="; nocase; distance:0; content:"&country-code="; nocase; distance:0; content:"&question-se="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032266; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"lienews.world"; nocase; depth:13; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027952; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M3 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&pass="; nocase; distance:0; content:"&pays="; nocase; distance:0; content:"&first_name="; nocase; distance:0; content:"&ville="; nocase; distance:0; content:"&cpostal="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&cvnum="; nocase; distance:0; fast_pattern; content:"&isvbv="; nocase; distance:0; classtype:credential-theft; sid:2032267; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"phonemus.net"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027953; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M4 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bank_name="; depth:10; nocase; content:"&d3_code="; nocase; distance:0; fast_pattern; content:"&bin_ext="; nocase; distance:0; classtype:credential-theft; sid:2032268; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"takebad1.com"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Transaction Cancellation Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd=_flow&"; depth:10; content:"&first_name="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&credit_card_type="; nocase; distance:0; fast_pattern; content:"&ccnumber="; nocase; distance:0; content:"&accno="; nocase; distance:0; classtype:credential-theft; sid:2032236; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http any any -> any any (msg:"ET MALWARE HTTP Request for Possible ELF/LiLocked Ransomware Note"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"README.lilocked"; fast_pattern; endswith; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027967; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, malware_family LiLocked, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Credential Phish 2015-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:".tries="; depth:7; fast_pattern; nocase; content:"&.challenge="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2031776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Generic Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/start_cache1.php"; fast_pattern; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027969; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish M1 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag="; depth:3; nocase; content:"&ct="; nocase; distance:0; content:"&infor="; nocase; distance:0; content:"&limpar="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032308; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"r=register_shutdown_function"; startswith; fast_pattern; content:"&d="; distance:0; content:"&s="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027970; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish M2 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag="; depth:3; nocase; content:"&ct="; nocase; distance:0; content:"&infor="; nocase; distance:0; content:"&telefone="; nocase; distance:0; fast_pattern; content:"&telefone"; nocase; distance:0; content:"&senha"; nocase; distance:0; content:"&bt"; nocase; distance:0; classtype:credential-theft; sid:2032309; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-pre.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:domain-c2; sid:2028567; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; content:"&ssn="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailpassword="; nocase; distance:0; fast_pattern; content:"&form1="; nocase; distance:0; content:"&form2="; nocase; distance:0; content:"&form3="; nocase; distance:0; content:"&form4="; nocase; distance:0; content:"&form5="; nocase; distance:0; classtype:credential-theft; sid:2032305; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-can.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:domain-c2; sid:2028568; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&sitekeyChallengeAnswer1="; nocase; distance:0; fast_pattern; content:"&question2="; nocase; distance:0; content:"&sitekeyChallengeAnswer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&sitekeyChallengeAnswer3="; nocase; distance:0; content:"&sitekeyDeviceBind="; nocase; distance:0; classtype:credential-theft; sid:2032301; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception Group CnC Observed in DNS Query (ms-check-new-update .com)"; dns.query; content:"ms-check-new-update.com"; nocase; endswith; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"has been blocked"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2022925; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key"; flow:established,to_server; threshold: type limit, track by_dst, seconds 60, count 1; http.method; content:"GET"; http.uri; content:"/get.php?pid="; fast_pattern; content:"&first=true"; distance:32; within:11; endswith; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,13f04ff944fa65eddd3e911740837a8a; reference:md5,c0672f0359afba1c24ab0f90f568bdc0; classtype:trojan-activity; sid:2036334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&cn1="; nocase; distance:0; content:"&cn2="; nocase; distance:0; classtype:credential-theft; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Maldoc CnC Checkin"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"relay=y"; startswith; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Connection"; content:!"Accept"; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028569; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&pin="; nocase; distance:0; content:"&ccin="; nocase; distance:0; fast_pattern; content:"&mmn="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&ssn2="; nocase; distance:0; content:"&ssn3="; nocase; distance:0; content:"&dl="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=suport.worldupdate.site"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cardnumber="; depth:11; nocase; fast_pattern; content:"&expirymonth="; nocase; distance:0; content:"&expiryyear="; nocase; distance:0; content:"&securitycode="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032306; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=full.devinelive.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"account_state_held="; depth:19; nocase; fast_pattern; content:"&onlineid="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&___signon_js="; nocase; distance:0; classtype:credential-theft; sid:2032300; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"suport.worldupdate.site"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028586; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&q1="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&q2="; nocase; distance:0; content:"&a2="; nocase; distance:0; content:"&q3="; nocase; distance:0; content:"&a3="; nocase; distance:0; content:"&q4="; nocase; distance:0; content:"&a4="; nocase; distance:0; content:"&q5="; nocase; distance:0; content:"&a5="; nocase; distance:0; content:"&passcode="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032302; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"full.devinelive.top"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M3 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&code="; nocase; distance:0; content:"&q1="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&creditcard="; nocase; distance:0; fast_pattern; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; content:"&ccv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&fullname="; nocase; distance:0; content:"&add1="; nocase; distance:0; content:"&accnum="; nocase; distance:0; content:"&routing="; nocase; distance:0; classtype:credential-theft; sid:2032303; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"roundworld.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"creditcard="; fast_pattern; content:"expyear="; content:"ccv="; content:"pin="; classtype:credential-theft; sid:2015907; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"postnews.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic PII Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&phone3="; content:"&ssn3="; fast_pattern; content:"&dob3="; classtype:credential-theft; sid:2015908; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"fstyline.xyz"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic SSN Phish"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:!"LabTech Agent"; http.request_body; content:"ssn1="; fast_pattern; content:"ssn2="; content:"ssn3="; classtype:credential-theft; sid:2015952; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"weekdanys.com"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M4 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"REMOTE_ADDR="; depth:12; nocase; content:"&Sequence="; nocase; distance:0; content:"&fname="; nocase; distance:0; content:"&card="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&emailid="; nocase; distance:0; content:"&idpass="; nocase; distance:0; fast_pattern; content:"&alemail="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&dlisence="; nocase; distance:0; classtype:credential-theft; sid:2032304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-09-17 1)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=dapoerwedding.com"; endswith; fast_pattern; reference:url,twitter.com/jeFF0Falltrades/status/1173300902242988032; reference:md5,db51f2715c81c4357d11d69ac96bf582; classtype:domain-c2; sid:2028596; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlineid="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; content:"&email"; nocase; classtype:credential-theft; sid:2031789; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028606; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2015-10-02"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"accountstate="; nocase; depth:13; fast_pattern; content:"&onlineid="; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"nexcesscdh.net"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028607; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017750; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"ossmaxcdn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028608; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aoluser="; content:"aolpassword="; classtype:credential-theft; sid:2015910; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028609; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-order.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028610; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"gmailuser="; content:"gmailpassword="; classtype:credential-theft; sid:2015912; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".online"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hotmailuser="; content:"hotmailpassword="; classtype:credential-theft; sid:2015913; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".club"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bsodsupport.icu"; nocase; endswith; classtype:domain-c2; sid:2028614; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"otheruser="; content:"otherpassword="; classtype:credential-theft; sid:2015914; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"en-content.com"; nocase; endswith; pcre:"/(?:^|\.)en-content\.com$/"; classtype:domain-c2; sid:2028615; rev:3; metadata:created_at 2019_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/HMH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asmx/GetUpdate?val="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; classtype:command-and-control; sid:2028617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"yahoouser="; content:"yahoopassword="; classtype:credential-theft; sid:2015911; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/GMERA.A CnC Domain (appstockfolio .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"appstockfolio.com"; depth:17; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:domain-c2; sid:2028619; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M1 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Login.php?sslchannel="; depth:22; fast_pattern; content:"&sessionid="; distance:0; http.header; content:"/Login.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032280; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=skillsnew.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M2 2016-03-29"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Verify.php?sslchannel="; depth:23; fast_pattern; content:"&sessionid="; distance:0; http.header; content:"/Login.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032281; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"windsecdown.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M3 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Checkcc.php?&sessionid="; depth:24; fast_pattern; content:"&securessl="; distance:0; http.header; content:"/Verify.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032282; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"downloadsecurity.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M4 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/vbv.php?&sessionid="; depth:20; fast_pattern; content:"&securessl="; distance:0; http.header; content:"/Checkcc.php?&sessionid="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032283; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"tratatata.space"; nocase; endswith; reference:md5,e5eeb5560fcea89abdfb3ea8ec2091ec; classtype:command-and-control; sid:2028640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:".tries="; nocase; depth:7; content:"&.challenge="; nocase; distance:0; classtype:credential-theft; sid:2021323; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"rmedia15.ru"; nocase; endswith; reference:md5,3f9f8a007ad6982b14fb74d4583bdd4b; classtype:command-and-control; sid:2028641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Interac Phish Aug 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Esion CnC Checkin"; flow:established,to_server; http.uri; content:"/bot/gate.php"; fast_pattern; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2; classtype:command-and-control; sid:2013211; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"stateo="; depth:7; nocase; fast_pattern; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2031781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iebar Spyware User Agent (iebar)"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"|3b 20|iebar"; fast_pattern; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032294; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Ixeshe"; flow:to_server,established; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|"; nocase; http.uri; content:"/ym/Attachments?YY="; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:7; metadata:created_at 2012_03_22, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Scotland Phish M1 2015-11-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&frmLogin=frmLogin&submitToken="; nocase; content:"&target="; nocase; distance:0; content:"&hdn_mobile="; nocase; distance:0; content:"&dclinkjourid="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2031783; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 1"; flow:established,to_server; urilen:10; http.method; content:"GET"; nocase; http.uri; content:"/support/s"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; classtype:command-and-control; sid:2014855; rev:5; metadata:created_at 2012_06_05, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banque Populaire (FR) Phish 2016-12-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"departement="; depth:12; nocase; fast_pattern; content:"&CCPTE="; nocase; distance:0; content:"&CCCRYC="; nocase; distance:0; content:"&SAMLResponse="; nocase; distance:0; classtype:credential-theft; sid:2032310; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lile.A DoS Outbound"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.header; content:"UserAgent|3a|"; content:"Windows 98"; fast_pattern; http.host; content:"www.fbi.gov"; startswith; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:5; metadata:created_at 2012_08_07, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cclast="; depth:7; nocase; fast_pattern; content:"&pinsentry1="; nocase; distance:0; content:"&pinsentry2="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&memorable="; nocase; distance:0; classtype:credential-theft; sid:2032295; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/uid.php"; fast_pattern; reference:md5,3ccc73f049a1de731baf7ea8915c92a8; reference:md5,91ce41376a5b33059744cb58758213bb; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:md5,21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015623; rev:4; metadata:created_at 2012_08_14, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"screenName="; depth:11; nocase; content:"&surname="; nocase; distance:0; content:"&membershipNumber="; nocase; distance:0; fast_pattern; content:"&accountNumber="; nocase; distance:0; classtype:credential-theft; sid:2032290; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; http.uri; content:"/iLog.php?dl="; fast_pattern; content:"&log="; http.user_agent; content:"IE"; startswith; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:command-and-control; sid:2013534; rev:9; metadata:created_at 2011_09_03, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address="; depth:8; nocase; content:"&address2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&postcode="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&Year="; nocase; distance:0; content:"&mmn="; nocase; distance:0; content:"&b3d="; nocase; distance:0; content:"&tbp="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; content:"&ccv="; nocase; distance:0; classtype:credential-theft; sid:2032296; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; http.uri; content:"ch=1"; fast_pattern; pcre:"/ch=1$/"; http.request_body; content:"ch=1"; depth:4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:md5,99fab94fd824737393f5184685e8edf2; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; classtype:command-and-control; sid:2015799; rev:8; metadata:created_at 2012_10_13, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M2 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"car2="; depth:5; nocase; fast_pattern; content:"&pn1="; nocase; distance:0; content:"&pn2="; nocase; distance:0; content:"&p1n="; nocase; distance:0; classtype:credential-theft; sid:2032291; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; urilen:39; http.method; content:"POST"; http.uri; content:"/?ptrxcz_"; fast_pattern; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:command-and-control; sid:2015807; rev:5; metadata:created_at 2012_10_05, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M3 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"requestid="; depth:10; nocase; fast_pattern; content:"&tpin="; nocase; distance:0; content:"&exp="; nocase; distance:0; content:"&mmn="; nocase; distance:0; classtype:credential-theft; sid:2032292; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fujacks Activity"; flow:to_server,established; http.header; content:".whboy.net|0d 0a|"; nocase; fast_pattern; http.user_agent; content:"QQ"; bsize:2; classtype:trojan-activity; sid:2015814; rev:14; metadata:created_at 2012_10_18, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BBVA Compass Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale="; depth:7; nocase; fast_pattern; content:"&question1="; nocase; distance:0; content:"&answer1="; nocase; distance:0; content:"&emailadd="; distance:0; content:"&emailpass="; nocase; classtype:credential-theft; sid:2031765; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot initial checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?ver="; content:"&p=cert123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015854; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blackboard Account Phish 2015-10-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&login=Login"; nocase; distance:0; content:"&action=login"; nocase; distance:0; content:"&new_loc="; nocase; distance:0; classtype:credential-theft; sid:2031778; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot checkin"; flow:to_server,established; http.uri; content:".php?ver="; content:"&p=bot123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015855; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blocked Email Account Phish M1 2016-08-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&Login=Submit+Now"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032288; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeBot grab data plaintext"; flow:established,to_server; http.request_body; content:"cmd=grab&data="; fast_pattern; content:"&login="; classtype:trojan-activity; sid:2016011; rev:6; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Pharma Spam Template Active - Outbound Email Spam"; flow:to_server,established; content:"Subject|3a 20|Rx|20|Discount|20|"; fast_pattern; content:"Special|20|for|20|you|20|-----"; distance:0; classtype:command-and-control; sid:2030675; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family Tofsee, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/run1/pr.php?p1="; fast_pattern; content:"&p2="; content:"&id="; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016206; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/JobCrypter Ransomware Checkin via SMTP"; flow:to_server,established; content:"|0d 0a 0d 0a|jui=0D=0A=0D=0Atre|3a 20|"; fast_pattern; content:"|0d 0a 0d 0a 2e 0d 0a|"; distance:0; isdataat:!1,relative; reference:md5,3bb560cb690a91134508910178928973; classtype:trojan-activity; sid:2030672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family JobCrypter, signature_severity Major, tag Ransomware, updated_at 2020_08_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H work_troy.php CnC Request"; flow:established,to_server; http.uri; content:"/work_troy.php?id="; fast_pattern; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016207; rev:5; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"xxx="; depth:4; nocase; content:"&yyy="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload"; flow:established,to_server; http.uri; content:"/pir/bfg.php?dll="; fast_pattern; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2016208; rev:5; metadata:created_at 2013_01_15, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Datper CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"="; within:9; pcre:"/\.php\?[a-z]{3,8}=[a-f0-9]{16}[01][a-z]+$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eae5b16bef5f7dc37909ec91367fa807; reference:url,blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html; classtype:command-and-control; sid:2024601; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Beebus HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/s/asp?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3B 20 29 0D 0A|"; startswith; reference:url,blog.fireeye.com/research/2013/02/operation-beebus.html; classtype:command-and-control; sid:2016342; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Hancitor/Tordal Document Inbound"; flow:established,from_server; flowbits:isset,ET.Hancitor; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".doc"; distance:0; http.content_type; content:"application/msword|3b|"; startswith; file.data; content:"|d0 cf 11 e0|"; depth:4; fast_pattern; classtype:exploit-kit; sid:2024605; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; http.uri; content:"/forum/images.php?id"; nocase; fast_pattern; http.user_agent; content:"Mozilla/6"; depth:9; content:"|20|MSIE|20|"; distance:0; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:7; metadata:created_at 2013_02_19, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M1"; flow:established,to_server; urilen:>41; flowbits:set,ET.DisDain.EK; http.uri; content:".php"; offset:38; depth:4; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/[a-zA-Z0-9]{12}\.php(?:\?[^&=]+=(?:[a-zA-Z0-9]{8}|0(?:189|037)|flash|2(?:551|419)|6332))?$/"; classtype:exploit-kit; sid:2024606; rev:3; metadata:created_at 2017_08_23, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBeplay Downloading Design"; flow:established,to_server; http.uri; content:".CAB.bin"; fast_pattern; pcre:"/[a-z]{2}\.CAB.bin/"; http.header; content:"|20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)|0d 0a|"; classtype:trojan-activity; sid:2016489; rev:6; metadata:created_at 2013_02_22, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2"; flow:established,to_server; urilen:34; flowbits:set,ET.DisDain.EK; http.uri; content:"/test.mp3"; offset:25; depth:9; pcre:"/^\/(?=[a-z0-9]{0,22}[A-Z]+?[a-z0-9])(?=[A-Z0-9]{0,22}[a-z]+?[A-Z0-9])[a-zA-Z0-9]{24}\/test\.mp3$/"; classtype:exploit-kit; sid:2024607; rev:3; metadata:created_at 2017_08_23, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw CnC Configuration File Request"; flow:established,to_server; http.uri; content:"&id="; content:"&inst="; content:"&net"; content:"&cmd=cfg"; fast_pattern; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016508; rev:4; metadata:created_at 2013_02_27, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"receipt="; nocase; fast_pattern; pcre:"/\.php\?(print_)?receipt=(s00|\d{3})_\d+$/i"; classtype:trojan-activity; sid:2016359; rev:5; metadata:created_at 2013_02_07, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; content:"Passwords.txt"; distance:0; nocase; fast_pattern; classtype:trojan-activity; sid:2035016; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LetsGo.APT Sleep CnC Beacon"; flow:established,to_server; http.uri; pcre:"/\.html\?[0-9]{10}$/"; http.user_agent; content:"sleep|20|"; fast_pattern; startswith; pcre:"/^sleep \d+[\r\x2c]/"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html; classtype:targeted-activity; sid:2016568; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (More_eggs CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=belum.uk.com"; nocase; endswith; classtype:domain-c2; sid:2030674; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; http.uri; content:"/news/show.asp?id1="; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1"; startswith; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016572; rev:4; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gazer HTTP POST Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:(?:a(?:(?:lbu|d)m|ccount|uthor)|c(?:ont(?:ac|en)|lien)t|p(?:artners|hoto)|(?:memb|us)er|session|video|hash|key|id)=[a-z0-9]{6,12}&){4}/Ri"; http.request_body; content:"|ff ff ff ff 00 00 00 00|"; depth:8; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf; classtype:command-and-control; sid:2024637; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Galock Ransomware Check-in"; flow:established,to_server; http.uri; content:"&os="; content:"&hostname="; content:"&codepage="; content:"&account"; http.header; content:"|3a 20|Mozilla/4.1|20|"; fast_pattern; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain SSL Cert in SNI (RansomBlocker CnC)"; flow:established,to_server; tls.sni; content:"4fp2u2ue4pyqdpfu"; fast_pattern; reference:md5,2067d1cb1a25c6d6d371339fad9123ba; classtype:command-and-control; sid:2024485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"svchost.exe"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.01|3b 20|Windows NT 5.0)"; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:command-and-control; sid:2016707; rev:6; metadata:created_at 2013_04_01, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?"; content:"csrfmiddlewaretoken="; nocase; distance:0; content:"username="; nocase; content:"&password="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024638; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Data Exfiltration POST to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adserv/get.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016727; rev:4; metadata:created_at 2013_04_05, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dragonfly Backdoor.Goodor Go Implant CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"."; content:"?"; distance:3; within:2; content:"="; distance:3; within:1; content:"&"; distance:32; within:1; pcre:"/\.(?:aspx|txt)\?[a-z0-9]{3}=[a-f0-9]{32}&[a-z0-9]{3}=[^&]+&[a-z0-9]{3}=[a-f0-9]{32}$/"; http.header; content:"Go-http-client/1.1|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8943e71a8c73b5e343aa9d2e19002373; classtype:command-and-control; sid:2024894; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Targeted, tag c2, updated_at 2020_08_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/adserv/logo.jpg"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016728; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; content:"<command"; nocase; distance:0; pcre:"/^[\s>]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"&os="; content:"&bot_id="; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)"; flow:to_server,established; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; content:".exec"; distance:0; content:"<command"; nocase; distance:0; pcre:"/^[\s>]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024664; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Activity"; flow:established,to_server; http.uri; content:".php?id="; content:"&gr"; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&pname="; content:"&uname="; content:"&pkey="; content:"&aekey="; content:"&ppub="; content:"&userx=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity 2"; flow:established,to_server; http.uri; content:"param="; content:"&socksport="; content:"&httpport="; fast_pattern; content:"&uptime"; content:"&uid="; content:"&ver="; reference:md5,e787c4437ff67061983cd08458f71c94; reference:md5,1777f0ffa890ebfcc7587957f2d08dca; reference:md5,d86b9eaf9682d60cb8b928dc6ac40954; reference:url,doc.emergingthreats.net/2002929; reference:md5,0995ecb8bb78f510ae995a50be0c351a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; classtype:trojan-activity; sid:2002929; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ApolloLocker Ransomware CnC Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:3; content:"&crypto=ApolloCrypto"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,8acaa375c2146224d628bb408c3902ff; classtype:command-and-control; sid:2024667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_06, deployment Perimeter, former_category MALWARE, malware_family ApolloLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|AMD-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aAMD-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:9; metadata:created_at 2012_10_13, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"eXNvc2VyaWFsL"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024668; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|INT-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aINT-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:10; metadata:created_at 2012_10_13, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"lzb3NlcmlhbC"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024669; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos Connectivity Check"; flow:established,to_server; http.uri; content:"/uploading/id="; fast_pattern; http.uri.raw; pcre:"/^\/uploading\/id=\d{2,20}&u=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:misc-activity; sid:2016800; rev:8; metadata:created_at 2013_05_01, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"5c29zZXJpYWwv"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024670; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cookies/Cookiebag Checkin"; flow:to_server,established; http.uri; content:"/indexs.zip"; fast_pattern; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:command-and-control; sid:2016808; rev:4; metadata:created_at 2013_05_02, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|79 76 36 36 76|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024671; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Activity"; flow:established,to_server; http.uri; content:".php?version="; fast_pattern; content:"&user="; content:"&server="; content:"&crc="; pcre:"/user=[a-f0-9]{31,32}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6; metadata:created_at 2012_02_24, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|72 2b 75 72|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024672; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Zusy.45802 Checkin"; flow:to_server,established; http.uri; content:".php?uid="; fast_pattern; content:"&affid="; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; pcre:"/^$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2016816; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|4b 2f 72 71 2b|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024673; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Fake Opera 10 User-Agent"; flow:established,to_server; http.user_agent; content:"Opera/10|20|"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:2016823; rev:6; metadata:created_at 2013_05_04, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024674; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A CnC"; flow:established,to_server; http.uri; content:"/favicon.iso?"; fast_pattern; reference:url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:command-and-control; sid:2016850; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024675; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger Checkin"; flow:established,to_server; http.uri; content:".php?fol="; fast_pattern; content:"&ac="; content:"AVs"; content:"OS"; content:"SystemDT"; content:"AppVersion"; content:"DropPath"; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016861; rev:4; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit HFS Actor"; flow:established,from_server; http.server; content:"HFS"; startswith; file.data; content:"triggerBug"; nocase; fast_pattern; content:"exploit"; nocase; content:"intToStr"; nocase; content:"strToInt"; nocase; classtype:trojan-activity; sid:2024677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Critical, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; http.uri; content:"/hyper/fm.php?tp=in"; fast_pattern; content:"&tg="; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016863; rev:4; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.FVVZ Variant CnC Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&taskid="; distance:0; content:"&status="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,92c3157d76c67668ca815541c6bb3ba8; classtype:command-and-control; sid:2024692; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; http.uri; content:"/wakeup/access.php"; fast_pattern; http.user_agent; content:"UPHTTP"; depth:6; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016864; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ASPC Bot CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?string="; fast_pattern; pcre:"/\.php\?string=[a-zA-Z0-9+=]+$/i"; http.user_agent; content:"Mozilla/"; startswith; http.request_body; content:"string="; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f392c55f636e93f4b72f1a2aa5022730; classtype:command-and-control; sid:2024625; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registering Client"; flow:established,to_server; http.uri; content:"/gate.php?reg="; fast_pattern; pcre:"/\/gate\.php\?reg=(?:[a-z]{10}|[A-Za-z]{15})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016899; rev:6; metadata:created_at 2013_05_21, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M1 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"connect.sid"; file.data; content:"<title>Manage your Apple ID</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2024703; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Briba CnC POST Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index"; depth:6; content:".asp"; distance:9; within:4; http.header; content:"Content-Length|3a 20|00"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.host; content:"update.microsoft.com"; startswith; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:command-and-control; sid:2016911; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M2 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"connect.sid"; file.data; content:"mainController as mainCtrl"; nocase; content:"mainCtrl.username"; nocase; distance:0; content:"mainCtrl.password"; nocase; distance:0; content:"mainCtrl.submitCreds"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2024704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; http.uri; content:"/smadstat.php?mac="; fast_pattern; content:"&key="; content:"&name="; content:"&os="; content:"&build="; content:"&old="; content:"&comp="; http.user_agent; content:"Smart-RTP"; depth:9; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:md5,a80f33c94c44556caa2ef46cd5eb863c; classtype:command-and-control; sid:2016914; rev:5; metadata:created_at 2013_05_23, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zbot Activity Common Download Struct"; flow:to_server,established; http.uri; content:".bin"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"passport.net"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:trojan-activity; sid:2017836; rev:5; metadata:created_at 2013_12_12, former_category TROJAN, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Trup.CX Checkin 1"; flow:to_server,established; http.uri; content:"/sms/do|2e|php?userid="; nocase; fast_pattern; content:"&time="; nocase; content:"&msg="; nocase; content:"&pauid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE; classtype:command-and-control; sid:2016951; rev:7; metadata:created_at 2011_03_14, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?country.x="; nocase; content:"&locale.x="; nocase; distance:0; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031576; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"AuthenticAMD|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:12; metadata:created_at 2013_06_01, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zipCode="; nocase; distance:0; content:"&nameoncard="; nocase; distance:0; content:"&cardnumber="; nocase; distance:0; fast_pattern; content:"&c_type="; nocase; distance:0; content:"&c_valid="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&csc="; nocase; distance:0; classtype:credential-theft; sid:2031577; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"GenuineIntel|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:13; metadata:created_at 2013_06_01, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"imsi="; nocase; classtype:bad-unknown; sid:2012849; rev:5; metadata:created_at 2011_05_25, former_category POLICY, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Travnet.A Checkin"; flow:to_server,established; http.uri; content:".asp?hostid="; content:"&hostname="; content:"&hostip="; content:"&filename="; content:"&filestart="; content:"&filetext=begin|3a 3a|"; fast_pattern; pcre:"/\?hostid=[0-9A-F]+?&/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:command-and-control; sid:2016968; rev:7; metadata:created_at 2013_03_01, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sep 19 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"pass="; depth:5; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tobfy.S"; flow:established,from_client; http.uri; content:"/upload/img.jpg"; fast_pattern; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:6; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER OptionsBleed (CVE-2017-9798)"; flow:from_server; http.header; content:"Allow|3a 20|"; pcre:"/^[^\n]+(?:[^ -~\x0d\x0a]|,\x20*,)/R"; reference:cve,CVE-2017-9798; classtype:misc-activity; sid:2024760; rev:5; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_09_19, deployment Datacenter, former_category WEB_SERVER, performance_impact Significant, signature_severity Minor, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TripleNine RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/999"; fast_pattern; bsize:4; http.header; content:".0|0d 0a|Host"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2017021; rev:7; metadata:created_at 2013_06_15, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|m3th/"; fast_pattern; classtype:attempted-admin; sid:2030676; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_12, deployment Perimeter, signature_severity Minor, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor"; flow:established,to_server; http.user_agent; content:"SEX/1"; nocase; fast_pattern; startswith; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017026; rev:4; metadata:created_at 2013_06_18, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|m3th/"; fast_pattern; classtype:web-application-attack; sid:2030677; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_12, deployment Perimeter, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; http.method; content:"GET"; nocase; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/"; http.header; content:"User-Agent|3a|"; depth:11; http.user_agent; content:"|20|MSIE 6.0|3b|"; content:".NET CLR 1.1.4322"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:targeted-activity; sid:2017036; rev:5; metadata:created_at 2013_06_20, former_category MALWARE, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.FC CnC Activity"; flow:established,to_server; http.start; content:"POST /loader/gate HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.user_agent; content:!"|20|"; http.referer; content:!"|2e|"; http.request_body; content:"data="; startswith; pcre:"/^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})$/R"; reference:md5,d8dbaecab080b40e7782b10affb630f4; classtype:command-and-control; sid:2030678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; http.uri; content:".php?ver="; content:"&cver="; fast_pattern; content:"&id="; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:7; metadata:created_at 2010_10_25, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish 2015-10-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sitedomain="; depth:11; nocase; fast_pattern; content:"&loginId="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031779; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Loader default URI struct"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pony"; fast_pattern; content:"/gate.php"; nocase; classtype:trojan-activity; sid:2017065; rev:6; metadata:created_at 2013_06_25, former_category CURRENT_EVENTS, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Dec 4 2015 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hidCflag="; nocase; depth:9; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; distance:0; nocase; content:"sign"; nocase; distance:0; classtype:credential-theft; sid:2022217; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay.P Ransomware"; flow:established,to_server; urilen:33; http.uri; pcre:"/^\/[a-f0-9]{32}$/"; http.user_agent; content:"MSIE 9.0|3b|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2017269; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Sep 28 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"number"; depth:6; nocase; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&FormsButton"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025029; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Configuration File Request"; flow:established,to_server; flowbits:set,et.stealrat.config; http.uri; content:"/lts.txt"; fast_pattern; pcre:"/^\x2Flts\x2Etxt$/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017274; rev:4; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Banking Phish (BR) 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; fast_pattern; content:"conta="; nocase; content:"digito="; nocase; classtype:credential-theft; sid:2032293; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Email Template Request"; flow:established,to_server; http.uri; content:"/ae1.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017276; rev:4; metadata:created_at 2013_08_05, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"address="; depth:8; fast_pattern; content:"&driver="; distance:0; content:"&employer="; distance:0; content:"&submitBtn=Continue"; distance:0; classtype:credential-theft; sid:2031760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco Reporting Hacked Accounts"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bruteres.php"; fast_pattern; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; classtype:trojan-activity; sid:2017311; rev:5; metadata:created_at 2013_08_12, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"sin1="; depth:5; fast_pattern; content:"&amount="; distance:0; content:"&name="; distance:0; content:"&submitBtn=Continue"; distance:0; classtype:credential-theft; sid:2031759; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxychecker Lookup"; flow:established,to_server; http.uri; content:"/proxy/proxychecker/"; nocase; fast_pattern; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis; classtype:trojan-activity; sid:2017344; rev:5; metadata:created_at 2013_08_19, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ccname="; depth:7; fast_pattern; content:"&cc="; nocase; distance:0; content:"&ccmm="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&sin1="; nocase; distance:0; content:"&atm="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"=Submit+Form"; nocase; distance:0; classtype:credential-theft; sid:2032289; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Troj.Cidox Checkin"; flow:established,to_server; http.uri; content:".php?sign="; fast_pattern; content:"&key="; content:"&av="; content:"&os="; content:"&vm="; content:"&digital="; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:command-and-control; sid:2017349; rev:5; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Carribean International Bank Account Phish 2015-08-25"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"secq1="; depth:6; nocase; fast_pattern; content:"&ans1="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&email="; distance:0; nocase; classtype:credential-theft; sid:2031766; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegSubsDat Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2014310; rev:7; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CenturyLink Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.header; content:!"www.nwcable.net"; http.request_body; content:"domain="; depth:7; nocase; content:"&bounceto="; nocase; distance:0; content:"&submitted_data="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&email_domain="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032297; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitcoin variant Checkin"; flow:to_server,established; http.uri; content:"/register_slave.php"; fast_pattern; http.header_names; content:!"|0d 0a|Referer"; nocase; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; classtype:coin-mining; sid:2017369; rev:4; metadata:created_at 2013_08_23, former_category MALWARE, updated_at 2020_09_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-16"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hdnPrevSelectedRadio="; depth:21; nocase; content:"&hdnRHSLinkClicked="; nocase; distance:0; content:"&SESSION="; nocase; distance:0; content:"&__EVENTTARGET="; nocase; distance:0; content:"&__EVENTVALIDATION="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&epass="; nocase; distance:0; fast_pattern; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032311; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Vabushky.A Malicious driver download"; flow:established,to_server; http.uri; content:".bmp.gz"; fast_pattern; pcre:"/\/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$/i"; reference:url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/; classtype:trojan-activity; sid:2017377; rev:4; metadata:created_at 2013_08_27, updated_at 2020_09_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&auth_userId="; nocase; fast_pattern; content:"&auth_passwd="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&branch_assist="; nocase; distance:0; classtype:credential-theft; sid:2031798; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac FACEPUNCH Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.header; content:"X-Request-Kind-Code|3a 20|"; fast_pattern; http.user_agent; content:"Mozilla"; startswith; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf; classtype:trojan-activity; sid:2017455; rev:8; metadata:created_at 2013_09_11, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M1 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__EVENTTARGET="; depth:14; nocase; content:"&auth_userId="; nocase; distance:0; fast_pattern; content:"&auth_passwd="; nocase; distance:0; content:"&auth_passwd_org="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dipverdle.A Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cp/?"; nocase; fast_pattern; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/i"; http.request_body; content:"token="; nocase; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:4; metadata:created_at 2013_09_17, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hdnPrevSelectedRadio="; depth:21; nocase; content:"&hdnRHSLinkClicked="; nocase; distance:0; fast_pattern; content:"&inptUserId"; nocase; distance:0; content:"&ip_header="; nocase; distance:0; content:"&BirthMonth="; nocase; distance:0; content:"&exp_mon="; nocase; distance:0; content:"&exp_year="; nocase; distance:0; content:"&ccv"; nocase; distance:0; classtype:credential-theft; sid:2032307; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unicorn Stealer Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename="; content:"form-data|3b 20|name=|22|filename|22 0d 0a|"; content:"form-data|3b 20|name=|22|submit|22 0d 0a|"; content:"form-data|3b 20|name=|22|id|22 0d 0a|"; content:"form-data|3b 20|name=|22|src|22 0d 0a|"; fast_pattern; content:"form-data|3b 20|name=|22|type|22 0d 0a|"; content:"form-data|3b 20|name=|22|on|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1307025445536239616; reference:md5,852646191db6768157a7fddcc13afed2; classtype:trojan-activity; sid:2030894; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032299; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw Requesting Additional Modules From CnC"; flow:established,to_server; http.uri; content:"/ping.html?r="; fast_pattern; content:!"/utils/"; pcre:"/\x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$/"; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016507; rev:7; metadata:created_at 2013_02_27, former_category MALWARE, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] TR/Spy.Banker.agdtw Checkin"; flow:established,to_server; http.uri; content:"page"; http.method; content:"POST"; http.header; content:"Connection|3a 20|"; content:"Content-Type|3a 20|multipart"; nocase; distance:0; content:"Content-Length|3a 20|"; nocase; distance:0; content: "Accept|3a 20|"; distance:0; content: "Accept-Encoding|3a 20|"; nocase; distance:0; content:"User-Agent|3a 20|"; distance:0; http.request_body; content:"name=|22|ing|22|"; fast_pattern; depth:300; content:"name=|22|AT|22|"; within:300; content:"ver"; within:300; content:"name=|22|MD|22|"; within:300; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024780; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-driver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-driver"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017519; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 29 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Google Security"; nocase; fast_pattern; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; classtype:social-engineering; sid:2022992; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-process)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-process"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017521; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Formgrabber Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"c="; depth:2; content:"&v="; distance:0; content:"&h="; distance:0; content:"&t="; fast_pattern; distance:0; pcre:"/^c=[A-F0-9]{10,}&v=[^&]+&h=[^&]+&t=[0-9]$/si"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cb066c5625aa85957d6b8d4caef4e497; reference:url,thisissecurity.stormshield.com/2017/09/28/analyzing-form-grabber-malware-targeting-browsers; classtype:trojan-activity; sid:2024781; rev:3; metadata:created_at 2017_09_28, former_category TROJAN, updated_at 2020_08_12;)
+alert  http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-cmd-shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-cmd-shell"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017522; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M1 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agg="; depth:4; nocase; content:"&acc="; nocase; distance:0; content:"&ss"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DATA-BROKER BOT Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"g="; depth:2; content:"&cmd="; fast_pattern; pcre:"/^g=[A-Z0-9]+&cmd=/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:5; metadata:created_at 2013_09_25, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan tools.ini Request"; flow:established,to_server; http.uri; content:"/tools.ini"; fast_pattern; bsize:10; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017585; rev:5; metadata:created_at 2013_10_14, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M3 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cvv="; depth:4; nocase; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kovter Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?mode="; nocase; content:"&OS="; nocase; content:"&OSbit="; nocase; fast_pattern; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:14; metadata:attack_target Client_Endpoint, created_at 2013_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_21, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022497; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Egobot Checkin"; flow:to_server,established; http.uri; content:".php?arg1="; nocase; fast_pattern; content:"&arg2="; pcre:"/&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/i"; reference:url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; classtype:command-and-control; sid:2017600; rev:4; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Phish M3 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Webmail|20 3a 3a 20|Verify"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"has been successfully verified"; nocase; distance:0; content:"Thank you for using our"; nocase; distance:0; content:"We will redirect you shortly"; nocase; distance:0; content:"Webmail Security Systems"; nocase; distance:0; classtype:credential-theft; sid:2032286; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Install"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/stats/debug/"; fast_pattern; content:"/?ts="; content:"&ver="; content:"&group="; content:"&token="; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:4; metadata:created_at 2013_10_30, updated_at 2020_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Phish M2 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Webmail|20 3a 3a 20|Verify"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"Please Provide your phone number used in creation"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; content:"Webmail Security Systems"; nocase; distance:0; classtype:credential-theft; sid:2032285; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?computer-name="; fast_pattern; content:"&username="; distance:0; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Cache"; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030895; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing M1 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Manage your Apple"; nocase; fast_pattern; content:"si-password"; nocase; distance:0; content:"si-remember-password"; nocase; distance:0; classtype:credential-theft; sid:2032279; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-sharepoint.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030896; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Rampant_Kitten, updated_at 2020_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"em="; nocase; depth:3; fast_pattern; content:"&psw="; nocase; content:"&sub="; nocase; classtype:credential-theft; sid:2032284; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-onedrive.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030897; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Rampant_Kitten, updated_at 2020_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Phish 2015-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"feedback="; nocase; depth:9; fast_pattern; content:"&feedbacknow="; nocase; distance:0; classtype:credential-theft; sid:2031774; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Usrname="; fast_pattern; content:"&0S-Name="; distance:0; content:"&Pt-Name="; distance:0; content:"&ToolsIsActive"; endswith; http.user_agent; content:"Python-urllib/"; startswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030898; rev:1; metadata:created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:6; content:"&pass"; nocase; distance:0; content:"&formimage1.x="; fast_pattern; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032287; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Stitur Secondary Download"; flow:established,from_server; http.header; content:".file|0d 0a|"; fast_pattern; content:"Content-Description|3a 20|File Transfer|0d 0a|"; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; pcre:"/filename=[a-f0-9]{13}\.file\r\n/"; classtype:trojan-activity; sid:2017700; rev:5; metadata:created_at 2013_11_09, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UK Tax Phishing M2 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; fast_pattern; content:"&securessl="; distance:0; http.request_body; content:"username="; depth:9; nocase; content:"&password="; distance:0; nocase; reference:md5,8a14eb5764c7c9d01b2b64430933036d; classtype:credential-theft; sid:2032278; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Monitor Request CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/monitor.php?resp=ID|3a|"; fast_pattern; content:"Target|3a|"; content:"Message|3a|"; pcre:"/\/monitor\.php\?resp=ID\x3a[A-Za-z]{15}/"; http.user_agent; content:"Mozilla/4.0 (SEObot)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017717; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UK Tax Phishing M1 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; fast_pattern; content:"&securessl="; distance:0; http.request_body; content:"form-data|3b 20|name=|22|email|22|"; content:"form-data|3b 20|name=|22|ccexp|22|"; nocase; distance:0; reference:md5,8a14eb5764c7c9d01b2b64430933036d; classtype:credential-theft; sid:2032277; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Command Request CnC Beacon"; flow:established,to_server; http.uri; content:"/gate.php?cmd="; fast_pattern; pcre:"/\/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017723; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M1 Mar 25 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your session has timed out"; fast_pattern; nocase; content:"Click OK to sign in and continue"; nocase; distance:0; classtype:social-engineering; sid:2025694; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kryptik Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&bot_id="; nocase; fast_pattern; pcre:"/\.php\?(q|name)=/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:attempted-user; sid:2017741; rev:5; metadata:created_at 2013_11_22, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cpf="; depth:4; nocase; fast_pattern; content:"&s6="; nocase; distance:0; classtype:credential-theft; sid:2024800; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; urilen:35<>37; http.method; content:"POST"; http.uri; content:".aspx?Random="; fast_pattern; pcre:"/^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$/i"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017858; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag_ct="; depth:6; nocase; content:"&ct_ct="; nocase; distance:0; content:"&us_user="; nocase; distance:0; content:"&us_pant="; nocase; distance:0; fast_pattern; content:"&sender="; nocase; distance:0; content:"&btn_now="; nocase; distance:0; classtype:credential-theft; sid:2024802; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; threshold:type both,track by_src,count 2,seconds 60; http.method; content:"POST"; http.uri; content:"/201"; fast_pattern; content:".jsp"; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)"; bsize:101; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:command-and-control; sid:2017967; rev:5; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-12-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlineID1="; depth:10; nocase; content:"&passcode1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG JAVAFOG JAR checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"?title=2.0_-"; fast_pattern; http.user_agent; content:"Java"; startswith; http.request_body; content:"content=HostName|3a 20|"; depth:18; content:"|0d 0a|Java Version|3a 20|"; distance:0; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:command-and-control; sid:2017972; rev:6; metadata:created_at 2014_01_15, former_category MALWARE, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish Outlook Credentials Oct 01 2015"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"outlookuser="; depth:12; nocase; fast_pattern; content:"outlookpassword="; nocase; distance:0; classtype:credential-theft; sid:2021890; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; http.method; content:"GET"; http.uri; content:"/reboot/index.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:command-and-control; sid:2018023; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passwd"; distance:0; nocase; classtype:credential-theft; sid:2022967; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StoredBt.A Activity"; flow:to_server,established; http.uri; content:".php?a1="; fast_pattern; pcre:"/\.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,e8e9eb1cd4be7ab27743887be2aa28e9; classtype:trojan-activity; sid:2018074; rev:4; metadata:created_at 2014_02_05, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&forgotPassword="; nocase; distance:0; content:"&lat="; nocase; distance:0; content:"&userName="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022978; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin 2"; flow:to_server,established; http.uri; content:"/post/echo"; fast_pattern; bsize:10; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018128; rev:4; metadata:created_at 2014_02_13, former_category MALWARE, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&bankId="; fast_pattern; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&q1="; nocase; distance:0; classtype:credential-theft; sid:2022979; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alman Dropper Checkin"; flow:established,to_server; http.uri; content:"?action=post&HD="; fast_pattern; content:"&OT="; content:"&IV="; pcre:"/&HD=[A-F0-9]{32}&/"; reference:url,doc.emergingthreats.net/2009203; classtype:command-and-control; sid:2009203; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"holdername="; nocase; depth:11; fast_pattern; content:"&numcard"; nocase; distance:0; content:"&ccv"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2023043; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin 2"; flow:to_server,established; http.uri; content:"/cmd?version="; fast_pattern; content:"&aid="; content:"&id="; content:"&os="; pcre:"/&id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018198; rev:6; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Common /mpp/ Phishing URI Structure 2016-02-08"; flow:to_server,established; http.uri; content:"/mpp/"; fast_pattern; pcre:"/(?:\/mpp\/[0-9a-f]{32}\/|\/[0-9a-f]{32}\/mpp\/)/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:social-engineering; sid:2032370; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Geral Checkin"; http.uri; content:".asp?MAC="; nocase; fast_pattern; content:"&ver="; nocase; pcre:"/\.asp\?MAC=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&VER=[^&]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f01260fff3d6fb705fc8afaa3ea54564; classtype:command-and-control; sid:2018201; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AirCanada Phish 2015-08-06"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"aircanada"; nocase; fast_pattern; classtype:credential-theft; sid:2031757; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin"; flow:to_server,established; http.uri; content:"/log?"; content:"|7c|aid="; fast_pattern; content:"|7c|version="; content:"|7c|id="; content:"|7c|os="; pcre:"/\/log\?(start|install)\x7caid=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018205; rev:5; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish Oct 10 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Password1="; depth:10; nocase; fast_pattern; classtype:credential-theft; sid:2025031; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?r=cmd"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,e47a296bac49284371ac396a053a8488; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030904; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"FNAME="; nocase; depth:6; fast_pattern; content:"&LNAME="; nocase; distance:0; content:"&Address="; nocase; distance:0; content:"&SSN="; nocase; distance:0; classtype:credential-theft; sid:2031772; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RDP Brute Force Bot Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cmd.php"; http.user_agent; content:"Browser"; depth:7; http.request_body; content:"name=|22|data|22|"; content:"{ |22|bad|22 20 3a 20|"; content:", |22|bruting|22 20 3a 20|"; fast_pattern; content:", |22|checked|22 20 3a 20|"; reference:md5,c0c1f1a69a1b59c6f2dab18135a73919; reference:md5,e310cf7385ae4d15956e461c6d118c91; reference:md5,d316d208a66248c09986896f671f1db1; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018253; rev:8; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=3d3d3d3d3d3d3d3d3d"; nocase; fast_pattern; distance:0; content:"5573657220496e666f"; nocase; distance:0; content:"557365724944"; distance:0; content:"50617373776f7264"; nocase; distance:0; classtype:credential-theft; sid:2031773; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Expiro.CD Check-in"; flow:established,to_server; http.uri; content:"/gate.php?user="; fast_pattern; content:"&id="; nocase; content:"&type="; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:4; metadata:created_at 2014_03_12, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS DOC Download from commonly abused file share site"; flow:to_server,established; http.uri; content:".doc"; http.host; content:"a.pomf.cat"; fast_pattern; bsize:10; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024836; rev:3; metadata:created_at 2017_10_11, former_category CURRENT_EVENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_SLOTH.A Checkin"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/help.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:command-and-control; sid:2018285; rev:6; metadata:created_at 2014_03_17, former_category MALWARE, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"isJsEnabled="; depth:12; nocase; content:"&source_app="; nocase; distance:0; content:"&tryCount="; nocase; distance:0; content:"pass"; nocase; distance:0; content:"&loginCsrfParam="; nocase; distance:0; fast_pattern; content:"&sourceAlias="; nocase; distance:0; classtype:credential-theft; sid:2032411; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus GameOver Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a 20|"; http.host; content:"default"; fast_pattern; startswith; content:!"."; reference:md5,bd850c21254c33cd9f6be41aafc6bf46; classtype:command-and-control; sid:2018296; rev:4; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"countrycode="; depth:12; fast_pattern; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2032400; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; fast_pattern; tls.cert_issuer; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; reference:url,twitter.com/bryceabdo/status/1308802052487774210; classtype:domain-c2; sid:2030901; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M1 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"pass1="; depth:6; fast_pattern; nocase; content:"&pass2="; nocase; distance:0; content:"&email="; nocase; distance:0; classtype:credential-theft; sid:2032382; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nlog/nlog"; fast_pattern; content:".php"; http.header; content:"Content-Length|3a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017465; rev:6; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M2 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"Password Reset"; nocase; distance:0; content:"<meta http-equiv="; nocase; content:"REFRESH"; nocase; distance:1; within:7; content:"loader.gif"; distance:0; classtype:credential-theft; sid:2032383; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=conwaytools.me"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/bryceabdo/status/1308743381099646976; classtype:domain-c2; sid:2030902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M3 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"Password Reset"; nocase; distance:0; content:"<meta http-equiv="; nocase; content:"REFRESH"; nocase; distance:1; within:7; content:"Your account is safe"; distance:0; classtype:credential-theft; sid:2032384; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mal/Ransom-CE Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/windows"; fast_pattern; endswith; http.user_agent; content:"MSIE"; http.host; content:"www.microsoft.com"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,6faa7077de347ee0fa8c991934c2c3a5; reference:md5,a1fe3a7ff1ec997411b71212483eea33; reference:md5,97c0000473c5004d2e8c0464e322f429; classtype:trojan-activity; sid:2018295; rev:5; metadata:created_at 2014_03_18, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"IDUser="; nocase; depth:7; fast_pattern; content:"&Passcode="; nocase; distance:0; content:"&Token="; nocase; distance:0; classtype:credential-theft; sid:2031771; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=TR, ST=Istanbul, L=Istanbul Buyuksehir Belediyesi, O=EsT Country, OU=ESTTKEY, CN=alahuakber"; bsize:93; fast_pattern; reference:url,twitter.com/bryceabdo/status/1308778721797640195; classtype:domain-c2; sid:2030903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing CSS 2015-12-01"; flow:established,to_client; http.content_type; content:"text/css"; startswith; file.data; content:"|2e|Anonisma"; fast_pattern; nocase; classtype:social-engineering; sid:2031791; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/counter.img?theme="; fast_pattern; content:"&digits="; content:"&siteId="; http.user_agent; content:"Opera/9 (Windows NT"; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:command-and-control; sid:2015723; rev:6; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing CSS 2015-12-29"; flow:established,from_server; http.content_type; content:"text/css"; startswith; file.data; content:".ANON-000-ISMA"; nocase; fast_pattern; classtype:social-engineering; sid:2031800; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=moist.company"; nocase; endswith; classtype:domain-c2; sid:2030899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&sms"; nocase; distance:0; classtype:credential-theft; sid:2024838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (Download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"seCurEstrInGTogloBALAlLoCUnicOdE|28 20 24 28 27|76492d1116743f0423413b16050a5345MgB8A"; nocase; fast_pattern; reference:md5,fc30e902d1098b7efd85bd2651b2293f; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030905; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2024839; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?p="; fast_pattern; content:"&s="; content:"&v="; distance:0; content:"uid="; distance:0; content:"&q="; distance:0; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2009299; classtype:trojan-activity; sid:2009299; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-05-26"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<META HTTP-EQUIV="; nocase; content:"Refresh"; distance:1; nocase; content:"wellsfargo.com"; nocase; content:"Authenticating Account"; fast_pattern; nocase; distance:0; content:"information submitted successfully"; nocase; distance:0; classtype:credential-theft; sid:2032385; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE hacker87 checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/AppEn.php"; fast_pattern; http.request_body; content:"parameter="; depth:10; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:command-and-control; sid:2018420; rev:4; metadata:created_at 2014_04_25, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Windows Settings Phishing Landing Jul 22 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:social-engineering; sid:2024098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest - Post Data Form 01"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/post.aspx?"; fast_pattern; pcre:"/^\/post\.aspx\?[^&]+=[0-9]{9,10}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018425; rev:4; metadata:created_at 2014_04_28, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Am3Refh Obfuscated Phishing Landing 2016-02-23"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Am3Refh.Com -->"; nocase; fast_pattern; content:"document.write"; nocase; distance:0; classtype:social-engineering; sid:2032371; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.qgxi Checkin"; flow:to_server,established; http.uri; content:".php?bot="; fast_pattern; http.cookie; content:"bot="; depth:4; reference:md5,0b450a92f29181065bc6601333f01b07; reference:md5,548fbf4dde27e725c0a1544f61362b50; reference:url,arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising; classtype:command-and-control; sid:2018412; rev:10; metadata:created_at 2013_10_31, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shipping Document Phishing Landing 2016-06-23"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>SHIPPING DOCUMENT"; nocase; fast_pattern; content:"Login Your Email To View Bill"; nocase; distance:0; content:"Lading and Invoice Document"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"<!-- Payment form -->"; nocase; distance:0; classtype:social-engineering; sid:2032395; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin"; flow:established,to_server; http.uri; content:"/0001"; fast_pattern; pcre:"/^\/j\/[a-f0-9]{8}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{12}\/0001\/?$/"; reference:url,www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103; classtype:command-and-control; sid:2018448; rev:5; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2016-03-10"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Send &amp|3b 20|Receive"; fast_pattern; nocase; content:"Adobe SendNow"; nocase; distance:0; content:"Click to Select Provider"; nocase; distance:0; content:"value=|22|gmail"; nocase; distance:0; classtype:social-engineering; sid:2032373; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Register CnC Beacon"; flow:established,to_server; urilen:55; http.uri; content:"/el/sregister.php?name="; fast_pattern; pcre:"/^\x2Fel\x2Fsregister\x2Ephp\x3Fname\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018474; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing 2016-05-02"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe Online"; fast_pattern; nocase; content:"form method="; nocase; distance:0; content:"post"; nocase; distance:1; content:"someone@example.com"; nocase; distance:0; reference:md5,29e993483411a58d51b9032676a623a2; classtype:social-engineering; sid:2032381; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Login CnC Beacon"; flow:established,to_server; urilen:51; http.uri; content:"/el/slogin.php?uid="; fast_pattern; pcre:"/^\x2Fel\x2Fslogin\x2Ephp\x3Fuid\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018475; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Cloud Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe File"; fast_pattern; nocase; content:"require sign in with your receiving email"; nocase; distance:0; content:"Adobe Document Cloud"; nocase; distance:0; classtype:social-engineering; sid:2032386; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hicrazyk.A Downloader Install CnC Beacon"; flow:established,to_server; http.uri; content:"/setup/?name="; fast_pattern; content:"&ini="; content:"&v="; http.user_agent; content:"NSISDL/"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FHicrazyk.A&ThreatID=-2147281007; reference:md5,ddb8110ec415b7b6f43c0ef2b4076d45; classtype:command-and-control; sid:2018435; rev:9; metadata:attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phishing 2015-11-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; content:"&password="; nocase; distance:0; content:"&ip_address="; nocase; distance:0; fast_pattern; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:credential-theft; sid:2031788; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Agent.ksja"; flow:established,to_server; http.uri; content:".php?m="; fast_pattern; pcre:"/\.php\?m=[A-F0-9]{12}/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b 29 0d 0a|Host|3a|"; depth:54; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,3b440e052da726942763d11cf9e3f72c; classtype:trojan-activity; sid:2018507; rev:5; metadata:created_at 2014_05_29, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"reason="; nocase; depth:7; fast_pattern; content:"Access_ID="; nocase; distance:0; content:"Current_Passcode="; nocase; distance:0; classtype:credential-theft; sid:2015909; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypt.nc Checkin"; flow:to_server,established; http.uri; content:".php?l"; content:"&rvz1="; fast_pattern; content:"&rvz2="; pcre:"/&rvz1=\d+&rvz2=\d+?$/"; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2008567; classtype:command-and-control; sid:2008567; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/myform.php"; classtype:credential-theft; sid:2016327; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.Agent.U3D7V0 Checkin"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/getc"; content:"/?c="; fast_pattern; pcre:"/^\/getc(?:loud|onf)\/\?c=/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,97572a7a0690ba1643525bf6666b74c6; classtype:command-and-control; sid:2018530; rev:5; metadata:created_at 2014_06_05, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fname="; content:"lname="; content:"hnum="; content:"snam="; classtype:credential-theft; sid:2018305; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Etumbot.B Requesting RC4 Key"; flow:to_server,established; http.uri; content:"/home/index.asp?typeid="; nocase; fast_pattern; pcre:"/^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$/i"; http.referer; content:"http|3a|//www.google.com/"; bsize:22; reference:md5,82d4850a02375a7447d2d0381b642a72; reference:md5,ff5a7a610746ab5492cc6ab284138852; reference:url,arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; classtype:trojan-activity; sid:2018552; rev:5; metadata:created_at 2014_06_09, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012"; flow:established,to_server; http.uri; content:"/Logon.php?LOB=RBG"; content:"&_pageLabel=page_"; classtype:social-engineering; sid:2015938; rev:4; metadata:created_at 2012_11_27, former_category PHISHING, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar Downloader Request"; flow:established,to_server; http.uri; content:"/tasksz.php?"; fast_pattern; pcre:"/\/tasksz\.php\?(?:dc|load)/"; http.user_agent; content:"Google Bot"; bsize:10; reference:url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml; reference:url,doc.emergingthreats.net/2010288; classtype:trojan-activity; sid:2010288; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 30 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_email="; content:"login_password="; content:"target_page="; classtype:credential-theft; sid:2015972; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; http.uri; content:"/bb.php"; nocase; fast_pattern; content:"id="; nocase; content:"v="; nocase; content:"tm="; nocase; content:"b="; nocase; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; reference:url,doc.emergingthreats.net/2010756; classtype:trojan-activity; sid:2010756; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Dec 19 2012"; flow:established,to_server; http.request_body; content:"login_email="; content:"login_password="; content:"browser_version="; content:"operating_system="; fast_pattern; classtype:credential-theft; sid:2016063; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?secue="; fast_pattern; content:"&pro="; content:"|2c|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/; reference:md5,1c29b24d4d4ef7568f519c470b51bbed; classtype:targeted-activity; sid:2018631; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.request_body; content:"theAccountName="; content:"theAccountPW="; classtype:credential-theft; sid:2018304; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 2"; flow:established,to_server; http.uri; content:".php?file"; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Ffile(?:index\x3D[A-Z]|n\x3Dnoexist|wh\x3Dfalse)/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018632; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL/PayPal Phish Nov 24 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"1="; content:"2="; content:"submit.x=Login"; classtype:credential-theft; sid:2019781; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 3"; flow:established,to_server; http.uri; content:".php?Re="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3FRe\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018633; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish Oct 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"expm="; nocase; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025030; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 4"; flow:established,to_server; http.uri; content:".php?verify="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Fverify\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018634; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Jan 23 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale.x="; nocase; content:"&processSignin="; nocase; distance:0; fast_pattern; content:"email="; nocase; distance:0; content:"password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2023760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Exorcist 2.0 Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header.raw; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)|20 0d 0a|"; fast_pattern; http.request_body; content:"d="; depth:2; isdataat:100,relative; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; http.header_names; content:!"Referer"; reference:md5,9e5c89c84cdbf460fc6857c4e32dafdf; classtype:command-and-control; sid:2030906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family Exorcist_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Revalidation Phish Landing Nov 13 2015"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Revalidation</title>"; fast_pattern; nocase; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; content:"REVALIDATION"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:social-engineering; sid:2022086; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/SunCrypt Ransomware CnC Activity"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"|19 10 03 41 24 29 70 24|"; depth:8; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,c171bcd34151cbcd48edbce13796e0ed; classtype:command-and-control; sid:2030907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family SunCrypt, signature_severity Major, tag Ransomware, updated_at 2020_09_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"fName="; depth:6; nocase; content:"&lName="; nocase; distance:0; content:"&ZIPCode="; nocase; distance:0; classtype:credential-theft; sid:2022498; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/black/?"; fast_pattern; http.request_body; content:"tipo="; depth:5; content:"&cliente="; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:command-and-control; sid:2018641; rev:5; metadata:created_at 2014_07_04, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"ccNum="; depth:6; nocase; content:"&NameOnCard="; nocase; distance:0; content:"&CVV="; nocase; distance:0; classtype:credential-theft; sid:2022499; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; pcre:"/\.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018649; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Suspended Account Phishing Landing Aug 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Log in to my account"; nocase; fast_pattern; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:social-engineering; sid:2023044; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.request_body; content:"OPC="; nocase; fast_pattern; pcre:"/^OPC=\d/i"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018653; rev:4; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phishing Landing Aug 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:social-engineering; sid:2023045; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".hlp"; nocase; fast_pattern; pcre:"/^\/[^\x2f]+?\.hlp$/i"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018654; rev:5; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; nocase; content:"pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024554; rev:8; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auth.cgi?mode="; fast_pattern; content:"&id="; content:"&serv="; distance:0; content:"&lang="; distance:0; content:"&q="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018669; rev:4; metadata:created_at 2014_07_12, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&address"; nocase; fast_pattern; content:"&cc"; nocase; content:"&cvv"; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2024556; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 2"; flow:established,to_server; http.uri; content:"/default.asp?act="; fast_pattern; content:"&id="; content:"&item="; distance:0; content:"&cln="; distance:0; content:"&flt="; distance:0; content:"&serv="; distance:0; content:"&t="; distance:0; content:"&mode="; distance:0; content:"&lang="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018670; rev:5; metadata:created_at 2014_07_12, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&email="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024557; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya Credit Card Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"&ccnum="; fast_pattern; content:"mode="; depth:5; content:"&compinfo="; distance:0; content:"&type="; distance:0; content:"&track="; distance:0; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; reference:url,fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf; classtype:trojan-activity; sid:2018680; rev:4; metadata:created_at 2014_07_16, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; fast_pattern; nocase; content:"pwd"; nocase; distance:0; classtype:credential-theft; sid:2024558; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin 2"; flow:established,to_server; urilen:7; http.method; content:"GET"; http.uri; content:"/u.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:command-and-control; sid:2018687; rev:4; metadata:created_at 2014_07_17, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; fast_pattern; nocase; content:"pwd="; nocase; distance:0; classtype:credential-theft; sid:2024561; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz / Asprox checkin"; flow:established,to_server; http.uri; content:"/api/"; fast_pattern; pcre:"/^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$/"; reference:url,garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html; reference:url,blog.malcovery.com/blog/more-information-on-this-weeks-e-zpass-scam; classtype:command-and-control; sid:2018739; rev:4; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"jar"; nocase; depth:3; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&login="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024562; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asterope Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; content:"&id="; distance:0; content:"&os="; distance:0; content:"&res="; distance:0; http.header; content:"Accept-Asterope|3a|"; fast_pattern; reference:md5,19190ef53877979191f6889c6a795f31; classtype:command-and-control; sid:2018750; rev:5; metadata:created_at 2014_06_23, former_category MALWARE, updated_at 2020_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024563; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win.Trojan.Agent-29225 Checkin"; flow:to_server,established; http.uri; content:"/proxy.exe"; nocase; fast_pattern; http.user_agent; content:"Java/1"; nocase; reference:url,virustotal.com/file/17b1639c08352cc37baac08f23137563546750292131896f37fd8be8c9412407/analysis/; classtype:command-and-control; sid:2018763; rev:6; metadata:created_at 2013_01_22, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formtext"; nocase; content:"&formtext"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024564; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kbot.Backdoor Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat.php"; nocase; http.request_body; content:"id="; depth:3; content:"&build_id="; fast_pattern; pcre:"/&build_id=[A-F0-9]+$/i"; reference:md5,1df0ceab582ae94c83d7d2c79389e178; classtype:command-and-control; sid:2018078; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Docusign Phish 2015-07-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; fast_pattern; content:"&Password="; distance:0; content:"&EmailLinkId="; distance:0; content:"RedirectUrl="; distance:0; classtype:credential-theft; sid:2031749; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff POS Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"&op="; depth:4; content:"&id="; content:"&ui="; content:"&wv="; fast_pattern; content:"&bv="; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:command-and-control; sid:2018857; rev:8; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Phish Fake Document Loading Error 2015-07-27"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|2f 2f|configure destination URL"; nocase; content:"VERIFYING LOGIN"; fast_pattern; nocase; content:"LOGIN ACCEPTED"; nocase; distance:0; content:"|2f 2f|Do not edit below this line"; nocase; classtype:credential-theft; sid:2031750; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 1"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/project/check.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,12854bb8d1e6a590e1bd578267e4f8c9; classtype:command-and-control; sid:2018882; rev:6; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-30"; flow:to_server,established; http.method; content:"POST"; http.header; content:"apple.com"; nocase; http.request_body; content:"user="; depth:5; nocase; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 2"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/dr.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,c0656b66b9f4180e59e1fd2f9f1a85f2; classtype:command-and-control; sid:2018883; rev:5; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2015-07-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"password="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2031756; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pgift.Backdoor APT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pgift.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:targeted-activity; sid:2018869; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Credential Phish 2015-08-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?rand="; content:"&email="; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2031758; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/qsc.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:command-and-control; sid:2018884; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Renew Phish 2015-08-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; nocase; depth:6; content:"&emailpassword="; nocase; distance:0; fast_pattern; content:"&submit=Submit"; nocase; distance:0; classtype:credential-theft; sid:2031813; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 1"; flow:established,to_server; urilen:17; http.method; content:"HEAD"; http.uri; content:"/GlobalUpdate.upt"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018889; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN struts-pwn User-Agent"; flow:established,to_server; http.user_agent; content:"struts-pwn"; depth:10; fast_pattern; reference:url,github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py; reference:cve,2017-9805; reference:url,paladion.net/paladion-cyber-labs-discovers-a-new-ransomware/; classtype:attempted-user; sid:2024843; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_16, deployment Datacenter, former_category SCAN, performance_impact Moderate, signature_severity Minor, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 2"; flow:established,to_server; urilen:9; http.method; content:"HEAD"; http.uri; content:"/all.wipe"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018890; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (FR) Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; content:"&mdp="; nocase; distance:0; content:"&toppl="; nocase; distance:0; fast_pattern; content:"Paypal"; nocase; distance:0; classtype:credential-theft; sid:2024847; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upfornow/connect.php"; fast_pattern; http.header; content:"Content-Length|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f085395253a40ce8ca077228c2322010; reference:url,securityblog.s21sec.com/2014/08/kronos-is-here.html; classtype:command-and-control; sid:2018891; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rememberMeStatus="; depth:17; fast_pattern; content:"&userId="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031832; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  BITTERBUG Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/vtris"; fast_pattern; content:".php?srs="; pcre:"/\/vtris\d?\.php\?srs=\d{1,10}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018901; rev:4; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"usernms="; nocase; depth:8; content:"&pswds="; nocase; distance:0; classtype:credential-theft; sid:2031834; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Config Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/soft"; content:".dll"; fast_pattern; pcre:"/\/soft(?:32|64)\.dll$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; content:"User-Agent|3a|"; http.header_names; content:!"Referer"; reference:md5,5a99a6a6cd8600ea88a8fcc1409b82f4; classtype:trojan-activity; sid:2018661; rev:5; metadata:created_at 2014_07_10, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-11-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; content:"&DownTimeMessage="; nocase; distance:0; classtype:credential-theft; sid:2031856; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OneLouder Common URI Struct"; flow:established,to_server; http.uri; content:"/ord/"; fast_pattern; content:".exe"; nocase; pcre:"/\/ord\/[^\x2f]+?\.exe$/i"; classtype:trojan-activity; sid:2018929; rev:4; metadata:created_at 2014_08_13, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; content:"&password="; fast_pattern; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032399; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Steam.NBP Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?file="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,17d2b62f2fa20f407485437de17787fb; reference:md5,bec091077138a1cac49db00495d456e7; classtype:command-and-control; sid:2018949; rev:5; metadata:created_at 2014_08_18, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>DHL"; nocase; fast_pattern; content:"Dowloading"; nocase; content:"Click OK to continue"; nocase; distance:0; content:"Beginning of IP Script"; nocase; distance:0; classtype:social-engineering; sid:2032363; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Downloading Config"; flow:established,to_server; http.uri; content:"/zConfig/"; fast_pattern; pcre:"/\/zConfig\/\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-99; classtype:trojan-activity; sid:2018960; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.JS.Agent.dwz Checkin"; flow:established,to_server; http.request_body; content:!"|00|"; content:"|61 3d|"; depth:2; fast_pattern; byte_extract:2,12,byte0,relative; byte_test:2,=,byte0,30,relative; isdataat:!33,relative; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f886dbf6bd47a0a015ef40fc2bed03a2; classtype:command-and-control; sid:2024848; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/zImprimer/"; fast_pattern; pcre:"/\/zImprimer\/\d+-/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018961; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"auth255|3a 20|login"; fast_pattern; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{30,60})$/R"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024849; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/enc/1"; fast_pattern; pcre:"/\/enc\/1$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018962; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OX App Suite Phish 2017-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"location="; depth:9; nocase; content:"&loginpage="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2029663; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python.Ragua Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebCam/Cam.txt"; nocase; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; nocase; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66108/el-machete/; reference:md5,a8602b4c35f426107c9667d804470745; classtype:command-and-control; sid:2018968; rev:5; metadata:created_at 2014_08_20, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"sqlmapff.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024855; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX variant"; flow:to_server,established; threshold: type both, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"/p/"; depth:3; pcre:"/^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/"; http.header; content:"code.google.com"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,f92e9e3e86856b5c0ee465f77a440abb; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:9; metadata:created_at 2014_08_22, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"strangelol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024851; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xema dropping file"; flow:to_server,established; http.uri; content:"/pruebas.doc"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f5fbdb120594f4da7f638122d6635933; classtype:trojan-activity; sid:2018994; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"ssrsec.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024853; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Tuscas"; flow:established,to_server; http.uri; content:"?version="; fast_pattern; content:"&group="; content:"&client="; content:"&computer="; content:"&os="; content:"&latency="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:2018999; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"outerlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024857; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/publickey/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b61145a54698753cecf8748359c9d81e; classtype:command-and-control; sid:2018579; rev:9; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"microsoftsec.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024859; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bapy.Downloader PE Download Request"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/tmps."; fast_pattern; pcre:"/[a-z]\d{2}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:4; metadata:created_at 2014_09_05, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"martianlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024861; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; http.host; content:"windowsupdate.microsoft.com"; bsize:27; http.connection; content:"Close"; fast_pattern; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:4; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"dnslog.mobi"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024863; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?&co="; fast_pattern; content:"&us="; content:"&av="; content:"&os="; content:"&tr2="; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019160; rev:4; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"alienlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024866; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; http.request_body; content:"|AB AB|"; depth:2; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; fast_pattern; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:4; metadata:created_at 2014_09_11, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tordal/Hancitor/Chanitor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"GUID="; depth:5; fast_pattern; content:"&BUILD="; distance:0; content:"&INFO="; distance:0; content:"&IP="; distance:0; content:"&TYPE="; distance:0; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2034127; rev:6; metadata:created_at 2016_04_28, former_category MALWARE, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; http.uri; content:"/images2/"; nocase; fast_pattern; pcre:"/\/images2\/[0-9a-fA-F]{500}/"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:command-and-control; sid:2012799; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination (google-searching .com)"; flow:established,to_server; http.host; content:"google-searching.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024875; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Predator Variant Dropper Activity"; flow:established,to_server; http.request_line; content:"GET|20|/FDpb|20|HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3679a900a8895e242e97e9d54cd2f5fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-268a; reference:url,twitter.com/craiu/status/1309449368559378432; classtype:trojan-activity; sid:2030908; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"awsstatics.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024876; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/key/index.php"; fast_pattern; http.request_body; content:"dir="; depth:4; content:"&data="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:command-and-control; sid:2019179; rev:4; metadata:created_at 2014_09_16, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"immigrantlol.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024877; rev:3; metadata:created_at 2017_10_18, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader GetBooks UA"; flow:established,to_server; http.user_agent; content:"GetBooks"; nocase; fast_pattern; classtype:trojan-activity; sid:2015756; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_10_03, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_25;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"newcollection/config"; http.request_body; content:"|22|add-listener|22|"; content:"|22|event|22 3a 22|postCommit|22|"; content:"|22|class|22|"; content:"RunExecutableListener|22 2c|"; fast_pattern; content:"|22|exe|22|"; content:"|22|dir|22|"; content:"|22|args|22|"; http.content_type; content:"application/json"; startswith; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024884; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos.K Executable Download DGA"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:".ru"; offset:7; depth:6; endswith; pcre:"/^(?:u(?:wf(?:ekfyj|ubpeb)|d(?:xowub|zycaf)|h(?:duxic|zubvo)|x(?:fokur|osgik)|celgos|ggifym|mpefan|qlahaf)|s(?:u(?:t(?:fasof|imjy)|kbewli)|i(?:ttanyg|webheb|hemuj)|e(?:suhror|xjereh)|o(?:haxim|qvaqo)|axyjuw)|r(?:i(?:zsebym|firac|sytfa|trios)|e(?:bfelqi|kvyfo)|u(?:xymqic|jfeag)|y(?:buhoq|kafeh)|acadpuh)|j(?:y(?:meegom|vvozoz|kyvca|torqu)|a(?:mwazer|ibzup)|e(?:btelyx|dytlu)|o(?:dkymy|kenqi))|o(?:t(?:geguuz|xolpow|pipug)|q(?:lapjim|jogxi)|cgaextu|gdowkys|jpaxlam|vquqaip|smuryf)|i(?:r(?:ojvuqu|hegre)|v(?:kikcop|nuvuk)|hmytog|kevzaq|mgohut|pdehas|wvahin|zxirfy)|b(?:y(?:(?:cmolh|vbym)y|gotbys|jlegta)|i(?:pulte|wuvba)|o(?:pwyeb|wbaiv))|p(?:e(?:dugtap|gyrgun|vhyvys)|y(?:nxomoj|ykxug)|a(?:gube|waha)v|ogwytfy)|d(?:e(?:afesqy|hjujuq)|o(?:hwapih|xilik)|a(?:lwoza|rabub)|inymak)|t(?:a(?:hfifak|ixcih)|i(?:wciwu|koqo)x|ecviqir|ozfyma|uriwil)|g(?:i(?:jevsog|nnyjyb)|olhysux|ywilhof|azuzoz|edopan|ubahvi)|y(?:(?:n(?:japru|kicy)|kocna)r|bsahov|dabxag|xyqwiz|zsabuq)|h(?:a(?:hsekju|poneg)|e(?:ztymut|dybih)|uquqxov|itakat)|w(?:a(?:pifnu|rkafo)c|e(?:tifjam|fecfo)|ibveces|yjenqo)|a(?:d(?:nedat|tesok)|qzepylu|baxhad|smukuf|wewsip)|l(?:u(?:(?:fseki|pylzu)m|ditla)|eqgugom|opoqyv)|z(?:u(?:pivzed|qijcel)|aefofin|idamuk|ylhomu)|v(?:u(?:njuet|ohsub)|ijsixem|otqygiq|euwhyz)|m(?:u(?:zupdyg|hipew|wosiv)|osjinme|abuhos)|x(?:o(?:fsimi|gitaj|moqol)|ikmonej|enacoz)|f(?:e(?:vnotow|tucxo)|i(?:dedhah|xavpu))|k(?:u(?:btyhuz|irfufo)|ejejib|ycufvy)|n(?:(?:iliqri|obzeky)x|eluzjiv)|c(?:ylqiduh|aqxaro|itsibe)|q(?:aijroke|iquzcy|uohdit)|e(?:gnisje|stesgo|vdyvaz))\.ru$/"; classtype:trojan-activity; sid:2016029; rev:5; metadata:created_at 2012_12_13, updated_at 2020_09_25;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI)"; flow:to_server,established; flowbits:set,ET.CVE-2017-12629; http.uri; content:"?q=|7b 21|xmlparser"; content:"|3d 27 3c 21|DOCTYPE"; nocase; distance:0; fast_pattern; pcre:"/^(?:(?!\x0d\x0a).)+\x22(?:https?|file):\x2f\x2f/R"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024885; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.Variant Fake MSIE 6.0 UA"; flow:to_server,established; flowbits:set,ET.zbot.ua.2106509; http.uri; content:".htm?"; fast_pattern; pcre:"/\/[a-z]\.htm\?[A-Za-z0-9]+$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:trojan-activity; sid:2016509; rev:7; metadata:created_at 2013_02_27, updated_at 2020_09_25;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 1)"; flow:to_server,established; flowbits:isset,ET.CVE-2017-12629; http.method; content:"GET"; http.uri; content:"newcollection/config"; content:"|22|add-listener|22 3a|"; distance:0; content:"|22|event|22 3a 22|postCommit|22|"; distance:0; content:"|22|class|22|"; distance:0; content:"RunExecutableListener|22 2c 22|exe|22|"; distance:0; fast_pattern; content:"|22|dir|22|"; content:"|22|args|22|"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024886; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Kia.exe Request"; flow:established,to_server; http.uri; content:"/kia.exe"; fast_pattern; classtype:trojan-activity; sid:2018081; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 2)"; flow:to_server,established; flowbits:isset,ET.CVE-2017-12629; http.method; content:"GET"; http.uri; content:"?q="; content:"update?"; distance:0; content:"stream.body="; content:"commit="; content:"overwrite="; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024887; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Wav.exe Request"; flow:established,to_server; http.uri; content:"/wav.exe"; fast_pattern; classtype:trojan-activity; sid:2018082; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Go HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Go-http-client"; nocase; fast_pattern; classtype:misc-activity; sid:2024897; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Heap.exe Request"; flow:established,to_server; http.uri; content:"/heap.exe"; fast_pattern; classtype:trojan-activity; sid:2018083; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky Intermediate Downloader"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"Windows-Update-Agent"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Locky, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ppp/ta.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:command-and-control; sid:2018183; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-11-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; offset:4; depth:3; nocase; content:"&codepass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031855; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ccc/tab.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:command-and-control; sid:2018384; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (cscc)"; flow:established,to_server; urilen:16; http.method; content:"PROPFIND"; http.uri; content:"/admin$/cscc.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024905; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, malware_family BadRabbit, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Downloader 2p (Zeus) May 07 2014"; flow:to_server,established; http.uri; content:"2p/"; fast_pattern; pcre:"/\/p?2p\/[a-z]{3}$/"; http.header_names; content:!"Accept-Language"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018453; rev:7; metadata:created_at 2014_05_08, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Activity Via WebDAV (infpub)"; flow:established,to_server; urilen:18; http.method; content:"PROPFIND"; http.uri; content:"/admin$/infpub.dat"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV"; depth:16; classtype:trojan-activity; sid:2024906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, malware_family BadRabbit, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/333"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018894; rev:8; metadata:created_at 2014_08_05, updated_at 2020_09_25;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE BadRabbit Ransomware Payment Onion Domain"; dns.query; content:"caforssztxqzf2nm."; reference:md5,fbbdc39af1139aebba4da004475e8839; classtype:trojan-activity; sid:2024910; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/222"; fast_pattern; http.header; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018971; rev:5; metadata:created_at 2014_08_20, updated_at 2020_09_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; http.method; content:"POST"; http.uri; content:"/hedwig.cgi"; fast_pattern; http.request_body; content:"DEVICE.ACCOUNT"; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2 POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; content:"&bid="; content:"&dv="; content:"&dpv="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:4; metadata:created_at 2014_09_26, updated_at 2020_09_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution"; flow:to_server,established; http.uri; content:"/board.cgi?cmd="; depth:15; reference:url,blogs.securiteam.com/index.php/archives/3445; classtype:attempted-recon; sid:2024915; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Boleteiro checking stolen boleto payment information"; flow:to_server,established; http.uri; content:"Vencimento="; fast_pattern; content:"&Valor="; content:"&Sacado="; content:"&URL="; content:"&Browser=Chrome"; reference:md5,3cffb955c08f6c1546bfeae37a215787; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-091718-2034-99&tabid=2; classtype:command-and-control; sid:2019243; rev:6; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Command Execution"; flow:to_server,established; http.uri; content:"/setup.cgi?next_file="; nocase; content:"&todo=syscmd&cmd="; nocase; distance:0; content:"currentsetting.htm"; nocase; fast_pattern; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyClicker.ClickFraud CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/feed.dll?pub_id="; fast_pattern; content:"&ua="; offset:17; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019355; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices"; flow:to_server,established; http.uri; content:"/Search.cgi?action=cgi_query"; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024917; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/usdeclar.txt"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:6; metadata:created_at 2014_10_09, updated_at 2020_09_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024918; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest Request URI Struct"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?sid="; fast_pattern; pcre:"/\/\d\.php\?sid=[0-9A-F]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019384; rev:5; metadata:created_at 2014_10_10, updated_at 2020_09_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in adcommand.cgi"; urilen:33; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/supervisor/adcommand.cgi"; nocase; fast_pattern; http.request_body; content:"DoShellCmd"; nocase; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024919; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BlackEnergy Dirconf CnC Beacon"; flow:established,to_server; http.uri; content:"/dirconf/check.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/mi"; reference:url,www.f-secure.com/weblog/archives/00002721.html; classtype:command-and-control; sid:2019412; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in PwdGrp.cgi"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/PwdGrp.cgi?action="; nocase; depth:38; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024920; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_jshoppi"; fast_pattern; pcre:"/^\/mod_jshoppi(?:-|ng|\/)/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019459; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M1 (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sa"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024924; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 1"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M2 (set)"; flow:established,to_server; urilen:3; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sm"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024925; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 2"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M3 (set)"; flow:established,to_server; urilen:5; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/xget"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024926; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 3"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M4 (set)"; flow:established,to_server; urilen:4; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/sa5"; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024927; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 4"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:5; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; threshold:type limit, track by_src, seconds 3600, count 1; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:web-application-attack; sid:2024930; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_10_26, deployment Datacenter, former_category WEB_SERVER, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE vSkimmer.PoS Checkin"; flow:to_server,established; http.uri; content:"/process.php?xy="; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a99d5d1652dfcda190c3d412828dcf6d; reference:md5,82d9cab2692ae13fc5b835ea2cbb36d7; reference:url,anubis.iseclab.org/action=result&task_id=1b92f08cdbfb73e64450fd07ec88849b3; classtype:command-and-control; sid:2018109; rev:6; metadata:created_at 2013_03_12, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"lg="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025032; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siggen.Dropper CnC Beacon"; flow:established,to_server; http.uri; content:".jpg?log="; fast_pattern; content:"&ts="; offset:11; content:"&act="; distance:0; http.header; content:"client|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ee363de2168aab353c829434189350e4; classtype:command-and-control; sid:2019515; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible BACKSWING JS Framework POST Observed"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Access-Control-Allow-Methods|3a 20|POST"; http.content_type; content:"application/json"; startswith; file.data; content:"|7b 22|InjectionType|22 3a|"; depth:17; fast_pattern; content:"|22|InjectionString|22 3a 22|"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024932; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoBot Downloading Files"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"btc"; fast_pattern; pcre:"/\/[a-z]+\.k(?:ey)?btc$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3563; classtype:trojan-activity; sid:2019607; rev:4; metadata:created_at 2014_10_30, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header"; flow:to_server,established; threshold: type limit, count 5, seconds 300, track by_src; http.header; content:"X-OSSProxy|3a 20|OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:13; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=start&id="; fast_pattern; pcre:"/&id=[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d8e7983004c5545df6de868bc0c5a947; classtype:command-and-control; sid:2019636; rev:4; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"action=SIGNIN"; http.request_body; content:"email="; depth:6; fast_pattern; content:"&password="; distance:0; content:"&oemail="; distance:0; classtype:credential-theft; sid:2031814; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iOS/WireLurker CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getversion.php?v="; fast_pattern; content:"&adid="; offset:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019664; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Account Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"destination="; depth:12; fast_pattern; content:"&user"; distance:0; content:"&pass"; distance:0; content:"&screenid="; distance:0; content:"&origination="; distance:0; classtype:credential-theft; sid:2031815; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/view.php"; fast_pattern; pcre:"/\/images\/view\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019687; rev:4; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish M3 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NameonCards="; depth:12; fast_pattern; content:"&Cardanumber="; distance:0; content:"&CVV"; distance:0; content:"&Expiredate"; distance:0; classtype:credential-theft; sid:2031817; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related WinRAR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|2e 8a 83 32 1f 36 bb 08 cb fc 19 52 92 2e c3 3c|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,4994952020da28bb0aa023d236a6bf3b; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030913; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Horde Webmail Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Horde="; nocase; fast_pattern; content:"&actionID"; nocase; distance:0; content:"&imapuser"; nocase; distance:0; content:"&pass="; distance:0; content:"&loginButton="; nocase; classtype:credential-theft; sid:2031821; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related Flash Installer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|c3 d6 21 f6 77 d7 95 61 2a 27 22 8b 2a d4 c9 16|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,a55aa68518586381213cd85441aa4e16; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030914; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Woodforest Bank Phish M1 2015-08-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"X-ForwardTo="; depth:12; fast_pattern; content:"&principal="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031823; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/txt/read.php"; fast_pattern; pcre:"/\/txt\/read\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019688; rev:4; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"loginNow="; fast_pattern; nocase; depth:9; content:"&loginSalt="; nocase; distance:0; content:"&userStrId="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032401; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"<email_accounts_list>"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:command-and-control; sid:2019704; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; http.user_agent; content:")ver"; fast_pattern; pcre:"/\)ver\d/"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker Checkin"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/mac_log/?appid="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019661; rev:5; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (hhh)"; flow:established,to_server; http.user_agent; content:"hhh"; depth:3; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2004442; classtype:trojan-activity; sid:2004442; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/getversion.php?sn="; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019662; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; http.user_agent; content:"Brontok"; depth:7; nocase; reference:url,doc.emergingthreats.net/2006999; classtype:trojan-activity; sid:2006999; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Autorun.J Checkin"; flow:established,to_server; http.uri; content:".asp?i=0&v=o10.1"; fast_pattern; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FAutorun.J#tab=2; classtype:command-and-control; sid:2019710; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-agent DownloadNetFile Win32.small.hsh downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"DownloadNetFile"; nocase; bsize:15; reference:url,doc.emergingthreats.net/2007778; classtype:trojan-activity; sid:2007778; rev:15; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Matsnu.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"id="; content:"&mynum="; content:"&ver="; content:"&cvr="; content:"&threadid="; fast_pattern; content:"&lang="; content:"&os="; reference:url,www.seculert.com/blog/2014/11/dgas-a-domain-generation-evolution.html; classtype:command-and-control; sid:2019741; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser)"; flow:established,to_server; http.user_agent; content:"CustomExchangeBrowser"; reference:url,doc.emergingthreats.net/2007824; classtype:trojan-activity; sid:2007824; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M1"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&func="; fast_pattern; pcre:"/^hwid=[A-F0-9]{4}(?:-[A-F0-9]{4}){7}&func=/"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019776; rev:4; metadata:created_at 2014_11_24, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (chek)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"chek"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008253; classtype:trojan-activity; sid:2008253; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:web-application-attack; sid:2030910; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AutoHotkey)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!".ahk4.net|0d 0a|"; http.user_agent; content:"AutoHotkey"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008259; classtype:trojan-activity; sid:2008259; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".html"; fast_pattern; pcre:"/\/[A-Za-z0-9-_]{75,}\.html$/"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE|20|"; depth:42; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016567; rev:8; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"|20|loader"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.header; content:"|0d 0a|Accept-Language|3a 20|zh-cn|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; bsize:50; http.request_body; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern; content:".zip|22 0d 0a|"; content:"Content-Type|3a 20|application/x-zip-compressed|0d 0a|"; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:command-and-control; sid:2019828; rev:5; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ErrCode)"; flow:established,to_server; http.user_agent; content:"ErrCode"; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; classtype:trojan-activity; sid:2008378; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HompesA Activity"; flow:established,to_server; http.uri; content:"/me/"; fast_pattern; pcre:"/^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,8cc58bc4d63f4b78b635d45aa69108f7; classtype:trojan-activity; sid:2019838; rev:4; metadata:created_at 2014_12_02, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)"; flow:established,to_server; http.user_agent; content:"Joseray"; depth:7; nocase; reference:url,doc.emergingthreats.net/2008765; classtype:trojan-activity; sid:2008765; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.bfsx Checkin"; flow:to_server,established; http.uri; content:"/infect"; fast_pattern; content:".php"; offset:7; pcre:"/\/infect(?:-\d)?\.php$/"; http.user_agent; content:"Microsoft"; bsize:9; reference:md5,506cd65bdd06f41f8219cd1ed78eac7d; reference:md5,0c39b39ee4a59a8ac5fc1df500da2a88; classtype:command-and-control; sid:2019840; rev:6; metadata:created_at 2014_12_03, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer - User-Agent (Ucheck)"; flow:established,to_server; http.user_agent; content:"Opera/9.10"; content:"|3b 20|Ucheck"; fast_pattern; reference:url,doc.emergingthreats.net/2009081; classtype:trojan-activity; sid:2009081; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sony Breach Wiper Malware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/igfxtpers.exe"; fast_pattern; reference:url,logfile.packetninjas.net/related-malware-to-sony-breach; classtype:trojan-activity; sid:2019849; rev:4; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: Loands|0d 0a|"; reference:url,doc.emergingthreats.net/2009537; classtype:trojan-activity; sid:2009537; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?i="; content:"&data="; distance:0; content:"&hash="; fast_pattern; pcre:"/&hash=[^&]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:5; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: ms_ie|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009538; classtype:trojan-activity; sid:2009538; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fin4.InfoStealer Uploading User Credentials CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?msg="; fast_pattern; content:"&uname="; content:"&pword="; reference:url,www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html; classtype:command-and-control; sid:2019829; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: Forthgoner|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009547; classtype:trojan-activity; sid:2009547; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas Request to WebDAV CloudMe"; flow:established,to_server; http.uri; content:"/CloudDrive/"; nocase; pcre:"/^\/(?:b(?:i(?:llder1405|mm4276)|rowner8674935)|c(?:arter0648|h(?:ak2488|hloe7400)|orn6814)|d(?:aw0996|epp3353)|fr(?:anko7046|ogs6352)|garristone|hurris4124867|james9611|lisa\.walker|parker2339915|sa(?:mantha2064|nmorinostar)|tem5842|young0498814)\/CloudDrive\//i"; http.header; content:"webdav.cloudme.com"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/mi"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019915; rev:4; metadata:created_at 2014_12_11, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Mozilla/4.0 (SPGK)"; fast_pattern; nocase; bsize:18; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none; reference:url,www.threatexpert.com/threats/virus-win32-luder-b.html; reference:url,doc.emergingthreats.net/2009805; classtype:trojan-activity; sid:2009805; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas CnC Beacon"; flow:established,to_server; urilen:10; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"POST"; http.uri; content:"/check.jsp"; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:command-and-control; sid:2019919; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729))"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|na|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)|0d0a|"; fast_pattern; startswith; reference:url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter; reference:url,doc.emergingthreats.net/2009810; classtype:trojan-activity; sid:2009810; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TinyZBot Checkin (Operation Cleaver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkupdate.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22|http|3a|//tempuri.org/GetServerTime|22 0d 0a|"; http.request_body; content:"GetServerTime xmlns=|22|http|3a|//tempuri.org/"; http.header_names; content:!"|0d 0a|Accept"; content:!"Referer|0d 0a|"; reference:md5,68cfc418c72b58b770bdccf19805703e; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019942; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0|3b 20|Windows NT 2.1|3b 20|SV3)|0d0a|"; fast_pattern; startswith; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Agent.AIXD Checkin"; flow:to_server,established; http.uri; content:"/cnc.php?id="; fast_pattern; content:"&uid="; http.user_agent; content:"AppleMac"; bsize:8; reference:md5,801e450679e9d60f8c64675c432aab33; reference:md5,ad2e8210ca7c2b4b433b3fba65e87b94; reference:md5,f6ea10f719885fbcfb6743724faa94f7; classtype:command-and-control; sid:2019945; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vundo User-Agent Check-in"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0) WinNT 5.1"; fast_pattern; bsize:44; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99; reference:url,doc.emergingthreats.net/2010490; classtype:trojan-activity; sid:2010490; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi.46846 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5dc2a4ee8aa084c9da42cd2d1ded2e; classtype:command-and-control; sid:2019948; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent kav"; flow: established,to_server; http.user_agent; content:"kav"; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011482; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks.A Checkin 2"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; content:"&builddate="; distance:0; content:"&q="; distance:0; content:"&ua="; content:"&lang="; content:"&wt="; content:"&lr="; distance:0; content:"&ls="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019966; rev:4; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Si25f_302 User-Agent"; flow:established,to_server; http.user_agent; content:"Si25"; depth:4; classtype:trojan-activity; sid:2012310; rev:7; metadata:created_at 2011_02_14, former_category TROJAN, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Ransom Page"; flow:established,to_server; http.uri; content:"/buy.php?user_code="; fast_pattern; content:"&user_pass="; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019978; rev:4; metadata:created_at 2014_12_20, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan with /? and Indy Library User-Agent"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/?"; depth:2; http.header; content:"Indy Library)"; fast_pattern; content:"Accept-Encoding|3a 20|identity|0D 0A|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; content:!".ensignsoftware.com"; classtype:trojan-activity; sid:2012312; rev:8; metadata:created_at 2011_02_14, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M1"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/googleyou_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TDSS User-Agent CMD"; flow:established,to_server; http.user_agent; content:"|20|(compatible|3b 20|MSIE 1.0|3b 20|Windows NT|3b 20|"; fast_pattern; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:9; metadata:created_at 2011_02_21, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M2"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/winfoxupdate_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Im Luo"; flow:established,to_server; http.user_agent; content:"Im|27|Luo"; startswith; classtype:trojan-activity; sid:2012586; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_28, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda Checkin"; flow:established,to_server; dsize:50<>400; content:"|46 45 79 4e 56 59 6c 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:md5,07328ad6efcf16b532499cbb8daa7633; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:trojan-activity; sid:2030920; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MacShield User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"MacShield"; startswith; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:5; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tel/1214"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; bsize:26; http.accept; content:"image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; bsize:56; reference:md5,3009db32ca8895a0f15f724ba12a6711; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:command-and-control; sid:2030921; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV User-Agent XML"; flow:established,to_server; http.user_agent; content:"XML"; bsize:3; classtype:trojan-activity; sid:2013374; rev:4; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_08_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1"; flow:established,from_server; flowbits:isset,ET.Anunanak.HTTP.1; http.header; content:"Content-Length|3a 20|11|0d 0a|"; file.data; content:"no commands"; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020028; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SpeedRunner User-Agent SRRemove"; flow:established,to_server; http.user_agent; content:"SRRemove"; startswith; classtype:pup-activity; sid:2013394; rev:4; metadata:created_at 2011_08_10, former_category USER_AGENTS, updated_at 2020_08_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2"; flow:established,from_server; flowbits:isset,ET.Anunanak.HTTP.2; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"no result"; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020030; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent _updater_agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|_updater_agent"; classtype:trojan-activity; sid:2013395; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_10, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Downloading PE"; flow:established,to_server; http.uri; content:".exe?dummy="; fast_pattern; pcre:"/\.exe\?dummy=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6b7759565454fb7d02fb5bc638136f31; classtype:trojan-activity; sid:2020032; rev:4; metadata:created_at 2014_12_23, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Onescan FraudWare User-Agent"; flow:established,to_server; http.user_agent; content:"test_hInternet"; startswith; classtype:pup-activity; sid:2013444; rev:5; metadata:created_at 2011_08_22, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/connect.php?a=1"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type|0d 0a|"; classtype:command-and-control; sid:2020077; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dynamer Trojan Dropper User-Agent VB Http"; flow:established,to_server; http.user_agent; content:"VB Http"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDynamer!dtc; classtype:trojan-activity; sid:2013507; rev:4; metadata:created_at 2011_08_31, former_category USER_AGENTS, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Length|3a 20|74|0d 0a|"; fast_pattern; http.request_body; pcre:"/^(?P<v1>.).{33}(?P=v1).{9}(?P<v2>.)(?:.{4}(?P=v2)){3}/s"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type"; classtype:command-and-control; sid:2020080; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MadeByLc)"; flow:established,to_server; http.user_agent; content:"MadeBy"; startswith; classtype:trojan-activity; sid:2013512; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/uploads/images/201"; fast_pattern; pcre:"/\.png$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:md5,5f50e810668942e8d694faeabab08260; reference:url,blog.0x3a.com/post/107195908164/analysis-of-steam-stealers-and-the-steam-stealer; classtype:trojan-activity; sid:2020095; rev:5; metadata:created_at 2015_01_06, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; http.user_agent; content:"LockXLS"; startswith; classtype:trojan-activity; sid:2013724; rev:4; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISRStealer Checkin"; flow:to_server,established; http.uri; content:"?action="; content:"&username="; content:"&password="; content:"&app="; content:"&pcname="; fast_pattern; content:"&sitename="; reference:md5,44be7c6d4109ae5fb0ceb2824facf2dd; reference:url,cert.pl/news/8706/langswitch_lang/en; classtype:command-and-control; sid:2016941; rev:8; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FULLSTUFF)"; flow: established,to_server; http.user_agent; content:"FULLSTUFF"; nocase; startswith; reference:url,threatexpert.com/reports.aspx?find=mrb.mail.ru; classtype:trojan-activity; sid:2013880; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Codenox.gyezu CnC Activity"; flow:established,to_server; http.request_line; content:"GET /__wendaoQuery.ashx?t=getcoklist&area="; startswith; fast_pattern; content:"&tb="; content:"&min="; content:"&rnd="; content:" HTTP/1.1"; distance:18; within:9; endswith; reference:md5,2c8495e13ba334324574be52dbdce173; classtype:command-and-control; sid:2030918; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (MediaLabsSiteInstaller)"; flow:established,to_server; http.user_agent; content:"MediaLabsSiteInstaller"; startswith; classtype:pup-activity; sid:2013889; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?page="; content:"&enckey="; fast_pattern; pcre:"/\x26enckey\x3D[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:command-and-control; sid:2020293; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HardCore Software For)"; flow:to_server,established; http.user_agent; content:"HardCore Software For"; depth:21; nocase; classtype:trojan-activity; sid:2018608; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action=get_"; fast_pattern; pcre:"/^\/action\.php\?action=get_(?:mails|red)$/"; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020330; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Oct 30 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; fast_pattern; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; classtype:credential-theft; sid:2025033; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Update"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data_updater.dat"; fast_pattern; pcre:"/\/data_updater\.dat$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020333; rev:4; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (moreoffer .life)"; dns.query; content:"moreoffer.life"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024940; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data.cfg"; fast_pattern; pcre:"/\/data\.cfg$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020334; rev:4; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.FakeAV Affiliate Second Stage Download Location Request"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.asproxfakeav; http.uri; content:"/api/urls/?ts="; content:"&affid="; pcre:"/\x26affid\x3D[0-9]{4,7}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016530; rev:4; metadata:created_at 2013_03_05, former_category TROJAN, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Download"; flow:to_server,established; http.uri; content:"/bn_versions/"; fast_pattern; content:".exe"; pcre:"/\/bn_versions\/\d+?\.exe$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020341; rev:6; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (cloudns .club)"; dns.query; content:"download.data-server.cloudns.club"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024937; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast C2 Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?cstring="; fast_pattern; content:"&tom="; content:"&id="; distance:0; http.request_body; content:"|00 00 00 00|"; depth:4; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020378; rev:4; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_09_29;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (topsite .life)"; dns.query; content:"ping.topsite.life"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024938; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"checkip.dyndns.org"; fast_pattern; http.header; pcre:"/^(?:Accept\x3a\x20text\/\*, application\/\*\r\n)?User-Agent\x3a[^\r\n\x3b\x28\x29]+\r\nHost\x3a[^\r\n]+checkip\.dyndns\.org\r\nCache-Control\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2020370; rev:6; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Downeks/Quasar DNS Lookup (updatesforme .club)"; dns.query; content:"signup.updatesforme.club"; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mayhem Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"Pragma|3a 20|1337|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:command-and-control; sid:2018456; rev:5; metadata:created_at 2014_05_08, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Free.fr Phish 2016-03-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?get="; fast_pattern; http.request_body; content:"comid="; nocase; depth:6; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/newage.txt"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:command-and-control; sid:2019467; rev:5; metadata:created_at 2014_10_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qudox CnC Actiivty"; flow:established,to_server; http.start; content:"GET /gate.php HTTP/1.1|0d 0a|Host|3a 20|"; http.request_body; content:"0WmkD4"; startswith; fast_pattern; http.header_names; bsize:26; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; threshold: type limit, track by_src, count 1, seconds 60; reference:md5,4806ceacf1f9ae4faddbace5201d36f0; classtype:command-and-control; sid:2030682; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/0/"; fast_pattern; pcre:"/\/(?:5[12]|6[0-3])\/0\/[A-Z]*$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020419; rev:5; metadata:created_at 2015_02_13, former_category CURRENT_EVENTS, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Microsoft Hosted Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server|3a 20|Windows-Azure-Web/"; file.data; content:"<!-- saved from url=("; within:100; fast_pattern; classtype:social-engineering; sid:2030680; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components - set"; flow:established,to_server; urilen:8; flowbits:set,ET.Gulcrypt; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/manager"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020420; rev:4; metadata:created_at 2015_02_13, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Microsoft Hosted Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server|3a 20|Windows-Azure-Web/"; file.data; content:".php|22 20|method=|22|post|22|"; fast_pattern; classtype:social-engineering; sid:2030681; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; pcre:"/&user=\d+$/"; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020434; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub cloud.auth Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"Y2xvdWQuYXV0aA=="; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; content:"|22|name|22|"; content:"|22|serverid|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030683; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Exfiltrating files"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"account="; depth:8; content:"&name="; content:"&folder="; fast_pattern; content:"&fname="; content:"&s="; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020435; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub file Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|ZmlsZQ==|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030684; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checking filename"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"path="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020437; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub monitor Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|bW9uaXRvcg==|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030685; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
+alert udp any any -> any any (msg:"ET MALWARE Mozi Botnet DHT Config Sent"; flow:established,to_client; content:"|64 31 3a 72 64 32 3a 69 64 32 30 3a 38 38 38 38 38 38 38 38|"; content:"|3a 6e 6f 64 65 73 36 32 34 3a 15 15|"; distance:13; within:12; reference:url,blog.netlab.360.com/mozi-another-botnet-using-dht/; reference:url,securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/; reference:md5,5616a3471565d34d779b5b3d0520bb70; reference:md5,891158b3c43e621956558cd0b5b41e81; classtype:command-and-control; sid:2030919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, malware_family Mozi, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub shell Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|c2hlbGw=|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030686; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT File information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; content:"&file="; distance:0; content:"&type="; distance:0; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020438; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Drovorub tunnel Module Server Response"; flow:established,to_client; file_data; content:"|7b 22|children|22|"; startswith; content:"|22|name|22|"; content:"|22|module|22|"; content:"|22|dHVubmVs|22|"; distance:0; fast_pattern; content:"|22|name|22|"; content:"|22|action|22|"; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:targeted-activity; sid:2030687; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Serial"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&serial="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020439; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Raiffeisen Phishing Domain Nov 03 2017"; dns.query; content:"banking.raiffeisen.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024943; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Date"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&date="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020440; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Sparkasse Phishing Domain Nov 03 2017"; dns.query; content:"netbanking.sparkasse.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024944; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (SK)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"SK"; nocase; fast_pattern; bsize:2; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020441; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Raiffeisen Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skype)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skype"; nocase; fast_pattern; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020442; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"netbanking.sparkasse.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024948; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skypee)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skypee"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020443; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024950; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_rtemp.php?n="; fast_pattern; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5efc02d416b15554b25d9acec362148e; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020436; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Sparkasse Bank Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"netbanking.sparkasse.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024951; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Beaugrit.gen.AAAA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/attach/1759CB3B5124F217143044"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fbfe6c2673aec9098e1fc9bf6d7fc059; classtype:trojan-activity; sid:2020479; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - BankAustria Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"online.bankaustria.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024952; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.NSIS.Comame.A Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/9.php?safe="; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a15f19a3ccd05f74537464e6df64dab; classtype:command-and-control; sid:2020480; rev:5; metadata:created_at 2015_02_19, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Austrian Bank Targeting"; flow:to_client,established; flowbits:isset,ET.marcherphish; http.stat_code; content:"200"; http.header; content:"application/vnd.android.package-archive"; fast_pattern; content:"Content-Description|3a 20|File Transfer"; file.data; content:"PK"; depth:2; classtype:trojan-activity; sid:2024953; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/verify.php?version="; fast_pattern; content:"&GUID=|7b|"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020490; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; http.stat_code; content:"403"; file.data; content:"<script"; nocase; depth:512; content:!"location.replace|28 22|https|3a 2f 2f|block.opendns.com"; distance:0; reference:url,doc.emergingthreats.net/2010515; classtype:web-application-attack; sid:2010515; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign GET Keepalive"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php/customer/onlin"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020432; rev:7; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SAD Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; content:"&osname="; content:"&pcname="; content:"&key="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f4c2f65b5b89d4f4e74099571b40c0d5; classtype:command-and-control; sid:2024954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category MALWARE, malware_family SAD_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC Beacon 2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/cou.php"; fast_pattern; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020504; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Randrew!rfn CnC Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 30; http.request_body; content:"botversion="; depth:11; content:"xfor="; within:22; content:"winver="; within:33; reference:md5,74dd0e38deaf778e621434a2ca9c7c74; reference:url,microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win32/Randrew.A!bit; classtype:command-and-control; sid:2024955; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xunpf.A Retrieving DLL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web_"; fast_pattern; content:".jpg"; pcre:"/\/web_[0-9A-F]{12}\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfb7dd8b6975b73dc9c731319a05f86d; classtype:trojan-activity; sid:2020601; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Volex - OceanLotus JavaScript Load (connect.js)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"connect.js?timestamp="; reference:url,volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024966; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_11_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Downloading Module"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".pack"; nocase; fast_pattern; endswith; http.user_agent; content:"Mozilla"; startswith; pcre:"/^Mozilla(?:\/4\.0)?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:7; metadata:created_at 2014_06_25, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; http.stat_code; content:"302"; http.header; content:"|0d 0a|location|3a 20|"; fast_pattern; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/Ri"; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2025006; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor Based Locker Page (Torrentlocker)"; flow:established,to_server; http.uri; content:"/buy.php?"; fast_pattern; http.header; pcre:"/Host\x3a\x20[a-z0-9]{16}\.[^\r\n]*?(?:tor|onion)/mi"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018951; rev:6; metadata:created_at 2014_08_18, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Delf.BVP Win32/BioData CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; content:!"&"; distance:0; http.request_body; content:"form-data|3b 20|name=|22|unit|22 3b 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,68aab6163c29183ad8da1cf27a5a47c5; reference:url,securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/; reference:url,researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families; classtype:command-and-control; sid:2023545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Post Infection CnC Beacon"; flow:established,to_server; http.uri; content:"/rp?"; fast_pattern; content:"v="; content:"a="; content:"u="; content:"d="; pcre:"/^\/(?:[^\x2f]+\/)?rp\?[a-z]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fc962cb08f62e3d6368500a8e747cf73; classtype:command-and-control; sid:2020645; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Browser Plugin Detect - Observed in Apple Phishing"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/ping.html"; http.header; content:".html?appIdKey="; http.request_body; content:"data=eyJwbHVnaW4i"; depth:17; fast_pattern; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; classtype:bad-unknown; sid:2024978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_08, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Onkods.A Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)*?[a-z]+\.exe$/"; http.header; content:"User-Agent|3a 20|"; depth:12; pcre:"/^User-Agent\x3a\x20(?=\d*[a-z])[a-z0-9]+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fb570e6d68e708daeceae5dfc544fba2; classtype:command-and-control; sid:2018121; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected REDCURL CnC Activity M1"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".bat"; endswith; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Depth|0d 0a|translate|0d 0a|Content-Length|0d 0a|Host|0d 0a|"; bsize:68; fast_pattern; content:!"Referer"; content:!"Accept"; reference:url,www.group-ib.com/resources/threat-research/red-curl.html; reference:md5,9691daebab79c6ab48adac73bda0a84a; classtype:command-and-control; sid:2030697; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaoutra.ru)"; flow:to_server,established; http.header; content:"bagacaoutra.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaoutra\.ru\r\n/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020650; rev:6; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible KONNI URI Path Observed"; flow:established,to_server; http.uri; content:"/weget/"; depth:7; fast_pattern; content:".php"; within:12; http.header_names; content:!"Referrer|0d 0a|"; reference:url,us-cert.cisa.gov/ncas/alerts/aa20-227a; classtype:targeted-activity; sid:2030690; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, signature_severity Major, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacavoltou.ru)"; flow:to_server,established; http.header; content:"bagacavoltou.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacavoltou\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020651; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible KONNI CnC Activity"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"User-Agent|3a 20|HTTP|0d 0a|"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/alerts/aa20-227a; classtype:targeted-activity; sid:2030691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, signature_severity Major, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaveia.ru)"; flow:to_server,established; http.header; content:"bagacaveia.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaveia\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020652; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZASE"; fast_pattern; classtype:attempted-admin; sid:2030692; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_17, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Checkin"; flow:established,to_server; http.uri; content:"v="; content:"a="; content:"u="; content:"i=0"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)?[a-z_]+\?[a-z]=/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,baf71ace207afd3f330c4aba3784e074; classtype:command-and-control; sid:2020646; rev:6; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZASE"; fast_pattern; classtype:web-application-attack; sid:2030693; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Checkin"; flow:established,to_server; http.uri; content:"/?user="; fast_pattern; content:"os="; content:"&os2="; content:"&ver="; content:"&host="; content:!"|2e|"; content:"type="; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019678; rev:5; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BitNinja IO Security Check"; flow:established,to_client; http.stat_code; content:"403"; http.header; content:"BitNinja Captcha Server"; fast_pattern; file.data; content:"<title>Waiting for the redirectiron..."; classtype:misc-activity; sid:2030694; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|13|0d 0a|"; fast_pattern; http.request_body; content:"|00 04 00 00 00|"; offset:4; depth:5; content:!"|00 00 00 00|"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:command-and-control; sid:2020568; rev:6; metadata:created_at 2015_02_25, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/DarkStealer Variant CnC Exfil"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?chatid="; content:"&username="; content:"&machineName="; content:"&Country="; content:"&HWID="; content:"&ip="; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Files"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,fed2a8736c84eda9dcc8533b5019f7d8; classtype:trojan-activity; sid:2030688; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category MALWARE, malware_family DarkStealer, malware_family Ecehlon, signature_severity Major, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; fast_pattern; pcre:"/\.php\?id=\d+$/"; http.header; content:!"Content-T"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:command-and-control; sid:2020706; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected REDCURL CnC Activity M2"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".jpg"; endswith; http.user_agent; content:"curl/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; bsize:30; content:!"Referer"; reference:url,www.group-ib.com/resources/threat-research/red-curl.html; reference:md5,12ec7e6876dc86f158f448ebfba9e0eb; classtype:command-and-control; sid:2030689; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FindPOS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"oprat="; fast_pattern; content:"&uid="; content:"&uinfo="; content:"&win="; content:"&vers="; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:command-and-control; sid:2020723; rev:5; metadata:created_at 2015_03_21, former_category MALWARE, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish - Observed in Apple/Bank of America/Amazon 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; nocase; content:"&securessl="; nocase; distance:0; http.header; content:".php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032406; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fileless infection dropped by EK CnC Beacon"; flow:established,to_server; http.uri; content:"hl="; content:"source="; content:"aq="; content:"aqi="; content:"aql="; fast_pattern; content:"oq="; http.header; content:!"google."; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:49; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020734; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Nov 09 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025034; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"ext="; content:"&pid="; content:"&country="; content:"&regd="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020738; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Telstra Phish M1 2015-09-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"goto="; depth:5; nocase; fast_pattern; content:"&encoded="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031828; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/state"; fast_pattern; content:".php?"; pcre:"/\/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020717; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Commonwealth Bank Phish 2015-08-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; content:"&dob1="; distance:0; content:"&ccnum="; distance:0; content:"&submit1.x="; fast_pattern; distance:0; classtype:credential-theft; sid:2031816; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hyteod CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.header; content:"|5f 5e 5b 8b e5 5d|"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; bsize:63; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept-"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f2ad19a08063171b039accd24b0c27ca; classtype:command-and-control; sid:2020821; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish M1 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass"; distance:0; content:"&adress"; distance:0; nocase; fast_pattern; content:"&adress"; distance:0; nocase; classtype:credential-theft; sid:2031818; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 2"; flow:established,to_server; http.header; content:"Accept|3a 20|*/*,|20|"; content:", MZ"; fast_pattern; pcre:"/^Accept\x3a\x20\*\/\*,[^\r\n]+, MZ/mi"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020834; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish M2 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&postale="; nocase; distance:0; content:"&passtess="; nocase; distance:0; content:"&ccnum="; distance:0; nocase; fast_pattern; classtype:credential-theft; sid:2031819; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F exe Download 2"; flow:to_server,established; urilen:<13; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/^\/[^\x2f]+?\.exe$/i"; http.host; content:".ru"; endswith; http.header; content:".ru|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:8; metadata:created_at 2013_07_24, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/submit"; pcre:"/\/submit$/"; http.request_body; content:"form-data|3b 20|name=|22|todo|22|"; nocase; fast_pattern; content:"|0d 0a|submit|0d 0a|"; nocase; distance:0; content:"form-data|3b 20|name=|22|Email|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|Text field"; distance:0; nocase; http.content_type; content:"multipart/form-data|3b 20|boundary=-------"; startswith; classtype:credential-theft; sid:2031820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.sanlorenzoyacht.com"; bsize:23; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2015-08-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"charset_test="; depth:13; fast_pattern; content:"&email="; distance:0; content:"&pass="; nocase; distance:0; content:"&charset_test="; distance:0; nocase; classtype:credential-theft; sid:2031822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .automercado .co .cr in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.automercado.co.cr"; bsize:21; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RCAP CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/callback.php?k="; fast_pattern; content:"&x="; distance:0; http.connection; content:"close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3410af519f791af5f9554cbff7ece24a; classtype:command-and-control; sid:2024984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ne-ba.org"; bsize:13; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
 
-alert http $EXTERNAL_NET any  -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/TinyNuke Payload ACF40 Inbound"; flow:established,to_client; flowbits:isset,ET.TinyNuke; http.stat_code; content:"200"; http.content_type; content:"text|2F|html"; startswith; file.data; byte_extract:8,896,byte0; byte_extract:8,904,byte1; byte_extract:8,912,byte2; byte_extract:8,920,byte3; byte_extract:8,928,byte4; byte_test:8,=,byte0,936; byte_test:8,!=,byte0,944; byte_test:8,=,byte1,944; byte_test:8,!=,byte1,952; byte_test:8,=,byte2,952; byte_test:8,!=,byte2,960; byte_test:8,=,byte3,960; byte_test:8,=,byte4,968; content:!"MZ"; depth:2; pcre:"/[\x80-\xff]{16}/"; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2024513; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_02, deployment Perimeter, former_category TROJAN, malware_family TinyNuke, performance_impact Moderate, signature_severity Major, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/loader.php?name="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:command-and-control; sid:2020883; rev:7; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M1 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"usr"; nocase; depth:3; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032377; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Worm Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.c.php?request="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,volexity.com/blog/?p=118; classtype:command-and-control; sid:2020887; rev:4; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M2 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"user"; nocase; depth:4; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032378; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; pcre:"/\/gate\.php$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http.request_body; content:"id="; depth:3; pcre:"/^[A-F0-9]+$/R"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020890; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M3 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"email"; nocase; depth:5; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032379; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault Mailer CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/redirect.php?loc=mail"; fast_pattern; pcre:"/\/redirect\.php\?loc=mail$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,af0e5a5df0be279aa517e2fd65cadd5c; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020906; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M5 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"email"; nocase; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032380; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&knock="; distance:0; content:"&keylog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020907; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"username"; nocase; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2025000; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ruckguv.A Requesting Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/id.exe"; fast_pattern; http.user_agent; content:"MSIE"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,227365242cc97fa611fdac295b732d82; reference:md5,b9eec5be1d2f5d0007bd94fdd8c7ea57; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3801; classtype:trojan-activity; sid:2020910; rev:5; metadata:created_at 2015_04_14, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to ukit domain - Possible Phishing M2 2016-06-29"; flow:to_server,established; urilen:19; http.method; content:"POST"; http.uri; content:"/api/feedBack/check"; fast_pattern; http.host; pcre:"/(?:udo\.photo|ulcraft\.com|biennale\.info|topstyle\.me|urest\.org|ukit\.me)$/"; classtype:trojan-activity; sid:2032398; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ttint XORed CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.connection; content:"Upgrade"; http.request_body; content:"|a1 8a ee 02 e8 91 ff 04 be ac f7 09 b3 9c|"; offset:8; fast_pattern; reference:url,blog.netlab.360.com/ttint-an-iot-rat-uses-two-0-days-to-spread/; classtype:command-and-control; sid:2030924; rev:2; metadata:affected_product IoT, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, malware_family Ttint, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to ukit domain - Possible Phishing M1 2016-06-29"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/api/feedBack"; fast_pattern; http.host; pcre:"/(?:udo\.photo|ulcraft\.com|biennale\.info|topstyle\.me|urest\.org|ukit\.me)$/"; classtype:trojan-activity; sid:2032397; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?id="; fast_pattern; content:"&os="; content:"&com="; content:"&ver="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020918; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2024835; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/keylogger.php?id="; fast_pattern; content:"&com="; content:"&key="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020920; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2024834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?fn="; fast_pattern; pcre:"/&(?:uid|name|file)=[a-f0-9]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020921; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"craigslist.org"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023880; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?fn="; fast_pattern; http.request_body; content:"name=|22|file|22|"; content:"name=|22|path|22|"; distance:0; content:"name=|22|submit|22|"; distance:0; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020922; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023829; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bioazih RAT Checkin"; flow:to_server,established; http.header; content:"Hostname|3a|"; content:"Ip|3a|"; content:"Os|3a|"; content:"Proxy|3a|"; fast_pattern; content:"Vm|3a|"; http.user_agent; content:"Pass|3a|"; startswith; reference:md5,7bc5451341a684aca80a59a463bad973; reference:md5,5443cf2b6c010c57cf740356c9167b77; reference:url,blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe.aspx; classtype:command-and-control; sid:2020927; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023828; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".asp?HostID="; fast_pattern; pcre:"/\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$/"; http.header; content:"Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 0d 0a|"; reference:md5,e397a68bf4fbb7a9b4d1b6da1fe2172b; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020928; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023827; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?bit="; fast_pattern; content:"&version="; pcre:"/\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020939; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023826; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 6"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?check"; fast_pattern; pcre:"/\/\?check$/"; http.user_agent; content:"Example"; bsize:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020940; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"drive.google.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023825; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|uploaded|22 3b 20|filename=|22|"; fast_pattern; content:".jpg"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; nocase; classtype:command-and-control; sid:2020933; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023824; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor Downloading Dridex"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.user_agent; content:"MSIE"; http.connection; content:"close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:4; metadata:created_at 2015_04_22, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023823; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; flowbits:set,ET.CozyDuke.HTTP; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020963; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?$/"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http.request_body; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020964; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023821; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BUILDINGCAN CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:69; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) Chrome/28.0.1500.95 Safari/537.36"; fast_pattern; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.request_body; content:"id="; startswith; pcre:"/(?:&(?:boardid|bbsNo|strBoardID|userid|bbs|filename|code|pid|seqNo|ReportID|v|PageNumber|num|view|read|action|page|mode|idx|cateId|bbsId|pType|pcode|index|tbl|idx_num|act|bbs_id|bbs_form|bid|bbscate|menu|tcode|b_code|bname|tb|borad01|borad02|borad03|mid|newsid|table|Board_seq|bc_idx|seq|ArticleID|B_Notice|nowPage|webid|boardDiv|sub_idxa)=[^&]+){3}$/R"; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:targeted-activity; sid:2030932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin"; flow:to_server,established; urilen:7; http.method; content:"GET"; http.uri; content:"/dw/gtk"; fast_pattern; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021028; rev:4; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.header; content:!"autodiscover"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023819; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin 2"; flow:to_server,established; urilen:>107; http.method; content:"GET"; http.uri; content:"/setup/"; fast_pattern; pcre:"/\/setup\/[a-zA-Z0-9!-]{100,}$/"; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021029; rev:4; metadata:created_at 2015_04_29, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim payload retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/app.exe"; fast_pattern; pcre:"/\/app\.exe$/"; http.user_agent; content:"Wget"; depth:4; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020350; rev:6; metadata:created_at 2015_02_03, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; content:"&host="; content:"&browser="; content:"&post="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:command-and-control; sid:2021055; rev:6; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish 2016-12-23"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:"postepay"; fast_pattern; classtype:credential-theft; sid:2032416; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC GET"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"docs/"; fast_pattern; pcre:"/^\/(?:tran|http)docs\//"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021080; rev:4; metadata:created_at 2015_05_09, former_category MALWARE, updated_at 2020_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Checkin"; flow:to_server,established; urilen:6; http.method; content:"GET"; http.uri; content:"/v.vlt"; fast_pattern; http.header; content:"|0d 0a|UA-CPU|3a 20|"; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:command-and-control; sid:2021091; rev:4; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Cartasi Phishing Domain Nov 08 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023495; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_09, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putty SSH Credential Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=c3NoOi8v"; fast_pattern; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:4; metadata:created_at 2015_05_14, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.host; content:"drive.google.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023092; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Tmanger Checkin"; flow:established,to_server; content:"|8f 98 45 59 08 12 b2 aa ea 9d 7b 27 15 96 5f 00 2b b5 00|"; offset:8; depth:19; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023066; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Infostealer CnC Host Checkin"; flow:established,to_server; content:"|54 0b 54|"; offset:16; depth:3; fast_pattern; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|08 00|"; distance:0; content:"|01|"; endswith; reference:md5,a5a4046989fa0f99c2076aec3ea0ab2a; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030939; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon.com Phish M1 2016-06-27"; flow:to_server,established; http.method; content:"POST"; http.host; content:"amazon.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032396; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?"; fast_pattern; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/"; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,a69ac85c7e723ae37377516d7054fa0b; classtype:command-and-control; sid:2021118; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032393; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?wd="; fast_pattern; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,1beb162fc327101c01b07240a924202f; classtype:command-and-control; sid:2021119; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032392; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.Jenxcus.H URL Structure"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/is-rinoy"; fast_pattern; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021122; rev:4; metadata:created_at 2015_05_20, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&guid="; content:"&version="; distance:0; pcre:"/&version=\d+$/"; http.header; content:"WinHttp.WinHttpRequest."; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021132; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032390; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; pcre:"/^[A-Za-z0-9/_]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021139; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain 2016-06-14"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"itunes.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032389; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos URL Structure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/infects/"; fast_pattern; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:4; metadata:created_at 2015_05_22, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible HMRC Phishing Domain 2016-06-08"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"online.hmrc.gov.uk"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032387; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Autorun.AD Checkin"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/loglogin.html"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; reference:md5,3d652375fd511878f410fb1048e47f83; classtype:command-and-control; sid:2021143; rev:6; metadata:created_at 2015_05_23, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022618; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Red-Is-Sus Server"; nocase; endswith; reference:md5,de232dfbef55fa3803b15f4fa01c9f95; classtype:domain-c2; sid:2030935; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022617; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action=getuid"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021166; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022616; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&uid="; content:"&bit="; content:"&version="; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021167; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022615; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Backspace CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.header; content:"HOST|3a 20|"; http.user_agent; content:"SJZJ (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ddf0981aebeea6ba9abdae6ddf8ed4e2; classtype:targeted-activity; sid:2021184; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Formbuddy Credential Phish Submission 2016-01-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"www.formbuddy.com"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&reqd="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032364; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?type=notification&machinename="; fast_pattern; content:"&machinetime="; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:command-and-control; sid:2021188; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (App4)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"App"; depth:3; fast_pattern; pcre:"/^\d/R"; http.host; content:!"liveupdate.symantecliveupdate.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".py"; fast_pattern; endswith; http.user_agent; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021213; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M2 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:credential-theft; sid:2024998; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; fast_pattern; pcre:"/\.asp$/"; http.header; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021214; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; dns.query; content:".no-ip."; classtype:bad-unknown; sid:2013743; rev:5; metadata:created_at 2011_10_05, former_category HUNTING, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Retrieving Config"; flow:to_server,established; urilen:22; http.method; content:"GET"; http.uri; content:"/css/bootstrap.min.css"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/i"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:4; metadata:created_at 2015_06_13, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2017930; rev:11; metadata:created_at 2014_01_04, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload"; flow:established,to_server; http.uri; content:"/lns.txt"; fast_pattern; pcre:"/\/lns.txt$/"; http.user_agent; content:"WinHttp.WinHttpRequest"; reference:md5,0ed66982890ec483c3bc6f883e2424fb; classtype:trojan-activity; sid:2021284; rev:5; metadata:created_at 2015_06_17, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader (P2P Zeus dropper UA)"; flow:established,to_server; http.user_agent; content:"Updates downloader"; classtype:trojan-activity; sid:2017726; rev:6; metadata:created_at 2013_11_16, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".ini?"; fast_pattern; pcre:"/^\/[a-z]+?\.*?ini\?\d+$/i"; http.header_names; content:!"|0d 0a|Accept-"; content:!"User-Agent|0d 0a|"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021300; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.header_names; content:!"Referer"; content:!"Content-Type"; classtype:trojan-activity; sid:2016858; rev:11; metadata:created_at 2013_05_16, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/page_"; nocase; fast_pattern; content:".html"; nocase; pcre:"/\/[a-f0-9]{8}\/page_\d{8,10}\.html$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0"; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021274; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2016173; rev:10; metadata:created_at 2013_01_08, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.DES.Downloader Request"; flow:to_server,established; http.uri; content:"/ad.php?id="; fast_pattern; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b 20|Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10|0d 0a|Accept-Encoding|3a 20|deflate|0d 0a|Accept-Language|3a 20|en-us|0d 0a|HOST|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021352; rev:4; metadata:created_at 2015_06_26, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallMonster.Downloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy Library)"; endswith; fast_pattern; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:md5,70a6d9cb37e346b4dfd28bd4ea1f8671; classtype:command-and-control; sid:2017656; rev:6; metadata:created_at 2013_11_01, former_category MALWARE, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Checkin"; flow:established,to_server; http.uri; content:"/up_docx.php"; fast_pattern; http.header_names; content:!"Referer"; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:command-and-control; sid:2021376; rev:4; metadata:created_at 2015_07_02, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Win32.Sality-GR Checkin"; flow:established,to_server; http.uri; content:".gif?"; fast_pattern; pcre:"/^[0-9a-f]{4,8}\x3d\x2d?\d+(?:&id\x3d\d+)?$/R"; http.header_names; content:"|0d 0a|User-Agent"; depth:12; content:!"Accept"; content:!"Referer"; reference:md5,3a03a20bfefe3fdd01659d47d2ed76c8; classtype:command-and-control; sid:2018340; rev:11; metadata:created_at 2013_06_07, former_category MALWARE, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Download"; flow:established,to_server; http.uri; content:"/WINWORD32.exe"; fast_pattern; http.header_names; content:!"Referer"; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:trojan-activity; sid:2021377; rev:5; metadata:created_at 2015_07_02, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; urilen:32; http.uri; content:".php?id="; offset:6; depth:8; pcre:"/^[A-Z0-9]{18}$/R"; http.user_agent; content:"MSIE 6.0|3b|"; reference:md5,f4b8b51b75f67e68d0c1a9639e2488c3; classtype:command-and-control; sid:2015808; rev:7; metadata:created_at 2012_10_17, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matsnu Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; bsize:70; http.request_body; content:"="; depth:7; content:"AA"; distance:3; within:2; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.connection; content:"Keep-AliveCache-Control|3a 20|no-cache"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:command-and-control; sid:2021399; rev:5; metadata:created_at 2015_07_10, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.accept; content:"*/*"; http.accept_lang; content:"en-us"; http.content_type; content:"application/octet-stream"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; content:!"Referer"; flowbits:set,ET.Pushdo.S; threshold: type threshold,track by_src,count 1,seconds 60; threshold: type limit,track by_src,count 1,seconds 600; classtype:command-and-control; sid:2016867; rev:6; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm/contador.php"; fast_pattern; http.user_agent; content:"Firefox/15.0.1"; bsize:14; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021403; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fosniw MacTryCnt CnC Style Checkin"; flow:established,to_server; http.uri; content:"&logdata=MacTryCnt|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B; classtype:command-and-control; sid:2013202; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SLOTHFULMEDIA RAT CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v?m="; startswith; fast_pattern; content:"&i="; distance:0; http.accept; content:"application/octet-stream,application/xhtml"; bsize:42; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-275a; reference:md5,448838b2a60484ee78c2198f2c0c9c85; classtype:command-and-control; sid:2030960; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; dns.query; content:".dyndns."; nocase; classtype:misc-activity; sid:2012758; rev:6; metadata:created_at 2011_05_02, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 2"; flow:to_server,established; urilen:12; http.method; content:"GET"; http.uri; content:"/checkupdate"; fast_pattern; http.header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/mi"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; startswith; http.cookie; content:"A="; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/m"; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021502; rev:4; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot POST CnC Beacon"; flow:established,to_server; urilen:<33; http.method; content:"POST"; http.uri; content:"/b/"; fast_pattern; pcre:"/^[a-z]{3,4}\x2F[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018098; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 1"; flow:to_server,established; http.uri; content:"/status"; fast_pattern; http.header; pcre:"/^[a-f0-9]{32}\.org/R"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; startswith; http.host; content:"jdk."; startswith; http.cookie; content:"SSID="; content:"A="; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/"; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021501; rev:5; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?email="; fast_pattern; http.accept; http.accept; content:"*/*"; http.connection; http.connection; content:"close"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Host|0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept-"; reference:md5,a80440b3d9cb09898c0f12aaa05980c0; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:command-and-control; sid:2025020; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/"; fast_pattern; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/"; http.header; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/mi"; http.request_body; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021520; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pykspa.C Public IP Check"; flow:established,to_server; urilen:1; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|1.9.1.3) Gecko/20090824 Firefox/3.5.3"; fast_pattern; http.host; content:"myip"; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,b94e213153a1929db2f414f23d891d76; reference:md5,324ff262da1233ef874ff29213cf8f19; classtype:trojan-activity; sid:2018773; rev:5; metadata:created_at 2014_07_24, updated_at 2020_08_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern; http.stat_code; content:"200"; file.data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:4; metadata:created_at 2015_07_24, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; http.host; content:".dyndns."; fast_pattern; content:!"checkip."; pcre:"/\.dyndns\.(biz|info|org|tv)$/"; classtype:bad-unknown; sid:2013097; rev:9; metadata:created_at 2011_06_22, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 7"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?vid="; fast_pattern; pcre:"/\.jpg\?vid=\d+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021570; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (GenericHttp/VER_STR_COMMA)"; flow:established,to_server; http.user_agent; content:"GenericHttp/VER_STR_COMMA"; classtype:trojan-activity; sid:2013737; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Androm.gnlb Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?ver="; fast_pattern; nocase; content:"&mac="; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c7e6ebf91c03a2bcaa8053f149870fad; classtype:command-and-control; sid:2021608; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Presto)"; flow:established,to_server; http.user_agent; content:"Opera/10.60 Presto/2.2.30"; http.header_names; content:!"Accept"; classtype:trojan-activity; sid:2012491; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?id="; fast_pattern; pcre:"/\?id=[a-f0-9]{8}$/"; http.header; content:"Accept|3a 20|*/*|0d 0a|"; pcre:"/^[^\x3a]+\x3a\x20\d+\r\n[^\x3a]+\x3a\x20\d+\r\n[^\x3a]+\x3a\x20\d+\r\n[^\x3a]+\x3a\x20\d+\r\nUser-Agent\x3a/Ri"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,076ae76dcd0946ff913a9ce033e0ca55; classtype:command-and-control; sid:2036858; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup sina.com.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iplookup.php"; http.host; content:"dpool.sina.com.cn"; fast_pattern; classtype:external-ip-check; sid:2021438; rev:4; metadata:created_at 2015_07_20, former_category POLICY, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest CnC Beacon"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?"; content:"/0"; content:"=0000"; fast_pattern; content:"=?"; pcre:"/\.php\?[a-z]+=0000[a-fA-F0-9]{4}&[a-z]+=\?[A-F0-9]+&[a-z]=\d{4}&[a-z]=\d{4}$/"; http.header; content:"Accept"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1b820dda5833f802be829d468884884e; classtype:command-and-control; sid:2025089; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WildTangent User-Agent (WT Games App)"; flow:established,to_server; http.header; content:"|0d 0a|WT-User-Agent|3a 20|WT|20|Games|20|App|20|"; classtype:policy-violation; sid:2021384; rev:3; metadata:created_at 2015_07_07, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Sending Debug Messages"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?usid="; fast_pattern; content:"&txt=00"; distance:0; pcre:"/^[0-9a-f]+$/R"; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)"; flow:established,to_server; threshold:type limit, count 2, seconds 300, track by_src; http.user_agent; content:"OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:36; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Files"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lup.php?name="; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoft.E Checkin 1"; flow:established,to_server; http.uri; content:".asp?prj="; content:"&pid="; content:"&logdata="; http.host; content:"winsoft"; reference:md5,d773d063d8cf35166831af0dae13a4b7; reference:url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39; classtype:command-and-control; sid:2012222; rev:4; metadata:created_at 2011_01_24, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending File Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|file|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Requesting exe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?"; offset:2; depth:11; pcre:"/^\/[a-z0-9]{1,10}\/?\?.+?$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:15; metadata:created_at 2012_11_30, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending Screenshot Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|src|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/data/"; content:".xd"; isdataat:!2,relative; http.user_agent; bsize:17; content:"internet explorer"; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; http.host; content:"api.wipmania.com"; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:external-ip-check; sid:2014304; rev:5; metadata:created_at 2012_03_05, former_category POLICY, updated_at 2020_08_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FinSpy Domain (browserupdate .download in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".browserupdate.download"; endswith; fast_pattern; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; reference:url,github.com/AmnestyTech/investigations/blob/master/2020-09-25_finfisher/domains.txt; classtype:domain-c2; sid:2030962; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; http.uri; content:"/app/geoip.js"; fast_pattern; http.host; content:"maxmind.com"; classtype:policy-violation; sid:2015878; rev:4; metadata:created_at 2012_11_13, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 3"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/r.php?"; fast_pattern; pcre:"/\/r\.php\?[A-F0-9]+=?$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0a4d0e5d0b69560414bbd20127bd8176; classtype:command-and-control; sid:2021723; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Single char EXE direct download likely trojan (multiple families)"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/\/[a-z0-9A-Z]\.exe$/i"; classtype:trojan-activity; sid:2018581; rev:4; metadata:created_at 2014_06_18, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; pcre:"/\.asp$/"; http.request_body; content:"m="; depth:2; content:"AA=="; fast_pattern; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:command-and-control; sid:2018685; rev:5; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Our_Agent)"; flow:established,to_server; http.user_agent; content:"Our_Agent"; classtype:trojan-activity; sid:2012278; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Reconyc.equo Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; content:"&mac="; fast_pattern; content:"&auth="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,32c17edee5b29e41f31eda05e78b2241; classtype:command-and-control; sid:2021744; rev:5; metadata:created_at 2015_09_04, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:established,to_server; http.user_agent; content:"MSDW"; depth:4; http.host; content:"watson.microsoft.com"; classtype:policy-violation; sid:2018170; rev:6; metadata:created_at 2014_02_24, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt Connectivity Check 1"; flow:established,to_server; urilen:4; http.uri; content:"/raw"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,d0e3471f4963496cefd73744e98340aa; classtype:trojan-activity; sid:2021775; rev:4; metadata:created_at 2015_09_15, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs/Harnig Downloader Activity"; flow:established,to_server; http.uri; content:".php?adv=adv"; http.user_agent; content:")ver"; fast_pattern; pcre:"/^\d+$/R"; reference:md5,2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron Tiger Backdoor.GCloud CnC Beacon"; flow:established,to_server; http.uri; content:"/user?pid="; fast_pattern; content:"&data="; http.user_agent; content:"WinHTTP Example/1.0"; bsize:19; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021790; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Checkin"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/home/"; http.header_names; content:!"Accept-"; content:!"Content-Type"; content:!"Referer"; reference:md5,6afc848066d274d8632c742340560a67; classtype:command-and-control; sid:2017584; rev:9; metadata:created_at 2013_10_12, former_category MALWARE, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upx/"; fast_pattern; pcre:"/\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021812; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor EXE Download Common Header Order"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.user_agent; content:"MSIE"; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:76; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2018254; rev:5; metadata:created_at 2014_03_12, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"P"; depth:1; nocase; content:"myPath =|20|"; nocase; content:"iFold =|20|"; nocase; content:"wallPath =|20|"; nocase; fast_pattern; content:"listPath =|20|"; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021851; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Retrieving Domains via JS"; flow:established,to_server; http.uri; content:".txt?dummy="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"Mozilla"; depth:7; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; classtype:trojan-activity; sid:2020031; rev:5; metadata:created_at 2014_12_23, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Created wallet -|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021855; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; urilen:16<>402; http.method; content:"GET"; nocase; http.uri; pcre:"/^\/[a-z0-9+\/=]{16,400}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE"; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; depth:19; content:"Host|0d 0a|"; distance:0; content:!"Accept"; classtype:command-and-control; sid:2011894; rev:20; metadata:created_at 2010_11_06, former_category MALWARE, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M RecursiveFileSearch"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021856; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Solarbot Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v="; depth:2; content:"&u="; content:"&w="; content:"&c="; pcre:"/&s=\{?[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}\}?(?:&|$)/i"; http.header_names; content:!"Referer"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017742; rev:5; metadata:created_at 2013_11_22, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Scan folder|3a 20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021857; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE)"; flow:to_server,established; http.user_agent; content:"ClickAdsByIE"; depth:12; reference:url,doc.emergingthreats.net/2010220; classtype:pup-activity; sid:2010220; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Saved cryptor key -|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021858; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/system/"; depth:8; nocase; fast_pattern; pcre:"/^(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ri"; http.header_names; content:!"Referer"; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:6; metadata:created_at 2016_05_24, former_category CURRENT_EVENTS, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"|29 20|Encrypt|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021859; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z0-9.&-]+(?:[a-z0-9]{4}-){3}[a-z0-9.&+-]+$/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-"; classtype:command-and-control; sid:2019756; rev:5; metadata:created_at 2014_11_20, former_category MALWARE, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Files encrypted,"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021860; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; http.host; pcre:"/\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022896; rev:6; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M STATE|3a 20|CRYPTED_"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021861; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-03-31"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?ad="; nocase; content:"="; distance:0; pcre:"/=\d+$/"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,c5ad81d8d986c92f90d0462bc06ac9c6; classtype:trojan-activity; sid:2022692; rev:4; metadata:created_at 2016_03_31, updated_at 2020_08_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Free disk space|3a 20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021862; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comisproc Checkin"; flow:to_server,established; http.uri; content:".asp?mac="; content:"&ver="; distance:0; http.user_agent; content:"Google"; nocase; depth:6; reference:md5,9378ef5f2fb2e71e5eeed20f9f21d8dd; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910; reference:url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html; classtype:command-and-control; sid:2017066; rev:9; metadata:created_at 2011_10_06, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage Userclass HTTP Request"; flow:established,to_server; urilen:10; http.uri; content:"/Userclass"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; content:!"Referer"; reference:md5,92ecb8cedb226a27e354b45a56f0353f; classtype:trojan-activity; sid:2021922; rev:4; metadata:created_at 2015_10_07, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ixeshe/Mecklow Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&"; content:"."; content:"sp?"; distance:1; within:3; pcre:"/\/[A-Z0-9]+\.[aj]sp\?[a-zA-Z0-9+/\x20=]+$/"; http.user_agent; content:"MSIE 5.01|3b 20|Windows NT 5.0|29|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:md5,3422e76cf4c99ec1091f8c342a3aedaa; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; classtype:command-and-control; sid:2018379; rev:12; metadata:created_at 2011_04_26, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Nemim Checkin"; flow:to_server,established; http.uri; content:".php?a1="; nocase; fast_pattern; content:"&a2="; nocase; content:"&a3="; nocase; pcre:"/\.php\?a1=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&a2=[a-f0-9]{32}&a3=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve; classtype:command-and-control; sid:2017599; rev:6; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 1"; flow:established,to_server; http.uri; content:".php?w="; content:"&i="; distance:0; content:"&a="; distance:0; pcre:"/\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+$/"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:command-and-control; sid:2013685; rev:4; metadata:created_at 2011_09_22, former_category MALWARE, updated_at 2020_08_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"&act="; fast_pattern; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:4; metadata:created_at 2015_10_28, updated_at 2020_10_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (GRIFFON CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fashionableeder.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030700; rev:1; metadata:attack_target Client_and_Server, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family GRIFFON, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malvertising Malicious PE Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adobe_flashplayer_7.exe"; fast_pattern; reference:md5,d9b91aa8c66c4a701f5558bdca805eec; reference:url,otx.alienvault.com/pulse/5637202b4637f2388aaec61c/; classtype:trojan-activity; sid:2022020; rev:4; metadata:created_at 2015_11_03, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ixeshe/Mecklow Checkin 2"; flow:established,to_server; http.header_names; content:"|0d 0a|x_bigfix_client_string|0d 0a|"; depth:26; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,df9ce5d06498419a3c93ad95a2ed82fd; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fMecklow.A&ThreatID=-2147325849; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf; classtype:command-and-control; sid:2018380; rev:8; metadata:created_at 2012_06_19, former_category MALWARE, updated_at 2020_08_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MosaicRegressor WinHTTP Downloader)"; flow:established,to_client; tls.cert_subject; content:"CN=ezan.yikongjian.cc"; bsize:21; fast_pattern; tls.cert_issuer; content:"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA"; bsize:86; reference:url,securelist.com/mosaicregressor/98849/; reference:url,74DB88B890054259D2F16FF22C79144D; classtype:domain-c2; sid:2030963; rev:1; metadata:attack_target Client_and_Server, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mazilla Suspicious User-Agent Jan 15 2015"; flow:established,to_server; http.user_agent; content:"Mazilla/"; depth:8; fast_pattern; reference:url,malware-traffic-analysis.net/2015/01/15/index.html; classtype:trojan-activity; sid:2020235; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Ransom.Win32.Blocker.dham Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ID="; content:"&Serial="; content:"&acao="; content:"&Log="; content:"&PCInfo="; fast_pattern; reference:md5,e15b38251aed80298ba07169eb6ee2fa; classtype:command-and-control; sid:2022091; rev:4; metadata:created_at 2015_11_13, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; http.uri; content:"/stat"; content:".php?w="; content:"&i=00000000000"; fast_pattern; content:"&a="; http.user_agent; content:"Opera/6 (Windows NT 5.1|3b 20|"; classtype:command-and-control; sid:2013907; rev:5; metadata:created_at 2011_11_11, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/menu.php"; fast_pattern; endswith; http.user_agent; content:"rv|3a|20.0"; content:"Firefox/20.0"; distance:0; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020891; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface HTTP Request (2)"; flow:established,to_server; http.uri; content:"?action="; nocase; content:"&v="; nocase; distance:0; pcre:"/\?action=\w+gen&v=\d/"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/\.php\?hwid=[A-F0-9]{16}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; reference:md5,d543973bd33d45d515e8dfc251411c4b; classtype:trojan-activity; sid:2022127; rev:4; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious UA (^IE[\d\s])"; flow:established,to_server; http.header; content:!"symantec"; nocase; content:!"norton"; nocase; http.user_agent; content:"IE"; depth:2; nocase; fast_pattern; pcre:"/^[\d\s]/R"; http.host; content:!".bing.com"; reference:md5,209e6701da137084c2f60c90d64505f2; classtype:trojan-activity; sid:2018010; rev:6; metadata:created_at 2014_01_24, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 1"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"/img/"; depth:5; content:"/"; distance:32; within:1; content:"/general.png"; endswith; fast_pattern; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/general\.png$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022146; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!".blackberry.com"; content:!".nokia.com"; content:!".sonyericsson.com"; http.request_body; content:"<IMEI>"; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; distance:0; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:10; metadata:created_at 2011_06_30, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST 2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\d+$/"; http.user_agent; content:"Sony|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,f184c13be617754e394ecb8c972c8861; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2022188; rev:4; metadata:created_at 2015_11_26, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Google Chrome Credential Stealing via SCF file Reflected Request"; flow:to_server,established; http.uri; content:"shell"; nocase; content:"IconFile"; nocase; http.uri.raw; content:"|5c 5c|"; pcre:"/Shell.*%0a\s*IconFile\s*=\s*\x5c\x5c/i"; reference:url,defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf; classtype:attempted-recon; sid:2025060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&prv_ip="; fast_pattern; content:".doc"; content:".xls"; content:".ppt"; content:".sql"; content:".pdf"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow: established,to_server; http.user_agent; content: "Blizzard Web Client"; nocase; depth:19; classtype:policy-violation; sid:2012170; rev:4; metadata:created_at 2011_01_10, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Evil Macro Downloading Trojan Dec 16 2015 Post to EXE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/^[\x2fa-z\d]+\.exe$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|Connection|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022270; rev:4; metadata:created_at 2015_12_17, former_category CURRENT_EVENTS, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WS/JS Downloader Mar 07 2017 M1"; flow:established,to_server; http.uri; content:"/counter/"; fast_pattern; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2024035; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProPoS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Pro PoS"; fast_pattern; startswith; http.accept; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.talosintel.com/2015/12/pro-pos.html; classtype:command-and-control; sid:2022282; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; http.host; content:".dyndns-"; pcre:"/(?:at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com/R"; classtype:bad-unknown; sid:2013096; rev:6; metadata:created_at 2011_06_22, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; http.uri; content:"/444.jpg"; fast_pattern; http.host; content:"postimg.org"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:7; metadata:created_at 2014_01_28, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-api.com"; flow:established,to_server; http.host; content:"ip-api.com"; classtype:external-ip-check; sid:2022082; rev:4; metadata:created_at 2015_11_13, former_category POLICY, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Htbot.B Checkin"; flow:to_server,established; http.uri; content:".php?command="; fast_pattern; pcre:"/\.php\?command=(?:g(?:hl|et(?:ip|id|backconnect))|update2?|dl|log)(?:$|&)/"; http.user_agent; content:"pb"; bsize:2; reference:md5,bdd2328d466e563a650bb7ccdb9aca79; reference:md5,ba1404af71ecf3ca8b0e30a2b365f6fd; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FHtbot.B; classtype:command-and-control; sid:2020089; rev:6; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; http.host; content:".no-ip.com"; fast_pattern; content:!"www.no-ip.com"; classtype:bad-unknown; sid:2013744; rev:10; metadata:created_at 2011_10_05, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Downloader fake image zip"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".zip"; endswith; nocase; fast_pattern; pcre:"/\.(?:gif|jpe?g)\.zip$/i"; http.content_type; content:"text/plain|3b 20|Charset=UTF-8"; bsize:25; reference:md5,7b678a25c533652dbb0c2a2ac37cf1e3; classtype:trojan-activity; sid:2022334; rev:4; metadata:created_at 2016_01_06, updated_at 2020_10_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain"; dns.query; content:".duckdns."; nocase; classtype:misc-activity; sid:2022918; rev:3; metadata:created_at 2016_06_27, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Checkin"; flow:established,to_server; http.uri; content:"/logo.gif?sessd="; fast_pattern; content:"&sessc="; content:"&sessk="; distance:0; http.header; pcre:"/^(?:zh-CN|en-US)\x3b rv\x3a1\.7\.6\)\r\n/R"; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|"; startswith; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:command-and-control; sid:2022358; rev:5; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M3"; flow:established,to_client; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; content:"Content-Disposition|3a 20|"; pcre:"/^[^\r\n]+\.(?:jpe?g|gif|png)\r\n/R"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023671; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC HTTP Pattern"; flow:established,to_server; http.method; content:"GET"; http.uri; content:",0x"; fast_pattern; pcre:"/(?:,0x[0-9a-f]{2}){10}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,8df8d0cd70f96538211c65fb6361704d; classtype:command-and-control; sid:2022494; rev:4; metadata:created_at 2016_02_08, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX/Destory HTTP traffic"; flow:established,to_server; http.request_line; content:"POST|20|"; depth:5; http.header_names; content:"X-Sn"; fast_pattern; content:"X-Session"; content:"X-Status"; content:"X-Size"; reference:url,circl.lu/pub/tr-24/; classtype:trojan-activity; sid:2018541; rev:4; metadata:created_at 2014_06_06, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 1"; flow:established,to_server; urilen:11; http.method; content:"GET"; http.uri; content:"/flamme.php"; fast_pattern; http.header; content:"Cache-Control|3a 20|no-cache"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; classtype:command-and-control; sid:2022495; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP Referer C Drive Path"; flow:established,to_server; http.referer; http.referer; content:"res|3a 2f 2f|c|3a 5c|"; depth:9; nocase; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:5; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Microsoft"; nocase; content:"/default.asp"; distance:0; content:"?tmp="; fast_pattern; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:command-and-control; sid:2018554; rev:6; metadata:created_at 2014_06_11, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?resid="; fast_pattern; content:"&photoid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021201; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.cookie; content:"PHPSESSID="; pcre:"/(?:[a-z]+=\d{3,4}\x3b\x20){4}/"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; bsize:37; classtype:command-and-control; sid:2021718; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M4"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; http.content_type; content:"image|2f|"; depth:6; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023672; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton Checkin"; flow:to_server,established; http.uri; content:".php?ch="; fast_pattern; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-length|3a 20|0|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022676; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 1"; flow:established; urilen:7; http.method; content:"GET"; http.uri; content:"/HNAP1/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; classtype:trojan-activity; sid:2018131; rev:6; metadata:created_at 2014_02_13, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 1"; flow:to_server,established; http.request_body; content:"task=report&id="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022677; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BandarChor Ransomware Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; depth:7; content:"&id="; distance:0; content:"&pc="; distance:0; content:"&tail="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,fba4af888ae0e838dd083d4cfebc8f39; reference:md5,d32b6c067e64c141b0c239d23ab1ffd1; reference:url,f-secure.com/weblog/archives/00002795.html; classtype:command-and-control; sid:2021685; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 2"; flow:to_server,established; http.request_body; content:"task=knock&pub="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022678; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gatak CnC"; flow:established,to_server; http.uri; content:"/report"; depth:7; fast_pattern; pcre:"/^\/report[0-9]?_(?:v[0-9])?[A-Z]?[A-F0-9_-]+_[0-9]{1,3}_(?:st(?:arted|ep)|already|mark|p(?:rocess|a(?:ge|yload))|watch2|http|image|gdiplus|crc|DIRRR|finished|(?:ex(cept|ecuted)))/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|Trident/4.0)"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,636a911cc059415963da7009277bae17; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/stegoloader-a-stealthy-information-stealer/; classtype:command-and-control; sid:2021268; rev:11; metadata:created_at 2015_06_15, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.TreasureHunter Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; content:"request=true"; fast_pattern; http.request_body; content:"request="; depth:8; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; reference:md5,070e9a317ee53ac3814eb86bc7d5bf49; reference:url,isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/; classtype:command-and-control; sid:2022681; rev:3; metadata:created_at 2016_03_29, former_category MALWARE, updated_at 2020_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 6"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:".php?"; pcre:"/\/[a-z]+\.php\?[A-F0-9]{250,}$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|Trident/7.0|3b 20|Touch|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022300; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-sale.com"; bsize:18; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030969; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_10_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot/Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; content:"|08 00|"; distance:16; within:2; isdataat:!1,relative; reference:url,github.com/sysopfb/open_mal_analysis_notes/blob/master/546bf4fc684c5d1e17b204a28c795a414124335b6ef7cbadf52ae8fbadcb2a4a.md; classtype:trojan-activity; sid:2030698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family Anchor, signature_severity Major, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".html"; nocase; fast_pattern; pcre:"/\/\d{8,10}\.html$/i"; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:!"www.youdao.com"; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cfa7954722d4277d26e96edc3289a4ce; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021276; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 3"; flow:to_server,established; http.method; content:"GET"; http.header; content:!"Taitus"; pcre:"/^Accept\x3a\x20text\/\*,\x20application\/\*\r\nUser-Agent\x3a\x20[^\r\n]+\r\n(?:Pragma|Cache-Control)\x3a\x20no-cache\r\nConnection\x3a Keep-Alive\r\nHost\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.user_agent; content:!"Mozilla"; depth:7; http.accept; content:"text/*,|20|application/*"; depth:21; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|"; fast_pattern; content:"|0d 0a|Connection|0d 0a|Host|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2020295; rev:7; metadata:created_at 2015_01_23, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:external-ip-check; sid:2022688; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 5"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/misc.php?"; fast_pattern; pcre:"/^[A-F0-9]{250,}$/R"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,66bbfc1e5b027eb48c76078129194015; classtype:command-and-control; sid:2022284; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.request_body; content:"|40 24|"; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:command-and-control; sid:2022689; rev:4; metadata:created_at 2016_03_30, former_category MALWARE, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/shoe/"; depth:8; fast_pattern; pcre:"/^\d+?$/R"; http.user_agent; content:"Mozilla/4.0|20|"; depth:12; http.header_names; content:!"Referer"; reference:md5,e1cbdba0c57ddb5ab70aa1306dbacaa9; classtype:command-and-control; sid:2018643; rev:5; metadata:created_at 2014_02_28, former_category MALWARE, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Keepalive"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".asp"; http.header; content:"Content-Length|3a 20|2|0d 0a|"; fast_pattern; http.request_body; content:"ok"; depth:2; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022363; rev:5; metadata:created_at 2016_01_13, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUSPICIOUS UA (iexplore)"; flow:established,to_server; http.user_agent; content:"iexplore"; depth:8; fast_pattern; nocase; http.host; content:!"su.pctools.com"; content:!".advent.com"; reference:md5,b0e8ce16c42dee20d2c1dfb1b87b3afc; classtype:bad-unknown; sid:2017365; rev:12; metadata:created_at 2013_08_21, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Keepalive 2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".asp"; http.header; content:"Content-Length|3a 20|5|0d 0a|"; fast_pattern; http.request_body; content:"READY"; depth:5; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022750; rev:4; metadata:created_at 2016_04_20, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)"; flow:established,to_server; http.user_agent; content:"Transmission/"; depth:13; reference:url,www.transmissionbt.com; reference:url,doc.emergingthreats.net/2011699; classtype:policy-violation; sid:2011699; rev:7; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader.Banload.XDL Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/okok/Notify.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; reference:md5,70adf5506c767590e11bdc473c91bb38; classtype:command-and-control; sid:2022754; rev:4; metadata:created_at 2016_04_22, former_category MALWARE, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webhp"; nocase; http.connection; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; depth:34; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013076; rev:10; metadata:created_at 2011_06_22, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ga.php?analytic=WyJ1cmwl"; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Brazilian Banker SSL Cert"; flow:established,from_server; tls.cert_subject; content:"CN=processamentos.com.br"; fast_pattern; nocase; classtype:trojan-activity; sid:2025075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Upgilf CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"2E"; content:"2E"; distance:0; content:"2E"; distance:0; content:"00000000000000000000"; fast_pattern; pcre:"/^\/[A-F0-9]+$/"; http.user_agent; content:"Windows NT"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,c049f2884bf2dfca9496f075216af431; classtype:command-and-control; sid:2036993; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sinowal/sinonet/mebroot/Torpig infected host checkin"; flow:established,to_server; http.uri; content:"/search"; depth:7; content:"?fr=altavista&itag="; within:30; content:"&kls="; distance:0; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2011365; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/"; http.header; content:"Range"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; classtype:trojan-activity; sid:2022500; rev:7; metadata:created_at 2016_02_10, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Knock.php Shiz or Rohimafo CnC Server Contact URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"knock.php?n="; nocase; content:"=seller-"; nocase; distance:0; http.header_names; content:!"User-Agent"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011520; rev:6; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality-GR Checkin 2"; flow:to_server,established; http.uri; content:".png?"; fast_pattern; pcre:"/\.png\x3f[0-9a-f]{4,8}\x3d\d+?$/"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,99d614964eafe83ec4ed1a4537be35b9; classtype:command-and-control; sid:2022804; rev:4; metadata:created_at 2016_05_13, former_category MALWARE, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup api.ipify.org"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"api.ipify.org"; fast_pattern; reference:md5,79809fd3e05a852581b897cc4b06aa32; classtype:external-ip-check; sid:2021997; rev:4; metadata:created_at 2015_10_23, former_category POLICY, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; fast_pattern; endswith; http.header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021079; rev:5; metadata:created_at 2015_05_09, former_category MALWARE, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST to WP Theme Directory Without Referer"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/themes/"; fast_pattern; pcre:"/^[^&=?]*\/wp-content\/themes\//i"; http.host; content:!"citytv.com"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2020822; rev:7; metadata:created_at 2015_03_31, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b|)"; http.accept; content:"*/*"; bsize:3; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:4; metadata:created_at 2016_05_19, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Echelon/DarkStealer Variant CnC Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?chatid="; content:"&username="; content:"&machineName="; fast_pattern; content:"&Country="; content:"&HWID="; content:"&ip="; http.request_body; content:".zip|22 0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,fed2a8736c84eda9dcc8533b5019f7d8; classtype:trojan-activity; sid:2030699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family DarkStealer, malware_family EchelonStealer, signature_severity Major, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M1"; flow:to_server,established; urilen:5; http.method; content:"GET"; http.uri; content:"/EPWD"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022851; rev:4; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Oliga Fake User Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/4.75 [en]"; depth:17; content:!"Linux"; classtype:trojan-activity; sid:2013372; rev:6; metadata:created_at 2011_08_05, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M2"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/PWD"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022852; rev:4; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"OpenVAS"; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:6; metadata:created_at 2011_04_26, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".pdf/?"; fast_pattern; pcre:"/\.pdf\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023912; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct Dec 01 2014"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"-SP"; fast_pattern; content:"/0/"; distance:0; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:md5,fd0f57fd1f93c13b7bd63f811ac7939e; classtype:trojan-activity; sid:2019847; rev:14; metadata:created_at 2014_12_03, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".zip/?"; fast_pattern; pcre:"/\.zip\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023913; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic -POST To file.php w/Extended ASCII Characters"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file.php"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2016172; rev:10; metadata:created_at 2013_01_08, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".htm/?"; fast_pattern; pcre:"/\.htm\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023914; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client User-Agent"; flow:established,to_server; http.user_agent; content:"DynDNS-Client"; classtype:not-suspicious; sid:2014092; rev:4; metadata:created_at 2012_01_03, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".xml/?"; fast_pattern; pcre:"/\.xml\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023915; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; flowbits:set,ET.Chroject; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:1; content:"="; distance:0; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/"; http.user_agent; content:"|20|like Gecko|29 20|Chrome/"; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020747; rev:9; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header; content:"Range"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022895; rev:4; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE webr00t WebShell Access"; flow:established,to_server; http.uri; content:"/?webr00t="; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:5; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRatReporter check-in"; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php?filename="; fast_pattern; http.header; content:"Accept: */*"; http.accept_enc; content:"utf-8"; bsize:5; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022903; rev:4; metadata:created_at 2016_06_15, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; http.user_agent; content:"Deluge"; depth:6; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit Connectivity Check 0 Byte POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"=http"; content:"/?"; pcre:"/\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0D 0A|"; fast_pattern; http.host; content:"google."; within:10; pcre:"/^(?:www\.)?google(?:\.[a-z]{2,3})+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used; classtype:targeted-activity; sid:2021506; rev:6; metadata:created_at 2015_07_22, former_category MALWARE, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 1"; flow:established,to_server; http.uri; content:".asp?imageid="; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2016139; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SFG Client Information POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".log"; pcre:"/\.log$/"; http.host; content:"nullptr"; fast_pattern; bsize:7; reference:url,sentinelone.com/blogs/sfg-furtims-parent/; classtype:trojan-activity; sid:2022963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, malware_family Futrim, malware_family SFG, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; http.uri; content:"/wp-content/uploads/optpress/images_"; fast_pattern; content:".php"; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/i"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:4; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server; http.uri; content:!".exe"; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/"; http.user_agent; content:"Microsoft BITS"; startswith; fast_pattern; http.host; content:!".microsoft.com"; endswith; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2022_04_18;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/passwordrecovered.cgi?id="; nocase; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:5; metadata:created_at 2014_01_15, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pm.sh?"; fast_pattern; pcre:"/^\/pm\.sh\?\d+$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023034; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client IP Check"; flow:established,to_server; http.user_agent; content:"DynDNS-Client"; depth:13; http.host; content:"checkip.dyndns."; classtype:not-suspicious; sid:2014091; rev:4; metadata:created_at 2012_01_03, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dw.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, malware_family MONSOON, malware_family Tinytyphon, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected"; flow:established,to_server; http.user_agent; content:"wget 3.0"; classtype:trojan-activity; sid:2013178; rev:6; metadata:created_at 2011_07_04, former_category TROJAN, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon Exfiltrating Docs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|MD5|22|"; content:"name=|22|fname|22|"; distance:0; content:"name=|22|compname|22|"; distance:0; content:"name=|22|uploadedfile|22 3b|"; fast_pattern; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; http.uri; content:"/rom-0"; nocase; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:4; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker.BR Checkin"; flow:established,to_server; http.uri; content:".asp?m="; fast_pattern; content:"&v="; pcre:"/\.asp\?m=(?:INS|UAC)(?:&p=&a=)?&i=201\d{11}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,bd389eb9cf03e55013eaf07970288f08; classtype:command-and-control; sid:2023081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Agent.BAAB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/trace/"; fast_pattern; pcre:"/^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$/"; http.user_agent; content:"NSISDL/1.2|20|(Mozilla)"; depth:20; http.header_names; content:!"Referer"; content:"Accept"; reference:md5,406fea6262d8ee05e0ab4247c1083443; reference:url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/; classtype:command-and-control; sid:2017946; rev:5; metadata:created_at 2014_01_08, former_category MALWARE, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET MALWARE PNScan.2 Inbound Status Check - set"; flow:established,to_server; urilen:6; flowbits:set,ET.PNScan.2; flowbits:noalert; http.uri; content:"/check"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023087; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?q="; http.header; content:"redirect|3a|"; fast_pattern; content:"version|3a 20|"; content:"aid|3a 20|"; content:"builddate|3a 20|"; content:"pid|3a 20|"; http.header_names; content:!"Referer"; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021227; rev:4; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET 9000 -> $EXTERNAL_NET any (msg:"ET MALWARE PNScan.2 Inbound Status Check Response"; flow:established,from_server; flowbits:isset,ET.PNScan.2; http.header; content:"Content-Length|3a 20|12|0d 0a|"; file.data; content:"{|22|status|22 3a|1}"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023088; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 7 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 7"; nocase; fast_pattern; classtype:trojan-activity; sid:2015820; rev:5; metadata:created_at 2012_10_19, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srv_report?ver="; fast_pattern; pcre:"/\?ver=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023090; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cohhoc RAT CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"gAAAA"; offset:2; depth:5; content:"AAAAAAAAAAAAAAMjAx"; distance:1; within:18; content:"MiR"; distance:4; within:3; http.header_names; content:!"Referer"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019625; rev:5; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?ver="; fast_pattern; pcre:"/^\/(?:i686|arm|mips(?:el)?)\?ver=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023089; rev:5; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Checkin"; flow:established,to_server; http.uri; content:"update.php?"; content:"&key="; distance:0; content:"&dummy="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,1837561f9537d2fcc2b4f0ea6fd3a095; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-121000-1027-99&tabid=2; classtype:command-and-control; sid:2020034; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 3"; flow:established,to_server; http.uri; content:"/final111?&nocache="; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023133; rev:5; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; http.user_agent; content:"WindowsNT"; http.host; content:!".rview.com"; content:!".mobizen.com"; classtype:trojan-activity; sid:2013721; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_10_01, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:web-application-attack; sid:2030965; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dooptroop CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?num="; fast_pattern; content:"&rev="; distance:0; pcre:"/^\/[a-z]+\.php\?num=\d+&rev=/"; http.header_names; content:!"Referer"; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:command-and-control; sid:2014112; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Card Skimmer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".tags-manager.com"; endswith; fast_pattern; reference:url,blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-credit-card-form-to-steal-sensitive-data.html; classtype:domain-c2; sid:2031205; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2022_03_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Likely Shylock/URLzone/Gootkit/Zeus Panda C2)"; flow:established,from_server; tls.cert_subject; content:"O=MyCompany Ltd."; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2015560; rev:9; metadata:attack_target Client_and_Server, created_at 2012_08_02, deployment Perimeter, former_category MALWARE, malware_family URLZone, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_08_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer JavaScript Inbound"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"var SendFlag = []|3b 0a|function Base64Function(e) {|0d|"; startswith; fast_pattern; content:"|0a|function SendData(vals){|0a|"; distance:0; content:"var b = document.createElement|28 22|img|22 29 3b|b.width = |22|1px|22 3b|b.height = |22|1px|22 3b 20|b.id = img_id|3b|b.src = atob|28 22|"; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic gate .php GET with minimal headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad4045887298439f5a21700bdbc7a311; classtype:trojan-activity; sid:2022818; rev:4; metadata:created_at 2016_05_18, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UsefulTyphon CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image?i="; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; pcre:"/&u=[a-f0-9]{16}&p=/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,768c84100d6e3181a26fa50261129287; classtype:command-and-control; sid:2036502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Web App Scan in Progress"; flow:to_server,established; http.user_agent; content:"DirBuster"; depth:9; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:2008186; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UsefulTyphon CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".down"; fast_pattern; pcre:"/\/[a-f0-9]{16}\.down$/"; http.header_names; content:!"Referer"; reference:md5,768c84100d6e3181a26fa50261129287; classtype:command-and-control; sid:2036503; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TDSServ or Tidserv variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/crcmds/main"; nocase; reference:url,www.threatexpert.com/reports.aspx?find=%2Fcrcmds%2Fmain; reference:url,doc.emergingthreats.net/2008944; classtype:command-and-control; sid:2008944; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=z55gc.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cu.cc domain"; flow:established,to_server; http.host; content:".cu.cc"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:bad-unknown; sid:2013170; rev:6; metadata:created_at 2011_07_02, updated_at 2020_08_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Reporting Adfraud Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/data"; fast_pattern; pcre:"/\.php\/data$/"; http.request_body; content:"http|3a 2f 2f|"; offset:20; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cdfb7e5544c9aa49c17217fdfe04e854; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023293; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?resid="; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; classtype:command-and-control; sid:2021200; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot URI Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/catalog/"; fast_pattern; pcre:"/\/catalog\/\d{3,}$/"; http.header; content:!"nap.edu|0d 0a|"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:5; metadata:created_at 2014_10_17, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV checkin"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 7.1|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Accept"; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:command-and-control; sid:2016089; rev:6; metadata:created_at 2012_12_22, former_category MALWARE, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Anuna PHP Backdoor Attempt"; flow:established,to_server; flowbits:set,ET.Anuna.Backdoor; http.uri; content:".php?cookie=1"; fast_pattern; pcre:"/\.php\?cookie=1$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023305; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Ufasoft bitcoin Related User-Agent"; flow:established,to_server; http.user_agent; content:"Ufasoft"; depth:7; classtype:trojan-activity; sid:2013391; rev:6; metadata:created_at 2011_08_10, former_category TROJAN, updated_at 2020_08_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Aerial Keylogger DNS Request"; dns.query; content:"aerial-keylogger.com"; nocase; endswith; classtype:trojan-activity; sid:2030983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rerdom/Asprox CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/pkg/"; fast_pattern; pcre:"/^[A-Za-z0-9]{14,15}$/R"; reference:url,malware-traffic-analysis.net/2014/08/24/index.html; reference:url,www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf; classtype:command-and-control; sid:2019760; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Checkin"; flow:established,to_server; flowbits:set,et.citadel; http.method; content:"POST"; http.uri; content:"/file.php"; fast_pattern; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/"; http.header; content:"Content-Length|3a 20|128|0d 0a|"; nocase; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; depth:25; http.header_names; content:!"Referer"; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018598; rev:5; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_10_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall .onion Proxy Domain"; dns.query; content:"3wzn5p2yiumh7akj"; depth:16; nocase; reference:url,www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names; classtype:trojan-activity; sid:2022048; rev:3; metadata:created_at 2015_11_09, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20 70 6f 73 74 5f 65 78 61 6d 70 6c 65|"; fast_pattern; http.request_body; content:"=0x"; content:"|2c|0x"; distance:2; within:5; content:"|3c 62 72 3e|"; distance:0; reference:md5,ad2c80611ebc7f6d45bd3e46de38b776; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2023397; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_10_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious user agent (V32)"; flow:to_server,established; http.user_agent; content:"V"; depth:1; pcre:"/^\d{2}$/R"; classtype:trojan-activity; sid:2014090; rev:8; metadata:created_at 2011_06_07, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Tor Module Download"; flow:established,to_server; http.uri; content:"/tor/"; fast_pattern; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/i"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emold.C Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?v="; fast_pattern; content:"&rs="; distance:0; content:"&n="; distance:0; pcre:"/\.php\?v\x3d\d+?\x26rs\x3d(?:(?:\d+?\x2d){3})?\d+?\x26n\x3d\d/i"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; reference:md5,49205774f0ff7605c226828e080238f3; classtype:command-and-control; sid:2016251; rev:7; metadata:created_at 2011_10_19, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M1"; flow:to_server,established; urilen:1; content:"PP|3b 20|nhash="; fast_pattern; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|nhash="; distance:0; content:"|3b 20|chash="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023477; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer Checking For Update"; flow:established,to_server; http.uri; content:"/service/updater.php"; http.host; content:".smartiengine.com"; classtype:policy-violation; sid:2014123; rev:4; metadata:created_at 2012_01_12, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Moose CnC Response"; flow:from_server,established; content:"PP|3b 20|expires="; fast_pattern; http.stat_code; content:"200"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|expires="; distance:0; content:"WL="; content:"PP|3b 20|expires="; distance:0; http.content_type; content:"text/html"; startswith; file.data; content:"<html><body><h1>It works!</h1>"; nocase; depth:30; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023478; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jorik FakeAV GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/britix/a"; http.user_agent; content:"Internet Explorer"; classtype:trojan-activity; sid:2013807; rev:5; metadata:created_at 2011_10_31, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?id="; fast_pattern; pcre:"/\.jpg\?id=\d+$/"; http.header; content:!"tagesschau.de"; http.user_agent; content:!"ClipOrganizer"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2021203; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Scieron Retrieving Information"; flow:established,to_server; urilen:7; flowbits:set,ET.Trojan.Scieron.Ret; http.method; content:"GET"; http.uri; content:"/ip.txt"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; reference:md5,a36db258d0f6f085e8e5030d8e9a9bf4; classtype:trojan-activity; sid:2020296; rev:4; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/APT28/Sofacy Delphocy CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"as_q="; content:"as_ft="; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.welivesecurity.com/post_paper/en-route-with-sednit-part-3-a-mysterious-downloader/; classtype:targeted-activity; sid:2023486; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Sofacy, malware_family Sednit_Delphocy, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gulpix/PlugX Client Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"1|3a 20|"; content:"2|3a 20|"; distance:0; content:"3|3a 20|"; distance:0; pcre:"/^(?P<vname>[^\r\n\x3a]+)(?P<n1>[0-4])\x3a\x20\d+\r\n(?P=vname)(?P<n2>((?!(?P=n1))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?P<n3>((?!((?P=n1)|(?P=n2)))[0-4]))\x3a\x20\d+\r\n(?P=vname)(?:(?!((?P=n1)|(?P=n2)))[0-4])\x3a\x20\d+\r\n/m"; http.header_names; content:!"Referer"; reference:md5,663d7774b6727a070b558676cee9fe43; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html; classtype:trojan-activity; sid:2018169; rev:6; metadata:created_at 2014_02_21, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity check"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/support/main.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,3a128a9e8668c0181d214c20898f4a00; classtype:trojan-activity; sid:2018676; rev:6; metadata:created_at 2014_07_15, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-01-28"; flow:to_server,established; urilen:>82; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:"/counter/?id="; nocase; content:"&rnd="; nocase; pcre:"/\/counter\/\?id=[A-Z0-9_-]{60,}&rnd=\d{1,}$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,d5c5cc9cae2e9a7a2d3a77efcb526e4c; classtype:trojan-activity; sid:2022483; rev:7; metadata:created_at 2016_02_03, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fwlink/?LinkId="; fast_pattern; http.header; content:!"SOAPAction|3a|"; http.user_agent; content:!"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http.host; content:"go.microsoft.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,467b786f7c645c73d5c29347d35cae11; classtype:trojan-activity; sid:2022124; rev:8; metadata:created_at 2015_11_20, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum/"; pcre:"/^[0-9a-f]{32}\.php/R"; http.request_body; content:"Data="; fast_pattern; depth:5; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; classtype:command-and-control; sid:2014370; rev:5; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?shinu="; fast_pattern; pcre:"/\.php\?shinu=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023570; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"bn1="; depth:4; fast_pattern; content:"&sk1="; pcre:"/^[A-F0-9]{30}/R"; classtype:command-and-control; sid:2014218; rev:7; metadata:created_at 2012_02_10, former_category MALWARE, updated_at 2020_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE User-Agent (Visbot)"; flow:to_server,established; http.user_agent; content:"Visbot"; fast_pattern; startswith; reference:url,www.bleepingcomputer.com/news/security/visbot-malware-found-on-6-691-magento-online-stores/; classtype:trojan-activity; sid:2023575; rev:4; metadata:affected_product Magento, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, malware_family Visbot, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?cookie="; fast_pattern; content:"&type="; content:"&vid="; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3cd598e8e2fd033134d8784251eff59e; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021569; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin HTTP Pattern"; flow:to_server,established; http.method; content:"POST"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; fast_pattern; content:"www-form-urlencoded|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023577; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MSIE"; depth:4; http.host; content:!"www.msftncsi.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Click Fraud Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/link.txt?"; fast_pattern; pcre:"/^\/link\.txt\?[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{1,2}/"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; classtype:command-and-control; sid:2023669; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox.ClickFraudBot CnC Beacon"; flow:established,to_server; urilen:31; http.uri; content:"/b/eve/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{24}$/Ri"; reference:url,research.zscaler.com/2014/02/new-zbot-variant-goes-above-and-beyond.html; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/465-asprox-botnet-advertising-fraud-general-overview-1; reference:md5,df5ab239bdf09a8716cabbdfa1d6a724; classtype:command-and-control; sid:2018096; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Braincrypt Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?uuid="; fast_pattern; pcre:"/\.php\?uuid=[a-z0-9]{32}$/i"; http.user_agent; content:"Go-http-client/"; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,6b938ca31a55e743112ab34dc540a076; classtype:command-and-control; sid:2023675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Braincrypt, signature_severity Major, tag Ransomware, updated_at 2020_10_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/1/?"; fast_pattern; depth:4; isdataat:!2,relative; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1|3b 20|SV1)"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2015976; rev:4; metadata:created_at 2012_12_04, former_category MALWARE, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upd.php"; fast_pattern; endswith; http.header; pcre:"/^(?:Referer\x3a[^\r\n]+\r\n)?Host\x3a[^\r\n]+[\r\n]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020503; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Win32.Socks.s HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"proc=[System Process]|0a|"; depth:22; reference:url,doc.emergingthreats.net/2008020; classtype:trojan-activity; sid:2008020; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Strongpity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=7ea7494e71e9"; nocase; endswith; reference:md5,989af6e0bb7fa4d62815f4fdc4696b85; classtype:domain-c2; sid:2030982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Download Activity"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; bsize:10; file_data; content:"set OMYORANTICATO = createobject(|22|"; fast_pattern; reference:url,www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/; reference:md5,08828db7a600e573d5dd61315e3e2af1; classtype:trojan-activity; sid:2030701; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_18, deployment Perimeter, former_category MALWARE, malware_family GORGON, performance_impact Low, signature_severity Major, updated_at 2020_08_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Second Stage VBS Downloader with URL Padding"; flow:established,to_server; http.uri; content:".exe???????????????"; nocase; fast_pattern; pcre:"/\.exe\?+$/i"; http.user_agent; content:"WinHttp.WinHttpRequest."; reference:md5,57ce6f966c6b441fe82a211647c6e863; classtype:trojan-activity; sid:2023739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE GORGON APT Download Activity M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; bsize:10; file_data; content:"|24|X1=|27|GEX|27 2e|replace|28 27|G|27 2c 27|I|27 29 3b|sal|20|g|20 24|X1|3b|"; fast_pattern; reference:url,www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/; reference:md5,1cc6e550e2e414d143e835b0f5f53f41; classtype:trojan-activity; sid:2030706; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x32)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X32.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002843; classtype:attempted-dos; sid:2002843; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X64.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; within:4; content:"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; classtype:attempted-dos; sid:2003370; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?f="; fast_pattern; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; within:20; reference:cve,2005-3277; reference:bugtraq,15136; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; classtype:attempted-user; sid:2002852; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tonto_SPM Backdoor CnC Activity"; flow:to_server,established; http.uri; content:"spm=xx{}:>*()_!"; endswith; classtype:trojan-activity; sid:2030990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, signature_severity Major, updated_at 2020_10_08;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003250; classtype:attempted-admin; sid:2003250; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Variant CnC Beacon via WebDAV"; flow:established,to_server; http.uri; content:"/catalog/outgoing"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV-MiniRedir/"; startswith; reference:md5,f3459924f8b657359cb0bd0984a1d0fa; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:"<CPUI>"; content:"</CPUI><"; within:27; content:"<MEMI>"; content:"</MEMI><"; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; classtype:trojan-activity; sid:2009052; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH Retrieving Malicious PowerShell"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/pro.bat"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,97454efcab28e64ac5400e63780af764; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/; classtype:trojan-activity; sid:2023948; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2020_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|quem=dodoi&tit="; content:"&txt="; within:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - Evil Twitter Callback"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/api/asyncTwitter.php"; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
 
-#alert tcp any any -> $HOME_NET 3000 (msg:"ET DOS ntop Basic-Auth DOS inbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011511; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant Fake Request to Google"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/\?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.host; content:"google.com"; bsize:10; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023917; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, updated_at 2020_10_08;)
 
-#alert tcp $HOME_NET any -> any 3000 (msg:"ET DOS ntop Basic-Auth DOS outbound"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"/configNtop.html"; within:20; nocase; content:"Authorization|3a|"; nocase; content: "Basic"; within:20; content:"=="; within:100; reference:url,www.securityfocus.com/bid/36074; reference:url,www.securityfocus.com/archive/1/505862; reference:url,www.securityfocus.com/archive/1/505876; classtype:denial-of-service; sid:2011512; rev:2; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; http.uri; content:".php?cn"; content:"&str="; fast_pattern; content:"&file="; pcre:"/\.php\?cn(ame)?=/"; http.user_agent; content:"WinInetGet/"; depth:11; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016912; rev:7; metadata:created_at 2012_12_12, former_category MALWARE, updated_at 2020_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Banito/Agent.pb Pass Stealer Email Report Outbound"; flow:established,to_server; content:"Subject|3a| Vip Passw0rds|0d 0a 0d 0a|Victim Name |3a| "; content:"|0d 0a|######## ICQ PASSWORDS ########"; within:70; reference:url,doc.emergingthreats.net/2008551; classtype:trojan-activity; sid:2008551; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mutter Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.aspx?i="; fast_pattern; http.header; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/i"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:command-and-control; sid:2016773; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2020_10_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Shark Pass Stealer Email Report"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer "; content:"|0d 0a 0d 0a|Codesoft PW Stealer File "; distance:0; content:"filename=|22|"; distance:0; content:".log|22 0d 0a|"; within:20; reference:url,doc.emergingthreats.net/2007992; classtype:trojan-activity; sid:2007992; rev:4; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; fast_pattern; pcre:"/\.php\?file=(?:64|86)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024064; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, malware_family MagikPOS, performance_impact Low, signature_severity Major, tag POS, updated_at 2020_10_08;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; within:500; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; classtype:web-application-attack; sid:2003328; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/?act=in"; fast_pattern; pcre:"/\/api\/\?act=in$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, signature_severity Major, tag POS, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:2; metadata:created_at 2010_12_15, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (slimip .accesscam .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"slimip.accesscam.org"; bsize:20; fast_pattern; reference:url,blog.talosintelligence.com/2020/10/poetrat-update.html; classtype:domain-c2; sid:2030991; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
 
-alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:3; metadata:created_at 2010_12_22, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Directory Listting"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; startswith; content:"&usid="; distance:0; fast_pattern; content:"&part="; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:2; metadata:created_at 2010_12_23, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; http.uri; content:"/search?hl="; content:"q="; content:"meta="; fast_pattern; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/"; http.host; content:!"sogou.com"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category TROJAN, malware_family HIMAN, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:to_server,established; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:3; metadata:created_at 2010_12_23, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd="; content:"version="; content:"quality="; fast_pattern; content:"av="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2018580; rev:7; metadata:created_at 2014_06_18, former_category MALWARE, updated_at 2020_10_09;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino CC dump"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dumpgrab="; fast_pattern; content:"track_type="; content:"track_data="; content:"process_name="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:5; metadata:created_at 2015_01_05, former_category TROJAN, updated_at 2020_10_09;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:3; metadata:created_at 2011_01_06, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mang.bbk"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Moderate, signature_severity Major, updated_at 2020_10_09;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/png/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; classtype:web-application-attack; sid:2008315; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy Request Outbound"; flow:established,to_server; http.uri; content:"/?"; content:"&ai="; fast_pattern; content:!"&adurl="; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/"; http.user_agent; content:"Windows NT"; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2019545; rev:1238; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_10_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Betabot Checkin 5"; flow:established,to_server; http.uri; content:"/order.php"; fast_pattern; pcre:"/\.php$/"; http.request_body; pcre:"/(?:^|=)[A-F0-9]{70,}(?:$|&)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/gif/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; classtype:web-application-attack; sid:2008314; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Unknown Possibly Ransomware (Dropped by RIG) CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Accept|3a 20|*|0d 0a|"; fast_pattern; http.request_body; content:"|0a|"; offset:64; depth:1; pcre:"/^[A-Za-z0-9+/]{64}\x0a/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:md5,26b21902548e3b821387c90d729bace6; classtype:command-and-control; sid:2024233; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; within:70; classtype:bad-unknown; sid:2015578; rev:3; metadata:created_at 2012_08_07, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Abnormal HTTP Headers high likelihood of Poweliks infection"; flow:established,to_server; http.method; content:"GET"; http.header; content:"builddate|3a 20|"; fast_pattern; content:"version|3a 20|"; content:"id|3a 20|"; classtype:trojan-activity; sid:2019606; rev:6; metadata:created_at 2014_10_30, former_category TROJAN, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; http.host; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024298; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2020_10_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; within:50; classtype:exploit-kit; sid:2015788; rev:3; metadata:created_at 2012_10_10, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; http.host; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2020_10_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:5; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest/Vawtrak Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/viewforum.php?f="; fast_pattern; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/"; http.content_type; content:"application/octet-stream"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:5; metadata:created_at 2014_06_07, former_category CURRENT_EVENTS, updated_at 2020_10_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:9; metadata:created_at 2011_01_05, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Madness Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mk="; fast_pattern; content:"&rs="; content:"&rq="; content:"&ver="; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-zA-Z]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,f1ed53c4665d2893fd116a5b0297fc68; classtype:command-and-control; sid:2018028; rev:6; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2020_10_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; within:85; classtype:trojan-activity; sid:2017301; rev:3; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M1"; flow:established,to_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.uri; content:".sct"; nocase; fast_pattern; endswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1029; content:"|01 00 00 00|"; depth:4; content:!"|26|"; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:command-and-control; sid:2014601; rev:5; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"text/scriptlet"; nocase; fast_pattern; startswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET COINMINER PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; within:4; content:"Protominer"; distance:14; within:10; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:coin-mining; sid:2018014; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2020_08_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; content:"Content-Disposition|3a 20|"; nocase; content:".sct"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]*\.sct[\x22\x27\s\r\n]/mi"; classtype:trojan-activity; sid:2024552; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_11_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from"; nocase; fast_pattern; content:"application/octet-stream|3b|"; content:".bin"; within:100; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/HTA Downloader Behavior M3"; flow:to_server,established; http.uri; content:".php?cmd=p&id="; fast_pattern; content:"&rnd="; pcre:"/\.php\?cmd=p&id=\w+.*?&rnd=[\x2e\d]+$/i"; http.header_names; content:!"Referer"; reference:md5,d3abaa6736d7d549eca8644c67e9fcfe; classtype:trojan-activity; sid:2023485; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_07, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible  MS CMD Shell opened on local system 2"; dsize:<200; content:"Microsoft Windows "; depth:40; content:"[Version"; within:10; content:"Copyright (c) 2009"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2018392; rev:2; metadata:created_at 2014_04_16, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba Checkin 4"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|157"; nocase; fast_pattern; http.request_body; content:"|00 80 00 00 00|"; offset:24; depth:5; http.header_names; content:!"Content-Type"; nocase; content:!"Accept"; nocase; content:!"Referer:"; nocase; content:!"User-Agent|0d 0a|"; nocase; reference:md5,ade4d8f0447dac5a8edd14c3d44f410d; classtype:command-and-control; sid:2024659; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family Tinba, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trojan.Karagany C&C Response"; flow:from_server,established; file_data; content:"work|3a|"; depth:5; content:"|7c|downexec|20|"; within:20; content:".jpg|3b 0d 0a|"; distance:0; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf; classtype:command-and-control; sid:2018629; rev:3; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Andromeda File Request"; flow:established,to_server; http.uri; content:"myguy"; fast_pattern; pcre:"/myguy\.(?:xls(?:\.hta)?|exe)$/"; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference:cve,2017-0199; classtype:trojan-activity; sid:2024490; rev:5; metadata:created_at 2017_07_21, former_category TROJAN, updated_at 2020_10_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; content:"|0c 0d|disenart.info"; within:15; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_29, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan User-Agent (FileNolja)"; flow:established,to_server; http.user_agent; content:"FileNolja"; nocase; fast_pattern; classtype:trojan-activity; sid:2013376; rev:5; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_10_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; content:!"|00|"; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"|00 00 00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:command-and-control; sid:2014600; rev:7; metadata:created_at 2012_04_17, former_category MALWARE, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Book of Eli CnC Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header; content:"CharSet|3a 20|windows-1256|0d 0a|"; http.request_body; content:"id_serial="; depth:10; content:"&id_cpu="; content:"&go_and_fuck_this_life="; content:"&system__="; fast_pattern; content:"&hard_id="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,blog.eset.ie/2016/09/22/malware-in-libya-book-of-eli-african-targeted-attacks/; reference:md5,25e5744979b365dc58cce23d377b3835; reference:md5,d22857cebad4200c3b1e8ec17836b451; reference:url,www.virustotal.com/en/file/faa20341f7a7277114f5c61e5013b9871ab2b0356f383b6798013ce333a30ae5/analysis/; classtype:command-and-control; sid:2023254; rev:6; metadata:created_at 2013_05_17, former_category MALWARE, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ShellBot.C retrieval"; flow:from_server,established; file_data; content:"my $processo"; content:"my @adms="; distance:0; content:"my @canais="; distance:0; content:"|23|gh|30|sts"; within:10; reference:md5,3e44252394078c8fd792da1583525d0c; reference:url,pastebin.com/0dAciksC; reference:url,pastebin.com/C0arvGxU; classtype:trojan-activity; sid:2018953; rev:3; metadata:created_at 2014_08_19, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Invoice EXE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/invoice"; nocase; fast_pattern; pcre:"/\/invoice[^a-z\/]*?\.(?:exe|zip|7z|rar|com|vbs|ps1)$/i"; reference:md5,bdf12366779ce94178c2d1e495565d2b; classtype:trojan-activity; sid:2019158; rev:7; metadata:created_at 2014_09_11, former_category TROJAN, updated_at 2020_10_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet to Server"; flow:established,to_server; dsize:20; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; flowbits:set,ET.onlinegames.ajok; reference:url,doc.emergingthreats.net/2008291; classtype:command-and-control; sid:2008291; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kazy Checkin"; flow:established,to_server; urilen:65; http.uri; content:"AAA=="; endswith; fast_pattern; pcre:"/\/[\x2f\x2bA-Za-z0-9]{59}AAA==$/"; http.host; content:!"mvds1.org"; classtype:command-and-control; sid:2018401; rev:5; metadata:created_at 2014_04_18, former_category MALWARE, updated_at 2020_10_09;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Win32.Onlinegames.ajok CnC Packet from Server"; flow:established,from_server; flowbits:isset,ET.onlinegames.ajok; content:"|7e 7e 7e|"; depth:4; content:"|7e 7e 7e|"; within:4; reference:url,doc.emergingthreats.net/2008292; classtype:command-and-control; sid:2008292; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Checkin"; flow:to_server,established; http.uri; content:"/create.php?"; fast_pattern; pcre:"/^\/[^\x2f]+?\/create\.php\?[a-z0-9]+\x3d[a-z0-9\x5f\x2d]+?$/i"; http.host; content:!"maplelegends.com"; content:!"violinlab.com"; reference:url,welivesecurity.com/2014/05/20/miniduke-still-duking/; classtype:targeted-activity; sid:2018491; rev:7; metadata:created_at 2014_05_21, former_category MALWARE, updated_at 2020_10_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 f3 e5 76 ad 16 4c 88 ff|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019069; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"valor="; depth:6; content:"verde"; content:"branco"; content:"vermelho"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:command-and-control; sid:2018516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9a a1 97 0b 99 2b 46 07|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|03|GER"; distance:1; within:4; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019070; rev:3; metadata:attack_target Client_and_Server, created_at 2014_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Key|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; startswith; nocase; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:command-and-control; sid:2025381; rev:6; metadata:created_at 2015_11_24, former_category MALWARE, updated_at 2020_10_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:4; metadata:created_at 2010_12_27, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Download non Jar file"; flow:established,to_server; flowbits:set,ET.JavaNotJar; flowbits:noalert; http.uri; content:!".jar"; nocase; content:!".jnlp"; nocase; content:!".hpi"; nocase; http.user_agent; content:"Java/1."; fast_pattern; content:!"ArduinoIDE/"; classtype:bad-unknown; sid:2016539; rev:9; metadata:created_at 2013_03_06, former_category CURRENT_EVENTS, updated_at 2020_10_10;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b2 a7 52 d6 65 0d 28 9f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019108; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Spy/TVRat Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&stat="; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:command-and-control; sid:2021747; rev:12; metadata:created_at 2015_09_05, former_category MALWARE, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c9 c0 04 78 81 0c 5a 2d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019109; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/is-ready"; fast_pattern; nocase; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2013_08_28, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 15 14 ca 74 7c 3d 96|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019120; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SA Banker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?role="; fast_pattern; content:"&os="; content:"&bits="; content:"&av="; content:"&host="; content:"&plugins="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d42c4395cb4cfa3cd6c4798b8c5e493a; classtype:command-and-control; sid:2023424; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ed 11 bb c5 32 1e 9d 79|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019121; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mera Keylogger POSTing keystrokes"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/log/index.php"; fast_pattern; http.request_body; content:"text="; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,techhelplist.com/index.php/spam-list/695-financial-statement-malware; classtype:trojan-activity; sid:2019965; rev:5; metadata:created_at 2014_12_18, former_category TROJAN, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 bc 2a 7f f9 ef 67 4e ef|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019122; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoetRAT Upload via HTTP"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Max-Downloads|0d 0a|Max-Days|0d 0a|"; fast_pattern; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:command-and-control; sid:2031002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, malware_family PoetRat, performance_impact Moderate, signature_severity Major, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ea a5 72 6e 95 1a 1d 22|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2019135; rev:3; metadata:attack_target Client_and_Server, created_at 2014_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:web-application-attack; sid:2030996; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb 2d 8e ea 67 c4 08 ea|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019305; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Possible TA410 APT FlowCloud Dependency Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".DAT"; endswith; pcre:"/\/[A-Z0-9]{4,8}\/[A-Z0-9]{8}\.DAT$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:25; http.host.raw; content:"|3a|"; classtype:trojan-activity; sid:2036388; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2020_10_12;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8b 77 b3 d1 92 8c 7d 48|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edaaaa6527a6f42c96f27ce2e427cd39; classtype:trojan-activity; sid:2019306; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex DL Pattern Feb 18 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?."; fast_pattern; pcre:"/\.exe\?\.\d+$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022549; rev:6; metadata:created_at 2016_02_19, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyre SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b f5 c0 6b 03 3a 00 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,510b4db9aa400583e7927afa5f956179; classtype:trojan-activity; sid:2019307; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_09_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; http.method; content:"GET"; http.uri; content:".exe"; endswith; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:5; metadata:created_at 2015_04_17, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
 
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; within:50; content:!"|00|"; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:3; metadata:created_at 2010_12_14, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Lanfiltrator Checkin"; flow:established,to_server; http.uri; content:"/ralog.cgi?action="; nocase; fast_pattern; content:"&ip="; nocase; content:"&servertype="; nocase; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:command-and-control; sid:2009078; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FireEye.STX RAT Checkin"; flow:established,to_server; content:"GET /WinData.DLL?HELO-STX-1*"; depth:28; content:"$|0D 0A|"; within:40; reference:url,blog.fireeye.com/research/2012/04/spear-phished-by-fireeye.html; reference:md5,89217de164ffca0f0fed54a8003eb98f; classtype:command-and-control; sid:2014632; rev:3; metadata:created_at 2012_04_23, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE indux.php check-in"; flow:established,to_server; http.uri; content:"/indux.php?U="; nocase; fast_pattern; content:"@"; http.referer; content:"http|3a|//www.google.com"; nocase; bsize:21; classtype:trojan-activity; sid:2011387; rev:8; metadata:created_at 2010_09_28, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LinuxNet.perlbot Checkin Via IRC"; flow:to_server,established; content:"NICK|20 7c|GNU|7c 0a|"; depth:12; fast_pattern; content:"USER|20|GNU|20|"; within:9; pcre:"/(?:\d{1,3}\.){3}\d{1,3} (?:\d{1,3}\.){3}\d{1,3} \x3a(?:Linux|FreeBSD|SunOS)/R"; content:"|0a|JOIN|20|"; distance:0; classtype:command-and-control; sid:2019921; rev:3; metadata:created_at 2014_12_11, former_category MALWARE, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/products.php?"; fast_pattern; pcre:"/\.php\?[a-z]{15,}$/"; http.header; content:"Referer|3a|"; content:"/products.php|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024177; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, signature_severity Major, tag Felismus, tag c2, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle"; fast_pattern; content:"Driver"; within:12; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020530; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2015_02_24, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"new.odgarsupport.world"; nocase; endswith; classtype:domain-c2; sid:2028660; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_13;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:3; metadata:created_at 2015_03_03, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows-updates.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028662; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from Cisco ooh323"; flow:to_server,established; content:"|28 06|cisco|00|"; offset:14; depth:8; content:"|b8 00 00 27 05|ooh323|06|"; within:60; reference:url,videonationsltd.co.uk/2015/04/h-323-cisco-spam-calls/; classtype:misc-attack; sid:2021066; rev:2; metadata:created_at 2015_05_07, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows64x.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Activity (STD attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[STD]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022215; rev:3; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".firewallsupports.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Adobe_Coldfusion, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/STDbot CnC Activity (UNK attack)"; flow:established,to_server; content:"PRIVMSG|20|"; content:"|20 3a|[UNK]Hitting|20|"; fast_pattern; distance:0; content:"!|0a|"; within:40; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022216; rev:3; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".winx64-microsoft.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028665; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; within:40; classtype:social-engineering; sid:2023239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:22; content:"CN=superlatinradio.com"; fast_pattern; reference:md5,ce879fb552e7740bb2e940c65746aad2; classtype:domain-c2; sid:2028672; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; within:50; classtype:social-engineering; sid:2023557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; content:"CN=corpcougar.in"; endswith; fast_pattern; reference:md5,f7a490fcf756f9ddbaedc2441fbc3c0c; classtype:domain-c2; sid:2028673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M2"; flow:from_server,established; file_data; content:"|76 7e 72 20 7e 20 3d 20 22 22 3b 20 7e 20 2b 3d|"; within:17; content:"0."; distance:0; pcre:"/^\d+[\x22\x27]/R"; content:"|27 3b 20 7e 20 2b 3d 20 27|"; within:500; content:"|27 3b 20 7e 20 2b 3d 20 27|"; within:500; classtype:trojan-activity; sid:2023598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET MALWARE Downloader.Win32.Small CnC Beacon"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSDN SurfBear"; depth:13; endswith; reference:url,doc.emergingthreats.net/2011269; classtype:command-and-control; sid:2011269; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell Download"; flow:established,to_client; file_data; content:"eval"; content:"mcrypt_decrypt"; within:30; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017640; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2013_10_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; http.user_agent; content:"VERTEXNET"; depth:9; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:5; metadata:created_at 2011_03_31, former_category USER_AGENTS, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Crypto Coin Miner Login"; flow:to_server,established; content:"|7b 22|method|22 3a|"; depth:10; fast_pattern; content:"|22|login|22 2c|"; within:9; content:"|22|params|22 3a|"; within:10; content:"|7b 22|login"; nocase; within:8; content:"agent|22 3a|"; nocase; distance:0; reference:md5,d1082e445f932938366a449631b82946; reference:md5,33d7a82fe13c9737a103bcc4a21f9425; reference:md5,ebe1aeb5dd692b222f8cf964e7785a55; classtype:coin-mining; sid:2022886; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, performance_impact Low, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yandexbot Request Outbound"; flow:established,to_server; http.user_agent; content:"YandexBot"; depth:9; classtype:trojan-activity; sid:2013254; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Informational, tag WebCrawler, updated_at 2020_10_13, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Tinba Banker CnC Response"; flow:established,from_server; file_data; content:"|00 00 00 00 48 65 61 44|"; depth:8; fast_pattern; content:"|00 00|"; within:5; reference:md5,d360ee49950e7da3978379494667260c; classtype:command-and-control; sid:2024442; rev:4; metadata:created_at 2017_07_05, former_category MALWARE, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (MSDN Query Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&ac="; content:!"&refinement="; content:"/Search/en-US?query="; content:"&pgArea=header"; distance:150; endswith; content:!"."; pcre:"/^\/Search\/en-US\?query=[a-z]{200,400}&pgArea=header$/"; http.header; content:"|0d 0a|Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|"; fast_pattern; http.cookie; content:"MUID="; depth:5; content:"|3b|"; distance:32; within:1; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032747; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.Win32/Nitol.B Checkin"; flow:established,to_server; dsize:>1000; content:"|88 88 08 00|"; depth:4; fast_pattern; content:"|2E|"; distance:1; within:1; content:"|2F 73|"; distance:2; within:2; content:"|00 00 00 00 00 00 00 00|"; within:15; reference:md5,f078e099b1f8afc7c43eb05b4badf9e7; classtype:command-and-control; sid:2021111; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_16, deployment Perimeter, former_category MALWARE, malware_family Nitol_DDoS, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Data Exfil via Telegram"; flow:established,to_server; http.host; bsize:16; content:"api.telegram.org"; http.uri; content:"/sendMessage?chat_id="; content:"text=|0a|"; content:"|20 f0 9f|"; distance:0; content:"*|0a|Date|3a 20|"; distance:0; content:"|0a|System|3a 20|"; content:"|20|Bit)|0a|Username|3a 20|"; reference:md5,00171267979ca2e972336e751a5725b7; reference:url,github.com/LimerBoy/StormKitty; classtype:command-and-control; sid:2031009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Bladabindi/njRAT (HAMAD versions)"; flow:established,to_server; dsize:<200; content:"|00|"; depth:4; content:"HAMAD"; fast_pattern; within:10; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,cc18ad38eccdf096f0ac5840f380ef4f; classtype:trojan-activity; sid:2025074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Bladabindi, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; http.uri; content:"/envia.php"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; nocase; http.request_body; content:"praquem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:command-and-control; sid:2008256; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njRAT/Bladabindi Variant (Lime) CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|ll"; within:6; content:"TGltZV8"; within:30; fast_pattern; pcre:"/^[0-9]{2,3}\x00\x6c\x6c(?P<var>[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e][\x20-\x7e]+?[\x20-\x2f\x30-\x39\x3a-\x40\x5b-\x60\x7b-\x7e])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?P=var)[^\r\n]+(?P=var)$/s"; reference:md5,ce37b5b473377810bc76e0491533b4e7; classtype:command-and-control; sid:2025136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (??)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 3f 3f 0d 0a|"; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish M2 2016-10-27"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<script language=javascript>"; nocase; within:100; content:"window.location"; nocase; fast_pattern; within:200; classtype:credential-theft; sid:2032408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"|0d 0a|Request|3a 20|"; nocase; content:"run|0d 0a|"; within:5; http.uri; content:"/get?src="; nocase; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest"; nocase; depth:54; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Botnet Nitol.B Checkin"; flow:established,to_server,no_stream; dsize:<400; content:"|00 00 77 00 00 00|"; depth:30; fast_pattern; content:"MHz"; within:350; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:120; classtype:command-and-control; sid:2025135; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category MALWARE, malware_family nitol, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zentom FakeAV Checkin"; flow:established,to_server; http.uri; content:".php?prodclass="; fast_pattern; content:"&coid="; content:"&fff="; content:"&IP="; content:"&lct="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; classtype:command-and-control; sid:2013785; rev:5; metadata:created_at 2011_10_20, former_category MALWARE, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Credit Mutuel de Bretagne (FR) Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Cr|c3 a9|dit Mutuel de Bretagne"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B Connectivity check"; flow:from_client,established; http.method; content:"GET"; http.uri; content:"/search?qu="; fast_pattern; http.header; content:"Content-Length|3a 20|4|0D 0A|"; http.user_agent; content:"Firefox/2.0.0.2"; depth:15; endswith; http.host; content:"www.google.com"; distance:0; bsize:14; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; classtype:trojan-activity; sid:2014173; rev:5; metadata:created_at 2012_01_31, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; within:30; content:"|26 70 72 69 76 3d|"; within:20; content:"|26 63 72 65 64 3d|"; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:command-and-control; sid:2025408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, former_category MALWARE, malware_family FlawedAmmyy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; http.uri; content:".com.exe"; fast_pattern; http.user_agent; content:"GetRight/"; depth:9; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:command-and-control; sid:2014290; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Docusign Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"DocuSlgn"; nocase; within:10; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025476; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Graybird Checkin"; flow:to_server,established; http.uri; content:"/count.asp?mac="; content:"&os="; content:"&av="; http.user_agent; content:"Post"; depth:4; endswith; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:command-and-control; sid:2014365; rev:5; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Badoo Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Sign in to Badoo</title>"; fast_pattern; content:"<label for=|22|emaill"; distance:0; pcre:"/^\d{5,20}\x22/QR"; content:"<label for=|22|password"; pcre:"/^\d{5,20}\x22/QR"; content:">Password</label>"; within:40; content:">Sign me in!</span>"; distance:0; classtype:social-engineering; sid:2025870; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Banker.PWS POST Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"IDMAQUINA="; reference:url,doc.emergingthreats.net/2009127; classtype:command-and-control; sid:2009127; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING GitLab Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Sign in|20 c2 b7 20|GitLab</title>"; fast_pattern; content:"|20|action=|22|login.php|22 20|"; distance:0; content:"|20|name=|22|username|22 20|"; distance:0; content:"type=|22|password|22|"; distance:0; content:"|20|name=|22|password|22 20|"; within:17; classtype:social-engineering; sid:2025871; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos/Banker Info Stealer Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; nocase; http.request_body; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OilRig QUADAGENT DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|04|mail|06|"; distance:0; nocase; pcre:"/^\d{6}/Ri"; content:"|07|cpuproc|03|com|00|"; fast_pattern; within:13; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025894; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category TROJAN, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"guid="; nocase; content:"ver="; nocase; content:"stat="; nocase; content:"ie="; nocase; content:"os="; nocase; content:"ut="; nocase; content:"cpu="; nocase; fast_pattern; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; endswith; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; classtype:command-and-control; sid:2009550; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> any 22 (msg:"ET INFO Plaintext SSH Authentication Identified (Encryption set to None)"; flow:established,to_server; content:"|00 00 00|"; content:"|00 00 00|"; within:50; content:"|0e|ssh-connection|00 00 00 08|password|00 00 00 00|"; within:31; content:"|00 00 00 00 00 00 00 00 00|"; distance:0; reference:url,hamwan.org/Standards/Network%20Engineering/Authentication/SSH%20Without%20Encryption.html; classtype:attempted-user; sid:2026643; rev:3; metadata:attack_target Client_and_Server, created_at 2018_11_21, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"tipo="; reference:url,doc.emergingthreats.net/2007863; classtype:command-and-control; sid:2007863; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert smb $HOME_NET any -> $HOME_NET any (msg:"ET MALWARE Shamoon v3 32bit Propagating Internally via SMB"; flow:to_server,established; content:"|00 00 00 00 00 00|"; within:60; content:"MZ"; distance:2; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|41 8A 14 02 8B 45|"; distance:0; content:"|32 14 30 88 16 3B CB 72|"; distance:1; within:8; fast_pattern; reference:url,www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/new-version-of-disk-wiping-shamoon-disttrack-spotted-what-you-need-to-know; classtype:trojan-activity; sid:2026732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2018_12_14, deployment Perimeter, former_category TROJAN, malware_family Shamoon, performance_impact Low, signature_severity Major, tag SMB, tag Worm, tag Wiper, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; http.user_agent; content:"clk_jdfhid"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008399; classtype:command-and-control; sid:2008399; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Inbound PowerShell via Invoke-PSImage Stego"; flow:established,to_client; file_data; content:"|89 50 4e 47|"; depth:8; content:"c2FsIGEgTmV3LU9iamVjdDt"; within:75; fast_pattern; reference:url,github.com/peewpw/Invoke-PSImage/blob/master/Invoke-PSImage.ps1; classtype:trojan-activity; sid:2027085; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DMSpammer HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat"; content:".php"; pcre:"/\/stat\d+\.php/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; fast_pattern; http.request_body; content:"x|9c|"; reference:url,doc.emergingthreats.net/2008271; classtype:command-and-control; sid:2008271; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/DataMilk Stealer Communicating with CnC"; flow:established,to_server; content:"net|2e|tcp"; depth:15; content:"|2f|IModuleGetter"; within:40; fast_pattern; reference:url,app.any.run/tasks/f435d89d-30a5-465b-8a8d-b7a042665e0e; classtype:command-and-control; sid:2027112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, malware_family DataMilk, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (MzApp)"; flow:established,to_server; http.user_agent; content:"MzApp"; depth:5; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2009988; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP"; flow:established,from_server; content:"explorer.exe|20|"; nocase; content:"shell|3a 3a 3a 7b|"; within:20; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]\x7d/Ri"; classtype:trojan-activity; sid:2027201; rev:3; metadata:created_at 2019_04_15, former_category POLICY, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"mode="; content:"&PartID="; content:"&mac="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2007913; classtype:command-and-control; sid:2007913; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert tcp any any -> $HOME_NET 135 (msg:"ET RPC DCERPC SVCCTL - Remote Service Control Manager Access"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00|"; content:"|13 00 0d 81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; within:100; classtype:attempted-user; sid:2027237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category RPC, performance_impact Low, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; http.user_agent; content:"MSID ["; nocase; depth:6; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; within:12; fast_pattern; content:"|7d 7d 40|"; distance:0; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:4; metadata:attack_target SMTP_Server, created_at 2019_06_07, cve 2019_10149, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; http.user_agent; content:"IRC-U v"; depth:7; nocase; reference:url,doc.emergingthreats.net/2003647; classtype:trojan-activity; sid:2003647; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Template 1 Active - Malicious Outbound Email Spam"; flow:established,to_server; content:"Subject|3a 20|"; content:"Canada|20|Post"; within:80; content:"To|20|download|20|the|20|tracking|20|number"; distance:0; content:"in|20|the|20|zip|20|file.."; distance:0; fast_pattern; content:"Click|20|here|20|to|20|download|20|your|20|Tracking|20|Number"; distance:0; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:trojan-activity; sid:2027811; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category TROJAN, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&serial="; nocase; content:"ver="; nocase; http.user_agent; content:"WinInetHTTP"; depth:11; endswith; nocase; reference:md5,0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,doc.emergingthreats.net/2009804; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; classtype:trojan-activity; sid:2009804; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"routestring"; fast_pattern; content:"ajax"; within:100; content:"render"; within:9; content:"widget_php"; within:13; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; classtype:attempted-admin; sid:2028621; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV/Security Application Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?url="; nocase; content:"&affid="; fast_pattern; nocase; pcre:"/\?url=[0-9]&affid=[0-9]{5}/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows XP)"; depth:46; endswith; nocase; reference:url,doc.emergingthreats.net/2009554; classtype:command-and-control; sid:2009554; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; within:400; content:!"|22|"; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003326; classtype:attempted-admin; sid:2003326; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FraudLoad.aww HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/instlog/?"; nocase; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient"; depth:45; reference:url,doc.emergingthreats.net/2008322; classtype:command-and-control; sid:2008322; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; within:400; content:!"|27|"; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003327; classtype:attempted-admin; sid:2003327; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; reference:url,doc.emergingthreats.net/2009455; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WebHack Control Center User-Agent Inbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; content:"WHCC"; fast_pattern; nocase; within:50; pcre:"/User-Agent\:[^\n]+WHCC/i"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; classtype:trojan-activity; sid:2003924; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fruspam polling for IP likely infected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/automation/n09230945.asp"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|U|3b 20|Linux i686|3b 20|en-US|3b 20|rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0"; depth:85; endswith; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/MayhemBruter Checkin"; flow:established,to_server; content:"{|0a 20 20 22|id|22 3a 20 22|"; depth:11; fast_pattern; content:"|22 0a|}|00|"; within:36; endswith; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:command-and-control; sid:2022223; rev:3; metadata:created_at 2015_12_07, former_category MALWARE, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lost Door Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"subject=Lost|20|door|20|"; fast_pattern; content:"by|20|OussamiO"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008340; classtype:command-and-control; sid:2008340; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
 
-alert udp $EXTERNAL_NET any -> any 11211 (msg:"ET DOS Possible Memcached DDoS Amplification Query (set)"; content:"|00 00 00 00 00 01 00|"; depth:7; fast_pattern; content:"|0d 0a|"; within:20; endswith; threshold: type both, count 100, seconds 60, track by_dst; flowbits:set,ET.memcached.ddos; reference:url,blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/; classtype:attempted-dos; sid:2025401; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Server, created_at 2018_03_01, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mac User-Agent Typo INBOUND Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Macintosh|3b|"; depth:23; content:"(KHTML, like Geco,"; distance:0; fast_pattern; reference:url,doc.emergingthreats.net/2008955; classtype:trojan-activity; sid:2008955; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
 
-alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with TLS Security Protocol Requested"; flow:established,to_server; dsize:<30; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 01 00 00 00|"; within:15; fast_pattern; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel Downloader Request"; flow: established,to_server; http.uri; content:".php?id="; pcre:"/\.php\?id=[0-9a-f]{8}$/"; http.user_agent; content:"ie"; bsize:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T; reference:url,doc.emergingthreats.net/2010244; classtype:trojan-activity; sid:2010244; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
 
-alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested"; flow:established,to_server; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 00 00 00 00|"; within:15; fast_pattern; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poebot Related User Agent (SPM_ID=)"; flow:established,to_server; http.user_agent; content:"SPM_ID="; depth:7; nocase; reference:url,doc.emergingthreats.net/2006391; classtype:trojan-activity; sid:2006391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Powershell Trojan)"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 e6 05 e6 06 e6 17 3f|"; fast_pattern; reference:url,pastebin.com/7wYupkJL; reference:md5,4c5c9014f2d18f11ca62848876551323; classtype:domain-c2; sid:2023342; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_10_17, deployment Perimeter, former_category MALWARE, malware_family PowerShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3a|"; content:"X-Size|3a|"; content:"X-Sn|3a|"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b|SV1|3b |"; depth:54; endswith; classtype:trojan-activity; sid:2014231; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; http.request_body; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028825; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; http.uri; content:"/search"; content:"?h1="; fast_pattern; content:"&h2="; distance:0; content:"&h3="; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b|"; depth:24; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014174; rev:6; metadata:created_at 2012_01_31, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; content:"&widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028826; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fullstuff Initial Checkin"; flow:established,to_server; http.uri; content:"/version.txt?type="; content:"&GUID="; content:"&rfr="; content:"&bgn="; http.user_agent; content:"FULLSTUFF"; depth:9; classtype:command-and-control; sid:2013887; rev:5; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer CnC Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"pipka="; within:20; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028993; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (register machine)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/registraMaquina"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014952; rev:5; metadata:created_at 2012_06_23, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M1"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"authorizenet_cc_number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028994; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (update machine status)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/updMaqStatus"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014953; rev:5; metadata:created_at 2012_06_23, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M2"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"ctl00_PageContent_tbCardNumber"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028995; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 1"; flow:established,to_server; urilen:7; http.uri; content:"/plg3.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015458; rev:4; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M3"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"input-cc-number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028996; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 2"; flow:established,to_server; urilen:7; http.uri; content:"/ext1.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015459; rev:4; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M4"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"|27|cc_number|27|"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028997; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Playtech Downloader Online Gaming Checkin"; flow:to_server,established; http.uri; content:"/client_update_urls.php"; http.user_agent; content:"Playtech|20|"; depth:9; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:command-and-control; sid:2008365; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M5"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"paypal_direct_cc_number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028998; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; http.uri; content:"/data.asp?mydata="; content:"&uid="; content:"&state="; http.user_agent; content:"you"; depth:3; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:command-and-control; sid:2015632; rev:6; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M6"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"ECommerce_DF_paymentMethod_number"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2028999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|7.0|3b 20|Windows|20|NT|20|6"; startswith; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|DNT|0d 0a|Connection|0d 0a|"; startswith; content:"Referer|0d 0a|"; reference:md5,f4b00ffce71b197865071073dec5068d; classtype:trojan-activity; sid:2035077; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Pipka JS Skimmer - Skimmer Payload Observed M7"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|27|scriptId|27 3a 20 27|#script|27|"; content:"|27|gate|27 3a|"; within:100; content:"input|5b|id$=|7c|x27_CardNumber|7c|x27|5d|"; within:500; fast_pattern; reference:url,usa.visa.com/dam/VCOM/global/support-legal/documents/pfd-identifies-new-javascript-skimmer.pdf; classtype:command-and-control; sid:2029000; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Pipka, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Exfil via AnonFiles"; flow:established,to_server; http.start; content:"POST /upload?token=43a7df2f0395152e HTTP/1.1|0d 0a|Content-Type|3a 20|multipart/form-data|3b|"; startswith; fast_pattern; http.host; content:"api.anonfiles.com"; bsize:17; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:command-and-control; sid:2031020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer Data Exfil M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1&type=txt$/Rsi"; content:"=1&type=txt"; endswith; http.request_body; content:"---------------------- ["; startswith; fast_pattern; content:"] ----------------------"; within:40; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029147; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; isdataat:!1,relative; http.host; content:".000webhostapp.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2031013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_14;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerSploit/PowerView SMTP Data Exfil"; flow:established,to_server; content:"Subject|3a 20|DC|3a|"; content:"|20|PC|3a|"; within:10; content:"|20|SRV|3a|"; within:10; content:"|20|DA|3a|"; within:10; content:"|20|AV|3a|"; within:10; content:"Full report"; distance:0; content:"Domain"; distance:0; content:"Domain Admins"; distance:0; content:"Antivirus Software"; distance:0; fast_pattern; classtype:command-and-control; sid:2029276; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"6."; depth:2; pcre:"/^6\.[0-2]\x20\d\d\x3a\d\d\x20/i"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016433; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Group 21 Payload CnC Checkin"; flow:established,to_server; dsize:<400; content:"|3a 3a|MAC|3a 3a|"; startswith; content:"|3a 3a|HOSTNAME/USERNAME|3a 3a|"; within:100; fast_pattern; content:"|3a 3a|U-FILE|3a 3a|"; within:100; reference:md5,6a271282fe97322d49e9692891332ad7; classtype:trojan-activity; sid:2035061; rev:3; metadata:created_at 2020_01_16, former_category MALWARE, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"0"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016435; rev:7; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nexus Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"Mozilla"; http.request_body; content:"{"; startswith; content:"|7e 3b 5e 3b|Windows|20|"; within:50; fast_pattern; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; content:"|7e 3b 5e 3b|"; distance:0; http.header_names; content:!"Referer"; reference:md5,8bd8582155ef003b8a24d341d75f1d7f; classtype:command-and-control; sid:2029298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_21, deployment Perimeter, former_category MALWARE, malware_family Nexus, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"1"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016436; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code"; flow:established,to_client; file.data; content:"src="; nocase; content:"file|3a 2f 2f 2f 5c 5c|"; distance:0; nocase; fast_pattern; within:10; content:"|5f|C$|5f|"; nocase; within:50; content:"visibility|3a|"; nocase; within:50; content:"hidden"; within:8; content:"src="; pcre:"/^\s*[\x22\x27]\s*file\x3a\x2f\x2f\x2f\x5c\x5c[^\x20]+\x5cC\$\x5c\s*[\x22\x27]/Rsi"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:attempted-user; sid:2029329; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"2"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016437; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Powershell Downloader with Start-Process Inbound M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"new-object System.Net.WebClient"; nocase; fast_pattern; content:".DownloadFile("; distance:0; content:"Start-Process"; within:500; reference:md5,b510f48b9ac735a197093ad5fb99b0ee; classtype:bad-unknown; sid:2029339; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; http.uri; content:"?rands="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:command-and-control; sid:2016446; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sarwent Initial Checkin CnC Response"; flow:established,from_server; flowbits:isset,ET.sarwent.1; http.stat_code; content:"200"; http.response_body; content:"|20|IP|20|"; pcre:"/^[^\x20-\x7e\r\n]/R"; content:"|20 2e 20 2e 20 2e 20 2e 20 2e 20|"; within:50; content:"DNS-"; distance:0; pcre:"/^[^\x20-\x7e\r\n]/R"; content:"|20 2e 20 2e 20 2e 20 3a 20|"; distance:0; pcre:"/^(?:[a-f0-9]{2}-){5}[a-f0-9]{2}/R"; content:"|0d 0a 20 20 20|DHCP|20|"; within:10; fast_pattern; classtype:command-and-control; sid:2029475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_17, deployment Perimeter, former_category MALWARE, malware_family Sarwent, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WARP Win32/Barkiofork.A"; flow:established,to_server; http.uri; content:"/s/asp?"; fast_pattern; content:"p=1"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:4; metadata:created_at 2013_02_20, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer - Uploading System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&cc="; content:"&pc="; content:"&hash="; http.user_agent; content:"uploader"; bsize:8; http.header; content:"User-Agent|3a 20|uploader|0d 0a|"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"PK"; distance:0; http.header_names; content:!"Referer"; reference:md5,046dcdb20a8358faadc394e786820dd4; classtype:trojan-activity; sid:2034323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-DIV UA"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer Exelon|20|"; depth:35; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:command-and-control; sid:2016454; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound MonetizeUs/LNKR Struct"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"|28|function"; depth:50; content:"g=|22|"; distance:0; pcre:"/^[a-f0-9]{18}\x22/R"; content:"=|5b 22|mid=|22 2c 22|wid="; distance:0; fast_pattern; content:"|22|sid=|22 2c 22|tid="; within:30; content:"|22|rid="; distance:0; content:"monetizationsConfig|3a|"; distance:0; threshold:type limit, count 1, seconds 120, track by_src; reference:md5,0866447a440f1e01a391ccb1c0ab150d; classtype:command-and-control; sid:2029591; rev:2; metadata:affected_product Web_Browsers, created_at 2020_03_09, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; http.user_agent; content:"IPHONE"; depth:6; pcre:"/^IPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/i"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016461; rev:6; metadata:created_at 2011_06_28, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns any any -> $HOME_NET any (msg:"ET MALWARE MalDoc Retrieving msiexec Commands via DNS TXT"; content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"|00 10|"; distance:0; content:"msiexec|20 2f|"; within:40; fast_pattern; nocase; reference:md5,029e926243feed488754cd21a69b5528; classtype:trojan-activity; sid:2029607; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-RAVE UA"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; depth:33; endswith; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:command-and-control; sid:2016458; rev:5; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/TrojanDownloader.Agent.SEB Reporting Network Info"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"x="; depth:2; content:"&info="; within:10; content:"&an=["; distance:0; content:"] WAN "; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3d0471796957b847decd635942e6cd10; classtype:command-and-control; sid:2029625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO)"; flow:established,to_server; http.user_agent; content:"DEMO"; nocase; depth:4; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016886; rev:4; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF_BASHLITE.SMB Dropping Files"; flow:established,to_server; http.uri; content:"/.ni|67 67|ers/bin"; fast_pattern; content:".sh"; within:5; http.user_agent; content:"Wget/"; depth:5; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/; classtype:trojan-activity; sid:2019747; rev:5; metadata:created_at 2014_11_19, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP)"; flow:established,to_server; http.user_agent; content:"UPHTTP"; nocase; depth:6; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016887; rev:7; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT UCM6202 1.0.18.13 - Remote Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=sendPasswordEmail&user_name="; startswith; fast_pattern; content:"|27|"; within:40; content:"|60 3b 60|"; within:100; reference:url,www.exploit-db.com/exploits/48247; classtype:attempted-admin; sid:2030206; rev:2; metadata:created_at 2020_05_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sv="; fast_pattern; content:"&tq="; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/i"; http.user_agent; content:"chrome/9.0"; depth:10; classtype:command-and-control; sid:2013795; rev:11; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Konni Encrypted Stage 2 Payload Inbound via HTTP"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MhyTiDJJJJ"; startswith; content:"JJJJJJJLeJJJJJJJJJJeI4"; within:150; fast_pattern; reference:md5,d41b09aa32633d77a8856dae33b3d7b9; classtype:command-and-control; sid:2030220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Konni, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Blackbeard Downloader"; flow:established,to_server; http.uri; content:"/load"; content:"p="; content:"&t="; pcre:"/[\?&]p=\d&t=\d(&|$)/"; http.user_agent; content:"IE"; depth:2; endswith; fast_pattern; reference:md5,2f6f13eced7fce495168059530246d77; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018110; rev:7; metadata:created_at 2014_01_23, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Godzilla Loader Base64 Filename"; flow:from_server,established; http.stat_code; content:"200"; http.cookie; content:"|47 4f 44 5a 49 4c 4c 41|"; file.data; content:"<div style=|22|display|3a|none|22 20|id=|22|"; depth:30; fast_pattern; pcre:"/^(?P<id>[a-z])\x22\sname=\x22(?P=id)\x22>[a-zA-Z0-9+/=]{28}/Rsi"; content:"</div>"; within:6; classtype:trojan-activity; sid:2022594; rev:5; metadata:created_at 2016_03_05, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Ping"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/history/"; fast_pattern; depth:9; content:".asp"; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Outbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030520; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot PUT File Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/docs/name="; fast_pattern; depth:11; pcre:"/^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018549; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
 
-#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP GET Request on Port 53 Inbound"; flow:established,to_server; content:"GET|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030521; rev:2; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Command Status Message"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tech/s.asp?m="; fast_pattern; depth:14; pcre:"/^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018548; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
 
-#alert tcp $HOME_NET any -> any 53 (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Outbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; within:50; classtype:bad-unknown; sid:2030522; rev:3; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Initial Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manage/asp/item.asp?id="; fast_pattern; depth:24; pcre:"/^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018550; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
 
-#alert tcp any 53 -> [$HOME_NET,$HTTP_SERVERS,$DNS_SERVERS] any (msg:"ET INFO Suspicious HTTP POST Request on Port 53 Inbound"; flow:established,to_server; content:"POST|20|"; startswith; content:"|20|HTTP|2f|"; within:50; fast_pattern; classtype:bad-unknown; sid:2030523; rev:3; metadata:affected_product Windows_DNS_server, created_at 2020_07_15, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Data Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/article/30441/Review.asp?id="; fast_pattern; depth:29; pcre:"/^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018551; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Compound Refresh - Possible Phishing Redirect 2016-06-09"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta HTTP-Equiv="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; content:"URL="; nocase; within:10; content:"text/javascript"; nocase; distance:0; content:"self.location.replace"; fast_pattern; nocase; distance:0; content:"window.location"; nocase; within:30; classtype:social-engineering; sid:2032388; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XPSecurityCenter FakeAV Checkin"; flow:to_server,established; http.uri; content:"/XPSecurityCenter/"; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:md5,1c5eb2ea27210cf19c6ab24b7cc104b9; classtype:command-and-control; sid:2018761; rev:5; metadata:created_at 2012_07_14, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT SAP NetWeaver AS Directory Traversal Attempt Inbound (CVE-2020-6286)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<soapenv"; startswith; content:"<sessionID>"; distance:0; content:"../../../"; within:10; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; reference:cve,2020-6286; classtype:attempted-user; sid:2030549; rev:2; metadata:created_at 2020_07_16, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.DF Checkin"; flow:to_server,established; urilen:7; http.uri; content:"/ip.txt"; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:command-and-control; sid:2018762; rev:5; metadata:created_at 2012_07_14, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-03-17"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:30; content:"URL=data|3a|text/html|3b|base64,"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2027899; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 1.1.2150)"; depth:69; endswith; fast_pattern; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:8; metadata:created_at 2012_05_29, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Office 365 Phishing Landing 2016-08-24"; flow:established,from_server; threshold:type limit, track by_src, count 1, seconds 30; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; within:50; classtype:social-engineering; sid:2025673; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Rivest)"; flow:established,to_server; http.user_agent; content:"Rivest"; depth:6; endswith; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:4; metadata:created_at 2015_01_13, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - JS Redirect to PDF 2016-08-24"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script>"; nocase; content:"window.location.href"; nocase; distance:0; fast_pattern; content:".pdf"; nocase; distance:0; content:"</script>"; nocase; within:30; classtype:credential-theft; sid:2032402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"spShopId="; content:"&spShopPaymentId="; fast_pattern; distance:0; content:"&spCurrency="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish 2016-10-27"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script type=|22|text/javascript|22|>"; nocase; within:50; content:"window.location"; nocase; fast_pattern; within:30; classtype:credential-theft; sid:2032407; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"action=showPaymentForm&"; fast_pattern; content:"psAgreement="; distance:0; content:"&paymentSystemId="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Email Settings Phish 2016-10-28"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<html><head><base target=|22|_blank|22|>"; depth:34; content:"Your report has been received"; nocase; distance:0; fast_pattern; content:"you will be notified once"; nocase; within:30; content:"problem is resolved"; nocase; within:30; content:"<br>----------------<br>"; nocase; distance:0; classtype:credential-theft; sid:2032409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xoxofuck.cyou"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; within:50; content:"incoming emails"; nocase; within:50; content:"error in your SSL settings"; nocase; distance:0; classtype:social-engineering; sid:2025687; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"locker_ver="; fast_pattern; content:"&i_firstboot="; distance:0; content:"&harddiskserial="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:command-and-control; sid:2020829; rev:4; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Wembail Phish M2 2016-11-18"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>validationOK"; nocase; fast_pattern; content:"Process completed"; nocase; within:50; content:"previous Mail"; nocase; within:50; classtype:credential-theft; sid:2032412; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 Fake Mozilla UA"; flow:established,to_server; http.user_agent; content:"Moziea/"; depth:7; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020901; rev:4; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/NR42 Bot Parsing Config From Webpage"; flow:established,from_server; threshold:type both, track by_src, count 60, seconds 60; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<sendusername>"; fast_pattern; content:"</sendusername>"; within:30; content:"<guser>"; distance:0; content:"</guser>"; distance:0; content:"<files>"; distance:0; content:"</files>"; distance:0; content:"<cmdua>"; distance:0; content:"</cmdua>"; distance:0; content:"<cmdkmt>"; distance:0; reference:md5,32730022593ebd2c93126d34bc60b654; classtype:trojan-activity; sid:2024182; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flathommy.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] JS.Trojan-Downloader.Nemucod.yo HTTP POST (:Exec:)"; flow: established, to_server; threshold:type limit, track by_src, count 1, seconds 30; http.request_body; content:"|3a 3a 3a|Exec|3a 3a 3a|http"; depth:40; fast_pattern; content:"|3a|//"; within:4; content:".exe|3a 3a|"; within:100; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_12, deployment Internet, former_category TROJAN, malware_family Nemucod, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"minishtab.cyou"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031023; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoalaBot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"User-Agent|3a|"; content:"KAMA NT"; within:50; fast_pattern; content:"BULLET|3b|"; within:20; content:"REGION|3b|"; within:20; http.request_body; pcre:"/^[A-Za-z0-9]{10,}[\-\)\(]{1,2}/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,523de838dd44cdd6f212d36c142d830c; classtype:command-and-control; sid:2024531; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category MALWARE, malware_family CoalaBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Fake UA CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 |"; depth:69; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020925; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022597; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FormerFirstRAT HTTP POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"|3a|443|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322)"; depth:69; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020926; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/xml.xml"; nocase; http_uri; content:"<request"; nocase; http_client_body; content:"<key "; nocase; http_client_body; reference:cve,2006-0230; reference:bugtraq,17637; reference:url,doc.emergingthreats.net/bin/view/Main/2002896; classtype:attempted-recon; sid:2002896; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ldrpeset.casa"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
 
-#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50; classtype:trojan-activity; sid:2011541; rev:5; metadata:created_at 2010_09_27, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?"; content:"localip="; distance:0; content:"&macaddr="; distance:0; content:"&program="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; fast_pattern; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase; pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?program="; content:"&q="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:trojan-activity; sid:2021101; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_20;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"smalleryurta.club"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda User-Agent"; flow:established,to_server; http.header; content:!"Host|3a 20|iecvlist.microsoft.com"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|29 |"; depth:158; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020380; rev:5; metadata:created_at 2015_02_06, updated_at 2020_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013142; rev:4; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2020_08_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS Fake User-Agent"; flow:established,to_server; http.user_agent; content:"UserAgent|3a|Mozilla/5.0(Windows|20|"; depth:30; fast_pattern; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030361; rev:4; metadata:created_at 2016_06_03, former_category MALWARE, updated_at 2020_10_15;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; pcre:"/^\/[A-Za-z0-9-_]{30,}\/$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 |"; depth:46; endswith; http.request_body; content:"RECV"; depth:4; fast_pattern; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:command-and-control; sid:2019841; rev:5; metadata:created_at 2014_12_03, former_category MALWARE, updated_at 2020_10_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103091; rev:6; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious UA Mozilla / 4.0"; flow:to_server,established; http.host; content:!"captive.apple.com"; endswith; content:!".google.com"; endswith; http.user_agent; content:"Mozilla / 4.0"; nocase; bsize:13; classtype:trojan-activity; sid:2013964; rev:6; metadata:created_at 2011_11_23, updated_at 2020_10_15;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:13; metadata:created_at 2010_09_23, updated_at 2022_03_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Xmaker)"; flow:to_server,established; http.user_agent; content:"Xmaker"; depth:6; reference:url,www.pcapanalysis.com/tag/trickster-google-drive-malware-trojan-pcap-file-download-traffic-sample/; classtype:trojan-activity; sid:2023746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:command-and-control; sid:2009297; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; http.user_agent; content:"build"; depth:5; pcre:"/^build\d/"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; http_client_body; content:"&affid="; http_client_body; content:"="; http_client_body; content:"&subid="; http_client_body; content:"=="; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:command-and-control; sid:2008442; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; http.user_agent; content:"Rescue/9.11"; depth:11; reference:url,doc.emergingthreats.net/2003645; classtype:trojan-activity; sid:2003645; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST"; nocase; http_method; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"r="; http_client_body; content:"&i="; http_client_body; content:"&v="; http_client_body; content:"&os="; http_client_body; content:"&s="; http_client_body; content:"&h="; http_client_body; content:"&d="; http_client_body; content:"&panic"; http_client_body; content:"&ie="; http_client_body; content:"&input="; http_client_body; content:"&c="; http_client_body; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; classtype:trojan-activity; sid:2008443; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Ms)"; flow:established,to_server; http.user_agent; content:"Ms"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; classtype:trojan-activity; sid:2003933; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&hAssunto=infect-"; http_client_body; content:"&hCorpo="; http_client_body; content:"&hPara="; http_client_body; reference:url,doc.emergingthreats.net/2008984; classtype:trojan-activity; sid:2008984; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; http.user_agent; content:"ExampleDL"; depth:9; reference:url,doc.emergingthreats.net/2004440; classtype:trojan-activity; sid:2004440; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Knockbot Proxy Response From Controller (empty command)"; flow:established,from_server; content:"|0d 0a 0d 0a|command|7c|"; nocase; reference:url,www.malwaredomainlist.com/mdl.php?search=knock.php; reference:url,doc.emergingthreats.net/2010788; classtype:trojan-activity; sid:2010788; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Mz)"; flow:established,to_server; http.user_agent; content:"Mz"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP"; flow:established,to_client; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"EnableExecuteProtectionSupport"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012777; rev:6; metadata:created_at 2011_05_03, former_category POLICY, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; http.user_agent; content:"Ismazo"; nocase; depth:6; reference:url,doc.emergingthreats.net/2007633; classtype:trojan-activity; sid:2007633; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyEye Checkin version 1.3.25 or later 3"; flow:established,to_server; content:"POST"; http_method; nocase; content:"data=mIqWm8"; http_client_body; depth:11; classtype:command-and-control; sid:2014428; rev:7; metadata:created_at 2012_03_26, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; http.user_agent; content:"WINDOWS_LOADS"; depth:13; reference:url,doc.emergingthreats.net/2007699; classtype:trojan-activity; sid:2007699; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_26, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windoss NT"; depth:45; fast_pattern; reference:url,doc.emergingthreats.net/2007742; classtype:trojan-activity; sid:2007742; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; http_client_body; depth:9; fast_pattern; content:"%3D%0D%0A"; http_client_body; offset:109; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:command-and-control; sid:2014347; rev:6; metadata:created_at 2012_03_09, former_category MALWARE, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neonaby.com Related Trojan User-Agent (neonabyupdate)"; flow:established,to_server; http.user_agent; content:"neonabyupdate"; depth:13; endswith; nocase; reference:url,doc.emergingthreats.net/2007825; classtype:trojan-activity; sid:2007825; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX  Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kpang.com Related Trojan User-Agent (alertup)"; flow:established,to_server; http.user_agent; content:"alertup"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007849; classtype:trojan-activity; sid:2007849; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; http.user_agent; content:"Yhrbg"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007912; classtype:trojan-activity; sid:2007912; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 1"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/"; urilen:1; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.google.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:85; fast_pattern; content:"PREF=ID="; http_cookie; depth:8; classtype:trojan-activity; sid:2013349; rev:5; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; http.user_agent; content:"Digital"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2007923; classtype:trojan-activity; sid:2007923; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 2"; flow:to_server,established; content:"GET"; content:"/whois/usgoodluck.com"; http_uri; fast_pattern:only; urilen:21; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.whois-search.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; depth:91; classtype:trojan-activity; sid:2013350; rev:4; metadata:created_at 2011_08_04, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; http.user_agent; content:"downloaded"; depth:10; endswith; nocase; reference:url,doc.emergingthreats.net/2007924; classtype:trojan-activity; sid:2007924; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential  Buffer Overflow Attempt 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_01, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; http.user_agent; content:"wnames"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2007925; classtype:trojan-activity; sid:2007925; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO EXE - OSX Executable Download - Multi Arch w/Intel"; flow:established,to_client; content:"|0d 0a 0d 0a CA FE BA BE|"; content:"|CE FA ED FE|"; distance:0; content:"__TEXT"; distance:0; classtype:misc-activity; sid:2014514; rev:8; metadata:created_at 2012_04_06, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keypack.co.kr Related Trojan User-Agent Detected"; flow:established,to_server; http.user_agent; content:"keypack"; depth:7; reference:url,doc.emergingthreats.net/2008339; classtype:trojan-activity; sid:2008339; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"|5c|xa2|5c|xa2HttpClient"; depth:18; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Response"; flow:established; content:"|00 01 00 01|stdapi_"; offset:11; depth:11; classtype:successful-user; sid:2014532; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow:established,to_server; http.user_agent; content:"AV1"; depth:3; endswith; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:11; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter core_channel_* Command Request"; flow:established; content:"|00 01 00 01|core_channel_"; offset:12; depth:17; classtype:successful-user; sid:2014531; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (NOPE)"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369; reference:url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734; classtype:trojan-activity; sid:2013702; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Metasploit Meterpreter stdapi_* Command Request"; flow:established; content:"|00 01 00 01|stdapi_"; offset:12; depth:11; classtype:successful-user; sid:2014530; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot)"; flow:to_server,established; http.user_agent; content:"Aldi Bot"; nocase; depth:8; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013747; rev:7; metadata:created_at 2011_09_24, former_category USER_AGENTS, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:20; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1-|20|"; depth:56; fast_pattern; reference:url,doc.emergingthreats.net/2010868; classtype:bad-unknown; sid:2010868; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keylogger Pro Update Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<root><clnt>"; http_client_body; content:"</clnt><code>CheckUpdate</code>"; http_client_body; nocase; fast_pattern; pcre:"/<root><clnt>\d{8}-\d{4}-\d{4}-\d{4}-[0-9A-F]{12}</clnt><code>CheckUpdate</code>/P"; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009533; classtype:trojan-activity; sid:2009533; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Steal0r"; flow:established,to_server; http.uri; content:"info=Steam|20|Steal0r|20|"; fast_pattern; content:"&acc="; content:"&pw="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008360; classtype:trojan-activity; sid:2008360; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virusremover2008.com Checkin"; flow:to_server,established; http.method; content:"GET"; depth:3; nocase; http.uri; content:"?action="; nocase; content:"pc_id="; nocase; content:"abbr="; http.user_agent; content:"Statistican"; depth:11; reference:url,doc.emergingthreats.net/2008527; classtype:command-and-control; sid:2008527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock User-Agent Detected"; flow:established,to_server; http.user_agent; content:"xSock Config"; depth:12; nocase; reference:url,doc.emergingthreats.net/2007609; classtype:trojan-activity; sid:2007609; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
 
-#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.pt User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Machaon"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007663; classtype:trojan-activity; sid:2007663; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2014105; rev:5; metadata:created_at 2012_01_10, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/9.28 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009474; classtype:trojan-activity; sid:2009474; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:command-and-control; sid:2013440; rev:7; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/8.81 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009525; classtype:trojan-activity; sid:2009525; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:16; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus Dropper Infection - /loads.php"; flow:established,to_server; http.uri; content:"/loads.php"; content:"?r="; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; http.host; content:"knocker"; startswith; reference:url,doc.emergingthreats.net/2009213; classtype:trojan-activity; sid:2009213; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DriveBy, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; http.user_agent; content:"VIP20"; depth:5; nocase; reference:url,doc.emergingthreats.net/2008156; classtype:trojan-activity; sid:2008156; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:26; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Related msndown"; flow:established,to_server; http.user_agent; content:"msndown"; depth:7; endswith; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; classtype:trojan-activity; sid:2012221; rev:5; metadata:created_at 2011_01_22, former_category USER_AGENTS, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"Asynchronous WinHTTP"; http_user_agent; depth:20; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:command-and-control; sid:2015753; rev:4; metadata:created_at 2012_10_01, former_category MALWARE, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Hostname"; dns.query; bsize:>30; content:"61643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}6164(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){5,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server; content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:20; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Number of Queries"; dns.query; bsize:>30; content:"63643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6364(?:3[0-9]){4}\d{1,3}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_28, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Initial Hello Beacon"; dns.query; bsize:>30; content:"64643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6464(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:".definition|28|"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:20; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Finished Sending Results"; dns.query; bsize:>30; content:"66643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6664(?:3[0-9]){4}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:12; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Getting CnC Data"; dns.query; bsize:>30; content:"68643"; offset:5; depth:5; content:"31303"; distance:7; within:5; content:"|2e|"; distance:1; within:1; pcre:"/^[a-zA-Z0-9]{5}6864(?:3[0-9]){4}31303[0-9]\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2015922; rev:7; metadata:created_at 2012_11_24, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Command Results"; dns.query; bsize:>30; content:"72643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}7264(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){10,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028671; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:command-and-control; sid:2014014; rev:7; metadata:created_at 2011_12_09, former_category MALWARE, updated_at 2022_03_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Request Command Beacon"; dns.query; bsize:>30; content:"71643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}7164(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028674; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:exploit-kit; sid:2017547; rev:4; metadata:created_at 2013_10_01, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent (securityinternet)"; flow:established,to_server; http.user_agent; content:"securityinternet"; depth:16; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; fast_pattern:only; nocase; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:command-and-control; sid:2010565; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (Winlogon)"; flow:established,to_server; http.user_agent; content:"Winlogon"; depth:8; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:20; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; http.user_agent; content:"internetsecurity"; depth:16; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern; distance:0; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017075; rev:6; metadata:created_at 2013_06_28, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Goolbot.E Checkin UA Detected iamx"; flow:established,to_server; http.user_agent; content:"iamx/"; depth:5; classtype:trojan-activity; sid:2012246; rev:7; metadata:created_at 2011_01_27, former_category USER_AGENTS, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|"; distance:0; classtype:trojan-activity; sid:2017962; rev:5; metadata:created_at 2014_01_13, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JEUSD CnC Domain Observed in DNS Query"; dns.query; content:"beastgoc.com"; nocase; endswith; classtype:domain-c2; sid:2031622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Kuluoz.B CnC 3"; flow:from_server,established; file_data; content:"c=rdl&u="; depth:8; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,96255178f15033362c81fb6d9b9c3ce4; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2015904; rev:7; metadata:created_at 2012_09_25, former_category MALWARE, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"stopsms.biz"; nocase; endswith; classtype:domain-c2; sid:2028817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase; content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:5; metadata:created_at 2013_07_24, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"infospress.com"; nocase; endswith; classtype:domain-c2; sid:2028818; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; fast_pattern; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"hmizat.co"; nocase; endswith; classtype:domain-c2; sid:2028819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 1"; flow:established,to_server; dsize:51; content:"|03 00 30 01 01 00|"; fast_pattern; depth:6; flowbits:set,ET.Tesch; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018478; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"revolution-news.co"; nocase; endswith; classtype:domain-c2; sid:2028820; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:11; metadata:created_at 2010_07_30, updated_at 2021_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"videos-download.co"; nocase; endswith; classtype:domain-c2; sid:2028821; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.software; content:"libssh2_"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:4; metadata:created_at 2014_07_17, updated_at 2021_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"business-today.info"; nocase; endswith; classtype:domain-c2; sid:2028822; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; classtype:trojan-activity; sid:2011991; rev:4; metadata:created_at 2010_12_01, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda Payload - CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?wd="; pcre:"/^[a-f0-9]{8}$/Ri"; http.header_names; content:"x-debug"; content:"x-request"; content:"x-content"; content:"x-storage"; reference:url,www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations; classtype:command-and-control; sid:2028823; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV CryptMEN pack.exe Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| attachment|3b| filename="; content:"|22|pack.exe|22|"; classtype:trojan-activity; sid:2012208; rev:6; metadata:created_at 2011_01_21, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT MustangPanda CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Adobe Reader"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=Adobe Reader"; tls.cert_serial; content:"62:CA:BE:68"; classtype:domain-c2; sid:2028824; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MustangPanda, updated_at 2020_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV Gemini softupdate*.exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=softupdate"; classtype:trojan-activity; sid:2012227; rev:7; metadata:created_at 2011_01_24, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"xp101.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKEAV download (AntiSpyWareSetup.exe)"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=AntiSpy"; nocase; content:"etup.exe"; nocase; classtype:trojan-activity; sid:2012318; rev:7; metadata:created_at 2011_02_18, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"svn-dns.ahnlabinc.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028839; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinese Bootkit Checkin"; flow:established,to_server; content:".aspx"; http_uri; content:"a=Windows"; nocase; http_uri; content:"&b="; http_uri; content:"&c="; http_uri; content:"&f="; http_uri; content:"&k="; pcre:"/c=[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}-[a-z0-9]{2}/iU"; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:command-and-control; sid:2012631; rev:6; metadata:created_at 2011_04_05, former_category MALWARE, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"dns1-1.7release.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028840; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE USPS Spam/Trojan Executable Download"; flow:from_server,established; content:"filename=USPS_Invoice"; content:".exe"; within:32; reference:url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235; classtype:trojan-activity; sid:2013770; rev:6; metadata:created_at 2011_10_12, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"ssl.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028841; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; content:!"|03|cnc"; distance:1; within:4; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_line; content:"/log HTTP/1."; distance:0; fast_pattern; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:command-and-control; sid:2016014; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows netstat Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Active Connections|0d|"; content:"Proto"; content:"Local Address"; content:"Foreign Address"; content:"State"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019003; rev:3; metadata:created_at 2014_08_26, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/b.php?id="; fast_pattern; pcre:"/^\d{1,3}$/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:command-and-control; sid:2013947; rev:6; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=carlossaldanhacertificado"; bsize:28; fast_pattern; tls.cert_issuer; content:"CN=carlossaldanhacertificado"; bsize:28; classtype:domain-c2; sid:2031059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET HUNTING Suspicious Quotation Mark Usage in FTP Username"; flow:established,to_server; content:"USER "; depth:5; content:"|22|"; distance:0; pcre:"/^USER [^\r\n]*?\x22/"; reference:url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html; classtype:bad-unknown; sid:2011488; rev:3; metadata:created_at 2010_09_29, former_category FTP, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=PatataDorito"; bsize:15; fast_pattern; tls.cert_issuer; content:"CN=PatataDorito"; bsize:15; classtype:domain-c2; sid:2031060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:exploit-kit; sid:2019643; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (bollywoods .co .in in DNS Lookup)"; dns.query; content:"bollywoods.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data; content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:exploit-kit; sid:2019751; rev:7; metadata:created_at 2014_11_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chat2hire .net in DNS Lookup)"; dns.query; content:"chat2hire.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT_KIT Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:exploit-kit; sid:2019770; rev:6; metadata:created_at 2014_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chuki .mozillaupdates .us in DNS Lookup)"; dns.query; content:"chuki.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:7; metadata:created_at 2015_01_20, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (click2chat .org in DNS Lookup)"; dns.query; content:"click2chat.org"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015501; rev:7; metadata:created_at 2012_07_21, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (cvstyler .co .in in DNS Lookup)"; dns.query; content:"cvstyler.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U"; classtype:exploit-kit; sid:2016279; rev:7; metadata:created_at 2013_01_25, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (daily .windowsupdates .eu in DNS Lookup)"; dns.query; content:"daily.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:7; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (dailybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"dailybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (enigma .net .in in DNS Lookup)"; dns.query; content:"enigma.net.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; http_raw_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gozap .co .in in DNS Lookup)"; dns.query; content:"gozap.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:3; metadata:created_at 2015_03_24, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gyzu .mozillaupdates .us in DNS Lookup)"; dns.query; content:"gyzu.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; nocase; fast_pattern; pcre:"/^\d{1,6}\x00msg\x7c/i"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:command-and-control; sid:2019216; rev:4; metadata:created_at 2014_09_23, former_category MALWARE, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (melodymate .co .in in DNS Lookup)"; dns.query; content:"melodymate.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:exploit-kit; sid:2022869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nortonupdates .online in DNS Lookup)"; dns.query; content:".nortonupdates.online"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightly .windowsupdates .eu in DNS Lookup)"; dns.query; content:"nightly.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightlybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"nightlybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (orangevault .net in DNS Lookup)"; dns.query; content:"orangevault.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M4"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:2; metadata:created_at 2016_06_30, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sake .mozillaupdates .us in DNS Lookup)"; dns.query; content:"sake.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs"; content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag CVE_2016_0189, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (savitabhabi .co .in in DNS Lookup)"; dns.query; content:"savitabhabi.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs"; content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sharify .co .in in DNS Lookup)"; dns.query; content:"sharify.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|12|do.tntcentral.mobi"; fast_pattern:only; tls.fingerprint:"75:02:e5:5d:eb:4d:19:b9:6e:a9:61:26:34:82:4b:2f:b6:ad:96:6d"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018760; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (strongbox .in in DNS Lookup)"; dns.query; content:"strongbox.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (ZeuS MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|15|daznukhurebkolsek.net"; distance:1; within:22; tls.fingerprint:"b6:d7:85:2a:e1:ca:32:5f:77:28:d4:64:12:44:8b:01:41:94:0b:c9"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018807; rev:5; metadata:attack_target Client_and_Server, created_at 2014_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (teraspace .co .in in DNS Lookup)"; dns.query; content:"teraspace.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak MITM)"; flow:established,from_server; content:"|55 04 03|"; content:"|14|expert-256bitssl.com"; distance:1; within:21; tls.fingerprint:"ca:2e:43:5b:b8:83:60:81:ff:a6:1c:90:2d:b0:5a:4e:0e:11:c7:8f"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018913; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (titaniumx .co .in in DNS Lookup)"; dns.query; content:"titaniumx.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2)"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; content:"|19|siefrra1967ga@outlook.com"; distance:1; within:26; tls.fingerprint:"b5:ff:48:e0:d2:15:2e:04:83:f1:8d:50:60:41:46:7a:55:d1:fb:a8"; reference:url,sslbl.abuse.ch; reference:md5,7832ac3ad8275695b8051ab70432e161; classtype:domain-c2; sid:2018917; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (msoftserver .eu in DNS Lookup)"; dns.query; content:".msoftserver.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre C2)"; flow:established,from_server; content:"|55 04 07|"; content:"|05|miami"; distance:1; within:6; content:"|55 04 03|"; distance:0; content:"|0c|94.23.236.54"; distance:1; within:13; tls.fingerprint:"b2:ca:f5:a1:82:79:c1:cb:10:da:17:4c:58:1a:71:38:ff:8b:0c:f2"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2018940; rev:4; metadata:attack_target Client_and_Server, created_at 2014_08_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_01_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (microsoftupdate .in in DNS Lookup)"; dns.query; content:".microsoftupdate.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (wesharex .net in DNS Lookup)"; dns.query; content:"wesharex.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (x-trust .net in DNS Lookup)"; dns.query; content:"x-trust.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:exploit-kit; sid:2023200; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_13, deployment Perimeter, malware_family RIG, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (zen .mozillaupdates .us in DNS Lookup)"; dns.query; content:"zen.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Route Table"; content:"Active Routes|3a|"; fast_pattern; content:"Network Destination"; content:"Netmask"; content:"Gateway"; content:"Interface"; content:"Metric"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019082; rev:3; metadata:created_at 2014_08_28, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GravityRAT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"signatureHash="; fast_pattern; content:"signatureString="; content:"userName="; content:"pcName="; content:"macId="; content:"cpuId="; content:"agent="; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:command-and-control; sid:2031061; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, signature_severity Major, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enosch.A gtalk connectivity check"; flow:to_server; http.uri; content:"/index.html"; http.user_agent; content:"gtalk"; fast_pattern; bsize:5; http.host; content:"www.google.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,b13db8b21289971b3c88866d202fad49; classtype:trojan-activity; sid:2018508; rev:5; metadata:created_at 2014_05_30, updated_at 2020_10_19;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Dojos Downloader Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"|3a 3a|"; content:"|3a 3a 2f 2e|"; distance:0; fast_pattern; reference:md5,be75ac1d9f26bee3cfdc7bdd977c0cdd; classtype:trojan-activity; sid:2035025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_22, cve CVE_2015_0016, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/php.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; http.user_agent; content:"Mozilla/4.0 (compatible)"; depth:24; reference:md5,cb53a6e8d65d86076fc0c94dac62aa77; classtype:command-and-control; sid:2019946; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=jspri.co"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028835; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cssjs.co"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028836; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"acciaio.com.br"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:domain-c2; sid:2028843; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"ceycarb.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028844; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"coachandcook.at"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028845; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"fisioterapiabb.it"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:3; metadata:created_at 2014_06_13, former_category CURRENT_EVENTS, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"lorriratzlaff.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:exploit-kit; sid:2023307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, malware_family EvilTDS, malware_family EITest, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"mavin21c.dothome.co.kr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028848; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:exploit-kit; sid:2023473; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, malware_family DNSEK, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"motherlodebulldogclub.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"powerpolymerindustry.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert tcp any 445 -> $HOME_NET any (msg:"ET DOS Excessive Large Tree Connect Response"; flow:from_server,established; byte_test:  3,>,1000,1; content: "|fe 53 4d 42 40 00|"; offset: 4; depth: 6; content: "|03 00|"; offset: 16; depth:2; reference:url,isc.sans.edu/forums/diary/Windows+SMBv3+Denial+of+Service+Proof+of+Concept+0+Day+Exploit/22029/; classtype:attempted-dos; sid:2023831; rev:3; metadata:affected_product SMBv3, attack_target Client_and_Server, created_at 2017_02_03, deployment Datacenter, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"publiccouncil.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase; content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:3; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"rulourialuminiu.co.uk"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET MALWARE IRC Private message on non-standard port"; flow:to_server,established; dsize:<128; content:"PRIVMSG "; depth:8; content:!".twitch.tv"; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000347; classtype:trojan-activity; sid:2000347; rev:17; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"sistemikan.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA DDoS Handshake Success"; dsize:6; flow:established,to_server; content:"|18 17 e9 e9 e9 e9|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:2024382; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"varuhusmc.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028854; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert tcp any any -> any any (msg:"ET MALWARE DPRK HIDDEN COBRA Botnet C2 Host Beacon"; flow:established,to_server; content:"|1b 17 e9 e9 e9 e9|"; depth:6; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:command-and-control; sid:2024383; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"ecolesndmessines.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:3; metadata:attack_target IoT, created_at 2017_06_16, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"salesappliances.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert"; flow:established,to_client; content:"|30 82|"; depth:300; content:"|a0 03 02 01 02 02|"; distance:6; within:6; content:"|63 50 61 6e 65 6c 2c 20 49 6e 63|"; distance:60; within:120; fast_pattern; flowbits:set,FB346039_0; flowbits:noalert; classtype:command-and-control; sid:2024772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Upatre, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"busseylawoffice.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"fairfieldsch.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING s0m3 Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"href=|22|s0m3/"; nocase; content:"href=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; classtype:social-engineering; sid:2025477; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"ministernetwork.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:!"[Adblock Plus"; depth:13; content:"/in.cgi?"; distance:0; flowbits:isnotset,ET.opera.adblock; classtype:exploit-kit; sid:2014545; rev:8; metadata:created_at 2012_04_12, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"skagenyoga.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028860; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"src=|22|signin_files/"; nocase; distance:0; content:"href=|22|signin_files/"; nocase; distance:0; classtype:social-engineering; sid:2026048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"westmedicalgroup.net"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028861; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)"; flow:from_server,established; dsize:11; content:"DOWNLOAD1|0d 0a|"; depth:11; reference:md5,f45991556122b07d501fa995bd4e74a7; classtype:command-and-control; sid:2025651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LiteDuke Domain Observed"; dns.query; content:"bandabonga.fr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028862; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable base64 encoded"; flow: established,from_server; file_data; content:"TVqQA"; pcre:"/^[A-Za-z0-9]{3}(?:[A-Za-z0-9+/]{4}|\s){100}/Rs"; pcre:"/[^A-Za-z0-9+/]TVqQA/"; reference:md5,49aca228674651cba776be727bdb7e60; classtype:trojan-activity; sid:2018856; rev:12; metadata:created_at 2014_07_31, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"encryptit.qc.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET ADWARE_PUP [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; classtype:pup-activity; sid:2024793; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecure.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; classtype:web-application-attack; sid:2008789; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; endswith; classtype:trojan-activity; sid:2024214; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"privatehd.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028874; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:exploit-kit; sid:2017023; rev:7; metadata:created_at 2013_06_18, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"sex17.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:exploit-kit; sid:2016498; rev:11; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|0B 87 06 53 DF 3A|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028876; rev:2; metadata:created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Office Doc CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/im"; http_uri; content:"g"; distance:0; http_uri; content:".php?id="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:"MSOffice"; http_header; content:!"Outlook"; http_header; pcre:"/\/im(?:age|g)\.php\?id=\d+$/U"; reference:md5,27cd0a3db18fbb6d316fb4542c3a51f3; classtype:command-and-control; sid:2020860; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|5C 99 13 6F F2 52|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028877; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:social-engineering; sid:2023742; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, malware_family EITest, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkRAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"request=YUhkcFpEM"; depth:17; fast_pattern; pcre:"/^[A-Za-z0-9\/\+\=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:command-and-control; sid:2027886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_20;)
 
-alert udp any any -> $HOME_NET 50000 (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:3; metadata:attack_target Client_and_Server, created_at 2017_06_12, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=.extrafeature.xyz"; nocase; endswith; reference:md5,9d479cec86ea919694dab765bba9abbd; classtype:domain-c2; sid:2028893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_06, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Scriptlet Invoking Powershell Likely Malicious"; flow:established,from_server; file_data; content:"WScript.shell"; nocase; fast_pattern; content:"ActiveXObject"; nocase; content:"<registration"; nocase; distance:0; content:"progid"; distance:0; nocase; content:"<script"; nocase; distance:0; content:"<![CDATA["; nocase; distance:0; pcre:"/^.{1,1000}p(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?o(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?w(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?r(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?s(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?h(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?e(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?(?:\^(?:[\x22\x27]\s*[\x26\x2b]\s*[\x22\x27])?)?l/Rsi"; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024549; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework"; flow:established,to_server; http.uri; pcre:"/\.(?:txt|gif|exe|bmp)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32|29|"; depth:41; http.header_names; content:!"Referer"; content:!"Accept"; content:"|0d 0a|User-Agent|0d 0a|HOST|0d 0a|"; depth:20; fast_pattern; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020897; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_10_20;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL Over FTP"; flow:established,from_server; content:"process.start"; nocase; fast_pattern; content:"<service"; nocase; pcre:"/^(?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*[\x22\x27](?:(?!<\/service>).)+?<soap\x3a\s*address[^>]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Critical, updated_at 2020_08_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE R980/CRYPBEE.A Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/assets/timepicker/x.php?"; fast_pattern; http.user_agent; content:"cpp"; depth:3; reference:md5,a38e156b5c7b337ffbde6cc1ddab1004; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/; classtype:trojan-activity; sid:2023085; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_10_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 1"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:".run"; nocase; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackTech Plead Encrypted Payload Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|91 00 13 87 33 00 90 06 19|"; fast_pattern; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:trojan-activity; sid:2027364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn.redirectme.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028898; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious UA (Windows)"; flow:established,to_server; http.user_agent; content:"Windows"; bsize:7; http.header; content:"User-Agent|3a 20|Windows|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028879; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"czinfo.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028899; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.BrowserStealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/^(?:-[0-9]+|[A-F0-9]{32})=1$/Rsi"; content:"=1"; endswith; http.request_body; content:"ping|7c|"; bsize:5; fast_pattern; http.header_names; content:!"Referer"; reference:md5,32642964fff0c97179d75086f515f5fe; classtype:command-and-control; sid:2029145; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"pegasusco.net"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028900; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.QQPass.OZV Variant Checkin"; flow:established,to_server; http.uri; content:"/cpa"; content:".asp?mac="; distance:2; within:9; content:"&os="; distance:0; content:"&ip="; distance:0; content:"&dz="; distance:0; content:"&ver="; distance:0; reference:md5,12ff8df1941f941bab531f60a5a97556; classtype:command-and-control; sid:2029244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"smilekeepers.co"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028901; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"kulkarni.bounceme.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"crabbedly.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"byfleur.myftp.org"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"indagator.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"dynamics.ddnsking.com"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029414; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"craypot.live"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"accountsx.bounceme.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029415; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"microsofte-update.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"invoke.ml"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"pasta58.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"vvavesltd.servebeer.com"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029417; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"study---hard.medianewsonline.com"; nocase; endswith; classtype:domain-c2; sid:2028921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"capitana.onthewifi.com"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029418; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"sportsgame.mypressonline.com"; nocase; endswith; classtype:domain-c2; sid:2028922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT40/Dadstache Related DNS Lookup"; dns.query; content:"thestar.serveblog.net"; nocase; isdataat:!1,relative; reference:url,www.mycert.org.my/portal/advisory?id=MA-774.022020; classtype:targeted-activity; sid:2029419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"cdnpps.us"; nocase; endswith; classtype:domain-c2; sid:2028924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Glitch.me Phishing Domain"; dns.query; content:".glitch.me"; nocase; isdataat:!1,relative; pcre:"/^[a-z]+\-[a-z]+\-[a-z0-9]{8,11}\.glitch\.me$/"; classtype:trojan-activity; sid:2029493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"thisadsfor.us"; nocase; endswith; classtype:domain-c2; sid:2028925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage2 CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gen/actual_domain_my.php?pck="; startswith; fast_pattern; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029498; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?token="; fast_pattern; content:"&computername="; distance:0; content:"&username="; distance:0; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031072; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adv,/cgi-bin/weblogin.cgi?username="; startswith; fast_pattern; content:"|27 3b|"; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029616; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?api=40"; fast_pattern; endswith; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031073; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, tag RedDelta, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adv,/cgi-bin/weblogin.cgi"; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"|27 3b|"; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029617; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; reference:url,twitter.com/malwrhunterteam/status/1318904041590718469; reference:md5,45ed8898bead32070cf1eb25640b414c; classtype:domain-c2; sid:2031069; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mdm/client/v1/mdmLogUploader?udid=si|5c|..|5c|..|5c|..|5c|webapps|5c|DesktopCentral|5c|_chart&filename="; startswith; fast_pattern; http.request_body; content:"|ac ed 00 05 73 72 00 17 6a 61 76 61 2e 75 74 69 6c 2e 50 72 69 6f 72 69 74 79 51 75 65 75 65 94|"; startswith; reference:url,twitter.com/steventseeley/status/1235635108498948096; reference:cve,2020-10189; reference:url,www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html; classtype:attempted-admin; sid:2029618; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_12, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"0E:4D:5A:5C:F8:C9"; classtype:domain-c2; sid:2028926; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipstack .com)"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"api.ipstack.com"; fast_pattern; http.uri; content:"?access_key="; classtype:external-ip-check; sid:2029694; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity CnC Domain Observed in DNS Query"; dns.query; content:"upd32-secure-serv4.com"; nocase; endswith; classtype:trojan-activity; sid:2028927; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (explorersvc)"; flow:established,to_server; http.user_agent; bsize:11; content:"explorersvc"; classtype:bad-unknown; sid:2029749; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer IP Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=getIP"; fast_pattern; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (KtulhuBrowser)"; flow:established,to_server; http.user_agent; bsize:13; content:"KtulhuBrowser"; nocase; classtype:bad-unknown; sid:2029750; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Screenshot Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|screenshot_"; content:".jpeg|22|"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
 
-#alert udp $HOME_NET 1234 -> $EXTERNAL_NET any (msg:"ET MALWARE NAZAR EYService File exfiltrate response"; id:1; content:"---"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030057; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Systeminfo Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|system.info|22|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www. netikus .net)"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"www.netikus.net"; fast_pattern; http.uri; bsize:13; content:"/show_ip.html"; classtype:external-ip-check; sid:2030187; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptInject.BE!MTB Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logs=ey"; startswith; fast_pattern; isdataat:10000,relative; http.header_names; content:!"Referer"; reference:md5,644b45001c0e0af1c0a208ffad79e316; classtype:command-and-control; sid:2028932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SmailMax PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"SmailMax SMTP Mailer</title>"; fast_pattern; content:"SERVER SETUP</font>"; content:"SMTP Login:</font>"; classtype:web-application-attack; sid:2030227; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Critical, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Connectivity Check"; flow:established,to_server; urilen:15; http.method; content:"HEAD"; http.uri; content:"/view/index.php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SmailMax PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"SmailMax SMTP Mailer</title>"; fast_pattern; content:"SERVER SETUP</font>"; content:"SMTP Login:</font>"; classtype:web-application-attack; sid:2030228; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_28, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view/index.php?id="; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.3.5 CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=njgGCEgbkXQIgexSr"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html; classtype:command-and-control; sid:2030314; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo.NG Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"versiya="; fast_pattern; content:"comp="; content:"id="; http.header_names; content:!"Referer"; reference:md5,a7183477c46a767a72caebee066dce39; classtype:command-and-control; sid:2034344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_29, deployment Perimeter, former_category MALWARE, malware_family Stealer, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage M2"; flow:established,to_server; content:"|0d 0a 0d 0a|"; distance:0; byte_extract:1,4,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/R"; http.host; pcre:"/^(?=[a-z0-9]{0,19}[A-Z])(?:(?=[A-Z0-9]{0,19}[a-z])|(?=[A-Za-z]{0,19}\d)|(?=[A-Z]+\.))[a-zA-Z0-9]{3,20}[\x2e\x20][a-z]{2,3}$/"; http.start; content:"POST / HTTP/1.1|0d 0a|"; depth:17; fast_pattern; reference:md5,148112df459ba40b9127f7d4f1c08df2; classtype:trojan-activity; sid:2020825; rev:8; metadata:created_at 2015_04_01, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsme.info"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028944; rev:2; metadata:attack_target Client_and_Server, created_at 2019_11_05, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)"; flow:to_server,established; http.uri; content:"/kerbynet?"; nocase; fast_pattern; content:"Action="; nocase; content:"Section="; nocase; reference:cve,2019-12725; reference:url,isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/; classtype:attempted-admin; sid:2030597; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"|3b 20|Win64|3b 20|x64|3b 20|rv|3a|42.0"; http.header; content:"AcceptanceID|3a|"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag PLATINUM, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Check Accessed on External Server"; flow:established,to_client; file.data; content:"Check  Mailling ..<br>"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030063; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-set.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028961; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matiex Keylogger Exfil Via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; content:"|20|Matiex|20|Keylogger|20|"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|document|22 3b 20|filename=|22|MatiexPasswords.txt|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1289205457559547910; reference:md5,1275d29213c2580894371739beb16148; classtype:command-and-control; sid:2030633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-office.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028962; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"signon_form="; depth:12; nocase; content:"trusteeCompatible="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"card-nickname="; nocase; distance:0; fast_pattern; content:"enter_sol="; nocase; distance:0; classtype:credential-theft; sid:2024326; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; fast_pattern; http.request_body; content:"<?xml"; depth:5; content:"<PCName>"; distance:0; content:"<|2f|PCName>"; distance:0; content:!"<SiteID>"; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:command-and-control; sid:2027353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_10_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [401TRG] DropBox Access via API (SNI)"; flow:established,to_server; tls.sni; content:"content.dropboxapi.com"; nocase; reference:url,github.com/dropbox/dbxcli; classtype:policy-violation; sid:2030702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Extraction"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=exe"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_11_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [401TRG] DropBox Access via API (Certificate)"; flow:established,from_server; tls.cert_subject; content:"CN=content.dropboxapi.com"; reference:url,github.com/dropbox/dbxcli; classtype:policy-violation; sid:2030703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Informational, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=run"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028965; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2020-08-19"; flow:established,to_client; file.data; content:"opener.location = gourl|3b|"; content:"onbeforeunload=function()"; distance:0; content:"Press ESC, to close this page!"; distance:0; content:"Scanning... <strong>Folders"; distance:0; fast_pattern; content:"Scanning... <strong>Documents"; distance:0; content:"Scanning... <strong>System Files"; distance:0; classtype:social-engineering; sid:2030704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Minor, updated_at 2020_08_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2020-08-19"; flow:established,to_client; file.data; content:"<strong>VIRUS ALERT FROM MICROSOFT"; fast_pattern; content:"<b>This computer is BLOCKED"; distance:0; content:"<strong>Microsoft Security"; distance:0; classtype:social-engineering; sid:2030705; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Minor, updated_at 2020_08_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible APT33 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dyn-intl.world-careers.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT33, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; tls.cert_subject; content:"CN=*.onion."; nocase; pcre:"/^(?:sh|lu|to)/Ri"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"office-crash.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028969; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/main.php"; fast_pattern; http.request_body; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/s"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; byte_test:0,>=,100,0,string,dec; http.header_names; content:!"Referer"; reference:md5,b06d9dd17c69ed2ae75d9e40b2631b42; classtype:command-and-control; sid:2022538; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls.cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO NetSupport Remote Admin Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NetSupport Manager"; depth:18; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035892; rev:4; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asd.stylesheet.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029004; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; http.user_agent; content:"libwww-perl/"; depth:12; nocase; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:5; metadata:created_at 2011_06_14, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (lol)"; flow:established,to_client; tls.cert_subject; content:", O=lol, "; fast_pattern; tls.cert_issuer; content:", O=lol, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031133; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY possible Xiaomi phone data leakage HTTP"; flow:to_server,established; http.host; content:"api.account.xiaomi.com"; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018919; rev:4; metadata:created_at 2014_08_11, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarSys CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /login.php "; startswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"; bsize:114; fast_pattern; http.request_body; content:"id="; nocase; startswith; pcre:"/^[A-F0-9]{128}$/R"; reference:url,blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/; classtype:command-and-control; sid:2031070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; tls.cert_subject; content:"LogMeIn, Inc."; fast_pattern; content:"join.me"; classtype:policy-violation; sid:2022551; rev:4; metadata:created_at 2016_02_22, updated_at 2020_08_20;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity"; flow:established,to_client; dsize:41; content:"|00 27 00 00 00 01 00 00 00 15 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 65 73 6b 74 6f 70 00 00 00 05 2a 2e 74 78 74 05|"; fast_pattern; reference:url,twitter.com/executemalware/status/1318689700882821120; reference:md5,aac706fe42b4a03cac17330bfcd8d9ea; classtype:trojan-activity; sid:2031074; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible IP Check api.ipify.org"; flow:established,from_server; tls.cert_subject; content:"CN=api.ipify.org"; classtype:policy-violation; sid:2019512; rev:4; metadata:created_at 2014_10_27, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible T-RAT Encrypted Zip Request M1"; flow:established,to_server; http.uri; content:".jpg"; offset:7; depth:4; http.accept; content:"*/*"; bsize:3; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20 2e|NET4.0C|3b 20 2e|NET4.0E|3b 20 2e|NET CLR 2.0.50727|3b 20 2e|NET CLR 3.0.30729|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.3)"; bsize:162; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1304006897729761280; reference:url,www.gdatasoftware.com/blog/trat-control-via-smartphone; classtype:command-and-control; sid:2031081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Havex Checkin"; flow:established,to_server; http.uri; content:".php?id="; fast_pattern; pcre:"/^\d{30}\w{6}-\d{2}-\d{3}-\d{9}$/R"; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/64-bit-version-of-havex-spotted/; classtype:command-and-control; sid:2020083; rev:4; metadata:created_at 2014_12_30, former_category MALWARE, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ID|22 3a 22|"; startswith; content:"|22 2c 22|User|22 3a 22|"; content:"|22 2c 22|Country|22 3a 22|"; content:"|22 2c 22|Date|22 3a 22|"; content:"|22 2c 22|Image|22 3a|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030878; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M2"; flow:established,from_server; tls.cert_serial; content:"0A:E1:E6:BD:51:FB:3D:8F:06:BE:0D:B5:5E:BD:E9:DF"; classtype:policy-violation; sid:2024786; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/pause"; bsize:10; http.header; content:"Update|3a 20|/act/pause|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,1c3dde885aa3cc2d7c24b7e13cccc941; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031084; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.top domain"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.host; content:".top"; fast_pattern; pcre:"/^(\x3a\d{1,5})?$/R"; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023882; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/resume"; bsize:11; http.header; content:"Update|3a 20|/act/resume|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031085; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"USER"; nocase; pcre:"/SELECT[^a-z]+USER/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2010963; classtype:web-application-attack; sid:2010963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=generalmusician.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"76:DC:D7:09:68:53:16:74:BB:A8:7B:CC:DE:C4:9D:66:77:43:34:DC"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; http.content_type; content:"application/java-archive"; depth:24; fast_pattern; http.content_len; byte_test:0,<=,30000,0,string,dec; file.data; content:"PK"; within:2; classtype:bad-unknown; sid:2017639; rev:8; metadata:created_at 2013_10_28, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:4F:8B:2C:65:0A"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Ratenjay POST with System Information"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NetSupport Manager/1.3"; depth:22; http.request_body; content:"CMD="; depth:4; content:"CLIENT_ADDR="; distance:0; fast_pattern; content:"PORT="; distance:0; content:"MACADDRESS="; distance:0; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,78c80a33f77d5efd69969b5ddf93e348; classtype:trojan-activity; sid:2035894; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Ratenjay, performance_impact Moderate, signature_severity Major, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible Godlua CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fullmeshnet.eu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029050; rev:3; metadata:attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family Godlua, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing"; flow:established,from_server; tls.cert_subject; content:"xn--"; tls.cert_issuer; content:"O=Let's Encrypt"; reference:url,isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024227; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (ph0ne)"; flow:established,to_server; http.user_agent; content:"ph0ne"; startswith; classtype:trojan-activity; sid:2028989; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; http.header_names; content:"pw"; nocase; classtype:policy-violation; sid:2012870; rev:4; metadata:created_at 2011_05_26, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029027; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|Firefox/"; nocase; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Encoding"; content:!"Referer"; content:!"X-Requested-With"; nocase; classtype:bad-unknown; sid:2018359; rev:4; metadata:created_at 2014_04_04, former_category INFO, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:web-application-attack; sid:2029028; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?m="; content:"&a="; content:"&os="; content:!"&ComPut="; http.header_names; content:!"User-Agent"; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:web-application-attack; sid:2029029; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"select"; nocase; distance:0; fast_pattern; content:"from"; nocase; within:20; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022816; rev:4; metadata:created_at 2016_05_17, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:web-application-attack; sid:2029030; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Unencrypted Connection to BASE Console"; flow:to_server,established; http.uri; content:"/base_main.php"; reference:url,base.secureideas.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008570; classtype:misc-activity; sid:2008570; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:web-application-attack; sid:2029031; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"VERSION"; nocase; distance:1; reference:url,support.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:web-application-attack; sid:2029032; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2"; flow:established,to_server; http.content_type; content:"multipart/form-data"; content:"{"; distance:0; content:"}"; distance:15; classtype:web-application-attack; sid:2024044; rev:5; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2017_03_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:web-application-attack; sid:2029033; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)"; flow:established,to_server; http.header; content:"apache"; http.content_type; content:"ProcessBuilder"; content:".struts"; distance:0; reference:cve,2017-5638; reference:url,github.com/rapid7/metasploit-framework/issues/8064; classtype:web-application-attack; sid:2024038; rev:4; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_08, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Kayla"; fast_pattern; startswith; classtype:web-application-attack; sid:2029035; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"l2.io"; fast_pattern; nocase; classtype:external-ip-check; sid:2024833; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Informational, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:web-application-attack; sid:2029036; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M2"; flow:established,from_server; tls.cert_serial; content:"00:E7:F9:B6:DE:A6:57:93:E2:44:6A:3B:95:C6:B3:EC:DF"; classtype:policy-violation; sid:2024788; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029038; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 1"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; depth:41; nocase; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_12, deployment Perimeter, former_category TROJAN, malware_family wannacry, signature_severity Critical, tag Ransomware, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (lessie)"; flow:established,to_server; http.user_agent; content:"lessie"; nocase; depth:6; pcre:"/^lessie(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027130; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; http.uri; content:".asp|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010592; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Cakle)"; flow:established,to_server; http.user_agent; content:"Cakle"; nocase; depth:5; pcre:"/^Cakle(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027132; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; tls.sni; content:"check.torproject.org"; nocase; classtype:external-ip-check; sid:2017928; rev:4; metadata:created_at 2014_01_04, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Damien)"; flow:established,to_server; http.user_agent; content:"Damien"; nocase; depth:6; pcre:"/^Damien(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027134; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; http.uri; content:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011141; classtype:attempted-recon; sid:2011141; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Solar)"; flow:established,to_server; http.user_agent; content:"Solar"; nocase; depth:5; pcre:"/^Solar(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027136; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1"; flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"ProcessBuilder"; nocase; distance:0; fast_pattern; content:"java"; nocase; content:"lang"; nocase; pcre:"/=\s*\x25\s*\{\s*.+?\bProcessBuilder\b/i"; classtype:attempted-admin; sid:2024814; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (muhstik)"; flow:established,to_server; http.user_agent; content:"muhstik"; nocase; depth:7; pcre:"/^muhstik(?:-scan)?(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027138; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TraceMyIP IP lookup"; flow:established,to_server; http.host; content:"tracemyip.org"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:policy-violation; sid:2017933; rev:4; metadata:created_at 2014_01_06, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Shaolin)"; flow:established,to_server; http.user_agent; content:"Shaolin"; nocase; depth:7; pcre:"/^Shaolin(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027140; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; threshold: type limit, count 2, seconds 40, track by_src; http.user_agent; content:"sqlmap"; depth:6; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Rift)"; flow:established,to_server; http.user_agent; content:"Rift"; nocase; depth:4; pcre:"/^Rift(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt"; flow:established,to_server; http.uri; content:"/system32/"; nocase; reference:url,doc.emergingthreats.net/2009362; classtype:attempted-recon; sid:2009362; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Tsunami)"; flow:established,to_server; http.user_agent; content:"Tsunami"; nocase; depth:7; pcre:"/^Tsunami(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027122; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3)"; dns.query; content:"epmhyca5ol6plmx3"; nocase; depth:16; reference:md5,a6061196c9df9364d48c01bea83d6cb7; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~EccKrypt-D/detailed-analysis.aspx; classtype:trojan-activity; sid:2020882; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yowai)"; flow:established,to_server; http.user_agent; content:"Yowai"; nocase; depth:5; pcre:"/^Yowai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027124; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; http.user_agent; content:"MJ12bot/"; classtype:trojan-activity; sid:2013256; rev:5; metadata:created_at 2011_07_12, updated_at 2020_08_20;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yakuza)"; flow:established,to_server; http.user_agent; content:"Yakuza"; nocase; depth:6; pcre:"/^Yakuza(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027126; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o)"; dns.query; content:"7tno4hib47vlep5o"; nocase; depth:16; reference:md5,9377710d4787d1a9ee1c724dce8bf13a; classtype:trojan-activity; sid:2024106; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027128; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET"; flow:established,to_server; http.uri; content:"UDID"; pcre:"/[0-9a-f]{40}[^0-9a-f]/"; http.user_agent; content:"|20|CFNetwork/"; fast_pattern; content:"|20|Darwin/"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013290; rev:5; metadata:created_at 2011_07_19, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/"; depth:8; http.host; content:!"login.live.com"; endswith; content:!"google.com"; endswith; content:!"www.bing.com"; endswith; content:!"yandex.ru"; endswith; content:!"linkedin.com"; endswith; http.connection; content:"close"; nocase; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:25; metadata:created_at 2010_10_02, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu IM Login Server Request"; flow:established,to_server; http.uri; content:"/appsvc/appmsg"; nocase; content:".asp"; nocase; content:"fmnumber="; content:"&version="; content:"&fmt="; http.host; content:"appmsg.gadu-gadu."; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:8; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Various Crimeware)"; flow:established,to_client; tls.cert_subject; content:"CN=uloab.com"; endswith; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; classtype:trojan-activity; sid:2029053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu Chat Client Checkin via HTTP"; flow:established,to_server; http.uri; content:"/appsvc/appmsg"; nocase; content:"fmnumber="; nocase; content:"&version="; nocase; content:"&fmt="; nocase; content:"&lastmsg="; nocase; reference:url,doc.emergingthreats.net/2007866; classtype:trojan-activity; sid:2007866; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Mylegion666)"; flow:established,to_server; http.user_agent; content:"Mylegion666"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Phishing - Form submitted to submit-form Form Hosting"; flow:established,to_server; http.method; content:"POST"; http.host; content:"submit-form.com"; endswith; classtype:credential-theft; sid:2030707; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_20, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-gov.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030720; rev:1; metadata:attack_target Client_and_Server, created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_08_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (salmonella-symptome)"; flow:established,to_server; http.user_agent; content:"salmonella-symptome"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to .php on Appspot Hosting - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; isdataat:!1,relative; http.host; content:".appspot.com"; isdataat:!1,relative; fast_pattern; classtype:misc-activity; sid:2030708; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_08_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (suspira)"; flow:established,to_server; http.user_agent; content:"suspiria"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GET Request to Appspot Hosting (set)"; flow:established,to_server; flowbits:set,ET.appspothosted; flowbits:noalert; http.method; content:"GET"; http.host; content:".appspot.com"; fast_pattern; endswith; classtype:social-engineering; sid:2030709; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (lilith)"; flow:established,to_server; http.user_agent; content:"lilith"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Sign in to your account</title>"; nocase; fast_pattern; content:"URL=https://login.microsoftonline.com/"; distance:0; classtype:social-engineering; sid:2030710; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (legion)"; flow:established,to_server; http.user_agent; content:"legion"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Sign in to Outlook</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2030711; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (the devil)"; flow:established,to_server; http.user_agent; content:"The devil come to me"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>&#x53|3b|&#x69|3b|&#x67|3b|&#x6E|3b|&#x20|3b|&#x69|3b|&#x6E|3b|&#x20|3b|&#x74|3b|&#x6F|3b|&#x20|3b|&#x79|3b|&#x6F|3b|&#x75|3b|&#x72|3b|&#x20|3b|&#x4D|3b|&#x69|3b|&#x63|3b|&#x72|3b|&#x6F|3b|&#x73|3b|&#x6F|3b|&#x66|3b|&#x74|3b|&#x20|3b|&#x61|3b|&#x63|3b|&#x63|3b|&#x6F|3b|&#x75|3b|&#x6E|3b|&#x74|3b|"; nocase; fast_pattern; classtype:social-engineering; sid:2030712; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"fuck u"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webapp Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Signin Outlook WebApp"; nocase; fast_pattern; classtype:social-engineering; sid:2030713; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Amen)"; flow:established,to_server; http.user_agent; content:"Amen"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>LinkedIn Login"; nocase; fast_pattern; classtype:social-engineering; sid:2030714; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (satan)"; flow:established,to_server; http.user_agent; content:"satan"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Personal cloud storage - Microsoft OneDrive"; nocase; fast_pattern; classtype:social-engineering; sid:2030715; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (neva-project)"; flow:established,to_server; http.user_agent; content:"neva-project"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"window.location.href|20|=|20 22|index1.php?EmailAdd=|22 20|+ hash.split('#')[1]|3b|"; nocase; fast_pattern; classtype:social-engineering; sid:2030716; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Magecart)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=marketplace-magento.com"; fast_pattern; tls.cert_issuer; content:"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"; classtype:trojan-activity; sid:2029072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Sign in to your account</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; distance:0; content:"action=|22|popup.php|22|"; distance:0; classtype:social-engineering; sid:2030717; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Pavica.FH Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?t=1&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT)"; reference:md5,704f7e92de304744ad8b3a839550084c; reference:url,app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/; reference:url,twitter.com/jstrosch/status/1319704698031640577; classtype:command-and-control; sid:2031096; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<script language=javascript>document.write(unescape("; nocase; content:"%3Ctitle%3ELoading%2099%...%3C/title%3E%20%3Cscript"; distance:0; fast_pattern; content:"var%20LIB_view%20%3D%20%27PGRpdiBjbGFzcz0iY29udGFpbm"; distance:0; classtype:social-engineering; sid:2030718; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Magecart Credit Card Information JS Script"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; depth:22; endswith; file.data; content:"|20|Sxml_cc_cid"; nocase; content:"Sxml_cc_number"; nocase; distance:0; content:"Sxml_expiration_yr"; nocase; distance:0; content:"ccnum+|22 3b 22|+exp_m+|22 3b 22|+exp_y+|22 3b 22|+cvv"; distance:0; fast_pattern; nocase; classtype:credential-theft; sid:2029073; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspected Mekotio User-Agent (MyCustomUser)"; flow:established,to_server; http.user_agent; content:"MyCustomUser"; bsize:12; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030721; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"marketplace-magento.com"; nocase; endswith; classtype:domain-c2; sid:2029074; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspected Mekotio User-Agent (4M5yC6u4stom5U8se3r)"; flow:established,to_server; http.user_agent; content:"4M5yC6u4stom5U8se3r"; bsize:19; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030722; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup BROLER.F CnC Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?"; content:!"&"; distance:0; content:"=google"; endswith; fast_pattern; http.request_body; pcre:"/^[a-zA-Z/+=]$/"; http.content_len; content:"72"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,285e25e31b498dd1c0827286e9b44cfe; classtype:command-and-control; sid:2029092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mekotio HTTP Method (111SA)"; flow:established,to_server; http.method; content:"111SA"; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030719; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup ABK Backdoor CnC Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?uid="; fast_pattern; content:"&pid="; distance:0; pcre:"/\?uid=[A-F0-9]{15,}&pid=\d+$/i"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,ed363efd32984ed21e67cf618758b635; classtype:command-and-control; sid:2029093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=BitRAT"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=BitRAT"; nocase; endswith; reference:url,krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/; classtype:domain-c2; sid:2030724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_22, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Snack CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"WinHTTP AutoProxy Sample/1.0"; depth:28; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:34; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker/Janicab CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=add&cn="; fast_pattern; content:"&un="; distance:0; content:"&v="; distance:0; content:"&av="; distance:0; content:"&an="; distance:0; reference:url,securelist.com/deathstalker-mercenary-triumvirate/98177/; classtype:command-and-control; sid:2030725; rev:1; metadata:created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Janicab, signature_severity Major, tag APT, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Coolbee/Avenger CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id="; content:"&group="; distance:0; content:"&class="; distance:0; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,507daf07c6f8f0080b5c4f818cfe77cb; classtype:command-and-control; sid:2029095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker/Powersing CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|un|22 3a|"; content:"|22|cn|22 3a|"; distance:0; content:"|22|av|22 3a|"; distance:0; content:"|22|dob|22 3a|"; distance:0; fast_pattern; content:"|22|os|22 3a|"; distance:0; content:"|22|ou|22 3a|"; distance:0; content:"|22|dc|22 3a|"; distance:0; reference:url,securelist.com/deathstalker-mercenary-triumvirate/98177/; classtype:command-and-control; sid:2030726; rev:1; metadata:created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Powersing, signature_severity Major, tag APT, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Casper CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|"; depth:38; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed APT/SideWinder CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cdn-gov.net"; bsize:11; reference:md5,a59df006d000b2ad5fb328e23a05ff43; classtype:domain-c2; sid:2030723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:established,from_server; tls.cert_serial; content:"00:B3:4B:42:19:50:7A:3B:55:78:3D:6D:FD:12:54:C8:88"; classtype:domain-c2; sid:2029102; rev:2; metadata:attack_target Client_and_Server, created_at 2019_12_09, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.ACBD CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_len; bsize:3; content:"364"; http.request_body; content:"OE1utcJ1hOpXDXMMv7v6fEB0TE58D8zB2PFvgXLL"; startswith; reference:md5,26382278c3d185d750203d6a600f8ae9; classtype:command-and-control; sid:2030727; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-statistics.com"; nocase; endswith; classtype:domain-c2; sid:2029100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Zebrocy Downloader Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/buildings.php"; endswith; fast_pattern; http.content_len; content:"11"; bsize:2; http.host; pcre:"/(?:\d{1,3}\.){3}\d{1,3}/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a31e3b8d2f5e0369be8f3dbb7e23120b; reference:url,twitter.com/Vishnyak0v/status/1269651391980736513; classtype:trojan-activity; sid:2030728; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"strds.ru"; nocase; bsize:8; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028639; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_10_24;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; dsize:<350; content:"|00|ll"; depth:8; fast_pattern; content:"Win|20|"; distance:0;  pcre:"/^\d{1,5}\x00ll/i"; reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:command-and-control; sid:2021176; rev:5; metadata:created_at 2015_06_02, former_category MALWARE, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=upgrade-ms-home.com"; classtype:trojan-activity; sid:2029108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9/+]{171}=/R"; http.header_names; content:!"Referer"; reference:md5,d3f53580f7ce72caf9be799106ad89ca; classtype:targeted-activity; sid:2033713; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updateinfos.com"; nocase; endswith; classtype:domain-c2; sid:2029114; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BankAustria Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"online.bankaustria.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024949; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updatemain.com"; nocase; endswith; classtype:domain-c2; sid:2029115; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING BankAustria Phishing Domain Nov 03 2017"; dns.query; content:"online.bankaustria.at."; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024946; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-statistics.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029128; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gdn) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gdn"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/"; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023458; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029116; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emailphone="; depth:11; nocase; fast_pattern; content:"&emailphone2="; nocase; distance:0; classtype:credential-theft; sid:2025099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029117; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; flowbits:set,ET.wpphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; fast_pattern; http.header_names; content:!"Referer"; classtype:social-engineering; sid:2025696; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=potronisl.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029118; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontromosals.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY localtunnel Sucessful Connection Setup"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b 22|port|22 3a|"; content:"|22|max_conn_count|22 3a|"; distance:0; content:"|22|id|22 3a|"; distance:0; content:"|22|url|22 3a|"; distance:0; content:"localtunnel.me|22 7d|"; distance:0; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025117; rev:2; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontrolimon.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET 52869 (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/picdesc.xml"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category EXPLOIT, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motylino.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029130; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco de la Nacion Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"transaccion="; depth:12; nocase; content:"&HrTrx="; nocase; distance:0; content:"&validar="; nocase; distance:0; content:"&txtNumeroTarjeta="; nocase; distance:0; classtype:credential-theft; sid:2032405; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motorlafd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029131; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; http.uri; content:"/im"; content:"?id="; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:(?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; fast_pattern; pcre:"/ms-?office/"; http.host; content:!".money-media.com"; content:!"ad.payclick.it"; content:!"sellercore.com"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:8; metadata:created_at 2015_08_19, former_category TROJAN, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantoropols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032404; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=janfioooslls.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Shutdown Phishing Landing 2017-12-11"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>"; nocase; depth:300; content:"Secure Email Server|20 3a 3a|"; fast_pattern; nocase; within:100; classtype:social-engineering; sid:2025678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=golitrops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029133; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2015-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031859; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=giltipolsfols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029134; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?machine_id="; fast_pattern; content:"&x64"; distance:0; content:"&version="; distance:0; content:"&video_card="; distance:0; content:"&cpu="; distance:0; content:"&junk="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; classtype:command-and-control; sid:2025148; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Bot_Sezin, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=finogorosod.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic L33bo Phish - URI Contents (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php?"; content:"sslchannel="; distance:0; fast_pattern; content:"sessionid="; content:"securessl="; classtype:credential-theft; sid:2031863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for APT40 Possible DADSTACHE CnC Domain"; dns.query; content:"nethosting.viewdns.net"; nocase; bsize:22; reference:md5,2e8d758b9bce51d25ea500d7b4ce4774; classtype:domain-c2; sid:2029151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, malware_family APT40, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qtloader encrypted check-in Oct 19 M1"; flow:established,to_server; http.request_body; content:"|2c 45 32 4d f1 38 55|"; depth:7; fast_pattern; reference:md5,4f03e360be488a3811d40c113292bc01; classtype:trojan-activity; sid:2024908; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon HEAD Request for .dot file on ddns.net"; http.method; content:"HEAD"; http.uri; content:".dot"; endswith; http.user_agent; content:"Microsoft Office"; fast_pattern; http.host; content:".ddns.net"; endswith; reference:md5,dbf4f92852cdae17aa3f2b1234f0140e; reference:md5,b221647d110bd2be2c6e9c5d727ca8db; classtype:command-and-control; sid:2028967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify/"; pcre:"/\/notify\/(?:single|mass)$/i"; http.request_body; content:"defacer|3d|"; depth:8; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:15; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TinyNuke CnC Checkin"; flow:established,to_server; flowbits:set,ET.TinyNuke; http.method; content:"POST"; http.uri; content:!"&"; content:".php?"; pcre:"/\.php\?[A-F0-9]{15,25}$/i"; http.header; content:"|0d 0a|Content-Length|3a 20|9|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,917124e4d53057324aa129520fca73fb; classtype:command-and-control; sid:2024991; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-20"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ma="; depth:3; nocase; content:"&mp="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031865; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amarula IRC Botnet Connection Request"; flow:established,to_server; content:"|55 53 45 52 20|"; startswith; content:"|20 3a 5a 75 4d 62 49 0a|"; endswith; fast_pattern; reference:md5,603841f6a7036311fa5bbc44d7435f83; reference:url,github.com/hackerama/Amarula-Python-Botnet/; classtype:command-and-control; sid:2031117; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.header; content:"x-user-agent|3a 20|YesMaster|0d 0a|"; fast_pattern; http.header_names; content:"|0d 0a|x-user-agent|0d 0a|"; content:"|0d 0a|x-whoami|0d 0a|"; content:"|0d 0a|x-pwd|0d 0a|"; content:"|0d 0a|x-hostname|0d 0a|"; content:"|0d 0a|x-isadm|0d 0a|"; content:"|0d 0a|x-is64Env|0d 0a|"; content:!"User-Agent"; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:command-and-control; sid:2025157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category MALWARE, malware_family YesMaster, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"arcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; content:"&locale.x="; nocase; distance:0; content:"&processSignin="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024846; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"aucdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031102; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phish Landing 2017-12-21"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"jQuery(function($)"; nocase; fast_pattern; content:"#dob"; nocase; distance:0; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#ssn"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#sortcode"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; classtype:social-engineering; sid:2025663; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"frcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031103; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WooSIP Downloader CnC CreateFolderOnServer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/process_ad.php?sDir="; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:command-and-control; sid:2025165; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WooSIP Downloader CnC DeleteFileOnServer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/process_ad.php?fileDel="; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:command-and-control; sid:2025166; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtag.site"; nocase; endswith; classtype:trojan-activity; sid:2031105; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WooSIP Downloader CnC WriteMetadataOnServer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/write_meta.php?sDir="; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,1cd356ab1943f120b04ad21afd9dcdb3; classtype:command-and-control; sid:2025167; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtage.site"; nocase; endswith; classtype:trojan-activity; sid:2031106; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smurf2 CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0"; http.request_body; content:"teststr="; depth:8; nocase; fast_pattern; content:"&testval="; nocase; distance:0; http.accept; content:"??"; reference:md5,e2d136bb63edc092d2f3d26885b239d9; classtype:command-and-control; sid:2025168; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtamanag.site"; nocase; endswith; classtype:trojan-activity; sid:2031107; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Executable Sent When Remote Host Claims to Send a RAR Archive"; flow:established,from_server; http.content_type; content:"application/rar"; nocase; fast_pattern; bsize:15; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2022874; rev:4; metadata:created_at 2016_06_08, former_category INFO, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows Executable Downloaded With Image Content-Type Header"; flow:established,to_client; http.content_type; content:"image/"; depth:6; file.data; content:"This program must be run under Win"; within:125; fast_pattern; classtype:trojan-activity; sid:2025169; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtgcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M1"; flow:established,to_server; http.request_line; content:"GET|20|/api/up.php|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Content-Type"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025170; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtmcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031110; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Activity"; flow:established,to_server; http.uri; content:".php?mac="; fast_pattern; pcre:"/^[0-9A-F]{12}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; pcre:"/^(?:Connection\r\n)?\r\n$/R"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"usacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yobit Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&psw1="; nocase; distance:0; content:"&psw2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025174; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"uscdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HitBTC Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__csrf__="; depth:9; nocase; content:"&utc_offset_hours="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2025175; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse Upload to Free Image Hosting Provider (uploads .im) - Likely Malware"; flow:established,to_server; http.request_line; content:"POST /api?upload"; startswith; http.host; content:"uploads.im"; bsize:10; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,897a5b60d609501e0feb06ff8e54d424; classtype:command-and-control; sid:2031118; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Liqui Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_type%5Bemail%5D="; depth:22; nocase; content:"&login_type%5Bpassword%5D="; nocase; distance:0; content:"&login_type%5BtwoFactorKey%5D="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025176; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magesource.su"; nocase; endswith; classtype:trojan-activity; sid:2029203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 9"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025178; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2020_08_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"magesource.su"; classtype:trojan-activity; sid:2029204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Chase Phishing Landing 2016-03-23"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"document.write"; pcre:"/^\s*?\(\s*?unescape\s*?\(/Rsi"; content:"|25 32 45 25 36 33 25 36 38 25 36 31 25 37 33 25 36 35 25 32 45 25 36 33 25 36 46 25 36 44|"; fast_pattern; classtype:social-engineering; sid:2032375; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magesource.su"; nocase; fast_pattern; classtype:domain-c2; sid:2029205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Landing 2016-03-29"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Login.php?sslchannel="; depth:22; fast_pattern; content:"&sessionid="; distance:0; http.cookie; content:"PHPSESSID"; classtype:social-engineering; sid:2032376; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Nexus IoT Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:web-application-attack; sid:2029209; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PhishMe.com Phishing Landing Exercise"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"_phishme.com_session_id="; file.data; content:"<!-- ORGANIZATION LOGO"; nocase; fast_pattern; classtype:social-engineering; sid:2022730; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"fuck u"; nocase; bsize:6; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2028991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M3 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; startswith; file.data; content:"this.submitCreds"; nocase; fast_pattern; content:"username|3a 20|this.username"; nocase; distance:0; content:"password|3a 20|this.password"; nocase; distance:0; content:"apple.com"; nocase; distance:0; classtype:social-engineering; sid:2024705; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"autizm"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,0a73a5bf772fde4868283ce7d5228901; classtype:command-and-control; sid:2029101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:social-engineering; sid:2023712; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20 63 6f 63 6b 0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,5a4384f5e18cfbd993a135301141243e; classtype:command-and-control; sid:2029176; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Phishing Landing 2016-12-19"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3B|base64"; nocase; content:"PCFET0NUWVBFIEhUTUw"; nocase; distance:0; content:"PHRpdGxlPlNpZ24gSW48L3RpdGxlPg"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2032415; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"get_you"; nocase; fast_pattern; bsize:7; http.header_names; content:!"Referer"; reference:md5,6d6a438b1687645b48cea729f235963e; classtype:command-and-control; sid:2029220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-01-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025180; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (carlos_castaneda)"; flow:established,to_server; http.user_agent; content:"carlos_castaneda"; nocase; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,35d17e42e314a5ebf6ddd4a3d0b47712; classtype:command-and-control; sid:2029223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-02-26"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"eval(unescape(|27|"; nocase; content:"%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74"; fast_pattern; nocase; distance:0; content:"eval(unescape(|27|%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; distance:0; reference:url,www.proofpoint.com/sites/default/files/proofpoint-obfuscation-techniques-phishing-attacks-threat-insight-en-v1.pdf; classtype:social-engineering; sid:2032372; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlo-analytics.com"; nocase; endswith; classtype:domain-c2; sid:2029224; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oilrig Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?version="; fast_pattern; pcre:"/^[0-9]+lu[0-9]+d[0-9]+$/Ri"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXB85f6VL_Zm79wtTK59xADKh6MG0G7hSBZi8cPOiQVWAIie0/pub; classtype:command-and-control; sid:2025182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, malware_family OilRig, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlo-analytics.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029226; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - POST structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&c="; content:"&p1="; content:"&p2="; content:"&p3="; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/"; classtype:attempted-user; sid:2015906; rev:4; metadata:created_at 2012_11_21, former_category CURRENT_EVENTS, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlc-analytics.net"; nocase; endswith; classtype:domain-c2; sid:2029227; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox/Docusign Phish 2016-10-28"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"pro="; depth:4; nocase; fast_pattern; classtype:credential-theft; sid:2032410; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlc-analytics.net"; nocase; fast_pattern; classtype:domain-c2; sid:2029229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module.php?module=osTicket&file=../"; fast_pattern; reference:url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt; classtype:web-application-attack; sid:2011941; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bestbuy.zapto.org"; nocase; endswith; classtype:domain-c2; sid:2029230; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Possible Trojan.Downloader UserAgent (binary_getter)"; flow:established,to_server; http.user_agent; content:"binary_getter"; depth:13; classtype:bad-unknown; sid:2025203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain Observed in DNS Query"; dns.query; content:"comodo.world"; nocase; endswith; classtype:domain-c2; sid:2029239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Trojan.Downloader VBA Script obfuscation (binary_getter)"; flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 30; http.stat_code; content:"200"; file.data; content:"(Chr((((asc(Mid("; depth:300; content:",1,1))-65))*25+(asc(Mid("; within:100; content:",2,1))-65)-"; within:100; reference:md5,bad07f85a7baaeaa8aeb72997712aa98; classtype:trojan-activity; sid:2025202; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"pussy"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029238; rev:2; metadata:created_at 2020_01_08, former_category MALWARE, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MoneroPay Ransomware Payment Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/paid?id="; fast_pattern; pcre:"/^[a-f0-9]{16}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; content:!"Connection"; content:!"Referer"; reference:md5,14ea53020b4d0cb5acbea0bf2207f3f6; classtype:trojan-activity; sid:2025204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] PS/PowDesk Checkin (APT34)"; flow:to_server,established; http.uri; content:".php?devicename="; fast_pattern; content:"&result="; pcre:"/^(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$/R"; reference:url,www.clearskysec.com/powdesk-apt34/; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:targeted-activity; sid:2029253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Gozi/Ursnif Payload v14"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|d9 2c c6 af f6 26 56 bb 73 f5 c4 68 0f 90 d9 d4|"; depth:16; fast_pattern; reference:url,github.com/ptresearch/AttackDetection; classtype:trojan-activity; sid:2025205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_17, deployment Perimeter, former_category TROJAN, malware_family ursnif, malware_family Gozi, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"mimestyle.xyz"; nocase; endswith; classtype:domain-c2; sid:2029254; rev:3; metadata:created_at 2020_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Adwind SSL Certificate Observed"; flow:established,from_server; tls.cert_issuer; content:"hgfyuilijhk"; tls.cert_serial; content: "70:FE:E3:2F"; fast_pattern; reference:md5,f2bf38a25919e24f0c96d9ec30e4e8d4; classtype:trojan-activity; sid:2025209; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, malware_family Adwind, malware_family Qarallex, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig APT PowDesk Powershell Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reclaimlandesk.php?devicename="; fast_pattern; content:"&result="; distance:0; http.uri.raw; content:!"Missing%20LANDESK"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:url,twitter.com/ClearskySec/status/1209055280090288131; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:command-and-control; sid:2029189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Chrome Extension Requesting Websocket"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Upgrade|3a 20|websocket|0d 0a|"; content:"Origin|3a 20|chrome-extension|3a|//ppmibgfeefcglejjlpeihfdimbkfbbnm|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025220; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,1400,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\shttp\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.0\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:64; classtype:command-and-control; sid:2029279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Drun Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Host|3a 20|"; depth:6; http.request_body; content:"kind="; depth:5; fast_pattern; content:"&id="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:url,twitter.com/securitydoggo/status/954337767751905280; classtype:command-and-control; sid:2025225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2018_01_19, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMS-Bomber Activity"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&v="; depth:3; http.referer; content:"SMS-Bomber"; fast_pattern; startswith; reference:md5,65ee077b7917f85234061082806f0352; classtype:trojan-activity; sid:2029281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Formbook 0.3 Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla"; depth:7; http.request_body; content:"dat="; depth:4; nocase; fast_pattern; pcre:"/^[a-z0-9_\/+-]{1000}/Ri"; reference:md5,6886a2ebbde724f156a8f8dc17a6639c; classtype:command-and-control; sid:2024436; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_29, deployment Perimeter, former_category MALWARE, malware_family Password_Stealer, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Group 21 CnC Domain Observed in DNS Query"; dns.query; content:"quwa-paf.servehttp.com"; nocase; endswith; classtype:domain-c2; sid:2029289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Group21, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 20 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"x1="; depth:3; nocase; fast_pattern; content:"&x2="; nocase; distance:0; classtype:credential-theft; sid:2025013; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl.cccccsssss.com"; nocase; endswith; reference:md5,0224334fbec16d74b4101c270a3566bf; classtype:domain-c2; sid:2031119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS.ARS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?os=windows"; nocase; fast_pattern; content:"&user="; distance:0; content:"&av="; distance:0; content:"&fw="; distance:0; content:"&hwid="; distance:0; content:"&x="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/B_H101/status/954984729329184768; classtype:command-and-control; sid:2025230; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns.query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029297; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rodecap/Travle/PYLOT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/5.0"; fast_pattern; bsize:11; http.request_body; content:"l"; depth:1; content:"=OTl"; within:8; content:"&e"; distance:0; content:"="; within:6; content:"&m"; distance:0; content:"="; within:6; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,ba6dcea82f59799d86111fa28ae95641; reference:url,securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/83455; classtype:command-and-control; sid:2025234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, malware_family travle, malware_family PYLOT, malware_family Rodecap, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ELF/Rekoobe CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kooktijd.acc.dynapps.be"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029307; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; content:"?cmd=login_submit&id="; nocase; distance:0; fast_pattern; content:"&session="; nocase; distance:64; within:9; isdataat:!65,relative; classtype:social-engineering; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Rekoobe CnC Observed in DNS Query"; dns.query; content:"huawel.site"; nocase; endswith; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029309; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SamMiner CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?act=hi&uid="; fast_pattern; content:"&ver="; content:"&dotnetver="; content:"&onwork="; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:command-and-control; sid:2025235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextplugin.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SamMiner CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?act=info&uid="; fast_pattern; content:"&ver="; http.request_body; content:"info="; depth:5; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,baa89d17522df0e05a16fa2c23d58f58; classtype:command-and-control; sid:2025237; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"jquerysmartstack.com"; nocase; endswith; classtype:domain-c2; sid:2029303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Embarcadero URI Client/1.0"; http.request_body; content:"AS100="; fast_pattern; content:"AS200="; distance:0; reference:md5,94cd521945da6ab73bc7a1462283d22a; classtype:command-and-control; sid:2025241; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request"; flow:established,to_server; http.request_line; content:"GET /getrandombase64.php?get="; fast_pattern; content:"|20|HTTP/1.1"; distance:32; within:9; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031127; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M1"; flow:established,from_server; http.content_type; content:"text/plain"; startswith; file.data; content:"cG93ZXJzaGVsbC5leG"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025238; rev:4; metadata:created_at 2018_01_22, former_category INFO, updated_at 2020_08_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DTLoader Encoded Binary - Server Response"; flow:established,to_client; http.response_body; content:"<html><head></head><body><p>Code|3a 20|"; startswith; fast_pattern; content:"</p><p>@@@"; distance:32; within:10; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M2"; flow:established,from_server; http.content_type; content:"text/plain"; startswith; file.data; content:"Bvd2Vyc2hlbGwuZXhl"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025239; rev:4; metadata:created_at 2018_01_22, updated_at 2020_08_24;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Domain (ahgwqrq .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"ahgwqrq.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:domain-c2; sid:2031129; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Base64 Encoded powershell.exe in HTTP Response M3"; flow:established,from_server; http.content_type; content:"text/plain"; startswith; file.data; content:"wb3dlcnNoZWxsLmV4Z"; fast_pattern; reference:url,otx.alienvault.com/pulse/5a1348416dd9eb0c92d9897a; classtype:bad-unknown; sid:2025240; rev:4; metadata:created_at 2018_01_22, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerysmartstack.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/TooEasy Miner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p="; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|msg|22|"; content:"|0d 0a|Downloading files|0d 0a|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,dc62dd14321dfa9f14c094a7b1e20979; classtype:command-and-control; sid:2025251; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Observed in DNS Query"; dns.query; content:"masseffect.space"; nocase; endswith; classtype:domain-c2; sid:2029310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Gamaredon, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user"; nocase; pcre:!"/^agent/PRi"; content:"pass"; nocase; fast_pattern; classtype:credential-theft; sid:2024555; rev:8; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=askkkkkkassaa.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029311; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?token="; fast_pattern; pcre:"/^[0-9]{2,6}$/R"; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Rs"; http.content_len; byte_test:0,>,200,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie"; reference:md5,aedf80c426fb649bb258e430a3830d85; classtype:command-and-control; sid:2025254; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantropoliops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029312; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php?user="; fast_pattern; content:"&hwid="; distance:0; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,485069677e997ff6ce193be7258c783f; classtype:command-and-control; sid:2025266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=prontosloshop.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029313; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kb/"; depth:4; fast_pattern; pcre:"/^\d{4,8}$/R"; http.user_agent; content:!"Microsoft Outlook"; http.header_names; content:!"Referer"; content:"User-Agent"; content:!"Accept"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:trojan-activity; sid:2025120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Smoke_Loader, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=miiiiisdkkkksd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029314; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise Style IP Check"; flow:to_server,established; urilen:16; http.uri; content:"/myip?format=txt"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; http.host; content:"api.ipaddress.com"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:trojan-activity; sid:2025289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, malware_family elise, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=faniposlskd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029315; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing Oct 23 2017"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=chalbhai"; fast_pattern; nocase; content:"method=post"; nocase; within:50; classtype:social-engineering; sid:2025655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ferilppdslos.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029316; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Flashpoint] Possible CVE-2018-4878 Check-in"; flow:established,to_server; http.uri; content:"?id="; nocase; content:"&fp_vs="; nocase; distance:0; fast_pattern; content:"&os_vs="; nocase; distance:0; reference:url,www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/; reference:cve,2018-4878; classtype:trojan-activity; sid:2025305; rev:4; metadata:created_at 2018_02_02, cve cve_2018_4878, former_category TROJAN, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Generic RAT over Telegram API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"Microsoft"; nocase; content:"Windows"; nocase; content:"Pass"; nocase; http.header; content:"|0d 0a|Host|3a 20|api.telegram.org|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2029323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HMRC Phish Oct 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&email="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&ccn"; nocase; distance:0; content:"&ccexp="; nocase; distance:0; content:"&secode="; nocase; distance:0; content:"&sort"; nocase; distance:0; classtype:credential-theft; sid:2024850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Unk.PowerShell Loader CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"internationalrule.com"; bsize:21; reference:url,app.any.run/tasks/9b18c721-13b2-4151-9a1d-22b5c8478ad4; classtype:domain-c2; sid:2029325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=xn--myeth"; depth:12; fast_pattern; classtype:social-engineering; sid:2025317; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"6google.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyMonero Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=xn--mymo"; depth:11; fast_pattern; classtype:social-engineering; sid:2025318; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".dnslookup.services"; nocase; endswith; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029347; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Ebay Phishing Landing 2018-02-07"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.host; content:"signin.eby.de."; depth:14; pcre:"/^[a-z0-9]{15}\./R"; classtype:social-engineering; sid:2025321; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrongPity Host Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|name=v"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name=v"; depth:6; content:"_kt"; within:5; content:"p"; within:3; content:"_"; distance:1; within:1; pcre:"/^name=v[0-9]{1,2}_kt[0-9]{1,2}p[0-9]{1}_[0-9]{8,10}$/i"; reference:md5,e4758783b146b506e0ec42e98ad9e65c; reference:md5,98cca7f2f6ad00771f50e97f97b5b38e; reference:url,twitter.com/HONKONE_K/status/1505920551503626242; classtype:targeted-activity; sid:2035541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shurl0ckr Ransomware CnC (kdvm5fd6tn6jsbwh .onion .to in DNS Lookup)"; dns.query; content:"kdvm5fd6tn6jsbwh"; nocase; depth:16; classtype:command-and-control; sid:2025332; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_08, deployment Perimeter, former_category MALWARE, malware_family Shurl0ckr, signature_severity Major, tag Ransomware, updated_at 2020_08_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"mangasiso.top"; nocase; endswith; classtype:trojan-activity; sid:2029348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SPARS/ARS Stealer Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action="; content:"&hwid="; distance:0; content:"&access="; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,76516b465b3589547a9c7c7d955238d8; classtype:command-and-control; sid:2025344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_12, deployment Perimeter, former_category MALWARE, malware_family Ars_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 2"; flow:established,to_server; content:"|01 02 01 01|"; fast_pattern; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".htm HTTP/1.1"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"Host|0d 0a|"; content:"Content-Length|0d 0a|"; classtype:command-and-control; sid:2012139; rev:10; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer Retrieving CnC Information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Project-Evrial-C2-DOMAIN-"; fast_pattern; nocase; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cookie"; reference:md5,540c736b7e11287805ddd4f3a9d37934; classtype:command-and-control; sid:2025346; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lici Initial Checkin"; flow:established,to_server; http.uri; content:".php?email="; content:"&lici="; content:"&ver="; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:command-and-control; sid:2014119; rev:5; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.BIC Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?response="; content:"&cpu="; distance:0; content:"&gpu="; distance:0; content:"&ram="; distance:0; content:"&name="; distance:0; content:"&os="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:md5,C6C781F0ED065476A4297C2AC96A6D83; classtype:command-and-control; sid:2025359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category MALWARE, malware_family Agent_BIC, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos/Hlux GET jucheck.exe from CnC"; flow:established,to_server; http.uri; content:"/jucheck.exe"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.abuse.ch/?p=3658; classtype:command-and-control; sid:2014330; rev:5; metadata:created_at 2012_03_07, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M1 2017-02-13"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"jQuery(function($)"; nocase; content:"cc-number"; within:50; nocase; fast_pattern; content:"formatCardNumber"; within:50; content:"cc-exp"; nocase; distance:0; content:"formatCardExpiry"; within:50; content:"cc-cvc"; nocase; distance:0; content:"formatCardCVC"; within:50; classtype:social-engineering; sid:2025658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32.Autorun HTTP Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"cbID="; content:"cbVer="; distance:0; content:"cbTit="; distance:0; http.request_body; content:"cbBody="; depth:7; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; reference:url,doc.emergingthreats.net/2009516; classtype:trojan-activity; sid:2009516; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cli"; depth:4; http.header; content:"Side|3a 20|upload"; http.request_body; content:"JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJ"; fast_pattern; reference:url,blogs.securiteam.com/index.php/archives/3171; reference:cve,2017-1000353; reference:url,research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/; classtype:attempted-user; sid:2025376; rev:3; metadata:created_at 2018_02_21, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonBot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.protocol; content:"HTTP/1.0"; reference:url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/; classtype:command-and-control; sid:2013047; rev:6; metadata:created_at 2011_06_16, former_category MALWARE, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [Deepend Research] BestaBid FakeFlash Redirect"; http.stat_code; content:"302"; http.location; content:"/?pcl="; nocase; content:".&cid="; fast_pattern; nocase; distance:40; pcre:"/^[^\r\n]+\/\?pcl=(?:[a-zA-Z0-9_-]{86}|[a-zA-Z0-9_-]{43})\x2e{1,2}&cid=/i"; reference:url,www.deependresearch.org/2018/02/yaff-yet-another-fake-flash-campaign.html; classtype:bad-unknown; sid:2025374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag FakeFlash, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.request_body; content:"botver="; content:"&build="; content:"&profile="; reference:md5,be3aed34928cb826030b462279a1c453; classtype:command-and-control; sid:2013168; rev:7; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Redirector in DNS Lookup (vip.rm028 .cn)"; dns.query; content:"vip.rm028.cn"; nocase; reference:url,blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/; classtype:trojan-activity; sid:2025382; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_23, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Bing checking Internet connectivity"; flow:established,to_server; http.header; content:"|3a 20|no-cache"; http.host; content:"www.bing.com"; depth:12; endswith; http.start; content:"GET / HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|"; depth:60; http.header_names; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013488; rev:5; metadata:created_at 2011_08_30, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Redirector in DNS Lookup (by007 .cn)"; dns.query; content:"by007.cn"; nocase; reference:url,blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/; classtype:trojan-activity; sid:2025383; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_23, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.MUD Variant Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/total_visitas.php"; fast_pattern; http.start; content:".php HTTP/1.1|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:6; metadata:created_at 2012_01_11, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai/OMG Proxy Variant CnC in DNS Lookup (ccnew.mm .my)"; dns.query; content:"ccnew.mm.my"; nocase; reference:url,blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-proxy-servers5a8e05ccc4f85; classtype:command-and-control; sid:2025384; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2018_02_23, deployment Perimeter, former_category MALWARE, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3b 20|name=|22|bot_id|22 0d 0a 0d 0a|"; fast_pattern; content:"|3b 20|name=|22|os_version|22 0d 0a 0d 0a|"; distance:0; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:command-and-control; sid:2014269; rev:7; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai/OMG Proxy Variant CnC in DNS Lookup (rpnew.mm .my)"; dns.query; content:"rpnew.mm.my"; nocase; reference:url,blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-proxy-servers5a8e05ccc4f85; classtype:command-and-control; sid:2025385; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2018_02_23, deployment Perimeter, former_category MALWARE, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:".php"; pcre:"/^\/[a-z]\.php/"; http.user_agent; content:"Indy Library"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015504; rev:6; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (steamdesktopauthenticator)"; dns.query; content:"steamdesktopauthenticator.com"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025386; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/news/?s="; fast_pattern; pcre:"/^\d{1,6}$/R"; http.header_names; content:!"Referer"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:trojan-activity; sid:2011825; rev:11; metadata:created_at 2010_10_18, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (lightalex)"; dns.query; content:"lightalex.ru"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025389; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses"; flow:established,to_server; http.uri; content:"/distrib_serv/ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013536; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SteamStealer DNS Lookup (steamdesktop)"; dns.query; content:"steamdesktop.com"; nocase; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025390; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_08_24;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M2"; flow:established,to_client; dsize:1051; content:"|04 19 00 00 00 1a 00 00 00 17 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 6f 63 75 6d 65 6e 74 73 00 00 00 08 55 54 43 2d 2d|"; depth:42; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031131; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spoofed MSIE 7 User-Agent Likely Ponmocup"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|en-US)"; fast_pattern; http.host; content:!"google-analytics.com"; content:!"mail.ru"; content:!"79xs.com"; content:!"paoshuba.cc"; content:!"dajiadu.net"; reference:md5,8494d82ddb37a3780a41da22c07c59dc; reference:url,otx.alienvault.com/indicator/domain/medialogger.ru; reference:url,otx.alienvault.com/pulse/5cc049114824559b525887ec; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012801; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_08_24;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M3"; flow:established,to_server; dsize:8; content:"|0c 00 0f 0a 0b 0a 0b 0a|"; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031132; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-02-26 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formID="; depth:7; nocase; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031866; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server"; flow:established,to_server; http.uri; content:"/search=ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013537; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-08"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&eps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031867; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server"; flow:established,to_server; http.uri; content:"/search="; fast_pattern; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013538; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Secondary Flash Request Seen (no alert)"; flow:established,to_server; flowbits:set,ET.SecondaryFlash.Req; flowbits:noalert; http.referer; content:"/[[DYNAMIC]]/1"; fast_pattern; http.header_names; content:"x-flash-version"; classtype:trojan-activity; sid:2025411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_09, deployment Perimeter, former_category INFO, signature_severity Major, tag Sundown_EK, updated_at 2020_08_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; http.uri; content:"knock.php?ver="; fast_pattern; content:"&sid="; distance:0; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013539; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psw="; nocase; distance:0; classtype:credential-theft; sid:2025417; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (listdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/listdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013668; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful O2 Phish 2018-03-12"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"sendTo="; depth:7; nocase; content:"www.o2.co.uk"; nocase; distance:0; content:"&fu="; nocase; distance:0; classtype:credential-theft; sid:2025419; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (mkdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mkdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013669; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2018-03-12"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"save-username="; depth:14; nocase; content:"&origin=cob&userPrefs="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; content:"&LOB="; nocase; distance:0; content:"&loginMode="; nocase; distance:0; content:"&serviceType="; nocase; distance:0; content:"&screenid="; nocase; distance:0; content:"&origination="; nocase; distance:0; content:"&TPB="; nocase; distance:0; content:"&msgId="; nocase; distance:0; content:"&platform="; nocase; distance:0; content:"&alternatesignon="; nocase; distance:0; content:"&destination="; nocase; distance:0; content:"&j_username="; nocase; distance:0; content:"&j_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025420; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT34 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=manygoodnews.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029385; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family APT34, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; depth:3; content:"|25|40"; distance:0; content:"&pas="; nocase; distance:0; classtype:credential-theft; sid:2025354; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fiffaslslslld.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029386; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-13"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; content:"&o6="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025425; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=loppappsas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029387; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com 2016-06-22"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"Passw"; nocase; content:"sign in"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032394; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conversia91.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029388; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Page Redirection"; nocase; fast_pattern; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:social-engineering; sid:2023638; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=123faster.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029389; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MikroTik RouterOS Chimay Red Remote Code Execution Probe"; flow:to_server,established; urilen:8; http.method; content:"POST"; http.uri; content:"/jsproxy"; fast_pattern; http.header; content:"Content-Length|3a 20|"; depth:16; reference:url,www.exploit-db.com/exploits/44284/; reference:url,www.exploit-db.com/exploits/44283/; classtype:attempted-admin; sid:2025426; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_03_13, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fatoftheland.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029390; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (CustomStringHere)"; flow:established,to_server; http.user_agent; content:"CustomStringHere"; reference:md5,7a8cb1223e006bc7e70169c060d7057b; classtype:misc-activity; sid:2025436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_19, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=creatorz123.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029391; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hiloti loader installed successfully request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/install.php?affid="; depth:19; http.request_body; content:"|64 61 74 61 3d|"; depth:5; content:"|30 31 30|"; distance:64; within:3; fast_pattern; content:"|31|"; distance:1; within:1; classtype:trojan-activity; sid:2012513; rev:5; metadata:created_at 2011_03_16, former_category TROJAN, updated_at 2020_08_24;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=compilator333.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029392; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehh.to"; nocase; endswith; classtype:domain-c2; sid:2030733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; http.uri; content:"/Default.asp"; http.header; content:"Accept: image/gif,image/x-xbitmap"; content:"|20|MSIE|20|"; http.cookie; content:"PREF=86845632017245"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:targeted-activity; sid:2016452; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaeho.ws"; nocase; endswith; classtype:domain-c2; sid:2030734; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"VBTagEdit"; depth:9; nocase; http.protocol; content:"HTTP/1.0"; reference:url,doc.emergingthreats.net/2010439; classtype:command-and-control; sid:2010439; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.top"; nocase; endswith; classtype:domain-c2; sid:2030735; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; http.content_type; content:"audio|2F|"; startswith; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:11; metadata:created_at 2011_08_22, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehr.ws"; nocase; endswith; classtype:domain-c2; sid:2030736; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; http.uri; content:"/search?query="; depth:14; content:"&sort=relevance"; within:15; pcre:"/^[A-Z0-9]{8}/R"; http.host; content:"groups.yahoo.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:4; metadata:created_at 2013_08_22, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefieiaehfiaehz.top"; nocase; endswith; classtype:domain-c2; sid:2030737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.MyDNS DNSChanger - HTTP POST"; flow:established,to_server; content:"|0d 0a 0d 0a|r="; fast_pattern; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.request_body; content:"r="; depth:2; nocase; content:"&f="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&u="; nocase; distance:0; content:"&i="; nocase; distance:0; content:"&g="; nocase; distance:0; reference:url,doc.emergingthreats.net/2009813; classtype:trojan-activity; sid:2009813; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugh.to"; nocase; endswith; classtype:domain-c2; sid:2030738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE possible OneLouder header structure"; flow:to_server,established; flowbits:set,ET.OneLouder.Header; flowbits:noalert; http.header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b|)|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018463; rev:11; metadata:created_at 2014_05_13, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugo.ws"; nocase; endswith; classtype:domain-c2; sid:2030739; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|k="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"k="; depth:2; pcre:"/^\d{15}/R"; http.protocol; content:"HTTP/1.0"; reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:command-and-control; sid:2013439; rev:12; metadata:created_at 2011_08_03, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.top"; nocase; endswith; classtype:domain-c2; sid:2030740; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HB_Banker16 Get"; flow:to_server,established; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|text/html|0d 0a|Host|3a|"; depth:30; fast_pattern; content:!"Indy Library"; http.user_agent; content:"Firefox/12.0"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:44; endswith; classtype:trojan-activity; sid:2019608; rev:6; metadata:created_at 2014_10_30, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugr.ws"; nocase; endswith; classtype:domain-c2; sid:2030741; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fb 28 39 fc 28 39 fb 4c 2f fb 3f 4f 8b 28 38 8c 28 39 fe|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aefofhhfouahugz.top"; nocase; endswith; classtype:domain-c2; sid:2030742; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3e 2f fb 39 2f fb 3e 4b ed 3e 38 8d 4e 2f fa 49 2f fb 3b|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuh.to"; nocase; endswith; classtype:domain-c2; sid:2030743; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 39 ed 3e 3e ed 3e 39 89 28 39 fa 48 49 ed 3f 4e ed 3e 3c|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030744; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/?8080"; fast_pattern; http.request_body; content:"name=|22|action|22 0d 0a 0d 0a|"; pcre:"/^(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/R"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; pcre:"/^(?:winload(?:32)?|cmms)\x0d\x0a/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018257; rev:6; metadata:created_at 2014_03_12, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnur.top"; nocase; endswith; classtype:domain-c2; sid:2030745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FortDisco Reporting Status"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cmd.php"; fast_pattern; endswith; http.user_agent; content:"|3b 20|Synapse"; http.request_body; content:"status="; depth:7; pcre:"/^\d$/R"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:6; metadata:created_at 2013_08_12, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"aeufhnfueunfnuz.top"; nocase; endswith; classtype:domain-c2; sid:2030746; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin"; flow:established,to_server; flowbits:set,ETGamut; http.uri; content:"file=SenderClient.conf"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018245; rev:6; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuh.to"; nocase; endswith; classtype:domain-c2; sid:2030747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuo.ws"; nocase; endswith; classtype:domain-c2; sid:2030748; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Almanahe.B Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"ClientUpdate"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:command-and-control; sid:2018123; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuur.top"; nocase; endswith; classtype:domain-c2; sid:2030749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan with Fake Java User-Agent"; flow:established,to_server; http.user_agent; content:"Java/"; depth:5; http.request_line; content:"GET /1.php HTTP/1.1"; fast_pattern; http.accept; content:"text/html, image/gif, image/jpeg, *|3b 20|q=.2, */*|3b 20|q=.2"; depth:52; endswith; http.connection; content:"keep-alive"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2018640; rev:7; metadata:created_at 2014_07_04, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bageiaiefuefuuz.top"; nocase; endswith; classtype:domain-c2; sid:2030750; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; content:"&so="; nocase; content:"&user"; nocase; content:"&versao"; nocase; content:"&pcname="; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018650; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbh.to"; nocase; endswith; classtype:domain-c2; sid:2030751; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Fake Server Header"; flow:established,to_client; http.protocol; content:"HTTP/1."; http.server; content:"Stalin"; fast_pattern; startswith; reference:md5,7e3e28320d209a586917668e3b8eac40; classtype:trojan-activity; sid:2018775; rev:6; metadata:created_at 2014_07_25, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbo.ws"; nocase; endswith; classtype:domain-c2; sid:2030752; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Initial Macro Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?u="; content:"&h="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbr.top"; nocase; endswith; classtype:domain-c2; sid:2030753; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage"; flow:established,to_server; http.host; pcre:"/^[^\r\n]+\x20[a-z]/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"POST / HTTP/1.1"; fast_pattern; reference:md5,6948d4f22e8d57369988be219ab70335; classtype:trojan-activity; sid:2020470; rev:8; metadata:created_at 2015_02_18, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"bfiuaebeufbefbz.top"; nocase; endswith; classtype:domain-c2; sid:2030754; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"username="; content:"memory_total="; content:"os_caption="; content:"os_serialnumber="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021133; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeh.to"; nocase; endswith; classtype:domain-c2; sid:2030755; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Errorcontent CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ip="; fast_pattern; content:"&referer="; distance:0; content:"&ua="; pcre:"/^\/[a-z]+\/\?ip=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/diary/Possible+Wordpress+Botnet+C&C:+errorcontent.com/19733; classtype:command-and-control; sid:2021153; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_05_27, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Wordpress, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaeo.ws"; nocase; endswith; classtype:domain-c2; sid:2030756; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-folder)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-fa"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017520; rev:6; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.top"; nocase; endswith; classtype:domain-c2; sid:2030757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Initial Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern; depth:67; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021051; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaer.ws"; nocase; endswith; classtype:domain-c2; sid:2030758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Command Status CnC"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/"; fast_pattern; depth:45; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021052; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"eaougheofhuoaez.top"; nocase; endswith; classtype:domain-c2; sid:2030759; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/6."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020944; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjh.to"; nocase; endswith; classtype:domain-c2; sid:2030760; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/7."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020946; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjo.ws"; nocase; endswith; classtype:domain-c2; sid:2030761; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type="; fast_pattern; pcre:"/^(?:update_hash|js|key|arsiv_(?:hash|link))$/R"; http.user_agent; content:!"Mozilla|2f|"; http.host; content:!"threatseeker.com"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:command-and-control; sid:2021030; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.top"; nocase; endswith; classtype:domain-c2; sid:2030762; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Scanbox Sending Host Data"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\/(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})\.jpg$/"; http.cookie; content:"recordid="; fast_pattern; depth:9; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2021229; rev:5; metadata:created_at 2015_06_10, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjr.ws"; nocase; endswith; classtype:domain-c2; sid:2030763; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|28|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-z0-9]{11}=\d{16}$/"; http.header_names; content:!"Accept"; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:command-and-control; sid:2020345; rev:5; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"egihaehefiejfjz.top"; nocase; endswith; classtype:domain-c2; sid:2030764; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potao CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22|?>"; depth:21; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; fast_pattern; http.content_type; content:"application/xml"; classtype:command-and-control; sid:2021554; rev:4; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieh.to"; nocase; endswith; classtype:domain-c2; sid:2030765; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC"; flow:established,to_server; flowbits:set,ET.centerpos; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&osname="; nocase; distance:0; content:"&compname="; nocase; distance:0; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022469; rev:4; metadata:created_at 2016_01_29, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgieo.ws"; nocase; endswith; classtype:domain-c2; sid:2030766; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC 2"; flow:established,to_server; flowbits:set,ET.centerpos; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&comid="; nocase; fast_pattern; distance:0; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022472; rev:4; metadata:created_at 2016_01_29, former_category MALWARE, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.top"; nocase; endswith; classtype:domain-c2; sid:2030767; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no accept headers"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Accept"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022985; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgier.ws"; nocase; endswith; classtype:domain-c2; sid:2030768; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; flowbits:set,ET.Sage.Primer; flowbits:noalert; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"fnenfmnieehgiez.top"; nocase; endswith; classtype:domain-c2; sid:2030769; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//admin/imagens/icones/new/get.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,d34912a19473fe41abdd4764e7bec5f9; classtype:command-and-control; sid:2024028; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag Banking_Trojan, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiih.to"; nocase; endswith; classtype:domain-c2; sid:2030770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ldrctl.php"; endswith; http.request_body; content:"os="; depth:3; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; nocase; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:command-and-control; sid:2010217; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiio.ws"; nocase; endswith; classtype:domain-c2; sid:2030771; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (123faster .top)"; dns.query; content:"123faster.top"; nocase; bsize:13; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.top"; nocase; endswith; classtype:domain-c2; sid:2030772; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)"; dns.query; content:"conversia91.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiir.ws"; nocase; endswith; classtype:domain-c2; sid:2030773; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top)"; dns.query; content:"fatoftheland.top"; nocase; bsize:16; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"hugrhusghufiiiz.top"; nocase; endswith; classtype:domain-c2; sid:2030774; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)"; dns.query; content:"creatorz123.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzth.to"; nocase; endswith; classtype:domain-c2; sid:2030775; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (compilator333 .top)"; dns.query; content:"compilator333.top"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfzto.ws"; nocase; endswith; classtype:domain-c2; sid:2030776; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f0 28 39 fe 4e 2f fb 3e 4e 8e 4e 2f fa 49 2f fb 3a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029436; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztr.top"; nocase; endswith; classtype:domain-c2; sid:2030777; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 35 2f fb 3b 49 ed 3e 39 8c 4b 49 ed 3f 4e ed 3e 3d|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"izezggefgegfztz.top"; nocase; endswith; classtype:domain-c2; sid:2030778; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 32 ed 3e 3c 8b 28 39 fb 49 4c 8b 28 38 8c 28 39 ff|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooh.to"; nocase; endswith; classtype:domain-c2; sid:2030779; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (Texsa)"; flow:established,to_client; tls.cert_subject; content:", L=Texsa, "; fast_pattern; tls.cert_issuer; content:", L=Texsa, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooo.ws"; nocase; endswith; classtype:domain-c2; sid:2030780; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Mountainvew)"; flow:established,to_client; tls.cert_subject; content:", L=Mountainvew, "; nocase; fast_pattern; tls.cert_issuer; content:", L=Mountainvew, "; nocase; reference:md5,5c1fce8fa3e228b8f2641bb1f7a29c3f; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; classtype:targeted-activity; sid:2031136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokoor.top"; nocase; endswith; classtype:domain-c2; sid:2030781; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 ff 28 39 fa 49 2f fb 3b 2f fb 3a 2f fb 34 48 ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lkoeafoekfokooz.top"; nocase; endswith; classtype:domain-c2; sid:2030782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3a 2f fb 3f 4e ed 3e 3c ed 3e 3d ed 3e 33 8a 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoh.to"; nocase; endswith; classtype:domain-c2; sid:2030783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 3d ed 3e 38 8c 28 39 fe 28 39 ff 28 39 f1 4f 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoo.ws"; nocase; endswith; classtype:domain-c2; sid:2030784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE POWERTON CnC Domain in DNS Lookup"; dns.query; content:"dailystudy.org"; nocase; bsize:14; reference:url,blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/; classtype:domain-c2; sid:2029448; rev:2; metadata:created_at 2020_02_13, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.top"; nocase; endswith; classtype:domain-c2; sid:2030785; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Grimagent CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Keep-Alive|3a 20|"; content:"|0d 0a|Connection|3a 20|keep-alive|0d 0a|Referer|3a 20|https|3a 2f 2f|www."; distance:3; within:50; pcre:"/^(?:(?:youtub|googl)e|microsoft|amazon|ebay).com\x0d\x0a/Rsi"; http.request_body; content:!"&"; pcre:"/^[A-Za-z0-9]{3,25}=[a-f0-9]{28,}$/s"; reference:md5,d0ef174669abc7d6358531002e458df1; classtype:trojan-activity; sid:2034179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuor.ws"; nocase; endswith; classtype:domain-c2; sid:2030786; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi Backdoor Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cname="; depth:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"&av="; within:40; content:"&osversion="; within:50; content:"&aname="; within:50; fast_pattern; content:"&ver="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:targeted-activity; sid:2029431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"lwoekouututeuoz.top"; nocase; endswith; classtype:domain-c2; sid:2030787; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:web-application-attack; sid:2029034; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrbox.ws"; nocase; endswith; classtype:domain-c2; sid:2030788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware.Hidden-Tear Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,5ae92b52b0a6df8a64a5f98700bc290f; classtype:command-and-control; sid:2034675; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"tldrnet.top"; nocase; endswith; classtype:domain-c2; sid:2030789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 2f fb 38 2f fb 39 2f fb 39 48 ed 3e 3f ed 3e 3d ed 3f 4e ed 3e 3e|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdh.to"; nocase; endswith; classtype:domain-c2; sid:2030790; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f ed 3e 3f ed 3e 3e ed 3e 3e 8a 28 39 fd 28 39 ff 28 38 8c 28 39 fc|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029458; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdo.ws"; nocase; endswith; classtype:domain-c2; sid:2030791; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8d 28 39 fd 28 39 fc 28 39 fc 4f 2f fb 38 2f fb 3a 2f fa 49 2f fb 39|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.top"; nocase; endswith; classtype:domain-c2; sid:2030792; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f1 28 39 fc 28 39 f9 28 39 fc 28 39 f1 28 39 f8 28 39 ff 28 38 8c 4c|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdr.ws"; nocase; endswith; classtype:domain-c2; sid:2030793; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 34 2f fb 39 2f fb 3c 2f fb 39 2f fb 34 2f fb 3d 2f fb 3a 2f fa 49 4b|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Query"; dns.query; content:"ufhuehfuigiijdz.top"; nocase; endswith; classtype:domain-c2; sid:2030794; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029465; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (=Mozilla)"; flow:established,to_server; http.header; content:"User-Agent|3a|=Mozilla/5"; fast_pattern; classtype:trojan-activity; sid:2025456; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_03_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (vighik .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"vighik.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031150; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:social-engineering; sid:2025657; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (cntrhum .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cntrhum.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031151; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/vstudio"; fast_pattern; http.host; content:"msdn.microsoft.com"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025439; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category TROJAN, malware_family Smoke_Loader, signature_severity Major, updated_at 2020_08_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (doldig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"doldig.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/visualstudio/"; fast_pattern; http.host; content:"www.microsoft.com"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:trojan-activity; sid:2025440; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category TROJAN, malware_family Smoke_Loader, signature_severity Major, updated_at 2020_08_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (sh78bug .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"sh78bug.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031153; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/\d+\/$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,e297f2ed2d162ad925ac140915a21405; classtype:command-and-control; sid:2025441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category MALWARE, malware_family Smoke_Loader, signature_severity Major, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (dghns .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"dghns.xyz"; bsize:9; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Emotet Certificate Observed M2"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=SneHose, O=Googls, OU=IT, CN=fff"; reference:md5,8430d8cf1b1edd6c49092a7dd6412a8a; classtype:trojan-activity; sid:2035063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_02_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (bigjamg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigjamg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031155; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] W32/Rodecap.StealRat C2 Payload (GIF)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|47 49 46 38 39 61 10 00 10 00 91 00 00 f7 f7 f7 ff ff ff c0 c0 c0 00 00 00 21 f9 04 00 00 00 00 5f 05 95 95 96 96 96 96 92 92 92 92 6d 92 92 92 2a 2a 2a 2a 2a 2a 2a 2a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a 6a|"; depth:92; classtype:command-and-control; sid:2025457; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (numklo .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"numklo.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NYU Internet HTTP/SSL Census Scan"; flow:to_server,established; http.user_agent; content:"NYU Internet Census (https://scan.lol|3b 20|research@scan.lol)"; reference:url,scan.lol; classtype:network-scan; sid:2025460; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_03, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (gut45bg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gut45bg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phish Landing Jun 22 2017"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"Amazon Sign In</title>"; nocase; content:"account is connected with Amazon"; distance:0; nocase; content:"name=|22|signin|22 20|method=|22|post|22 20|novalidate action=|22 22|"; nocase; distance:0; content:"type=|22|password|22 20|id=|22|ap_password"; nocase; distance:0; classtype:social-engineering; sid:2024422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (moig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"moig.xyz"; bsize:8; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NYU Internet Census UA Inbound"; http.user_agent; content:"NYU Internet Census"; depth:19; reference:url,scan.lol; classtype:network-scan; sid:2025461; rev:3; metadata:created_at 2018_04_03, deployment Perimeter, deployment Datacenter, former_category SCAN, signature_severity Informational, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA67 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?v="; content:"&g="; distance:0; http.user_agent; content:"Mozilla/5.0 Gecko/41.0 Firefox/41.0"; bsize:35; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3e5d4de6c6e2c18da8c1f75b10ca9cac; classtype:trojan-activity; sid:2031146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Trickbot C2 (networkDll module)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=Arasfjasu7|0d 0a|"; http.request_body; content:"name=|22|proclist|22|"; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2032217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Parallax RAT CnC Domain Observed in DNS Query"; dns.query; content:"vahlallha.duckdns.org"; nocase; bsize:21; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:domain-c2; sid:2029454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-08 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"bassimo"; depth:7; nocase; fast_pattern; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; classtype:credential-theft; sid:2031860; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4e 2f fb 3c 4b 8e 49 48 ed 3e 3a ed 3f 4e 89|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029479; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pontoeb CnC"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; fast_pattern; http.request_body; content:"mode="; depth:5; reference:md5,1a44b59105e584bac969408f9617133f; reference:url,urlhaus.abuse.ch/url/4452/; classtype:command-and-control; sid:2025484; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_04_11, deployment Perimeter, former_category MALWARE, malware_family Pontoeb, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|49 ed 3e 3b 89 4b 4e 8a 28 39 f8 28 38 8c 4c|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029480; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron/Maktub Locker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"{|22|encry|22 3a 22|"; depth:10; fast_pattern; content:"|22|randk|22 3a 22|"; distance:0; content:"|22|guid|22 3a 22|"; distance:0; content:"|22|start|22 3a 22|"; distance:0; content:"|22|market|22 3a 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,1e60050db59e3d977d2a928fff3d34a6; reference:url,bartblaze.blogspot.com/2018/04/maktub-ransomware-possibly-rebranded-as.html; classtype:command-and-control; sid:2025486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_12, deployment Perimeter, former_category MALWARE, malware_family Iron_Locker, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8b 28 39 f9 4c 4c 8c 4f 2f fb 3d 2f fa 49 4b|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreBot C2)"; flow:established,from_server; tls.cert_subject; content:"CN=ok.investments"; fast_pattern; nocase; reference:md5,75368c9240a3c238aa3b5518906a3cdb; classtype:domain-c2; sid:2025485; rev:4; metadata:attack_target Client_and_Server, created_at 2018_04_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f 4e ed 3e 3a ed 3e 32 ed 3e 3e ed 3e 3e ed 3e 3c ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/user/register"; http.request_body; content:"drupal"; pcre:"/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/i"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 8c 28 39 f8 28 39 f0 28 39 fc 28 39 fc 28 39 fe 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Cryptocurrency Wallet Exfiltration Detected"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 26 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024311; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8a 49 2f fb 3d 2f fb 35 2f fb 39 2f fb 39 2f fb 3b 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 27 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024312; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ReactorBot .bin Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi/"; content:".bin"; fast_pattern; endswith; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"kankan.com"; endswith; content:!"aocdn.net"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:5; metadata:created_at 2016_05_27, former_category CURRENT_EVENTS, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Request for C2 Commands Detected M1"; flow:established,to_server; flowbits:set,ET.LokiBot; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 28 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:command-and-control; sid:2024313; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_dispatch.php"; fast_pattern; endswith; http.header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/si"; http.content_type; content:"www-form-urlencoded"; endswith; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:command-and-control; sid:2022952; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot File Exfiltration Detected"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 29 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024314; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar V2 CnC Beacon"; flow:established,to_server; http.header; content:"=12&"; content:"=2"; distance:1; within:8; content:"=="; distance:12; within:6; content:"=="; distance:18; within:10; http.request_line; content:".php? HTTP/1."; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023966; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, signature_severity Major, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Keylogger Data Exfiltration Detected M1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 2b 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; classtype:trojan-activity; sid:2024315; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; http.method; content:"GET"; http.host; content:"orhangazitur.com"; fast_pattern; bsize:16; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024338; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Screenshot Exfiltration Detected"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"(Charon|3b 20|Inferno)"; http.request_body; content:"|00 2c 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; classtype:trojan-activity; sid:2024316; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"comboratiogferrdto.com"; fast_pattern; bsize:22; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:command-and-control; sid:2024340; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_10_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/i"; http.request_body; content:"|00 27 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024317; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; distance:0; fast_pattern; pcre:"/\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024306; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Request for C2 Commands Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\nContent-Length\x3a\x20[^\r\n]+\r\nConnection\x3a\x20close/i"; http.request_body; content:"|00 28 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024318; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Posting Host Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?id="; content:"&act="; fast_pattern; distance:0; pcre:"/\?id=\d+&act=\d$/"; http.host; content:!".money-media.com"; http.request_body; content:"rprt="; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024307; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Keylogger Data Exfiltration Detected M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Key|3a 20|"; content:"|0d 0a|"; distance:8; within:2; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\nAccept\x3a\x20[^\r\n]+\r\nContent-Type\x3a\x20application\x2foctet-stream\r\nContent-Encoding\x3a\x20binary\r\nContent-Key\x3a\x20[A-Z0-9]{8}\r\n/i"; http.request_body; content:"|00 2b 00|"; offset:1; depth:3; pcre:"/^[\x00-\x01]\x00.\x00[\x00-\x01]\x00.\x00.{4}\x01\x00.\x00{3}.{48}\x05\x00{3}/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2024319; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, malware_family lokibot, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cpuproc.com"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:domain-c2; sid:2025892; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IcedID/Emotet Certificate Observed M1"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Texas, L=Phenix, O=Yahos, OU=IT, CN=foror2"; reference:md5,8430d8cf1b1edd6c49092a7dd6412a8a; classtype:trojan-activity; sid:2035051; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, malware_family IcedID, signature_severity Major, tag Emotet, tag IcedID, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:domain-c2; sid:2025918; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_27, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"gender="; depth:7; nocase; fast_pattern; content:"&name1="; nocase; distance:0; content:"&name2="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BadPatch CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; depth:16; http.request_body; content:"="; pcre:"/^(?:[A-F0-9]{2}%3A){5}[A-F0-9]{2}&/R"; content:"=Py+version+"; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html; classtype:command-and-control; sid:2028913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, malware_family BadPatch, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com"; flow:established,to_server; http.host; content:"myip.dnsomatic.com"; bsize:18; classtype:external-ip-check; sid:2016754; rev:4; metadata:created_at 2013_04_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Various Malicious AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; http.uri; content:!"="; content:!"&"; content:!"?"; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022503; rev:5; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M1 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"tc="; depth:3; nocase; content:"&sms="; nocase; distance:0; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025503; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xwo CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Charset|3a 20|ISO-8859-1"; http.request_body; content:"wanip="; depth:6; fast_pattern; content:"&username="; distance:0; content:"&password="; distance:0; content:"&lanip="; distance:0; content:"&port="; distance:0; reference:url,www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner; reference:md5,fd67a98599b08832cf8570a641712301; classtype:command-and-control; sid:2027144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Xwo, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M2 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"FakeCustomerName="; depth:17; nocase; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025504; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spark Backdoor CnC Domain Query"; dns.query; content:"nysura.com"; nocase; bsize:10; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one; classtype:domain-c2; sid:2029492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DenizBank Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&tc="; nocase; content:"&sms="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; fast_pattern; content:"&login_parola_card="; nocase; distance:0; classtype:credential-theft; sid:2025506; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdnlib.at"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029501; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-04-17"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ui="; depth:3; nocase; content:"&pw="; nocase; distance:0; fast_pattern; pcre:"/^ui=[^&]+&pw=/i"; classtype:credential-theft; sid:2025513; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=storefrontcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029502; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; http.user_agent; content:"Morfeus"; nocase; depth:7; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2003466; rev:16; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=e4.ms"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029503; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Quant Loader Download Response M2"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"exe=http://"; within:30; nocase; fast_pattern; content:"|2e|exe|3b|"; distance:0; nocase; reference:md5,aa0b114a64683d89f62d26a088e164f6; classtype:trojan-activity; sid:2024206; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029504; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing 2018-04-26"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-Powered-By|3a 20|PHP"; nocase; file.data; content:"<title"; nocase; content:"Outlook Web App"; nocase; within:30; fast_pattern; classtype:social-engineering; sid:2025532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=opendoorcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing Feb 18 2016"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=|22|chalbhai|22|"; fast_pattern; nocase; content:"id=|22|chalbhai|22|"; nocase; content:"method=|22|post|22|"; nocase; classtype:social-engineering; sid:2025654; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=wappallyzer.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029506; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/?q=node"; content:"delete&destination="; pcre:"/(?:%(?:25)?23|#)/"; http.request_body; content:"form_id=node_delete_confirm"; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours; reference:cve,2018-7602; classtype:attempted-user; sid:2025533; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, tag drupalgeddon, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdn.su"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029507; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"user/password"; pcre:"/(?:%(?:25)?23|#)\s*(access_callback|pre_render|post_render|lazy_builder)/"; http.request_body; content:"_triggering_element_name"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025534; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, tag drupalgeddon, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=toplevelstatic.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029508; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/GravityRAT Requesting Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Value=13&idPayload="; fast_pattern; http.header_names; content:!"Referer"; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query"; dns.query; content:"accounts.protonvpn.store"; nocase; bsize:24; reference:url,securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/; classtype:command-and-control; sid:2029523; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G2 Stealer/GravityRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Value="; content:"UserCode="; distance:0; content:"MacId="; distance:0; content:"HitDate="; distance:0; content:"FingerPrint="; distance:0; fast_pattern; content:"CurrentIp="; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; content:!"Connection"; reference:md5,6899c2219764bac56007ce80021bfcbf; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python/PBot Browser Hijacker Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?streamId="; fast_pattern; content:"&isAdvpp="; distance:0; content:".js?streamId="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&isAdvpp=(?:true|false)$/Rsi"; http.header; content:"|0d 0a|Origin|3a 20|http"; reference:md5,f741a2febf0630407ba17945362f3bce; classtype:trojan-activity; sid:2031148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GX Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?VALUE=2&Type="; fast_pattern; content:"&SIGNATUREHASH="; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Cache"; reference:md5,ec629f648434fc3d17e9561532d038c8; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025541; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=stat-group.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.goggleheadedhacker.com/blog/post/16; classtype:domain-c2; sid:2029524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/G1 Stealer/GravityRAT Uploading File"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Value=11&FileName="; fast_pattern; content:"&FileSize="; distance:0; content:"&Macid="; distance:0; content:"&UserCode="; distance:0; reference:md5,783a48640c0776932fc81925962f273b; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:trojan-activity; sid:2025538; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category TROJAN, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apkv6.endurecif.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031162; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Aug 21 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&UserName="; nocase; content:"&Password="; nocase; distance:0; fast_pattern; http.host; content:!"absolutdata.com"; content:!"absolutresearch.com"; classtype:credential-theft; sid:2025026; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fif0.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031163; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; urilen:1; threshold: type limit, count 2, seconds 300, track by_src; http.method; content:"POST"; http.header; content:"TagId|3a 20|"; fast_pattern; content:!".namequery.com|0d 0a|"; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=seahome.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031164; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; nocase; depth:4; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=inapturst.top"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2031165; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pww="; nocase; distance:0; fast_pattern; content:"&image.x="; nocase; distance:0; content:"&image.y="; nocase; distance:0; classtype:credential-theft; sid:2025562; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; urilen:10; content:"/hello.php"; fast_pattern; http.method; content:"GET"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020339; rev:5; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; http.method; content:"GET"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:social-engineering; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Duqu 2.0 Request"; flow:established,to_server; http.start; content:"Cookie|3a 20|COUNTRY="; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat; classtype:trojan-activity; sid:2021247; rev:5; metadata:created_at 2015_06_11, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TSB Bank Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:credential-theft; sid:2025564; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGk"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2c727910738e0a381acf00fd0e1d636d; classtype:trojan-activity; sid:2030139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Elite Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.jsp"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021626; rev:9; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us1="; depth:4; nocase; content:"&ps1="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025566; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Scout Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021627; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http any any -> $HTTP_SERVERS 8161 (msg:"ET WEB_SPECIFIC_APPS Apache ActiveMQ File Upload RCE (CVE-2016-3088)"; flow:established,to_server; http.method; content:"MOVE"; http.header; content:"Destination|3a 20|"; reference:cve,2016-3088; reference:url,www.exploit-db.com/exploits/42283/; classtype:attempted-admin; sid:2025574; rev:3; metadata:attack_target Web_Server, created_at 2018_05_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Android Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Android"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021628; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Attempting to Download Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?port="; fast_pattern; http.user_agent; content:"wget/"; http.header_names; content:!"Referer"; reference:url,blog.netlab.360.com/gpon-exploit-in-the-wild-i-muhstik-botnet-among-others-en/; classtype:trojan-activity; sid:2025575; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_05_11, deployment Perimeter, former_category TROJAN, malware_family Muhstik, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021629; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InfoBot)"; flow:to_server,established; http.user_agent; content:"InfoBot"; nocase; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 3"; flow:to_server,established; urilen:4; http.header; content:"Empty|0d 0a|"; http.request_line; content:"GET /cl1"; depth:8; fast_pattern; http.referer; content:"1|3a|"; depth:2; pcre:"/^\d\.\d_(?:64|32)_\d\x3a/R"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021259; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-16 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025579; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE jFect HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping"; http.user_agent; content:"Java/"; depth:5; http.request_body; content:"uid="; depth:4; content:"&group="; content:"&lan="; content:"&nameAtPc="; fast_pattern; nocase; content:"&os="; content:"&country="; content:"&uptime="; content:"&installDate="; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d19261cf449afc52532028cca110eb36; classtype:command-and-control; sid:2022582; rev:4; metadata:created_at 2016_03_02, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Karmen Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"data.php?id="; fast_pattern; pcre:"/\.php\?id=[A-Za-z0-9]{10,20}(?:&key=[A-Za-z0-9]{10,30})?$/i"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,05427ed1c477cc01910eb9adbf35068d; classtype:command-and-control; sid:2024239; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category MALWARE, malware_family Karmen_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; http.request_body; content:"vit="; nocase; distance:0; content:"&bk="; nocase; distance:0; content:"&dados="; fast_pattern; nocase; distance:0; reference:url,doc.emergingthreats.net/2007999; classtype:command-and-control; sid:2007999; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pterodo.CL CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"versiya="; depth:8; content:"&comp="; distance:0; content:"&sysinfo="; distance:0; fast_pattern; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Referer"; content:!"Cache"; reference:md5,46C4A755E80EE4DF590C87C98115A5C7; classtype:command-and-control; sid:2034343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family Pterodo, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KLog Nick Keylogger Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy|20|Library)"; depth:38; http.request_body; content:"Nick+Key+Ativado"; fast_pattern; reference:url,doc.emergingthreats.net/2008338; classtype:command-and-control; sid:2008338; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin via HTTP"; flow:established,to_server; http.user_agent; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; fast_pattern; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:command-and-control; sid:2021336; rev:6; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2015_06_24, deployment Perimeter, former_category MALWARE, malware_family DDoS_XOR, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?action=add&a="; fast_pattern; content:"&c="; distance:0; content:"&u="; distance:0; content:"&l="; distance:0; content:"&p="; distance:0; http.host; content:!"whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:command-and-control; sid:2009458; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTPie User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"HTTPie/"; depth:7; reference:url,httpie.org; classtype:attempted-recon; sid:2025584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"15438.xyz"; nocase; endswith; pcre:"/(?:^|\.)15438\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029534; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora/OneKeyLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/-"; distance:0; content:"&hwid="; distance:0; http.header_names; content:!"Referer"; reference:md5,31d65e315115c823f619a381576984f8; classtype:command-and-control; sid:2025586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_30, deployment Perimeter, former_category MALWARE, malware_family Aurora, malware_family OneKeyLocker, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"12724.xyz"; nocase; endswith; pcre:"/(?:^|\.)12724\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029535; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-31"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"21736.xyz"; nocase; endswith; pcre:"/(?:^|\.)21736\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029536; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-11"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"gate="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&push="; nocase; distance:0; classtype:credential-theft; sid:2025588; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; flow:established,to_server; http.method; content:"GeT"; http.protocol; content:"HttP"; http.header_names; content:"HoST|0d 0a|"; content:"UsER-AgENt|0d 0a|"; fast_pattern; reference:url,doc.emergingthreats.net/2010129; classtype:trojan-activity; sid:2010129; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet CnC Checkin (POST)"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"POST"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; depth:65; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2035053; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/html"; depth:9; nocase; content:!"application"; nocase; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025591; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/css"; depth:8; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:12; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Paypal Phish Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2e 2e 2e 2e 21 5b 31 5d 20 53 2f 4d 2f 41 2f 49 2f 4c 2f 4d 2f 41 2f 58 21 2e 2e 2e 2e|"; classtype:social-engineering; sid:2025592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; pcre:"/^[a-f0-9]+\x08\x00$/Rs"; reference:md5,3690c361f7f2bdb1d1aed67c142bb90b; classtype:trojan-activity; sid:2031159; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, malware_family Anchor, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackshadesRAT Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/alive.php?"; nocase; content:"key="; nocase; content:"pcuser="; nocase; content:"pcname="; nocase; content:"hwid="; nocase; content:"country="; nocase; reference:md5,85a9f25c9b6614a8ad16dd7f3363a247; classtype:trojan-activity; sid:2012587; rev:6; metadata:created_at 2011_03_28, former_category TROJAN, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LolliCrypt Ransomware Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"key="; depth:4; fast_pattern; content:"&id="; distance:100; content:"&date="; distance:0; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rs"; http.header_names; content:!"Referer"; reference:md5,8e23b560b66134dcc4e21c461ed1a399; classtype:trojan-activity; sid:2031160; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M2"; flow:to_server,established; http.header; content:"BwYXNzdGhydSgn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025593; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, former_category WEB_SERVER, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE D1onis Stealer Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&p1="; content:"&p2="; content:"&region="; fast_pattern; content:"&ip="; content:"&p3="; content:"&p4="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,6cf4f85e3907d4f0a0c1e653d6c6943f; classtype:trojan-activity; sid:2031161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family D1onis, signature_severity Major, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M3"; flow:to_server,established; http.header; content:"AcGFzc3RocnUoJ"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025594; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, former_category WEB_SERVER, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] MSIL/Biskvit.A Check-in"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/api/auth/token"; http.header; content:"Authorization|3a 20 0d 0a|"; depth:18; fast_pattern; content:"Expect|3a 20|100-continue"; http.request_body; content:"{|22|ApiKey|22 3a 22|"; depth:11; isdataat:!100,relative; http.connection; content:"Keep-Alive"; depth:10; http.content_type; content:"application/json"; depth:16; http.header_names; content:"|0d 0a|Authorization|0d 0a|"; depth:17; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_22, deployment Perimeter, former_category MALWARE, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Santander Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 54 55 44 4f 20 2d 2d 3e|"; content:"|3c 21 2d 2d 20 46 45 49 58 41 4e 44 4f 20 54 55 44 4f 20 2d 2d 3e|"; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025607; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M1"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022197; rev:6; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Santander Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 63 6f 72 70 6f 20 67 65 72 61 6c 20 2d 2d 3e|"; content:"|3c 21 2d 2d 20 66 65 78 61 6e 64 6f 20 63 6f 72 70 6f 20 67 65 72 61 6c 20 2d 2d 3e|"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025608; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022198; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Sign in to your Microsoft account"; nocase; content:"|3c 21 2d 2d 20 20 2d 2d 3e|"; distance:0; content:"|3c 21 2d 2d 20 2f 6b 6f 20 2d 2d 3e|"; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025609; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M3"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022199; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Online Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"function popupwnd(url,"; nocase; content:"CLICK ON YOUR EMAIL PROVIDER BELOW"; nocase; distance:0; content:"javascript|3a|popupwnd("; nocase; distance:0; content:"|3c 21 2d 2d 4d 6f 64 65 64 20 42 79 20 41 6e 74 68 72 61 78 2d 2d 3e|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M4"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022200; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banque et Assurances Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Banque et Assurances"; nocase; content:"|3c 21 2d 2d 20 2f 20 4e 44 37 20 45 4e 43 4f 44 41 47 45 20 44 45 53 49 47 4e 20 26 20 58 53 41 4d 20 4a 53 20 45 4e 43 4f 44 41 47 45 20 2f 20 2d 2d 3e|"; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M5"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022201; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING iTunes Connect Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>iTunes Connect"; nocase; content:"|3c 21 2d 2d 20 50 48 4f 45 4e 21 58 20 2d 2d 3e|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M6"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022202; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 20 20 53 63 61 6d 20 4d 61 64 65 20 42 79 20 74 68 65 20 6b 69 6e 67|"; fast_pattern; content:"<title>Bienvenue sur Facebook"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025613; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M7"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022203; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>sign in to your account"; nocase; fast_pattern; content:"src=|22|https|3a|//secure.aadcdn.microsoftonline-p.com/"; nocase; distance:0; content:"src=|22|files/"; nocase; distance:0; content:"href=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M8"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022204; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2f 67 2d 7a 31 31 38 2e 63 73 73|"; content:"|2f 62 2d 7a 31 31 38 2e 63 73 73|"; distance:0; content:"|63 6c 61 73 73 3d 22 48 65 61 64 65 72 5a 31 31 38|"; distance:0; content:"|63 6c 61 73 73 3d 22 47 2d 46 69 65 6c 64 73 5a 31 31 38|"; distance:0; fast_pattern; content:"|63 6c 61 73 73 3d 22 46 69 65 6c 64 73 5a 31 31 38|"; distance:0; classtype:social-engineering; sid:2025615; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M9"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022205; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Assurance Maladie Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"href=|22|ficherss/"; nocase; content:"<title>Compte ameli - mon espace personnel"; nocase; distance:0; content:"src=|22|ficherss/"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025616; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"fkksjobnn43.org"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,942c6a039724ed5326c3c247bfce3461; classtype:command-and-control; sid:2024288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"src=|22|2Sign|25|20in|25|20-|25|20Adobe|25|20ID_files/"; nocase; fast_pattern; content:"href=|22|2Sign|25|20in|25|20-|25|20Adobe|25|20ID_files/"; nocase; distance:0; classtype:social-engineering; sid:2025617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enigma Locker Checkin"; flow:to_server,established; urilen:8; http.method; content:"GET"; http.uri; content:"/get.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/i"; http.connection; content:"close"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:command-and-control; sid:2023334; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Enigma, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"background|3a|url(Logon_Files/"; nocase; fast_pattern; content:"href=|22|Logon_Files/"; nocase; distance:0; content:"<title>Capitalone"; nocase; distance:0; content:"href=|22|Logon_Files/"; nocase; distance:0; classtype:social-engineering; sid:2025618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|0d 0a 0d 0a 0d 0a 2f 2f 2f 2f 2f 2f 2f|"; content:"System Infomation"; within:30; content:"|0d 0a 0d 0a|Boot Device|3a 20 5c|"; fast_pattern; content:"|0d 0a|Build Number|3a 20|"; distance:0; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING US Bank Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"href=|22|index|25|5D_files/"; nocase; content:"src=|22|index|25|5D_files/"; nocase; distance:0; fast_pattern; content:"<title>PersonalID Step"; nocase; distance:0; classtype:social-engineering; sid:2025619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"up.php?id="; pcre:"/^[A-Z]+$/R"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:"01234567890"; fast_pattern; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING American Express Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>American Express"; nocase; content:"href=|22|./index_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./index_files/"; nocase; distance:0; classtype:social-engineering; sid:2025620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor Secondary Payload Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=news&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0."; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING HM Revenue Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>HM Revenue"; nocase; content:"href=|22|file/"; nocase; distance:0; fast_pattern; content:"<h1>Tax Refund"; nocase; distance:0; content:"<!-- DEVELOPMENT ONLY -->"; nocase; distance:0; classtype:social-engineering; sid:2025621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky CSPY Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"dwn.php?van="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|7c 20 7c 5c 2f 7c 20 7c 20 2f 20 5f 5f 7c 20 5f 5f 2f 20 5f 20 5c 20 27 5f 5f 7c 20 20 5c 5f 5f 5f 20 5c 7c 20 27 5f 20 5c 7c 20 7c 20 7c 20 7c|"; content:"|68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 30 30 37 4d 72 53 70 79|"; distance:0; fast_pattern; content:"|73 72 63 3d 22 4a 73 5f 53 70 79 2f|"; distance:0; classtype:social-engineering; sid:2025622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; content:"&ver=x"; distance:3; within:6; fast_pattern; pcre:"/^(?:64|86)$/R"; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<meta name=|22|generator|22 20|content=|22|WYSIWYG|22|"; nocase; content:"<link href=|22|Untitled1.css|22|"; nocase; distance:0; fast_pattern; content:"<div id=|22|wb_Image1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:"<div id=|22|wb_Form1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|password|22 20|id=|22|Editbox2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025623; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M2"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"|3b 20|nhash="; distance:0; content:"|3b 20|chash="; fast_pattern; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a 0d 0a|"; depth:76; endswith; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023479; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpLDAPadmin LDAP Injection"; flow:to_server,established; http.uri; content:"!(()&&!|7c|*|7c|*|7c|"; nocase; classtype:web-application-attack; sid:2025733; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_06_22, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WS/JS Downloader Mar 07 2017 M2"; flow:established,to_server; http.uri; content:"/counter/?"; fast_pattern; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2024036; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution"; flow:to_server,established; http.uri; content:"/wps.setup.json"; fast_pattern; nocase; http.request_body; content:"operation=write"; content:"option=connect"; content:"wps_setup_pin="; content:"%2Fbin%2Fsh"; reference:url,exploit-db.com/exploits/44912/; classtype:web-application-attack; sid:2025735; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_22, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-06"; flow:established,to_server; http.uri; content:".vbn"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2023875; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family Nemucod, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpMyAdmin 4.8.1 - Local File Inclusion"; flow:to_server,established; http.uri; content:"db_sql.php"; nocase; http.uri.raw; content:"|2e 2e 2f|"; classtype:web-application-attack; sid:2025734; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_06_22, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Xtunnel Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; pcre:"/^\/(?:\w+\/){1,5}\?[a-z]{1,6}=[a-z0-9]{2,40}(?:&[a-z]{1,6}=(?:[a-z0-9]){1,40}(%3D){0,2}){1,4}$/i"; http.header; content:"deflate,sdch|0d 0a|Accept|3a 20|text|2f|html,application|2f|xhtml"; fast_pattern; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|MSIE|20|7.0"; http.connection; content:"Close"; http.header_names; content:!"Referer"; content:!"Cache"; classtype:targeted-activity; sid:2027405; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family XTunnel, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin iThemes Security SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; content:"&orderby="; fast_pattern; pcre:"/&orderby=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/i"; classtype:web-application-attack; sid:2025738; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_25, cve cve_2018_12636, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Onliner Receiving Commands from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|id|3a|"; depth:4; pcre:"/^\d{5,10}\x7d/R"; content:"|7b|ok|3a 5b|task|5d|"; distance:0; fast_pattern; content:"|7b|urls|7d|"; distance:0; content:"|7b|tasks|7d|"; distance:0; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027808; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Generic Phish 2018-06-15"; flow:to_server,established; flowbits:isset,ET.genericphish; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Check-in Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 60; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|10.0) like Gecko"; fast_pattern; depth:61; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.connection; content:"Close"; depth:5; endswith; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"Connection|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:md5,ac6ea1e500de772341a2075a7d916d63; classtype:trojan-activity; sid:2020064; rev:5; metadata:created_at 2014_12_23, updated_at 2020_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Personalized Phish 2018-06-15"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?email="; nocase; content:"&password="; nocase; distance:0; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".html"; nocase; endswith; pcre:"/\/\d{8,10}\.html$/i"; http.cookie; content:"BX="; http.start; content:"Cookie|3a 20|XX="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021278; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 2"; flow:established,to_server; http.uri; content:"/_config/query_servers/cmd"; reference:cve,2017-12636; classtype:attempted-user; sid:2025741; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"webscriptly.com"; nocase; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029566; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/_temp_view?limit="; http.request_body; content:"|22|cmd|22|"; fast_pattern; reference:cve,2017-12636; classtype:attempted-user; sid:2025742; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=huivaritaslloa.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 4"; flow:established,to_server; http.method; content:"DELETE"; http.uri; content:"/_config/query_servers/cmd"; fast_pattern; reference:cve,2017-12636; classtype:attempted-user; sid:2025743; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=infinitydevelooperspes.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 3"; flow:established,to_server; http.uri; content:"/index.php?option=com_ekrishta&view="; nocase; content:"&cid="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025746; rev:3; metadata:affected_product Joomla, attack_target Client_Endpoint, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unverifiedintigoosjai.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 2"; flow:established,to_server; http.uri; content:"/ekrishta/index.php/login/sign-in"; nocase; fast_pattern; http.request_body; content:"username="; nocase; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025745; rev:3; metadata:affected_product Joomla, attack_target Web_Server, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"app.dynamicrosoft.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029559; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 1"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc"; nocase; fast_pattern; http.request_body; content:"name="; nocase; pcre:"/^(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/Ri"; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025748; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"home.mwbsys.org"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029560; rev:3; metadata:affected_product Web_Browsers, affected_product Linux, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 2"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?form_id="; nocase; content:"&send_header="; nocase; distance:0; content:"&action="; nocase; distance:0; http.request_body; content:"search_labels="; fast_pattern; pcre:"/^(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/Ri"; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025749; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; http.method; content:"POST"; nocase; http.request_body; content:"&z"; pcre:"/^\d{1,3}=/Ri"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:5; metadata:created_at 2013_08_12, updated_at 2020_11_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Enable Guest Network)"; flow:established,to_server; http.uri; content:"/cgi?2&2&2&2&2"; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN_MULTISSID"; fast_pattern; content:"multiSSIDEnable"; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025752; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot POST Request to C2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla"; depth:32; fast_pattern; pcre:"/(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:44; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:command-and-control; sid:2019141; rev:5; metadata:created_at 2014_09_09, former_category MALWARE, updated_at 2020_11_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Reboot Router)"; flow:established,to_server; http.uri; content:"/cgi?7"; http.header; content:"mainFrame.htm"; http.request_body; content:"ACT_REBOOT"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025754; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; http.method; content:"POST"; http.content_len; byte_test:0,>,99,0,string,dec; http.start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:command-and-control; sid:2019168; rev:7; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2020_11_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (GET conf.bin)"; flow:established,to_server; http.uri; content:"/cgi/conf.bin"; http.header; content:"/mainFrame.htm"; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025753; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:35; depth:10; http.header; content:"HOST|3a 20|www.google.com|0d 0a|"; depth:22; fast_pattern; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; classtype:trojan-activity; sid:2019129; rev:12; metadata:created_at 2012_06_12, updated_at 2020_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 1"; flow:established,to_server; http.uri; content:"home/requested_user/Sent interest/"; nocase; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:cve,2018-12254; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025744; rev:4; metadata:affected_product Joomla, attack_target Web_Server, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=sucuritester.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029571; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Cryptolocker Payment Domain (3qbyaoohkcqkzrz6)"; dns.query; content:"3qbyaoohkcqkzrz6"; depth:16; classtype:trojan-activity; sid:2022647; rev:3; metadata:created_at 2016_03_23, former_category TROJAN, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=reportgns.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B - OS Command Injection"; flow:established,to_server; http.uri; content:"/login.cgi?cli="; pcre:"/^[ a-zA-Z0-9+_]*[\x27\x3b]/Ri"; reference:url,exploit-db.com/exploits/44760/; classtype:attempted-user; sid:2025756; rev:3; metadata:attack_target IoT, created_at 2018_06_27, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?n="; fast_pattern; content:"&m="; distance:0; content:"&i="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,ed9e14a932b28f1ebdc4cd5b549af9da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023951; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; http.method; content:"head"; nocase; content:!"HEAD"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:4; metadata:created_at 2012_03_15, former_category POLICY, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:!"google.com"; endswith; http.start; content:".1|0d 0a|User-Agent|3a 20|Mozi"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023916; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 1"; flow:established,to_server; http.uri; content:"/wp-admin/post.php?post="; http.request_body; content:"action=editattachment&_wpnonce="; fast_pattern; content:"&thumb=../../"; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025757; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2018_06_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:".php?wShell="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.2)"; endswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 2"; flow:established,to_server; http.uri; content:"/wp-admin/post.php?post="; http.request_body; content:"action=delete&_wpnonce="; fast_pattern; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025758; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2018_06_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil M3"; flow:established,to_server; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Content-Type|0d 0a|"; reference:md5,1e14ded758c5dd7b41fe20297935eeef; classtype:targeted-activity; sid:2035444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Exec Backdoor"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"|7b 22|action|22 3a 20 22|exec|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025761; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spora Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"=XDATABASE64ENCRYPTED"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_11_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Install Backdoor"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"|7b 22|action|22 3a 20 22|install|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025762; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen:>65; http.uri; content:"/counter/?"; fast_pattern; depth:10; content:"a="; content:"i="; pcre:"/[&?]i=[A-Za-z0-9_-]{50,}(?:&|$)/"; pcre:"/[&?]a=(?:[a-zA-Z0-9_-]{25,}|(?:0\.)?\d+)(?:&|$)/"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,852cbd70766feb96923a79b210e94646; classtype:trojan-activity; sid:2023816; rev:4; metadata:created_at 2017_01_31, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco Adaptive Security Appliance - Path Traversal"; flow:established,to_server; http.uri; content:"+CSCOE+/files/file_list.json?path=+CSCOE+"; fast_pattern; http.uri.raw; content:"../"; reference:url,exploit-db.com/exploits/44956/; reference:cve,2018-0296; classtype:attempted-user; sid:2025764; rev:2; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_06_29, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kimsuky Sending Encrypted System Information to CnC"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"WebKitFormBoundarywhpFxMBe19cSjFnG"; endswith; fast_pattern; reference:md5,92001e9cebec0f0f0ac2b7c7e04f017d; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Paradise Ransomware Check-in"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"v1="; depth:3; content:"v2="; distance:0; content:"start_e="; distance:0; content:"end_e="; distance:0; content:"files_count="; distance:0; fast_pattern; content:"key="; distance:0; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2025631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category MALWARE, malware_family Paradise, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky WildCommand CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"4cef22e90f"; endswith; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031180; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-06-29"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; content:"&ps="; nocase; distance:0; classtype:credential-theft; sid:2025632; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony Payload DL"; flow:established,to_server; http.uri; content:"/inst.exe"; fast_pattern; endswith; http.host; content:!"360safe.com"; endswith; content:!"qhcdn.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept-"; content:"User-Agent|0d 0a|"; content:"Accept|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2023740; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, former_category TROJAN, malware_family Pony, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin Dec 5 M1"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/checkupdate"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/s"; classtype:command-and-control; sid:2023576; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"name="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/name=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kwampirs Outbound GET request"; flow:to_server,established; urilen:>21; http.method; content:"GET"; http.uri; content:"?q=KT"; fast_pattern; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/"; http.user_agent; content:"Mozilla/"; depth:8; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Geutebruck Remote Command Execution"; flow:established,to_server; http.uri; content:"/uapi-cgi/viewer/simple_loglistjs.cgi?"; fast_pattern; content:"/bin/sh"; reference:url,exploit-db.com/exploits/44957/; reference:cve,2018-7520; classtype:attempted-user; sid:2025769; rev:2; metadata:attack_target IoT, created_at 2018_07_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baldr Stealer Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Encrypted.zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; fast_pattern; content:!"PK"; within:25; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family BALDR, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dolibarr ERP CRM PHP Code Injection"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"&db_name="; content:"%5C%27%3Bsystem(%24_GET%5B"; fast_pattern; reference:url,exploit-db.com/exploits/44964/; classtype:web-application-attack; sid:2025770; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/imageload.cgi"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/s"; reference:md5,40ebefdec6870263827ce6425702e785; classtype:command-and-control; sid:2026517; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"client?mac_address="; content:"&agent_id="; distance:0; content:"agent_file_version"; http.user_agent; content:"cpprestsdk/"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026435; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution"; flow:established,to_server; http.uri; content:"/ajaxhelper.php?cmd=getxicoreajax"; fast_pattern; http.uri.raw; content:"&opts=%7b%22func%22%3a%22get_hoststatus_table%22%7d"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025774; rev:2; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; content:!"|00 00|"; depth:30; content:"|00 00|"; offset:34; depth:2; content:"|00 00|"; distance:2; within:2; content:"|00 00|"; distance:2; within:2; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be312fdb94f3a3c783332ea91ef00ebd; classtype:trojan-activity; sid:2026002; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 2"; flow:established,to_server; http.uri; content:"/graphApi.php?host="; fast_pattern; http.uri.raw; content:"%3bsudo%20../profile/getprofile.sh%20%23"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025773; rev:3; metadata:attack_target Server, created_at 2018_07_02, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:".css"; endswith; http.user_agent; content:"curl/"; http.cookie; content:"m_pixel_ratio="; fast_pattern; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/R"; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025465; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?username="; fast_pattern; content:"&password="; distance:0; content:"&id="; distance:0; content:"&comp="; distance:0; content:"&user="; distance:0; pcre:"/^(?:(?:(?:[a-f0-9]){2}){16})/R"; http.header_names; content:"Accept|0d 0a|Accept-Language|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection"; content:!"Referer"; classtype:command-and-control; sid:2025633; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family SpyAgent_Raptor, performance_impact Low, signature_severity Major, tag Spyware, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Delf Checkin"; flow:established,to_server; http.uri; content:"/autoupdate/versaoatual.txt"; fast_pattern; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:command-and-control; sid:2025283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category MALWARE, malware_family Dropper, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/SpyAgent.Raptor (realtime-spy) CnC activity 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"raptor_un="; depth:10; content:"raptor_pw_hash="; distance:0; fast_pattern; content:"logtype="; distance:0; content:"raptor_account_id="; distance:0; content:"computer_username="; distance:0; content:"computer_name="; distance:0; content:"capture_timestamp="; distance:0; content:"submit="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; classtype:command-and-control; sid:2025634; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family SpyAgent_Raptor, performance_impact Low, signature_severity Major, tag Spyware, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent when remote host claims to send an image"; flow:established,from_server; http.content_type; content:"image/jpeg"; startswith; file.data; content:"New-Object"; nocase; content:"System.Net.WebClient"; nocase; content:"Start-Process"; fast_pattern; classtype:trojan-activity; sid:2025007; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category MALWARE, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Payload Request"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/i"; http.start; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Set DB User Root"; flow:established,to_server; http.uri; content:"/admin/settings.php"; http.request_body; content:"txtRootPath="; content:"&txtBasePath="; content:"&selProtocol="; content:"&txtTempdir="; content:"&selLanguage="; content:"&txtEncoding="; content:"&txtDBserver="; content:"&txtDBport="; content:"&txtDBname="; content:"&txtDBuser=root"; fast_pattern; content:"&txtDBpass="; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025777; rev:2; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Adding Administrative User"; flow:established,to_server; http.uri; content:"/api/v1/system/user"; http.request_body; content:"username="; content:"&password="; content:"&name="; content:"&email="; content:"&auth_level=admin&force_pw_change=0"; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025778; rev:2; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; http.uri; content:"/s.php?id="; depth:10; pcre:"/^\/s\.php\?id=[a-z0-9]{2,6}$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,5285f1adfc0013fa86218a7d76c0016d; classtype:trojan-activity; sid:2024600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ntop-ng Authentication Bypass via Session ID Guessing"; flow:established,to_server; threshold: type threshold, track by_dst, count 255, seconds 10; http.uri; content:"/lua/network_load.lua"; fast_pattern; http.cookie; content:"session="; content:"user="; reference:cve,2018-12520; reference:url,exploit-db.com/exploits/44973/; classtype:attempted-recon; sid:2025780; rev:3; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hancitor/Tordal Document Request"; flow:established,to_server; flowbits:set,ET.Hancitor; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?d="; fast_pattern; pcre:"/\.php\?d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie"; classtype:trojan-activity; sid:2024604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 2"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Content-Encoding|3a 20|binary|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|identity,|20 2a 3b|q=0|0d 0a|"; http.user_agent; content:"|20|MSIE|20|"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:md5,99FAB94FD824737393F5184685E8EDF2; classtype:command-and-control; sid:2014411; rev:13; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; http.header_names; content:!"Cookie|0d 0a|"; file.data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*<iframe src\s*=\s*[\x22\x27]http\:\/\/[^\x22\x27]+\.php[\x22\x27]\s*style\s*=\s*[\x22\x27]display\x3a\s*none\x3b\s*[\x22\x27]>\s*<\/iframe\>\s*$/Rsi"; classtype:trojan-activity; sid:2024678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ADB Broadband Authorization Bypass"; flow:established,to_server; http.uri; content:"/ui/dboard/settings/management/"; fast_pattern; http.uri.raw; content:"/management//"; reference:cve,2018-13109; reference:url,exploit-db.com/exploits/44982/; classtype:web-application-attack; sid:2025785; rev:2; metadata:attack_target IoT, created_at 2018_07_05, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?root="; fast_pattern; pcre:"/^[a-f0-9]{16}$/Ri"; http.accept; content:"text/plain"; depth:10; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:command-and-control; sid:2024489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_21, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Bitshifter, signature_severity Major, tag Ransomware, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftExpert Excellence Suite 2.0 SQL Injection"; flow:established,to_server; http.uri; content:"/view_eletronic_download.php?class_name="; fast_pattern; content:"&cddocument="; pcre:"/^[a-z0-9A-Z]+[^&]+[\x27\x22]/Ri"; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44981/; classtype:web-application-attack; sid:2025786; rev:2; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; content:"&il="; distance:0; nocase; content:"&vr="; distance:0; nocase; content:"&bt="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Exchange Reporter Plus Remote Code Execution"; flow:established,to_server; http.uri; content:"/servlet/ADSHACluster"; fast_pattern; http.request_body; content:"MTCALL=nativeClient"; content:"&BCP_RLL=0102"; content:"&BCP_EXE=4d5a"; reference:url,exploit-db.com/exploits/44975/; classtype:attempted-user; sid:2025787; rev:2; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; http.uri; content:"/demonsgate.php"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,74a3c324a8565d7f567763bee960bcca; classtype:trojan-activity; sid:2024719; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, malware_family Lucifer_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Airties AIR5444TT - Cross-Site Scripting"; flow:established,to_server; http.uri; content:"/top.html?page=main&productboardtype="; fast_pattern; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,exploit-db.com/exploits/44986/; reference:cve,2018-8738; classtype:attempted-user; sid:2025789; rev:3; metadata:attack_target Web_Server, created_at 2018_07_06, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader June 12 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Firefox/51.0"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, performance_impact Low, signature_severity Major, tag WS_JS_Downloader, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M1 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name"; nocase; content:"mail"; nocase; content:"Password"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032366; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; http.request_line; content:"GET /a5/ HTTP/1."; depth:16; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:command-and-control; sid:2024290; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M2 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; nocase; content:"mail"; nocase; content:"Password"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032367; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Webbug Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"_utm.gif?utmac="; fast_pattern; content:"&utmcn="; distance:0; content:"&utmcs="; distance:0; content:"&utmsr="; distance:0; content:"&utmsc="; distance:0; content:"&utmul="; distance:0; http.host; content:!"www.google-analytics.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc65cbf12622eb55f0fd382e0fe250c5; classtype:command-and-control; sid:2032748; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M3 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032368; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.cookie; content:"skin=noskin"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc65cbf12622eb55f0fd382e0fe250c5; classtype:command-and-control; sid:2032749; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M4 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name"; nocase; content:"mail"; nocase; content:"Passw0rd"; fast_pattern; nocase; content:"<div class=|22|wsite-form-field|22|"; classtype:social-engineering; sid:2032369; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?key="; fast_pattern; content:"&value="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8c6d686249fc3c6df3dc88ea2cddf02; classtype:command-and-control; sid:2024276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family OzazaLocker, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus P2P Variant Check-in"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/update"; fast_pattern; http.host; pcre:"/^[a-z0-9]+\.(?:biz|com|net|org)/"; http.header_names; content:!"User-Agent"; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018667; rev:5; metadata:created_at 2014_07_11, former_category TROJAN, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32|3b 20|Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR601 2.02 Credential Disclosure"; flow:established,to_server; http.uri; content:"/my_cgi.cgi"; http.request_body; content:"request=no_auth"; content:"request=load_settings"; content:"table_name=admin_user"; fast_pattern; content:"table_name=user_user"; content:"table_name=wireless_settings"; content:"table_name=wireless_security"; content:"table_name=wireless_wpa_settings"; reference:url,exploit-db.com/exploits/45002/; classtype:attempted-recon; sid:2025823; rev:3; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 1"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Elektronischer Leitz-Ordner 10 - SQL Injection"; flow:established,to_server; http.uri; content:"/social/api/feed/aggregation"; fast_pattern; content:"ticket="; pcre:"/^[^&]*[\x22\x27\x28]/Ri"; reference:url,exploit-db.com/exploits/44999/; classtype:attempted-user; sid:2025819; rev:3; metadata:attack_target Web_Server, created_at 2018_07_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443] (msg:"ET MALWARE W32.Geodo/Emotet Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host"; fast_pattern; http.cookie; pcre:"/[a-z0-9]{3,4}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; depth:10; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2024272; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] PS/TrojanDownloader.Agent.NNR XORed Zip payload (key 0x91)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|c1 da 92 95 85 91 91 99 99 91|"; depth:10; fast_pattern; reference:url,dctoralves.wordpress.com/2018/05/03/phishing-report-policia-civil/; classtype:trojan-activity; sid:2025583; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_23, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?name="; content:"&key=ENC"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,70c27926e54732a579b0004ede566fc6; reference:url,github.com/ShaneNolan/Runsome; classtype:command-and-control; sid:2024223; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Runsome, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"user/password&name"; nocase; fast_pattern; content:"markup|5d 3d|"; nocase; distance:0; pcre:"/^\[(?:%(?:25)?23|#)\s*(?:access_callback|pre_render|post_render|lazy_builder)/Ri"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025646; rev:2; metadata:affected_product Drupal_Server, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".boyput.site"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dicoogle PACS 2.5.0 - Directory Traversal"; flow:established,to_server; http.uri; content:"/exportFile?UID="; fast_pattern; content:"|2e 2e 5c|"; reference:url,exploit-db.com/exploits/45007/; classtype:attempted-user; sid:2025825; rev:3; metadata:attack_target Web_Server, created_at 2018_07_11, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".byteson.space"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029581; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IBM QRadar SIEM Unauthenticated Remote Code Execution"; flow:established,to_server; http.uri; content:"/ForensicsAnalysisServlet/?"; fast_pattern; content:"[pcap]=$("; content:"/bin/bash"; reference:url,exploit-db.com/exploits/45005/; classtype:attempted-user; sid:2025826; rev:2; metadata:attack_target Server, created_at 2018_07_11, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Turla Carbon Paper CnC Beacon (Fake User-Agent)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"."; distance:1; within:2; content:".0|3b 20|Windows NT|20|"; distance:0; content:"Trident/"; distance:0; http.user_agent; pcre:"/^Mozilla\/4\.0\x20\(compatible\x3b\x20MSIE\x20\d{1,2}\.0\.\d+\.\d+\.0\x3b\x20Windows\x20NT\x20/"; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; startswith; http.start; content:"Cookie|3a 20|PHPSESSID="; fast_pattern; http.header_names; content:"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/; classtype:command-and-control; sid:2024183; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitStack - Unsanitized Argument Remote Code Execution"; flow:established,to_server; http.uri; content:"p="; content:".git&a="; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; pcre:"/(?:Y21kIC9jIHBvd2Vyc2hlbGwuZXhl|NtZCAvYyBwb3dlcnNoZWxsLmV4Z|jbWQgL2MgcG93ZXJzaGVsbC5leG)/Ri"; reference:cve,2018-5955; reference:url,exploit-db.com/exploits/44356/; classtype:attempted-user; sid:2025830; rev:2; metadata:attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves HTTP CnC Beacon (APT10 implant)"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/index.php"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,28}[^\x20-\x7e\r\n]/s"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Keep-Alive"; depth:10; endswith; http.start; content:"dex.php|20|HTTP/1.1|0d 0a|Co"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024175; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, signature_severity Major, tag APT, tag APT10, tag RedLeaves, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; http.uri; content:"/init.do?"; content:"java.util"; content:"Runtime.getRuntime().exec"; fast_pattern; content:"cmd"; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; http.method; content:"GET"; http.uri; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/"; http.user_agent; content:"Firefox"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category TROJAN, malware_family Downloader, malware_family Locky_JS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Stripe Phishing Landing Dec 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Stripe|3a|"; nocase; fast_pattern; content:"|2f 2a 20 56 4f 44 4b 41 20 2a 2f|"; distance:0; classtype:social-engineering; sid:2025668; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/index.php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023203; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; http.uri; content:"/amf"; http.request_body; content:"sun.rmi.server.UnicastRef"; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:3; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pottieq.A Check-in"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20 7b|"; fast_pattern; http.user_agent; pcre:"/^\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}$/i"; http.request_body; content:"pc="; content:"mail="; content:"guid="; nocase; pcre:"/(?:^|&)id=\d+(?:$|&)/"; http.header_names; content:!"Accept"; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, malware_family Pottieq, performance_impact Low, signature_severity Major, tag Pottieq, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>/bin/sh"; content:"<string>-c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dll"; http.header; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; fast_pattern; http.user_agent; content:"MSIE 7"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"<soapenv:"; content:"java.lang.ProcessBuilder"; content:"<string>cmd</string>"; content:"<string>/c</string>"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; http.uri; content:"/~"; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/i"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Berbew Check-in"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:".NET CLR 00000000"; classtype:trojan-activity; sid:2017128; rev:8; metadata:created_at 2013_07_11, former_category TROJAN, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony DLL Download"; flow:established,to_server; http.uri; content:"/pm"; pcre:"/^\d?\.dll$/R"; http.request_line; content:".dll HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:6; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Job Manager Stored Cross-Site Scripting"; flow:established,to_server; http.uri; content:"/?step=|00|"; content:"submit-job-form"; fast_pattern; content:"enctype=|22|multipart/form-data|22|"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,exploit-db.com/exploits/45031/; classtype:attempted-user; sid:2025839; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Downloading .old"; flow:established,to_server; http.start; content:".old|20|HTTP/1.1|0d 0a|Host"; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022657; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AutoHotKey offthewall Downloader Requesting Payload"; flow:established,to_server; http.start; content:"GET /brazi/"; startswith; fast_pattern; content:".exe HTTP/1.1"; http.host; content:".top"; endswith; http.user_agent; bsize:10; content:"AutoHotkey"; reference:md5,2b1dc86b6a28ea6ddc7c272773b7472c; classtype:command-and-control; sid:2030664; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Downloading Binary"; flow:established,to_server; urilen:8; http.uri; content:"/crond"; fast_pattern; pcre:"/^(?:32|64)$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|18.0) Gecko/20100101 Firefox/18.0"; endswith; depth:72; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:trojan-activity; sid:2022357; rev:5; metadata:created_at 2016_01_13, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Webmail Phishing Landing Utilizing Clearbit"; flow:established,to_client; file.data; content:"webmail"; nocase; content:"<img src=|22|https://logo.clearbit.com/"; fast_pattern; classtype:social-engineering; sid:2030731; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; http.method; content:"GET"; http.uri; content:!"."; content:"/en-us/"; depth:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/R"; content:!"/im/"; http.start; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:10; metadata:created_at 2015_03_25, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request to Image with User-Agent Ending in .exe"; flow:established,to_server; http.uri; pcre:"/\.(?:gif|jpe?g|png)$/i"; http.user_agent; content:".exe"; endswith; fast_pattern; classtype:misc-activity; sid:2030732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, signature_severity Informational, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"|0d 0a 0d 0a|"; byte_jump:4,1,relative,little,post_offset -6; isdataat:!2,relative; http.method; content:"POST"; http.header; content:"|20 28|compatible|3b 20|MSIE 6.0|3b 20|Win32|29 0d 0a|HOST|3a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020898; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hadoop YARN ResourceManager Unauthenticated Command Execution"; flow:established,to_server; http.uri; content:"/ws/v1/cluster/apps"; fast_pattern; http.request_body; content:"|22|application-type|22 3a 22|YARN|22|"; content:"|22 3a 7b 22|commands|22 3a 7b 22|command|22 3a 22|"; pcre:"/(?:f0VM|9FT|\/RU)/R"; content:"base64"; reference:url,exploit-db.com/exploits/45025/; classtype:attempted-user; sid:2025840; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:6; content:"/"; distance:1; within:2; content:"/"; distance:1; within:1; content:"/"; distance:1; within:1; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/"; http.host.raw; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}$/i"; http.start; content:"|20|HTTP/1.1|0d 0a|User-Agent"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020369; rev:6; metadata:created_at 2015_02_05, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; http.uri; content:"/download.sh?script=/cgi-bin/"; content:"/system-editor.sh&path=/etc/"; fast_pattern; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025845; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"|0d 0a 0d 0a|env="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^env=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:4; metadata:created_at 2015_12_18, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; http.uri; content:"/IPn4G.config"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025847; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; http.uri; content:"/pict."; fast_pattern; content:"?id="; distance:0; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:6; metadata:created_at 2015_10_28, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; http.uri; content:"/cgi-bin/system.conf"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025846; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/admin/get.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http.cookie; pcre:"/^SESSIONID=[A-Z0-9]{16}/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.powershellempire.com; classtype:command-and-control; sid:2021616; rev:5; metadata:created_at 2015_08_12, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Stop"; flow:established,to_server; http.uri; content:"/system-services.sh?service="; fast_pattern; content:"&action=stop"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-dos; sid:2025848; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|text/css|0d 0a|Accept|3a 20|image/**|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020301; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Process Kill"; flow:established,to_server; http.uri; content:"/status-processes.sh"; http.request_body; content:"signal=SIGILL&pid="; fast_pattern; content:"&kill=+Send+"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-dos; sid:2025849; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cohhoc RAT CnC Response"; flow:established,from_server; http.header; content:"Content-Length|3a 20|64|0d 0a|"; file.data; content:"gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; offset:1; depth:63; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019626; rev:7; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service start"; flow:established,to_server; http.uri; content:"/system-services.sh?service="; fast_pattern; content:"&action=start"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025850; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ursnif Checkin"; flow:established,to_server; content:"no-cache|0d 0a 0d 0a 0d 0a|"; endswith; http.method; content:"POST"; http.uri; pcre:"/^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019377; rev:8; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Enable"; flow:established,to_server; http.uri; content:"/system-services.sh?service="; fast_pattern; content:"&action=enable"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025851; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stobox Connectivity Check"; flow:established,to_server; threshold: type both, count 5, seconds 300, track by_src; http.uri; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; fast_pattern; http.host; content:"update.microsoft.com"; depth:20; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:7; metadata:created_at 2014_09_11, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Change Admin Passwd"; flow:established,to_server; http.uri; content:"/system-acl.sh"; fast_pattern; http.request_body; content:"pw1"; content:"pw2"; content:"passwdchange"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025852; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake rootkit usermode-centric client request"; flow:to_server,established; http.uri; content:"/1/6b-558694705129b01c0"; fast_pattern; http.connection; content:"Keep-Alive"; depth:10; endswith; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018247; rev:5; metadata:created_at 2014_03_11, former_category TROJAN, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Admin Passwd"; flow:established,to_server; http.uri; content:"/system-acl.sh"; fast_pattern; http.request_body; content:"pw1"; content:"pw2"; content:"user_add"; content:"password_add"; content:"mhadd_user"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025853; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banking Trojan HTTP Cookie"; flow:established,to_server; http.cookie; content:"tcpopunder"; fast_pattern; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/updates-to-the-citadel-trojan/; classtype:trojan-activity; sid:2018119; rev:5; metadata:created_at 2014_02_12, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Root Htpasswd"; flow:established,to_server; http.uri; content:"/system-editor.sh"; fast_pattern; http.request_body; content:"pw1"; content:"/etc"; content:"htpasswd"; content:"root:"; content:"Save Changes"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025854; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup"; dns.query; content:"imprintcenter.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029597; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Crontab"; flow:established,to_server; http.uri; content:"/system-crontabs.sh"; fast_pattern; http.request_body; content:"Save Changes"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025856; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"cybermon.fortigatecloud.com"; nocase; depth:27; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029587; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Startup Script"; flow:established,to_server; http.uri; content:"/system-startup.sh"; fast_pattern; http.request_body; content:"/etc/init.d"; content:"#!/bin/sh"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025857; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=mikkymax.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Disable Firewall"; flow:established,to_server; http.uri; content:"/system-crontabs.sh"; fast_pattern; http.request_body; content:"/etc/init.d/firewall stop"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025858; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=linkojager.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029595; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Start the Microhard Sh (msshc) service"; flow:established,to_server; http.uri; content:"/system-services.sh?service=msshc&action=start"; fast_pattern; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025859; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeLoader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; nocase; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^\d+$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; classtype:command-and-control; sid:2017261; rev:7; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Auto-enable the Microhard Sh (msshc) service"; flow:established,to_server; http.uri; content:"/system-services.sh?service=msshc&action=enable"; fast_pattern; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025860; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alina Server Response Code"; flow: established,from_server; http.response_line; content:"|20|666 OK"; fast_pattern; endswith; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:7; metadata:created_at 2013_06_08, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 9.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/9."; reference:url,www.oracle.com/technetwork/java/javase/documentation/9u-relnotes-3704429.html; classtype:bad-unknown; sid:2025314; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Kazy.174106 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?T="; http.user_agent; content:"Tesla"; fast_pattern; startswith; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:command-and-control; sid:2016939; rev:5; metadata:created_at 2013_05_29, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic YWRtaW46YWRtaW4="; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025855; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Redyms.A Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; offset:6; depth:7; http.header; content:".net|0d 0a|Content-Length|3a 20|128|0d 0a|"; fast_pattern; http.start; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; classtype:command-and-control; sid:2016759; rev:4; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_11_05;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.anubiscode.fun"; nocase; endswith; classtype:domain-c2; sid:2030729; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt"; flow:to_server,established; http.uri; content:"/pics/"; content:".asp?id="; distance:0; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SP Q"; depth:55; http.header_names; content:"|0d 0a|Cookies|0d 0a|"; fast_pattern; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016573; rev:5; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; content:".exe"; fast_pattern; pcre:"/^(?:\?[0-9])?/R"; pcre:"/\/wp-(?:content|admin|includes)\//"; http.header_names; content:!"Referer"; reference:md5,adabe1b995e6633dee19fdd2fdc4957a; classtype:trojan-activity; sid:2021697; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Wordpress, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; http.start; content:"|0a|Cookie|3a 20|CAQGBgoFD1Y"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016434; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-07-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pswd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet Empty CnC Beacon"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; depth:111; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; reference:md5,627f3572e9c37de307b3511925934fb9; classtype:command-and-control; sid:2035046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-07-19"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025864; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer Requesting Config"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config"; endswith; content:!"."; http.header; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|id|22 3b 0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XML External Entity Information Disclosure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22 20|encoding="; content:"<!DOCTYPE"; content:"<!ENTITY"; content:"SYSTEM |22|file|3a|///etc/"; fast_pattern; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-recon; sid:2025877; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|spamerhash|22 3b 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2031181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XML External Entity Remote Code Execution"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22 20|encoding="; content:"<!DOCTYPE"; content:"<!ENTITY"; content:"SYSTEM |22|php|3a|//"; fast_pattern; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-user; sid:2025878; rev:3; metadata:attack_target Web_Server, created_at 2018_07_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kuarela.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029602; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS Sniffer Framework Sending to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?image_id="; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.header_names; content:"Accept"; content:"Accept-"; content:!"Referer"; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:command-and-control; sid:2025881; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=gabardina.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029603; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE MSF Check"; flow:to_server,established; http.uri; content:"/shell?echo+"; depth:12; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025882; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Minor, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=almagel.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029604; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE"; flow:to_server,established; http.uri; content:"/shell?"; depth:7; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025883; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsnnguyrygfu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029605; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple CCTV-DVR Vendors RCE"; flow:to_server,established; http.uri; content:"/language/Swedish${IFS}&&"; depth:25; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025884; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Minor, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ofiughfuu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029610; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AZORult Variant.4 Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|4a 2f fb|"; fast_pattern; content:"|2f fb|"; depth:11; http.header_names; content:!"Referer"; reference:md5,0ac55b5056364cdac63aaf05f9d7f654; reference:url,twitter.com/James_inthe_box/status/1020522733984100352?s=03; classtype:command-and-control; sid:2025885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category MALWARE, malware_family AZORult, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kiparis.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029611; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic Unrestricted File Upload (CVE-2018-2894)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ws_utc/resources/setting/keystore"; fast_pattern; http.request_body; content:"ks_filename="; reference:url,github.com/LandGrey/CVE-2018-2894/blob/master/CVE-2018-2894.py; reference:cve,2018-2894; classtype:attempted-admin; sid:2025907; rev:3; metadata:attack_target Server, created_at 2018_07_25, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dfsgu747hugr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029612; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising Redirect to EK M1"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; file.data; content:"<script|20|"; content:"new Date()).getTime()|3b|"; nocase; distance:0; content:".php?JBOSSESSION="; distance:0; fast_pattern; content:"window.location.href="; distance:0; content:"<script|20|"; pcre:"/^\s*type\s*=\s*[\x22\x27]\s*text\/javascript\s*[\x22\x27]\s*>\s+var\s*(?P<timestamp>[A-Za-z0-9]{1,25})\s*=\s*\(new\sDate\(\)\)\.getTime\(\)\;\s+(?P<url>[A-Za-z0-9]{1,25})\s*=\s*[\x22\x27]\s*[^\r\n]+\.php\?JBOSSESSION=\s*[\x22\x27]\s+(?P<urlvar2>[A-Za-z0-9]{1,25})\s*=\s*(?P=url)\s*\+\s*(?P=timestamp)\s+window\.location\.href\s*=\s*(?P=urlvar2)\s+/Rsi"; content:"</script>"; distance:0; classtype:exploit-kit; sid:2025912; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sgahugu4ijgji.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029613; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution < 2.6.4 phpthumb.php RCE Attempt"; flow:established,to_server; urilen:31; http.method; content:"POST"; http.uri; content:"/connectors/system/phpthumb.php"; fast_pattern; http.request_body; content:"<?php"; nocase; content:"($_SERVER"; nocase; distance:0; reference:url,exploit-db.com/exploits/45055/; classtype:web-application-attack; sid:2025917; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_27, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asggh554tgahhr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029614; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Underminer EK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7|0d 0a|"; file.data; content:"style=|22|width|3a|1px|3b|height|3a|1px|22|"; nocase; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; nocase; content:"px|3b 20|width|3a 20|1px|3b 20|height|3a 20|1px|3b 22|"; within:40; content:"<!--[if lte IE 6]>"; nocase; distance:0; fast_pattern; content:"if(!!window.ActiveXObject && typeof("; nocase; distance:0; content:"<!--[if gte IE 7]>"; nocase; distance:0; content:"if(!!window.ActiveXObject && typeof("; nocase; distance:0; pcre:"/^[^\r\n]+\s*\)\s*\!==\s*[\x22\x27]undefined[\x22\x27]\s*\)\{\s+var\s+(?P<var>[A-Za-z0-9]{1,25})\s*=\s*[^\.]+\.getElementById\s*\([\x22\x2][^\x22\x27]+[\x22\x27]\s*\)\s*\x3b\s+(?P=var)\s*\.\s*elements\[[\x22\x27][^\x22\x27]+[\x22\x27]\]\.value\s*=\s*[0-9]{1,15}\s*\;/Rsi"; content:"src="; nocase; distance:0; pcre:"/^\s*[\x22\x27][^\r\n]+\/[a-z0-9]{20,40}\.js[\x22\x27]\s*>\s*<\/script>\s*<\/body>/Rs"; classtype:exploit-kit; sid:2025916; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; depth:2; classtype:trojan-activity; sid:2015050; rev:6; metadata:created_at 2012_07_12, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-07-30"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/customer-IDPP00"; fast_pattern; content:"/myaccount/signin/"; nocase; distance:0; classtype:social-engineering; sid:2025919; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex Post to CnC"; flow:established,to_server; content:"|0d 0a 0d 0a de ad be ef|"; fast_pattern; http.method; content:"POST"; http.uri; content:!"."; http.host; content:!"hbi-ingest.net"; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:command-and-control; sid:2015028; rev:8; metadata:created_at 2012_07_06, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Volexity - JS Sniffer Data Theft Beacon Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"=WyJ1cmw"; distance:0; fast_pattern; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:trojan-activity; sid:2025880; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Stealer, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; fast_pattern; http.accept_enc; content:"*|3b|q=0"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2014562; rev:5; metadata:created_at 2012_04_13, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check whatismyip.com Automation Page"; flow:established,to_server; http.uri; content:"/automation/n09230945.asp"; reference:url,doc.emergingthreats.net/2008985; classtype:attempted-recon; sid:2008985; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; http.host; content:!"pandora.com"; content:!"wordpress.com"; http.start; content:"= HTTP/1.1|0D 0A|Host|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:command-and-control; sid:2014409; rev:8; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"whatismyip."; classtype:attempted-recon; sid:2008986; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 60"; flow:established,to_server; content:"|30 d0 52 71 74 3c 46 41 ac f3 4e|"; depth:11; fast_pattern; content:"|4e 3b|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026500; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"showip."; fast_pattern; pcre:"/^[^\r\n]+showip\.[a-z]+(?:\x3a\d{1,5})?$/"; reference:url,doc.emergingthreats.net/2008987; classtype:attempted-recon; sid:2008987; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 28"; flow:established,to_server; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:command-and-control; sid:2026018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)"; flow:to_server,established; http.host; content:"showmyipaddress.com"; classtype:policy-violation; sid:2025920; rev:4; metadata:created_at 2012_12_12, former_category POLICY, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 63"; flow:established,to_server; content:"|d1 ef 79 30 f1 d3 16 52 6d e9 f3|"; depth:11; fast_pattern; content:"|25 fc|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026503; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".ipchicken.com"; reference:url,doc.emergingthreats.net/2009020; classtype:attempted-recon; sid:2009020; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 67"; flow:established,to_server; content:"|0b 7e 42 80 62 68 98 84 a8 66 28|"; depth:11; fast_pattern; content:"|39 f3|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (icanhazip. com in HTTP Host)"; flow:established,to_server; http.host; content:"icanhazip.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:attempted-recon; sid:2017398; rev:6; metadata:created_at 2013_08_30, former_category POLICY, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos RAT Checkin 23"; flow:established,to_server; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:command-and-control; sid:2025637; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-01"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&t2="; nocase; distance:0; content:"&t3="; nocase; distance:0; content:"&t4="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025932; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 58"; flow:established,to_server; content:"|05 3b 09 6a f6 9e f9 65 e5 38 b3|"; depth:11; fast_pattern; content:"|4d 70|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Downloader (JEUSD) CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|upload|22 3b 20|filename=|22|temp.gif|22 0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.360.cn/blog/apt-c-26/; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048a; classtype:command-and-control; sid:2025991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 62"; flow:established,to_server; content:"|46 4f 3e 16 69 12 4c e2 9a c2 28|"; depth:11; fast_pattern; content:"|a3 09|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP_CONNECT_)"; flow:established,to_server; http.user_agent; content:"HTTP_Connect_"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; classtype:bad-unknown; sid:2007821; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 30"; flow:established,to_server; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026020; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 11"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,d110be58537aa8420a9c25f4879ca77b; classtype:command-and-control; sid:2025993; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family Smoke_Loader, malware_family SmokeLoader, signature_severity Major, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:command-and-control; sid:2025984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_09, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Spy.Agent.PMJ (MICROPSIA)"; flow:established, to_server; http.method; content:"POST"; http.request_body; content:"daenerys="; depth:9; fast_pattern; content:"betriebssystem="; distance:0; content:"anwendung="; distance:0; content:"AV="; distance:0; content:"frankie="; distance:0; classtype:trojan-activity; sid:2025994; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 55"; flow:established,to_server; content:"|2f 81 e4 ab 65 ab 1c 0d b9 8c e8|"; depth:11; fast_pattern; content:"|b6 13|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026495; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) HTTP Header"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_len; byte_test:0,>,1000,0,string,dec; byte_test:0,<,2000,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; classtype:trojan-activity; sid:2026001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 109"; flow:established,to_server; content:"|5b bc 1f 13 45 60 61 fd 0d 43 7f|"; depth:11; fast_pattern; content:"|3e 41|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish Phish 2018-08-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2026006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 29"; flow:established,to_server; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026019; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET SCAN Geutebrueck re_porter 7.8.974.20 Information Disclosure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/statistics/gscsetup.xml"; reference:cve,2018-15534; reference:url,exploit-db.com/exploits/45240/; classtype:attempted-recon; sid:2026008; rev:2; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 56"; flow:established,to_server; content:"|7d b5 14 83 61 23 20 d9 44 8a a7|"; depth:11; fast_pattern; content:"|2c da|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 1"; flow:established,to_server; http.uri; content:"/modifychannel/exec?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026009; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 27"; flow:established,to_server; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026017; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 2"; flow:established,to_server; http.uri; content:"/images/IOMemoryPool.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026010; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,98202283d7752779abd092665e80af71; classtype:command-and-control; sid:2025921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, former_category MALWARE, malware_family Remcos, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 3"; flow:established,to_server; http.uri; content:"/images/Statistics.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026011; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 59"; flow:established,to_server; content:"|ed d1 72 f7 67 72 6f 57 ec 23 3c|"; depth:11; fast_pattern; content:"|59 73|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 4"; flow:established,to_server; http.uri; content:"/images/GLIBBackground.jpg?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026012; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 61"; flow:established,to_server; content:"|f3 85 1c e5 6c 10 d9 78 fa 64 de|"; depth:11; fast_pattern; content:"|78 49|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026501; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 5"; flow:established,to_server; http.uri; content:"/images/MainMemoryPool.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026013; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 54"; flow:established,to_server; content:"|bc f5 5e 86 40 fa 48 95 a8 9e 28|"; depth:11; fast_pattern; content:"|ba 38|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 6"; flow:established,to_server; http.uri; content:"/images/ProcessMemory.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026014; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 57"; flow:established,to_server; content:"|56 1e 2c fa 6e cc e4 74 40 48 df|"; depth:11; fast_pattern; content:"|22 30|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET SCAN Hikvision IP Camera 5.4.0 Information Disclosure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/System/configurationFile?auth=YWRtaW46MTEK"; reference:url,exploit-db.com/exploits/45231/; classtype:attempted-recon; sid:2026015; rev:2; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 26"; flow:established,to_server; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026016; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI M2"; flow:to_server,established; http.uri; content:"java.lang.Runtime|25|40getRuntime().exec("; nocase; classtype:attempted-user; sid:2026024; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 64"; flow:established,to_server; content:"|d7 9e f0 38 3f f1 9a ab d6 74 00|"; depth:11; fast_pattern; content:"|15 46|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1"; flow:to_server,established; http.uri; content:"memberAccess"; content:"allowStaticMethodAccess"; distance:0; content:"java.lang.Runtime|25|40getRuntime().exec("; nocase; fast_pattern; distance:0; content:".getInputStream()"; content:"java.io.InputStreamReader("; content:"java.io.BufferedReader("; content:".read("; content:"org.apache.struts2.ServletActionContext"; content:"getResponse().getWriter()"; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026025; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 84"; flow:established,to_server; content:"|d5 c2 f9 4e 0a 7b 1c 62  a1 49 05|"; depth:11; fast_pattern; content:"|5d fe|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,12346b292b752af5ad924239eac02a09; classtype:command-and-control; sid:2026901; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2"; flow:to_server,established; http.uri; content:"memberAccess"; content:"allowStaticMethodAccess"; distance:0; content:"java.lang.Runtime@getRuntime().exec("; nocase; fast_pattern; distance:0; content:".getInputStream"; content:"java.io.InputStreamReader"; content:"java.io.BufferedReader"; content:".read"; content:"@org.apache.struts2.ServletActionContext@getResponse"; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026026; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 66"; flow:established,to_server; content:"|12 37 57 b2 1e 20 12 3d f1 8a 24|"; depth:11; fast_pattern; content:"|d3 86|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Unix)"; flow:established,to_server; content:"|5c 5c|x73|5c 5c|x68|5c 5c|x20|5c 5c|x2d|5c 5c|x63"; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026028; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 68"; flow:established,to_server; content:"|62 8d 57 43 81 41 32 36 55 5e 26|"; depth:11; fast_pattern; content:"|ec 50|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Linux)"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; content:".deb"; content:"/var/lib/sdn/uploads"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026029; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 65"; flow:established,to_server; content:"|ba e7 11 d6 b7 9f b5 c9 1d 10 58|"; depth:11; fast_pattern; content:"|4f 3a|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts inbound .getWriter OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:".getWriter"; fast_pattern; distance:0; reference:cve,2018-11776; classtype:attempted-admin; sid:2026032; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download (Security)"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"security"; fast_pattern; nocase; within:50; content:!"ALLOW-FROM www.onecallnow.com"; pcre:"/filename\x3D\x22[^\r\n]*security[^\n]+\.exe/i"; http.content_type; content:!"text/xml"; depth:8; classtype:trojan-activity; sid:2012981; rev:7; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts java.lang inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:"java|2E|lang"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026033; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"feb.kkooppt.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts inbound .getClass OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:".getClass"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026034; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"compdate.my03.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029627; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway SQL Injection"; flow:established,to_server; http.uri; content:"/enginelist.php"; fast_pattern; http.request_body; content:"appkey="; pcre:"/^[a-z0-9A-Z]+\x252[270]/R"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb; classtype:attempted-user; sid:2026036; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_08_24, cve cve_2018_12464, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"jocoly.esvnpe.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway Remote Code Execution"; flow:established,to_server; http.uri; content:"/manage_domains_save_data.json.php?cache="; http.request_body; content:"%24%28"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb; classtype:attempted-user; sid:2026037; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_08_24, cve cve_2018_12465, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bmy.hqoohoa.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_Fan WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|win32_fan"; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bur.vueleslie.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (MSAcpi_ThermalZoneTemperature WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|MSAcpi_ThermalZoneTemperature"; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026075; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"wind.windmilldrops.com"; bsize:22; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_PointingDevice WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_PointingDevice"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026076; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Joia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ABCDIMQ"; depth:7; fast_pattern; http.start; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,7e10e615edd111a5b77266c862aca78a; classtype:command-and-control; sid:2029641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_DiskDevice WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_DiskDevice"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MZRevenge Ransomware CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.request_body; content:"filename|3d 22|TVpS"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=--------"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029647; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_BaseBoard WMI)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_BaseBoard"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026078; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag Enumeration, tag Anti_VM, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms M2"; flow:established,from_server; http.stat_code; content:"404"; http.header; content:"Content-Length|3a 20|148|0d 0a|"; fast_pattern; http.content_type; content:"text/html"; depth:9; file.data; content:!"<html"; nocase; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|23|_memberAccess"; fast_pattern; content:".getWriter"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026094; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:web-application-attack; sid:2029037; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"com|2E|opensymphony"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026095; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
+alert tcp-pkt $HOME_NET any -> any any (msg:"ET MALWARE Pay2Key Ransomware - Sending RSA Key"; flow:established,to_server; dsize:286; content:"|10 10 00 00 00 00 14 01 00 00 06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00|"; startswith; reference:url,research.checkpoint.com/2020/ransomware-alert-pay2key/; classtype:command-and-control; sid:2031192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|2E|getWriter"; fast_pattern; content:"symphony|2E|"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026096; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"546874.tk"; nocase; endswith; classtype:domain-c2; sid:2029715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BanloadDownloader.XZY Retrieving Payload"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sosdoudou_V3/"; fast_pattern; http.user_agent; content:"WinHttp.WinHttpRequest"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,98376de10118892f0773617da137c2be; reference:md5,599ea45f5420f948e0836239eb3ce772; classtype:trojan-activity; sid:2024499; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_26, deployment Perimeter, former_category TROJAN, malware_family Banload, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a54cf56.tk"; nocase; endswith; classtype:domain-c2; sid:2029716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Monero Miner CnC Channel TXT Lookup"; threshold:type limit, track by_src, count 1, seconds 300; dns.query; content:".c2kgw8jt5869nspr4.com"; fast_pattern; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:command-and-control; sid:2026097; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0x4fc271.tk"; nocase; endswith; classtype:domain-c2; sid:2029717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Monero Miner CnC Channel Secondary Domain Lookup"; threshold:type limit, track by_src, count 1, seconds 300; dns.query; content:"mylog.icu"; reference:md5,2a2219f1dbb6039f52a5792a87cf760a; classtype:command-and-control; sid:2026098; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"change-password.ml"; nocase; endswith; classtype:domain-c2; sid:2029718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aura Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"{KIARA}"; fast_pattern; http.request_body; content:"id="; depth:3; content:"&guid="; http.header_names; content:!"Referer"; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:command-and-control; sid:2026099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id24556.tk"; nocase; endswith; classtype:domain-c2; sid:2029719; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Eredel Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; content:"&os="; content:"&cookie="; content:"&pswd="; fast_pattern; content:"&telegram="; content:"&version=v"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,4b5e27e843e1b26aedec66f9e87c9960; classtype:command-and-control; sid:2025982; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category MALWARE, malware_family Eredel, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id451295.com"; nocase; endswith; classtype:domain-c2; sid:2029720; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SonicWall Global Management System - XMLRPC set_time_zone Command Injection (CVE-2018-9866)"; flow:established,to_server; http.request_body; content:"<methodName>set_time_"; fast_pattern; content:"<string>|22 60|"; distance:0; reference:url,exploit-db.com/exploits/45124/; reference:cve,2018-9866; classtype:attempted-user; sid:2026023; rev:4; metadata:attack_target Server, created_at 2018_08_23, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"yahoo-change-password.com"; endswith; classtype:domain-c2; sid:2029721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution M2"; flow:to_server,established; http.uri; content:"/board.cgi"; fast_pattern; http.request_body; content:"cmd="; depth:4; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,blogs.securiteam.com/index.php/archives/3445; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026103; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a5.tk"; nocase; endswith; classtype:domain-c2; sid:2029722; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT EnGenius EnShare IoT Gigabit Cloud Service RCE"; flow:to_server,established; http.uri; content:"/usbinteract.cgi"; http.request_body; content:"action=7&path="; fast_pattern; depth:14; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026104; rev:3; metadata:created_at 2018_09_10, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id6589.com"; nocase; endswith; classtype:domain-c2; sid:2029723; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)"; flow:to_server,established; http.uri; content:"/cgi-bin/luci/"; content:"stok="; content:"/nslookup?nslookup_button=nslookup_button&"; fast_pattern; reference:cve,2017-6884; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026105; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; nocase; pcre:"/^[A-F0-9]{30}$/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025164; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NetGain Enterprise Manager 7.2.562 Ping Command Injection"; flow:to_server,established; http.uri; content:"/exec.jsp"; http.request_body; content:"command=cmd"; fast_pattern; content:"ping&argument="; distance:0; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026106; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?cx="; nocase; fast_pattern; content:"&b="; nocase; distance:0; content:"&gt="; nocase; distance:0; content:"&tx="; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/i"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025163; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection M2"; flow:to_server,established; http.uri; content:"/cgi_system?cmd=saveconfig"; http.request_body; content:"bfolder="; pcre:"/(?:\x60|\x24)/"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026108; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Initial Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?t="; depth:4; content:"&&s="; distance:0; content:"&&p="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:65; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027439; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AnubisStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.logsbanks.xyz"; nocase; endswith; classtype:domain-c2; sid:2030730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_25, deployment Perimeter, former_category MALWARE, malware_family AnubisStealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027440; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded WScript.Shell Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x57|5c|x53|5c|x63|5c|x72|5c|x69|5c|x70|5c|x74|5c|x2E|5c|x53|5c|x68|5c|x65|5c|x6C|5c|x6C"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConstructorWin32/Agent.V"; flow:to_server,established; http.header; content:"|0d 0a|Pragma|3a 20|no-catch|0d 0a|"; http.request_line; content:"GET http://"; depth:11; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"X-HOST|0d 0a|"; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:10; metadata:created_at 2012_04_26, updated_at 2020_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PowerShell Args Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x70|5c|x6F|5c|x77|5c|x65|5c|x72|5c|x73|5c|x68|5c|x65|5c|x6C|5c|x6C|5c|x2E|5c|x65|5c|x78|5c|x65"; content:"|5c|x2D|5c|x65|5c|x78|5c|x65|5c|x63|5c|x75|5c|x74|5c|x69|5c|x6F|5c|x6E|5c|x70|5c|x6F|5c|x6C|5c|x69|5c|x63|5c|x79|5c|x20|5c|x62|5c|x79|5c|x70|5c|x61|5c|x73|5c|x73"; distance:0; fast_pattern; content:"|5c|x2D|5c|x77|5c|x69|5c|x6E|5c|x64|5c|x6F|5c|x77|5c|x73|5c|x74|5c|x79|5c|x6C|5c|x65|5c|x20|5c|x68|5c|x69|5c|x64|5c|x64|5c|x65|5c|x6E"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026331; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"System Idle Process"; fast_pattern; content:"|49 6d 61 67 65 20 4e 61 6d 65|"; content:"|50 49 44 20 53 65 73 73 69 6f 6e 20 4e 61 6d 65|"; distance:0; content:"|53 65 73 73 69 6f 6e 23|"; distance:0; content:"|4d 65 6d 20 55 73 61 67 65|"; distance:0; content:"svchost.exe"; content:"winlogon.exe"; classtype:trojan-activity; sid:2018886; rev:4; metadata:created_at 2014_08_04, updated_at 2020_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/Xbash Hex Encoded PS WebClient Object Inbound - Stage 1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5c|x73|5c|x79|5c|x73|5c|x74|5c|x65|5c|x6D|5c|x2E|5c|x6E|5c|x65|5c|x74|5c|x2E|5c|x77|5c|x65|5c|x62|5c|x63|5c|x6C|5c|x69|5c|x65|5c|x6E|5c|x74|5c|x29|5c|x2E|5c|x64|5c|x6F|5c|x77|5c|x6E|5c|x6C|5c|x6F|5c|x61|5c|x64|5c|x66|5c|x69|5c|x6C|5c|x65|5c|x28"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; reference:md5,3b5baecd61190e12a526c51d5ecccbbe; classtype:trojan-activity; sid:2026333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category TROJAN, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"usuario="; startswith; content:"|20|-|20|"; distance:0; content:"|20|-|20|"; distance:0; content:"&llave1="; distance:0; content:"&llave2="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:command-and-control; sid:2029736; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2026360; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; http.uri; pcre:"/^\/ucD[A-Za-z0-9_\/\-+]{171}$/"; http.request_line; content:"GET|20|/ucD"; fast_pattern; content:"|20|HTTP/1.1"; distance:171; within:9; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/meterpreter.profile; classtype:command-and-control; sid:2029742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-24"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"account="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2026362; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; http.user_agent; content:"Shockwave Flash"; bsize:15; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.request_line; content:"GET|20|/idle/1376547834/1|20|HTTP/1.1"; fast_pattern; bsize:31; http.content_type; content:"application/x-fcs"; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/rtmp.profile; classtype:command-and-control; sid:2029744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; pcre:"/\.(?:bmp|png|gif|jpg)$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.request_body; content:"wfKD6iudumBkmp"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_type; content:"multipart/form-data"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:command-and-control; sid:2025638; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_04, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_08_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Plurox Backdoor CnC Checkin"; flow:established,to_server; content:"|aa 95 82 71|"; depth:4; content:"|01 00 00 00 00 00 00 00|"; distance:4; within:8; content:"|95 82 71 aa 95 82 71|"; endswith; fast_pattern; reference:md5,c5b42399a6636de5014e2934ef08278f; reference:url,securelist.com/plurox-modular-backdoor/91213/; classtype:command-and-control; sid:2027506; rev:4; metadata:created_at 2019_06_21, former_category MALWARE, updated_at 2020_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS_D0wnl0ad3r Screenshot Upload"; flow:to_server,established; http.method; content:"POST"; http.header; content:"boundary=MS_D0wnl0ad3r"; reference:md5,f40248a592ed711d95eb8b48b31a1ed8; classtype:trojan-activity; sid:2026361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category TROJAN, malware_family Downloader, signature_severity Major, updated_at 2020_08_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Check Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK>"; endswith; fast_pattern; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>$/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027707; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS_D0wnl0ad3r Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?hwid="; http.header; content:"en-gb|5c|Accept"; http.user_agent; content:"Gecko/20070725 Firefox/2.0.0.6"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026363; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"system0_update04driver_roots.dynamic-dns.net"; bsize:44; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct)"; flow:established,from_server; threshold:type limit, count 1, seconds 60, track by_src; http.stat_code; content:"200"; file.data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|AntiVirusProduct"; distance:0; fast_pattern; nocase; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Enumeration, updated_at 2020_08_25;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"sys_andriod20_designer.dynamic-dns.net"; bsize:38; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct)"; flow:established,from_server; threshold:type limit, count 1, seconds 60, track by_src; http.stat_code; content:"200"; file.data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|AntiSpywareProduct"; distance:0; fast_pattern; nocase; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026414; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Enumeration, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (jquery Profile)"; flow:established,to_server; http.cookie; bsize:179; content:"session-"; depth:8; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/R"; http.start; content:"GET|20|/jquery.min.js|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|session-"; startswith; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (FirewallProduct)"; flow:established,from_server; threshold:type limit, count 1, seconds 60, track by_src; http.stat_code; content:"200"; file.data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|FirewallProduct"; distance:0; fast_pattern; nocase; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_26, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Enumeration, updated_at 2020_08_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common RAT Connectivity Check Observed"; flow:to_server,established; urilen:6; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; depth:65; http.host; content:"ip-api.com"; depth:10; endswith; http.request_line; content:"GET /json/"; depth:10; fast_pattern; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:34; endswith; reference:md5,69aeb53d5d8792e5479966aeed917bc4; classtype:trojan-activity; sid:2036383; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family Qasar_Rat, malware_family AZORult, malware_family VoidRat, signature_severity Major, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected DNS2TCP Auth"; dns.query; content:".=auth."; fast_pattern; pcre:"/^[A-Za-z0-9\/\-\+]{40,}\.=auth\./"; classtype:trojan-activity; sid:2026416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category TROJAN, malware_family DNS2TCP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil"; flow:established,to_server; content:"|50 4b 03 04 14 00|"; depth:6; content:"Desktop.png"; distance:0; fast_pattern; reference:md5,20f025a45247cc0289e666057149c28e; reference:md5,7f053ba33d6e4bf07a15ee65dd2b0d92; reference:url,twitter.com/3xp0rtblog/status/1455134317710090248; reference:md5,490f0cff27a1cff0aead0ca3864e15d6; classtype:command-and-control; sid:2031198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, malware_family HunterStealer, malware_family AlfonsoStealer, malware_family PhoenixStealer, signature_severity Major, updated_at 2020_11_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected DNS2TCP Connect"; dns.query; content:".=connect."; fast_pattern; pcre:"/^[A-Za-z0-9\/\-\+]{10,}\.=connect\./"; classtype:trojan-activity; sid:2026417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category TROJAN, malware_family DNS2TCP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-standard.com"; bsize:22; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030966; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected fraud-bridge DNS Tunnel"; threshold:type both, track by_src, count 60, seconds 10; dns.query; content:"AAAA--."; pcre:"/^[A-Za-z0-9\/\-\+]{10,}AAAA--\./s"; classtype:trojan-activity; sid:2026418; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category TROJAN, malware_family fraud_bridge, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=bing-analytics.com"; bsize:21; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030967; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Key POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/"; content:".html"; distance:26; within:5; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/"; http.cookie; content:"token="; depth:6; http.request_body; content:"{|22|mode|22 3a|10,|22|key|22 3a 22|"; nocase; depth:18; fast_pattern; http.content_type; content:"text/plain|3b|charset=UTF-8"; classtype:exploit-kit; sid:2026421; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-money.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030968; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Resource File Download M1"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/static/tinyjs.min.js"; fast_pattern; http.header; content:"/"; content:".html|0d 0a|"; distance:26; within:7; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/i"; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2026422; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-assist.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030970; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK Resource File Download M2"; flow:established,to_server; urilen:22; http.method; content:"GET"; http.uri; content:"/static/encrypt.min.js"; fast_pattern; http.header; content:"/"; content:".html|0d 0a|"; distance:26; within:7; http.referer; content:".html"; endswith; pcre:"/^[^\r\n]+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html/i"; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2026423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-debit.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030971; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Plugin Check"; flow:established,to_client; http.header; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; file.data; content:"name:location.hostname,init:function()"; nocase; within:300; content:"document.body.appendChild(UserData.userData)"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:".setAttribute(|22|type|22|,|22|application/x-shockwave-flash|22|)"; nocase; distance:0; content:".test(navigator.userAgent)?function"; nocase; distance:0; content:"map([|22|ShockwaveFlash.ShockwaveFlash|22|,|22|AcroPDF.PDF|22|,|22|PDF.PdfCtrl|22|,|22|QuickTime.QuickTime|22|,|22|RealPlayer|22|,|22|SWCtl.SWCtl|22|,|22|WMPlayer.OCX|22|,|22|AgControl.AgControl|22|,|22|Skype.Detection|22|]"; nocase; fast_pattern; classtype:exploit-kit; sid:2026424; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=connect-facebook.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030972; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Underminer EK Flash/WAV Loader"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|private|3b 20|no-store|3b 20|no-cache|0d 0a|"; content:"Content-Encoding|3a 20|gzip|0d 0a|"; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7"; file.data; content:"function getSalt(){"; nocase; content:"function getAudioResource(){"; nocase; distance:0; fast_pattern; content:"/"; distance:0; content:".wav|22 3b|"; nocase; distance:26; within:6; content:"<param name=|22|movie|22 20|value=|22|"; nocase; distance:0; content:"/"; distance:0; content:".swf|22|"; nocase; distance:26; within:5; content:"<embed src=|22|"; nocase; distance:0; content:"/"; distance:0; content:".swf|22 20|allowScriptAccess=|22|always|22 20|type=|22|application/x-shockwave-flash|22|"; nocase; distance:26; within:69; classtype:exploit-kit; sid:2026425; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_08_25;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn-jquery.com"; bsize:17; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030973; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Password Stealer User Agent Detected (RookIE)"; flow:established,to_server; http.user_agent; content:"RookIE"; depth:6; http.host; content:!"www.ugee.com.cn"; reference:url,doc.emergingthreats.net/2003635; classtype:trojan-activity; sid:2003635; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-assistant.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030974; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hello Peppa! Scan Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"=die(|27|Hello, Peppa!|27|"; fast_pattern; reference:url,isc.sans.edu/diary/rss/23860; classtype:attempted-recon; sid:2026464; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category SCAN, malware_family Hello_Peppa, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypalapiobjects.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030975; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026466; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-tasks.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030976; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware End Activity"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|End"; distance:0; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aEnd(?:\x3a[0-9]{1,5})?$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026473; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=jquery-insert.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030977; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php?clickid="; fast_pattern; pcre:"/^[a-z0-9]{6,15}$/Ri"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Coinminer, tag SocEng, tag CoinMinerCampaign, updated_at 2020_08_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=googleapimanager.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.6.0_"; content:!"211"; within:3; reference:url,www.oracle.com/technetwork/articles/javase/overview-156328.html; classtype:bad-unknown; sid:2011582; rev:55; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize:<50; content:"info|7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; distance:0; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^id=[^&%]+%40[^&]+&pass=/i"; classtype:credential-theft; sid:2026492; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF Linux/Dnsamp.AB Variant CnC"; flow:established,to_server; dsize:84; content:"|54|"; depth:1; content:"|11|"; distance:6; within:1; content:"|95 08 00 00 01 00 00 00|"; distance:68; within:8; fast_pattern; isdataat:!1,relative; reference:md5,b1fcab441a1221b33206924f12af64a0; reference:url,intezer.com/blog/ddos/chinaz-updates-toolkit-by-introducing-new-undetected-malware/; classtype:command-and-control; sid:2029839; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (302) 2016-12-16"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a|"; nocase; pcre:"/^\s*(?:\./|\.\./)*(?:s(?:e(?:curity(?:-check|cvv)|rver|condpage)|uccess)|l(?:o(?:ad(?:ing|er)|g(?:off))|iamg)|d(?:e(?:livery|tails)|one|hl)|i(?:d(?:entity)?|ndex2|i)|p(?:ro(?:cess(?:ing)?|file)|hone|ass|in|ayment)|w(?:e(?:iter|bsc)|ait)|t(?:hanky[o0]u|racking)|v(?:alidate|erify?|bv)|L(?:oginVerification|L1|2|ogin2)|f(?:orward|irst|in(?:al|ish))|b(?:illing2?|ank)|e(?:rror|xcel|nd)|questions|1loader|account|recova|confirm|outlook|update(?:bill|card)?|good|SS|verification|qes|upgrade2?|activation|check(?:ing)?|ex|indexx|warning|re(?:name|try))\./Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2029657; rev:28; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE M3RAT CnC Checkin Outbound"; flow:established,to_server; content:"infoHacKed*"; depth:11; fast_pattern; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*Beta"; isdataat:!1,relative; reference:md5,5627e7aba7168aefe878e9251392542e; classtype:command-and-control; sid:2030144; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family M3RAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (aw)"; flow:established,to_server; dsize:<50; content:"aw|7c 7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Credential POST to Ngrok.io"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ngrok.io"; fast_pattern; classtype:credential-theft; sid:2026516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (in)"; flow:established,from_server; dsize:<50; content:"in|7c 7c|Screen_Numbers|7c 7c|"; nocase; depth:20; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2030141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Payment Domain (gandcrab in DNS Lookup)"; dns.query; content:"gandcrab"; depth:8; nocase; pcre:"/^[a-z0-9]{8}/R"; classtype:trojan-activity; sid:2025496; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (ds)"; flow:established,to_server; dsize:<50; content:"ds|7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c 7c|"; distance:0; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Chacha.DDoS/Xor.DDoS Stage 2 CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"LuaSocket|20|"; depth:10; fast_pattern; http.request_body; content:"macaddress="; depth:11; content:"&device="; distance:0; content:"&type="; distance:0; content:"&version="; distance:0; http.connection; content:"close,|20|TE"; depth:9; http.header_names; content:"TE|0d 0a 0d 0a|"; content:!"Referer"; reference:url,www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/; classtype:command-and-control; sid:2026523; rev:2; metadata:affected_product Linux, created_at 2018_10_18, deployment Perimeter, former_category MALWARE, malware_family ChaChaDDoS, malware_family XorDDoS, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2020_08_26;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Screenshot Outbound"; flow:established,to_server; content:"|40 7c 7c|"; depth:3; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01|"; within:100; content:"|7c|Boss2019|7c|"; fast_pattern; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030143; rev:3; metadata:affected_product Windows_DNS_server, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-18"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2026518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer Init Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"guid="; depth:5; content:"&crederror="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows XP)"; flow:to_server,established; http.user_agent; content:"Windows XP"; depth:10; classtype:bad-unknown; sid:2026519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Download URI Struct with no referer"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\d+\/\d+\.exe$/"; http.user_agent; content:!"LogitechUpdate"; depth:14; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2021245; rev:9; metadata:created_at 2015_06_10, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 8)"; flow:to_server,established; http.user_agent; content:"Windows 8"; depth:9; classtype:bad-unknown; sid:2026520; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - MAL_REFERER"; flow:established,to_server; http.method; content:"GET"; http.header; content:"&bvm=bv.81"; fast_pattern; content:"|2c|d."; distance:6; within:3; content:"|0d 0a|"; distance:3; within:2; content:"Referer|3a 20|https|3a|//www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd="; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R"; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}\r\n/R"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2024004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 7)"; flow:to_server,established; http.user_agent; content:"Windows 7"; depth:9; classtype:bad-unknown; sid:2026522; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|7c 20|Processor|3a 20|"; content:"|7c 20|Cores|3a 20|"; distance:0; content:"|7c 20|Videocard|3a 20|"; distance:0; content:"|7c 20|SmartScreen|3a 20|"; distance:0; content:"|7c 20|Defender|3a 20|"; distance:0; content:"|7c 20|Antivirus|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer; classtype:command-and-control; sid:2029813; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_05_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Backdoor CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.user_agent; content:"Mozilla v5.1 (Windows NT 6.1|3b 20|rv|3a|6.0.1) Gecko/20100101 Firefox/6.0.1"; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.)\d{1,3}$/"; http.request_body; content:"%0D%0AHost%20Name|3a|"; reference:md5,961e79a33f432ea96d2c8bf9eb010006; classtype:command-and-control; sid:2026527; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Zebrocy, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ModPipe CnC Activity (POST)"; flow:established,to_server; http.start; content:"POST /robots.txt HTTP/1."; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 8.0|3b 20|Windows|20|NT|20|6.1|3b 20|Trident/4.0)"; depth:63; isdataat:!1,relative; http.header_names; content:"Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/; classtype:command-and-control; sid:2031208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Get2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"box-cdn.com"; bsize:11; classtype:domain-c2; sid:2030795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot downloader Installing Zeus"; flow:to_server,established; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.uri; content:".exe"; fast_pattern; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; depth:30; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 29 0d 0a|Host|3a 20|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; endswith; classtype:trojan-activity; sid:2018421; rev:5; metadata:created_at 2014_04_25, updated_at 2020_11_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Get2 CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"first-destin.com"; bsize:16; classtype:domain-c2; sid:2030796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, malware_family Get2, signature_severity Major, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Lazarus Nukesped Downloader"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.header; content:"Accept-Language|3a 20|ko-KR|3b|q="; http.request_body; content:"fn="; depth:3; nocase; content:".gif&code="; nocase; distance:0; fast_pattern; pcre:"/^fn=[^&]*\.gif&code=\d+$/i"; reference:url,www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/; classtype:command-and-control; sid:2031207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader_x.EJK!tr CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.request_body; content:"VM|3a 20|"; startswith; content:"|0a|WINDOWS|3a 20|"; distance:0; content:"|0a|COMPNAME|3a 20|"; distance:0; fast_pattern; content:"|0a|dhcp|3a 20|"; distance:0; reference:md5,0241deba165817083c66fae17e09d68f; classtype:command-and-control; sid:2030797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/util.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,5aa703c714e3fa012289bb521687cb0f; classtype:command-and-control; sid:2029837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, malware_family KPOT_Stealer, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallCore.GF CnC Activity"; flow:established,to_server; http.request_line; content:"GET /installer/configs/"; startswith; fast_pattern; content:" HTTP/1.0"; endswith; http.user_agent; bsize:20; content:"NSISDL/1.2 (Mozilla)"; reference:md5,37cbc5d7eaa9ce6a097950aa051080b5; classtype:pup-activity; sid:2030798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category ADWARE_PUP, malware_family InstallCore, signature_severity Minor, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Server Reporting)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"log=save&session_id="; depth:20; fast_pattern; content:"&value="; distance:0; pcre:"/^log=save&session_id=[^&]+&value=[^&]+$/"; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Grandoreiro Downloader Activity"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"DIM PASTADOSISTEMACOMPLETA|2c|"; fast_pattern; content:"Http_LM.Open|20 22|GET|22 2c|SjjjjJJfhJ|20 2c|"; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; classtype:trojan-activity; sid:2030801; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.AAIB Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.user_agent; content:"WinHttpClient"; bsize:13; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; reference:md5,0e3b41da52382744e5b2c1c38be00f04; reference:url,www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf; classtype:command-and-control; sid:2029893; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Packity Proxy Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".packity.com"; endswith; reference:md5,47a200e64ea11b25efc9bf78c4b03a1c; classtype:domain-c2; sid:2030799; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_26;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 2"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; depth:65; http.host; content:"freegeoip.net"; depth:13; http.request_line; content:"GET /xml/ HTTP/1."; fast_pattern; depth:17; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:34; reference:md5,69aeb53d5d8792e5479966aeed917bc4; classtype:trojan-activity; sid:2036859; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family Qasar_Rat, malware_family VoidRat, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Packity Proxy Connection"; flow:established,to_server; http.start; content:"CONNECT /PROVIDER/PROXY2 HTTP/1.1|0d 0a|Host|3a 20|"; startswith; fast_pattern; content:"|0d 0a|Proxy-Authorization|3a 20|Basic "; distance:0; content:"=|0d 0a|"; distance:119; within:3; reference:md5,9d245ac24d0dad591d01d2ef52da3ead; classtype:bad-unknown; sid:2030800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_08_26;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Redkeeper Ransomware Domain"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwex.com"; nocase; endswith; classtype:domain-c2; sid:2029898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; pcre:"/^id=[^&]+&ps=/i"; classtype:credential-theft; sid:2026530; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/JSSLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=domenuscdm.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029920; rev:2; metadata:attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT28 DOC Uploader SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=mvtband.net"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; tls.cert_serial; content:"03:04:FF:5D:C9:BB:AC:50:C1:7B:3E:4C:1C:68:26:15:F0:3E"; reference:md5,9b10685b774a783eabfecdb6119a8aa3; classtype:targeted-activity; sid:2026539; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT28, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command"; flow: established,to_client; http.stat_code; content:"200"; file.data; content:"<?xml"; depth:5; content:"|22|JScript|22|><![CDATA[ eval("; within:500; fast_pattern; pcre:"/%comSpec%\s\/c\s(?:(?:\\x50)|(?:\\x70)|[Pp])\^?(?:(?:\\x4f)|(?:\\x5f)|[Oo])\^?(?:(?:\\x57)|(?:\\x77)|[Ww])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x52)|(?:\\x72)|[Rr])\^?(?:(?:\\x53)|(?:\\x73)|[Ss])\^?(?:(?:\\x48)|(?:\\x68)|[Hh])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x2e)|\.)\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x58)|(?:\\x78)|[Xx])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?\s/R"; classtype:trojan-activity; sid:2025558; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_11_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkTequila SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=OH, O=International Security Depart, CN=the-ebooks-store.com/emailAddress=contact@infws.com"; tls.cert_issuer; content:"O=International Security Depart, emailAddress=contact@infws.com, L=Greater Cleveland, ST=OH, C=US, CN=International Security Depart Ca"; tls.cert_serial; content:"00:ED"; reference:md5,9fbdc5eca123e81571e8966b9b4e4a1e; classtype:trojan-activity; sid:2026540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag DarkTequila, updated_at 2020_08_27;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ModPipe CnC Activity (Response)"; flow:established,to_client; http.stat_code; content:"405"; file.data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d|"; fast_pattern; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector; classtype:command-and-control; sid:2031209; rev:1; metadata:created_at 2020_11_16, former_category MALWARE, performance_impact Moderate, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?query="; fast_pattern; pcre:"/^\/[a-z]\.php\?query=[a-f0-9]{32}$/i"; http.request_body; content:"eyJpZCI6"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.content_type; content:"multipart/form-data|3b|"; http.protocol; content:"HTTP/1.0"; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.host; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_len; byte_test:0,>,4000,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:command-and-control; sid:2025455; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharik/Smoke Fake 404 Response with Payload Location"; flow:established,from_server; http.stat_code; content:"404"; file.data; content:"|00 00|Location|3a 20|"; depth:12; fast_pattern; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:trojan-activity; sid:2026556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag Fake_404, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"Accept-Language|3a 20|"; distance:0; content:"auth255|3a 20|login"; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; content:"Accept-Encoding|3a 20|gzip, deflate"; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{2}){23,60}$/R"; classtype:command-and-control; sid:2025530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Cryptocurrency Exchange Phish (set) 2018-10-25"; flow:established,to_server; flowbits:set,ET.Cryptocurrency_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"private_key="; depth:12; nocase; fast_pattern; classtype:credential-theft; sid:2026554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check"; flow:established,to_server; http.method; content:"GET"; urilen:1; http.header; content:"User-Agent|3a 20|WinHTTP loader/"; fast_pattern; http.host; bsize:21; content:"checkip.amazonaws.com"; http.header_names; content:!"Referer"; reference:md5,730b66cd89c8b4751dbe2c5158701a0b; classtype:trojan-activity; sid:2032216; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, malware_family AnchorTrickBot, signature_severity Major, updated_at 2020_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M1"; flow:established,to_server; threshold: type both, count 1, seconds 30, track by_dst; http.method; content:"GET"; http.uri; content:".aspx"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Win32|29|"; fast_pattern; http.cookie; pcre:"/^[A-F0-9]{50,}$/"; http.header_names; content:"Date"; content:"Connection"; content:"Pragma"; content:"Cache-Control"; reference:url,blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html; classtype:command-and-control; sid:2026565; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> [92.63.0.0/16,91.218.114.0/24,149.56.245.196] any (msg:"ET MALWARE Maze/ID Ransomware Activity"; flow:established,to_server; urilen:>1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv|3a|11.0) like Gecko"; depth:72; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,f83fb9ce6a83da58b20685c1d7e1e546; reference:md5,9823800f063a1d4ee7a749961db7540f; classtype:trojan-activity; sid:2027392; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, tag Maze, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.BackNet Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=%7B%22host_key%22%3A%22"; depth:28; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,aebb382b54e1521ad1309f66d29a1d1c; classtype:command-and-control; sid:2026572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category MALWARE, malware_family Stealer, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"clipbutton.com.br"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029991; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lordix Stealer Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hw="; content:"&ps="; distance:0; content:"&ck="; distance:0; content:"&fl="; distance:0; http.request_body; content:"log.txt"; content:"cookies/Chrome_Cookies.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:trojan-activity; sid:2026571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category TROJAN, malware_family Lordix, performance_impact Low, signature_severity Major, tag RAT, tag Stealer, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"tivents.de"; nocase; bsize:10; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029992; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT33/CharmingKitten Encrypted Payload Inbound"; flow:established,from_server; flowbits:isset,ET.APT33CharmingKitten.1; http.stat_code; content:"200"; http.header; content:"|0d 0a|CacheControl|3a 20|"; fast_pattern; file.data; pcre:"/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i"; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026578; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader - HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"mac="; fast_pattern; nocase; content:"key="; content:"ver="; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,doc.emergingthreats.net/2009549; classtype:trojan-activity; sid:2009549; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT29 CozyBear/SeaDaddy SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=Cnyunwei.CNC/emailAddress=root@Cnyunwei.CNC"; fast_pattern; tls.cert_serial; content:"46:76"; classtype:targeted-activity; sid:2026538; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag CozyBear, tag SeaDaddy, tag APT29, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Set"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/count.php?m=c&n="; content:"_"; distance:0; content:"@"; distance:0; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:trojan-activity; sid:2014803; rev:9; metadata:created_at 2011_11_05, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Kraken.v2 HTTP Pattern"; flow:established,to_server; http.user_agent; content:"Kraken web request agent/"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,e1aee9ef64d71e0c9bb8eee9742efdef; reference:url,securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/; classtype:trojan-activity; sid:2026588; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_09, deployment Perimeter, former_category TROJAN, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_22, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=GB, ST=Berkshire, L=Newbury, O=My Company Ltd"; tls.cert_serial; content:"00:BD:98:61:EE:0E:3E:D9:1D"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026589; rev:2; metadata:attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Win32/Cridex Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z0-9+]+?\/){3}$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Host|3a 20|"; depth:19; content:"Cache-Control|3a 20|no-cache"; distance:0; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080$/"; http.connection; content:"Keep-Alive"; bsize:10; http.content_len; byte_test:0,>,99,0,string,dec; byte_test:0,<,1000,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:command-and-control; sid:2017305; rev:5; metadata:created_at 2013_08_09, former_category MALWARE, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=gooqleasadservices.com"; tls.cert_serial; content:"3E:B7:66:78:6D:FB:52:ED:59:7A:DD:25:52:47:04:A8"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK Related Domain in DNS Lookup"; dns.query; content:"sophosfirewallupdate.com"; nocase; bsize:24; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030031; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"C=RU, OU=Domain Control Validated, CN=www.magento.name"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026602; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK CnC Domain in DNS Lookup"; dns.query; content:"sophosproductupdate.com"; nocase; bsize:23; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030033; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 5 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=localhost.localdomain"; tls.cert_serial; content:"00:FF:A1:F0:8C:C1:45:51:3E"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"forgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030041; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M1 (Enable Registration)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin-ajax.php"; http.request_body; content:"action=wpgdprc_"; fast_pattern; content:"users_can_register|22|,|22|value|22 3a 22|1"; distance:0; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026605; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag PrivilegeEsc, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"bestgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030042; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M2 (Set as Administrator)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin-ajax.php"; http.request_body; content:"action=wpgdprc_"; fast_pattern; content:"default_role|22|,|22|value|22 3a 22|administrator"; distance:0; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026606; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag PrivilegeEsc, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"thegame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030043; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Bot Reporting Vulnerable Server to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pma.php?ip="; depth:12; fast_pattern; pcre:"/^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$/R"; reference:url,www.intezer.com/muhstik-botnet-reloaded-new-variants-targeting-phpmyadmin-servers/; classtype:command-and-control; sid:2026607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_14, deployment Perimeter, former_category MALWARE, malware_family Muhstik, performance_impact Low, signature_severity Major, tag DDoS, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"newgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030044; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Muhstik Scanner Module Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?lang=en-utf-8&"; fast_pattern; http.header; content:"Keep-Alive|3a 20|300|0d 0a|"; http.user_agent; content:"Windows NT 10.0|3b 20|Win64|3b 20|x64"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; reference:url,www.intezer.com/muhstik-botnet-reloaded-new-variants-targeting-phpmyadmin-servers/; classtype:trojan-activity; sid:2026610; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2018_11_15, deployment Perimeter, former_category TROJAN, malware_family Muhstik, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"portgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030045; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Baby Coin syschk CnC Communication"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = --------------------------- 7dab371b0124"; fast_pattern; bsize:74; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.alyac.co.kr/1640; classtype:command-and-control; sid:2026609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.dev"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT29)"; flow:from_server,established; tls.cert_subject; content:"CN=pandorasong.com"; classtype:domain-c2; sid:2026618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT29, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.xyz"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hades APT Downloader Attempting to Retrieve Stage 2 Payload"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/check/index"; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; reference:url,research.checkpoint.com/new-strain-of-olympic-destroyer-droppers/; classtype:targeted-activity; sid:2026619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag Hades, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IXWARE Stealer CnC Activity"; flow:established,to_server; http.request_body; content:"checkAcc="; startswith; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.start; content:"POST /stubCheck HTTP/"; depth:21; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:command-and-control; sid:2030098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Renos/Artro Trojan Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; content:"=v"; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/"; http.user_agent; content:"wget"; nocase; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:md5,01ca25570659c2e1b8b887a3229ef421; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:command-and-control; sid:2013186; rev:21; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE WEBMONITOR RAT CnC Domain in DNS Lookup (dabmaster.wm01 .to)"; dns.query; content:"dabmaster.wm01.to"; nocase; bsize:17; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/webmonitor-rat-bundled-with-zoom-installer/?web_view=true; classtype:command-and-control; sid:2030100; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HackTool.Linux.SSHBRUTE.A Haiduc Initial Compromise C2 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php"; http.user_agent; content:"curl/"; fast_pattern; http.request_body; content:"info="; depth:5; content:"&data="; distance:0; classtype:command-and-control; sid:2026642; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EVILNUM CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register.php"; http.request_body; content:"av="; depth:3; content:"&cpu-name="; fast_pattern; distance:0; content:"&ref="; distance:0; content:"&user="; distance:0; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030125; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DNSpionage Commands Embedded in Webpage Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d|eyJjIjogI"; fast_pattern; content:"|3c 21 2d 2d|"; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:targeted-activity; sid:2026672; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_28, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNSpionage, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal CnC Checkin"; flow:established,to_server; http.uri; content:".txt"; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:command-and-control; sid:2025922; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE L0rdix Stealer CnC Sending Screenshot"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?h="; fast_pattern; content:"&o="; content:"&c="; content:"&g="; content:"&w="; content:"&p="; content:"&r="; content:"&f="; content:"&rm="; content:"&d="; http.request_body; content:"img="; depth:4; http.header_names; content:!"Referer"; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:command-and-control; sid:2026670; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_28, deployment Perimeter, former_category MALWARE, malware_family L0rdix, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain in DNS Lookup"; dns.query; content:"aoacugmutagkwctu.onion"; nocase; bsize:22; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030133; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE L0rdix Stealer CnC Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hw="; fast_pattern; content:"&ps="; content:"&ck="; content:"&fl="; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; http.header_names; content:!"Referer"; reference:url,blog.ensilo.com/l0rdix-attack-tool; reference:md5,dde99135aba4eb5e78852a1c16499c99; classtype:command-and-control; sid:2026671; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_28, deployment Perimeter, former_category MALWARE, malware_family L0rdix, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain DNS Lookup"; dns.query; content:"mazedecrypt.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030134; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Saving Base64 Decoded Payload to Temp M1 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String|28|"; nocase; content:"Set-Content"; distance:0; nocase; content:"C|3a 5c|Windows|5c|Temp"; distance:0; nocase; fast_pattern; content:"-Encoding"; distance:0; nocase; content:"|0a 0a 0a|"; pcre:"/^(?P<js>\$[a-z0-9]{1,15})\s*=\s*\[System\.Text\.Encoding\]::ASCII\.GetString\(\[System\.Convert\]::FromBase64String\((?P=js)\)\)\s*Set-Content\s*(?:-Path\s*C:\\Windows\\Temp\\[a-z0-9]{1,15}\.[a-z0-9]{2,4}\s*|-Value\s*(?P=js)\s*|-Encoding\s*ASCII){3}/Ri"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026675; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=VwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcg"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f1864d53ba7512471182cd100fb96c4b; classtype:trojan-activity; sid:2030148; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Saving Base64 Decoded Payload to Temp M2 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String|28|"; nocase; content:"Set-Content"; distance:0; nocase; content:"C|3a 5c|Windows|5c|Temp"; distance:0; nocase; fast_pattern; content:"-Encoding"; distance:0; nocase; content:"|0a 0a|"; pcre:"/^(?P<content>\$[a-z0-9]{1,15})\s*=\s*\[System\.Convert\]::FromBase64String\(\$[a-z0-9]{1,15}\)\s*Set-Content\s*(?:-Path\s*C:\\Windows\\Temp\\[a-z0-9]{1,15}\.vbe\s*|-Value\s*(?P=content)\s*|-Encoding\s*Byte){3}/Ri"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026676; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_08_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/download.php?listfiles="; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,cd74438c04b09baa5c32ad0e5a0306e7; classtype:command-and-control; sid:2020157; rev:4; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?res="; http.request_body; content:"data="; depth:5; content:"Host|20|Name|3a|"; distance:0; content:"OS|20|Name|3a|"; distance:0; content:"OS|20|Configuration|3a|"; distance:0; content:"Original|20|Install|20|Date|3a|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_30, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header CERT.PL"; flow:established,from_server; http.content_len; byte_test:0,=,24,0,string,dec; file.data; content:"Sinkholed by CERT.PL"; within:24; fast_pattern; classtype:trojan-activity; sid:2020172; rev:4; metadata:created_at 2015_01_13, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cookie Based BackDoor Used in Drupal Attacks"; flow:established,to_server; http.cookie; content:"preg_replace"; nocase; reference:url,www.kahusecurity.com/posts/drupal_7_sql_injection_info.html; classtype:attempted-user; sid:2019627; rev:4; metadata:created_at 2014_11_03, former_category WEB_SERVER, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (irc.eleethub .com)"; dns.query; content:"irc.eleethub.com"; nocase; bsize:16; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030195; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) HttpHeader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAA"; endswith; http.header; content:"Accept|3a 20|*/*"; depth:11; content:"Accept-Encoding|3a 20|gzip, deflate"; within:32; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"; within:192; content:"Host|3a 20|r.photo.store.qq.com"; fast_pattern; within:28; content:"Connection|3a 20|Keep-Alive"; within:24; isdataat:!3,relative; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2026688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Stealer, signature_severity Major, tag Ransomware, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (ghost.eleethub .com)"; dns.query; content:"ghost.eleethub.com"; nocase; bsize:18; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030196; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com)"; dns.query; content:"eleethub.com"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:trojan-activity; sid:2030197; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Harvesting Email Addresses 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getemail.php?lang="; fast_pattern; content:"&s="; distance:0; content:"&n="; distance:0; content:"&em="; distance:0; content:"@"; distance:0; content:"|3b|"; distance:0; reference:url,www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/; classtype:trojan-activity; sid:2026720; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_11, deployment Perimeter, former_category TROJAN, malware_family Danabot, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Avaddon Ransomware Payment Domain"; dns.query; content:"avaddonbotrxmuyl.onion.pet"; bsize:26; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Avaddon, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanaBot Harvesting Email Addresses 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e.php?s=itfullemail&n="; fast_pattern; content:"&b="; distance:0; content:"&_="; distance:0; reference:url,www.bleepingcomputer.com/news/security/danabot-banking-trojan-gets-into-spam-business/; classtype:trojan-activity; sid:2026721; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_11, deployment Perimeter, former_category TROJAN, malware_family Danabot, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"yourcontents.xyz"; nocase; endswith; classtype:domain-c2; sid:2030333; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?sys="; content:"&c_type="; distance:0; content:"&dis_type="; distance:0; fast_pattern; content:"&num="; distance:0; content:"&user="; distance:0; content:"&ver="; distance:0; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:command-and-control; sid:2026725; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2020_08_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"filepage.icu"; nocase; endswith; classtype:domain-c2; sid:2030332; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Fake Login - Possible Phishing - 2018-12-31"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fakeLogin="; depth:10; nocase; content:"&fakePassword="; nocase; distance:0; fast_pattern; classtype:suspicious-login; sid:2026746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_12_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"datasecure.icu"; nocase; endswith; classtype:domain-c2; sid:2030331; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Generic Login - Possible Successful Phish 2019-01-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"myusername="; depth:11; nocase; content:"&mypassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,200,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO maas.io Image Download Flowbit Set"; flow:established,to_server; flowbits:set,ET.Maas.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"maas/2.3."; http.host; content:"images.maas.io"; classtype:trojan-activity; sid:2026747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_02, former_category INFO, signature_severity Informational, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.accept; content:"text/html, */*"; depth:14; endswith; http.accept_enc; content:"identity"; depth:8; endswith; http.content_len; byte_test:0,>,50000,0,string,dec; byte_test:0,<,120000,0,string,dec; http.start; content:".php HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Length|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5b2eca6abe1903955d1dfd41e301e0af; classtype:targeted-activity; sid:2030122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL APT28 Zebrocy/Zekapab Reporting to CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?res="; http.request_body; content:"data="; depth:5; content:"Host+Name%3A"; distance:0; content:"OS+Name%3A"; distance:0; content:"OS+Configuration%3A"; distance:0; content:"Original+Install+Date%3A"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf; classtype:targeted-activity; sid:2026751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Staging Domain in DNS Query"; dns.query; content:"dnsresolve.live"; nocase; endswith; classtype:domain-c2; sid:2030378; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Patchwork, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bynamail="; depth:9; nocase; content:"&bynapass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032414; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil Google Drive Download"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; http.host; content:"drive.google.com"; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030438; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id_name="; fast_pattern; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"attach="; depth:7; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Sofacy, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms6-upload-serv3.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030418; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Downloader Error POST"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; depth:15; http.host; content:"google.com"; depth:10; http.request_body; content:"project=%"; depth:9; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"updt-servc-app2.com"; bsize:19; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030419; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Secondary Payload CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; depth:15; fast_pattern; http.request_body; content:"l="; depth:2; content:!"%"; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,3773150aeee03783a6da0820a8feb752; classtype:targeted-activity; sid:2026754; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cdn2-system3-secrv.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030420; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO External Host Probing for ChromeCast Devices"; flow:established,to_server; urilen:18; http.method; content:"GET"; http.uri; content:"/setup/eureka_info"; fast_pattern; reference:url,www.theverge.com/2019/1/2/18165386/pewdiepie-chromecast-hack-tseries-google-chromecast-smart-tv; classtype:trojan-activity; sid:2026758; rev:3; metadata:attack_target IoT, created_at 2019_01_04, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, tag Enumeration, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"file3-netwk-system.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030421; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Zebrocy/Zekapab Reporting to CnC M3"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla|20|v5.1|20 28|Windows"; depth:21; http.request_body; content:"regid="; depth:6; content:"%20FIXED,%20TOTAL|3a|%20"; distance:0; content:"%0AHost%20Name|3a|%20%20%20%20%20%20"; distance:0; content:"%0AOS%20Name|3a|%20%20%20%20%20"; fast_pattern; content:"%0AOS%20Version|3a|%20%20%20%20%20%20"; distance:0; reference:url,unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/; classtype:targeted-activity; sid:2026762; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, malware_family Zekapab, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"service-net2-file.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030422; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 2 - CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmp/Cobra_"; fast_pattern; content:!"&"; content:!"."; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-access-sec43.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030423; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_issuer; content:"C=AU, ST=Some-State, L=City, O=Some Company"; tls.cert_serial; content:"0E:06:ED:F2:C3:91"; classtype:domain-c2; sid:2026616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"network-msx-system33.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030424; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper RAT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checksolutions.pw"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:domain-c2; sid:2026767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_09, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mx3-rewc-state.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030425; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sharik/Smoke Loader 7zip Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/support.html"; fast_pattern; http.host; content:"www.7-zip.org"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,9bea24aadc1061d39ec15707a1f9b87b; classtype:trojan-activity; sid:2026805; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category TROJAN, malware_family Sharik, malware_family SmokeLoader, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd3-srv-system-app.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030426; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon M2"; flow:established,to_server; threshold: type both, count 5, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?TIe="; fast_pattern; pcre:"/^[a-zA-Z0-9\x21\x2a\x2f\x2e\x3b\x3a\x5b\x5d\x7b\x7d]+$/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer"; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/10/malspam-delivers-bitter-rat-07-01-2018; reference:md5,cc58dd8592555ff6275196e62af3242e; reference:md5,8d42c01180be7588a2a68ad96dd0cf85; classtype:command-and-control; sid:2025198; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"syse-update-app4.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030427; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kibana Attempted LFI Exploitation (CVE-2018-17246)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/console/api_server?sense_version="; depth:38; fast_pattern; content:"SENSE_VERSION&apis="; pcre:"/^(?:\.\.\/){2,}/R"; reference:url,www.bleepingcomputer.com/news/security/file-inclusion-bug-in-kibana-console-for-elasticsearch-gets-exploit-code/; classtype:attempted-user; sid:2026739; rev:4; metadata:attack_target Web_Server, created_at 2018_12_19, cve 2018_17246, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-cdn5-mx8.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030428; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE W32/Emotet CnC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.cookie; pcre:"/^[0-9]{3,5}\s*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.start; content:"GET|20|/|20|HTTP/1.1|0d 0a|Cookie|3a 20|"; http.header_names; content:"|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; depth:40; fast_pattern; content:!"Referer"; content:!"Accept"; reference:md5,d51ce75c66d1ac9f071b45b67fb8066c; classtype:command-and-control; sid:2035052; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"secure-upd21-app2.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030429; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER jQuery File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; http.request_body; content:"name=|22|files|22 3b|"; content:"<?php"; nocase; reference:url,github.com/lcashdol/Exploits/tree/master/CVE-2018-9206; reference:cve,2018-9206; classtype:web-application-attack; sid:2026552; rev:4; metadata:affected_product PHP, attack_target Server, created_at 2018_10_25, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms21-app3-upload.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030430; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Python Eval Compile seen in HTTP Request Headers"; flow:established,to_server; http.header; content:"eval(compile("; reference:url,sethsec.blogspot.com/2016/11/exploiting-python-code-injection-in-web.html; classtype:bad-unknown; sid:2026848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"apt5-secure3-state.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030431; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET POLICY WinRM wsman Access - Possible Lateral Movement"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman?"; depth:7; fast_pattern; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026849; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_23, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd8-sys2-apt.com"; bsize:17; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030432; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Backdoor.Win32.TeamBot / RTM C2 Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<RESULT>true</RESULT>"; depth:21; classtype:command-and-control; sid:2026854; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Teambot, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"update5-sec3-system.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030433; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/certificate_handle2.htm?type="; http.request_body; content:"page=self_generator.htm&totalRules="; depth:35; fast_pattern; content:"|25 32 37 25 32 34 25 32 38|"; distance:0; reference:url,seclists.org/fulldisclosure/2019/Jan/54; classtype:trojan-activity; sid:2026860; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_01_29, cve 2019_1652, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"state-awe3-apt.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030434; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-01-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"off8900="; depth:8; nocase; content:"&offpa738="; nocase; distance:0; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029668; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"advertstv.com"; bsize:13; classtype:domain-c2; sid:2030459; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-01-30"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"passwd="; depth:7; nocase; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2031868; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"amazingdonutco.com"; bsize:18; classtype:domain-c2; sid:2030461; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Pando Client User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Pando/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008625; classtype:policy-violation; sid:2008625; rev:8; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mwebsoft.com"; bsize:12; classtype:domain-c2; sid:2030463; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreDn CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib.asp?id="; fast_pattern; pcre:"/^[a-z0-9]{3,10}$/Ri"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Referer"; content:!"Cache"; reference:url,blog.talosintelligence.com/2019/01/fake-korean-job-posting.html; classtype:command-and-control; sid:2026865; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family CoreDn, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"rostraffic.com"; bsize:14; classtype:domain-c2; sid:2030465; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoreDn CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib.asp?search="; fast_pattern; pcre:"/^[a-z0-9]{5,30}$/Ri"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Referer"; content:!"Cache"; reference:url,blog.talosintelligence.com/2019/01/fake-korean-job-posting.html; classtype:command-and-control; sid:2026866; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family CoreDn, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"typiconsult.com"; bsize:15; classtype:domain-c2; sid:2030467; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Nimiq Miner Initiating Mining Session with Skypool"; flow:established,to_server; http.method; content:"GET"; http.host; content:"nimiq.skypool.org"; fast_pattern; http.header_names; content:"Upgrade"; content:"Sec-WebSocket-Version"; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category POLICY, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cddn .site)"; dns.query; content:"cddn.site"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030480; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.com User-Agent"; flow:established,to_server; http.user_agent; content:"auHTTP component (AppControls.com)"; classtype:pup-activity; sid:2026880; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cxizi .net)"; dns.query; content:"cxizi.net"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030481; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.com User-Agent"; flow:established,to_server; http.user_agent; content:"AutoUpgrader component (AppControls.com)"; classtype:pup-activity; sid:2026881; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (yzxi .net)"; dns.query; content:"yzxi.net"; nocase; bsize:8; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030482; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; flowbits:set,ET.eduphish; http.method; content:"GET"; http.uri; content:"user"; nocase; content:"pass"; distance:0; nocase; fast_pattern; http.host; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/"; classtype:social-engineering; sid:2025113; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TaurusStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"zyvcin.xyz"; bsize:10; classtype:domain-c2; sid:2030477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.icu) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".icu"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2026891; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_27;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 6 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|YOU|20|BETTER|20|READ|20|THIS|0d|"; fast_pattern; content:"COLLECTED|20|ALL|20|YOUR|20|FILES"; content:"in|20|Bitcoin"; nocase; content:"receiving|20|the|20|Bitcoin"; nocase; threshold: type limit, count 1, seconds 30, track by_src; classtype:command-and-control; sid:2031210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_11_17, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Grandoreiro CnC Activity (vbs)"; flow:established,to_server; urilen:15<>21; http.method; content:"GET"; http.uri; content:"/spain/index.php"; endswith; fast_pattern; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; reference:md5,2cb39126dd8f22ffdf2ad2b679405653; classtype:command-and-control; sid:2030807; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ThiefQuest CnC Domain in DNS Lookup"; dns.query; content:"andrewka6.pythonanywhere.com"; nocase; bsize:28; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/updates-on-thiefquest-the-quickly-evolving-macos-malware/; classtype:command-and-control; sid:2030613; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com)"; dns.query; content:"cloud-sources.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030636; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Babax Stealer Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument?chat_id="; distance:0; content:"&caption=%E2%98%A0%EF%B8%8F%20Brought%20you%20by%20Babax"; fast_pattern; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"|2e|logs|22 0d 0a|Content-Type|3a 20|application/x-ms-dos-executable|0d 0a 0d 0a|PK"; reference:md5,7413dfd6fc0eed1927e1d44c23b80571; reference:url,twitter.com/Pyhoma07/status/1279758745560584195; classtype:command-and-control; sid:2030805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Babax, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com)"; dns.query; content:"cdn-filestorm.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030637; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET To gate.php with no Referer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gate.php"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2030802; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com)"; dns.query; content:"www.cnaweb.mrslove.com"; nocase; bsize:22; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030642; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AgentTesla Variant Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument"; distance:0; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"name|3d 22|caption|22 0d 0a 0d 0a|New PW Recovered!|0d 0a 0d 0a|User Name|3a 20|"; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1298742352069054464; reference:md5,0c22e92073fc56a574a6c860ddef1c2d; classtype:command-and-control; sid:2030806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net)"; dns.query; content:"www.infonew.dubya.net"; nocase; bsize:21; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030643; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Xnore Fake Facebook Login Credentials Collected"; flow:established,to_server; http.method; content:"POST"; http.header; content:"xnore.com"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"app_id="; depth:7; fast_pattern; content:"&cemail="; distance:0; content:"&cpass="; distance:0; http.header_names; content:"Origin"; content:"Referer"; classtype:trojan-activity; sid:2026907; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_02_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Xnore, performance_impact Low, signature_severity Major, tag Spyware, updated_at 2020_08_27;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"cdnapis.com"; nocase; endswith; depth:11; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GoldenSpy Domain Observed"; dns.query; content:"ningzhidata.com"; nocase; endswith; reference:url,trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf; classtype:trojan-activity; sid:2030803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.1; content:"Accept|3a 20 2a 2f 2a 0d 0a 0d 0a|"; fast_pattern; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/"; http.method; content:"GET"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.host; content:!".imodules.com"; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; depth:30; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020027; rev:7; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^mail=[^\x25]+\x2540[^&]+&pass=[^&]+$/i"; classtype:credential-theft; sid:2026902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ave Maria RAT CnC Domain in DNS Lookup (uknwn.linkpc .net)"; dns.query; content:"uknwn.linkpc.net"; nocase; bsize:16; reference:url,twitter.com/James_inthe_box/status/1293267162258272256?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email; reference:url,app.any.run/tasks/49ba0acb-fd7a-47ec-9998-cacc6eb875d5/; classtype:command-and-control; sid:2030679; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; fast_pattern; distance:0; pcre:"/^a=[^\x25]+\x2540[^&]+&b=[^&]+/i"; classtype:credential-theft; sid:2026903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GratefulPOS Covert DNS CnC Initial Checkin"; dns.query; content:".grp"; within:12; content:"ping.adm."; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:command-and-control; sid:2025144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Grateful_POS, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&epass="; nocase; fast_pattern; distance:0; pcre:"/^email=[^\x25]+\x2540[^&]+&epass=[^&]+/i"; classtype:credential-theft; sid:2026905; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; depth:5; content:"&pt="; within:20; fast_pattern; http.user_agent; pcre:"/^[a-f0-9]{32}$/i"; http.request_body; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:command-and-control; sid:2025598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, malware_family Autoit_NU, performance_impact Low, signature_severity Major, tag Dropper, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious SSN Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&ssn="; nocase; classtype:trojan-activity; sid:2026908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:command-and-control; sid:2026113; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_14, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious CVV Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&cvv="; nocase; classtype:trojan-activity; sid:2026909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pvtchat.live"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031215; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?b9zd1="; fast_pattern; content:"&cid="; distance:0; content:"&sid="; distance:0; content:"&v_id="; distance:0; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026910; rev:2; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String"; nocase; content:"-Path|20|C|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; content:"start-process|20|c|3a 5c|windows|5c|system32|5c|wscript.exe|20|-ArgumentList|20 22|c|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; fast_pattern; content:".vbe|22|"; within:20; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026677; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?campid="; fast_pattern; content:"&model="; distance:0; content:"&os="; distance:0; content:"&city="; distance:0; content:"&ip="; distance:0; content:"&ua="; distance:0; content:"&language="; distance:0; content:"&isp="; distance:0; content:"&carrier="; distance:0; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026912; rev:3; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/LamePyre Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?uid="; pcre:"/^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$/Ri"; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|scr|22 3b 20|filename=|22|"; fast_pattern; content:".png|22 0d 0a|"; within:30; http.header_names; content:!"Referer"; reference:md5,1dc949fbb35b816b3046731d8db98a3d; reference:url,objective-see.com/blog/blog_0x3C.html; classtype:trojan-activity; sid:2026823; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family LamePyre, performance_impact Moderate, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sd/?c="; depth:7; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&u="; distance:0; content:"&s="; distance:0; content:"&o="; distance:0; content:"&b="; distance:0; pcre:"/^\d{3,15}$/R"; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026913; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"REDIR|3b|"; depth:15; content:"|7c 2d 7c|http"; within:50; fast_pattern; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SFML User-Agent (libsfml-network)"; flow:established,to_server; http.user_agent; content:"libsfml-network/"; depth:16; fast_pattern; reference:url,github.com/SFML; classtype:trojan-activity; sid:2026914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wide HTA with PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/hta"; file.data; content:"W|00|s|00|c|00|r|00|i|00|p|00|t"; nocase; content:"S|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; content:"p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; fast_pattern; content:"h|00|i|00|d|00|d|00|e|00|n"; within:200; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DirectsX CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"AAAAAAAAAAAAAA"; pcre:"/^\/(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.header; content:"X-MU-Session-ID|3a 20|"; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2026916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family DirectsX, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"=|20|ReadSmbResponse|28|"; content:"|20|==|20|0x72|20|&&|20|"; within:400; fast_pattern; content:"|20|==|20|00"; within:400; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027336; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (LazarusGroup CnC)"; flow:from_server,established; tls.cert_serial; content:"01:90:17:98:AF:94:1C:5E"; classtype:domain-c2; sid:2026944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Lazarus, updated_at 2020_08_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|=|20|new|20|byte|5b 5d|"; content:"0xff,0x53,0x4d,0x42"; within:300; fast_pattern; content:"0x01,0x28"; distance:0; content:"0x02,0x4c,0x41,0x4e"; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hp.php?"; depth:8; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"powershell"; nocase; content:"-e"; within:40; nocase; content:".Get|28 22|Win32_ProcessStartup|22 29|"; distance:0; nocase; fast_pattern; content:"Process.Create|28|"; distance:0; nocase; reference:md5,f17e15a9d28a85bd41d74233859d4df4; classtype:trojan-activity; sid:2027374; rev:4; metadata:created_at 2019_05_23, former_category CURRENT_EVENTS, tag Loader, updated_at 2020_11_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Grandoreiro CnC Activity (iso)"; flow:established,to_client; content:"|2e|iso|22 3b 0d 0a 0d 0a|VUVzREJCUUFBQUFJQU5sRUJWSHBLeVltQlY0OEFBQzh6QXNRQ"; fast_pattern; http.stat_code; content:"200"; reference:url,app.any.run/tasks/aa328aa8-e521-429f-9c42-9583f7e87c76/; reference:md5,2cb39126dd8f22ffdf2ad2b679405653; classtype:command-and-control; sid:2030808; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Filecoder.STOP Variant Public Key Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|7b 22|public_key|22 3a 22|-----BEGIN|26 23 31 36 30 3b|PUBLIC|26 23 31 36 30 3b|KEY-----"; depth:51; fast_pattern; content:"-----END|26 23 31 36 30 3b|PUBLIC|26 23 31 36 30 3b|KEY-----"; content:"|22 2c 22|id|22 3a 22|"; within:12; reference:md5,13f04ff944fa65eddd3e911740837a8a; reference:md5,c0672f0359afba1c24ab0f90f568bdc0; classtype:trojan-activity; sid:2036335; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/set.html?"; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending LAN Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; depth:12; fast_pattern; content:"|22 7d|"; within:3; endswith; http.header_names; content:!"Referer"; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup Datper CnC Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.htm?"; fast_pattern; pcre:"/^[a-z]{3,10}=[a-z0-9]+$/R"; http.accept; content:"*/*"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:url,blogs.jpcert.or.jp/ja/2019/02/tick-activity.html; classtype:command-and-control; sid:2026949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, malware_family Datper, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scarsi Variant CnC Activity"; flow:to_server,established; http.uri; content:"/WP"; content:".php"; within:50; endswith; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/i"; http.header; content:"Content-Length|3a 20|"; byte_test:1,>,0x30,0,relative; http.request_body; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/si"; http.content_type; content:"application/x-www-form-urlencoded|3b 20|Charset=UTF-8"; fast_pattern; bsize:48; http.header_names; content:!"Referer|0d 0a|"; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:command-and-control; sid:2024758; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"faxpctodaymessage"; nocase; pcre:"/^\.(?:space|press|website)$/R"; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026952; rev:3; metadata:created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"name=|22|kerna|22 3b 20|filename"; fast_pattern; content:".his|22 0d 0a|"; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; distance:0; content:"JFIF"; within:15; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Cost Estimator Plugin AFI Vulnerability"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?action=lfb_upload_form"; nocase; reference:url,www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/; classtype:web-application-attack; sid:2026950; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_02_21, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Godlua Backdoor Downloading Encrypted Lua"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; http.user_agent; content:"Mozilla|2f|5.0|20 28|"; pcre:"/^(?:i686|x86_64|arm|mipsel)\-(?:static-linux|w64|iamsatan)\-(?:mingw32|uclibc(?:gnueabi)?)/R"; content:"|29 20|Chrome|2f|20"; within:11; http.referer; content:"https://www.google.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Referer|0d 0a 0d 0a|"; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027677; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei Stealer Client Data Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|hwid|22|"; nocase; content:"form-data|3b 20|name=|22|os|22|"; nocase; content:"form-data|3b 20|name=|22|platform|22|"; nocase; content:"form-data|3b 20|name=|22|user|22|"; nocase; content:"form-data|3b 20|name=|22|cccount|22|"; nocase; reference:md5,72bcbfd1020d002d2e20e0707b8ef700; classtype:trojan-activity; sid:2025431; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; threshold: type both, track by_src, count 2, seconds 60; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&group="; fast_pattern; content:"&os="; content:"&cpu="; http.header_names; content:!"Referer|0d 0a|"; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:command-and-control; sid:2025253; rev:6; metadata:created_at 2018_01_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"BCDEF="; content:"&MNOPQ="; content:"&GHIJ="; content:"&UVWXYZ="; fast_pattern; content:"&st="; reference:md5,7cc0b212d1b8ceb808c250495d83bae4; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2026740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls.cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArtraDownloader/TeleRAT Checkin"; flow:to_server,established; http.uri; content:".php?a="; content:"&b="; distance:0; content:"&c="; distance:0; content:"Windows|20|"; distance:0; fast_pattern; content:"&d="; distance:0; content:"&e="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,a1bdb1889d960e424920e57366662a59; classtype:command-and-control; sid:2026641; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_21, deployment Perimeter, former_category MALWARE, malware_family RAT, signature_severity Major, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls.cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArtraDownloader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"dwnack.php?cId="; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026985; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_26, deployment Perimeter, former_category MALWARE, malware_family ArtraDownloader, performance_impact Low, signature_severity Major, tag Patchwork, tag DonotGroup, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Google)"; tls.cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer CnC Landing M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hyllkjit/"; depth:10; fast_pattern; content:"/?n="; pcre:"/^\/hyllkjit\/[a-f0-9]{8}\/\?n=\d{4,10}$/i"; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:command-and-control; sid:2026911; rev:3; metadata:affected_product Mac_OSX, created_at 2019_02_14, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls.cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; tls.cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Shlayer Malicious Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/d1833/"; depth:7; fast_pattern; content:"/?software="; distance:0; content:"&title="; content:"&clickid="; reference:url,www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/; classtype:trojan-activity; sid:2026986; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category TROJAN, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer IP Lookup"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; http.host; content:"ip-api.com"; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Spy.RTM/Redaman IP Check"; flow: established, to_server; http.method; content:"GET"; http.uri; content:"/index_small.php"; fast_pattern; endswith; http.header; content:"Cache-Control|3a 20|no-cache"; depth:24; content:"Connection|3a 20|Close"; within:19; content:"Pragma|3a 20|no-cache"; within:18; content:"Accept|3a 20|text/html, application/xhtml+xml, */*"; within:47; content:"Accept-Language|3a 20|en-US"; within:24; content:"Host|3a 20|"; within:8; isdataat:!35,relative; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2027025; rev:3; metadata:created_at 2019_03_04, former_category TROJAN, updated_at 2020_08_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer Config Download Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/grubConfig"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)"; flow:established,to_server; http.user_agent; content:"Clever Internet Suite"; classtype:trojan-activity; sid:2027045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_05, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:5; metadata:created_at 2015_07_20, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Windows|20|NT|20|6,2"; content:"Gecko|2f|201001o1|20|Firef0x/19,0"; distance:0; fast_pattern; http.request_body; content:"9"; depth:1; pcre:"/^9(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027057; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Checkin via POST"; flow: to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"f="; content:"&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:command-and-control; sid:2009156; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Gecko|2f|201001o1|20|Firef0x/19,0"; fast_pattern; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:trojan-activity; sid:2027060; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category USER_AGENTS, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; http.method; content:"GET"; http.uri; content:"/cfg.bin"; nocase; fast_pattern; endswith; http.header; content:"no-cache|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:15; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?images/"; pcre:"/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/i"; http.request_body; content:"XWebPageName=diag&diag"; depth:22; fast_pattern; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:2; metadata:attack_target IoT, created_at 2019_03_06, cve 2018_10561, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update.php"; endswith; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rsi"; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025171; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-03-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Eml="; depth:4; fast_pattern; content:"&Password="; distance:0; classtype:credential-theft; sid:2027046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"xyz="; depth:4; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2025187; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Mailbox Phish 2019-03-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"akoko="; depth:6; nocase; content:"|25|40"; distance:0; content:"&ekeji="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029670; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot User-Agent"; flow:established,to_server; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category TROJAN, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO [eSentire] Possible Kali Linux Updates"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"APT-HTTP|2f|"; http.host; content:"kali.org"; fast_pattern; pcre:"/^[a-z0-9.]+\.kali\.org/"; classtype:policy-violation; sid:2025627; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Cobalt Strike Beacon"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025635; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-03-11"; flow:established,to_server; http.method; content:"POST"; http.header; content:".php?userid="; fast_pattern; content:"@"; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2029671; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> any any (msg:"ET MALWARE [PT MALWARE] Hacked Mikrotik C2 Request"; flow:established, to_server; threshold:type threshold, track by_src, count 1, seconds 35; http.method; content:"GET"; http.uri; content:"/mikrotik.php"; endswith; http.user_agent; content:"Mikrotik/6.x Fetch"; depth:18; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,forum.mikrotik.com/viewtopic.php?t=137217; classtype:command-and-control; sid:2026027; rev:5; metadata:created_at 2018_08_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PirateBay Phish - Possibly PirateMatryoshka Related"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c|p|3e|In order to continue the install"; content:"enter your Piratebay user and pass below"; distance:0; content:"If u don't have an PirateBay"; distance:0; fast_pattern; reference:url,securelist.com/piratebay-malware/89740/; classtype:social-engineering; sid:2027081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category PHISHING, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.center"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027576; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; threshold: type both, count 1, seconds 300, track by_src; http.header; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:13; metadata:created_at 2010_07_30, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027577; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; threshold: type both, count 1, seconds 300, track by_src; http.header; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:14; metadata:created_at 2010_07_30, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encryptedmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027578; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt"; flow:established,to_server; http.accept; content:"../"; reference:url,github.com/mpgn/CVE-2019-5418; classtype:web-application-attack; sid:2027096; rev:3; metadata:attack_target Web_Server, created_at 2019_03_19, cve 2019_5418, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027579; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZTE ZXV10 H108L Router Root RCE Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getpage.gch?pid="; depth:17; content:"&Host=|3b|"; distance:0; fast_pattern; content:"&DataBlockSize="; distance:0; reference:url,github.com/stasinopoulos/ZTExploit/blob/master/ZTExploit_Source/ztexploit.py; classtype:attempted-user; sid:2027098; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveypro.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027580; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gootkit CnC)"; flow:from_server,established; content:"|82 1c|ws.diminishedvalueoregon.com"; tls.cert_serial; content:"0E:1F:E3:45:FC:89"; classtype:domain-c2; sid:2027101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family Gootkit, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveyservice.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027581; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] -> $HOME_NET any (msg:"ET MALWARE Win32/Emotet CnC Checkin Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; depth:24; http.content_len; content:"132"; file.data; content:"|78 63 e0 c7 31 a5 dd f1 f4 55 30 e4 67 f7 ab f2 c6 68 a2 26|"; fast_pattern; reference:md5,129ed9c08c8ba6dc62d48ff2c3fc6a50; reference:md5,4ca520895d86beb6f8cab93639f26f50; classtype:command-and-control; sid:2035054; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Emotet, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ifileupload.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027582; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027103; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"passwords.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027105; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-secure.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027584; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RocketMan Win32/Drun"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Host|3a 20|"; depth:6; http.request_body; content:"|20|name=|22|kind|22|"; fast_pattern; content:"|20|name=|22|fname|22|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,twitter.com/securitydoggo/status/954337767751905280; classtype:trojan-activity; sid:2025224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category TROJAN, malware_family Drun, performance_impact Moderate, signature_severity Major, tag RocketMan, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027585; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaseBot CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?btc="; depth:30; fast_pattern; content:"&login="; distance:0; content:"&pwd="; distance:0; http.header_names; content:"Host|0d 0a 0d 0a|"; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; classtype:command-and-control; sid:2027113; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, malware_family ChaseBot, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"internal-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027586; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"wallet.dat"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027114; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"itunesrewardscode.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027587; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027107; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafeeonlinescanner.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027588; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoinMiner Performing System Checkin"; flow:established,to_server; http.uri; content:"/ReportSpeed"; endswith; fast_pattern; http.request_body; content:"|2c 22|GpuDriver|22 3a 22|"; content:"|2c 22|OSName|22 3a 22|"; content:"|2c 22|DiskSpace|22 3a 22|"; reference:md5,0bdfccd5aab30f98e212abde79d923ef; classtype:coin-mining; sid:2030812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafee-scan.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027589; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE C3Pool CoinMiner Setup Script Download"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"echo C3Pool mining setup script v%VERSION%."; depth:200; fast_pattern; reference:md5,57d01da1ecf73b6ac9564c180e1363c6; classtype:coin-mining; sid:2030813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_08_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"online-microsoft-update.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fedex Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>FedEx|20 7c 20|"; fast_pattern; classtype:social-engineering; sid:2030810; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"outlook-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (boostsoftware-urlexists)"; flow:established,to_server; http.user_agent; bsize:23; content:"boostsoftware-urlexists"; classtype:bad-unknown; sid:2030814; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"searscorporategiftcard.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GET Request to Googleapis Hosting (set)"; flow:established,to_server; flowbits:set,ET.appspothosted; flowbits:noalert; http.method; content:"GET"; http.host; content:".googleapis.com"; fast_pattern; isdataat:!1,relative; classtype:social-engineering; sid:2030811; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category PHISHING, signature_severity Informational, tag Phishing, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-corp.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027593; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dorv Stealer Exfiltrating Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla|2f|3.0"; http.request_body; content:"name=|22|files|22 3b|"; content:"|0d 0a 0d 0a|PK"; distance:0; content:"|2f|BSSID.txt"; distance:0; content:"|2f|Screenshot."; distance:0; fast_pattern; http.request_line; content:".php HTTP/1.0"; reference:md5,888864c2ea27babf978d5feda40b3b2f; reference:url,twitter.com/wdsecurity/status/1105992405629583362; classtype:command-and-control; sid:2027087; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Win32_Dorv, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027594; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026102; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Informational, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-online.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027595; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound JasperLoader Using Array Push Obfuscation"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|=|20|new|20|Array|28 29 3b|"; depth:50; content:".push|28 22|"; distance:0; pcre:"/^(?:\x22|[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?<pushvar>\.push\x28\x22)(?:\x22|[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?P=pushvar)(?:[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?P=pushvar)(?:[\x20-\x7e]{0,70}\x22)\x29\x3b\s*[^\.]+(?P=pushvar)/Ri"; content:".push|28 22 22 29 0d 0a|"; fast_pattern; content:"eval|28|"; distance:0; classtype:trojan-activity; sid:2027102; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/VBS.SLoad.Backdoor Initial Base64 Encoded OK Server Response"; flow:established,to_client; http.header; content:"Authorization|3a 20|b2sgb2s="; reference:url,www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html; reference:md5,3aabc9767d02c75ef44df6305bc6a41f; classtype:trojan-activity; sid:2027118; rev:3; metadata:created_at 2019_03_27, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secmail-us.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027597; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (lessie)"; flow:established,to_server; http.user_agent; content:"lessie"; nocase; depth:6; pcre:"/^lessie(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027129; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secureimailonline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027598; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Cakle)"; flow:established,to_server; http.user_agent; content:"Cakle"; nocase; depth:5; pcre:"/^Cakle(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027131; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-data.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027599; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Damien)"; flow:established,to_server; http.user_agent; content:"Damien"; nocase; depth:6; pcre:"/^Damien(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027133; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027600; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Solar)"; flow:established,to_server; http.user_agent; content:"Solar"; nocase; depth:5; pcre:"/^Solar(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027135; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027601; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (muhstik)"; flow:established,to_server; http.user_agent; content:"muhstik"; nocase; depth:7; pcre:"/^muhstik(?:-scan)?(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027137; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-ssl.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027602; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Shaolin)"; flow:established,to_server; http.user_agent; content:"Shaolin"; nocase; depth:7; pcre:"/^Shaolin(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027139; rev:2; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securessl-vpn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027603; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Rift)"; flow:established,to_server; http.user_agent; content:"Rift"; nocase; depth:4; pcre:"/^Rift(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027119; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-vpn.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027604; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Tsunami)"; flow:established,to_server; http.user_agent; content:"Tsunami"; nocase; depth:7; pcre:"/^Tsunami(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027121; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-account.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Yowai)"; flow:established,to_server; http.user_agent; content:"Yowai"; nocase; depth:5; pcre:"/^Yowai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027123; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-login.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Yakuza)"; flow:established,to_server; http.user_agent; content:"Yakuza"; nocase; depth:6; pcre:"/^Yakuza(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027125; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-secure.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027607; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027127; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-upgrade.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027608; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil PDF Retrieving Emotet Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?InvoiceType=Regular&date="; fast_pattern; pcre:"/\/[A-Za-z0-9]{2,8}[-_][a-zA-Z0-9-_]+\/\?InvoiceType=Regular&date=[0-9-_]+$/"; reference:md5,136dca58d0a0802c7abfce8dce4b7526; classtype:trojan-activity; sid:2035060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_28, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssofiles.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027609; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"csrss.exe"; content:"explorer.exe"; fast_pattern; content:"svchost.exe"; content:"lsass.exe"; classtype:trojan-activity; sid:2027117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Suspicious_POST_body, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027610; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Data Exfil SMTP"; flow:established,to_server; content:"Subject|3a 20|MassLogger|20 7c 20|"; fast_pattern; reference:md5,862b6b45307a816ac1e3321ec66b212d; classtype:command-and-control; sid:2030809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper CnC Inital Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"key="; depth:4; nocase; content:"&sysid="; nocase; distance:0; fast_pattern; content:"&resp="; nocase; distance:0; content:"&misc="; distance:0; classtype:command-and-control; sid:2026772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vpn-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027612; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Flash Exploit Attempt"; flow:established,to_server; urilen:38; http.uri; content:"/?s="; depth:4; fast_pattern; pcre:"/^\/\?s=[a-f0-9]{32}[a-z]{2}$/"; http.header; content:"/?s="; content:"|0d 0a|"; distance:34; within:2; content:"x-flash-version|3a|"; http.referer; pcre:"/^http\:\/\/[^\r\n\x2f]+\/\?s=[a-f0-9]{32}[a-z]{2}$/i"; classtype:exploit-kit; sid:2027145; rev:3; metadata:affected_product Adobe_Flash, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Spelevo_EK, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vsecuremail.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027613; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http any any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2027153; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-cloud.net"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027614; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/BasBanke CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=NewClient"; depth:14; fast_pattern; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,79cf391a3ae2477cd804c68850dba80d; reference:url,securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/; classtype:command-and-control; sid:2027154; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_04_04, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BasBanke, tag Banker, updated_at 2020_08_28, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027615; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A Fake HTTP 500 Containing Encoded Commands Inbound"; flow:established,from_server; http.header; content:"charset=UTF-8"; http.response_line; content:"HTTP|2f|1.0|20|500|20|Internal|20|Server|20|Error"; file.data; content:"500|20|Internal|20|Server|20|Error|3c 21 2d 2d|"; fast_pattern; pcre:"/^[A-F0-9]+\x2d\x2d\x3e(?:\r\n)?$/R"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:trojan-activity; sid:2027156; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category TROJAN, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"wu-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"SGFuZGxlcyAgTlBNKEspICAgIFBNKEspICAgICAgV1MoSykgVk0oTSkgICBDUFUo"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; reference:url,attack.mitre.org/techniques/T1132/; classtype:trojan-activity; sid:2027211; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, tag T1086, tag T1057, tag T1132, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027617; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hhbmRsZXMgIE5QTShLKSAgICBQTShLKSAgICAgIFdTKEspIFZNKE0pICAgQ1BVKH"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; reference:url,attack.mitre.org/techniques/T1132/; classtype:trojan-activity; sid:2027212; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, tag T1086, tag T1057, tag T1132, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027618; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with Base64 ps PowerShell Command Output M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"IYW5kbGVzICBOUE0oSykgICAgUE0oSykgICAgICBXUyhLKSBWTShNKSAgIENQVSh"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; reference:url,attack.mitre.org/techniques/T1132/; classtype:trojan-activity; sid:2027213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, tag T1086, tag T1057, tag T1132, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey CnC Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; nocase; content:"&vs="; nocase; content:"&ar="; nocase; content:"&bi="; nocase; content:"&lv="; nocase; content:"&os="; nocase; content:"&av="; nocase; fast_pattern; reference:md5,a83a58cbcd200461b1a80de45e436d9c; classtype:command-and-control; sid:2027700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Amadey, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request with Double Cache-Control"; flow:established,to_server; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Cache-Control|3a 20|no-cache"; classtype:trojan-activity; sid:2027207; rev:2; metadata:created_at 2019_04_16, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Usteal.B Checkin"; flow:to_server,established; http.uri; content:"/ufr.php"; fast_pattern; http.request_body; content:"name="; content:"filename="; content:"UFR|21|"; reference:md5,3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:command-and-control; sid:2014616; rev:8; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING JS Obfuscation - Possible Phishing 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022578; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:established,to_server; urilen:<13; http.method; content:"GET"; http.uri; content:".htm"; fast_pattern; pcre:"/^\/[^\x2f]+?\.htm$/"; http.header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; http.user_agent; content:!"BridgitAgent"; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:command-and-control; sid:2017191; rev:6; metadata:created_at 2013_07_24, former_category MALWARE, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"domainoutlet.site"; distance:0; nocase; fast_pattern; pcre:"/^CN=(?:help|g(?:ui(?:de|ld)|round))\.domainoutlet\.site$/"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/replace/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018749; rev:9; metadata:created_at 2014_07_21, former_category MALWARE, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drivethrough.top"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:jasper|qwe|alter|car|param|bike|genwar)\.)?drivethrough\.top$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Checkin"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/random.php"; fast_pattern; http.user_agent; content:"Mozilla/5."; pcre:"/^\d{2,7}$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:command-and-control; sid:2019353; rev:6; metadata:created_at 2014_10_03, former_category MALWARE, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"drinkeatgood.space"; distance:0; nocase; fast_pattern; content:"CN="; pcre:"/^CN=(?:(?:justin|digest)\.)?drinkeatgood\.space$/s"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:domain-c2; sid:2027216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family StealJob, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_08_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Cobalt Strike payload"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:5; within:4; file.data; content:"|fc e8 00 00 00 00 eb|"; depth:7; fast_pattern; classtype:targeted-activity; sid:2024771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action="; fast_pattern; content:"&sent_all="; content:"&sent_success="; distance:0; content:"&active_connections="; distance:0; content:"&queue_connections="; distance:0; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020329; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish Jan 14 2016"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; content:!"domain=.facebook.com|3b|"; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.nl)|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2025005; rev:15; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Bayrob Keepalive"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/isup.php"; fast_pattern; http.header.raw; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:6; metadata:created_at 2015_03_05, updated_at 2022_05_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|IKEEXT"; content:"copy|20|wlbsctrl.dll"; content:"|5c|Windows|5c|System32|5c|wlbsctrl.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027232; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.asp?search="; fast_pattern; http.header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/mi"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:command-and-control; sid:2020913; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|SessionEnv"; content:"copy|20|TSMSISrv.dll"; content:"|5c|Windows|5c|System32|5c|TSMSISrv.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027233; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; pcre:"/\.php$/"; http.header; content:"HOST|3a|"; depth:5; content:"User-Agent|3a|"; distance:0; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/mi"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021584; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|I|00|K|00|E|00|E|00|X|00|T|00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|w|00|l|00|b|00|s|00|c|00|t|00|r|00|l|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|w|00|l|00|b|00|s|00|c|00|t|00|r|00|l|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027234; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; http.uri; content:"&downlink="; content:"&uplink="; content:"&id="; content:"&statpass="; fast_pattern; content:"&version="; content:"&features="; content:"&guid="; content:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:command-and-control; sid:2013293; rev:7; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|S|00|e|00|s|00|s|00|i|00|o|00|n|00|E|00|n|00|v|00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_21, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, tag T1038, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; http.user_agent; content:"(Charon|3b 20|Inferno)"; fast_pattern; classtype:trojan-activity; sid:2021641; rev:9; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2022_05_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command Inbound via HTTP M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"stop|20|"; content:"copy|20|TSVIPSrv.dll"; content:"|5c|Windows|5c|System32|5c|TSVIPSrv.dll"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027236; rev:3; metadata:created_at 2019_04_22, former_category ATTACK_RESPONSE, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.header; content:"WinHttp.WinHttpRequest."; http.host; content:!"download.nai.com"; classtype:trojan-activity; sid:2022658; rev:8; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ud="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pd="; nocase; fast_pattern; distance:0; pcre:"/^ud=[^&]*&pd=[^&]*/i"; classtype:credential-theft; sid:2026904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows SCM DLL Hijack Command (UTF-16) Inbound via HTTP M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|00|s|00|t|00|o|00|p|00 20 00|"; content:"|00|c|00|o|00|p|00|y|00 20 00|T|00|S|00|V|00|I|00|P|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; content:"|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|S|00|y|00|s|00|t|00|e|00|m|00|3|00|2|00 5c 00|T|00|S|00|M|00|S|00|I|00|S|00|r|00|v|00|.|00|d|00|l|00|l|00|"; distance:0; fast_pattern; reference:url,posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992; classtype:attempted-user; sid:2027238; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin Dec 29 2014"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_body; content:"EPF#"; depth:4; fast_pattern; http.connection; content:"close"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:command-and-control; sid:2020076; rev:5; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"cookie.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; http.request_line; content:"POST / 1.1"; depth:10; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; depth:28; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021632; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"ccdata.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"l=dj0"; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/Rs"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"google_chrome_default_"; distance:26; within:100; nocase; fast_pattern; pcre:"/^(?:logins|c(?:cdata|ookie))/Ri"; classtype:trojan-activity; sid:2027276; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; http.user_agent; content:!"OuijaBoardWigi"; content:"Ouija"; startswith; classtype:trojan-activity; sid:2028990; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK"; depth:2; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027278; rev:2; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Microsoft Update GET)"; flow:established,to_server; urilen:220; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; startswith; fast_pattern; content:".cab"; distance:171; endswith; http.user_agent; content:"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"; bsize:58; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/microsoftupdate_getonly.profile; classtype:command-and-control; sid:2032752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mac="; content:"&av="; distance:0; content:"&os="; distance:0; content:"&ver="; distance:0; content:"&bit="; distance:0; content:"bit&flag2="; distance:0; fast_pattern; content:"&domain="; distance:0; content:"&user="; distance:0; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027148; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag PowerShell, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.hostareas.com"; nocase; bsize:17; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030891; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/Beapy CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?id="; content:"&mac="; distance:0; content:"&OS="; distance:0; content:"&BIT="; distance:0; content:"bit&IT="; distance:0; fast_pattern; content:"&VER="; distance:0; content:"&mpass="; distance:0; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027149; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Python, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.jsquerys.net"; nocase; bsize:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aria2 User-Agent"; flow:to_server,established; http.user_agent; content:"aria2/"; depth:6; fast_pattern; reference:url,github.com/aria2/aria2; reference:md5,eb042fe28b8a235286df2c7f4ed1d8a8; classtype:trojan-activity; sid:2027286; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"web.miscrosaft.com"; nocase; bsize:18; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megumin v2 Stealer User-Agent"; flow:established,to_server; http.user_agent; content:"Megumin/2."; depth:10; reference:md5,7310e691d1d32b18114b5f0a8105e082; classtype:trojan-activity; sid:2027293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Megumin, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"cnc.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=1BEF0A57BE110FD467A"; fast_pattern; reference:md5,dd5e5142ba2ab5f31e5518396c45ba1f; classtype:trojan-activity; sid:2034813; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"back.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2019-04-30 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"|25|40"; distance:0; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"q9uvveypiB.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"**ACE**"; offset:7; depth:7; fast_pattern; content:"|00|"; distance:0; pcre:"/^(?:(\S\:\\){2,}|\S\:\\\S\:\S\:|S\:\\\\\\([0-9]{1,3}\.){3}[0-9]{1,3}|\S\:\\\\\\([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/R"; classtype:attempted-admin; sid:2027310; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_05_01, cve 2018_20250, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, tag WinRAR, tag ACE, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint Update CnC Domain in DNS Query"; dns.query; content:"uhyg8v.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ServHelper CnC Command (Net User)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"shell^net user /domain"; depth:22; fast_pattern; reference:md5,8efa9d3c901234f24659a8ea9c3fee14; reference:url,www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware; classtype:command-and-control; sid:2027301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Checkin CnC in DNS Query"; dns.query; content:"log.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ServHelper CnC Command (Reg Add)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"shell^reg add|20|"; depth:14; fast_pattern; reference:md5,8efa9d3c901234f24659a8ea9c3fee14; reference:url,www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware; classtype:command-and-control; sid:2027302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Staging CnC in DNS Query"; dns.query; content:"box.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ServHelper CnC Command (Whoami)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"shell^whoami"; depth:12; fast_pattern; reference:md5,8efa9d3c901234f24659a8ea9c3fee14; reference:url,www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware; classtype:command-and-control; sid:2027303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoetRAT CnC Domain in DNS Lookup"; dns.query; content:"volt220.kozow.com"; nocase; bsize:17; reference:url,twitter.com/ShadowChasing1/status/1314847032155074562; classtype:domain-c2; sid:2031007; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, malware_family PoetRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JAR/Qealler Stealer HTTP Headers Observed"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|q-qealler-id|0d 0a|q-qealler-stub-id|0d 0a|"; fast_pattern; content:!"Referer"; reference:url,www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer; classtype:trojan-activity; sid:2027311; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_02, deployment Perimeter, former_category TROJAN, malware_family Qealler, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_08_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (office)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; fast_pattern; tls.cert_issuer; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; reference:md5,880a45ff31bc540e80ecf2cf93134c12; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031134; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wp-admin/admin-post.php?swp_debug=load_options&swp_url="; fast_pattern; pcre:"/^https?:\/\//R"; reference:url,www.exploit-db.com/exploits/46794; classtype:attempted-admin; sid:2027315; rev:3; metadata:affected_product Wordpress_Plugins, created_at 2019_05_03, cve 2019_9978, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"duke6.tk"; nocase; bsize:8; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/Unk.EB.Spreader CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=----------"; depth:15; content:"----|0a|COMPUTER|20|NAME|3a 20|"; distance:0; fast_pattern; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:command-and-control; sid:2027334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, former_category MALWARE, malware_family ETERNALBLUE, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"wekanda.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031138; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible JS Credit Card Stealer Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Month|3a 20|"; content:"Year|3a 20|"; content:"CVV|3a 20|"; content:"Holder|27 5d 20|===|20|undefined|20 7c 7c 20 24|"; fast_pattern; content:"CVV|20|!==|20|null|20|&&"; distance:0; content:".SendData|28 29|"; classtype:trojan-activity; sid:2027344; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"sanitar.ml"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScript"; distance:0; content:"|40|ASTTest"; distance:0; content:"Runtime|2e|getRuntime|28 29 2e|exec|28 22|"; distance:0; content:"|22 29 7d 29 0a|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027350; rev:3; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"branter.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq Executing New Processes"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; http.request_body; content:"<?xml"; depth:5; content:"<Message>X1|20|is|20|running|20|in|20|PC"; distance:0; fast_pattern; content:"<|2f|Message>"; distance:0; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:trojan-activity; sid:2027354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_13, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"bronerg.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Interac Phish 2019-05-15"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029674; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"crusider.tk"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/JNAP/"; depth:6; http.header; content:"X-JNAP-Action|3a 20|http|3a 2f 2f|"; fast_pattern; pcre:"/^(?:www\.)?(cisco|linksys)\.com\/jnap\//Ri"; http.request_body; content:"|7b 7d|"; depth:2; reference:url,raw.githubusercontent.com/zeropwn/Linksys-Smart-WiFi-Information-Disclosure/master/nss.py; classtype:attempted-recon; sid:2027357; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DonotGroup CnC in DNS Query"; dns.query; content:"pvtchat.live"; nocase; endswith; classtype:domain-c2; sid:2031216; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AppControls.com User-Agent"; flow:established,to_server; http.user_agent; content:"acHTTP component (AppControls.com)"; classtype:pup-activity; sid:2027359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (TrevorForget Profile)"; flow:established,to_server; http.request_line; content:"GET /us/ky/louisville/312-s-fourth-st.html HTTP/1.1"; bsize:51; fast_pattern; http.cookie; bsize:171; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/"; http.referer; content:"https://locations.smashburger.com/us/ky/louisville.html"; bsize:55; reference:md5,d2c8f1a8b5fc9bf4fe8bde43e88f04a0; classtype:command-and-control; sid:2032754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTA.BabyShark Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/expres.php?op="; fast_pattern; pcre:"/^\d/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.referer; content:".hta"; reference:md5,94b60cf91e550e1d981aaf9962d52e18; classtype:command-and-control; sid:2027365; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_20, deployment Perimeter, former_category MALWARE, malware_family BabyShark, signature_severity Major, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Content-Length|3a 20|95|0d 0a|"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Pragma"; content:!"Referer"; reference:md5,a3c4951687b39e58550309dbbf2e5c85; reference:md5,1c1d7bf3ad926f3cdf0befbc5205a1fe; classtype:trojan-activity; sid:2031233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; flowbits:set,min.gethttp; flowbits:noalert; http.method; content:"GET"; http.header_names; content:!"Accept"; content:!"If-"; content:!"Referer"; content:!"User-Agent"; content:!"Content"; classtype:bad-unknown; sid:2016537; rev:4; metadata:created_at 2013_03_06, updated_at 2020_08_28;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackrota Domain (blackrato .ga in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackrato.ga"; bsize:12; fast_pattern; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031235; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_11_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; depth:4; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Blackrota)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; fast_pattern; tls.cert_issuer; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; reference:md5,04dab9530bbcb7679ff5498400417e40; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031236; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; flowbits:set,FakeIEMinimal; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:37; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019344; rev:7; metadata:created_at 2014_10_03, former_category CURRENT_EVENTS, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Geocon CnC Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.0|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENUS)"; fast_pattern; bsize:76; http.cookie; bsize:172; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; reference:url,github.com/darkr4y/geacon/blob/5d9a9101c1f3b7dfb71484a58db5cc51ea279583/cmd/packet/http.go; reference:md5,6e020db51665614f4a2fd84fb0f83778; classtype:command-and-control; sid:2031237; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Win32.Vobfus Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3f|"; offset:2; depth:20; pcre:"/^\/[a-zA-Z0-9]{1,19}\/?\?[abdefijhgv\x22](?:\x7C\x2d?\d+?[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14})?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.host; content:!"www.pinterest.com"; http.header_names; content:!"Accept-Language"; content:!"Referer"; reference:md5,3ed744b12a77359576af10a265154081; reference:md5,a2049adc2834d797b37f45382608f2b4; classtype:command-and-control; sid:2018958; rev:20; metadata:created_at 2013_03_25, former_category MALWARE, updated_at 2020_08_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|proclist|22|"; content:"svchost.exe"; content:"name=|22|sysinfo|22|"; content:"ipconfig"; content:"net view /all"; fast_pattern; content:"nltest"; distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:command-and-control; sid:2031241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:2<>5; flowbits:set,ET.Onelouder.bin; flowbits:noalert; http.method; content:"GET"; http.uri; pcre:"/^\/(?P<n>\d)(?P=n){1,2}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-Language"; classtype:trojan-activity; sid:2018981; rev:6; metadata:created_at 2014_08_22, updated_at 2020_08_28;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc 2020-11-30)"; flow:established,to_client; tls.cert_subject; content:"CN=filestream.download"; nocase; endswith; reference:md5,1e0d96c551ca31a4055491edc17ce2dd; classtype:domain-c2; sid:2031240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_11_30, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:1<>7; flowbits:set,ET.OneLouderHeader; flowbits:noalert; http.uri; pcre:"/\/\d+$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-Language"; content:!"Referer"; classtype:trojan-activity; sid:2018983; rev:9; metadata:created_at 2014_08_22, updated_at 2020_08_28;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Blackrota Domain"; dns.query; content:"blackrato.ga"; nocase; bsize:12; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031234; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Geodo Checkin"; flow:established,to_server; urilen:16<>20; http.method; content:"POST"; http.uri; content:"/"; offset:8; depth:2; content:"/"; offset:16; depth:3; pcre:"/^\/[a-f0-9]{7,8}\/[a-f0-9]{7,8}\/$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,fa50062b7763487b3dd6f9ed0a2f3549; reference:url,pastebin.com/qnLmpKuQ; classtype:command-and-control; sid:2018496; rev:11; metadata:created_at 2014_05_22, former_category MALWARE, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"european-who.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031246; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; http.method; content:"post"; nocase; fast_pattern; content:!"POST"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:6; metadata:created_at 2012_03_15, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"who-international.com"; nocase; bsize:21; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031247; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:"<u|3a|GetSecurityKeys|20|"; fast_pattern; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027375; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2019_05_23, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"office-pulgin.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031248; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:"<u|3a|GetSecurityKeys|20|"; fast_pattern; reference:url,www.exploit-db.com/exploits/40740; classtype:attempted-admin; sid:2027376; rev:2; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2019_05_23, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"health-world-org.com"; nocase; bsize:20; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031249; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTA.BabyShark HTTP Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php"; http.request_body; content:"filename=|22|ttmp1.log|22|"; fast_pattern; content:"BEGIN|20|CERTIFICATE"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,94b60cf91e550e1d981aaf9962d52e18; classtype:trojan-activity; sid:2027377; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category TROJAN, malware_family BabyShark, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"adverting-cdn.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031250; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Quasar Related)"; flow:established,to_client; tls.cert_subject; content:"CN=MSGQ Server CA"; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:trojan-activity; sid:2027381; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org)"; dns.query; content:"hotspot.accesscam.org"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031252; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS ShellWindows/AddInProcess Win10 DeviceGuardBypass Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|9BA05972-F6A8-11CF-A442-00A0C90A8F39|7d|"; nocase; fast_pattern; content:"AddInProcess"; content:"|2f|guid|3a|"; distance:0; content:"|2f|pid|3a|"; distance:0; content:"Windows|5c 5c|Microsoft.Net|5c 5c|"; distance:0; classtype:trojan-activity; sid:2027378; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag DeviceGuard, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org)"; dns.query; content:"highcolumn.webredirect.org"; nocase; bsize:26; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031253; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfa/Alpha Ransomware Checkin"; flow:established,to_server; urilen:33; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Cache-Control"; content:!"Pragma"; content:!"Referer"; content:!"User-Agent"; http.start; pcre:"/^GET\x20\/[A-F0-9]{32}\x20HTTP\/1\.1\r\nHost\x3a\x20[^\r\n]+\r\n\r\n$/"; reference:md5,0601d824d188a42bc530f349926f1f95; reference:md5,900cacbd18f1e21cf6b5a9f842c23b72; reference:url,www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/; classtype:command-and-control; sid:2023083; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org)"; dns.query; content:"ethdns.mywire.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031254; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ProtonBot User-Agent"; flow:established,to_server; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027384; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category TROJAN, malware_family ProtonBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org)"; dns.query; content:"theguardian.webredirect.org"; nocase; bsize:27; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031255; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.Fedex_DHL_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2026529; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (allmedicalpro .com)"; dns.query; content:"allmedicalpro.com"; nocase; bsize:17; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031256; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 25 40 20|Page|20|Language=|22|Jscript|22 25 3e 3c 25|eval|28|"; fast_pattern; content:"FromBase64String"; distance:0; nocase; content:"|25 3e|"; distance:0; classtype:trojan-activity; sid:2027393; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_05_29, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (mediqhealthcare .com)"; dns.query; content:"mediqhealthcare.com"; nocase; bsize:19; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031257; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PowerShell Internet Connectivity Check via Network GUID Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|GetTypeFromCLSID"; nocase; content:"|5b|Guid|5d 27 7b|DCB00C01-570F-4A9B-8D69-199FDBA5723B|7d 27 29 29|.IsConnectedToInternet"; distance:0; nocase; fast_pattern; reference:md5,036180b14dce975a055e62902e5f3567; classtype:trojan-activity; sid:2027394; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (gofinancesolutions .com)"; dns.query; content:"gofinancesolutions.com"; nocase; bsize:22; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031258; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080,80] (msg:"ET MALWARE W32/Emotet.v4 Checkin"; flow:established,to_server; http.header; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a[03478]+/mi"; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/s"; http.start; content:"POST / HTTP/1.1|0d 0a|User-Agent|3a 20|"; depth:29; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; content:!"Cookie"; content:!"TagId"; classtype:command-and-control; sid:2035047; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_24, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkIRC Bot CnC Domain Lookup"; dns.query; content:"cnc."; startswith; fast_pattern; content:".xyz"; endswith; bsize:22; pcre:"/^cnc\.[a-fA-F0-9]{14}.xyz$/"; reference:url,blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability; classtype:command-and-control; sid:2031260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LDPinch Checkin Post"; flow:established,to_server; content:"|0d 0a 0d 0a|a="; fast_pattern; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; classtype:command-and-control; sid:2017948; rev:4; metadata:created_at 2014_01_10, former_category MALWARE, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; pcre:"/^[^&]+&[a-z]=[^&]+&[a-z]=[A-F0-9]+$/Rsi"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32)"; bsize:41; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,2250fec29baf44d9d2c123ae037fce9c; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036308; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ECSHOP user.php SQL INJECTION via Referer"; flow:established,to_server; http.uri; content:"/user.php"; http.referer; content:"SELECT"; nocase; content:"UNION"; nocase; content:",4,5,6,7,8,0x"; fast_pattern; reference:url,github.com/theLSA/ecshop-getshell; reference:url,github.com/Hzllaga/EcShop_RCE_Scanner/; reference:url,xz.aliyun.com/t/2689?from=groupmessage; classtype:web-application-attack; sid:2027416; rev:2; metadata:attack_target Web_Server, created_at 2019_05_31, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information"; flow:established,to_server; http.uri; content:"?q=7b2268776964223a22"; nocase; fast_pattern; content:"222c22706e223a22"; nocase; distance:0; content:"222c226f73223a2257696e646f7773"; nocase; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:trojan-activity; sid:2030393; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2020_12_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ThinkPHP RCE Exploitation Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index"; content:"/invokefunction&function=call_user_func_array"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/45978; classtype:attempted-admin; sid:2026731; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_12_14, deployment Perimeter, deployment Datacenter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, tag ThinkPHP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (gogohid .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogohid.com"; bsize:11; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG-P Variant CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jpg"; pcre:"/_[A-F0-9]{12}\.jpg$/i"; http.request_body; content:"H|00|O|00|S|00|T|00 20 00|N|00|A|00|M|00|E|00 3a|"; depth:19; fast_pattern; reference:url,speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt; classtype:command-and-control; sid:2027431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_04, deployment Perimeter, former_category MALWARE, malware_family ICEFOG_P, performance_impact Low, signature_severity Major, tag APT, tag IceFog, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (blackl1vesmatter .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackl1vesmatter.org"; bsize:20; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG-P Variant CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jpg"; pcre:"/_[A-F0-9]{12}&filename=\w{1,20}\.jpg$/i"; http.request_body; content:"|00 3a 00 7c 00|d|00|i|00|s|00|k|00|"; depth:15; fast_pattern; reference:url,speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt; classtype:command-and-control; sid:2027432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_04, deployment Perimeter, former_category MALWARE, malware_family ICEFOG_P, performance_impact Low, signature_severity Major, tag APT, tag IceFog, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (vincentolife .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vincentolife.com"; bsize:16; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031263; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-06-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&CcNumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv"; nocase; classtype:credential-theft; sid:2029675; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Qbot CnC Activity M2"; flow:established,to_server; http.request_line; content:"POST|20|/t4|20|HTTP/1.1"; bsize:17; fast_pattern; http.accept; content:"application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*"; bsize:70; http.request_body; pcre:"/^[A-Za-z0-9]{3,20}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.header_names; content:!"Referer"; reference:md5,3ceb36fc3607df3d67d9eb0f1d00fea0; classtype:command-and-control; sid:2035525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Qbot, performance_impact Low, signature_severity Major, updated_at 2020_12_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PLATINUM Steganographic HTTP Response Page Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21|--1234567890--"; fast_pattern; content:"|3c|td|20|bgcolor=|22|"; distance:0; content:"|3c|td|20|align=|22|"; distance:0; content:"|20 20 20 20 09|"; distance:0; content:"|20 20 20 20|"; distance:0; content:"--1234567890--|3e|"; distance:0; reference:url,securelist.com/platinum-is-back/91135/; classtype:trojan-activity; sid:2027434; rev:3; metadata:created_at 2019_06_05, former_category TROJAN, malware_family PLATINUM, tag T1001, tag data_obfuscation, tag T1140, tag deobfuscate_decode_payload, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sofacy Zebrocy CnC DNS Lookup (support-cloud .life)"; dns_query; content:"support-cloud.life"; nocase; bsize:18; reference:url,www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/; classtype:domain-c2; sid:2031315; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WSHRAT CnC Checkin"; flow:established,to_server; flowbits:set,ET.WSHRAT.1; http.method; content:"POST"; http.user_agent; content:"WSHRAT|7c|"; depth:7; fast_pattern; content:"|20|-|20|"; distance:0; classtype:command-and-control; sid:2027447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, former_category MALWARE, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi/?SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031314; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WSHRAT Keylogger Module Download Command Inbound"; flow:established,from_server; flowbits:isset,ET.WSHRAT.1; http.stat_code; content:"200"; file.data; content:"offline-keylogger|7c|"; depth:18; fast_pattern; classtype:trojan-activity; sid:2027448; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi?SoID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031313; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WSHRAT Credential Dump Module Download Command Inbound"; flow:established,from_server; flowbits:isset,ET.WSHRAT.1; http.stat_code; content:"200"; file.data; content:"get-pass-offline|7c|"; depth:17; fast_pattern; classtype:trojan-activity; sid:2027449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_10, deployment Perimeter, former_category TROJAN, malware_family WSHRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 - Stage 2 - Request"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_aWQ9"; fast_pattern; content:".html"; endswith; pcre:"/_aWQ9[a-zA-Z0-9\/]{43,46}(?:JmdpZD|Z2lkP|ZnaWQ9)/"; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"BURAN"; fast_pattern; bsize:5; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027446; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Trojan.APT.9002 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]+$/"; http.user_agent; content:"lynx"; depth:4; isdataat:!1,relative; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:targeted-activity; sid:2017702; rev:4; metadata:created_at 2013_11_11, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-14"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; pcre:"/^uname=[^&]+&psw=/i"; classtype:credential-theft; sid:2031869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[A-F0-9]{24}$/"; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; depth:13; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017714; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_12_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Encoded Wide PowerShell (IEX) in Certificate Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"-----BEGIN|20|CERTIFICATE-----|0d 0a|YVFCb"; depth:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-2725-exploited-and-certificate-files-used-for-obfuscation-to-deliver-monero-miner/; classtype:trojan-activity; sid:2027462; rev:2; metadata:created_at 2019_06_12, cve CVE_2019_2725, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage1 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?host="; fast_pattern; content:"&password="; distance:0; pcre:"/\.php\?host=[^&]+&password=[a-f0-9]{32}$/"; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029499; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Request to gate.php Dotted-Quad"; flow:established,to_server; http.uri; content:"/gate.php"; nocase; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kuluoz.B Request"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-f0-9]+$/i"; http.header; content:"Windows NT 9.0|3b|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:6; metadata:created_at 2012_12_05, updated_at 2020_12_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"BF:98:15:9B:69:48:D8:F8"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:domain-c2; sid:2027463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox CnC Beacon"; flow:established,to_server; http.host; pcre:"/\x3a\d{1,5}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016528; rev:8; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 ShellTea CnC)"; flow:from_server,established; tls.cert_serial; content:"9F:E8:45:03:13:A0:52:D7"; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:domain-c2; sid:2027464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family ShellTea, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag FIN8, updated_at 2020_08_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/Oceanlotus Maldoc CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?"; content:"=e010000127"; distance:0; fast_pattern; content:".exe|3b|"; nocase; pcre:"/^[^\r\n]+\.exe(?:\x3b)?$/Ri"; reference:md5,e2511f009b1ef8843e527f765fd875a7; reference:md5,cc2027319a878ee18550e35d9b522706; reference:url,twitter.com/HONKONE_K/status/1290511333343993856; classtype:command-and-control; sid:2030652; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vools Variant CnC Checkin"; flow:established,to_server; http.uri; content:".html?mac="; fast_pattern; content:"&ip="; distance:0; content:"&host="; distance:0; content:"&tick="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/; classtype:command-and-control; sid:2027470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_13, deployment Perimeter, former_category MALWARE, malware_family Vools, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MontysThree HTTPTransport Module Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|image|22 3b 20|filename=|22|image.jpg|22|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1f0461dba1aefdd124f8333afe7f5982; reference:url,twitter.com/Int2e_/status/1314479575523446784; classtype:trojan-activity; sid:2030994; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Maldoc CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Cricking Merrily Sandoval/O=Appertained Screened/L=Regulation Icbm/ST=New York/C=US"; reference:url,twitter.com/jfslowik/status/1135567258472853505; classtype:command-and-control; sid:2027477; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"."; pcre:"/\.(?:gif|bmp|jpeg|png)$/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021829; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Packed Perl with Eval Statement"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"eval unpack u=>"; depth:15; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor; reference:md5,0f166e74fd008eef8e54f8bc28af8a82; classtype:trojan-activity; sid:2027478; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_14, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M6"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023679; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027453; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M7"; flow:from_server,established; flowbits:isset,min.gethttp; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023711; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027452; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 3"; flow:to_server,established; content:"/rico.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020656; rev:5; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; depth:23; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027461; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:104; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|Content-Length|3a 20|"; distance:0; pcre:"/User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a)[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nContent-Length\x3a\x20\d+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/m"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021631; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; depth:23; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027460; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[^\x2e\x3f\x3d\x26]+\.[^\x2e\x2f\x3f\x3d\x26]+$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.referer; pcre:"/^http\x3a\x2f\x2f[^\x2f]+\x2f$/"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FCM-MB40 Attempted Remote Command Execution as Root"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/camctrl_save_profile.cgi"; depth:33; fast_pattern; content:"num="; distance:0; content:"name="; distance:0; content:"a|20|-e|20|s|2f 5e|"; distance:0; content:"|20 2e 2e|/cgi-bin/ddns.cgi|20|"; distance:0; content:"&save=profile"; distance:0; reference:url,xor.cat/2019/06/19/fortinet-forticam-vulns/; classtype:attempted-admin; sid:2027513; rev:3; metadata:attack_target IoT, created_at 2019_06_24, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.start; content:".php|20|HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; http.host; content:!".360.cn"; reference:md5,518d189f8922280c81ab123604076dfd; classtype:command-and-control; sid:2035075; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PowerShell Empire Activity Outbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; depth:1; pcre:"/^(?:login\/process|admin\/get|news)\.php$/R"; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"; http.cookie; content:"session="; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.start; content:".php|20|HTTP|2f|1.1|0d 0a|Cookie|3a 20|session="; fast_pattern; http.header_names; content:!"Referer"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_24, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag PowerShell_Empire, tag T1086, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Passwords.txt"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2029846; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Observed FxCodeShell Web Shell Password"; flow:established,to_server; http.request_body; content:"FxxkMyLie1836710Aa"; classtype:trojan-activity; sid:2027514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category WEB_SERVER, malware_family FxCodeShell, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getPolicy?a="; fast_pattern; startswith; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031320; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned EWE Telecom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login-tk.ewe.de/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M1"; flow:established,to_server; http.uri; content:"/swip/Events"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned La Banque Postale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://voscomptesenligne.labanquepostale.fr/"; distance:4; within:46; fast_pattern; classtype:social-engineering; sid:2027520; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M2"; flow:established,to_server; http.uri; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ATB Bank Online Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.atbonline.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027521; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M3"; flow:established,to_server; http.uri; content:"swip/Upload.ashx"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031339; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned RBC Royal Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www1.royalbank.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027522; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M4"; flow:established,to_server; http.uri; content:"/swip/upd/"; within:75; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibc.mobi/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027523; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to digitalcollege .org"; flow:established,to_server; http.host; dotprefix; content:".digitalcollege.org"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://ib.absa.co.za/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to freescanonline .com"; flow:established,to_server; http.host; dotprefix; content:".freescanonline.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027525; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to deftsecurity .com"; flow:established,to_server; http.host; dotprefix; content:".deftsecurity.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031349; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://instagram.com/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to thedoccloud .com"; flow:established,to_server; http.host; dotprefix; content:".thedoccloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Spotify Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.spotify.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to virtualdataserver .com"; flow:established,to_server; http.host; dotprefix; content:".virtualdataserver.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ADP Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://runpayroll.adp.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M2"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Server: nginx/1.14.0 (Ubuntu)"; content:"Connection|3a 20|close"; distance:0; content:"Cache-Control|3a 20|max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options|3a 20|nosniff"; distance:0; content:"X-AspNetMvc-Version|3a 20|3.0"; fast_pattern; distance:0; content:"X-AspNet-Version|3a 20|4.0.30319"; distance:0; content:"X-Powered-By|3a 20|ASP.NET"; distance:0; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:6; within:4; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Westpac Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://bank.westpac.co.nz/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M3"; flow:established,from_server; file.data; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Simplii Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://mobile.simplii.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027530; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M4"; flow:established,from_server; file.data; content:"<p>Companies-Best-Man-Vendors-Best</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibconline.cibc.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027531; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M5"; flow:established,from_server; file.data; content:"<meta name=|22|msvalidate.01|22| content=|22|ECEE9516DDABFC7CCBBF1EACC04CAC20|22|>"; content:"<meta name=|22|google-site-verification|22| content=|22|CD5EF1FCB54FE29C838ABCBBE0FA57AE|22|>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Chase Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure05c.chase.com/"; distance:4; within:29; fast_pattern; classtype:social-engineering; sid:2027532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M6"; flow:from_server,established; file.data; content:"<p>Million-Support-Years-Week-Agents</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Scotiabank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.scotiaonline.scotiabank.com/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027533; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|"; content:"|22 3b|filename=|22|"; content:"|22 0a|Content-Type|3a|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031323; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cox.com/"; distance:4; within:21; fast_pattern; classtype:social-engineering; sid:2027534; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .com)"; dns_query; content:"tocaoonline.com"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031372; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://idm.xfinity.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027536; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (qh2020 .org)"; dns_query; content:"qh2020.org"; nocase; bsize:10; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031373; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telstra Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.my.telstra.com.au/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027537; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tinmoivietnam .com)"; dns_query; content:"tinmoivietnam.com"; nocase; bsize:17; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031374; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.xfinity.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027538; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .org)"; dns_query; content:"tocaoonline.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031375; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Itscom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://webmail.itscom.net/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027539; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (facebookdeck .com)"; dns_query; content:"facebookdeck.com"; nocase; bsize:16; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031376; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://staticweb.bankofamerica.com/"; distance:4; within:37; fast_pattern; classtype:social-engineering; sid:2027540; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (nhansudaihoi13 .org)"; dns_query; content:"nhansudaihoi13.org"; nocase; bsize:18; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031377; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.bankofamerica.com/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (thundernews .org)"; dns_query; content:"thundernews.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031378; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure.bankofamerica.com/"; distance:4; within:34; fast_pattern; classtype:social-engineering; sid:2027542; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to thedoccloud .com"; dns.query; content:"thedoccloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Microsoft Office Apps Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://odc.officeapps.live.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027543; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to deftsecurity .com"; dns.query; content:"deftsecurity.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://accounts.login.idm.telekom.com/"; distance:4; within:40; fast_pattern; classtype:social-engineering; sid:2027544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to freescanonline .com"; dns.query; content:"freescanonline.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Fidelity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.fidelity.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to websitetheme .com"; dns.query; content:"websitetheme.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031328; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Societe Generale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://particuliers.societegenerale.fr/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027546; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com"; dns.query; content:"highdatabase.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031329; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Impots Gouv FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from cfspart.impots.gouv.fr"; within:500; classtype:social-engineering; sid:2027547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to incomeupdate .com"; dns.query; content:"incomeupdate.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031330; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Godaddy Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from sso.godaddy.com"; within:500; classtype:social-engineering; sid:2027548; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to databasegalore .com"; dns.query; content:"databasegalore.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031331; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Dropbox Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.dropbox.com"; within:500; classtype:social-engineering; sid:2027549; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to panhardware .com"; dns.query; content:"panhardware.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned American Express Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from online.americanexpress.com"; within:500; classtype:social-engineering; sid:2027550; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to zupertech .com"; dns.query; content:"zupertech.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.absa.co.za"; within:500; classtype:social-engineering; sid:2027551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to virtualdataserver .com"; dns.query; content:"virtualdataserver.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Match Dating Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from secure.match.com"; within:500; classtype:social-engineering; sid:2027552; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to digitalcollege .org"; dns.query; content:"digitalcollege.org"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from accounts.login.idm.telekom.com"; within:500; classtype:social-engineering; sid:2027553; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Grabber CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/datarecord/"; endswith; http.request_body; content:"username="; startswith; content:"&content=IP%3a+"; distance:0; fast_pattern; content:"%0a"; endswith; reference:md5,635b08c141465abf86eaec88391b5ee6; classtype:command-and-control; sid:2030599; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned South State Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.southstatebank.com"; within:500; classtype:social-engineering; sid:2027554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (thedoccloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".thedoccloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Google Tools Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from tools.google.com"; within:500; classtype:social-engineering; sid:2027555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (incomeudpate .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".incomeupdate.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Yahoo Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from login.yahoo.com"; within:500; classtype:social-engineering; sid:2027556; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (panhardware .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".panhardware.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Discover Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from card.discover.com"; within:500; classtype:social-engineering; sid:2027557; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (freescanonline .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".freescanonline.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031365; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Linkedin Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.linkedin.com"; within:500; classtype:social-engineering; sid:2027558; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (databasegalore .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".databasegalore.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031366; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned NAB Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.nab.com.au"; within:500; classtype:social-engineering; sid:2027559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (highdatabase .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".highdatabase.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Ziggo NL Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.ziggo.nl"; within:500; classtype:social-engineering; sid:2027560; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (websitetheme .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".websitetheme.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Goth Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 47 4f 54 48 20 42 4f 59 20 43 4c 49 51 55 45 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 2d 2d 3e|"; classtype:social-engineering; sid:2027563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (zupertech .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".zupertech.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Zeus365 Encoding"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 68 74 6d 6c 20 65 6e 63 72 79 70 74 69 6f 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 7a 65 75 73 33 36 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2027562; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (deftsecurity .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".deftsecurity.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/struts2"; http.content_type; content:"|25 7b 28 23|"; isdataat:500,relative; content:"cmd.exe"; fast_pattern; content:"@java.lang.System@getProperty(|27|os.name|27|)"; reference:cve,2017-9805; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027516; rev:2; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Googlebot/2.1|3b 20|+http|3a 2f 2f|www.google|2e|com/bot.html)"; bsize:72; http.request_body; content:"="; depth:25; content:"&"; distance:0; content:"="; distance:0; within:25; content:"=V2luZG93cy"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/pymicropsia/; classtype:trojan-activity; sid:2031371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Fake Mozilla User-Agent String Observed (M0zilla)"; flow:established,to_server; http.user_agent; content:"M0zilla|2f|"; depth:8; fast_pattern; content:"."; distance:1; within:1; reference:md5,c6c1292bf7dd1573b269afb203134b1d; classtype:trojan-activity; sid:2027565; rev:2; metadata:created_at 2019_06_26, former_category USER_AGENTS, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to solartrackingsystem .net"; dns.query; dotprefix; content:".solartrackingsystem.net"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031387; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ThinkPHP Attempted Bypass and Payload Retrieval"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/public/hydra.php?xcmd=cmd.exe"; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027518; rev:2; metadata:attack_target Server, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to lcomputers .com"; dns.query; dotprefix; content:".lcomputers.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031389; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING SSL/TLS Certificate Observed (Lucy Phishing Awareness Default Certificate)"; flow:established,to_client; tls.cert_issuer; content:"C=CH, ST=Thalwil, L=Thalwil, O=LUCY Phishing GmbH, OU=LUCY Phishing GmbH"; reference:url,cdn.riskiq.com/wp-content/uploads/2019/06/Gift-Cardsharks-Intelligence-Report-2019-RiskIQ.pdf; reference:url,lucysecurity.com; classtype:misc-activity; sid:2027621; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to seobundlekit .com"; dns.query; dotprefix; content:".seobundlekit.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031390; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful France Ministry of Action and Public Accounts Phish 2019-07-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"rfr="; nocase; content:"&teledec="; nocase; fast_pattern; content:"&spi="; nocase; content:"&AK09="; nocase; classtype:credential-theft; sid:2027679; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to kubecloud .com"; dns.query; dotprefix; content:".kubecloud.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031391; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING France Ministry of Action and Public Accounts Phish Landing"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"cardcc|27 29|.mask|28 20 22|9999"; fast_pattern; content:"<title>Remboursement<|2f|title>"; distance:0; content:"id=|22|impotsgouv|22|"; distance:0; classtype:social-engineering; sid:2027680; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to globalnetworkissues .com"; dns.query; dotprefix; content:".globalnetworkissues.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031392; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Command Output to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=res&R="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027682; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (solartrackingsystem .net in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031393; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Registering with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=reg&UU="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027683; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031394; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Tok="; content:"&newsUID="; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027685; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031395; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-07-09"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&epass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (seobundlekit .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031396; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBA/TrojanDownloader.Agent.PAC Retreiving Malicious VBScript"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/open?id="; fast_pattern; depth:9; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,7489fb981cd054c665e442dfea8ef203; reference:url,blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html; classtype:trojan-activity; sid:2027697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.VBScript Requesting Instruction from CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/open?topics=s9"; fast_pattern; depth:15; pcre:"/^[0-9]{3}$/R"; http.header_names; content:!"Referer"; reference:md5,7489fb981cd054c665e442dfea8ef203; reference:url,blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html; classtype:command-and-control; sid:2027698; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (globalnetworkissues .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"%DESKTOP%|5c 3b|*.txt|3a|*.dat|3a|*wallet*.*|3a|*2fa*.*|3a|*backup*.*|3a|*code*.*|3a|*password*.*|3a|*auth*.*|3a|*google*.*|3a|*utc*.*|3a|*UTC*.*|3a|*crypt*.*|3a|*key*.*|3b|"; fast_pattern; classtype:trojan-activity; sid:2035911; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Megumin, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (solartrackingsystem .net)"; flow:established,to_client; tls.cert_subject; content:"CN=solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031380; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|cp_appbooking_pform_process|22|"; fast_pattern; content:"form-data|3b 20|name=|22|email_1|22 0d 0a 0d 0a 3c|script|3e|"; distance:0; reference:cve,CVE-2019-13505; reference:url,github.com/ivoschyk-cs/CVE-s/blob/master/Appointment%20Hour%20Booking%20%E2%80%93%20WordPress%20Booking%20Plugin%20--%20stored%20XSS; classtype:web-application-attack; sid:2027706; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2019_07_12, deployment Internet, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (webcodez .com)"; flow:established,to_client; tls.cert_subject; content:"CN=webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031381; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=srv75"; tls.cert_issuer; content:"CN=srv75"; tls.cert_serial; content:"00:D2:68:75:C1:88:0D:92:50"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (lcomputers .com)"; flow:established,to_client; tls.cert_subject; content:"CN=lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031382; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vps"; tls.cert_issuer; content:"CN=vps"; tls.cert_serial; content:"00:82:BA:B9:98:69:CD:2D:63"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit .com)"; flow:established,to_client; tls.cert_subject; content:"CN=seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031383; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vm19622"; tls.cert_issuer; content:"CN=vm19622"; tls.cert_serial; content:"00:B0:B9:E1:42:A0:E9:1A:C7"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027715; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (kubecloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031384; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vs27367.pivps.com"; tls.cert_issuer; content:"CN=vs27367.pivps.com"; tls.cert_serial; content:"00:B7:E8:9E:97:46:C0:42:69"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (globalnetworkissues .com)"; flow:established,to_client; tls.cert_subject; content:"CN=globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031385; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vs27367.pivps.com"; tls.cert_issuer; content:"CN=vs27367.pivps.com"; tls.cert_serial; content:"00:CB:64:0E:B9:89:F8:B5:0D"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027717; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (panhardware .com)"; flow:established,to_client; tls.cert_subject; content:"CN=panhardware.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=debian"; tls.cert_issuer; content:"CN=debian"; tls.cert_serial; content:"00:B5:72:87:4F:73:49:1F:AC"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027718; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com)"; flow:established,to_client; tls.cert_subject; content:"CN=deftsecurity.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vs14265.pivps.com"; tls.cert_issuer; content:"CN=vs14265.pivps.com"; tls.cert_serial; content:"00:9C:9E:D0:2E:CE:16:27:E2"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027719; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=thedoccloud.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (StrongPity)"; flow:established,to_client; tls.cert_subject; content:"CN=vps.server.com"; tls.cert_issuer; content:"CN=vps.server.com"; tls.cert_serial; content:"00:B2:51:A1:E9:9C:0E:FB:8B"; fast_pattern; reference:url,www.alienvault.com/blogs/labs-research/newly-identified-strongpity-operations; classtype:trojan-activity; sid:2027720; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, tag StrongPity, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com)"; flow:established,to_client; tls.cert_subject; content:"CN=virtualdataserver.com"; bsize:24; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Proyecto RAT Variant - Yopmail Stage 2 CnC Retrieval"; flow:established,from_server; flowbits:isset,ET.Proyecto.YopmailLogin; http.stat_code; content:"200"; http.response_body; content:"|3c|span class|3d 22|lms|22 3e c2 a1|"; fast_pattern; content:"|c2 a1|</span>"; within:30; reference:md5,295d31fd532ed0257149b191146b5236; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:command-and-control; sid:2027735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com)"; flow:established,to_client; tls.cert_subject; content:"CN=incomeupdate.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proyecto RAT Variant - Yopmail Login attempt (set)"; flow:established,to_server; flowbits:set,ET.Proyecto.YopmailLogin; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/es/inbox.php?login="; content:"&p="; content:"&d=&ctrl=&scrl=&spam=true&yf="; distance:1; within:29; fast_pattern; http.host; content:"www.yopmail.com"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,295d31fd532ed0257149b191146b5236; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:trojan-activity; sid:2027734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org)"; flow:established,to_client; tls.cert_subject; content:"CN=digitalcollege.org"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031342; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA"; flow:to_server,established; http.user_agent; content:"|3c 7c 3e|"; fast_pattern; content:"|3c 7c 3e|"; distance:0; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017994; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2014_01_22, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com)"; flow:established,to_client; tls.cert_subject; content:"CN=zupertech.com"; bsize:16; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ketrican CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx?a1="; fast_pattern; pcre:"/^[a-f0-9]{8}$/R"; http.request_body; content:"AA"; depth:2; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.content_len; content:"88"; reference:url,www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf; reference:md5,e46d8f510c09f09e2e6b958b84190d8b; reference:md5,03a2f5ea0cea83e77770a4018c4469ab; classtype:command-and-control; sid:2027728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ketrican, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com)"; flow:established,to_client; tls.cert_subject; content:"CN=databasegalore.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031354; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell GIF Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027736; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=freescanonline.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell JPEG Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027737; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (websitetheme .com)"; flow:established,to_client; tls.cert_subject; content:"CN=websitetheme.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LooCipher Ransomware Onion Domain"; dns.query; content:"hcwyo5rfapkytajg"; nocase; depth:16; reference:md5,0c7e59536a7be4a446bbe8b4f22e5880; classtype:trojan-activity; sid:2027754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, tag LooCipher, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (highdatabase .com)"; flow:established,to_client; tls.cert_subject; content:"CN=highdatabase.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeamBot CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?gate&hwid="; content:"&id="; content:"&pwd="; content:"&info="; content:"|7b 22|os|22 3a 22|"; distance:0; content:"Windows"; within:50; content:"comment|22 3a 22|hTV_bot_[v"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,99d4feab94f7cda70110a1dc98f470d3; classtype:command-and-control; sid:2026851; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_24, deployment Perimeter, former_category MALWARE, malware_family TeamBot, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] Observed SUNBURST DGA Request"; dns.query; content:".appsync-api."; nocase; content:".avsvmcloud.com"; distance:9; within:15; endswith; nocase; fast_pattern; pcre:"/^[a-z0-9]+\.appsync-api\.(?:eu|us)-(?:ea|we)st-[12]\.avsvmcloud\.com$/"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031359; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; fast_pattern; http.request_body; content:"|3c|u|3a|AddPortMapping"; content:"|3c|NewRemoteHost|3e|"; distance:0; content:"|3c|NewInternalClient"; distance:0; content:"|3c 2f|NewInternalClient|3e|"; distance:0; content:"NewEnabled|3e|1"; distance:0; classtype:trojan-activity; sid:2027339; rev:3; metadata:attack_target IoT, created_at 2019_05_08, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031449; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (extreme-ip-lookup .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"extreme-ip-lookup.com"; depth:21; classtype:external-ip-check; sid:2027765; rev:3; metadata:created_at 2019_07_29, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"&"; http.request_body; content:"="; within:15; content:"|00 00 00 00 00 00|"; fast_pattern; isdataat:!1,relative; pcre:"/=[a-z0-9\(_~\-\.\x00]{300,}\x00$/i"; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.connection; content:"close"; depth:5; endswith; http.content_len; byte_test:0,>,300,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Content-Length|0d 0a|"; depth:36; reference:md5,6f5d2b42f4a74886ac3284fa9a414a87; classtype:command-and-control; sid:2031413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2021_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Observed LordEK HTTP POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; depth:2; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.request_body; content:"|7b 22|flash|22 3a|"; depth:9; fast_pattern; content:"|22|ip_address|22 3a 22|"; distance:0; content:"|22|country|22 3a 22|"; distance:0; http.header_names; content:"Referer"; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:exploit-kit; sid:2027788; rev:2; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"baldwin-gonzalez.live"; depth:21; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit (CVE-2018-15982)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application|2f|x-shockwave-flash"; file.data; content:"FWS"; depth:3; content:"cmd.exe|20 2f|c"; distance:0; nocase; fast_pattern; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:attempted-user; sid:2027789; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d="; startswith; fast_pattern; content:"&v="; distance:0; content:"&t="; distance:0; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,d01bcca6255a4f062fc59a014f407532; reference:md5,2d459929135993959cacceb0dd81a813; classtype:command-and-control; sid:2031417; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit with Stack-Based wininet"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application|2f|x-shockwave-flash"; file.data; content:"FWS"; depth:3; content:"hnet|00|hwini"; fast_pattern; distance:0; nocase; within:1000; content:".exe|00|"; pcre:"/^.{1,10}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/R"; classtype:attempted-user; sid:2027790; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_02, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/en/?2"; startswith; fast_pattern; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; http.request_body; content:"f="; startswith; content:"&c="; distance:0; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&mi="; distance:0; content:"&t="; distance:0; content:"&txt="; distance:0; content:"&e=EOF"; endswith; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,2d459929135993959cacceb0dd81a813; reference:md5,d01bcca6255a4f062fc59a014f407532; classtype:command-and-control; sid:2031418; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<!--|20|Lord|20|EK|20|-|20|Landing|20|page"; depth:60; nocase; fast_pattern; classtype:exploit-kit; sid:2027791; rev:2; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jaime-martinez.info"; depth:19; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<head>|0d 0a|<|2f|head>|0d 0a|<body>|0d 0a 20 20 20 20|<script>|0d 0a|var|20|"; depth:60; fast_pattern; pcre:"/^(?P<vars>[a-z0-9]{1,20})\s*=\s*new\s*Array\x3b\r\n(?:(?P=vars)\[\d{1,3}\]\s*=\s*\d{4,12}\x3b\r\n){5,40}/Ri"; content:"String.fromCharCode|28|"; nocase; content:"document.write|28|"; nocase; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:exploit-kit; sid:2027787; rev:3; metadata:created_at 2019_08_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family LordEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"judystevenson.info"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework Default HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; content:"|0d 0a 0d 0a|i="; fast_pattern; http.method; content:"POST"; http.uri; content:"/en-us/"; depth:7; http.request_body; content:"i="; depth:2; content:"&data="; distance:0; content:"&session="; distance:0; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027792; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"robert-keegan.life"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Covenant Framework HTTP Beacon"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.request_body; content:"=eyJHVUlEIjoi"; fast_pattern; pcre:"/^.+(IlR5cGUiO|JUeXBlIj|iVHlwZSI6)/R"; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; classtype:trojan-activity; sid:2027793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"benyallen.club"; depth:14; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:!"SlimBrowser"; http.host; content:!".taobao.com"; content:!".dict.cn"; content:!".avg.com"; content:!".weather.hao.360.cn"; content:!"es.f.360.cn"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; fast_pattern; classtype:trojan-activity; sid:2012612; rev:18; metadata:created_at 2011_03_31, former_category TROJAN, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"chad-jessie.info"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor Module Download Request"; flow:to_server,established; http.uri; content:"/?uuid="; content:"&ptype="; content:"&cacheFrom="; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027803; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Critical, tag Android, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"escanor.live"; depth:12; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Requesting Additional Modules"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?&1001="; fast_pattern; content:"&99="; distance:1; within:5; content:"&f2="; distance:0; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:trojan-activity; sid:2027809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category TROJAN, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"krasil-anthony.icu"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OceanLotus System Profiling JavaScript HTTP Request"; flow:established,to_server; http.uri; content:".jpg?v="; fast_pattern; content:"&d="; distance:0; pcre:"/\.jpg\?v=\d+&d=(?!\d{8}T\d{6}Z)(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/"; http.host; content:!"c.shld.net"; content:!"scholtzskys.com"; reference:url,www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/; classtype:targeted-activity; sid:2024969; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Critical, tag OceanLotus, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"nicoledotson.icu"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT XHR POST Request - Possible Form Grabber Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"info="; depth:5; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&hostname="; distance:0; fast_pattern; content:"&key="; distance:0; http.content_type; content:"application|2f|x-www-form-urlencoded"; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027818; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"samwinchester.club"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tatsumifoughtogre.club"; depth:22; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031409; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (vgca.homeunix .org)"; dns.query; content:"vgca.homeunix.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031431; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Caixa Phishing Landing"; flow:established,to_client; file.data; content:"<title>int_e_r-n___et___B_aNking---- :::____CAIXA"; nocase; fast_pattern; classtype:social-engineering; sid:2030817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (office365.blogdns .com)"; dns.query; content:"office365.blogdns.com"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031432; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))"; flow:established,to_server; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; reference:url,doc.emergingthreats.net/2011227; classtype:bad-unknown; sid:2011227; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertrex20.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031419; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator Agent Traffic"; flow:to_server,established; http.user_agent; content:"Gator/"; depth:6; reference:url,doc.emergingthreats.net/2000026; classtype:pup-activity; sid:2000026; rev:39; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"gentexman37.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"BSM1cr0S0ft"; fast_pattern; reference:url,content.fireeye.com/apt-41/rpt-apt41; classtype:targeted-activity; sid:2027858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category MALWARE, malware_family BLACKCOFFEE, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertsp74.xyz"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT Related - BLACKCOFFEE Command Delimiters in HTTP Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"SBM1cr0Soft"; fast_pattern; reference:url,content.fireeye.com/apt-41/rpt-apt41; classtype:targeted-activity; sid:2027859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category MALWARE, malware_family BLACKCOFFEE, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"shopweb95.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031422; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Uri Structure 2015-12-29"; flow:to_server,established; http.uri; content:".php?cmd=_"; nocase; fast_pattern; content:"account_limited="; distance:0; nocase; content:"&session="; nocase; distance:0; pcre:"/=[a-f0-9]{32}&session=[a-f0-9]{40}$/i"; classtype:social-engineering; sid:2031861; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"mexstat128.com"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; threshold:type limit, track by_src, count 2, seconds 360; http.user_agent; content:"Microsoft Internet Explorer"; depth:28; http.host; content:!"bbc.co.uk"; content:!"vmware.com"; content:!"rc.itsupport247.net"; content:!"msn.com"; content:!"msn.es"; content:!"live.com"; content:!"gocyberlink.com"; content:!"ultraedit.com"; content:!"windowsupdate.com"; content:!"cyberlink.com"; content:!"lenovo.com"; content:!"itsupport247.net"; content:!"msn.co.uk"; content:!"support.weixin.qq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:37; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"sdadvert197.com"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Pre-Auth Messages Payload Buffer Overflow (CVE-2018-13381)"; flow:established,to_server; http.request_body; content:"&msg=%26%23%3c"; fast_pattern; nocase; pcre:"/(?:\%3C){1000}/Ri"; http.start; content:"POST /message HTTP/1.1"; reference:cve,CVE-2018-13381; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027884; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.com"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c|a href=|22|javascript:void|28|0|29 3b|AAA"; depth:33; fast_pattern; pcre:"/A{1000}/R"; content:"python -c"; distance:0; content:"socket"; distance:0; reference:cve,CVE-2018-13383; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027891; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remote/fgt_lang?lang=/../"; depth:35; isdataat:30,relative; fast_pattern; reference:cve,CVE-2018-13379; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027883; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.com"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator/Claria Data Submission"; flow: to_server,established; http.method; content:"POST"; nocase; http.uri; content:"gs_trickler"; nocase; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:pup-activity; sid:2000596; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.xyz"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino on Net Reporting Data"; flow: to_server,established; http.uri; content:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:pup-activity; sid:2001031; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"&log=passwords|3a 20|"; depth:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Regnow.com Access"; flow: to_server,established; http.uri; content:"/softsell/visitor.cgi?"; nocase; content:"affiliate="; nocase; reference:url,www.regnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; classtype:pup-activity; sid:2001223; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"************************"; depth:24; content:"************************"; distance:0; content:"************************"; distance:0; content:"username|3a 20|"; distance:0; content:"password|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gator/Clarian Agent"; flow: to_server,established; http.uri; content:"/gbsf/"; nocase; content:"gtrg2ze"; nocase; reference:url,malware.wikia.com/wiki/Claria_Corporation; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; classtype:pup-activity; sid:2001306; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Nitol.K Variant CnC"; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; content:"Windows|20|"; distance:4; within:8; content:"|00|"; within:5; content:"|7c b4 ab b2 a5 7c|"; fast_pattern; reference:md5,56bff68317a0af08f749a1c717125cf3; classtype:command-and-control; sid:2022337; rev:4; metadata:created_at 2016_01_07, former_category MALWARE, updated_at 2020_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Websearch.com Spyware"; flow: to_server,established; http.uri; content:"/sitereview.asmx/GetReview"; nocase; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; classtype:pup-activity; sid:2001325; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?A="; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/R"; http.header; content:"Accept-Language|3a 20|zh-TW"; http.header_names; content:"Referer|0d 0a|"; content:!"Cache"; reference:md5,344c04216840312cad17b6610b723825; classtype:command-and-control; sid:2025145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Randrew_A, performance_impact Low, signature_severity Major, updated_at 2020_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Install .exe"; flow: to_server,established; http.uri; content:"/install/eZinstall.exe"; nocase; http.user_agent; content:"eZula"; depth:5; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; classtype:pup-activity; sid:2001334; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; http.uri; content:".html"; pcre:"/^\/\d+?\/\d+?\.html$/i"; http.header; content:"From|3a| "; depth:6; pcre:"/^\d+?\r\n/Ri"; content:"Via|3a| "; content:!"1|2e|"; within:2; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:command-and-control; sid:2015786; rev:5; metadata:created_at 2012_10_10, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BInet Information Upload"; flow: to_server,established; http.uri; content:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; classtype:pup-activity; sid:2001339; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M5"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__io_r="; fast_pattern; http.cookie; content:"__io_r="; startswith; content:"|3b 20|__io_vl="; distance:0; content:"|3b 20|__io_bl="; distance:0; content:"|3b 20|Session_id="; distance:0; content:"|3b 20|__io_uniq="; distance:0; content:"|3b 20|__io_f="; isdataat:!38,relative; pcre:"/^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}\x3b\x20__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}\x3b\x20__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}\x3b\x20Session_id=[0-9A-F]{12}\x3b\x20__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}\x3b\x20__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; classtype:command-and-control; sid:2031298; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2020_12_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; http.uri; content:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; classtype:pup-activity; sid:2001395; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http any any -> any any (msg:"ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logoimagehandler.ashx"; content:"clazz="; fast_pattern; content:"method="; content:"args="; content:"codes="; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect; reference:url,unit42.paloaltonetworks.com/solarstorm-supernova; classtype:trojan-activity; sid:2031436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_12_21, deployment Perimeter, former_category MALWARE, malware_family Solorigate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP E2give Related Downloading Code"; flow: to_server,established; http.uri; content:"/soft/unstall.exe"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; classtype:pup-activity; sid:2001418; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?c="; fast_pattern; pcre:"/\.php\?c=[a-f0-9]{160}$/"; http.referer; content:".php?q="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021228; rev:4; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MediaTickets Download"; flow: to_server,established; http.uri; content:"MediaTicketsInstaller.cab"; http.host; content:"www.mt-download.com"; startswith; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:pup-activity; sid:2001448; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent in Referer Field - Likely Malware"; flow:established,to_server; http.referer; content:"Mozilla/4.0|20|"; startswith; classtype:trojan-activity; sid:2013423; rev:10; metadata:created_at 2011_08_18, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Xpire.info Spyware Install Reporting"; flow: to_server,established; http.uri; content:"/report.php?user_id="; fast_pattern; content:"&status="; content:"&country_id="; http.user_agent; content:"Windows Internet"; depth:16; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:pup-activity; sid:2001472; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check (2)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/timezone/0/0"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:"www.earthtools.org"; bsize:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/09/09/index.html; classtype:trojan-activity; sid:2020491; rev:10; metadata:created_at 2015_02_20, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (prog)"; flow: to_server,established; http.uri; content:"/dkprogs/dktibs.php"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:pup-activity; sid:2001474; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks GET Request"; flow:established,to_server; urilen:4; http.method; content:"GET"; http.uri; content:"/dll"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/08/01/index3.html; classtype:trojan-activity; sid:2019138; rev:6; metadata:created_at 2014_09_08, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Receiving Commands"; flow: to_server,established; http.uri; content:"/xpsystem/commands.ini"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; classtype:pup-activity; sid:2001475; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zeprox.B Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a=n|60|e|3e|"; fast_pattern; http.header; content:"Proxy-Connection|3a|"; http.header_names; content:!"Referer|0d 0a|"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,bc27f28e5fe47b78202fd3108d39aac1; reference:md5,38c89cca7806fde08bba82b3cb533e5a; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32/Zeprox.B; classtype:command-and-control; sid:2020203; rev:8; metadata:created_at 2015_01_16, former_category MALWARE, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (systime)"; flow: to_server,established; http.uri; content:"/dkprogs/systime.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:pup-activity; sid:2001480; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"coms.documentmeda.com"; nocase; bsize:21; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031446; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmeup Spyware Install (mstask)"; flow: to_server,established; http.uri; content:"/dkprogs/mstasks3.txt"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:pup-activity; sid:2001483; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"freenow.chickenkiller.com"; nocase; bsize:25; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031447; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tibsystems Spyware Download"; flow: to_server,established; http.uri; content:"/d4.fcgi?v="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:pup-activity; sid:2001488; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PhantomNet/Smanager CnC)"; flow:established,to_client; tls.cert_subject; content:"C=AU, ST=Hello, L=China, O=Microsoft, OU=dirweb, CN=secfire/emailAddress=iunkown1987@gmail.com"; bsize:94; fast_pattern; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031448; rev:1; metadata:attack_target Client_and_Server, created_at 2020_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; http.uri; content:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; classtype:pup-activity; sid:2001494; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT LuckyMouse BlueTraveller CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/home/"; startswith; pcre:"/^[0-9]{4}\/[0-9]{4}\/[^\r\n]+(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; pcre:"/Cache-Control\r\n(?:\r\n|Cookie\r\n\r\n)$/"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031316; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Moderate, signature_severity Major, updated_at 2020_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; http.uri; content:"/campaigns"; nocase; http.header; content:"outerinfo.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; classtype:pup-activity; sid:2001496; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,9000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:96; reference:md5,73f8864c7dfee8445205d0d233f20707; classtype:trojan-activity; sid:2035076; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Activity"; flow: to_server,established; http.host; content:"campaigns.outerinfo.com"; startswith; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; classtype:pup-activity; sid:2001497; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031453; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer Activity User-Agent (IOKernel)"; flow: to_server,established; http.user_agent; content:"|20|IOKernel/"; reference:url,doc.emergingthreats.net/2001498; classtype:pup-activity; sid:2001498; rev:32; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in TLS SNI (mobilnweb .com)"; flow:established,to_server; tls.sni; content:"mobilnweb.com"; bsize:13; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Look2me Spyware Activity (1)"; flow: to_server,established; http.referer; content:"Look2Me"; nocase; startswith; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; classtype:pup-activity; sid:2001499; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in DNS Query"; dns_query; content:"mobilnweb.com"; nocase; depth:13; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Clickspring.net Spyware Reporting"; flow: to_server,established; http.uri; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:pup-activity; sid:2001500; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sephardimension .com)"; dns.query; content:"sephardimension.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031454; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; http.uri; content:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:pup-activity; sid:2001534; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (besaintegration .com)"; dns.query; content:"besaintegration.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031455; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; http.uri; content:"/protector.exe"; http.host; content:"install.searchmiracle.com"; startswith; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:pup-activity; sid:2001535; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (dmnadmin .com)"; dns.query; content:"dmnadmin.com"; nocase; bsize:12; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031456; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BInet Information Install Report"; flow: to_server,established; http.uri; content:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:pup-activity; sid:2001576; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sendbits .m2stor4ge .xyz)"; dns.query; content:"sendbits.m2stor4ge.xyz"; nocase; bsize:22; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031457; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; http.user_agent; content:"AproposClient AutoLoader"; reference:url,doc.emergingthreats.net/2001703; classtype:pup-activity; sid:2001703; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (myrric-uses .singlejets .com)"; dns.query; content:"myrric-uses.singlejets.com"; nocase; bsize:26; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031458; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware Install"; flow: established,to_server; http.uri; content:"/AproposClientInstaller.exe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; classtype:pup-activity; sid:2001704; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"securebestapp20.com"; bsize:19; fast_pattern; reference:md5,222792d2e75782516d653d5cccfcf33b; classtype:domain-c2; sid:2032958; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category MALWARE, malware_family DarkSide, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_12_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfSidekick Activity"; flow: established,to_server; http.uri; content:"/Bundling/SskUpdater"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:pup-activity; sid:2001731; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE NuggetPhantom Module Download Request"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:".moe"; endswith; fast_pattern; pcre:"/^\/[a-fA-F0-9]{8}\.moe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf; classtype:command-and-control; sid:2031467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (UCmore)"; flow: to_server,established; http.user_agent; content:"|20|UCmore"; reference:url,doc.emergingthreats.net/2001736; classtype:pup-activity; sid:2001736; rev:273; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"Cookie|3a 20|dkv="; fast_pattern; http.cookie; content:"dkv="; startswith; content:"|3b|YSC="; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; http.header_names; content:!"Referer"; content:!"Content-Type"; http.request_body; content:"DQpIb3N0IE5hbWU6"; startswith; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:command-and-control; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; http.user_agent; content:"HelperH"; reference:url,doc.emergingthreats.net/2001746; classtype:pup-activity; sid:2001746; rev:37; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in TLS SNI (cs .lg22l .com)"; flow:established,to_server; tls.sni; content:"cs.lg22l.com"; bsize:12; reference:md5,774419bb738a2a4fa18aacee88850d2c; classtype:domain-c2; sid:2031469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ABX Toolbar ActiveX Install"; flow: to_server,established; http.uri; content:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; classtype:pup-activity; sid:2001761; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag ActiveX, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Azula Logger CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=azula+logger&avatar_url="; startswith; fast_pattern; reference:md5,7ad3777dfb916150e21e9414dd24c1da; reference:url,github.com/CythosaSec/Azula-Logger; classtype:command-and-control; sid:2031470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Media Pass ActiveX Install"; flow: to_server,established; http.uri; content:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; classtype:pup-activity; sid:2001783; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag ActiveX, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mykessef .com)"; dns.query; content:"mykessef.com"; nocase; bsize:12; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031474; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Spyware User-Agent (FunWebProducts)"; flow:established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"FunWebProducts"; reference:url,doc.emergingthreats.net/2001855; classtype:pup-activity; sid:2001855; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mihannevis .com)"; dns.query; content:"mihannevis.com"; nocase; bsize:14; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Spyware User-Agent (Hotbar)"; flow: established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"|3b 20|Hotbar"; reference:url,doc.emergingthreats.net/2001858; classtype:pup-activity; sid:2001858; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (idtpl .org)"; dns.query; content:"idtpl.org"; nocase; bsize:9; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031476; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Visicom Spyware User-Agent (Visicom)"; flow: established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"Visicom"; reference:url,doc.emergingthreats.net/2001872; classtype:pup-activity; sid:2001872; rev:31; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA1C Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?REQ="; fast_pattern; content:"&ID="; distance:0; http.user_agent; content:"|29 20|WindowsPowerShell/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,b100f0ab63a2b74a5d5ff54d533fc60f; classtype:trojan-activity; sid:2031477; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; http.uri; content:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; classtype:pup-activity; sid:2001890; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.uri; content:"?i=7B226964223A22"; nocase; fast_pattern; content:"222C2268776964223A22"; nocase; distance:0; content:"227D"; nocase; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; reference:md5,a9c8b293fdb84ceb9478f8043ff19b71; classtype:trojan-activity; sid:2031481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware Reporting"; flow: to_server,established; http.uri; content:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; classtype:pup-activity; sid:2001995; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XSL file download (FTP)"; flow:established,to_server; content:"RETR|20|/frog/usoprive.xsl"; fast_pattern; reference:md5,dd0124264f131a203ecfc70314dcec04; reference:url,asec.ahnlab.com/ko/19439/; classtype:trojan-activity; sid:2031482; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; http.user_agent; content:"IEP"; depth:3; reference:url,doc.emergingthreats.net/2002021; classtype:pup-activity; sid:2002021; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ElectroRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|go-resty/"; content:"|20|(https|3a|//github.com/go-resty/resty)|0d 0a|"; distance:0; within:50; http.request_body; content:"{|22|id|22 3a 22|"; depth:7; content:"|22 2c 22|mac_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os_version|22 3a 22|"; nocase; fast_pattern; distance:0; content:"|22 2c 22|user_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os|22 3a 22|"; nocase; distance:0; http.header_names; content:!"Referer"; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shopathomeselect .com Spyware User-Agent (WebDownloader)"; flow: to_server,established; http.user_agent; content:"WebDownloader"; reference:url,doc.emergingthreats.net/2002038; classtype:pup-activity; sid:2002038; rev:251; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Screenshot)"; flow:established,from_server; content:"{|22|type|22 3a 22|Screenshot|22 2c 22|uid|22 3a|"; offset:2; depth:27; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031479; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; http.uri; content:"/protector.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:pup-activity; sid:2002092; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Get folder content)"; flow:established,from_server; content:"{|22|type|22 3a 22|Get folder content|22 2c 22|uid|22 3a|"; offset:2; depth:35; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031480; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; http.uri; content:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:pup-activity; sid:2002098; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat Backdoor Checkin"; flow:established,to_server; http.request_line; content:"GET /users.php?"; startswith; fast_pattern; pcre:"/^(?:resp|onl|pr)=/R"; content:"|3a|windows|20|"; distance:0; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; reference:md5,dae90ae7fe103fc7e1866b4e13389101; classtype:command-and-control; sid:2031486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; http.uri; content:"/sd?s="; nocase; pcre:"/\/sd\?s=\d+&f=\d/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; classtype:pup-activity; sid:2002196; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat CnC Acitivty M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/execuser.php?login="; startswith; fast_pattern; content:"&pass="; content:"&user="; http.user_agent; content:"Java/"; startswith; reference:url,malwaretips.com/threads/jphp-icerat-analysis.105233/; reference:md5,5e864667d91e3867a29df90dbcadb6b2; classtype:command-and-control; sid:2031487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iframebiz - loadadv***.exe"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/i"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; classtype:pup-activity; sid:2002710; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.ULH CnC Activity"; flow:established,to_server; http.start; content:"GET /swidget/d23r523t4id HTTP/1.1|0d 0a|Host|3a 20|whos.amung.us|0d 0a 0d 0a|"; bsize:58; fast_pattern; reference:md5,2679be8b6b76fb765191c9854af39e9f; classtype:command-and-control; sid:2031496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Adware 2"; flow: to_server,established; http.uri; content:"/cl/clienthost"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:pup-activity; sid:2002735; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC"; flow:established,to_server; http.request_line; content:"POST //"; depth:7; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&cred="; fast_pattern; distance:0; content:"|7c|"; within:10; pcre:"/^id=\d+&cred=[a-z]+\x7c/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ca467e332368cbae652245faa4978aa4; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/; classtype:command-and-control; sid:2031498; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_01_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenotecnico Spyware Install Report"; flow: to_server,established; http.uri; content:"/instreport"; http.header; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:pup-activity; sid:2002737; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ElegyRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=ElegyRAT Server"; fast_pattern; endswith; tls.cert_issuer; content:"CN=ElegyRAT Server"; endswith; reference:md5,a24cae9f6cf137e0e72817a1879f0acf; classtype:domain-c2; sid:2031497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, malware_family ElegyRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; http.user_agent; content:"|20|iDownloadAgent"; reference:url,doc.emergingthreats.net/2002739; classtype:pup-activity; sid:2002739; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup"; dns.query; content:"sery.brushupdata.com"; nocase; bsize:20; reference:url,twitter.com/KorbenD_Intel/status/1346193938277949443; reference:md5,a587a2af22c7e18a0260cab5c06d980d; classtype:domain-c2; sid:2031520; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP My Search Spyware Config Download"; flow: to_server,established; http.uri; content:"/ms"; nocase; content:"cfg.jsp?"; content:"v="; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; classtype:pup-activity; sid:2002839; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Kryptos Logic"; flow:to_client,established; file.data; content:"<title>Sinkholed by Kryptos Logic"; fast_pattern; content:"<h1>Sinkholed!</h1><p>This domain has been sinkholed"; distance:0; classtype:misc-activity; sid:2031515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CWS Trafcool.biz Related Installer"; flow:established,to_server; http.uri; content:"/progs_traff/"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; classtype:pup-activity; sid:2002931; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MassLogger)"; flow:established,to_client; tls.cert_subject; content:"CN=bestpccare.best"; bsize:18; fast_pattern; reference:url,twitter.com/jorgemieres/status/1306608136623718401; classtype:domain-c2; sid:2031521; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_13, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Tibs Checkin"; flow:established,to_server; http.uri; content:"/adv/"; nocase; content:".php?a1="; nocase; content:"&a2=Type of Processor|3a|"; nocase; content:"&a3=Windows version is|20|"; nocase; content:"&a4=Build|3a|"; nocase; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:pup-activity; sid:2002955; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Key Exchange Request"; flow:established,to_server; dsize:28; stream_size:client,=,29; content:"|24 01 00 00 00 00 00 00 00 00 00 00|"; startswith; classtype:command-and-control; sid:2034465; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category MALWARE, malware_family Danabot, signature_severity Major, updated_at 2021_01_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Elitemediagroup.net Spyware Config Download"; flow:established,to_server; http.uri; content:"/bundle.php?aff="; nocase; reference:url,elitemediagroup.net; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; classtype:pup-activity; sid:2002966; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; http.header_names; content:!"Referer"; http.host; content:!".webex.com"; endswith; classtype:trojan-activity; sid:2017259; rev:15; metadata:created_at 2013_07_31, updated_at 2021_01_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dollarrevenue.com Spyware Code Download"; flow:established,to_server; http.uri; content:"/bundle/drsmartload.exe"; nocase; reference:url,dollarrevenue.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; classtype:pup-activity; sid:2002967; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/checkupdate.js?id="; startswith; fast_pattern; content:"&token="; distance:0; content:"&platform="; distance:0; reference:url,github.com/BenChaliah/Arbitrium-RAT/; classtype:command-and-control; sid:2031528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Megaupload Spyware User-Agent (Megaupload)"; flow:to_server,established; http.user_agent; content:"Megaupload"; depth:10; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; classtype:pup-activity; sid:2003224; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT Observed User-Agent (JustKidding)"; flow:established,to_server; http.user_agent; content:"JustKidding"; bsize:11; reference:url,github.com/BenChaliah/Arbitrium-RAT; classtype:command-and-control; sid:2031529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; http.uri; content:"/upd/check?version="; nocase; content:"&localeId="; nocase; content:"&affid="; nocase; content:"&updatevalue="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; classtype:pup-activity; sid:2003344; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FFDroider CnC Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/poe.php?e="; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d5b7b65cd6e3fa8c8ac4ebe39bb5ffef; reference:url,www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users; classtype:trojan-activity; sid:2035795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyGlobalSearch Spyware bar update"; flow:established,to_server; http.uri; content:"/images/mysearchbar/highlight"; http.header; content:"|20|MySearch)"; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:pup-activity; sid:2003351; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/WizardUpdate Domain in TLS SNI ( .dlvplayer .com)"; flow:established,to_server; tls.sni; content:".dlvplayer.com"; endswith; reference:md5,6a76ee693b3d43ed385ce4b930fe3e30; classtype:domain-c2; sid:2031530; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyGlobalSearch Spyware bar update 2"; flow:established,to_server; http.uri; content:"/images/mysearchbar/customize"; http.header; content:"|20|MySearch)"; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:pup-activity; sid:2003352; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WizardUpdate CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/checknew"; nocase; endswith; http.request_body; content:"{|22|machine_id|22 3a 20 22|"; depth:16; content:"|22 2c 20 22|model_name|22 3a 20 22|"; fast_pattern; distance:0; content:"|22 2c 20 22|os|22 3a 20 22|"; distance:0; content:"|22 2c 20 22|os_version|22 3a 20 22|"; distance:0; content:"|22 2c 20 22|model_ident"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a76ee693b3d43ed385ce4b930fe3e30; classtype:trojan-activity; sid:2031531; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware Download"; flow: to_server,established; http.uri; content:"/WebServices/DesktopManager/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; classtype:pup-activity; sid:2003356; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Freakout IRC Checkin"; flow:established,to_server; content:"NICK|20|[HAX|7c|"; depth:10; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; classtype:command-and-control; sid:2031534; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Tools Spyware User-Agent (hbtools)"; flow:to_server,established; http.user_agent; content:"|3b 20|HbTools"; fast_pattern; reference:url,doc.emergingthreats.net/2003383; classtype:pup-activity; sid:2003383; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST /info/"; startswith; fast_pattern; pcre:"/(?:retdl|fb|step) HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"info="; startswith; content:!"&"; reference:md5,acd347a1839ee422d9393a09b5302ea2; classtype:command-and-control; sid:2031927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dialno Dialer User-Agent (dialno)"; flow:to_server,established; threshold: type limit, count 5, seconds 60, track by_src; http.user_agent; content:"dialno"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003387; classtype:pup-activity; sid:2003387; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A MalDoc Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{6,16}-(?:pro|xl2|us1)$/s"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Connection"; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SurfAccuracy.com Spyware Updating"; flow:to_server,established; http.uri; content:"/sacc/sacc.cfg.php?"; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:pup-activity; sid:2003390; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [401TRG] SUNBURST Related DNS Lookup to infinitysoftwares .com"; dns.query; content:"infinitysoftwares.com"; nocase; endswith; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; http.user_agent; content:"CS Fingerprint Module"; nocase; reference:url,doc.emergingthreats.net/2003425; classtype:pup-activity; sid:2003425; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (infinitysoftwares .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"infinitysoftwares.com"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Outerinfo.com Spyware Checkin"; flow: to_server,established; http.uri; content:"/notify.php?"; nocase; content:"pid="; nocase; content:"&module="; nocase; content:"&v="; nocase; content:"&result="; nocase; content:"&message="; nocase; http.header; content:"outerinfo.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:pup-activity; sid:2003426; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (infinitysoftwares .com)"; flow:established,to_client; tls.cert_subject; content:"CN=infinitysoftwares.com"; bsize:24; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Reporting"; flow:established,to_server; http.uri; content:"/reportaddon.cgi?"; nocase; content:"report.cgi?"; nocase; content:"user="; nocase; content:"software="; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:pup-activity; sid:2003440; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [401TRG] SUNBURST Related DNS Lookup to bigtopweb .com"; dns.query; content:"bigtopweb.com"; nocase; endswith; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deskwizz.com Spyware Install INI Download"; flow: to_server,established; http.uri; content:"/GetAd/tekID"; nocase; content:".ini"; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:pup-activity; sid:2003445; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (bigtopweb .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigtopweb.com"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; http.user_agent; content:"TBONAS"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:pup-activity; sid:2003501; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (bigtopweb .com)"; flow:established,to_client; tls.cert_subject; content:"CN=bigtopweb.com"; bsize:16; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Security-updater.com Spyware Posting Data"; flow:established,to_server; http.uri; content:"/SA/receive_data.php3?tcpc="; http.header; content:"security-updater.com"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; classtype:pup-activity; sid:2003576; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Sysn.cdjy CnC Activity"; flow:established,to_server; http.uri; content:".php?logik="; content:".txt&info=Time|3a|"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; reference:md5,9842e0a710a5b820f6ceb687fa079721; classtype:command-and-control; sid:2031544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; http.user_agent; content:"User-Agent|3a 20|"; depth:12; nocase; content:!"SogouMobileTool"; nocase; http.host; content:!".lge.com"; content:!".kugou.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:bad-unknown; sid:2003626; rev:17; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Silver"; bsize:9; fast_pattern; tls.cert_issuer; content:"CN=Silver"; bsize:9; reference:md5,949f4223f86d23ec243d1e23dd0a28c9; reference:url,twitter.com/reecdeep/status/1345411411829260289; classtype:domain-c2; sid:2031545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; http.user_agent; content:"KUKU"; nocase; depth:4; reference:url,doc.emergingthreats.net/2003636; classtype:pup-activity; sid:2003636; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (angeldonationblog .com)"; flow:established,to_client; tls.cert_subject; content:"CN=angeldonationblog.com"; bsize:24; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031548; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; http.user_agent; content:"mc_v1"; depth:5; reference:url,www.f-secure.com/v-descs/rizo.shtml; reference:url,doc.emergingthreats.net/2003656; classtype:pup-activity; sid:2003656; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (codevexillium .org)"; flow:established,to_server; tls.sni; content:"codevexillium.org"; bsize:17; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031549; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; http.user_agent; content:"QQGame"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003658; classtype:pup-activity; sid:2003658; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (investbooking .de)"; flow:established,to_client; tls.cert_subject; content:"CN=investbooking.de"; bsize:19; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031550; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; http.user_agent; content:"SpyLocked"; nocase; classtype:pup-activity; sid:2005322; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (krakenfolio .com)"; flow:established,to_server; tls.sni; content:"krakenfolio.com"; bsize:15; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031551; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear)"; flow:established,to_server; http.user_agent; content:"AntiVirGear"; reference:url,doc.emergingthreats.net/2007697; classtype:pup-activity; sid:2007697; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (opsonew3org .sg)"; flow:established,to_client; tls.cert_subject; content:"CN=opsonew3org.sg"; bsize:17; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031552; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP host-domain-lookup.com spyware related Start Report"; flow:established,to_server; http.uri; content:"?udata="; content:"program_started|3a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; classtype:pup-activity; sid:2007750; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transferwiser .io)"; flow:established,to_server; tls.sni; content:"transferwiser.io"; bsize:16; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031553; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Theinstalls.com Initial Checkin"; flow:established,to_server; http.uri; content:"/plist.php?uid="; http.host; content:"theinstalls.com"; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; classtype:pup-activity; sid:2007788; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transplugin .io)"; flow:established,to_server; tls.sni; content:"transplugin.io"; bsize:14; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031554; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; http.user_agent; content:"Locus|20|"; depth:6; reference:url,doc.emergingthreats.net/2007845; classtype:pup-activity; sid:2007845; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (rninhsss .com)"; dns.query; content:"www.rninhsss.com"; nocase; bsize:16; reference:md5,3dbf62639a63001daee68b25fadf4f10; classtype:domain-c2; sid:2031555; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP System-defender.com Fake AV Install Checkin"; flow:established,to_server; http.uri; content:"?wmid="; nocase; content:"&mid="; nocase; content:"&lndid="; nocase; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; classtype:pup-activity; sid:2007856; rev:6; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (dexercisep .com)"; dns.query; content:"www.dexercisep.com"; nocase; bsize:18; reference:md5,cd14c71626f022781cfd2192bd8b454e; classtype:domain-c2; sid:2031556; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; http.host; content:"0x"; depth:2; pcre:"/^0x[0-9a-f]+$/"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:pup-activity; sid:2007951; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (blog .br0vvnn .io)"; flow:established,to_server; tls.sni; content:"blog.br0vvnn.io"; bsize:15; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031557; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; http.user_agent; content:"SnoopStick|20|"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; classtype:pup-activity; sid:2007956; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeamTNT Gattling Gun AWS Creds Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/incoming/access_data/aws.php"; endswith; fast_pattern; reference:url,www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques; reference:url,twitter.com/Suprn8/status/1349938276623384576; classtype:command-and-control; sid:2031585; rev:2; metadata:attack_target Client_and_Server, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow:to_server,established; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Alexa Toolbar"; reference:url,doc.emergingthreats.net/2008085; classtype:pup-activity; sid:2008085; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeamTNT Gattling Gun CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".borg.wtf"; nocase; endswith; reference:url,www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques; reference:url,twitter.com/Suprn8/status/1349938276623384576; classtype:domain-c2; sid:2031586; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP vaccine-program.co.kr Related Spyware User-Agent (vaccine)"; flow:established,to_server; http.user_agent; content:"vaccine"; depth:7; reference:url,doc.emergingthreats.net/2008200; classtype:pup-activity; sid:2008200; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sn0wsLogger CnC Exfil M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|RestSharp/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22 0d 0a 0d 0a|token_"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|name|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|text|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,644038dbb036d00f45969afb7992e762; classtype:trojan-activity; sid:2031582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, malware_family Sn0wsLogger, signature_severity Major, updated_at 2021_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adaware.BarACE Checkin and Update"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"|2E|php|3F|zone="; nocase; content:"|26|name="; nocase; content:"|26|bpid="; nocase; content:"|26|bnum="; nocase; content:"|26|pid="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; classtype:pup-activity; sid:2008318; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sn0wsLogger CnC Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|RestSharp/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:"-payment.txt|22 0d 0a|"; within:40; fast_pattern; http.header_names; content:!"Referer"; reference:md5,644038dbb036d00f45969afb7992e762; classtype:trojan-activity; sid:2031583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, malware_family Sn0wsLogger, signature_severity Major, updated_at 2021_01_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; http.user_agent; content:"ZCOM"; depth:4; classtype:pup-activity; sid:2008503; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Magecart/Skimmer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=google-conversion.com"; bsize:24; fast_pattern; reference:url,twitter.com/jeromesegura/status/1354598447022653442; classtype:domain-c2; sid:2031593; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2021_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; http.user_agent; content:"iWin|20|"; depth:5; reference:url,doc.emergingthreats.net/2008558; classtype:pup-activity; sid:2008558; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Poison Ivy Variant CnC Domain in DNS Lookup (cdn. cloudistcdn .com)"; dns.query; content:"cdn.cloudistcdn.com"; nocase; bsize:19; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031595; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ezday.co .kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; http.user_agent; content:"Ezshop"; reference:url,doc.emergingthreats.net/2008594; classtype:pup-activity; sid:2008594; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (q. cloudistcdn .com)"; dns.query; content:"q.cloudistcdn.com"; nocase; bsize:17; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031597; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; nocase; content:"action=stat&wmid="; nocase; content:"&event="; nocase; content:"&uid="; nocase; content:"&i1"; nocase; content:"&i2"; nocase; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:pup-activity; sid:2008732; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (update .boshiamys .com)"; dns.query; content:"update.boshiamys.com"; nocase; bsize:20; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031598; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".asp?rnd="; http.request_body; content:"uid="; depth:4; content:"&ref="; content:"&clid="; content:"&umode="; content:"&cn="; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; classtype:pup-activity; sid:2008798; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot maserv Module Command"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mass/"; depth:30; fast_pattern; pcre:"/^(?:81|freq|domains|over|rate|npcap\.exe)\/?\s*[^\/]*$/si"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:url,www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/; reference:md5,ff57c02b09cd9df4d1cac5090e01a5d2; classtype:trojan-activity; sid:2031600; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_02_02;)
 
-alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; http.uri; content:!"/?rnd="; depth:6; http.header; content:!"citrixonline.com"; http.user_agent; content:"Mozilla/4.0 (compatible)"; fast_pattern; bsize:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:pup-activity; sid:2008974; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot maserv Module CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/81"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|source|22 0d 0a 0d 0a|PORT|20|scan|0d 0a|"; nocase; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/; reference:md5,ff57c02b09cd9df4d1cac5090e01a5d2; classtype:trojan-activity; sid:2031601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Simbar Spyware User-Agent Detected"; flow:established,to_server; http.user_agent; content:"|3b 20|SIMBAR={"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; classtype:pup-activity; sid:2009005; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_31;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin"; flow:established,to_server; dsize:100; content:"ordata|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:1; depth:47; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2031599; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SystemBC, signature_severity Major, updated_at 2021_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AgavaDwnl) - Possibly Xema"; flow:established,to_server; http.user_agent; content:"AgavaDwnl"; reference:url,doc.emergingthreats.net/2009445; classtype:pup-activity; sid:2009445; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake Keylogger CnC Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; http.request_body; content:"PC Name|3a|"; content:"Snake|20|Keylogger"; fast_pattern; content:"Snake|20|Keylogger"; distance:0; http.host; content:"telegram.org"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2031604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_03, deployment Perimeter, former_category MALWARE, malware_family Snake_Keylogger, signature_severity Major, updated_at 2021_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downloader Checkin - Downloads Rogue Adware"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"AreaID="; nocase; content:"MediaID="; nocase; content:"AdNo="; nocase; content:"OriginalityID="; nocase; content:"Url"; nocase; content:"Mac="; nocase; content:"Version="; nocase; content:"ValidateCode="; nocase; content:"ParentName="; nocase; reference:url,doc.emergingthreats.net/2009526; classtype:pup-activity; sid:2009526; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PivNoxy CnC Activity"; flow:established,to_server; urilen:17; http.cookie; content:"id="; startswith; bsize:15; http.header_names; content:"|0d 0a|Accept|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.uri; pcre:"/^\/[0-9a-f]{16}$/"; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; reference:md5,77a06a18015ee2d509d8e89000489eb6; reference:md5,7fd7b1c218d7df7a3f09a8f06f141c71; classtype:command-and-control; sid:2031596; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (_TEST_)"; flow: to_server,established; http.user_agent; content:"_TEST_"; nocase; reference:url,doc.emergingthreats.net/2009545; classtype:unknown; sid:2009545; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Small.AWO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"boxfid.php?&mac="; fast_pattern; content:"&action="; distance:12; within:8; content:"&disk="; distance:0; content:"&md5="; distance:0; isdataat:!33,relative; reference:md5,047719e7aae5c1466db7c82a18726828; classtype:command-and-control; sid:2031605; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W3i Related Adware/Spyware"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"shortname="; nocase; content:"os="; nocase; content:"v="; nocase; content:"browsers="; nocase; content:"readable="; nocase; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; classtype:pup-activity; sid:2009705; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Detplock Checkin via SMTP"; flow:established,to_server; content:"Subject|3a 20|Virus Infection Monitor|0d 0a|"; fast_pattern; content:"Content|2d|type|3a 20|multipart|2f|mixed|3b 20|boundary|3d 22 23|BOUNDARY|23 22 0d 0a|"; reference:md5,6ac14ccd294d75e340d48d19aa74be09; classtype:trojan-activity; sid:2031608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; http.user_agent; content:"IEToolbar"; reference:url,doc.emergingthreats.net/2009766; classtype:pup-activity; sid:2009766; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer Installer Started"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"type=install&seller="; startswith; fast_pattern; content:"&price="; content:"&guid="; content:"&ver="; content:"&origin="; reference:md5,e2d3f779d8d646f7287dc58976e79494; classtype:command-and-control; sid:2031928; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"IpAddr="; nocase; content:"&OS="; nocase; content:"&RegistryChanged="; nocase; content:"&RegistryUpdate="; nocase; content:"&NewInstallation="; nocase; content:"&utilMissing="; nocase; content:"&Basedir="; nocase; content:"&BundleID="; nocase; content:"&InitInstalled="; nocase; content:"&Interval="; nocase; content:"&LastInitRun="; nocase; content:"&LastInitVer="; nocase; content:"&LastSrngRun="; nocase; content:"&LastUtilRun="; nocase; content:"&SrngInstalled="; nocase; content:"&SrngVer="; nocase; content:"&UtilInstalled="; nocase; content:"&UtilVer="; nocase; content:"&PCID"; nocase; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; classtype:pup-activity; sid:2009807; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader Domain (officewestunionbank .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"officewestunionbank.com"; bsize:23; fast_pattern; reference:md5,61e213e717cc8e156cec79a7c1cd0c64; classtype:domain-c2; sid:2031610; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_10, deployment Perimeter, former_category MALWARE, malware_family Buer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; http.user_agent; content:"RichCasino"; nocase; depth:10; reference:url,doc.emergingthreats.net/2009831; classtype:pup-activity; sid:2009831; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Download Request"; flow:established,to_server; urilen:>200; flowbits:set,ETPRO.wacatac.b.download; http.method; content:"GET"; http.uri; content:"/api/download/"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (MyIE/1.0)"; flow:established,to_server; http.user_agent; content:"MyIE/"; depth:5; reference:url,doc.emergingthreats.net/2009991; classtype:pup-activity; sid:2009991; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Buer Loader Successful Payload Download"; flow:established,to_client; flowbits:isset,ETPRO.wacatac.b.download; http.stat_code; content:"200"; http.content_type; content:"application/*"; fast_pattern; bsize:13; http.content_len; byte_test:0,>,500000,0,string,dec; byte_test:0,<,3000000,0,string,dec; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (M0zilla)"; flow:established,to_server; http.user_agent; content:"M0zilla/4.0|20|(compatible)"; startswith; reference:url,doc.emergingthreats.net/2010265; classtype:pup-activity; sid:2010265; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sq?"; startswith; fast_pattern; http.cookie; content:"woocommerce_cart_hash="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,4d1d20d5691af20be3592ddc1936a8c0; classtype:command-and-control; sid:2032756; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (MSIE7 na)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|na|3b 20|)"; fast_pattern; reference:url,doc.emergingthreats.net/2010461; classtype:pup-activity; sid:2010461; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RELEASE?"; startswith; fast_pattern; http.cookie; content:"woocommerce_items_in_cart="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,631bcc2f0885acb960fd500ca574a796; classtype:command-and-control; sid:2032757; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent Mozilla/3.0"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Internet Explorer)"; reference:url,doc.emergingthreats.net/2010599; classtype:pup-activity; sid:2010599; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evil Keitaro TDS Redirection Domain (fiberswatch .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fiberswatch.com"; bsize:15; fast_pattern; classtype:domain-c2; sid:2031615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category MALWARE, malware_family KeitaroTDS, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Generic Adware Install Report"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/nsi_install.php?inst_result=success&aff_id="; content:"&id="; nocase; reference:url,doc.emergingthreats.net/2010630; classtype:pup-activity; sid:2010630; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mobilelink.buzz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"O=Let's Encrypt"; classtype:domain-c2; sid:2031617; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (browserbob.com)"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1|3b 20|Made with www.browserbob.com)"; fast_pattern; bsize:85; classtype:pup-activity; sid:2011279; rev:5; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoderVir Stealer Zip Upload"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|LOG|5f|"; fast_pattern; pcre:"/^[A-F0-9]{24}/R"; content:"|2e|zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; within:53; reference:md5,35ff637ac2748789925a34f893376545; classtype:command-and-control; sid:2031620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; fast_pattern; bsize:46; classtype:pup-activity; sid:2011283; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin"; bsize:6; http.cookie; content:"wordpress_"; startswith; pcre:"/^[a-z0-9]{32}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; fast_pattern; reference:md5,e75bef518faea38765cb91b71ba6c8a8; classtype:command-and-control; sid:2032755; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ASKTOOLBAR.DLL Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/toolbarv/askBarCfg?"; nocase; content:"v="; nocase; content:"e="; nocase; reference:md5,3f6413475b1466964498c8450de4062f; classtype:pup-activity; sid:2012000; rev:5; metadata:created_at 2010_12_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /data/receive "; depth:19; fast_pattern; http.request_body; content:"ectid="; depth:6; content:"&taxCode="; distance:0; http.host; content:!"i-xinnuo.com"; endswith; reference:md5,be1a7bbc42d5d6f3a3270201906a68d9; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030394; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (AdVantage)"; flow:established,to_server; http.user_agent; content:"AdVantage"; startswith; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:pup-activity; sid:2012104; rev:6; metadata:created_at 2010_12_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Fancy Bear (APT28) Maldoc CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; bsize:22; http.request_body; content:"IB="; startswith; fast_pattern; content:"&log="; distance:0; reference:url,twitter.com/RedDrip7/status/1362343352759250946?s=20; reference:md5,c9a43fd6623bf0bc287012b6ee10a98e; reference:md5,49696043b51acca6ced2ab213bd4abef; classtype:command-and-control; sid:2031628; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Fancy_Bear, performance_impact Low, signature_severity Major, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdVantage Malware URL Infection Report"; flow:established,to_server; http.uri; content:"cfg_ver="; nocase; content:"hwd="; nocase; content:"campaign="; nocase; content:"ver="; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:pup-activity; sid:2012105; rev:5; metadata:created_at 2010_12_27, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak Staging Domain in DNS Lookup (civilizationidium .com)"; dns.query; content:"civilizationidium.com"; nocase; bsize:21; reference:url,twitter.com/z0ul_/status/1361698529228578816; reference:md5,17735bdf3f19b51eaa45d6375f943f97; classtype:trojan-activity; sid:2031629; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family Carbanak, malware_family Carbanak_JScript, performance_impact Low, signature_severity Major, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; classtype:pup-activity; sid:2012298; rev:5; metadata:created_at 2011_02_07, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Activity (Windows Variant)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"wMKBUqjC7ZMG5A5g"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; reference:md5,48971e0e71300c99bb585d328b08bc88; classtype:command-and-control; sid:2031623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"mozilla/2.0"; depth:11; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:pup-activity; sid:2012642; rev:9; metadata:created_at 2011_04_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Activity (OSX Variant)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"jGzAcN6k4VsTRn9"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; reference:md5,6058368894f25b7bc8dd53d3a82d9146; classtype:command-and-control; sid:2031624; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; http.host; content:".ru"; endswith; fast_pattern; content:!"101.ru"; content:!"9366858.ru"; pcre:"/^[^a-z]*?[0-9]{2,30}\.ru$/"; classtype:pup-activity; sid:2012649; rev:7; metadata:created_at 2011_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Domain in DNS Lookup (jmttrading .org)"; dns.query; content:"jmttrading.org"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; classtype:domain-c2; sid:2031625; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP overtls.com adware request"; flow:to_server,established; http.uri; content:"/sidebar.asp?bn=0&qy="; http.header; content:"EmbeddedWB"; classtype:pup-activity; sid:2012693; rev:5; metadata:created_at 2011_04_19, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Union Crypto CnC Domain in DNS Lookup (unioncrypto .vip)"; dns.query; content:"unioncrypto.vip"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048c; classtype:domain-c2; sid:2031626; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Possible FakeAV Binary Download"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"antiv"; fast_pattern; nocase; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/i"; classtype:pup-activity; sid:2012753; rev:8; metadata:created_at 2011_04_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - Union Crypto CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"auth_timestamp"; content:"rlz="; content:"&ei="; distance:0; content:"&act=check"; distance:0; fast_pattern; reference:md5,da17802bc8d3eca26b7752e93f33034b; reference:md5,629b9de3e4b84b4a0aa605a3e9471b31; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048c; classtype:command-and-control; sid:2031627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RogueAntiSpyware.AntiVirusPro Checkin"; flow:established,to_server; http.uri; content:"php?type=stats&affid="; content:"&subid="; content:"&version="; content:"&adwareok"; reference:md5,8d1b47452307259f1e191e16ed23cd35; classtype:pup-activity; sid:2013149; rev:4; metadata:created_at 2011_06_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (levelframeblog .com)"; dns.query; content:"levelframeblog.com"; nocase; bsize:18; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; reference:md5,17ab2927a235a0b98480945285767bcf; classtype:domain-c2; sid:2031631; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidetab or Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/install.asp?"; content:"version="; content:"&id="; content:"&mac="; http.header; content:".co.kr|0d 0a|"; classtype:pup-activity; sid:2013182; rev:3; metadata:created_at 2011_07_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (kupaywallet .com)"; dns.query; content:"kupaywallet.com"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; classtype:domain-c2; sid:2031630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.EZula Adware Reporting Successful Install"; flow:established,to_server; http.uri; content:"/installer.cfc?res=success&hwid="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FEzula.F; classtype:pup-activity; sid:2013195; rev:5; metadata:created_at 2011_07_05, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.request_body; content:"ver="; startswith; content:"&timestamp="; fast_pattern; isdataat:!11,relative; reference:md5,60c2efdafbffc5bd6709c8e461f7b77d; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; classtype:command-and-control; sid:2031632; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SweetIM Install in Progress"; flow:established,to_server; http.uri; content:"/download/install/silent/SSweetIMSetup.CIS"; nocase; classtype:pup-activity; sid:2013243; rev:4; metadata:created_at 2011_07_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - CoinGoTrade CnC Domain in DNS Lookup (coingotrade .com)"; dns.query; content:"coingotrade.com"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,149a696472d4a189f5896336ab16cc34; classtype:domain-c2; sid:2031633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; http.user_agent; content:"MM|20|"; startswith; pcre:"/^MM \d\.\d+$/"; classtype:pup-activity; sid:2013388; rev:6; metadata:created_at 2011_08_10, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (airbseeker .com)"; dns.query; content:"airbseeker.com"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031634; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family NukeSped, signature_severity Major, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (go-diva)"; flow:to_server,established; http.user_agent; content:"go-diva"; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:pup-activity; sid:2013452; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (globalkeystroke .com)"; dns.query; content:"globalkeystroke.com"; nocase; bsize:19; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031635; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family NukeSped, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 1"; flow:established,to_server; http.uri; content:"?gname="; content:"&pid="; content:"&m="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; reference:md5,81a119f7f47663c03053e76146f54fe9; classtype:pup-activity; sid:2013556; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/NukeSped Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"N9dLfqxHNUUw8qaUPqggVTpX"; fast_pattern; reference:md5,451c23709ecd5a8461ad060f6346930c; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; classtype:command-and-control; sid:2031637; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 2"; flow:established,to_server; http.uri; content:"inst.php?"; content:"pcode="; content:"&ucode="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; classtype:pup-activity; sid:2013557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (woodmate .it)"; dns.query; content:"woodmate.it"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031636; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family NukeSped, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UBar Trojan/Adware Checkin 3"; flow:established,to_server; http.uri; content:"size.php?"; content:"file="; http.header; content:"|20|from|3a 20|http|3a|//www.bsalsa.com/ EmbeddedWB|20|"; classtype:pup-activity; sid:2013558; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Dorusio CnC Domain in DNS Lookup (dorusio .com)"; dns.query; content:"dorusio.com"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048f; reference:md5,d620c699a5b1828aca699b5aee77e5e6; reference:md5,0f39312e8eb5702647664e9ae8502ceb; classtype:domain-c2; sid:2031638; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Tool.InstallToolbar.24 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; content:"TbId="; nocase; content:"TUID="; nocase; content:"Action_Type="; nocase; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:pup-activity; sid:2014060; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (ants2whale .com)"; dns.query; content:"ants2whale.com"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048g; classtype:domain-c2; sid:2031639; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gen5 Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cmd/report.php?"; nocase; content:"PartnerId="; nocase; content:"OfferId="; nocase; content:"action="; nocase; content:"program="; nocase; reference:md5,90410d783f6321c8684ccb9ff0613a51; classtype:pup-activity; sid:2014071; rev:6; metadata:created_at 2012_01_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (qnalytica .com)"; dns.query; dotprefix; content:".qnalytica.com"; nocase; endswith; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048g; reference:md5,d4d1bcdfb67ee30303f30137db752b94; classtype:domain-c2; sid:2031640; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OpenCandy Adware Checkin"; flow:established,to_server; http.uri; content:"clientv="; content:"&cltzone="; content:"&mstime="; content:"&os="; content:"&product_key="; http.host; content:"opencandy.com"; fast_pattern; classtype:pup-activity; sid:2014122; rev:6; metadata:created_at 2012_01_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.4.x CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=Ghc7XJ5OVyh_"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html; reference:md5,7831a9eebbb485ab4850460e33185cb3; classtype:command-and-control; sid:2031641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2021_02_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Common Adware Library ISX User Agent Detected"; flow:established,to_server; http.user_agent; content:"ISX Download DLL"; fast_pattern; startswith; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:pup-activity; sid:2014137; rev:5; metadata:created_at 2012_01_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"specialattributes.s3.amazonaws.com"; bsize:34; reference:url,redcanary.com/blog/clipping-silver-sparrows-wings; classtype:domain-c2; sid:2031642; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OpenTrio User-Agent (Open3)"; flow:established,to_server; http.user_agent; content:"Open3"; startswith; classtype:pup-activity; sid:2014190; rev:4; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"mobiletraits.s3.amazonaws.com"; bsize:29; reference:url,redcanary.com/blog/clipping-silver-sparrows-wings; classtype:domain-c2; sid:2031644; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/MediaGet Checkin"; flow:established,to_server; http.request_body; content:"<mediagetInstaller statVersion="; content:"mediagetIsAlreadyInstalled="; classtype:pup-activity; sid:2014192; rev:5; metadata:created_at 2012_02_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WRAT Dropper (TLS SNI)"; flow:established,to_server; tls.sni; content:"alsalaf.info"; reference:md5,7831f12dac1d4ef7dcd6e3218b8dad68; classtype:trojan-activity; sid:2031646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WRAT, updated_at 2021_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; http.uri; content:"/install.xml?pid="; http.header; content:"gameplaylabs.com|0d 0a|"; classtype:pup-activity; sid:2014249; rev:6; metadata:created_at 2012_02_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (WRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=alsalaf.info"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,7831f12dac1d4ef7dcd6e3218b8dad68; classtype:trojan-activity; sid:2031645; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category TROJAN, signature_severity Major, tag WRAT, updated_at 2021_02_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PlaySushi User-Agent"; flow:established,to_server; http.user_agent; content:"psi|20|"; startswith; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:pup-activity; sid:2014261; rev:4; metadata:created_at 2012_02_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Keylogger.ENJ Variant CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; depth:19; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=New+User+open+your+virus&content=%60%60%60%0aUser+name+%3a+"; startswith; fast_pattern; reference:md5,9b48e6da117f45841cb629964af7e463; classtype:command-and-control; sid:2031648; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware Checkin"; flow:established,to_server; http.uri; content:"/inst.asp?d="; content:"&cl="; content:"&l="; content:"&e="; content:"&v="; content:"&uid="; content:"&time="; content:"&win="; content:"&ac="; content:"&ti="; content:"&xv="; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014339; rev:4; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VoidRay Downloader CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?UID="; fast_pattern; content:"_"; distance:8; within:1; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; reference:md5,082b7a27b2e75bbcde189fab82b0fe72; classtype:trojan-activity; sid:2031649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/GameVance Adware User Agent"; flow:established,to_server; http.user_agent; content:"zz_"; depth:3; pcre:"/^[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Ri"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:pup-activity; sid:2014340; rev:8; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ares Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/panel/connect.php?a="; startswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,372184b84d8a35ae1c5d756c69d1d0a2; classtype:trojan-activity; sid:2032947; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP W32/MediaGet.Adware Installer Download"; flow:established,to_client; flowbits:isnotset,ET.Adobe.Site.Download; http.header.raw; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:pup-activity; sid:2014353; rev:8; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (billionaireshore .top)"; dns.query; content:"billionaireshore.top"; nocase; bsize:20; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031655; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; http.user_agent; content:"Softonic Downloader/"; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:pup-activity; sid:2014355; rev:5; metadata:created_at 2012_03_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (vikingsofnorth .top)"; dns.query; content:"vikingsofnorth.top"; nocase; bsize:18; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031656; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/LoudMo.Adware Checkin"; flow:established,to_server; http.uri; content:"/?aff="; http.host; content:"www.gamebound.com"; startswith; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:pup-activity; sid:2014400; rev:5; metadata:created_at 2012_03_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (realityarchitector .top)"; dns.query; content:"realityarchitector.top"; nocase; bsize:22; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031657; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; http.user_agent; content:"pcsetup_"; pcre:"/^\w+pcsetup_\w+/"; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:pup-activity; sid:2014583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (gentlebouncer .top)"; dns.query; content:"gentlebouncer.top"; nocase; bsize:17; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031658; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Dialer.Adultchat Checkin"; flow:established,to_server; http.uri; content:"/getclientid.wnk?srv="; content:"&ver="; content:"&pin="; content:"&OSInfo2="; content:"&cinfo="; content:"retryattempt="; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:pup-activity; sid:2014667; rev:4; metadata:created_at 2012_05_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (brainassault .top)"; dns.query; content:"brainassault.top"; nocase; bsize:16; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031659; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; content:"/rdc/rnd.php"; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:pup-activity; sid:2014767; rev:7; metadata:created_at 2012_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (greatersky .top)"; dns.query; content:"greatersky.top"; nocase; bsize:14; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031660; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/OnlineGames Checkin"; flow:established,to_server; http.uri; content:"/game"; content:"/diary/item/"; http.user_agent; content:"getURLDown"; bsize:10; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:pup-activity; sid:2015017; rev:6; metadata:created_at 2012_07_04, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (unicornhub .top)"; dns.query; content:"unicornhub.top"; nocase; bsize:14; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031661; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP suspicious User-Agent (vb   wininet)"; flow:established,to_server; http.user_agent; content:"vb|20 20 20|wininet"; depth:12; classtype:pup-activity; sid:2016069; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (corporatelover .top)"; dns.query; content:"corporatelover.top"; nocase; bsize:18; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031662; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; http.uri; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern; content:"&x_format="; content:"&x_pub_id="; content:"&tag="; http.user_agent; content:"Mozilla/4.0  (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest.5)"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:pup-activity; sid:2016546; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_03_07, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (bloggersglobbers .top)"; dns.query; content:"bloggersglobbers.top"; nocase; bsize:20; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; http.uri; content:"?data="; content:"&version="; distance:0; http.user_agent; content:"win32"; depth:5; fast_pattern; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:pup-activity; sid:2016780; rev:6; metadata:created_at 2013_04_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (simsimsalabim .top)"; flow:established,to_server; tls.sni; content:"simsimsalabim.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.MSIL.Solimba.b GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/dmr/access/"; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:pup-activity; sid:2016905; rev:6; metadata:created_at 2013_05_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (perfectscenario .top)"; flow:established,to_server; tls.sni; content:"perfectscenario.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2031653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.MSIL.Solimba.b POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/dmr/exception"; http.user_agent; content:"DownloadMR"; depth:10; nocase; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:pup-activity; sid:2016906; rev:6; metadata:created_at 2013_05_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mariofart8 .top)"; flow:established,to_server; tls.sni; content:"mariofart8.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Smart-RTP"; flow: established,to_server; http.user_agent; content:"Smart-RTP"; depth:9; nocase; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:md5,a80f33c94c44556caa2ef46cd5eb863c; classtype:pup-activity; sid:2016915; rev:7; metadata:created_at 2013_05_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin"; fast_pattern; bsize:43; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031664; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; http.user_agent; content:"Custom_56562_HttpClient/VER_STR_COMMA"; depth:37; nocase; classtype:pup-activity; sid:2016916; rev:5; metadata:created_at 2013_05_23, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin"; fast_pattern; bsize:43; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031665; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware pricepeep Adware.Shopper.297"; flow: established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/logger/software/hit/"; nocase; content:"/?v."; nocase; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:pup-activity; sid:2016917; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_05_23, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php"; fast_pattern; bsize:41; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031666; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Gamevance.AV Checkin"; flow:established,to_server; http.uri; content:"/aj/"; fast_pattern; content:".php?p="; http.header_names; content:!"Referer"; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:pup-activity; sid:2017136; rev:7; metadata:created_at 2013_07_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=flickry.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"O=Let's Encrypt"; classtype:domain-c2; sid:2031672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2021_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2021_02_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Crossrider Spyware Checkin"; flow:established,to_server; http.uri; content:"/updater/"; depth:9; content:"/update.json?rnd="; distance:32; within:18; http.header_names; content:!"User-Agent"; classtype:pup-activity; sid:2017196; rev:6; metadata:created_at 2013_07_26, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaBackdoor Variant CnC Activity M4"; flow:established,to_server; urilen:36; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; content:!"&"; http.cookie; content:"group="; depth:6; isdataat:!2,relative; fast_pattern; pcre:"/^\d$/R"; http.uri; pcre:"/^\/[a-z0-9]{32}\/\d\/$/i"; reference:url,twitter.com/lazyactivist192/status/1364668631460827142; reference:md5,8488d9be18308a7f4e83b7c39fc79d17; classtype:command-and-control; sid:2031673; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Wajam.Adware Successful Install"; flow:established,to_server; http.uri; content:"/wajam_install.exe?aid="; http.user_agent; content:"NSIS_Inetc"; startswith; classtype:pup-activity; sid:2017561; rev:6; metadata:created_at 2013_10_05, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gameredon Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64|3a 3a|"; startswith; fast_pattern; content:"|3a 3a|"; distance:2; endswith; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; reference:md5,04490fb43c9adbfdee9d7918e3db0af5; classtype:trojan-activity; sid:2031676; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/?step_id="; content:"&publisher_id="; content:"&page_id="; content:"&country_code="; content:"&browser_id="; content:"&download_id="; content:"&hardware_id="; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017911; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (ms-officeupdate .com)"; dns.query; content:"ms-officeupdate.com"; nocase; bsize:19; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031677; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?report_version="; http.request_body; content:"data="; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:pup-activity; sid:2017912; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (newmsoffice .com)"; dns.query; content:"newmsoffice.com"; nocase; bsize:15; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031678; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; http.uri; content:"/updater/"; http.user_agent; content:"UpdaterResponse"; depth:15; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018024; rev:5; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/OceanLotus Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Collection Info/1.0"; bsize:19; fast_pattern; http.request_body; content:"data1="; startswith; reference:md5,864eace6e6f67b77163d7ed5da4498c8; reference:url,github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam; reference:url,www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/; classtype:trojan-activity; sid:2031683; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/AdLoad.Downloader Download"; flow:established,to_server; http.uri; content:"/v"; content:"&product_name="; content:"&installer_file_name="; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:pup-activity; sid:2018048; rev:5; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark CnC Activity M2"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php?u="; fast_pattern; content:"_"; distance:0; content:"&i="; distance:0; http.user_agent; content:"Microsoft BITS/"; startswith; reference:md5,d30484a523fe3d8a883738f4ec06a952; reference:md5,f9509755c5781f87788ffdf9efad075d; reference:url,twitter.com/reddrip7/status/1366703445990723585?s=21; classtype:trojan-activity; sid:2031748; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent EXE2"; flow: established,to_server; http.user_agent; content:"EXE2"; nocase; depth:4; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:pup-activity; sid:2018049; rev:5; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (cook32.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cook32.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_03_02, former_category MALWARE, malware_family ursnif, updated_at 2021_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; http.method; content:"GET"; http.uri; content:".txt"; http.user_agent; content:"EXE2"; depth:4; fast_pattern; nocase; http.header_names; content:!"Accept|0d 0a|"; nocase; content:!"Referer|0d 0a|"; nocase; content:!"Connection|0d 0a|"; nocase; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:pup-activity; sid:2018050; rev:6; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (cook64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cook64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031744; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User Agent Mozi11a"; flow: established,to_server; http.user_agent; content:"Mozi11a"; depth:7; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:pup-activity; sid:2018051; rev:6; metadata:created_at 2014_01_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab32.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab32.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031745; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (gettingAnswer)"; flow: established,to_server; http.user_agent; content:"gettingAnswer"; depth:13; nocase; reference:md5,c305a0af3fe84525a993130b7854e3e0; classtype:pup-activity; sid:2018084; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_02_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag User_Agent, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BetterInstaller"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?v="; content:"&uid="; content:"&muid="; pcre:"/[a-f0-9]{32}\?v=/i"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:pup-activity; sid:2018195; rev:5; metadata:created_at 2014_01_15, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mt?"; startswith; fast_pattern; content:"="; distance:0; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,0d2c5bbf711058f31cd8ce81da30e870; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031806; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"&OSversion="; content:"&Slv="; content:"&Sysid="; content:"&Sysid1="; content:"&admin="; content:"&browser="; content:"&exe="; content:"&ffver="; content:"&lang_DfltUser="; content:"&ver="; content:"&ts="; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:pup-activity; sid:2018324; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"fabulouscityofbruges.top"; bsize:24; fast_pattern; classtype:domain-c2; sid:2031805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bundle/"; content:"/?p="; http.user_agent; content:"zz_afi"; depth:6; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:pup-activity; sid:2018333; rev:6; metadata:created_at 2014_03_28, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".css"; endswith; http.cookie; content:"lu="; fast_pattern; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,ce73caaa42bd465a37802ad3457d2081; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"?v="; fast_pattern; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:pup-activity; sid:2018368; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_04_07, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (teastycandycoffe .top)"; flow:established,to_server; tls.sni; content:"teastycandycoffe.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.MultiInstaller"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"?s1="; fast_pattern; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/"; http.header_names; content:!"Referer"; reference:md5,26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:pup-activity; sid:2018512; rev:8; metadata:created_at 2014_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUNSHUTTLE CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"HjELmFxKJc="; fast_pattern; content:"P5hCrabkKf="; content:"iN678zYrXMJZ="; reference:url,www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html; classtype:command-and-control; sid:2031811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadGuide.A"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/1/dg/3"; fast_pattern; http.request_body; content:"{|22|BuildId|22 3a|"; content:"|22|Campaign|22|"; content:"|22|TrackBackUrl|22|"; http.content_type; content:"application/json"; startswith; http.header_names; content:!"Referer"; reference:md5,37b91123a58a48975770241445392aeb; classtype:pup-activity; sid:2018513; rev:6; metadata:created_at 2014_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thereisnoscheme .top)"; flow:established,to_server; tls.sni; content:"thereisnoscheme.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2031876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Checkin"; flow: established, to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla|29|"; depth:20; http.request_body; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; content:"|22|machine_ID|22 3a 22|"; distance:0; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:pup-activity; sid:2018557; rev:8; metadata:created_at 2014_06_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.MultiInstaller checkin 2"; flow:established, to_server; http.method; content:"GET"; http.uri; content:"/entrance?s1="; depth:13; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:pup-activity; sid:2018590; rev:4; metadata:created_at 2014_06_20, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OptimizerPro Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/op?sid="; content:"&dt="; distance:0; content:"&gid="; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:pup-activity; sid:2018742; rev:5; metadata:created_at 2013_12_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nyqualitypizza .top)"; flow:established,to_server; tls.sni; content:"nyqualitypizza.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/SearchSuite Install CnC Beacon"; flow:established,to_server; urilen:23; http.method; content:"POST"; http.uri; content:"/install_statistics.php"; fast_pattern; depth:23; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|MSIE|3B 20|Win32)"; startswith; http.request_body; content:"XML="; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:pup-activity; sid:2018753; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_23, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"woocommerce_cart_hash="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,7502041ccf809668e2dce5a38fa0a2a5; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031881; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.A checkin"; flow:to_server,established; http.uri; content:"get/?ver="; content:"&aid="; distance:0; content:"&hid="; distance:0; content:"&rid="; distance:0; content:"&data="; distance:0; content:"&report="; distance:0; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:pup-activity; sid:2018867; rev:4; metadata:created_at 2014_08_01, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thelegendofberia .top)"; flow:established,to_server; tls.sni; content:"thelegendofberia.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/BrowseFox.H Checkin 2"; flow:established,to_server; urilen:3; http.method; content:"POST"; http.uri; content:"/rs"; http.request_body; content:"alpha="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,437a5cb57567c2691ce61a700682eab7; classtype:pup-activity; sid:2018899; rev:6; metadata:created_at 2014_07_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (hitfromthebong .top)"; flow:established,to_server; tls.sni; content:"hitfromthebong.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maxpower-static/templates/"; depth:27; http.header_names; content:!"Referer"; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:pup-activity; sid:2019143; rev:7; metadata:created_at 2014_07_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (autopartslarry .top)"; flow:established,to_server; tls.sni; content:"autopartslarry.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MAC/Conduit Component Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/installer?dp="; content:"&sdp="; content:"&f="; content:"&id="; content:"&v="; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019144; rev:4; metadata:created_at 2014_09_10, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/RedXOR CnC Checkin"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031934; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, former_category MALWARE, malware_family RedXOR, signature_severity Major, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SoftPulse.H Checkin"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/__dmp__/"; fast_pattern; http.request_body; content:"data={"; depth:6; http.header_names; content:!"Accept"; content:!"Connection"; content:!"Referer"; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:pup-activity; sid:2019228; rev:6; metadata:created_at 2014_09_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/RedXOR CnC Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031935; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, former_category MALWARE, malware_family RedXOR, signature_severity Major, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/ELEX Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v"; depth:2; content:"?update"; fast_pattern; distance:0; pcre:"/^[0-9]?=[a-z]+/Ri"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,2fed7fe9d055ebb63897bc2c8996676d; reference:md5,e2fd0d2c44e96cab5017bb8a68ca92a6; classtype:pup-activity; sid:2019779; rev:8; metadata:created_at 2014_11_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mynameisgarfield .top)"; flow:established,to_server; tls.sni; content:"mynameisgarfield.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/CloudScout Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/QualityCheck/"; fast_pattern; content:".php"; distance:0; pcre:"/\.php$/"; http.request_body; content:"dp="; depth:3; content:"&sdp="; distance:0; content:"&a="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c732b52b245444e3f568d372ce399911; classtype:pup-activity; sid:2019780; rev:10; metadata:created_at 2014_11_24, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mansizeprofile .top)"; flow:established,to_server; tls.sni; content:"mansizeprofile.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DomaIQ Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"&OSversion="; content:"&Sysid="; content:"&Sysid1="; content:"&X64="; content:"&exe="; content:"&ffver="; content:"&lang_DfltSys="; content:"&lang_DfltUser="; reference:md5,9befc43d2019c5614e7372a16e3a5ce5; classtype:pup-activity; sid:2019944; rev:5; metadata:created_at 2014_12_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (letsmakesome .fun)"; flow:established,to_server; tls.sni; content:"letsmakesome.fun"; bsize:16; fast_pattern; classtype:domain-c2; sid:2031948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP W32/DownloadGuide.D"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config-from-production"; http.request_body; content:"{|22|os|22 3A 22|"; depth:7; content:"|22|lang|22 3A 22|"; distance:0; content:"|22|uid|22 3A 22|"; distance:0; content:"|22|prod|22 3A 22|"; distance:0; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; classtype:pup-activity; sid:2019974; rev:4; metadata:created_at 2014_12_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (gogowormdealer .top)"; flow:established,to_server; tls.sni; content:"gogowormdealer.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/iBryte.Adware Installer Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?mode="; content:"&sf="; content:"&browser="; content:"&useragent="; http.header_names; content:!"Referer"; reference:md5,4c80e5f72a2ab8324b981e37b3b0e5d1; classtype:pup-activity; sid:2020197; rev:7; metadata:created_at 2015_01_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Maldoc CnC"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/shop_testbr/localization/dir_photoes/"; startswith; fast_pattern; content:".php?"; distance:0; http.user_agent; content:"Office"; http.host; content:"www.dronerc.it"; reference:url,twitter.com/h2jazi/status/1370024802791096320; reference:md5,6c7fb32d476b7a367df0403b6a8c950f; reference:md5,31d748392f447001ba275361fbe65695; classtype:command-and-control; sid:2031951; rev:1; metadata:created_at 2021_03_11, former_category MALWARE, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBrowser User-Agent (LogEvents)"; flow:established,to_server; http.user_agent; content:"LogEvents"; fast_pattern; bsize:9; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:pup-activity; sid:2020238; rev:4; metadata:created_at 2015_01_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (seattlecarwash .fun)"; flow:established,to_server; tls.sni; content:"seattlecarwash.fun"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBrowser User-Agent (VersionDwl)"; flow:established,to_server; http.user_agent; content:"VersionDwl"; fast_pattern; bsize:10; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:pup-activity; sid:2020239; rev:4; metadata:created_at 2015_01_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX/Korplug CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; bsize:7; http.request_body; content:"v="; startswith; fast_pattern; content:"&id="; distance:0; content:"&uid="; distance:0; content:"&vs="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; reference:md5,26e442aa18fcea38e4c652d346627238; classtype:command-and-control; sid:2032001; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.Win32.BoBrowser User-Agent (BoBrowser)"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 180; http.header; content:"User-Agent|3a 20|"; http.user_agent; content:"|20|BoBrowser/"; fast_pattern; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:pup-activity; sid:2020240; rev:5; metadata:created_at 2015_01_22, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad CnC Domain in DNS Lookup (ns .rtechs .org)"; dns.query; content:"ns.rtechs.org"; nocase; bsize:13; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; classtype:command-and-control; sid:2032002; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/MultiPlug.Adware Adfraud Traffic"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"/?rmbs="; within:8; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"; bsize:108; http.header_names; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:pup-activity; sid:2020457; rev:4; metadata:created_at 2015_02_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad CnC Domain in DNS Lookup (soft .mssysinfo .xyz)"; dns.query; content:"soft.mssysinfo.xyz"; nocase; bsize:18; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; classtype:command-and-control; sid:2032003; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&ts="; content:"&dlip="; content:"&dlid="; content:"&proto="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020627; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (pleaseletmesleep .fun)"; flow:established,to_server; tls.sni; content:"pleaseletmesleep.fun"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api.cgi?act="; fast_pattern; content:"&appid="; content:"&proto="; http.user_agent; content:"WinWrapper"; depth:10; http.request_body; content:"{|22|appId|22 3a 22|"; content:"|22|uuId|22 3a 22|"; http.header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020628; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_03_06, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (return2monkey .fun)"; flow:established,to_server; tls.sni; content:"return2monkey.fun"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MALWARE W32/WinWrapper.Adware User-Agent"; flow:established,to_server; http.user_agent; content:"WinWrapper"; depth:10; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:pup-activity; sid:2020629; rev:6; metadata:created_at 2015_03_06, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasmin Ransomware C2 Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"machine_name="; startswith; fast_pattern; content:"&computer_user="; nocase; distance:0; content:"&systemid="; nocase; distance:0; content:"&os="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&time="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&location="; nocase; distance:0; content:"&password="; nocase; distance:0; reference:md5,eabb920f75c2943113713849878a6dfb; reference:url,twitter.com/c3rb3ru5d3d53c/status/1370740134937772037; classtype:command-and-control; sid:2032010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/log/?"; fast_pattern; content:"="; distance:1; within:1; content:"&d="; distance:0; content:"&o="; content:"&r="; content:"&s="; content:"&t="; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:pup-activity; sid:2020701; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youaresoslow .top)"; flow:established,to_server; tls.sni; content:"youaresoslow.top"; bsize:16; fast_pattern; classtype:domain-c2; sid:2032011; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; http.user_agent; content:"Sendori-Client"; depth:14; reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:pup-activity; sid:2020881; rev:5; metadata:created_at 2015_04_09, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saint Bot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header; content:"Accept|3a 20|text/plain"; http.request_body; content:"transfer="; depth:9; fast_pattern; pcre:"/^transfer=[A-Za-z0-9/+=]+$/"; reference:md5,b1f40eac7ca6d66ba9b11dcf77f1a259; reference:url,blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/; classtype:trojan-activity; sid:2032753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sentry_version="; content:"&sentry_client="; distance:0; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:pup-activity; sid:2021027; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ZHtrap CnC Checkin"; flow:established,to_server; content:"|05 01 00|"; startswith; content:".onion"; distance:0; fast_pattern; isdataat:!3,relative; flowbits:set,ET.zhtrap1; reference:url,blog.netlab.360.com/new_threat_zhtrap_botnet_en/; classtype:command-and-control; sid:2032083; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.request_body; content:"postInstallReport"; fast_pattern; content:"machineId|22 3a 22|"; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:pup-activity; sid:2021094; rev:5; metadata:created_at 2015_05_14, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ZHtrap CnC Response - Connection Successfully Established"; flow:established,from_server; content:"|05 00 00 01 00 00 00 00 00 00|"; startswith; fast_pattern; flowbits:isset,ET.zhtrap1; reference:url,blog.netlab.360.com/new_threat_zhtrap_botnet_en/; classtype:command-and-control; sid:2032084; rev:2; metadata:attack_target Client_and_Server, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP.GigaClicks Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ver/"; content:"/sid/"; http.request_body; content:"instlog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:pup-activity; sid:2021099; rev:4; metadata:created_at 2015_05_15, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (followmeasap13 .top)"; flow:established,to_server; tls.sni; content:"followmeasap13.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?uid="; content:"&affid="; distance:0; content:"&inst_date="; distance:0; fast_pattern; content:"&prod="; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:pup-activity; sid:2021173; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any 666 -> any any (msg:"ET MALWARE ELF/BASHLITE CnC Activity (Response)"; flow:established,to_client; content:"|21 20|DUP"; content:"epoll_"; distance:0; isdataat:!1,relative; fast_pattern; reference:md5,d76cebc82c79b9d7c56bced94c03c9e8; classtype:trojan-activity; sid:2032080; rev:2; metadata:created_at 2021_03_16, former_category MALWARE, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v2/"; depth:4; fast_pattern; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/"; http.header_names; content:"X-Crypto-Version"; content:!"User-Agent"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:pup-activity; sid:2021282; rev:5; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Request Cookie"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"_gads="; depth:7; content:"_gat="; distance:0; content:"_ga="; distance:0; content:"_u="; distance:0; content:"_io="; distance:0; content:"_gid="; distance:0; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; reference:url,www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html; classtype:trojan-activity; sid:2032086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/Mackeeper Checkin"; flow:established,to_server; http.uri; content:"/landings/"; depth:10; http.user_agent; content:"Macintosh|3b|"; http.host; content:"mackeeper"; startswith; http.cookie; content:"ldrBrowser=|25|22Safari|25|22|3b|"; content:"ldrOs=|25|22Mac+OS+X|25|22|3b|"; classtype:pup-activity; sid:2021548; rev:5; metadata:created_at 2015_07_29, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=su94Cb2b5Ed89d7c.su"; bsize:22; fast_pattern; classtype:domain-c2; sid:2032093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; http.user_agent; content:"Installer(ref=["; fast_pattern; content:"|3b|windows="; distance:0; content:"|3b|uac="; distance:0; content:"|3b|elevated="; distance:0; content:"|3b|dotnet="; distance:0; content:"|3b|startTime="; distance:0; content:"|3b|pid="; distance:0; classtype:pup-activity; sid:2021564; rev:5; metadata:created_at 2015_07_31, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ru94cb2b5ed89d7c.ru"; bsize:22; fast_pattern; classtype:domain-c2; sid:2032094; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?pcrc="; depth:7; fast_pattern; content:"&v="; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:pup-activity; sid:2021618; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (finalcountdown .top)"; flow:established,to_server; tls.sni; content:"finalcountdown.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032174; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 2"; flow:established,to_server; http.uri; content:"/?v="; depth:4; content:"&pcrc="; distance:0; content:"&LSVRDT="; distance:0; fast_pattern; content:"&ty="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; classtype:pup-activity; sid:2021619; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netbounce Related Activity (Program Wrapper)"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/json"; bsize:16; file.data; content:"|5c 5c|Trackingfolder084|5c 5c|start.txt|22 0a|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1daccddd902156737587a2041224b46b; classtype:trojan-activity; sid:2032222; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; content:"&pcrc="; content:"&LUDT="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:pup-activity; sid:2021643; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce User-Agent (Netbounce)"; flow:established,to_server; http.user_agent; content:"Netbounce/1.0"; bsize:13; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; classtype:trojan-activity; sid:2032223; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Boxore User-Agent"; flow:to_server,established; http.user_agent; content:"BoxoreClent"; depth:11; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:pup-activity; sid:2021700; rev:5; metadata:created_at 2015_08_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M4"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__gads="; fast_pattern; http.cookie; content:"__gads="; startswith; content:"|3b 20|_gat="; distance:0; content:"|3b 20|_ga="; distance:0; content:"|3b 20|_u="; distance:0; content:"|3b 20|__io="; distance:0; content:"|3b 20|_gid="; isdataat:!13,relative; pcre:"/^__gads=\d{9,10}:[01]:\d+:\d+(?::\d{2,4})?\x3b\s_gat=(?:10|6)\.[0-3]\.\d{4,6}\.(?:32|64)\x3b\s_ga=\d\.\d+\.\d+\.\d+\x3b\s_u=[0-9A-F]+:[0-9A-F]+\x3b\s__io=\d{2}_\d{9,10}_\d{9,10}_\d{9,10}\x3b\s_gid=[0-9A-F]{12}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; classtype:command-and-control; sid:2030053; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; content:"/FMP.dmg?download_browser="; distance:0; fast_pattern; content:"&app_id="; distance:0; content:"&campaign="; distance:0; content:"&cargoType="; distance:0; content:"&oname=FMP.dmg"; distance:0; classtype:pup-activity; sid:2021984; rev:4; metadata:created_at 2015_10_21, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mydrinksare .top)"; flow:established,to_server; tls.sni; content:"mydrinksare.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; http.user_agent; content:"InstallCapital"; startswith; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:command-and-control; sid:2022246; rev:5; metadata:created_at 2015_12_12, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Proxy Activity"; flow:established,to_server; http.start; content:"CONNECT|20|/_controlPath/|20|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032224; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DealPly Adware CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; fast_pattern; content:"&pcrc="; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:pup-activity; sid:2022354; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Proxy User-Agent (idk)"; flow:established,to_server; http.user_agent; content:"idk"; bsize:3; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032225; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/v"; depth:2; content:".asp"; pcre:"/\/v\d\/[^.]+\.asp$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; bsize:38; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:pup-activity; sid:2022694; rev:4; metadata:created_at 2016_04_01, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Ransomware HTTP POST to Onion Link Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".onion.link"; endswith; fast_pattern; http.request_body; content:"data="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-076a; classtype:command-and-control; sid:2032219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".sh?do="; content:"&d="; content:"&inj="; content:"&cl="; content:"&cs="; content:"&id="; content:"&se="; http.user_agent; content:"Mozilla/5.0"; fast_pattern; bsize:11; http.header_names; content:!"Referer|0d 0a|"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022716; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Program Wrapper Download"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.uri; content:"/progwrapper.exe"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; content:!"Connect"; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032226; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?mid="; fast_pattern; pcre:"/\/(cld|update-effect)\?mid=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&(ct|st)=[a-z0-9]+$/i"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022717; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userid="; startswith; fast_pattern; pcre:"/^[A-Z]{256}$/R"; http.header; content:"Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,435f83b1ab70c68e34bd523bae4217e0; reference:url,twitter.com/bryceabdo/status/1372895643102969861; classtype:trojan-activity; sid:2032274; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.user_agent; content:"curl/"; startswith; http.request_body; content:"vs_mid="; depth:7; fast_pattern; content:"&br_mid="; content:"&event_type="; content:"diss URL"; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022718; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MALWARECAT Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|MALWARECAT"; fast_pattern; reference:md5,bc45f9e3b0a681fb7bc08dbf3c44bcf3; classtype:command-and-control; sid:2032271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit Web Injects"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mu?id="; fast_pattern; content:"&d="; content:"&cl="; pcre:"/\/mu\?id=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&d=[A-Za-z]+&cl=\d+$/i"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:pup-activity; sid:2022719; rev:4; metadata:created_at 2016_04_08, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (habbybearshop .top)"; flow:established,to_server; tls.sni; content:"habbybearshop.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 3"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/u/?"; depth:4; fast_pattern; content:"&c="; distance:0; content:"&r="; distance:0; pcre:"/^\/u\/\?[a-z]=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&r=[0-9]{17,}$/"; reference:url,blog.malwarebytes.org/cybercrime/2016/01/trojan-dnschanger-circumvents-powershell-restrictions/; classtype:pup-activity; sid:2022722; rev:4; metadata:created_at 2016_04_11, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youcanfindmeonthe .top)"; flow:established,to_server; tls.sni; content:"youcanfindmeonthe.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/InstallCore Initial Install Activity 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?v="; depth:4; content:"&subver="; fast_pattern; distance:0; content:"&pcrc="; distance:0; pcre:"/^\/\?v=[\d\.]{3,4}&subver=[\d\.]{4,5}&pcrc=\d+$/"; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,0a6a0baf77b80706cab665754ecadac9; classtype:pup-activity; sid:2022807; rev:4; metadata:created_at 2016_05_16, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/tmp?q=6"; endswith; fast_pattern; http.user_agent; content:"|20|Office|20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/ShadowChasing1/status/1372464570183208961; reference:md5,1670bb091dba017606ea5e763072d45f; classtype:trojan-activity; sid:2032275; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_03_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Successful QuizScope Installation"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qscope/ithankyou"; depth:17; fast_pattern; reference:md5,4dae2a394b792c36936a88cfc296f9b9; classtype:pup-activity; sid:2022812; rev:4; metadata:created_at 2016_05_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (chMiner/RAT)"; flow:established,to_client; tls.cert_subject; content:"CN=8Yq1.qSt3.S5It.Lbp0"; bsize:22; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1374080723032887297; reference:md5,102362f98b67ece5b9b3607bebf4125a; classtype:domain-c2; sid:2032276; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SearchProtect PUA User-Agent Observed"; flow:established,to_server; http.user_agent; content:"SearchProtect|3b|"; depth:14; reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87; classtype:pup-activity; sid:2022813; rev:4; metadata:created_at 2016_05_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nameyourcatlikeshedeserved .top)"; flow:established,to_server; tls.sni; content:"nameyourcatlikeshedeserved.top"; bsize:30; fast_pattern; classtype:domain-c2; sid:2032312; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_23, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Conduit Trovi Adware/PUA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?gd="; depth:5; fast_pattern; content:"&ctid="; distance:0; content:"&octid="; distance:0; content:"&SSPV="; distance:0; reference:md5,069ce8c2a553f9bc5a9599d7541943ce; classtype:pup-activity; sid:2022814; rev:4; metadata:created_at 2016_05_17, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; fast_pattern; reference:url,twitter.com/z0ul_/status/1374121916143919106; reference:md5,4cf6fb8514073319e7759b4f66d13f08; classtype:domain-c2; sid:2032313; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M1"; flow:established,to_server; http.uri; content:"/gettrk_l?partner="; depth:18; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022821; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert smtp any any -> any any (msg:"ET MALWARE Suspected Jobcrypter Ransomware Exfil (SMTP)"; flow:to_server,established; content:"|0d 0a|RTEE="; fast_pattern; content:"RRRTC|3a 20|"; pcre:"/^[0-9]{90,180}\r\n/R"; distance:0; reference:md5,4de76198ea4488eae192d0ca4e4bd66b; reference:url,twitter.com/guelfoweb/status/1374042649322209283; classtype:trojan-activity; sid:2032318; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M2"; flow:established,to_server; http.uri; content:"/install-report?"; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022822; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Girostat Stealer (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; http.request_body; content:"name=|22|info|22 0d 0a|"; content:"name=|22|debug1|22 0d 0a|"; distance:0; content:"name=|22|debug2|22 0d 0a|"; fast_pattern; content:"filename=|22|"; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,934058124782476cdbe7866c4ceed167; classtype:trojan-activity; sid:2032319; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M3"; flow:established,to_server; http.uri; content:"/event-report?"; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022823; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (onthewire1 .top)"; flow:established,to_server; tls.sni; content:"onthewire1.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP InstallCore PUA/Adware Activity M4"; flow:established,to_server; http.uri; content:"?type=off"; content:"&topic="; distance:0; http.user_agent; content:"WinHTTP/1.0"; fast_pattern; bsize:11; classtype:pup-activity; sid:2022824; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (companyllc .top)"; flow:established,to_server; tls.sni; content:"companyllc.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toolbar User-Agent (BrandThunderHelper)"; flow:established,to_server; http.user_agent; content:"BrandThunderHelper"; fast_pattern; bsize:18; classtype:pup-activity; sid:2022825; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (rpirpiwhyyouleaveyourhorse .top)"; flow:established,to_server; tls.sni; content:"rpirpiwhyyouleaveyourhorse.top"; bsize:30; fast_pattern; classtype:domain-c2; sid:2032317; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Toolbar.WIDGI User-Agent (WidgiToolbar-)"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"WidgiToolbar-"; depth:13; reference:md5,1785f9784cb4e7400ed6f2c8f0e421c2; classtype:pup-activity; sid:2022826; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiddenTears Ransomware Activity (GET)"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/alertmsg.zip"; fast_pattern; http.host; content:".tk"; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,eabb920f75c2943113713849878a6dfb; reference:md5,28b0ef0c832916a852ddf0c3c5427be3; classtype:trojan-activity; sid:2032320; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2021_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP/DriverRestore Sending System Information to Affiliate"; flow:established,to_server; http.uri; content:".jsp?leadTrackerId="; content:"|22|ComputerName|22|"; distance:0; content:"|22|UserName|22|"; distance:0; content:"|22|IsAdmin|22|"; distance:0; http.user_agent; content:"DriverRestore/"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4f7f497668e3e716a6f4a53af0924a25; classtype:pup-activity; sid:2022827; rev:4; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atom Logger exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|["; content:"|20 7c 20|Atom Logger"; within:100; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026825; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2021_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TopTools PUP Install Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"_install.cgi"; http.user_agent; content:"BIDUI18N"; bsize:8; http.request_body; content:"name=|22|ufile01|22 3b 20|filename=|22|boundary|22|"; fast_pattern; content:"Content-Type|3a 20|application/octet-stream"; distance:0; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,3e464cff8690c7a2f57542688a278c62; classtype:pup-activity; sid:2022829; rev:4; metadata:created_at 2016_05_19, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/MID/32546678/dn.php?client_id="; fast_pattern; startswith; content:"&prefix="; distance:0; reference:url,twitter.com/ShadowChasing1/status/1374750091001491458; reference:md5,c578189efd31c06b494b78c168cf84dd; classtype:trojan-activity; sid:2032329; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?alpha="; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/"; http.user_agent; content:"NSIS_Inetc"; depth:10; fast_pattern; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:pup-activity; sid:2022850; rev:5; metadata:created_at 2016_06_02, former_category ADWARE_PUP, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity"; flow:established,to_server; http.method; content:"GET"; http.start; content:".js|20|HTTP/1.1|0d 0a|Cookie|3a 20|SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r\n/R"; reference:md5,653b45c576c89c00a164b51e23732957; reference:url,twitter.com/z0ul_/status/1374724622508245008; classtype:trojan-activity; sid:2032330; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL/Adload.AT Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/impression.do"; fast_pattern; content:"source="; content:"&event="; content:"&implementation_id="; content:"user_id="; content:"&useragent="; content:"&sgn="; content:"&subid2="; content:"&ts="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:pup-activity; sid:2022893; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, former_category ADWARE_PUP, malware_family MSIL_Adload, signature_severity Major, tag Adware, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Black KingDom Ransomware Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpn-service/"; startswith; content:"crunchyroll-vpn"; endswith; fast_pattern; pcre:"/^\/vpn-service\/[a-z]{15}\/crunchyroll-vpn$/"; reference:url,news.sophos.com/en-us/2021/03/23/black-kingdom/; classtype:trojan-activity; sid:2032331; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LoadMoney Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; pcre:"/^Downloader\s\d+\.\d+$/"; content:"Downloader|20|"; startswith; http.request_body; content:"|0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2022987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FFDroider CnC Activity M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/seemorebty/"; fast_pattern; content:".php?e="; distance:0; http.referer; content:"https://www.facebook.com"; reference:md5,ffceece2e297cf5769a35bf387c310ef; reference:url,www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users; classtype:command-and-control; sid:2035798; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Chrome Extension"; flow:established,to_server; http.uri; content:"page?url="; fast_pattern; content:"/user/"; content:"iframe="; http.header_names; content:!"Referer|0d 0a|"; classtype:pup-activity; sid:2023015; rev:4; metadata:affected_product Web_Browser_Plugins, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2016_08_05, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/boxes?nid="; fast_pattern; startswith; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,91b9c9db4916b7e416da074e29a36082; classtype:trojan-activity; sid:2032332; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; http.method; content:"GET"; http.uri; content:"/?q="; fast_pattern; depth:4; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/"; http.uri.raw; content:"+"; http.host; content:!"map24.com"; content:!"aptrk.com"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:pup-activity; sid:2023707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PUA, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Small.CLJ CnC Activity"; flow:established,to_server; http.start; content:"GET /"; startswith; content:"|20|HTTP/1.1|0d 0a|Referer|3a 20|Microsoft|20|Windows|20|"; fast_pattern; http.user_agent; content:"@"; http.header_names; content:"|0d 0a|Referer|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:43; reference:md5,fb7f916531e239c8a705249d93b48598; classtype:trojan-activity; sid:2032328; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 1"; flow:established,to_server; http.uri; content:"/get_xml?"; fast_pattern; pcre:"/\/get_xml\?(?:file_id|stb)=/i"; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024250; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/copyright.js"; bsize:13; fast_pattern; http.cookie; content:"SSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,653b45c576c89c00a164b51e23732957; classtype:trojan-activity; sid:2032337; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 2"; flow:established,to_server; http.uri; content:"/download.php?id="; fast_pattern; content:"&f="; http.user_agent; content:"tiny-dl"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024251; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_12_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forums?listinfo="; fast_pattern; startswith; http.cookie; content:"made_write_conn="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,49ebd0be7e33c59ee584cb8601093775; classtype:trojan-activity; sid:2032338; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 4"; flow:to_server,established; http.uri; content:"/get_file_info.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_23, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (videomart .top)"; flow:established,to_server; tls.sni; content:"videomart.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_03_26, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 8"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&chromeLog="; fast_pattern; content:"&ffLog="; distance:0; content:"&operaLog="; distance:0; content:"&notAdmin="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_05, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ku?disable="; startswith; fast_pattern; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,661bdbab0140cf3bed508a14c2c5804a; classtype:trojan-activity; sid:2032339; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 2"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/launch_info"; http.user_agent; content:"Downloader|20|"; depth:11; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024259; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Files Stealer CnC Exfil Activity M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/log.php"; endswith; http.request_body; content:"form-data|3b 20|name=userfile|3b 20|filename="; content:"Stealer|5c|"; distance:0; fast_pattern; reference:md5,b572ed0bf3030cbb18d8af16e2c7e2c2; classtype:trojan-activity; sid:2032333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_26, former_category MALWARE, signature_severity Major, updated_at 2021_03_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 4"; flow:established,to_server; http.uri; content:"/data_files="; depth:12; fast_pattern; content:"&rnd="; distance:0; http.user_agent; content:"Downloader 1"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024262; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; content:"|20|/logo|20|HTTP/1."; fast_pattern; http.method; content:"GET"; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|"; startswith; reference:md5,45ec8cee2c028e47d3bba2e14a93a957; classtype:trojan-activity; sid:2032336; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ProxyGearPro Proxy Tool PUA"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Proxy|20|Gear|20|Pro/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:pup-activity; sid:2024484; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|SSID="; fast_pattern; pcre:"/^SSID=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/C"; http.method; content:"GET"; http.uri; content:".css"; endswith; http.header_names; content:"User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,9e97ace1f585b0914f99fde7014ed8c5; classtype:trojan-activity; sid:2032335; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Adware Chrome Extension Detected (1)"; flow:to_server,established; http.uri; content:"/hostedsearch?"; fast_pattern; content:"subid"; distance:0; content:"&keyword="; distance:0; http.header; content:"User-Agent|3a 20|"; content:"Upgrade-Insecure-Requests|3a 20|"; content:"Accept"; content:"Connection|3a 20|"; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Valyria Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/naw15?"; fast_pattern; pcre:"/^(?:id|tfzT)=/R"; http.header_names; content:!"Referer"; reference:md5,0c4578dac4ae278beabbfe18a8c37efb; reference:md5,5154a6f3a5c93337a8a390e63b1448f8; classtype:trojan-activity; sid:2032343; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Malicious Adware Chrome Extension Detected (2)"; flow:to_server,established; http.uri; content:"/?keyword="; fast_pattern; content:"&id="; distance:0; content:"&sysid="; distance:0; http.header; content:"User-Agent|3a 20|"; content:"Upgrade-Insecure-Requests|3a 20|"; content:"Accept"; content:"Connection|3a 20|"; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024727; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Unk Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=arganaif.org"; bsize:15; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:domain-c2; sid:2032341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] WebToolbar.Win32.Searchbar.k HTTP JSON Artifact"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|7b 22|lib_version|22 3a 22|"; depth:16; content:"|22 2c 22|lib_url|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|bin_version|22 3a 22|"; distance:0; content:"|22 2c 22|bin_url|22 3a 22|"; distance:0; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:pup-activity; sid:2024761; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; http.user_agent; content:!"Mozilla/"; content:"-"; offset:4; depth:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; bsize:19; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032349; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware.SearchGo (start_page)"; flow:established,to_server; urilen: >100; http.method; content:"GET"; http.uri.raw; content:"/%f3%07%27%f6%46%d3"; depth:19; http.header; content:!"Content-Length|3a|"; http.user_agent; content:"start_page"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:pup-activity; sid:2024762; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_22, deployment Perimeter, former_category ADWARE_PUP, malware_family Searchgo, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; http.accept_lang; content:"ru|2d|RU|2c|ru|3b|q|3d|0|2e|9|2c|en|3b|q|3d|0|2e|8"; bsize:23; http.user_agent; content:"TAKEMIX"; bsize:7; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware.FileFinder Activity"; flow:established, to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/?i="; http.request_body; content:"report=AAA"; depth:20; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:pup-activity; sid:2024904; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Amazon Profile) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/g/rfer=nmn_fr_gees_1/42-332638-0264389/field-keywords=toys"; fast_pattern; http.cookie; content:"skin=noskin|3b|"; startswith; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,5ac5656269d2dd45405a153dca591ede; classtype:trojan-activity; sid:2032353; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.LoadMoney User Agent 2"; flow:established,to_server; http.user_agent; content:"s|20|2.8"; depth:5; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2025302; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Related Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ZP/MIKV.php"; bsize:12; fast_pattern; http.user_agent; content:"Embarcadero|20|URI|20|Client/1.0"; bsize:26; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/ESETresearch/status/1376490532445294594; reference:md5,ad8fd5461bec26b97cdfc0b05028bfc0; reference:md5,1e4b45e2ab5c679f9e983da1c135ab5e; reference:md5,34db9c98f3149d98bf0a562ce2ef5344; classtype:trojan-activity; sid:2032356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMoney Adware Activity M2"; flow:to_server,established; flowbits:set,ETPTadmoney; http.method; content:"GET"; http.uri; content:"/software_install?sid="; fast_pattern; content:"&sub_id="; distance:0; content:"&hash="; distance:0; content:"&mid="; distance:0; content:"&fname="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,844e53381099d572c3864c7a42ddbbf1; classtype:pup-activity; sid:2025303; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?usersearch="; fast_pattern; http.cookie; content:"reg_fb_gate="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:url,twitter.com/z0ul_/status/1377385770470703106; reference:md5,c5668ee76cb9a9a5c4837eb0049c005b; classtype:trojan-activity; sid:2032360; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lavasoft PUA/Adware Client Install"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/event-stat?ProductID="; fast_pattern; content:"&Type=StubStart"; distance:0; http.host; content:"lavasoft.com"; classtype:pup-activity; sid:2025537; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Adware, updated_at 2020_08_31;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".wm01.to"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/; reference:md5,b44898666f0f07e9fae379b6e88a331c; reference:md5,e91bbe677636002682dbcc430fc1065b; classtype:domain-c2; sid:2032361; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WiseCleaner Installed (PUA)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?p=install_statistics"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http.host; content:"wisecleaner.net"; fast_pattern; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:pup-activity; sid:2025589; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_08_31, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".gif?utmac="; fast_pattern; content:"&utmcn="; distance:0; content:"&utmcs="; distance:0; http.header_names; content:!"Referer"; reference:url,twitter.com/MichalKoczwara/status/1377651431478595588; reference:md5,db9214c2f8340ceba664800481f0ca08; classtype:trojan-activity; sid:2032362; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antibody Software Installed (PUA)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"version.php?ver="; nocase; content:"&newinstall="; nocase; distance:0; http.user_agent; content:"Embarcadero URI Client/1.0"; http.host; content:"antibody-software.com"; fast_pattern; reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:pup-activity; sid:2025590; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_12, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Nitro Stealer Exfil Activity (Response)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"is_bot|22 3a|"; content:"|2c 22|username|22 3a 22|nitronotification_bot|22|"; fast_pattern; reference:url,app.any.run/tasks/ab993f27-958c-4ab4-8da4-0bcd7fe35fcd/; reference:url,twitter.com/James_inthe_box/status/1378044484089376768; reference:md5,95b98ecb440a23daefc5c12d0edfa048; classtype:trojan-activity; sid:2032418; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP [eSentire] Win32/Adware.Adposhel.lgvk CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/inst?data="; nocase; http.user_agent; content:"Installer event sender/"; depth:23; fast_pattern; isdataat:!3,relative; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,e7c2c1b796dad6210165110b7e8cda7d; classtype:pup-activity; sid:2025645; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category ADWARE_PUP, malware_family Adposhel, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A Ransomware CnC Init Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?gen&session-id="; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Rs"; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; content:!"User-Agent"; reference:md5,b306115dc9c137b0fa455a9ce1708917; classtype:trojan-activity; sid:2032419; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Luxsoft Win32/ICLoader User-Agent"; flow:to_server,established; http.user_agent; content:"Medunja Solodunnja"; depth:18; nocase; reference:url,fortinet.com/blog/threat-research/cookie-maker-inside-the-google-docs-malicious-network.html; classtype:pup-activity; sid:2026114; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?submit"; http.request_body; content:"session-id="; depth:11; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/Rs"; content:"&id="; distance:0; within:4; content:"&country="; content:"&operatingSystem="; content:"&cpuModel="; content:"&machineName="; content:"&randomAccessMemory="; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; content:!"User-Agent"; reference:md5,b306115dc9c137b0fa455a9ce1708917; classtype:trojan-activity; sid:2032420; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Fake Adobe Update Download"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"filename=readerdc"; fast_pattern; nocase; pcre:"/(_[a-z]{2}){1,3}_[a-z]{3}_install\.exe/Ri"; content:!"Server|3a 20 20|Apache"; content:"Set-Cookie|3a 20|session="; classtype:pup-activity; sid:2026734; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Template Download"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jack/"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9]{32}\.dot$/R"; http.user_agent; content:"Microsoft Office"; http.header_names; content:!"Referer"; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:md5,8cc87eb3667aecc1bd41018f00aca559; reference:md5,d4b45f7a937139e05f386a8ad0aba04e; reference:md5,5fdcbb85733f9e8686d582b2f1459961; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032483; rev:1; metadata:created_at 2021_04_05, former_category MALWARE, malware_family DonotGroup, updated_at 2021_04_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Adobe Update Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/en"; nocase; content:"/reader/download/?installer=Reader_DC_20"; nocase; within:45; pcre:"/\d{2}\.0\d{2}\.200\d{2}_English(?:_for)?_Windows/R"; http.host; content:!"get.adobe.com"; classtype:pup-activity; sid:2026735; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (lifemaindecision .top)"; flow:established,to_server; tls.sni; content:"lifemaindecision.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2032524; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for validate-site.js"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/validate-site.js?uid="; fast_pattern; content:"&r="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027418; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pult Downloader Activity"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|UserAgent|3a|Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|"; fast_pattern; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032525; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2021_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M2"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/optout/get?jsonp="; depth:18; fast_pattern; content:"&key="; distance:16; within:23; content:"&t="; distance:18; within:21; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027420; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Related VBS Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xx/f_Skoifa.vbs"; fast_pattern; bsize:16; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; reference:url,www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt; reference:md5,27d85a6aff129deb07048a735de1c884; classtype:trojan-activity; sid:2032530; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Molerats, performance_impact Low, signature_severity Major, updated_at 2021_04_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M4"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"/optout/set/lat?jsonp="; fast_pattern; content:"key="; distance:16; within:27; content:"cv="; distance:18; within:27; content:"t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027428; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Python RAT (Aurora Campaign))"; flow:established,to_client; tls.cert_subject; content:"C=MK, ST=MikoState, L=MikoCity, O=Miko LLC, OU=Miko, CN=Foo Bar"; bsize:63; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/; classtype:domain-c2; sid:2032528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/Agent.NDV Receiving Task Config File"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Settings|5d 0d 0a|"; depth:12; content:"post_page0="; distance:0; fast_pattern; reference:md5,c6c1292bf7dd1573b269afb203134b1d; classtype:pup-activity; sid:2027566; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_26, deployment Perimeter, former_category ADWARE_PUP, malware_family Agent_NDV, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT)"; flow:established,to_client; tls.cert_issuer; content:"CN=DcRat Server"; fast_pattern; reference:md5,c57460b4d595a97fd37211e5087b2557; classtype:domain-c2; sid:2034847; rev:1; metadata:attack_target Client_and_Server, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getblob?v="; fast_pattern; content:"&cache="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027828; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (heroofthe .top)"; flow:established,to_server; tls.sni; content:"heroofthe.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre User-Agent"; flow:established,to_server; http.user_agent; content:"onlymacros"; depth:10; endswith; reference:md5,b4ddb47165bf5362f0b33ed907b1ee08; classtype:command-and-control; sid:2030818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Upatre, updated_at 2020_08_31;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hierarchicalfiles .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hierarchicalfiles.com"; bsize:21; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032534; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Zonebac Traffic Redirect"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; http.request_body; content:"ic="; startswith; fast_pattern; content:"&fb="; distance:0; reference:md5,23ad5529074fa0fba3258b155440659f; classtype:pup-activity; sid:2030821; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (resolutionplatform .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resolutionplatform.com"; bsize:22; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032535; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MS Office Macro Dridex Download URI Jan 7 2015"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pops"; offset:1; fast_pattern; content:".php"; within:5; pcre:"/^\/[^\x2f]+\/pops[a-z]?\.php$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2020148; rev:6; metadata:created_at 2015_01_07, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (pulmonyarea .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pulmonyarea.com"; bsize:15; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032536; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dana/home.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:5; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hardwareoption .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hardwareoption.com"; bsize:18; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (shehootastayonwhatshelirned .top)"; flow:established,to_server; tls.sni; content:"shehootastayonwhatshelirned.top"; bsize:31; fast_pattern; classtype:domain-c2; sid:2032538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (applicationrepo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"applicationrepo.com"; bsize:19; fast_pattern; reference:md5,60e9f401ea30605d57cdc821533d9675; reference:url,twitter.com/RedBeardIOCs/status/1379422249590128646; classtype:targeted-activity; sid:2032539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2012-4792 EIP in URI M1"; flow:established,to_server; http.uri.raw; content:"/%E0%B4%8C%E1%88%92"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:4; metadata:created_at 2012_12_31, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (uppertrainingtool .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"uppertrainingtool.com"; bsize:21; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1347357947307778049?s=20; classtype:targeted-activity; sid:2032540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2012-4792 EIP in URI M2"; flow:established,to_server; http.uri.raw; content:"/%E0%B4%8C%E1%82%AB"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:5; metadata:created_at 2013_01_08, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hostoperationsystems .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hostoperationsystems.com"; bsize:24; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1347357947307778049?s=20; classtype:targeted-activity; sid:2032541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aurora Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?generate="; fast_pattern; content:"/"; distance:0; content:"&hwid="; distance:0; reference:md5,2409c058a86cd8743abb10a5735ef487; classtype:command-and-control; sid:2025931; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category MALWARE, malware_family Aurora_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ozone/Darktrack RAT Variant - Client Hello (set)"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.OzoneRAT; content:"|2c ef 3a e7 89 fe 48 af ac f8|"; depth:10; dsize:110<>113; reference:md5,583de02ec747f0316fb7b0e59bd858bd; classtype:trojan-activity; sid:2032542; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Coinminer Download"; flow:established,to_server; urilen:39; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/WPSystem/dl.php?a="; depth:38; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c5d5608df7519c44358fa87bd046b553; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:coin-mining; sid:2027894; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, tag Stealer, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ozone/Darktrack RAT Variant - Server Hello"; flow:established,to_client; flowbits:isset,ET.OzoneRAT; dsize:666; content:"|53 53 48 2d 32 2e 30 2d 64 72 6f 70 62 65 61 72 5f 32 30 31 37 2e 37 35 0d 0a|"; reference:md5,583de02ec747f0316fb7b0e59bd858bd; classtype:trojan-activity; sid:2032543; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound POST Request with ps PowerShell Command Output"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|48 61 6e 64 6c 65 73 20 20 4e 50 4d 28 4b 29 20 20 20 20 50 4d 28 4b 29 20 20 20 20 20 20 57 53 28 4b 29|"; fast_pattern; reference:url,attack.mitre.org/techniques/T1057/; reference:url,attack.mitre.org/techniques/T1086/; classtype:trojan-activity; sid:2027210; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category TROJAN, performance_impact Low, tag T1086, tag T1057, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig SideTwist CnC Domain in DNS Lookup (sarmsoftware .com)"; dns.query; content:"sarmsoftware.com"; nocase; bsize:16; reference:url,research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/; classtype:domain-c2; sid:2032640; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Py.Machete HTTP CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"namepc="; content:"nadir="; content:"menrut0="; content:"menfile0="; fast_pattern; content:"mens0="; http.header_names; content:!"Referer"; reference:url,travisgreen.net/2019/08/14/machete-malware.html; classtype:command-and-control; sid:2027887; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family Machete, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (lomhasnopryiyome .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"lomhasnopryiyome.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2032639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_09, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; content:"select password"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (tapewormorchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"tapewormorchestra.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/i"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (belochkaneprihoditodna .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"belochkaneprihoditodna.top"; bsize:26; fast_pattern; classtype:domain-c2; sid:2032743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player malware binary requested"; flow:established,to_server; http.uri; content:"&filename=Flash Player|20|"; content:".exe"; classtype:trojan-activity; sid:2017123; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"tkyjzgbqfwk3gr55."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024981; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; http.uri; content:"/styles/javaupdate.css"; classtype:trojan-activity; sid:2017845; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u7duee44hwu5lf7r."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024983; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; http.uri; content:"windows-firewall.png"; classtype:trojan-activity; sid:2019598; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u2sg7pqxmmrhnzms."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024982; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - png"; flow:established,to_server; http.uri; content:"gp-warning-img.png"; classtype:trojan-activity; sid:2020711; rev:4; metadata:created_at 2015_03_19, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns.query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2021_04_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>*** Security Error Code 0x80070424</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2021255; rev:5; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (whatsthescore .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"whatsthescore.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"isp="; content:"&browser="; distance:0; content:"&browserversion"; distance:0; fast_pattern; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&osversion="; distance:0; classtype:social-engineering; sid:2021367; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLine - GetArguments Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|SOAPAction|3a 20 22|http://tempuri.org/"; http.request_body; content:"|3c 73 3a|Body|3e 3c|GetArguments|20|xmlns=|22|http|3a 2f 2f|tempuri|2e|org|2f 22 2f|"; fast_pattern; reference:md5,9a3ac9f18c1222e7a77a47db01b1f597; classtype:command-and-control; sid:2034361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Redline, signature_severity Major, updated_at 2021_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"index.html?city="; fast_pattern; content:"&ip="; distance:0; content:"&isp="; distance:0; http.header_names; content:!"Referer|0d 0a|"; classtype:social-engineering; sid:2021447; rev:4; metadata:created_at 2015_07_20, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"&&user="; fast_pattern; distance:0; content:"ZxxZ"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,59b043a913014a1f03258c695b9333af; classtype:trojan-activity; sid:2036652; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:social-engineering; sid:2022608; rev:4; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?filename=corona"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest|2e|5)"; bsize:57; http.header_names; content:!"Referer"; reference:md5,0821884168a644f3c27176a52763acc9; reference:url,twitter.com/ShadowChasing1/status/1382509560179531782; classtype:trojan-activity; sid:2032770; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:social-engineering; sid:2022854; rev:4; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - AngryBeaver Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"cgi-bin/index.php"; endswith; http.content_type; content:"application/x-www-form-urlencoded|3b|charset=utf-8"; bsize:47; http.request_body; content:"0="; startswith; content:"&1="; distance:0; content:"&2=enc02"; endswith; fast_pattern; reference:url,twitter.com/rootprivilege/status/1376899513592336391?s=20; reference:url,lukeleal.com/research/posts/magento2-angrybeaver-skimmer/; classtype:trojan-activity; sid:2032769; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"your-computer-is-locked-"; nocase; fast_pattern; content:"your-computer-is-locked-"; distance:0; nocase; classtype:social-engineering; sid:2022927; rev:4; metadata:created_at 2016_06_29, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (annafraudy .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"annafraudy.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (warning.mp3) Jan 24 2017"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"warning.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2024365; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category WEB_CLIENT, malware_family Tech_Support_Scam, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (youareperfect2day .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"youareperfect2day.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M2 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"microsoft official support"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024444; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (mindbreaker .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"mindbreaker.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M1 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"security error 0x00759b"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024445; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos 3.x Unencrypted Checkin"; flow:established,to_server; content:"|24 04 ff 00|"; startswith; content:"|4b 00 00 00|"; distance:4; within:4; content:"|7c 1e 1e 1f 7c|"; distance:0; fast_pattern; reference:md5,d27f70216d11b769c937a961fc1b1c81; classtype:command-and-control; sid:2032776; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M3 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"virus warning alert"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024446; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Remcos 3.x Unencrypted Server Response"; flow:established,to_client; content:"|24 04 ff 00|"; startswith; content:"|01 00 00 00 30 7c 1e 1e 1f 7c|"; distance:4; within:10; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:md5,d27f70216d11b769c937a961fc1b1c81; classtype:command-and-control; sid:2032777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Tech Support Phone Scam Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"official apple support"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024447; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (attentionmagnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"attentionmagnet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M4 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"windows official support"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024448; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk Downloader CnC Activity"; flow:established,to_server; http.request_line; content:"GET /"; startswith; content:"image.php?id="; fast_pattern; pcre:"/^[0-9A-F]{21,22}\x20HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:command-and-control; sid:2032342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Oct 16 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm="; nocase; content:"Error"; nocase; distance:0; fast_pattern; content:"-"; distance:0; pcre:"/^WWW-Authenticate\x3a\x20Basic\x20realm=[\x22\x27][^\r\n]*Error[^\r\n]*-/mi"; classtype:social-engineering; sid:2024844; rev:5; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon MalDoc CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"Mozilla/"; startswith; content:"|3a 3a|"; distance:0; content:"|3a 3a 2f 2e|"; within:50; fast_pattern; http.header_names; content:!"Referer"; content:!"Cache-"; reference:md5,bbfef3fcb75449889e544601f7975b34; classtype:command-and-control; sid:2035024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING 16Shop Phishing Kit Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>16SHOP"; fast_pattern; nocase; content:"<label>Public Key"; distance:0; nocase; content:"<label>Password"; distance:0; nocase; classtype:web-application-attack; sid:2029914; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos Builder License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"logaccess.php?DATA="; fast_pattern; pcre:"/^[0-9A-F]+$/R"; http.user_agent; content:"Remcos"; bsize:6; classtype:trojan-activity; sid:2032783; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Software Update Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Adobe - Update"; nocase; fast_pattern; content:"href=|22|flashfiles/"; nocase; distance:0; content:"src=|22|flashfiles/"; nocase; distance:0; content:"function getUrl(url)"; nocase; distance:0; reference:url,www.malware-traffic-analysis.net/2018/07/05/index.html; classtype:trojan-activity; sid:2025715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Wacapew.A!ml Domain in TLS SNI (zytrox .tk)"; flow:established,to_server; tls.sni; content:"zytrox.tk"; bsize:9; classtype:domain-c2; sid:2032778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2018-07-18"; flow:established,to_client; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|Microsoft has detected suspicious activity"; fast_pattern; classtype:social-engineering; sid:2025831; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Tech_Support_Scam, updated_at 2020_09_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Cobalt Strike Stager Time Check M1"; flow:established,to_server; dsize:11; content:"GET|20|driver|0a|"; fast_pattern; reference:md5,e566c853fe8555fc255bd643f96ba574; classtype:trojan-activity; sid:2032784; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M2 2019-04-15"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"createOscillator|28 29|"; content:"createGain|28 29|"; distance:0; content:"|3e|System|20|Warning!|3c 2f|span|3e|"; distance:0; fast_pattern; content:"|3c|b|3e|Windows|20|Version"; distance:0; classtype:social-engineering; sid:2027198; rev:3; metadata:created_at 2019_04_15, former_category WEB_CLIENT, tag Tech_Support_Scam, tag Malvertising, updated_at 2020_09_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Cobalt Strike Stager Time Check M2"; flow:established,to_server; dsize:8; content:"GET|20|drv|0a|"; fast_pattern; reference:md5,e566c853fe8555fc255bd643f96ba574; classtype:trojan-activity; sid:2032785; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER 16Shop Phishing Kit Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>16SHOP"; fast_pattern; nocase; content:"<label>Public Key"; nocase; distance:0; content:"<label>Password"; nocase; distance:0; classtype:web-application-attack; sid:2029915; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Critical, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - _try_action Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".png"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.request_body; content:"cid="; startswith; fast_pattern; content:"&host="; reference:url,lukeleal.com/research/posts/cdn-frontend-skimmer/; classtype:trojan-activity; sid:2032788; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BalkanDoor CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s="; fast_pattern; content:"&cn="; pcre:"/\.php\?s=\d+&cn=/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/; reference:md5,f70ef75fb0a51b05c43aaec973ac0bc1; classtype:command-and-control; sid:2027897; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart/Skimmer - _try_action CnC Domain (cdn-frontend .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cdn-frontend.com"; bsize:16; fast_pattern; reference:url,lukeleal.com/research/posts/cdn-frontend-skimmer/; classtype:domain-c2; sid:2032789; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2021_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BalkanDoor CnC Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"[CFG]|0d 0a|di="; fast_pattern; depth:10; content:"|0d 0a|cn="; content:"|0d 0a|du="; content:"|0d 0a|int="; content:"|0d 0a|rip="; content:"|0d 0a|rpo="; content:"|0d 0a|scr_dur="; content:"|0d 0a|scr_int="; reference:url,www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/; reference:md5,f70ef75fb0a51b05c43aaec973ac0bc1; classtype:command-and-control; sid:2027898; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (newageiscoming .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"newageiscoming.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/../dana/html5acc/guacamole/../"; depth:39; fast_pattern; isdataat:10,relative; reference:url,packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html; reference:cve,CVE-2019-11510; classtype:trojan-activity; sid:2027904; rev:3; metadata:affected_product Pulse_Secure, created_at 2019_08_22, former_category EXPLOIT, updated_at 2020_09_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Possibly SLIGHTPULSE Related - Suspicious POST to Specific URI Path"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"meeting_testjs.cgi"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-admin; sid:2032787; rev:1; metadata:created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE TwoFace WebShell Detected"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.cookie; content:"data=pro#=#"; fast_pattern; reference:url,www.emanueledelucia.net/a-dive-into-apt34-aka-oilrig-aka-cobalt-gypsy-twoface-webshell/; classtype:targeted-activity; sid:2027903; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
+alert tls $EXTERNAL_NET ![443,587] -> $HOME_NET any (msg:"ET MALWARE Observed Qbot Style SSL Certificate"; flow:established,from_server; tls.cert_issuer; content:"C="; depth:2; content:",|20|ST="; distance:2; within:5; content:",|20|L="; distance:2; within:4; content:",|20|O="; within:20; content:",|20|CN="; within:50; pcre:"/^C=(?:M[ACDEGHKLMNOPQRSTUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|B[ABDEFGHIJMNORSTVWZ]|A[DEFGILMNOQRSTUWXZ]|S[ABCEGHIJKLMNRTUVZ]|C[ACFHIKLMNORSVXYZ]|T[CDFGHJKMNOPRTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRTUZ]|K[EGHIMNRWYZ]|L[ACIKSTUVY]|I[DELMNOST]|E[CEGHRST]|F[IJKMORX]|U[AGKMSYZ]|V[ACEGINU]|D[EJKMOZ]|H[KMNRTU]|R[EOSUW]|J[EMOP]|W[FS]|Y[ET]|Z[AM]|OM|QA),\sST=(?!(?:M[ADEINOST]|N[CDEHJMVY]|A[KLRZ]|I[ADLN]|W[AIVY]|C[AOT]|O[HKR]|[GLP]A|K[SY]|S[CD]|T[NX]|V[AT]|[HR]I|DE|FL|UT))[A-Z]{2},\sL=[A-Z][a-z]{2,15}(?:\s[A-Z][a-z]{2,10})?,\sO=[A-Z][a-z]{2,25}\s[A-Z][a-z]{2,25}(?:\s[A-Z][a-z]{2,25})?(?:\s[A-Z][a-z]{2,25})?(?:\s(?:Inc|LLC)\.)?,\sCN=[a-z]{4,11}\.[a-z]{2,4}$/"; classtype:trojan-activity; sid:2035530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Qbot, performance_impact Significant, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Tor Get Server Request"; flow:established,to_server; http.uri; content:"/tor/server/"; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008113; classtype:policy-violation; sid:2008113; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HabitsRAT Checkin"; flow:established,to_server; http.request_line; content:"POST /checkin"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.request_body; content:"goarch="; content:"goos="; content:"hostname="; content:"no_replay="; content:"public_key="; reference:url,www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers; reference:md5,2177fb8f49934333a201197d6f55378d; classtype:command-and-control; sid:2032791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family HabitsRAT, performance_impact Low, signature_severity Major, updated_at 2021_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004011; classtype:web-application-attack; sid:2004011; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Possible STEADYPULSE Webshell Accessed M1"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<form action=|22||22| method=|22|GET|22|>"; content:"<input type=|22|text|22| name=|22|cmd|22| "; distance:0; content:"<input type=|22|text|22| name=|22|serverid|22| "; distance:0; fast_pattern; content:"<input type=|22|submit|22| value=|22|Run|22|>"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-user; sid:2032801; rev:1; metadata:created_at 2021_04_21, former_category MALWARE, updated_at 2021_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/photosmash-galleries/index.php?"; nocase; content:"action="; nocase; pcre:"/action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/99089/photosmash-xss.txt; classtype:web-application-attack; sid:2012670; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_01;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Possible STEADYPULSE Webshell Accessed M2"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"|0d 0a|Results of|20 27|"; content:"'|27 20|execution|3a 0a 0a|"; distance:1; within:256; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-user; sid:2032800; rev:1; metadata:created_at 2021_04_21, former_category MALWARE, updated_at 2021_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:command-and-control; sid:2013210; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gimmegimmejimmy .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"gimmegimmejimmy.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032802; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:to_server,established; http.uri; content:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:2101009; rev:10; metadata:created_at 2010_09_23, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Request for uac.exe With Minimal Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uac.exe"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"|0d 0a|Host|0d 0a|"; depth:10; isdataat:!20,relative; bsize:<31; reference:md5,fd66c2729efe28d54dbbdca62490b936; classtype:trojan-activity; sid:2032794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; http.uri; content:"/servlet/JavascriptProbe"; nocase; content:"documentElement=true"; nocase; content:"regexp=true"; nocase; content:"frames=true"; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; classtype:web-application-attack; sid:2010622; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif CnC Domain (vorulenuke. us)"; dns.query; content:"vorulenuke.us"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/update/utu.dat"; reference:md5,6fd8cdee653c0fde769e6c48d65e28bd; classtype:command-and-control; sid:2013913; rev:5; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif CnC Domain (horulenuke .us)"; dns.query; content:"horulenuke.us"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032799; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 44 Caliber Stealer Data Exfil via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"multipart/form-data|3b 20|boundary=|22|"; startswith; http.request_body; content:"form-data|3b 20|name=content|0d 0a 0d 0a 5c|n|20 3a|spy|3a 20|NEW LOG FROM - "; fast_pattern; content:"|20 30|person_in_manual_wheelchair|3a 0d 0a 5c|n|20 3a|eye|3a 20|IP|3a 20|"; distance:0; content:"|5c|n|20 3a|desktop|3a 20|"; distance:0; reference:md5,5d8135dc3f85bee9dd93456a9445fa35; reference:url,twitter.com/nao_sec/status/1370702500798418946; classtype:command-and-control; sid:2032803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArtraDownloader Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http.request_body; content:"SNI="; content:"&UME="; fast_pattern; content:"&IVR="; content:"&st="; reference:md5,eec2828cb4a9032ab1177bb472f1977b; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan; classtype:command-and-control; sid:2027771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ArtraDownloader, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil via Discord M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:".lunar|22 3b 20|filename=|22|"; content:"|0d 0a 0d 0a|<UsernameSplit><UsernameSplit><TimeHackedSplit>"; reference:md5,11ca4e678716a5aa177bd8506f0e109f; classtype:command-and-control; sid:2032804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-08-23"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usuario="; fast_pattern; content:"&clave="; distance:0; classtype:credential-theft; sid:2027911; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|[dw0rd]_"; fast_pattern; content:"Information.txt"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,51e8f4abbb4ba18a39e302edad171b71; classtype:trojan-activity; sid:2032805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Secutech Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1="; fast_pattern; content:"&ds2="; distance:0; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027909; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (linda-callaghan .icu)"; dns.query; content:"linda-callaghan.icu"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AOX Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ReadAllTracks.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"{|22|contacts|22 3a|"; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/; classtype:trojan-activity; sid:2027920; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_27, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (mikkelbourke .pro)"; dns.query; content:"mikkelbourke.pro"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LYCEUM MSIL/DanBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?id="; http.header; content:"Accept-Enconding|3a 20|gzip,deflate"; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|&|29|"; reference:md5,9df776b9933fbf95e3d462e04729d074; classtype:command-and-control; sid:2027921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, malware_family DanBot, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (scorerabbate .site)"; dns.query; content:"scorerabbate.site"; nocase; bsize:17; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&get=Zaloguj"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029677; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (overingtonray .info)"; dns.query; content:"overingtonray.info"; nocase; bsize:18; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:".tar.gz"; nocase; classtype:bad-unknown; sid:2016992; rev:4; metadata:created_at 2013_06_08, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (marwapetersson .info)"; dns.query; content:"marwapetersson.info"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPhone Implant - Boundary Observed"; flow:established,to_server; http.header; content:"multipart/form-data|3b 20|charset=utf-8|3b|boundary=9ff7172192b7"; nocase; fast_pattern; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027931; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2019_08_30, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (belcherjacky .info)"; dns.query; content:"belcherjacky.info"; nocase; bsize:17; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPhone Implant - Upload Files"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload/info"; nocase; depth:12; http.request_body; content:"Content-disposition|3a 20|form-data|3b 20|name="; content:"--9ff7172192b7--"; distance:0; fast_pattern; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027932; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2019_08_30, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (gallant-william .icu)"; dns.query; content:"gallant-william.icu"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPhone Implant - Command Executed"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/list/suc?name="; nocase; depth:15; fast_pattern; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027933; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2019_08_30, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (ansonwhitmore .live)"; dns.query; content:"ansonwhitmore.live"; nocase; bsize:18; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Domen SocEng Redirect - Landing Page Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"=|20 5b 27|Mobile|27 5d 3b|"; content:"|2f 2f 20|All|20 7c 20|Mobile|20 7c 20|Desktop"; content:"|2f 2f 20|1|20|-|20|Browser|20|Update|20 7c 20|2|20|-|20|Font"; fast_pattern; content:"var|20|_0x"; distance:0; classtype:social-engineering; sid:2027935; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, malware_family SocEng, malware_family Domen, performance_impact Low, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (irenewansley .icu)"; dns.query; content:"irenewansley.icu"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (bridges.torproject .org in DNS lookup)"; dns.query; content:"bridges.torproject.org"; depth:22; nocase; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:external-ip-check; sid:2017925; rev:6; metadata:created_at 2014_01_04, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (norayowell .info)"; dns.query; content:"norayowell.info"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.noc.su domain"; dns.query; content:".noc.su"; fast_pattern; classtype:bad-unknown; sid:2012901; rev:5; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to MoserPass Download Domain (passwordstate-18ed2 .kxcdn .com)"; dns.query; content:"passwordstate-18ed2.kxcdn.com"; bsize:29; fast_pattern; reference:url,www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain; classtype:domain-c2; sid:2032806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad)"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; classtype:policy-violation; sid:2013016; rev:5; metadata:created_at 2011_06_13, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"D5wdnvX3A="; startswith; content:"&WgJEo7TIB=c2xsZ3JhdA&"; distance:0; fast_pattern; reference:md5,bbe4dddc09dcef160db0fd4c24c4f052; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:command-and-control; sid:2032821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TR/Spy.Gen checkin via dns ANY query"; dns.query; content:"ianxz6zefk72ulzz.onion"; depth:22; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:md5,2519bdb5459bc9f59f59cd7ccb147d23; classtype:command-and-control; sid:2013516; rev:4; metadata:created_at 2011_09_02, former_category MALWARE, updated_at 2020_09_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/MosaiqueRAT CnC Checkin"; flow:established,to_server; dsize:<400; content:"|e1 00 00 00|"; startswith; content:"|00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00|Client|20|"; isdataat:!4,relative; reference:url,github.com/thdal/MosaiqueRAT; classtype:trojan-activity; sid:2032807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Query to a *.opengw.net Open VPN Relay Domain"; dns.query; content:".opengw.net"; nocase; fast_pattern; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:8; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.uri; content:"/logo.html"; bsize:10; http.cookie; content:"wordpress_logged_in="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,6517eadd2e4fb8fdf1f64a601e5a2b59; reference:url,twitter.com/MichalKoczwara/status/1385679642791665668; classtype:trojan-activity; sid:2032824; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain rusview.net"; dns.query; content:"rusview.net"; depth:11; nocase; fast_pattern; classtype:trojan-activity; sid:2016601; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Screenshot Upload M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|jpxnk|22 3b 20|filename="; fast_pattern; content:"|22 0d 0a|Content-Type|3a 20|utf-8|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF"; within:40; http.header_names; content:!"Referer"; reference:md5,7833c0f413c1611f7281ac303bcef4b3; classtype:command-and-control; sid:2032822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sykipot Domain insdet.com"; dns.query; content:"insdet.com"; depth:10; nocase; fast_pattern; classtype:trojan-activity; sid:2016607; rev:4; metadata:created_at 2013_03_20, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Screenshot Upload M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|vcqmxylcv|22|"; fast_pattern; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF"; distance:0; within:40; reference:md5,7833c0f413c1611f7281ac303bcef4b3; classtype:command-and-control; sid:2032823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall .onion Proxy DNS lookup"; dns.query; content:"kpai7ycr7jxqkilp"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2018609; rev:4; metadata:created_at 2014_06_27, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (birdmilk .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"birdmilk.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2032825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY tor4u tor2web .onion Proxy DNS  lookup"; dns.query; content:"tor4u.net"; depth:9; nocase; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018875; rev:4; metadata:created_at 2014_08_01, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (footballstar .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"footballstar.top"; bsize:16; fast_pattern; classtype:domain-c2; sid:2032826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain qfsl.net"; dns.query; content:"qfsl.net"; depth:8; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013480; rev:5; metadata:created_at 2011_08_29, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stockme .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"stockme.top"; bsize:11; fast_pattern; classtype:domain-c2; sid:2032827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jaifr.com"; dns.query; content:"jaifr.com"; depth:9; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013481; rev:5; metadata:created_at 2011_08_29, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PHP Skimmer CnC Domain in DNS Lookup (secure-authorize .net)"; dns.query; content:"secure-authorize.net"; nocase; bsize:20; reference:url,lukeleal.com/research/posts/secure-authorize-dot-net-skimmer/; classtype:domain-c2; sid:2032828; rev:1; metadata:affected_product Web_Server_Applications, affected_product Magento, attack_target Web_Server, created_at 2021_04_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jaifr.net"; dns.query; content:"jifr.net"; depth:8; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013482; rev:6; metadata:created_at 2011_08_29, updated_at 2020_09_01;)
+alert http [$HTTP_SERVERS,$HOME_NET] any -> $EXTERNAL_NET any (msg:"ET MALWARE PHP Skimmer Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".dll"; endswith; http.content_type; content:"text/plain"; bsize:10; http.request_body; content:"|22|cc_type|22|"; content:"|22|cc_number|22|"; fast_pattern; content:"|22|ip|22|"; content:"|22|cc_cid|22|"; content:"|22|site|22|"; reference:url,lukeleal.com/research/posts/secure-authorize-dot-net-skimmer/; classtype:command-and-control; sid:2032829; rev:2; metadata:affected_product Web_Server_Applications, affected_product Magento, attack_target Web_Server, created_at 2021_04_26, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Morto RDP worm related domain jifr.info"; dns.query; content:"jifr.info"; depth:9; fast_pattern; reference:url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html; classtype:bad-unknown; sid:2013495; rev:5; metadata:created_at 2011_08_30, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SharpNoPSExec EXE Lateral Movement Tool Downloaded"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"S|00|h|00|a|00|r|00|p|00|N|00|o|00|P|00|S|00|E|00|x|00|e|00|c|00 2e 00|e|00|x|00|e"; distance:0; fast_pattern; content:"Z|00|Q|00|B|00|j|00|A|00|G|00|g|00|A|00|b|00|w|00|A|00|g|00|A|00|E|00|c|00|A|00|b|00|w|00|B|00|k|00|A|00|C|00|A|00|A|00|Q|00|g|00|B|00|s|00|A|00|G|00|U|00|A|00|c|00|w|00|B|00|z|00|A|00|C|00|A|00|A|00|W|00|Q|00|B|00|v|00|A|00|H|00|U|00|A|00|I|00|Q|00|A|00 3d|"; distance:0; reference:url,github.com/juliourena/SharpNoPSExec/; classtype:trojan-activity; sid:2032875; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for try2check.me Carder Tool"; dns.query; content:"try2check.me"; depth:12; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:6; metadata:created_at 2012_02_24, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (blogsolutions .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogsolutions.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a *.slyip.net Dynamic DNS Domain"; dns.query; content:".try2check.me"; fast_pattern; nocase; classtype:bad-unknown; sid:2014508; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lunar Builder Domain (lunarbuilder .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lunarbuilder.000webhostapp.com"; bsize:30; fast_pattern; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:domain-c2; sid:2032877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup"; dns.query; content:"server4love.ru"; depth:14; nocase; fast_pattern; reference:md5,8d2e901583b60631dc333d4b396e158b; classtype:trojan-activity; sid:2019396; rev:5; metadata:created_at 2014_10_14, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|account|22 3b 20|filename=|22|"; content:".lunar|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|<UsernameSplit>"; distance:0; fast_pattern; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:command-and-control; sid:2032878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely CryptoWall 2.0 .onion Proxy domain lookup"; dns.query; content:"paytordmbdekmizq"; depth:16; fast_pattern; nocase; reference:url,malware-traffic-analysis.net/2014/11/14/index.html; classtype:trojan-activity; sid:2019736; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Koubbeh Sending Windows System Info"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/api/ping//?"; startswith; fast_pattern; http.user_agent; content:"|3b| WinHttp.WinHttpRequest.5|29|"; reference:md5,3883ea48ee84f9b084e0920bc185bc39; classtype:trojan-activity; sid:2032882; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for Known OphionLocker Domain"; dns.query; content:"smu743glzfrxsqcl"; depth:16; fast_pattern; nocase; reference:url,f-secure.com/weblog/archives/00002777.html; reference:md5,e17da8702b71dfb0ee94dbc9e22eed8d; classtype:trojan-activity; sid:2019934; rev:4; metadata:created_at 2014_12_13, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<UsernameSplit>"; nocase; fast_pattern; content:"<TimeHackedSplit>"; nocase; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:command-and-control; sid:2032879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker .onion Proxy Domain"; dns.query; content:"ymleyd4xs3it55m7"; depth:16; fast_pattern; nocase; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019984; rev:5; metadata:created_at 2014_12_20, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.SpyEyes.bllw CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; distance:0; content:".zip|22 0d 0a|"; distance:0; within:50; content:"passwords.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c818013b12aedef81965f4dd98634ea8; classtype:trojan-activity; sid:2035017; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spy.Obator .onion Proxy Domain"; dns.query; content:"t2upiokua37wq2cx"; depth:16; nocase; fast_pattern; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3671; classtype:trojan-activity; sid:2020168; rev:4; metadata:created_at 2015_01_13, updated_at 2020_09_01;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (plugin)"; flow:established,from_server; content:"plugin|7c 7c|"; depth:8; fast_pattern; content:"|7c 7c|"; within:100; isdataat:1000,relative; app-layer-protocol:!http; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029699; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptowall 3.0 .onion Proxy Domain"; dns.query; content:"paytoc4gtpn5czl2"; depth:16; nocase; fast_pattern; reference:url,malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html; classtype:trojan-activity; sid:2020182; rev:4; metadata:created_at 2015_01_15, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magelib.com"; bsize:11; nocase; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_04_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"3fdzgtam4qk625n6"; depth:16; nocase; fast_pattern; reference:md5,adb0de790bd3fb88490a60f0dddd90fa; classtype:trojan-activity; sid:2020358; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA471 Malicious AutoIT File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upld/"; startswith; http.content_type; content:"multipart/form-data|3b| boundary=----WebKitFormBoundary"; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|"; depth:14; content:!"Accept-Enc"; reference:md5,75d6f57cfba0ebc3633a49a8412a43e5; reference:md5,304d1ac0296fedec694a097480b341d9; classtype:trojan-activity; sid:2032886; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"rmxlqabmvfnw4wp4"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020359; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"jssestaew3e7ao3q"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020360; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Critroni Variant .onion Proxy Domain"; dns.query; content:"fizxfsi3cad3kn7v"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020361; rev:4; metadata:created_at 2015_02_04, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SupremeLogger CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"machineID="; startswith; nocase; content:"&guid={"; content:"&ver="; content:"&os=Windows"; nocase; content:"&platform="; content:"&username="; content:"&display_resolution="; content:"processor="; content:"&cpu_count="; fast_pattern; content:"&install_path="; http.header_names; content:!"Referer"; reference:md5,0f1ab52a8d9c2d23412e0badc4515cb3; classtype:trojan-activity; sid:2032885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Middle Earth Illegal Marketplace Tor Hidden Service DNS Query"; dns.query; content:"mango7u3rivtwxy7"; depth:16; nocase; fast_pattern; classtype:policy-violation; sid:2020417; rev:4; metadata:created_at 2015_02_12, updated_at 2020_09_01;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDropper.Agent.RLO CnC Acitivty"; flow:established,to_server; dsize:576; content:"|5f 53 40 59 32 32 32 32 32 32 32 32 32 32|"; offset:298; depth:14; fast_pattern; content:"|65 5b 5c|"; offset:564; depth:3; reference:md5,a6d36df7ee6cb5407853aeacfd818ac9; classtype:command-and-control; sid:2032887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor Variant .onion Proxy Domain"; dns.query; content:"ukzo73z4inzpenmq"; depth:16; nocase; fast_pattern; reference:md5,53752a41ed21172343f678423d6c9a44; classtype:trojan-activity; sid:2020458; rev:4; metadata:created_at 2015_02_17, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious lnk Activity"; flow:established,to_client; file.data; content:"ExpandEnvironmentStrings|28 22 25|Temp|25 5c|MaGiaiNenNe.txt|22 29|"; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1387602989033017346; reference:md5,57f02fe8fa9d096e5ac9b6c9be66f05b; classtype:trojan-activity; sid:2032891; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (3v6e2oe5y5ruimpe)"; dns.query; content:"3v6e2oe5y5ruimpe"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2020615; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (realonlinetrend .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"realonlinetrend.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy Domain"; dns.query; content:"mmc65z4xsgbcbazl"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020684; rev:5; metadata:created_at 2015_03_12, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PurpleFox EK Landing Page Domain in SNI"; flow:to_server,established; tls.sni; content:"lingering-math-ec29.7axrg.workers.dev"; endswith; classtype:exploit-kit; sid:2032889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2021_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (iezqmd4s2fflmh7n)"; dns.query; content:"iezqmd4s2fflmh7n"; depth:16; fast_pattern; nocase; reference:md5,1d578c11069c7446ca6d05ff7623a972; classtype:trojan-activity; sid:2020740; rev:4; metadata:created_at 2015_03_25, updated_at 2020_09_01;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/XRat.AT Variant CnC Activity"; flow:established,to_server; content:"0|7c|SS Client ID|7c|"; startswith; fast_pattern; content:"Windows"; distance:0; reference:md5,35b93cc523e0ac8c9bb922a236416d6f; classtype:command-and-control; sid:2032888; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vawtrak/NeverQuest .onion Proxy Domain (llgerw4plyyff446)"; dns.query; content:"llgerw4plyyff446"; depth:16; nocase; fast_pattern; reference:url,now.avg.com/banking-trojan-vawtrak-harvesting-passwords-worldwide/; classtype:trojan-activity; sid:2020762; rev:4; metadata:created_at 2015_03_27, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (baroquetees .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"baroquetees.com"; bsize:15; fast_pattern; reference:url,twitter.com/Bank_Security/status/1387787132249518087; reference:md5,54f99323245d439893539eb6c7cd0239; classtype:domain-c2; sid:2032894; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family DarkSide, signature_severity Major, tag Ransomware, updated_at 2021_04_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Filecoder Ransomware Variant .onion Proxy Domain (tkj3higtqlvohs7z)"; dns.query; content:"tkj3higtqlvohs7z"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020942; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, malware_family Filecoder, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer - DomainInfo User-Agent"; flow:established,to_server; http.user_agent; content:"|6e 71 71 66 34 3a 33 35 25 2d 46 75 75 71 6a 32 6e 55 6d 74 73 6a 3c 48 37 34 36 37 35 37 33 39 3b 3b 40 25 5a 40 25 48 55 5a 25 71 6e 70 6a 25 52 66 68 25 54 58 25 5d 40 25 6a 73 2e 25 46 75 75 71 6a 5c 6a 67 50 6e 79 34 39 37 35 30 25 2d 50 4d 59 52 51 31 25 71 6e 70 6a 25 4c 6a 68 70 74 2e 25 5b 6a 77 78 6e 74 73 34 38 33 35 25 52 74 67 6e 71 6a 34 36 46 3a 39 38 25 58 66 6b 66 77 6e 34 39 36 3e 33 38|"; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:trojan-activity; sid:2032892; rev:1; metadata:created_at 2021_04_30, former_category MALWARE, malware_family Buer, updated_at 2021_04_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chanitor .onion Proxy Domain (l7gbml27czk3kvr5)"; dns.query; content:"l7gbml27czk3kvr5"; depth:16; fast_pattern; nocase; reference:md5,83c0b99427c026aad36b0d8204377702; classtype:trojan-activity; sid:2020739; rev:5; metadata:created_at 2015_03_25, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/DarkNexus User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|checker/v"; fast_pattern; http.user_agent; content:"checker/v"; startswith; content:"/p"; distance:0; http.header_names; content:!"Referer"; reference:md5,81150784e5cef98bf6e56638da5fe5f3; classtype:trojan-activity; sid:2032895; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoLocker .onion Proxy Domain (zoqowm4kzz4cvvvl)"; dns.query; content:"zoqowm4kzz4cvvvl"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020958; rev:4; metadata:created_at 2015_04_21, updated_at 2020_09_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected PULSECHECK Webshell Access Inbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|x_cmd|3a 20|"; nocase; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; http.header_names; content:"|0d 0a|x_key|0d 0a|"; nocase; content:"|0d 0a|x_cnt|0d 0a|"; nocase; content:"|0d 0a|x_cmd|0d 0a|"; nocase; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-admin; sid:2032786; rev:3; metadata:attack_target Server, created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall .onion Proxy Domain (7oqnsnzwwnm6zb7y)"; dns.query; content:"7oqnsnzwwnm6zb7y"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2020959; rev:4; metadata:created_at 2015_04_21, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [FIREEYE] PULSECHECK Webshell Access Outbound"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|X-CMD|0d 0a|"; nocase; content:"|0d 0a|X-CNT|0d 0a|"; nocase; content:"|0d 0a|X-KEY|0d 0a|"; nocase; content:!"|0d 0a|Referer|0d 0a|"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032907; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy/NionSpy .onion Proxy Domain (z3mm6cupmtw5b2xx)"; dns.query; content:"z3mm6cupmtw5b2xx"; depth:16; nocase; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/taking-a-close-look-at-data-stealing-nionspy-file-infector; classtype:trojan-activity; sid:2021019; rev:4; metadata:created_at 2015_04_28, updated_at 2020_09_01;)
+#alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M1"; flow:established,to_server; flowbits:isnotset,ET.slightpulse; flowbits:noalert; flowbits:set,ET.slightpulseM1; http.method; content:"POST"; http.request_body; content:"cert="; startswith; fast_pattern; content:"&md5="; distance:16; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032908; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (iq3ahijcfeont3xx)"; dns.query; content:"iq3ahijcfeont3xx"; depth:16; fast_pattern; nocase; reference:md5,c3e567e9f45d0b4c1396f3d646598204; classtype:trojan-activity; sid:2021084; rev:4; metadata:created_at 2015_05_09, updated_at 2020_09_01;)
+#alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M2"; flow:established,to_server; flowbits:isnotset,ET.slightpulse; flowbits:noalert; flowbits:set,ET.slightpulseM1; http.method; content:"POST"; http.request_body; content:"md5="; startswith; content:"&cert="; fast_pattern; distance:16; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032909; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to TOX Ransomware onion (toxicola7qwv37qj)"; dns.query; content:"toxicola7qwv37qj"; depth:16; fast_pattern; nocase; reference:url,blogs.mcafee.com/mcafee-labs/meet-tox-ransomware-for-the-rest-of-us; classtype:trojan-activity; sid:2021204; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2"; flow:established,to_client; flowbits:isset,ET.slightpulseM2; http.stat_code; content:"200"; http.content_type; content:"application/x-download"; bsize:22; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename=tmp|0d 0a|"; fast_pattern; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032912; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Ascrirac .onion proxy Domain (5sse6j4kdaeh3yus)"; dns.query; content:"5sse6j4kdaeh3yus"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2021317; rev:4; metadata:created_at 2015_06_22, updated_at 2020_09_01;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M3"; flow:established,to_client; flowbits:isset,ET.slightpulseM2; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.content_type; content:"image/gif"; bsize:9; fast_pattern; file.data; content:!"<br>"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032913; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"decryptoraveidf7"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021545; rev:4; metadata:created_at 2015_07_28, updated_at 2020_09_01;)
+#alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1"; flow:established,to_client; flowbits:isset,ET.slightpulseM1; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:"|0d 0a|Content-Type|0d 0a 0d 0a|"; endswith; fast_pattern; file.data; content:!"<br>"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032914; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EncryptorRaas .onion Proxy Domain"; dns.query; content:"encryptor3awk6px"; depth:16; nocase; fast_pattern; reference:md5,d87ba0bfce1cdb17fd243b8b1d247e88; classtype:trojan-activity; sid:2021547; rev:4; metadata:created_at 2015_07_29, updated_at 2020_09_01;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected HARDPULSE Request"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/dana-na/auth/recover.cgi?token="; startswith; fast_pattern; http.request_body; content:"checkcode"; content:"hashid"; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032915; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup messagewild"; dns.query; content:"messagewild.com"; depth:15; nocase; fast_pattern; classtype:trojan-activity; sid:2021642; rev:4; metadata:created_at 2015_08_18, updated_at 2020_09_01;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M1"; flow:established,to_server; flowbits:isnotset,ET.slightpulseM2; flowbits:noalert; flowbits:set,ET.slightpulseM2; http.method; content:"POST"; http.request_body; content:"img="; startswith; fast_pattern; content:"&name="; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032910; rev:3; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain (kb63vhjuk3wh4ex7)"; dns.query; content:"kb63vhjuk3wh4ex7"; depth:16; nocase; fast_pattern; reference:md5,a9f29924410a14dea1eef8d75fed3b39; reference:url,www.malware-traffic-analysis.net/2015/08/24/index2.html; classtype:trojan-activity; sid:2021711; rev:4; metadata:created_at 2015_08_25, updated_at 2020_09_01;)
+alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M2"; flow:established,to_server; flowbits:isnotset,ET.slightpulseM2; flowbits:noalert; flowbits:set,ET.slightpulseM2; http.method; content:"POST"; http.request_body; content:"name="; startswith; fast_pattern; content:"&img="; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032911; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AlphaCrypt .onion Proxy Domain (djdkduep62kz4nzx)"; dns.query; content:"djdkduep62kz4nzx"; depth:16; fast_pattern; nocase; reference:md5,1dd542bf3c1781df9a335f74eacc82a4; reference:url,malwr.com/analysis/YjllZWEzNmQ0MDA4NGNhNGIxYzIzNjU3YjczOTYxZjg/; classtype:trojan-activity; sid:2021363; rev:5; metadata:created_at 2015_06_29, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"download.riseknite.life"; bsize:23; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032920; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Proxy Domain"; dns.query; content:"7vhbukzxypxh3xfy"; depth:16; nocase; fast_pattern; classtype:trojan-activity; sid:2021850; rev:4; metadata:created_at 2015_09_30, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"onedrive-upload.ikpoo.cf"; bsize:24; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032921; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (4nauizsaaopuj3qj)"; dns.query; content:"4nauizsaaopuj3qj"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022398; rev:4; metadata:created_at 2016_01_22, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"alps.travelmountain.ml"; bsize:22; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032922; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(yez2o5lwqkmlv5lc)"; dns.query; content:"yez2o5lwqkmlv5lc"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022490; rev:4; metadata:created_at 2016_02_04, updated_at 2020_09_01;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Exep Command Issued"; dsize:>787; itype:8; content:"exep"; depth:4; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032934; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(fwgrhsao3aoml7ej)"; dns.query; content:"fwgrhsao3aoml7ej"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022501; rev:4; metadata:created_at 2016_02_10, updated_at 2020_09_01;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Shell Command Issued"; dsize:>787; itype:8; content:"shell"; depth:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032916; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Payment DNS Lookup"; dns.query; content:"javajvlsworf3574"; depth:16; nocase; fast_pattern; reference:md5,ff50a331feec575b505976cb0506ebfd; classtype:trojan-activity; sid:2022507; rev:4; metadata:created_at 2016_02_12, updated_at 2020_09_01;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Download Command Issued"; dsize:>787; itype:8; content:"download"; depth:8; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032917; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"twbers4hmi6dx65f"; depth:16; fast_pattern; nocase; reference:url,www.hybrid-analysis.com/sample/02b21d4a90a2a50506711a9c120b1e51f77084eba25688f7db2b9571037465dc?environmentId=1; classtype:trojan-activity; sid:2022560; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Upload Command Issued"; dsize:>787; itype:8; content:"upload"; depth:6; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032918; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"i3ezlvkoi7fwyood"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022589; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Exec Command Issued"; dsize:>787; itype:8; content:"exec"; depth:4; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032919; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain"; dns.query; content:"lpholfnvwbukqwye"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022590; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback OK Issued"; dsize:>787; itype:8; content:"OK"; depth:2; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032935; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 1"; dns.query; content:"lclebb6kvohlkcml"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022598; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE lolzilla JS/PHP WebSkimmer - Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_hash|22 0d 0a 0d 0a|eydyZWZlcmVyJzo"; fast_pattern; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; classtype:command-and-control; sid:2032927; rev:1; metadata:affected_product Magento, attack_target Client_and_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 2"; dns.query; content:"bmacyzmea723xyaz"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022599; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE zgRAT Activity"; flow:established,to_server; flowbits:isset,ET.zgRAT; content:"|01 00 00 00 1f 8b 08 00 00 00 00 00 04 00 33 04 00 b7 ef dc 83 01 00 00 00|"; dsize:25; reference:md5,b18a7e266eee1977ef3a145369589d5c; classtype:command-and-control; sid:2033108; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 3"; dns.query; content:"nejdtkok7oz5kjoc"; depth:16; nocase; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer; classtype:command-and-control; sid:2022600; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number1g .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"number1g.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2032933; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/KeRanger Ransomware CnC DNS Request 4"; dns.query; content:"fiwf4kwysm4dpw5l"; depth:16; fast_pattern; nocase; reference:url,researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/; classtype:command-and-control; sid:2022601; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected SombRAT DNS Activity (TXT)"; pcre:"/\x1c(?:[a-z0-9]{28})[^\r\n]+(?:\x03(?:net|com)|\x02in)/"; content:"|00 10 00 01|"; fast_pattern; endswith; threshold:type both, track by_src,count 10, seconds 300; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-126a; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; reference:md5,05e133f34e44d75e596811bffba24156; classtype:trojan-activity; sid:2032942; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(k7tlx3ghr3m4n2tu)"; dns.query; content:"k7tlx3ghr3m4n2tu"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022614; rev:4; metadata:created_at 2016_03_15, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (UNC2447)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-includes/po.php"; endswith; fast_pattern; http.cookie; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; classtype:trojan-activity; sid:2032943; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_05_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky Payment)"; dns.query; content:"32kl2rwsjvqjeui7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022660; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (catsdegree .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"catsdegree.com"; bsize:14; fast_pattern; reference:md5,f00aded4c16c0e8c3b5adfc23d19c609; classtype:domain-c2; sid:2032939; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TeslaCrypt Payment)"; dns.query; content:"kkd47eh4hdjshb5t"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022661; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (temisleyes .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"temisleyes.com"; bsize:14; fast_pattern; reference:md5,f00aded4c16c0e8c3b5adfc23d19c609; classtype:domain-c2; sid:2032940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"rzss2zfue73dfvmj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (UNC2447)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htm"; endswith; http.user_agent; content:"|20 28|compatible|3b 20|"; content:"|3b 20|.NET4.0E|20 29|"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; classtype:trojan-activity; sid:2032944; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_05_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"vrvis6ndra5jeggj"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022664; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (rumahsia .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"rumahsia.com"; bsize:12; fast_pattern; reference:md5,979692cd7fc638beea6e9d68c752f360; classtype:domain-c2; sid:2032941; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky Possible Payment Page"; dns.query; content:"25z5g623wpqpdwis"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022680; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.CoinMiner Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; http.header; content:"User-Agent|3a 20|Win|3a|"; http.user_agent; content:"Win|3a|"; startswith; content:"|20 7c 20|CPU|3a 20|"; fast_pattern; content:"|20 7c 20|Cores|3a 20|"; content:"|20 7c 20|GPU|3a 20|"; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Accept"; content:!"Connection"; reference:md5,403913dda79d0b739a8046022d2e3b37; classtype:trojan-activity; sid:2032937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"stgg5jv6mqiibmax"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022728; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed (MASB UA)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0|20|(compatible|3b 20|MSIE 9.0|3b 20|Windows NT|20|6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|MASB)"; bsize:76; fast_pattern; http.cookie; pcre:"/^[a-zA-Z0-9/+]{171}=$/"; http.header_names; content:!"Referer"; reference:md5,8079676dd62582da4d2e9d2448c1142d; classtype:command-and-control; sid:2032945; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"ahsqbeospcdrngfv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022761; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tnega Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/hit.php?a=|25|"; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f019d3031c3aaf45dbd3630a33ab0991; classtype:trojan-activity; sid:2032949; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_05_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"rrcspgfghsjnklts"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022777; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Ares Loader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/panel/upload/"; startswith; content:".cmp"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:25; reference:md5,b3cdb7135bf99a921376870898b22155; reference:url,www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan; classtype:trojan-activity; sid:2032950; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky Domain"; dns.query; content:"ycvcjbhgkmsiyhdd"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022778; rev:4; metadata:created_at 2016_05_03, updated_at 2020_09_01;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com"; bsize:74; fast_pattern; tls.cert_issuer; content:"C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com"; bsize:74; reference:md5,b210c0f7687a9199de870e0cc11996c1; classtype:domain-c2; sid:2032952; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"bddadevlpkwrrmud"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022870; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (security-desk .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"security-desk.com"; bsize:17; fast_pattern; reference:md5,efb5212c17a7cd05e087ef7a5655b4aa; classtype:domain-c2; sid:2032955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (mphtadhci5mrdlju)"; dns.query; content:"mphtadhci5mrdlju"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2022917; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fam_newspaper"; startswith; http.accept; content:"image/*"; bsize:7; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 8.0.0|3b 20|SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202"; bsize:112; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,efb5212c17a7cd05e087ef7a5655b4aa; classtype:command-and-control; sid:2032956; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"kvyatmujksksbcgx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remove"; startswith; fast_pattern; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 7.0|3b 20|Pixel C Build/NRD90M|3b 20|wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"; bsize:109; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,bf8061539abbe6664924e37489a3751c; classtype:command-and-control; sid:2032957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"mz7oyb3v32vshcvk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win32|3b 20|x32|3b 20|rv|3a|87.0b4) Gecko/201001 Firefox/87.0|0d 0a|"; reference:md5,9f2fe567dfe655efe8da577990aac077; classtype:trojan-activity; sid:2032951; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2021_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"xhrnfffaixawpuob"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023002; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|DNT|3a 20|1|0d 0a|"; http.cookie; content:"OSID="; startswith; pcre:"/^OSID=[a-zA-Z0-9\/+]{171}=$/"; reference:md5,b210c0f7687a9199de870e0cc11996c1; classtype:command-and-control; sid:2032953; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"zjfq4lnfbs7pncr5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remote Desktop Spy Install Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"tn=remote-desktop-spy"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,4b25cfe19ea5e3778de80058fc99e531; classtype:command-and-control; sid:2032961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware Locky .onion Payment Domain (5n7y4yihirccftc5)"; dns.query; content:"5n7y4yihirccftc5"; depth:16; fast_pattern; nocase; reference:md5,d7cb55e90dee7777fe7b77b079d51513; classtype:trojan-activity; sid:2023084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VenusLocker Associated User-Agent Activity"; flow:established,to_server; http.user_agent; content:"gooGgleee"; bsize:9; fast_pattern; reference:md5,9aa3cc9d7c641ea22cfa3e5233e13c94; classtype:trojan-activity; sid:2032967; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family VenusLocker, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fpashgkepwtoqdjg"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023178; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VenusLocker Activity"; flow:established,to_server; http.uri; content:"/dumbdumb?"; startswith; fast_pattern; pcre:"/\=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"text/*"; bsize:6; http.header_names; content:!"Referer"; content:!"Connect"; reference:md5,9aa3cc9d7c641ea22cfa3e5233e13c94; classtype:trojan-activity; sid:2032968; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family VenusLocker, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"vrympoqs5ra34nfo"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (zolo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"zolo.pw"; bsize:7; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/; classtype:trojan-activity; sid:2032969; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"fqoapcjolfwwenqx"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023261; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Locky, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (pathc .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"pathc.space"; bsize:11; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/; classtype:trojan-activity; sid:2032970; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH TorrenLocker Payment Domain Detected"; dns.query; content:"4w5wihkwyhsav2ha"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023327; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (dimentos .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dimentos.com"; bsize:12; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; reference:md5,4ffbffbde361609d7f2ea1c410d8272e; classtype:domain-c2; sid:2032963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky Payment Domain Detected"; dns.query; content:"jhomitevd2abj3fk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023329; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (btn_bg)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/btn_bg"; http.request_body; content:"paper="; startswith; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:command-and-control; sid:2032964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ffoqr3ug7m726zou"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023425; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)"; flow:established,to_server; http.cookie; content:"__session__id="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:command-and-control; sid:2032965; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"lfdachijzuwx4bc4"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023426; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (bg)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bg"; bsize:3; http.cookie; content:"SSID="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032966; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ojmekzw4mujvqeju"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Collector/2.0/settings/"; startswith; fast_pattern; content:"events="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xrhwryizf5mui7a5"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023428; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M2"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Authentication|3a 20|skypetoken=eyJhbGciOi"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"avsxrcoq2q5fgrw2"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023579; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CL, L=Santiago, O=Tigomemo Uteendtu GP, OU=Touintsanc Ft4an, CN=cess3wessr.mq"; bsize:79; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032992; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"fnmi62725zfti2vy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=LC, L=Castries, O=Isesem Cooperative, OU=Tinarthar and tha6mate narobiaof and t5he, CN=Udngt5rlura.my"; bsize:103; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"ftoxmpdipwobp4qy"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023581; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecryptmyFiles Ransomware CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"decryptmyfiles.top"; bsize:18; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:command-and-control; sid:2032994; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"pe2cku7pebkpgeko"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023582; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DecryptmyFiles Ransomware User-Agent (uniquesession)"; flow:established,to_server; http.user_agent; content:"uniquesession"; bsize:13; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:trojan-activity; sid:2032995; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"p27dokhpz2n7nvgr"; depth:16; nocase; fast_pattern; reference:md5,c2f7595a1c394f1dac2e418815c54fd2; classtype:trojan-activity; sid:2023690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware_Cerber, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RiskWare.YouXun.AD CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sc="; content:!"&"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"; bsize:101; fast_pattern; reference:md5,2292c6acb1e5f139900b9d1942b14b08; classtype:command-and-control; sid:2032977; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"qcwbrevxrotoepsp"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2023705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Ymacco.AA36 User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|deus vult|0d 0a|"; reference:md5,bde62aedd46fcbf7520a22e7375b6254; classtype:trojan-activity; sid:2032972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker Payment)"; dns.query; content:"ztuw5bvuuapzdfya"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2023706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Bizarro Banker Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|MSIE 6.0|3b 20|Windows|20|NT|20|5.0"; bsize:48; fast_pattern; reference:url,securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/; classtype:trojan-activity; sid:2032998; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"xqraoaoaph4d545r"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024118; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns any any -> any any (msg:"ET MALWARE Suspected Sliver DNS CnC"; content:"|00 10 00 01|"; isdataat:!1,relative; dns.query; content:"_"; startswith; pcre:"/^[a-z0-9_]{6}[^a-z0-9_]/R"; content:"_domainkey"; distance:8; fast_pattern; reference:url,github.com/BishopFox/sliver; classtype:trojan-activity; sid:2032936; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, malware_family Sliver, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"underdj5ziov3ic7"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024119; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Discord Token Grabber"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"**Account Info**"; fast_pattern; content:"**Token**"; distance:0; content:"NightfallGT"; distance:0; reference:md5,0adc114f1b8ed3336d73d4d0521c39f5; reference:url,github.com/NightfallGT/Token-Grabber-Builder/; classtype:command-and-control; sid:2032999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:"x5sbb5gesp6kzwsh"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; reference:md5,f09e72e3c1c36192b22e15b59a13ee1c; reference:url,blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html; classtype:command-and-control; sid:2023998; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family Torrentlocker, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Discord Nitro Ransomware"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"**Program executed**"; fast_pattern; content:"Status|3a 20|Active|20|"; distance:0; content:"PC|20|Name|3a 20|"; distance:0; content:"IP|20|Address|3a 20|"; distance:0; reference:md5,0adc114f1b8ed3336d73d4d0521c39f5; reference:url,github.com/NightfallGT/Nitro-Ransomware; classtype:command-and-control; sid:2033000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"jpre3ta3x2csggd4"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024189; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Silver Implant Domain (raspoly .biz in TLS SNI)"; flow:established,to_server; tls.sni; content:"raspoly.biz"; bsize:11; fast_pattern; reference:md5,13816c3ba10d4a3ca4b4c97f248a985f; classtype:domain-c2; sid:2032996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, signature_severity Major, updated_at 2021_05_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"cmzr4dz3begkpwa2"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024190; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Silver Implant)"; flow:established,to_client; tls.cert_subject; content:"CN=raspoly.biz"; bsize:14; fast_pattern; reference:md5,13816c3ba10d4a3ca4b4c97f248a985f; classtype:domain-c2; sid:2032997; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"hjhqmbxyinislkkt"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024104; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M2"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 41|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"z2luqg4xu5r6zm6o"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024263; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M1"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 40|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"zyuc6ucewfwgnhvg"; depth:16; fast_pattern; nocase; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024264; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; startswith; content:".min.js"; endswith; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Referer|3a 20|"; startswith; fast_pattern; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,4547d3404ceb0436585e11f317eadb7c; classtype:command-and-control; sid:2033008; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zbot .onion Proxy DNS lookup July 31 2014"; dns.query; content:"zxjfcvfvhqfqsrpz"; depth:16; fast_pattern; nocase; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018893; rev:5; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response"; flow:established,to_client; file.data; content:"/*!|20|jQuery|20|v"; startswith; content:"if|28|e|5b|n|5d 3d 3d 3d|t|29|return n|3b|return|2d|1|7d 2c|P|3d 22|"; fast_pattern; distance:0; content:!"checked"; within:7; reference:md5,09773b90da8f3688faf54750b6a5ecf5; classtype:command-and-control; sid:2033009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE UIWIX Ransomware .onion Payment Domain (4ujngbdqqm6t2c53)"; dns.query; content:"4ujngbdqqm6t2c53"; depth:16; fast_pattern; nocase; classtype:trojan-activity; sid:2024323; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family UIWIX, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Kimsuky Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"list.php?query=1"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; bsize:57; http.header_names; content:!"Referer"; reference:md5,04a0505cc45d2dac4be9387768efcb7c; reference:md5,d8e817abd5ad765bf7acec5d672cbb8d; classtype:trojan-activity; sid:2033012; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"iuieylpvfurcvmpk"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024437; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number2g .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"number2g.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2033014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (Locky C2)"; dns.query; content:"cpawdrtxfjkwrkkl"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2024438; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (genericalphabet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"genericalphabet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2033015; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"qfjhpgbefuhenjp7"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024439; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Activity M14"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"_"; distance:0; content:"*"; distance:0; http.host; content:"bb3u9.com"; fast_pattern; classtype:command-and-control; sid:2033019; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware/Cerber Onion Domain Lookup"; dns.query; content:"xpcx6erilkjced3j"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024440; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Cerber, signature_severity Major, tag Ransomware, tag Ransomware_Cerber, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?&"; fast_pattern; content:"&"; distance:0; content:"-"; distance:0; content:"&"; distance:0; content:"|3a|"; distance:2; within:1; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,293b4a6f18fdf5146b92e87e51cf8aa1; classtype:command-and-control; sid:2033020; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Reyptson Ransomware CnC)"; dns.query; content:"37z2akkbd3vqphw5"; depth:16; nocase; fast_pattern; reference:md5,2f60c2dc9b89a78a450839ded2a1737a; classtype:command-and-control; sid:2024469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Reyptson, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Activity M15"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"_"; distance:0; content:"*"; distance:0; http.host; content:"t."; startswith; fast_pattern; pcre:"/^[a-z0-9]{5}\.com$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; classtype:command-and-control; sid:2033021; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wgxpsgshk3hbmyzb"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024516; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_14, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M1"; flow:established,to_server; content:"sbyc"; startswith; fast_pattern; content:"/000"; distance:20; within:4; content:"JFIF"; distance:0; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033016; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"tptbibuegry2nvuh"; depth:16; fast_pattern; nocase; reference:url,twitter.com/benkow_/status/884322124504211456; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024517; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M2"; flow:established,to_server; content:"|0d 0a|clinet|20|utc|20|time|3a 3a 20|"; fast_pattern; content:"Hard|20|Disk|20|Used|20|Sizes|3a 3a|"; nocase; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"fgb45ft3pqamyji7"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024518; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M3"; flow:established,to_server; content:"|00 00|encrypted|20|local|20|size|20 3a|"; nocase; fast_pattern; content:"|0d 0a|Encrypted|20|Network|20|size|20 3a|"; nocase; distance:0; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"gebdp3k7bolalnd4"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024519; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/files-"; offset:25; content:"/data?d="; distance:0; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,344b7370c6e61812eeb1cf1d737f27f3; reference:url,twitter.com/ShadowChasing1/status/1396809305194590211; classtype:trojan-activity; sid:2033032; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"2irbar3mjvbap6gt"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024520; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/MapperState CnC Domain in DNS Lookup"; dns.query; content:"web.mapperstate.com"; nocase; bsize:19; reference:url,twitter.com/ConfiantIntel/status/1393215825931288580; classtype:domain-c2; sid:2033030; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"qg6m5wo7h3id55ym"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024521; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/MapperState CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"ms"; offset:7; depth:2; content:"|20|(unknown|20|version)|20|"; http.request_body; content:"smc31000"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,twitter.com/ConfiantIntel/status/1393215825931288580; classtype:trojan-activity; sid:2033031; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xvnk7q32kmvcvx5x"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024522; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaLoader CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; http.header; http.header; content:"Date|3a 20|"; content:"GMT|0d 0a|"; distance:0; pcre:"/^[a-z]{3,15}\x3a\x20/Rs"; content:"|0d 0a|User-Agent|3a 20|apiutwq|0d 0a|"; fast_pattern; distance:100; http.header_names; content:!"Referer"; reference:md5,96764a0a62e66a147a3d4db0e59a6e34; classtype:command-and-control; sid:2033033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, signature_severity Major, updated_at 2021_05_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"xzfsqbdlb3cssp4t"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; fast_pattern; tls.cert_issuer; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; reference:md5,4cca9a1ec4b92df89a8bc992a6ba961f; classtype:domain-c2; sid:2033034; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"wqfhdgpdelcgww4g"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".py?action=update&app=WebAssistant/1.0&db=Database/1.0"; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033038; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptON/Nemesis/X3M Ransomware Onion Domain"; dns.query; content:"yvvu3fqglfceuzfu"; depth:16; fast_pattern; nocase; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category MALWARE, malware_family Crypton, malware_family Nemesis, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups (officemodel .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"officemodel.org"; bsize:15; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033039; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Gryphon CnC Domain / GlobeImposter Payment Domain"; dns.query; content:"cr7icbfqm64hixta"; depth:16; nocase; fast_pattern; reference:md5,c714c3fe13e515a85774b03787ee9d85; classtype:command-and-control; sid:2024543; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category MALWARE, malware_family GlobeImposter, malware_family Gryphon, performance_impact Moderate, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/verify_/.php?flag=false"; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033040; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"5pr6hirtlfan3j76"; depth:16; nocase; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2024603; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups (tcahf .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"tcahf.org"; bsize:9; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:domain-c2; sid:2033041; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"ilcmjtvnrw2hostl"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, deployment Internet, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups Domain (unohcr .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"unohcr.org"; bsize:10; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:domain-c2; sid:2033042; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"uvgnugc3nvdgboc2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024627; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups CnC Activity"; flow:established,to_server; http.uri; content:"/verify_.php?uuid="; startswith; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:command-and-control; sid:2033043; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vg6xusopmzu7m2ce"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024628; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".theyardservice.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; classtype:domain-c2; sid:2033050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vgyruvtmjabu7llq"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".worldhomeoutlet.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; classtype:domain-c2; sid:2033051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vozupq6ewgxyn4ct"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apricot/"; fast_pattern; http.user_agent; content:"Microsoft|20|Internet|20|Explorer"; bsize:27; reference:md5,d843b58f31c687d22de09a6765b3ba3b; reference:url,twitter.com/ShadowChasing1/status/1395274704366145539; reference:url,research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/; classtype:trojan-activity; sid:2033054; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vqrqlt4t2kcmyrkb"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024631; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JSSLoader Domain (deprivationant .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"deprivationant.com"; bsize:18; fast_pattern; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:domain-c2; sid:2033058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vs74c53whr5kisk2"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024632; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike C2 Profile (news_indexedimages)"; flow:established,to_server; http.request_line; content:"GET /news_indexedimages_autrzd/"; startswith; fast_pattern; content:"&usqp=CAU HTTP/1.1"; endswith; http.referer; content:"http://www.google.com"; bsize:21; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|compatible|3b 20|MSIE|20|8|2e|0|3b 20|Windows|20|NT|20|6|2e|1|3b 20|Trident|2f|5|2e|0|29|"; bsize:63; reference:md5,8ece22e6b6e564e3cbfb190bcbd5d3b9; classtype:command-and-control; sid:2033065; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vsy7udjnodbqwp7l"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024633; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike Loader Domain (cybersecyrity .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cybersecyrity.com"; bsize:17; fast_pattern; reference:md5,611d4c566575d5657661766e27292d28; classtype:domain-c2; sid:2033060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware Domain Detected"; dns.query; content:"vvuymthse6kj4vl4"; depth:16; fast_pattern; nocase; reference:url,files.deependresearch.org/feeds/ransomware/ransomware-payment-sites.txt; classtype:trojan-activity; sid:2024634; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (defendersecyrity .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defendersecyrity.com"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033061; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"oqwygprskqv65j72"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024635; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile)"; flow:established,to_server; http.user_agent; content:"sendFile"; nocase; depth:8; http.host; content:!".tannereda.com"; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016888; rev:6; metadata:created_at 2013_05_21, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cerber Ransomware Domain Detected"; dns.query; content:"toytyaclucomunit"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analitycs .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analitycs.site"; bsize:21; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033067; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.guide)"; dns.query; content:".onion.guide"; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024662; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analytics.online"; bsize:23; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033068; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.link)"; dns.query; content:".onion.link"; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2022332; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analytics.website"; bsize:24; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033069; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.top)"; dns.query; content:".onion.top"; fast_pattern; nocase; classtype:policy-violation; sid:2024665; rev:6; metadata:created_at 2017_09_06, former_category POLICY, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googletagsmanager .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"googletagsmanager.website"; bsize:25; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033070; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Cryptolocker Payment Page (de2nuvwegoo32oqv)"; dns.query; content:"de2nuvwegoo32oqv"; depth:16; fast_pattern; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2022800; rev:5; metadata:created_at 2016_05_09, former_category TROJAN, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evilnum Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/actions/authenticate.php"; bsize:25; fast_pattern; http.cookie; content:"_gid="; startswith; reference:url,twitter.com/ShadowChasing1/status/1399697694491254798; reference:md5,3f230856172f211d5c9ed44ea783f850; classtype:trojan-activity; sid:2033071; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.cab)"; dns.query; content:".onion.cab"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018876; rev:6; metadata:created_at 2014_08_01, former_category POLICY, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[a-zA-z]{5,10}_[A-F0-9]{12}$/R"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:trojan-activity; sid:2033072; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FrameworkPOS Covert DNS CnC Initial Check In"; dns.query; content:".grp"; nocase; offset:8; depth:4; content:".ping.adm"; fast_pattern; within:15; reference:url,threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs-43000-credits-cards-from-point-of-sale-systems; reference:md5,591e820591e10500fe939d6bd50e6776; classtype:command-and-control; sid:2022559; rev:4; metadata:created_at 2016_02_23, former_category MALWARE, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JSSLoader Variant Domain (legislationient .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"legislationient.com"; bsize:19; fast_pattern; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,58e9f9575c6d908fb32b528064e14004; classtype:domain-c2; sid:2033073; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".freemooon.org"; fast_pattern; pcre:"/^[a-z]{4,10}\.freemooon\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[a-zA-z]{5,10}_[A-F0-9]{12}$/R"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:trojan-activity; sid:2033074; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".olimpian.org"; fast_pattern; pcre:"/[a-z]{4,10}\.olimpian\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar Stealer - FaceIt Checkin Response"; flow:established,to_client; file.data; content:"|7b 22|result|22 3a 22|ok|22 2c 22|payload|22 3a 7b 22|country|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|about|22 3a 22|"; pcre:"/^[^\"]+\x7c\x22\x2c\x22/R"; reference:url,medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed; classtype:command-and-control; sid:2033066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2021_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".sunsay.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.sunsay\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022720; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; content:"&formid="; distance:0; http.header_names; content:!"Referer"; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,twitter.com/360CoreSec/status/1408348476660797440; classtype:trojan-activity; sid:2033083; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".feellgood.org"; fast_pattern; pcre:"/[a-z]{4,11}\.feellgood\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022721; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CNRarypt Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HOW_TO_BACK_YOUR_FILES.txt"; endswith; fast_pattern; http.user_agent; content:"CertUtil URL Agent"; bsize:18; http.header_names; content:!"Referer"; reference:md5,62292df897bf304872aad2dc92c96d70; classtype:trojan-activity; sid:2033075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".kinomix.org"; fast_pattern; pcre:"/[a-z]{4,11}\.kinomix\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022726; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT34 Related DNS Tunneling Activity"; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".dnsstatus.org"; endswith; threshold: type both, track by_src, count 3, seconds 5; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,twitter.com/360CoreSec/status/1408348476660797440; classtype:trojan-activity; sid:2033084; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".beneton.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.beneton\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022755; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lyceum Group Activity (DNS)"; threshold: type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderlive.com"; endswith; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,securelist.com/lyceum-group-reborn/104586/; classtype:trojan-activity; sid:2033085; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bigdoggi.biz"; fast_pattern; pcre:"/[a-z]{4,10}\.bigdoggi\.biz$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Maldoc Activity"; flow:established,to_server; http.uri; content:"/Apricot"; startswith; http.user_agent; content:"Office"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/; reference:md5,1e9f1746c2dbea0df5017afdf8b94189; classtype:trojan-activity; sid:2033086; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".bjksfohseaguu.org"; fast_pattern; pcre:"/[a-z]{4,10}\.bjksfohseaguu\.org$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022801; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (analiticsweb .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"analiticsweb.site"; bsize:17; fast_pattern; reference:url,twitter.com/rootprivilege/status/1400850998063632389; reference:url,lukeleal.com/research/posts/analiticsweb-skimmer/; classtype:trojan-activity; sid:2033098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected (TorrentLocker C2)"; dns.query; content:".closedoors.net"; fast_pattern; pcre:"/[a-z]{4,10}\.closedoors\.net$/"; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2022832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FatalRAT CnC Activity"; flow:established,to_server; stream_size:server,=,1; content:"|bf bc 95|"; depth:3; content:"|8e 8e|"; distance:2; within:2; content:"|8e 8e 2c 1b 80 8e e6 02|"; distance:2; within:8; fast_pattern; reference:md5,99fc53d3d4c2c31fd5b5f0f15dbdeab4; reference:url,twitter.com/c3rb3ru5d3d53c/status/1400075253695537155; classtype:command-and-control; sid:2033093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family FatalRAT, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 4"; dns.query; content:"iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024295; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE sysrv.ELF Exploit Success Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ldr.sh"; endswith; fast_pattern; http.user_agent; pcre:"/^(?:curl|wget)_?(?:c(?:ve_20(?:1(?:(?:7_1161|8_760)0|9_10758)|20_16846)|url_xxljobUnauth)|tp5)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,mblogs.akamai.com/sitr/2021/03/another-golang-crypto-miner-on-the-loose.html; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:trojan-activity; sid:2033094; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 5"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024296; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ALFA Shell APT33 DNS Lookup (solevisible .com)"; dns.query; content:"solevisible.com"; nocase; endswith; threshold:type limit,count 1,track by_src,seconds 120; reference:url,fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:domain-c2; sid:2033095; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 2"; dns.query; content:"ifferfsodp9ifjaposdfjhgosurijfaewrwergwea"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024293; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_14, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/SkinnyBoy Payload Request"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Opera"; bsize:5; http.request_body; content:"id="; startswith; content:"#"; distance:0; content:"#"; distance:0; content:"&cmd=y"; endswith; fast_pattern; reference:url,cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf; classtype:command-and-control; sid:2033097; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family SkinnyBoy, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 3"; dns.query; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024294; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_15, deployment Perimeter, former_category TROJAN, malware_family wannacry, performance_impact Moderate, signature_severity Critical, tag Ransomware, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NoCry Ransomware Checkin Via Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=username|0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=content|0d 0a 0d 0a|**New Victim**|0d 0a|"; fast_pattern; distance:0; content:"ID|20 3a 20|"; distance:0; content:"Key|20 3a 20|"; content:"Date&Time|20 3a 20|"; http.header_names; content:!"Referer"; reference:md5,682b432662affb2812ece6b940f5be51; classtype:trojan-activity; sid:2033099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Query to Generic 107 Phishing Domain"; threshold:type limit, track by_src, count 1, seconds 30; dns.query; content:"login"; nocase; content:"107sbtd9cbhsbt"; fast_pattern; distance:0; nocase; classtype:social-engineering; sid:2024464; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlagueBot User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|PlagueBot|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2142ed343d1020dca9dec439933c1877; classtype:trojan-activity; sid:2033100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M2"; dns.query; content:"avirus"; fast_pattern; nocase; isdataat:100,relative; content:!"spotify.com"; classtype:social-engineering; sid:2022691; rev:6; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ETag HTTP Header Observed at JPCERT Sinkhole"; flow:established,to_client; http.header; content:"ETag|3a 20 22|9-525c24c725e00|22|"; classtype:bad-unknown; sid:2033103; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M1 Feb 29"; dns.query; content:"helpdesk"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022575; rev:5; metadata:created_at 2016_03_01, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ETag HTTP Header Observed at CNCERT Sinkhole"; flow:established,to_client; http.header; content:"ETag|3a 20 22|2b1-55fb5d562c37c|22|"; classtype:bad-unknown; sid:2033104; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M1 Mar 3"; dns.query; content:"errorfound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022591; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"Server|3a 20|malware-sinkhole"; nocase; classtype:trojan-activity; sid:2033105; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M2 Mar 3"; dns.query; content:"unattendedfile"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022592; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"Server|3a 20|360Netlab-sinkhole"; nocase; classtype:trojan-activity; sid:2033106; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M3 Mar 3"; dns.query; content:"internetsituation"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022593; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uy.txt"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1402239834819743746; reference:md5,dfbe17d9dfa3f3bb715e1d8348bd1f50; classtype:trojan-activity; sid:2033116; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 4"; dns.query; content:"callasap"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022696; rev:5; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Puzzlemaker Remote Shell Domain (media-seoengine .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"media-seoengine.com"; bsize:19; fast_pattern; reference:url,securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; reference:md5,d6b850c950379d5ee0f254f7164833e8; classtype:domain-c2; sid:2033127; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=counter&app_key="; depth:23; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_18, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Puzzlemaker Remote Shell Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/analytics"; bsize:10; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:34; fast_pattern; http.user_agent; content:"Win64|3b|"; content:"Chrome/"; reference:md5,d6b850c950379d5ee0f254f7164833e8; reference:url,securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; classtype:trojan-activity; sid:2033128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nitlove POS CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"nit_love"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html; classtype:command-and-control; sid:2021144; rev:4; metadata:created_at 2015_05_26, former_category MALWARE, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rose/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,3c71395a0863fcc262e9e819ba4907b1; reference:url,twitter.com/ShadowChasing1/status/1402417050174164993; classtype:trojan-activity; sid:2033129; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FR Carte Bleue / BCP Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ques="; depth:5; nocase; content:"&login="; nocase; distance:0; fast_pattern; content:"&motdepass"; nocase; distance:0; classtype:credential-theft; sid:2032403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".hkbusupport.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033123; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pterodo CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Wget/"; depth:5; http.request_body; content:"versiya="; depth:8; fast_pattern; content:"&comp="; distance:0; content:"&id="; distance:0; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Referer"; content:!"Cache"; reference:md5,9d8daf70dff4d5bcf791d5f68ba01d7c; classtype:command-and-control; sid:2034345; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".4vw37z.cn"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033124; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download - Set"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McHttpH"; fast_pattern; http.host; content:"download.mcafee.com"; classtype:not-suspicious; sid:2027945; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".boshiamys.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033125; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; flowbits:isnotset,ET.Adobe.Site.Download; flowbits:isnotset,ET.ZoneAlarm.Site.Download; flowbits:isnotset,ET.QuickenUpdater; flowbits:isnotset,ET.Symantec.Site.Download; flowbits:isnotset,ET.Maas.Site.Download; flowbits:isnotset,ET.Mcafee.Site.Download; http.content_type; content:"text/plain"; nocase; startswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:24; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_09_01;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".96html.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033126; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (set) 2016-03-01"; flow:to_server,established; flowbits:set,ET.applephish; flowbits:noalert; http.method; content:"POST"; http.header; content:"Referer|3a|"; http.request_body; content:"u="; depth:2; nocase; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2027955; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!6180,!80,!443,!8080,!8443,!25,!587,!2525] (msg:"ET MALWARE QuasarRAT/zgRAT C2 Activity (set)"; flow:established,to_server; flowbits:set,ET.zgRAT; flowbits:noalert; content:"|19 00 00 00|"; dsize:4; reference:md5,4e893ea0874f70f4972fa93fed96e77c; classtype:command-and-control; sid:2033107; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_10, deployment Perimeter, former_category MALWARE, malware_family Quasar, malware_family VoidRat, malware_family zgRAT, signature_severity Major, updated_at 2021_06_10;)
 
-alert tls any any -> any any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2"; flow:established,to_server; tls.sni; content:"|5c 00|"; fast_pattern; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_01;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Maldoc CnC Domain (shopweblive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopweblive.com"; bsize:15; fast_pattern; reference:url,twitter.com/360CoreSec/status/1402920149754155010; reference:md5,4fb3bd661331b10fbd01e5f3e72f476c; reference:md5,b7dbb3bef80d04e4b8981ab4011f4bfe; classtype:domain-c2; sid:2033135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2021_06_10;)
 
-alert http any any -> any any (msg:"ET MALWARE ELF/LiLocked Ransom Note in HTTP Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"ENCRYPTED|20|ALL|20|YOUR|20|SENSITIVE"; depth:200; content:"STRONG|20|ENCRYPTION"; distance:0; content:"BUY|20|A|20|DECRYPTION|20|KEY"; distance:0; fast_pattern; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027968; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category TROJAN, malware_family LiLocked, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_01;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/SkinnyBoy Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Opera"; bsize:5; http.request_body; content:"id="; startswith; content:"#"; distance:0; content:"#"; distance:0; content:"&current="; distance:0; fast_pattern; content:"&total="; distance:0; content:"&data="; distance:0; reference:url,cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf; classtype:command-and-control; sid:2033096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family SkinnyBoy, performance_impact Low, signature_severity Major, updated_at 2021_06_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Joker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/api/report"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"eyJ"; depth:3; http.header_names; content:!"Referer|0d 0a|"; reference:md5,058865332bfae541e82b55e4a7e63aaf; reference:url,medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451; classtype:trojan-activity; sid:2027965; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_09, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Joker, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN7 CnC Domain (injuryless .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"injuryless.com"; bsize:14; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1403150596849295362; reference:md5,1ac719c744d22f42e4978e7b55828435; reference:md5,526d56017ef5105277fe0d366c95c39d; classtype:domain-c2; sid:2033138; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_06_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious HTTP POST to 404.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/404.php"; endswith; fast_pattern; classtype:misc-activity; sid:2030819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_01, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK Campaign)"; flow:established,to_client; tls.cert_fingerprint; content:"b3:03:81:01:fd:0e:8b:11:c5:19:f7:39:f1:2c:7e:9b:60:23:4d:3b"; classtype:domain-c2; sid:2033140; rev:2; metadata:attack_target Client_and_Server, created_at 2021_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=mail.paolemahta.icu/emailAddress=root@mail.paolemahta.icu"; bsize:139; fast_pattern; reference:md5,4fd5867c45716f0a25c74f3510984cf2; reference:url,twitter.com/bryceabdo/status/1300787997755891712; classtype:domain-c2; sid:2030820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_01, deployment Perimeter, former_category MALWARE, malware_family Bazar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ba.html"; bsize:8; fast_pattern; http.cookie; content:"woocommerce_items_in_cart="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,68abb4a9c6203acca940a49157264497; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033141; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck CnC Activity"; flow:established,to_server; http.uri; content:"/ln/core.png?"; startswith; http.host; content:"t.amynx.com"; bsize:11; fast_pattern; reference:url,github.com/sophoslabs/IoCs/blob/master/Trojan-LDMiner.csv; classtype:command-and-control; sid:2030827; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?inc="; fast_pattern; http.cookie; content:"affiliate_id="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b3d1ca6f439f2b2014643cc8fad9a55; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033142; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"sucuil.net"; bsize:10; reference:url,twitter.com/felixaime/status/1301090258671542272; classtype:trojan-activity; sid:2030828; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.uri; content:"/ny.js"; bsize:6; fast_pattern; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,93b24d6de3e38fe3112554355a1ba98f; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033143; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TURLA APT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/scripts/m/query.php?id="; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf; classtype:command-and-control; sid:2030829; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart Skimmer Websocket Domain in DNS Lookup"; dns.query; content:"hotjar.info"; nocase; bsize:11; reference:url,lukeleal.com/research/posts/hotjar-dot-info-skimmer/; reference:url,twitter.com/rootprivilege/status/1404595455065870336; classtype:trojan-activity; sid:2033144; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zyklon CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"token="; startswith; fast_pattern; content:"&hwid="; distance:44; within:6; threshold: type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/500mk500/status/1301173604072202248; reference:md5,3c8afeb46c1e1a217c0f108c3fb5f4f4; classtype:command-and-control; sid:2030823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload 2021-06-15"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\.[0-9]{6,18}\.dat$/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"huhunadekil.top"; bsize:15; classtype:domain-c2; sid:2030824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".css?open="; fast_pattern; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,c49f5361c91208f95a3f4d8a9cccf5cc; reference:url,twitter.com/_brettfitz/status/1404438059962208256; classtype:trojan-activity; sid:2033145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Linux Shell Script CnC Activity"; flow:established,to_server; http.uri; content:"/ln/a.asp?"; startswith; fast_pattern; content:"_"; distance:0; reference:url,github.com/sophoslabs/IoCs/blob/master/Trojan-LDMiner.csv; classtype:command-and-control; sid:2030826; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php|20|SSL3.4"; fast_pattern; startswith; reference:url,securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/; reference:md5,569246a3325effa11cb8ff362428ab2c; classtype:command-and-control; sid:2033146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_16, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, signature_severity Major, tag Backdoor, updated_at 2021_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Xetapp Installer Checkin"; flow:established,to_server; http.request_line; content:"GET /settings/launches.php?name="; startswith; fast_pattern; content:"&site="; distance:0; content:"&campaign="; distance:0; reference:md5,e9c4c9048651f62d39b12220d19dd936; classtype:pup-activity; sid:2030825; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_02, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_02;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andariel Backdoor Actvity (Response)"; flow:established,to_client; content:"HTTP|20|1.1|20|200|20|OK|20|SSL2.1"; fast_pattern; startswith; reference:url,securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/; reference:md5,569246a3325effa11cb8ff362428ab2c; classtype:command-and-control; sid:2033147; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_16, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2021_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Java/1."; http.host; pcre:"/\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?$/"; classtype:bad-unknown; sid:2016583; rev:6; metadata:created_at 2013_03_15, former_category HUNTING, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (extension.css)"; flow:established,to_server; http.uri; content:"/extension.css?goto="; startswith; http.cookie; content:"lu="; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:trojan-activity; sid:2033148; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:34:1C:D9:8B:86"; classtype:domain-c2; sid:2028566; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 BEACON Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html|20|/"; content:".html?auth=uid"; distance:0; fast_pattern; http.user_agent; content:"ms-office|3b 20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html; reference:md5,5f1e9ae81c6a3797bf16b9ee469dc66a; classtype:command-and-control; sid:2033149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TransparentTribe APT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_isolated_codes/C0n_eections/"; fast_pattern; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028570; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 Malicious MSHTA Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ID-508260156241"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html; classtype:trojan-activity; sid:2033151; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028572; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Operation Sidecopy lnk Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/font/js/images/"; startswith; fast_pattern; content:"/css"; endswith; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.host; content:".in"; endswith; reference:url,twitter.com/ShadowChasing1/status/1406959698142666756; reference:md5,e05468aaa0c436e953116989ccf9703b; classtype:trojan-activity; sid:2033153; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&file&upload"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028573; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Matanbuchus CnC Domain in DNS Lookup (eonsabode .at)"; dns.query; content:"eonsabode.at"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/; classtype:domain-c2; sid:2033154; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028574; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gelsemium CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=IH, L=IH, O=IH, OU=IH, CN=IH"; bsize:37; fast_pattern; tls.cert_issuer; content:"C=US, ST=CA, L=CA, O=CA, OU=CA, CN=CA"; bsize:37; reference:md5,87eb0975758ecef44e8368914cffe151; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http any any -> $HOME_NET any (msg:"ET MALWARE Suspected Tunna Proxy M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&close"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028575; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Klingon RAT)"; flow:established,to_client; tls.cert_subject; content:"emailAddress=trump@whitehouse.xyz"; tls.cert_issuer; content:"C=US, ST=Washington, L=Washington, O=White House, OU=Mr President, CN=whitehouse.xyz/emailAddress=trump@whitehouse.xyz"; bsize:118; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/; classtype:command-and-control; sid:2033156; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_22;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Possible Tunna Proxy Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|All|20|good|20|to|20|go"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028576; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile wordpress_ Cookie Test"; flow:established,to_server; http.cookie; content:"wordpress"; fast_pattern; pcre:"/^_?=?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:url,thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/; classtype:trojan-activity; sid:2033158; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Possible Tunna Proxy Closing Connection"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|Closing|20|the|20|connection|20|"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028577; rev:2; metadata:created_at 2019_09_12, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity (wget)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/supermicro_cr.gz"; bsize:21; fast_pattern; http.user_agent; content:"Wget/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033159; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028578; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity (curl)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.php?apirequests="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033160; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M2 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&file&upload"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028579; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Telegram Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1322235264:AAE7QI-f1GtAF_huVz8E5IBdb5JbWIIiGKI/sendMessage?chat_id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; content:"api.telegram.org"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033161; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M3 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&port="; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028580; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity Attack Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_attack/0.txt"; bsize:19; fast_pattern; http.user_agent; content:"Wget/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033162; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspected Tunna Proxy M4 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?proxy&close"; endswith; fast_pattern; http.accept_enc; content:"gzip"; startswith; endswith; http.header_names; content:!"Referer"; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028581; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/arm/template.php"; bsize:17; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:"winxpo.live"; bsize:11; reference:url,twitter.com/ShadowChasing1/status/1407636259367899138; reference:md5,e8e866e522b66c16d2ed8e345e48f524; classtype:trojan-activity; sid:2033169; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
 
-alert http any any -> $HOME_NET any (msg:"ET MALWARE Possible Tunna Proxy Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|All|20|good|20|to|20|go"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028582; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a 0d 0a|"; content:".zip|0d 0a|"; distance:0; within:50; content:"|0d 0a|PK"; distance:0; content:"system.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8124a572f854007e63cc7337547a37af; reference:md5,673410a381f324b0209abf1175415206; reference:url,3xp0rt.com/posts/mars-stealer; classtype:trojan-activity; sid:2033163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_23;)
 
-alert http any any -> $HOME_NET any (msg:"ET MALWARE Possible Tunna Proxy Closing Connection"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|5b|Server|5d 20|Closing|20|the|20|connection|20|"; startswith; fast_pattern; reference:url,github.com/SECFORCE/Tunna; classtype:trojan-activity; sid:2028583; rev:2; metadata:created_at 2019_09_13, deployment Perimeter, former_category MALWARE, malware_family Tunna, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Downloading from Dropbox via API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2/files/download"; http.header; content:"Authorization|3a 20|Bearer|20|FLtUsbS3oqcAAAAAAAAAAZ_86BAKGkKPNHeBSV8ETDcqFjlDgagrviCEw0VV6Ecn|0d 0a|"; content:"/Energy/staging/debugps"; fast_pattern; http.host; content:"content.dropboxapi.com"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1407540607954743297; reference:md5,f123a68eea92b34d76f0ca0b677419bd; classtype:trojan-activity; sid:2033170; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (O365 Profile)"; flow:established,to_server; http.uri; content:"/owa/?wa="; startswith; content:"&path=/calendar"; endswith; http.cookie; content:"MicrosoftApplicationsTelemetryDeviceId="; startswith; content:"|3b|ClientId="; distance:0; content:"|3b|MSPAuth="; distance:0; content:"|3b|xid="; distance:0; content:"|3b|wla42="; distance:0; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,a26722fc7e5882b5a273239cddfe755f; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_ttp"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,532acbadb8151944650aaecc0a397965; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033171; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DLink DNS 320 Remote Code Execution (CVE-2019-16057)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/login_mgr.cgi"; fast_pattern; content:"cmd|3d|login"; distance:0; content:"&port="; distance:0; pcre:"/^\d{2,5}+(?!\&|\d)/R"; reference:cve,2019-16057; reference:url,blog.cystack.net/d-link-dns-320-rce/; classtype:attempted-admin; sid:2028603; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_09_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore CnC Activity"; flow:established,to_server; content:"|3c 7c|"; startswith; content:"SOCKET|7c 3e|"; distance:0; fast_pattern; content:"|3c 7c|END|7c 3e|"; endswith; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; reference:md5,8f8bad9fb9a1f333bd3380e2698b4236; classtype:command-and-control; sid:2033173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family AllaKore, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/news?"; startswith; pcre:"/^[a-z]=[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028599; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaChi RAT Client CnC (POST)"; flow:established,to_server; flowbits:set,ET.chachirat; http.method; content:"POST"; http.uri; content:"/cert/trust"; bsize:11; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index?"; startswith; pcre:"/^[a-z]=[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028600; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ChaChi RAT Server Response"; flow:established,to_client; flowbits:isset,ET.chachirat; http.stat_code; content:"200"; file.data; content:"-zig"; endswith; fast_pattern; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Default.aspx?"; startswith; pcre:"/^[a-z]=[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028601; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaChi RAT Client CnC (POST)"; flow:established,to_server; flowbits:set,ET.chachirat; http.method; content:"POST"; http.uri; content:"/time/sync"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Plead TSCookie CnC Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp?m="; startswith; pcre:"/^[A-F0-9]+$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"*/*"; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html; classtype:command-and-control; sid:2028602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, tag BlackTech, tag Plead, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|43 21 f0 39 ff 82 2c 1c 54 06|"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,63c6febaeff62391187077b5e2f781e7; reference:md5,33a68137c05b0e2c2ee2ca559e038358; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033174; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.DJC CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check.php?action="; depth:18; http.user_agent; content:"biteye4ever"; reference:md5,3dae205d72cb80d1c6ca4f796b28e384; classtype:pup-activity; sid:2028612; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_t_t_p"; fast_pattern; bsize:8; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,63c6febaeff62391187077b5e2f781e7; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033175; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious BITS EXE DL From Dotted Quad"; flow:established,to_server; http.uri; content:".exe"; nocase; content:!".gvt1.com/"; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"download.windowsupdate.com"; content:!"download.adobe.com"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; classtype:misc-activity; sid:2022858; rev:6; metadata:created_at 2016_06_03, former_category INFO, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9]{5,12}&a=/R"; content:"&a=Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XLS DDE rar Drop Attempt (.live)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.header; content:".live|0d 0a|Conne"; fast_pattern; http.host; content:!"parrot.live"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026514; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu00.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Picker.aspx?PickerDialogType=Microsoft.SharePoint"; nocase; http.request_body; content:"ctl00|25|24PlaceHolderDialogBodySection|25|24ctl05|25|24hiddenSpanData|3d5f5f|"; nocase; fast_pattern; reference:url,www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability; classtype:attempted-admin; sid:2027345; rev:4; metadata:attack_target Web_Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu03.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/SysKit CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"&"; content:!"."; http.request_body; content:"ip="; depth:3; content:"#"; distance:0; content:"&os="; distance:0; content:"#"; distance:0; content:"&os_name="; distance:0; fast_pattern; content:"#"; distance:0; content:"&mac="; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain; classtype:command-and-control; sid:2028618; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu01.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/GMERA.B CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/link.php?"; depth:10; fast_pattern; content:"&"; distance:0; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/R"; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:command-and-control; sid:2028620; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu02.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"skillsnew.top"; nocase; endswith; classtype:domain-c2; sid:2028625; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response"; flow:established,to_client; file.data; content:"cmd"; nocase; startswith; content:"new%2520ActiveXObject%2528%2522WinHttp.WinHttpRequest.5.1"; distance:0; content:"GET%2522%252Cunescape"; distance:0; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033181; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Suspicious SSL Cert (Minerpool - CoinMining)"; flow:from_server,established; tls.cert_subject; content:"CN=eu.minerpool.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:coin-mining; sid:2028623; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?query=5"; bsize:9; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:84; reference:md5,b567f7aac1574b2ba3a769702d2f6a1e; reference:md5,815c690bfc097b82a8f1d171cd00e775; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033192; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DeadlyKiss APT)"; flow:established,from_server; tls.cert_subject; content:"CN=iluvshopping.com"; fast_pattern; tls.cert_serial; content:"27:93"; classtype:domain-c2; sid:2028626; rev:2; metadata:attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DeadlyKiss, updated_at 2020_09_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS WebSkimmer Exfil Site)"; flow:established,to_client; tls.cert_subject; content:"hotjar.info"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hotjar\.info(?!\.)/"; reference:url,lukeleal.com/research/posts/hotjar-dot-info-skimmer/; classtype:domain-c2; sid:2033188; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query"; dns.query; content:"lowyat.biz"; nocase; endswith; classtype:targeted-activity; sid:2028627; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (init)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=init"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033193; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible DeadlyKiss APT CnC Domain Observed in DNS Query"; dns.query; content:"tawaranmurah.com"; nocase; endswith; classtype:targeted-activity; sid:2028628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (down)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=down"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033194; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE MOONSHINE payload C2 activity"; flow:established,to_server; http.uri; content:"/ws?whisky_id|3d|"; fast_pattern; http.header; content:"Upgrade|3a 20|websocket"; http.user_agent; content:"hots|20|scot"; depth:9; reference:url,citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits; classtype:trojan-activity; sid:2028622; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Moonshine, signature_severity Critical, tag Android, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (ping)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=ping"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033195; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PHPStudy CnC Domain in DNS Lookup"; dns.query; content:".360se.net"; pcre:"/^(?:www|bbs|cms|down|up|file|ftp)/"; reference:url,github.com/blackorbird/APT_REPORT/tree/master/phpstudyGhost; reference:url,twitter.com/blackorbird/status/1175951448678420480; classtype:domain-c2; sid:2028630; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/?d="; fast_pattern; http.uri; pcre:"/^\/\?d=[a-f0-9]{16}$/"; http.header_names; content:"|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|"; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AOL Webmail Message Send"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/compose_frame.adp"; reference:url,doc.emergingthreats.net/bin/view/Main/2000571; classtype:policy-violation; sid:2000571; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Related Downloader User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|TAKEMIXTWO|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,23f169e4be475e3eec4dcb9d9a344649; classtype:trojan-activity; sid:2033186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Tor Get Status Request"; flow:established,to_server; http.uri; content:"/tor/status/"; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008115; classtype:policy-violation; sid:2008115; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malware Delivery Landing Page via JS Redirect (2021-06-24)"; flow:established,to_client; file.data; content:"|3c|title|3e|File Download|3c 2f|title|3e|"; content:"|24 2e|getJSON|28 20 22|https|3a 2f 2f|"; distance:0; content:"|2f 22 2c 20|function|28|res|29 20 7b 0d 0a 0d 0a|"; within:300; content:"|7d 29 2e|done|28|function|28|res|29 20 7b 0d 0a|"; within:40; content:"params|2e|url|20 3d 20 22|https|3a 2f 2f|"; within:120; fast_pattern; content:"|22 20 2b 20|res|2e|data"; within:300; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:trojan-activity; sid:2033189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Myspace Login Attempt"; flow:established,to_server; http.uri; content:"/index.cfm?fuseaction=login"; http.header; content:"secure.myspace.com"; reference:url,doc.emergingthreats.net/2002872; classtype:policy-violation; sid:2002872; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malware Delivery Domain (analyticsnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"analyticsnet.top"; bsize:16; fast_pattern; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:domain-c2; sid:2033190; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 300; http.host; content:"www.orkut.com"; startswith; reference:url,doc.emergingthreats.net/2003458; classtype:policy-violation; sid:2003458; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malware Delivery Landing Page Domain (bigeront .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigeront.top"; bsize:12; fast_pattern; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:domain-c2; sid:2033191; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; http.uri; content:"/ui/"; nocase; content:"/getlatestversion?ver="; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?m="; fast_pattern; offset:4; pcre:"/^[a-z]{1}/R"; content:"&p1="; distance:0; content:"&p2="; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:53; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,739d14336826d078c40c9580e3396d15; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033199; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Social-bos.biz related trojan checkin (trackid=hex)"; flow:established,to_server; http.uri; content:".php?trackid="; content:"706172616D3D636D64266C616E673D"; reference:url,doc.emergingthreats.net/2008545; classtype:command-and-control; sid:2008545; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-23 Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mehro"; endswith; fast_pattern; http.request_body; content:"celal="; startswith; content:"&type="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Connect"; reference:md5,738886d83e8dc379fc463e3869c74217; classtype:trojan-activity; sid:2033200; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Theoreon.com Related Trojan Checkin"; flow:established,to_server; http.uri; content:"/firststart.php?pid="; nocase; content:"&dt="; nocase; content:"&v="; nocase; reference:url,doc.emergingthreats.net/2007832; classtype:command-and-control; sid:2007832; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE REvil Exfil SFTP Certificate Inbound"; flow:to_client,established; content:"Kanzas City"; nocase; fast_pattern; content:"System IT Inc"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; classtype:targeted-activity; sid:2033205; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Downloader Tibs.jy Reporting to C&C (2)"; flow:established,to_server; http.uri; content:"/rule.php?"; nocase; content:"name="; nocase; content:"b="; nocase; content:"w="; nocase; reference:url,doc.emergingthreats.net/2003239; classtype:command-and-control; sid:2003239; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Valyria Downloader Activity"; flow:established,to_client; file.data; content:"|5c|Temp|5c|regles2.cmd|22|"; fast_pattern; content:"|5c|Temp|5c|CMSTPBypass.exe"; distance:0; content:"|5c|Temp|5c|regles.cmd"; distance:0; reference:url,twitter.com/James_inthe_box/status/1409980230379311105; reference:md5,4f8c9ac36ca0268eb7c9ccec4f9d76f5; classtype:trojan-activity; sid:2033206; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Torpig Reporting User Activity (x25)"; flow:established,to_server; http.uri; content:"/x25.php"; nocase; content:"?id="; nocase; content:"&sv="; nocase; content:"&ip="; nocase; content:"&sport="; nocase; content:"&hport="; nocase; content:"&os="; nocase; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; classtype:trojan-activity; sid:2002762; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/index.php?member="; startswith; fast_pattern; content:"|20|SSL3.3"; distance:0; reference:url,twitter.com/360CoreSec/status/1405790277034418177; reference:md5,c827d95429b644e918d53b24719dbe6e; classtype:command-and-control; sid:2033207; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Torpig Reporting User Activity (wur8)"; flow:established,to_server; http.uri; content:"/wur8.php"; nocase; content:"?id="; nocase; content:"&sv="; nocase; content:"&ip="; nocase; content:"&sport="; nocase; content:"&hport="; nocase; content:"&os="; nocase; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; classtype:trojan-activity; sid:2003066; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Mercurial Grabber"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; http.request_body; content:"|2c 22|username|22 3a 20 22|Mercurial|20|Grabber|22 2c 20 22|"; fast_pattern; reference:md5,252689e3688229ce5e3e26a2ef0a5bf1; reference:url,github.com/NightfallGT/Mercurial-Grabber; classtype:command-and-control; sid:2033197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virtumod/Agent.ufv/Virtumonde Get Request"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; nocase; content:"ver="; nocase; content:"aid="; nocase; content:"uid="; nocase; content:"adm="; nocase; reference:url,doc.emergingthreats.net/2008377; classtype:trojan-activity; sid:2008377; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reborn Stealer 2021 Exfil attempt via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; content:"|26|caption|3d|"; content:"|f0 9f 8f b4 20|IP|3a 20|"; distance:0; content:"|20|BASIC|20|INFORMATION|3a 0a 20 20 20 e2 88 9f 20|Passwords|20 2d 20|"; distance:0; fast_pattern; reference:md5,f925449e1f939ca70b5f842d4fc55921; reference:url,github.com/alikaptanoglu/Reborn-Stealer-2021-SOURCE/; classtype:command-and-control; sid:2033209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virtumonde Variant Reporting to Controller via HTTP (3)"; flow:established,to_server; http.uri; content:"dll.html?"; nocase; content:"affid="; nocase; content:"&uid="; nocase; content:"&guid="; nocase; reference:url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html; reference:url,doc.emergingthreats.net/2008863; classtype:trojan-activity; sid:2008863; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!6180,!80,!443,!8080,!8443,!25,!587,!2525] (msg:"ET MALWARE QuasarRAT/zgRAT C2 Activity (set)"; flow:established,to_server; flowbits:set,ET.zgRAT; flowbits:noalert; content:"|40 00 00 00|"; dsize:4; reference:md5,43a2f0f6fb1b858e9d7997ba8317df03; reference:url,twitter.com/James_inthe_box/status/1410260077861249028; classtype:command-and-control; sid:2033211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Virut - GET"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"?n="; nocase; content:"&lastid="; nocase; content:"&Version"; nocase; content:"&smartpic="; nocase; content:"&rand="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut; reference:url,www.avast.com/eng/win32-virut.html; reference:url,free.avg.com/66558; reference:url,www.threatexpert.com/threats/virus-win32-virut-ce.html; reference:url,doc.emergingthreats.net/2009808; classtype:trojan-activity; sid:2009808; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE zgRAT Activity M2"; flow:established,to_server; flowbits:isset,ET.zgRAT; content:"|2b 00 00 00 1f 8b 08 00 00 00 00 00 04 00 33 b6 51 51 b5 b7|"; depth:20; isdataat:!45,relative; reference:md5,43a2f0f6fb1b858e9d7997ba8317df03; reference:url,twitter.com/James_inthe_box/status/1410260077861249028; classtype:command-and-control; sid:2033212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.cyt (Or variant) HTTP POST Checkin"; flow:established,to_server; http.method; content:"POST"; depth:4; http.uri; content:".cgi"; http.request_body; content:"o=i&k="; reference:url,doc.emergingthreats.net/2008003; classtype:command-and-control; sid:2008003; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (toolser .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"toolser.pw"; bsize:10; fast_pattern; reference:url,lukeleal.com/research/posts/magecart-group-12-toolser-skimmer/; classtype:trojan-activity; sid:2033213; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, signature_severity Major, updated_at 2021_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32 Cloaker Related Post Infection Checkin"; flow:established,to_server; http.uri; content:"/log/proc.php?key="; pcre:"/\/log\/proc\.php.key=[a-z0-9]{11}/i"; reference:url,doc.emergingthreats.net/2008185; classtype:command-and-control; sid:2008185; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT xCaon/Textpadx Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/kw.asp"; endswith; fast_pattern; http.request_body; content:"d="; startswith; content:"&k="; distance:0; content:"&w="; distance:0; http.header_names; content:!"Referer"; reference:md5,3562bf97997c54d74f58d4c1ad84fcea; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033219; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.AB or related Post-infection checkin"; flow:established,to_server; http.uri; content:"/work.php?"; nocase; content:"method="; nocase; content:"&port="; nocase; content:"&type="; nocase; content:"&winver="; nocase; reference:url,doc.emergingthreats.net/2008321; classtype:command-and-control; sid:2008321; rev:5; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT BoxCaon DropBox Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/2/files/create_folder_v2"; bsize:25; http.header; content:"Authorization|3a 20|Bearer|20|iioKFUvLMX0AAAAAAAAAARDKLMS9uW1ax9ogdxWVqMC582VLW-CVofMpeFTEVfhU|0d 0a|"; fast_pattern; http.host; content:"api.dropboxapi.com"; bsize:18; reference:md5,974201f7895967bff0b018b95d5f5f4b; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033220; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV get_product_domains.php"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/reports/get_product_domains.php?abbr="; content:"&pid="; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010242; classtype:trojan-activity; sid:2010242; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TontoTeam APT Related Bisonal CnC Activity"; flow:established,to_server; content:"\\r\\nConnection|3a 20|keep-alive\\r\\nAccept"; fast_pattern; http.method; content:"GET"; http.uri; content:"/index.php?strPageID="; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,80987dcdb36e7cb52bb03f00261aa2bd; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:trojan-activity; sid:2037722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_07_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zhelatin npopup Update Detected"; flow:established,to_server; http.method; content:"POST"; depth:4; http.uri; content:"/server/npopup/"; nocase; http.request_body; content:"data="; nocase; content:"&key="; nocase; reference:url,doc.emergingthreats.net/2007787; classtype:trojan-activity; sid:2007787; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BnpOnspQwtjCA"; endswith; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob Updating via HTTP"; flow:established,to_server; http.uri; content:".php?code="; nocase; content:"&hash="; nocase; pcre:"/code=[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2}/i"; reference:url,doc.emergingthreats.net/2007568; classtype:trojan-activity; sid:2007568; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Register M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BnpOnspQwtjCA/register"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE xpsecuritycenter.com Fake AntiVirus GET-Install Checkin"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:".php?"; content:"wmid="; nocase; content:"|26|l="; nocase; content:"|26|it="; nocase; content:"|26|s="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-051910-0118-99&tabid=1; reference:url,doc.emergingthreats.net/2008329; classtype:command-and-control; sid:2008329; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Register M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register"; http.request_body; content:"cid="; content:"&group="; distance:0; content:"ip_local="; distance:0; content:"&ip_local2="; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; threshold:type limit, track by_src, count 2, seconds 360; http.header; content:"Host|3a 20|"; content:"myway.com"; nocase; http.referer; content:"http|3a|//dell"; startswith; reference:url,doc.emergingthreats.net/2008051; classtype:not-suspicious; sid:2008051; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Key Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/key"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 300; http.host; content:"www.metacafe.com"; startswith; reference:url,doc.emergingthreats.net/2003457; classtype:policy-violation; sid:2003457; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Services Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/services"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033227; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY RemoteSpy.com Upload Detect"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.php"; http.host; content:"www.remotespy.com"; startswith; reference:url,doc.emergingthreats.net/2008406; classtype:trojan-activity; sid:2008406; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Priority Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/priority"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Smilebox Spyware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smilebox/SmileboxInstaller.exe"; nocase; reference:url,www.smilebox.com/info/privacy.html; reference:url,doc.emergingthreats.net/2009998; classtype:policy-violation; sid:2009998; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Ignore Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/ignore"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CBS Streaming Video"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/innertube/player.php?"; http.header; content:"Host|3a|"; nocase; content:"cbs.com"; nocase; reference:url,doc.emergingthreats.net/2007763; classtype:policy-violation; sid:2007763; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Ext Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/ext"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".smil"; endswith; nocase; http.host; content:"video.nbcuni.com"; startswith; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Wipe Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/wipe"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by Acrobat"; flow:established,to_server; http.uri; content:".php?exp=PDF"; classtype:exploit-kit; sid:2011815; rev:4; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Landing Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/landing"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SEO Exploit Kit - client exploited by SMB"; flow:established,to_server; http.uri; content:".php?exp=SMB"; classtype:exploit-kit; sid:2011814; rev:5; metadata:created_at 2010_10_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol HTTP Cookie Observed"; flow:established,to_server; http.cookie; content:"diavol_session="; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Farfli HTTP Checkin Activity"; flow: to_server,established; http.uri; content:"/getmac.asp?x="; content:"&y="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:command-and-control; sid:2009215; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain"; dns.query; content:".indexsinas.me"; endswith; fast_pattern; reference:url,www.guardicore.com/labs/smb-worm-indexsinas/; classtype:domain-c2; sid:2033234; rev:1; metadata:created_at 2021_07_05, former_category TROJAN, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac Beacon Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.user_agent; content:"Mozilla"; bsize:7; http.request_body; content:"a="; nocase; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231; reference:url,doc.emergingthreats.net/2008958; classtype:trojan-activity; sid:2008958; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain"; dns.query; content:"a.ccmd.website"; endswith; fast_pattern; reference:url,www.guardicore.com/labs/smb-worm-indexsinas/; classtype:domain-c2; sid:2033235; rev:1; metadata:created_at 2021_07_05, former_category TROJAN, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/l.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/l.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011907; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Initial CnC Checkin Outbound"; flow:established,to_server; dsize:8; content:"|3e c7 e3 1e 37 47 61 20|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033237; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED exploit kit x/index.php?s=dexc"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"x/index.php?s=dexc"; nocase; classtype:exploit-kit; sid:2011905; rev:4; metadata:created_at 2010_11_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Initial CnC Checkin Inbound"; flow:established,to_server; dsize:8; content:"|3e c7 e3 1e 37 47 61 20|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033238; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Phoenix Exploit Kit - PROPFIND AVI"; flow:established,to_server; http.method; content:"PROPFIND"; http.uri; content:".avi"; classtype:exploit-kit; sid:2011513; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Bot Upload Command Outbound"; flow:established,from_server; dsize:8; content:"|b1 2f de ce cb 89 e1 a0|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033239; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - tmp/flash.swf"; flow:established,to_server; http.uri; content:"tmp/flash.swf"; classtype:exploit-kit; sid:2011514; rev:5; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Info Submission Outbound"; flow:established,to_server; dsize:<300; content:"|3a 31 34 b5 02 00|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033240; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Phoenix Exploit Kit - collab.pdf"; flow:established,to_server; http.uri; content:"collab.pdf"; classtype:exploit-kit; sid:2011515; rev:6; metadata:created_at 2010_09_27, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Info Submission Inbound"; flow:established,to_server; dsize:<300; content:"|3a 31 34 b5 02 00|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033241; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter RAT HTTP CnC Beacon"; flow:established,to_server; threshold: type both, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:".php?cId="; fast_pattern; content:"&hos"; distance:0; content:"Name="; distance:0; content:"Info="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; reference:md5,2b07e054a1abb2941e5e70fba652a211; classtype:command-and-control; sid:2023400; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Bitter_implant, signature_severity Major, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Attack Command Outbound"; flow:established,from_server; dsize:<70; content:"|ad af fe 7f|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033242; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PLATINUM Dipsind CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ud7LDjtsTHe2tWeC8DYo8A**"; fast_pattern; reference:md5,0cc901350eaffb8f84b920691460921f; classtype:command-and-control; sid:2024369; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category MALWARE, malware_family Dipsind, malware_family PLATINUM, signature_severity Major, tag APT, tag PLATINUM, tag c2, updated_at 2020_09_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Bot Upload Command Inbound"; flow:established,from_server; dsize:8; content:"|b1 2f de ce cb 89 e1 a0|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033244; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"site40.net"; endswith; fast_pattern; classtype:credential-theft; sid:2024470; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kaseya VSA Exploit Activity M1 (SET)"; flow:established,to_server; http.request_line; content:"POST|20|/dl.asp|20|"; fast_pattern; startswith; http.user_agent; content:"curl/"; startswith; flowbits:set,ET.kaseya1; flowbits:noalert; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033248; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent (Opera/8.89)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Opera/8.89 (Windows NT 6.0|3b 20|U|3b 20|en)|0d0a|"; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009530; classtype:trojan-activity; sid:2009530; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kaseya VSA Exploit Activity M2 (SET)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/KUpload.asp"; fast_pattern; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:set,ET.kaseya2; flowbits:noalert; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033249; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"showmyip."; reference:url,doc.emergingthreats.net/2008989; classtype:attempted-recon; sid:2008989; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/done.asp"; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:isset,ET.kaseya1; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033250; rev:1; metadata:affected_product Kaseya_VSA, attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO TRR DNS over HTTPS detected"; flow:established,to_server; http.header; content:"application/dns-udpwireformat"; reference:url,tools.ietf.org/html/draft-ietf-doh-dns-over-https-02; classtype:misc-activity; sid:2025980; rev:3; metadata:created_at 2018_08_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/done.asp"; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:isset,ET.kaseya2; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent Generic CnC Pattern"; flow:established,to_server; http.uri; content:"/rest/v"; content:"/clients/client?"; distance:0; content:"&agent_id="; distance:0; fast_pattern; http.user_agent; content:!"Mozilla"; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026436; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit URI Structure Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userFilterTableRpt.asp"; fast_pattern; endswith; http.method; http.user_agent; content:"curl/"; startswith; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033252; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; http.uri; content:"/trackedevent.aspx?"; nocase; content:"ver="; nocase; content:"&ver="; nocase; content:"&rnd="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:pup-activity; sid:2003306; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Payload 2021-07-06"; flow:established, to_server; http.uri; pcre: "/\.(?:exe|dll)$/"; http.header; content:"User-Agent|3a 20|charris"; fast_pattern; content:"UA-CPU|3a|"; http.header_names; content:!"Referer"; reference:md5,fda11c3ab0a8f8fb190456842974583c; classtype:trojan-activity; sid:2033253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Check-in Response"; flow:established,to_client; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity; sid:2015896; rev:5; metadata:created_at 2012_11_20, former_category TROJAN, updated_at 2020_09_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE Possible Siloscape IRC CnC JOIN Command Observed"; flow:established,to_server; content:"JOIN|20|#WindowsKubernetes"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/siloscape/; classtype:command-and-control; sid:2033266; rev:1; metadata:created_at 2021_07_07, former_category MALWARE, updated_at 2021_07_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; http.uri; content:"/aanval/flex/AanvalFlex"; nocase; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; classtype:misc-activity; sid:2008561; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC Channel join on non-standard port"; flow:to_server,established; content:"JOIN|20 3a 20|#"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; classtype:policy-violation; sid:2000351; rev:12; metadata:created_at 2010_07_30, updated_at 2021_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011378; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET MALWARE IRC Bot Download http Command"; flow:established,from_server; content:"JOIN|20 3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:5; metadata:created_at 2012_03_28, updated_at 2021_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011380; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WaterDropX PRISM CnC Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"@@"; fast_pattern; offset:1; content:"@@"; distance:1; within:2; content:"@@"; distance:0; within:50; isdataat:!6,relative; flowbits:isset,ET.waterdropx; classtype:command-and-control; sid:2033271; rev:2; metadata:created_at 2021_07_07, former_category MALWARE, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WaterDropX PRISM CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x?v="; content:"&act="; http.user_agent; content:"agent-waterdropx"; fast_pattern; flowbits:set,ET.waterdropx; classtype:command-and-control; sid:2033270; rev:2; metadata:created_at 2021_07_07, former_category MALWARE, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sharebusiness.xyz"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033277; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/csstidy/css_optimiser.php?"; nocase; content:"url="; nocase; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; classtype:web-application-attack; sid:2011383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=elwoodasset.xyz"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033278; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(?:ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/5609; reference:url,vupen.com/english/advisories/2009/2136; classtype:web-application-attack; sid:2011384; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.header; pcre:"/^Date\x3a\x20[^\r\n]+[0-9]{2}::[0-9]{2}\x20/"; http.header_names; content:"|0d 0a|Date|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; content:!"Accept"; http.user_agent; content:"Win"; bsize:3; reference:md5,f75e5710a5c84cec8e06b9b5c99e5400; reference:url,twitter.com/malware_traffic/status/1412914497338097664; classtype:trojan-activity; sid:2033279; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2021_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_noticeboard"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/12427; classtype:web-application-attack; sid:2011385; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_02;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (NHS UK Covid Passport Phish)"; flow:from_server,established; tls.cert_subject; content:"CN=nhs.applyonline20.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033286; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004132; classtype:web-application-attack; sid:2004132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8000: (msg:"ET MALWARE Malicious Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn/"; startswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.header_names; content:!"Referer"; reference:md5,0e0c65c206e1244987db350f3fefabd6; reference:md5,e31b4fb81764e4dd6bacab9baba266b4; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033289; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004133; classtype:web-application-attack; sid:2004133; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/updates"; bsize:8; http.cookie; content:"user="; startswith; fast_pattern; pcre:"/^[A-P]{256}$/R"; http.header_names; content:!"Referer"; reference:md5,5dfb7f863cd291544b9dfdb3de25162f; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033290; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004134; classtype:web-application-attack; sid:2004134; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Connection|3a 20|Keel-Alive"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59d23f4da9837474d3f2d9f6816bd716; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033291; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004135; classtype:web-application-attack; sid:2004135; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BIOPASS RAT Related Domain in DNS Lookup (0x3s .com)"; dns.query; content:"0x3s.com"; nocase; bsize:8; reference:url,www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:domain-c2; sid:2033292; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/device.rsp?opt=user&cmd=list"; depth:29; fast_pattern; http.cookie; content:"uid=admin"; nocase; reference:url,github.com/ezelf/CVE-2018-9995_dvr_credentials; reference:cve,2018-9995; classtype:attempted-admin; sid:2027971; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BIOPASS RAT Python Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/res/"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.host; content:"flashdownloadserver.oss-cn-hongkong.aliyuncs.com"; reference:md5,f0b96efe2f714e7bddf76cc90a8b8c88; reference:url,trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:trojan-activity; sid:2033293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_07_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Imposter USPS Domain"; flow:established,to_server; http.host; content:".usps.com."; fast_pattern; classtype:bad-unknown; sid:2015848; rev:5; metadata:created_at 2012_10_27, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BIOPASS RAT Go Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/res/"; startswith; fast_pattern; content:".exe"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.host; content:"flashdownloadserver.oss-cn-hongkong.aliyuncs.com"; reference:md5,f0b96efe2f714e7bddf76cc90a8b8c88; reference:url,trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:trojan-activity; sid:2033310; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_07_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Buffer Overflow in Builtin Web Server"; flow:established,to_server; urilen:>200; http.start; content:"GET|20 01 10 8f e2 11 ff|"; depth:10; fast_pattern; content:"aaaaaaaa"; distance:0; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:attempted-admin; sid:2027972; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DCRat CnC Exfil"; flow:established,to_server; urilen:>150; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^[a-f0-9]{32}\r\n\r\nPK/Rsi"; content:"Browsers/"; fast_pattern; distance:0; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3aa17643535d17db367447e1104e12d9; classtype:trojan-activity; sid:2033087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_07_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; http.user_agent; content:"Java/1."; http.host; pcre:"/\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?$/"; classtype:bad-unknown; sid:2016580; rev:6; metadata:created_at 2013_03_15, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SideWinder APT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.pakmarines.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033313; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004136; classtype:web-application-attack; sid:2004136; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WildPressure/Milum CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|pk="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20|Python-urllib/"; http.request_body; content:"pk="; startswith; content:"&value="; distance:0; pcre:"/^pk=[A-Za-z0-9]{8,50}&value=[a-f0-9]{50,500}$/s"; http.header_names; content:!"Referer"; reference:url,securelist.com/wildpressure-targets-macos/103072/; reference:md5,92a11f0dcb973d1a58d45c995993d854; classtype:trojan-activity; sid:2033316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004137; classtype:web-application-attack; sid:2004137; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation SpoofedScholars Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect/?memberemailid="; startswith; fast_pattern; pcre:"/^[A-Z]{2}-[A-Z0-9]{10,20}-[A-Z0-9]{6,10}-[A-Z0-9]{2,8}-[A-Z0-9]{2,8}-[0-9]{2,5}$/R"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2033317; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004138; classtype:web-application-attack; sid:2004138; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Maldoc/Zloader CnC)"; flow:from_server,established; content:"|0f|heavenlygem.com"; nocase; fast_pattern; content:"|2a|.heavenlygem.com"; classtype:domain-c2; sid:2033318; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004139; classtype:web-application-attack; sid:2004139; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)"; flow:established,to_client; file.data; content:"RhinoSoft"; content:"Serv-U"; distance:0; content:"\\r\\nCRhinoUintAttr\\r\\nLastHour\\r\\n"; fast_pattern; content:".Archive"; content:"Serv-U-Tray.exe"; content:"window.close|28 29|"; reference:md5,2443968bb4d1c9f5e99d4dd09fd754af; reference:url,www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211; classtype:trojan-activity; sid:2033321; rev:2; metadata:attack_target Server, created_at 2021_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id SELECT"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004647; classtype:web-application-attack; sid:2004647; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/otproc.asp"; bsize:11; http.user_agent; content:"Indy|20|Library|29|"; endswith; http.request_body; content:"sGbn="; startswith; fast_pattern; content:"&sGbn1="; distance:0; content:"&n5uid="; distance:0; http.header_names; content:!"Referer"; reference:md5,bf0c3851bd0cdd2bbdd3902326e37688; classtype:trojan-activity; sid:2033322; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004648; classtype:web-application-attack; sid:2004648; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AZORult CnC Domain (miscrosoftworrd .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"miscrosoftworrd.000webhostapp.com"; bsize:33; fast_pattern; reference:md5,6610271aeae6daa7df27641cba63115a; classtype:domain-c2; sid:2033323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_14, deployment Perimeter, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id INSERT"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004649; classtype:web-application-attack; sid:2004649; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Connectivity Check M2"; flow:to_server,established; http.uri; content:"/proxy.php"; endswith; fast_pattern; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3b 20|Win64|3b 20|x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/90.0.4430.85 Safari/537.36 OPR/76.0.4017.94"; bsize:131; http.host; content:"zennolab.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc171ee77dc2d657e0c018fcad17608f; classtype:trojan-activity; sid:2033324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id DELETE"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004650; classtype:web-application-attack; sid:2004650; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Connectivity Check M3"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3b 20|Win64|3b 20|x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/90.0.4430.85 Safari/537.36 OPR/76.0.4017.94"; bsize:131; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc171ee77dc2d657e0c018fcad17608f; classtype:trojan-activity; sid:2033325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ASCII"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004651; classtype:web-application-attack; sid:2004651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/htt_p"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,f85752f580eabe38362bea8e9bb61297; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:command-and-control; sid:2033327; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004652; classtype:web-application-attack; sid:2004652; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (msstore .io)"; dns.query; content:"msstore.io"; nocase; bsize:10; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033328; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft SELECT"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005304; classtype:web-application-attack; sid:2005304; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (adtracker .link)"; dns.query; content:"adtracker.link"; nocase; bsize:14; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033329; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UNION SELECT"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005305; classtype:web-application-attack; sid:2005305; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (cdnmobile .io)"; dns.query; content:"cdnmobile.io"; nocase; bsize:12; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033330; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft INSERT"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005306; classtype:web-application-attack; sid:2005306; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.DPRK MalDoc SysInfo CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|MAX_FILE_SIZE|22 0d 0a|"; content:"name=|22|userfile|22 3b 20|filename=|22|yo|22 0d 0a|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,8a7686430d9ad2832e8a4c3992186b36; classtype:trojan-activity; sid:2033331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft DELETE"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005307; classtype:web-application-attack; sid:2005307; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Checkin M1"; flow:established,to_server; content:"|00 44 a2 62 97 ec 0b db 04 08 1c 3c 59 32 28 08 b7|"; offset:3; depth:17; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ASCII"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005308; classtype:web-application-attack; sid:2005308; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Outbound M1"; flow:established,to_server; content:"|31 36 00 ba fe ef fa 6f d3 df bf 95 83 64 32 67 88 bc 83|"; dsize:19; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005309; classtype:web-application-attack; sid:2005309; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Inbound M1"; flow:established,to_client; content:"|31 36 00 da 1b 70 b5 96 ed a6 4a 18 8e ce 90 cc 5a fc 71|"; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay SELECT"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005310; classtype:web-application-attack; sid:2005310; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Checkin M2"; flow:established,to_server; content:"|00 93 2d 95 a9 6e fb 6c fb e0 02 ba 4b 2a a9 d9 e5|"; offset:3; depth:17; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UNION SELECT"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005187; classtype:web-application-attack; sid:2005187; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Outbound M2"; flow:established,to_server; content:"|31 36 00 0d 47 53 7a 9b 6b b1 37 a8 9b a9 97 b3 e6 8f 1d|"; dsize:19; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay INSERT"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005188; classtype:web-application-attack; sid:2005188; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Inbound M2"; flow:established,to_client; content:"|31 36 00 29 73 c4 34 06 b6 62 c3 2e d4 0f 86 fb f3 35 c0|"; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay DELETE"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005189; classtype:web-application-attack; sid:2005189; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket CnC Checkin"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/cert/trust"; bsize:11; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033339; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family Gasket, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ASCII"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005190; classtype:web-application-attack; sid:2005190; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket Requesting Commands from CnC"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/time/sync"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033340; rev:1; metadata:created_at 2021_07_15, former_category MALWARE, malware_family Gasket, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005191; classtype:web-application-attack; sid:2005191; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket Submitting Logs to CnC"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/cert/dist"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033341; rev:1; metadata:created_at 2021_07_15, former_category MALWARE, malware_family Gasket, updated_at 2021_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009838; classtype:web-application-attack; sid:2009838; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mespinoza Ransomware - Pre-Encryption File Exfil to CnC"; flow:established,to_server; http.uri; content:"/upload-"; startswith; fast_pattern; content:"?token="; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; content:"&id="; distance:0; content:"&fullPath="; distance:0; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family Mespinoza, signature_severity Major, tag Ransomware, updated_at 2021_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/archive.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009839; classtype:web-application-attack; sid:2009839; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; startswith; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:targeted-activity; sid:2009486; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_07_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/Archive.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009840; classtype:web-application-attack; sid:2009840; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_tt_p"; fast_pattern; bsize:7; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,14a2b8af48b6db92f047525d893eaeb8; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033172; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/comments.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009841; classtype:web-application-attack; sid:2009841; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"all-brain-company.xyz"; bsize:21; fast_pattern; reference:md5,997e848955296560d80ae65a1ec073d5; classtype:domain-c2; sid:2033344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/Comments.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009842; classtype:web-application-attack; sid:2009842; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"steven-gerrard-liverpool-future-dalglish--goal-"; http.host; content:!"www.liverpool.com"; reference:md5,10f8195621113f9c8de63ba139e91cff; classtype:command-and-control; sid:2033356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009843; classtype:web-application-attack; sid:2009843; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroStealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|nitropacked.zip|22 0d 0a|"; fast_pattern; content:"screenshot"; nocase; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,367ef1b1579a6987d5648bb95f7c9a10; classtype:trojan-activity; sid:2033361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/News.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009844; classtype:web-application-attack; sid:2009844; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/@/"; startswith; content:"/tele.txt"; fast_pattern; http.host; content:"microsoft-updates.servehttp.com"; bsize:31; reference:md5,f23dd9acbf28f324b290b970fbc40b30; classtype:trojan-activity; sid:2033363; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/SendFriend.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009845; classtype:web-application-attack; sid:2009845; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Telegram API Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1624838777:AAGjNO7By4SqVdmXRlSPcde2DRinvDNYbzA/"; fast_pattern; startswith; http.host; content:"api.telegram.org"; bsize:16; reference:md5,f23dd9acbf28f324b290b970fbc40b30; classtype:trojan-activity; sid:2033364; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key SELECT"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005949; classtype:web-application-attack; sid:2005949; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.sherifu/.k4m3l0t"; bsize:18; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:md5,99639dffa18356f683dbbbf4a6d3d023; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; classtype:trojan-activity; sid:2033366; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UNION SELECT"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005950; classtype:web-application-attack; sid:2005950; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Loader Activity M1 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.mini/.report_system"; bsize:21; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; reference:md5,92ea08fb8af71468bd74d19b1b9994cd; classtype:trojan-activity; sid:2033367; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key INSERT"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005951; classtype:web-application-attack; sid:2005951; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Loader Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.sherifu/"; startswith; fast_pattern; pcre:"/^\.(?:93joshua|purrple|black)$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; classtype:trojan-activity; sid:2033368; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key DELETE"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005952; classtype:web-application-attack; sid:2005952; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer Domain (cheapfacechange .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"cheapfacechange.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2033378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ASCII"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005953; classtype:web-application-attack; sid:2005953; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\.[A-F0-9]{32}\//"; http.header; content:"Accept|3a 20|*/*"; depth:12; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b 20|Windows NT 6.1|3b|"; content:"Host|3a 20|"; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])/R"; content:"Connection|3a 20|close"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; pcre:"/Content-Disposition\x3a\x20form-data\x3b\s*name=\x22(?:source|formdata|billinfo|cardinfo)\x22/m"; content:"=|22|billinfo|22|"; fast_pattern; classtype:trojan-activity; sid:2026738; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_19, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005954; classtype:web-application-attack; sid:2005954; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nova_assets/Sys/_Getcode/keywords="; fast_pattern; startswith; http.cookie; content:"skin="; startswith; content:"sparrow_init="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"cfruid="; distance:0; reference:url,twitter.com/mojoesec/status/1403072399860506638; reference:md5,4ba24c8dd87c35c1d7492eb31a14c2bd; classtype:trojan-activity; sid:2033384; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004253; classtype:web-application-attack; sid:2004253; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BOUNCEBEAM Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"/api/getTask?uniqid="; startswith; http.host; content:"cloudflare.5156game.com"; fast_pattern; bsize:23; reference:url,twitter.com/ESETresearch/status/1415542465176735748; reference:md5,429914c2cf45355ca4baa95a1dcdffab; reference:md5,19b8681e4dd4f9698ec324606a642dd6; reference:md5,bded44bf177a52a9ffbd13d077f8747d; classtype:command-and-control; sid:2033389; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004254; classtype:web-application-attack; sid:2004254; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BOUNCEBEAM Backdoor CnC Domain (cloudflare .5156game .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloudflare.5156game.com"; bsize:23; fast_pattern; reference:url,twitter.com/ESETresearch/status/1415542465176735748; reference:md5,429914c2cf45355ca4baa95a1dcdffab; reference:md5,bded44bf177a52a9ffbd13d077f8747d; reference:md5,19b8681e4dd4f9698ec324606a642dd6; classtype:command-and-control; sid:2033390; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004255; classtype:web-application-attack; sid:2004255; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)"; flow:established,to_server; dsize:<34; content:"|33 66 99|"; depth:3; byte_test:1,>=,2,3; byte_test:1,<=,30,3; byte_extract:1,4,length; isdataat:!length,relative; pcre:"/^[A-Za-z0-9_-]+$/Rsi"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030491; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2021_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004256; classtype:web-application-attack; sid:2004256; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; http.host; content:!"7zip.org"; content:!".bloomberg.com"; content:!".bitdefender.com"; content:!".microsoft.com"; endswith; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022550; rev:20; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2021_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004257; classtype:web-application-attack; sid:2004257; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible DarkRats Tor Traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; xbits:isset,ET.ipcheck,track ip_dst; xbits:isset,ET.dropsite,track ip_dst; classtype:trojan-activity; sid:2033387; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004258; classtype:web-application-attack; sid:2004258; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=UA, ST=Kyev, L=Kyev, O=GG UKR, OU=UA System, CN=monblan.ua"; bsize:60; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1418253931080163328; reference:md5,4d171ef3656ef56354ba8f336eab2cca; classtype:domain-c2; sid:2033391; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest search.php search parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?"; nocase; content:"searchfields[0]=ownerid"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33097; reference:url,milw0rm.com/exploits/7659; reference:url,doc.emergingthreats.net/2009058; classtype:web-application-attack; sid:2009058; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (krinsop .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"krinsop.com"; bsize:11; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; reference:md5,2232b445760712242a0e5ea456fcc700; classtype:domain-c2; sid:2033392; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page SELECT"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006455; classtype:web-application-attack; sid:2006455; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (charity-wallet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"charity-wallet.com"; bsize:18; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; reference:md5,a83083f276326a7a4e77416bb0cb1537; classtype:domain-c2; sid:2033393; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UNION SELECT"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006456; classtype:web-application-attack; sid:2006456; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (gmbfrom .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmbfrom.com"; bsize:11; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:domain-c2; sid:2033394; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page INSERT"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006457; classtype:web-application-attack; sid:2006457; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,1ea7d46d94299fa8bad4043c13100df0; classtype:command-and-control; sid:2033397; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page DELETE"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006458; classtype:web-application-attack; sid:2006458; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (cloudflare-cdnjs .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloudflare-cdnjs.com"; bsize:20; fast_pattern; reference:url,twitter.com/MBThreatIntel/status/1416101496022724609; reference:url,twitter.com/AffableKraut/status/1408512205289660429; classtype:domain-c2; sid:2033398; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page ASCII"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006459; classtype:web-application-attack; sid:2006459; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (static-zdassets .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"static-zdassets.com"; bsize:19; fast_pattern; reference:url,twitter.com/MBThreatIntel/status/1416101496022724609; reference:url,twitter.com/AffableKraut/status/1408512205289660429; classtype:domain-c2; sid:2033399; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006460; classtype:web-application-attack; sid:2006460; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dmechant Exfil Cryptowallets via SMTP"; flow:established,to_server; content:"|0d 0a|Subject|3a 20|Cryptowallets|3a 3a 3a 3a|"; reference:md5,e2da54028e5172ac42c89bc2271a2bb8; reference:url,www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials; classtype:command-and-control; sid:2033413; rev:1; metadata:created_at 2021_07_25, former_category TROJAN, updated_at 2021_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num SELECT"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005955; classtype:web-application-attack; sid:2005955; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dmechant Exfil Passwords via SMTP"; flow:established,to_server; content:"|0d 0a|Subject|3a 20|Passwords|3a 3a 3a 3a|"; fast_pattern; content:"Username|3a 20|"; distance:0; content:"CompName|3a 20|"; distance:0; content:"Password|20 3a 20|"; distance:0; content:"Application|20 3a 20|"; distance:0; content:"========"; reference:md5,e2da54028e5172ac42c89bc2271a2bb8; reference:url,www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials; classtype:command-and-control; sid:2033414; rev:1; metadata:created_at 2021_07_25, former_category TROJAN, updated_at 2021_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UNION SELECT"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005956; classtype:web-application-attack; sid:2005956; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RustyBuer CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"shipmentofficedepot.com"; endswith; classtype:domain-c2; sid:2033415; rev:1; metadata:created_at 2021_07_25, former_category MALWARE, updated_at 2021_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num INSERT"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005957; classtype:web-application-attack; sid:2005957; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Webshell Landing Outbound - Possibly Iran-based"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>filesystembrowser<|2f|title>"; content:"action=|22|?operation=upload|22|"; distance:0; fast_pattern; content:"<br>Auth|20|Key|3a|"; distance:0; within:100; classtype:command-and-control; sid:2033416; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num DELETE"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005958; classtype:web-application-attack; sid:2005958; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Upload Command Inbound - Possibly Iran-based"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?operation=upload"; fast_pattern; http.request_body; content:"name=|22|authKey|22|"; content:"name=|22|file|22|"; distance:0; classtype:command-and-control; sid:2033417; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ASCII"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005959; classtype:web-application-attack; sid:2005959; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Access with Known Password Inbound - Possibly Iran-based"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|authKey|22 0d 0a 0d 0a|woanware|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2033418; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005960; classtype:web-application-attack; sid:2005960; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Execute Command Inbound - Possibly Iran-based M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__VIEWSTATE="; startswith; content:"&txtAuthKey=20TyG6eQqEopbFMB&txtCommand="; fast_pattern; classtype:command-and-control; sid:2033419; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Unencrypted Connection to Ossec WUI"; flow:established,to_server; http.uri; content:"/ossec/"; content:"js/calendar-setup.js"; reference:url,www.ossec.net; reference:url,doc.emergingthreats.net/2008569; classtype:misc-activity; sid:2008569; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS stickseed Variant CnC Checkin"; dns.query; content:"efkezwpdxpsq3l"; startswith; fast_pattern; pcre:"/\.[dghbcijklmnfqrwxyz23stuopaev4569]{26}\.[a-z0-9_-]{1,50}\.[a-z]{2,8}$/"; classtype:command-and-control; sid:2033420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_26, former_category MALWARE, signature_severity Major, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005961; classtype:web-application-attack; sid:2005961; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malsmoke Staging Domain in SNI"; flow:to_server,established; tls.sni; content:"premiumpornotubes.com"; endswith; classtype:social-engineering; sid:2033421; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005962; classtype:web-application-attack; sid:2005962; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"yuidskadjna.com"; endswith; classtype:trojan-activity; sid:2033422; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005963; classtype:web-application-attack; sid:2005963; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"odjdnhsaj.com"; endswith; classtype:trojan-activity; sid:2033423; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005964; classtype:web-application-attack; sid:2005964; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Activity M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?u="; http.user_agent; content:"WinHTTP"; bsize:7; http.request_body; content:"p=<br><mark>Hello|3a 20|"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1fe34d84a058156296e86888ddd5cac9; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:command-and-control; sid:2033429; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005965; classtype:web-application-attack; sid:2005965; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (clank .hazari .ru)"; dns.query; content:"clank.hazari.ru"; nocase; bsize:15; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; reference:md5,ff95a2f9d3f40802afaa528f563feeee; classtype:domain-c2; sid:2033432; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005966; classtype:web-application-attack; sid:2005966; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (lump .semara .ru)"; dns.query; content:"lump.semara.ru"; nocase; bsize:14; reference:md5,919b119827ca1a947602096fb6328ba3; reference:md5,8959c893438f4a2d34f6eafcbc6f5e4d; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033433; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Centralops.net Domain Dossier Utility Probe"; flow:established,to_server; http.header; content:"USER-Agent|3a 20|Domain Dossier utility (http|3a|//CentralOps.net/)"; nocase; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003623; classtype:policy-violation; sid:2003623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (lovers .semara .ru)"; dns.query; content:"lovers.semara.ru"; nocase; bsize:16; reference:md5,b2193f0fb8b5ee8b2fe161cde30f4d65; reference:md5,557a2e80b2a070bb2f873b6489b026ee; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033434; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY python.urllib User Agent Web Crawl"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.header; content:"User-Agent|3a 20|"; nocase; content:"python.urllib/"; nocase; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002943; classtype:attempted-recon; sid:2002943; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (aconitum .xyz)"; dns.query; content:"aconitum.xyz"; nocase; bsize:12; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033435; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; http.uri; content:"/debug.cgi"; http.header; content:"Authorization|3a 20|Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; classtype:attempted-admin; sid:2011669; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (blattodea .ru)"; dns.query; content:"blattodea.ru"; nocase; bsize:12; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033436; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011794; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (hierodula .online)"; dns.query; content:"hierodula.online"; nocase; bsize:16; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033437; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2005177; classtype:web-application-attack; sid:2005177; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (tomond .ru)"; dns.query; content:"tomond.ru"; nocase; bsize:9; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033438; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id DELETE"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004549; classtype:web-application-attack; sid:2004549; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ClipBanker Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/report7.4.php"; bsize:14; fast_pattern; http.request_body; content:"p="; startswith; http.header_names; content:!"Referer"; reference:md5,64db07d60025e04128de8b508673b6fe; reference:url,www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf; classtype:trojan-activity; sid:2033439; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/login"; nocase; content:"login_username="; nocase; pcre:"/(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:cve,2009-1798; reference:url,doc.emergingthreats.net/2010862; classtype:web-application-attack; sid:2010862; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil via Discord M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:".lunar"; content:"|3b 20|filename="; within:12; content:"|0d 0a 0d 0a|[Username]"; distance:0; content:"[Username][TimeHacked]"; distance:0; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:command-and-control; sid:2033440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UNION SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006826; classtype:web-application-attack; sid:2006826; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Lunar Builder Exfil Response"; flow:established,to_client; http.content_type; content:"application/json"; bsize:16; file.data; content:"|22|title|22 3a 20 22|Lunar|20|Builder|22|"; fast_pattern; content:"|22|name|22 3a 20 22|Stolen|20|From|22 2c|"; distance:0; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:command-and-control; sid:2033449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf INSERT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006851; classtype:web-application-attack; sid:2006851; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com)"; dns.query; content:"page.googledocpage.com"; nocase; bsize:22; reference:md5,bcb4a8f190f2124be57496649078e0ae; reference:url,twitter.com/ShadowChasing1/status/1417324113840857092; classtype:domain-c2; sid:2033450; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login DELETE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006978; classtype:web-application-attack; sid:2006978; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity Sending Windows User Info (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uralchem/"; startswith; fast_pattern; pcre:"/^[a-zA-z]{8}\./R"; http.header_names; content:!"Referer"; reference:md5,7a7bc6e080657fc77acbcf91d1892d31; reference:url,twitter.com/ShadowChasing1/status/1417650046485495808; classtype:trojan-activity; sid:2033454; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006345; classtype:web-application-attack; sid:2006345; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 44Calibar Variant Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument"; distance:0; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"name|3d|caption|0d 0a 0d 0a|"; content:"44CALIBER"; nocase; within:15; fast_pattern; content:"Grabbed Software|3a|"; distance:0; reference:md5,fc489c5343f6db7d1be798a3ee331bdf; classtype:command-and-control; sid:2033455; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006346; classtype:web-application-attack; sid:2006346; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity Sending Windows User Info (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eabr/"; startswith; fast_pattern; pcre:"/^[a-zA-z]{8}\./R"; http.header_names; content:!"Referer"; reference:md5,c7f14020934ebcc55546fbd73a6e49d0; reference:url,twitter.com/ShadowChasing1/status/1417650046485495808; classtype:trojan-activity; sid:2033457; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006348; classtype:web-application-attack; sid:2006348; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (stg .pesrado .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"stg.pesrado.com"; bsize:15; fast_pattern; reference:url,twitter.com/mojoesec/status/1418625292105654275; reference:md5,69519748fdb0bedaab25c702bfd0ed9a; classtype:domain-c2; sid:2033458; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006349; classtype:web-application-attack; sid:2006349; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view.php?id=21504"; fast_pattern; http.host; content:"kr2959.atwebpages.com"; http.header_names; content:!"Referer"; reference:md5,72d43ff8f9ee0819e96ed7fd7d9a551a; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033590; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006350; classtype:web-application-attack; sid:2006350; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/report.php?key="; startswith; fast_pattern; http.host; content:"kr2959.atwebpages.com"; http.header_names; content:!"Referer"; reference:md5,72d43ff8f9ee0819e96ed7fd7d9a551a; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033591; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006351; classtype:web-application-attack; sid:2006351; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Heracles Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"cwyuno1c7n82bc201et81t627c8e6912r"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; threshold:type limit, track by_src, count 1, seconds 120; reference:md5,e0c6208936aa0cccd6867214145433b3; reference:url,tria.ge/210728-48w5bjla3x; classtype:command-and-control; sid:2033592; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006352; classtype:web-application-attack; sid:2006352; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Heracles Variant CnC Domain (stainless .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"stainless.fun"; bsize:13; fast_pattern; reference:md5,e0c6208936aa0cccd6867214145433b3; reference:url,tria.ge/210728-48w5bjla3x; classtype:domain-c2; sid:2033593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006795; classtype:web-application-attack; sid:2006795; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/expres.php?op=2"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,be4ab3c46d87b1900137647814f0f305; classtype:trojan-activity; sid:2033594; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UNION SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006796; classtype:web-application-attack; sid:2006796; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?who="; fast_pattern; content:"&secure="; distance:0; content:"&v="; distance:0; content:".exe|20|"; distance:0; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,5b2355014f72dc2714dc5a5f04fe9519; classtype:trojan-activity; sid:2033595; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi INSERT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006797; classtype:web-application-attack; sid:2006797; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?w="; fast_pattern; content:"&v="; distance:0; content:".exe|20|"; distance:0; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,d7b717134358bbeefc5796b5912369f0; classtype:trojan-activity; sid:2033596; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi DELETE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006798; classtype:web-application-attack; sid:2006798; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Script Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/list.php?query=1"; fast_pattern; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,78bdd34f641fb2d1992c8651298f4aff; classtype:trojan-activity; sid:2033597; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ASCII"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006799; classtype:web-application-attack; sid:2006799; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (HEAD)"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".dotm?q=6"; endswith; fast_pattern; http.user_agent; content:"Office"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a9b6cf8d8d0a67da4eea269dab16fe99; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033598; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006800; classtype:web-application-attack; sid:2006800; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat CnC Domain (dud-shotline .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dud-shotline.000webhostapp.com"; bsize:30; fast_pattern; reference:md5,a8c6a612108ac2266263c6a6be7a58cc; classtype:domain-c2; sid:2033608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, malware_family DCRat, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006801; classtype:web-application-attack; sid:2006801; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".netcatkit.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UNION SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006802; classtype:web-application-attack; sid:2006802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".sqlnetcat.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre INSERT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006803; classtype:web-application-attack; sid:2006803; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".b69kq.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033611; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre DELETE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006804; classtype:web-application-attack; sid:2006804; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zz3r0.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre ASCII"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006805; classtype:web-application-attack; sid:2006805; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ackng.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006806; classtype:web-application-attack; sid:2006806; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zer9g.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005603; classtype:web-application-attack; sid:2005603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".pp6r1.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005604; classtype:web-application-attack; sid:2005604; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hwqloan.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005605; classtype:web-application-attack; sid:2005605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".amynx.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033617; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005606; classtype:web-application-attack; sid:2005606; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".bb3u9.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005607; classtype:web-application-attack; sid:2005607; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".js88.ag"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005608; classtype:web-application-attack; sid:2005608; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cdnimages.xyz"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant SELECT"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007006; classtype:web-application-attack; sid:2007006; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdn.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033625; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UNION SELECT"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007007; classtype:web-application-attack; sid:2007007; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdnw5.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033624; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant INSERT"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007008; classtype:web-application-attack; sid:2007008; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=git-api.com"; nocase; fast_pattern; classtype:domain-c2; sid:2033623; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant DELETE"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007009; classtype:web-application-attack; sid:2007009; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=104-168-237-21.sslip.io"; nocase; fast_pattern; classtype:domain-c2; sid:2033622; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ASCII"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007010; classtype:web-application-attack; sid:2007010; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Meterpreter Paranoid Mode CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Texas, L=Austin, O=Development, CN=www.example.com"; bsize:59; fast_pattern; tls.cert_issuer; content:"C=US, ST=Texas, L=Austin, O=Development, CN=www.example.com"; bsize:59; reference:md5,7f969b888db2ac8aec19f2997167253e; reference:url,titanwolf.org/Network/Articles/Article?AID=97b8845a-85d0-407a-b14b-8dc773ed551b; classtype:domain-c2; sid:2033626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007011; classtype:web-application-attack; sid:2007011; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/USA/precision.dot"; fast_pattern; bsize:18; http.host; content:"usa-national.info"; bsize:17; reference:md5,26b29c539d0d35fd414e36884c380e0e; classtype:trojan-activity; sid:2033627; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007012; classtype:web-application-attack; sid:2007012; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer Domain (hellowoodie .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"hellowoodie.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2033628; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UNION SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007013; classtype:web-application-attack; sid:2007013; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CandyOpen/UniClient Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uniplatform/getVersion"; fast_pattern; bsize:23; http.host; content:"uniplatform.snyzt.org"; bsize:21; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf; reference:md5,2ad8bfde025d1a739eee02f3b23365c9; reference:url,www.hybrid-analysis.com/sample/a94d56067aa15f28f66a139eecc90e49b008bfa1f0faf7d65721ecfb68a6a6a2; classtype:trojan-activity; sid:2033629; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup INSERT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007014; classtype:web-application-attack; sid:2007014; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CandyOpen/UniClient Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uniplatform/getUniclientVersion"; fast_pattern; bsize:32; http.header_names; content:"|0d 0a|accept|0d 0a|User-Agent|0d 0a 0d 0a|"; bsize:24; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf; reference:md5,2ad8bfde025d1a739eee02f3b23365c9; reference:url,www.hybrid-analysis.com/sample/a94d56067aa15f28f66a139eecc90e49b008bfa1f0faf7d65721ecfb68a6a6a2; classtype:trojan-activity; sid:2033631; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup DELETE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007015; classtype:web-application-attack; sid:2007015; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M1"; flow:established,to_client; tls.cert_subject; content:"C=IL, O=StartCom Ltd., CN="; startswith; isdataat:!20,relative; tls.cert_subject; content:"CN=*"; endswith; reference:url,community.riskiq.com/article/541a465f; classtype:command-and-control; sid:2033632; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ASCII"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007016; classtype:web-application-attack; sid:2007016; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M2"; flow:established,to_client; tls.cert_subject; content:"C=KR, O=SGssl, CN="; startswith; isdataat:!20,relative; tls.cert_subject; content:"CN=*"; endswith; reference:url,community.riskiq.com/article/541a465f; classtype:command-and-control; sid:2033633; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007017; classtype:web-application-attack; sid:2007017; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M3"; flow:established,to_client; tls.cert_subject; content:"C=US, O=GMO GlobalSign, Inc"; startswith; fast_pattern; tls.cert_issuer; content:"C=US, O=GMO GlobalSign, Inc, CN=*"; bsize:33; reference:url,community.riskiq.com/article/642d186e; classtype:command-and-control; sid:2033634; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007018; classtype:web-application-attack; sid:2007018; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)"; dns.query; content:"paymenthacks.com"; nocase; bsize:16; reference:url,twitter.com/Arkbird_SOLG/status/1421984944792944643; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:domain-c2; sid:2033635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UNION SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007019; classtype:web-application-attack; sid:2007019; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)"; dns.query; content:"mojobiden.com"; nocase; bsize:13; reference:url,twitter.com/Arkbird_SOLG/status/1421984944792944643; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:domain-c2; sid:2033636; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup INSERT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007020; classtype:web-application-attack; sid:2007020; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackMatter CnC Activity"; flow:established,to_server; http.request_line; content:"POST /?"; startswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|keep-alive|0d 0a|Accept-Encoding|3a 20|gzip, deflate, br|0d 0a|Content-Type|3a 20|text/plain|0d 0a|User-Agent|3a 20|"; startswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:104; http.user_agent; content:"/"; content:!"/"; distance:0; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:command-and-control; sid:2033643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup DELETE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007021; classtype:web-application-attack; sid:2007021; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (www .msfthelpdesk .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.msfthelpdesk.com"; bsize:20; fast_pattern; reference:md5,37c44fe692371563ebc10fade5142918; reference:url,twitter.com/mojoesec/status/1421198691742986243; classtype:domain-c2; sid:2033644; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ASCII"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007022; classtype:web-application-attack; sid:2007022; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/success?q=7b226964223a22"; nocase; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html; reference:md5,e3bd6b1694b35bef352b2303b46ce522; classtype:trojan-activity; sid:2033646; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007023; classtype:web-application-attack; sid:2007023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![445,139] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND)"; flow:to_server,established; dsize:248; content:"|18 18|"; offset:2; depth:2; content:!"|18 18|"; within:2; content:"|18 18|"; distance:2; within:2; content:!"|18 18|"; within:2; content:"|18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18|"; pcre:"/[^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18/R"; reference:md5,16549f8a09fd5724f2107a8f18dca10b; classtype:command-and-control; sid:2019204; rev:11; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Miva Merchant Cross Site Scripting Attack"; flow:to_server,established; http.uri; content:"merchant.mv"; nocase; content:"customer_login"; nocase; pcre:"/customer_login.*\">/i"; reference:bugtraq,14828; reference:url,smallbusiness.miva.com/products/mia/; reference:url,www.frsirt.com/english/advisories/2005/1758; reference:url,doc.emergingthreats.net/2002371; classtype:web-application-activity; sid:2002371; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Jupyter Stealer Related Activity (GET)"; flow:established,to_server; http.start; content:"GET /get/"; startswith; content:".ps1 HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,e3bd6b1694b35bef352b2303b46ce522; classtype:trojan-activity; sid:2033645; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/viewsource.php?"; nocase; content:"dirn="; nocase; reference:url,milw0rm.com/exploits/5394; reference:url,secunia.com/advisories/29685; reference:bugtraq,28659; reference:url,doc.emergingthreats.net/2009437; classtype:web-application-attack; sid:2009437; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Rootkit Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/safe/"; startswith; content:"?appid="; distance:0; content:"&m="; distance:0; content:"&nonce_str="; distance:0; content:"&time_stamp="; distance:0; content:"&sign="; distance:0; http.user_agent; content:"Http-connect"; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033647; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/viewsource.php?"; nocase; content:"fname="; nocase; reference:url,milw0rm.com/exploits/5394; reference:url,secunia.com/advisories/29685; reference:bugtraq,28659; reference:url,doc.emergingthreats.net/2009430; classtype:web-application-attack; sid:2009430; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Rootkit Checkin Activity (getSystemInfo)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/system/getSystemInfo"; bsize:25; fast_pattern; http.user_agent; content:"Http-connect"; bsize:12; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033648; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004635; classtype:web-application-attack; sid:2004635; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xml/"; bsize:5; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; bsize:65; http.host; content:"freegeoip.net"; bsize:13; fast_pattern; http.header_names; content:!"Referer"; reference:md5,aabf88d786c8a58cccae674621277a54; classtype:trojan-activity; sid:2033649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004714; classtype:web-application-attack; sid:2004714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SSV Agent CnC Activity"; flow:established,to_server; http.request_body; content:"|00 00 00 01 00 00 00 01 00 00 00|"; offset:1; depth:11; fast_pattern; pcre:"/^[A-F0-9]{32}/R"; reference:url,github.com/ptresearch/AttackDetection/tree/master/APT31; reference:md5,db1673a1e8316287cb940725bb6caa68; classtype:command-and-control; sid:2033650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c SELECT"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004164; classtype:web-application-attack; sid:2004164; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (edgecloudc .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".edgecloudc.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004165; classtype:web-application-attack; sid:2004165; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (be-government .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".be-government.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c INSERT"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004166; classtype:web-application-attack; sid:2004166; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (gitcloudcache .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".gitcloudcache.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c DELETE"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004167; classtype:web-application-attack; sid:2004167; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (hostupoeui .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".hostupoeui.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004169; classtype:web-application-attack; sid:2004169; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (drmtake .tk in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".drmtake.tk"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName SELECT"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005778; classtype:web-application-attack; sid:2005778; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (rsnet-devel .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".rsnet-devel.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UNION SELECT"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005779; classtype:web-application-attack; sid:2005779; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (flushcdn .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".flushcdn.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName INSERT"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005780; classtype:web-application-attack; sid:2005780; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup"; dns.query; content:"cloud-documents.com"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName DELETE"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005781; classtype:web-application-attack; sid:2005781; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc CnC Domain (cloud-documents .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloud-documents.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033664; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ASCII"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005782; classtype:web-application-attack; sid:2005782; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gopstoporchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"gopstoporchestra.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033667; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005783; classtype:web-application-attack; sid:2005783; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (onlineworkercz .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"onlineworkercz.com"; bsize:18; fast_pattern; reference:url,thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/; classtype:domain-c2; sid:2033668; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/global.php?"; nocase; content:"pfad="; nocase; pcre:"/(?:\.\.\/){1,}/"; reference:url,secunia.com/advisories/32986/; reference:url,milw0rm.com/exploits/7335; reference:url,doc.emergingthreats.net/2008938; classtype:web-application-attack; sid:2008938; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; urilen:3; http.method; content:"GET"; http.cookie; content:"reg_fb_gate="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,bed512b1b901f03d421d39132a6c75b6; reference:url,thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/; classtype:trojan-activity; sid:2033669; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Multiple Membership Script id parameter SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sitepage.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33019/; reference:url,milw0rm.com/exploits/7346; reference:url,doc.emergingthreats.net/2008994; classtype:web-application-attack; sid:2008994; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Thallium  CnC Domain in DNS Lookup"; dns.query; content:"tksrpdl.atwebpages.com"; nocase; bsize:22; reference:url,twitter.com/cyberwar_15/status/1422692746909786112; classtype:domain-c2; sid:2033670; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start INSERT"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005855; classtype:web-application-attack; sid:2005855; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrickBot Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/r/tomkruzback.bazar"; fast_pattern; bsize:20; http.host; content:"dns."; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad938b03f3719bf14f1e14c90a73ff2b; classtype:trojan-activity; sid:2033660; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004461; classtype:web-application-attack; sid:2004461; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup (societyf500 .ddns .net)"; dns.query; content:"societyf500.ddns.net"; nocase; bsize:20; reference:url,twitter.com/JAMESWT_MHT/status/1422813422828331009; classtype:domain-c2; sid:2033671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004683; classtype:web-application-attack; sid:2004683; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideCopy Group Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css/css/b/l/i2.php"; bsize:19; fast_pattern; http.accept_enc; content:"gzip,|20|deflate"; bsize:13; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1422914152381616134; reference:url,twitter.com/c3rb3ru5d3d53c/status/1422982036365750275; reference:md5,896793b5a446fb3a648a7f290a2b38cd; reference:md5,8e07953b96ffa7ee7f5d0fa6fea71a6a; classtype:trojan-activity; sid:2033680; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp INSERT"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006083; classtype:web-application-attack; sid:2006083; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roboto."; fast_pattern; pcre:"/^tt[cf]$/R"; http.user_agent; content:!"Windows"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029040; rev:3; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2021_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp SELECT"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006093; classtype:web-application-attack; sid:2006093; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Observed SSL/TLS Cert (Splashtop Remote Support)"; flow:from_server,established; tls.cert_subject; content:"CN=Splashtop Inc. Self CA"; nocase; fast_pattern; classtype:domain-c2; sid:2033685; rev:1; metadata:attack_target Client_and_Server, created_at 2021_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/section.php?"; nocase; content:"Module_Text="; nocase; content:"ID="; nocase; content:"Lang="; nocase; content:"Nav="; nocase; content:"Module="; nocase; reference:url,packetstormsecurity.org/1005-exploits/724cms459-lfi.txt; classtype:web-application-attack; sid:2011828; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"mariamistado.com"; nocase; bsize:16; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/classes/flash_mp3_player/extras/external_feeds/getfeed.php?"; nocase; content:"file="; nocase; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011829; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"arctiusa.com"; nocase; bsize:12; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php?"; nocase; content:"file="; nocase; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011830; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"onecoloradosport.com"; nocase; bsize:20; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/admin.lib.inc.php?"; nocase; content:"site_path="; nocase; pcre:"/site_path=\s*(?:ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/1010-exploits/cmsboard-rfi.txt; classtype:web-application-attack; sid:2011831; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"fivefkl.com"; nocase; bsize:11; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011832; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"amusient.com"; nocase; bsize:12; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011833; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"fondfbr.com"; nocase; bsize:11; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011834; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yuxicu.com"; bsize:10; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt; classtype:domain-c2; sid:2033699; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011835; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gojihu.com"; bsize:10; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt; classtype:domain-c2; sid:2033700; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011836; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TeamTNT Linux Miner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s3f715/"; startswith; http.host; content:"oracle.htxreceive.top"; fast_pattern; bsize:21; reference:url,blog.netlab.360.com/wei-xie-kuai-xun-teamtntxin-huo-dong-tong-guo-gan-ran-wang-ye-wen-jian-ti-gao-chuan-bo-neng-li/; classtype:trojan-activity; sid:2033702; rev:1; metadata:attack_target Linux_Unix, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?"; nocase; content:"mosConfig_live_site="; nocase; pcre:"/mosConfig_live_site=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,19198; reference:cve,CVE-2006-3930; classtype:web-application-attack; sid:2011837; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Campo Loader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/campo/"; startswith; fast_pattern; pcre:"/^[a-z](?:[0-9])?\/[a-z](?:[0-9]?)$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/; reference:md5,c865db24e6a0ca317424eb1c1543426e; reference:md5,dd6c4275c1b7b761b6f96a7e1e2f3607; classtype:trojan-activity; sid:2032352; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011838; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Injects)"; flow:established,to_client; tls.cert_subject; content:"inbizintesansanpaolo.com"; bsize:24; fast_pattern; classtype:domain-c2; sid:2033703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011840; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Malicious VBS Script Activity"; flow:established,to_server; http.uri; content:"/user/get/"; startswith; fast_pattern; http.user_agent; content:"Microsoft BITS/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blog.group-ib.com/prometheus-tds; classtype:trojan-activity; sid:2033704; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011841; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IIStealer CnC Domain in DNS Lookup (xinxx .allsoulu .com)"; dns.query; content:"xinxx.allsoulu.com"; nocase; bsize:18; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; reference:url,www.welivesecurity.com/2021/08/06/iistealer-server-side-threat-ecommerce-transactions/; classtype:command-and-control; sid:2033705; rev:1; metadata:attack_target Web_Server, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011842; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIStealer Inbound Exfil Request"; flow:established,to_server; http.uri; content:"/privacy.aspx"; bsize:13; http.header; content:"|0d 0a|X-IIS-Data|3a 20|"; fast_pattern; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; classtype:trojan-activity; sid:2033706; rev:1; metadata:attack_target Server, created_at 2021_08_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/baconmap/admin/updatelist.php?"; nocase; content:"filepath="; nocase; reference:url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt; classtype:web-application-attack; sid:2011843; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIStealer Inbound Exfil Request M2"; flow:established,to_server; http.uri; content:"/checkout/Payment.aspx"; bsize:22; http.header; content:"|0d 0a|X-IIS-Data|3a 20|"; fast_pattern; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; classtype:trojan-activity; sid:2033707; rev:1; metadata:attack_target Server, created_at 2021_08_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/com_rwcards/rwcards.advancedate.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt; classtype:web-application-attack; sid:2011844; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown DPRK Threat Actor Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccom"; startswith; pcre:"/^(?:[1-3]?)\/download\.php\?filename=ccom/R"; http.host; content:".atwebpages.com"; endswith; reference:url,asec.ahnlab.com/ko/26183; reference:md5,833794f663ddecd3533c661c9ac5fef6; reference:md5,857a0eb7dcd9c63f4474a069012a3389; classtype:trojan-activity; sid:2033708; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/html/11-login.asp?"; nocase; content:"intPassedLocationID="; nocase; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,43865; classtype:web-application-attack; sid:2011845; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAdmin Activity"; flow:established,to_server; http.uri; content:"install|3f|"; nocase; content:"country|3d|"; nocase; http.user_agent; content:"Tightrope Bundle Manager"; nocase; http.header_names; content:"|0d 0a|x|2d|webinstallcode|0d 0a|"; nocase; content:"|0d 0a|x|2d|exename|0d 0a|"; nocase; content:"|0d 0a|x|2d|webinstallurl|0d 0a|"; nocase; threshold: type limit, track by_src, seconds 180, count 1; reference:md5,36d8c484882c961b2f351bb4c73536e1; classtype:trojan-activity; sid:2033709; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"uniqcode=KPI"; nocase; content:"menu_no_top=performance"; nocase; content:"uri="; nocase; reference:url,exploit-db.com/exploits/15232; classtype:web-application-attack; sid:2011846; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http any any -> any any (msg:"ET MALWARE Suspected Praying Mantis Threat Actor Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0+(Windows+NT+10.0|3b|+WOW64|3b|+Trident/7.0|3b|+rv|3a|11.0)+like+Gecko"; bsize:69; fast_pattern; reference:url,f.hubspotusercontent30.net/hubfs/8776530/TG1021%20-%20Praying%20Mantis%20Threat%20Actor.pdf; classtype:trojan-activity; sid:2033710; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/real_estate/index.php?"; nocase; content:"option=com_jomestate"; nocase; content:"task="; nocase; pcre:"/task=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/12835; classtype:web-application-attack; sid:2011847; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (msresearchcenter .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"msresearchcenter.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033714; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_08_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/news/search.php3?"; nocase; content:"bn="; nocase; pcre:"/bn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011852; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Server Response"; flow:established,to_client; dsize:10; content:"|7e 62 6c 61 63 6b 20 68 61 74|"; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; classtype:command-and-control; sid:2033715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_08_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/detail.php?"; nocase; content:"siteid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,frsirt.com/english/advisories/2008/3079; reference:bugtraq,32191; reference:url,doc.emergingthreats.net/2008838; classtype:web-application-attack; sid:2008838; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Chinese Threat Actor Malicious Redirect Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/public/"; startswith; fast_pattern; pcre:"/^x?\/jquery\.min\.js\?ver=[0-9a-f]{24}$/R"; http.referer; content:"/s/02B"; pcre:"/^[a-z]$/R"; reference:url,imp0rtp3.wordpress.com/2021/08/12/tetris/; classtype:trojan-activity; sid:2033720; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID DELETE"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006138; classtype:web-application-attack; sid:2006138; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown Chinese Threat Actor CnC Domain in DNS Lookup"; dns.query; content:"googledrivers.com"; nocase; bsize:17; reference:url,imp0rtp3.wordpress.com/2021/08/12/tetris/; classtype:domain-c2; sid:2033721; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006158; classtype:web-application-attack; sid:2006158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (office360-expert .online)"; dns.query; content:"office360-expert.online"; nocase; bsize:23; reference:md5,fbc037e68f5988df9190cdadf7424752; reference:url,twitter.com/NinjaOperator/status/1354526362627936258; classtype:domain-c2; sid:2033722; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bazar/picturelib.php?"; nocase; content:"cat="; nocase; pcre:"/cat=\s*(?:ftps?|https?|php)\x3a\//i"; reference:cve,CVE-2010-2315; reference:url,exploit-db.com/exploits/12855/; classtype:web-application-attack; sid:2011880; rev:4; metadata:created_at 2010_10_29, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sell/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:md5,fbc037e68f5988df9190cdadf7424752; reference:url,twitter.com/NinjaOperator/status/1354526362627936258; classtype:trojan-activity; sid:2033723; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/loadplugin.php?"; nocase; content:"load="; nocase; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; classtype:web-application-attack; sid:2011884; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (ntc-pk .sytes .net)"; dns.query; content:"ntc-pk.sytes.net"; nocase; bsize:16; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; reference:md5,dc7044f273b0a161279ddce8c5dff0a7; classtype:domain-c2; sid:2033724; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Scan in Progress"; flow:established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.uri; content:"/thereIsNoWayThat-You-CanBeThere"; nocase; reference:url,www.owasp.org/index.php/Category%3aOWASP_DirBuster_Project; classtype:attempted-recon; sid:2011914; rev:3; metadata:created_at 2010_11_09, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-48 Related Activity Retrieving ConsoleHost (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Index-out/"; startswith; content:"/raw/main/ConsoleHost"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.host; content:"github.com"; bsize:10; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; reference:md5,2d8a0bd2b45683d9c00d7e1cb0999e3a; classtype:trojan-activity; sid:2033725; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/classes/BxDolGzip.php?"; nocase; content:"file="; nocase; reference:url,secunia.com/advisories/42108; reference:url,exploit-db.com/exploits/15400/; classtype:web-application-attack; sid:2011936; rev:4; metadata:created_at 2010_11_19, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (nitb .pk-gov .org)"; dns.query; content:"nitb.pk-gov.org"; nocase; bsize:15; reference:md5,1255eb3e81ec17d030da6884e0d3c724; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; classtype:domain-c2; sid:2033726; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/thumbnailformpost.inc.php?"; nocase; content:"adminlangfile="; nocase; reference:url,exploit-db.com/exploits/15345/; classtype:web-application-attack; sid:2011928; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCRat/Gh0st CnC Beacon Request (Xfire variant)"; flow:established,to_server; stream_size:server,=,1; content:"|58 66 69 72 65|"; startswith; content:!"|00 00|"; within:2; content:"|00 00|"; distance:2; within:2; content:!"|00 00|"; within:2; content:"|00 00|"; distance:2; within:2; byte_jump:4,5,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:md5,7a55388f877ce40d2abf72ea5ee2a6b8; classtype:command-and-control; sid:2033731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011930; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Agent.OMP Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.request_body; content:"pc="; startswith; content:"&g-passwds="; fast_pattern; distance:0; reference:md5,61f9fc4c3fe06dca2fcaa678144bb59a; classtype:command-and-control; sid:2033732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011931; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"sparrowsgroup.org"; nocase; bsize:17; classtype:domain-c2; sid:2035799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"electroboard.net"; nocase; bsize:16; classtype:domain-c2; sid:2035800; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php?"; nocase; content:"gid="; nocase; pcre:"/gid\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42195; classtype:web-application-attack; sid:2011942; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"exprogroup.org"; nocase; bsize:14; classtype:domain-c2; sid:2035801; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011943; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"elecresearch.org"; nocase; bsize:16; classtype:domain-c2; sid:2035802; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011944; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 65535 (msg:"ET MALWARE DarkWay Client Checkin"; flow:established,to_server; content:"|1f 8b 08 00 00 00 00 00 04 00|"; startswith; fast_pattern; content:"|00 00|"; endswith; reference:md5,afe88d8042a796816c8a7251a6e2fddc; reference:md5,bf95d7062c1c7df67ce9fff64a213cf2; reference:url,twitter.com/_jsoo_/status/1423975922164633601; classtype:command-and-control; sid:2033737; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011946; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLUELIGHT Payload Domain (storage .jquery .services in TLS SNI)"; flow:established,to_server; tls.sni; content:"storage.jquery.services"; bsize:23; fast_pattern; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:domain-c2; sid:2033739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, signature_severity Major, updated_at 2021_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011947; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BLUELIGHT OAuth Login Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth20_token.srf"; bsize:18; nocase; http.request_body; content:"client_id=b893cacd-9d41-4457-9e7d-47081a065095&client_secret=KT_onD~A9uRpIyjzoL_O1w3pDZ~1Zz488C"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,0b649bc5dbbf21801c21aaa5e5f79fc6; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:trojan-activity; sid:2033740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BLUELIGHT, signature_severity Major, updated_at 2021_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/includes/window_top.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011948; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BLUELIGHT OAuth Login Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth20_token.srf"; bsize:18; nocase; http.header; content:"|0d 0a|User-Agent|3a 20|Myapp|0d 0a|"; fast_pattern; http.request_body; content:"client_id="; startswith; content:"&client_secret="; distance:36; within:15; content:"&refresh_token="; distance:0; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,0b649bc5dbbf21801c21aaa5e5f79fc6; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:trojan-activity; sid:2033741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, former_category MALWARE, malware_family BLUELIGHT, signature_severity Major, updated_at 2021_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/control/common.php?"; nocase; content:"lang_file="; nocase; pcre:"/lang_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011949; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.DNL CnC Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|TaskResult|22|"; content:"|22|Date|22|"; content:"|22|owner|22|"; fast_pattern; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:command-and-control; sid:2033743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/header.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011950; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.DNL Server Response Task (whoami)"; flow:established,to_client; http.content_type; content:"application/json|3b|"; startswith; file.data; content:"|7b 22|command|22 3a 22|d2hvYW1p|22 7d|"; bsize:22; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Date|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:40; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:command-and-control; sid:2033744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011932; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Malgent!MSR Dropper Requesting Payload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; endswith; http.request_body; content:"4F440D71527A05240C72440216527C015109"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,4c1e57a0388a703307319d17ae5e9039; classtype:trojan-activity; sid:2033746; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Malgent!MSR User-Agent"; flow:established,to_server; http.user_agent; content:"Not a Virus Download A"; bsize:22; fast_pattern; http.header_names; content:!"Referer"; reference:md5,4c1e57a0388a703307319d17ae5e9039; classtype:trojan-activity; sid:2033747; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011945; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; http.uri; content:".exe"; fast_pattern; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/"; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.host; content:!".bloomberg.com"; content:!"leg1.state.va.us"; content:!"7-zip.org"; content:!"virginia.gov"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:45; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022566; rev:8; metadata:created_at 2016_02_26, former_category MALWARE, updated_at 2021_08_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softbiz Article Directory Script sbiz_id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/server/article_details.php?"; nocase; content:"sbiz_id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/14910/; classtype:web-application-attack; sid:2011987; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp any ![902] -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 3"; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020019; rev:3; metadata:created_at 2014_12_23, updated_at 2021_08_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Metasploit WMAP GET len 0 and type"; flow:established,to_server; threshold: type limit, track by_src,count 1,seconds 60; http.method; content:"GET"; http.header; content:"|0d 0a|Content-Type|3A 20|text/plain|0d 0a|Content-Length|3A 20|0|0d 0a|"; classtype:attempted-recon; sid:2011974; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_11_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?q="; content:"o543n"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.request_body; content:"|7b 22|Data|22 3a 5b 22|"; startswith; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; content:"|22 5d 7d|"; classtype:command-and-control; sid:2033762; rev:1; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006494; classtype:web-application-attack; sid:2006494; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/images/"; fast_pattern; content:".gif"; distance:100; pcre:"/\/images(?:\/[a-zA-Z0-9_]+)+\.gif$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/mi"; http.user_agent; content:!"ms-office"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021813; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006501; classtype:web-application-attack; sid:2006501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .magicalgirlonlive .com)"; dns.query; content:"www.magicalgirlonlive.com"; nocase; bsize:25; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033763; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004147; classtype:web-application-attack; sid:2004147; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .getkiplayer .com)"; dns.query; content:"www.getkiplayer.com"; nocase; bsize:19; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033764; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids SELECT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004666; classtype:web-application-attack; sid:2004666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .supapureigemu .com)"; dns.query; content:"www.supapureigemu.com"; nocase; bsize:21; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033765; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012001; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .chirigame .com)"; dns.query; content:"www.chirigame.com"; nocase; bsize:17; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033766; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012002; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|D3|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012003; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|D4|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012004; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M3"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|BUNIFU|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033770; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012005; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M4"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|EXE|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Base/example_1.php?"; nocase; content:"GLOBALS[MM_ROOT_DIRECTORY]="; nocase; pcre:"/GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15441/; classtype:web-application-attack; sid:2012006; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware CnC Checkin"; http.method; content:"POST"; http.uri; content:"|2f|key|2f|"; http.host; content:"karen|2e|"; startswith; fast_pattern; http.user_agent; content:"Go|2d|http|2d|client"; http.request_body; content:"id|3d|"; startswith; content:"|2d|"; distance:8; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|26|key|3d|"; distance:12; within:5; isdataat:!513,relative; pcre:"/id\x3d[a-z0-9]{8}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{12}\x26key\x3d[a-z0-9]{512}/"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; pcre:"/skin_file=\s*(ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012007; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware Powershell Loader"; http.method; content:"GET"; http.uri; content:"|2f|loader|2f|loader2.ps1"; fast_pattern; http.host; content:"karen|2e|"; startswith; http.user_agent; content:"Go|2d|http|2d|client"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Apache2 Memory Corruption Inbound (CVE-2020-9490)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Cache-Digest|3a 20|EA"; fast_pattern; pcre:"/^(?:8=|9BQQ==)\r?\n?/R"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2030&q=apache&can=1; reference:cve,2020-9490; classtype:attempted-admin; sid:2030830; rev:1; metadata:created_at 2020_09_03, cve CVE_2020_9490, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_03;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware Domain (karen .h07 .wlh .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"karen.h07.wlh.io"; bsize:16; fast_pattern; reference:url,twitter.com/fbgwls245/status/1427610307283677186; reference:url,F155EC35D67F746593CE8CC4E64D33E5; classtype:trojan-activity; sid:2033774; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-09-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; content:"&submit=Next"; fast_pattern; nocase; isdataat:!1,relative; pcre:"/^password=[^&]*&submit=Next$/i"; classtype:trojan-activity; sid:2031872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; fast_pattern; http.request_body; content:"g="; startswith; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033776; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?di="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033777; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/feedlist/handler_image.php?"; nocase; content:"i="; nocase; pcre:"/i\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42197/; reference:url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56; classtype:web-application-attack; sid:2012009; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; fast_pattern; http.request_body; content:"silly=./"; startswith; content:"&kusr="; distance:0; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033778; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/initsystem.php?"; nocase; content:"loader_file="; nocase; reference:url,secunia.com/advisories/42101/; classtype:web-application-attack; sid:2012010; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE a310Logger Stealer Exfil (SMTP)"; flow:established,to_server; content:"Subject|3a 20|Passwords:::"; fast_pattern; content:"CompName|3a 20|"; content:"Windows|20|Version|3a 20|"; content:"Url"; content:"============================="; reference:md5,3ad8fcbd4c1f1d525207679eb23f3e3c; reference:url,twitter.com/James_inthe_box/status/1407463890078691331; reference:url,app.any.run/tasks/f403243a-ee3c-4797-ba30-616c766d6005/; classtype:trojan-activity; sid:2033167; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/fetchmailprefs.php?"; nocase; content:"actionID=fetchmail_prefs_save"; nocase; content:"fm_driver=imap"; nocase; content:"fm_id="; nocase; pcre:"/fm_id\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt; classtype:web-application-attack; sid:2012011; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Clipboard Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Keylogger|3a 3a 3a|"; fast_pattern; content:"[CLIPBOARD]"; distance:0; reference:md5,5f04cfa0c174af13b9825337bfa7691f; classtype:trojan-activity; sid:2033779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/api/download_launch.php?"; nocase; content:"filename="; nocase; reference:url,exploit-db.com/exploits/13966/; classtype:web-application-attack; sid:2012012; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Data Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Data|3a 3a 3a|"; fast_pattern; content:".zip|22 0d 0a 0d 0a|UEsDB"; distance:0; reference:md5,5f04cfa0c174af13b9825337bfa7691f; classtype:trojan-activity; sid:2033780; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_smf/smf.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt; classtype:web-application-attack; sid:2012013; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup"; dns.query; content:"update.facebookint.workers.dev"; nocase; bsize:30; reference:url,www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:domain-c2; sid:2033784; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Winnti_related, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jimtawl"; nocase; content:"Itemid="; nocase; content:"task="; nocase; reference:url,expbase.com/WebApps/13388.html; reference:url,secunia.com/advisories/42324/; classtype:web-application-attack; sid:2012014; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup"; dns.query; content:"cdn.cloudfiare.workers.dev"; nocase; bsize:26; reference:url,www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:domain-c2; sid:2033785; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Winnti_related, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/viewver.php?"; nocase; content:"doc_root="; nocase; pcre:"/doc_root=\s*(?:ftps?|https?|php)\:\//i"; reference:url,expbase.com/WebApps/13387.html; reference:url,xforce.iss.net/xforce/xfdb/63343; classtype:web-application-attack; sid:2012015; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .microcaft .xyz)"; dns.query; content:"microsoft.microcaft.xyz"; nocase; bsize:23; reference:url,twitter.com/Timele9527/status/1430351736921681928; classtype:domain-c2; sid:2033786; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012016; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .com-view .space)"; dns.query; content:"microsoft.com-view.space"; nocase; bsize:24; reference:url,twitter.com/Timele9527/status/1430351736921681928; classtype:domain-c2; sid:2033787; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012017; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni RAT Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?name="; fast_pattern; http.request_body; content:"name=|22|fileToUpload|22 3b|"; content:"Upload|20|Image|0d 0a|----"; distance:0; content:"|00 00 00 00 00 00|"; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/; classtype:command-and-control; sid:2033791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012018; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sinresby.B Downloader CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /?c=Public&a=get_config"; startswith; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|9|2e|0|3b 20|Windows|20|NT|20|6|2e|1|29|"; bsize:50; http.referer; content:"/?c=Public&a=get_config"; endswith; reference:md5,8049009d9675d5ac345ce96d1a7c9e67; classtype:command-and-control; sid:2033792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012019; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sinresby.B Downloader CnC Activity M2"; flow:established,to_server; content:"|00 00 00 7b 22 63 67 69 22 3a 31|"; offset:1; depth:11; content:"|22|data|22 3a 7b 22|mac|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|pc|22 3a 22|"; distance:0; reference:md5,8049009d9675d5ac345ce96d1a7c9e67; classtype:command-and-control; sid:2033793; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Malware Protection User-Agent Observed"; flow:to_server,established; http.user_agent; content:"MpCommunication"; depth:15; classtype:misc-activity; sid:2030835; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_03, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni RAT Querying CnC for Commands"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&prefix=tt"; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/; classtype:trojan-activity; sid:2033794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012020; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; content:"&user="; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"-"; offset:2; depth:1; content:"-"; distance:2; within:1; content:"-"; distance:2; within:1; content:"-"; distance:2; within:1; content:"-"; distance:1; within:1; isdataat:!2,relative; bsize:15; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:command-and-control; sid:2033795; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"action=gallery.list"; nocase; content:"id_gallery="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15595/; reference:url,secunia.com/advisories/42334/; classtype:web-application-attack; sid:2012021; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip,|20|deflate,|20|br|0d 0a|sec-fetch-dest|3a 20|empty|0d 0a|"; http.cookie; content:"ANID="; startswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:md5,4d9798fee3636a228dc420d338fd6f59; classtype:command-and-control; sid:2033796; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_cbe"; nocase; content:"task=userProfile"; nocase; content:"user="; nocase; content:"ajaxdirekt="; nocase; content:"tabname="; nocase; reference:url,exploit-db.com/exploits/15222/; classtype:web-application-attack; sid:2012022; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (windowsupdatesc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"windowsupdatesc.com"; bsize:19; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033797; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/home_1?"; nocase; content:"HomeCurrent_Date="; nocase; pcre:"/HomeCurrent_Date\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42344/; reference:url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html; classtype:web-application-attack; sid:2012023; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (securityupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"securityupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033798; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gbookmx/gbook.php?"; nocase; content:"newlangsel="; nocase; pcre:"/newlangsel=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/10986/; classtype:web-application-attack; sid:2012024; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (defenderupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defenderupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..//"; depth:200; http.method; content:"GET"; http.uri; content:"/download.php?"; nocase; content:"filesec=sitemap"; nocase; content:"filetype=text"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt; classtype:web-application-attack; sid:2012025; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Default CobaltStrike SSL Certificate"; flow:established,to_client; tls.cert_issuer; content:"C=Earth"; nocase; content:"ST=Cyberspace"; nocase; content:"L=Somewhere"; nocase; content:"O=cobaltstrike"; nocase; content:"OU=AdvancedPenTesting"; nocase; content:"CN=Major Cobalt Strike"; nocase; fast_pattern; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:trojan-activity; sid:2030111; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012026; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.cookie; content:"wordpress_"; startswith; fast_pattern; pcre:"/^(?:[a-f0-9]{32})=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; reference:md5,926ecee0190a5211a9670f369007ec3a; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:command-and-control; sid:2033810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012027; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdn .net)"; dns.query; content:"api-cdn.net"; nocase; bsize:11; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012028; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (git-api .com)"; dns.query; content:"git-api.com"; nocase; bsize:11; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033812; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012029; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdnw5 .net)"; dns.query; content:"api-cdnw5.net"; nocase; bsize:13; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033813; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012030; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type=text"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,db7ffa8d3fa480e489c9062b18067f36; classtype:command-and-control; sid:2033814; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012032; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"onedrivelive.me"; nocase; bsize:15; classtype:domain-c2; sid:2035796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/login.php?"; nocase; content:"default_login_language="; nocase; reference:url,secunia.com/advisories/39144/; reference:url,1337db.com/exploits/11446; classtype:web-application-attack; sid:2012033; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"librarycollection.org"; nocase; bsize:21; classtype:domain-c2; sid:2035797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012034; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Displays malicious download page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|22 26|gt|3b 26|lt|3b|div|26|gt|3b 26|lt|3b|h1|26|gt|3b|Your|20|download|20|will|20|start|20|shortly|2e 26|lt|3b 2f|h1|26|gt|3b 26|lt|3b|p|26|gt|3b|If|20|your|20|download|20|does|20|not|20|start|2c 20|please|20 26|lt|3b|a|20|href|3d 22|"; fast_pattern; reference:url,www,bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033815; rev:2; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2021_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012035; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (ywbgrcrupasdiqxknwgceatlnbvmezti .com)"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033822; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (pdjwebrfgdyzljmwtxcoyomapxtzchvn .com)"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033828; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012037; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (etzndtcvqvyxajpcgwkzsoweaubilflh .com)"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033831; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012038; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/br.ico"; fast_pattern; http.header; content:"Connection|3a 20|Close|0d 0a|"; http.user_agent; content:"Mozilla/5.0|20|(iPhone|3b 20|CPU|20|iPhone|20|OS|20|12_0|20|like Mac|20|OS|20|X)|20|AppleWebKit/605.1.15|20|(KHTML,|20|like|20|Gecko)|20|Version/12.0"; bsize:108; http.header_names; content:!"Referer"; http.accept; content:"image/*"; bsize:7; reference:md5,efcf2797aaa1ff0bb8914aba8e3a5e15; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033820; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=en_Home"; nocase; content:"car="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15135/; classtype:web-application-attack; sid:2012039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/fam_newspaper.ico"; fast_pattern; http.header; content:"Connection|3a 20|Close|0d 0a|"; http.user_agent; content:"Mozilla/5.0|20|(Linux|3b 20|Android|20|7.0|3b 20|Pixel|20|C|20|Build/NRD90M|3b 20|wv)|20|AppleWebKit/537.36|20|(KHTML,|20|like|20|Gecko)|20|Version/4.0"; bsize:109; http.header_names; content:!"Referer"; reference:md5,3dd7eb4707c960948f24367ecd652971; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033821; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/en/front_content.php?"; nocase; content:"idart="; nocase; pcre:"/idart\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42440/; classtype:web-application-attack; sid:2012040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Document Stealer Exfil"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|nnnnnnnmmmmmmmmmmmeeeee|0d 0a|"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header; content:"__IIIIMMMMM|0d 0a|"; fast_pattern; reference:md5,8df25eee669d222ab9e002ac7d81228f; classtype:trojan-activity; sid:2033818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010018; classtype:web-application-attack; sid:2010018; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenCBL.XS CnC Activity"; flow:established,to_server; content:"|30 32 bc|"; startswith; content:"|bc 4d 4a 56 3a 20|"; distance:0; content:"|20 31 20 2d 20 42 75 69 6c 64 20 3a 20|"; distance:0; fast_pattern; reference:md5,9dfd2f831b3672dc0c50b98550d3aa06; classtype:command-and-control; sid:2033819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012073; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SysNt Corp DotNetRAT CnC Activity"; flow:established,to_server; content:"|e8 03 00 00 00 00 00 00 10 00 00 00|"; fast_pattern; startswith; content:"|90 01 00 00 66 00 00 00|"; distance:0; content:"|2d|"; distance:12; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|7c|"; distance:12; within:1; content:"|7c|"; distance:0; content:"|7c|"; distance:2; within:1; reference:md5,98ee48860712d3c06c3a4aa31c14de3a; classtype:command-and-control; sid:2036611; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012074; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (esnoptdkkiirzewlpgmccbwuynvxjumf .name)"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033832; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Goatzapszu Header from unknown Scanning Tool"; flow:established,to_server; http.header; content:"Goatzapszu|3a|"; nocase; classtype:attempted-recon; sid:2012077; rev:4; metadata:created_at 2010_12_18, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name)"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033829; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_billyportfolio"; nocase; content:"view=billyportfolio"; nocase; content:"catid="; nocase; content:"and"; nocase; content:"if("; nocase; distance:0; reference:url,exploit-db.com/exploits/15721/; classtype:web-application-attack; sid:2012099; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (hkxpqdtgsucylodaejmzmtnkpfvojabe .com)"; dns.query; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; bsize:36; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033830; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php INSERT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006750; classtype:web-application-attack; sid:2006750; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (ruciplbrxwjscyhtapvlfskoqqgnxevw .name)"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033825; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus or Related Infection Checkin"; flow:established,to_server; http.uri; content:"btn="; content:"q="; http.request_body; content:"SOFT"; reference:url,doc.emergingthreats.net/2008665; classtype:command-and-control; sid:2008665; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (yhgrffndvzbtoilmundkmvbaxrjtqsew .com)"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; bsize:36; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033823; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:8; metadata:created_at 2010_09_23, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (wcmbqxzeuopnvyfmhkstaretfciywdrl .name)"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033824; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"lang="; nocase; content:"&socksport="; nocase; content:"&httpport="; nocase; content:"&ver="; nocase; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:md5,e787c4437ff67061983cd08458f71c94; reference:md5,d86b9eaf9682d60cb8b928dc6ac40954; reference:md5,1777f0ffa890ebfcc7587957f2d08dca; reference:url,doc.emergingthreats.net/2002790; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; classtype:trojan-activity; sid:2002790; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Cobalt Strike Beacon Activity (DNS)"; threshold: type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderupdateav.com"; endswith; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033817; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon URL Infection Checkin Detected"; flow:established,to_server; http.uri; content:"?mac="; nocase; content:"&ver="; nocase; content:"&user="; nocase; content:"&md5="; nocase; content:"&pc="; nocase; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/i"; reference:url,doc.emergingthreats.net/2007592; classtype:command-and-control; sid:2007592; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/44Caliber Stealer Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"44CALIBER|20|MODIFIED|20|BY"; nocase; fast_pattern; content:"Build|3a 20|"; distance:0; content:"PC|3a 20|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1431366451231801346; reference:url,app.any.run/tasks/366ad91a-2b9d-4ca0-8e1d-269f61558aa6/; reference:md5,32595ac79386e97e05f876c5dd2ab874; classtype:command-and-control; sid:2033833; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013876; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vodkagats Loader Requesting Payload"; flow:established,to_server; urilen:<50; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.header; content:"User-Agent|3a 20|Microsoft Internet Explorer|0d 0a|"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; reference:md5,29feb71dc6e5eeb6dbeeaebee647a5b3; classtype:trojan-activity; sid:2036333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013875; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:command-and-control; sid:2020780; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013874; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:command-and-control; sid:2020770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/goform/formLogin"; nocase; http.request_body; content:"Login="; nocase; content:!"|0A|"; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/i"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; reference:url,doc.emergingthreats.net/2010699; classtype:web-application-attack; sid:2010699; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:command-and-control; sid:2020773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; http.uri; content:"/nessus_is_probing_you_"; reference:arachnids,301; classtype:web-application-attack; sid:2101102; rev:12; metadata:created_at 2010_09_23, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9f/s"; content:!"POST /"; content:!"microsoft.com"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:command-and-control; sid:2020786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; http.user_agent; content:"RAV"; nocase; depth:3; pcre:"/^RAV\d\.\d\d/"; reference:url,doc.emergingthreats.net/2007661; classtype:trojan-activity; sid:2007661; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xc3\x70/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:command-and-control; sid:2019083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Medusa User-Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Teh Forest Lobster"; fast_pattern; nocase; startswith; reference:url,www.foofus.net/~jmk/medusa/medusa.html; classtype:attempted-recon; sid:2011887; rev:4; metadata:created_at 2010_10_31, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:command-and-control; sid:2020789; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DotDotPwn User-Agent"; flow:established,to_server; threshold:type limit, track by_src,count 1, seconds 60; http.user_agent; content:"DotDotPwn"; nocase; startswith; reference:url,dotdotpwn.sectester.net; classtype:attempted-recon; sid:2011915; rev:4; metadata:created_at 2010_11_09, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:established,to_server; stream_size:server,<,5; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; fast_pattern; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017916; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011876; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2018880; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011877; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9b|"; offset:8; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,52849773bc0d08eb9dfcb0df2b7caf33; classtype:command-and-control; sid:2018166; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011878; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:command-and-control; sid:2020791; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011879; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"HALF"; bsize:4; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032351; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"owa_action="; nocase; fast_pattern; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:command-and-control; sid:2020775; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"owa_do="; nocase; fast_pattern; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011883; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 5e|"; offset:13; depth:2; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,aa717cce1ccfc766e0c8ad7a217f4be3; classtype:command-and-control; sid:2018193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"site=static"; nocase; fast_pattern; content:"staticID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15152/; classtype:web-application-attack; sid:2011886; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_31, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type limit,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/router/UserPassSet.cgi?"; depth:24; fast_pattern; content:"new_user_name="; content:"password1="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023996; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internal, performance_impact Moderate, signature_severity Major, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:established,to_server; stream_size:server,<,5; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017935; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery cat_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery_category.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008830; classtype:web-application-attack; sid:2008830; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xda\x41/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:command-and-control; sid:2020607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M2"; flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"getRunTime"; nocase; distance:0; fast_pattern; content:"exec"; nocase; pcre:"/=\s*\x25\s*\{\s*(?=.+?\bgetRunTime\b).+?\bexec\b/i"; classtype:attempted-admin; sid:2024815; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:command-and-control; sid:2020788; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent STORMDDOS"; flow: established,to_server; http.user_agent; content:"STORMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011480; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3f\xa6/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:command-and-control; sid:2020696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent IAMDDOS"; flow: established,to_server; http.user_agent; content:"IAMDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011481; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:command-and-control; sid:2020792; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IMDDOS Botnet User-Agent YTDDOS"; flow: established,to_server; http.user_agent; content:"YTDDOS"; nocase; startswith; reference:url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf; classtype:trojan-activity; sid:2011483; rev:7; metadata:created_at 2010_09_29, former_category USER_AGENTS, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:command-and-control; sid:2020614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"useRawIMoutput"; content:"IMresizedData"; content:"config_prefer_imagemagick"; fast_pattern; reference:cve,2018-1000207; reference:url,www.exploit-db.com/exploits/45055; classtype:attempted-admin; sid:2025930; rev:3; metadata:attack_target Web_Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:command-and-control; sid:2018032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Kraddare Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"strID="; content:"strPC="; classtype:pup-activity; sid:2011492; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Pegasus Domain (hooklevel .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hooklevel.com"; bsize:13; fast_pattern; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/dm-albums/template/album.php?"; nocase; content:"SECURITY_FILE="; nocase; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010025; classtype:web-application-attack; sid:2010025; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Pegasus Domain (api1r3f4 .redirectweburl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".api1r3f4.redirectweburl.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033865; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ECShop user.php order_sn Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/user.php?"; nocase; content:"act=order_query"; nocase; content:"order_sn="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34733; reference:url,milw0rm.com/exploits/8548; reference:url,doc.emergingthreats.net/2009716; classtype:web-application-attack; sid:2009716; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (start-anew .net)"; dns.query; content:"start-anew.net"; nocase; bsize:14; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033866; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005647; classtype:web-application-attack; sid:2005647; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (news-now .co)"; dns.query; content:"news-now.co"; nocase; bsize:11; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UNION SELECT"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004481; classtype:web-application-attack; sid:2004481; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (reunionlove .net)"; dns.query; content:"reunionlove.net"; nocase; bsize:15; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033868; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_digistore (pid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_digistore"; nocase; content:"pid="; nocase; pcre:"/(?:\?|&)pid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0903-exploits/joomladigistore-sql.txt; reference:url,doc.emergingthreats.net/2010539; classtype:web-application-attack; sid:2010539; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (helpusfind .biz)"; dns.query; content:"helpusfind.biz"; nocase; bsize:14; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jbook (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_jbook"; nocase; content:"Itemid="; nocase; pcre:"/(?:\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/filedesc/joomlajbook-sql.txt.html; reference:url,doc.emergingthreats.net/2010540; classtype:web-application-attack; sid:2010540; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"wp-extension.cloud"; nocase; bsize:18; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS nicLOR CMS-School showarticle.php aID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showarticle.php?"; nocase; content:"aID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32112; reference:url,milw0rm.com/exploits/6982; reference:url,xforce.iss.net/xforce/xfdb/46330; reference:url,doc.emergingthreats.net/2009335; classtype:web-application-attack; sid:2009335; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"wp-extension.work"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033871; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005675; classtype:web-application-attack; sid:2005675; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.business"; nocase; bsize:20; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033872; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UNION SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005676; classtype:web-application-attack; sid:2005676; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.org"; nocase; bsize:15; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category INSERT"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005677; classtype:web-application-attack; sid:2005677; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.us"; nocase; bsize:14; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033874; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category DELETE"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005678; classtype:web-application-attack; sid:2005678; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"xenapp.blog"; nocase; bsize:11; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ASCII"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005679; classtype:web-application-attack; sid:2005679; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.quest"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005680; classtype:web-application-attack; sid:2005680; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"data-update.site"; nocase; bsize:16; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nitrotech members.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/members.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32458; reference:url,doc.emergingthreats.net/2008921; classtype:web-application-attack; sid:2008921; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"data-log.site"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005015; classtype:web-application-attack; sid:2005015; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"ticket-stat.site"; nocase; bsize:16; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005016; classtype:web-application-attack; sid:2005016; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"cdn-plugin.us"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id INSERT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005017; classtype:web-application-attack; sid:2005017; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"google-stats.work"; nocase; bsize:17; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id DELETE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005018; classtype:web-application-attack; sid:2005018; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"pro-cdn2.site"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ASCII"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005019; classtype:web-application-attack; sid:2005019; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"google-info.us"; nocase; bsize:14; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033884; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005020; classtype:web-application-attack; sid:2005020; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"formstats.us"; nocase; bsize:12; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.php?"; nocase; content:"newlang=kacper"; nocase; content:"languages[kacper][file]="; nocase; reference:url,milw0rm.com/exploits/8504; reference:bugtraq,34636; reference:url,doc.emergingthreats.net/2009728; classtype:web-application-attack; sid:2009728; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response"; flow:established,to_client; dsize:3; content:"|33 66 99|"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030489; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/dhost/modules"; nocase; content:"dconserv.dlm="; nocase; pcre:"/(?:script|img|src|onmouse|onkey|onload)/i"; reference:url,www.securityfocus.com/bid/36567/info; reference:url,doc.emergingthreats.net/2010031; classtype:web-application-attack; sid:2010031; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:command-and-control; sid:2020779; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006591; classtype:web-application-attack; sid:2006591; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:command-and-control; sid:2020771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UNION SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006592; classtype:web-application-attack; sid:2006592; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"kuroro"; depth:6; byte_jump:4,0,relative,little,from_beginning; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2022885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid INSERT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006593; classtype:web-application-attack; sid:2006593; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:command-and-control; sid:2020767; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid DELETE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006594; classtype:web-application-attack; sid:2006594; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017913; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ASCII"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006595; classtype:web-application-attack; sid:2006595; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:command-and-control; sid:2020764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TaskPerformer Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Ox0001="; depth:7; nocase; content:"&Ox0010="; nocase; distance:0; content:"&Ox0011="; nocase; distance:0; content:"&Ox0100="; nocase; distance:0; content:"&Ox0101="; nocase; distance:0; fast_pattern; reference:md5,d89560ec4dbb0ca75734b39009d089e5; classtype:command-and-control; sid:2030831; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,little,post_offset -10; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5,}.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2021716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT vBulletin 5.6.2 widget_tabbedContainer_tab_panel Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/render/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"echo%20shell_exec("; reference:url,www.exploit-db.com/exploits/48743; classtype:attempted-admin; sid:2030832; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_04, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:command-and-control; sid:2020769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT vBulletin 5.6.2 widget_tabbedContainer_tab_panel Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/render/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"echo%20shell_exec("; reference:url,www.exploit-db.com/exploits/48743; classtype:attempted-admin; sid:2030833; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_04, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:command-and-control; sid:2020606; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Juliens Botnet CnC Activity M1"; flow:established,to_server; http.start; content:"GET /data.php?a="; startswith; fast_pattern; content:"&b="; distance:0; content:"HTTP/1.1|0d 0a|Authorization|3a 20|Basic|20|"; reference:md5,73ed84016746f0b53889d20cbdbb6f07; classtype:command-and-control; sid:2030834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[A-Z]{14}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/; reference:md5,bf23c48d111f5a2d3169062428940b1c; classtype:trojan-activity; sid:2033889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN7, updated_at 2021_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006596; classtype:web-application-attack; sid:2006596; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)"; dns.query; content:"nowautomation.com"; nocase; bsize:17; reference:url,twitter.com/James_inthe_box/status/1433481199939297308; reference:md5,18c7c940bc6a4e778fbdf4a3e28151a8; classtype:domain-c2; sid:2033892; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006597; classtype:web-application-attack; sid:2006597; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x71\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,b316680fd2578a2781ee9497888bd1e4; classtype:command-and-control; sid:2018085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006598; classtype:web-application-attack; sid:2006598; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!11000,!11001,!12000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9e|"; fast_pattern; pcre:"/^[\x20-\x7e]*?.{8}\x79\x9e/s"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017707; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass INSERT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006599; classtype:web-application-attack; sid:2006599; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7c\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,29aabeba14f6b5950edcd2a5d99acc94; classtype:command-and-control; sid:2018153; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass DELETE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006600; classtype:web-application-attack; sid:2006600; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:command-and-control; sid:2020611; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ASCII"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006601; classtype:web-application-attack; sid:2006601; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa5/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:command-and-control; sid:2018638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006602; classtype:web-application-attack; sid:2006602; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:command-and-control; sid:2020799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004307; classtype:web-application-attack; sid:2004307; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!7,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017934; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_01_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004308; classtype:web-application-attack; sid:2004308; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:established,to_server; stream_size:server,<,5; flowbits:isset,ET.gh0stFmly; content:"|78 9c 0b cf cc|"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017936; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004309; classtype:web-application-attack; sid:2004309; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7d\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2018287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_03_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004310; classtype:web-application-attack; sid:2004310; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:command-and-control; sid:2020794; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004311; classtype:web-application-attack; sid:2004311; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:command-and-control; sid:2018485; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004312; classtype:web-application-attack; sid:2004312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enemyfear Stealer Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?act="; http.content_type; content:"multipart/form-data"; startswith; http.request_body; content:".zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; content:"Stealer|20|Work|2e|txt"; fast_pattern; reference:md5,8206d5fdc88e2c8c07fe2731d6ffeac3; classtype:command-and-control; sid:2033895; rev:1; metadata:created_at 2021_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php SELECT"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004736; classtype:web-application-attack; sid:2004736; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Hack Browser Data Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; bsize:90; pcre:"/^multipart/form-data\x3b\x20boundary=[a-f0-9]{60}$/"; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|"; content:"_=_"; distance:0; fast_pattern; content:"_=_"; distance:0; content:"_=_"; distance:0; content:"_=_"; distance:0; content:".json|22 0d 0a|"; distance:0; reference:md5,4a13256c1c9701146ad9ce6682b1a12e; classtype:command-and-control; sid:2033899; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004737; classtype:web-application-attack; sid:2004737; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 Related CnC Domain in DNS Lookup (tnskvggujjqfcskwk .com)"; dns.query; content:"tnskvggujjqfcskwk.com"; nocase; bsize:21; fast_pattern; reference:url,www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor; reference:url,twitter.com/Circuitous__/status/1433516145752035331; reference:url,twitter.com/JAMESWT_MHT/status/1433706754555138066; classtype:domain-c2; sid:2033897; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag FIN7, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php INSERT"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004738; classtype:web-application-attack; sid:2004738; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 Related CnC Domain in DNS Lookup (bypassociation .com)"; dns.query; content:"bypassociation.com"; nocase; bsize:18; fast_pattern; reference:url,www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor; reference:url,twitter.com/Circuitous__/status/1433516145752035331; reference:url,twitter.com/JAMESWT_MHT/status/1433706754555138066; classtype:domain-c2; sid:2033898; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag FIN7, updated_at 2021_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php DELETE"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004739; classtype:web-application-attack; sid:2004739; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleachGap Ransomware Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|username|22 3a 20 22|BleachGap|20|"; content:"|22|name|22 3a 20 22|Hacker$quad|22|"; content:"discord.gg"; reference:md5,4809f621c6dbaf0c93f1a92def0f592e; classtype:trojan-activity; sid:2033902; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php ASCII"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004740; classtype:web-application-attack; sid:2004740; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (share .bloomcloud .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"share.bloomcloud.org"; bsize:20; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1433807018867912705; reference:md5,a224350ce67eea6a8d818b85436c5309; reference:md5,02904e802b5dc2f85eec83e3c1948374; reference:md5,bac4acc2544626bac6377fb32c5f244c; classtype:command-and-control; sid:2033903; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_09_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004741; classtype:web-application-attack; sid:2004741; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bingoml!tr CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/message?mac="; startswith; bsize:30; fast_pattern; content:!"="; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,82732a7bdac99e2a9ce4e9a706947423; classtype:command-and-control; sid:2033912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid SELECT"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006807; classtype:web-application-attack; sid:2006807; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Beapy/Lemon_Duck CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ID="; content:"&GUID="; distance:0; content:"&MAC="; distance:0; content:"&OS=Win"; distance:0; content:"&BIT="; distance:0; content:"&CARD="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,21e49843502325b063b4d52e8c297f79; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027147; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UNION SELECT"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006808; classtype:web-application-attack; sid:2006808; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Coinminer Checkin"; flow:established,to_server; content:"|7b 22|CPU_Model|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|Elevated|22 3a|"; distance:0; content:"|22|GPU_Model|22 3a 22|"; distance:0; content:"|22|Identity|22 3a 22|"; distance:0; reference:md5,a98df471bde22b7b2d25aae974237363; classtype:coin-mining; sid:2033906; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Haken Clicker CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api_v5/facebook_api.php?n="; fast_pattern; reference:url,research.checkpoint.com/2020/android-app-fraud-haken-clicker-and-joker-premium-dialer/; reference:md5,02939b68596873ad1835d1062ee8836a; classtype:command-and-control; sid:2030836; rev:1; metadata:attack_target Mobile_Client, created_at 2020_09_04, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Android/iprdr.php"; fast_pattern; bsize:18; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033914; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid INSERT"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006809; classtype:web-application-attack; sid:2006809; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apple/script.php?a="; fast_pattern; startswith; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033915; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid DELETE"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006810; classtype:web-application-attack; sid:2006810; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?q="; content:"&qi="; distance:0; content:"&q1="; distance:0; content:"&q2="; distance:0; content:"&q3="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.header_names; content:"If-None-Match|0d 0a|Sec-Fetch-Dest|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-User|0d 0a|"; nocase; http.header; content:"Sec-Fetch-Dest|3a 20|document|0d|"; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; reference:url,www.clearskysec.com/siamesekitten/; classtype:command-and-control; sid:2033760; rev:2; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ASCII"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006811; classtype:web-application-attack; sid:2006811; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IceRat CnC Acitivty"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow_"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Java/"; startswith; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; classtype:trojan-activity; sid:2031485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006812; classtype:web-application-attack; sid:2006812; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits"; fast_pattern; content:!"Referer|3a 20|"; content:!"User-Agent|3a 20|"; content:!"Connection|3a 20|"; content:!"Host|3a 20|"; content:!"Keep-Alive:|3a 20|"; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; reference:md5,ec993ff561cbc175953502452bfa554a; classtype:command-and-control; sid:2029794; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, malware_family Stitch, performance_impact Low, signature_severity Major, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/fonctions_racine.php?"; nocase; content:"chemin_lib="; nocase; pcre:"/chemin_lib\s*=\s*(?:https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57869; reference:url,secunia.com/advisories/36658/; reference:url,doc.emergingthreats.net/2010355; classtype:web-application-attack; sid:2010355; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:command-and-control; sid:2018486; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/resource_categories_view.php?"; nocase; content:"CLASSES_ROOT="; nocase; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009332; classtype:web-application-attack; sid:2009332; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:command-and-control; sid:2020763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010652; classtype:web-application-attack; sid:2010652; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x31\xad/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:command-and-control; sid:2020693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010653; classtype:web-application-attack; sid:2010653; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x40\xa3/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:command-and-control; sid:2020766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010654; classtype:web-application-attack; sid:2010654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:command-and-control; sid:2020798; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010655; classtype:web-application-attack; sid:2010655; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9a|"; offset:13; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x7a\x9a/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,eb7909105fd05064b14a21465742952c; classtype:command-and-control; sid:2020371; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010656; classtype:web-application-attack; sid:2010656; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9d/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:command-and-control; sid:2020796; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ADM_Pagina.php?"; nocase; content:"Tipo="; nocase; pcre:"/Tipo=\s*(?:https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-5063; reference:url,vupen.com/english/advisories/2008/3093; reference:url,secunia.com/advisories/32645; reference:url,doc.emergingthreats.net/2009395; classtype:web-application-attack; sid:2009395; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ADM_Pagina.php?"; nocase; content:"Tipo="; reference:cve,CVE-2008-5063; reference:url,vupen.com/english/advisories/2008/3093; reference:url,secunia.com/advisories/32645; reference:url,doc.emergingthreats.net/2009396; classtype:web-application-attack; sid:2009396; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !5800 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}\x70\x94[\x20-\x7e]/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:command-and-control; sid:2018057; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id SELECT"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005597; classtype:web-application-attack; sid:2005597; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xda/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:command-and-control; sid:2018636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005598; classtype:web-application-attack; sid:2005598; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x30\xa5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:command-and-control; sid:2020790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id INSERT"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005599; classtype:web-application-attack; sid:2005599; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:command-and-control; sid:2020787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id DELETE"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005600; classtype:web-application-attack; sid:2005600; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:command-and-control; sid:2020776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ASCII"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005601; classtype:web-application-attack; sid:2005601; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:command-and-control; sid:2020781; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005602; classtype:web-application-attack; sid:2005602; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:command-and-control; sid:2020774; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp SELECT"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004450; classtype:web-application-attack; sid:2004450; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:command-and-control; sid:2018054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004451; classtype:web-application-attack; sid:2004451; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:command-and-control; sid:2020609; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp INSERT"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004452; classtype:web-application-attack; sid:2004452; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x2e\x96/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:command-and-control; sid:2020691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp DELETE"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004453; classtype:web-application-attack; sid:2004453; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9c/s"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2021753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp ASCII"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004454; classtype:web-application-attack; sid:2004454; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:command-and-control; sid:2020778; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004455; classtype:web-application-attack; sid:2004455; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|4a ae|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xae/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ba6eaf301344de6fe1e079fa960bc698; classtype:command-and-control; sid:2022773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Grades parents.php ADD Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/parents/parents.php?"; nocase; content:"func=mailto"; nocase; content:"ADD="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35304/; reference:url,milw0rm.com/exploits/8844; reference:url,doc.emergingthreats.net/2009906; classtype:web-application-attack; sid:2009906; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:command-and-control; sid:2021065; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2005186; classtype:web-application-attack; sid:2005186; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; fast_pattern; byte_jump:4,0,little,post_offset 1; isdataat:!2,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017876; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004846; classtype:web-application-attack; sid:2004846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; fast_pattern; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017877; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004847; classtype:web-application-attack; sid:2004847; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:established,to_server; stream_size:server,<,5; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:command-and-control; sid:2017944; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004848; classtype:web-application-attack; sid:2004848; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x84\x60/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:command-and-control; sid:2020586; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004849; classtype:web-application-attack; sid:2004849; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x40\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:command-and-control; sid:2020783; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004850; classtype:web-application-attack; sid:2004850; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:command-and-control; sid:2020793; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/lib-remotehost.inc.php?"; nocase; content:"phpAds_geoPlugin="; nocase; pcre:"/phpAds_geoPlugin=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14432/; reference:url,inj3ct0r.com/exploits/13426; reference:url,doc.emergingthreats.net/2011274; classtype:web-application-attack; sid:2011274; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:command-and-control; sid:2017974; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011057; classtype:web-application-attack; sid:2011057; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:command-and-control; sid:2018488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011058; classtype:web-application-attack; sid:2011058; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:command-and-control; sid:2020765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011059; classtype:web-application-attack; sid:2011059; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:command-and-control; sid:2020610; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011060; classtype:web-application-attack; sid:2011060; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7e\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:command-and-control; sid:2020782; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011061; classtype:web-application-attack; sid:2011061; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2017988; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/faces/jsf/tips.jsp?"; nocase; content:"context="; nocase; pcre:"/context\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/14369/; reference:url,secunia.com/advisories/40605; reference:url,doc.emergingthreats.net/2011268; classtype:web-application-attack; sid:2011268; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\x99/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:command-and-control; sid:2020800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/modules/core/security/init.php?"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009461; classtype:web-application-attack; sid:2009461; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa2/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:command-and-control; sid:2020797; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/stage1.php"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009462; classtype:web-application-attack; sid:2009462; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:command-and-control; sid:2018637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/stage4.php?"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009463; classtype:web-application-attack; sid:2009463; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:command-and-control; sid:2020692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/stage6.php?"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009464; classtype:web-application-attack; sid:2009464; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:command-and-control; sid:2020772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate SELECT"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005937; classtype:web-application-attack; sid:2005937; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:command-and-control; sid:2020695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UNION SELECT"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005938; classtype:web-application-attack; sid:2005938; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x44\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:command-and-control; sid:2020694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate INSERT"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005939; classtype:web-application-attack; sid:2005939; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:command-and-control; sid:2018639; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate DELETE"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005940; classtype:web-application-attack; sid:2005940; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:command-and-control; sid:2018013; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ASCII"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005941; classtype:web-application-attack; sid:2005941; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x83\x7f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:command-and-control; sid:2019602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005942; classtype:web-application-attack; sid:2005942; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9f|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7c\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,0be9e3f4507a8ee23bb0c2b6c218d1cc; classtype:command-and-control; sid:2018076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp SELECT"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005943; classtype:web-application-attack; sid:2005943; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:command-and-control; sid:2020768; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005944; classtype:web-application-attack; sid:2005944; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !5938 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; depth:21; fast_pattern; byte_test:4,<,65535,-14,relative,little; byte_test:4,<,65535,-10,relative,little; byte_jump:4,-10,relative,little,post_offset 3; isdataat:!2,relative; pcre:"/^.{9,28}\x78\x9c/s"; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2022401; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp INSERT"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005945; classtype:web-application-attack; sid:2005945; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2021012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp DELETE"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005946; classtype:web-application-attack; sid:2005946; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xd5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:command-and-control; sid:2020785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp ASCII"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005947; classtype:web-application-attack; sid:2005947; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:command-and-control; sid:2020608; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005948; classtype:web-application-attack; sid:2005948; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:command-and-control; sid:2020613; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Daily add_postit.php id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add_postit.php?"; nocase; content:"mode=rep"; nocase; content:"id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32408; reference:url,milw0rm.com/exploits/6833; reference:url,doc.emergingthreats.net/2009065; classtype:web-application-attack; sid:2009065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 5d|"; offset:8; byte_jump:4,-12,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{10}\x7a\x5d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,794eac549f98320b818037b8074da320; classtype:command-and-control; sid:2018077; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Daily delete.php id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/delete.php?"; nocase; content:"mode=postit"; nocase; content:"id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32/32408; reference:url,milw0rm.com/exploits/6833; reference:url,doc.emergingthreats.net/2009066; classtype:web-application-attack; sid:2009066; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:command-and-control; sid:2018487; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/members.php?"; nocase; content:"sortby="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,33156; reference:url,milw0rm.com/exploits/7697; reference:url,doc.emergingthreats.net/2009067; classtype:web-application-attack; sid:2009067; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443,9000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:established,to_server; stream_size:server,<,5; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!8,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2017938; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip SELECT"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004241; classtype:web-application-attack; sid:2004241; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UNION SELECT"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004242; classtype:web-application-attack; sid:2004242; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:command-and-control; sid:2020612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip INSERT"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004243; classtype:web-application-attack; sid:2004243; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:command-and-control; sid:2020777; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip DELETE"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004244; classtype:web-application-attack; sid:2004244; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x47\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:command-and-control; sid:2020784; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ASCII"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004245; classtype:web-application-attack; sid:2004245; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:command-and-control; sid:2017914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004246; classtype:web-application-attack; sid:2004246; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9af77f89a565143983fa008bbd8eedee; classtype:command-and-control; sid:2018181; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS previews.php browse parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/previews.php?"; nocase; content:"browse="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; reference:url,doc.emergingthreats.net/2009068; classtype:web-application-attack; sid:2009068; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!5721,!5938] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"PWHDR"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:command-and-control; sid:2016922; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS reviews.php browse parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reviews.php?"; nocase; content:"browse="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; reference:url,doc.emergingthreats.net/2009069; classtype:web-application-attack; sid:2009069; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-18,relative,little,from_beginning, post_offset 1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?.{2}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2018075; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006510; classtype:web-application-attack; sid:2006510; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x96\x71/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:command-and-control; sid:2020214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006511; classtype:web-application-attack; sid:2006511; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:command-and-control; sid:2020795; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006512; classtype:web-application-attack; sid:2006512; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.WOW.NLZ CnC Activity"; flow:established,to_server; http.request_line; content:"GET /in/3/"; startswith; content:"?d56tdrf2z="; distance:0; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,2bf730c712910a18f09e4d53750594d2; classtype:command-and-control; sid:2033918; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006513; classtype:web-application-attack; sid:2006513; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.microsoft-secure-cdn.com"; bsize:51; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; reference:md5,83d664b0078d46952baf9ee1d8732d7a; classtype:domain-c2; sid:2033919; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006514; classtype:web-application-attack; sid:2006514; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.brian-krebs-erectile-dysfunction.com"; bsize:63; fast_pattern; reference:md5,83d664b0078d46952baf9ee1d8732d7a; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033920; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006515; classtype:web-application-attack; sid:2006515; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.krebsonsecurity.info"; bsize:47; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; reference:md5,83d664b0078d46952baf9ee1d8732d7a; classtype:domain-c2; sid:2033921; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Cisco Jabber RCE Inbound (CVE-2020-3495)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CLIENT_REQUEST/"; http.request_body; content:".CallCppFunction|28|"; fast_pattern; reference:url,watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/; reference:cve,2020-3495; classtype:attempted-admin; sid:2030837; rev:1; metadata:created_at 2020_09_05, cve CVE_2020_3495, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_05;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.krebsonfellatio.net"; bsize:46; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033922; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pridecdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030838; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.552-39-1658.com"; bsize:42; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033923; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ordercheck.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030839; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M1"; flow:established,to_server; http.request_line; content:"GET /delonl.php?hwid="; startswith; content:!"&"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033924; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apisquere.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030840; rev:2; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M2"; flow:established,to_server; http.request_line; content:"GET /gateonl.php?hwid="; startswith; fast_pattern; content:"&cpuname="; distance:0; content:"&gpuname="; distance:0; content:"&cpu="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=quicdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030841; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M3"; flow:established,to_server; http.request_line; content:"GET /del.php?hwid="; startswith; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apienclave.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030842; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"&info="; http.user_agent; content:"REBOL"; startswith; fast_pattern; reference:md5,3a8a6702523f9f53866fb2682fdaaf66; classtype:command-and-control; sid:2034012; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquery-cycle.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030843; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/topstories"; bsize:11; fast_pattern; http.cookie; content:"__cfduid="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 6.1|29 20|Gecko/14.0|20|Firefox/14.0"; bsize:52; reference:md5,432e0676db09997f78e133263737b401; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033927; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Baka Skimmer Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=b-metric.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030844; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; bsize:20; fast_pattern; http.cookie; content:"__cfduid="; startswith; http.user_agent; content:"Mozilla/5.0|20 28|Windows|20|NT|20|6.3|3b 20|Trident/7.0|3b 20|rv|3a|11.0|29 20|like|20|Gecko"; bsize:61; reference:md5,b3f3de10b3c1c15491c53223f1b5979f; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033928; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/NixScare Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.request_body; content:"zipx=UEs"; startswith; fast_pattern; reference:md5,b04981c338165b27fc2e1e19c9713379; classtype:command-and-control; sid:2030845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_07, deployment Perimeter, former_category MALWARE, malware_family NixScare, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lv?access=true"; bsize:15; fast_pattern; http.cookie; content:"SSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; http.host; content:".workers.dev"; endswith; reference:md5,9dca269e64ebea04fe6060afe0015820; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033929; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/Wellness CnC Host Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.cookie; content:".+"; fast_pattern; isdataat:100,relative; content:".+"; distance:0; content:".+"; distance:0; content:"%3a"; nocase; content:"%2c"; nocase; http.request_body; pcre:"/^(?:[a-z0-9:.,]{3,10}\s){50,}[a-z0-9:.,]{3,10}\s*$/i"; reference:md5,98fe909510c79b21e740fec32fb6b1a0; reference:url,blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html; classtype:targeted-activity; sid:2030846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Checkin"; flow:established,to_server; content:"|7e 5c 77 6f 72 6d 73 5c 2e 42 6c 61 63 6b 20 48 61 74 20 57 6f 72 6d|"; startswith; content:"|62 6c 61 63 6b 20 68 61 74|"; distance:0; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; classtype:command-and-control; sid:2033716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006516; classtype:web-application-attack; sid:2006516; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vermilion Stager Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/microsoft/en-us/logo.aspx"; bsize:26; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,6310a2c9f45fd46cd405e31eda2ad7d3; reference:url,www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/; classtype:trojan-activity; sid:2033930; rev:1; metadata:created_at 2021_09_13, former_category MALWARE, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006517; classtype:web-application-attack; sid:2006517; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vermilion Stager Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/g.pixel"; bsize:8; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:"|0d 0a|Content-Type|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.cookie; pcre:"/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,6310a2c9f45fd46cd405e31eda2ad7d3; reference:url,www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/; classtype:trojan-activity; sid:2033931; rev:1; metadata:created_at 2021_09_13, former_category MALWARE, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006518; classtype:web-application-attack; sid:2006518; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Server Response"; flow:established,to_client; stream_size:client,<,5; content:"|2d 62 6c 61 63 6b 20 68 61 74|"; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; reference:md5,42c130f8d037d6cc0ca4342b6e8794b4; classtype:command-and-control; sid:2033932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006519; classtype:web-application-attack; sid:2006519; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenKryptik.FKJZ CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&pass="; content:"&cookie="; content:"&cc="; content:"&chrome="; content:"&firefox="; content:"&binancepass="; fast_pattern; content:"&paypalpass="; content:"&hwid="; content:"&bit="; http.request_body; content:"PK|03 04|"; reference:md5,b369e6f7f7ed1771110e9017741be7b3; classtype:trojan-activity; sid:2033936; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006520; classtype:web-application-attack; sid:2006520; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:established,to_server; content:"|20 5b 20|"; content:"|20 5b 20|"; distance:0; content:"[endof]"; endswith; reference:md5,8db6655c0a5cb219c3bbc4bb5fc92e1a; classtype:command-and-control; sid:2033938; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006521; classtype:web-application-attack; sid:2006521; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroStealer/exoStub CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Upload.zip|22 0d 0a|"; fast_pattern; nocase; content:"screenshot"; nocase; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,3594572488e00679a144001e24c675ab; classtype:trojan-activity; sid:2032417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006522; classtype:web-application-attack; sid:2006522; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/btn_bg.html?contact=true"; fast_pattern; bsize:25; http.cookie; content:"HSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1437787000690683911; reference:url,github.com/pan-unit42/tweets/blob/master/2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt; reference:md5,3963abbca3932a7d1e2b77cef1f6d57e; classtype:trojan-activity; sid:2033948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006523; classtype:web-application-attack; sid:2006523; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M1"; flow:established,to_server; stream_size:server,<,5; content:"|3d 22 3f 4b 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006524; classtype:web-application-attack; sid:2006524; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M2"; flow:established,to_server; stream_size:server,<,5; dsize:4; content:"|6d 35 30 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006525; classtype:web-application-attack; sid:2006525; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=netfoundationmtgcorp.com"; nocase; endswith; reference:md5,9845a9edb7484874171c80e3cb26135d; reference:url,twitter.com/benkow_/status/1437376463305596929; classtype:domain-c2; sid:2033951; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006526; classtype:web-application-attack; sid:2006526; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M1"; flow:established,to_server; http.request_line; content:"GET|20|/?s="; startswith; fast_pattern; content:"&q="; distance:0; content:"&g="; distance:0; pcre:"/^[a-f0-9]{32}/R"; http.header_names; content:!"User-Agent"; content:!"Accept|0d 0a|"; reference:md5,9284526d864c785b1d6bedd7830e8c19; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033953; rev:1; metadata:created_at 2021_09_15, updated_at 2021_09_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006527; classtype:web-application-attack; sid:2006527; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?arch="; content:"&s="; distance:0; content:"&q="; distance:0; http.request_body; content:"continuebtn="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,9284526d864c785b1d6bedd7830e8c19; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033954; rev:2; metadata:created_at 2021_09_15, updated_at 2021_09_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005967; classtype:web-application-attack; sid:2005967; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M3"; flow:established,to_server; http.request_line; content:"GET|20|/?s="; startswith; fast_pattern; content:"&q="; distance:0; content:"&hmac="; distance:0; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005968; classtype:web-application-attack; sid:2005968; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe Related CnC Activity"; flow:established,to_server; content:"x999"; startswith; fast_pattern; content:">"; distance:0; pcre:"/>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}>/"; content:"|20|>>"; reference:md5,ae20da9a88c7624a6b3f81a20bc8065c; reference:url,twitter.com/s1ckb017/status/1435888576710029315; reference:url,blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/; classtype:trojan-activity; sid:2033962; rev:1; metadata:created_at 2021_09_16, former_category MALWARE, malware_family TransparentTribe, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005969; classtype:web-application-attack; sid:2005969; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal Backdoor CnC Domain in DNS Lookup"; dns.query; content:"ergencucur.com"; nocase; bsize:14; reference:url,twitter.com/nao_sec/status/1438460553479921665; reference:md5,60490ea995531924f77af5f1bfb38eec; classtype:domain-c2; sid:2033963; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005970; classtype:web-application-attack; sid:2005970; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal Backdoor CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/post.asp"; endswith; http.host; content:".com#.com"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,60490ea995531924f77af5f1bfb38eec; reference:url,twitter.com/nao_sec/status/1438460553479921665; classtype:trojan-activity; sid:2033964; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Bisonal, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005971; classtype:web-application-attack; sid:2005971; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/ZuRu Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u.php?id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,objective-see.com/blog/blog_0x66.html; reference:md5,2786ebc3b917866d30e622325fc6f5f3; classtype:trojan-activity; sid:2033965; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005972; classtype:web-application-attack; sid:2005972; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain (phonefix .bar in TLS SNI)"; flow:established,to_server; tls.sni; content:"phonefix.bar"; bsize:12; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566?s=20; reference:url,tria.ge/210913-nebwkaded5; classtype:domain-c2; sid:2033972; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006969; classtype:web-application-attack; sid:2006969; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//l/f/"; startswith; fast_pattern; pcre:"/^[A-Za-z0-9_]{20}\/[a-f0-9]{40}$/R"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033973; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006970; classtype:web-application-attack; sid:2006970; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.content_type; content:"multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV"; fast_pattern; bsize:62; reference:md5,8b45338ac11f819c85dd86d13a1cc2bb; classtype:command-and-control; sid:2033974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006971; classtype:web-application-attack; sid:2006971; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v4/api_t.php?id="; startswith; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034038; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006972; classtype:web-application-attack; sid:2006972; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v4/down/"; startswith; fast_pattern; http.host; content:".cc"; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034039; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006973; classtype:web-application-attack; sid:2006973; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v4/api_t.php"; bsize:13; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.request_body; content:"id="; startswith; content:"&mid="; distance:0; content:"&username="; distance:0; content:"&os_info="; distance:0; content:"&version="; distance:0; content:"&computername="; distance:0; content:"&memory="; distance:0; content:"&screen="; distance:0; content:"&drives="; distance:0; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034040; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006974; classtype:web-application-attack; sid:2006974; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v4/api_t.php"; bsize:13; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.request_body; content:"id="; startswith; content:"&mid="; distance:0; content:"&cmd_id="; distance:0; content:"&msg_id="; distance:0; content:"&msg="; distance:0; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034041; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/website.php?"; nocase; content:"page="; nocase; reference:bugtraq,30176; reference:url,milw0rm.com/exploits/6037; reference:url,doc.emergingthreats.net/2009743; classtype:web-application-attack; sid:2009743; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazed/alternative.jng"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; http.host; content:".ru"; endswith; reference:md5,0c6eb0ff9121eae3ce6e15f7af8f9909; reference:url,twitter.com/s1ckb017/status/1438458210147520514; classtype:trojan-activity; sid:2033981; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004041; classtype:web-application-attack; sid:2004041; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Bitter Related CnC Domain in DNS Lookup"; dns.query; content:"olmajhnservice.com"; nocase; bsize:18; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:domain-c2; sid:2033986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, signature_severity Major, updated_at 2021_09_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004042; classtype:web-application-attack; sid:2004042; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=sammitng.com"; nocase; endswith; reference:md5,b656845e2755920db24364b42ce2ea18; reference:url,thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/; classtype:domain-c2; sid:2033988; rev:1; metadata:attack_target Client_and_Server, created_at 2021_09_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004043; classtype:web-application-attack; sid:2004043; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Socelars.S CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST|20|/base/api/getData.php|20|HTTP/1.1"; startswith; fast_pattern; http.request_body; content:"data="; startswith; isdataat:50,relative; http.header_names; content:!"Referer"; reference:md5,064f0d6900675bed580da1291a566cfa; classtype:trojan-activity; sid:2034192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004044; classtype:web-application-attack; sid:2004044; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK Server Response"; flow:established,to_client; file.data; content:"|ce f8 f4 fc fb c8 98 9f|"; startswith; fast_pattern; content:"|98 9f|"; content:"|98 9f|"; endswith; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004045; classtype:web-application-attack; sid:2004045; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike)"; flow:established,to_client; tls.cert_subject; content:"CN=systemmentorsec.com"; bsize:22; fast_pattern; reference:url,twitter.com/Unit42_Intel/status/1440027013595766784; reference:url,www.malware-traffic-analysis.net/2021/09/20/index.html; classtype:domain-c2; sid:2033993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004046; classtype:web-application-attack; sid:2004046; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:!"Mozilla"; content:"-"; offset:2; depth:1; content:"-"; distance:0; http.header_names; content:!"Referer"; reference:md5,064f0d6900675bed580da1291a566cfa; classtype:command-and-control; sid:2033995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004695; classtype:web-application-attack; sid:2004695; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot Generic URI/Header Struct .bin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"aocdn.net"; content:!"kankan.com"; endswith; content:!"conf.v.xunlei.com"; endswith; content:!"burstek.com"; endswith; http.request_line; content:".bin HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018052; rev:11; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004696; classtype:web-application-attack; sid:2004696; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ntuser.txt"; bsize:11; fast_pattern; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; bsize:20; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004697; classtype:web-application-attack; sid:2004697; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/max.txt"; bsize:8; fast_pattern; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; bsize:20; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004698; classtype:web-application-attack; sid:2004698; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.host; content:"|2e|"; offset:16; depth:1; pcre:"/^[a-f0-9]{16}\./"; http.request_body; content:"info="; startswith; fast_pattern; pcre:"/^[A-Za-z0-9\-_~]{75,}$/R"; http.header_names; content:!"Referer"; reference:md5,b0110812a72552902f0bd69d640b8e1c; classtype:trojan-activity; sid:2031926; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004699; classtype:web-application-attack; sid:2004699; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith; classtype:command-and-control; sid:2033984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, signature_severity Major, updated_at 2021_09_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004700; classtype:web-application-attack; sid:2004700; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Monitor.PCTattletale.A Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Prod/api/pctt/devices/"; fast_pattern; bsize:23; http.header_names; content:!"Referer"; content:!"User-Agent"; http.request_body; content:"{|22|MemberID|22 3a|"; startswith; content:"|22 2c 22|DeviceName|22 3a 22|"; distance:0; content:"|22 2c 22|DeviceDescription|22 3a 22|"; distance:0; content:"|22 2c 22|SoftwareVersion|22 3a 22|"; distance:0; reference:md5,d76d32487a84bb529a94ee39444f8212; reference:url,www.vice.com/en/article/m7ezj8/stalkerware-leaking-phone-screenshots-pctattletale; classtype:trojan-activity; sid:2034013; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Joker CnC Configuration Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/ckwkc2?icc="; startswith; fast_pattern; http.user_agent; content:"(Linux|3b 20|U|3b 20|Android"; http.header_names; content:!"Referer"; reference:url,research.checkpoint.com/2020/android-app-fraud-haken-clicker-and-joker-premium-dialer/; classtype:command-and-control; sid:2030849; rev:2; metadata:attack_target Mobile_Client, created_at 2020_09_08, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/FamousSparrow Activity (POST)"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.host; content:"credits.offices-analytics.com"; bsize:29; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Host|0d 0a|"; content:!"Referer"; reference:url,www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/; reference:url,twitter.com/ESETresearch/status/1441013111469879300; classtype:trojan-activity; sid:2034015; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid SELECT"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005784; classtype:web-application-attack; sid:2005784; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/FamousSparrow CnC Domain in DNS Lookup (credits.offices-analytics .com)"; dns.query; content:"credits.offices-analytics.com"; nocase; bsize:29; reference:url,twitter.com/ESETresearch/status/1441013111469879300; reference:url,www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/; classtype:domain-c2; sid:2034016; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UNION SELECT"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005785; classtype:web-application-attack; sid:2005785; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyTurla CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Title|0d 0a|"; fast_pattern; http.header; content:"Title|3a 20|"; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"|0d 0a|"; distance:12; within:2; reference:url,blog.talosintelligence.com/2021/09/tinyturla.html; classtype:command-and-control; sid:2034018; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid INSERT"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005786; classtype:web-application-attack; sid:2005786; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=bmFtZT"; fast_pattern; pcre:"/(?:JmJ1aWxkP|YnVpbGQ9|ZidWlsZD)/R"; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid DELETE"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005787; classtype:web-application-attack; sid:2005787; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=dXVpZD"; fast_pattern; content:"LT"; distance:18; within:2; content:"t"; distance:5; within:1; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034023; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid ASCII"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005788; classtype:web-application-attack; sid:2005788; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup (r .significantbyte .com)"; dns.query; content:"r.significantbyte.com"; fast_pattern; nocase; bsize:21; reference:url,twitter.com/h2jazi/status/1440418522950107140; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; classtype:domain-c2; sid:2034029; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005789; classtype:web-application-attack; sid:2005789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc Domain in DNS Lookup (aljazeera .cc)"; dns.query; content:"aljazeera.cc"; fast_pattern; nocase; bsize:12; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; reference:url,twitter.com/h2jazi/status/1440418522950107140; classtype:domain-c2; sid:2034030; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2021_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Million Pixel Ad Script tops_top.php id_cat parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tops_top.php?"; nocase; content:"id_cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/31626/; reference:url,milw0rm.com/exploits/6044; reference:url,doc.emergingthreats.net/2009139; classtype:web-application-attack; sid:2009139; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Sending Windows System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/t/"; startswith; content:".php?"; http.host; content:"r.significantbyte.com"; fast_pattern; bsize:21; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; reference:url,twitter.com/h2jazi/status/1440418522950107140; classtype:trojan-activity; sid:2034031; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_conf/core/common-tpl-vars.php?"; nocase; content:"lang="; nocase; pcre:"/(?:\.\.\/){1,}/"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008961; classtype:web-application-attack; sid:2008961; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sabsik.FL.B!ml CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"|ef bc 9a|"; depth:40; content:"Memorytotal|ef bc 9a|"; fast_pattern; content:"|ef bc 9a 5b|System|20|Process|5d 20|"; distance:0; reference:md5,84fffb6b0ee44238261a21a0af066c12; classtype:command-and-control; sid:2034032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/DB_adodb.class.php?"; nocase; content:"PHPOF_INCLUDE_PATH="; nocase; pcre:"/PHPOF_INCLUDE_PATH=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,25541; reference:url,doc.emergingthreats.net/2009051; classtype:web-application-attack; sid:2009051; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FoggyWeb Backdoor Incoming Request (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adfs/portal/images/theme/light01/"; startswith; content:".webp"; endswith; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034034; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Realty dpage.php docID parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dpage.php?"; nocase; content:"docID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/31484/; reference:url,packetstorm.linuxsecurity.com/0808-exploits/phprealty-sql.txt; reference:url,doc.emergingthreats.net/2009137; classtype:web-application-attack; sid:2009137; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FoggyWeb Backdoor Incoming Request (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/portal/images/theme/light01/"; startswith; content:".webp"; endswith; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Windows Vista UA - Commonly Abused"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; classtype:misc-activity; sid:2030847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FoggyWeb Backdoor Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/webp"; bsize:10; file.data; content:"|52 49 46 46|"; startswith; content:"|57 45 42 50 56 50 38 20|"; distance:4; within:8; content:"|10 32 00 9d 01 2a|"; distance:4; within:6; fast_pattern; pcre:"/^[\x80|\x40]\x00[\x80|\x40]\x00\x00\x00/R"; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPStore Wholesales id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/track.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32741/; reference:url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt; reference:url,doc.emergingthreats.net/2008873; classtype:web-application-attack; sid:2008873; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer CnC Checkin"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a 20|"; startswith; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:38; fast_pattern; http.content_len; byte_test:0,>=,200,0,string,dec; byte_test:0,<=,999,0,string,dec; http.connection; content:"Keep-Alive"; bsize:10; http.request_body; content:!"|0d 0a|"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:url,blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer; reference:md5,c4772d76029004a5512ea6e2ff3be39b; classtype:command-and-control; sid:2034024; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Jupyter, performance_impact Significant, signature_severity Major, updated_at 2021_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004701; classtype:web-application-attack; sid:2004701; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReflectiveGnome Download Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; endswith; http.user_agent; content:"msie"; bsize:4; fast_pattern; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2034042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004702; classtype:web-application-attack; sid:2004702; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=check&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/Rs"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:md5,9bf1574b794c7937cdbd12a9ff6fba76; classtype:command-and-control; sid:2034049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php INSERT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005180; classtype:web-application-attack; sid:2005180; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session/downexlog/cd/"; fast_pattern; startswith; http.header_names; content:!"Refer"; classtype:trojan-activity; sid:2034883; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php DELETE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004703; classtype:web-application-attack; sid:2004703; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fa 28 39 fb 28 39 f9 4c 48 8d 28 39 fe 28 38 8c 4f|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034050; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php ASCII"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004704; classtype:web-application-attack; sid:2004704; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3f 2f fb 3e 2f fb 3c 4b 8a 48 2f fb 3b 2f fa 49 48|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005181; classtype:web-application-attack; sid:2005181; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 38 ed 3e 39 ed 3e 3b 89 4f 4f ed 3e 3c ed 3f 4e 8a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Lance show.php catid SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/show.php?catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/Advisories/32027/; reference:url,www.milw0rm.com/exploits/6605; reference:url,doc.emergingthreats.net/2008614; classtype:web-application-attack; sid:2008614; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|26 67 ea 26 66 9c 26 66 9d 26 66 9f 42 17 eb 26 66 98 41 70 9c 47|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke SQL injection attempt"; flow: to_server,established; http.uri; content:"/modules.php?"; content:"name=Search"; content:"instory="; reference:url,www.waraxe.us/index.php?modname=sa&id=35; reference:url,doc.emergingthreats.net/2001197; classtype:web-application-attack; sid:2001197; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|70 9c 47 70 9d 31 70 9d 30 70 9d 32 14 ec 46 70 9d 35 17 8b 31 11|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang SELECT"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004325; classtype:web-application-attack; sid:2004325; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|8b 31 11 8b 30 67 8b 30 66 8b 30 64 ef 41 10 8b 30 63 ec 26 67 ea|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UNION SELECT"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004326; classtype:web-application-attack; sid:2004326; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megalodon/Gomorrah/CosaNostra HTTP Bot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; isdataat:!17,relative; http.request_body; content:".txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"|22|PC Name|22|"; content:"|22|Operating System|22|"; content:"|22|Anti virus|22|"; fast_pattern; content:"|22|Firewall|22|"; content:"|22|Processor|22|"; content:"|22|Memory|20|(RAM)|22|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/moneermasoud/CosaNostra-HTTP-Botnet/blob/master/stub/keylogger/keylogger/Form1.vb; reference:md5,0dad0861840cb73b4cefce3dcce28fa5; classtype:command-and-control; sid:2034056; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang INSERT"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004327; classtype:web-application-attack; sid:2004327; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-ajaxSuccess.js"; fast_pattern; bsize:22; http.cookie; content:"__cfduid="; startswith; pcre:"/^[a-zA-Z0-9_-]{171}$/R"; reference:md5,cc13942c46fb85a5754570c2b2c06e35; classtype:trojan-activity; sid:2034057; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang DELETE"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004328; classtype:web-application-attack; sid:2004328; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .me)"; dns.query; dotprefix; content:".samuelblog.me"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034058; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.PZE Variant CnC Activity"; flow:established,to_server; content:"|00 03|UPDATE users SET uname|20 3d 20 27|"; offset:3; depth:28; fast_pattern; content:"|27 20|WHERE hwid|20 3d 20 27|"; content:"|27 20|LIMIT 1|3b|"; endswith; reference:md5,39d55aa51967c001b7cc85f539055637; classtype:command-and-control; sid:2030848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .site)"; dns.query; dotprefix; content:".samuelblog.site"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034059; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang ASCII"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004329; classtype:web-application-attack; sid:2004329; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .info)"; dns.query; dotprefix; content:".samuelblog.info"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034060; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004330; classtype:web-application-attack; sid:2004330; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .website)"; dns.query; dotprefix; content:".samuelblog.website"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034061; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004851; classtype:web-application-attack; sid:2004851; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .xyz)"; dns.query; dotprefix; content:".samuelblog.xyz"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034062; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UNION SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004852; classtype:web-application-attack; sid:2004852; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert smb any any -> $HOME_NET any (msg:"ET MALWARE CobaltStrike SMB P2P Default Msagent Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"|5c 00|m|00|s|00|a|00|g|00|e|00|n|00|t|00|_|00|"; nocase; distance:0; fast_pattern; content:!"s|00|p|00|_|00|M|00|S|00|a|00|g|00|e|00|n|00|t|00|_|00|"; reference:url,blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/; reference:url,www.cobaltstrike.com/help-malleable-c2; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:targeted-activity; sid:2027325; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004853; classtype:web-application-attack; sid:2004853; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018243; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id DELETE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004854; classtype:web-application-attack; sid:2004854; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:5; content:"|33 00|FCC"; fast_pattern; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034063; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id ASCII"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004855; classtype:web-application-attack; sid:2004855; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE S400 RAT Server Response"; flow:established,to_client; stream_size:client,<,10; content:"|7c|S400|7c|"; within:16; content:"|7c|S400|7c|"; distance:32; within:6; content:"|7c|S400|7c|"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2021_09_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004856; classtype:web-application-attack; sid:2004856; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034067; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active SELECT"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005456; classtype:web-application-attack; sid:2005456; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034068; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005457; classtype:web-application-attack; sid:2005457; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034069; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active INSERT"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005458; classtype:web-application-attack; sid:2005458; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034070; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active DELETE"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005459; classtype:web-application-attack; sid:2005459; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034071; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ASCII"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005460; classtype:web-application-attack; sid:2005460; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034072; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005461; classtype:web-application-attack; sid:2005461; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034073; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005462; classtype:web-application-attack; sid:2005462; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034074; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005463; classtype:web-application-attack; sid:2005463; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034075; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005464; classtype:web-application-attack; sid:2005464; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (newtrendmicro .com)"; dns.query; dotprefix; content:".newtrendmicro.com"; fast_pattern; nocase; endswith; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; reference:md5,cbbd0addd5eb6cab479a1f188f7f5af0; reference:md5,897bfb316d2e8ff72031a3332842be0f; classtype:domain-c2; sid:2034076; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005465; classtype:web-application-attack; sid:2005465; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (centralgoogle .com)"; dns.query; dotprefix; content:".centralgoogle.com"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; reference:md5,38bf0d130c73fd59c950a2fdac1b70e3; classtype:domain-c2; sid:2034077; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005466; classtype:web-application-attack; sid:2005466; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (microsoft-support .net)"; dns.query; dotprefix; content:".microsoft-support.net"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:domain-c2; sid:2034078; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005467; classtype:web-application-attack; sid:2005467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (cdn-chrome .com)"; dns.query; dotprefix; content:".cdn-chrome.com"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:domain-c2; sid:2034079; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005468; classtype:web-application-attack; sid:2005468; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (mcafee-upgrade .com)"; dns.query; dotprefix; content:".mcafee-upgrade.com"; nocase; endswith; fast_pattern; content:!"www"; classtype:domain-c2; sid:2034080; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005469; classtype:web-application-attack; sid:2005469; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Home.aspx"; bsize:10; http.host; content:"www.funding-exchange.org"; bsize:24; fast_pattern; http.cookie; content:"ASP.NET_SessionId="; startswith; http.header_names; content:"Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|DNT|0d 0a|Cache-Control|0d 0a|"; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034081; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005470; classtype:web-application-attack; sid:2005470; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/L._SX2_.jpg"; bsize:19; http.host; content:"static.mhysl.org"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0)|20|like|20|Gecko"; bsize:68; http.header_names; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034082; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005471; classtype:web-application-attack; sid:2005471; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|ff d8 ff|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005472; classtype:web-application-attack; sid:2005472; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (PNG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|89 50 4e 47|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005473; classtype:web-application-attack; sid:2005473; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (RIFF)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|52 49 46 46|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005474; classtype:web-application-attack; sid:2005474; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ELENAPC/principles/"; startswith; nocase; content:".mp3"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/s1ckb017/status/1443950604968149010; reference:md5,b345a53a6a432fa2467a0f7931bd79ae; classtype:trojan-activity; sid:2034087; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005475; classtype:web-application-attack; sid:2005475; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MachO.Netwire Connectivity Check"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; endswith; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.netwire; classtype:trojan-activity; sid:2034088; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005476; classtype:web-application-attack; sid:2005476; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Netwire Connectivity Check"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; endswith; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.netwire; classtype:trojan-activity; sid:2034089; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005477; classtype:web-application-attack; sid:2005477; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securetourspd .com)"; dns.query; content:"securetourspd.com"; nocase; bsize:17; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034101; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005479; classtype:web-application-attack; sid:2005479; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (secure-daddy .com)"; dns.query; content:"secure-daddy.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; classtype:domain-c2; sid:2034102; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005480; classtype:web-application-attack; sid:2005480; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"http"; pcre:"/\/[0-9A-Za-z]{8,13}\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; fast_pattern; http.host; content:!".freeip.com"; http.content_len; byte_test:0,<,2000,0,string,dec; http.request_body; pcre:"/(?:Q(?:k(?:MIdh|UMcR)|0IPdR)|(?:DQg91|FRghw)F|(?:NCD3U|VGCHA)X|C(?:Qwh2E|RQxxF)|J(?:DCHYT|FDHEW)|R(?:UYIcB|kIJcR)|GQglxE|ZCCXEQ)/"; reference:md5,2933e342334bdb24ba99f70c15506294; reference:md5,e4f16cbac43141987a39f9841642fe90; reference:url,twitter.com/ffforward/status/1437688494017728516; reference:url,twitter.com/ffforward/status/1437473409542262795; classtype:trojan-activity; sid:2033939; rev:6; metadata:created_at 2021_09_13, former_category MALWARE, malware_family SQUIRRELWAFFLE, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005481; classtype:web-application-attack; sid:2005481; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (centr-security .com)"; dns.query; content:"centr-security.com"; nocase; bsize:18; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034103; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005482; classtype:web-application-attack; sid:2005482; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securemanag .com)"; dns.query; content:"securemanag.com"; nocase; bsize:15; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034104; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005483; classtype:web-application-attack; sid:2005483; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:".xml"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034105; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005484; classtype:web-application-attack; sid:2005484; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:".txt"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034106; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005485; classtype:web-application-attack; sid:2005485; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Retrieving Task"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"/getcommand?username="; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034107; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005486; classtype:web-application-attack; sid:2005486; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"/getanswer.php?username="; nocase; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034108; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005487; classtype:web-application-attack; sid:2005487; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Client Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; fast_pattern; pcre:"/(?:fCxTeXN0ZW0gSWRsZS|wsU3lzdGVtIElkbGUg|8LFN5c3RlbSBJZGxlI)/R"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,254022730f51ee770452015b6987b939; reference:url,twitter.com/rcwht_/status/1443867650686439489; classtype:command-and-control; sid:2034091; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Moderate, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005489; classtype:web-application-attack; sid:2005489; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"serverHttpRequest"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034109; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Microsoft Malware Protection User-Agent Observed to Non-Microsoft Domain"; flow:to_server,established; http.user_agent; content:"MpCommunication"; depth:15; fast_pattern; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:misc-activity; sid:2030850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_09, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".rb|0d 0a|"; within:32; http.cookie; content:"XSRF-TOKEN=eyJpdiI6I"; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; content:"load_session=eyJpdiI6I"; fast_pattern; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; classtype:command-and-control; sid:2034110; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_10_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005490; classtype:web-application-attack; sid:2005490; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known PUA Host Domain"; dns.query; content:"givemeyourpasswords.ninja"; endswith; fast_pattern; classtype:bad-unknown; sid:2034112; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005491; classtype:web-application-attack; sid:2005491; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed HTTP Request to Known PUA Host Domain"; http.host; content:"honeypoc.io"; endswith; fast_pattern; classtype:bad-unknown; sid:2034113; rev:1; metadata:created_at 2021_10_05, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005492; classtype:web-application-attack; sid:2005492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed HTTP Request to Known PUA Host Domain"; http.host; content:"givemeyourpasswords.ninja"; endswith; fast_pattern; classtype:bad-unknown; sid:2034114; rev:1; metadata:created_at 2021_10_05, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat SELECT"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005585; classtype:web-application-attack; sid:2005585; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Retrieving Commands"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/../users/"; fast_pattern; startswith; content:".php"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005586; classtype:web-application-attack; sid:2005586; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\.(?:com|eu|va|lt|sk|)\//"; content:".php?v="; fast_pattern; pcre:"/^[0-9a-f]{64}$/R"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034116; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat INSERT"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005587; classtype:web-application-attack; sid:2005587; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M5 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\.(?:com|eu|va|lt|sk|)\//"; content:".nsf?v="; fast_pattern; pcre:"/^[0-9a-f]{64}$/R"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034117; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat DELETE"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005588; classtype:web-application-attack; sid:2005588; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (get-europe-group .bar)"; flow:established,to_server; tls.sni; content:"get-europe-group.bar"; bsize:20; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; classtype:domain-c2; sid:2034120; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ASCII"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005589; classtype:web-application-attack; sid:2005589; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (download-serv-234116 .xyz)"; flow:established,to_server; tls.sni; content:"download-serv-234116.xyz"; bsize:24; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; reference:md5,157105990ae7e4673035fd9224b793c9; classtype:domain-c2; sid:2034121; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005590; classtype:web-application-attack; sid:2005590; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (manholi .xyz)"; flow:established,to_server; tls.sni; content:"manholi.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; reference:md5,03a80daa82c29b55aa02a276ff58e22e; classtype:domain-c2; sid:2034122; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006927; classtype:web-application-attack; sid:2006927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (phonefix .bar)"; flow:established,to_server; tls.sni; content:"phonefix.bar"; bsize:12; fast_pattern; classtype:domain-c2; sid:2034123; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006928; classtype:web-application-attack; sid:2006928; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 756"; flow:established,to_server; content:"|bf cd 35 03 80 a5 a0 21 05 b6 42|"; startswith; fast_pattern; content:"|8c 21|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2034236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006929; classtype:web-application-attack; sid:2006929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp any [!80] -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Attack Command Inbound"; flow:established,to_server; dsize:<70; content:"|ad af fe 7f|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033243; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid DELETE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006930; classtype:web-application-attack; sid:2006930; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (sharemanage .elwoodasset .xyz)"; dns.query; content:"sharemanage.elwoodasset.xyz"; nocase; bsize:27; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034131; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid ASCII"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006931; classtype:web-application-attack; sid:2006931; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dshellelink .gcloud-share .com)"; dns.query; content:"dshellelink.gcloud-share.com"; nocase; bsize:28; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034132; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UNION SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006934; classtype:web-application-attack; sid:2006934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dev .sslsharecloud .net)"; dns.query; content:"dev.sslsharecloud.net"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034133; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid DELETE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006936; classtype:web-application-attack; sid:2006936; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (signverydn .sharebusiness .xyz)"; dns.query; content:"signverydn.sharebusiness.xyz"; nocase; bsize:28; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034134; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid ASCII"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006937; classtype:web-application-attack; sid:2006937; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (gsheet .gdocsdown .com)"; dns.query; content:"gsheet.gdocsdown.com"; nocase; bsize:20; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006938; classtype:web-application-attack; sid:2006938; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Client Request M2"; flow:established,to_server; http.request_line; content:"GET /?data="; startswith; fast_pattern; content:!"="; distance:0; content:"|3a|"; within:17; content:"|3a|"; distance:0; isdataat:!261; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8b6199f5d5465c327c8c30ac9fdfd23a; classtype:command-and-control; sid:2034136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Moderate, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid SELECT"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007176; classtype:web-application-attack; sid:2007176; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (share .devprocloud .com)"; dns.query; content:"share.devprocloud.com"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007177; classtype:web-application-attack; sid:2007177; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (product .onlinedoc .dev)"; dns.query; content:"product.onlinedoc.dev"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034138; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid INSERT"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007178; classtype:web-application-attack; sid:2007178; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (www .googlesheetpage .org)"; dns.query; content:"www.googlesheetpage.org"; nocase; bsize:23; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034139; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid DELETE"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007179; classtype:web-application-attack; sid:2007179; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ESPecter Bootkit Initialization Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Heart.aspx?ti="; startswith; fast_pattern; content:"&tn="; distance:0; content:"&tg="; distance:0; content:"&tv="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/; classtype:trojan-activity; sid:2034145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ASCII"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007180; classtype:web-application-attack; sid:2007180; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ELENAPC/"; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,05aca0e7e247224adebecc3239a4cfbc; reference:md5,4f70faa3c0ad89de6a862f729678fc77; reference:url,twitter.com/s1ckb017/status/1445704873345896455; reference:url,twitter.com/s1ckb017/status/1445706513956306950; classtype:trojan-activity; sid:2034147; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007181; classtype:web-application-attack; sid:2007181; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2"; flow:established,to_server; http.request_line; content:"POST|20|/service/communication.php|20|HTTP/1.1"; startswith; fast_pattern; http.request_body; content:"data="; startswith; isdataat:50,relative; http.header_names; content:!"Referer"; reference:md5,9a112488064fd03d4a259e0f1db9d323; classtype:trojan-activity; sid:2034202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Module Emporium SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"name=Shopping_Cart"; nocase; content:"category_id="; nocase; pcre:"/(?:\?|&)category_id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,milw0rm.com/exploits/3334; reference:url,packetstormsecurity.org/0912-exploits/phpnukeemporium-sql.txt; reference:url,doc.emergingthreats.net/2010553; classtype:web-application-attack; sid:2010553; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup  Related Domain in DNS Lookup (ppadoaolnwod .xyz)"; dns.query; dotprefix; content:".ppadoaolnwod.xyz"; nocase; endswith; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034148; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011133; classtype:web-application-attack; sid:2011133; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (officeframework .online)"; dns.query; dotprefix; content:".officeframework.online"; nocase; endswith; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011134; classtype:web-application-attack; sid:2011134; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PR_KYY/"; fast_pattern; startswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1445115785454788615; reference:md5,00f61bdf5d04a8551b5e15c1f74083c0; reference:md5,ab4ac6236cb487fed4768e1e4d2dd8b6; reference:md5,92b9a1db86b631fc9de68915de446756; classtype:trojan-activity; sid:2034156; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011135; classtype:web-application-attack; sid:2011135; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BEST-KOMP/"; fast_pattern; startswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1445115787870707715; classtype:trojan-activity; sid:2034157; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011136; classtype:web-application-attack; sid:2011136; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (mimeversion .top)"; dns.query; content:"mimeversion.top"; nocase; bsize:15; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034158; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011137; classtype:web-application-attack; sid:2011137; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $EXTERNAL_NET !5665 -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:command-and-control; sid:2018283; rev:8; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011168; classtype:web-application-attack; sid:2011168; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious FIN12 Related SSL Cert (serviceswork .net)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=serviceswork, OU=, CN=serviceswork.net"; bsize:62; fast_pattern; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; reference:md5,f1c35cf848d984785e9c0621958fe5ae; classtype:trojan-activity; sid:2034163; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011169; classtype:web-application-attack; sid:2011169; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/AhMyth RAT Init Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/socket.io/?model="; startswith; fast_pattern; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport=polling&release="; distance:0; content:"&manf="; distance:0; http.header_names; content:!"Referer"; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034164; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011170; classtype:web-application-attack; sid:2011170; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/AhMyth RAT WebSocket Session"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport=websocket&manf="; distance:0; content:"&sid="; distance:0; http.header_names; content:!"Referer"; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034165; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011171; classtype:web-application-attack; sid:2011171; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Location Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000lm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034166; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011172; classtype:web-application-attack; sid:2011172; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Contacts Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000cn|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034167; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Realtor v_cat SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view_cat.php?v_cat="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/6694; reference:url,secunia.com/advisories/32149/; reference:url,doc.emergingthreats.net/2008649; classtype:web-application-attack; sid:2008649; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (SMS Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000sm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034168; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ReVou Micro Blogging user_updates.php user Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/user_updates.php?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7925; reference:bugtraq,33540; reference:url,doc.emergingthreats.net/2009140; classtype:web-application-attack; sid:2009140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Call Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000cl|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034169; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005901; classtype:web-application-attack; sid:2005901; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Files Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000fm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034170; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005902; classtype:web-application-attack; sid:2005902; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Camera Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000fm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034171; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005903; classtype:web-application-attack; sid:2005903; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (docs .gsheetpage .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"docs.gsheetpage.com"; bsize:19; fast_pattern; reference:md5,42e6310ffbdd24cf9a2b5d200190359e; reference:url,twitter.com/ShadowChasing1/status/1447900397935362053; classtype:trojan-activity; sid:2034176; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, signature_severity Major, updated_at 2021_10_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005904; classtype:web-application-attack; sid:2005904; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious FIN12 Related SSL Cert"; flow:established,to_client; tls.cert_subject; content:"OU=Delegated Licensor,KYP SDT LTD"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?OU=Delegated\ Licensor,KYP\ SDT\ LTD(?!\.)/"; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034177; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005905; classtype:web-application-attack; sid:2005905; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN12 Related Cobalt Strike Domain (netrie .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"netrie.com"; bsize:10; fast_pattern; reference:md5,21b4d9c046db511738232582b41f453c; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:command-and-control; sid:2034180; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005906; classtype:web-application-attack; sid:2005906; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related ICECANDLE/Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-includes/admin.gif"; fast_pattern; bsize:22; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:49; reference:md5,256fa0ae50b4e199b631047f2fe98b58; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034181; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005907; classtype:web-application-attack; sid:2005907; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN12 Related Domain (hdhuge .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hdhuge.com"; bsize:10; fast_pattern; reference:md5,cf3027fa4e3d5597487691dff1831b97; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:domain-c2; sid:2034182; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, signature_severity Major, updated_at 2021_10_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005908; classtype:web-application-attack; sid:2005908; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related WHITEDAGGER/Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/files/remove.gif|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:57; reference:md5,cf3027fa4e3d5597487691dff1831b97; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034185; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005909; classtype:web-application-attack; sid:2005909; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related WEIRDLOOP/Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/image-directory/bn.ico|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; reference:md5,fd81452a3a8f9460ffac8aff6e20431a; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034186; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005910; classtype:web-application-attack; sid:2005910; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:"www.onlinedocpage.org"; bsize:21; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c44d866adf8c6845b7dda742c59c6b59; reference:url,twitter.com/ShadowChasing1/status/1448150917912559616; classtype:trojan-activity; sid:2034187; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_10_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005911; classtype:web-application-attack; sid:2005911; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Limbozar Ransomware Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postme"; bsize:7; http.header; content:"|0d 0a|from|3a 20|me|0d 0a|"; fast_pattern; content:"|0d 0a|user-agent|3a 20|libsfml-network/"; http.request_body; content:"&ip="; startswith; content:"&disk="; distance:0; content:"&id="; distance:0; content:"&mail="; distance:0; http.header_names; content:!"Referer"; reference:url,securelist.com/cis-ransomware/104452/; reference:md5,91332f289d3e577b57d878b55c5cf18a; classtype:trojan-activity; sid:2034195; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_10_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005912; classtype:web-application-attack; sid:2005912; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/MysterySnail RAT CnC Domain in DNS Lookup"; dns.query; content:"http.ddspadus.com"; nocase; bsize:17; reference:url,securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/; reference:md5,e2f2d2832da0facbd716d6ad298073ca; classtype:domain-c2; sid:2034197; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, signature_severity Major, updated_at 2021_10_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005913; classtype:web-application-attack; sid:2005913; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.RTQ CnC Activity"; flow:established,to_server; content:"|0b 00 00 00|"; startswith; content:"|57 69 6e 64 6f 77 73 20|"; distance:4; within:8; content:"|00 00 00 cc ec b7 a3 20 56 65 72 20|"; distance:0; fast_pattern; reference:md5,1f2d30b383d332972d8a36b23d1d726e; classtype:command-and-control; sid:2034193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005914; classtype:web-application-attack; sid:2005914; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRAT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content: "&"; pcre: "/^(?:[a-f0-9]{2}){16}=(?:[a-f0-9]{2}){16}&(?:[a-f0-9]{2}){16}=(?=[a-z0-9A-Z]{0,32}[A-Z][a-z][A-Z][a-z][A-Z])/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:56; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1448751827046985746; reference:md5,60cf8c1093d596a44dc997d00caae463; classtype:trojan-activity; sid:2034194; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005915; classtype:web-application-attack; sid:2005915; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mummyvich.xyz"; fast_pattern; classtype:domain-c2; sid:2034209; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005916; classtype:web-application-attack; sid:2005916; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dxb/mx_cmd.php"; endswith; classtype:command-and-control; sid:2034210; rev:1; metadata:created_at 2021_10_17, former_category MALWARE, updated_at 2021_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005917; classtype:web-application-attack; sid:2005917; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dxb/mx_jscript.php"; endswith; classtype:command-and-control; sid:2034211; rev:1; metadata:created_at 2021_10_17, former_category MALWARE, updated_at 2021_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005918; classtype:web-application-attack; sid:2005918; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit Variant Data Exfil M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".html"; http.request_body; content:"&filesize="; content:"&framesize="; fast_pattern; content:"&framenum="; content:"&filecrc="; content:"&filename="; content:"&pcname="; reference:md5,f05af511670dba679d845e3d477e789d; reference:url,twitter.com/James_inthe_box/status/1425921372987944961; reference:url,blog.reversinglabs.com/blog/data-exfiltrator; classtype:command-and-control; sid:2033727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005919; classtype:web-application-attack; sid:2005919; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit Variant Data Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".html"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"key="; startswith; fast_pattern; content:"&data="; within:100; pcre:"/^key=\w+\&data=/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1425921372987944961; reference:url,blog.reversinglabs.com/blog/data-exfiltrator; classtype:command-and-control; sid:2033728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005920; classtype:web-application-attack; sid:2005920; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.feedbackfileweb.club"; fast_pattern; classtype:domain-c2; sid:2034214; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005921; classtype:web-application-attack; sid:2005921; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.iserunifish.club"; fast_pattern; classtype:domain-c2; sid:2034215; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005922; classtype:web-application-attack; sid:2005922; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"gsterangsic.buzz"; endswith; classtype:domain-c2; sid:2034216; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005923; classtype:web-application-attack; sid:2005923; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"oscanonamik.club"; endswith; classtype:domain-c2; sid:2034217; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005924; classtype:web-application-attack; sid:2005924; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"riderskop.top"; endswith; classtype:domain-c2; sid:2034218; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/chat/dac.php?"; nocase; content:"sendChatData="; nocase; reference:url,milw0rm.com/exploits/8268; reference:bugtraq,34213; reference:url,doc.emergingthreats.net/2009390; classtype:web-application-attack; sid:2009390; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wiki0509.html"; fast_pattern; bsize:14; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1438602464765386757; reference:md5,41dacae2a33ee717abcc8011b705f2cb; classtype:trojan-activity; sid:2034221; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt"; flow:established,to_server; http.uri; content:"/home.php?page=http\:"; nocase; reference:url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt; reference:url,doc.emergingthreats.net/2009892; classtype:web-application-attack; sid:2009892; rev:6; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/FontOnLake Related CnC Domain in DNS Lookup (hm2 .yrnykx .com)"; dns.query; content:"hm2.yrnykx.com"; nocase; bsize:14; reference:url,www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf; reference:md5,fa73b2fd914a0cfd5e7d3161af903b6c; reference:md5,5ecf30b7a6221af8f209a7b6681f91f9; classtype:domain-c2; sid:2034222; rev:1; metadata:created_at 2021_10_18, former_category MALWARE, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_words.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009073; classtype:web-application-attack; sid:2009073; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Harvester Group Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/Values_V2/Getting3210"; bsize:26; fast_pattern; http.host; content:".azurewebsites.net"; endswith; http.header_names; content:"|0d 0a|MC|0d 0a|Ath|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia; reference:md5,2578bf48da48c262e4a83e2a9ae47c68; classtype:trojan-activity; sid:2034223; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_groups_reapir.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009074; classtype:web-application-attack; sid:2009074; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty M2"; flow:established,to_server; http.request_line; content:"GET /?opt=put&mq=loader_tx_report"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.uri; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,c52f17b858b143310dc1cb218feca5c8; classtype:command-and-control; sid:2034220; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_smilies.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009075; classtype:web-application-attack; sid:2009075; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Graphon Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/Values_V1/AuthAsyncComplete_V1?Identity="; fast_pattern; startswith; http.uri.raw; content:"=%3E"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:30; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia; reference:md5,ff81a65150e318c1ffbeaba7a56bb09f; classtype:command-and-control; sid:2034224; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id SELECT"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004930; classtype:web-application-attack; sid:2004930; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; fast_pattern; detection_filter:track by_src, count 4, seconds 1; classtype:command-and-control; sid:2034225; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family BlackMatter, signature_severity Major, tag Ransomware, updated_at 2021_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004931; classtype:web-application-attack; sid:2004931; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=swissarny.store"; fast_pattern; classtype:domain-c2; sid:2034226; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id INSERT"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004932; classtype:web-application-attack; sid:2004932; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=rtpdn14.com"; fast_pattern; classtype:domain-c2; sid:2034227; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id DELETE"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004933; classtype:web-application-attack; sid:2004933; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan:Win32/Sabsik.FL.B!ml CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|0c 22 38 4e 5a 7b 2d 43 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; content:"//"; distance:0; reference:md5,956e62df6ea59dfc9a459ea85d7bb2eb; classtype:command-and-control; sid:2034229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id ASCII"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004934; classtype:web-application-attack; sid:2004934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034230; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004935; classtype:web-application-attack; sid:2004935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034231; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006730; classtype:web-application-attack; sid:2006730; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker Checkin M1"; flow:established,to_server; stream_size:server,<,5; dsize:11; content:"#PRINCIPAL#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034238; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006731; classtype:web-application-attack; sid:2006731; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker Server Response M1"; flow:established,to_client; stream_size:server,<,40; dsize:9; content:"#Convite#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034239; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_25, former_category MALWARE, malware_family Ousaban, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006732; classtype:web-application-attack; sid:2006732; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker Checkin M2"; flow:established,to_server; stream_size:server,<,40; content:"#ConvitRC#<#>"; startswith; content:"<#>"; distance:0; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006733; classtype:web-application-attack; sid:2006733; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker Server Response M2"; flow:established,to_client; stream_size:server,<,40; content:"#SocketMain#<#>"; startswith; pcre:"/^\d+$/R"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006734; classtype:web-application-attack; sid:2006734; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker KeepAlive"; flow:established,to_client; dsize:9; content:"#ON-LINE#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006735; classtype:web-application-attack; sid:2006735; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker KeepAlive Response"; flow:established,to_server; dsize:11; content:"#strPingOk#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/message_class.php?"; nocase; content:"pfadhier="; nocase; reference:bugtraq,33718; reference:url,milw0rm.com/exploits/8030; reference:url,doc.emergingthreats.net/2009168; classtype:web-application-attack; sid:2009168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session/downexlog/cdfd/"; fast_pattern; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034884; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ParsBlogger blog.asp wr parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/blog.asp?"; nocase; content:"wr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7239; reference:bugtraq,32488; reference:url,doc.emergingthreats.net/2008930; classtype:web-application-attack; sid:2008930; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/WinDealer CnC Activity (Checkin)"; dsize:<200; content:"|06 81 da 91 ce c7 9f 43|"; startswith; fast_pattern; content:"|14 00|"; distance:4; within:4; reference:url,blogs.jpcert.or.jp/en/2021/10/windealer.html; reference:md5,5a7a90ceb6e7137c753d8de226fc7947; classtype:trojan-activity; sid:2034254; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid SELECT"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004259; classtype:web-application-attack; sid:2004259; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (magento-plugin .com)"; dns.query; content:"magento-plugin.com"; nocase; bsize:18; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034264; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UNION SELECT"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004260; classtype:web-application-attack; sid:2004260; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (cdn-cgi .net)"; dns.query; content:"cdn-cgi.net"; nocase; bsize:11; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034265; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid INSERT"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004261; classtype:web-application-attack; sid:2004261; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (trustdomains .net)"; dns.query; content:"trustdomains.net"; nocase; bsize:16; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034266; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid DELETE"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004262; classtype:web-application-attack; sid:2004262; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/loadercrypt_"; startswith; fast_pattern; content:".php?vid="; distance:32; within:9; isdataat:171,relative; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1)|20|AppleWebKit/587.38"; bsize:47; reference:url,twitter.com/malwrhunterteam/status/1452992872928661512; reference:md5,aa1add403d79f0ae38f8b0aed2fcb0c2; classtype:trojan-activity; sid:2034267; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_10_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid ASCII"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004263; classtype:web-application-attack; sid:2004263; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (liveupdatedriver .com)"; dns.query; dotprefix; content:".liveupdatedriver.com"; nocase; endswith; reference:url,twitter.com/kyleehmke/status/1453352660766269451; classtype:domain-c2; sid:2034268; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004264; classtype:web-application-attack; sid:2004264; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (dnsnamefinder .com)"; dns.query; dotprefix; content:".dnsnamefinder.com"; nocase; endswith; reference:url,twitter.com/kyleehmke/status/1453352660766269451; classtype:domain-c2; sid:2034269; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month SELECT"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005216; classtype:web-application-attack; sid:2005216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/SVCReady Loader User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|svc/1.0|0d 0a|"; fast_pattern; reference:md5,e4430c33d343d9f4af57225b90600a3d; classtype:trojan-activity; sid:2036855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family SVCReady, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UNION SELECT"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005217; classtype:web-application-attack; sid:2005217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?zs="; fast_pattern; content:"&t="; isdataat:!2,relative; pcre:"/\.php\?zs=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&t=[0-9]{1,2}$/Usi"; http.header_names; content:!"Referer"; content:!"Accept-"; reference:md5,e4430c33d343d9f4af57225b90600a3d; reference:md5,1036e57d1c8cde25a6680430354aa801; classtype:trojan-activity; sid:2036856; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family SVCReady, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month INSERT"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005218; classtype:web-application-attack; sid:2005218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader Requesting Payload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?zs="; content:"&t="; isdataat:!2,relative; http.request_body; content:"Downloading|20|file|20|"; startswith; nocase; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept-"; reference:md5,e4430c33d343d9f4af57225b90600a3d; reference:md5,1036e57d1c8cde25a6680430354aa801; classtype:trojan-activity; sid:2036857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family SVCReady, signature_severity Major, updated_at 2021_10_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month DELETE"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005219; classtype:web-application-attack; sid:2005219; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TinyNuke VNC Checkin"; flow:established,to_server; dsize:7; content:"MELTED|00|"; fast_pattern; reference:url,app.any.run/tasks/cad45c57-d1fd-4e3b-9e1f-4e6742affb56/; reference:md5,e82aae34a54d0398bd099a0c33db9266; reference:url,twitter.com/Jane_0stin/status/1453441977014497280; classtype:trojan-activity; sid:2034281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family TinyNuke, signature_severity Major, tag RAT, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month ASCII"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005220; classtype:web-application-attack; sid:2005220; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CloudAtlas APT Related Domain (checklicensekey .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"checklicensekey.com"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:domain-c2; sid:2034282; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005221; classtype:web-application-attack; sid:2005221; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CloudAtlas APT Related CnC Domain in DNS Lookup (checklicensekey .com)"; dns.query; content:"checklicensekey.com"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:domain-c2; sid:2034283; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment SELECT"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004618; classtype:web-application-attack; sid:2004618; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CloudAtlas APT Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dotm"; endswith; http.host; content:"checklicensekey.com"; fast_pattern; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:trojan-activity; sid:2034284; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UNION SELECT"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004619; classtype:web-application-attack; sid:2004619; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"digitalresolve.live"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034285; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment INSERT"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004620; classtype:web-application-attack; sid:2004620; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live)"; dns.query; content:"digitalresolve.live"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034286; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment DELETE"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004621; classtype:web-application-attack; sid:2004621; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Application.ThunderN.A Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|1b 00 0c|"; startswith; content:"Startup102_embedding|ea 03 01 00 00 00|"; endswith; fast_pattern; reference:md5,1f1ef30f55a9b69bf0b8706e479beca0; classtype:command-and-control; sid:2034275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ASCII"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004622; classtype:web-application-attack; sid:2004622; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; urilen:80<>90; http.method; content:"GET"; http.host; content:"digitalresolve.live"; bsize:19; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:trojan-activity; sid:2034287; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004623; classtype:web-application-attack; sid:2004623; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE slock Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/slock.php?ip="; fast_pattern; content:"&&user="; distance:0; content:"&&host="; distance:0; content:"&&domain="; distance:0; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|10|2e|0|3b 20|WOW64|3b 20|Trident|2f|7|2e|0|3b 20|rv|3a|11|2e|0|29 20|like|20|Gecko"; bsize:69; reference:md5,45a430e2bcba867f4d8a537354a98a73; classtype:command-and-control; sid:2034291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid SELECT"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004924; classtype:web-application-attack; sid:2004924; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casbaneiro CnC Host Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?AT="; fast_pattern; content:"Microsoft Windows"; distance:0; content:"&MD="; distance:0; content:!"&"; distance:0; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,6716f7a0e6f96617c9ba4b47ff9f41eb; classtype:trojan-activity; sid:2034292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Casbaneiro, performance_impact Low, signature_severity Major, tag Banker, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UNION SELECT"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004925; classtype:web-application-attack; sid:2004925; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (croperdate .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"croperdate.com"; bsize:14; fast_pattern; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; reference:md5,67c916ed405a3163d19f7642734d94be; classtype:domain-c2; sid:2034302; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004926; classtype:web-application-attack; sid:2004926; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (kaslose .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaslose.com"; bsize:11; fast_pattern; reference:md5,0b10e6fe7db4421f4807e08bd3b5982a; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; classtype:domain-c2; sid:2034303; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid DELETE"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004927; classtype:web-application-attack; sid:2004927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (cdnwin .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cdnwin.xyz"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; classtype:domain-c2; sid:2034304; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid ASCII"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004928; classtype:web-application-attack; sid:2004928; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"from=CIA"; startswith; content:"|26|body|3d|Your|20|Subject|20|is|20|Online|20 3a|P|20|Victim|20|Name|3a 20|"; fast_pattern; content:"Clients|20|Conneted|3a 20|"; distance:0; reference:md5,7055137624d83f3c6025caf1e62e85f6; classtype:command-and-control; sid:2034293; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004929; classtype:web-application-attack; sid:2004929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action=log&ip="; content:"&usrname="; distance:0; content:"&server=C|2e|I|2e|A"; distance:0; fast_pattern; reference:md5,7055137624d83f3c6025caf1e62e85f6; classtype:command-and-control; sid:2034294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pilot Online Training Solution news_read.php id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/news_read.php?id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; reference:url,doc.emergingthreats.net/2008616; classtype:web-application-attack; sid:2008616; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - GetTasks Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//get-tasks.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|HWID|0d 0a|Host|0d 0a 0d 0a|"; bsize:16; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034299; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pixel8 Web Photo Album AlbumID SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Photo.asp?"; nocase; content:"AlbumID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33373/; reference:url,milw0rm.com/exploits/7627; reference:url,doc.emergingthreats.net/2009056; classtype:web-application-attack; sid:2009056; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - Report Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//report.php"; endswith; http.header; content:"IPINFO|3a 20 7b 22|status|22 3a 22|"; fast_pattern; http.header_names; content:"|0d 0a|UN|0d 0a|MN|0d 0a|"; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pligg check_url.php url parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/evb/check_url.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7544; reference:bugtraq,32970; reference:url,doc.emergingthreats.net/2009055; classtype:web-application-attack; sid:2009055; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NO Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:76; content:"MB|00 00|"; offset:32; depth:9; content:"|32 2e 32 d5 fd ca bd b0 e6 00 00 00|"; endswith; fast_pattern; reference:md5,e09e70ae301e0816355ad0bfa0ab8707; classtype:command-and-control; sid:2034301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger plog-download.php checked Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/plog-download.php?"; nocase; content:"checked[]="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,30547; reference:url,xforce.iss.net/xforce/xfdb/44233; reference:url,milw0rm.com/exploits/6204; reference:url,doc.emergingthreats.net/2009936; classtype:web-application-attack; sid:2009936; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands)"; flow:established,to_server; http.request_line; content:"GET|20|/console.php|20|HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:34; reference:md5,c028d598f8ba842bc03631f92bc6f242; reference:url,twitter.com/malwrhunterteam/status/1454160943471079425; classtype:trojan-activity; sid:2034305; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/classes/pctemplate.php?"; nocase; content:"pcConfig[smartyPath]="; nocase; pcre:"/pcConfig\[smartyPath\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt; reference:url,doc.emergingthreats.net/2010466; classtype:web-application-attack; sid:2010466; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Sending System Information)"; flow:established,to_server; http.request_line; content:"POST|20|/console.php|20|HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.request_body; content:"FROM|20|"; startswith; content:"User|20|accounts|20|for"; content:"Directory|20|of|20|"; http.header_names; content:!"Referer"; reference:md5,c028d598f8ba842bc03631f92bc6f242; reference:url,twitter.com/malwrhunterteam/status/1454160943471079425; classtype:trojan-activity; sid:2034306; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id SELECT"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004905; classtype:web-application-attack; sid:2004905; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com)"; dns.query; content:"cnc.pinklander.com"; nocase; bsize:18; reference:url,blog.netlab.360.com/pink-en/; classtype:domain-c2; sid:2034317; rev:1; metadata:attack_target IoT, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004906; classtype:web-application-attack; sid:2004906; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sabsik.FL.B!ml Checkin"; flow:established,to_server; content:"|02|"; startswith; content:"|05 4c 41 75 74 6f 20 28|"; offset:5; depth:8; fast_pattern; content:"|29|"; distance:0; isdataat:!30,relative; reference:md5,0792e225ebae5021f0dd6c333026ee00; classtype:command-and-control; sid:2034313; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id INSERT"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004907; classtype:web-application-attack; sid:2004907; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/PSW.Agent_AGen.A Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:!"-"; distance:0; http.user_agent; content:"GRequests/0.10"; bsize:14; http.request_body; content:"|5c 5c 2f|arch|2e|zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; reference:md5,662002d61f1aebd64fc204ce40fd65f2; classtype:command-and-control; sid:2034315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id DELETE"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004908; classtype:web-application-attack; sid:2004908; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual CnC Activity"; flow:established,to_server; urilen:<50; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]+/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"vl="; startswith; pcre:"/^[0-9D]+$/R"; reference:md5,b0ab12a5a4c232c902cdeba421872c37; classtype:command-and-control; sid:2034325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag TA450, updated_at 2021_11_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id ASCII"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004909; classtype:web-application-attack; sid:2004909; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-59 Related Domain in DNS Lookup"; dns.query; content:"itoxtlthpw.com"; nocase; bsize:14; reference:url,otx.alienvault.com/pulse/61811ddc259f23fdd630e196; classtype:domain-c2; sid:2034334; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, malware_family apt_c_59, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004910; classtype:web-application-attack; sid:2004910; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Vv/"; fast_pattern; startswith; pcre:"/\.(dll|exe|zip|json)$/i"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005621; classtype:web-application-attack; sid:2005621; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST"; flow:established,to_server; http.request_line; content:"POST /log HTTP/1.1"; fast_pattern; startswith; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UNION SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005622; classtype:web-application-attack; sid:2005622; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Related Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/details.php?image="; fast_pattern; content:".PRJ"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1455489336850325519; reference:md5,606695bae4f0eb5ba0f35b8897b9f57a; classtype:trojan-activity; sid:2034342; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid INSERT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005623; classtype:web-application-attack; sid:2005623; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /EbhM HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(compatible|3b 20|MSIE|20|9.0|3b 20|Windows|20|NT|20|6.0|3b 20|Trident/5.0)"; bsize:63; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,72dac7c7f9c50d8ab420acb75132f631; reference:url,twitter.com/BlackLotusLabs/status/1456314419215020043; classtype:trojan-activity; sid:2034346; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid DELETE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005624; classtype:web-application-attack; sid:2005624; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /9Wla HTTP/1.1"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,ac45cc9b586d30836bb2997745a5208e; reference:url,twitter.com/malwrhunterteam/status/1455885521905934339; classtype:trojan-activity; sid:2034347; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid ASCII"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005625; classtype:web-application-attack; sid:2005625; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SolarMarker Backdoor Related Domain in DNS Lookup (noelfpar .com)"; dns.query; content:"noelfpar.com"; nocase; bsize:12; reference:url,twitter.com/MBThreatIntel/status/1456395490820440065; classtype:domain-c2; sid:2034348; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005626; classtype:web-application-attack; sid:2005626; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (bitsadmin .ddns .net)"; dns.query; content:"bitsadmin.ddns.net"; nocase; bsize:18; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:targeted-activity; sid:2034350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005627; classtype:web-application-attack; sid:2005627; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (list-sert .ddns .net)"; dns.query; content:"list-sert.ddns.net"; nocase; bsize:18; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:domain-c2; sid:2034351; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UNION SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005628; classtype:web-application-attack; sid:2005628; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon CnC Activity (Sending Windows System Information)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_540AD80E/walt.html"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid INSERT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005629; classtype:web-application-attack; sid:2005629; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon Activity (Retrieving Remote .dot)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prior/energy/bidding.dot"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid DELETE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005630; classtype:web-application-attack; sid:2005630; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9]{9,12}\/t\.html$/U"; http.request_line; content:"/t.html HTTP/1.1"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; startswith; content:!"Referer"; reference:md5,1b18012902faa7670ceef2b6a12953f8; reference:md5,1a23e15c82ebc19f52a4da440cec596e; reference:url,twitter.com/Max_Mal_/status/1456555275326996497; classtype:trojan-activity; sid:2034355; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid ASCII"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005631; classtype:web-application-attack; sid:2005631; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/BlackNet Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"?key="; content:!"?token="; content:!"/index.php"; content:!"act=bkw9"; nocase; content:!"?data="; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:16; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005632; classtype:web-application-attack; sid:2005632; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Certificate (cloudflace-network .digital)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudflace-network.digital"; bsize:29; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/; classtype:domain-c2; sid:2034356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid SELECT"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005633; classtype:web-application-attack; sid:2005633; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital)"; flow:established,to_server; tls.sni; content:"stackpatc-technologies.digital"; bsize:30; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; classtype:domain-c2; sid:2034357; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UNION SELECT"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005634; classtype:web-application-attack; sid:2005634; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oscp/"; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:57; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; reference:md5,f790bea81673806479e30337629fa605; classtype:trojan-activity; sid:2034358; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid INSERT"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005635; classtype:web-application-attack; sid:2005635; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital)"; dns.query; content:"rackspare-technology.digital"; nocase; bsize:28; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034391; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid DELETE"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005636; classtype:web-application-attack; sid:2005636; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Cert (asurecloud .tech)"; flow:established,to_client; tls.cert_subject; content:"CN=asurecloud.tech"; bsize:18; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034392; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid ASCII"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005637; classtype:web-application-attack; sid:2005637; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI)"; flow:established,to_server; tls.sni; content:"asureupdate.tech"; bsize:16; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; reference:md5,80447e4ec87e319bdc6895e04b18363e; classtype:domain-c2; sid:2034393; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005638; classtype:web-application-attack; sid:2005638; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (asureupdate .pro)"; dns.query; content:"asureupdate.pro"; nocase; bsize:15; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034394; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/user/User_ChkLogin.asp?"; nocase; content:"ComeUrl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39696; reference:url,secunia.com/advisories/39627; reference:url,doc.emergingthreats.net/2011117; classtype:web-application-attack; sid:2011117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Beacon)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"s6rt&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034367; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerNews news.php newsid parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33363/; reference:url,milw0rm.com/exploits/7641; reference:url,doc.emergingthreats.net/2009057; classtype:web-application-attack; sid:2009057; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Download)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"xrtf&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/footer.inc.php?"; nocase; content:"settings[footer]="; nocase; reference:cve,CVE-2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009659; classtype:web-application-attack; sid:2009659; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Upload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"o543n&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/header.inc.php?"; nocase; content:"settings[header]="; nocase; reference:cve,CVE-2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009660; classtype:web-application-attack; sid:2009660; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M1"; flow:established,to_server; http.uri; content:"/?proto="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Auctions id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gotourl.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/6839; reference:url,secunia.com/advisories/32373; reference:url,doc.emergingthreats.net/2008786; classtype:web-application-attack; sid:2008786; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:"/?kind="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/Script/store_info.php?"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.securityfocus.com/bid/37541/info; reference:url,doc.emergingthreats.net/2010604; classtype:web-application-attack; sid:2010604; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M3"; flow:established,to_server; http.uri; content:"/?pt="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034372; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Podcast Portal tour.php id SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Tour.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32563/; reference:url,milw0rm.com/exploits/6997; reference:url,doc.emergingthreats.net/2008823; classtype:web-application-attack; sid:2008823; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LNK/Agent.GX CnC Traffic"; flow:established,to_server; http.method; content:"GET"; http.header; content:!"Referer"; content:"UA-CPU"; http.uri; pcre:"/^\/[a-zA-Z0-9+=]{29,44}.{0,8}=$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|Trident|2f|7.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.0.30729|3b 20|.NET CLR 3.5.30729)"; bsize:156; fast_pattern; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034410; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006354; classtype:web-application-attack; sid:2006354; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WBK Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".wbk"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".wbk HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2034396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006355; classtype:web-application-attack; sid:2006355; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".digitalmarketingagency.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034373; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006356; classtype:web-application-attack; sid:2006356; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".centosupdatecdn.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034374; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/include/prodler.class.php?"; nocase; content:"sPath="; nocase; pcre:"/sPath\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/58298; reference:url,doc.emergingthreats.net/2010276; classtype:web-application-attack; sid:2010276; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".wsuslink.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rating/rate.php?"; nocase; content:"id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009672; classtype:web-application-attack; sid:2009672; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hpesystem.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034376; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rating/postcomments.php?"; nocase; content:"id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009673; classtype:web-application-attack; sid:2009673; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ndianmombais.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034377; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PozScripts Business Directory Script cid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcategory.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,frsirt.com/english/advisories/2008/3118; reference:url,milw0rm.com/exploits/7098; reference:url,doc.emergingthreats.net/2008865; classtype:web-application-attack; sid:2008865; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".micrsoftonline.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/server_request.php?"; nocase; content:"CONFIG[gameroot]="; nocase; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009503; classtype:web-application-attack; sid:2009503; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnscdn.org"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/qlib/smarty.inc.php?"; nocase; content:"CONFIG[gameroot]="; nocase; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009505; classtype:web-application-attack; sid:2009505; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".uctpostgraduate.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/qte_web.php?"; nocase; content:"qte_web_path="; nocase; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009746; classtype:web-application-attack; sid:2009746; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zonestatistic.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/bin/qte_init.php?"; nocase; content:"qte_root="; nocase; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009724; classtype:web-application-attack; sid:2009724; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".akastatus.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010185; classtype:web-application-attack; sid:2010185; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".updatecdn.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010186; classtype:web-application-attack; sid:2010186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".sysadminnews.info"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034384; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010187; classtype:web-application-attack; sid:2010187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".windowsupdatecdn.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034385; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010188; classtype:web-application-attack; sid:2010188; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnsanalizer.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034386; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010189; classtype:web-application-attack; sid:2010189; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".defenderstatus.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034387; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RS-CMS rscms_mod_newsview.php key Parameter Processing Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rscms_mod_newsview.php?"; nocase; content:"key="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/9000; reference:url,vupen.com/english/advisories/2009/1658; reference:url,doc.emergingthreats.net/2010021; classtype:web-application-attack; sid:2010021; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".checkinternet.org"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034388; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/top_graph_header.php?"; nocase; content:"config[library_path]="; nocase; pcre:"/config\[library_path\]=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,14030; reference:url,doc.emergingthreats.net/2010097; classtype:web-application-attack; sid:2010097; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".securednsservice.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034389; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rakhi Software Price Comparison Script product.php subcategory_id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/product.php?"; nocase; content:"subcategory_id="; nocase; content:"UNION"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32504; reference:url,milw0rm.com/exploits/7250; reference:url,doc.emergingthreats.net/2008924; classtype:web-application-attack; sid:2008924; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnscatalog.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034390; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id SELECT"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005681; classtype:web-application-attack; sid:2005681; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; dotprefix; content:".ncdn.space"; nocase; endswith; classtype:trojan-activity; sid:2031111; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2021_11_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005682; classtype:web-application-attack; sid:2005682; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app)"; dns.query; content:"akastat.app"; nocase; bsize:11; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034398; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id INSERT"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005683; classtype:web-application-attack; sid:2005683; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz)"; flow:established,to_client; tls.cert_subject; content:"CN=cdnengine.biz"; bsize:16; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034399; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id DELETE"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005684; classtype:web-application-attack; sid:2005684; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI)"; flow:established,to_server; tls.sni; content:"azurestat.app"; bsize:13; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034400; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id ASCII"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005685; classtype:web-application-attack; sid:2005685; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech)"; dns.query; content:"akamaclouds.tech"; nocase; bsize:16; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034401; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005686; classtype:web-application-attack; sid:2005686; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rpc"; bsize:4; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; reference:md5,f7810878118c08539c0cb0c60e4a23b7; reference:md5,8ccc051bbaf6dc9cb76bfea2bbd8f6d4; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:trojan-activity; sid:2034402; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005021; classtype:web-application-attack; sid:2005021; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=setupfastonline.com"; bsize:22; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034403; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005022; classtype:web-application-attack; sid:2005022; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site)"; dns.query; content:"akamalupdate.site"; nocase; bsize:17; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034404; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user INSERT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005023; classtype:web-application-attack; sid:2005023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible SombRAT Initial DNS Lookup"; dns.query; content:!".amazonaws.com"; content:"images"; nocase; depth:6; fast_pattern; content:!"images."; depth:7; content:"."; distance:8; within:1; pcre:"/^images[a-f0-9]{8}\./i"; reference:md5,f43377b04b66d1aed783cd6037e3298d; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; classtype:trojan-activity; sid:2031251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user DELETE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005024; classtype:web-application-attack; sid:2005024; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg)"; dns.query; content:"c2.hax.vg"; nocase; bsize:9; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034405; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user ASCII"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005025; classtype:web-application-attack; sid:2005025; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http.content_len; byte_test:0,>,60,0,string,dec; byte_test:0,<,150,0,string,dec; http.connection; content:"close"; bsize:5; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/i"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,41c33fdb9a95353a3b109393543f90dd; classtype:command-and-control; sid:2016223; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005026; classtype:web-application-attack; sid:2005026; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech)"; dns.query; content:"azuresecure.tech"; nocase; bsize:16; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034406; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005027; classtype:web-application-attack; sid:2005027; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud)"; dns.query; content:"securesurvey.cloud"; nocase; bsize:18; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034407; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UNION SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005028; classtype:web-application-attack; sid:2005028; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech)"; dns.query; content:"akabox.tech"; nocase; bsize:11; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034408; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password INSERT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005029; classtype:web-application-attack; sid:2005029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com)"; dns.query; content:"electronicwhosaleonline.com"; nocase; bsize:27; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034409; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password DELETE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005030; classtype:web-application-attack; sid:2005030; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_cmd.php"; distance:3; within:11; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password ASCII"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005031; classtype:web-application-attack; sid:2005031; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_jscript.php"; distance:3; within:15; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005032; classtype:web-application-attack; sid:2005032; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uaic.nl"; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:domain-c2; sid:2034429; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005093; classtype:web-application-attack; sid:2005093; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M14"; flow:established,to_client; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:isset,ET.Parallax-14; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032527; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005094; classtype:web-application-attack; sid:2005094; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M14"; flow:established,to_server; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:set,ET.Parallax-14; flowbits:noalert; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032526; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id INSERT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005095; classtype:web-application-attack; sid:2005095; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity (set) M16"; flow:established,to_server; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:set,ET.Parallax-16; flowbits:noalert; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034432; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id DELETE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005096; classtype:web-application-attack; sid:2005096; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M15"; flow:established,to_client; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:isset,ET.Parallax-15; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ASCII"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005097; classtype:web-application-attack; sid:2005097; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M15"; flow:established,to_server; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:set,ET.Parallax-15; flowbits:noalert; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005098; classtype:web-application-attack; sid:2005098; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (lurkingnet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lurkingnet.com"; bsize:14; fast_pattern; classtype:domain-c2; sid:2034434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005099; classtype:web-application-attack; sid:2005099; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (autoconfirmations .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"autoconfirmations.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005100; classtype:web-application-attack; sid:2005100; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (singlefunctionapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"singlefunctionapp.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass INSERT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005101; classtype:web-application-attack; sid:2005101; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M16"; flow:established,to_client; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:isset,ET.Parallax-16; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass DELETE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005102; classtype:web-application-attack; sid:2005102; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Compromised  Domain (cryptoarenastore .com in TLS SNI) (2021-11-12)"; flow:established,to_server; tls.sni; dotprefix; content:".cryptoarenastore.com"; endswith; fast_pattern; reference:md5,4965ac0316d652fe5026b4b92d563672; classtype:trojan-activity; sid:2034441; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ASCII"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005103; classtype:web-application-attack; sid:2005103; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=Sfgh"; bsize:7; fast_pattern; tls.cert_issuer; content:"CN=Sfgh"; bsize:7; reference:md5,353bf835f7858ee5a1a77e70cef01607; classtype:domain-c2; sid:2034456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005104; classtype:web-application-attack; sid:2005104; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Emotet CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header_names; content:"|0d 0a|Cookie|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.cookie; bsize:>250; pcre:"/^[A-Za-z0-9]{1,15}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:md5,bc3532085a0b4febd9eed51aac2180d0; classtype:command-and-control; sid:2034459; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2021_11_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Real Estate Manager realestate-index.php cat_id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"realestate-index.php?"; nocase; content:"&cat_id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32049/; reference:url,www.milw0rm.com/exploits/6599; reference:url,doc.emergingthreats.net/2008615; classtype:web-application-attack; sid:2008615; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com)"; dns.query; content:"awsmcafee.com"; nocase; bsize:13; reference:md5,a8e97752bb385cc263d89350518633c2; reference:url,twitter.com/fr0s7_/status/1458150977278726147; classtype:domain-c2; sid:2034462; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RealtyListings type.asp iType Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/type.asp?"; nocase; content:"iType="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009049; classtype:web-application-attack; sid:2009049; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M5"; flow:established,to_server; http.request_line; content:"GET /jquery-3.3.2.slim.min.js HTTP/1.1"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:47; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,twitter.com/fr0s7_/status/1458150977278726147; reference:md5,a8e97752bb385cc263d89350518633c2; classtype:trojan-activity; sid:2034463; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009050; classtype:web-application-attack; sid:2009050; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M1"; dsize:16; flow:established,to_server; stream_size:client,>,200; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 c9|"; reference:md5,0428de20539f8341f0987457bc96fd9f; reference:md5,57e582c2a00cfb50a748b78b6c17ee74; classtype:command-and-control; sid:2035632; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid SELECT"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006939; classtype:web-application-attack; sid:2006939; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"=eyIzQ0VrIjoi"; fast_pattern; pcre:"/(?:IiwiM2ZlMTEiOi|IsIjNmZTExIjoi|iLCIzZmUxMSI6I)/R"; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034466; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UNION SELECT"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006940; classtype:web-application-attack; sid:2006940; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"=eyIzbTd4Ijoi"; fast_pattern; pcre:"/(?:IiwiYXU1byI6I|IsImF1NW8iOi|iLCJhdTVvIjoi)/R"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:trojan-activity; sid:2034469; rev:1; metadata:created_at 2021_11_16, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid INSERT"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006941; classtype:web-application-attack; sid:2006941; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Matanbuchus Loader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<,100,0,string,dec; http.response_body; content:"eyJoc3pBIjoi"; startswith; fast_pattern; pcre:"/(?:ifQ==|In0=|J9)$/"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034470; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid DELETE"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006942; classtype:web-application-attack; sid:2006942; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Post)"; flow:established,to_server; http.uri; content:!"/uup.php"; http.header; content:!".360.cn|0d 0a|"; content:!".360.com|0d 0a|"; content:!".360safe.com|0d 0a|"; http.user_agent; content:"Post"; fast_pattern; bsize:4; classtype:trojan-activity; sid:2014366; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ASCII"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006943; classtype:web-application-attack; sid:2006943; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com)"; dns.query; content:"bg.knonwsec.com"; nocase; bsize:15; reference:url,twitter.com/malwrhunterteam/status/1425771461499920385; reference:md5,e31a96ce2760c27a4f1cf83a0b5da83b; classtype:domain-c2; sid:2034473; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006944; classtype:web-application-attack; sid:2006944; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; pcre:"/^[a-z]{256}-\.jpg$/R"; http.header_names; content:"|0d 0a|Referer|0d 0a|Accept|0d 0a|Pragma|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; reference:md5,e31a96ce2760c27a4f1cf83a0b5da83b; reference:url,twitter.com/malwrhunterteam/status/1425771461499920385; classtype:trojan-activity; sid:2034474; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid SELECT"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006945; classtype:web-application-attack; sid:2006945; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WIN-"; startswith; content:"/source.jng"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,5aba4f68dcb7107f921d12410b62b538; reference:url,twitter.com/h2jazi/status/1457759124037439491; classtype:trojan-activity; sid:2034475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UNION SELECT"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006946; classtype:web-application-attack; sid:2006946; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Associated Activity (GET)"; flow:established,to_server; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Power Off"; bsize:9; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/spike-danabot-malware-activity; classtype:trojan-activity; sid:2034471; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid INSERT"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006947; classtype:web-application-attack; sid:2006947; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Unattributed WebShell Access - File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"exec_code=put"; fast_pattern; content:"delimiter="; content:"dst="; reference:url,thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/; classtype:attempted-admin; sid:2034500; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid DELETE"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006948; classtype:web-application-attack; sid:2006948; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Unattributed WebShell Access - Command Execution"; flow:established,to_server; http.uri; content:"exec_code=put"; fast_pattern; content:"delimiter="; content:!"dst="; reference:url,thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/; classtype:attempted-admin; sid:2034501; rev:1; metadata:created_at 2021_11_18, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid ASCII"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006949; classtype:web-application-attack; sid:2006949; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/AbcBot CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; fast_pattern; http.request_body; content:"OS|3a|"; content:"CPU|3a|"; distance:0; content:"os-name|3a|"; distance:0; content:"lanip|3a|"; distance:0; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:command-and-control; sid:2034502; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, malware_family AbcBot, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006950; classtype:web-application-attack; sid:2006950; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/AbcBot Requesting Commands from CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/getlist"; fast_pattern; http.content_len; content:"1"; bsize:1; http.request_body; content:"1"; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:command-and-control; sid:2034503; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, malware_family AbcBot, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/addons/version/pages/index.inc.php?"; nocase; content:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//i"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011254; classtype:web-application-attack; sid:2011254; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA408 Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?query=5 HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:!"Referer"; reference:url,twitter.com/AhnLab_SecuInfo/status/1460101266760089600; reference:md5,e521c68ac280c00b0e27cbd2fed4c9c4; classtype:trojan-activity; sid:2034511; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_18, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/pages/specials.inc.php?"; nocase; content:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//i"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011255; classtype:web-application-attack; sid:2011255; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:!"&"; content:"=ey"; depth:13; fast_pattern; pcre:"/^[IJKL].*(?:PT0iLC|09Iiwi|9PSIsI)[a-zA-Z0-9+\/]+(?:PT0iLC|09Iiwi|9PSIsI)/R"; http.header_names; content:!"Referer"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034468; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rematic CMS referenzdetail.php id parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/referenzdetail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; reference:url,doc.emergingthreats.net/2009011; classtype:web-application-attack; sid:2009011; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9]{5,12}&a=/R"; content:"&a=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; reference:md5,a86f56aa7d6ce07b9639cf34e798b102; classtype:command-and-control; sid:2034516; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_19, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rematic CMS produkte.php id parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/produkte.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; reference:url,doc.emergingthreats.net/2009012; classtype:web-application-attack; sid:2009012; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response M2"; flow:established,to_client; http.response_body; content:"/d/s/c"; depth:20; fast_pattern; content:"node.exe"; distance:0; content:"7C%"; distance:0; content:"7C%"; within:10; content:"ActiveXObject"; distance:0; content:"252Cunescape%25"; distance:0; content:"WScript"; within:23; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp; reference:md5,79b9a5e7b2e87ad7f99fbcd7d7d0a9ed; classtype:command-and-control; sid:2034517; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_19, deployment Perimeter, former_category MALWARE, malware_family lu0bot, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php SELECT"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004600; classtype:web-application-attack; sid:2004600; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SHLAYER CnC"; flow:established,to_server; http.request_line; content:"POST http://"; fast_pattern; http.uri; content:"/l"; bsize:2; http.host; content:"api."; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; http.request_body; content:"cs="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,4d86ae25913374cfcb80a8d798b9016e; reference:url,securelist.com/shlayer-for-macos/95724/; classtype:command-and-control; sid:2030231; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UNION SELECT"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004601; classtype:web-application-attack; sid:2004601; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Requesting Command"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand.php?id="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029180; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php INSERT"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004602; classtype:web-application-attack; sid:2004602; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (llink .link)"; dns.query; content:"llink.link"; nocase; bsize:10; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034522; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php DELETE"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004603; classtype:web-application-attack; sid:2004603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .app)"; dns.query; content:"cuturl.app"; nocase; bsize:10; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034523; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php ASCII"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004604; classtype:web-application-attack; sid:2004604; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (url-tiny .co)"; dns.query; content:"url-tiny.co"; nocase; bsize:11; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034524; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004605; classtype:web-application-attack; sid:2004605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (bitly .tel)"; dns.query; content:"bitly.tel"; nocase; bsize:9; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034525; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID SELECT"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005687; classtype:web-application-attack; sid:2005687; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (instagrarn .co)"; dns.query; content:"instagrarn.co"; nocase; bsize:13; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034526; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005688; classtype:web-application-attack; sid:2005688; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .space)"; dns.query; content:"cuturl.space"; nocase; bsize:12; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034527; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID INSERT"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005689; classtype:web-application-attack; sid:2005689; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/3"; bsize:6; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:65; reference:md5,c3c7bfb6c4f0e5c7a455ee1066893552; reference:url,blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html; classtype:trojan-activity; sid:2034528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID DELETE"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005690; classtype:web-application-attack; sid:2005690; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/2"; bsize:6; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:49; reference:md5,1cc3c8d9bdc43fd4f792b40fdf1333bc; reference:url,blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html; classtype:trojan-activity; sid:2034529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID ASCII"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005691; classtype:web-application-attack; sid:2005691; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; dns.query; content:"crpt"; fast_pattern; depth:4; pcre:"/^[a-zA-Z0-9]{12}\.onion/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:5; metadata:created_at 2015_01_23, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005692; classtype:web-application-attack; sid:2005692; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex CnC Request - Spam/Worm Component"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PJ3ZQWVJPYCYDCA9A6Q2Y6YA"; bsize:25; fast_pattern; classtype:command-and-control; sid:2034532; rev:1; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID SELECT"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005693; classtype:web-application-attack; sid:2005693; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"@"; content:"|22|,|22|"; pcre:"/^\x7b(?:\x22[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.[a-z]{2,10}\x22,){4}\x22[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.[a-z]{2,10}\x22\x7d$/"; flowbits:isset,ET.Dridex.Email.Sets.1; classtype:command-and-control; sid:2034534; rev:1; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005694; classtype:web-application-attack; sid:2005694; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SideCopy Related Domain in DNS Lookup (securedesk .one)"; dns.query; content:"securedesk.one"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1460744936635224064; reference:md5,a42ea41f21e36173bb0fc268262a15ae; classtype:domain-c2; sid:2034538; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID INSERT"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005695; classtype:web-application-attack; sid:2005695; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (a .pwn-t .tk)"; dns.query; content:"a.pwn-t.tk"; nocase; bsize:10; reference:url,twitter.com/TheDFIRReport/status/1463175512000368640; reference:md5,36be5b491426de64f9ac85c50f85808c; classtype:domain-c2; sid:2034539; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID DELETE"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005696; classtype:web-application-attack; sid:2005696; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; pcre:"/^[a-z]{256}\.gif$/R"; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*l|3b|q=0.8|0d 0a|"; fast_pattern; reference:url,twitter.com/TheDFIRReport/status/1463175512000368640; reference:md5,36be5b491426de64f9ac85c50f85808c; classtype:trojan-activity; sid:2034540; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID ASCII"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005697; classtype:web-application-attack; sid:2005697; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Snojan.BNQKZQH User-Agent"; flow:established,to_server; http.user_agent; content:"|29 20|leee Maxwe"; endswith; nocase; reference:md5,83d2fa0e16b39ee2280dea9d8f89aa48; classtype:command-and-control; sid:2034536; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005698; classtype:web-application-attack; sid:2005698; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Snojan.BNQKZQH CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action="; content:"&id="; distance:0; isdataat:!18,relative; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"eyJwYXNzIjoi"; startswith; fast_pattern; reference:md5,83d2fa0e16b39ee2280dea9d8f89aa48; classtype:command-and-control; sid:2034537; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005699; classtype:web-application-attack; sid:2005699; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (zuppohealth .com)"; dns.query; content:"zuppohealth.com"; nocase; bsize:15; reference:url,github.com/pan-unit42/tweets/blob/master/2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt; reference:url,twitter.com/Unit42_Intel/status/1463178309160906753; classtype:domain-c2; sid:2034541; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005700; classtype:web-application-attack; sid:2005700; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 29|"; fast_pattern; endswith; http.header_names; content:!"BlueCoat"; nocase; http.host; content:!".bluecoat.com"; classtype:trojan-activity; sid:2014002; rev:12; metadata:created_at 2011_12_08, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005701; classtype:web-application-attack; sid:2005701; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/InfoTester Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"JTU3JTY5JTZFJTY0JTZGJTc3JTczJTNBJTIw"; startswith; fast_pattern; pcre:"/(?:JTBEJTBBJTBEJTBBJTREJTY1JTZEJTZGJTcyJTc5JTNBJTIw|UwRCUwQSUwRCUwQSU0RCU2NSU2RCU2RiU3MiU3OSUzQSUyM|lMEQlMEElMEQlMEElNEQlNjUlNkQlNkYlNzIlNzklM0ElMj)/R"; reference:md5,1d081e356b0593df10bcb12de2931ffa; classtype:command-and-control; sid:2034543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005702; classtype:web-application-attack; sid:2005702; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (wordfile .live)"; dns.query; content:"wordfile.live"; nocase; bsize:13; reference:md5,5c45a038846aea315595b97b0a619f1a; reference:md5,67abe8b04f62eb55b6b880668fb8a634; reference:url,twitter.com/ShadowChasing1/status/1463498326481932289; classtype:domain-c2; sid:2034544; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005703; classtype:web-application-attack; sid:2005703; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Dotted Quad CnC Request (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; pcre:"/^[A-Z0-9]{15,40}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d+)?$/"; flowbits:set,ET.Dridex.Email.Sets.1; flowbits:noalert; classtype:command-and-control; sid:2034533; rev:2; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005704; classtype:web-application-attack; sid:2005704; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex CnC Request - Spam/Worm Component"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG"; bsize:38; fast_pattern; classtype:command-and-control; sid:2034542; rev:1; metadata:created_at 2021_11_24, former_category MALWARE, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005705; classtype:web-application-attack; sid:2005705; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9]{9,12}\/x\.html$/"; http.request_line; content:"/x.html HTTP/1.1"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; startswith; content:!"Referer"; reference:md5,d868b389f2f824a32367767a17b397b8; reference:url,www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html; classtype:trojan-activity; sid:2034546; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_11_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005706; classtype:web-application-attack; sid:2005706; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Bobik CnC Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?key="; http.user_agent; content:"test-upload"; bsize:11; fast_pattern; http.request_body; content:"lang="; startswith; content:"&image=iVBORw"; distance:0; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:command-and-control; sid:2034547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005707; classtype:web-application-attack; sid:2005707; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (checkauj .com)"; dns.query; content:"checkauj.com"; nocase; bsize:12; reference:md5,ab3a744545a12ba2f6789e94b789666a; reference:url,thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/; classtype:domain-c2; sid:2034551; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005708; classtype:web-application-attack; sid:2005708; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VNCStartServer BOT Variant CnC Beacon"; flow:established,to_server; dsize:<100; content:"|00 00 00 19 00 00 00|"; offset:1; depth:7; content:"|01 00 00|"; distance:1; within:3; content:"BOT-"; distance:1; within:7; fast_pattern; content:"|00|"; endswith; reference:md5,d66956e0ee70a60e19a4f310339d28a9; classtype:command-and-control; sid:2035524; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005709; classtype:web-application-attack; sid:2005709; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity Sending Windows Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php?"; startswith; content:"=C|3a 5c|Program"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.request_body; content:"v="; startswith; content:"|20|svchost.exe|20|"; content:"&r="; reference:md5,40de99fb06e52e3364f2cd70f100ff71; reference:url,twitter.com/h2jazi/status/1465402736996933640; classtype:trojan-activity; sid:2034560; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005710; classtype:web-application-attack; sid:2005710; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.DarkVNC Variant Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|4a 01 4f 97 00 1c 84 df cd 3f 1f eb 14 28 b1 ba fa 0e 7e de 22 e0 33 cb a5 8c 23 75 ea e4 e4 3e|"; startswith; fast_pattern; reference:md5,1e081d3f09f24a81194327628a25c214; reference:url,www.malware-traffic-analysis.net/2021/11/05/index.html; classtype:command-and-control; sid:2034557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005711; classtype:web-application-attack; sid:2005711; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stanculinaryblog .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"stanculinaryblog.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2034558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005712; classtype:web-application-attack; sid:2005712; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5938,!1935,!3265,!2394,!1514] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; stream_size:server,<,5; dsize:>11; content:"|00 00|"; offset:2; depth:2; content:!"|00 00|"; depth:2; content:"|9c 4b|"; offset:8; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -9; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,edc84c505d101301459dafab296fb743; classtype:command-and-control; sid:2023349; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Major, tag Gh0st, updated_at 2021_11_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat INSERT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005713; classtype:web-application-attack; sid:2005713; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart Exfil Domain in DNS Lookup (convert-server .com)"; dns.query; content:"convert-server.com"; nocase; bsize:18; reference:url,twitter.com/rootprivilege/status/1465763408901337092; classtype:trojan-activity; sid:2034568; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat DELETE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005714; classtype:web-application-attack; sid:2005714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder APT Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.rtf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,e096b33467e6018944c05fb6e4bb03a0; reference:url,twitter.com/ShadowChasing1/status/1466001768765018116; classtype:trojan-activity; sid:2034569; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat ASCII"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005715; classtype:web-application-attack; sid:2005715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (ny .silvergatehr .com)"; dns.query; content:"ny.silvergatehr.com"; nocase; bsize:19; reference:md5,69c9881a6b7b89a648074328292da7e8; reference:md5,84dd7ccb69d0010c97c1fc336650d5e2; reference:url,twitter.com/ShadowChasing1/status/1465998020734898176; classtype:domain-c2; sid:2034570; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005716; classtype:web-application-attack; sid:2005716; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/September/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,3182b68be6c01537d466415d4eda7933; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034571; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005717; classtype:web-application-attack; sid:2005717; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sequence/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6cc602c79e906a64af6c30581ca77906; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034572; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UNION SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005718; classtype:web-application-attack; sid:2005718; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Windows-AzureAD-Authentication-Provider/"; startswith; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034467; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword INSERT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005719; classtype:web-application-attack; sid:2005719; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Agent.NL Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getconfig.php?r="; fast_pattern; pcre:"/^[0-9]+$/R"; http.content_type; content:"application/json"; bsize:16; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|7b 22|data|22 3a 22|"; startswith; content:!"|3a|"; distance:0; reference:md5,d37bb6fc88cd71f86a3d4211a064d80b; classtype:command-and-control; sid:2034580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword DELETE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005720; classtype:web-application-attack; sid:2005720; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Communicating with CnC Server"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"p="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9%+\/]{4,6})*(?:[A-Za-z0-9%+\/]{2}==|[A-Za-z0-9%+\/]{3}=|[A-Za-z0-9%+\/]{4})$/R"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,274ff72c29b0711d01254c95770ca193; classtype:command-and-control; sid:2034579; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2021_12_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword ASCII"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005721; classtype:web-application-attack; sid:2005721; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; classtype:trojan-activity; sid:2035803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005722; classtype:web-application-attack; sid:2005722; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hancitor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; http.request_body; content:"DATA="; startswith; base64_decode:bytes 156, relative; base64_data; content:"GUID="; content:"&BUILD="; distance:20; content:"&INFO="; distance:0; fast_pattern; content:"&EXT="; distance:0; content:"&IP="; distance:0; content:"&TYPE="; distance:0; content:"&WIN="; distance:0; reference:md5,655d778bd44bf0c6660f92f69e48fd64; reference:url,twitter.com/Jane_0stin/status/1467804081708318722; reference:url,app.any.run/tasks/ca223281-a12f-4f03-b0f7-d152747baefb/; classtype:trojan-activity; sid:2034585; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family Hancitor, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005723; classtype:web-application-attack; sid:2005723; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WIN32/KOVTER.B Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"DoPost"; nocase; http.host; content:!".foxitservice.com"; http.content_len; byte_test:0,<,1000,0,string,dec; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:command-and-control; sid:2020181; rev:11; metadata:created_at 2015_01_15, former_category MALWARE, performance_impact Significant, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UNION SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005724; classtype:web-application-attack; sid:2005724; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA505 P2P CnC Checkin"; flow:established,to_server; http.uri; content:"/c/p1/dnsc.php?n="; fast_pattern; reference:url,research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/; classtype:command-and-control; sid:2034584; rev:1; metadata:created_at 2021_12_06, former_category TROJAN, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area INSERT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005725; classtype:web-application-attack; sid:2005725; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afrepublic .xyz)"; dns.query; content:"afrepublic.xyz"; nocase; bsize:14; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034586; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area DELETE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005726; classtype:web-application-attack; sid:2005726; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (newsroom247 .xyz)"; dns.query; content:"newsroom247.xyz"; nocase; bsize:15; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034587; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area ASCII"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005727; classtype:web-application-attack; sid:2005727; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afghannewsnetwork .com)"; dns.query; content:"afghannewsnetwork.com"; nocase; bsize:21; reference:md5,e9647fa7c1b4a2403b32689298fdee53; reference:md5,99dc4221019a3892c612356d8e9b6ef1; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034588; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005728; classtype:web-application-attack; sid:2005728; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (republicofaf .xyz)"; dns.query; content:"republicofaf.xyz"; nocase; bsize:16; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034589; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005729; classtype:web-application-attack; sid:2005729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM (TA421) EnvyScout Fingerprint Checkin"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|7b 22|io|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|tu|22 3a 22|"; distance:0; content:"|22 2c 22|sd|22 3a 22|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:command-and-control; sid:2033052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family EnvyScout, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005730; classtype:web-application-attack; sid:2005730; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".doggroomingnews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005731; classtype:web-application-attack; sid:2005731; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cityloss.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034603; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005732; classtype:web-application-attack; sid:2005732; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ideasofbusiness.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005733; classtype:web-application-attack; sid:2005733; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".trendignews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034605; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005734; classtype:web-application-attack; sid:2005734; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".giftbox4u.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034606; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005735; classtype:web-application-attack; sid:2005735; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".rchosts.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UNION SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005736; classtype:web-application-attack; sid:2005736; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".businesssalaries.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin INSERT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005738; classtype:web-application-attack; sid:2005738; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stonecrestnews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin DELETE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005739; classtype:web-application-attack; sid:2005739; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dailydews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin ASCII"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005740; classtype:web-application-attack; sid:2005740; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".newminigolf.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034611; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005741; classtype:web-application-attack; sid:2005741; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".celebsinformation.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005742; classtype:web-application-attack; sid:2005742; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".newstepsco.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005743; classtype:web-application-attack; sid:2005743; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stockmarketon.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005744; classtype:web-application-attack; sid:2005744; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".tacomanewspaper.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005745; classtype:web-application-attack; sid:2005745; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".alifemap.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005746; classtype:web-application-attack; sid:2005746; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".myexpertforum.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034617; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005747; classtype:web-application-attack; sid:2005747; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".teachingdrive.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005748; classtype:web-application-attack; sid:2005748; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hanproud.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005749; classtype:web-application-attack; sid:2005749; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".enpport.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005750; classtype:web-application-attack; sid:2005750; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cbdnewsandreviews.net"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034621; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005751; classtype:web-application-attack; sid:2005751; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stonecrestnews.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034622; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005752; classtype:web-application-attack; sid:2005752; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".nordicmademedia.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005753; classtype:web-application-attack; sid:2005753; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".theandersonco.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005754; classtype:web-application-attack; sid:2005754; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".tomasubiera.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034625; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005755; classtype:web-application-attack; sid:2005755; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".midcitylanews.com"; nocase; endswith; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:domain-c2; sid:2034867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005756; classtype:web-application-attack; sid:2005756; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dom-news.com"; nocase; endswith; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:domain-c2; sid:2034869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005757; classtype:web-application-attack; sid:2005757; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M1"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; content:"v1.5472"; endswith; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:command-and-control; sid:2034868; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005758; classtype:web-application-attack; sid:2005758; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (set)"; flow:established,to_server; flowbits:set,ET.maldoc.trick; flowbits:noalert; http.method; content:"GET"; http.uri; content:".png"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|Connection|0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,e6258c27362df0668295258b69a5a74d; classtype:trojan-activity; sid:2034631; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005759; classtype:web-application-attack; sid:2005759; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Maldoc Retrieving Binary"; flow:established,to_client; flowbits:isset,ET.maldoc.trick; http.start; content:"HTTP/1.1 200 OK|0d 0a|Server|3a 20|fasthttp|0d 0a|"; fast_pattern; file.data; content:"MZ"; startswith; reference:md5,e6258c27362df0668295258b69a5a74d; reference:md5,91314d1cdd3bfb38daba9273730ed1a4; classtype:trojan-activity; sid:2034632; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005760; classtype:web-application-attack; sid:2005760; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL KETRUM CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?q="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; startswith; reference:md5,002267297066965505e5e2ea1db867b4; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe; classtype:trojan-activity; sid:2034633; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2021_12_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005761; classtype:web-application-attack; sid:2005761; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL Related CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?newfrs"; startswith; fast_pattern; content:"setssion="; distance:0; http.header_names; content:!"Referer"; http.accept; content:"Accept|3a 20|"; reference:md5,95507bd09d464582e82ed0b2fdf46a31; reference:md5,8a5e766065ea81d1470e4955f0c7f402; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/; classtype:trojan-activity; sid:2034645; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005762; classtype:web-application-attack; sid:2005762; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static-directory/bn.png"; fast_pattern; bsize:24; http.header_names; content:!"Referer"; http.user_agent; content:"Linux|3b 20|Android|20|"; reference:url,twitter.com/kienbigmummy/status/1468836018560192512; reference:md5,f3e31cd5f0972e4dbc789807ad2d129b; classtype:trojan-activity; sid:2034646; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005763; classtype:web-application-attack; sid:2005763; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET ![443,80] -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Keep Alive"; flow:established,to_client; dsize:4; content:"|13 11 18 19|"; threshold:type threshold, count 4, seconds 40, track by_src; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034639; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005764; classtype:web-application-attack; sid:2005764; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET ![443,80] -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response M2"; flow:established,to_client; dsize:<48; content:"|00 00 00 3c|"; startswith; fast_pattern; content:"|01|"; distance:1; within:1; content:"|20|"; distance:4; within:1; pcre:"/^[\x01-\x04]/R"; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034640; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005765; classtype:web-application-attack; sid:2005765; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![443,80] (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M3"; flow:established,to_server; stream_size:server,<,5; dsize:6; content:"|13 11 18 19 01 68|"; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034638; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment SSLDecrypt, former_category MALWARE, signature_severity Minor, updated_at 2021_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011155; classtype:web-application-attack; sid:2011155; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![5938,1433] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|14 24|"; offset:8; fast_pattern; content:!"|00 00|"; distance:-10; within:2; content:"|00 00|"; distance:-4; within:2; byte_jump:4,-8,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2023611; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Major, tag Gh0st, updated_at 2021_12_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011156; classtype:web-application-attack; sid:2011156; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,9127505386ade0774a1671e146e40ed7; classtype:trojan-activity; sid:2034679; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011157; classtype:web-application-attack; sid:2011157; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideCopy APT Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /ab.vbs HTTP/1.1"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"powershell/"; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,64fff1f62c8771e2f558e5cb8694326f; classtype:trojan-activity; sid:2034680; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt"; flow:established,to_server; http.uri; content:"/modules/admincp.php?"; nocase; content:"admin="; nocase; pcre:"/(\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E)/i"; reference:url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt; reference:url,doc.emergingthreats.net/2010610; classtype:web-application-attack; sid:2010610; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"ausq.inaver.org"; nocase; bsize:15; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034688; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/load_lang.php?"; nocase; content:"_SERWEB[configdir]="; nocase; pcre:"/_SERWEB\[configdir\]=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,26747; reference:url,milworm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010124; classtype:web-application-attack; sid:2010124; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"wnqd.navercloud.org"; nocase; bsize:19; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034689; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/main_prepend.php?"; nocase; content:"_SERWEB[functionsdir]="; nocase; pcre:"/_SERWEB\[functionsdir\]=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,26747; reference:url,milworm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010125; classtype:web-application-attack; sid:2010125; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related FTP File Download"; flow:established,to_server; content:"RETR|20|/board/"; fast_pattern; pcre:"/[a-z]{8}.(:?psd|dib)/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcategory.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6903; reference:url,doc.emergingthreats.net/2008815; classtype:web-application-attack; sid:2008815; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php?dhk="; fast_pattern; content:"&user="; distance:0; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/software-description.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6915; reference:url,doc.emergingthreats.net/2008816; classtype:web-application-attack; sid:2008816; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kimsuky Related Malicious VBScript Inbound M3"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"reg add"; nocase; fast_pattern; content:"ftp://"; distance:0; within:200; pcre:"/[a-z]{8}.(:?dib|psd)/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/track.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; reference:url,secunia.com/advisories/32552/; reference:url,milw0rm.com/exploits/6910; reference:url,doc.emergingthreats.net/2008793; classtype:web-application-attack; sid:2008793; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kimsuky Related Malicious VBScript Inbound M4"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"open"; nocase; content:"GET"; distance:0; within:10; content:".php?dhk="; fast_pattern; content:"&user="; content:"&fore="; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/admin/device_admin.php?"; nocase; content:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; reference:url,doc.emergingthreats.net/2011209; classtype:web-application-attack; sid:2011209; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/https:\/\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.[a-z]{3,12}.com\/[a-z]{3,4}\/[a-z0-9]{6}_[a-z0-9]{32}/"; content:".xls?dn="; fast_pattern; content:".xls"; endswith; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp SELECT"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004463; classtype:web-application-attack; sid:2004463; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ugd/"; fast_pattern; pcre:"/^[a-z0-9]{6}_[a-z0-9]{32}/R"; content:".txt"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:md5,d74f268b986fecfa03b81029dd134811; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004464; classtype:web-application-attack; sid:2004464; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"naver.com"; content:"naver"; fast_pattern; pcre:"/\.php\?[a-z]{3}=(baby|child|adult)/i"; content:"&user="; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp INSERT"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004465; classtype:web-application-attack; sid:2004465; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gasti.tm Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|blob|22 0d 0a|"; fast_pattern; content:"name|3d 22|blob|5f|num|22 0d 0a|"; distance:0; content:"name|3d 22|blob|5f|num|22|name|3d 22|total|5f|blob|5f|num|22 0d 0a|"; distance:0; content:"name|3d 22|hashCode|22 0d 0a 0d 0a|"; content:"|0d 0a 2d 2d|"; distance:32; within:4; reference:md5,0b7504c8770d109f0bc326c1dd4cbee4; classtype:command-and-control; sid:2034678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_12_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp DELETE"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004466; classtype:web-application-attack; sid:2004466; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup"; dns.query; content:"api.musicbee.getlist.destinycraftpe.com"; nocase; bsize:39; reference:url,twitter.com/Unit42_Intel/status/1470778363254128651; reference:md5,b873bfa8dec8c3a1f62c30903e59e849; classtype:domain-c2; sid:2034725; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ASCII"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004467; classtype:web-application-attack; sid:2004467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /azure/v2/api HTTP/1.1"; fast_pattern; http.user_agent; content:"MusicBee/3.4"; bsize:12; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|"; startswith; http.cookie; content:"HSID="; startswith; reference:url,twitter.com/Unit42_Intel/status/1470778363254128651; reference:md5,b873bfa8dec8c3a1f62c30903e59e849; classtype:trojan-activity; sid:2034726; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, tag c2, updated_at 2021_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004468; classtype:web-application-attack; sid:2004468; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (bqtconsulting .com)"; dns.query; content:"bqtconsulting.com"; nocase; bsize:17; reference:url,twitter.com/malware_traffic/status/1470812160427233294; reference:md5,c681c785d6055a1d5a8fe74403c9dfe9; classtype:domain-c2; sid:2034727; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/classes/excel/class.writeexcel_workbook.inc.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010922; classtype:web-application-attack; sid:2010922; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /image-directory/templates.mp3 HTTP/1.1"; fast_pattern; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/malware_traffic/status/1470812160427233294; reference:md5,c681c785d6055a1d5a8fe74403c9dfe9; classtype:trojan-activity; sid:2034728; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/classes/excel/class.writeexcel_worksheet.inc.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010923; classtype:web-application-attack; sid:2010923; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Khonsri Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zambos_caldo_de_p.txt"; startswith; fast_pattern; http.header_names; content:!"User-Agent"; reference:url,businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild; classtype:command-and-control; sid:2034723; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_12_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004493; classtype:web-application-attack; sid:2004493; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .carelessnessing .com)"; dns.query; content:"www.carelessnessing.com"; nocase; bsize:23; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; reference:md5,2f602c6feaa750e7d3b64276b630498a; classtype:domain-c2; sid:2034733; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004494; classtype:web-application-attack; sid:2004494; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .weekendorg .com)"; dns.query; content:"www.weekendorg.com"; nocase; bsize:18; reference:md5,04662666c8a97998fb1b2fcf907526e8; reference:md5,1454d4feacdd503c0542f70f44a8edc1; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004495; classtype:web-application-attack; sid:2004495; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .aexhausts .com)"; dns.query; content:"www.aexhausts.com"; nocase; bsize:17; reference:md5,23d4cfceb70d19cf5dc15ea0e8ea1acd; reference:md5,1f3a2e8058411cc04f474a68501b3045; reference:md5,fa80669685cf12de62b4e3156b997553; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034735; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004496; classtype:web-application-attack; sid:2004496; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (news .networkslaoupdate .com)"; dns.query; content:"news.networkslaoupdate.com"; nocase; bsize:26; reference:md5,b9fecf531ebd323cd25b4dbb179a8969; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034736; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, malware_family TAG_33, signature_severity Major, updated_at 2021_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004497; classtype:web-application-attack; sid:2004497; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (koltary .com)"; dns.query; content:"koltary.com"; nocase; bsize:11; reference:md5,91cde71b55ae86e9d64f4ea2c233790f; classtype:domain-c2; sid:2034737; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004498; classtype:web-application-attack; sid:2004498; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9=]{5,12}&ap=/R"; content:"&ap=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,twitter.com/benkow_/status/1469238517066838018; reference:md5,8e343598ba830d20ffc22d2a9c82ad5a; classtype:command-and-control; sid:2034738; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004499; classtype:web-application-attack; sid:2004499; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Muhstik Botnet CnC Activity"; flow:established,to_server; content:"NICK|20|"; content:"USER|20|"; content:"|3a|muhstik-"; fast_pattern; pcre:"/^[0-9]{8}$/Rm"; reference:md5,81fbe69a36650504b88756074a36c183; reference:md5,d20478a01344026a0ecd60b0b29e9bc1; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034743; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Muhstik, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004500; classtype:web-application-attack; sid:2004500; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Mirai Botnet CnC Activity"; flow:established,to_server; dsize:11; content:"SWATunknown"; fast_pattern; reference:md5,1348a00488a5b3097681b6463321d84c; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_12_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004501; classtype:web-application-attack; sid:2004501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Octopus Backdoor Related Domain in DNS Lookup"; dns.query; content:"movetolight.xyz"; nocase; bsize:15; classtype:command-and-control; sid:2034746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004502; classtype:web-application-attack; sid:2004502; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BazarLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header; content:"User-Agent|3a 20|Win|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; reference:md5,c70d6690d2d6fcead1e752195985fc54; classtype:trojan-activity; sid:2034752; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, signature_severity Major, updated_at 2021_12_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004503; classtype:web-application-attack; sid:2004503; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (gawocag .com)"; dns.query; dotprefix; content:".gawocag.com"; nocase; endswith; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:trojan-activity; sid:2034753; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004504; classtype:web-application-attack; sid:2004504; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hiduwu .com)"; dns.query; content:"hiduwu.com"; nocase; bsize:10; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:domain-c2; sid:2034754; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004505; classtype:web-application-attack; sid:2004505; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /dequeue/paypal"; startswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,b96171a46e7a83815b90271f711727aa; reference:url,twitter.com/malwrhunterteam/status/1471915892980264962/; classtype:trojan-activity; sid:2034756; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004506; classtype:web-application-attack; sid:2004506; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /alpha_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034773; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004507; classtype:web-application-attack; sid:2004507; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /beta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034774; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004508; classtype:web-application-attack; sid:2004508; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gamma_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034775; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004509; classtype:web-application-attack; sid:2004509; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /delta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034776; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004510; classtype:web-application-attack; sid:2004510; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /epsilon_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034777; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004511; classtype:web-application-attack; sid:2004511; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /zeta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034778; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004512; classtype:web-application-attack; sid:2004512; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart Skimmer Domain in DNS Lookup (bootstrap2 .xyz)"; dns.query; content:"bootstrap2.xyz"; nocase; bsize:14; reference:url,twitter.com/MBThreatIntel/status/1472995976507916290; classtype:domain-c2; sid:2034779; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_12_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004513; classtype:web-application-attack; sid:2004513; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup"; dns.query; content:"s3crt.biz"; nocase; bsize:9; reference:url,securelist.com/owowa-credential-stealer-and-remote-access/105219/; classtype:domain-c2; sid:2034833; rev:1; metadata:attack_target Server, created_at 2021_12_21, deployment Perimeter, signature_severity Major, updated_at 2021_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004514; classtype:web-application-attack; sid:2004514; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php="; fast_pattern; startswith; content:"SSL3."; distance:0; reference:url,threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/; classtype:command-and-control; sid:2034837; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_22, deployment Perimeter, former_category MALWARE, malware_family Andariel, signature_severity Major, updated_at 2021_12_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004515; classtype:web-application-attack; sid:2004515; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality.3 Checkin"; flow:established,to_server; http.uri; content:"/?f"; fast_pattern; endswith; http.header; content:!"broadcastify.com"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cache-Control|0d 0a|"; reference:md5,df9516919e75853742e63db318e7d346; classtype:command-and-control; sid:2020505; rev:6; metadata:created_at 2015_02_24, deprecation_reason Relevance, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004516; classtype:web-application-attack; sid:2004516; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Retrieving Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id=1"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,51fa8bf006d80f5e140d84df313c650f; reference:url,twitter.com/ShadowChasing1/status/1465549330744414215; classtype:trojan-activity; sid:2034840; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004517; classtype:web-application-attack; sid:2004517; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.host; content:"content.dropboxapi.com"; bsize:22; http.header_names; content:"Authorization: Bearer 88THpJioM6QAAAAAAAAAAQKMa4g-5-qcnYv1lIQi3ue3U41FJvH_p23jQR_5c146"; fast_pattern; classtype:command-and-control; sid:2035120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004518; classtype:web-application-attack; sid:2004518; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats External IP Lookup Activity"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"api.ipstack.com"; http.uri; content:"?access_key=5b9ed178f9687b4a92d196168c0282ca="; fast_pattern; classtype:external-ip-check; sid:2035121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004519; classtype:web-application-attack; sid:2004519; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup"; dns.query; dotprefix; content:".easyuploadservice.com"; nocase; endswith; classtype:domain-c2; sid:2035122; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004520; classtype:web-application-attack; sid:2004520; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup"; dns.query; dotprefix; content:".uggboots4sale.com"; nocase; endswith; classtype:domain-c2; sid:2035123; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004521; classtype:web-application-attack; sid:2004521; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected MuddyWater Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getTargetInfo?guid="; startswith; fast_pattern; content:"&status="; distance:0; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034845; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2021_12_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004522; classtype:web-application-attack; sid:2004522; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EUPUDS.A Requests for Boleto replacement"; flow:established,to_server; urilen:10; http.request_line; content:"POST /index.php HTTP/1."; fast_pattern; http.header_names; content:"Content-Type|0d 0a|"; content:"Content-Length|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Cache-Control|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; http.host; content:!"antia-client-log.puzzleplusgames.net"; bsize:36; reference:url,blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf; classtype:trojan-activity; sid:2018793; rev:7; metadata:created_at 2014_07_28, former_category MALWARE, updated_at 2021_12_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011726; classtype:web-application-attack; sid:2011726; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/X-Files Stealer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.content_len; byte_test:0,>,90000,0,string,dec; http.request_body; content:"zipx="; startswith; fast_pattern; reference:md5,43379d3c3faf5d7e37df398de90ee58b; reference:url,twitter.com/h2jazi/status/1476292943027871755; reference:url,twitter.com/3xp0rtblog/status/1473323635469438978; classtype:trojan-activity; sid:2034848; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_30, deployment Perimeter, former_category MALWARE, malware_family X_Files, signature_severity Major, updated_at 2021_12_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011727; classtype:web-application-attack; sid:2011727; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /googleapi HTTP/1.1"; fast_pattern; http.referer; content:"http|3a 2f 2f|code.google.com/"; bsize:23; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; reference:md5,f7ac5192404c8dea43fdeedf01d1d66e; reference:url,twitter.com/malwrhunterteam/status/1476211484103524366; classtype:trojan-activity; sid:2034849; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011728; classtype:web-application-attack; sid:2011728; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"h378576.atwebpages.com"; nocase; bsize:22; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011729; classtype:web-application-attack; sid:2011729; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"i758769.atwebpages.com"; nocase; bsize:22; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011730; classtype:web-application-attack; sid:2011730; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"455686.c1.biz"; nocase; bsize:13; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011731; classtype:web-application-attack; sid:2011731; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:"?=1"; within:7; fast_pattern; pcre:"/^[678]\d{8}$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,c398b504f74500d6a1a47f72bb45bc83; classtype:command-and-control; sid:2034859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid SELECT"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006309; classtype:web-application-attack; sid:2006309; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; http.cookie; content:"HFS_SID_="; startswith; http.response_body; content:"Rar!|1a 07 01 00|"; startswith; content:"rundll3222.exe"; within:150; fast_pattern; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:trojan-activity; sid:2034856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_01_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UNION SELECT"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006310; classtype:web-application-attack; sid:2006310; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:".zip?="; within:7; fast_pattern; pcre:"/^(?:0|1[678]\d{8})$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,465dae978a41d566c7fabc9f5808487c; classtype:command-and-control; sid:2034871; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid INSERT"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006311; classtype:web-application-attack; sid:2006311; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|37 39 78|"; startswith; content:"|98 98 98|"; distance:1; within:3; content:"|98 98|"; distance:2; within:2; content:"|98 98 98 20 fc|"; distance:1; within:5; fast_pattern; reference:md5,465dae978a41d566c7fabc9f5808487c; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Low, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid DELETE"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006312; classtype:web-application-attack; sid:2006312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/latest/"; startswith; fast_pattern; pcre:"/^(?:update|designs)$/R"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,447e3c337f206ff59a727223bddd13ad; reference:md5,2bac793cfaf071a37366d3331cc99518; reference:url,twitter.com/ShadowChasing1/status/1480493639545470976; classtype:trojan-activity; sid:2034875; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ASCII"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006313; classtype:web-application-attack; sid:2006313; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Maldoc Activity"; flow:established,to_server; http.uri; content:"/nt.php/?dt="; startswith; content:"-EX-1&ct="; distance:0; fast_pattern; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:trojan-activity; sid:2033987; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006314; classtype:web-application-attack; sid:2006314; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Related Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userlog.php?id="; fast_pattern; content:"&&user="; distance:0; content:"&&OsI="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,cc7ddf9ed230ad4e060dfd0f32389efb; reference:url,twitter.com/ShadowChasing1/status/1478259210110775297; classtype:command-and-control; sid:2034876; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/SearchResults.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2008-6242; reference:bugtraq,32039; reference:url,milw0rm.com/exploits/6922; reference:url,doc.emergingthreats.net/2009727; classtype:web-application-attack; sid:2009727; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Sidewinder CnC Domain in DNS Lookup (afcat .xyz)"; dns.query; content:"afcat.xyz"; nocase; bsize:9; reference:url,twitter.com/h2jazi/status/1479502335328112645; reference:md5,e7c7916f7bf0ddc511466ce106137e66; classtype:domain-c2; sid:2034877; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/deptdisplay.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7610; reference:bugtraq,33040; reference:url,doc.emergingthreats.net/2009048; classtype:web-application-attack; sid:2009048; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Donot Group CnC Domain in DNS Lookup (request .soundedge .live)"; dns.query; content:"request.soundedge.live"; nocase; bsize:22; reference:md5,209050f85af2786248bd4d7ec0f5a808; reference:url,twitter.com/h2jazi/status/1476946007741108249; reference:md5,7be9832a01b3004f02ff5bc0691d1700; classtype:domain-c2; sid:2034878; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004415; classtype:web-application-attack; sid:2004415; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Donot Group Checkin Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /access/fps_ips_cp_ifpcspf_ifis_p HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,209050f85af2786248bd4d7ec0f5a808; reference:md5,7be9832a01b3004f02ff5bc0691d1700; reference:url,twitter.com/h2jazi/status/1476946007741108249; classtype:command-and-control; sid:2034879; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004416; classtype:web-application-attack; sid:2004416; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".inject1byte.com"; nocase; endswith; reference:url,twitter.com/malwrhunterteam/status/1479767752885874688; classtype:trojan-activity; sid:2034880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004417; classtype:web-application-attack; sid:2004417; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".black-crystal.net"; nocase; endswith; reference:url,twitter.com/malwrhunterteam/status/1479767752885874688; classtype:trojan-activity; sid:2034881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004418; classtype:web-application-attack; sid:2004418; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|2e|zip|3b 20|filename="; distance:1; within:15; content:"|2e|zip"; distance:1; within:4; endswith; http.response_body; content:"PK|03 04|"; startswith; content:"|2e|exe"; within:150; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Significant, signature_severity Major, updated_at 2022_01_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004419; classtype:web-application-attack; sid:2004419; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0standavalue0 .xyz)"; dns.query; dotprefix; content:".0standavalue0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034886; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004420; classtype:web-application-attack; sid:2004420; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0storageatools0 .xyz)"; dns.query; dotprefix; content:".0storageatools0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034887; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SHOP-INET show_cat2.php grid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show_cat2.php?"; nocase; content:"grid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,33471; reference:url,milw0rm.com/exploits/7874; reference:url,secunia.com/advisories/33660/; reference:url,doc.emergingthreats.net/2010020; classtype:web-application-attack; sid:2010020; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0brandaeyes0 .xyz)"; dns.query; dotprefix; content:".0brandaeyes0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034888; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopMaker product.php id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/product.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,www.milw0rm.com/exploits/6799; reference:bugtraq,31854; reference:url,doc.emergingthreats.net/2008723; classtype:web-application-attack; sid:2008723; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http.uri; content:"/Api/"; startswith; http.request_body; content:"Data="; startswith; http.header_names; content:!"Referer"; content:"|0d 0a|Content-type|0d 0a|Content-length|0d 0a|"; fast_pattern; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:trojan-activity; sid:2034889; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT35, malware_family CharmingKitten, malware_family Phosphorus, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID SELECT"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005790; classtype:web-application-attack; sid:2005790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 Related Activity (FTP)"; flow:established,to_server; content:"VICTIM-PC__"; fast_pattern; content:"/screen/"; content:".jpg"; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:trojan-activity; sid:2034890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UNION SELECT"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005791; classtype:web-application-attack; sid:2005791; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jersydok .com)"; dns.query; dotprefix; content:".jersydok.com"; nocase; endswith; reference:url,medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489; classtype:domain-c2; sid:2034891; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID INSERT"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005792; classtype:web-application-attack; sid:2005792; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zloader Related Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/processingSetRequest"; fast_pattern; content:"/?servername="; distance:3; http.user_agent; content:"powershell"; nocase; http.header_names; content:!"Referer"; reference:md5,06ca129910fd79de8bdc7a319949fb25; reference:url,medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489; classtype:trojan-activity; sid:2034892; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID DELETE"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005793; classtype:web-application-attack; sid:2005793; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Emotet HTML Template Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b|charset=UTF-8"; depth:24; file.data; content:"id|3d 22|uid|22 3e 3c 2f|h1|3e 3c|br|3e|"; content:"File|20 27|Preview Complaint Report in XLS|27 3c|br|3e|is|20|ready|20|for|20|open"; fast_pattern; content:"|22 3e|Preview XLS"; distance:0; content:"getElementById|28 27|uid|27 29 2e|innerHTML|20 3d 20 27|Name|3a 20 27|"; classtype:command-and-control; sid:2034882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2022_01_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ASCII"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005794; classtype:web-application-attack; sid:2005794; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.TJJ Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getcfg?id="; fast_pattern; pcre:"/^\d$/R"; http.user_agent; content:"Mozilla|2f|3|2e|0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,0751e43ec2a6ce78407b95b1d0326776; classtype:command-and-control; sid:2034900; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2022_01_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005795; classtype:web-application-attack; sid:2005795; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TellYouThePass Ransomware Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery.js?v="; startswith; fast_pattern; pcre:"/^[0-9]{2,8}$/R"; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a80$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,39a9b92a69a191db0a7e2bc1e78d55e4; reference:md5,c05f8b395c6356bf99aad9c84c13a867; reference:url,www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/; reference:md5,b99c4684f7eac1f2af37e6de609e936c; classtype:trojan-activity; sid:2034904; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Customer contact.php SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/contact.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,28852; reference:url,doc.emergingthreats.net/2008722; classtype:web-application-attack; sid:2008722; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (solo-hoy .com)"; dns.query; content:"solo-hoy.com"; nocase; bsize:12; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034917; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username SELECT"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004779; classtype:web-application-attack; sid:2004779; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mobile-analytics .netweb-cloud-services .com)"; dns.query; content:"mobile-analytics.netweb-cloud-services.com"; nocase; bsize:42; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034918; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UNION SELECT"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004780; classtype:web-application-attack; sid:2004780; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (deportes24-7 .com)"; dns.query; content:"deportes24-7.com"; nocase; bsize:16; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034919; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username INSERT"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004781; classtype:web-application-attack; sid:2004781; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain"; dns.query; content:"informados24h.com"; nocase; bsize:32; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034920; rev:2; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username DELETE"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004782; classtype:web-application-attack; sid:2004782; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain"; dns.query; content:"info-urbano.com"; nocase; bsize:15; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034921; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username ASCII"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004783; classtype:web-application-attack; sid:2004783; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Related CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|db f6 94 f6 9f f6 82 f6 f6 f6|"; fast_pattern; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 f6 f6|"; distance:3; within:3; endswith; reference:url,twitter.com/ShadowChasing1/status/1480853604609126403; reference:md5,1cdc2c0f6834b37da085c0deb9d3461a; classtype:targeted-activity; sid:2034909; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004784; classtype:web-application-attack; sid:2004784; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Additional Resources (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Profile.html"; bsize:13; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/; reference:md5,eb47824fe3b93f30e6805938814b9cca; classtype:trojan-activity; sid:2034911; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username SELECT"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004785; classtype:web-application-attack; sid:2004785; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SysJoker Retrieving CnC Information (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uc?id="; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"WinHttpClient"; bsize:13; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; http.host; content:"drive.google.com"; fast_pattern; bsize:16; reference:md5,53f1bb23f670d331c9041748e7e8e396; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034922; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UNION SELECT"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004786; classtype:web-application-attack; sid:2004786; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Dropper Related Domain in DNS Lookup (github .url-mini .com)"; dns.query; content:"github.url-mini.com"; nocase; bsize:19; reference:md5,d71e1a6ee83221f1ac7ed870bc272f01; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034923; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username INSERT"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004787; classtype:web-application-attack; sid:2004787; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (bookitlab .tech)"; dns.query; content:"bookitlab.tech"; nocase; bsize:14; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034924; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username DELETE"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004788; classtype:web-application-attack; sid:2004788; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (graphic-updater .com)"; dns.query; content:"graphic-updater.com"; nocase; bsize:19; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034925; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username ASCII"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004789; classtype:web-application-attack; sid:2004789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (office360-update .com)"; dns.query; content:"office360-update.com"; nocase; bsize:20; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034926; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004790; classtype:web-application-attack; sid:2004790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (winaudio-tools .com)"; dns.query; content:"winaudio-tools.com"; nocase; bsize:18; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034927; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id SELECT"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005871; classtype:web-application-attack; sid:2005871; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT Related Domain in DNS Lookup (gooeglle .mypressonline .com)"; dns.query; content:"gooeglle.mypressonline.com"; nocase; bsize:26; reference:md5,2de3ab14e582ed83da376345abfb81da; reference:url,twitter.com/ShadowChasing1/status/1482976392958865413; classtype:domain-c2; sid:2034933; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005872; classtype:web-application-attack; sid:2005872; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus APT Related Domain in DNS Lookup (confusion-cerulean-samba .glitch .me)"; dns.query; content:"confusion-cerulean-samba.glitch.me"; nocase; bsize:34; reference:md5,92f5f40db8df7cbb1c7c332087619afa; reference:url,twitter.com/ShadowChasing1/status/1483011032612499460; classtype:domain-c2; sid:2034934; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id INSERT"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005873; classtype:web-application-attack; sid:2005873; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Sending System Information (POST)"; flow:established,to_server; http.request_line; content:"POST /proxy HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"NewFolderName="; startswith; pcre:"/\*\*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\*\*/R"; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034935; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id DELETE"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005874; classtype:web-application-attack; sid:2005874; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NQT!tr CnC Activity"; flow:established,to_server; content:"|49 4d 49 4e 20|"; startswith; fast_pattern; content:"|40|"; distance:0; content:"|0a|"; endswith; reference:md5,07d0d60fbcf30f7ab7861ad9981a2eed; classtype:command-and-control; sid:2034931; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id ASCII"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005875; classtype:web-application-attack; sid:2005875; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /publish HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"token="; startswith; content:"&Category="; distance:0; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034939; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005876; classtype:web-application-attack; sid:2005876; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /bills HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|App-Logic|0d 0a|Authorization|0d 0a|Session|0d 0a|"; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034940; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/main/forum/komentar.php?"; nocase; content:"site_path="; nocase; pcre:"/site_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,23334; reference:url,doc.emergingthreats.net/2010564; classtype:web-application-attack; sid:2010564; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (lm-career .com)"; dns.query; content:"lm-career.com"; nocase; bsize:13; reference:md5,3f326da2affb0f7f2a4c5c95ffc660cc; reference:url,twitter.com/h2jazi/status/1483521532433473536; classtype:domain-c2; sid:2034942; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/login.tpl.php?"; nocase; content:"TplSuffix="; nocase; reference:bugtraq,33092; reference:url,doc.emergingthreats.net/2009070; classtype:web-application-attack; sid:2009070; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (printerjobs .xyz)"; dns.query; dotprefix; content:".printerjobs.xyz"; nocase; endswith; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034943; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.tpl.php?"; nocase; content:"theme="; nocase; pcre:"/theme=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,33092; reference:url,doc.emergingthreats.net/2009071; classtype:web-application-attack; sid:2009071; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (seasonsbackup .xyz)"; dns.query; dotprefix; content:".seasonsbackup.xyz"; nocase; endswith; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:url,github.com/eset/malware-ioc/tree/master/donot; classtype:domain-c2; sid:2034944; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SlimCMS edit.php pageid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/edit.php?"; nocase; content:"pageID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32300; reference:url,doc.emergingthreats.net/2008867; classtype:web-application-attack; sid:2008867; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (submitonline .club)"; dns.query; dotprefix; content:".submitonline.club"; nocase; endswith; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005542; classtype:web-application-attack; sid:2005542; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (oceansurvey .club)"; dns.query; content:"oceansurvey.club"; nocase; bsize:16; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005543; classtype:web-application-attack; sid:2005543; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Injector.VVP Downloader Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/wp\x2dcontent\/[a-z]{3}\/[0-9]{16}\.exe$/U"; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT|3b 20|Windows NT 6.1|3b 20|en-US|29 20|WindowsPowerShell/5.1.14409.1005"; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:md5,009934cd29110745347705ec4f877b6d; classtype:trojan-activity; sid:2034949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005544; classtype:web-application-attack; sid:2005544; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (dataupdates .live)"; dns.query; content:"dataupdates.live"; nocase; bsize:16; reference:md5,43a909814aa5467cb45f8e59ed2fd3b0; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034951; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005545; classtype:web-application-attack; sid:2005545; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Suspected Reverse Shell Connection"; flow:established,to_server; content:"Microsoft|20|Windows|20|"; content:"|5b|Version|20|"; distance:0; content:"|5d|"; content:"|20|Microsoft|20|Corp"; fast_pattern; content:"|43 3a 5c|"; content:"|3e|"; content:!"Host"; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:md5,039d8e77b65faae44d5e7e39d4cc9c59; classtype:trojan-activity; sid:2034945; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005546; classtype:web-application-attack; sid:2005546; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /api/market HTTP/1.1"; fast_pattern; http.cookie; content:"nyt-a="; startswith; pcre:"/^[A-Za-z0-9-_]{176}$/R"; reference:md5,31b8467ad176116d238afa2fa6bf6497; reference:url,twitter.com/h2jazi/status/1483504922003968003; classtype:trojan-activity; sid:2034941; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005547; classtype:web-application-attack; sid:2005547; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (kinopoisksu .com)"; dns.query; dotprefix; content:".kinopoisksu.com"; nocase; endswith; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034952; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family APT41, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005548; classtype:web-application-attack; sid:2005548; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (glbaitech .com)"; dns.query; dotprefix; content:".glbaitech.com"; nocase; endswith; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034953; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family APT41, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005549; classtype:web-application-attack; sid:2005549; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (m .necemarket .com)"; dns.query; content:"m.necemarket.com"; nocase; bsize:16; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034954; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005550; classtype:web-application-attack; sid:2005550; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (holdmem .dbhubspi .com)"; dns.query; content:"holdmem.dbhubspi.com"; nocase; bsize:20; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034955; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005551; classtype:web-application-attack; sid:2005551; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Maldoc Related Domain in DNS Lookup (markettrendingcenter .com)"; dns.query; content:"markettrendingcenter.com"; nocase; bsize:24; reference:md5,a27a9324d282d920e495832933d486ee; reference:url,twitter.com/s1ckb017/status/1484451637653614592; classtype:domain-c2; sid:2034956; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family Lazarus, signature_severity Major, updated_at 2022_01_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005552; classtype:web-application-attack; sid:2005552; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type="; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|22|mac|22 3a 22|"; content:"|22|pcname|22 3a 22|"; distance:14; within:10; reference:md5,4e24d219ba1790b93347110fd1bfcb6b; classtype:trojan-activity; sid:2034959; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005553; classtype:web-application-attack; sid:2005553; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/irq"; startswith; fast_pattern; bsize:8; pcre:"/^\/\.x\/irq\d$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer"; classtype:trojan-activity; sid:2034685; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005554; classtype:web-application-attack; sid:2005554; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.PSAttack Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/powershell_attack.txt"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,f9eb044f8b537aa5d9164b1784d618a2; classtype:trojan-activity; sid:2032793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005555; classtype:web-application-attack; sid:2005555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spark Backdoor Related Domain in DNS Lookup (bundanesia .com)"; dns.query; dotprefix; content:".bundanesia.com"; nocase; endswith; reference:url,www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east; classtype:domain-c2; sid:2034963; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005556; classtype:web-application-attack; sid:2005556; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/"; startswith; fast_pattern; bsize:7; content:"sh"; endswith; pcre:"/^\/\.x\/\dsh$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034683; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005557; classtype:web-application-attack; sid:2005557; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (portal .gfinanzen .net)"; dns.query; content:"portal.gfinanzen.net"; nocase; bsize:20; reference:md5,b371e1c2ca2e5718e151760bc4664366; reference:url,twitter.com/czy_1116/status/1485813878550597632; classtype:domain-c2; sid:2034964; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005558; classtype:web-application-attack; sid:2005558; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup (wordkeyvpload .net)"; dns.query; content:"wordkeyvpload.net"; nocase; bsize:17; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; reference:md5,8e2f8c95b1919651fcac7293cb704c1c; classtype:domain-c2; sid:2034966; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005559; classtype:web-application-attack; sid:2005559; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup"; dns.query; content:"wordkeyvpload.org"; nocase; bsize:17; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; classtype:domain-c2; sid:2034967; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005560; classtype:web-application-attack; sid:2005560; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup (jimbeam .live)"; dns.query; content:"jimbeam.live"; nocase; bsize:12; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; classtype:domain-c2; sid:2034968; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005561; classtype:web-application-attack; sid:2005561; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/portals/office/log.php?Data="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; reference:url,twitter.com/ShadowChasing1/status/1485514043679199233; reference:md5,9521e4138fd0e6996072778cd4f1f06a; reference:md5,2ee3ae478e7d1f2f473b191b1be5e14f; classtype:trojan-activity; sid:2034969; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005562; classtype:web-application-attack; sid:2005562; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DazzleSpy Related Domain in DNS Lookup"; dns.query; content:"fightforhk.com"; nocase; bsize:14; reference:url,www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/; classtype:trojan-activity; sid:2034975; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005563; classtype:web-application-attack; sid:2005563; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DazzleSpy Related Domain in DNS Lookup"; dns.query; content:"amnestyhk.org"; nocase; bsize:13; reference:url,www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/; classtype:trojan-activity; sid:2034976; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005564; classtype:web-application-attack; sid:2005564; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 109"; flow:established,to_server; stream_size:server,<,5; dsize:<250; content:"|00 00 01 78 9c|"; offset:10; depth:5; fast_pattern; byte_jump:2,0,little,from_beginning, post_offset 3; isdataat:!2,relative; pcre:"/^(?<len>.{2})\xc0\xff(?P=len)\x00\x00.{2}\x00\x00\x01\x78\x9c/s"; reference:md5,edacdc76bb11e8db5c1a1b8917b5deb0; classtype:command-and-control; sid:2034977; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, malware_family Gh0st, performance_impact Moderate, signature_severity Major, updated_at 2022_01_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005566; classtype:web-application-attack; sid:2005566; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded"; flow:established,to_client; http.content_type; content:"text/plain"; startswith; http.response_body; content:"RUNPE"; nocase; content:"31,139,8,0,0,0,0,0,4,0,237,189,7,96"; within:50; fast_pattern; content:"82,101,109,111,116,101,83,105,103,110,101,100"; distance:0; reference:url,blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader; classtype:trojan-activity; sid:2034980; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/pcltar.lib.php?"; nocase; content:"g_pcltar_lib_dir="; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009182; classtype:web-application-attack; sid:2009182; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GrandaMisha Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload?tags="; startswith; fast_pattern; content:"&pass="; distance:0; content:"&cookie="; distance:0; content:"&cc="; distance:0; content:"&hwid="; distance:0; content:"&ip="; distance:0; http.user_agent; content:"ureq/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|document|22 3b 20|filename="; content:"Content-Type|3a 20|application/x-ms-dos-executable"; reference:md5,256ad62aa30b6dfb7755627698d31156; reference:url,twitter.com/benkow_/status/1486700404482134021; classtype:trojan-activity; sid:2034988; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004863; classtype:web-application-attack; sid:2004863; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (docusign .agency)"; dns.query; dotprefix; content:".docusign.agency"; nocase; endswith; reference:md5,993cecde0cd707f795e00181414d97bd; reference:url,twitter.com/ShadowChasing1/status/1486530954382348290; classtype:domain-c2; sid:2034991; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004864; classtype:web-application-attack; sid:2004864; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (yourblogcenter .com)"; dns.query; content:"yourblogcenter.com"; nocase; bsize:18; reference:md5,8df7777ac7315c5e256ce35ea36cc73f; reference:url,twitter.com/h2jazi/status/1486448926081302536; classtype:domain-c2; sid:2034989; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id INSERT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004865; classtype:web-application-attack; sid:2004865; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (allinfostudio .com)"; dns.query; content:"allinfostudio.com"; nocase; bsize:17; reference:md5,8df7777ac7315c5e256ce35ea36cc73f; reference:url,twitter.com/h2jazi/status/1486448926081302536; classtype:domain-c2; sid:2034990; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004866; classtype:web-application-attack; sid:2004866; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/principles/"; fast_pattern; content:".mp3"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,4c61eeb1745d24e2c4ee67c6e56af8f3; reference:url,twitter.com/500mk500/status/1486791607311548423; classtype:trojan-activity; sid:2035006; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004867; classtype:web-application-attack; sid:2004867; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perfectly/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,74c22fd7a20072c8719cd7cfbc4abe84; reference:url,twitter.com/500mk500/status/1486791607311548423; classtype:trojan-activity; sid:2035007; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004868; classtype:web-application-attack; sid:2004868; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PowerShell Script Downloading Emotet DLL"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"image/png"; bsize:9; http.response_body; content:"|24|path"; startswith; content:".dll"; distance:0; within:200; pcre:"/\x24url[0-9]{1}\s=\s'(http|https):\/\/[^']*\x27\x3b/i"; content:"((Get-Item |24|path).Length -ge 30000)"; nocase; fast_pattern; reference:md5,c3cb504f97c7c7df9c25b0957dd60d9f; classtype:trojan-activity; sid:2035000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SocialEngine browse_classifieds.php Remote SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/browse_classifieds.php?"; nocase; content:"classifiedcat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33474/; reference:url,milw0rm.com/exploits/7730; reference:url,doc.emergingthreats.net/2009100; classtype:web-application-attack; sid:2009100; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater Rat CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"example/1.0"; bsize:11; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"-----"; startswith; content:"name=|22|token|22|"; content:"name=|22|tid|22|"; distance:0; content:"name=|22|apiData|22|"; distance:0; reference:url,cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; classtype:trojan-activity; sid:2035031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/content/themes/softsaurus_default/pages/subHeader.php?"; nocase; content:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011051; classtype:web-application-attack; sid:2011051; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Possible Raspberry Robin Activity (GET)"; flow:established,to_server; urilen:>25; http.method; content:"GET"; http.uri; pcre:"/^\/[A-Za-z0-9]{10,11}\//"; content:!"|2e|"; http.header; content:"Connection|3a 20|Keep|2d|Alive|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|User|2d|Agent|3a 20|Windows|20|Installer|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:42; reference:md5,0bdae8ec9a8fd2a6dd9a39eae00c9834; reference:url,redcanary.com/blog/raspberry-robin; classtype:trojan-activity; sid:2037761; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/content/themes/softsaurus_stretched/pages/subHeader.php?"; nocase; content:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011052; classtype:web-application-attack; sid:2011052; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; classtype:command-and-control; sid:2035040; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent SELECT"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006129; classtype:web-application-attack; sid:2006129; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Variant.Zusy.402698 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?serial="; pcre:"/\.php\?serial=[a-z0-9]{16}/U"; http.user_agent; content:"Some USER-AGENT"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; reference:md5,8b9464c10764e08d5939d149dfa451b4; classtype:trojan-activity; sid:2035041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UNION SELECT"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006130; classtype:web-application-attack; sid:2006130; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related VBS Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/help_"; fast_pattern; pcre:"/^[0-3]{2}_[0-2]{2}\.php$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; reference:md5,2e70b2b0cf4e2d3ac2ed6d1ea967f18e; reference:url,www.trendmicro.com/en_us/research/20/d/gamaredon-apt-group-use-covid-19-lure-in-campaigns.html; classtype:trojan-activity; sid:2035039; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Moderate, signature_severity Major, updated_at 2022_02_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent INSERT"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006131; classtype:web-application-attack; sid:2006131; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.DSQR CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; pcre:"/^dBrowser\x20\d\x20CallGetResponse\x3a\d$/"; http.header_names; content:!"Referer"; http.request_body; content:"data|3d 7b 22|msg|22 3a 22|DataRecivied|2d 3e 7b 5c 22|message|5c 22 3a 5c 22|JSON.parse|5c|"; fast_pattern; startswith; reference:url,otx.alienvault.com/indicator/file/ded76741a5f551fac777d384b089db408565f666ddf33669d6b8eefd8f3d34c3; classtype:command-and-control; sid:2034936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent DELETE"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006132; classtype:web-application-attack; sid:2006132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ClipBanker.OC CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/exp.php?usr="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0"; startswith; http.header_names; content:!"Referer"; reference:md5,40b3c1644d3bd1702fdde6eb08f961d2; classtype:trojan-activity; sid:2034982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ASCII"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006133; classtype:web-application-attack; sid:2006133; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ClipBanker.OC CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\w$/Um"; http.user_agent; content:"MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400"; endswith; fast_pattern; http.content_len; content:"784"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; reference:md5,40b3c1644d3bd1702fdde6eb08f961d2; classtype:trojan-activity; sid:2034983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006134; classtype:web-application-attack; sid:2006134; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SManager Backdoor Domain in DNS Lookup"; dns.query; content:"aiwqi.aurobindos.com"; nocase; bsize:20; reference:url,twitter.com/TI_ESC/status/1489182130982825987; classtype:domain-c2; sid:2035091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SManager, malware_family PhantomNet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php SELECT"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006479; classtype:web-application-attack; sid:2006479; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SManager Backdoor Domain in DNS Lookup"; dns.query; content:"fuji1.aurobindos.com"; nocase; bsize:20; reference:url,twitter.com/TI_ESC/status/1489182130982825987; classtype:domain-c2; sid:2035092; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_02_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SManager, malware_family PhantomNet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UNION SELECT"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006480; classtype:web-application-attack; sid:2006480; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DNS Lookup (upload-dropbox .com)"; dns.query; dotprefix; content:".upload-dropbox.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/; classtype:trojan-activity; sid:2024658; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family KHRAT, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php INSERT"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006481; classtype:web-application-attack; sid:2006481; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacOS/UpdateAgent.A CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wrte?maid="; startswith; fast_pattern; pcre:"/^\/wrte\?maid=[A-Z0-9]{8}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{12}$/U"; http.user_agent; content:"curl"; startswith; http.header_names; content:!"Referer"; reference:md5,5dc4e1b8610aacc5941ccf68f823f366; reference:url,microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression; classtype:trojan-activity; sid:2035085; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php DELETE"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006482; classtype:web-application-attack; sid:2006482; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacOS/UpdateAgent.A CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/service?uuid="; depth:20; fast_pattern; pcre:"/^\/[a-z0-9]{1,3}\/service\?uuid=[A-Z0-9]{8}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{12}$/U"; http.user_agent; content:"curl"; startswith; http.header_names; content:!"Referer"; reference:md5,5dc4e1b8610aacc5941ccf68f823f366; reference:url,microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression; classtype:trojan-activity; sid:2035086; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php ASCII"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006484; classtype:web-application-attack; sid:2006484; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; http_content_type; content:"text/html"; http_content_len; byte_test:0,<=,999999,0,string,dec; byte_test:0,>,99999,0,string,dec; file_data; content:!"<html"; nocase; depth:1024; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035065; rev:1; metadata:created_at 2022_02_03, former_category MALWARE, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006485; classtype:web-application-attack; sid:2006485; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Office Macro Emotet Download URI Nov 24 2021"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|3b 20|Windows|20|NT|20|6|2e|1|3b 20|en-US|29 20|WindowsPowerShell|2f|5.1.14409.1005"; fast_pattern; bsize:80; http.header; content:!"Referer"; http.connection; content:"Keep-Alive"; http.uri; pcre:"/^\/wp-includes\/[A-Za-z0-9]{10}\/$/U"; reference:md5,67ec9f81dd3970e3e5f66121a3502b5d; classtype:trojan-activity; sid:2035064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sonicwall NSA E7500 XSS attempt (fwReg parameter)"; flow:established,to_server; http.uri; content:"/servlet/dea/register?"; nocase; content:"pwd="; nocase; content:"fwReg="; nocase; content:"sn="; nocase; pcre:"/\/servlet\/dea\/register\?fwReg=[>\"]/i"; reference:url,securiteam.com/exploits/6O00C1FQAS.html; reference:url,doc.emergingthreats.net/2010509; classtype:web-application-attack; sid:2010509; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (deangelomcnay .news)"; dns.query; content:"deangelomcnay.news"; nocase; bsize:18; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035079; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sonicwall Global Management System XSS attempt (scrn_name parameter)"; flow:established,to_server; http.uri; content:"/sgms/caption.jsp?"; nocase; content:"scrn_name="; nocase; pcre:"/\/sgms\/caption\.jsp\?.*scrn_name=.*[>\"]/i"; reference:url,securiteam.com/exploits/6P00D1FQAG.html; reference:url,doc.emergingthreats.net/2010511; classtype:web-application-attack; sid:2010511; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (earlahenry .com)"; dns.query; content:"earlahenry.com"; nocase; bsize:14; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035080; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/example_clientside_javascript.php?"; nocase; content:"neededFiles[patForms]="; nocase; pcre:"/neededFiles\[patForms\]=\s*(ftps?|https?|php)\:\//i"; reference:url,doc.emergingthreats.net/2009144; classtype:web-application-attack; sid:2009144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (nicholasuhl .website)"; dns.query; content:"nicholasuhl.website"; nocase; bsize:19; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035081; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004816; classtype:web-application-attack; sid:2004816; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (cooperron .me)"; dns.query; content:"cooperron.me"; nocase; bsize:12; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035082; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004817; classtype:web-application-attack; sid:2004817; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (dorothymambrose .live)"; dns.query; content:"dorothymambrose.live"; nocase; bsize:20; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035083; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004818; classtype:web-application-attack; sid:2004818; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (juliansturgill .info)"; dns.query; content:"juliansturgill.info"; nocase; bsize:19; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035084; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004819; classtype:web-application-attack; sid:2004819; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M17 (set)"; flow:established,to_server; content:"|46 6f fb 85|"; startswith; fast_pattern; content:"|86 b8 83|"; distance:1; within:3; flowbits:set,ET.Parallax-17; flowbits:noalert; reference:md5,65a0ec476aaefcf6aeb328ac1641ed29; classtype:command-and-control; sid:2035066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004820; classtype:web-application-attack; sid:2004820; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M17"; flow:established,to_client; content:"|46 6f fb 85 |"; startswith; fast_pattern; content:"|86 b8 83|"; distance:1; within:3; flowbits:isset,ET.Parallax-17; reference:md5,65a0ec476aaefcf6aeb328ac1641ed29; classtype:command-and-control; sid:2035067; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004821; classtype:web-application-attack; sid:2004821; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Subterranean Security Domain in DNS Lookup"; dns.query; content:"subterranean-security.pw"; nocase; bsize:24; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; reference:md5,10729e87fa72432fbc009a15314d670b; classtype:trojan-activity; sid:2035068; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005152; classtype:web-application-attack; sid:2005152; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - AssignID Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_assignID"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005153; classtype:web-application-attack; sid:2005153; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - FileManager List Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"FILEMANAGER_list"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005155; classtype:web-application-attack; sid:2005155; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - FileManager pwd Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"FILEMANAGER_pwd"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005154; classtype:web-application-attack; sid:2005154; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - GetClientLog Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_getClientLog"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005156; classtype:web-application-attack; sid:2005156; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Subterranean Crimson Rat - Client Traffic"; flow:established,to_server; content:"crimson.universal.containers.Message"; nocase; fast_pattern; content:"java.lang.Object|3b|"; within:50; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005157; classtype:web-application-attack; sid:2005157; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - GetInfo Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_getInfo"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SunByte e-Flower popupproduct.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/popupproduct.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7323; reference:bugtraq,32589; reference:url,doc.emergingthreats.net/2008932; classtype:web-application-attack; sid:2008932; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET MALWARE W32.Geodo/Emotet Checkin Fake 404 Response"; flow:established,from_server; flowbits:isset,ETPRO.Emotet; http.stat_code; content:"404"; file.data; content:!"<html"; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SuperNews valor.php noticia Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/valor.php?"; nocase; content:"noticia="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8255; reference:bugtraq,34195; reference:url,doc.emergingthreats.net/2009744; classtype:web-application-attack; sid:2009744; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyNuke VNC Checkin M2"; flow:established,to_server; dsize:10; content:"AVE_MARIA|00|"; fast_pattern; reference:url,asec.ahnlab.com/en/27346/; classtype:trojan-activity; sid:2035094; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat SELECT"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004822; classtype:web-application-attack; sid:2004822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyNuke VNC Checkin M3"; flow:established,to_server; dsize:13; content:"LIGHT'S BOMB|00|"; fast_pattern; reference:url,asec.ahnlab.com/en/27346/; classtype:trojan-activity; sid:2035095; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004823; classtype:web-application-attack; sid:2004823; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Win32/Hancitor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum.php"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"DATA="; startswith; reference:md5,d90f5bb9e103ea6935e453a8bafe4a66; reference:url,twitter.com/james_inthe_box/status/1488521848467959810; classtype:trojan-activity; sid:2035096; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat INSERT"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004824; classtype:web-application-attack; sid:2004824; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?company_id="; depth:25; fast_pattern; content:"&lua="; distance:0; http.user_agent; content:"Installed"; startswith; http.header_names; content:!"Referer"; reference:md5,f1c404760bfac3c952d0f10dfa21e659; classtype:trojan-activity; sid:2035098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat DELETE"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004825; classtype:web-application-attack; sid:2004825; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pteranodon CnC Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/deep-"; depth:20; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; http.request_body; content:"username="; startswith; content:"&cart="; distance:0; content:"&deep-"; distance:0; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021; reference:md5,b5120dcc0f2682cb6fb2a4f68dcbbb0b; classtype:trojan-activity; sid:2035099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat ASCII"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004826; classtype:web-application-attack; sid:2004826; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?type=ping&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/R"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"Referer"; reference:md5,a56fea310f3cf5e724ee4a9990047b78; reference:url,twitter.com/3xp0rtblog/status/1489245446883069954; classtype:command-and-control; sid:2035107; rev:1; metadata:created_at 2022_02_05, former_category MALWARE, updated_at 2022_02_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004827; classtype:web-application-attack; sid:2004827; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?type=update&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; startswith; content:!"Referer"; reference:md5,a56fea310f3cf5e724ee4a9990047b78; reference:url,twitter.com/3xp0rtblog/status/1489245446883069954; classtype:command-and-control; sid:2035108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_05, deployment Perimeter, former_category MALWARE, malware_family Colibri, signature_severity Major, updated_at 2022_02_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp SELECT"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006633; classtype:web-application-attack; sid:2006633; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus APT Related Domain (designautocad .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"designautocad.org"; bsize:17; fast_pattern; reference:url,twitter.com/s1ckb017/status/1489591023030448129; reference:md5,16b9ced590e449446f12c733f3e0b808; classtype:domain-c2; sid:2035115; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006634; classtype:web-application-attack; sid:2006634; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (designautocad .org)"; dns.query; content:"designautocad.org"; nocase; bsize:17; reference:md5,16b9ced590e449446f12c733f3e0b808; reference:url,twitter.com/s1ckb017/status/1489591023030448129; classtype:domain-c2; sid:2035116; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp INSERT"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006635; classtype:web-application-attack; sid:2006635; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pteranodon CnC Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer"; http.request_body; content:"username="; startswith; content:"_"; within:255; content:"&cart=FV&"; fast_pattern; distance:0; content:"-"; within:12; content:"="; within:12; pcre:"/^\d+$/R"; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021; reference:md5,b5120dcc0f2682cb6fb2a4f68dcbbb0b; classtype:trojan-activity; sid:2035119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp DELETE"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006636; classtype:web-application-attack; sid:2006636; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[A-Za-z0-9]{30}\.php$/U"; http.header_names; content:!"Referer"; http.request_body; content:"aW50ZXJuYWwgY2xhc3M"; startswith; fast_pattern; content:"IHs"; distance:0; within:20; content:"cHVibGljIHN0cmluZw"; within:20; classtype:trojan-activity; sid:2035112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp ASCII"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006637; classtype:web-application-attack; sid:2006637; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Payload Downloaded"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"import base64|0a|from datetime import date"; startswith; fast_pattern; content:"timestamp = date.today|28 29 2e|strftime|28 22 25|m|25|d|25|Y|22 29|"; distance:0; content:"base64.b64encode(bytes(timestamp"; distance:0; content:"print|28 22|http"; content:"|2f 25 73 25 73 22 20 25 20 28 22 52 22 2c 20 75 72 69 29 29|"; distance:0; classtype:trojan-activity; sid:2035113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_02_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006638; classtype:web-application-attack; sid:2006638; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (sdilok .com)"; dns.query; content:"sdilok.com"; nocase; bsize:10; reference:url,news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/; classtype:domain-c2; sid:2035127; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp SELECT"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006639; classtype:web-application-attack; sid:2006639; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (world .healthamericacu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"world.healthamericacu.com"; bsize:25; fast_pattern; reference:md5,314a879c4cae8ae7c08d5fc207a5a22d; classtype:domain-c2; sid:2035128; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006640; classtype:web-application-attack; sid:2006640; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (world .healthamericacu .com)"; dns.query; content:"world.healthamericacu.com"; nocase; bsize:25; reference:md5,314a879c4cae8ae7c08d5fc207a5a22d; classtype:domain-c2; sid:2035129; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp INSERT"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006641; classtype:web-application-attack; sid:2006641; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?provider="; fast_pattern; http.cookie; content:"wordpress_"; startswith; http.user_agent; content:"Windows|20|NT|20|7.1|3b 20|"; http.header_names; content:!"Referer"; reference:md5,b4c716f08907cd4e848bb9ab541dc449; classtype:trojan-activity; sid:2035130; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp DELETE"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006642; classtype:web-application-attack; sid:2006642; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader Related Domain (lkjhgfgsdshja .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lkjhgfgsdshja.com"; bsize:17; fast_pattern; reference:url,research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/; classtype:domain-c2; sid:2035133; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp ASCII"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006643; classtype:web-application-attack; sid:2006643; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc Domain in DNS Lookup (travelcrimea .info)"; dns.query; dotprefix; content:".travelcrimea.info"; nocase; endswith; reference:md5,126110a4b240f1fedba2ff8d3d8e2ebe; reference:url,twitter.com/h2jazi/status/1490829405106569217; classtype:domain-c2; sid:2035134; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_02_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006644; classtype:web-application-attack; sid:2006644; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapptech .com)"; dns.query; content:"shopapptech.com"; nocase; bsize:15; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035158; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006645; classtype:web-application-attack; sid:2006645; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (shopapptech .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopapptech.com"; bsize:15; fast_pattern; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035159; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006646; classtype:web-application-attack; sid:2006646; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (shopapppro .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopapppro.com"; bsize:14; fast_pattern; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035160; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006647; classtype:web-application-attack; sid:2006647; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapppro .com)"; dns.query; content:"shopapppro.com"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035161; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006648; classtype:web-application-attack; sid:2006648; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (www .datacentre .center)"; dns.query; content:"www.datacentre.center"; nocase; bsize:21; reference:md5,26cb5fdcbdfccfa05399709d7dc12319; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035162; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006649; classtype:web-application-attack; sid:2006649; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc Domain (travelcrimea .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"travelcrimea.info"; bsize:20; fast_pattern; reference:md5,126110a4b240f1fedba2ff8d3d8e2ebe; reference:url,twitter.com/h2jazi/status/1490829405106569217; classtype:domain-c2; sid:2035135; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID SELECT"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006651; classtype:web-application-attack; sid:2006651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (datacentre .center in TLS SNI)"; flow:established,to_server; tls.sni; content:"datacentre.center"; bsize:17; fast_pattern; reference:md5,26cb5fdcbdfccfa05399709d7dc12319; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035163; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006652; classtype:web-application-attack; sid:2006652; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"http://surname192.temp.swtest.ru"; nocase; bsize:32; reference:url,twitter.com/IntezerLabs/status/1491033616519876617; classtype:command-and-control; sid:2035172; rev:1; metadata:created_at 2022_02_09, former_category MALWARE, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID INSERT"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006653; classtype:web-application-attack; sid:2006653; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE sLoad Related CnC Domain in DNS Lookup (angedionisu .eu)"; dns.query; content:"angedionisu.eu"; nocase; bsize:14; reference:url,twitter.com/JAMESWT_MHT/status/1491058829903429640; reference:md5,73284816cf3182f446536c380f805b1f; classtype:domain-c2; sid:2035164; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID DELETE"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006654; classtype:web-application-attack; sid:2006654; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>150; content:"_2B"; content:"_2B"; fast_pattern; distance:0; content:!"&"; content:!"?"; content:!"="; content:!"/tr/v1/"; startswith; http.host; dotprefix; content:!".surveymonkey.com"; endswith; http.host; dotprefix; content:!".cisco.com"; endswith; content:!".trendmicro.com"; endswith; http.connection; content:"Keep-Alive"; http.header_names; http.user_agent; content:!"TMUFE"; bsize:5; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033203; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Moderate, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ASCII"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006655; classtype:web-application-attack; sid:2006655; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed sLoad Related Domain (angedionisu .eu in TLS SNI)"; flow:established,to_server; tls.sni; content:"angedionisu.eu"; bsize:14; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1491058829903429640; reference:md5,73284816cf3182f446536c380f805b1f; classtype:domain-c2; sid:2035165; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006656; classtype:web-application-attack; sid:2006656; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".h264"; fast_pattern; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6361957001782ae7fa09ae213eca2625; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035166; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cgi/surgeftpmgr.cgi?"; nocase; content:"cmd=class&"; nocase; content:"classid="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/38097; reference:url,packetstormsecurity.org/1001-exploits/surgeftp-xss.txt; reference:url,doc.emergingthreats.net/2011065; classtype:web-application-attack; sid:2011065; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazing.dot"; fast_pattern; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; reference:md5,937a55cd5d63b81b3ca6f19f2bda2573; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035171; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/preview.php?"; nocase; content:"synTarget="; nocase; reference:url,www.milw0rm.com/exploits/7977; reference:bugtraq,33601; reference:url,doc.emergingthreats.net/2009145; classtype:web-application-attack; sid:2009145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>150; content:"_2F"; fast_pattern; content:"_2F"; distance:0; content:"_2F"; distance:0; content:!"&"; content:!"?"; content:!"="; content:!"/tr/v1/"; startswith; http.host; dotprefix; content:!".surveymonkey.com"; endswith; content:!"cisco.com"; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Moderate, signature_severity Major, updated_at 2022_02_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Telephone Directory 2008 edit1.php code Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/edit1.php?"; nocase; content:"action=confirm_data"; nocase; content:"code="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,29614; reference:url,xforce.iss.net/xforce/xfdb/42972; reference:url,milw0rm.com/exploits/5764; reference:url,doc.emergingthreats.net/2010098; classtype:web-application-attack; sid:2010098; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Redline Stealer Related Domain in DNS Lookup (windows-upgraded .com)"; dns.query; content:"windows-upgraded.com"; nocase; bsize:20; reference:url,threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/; classtype:domain-c2; sid:2035174; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006003; classtype:web-application-attack; sid:2006003; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)"; dns.query; content:"fouratlinks.com"; nocase; bsize:15; reference:url,intel471.com/blog/privateloader-malware; classtype:trojan-activity; sid:2035175; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006004; classtype:web-application-attack; sid:2006004; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PrivateLoader Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:"privacytoolzfor-you"; startswith; fast_pattern; reference:url,intel471.com/blog/privateloader-malware; classtype:trojan-activity; sid:2035176; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006005; classtype:web-application-attack; sid:2006005; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)"; flow:established,to_client; file_data; content:"|3c|meta|20|name|3d 22|twitter|3a|description|22 20|content|3d 22|"; pcre:"/^[a-f0-9]{5}(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})[a-f0-9]{2}-v[a-f0-9]{2}\x0a\x22\x3e\x0a\x3c/R"; content:"|3c|meta|20|name|3d 22|twitter|3a|app|3a|id|3a|iphone|22 20|content|3d 22|686449807|22|"; fast_pattern; reference:md5,0b2463e542ff395417ecb1cd37f77556; classtype:command-and-control; sid:2034960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006006; classtype:web-application-attack; sid:2006006; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?h="; fast_pattern; content:"|2a|"; distance:0; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; reference:md5,1d7d9b2c46bd733f5270d34c4dd748e9; reference:url,twitter.com/h2jazi/status/1491852987324637185; classtype:trojan-activity; sid:2035180; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006007; classtype:web-application-attack; sid:2006007; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:75; http.content_type; content:"text/plain|3b 20|charset=UTF-8"; bsize:25; http.request_body; content:"T7"; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})$/"; reference:md5,108757a3cc9c5e9d529ca1a94f1432b2; classtype:command-and-control; sid:2035177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006008; classtype:web-application-attack; sid:2006008; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin Response M4"; flow:established,to_client; file_data; content:"2HVWm7UNyz"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9+\/]+(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})$/"; reference:md5,108757a3cc9c5e9d529ca1a94f1432b2; classtype:command-and-control; sid:2035178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006009; classtype:web-application-attack; sid:2006009; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin Response M5"; flow:established,to_client; file_data; content:"VqiRa2vbXS"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9+\/]+(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})$/"; reference:md5,3acb8e439a1bd66a8a42c6bd5d8930b4; classtype:command-and-control; sid:2035179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006010; classtype:web-application-attack; sid:2006010; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ledikexive .com)"; dns.query; content:"ledikexive.com"; nocase; bsize:14; reference:md5,6b707cd8b8061a6d268812cff1d1f505; reference:url,twitter.com/Unit42_Intel/status/1492160514109149193; classtype:domain-c2; sid:2035181; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006011; classtype:web-application-attack; sid:2006011; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Anubis Registration Activity"; dsize:<400; content:"|54 67 69 2f 40|"; within:50; content:"|4f 6b 65 74 71 75 71 68 76 22 59 6b 70 66 71 79 75 22 5d 58 67 74 75 6b 71 70|"; fast_pattern; reference:md5,1f21b8e9ebc3b7480cc67ced7504916f; reference:url,medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e; classtype:trojan-activity; sid:2035184; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006012; classtype:web-application-attack; sid:2006012; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Go/Anubis CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /callback HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"callback="; startswith; content:"&reginfo="; distance:0; reference:md5,1f21b8e9ebc3b7480cc67ced7504916f; reference:url,medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e; classtype:command-and-control; sid:2035185; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006013; classtype:web-application-attack; sid:2006013; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkWatchman Checkin Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"X-Client-Id|0d 0a|"; content:"X-Client-Controller|0d 0a|"; fast_pattern; content:"X-Client-Ut|0d 0a|"; http.request_body; content:"os="; startswith; content:"&cn="; distance:0; content:"&un="; distance:0; content:"&b="; distance:0; content:"&l="; distance:0; content:"av="; distance:0; reference:url,prevailion.com/darkwatchman-new-fileness-techniques/; reference:md5,2ccc9637823753de9cdcdf76a1d22725; classtype:trojan-activity; sid:2034745; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006014; classtype:web-application-attack; sid:2006014; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkWatchman Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /index.php HTTP/1.1"; fast_pattern; http.header; content:"|0d 0a|X-Client-Id|3a 20|"; pcre:"/^[a-z0-9]{8}\r\n/R"; http.host; content:".top"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/5.0(Windows NT|20|"; startswith; reference:md5,2ccc9637823753de9cdcdf76a1d22725; classtype:trojan-activity; sid:2035186; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006015; classtype:web-application-attack; sid:2006015; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Socelars.S CnC Activity M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/base/api/"; startswith; content:".php"; endswith; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"???bll"; bsize:6; fast_pattern; http.header_names; content:!"Referer"; reference:md5,119501b9e0c53984d4af54644d7a7b47; classtype:trojan-activity; sid:2035188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_14, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006016; classtype:web-application-attack; sid:2006016; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Domain (judgebryantweekes .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"judgebryantweekes.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2035195; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_02_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006017; classtype:web-application-attack; sid:2006017; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Domain (lawyeryouwant .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"lawyeryouwant.com"; bsize:17; fast_pattern; classtype:domain-c2; sid:2035196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_02_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006018; classtype:web-application-attack; sid:2006018; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected RULER.Hacktool HTML Payload"; flow:established,to_client; file.data; content:"OutlookApplication"; nocase; content:"CreateObject"; nocase; content:"0006F063-0000-0000-C000-000000000046"; nocase; reference:url,www.mandiant.com/resources/overruled-containing-a-potentially-destructive-adversary; reference:url,github.com/sensepost/ruler; classtype:trojan-activity; sid:2035187; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006019; classtype:web-application-attack; sid:2006019; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interference/"; fast_pattern; content:".mqo"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,64ce44c092145dfc80375159eaef5461; classtype:trojan-activity; sid:2035197; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006020; classtype:web-application-attack; sid:2006020; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intercourse/"; fast_pattern; content:".mdl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,20bb6aec6889f9135d29ad40f4a25c23; classtype:trojan-activity; sid:2035198; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006021; classtype:web-application-attack; sid:2006021; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".stc"; endswith; fast_pattern; http.host; content:".ru"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,20bb6aec6889f9135d29ad40f4a25c23; classtype:trojan-activity; sid:2035199; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006023; classtype:web-application-attack; sid:2006023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perceived/"; fast_pattern; content:".ts"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,7c75bd80374fed96018416a531983548; classtype:trojan-activity; sid:2035200; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006024; classtype:web-application-attack; sid:2006024; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (doc .filesaves .cloud)"; dns.query; content:"doc.filesaves.cloud"; nocase; bsize:19; reference:md5,85fe6affdb218b2d09a59e08e80eb1fa; reference:md5,de097c5ab5e31ac16b4466cd56e9bd2d; reference:url,twitter.com/h2jazi/status/1493598324053712915; classtype:domain-c2; sid:2035201; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006025; classtype:web-application-attack; sid:2006025; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?query=1"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; reference:md5,52f79913a72c1afe1cd6b22445aab3e5; reference:url,twitter.com/ShadowChasing1/status/1493902034453479431; classtype:trojan-activity; sid:2035206; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006026; classtype:web-application-attack; sid:2006026; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GenKryptik.FQRH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vbc.exe"; endswith; fast_pattern; pcre:"/^\/\d{2,3}\/vbc.exe$/U"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,180defaf66190b475e636e0d7bcf0aed; classtype:trojan-activity; sid:2035207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006027; classtype:web-application-attack; sid:2006027; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Moses Staff APT Related Domain in DNS Lookup (techzenspace .com)"; dns.query; content:"techzenspace.com"; nocase; bsize:16; reference:url,www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard; classtype:domain-c2; sid:2035209; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, malware_family MosesStaff, signature_severity Major, updated_at 2022_02_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006028; classtype:web-application-attack; sid:2006028; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET 222 -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/QuasarRAT CnC Traffic"; flow:established,to_client; content:"|40 00 00 00|"; startswith; dsize:68; fast_pattern; stream_size:server,<,210; reference:url,twitter.com/James_inthe_box/status/1494023718741286915; classtype:trojan-activity; sid:2035211; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006029; classtype:web-application-attack; sid:2006029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MosesStaff APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"boundary=----BoundrySign"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard; classtype:trojan-activity; sid:2035210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, malware_family MosesStaff, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006030; classtype:web-application-attack; sid:2006030; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M2"; flow:established,to_server; http.method; content:"GET"; http.cookie; bsize:>170; content:".html"; endswith; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:command-and-control; sid:2035216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006031; classtype:web-application-attack; sid:2006031; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_"; content:"/office.txt"; within:26; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,97d3d3fe312514f33a44dcd9d5887b54; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006032; classtype:web-application-attack; sid:2006032; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/declaration.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"name="; startswith; content:"&count="; distance:0; reference:md5,c2e7a48d6bcf0c875d911f3e6c3896ee; reference:url,raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/2022_02_Gamaredon_UPDATE.txt; classtype:trojan-activity; sid:2035219; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006033; classtype:web-application-attack; sid:2006033; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/revers.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"name="; startswith; content:"&count="; distance:0; reference:md5,8c65c945a395d633f15b138e9aaf06f9; reference:url,raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/2022_02_Gamaredon_UPDATE.txt; classtype:trojan-activity; sid:2035220; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006034; classtype:web-application-attack; sid:2006034; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prevent/counter.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,5db3abc526fc334034f30e988a10c02a; classtype:trojan-activity; sid:2035221; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006035; classtype:web-application-attack; sid:2006035; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wsusa HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f8af71e85f5bee6b3fee2fcfd15da893; classtype:trojan-activity; sid:2035222; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006036; classtype:web-application-attack; sid:2006036; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc OneDrive Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/"; fast_pattern; startswith; http.user_agent; content:"MyAgent"; bsize:7; http.host; content:"api.onedrive.com"; bsize:16; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:url,twitter.com/cyberwar_15/status/1435260403127255043; reference:md5,baa9b34f152076ecc4e01e35ecc2de18; classtype:trojan-activity; sid:2033908; rev:2; metadata:created_at 2021_09_07, former_category MALWARE, updated_at 2022_02_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006037; classtype:web-application-attack; sid:2006037; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rejoice/clank.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,655f383e817a989e3114250232d0cd07; classtype:trojan-activity; sid:2035253; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006038; classtype:web-application-attack; sid:2006038; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/quietly/seedlings.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,9985bd33a8d129aba66feb1dd553fd22; classtype:trojan-activity; sid:2035254; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006039; classtype:web-application-attack; sid:2006039; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sense/guarded.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,7b62f40f5986be36f783863fa45a9946; classtype:trojan-activity; sid:2035255; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006040; classtype:web-application-attack; sid:2006040; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /refrigerator.dot HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,c36939365d244081d6860f42779a1503; classtype:trojan-activity; sid:2035256; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006041; classtype:web-application-attack; sid:2006041; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /prediction.dot HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f37095018deff37c70065ed5cf37e06b; classtype:trojan-activity; sid:2035257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006042; classtype:web-application-attack; sid:2006042; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /pre.dot HTTP/1.1"; fast_pattern; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,a9260f7ae7939637b9ae43dec8e03abb; classtype:trojan-activity; sid:2035265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006043; classtype:web-application-attack; sid:2006043; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /barrier.dot HTTP/1.1"; fast_pattern; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,b55956fbc3cda1481c07fe08ce254706; classtype:trojan-activity; sid:2035266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006044; classtype:web-application-attack; sid:2006044; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intake/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fa882c526ba36ec4219698ab6e64e699; classtype:trojan-activity; sid:2035267; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006045; classtype:web-application-attack; sid:2006045; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (tobaccosafe .xyz)"; dns.query; content:"tobaccosafe.xyz"; nocase; bsize:15; reference:md5,0faee3dfee432f821ceabeaa0f2d234c; reference:url,twitter.com/ShadowChasing1/status/1496054996177240068; classtype:domain-c2; sid:2035268; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006046; classtype:web-application-attack; sid:2006046; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (font .backuplogs .xyz)"; dns.query; content:"font.backuplogs.xyz"; nocase; bsize:19; reference:md5,92a78894568e2e7869ef7ec454c52db3; reference:md5,b4dcb52e46cfc0ed7deb25ff72bdf521; reference:url,twitter.com/JAMESWT_MHT/status/1496139517736148994; reference:url,twitter.com/malwrhunterteam/status/1496129802239201289; classtype:domain-c2; sid:2035269; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006047; classtype:web-application-attack; sid:2006047; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (srvrfontsdrive .xyz)"; dns.query; content:"srvrfontsdrive.xyz"; nocase; bsize:18; reference:md5,92a78894568e2e7869ef7ec454c52db3; reference:md5,b4dcb52e46cfc0ed7deb25ff72bdf521; reference:url,twitter.com/JAMESWT_MHT/status/1496139517736148994; reference:url,twitter.com/malwrhunterteam/status/1496129802239201289; classtype:domain-c2; sid:2035270; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006048; classtype:web-application-attack; sid:2006048; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/TrojanDownloader.Agent.TXV CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postUP.php"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.connection; content:"keep-alive"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1496172957726560257; classtype:trojan-activity; sid:2035271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006049; classtype:web-application-attack; sid:2006049; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRat 2.0 CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"="; http.request_body; content:"|ed bb a7 14 24 02 2e cc 3f f4|"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8306b6dee8aca5ad5b3368cd070d5729; reference:url,twitter.com/malwrhunterteam/status/1494650167877935104; classtype:trojan-activity; sid:2035275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006050; classtype:web-application-attack; sid:2006050; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .cc)"; dns.query; dotprefix; content:".microsofts.cc"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006051; classtype:web-application-attack; sid:2006051; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (08mma .com)"; dns.query; dotprefix; content:".08mma.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006052; classtype:web-application-attack; sid:2006052; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .top)"; dns.query; dotprefix; content:".microsofts.top"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006053; classtype:web-application-attack; sid:2006053; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (3mmlq .com)"; dns.query; dotprefix; content:".3mmlq.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006054; classtype:web-application-attack; sid:2006054; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (7cnbo .com)"; dns.query; dotprefix; content:".7cnbo.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006055; classtype:web-application-attack; sid:2006055; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /chd.php HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,0981f1145c1cec6a5de51c7d585affe3; reference:md5,bcbcc87f61fad5d558b25c1200b2c34d; reference:md5,ab8a866434329d643273b3dab0473bbc; classtype:trojan-activity; sid:2035283; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_24, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006056; classtype:web-application-attack; sid:2006056; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php"; bsize:8; fast_pattern; http.host; pcre:"/^[0-9]{6,10}\./"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; reference:md5,2dd5a4237122e73027404a91276f0235; reference:md5,9c8f6b38035c72421e1c71d2bb21ced9; reference:md5,860137d224440fd7c1cb3652199dcd58; classtype:trojan-activity; sid:2035288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006057; classtype:web-application-attack; sid:2006057; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/junk.flv?"; startswith; fast_pattern; http.user_agent; content:"junk/"; http.header_names; content:!"Referer"; reference:md5,61c4a0ab7b156744fcc24fb0813fb9b3; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/apt_gamaredon.txt; classtype:trojan-activity; sid:2035289; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006058; classtype:web-application-attack; sid:2006058; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Buhtrap SourSnack Domain in DNS Lookup (widget .forum-pokemon .com)"; dns.query; content:".widget.forum-pokemon.com"; nocase; endswith; reference:url,cert.gov.ua/article/37246; reference:md5,4ac6e6c6668cac064b16cf786e3cab6f; classtype:domain-c2; sid:2035286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family SourSnack, performance_impact Low, signature_severity Major, tag Buhtrap, updated_at 2022_02_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006059; classtype:web-application-attack; sid:2006059; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious lnk Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /joking.html HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; content:".ru"; endswith; reference:md5,d6b182c825d961154b5415de1a061ae0; classtype:trojan-activity; sid:2035290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006060; classtype:web-application-attack; sid:2006060; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /joking.html HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; content:".ru"; endswith; reference:md5,d6b182c825d961154b5415de1a061ae0; classtype:trojan-activity; sid:2035291; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006061; classtype:web-application-attack; sid:2006061; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected PlugX Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-z]{14}\//U"; content:"/update.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,ab96e541284afe6ffc3fcf4d05bc971e; reference:url,twitter.com/vupt_bka/status/1497147010927194112; classtype:trojan-activity; sid:2035292; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006062; classtype:web-application-attack; sid:2006062; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-zA-z]{14}\//U"; content:"/plplpMj.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; http.request_body; content:"1="; startswith; reference:md5,ab96e541284afe6ffc3fcf4d05bc971e; reference:url,twitter.com/vupt_bka/status/1497147010927194112; classtype:trojan-activity; sid:2035293; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_02_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006063; classtype:web-application-attack; sid:2006063; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SunSeed Lua Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{9,10}$/"; http.header_names; content:"|0d 0a|host|0d 0a|te|0d 0a|connection|0d 0a|user-agent|0d 0a 0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"LuaSocket|20|"; fast_pattern; startswith; classtype:trojan-activity; sid:2035360; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006064; classtype:web-application-attack; sid:2006064; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SunSeed Downloader Retrieving Binary (set)"; flow:established,to_server; flowbits:set,ETPRO.SunSeed.Downloader; flowbits:noalert; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Windows Installer"; bsize:17; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2035361; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006065; classtype:web-application-attack; sid:2006065; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SunSeed Download Retrieving Binary"; flow:established,to_client; flowbits:isset,ETPRO.SunSeed.Downloader; http.response_line; content:"HTTP/1.1 200 OK"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".msi|0d 0a|"; distance:0; file.data; content:"http.lua"; fast_pattern; classtype:trojan-activity; sid:2035362; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006066; classtype:web-application-attack; sid:2006066; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PurpleFox Backdoor Related Domain in DNS Lookup (qq .c1c .ren)"; dns.query; content:"qq.c1c.ren"; nocase; bsize:10; reference:md5,757e04a9da1083b797b9dadc94300937; reference:url,twitter.com/0xrb/status/1496747426505531398; classtype:domain-c2; sid:2035307; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006067; classtype:web-application-attack; sid:2006067; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trickbot Checkin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; bsize:10; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; nocase; file.data; content:"/1/"; depth:3; endswith; reference:md5,5d2d59d6cbff1dc1d108bdcae0294c51; classtype:command-and-control; sid:2032218; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006068; classtype:web-application-attack; sid:2006068; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,dddd77f42bfb365f36762ad4db4a741e; reference:md5,f4e7c05fde022ec76f8c2f0a4cf2e1b3; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035309; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006069; classtype:web-application-attack; sid:2006069; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; http.user_agent; content:!"Android"; content:!"Linux"; reference:md5,dddd77f42bfb365f36762ad4db4a741e; reference:md5,f4e7c05fde022ec76f8c2f0a4cf2e1b3; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006070; classtype:web-application-attack; sid:2006070; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /set.lgo/"; startswith; fast_pattern; content:!".php"; content:!".asp"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; reference:md5,30342cff84f9b4ea94b0415cd26e2ee2; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035312; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006071; classtype:web-application-attack; sid:2006071; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /index.arc/"; startswith; fast_pattern; content:!".php"; content:!".asp"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; reference:md5,0d7d8cc1756b932854e20dbe5d233afd; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035311; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006072; classtype:web-application-attack; sid:2006072; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-stream $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/Agent.UHC CnC Activity"; flow:established,to_client; stream_size:client,<,40; content:"|2e 2e 61 58 63 66|"; fast_pattern; reference:md5,042261407926beaaf0e3ed8bba5307cc; classtype:command-and-control; sid:2034219; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006073; classtype:web-application-attack; sid:2006073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (gen)"; flow:established,to_server; content:"|0d 0a 0d 0a|gen="; fast_pattern; http.request_body; content:!"&syncID="; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2022_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006074; classtype:web-application-attack; sid:2006074; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleFox Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /i.php?i="; fast_pattern; startswith; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7f757563585debbbccc3e34664de04fe; reference:md5,c793425d192af8f89b1b8c7e1ea6f792; reference:url,twitter.com/Max_Mal_/status/1498351091066589184; classtype:trojan-activity; sid:2035313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_02_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName SELECT"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006075; classtype:web-application-attack; sid:2006075; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected PlugX Checkin Activity (udp)"; dsize:24; content:"|30 00|"; startswith; content:"|00 00 00 bf 68|"; distance:1; within:5; content:"|00 04 00 00 00 10 00 00 00 00 00 00|"; distance:4; within:12; fast_pattern; threshold: type limit, count 1, seconds 20, track by_src; reference:md5,3db876a7ab11ce98687d381ec9207256; reference:md5,98b2faafb027cc4c225d9de1616f430c; reference:url,twitter.com/0xrb/status/1496747426505531398; classtype:trojan-activity; sid:2035308; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UNION SELECT"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006076; classtype:web-application-attack; sid:2006076; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Daxin CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?htpmgcid="; startswith; fast_pattern; http.header_names; content:"Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; content:!"Referer"; reference:md5,fb7c61ef427f9b2fdff3574ee6b1819b; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage; classtype:command-and-control; sid:2035365; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName INSERT"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006077; classtype:web-application-attack; sid:2006077; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M3"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|source|22 0d 0a 0d 0a|"; distance:0; content:"|20|cookies|0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName DELETE"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006078; classtype:web-application-attack; sid:2006078; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Maldoc Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,cc088f6cdcc6536404d1527f5addbde6; reference:md5,3543111b570bd274ba5d0f1a10268c84; reference:url,twitter.com/500mk500/status/1497837117572980740; classtype:trojan-activity; sid:2035363; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName ASCII"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006079; classtype:web-application-attack; sid:2006079; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Microsoft Edge_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Browsers/Cookies/Microsoft Edge_"; fast_pattern; reference:md5,758f815f3775e1b063eba3ab33479a9f; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035366; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006080; classtype:web-application-attack; sid:2006080; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Telegram Activity"; flow:established,to_server; http.uri; content:"/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/"; fast_pattern; startswith; http.host; content:"api.telegram.com"; bsize:16; reference:url,www.ic3.gov/Media/News/2022/220224.pdf; classtype:trojan-activity; sid:2035364; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/export.php?"; nocase; content:"export_to="; nocase; reference:bugtraq,33731; reference:url,milw0rm.com/exploits/8029; reference:url,doc.emergingthreats.net/2009169; classtype:web-application-attack; sid:2009169; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?username="; bsize:<16; startswith; fast_pattern; pcre:"/^\/\x3fusername\x3d[a-z0-9]{2,3}_\d$/U"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,f1006f3968f9edf76090e34702e647e6; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035368; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/examples/tbs_us_examples_0view.php?"; nocase; content:"script="; nocase; reference:url,milw0rm.com/exploits/8667; reference:url,vupen.com/english/advisories/2009/1304; reference:url,doc.emergingthreats.net/2009789; classtype:web-application-attack; sid:2009789; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|source|22 0d 0a 0d 0a|"; distance:0; content:"|20|passwords|0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Script Toko Online shop_display_products.php cat_id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shop_display_products.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2009-0296; reference:url,secunia.com/advisories/33661/; reference:url,milw0rm.com/exploits/7873; reference:url,doc.emergingthreats.net/2009199; classtype:web-application-attack; sid:2009199; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M4"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|formdata|22 0d 0a 0d 0a 7b|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|billinfo|22 0d 0a 0d 0a 7b|"; distance:0; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|cardinfo|22 0d 0a 0d 0a 7b|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TorrentTrader Classic delreq.php categ Parameter Sql Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/torrenttrader109/delreq.php?"; nocase; content:"categ="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8958; reference:bugtraq,35369; reference:url,doc.emergingthreats.net/2010026; classtype:web-application-attack; sid:2010026; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/case"; bsize:5; fast_pattern; http.cookie; content:"wordpress_52345768e930f1ec699e4f12ab015a4f="; startswith; http.header_names; content:!"Referer"; http.header; content:"User-Agent|3a 20|Opera/9.61|20|(Windows|20|NT|20|5.1|3b 20|U|3b 20|ru)|20|Presto/2.1.1"; reference:md5,6b8d63299b70fb04a71bcadcf2f5f72b; reference:md5,2069c823d67e2d5d59606b3d8f6a7e22; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:trojan-activity; sid:2035370; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.php?"; nocase; content:"inc_dir="; nocase; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009726; classtype:web-application-attack; sid:2009726; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jquery-3.3.2.min.js?__cfduid="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|"; reference:url,twitter.com/Unit42_Intel/status/1498802280992227330?s=20&t=iDY6vP8NF3muXpkS4ERenw; classtype:trojan-activity; sid:2035376; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/cms_detect.php?"; nocase; content:"include="; nocase; reference:url,milw0rm.com/exploits/8503; reference:bugtraq,34634; reference:url,doc.emergingthreats.net/2009729; classtype:web-application-attack; sid:2009729; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miras C2 Activity"; flow:established,to_server; dsize:<1000; content:"|36 36 36 36 58 36 36 36|"; offset:2; depth:8; reference:md5,98a3a68f76ed2eba763eb7bfb6648562; classtype:command-and-control; sid:2018979; rev:3; metadata:created_at 2014_08_22, former_category MALWARE, updated_at 2022_03_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tours Manager cityview.php cityid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cityview.php?"; nocase; content:"cityid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32503/; reference:url,milw0rm.com/exploits/6988; reference:url,doc.emergingthreats.net/2008821; classtype:web-application-attack; sid:2008821; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT BabyShark Related Domain in DNS Lookup (worldinfocontact .club)"; dns.query; content:"worldinfocontact.club"; nocase; bsize:21; reference:md5,fe3ad944d07b66c83dc433c39fc054f4; reference:url,www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood; classtype:domain-c2; sid:2035374; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TurnkeyForms Business Survey Pro id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/survey_results_text.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32561/; reference:url,milw0rm.com/exploits/7029; reference:url,doc.emergingthreats.net/2008827; classtype:web-application-attack; sid:2008827; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (cop .osonlines .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"cop.osonlines.co"; bsize:16; fast_pattern; reference:url,twitter.com/cyber__sloth/status/1498698178585104385; classtype:domain-c2; sid:2035382; rev:1; metadata:created_at 2022_03_02, updated_at 2022_03_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcategory.php?"; nocase; content:"cid="; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32568/; reference:url,milw0rm.com/exploits/7027; reference:url,doc.emergingthreats.net/2008828; classtype:web-application-attack; sid:2008828; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related  Domain in DNS Lookup"; dns.query; content:"cop.osonlines.co"; nocase; bsize:16; reference:url,twitter.com/cyber__sloth/status/1498698178585104385; classtype:domain-c2; sid:2035383; rev:1; metadata:created_at 2022_03_02, updated_at 2022_03_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/listtest.php?"; nocase; content:"r="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32591/; reference:url,milw0rm.com/exploits/7035; reference:url,doc.emergingthreats.net/2008829; classtype:web-application-attack; sid:2008829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mtl"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,11d19db057c4eee965878dd92181803e; reference:url,twitter.com/500mk500/status/1498769941998223366; classtype:trojan-activity; sid:2035375; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id SELECT"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004869; classtype:web-application-attack; sid:2004869; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PurpleFox Related Domain in DNS Lookup"; dns.query; content:"oip.xioerabn.site"; nocase; bsize:17; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:domain-c2; sid:2035384; rev:1; metadata:attack_target Client_and_Server, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004870; classtype:web-application-attack; sid:2004870; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/PurpleFox Retrieving File (GET)"; flow:established,to_server; http.request_line; content:"GET /conf.dat HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 6.0|3b 20|Windows|20|NT|20|5.0)"; bsize:50; http.header_names; content:!"Referer"; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:trojan-activity; sid:2035385; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id INSERT"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004871; classtype:web-application-attack; sid:2004871; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PlugX Related Domain in DNS Lookup"; dns.query; content:"aoisudoisadn.kkb.tv"; nocase; bsize:19; reference:md5,1634d4a7ffdd698f6ccb541719fbff5c; reference:url,twitter.com/0xrb/status/1499287458500194304; classtype:domain-c2; sid:2035386; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id DELETE"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004872; classtype:web-application-attack; sid:2004872; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Domain in DNS Lookup"; dns.query; content:"diet-days.com"; nocase; bsize:13; reference:md5,b76199c0aaaa9c676ac7c6041f73be57; classtype:domain-c2; sid:2035394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id ASCII"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004873; classtype:web-application-attack; sid:2004873; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Domain in DNS Lookup"; dns.query; content:"socialskinclub.com"; nocase; bsize:18; reference:md5,b76199c0aaaa9c676ac7c6041f73be57; classtype:domain-c2; sid:2035395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004874; classtype:web-application-attack; sid:2004874; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BumbleBee Loader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gate HTTP/1.1"; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; http.request_body; content:"|22|client_id|22|"; content:"|22|group_name|22|"; distance:0; content:"|22|sys_version|22|"; distance:0; content:"User name|3a 20|"; distance:0; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; classtype:trojan-activity; sid:2035387; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug SELECT"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004672; classtype:web-application-attack; sid:2004672; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jaxebiridi .com)"; dns.query; content:"jaxebiridi.com"; nocase; bsize:14; reference:md5,07d3e518022aec38af7cb4cb709fd4e3; reference:md5,1cd603a9c0f9f251552e070d16591bef; classtype:domain-c2; sid:2035388; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UNION SELECT"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004673; classtype:web-application-attack; sid:2004673; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wp-includes/RELEASE.gif HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 6.0|3b 20|HTC One X10 Build/MRA58K|3b 20|wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"; bsize:113; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:57; reference:md5,07d3e518022aec38af7cb4cb709fd4e3; reference:md5,1cd603a9c0f9f251552e070d16591bef; classtype:trojan-activity; sid:2035389; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug INSERT"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004674; classtype:web-application-attack; sid:2004674; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/descent.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"name="; startswith; content:"_"; distance:0; content:"&count="; distance:8; reference:md5,8184d72f1ce59bba32afc7a2b5953d52; classtype:trojan-activity; sid:2035390; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug DELETE"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004675; classtype:web-application-attack; sid:2004675; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Arkei Stealer CnC Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tratata.php"; startswith; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; http.header; content:"Cache-Control: no-cache"; reference:url,blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu; classtype:trojan-activity; sid:2035392; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ASCII"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004676; classtype:web-application-attack; sid:2004676; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Arkei Stealer CnC Checkin (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tratata.php"; startswith; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; http.header; content:"Cache-Control: no-cache"; reference:url,blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu; classtype:trojan-activity; sid:2035393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004677; classtype:web-application-attack; sid:2004677; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".maxc"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer"; reference:md5,8842acb150e1625ff20a84190073ece6; reference:url,twitter.com/500mk500/status/1498769941998223366; classtype:trojan-activity; sid:2035391; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s SELECT"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004678; classtype:web-application-attack; sid:2004678; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; http.method; content:"POST"; nocase; http.host; content:!".bitdefender.net"; http.content_len; byte_test:0,<=,200,0,string,dec; http.request_body; content:"id="; nocase; startswith; content:"&cn="; nocase; content:"&bid="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,doc.emergingthreats.net/2010875; classtype:command-and-control; sid:2010875; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_03_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UNION SELECT"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2005185; classtype:web-application-attack; sid:2005185; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE CobaltStrike DNS Beacon Response"; content:"|81 80 00 01 00 01 00 00 00 00|"; offset:2; depth:10; content:"|c0 0c 00 01 00 01 00 00 00 00 00 04 00 00 00 00|"; endswith; threshold: type both, count 10, seconds 90, track by_dst; content:!"|06|nessus|03|org"; content:!"trr|03|dns|07|nextdns|02|io"; content:!"|08|cloudapp|03|net"; reference:url,www.youtube.com/watch?v=zAB5G-QOyx8; classtype:targeted-activity; sid:2026040; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2022_03_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s INSERT"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004679; classtype:web-application-attack; sid:2004679; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/BlackGuard Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?user="; content:"&coockieCount="; distance:0; fast_pattern; content:"&searche="; distance:0; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 28|"; content:"|29 5f 5b|"; within:255; content:"|5d 2e|"; within:255; content:"|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; within:53; reference:url,app.any.run/tasks/3c8c54c1-d39f-4a14-af0c-242fd364ef15/; reference:md5,bb5f22fc74149158b637a2bac5064ddb; classtype:command-and-control; sid:2035398; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s DELETE"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004680; classtype:web-application-attack; sid:2004680; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin"; flow:established,to_server; content:"|09 12 3b 42|"; depth:4; content:"|33 a2 44|"; distance:1; within:3; content:"|01 86 73|"; distance:1; within:3; threshold: type limit, count 1, seconds 120, track by_src; reference:md5,8322266fc84da79419adc44d3acc49c3; classtype:command-and-control; sid:2036734; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family AveMaria, performance_impact Low, signature_severity Major, tag RAT, updated_at 2022_03_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ASCII"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004681; classtype:web-application-attack; sid:2004681; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2"; flow:established,to_client; http.response_body; content:"W1sibmFtZSIsICJmaXJzdG5hbWUiL"; offset:50; depth:40; fast_pattern; content:"WyJuYW1lIiwgImxhc3RuYW1lIiw"; distance:0; content:"WyJuYW1lIiwgInN0cmVldFs"; distance:0; content:"WyJpZCIsICJhdXRobmV0Y2ltLWNjLW51bWJlciIs"; distance:0; content:"BbImlkIiwgImF1dGhuZXRjaW0tY2MtZXhwLXllYXI"; distance:0; reference:url,twitter.com/felixaime/status/1500812201262829568?s=20&t=xfD8gOOJuH7IZav4YxGkcw; reference:md5,a41474baac5a91c8033cfee943cea903; classtype:trojan-activity; sid:2035400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004682; classtype:web-application-attack; sid:2004682; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SystemBC Powershell bot registration"; flow:established,to_server; dsize:100; content: "|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31|"; offset: 0; depth: 50; reference:md5,d1fb59de13a2394622c84aca8d963071; reference:url,medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c; classtype:command-and-control; sid:2035399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid SELECT"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005233; classtype:web-application-attack; sid:2005233; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)"; dns.query; content:"xbeta.online"; nocase; bsize:12; reference:url,cert.gov.ua/article/37626; reference:md5,e34d6387d3ab063b0d926ac1fca8c4c4; reference:url,twitter.com/h2jazi/status/1500607147989684224; classtype:domain-c2; sid:2035404; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UNION SELECT"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005234; classtype:web-application-attack; sid:2005234; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/BlackGuard Stealer Variant Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; depth:4; content:"/sendDocument?chat_id="; distance:0; content:"&caption="; distance:0; content:"|e2 9a 99 ef b8 8f 20|Windows|20|"; distance:0; fast_pattern; content:"BROWSER|3a 0a|"; distance:0; content:"|0a 0a 20|Link|20|"; distance:0; http.host; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|document|22 3b 20|filename|3d 22|"; content:".zip|22 0d 0a|Content-Type|3a 20|application/x-ms-dos-executable"; distance:0; reference:md5,d4e02002916f18576204a3f1722a958b; reference:md5,eb6c563af372d1af92ac2b60438d076d; reference:md5,ae84bf01058b29c178ae724df445c0c8; reference:url,twitter.com/3xp0rtblog/status/1499748871362261001; classtype:command-and-control; sid:2035397; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BlackGuard, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid INSERT"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005235; classtype:web-application-attack; sid:2005235; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual/STARWHALE Beacon Activity (POST)"; flow:established,to_server; urilen:>15; http.method; content:"POST"; http.uri; content:!".asp"; content:!".php"; content:!".htm"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:"|0d 0a|CharSet|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.request_body; content:"vl="; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035407; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family TA450, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid DELETE"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005236; classtype:web-application-attack; sid:2005236; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArmyOfUkraine Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"GET / HTTP/1.1"; bsize:14; http.header; content:"accept|3a 20 2a 2f 2a 0d 0a|"; content:"host|3a|"; http.host; content:".ru"; endswith; http.header_names; content:"|0d 0a|accept|0d 0a|host|0d 0a 0d 0a|"; fast_pattern; bsize:18; threshold:type both, seconds 600, count 20, track by_src; reference:md5,62d49fed7c54621b507a02541ee55066; reference:url,twitter.com/GossiTheDog/status/1497681806094737411; classtype:trojan-activity; sid:2035421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ASCII"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005237; classtype:web-application-attack; sid:2005237; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual/STARWHALE GoLang Beacon Activity (POST)"; flow:established,to_server; urilen:>15; http.method; content:"POST"; http.uri; content:!".asp"; content:!".php"; content:!".htm"; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.content_type; content:"application/json"; bsize:16; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.request_body; content:"|7b 22|vl|22 3a 22|"; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035408; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family TA450, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005238; classtype:web-application-attack; sid:2005238; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 GRAMDOOR Telegram CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"api.telegram.org"; bsize:16; http.uri; content:"/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendMessage?"; fast_pattern; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035409; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci SELECT"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006886; classtype:web-application-attack; sid:2006886; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TransparentTribe CnC Domain in DNS Lookup"; dns.query; content:"swissaccount.ddns.net"; nocase; bsize:21; reference:url,twitter.com/0xrb/status/1501061897604730881; classtype:domain-c2; sid:2035410; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UNION SELECT"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006887; classtype:web-application-attack; sid:2006887; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TransparentTribe CnC Domain in DNS Lookup"; dns.query; content:"sunjaydut.ddns.net"; nocase; bsize:18; reference:url,twitter.com/0xrb/status/1501061897604730881; classtype:domain-c2; sid:2035411; rev:1; metadata:created_at 2022_03_08, updated_at 2022_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci INSERT"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006888; classtype:web-application-attack; sid:2006888; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (gmy .cimadlicks .net)"; dns.query; dotprefix; content:".gmy.cimadlicks.net"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035412; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci DELETE"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006889; classtype:web-application-attack; sid:2006889; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (community .weblives .net)"; dns.query; dotprefix; content:".community.weblives.net"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ASCII"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006890; classtype:web-application-attack; sid:2006890; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (app .tomelife .com)"; dns.query; dotprefix; content:".app.tomelife.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006891; classtype:web-application-attack; sid:2006891; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msn-msn/log/2/debug?tim="; startswith; fast_pattern; http.host; content:"trc.taboola.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; reference:md5,9a32e5a45336e705d23adc865bd30704; classtype:command-and-control; sid:2035415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, malware_family SoulSearcher, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006892; classtype:web-application-attack; sid:2006892; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/en-my/CMSStyles/style.csx?k="; startswith; fast_pattern; http.host; content:"c.s-microsoft.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:command-and-control; sid:2035416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UNION SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006893; classtype:web-application-attack; sid:2006893; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB2 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|22 00|"; distance:0; content:"|63 00|"; distance:8; within:2; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, performance_impact Moderate, signature_severity Major, updated_at 2022_03_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci INSERT"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006894; classtype:web-application-attack; sid:2006894; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB1 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|a2|"; within:1; content:"|27 00 00 5c 00 63 00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci DELETE"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006895; classtype:web-application-attack; sid:2006895; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".asp"; content:!".htm"; content:!".php"; http.header; content:"|0d 0a|CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"c="; startswith; http.header_names; content:!"Referer"; reference:md5,69ff29b86ab5444197aeb0cf5eba0967; reference:url,blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html; classtype:trojan-activity; sid:2035425; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_10, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, malware_family TA450, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ASCII"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006896; classtype:web-application-attack; sid:2006896; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/protocol/function.php?page="; fast_pattern; startswith; http.header; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html; classtype:trojan-activity; sid:2035426; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_10, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, malware_family TA453, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006897; classtype:web-application-attack; sid:2006897; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert smb any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE HermeticWizard - File Copy via SMB"; flow:established,to_server; content:"Wizard|2e|dll|00|DllInstall|00|DllRegisterServer|00|DllUnregisterServer"; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035424; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp SELECT"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005003; classtype:web-application-attack; sid:2005003; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - SMB Spreader - Remote Process Creation"; flow:established,to_server; content:"|05 00 00|"; content:"cmd|20 2f|c|20|start|20|regsvr32|20 2f|s|20 2f|i"; distance:0; fast_pattern; content:"|5c|c"; within:8; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dat|20 26 20|start|20|cmd|20 2f|c|20 22|ping|20|localhost|20 2d|n|20|7|20 26 20|wevtutil|20|cl|20|System|22|"; within:62; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005004; classtype:web-application-attack; sid:2005004; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp INSERT"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005005; classtype:web-application-attack; sid:2005005; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - SMB Spreader - File Copy via SMB1 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|a2|"; within:1; content:"|12 00 63|"; distance:0; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dat|00|"; within:5; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035437; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, performance_impact Moderate, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp DELETE"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005006; classtype:web-application-attack; sid:2005006; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT41 KEYPLUG Related Domain in DNS Lookup"; dns.query; content:"afdentry.workstation.eu.org"; nocase; bsize:27; reference:url,www.mandiant.com/resources/apt41-us-state-governments; classtype:domain-c2; sid:2035440; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp ASCII"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005007; classtype:web-application-attack; sid:2005007; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x32)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b 52 0c 8b|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005008; classtype:web-application-attack; sid:2005008; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc 48 83 e4 f0 eb 33 5d 8b 45 00 48 83 c5 04 8b|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007283; classtype:web-application-attack; sid:2007283; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007200; classtype:web-application-attack; sid:2007200; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 781"; flow:established,to_server; content:"|b1 1a 8f 90 16 1e ff 80 76 38 01|"; startswith; fast_pattern; content:"|31 28|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2035438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007201; classtype:web-application-attack; sid:2007201; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,to_client; tls.cert_subject; content:"CN=celasllc.com"; bsize:15; fast_pattern; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; reference:url,crt.sh/?id=492527550; classtype:trojan-activity; sid:2025990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2022_03_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007202; classtype:web-application-attack; sid:2007202; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,to_client; tls.cert_subject; content:"CN=4b7gf8bngf877"; bsize:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022919; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007203; classtype:web-application-attack; sid:2007203; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,to_client; tls.cert_subject; content:"CN=WIN-K462BJ3GEEC"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007204; classtype:web-application-attack; sid:2007204; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,to_client; tls.cert_serial; content:"00:CF:DD:B8:9F:9D:14:26:AD"; tls.cert_subject; content:"CN=localhost.localdomain"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007205; classtype:web-application-attack; sid:2007205; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,to_client; tls.cert_serial; content:"00:86:C5:19:74:50:39:69:7A"; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020372; rev:4; metadata:attack_target Client_and_Server, created_at 2015_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007206; classtype:web-application-attack; sid:2007206; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Denial, L=Springfield, O=Dis,"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021938; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007207; classtype:web-application-attack; sid:2007207; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,to_client; tls.cert_subject; content:"CN=sni237731.cloudflaressl.com"; fast_pattern; classtype:domain-c2; sid:2023490; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007208; classtype:web-application-attack; sid:2007208; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,to_client; tls.cert_subject; content:"C="; pcre:"/^(?P<letter>[a-z])(?P=letter)\,/R"; content:"L=Default City"; content:"O=Default Company Ltd"; fast_pattern; content:!"CN="; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023496; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007209; classtype:web-application-attack; sid:2007209; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"=certs_division@sslslf.info"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022100; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007210; classtype:web-application-attack; sid:2007210; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.hot-sex-tube.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022101; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/include/timesheet.php?"; nocase; content:"config[include_dir]="; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010127; classtype:web-application-attack; sid:2010127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"O=International Security Depart"; content:"CN=www.mgid.org"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022102; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname SELECT"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005669; classtype:web-application-attack; sid:2005669; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,to_client; tls.cert_serial; content:"00:99:60:FE:ED:86:B8:81:83"; tls.cert_subject; content:"O=Sinkhole.Ru"; fast_pattern; content:"CN=*"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022907; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UNION SELECT"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005670; classtype:web-application-attack; sid:2005670; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=Sinkhole Party"; fast_pattern; content:"CN=sinkhole"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022908; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname INSERT"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005671; classtype:web-application-attack; sid:2005671; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=jmfbrtbsmth.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023161; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname DELETE"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005672; classtype:web-application-attack; sid:2005672; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls.cert_serial; content:"00:AC:80:A0:72:11:64:DF:3F"; tls.cert_subject; content:"CN=localhost.localdomain"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ASCII"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005673; classtype:web-application-attack; sid:2005673; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,to_client; tls.cert_subject; content:"O=Agency Protocols Management of Internet"; content:"CN=bestylish.com"; fast_pattern; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022209; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005674; classtype:web-application-attack; sid:2005674; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,to_client; tls.cert_subject; content:"O=Agency Protocols Management of Internet"; content:"=info@apmi.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022211; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VS Panel showcat.php Cat_ID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcat.php?"; nocase; content:"Cat_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,34648; reference:url,milw0rm.com/exploits/8506; reference:url,doc.emergingthreats.net/2009731; classtype:web-application-attack; sid:2009731; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,to_client; tls.cert_subject; content:"CN=server.domain.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022229; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user SELECT"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006603; classtype:web-application-attack; sid:2006603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cmod"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,833cd8302870af5a50b3a09af0420297; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035448; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006604; classtype:web-application-attack; sid:2006604; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".ndf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,eecaecd170ef3d7a5976d435f6d03ef8; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035449; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user INSERT"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006605; classtype:web-application-attack; sid:2006605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=google.com"; content:"@google.com"; fast_pattern; tls.cert_issuer; content:"CN=google.com"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022234; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user DELETE"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006606; classtype:web-application-attack; sid:2006606; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Wureuzisen"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022684; rev:3; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ASCII"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006607; classtype:web-application-attack; sid:2006607; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,to_client; tls.cert_subject; content:!"ST="; content:!"L="; content:"C=CH"; fast_pattern; pcre:"/O=(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)\.?,.+CN=[a-z]{5,}\.[a-z]{2,3}(?:$|,)/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022279; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006608; classtype:web-application-attack; sid:2006608; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=NY, L=NY"; fast_pattern; content:"CN="; distance:0; content:"=admin@"; distance:0; pcre:"/[eE]mail(?:Address)?=admin@/"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022534; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/editor/edit_htmlarea.php?"; nocase; content:"highlighter="; nocase; pcre:"/highlighter\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57679; reference:url,doc.emergingthreats.net/2010254; classtype:web-application-attack; sid:2010254; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,to_client; tls.cert_subject; content:"OU=obama team"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021513; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/debugger/debug_php.php?"; nocase; content:"_GET[filename]="; nocase; reference:url,osvdb.org/show/osvdb/57680; reference:url,doc.emergingthreats.net/2010255; classtype:web-application-attack; sid:2010255; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/%D0"; startswith; content:"-%D0%9F"; distance:0; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,91c27abec8fda1410e2fae396f592e93; reference:md5,8d1ce6280d2f66ff3e4fe1644bf24247; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035450; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Venalsur Booking Centre HotelID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/hotel_habitaciones.php?"; nocase; content:"HotelID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7253; reference:bugtraq,32512; reference:url,doc.emergingthreats.net/2008926; classtype:web-application-attack; sid:2008926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup (tvasahi .online)"; dns.query; content:"tvasahi.online"; nocase; bsize:14; reference:url,ti.qianxin.com/blog/articles/Analysis-of-ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/; classtype:domain-c2; sid:2035451; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006279; classtype:web-application-attack; sid:2006279; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT29 Cache_DLL SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=private.directinvesting.com"; fast_pattern; reference:md5,8f154d23ac2071d7f179959aaba37ad5; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023931; rev:3; metadata:created_at 2017_02_16, former_category MALWARE, malware_family APT29_Cache_DLL, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UNION SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006280; classtype:web-application-attack; sid:2006280; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate"; flow:established,from_server; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod INSERT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006281; classtype:web-application-attack; sid:2006281; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/44Caliber Stealer Discord Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/943188844625428520/64LwO5Gsh0pUZCcm80BNwTcVPihRnEmr1rZOPj02k6T5sRc5Lq4sdaB2KyttNgJHeX3T"; fast_pattern; bsize:101; http.host; content:"discord.com"; endswith; reference:md5,0238e5a4b41c4dcff77e8b01e88bed22; reference:url,twitter.com/c3rb3ru5d3d53c/status/1503449439868014592; classtype:trojan-activity; sid:2035471; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod DELETE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006282; classtype:web-application-attack; sid:2006282; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup"; dns.query; content:"multilogin.online"; nocase; bsize:17; reference:url,ti.qianxin.com/blog/articles/Analysis-of-ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/; classtype:domain-c2; sid:2035457; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod ASCII"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006283; classtype:web-application-attack; sid:2006283; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/B1txor20 Backdoor Related Domain in DNS Lookup"; dns.query; dotprefix; content:".webserv.systems"; nocase; endswith; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/; classtype:command-and-control; sid:2035458; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006284; classtype:web-application-attack; sid:2006284; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/tst/ins_cont.php"; startswith; bsize:17; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006285; classtype:web-application-attack; sid:2006285; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Webdor.NAC Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?m="; content:"&c="; distance:0; content:"&v="; distance:0; content:"&myID="; content:"/"; within:255; content:"/"; within:10; http.user_agent; content:"Catalyst"; bsize:8; fast_pattern; reference:md5,1e2a28d5f4f03420df7a6766e0e4277c; classtype:trojan-activity; sid:2035456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UNION SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006286; classtype:web-application-attack; sid:2006286; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn.php"; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header; content:"DNT: 1"; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|DNT|0d 0a|Connection|0d 0a 0d 0a|"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; bsize:61; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick INSERT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006287; classtype:web-application-attack; sid:2006287; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M1"; flow:established,to_server; content:"|05 00 00|"; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; distance:0; content:"C|00|r|00|e|00|a|00|t|00|e|00|"; within:200; content:"regsvr32|2e|exe|20 2f|s|20 2f|i|20|"; distance:0; fast_pattern; content:"|5c|c"; within:500; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dll|00|"; within:5; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick DELETE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006288; classtype:web-application-attack; sid:2006288; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls [195.22.26.192/26,195.22.28.192/27,195.38.137.100,195.22.4.21,195.157.15.100,212.61.180.100] 443 -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks Sinkhole SSL Cert lolcat - specific IPs"; flow:established,to_client; tls.cert_subject; content:"CN=lolcat"; fast_pattern; flowbits:isnotset,ET.invalid.cab; classtype:trojan-activity; sid:2019628; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick ASCII"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006289; classtype:web-application-attack; sid:2006289; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE rat-test CnC Response"; flow:established,to_client; dsize:8; content:"d|00|o|00|n|00|e|00|"; nocase; flowbits:isset,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; reference:url,twitter.com/James_inthe_box/status/1501604645759709186; classtype:trojan-activity; sid:2035477; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006290; classtype:web-application-attack; sid:2006290; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX Related Activity"; flow:established,to_server; dsize:6; content:"feiji."; fast_pattern; reference:url,twitter.com/0xrb/status/1503983616321552384; reference:md5,ff82ecc7bee903f3eb2e168855598d37; reference:md5,ae0bd618eedec0b1ba9f149333d08837; classtype:trojan-activity; sid:2035473; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006291; classtype:web-application-attack; sid:2006291; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!80,!443,!25,!22,!110] (msg:"ET MALWARE SideCopy APT MargulasRAT Related Activity"; flow:established,to_server; dsize:19; content:"|31 36 00 2b 9c 02 0d 6e 46 11 42 7e e5 8f 99 94 1d fe 24|"; fast_pattern; reference:md5,b361a415cb5fe33f54957b1aa58fffd6; reference:md5,ae29fbacb0a0aba4b8f82924551fae4d; classtype:trojan-activity; sid:2035474; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UNION SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006292; classtype:web-application-attack; sid:2006292; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TA471/UNC2589 Go Downloader User-Agent (-hobot-)"; flow:established,to_server; http.user_agent; content:"-hobot-"; bsize:7; reference:md5,15c525b74b7251cfa1f7c471975f3f95; reference:url,cert.gov.ua/article/37704; classtype:trojan-activity; sid:2035468; rev:1; metadata:created_at 2022_03_16, former_category MALWARE, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick INSERT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006293; classtype:web-application-attack; sid:2006293; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in DNS Lookup (nirsoft .me)"; dns.query; content:"nirsoft.me"; nocase; bsize:10; reference:url,cert.gov.ua/article/37704; reference:md5,aa5e8268e741346c76ebfd1f27941a14; classtype:domain-c2; sid:2035469; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick DELETE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006294; classtype:web-application-attack; sid:2006294; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Stike CnC  Domain (nirsoft .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"nirsoft.me"; bsize:10; fast_pattern; reference:md5,aa5e8268e741346c76ebfd1f27941a14; reference:url,cert.gov.ua/article/37704; classtype:domain-c2; sid:2035470; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick ASCII"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006295; classtype:web-application-attack; sid:2006295; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Server Banner)"; flow:established,from_server; content:"***|0d 0a|*|20 20 20 20 20 20 20 20|WELCOME TO THE BALL PIT|20 20 20 20 20 20 20 20|*|0d 0a|"; fast_pattern; content:"*|20 20 20 20 20|Now with|20|"; distance:0; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022214; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006296; classtype:web-application-attack; sid:2006296; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:command-and-control; sid:2018033; rev:4; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006297; classtype:web-application-attack; sid:2006297; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:3; metadata:created_at 2015_05_15, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UNION SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006298; classtype:web-application-attack; sid:2006298; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Predator Pain Sending Data over SMTP"; flow:established,to_server; content:"Subject|3a 20|Predator Pain v"; fast_pattern; reference:md5,e774a7e6ca28487db649458f48230199; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018688; rev:4; metadata:created_at 2014_07_17, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod INSERT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006299; classtype:web-application-attack; sid:2006299; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:4; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod DELETE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006300; classtype:web-application-attack; sid:2006300; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made by UltimateHackerzTeam)"; http_header; fast_pattern; reference:url,doc.emergingthreats.net/2010346; classtype:trojan-activity; sid:2010346; rev:7; metadata:created_at 2010_07_30, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod ASCII"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006301; classtype:web-application-attack; sid:2006301; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.G Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|Linux|20|"; offset:2; depth:21; fast_pattern; pcre:"/^\d/R"; reference:md5,917a2a3d8c30282acbe7b1ff121a4336; classtype:command-and-control; sid:2018808; rev:2; metadata:created_at 2014_07_30, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006302; classtype:web-application-attack; sid:2006302; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BleedingLife EK Payload Delivered"; flow:from_server,established; flowbits:isset,ET.BleedingLife.Payload; content:"200"; http_stat_code; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2023291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VidShare Pro listing_video.php catid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/listing_video.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8737; reference:bugtraq,35033; reference:url,doc.emergingthreats.net/2009794; classtype:web-application-attack; sid:2009794; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; urilen:6; content:".htm"; http_uri; content:"Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.0|3B| Trident/5.0)"; fast_pattern; http_user_agent; pcre:"/^\x2F[a-z]{1}\x2Ehtm$/U"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html; reference:url,www.fortiguard.com/latest/av/4057936; reference:md5,92899c20da4d9db5627af89998aadc58; classtype:command-and-control; sid:2016211; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005493; classtype:web-application-attack; sid:2005493; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UNION SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005494; classtype:web-application-attack; sid:2005494; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device[endof]"; depth:23; fast_pattern; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017425; rev:3; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid INSERT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005495; classtype:web-application-attack; sid:2005495; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin"; flow:to_server,established; content:"/index.dat?"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|0D 0A|Host|3a| "; fast_pattern; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; classtype:command-and-control; sid:2014466; rev:5; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid DELETE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005496; classtype:web-application-attack; sid:2005496; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2017784; rev:5; metadata:created_at 2013_11_27, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ASCII"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005497; classtype:web-application-attack; sid:2005497; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Checkin Activity 2"; flow:established,to_server; urilen:20<>100; content:!"Referer|3a|"; http_header; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^Host\x3a\x20(?=[a-z0-9]{0,19}[A-Z])(?=[A-Z0-9]{0,19}[a-z])[a-zA-Z0-9]{4,20}\.[a-z]{2,3}/H"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|Mozilla/"; http_header; within:41; fast_pattern; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020302; rev:7; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005498; classtype:web-application-attack; sid:2005498; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net start Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"These Windows services are started|3a 0d|"; fast_pattern; content:"The command completed successfully|2e|"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019001; rev:2; metadata:created_at 2014_08_26, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005499; classtype:web-application-attack; sid:2005499; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:3; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UNION SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005500; classtype:web-application-attack; sid:2005500; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Stoberox.B"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"Host|3a|"; http_header; depth:5; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Accept-Encoding|3a 20|none|0d 0a|"; http_header; fast_pattern; content:!"Referer"; http_header; pcre:"/^[a-zA-Z0-9\+\/]+={0,2}$/P"; reference:md5,6ca1690720b3726bc76ef0e7310c9ee7; classtype:trojan-activity; sid:2018300; rev:4; metadata:created_at 2014_03_20, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id INSERT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005501; classtype:web-application-attack; sid:2005501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent|3a| Microsoft|20|Internet|20|Updater|0d 0a|"; http_header; fast_pattern; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:5; metadata:created_at 2012_07_26, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id DELETE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005502; classtype:web-application-attack; sid:2005502; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Download"; flow:from_server,established; flowbits:isset,ET.andromeda; content:"200"; http_stat_code; content:"Server|3a 20|nginx"; http_header; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:"Content-Transfer-Encoding|3a| binary|0d 0a|"; fast_pattern; pcre:"/filename=[a-f0-9]{32}v\.(?:docm|zip)\x0d\x0a/Hmi"; classtype:trojan-activity; sid:2022573; rev:3; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ASCII"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005503; classtype:web-application-attack; sid:2005503; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|25|www.signliquideducationdaughter.final"; distance:1; within:38; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022247; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005504; classtype:web-application-attack; sid:2005504; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; fast_pattern; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:10; metadata:created_at 2010_07_30, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005505; classtype:web-application-attack; sid:2005505; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:2; metadata:created_at 2014_02_04, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UNION SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005506; classtype:web-application-attack; sid:2005506; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA"; flow:established,to_server; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|3b|Google|3b|)|0d 0a|Host|3a| "; fast_pattern; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:70; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:2016429; rev:5; metadata:created_at 2011_08_05, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id INSERT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005507; classtype:web-application-attack; sid:2005507; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows ipconfig Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Windows IP Configuration|0d|"; fast_pattern; content:"Ethernet adapter Local Area Connection|3a|"; distance:0; content:"Physical Address"; content:"IP Address"; content:"Subnet Mask"; content:"Default Gateway"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019000; rev:4; metadata:created_at 2014_08_26, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id DELETE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005508; classtype:web-application-attack; sid:2005508; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:6; metadata:created_at 2011_10_20, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ASCII"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005509; classtype:web-application-attack; sid:2005509; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"|0d 0a|User-Agent|3a 20|Opera/9 (Windows"; fast_pattern; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:command-and-control; sid:2014777; rev:3; metadata:created_at 2012_05_18, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005510; classtype:web-application-attack; sid:2005510; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:5; metadata:created_at 2010_09_28, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id SELECT"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005889; classtype:web-application-attack; sid:2005889; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; fast_pattern; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:command-and-control; sid:2014757; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005890; classtype:web-application-attack; sid:2005890; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET MALWARE Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern; reference:md5,91f885e08d627097fb1116a3d4634b82; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018017; rev:4; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id INSERT"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005891; classtype:web-application-attack; sid:2005891; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Pain File Stealer sending wallet.dat via SMTP"; flow:to_server,established; content:"Subject|3a| Pain File Stealer"; fast_pattern; content:"Content|2d|Type|3a 20|application|2f|octet|2d|stream|3b 20|name|3d|wallet.dat"; reference:url,www.cyphort.com/blog/nighthunter-massive-campaign-steal-credentials-revealed; classtype:trojan-activity; sid:2018738; rev:2; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id DELETE"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005892; classtype:web-application-attack; sid:2005892; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M1"; flow:to_client,established; file_data; content:"eval|28|"; pcre:"/^[a-z]\x29/Rsi"; content:"Problems in loading internet explorer"; distance:0; content:"Try again after update your systems."; distance:0; fast_pattern; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021609; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ASCII"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005893; classtype:web-application-attack; sid:2005893; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive External IP Leak"; flow:established,from_server; file_data; content:"<span id=|22|lblIPBehindProxy|22|>{"; within:29; fast_pattern; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:external-ip-check; sid:2020811; rev:4; metadata:created_at 2015_03_31, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005894; classtype:web-application-attack; sid:2005894; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 74 65 78 74 2F 70 6C 61 69 6E 2C 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 2A 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43 61 63 68 65|"; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:command-and-control; sid:2023032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vlog System note parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/blog.php?"; nocase; content:"user="; nocase; content:"note="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32784/; reference:url,www.milw0rm.com/exploits/7186; reference:url,doc.emergingthreats.net/2008875; classtype:web-application-attack; sid:2008875; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CazinoSilver Checkin"; flow:established,to_server; content:".php?key="; http_uri; content:"User-Agent|3A 20|DMFR|0D 0A|"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013511; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat SELECT"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007416; classtype:web-application-attack; sid:2007416; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 1"; flow:from_server,established; file_data; content:"/title><script>window.setTimeout(function () { window.location="; fast_pattern; content:"<title>"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title/R"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020748; rev:8; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007417; classtype:web-application-attack; sid:2007417; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE PredatorPain Keylogger FTP Activity"; flow:established,to_server; dsize:21; content:"USER|20|panzerhund2015|0d 0a|"; fast_pattern; reference:url,malwareconfig.com/stats/PredatorPain; reference:md5,e5ddca929924e4f34cb18692f09ac424; classtype:trojan-activity; sid:2021745; rev:2; metadata:created_at 2015_09_04, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat INSERT"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007418; classtype:web-application-attack; sid:2007418; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:3; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat DELETE"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007419; classtype:web-application-attack; sid:2007419; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Connectivity Check to Google"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Host|3a| google.com|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|29 0d 0a 0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2019729; rev:4; metadata:created_at 2014_11_18, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ASCII"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007420; classtype:web-application-attack; sid:2007420; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern; depth:92; classtype:trojan-activity; sid:2013351; rev:4; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007421; classtype:web-application-attack; sid:2007421; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"ET MALWARE MSIL/Banker.M Downloading Binary from SQL"; flow:established,to_client; content:"|03 00|d|00|b|00|o|00 09 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 03|i|00|m|00|g"; fast_pattern; content:"This program cannot be run"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021931; rev:2; metadata:created_at 2015_10_08, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007422; classtype:web-application-attack; sid:2007422; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6)"; flow:established,to_server; content:"X-Mailer|3a| XimianEvolution1.4.6"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; content:!"X-Barracuda-"; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/438-asprox-botnet-trojan-run-malware-spamming-1; reference:url,stopmalvertising.com/tag/asprox.html; classtype:trojan-activity; sid:2018336; rev:6; metadata:created_at 2014_03_31, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007423; classtype:web-application-attack; sid:2007423; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/"; startswith; fast_pattern; http.cookie; content:"PREF=ID="; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,aa5e8268e741346c76ebfd1f27941a14; reference:url,cert.gov.ua/article/37704; classtype:trojan-activity; sid:2035508; rev:2; metadata:created_at 2022_03_17, former_category MALWARE, malware_family Cobalt_Strike, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007424; classtype:web-application-attack; sid:2007424; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loki Locker Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"Loki/"; startswith; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035510; rev:1; metadata:created_at 2022_03_17, former_category MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007425; classtype:web-application-attack; sid:2007425; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup"; dns.query; content:"loki-locker.one"; nocase; bsize:15; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:domain-c2; sid:2035511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007426; classtype:web-application-attack; sid:2007426; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup"; dns.query; content:"maritimepakistan.kpt-pk.net"; nocase; bsize:27; reference:md5,bbc955b1289b4f90fdfb8906606597e9; reference:url,twitter.com/ShadowChasing1/status/1504347312838959106; classtype:domain-c2; sid:2035516; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007427; classtype:web-application-attack; sid:2007427; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loki Locker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"unique-id="; fast_pattern; content:"disk-size="; content:"|20|GB&"; within:10; content:"user="; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007428; classtype:web-application-attack; sid:2007428; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.response_body; content:"bgABExk3KwQzPic3bF9YcnJuHz02Jz4nI"; fast_pattern; content:"259Hz02Jz4nIWxfWHJybhcqIj08NzwmbBMDExBufRcqIj08NzwmbF9Ybn0AARMZNysEMz4nN2w="; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007429; classtype:web-application-attack; sid:2007429; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perceive.cfg"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1504444062425747456; reference:md5,ef5017d8e7724f73d370e1b77d276d3c; classtype:trojan-activity; sid:2035517; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007430; classtype:web-application-attack; sid:2007430; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.B Domain in SNI"; flow:established,to_server; tls.sni; content:"handbrake.biz"; bsize:13; fast_pattern; classtype:trojan-activity; sid:2024285; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007431; classtype:web-application-attack; sid:2007431; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"eltima.in"; bsize:9; fast_pattern; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007432; classtype:web-application-attack; sid:2007432; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"handbrakestore.com"; bsize:18; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024891; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007433; classtype:web-application-attack; sid:2007433; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake org name)"; flow:established,from_server; tls.cert_subject; content:"C=AU"; content:"ST=Some-State"; fast_pattern; tls.certs; content:"|06 03 55 04 0a|"; distance:0; pcre:"/^.{2}(?=[a-z]{0,15}\d)(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=var)/Rs"; reference:md5,c35b37203859b9c0be0e3255a79ed64d; classtype:trojan-activity; sid:2019832; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007434; classtype:web-application-attack; sid:2007434; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2"; flow:established,to_server; dsize:51; content:"|01 00 30 01 01 00|"; fast_pattern; startswith; flowbits:set,ET.Tesch; reference:md5,872763d48730506af7eee0bf22c2f47b; classtype:command-and-control; sid:2018620; rev:6; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007435; classtype:web-application-attack; sid:2007435; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA471/UNC2589 Related Activity (GET)"; flow:established,to_server; urilen:2; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z]$/"; http.user_agent; content:"-hobot-"; bsize:7; fast_pattern; http.accept_enc; content:"gzip"; bsize:4; http.header_names; content:!"Referer"; reference:md5,1b161170a6b025b3f44746e20afd130f; reference:url,www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/; classtype:trojan-activity; sid:2035531; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007436; classtype:web-application-attack; sid:2007436; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (runfs .icu)"; dns.query; content:"runfs.icu"; nocase; bsize:9; reference:url,isc.sans.edu/diary/rss/28448; classtype:domain-c2; sid:2035532; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007437; classtype:web-application-attack; sid:2007437; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/B1txor20 Backdoor Connectivity Check"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 00 00 01|"; distance:1; within:16; endswith; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; classtype:trojan-activity; sid:2035526; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007438; classtype:web-application-attack; sid:2007438; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Backdoor Related Activity"; flow:established,to_server; dsize:3; content:"|03 00 dc|"; fast_pattern; threshold: type both, count 2, seconds 5, track by_src; reference:md5,bd054c4f43808ef37352f36129bf0c3d; reference:md5,06a7eccd74a6aa5aa12755cd48829f90; reference:md5,532345089619a1881176588a587d3cf1; reference:url,ShadowChasing1/status/1504833720489951234; classtype:trojan-activity; sid:2035533; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007439; classtype:web-application-attack; sid:2007439; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply"; flow:established,to_client; content:"|02 00 06|"; startswith; content:"|01 BB|"; endswith; fast_pattern; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018477; rev:2; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007440; classtype:web-application-attack; sid:2007440; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|02 00 06|"; startswith; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018624; rev:6; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007441; classtype:web-application-attack; sid:2007441; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [8000:8001] (msg:"ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil"; flow:established,to_server; dsize:571; content:"|b9 b6 b5 c8 f1 ef ef d3 f1 ef ef ee ef ef ef 2c|"; startswith; fast_pattern; content:"|99 91 31 a9 39 97 27 81 f1|"; endswith; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,782cbc8660ff9e94e584adfcbc4cb961; reference:url,asec.ahnlab.com/en/32572; classtype:trojan-activity; sid:2035536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Gh0stCringe, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007442; classtype:web-application-attack; sid:2007442; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Pult Downloader Activity (POST)"; flow:established,to_server; urilen:8<>25; http.method; content:"POST"; http.uri; content:!".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"batac="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:!"Linux|3b|"; content:!"iPhone|3b|"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,765c01936caae2ba1b1b50ae1ed76cc0; classtype:trojan-activity; sid:2035534; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007443; classtype:web-application-attack; sid:2007443; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Empty Payload (set)"; flow:established,to_server; flowbits:set,ET.facefish; flowbits:noalert; dsize:8; content:"|00 00 00 02 00 00 00 00|"; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033109; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007444; classtype:web-application-attack; sid:2007444; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ELF/Facefish Server Response (201)"; flow:established,to_client; flowbits:isset,ET.facefish; dsize:8; content:"|18 00 01 02|"; startswith; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033110; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007445; classtype:web-application-attack; sid:2007445; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Client Response (202)"; flow:established,to_server; flowbits:set,ET.facefish; dsize:8; content:"|08 00 02 02|"; startswith; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033111; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007446; classtype:web-application-attack; sid:2007446; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Session Closing (400)"; flow:established,to_server; flowbits:isset,ET.facefish; dsize:8; content:"|00 00 00 04 00 00 00 00|"; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033112; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007447; classtype:web-application-attack; sid:2007447; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EMAIL SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"2F:09:DD:E0:FF:81:B7:6C:BF:2F:17:92:0C:D8:BD:57"; tls.cert_subject; content:"CN=EMAIL"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016464; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007448; classtype:web-application-attack; sid:2007448; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M1"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZwc"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035527; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007449; classtype:web-application-attack; sid:2007449; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M2"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZzH"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035528; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007450; classtype:web-application-attack; sid:2007450; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M3"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZxA"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035529; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007451; classtype:web-application-attack; sid:2007451; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:92:87:8F:35:B4:AA:08:D1"; tls.cert_subject; content:"L=Taipei"; fast_pattern; classtype:trojan-activity; sid:2020289; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004128; classtype:web-application-attack; sid:2004128; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^[A-Za-z0-9]{4}$/"; http.user_agent; content:"FunWebProducts|3b|IE0006_ver1|3b|EN_GB"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/; classtype:trojan-activity; sid:2035546; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004129; classtype:web-application-attack; sid:2004129; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/submit.php?id="; startswith; http.user_agent; content:"|3b 20|MANM|3b 20|MANM)"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"Cookie"; reference:url,unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/; classtype:trojan-activity; sid:2035547; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004130; classtype:web-application-attack; sid:2004130; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (grace-fraser .site)"; dns.query; content:"grace-fraser.site"; nocase; bsize:17; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035548; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004131; classtype:web-application-attack; sid:2004131; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (pam-beesly .site)"; dns.query; content:"pam-beesly.site"; nocase; bsize:15; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035549; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006975; classtype:web-application-attack; sid:2006975; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (mozelllittel .com)"; dns.query; content:"mozelllittel.com"; nocase; bsize:16; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035550; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UNION SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006976; classtype:web-application-attack; sid:2006976; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Mustang Panda APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newtap.css"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,twitter.com/StillAzureH/status/1505823479945625604; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; classtype:trojan-activity; sid:2035551; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login INSERT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006977; classtype:web-application-attack; sid:2006977; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Invitation.jpg"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,twitter.com/StillAzureH/status/1505823479945625604; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; classtype:trojan-activity; sid:2035552; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login ASCII"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006979; classtype:web-application-attack; sid:2006979; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wp-content/plugins/akismet/control/en/en.jpg HTTP/1.1"; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,854903e0b284ef78322082de46dcd160; reference:url,twitter.com/h2jazi/status/1505965580075114498; classtype:trojan-activity; sid:2035545; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006980; classtype:web-application-attack; sid:2006980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LAME SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"0E:97:88:1C:6C:A1:37:96:42:03:BC:45:42:24:75:6C"; tls.cert_subject; content:"CN=LM-68AB71FBD8F5"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016465; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006981; classtype:web-application-attack; sid:2006981; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity APT Related Domain in DNS Lookup (sessionprotocol .com)"; dns.query; content:"sessionprotocol.com"; nocase; bsize:19; reference:md5,98cca7f2f6ad00771f50e97f97b5b38e; reference:url,twitter.com/HONKONE_K/status/1505920551503626242; classtype:domain-c2; sid:2035553; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family StrongPity, signature_severity Major, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UNION SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006982; classtype:web-application-attack; sid:2006982; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake loc)"; flow:established,from_server; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"; classtype:trojan-activity; sid:2018457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Significant, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password INSERT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006983; classtype:web-application-attack; sid:2006983; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NS SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"72:A2:5C:8A:B4:18:71:4e:BF:C6:6F:3F:98:D6:F7:74"; tls.cert_subject; content:"CN=NS"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016466; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password DELETE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006984; classtype:web-application-attack; sid:2006984; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKE AOL SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"7C:A2:74:D0:FB:C3:D1:54:B3:D1:A3:00:62:E3:7E:F6"; tls.cert_subject; content:"CN=mail.aol.com"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016469; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password ASCII"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006985; classtype:web-application-attack; sid:2006985; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake IBM SSL Cert APT1"; flow:established,to_client; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; content:"CN=IBM"; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; content:"CN=IBM"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016463; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006986; classtype:web-application-attack; sid:2006986; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Virtually SSL Cert APT1"; flow:established,to_client; tls.cert_issuer; content:"O=www.virtuallythere.com"; content:"OU=new"; content:"CN=new"; tls.cert_subject; content:"O=www.virtuallythere.com"; fast_pattern; content:"OU=new"; content:"CN=new"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016462; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid SELECT"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006987; classtype:web-application-attack; sid:2006987; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKE YAHOO SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"0A:38:C9:27:08:6F:96:4B:BE:75:DC:9F:C0:1A:C6:28"; tls.cert_subject; content:"CN=mail.yahoo.com"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016470; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006988; classtype:web-application-attack; sid:2006988; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely CryptoWall .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"kpai7ycr7jxqkilp."; fast_pattern; startswith; classtype:trojan-activity; sid:2018610; rev:3; metadata:created_at 2014_06_27, former_category MALWARE, updated_at 2022_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid INSERT"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006989; classtype:web-application-attack; sid:2006989; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.content_len; byte_test:0,<=,1000,0,string,dec; http.response_body; content:"|7b 22|public|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|message|5f|id|22 3a 22|"; distance:0; content:!"|22 2c 22|"; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid DELETE"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006990; classtype:web-application-attack; sid:2006990; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc)"; flow:established,to_server; http.user_agent; content:"aimxxhwpcc"; bsize:10; fast_pattern; reference:md5,1f1969481fe9bca52d5c01e1a093c1b8; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:trojan-activity; sid:2035556; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ASCII"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006991; classtype:web-application-attack; sid:2006991; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com)"; dns.query; content:"product2020.mrbasic.com"; nocase; bsize:23; reference:url,twitter.com/h2jazi/status/1505887653111209994; reference:md5,1af894a5f23713b557c23078809ed01c; reference:md5,1aba36f72685c12e60fb0922b606417c; classtype:domain-c2; sid:2035557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006992; classtype:web-application-attack; sid:2006992; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT ID Command Observed"; flow:established,to_server; content:"|3c 7c|ID|7c 3e|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid SELECT"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006993; classtype:web-application-attack; sid:2006993; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore RAT CnC Checkin"; flow:established,to_server; content:"|3c 7c|mainzsoccer|7c|"; fast_pattern; startswith; classtype:attempted-admin; sid:2035542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006994; classtype:web-application-attack; sid:2006994; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidecopy APT Backdoor Related Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /logs_files HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:trojan-activity; sid:2035558; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid INSERT"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006995; classtype:web-application-attack; sid:2006995; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz)"; dns.query; content:"kokotech.xyz"; nocase; bsize:12; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:domain-c2; sid:2035559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid DELETE"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006996; classtype:web-application-attack; sid:2006996; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SUR SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"20:82:92:3F:43:2C:8F:75:B7:EF:0F:6A:D9:3C:8E:5D"; fast_pattern; tls.cert_subject; content:"CN=SUR"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016468; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ASCII"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006997; classtype:web-application-attack; sid:2006997; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".kdc/"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; content:"&cacogenics="; distance:0; reference:md5,1182940dca705e0b3a8349c9fdf99e10; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006998; classtype:web-application-attack; sid:2006998; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT Set Keep-Alive Observed"; flow:established,to_server; content:"|3c 7c|SETPING|7c|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID SELECT"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007070; classtype:web-application-attack; sid:2007070; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mesh"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UNION SELECT"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007071; classtype:web-application-attack; sid:2007071; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FlawedGrace CnC Activity"; flow:to_server,established; dsize:14; content:"|47 43 52 47|"; offset:4; depth:4; threshold: type both, track by_src, count 10, seconds 60; reference:md5,2b1215fb65d33fc6206ab227a3b7e75a; classtype:command-and-control; sid:2026773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID INSERT"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007072; classtype:web-application-attack; sid:2007072; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response abuse.ch"; flow:established,to_client; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern; classtype:trojan-activity; sid:2020223; rev:4; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID DELETE"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007073; classtype:web-application-attack; sid:2007073; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:CD:2D:4A:53:08:27:AA:B4"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021289; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ASCII"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007074; classtype:web-application-attack; sid:2007074; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:80:5C:5F:EC:50:39:a2:14"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021772; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007075; classtype:web-application-attack; sid:2007075; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9F:B1:5C:37:90:8A:2E:B7"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022095; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wazzum Dating Software profile_view.php userid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"profile_view.php"; nocase; content:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7877; reference:url,secunia.com/Advisories/33654/; reference:url,doc.emergingthreats.net/2009122; classtype:web-application-attack; sid:2009122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:81:32:F4:D9:2C:39:C3:06"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wbstreet show.php id parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7337; reference:bugtraq,32635; reference:url,doc.emergingthreats.net/2008939; classtype:web-application-attack; sid:2008939; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:B4:78:3D:3F:BF:60:B9:94"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022097; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/cron.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009306; classtype:web-application-attack; sid:2009306; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,to_client; tls.cert_serial; content:"00:B4:E9:29:AF:96:2B:99:E2"; fast_pattern; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022098; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ST_browsers.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009308; classtype:web-application-attack; sid:2009308; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; fast_pattern; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:3; metadata:created_at 2013_02_20, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ST_countries.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009310; classtype:web-application-attack; sid:2009310; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; tls.sni; content:"zxjfcvfvhqfqsrpz."; fast_pattern; startswith; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:4; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2022_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ST_platforms.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009312; classtype:web-application-attack; sid:2009312; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,to_client; tls.cert_subject; content:"C=Unknown, ST=Unknown, L=Unknown, O=Send-Safe, OU=Unknown, CN=Send-Safe"; bsize:71; fast_pattern; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id SELECT"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004760; classtype:web-application-attack; sid:2004760; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed"; flow:established,to_server; tls.sni; content:"v5t5z6a55ksmt3oh.onion"; startswith; fast_pattern; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004761; classtype:web-application-attack; sid:2004761; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Spora Ransomware SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=spora.bz"; fast_pattern; classtype:trojan-activity; sid:2024043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id INSERT"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004762; classtype:web-application-attack; sid:2004762; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SteamStealer Domain in SNI"; flow:established,to_server; tls.sni; content:"steamdesktopauthenticator.com"; bsize:29; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id DELETE"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004763; classtype:web-application-attack; sid:2004763; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SteamStealer Malicious SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=steamdesktopauthenticator.com"; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:domain-c2; sid:2025388; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id ASCII"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004764; classtype:web-application-attack; sid:2004764; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StrongPity APT SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=mevlut.oncu.example.com"; fast_pattern; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:targeted-activity; sid:2025416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004765; classtype:web-application-attack; sid:2004765; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConPtyShell Client Response"; flow:established,to_server; content:"|1b 5b 32 4a 1b 5b 6d 1b 5b 48 1b 5b 48 1b 5d 30 3b|"; startswith; fast_pattern; content:"|5b 32 33 58 1b 5b 32 33|"; distance:0; content:"|43 0d 0a 1b 5b 38 30 58 1b 5b 38 30 43 0d 0a 1b|"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro art.php idm Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/art.php"; nocase; content:"idm="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009013; classtype:web-application-attack; sid:2009013; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Command (whoami)"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"whoami"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro rub.php idr Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rub.php"; nocase; content:"idr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009014; classtype:web-application-attack; sid:2009014; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Close Shell"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"exit"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php ida Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/galeri_info.php?"; nocase; content:"ida="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009015; classtype:web-application-attack; sid:2009015; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,to_client; tls.cert_issuer; content:"O=Superfish, Inc."; content:"CN=Superfish, Inc."; fast_pattern; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php lang Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/galeri_info.php?"; nocase; content:"lang="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009016; classtype:web-application-attack; sid:2009016; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11; content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro rubrika.php idr Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rubrika.php?"; nocase; content:"idr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009017; classtype:web-application-attack; sid:2009017; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; endswith; classtype:trojan-activity; sid:2022707; rev:3; metadata:created_at 2016_04_06, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID SELECT"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004911; classtype:web-application-attack; sid:2004911; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022709; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UNION SELECT"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004912; classtype:web-application-attack; sid:2004912; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022710; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID INSERT"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004913; classtype:web-application-attack; sid:2004913; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; nocase; endswith; classtype:trojan-activity; sid:2024790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, malware_family BlackStealer, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID DELETE"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004914; classtype:web-application-attack; sid:2004914; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026581; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID ASCII"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004915; classtype:web-application-attack; sid:2004915; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004916; classtype:web-application-attack; sid:2004916; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id SELECT"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004772; classtype:web-application-attack; sid:2004772; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize:<300; content:"|b0 1c 03 d4 90 38 41 d4 2a b4 80 7f|"; depth:12; content:"|04 00|"; endswith; reference:url,medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a; classtype:trojan-activity; sid:2027361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag APT, tag Winnti, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004773; classtype:web-application-attack; sid:2004773; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC USR Init Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 12 01 00 00 2d 55 53 52|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027831; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id INSERT"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004774; classtype:web-application-attack; sid:2004774; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022780; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id DELETE"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004775; classtype:web-application-attack; sid:2004775; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022781; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id ASCII"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004776; classtype:web-application-attack; sid:2004776; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022782; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004778; classtype:web-application-attack; sid:2004778; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022783; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp SELECT"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004224; classtype:web-application-attack; sid:2004224; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022784; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004225; classtype:web-application-attack; sid:2004225; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022785; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp INSERT"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004226; classtype:web-application-attack; sid:2004226; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|g|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022786; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp DELETE"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004227; classtype:web-application-attack; sid:2004227; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|v|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022787; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp ASCII"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004228; classtype:web-application-attack; sid:2004228; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SDBbot CnC Checkin"; flow:established,to_server; content:"|00 00 de c0|"; depth:4; content:"ver="; distance:0; content:"|0a|domain="; distance:0; content:"|0a|pc="; distance:0; content:"|0a|geo="; distance:0; content:"|0a|os="; distance:0; content:"|0a|rights="; distance:0; content:"|0a|proxyenabled="; distance:0; fast_pattern; content:"|0a|"; endswith; reference:md5,892be85dc60df6bc82568384e83b9b4c; classtype:command-and-control; sid:2031217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, malware_family SDBbot, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004229; classtype:web-application-attack; sid:2004229; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/1xxbot CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|<EOM>Windows|20|"; startswith; fast_pattern; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOF>"; endswith; reference:md5,9eb50c6cdb59d11b01ca9f069e8ba79d; classtype:command-and-control; sid:2028984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family 1xxbot, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name SELECT"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004230; classtype:web-application-attack; sid:2004230; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Reporting Error to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=hmo"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UNION SELECT"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004231; classtype:web-application-attack; sid:2004231; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=A1f"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name INSERT"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004232; classtype:web-application-attack; sid:2004232; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Finished"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|finished|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name DELETE"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004233; classtype:web-application-attack; sid:2004233; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize:<150; content:"|7b 22 54 79 70 65 22 3a 22 45 6e 63 72 79 70 74 69 6f 6e 53 74 61 74 75 73 22 2c 22 53 74 61 74 75 73 22 3a|"; fast_pattern; depth:80; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ASCII"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004439; classtype:web-application-attack; sid:2004439; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Keep-Alive"; flow:established,from_server; dsize:<100; content:"|7b 22 54 79 70 65 22 3a 22 53 65 73 73 69 6f 6e 49 44 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:50; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029219; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004234; classtype:web-application-attack; sid:2004234; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealRat Checkin"; flow:established,to_server; http.uri; content:"/d/"; startswith; fast_pattern; content:".jpg"; endswith; pcre:"/^\/d\/[a-z]+\d+\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"www.google.com"; bsize:14; classtype:command-and-control; sid:2017263; rev:4; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004235; classtype:web-application-attack; sid:2004235; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Woai.Dropper Config Request"; flow:established,to_server; http.uri; content:"/client/config.ini"; fast_pattern; http.user_agent; content:"MSIE"; content:"|3B 29|"; endswith; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:7; metadata:created_at 2014_02_10, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004236; classtype:web-application-attack; sid:2004236; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; http.uri; content:"2p/"; content:".exe"; fast_pattern; endswith; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:7; metadata:created_at 2014_02_27, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004237; classtype:web-application-attack; sid:2004237; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; http.uri; content:"/2p/"; depth:4; content:".exe"; endswith; fast_pattern; pcre:"/^\/2p\/[a-z]{1,2}\.exe$/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:5; metadata:created_at 2014_04_11, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004238; classtype:web-application-attack; sid:2004238; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/payment_gateway/"; startswith; content:".gz"; endswith; pcre:"/\/[a-z0-9]{3,}\.gz$/"; http.user_agent; content:"OperaMini"; depth:9; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:command-and-control; sid:2019824; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004239; classtype:web-application-attack; sid:2004239; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE rechnung zip file download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rechnung"; fast_pattern; nocase; content:".zip"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020622; rev:5; metadata:created_at 2015_03_05, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004240; classtype:web-application-attack; sid:2004240; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/mss"; fast_pattern; content:".exe"; endswith; pcre:"/\/mss\d+\.exe$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035043; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/html.php?"; nocase; content:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009690; classtype:web-application-attack; sid:2009690; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/ftp/grabftp"; fast_pattern; content:".bin"; endswith; pcre:"/^\/download\/ftp\/(?:grabftp|grabftp64)\.bin$/"; http.header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3B 20|x64)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:4; metadata:created_at 2015_06_23, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/html2.php?"; nocase; content:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009691; classtype:web-application-attack; sid:2009691; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedControle Communicating with CnC"; flow:established,to_server; content:"SE_ND_CO_NN_EC|23|"; depth:15; fast_pattern; content:"|23|"; within:20; content:"|23|"; endswith; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:command-and-control; sid:2026724; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010167; classtype:web-application-attack; sid:2010167; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 3"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; content:"Windows 98)"; fast_pattern; endswith; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; classtype:command-and-control; sid:2014234; rev:14; metadata:created_at 2012_02_17, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"FileName="; nocase; pcre:"/Filename\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010168; classtype:web-application-attack; sid:2010168; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; http.uri; content:"/image/"; depth:7; content:".exe"; endswith; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/i"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:6; metadata:created_at 2016_03_16, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010169; classtype:web-application-attack; sid:2010169; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ho"; content:"ping/mod_"; within:10; fast_pattern; content:"/"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:8; metadata:created_at 2014_11_20, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010170; classtype:web-application-attack; sid:2010170; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config"; fast_pattern; content:".jpg"; endswith; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/"; http.header; content:"Cache-Control|3a 20|no-cache"; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:8; metadata:created_at 2015_07_23, former_category TROJAN, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010171; classtype:web-application-attack; sid:2010171; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Intial Check-in"; flow:established,to_server; http.user_agent; content:"Windows NT 5.1|3b 20|ru|3b|"; content:"Gecko/20100722 Firefox/3.6.12"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2016748; rev:6; metadata:created_at 2013_04_10, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010172; classtype:web-application-attack; sid:2010172; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; depth:1; content:"/"; endswith; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025119; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010173; classtype:web-application-attack; sid:2010173; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/"; http.cookie; content:"=|3b 20|"; content:"=|3b 20|"; distance:0; content:"=|3b|"; endswith; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:command-and-control; sid:2025291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category MALWARE, malware_family elise, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"Dictionary="; nocase; pcre:"/Dictionary\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010174; classtype:web-application-attack; sid:2010174; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware Start Activity 1"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|Begin"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"Scoring="; nocase; pcre:"/Scoring\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010175; classtype:web-application-attack; sid:2010175; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|StartU"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aStartU$/"; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2026472; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"MessagePart="; nocase; pcre:"/MessagePart\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010176; classtype:web-application-attack; sid:2010176; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/"; depth:9; content:"/true/true/done"; fast_pattern; endswith; http.user_agent; content:"WinHttp.WinHttpRequest."; http.header_names; content:"Referer"; content:!"Cache"; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag VBS, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010177; classtype:web-application-attack; sid:2010177; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".microsoftonedrive.org"; nocase; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:command-and-control; sid:2026680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010178; classtype:web-application-attack; sid:2010178; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"outlooklive.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026704; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010179; classtype:web-application-attack; sid:2010179; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.toshiba.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010180; classtype:web-application-attack; sid:2010180; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.fujitsu.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID SELECT"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005227; classtype:web-application-attack; sid:2005227; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.asus.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UNION SELECT"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005228; classtype:web-application-attack; sid:2005228; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.miria.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026708; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID INSERT"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005229; classtype:web-application-attack; sid:2005229; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"cloudpallets32.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026709; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID DELETE"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005230; classtype:web-application-attack; sid:2005230; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"contents.bz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026710; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ASCII"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005231; classtype:web-application-attack; sid:2005231; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"usasecurefiles.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026711; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005232; classtype:web-application-attack; sid:2005232; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"freecloud.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026712; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order SELECT"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004140; classtype:web-application-attack; sid:2004140; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"alotile.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UNION SELECT"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004141; classtype:web-application-attack; sid:2004141; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"transef.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order INSERT"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004142; classtype:web-application-attack; sid:2004142; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"fundsxe.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order DELETE"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004143; classtype:web-application-attack; sid:2004143; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"document.cdn-one.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ASCII"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004144; classtype:web-application-attack; sid:2004144; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=begin"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004145; classtype:web-application-attack; sid:2004145; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucky Ransomware Reporting Successful File Encryption"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=done"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026727; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php SELECT"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004247; classtype:web-application-attack; sid:2004247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|0|0d|"; http.user_agent; content:"xmsSofts_1.0.0_"; depth:15; fast_pattern; content:"|5c|"; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026760; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UNION SELECT"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004248; classtype:web-application-attack; sid:2004248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"4D53473A213A"; content:"20457865637574656420417320"; distance:0; fast_pattern; content:"0D0A"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php INSERT"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004249; classtype:web-application-attack; sid:2004249; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"secure-message.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027222; rev:5; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php DELETE"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004250; classtype:web-application-attack; sid:2004250; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"internal-message.app"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027223; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php ASCII"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004251; classtype:web-application-attack; sid:2004251; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Screenshot to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=sc&i="; distance:0; fast_pattern; content:".png"; endswith; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004252; classtype:web-application-attack; sid:2004252; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|command|2f|"; depth:9; fast_pattern; content:".cmd"; endswith; pcre:"/^\/command\/[A-Fa-f0-9]{8}\-(?:[A-Fa-f0-9]{4}\-){3}[A-Fa-f0-9]{12}\.cmd$/"; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid SELECT"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004997; classtype:web-application-attack; sid:2004997; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK><COMMAND>"; distance:0; fast_pattern; content:"</COMMAND>"; endswith; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UNION SELECT"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004998; classtype:web-application-attack; sid:2004998; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/check"; depth:13; fast_pattern; endswith; http.request_body; content:"|7b 22 75 69 64 22 3a 22|"; depth:8; content:"|22 7d|"; endswith; pcre:"/^\{\x22uid\x22\x3a\x22[a-f0-9]+\x22\}$/si"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,a4eeec442799c56c3e1aa9761661fb42; reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; classtype:command-and-control; sid:2027802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family Eris, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid INSERT"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004999; classtype:web-application-attack; sid:2004999; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlitchPOS CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gate.php?ped="; fast_pattern; content:"&s=1"; endswith; http.header_names; content:!"Referer"; reference:md5,8cfa2adde150918062eb5d6af59d0e2a; classtype:command-and-control; sid:2027912; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid DELETE"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005000; classtype:web-application-attack; sid:2005000; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; dns.query; content:"asrgd-uz"; fast_pattern; depth:8; content:".weedns.com"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid ASCII"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005001; classtype:web-application-attack; sid:2005001; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; dns.query; content:"sx4-ws42"; fast_pattern; depth:8; content:".yi.org"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005002; classtype:web-application-attack; sid:2005002; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005280; classtype:web-application-attack; sid:2005280; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tflower Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&state=start"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,53c923d4e39b966ab951f9a3b9d090be; reference:url,www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/; classtype:command-and-control; sid:2028597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Tflower_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005281; classtype:web-application-attack; sid:2005281; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; depth:8; content:".min.js"; endswith; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|Accept"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"__cfduid="; depth:9; isdataat:!172,relative; pcre:"/^[A-Za-z0-9_-]{171}$/Rs"; reference:md5,8c9903db02a29847d04d0fd81dd67046; classtype:command-and-control; sid:2033658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005282; classtype:web-application-attack; sid:2005282; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/start?session="; depth:20; fast_pattern; content:"&imsi="; within:20; content:".exe"; endswith; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005283; classtype:web-application-attack; sid:2005283; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; content:"/final.html"; endswith; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:5; metadata:created_at 2013_12_17, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005284; classtype:web-application-attack; sid:2005284; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"Cookie|3a 20|A="; fast_pattern; http.method; content:"GET"; http.uri; content:"/"; offset:9; depth:1; content:".html"; nocase; endswith; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021275; rev:9; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005285; classtype:web-application-attack; sid:2005285; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:!"?"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; pcre:"/^[A-Za-z]{5,20}\x22\x3b\x20filename=\x22[A-Za-z]{5,20}\x22/R"; content:"|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; within:44; content:"|2d 2d 00 00 00 00 00 00 00 00 00 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; pcre:"/^\d{15}$/R"; http.content_len; byte_test:0,<,5000,0,string,dec; byte_test:0,>,4000,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}\/){1,10})\sHTTP\/1\.1\r\nReferer\x3a\x20http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:59; classtype:command-and-control; sid:2029380; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005286; classtype:web-application-attack; sid:2005286; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?&1001="; fast_pattern; content:"&req="; distance:1; within:5; content:"&"; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005287; classtype:web-application-attack; sid:2005287; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GanDownloader CnC Checkin"; flow:established,to_server; http.request_body; content:"|2f 00 00 00|"; depth:4; content:"_"; distance:6; content:"202020202020|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; fast_pattern; pcre:"/^\x2f\x00{3}[A-Z0-9]{6}_[a-f0-9]+\x00{16}$/s"; http.request_line; content:"POST / HTTP/1.1"; depth:15; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,8f0017ed89c2f6639cc2a08bc1e83f1e; classtype:command-and-control; sid:2026946; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005288; classtype:web-application-attack; sid:2005288; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server-Key|3a 20|"; pcre:"/[A-Za-z0-9]{62}/R"; file.data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; endswith; classtype:command-and-control; sid:2025458; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family SocStealer, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005289; classtype:web-application-attack; sid:2005289; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Youk$$"; fast_pattern; content:"Youk"; endswith; pcre:"/^(?:php)?Yuok\$\$\d\d/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:6; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005290; classtype:web-application-attack; sid:2005290; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Data$$"; fast_pattern; content:"Data"; endswith; pcre:"/Data\$\$\d\d/"; http.header_names; content:!"Content-Type"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:9; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005291; classtype:web-application-attack; sid:2005291; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot CnC Initial Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"/5/file/"; endswith; fast_pattern; http.user_agent; content:"curl/"; depth:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2033659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit SELECT"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006921; classtype:web-application-attack; sid:2006921; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; http.cookie; content:"E=P|3a|"; content:"=|3a|PFzM9cj"; endswith; fast_pattern; http.request_line; content:"GET|20|/preload?manifest=wac|20|HTTP/1.1"; bsize:34; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile; classtype:command-and-control; sid:2029743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UNION SELECT"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006922; classtype:web-application-attack; sid:2006922; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/ProtonBot CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"newtask|3b|"; depth:8; fast_pattern; content:"|3b|1|3b|http"; within:15; content:".exe"; endswith; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:command-and-control; sid:2027382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit INSERT"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006923; classtype:web-application-attack; sid:2006923; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; urilen:8; threshold: type limit, track by_dst, seconds 30, count 1; http.method; content:"POST"; http.uri; content:"/waiting"; fast_pattern; http.user_agent; content:"BC_Vic_"; depth:7; content:"BC_SPL"; endswith; http.header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:command-and-control; sid:2025370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Small, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit DELETE"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006924; classtype:web-application-attack; sid:2006924; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com"; dns.query; content:".appsync-api."; content:"avsvmcloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ASCII"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006925; classtype:web-application-attack; sid:2006925; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com"; flow:established,to_server; http.host; content:".appsync-api."; dotprefix; content:".avsvmcloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006926; classtype:web-application-attack; sid:2006926; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com)"; flow:established,to_client; tls.cert_subject; content:".appsync-api."; content:".avsvmcloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004403; classtype:web-application-attack; sid:2004403; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bestof/"; content:".exe"; within:20; endswith; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2184931b6412cc900837890a6c5685f6; classtype:trojan-activity; sid:2033044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004404; classtype:web-application-attack; sid:2004404; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Bing Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search/?q="; startswith; content:"&go=Search&qs=bs&form="; distance:0; fast_pattern; http.cookie; content:"DUP="; startswith; content:"&T="; distance:0; content:"&A="; distance:0; content:"&IG"; endswith; http.header_names; content:!"Referer"; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,18b0ca0508f92c5ac6e75b9865b77a51; classtype:trojan-activity; sid:2032354; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004405; classtype:web-application-attack; sid:2004405; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM Win32/VaporRage Loader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class-chll.php?session_info=60"; content:"5d"; distance:0; content:"&session="; distance:0; content:"&view_type=12"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4183.83 Safari/537.36"; bsize:102; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:trojan-activity; sid:2033057; rev:2; metadata:created_at 2021_06_01, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004406; classtype:web-application-attack; sid:2004406; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"content=S-400+RAT+%3a"; startswith; fast_pattern; content:"%0d%0ainformation"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004407; classtype:web-application-attack; sid:2004407; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC BOT Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 13 01 00 00 2d 42 4f 54|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004408; classtype:web-application-attack; sid:2004408; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ALEXANDR/"; fast_pattern; startswith; content:".rmvb"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,0fee6bb95bfbfeee768f742387d3ddce; reference:md5,81ada96074cbc01655fc3b9b570308cd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035117; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004654; classtype:web-application-attack; sid:2004654; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/clamp/"; fast_pattern; content:".cbl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fac3f024711fc5fd3e1d69b994b159bd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035118; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004655; classtype:web-application-attack; sid:2004655; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/globe/"; fast_pattern; content:".cam"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035131; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004656; classtype:web-application-attack; sid:2004656; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courageous/"; fast_pattern; content:".eft"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035132; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004657; classtype:web-application-attack; sid:2004657; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/endless/"; fast_pattern; content:".arj"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,2a0269cf18f2f1c055153408f85ab4c6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035167; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004658; classtype:web-application-attack; sid:2004658; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allocation/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,1579a5a8bdca4eda62315116e418b9d6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035168; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004659; classtype:web-application-attack; sid:2004659; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sour/"; fast_pattern; content:".kdp"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,bb1c8ad9f422a39ce6329e93dc060438; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035169; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005657; classtype:web-application-attack; sid:2005657; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pretend/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,ca9fa910806f5aafd33f0dd48fdc8415; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035170; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005658; classtype:web-application-attack; sid:2005658; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService Pong response"; id:1; content:"101|3b|0000|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030055; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005659; classtype:web-application-attack; sid:2005659; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService OSInfo response"; id:1; content:"100|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030056; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005660; classtype:web-application-attack; sid:2005660; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (theskoolieblog .com)"; dns.query; content:"theskoolieblog.com"; nocase; bsize:18; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035596; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005661; classtype:web-application-attack; sid:2005661; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (ernesttheskoolie .com)"; dns.query; content:"ernesttheskoolie.com"; nocase; bsize:20; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035597; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005662; classtype:web-application-attack; sid:2005662; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:C1:3B:57:1A:83:A5:B1:4A"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022099; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/st_newsletter/stnl_iframe.php"; nocase; content:"?newsletter="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,milw0rm.com/exploits/6777; reference:url,secunia.com/advisories/32336; reference:url,doc.emergingthreats.net/2008725; classtype:web-application-attack; sid:2008725; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F2:66:4A:29:E0:7E:C2:78"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022227; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/js/wptable-tinymce.php?"; nocase; content:"ABSPATH="; nocase; pcre:"/ABSPATH\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/56763; reference:url,doc.emergingthreats.net/2010473; classtype:web-application-attack; sid:2010473; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:E0:78:4E:9C:A4:AD:AB:24"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2022228; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/wp-content/plugins/nextgen-gallery/xml/media-rss.php"; nocase; content:"mode="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.coresecurity.com/content/nextgen-gallery-xss-vulnerability; reference:cve,2010-1186; reference:url,doc.emergingthreats.net/2011006; classtype:web-application-attack; sid:2011006; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F6:DA:A5:22:B2:8B:91:BE"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022232; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011044; classtype:web-application-attack; sid:2011044; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9D:A8:74:C5:50:98:DD:09"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022306; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011045; classtype:web-application-attack; sid:2011045; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_issuer; content:"AsyncRAT Server"; reference:md5,f69cadedae72d9d1a1d1578b56c39404; classtype:domain-c2; sid:2030673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011071; classtype:web-application-attack; sid:2011071; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_subject; content:"AsyncRAT Server"; nocase; classtype:domain-c2; sid:2035607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011046; classtype:web-application-attack; sid:2011046; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=g5wcesdfjzne7255.onion.to"; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:domain-c2; sid:2022953; rev:3; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2016_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag TROJAN_OSX_Keydnap, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011047; classtype:web-application-attack; sid:2011047; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fecommand.acm"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035605; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-cumulus/tagcloud.swf"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,doc.emergingthreats.net/2011107; classtype:web-application-attack; sid:2011107; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=infosec.jp"; fast_pattern; content:"CN=www.infosec.jp"; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022323; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004343; classtype:web-application-attack; sid:2004343; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zs_url.txt?dl=0"; endswith; fast_pattern; http.host; content:"dl.dropboxusercontent.com"; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004344; classtype:web-application-attack; sid:2004344; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SERVER SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"52:55:38:16:FB:0D:1A:8A:4B:45:04:CB:06:BC:C4:AF"; tls.cert_subject; content:"CN=SERVER"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016467; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004345; classtype:web-application-attack; sid:2004345; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern; content:"|0B 00|"; startswith; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018479; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004346; classtype:web-application-attack; sid:2004346; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"uid="; startswith; content:"&avtype="; distance:0; content:"&majorv="; fast_pattern; content:"&minorv="; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:command-and-control; sid:2035592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004347; classtype:web-application-attack; sid:2004347; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound)"; flow:established,to_client; dsize:<20; content:"|69 6e 66 32 6f 3d 63 6f 64 61 6e 64|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035598; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004348; classtype:web-application-attack; sid:2004348; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound)"; flow:established,to_client; dsize:<20; content:"|67 65 74 32 61 76 73 3d 61 76 70 72 6f|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035599; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005117; classtype:web-application-attack; sid:2005117; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound)"; flow:established,to_server; dsize:<120; content:"|69 6e 73 35 66 6f 3d 75 73 66 73 65 72 3b|"; fast_pattern; depth:20; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005118; classtype:web-application-attack; sid:2005118; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GhostWriter APT Related Cobalt Strike Domain (ao3 .hmgo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"ao3.hmgo.pw"; bsize:11; fast_pattern; reference:url,cert.gov.ua/article/38155; reference:url,twitter.com/netresec/status/1506990534547709972; reference:url,tria.ge/220324-p4dl5adghn; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:domain-c2; sid:2035601; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id INSERT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005119; classtype:web-application-attack; sid:2005119; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)"; dns.query; dotprefix; content:".hmgo.pw"; nocase; endswith; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; reference:url,tria.ge/220324-p4dl5adghn; classtype:domain-c2; sid:2035602; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id DELETE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005120; classtype:web-application-attack; sid:2005120; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/works"; endswith; http.header; content:"Accept|3a 20|application/json|0d 0a|Content-Type|3a 20|application/json|3b 20|charset=UTF-8|0d 0a|"; http.cookie; content:"_token"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:url,cert.gov.ua/article/38155; reference:url,tria.ge/220324-p4dl5adghn; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:trojan-activity; sid:2035603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id ASCII"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005121; classtype:web-application-attack; sid:2005121; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; tls.sni; content:"knowledgewiki.info"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005122; classtype:web-application-attack; sid:2005122; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; tls.cert_serial; content:"5f:31"; startswith; tls.cert_subject; content:"C=--"; startswith; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:targeted-activity; sid:2020974; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005123; classtype:web-application-attack; sid:2005123; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com)"; flow:established,to_server; tls.sni; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005124; classtype:web-application-attack; sid:2005124; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from INSERT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005125; classtype:web-application-attack; sid:2005125; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20| MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035617; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from DELETE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005126; classtype:web-application-attack; sid:2005126; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,a5bad2da096e9ebbb90845dbadec91fe; reference:md5,253cb5361e43bfb1931fa115336e7c16; reference:md5,dd6d09e0e565ea18b85a18af8e95eb75; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from ASCII"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005127; classtype:web-application-attack; sid:2005127; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,6f743e8fda2031db9907a8d6bd0a41a8; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005128; classtype:web-application-attack; sid:2005128; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup"; dns.query; content:"securmeawards.com"; nocase; bsize:17; reference:md5,0cd9c62063026d4199c941b5f644c5ce; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:domain-c2; sid:2035610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005129; classtype:web-application-attack; sid:2005129; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"2c:2f"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:targeted-activity; sid:2020972; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005130; classtype:web-application-attack; sid:2005130; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"09:a9"; fast_pattern; depth:5; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q INSERT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005131; classtype:web-application-attack; sid:2005131; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; tls.cert_serial; content:"03:5f"; depth:5; tls.cert_subject; content:"*.corp.utilitytelephone.com"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:targeted-activity; sid:2020970; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q DELETE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005132; classtype:web-application-attack; sid:2005132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"0f:0d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:targeted-activity; sid:2020969; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q ASCII"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005133; classtype:web-application-attack; sid:2005133; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"1b:3c"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:targeted-activity; sid:2020968; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005134; classtype:web-application-attack; sid:2005134; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"65:5d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:targeted-activity; sid:2020967; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/includes/function_core.php?"; nocase; content:"web_root="; nocase; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009926; classtype:web-application-attack; sid:2009926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"31:d5"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:targeted-activity; sid:2020966; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/templates/layout_lyrics.php?"; nocase; content:"web_root="; nocase; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009928; classtype:web-application-attack; sid:2009928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential-Hiloti/FakeAV site access"; flow:established,to_server; content:"?p=p52dcW"; http_uri; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:5; metadata:created_at 2010_10_06, former_category MALWARE, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/mini.php?"; nocase; content:"help_file="; nocase; reference:url,milw0rm.com/exploits/6592; reference:bugtraq,31460; reference:url,doc.emergingthreats.net/2009194; classtype:web-application-attack; sid:2009194; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=CN, ST=ST"; fast_pattern; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x06\x03\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XAMPP showcode.php TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/xampp/showcode.php?"; nocase; content:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:bugtraq,37997; reference:url,doc.emergingthreats.net/2011138; classtype:web-application-attack; sid:2011138; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M1 (L O)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XAMPP xamppsecurity.phpp TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/xampp/xamppsecurity.php?"; nocase; content:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:bugtraq,37997; reference:url,doc.emergingthreats.net/2011139; classtype:web-application-attack; sid:2011139; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M2 (L CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-BLC get_read.php section Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/get_read.php?"; nocase; content:"section="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8258; reference:bugtraq,34197; reference:url,doc.emergingthreats.net/2009738; classtype:web-application-attack; sid:2009738; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M3 (O CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004857; classtype:web-application-attack; sid:2004857; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; pcre:"/C=[A-Z]{2}\,/"; content:"ST="; distance:0; content:"L="; distance:0; content:"O="; distance:0; pcre:"/CN=[A-Z]/"; content:"OU="; distance:0; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_03, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UNION SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004858; classtype:web-application-attack; sid:2004858; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smoke/loader/uploads/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,bfbf171b4ebc5286c78d718e445c65fb; classtype:trojan-activity; sid:2035623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album INSERT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004859; classtype:web-application-attack; sid:2004859; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; fast_pattern; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:6; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album DELETE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004860; classtype:web-application-attack; sid:2004860; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.request_body; content:"symetric="; startswith; fast_pattern; content:"&unsyms="; distance:0; content:"&polls="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cbcc3485f4286098b3a111ceec8ce54; reference:md5,14a7002d7787ebc78d76479c73fc2856; classtype:trojan-activity; sid:2035624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album ASCII"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004861; classtype:web-application-attack; sid:2004861; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TransparentTribe APT Related Backdoor Activity"; flow:established,to_server; dsize:6; content:"|36 6e 46 74 24 31|"; fast_pattern; reference:md5,bc2ef641fc8d709f4c111937353c0ac2; reference:md5,b03e0568a5f26addc51c8a3e32baeb7f; reference:md5,9dadf9ce41994f869e8c35e1917b8238; classtype:trojan-activity; sid:2035625; rev:2; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004862; classtype:web-application-attack; sid:2004862; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|dll"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/activities/workflow-activities.php?"; nocase; content:"include_directory="; nocase; pcre:"/include_directory=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-3399; reference:url,milw0rm.com/exploits/6131; reference:url,xforce.iss.net/xforce/xfdb/43992; reference:url,doc.emergingthreats.net/2009870; classtype:web-application-attack; sid:2009870; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|lnk"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035622; rev:1; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id SELECT"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005378; classtype:web-application-attack; sid:2005378; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz)"; dns.query; content:"ntpserver.xyz"; fast_pattern; nocase; bsize:13; reference:md5,09c120d23f986040af202607db6157f0; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035626; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005379; classtype:web-application-attack; sid:2005379; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com)"; dns.query; content:"cxks8.com"; fast_pattern; nocase; bsize:9; reference:md5,99ee1e21a34b0536b120d4a6977fd252; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035627; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id INSERT"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005380; classtype:web-application-attack; sid:2005380; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"12:85"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021591; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id DELETE"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005381; classtype:web-application-attack; sid:2005381; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 2"; flow:established,from_server; tls.cert_subject; content:"www.visionresearch.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021419; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id ASCII"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005382; classtype:web-application-attack; sid:2005382; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 5"; flow:established,from_server; tls.cert_subject; content:"extranet.qualityplanning.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021422; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005383; classtype:web-application-attack; sid:2005383; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 6"; flow:established,from_server; tls.cert_subject; content:"edadmin.kearsney.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021423; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid SELECT"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005384; classtype:web-application-attack; sid:2005384; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 7"; flow:established, from_server; tls.cert_subject; content:"redbluffchamber.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021424; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UNION SELECT"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005385; classtype:web-application-attack; sid:2005385; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,to_client; tls.cert_subject; content:"Connectads.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid INSERT"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005386; classtype:web-application-attack; sid:2005386; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"3d:d6"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021420; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid DELETE"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005387; classtype:web-application-attack; sid:2005387; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Group SSL Certificate Detected"; flow:established,from_server; tls.cert_subject; content:"dns-verifon.com"; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:targeted-activity; sid:2025438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_26, deployment Perimeter, former_category TROJAN, malware_family Cobalt_Group, performance_impact Low, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid ASCII"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005388; classtype:web-application-attack; sid:2005388; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"swordoke.com"; bsize:12; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005389; classtype:web-application-attack; sid:2005389; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)"; dns.query; content:"swordoke.com"; fast_pattern; nocase; bsize:12; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035644; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006486; classtype:web-application-attack; sid:2006486; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net)"; dns.query; content:"dost.igov-service.net"; fast_pattern; nocase; bsize:21; reference:url,decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/; reference:md5,49e8853801554d9de4dd281828094c8a; classtype:domain-c2; sid:2035646; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006487; classtype:web-application-attack; sid:2006487; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote)"; dns.query; content:"wikipedia-book.vote"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; reference:md5,e98774bee4ed490089f6c63b6c676112; classtype:domain-c2; sid:2035652; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2022_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id INSERT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006488; classtype:web-application-attack; sid:2006488; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon User Agent Observed"; flow:established,to_server; http.user_agent; content:"VerbleConnectTM"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035659; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id DELETE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006489; classtype:web-application-attack; sid:2006489; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)"; flow:established,to_server; tls.sni; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id ASCII"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006490; classtype:web-application-attack; sid:2006490; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035663; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006491; classtype:web-application-attack; sid:2006491; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XOOPS Makale Module id SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/makale.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,secunia.com/advisories/32347/; reference:url,www.milw0rm.com/exploits/6795; reference:url,doc.emergingthreats.net/2008688; classtype:web-application-attack; sid:2008688; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)"; flow:established,to_server; tls.sni; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035667; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/qas/aviso.php?"; nocase; content:"codigo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/9249; reference:url,xforce.iss.net/xforce/xfdb/51985; reference:url,doc.emergingthreats.net/2010121; classtype:web-application-attack; sid:2010121; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Retrieving Task (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"R0VUVEFTSyUlJQ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035642; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dictionary/detail.php?"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt; reference:url,doc.emergingthreats.net/2010607; classtype:web-application-attack; sid:2010607; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Sending Task Status (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"UFVUVEFTSyUlJ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035643; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news SELECT"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006213; classtype:web-application-attack; sid:2006213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"SU5JVCUl"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035641; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UNION SELECT"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006214; classtype:web-application-attack; sid:2006214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; content:!"microsoft.com|03|"; classtype:trojan-activity; sid:2029995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news INSERT"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006215; classtype:web-application-attack; sid:2006215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)"; dns.query; content:"eterprx.net"; nocase; bsize:11; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035683; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news DELETE"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006216; classtype:web-application-attack; sid:2006216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)"; dns.query; content:"eternitypr.net"; nocase; bsize:14; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035684; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news ASCII"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006217; classtype:web-application-attack; sid:2006217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eternitypr.net"; bsize:14; fast_pattern; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035685; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006218; classtype:web-application-attack; sid:2006218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eterprx.net"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; reference:md5,21ccad42f936524b311a8bc102b16752; classtype:domain-c2; sid:2035686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder SELECT"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005609; classtype:web-application-attack; sid:2005609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eternity Stealer Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/accounts HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"growid="; startswith; content:"&password="; distance:0; content:"&stub_token="; distance:0; content:"&mac="; distance:0; content:"&token="; distance:0; content:"&creds="; distance:0; content:"&pcname="; distance:0; content:"&scrurl="; distance:0; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:trojan-activity; sid:2035687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UNION SELECT"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005610; classtype:web-application-attack; sid:2005610; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX/Talisman Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"MCookie|3a 20|"; fast_pattern; pcre:"/^[0-9]-[0-9]-[0-9]{5}-[0-9]\r\n/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ecab63b6de18073453310a9c4551074b; reference:url,www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html; classtype:trojan-activity; sid:2035689; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder INSERT"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005611; classtype:web-application-attack; sid:2005611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lightning Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|LogChromes|22 3a|"; content:"|22|LogGecko|22 3a|"; content:"|22|Screen|22 3a 7b|"; fast_pattern; content:"|22|Width|22 3a 22|"; distance:0; content:"|22|ScreenshotBase64|22 3a 22|"; distance:0; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:trojan-activity; sid:2035679; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Stealer, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder DELETE"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005612; classtype:web-application-attack; sid:2005612; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"panelss.xyz"; bsize:11; fast_pattern; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:domain-c2; sid:2035680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ASCII"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005613; classtype:web-application-attack; sid:2005613; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MustangPanda APT Dropper Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:46; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:">"; offset:8; content:">"; distance:1; within:1; content:">"; distance:7; within:1; content:"|2e|exe|5c|"; distance:0; fast_pattern; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:url,twitter.com/StillAzureH/status/1505823479945625604; classtype:trojan-activity; sid:2035682; rev:2; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005614; classtype:web-application-attack; sid:2005614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Killav.CM CnC Response"; flow:to_client,established; dsize:11; content:"|09 01 00 00 00 00 0b 00 00 00 00|"; startswith; fast_pattern; classtype:trojan-activity; sid:2035693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/update_trailer.php?"; nocase; content:"context[path_to_root]="; nocase; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009191; classtype:web-application-attack; sid:2009191; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Killav.CM Checkin M2"; dsize:<50; flow:to_server,established; content:"|04 00 00 00 00|"; startswith; content:"|00 00 7E 00 00 00 7E 00|"; distance:0; fast_pattern; content:"|00 00|"; endswith; classtype:trojan-activity; sid:2035694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/last_gallery.php?"; nocase; content:"YAPIG_PATH="; nocase; pcre:"/YAPIG_PATH=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/11708; reference:url,doc.emergingthreats.net/2011098; classtype:web-application-attack; sid:2011098; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"mozilla_horizon"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,62d52076d41ab6e429a976d48173f29d; classtype:trojan-activity; sid:2035703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/class_yapbbcooker.php?"; nocase; content:"cfgIncludeDirectory="; nocase; pcre:"/cfgIncludeDirectory=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30686; reference:url,doc.emergingthreats.net/2009316; classtype:web-application-attack; sid:2009316; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda CnC Check-In"; flow:established,to_server; content:"CGKU"; fast_pattern; offset:16; depth:4; content:"MB|00 00|"; distance:128; within:4; content:"Win|20|"; distance:24; within:4; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/autoresponderhosting/tr.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6938; reference:url,doc.emergingthreats.net/2008817; classtype:web-application-attack; sid:2008817; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.response_body; content:"Get-WMIObject"; startswith; content:"|24|miner_url"; distance:0; fast_pattern; content:"|24|miner_name"; distance:0; content:"|24|miner_cfg_url"; content:"|24|miner_cfg_path"; distance:0; reference:md5,6447bc87415b35532d9c8237a376ba70; classtype:trojan-activity; sid:2035695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_04_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Reminder Service tr.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reminderservice/tr.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6943; reference:url,doc.emergingthreats.net/2008818; classtype:web-application-attack; sid:2008818; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/classifiedsblaster/tr.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6944; reference:url,doc.emergingthreats.net/2008819; classtype:web-application-attack; sid:2008819; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI"; flow:established,to_server; tls.sni; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/cuenta/cuerpo.php?"; nocase; content:"base_archivo="; nocase; reference:url,milw0rm.com/exploits/6117; reference:bugtraq,30345; reference:url,secunia.com/advisories/31161; reference:url,doc.emergingthreats.net/2009393; classtype:web-application-attack; sid:2009393; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI"; flow:established,to_server; tls.sni; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035713; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/locales.php?"; nocase; content:"next="; nocase; content:"srclang="; nocase; reference:url,secunia.com/advisories/34091/; reference:url,milw0rm.com/exploits/8140; reference:bugtraq,33965; reference:url,doc.emergingthreats.net/2009329; classtype:web-application-attack; sid:2009329; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI"; flow:established,to_server; tls.sni; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS zeeproperty adid Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bannerclick.php?adid="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32333/; reference:url,milw0rm.com/exploits/6780; reference:url,doc.emergingthreats.net/2008686; classtype:web-application-attack; sid:2008686; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackGuard_v2 Data Exfiltration Observed"; flow:established,to_server; content:"POST"; content:"?user="; content:"&hwid="; distance:0; content:"&antivirus="; distance:0; content:"&os=Windows"; distance:0; content:"&passCount="; distance:0; content:"&coockieCount="; distance:0; fast_pattern; content:"&walletCount="; distance:0; content:"&telegramCount="; distance:0; content:"&vpnCount="; distance:0; content:"&ftpCount="; distance:0; content:"&country="; content:"multipart/form-data|3b 20|boundary="; distance:0; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; http.uri; content:"/zport/dmd/ZenUsers/admin"; nocase; content:"defaultAdminLevel"; nocase; content:"manage_editUserSettings"; nocase; content:"method=Save"; nocase; content:"password="; nocase; content:"zenScreenName=editUserSettings"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010761; classtype:web-application-attack; sid:2010761; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /async/newtab_ogb HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-Dest|0d 0a|"; content:!"Referer|0d 0a|"; http.cookie; content:"1P_JAR="; startswith; content:"NID="; distance:6; within:4; pcre:"/^[A-Za-z0-9\/_\-\+]{171}=$/R"; reference:md5,e98774bee4ed490089f6c63b6c676112; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:trojan-activity; sid:2035653; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; http.uri; content:"/zport/dmd/userCommands/ping"; nocase; content:"commandId=ping"; nocase; content:"manage_editUserCommand"; nocase; content:"ScreenName=userCommandDetail"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010763; classtype:web-application-attack; sid:2010763; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".modestoobgyn.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id SELECT"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004803; classtype:web-application-attack; sid:2004803; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".chyprediction.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004804; classtype:web-application-attack; sid:2004804; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".againcome.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id INSERT"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004805; classtype:web-application-attack; sid:2004805; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".myshortbio.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id DELETE"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004806; classtype:web-application-attack; sid:2004806; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".bestsecure2020.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ASCII"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004807; classtype:web-application-attack; sid:2004807; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".findoutcredit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004808; classtype:web-application-attack; sid:2004808; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".estetictrance.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005192; classtype:web-application-attack; sid:2005192; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".internethabit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005193; classtype:web-application-attack; sid:2005193; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (Query)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"UVVFUlk="; bsize:8; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035729; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id INSERT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005194; classtype:web-application-attack; sid:2005194; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (INIT)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"SU5JVA=="; depth:8; fast_pattern; content:"TWljcm9zb2Z0IFdpbmRvd3M"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id DELETE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005195; classtype:web-application-attack; sid:2005195; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".incongruousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ASCII"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005196; classtype:web-application-attack; sid:2005196; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".fashionableeder.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005197; classtype:web-application-attack; sid:2005197; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".electroncador.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005198; classtype:web-application-attack; sid:2005198; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".spontaneousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005199; classtype:web-application-attack; sid:2005199; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LOADOUT CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:6.0) Gecko/20110101 Firefox/69.0"; http.header_names; content:"|0d 0a|content-type|0d 0a|"; content:"|0d 0a|user-agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"yoyo="; depth:5; fast_pattern; reference:md5,4d56a1ca28d9427c440ec41b4969caa2; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass INSERT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005200; classtype:web-application-attack; sid:2005200; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035748; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass DELETE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005201; classtype:web-application-attack; sid:2005201; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035749; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ASCII"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005202; classtype:web-application-attack; sid:2005202; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jsessid=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035692; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005203; classtype:web-application-attack; sid:2005203; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jcookie=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035766; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005204; classtype:web-application-attack; sid:2005204; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.USB Variant CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|2e d4 d6 19 57 d4 85 ba 0e 9d e5 56 fa 72 db af e5 17 e8 3e 3b 21 b7 26 fc 59 03 db d2 36 32 bb c3 c4 ab 7b 66 74 c4 68 ac 23 5b a3 fc e7 82 6a|"; offset:7; depth:48; reference:md5,c911d93b90bdef05be681a3b31c81679; reference:url,twitter.com/0xrb/status/1509396448387153920; classtype:trojan-activity; sid:2035752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005205; classtype:web-application-attack; sid:2005205; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.content_type; content:"text/plain"; startswith; http.response_body; content:"Remove known miners by known process names"; content:"Write-Output|20 22|Miner Running|22|"; fast_pattern; reference:md5,6ae2d7ab6701bd9b46efe7f5d52b2c46; classtype:trojan-activity; sid:2035753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass INSERT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005206; classtype:web-application-attack; sid:2005206; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=thechinastyle.com"; bsize:20; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass DELETE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005207; classtype:web-application-attack; sid:2005207; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=divorceradio.com"; bsize:19; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ASCII"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005208; classtype:web-application-attack; sid:2005208; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=physiciansofficenews.com"; bsize:27; fast_pattern; reference:md5,3985b60c6aba7cb38998e3f898fba79a; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035756; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005209; classtype:web-application-attack; sid:2005209; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android Infostealer CnC Check-In"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?"; fast_pattern; startswith; content:"model="; content:"EIO="; content:"id="; content:"transport="; content:"release="; content:"manf="; reference:url,lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/; reference:md5,4f5617ec4668e3406f9bd82dfcf6df6b; classtype:command-and-control; sid:2035770; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005210; classtype:web-application-attack; sid:2005210; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035772; rev:1; metadata:created_at 2022_04_06, former_category MALWARE, updated_at 2022_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005211; classtype:web-application-attack; sid:2005211; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT28/Sednit SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=ngefqevwe"; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023423; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id INSERT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005212; classtype:web-application-attack; sid:2005212; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.hona-alrabe3.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035863; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id DELETE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005213; classtype:web-application-attack; sid:2005213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org)"; dns.query; dotprefix; content:".enerflex.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ASCII"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005214; classtype:web-application-attack; sid:2005214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com)"; dns.query; dotprefix; content:".supportskype.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005215; classtype:web-application-attack; sid:2005215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co)"; dns.query; dotprefix; content:".alharbitelecom.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005979; classtype:web-application-attack; sid:2005979; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co)"; dns.query; dotprefix; content:".cortanaupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005980; classtype:web-application-attack; sid:2005980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com)"; dns.query; dotprefix; content:".cortanaservice.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035808; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005981; classtype:web-application-attack; sid:2005981; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co)"; dns.query; dotprefix; content:".cloudgoogle.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005982; classtype:web-application-attack; sid:2005982; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me)"; dns.query; dotprefix; content:".onedrivelive.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035810; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005983; classtype:web-application-attack; sid:2005983; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com)"; dns.query; dotprefix; content:".edge-cloudservices.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005984; classtype:web-application-attack; sid:2005984; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com)"; dns.query; dotprefix; content:".online-audible.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/artmedic_print.php?"; nocase; content:"date="; nocase; reference:url,secunia.com/advisories/28927/; reference:url,milw0rm.com/exploits/5116; reference:url,doc.emergingthreats.net/2009661; classtype:web-application-attack; sid:2009661; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net)"; dns.query; dotprefix; content:".updatedefender.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view_messages.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010771; classtype:web-application-attack; sid:2010771; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org)"; dns.query; dotprefix; content:".sparrowsgroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view_blog_comments.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010772; classtype:web-application-attack; sid:2010772; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com)"; dns.query; dotprefix; content:".helpdesk-product.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view_blog_archives.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010773; classtype:web-application-attack; sid:2010773; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net)"; dns.query; dotprefix; content:".defenderupdate.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/add_comments.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010774; classtype:web-application-attack; sid:2010774; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net)"; dns.query; dotprefix; content:".enerflex.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/downloads.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010775; classtype:web-application-attack; sid:2010775; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me)"; dns.query; dotprefix; content:".linkedinz.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/emailsender.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010776; classtype:web-application-attack; sid:2010776; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co)"; dns.query; dotprefix; content:".khaleejtimes.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/left_menu.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010777; classtype:web-application-attack; sid:2010777; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info)"; dns.query; dotprefix; content:".microsoftdefender.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php SELECT"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005324; classtype:web-application-attack; sid:2005324; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live)"; dns.query; dotprefix; content:".outlookde.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UNION SELECT"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005325; classtype:web-application-attack; sid:2005325; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)"; dns.query; dotprefix; content:".lukoil.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php INSERT"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005326; classtype:web-application-attack; sid:2005326; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com)"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php DELETE"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005327; classtype:web-application-attack; sid:2005327; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live)"; dns.query; dotprefix; content:".online-chess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php ASCII"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005328; classtype:web-application-attack; sid:2005328; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org)"; dns.query; dotprefix; content:".exprogroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005329; classtype:web-application-attack; sid:2005329; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (saipem .org)"; dns.query; dotprefix; content:".saipem.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bcoos adresses module viewcat.php cid Parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/adresses/viewcat.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32870/; reference:url,milw0rm.com/exploits/7317; reference:url,doc.emergingthreats.net/2008929; classtype:web-application-attack; sid:2008929; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com)"; dns.query; dotprefix; content:".mastergatevpn.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/arch.php?"; nocase; content:"arch="; nocase; reference:url,milw0rm.com/exploits/8680; reference:bugtraq,34968; reference:url,secunia.com/advisories/35059/; reference:url,doc.emergingthreats.net/2009790; classtype:web-application-attack; sid:2009790; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com)"; dns.query; dotprefix; content:".sauditourismguide.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk SELECT"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005766; classtype:web-application-attack; sid:2005766; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com)"; dns.query; dotprefix; content:".listen-books.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035829; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UNION SELECT"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005767; classtype:web-application-attack; sid:2005767; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co)"; dns.query; dotprefix; content:".updateservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk INSERT"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005768; classtype:web-application-attack; sid:2005768; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co)"; dns.query; dotprefix; content:".microsoftcdn.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk DELETE"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005769; classtype:web-application-attack; sid:2005769; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me)"; dns.query; dotprefix; content:".office-shop.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk ASCII"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005770; classtype:web-application-attack; sid:2005770; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com)"; dns.query; dotprefix; content:".sharepointnotify.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035833; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005771; classtype:web-application-attack; sid:2005771; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in)"; dns.query; dotprefix; content:".globaltalent.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/frontend/x3/files/fileop.html?"; nocase; content:"fileop="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,37394; reference:url,vupen.com/english/advisories/2009/3608; reference:url,doc.emergingthreats.net/2011115; classtype:web-application-attack; sid:2011115; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com)"; dns.query; dotprefix; content:".savemoneytrick.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cfagcms right.php title Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/right.php"; nocase; content:"title="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483; reference:url,doc.emergingthreats.net/2009045; classtype:web-application-attack; sid:2009045; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vidar Stealer CnC Domain in DNS Lookup"; dns.query; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006171; classtype:web-application-attack; sid:2006171; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info)"; dns.query; dotprefix; content:".microsoftedgesh.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UNION SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006172; classtype:web-application-attack; sid:2006172; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com)"; dns.query; dotprefix; content:".outlookdelivery.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035837; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse INSERT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006173; classtype:web-application-attack; sid:2006173; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com)"; dns.query; dotprefix; content:".remgrogroup.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035838; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse DELETE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006174; classtype:web-application-attack; sid:2006174; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net)"; dns.query; dotprefix; content:".onedriveupdate.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035839; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ASCII"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006175; classtype:web-application-attack; sid:2006175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI"; flow:established,to_server; tls.sni; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035873; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006176; classtype:web-application-attack; sid:2006176; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net)"; dns.query; dotprefix; content:".getadobe.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006177; classtype:web-application-attack; sid:2006177; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co)"; dns.query; dotprefix; content:".googleservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UNION SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006178; classtype:web-application-attack; sid:2006178; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org)"; dns.query; dotprefix; content:".librarycollection.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas INSERT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006179; classtype:web-application-attack; sid:2006179; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (freechess .live)"; dns.query; dotprefix; content:".freechess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas DELETE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006180; classtype:web-application-attack; sid:2006180; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org)"; dns.query; dotprefix; content:".elecresearch.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035844; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ASCII"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006181; classtype:web-application-attack; sid:2006181; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com)"; dns.query; dotprefix; content:".applytalents.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006182; classtype:web-application-attack; sid:2006182; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net)"; dns.query; dotprefix; content:".updateddns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_if_nexus&"; nocase; content:"controller="; nocase; pcre:"/controller\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10754; reference:url,doc.emergingthreats.net/2010847; classtype:web-application-attack; sid:2010847; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com)"; dns.query; dotprefix; content:".mideasthiring.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category SELECT"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004053; classtype:web-application-attack; sid:2004053; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online)"; dns.query; dotprefix; content:".appslocallogin.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UNION SELECT"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004054; classtype:web-application-attack; sid:2004054; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com)"; dns.query; dotprefix; content:".apply-jobs.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category INSERT"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004055; classtype:web-application-attack; sid:2004055; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online)"; dns.query; dotprefix; content:".funnychess.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035850; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category DELETE"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004056; classtype:web-application-attack; sid:2004056; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org)"; dns.query; dotprefix; content:".talent-recruitment.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category ASCII"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004057; classtype:web-application-attack; sid:2004057; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co)"; dns.query; dotprefix; content:".googleupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004058; classtype:web-application-attack; sid:2004058; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net)"; dns.query; dotprefix; content:".updatedns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer SELECT"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004101; classtype:web-application-attack; sid:2004101; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net)"; dns.query; dotprefix; content:".thefreemovies.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UNION SELECT"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004102; classtype:web-application-attack; sid:2004102; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net)"; dns.query; dotprefix; content:".talktalky.azurewebsites.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer INSERT"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004103; classtype:web-application-attack; sid:2004103; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com)"; dns.query; dotprefix; content:".etisalatonline.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035856; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer DELETE"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004104; classtype:web-application-attack; sid:2004104; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net)"; dns.query; dotprefix; content:".getadobe.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ASCII"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004105; classtype:web-application-attack; sid:2004105; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".host.skybad.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004106; classtype:web-application-attack; sid:2004106; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".s2.yk.hyi8mc.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/_functions.php?"; nocase; content:"GLOBALS[prefix]="; nocase; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009875; classtype:web-application-attack; sid:2009875; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Farfli.CUY CnC Server Response"; flow:established,to_client; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 11|"; dsize:16; startswith; fast_pattern; stream_size:server,=,17; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:command-and-control; sid:2035879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005033; classtype:web-application-attack; sid:2005033; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M2"; flow:established,to_server; content:"|68 78 20 cf 01 00 00 c0 01 00 00 01 00 00 00 cb|"; startswith; fast_pattern; stream_size:client,>,200; reference:md5,87100cb600d876bd022a4d93ce6305a0; classtype:command-and-control; sid:2035880; rev:2; metadata:created_at 2022_04_08, updated_at 2022_04_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005034; classtype:web-application-attack; sid:2005034; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c|mega http|2d|equiv|3d|"; fast_pattern; content:"|3c 2f|head|3e 3c|body|3e|"; within:200; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018244; rev:5; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005035; classtype:web-application-attack; sid:2005035; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/resolve?name=gw.denonia.xyz&type=A"; bsize:35; endswith; fast_pattern; http.host; content:"dns.google.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035891; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005036; classtype:web-application-attack; sid:2005036; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns-query?name=gw.denonia.xyz&type=A"; bsize:37; endswith; fast_pattern; http.host; content:"cloudflare-dns.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035886; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005037; classtype:web-application-attack; sid:2005037; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ACMS/"; pcre:"/[a-zA-Z0-9]{8}\//UR"; content:"blockchainTemplate"; fast_pattern; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035902; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005038; classtype:web-application-attack; sid:2005038; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain"; dns.query; dotprefix; content:".naveicoip"; pcre:"/^[a-z]\.(?:tech|online)$/R"; reference:md5,ecd47e596048ad1af9973a21af303465; reference:url,twitter.com/jaydinbas/status/1506987283630768138; classtype:trojan-activity; sid:2035604; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006615; classtype:web-application-attack; sid:2006615; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co)"; dns.query; dotprefix; content:".securetunnel.co"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UNION SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006616; classtype:web-application-attack; sid:2006616; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xghk.exe"; bsize:9; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc INSERT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006617; classtype:web-application-attack; sid:2006617; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snatch Ransomware Checkin (POST)"; flow:established,to_server; http.request_line; content:"POST /news HTTP/1.1"; fast_pattern; http.request_body; content:"|22|pid|22 3a|"; content:"|22|host|22 3a|"; distance:0; content:"|22|type|22 3a|"; distance:0; content:"|22|username|22 3a|"; distance:0; reference:md5,5a9ae5f51c41f2de4f3eca94ddb4ccfd; classtype:trojan-activity; sid:2035898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc DELETE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006618; classtype:web-application-attack; sid:2006618; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net)"; dns.query; content:"mail.igov-service.net"; nocase; bsize:21; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035914; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc ASCII"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006619; classtype:web-application-attack; sid:2006619; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"Version=defaultSession-Id="; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9-_]{171}$/R"; http.user_agent; content:!"Android"; content:!"Linux"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:trojan-activity; sid:2035915; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006620; classtype:web-application-attack; sid:2006620; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail.igov-service.net"; bsize:21; fast_pattern; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035916; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006621; classtype:web-application-attack; sid:2006621; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz)"; dns.query; content:"ebook.port25.biz"; nocase; bsize:16; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,bb505ef946a80d9d0ff64923a6ca79d9; classtype:domain-c2; sid:2035912; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UNION SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006622; classtype:web-application-attack; sid:2006622; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com)"; dns.query; content:"mert.my03.com"; nocase; bsize:13; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,acd062593f70c00e310c47a3e7873df4; classtype:domain-c2; sid:2035913; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut INSERT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006623; classtype:web-application-attack; sid:2006623; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ACMS/"; fast_pattern; content:"?"; distance:16; within:10; pcre:"/[a-z0-9]{8}\/.*\?[a-z0-9]{3,10}=[a-z0-9]{8,11}$/Ui"; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035901; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut DELETE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006624; classtype:web-application-attack; sid:2006624; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com)"; dns.query; dotprefix; content:".showsvc.com"; nocase; endswith; classtype:trojan-activity; sid:2035918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut ASCII"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006625; classtype:web-application-attack; sid:2006625; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com)"; dns.query; dotprefix; content:".wicommerece.com"; nocase; endswith; classtype:trojan-activity; sid:2035919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006626; classtype:web-application-attack; sid:2006626; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com)"; dns.query; dotprefix; content:".upservicemc.com"; nocase; endswith; classtype:trojan-activity; sid:2035920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 resetcore.php SQL Injection attempt"; flow:to_server,established; http.uri; content:"/resetcore.php?"; nocase; pcre:"/a_name='/i"; reference:bugtraq,15125; reference:url,doc.emergingthreats.net/2002663; classtype:web-application-attack; sid:2002663; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com)"; dns.query; dotprefix; content:".netpixelds.com"; nocase; endswith; classtype:trojan-activity; sid:2035921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 BLOG Engine macgurublog.php uid Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/macgurublog.php?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,29344; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008788; classtype:web-application-attack; sid:2008788; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com)"; dns.query; dotprefix; content:".allmyad.com"; nocase; endswith; classtype:trojan-activity; sid:2035922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lyrics_song.php?"; nocase; content:"l_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32477/; reference:url,milw0rm.com/exploits/6885; reference:url,doc.emergingthreats.net/2008813; classtype:web-application-attack; sid:2008813; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com)"; dns.query; dotprefix; content:".ananoka.com"; nocase; endswith; classtype:trojan-activity; sid:2035923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/123flashchat.php?"; nocase; content:"e107path="; nocase; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009436; classtype:web-application-attack; sid:2009436; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com)"; dns.query; dotprefix; content:".gvgnci.com"; nocase; endswith; classtype:trojan-activity; sid:2035924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eFiction toplists.php list Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/toplists.php?"; nocase; content:"list="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/30606/; reference:url,milw0rm.com/exploits/5785; reference:url,doc.emergingthreats.net/2009227; classtype:web-application-attack; sid:2009227; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com)"; dns.query; dotprefix; content:".msfbckupsc.com"; nocase; endswith; classtype:trojan-activity; sid:2035925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/libraries/database.php?"; nocase; content:"="; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36411/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009932; classtype:web-application-attack; sid:2009932; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com)"; dns.query; dotprefix; content:".polanicia.com"; nocase; endswith; classtype:trojan-activity; sid:2035926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005925; classtype:web-application-attack; sid:2005925; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org)"; dns.query; dotprefix; content:".informaxima.org"; nocase; endswith; classtype:trojan-activity; sid:2035927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UNION SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005926; classtype:web-application-attack; sid:2005926; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com)"; dns.query; dotprefix; content:".worldchangeos.com"; nocase; endswith; classtype:trojan-activity; sid:2035928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did INSERT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005927; classtype:web-application-attack; sid:2005927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com)"; dns.query; dotprefix; content:".liongracem.com"; nocase; endswith; classtype:trojan-activity; sid:2035929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did DELETE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005928; classtype:web-application-attack; sid:2005928; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com)"; dns.query; dotprefix; content:".jmarrycs.com"; nocase; endswith; classtype:trojan-activity; sid:2035930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did ASCII"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005929; classtype:web-application-attack; sid:2005929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com)"; dns.query; dotprefix; content:".am-reader.com"; nocase; endswith; classtype:trojan-activity; sid:2035931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005930; classtype:web-application-attack; sid:2005930; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"@"; content:".php"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.request_body; content:".exe|25|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9d7e0af85fd918dd5daf1b50bf649f6; reference:md5,68d73d596a7103e517967f7f4e22cecb; reference:url,blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html; classtype:trojan-activity; sid:2035917; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005931; classtype:web-application-attack; sid:2005931; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=error"; fast_pattern; content:"Sand="; content:"Data="; content:"Em="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005932; classtype:web-application-attack; sid:2005932; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=fail"; fast_pattern; content:"Sand="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid INSERT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005933; classtype:web-application-attack; sid:2005933; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".webm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,af944c93405d60adc350f94e24a3d5a1; reference:url,twitter.com/souiten/status/1511552820863852544; classtype:trojan-activity; sid:2036210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid DELETE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005934; classtype:web-application-attack; sid:2005934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Cache=error&Sand="; startswith; fast_pattern; content:"&Data="; distance:0; content:"&Em="; distance:50; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:url,asec.ahnlab.com/ko/33141/; classtype:trojan-activity; sid:2036211; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid ASCII"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005935; classtype:web-application-attack; sid:2005935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNominatus Ransomware Related Domain in DNS Lookup"; dns.query; content:"i-love-evilnominatuscrypt.000webhostapp.com"; nocase; bsize:43; reference:url,www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf; classtype:domain-c2; sid:2036212; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005936; classtype:web-application-attack; sid:2005936; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/seized.xml"; endswith; fast_pattern; http.user_agent; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:".ru"; endswith; reference:md5,d6fe6243a9b4293db6384f22524ff709; reference:url,cert.gov.ua/article/39386; classtype:trojan-activity; sid:2036213; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion"; flow:to_server,established; content:"../"; http.uri; content:"/index_inc.php?"; nocase; content:"inc_ordner="; nocase; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009224; classtype:web-application-attack; sid:2009224; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"details="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/3rdparty/adminpart/add3rdparty.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008849; classtype:web-application-attack; sid:2008849; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Requesting Commands"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; http.request_body; content:"news="; content:"&request_for_read="; fast_pattern; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/polling/adminpart/addpolling.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008850; classtype:web-application-attack; sid:2008850; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Submitting Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"answer="; content:"&cid="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/contact/adminpart/addcontact.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008851; classtype:web-application-attack; sid:2008851; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon.ico"; endswith; http.host; content:"military-ukraine."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c0d3a0ab9b47ab9bc81cf5d831053431; reference:md5,7b20e3ac2a4ebf507f6c8358245d5db5; classtype:trojan-activity; sid:2036214; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/brandnews/adminpart/addbrandnews.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008852; classtype:web-application-attack; sid:2008852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supership .dynv6 .net)"; dns.query; content:"supership.dynv6.net"; nocase; bsize:19; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/newsletter/adminpart/addnewsletter.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008853; classtype:web-application-attack; sid:2008853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me)"; dns.query; content:"greatsong.soundcast.me"; nocase; bsize:22; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/game/adminpart/addgame.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008854; classtype:web-application-attack; sid:2008854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supermarket .ownip .net)"; dns.query; content:"supermarket.ownip.net"; nocase; bsize:21; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/tour/adminpart/addtour.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008855; classtype:web-application-attack; sid:2008855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fodcha Bot CnC Client Heartbeat"; flow:established,to_client; dsize:5; content:"|69 00 00 96 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035940; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/articles/adminpart/addarticles.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008856; classtype:web-application-attack; sid:2008856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Heartbeat Response"; flow:established,to_server; dsize:5; content:"|70 00 00 8f ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035941; rev:2; metadata:created_at 2022_04_13, former_category MALWARE, malware_family Fodcha, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/product/adminpart/addproduct.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008857; classtype:web-application-attack; sid:2008857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"fridgexperts.cc"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035943; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/plain/adminpart/addplain.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008858; classtype:web-application-attack; sid:2008858; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Connectivity Check"; flow:established,to_server; http.method; http.request_line; content:"POST /GO/"; fast_pattern; content:".php"; endswith; http.accept_enc; bsize:1; content:"*"; http.content_len; bsize:1; content:"0"; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:command-and-control; sid:2035957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/e-pay/src/a_affil.php?"; nocase; content:"_REQUEST[read]="; nocase; pcre:"/_REQUEST\[read\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10697; reference:url,doc.emergingthreats.net/2010661; classtype:web-application-attack; sid:2010661; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live)"; dns.query; content:"bnt2.live"; nocase; bsize:9; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036231; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which SELECT"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007374; classtype:web-application-attack; sid:2007374; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io)"; dns.query; content:"signin.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036232; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UNION SELECT"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007375; classtype:web-application-attack; sid:2007375; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io)"; dns.query; content:"archery.dedyn.io"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036233; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which INSERT"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007376; classtype:web-application-attack; sid:2007376; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me)"; dns.query; content:"market.vinam.me"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036234; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which DELETE"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007377; classtype:web-application-attack; sid:2007377; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io)"; dns.query; content:"market.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036235; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which ASCII"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007378; classtype:web-application-attack; sid:2007378; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".db2"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,db9df7f1bcfba0346d9e7de729c018a2; reference:url,twitter.com/500mk500/status/1515002456882786310; classtype:trojan-activity; sid:2036228; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007379; classtype:web-application-attack; sid:2007379; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hojimizeg .com)"; dns.query; content:"hojimizeg.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036238; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat SELECT"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007380; classtype:web-application-attack; sid:2007380; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (notixow .com)"; dns.query; content:"notixow.com"; nocase; bsize:11; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036239; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UNION SELECT"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007381; classtype:web-application-attack; sid:2007381; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (rewujisaf .com)"; dns.query; content:"rewujisaf.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:trojan-activity; sid:2036240; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat INSERT"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007382; classtype:web-application-attack; sid:2007382; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matrix Max Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"zipx=UEsDBBQ"; startswith; fast_pattern; reference:md5,e8573f06d342ae05ece8d1be111669c4; reference:url,twitter.com/James_inthe_box/status/1516049381539004418; classtype:trojan-activity; sid:2036245; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment SSLDecrypt, former_category MALWARE, malware_family Matrix_Max, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat DELETE"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007383; classtype:web-application-attack; sid:2007383; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updateb)"; flow:established,to_server; http.uri; content:"/updateb.php?p="; nocase; pcre:"/updateb\.php\?p=\d/i"; flowbits:isset,BT.ppagent.updatea; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat ASCII"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007384; classtype:web-application-attack; sid:2007384; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; http.uri; content:"php?i="; content:"&v="; content:"&win=Windows"; content:"&un="; content:"&uv="; content:"&s="; content:"&onl="; content:"&ip="; content:"&f="; reference:url,doc.emergingthreats.net/2007700; classtype:command-and-control; sid:2007700; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007385; classtype:web-application-attack; sid:2007385; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Rat CnC Exfil"; flow:established,to_server; content:"|00 00 00|ent4rme"; offset:2; depth:10; fast_pattern; content:"|20 7c 20|"; distance:0; content:"|23|runtimebroker"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007386; classtype:web-application-attack; sid:2007386; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointpack.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"php?"; content:"kind="; content:"&pid="; content:"&ver="; content:"&uniq="; content:"&addresses="; content:"&hdmacid="; content:"&dllver="; content:"&subv="; reference:url,doc.emergingthreats.net/2008260; classtype:command-and-control; sid:2008260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007387; classtype:web-application-attack; sid:2007387; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; http.uri; content:"m="; content:"&a="; content:"&r="; content:"&os="; content:"00000"; pcre:"/\/s_\d\d_\d+\?/"; pcre:"/&os=[0-9a-z]{40}/i"; reference:url,doc.emergingthreats.net/2008412; classtype:command-and-control; sid:2008412; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007388; classtype:web-application-attack; sid:2007388; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"pass="; content:"type="; content:"host="; content:"port="; content:"name="; content:"pc="; content:"user="; content:"ip="; content:"version="; http.header; content:"User-Agent|3a| NR"; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007389; classtype:web-application-attack; sid:2007389; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Family GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"szclientid="; content:"szmac="; content:"szusername="; content:"szver="; content:"mode="; content:"value="; content:"systype="; content:"rid="; content:"szname="; content:"szpaname="; content:"palen="; content:"szpapaname="; content:"chksum="; reference:md5,ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:7; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007390; classtype:web-application-attack; sid:2007390; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirus2010 Checkin port 8082"; flow:established,to_server; http.uri; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:command-and-control; sid:2011473; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007391; classtype:web-application-attack; sid:2007391; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java Archive sent when remote host claims to send an image"; flow:established,to_client; http.content_type; content:!"application/java-archive"; content:"image"; nocase; startswith; file.data; content:"PK"; depth:2; content:"META-INF/MANIFEST"; distance:0; fast_pattern; classtype:trojan-activity; sid:2014288; rev:6; metadata:created_at 2012_02_28, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid SELECT"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004108; classtype:web-application-attack; sid:2004108; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".aspx"; http.user_agent; content:!"SmadavStat"; http.host; content:!"lavasoft.com"; http.request_body; content:!"Zerto.ZVM"; content:!"id1="; content:"1="; content:"2="; distance:0; content:"3="; distance:0; content:"4="; distance:0; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer"; content:!"Accept"; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category TROJAN, malware_family Neurevt, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid INSERT"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004110; classtype:web-application-attack; sid:2004110; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,to_client; tls.cert_serial; content:"1F:23:9D:BD"; tls.cert_subject; content:"O=assylias.Inc"; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; reference:md5,b102c26e04e97bda97b11bfe7366e61e; classtype:trojan-activity; sid:2020728; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid DELETE"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004111; classtype:web-application-attack; sid:2004111; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004113; classtype:web-application-attack; sid:2004113; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889; stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1; flowbits:set, FB332502_2; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005807; classtype:web-application-attack; sid:2005807; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; dns.query; content:"dyoravdkiavfkbkx"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025507; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005808; classtype:web-application-attack; sid:2005808; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; dns.query; content:"dypmoywmjrevboat"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025508; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id INSERT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005804; classtype:web-application-attack; sid:2005804; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; dns.query; content:"jjjooyeohgghgtwn"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025509; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id DELETE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005806; classtype:web-application-attack; sid:2005806; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; dns.query; content:"lvanwwbyabcfevyi"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025510; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id ASCII"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005809; classtype:web-application-attack; sid:2005809; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; dns.query; content:"uxwavkmttywsuynt"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025511; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005810; classtype:web-application-attack; sid:2005810; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; dns.query; content:"yaynawvtuqcarjwc"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025512; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005811; classtype:web-application-attack; sid:2005811; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns.query; content:"3whyfziey2vr41yq"; depth:16; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UNION SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005812; classtype:web-application-attack; sid:2005812; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server; stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:command-and-control; sid:2026433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie INSERT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005813; classtype:web-application-attack; sid:2005813; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)"; dns.query; content:"kraken656kn6wyyx"; depth:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1030.pdf; classtype:command-and-control; sid:2026640; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie DELETE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005814; classtype:web-application-attack; sid:2005814; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Agent.NZH CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"File not found.|0a 3c 21 2d 2d|"; within:30; fast_pattern; content:"-->"; distance:0; classtype:command-and-control; sid:2026987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ASCII"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005815; classtype:web-application-attack; sid:2005815; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"aptgetgxqs3secda"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027351; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005816; classtype:web-application-attack; sid:2005816; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"rapid7cpfqnwxodo"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027352; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id SELECT"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005817; classtype:web-application-attack; sid:2005817; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) Pico/"; startswith; classtype:trojan-activity; sid:2029306; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005818; classtype:web-application-attack; sid:2005818; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gootkit Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?"; startswith; fast_pattern; pcre:"/^[1-z]{13}=[0-9]{16}$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http.header_names; content:!"Referer"; reference:md5,82ddc740b8ff3aa4d818d1b421e0231e; classtype:trojan-activity; sid:2033022; rev:2; metadata:created_at 2021_05_24, former_category MALWARE, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id INSERT"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005819; classtype:web-application-attack; sid:2005819; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Win32/Numando Banker CnC Activity"; flow:established,to_server; content:"<|7c|>1<|7c|>"; offset:7; content:"<|7c|>Microsoft|20|Windows"; distance:0; content:"<|7c|>0<|7c|>"; distance:0; reference:md5,fec2f560619b88d9846fe03db6841e91; reference:url,www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/; classtype:trojan-activity; sid:2033983; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id DELETE"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005820; classtype:web-application-attack; sid:2005820; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kimsuky Related Malicious VBScript"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.response_body; content:"language|3d|javascript|3e|document|2e|write|28|unescape|28 27|"; content:"%47%65%74%4F%62%6A%65%63%74%28%22%22%6E%65%77%3A"; content:"%2E%76%62%73%20%26%40%65%63%68%6F%20%55%52%4C%20%3D%20%22%22"; distance:0; within:285; fast_pattern; content:"%73%65%6C%66%2E%63%6C%6F%73%65"; reference:md5,d74f268b986fecfa03b81029dd134811; classtype:trojan-activity; sid:2034697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ASCII"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005821; classtype:web-application-attack; sid:2005821; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Maldoc Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand?guid="; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034844; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005822; classtype:web-application-attack; sid:2005822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST)"; flow:established,to_server; http.request_line; content:"POST /up/up.php HTTP/1.1"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"form-data|3b 20|name=|22|file|22 3b|"; reference:md5,a023ece310a490a87e77c9bb28b6415b; classtype:trojan-activity; sid:2034962; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005823; classtype:web-application-attack; sid:2005823; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Valyria.6015 CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eln-images/"; startswith; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; http.header_names; content:!"Referer"; reference:md5,a118a3030807156eca8f805b8b83ce1f; classtype:trojan-activity; sid:2035223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005824; classtype:web-application-attack; sid:2005824; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Rat CnC Server Response"; flow:established,to_client; content:"|00 00 00|ent2rmezi="; offset:2; depth:13; fast_pattern; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005825; classtype:web-application-attack; sid:2005825; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g1nzo.php?"; startswith; fast_pattern; content:"data="; content:"countc="; content:"countp="; content:"country="; content:"ip="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036246; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005826; classtype:web-application-attack; sid:2005826; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow .online) in TLS SNI"; flow:established,to_server; tls.sni; content:"ritmflow.online"; bsize:15; fast_pattern; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036247; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005827; classtype:web-application-attack; sid:2005827; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M3"; flow:established,to_client; dsize:18; content:"|0d 00 00 00 00|inf2o=command"; threshold:type limit,track by_dst, count 5,seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005828; classtype:web-application-attack; sid:2005828; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Client Command Response (info)"; flow:established,to_server; content:"|00 00 00 00|"; offset:1; depth:4; content:"inx7fo=usder"; distance:0; fast_pattern; content:"|00 00 00 00 7c|"; distance:1; within:5; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/gallery_show.asp?"; nocase; content:"GID="; nocase; pcre:"/(\?|&)GID=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt; reference:url,doc.emergingthreats.net/2010608; classtype:web-application-attack; sid:2010608; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow .online)"; dns.query; content:"ritmflow.online"; nocase; bsize:15; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036248; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS icash Click&BaneX user_menu.asp ID parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/user_menu.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856; reference:url,doc.emergingthreats.net/2008997; classtype:web-application-attack; sid:2008997; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"nominally.ru"; bsize:12; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:domain-c2; sid:2036249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/tools/filemanager/skins/mobile/admin1.template.php?"; nocase; content:"net2ftp_globals[application_skinsdir]="; nocase; pcre:"/net2ftp_globals\[application_skinsdir\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,packetstorm.foofus.com/1003-exploits/ispcp-rfi.txt; reference:bugtraq,38644; reference:url,doc.emergingthreats.net/2010979; classtype:web-application-attack; sid:2010979; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|ginzoarchive|2e|zip|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor SELECT"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004840; classtype:web-application-attack; sid:2004840; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; dotprefix; content:".nominally.ru"; endswith; fast_pattern; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UNION SELECT"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004841; classtype:web-application-attack; sid:2004841; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M1"; flow:established,to_server; http.uri; content:".asp?prd_fld=racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor INSERT"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004842; classtype:web-application-attack; sid:2004842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M2"; flow:established,to_server; http.uri; content:".jsp?prd_fld_racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036258; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor DELETE"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004843; classtype:web-application-attack; sid:2004843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev)"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036259; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor ASCII"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004844; classtype:web-application-attack; sid:2004844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com)"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036261; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004845; classtype:web-application-attack; sid:2004845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com)"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/users/payment.php?"; nocase; content:"order_id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt; reference:url,doc.emergingthreats.net/2009671; classtype:web-application-attack; sid:2009671; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com)"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036263; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myEvent viewevent.php SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/viewevent.php?eventdate="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,31773; reference:url,www.milw0rm.com/exploits/6760; reference:url,doc.emergingthreats.net/2008668; classtype:web-application-attack; sid:2008668; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com)"; dns.query; content:"esilet.com"; nocase; bsize:10; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/modules/comments.php?"; nocase; content:"templates_dir="; nocase; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009719; classtype:web-application-attack; sid:2009719; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com)"; dns.query; content:"vasepinay.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/modules/comments.php?"; nocase; content:"template="; nocase; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009720; classtype:web-application-attack; sid:2009720; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com)"; dns.query; content:"dixavokij.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gunaysoft.php?"; nocase; content:"icerikyolu="; nocase; pcre:"/icerikyolu=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009325; classtype:web-application-attack; sid:2009325; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"c__"; content:"ENTERWindows"; distance:0; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:trojan-activity; sid:2036277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gunaysoft.php?"; nocase; content:"sayfaid="; nocase; pcre:"/sayfaid=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009326; classtype:web-application-attack; sid:2009326; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club)"; dns.query; content:"beastmodser.club"; nocase; bsize:16; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:domain-c2; sid:2036278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gunaysoft.php?"; nocase; content:"uzanti="; nocase; pcre:"/uzanti=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009327; classtype:web-application-attack; sid:2009327; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Macro_Opened_"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; classtype:trojan-activity; sid:2036279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010615; classtype:web-application-attack; sid:2010615; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin"; flow:established,to_server; http.uri; content:"/apiv8/"; startswith; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010616; classtype:web-application-attack; sid:2010616; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike X-Client Header (notevil)"; flow:established,to_server; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010617; classtype:web-application-attack; sid:2010617; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//alert/7/"; bsize:10; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,d2e2f0a2e553075d7968e55e15cd49a1; classtype:command-and-control; sid:2036318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010618; classtype:web-application-attack; sid:2010618; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin?ver="; fast_pattern; content:"&lip="; distance:0; content:"&mac="; isdataat:!13,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 29|"; bsize:76; reference:md5,014d2e1a31ce397e7a5e3ba8edc45344; classtype:trojan-activity; sid:2036276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010619; classtype:web-application-attack; sid:2010619; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT)"; flow:established,to_server; http.uri; pcre:"/^\/[A-F0-9]{33}$/"; http.method; content:"PUT"; http.request_body; content:"DAV2"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/; reference:url,www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool; classtype:trojan-activity; sid:2036280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid SELECT"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004899; classtype:web-application-attack; sid:2004899; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M1"; flow:established,to_server; http.uri; content:"/baby.php"; startswith; content:"/baby"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0)"; startswith; content:"::/.beagle/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UNION SELECT"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004900; classtype:web-application-attack; sid:2004900; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M2"; flow:established,to_server; http.uri; content:"/begun.php"; startswith; bsize:10; http.user_agent; content:"Mozilla/5.0 (Linux"; startswith; content:"::/.balance/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid INSERT"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004901; classtype:web-application-attack; sid:2004901; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5612 (msg:"ET MALWARE Win32/Pterodo CnC VNC Connect Request"; flow:established,to_server; content:"|49 44 3a|"; depth:3; pcre:"/^\d+?\x00/R"; content:"|3a 5c|"; distance:0; content:"\\Contacts|00|Driver"; fast_pattern; distance:0; content:"Hood.exe"; distance:0; within:10; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:command-and-control; sid:2036293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid DELETE"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004902; classtype:web-application-attack; sid:2004902; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CrimsonRAT Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /indexer.php HTTP/1.1"; http.request_body; content:"q="; startswith; content:"|7c|ver="; distance:0; fast_pattern; content:"|7c 7c|"; within:4; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,twitter.com/0xrb/status/1517052777167732736?s=21&t=zTZ6AqU3_DB36dZ3DE1HCg; reference:md5,41702a1959b1b7038237d75330b904b6; classtype:trojan-activity; sid:2036290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family CrimsonRAT, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid ASCII"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004903; classtype:web-application-attack; sid:2004903; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Extention Payload Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/archive.zip?iver="; startswith; bsize:<20; fast_pattern; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004904; classtype:web-application-attack; sid:2004904; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/un?iver="; startswith; fast_pattern; content:"&did="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"p=phpinfo()"; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010902; classtype:web-application-attack; sid:2010902; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"search?ext=properties&is"; startswith; fast_pattern; content:"&q="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"c="; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010903; classtype:web-application-attack; sid:2010903; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Sync"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"sync?ext=Properties&ver="; startswith; fast_pattern; content:"&dd="; distance:0; content:"&info="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt"; flow:to_server,established; http.uri; content:"rootagenda="; nocase; pcre:"/(agendaplace(2?)|infoevent|agenda(2?))\.php3\?/i"; pcre:"/rootagenda=(https?|ftps?|php)/i"; reference:cve,2006-2009; reference:bugtraq,17670; reference:url,doc.emergingthreats.net/2002879; classtype:web-application-attack; sid:2002879; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"hb?ext="; startswith; fast_pattern; content:"&ver="; distance:0; content:"&is="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/addedit-render.php?"; nocase; content:"editform="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774; reference:url,doc.emergingthreats.net/2008992; classtype:web-application-attack; sid:2008992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035881; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/assets/plugins/mp3_id/mp3_id.php?"; nocase; content:"GLOBALS[BASE]="; nocase; pcre:"/GLOBALS\[BASE\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt; reference:url,doc.emergingthreats.net/2010485; classtype:web-application-attack; sid:2010485; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker (getAd)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ad?ext=Properties"; startswith; fast_pattern; content:"&ver="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004170; classtype:web-application-attack; sid:2004170; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035882; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004171; classtype:web-application-attack; sid:2004171; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035883; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004172; classtype:web-application-attack; sid:2004172; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035884; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004173; classtype:web-application-attack; sid:2004173; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei/Vidar/Mars Stealer Variant"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile_id|22|"; fast_pattern; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|hwid|22|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1517238542434414592; reference:md5,21e2215738a8e9c9d1ed1e1f66cff10e; classtype:trojan-activity; sid:2036316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2022_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004174; classtype:web-application-attack; sid:2004174; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com)"; flow:established,to_server; tls.sni; content:"updatedaemon.com"; startswith; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036312; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004175; classtype:web-application-attack; sid:2004175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com)"; dns.query; content:"updatedaemon.com"; fast_pattern; endswith; nocase; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004176; classtype:web-application-attack; sid:2004176; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com)"; flow:established,to_client; tls.cert_subject; content:"CN=updatedaemon.com"; bsize:19; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036314; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004177; classtype:web-application-attack; sid:2004177; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kratos Silent Miner Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"|22|name|22 3a 22|Kratos|20|Silent|20|"; fast_pattern; content:"|22|name|22 3a 22|PC|20|Name|3a 22 2c 22|value|22 3a 22|"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:command-and-control; sid:2036305; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004178; classtype:web-application-attack; sid:2004178; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?m="; fast_pattern; pcre:"/^[0-9]{10}$/R"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|8.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036315; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004179; classtype:web-application-attack; sid:2004179; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Command List Fetch"; flow:established,to_server; http.request_line; content:"GET /ginzolist.txt HTTP/1.1"; bsize:27; fast_pattern; isdataat:!1,relative; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,twitter.com/struppigel/status/1506933328599044100; reference:md5,5009e04920d5fb95f8a02265f89d25a5; classtype:trojan-activity; sid:2036317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, malware_family Ginzo, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004180; classtype:web-application-attack; sid:2004180; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/call?key="; bsize:42; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:69; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"ProcessList.txt"; fast_pattern; distance:0; content:"Screenshot.png"; distance:0; reference:md5,3f9c1455992239f4efe31f0e56773433; classtype:trojan-activity; sid:2036321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004181; classtype:web-application-attack; sid:2004181; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/ping|20|"; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.content_len; byte_test:0,=,36,0,string,dec; http.request_body; content:"key="; startswith; pcre:"/^key=[A-F0-9]{32}$/"; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036306; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004182; classtype:web-application-attack; sid:2004182; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk)"; dns.query; dotprefix; content:".forummanazera.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036322; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004183; classtype:web-application-attack; sid:2004183; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk)"; dns.query; dotprefix; content:".reality.skarabeus.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036323; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004184; classtype:web-application-attack; sid:2004184; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz)"; dns.query; content:"msrousinov.cz"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036324; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004185; classtype:web-application-attack; sid:2004185; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru)"; dns.query; content:"googleprovider.ru"; nocase; bsize:17; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036325; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004186; classtype:web-application-attack; sid:2004186; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk)"; dns.query; content:"profiit.fiit.stuba.sk"; nocase; bsize:21; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036326; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004187; classtype:web-application-attack; sid:2004187; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk)"; dns.query; content:"freetips.php5.sk"; nocase; bsize:16; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036327; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004188; classtype:web-application-attack; sid:2004188; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk)"; dns.query; content:"sivpici.php5.sk"; nocase; bsize:15; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036328; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004189; classtype:web-application-attack; sid:2004189; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu)"; dns.query; content:"hotel-boss.eu"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036329; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id INSERT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004190; classtype:web-application-attack; sid:2004190; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz)"; dns.query; content:"limousine-service.cz"; nocase; bsize:20; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036330; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id DELETE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004191; classtype:web-application-attack; sid:2004191; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz)"; dns.query; content:"ms.rousinov.cz"; nocase; bsize:14; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036331; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id ASCII"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004192; classtype:web-application-attack; sid:2004192; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz)"; dns.query; content:"vavave.xf.cz"; nocase; bsize:12; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036332; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004193; classtype:web-application-attack; sid:2004193; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M1"; flow:established,to_server; http.request_line; content:"POST|20|/call?key="; fast_pattern; pcre:"/^[a-f0-9]{32}\x20/R"; http.header; content:"Content|2d|Type|3a 20|multipart|2f|form|2d|data|3b 20|boundary|3d|"; pcre:"/^[a-f0-9]{60}\x0d\x0a/R"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 5b|"; distance:0; content:"|5d 20|"; distance:2; within:2; content:"|20 5b|"; distance:32; within:2; content:"|5d 22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; distance:19; within:50; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004194; classtype:web-application-attack; sid:2004194; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech FlagPro Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htmld?flag"; fast_pattern; pcre:"/^(?:pro)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b39dcc5de43d2840d6992a561e34eec; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036309; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004195; classtype:web-application-attack; sid:2004195; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (windows11-upgrade .com)"; dns.query; content:"windows11-upgrade"; startswith; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036363; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004196; classtype:web-application-attack; sid:2004196; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (windows-11info .com)"; dns.query; content:"windows-11info"; startswith; fast_pattern; pcre:"/\d{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036364; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004197; classtype:web-application-attack; sid:2004197; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (windows11-infoserver .com)"; dns.query; content:"windows11-infoserver"; fast_pattern; startswith; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036365; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004198; classtype:web-application-attack; sid:2004198; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows11-upgrade .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows11-upgrade"; startswith; fast_pattern; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036366; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004199; classtype:web-application-attack; sid:2004199; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows-11info .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows-11info"; startswith; fast_pattern; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036367; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004200; classtype:web-application-attack; sid:2004200; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows11-infoserver .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows11-infoserver"; startswith; fast_pattern; pcre:"/[0-9]{1,2}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036368; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004201; classtype:web-application-attack; sid:2004201; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (StatusTime)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&statustime="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036354; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id INSERT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004202; classtype:web-application-attack; sid:2004202; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert for IRS Credential Phish Domain (supportmicrohere .com)"; flow:established,to_client; tls.cert_subject; content:"supportmicrohere.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?supportmicrohere\.com(?!\.)/"; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:domain-c2; sid:2036360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id DELETE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004203; classtype:web-application-attack; sid:2004203; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert IRS Credential Phish Domain (jbdelmarket .com)"; flow:established,to_client; tls.cert_subject; content:"jbdelmarket.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?jbdelmarket\.com(?!\.)/"; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:domain-c2; sid:2036361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id ASCII"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004204; classtype:web-application-attack; sid:2004204; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Comands)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&comands="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036355; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004205; classtype:web-application-attack; sid:2004205; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin (Checkupdate)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&chekupdate="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004206; classtype:web-application-attack; sid:2004206; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.VAZ Bot CnC Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"botid="; startswith; fast_pattern; content:"&botip="; distance:0; content:"&botcountry="; distance:0; content:"&botcc="; distance:0; content:"&status"; distance:0; content:"&statustime="; distance:0; content:"&version="; distance:0; reference:url,twitter.com/3xp0rtblog/status/1517792795481755648; reference:md5,61e3920e4a8e3f84d3e53d12bb454036; classtype:trojan-activity; sid:2036357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UNION SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004207; classtype:web-application-attack; sid:2004207; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (main .dailynk .us)"; dns.query; content:"main.dailynk.us"; nocase; bsize:15; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036369; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id INSERT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004208; classtype:web-application-attack; sid:2004208; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GOLDBACKDOOR Domain in DNS Lookup (lit-peak-25706 .herokuapp .com)"; dns.query; content:"lit-peak-25706.herokuapp.com"; nocase; bsize:28; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036370; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id DELETE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004209; classtype:web-application-attack; sid:2004209; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GOLDBACKDOOR Domain (main .dailynk .us) in TLS SNI"; flow:established,to_server; tls.sni; content:"main.dailynk.us"; bsize:15; fast_pattern; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036371; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id ASCII"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004210; classtype:web-application-attack; sid:2004210; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GOLDBACKDOOR Domain (lit-peak-25706 .herokuapp .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"lit-peak-25706.herokuapp.com"; bsize:28; fast_pattern; reference:url,stairwell.com/wp-content/uploads/2022/04/Stairwell-threat-report-The-ink-stained-trail-of-GOLDBACKDOOR.pdf; classtype:targeted-activity; sid:2036372; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family GOLDBACKDOOR, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004211; classtype:web-application-attack; sid:2004211; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup (seventyfor .site)"; dns.query; content:"seventyfor.site"; nocase; bsize:15; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; classtype:trojan-activity; sid:2036373; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004212; classtype:web-application-attack; sid:2004212; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Innostealer Domain in DNS Lookup windows-server031 .com)"; dns.query; content:"windows-server"; fast_pattern; startswith; pcre:"/[0-9]{1,3}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036374; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004213; classtype:web-application-attack; sid:2004213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (windows-server031 .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"windows-server"; fast_pattern; startswith; pcre:"/[0-9]{1,3}/R"; content:".com"; endswith; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036375; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id INSERT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004214; classtype:web-application-attack; sid:2004214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Innostealer Domain (seventyfor .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"seventyfor.site"; bsize:15; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1517822757567971329; reference:url,www.bleepingcomputer.com/news/security/unofficial-windows-11-upgrade-installs-info-stealing-malware/; classtype:trojan-activity; sid:2036376; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, malware_family Innostealer, performance_impact Low, signature_severity Major, updated_at 2022_04_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id DELETE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004215; classtype:web-application-attack; sid:2004215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (alticgo .com) in DNS Lookup"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036394; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id ASCII"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004216; classtype:web-application-attack; sid:2004216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (cryptais .com) in DNS Lookup"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036395; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004217; classtype:web-application-attack; sid:2004217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (tokenais .com) in DNS Lookup"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036396; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004218; classtype:web-application-attack; sid:2004218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (aideck .net) in DNS Lookup"; dns.query; content:"aideck.net"; nocase; bsize:10; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036397; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004219; classtype:web-application-attack; sid:2004219; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (www .esilet .com) in DNS Lookup"; dns.query; content:"www.esilet.com"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036398; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004220; classtype:web-application-attack; sid:2004220; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (creaideck .com) in DNS Lookup"; dns.query; content:"creaideck.com"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036399; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004221; classtype:web-application-attack; sid:2004221; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TraderTraitor CnC Domain (dafom .dev) in DNS Lookup"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; classtype:domain-c2; sid:2036400; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004222; classtype:web-application-attack; sid:2004222; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (alticgo .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"alticgo.com"; bsize:11; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036401; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004223; classtype:web-application-attack; sid:2004223; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (cryptais .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"cryptais.com"; bsize:12; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036402; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProjectButler RFI attempt"; flow:established,to_server; http.uri; content:"/pda_projects.php?offset=http\:"; nocase; reference:url,www.sans.org/top20/; reference:url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt; reference:url,doc.emergingthreats.net/2009887; classtype:web-application-attack; sid:2009887; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (tokenais .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"tokenais.com"; bsize:12; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036403; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/_footer.php?"; nocase; content:"skin_path="; nocase; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009320; classtype:web-application-attack; sid:2009320; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (aideck .net) in TLS SNI"; flow:established,to_server; tls.sni; content:"aideck.net"; bsize:10; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036404; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/templater.php?"; nocase; content:"config[template]="; reference:url,milw0rm.com/exploits/6287; reference:bugtraq,30785; reference:url,doc.emergingthreats.net/2009331; classtype:web-application-attack; sid:2009331; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (www .esilet .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"www.esilet.com"; bsize:14; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036405; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005663; classtype:web-application-attack; sid:2005663; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (creaideck .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"creaideck.com"; bsize:13; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036406; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005664; classtype:web-application-attack; sid:2005664; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TraderTraitor Domain (dafom .dev) in TLS SNI"; flow:established,to_server; tls.sni; content:"dafom.dev"; bsize:9; fast_pattern; reference:url,gist.github.com/travisbgreen/ae016d1b17da164d10935f84c61754fb; reference:url,www.ic3.gov/Media/News/2022/220418.pdf; classtype:trojan-activity; sid:2036407; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, malware_family TraderTraitor, malware_family Lazurus, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005665; classtype:web-application-attack; sid:2005665; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:".exe_svchost.exe_"; fast_pattern; content:"ENTER"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/souiten/status/1519167359918911488; reference:md5,1dd007b44034bb3ce127b553873171e5; classtype:trojan-activity; sid:2036390; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005666; classtype:web-application-attack; sid:2005666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TraderTraitor dafom CnC Checkin M1 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth/checkupdate.php"; content:"os="; content:"email="; http.user_agent; content:"dafom"; nocase; fast_pattern; reference:url,gist.github.com/travisbgreen/01e1fdf239a9d302b14584bc82f68a2a; reference:url,www.cisa.gov/uscert/ncas/alerts/aa22-108a; classtype:trojan-activity; sid:2036408; rev:1; metadata:created_at 2022_04_27, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005667; classtype:web-application-attack; sid:2005667; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TraderTraitor dafom CnC Checkin M2 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update/"; content:"os="; content:"email="; http.user_agent; content:"dafom"; nocase; fast_pattern; reference:url,gist.github.com/travisbgreen/01e1fdf239a9d302b14584bc82f68a2a; reference:url,www.cisa.gov/uscert/ncas/alerts/aa22-108a; classtype:trojan-activity; sid:2036409; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005668; classtype:web-application-attack; sid:2005668; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TraderTraitor AlticGO CnC Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update/"; http.user_agent; content:"AlticGO/1.1.0"; nocase; fast_pattern; reference:url,gist.github.com/travisbgreen/01e1fdf239a9d302b14584bc82f68a2a; reference:url,www.cisa.gov/uscert/ncas/alerts/aa22-108a; classtype:trojan-activity; sid:2036410; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005348; classtype:web-application-attack; sid:2005348; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT FlowCloud Hardcoded Request (POST)"; flow:established,to_server; content:"|0d 0a|X-Requested-With|3a 20|ShockwaveFlash/20.0.0.306|0d 0a|"; http.request_line; content:"POST /messagebroker/amf HTTP/1.1"; fast_pattern; http.referer; content:"http|3a 2f 2f|s.peheavens.com/html/portlet/ext/draco/resources/draco_manager.swf/"; http.cookie; content:"COOKIE_SUPPORT="; startswith; content:"JSESSIONID="; distance:0; content:"COMPANY_ID="; distance:0; content:"ID="; distance:0; content:"PASSWORD="; distance:0; content:"LOGIN="; distance:0; content:"SCREEN_NAME"; distance:0; content:"GUEST_LANGUAGE_ID="; distance:0; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; classtype:trojan-activity; sid:2036391; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_27, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2022_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UNION SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005349; classtype:web-application-attack; sid:2005349; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA410 APT LookBack Client HTTP Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/status.php?r="; http.accept; content:"text/html, application/xhtml+xml, */*"; bsize:37; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; endswith; http.request_body; content:"id=1&op=report&status="; fast_pattern; startswith; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; classtype:trojan-activity; sid:2036412; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php INSERT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005350; classtype:web-application-attack; sid:2005350; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [ESET] TA410 APT LookBack HTTP Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/gif"; bsize:9; http.header; pcre:"/^ETag\x3a\x20[0-9]{6}-[0-9]{3,5}-[0-9]{8}\r\n/m"; file.data; content:"|c2 2e ab 48|"; depth:4; fast_pattern; reference:url,www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/; reference:url,github.com/eset/malware-ioc/tree/master/ta410; classtype:trojan-activity; sid:2036413; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, malware_family TA410, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php DELETE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005351; classtype:web-application-attack; sid:2005351; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MoneroOcean Installer Batch Script Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"echo MoneroOcean mining"; content:"set WALLET="; content:"|3a|WALLET_LEN_OK"; content:"|22|EXP_MONERO_HASHRATE%"; fast_pattern; classtype:trojan-activity; sid:2036411; rev:1; metadata:created_at 2022_04_28, former_category MALWARE, updated_at 2022_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php ASCII"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005352; classtype:web-application-attack; sid:2005352; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nobelium APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/1/members/me/boards?key=664f145b65b9ea751df4dd21a96601f0&token=39daa5890c85fba874a352473b2fa9a97c7839223422411c22f22970f3b71ecc"; fast_pattern; http.host; content:"api.trello.com"; bsize:14; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"(iPad|3b 20|CPU|20|OS|20|"; reference:md5,c4df0507f56e30b264c848c6096b69ae; reference:url,inquest.net/blog/2022/04/18/nobelium-israeli-embassy-maldoc; classtype:trojan-activity; sid:2036417; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Nobelium, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005353; classtype:web-application-attack; sid:2005353; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE China Based APT Related Domain in DNS Lookup (p1 .offline-microsoft .com)"; dns.query; content:"p1.offline-microsoft.com"; nocase; bsize:24; reference:md5,04b8a9e6f70e567a99ea728b9f0dee18; reference:md5,ee3f5fa62fc6faa7d130c26e03e148e2; reference:url,twitter.com/h2jazi/status/1519769346867879938; classtype:domain-c2; sid:2036418; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VBulletin 4.0.1 SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/misc.php?"; content:"sub=profilename"; content:"name="; nocase; content:"|27|"; pcre:"/[\?&]name=[^&\;\?]+\x27/i"; reference:url,www.packetstormsecurity.org/1001-exploits/vbulletin401-sql.txt; reference:url,doc.emergingthreats.net/2010701; classtype:web-application-attack; sid:2010701; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE China Based APT Related Domain in DNS Lookup (portal .super-encrypt .com)"; dns.query; content:"portal.super-encrypt.com"; nocase; bsize:24; reference:md5,5897e67e491a9d8143f6d45803bc8ac8; reference:url,twitter.com/h2jazi/status/1519769346867879938; classtype:domain-c2; sid:2036419; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005354; classtype:web-application-attack; sid:2005354; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/WindowsDefender Bypass Download Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/kill.bat"; bsize:9; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.connection; content:"Keep-Alive"; nocase; reference:md5,a59277f422139a3c2341eee166eda629; classtype:trojan-activity; sid:2035696; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UNION SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005355; classtype:web-application-attack; sid:2005355; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nerbian RAT CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pub/health_check.php"; fast_pattern; bsize:21; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:39; reference:md5,9cca59eec5af63e42cd845b67cf6df89; reference:md5,5d5bc970f975341558b8d2c225ca0115; reference:url,twitter.com/pr0xylife/status/1519704793593307136; classtype:trojan-activity; sid:2036426; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid INSERT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005356; classtype:web-application-attack; sid:2005356; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nerbian RAT Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pub/health_check.php"; fast_pattern; bsize:21; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header_names; content:!"Referer|0d 0a|"; http.content_type; content:"multipart/form-data|3b 20|boundary="; depth:30; pcre:"/[a-f0-9]{60}$/R"; http.request_body; content:"name=|22|addr_post|22|"; content:"name=|22|port_post|22|"; content:"name=|22|auth_post|22|"; content:"name=|22|session_key|22|"; content:"name=|22|data_post|22|"; reference:md5,9cca59eec5af63e42cd845b67cf6df89; reference:md5,5d5bc970f975341558b8d2c225ca0115; reference:url,twitter.com/pr0xylife/status/1519704793593307136; classtype:trojan-activity; sid:2036427; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid DELETE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005357; classtype:web-application-attack; sid:2005357; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET [1024:] (msg:"ET MALWARE Win32/Farfli.BAL CnC Activity"; flow:established,to_server; http.request_line; content:"GET /2112.html|20|"; startswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:md5,32547c9f7c7c870ee12fdf944e8afb34; classtype:trojan-activity; sid:2036453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid ASCII"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005358; classtype:web-application-attack; sid:2005358; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET [:1024] (msg:"ET MALWARE Likely Mirai Related Outbound Shell Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bins.sh"; bsize:8; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; threshold:type threshold, track by_src, count 5, seconds 60; reference:md5,66767161f67d5fdf18ab25e292aece88; classtype:trojan-activity; sid:2036454; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_29, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005359; classtype:web-application-attack; sid:2005359; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA452 Related Domain in DNS Lookup"; dns.query; dotprefix; content:".joexpediagroup.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/; classtype:domain-c2; sid:2036557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_02, deployment Perimeter, former_category MALWARE, malware_family APT34, malware_family TA452, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004748; classtype:web-application-attack; sid:2004748; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA452 Related Domain in DNS Lookup"; dns.query; dotprefix; content:".asiaworldremit.com"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/apt34-targets-jordan-government-using-new-saitama-backdoor/; classtype:domain-c2; sid:2036558; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_02, deployment Perimeter, former_category MALWARE, malware_family APT34, malware_family TA452, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UNION SELECT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004749; classtype:web-application-attack; sid:2004749; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA452 Related Domain in DNS Lookup"; dns.query; dotprefix; content:".uber-asia.com"; nocase; endswith; classtype:domain-c2; sid:2036559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_02, deployment Perimeter, former_category MALWARE, malware_family APT34, malware_family TA452, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic INSERT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004750; classtype:web-application-attack; sid:2004750; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Interactsh Control Panel (DNS)"; threshold: type both, track by_src, count 1, seconds 600; dns.query; pcre:"/^[a-z0-9]{33}/"; content:".interact.sh"; endswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:trojan-activity; sid:2034201; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic DELETE"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004751; classtype:web-application-attack; sid:2004751; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com)"; dns.query; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035614; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic ASCII"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004752; classtype:web-application-attack; sid:2004752; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; pcre:"/^[qbedm]{1}[a-zA-Z]{1,3}646[a-zA-Z0-9]{1,3}+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_05_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004753; classtype:web-application-attack; sid:2004753; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"login-service.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035860; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005239; classtype:web-application-attack; sid:2005239; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com)"; dns.query; content:"al7erak247.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035779; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005240; classtype:web-application-attack; sid:2005240; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com)"; dns.query; content:"arabia-islamion.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035782; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005241; classtype:web-application-attack; sid:2005241; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net)"; dns.query; content:"al-nusr.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035776; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005242; classtype:web-application-attack; sid:2005242; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"khilafah-islamic.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035866; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005243; classtype:web-application-attack; sid:2005243; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com)"; dns.query; content:"vpn2.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035704; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005244; classtype:web-application-attack; sid:2005244; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"fserverone.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035944; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005245; classtype:web-application-attack; sid:2005245; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.al7eraknews.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035865; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005246; classtype:web-application-attack; sid:2005246; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop)"; dns.query; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005247; classtype:web-application-attack; sid:2005247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"talabatt.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035862; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005248; classtype:web-application-attack; sid:2005248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)"; dns.query; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035662; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005249; classtype:web-application-attack; sid:2005249; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com)"; dns.query; content:"akhbarnew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035775; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005250; classtype:web-application-attack; sid:2005250; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)"; dns.query; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035664; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005251; classtype:web-application-attack; sid:2005251; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com)"; dns.query; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005312; classtype:web-application-attack; sid:2005312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"cmaildowninvoice.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035945; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005252; classtype:web-application-attack; sid:2005252; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com)"; dns.query; content:"svn1.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005253; classtype:web-application-attack; sid:2005253; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"unsubscribe-now.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035868; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005254; classtype:web-application-attack; sid:2005254; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mobiles-security.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035867; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005255; classtype:web-application-attack; sid:2005255; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com)"; dns.query; content:"alrainew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035781; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005158; classtype:web-application-attack; sid:2005158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mangoutlet.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035869; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005159; classtype:web-application-attack; sid:2005159; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)"; dns.query; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005160; classtype:web-application-attack; sid:2005160; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com)"; dns.query; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035771; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005161; classtype:web-application-attack; sid:2005161; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net)"; dns.query; content:"al-taleanews.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035777; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005162; classtype:web-application-attack; sid:2005162; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com)"; dns.query; content:"akhbar-islamyah.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035774; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005163; classtype:web-application-attack; sid:2005163; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"cozmo-store.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035864; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS z1exchange edit.php site parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/edit.php?"; nocase; content:"site="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32556; reference:url,milw0rm.com/exploits/7311; reference:url,doc.emergingthreats.net/2008928; classtype:web-application-attack; sid:2008928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software)"; dns.query; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035666; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/catalogo.php?"; nocase; content:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru)"; dns.query; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; content:"src="; nocase; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011573; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"rss-me.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035861; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; content:"w="; nocase; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011574; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Buer - DomainInfo Domain"; flow:established,to_server; dns.query; content:"officewestunionbank.com"; bsize:23; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:domain-c2; sid:2032893; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family Buer, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; content:"h="; nocase; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011572; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com)"; dns.query; content:"akhbar-almasdar.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035773; rev:3; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/addressbook.cgi?"; nocase; content:"show=search"; nocase; content:"page="; nocase; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13944; classtype:web-application-attack; sid:2011566; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)"; dns.query; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035660; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dompdf.php?"; nocase; content:"input_file="; nocase; pcre:"/input_file=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14851/; classtype:web-application-attack; sid:2011565; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net)"; dns.query; content:"al-taleanewsonline.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035778; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class.phpmailer.php?"; nocase; content:"lang_path="; nocase; pcre:"/lang_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14893/; classtype:web-application-attack; sid:2011564; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send)"; dns.query; bsize:>22; content:"266"; offset:3; depth:8; pcre:"/^[zjr9x]{1}[tmdhpz]{1}[0-9a-z]{1,6}266(?:[a-zA-Z0-9]{1,6})?+\./"; content:!".trendmicro.com"; content:!"cnr.io"; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; classtype:command-and-control; sid:2031194; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/content/dynpage_load.php?"; nocase; content:"file="; nocase; reference:url,secunia.com/advisories/41317/; classtype:web-application-attack; sid:2011563; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com)"; dns.query; content:"giga.gnisoft.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/oldnews_reader.php?"; nocase; content:"lang="; nocase; reference:url,exploit-db.com/exploits/13899/; classtype:web-application-attack; sid:2011562; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:established,to_server; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/"; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:7; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011557; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njRAT CnC Command (ll)"; flow:established,to_server; dsize:<350; content:"|00|ll"; depth:8; fast_pattern; content:"Win|20|"; distance:0; pcre:"/^\d{1,5}\x00ll/i"; reference:md5,ac7b1fdc679fdbd3cb0cd8a3e30ecddb; classtype:command-and-control; sid:2021176; rev:6; metadata:created_at 2015_06_02, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011558; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=Te"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:command-and-control; sid:2025147; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Downloader_Small_BIL, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011559; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,to_client; dsize:<50; content:"aw|7c 7c 7c|"; fast_pattern; nocase; depth:5; content:"|7c|"; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011560; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moist Stealer CnC Exfil"; flow:established,to_server; http.uri; content:".php?id="; content:"&caption="; distance:0; content:"|20|Moist|20|Stealer|20|gate|20|detected|20|new|20|log!"; nocase; distance:0; fast_pattern; content:"User|3a|"; nocase; distance:0; content:"IP|3a|"; nocase; distance:0; http.request_body; content:"].zip|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,f855dffcbd21d4e4a59eed5a7a392af9; classtype:command-and-control; sid:2030900; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Moist_Stealer, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011561; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8"; bsize:85; content:!"application/signed-exchange"; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 4.1.1|3b 20|Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari"; bsize:123; content:!"Safari/535.19"; http.cookie; content:"__guid="; depth:7; content:"|3b|opqopq="; distance:0; fast_pattern; content:"|3b|QiHooGUID="; distance:0; content:"|3b|"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; classtype:command-and-control; sid:2032746; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jphone"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/14964/; classtype:web-application-attack; sid:2011554; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LIST)"; flow:established,to_server; tls.sni; content:"LIST-"; startswith; fast_pattern; pcre:"/^LIST-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/familynews.php?"; nocase; content:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011552; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LS)"; flow:established,to_server; tls.sni; content:"LS-"; startswith; fast_pattern; pcre:"/^LS-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/settings.php?"; nocase; content:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011553; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (SIZE)"; flow:established,to_server; tls.sni; content:"SIZE-"; startswith; fast_pattern; pcre:"/^SIZE-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033802; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AlstraSoft AskMe que_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/forum_answer.php?"; nocase; content:"que_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,exploit-db.com/exploits/14979/; classtype:web-application-attack; sid:2011547; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LD)"; flow:established,to_server; tls.sni; content:"LD-"; startswith; fast_pattern; pcre:"/^LD-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/gnupg/json.php?"; nocase; content:"task=send_key"; nocase; content:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/i"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CB)"; flow:established,to_server; tls.sni; content:"CB-"; startswith; fast_pattern; pcre:"/^CB-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033804; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_del.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/13665; classtype:web-application-attack; sid:2011377; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CD)"; flow:established,to_server; tls.sni; content:"CD-"; startswith; fast_pattern; pcre:"/^CD-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033805; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cacti/utilities.php"; nocase; content:"tail_lines="; nocase; content:"message_type="; nocase; content:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EX)"; flow:established,to_server; tls.sni; content:"EX-"; startswith; fast_pattern; pcre:"/^EX-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033806; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (ALIVE)"; flow:established,to_server; tls.sni; content:"ALIVE-"; startswith; fast_pattern; pcre:"/^ALIVE-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EXIT)"; flow:established,to_server; tls.sni; content:"EXIT-"; startswith; fast_pattern; pcre:"/^EXIT-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033808; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41204; classtype:web-application-attack; sid:2011428; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (finito)"; flow:established,to_server; tls.sni; content:"finito-"; startswith; fast_pattern; pcre:"/^finito-[A-Za-z0-9]{16}\./"; reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011429; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Click and Removal of Download Element"; flow:established, to_client; http.stat_code; content:"200"; file.data; content:"e|2e|setAttribute|28 22|download|22 2c 22 22 29|"; fast_pattern; content:"e|2e|click|28 29 2c|e|2e|remove|28 29|"; distance:0; reference:url,www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033816; rev:2; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011450; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in XML HTML Title Tags Inbound"; flow:established,to_client; content:"|3c 3f|xml"; content:"|3c|title|20|type|3d 27|text|27 3e 40|"; distance:0; fast_pattern; content:"|40 3c 2f|title|3e|"; distance:0; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jgrid"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/40987/; reference:url,exploit-db.com/exploits/14656/; classtype:web-application-attack; sid:2011451; rev:4; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mingloa CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page=querycpc/items/&duid="; fast_pattern; content:"&pid="; distance:0; content:"&time="; distance:0; content:"&hash="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service; classtype:command-and-control; sid:2033913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/dailyview.php?"; nocase; content:"date="; nocase; pcre:"/date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13770; classtype:web-application-attack; sid:2011452; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewalk CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|gtuvid|0d 0a|"; fast_pattern; content:"|0d 0a|gtsid|0d 0a|"; reference:url,welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:command-and-control; sid:2033937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/maincore.php?"; nocase; content:"folder_level="; nocase; reference:url,inj3ct0r.com/exploits/13709; classtype:web-application-attack; sid:2011453; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; pcre:"/^.{4}(?:R(?:k(?:Z(?:GQkBG|CQEY)|BCRUVG)|0FFRkFH|UJDQUE)|Q(?:U(?:V(?:CQ0FB|GQUc)|NCRkI)|kFDQkZC|EJFRUY)|(?:Z(?:AQkVF|GRkJA)R|JBQ0JGQ)g|FFQkNBQQ|dBRUZBRw)/R"; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith; reference:url,twitter.com/jaydinbas/status/1437708323038564352; classtype:command-and-control; sid:2033982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, performance_impact Moderate, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/global.php?"; nocase; content:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:4; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Spy.Agent.AW Download"; flow:established,to_client; http.response_body; content:"var"; startswith; content:"|5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34 5c 78 35 46 5c 78 36 36 5c 78 36 46 5c 78 37 32 5c 78 36 44 5c 78 35 46 5c 78 36 33 5c 78 36 33 5c 78 37 33 5c 78 36 31 5c 78 37 36 5c 78 36 35|"; within:90; fast_pattern; content:"|5c 78 36 35 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 35 46 5c 78 37 33 5c 78 36 35 5c 78 36 33 5c 78 37 35 5c 78 37 32 5c 78 36 35 5c 78 35 46 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34|"; distance:62; within:76; reference:md5,ade43b2b2cf95ca908b82fe0e76ea54d; classtype:trojan-activity; sid:2034020; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011493; classtype:web-application-attack; sid:2011493; rev:6; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; http.user_agent; content:"unknown"; fast_pattern; bsize:7; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,fd59dd7bb54210a99c1ed677bbfc03a8; classtype:trojan-activity; sid:2034048; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/tmp-upload-images"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011494; classtype:web-application-attack; sid:2011494; rev:6; metadata:created_at 2010_09_29, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits=x"; distance:0; content:"&av="; distance:0; http.header_names; content:!"Referer"; reference:url,blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html; classtype:command-and-control; sid:2034083; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007277; classtype:web-application-attack; sid:2007277; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yawero.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:command-and-control; sid:2034099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007048; classtype:web-application-attack; sid:2007048; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sazoya.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007059; classtype:web-application-attack; sid:2007059; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Tomiris C2 (init)"; flow:established,to_server; content:"|74 00 2b 00 77 00 6c 00 7c 00 76 00 76 00 27 00 30 00 79 00 20 00 29 00|"; offset:0; reference:url,securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/; classtype:trojan-activity; sid:2034119; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007125; classtype:web-application-attack; sid:2007125; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"gloderuniok.website"; bsize:19; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007126; classtype:web-application-attack; sid:2007126; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"vloderuniok.website"; bsize:19; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UNION SELECT"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004109; classtype:web-application-attack; sid:2004109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Gojihu.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid ASCII"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004112; classtype:web-application-attack; sid:2004112; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Yuxicu.com"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034143; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"functions_navlinks.php?"; nocase; content:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008880; classtype:web-application-attack; sid:2008880; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sabsik Config Downloader"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_body; content:"|24|url|3d 22|http|3a 2f 2f|"; startswith; content:"|2e|txt|22 3b 0d 0a 24|web|20 3d 20|New|2d|Object|20|System|2e|Net|2e|WebClient|3b|"; distance:0; within:63; fast_pattern; reference:md5,49eb944fb7f86a9d6649c6a190c782e8; classtype:trojan-activity; sid:2034288; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"profile_send.php?"; nocase; content:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008881; classtype:web-application-attack; sid:2008881; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Google Chrome Notifications Installer"; flow:established,to_client; http.response_body; content:"|28|function|20 28 29|"; startswith; content:"callbackName|3a 20 27|onSubInit|27|"; distance:0; content:"workerName|3a 20 27|"; distance:0; content:"serverUrl|3a 20 27|"; distance:0; content:"applicationServerKey|3a 20|"; distance:0; content:"cookieNameS|3a 20 27|notify|2d|p|27|"; fast_pattern; distance:0; reference:url,rapid7.com/blog/post/2021/10/28/sneaking-through-windows-infostealer-malware-masquerades-as-windows-application; reference:md5,45602bfa86ee9a5e31758a24a0d5cd08; classtype:trojan-activity; sid:2034307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/plugin/gateway/gnokii/init.php?"; nocase; content:"apps_path[plug]="; nocase; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009085; classtype:web-application-attack; sid:2009085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Windows Defender"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"reg|20|delete|20 22|HKLM|5c|Software|5c|Policies|5c|Microsoft|5c|Windows|20|Defender|22 20 2f|f"; distance:0; fast_pattern; classtype:trojan-activity; sid:2034338; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/plugin/themes/default/init.php?"; nocase; content:"apps_path[themes]="; nocase; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009087; classtype:web-application-attack; sid:2009087; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Real Time Monitoring"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"powershell.exe Set-MpPreference -DisableRealtimeMonitoring|20 24|true"; within:66; fast_pattern; classtype:trojan-activity; sid:2034339; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"viewtopic_PM-link.php?"; nocase; content:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008882; classtype:web-application-attack; sid:2008882; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"GetObject|28 22|winmgmts|3a 22 2b 22 7b|impersonationLevel=impersonate|7d 22 2b 22|"; fast_pattern; distance:0; content:"ExecQuery|28 22|Select|20 2a 20 22 2b 22|from|20 22 2b 22|Win32|5f 22 2b 22|Process|22 29 3b|"; distance:0; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034359; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/lib/function.php?"; nocase; content:"apps_path[libs]="; nocase; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009089; classtype:web-application-attack; sid:2009089; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"|3d 22|Explore|22 3b|"; distance:0; content:"|22|W|22 2b 22|scr"; distance:0; content:"|2b 22|ipt|22 2b 22 2e|S|22 3b|"; distance:0; content:"|3d 22|aHR0cHM6Ly9kb2NzLmdvb2dsZS5jb20vc3ByZWFkc2hlZXRzL2Qv"; distance:0; fast_pattern; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/1011-exploits/joomlaxplorer-rfi.txt; classtype:web-application-attack; sid:2011935; rev:6; metadata:created_at 2010_11_19, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded Script Disables Firewall/Antivirus"; flow:established,to_client; http.content_type; content:"text/plain"; file.data; content:"|22|C:|5c|Windows|5c|debug|5c|m|5c|winlogon.exe|22|"; content:"netsh advfirewall set allprofiles state off"; within:45; fast_pattern; content:"name like |27 25|Eset|25 27 22| call uninstall /nointeractive"; reference:md5,fcfc0feed527d188d6b2ed3445758511; classtype:trojan-activity; sid:2034395; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006650; classtype:web-application-attack; sid:2006650; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|29 2a 28|"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034437; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; pcre:"/ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012031; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET MALWARE Possible NGLite Backdoor C2 Traffic (NKN)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"|22|address|22 3a|"; content:"|2e|monitor_03|2e|"; within:20; reference:url,unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:command-and-control; sid:2034438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family NGLite, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005834; classtype:web-application-attack; sid:2005834; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Application"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id SELECT"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004005; classtype:web-application-attack; sid:2004005; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Name"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004006; classtype:web-application-attack; sid:2004006; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Email"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id INSERT"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004007; classtype:web-application-attack; sid:2004007; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Server"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id DELETE"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004008; classtype:web-application-attack; sid:2004008; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Secured"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id ASCII"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004009; classtype:web-application-attack; sid:2004009; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Type"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004010; classtype:web-application-attack; sid:2004010; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=User"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034448; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/auktion.php?"; nocase; content:"id_auk="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12026/; classtype:web-application-attack; sid:2012189; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Password"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=SMTP"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034450; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004012; classtype:web-application-attack; sid:2004012; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|2f 2a 5c|"; fast_pattern; reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004013; classtype:web-application-attack; sid:2004013; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/s"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004014; classtype:web-application-attack; sid:2004014; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET|20|CLR|20|2.0.50727|3b 20|.NET|20|CLR|20|3.0.30729|3b 20|.NET|20|CLR|20|3.5.30729|3b 20|InfoPath.3)"; fast_pattern; bsize:162; http.header_names; content:!"Referer"; reference:md5,8eb1525db6bdadce7dae53b15f544bd2; classtype:trojan-activity; sid:2034464; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004015; classtype:web-application-attack; sid:2004015; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (stop)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73746f707d1|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034479; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004016; classtype:web-application-attack; sid:2004016; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET 26800 (msg:"ET MALWARE ABCbot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; bsize:11; http.header_names; content:!"Referer"; http.connection; content:"close"; http.content_type; content:"application/x-www-form-url encoded"; http.request_body; content:"OS|3a 20|"; startswith; content:"CPU:"; distance:0; content:"os-name:"; fast_pattern; distance:0; content:"lanip:"; distance:0; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034483; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013761; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (syn)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73796e|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034484; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; http.uri; content:"/modules.php"; nocase; reference:bugtraq,7193; classtype:web-application-attack; sid:2102654; rev:7; metadata:created_at 2010_09_23, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (dns)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"646e73|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034485; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/body_default.php?"; nocase; content:"GOODS[no]="; nocase; content:"GOODS[gs_input]="; nocase; content:"shop_this_skin_path="; nocase; pcre:"/shop_this_skin_path=\s*(https?|ftps?|php)\:\//i"; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; reference:url,doc.emergingthreats.net/2009229; classtype:web-application-attack; sid:2009229; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (bigudp)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"626967756470|7c|"; fast_pattern; startswith; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034486; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/body_default.php?"; nocase; content:"GOODS[no]="; nocase; content:"GOODS[gs_input]="; nocase; content:"shop_this_skin_path="; nocase; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; reference:url,doc.emergingthreats.net/2009230; classtype:web-application-attack; sid:2009230; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (hello)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=hello"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034562; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup"; dns.query; content:"vtboss.yolox.net"; nocase; endswith; reference:md5,060b0ce9e6d625b57abd2ba23d38d513; reference:url,blog.talosintelligence.com/2017/03/threat-roundup-0306-0310.html; classtype:domain-c2; sid:2028632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_26, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (command)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=command"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034563; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mac Trojan HTTP Checkin (accept-language violation)"; flow:established,to_server; http.method; content:"GET"; http.start; content:"|20|HTTP/1.1|0d 0a|Accept-Language|3a 20|"; fast_pattern; pcre:"/^[a-zA-Z0-9]{20}/R"; reference:url,doc.emergingthreats.net/2007650; classtype:command-and-control; sid:2007650; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (result)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=result"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\x2E(p(hp|ng)|jpe?g|cgi|gif)\x3F(v\d{1,2}|pr)\x3D/"; http.user_agent; content:"chrome/9.0"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:command-and-control; sid:2014163; rev:11; metadata:created_at 2012_01_28, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (file)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=file"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer"; reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Chinotto, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [TGI] Cobalt Strike Malleable C2 Request (YouTube Profile)"; flow:established,to_server; http.uri; content:"/watch?v=iRXJXaLV0n4"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1)|20|"; startswith; http.host; content:"www.youtube.com"; http.header_names; content:!"Referer"; content:"Cookie"; reference:md5,69c6e302cc4394cae7ed8c6f7b288e92; reference:url,attack.mitre.org/groups/G0080/; classtype:command-and-control; sid:2028591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Request)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"update.php?id="; fast_pattern; pcre:"/^[0-9]{9}/R"; content:"&stat="; pcre:"/^[0-9a-zA-Z]{32}/R"; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034573; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.zhack.ca"; distance:20; within:11; endswith; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:url,github.com/ettic-team/dnsbin; classtype:command-and-control; sid:2028634; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_27, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Response)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|21|lexec|3b|http"; startswith; fast_pattern; content:"|2e|exe"; endswith; reference:md5,fbfd9afac42ae8e86193a8e4be085eaf; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo - Data Inbound"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".i.zhack.ca"; distance:20; within:11; endswith; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:url,github.com/ettic-team/dnsbin; classtype:command-and-control; sid:2028635; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_09_27, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/var/run/tty"; startswith; fast_pattern; pcre:"/^\/\.x\/var\/run\/tty\d$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034684; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; flowbits:set,ET.ass.request; flowbits:noalert; http.uri; content:".ass"; nocase; reference:url,doc.emergingthreats.net/2010757; classtype:not-suspicious; sid:2010757; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/var/"; startswith; content:"pty"; fast_pattern; endswith; bsize:11; pcre:"/^\/var\/(?:run|tmp)\/pty$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer"; classtype:trojan-activity; sid:2034686; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ardeaCore/lib/core/ardeaInit.php?"; nocase; content:"pathForArdeaCore="; nocase; pcre:"/pathForArdeaCore=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,40811; reference:url,vupen.com/english/advisories/2010/1444; reference:url,exploit-db.com/exploits/13832/; reference:url,doc.emergingthreats.net/2011214; classtype:web-application-attack; sid:2011214; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity M11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data=active"; endswith; fast_pattern; pcre:"/^\/[a-z0-9]{45,60}\/[a-z0-9]{35,65}\/[a-z0-9]{38,60}\.php\?data=active$/U"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"Connection"; reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034739; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Cosmu.xet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"GoGo.ashx?Mac="; content:"&UserId="; content:"&Bate="; reference:md5,f39554f3afe92dca3597efc1f7709ad4; classtype:command-and-control; sid:2011278; rev:5; metadata:attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_setdata&__ds_setdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection"; reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034740; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET MALWARE Stuxnet index.php"; flow:to_server,established; http.uri; content:"/index.php?data=66a96e28"; nocase; reference:url,research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html; classtype:trojan-activity; sid:2011300; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_getdata&__ds_getdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection"; reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034741; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (2)"; flow:established,to_server; http.uri; content:"/?rnd="; nocase; content:"&id="; pcre:"/\/\?rnd=\d+&id=\d+$/"; reference:md5,579f2e29434218d62d31625d369cbc42; reference:md5,76cf08503cdd036850bcc4f29f64022f; classtype:trojan-activity; sid:2011337; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeamTNT Related Domain in DNS Lookup (chimaera .cc)"; dns.query; content:"chimaera.cc"; nocase; bsize:11; reference:url,blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html; classtype:domain-c2; sid:2036455; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_03, deployment Perimeter, former_category MALWARE, malware_family TeamTNT, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeYak or Related Infection Checkin 1"; flow:established,to_server; http.uri; content:"&fff="; content:"&coid="; content:"do="; content:"&IP="; nocase; content:"lct="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak; classtype:command-and-control; sid:2011396; rev:5; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M5"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9-]{8,40}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0684d80e91581730f814e831f703bf5b; reference:url,twitter.com/s1ckb017/status/1507316584079142915; classtype:trojan-activity; sid:2035611; rev:2; metadata:created_at 2022_03_25, former_category MALWARE, malware_family Kimsuky, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz/Rohimafo Checkin"; flow:established,to_server; http.uri; content:".php?id="; nocase; content:"&ver="; nocase; content:"&up="; nocase; content:"&os="; nocase; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,doc.emergingthreats.net/2010791; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011791; rev:6; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pripyat Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/endpoint.php"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"cpp-httplib/0.9"; bsize:15; http.request_body; content:"|22|computername|22 3a 22|"; content:"|22|username|22 3a 22|"; distance:0; content:"|22|hashrate|22 3a|"; distance:0; reference:md5,ffb7bbf6e3e3199555b979b46d3789a6; reference:url,twitter.com/3xp0rtblog/status/1501330153900703745; reference:md5,a12ba07fcdb4eb1c1ea65e8fa49ec4ad; classtype:trojan-activity; sid:2035420; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; http.uri; content:"/socks.php?"; nocase; content:"name="; nocase; content:"&port="; nocase; pcre:"/port=[1-9]{1,5}/i"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:md5,0bb4662b54f02c989edc520314fc20ea; reference:md5,a671eb9979505119f4106a990c4ef7ab; reference:md5,3614d4f6527d512b61c27c4e213347a6; classtype:command-and-control; sid:2011523; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (onlinestockwatch .net)"; dns.query; content:"onlinestockwatch.net"; nocase; bsize:20; reference:url,twitter.com/ESETresearch/status/1521735320852643840; classtype:domain-c2; sid:2036459; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutManager.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011666; classtype:web-application-attack; sid:2011666; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT PebbleDash Related Activity (GET)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/test.php"; bsize:9; fast_pattern; http.accept; content:"|2a 2f 2a|"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; http.request_body; content:"sep="; startswith; content:"&uid="; distance:0; reference:md5,946f787c129bf469298aa881fb0843f4; classtype:trojan-activity; sid:2036509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutParser.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011167; classtype:web-application-attack; sid:2011167; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DeathStalker APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?req="; startswith; http.host; content:".pythonanywhere.com"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,871d64d8330d956593545dfff069194e; reference:md5,6161845ad2c2a2e830f249df4e0c502a; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; reference:url,usa.kaspersky.com/about/press-releases/2020_infamous-hacker-for-hire-group-death-stalker-hits-the-americas-and-europe-with-new-power-pepper-malware; classtype:trojan-activity; sid:2036462; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DeathStalker, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/2fly_gift.php?"; nocase; content:"gameid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/36294/; reference:url,osvdb.org/show/osvdb/57136; reference:url,doc.emergingthreats.net/2010196; classtype:web-application-attack; sid:2010196; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dotx?v="; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/ShadowChasing1/status/1522181041489776641; reference:md5,a49bcddba6ec46c5868b46db6202cb76; classtype:trojan-activity; sid:2036463; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004059; classtype:web-application-attack; sid:2004059; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (daji8 .me)"; dns.query; dotprefix; content:".daji8.me"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036477; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004060; classtype:web-application-attack; sid:2004060; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (fbi .am)"; dns.query; dotprefix; content:".fbi.am"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036478; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating INSERT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004061; classtype:web-application-attack; sid:2004061; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (11i .me)"; dns.query; dotprefix; content:".11i.me"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036479; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating DELETE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004062; classtype:web-application-attack; sid:2004062; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (shopingchina .net)"; dns.query; dotprefix; content:".shopingchina.net"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036480; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating ASCII"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004063; classtype:web-application-attack; sid:2004063; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (googie .ph)"; dns.query; dotprefix; content:".googie.ph"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036481; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004064; classtype:web-application-attack; sid:2004064; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (daj8 .me)"; dns.query; dotprefix; content:".daj8.me"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036482; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004071; classtype:web-application-attack; sid:2004071; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (rootkit .tools)"; dns.query; dotprefix; content:".rootkit.tools"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036483; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004072; classtype:web-application-attack; sid:2004072; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (github .wiki)"; dns.query; dotprefix; content:".github.wiki"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036484; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id INSERT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004073; classtype:web-application-attack; sid:2004073; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (mircrosoftscoulds .com)"; dns.query; dotprefix; content:".mircrosoftscoulds.com"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036485; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id DELETE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004074; classtype:web-application-attack; sid:2004074; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (whoamis .info)"; dns.query; dotprefix; content:".whoamis.info"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036486; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id ASCII"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004075; classtype:web-application-attack; sid:2004075; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (adobe .name)"; dns.query; dotprefix; content:".adobe.name"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036487; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004076; classtype:web-application-attack; sid:2004076; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (dajuw .com)"; dns.query; dotprefix; content:".dajuw.com"; nocase; endswith; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036488; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007217; classtype:web-application-attack; sid:2007217; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (adobe-flash .wiki)"; dns.query; content:"adobe-flash.wiki"; nocase; bsize:16; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036489; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007218; classtype:web-application-attack; sid:2007218; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (update .adobe .wiki)"; dns.query; content:"update.adobe.wiki"; nocase; bsize:17; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036490; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007219; classtype:web-application-attack; sid:2007219; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (flash .wy886066 .com)"; dns.query; content:"flash.wy886066.com"; nocase; bsize:18; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036491; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007220; classtype:web-application-attack; sid:2007220; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .vip)"; dns.query; content:"linux.wy01.vip"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036492; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007221; classtype:web-application-attack; sid:2007221; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (exmail .googie .com .ph)"; dns.query; content:"exmail.googie.com.ph"; nocase; bsize:20; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036494; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007222; classtype:web-application-attack; sid:2007222; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (linux .wy01 .com)"; dns.query; content:"linux.wy01.com"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036495; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod ASCII"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005061; classtype:web-application-attack; sid:2005061; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (mmimdown .oss-cn-hongkong .aliyuncs .com)"; dns.query; content:"mmimdown.oss-cn-hongkong.aliyuncs.com"; nocase; bsize:37; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036496; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005062; classtype:web-application-attack; sid:2005062; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup (agph .ivi66 .net)"; dns.query; content:"agph.ivi66.net"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036497; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005573; classtype:web-application-attack; sid:2005573; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup"; dns.query; content:"|66 75 63 6b 65 72|youmm.nmb.bet"; nocase; bsize:19; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036493; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UNION SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005574; classtype:web-application-attack; sid:2005574; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka CnC Domain in DNS Lookup"; dns.query; content:"fbi.|66 75 63 6b|bc.com"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036498; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name INSERT"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005575; classtype:web-application-attack; sid:2005575; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tt/ll"; bsize:6; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; content:!"User-Agent"; reference:md5,71eae5c5a8c5a466c73f6a83b92dbfbc; classtype:trojan-activity; sid:2036468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, former_category MALWARE, malware_family PoshC2, signature_severity Major, updated_at 2022_05_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name DELETE"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005576; classtype:web-application-attack; sid:2005576; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager Related Domain in DNS Lookup"; dns.query; content:"ny.nsd-gov-pk.com"; nocase; bsize:17; reference:md5,a0ffa124d3d275874380728224980ca8; reference:url,twitter.com/nao_sec/status/1521453116024971264; classtype:domain-c2; sid:2036507; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ASCII"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005577; classtype:web-application-attack; sid:2005577; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Cryxos Stealer Variant Sending Data to Telegram (POST)"; flow:established,to_server; http.uri; content:"/bot1257337675:AAHDZVp72afEEmv4n6WqVFZ-_CxfvOedcso/"; fast_pattern; startswith; http.host; content:"api.telegram."; startswith; classtype:trojan-activity; sid:2036508; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005578; classtype:web-application-attack; sid:2005578; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eternity Stealer Screen Capture Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/clipper/"; startswith; fast_pattern; content:"install="; content:"wallets="; content:"user="; content:"comp="; content:"ip="; content:"country="; content:"city="; http.host; content:".onion"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Proxy-Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"|ff d8 ff e0|"; content:"JFIF"; distance:2; within:4; reference:md5,c4b46a2d0898e9ba438366f878cd74bd; classtype:trojan-activity; sid:2036541; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category MALWARE, malware_family Eternity_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005579; classtype:web-application-attack; sid:2005579; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Eternity Stealer Data Exfiltration Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/stealer/"; startswith; fast_pattern; content:"pwds="; content:"cards="; content:"wlts="; content:"files="; content:"user="; content:"comp="; content:"ip="; content:"country="; content:"city="; content:"tag="; content:"domains="; content:"ad="; http.host; content:".onion"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Proxy-Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"Information.txt"; distance:0; reference:md5,c4b46a2d0898e9ba438366f878cd74bd; classtype:trojan-activity; sid:2036542; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, former_category MALWARE, malware_family Eternity_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UNION SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005580; classtype:web-application-attack; sid:2005580; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M1"; flow:established,to_server; http.uri; content:"/utag/lbg/main/prod/utag.15.js/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036510; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did INSERT"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005581; classtype:web-application-attack; sid:2005581; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Eternity Stealer CnC Domain in DNS Lookup (wasabiwallet .online)"; dns.query; content:"wasabiwallet.online"; nocase; bsize:19; reference:md5,c4b46a2d0898e9ba438366f878cd74bd; classtype:trojan-activity; sid:2036543; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, malware_family Eternity_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did DELETE"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005582; classtype:web-application-attack; sid:2005582; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M2"; flow:established,to_server; http.uri; content:"/babel-polyfill/6.3.14/polyfill.min.js=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036511; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ASCII"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005583; classtype:web-application-attack; sid:2005583; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M3"; flow:established,to_server; http.uri; content:"/adServingData/PROD/TMClient/6/8736/"; startswith;fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036512; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005584; classtype:web-application-attack; sid:2005584; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert udp $HOME_NET any -> any ![80,443] (msg:"ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic"; dsize:24; content:"|30 00|"; startswith; content:"|00 04 00 00 00 10 00 00 00 00 00 00|"; distance:9; fast_pattern; endswith; threshold:type limit, count 1, seconds 120, track by_src; reference:url,www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html; classtype:trojan-activity; sid:2036499; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_05, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Win32_DLOADR_TIOIBEPQ, performance_impact Low, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011215; classtype:web-application-attack; sid:2011215; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M4"; flow:established,to_server; http.uri; content:"/advanced_search/"; startswith;fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036513; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011216; classtype:web-application-attack; sid:2011216; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M5"; flow:established,to_server; http.uri; content:"/async/newtab/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036514; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011217; classtype:web-application-attack; sid:2011217; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M6"; flow:established,to_server; http.uri; content:"/bh/sync/aol/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036515; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011218; classtype:web-application-attack; sid:2011218; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M7"; flow:established,to_server; http.uri; content:"/bootstrap/3.1.1/bootstrap.min.js/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036516; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011219; classtype:web-application-attack; sid:2011219; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M8"; flow:established,to_server; http.uri; content:"/branch-locator/search.asp/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036517; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007510; classtype:web-application-attack; sid:2007510; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M9"; flow:established,to_server; http.uri; content:"/business/home.asp&ved=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036518; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007511; classtype:web-application-attack; sid:2007511; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M10"; flow:established,to_server; http.uri; content:"/cdba"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036519; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007512; classtype:web-application-attack; sid:2007512; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M11"; flow:established,to_server; http.uri; content:"/classroom/sharewidget/widget_stable.html"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036520; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007513; classtype:web-application-attack; sid:2007513; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M12"; flow:established,to_server; http.uri; content:"/client_204/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036521; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007514; classtype:web-application-attack; sid:2007514; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M13"; flow:established,to_server; http.uri; content:"/load/pages/index.php/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036522; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007515; classtype:web-application-attack; sid:2007515; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M15"; flow:established,to_server; http.uri; content:"/TOS/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036523; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007516; classtype:web-application-attack; sid:2007516; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M16"; flow:established,to_server; http.uri; content:"/trader-update/history&pd=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036524; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007517; classtype:web-application-attack; sid:2007517; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M17"; flow:established,to_server; http.uri; content:"/types/translation/v1/articles/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036525; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007518; classtype:web-application-attack; sid:2007518; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M18"; flow:established,to_server; http.uri; content:"/uasclient/0.1.34/modules/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036526; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007519; classtype:web-application-attack; sid:2007519; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M19"; flow:established,to_server; http.uri; content:"/usersync/tradedesk/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036527; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007520; classtype:web-application-attack; sid:2007520; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M20"; flow:established,to_server; http.uri; content:"/webhp/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036528; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007521; classtype:web-application-attack; sid:2007521; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M21"; flow:established,to_server; http.uri; content:"/work/embedded/search/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036529; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007522; classtype:web-application-attack; sid:2007522; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M22"; flow:established,to_server; http.uri; content:"/GoPro5/black/2018/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036530; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007523; classtype:web-application-attack; sid:2007523; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M23"; flow:established,to_server; http.uri; content:"/Philips/v902/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036531; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007524; classtype:web-application-attack; sid:2007524; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M24"; flow:established,to_server; http.uri; content:"/cisben/marketq/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036532; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007525; classtype:web-application-attack; sid:2007525; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M25"; flow:established,to_server; http.uri; content:"/qqzddddd/2018/load.php/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036533; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007526; classtype:web-application-attack; sid:2007526; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M26"; flow:established,to_server; http.uri; content:"/vfe01s/1/vsopts.js/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036534; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007527; classtype:web-application-attack; sid:2007527; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M27"; flow:established,to_server; http.uri; content:"/vssf/wppo/site/bgroup/visitor/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036535; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007528; classtype:web-application-attack; sid:2007528; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M28"; flow:established,to_server; http.uri; content:"/putil/2018/0/11/po.html/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036536; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; classtype:web-application-attack; sid:2007529; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M29"; flow:established,to_server; http.uri; content:"/wpaas/load.php/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036537; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007530; classtype:web-application-attack; sid:2007530; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M30"; flow:established,to_server; http.uri; content:"/web/20110920084728/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036538; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007531; classtype:web-application-attack; sid:2007531; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M31"; flow:established,to_server; http.uri; content:"/business/retail-business/insurance.asp/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036539; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007532; classtype:web-application-attack; sid:2007532; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoshC2 - Observed Default URI Structure M32"; flow:established,to_server; http.uri; content:"/status/995598521343541248/query=/"; startswith; fast_pattern; content:"/?"; within:38; isdataat:!16,relative; reference:url,github.com/nettitude/PoshC2/; reference:url,poshc2.readthedocs.io/en/latest/; classtype:command-and-control; sid:2036540; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family PoshC2, signature_severity Major, tag c2, updated_at 2022_05_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007533; classtype:web-application-attack; sid:2007533; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Stonefly APT Related Domain in DNS Lookup (semiconductboard .com)"; dns.query; content:"semiconductboard.com"; nocase; bsize:20; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage; classtype:domain-c2; sid:2036544; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category MALWARE, malware_family Stonefly, signature_severity Major, updated_at 2022_05_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007534; classtype:web-application-attack; sid:2007534; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Stonefly APT Related Domain in DNS Lookup (tecnojournals .com)"; dns.query; content:"tecnojournals.com"; nocase; bsize:17; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage; classtype:domain-c2; sid:2036545; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category MALWARE, malware_family Stonefly, signature_severity Major, updated_at 2022_05_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007535; classtype:web-application-attack; sid:2007535; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacatac.B Loader CnC Checkin"; flow:established,to_server; content:"REELIP>"; distance:0; fast_pattern; content:"SETMAC>"; distance:0; content:"SETCOMPUTERNAME>"; distance:0; content:"SETPARENT>"; distance:0; content:"SETOS>"; distance:0; content:"SETDATE>"; distance:0; content:"CLIENTID>"; distance:0; content:"CHECKVERSION>"; distance:0; reference:md5,f787cefe0e82f5605fb91d6987781a6b; classtype:trojan-activity; sid:2036564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_05_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007536; classtype:web-application-attack; sid:2007536; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BluStealer Related Domain in DNS Lookup (premium12 .web-hosting .com)"; dns.query; content:"premium12.web-hosting.com"; nocase; bsize:25; reference:url,blog.minerva-labs.com/a-new-blustealer-loader-uses-direct-syscalls-to-evade-edrs; reference:md5,953b2013a8b0d4be5368a65fc74c93f4; classtype:bad-unknown; sid:2036552; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007537; classtype:web-application-attack; sid:2007537; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .cloud)"; dns.query; content:"eleed.cloud"; nocase; bsize:11; reference:url,securelist.com/a-new-secret-stash-for-fileless-malware/106393/; classtype:domain-c2; sid:2036553; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007538; classtype:web-application-attack; sid:2007538; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup (eleed .online)"; dns.query; content:"eleed.online"; nocase; bsize:12; reference:url,securelist.com/a-new-secret-stash-for-fileless-malware/106393/; classtype:domain-c2; sid:2036554; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007539; classtype:web-application-attack; sid:2007539; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/SilentBreak Related Domain in DNS Lookup"; dns.query; content:"opswat.info"; nocase; bsize:11; reference:url,securelist.com/a-new-secret-stash-for-fileless-malware/106393/; classtype:domain-c2; sid:2036555; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_10, deployment Perimeter, signature_severity Major, updated_at 2022_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007540; classtype:web-application-attack; sid:2007540; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; stream_size:server,<,30; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:3; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2022_05_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007541; classtype:web-application-attack; sid:2007541; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Wacatac.B Payload Download"; flow:established,to_client; content:"DOWNLOADANDEXECUTE>"; fast_pattern; reference:md5,f787cefe0e82f5605fb91d6987781a6b; classtype:trojan-activity; sid:2036565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007542; classtype:web-application-attack; sid:2007542; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Throwback CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; endswith; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"pd="; fast_pattern; startswith; pcre:"/^(?:[A-Za-z0-9~+/]{4})*(?:[A-Za-z0-9~+/]{2}==|[A-Za-z0-9~+/]{3}=|[A-Za-z0-9~+/]{4})$/R"; reference:url,github.com/silentbreaksec/Throwback; classtype:trojan-activity; sid:2036590; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family Throwback, signature_severity Major, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007543; classtype:web-application-attack; sid:2007543; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Throwback Server Response (Incoming)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>404 Not Found</title>"; content:"<h1>Not Found</h1>"; distance:0; content:"<hidden stup1fy|20|"; distance:0; fast_pattern; reference:url,github.com/silentbreaksec/Throwback; classtype:trojan-activity; sid:2036591; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family Throwback, signature_severity Major, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007544; classtype:web-application-attack; sid:2007544; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Get2 Downloader Activity"; flow:established,to_server; http.user_agent; content:"CIBA|3b 20|MS-RTC LM 8|29|"; endswith; http.method; content:"POST"; classtype:trojan-activity; sid:2028642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007545; classtype:web-application-attack; sid:2007545; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp any any -> any 443 (msg:"ET MALWARE Malicious ELF Activity"; dsize:<50; content:"OpenSSL-1.0.0-fipps"; startswith; fast_pattern; reference:md5,eb7ba9f7424dffdb7d695b00007a3c6d; classtype:trojan-activity; sid:2036592; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007546; classtype:web-application-attack; sid:2007546; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader - Logs"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|7b 22|method|22 3a 22|log|22 2c 22|params|22 3a 7b 22|logs|22 3a 5b 22|"; startswith; fast_pattern; content:"|2c 22|stage|22 3a 22|"; distance:0; reference:md5,e6b33ddaa9583216013b112b00317d0a; classtype:command-and-control; sid:2036864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family SVCReady, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007547; classtype:web-application-attack; sid:2007547; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader - SysInfo M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|7b 22|method|22 3a 22|sysinfo|5f|short|22 2c 22|params|22 3a 7b|"; startswith; fast_pattern; content:"|22|osinfo|22 3a|"; distance:0; content:"|22|osver|22 3a|"; distance:0; content:"|22|systeminfo|22 3a|"; distance:0; reference:md5,e6b33ddaa9583216013b112b00317d0a; classtype:command-and-control; sid:2036865; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family SVCReady, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007548; classtype:web-application-attack; sid:2007548; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader - SysInfo M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|7b 22|method|22 3a 22|sysinfo|22 2c 22|params|22 3a 7b|"; startswith; fast_pattern; content:"|22|osinfo|22 3a|"; distance:0; content:"|22|osver|22 3a|"; distance:0; content:"|2c 22|stage|22 3a 22|sysinfo|22|"; distance:0; reference:md5,e6b33ddaa9583216013b112b00317d0a; classtype:command-and-control; sid:2036866; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family SVCReady, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007549; classtype:web-application-attack; sid:2007549; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader - Screenshot"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|7b 22|method|22 3a 22|screenshot|22 2c 22|params|22 3a|"; startswith; fast_pattern; content:"|2c 22|stage|22 3a 22|init|22|"; distance:0; content:"|89 50 4e 47 0d 0a|"; distance:0; reference:md5,e6b33ddaa9583216013b112b00317d0a; classtype:command-and-control; sid:2036867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family SVCReady, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007550; classtype:web-application-attack; sid:2007550; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SVCReady Loader CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|g|0d 0a|"; content:"|0d 0a|pr|0d 0a|"; content:"|0d 0a|sg|0d 0a|"; fast_pattern; http.header; pcre:"/^g\x3a\x20[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}[\r\n]+$/m"; pcre:"/^sg\x3a\x20[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}[\r\n]+$/m"; reference:md5,e6b33ddaa9583216013b112b00317d0a; classtype:command-and-control; sid:2036863; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category MALWARE, malware_family SVCReady, signature_severity Major, tag c2, updated_at 2022_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007551; classtype:web-application-attack; sid:2007551; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M4"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\?m=[a-z]&p1=[a-z0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; content:"/?m="; fast_pattern; content:"&p1="; distance:1; within:4; content:!","; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,2d1f1132ab7e80a6a8546dd2ac45bd89; reference:url,download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf; classtype:targeted-activity; sid:2035564; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_05_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007552; classtype:web-application-attack; sid:2007552; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PennyWise Stealer Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getfile"; bsize:8; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"*PennyWise v"; fast_pattern; content:"*Browsers:*"; distance:0; content:"*Wallets:*"; distance:0; content:"*YouTube:*"; distance:0; content:"*Grabber:*"; distance:0; content:"PK|03 04|"; distance:0; byte_test:1,<=,20,0,relative; content:"Information.txt"; distance:0; reference:md5,6aa187bd65ee038e2e8c895a0b6a2977; classtype:trojan-activity; sid:2036597; rev:1; metadata:created_at 2022_05_16, former_category MALWARE, malware_family pennywise_stealer, updated_at 2022_05_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007553; classtype:web-application-attack; sid:2007553; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Borr Stealer Variant Sending System Information"; flow:established,to_server; content:"Content-length|3a|"; content:!"|20|"; distance:0; within:1; content:"UserId|3a|"; content:!"|20|"; distance:0; within:1; content:"Crypto|3a|"; content:!"|20|"; distance:0; within:1; content:"Passworld|3a|"; fast_pattern; content:!"|20|"; distance:0; within:1; content:"Cookies|3a|"; content:!"|20|"; distance:0; within:1; content:"PK"; distance: 200; content:"Processes.txt"; distance:0; content:"User Information.txt"; distance:0; reference:url,twitter.com/3xp0rtblog/status/1522491866834472960; reference:md5,d4d4b796efaf717170edf1a90eeb2a0d; reference:md5,69aef5f237246dec6ef82dda0982e46b; reference:md5,c7175f875b79020acc88eda29100e6d7; classtype:trojan-activity; sid:2036595; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007554; classtype:web-application-attack; sid:2007554; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceApple User-Agent observed"; flow:established,to_server; http.user_agent; content:"Microsoft Office/16.0 |28|Windows NT 10.0|3b 20|Microsoft Outlook 16.0.4551|3b 20|Pro|29|"; http.header_names; content:!"Referer"; reference:url,www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf; classtype:trojan-activity; sid:2036602; rev:2; metadata:attack_target Server, created_at 2022_05_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IceApple, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007555; classtype:web-application-attack; sid:2007555; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .differentfor .com)"; dns.query; dotprefix; content:"..differentfor.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007556; classtype:web-application-attack; sid:2007556; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .mbusabc .com)"; dns.query; dotprefix; content:"..mbusabc.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036604; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007557; classtype:web-application-attack; sid:2007557; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .disknxt .com)"; dns.query; dotprefix; content:"..disknxt.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036605; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007558; classtype:web-application-attack; sid:2007558; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .officehoster .com)"; dns.query; dotprefix; content:"..officehoster.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036606; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007560; classtype:web-application-attack; sid:2007560; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .spffusa .org)"; dns.query; dotprefix; content:"..spffusa.org"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036607; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007561; classtype:web-application-attack; sid:2007561; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .sseekk .xyz)"; dns.query; dotprefix; content:"..sseekk.xyz"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007562; classtype:web-application-attack; sid:2007562; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Restylink Domain in DNS Lookup ( .youmiuri .com)"; dns.query; dotprefix; content:"..youmiuri.com"; nocase; endswith; reference:url,insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies; classtype:trojan-activity; sid:2036609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, malware_family Restylink, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007563; classtype:web-application-attack; sid:2007563; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SiMay RAT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"&shareKey=cfae45c9e7cc8a7734b72abe98235dd1 HTTP/1.0"; fast_pattern; endswith; http.host; content:"note.youdao.com"; reference:md5,a641b3b81153936c6a3d3d99fe8d9736; reference:md5,8205ccb910dc783efcd7d480ef1bd7d9; reference:url,www.sentinelone.com/wp-content/uploads/2022/04/SiMay-RAT.pdf; classtype:trojan-activity; sid:2036600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, former_category MALWARE, malware_family SiMayRAT, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 212cafe Board view.php qID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view.php?"; nocase; content:"qID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31426; reference:url,xforce.iss.net/xforce/xfdb/45428; reference:url,milw0rm.com/exploits/6578; reference:url,doc.emergingthreats.net/2009734; classtype:web-application-attack; sid:2009734; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlueShtorm Infostealer Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"filename|3d 22|Log.zip|22 0d 0a|"; fast_pattern; content:"PK|03 04|"; distance:0; byte_test:1,<=,20,0,relative; content:"System Info.txt"; distance:0; reference:md5,1b02c34f6a49e9ba0c9b9a834a052c13; reference:url,twitter.com/3xp0rtblog/status/1526603444898959362; classtype:trojan-activity; sid:2036610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, former_category MALWARE, malware_family BlueShtorm_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_05_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/page/pageDescriptionObject.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011164; reference:cve,2010-1922; classtype:web-application-attack; sid:2011164; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NetDooka Framework Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"|0d 0a|Expect|3a 20|100-continue|0d 0a|"; http.request_body; content:"get_address"; bsize:11; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,b9ec139e567f88cf9287676ac431c4ab; classtype:trojan-activity; sid:2036612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutHeaderFuncs.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011165; classtype:web-application-attack; sid:2011165; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending Session ID"; flow:established,to_server; dsize:12; content:"|e8 03 00 00|"; startswith; fast_pattern; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,e13d4a4b5eaef60643ce56013fe94344; classtype:trojan-activity; sid:2036613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod SELECT"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005057; classtype:web-application-attack; sid:2005057; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending System Information M1"; flow:established,to_server; content:"|90 01 00 00|"; fast_pattern; pcre:"/(?:[0-9A-F]{2}(?:-)?){16}\x7c/R"; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,e13d4a4b5eaef60643ce56013fe94344; classtype:trojan-activity; sid:2036614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UNION SELECT"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005058; classtype:web-application-attack; sid:2005058; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending File"; flow:established,to_server; dsize:12; content:"|13 00 00 00|"; startswith; fast_pattern; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,e13d4a4b5eaef60643ce56013fe94344; classtype:trojan-activity; sid:2036615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod INSERT"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005059; classtype:web-application-attack; sid:2005059; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Powershell/CustomRAT CnC Domain in DNS Lookup (kleinm .de)"; dns.query; content:"kleinm.de"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/; classtype:trojan-activity; sid:2036622; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, malware_family PowerShell_CustomRAT, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod DELETE"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005060; classtype:web-application-attack; sid:2005060; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PowerShell/CustomRAT Domain (kleinm .de) in TLS SNI"; flow:established,to_server; tls.sni; content:"kleinm.de"; bsize:9; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/; classtype:trojan-activity; sid:2036623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, malware_family PowerShell_CustomRAT, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UNION SELECT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004542; classtype:web-application-attack; sid:2004542; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PowerShell/CustomRAT CnC Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; http.header_names; content:!"Referer"; content:"X-Request-ID"; fast_pattern; http.request_body; content:"type"; content:"newclient"; distance:0; content:"result"; content:"pwd"; content:"cuser"; content:"hostname"; content:"clientid"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/; classtype:trojan-activity; sid:2036624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid INSERT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004543; classtype:web-application-attack; sid:2004543; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/NetDooka Framework RAT Sending System Information M2"; flow:established,to_server; content:"|90 01 00 00|"; fast_pattern; pcre:"/(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\x7c/R"; reference:url,www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html; reference:md5,ff672b6d51815ef9c86e163bfd23f1a5; classtype:trojan-activity; sid:2036616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid DELETE"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004544; classtype:web-application-attack; sid:2004544; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Credit Card Scraper Domain in DNS Lookup (authorizen .net)"; dns.query; content:"authorizen.net"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220516.pdf; classtype:credential-theft; sid:2036625; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ASCII"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004545; classtype:web-application-attack; sid:2004545; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr?q="; startswith; fast_pattern; http.cookie; content:"SRCHD=AF=NOFORM|3b|_SS="; startswith; pcre:"/^[A-Za-z0-9+=/]{172}$/R"; http.user_agent; content:"Mozilla/5.0|20|"; startswith; reference:md5,50b3fb6a2cf209d4bcbea0546e82f58f; reference:url,blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html; classtype:trojan-activity; sid:2036632; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id SELECT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004547; classtype:web-application-attack; sid:2004547; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReVBShell Command Response"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cmd"; bsize:4; http.header_names; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:72; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|cmd|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|result|22 3b 20|filename=|22|cmdoutput|22|"; reference:url,github.com/bitsadmin/ReVBShell; classtype:trojan-activity; sid:2036636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category MALWARE, malware_family ReVBShell, performance_impact Low, signature_severity Major, updated_at 2022_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id INSERT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004548; classtype:web-application-attack; sid:2004548; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Transparent Tribe APT Related Domain in DNS Lookup"; dns.query; content:"millitarytocorp.com"; nocase; bsize:19; reference:md5,7f3d3a055ecb5a6f787b0afbd373af88; reference:url,twitter.com/h2jazi/status/1527331543206617101; classtype:domain-c2; sid:2036633; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id ASCII"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004550; classtype:web-application-attack; sid:2004550; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DCRat Related CnC Domain in DNS Lookup"; dns.query; content:"dcrat.ru"; nocase; bsize:8; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004551; classtype:web-application-attack; sid:2004551; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DCRat Related CnC Domain in DNS Lookup"; dns.query; content:"crystalfiles.ru"; nocase; bsize:15; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible APC Switched Rack PDU Web Administration Interface Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/Forms/login1?login_username="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2009/Dec/1023331.html; reference:url,doc.emergingthreats.net/2010507; classtype:web-application-attack; sid:2010507; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DCRat)"; flow:established,to_client; tls.cert_subject; content:"CN=*.dcrat.ru"; bsize:13; fast_pattern; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036639; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid SELECT"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006819; classtype:web-application-attack; sid:2006819; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat Related Domain (crystalfiles .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"crystalfiles.ru"; bsize:15; fast_pattern; reference:url,blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains; classtype:domain-c2; sid:2036640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UNION SELECT"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006820; classtype:web-application-attack; sid:2006820; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE oRAT Related CnC Domain in DNS Lookup"; dns.query; content:"darwin.github.wiki"; nocase; bsize:18; reference:url,www.sentinelone.com/blog/from-the-front-lines-unsigned-macos-orat-malware-gambles-for-the-win; reference:md5,bb1b4d6fe8940438ecbe94e54fdee0af; classtype:trojan-activity; sid:2036641; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family oRAT, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid INSERT"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006821; classtype:web-application-attack; sid:2006821; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE J-Spy JSP webshell response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"File Manager"; content:"Database Manager"; content:"Port Scan"; content:"Execute Command"; content:"J-spy Root"; fast_pattern; reference:url,github.com/dingody/jspy; classtype:trojan-activity; sid:2036647; rev:1; metadata:attack_target Web_Server, created_at 2022_05_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid DELETE"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006822; classtype:web-application-attack; sid:2006822; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE J-Spy JSP webshell request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.referer; content:".jsp"; endswith; http.request_body; content:"action="; fast_pattern; startswith; pcre:"/^(?:FileManager|PortScan|ExecuteCommand|DatabaseManager)/R"; reference:url,github.com/dingody/jspy; classtype:trojan-activity; sid:2036648; rev:1; metadata:attack_target Web_Server, created_at 2022_05_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family J_spy, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid ASCII"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006823; classtype:web-application-attack; sid:2006823; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Related Domain in DNS Lookup (emshedulersvc .com)"; dns.query; content:"emshedulersvc.com"; nocase; bsize:17; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:domain-c2; sid:2036642; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006824; classtype:web-application-attack; sid:2006824; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Related Domain in DNS Lookup (huandocimama .com)"; dns.query; dotprefix; content:".huandocimama.com"; nocase; endswith; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:domain-c2; sid:2036643; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006825; classtype:web-application-attack; sid:2006825; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Related Domain in DNS Lookup (diyefosterfeeds .com)"; dns.query; content:"diyefosterfeeds.com"; nocase; bsize:19; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:trojan-activity; sid:2036644; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak INSERT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006827; classtype:web-application-attack; sid:2006827; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profiles.php?profiles="; fast_pattern; pcre:"/^[A-Za-z]{15,20}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:trojan-activity; sid:2036645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak DELETE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006828; classtype:web-application-attack; sid:2006828; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vis.php?st="; fast_pattern; http.user_agent; content:"Windows Installer"; bsize:17; reference:md5,6e4b4eb701f3410ebfb5925db32b25dc; reference:url,twitter.com/k3yp0d/status/1527656133837594624; classtype:trojan-activity; sid:2036646; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_20, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_05_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006830; classtype:web-application-attack; sid:2006830; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup"; dns.query; content:"mailcantonfair.cssc.info"; nocase; bsize:24; reference:url,mp.weixin.qq.com/s/qsGxZIiTsuI7o-_XmiHLHg; classtype:domain-c2; sid:2036653; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler SELECT"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006831; classtype:web-application-attack; sid:2006831; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (img .elliotterusties .com)"; dns.query; content:"img.elliotterusties.com"; nocase; bsize:23; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036655; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UNION SELECT"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006832; classtype:web-application-attack; sid:2006832; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .miniboxmail .com)"; dns.query; content:"www.miniboxmail.com"; nocase; bsize:19; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036656; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler INSERT"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006833; classtype:web-application-attack; sid:2006833; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .microtreely .com)"; dns.query; content:"www.microtreely.com"; nocase; bsize:19; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036657; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ASCII"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006835; classtype:web-application-attack; sid:2006835; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TWISTEDPANDA CnC Domain in DNS Lookup (www .minzdravros .com)"; dns.query; content:"www.minzdravros.com"; nocase; bsize:19; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036658; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006836; classtype:web-application-attack; sid:2006836; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .miniboxmail .com)"; flow:established,to_server; tls.sni; content:"www.miniboxmail.com"; bsize:19; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036659; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006837; classtype:web-application-attack; sid:2006837; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .microtreely .com)"; flow:established,to_server; tls.sni; content:"www.microtreely.com"; bsize:19; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036660; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UNION SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006838; classtype:web-application-attack; sid:2006838; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (www .minzdravros .com)"; flow:established,to_server; tls.sni; content:"www.minzdravros.com"; bsize:19; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi INSERT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006839; classtype:web-application-attack; sid:2006839; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TWISTEDPANDA Domain in TLS SNI (img .elliotterusties .com)"; flow:established,to_server; tls.sni; content:"img.elliotterusties.com"; bsize:23; fast_pattern; reference:url,research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/; classtype:targeted-activity; sid:2036662; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, malware_family TwistedPanda, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi DELETE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006840; classtype:web-application-attack; sid:2006840; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:!"Taitus"; content:!"Sling/"; content:!"Updexer/"; content:!"Lightworks"; http.host; content:!"sophosupd.com"; content:!"sophosupd.net"; http.accept; content:"text/*,|20|application/*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:15; metadata:created_at 2014_07_03, former_category MALWARE, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ASCII"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006841; classtype:web-application-attack; sid:2006841; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars Stealer Resources Download"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|50 4b|"; startswith; content:"softokn3.dll"; distance:28; within:12; fast_pattern; bsize:>15000; reference:md5,880924e5583978c615dd03ff89648093; reference:url,twitter.com/X__Junior/status/1528046444963323904; classtype:trojan-activity; sid:2036654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006842; classtype:web-application-attack; sid:2006842; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /request HTTP/1.1"; bsize:21; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; bsize:33; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.cookie; content:"PHPSESSID="; startswith; pcre:"/^PHPSESSID=[a-z0-9]{26}$/C"; reference:md5,880924e5583978c615dd03ff89648093; reference:url,twitter.com/X__Junior/status/1528046444963323904; classtype:trojan-activity; sid:2036667; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno SELECT"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006843; classtype:web-application-attack; sid:2006843; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python CTX Library Backdoor Domain in DNS Lookup (anti-theft-web .herokuapp .com)"; dns.query; content:"anti-theft-web.herokuapp.com"; nocase; bsize:28; reference:url,isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/; classtype:trojan-activity; sid:2036670; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UNION SELECT"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006844; classtype:web-application-attack; sid:2006844; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Python CTX Library Backdoor Domain (anti-theft-web .herokuapp .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"anti-theft-web.herokuapp.com"; bsize:28; fast_pattern; reference:url,isc.sans.edu/forums/diary/ctx+Python+Library+Updated+with+Extra+Features/28678/; classtype:trojan-activity; sid:2036671; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno INSERT"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006845; classtype:web-application-attack; sid:2006845; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Rust Crate Related Domain in DNS Lookup (api .kakn .li)"; dns.query; content:"api.kakn.li"; nocase; bsize:11; reference:md5,95413bef1d4923a1ab88dddfacf8b382; reference:md5,1c9418a81371c351c93165c427e70e8d; reference:url,www.sentinelone.com/labs/cratedepression-rust-supply-chain-attack-infects-cloud-ci-pipelines-with-go-malware/; reference:url,github.com/MythicAgents/poseidon; classtype:domain-c2; sid:2036664; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ASCII"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006847; classtype:web-application-attack; sid:2006847; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE GuLoader Domain in DNS Lookup (zoneofzenith .com)"; dns.query; dotprefix; content:".zoneofzenith.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader; classtype:trojan-activity; sid:2036674; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, malware_family GuLoader, performance_impact Low, signature_severity Major, updated_at 2022_05_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006848; classtype:web-application-attack; sid:2006848; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader/Win.MalXll.R466354 Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intelpro/"; startswith; content:".exe"; endswith; within:10; http.accept; content:"|2a 2f 2a|"; http.header; http.connection; content:"Keep-Alive"; bsize:10; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:md5,70cf3943b421f495fe56a9573d513eba; reference:url,asec.ahnlab.com/ko/34497/; classtype:trojan-activity; sid:2036681; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006849; classtype:web-application-attack; sid:2006849; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SiMay RAT Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"&shareKey=f83f6c6da089d58ea8538c71344b8e64 HTTP/1.0"; fast_pattern; endswith; http.host; content:"note.youdao.com"; reference:md5,d99b6ea197ed91d2a3348b03bb56514d; reference:md5,8205ccb910dc783efcd7d480ef1bd7d9; reference:url,www.sentinelone.com/wp-content/uploads/2022/04/SiMay-RAT.pdf; classtype:trojan-activity; sid:2036679; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family SiMayRAT, signature_severity Major, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UNION SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006850; classtype:web-application-attack; sid:2006850; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fwlink"; bsize:7; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|MATM)"; bsize:76; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036675; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf DELETE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006852; classtype:web-application-attack; sid:2006852; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/visit.js"; bsize:9; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|yie9)"; bsize:76; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036676; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ASCII"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006853; classtype:web-application-attack; sid:2006853; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cm"; bsize:3; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENUSMSE)"; bsize:78; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036677; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006854; classtype:web-application-attack; sid:2006854; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ptj"; bsize:4; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|3b 20|FunWebProducts|3b 20|IE0006_ver1|3b|EN_GB)"; bsize:98; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/; classtype:trojan-activity; sid:2036678; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_05_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006855; classtype:web-application-attack; sid:2006855; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNum APT Related Domain in DNS Lookup (bookaustriavisit .com)"; dns.query; content:"bookaustriavisit.com"; nocase; bsize:20; reference:md5,0b4f0ead0482582f7a98362dbf18c219; reference:url,www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets; classtype:domain-c2; sid:2037148; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family EvilNum, signature_severity Major, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006856; classtype:web-application-attack; sid:2006856; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork APT Related Domain in DNS Lookup (dayspringdesk .xyz)"; dns.query; content:"dayspringdesk.xyz"; nocase; bsize:17; reference:md5,729dd4604fda4b19146d8f33509a43f6; reference:url,twitter.com/ShadowChasing1/status/1529423701913251840; reference:url,twitter.com/katechondic/status/1529378164237008896; classtype:domain-c2; sid:2036680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family Patchwork, signature_severity Major, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006857; classtype:web-application-attack; sid:2006857; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"uuid="; startswith; fast_pattern; content:"&fname="; distance:0; content:"&fcat="; distance:0; content:"&fsize="; distance:0; content:"&fdata="; distance:0; content:"&Isping="; distance:0; content:"&Status="; distance:0; reference:md5,729dd4604fda4b19146d8f33509a43f6; reference:url,twitter.com/RedDrip7/status/1529403598165004289; reference:url,twitter.com/katechondic/status/1529378164237008896; classtype:trojan-activity; sid:2036683; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family Patchwork, signature_severity Major, tag RAT, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik DELETE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006858; classtype:web-application-attack; sid:2006858; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Patchwork APT Related Activity M2 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"IP="; startswith; fast_pattern; content:"&User="; distance:0; content:"&uuid="; distance:0; content:"&Isping="; distance:0; reference:md5,729dd4604fda4b19146d8f33509a43f6; reference:url,twitter.com/RedDrip7/status/1529403598165004289; reference:url,twitter.com/katechondic/status/1529378164237008896; classtype:trojan-activity; sid:2036684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_25, deployment Perimeter, former_category MALWARE, malware_family Patchwork, signature_severity Major, tag RAT, updated_at 2022_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik ASCII"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006859; classtype:web-application-attack; sid:2006859; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SocGholish Related Domain in DNS Lookup (irsbusinessaudit .net)"; dns.query; content:"irsbusinessaudit.net"; nocase; bsize:20; reference:url,medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee; classtype:domain-c2; sid:2036687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, malware_family SocGholish, signature_severity Major, updated_at 2022_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006860; classtype:web-application-attack; sid:2006860; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SocGholish Related Domain in DNS Lookup (irsgetwell .net)"; dns.query; content:"irsgetwell.net"; nocase; bsize:14; reference:url,medium.com/walmartglobaltech/socgholish-campaigns-and-initial-access-kit-4c4283fea8ee; classtype:domain-c2; sid:2036688; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, malware_family SocGholish, signature_severity Major, updated_at 2022_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username SELECT"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005105; classtype:web-application-attack; sid:2005105; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Maldoc Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,9f89075a81920a6602f8ed5faccd8854; reference:url,twitter.com/500mk500/status/1529825325609168896; classtype:trojan-activity; sid:2036682; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UNION SELECT"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005106; classtype:web-application-attack; sid:2005106; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Agent.CVT CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.host; content:".onion"; endswith; http.request_line; content:".onion/stealer/"; fast_pattern; http.uri; content:"/stealer/"; startswith; content:"?pwds="; distance:8; content:"&cards="; within:12; content:"&wlts="; within:8; content:"&files="; within:10; content:"&user="; distance:0; content:"&ip="; distance:0; reference:md5,c5ba2308ef1f4c2735f61c249076622d; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036689; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username INSERT"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005107; classtype:web-application-attack; sid:2005107; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (cugdwpnykghx .ru) in DNS Lookup"; dns.query; content:"cugdwpnykghx.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036712; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username DELETE"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005108; classtype:web-application-attack; sid:2005108; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (zpuxmwmwdxxk .ru) in DNS Lookup"; dns.query; content:"zpuxmwmwdxxk.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036713; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ASCII"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005109; classtype:web-application-attack; sid:2005109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (rhjebiuujydv .ru) in DNS Lookup"; dns.query; content:"rhjebiuujydv.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036714; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005110; classtype:web-application-attack; sid:2005110; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (rwwmefkauiaa .ru) in DNS Lookup"; dns.query; content:"rwwmefkauiaa.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036715; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id SELECT"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005164; classtype:web-application-attack; sid:2005164; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (sanlygeljek .ru) in DNS Lookup"; dns.query; content:"sanlygeljek.ru"; nocase; bsize:14; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036716; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005165; classtype:web-application-attack; sid:2005165; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (sinelnikovd .ru) in DNS Lookup"; dns.query; content:"sinelnikovd.ru"; nocase; bsize:14; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036717; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id INSERT"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005166; classtype:web-application-attack; sid:2005166; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (wzqyuwtdxyee .ru) in DNS Lookup"; dns.query; content:"wzqyuwtdxyee.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036718; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id DELETE"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005167; classtype:web-application-attack; sid:2005167; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (zyzkikpfewuf .ru) in DNS Lookup"; dns.query; content:"zyzkikpfewuf.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036719; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id ASCII"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005168; classtype:web-application-attack; sid:2005168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (ckrddvcveumq .ru) in DNS Lookup"; dns.query; content:"ckrddvcveumq.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036720; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005169; classtype:web-application-attack; sid:2005169; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (dwrfqitgvmqn .ru) in DNS Lookup"; dns.query; content:"dwrfqitgvmqn.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036721; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user SELECT"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005170; classtype:web-application-attack; sid:2005170; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (aztkiryhetxx .ru) in DNS Lookup"; dns.query; content:"aztkiryhetxx.ru"; nocase; bsize:15; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036722; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005171; classtype:web-application-attack; sid:2005171; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Tandem Espionage CnC Domain (dvizhdom .ru) in DNS Lookup"; dns.query; content:"dvizhdom.ru"; nocase; bsize:11; reference:url,inquest.net/blog/2022/05/25/tandem-espionage; classtype:trojan-activity; sid:2036723; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user INSERT"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005172; classtype:web-application-attack; sid:2005172; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Grandoreiro Banking Trojan DGA Domain in DNS Lookup (freedynamicdns. org)"; dns.query; content:"iuc1"; fast_pattern; startswith; pcre:"/^[\da-z]{11}/R"; content:".freedynamicdns.org"; distance:0; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/grandoreiro-banking-malware-resurfaces-for-tax-season/; classtype:trojan-activity; sid:2036724; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user DELETE"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005173; classtype:web-application-attack; sid:2005173; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paknavy .comsats .xyz)"; dns.query; content:"paknavy.comsats.xyz"; nocase; bsize:19; reference:md5,251ff44ae978e2140dd02f00b3f093a0; reference:url,twitter.com/ShadowChasing1/status/1530002383392350208; reference:url,twitter.com/__0XYC__/status/1529707301979947009; classtype:domain-c2; sid:2036706; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_05_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user ASCII"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005174; classtype:web-application-attack; sid:2005174; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nim Based Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/version"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Save-Data|0d 0a|Host|0d 0a 0d 0a|"; endswith; http.header; content:"Save-Data|3a 20|"; fast_pattern; reference:url,twitter.com/h2jazi/status/1531312666987347968; reference:md5,bf80b998a00cbb3705e23c3314498d61; classtype:trojan-activity; sid:2036733; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_05_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005175; classtype:web-application-attack; sid:2005175; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Pandorahvnc/Pikolo RAT Checkin Activity"; flow:established,to_server; content:"|00 01 00 00 00|"; offset:8; content:"|7c|Windows|20|"; fast_pattern; distance:0; content:"|7c 0b|"; endswith; reference:url,www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category MALWARE, malware_family PandoraHVNC, signature_severity Major, tag RAT, updated_at 2022_06_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005883; classtype:web-application-attack; sid:2005883; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert udp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Suspected BPFDoor UDP Magic Packet (Inbound)"; content:"|72 55|"; startswith; fast_pattern; reference:url,exatrack.com/public/Tricephalic_Hellkeeper.pdf; reference:url,elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/; classtype:trojan-activity; sid:2036751; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category MALWARE, malware_family BPFDoor, signature_severity Major, updated_at 2022_06_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005884; classtype:web-application-attack; sid:2005884; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound)"; flow:established; content:"|52 93|"; startswith; fast_pattern; reference:url,exatrack.com/public/Tricephalic_Hellkeeper.pdf; reference:url,elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/; classtype:trojan-activity; sid:2036752; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category MALWARE, malware_family BPFDoor, signature_severity Major, updated_at 2022_06_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005885; classtype:web-application-attack; sid:2005885; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert icmp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Suspected BPFDoor ICMP Magic Packet (Inbound)"; content:"|72 55|"; startswith; fast_pattern; reference:url,exatrack.com/public/Tricephalic_Hellkeeper.pdf; reference:url,elastic.github.io/security-research/intelligence/2022/05/04.bpfdoor/article/; classtype:trojan-activity; sid:2036753; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category MALWARE, malware_family BPFDoor, signature_severity Major, updated_at 2022_06_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005886; classtype:web-application-attack; sid:2005886; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mustang Panda APT PlugX Related Domain in DNS Lookup (myanmarnewsonline .org)"; dns.query; dotprefix; content:".myanmarnewsonline.org"; nocase; endswith; reference:url,twitter.com/kienbigmummy/status/1532305081676464128; reference:md5,1a5aee6e33385b69b7ca46229fb64b8b; classtype:domain-c2; sid:2036754; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family PlugX, malware_family MustangPanda, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005887; classtype:web-application-attack; sid:2005887; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mustang Panda APT PlugX Related Domain in DNS Lookup (hilifimyanmar .com)"; dns.query; dotprefix; content:".hilifimyanmar.com"; nocase; endswith; reference:url,twitter.com/kienbigmummy/status/1532305081676464128; reference:md5,1a5aee6e33385b69b7ca46229fb64b8b; reference:md5,af5f76941888e2c081123a2218a05e09; classtype:domain-c2; sid:2036755; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family PlugX, malware_family MustangPanda, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005888; classtype:web-application-attack; sid:2005888; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA457 Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GO/"; startswith; fast_pattern; content:".php"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Accept-Encoding|0d 0a|Content-Type|0d 0a 0d 0a|"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,f8c29040122cf892190bcf3665975d2f; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2036756; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family TA457, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID SELECT"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007000; classtype:web-application-attack; sid:2007000; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (chrom3 .net)"; dns.query; dotprefix; content:".chrom3.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036764; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007001; classtype:web-application-attack; sid:2007001; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pakgov .net)"; dns.query; dotprefix; content:".pakgov.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036765; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID INSERT"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007002; classtype:web-application-attack; sid:2007002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (aspbin .net)"; dns.query; dotprefix; content:".aspbin.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036766; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID DELETE"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007003; classtype:web-application-attack; sid:2007003; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-edu .net)"; dns.query; dotprefix; content:".cdn-edu.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036767; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID ASCII"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007004; classtype:web-application-attack; sid:2007004; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (s3-cdn .net)"; dns.query; dotprefix; content:".s3-cdn.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036768; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007005; classtype:web-application-attack; sid:2007005; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bitlyy .me)"; dns.query; dotprefix; content:".bitlyy.me"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036769; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view.asp?"; nocase; content:"entry="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33693; reference:url,milw0rm.com/exploits/8012; reference:url,doc.emergingthreats.net/2009185; classtype:web-application-attack; sid:2009185; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (tin-url .com)"; dns.query; dotprefix; content:".tin-url.com"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036770; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt"; flow:established,to_server; http.uri; content:"CONFIG[PATH]="; nocase; pcre:"/(join|lostpw)\.php\?/i"; pcre:"/&CONFIG\x5bpath\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-2149; reference:url,www.osvdb.org/25158; reference:url,doc.emergingthreats.net/2002901; classtype:web-application-attack; sid:2002901; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (nrots .net)"; dns.query; dotprefix; content:".nrots.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036771; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004319; classtype:web-application-attack; sid:2004319; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (gov-pok .net)"; dns.query; dotprefix; content:".gov-pok.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036772; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004320; classtype:web-application-attack; sid:2004320; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (govpk-mail .net)"; dns.query; dotprefix; content:".govpk-mail.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036773; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid INSERT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004321; classtype:web-application-attack; sid:2004321; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (d01fa .net)"; dns.query; dotprefix; content:".d01fa.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036774; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid DELETE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004322; classtype:web-application-attack; sid:2004322; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (kdf-mail .com)"; dns.query; dotprefix; content:".kdf-mail.com"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036775; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004323; classtype:web-application-attack; sid:2004323; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-aws .net)"; dns.query; dotprefix; content:".cdn-aws.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036776; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004324; classtype:web-application-attack; sid:2004324; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-top .net)"; dns.query; dotprefix; content:".cdn-top.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036777; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid SELECT"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007392; classtype:web-application-attack; sid:2007392; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-src .net)"; dns.query; dotprefix; content:".cdn-src.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036778; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UNION SELECT"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007393; classtype:web-application-attack; sid:2007393; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (filesrvr .net)"; dns.query; dotprefix; content:".filesrvr.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036779; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid INSERT"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007394; classtype:web-application-attack; sid:2007394; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cdn-pak .net)"; dns.query; dotprefix; content:".cdn-pak.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036780; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid DELETE"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007395; classtype:web-application-attack; sid:2007395; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (dawnpk .org)"; dns.query; dotprefix; content:".dawnpk.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036781; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ASCII"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007396; classtype:web-application-attack; sid:2007396; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ap1-port .net)"; dns.query; dotprefix; content:".ap1-port.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036782; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007397; classtype:web-application-attack; sid:2007397; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (vpn-secure .co)"; dns.query; dotprefix; content:".vpn-secure.co"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036783; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007398; classtype:web-application-attack; sid:2007398; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (sd1-bin .net)"; dns.query; dotprefix; content:".sd1-bin.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036784; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007399; classtype:web-application-attack; sid:2007399; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA457 Related Activity M2 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GO/"; startswith; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.header; content:"|0d 0a|Authorization|3a 20|auth_token="; fast_pattern; http.request_body; content:"details="; startswith; content:"&news="; distance:0; http.header_names; content:!"Referer"; reference:md5,f8c29040122cf892190bcf3665975d2f; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2036757; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family TA457, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007400; classtype:web-application-attack; sid:2007400; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA457 Related Activity M3 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GO/"; startswith; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.header; content:"|0d 0a|Authorization|3a 20|auth_token="; fast_pattern; http.request_body; content:"news="; startswith; content:"&request_for_read="; distance:0; http.header_names; content:!"Referer"; reference:md5,f8c29040122cf892190bcf3665975d2f; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2036758; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family TA457, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007401; classtype:web-application-attack; sid:2007401; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SideWinder APT antibot script"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"const encriptedData|20 3d 20|encode|28|finalData, secretKey|29 3b|"; content:"Body|3a 20|encriptedData"; distance:0; fast_pattern; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036786; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007402; classtype:web-application-attack; sid:2007402; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paf-gov .net)"; dns.query; dotprefix; content:".paf-gov.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036787; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007403; classtype:web-application-attack; sid:2007403; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (docuserve .ltd)"; dns.query; dotprefix; content:".docuserve.ltd"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036788; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010132; classtype:web-application-attack; sid:2010132; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (fileserve .work)"; dns.query; dotprefix; content:".fileserve.work"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036789; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010135; classtype:web-application-attack; sid:2010135; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cvix .live)"; dns.query; dotprefix; content:".cvix.live"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036790; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/debugger.php?"; nocase; content:"config_atkroot="; nocase; pcre:"/config_atkroot\s*=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,36822; reference:url,doc.emergingthreats.net/2010354; classtype:web-application-attack; sid:2010354; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (edu-cx .org)"; dns.query; dotprefix; content:".edu-cx.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036791; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID SELECT"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007476; classtype:web-application-attack; sid:2007476; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paknvay-pk .net)"; dns.query; dotprefix; content:".paknvay-pk.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036792; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UNION SELECT"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007477; classtype:web-application-attack; sid:2007477; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ministry-pk .net)"; dns.query; dotprefix; content:".ministry-pk.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036793; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID INSERT"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007478; classtype:web-application-attack; sid:2007478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ppinewsagency .live)"; dns.query; dotprefix; content:".ppinewsagency.live"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036794; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID DELETE"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007479; classtype:web-application-attack; sid:2007479; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cr20g .org)"; dns.query; dotprefix; content:".cr20g.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036795; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ASCII"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007480; classtype:web-application-attack; sid:2007480; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (iugur .live)"; dns.query; dotprefix; content:".iugur.live"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036796; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; classtype:web-application-attack; sid:2007481; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (moma-pk .org)"; dns.query; dotprefix; content:".moma-pk.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036797; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007482; classtype:web-application-attack; sid:2007482; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (mod-pk .com)"; dns.query; dotprefix; content:".mod-pk.com"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036798; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007483; classtype:web-application-attack; sid:2007483; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (cloud-apt .net)"; dns.query; dotprefix; content:".cloud-apt.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036799; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007564; classtype:web-application-attack; sid:2007564; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .org)"; dns.query; dotprefix; content:".ksew.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036800; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007484; classtype:web-application-attack; sid:2007484; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bahariafoundation .org)"; dns.query; dotprefix; content:".bahariafoundation.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036801; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007485; classtype:web-application-attack; sid:2007485; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bbcnew .cn)"; dns.query; dotprefix; content:".bbcnew.cn"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036802; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007486; classtype:web-application-attack; sid:2007486; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pak-gov .com)"; dns.query; dotprefix; content:".pak-gov.com"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036803; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID SELECT"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007487; classtype:web-application-attack; sid:2007487; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pakgov .org)"; dns.query; dotprefix; content:".pakgov.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036804; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UNION SELECT"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007488; classtype:web-application-attack; sid:2007488; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (csd-pk .co)"; dns.query; dotprefix; content:".csd-pk.co"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036805; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID INSERT"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007489; classtype:web-application-attack; sid:2007489; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (fdn-trace .net)"; dns.query; dotprefix; content:".fdn-trace.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036806; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007490; classtype:web-application-attack; sid:2007490; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pakmarines .com)"; dns.query; dotprefix; content:".pakmarines.com"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036807; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; classtype:web-application-attack; sid:2007491; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pkrepublic .org)"; dns.query; dotprefix; content:".pkrepublic.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036808; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007492; classtype:web-application-attack; sid:2007492; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pafwa .info)"; dns.query; dotprefix; content:".pafwa.info"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036809; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID SELECT"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007493; classtype:web-application-attack; sid:2007493; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (int-secure .org)"; dns.query; dotprefix; content:".int-secure.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036810; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UNION SELECT"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007494; classtype:web-application-attack; sid:2007494; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (kpt-pk .net)"; dns.query; dotprefix; content:".kpt-pk.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036811; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID INSERT"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007495; classtype:web-application-attack; sid:2007495; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (gov-mail .net)"; dns.query; dotprefix; content:".gov-mail.net"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036812; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID DELETE"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007496; classtype:web-application-attack; sid:2007496; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (krlwin .org)"; dns.query; dotprefix; content:".krlwin.org"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036813; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ASCII"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007497; classtype:web-application-attack; sid:2007497; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (pak-web .com)"; dns.query; dotprefix; content:".pak-web.com"; nocase; endswith; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; reference:url,blog.group-ib.com/sidewinder-antibot; classtype:targeted-activity; sid:2036814; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, malware_family Sidewinder, performance_impact Low, signature_severity Major, updated_at 2022_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007498; classtype:web-application-attack; sid:2007498; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/users/"; startswith; content:"/endpoints/events/poll"; endswith; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; http.accept; content:"json"; bsize:4; http.header; content:"|0d 0a|Authentication|3a 20|skypetoken=eyJhbGciOi"; fast_pattern; content:"|0d 0a|x-ms-session-id|3a 20|f73c3186-057a-d996-3b63-"; reference:md5,2daf4f1dbdc4a3d9726f9b447225113a; reference:url,tarlogic.com/blog/hidding-cobalt-strike-traffic; classtype:trojan-activity; sid:2036824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query SELECT"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007499; classtype:web-application-attack; sid:2007499; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Collector/2.0/settings/?qsp="; startswith; fast_pattern; content:"&client-id="; distance:4; within:12; content:"sdk-version"; distance:0; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; http.accept; content:"json"; bsize:4; reference:md5,2daf4f1dbdc4a3d9726f9b447225113a; reference:url,tarlogic.com/blog/hidding-cobalt-strike-traffic; classtype:trojan-activity; sid:2036825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UNION SELECT"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007500; classtype:web-application-attack; sid:2007500; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Darkme CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=zot4slot.com"; bsize:15; fast_pattern; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:domain-c2; sid:2036832; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family Darkme, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query INSERT"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007501; classtype:web-application-attack; sid:2007501; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Darkme CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ragustudio.it"; bsize:16; fast_pattern; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:domain-c2; sid:2036833; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family Darkme, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query DELETE"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007502; classtype:web-application-attack; sid:2007502; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Darkme CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=santucciluigi47832.net"; bsize:25; fast_pattern; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:domain-c2; sid:2036834; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family Darkme, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ASCII"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007503; classtype:web-application-attack; sid:2007503; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Darkme Trojan Checkin M1"; flow:established,to_server; content:"92|a9 a9 a9|"; startswith; fast_pattern; pcre:"/^[A-Z]{2}/R"; content:"|a9|"; distance:0; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007565; classtype:web-application-attack; sid:2007565; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Darkme Trojan Checkin M2"; flow:established,to_server; content:"92|3f 3f 3f|"; startswith; fast_pattern; pcre:"/^[A-Z]{2}/R"; content:"|3f|"; distance:0; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AdaptWeb a_index.php CodigoDisciplina Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/a_index.php?"; nocase; content:"CodigoDisciplina="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2009-2152; reference:url,en.securitylab.ru/nvd/381723.php; reference:url,milw0rm.com/exploits/8954; reference:url,doc.emergingthreats.net/2010022; classtype:web-application-attack; sid:2010022; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (muasaashshaj .com)"; dns.query; content:"muasaashshaj.com"; nocase; bsize:16; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036837; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Flex/index.template.html"; nocase; pcre:"/index.template.html.+(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:cve,2009-1879; reference:url,securitytracker.com/alerts/2009/Aug/1022748.html; reference:url,doc.emergingthreats.net/2010214; classtype:web-application-attack; sid:2010214; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (pallomnareraebrazo .com)"; dns.query; content:"pallomnareraebrazo.com"; nocase; bsize:22; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036838; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/EditUrl.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008785; classtype:web-application-attack; sid:2008785; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (aka7newmalp23 .com)"; dns.query; content:"aka7newmalp23.com"; nocase; bsize:17; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036839; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AjaxPortal ajaxp_backend.php page Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ajaxp_backend.php?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/8341; reference:bugtraq,34338; reference:url,doc.emergingthreats.net/2009424; classtype:web-application-attack; sid:2009424; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (8as1s2 .com)"; dns.query; content:"8as1s2.com"; nocase; bsize:10; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036840; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/install/di.php?"; nocase; content:"pathtoserverdata="; nocase; pcre:"/pathtoserverdata\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/55485; reference:url,doc.emergingthreats.net/2010362; classtype:web-application-attack; sid:2010362; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (938jss .com)"; dns.query; content:"938jss.com"; nocase; bsize:10; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036841; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id SELECT"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004887; classtype:web-application-attack; sid:2004887; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (kalpoipolpmi .net)"; dns.query; content:"kalpoipolpmi.net"; nocase; bsize:16; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036842; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004888; classtype:web-application-attack; sid:2004888; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (cspapop110 .com)"; dns.query; content:"cspapop110.com"; nocase; bsize:14; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036843; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id INSERT"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004889; classtype:web-application-attack; sid:2004889; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Darkme CnC Domain in DNS Lookup (csmmmsp099q .com)"; dns.query; content:"csmmmsp099q.com"; nocase; bsize:15; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036844; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family Darkme, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id DELETE"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004890; classtype:web-application-attack; sid:2004890; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (bukjut11 .com)"; dns.query; content:"bukjut11.com"; nocase; bsize:12; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036845; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ASCII"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004891; classtype:web-application-attack; sid:2004891; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (puccino .altervista .org)"; dns.query; content:"puccino.altervista.org"; nocase; bsize:22; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036846; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004892; classtype:web-application-attack; sid:2004892; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (storangefilecloud .vip)"; dns.query; content:"storangefilecloud.vip"; nocase; bsize:21; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036848; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004893; classtype:web-application-attack; sid:2004893; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain (bukjut11 .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"bukjut11.com"; bsize:12; fast_pattern; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036849; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; classtype:web-application-attack; sid:2004894; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain (puccino .altervista .org) in TLS SNI"; flow:established,to_server; tls.sni; content:"puccino.altervista.org"; bsize:22; fast_pattern; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036850; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004895; classtype:web-application-attack; sid:2004895; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain (storangefilecloud .vip) in TLS SNI"; flow:established,to_server; tls.sni; content:"storangefilecloud.vip"; bsize:21; fast_pattern; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036851; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid DELETE"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004896; classtype:web-application-attack; sid:2004896; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DOUBLEBACK CnC Domain (bestcake .ca in TLS SNI)"; flow:established,to_server; tls.sni; content:"bestcake.ca"; bsize:11; fast_pattern; reference:url,twitter.com/k3dg3/status/1532454383631450115; classtype:domain-c2; sid:2036822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ASCII"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004897; classtype:web-application-attack; sid:2004897; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE WatchDog Coinminer Payload Delivery Domain in DNS Lookup (oracle .zzhreceive .top)"; dns.query; content:"oracle.zzhreceive.top"; nocase; bsize:21; reference:url,www.cadosecurity.com/tales-from-the-honeypot-watchdog-evolves-with-a-new-multi-stage-cryptojacking-attack/; classtype:coin-mining; sid:2036854; rev:1; metadata:created_at 2022_06_03, performance_impact Significant, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004898; classtype:web-application-attack; sid:2004898; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DOUBLEBACK CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin"; startswith; content:"/client.php"; within:11; endswith; fast_pattern; pcre:"/^\/admin[0-9]?\/client\.php$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.content_type; content:"multipart/form-data"; bsize:19; reference:url,twitter.com/k3dg3/status/1532454383631450115; reference:url,www.mandiant.com/resources/unc2529-triple-double-trifecta-phishing-campaign; classtype:command-and-control; sid:2036823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel poll_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cp_polls_results.php?"; nocase; content:"poll_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/6854; reference:url,secunia.com/advisories/32431; reference:url,doc.emergingthreats.net/2008787; classtype:web-application-attack; sid:2008787; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polonium CreepyDrive Download Request"; flow:established,to_server; http.method; content:"GET"; http.host; content:"graph.microsoft.com"; startswith; http.uri; content:"/v1.0/me/drive/root|3a|/Downloaded/"; startswith; fast_pattern; content:"|3a|/content"; endswith; reference:url,microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/; classtype:trojan-activity; sid:2036828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/album.php?"; nocase; content:"UID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-3386; reference:url,www.milw0rm.com/exploits/6092; reference:url,secunia.com/advisories/31134/; reference:url,doc.emergingthreats.net/2009228; classtype:web-application-attack; sid:2009228; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA401 Arid Viper CnC Domain in DNS Lookup (sknzy-mysl .vip)"; dns.query; content:"sknzy-mysl.vip"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1532388531141808129; classtype:trojan-activity; sid:2036831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004717; classtype:web-application-attack; sid:2004717; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Deathstalker/Evilnum Delivery Domain in DNS Lookup (1b)"; dns.query; content:"1b"; nocase; bsize:2; reference:url,blog.nsfocus.net/darkcasino-apt-evilnum; classtype:trojan-activity; sid:2036847; rev:2; metadata:attack_target Client_and_Server, created_at 2022_06_03, deployment Perimeter, former_category MALWARE, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2022_06_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004718; classtype:web-application-attack; sid:2004718; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Transparent Tribe APT Related Backdoor Receiving Command (Inbound)"; flow:established,to_client; dsize:17; content:"|0c 00 00 00 00|inf"; startswith; fast_pattern; content:"o="; distance:1; within:2; reference:url,twitter.com/RedDrip7/status/1533659387277221888; reference:md5,70635541c80cd5a237ff789abcce4e27; reference:md5,30bc987b05c707e89f1a0b06e022459e; reference:md5,ac4944bec64b6d40f3bb16d6ed3f06e8; classtype:trojan-activity; sid:2036868; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004719; classtype:web-application-attack; sid:2004719; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Transparent Tribe APT Related Backdoor Sending System Information"; flow:established,to_server; content:"|0c 00 00 00 00|in"; startswith; fast_pattern; content:"fo="; distance:2; within:3; content:"|7c|"; within:20; content:"|7c 7c|"; within:20; reference:url,twitter.com/RedDrip7/status/1533659387277221888; reference:md5,70635541c80cd5a237ff789abcce4e27; reference:md5,30bc987b05c707e89f1a0b06e022459e; reference:md5,ac4944bec64b6d40f3bb16d6ed3f06e8; classtype:trojan-activity; sid:2036869; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004720; classtype:web-application-attack; sid:2004720; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!8080,1024:] (msg:"ET MALWARE Fodcha Bot CnC Checkin"; flow:established,to_server; dsize:5; content:"|ee 00 00 11 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035939; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004721; classtype:web-application-attack; sid:2004721; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Stealer Config Download Request"; flow:established,to_server; http.request_line; content:"POST /"; startswith; http.user_agent; content:"record"; bsize:6; fast_pattern; http.request_body; content:"machineId="; startswith; content:"&configId="; distance:0; reference:md5,0a7b32e75a01764ef5389a1d9e72ed63; classtype:trojan-activity; sid:2036882; rev:1; metadata:created_at 2022_06_06, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004723; classtype:web-application-attack; sid:2004723; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic Stealer Config from Server"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"wallets|3b 2a 3b 2d|"; content:"|3b|Local|20|Extension|20|Settings"; distance:0; content:"azne|2e|exe|7c 25|TEMP|25 5c 7c|exe"; distance:0; fast_pattern; content:"pm|2e|exe|7c 25|TEMP|25 5c 7c|exe"; distance:0; content:"cc|2e|exe|7c 25|TEMP|25 5c 7c|exe"; distance:0; content:"rc|2e|exe|7c 25|TEMP|25 5c 7c|exe"; distance:0; reference:md5,0a7b32e75a01764ef5389a1d9e72ed63; classtype:trojan-activity; sid:2036883; rev:1; metadata:created_at 2022_06_06, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006560; classtype:web-application-attack; sid:2006560; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Earth Berberoka Domain in DNS Lookup"; dns.query; dotprefix; content:".fuckbc.com"; nocase; endswith; reference:url,documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt; classtype:domain-c2; sid:2036872; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006561; classtype:web-application-attack; sid:2006561; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polonium CreepyDrive Client CnC Response"; flow:established,to_server; http.method; content:"POST"; http.host; content:"graph.microsoft.com"; startswith; http.uri; content:"/v1.0/me/drive/root|3a|/Documents/response.json|3a|/"; startswith; fast_pattern; reference:url,microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/; classtype:trojan-activity; sid:2036829; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; classtype:web-application-attack; sid:2006562; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polonium CreepyDrive Implant Request"; flow:established,to_server; http.method; content:"GET"; http.host; content:"graph.microsoft.com"; startswith; http.uri; content:"/v1.0/me/drive/root|3a|/Documents/data.txt|3a|/content"; fast_pattern; reference:url,microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/; classtype:trojan-activity; sid:2036826; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006564; classtype:web-application-attack; sid:2006564; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Polonium CreepyDrive Upload Request"; flow:established,to_server; http.method; content:"POST"; http.host; content:"graph.microsoft.com"; startswith; http.uri; content:"/v1.0/me/drive/root|3a|/Uploaded/"; startswith; fast_pattern; content:"|3a|/content"; endswith; reference:url,microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/; classtype:trojan-activity; sid:2036827; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006565; classtype:web-application-attack; sid:2006565; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (nod-update .it)"; dns.query; dotprefix; content:".nod-update.it"; nocase; endswith; reference:url,cert.gov.ua/article/40559; classtype:trojan-activity; sid:2036875; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006566; classtype:web-application-attack; sid:2006566; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/siteindex/b/?filter="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/"; http.header_names; content:!"Referer"; http.connection; content:"Close"; reference:url,twitter.com/StopMalvertisin/status/1533651010111307776; reference:url,cert.gov.ua/article/40559; classtype:trojan-activity; sid:2036876; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no SELECT"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006567; classtype:web-application-attack; sid:2006567; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check-updates/c/updates/updates.html"; startswith; bsize:37; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/"; http.header_names; content:!"Referer"; http.connection; content:"Close"; reference:url,twitter.com/StopMalvertisin/status/1533651010111307776; reference:url,cert.gov.ua/article/40559; classtype:trojan-activity; sid:2036881; rev:1; metadata:created_at 2022_06_06, updated_at 2022_06_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UNION SELECT"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006568; classtype:web-application-attack; sid:2006568; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=retmodul.com"; fast_pattern; classtype:domain-c2; sid:2036886; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no INSERT"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006569; classtype:web-application-attack; sid:2006569; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=hodbeast.com"; fast_pattern; classtype:domain-c2; sid:2036887; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no DELETE"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006570; classtype:web-application-attack; sid:2006570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=frebough.com"; fast_pattern; classtype:domain-c2; sid:2036888; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ASCII"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006571; classtype:web-application-attack; sid:2006571; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (APT-C-55/BabyShark Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=beastmodser.com"; fast_pattern; classtype:domain-c2; sid:2036889; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006572; classtype:web-application-attack; sid:2006572; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".cendual.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036897; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006573; classtype:web-application-attack; sid:2006573; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".servicecult.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036898; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006574; classtype:web-application-attack; sid:2006574; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".microsoftsecure.org"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006575; classtype:web-application-attack; sid:2006575; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".learnersarea.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036900; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006576; classtype:web-application-attack; sid:2006576; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".activatetech.info"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036901; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006577; classtype:web-application-attack; sid:2006577; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".sharepointfile.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006578; classtype:web-application-attack; sid:2006578; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".veritasanalyzer.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006579; classtype:web-application-attack; sid:2006579; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".sitesanalyzer.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036904; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006580; classtype:web-application-attack; sid:2006580; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".futuremedias.info"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036905; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006581; classtype:web-application-attack; sid:2006581; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".insyncdigitalbd.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006582; classtype:web-application-attack; sid:2006582; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".bluecake.xyz"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006583; classtype:web-application-attack; sid:2006583; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".penspen.org"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006584; classtype:web-application-attack; sid:2006584; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".edge-cloudservices.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036909; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006585; classtype:web-application-attack; sid:2006585; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".deliveryreporter.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036910; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006586; classtype:web-application-attack; sid:2006586; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".cloudscomputers.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006587; classtype:web-application-attack; sid:2006587; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".equip-med.org"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036912; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006588; classtype:web-application-attack; sid:2006588; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".techtosolution.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036913; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006589; classtype:web-application-attack; sid:2006589; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".technewsportals.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036914; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006590; classtype:web-application-attack; sid:2006590; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".manoramaonlines.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/host-manager/html/add"; nocase; content:"method="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/29502/info; reference:cve,2008-1947; reference:url,doc.emergingthreats.net/2010146; classtype:web-application-attack; sid:2010146; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".healthcaretip.info"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Aris/wflogin.jsp?"; nocase; content:"errmsg="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,38441; reference:url,secunia.com/advisories/38793; reference:url,doc.emergingthreats.net/2011114; classtype:web-application-attack; sid:2011114; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".thepetrosolution.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036917; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPApps.com Template Creature media_level.asp mcatid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/media_level.asp?"; nocase; content:"mcatid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7339; reference:bugtraq,32641; reference:url,doc.emergingthreats.net/2008936; classtype:web-application-attack; sid:2008936; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".ebtlicense.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006783; classtype:web-application-attack; sid:2006783; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".bestweight.net"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UNION SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006784; classtype:web-application-attack; sid:2006784; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".deliverymessage.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici INSERT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006785; classtype:web-application-attack; sid:2006785; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".alpha-olive.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici DELETE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006786; classtype:web-application-attack; sid:2006786; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".symantecdll.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ASCII"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006787; classtype:web-application-attack; sid:2006787; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".microsoftsync.org"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006788; classtype:web-application-attack; sid:2006788; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".softwarepays.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006789; classtype:web-application-attack; sid:2006789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".xchange-connect.org"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UNION SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006790; classtype:web-application-attack; sid:2006790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".vibrantmariners.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola INSERT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006791; classtype:web-application-attack; sid:2006791; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain"; dns.query; dotprefix; content:".mitoplatform.com"; nocase; endswith; reference:url,noticeofpleadings.com/bohrium/; classtype:trojan-activity; sid:2036927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola DELETE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006792; classtype:web-application-attack; sid:2006792; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA401 Arid Viper Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:57; pcre:"/^\/[a-z0-9]{16}\//i"; http.request_body; content:"pcUHJvZ3JhbURhdG"; fast_pattern; classtype:trojan-activity; sid:2036928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ASCII"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006793; classtype:web-application-attack; sid:2006793; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE njRAT v65.0 CnC Checkin"; flow:established,to_server; dsize:<256; content:"|00 00 00|"; offset:1; content:"|00 00 00|"; distance:1; content:"|7c 7c|"; distance:12; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\|\|/R"; content:"|7c 7c|Microsoft Windows"; content:"|7c 7c ce de 7c 7c ce de 7c 7c ce de 7c 7c 31 7c 7c|65.0"; fast_pattern; endswith; reference:md5,008e86fdb755fb073cf629e2a6b8c783; classtype:trojan-activity; sid:2036933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006794; classtype:web-application-attack; sid:2006794; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoLang Popping Eagle Trojan Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"standards=High"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/popping-eagle-malware/; classtype:trojan-activity; sid:2036929; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AstroSPACES profile.php SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profile.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,31771; reference:url,www.milw0rm.com/exploits/6758; reference:url,doc.emergingthreats.net/2008669; classtype:web-application-attack; sid:2008669; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder APT Phishing Activity - Landing Page URI Pattern"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; content:!"/"; distance:0; content:"-"; within:25; bsize:<33; pcre:"/^\/[a-zA-Z0-9]{1,25}\-[a-f0-9]{8}$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.header; content:"Sec-Fetch-Dest|3a 20|document|0d|"; fast_pattern; reference:url,blog.group-ib.com/sidewinder-antibot; reference:url,mp.weixin.qq.com/s/Kkta59k7r81uIBjJvE9pCw; classtype:targeted-activity; sid:2036785; rev:2; metadata:attack_target Client_and_Server, created_at 2022_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, updated_at 2022_06_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID SELECT"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004724; classtype:web-application-attack; sid:2004724; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-Q-37/Manling Flower Payload - CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|00 3a 00 5c 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 5c 00|"; fast_pattern; content:"|74 00 78 00 74 00 7c 00 7c 00 0d|"; content:"|2d 2d 00|"; endswith; reference:url,mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg; classtype:command-and-control; sid:2036935; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UNION SELECT"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004725; classtype:web-application-attack; sid:2004725; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Symbiote CnC Domain in DNS Lookup (assets .fans)"; dns.query; dotprefix; content:".assets.fans"; nocase; endswith; reference:url,blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat; classtype:trojan-activity; sid:2036950; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_09, deployment Perimeter, malware_family Symbiote, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID INSERT"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004726; classtype:web-application-attack; sid:2004726; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Symbiote CnC Domain in DNS Lookup (dpf .fm)"; dns.query; dotprefix; content:".dpf.fm"; nocase; endswith; reference:url,blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat; classtype:trojan-activity; sid:2036951; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_09, deployment Perimeter, malware_family Symbiote, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID DELETE"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004727; classtype:web-application-attack; sid:2004727; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Symbiote CnC Domain in DNS Lookup (bancodobrasil .dev)"; dns.query; dotprefix; content:".bancodobrasil.dev"; nocase; endswith; reference:url,blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat; classtype:trojan-activity; sid:2036952; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_09, deployment Perimeter, malware_family Symbiote, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ASCII"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004728; classtype:web-application-attack; sid:2004728; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Symbiote CnC Domain in DNS Lookup (caixa .cx)"; dns.query; dotprefix; content:".caixa.cx"; nocase; endswith; reference:url,blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat; classtype:trojan-activity; sid:2036953; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_09, deployment Perimeter, malware_family Symbiote, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004729; classtype:web-application-attack; sid:2004729; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Symbiote CnC Domain in DNS Lookup (caixa .wf)"; dns.query; dotprefix; content:".caixa.wf"; nocase; endswith; reference:url,blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat; classtype:trojan-activity; sid:2036954; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_09, deployment Perimeter, malware_family Symbiote, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Auto Listings Script moreinfo.php itemno Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/moreinfo.php?"; nocase; content:"itemno="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32131; reference:url,milw0rm.com/exploits/7003; reference:url,doc.emergingthreats.net/2009186; classtype:web-application-attack; sid:2009186; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/RecordBreaker CnC Checkin - Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"libs_"; content:".dll"; distance:0; content:"sstmnfo_System Info.txt|3a|"; fast_pattern; content:"token|3a|"; pcre:"/^[a-f0-9]{32}/R"; reference:md5,f75f596f7a0369717476f304eef7fe9b; classtype:trojan-activity; sid:2036955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, malware_family RecordBreaker, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/_bot.php?"; nocase; content:"master[currentskin]="; nocase; pcre:"/master\[currentskin\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,secunia.com/advisories/36354; reference:url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt; reference:url,doc.emergingthreats.net/2010198; classtype:web-application-attack; sid:2010198; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant Activity (Outbound)"; flow:established,to_server; dsize:16; content:"|0f 69 64 6b|"; startswith; fast_pattern; content:"|2e 73 73 6c|"; endswith; reference:md5,d9c25c9dd17e1ef2f5b65f9f9723d301; reference:url,www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/; classtype:trojan-activity; sid:2036940; rev:1; metadata:attack_target IoT, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Autos catid SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/searchresults.php?catid="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/6696; reference:url,secunia.com/advisories/32139/; reference:url,doc.emergingthreats.net/2008650; classtype:web-application-attack; sid:2008650; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (blacknurse .lib)"; dns.query; content:"blacknurse.lib"; nocase; bsize:14; reference:url,www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/; classtype:domain-c2; sid:2036941; rev:1; metadata:attack_target IoT, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AvailScript Photo Album Script pics.php sid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pics.php?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31085; reference:url,milw0rm.com/exploits/6411; reference:url,doc.emergingthreats.net/2009718; classtype:web-application-attack; sid:2009718; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (dragon .lib)"; dns.query; content:"dragon.lib"; nocase; bsize:10; reference:url,www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/; classtype:domain-c2; sid:2036942; rev:1; metadata:attack_target IoT, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/articles.php?"; nocase; content:"aIDS="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-4371; reference:url,secunia.com/advisories/31816/; reference:url,milw0rm.com/exploits/6409; reference:url,doc.emergingthreats.net/2009747; classtype:web-application-attack; sid:2009747; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (babaroga .lib)"; dns.query; content:"babaroga.lib"; nocase; bsize:12; reference:url,www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/; classtype:domain-c2; sid:2036943; rev:1; metadata:attack_target IoT, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/awstats/awstats.pl?config="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:url,www.securityfocus.com/bid/30730/info; reference:url,bugzilla.redhat.com/show_bug.cgi?id=474396; reference:url,sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764; reference:cve,2008-3714; reference:url,doc.emergingthreats.net/2010082; classtype:web-application-attack; sid:2010082; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kinsing Botnet Related Domain in DNS Lookup (tempest .lib)"; dns.query; content:"tempest.lib"; nocase; bsize:11; reference:url,www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/; classtype:domain-c2; sid:2036944; rev:1; metadata:attack_target IoT, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob SELECT"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007452; classtype:web-application-attack; sid:2007452; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to bablosoft Domain (downloads .bablosoft .com)"; dns.query; content:"downloads.bablosoft.com"; nocase; reference:url,team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-entry-for-malicious-actors/; classtype:bad-unknown; sid:2036703; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UNION SELECT"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007453; classtype:web-application-attack; sid:2007453; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Suspected APT-Q-37 Related Activity (Outbound)"; flow:established,to_server; dsize:<100; content:"|2a 00|"; depth:12; content:"|2a 00 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00|"; distance:20; within:30; fast_pattern; content:!"User-Agent"; content:!"Referer"; content:!"Host"; reference:url,mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg; reference:md5,71e1cfb5e5a515cea2c3537b78325abf; classtype:trojan-activity; sid:2036945; rev:1; metadata:created_at 2022_06_09, former_category MALWARE, malware_family APT_Q_37, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob INSERT"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007454; classtype:web-application-attack; sid:2007454; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".hr2"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,7c95374f94f10c4c13b7158167dd6d37; reference:url,twitter.com/500mk500/status/1534799900147339267; reference:url,twitter.com/500mk500/status/1534804600246648832; classtype:trojan-activity; sid:2036946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob DELETE"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007455; classtype:web-application-attack; sid:2007455; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (kealkun .16mb .com)"; dns.query; content:"kealkun.16mb.com"; nocase; bsize:16; reference:md5,81e18a1883f80b3056874ba8b87d82ab; classtype:domain-c2; sid:2036960; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ASCII"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007456; classtype:web-application-attack; sid:2007456; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32.Stealer CnC Domain in DNS Lookup (ping .otwalkun .16mb .com)"; dns.query; content:"ping.otwalkun.16mb.com"; nocase; bsize:22; reference:md5,81e18a1883f80b3056874ba8b87d82ab; classtype:domain-c2; sid:2036961; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007457; classtype:web-application-attack; sid:2007457; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gomorrah Stealer Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"hwid="; pcre:"/^[A-Z]{2}[A-F0-9]{16}/R"; content:"Passwords="; content:"CreditCards="; content:"Cookies="; content:"AutoFill="; content:"Wallets="; http.header_names; content:!"Referer"; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; Content:"info.txt"; content:"ProsessList.txt"; fast_pattern; reference:md5,d2a6fe3fc2dcd1b47d9420e71d5d3ba6; classtype:trojan-activity; sid:2036958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, malware_family Gomorrah, performance_impact Low, signature_severity Major, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID SELECT"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007458; classtype:web-application-attack; sid:2007458; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-PSW.Win32.Stealer.sb CnC"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"GET /AH/ HTTP/1.0"; fast_pattern; http.header; pcre:"/^Referer\x3a\x20[a-zA-Z0-9_\-.]+\x28[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9]\x29\w+\x0d\x0a/"; http.header; content:"Referer"; http.connection; content:"Keep-Alive"; reference:md5,b6796c1e9e454517c14da454c23c0ef5; classtype:command-and-control; sid:2036962; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UNION SELECT"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007459; classtype:web-application-attack; sid:2007459; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET MALWARE Win32.Agent.kawe SMTP Stealer"; flow:established,to_server; content:"Content-Type|3a 20|multipart/mixed|3b 0d 0a 09|boundary=|22 2d 2d 2d 2d 3d|_NextPart_000_0000_"; content:"Content-Type|3a 20|text/plain|0d 0a|Content-Transfer-Encoding|3a 20|7bit"; content:"Content-Disposition|3a 20|attachment|3b 0d 0a 09|filename|3d 22|alkunpass|22|"; fast_pattern; reference:md5,cb94fede5345784c5ace43c01419aace; classtype:trojan-activity; sid:2036963; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID INSERT"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007460; classtype:web-application-attack; sid:2007460; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.Fish Data Exfiltration"; flow:established,to_server; http.request_line; content:"POST /data/collect  HTTP/1.1"; fast_pattern; http.user_agent; content:"data-collect"; http.header; content:"HOST|3a 20|"; http.header_names; content:!"Referer"; http.request_body; content:"|22|HostName|22 3a 22|"; content:"|22|UserName|22 3a 22|"; content:"|22|AdapterDescription|22 3a 22|"; content:"|22|DhcpEnabled|22|"; content:"|22|IpAddresses|22 3a|"; reference:md5,0768fd9a6c0344944a223b28eedff41f; classtype:trojan-activity; sid:2036959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID DELETE"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007461; classtype:web-application-attack; sid:2007461; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP/LuciferHTTP/Gomorrah Client Action M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/^[A-Z0-9]{18}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,ad9d3caa8843e88c32c4a1168a3ae422; reference:md5,d543973bd33d45d515e8dfc251411c4b; classtype:trojan-activity; sid:2036964; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Gomorrah, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ASCII"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007462; classtype:web-application-attack; sid:2007462; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (bahriafoundation .live)"; dns.query; dotprefix; content:".bahriafoundation.live"; nocase; endswith; reference:url,twitter.com/h2jazi/status/1536330475656171520; reference:md5,36e14deaed17e71b4dee52dc139914f1; classtype:domain-c2; sid:2036965; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007463; classtype:web-application-attack; sid:2007463; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LingyunNet.A CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CLogin?key="; startswith; fast_pattern; pcre:"/^[A-Za-z0-9+/=]{730,}/R"; http.user_agent; content:"Lingjiang"; bsize:9; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:md5,185a0a1a16f93c8e43cdb2955d4c64c4; classtype:trojan-activity; sid:2036976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Lingyun_A, performance_impact Low, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004331; classtype:web-application-attack; sid:2004331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PingPull ICMP Activity (Outbound)"; content:"|03 41 40 7e 04 37 24 70|R"; startswith; fast_pattern; content:"total="; content:"current="; distance:0; reference:url,unit42.paloaltonetworks.com/pingpull-gallium/; reference:md5,b4dd22013aefae6f721f0b67be61dc91; classtype:trojan-activity; sid:2036967; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Gallium, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004332; classtype:web-application-attack; sid:2004332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PingPull Related Activity (POST)"; http.method; content:"POST"; http.uri; content:"/PROJECT_"; startswith; fast_pattern; content:"_"; within:33; content:!".asp"; content:!".htm"; content:!".php"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:67; reference:url,unit42.paloaltonetworks.com/pingpull-gallium/; reference:md5,7e01d776a0eb044a11bf91f3a68ce6f5; classtype:trojan-activity; sid:2036968; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Gallium, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004333; classtype:web-application-attack; sid:2004333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gallium APT Related Domain in DNS Lookup (hinitial .com)"; dns.query; dotprefix; content:".hinitial.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/pingpull-gallium; classtype:domain-c2; sid:2036969; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004334; classtype:web-application-attack; sid:2004334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gallium APT Related Domain in DNS Lookup (micfkbeljacob .com)"; dns.query; dotprefix; content:".micfkbeljacob.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/pingpull-gallium/; classtype:domain-c2; sid:2036970; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004335; classtype:web-application-attack; sid:2004335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LingyunNet.A Heartbeat"; dsize:45; content:"1|7c|"; startswith; pcre:"/^[a-f0-9]{32}/R"; content:"|7c|heart beat"; fast_pattern; endswith; reference:md5,185a0a1a16f93c8e43cdb2955d4c64c4; classtype:trojan-activity; sid:2036977; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Lingyun_A, performance_impact Low, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004336; classtype:web-application-attack; sid:2004336; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE PingPull Related Activity (Outbound)"; content:"|00 00 00 5b|PROJECT_"; fast_pattern; startswith; reference:url,unit42.paloaltonetworks.com/pingpull-gallium/; reference:md5,9ad380e7b6d9c83b88ed1b307107912e; classtype:trojan-activity; sid:2036971; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Gallium, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bahar Download Script aspkat.asp SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/aspkat.asp?kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,31852; reference:url,doc.emergingthreats.net/2008724; classtype:web-application-attack; sid:2008724; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LingyunNet.A Heartbeat Response"; dsize:51; content:"1|7c|"; startswith; pcre:"/^[a-f0-9]{32}/R"; content:"|7c|heart beat|7c|reply"; fast_pattern; endswith; reference:md5,185a0a1a16f93c8e43cdb2955d4c64c4; classtype:trojan-activity; sid:2036978; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Lingyun_A, performance_impact Low, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bandwebsite lyrics.php id parameter Sql Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lyrics.php?"; nocase; content:"section=full"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7215; reference:bugtraq,32454; reference:url,doc.emergingthreats.net/2008896; classtype:web-application-attack; sid:2008896; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PingPull ICMP Activity M2 (Outbound)"; content:"R"; startswith; content:"PROJECT_"; distance:1; within:9; fast_pattern; content:"total="; content:"current="; distance:0; reference:url,unit42.paloaltonetworks.com/pingpull-gallium/; reference:md5,b4dd22013aefae6f721f0b67be61dc91; classtype:trojan-activity; sid:2036972; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category MALWARE, malware_family Gallium, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_username)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_username="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_username=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010547; classtype:web-application-attack; sid:2010547; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Maldoc Domain (sportpony .ch)"; dns.query; content:"sportpony.ch"; nocase; bsize:12; reference:md5,c14a0d922be9a14e0b8aa3a3ce434070; classtype:trojan-activity; sid:2036986; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_server)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_server="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_server=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010548; classtype:web-application-attack; sid:2010548; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Maldoc Domain (spprospekt .com .br)"; dns.query; content:"spprospekt.com.br"; nocase; bsize:17; reference:md5,c14a0d922be9a14e0b8aa3a3ce434070; classtype:trojan-activity; sid:2036987; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_path)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_path="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_path=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010549; classtype:web-application-attack; sid:2010549; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Maldoc Domain (procoach .jp)"; dns.query; content:"procoach.jp"; nocase; bsize:11; reference:md5,c14a0d922be9a14e0b8aa3a3ce434070; classtype:trojan-activity; sid:2036988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_password)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_password="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_password=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010550; classtype:web-application-attack; sid:2010550; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Maldoc Domain (suidi .com)"; dns.query; content:"suidi.com"; nocase; bsize:9; reference:md5,c14a0d922be9a14e0b8aa3a3ce434070; classtype:trojan-activity; sid:2036989; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/main.inc.php?"; nocase; content:"mj_config[src_path]="; nocase; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009195; classtype:web-application-attack; sid:2009195; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Maldoc Domain (regenerationcongo .com)"; dns.query; content:"regenerationcongo.com"; nocase; bsize:21; reference:md5,c14a0d922be9a14e0b8aa3a3ce434070; classtype:trojan-activity; sid:2036990; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007211; classtype:web-application-attack; sid:2007211; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (navy-mil-bd .jmicc .xyz)"; dns.query; content:"navy-mil-bd.jmicc.xyz"; nocase; bsize:21; reference:md5,267870d2a7deec193cf6c2b6926f0451; reference:url,twitter.com/h2jazi/status/1536707820799807489; classtype:domain-c2; sid:2036981; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007212; classtype:web-application-attack; sid:2007212; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aoqin Dragon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"?"; content:!"&"; pcre:"/\/(?:[a-zA-Z0-9+/\x20]{4})*(?:[a-zA-Z0-9+/\x20]{2}==|[a-zA-Z0-9+/\x20]{5}=|[a-zA-Z0-9+/\x20]{4})(?:[a-zA-Z=]{4}?)$/"; http.header; content:!"Content-"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"; fast_pattern; bsize:101; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,54510ab05e1aac891a234624459103a9; classtype:trojan-activity; sid:2036973; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, deprecation_reason Duplicate, former_category MALWARE, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007213; classtype:web-application-attack; sid:2007213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Qbot Payload 2022-06-14"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:".RES HTTP/1.1"; endswith; bsize:<23; fast_pattern; http.uri; pcre:"/^\x2f\d{1,5}\x2eRES$/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"ms-office|3b 20|MSOffice"; reference:url,isc.sans.edu/diary/rss/28728; reference:md5,e7015438268464cedad98b1544d643ad; classtype:trojan-activity; sid:2036983; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Qbot, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007214; classtype:web-application-attack; sid:2007214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loxes/Mongall Related CnC Beacon M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"?"; content:!"&"; pcre:"/^\/(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})(?:[a-zA-Z=]{4})?(?:\x20?)$/"; http.header; content:!"Content-"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36"; fast_pattern; bsize:101; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,d396d0709c0de53e24f1804d392ec968; reference:url,www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/; classtype:command-and-control; sid:2036980; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, malware_family Mongall, malware_family Loxes, malware_family AoqinDragon, signature_severity Major, tag c2, updated_at 2022_06_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007215; classtype:web-application-attack; sid:2007215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loxes/Mongall Related CnC Beacon (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"?"; content:!"&"; pcre:"/^\/(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})(?:[a-zA-Z=]{4})?(?:\x20?)$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b|MSIE 6.0|3b|Windows NT 5.1)"; bsize:48; fast_pattern; http.header_names; content:!"Content"; content:!"Accept"; content:!"Referer"; reference:md5,069daf3015a2bb005142f400612da368; reference:url,www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/; classtype:command-and-control; sid:2036979; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_12, deployment Perimeter, former_category MALWARE, malware_family Mongall, malware_family Loxes, malware_family AoqinDragon, signature_severity Major, tag c2, updated_at 2022_06_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007216; classtype:web-application-attack; sid:2007216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aoqin Dragon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b|MSIE 6.0|3b|Windows NT 5.1)"; bsize:48; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/; reference:md5,5b1cf30e372c9fee9b9b661148271c05; classtype:trojan-activity; sid:2036966; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, deprecation_reason Duplicate, former_category MALWARE, signature_severity Major, updated_at 2022_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/edlink.php?"; nocase; content:"linkid"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009365; classtype:web-application-attack; sid:2009365; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Maldoc Domain (webnar .info)"; dns.query; content:"webnar.info"; nocase; bsize:11; reference:md5,8e71dbfa21a7f5bf494807ac4307ff95; classtype:trojan-activity; sid:2036985; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2022_06_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BibCiter projects.php idp Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reports/projects.php?"; nocase; content:"idp="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009740; classtype:web-application-attack; sid:2009740; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacapew.C!ml Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Clever Internet Suite"; http.uri; content:"/MX/"; content:".php?"; distance:0; content:"&OUT=&PG=&SO="; distance:0; content:"&AV="; distance:0; content:"&US="; distance:0; content:"&PC="; distance:0; content:"&EXE="; distance:0; fast_pattern; content:"&ST="; content:"&DTF="; distance:0; reference:md5,6433f9af678fcd387983d7afafae2af2; classtype:trojan-activity; sid:2037002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BibCiter contacts.php idc Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reports/contacts.php?"; nocase; content:"idc="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009741; classtype:web-application-attack; sid:2009741; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/death/quickly.xml"; fast_pattern; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1536872171032969216; reference:md5,7a91febc06be0dad3c90f0245456383e; classtype:trojan-activity; sid:2036994; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BibCiter users.php idu Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reports/users.php?"; nocase; content:"idu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009742; classtype:web-application-attack; sid:2009742; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE APT/Bitter CnC Exfiltration via TCP"; flow:established,to_server; content:"|00|"; offset:1; depth:1; content:"|00|"; distance:1; within:1; pcre:"/(?:([a-zA-Z0-9]\0){10,})/R"; content:"XXXXXXXXX"; endswith; fast_pattern; stream_size:client,<,200; reference:md5,71e1cfb5e5a515cea2c3537b78325abf; reference:url,twitter.com/RedDrip7/status/1536989979229835265; classtype:command-and-control; sid:2036996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_center_down.php?"; nocase; content:"row_mysql_blocks_center_down[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009417; classtype:web-application-attack; sid:2009417; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tiggre!rfn Zipped Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php?ownerid="; startswith; fast_pattern; content:"&buildid="; distance:0; content:"&username="; distance:0; content:"&country="; distance:0; content:"&ipaddr="; distance:0; reference:md5,57a3a3efdab58faf1249b718769d8622; classtype:trojan-activity; sid:2037003; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_center_top.php?"; nocase; content:"row_mysql_blocks_center_top[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009418; classtype:web-application-attack; sid:2009418; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET 1919 -> $HOME_NET any (msg:"ET MALWARE Panchan Mining Rig CnC Activity (Inbound)"; flow:established,to_client; content:"pan|2d|chan|27|s mining rig hi|21 0a|sharepeer|20|"; startswith; fast_pattern; pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/R"; content:"|0a|sharepeer"; within:30; reference:url,github.com/akamai/akamai-security-research/tree/main/malware/panchan; classtype:command-and-control; sid:2036998; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2022_06_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_left.php?"; nocase; content:"row_mysql_blocks_left[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009420; classtype:web-application-attack; sid:2009420; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loxes/Mongall Related CnC Beacon M3 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"?"; content:!"&"; pcre:"/^\/(?:[a-zA-Z0-9]{280,408})$/"; http.header_names; content:!"Referer"; content:!"Content"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 safari/537.36"; bsize:102; fast_pattern; reference:md5,d25804aa6bd05177e905554e5b06176a; reference:url,www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/; classtype:command-and-control; sid:2036982; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category MALWARE, malware_family Mongall, malware_family Loxes, malware_family AoqinDragon, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_right.php?"; nocase; content:"row_mysql_blocks_right[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009421; classtype:web-application-attack; sid:2009421; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loxes/Mongall Related CnC Beacon M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"?"; content:!"&"; pcre:"/^\/(?:[a-zA-Z0-9=]{60,408})$/"; http.header_names; content:!"Referer"; content:!"Content"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b|WOW64) AppleWebKit|20|/537.36 (KHTML,like Gecko) chrome/40.0.2214.115 safari|20|/537.36"; bsize:109; fast_pattern; reference:md5,4d9732711edfb9826fae4795d31bad69; reference:url,www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/; classtype:command-and-control; sid:2036995; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, malware_family Mongall, malware_family Loxes, malware_family AoqinDragon, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/window_down.php?"; nocase; content:"row_mysql_bloginfo[theme]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009422; classtype:web-application-attack; sid:2009422; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Cobalt Strike Beacon User-Agent String"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|3b 20|NP07|3b 20|NP07|29|"; reference:url,github.com/sophoslabs/IoCs/blob/master/Troj-Miner-AED.csv; classtype:trojan-activity; sid:2037020; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, performance_impact Low, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/window_top.php?"; nocase; content:"row_mysql_bloginfo[theme]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009423; classtype:web-application-attack; sid:2009423; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET MALWARE Maldoc Retrieving Payload 2022-06-15"; flow:established,to_server; urilen:6; http.method; content:"GET"; http.uri.raw; content:"/2.txt HTTP 1.1|0d 0a|"; startswith; bsize:17; fast_pattern; http.host; pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; reference:url,cert.gov.ua/article/160530; classtype:trojan-activity; sid:2036999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/search.5.html?search="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36700/info; reference:url,doc.emergingthreats.net/2010147; classtype:web-application-attack; sid:2010147; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET MALWARE Maldoc Retrieving Payload 2022-06-15"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri.raw; content:"/update.html HTTP 1.1|0d 0a|"; startswith; bsize:23; fast_pattern; http.host; pcre:"/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/"; reference:url,cert.gov.ua/article/160530; classtype:trojan-activity; sid:2037000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php SELECT"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006333; classtype:web-application-attack; sid:2006333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Zegost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?client="; startswith; content:"&v="; distance:0; content:"&con=request&rtm="; distance:0; fast_pattern; content:"&apn="; distance:0; content:"&cm="; distance:0; content:"&cu="; distance:0; content:"&cos="; distance:0; content:"&ctc="; distance:0; content:"&cws="; distance:0; content:"&cpn="; distance:0; reference:md5,e92bd6ef4b93409df37e14e08ffc684e; classtype:command-and-control; sid:2037025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UNION SELECT"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006334; classtype:web-application-attack; sid:2006334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Base64 Encoded Windows Command Prompt (Outbound)"; flow:established,to_server; content:"TWljcm9zb2Z0IFdpbmRvd3MgW1ZlcnNpb24"; fast_pattern; pcre:"/(?:TWljcm9zb2Z0IENvcnBvcmF0aW9uL|1pY3Jvc29mdCBDb3Jwb3JhdGlvbi|NaWNyb3NvZnQgQ29ycG9yYXRpb24u)[a-zA-Z0-9\x2f\x2b]{25,35}(?:Cg0KQzpc|oNCkM6XD|KDQpDOlw\x2b)/R"; reference:url,twitter.com/RedDrip7/status/1537389704374431744; reference:md5,29b6b195cf0671901b75b7d2ac6814f6; classtype:command-and-control; sid:2037018; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php INSERT"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006335; classtype:web-application-attack; sid:2006335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Lyceum Backdoor CnC Activity"; flow:established,to_server; content:"|23|2"; startswith; content:"0000|7c|auto|7c|1|23|"; distance:1; within:13; fast_pattern; content:"|23|"; endswith; reference:url,twitter.com/RedDrip7/status/1537389704374431744; reference:md5,29b6b195cf0671901b75b7d2ac6814f6; classtype:command-and-control; sid:2037019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php DELETE"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006336; classtype:web-application-attack; sid:2006336; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banker Trojan CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/user/"; startswith; content:".php"; endswith; http.request_body; content:"VESPC="; startswith; fast_pattern; content:"&COMPUTA="; content:"&AVZANDO="; content:"&USAR="; content:"ipzao="; reference:md5,f4c7507ec61ea0fbfa6f0ccda851d7c0; classtype:trojan-activity; sid:2037026; rev:1; metadata:created_at 2022_06_16, former_category MALWARE, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php ASCII"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006337; classtype:web-application-attack; sid:2006337; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MassLogger FTP Data Exfiltration"; flow:established,to_server; content:"|3c 7c 7c 20 20|v"; startswith; content:"|20 7c 7c 3e|"; distance:0; content:"User Name|3a 20|"; content:"Windows OS|3a 20|"; content:"MassLogger Started|3a 20|"; content:"Interval|3a 20|"; content:"MassLogger Process|3a 20|"; fast_pattern; reference:md5,b044aefa2e42d7efadf53394442fcca6; classtype:trojan-activity; sid:2037021; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006338; classtype:web-application-attack; sid:2006338; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Criminal RAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?code="; pcre:"/^[0-9]{3}$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; http.request_body; content:"username="; content:"ip="; content:"country="; content:"city="; content:"date="; content:"lastdate="; content:"lasttime="; content:"mwv="; fast_pattern; content:"assigned="; reference:md5,9cdbd39b541b76b3435b9150a6d97999; classtype:trojan-activity; sid:2037022; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd SELECT"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004828; classtype:web-application-attack; sid:2004828; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; http.header; content:!"ztunnelversion|3a 20|"; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; content:!"trust.zscaler.com"; pcre:"/(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:17; metadata:created_at 2012_02_28, deprecation_reason False_Positive, former_category MALWARE, updated_at 2021_09_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004829; classtype:web-application-attack; sid:2004829; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Information Being Sent in User-Agent"; flow:established,to_server; http.user_agent; content:"UserName|3a 20|"; fast_pattern; content:"System|3a 20|"; content:"GPU|3a 20|"; content:"RAM|3a 20|"; content:"CPU|3a 20|"; reference:md5,64f0fdfbfaa142ae83d8c3f9326e7a94; classtype:trojan-activity; sid:2037038; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd INSERT"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004830; classtype:web-application-attack; sid:2004830; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.FLZ CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?ShopId="; pcre:"/^\/(?:GetProDownConfig|downservers|ShopIp)\.aspx\?ShopId=[0-9]+$/"; http.header_names; content:"|0d 0a|HOST|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; fast_pattern; reference:md5,8767e31c8052f43b6a74557d9579653e; classtype:command-and-control; sid:2037032; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd DELETE"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004831; classtype:web-application-attack; sid:2004831; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CopperStealer - Browser Stealer Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; content:"/sendDocument"; endswith; http.content_type; content:"multipart|2f|form|2d|data|3b 20|boundary|3d 2d 2d 2d 2d|WebKitFormBoundaryovEAlxca0DiIz7tl"; bsize:68; fast_pattern; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|document|22 3b 20|filename|3d 22|"; content:".zip|22 0d 0a|Content-Type: application/x-zip-compressed|0d 0a 0d 0a 37 7a bc af 27 1c|"; distance:36; within:85; reference:md5,2420ce50752a9c25203cecbe194606c5; reference:md5,04bc575585d4663f227cef14a65bea26; reference:url,www.trendmicro.com/en_us/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html; classtype:trojan-activity; sid:2037027; rev:1; metadata:created_at 2022_06_17, updated_at 2022_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd ASCII"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004832; classtype:web-application-attack; sid:2004832; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CopperStealer - Remote Desktop - CnC Server Request via Pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw/"; startswith; content:"?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp"; endswith; http.host; content:"pastebin-com.translate.goog"; http.header; content:"x-csrftoken|3a 20|x|0d 0a|"; fast_pattern; reference:md5,cb39d19f07ea387b1f1dcd22f889545b; reference:md5,04bc575585d4663f227cef14a65bea26; reference:url,www.trendmicro.com/en_us/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html; classtype:command-and-control; sid:2037028; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, malware_family CopperStealer, signature_severity Major, tag c2, updated_at 2022_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004833; classtype:web-application-attack; sid:2004833; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CopperStealer - Remote Desktop - CnC Server Response via Pastebin"; flow:established,to_client; http.response_body; content:"data|2d|sourceurl|3d 22|https|3a 2f 2f|pastebin|2e|com|2f|raw|2f|"; content:"|0a 20 20 3c|pre|3e 40 40|"; distance:0; fast_pattern; content:"|7e 7e 40 40 3c 2f|pre|3e 0a 20 20|"; within:200; reference:md5,cb39d19f07ea387b1f1dcd22f889545b; reference:md5,04bc575585d4663f227cef14a65bea26; reference:url,www.trendmicro.com/en_us/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html; classtype:command-and-control; sid:2037029; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, malware_family CopperStealer, signature_severity Major, tag c2, updated_at 2022_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004024; classtype:web-application-attack; sid:2004024; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CopperStealer - Remote Desktop - Initial Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"x-csrftoken|3a 20|x|0d 0a|"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"guid="; startswith; content:!"&"; distance:0; isdataat:!37,relative; reference:md5,cb39d19f07ea387b1f1dcd22f889545b; reference:md5,04bc575585d4663f227cef14a65bea26; reference:url,www.trendmicro.com/en_us/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html; classtype:trojan-activity; sid:2037030; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, malware_family CopperStealer, signature_severity Major, tag c2, updated_at 2022_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004025; classtype:web-application-attack; sid:2004025; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CopperStealer - Remote Desktop - Task Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/task?guid="; content:!"&"; distance:0; isdataat:!37,relative; http.header; content:"x-csrftoken|3a 20|x|0d 0a|"; fast_pattern; reference:md5,cb39d19f07ea387b1f1dcd22f889545b; reference:md5,04bc575585d4663f227cef14a65bea26; reference:url,www.trendmicro.com/en_us/research/22/f/websites-hosting-fake-cracks-spread-updated-copperstealer.html; classtype:trojan-activity; sid:2037031; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, malware_family CopperStealer, signature_severity Major, tag c2, updated_at 2022_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004026; classtype:web-application-attack; sid:2004026; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown CN Related APT Domain in DNS Lookup (upportteam .lingrevelat .com)"; dns.query; content:"upportteam.lingrevelat.com"; nocase; bsize:26; reference:md5,8cdd56b2b4e1e901f7e728a984221d10; reference:url,twitter.com/h2jazi/status/1537536029250490382; classtype:domain-c2; sid:2037034; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004027; classtype:web-application-attack; sid:2004027; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown CN Related APT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update/v32/default"; startswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; bsize:61; reference:url,twitter.com/h2jazi/status/1537536029250490382; reference:md5,8cdd56b2b4e1e901f7e728a984221d10; classtype:trojan-activity; sid:2037035; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_06_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004028; classtype:web-application-attack; sid:2004028; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Agent.BP Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hive_append.php?id="; startswith; fast_pattern; content:"&obj="; distance:0; content:"&user="; distance:0; http.header; content:"Full-FileName|3a 20|%66%69%6C%65"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,fc878529af50b87ce71c8c36959f542a; classtype:command-and-control; sid:2037053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004029; classtype:web-application-attack; sid:2004029; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Agent.BP System Info Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ads_redir.php"; bsize:14; http.header; content:"Full-FileName|3a 20|%64%69%76%73%69%67%5F%61%69%6E%66%6F%2E%74%78%74"; http.request_body; content:"pcname|20 20 20 3d 20|"; content:"username|20 3d 20|"; content:"fulluser|20 3d 20|"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,fc878529af50b87ce71c8c36959f542a; classtype:trojan-activity; sid:2037054; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004030; classtype:web-application-attack; sid:2004030; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IceXLoader Sending Initial Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/"; http.request_body; content:"SetOn="; startswith; bsize:8; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim; reference:md5,54fb25c20d4191ff7e5185812485282f; classtype:command-and-control; sid:2037043; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category MALWARE, malware_family IceXLoader, signature_severity Major, updated_at 2022_06_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004031; classtype:web-application-attack; sid:2004031; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IceXLoader Sending Command Acknowledgement (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/"; http.request_body; content:"Done="; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim; reference:md5,54fb25c20d4191ff7e5185812485282f; classtype:command-and-control; sid:2037044; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category MALWARE, malware_family IceXLoader, signature_severity Major, updated_at 2022_06_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004032; classtype:web-application-attack; sid:2004032; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IceXLoader Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/"; http.request_body; content:"info="; startswith; fast_pattern; content:"|3c 7c 3e|"; distance:0; http.header_names; content:!"Referer"; reference:url,www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim; reference:md5,54fb25c20d4191ff7e5185812485282f; classtype:command-and-control; sid:2037045; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category MALWARE, malware_family IceXLoader, signature_severity Major, updated_at 2022_06_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004033; classtype:web-application-attack; sid:2004033; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CN Based APT Related Domain in DNS Lookup (open .zerdeopen .top)"; dns.query; content:"open.zerdeopen.top"; nocase; bsize:18; reference:url,twitter.com/nao_sec/status/1539246761067573249; reference:md5,d041af5d7abaa1e50ad59f1f0206b398; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:domain-c2; sid:2037078; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, malware_family TontoTeam, malware_family TA459, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004034; classtype:web-application-attack; sid:2004034; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CN Based APT Related Domain in DNS Lookup (sign .sanaqsign .org)"; dns.query; content:"sign.sanaqsign.org"; nocase; bsize:18; reference:url,twitter.com/nao_sec/status/1539246761067573249; reference:md5,d041af5d7abaa1e50ad59f1f0206b398; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:domain-c2; sid:2037079; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, malware_family TontoTeam, malware_family TA459, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004985; classtype:web-application-attack; sid:2004985; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:".adui.me"; fast_pattern; classtype:domain-c2; sid:2037072; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UNION SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004986; classtype:web-application-attack; sid:2004986; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:".elbu.me"; fast_pattern; classtype:domain-c2; sid:2037073; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by INSERT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004987; classtype:web-application-attack; sid:2004987; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:".elru.me"; fast_pattern; classtype:domain-c2; sid:2037074; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by DELETE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004988; classtype:web-application-attack; sid:2004988; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CN Based APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/News/"; startswith; fast_pattern; content:".html"; endswith; http.header_names; content:!"Referer"; http.request_body; content:"|21|"; endswith; http.user_agent; content:!"Linux"; reference:md5,00079dbf1d25e1d592709e5f895ff5b7; reference:url,twitter.com/nao_sec/status/1539246761067573249; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:trojan-activity; sid:2037076; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, malware_family TontoTeam, malware_family TA459, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by ASCII"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004989; classtype:web-application-attack; sid:2004989; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA459 Related Activity (Inbound)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<HIDER>"; startswith; fast_pattern; content:"|21|</HIDER>"; endswith; reference:md5,00079dbf1d25e1d592709e5f895ff5b7; reference:url,twitter.com/nao_sec/status/1539246761067573249; classtype:trojan-activity; sid:2037080; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, malware_family TA459, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004990; classtype:web-application-attack; sid:2004990; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Unknown Stealer Command (filegrab) (Outbound)"; flow:established,to_server; content:"filegrab"; dsize:8; startswith; fast_pattern; reference:md5,62c49cd81d701e2ad31009bb012758b7; reference:url,twitter.com/James_inthe_box/status/1539639477676568576; classtype:command-and-control; sid:2037084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004991; classtype:web-application-attack; sid:2004991; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Unknown Stealer Command (loader) (Outbound)"; flow:established,to_server; content:"loader"; dsize:6; startswith; fast_pattern; reference:md5,62c49cd81d701e2ad31009bb012758b7; reference:url,twitter.com/James_inthe_box/status/1539639477676568576; classtype:command-and-control; sid:2037085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UNION SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004992; classtype:web-application-attack; sid:2004992; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Unknown Stealer Command (domaindetect) (Outbound)"; flow:established,to_server; content:"domaindetect"; dsize:12; startswith; fast_pattern; reference:md5,62c49cd81d701e2ad31009bb012758b7; reference:url,twitter.com/James_inthe_box/status/1539639477676568576; classtype:command-and-control; sid:2037086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order INSERT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004993; classtype:web-application-attack; sid:2004993; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Unknown Stealer Command (geoblock) (Outbound)"; flow:established,to_server; content:"geoblock"; dsize:8; startswith; fast_pattern; reference:md5,62c49cd81d701e2ad31009bb012758b7; reference:url,twitter.com/James_inthe_box/status/1539639477676568576; classtype:command-and-control; sid:2037087; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order DELETE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004994; classtype:web-application-attack; sid:2004994; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Unknown Stealer CnC Log Exfil"; flow:established,to_server; content:"log|5b|split|5d|"; startswith; fast_pattern; pcre:"/^\x5b[A-Z]{2}\x5d\x20[A-Z0-9]{32}\x20\x5b[0-9]{2}\x2d[0-9]{2}\x2d[0-9]{4}\x20[0-9]{2}\x2d[0-9]{2}\x2d[0-9]{2}\x5d\x5bsplit\x5d/R"; reference:md5,62c49cd81d701e2ad31009bb012758b7; reference:url,twitter.com/James_inthe_box/status/1539639477676568576; classtype:command-and-control; sid:2037088; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order ASCII"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004995; classtype:web-application-attack; sid:2004995; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni APT MalDoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&tp=Microsoft|20|Windows"; distance:0; fast_pattern; content:!"&"; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/h2jazi/status/1539261879188586499; reference:md5,66fba06e965f9a6ea192db7f452ea9b6; classtype:trojan-activity; sid:2037081; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, malware_family KONNI, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004996; classtype:web-application-attack; sid:2004996; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/Unknown Stealer Command Response (filegrab) (Inbound)"; flow:established,to_client; content:"|2e|txt|0d 0a 2e|doc|0d 0a 2e|bd|0d 0a 2e|sql"; dsize:21; startswith; fast_pattern; reference:md5,62c49cd81d701e2ad31009bb012758b7; reference:url,twitter.com/James_inthe_box/status/1539639477676568576; classtype:command-and-control; sid:2037089; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Built2go Real Estate Listings event_id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/event_detail.php?event_id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/6697; reference:url,secunia.com/Advisories/32129/; reference:url,doc.emergingthreats.net/2008653; classtype:web-application-attack; sid:2008653; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> any 1919 (msg:"ET MALWARE [Akamai] Panchan Miner Botnet Checkin"; flow:established,to_server; content:"pan-chan|27|s mining rig hi|21|"; fast_pattern; reference:url,github.com/akamai/akamai-security-research/tree/main/malware/panchan; classtype:trojan-activity; sid:2037093; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006249; classtype:web-application-attack; sid:2006249; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:".unnit.me"; fast_pattern; classtype:domain-c2; sid:2037075; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UNION SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006250; classtype:web-application-attack; sid:2006250; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 143 (msg:"ET MALWARE Win32/APT28 Host Fingerprint Exfiltration via IMAP"; flow:established,to_server; content:"|24 20|APPEND|20|INBOX|20 7b|"; startswith; pcre:"/[0-9]{1,2}\x7d\x0d\x0aFrom\x3a\x20a_/R"; pcre:"/Subject\x3a[0-9]{1,2}\x2f[0-9]{1,2}\x2f[0-9]{4}\x20[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{2}\x20[AP]/R"; content:"M_report|0d 0a|"; within:10; fast_pattern; reference:url,cert.gov.ua/article/341128; reference:md5,d3bddb5de864afd7e4f5e56027f4e5ea; classtype:command-and-control; sid:2037090; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid INSERT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006251; classtype:web-application-attack; sid:2006251; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?Data="; fast_pattern; http.uri.raw; content:"|25 33 44|"; endswith; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1537442234605244416; reference:md5,961aab9910bd0207d0c7816d22949c4d; classtype:trojan-activity; sid:2037095; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, former_category MALWARE, malware_family SharpPanda, signature_severity Major, updated_at 2022_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid DELETE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006252; classtype:web-application-attack; sid:2006252; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile Variant (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/re1f=n1b_s1b_n1oss_1/1617-3222948188-02162949/fie1ld-keyw1ords=bo1oks"; bsize:72; http.header; content:"Cook1ie|3a 20|skin=nosk111in|3b|"; fast_pattern; reference:md5,c05f3ef094c103163d2fae6932e1c324; reference:url,twitter.com/obfusor/status/1539945037563174912; classtype:trojan-activity; sid:2037096; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ASCII"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006253; classtype:web-application-attack; sid:2006253; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.RDE Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/29WA3PoKQwCthxsaBUzygJqzglx9/"; bsize:30; fast_pattern; http.request_body; content:"|01 00 00 05 00 00 00 01 00 00 00 28 0a 00 00 03 00 00 00 00 01 01 00 48 00 00 00 16 00 00 00 5e 00 00 00 00 00 00 00 5e 00 00 00 00 00 00 00 73 00 76 00 63 00 68 00 6f 00 73 00 74 00 2e 00 65 00 78 00 65 00|"; endswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,0a3cc665dec9d017c9b445c1090ec923; classtype:exploit-kit; sid:2037102; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006254; classtype:web-application-attack; sid:2006254; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (mailh .alit .live)"; dns.query; content:"mailh.alit.live"; nocase; bsize:15; reference:md5,dd2ca2a2901fd6e5d54e5540e4a46256; reference:url,twitter.com/malwareforme/status/1540037682314629120; classtype:domain-c2; sid:2037097; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_06_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006255; classtype:web-application-attack; sid:2006255; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.TJJ CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index/getcfg?id="; fast_pattern; startswith; pcre:"/^\d{3,6}$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3b 20|Indy Library|29|"; reference:md5,2e7b9acaf5725c84c9ec9687af15d48e; classtype:trojan-activity; sid:2037107; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category MALWARE, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UNION SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006256; classtype:web-application-attack; sid:2006256; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.TJJ CnC Checkin M2"; flow:established,to_server; http.request_line; content:"POST /index/eventup.html HTTP/1.0"; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3b 20|Indy Library|29|"; http.header_names; content:!"Referer"; http.request_body; content:"event|3d 7b 22|info|22 3a 7b 22|pid|22 3a|"; fast_pattern; startswith; reference:md5,2e7b9acaf5725c84c9ec9687af15d48e; classtype:trojan-activity; sid:2037108; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category MALWARE, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id INSERT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006257; classtype:web-application-attack; sid:2006257; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (ysl .jxwan .com)"; dns.query; content:"ysl.jxwan.com"; nocase; bsize:13; classtype:trojan-activity; sid:2037109; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id DELETE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006258; classtype:web-application-attack; sid:2006258; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (udo .jxwan .com)"; dns.query; content:"udo.jxwan.com"; nocase; bsize:13; classtype:trojan-activity; sid:2037110; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ASCII"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006259; classtype:web-application-attack; sid:2006259; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (dsk .5636 .com)"; dns.query; content:"dsk.5636.com"; nocase; bsize:12; classtype:trojan-activity; sid:2037111; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006260; classtype:web-application-attack; sid:2006260; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (wx .go890 .com)"; dns.query; content:"wx.go890.com"; nocase; bsize:12; classtype:trojan-activity; sid:2037112; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006261; classtype:web-application-attack; sid:2006261; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cfg .jipinwan .com)"; dns.query; content:"cfg.jipinwan.com"; nocase; bsize:16; classtype:trojan-activity; sid:2037113; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UNION SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006262; classtype:web-application-attack; sid:2006262; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (bk .957wan .com)"; dns.query; content:"bk.957wan.com"; nocase; bsize:13; classtype:trojan-activity; sid:2037114; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id INSERT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006263; classtype:web-application-attack; sid:2006263; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (www .58sky .com)"; dns.query; content:"www.58sky.com"; nocase; bsize:13; classtype:trojan-activity; sid:2037115; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id DELETE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006264; classtype:web-application-attack; sid:2006264; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cnwx .58ad .cn)"; dns.query; content:"cnwx.58ad.cn"; nocase; bsize:12; classtype:trojan-activity; sid:2037116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ASCII"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006265; classtype:web-application-attack; sid:2006265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (gc .wb51 .com)"; dns.query; content:"gc.wb51.com"; nocase; bsize:11; classtype:trojan-activity; sid:2037117; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006266; classtype:web-application-attack; sid:2006266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Delf.TJJ CnC Domain in DNS Lookup (cmps .58sky .com)"; dns.query; content:"cmps.58sky.com"; nocase; bsize:14; classtype:trojan-activity; sid:2037118; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, malware_family Delf_TJJ, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006267; classtype:web-application-attack; sid:2006267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ToddyCat Ninja Backdoor CnC Domain in DNS Lookup (eohsdnsaaojrhnqo .windowshost .us)"; dns.query; content:"eohsdnsaaojrhnqo.windowshost.us"; nocase; bsize:31; reference:url,securelist.com/toddycat/106799/; classtype:targeted-activity; sid:2037119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_24, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UNION SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006268; classtype:web-application-attack; sid:2006268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ToddyCat Ninja Backdoor CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Collector/3.0/"; http.host; content:"mobile.pipe.microsoft.com:8080"; fast_pattern; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 6.3|3b 20|Trident/7.0|3b 20|rv 11.0|29| like Gecko"; reference:url,securelist.com/toddycat/106799/; classtype:targeted-activity; sid:2037120; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid INSERT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006269; classtype:web-application-attack; sid:2006269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Matanbuchus Loader Related Domain in DNS Lookup (collectiontelemetrysystem .com)"; dns.query; content:"collectiontelemetrysystem.com"; nocase; bsize:29; reference:url,isc.sans.edu/diary/rss/28752; reference:md5,95159f5427c976d28c86aa716799e6de; classtype:domain-c2; sid:2037103; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid DELETE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006270; classtype:web-application-attack; sid:2006270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Matanbuchus Loader Related Domain in DNS Lookup (telemetrysystemcollection .com)"; dns.query; content:"telemetrysystemcollection.com"; nocase; bsize:29; reference:md5,95159f5427c976d28c86aa716799e6de; reference:url,isc.sans.edu/diary/rss/28752; classtype:domain-c2; sid:2037104; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ASCII"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006271; classtype:web-application-attack; sid:2006271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in HTML Title Tags Inbound"; flow:established,to_client; http.response_body; content:"|3c|title|3e 40|"; content:!"|40|"; within:1; content:"|40 3c 2f|title|3e|"; distance:3; within:150; fast_pattern; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033905; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006272; classtype:web-application-attack; sid:2006272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (extic .icu)"; dns.query; content:"extic.icu"; nocase; bsize:9; reference:url,isc.sans.edu/diary/rss/28752; classtype:domain-c2; sid:2037105; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006273; classtype:web-application-attack; sid:2006273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Win32/TrojanDropper.Agent.SLC Domain"; dns.query; content:"evacdir.com"; nocase; bsize:11; reference:md5,8cf6cda24ee35b361e773be41d77c34a; classtype:trojan-activity; sid:2037133; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006274; classtype:web-application-attack; sid:2006274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake state)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=AU"; fast_pattern; content:!"ST=Some-State"; tls.certs; content:"|02 09 00|"; distance:8; within:3; content:"|06 03 55 04 06 13 02 41 55|"; distance:0; content:"|06 03 55 04 08|"; distance:0; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:11; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006275; classtype:web-application-attack; sid:2006275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[A-Za-z0-9]{16}\/[A-Za-z0-9]{16}\.php$/"; content:"/"; startswith; content:"/"; distance:16; within:1; content:".php"; distance:16; within:4; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:59; fast_pattern; reference:md5,5c45a038846aea315595b97b0a619f1a; reference:url,twitter.com/ShadowChasing1/status/1463498326481932289; reference:md5,67abe8b04f62eb55b6b880668fb8a634; classtype:trojan-activity; sid:2034545; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Moderate, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006276; classtype:web-application-attack; sid:2006276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:"/"; distance:16; within:1; content:".mp3"; distance:48; within:4; endswith; fast_pattern; bsize:70; pcre:"/^\/[A-Za-z0-9]{16}\/[A-Za-z0-9]{48}\.mp3$/"; http.user_agent; content:!"Linux"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:59; reference:md5,92a78894568e2e7869ef7ec454c52db3; classtype:trojan-activity; sid:2037126; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Moderate, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006277; classtype:web-application-attack; sid:2006277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; http.uri; content:"/ip.txt"; nocase; endswith; fast_pattern; http.header; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http.user_agent; content:!"Mozilla"; http.host; dotprefix; content:!".malwaredomainlist.com"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:7; metadata:created_at 2013_05_31, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006278; classtype:web-application-attack; sid:2006278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to DarkCrystal Rat Domain (datagroup .ddns .net) (2022-06-27)"; dns.query; content:"datagroup.ddns.net"; nocase; bsize:18; reference:url,cert.gov.ua/article/405538; classtype:command-and-control; sid:2037130; rev:1; metadata:created_at 2022_06_27, former_category MALWARE, malware_family DarkCrystal, signature_severity Major, tag RAT, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/spaw_control.class.php?"; nocase; content:"spaw_root="; nocase; reference:url,xforce.iss.net/xforce/xfdb/43536; reference:bugtraq,30042; reference:url,milw0rm.com/exploits/5983; reference:url,doc.emergingthreats.net/2009429; classtype:web-application-attack; sid:2009429; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (who .worksolution .buzz)"; dns.query; content:"who.worksolution.buzz"; nocase; bsize:21; reference:url,twitter.com/ShadowChasing1/status/1541354249246089216; reference:md5,18af861c7923df5245f462d37830b486; reference:md5,65bbda25ad307488f89ef409d5b819a1; classtype:domain-c2; sid:2037127; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Faethon info.php item Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/info.php?"; nocase; content:"item="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33775; reference:url,milw0rm.com/exploits/8054; reference:url,doc.emergingthreats.net/2009192; classtype:web-application-attack; sid:2009192; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA60 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sqlputong/sql2k/index.asp?qz="; fast_pattern; content:"&ver="; distance:0; content:"&mac="; distance:0; content:"&hdd="; distance:0; content:"&pcid="; distance:0; content:"&crc="; content:"&winid="; distance:0; http.header_names; content:!"Referer"; reference:md5,dc6cdbdbd101e011a19eb3289b6832b2; classtype:trojan-activity; sid:2037135; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id SELECT"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007893; classtype:web-application-attack; sid:2007893; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (rus .feedpolicy .xyz)"; dns.query; content:"rus.feedpolicy.xyz"; nocase; bsize:18; reference:url,twitter.com/SethKingHi/status/1540392757222834176; reference:md5,a456fb35ef09058265f21e30aaf96a74; reference:md5,bef07691da9e36dea480d8e16d149d3f; classtype:domain-c2; sid:2037128; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007894; classtype:web-application-attack; sid:2007894; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacatac Ransomware Variant Retrieving File (GET)"; flow:established,to_server; http.request_line; content:"GET /decryptor-gui.exe HTTP/1.1"; fast_pattern; http.referer; content:"/payment-registration"; endswith; http.host; content:".onion"; endswith; reference:url,app.any.run/tasks/552daf29-bab5-4065-873c-51542925071c/; reference:url,twitter.com/petrovic082/status/1541392264030814212; reference:md5,1a209343e0eb93a07c0da41ef5c93ab0; classtype:trojan-activity; sid:2037129; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_06_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id INSERT"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007895; classtype:web-application-attack; sid:2007895; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkCrystal Rat Stealer Data Exfiltration Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|WebKitFormBoundary"; startswith; pcre:"/[A-Za-z0-9]{16}\x0d\x0a/Content|2d|Disposition|3a|/R"; content:"|0a 0d 0a 50 4b 03 04|"; within:450; content:"Information|20 5b|"; within:64; content:"|5d 2e|txt"; distance:2; within:5; content:"Screenshots|2f|Screenshot|23|DISPLAY"; distance:512; fast_pattern; within:200; reference:md5,19bbb1b94f66609cbd80945c14486e93; reference:url,cert.gov.ua/article/405538; classtype:trojan-activity; sid:2037132; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DarkCrystal, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id DELETE"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007896; classtype:web-application-attack; sid:2007896; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; dotprefix; content:".folded.in"; nocase; endswith; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035942; rev:4; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_06_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007897; classtype:web-application-attack; sid:2007897; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Response"; flow:established,to_client; content:"200000|7c|YXV0bw|3d 3d|"; startswith; fast_pattern; dsize:15; reference:url,twitter.com/RedDrip7/status/1537389704374431744; reference:md5,29b6b195cf0671901b75b7d2ac6814f6; classtype:command-and-control; sid:2037017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt"; flow:established,to_server; http.uri; content:"_invoice.asp"; nocase; content:"script>"; nocase; pcre:"/(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.coresecurity.com/content/cactushop-xss-persistent-vulnerability; reference:cve,2010-1486; reference:url,doc.emergingthreats.net/2011054; classtype:web-application-attack; sid:2011054; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Khaosz.A!MTB Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/device"; bsize:7; http.request_body; content:"|7b 22|hostname|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|username|22 3a 22|"; distance:0; content:"|22 2c 22|user|5f|id|22 3a 22|"; distance:0; content:"|22 2c 22|os|5f|name|22 3a 22|"; distance:0; content:"|22 2c 22|os|5f|arch|22 3a 22|"; distance:0; content:"|22 2c 22|mac|5f|address|22 3a 22|"; distance:0; content:"|22 2c 22|local|5f|ip|5f|address|22 3a 22|"; distance:0; content:"|22 2c 22|port|22 3a 22|"; distance:0; content:"|22 2c 22|fetched|5f|unix|22 3a|"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,dbe9be7d2f99e434ce1504a8992b11a8; classtype:command-and-control; sid:2037145; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (dish.php)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dish.php"; nocase; content:"?id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008679; classtype:web-application-attack; sid:2008679; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacapew.C!ml Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/orders/Log?processorId="; startswith; fast_pattern; content:"|24 24 24|"; distance:0; content:"+os|24 24 24|"; distance:0; content:"+cpu|24 24 24|"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,d8fc1d015461025abd2126dce5d9a758; classtype:command-and-control; sid:2037146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (menu.php)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/menu.php"; nocase; content:"?id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008680; classtype:web-application-attack; sid:2008680; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".udb"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/InQuest/status/1541776073742028802; reference:md5,71ba796a0946dacc5af63d36f89673e6; classtype:trojan-activity; sid:2037136; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID SELECT"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006165; classtype:web-application-attack; sid:2006165; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZuoRAT Windows Loader Shellcode Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/docs/share/"; startswith; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/"; content:"doc_slug="; fast_pattern; content:"from="; reference:url,github.com/blacklotuslabs/IOCs/blob/main/ZuoRAT_IoCs.txt; classtype:targeted-activity; sid:2037142; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZuoRAT, performance_impact Low, signature_severity Major, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006166; classtype:web-application-attack; sid:2006166; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZuoRAT CBeacon CnC"; flow: established,to_server; http.method; content:"POST"; http.uri; content:"/api"; http.user_agent; content:"WinHTTP"; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:"Connection|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; http.request_body; pcre:"/^[A-Za-z0-9=/+]{100}/"; reference:url,blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/; classtype:targeted-activity; sid:2037143; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZuoRAT, performance_impact Low, signature_severity Major, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID INSERT"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006167; classtype:web-application-attack; sid:2006167; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZuoRAT GoBeacon CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; http.user_agent; content:"Go-http-client/1.1"; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:"Connection|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; http.request_body; pcre:"/^[A-Za-z0-9=/+]{100}/"; reference:url,blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/; classtype:targeted-activity; sid:2037144; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZuoRAT, performance_impact Low, signature_severity Major, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID DELETE"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006168; classtype:web-application-attack; sid:2006168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNum APT Related Domain in DNS Lookup (msdllopt .com)"; dns.query; content:"msdllopt.com"; nocase; bsize:12; reference:url,www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets; reference:md5,61776b209b01d62565e148585fda1954; classtype:domain-c2; sid:2037149; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family EvilNum, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ASCII"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006169; classtype:web-application-attack; sid:2006169; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNum APT Related Domain in DNS Lookup (pcamanalytics .com)"; dns.query; content:"pcamanalytics.com"; nocase; bsize:17; reference:md5,6d329140fb53a3078666e17c249ce112; reference:url,www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets; classtype:domain-c2; sid:2037150; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family EvilNum, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006170; classtype:web-application-attack; sid:2006170; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNum APT Related Domain in DNS Lookup (estimefm .org)"; dns.query; content:"estimefm.org"; nocase; bsize:12; reference:md5,f0d3cff26b419aff4acfede637f6d3a2; reference:url,www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets; classtype:domain-c2; sid:2037151; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family EvilNum, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006183; classtype:web-application-attack; sid:2006183; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNum APT Related Domain in DNS Lookup (imageztun .com)"; dns.query; content:"imageztun.com"; nocase; bsize:13; reference:md5,f5f9ba063e3fee25e0a298c0e108e2d4; reference:url,www.zscaler.com/blogs/security-research/return-evilnum-apt-updated-ttps-and-new-targets; classtype:domain-c2; sid:2037152; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family EvilNum, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006184; classtype:web-application-attack; sid:2006184; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad Backdoor Related Domain in DNS Lookup (grandfoodtony .com)"; dns.query; dotprefix; content:".grandfoodtony.com"; nocase; endswith; reference:url,91131CCF507F61279268FA857AB53463; reference:url,ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/; classtype:domain-c2; sid:2037153; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006185; classtype:web-application-attack; sid:2006185; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M6"; flow:established,to_server; http.request_line; content:"GET /jquery-3.3.2.slim.min.js HTTP/1.1"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; reference:url,ics-cert.kaspersky.com/publications/reports/2022/06/27/attacks-on-industrial-control-systems-using-shadowpad/; reference:md5,e912f273e629bf974a29213b6427d02b; classtype:trojan-activity; sid:2037154; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_06_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006186; classtype:web-application-attack; sid:2006186; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE xCaon Embedded Encrypted Command in Webpage"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 7c 23|"; fast_pattern; content:!"="; distance:0; within:4; content:"|23 7c 2d 2d 3e|"; distance:0; within:300; classtype:command-and-control; sid:2033245; rev:2; metadata:created_at 2021_07_05, former_category MALWARE, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006187; classtype:web-application-attack; sid:2006187; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Variant Data Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Files.zip|3a 3a 3a|"; fast_pattern; content:"filename=|22|Files.zip|22 0d 0a 0d 0a|UEs"; distance:0; reference:md5,1f0296b2c958c1208c7fcaff5ce65a15; classtype:trojan-activity; sid:2037207; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category MALWARE, malware_family a310Logger, performance_impact Low, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006188; classtype:web-application-attack; sid:2006188; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZuoRAT send_http_msg_php Call to arp.php"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/arp.php"; startswith; content:"o_addr="; content:"int_ip="; content:"int_mac="; fast_pattern; http.header; content:"Cache-Control|3a 20|max-age=0"; content:"Upgrade-Insecure-Requests|3a 20|1"; reference:url,github.com/blacklotuslabs/IOCs/blob/main/ZuoRAT_IoCs.txt; classtype:targeted-activity; sid:2037141; rev:2; metadata:attack_target Client_and_Server, created_at 2022_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZuoRAT, performance_impact Low, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy SELECT"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007464; classtype:web-application-attack; sid:2007464; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZuoRAT send_http_msg_php Call to dns.php"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns.php"; startswith; content:"o_addr="; fast_pattern; content:"ip_addr="; content:"dns="; http.header; content:"Cache-Control|3a 20|max-age=0"; content:"Upgrade-Insecure-Requests|3a 20|1"; reference:url,github.com/blacklotuslabs/IOCs/blob/main/ZuoRAT_IoCs.txt; classtype:targeted-activity; sid:2037140; rev:2; metadata:attack_target Client_and_Server, created_at 2022_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZuoRAT, performance_impact Low, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UNION SELECT"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007465; classtype:web-application-attack; sid:2007465; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZuoRAT send_http_msg_php Call to ssid.php"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ssid.php"; startswith; content:"o_addr="; content:"i_ssid="; content:"i_bssid="; fast_pattern; http.header; content:"Cache-Control|3a 20|max-age=0"; content:"Upgrade-Insecure-Requests|3a 20|1"; reference:url,github.com/blacklotuslabs/IOCs/blob/main/ZuoRAT_IoCs.txt; classtype:targeted-activity; sid:2037139; rev:2; metadata:attack_target Client_and_Server, created_at 2022_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZuoRAT, performance_impact Low, signature_severity Major, updated_at 2022_06_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy INSERT"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007466; classtype:web-application-attack; sid:2007466; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj_Yahoya Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/id|3f 3d|NT|28|Win"; fast_pattern; startswith; content:"x64|29 5f|AV|28|"; distance:0; content:"|29 7c 7c|QN|28|"; distance:0; content:"|29 7c 7c|WN|28|"; distance:0; content:"|29 7c 7c|HN|28|"; distance:0; content:"|29 7c 7c|MA|28|"; distance:0; content:"|29 7c 7c|WF|28|"; distance:0; content:"|29 7c 7c|VE|28|"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,7f8b4a962edea1dd9d552fbc907f76bb; reference:url,research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/; classtype:targeted-activity; sid:2037233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Troj_Yahoya, performance_impact Low, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy DELETE"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007467; classtype:web-application-attack; sid:2007467; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SilentLibrarian Domain in DNS Lookup (login .cardiff .acuk .me)"; dns.query; dotprefix; content:".login.cardiff.acuk.me"; nocase; endswith; reference:url,twitter.com/TeamDreier/status/1542155689631617025; classtype:domain-c2; sid:2037231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ASCII"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007468; classtype:web-application-attack; sid:2007468; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SilentLibrarian)"; flow:established,to_client; tls.cert_subject; content:"edou.me"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?edou\.me(?!\.)/"; reference:url,twitter.com/TeamDreier/status/1542155689631617025; classtype:domain-c2; sid:2037232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007469; classtype:web-application-attack; sid:2007469; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=s.tempeasy.net"; fast_pattern; classtype:domain-c2; sid:2037214; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand SELECT"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007470; classtype:web-application-attack; sid:2007470; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (MageCart Payload CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apfeltee.de"; fast_pattern; classtype:domain-c2; sid:2037215; rev:1; metadata:attack_target Client_and_Server, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UNION SELECT"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007471; classtype:web-application-attack; sid:2007471; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible KONNI CnC Activity"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"User-Agent|3a 20|HTTP|0d 0a|"; fast_pattern; http.host; content:!".realptt.com"; reference:url,us-cert.cisa.gov/ncas/alerts/aa20-227a; classtype:targeted-activity; sid:2030691; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand INSERT"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007472; classtype:web-application-attack; sid:2007472; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fynloski.AA CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok?hw="; fast_pattern; startswith; content:"uuid={"; pcre:"/^[A-F0-9]{8}-(?:[A-F0-9]{4}-){3}[A-F0-9]{12}\}/R"; content:"ver="; content:"name="; content:"system="; content:"sysdate="; content:"act="; content:"str1="; content:"str2="; content:"str3="; http.header_names; content:!"Referer"; content:"User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,082ba31c83e3fc1114b6444111e88019; classtype:trojan-activity; sid:2037234; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, malware_family Win32_Fynloski_AA, performance_impact Low, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand DELETE"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007473; classtype:web-application-attack; sid:2007473; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt any any -> any any (msg:"ET MALWARE LinPEAS Privilege Escalation Script Response (With Banner)"; flow:established,to_client; content:"|0a 20 20 20 20 1b 5b 31 3b 33 32 6d 2f 2d 2d 2d|"; startswith; content:"Do|20|you|20|like|20|PEASS|3f|"; distance:110; within:30; fast_pattern; reference:url,github.com/carlospolop/PEASS-ng/tree/master/linPEAS; classtype:trojan-activity; sid:2037229; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2022_06_30, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CF_Calendar calid parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/calendarevent.cfm?"; nocase; content:"calid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33074/; reference:url,milw0rm.com/exploits/7413; reference:url,doc.emergingthreats.net/2008995; classtype:web-application-attack; sid:2008995; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt any any -> any any (msg:"ET MALWARE LinPEAS Privilege Escalation Script Response (Without Banner)"; flow:established,to_client; content:"Starting linpeas."; depth:30; fast_pattern; content:"Caching Writable Folders"; within:30; reference:url,github.com/carlospolop/PEASS-ng/tree/master/linPEAS; classtype:trojan-activity; sid:2037230; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2022_06_30, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand ASCII"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007474; classtype:web-application-attack; sid:2007474; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Agent.SUD Zipped Data Exfil (set)"; flow:established,to_server; stream_size:server,<,5; dsize:4; flowbits:set,ET.wacatacstealer; flowbits:noalert; content:"|73 61 0d 0a|"; fast_pattern; reference:md5,023e3c7d1de10006b4c52d09aadefc1f; classtype:credential-theft; sid:2037239; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007475; classtype:web-application-attack; sid:2007475; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Agent.SUD Zipped Data Exfil"; flow:established,to_server; stream_size:server,<,20; dsize:1024; flowbits:isset,ET.wacatacstealer; content:"|23 23 23|"; startswith; fast_pattern; content:"|23 23 23|"; distance:0; within:20; content:"|23 23 23|"; distance:0; within:86; pcre:"/^###\d+###[a-zA-Z0-9\-\.]{2,63}###\x00+$/"; reference:md5,023e3c7d1de10006b4c52d09aadefc1f; classtype:credential-theft; sid:2037240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Check New findoffice.php search parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/findoffice.php?"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7328; reference:bugtraq,32590; reference:url,doc.emergingthreats.net/2008933; classtype:web-application-attack; sid:2008933; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacatac.B!ml CnC Checkin"; flow:established,to_server; dsize:4; content:"|73 61 0d 0a|"; fast_pattern; flowbits:set,ET.Wacatac_B_Checkin; reference:md5,082ba31c83e3fc1114b6444111e88019; classtype:trojan-activity; sid:2037235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, malware_family Wacatac_B_ml, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/webline/html/admin/wcs/LoginPage.jhtml"; nocase; content:"dest="; nocase; pcre:"/dest\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.exploit-db.com/exploits/11403/; reference:cve,2010-0641; reference:url,doc.emergingthreats.net/2011676; classtype:web-application-attack; sid:2011676; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacatac.B!ml Data Exfiltration"; flow:established,to_server; flowbits:isset,ET.Wacatac_B_Checkin; content:"|23 23 23|"; content:"|23 23 23|"; distance:0; content:"|23 23 23|"; distance:0; content:"PK|03 04|"; distance:0; byte_test:1,<=,20,0,relative; content:"Google/Chrome/User|20|Data/"; fast_pattern; reference:md5,082ba31c83e3fc1114b6444111e88019; classtype:trojan-activity; sid:2037236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category MALWARE, malware_family Wacatac_B_ml, performance_impact Low, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/+webvpn+/index.html"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; reference:url,doc.emergingthreats.net/2010505; classtype:attempted-user; sid:2010505; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic CMD Remote Shell"; flow:established,to_server; content:"|00 00 00 13|CMD session opened|2e 00 00 00 01 00 00 00|qMicrosoft Windows"; startswith; fast_pattern; reference:md5,38e3ff2c1ad395cc854e2b620adc1a0f; classtype:trojan-activity; sid:2037255; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ekgnkm/AccessCodeStart.asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010506; classtype:attempted-user; sid:2010506; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Golang/Kaos/YamaBot CnC Activity"; flow:established,to_server; http.user_agent; content:"TW96aWxsYS81LjAgKFdpbmRvd3MgTlQgMTAuMDsgV2luNjQ7IHg2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzYwLjAuMzExMi4xMTMgU2FmYXJpLzUzNy4zNg=="; reference:url,blogs.jpcert.or.jp/ja/2022/06/yamabot.html; reference:md5,612538328e0c4f3e445fb58ef811336a; reference:md5,cf1a90e458966bcba8286d46d6ab052c; classtype:command-and-control; sid:2037241; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_03_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date SELECT"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007223; classtype:web-application-attack; sid:2007223; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Golang/Kaos/YamaBot CnC Activity M2 (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"TW96"; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:md5,cf1a90e458966bcba8286d46d6ab052c; reference:md5,612538328e0c4f3e445fb58ef811336a; reference:md5,76125115415a80c4ec4c9b1a440f6054; reference:url,blogs.jpcert.or.jp/ja/2022/06/yamabot.html; classtype:trojan-activity; sid:2037252; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UNION SELECT"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007224; classtype:web-application-attack; sid:2007224; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=*.unde.me"; fast_pattern; classtype:domain-c2; sid:2037242; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006347; classtype:web-application-attack; sid:2006347; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=*.pdlu.me"; fast_pattern; classtype:domain-c2; sid:2037243; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date INSERT"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007225; classtype:web-application-attack; sid:2007225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=*.nerb.me"; fast_pattern; classtype:domain-c2; sid:2037244; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date DELETE"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007226; classtype:web-application-attack; sid:2007226; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=nerb.me"; fast_pattern; classtype:domain-c2; sid:2037245; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ASCII"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007227; classtype:web-application-attack; sid:2007227; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; content:"|55 1d 11|"; content:"*.rnit.me"; fast_pattern; distance:0; classtype:domain-c2; sid:2037246; rev:1; metadata:created_at 2022_07_01, updated_at 2022_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007228; classtype:web-application-attack; sid:2007228; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; content:"|55 1d 11|"; content:"*.uvit.me"; fast_pattern; distance:0; classtype:domain-c2; sid:2037247; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007229; classtype:web-application-attack; sid:2007229; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; content:"|55 1d 11|"; content:"*.edll.me"; fast_pattern; distance:0; classtype:domain-c2; sid:2037248; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UNION SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007230; classtype:web-application-attack; sid:2007230; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 809"; flow:established,to_server; content:"|41 ac 50 53 8f 6b 82 33 6a 46 77|"; startswith; fast_pattern; content:"|bc f6|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2037250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2022_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage INSERT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007231; classtype:web-application-attack; sid:2007231; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 810"; flow:established,to_server; content:"|db a5 e4 7a 50 61 dd 17 46 7d 69|"; startswith; fast_pattern; content:"|e7 8d|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2037251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2022_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage DELETE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007232; classtype:web-application-attack; sid:2007232; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=login.microsoftonline.comn.me"; fast_pattern; classtype:domain-c2; sid:2037256; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ASCII"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007233; classtype:web-application-attack; sid:2007233; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=www.login.microsoftonline.cornn.me"; fast_pattern; classtype:domain-c2; sid:2037257; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007234; classtype:web-application-attack; sid:2007234; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=ulibe.me"; fast_pattern; classtype:domain-c2; sid:2037258; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007235; classtype:web-application-attack; sid:2007235; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=eulib.me"; fast_pattern; classtype:domain-c2; sid:2037259; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UNION SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007236; classtype:web-application-attack; sid:2007236; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=lible.me"; fast_pattern; classtype:domain-c2; sid:2037260; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id INSERT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007237; classtype:web-application-attack; sid:2007237; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HQAF Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.user_agent; content:"mozzzzzzzzzzz"; fast_pattern; http.request_body; content:"machineId="; startswith; content:"&configId="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,bf9fa2681da355e328f6eb8c63da8253; classtype:trojan-activity; sid:2037274; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id DELETE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007238; classtype:web-application-attack; sid:2007238; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GenKryptik.FWXB Telegram Checkin"; flow:established,to_server; http.method; content:"POST"; http.host; content:"api.telegram.org"; bsize:16; http.uri; content:"/bot"; startswith; content:"/sendMessage"; endswith; http.request_body; content:"text=Passwords|3a 3a 3a|"; startswith; fast_pattern; content:"Username|3a 20|"; distance:0; content:"CompName|3a 20|"; distance:0; content:"Windows Version|3a 20|"; distance:0; content:"&chat_id="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,b95798891c33a49b161c00f869877cd2; classtype:credential-theft; sid:2037261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ASCII"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007239; classtype:web-application-attack; sid:2007239; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus APT Related VSingle Backdoor Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?uid="; pcre:"/^[0-9]{8}/R"; content:"&upw="; fast_pattern; distance:0; pcre:"/^(?:[A-Za-z0-9]{4})*(?:[A-Za-z0-9]{2}==|[A-Za-z0-9]{3}=|[A-Za-z0-9]{4})$/R"; http.user_agent; content:"Linux|20|"; http.header_names; content:!"Referer"; reference:md5,7ce51b56a6b0f8f78056ddfc5b5de67c; reference:url,blogs.jpcert.or.jp/en/2022/07/vsingle.html; classtype:trojan-activity; sid:2037276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Stonefly, signature_severity Major, updated_at 2022_07_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007240; classtype:web-application-attack; sid:2007240; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (ougreen .com)"; dns.query; content:"ougreen.com"; nocase; bsize:11; reference:url,blogs.jpcert.or.jp/en/2022/07/vsingle.html; classtype:domain-c2; sid:2037277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_06, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Stonefly, signature_severity Major, updated_at 2022_07_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id SELECT"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007241; classtype:web-application-attack; sid:2007241; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Microsoft Security localhost)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, O=Microsoft, OU=Security, CN=localhost"; bsize:59; fast_pattern; reference:url,unit42.paloaltonetworks.com/brute-ratel-c4-tool; classtype:trojan-activity; sid:2037710; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UNION SELECT"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007242; classtype:web-application-attack; sid:2007242; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Brute Ratel CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"?"; content:!"="; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; bsize:53; http.user_agent; content:!"MSIE"; content:!"Mozilla/4."; http.request_body; pcre:"/^[A-Za-z0-9=+/\x22\x00]{100,1000}$/"; reference:url,unit42.paloaltonetworks.com/brute-ratel-c4-tool/; reference:md5,1b97637fd83abfb7ecab040a4cda2d52; reference:md5,35c16888bdda9dd254a978d3a7c9814e; reference:md5,40afe8c95a3517ad07d3700ad46c2664; reference:md5,229648443814814cde5f01bf0f577e29; reference:md5,35c16888bdda9dd254a978d3a7c9814e; classtype:command-and-control; sid:2037711; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id INSERT"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007243; classtype:web-application-attack; sid:2007243; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon APT Related Domain in DNS Lookup (bitsbfree .com)"; dns.query; content:"bitsbfree.com"; nocase; bsize:13; reference:md5,2e0056ab91c87f87257b137dfff8bbc7; reference:url,twitter.com/h2jazi/status/1545043931238346752; classtype:domain-c2; sid:2037712; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id DELETE"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007244; classtype:web-application-attack; sid:2007244; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.AutoHK.MT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/brume.php"; fast_pattern; endswith; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http.header_names; content:!"Referer"; http.request_body; content:"COMPUTA="; content:"USAR="; content:"VESPC="; reference:md5,32ce4a68224ce580b9d7c9c6d6f96422; classtype:trojan-activity; sid:2037716; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, malware_family TrojanDownloader_AutoHK, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ASCII"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007245; classtype:web-application-attack; sid:2007245; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT AlmondRAT CnC Checkin"; dsize:<150; flow:established,to_server; content:"|00 2a 00|"; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2a 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 20 00|"; fast_pattern; reference:url,www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh; classtype:trojan-activity; sid:2037717; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, malware_family AlmondRAT, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007246; classtype:web-application-attack; sid:2007246; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT ZxxZ Downloader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"profiles.php?profiles="; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh; classtype:trojan-activity; sid:2037718; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, malware_family ZxxZLoader, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007247; classtype:web-application-attack; sid:2007247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Domain in DNS Lookup (emshedulersvc .com)"; dns.query; content:"emshedulersvc.com"; nocase; bsize:17; reference:url,www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh; classtype:targeted-activity; sid:2037719; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007248; classtype:web-application-attack; sid:2007248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Domain in DNS Lookup (diyefosterfeeds .com)"; dns.query; content:"diyefosterfeeds.com"; nocase; bsize:19; reference:url,www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh; classtype:targeted-activity; sid:2037720; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage INSERT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007249; classtype:web-application-attack; sid:2007249; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Bitter APT Domain in DNS Lookup (huandocimama .com)"; dns.query; content:"huandocimama.com"; nocase; bsize:16; reference:url,www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh; classtype:targeted-activity; sid:2037721; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage DELETE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007250; classtype:web-application-attack; sid:2007250; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/field-keywords/"; fast_pattern; http.cookie; content:"PREF=ID="; startswith; http.user_agent; content:"_"; reference:url,cert.gov.ua/article/619229; reference:url,twitter.com/h2jazi/status/1544368077286039552; reference:md5,28f18fc7d9a0ab530742c2314cbd5c32; classtype:trojan-activity; sid:2037713; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family TA471, malware_family UNC2589, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ASCII"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007251; classtype:web-application-attack; sid:2007251; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA471/UNC2589 Related Domain in DNS Lookup (skreatortemp .site)"; dns.query; content:"skreatortemp.site"; nocase; bsize:17; reference:url,twitter.com/h2jazi/status/1544368077286039552; reference:url,cert.gov.ua/article/619229; reference:md5,28f18fc7d9a0ab530742c2314cbd5c32; classtype:domain-c2; sid:2037714; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category MALWARE, malware_family TA471, malware_family UNC2589, signature_severity Major, updated_at 2022_07_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007252; classtype:web-application-attack; sid:2007252; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Agent.RXP Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/odin.php?chatid="; startswith; content:"&compname="; distance:0; content:"&adr="; distance:0; http.request_body; content:"filename|3d 22|odinreport.zip|22|"; fast_pattern; reference:md5,3abdac6f1de69d5b87e6ee2bc4a1c301; classtype:credential-theft; sid:2037729; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007253; classtype:web-application-attack; sid:2007253; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Agent.AES Zipped Exfil"; flow:established,to_server; http.request_line; content:"POST|20|/|20|"; http.request_body; content:"file=UEs"; startswith; fast_pattern; content:"SW5mby50eHS"; distance:0; reference:md5,654dc14b15a14182f7bd0b73aae7fc79; classtype:credential-theft; sid:2037730; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007254; classtype:web-application-attack; sid:2007254; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Agent.DYS Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/c?uid="; startswith; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary|3d|"; http.request_body; content:"filename|3d 22|Screenshot.bmp|22|"; reference:md5,a101aebd7e97dba97311cde683a64a32; classtype:trojan-activity; sid:2037731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby INSERT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007255; classtype:web-application-attack; sid:2007255; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CN Based APT Related Domain in DNS Lookup (supportteam .lingrevelat .com)"; dns.query; content:"supportteam.lingrevelat.com"; nocase; bsize:27; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:domain-c2; sid:2037723; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category MALWARE, malware_family TontoTeam, malware_family TA459, signature_severity Major, updated_at 2022_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby DELETE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007256; classtype:web-application-attack; sid:2007256; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CN Based APT Related Domain in DNS Lookup (news .wooordhunts .com)"; dns.query; content:"news.wooordhunts.com"; nocase; bsize:20; reference:md5,543bb103b8ad231ca53f6c1eb369c094; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:domain-c2; sid:2037724; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category MALWARE, malware_family TontoTeam, malware_family TA459, signature_severity Major, updated_at 2022_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ASCII"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007257; classtype:web-application-attack; sid:2007257; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CN Based APT Related Domain in DNS Lookup (instructor .giize .com)"; dns.query; content:"instructor.giize.com"; nocase; bsize:20; reference:md5,6560f5f22eb315da41df8652a772dbcd; reference:url,www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/; classtype:domain-c2; sid:2037726; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category MALWARE, malware_family TontoTeam, malware_family TA459, signature_severity Major, updated_at 2022_07_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007258; classtype:web-application-attack; sid:2007258; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoMercy Stealer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/a?uid="; startswith; content:"version=NoMercy-v"; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features; classtype:trojan-activity; sid:2037738; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, malware_family NoMercy_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage SELECT"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007259; classtype:web-application-attack; sid:2007259; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoMercy Data Exfiltration M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b?sysinfocli"; fast_pattern; startswith; content:"uid="; content:"version="; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features; classtype:trojan-activity; sid:2037739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UNION SELECT"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007260; classtype:web-application-attack; sid:2007260; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NoMercy Data Exfiltration M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b?sysinfoother"; fast_pattern; startswith; content:"uid="; content:"version="; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features; classtype:trojan-activity; sid:2037740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, malware_family NoMercy_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage INSERT"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007261; classtype:web-application-attack; sid:2007261; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiveRAT CnC Activity M2"; flow:established,to_server; dsize:<300; content:"|5b 50 61 73 73 77|"; offset:2; depth:6; fast_pattern; threshold:type both, count 10, seconds 60, track by_src; reference:md5,4ae4ab4a84a78e5b00b5edf0941d4354; classtype:command-and-control; sid:2037734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, malware_family FirebirdRAT, signature_severity Major, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage DELETE"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007262; classtype:web-application-attack; sid:2007262; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/field-keywords/"; endswith; fast_pattern; http.cookie; content:"PREF=ID="; startswith; pcre:"/^[A-Za-z0-9]{262}$/R"; http.header_names; content:!"Referer"; reference:md5,52c5b5e9a2ec443769dba5f44c83d7de; reference:url,cert.gov.ua/article/703548; reference:url,twitter.com/h2jazi/status/1546501374350868481; classtype:trojan-activity; sid:2037735; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family TA471, malware_family UNC2589, signature_severity Major, updated_at 2022_07_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ASCII"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007263; classtype:web-application-attack; sid:2007263; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (syriahr .eu)"; dns.query; content:"syriahr.eu"; nocase; bsize:10; reference:md5,52c5b5e9a2ec443769dba5f44c83d7de; reference:url,twitter.com/h2jazi/status/1546501371725320193; reference:url,cert.gov.ua/article/703548; classtype:domain-c2; sid:2037736; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007264; classtype:web-application-attack; sid:2007264; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=www.cas.lcc.llrn.me"; fast_pattern; classtype:domain-c2; sid:2037732; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007265; classtype:web-application-attack; sid:2007265; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=reun.me"; fast_pattern; classtype:domain-c2; sid:2037733; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007267; classtype:web-application-attack; sid:2007267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RecordBreaker CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer"; http.request_body; content:"machineId="; fast_pattern; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}\|/R"; content:"configId="; pcre:"/^[a-f0-9]{32}/R"; reference:md5,f75f596f7a0369717476f304eef7fe9b; classtype:trojan-activity; sid:2036934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_08, deployment Perimeter, former_category MALWARE, malware_family RecordBreaker, performance_impact Low, signature_severity Major, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007268; classtype:web-application-attack; sid:2007268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.CTK Checkin"; flow:established,to_server; content:"861gLc"; startswith; content:"AnK"; distance:0; content:"AnK"; distance:0; content:"AnK1.2901AnK0901AnK"; endswith; fast_pattern; reference:md5,8b964c81520445c89f337bab7afe5329; classtype:trojan-activity; sid:2037750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007269; classtype:web-application-attack; sid:2007269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Files Stealer CnC Exfil Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?Chatid="; http.content_type; content:"multipart/form-data|3b 20|boundary=|22|"; startswith; content:"|2d|"; distance:8; within:1; content:"|2d|4"; distance:4; within:2; content:"|2d|"; distance:3; within:1; content:"|2d|"; distance:4; within:1; content:"|22|"; distance:12; within:1; bsize:68; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d|file|3b 20|filename|3d|q|3b 20|filename|2a 3d|utf|2d|8|27 27|q|0d 0a 0d 0a|PK|03 04|"; fast_pattern; reference:md5,c128193024853118bd07d4a4e89200bf; classtype:command-and-control; sid:2037743; rev:1; metadata:created_at 2022_07_12, former_category MALWARE, updated_at 2022_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007270; classtype:web-application-attack; sid:2007270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/PSW.Discord.AIY CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/v9/users/"; startswith; http.host; content:"discord.com"; http.user_agent; content:"kath"; bsize:4; http.header_names; content:"content-type|0d 0a|user-Agent|0d 0a|Authorization|0d 0a 0d 0a|"; bsize:43; fast_pattern; reference:md5,2ed86e80ea9b4b95b3e52ed77ea6c401; reference:url,cloudsek.com/yourcyanide-an-investigation-into-the-frankenstein-ransomware-that-sends-malware-laced-love-letters/; classtype:trojan-activity; sid:2037746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007271; classtype:web-application-attack; sid:2007271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Connection To Known Sinkhole Domain sinkdns.org"; flow:to_server,established; http.host; content:".sinkdns.org"; pcre:"/^(\x3a\d{1,5})?$/R"; classtype:trojan-activity; sid:2017838; rev:4; metadata:created_at 2013_12_12, former_category MALWARE, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007272; classtype:web-application-attack; sid:2007272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /api/v2/login HTTP/1.1"; fast_pattern; http.referer; content:"code.jquery.com"; http.cookie; content:"__cfduid="; startswith; pcre:"/^[A-Za-z0-9-_]{171}$/R"; reference:url,isc.sans.edu/diary/rss/28824; reference:md5,0842c91746d69e9c14e51425d1ceca3f; classtype:trojan-activity; sid:2037745; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_07_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007273; classtype:web-application-attack; sid:2007273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Sinkhole banner"; flow:established,to_client; http.header; content:"Server|3a 20|You got served|21|"; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2013/12/30/detecting-sinkholed-domains-in-your-environment; classtype:trojan-activity; sid:2018117; rev:5; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007274; classtype:web-application-attack; sid:2007274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host)"; dns.query; content:"torpig-sinkhole.org"; nocase; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:8; metadata:created_at 2012_10_18, updated_at 2022_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007275; classtype:web-application-attack; sid:2007275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http 195.22.26.192/26 any -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks Sinkhole HTTP Response - 195.22.26.192/26"; flow:established,to_client; http.header; content:"Server|3A|HTTPServerX"; file.data; content:"14|0D 0A|"; within:4; content:"|0D 0A|0|0D 0A 0D 0A|"; distance:0; classtype:trojan-activity; sid:2019630; rev:4; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_05_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007276; classtype:web-application-attack; sid:2007276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Agent.qwiakk CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/upload|20|"; startswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"|2e|yaml|22|"; content:"userName|3a 20|"; content:"userDir|3a 20|"; content:"memSize|3a 20|"; content:"processlist|3a 0a 20|"; fast_pattern; reference:md5,c2e7680c73e6bfdc773a1c3a4895d04f; classtype:trojan-activity; sid:2037760; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007278; classtype:web-application-attack; sid:2007278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=login.ezproxy.uniroma1.rvit.me"; fast_pattern; classtype:domain-c2; sid:2037752; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_13, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007279; classtype:web-application-attack; sid:2007279; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HackTool.Agent.CS SMTP Scanner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ssa/scan.php"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2037754; rev:1; metadata:attack_target SMTP_Server, created_at 2022_07_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007280; classtype:web-application-attack; sid:2007280; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HackTool.Agent.CS SMTP activity"; flow:established,to_server; content:"|7c 7c 7c|hhjjkk"; fast_pattern; threshold: type limit, count 5, seconds 300, track by_src; classtype:trojan-activity; sid:2037755; rev:1; metadata:attack_target SMTP_Server, created_at 2022_07_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007281; classtype:web-application-attack; sid:2007281; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 131.253.18.11-12"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:7; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007282; classtype:web-application-attack; sid:2007282; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:3; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClipShare Pro channel_detail.php chid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/channel_detail.php?"; nocase; content:"chid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32311; reference:url,milw0rm.com/exploits/7128; reference:url,doc.emergingthreats.net/2008866; classtype:web-application-attack; sid:2008866; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:3; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID SELECT"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004875; classtype:web-application-attack; sid:2004875; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:5; metadata:created_at 2012_12_28, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004876; classtype:web-application-attack; sid:2004876; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis - 195.22.26.192/26"; content:"|00 01 00 01|"; content:"|00 04 c3 16 1a|"; distance:4; within:5; byte_test:1,>,224,0,relative; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:2018455; rev:6; metadata:created_at 2014_05_08, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID INSERT"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004877; classtype:web-application-attack; sid:2004877; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain"; content:"|00 01 00 01|"; content:"|00 04 cc 5f 63|"; distance:4; within:5; classtype:trojan-activity; sid:2018642; rev:3; metadata:created_at 2014_07_04, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID DELETE"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004878; classtype:web-application-attack; sid:2004878; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - IP - 161.69.13.44"; content:"|00 01 00 01|"; content:"|00 04 A1 45 0D 2C|"; distance:4; within:6; content:!"|07|sa-live|03|com"; classtype:trojan-activity; sid:2019508; rev:4; metadata:created_at 2014_10_27, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ASCII"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004879; classtype:web-application-attack; sid:2004879; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Vobus/Beebone Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 2E F4 15 04|"; distance:4; within:6; reference:url,trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/operation-source-botnet-takedown-trend-micro-solutions; classtype:trojan-activity; sid:2020889; rev:2; metadata:created_at 2015_04_11, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004880; classtype:web-application-attack; sid:2004880; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Kaspersky Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 5F D3 AC 8F|"; distance:4; within:6; classtype:trojan-activity; sid:2021021; rev:2; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct SELECT"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006504; classtype:web-application-attack; sid:2006504; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns any any -> $HOME_NET any (msg:"ET MALWARE Wapack Labs Sinkhole DNS Reply"; content:"|00 01 00 01|"; content:"|00 04 17 FD 2E 40|"; distance:4; within:6; classtype:trojan-activity; sid:2021022; rev:2; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UNION SELECT"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006505; classtype:web-application-attack; sid:2006505; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns any any -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67"; content:"|00 01 00 01|"; content:"|00 04 23 cd 3d 43|"; distance:4; within:6; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; reference:url,travisgreen.net/2019/08/13/anubis-sinhole.html; classtype:trojan-activity; sid:2031197; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2022_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct INSERT"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006506; classtype:web-application-attack; sid:2006506; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown APT Related Domain in DNS Lookup"; dns.query; content:"shophumm.info"; nocase; bsize:13; reference:md5,061c2429bc058a78cb558479dadc1ee0; reference:url,twitter.com/ShadowChasing1/status/1547193155707355137; classtype:domain-c2; sid:2037762; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct DELETE"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006507; classtype:web-application-attack; sid:2006507; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/TrojanDropper.Agent.OHE CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/root.json|20|"; startswith; http.request_body; content:"|7b 22|useragent|22 3a 22|"; startswith; fast_pattern; content:"|2c 22|path|22 3a 22|"; distance:0; content:"|22 2c 22|time|22 3a|"; distance:0; content:"|2c 22|ip|22 3a 22|"; distance:0; content:"|22 2c 22|xf|22 3a 22|"; distance:0; reference:md5,f5a9d696828051d4487dde248a973658; classtype:trojan-activity; sid:2037769; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ASCII"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006508; classtype:web-application-attack; sid:2006508; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/H0lyGh0st Ransomware CnC Activity (GET Public Key)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/access.php?order=GetPubkey"; startswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1";bsize:18; http.header_names; content:!"Referer"; reference:url,microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware; classtype:trojan-activity; sid:2037766; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006509; classtype:web-application-attack; sid:2006509; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/H0lyGh0st Ransomware Exfil Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/access.php?order=golc_"; startswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; bsize:18; http.header_names; content:!"Referer"; reference:url,microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/; classtype:trojan-activity; sid:2037767; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004636; classtype:web-application-attack; sid:2004636; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to webcodez .com"; dns.query; dotprefix; content:".webcodez.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031388; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004637; classtype:web-application-attack; sid:2004637; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/H0lyGh0st Ransomware CnC Response"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; http.response_body; content:"Key upload Success"; endswith; bsize:18; fast_pattern; http.content_len; content:"18"; bsize:2; http.content_type; content:"text/html"; startswith; reference:url,microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/; classtype:trojan-activity; sid:2037768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004638; classtype:web-application-attack; sid:2004638; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)"; flow:established,to_client; stream_size:server,=,13; dsize:12; content:"|09 12 3b 42|"; depth:4; fast_pattern; content:"|33 a2 44|"; distance:1; within:3; content:"|01 86 73|"; distance:1; within:3; reference:md5,48ad0ffe0b3209700f2b2d73cf2777dc; classtype:command-and-control; sid:2036735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category MALWARE, malware_family AveMariaRAT, signature_severity Major, updated_at 2022_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004639; classtype:web-application-attack; sid:2004639; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacapew CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?email="; startswith; fast_pattern; content:"&username="; distance:0; content:"&step=1"; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a 0d 0a|"; bsize:18; reference:md5,ef1c77617df492026014607785d8fabf; classtype:trojan-activity; sid:2037776; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004640; classtype:web-application-attack; sid:2004640; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-23 Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"btst="; startswith; fast_pattern; pcre:"/\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,f9854aa5bc138498a12af8a45f89dd84; classtype:trojan-activity; sid:2033198; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CommonSpot Server longproc.cfm Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/commonspot/utilities/longproc.cfm?"; nocase; content:"onlyurlvars="; nocase; content:"url="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:bugtraq,37986; reference:url,doc.emergingthreats.net/2010988; classtype:web-application-attack; sid:2010988; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst"; flow:established,to_client; http.cookie; content:"btst="; startswith; fast_pattern; pcre:"/^[a-f0-9]{32}\x7c\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x7c/R"; classtype:trojan-activity; sid:2037771; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Community CMS view.php article_id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view.php?"; nocase; content:"article_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34303; reference:url,milw0rm.com/exploits/8323; reference:url,doc.emergingthreats.net/2009787; classtype:web-application-attack; sid:2009787; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Hiloti DNS Checkin Message explorer_exe"; dns.query; content:"explorer_exe"; fast_pattern; nocase; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:command-and-control; sid:2012781; rev:4; metadata:created_at 2011_05_03, former_category MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/siteminderagent/forms/smpwservices.fcc"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:cve,2007-5923; reference:url,www.securityfocus.com/bid/26375/info; reference:url,doc.emergingthreats.net/2010200; classtype:web-application-attack; sid:2010200; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Possible FakeAV Domain"; dns.query; content:"antiv"; fast_pattern; nocase; classtype:bad-unknown; sid:2012786; rev:2; metadata:created_at 2011_05_04, former_category MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Comtrend ADSL Router srvName parameter XSS attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scvrtsrv.cmd?"; nocase; content:"srvName="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstorm.foofus.com/1001-exploits/comtrend-xss.txt; reference:url,xforce.iss.net/xforce/xfdb/47765; reference:url,doc.emergingthreats.net/2011019; classtype:web-application-attack; sid:2011019; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Backdoor Win32/IRCbot.FJ Cnc connection dns lookup"; dns.query; content:"minerva.cdmon.org"; fast_pattern; nocase; bsize:17; reference:url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ; reference:url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html; reference:md5,13e43c44681ba9acb8fd42217bd3dbd2; classtype:command-and-control; sid:2013187; rev:2; metadata:created_at 2011_07_05, former_category MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004705; classtype:web-application-attack; sid:2004705; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Potential DNS Command and Control via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013514; rev:3; metadata:created_at 2011_09_02, former_category MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004706; classtype:web-application-attack; sid:2004706; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; dns.query; content:".ru"; nocase; endswith; pcre:"/^(?:([a-z0-9])(?!\1)){33,}\.ru$/"; classtype:command-and-control; sid:2014363; rev:9; metadata:created_at 2012_03_13, former_category MALWARE, performance_impact Significant, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004707; classtype:web-application-attack; sid:2004707; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/H0lyGh0st CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"boundary=---------------------------3819074751749789153841466081|0d 0a|"; fast_pattern; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|uploadFile|22 3b|filename|3d|"; http.header_names; content:!"Referer"; reference:url,microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/; classtype:trojan-activity; sid:2037774; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004708; classtype:web-application-attack; sid:2004708; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Wacapew.C!ml CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?cname="; startswith; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:md5,7f939b3ba32224827485168077881948; classtype:command-and-control; sid:2037777; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004709; classtype:web-application-attack; sid:2004709; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain (adbullion .com) 09/26/12"; dns.query; dotprefix; content:".adbullion.com"; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2015741; rev:5; metadata:created_at 2012_09_27, former_category MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004710; classtype:web-application-attack; sid:2004710; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ebury SSH Rootkit data exfiltration"; content:"|12 0b 01 00 00 01|"; depth:6; pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; reference:url,cert-bund.de/ebury-faq; classtype:trojan-activity; sid:2018164; rev:2; metadata:created_at 2014_02_21, former_category MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004711; classtype:web-application-attack; sid:2004711; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Upatre DNS Query (jamco .com .pk)"; dns.query; content:"jamco.com.pk"; fast_pattern; nocase; bsize:12; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2015_04_07, former_category MALWARE, malware_family Upatre, signature_severity Critical, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004712; classtype:web-application-attack; sid:2004712; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sality.NBA CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/EcomGxhServer/st/receiveclient?cver="; startswith; fast_pattern; content:"&ver="; distance:0; content:"&cid="; distance:0; content:"&uid="; distance:0; http.request_body; content:"&data=ewogICAiZGVmYnJvd3NlciIgOiAi"; startswith; reference:md5,002d6977d8d62ad9c410db8501b8bdfa; classtype:trojan-activity; sid:2037784; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004715; classtype:web-application-attack; sid:2004715; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (wpsup .daj8 .me)"; dns.query; content:"wpsup.daj8.me"; nocase; bsize:13; reference:url,twitter.com/dark0pcodes/status/1547955372295479298; reference:md5,5bbd65399200ad5295d9cecbadcc6bc5; classtype:domain-c2; sid:2037780; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004716; classtype:web-application-attack; sid:2004716; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (wps .daj8 .me)"; dns.query; content:"wps.daj8.me"; nocase; bsize:11; reference:url,twitter.com/dark0pcodes/status/1547955372295479298; reference:md5,5bbd65399200ad5295d9cecbadcc6bc5; classtype:domain-c2; sid:2037781; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/verify/asp/n6plugindestructor.asp?"; nocase; content:"backurl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39999; reference:url,juniper.net/security/auto/vulnerabilities/vuln39999.html; reference:url,doc.emergingthreats.net/2011152; classtype:web-application-attack; sid:2011152; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=*.libun.me"; fast_pattern; classtype:domain-c2; sid:2037778; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007336; classtype:web-application-attack; sid:2007336; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=rnedu.me"; fast_pattern; classtype:domain-c2; sid:2037779; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007337; classtype:web-application-attack; sid:2007337; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+#alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Unknown CnC DGA Domain (defmaybe .com) 09/25/12"; dns.query; dotprefix; content:"defmaybe.com"; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2015736; rev:5; metadata:created_at 2012_09_26, former_category MALWARE, updated_at 2022_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007338; classtype:web-application-attack; sid:2007338; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS.SocGholish CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".png"; endswith; http.content_len; content:"15"; bsize:2; http.request_body; content:"0="; startswith; content:"&1="; distance:1; within:3; fast_pattern; content:"&2="; distance:3; within:3; isdataat:!4,relative; pcre:"/^(?:0\x3d\w\x261\x3d\d{3}\x262\x3d\d{3})$/"; http.header_names; content:!"Referer"; reference:md5,4fcc9569ca63cb2f5777954ac4c9290f; reference:url,twitter.com/mossdinger/status/1549327792122527745; classtype:trojan-activity; sid:2037789; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SocGholish, signature_severity Major, updated_at 2022_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007339; classtype:web-application-attack; sid:2007339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MSIL.Heracles Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/onlineserial.aspx?TYPE=GetRegSerial&machinCode="; startswith; fast_pattern; content:"&soft="; distance:0; content:"&computerName="; distance:0; content:"&userName="; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,4263294773ac7b794c8f7205967db4b0; classtype:trojan-activity; sid:2037799; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007340; classtype:web-application-attack; sid:2007340; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChromeLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/redsync"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|dd|0d 0a|"; reference:url,unit42.paloaltonetworks.com/chromeloader-malware/; classtype:trojan-activity; sid:2037793; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ChromeLoader, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007341; classtype:web-application-attack; sid:2007341; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (ksew .kpt-gov .org)"; dns.query; content:"ksew.kpt-gov.org"; nocase; bsize:16; reference:url,twitter.com/h2jazi/status/1549762807624880128; reference:md5,1ab1b0b87a2928d0b6c6f60f036196ce; classtype:domain-c2; sid:2037794; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id SELECT"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006303; classtype:web-application-attack; sid:2006303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (crossfity .com)"; dns.query; dotprefix; content:".crossfity.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/; classtype:trojan-activity; sid:2037795; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, former_category MALWARE, malware_family APT29, malware_family Cloaked_Ursa, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006304; classtype:web-application-attack; sid:2006304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (techspaceinfo .com)"; dns.query; dotprefix; content:".techspaceinfo.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/; classtype:trojan-activity; sid:2037796; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, former_category MALWARE, malware_family APT29, malware_family Cloaked_Ursa, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id INSERT"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006305; classtype:web-application-attack; sid:2006305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/CloakedUrsa Google Drive Authentication (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/token"; bsize:6; endswith; http.user_agent; content:"google|2d|api|2d|dotnet|2d|client"; startswith; http.host; content:"oauth2.googleapis.com"; http.header; content:"refresh_token=1//0czAXEdbKrikVCgYIARAAGAwSNwF-L9IrjcOVo9aYPFogMEutV6W3cSJMh195N7Ty2cHvtpXf3FNQ9QKDHwN5SKG9FmrMSw5fnsI&grant_type=refresh_token&client_id=477421423157-doqkohd8ihvnpgtsnbld4e4kd1lbs01b.apps.googleusercontent.com&client_secret=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"; fast_pattern; reference:url,twitter.com/mossdinger/status/1549327792122527745; classtype:trojan-activity; sid:2037797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT29, malware_family Cloaked_Ursa, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id DELETE"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006306; classtype:web-application-attack; sid:2006306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Domain (3qbyaoohkcqkzrz6)"; dns.query; content:"3qbyaoohkcqkzrz6"; fast_pattern; nocase; startswith; classtype:trojan-activity; sid:2022647; rev:4; metadata:created_at 2016_03_23, former_category MALWARE, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ASCII"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006307; classtype:web-application-attack; sid:2006307; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTML/TrojanDropper.Agent.T Payload Inbound"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c 21|DOCTYPE|20|html|3e|"; startswith; content:"|5b|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|17|2c|"; distance:148; within:60; fast_pattern; reference:url,unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/; reference:md5,5f6d2af2392a37fae04c0f8c911ccc00; classtype:trojan-activity; sid:2037798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT29, malware_family Cloaked_Ursa, signature_severity Major, updated_at 2022_07_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006308; classtype:web-application-attack; sid:2006308; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA444 Related Domain in DNS Lookup (documentworkspace .io)"; dns.query; dotprefix; content:".documentworkspace.io"; nocase; endswith; reference:url,twitter.com/h2jazi/status/1549780561551675393; reference:md5,d13eb9a69a59001de27db3af7589f5c0; reference:md5,a727ec19eae848a554cbe9cb90dcaf1b; classtype:domain-c2; sid:2037802; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category MALWARE, malware_family TA444, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004809; classtype:web-application-attack; sid:2004809; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA444 Related Domain in DNS Lookup (fclouddown .co)"; dns.query; dotprefix; content:".fclouddown.co"; nocase; endswith; reference:url,twitter.com/h2jazi/status/1549780561551675393; reference:md5,d13eb9a69a59001de27db3af7589f5c0; reference:md5,a727ec19eae848a554cbe9cb90dcaf1b; classtype:domain-c2; sid:2037803; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category MALWARE, malware_family TA444, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UNION SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004810; classtype:web-application-attack; sid:2004810; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA444 Related Domain in DNS Lookup (googlesheet .info)"; dns.query; dotprefix; content:".googlesheet.info"; nocase; endswith; reference:url,twitter.com/h2jazi/status/1549780561551675393; reference:md5,d13eb9a69a59001de27db3af7589f5c0; reference:md5,a727ec19eae848a554cbe9cb90dcaf1b; classtype:domain-c2; sid:2037804; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category MALWARE, malware_family TA444, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav INSERT"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004811; classtype:web-application-attack; sid:2004811; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Stealerium Stealer Checkin via Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"username=Stealerium"; startswith; content:"&content=%60%60%60%0a%f0%9f%98%b9+*Stealerium+-+Report%3a"; distance:0; fast_pattern; reference:md5,53b457a56e207d1f8aa761857acfdb9b; reference:url,twitter.com/petrovic082/status/1550007840005361664; classtype:trojan-activity; sid:2037800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category MALWARE, malware_family Stealerium, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav DELETE"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004812; classtype:web-application-attack; sid:2004812; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab253af862bb0 .com) Apr 2018"; dns.query; content:"ab253af862bb0.com"; fast_pattern; nocase; bsize:17; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024819; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ASCII"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004813; classtype:web-application-attack; sid:2004813; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (aba9a949bc1d .com) Mar 2017"; dns.query; content:"aba9a949bc1d.com"; fast_pattern; nocase; bsize:16; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024709; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004815; classtype:web-application-attack; sid:2004815; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab1b0eaa24bb6 .com) Jun 2018"; dns.query; content:"ab1b0eaa24bb6.com"; fast_pattern; nocase; bsize:17; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024821; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat SELECT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005841; classtype:web-application-attack; sid:2005841; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab33b8aa69bc4 .com) Oct 2018"; dns.query; content:"ab33b8aa69bc4.com"; fast_pattern; nocase; bsize:17; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024825; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005842; classtype:web-application-attack; sid:2005842; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (abf09fc5abba .com) Jul 2018"; dns.query; content:"abf09fc5abba.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024822; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005843; classtype:web-application-attack; sid:2005843; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (abce85a51bbd .com) Aug 2018"; dns.query; content:"abce85a51bbd.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024823; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat DELETE"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005844; classtype:web-application-attack; sid:2005844; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab23660730bca .com) Dec 2018"; dns.query; content:"ab23660730bca.com"; fast_pattern; nocase; bsize:17; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024827; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ASCII"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005845; classtype:web-application-attack; sid:2005845; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab2da3d400c20 .com)  Apr 2017"; dns.query; content:"ab2da3d400c20.com"; fast_pattern; nocase; bsize:17; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024710; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005846; classtype:web-application-attack; sid:2005846; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab1de19d80ae6 .com) in DNS Lookup"; dns.query; content:"ab1de19d80ae6.com"; nocase; bsize:17; reference:md5,ef694b89ad7addb9a16bb6f26f1efaf7; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2031206; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.user_agent; content:"inspath [path disclosure finder"; startswith; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:5; metadata:created_at 2010_10_13, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab2d02b02bb3 .com) May 2018"; dns.query; content:"ab2d02b02bb3.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024820; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005847; classtype:web-application-attack; sid:2005847; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab99c24c0ba9 .com) Feb 2018"; dns.query; content:"ab99c24c0ba9.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024817; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UNION SELECT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005848; classtype:web-application-attack; sid:2005848; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (abccc097dbc0.com) Sep 2018"; dns.query; content:"abccc097dbc0.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024824; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid INSERT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005849; classtype:web-application-attack; sid:2005849; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab3d685a0c37 .com) Nov 2017"; dns.query; content:"ab3d685a0c37.com"; fast_pattern; nocase; bsize:16; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024717; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ASCII"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005851; classtype:web-application-attack; sid:2005851; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab1145b758c30 .com) Sep 2017"; dns.query; content:"ab1145b758c30.com"; fast_pattern; nocase; bsize:17; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024715; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005852; classtype:web-application-attack; sid:2005852; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab1c403220c27 .com) Jun 2017"; dns.query; content:"ab1c403220c27.com"; fast_pattern; nocase; bsize:17; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024712; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start SELECT"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005853; classtype:web-application-attack; sid:2005853; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab1abad1d0c2a .com) Jul 2017"; dns.query; content:"ab1abad1d0c2a.com"; fast_pattern; nocase; bsize:17; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024713; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UNION SELECT"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005854; classtype:web-application-attack; sid:2005854; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab693f4c0bc7 .com) Nov 2018"; dns.query; content:"ab693f4c0bc7.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024826; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start DELETE"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005856; classtype:web-application-attack; sid:2005856; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab890e964c34 .com) Oct 2017"; dns.query; content:"ab890e964c34.com"; fast_pattern; nocase; bsize:16; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024716; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ASCII"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005857; classtype:web-application-attack; sid:2005857; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab8cee60c2d .com) Aug 2017"; dns.query; content:"ab8cee60c2d.com"; fast_pattern; nocase; bsize:15; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024714; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005858; classtype:web-application-attack; sid:2005858; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab2e1b782bad .com) Mar 2018"; dns.query; content:"ab2e1b782bad.com"; fast_pattern; nocase; bsize:16; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024818; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid SELECT"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005859; classtype:web-application-attack; sid:2005859; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab6d54340c1a .com) Feb 2017"; dns.query; content:"ab6d54340c1a.com"; fast_pattern; nocase; bsize:16; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024708; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UNION SELECT"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005860; classtype:web-application-attack; sid:2005860; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab70a139cc3a.com) Dec 2017"; dns.query; content:"ab70a139cc3a.com"; fast_pattern; nocase; bsize:16; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid INSERT"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005861; classtype:web-application-attack; sid:2005861; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab3c2b0d28ba6 .com) Jan 2018"; dns.query; content:"ab3c2b0d28ba6.com"; fast_pattern; nocase; bsize:17; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024816; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid DELETE"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005862; classtype:web-application-attack; sid:2005862; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain (ab3520430c23 .com) May 2017"; dns.query; content:"ab3520430c23.com"; fast_pattern; nocase; bsize:16; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024711; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid ASCII"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005863; classtype:web-application-attack; sid:2005863; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shrine.A CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/info|20|"; http.request_body; content:"data|3d 7b 22|Hostname|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|Username|22 3a 22|"; distance:0; content:"|22 2c 22|Platform|22 3a 22|"; distance:0; content:"|22 2c 22|Process|22 3a 22|"; distance:0; http.user_agent; content:"Go-http-client"; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,34aafe6b66e38e9582cafba003a25e97; classtype:trojan-activity; sid:2037806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005864; classtype:web-application-attack; sid:2005864; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)"; flow:established,to_client; stream_size:server,=,13; dsize:12; content:"|5a 6f 57 81|"; depth:4; fast_pattern; content:"|09 a4 b9|"; distance:1; within:3; content:"|e6 55 6f |"; distance:1; within:3; reference:md5,3bc9680077b50ad074e607b3ba700edc; reference:url,twitter.com/StopMalvertisin/status/1549826315884572672; classtype:command-and-control; sid:2037801; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category MALWARE, malware_family AveMariaRAT, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Business Objects Crystal Reports Web Form Viewer Directory Traversal Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/crystalreportviewers/crystalimagehandler.aspx?"; nocase; content:"dynamicimage="; nocase; reference:url,secunia.com/advisories/11803/; reference:bugtraq,10260; reference:url,doc.emergingthreats.net/2011113; classtype:web-application-attack; sid:2011113; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize:<100; content:"|01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 06 01 00 00 00|"; depth:22; fast_pattern; content:"|0b|"; endswith; reference:md5,ede8ebfc82463d1e7e6f29ca66f96514; classtype:command-and-control; sid:2029606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family Firebird, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php SELECT"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004035; classtype:web-application-attack; sid:2004035; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig QUADAGENT DNS Tunneling"; dns.query; content:"mail."; nocase; pcre:"/^\d{6}/Ri"; content:".cpuproc.com"; fast_pattern; nocase; endswith; bsize:23; threshold: type limit, count 1, seconds 60, track by_src; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:trojan-activity; sid:2025894; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004036; classtype:web-application-attack; sid:2004036; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Agent.CSS Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/stealer/"; startswith; fast_pattern; content:"?pwds="; distance:0; content:"&cards="; distance:0; content:"&user="; distance:0; content:"&comp="; distance:0; content:"&ip="; distance:0; http.user_agent; content:"OnionWClient"; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"Start|20|Date|3a 20|"; content:"Stub|20|Version|3a 20|"; distance:0; content:"Stub|20|Location|3a 20|"; distance:0; content:"|c2 bf 0a 0a|System|3a 0a 09|UserName|3a 20|"; distance:0; content:"|c2 be 0a 09|OSName|3a 20|"; distance:0; content:"Hardware|3a 0a 09|CPUName|3a 20|"; distance:0; reference:md5,c504c32724031c8f76df40b6b97c0338; classtype:trojan-activity; sid:2037812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php INSERT"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004037; classtype:web-application-attack; sid:2004037; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Payload Request"; flow:established,to_server; http.uri; content:"/extr/wave.php?st="; startswith; content:"|2a|"; distance:0; http.user_agent; content:"Windows Installer"; bsize:17; reference:md5,38bbbff31982b1e395b3437134c7cf69; reference:url,twitter.com/RedDrip7/status/1536989979229835265; classtype:trojan-activity; sid:2037809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php DELETE"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004038; classtype:web-application-attack; sid:2004038; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (0a0074066c49886a39b5a3072582f5d6 .net) in DNS Lookup"; dns.query; content:"0a0074066c49886a39b5a3072582f5d6.net"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024957; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004039; classtype:web-application-attack; sid:2004039; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (73780fbd309561e201a4aee9914d882d .org) in DNS Lookup"; dns.query; content:"73780fbd309561e201a4aee9914d882d.org"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024958; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004040; classtype:web-application-attack; sid:2004040; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (aaafc94b3a37b75ae9cb60afc42e86fe .org) in DNS Lookup"; dns.query; content:"aaafc94b3a37b75ae9cb60afc42e86fe.org"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024962; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/portfolio/css.php?"; nocase; content:"theme="; nocase; reference:cve,CVE-2008-6265; reference:bugtraq,32218; reference:url,vupen.com/english/advisories/2008/3070; reference:url,milw0rm.com/exploits/7065; reference:url,doc.emergingthreats.net/2009764; classtype:web-application-attack; sid:2009764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1 .com) in DNS Lookup"; dns.query; content:"cba4a6e5d3c956548a337c52388473f1.com"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024956; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010271; classtype:web-application-attack; sid:2010271; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (c13a856f4a879a89e9a638207efd6c94 .biz) in DNS Lookup"; dns.query; content:"c13a856f4a879a89e9a638207efd6c94.biz"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024963; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010272; classtype:web-application-attack; sid:2010272; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (dcb5684707f6c66492aaa9f7d9bfb5a6 .biz) in DNS Lookup"; dns.query; content:"dcb5684707f6c66492aaa9f7d9bfb5a6.biz"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024959; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010273; classtype:web-application-attack; sid:2010273; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (2fa3c2fa16c47d9b9bff8986a42b048f .com) in DNS Lookup"; dns.query; content:"2fa3c2fa16c47d9b9bff8986a42b048f.com"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024964; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010274; classtype:web-application-attack; sid:2010274; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (18bca7c5fd709ac468ba148c590ef6bf .net) in DNS Lookup"; dns.query; content:"18bca7c5fd709ac468ba148c590ef6bf.net"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024961; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010275; classtype:web-application-attack; sid:2010275; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (322ffbbc7c1b312c2f9d942f20422f8d .com) in DNS Lookup"; dns.query; content:"322ffbbc7c1b312c2f9d942f20422f8d.com"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024960; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004083; classtype:web-application-attack; sid:2004083; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE RouteX CnC Domain (3ec9b600789b3bacf2c72ebae142a9c3 .net) in DNS Lookup"; dns.query; content:"3ec9b600789b3bacf2c72ebae142a9c3.net"; fast_pattern; nocase; bsize:36; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024965; rev:5; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004084; classtype:web-application-attack; sid:2004084; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=*.slib.me"; fast_pattern; classtype:domain-c2; sid:2037807; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004085; classtype:web-application-attack; sid:2004085; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=login.cardiff.ac.erlib.me"; fast_pattern; classtype:domain-c2; sid:2037808; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004086; classtype:web-application-attack; sid:2004086; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc) in TLS SNI"; flow:established,to_server; tls.sni; content:"handbrake.cc"; bsize:12; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024893; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category MALWARE, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004087; classtype:web-application-attack; sid:2004087; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com) in DNS Lookup"; dns.query; content:"handbrakestore.com"; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024890; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category MALWARE, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004088; classtype:web-application-attack; sid:2004088; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc) in DNS Lookup"; dns.query; content:"handbrake.cc"; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024892; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category MALWARE, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004456; classtype:web-application-attack; sid:2004456; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in) in DNS Lookup"; dns.query; content:"eltima.in"; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024888; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category MALWARE, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004457; classtype:web-application-attack; sid:2004457; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE BadRabbit Ransomware Payment Onion Domain"; dns.query; content:"caforssztxqzf2nm."; fast_pattern; nocase; reference:md5,fbbdc39af1139aebba4da004475e8839; classtype:trojan-activity; sid:2024910; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_07_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004458; classtype:web-application-attack; sid:2004458; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup (paf-gov .org)"; dns.query; dotprefix; content:".paf-gov.org"; nocase; endswith; reference:url,twitter.com/h2jazi/status/1550524741202726919; reference:md5,af61b84ae374a1ab8f58850cdfcaf367; reference:md5,07f107cf0061a9640f4de376c4dee6de; classtype:domain-c2; sid:2037810; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_22, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004459; classtype:web-application-attack; sid:2004459; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .PNG With Embedded File (.sh)"; flow:established,to_client; http.content_type; content:"image/png"; startswith; http.response_body; content:"|89 50 4E 47 0D 0A 1A 0A|"; startswith; content:"|00 00 00 00 49 45 4E 44 AE 42 60 82 23 21 2f|bin|2f|sh"; distance:0; fast_pattern; reference:url,trendmicro.com/en_us/research/22/g/alibaba-oss-buckets-compromised-to-distribute-malicious-shell-sc.html; classtype:trojan-activity; sid:2037811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004460; classtype:web-application-attack; sid:2004460; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M1 (hl852 .com)"; dns.query; content:"hl852.com"; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024921; rev:6; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004684; classtype:web-application-attack; sid:2004684; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M2 (hl859 .com)"; dns.query; content:"hl859.com"; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024922; rev:6; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004685; classtype:web-application-attack; sid:2004685; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M3 (hi8529 .com)"; dns.query; content:"hi8520.com"; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024923; rev:6; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004686; classtype:web-application-attack; sid:2004686; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Downeks/Quasar DNS Lookup (moreoffer .life)"; dns.query; content:"moreoffer.life"; fast_pattern; nocase; bsize:14; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004687; classtype:web-application-attack; sid:2004687; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Downeks/Quasar DNS Lookup (ping .topsite .life)"; dns.query; content:"ping.topsite.life"; fast_pattern; nocase; bsize:17; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024938; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004688; classtype:web-application-attack; sid:2004688; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Downeks/Quasar DNS Lookup (download .data-server .cloudns .club)"; dns.query; content:"download.data-server.cloudns.club"; fast_pattern; nocase; bsize:34; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024937; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp SELECT"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006081; classtype:web-application-attack; sid:2006081; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Downeks/Quasar DNS Lookup (signup .updatesforme .club)"; dns.query; content:"signup.updatesforme.club"; fast_pattern; nocase; bsize:24; reference:url,securelist.com/gaza-cybergang-updated-2017-activity/82765/; classtype:trojan-activity; sid:2024939; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006082; classtype:web-application-attack; sid:2006082; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SunOrcal Reaver Domain Observed (tashdqdxp .com) in DNS Lookup"; dns.query; content:"tashdqdxp.com"; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2024986; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp DELETE"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006084; classtype:web-application-attack; sid:2006084; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SunOrcal Reaver Domain Observed (weryhstui .com) in DNS Lookup"; dns.query; content:"weryhstui.com"; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2024987; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ASCII"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006085; classtype:web-application-attack; sid:2006085; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SunOrcal Reaver Domain Observed (fyoutside .com) in DNS Lookup"; dns.query; content:"fyoutside.com"; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2024988; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006086; classtype:web-application-attack; sid:2006086; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE SunOrcal Reaver Domain Observed (olinaodi .com) in DNS Lookup"; dns.query; content:"olinaodi.com"; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2024989; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006087; classtype:web-application-attack; sid:2006087; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE 8220 Gang Related Domain in DNS Lookup (onlypirate .top)"; dns.query; dotprefix; content:".onlypirate.top"; nocase; endswith; reference:url,www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/; classtype:domain-c2; sid:2037815; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, malware_family 8220Gang, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; classtype:web-application-attack; sid:2006088; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE 8220 Gang Related Domain in DNS Lookup (letmaker .top)"; dns.query; dotprefix; content:".letmaker.top"; nocase; endswith; reference:url,www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/; classtype:domain-c2; sid:2037816; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, malware_family 8220Gang, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006089; classtype:web-application-attack; sid:2006089; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE 8220 Gang Related Domain in DNS Lookup (oracleservice .top)"; dns.query; dotprefix; content:".oracleservice.top"; nocase; endswith; reference:url,www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/; classtype:domain-c2; sid:2037817; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, malware_family 8220Gang, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp DELETE"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006090; classtype:web-application-attack; sid:2006090; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Maldoc CnC Activity (2022-07-25)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bin/KommDatenGEG.pl?user="; startswith; fast_pattern; content:"&rechner="; distance:0; content:"&rnd="; distance:0; http.header_names; content:"UA-CPU"; reference:md5,2cdae46b94ef33d20a8ace6d4d8cae56; classtype:command-and-control; sid:2037821; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ASCII"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006091; classtype:web-application-attack; sid:2006091; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 3496 (msg:"ET MALWARE Win32/Kryptik.GSKY CnC Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|45 36 27 18|"; startswith; fast_pattern; content:"|23|"; distance:0; content:"Api"; distance:0; reference:md5,0d6118f766b0d75a5085bced64793d76; classtype:command-and-control; sid:2037822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006092; classtype:web-application-attack; sid:2006092; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Loli Stealer CnC Domain in DNS Lookup (webstealer .ru)"; dns.query; content:"webstealer.ru"; nocase; bsize:13; reference:url,twitter.com/Finch39487976/status/1550885316931850241; classtype:domain-c2; sid:2037813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006094; classtype:web-application-attack; sid:2006094; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Loli Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client"; startswith; http.request_body; content:"PassworldX="; startswith; content:"&TegX="; content:"&chatID="; content:"&coockiesX="; fast_pattern; content:"&grabfiles="; content:"&tgstat="; content:"&wallets="; content:"&zipx="; reference:url,twitter.com/Finch39487976/status/1550885316931850241; classtype:trojan-activity; sid:2037814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_07_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp INSERT"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006095; classtype:web-application-attack; sid:2006095; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE VBS/Agent.6B29!tr CnC Checkin"; flow:established,to_server; content:"|09 00|"; startswith; content:"|00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 00|"; distance:5; within:40; fast_pattern; isdataat:!2,relative; reference:md5,4afc35c79e8478d06beb5729534067d8; reference:url,twitter.com/James_inthe_box/status/1550569477439270912; classtype:trojan-activity; sid:2037818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp DELETE"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006096; classtype:web-application-attack; sid:2006096; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.QPK CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/windata/shopx.php?fol="; startswith; fast_pattern; content:"&ac="; distance:0; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,92efa9a889e35d5e5eb8195b5afb5e10; classtype:command-and-control; sid:2037834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ASCII"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006097; classtype:web-application-attack; sid:2006097; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=logon.bradley.zedu.me"; fast_pattern; classtype:domain-c2; sid:2037823; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006098; classtype:web-application-attack; sid:2006098; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=www.logon.bradley.ledu.me"; fast_pattern; classtype:domain-c2; sid:2037824; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006099; classtype:web-application-attack; sid:2006099; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (SilentLibrarian)"; flow:from_server,established; tls.cert_subject; content:"CN=rvedu.me"; fast_pattern; classtype:domain-c2; sid:2037825; rev:1; metadata:attack_target Client_and_Server, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, malware_family SilentLibrarian, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_07_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006100; classtype:web-application-attack; sid:2006100; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VB.NBI CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/soap/"; startswith; content:".php"; endswith; http.request_body; content:"|3c 3f|xml|20|version|3d 22|1|2e|0|22 20|encoding|3d 22|UTF|2d|8|22 3f 3e|"; startswith; content:"|22 3e 3c|username|20|"; distance:0; content:"|3c 2f|username|3e 3c|password|20|"; distance:0; fast_pattern; reference:md5,42691347a0ba4a593ffe3a230c579a77; classtype:command-and-control; sid:2037835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent INSERT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006101; classtype:web-application-attack; sid:2006101; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/guess/presented.xml"; fast_pattern; startswith; http.header_names; content:!"Referer"; reference:url,twitter.com/souiten/status/1551775083340779521; reference:md5,6afec7a8806a7befccd6938137a39495; classtype:trojan-activity; sid:2037826; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent DELETE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006102; classtype:web-application-attack; sid:2006102; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/see/guilty.xml"; fast_pattern; startswith; http.header_names; content:!"Referer"; reference:url,twitter.com/souiten/status/1551775083340779521; reference:md5,ee3661a8a6a1acf33e53f52a1e3a5533; classtype:trojan-activity; sid:2037827; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_07_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ASCII"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006103; classtype:web-application-attack; sid:2006103; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/eso.jpg"; bsize:24; fast_pattern; http.connection; content:"Close"; bsize:5; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|6|2e|1|3b 20|WOW64|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|47|2e|0|2e|2526|2e|111|20|Safari|2f|537|2e|36"; bsize:109; http.header_names; content:!"Referer"; reference:md5,b2a682b8fe731d3c9a97b8fbf1cd84ae; reference:url,malware-traffic-analysis.net/2022/07/25/index.html; classtype:trojan-activity; sid:2037829; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006104; classtype:web-application-attack; sid:2006104; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/na.png"; bsize:23; fast_pattern; http.connection; content:"Close"; bsize:5; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|10|2e|0|3b 20|Win64|3b 20|x64|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|42|2e|0|2e|2311|2e|135|20|Safari|2f|537|2e|36|20|Edge|2f|12|2e|246"; bsize:127; http.header_names; content:!"Referer"; reference:md5,544107beb5ab8c894253576d2cef1b0c; reference:url,malware-traffic-analysis.net/2022/07/25/index.html; classtype:trojan-activity; sid:2037830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent SELECT"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006105; classtype:web-application-attack; sid:2006105; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fo.html?route=true"; bsize:19; fast_pattern; http.connection; content:"Close"; bsize:5; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|6|2e|1|3b 20|WOW64|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|47|2e|0|2e|2526|2e|111|20|Safari|2f|537|2e|36"; bsize:109; http.cookie; content:"lu="; startswith; http.header_names; content:!"Referer"; reference:md5,b2a682b8fe731d3c9a97b8fbf1cd84ae; reference:url,malware-traffic-analysis.net/2022/07/25/index.html; classtype:trojan-activity; sid:2037831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006106; classtype:web-application-attack; sid:2006106; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 8880 (msg:"ET MALWARE Win32/Sabsik.TE.B!ml CnC Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|7c|ICARUS|5f|Client|5f 20 7c 20|"; offset:28; depth:18; fast_pattern; content:"|7c|"; distance:0; content:"|7c|"; distance:2; within:1; reference:md5,9aee6276142d333066c590cbe8647f1a; classtype:command-and-control; sid:2037836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent INSERT"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006107; classtype:web-application-attack; sid:2006107; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 666 (msg:"ET MALWARE Win32/SuperBOT CnC Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|7b 22|Username|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|IP|22 3a 22|"; distance:0; content:"|22 2c 22|GEO|22 3a 22|"; distance:0; content:"|22 2c 22|UnicID|22 3a 22|"; distance:2; within:12; content:"|22 2c 22|Admin|22 3a|"; distance:0; content:"|2c 22|Version|22 3a|"; distance:0; content:"|2c 22|SeenBefore|22 3a|"; distance:0; content:"|22 2c 22|BuildID|22 3a 22|"; distance:0; content:"BOT|22 2c 22|UploadSpeed|22 3a|"; distance:0; nocase; reference:md5,66932b33b777120e887b084d8b6cf94a; classtype:command-and-control; sid:2037837; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent DELETE"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006108; classtype:web-application-attack; sid:2006108; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M4 (cbk99 .com)"; dns.query; content:"cbk99.com"; fast_pattern; nocase; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024933; rev:7; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ASCII"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006109; classtype:web-application-attack; sid:2006109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M5 (bbk80 .com)"; dns.query; content:"bbk80.com"; fast_pattern; nocase; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024934; rev:7; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006110; classtype:web-application-attack; sid:2006110; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M6 (bbk86 .com)"; dns.query; content:"bbk86.com"; fast_pattern; nocase; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024935; rev:6; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent SELECT"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006111; classtype:web-application-attack; sid:2006111; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M7 (ha859 .com)"; dns.query; content:"ha859.com"; fast_pattern; nocase; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024936; rev:6; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006112; classtype:web-application-attack; sid:2006112; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET MALWARE Maldoc Retrieving Payload 2022-06-15"; flow:established,to_server; content:"GET /i HTTP 1.1|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,cert.gov.ua/article/160530; classtype:trojan-activity; sid:2037001; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent INSERT"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006113; classtype:web-application-attack; sid:2006113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Filecoder.EK CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure.php?hero="; startswith; fast_pattern; content:"&movie="; distance:0; http.header; content:"100-continue"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,7e47426d5ae73cc0d3ca3ca6008b2131; classtype:command-and-control; sid:2037846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent DELETE"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006114; classtype:web-application-attack; sid:2006114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unknown VBScript Backdoor Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"8tLS0t"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:42; http.user_agent; content:"WinHttpRequest"; reference:url,asec.ahnlab.com/ko/37123/; reference:md5,e8aa5c0309cbc1966674b110a4afd83a; classtype:trojan-activity; sid:2037840; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ASCII"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006115; classtype:web-application-attack; sid:2006115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemHijack.gen CnC Checkin"; flow:established,to_server; http.request_line; content:"GET|20|/index.php|20|"; startswith; http.user_agent; content:"DSNF_2016="; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,b41090a1804dfd518f93aa1ca1382e69; classtype:command-and-control; sid:2037847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent SELECT"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006117; classtype:web-application-attack; sid:2006117; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.DarkVNC Variant Checkin"; flow:established,to_server; dsize:13; content:"|4a 01 4f 97 00|"; startswith; fast_pattern; reference:url,isc.sans.edu/diary/rss/28884; reference:url,www.malware-traffic-analysis.net/2022/07/26/index.html; classtype:command-and-control; sid:2037841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006118; classtype:web-application-attack; sid:2006118; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (zuyonijobo .com)"; dns.query; content:"zuyonijobo.com"; nocase; bsize:14; reference:url,isc.sans.edu/diary/rss/28884; classtype:domain-c2; sid:2037842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent INSERT"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006119; classtype:web-application-attack; sid:2006119; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain (zuyonijobo .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"zuyonijobo.com"; bsize:14; fast_pattern; reference:url,isc.sans.edu/diary/rss/28884; classtype:domain-c2; sid:2037843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent DELETE"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006120; classtype:web-application-attack; sid:2006120; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Beacon (Custom)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/dz.png"; fast_pattern; bsize:23; http.user_agent; content:"Mozilla/5.0|20 28|Linux|3b 20|Android 6.0|3b 20|HTC One X10 Build/MRA58K|3b 20|wv|29 20|AppleWebKit/537.36|20 28|KHTML, like Gecko|29 20|Version/4.0"; http.header_names; content:!"Referer"; reference:url,isc.sans.edu/diary/rss/28884; reference:url,www.malware-traffic-analysis.net/2022/07/26/index.html; classtype:command-and-control; sid:2037844; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_28, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ASCII"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006121; classtype:web-application-attack; sid:2006121; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIS Backdoor CnC Command Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx"; endswith; http.cookie; content:"EX_TOKEN|3d|"; fast_pattern; startswith; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/; classtype:trojan-activity; sid:2037845; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2022_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006122; classtype:web-application-attack; sid:2006122; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RKO Remote File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mh/upload.php"; endswith; http.referer; content:"/mh/ftp/remote.htm"; endswith; http.request_body; content:"name|3d 22|filename|22|"; content:"apinew.txt"; distance:4; fast_pattern; content:"name|3d 22|foldername|22|"; distance:0; content:"Files"; distance:4; content:"name|3d 22|data|22|"; distance:0; content:"name|3d 22|send|22|"; distance:0; content:"Send"; distance:4; reference:md5,37f0f9c9d9585befc8ea49b73706e47c; reference:url,twitter.com/James_inthe_box/status/1552756079997513728; classtype:trojan-activity; sid:2037870; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_07_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Multiple Products upload_image_category.asp cid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/upload_image_category.asp?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33253; reference:url,xforce.iss.net/xforce/xfdb/47959; reference:url,milw0rm.com/exploits/7767; reference:url,doc.emergingthreats.net/2009739; classtype:web-application-attack; sid:2009739; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET [!5222,!7687] -> $HOME_NET any (msg:"ET MALWARE Generic AsyncRAT Style SSL Cert"; flow:established,to_client; content:!"infinitecampus.com"; content:"|0f 39 39 39 39 31 32 33 31 32 33 35 39 35 39 5a|"; fast_pattern; content:"|55 04 03|"; pcre:"/^.(?P<servercert>[\x00-\xff][\x20-\x7f]{1,50})\x30.+?\x55\x04\x03.(?P=servercert)\x30/Rsi"; tls.cert_subject; content:"CN="; startswith; content:!"O="; content:!"OU="; content:!"ST="; tls.cert_issuer; content:"CN="; startswith; content:!"O="; content:!"OU="; content:!"ST="; content:!".com"; content:!"CN=localhost"; content:!"CN=ForFunLabs"; reference:md5,7ed7bf7ea7a1551218f73774d28be76c; classtype:domain-c2; sid:2035595; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, signature_severity Major, updated_at 2022_08_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005088; classtype:web-application-attack; sid:2005088; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NMZ CnC Checkin"; flow:established,to_server; http.request_line; content:"GET|20|/O.htm|20|"; fast_pattern; http.user_agent; content:"|3b 2b|SV1|3b|"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,4a8af3635882ee62d67ec9dd47c87796; classtype:command-and-control; sid:2037879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005089; classtype:web-application-attack; sid:2005089; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 5000 (msg:"ET MALWARE Win32/Agent.TWI CnC Checkin"; flow:established,to_server; http.request_line; content:"GET|20|/msg?msg="; startswith; fast_pattern; content:"&token="; distance:0; http.referer; content:":5000/msg?msg="; content:"&token="; distance:0; reference:md5,a487ab85983baa856fb089d9d01993fc; classtype:command-and-control; sid:2037898; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005090; classtype:web-application-attack; sid:2005090; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Manjusaka CnC Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/png"; http.content_len; byte_test:0,=,5,0,string,dec; http.response_body; content:"|1a 1a 6e 04 29|"; fast_pattern; reference:url,blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html; classtype:trojan-activity; sid:2037888; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005092; classtype:web-application-attack; sid:2005092; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/VBS.Sload Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?V="; fast_pattern; content:"&R="; distance:1; content:"|2d 40 2d|"; http.header_names; content:!"Referer"; reference:md5,86342f6cf158b3c0e0f2a25b0ec65739; reference:md5,760ec44980ed5be70fafa5addf538306; classtype:trojan-activity; sid:2037881; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, malware_family sLoad, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005091; classtype:web-application-attack; sid:2005091; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".maw"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1554458444761014273; reference:md5,3224f41bd46b42436f3dd4d97fc012fe; classtype:trojan-activity; sid:2037882; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005113; classtype:web-application-attack; sid:2005113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA444 Related Domain in DNS Lookup (inst .shconstmarket .com)"; dns.query; content:"inst.shconstmarket.com"; nocase; bsize:22; classtype:domain-c2; sid:2037883; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, malware_family TA444, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005112; classtype:web-application-attack; sid:2005112; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA444 Related  Domain in DNS Lookup (web .shconstmarket .com)"; dns.query; content:"web.shconstmarket.com"; nocase; bsize:21; classtype:trojan-activity; sid:2037884; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, malware_family TA444, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005114; classtype:web-application-attack; sid:2005114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA444 Related Domain in DNS Lookup (wordonline .cloud)"; dns.query; content:"wordonline.cloud"; nocase; bsize:16; classtype:trojan-activity; sid:2037885; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, malware_family TA444, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005116; classtype:web-application-attack; sid:2005116; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (ui .0x0x0x0x0 .xyz) in DNS Lookup"; dns.query; content:"ui.0x0x0x0x0.xyz"; nocase; bsize:16; reference:md5,2f56fc7aa5884469e8edf444e12006e1; classtype:domain-c2; sid:2037889; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005115; classtype:web-application-attack; sid:2005115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (rp .oiwcvbnc2e .stream) in DNS Lookup"; dns.query; content:"rp.oiwcvbnc2e.stream"; nocase; bsize:20; reference:md5,2f56fc7aa5884469e8edf444e12006e1; classtype:domain-c2; sid:2037890; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005895; classtype:web-application-attack; sid:2005895; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (aj .0x0x0x0x0 .best) in DNS Lookup"; dns.query; content:"aj.0x0x0x0x0.best"; nocase; bsize:17; reference:md5,2f56fc7aa5884469e8edf444e12006e1; classtype:domain-c2; sid:2037891; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005896; classtype:web-application-attack; sid:2005896; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (xs .0x0x0x0x0 .club) in DNS Lookup"; dns.query; content:"xs.0x0x0x0x0.club"; nocase; bsize:17; reference:md5,2f56fc7aa5884469e8edf444e12006e1; classtype:domain-c2; sid:2037892; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005897; classtype:web-application-attack; sid:2005897; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32/CoinMiner.ESJ!tr CnC Domain (qb .1c1c1c1c .best) in DNS Lookup"; dns.query; content:"qb.1c1c1c1c.best"; nocase; bsize:16; reference:md5,2f56fc7aa5884469e8edf444e12006e1; classtype:domain-c2; sid:2037893; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005898; classtype:web-application-attack; sid:2005898; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32/CoinMinerESJ!tr CnC Domain (ox .mygoodluck .best) in DNS Lookup"; dns.query; content:"ox.mygoodluck.best"; nocase; bsize:18; reference:md5,2f56fc7aa5884469e8edf444e12006e1; classtype:domain-c2; sid:2037894; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005899; classtype:web-application-attack; sid:2005899; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected BTC Swapper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/defaultpservpro.aspx?S="; startswith; fast_pattern; content:"&D="; distance:0; content:"&N="; distance:0; classtype:trojan-activity; sid:2037906; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_08_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005900; classtype:web-application-attack; sid:2005900; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE ENV Variable Data Exfiltration Domain (ovz1 .j19544519 .pr46m .vps .myjino .ru) in DNS Lookup"; dns.query; content:"ovz1.j19544519.pr46m.vps.myjino.ru"; nocase; bsize:34; reference:url,twitter.com/stephenlacy/status/1554697077430505473; classtype:trojan-activity; sid:2037909; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/boardrule.php?"; nocase; content:"groupboardid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36282; reference:url,doc.emergingthreats.net/2010259; classtype:web-application-attack; sid:2010259; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ENV Variable Data Exfiltration Attempt (HTTP POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?org="; fast_pattern; startswith; content:"repo="; http.content_type; content:"application/json"; http.header_names; content:!"Referer"; reference:url,twitter.com/stephenlacy/status/1554697077430505473; classtype:trojan-activity; sid:2037910; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/dfss/lgsl/lgsl_players.php?"; nocase; content:"lgsl_path="; nocase; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011099; classtype:web-application-attack; sid:2011099; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ave Maria/Warzone RAT Credential Exfil"; flow:established; content:"|7c 3d 3d 5b|Chrome|20|Passwords|5d 3d 3d|"; offset:20; depth:30; fast_pattern; content:"|5b|PASSWORD|5d 0d 0a|Hostname|3a 20|"; distance:0; reference:url,fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two; classtype:command-and-control; sid:2037907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_03, deployment Perimeter, former_category ATTACK_RESPONSE, malware_family AveMaria, signature_severity Major, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/dfss/lgsl/lgsl_settings.php?"; nocase; content:"lgsl_path="; nocase; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011100; classtype:web-application-attack; sid:2011100; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible T-RAT Encrypted Zip Request M2"; flow:established,to_server; http.uri; content:".png"; offset:7; depth:4; http.accept; content:"*/*"; bsize:3; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20 2e|NET4.0C|3b 20 2e|NET4.0E|3b 20 2e|NET CLR 2.0.50727|3b 20 2e|NET CLR 3.0.30729|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.3)"; bsize:162; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1304006897729761280; reference:url,www.gdatasoftware.com/blog/trat-control-via-smartphone; classtype:command-and-control; sid:2037908; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/logging/logviewer.jsp?"; nocase; content:"logfile="; nocase; reference:url,www.dsecrg.ru/pages/vul/show.php?id=152; reference:url,www.vupen.com/english/advisories/2009/2285; reference:url,doc.emergingthreats.net/2010194; classtype:web-application-attack; sid:2010194; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Knotweed/SubZero)"; flow:from_server,established; tls.cert_subject; content:"CN=finconsult.cc"; fast_pattern; classtype:domain-c2; sid:2037899; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_08_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DeZine DZcms products.php pcat parameter SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/products.php?"; nocase; content:"pcat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33194; reference:url,milw0rm.com/exploits/7722; reference:url,doc.emergingthreats.net/2009319; classtype:web-application-attack; sid:2009319; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Knotweed/SubZero Domain"; dns.query; content:"finconsult.cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2037900; rev:1; metadata:created_at 2022_08_03, former_category MALWARE, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/latestposts.php?"; nocase; content:"forumspath="; nocase; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009904; classtype:web-application-attack; sid:2009904; rev:9; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Knotweed/SubZero)"; flow:from_server,established; tls.cert_subject; content:"CN=realmetaldns.com"; fast_pattern; classtype:domain-c2; sid:2037901; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_08_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DeluxeBB misc.php qorder Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/misc.php?"; nocase; content:"sub=memberlist"; nocase; content:"qorder="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34174; reference:url,milw0rm.com/exploits/8240; reference:url,doc.emergingthreats.net/2009368; classtype:web-application-attack; sid:2009368; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Knotweed/SubZero Domain"; dns.query; content:"realmetaldns.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2037902; rev:1; metadata:created_at 2022_08_03, former_category MALWARE, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/header.php?"; nocase; content:"theme_directory="; nocase; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009380; classtype:web-application-attack; sid:2009380; rev:9; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Knotweed/SubZero)"; flow:from_server,established; tls.cert_subject; content:"CN=acrobatrelay.com"; fast_pattern; classtype:domain-c2; sid:2037903; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_08_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Demium CMS tracking.php follow_kat Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/tracking.php?"; nocase; content:"follow_kat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009323; classtype:web-application-attack; sid:2009323; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Knotweed/SubZero Domain"; dns.query; content:"acrobatrelay.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2037904; rev:1; metadata:created_at 2022_08_03, former_category MALWARE, updated_at 2022_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/urheber.php?"; nocase; content:"name="; nocase; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009324; classtype:web-application-attack; sid:2009324; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UOI CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/beacon.php|20|"; startswith; fast_pattern; http.request_body; content:"architecture="; startswith; content:"&hostname="; distance:0; content:"&os="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,74cf39a4148c88adfee9f0e02e03dc9e; classtype:command-and-control; sid:2037952; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004834; classtype:web-application-attack; sid:2004834; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 16052 (msg:"ET MALWARE Win64/Spy.Agent.EU CnC Checkin"; flow:established,to_server; content:"|28 0f 00 00 31 00 32 00 33 00 34 00 35 00 36 00 00 00 03 00|"; startswith; fast_pattern; content:"|00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00|"; distance:0; reference:md5,b3d7480ac748ce375ee8f84f656222a1; classtype:command-and-control; sid:2037953; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004835; classtype:web-application-attack; sid:2004835; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.ClipBanker.uhn Exfil"; flow:established,to_server; http.request_line; content:"POST|20|/upfile|20|"; startswith; http.user_agent; content:"HttpSendRequest"; http.request_body; content:"|2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|1234567890123"; startswith; fast_pattern; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|"; distance:0; content:"|2e|"; distance:0; content:"|2e|jpg|22 0d 0a|"; distance:14; within:7; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,ded2b49dbb947c0fc031919158447d46; classtype:trojan-activity; sid:2037954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004836; classtype:web-application-attack; sid:2004836; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedGuard Framework Related Request Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36"; bsize:114; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept|0d 0a|RedGuard|0d 0a|charset|0d 0a|"; fast_pattern; reference:url,github.com/wikiZ/RedGuard; classtype:trojan-activity; sid:2037927; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family RedGuard, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004837; classtype:web-application-attack; sid:2004837; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RedGuard Framework)"; flow:established,to_client; tls.cert_serial; content:"17:01:91:E3:A5:0D:5C:2C"; reference:url,github.com/wikiZ/RedGuard; classtype:trojan-activity; sid:2037928; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category MALWARE, malware_family RedGuard, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004839; classtype:web-application-attack; sid:2004839; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT CnC Domain (microsoft-telemetry .ru) in DNS Lookup"; dns.query; content:"microsoft-telemetry.ru"; nocase; bsize:22; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:domain-c2; sid:2037934; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family WoodyRAT, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/don3_requiem.php?"; nocase; content:"app_path="; nocase; pcre:"/app_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009317; classtype:web-application-attack; sid:2009317; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT CnC Domain (oakrussia .ru) in DNS Lookup"; dns.query; content:"oakrussia.ru"; nocase; bsize:12; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:domain-c2; sid:2037935; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family WoodyRAT, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/frontpage.php?"; nocase; content:"app_path="; nocase; pcre:"/app_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009318; classtype:web-application-attack; sid:2009318; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT CnC Domain (kurmakata .duckdns .org) in DNS Lookup"; dns.query; content:"kurmakata.duckdns.org"; nocase; bsize:21; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:domain-c2; sid:2037936; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family WoodyRAT, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy News And Article aid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/article_details.php?"; nocase; content:"aid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/7014; reference:url,secunia.com/Advisories/32595/; reference:url,doc.emergingthreats.net/2008834; classtype:web-application-attack; sid:2008834; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT CnC Domain (microsoft-ru-data .ru) in DNS Lookup"; dns.query; content:"microsoft-ru-data.ru"; nocase; bsize:20; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:domain-c2; sid:2037937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family WoodyRAT, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id SELECT"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005591; classtype:web-application-attack; sid:2005591; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT CnC Domain (fns77 .ru) in DNS Lookup"; dns.query; content:"fns77.ru"; nocase; bsize:8; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:domain-c2; sid:2037938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family WoodyRAT, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005592; classtype:web-application-attack; sid:2005592; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT Payload Delivery Domain (garmandesar .duckdns .org) in DNS Lookup"; dns.query; content:"garmandesar.duckdns.org"; nocase; bsize:23; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:trojan-activity; sid:2037939; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id INSERT"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005593; classtype:web-application-attack; sid:2005593; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Woody RAT Payload Delivery Domain (fcloud .nciinform .ru) in DNS Lookup"; dns.query; content:"fcloud.nciinform.ru"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:trojan-activity; sid:2037940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id DELETE"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005594; classtype:web-application-attack; sid:2005594; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Woody RAT CnC Checkin"; flow:established,to_server; http.request_line; content:"POST /knock HTTP/1.1"; fast_pattern; http.cookie; content:"as="; startswith; pcre:"/[a-f0-9]{24}\.[a-f0-9]{16}/R"; http.header_names; content:!"Referer"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild; classtype:trojan-activity; sid:2037941; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family WoodyRAT, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ASCII"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005595; classtype:web-application-attack; sid:2005595; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (pgp .eu .com) in DNS Lookup"; dns.query; content:"pgp.eu.com"; nocase; bsize:10; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037942; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005596; classtype:web-application-attack; sid:2005596; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (windowsupadates .com) in DNS Lookup"; dns.query; content:"windowsupadates.com"; nocase; bsize:19; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037943; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id SELECT"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005835; classtype:web-application-attack; sid:2005835; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (skype .se .net) in DNS Lookup"; dns.query; content:"skype.se.net"; nocase; bsize:12; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037944; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UNION SELECT"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005836; classtype:web-application-attack; sid:2005836; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (telegram-update .com) in DNS Lookup"; dns.query; content:"telegram-update.com"; nocase; bsize:19; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037945; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id INSERT"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005837; classtype:web-application-attack; sid:2005837; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-pgp .com) in DNS Lookup"; dns.query; content:"update-pgp.com"; nocase; bsize:14; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id DELETE"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005838; classtype:web-application-attack; sid:2005838; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (server-avira .com) in DNS Lookup"; dns.query; content:"server-avira.com"; nocase; bsize:16; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id ASCII"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005839; classtype:web-application-attack; sid:2005839; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (avira .ltd) in DNS Lookup"; dns.query; content:"avira.ltd"; nocase; bsize:9; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005840; classtype:web-application-attack; sid:2005840; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (uk2privat .com) in DNS Lookup"; dns.query; content:"uk2privat.com"; nocase; bsize:13; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/DetailFile.php?"; nocase; content:"nFileId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/0908-exploits/dscms-sql.txt; reference:url,doc.emergingthreats.net/2010195; classtype:web-application-attack; sid:2010195; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (cloud-avira .com) in DNS Lookup"; dns.query; content:"cloud-avira.com"; nocase; bsize:15; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UPTDATE.+SET/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010073; classtype:web-application-attack; sid:2010073; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE CHIMNEYSWEEP Backdoor CnC Domain (update-real .com) in DNS Lookup"; dns.query; content:"update-real.com"; nocase; bsize:15; reference:url,www.mandiant.com/resources/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against?1; classtype:domain-c2; sid:2037951; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, malware_family CHIMNEYSWEEP, performance_impact Low, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UNION.+SELECT/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010074; classtype:web-application-attack; sid:2010074; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Link Implant Default)"; flow:established,to_client; tls.cert_serial; content:"4D:5B:93:D5:0F:D5:2F:C2:9C:9F:66:4B:62:64:DC:52:D6:E0:B7:D5"; reference:url,github.com/postrequest/link; classtype:domain-c2; sid:2037929; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+SELECT.+FROM/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010075; classtype:web-application-attack; sid:2010075; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Link Implant CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /static/"; http.cookie; content:"banner=banner"; fast_pattern; bsize:13; http.header; content:"x-request-id|3a 20|"; startswith; http.header_names; content:!"Referer"; reference:url,github.com/postrequest/link; classtype:command-and-control; sid:2037930; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+DELETE.+FROM/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010076; classtype:web-application-attack; sid:2010076; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (mktrending .com)"; dns.query; dotprefix; content:".mktrending.com"; nocase; endswith; reference:md5,0dab8ad32f7ed4703b9217837c91cca7; reference:url,twitter.com/h2jazi/status/1555205042331947011; classtype:domain-c2; sid:2037931; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_04, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/doku.php?"; nocase; content:"config_cascade[main][default][]="; nocase; reference:bugtraq,35095; reference:url,milw0rm.com/exploits/8781; reference:url,doc.emergingthreats.net/2009876; classtype:web-application-attack; sid:2009876; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/managePerson.php?"; nocase; content:"personId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35032; reference:url,milw0rm.com/exploits/8738; reference:url,doc.emergingthreats.net/2009795; classtype:web-application-attack; sid:2009795; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen SELECT"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004047; classtype:web-application-attack; sid:2004047; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"ET MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; reference:url,doc.emergingthreats.net/2001055; classtype:attempted-admin; sid:2001055; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UNION SELECT"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004048; classtype:web-application-attack; sid:2004048; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2102008; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen INSERT"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004049; classtype:web-application-attack; sid:2004049; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2102009; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen DELETE"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004050; classtype:web-application-attack; sid:2004050; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ASCII"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004051; classtype:web-application-attack; sid:2004051; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102011; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004052; classtype:web-application-attack; sid:2004052; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2102012; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004065; classtype:web-application-attack; sid:2004065; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2102013; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004066; classtype:web-application-attack; sid:2004066; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004067; classtype:web-application-attack; sid:2004067; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:2101940; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004068; classtype:web-application-attack; sid:2004068; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:2101917; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004069; classtype:web-application-attack; sid:2004069; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:2100449; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004070; classtype:web-application-attack; sid:2004070; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID SELECT"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006141; classtype:web-application-attack; sid:2006141; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006142; classtype:web-application-attack; sid:2006142; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; classtype:attempted-recon; sid:2100517; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID INSERT"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006143; classtype:web-application-attack; sid:2006143; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID DELETE"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006144; classtype:web-application-attack; sid:2006144; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006146; classtype:web-application-attack; sid:2006146; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/libs/internals/core.write_compiled_include.php?"; nocase; content:"smarty="; nocase; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010707; classtype:web-application-attack; sid:2010707; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/libs/internals/core.process_compiled_include.php?"; nocase; content:"smarty="; nocase; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010708; classtype:web-application-attack; sid:2010708; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:2100328; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/libs/plugins/function.config_load.php?"; nocase; content:"_compile_file="; nocase; pcre:"/_compile_file\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010709; classtype:web-application-attack; sid:2010709; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:2100326; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004385; classtype:web-application-attack; sid:2004385; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, former_category MISC, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (1)"; flow:established,to_server; http.uri; content:"v="; nocase; content:"&step="; nocase; content:"&hostid="; nocase; reference:url,www.abuse.ch/?p=2796; reference:url,www.abuse.ch/?p=2740; reference:md5,c59cdd1366dd5c2f448c03738ec0dc88; reference:md5,b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011577; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
+alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSTrojan FakeAV Dropper Activity Observed (2)"; flow:established,to_server; http.uri; content:"/getfile.php?r="; nocase; content:"&p="; nocase; pcre:"/\/getfile\.php\?r=-?\d+&p=/"; reference:url,www.abuse.ch/?p=2796; reference:url,www.abuse.ch/?p=2740; reference:md5,c59cdd1366dd5c2f448c03738ec0dc88; reference:md5,b93360ec3798215a5cca573747df0139; classtype:trojan-activity; sid:2011578; rev:5; metadata:created_at 2010_09_27, updated_at 2020_09_11;)
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id INSERT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004387; classtype:web-application-attack; sid:2004387; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id DELETE"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004388; classtype:web-application-attack; sid:2004388; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ASCII"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004389; classtype:web-application-attack; sid:2004389; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip any any -> any any (msg:"GPL MISC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004390; classtype:web-application-attack; sid:2004390; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006687; classtype:web-application-attack; sid:2006687; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006688; classtype:web-application-attack; sid:2006688; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2102048; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006689; classtype:web-application-attack; sid:2006689; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006690; classtype:web-application-attack; sid:2006690; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2102561; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006691; classtype:web-application-attack; sid:2006691; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006692; classtype:web-application-attack; sid:2006692; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006694; classtype:web-application-attack; sid:2006694; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006695; classtype:web-application-attack; sid:2006695; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006696; classtype:web-application-attack; sid:2006696; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006697; classtype:web-application-attack; sid:2006697; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006698; classtype:web-application-attack; sid:2006698; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006699; classtype:web-application-attack; sid:2006699; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006700; classtype:web-application-attack; sid:2006700; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006701; classtype:web-application-attack; sid:2006701; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006702; classtype:web-application-attack; sid:2006702; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006703; classtype:web-application-attack; sid:2006703; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006704; classtype:web-application-attack; sid:2006704; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006705; classtype:web-application-attack; sid:2006705; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006706; classtype:web-application-attack; sid:2006706; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006707; classtype:web-application-attack; sid:2006707; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006708; classtype:web-application-attack; sid:2006708; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006709; classtype:web-application-attack; sid:2006709; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006710; classtype:web-application-attack; sid:2006710; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006711; classtype:web-application-attack; sid:2006711; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006712; classtype:web-application-attack; sid:2006712; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006715; classtype:web-application-attack; sid:2006715; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006713; classtype:web-application-attack; sid:2006713; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006714; classtype:web-application-attack; sid:2006714; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006716; classtype:web-application-attack; sid:2006716; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006717; classtype:web-application-attack; sid:2006717; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-Shop Shopping Cart Script search_results.php SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search_results.php?cid="; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,30692; reference:url,doc.emergingthreats.net/2008684; classtype:web-application-attack; sid:2008684; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:to_server; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank SELECT"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004624; classtype:web-application-attack; sid:2004624; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:to_server; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UNION SELECT"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004625; classtype:web-application-attack; sid:2004625; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; http.uri; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; http.content_type; content:"Multipart"; reference:bugtraq,9978; classtype:web-application-activity; sid:2102547; rev:5; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank INSERT"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004626; classtype:web-application-attack; sid:2004626; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin setinfo access"; flow:to_server,established; http.uri; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2102548; rev:4; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank DELETE"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004627; classtype:web-application-attack; sid:2004627; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:established,to_client; flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:5; metadata:created_at 2012_04_28, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank ASCII"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004628; classtype:web-application-attack; sid:2004628; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004629; classtype:web-application-attack; sid:2004629; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/application/views/public/commentform.php?"; nocase; content:"tpl_base_dir="; nocase; pcre:"/tpl_base_dir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/13890/; reference:url,vupen.com/english/advisories/2010/1497; reference:bugtraq,40881; reference:url,doc.emergingthreats.net/2011725; classtype:web-application-attack; sid:2011725; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:"<imei>"; content:"<smscenter>"; content:"<installtime>"; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005268; classtype:web-application-attack; sid:2005268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005269; classtype:web-application-attack; sid:2005269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword INSERT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005270; classtype:web-application-attack; sid:2005270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword DELETE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005271; classtype:web-application-attack; sid:2005271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ASCII"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005272; classtype:web-application-attack; sid:2005272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012844; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005273; classtype:web-application-attack; sid:2005273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012845; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005274; classtype:web-application-attack; sid:2005274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012846; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005275; classtype:web-application-attack; sid:2005275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:command-and-control; sid:2012847; rev:2; metadata:attack_target Mobile_Client, created_at 2011_05_25, former_category MOBILE_MALWARE, updated_at 2011_05_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row INSERT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005276; classtype:web-application-attack; sid:2005276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row DELETE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005277; classtype:web-application-attack; sid:2005277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012853; rev:2; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ASCII"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005278; classtype:web-application-attack; sid:2005278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005279; classtype:web-application-attack; sid:2005279; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS page.php intpageID parameter sql injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/page.php?"; nocase; content:"intPageID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008883; classtype:web-application-attack; sid:2008883; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS subcategory.php intSubCategoryID parameter sql injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"subcategory.php?"; nocase; content:"intSubCategoryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008884; classtype:web-application-attack; sid:2008884; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS news.php intPageID parameter sql injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"news.php?"; nocase; content:"intPageID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008885; classtype:web-application-attack; sid:2008885; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005039; classtype:web-application-attack; sid:2005039; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UNION SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005040; classtype:web-application-attack; sid:2005040; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i INSERT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005041; classtype:web-application-attack; sid:2005041; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012851; rev:3; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i DELETE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005042; classtype:web-application-attack; sid:2005042; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:command-and-control; sid:2012852; rev:4; metadata:created_at 2011_05_26, former_category MOBILE_MALWARE, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i ASCII"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005043; classtype:web-application-attack; sid:2005043; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005045; classtype:web-application-attack; sid:2005045; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005044; classtype:web-application-attack; sid:2005044; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005046; classtype:web-application-attack; sid:2005046; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id INSERT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005047; classtype:web-application-attack; sid:2005047; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_13, former_category MOBILE_MALWARE, updated_at 2011_06_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id DELETE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005048; classtype:web-application-attack; sid:2005048; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id ASCII"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005049; classtype:web-application-attack; sid:2005049; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_17, former_category MOBILE_MALWARE, updated_at 2011_06_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005050; classtype:web-application-attack; sid:2005050; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013143; rev:2; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i SELECT"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005051; classtype:web-application-attack; sid:2005051; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013140; rev:3; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2011_06_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UNION SELECT"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005052; classtype:web-application-attack; sid:2005052; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i INSERT"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005053; classtype:web-application-attack; sid:2005053; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"<connect>http|3A|//"; nocase; content:"<send number="; nocase; distance:0; content:"<insms>http|3A|//"; nocase; distance:0; content:"<delete number="; nocase; distance:0; content:"<clean app="; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:command-and-control; sid:2013194; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i DELETE"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005054; classtype:web-application-attack; sid:2005054; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i ASCII"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005055; classtype:web-application-attack; sid:2005055; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013265; rev:2; metadata:attack_target Mobile_Client, created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005056; classtype:web-application-attack; sid:2005056; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:"<smslist>"; content:"<sms id="; distance:0; content:"upnumber="; distance:0; content:"<|2F|smslist>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:command-and-control; sid:2013266; rev:2; metadata:created_at 2011_07_14, former_category MOBILE_MALWARE, updated_at 2011_07_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId SELECT"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006554; classtype:web-application-attack; sid:2006554; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:"<cmdsystem>"; content:"<mobile>"; content:"<|2F|mobile>"; within:50; content:"<killprocess>"; distance:0; content:"<killinstall>"; distance:0; content:"<killuninst>"; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:command-and-control; sid:2013317; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UNION SELECT"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006555; classtype:web-application-attack; sid:2006555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId INSERT"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006556; classtype:web-application-attack; sid:2006556; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2; metadata:created_at 2012_03_21, updated_at 2012_03_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId DELETE"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006557; classtype:web-application-attack; sid:2006557; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET"; http_method; content:"/search/"; http_uri; content:".php?i="; http_uri; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:5; metadata:created_at 2013_02_05, former_category MOBILE_MALWARE, updated_at 2013_02_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId ASCII"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006558; classtype:web-application-attack; sid:2006558; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Successful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017788; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006559; classtype:web-application-attack; sid:2006559; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MOBILE_MALWARE Android/Trogle.A Possible Exfiltration of SMS via SMTP"; flow:established,to_server; content:"MAIL FROM|3a|<a137736513@qq.com>"; nocase; reference:md5,ef819779fc4bee6117c124fb752abf57; classtype:trojan-activity; sid:2018887; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_08_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasySiteNetwork Riddles Complete Website riddle.php riddleid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/riddle.php?"; nocase; content:"riddleid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,29966; reference:url,milw0rm.com/exploits/5946; reference:url,doc.emergingthreats.net/2009366; classtype:web-application-attack; sid:2009366; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Code4hk.A Checkin"; flow:established,to_server; content:"ClientInfo"; content:"isWifi"; distance:0; content:"cpuInfo"; distance:0; content:"firstOnlineIp"; distance:0; content:"firstOnlineTime"; distance:0; content:"imei"; distance:0; content:"ipAddr"; distance:0; content:"phoneBrand"; distance:0; content:"phoneNumber"; distance:0; content:"simOperator"; distance:0; fast_pattern; reference:url,malware.lu/articles/2014/09/29/analysis-of-code4hk.html; classtype:trojan-activity; sid:2019318; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_09_30, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2016_07_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easynet4u Link Host directory.php cat_id parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/directory.php?"; nocase; content:"ax=list"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31717; reference:url,www.milw0rm.com/exploits/6728; reference:url,doc.emergingthreats.net/2009117; classtype:web-application-attack; sid:2009117; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI"; flow:established,to_server; content:"POST"; http_method; content:"imei="; nocase; http_uri; pcre:"/imei=\d{2}-?\d{6}-?\d{6,}-?\d{1,}/Ui"; content:!"Host|3a 20|iphone-wu.apple.com"; http_header; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2012848; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005985; classtype:web-application-attack; sid:2005985; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 1"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"sms|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023500; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005986; classtype:web-application-attack; sid:2005986; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible iOS WebView Auto Dialer 2"; flow:established,from_server; file_data; content:"URL=tel|3a|"; nocase; fast_pattern; pcre:"/^\+?[0-9-]{10,}[\x22\x27]/Rsi"; content:"itms-apps|3a|"; nocase; content:"setTimeout"; nocase; content:"window"; nocase; pcre:"/^\s*?\.\s*?location\s*?\.\s*?href/Rsi"; content:"for"; nocase; pcre:"/^\s*?\(\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b\s*?(?P=var)\s*?\<\s*?(?:0x)?\d{4,}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b\s*?(?P<var2>[^\x3d\x3b\)\s]+)\s*?=\s*?(?P=var2)\s*?\+\s*?[\x22\x27]\d+[\x22\x27]/Rsi"; reference:url,www.mulliner.org/blog/blosxom.cgi/security/ios_WebView_auto_dialer.html; classtype:trojan-activity; sid:2023501; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_11_11, deployment Perimeter, updated_at 2016_11_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup INSERT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005987; classtype:web-application-attack; sid:2005987; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU SSL CnC Cert"; flow:established,from_server; content:"|02|IT"; content:"|03|AAA"; distance:0; content:"|02|BB"; distance:0; content:"|03|EEE"; distance:0; content:"|0d|IT Department"; distance:0; content:"|0a|SASDS_Srv0"; fast_pattern; distance:0; reference:md5,cbd1c2db9ffc6b67cea46d271594c2ae; classtype:command-and-control; sid:2023509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2016_11_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup DELETE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005988; classtype:web-application-attack; sid:2005988; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Unknown Redirector Nov 17 2016"; flow:from_server,established; file_data; content:"<script>"; content:".indexOf(|22|_mauthtoken|22|)=="; distance:0; content:"|22|ooglebot|22|"; content:"|7c|fennec|7c|"; content:"|22|_mauthtoken=1|3b| path=/|3b|expires=|22|"; fast_pattern; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023531; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup ASCII"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005989; classtype:web-application-attack; sid:2005989; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Unknown Landing URI Nov 17 2016"; flow:to_server,established; content:"/kt/JpNx9n"; http_uri; pcre:"/\/kt\/JpNx9n$/U"; reference:url,labs.sucuri.net/?note=2016-11-17; classtype:trojan-activity; sid:2023532; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_18, deployment Perimeter, signature_severity Major, tag Android, updated_at 2016_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005990; classtype:web-application-attack; sid:2005990; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tls $EXTERNAL_NET [80,443] -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher SSL CnC Cert"; flow:established,from_server; content:"|00 dd 45 ec 3f 08 74 58 6a|"; content:"|0a|Department"; distance:0; content:"|55 04 03|"; distance:0; content:"|0f|www.example.com"; distance:1; within:16; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:command-and-control; sid:2023708; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2017_01_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005991; classtype:web-application-attack; sid:2005991; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"/billwebsvr.dll?Buy?user="; http_uri; content:"&key="; http_uri; content:"&channel="; http_uri; content:"&corp="; http_uri; content:"&product="; http_uri; content:"&phone="; http_uri; content:"&private="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012862; rev:4; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005992; classtype:web-application-attack; sid:2005992; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Response"; flow:from_server,established; file_data; content:"[{|22|id|22 3a 22|0|22|,|22|command|22 3a 22|OK|22|}"; depth:26; fast_pattern; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024202; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, signature_severity Major, tag Android, updated_at 2017_04_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005993; classtype:web-application-attack; sid:2005993; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon 2"; flow:to_server,established; dsize:22; content:"@!hi|3a|"; depth:5; fast_pattern; pcre:"/^\d{15}\r\n$/R"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024896; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2017_10_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005994; classtype:web-application-attack; sid:2005994; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Golden Rat Checkin"; flow:to_server,established; content:"<HmzaPacket>|3e 0a 20 20|<Command>"; depth:25; fast_pattern; content:"<MSG>"; within:40; content:"</MSG>|3e 0a 20 20|"; distance:0; content:"</HmzaPacket></HAMZA_DELIMITER_STOP>"; distance:0; reference:url,csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf; reference:md5,6296586cf9a59b25d1b8ab3eeb0c2a33; classtype:trojan-activity; sid:2025895; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GoldenRat, tag Android, updated_at 2018_07_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005995; classtype:web-application-attack; sid:2005995; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005996; classtype:web-application-attack; sid:2005996; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005997; classtype:web-application-attack; sid:2005997; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005998; classtype:web-application-attack; sid:2005998; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id INSERT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005999; classtype:web-application-attack; sid:2005999; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:3; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id DELETE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006000; classtype:web-application-attack; sid:2006000; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2013_11_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id ASCII"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006001; classtype:web-application-attack; sid:2006001; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:4; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2015_02_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006002; classtype:web-application-attack; sid:2006002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:trojan-activity; sid:2019181; rev:9; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2014_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006159; classtype:web-application-attack; sid:2006159; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Fakeinst.KD .onion Proxy Domain"; dns_query; content:"pc35hiptpcwqezgs"; depth:16; nocase; fast_pattern; reference:url,www.csis.dk/da/csis/blog/4818/; reference:md5,111b71c120167b5b571ee5501ffef65e; classtype:trojan-activity; sid:2022517; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_13, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006160; classtype:web-application-attack; sid:2006160; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain"; dns_query; content:"yuwurw46taaep6ip"; depth:16; nocase; fast_pattern; reference:md5,58fed8b5b549be7ecbfbc6c63b84a728; classtype:trojan-activity; sid:2022562; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006161; classtype:web-application-attack; sid:2006161; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Torec.a .onion Proxy Domain 2"; dns_query; content:"voooxrrw2wxnoyew"; depth:16; nocase; fast_pattern; reference:md5,8d260ab2bb36aeaf5b033b80b6bc1e6a; classtype:trojan-activity; sid:2022563; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_02_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2019_09_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006162; classtype:web-application-attack; sid:2006162; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:4; metadata:created_at 2013_11_27, former_category CURRENT_EVENTS, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006163; classtype:web-application-attack; sid:2006163; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns_query; content:"storegoogle.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023710; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006164; classtype:web-application-attack; sid:2006164; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns_query; content:"siteanalysto.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023938; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2019_09_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/WorkArea/reterror.aspx?"; nocase; content:"info="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011153; classtype:web-application-attack; sid:2011153; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Adware.Wapsx.A"; flow:established, to_server; content:"/fengmian/"; fast_pattern; content:"meinv6.4.0 qiu shou gou, zhi mai 503 wan ren min bi"; http_user_agent; depth:51; content:!"Referer|3a|"; http_header; reference:md5,37e36531e6dbc3ad0954fd9bb4588fad; classtype:trojan-activity; sid:2018533; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/workarea/medialist.aspx?"; nocase; content:"selectids="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011154; classtype:web-application-attack; sid:2011154; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android JadeRAT CnC Beacon"; flow:to_server,established; dsize:<500; content:"@!MyID|3a|"; depth:7; content:"IMEI|3a|"; distance:0; content:"Mobile|20|ID|3a|"; content:"SIM|3a|"; content:"IMSI|3a|"; content:"Android|20|version|3a|"; content:"Model|3a|"; content:"All|20|SD|20|Size|3a|"; fast_pattern; content:"Free|20|SD|20|Size|3a|"; content:"Network|20|type|3a|"; reference:md5,9027f111377598362972745478e40311; reference:url,blog.lookout.com/mobile-threat-jaderat; classtype:command-and-control; sid:2024895; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_JadeRAT, signature_severity Major, tag Android, tag c2, updated_at 2019_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php SELECT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006449; classtype:web-application-attack; sid:2006449; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:5; metadata:created_at 2015_02_12, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UNION SELECT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006450; classtype:web-application-attack; sid:2006450; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Geost CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geost.php?bid="; fast_pattern; classtype:command-and-control; sid:2028661; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_10_08, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Geost, updated_at 2019_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006451; classtype:web-application-attack; sid:2006451; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected Android Youzicheng Proxy Activity"; flow:established,to_server; urilen:17; http.method; content:"POST"; http.uri; content:"/api/socksLog/add"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"|7b 22|channelid|22 3a 22|"; startswith; nocase; fast_pattern; content:"|2c 22|content|22 3a 22|"; distance:0; content:"|2c 22|deviceid|22 3a 22|"; distance:0; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c907d74ace51cec7cb53b0c8720063e1; classtype:trojan-activity; sid:2029635; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_03_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php DELETE"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006452; classtype:web-application-attack; sid:2006452; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Lightspy Implant CnC"; flow:established,to_server; content:"|0d 0a 0d 0a|udid="; fast_pattern; http.method; content:"POST"; http.uri; content:"/update_device"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"udid="; startswith; content:"&brand="; distance:0; content:"&model="; distance:0; content:"&os="; distance:0; content:"&osversion="; nocase; distance:0; content:"&x="; distance:0; content:"&y="; distance:0; content:"&sdcard="; distance:0; content:"&cid="; distance:0; reference:md5,fadff5b601f6fca588007660934129eb; reference:url,securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/; classtype:command-and-control; sid:2029765; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family lightspy, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php ASCII"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006453; classtype:web-application-attack; sid:2006453; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EQO Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ping.php"; endswith; http.request_body; content:"|7b 22|DATA|22 3a 7b 22|DEVICE_ID|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|TAG|22 3a 22|"; within:25; content:"|22|CC_GRABBER|22 3a|"; distance:0; reference:md5,849796248bfe2560039f6986c83f43d6; reference:md5,a8dd3cd7860f3fd2d34a33b0c87bd615; reference:url,twitter.com/PAsinovsky/status/1245790690946285569; classtype:command-and-control; sid:2029811; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_04_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006454; classtype:web-application-attack; sid:2006454; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; http.uri; content:".log"; nocase; content:"id="; nocase; content:"softid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID SELECT"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006135; classtype:web-application-attack; sid:2006135; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; http.uri; content:"req.php"; nocase; content:"pid="; nocase; content:"ver="; nocase; content:"area="; nocase; content:"insttime="; nocase; content:"first="; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006136; classtype:web-application-attack; sid:2006136; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; http.uri; content:"/push/androidxml/"; nocase; content:"sim="; nocase; content:"tel="; nocase; content:"imsi="; content:"pid="; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2029932; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_03_10, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID INSERT"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006137; classtype:web-application-attack; sid:2006137; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android PHONEMONITOR RAT CnC (getsettings)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"PhoneMonitor"; bsize:12; fast_pattern; http.uri; content:"/webpanel/getsettings.php"; bsize:25; reference:md5,09aa3bb05a55b0df864d1e1709c29960; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:command-and-control; sid:2029979; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ASCII"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006139; classtype:web-application-attack; sid:2006139; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; http.uri; content:"/talktome.asmx"; nocase; http.request_body; content:"cell"; nocase; content:"opname"; nocase; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:command-and-control; sid:2012924; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006140; classtype:web-application-attack; sid:2006140; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; http.uri; content:"/ProtocolGW/"; fast_pattern; nocase; content:"filename="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_16, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id SELECT"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006147; classtype:web-application-attack; sid:2006147; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?im="; http.header; content:"User-Agent|3a 20|J2ME/UCWEB"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_06_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UNION SELECT"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006148; classtype:web-application-attack; sid:2006148; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; http.uri; content:"/android/android.dbug.php?action=heart"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:command-and-control; sid:2013078; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id INSERT"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006149; classtype:web-application-attack; sid:2006149; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; http.uri; content:"/ss/attachments/files/URLshorter.apk"; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id DELETE"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006150; classtype:web-application-attack; sid:2006150; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<IMSI>"; nocase; content:"<|2F|IMSI"; nocase; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:3; metadata:created_at 2011_06_30, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ASCII"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006151; classtype:web-application-attack; sid:2006151; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server"; flow:established,to_server; http.uri; content:"/wat.php"; nocase; http.host; content:"incorporateapps.com"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2; reference:url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/; classtype:command-and-control; sid:2013209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006152; classtype:web-application-attack; sid:2006152; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected PROJECTSPY CnC (video)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/index.php?p=showMyAllVideos"; fast_pattern; bsize:32; http.user_agent; content:"Dalvik"; reference:md5,30a2f5b9c9cf01b16aaa4d3f40323faf; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:command-and-control; sid:2029981; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID SELECT"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006153; classtype:web-application-attack; sid:2006153; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; http.uri; content:"/alotWorkTask.aspx?no="; content:"&uid="; content:"&ti="; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006154; classtype:web-application-attack; sid:2006154; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; http.uri; content:"?id="; content:"&time="; content:"&imei="; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:4; metadata:created_at 2011_05_26, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID INSERT"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006155; classtype:web-application-attack; sid:2006155; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; http.uri; content:"/Submit.aspx?ver="; content:"&sys="; content:"&imei="; content:"&ua="; content:"&pro="; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:command-and-control; sid:2013316; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_26, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID DELETE"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006156; classtype:web-application-attack; sid:2006156; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?app="; content:"&deviceId="; content:"&mobile="; content:"&country="; content:"&carrier="; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ASCII"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006157; classtype:web-application-attack; sid:2006157; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; http.uri; content:"/AndroidService.aspx?imsi="; content:"&mobile="; content:"&pid="; content:"&ownerid="; content:"&testchlid="; content:"&androidver="; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2011_11_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_20, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007042; classtype:web-application-attack; sid:2007042; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; http.uri; content:"/search/isavailable"; content:".php?imei="; content:"&ch="; content:"&ver="; http.user_agent; content:"adlib/"; startswith; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007043; classtype:web-application-attack; sid:2007043; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected PROJECTSPY Cookie"; flow:established,to_server; http.start; content:"Cookie|3a 20|projectspy_session="; fast_pattern; reference:md5,e49040a572a2b12e5cb784e4a179d5af; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029993; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_20, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID INSERT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007044; classtype:web-application-attack; sid:2007044; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; http.uri; content:"/android_notifier/notifier.php?h="; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:command-and-control; sid:2014162; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID DELETE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007045; classtype:web-application-attack; sid:2007045; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; http.uri; content:"/ProtocolGW/protocol/commands"; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:command-and-control; sid:2014215; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ASCII"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007046; classtype:web-application-attack; sid:2007046; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; http.uri; content:"/clientRequest.htm?method="; nocase; pcre:"/^(?:update|startcharge)/Ri"; content:"&os="; content:"&brand="; nocase; content:"&sdkVersion="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:command-and-control; sid:2013299; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007047; classtype:web-application-attack; sid:2007047; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; http.uri; content:"/phone_getinfokou_android.php"; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_12_28, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id INSERT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007050; classtype:web-application-attack; sid:2007050; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geturl.aspx?email="; content:"&lat="; content:"&lon="; content:"&mobile="; content:"&group="; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:command-and-control; sid:2016209; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id DELETE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007051; classtype:web-application-attack; sid:2007051; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; http.uri; content:"/controls.php"; http.user_agent; content:"Dalvik/"; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ASCII"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007052; classtype:web-application-attack; sid:2007052; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Android_SMS/receiving.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:command-and-control; sid:2016513; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007053; classtype:web-application-attack; sid:2007053; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; http.uri; content:"/Android_SMS/installing.php"; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007054; classtype:web-application-attack; sid:2007054; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; http.stat_code; content:"200"; http.stat_msg; content:"OK"; file.data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:3; metadata:created_at 2013_07_17, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007055; classtype:web-application-attack; sid:2007055; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srev.asp"; http.request_body; content:"action="; depth:7; content:"&b_name="; distance:0; content:"&b_conter="; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:command-and-control; sid:2017466; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_09_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id INSERT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007056; classtype:web-application-attack; sid:2007056; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/reportMessage"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018004; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id DELETE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007057; classtype:web-application-attack; sid:2007057; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/getTask"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018003; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ASCII"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007058; classtype:web-application-attack; sid:2007058; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/DwnlAPK-A Configuration File Request"; flow:established,to_server; http.uri; content:"/iconfig.txt"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible)"; bsize:24; reference:url,nakedsecurity.sophos.com/2014/01/31/android-banking-malware-with-a-twist-in-the-delivery/; classtype:trojan-activity; sid:2018071; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007049; classtype:web-application-attack; sid:2007049; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/register"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018000; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007030; classtype:web-application-attack; sid:2007030; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/login"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018001; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007031; classtype:web-application-attack; sid:2007031; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/report"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2018002; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_04_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007032; classtype:web-application-attack; sid:2007032; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"androidbugreport.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&token="; depth:7; content:"&target="; depth:8; content:"&rd="; depth:4; content:"&fo="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018138; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007033; classtype:web-application-attack; sid:2007033; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"filter.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018139; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007034; classtype:web-application-attack; sid:2007034; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeKakao checkin 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"history.php"; http.header_names; content:!"User-Agent|0d 0a|"; nocase; http.request_body; content:"id="; depth:3; content:"&ds="; depth:4; content:"&sg="; depth:4; reference:url,blog.fortinet.com/Fake-KakaoTalk-Security-Plug-in/; classtype:trojan-activity; sid:2018140; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_02_14, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_27, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007035; classtype:web-application-attack; sid:2007035; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"ET MOBILE_MALWARE Android Spyware Dowgin Checkin"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/webviewAdReq"; nocase; depth:13; reference:md5,45bf9f6e19649d3e1642854ecd82623c; classtype:trojan-activity; sid:2018663; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_11, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_04_30, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007036; classtype:web-application-attack; sid:2007036; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Kasandra.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/path/DeviceManager.php"; nocase; depth:23; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.request_body; content:"func="; depth:5; content:"&deviceid="; distance:0; reference:md5,6df6553b115d9ed837161a9e67146ecf; classtype:trojan-activity; sid:2018888; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_04, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007037; classtype:web-application-attack; sid:2007037; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SSL/TLS Certificate Observed (Betcity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=*.boxberry1.ru"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/ReBensk/status/1259146097978564609; classtype:domain-c2; sid:2030150; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_05_11, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007038; classtype:web-application-attack; sid:2007038; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetConnect.aspx"; content:"&tIMEI="; content:"&tIMSI="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019331; rev:3; metadata:attack_target Mobile_Client, created_at 2014_10_01, former_category MOBILE_MALWARE, updated_at 2020_05_12, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007039; classtype:web-application-attack; sid:2007039; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending GPS info"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/TargetUploadGps.aspx"; content:"tmac="; content:"&JZ="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019332; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007040; classtype:web-application-attack; sid:2007040; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser sending files"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/TargetUploadFile.aspx"; content:"tmac="; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019333; rev:3; metadata:created_at 2014_10_01, updated_at 2020_05_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007041; classtype:web-application-attack; sid:2007041; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/Xsser checking library version"; flow:to_server,established; urilen:18; http.method; content:"GET"; nocase; http.uri; content:"/CheckLibrary.aspx"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,2cba795aff750259a2fc447cdd6ea1c7; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/; classtype:trojan-activity; sid:2019334; rev:3; metadata:attack_target Mobile_Client, created_at 2014_10_01, former_category MOBILE_MALWARE, updated_at 2020_05_12, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007076; classtype:web-application-attack; sid:2007076; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; http.request_body; content:"name=|22|softwareVersion|22|"; nocase; content:"name=|22|isEnc|22|"; nocase; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019959; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007077; classtype:web-application-attack; sid:2007077; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper User-Agent"; flow:established,to_server; http.user_agent; content:"UAC/"; depth:4; fast_pattern; content:"|28|Android|20|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:trojan-activity; sid:2019960; rev:4; metadata:created_at 2014_12_17, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007078; classtype:web-application-attack; sid:2007078; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007079; classtype:web-application-attack; sid:2007079; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SMSThief.F Banker CnC Beacon"; flow:established,to_server; http.uri; content:"/input_data_get_contact.asp?user="; content:"&pwd="; content:"&addr="; reference:url,research.zscaler.com/2015/02/android-banking-trojan-and-sms-stealer.html; reference:md5,ff081c1400a948f2bcc4952fed2c818b; classtype:command-and-control; sid:2020353; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_05_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007080; classtype:web-application-attack; sid:2007080; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Operation Pawn Storm IOS_XAGENT Checkin"; flow:to_server,established; http.uri; pcre:"/^(?:(?:sear|wat)ch|results|close|find|open)\/\?[a-zA-Z]{2,8}=/"; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:"XAgent/1."; depth:9; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020363; rev:4; metadata:attack_target Mobile_Client, created_at 2015_02_05, former_category MOBILE_MALWARE, updated_at 2020_05_15, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007081; classtype:web-application-attack; sid:2007081; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE IOS_XAGENT UA"; flow:to_server,established; http.user_agent; content:"XAgent/1."; depth:9; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/; classtype:trojan-activity; sid:2020364; rev:4; metadata:created_at 2015_02_05, updated_at 2020_05_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007082; classtype:web-application-attack; sid:2007082; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SMSSend.Y"; flow:established,to_server; http.uri; content:"/api/log.html|3f|"; fast_pattern; content:"c="; content:"&o="; content:"&n="; http.user_agent; content:"Apache-HttpClient"; depth:18; reference:md5,ef79985c90675e7abfb6b9a6bc5a6c65; classtype:trojan-activity; sid:2020729; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007083; classtype:web-application-attack; sid:2007083; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.m Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"content=eyJmaW5nZXJwcmludCI"; fast_pattern; depth:27; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,0aa69ad64e20bb6cbf72f346ce43ff23; reference:url,www.fireeye.com/blog/threat-research/2014/07/the-service-you-cant-refuse-a-secluded-hijackrat.html; classtype:trojan-activity; sid:2021185; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_06_05, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_05_22, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007084; classtype:web-application-attack; sid:2007084; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.jsp?e="; fast_pattern; depth:10; content:"&s="; distance:0; content:"&g="; distance:0; content:"&versionCode="; distance:0; content:"&osVersion="; distance:0; content:"&countryCode="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021929; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_10_08, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_06_02, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007085; classtype:web-application-attack; sid:2007085; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/xDrop Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"slave.php"; endswith; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE ("; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f154d5596ecb8f63de1e7319e31ad369; classtype:command-and-control; sid:2030243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_06_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007086; classtype:web-application-attack; sid:2007086; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Malvertising Communication"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?rand_key="; fast_pattern; content:"&packagename="; distance:0; content:"&imei="; distance:0; content:"&login="; distance:0; http.user_agent; content:"|20|U|3b 20|Android|20|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique/; reference:md5,c73cf82c0043463f8079d0540b2634e0; classtype:trojan-activity; sid:2030266; rev:1; metadata:attack_target Mobile_Client, created_at 2020_06_08, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_06_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007087; classtype:web-application-attack; sid:2007087; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Cloudsota HTTP Host"; flow:to_server,established; http.host; content:"download.cloudsota.com"; startswith; reference:url,www.cmcm.com/blog/en/security/2015-11-09/842.html; classtype:trojan-activity; sid:2022081; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_11_12, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID SELECT"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007088; classtype:web-application-attack; sid:2007088; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SlemBunk.Banker Phished Credentials Upload"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; depth:1; http.user_agent; content:"Apache-HttpClient/UNAVAILABLE"; startswith; http.request_body; content:"{|22|data|22 3A|"; depth:8; content:"|22|password old|22 3A|"; fast_pattern; distance:0; content:"|22|login|22 3A|"; content:"|22|type|22 3A|"; distance:0; content:"|22|login old|22 3A|"; distance:0; content:"|22|password|22 3A|"; distance:0; content:"|22|name|22 3A|"; distance:0; content:"|22|code|22 3A|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022289; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_12_21, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007089; classtype:web-application-attack; sid:2007089; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.EP HTTP Host"; flow:to_server,established; http.host; content:"jackdojacksgot.ru"; startswith; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; classtype:trojan-activity; sid:2022144; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_06_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID INSERT"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007090; classtype:web-application-attack; sid:2007090; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher Sending Credit Card Info"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cards_json.php"; endswith; http.request_body; content:"bot_id="; depth:7; fast_pattern; content:"&info="; content:"cardNum"; pcre:"/^bot_id=[a-f0-9]{32}&/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,78c2444fe15a8e58c629076781d9442a; reference:url,blog.fortinet.com/2016/11/01/android-banking-malware-masquerades-as-flash-player-targeting-large-banks-and-popular-social-media-apps; classtype:trojan-activity; sid:2023483; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_03, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_08_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID DELETE"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007091; classtype:web-application-attack; sid:2007091; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/RequestActionsToExecute"; fast_pattern; pcre:"/\/RequestActionsToExecute$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|CommandLine|22 3a|"; depth:15; content:",|22|CurrentDirectory|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023507; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_08_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ASCII"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007092; classtype:web-application-attack; sid:2007092; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Comll.Banker RAT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/n/"; pcre:"/\/n\/\d{15}$/"; http.request_body; content:"content=eyJ"; depth:11; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,a78e904a05d4a9e6a15b6f56b261eab9; classtype:command-and-control; sid:2018630; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_08_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007093; classtype:web-application-attack; sid:2007093; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Dropper.Abd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ad-"; pcre:"/\/ad-(?:strat|devi)\/$/"; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"RgQ7"; depth:4; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,66a1dda748d073f5e659b700339c3343; reference:url,www.zscaler.com/blogs/research/malicious-android-ads-leading-drive-downloads; classtype:trojan-activity; sid:2024411; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_06_19, deployment Perimeter, former_category MOBILE_MALWARE, tag Android_07012016, updated_at 2020_08_06, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID SELECT"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007094; classtype:web-application-attack; sid:2007094; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Raiffeisen Bank Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024950; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007095; classtype:web-application-attack; sid:2007095; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Sparkasse Bank Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"netbanking.sparkasse.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024951; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID INSERT"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007096; classtype:web-application-attack; sid:2007096; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - BankAustria Targeting (set)"; flow:to_server,established; flowbits:set,ET.marcherphish; flowbits:noalert; http.method; content:"GET"; http.host; content:"online.bankaustria.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:trojan-activity; sid:2024952; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Minor, tag Android, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID DELETE"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007097; classtype:web-application-attack; sid:2007097; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android Marcher Trojan Download - Austrian Bank Targeting"; flow:to_client,established; flowbits:isset,ET.marcherphish; http.stat_code; content:"200"; http.header; content:"application/vnd.android.package-archive"; fast_pattern; content:"Content-Description|3a 20|File Transfer"; file.data; content:"PK"; depth:2; classtype:trojan-activity; sid:2024953; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_11_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ASCII"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007098; classtype:web-application-attack; sid:2007098; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!".blackberry.com"; content:!".nokia.com"; content:!".sonyericsson.com"; http.request_body; content:"<IMEI>"; nocase; content:"<|2F|IMEI>"; fast_pattern; nocase; distance:0; reference:url,www.met.police.uk/mobilephone/imei.htm; classtype:trojan-activity; sid:2013138; rev:10; metadata:created_at 2011_06_30, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007099; classtype:web-application-attack; sid:2007099; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:command-and-control; sid:2013142; rev:4; metadata:attack_target Mobile_Client, created_at 2011_06_30, former_category MOBILE_MALWARE, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007100; classtype:web-application-attack; sid:2007100; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Adware.Adwo.A"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?m="; content:"&a="; content:"&os="; content:!"&ComPut="; http.header_names; content:!"User-Agent"; reference:md5,bbb0aa6c9f84963dacec55345fe4c47e; classtype:trojan-activity; sid:2023475; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_01, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007101; classtype:web-application-attack; sid:2007101; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Xnore Fake Facebook Login Credentials Collected"; flow:established,to_server; http.method; content:"POST"; http.header; content:"xnore.com"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"app_id="; depth:7; fast_pattern; content:"&cemail="; distance:0; content:"&cpass="; distance:0; http.header_names; content:"Origin"; content:"Referer"; classtype:trojan-activity; sid:2026907; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_02_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Xnore, performance_impact Low, signature_severity Major, tag Spyware, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007102; classtype:web-application-attack; sid:2007102; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/BasBanke CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"data=NewClient"; depth:14; fast_pattern; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,79cf391a3ae2477cd804c68850dba80d; reference:url,securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/; classtype:command-and-control; sid:2027154; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_04_04, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BasBanke, tag Banker, updated_at 2020_08_28, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007103; classtype:web-application-attack; sid:2007103; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor Module Download Request"; flow:to_server,established; http.uri; content:"/?uuid="; content:"&ptype="; content:"&cacheFrom="; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027803; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Critical, tag Android, updated_at 2020_08_31;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007104; classtype:web-application-attack; sid:2007104; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:command-and-control; sid:2013210; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007105; classtype:web-application-attack; sid:2007105; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AOX Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/ReadAllTracks.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"{|22|contacts|22 3a|"; depth:12; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/; classtype:trojan-activity; sid:2027920; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_27, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007106; classtype:web-application-attack; sid:2007106; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPhone Implant - Boundary Observed"; flow:established,to_server; http.header; content:"multipart/form-data|3b 20|charset=utf-8|3b|boundary=9ff7172192b7"; nocase; fast_pattern; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027931; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2019_08_30, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UNION SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007107; classtype:web-application-attack; sid:2007107; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPhone Implant - Upload Files"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload/info"; nocase; depth:12; http.request_body; content:"Content-disposition|3a 20|form-data|3b 20|name="; content:"--9ff7172192b7--"; distance:0; fast_pattern; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027932; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2019_08_30, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare INSERT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007108; classtype:web-application-attack; sid:2007108; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Apple iPhone Implant - Command Executed"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/list/suc?name="; nocase; depth:15; fast_pattern; reference:url,googleprojectzero.blogspot.com/2019/08/implant-teardown.html; classtype:trojan-activity; sid:2027933; rev:2; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2019_08_30, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare DELETE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007109; classtype:web-application-attack; sid:2007109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=counter&app_key="; depth:23; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018945; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_18, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ASCII"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007110; classtype:web-application-attack; sid:2007110; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Joker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/api/report"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"eyJ"; depth:3; http.header_names; content:!"Referer|0d 0a|"; reference:md5,058865332bfae541e82b55e4a7e63aaf; reference:url,medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451; classtype:trojan-activity; sid:2027965; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_09, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Joker, tag Android, updated_at 2020_09_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007111; classtype:web-application-attack; sid:2007111; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE MOONSHINE payload C2 activity"; flow:established,to_server; http.uri; content:"/ws?whisky_id|3d|"; fast_pattern; http.header; content:"Upgrade|3a 20|websocket"; http.user_agent; content:"hots|20|scot"; depth:9; reference:url,citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits; classtype:trojan-activity; sid:2028622; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Moonshine, signature_severity Critical, tag Android, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007112; classtype:web-application-attack; sid:2007112; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Joker CnC Configuration Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/ckwkc2?icc="; startswith; fast_pattern; http.user_agent; content:"(Linux|3b 20|U|3b 20|Android"; http.header_names; content:!"Referer"; reference:url,research.checkpoint.com/2020/android-app-fraud-haken-clicker-and-joker-premium-dialer/; classtype:command-and-control; sid:2030849; rev:2; metadata:attack_target Mobile_Client, created_at 2020_09_08, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UNION SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007113; classtype:web-application-attack; sid:2007113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; dns.query; content:"loaderclientarea24.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear INSERT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007114; classtype:web-application-attack; sid:2007114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; dns.query; content:"loaderclientarea22.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear DELETE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007115; classtype:web-application-attack; sid:2007115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; dns.query; content:"loaderclientarea20.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ASCII"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007116; classtype:web-application-attack; sid:2007116; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; dns.query; content:"loaderclientarea15.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007117; classtype:web-application-attack; sid:2007117; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; dns.query; content:"sagdzusghcsh.top"; nocase; endswith; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_01_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007118; classtype:web-application-attack; sid:2007118; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup"; dns.query; content:"ios-certificate-update.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025727; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UNION SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007119; classtype:web-application-attack; sid:2007119; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2"; dns.query; content:"al-enayah.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025728; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID INSERT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007120; classtype:web-application-attack; sid:2007120; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3"; dns.query; content:"voguextra.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025729; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID DELETE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007121; classtype:web-application-attack; sid:2007121; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4"; dns.query; content:"techwach.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025730; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ASCII"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007122; classtype:web-application-attack; sid:2007122; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5"; dns.query; content:"wpitcher.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025731; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007123; classtype:web-application-attack; sid:2007123; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6"; dns.query; content:"ios-certificate-whatsapp.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025896; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007124; classtype:web-application-attack; sid:2007124; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7"; dns.query; content:"hytechmart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025897; rev:4; metadata:created_at 2018_07_25, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007132; classtype:web-application-attack; sid:2007132; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8"; dns.query; content:"appswonder.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025898; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007127; classtype:web-application-attack; sid:2007127; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9"; dns.query; content:"referfile.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025899; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007128; classtype:web-application-attack; sid:2007128; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10"; dns.query; content:"hiltrox.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025900; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007129; classtype:web-application-attack; sid:2007129; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11"; dns.query; content:"scrollayer.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025901; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007130; classtype:web-application-attack; sid:2007130; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12"; dns.query; content:"twitck.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025902; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007131; classtype:web-application-attack; sid:2007131; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14"; dns.query; content:"nfinx.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025904; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007133; classtype:web-application-attack; sid:2007133; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15"; dns.query; content:"metclix.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025905; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007134; classtype:web-application-attack; sid:2007134; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; dns.query; content:"capsnit.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007135; classtype:web-application-attack; sid:2007135; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 1"; dns.query; content:"banca-movil.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025933; rev:4; metadata:affected_product Android, affected_product iOS, attack_target Mobile_Client, created_at 2018_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007136; classtype:web-application-attack; sid:2007136; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 2"; dns.query; content:"pine-sales.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025934; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007137; classtype:web-application-attack; sid:2007137; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 3"; dns.query; content:"ecommerce-ads.org"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025935; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007138; classtype:web-application-attack; sid:2007138; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 4"; dns.query; content:"bytlo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025936; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007139; classtype:web-application-attack; sid:2007139; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 5"; dns.query; content:"ticket-selections.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025937; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007140; classtype:web-application-attack; sid:2007140; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 6"; dns.query; content:"onlineshopzm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025938; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007141; classtype:web-application-attack; sid:2007141; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 7"; dns.query; content:"zednewszm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025939; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat SELECT"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005256; classtype:web-application-attack; sid:2005256; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 8"; dns.query; content:"zm-banks.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025940; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005257; classtype:web-application-attack; sid:2005257; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 9"; dns.query; content:"zm-weather.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025941; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat INSERT"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005258; classtype:web-application-attack; sid:2005258; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 10"; dns.query; content:"znothernkivu.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025942; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat DELETE"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005259; classtype:web-application-attack; sid:2005259; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 11"; dns.query; content:"afriquenouvelle.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025943; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat ASCII"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005260; classtype:web-application-attack; sid:2005260; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 12"; dns.query; content:"allafricaninfo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025944; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005261; classtype:web-application-attack; sid:2005261; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 13"; dns.query; content:"centrasia-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025945; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat SELECT"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005262; classtype:web-application-attack; sid:2005262; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 14"; dns.query; content:"mystulchik.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025946; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005263; classtype:web-application-attack; sid:2005263; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 15"; dns.query; content:"odnoklass-profile.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025947; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat INSERT"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005264; classtype:web-application-attack; sid:2005264; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 16"; dns.query; content:"sputnik-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025948; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat DELETE"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005265; classtype:web-application-attack; sid:2005265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 17"; dns.query; content:"tengrinews.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025949; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat ASCII"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005266; classtype:web-application-attack; sid:2005266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 18"; dns.query; content:"sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025950; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005267; classtype:web-application-attack; sid:2005267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 19"; dns.query; content:"egov-sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025951; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show_joined.php?"; nocase; content:"path="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; reference:url,doc.emergingthreats.net/2008832; classtype:web-application-attack; sid:2008832; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 20"; dns.query; content:"egov-segek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025952; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show_joined.php?"; nocase; content:"path="; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//i"; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; reference:url,doc.emergingthreats.net/2008833; classtype:web-application-attack; sid:2008833; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 21"; dns.query; content:"mykaspi.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025953; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user SELECT"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006219; classtype:web-application-attack; sid:2006219; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 22"; dns.query; content:"kaspi-payment.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025954; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UNION SELECT"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006220; classtype:web-application-attack; sid:2006220; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 24"; dns.query; content:"e-sveiciens.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025955; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user INSERT"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006221; classtype:web-application-attack; sid:2006221; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 25"; dns.query; content:"klientuserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025956; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ASCII"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006223; classtype:web-application-attack; sid:2006223; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 26"; dns.query; content:"kurjerserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025957; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006224; classtype:web-application-attack; sid:2006224; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 27"; dns.query; content:"reklamas.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025958; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user DELETE"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006222; classtype:web-application-attack; sid:2006222; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 28"; dns.query; content:"legyelvodas.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025959; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id SELECT"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005877; classtype:web-application-attack; sid:2005877; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 29"; dns.query; content:"theastafrican.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025960; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UNION SELECT"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005878; classtype:web-application-attack; sid:2005878; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 30"; dns.query; content:"ajelnews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025961; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id INSERT"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005879; classtype:web-application-attack; sid:2005879; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 31"; dns.query; content:"akhbara-aalawsat.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025962; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id DELETE"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005880; classtype:web-application-attack; sid:2005880; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 32"; dns.query; content:"akhbar-arabia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025963; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ASCII"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005881; classtype:web-application-attack; sid:2005881; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 33"; dns.query; content:"gulf-news.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025964; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005882; classtype:web-application-attack; sid:2005882; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 34"; dns.query; content:"eltiempo-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025965; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/resim.asp?"; nocase; content:"islem=altkat"; nocase; content:"kat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33199/; reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt; reference:url,doc.emergingthreats.net/2008998; classtype:web-application-attack; sid:2008998; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 35"; dns.query; content:"arabnews365.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025966; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template SELECT"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005336; classtype:web-application-attack; sid:2005336; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 36"; dns.query; content:"arabworldnews.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025967; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UNION SELECT"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005337; classtype:web-application-attack; sid:2005337; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 37"; dns.query; content:"breaking-extranews.online"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025968; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template INSERT"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005338; classtype:web-application-attack; sid:2005338; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 38"; dns.query; content:"breaking-news.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025969; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template DELETE"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005339; classtype:web-application-attack; sid:2005339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 39"; dns.query; content:"breakingnewsasia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025970; rev:4; metadata:created_at 2018_08_03, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template ASCII"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005340; classtype:web-application-attack; sid:2005340; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 40"; dns.query; content:"breakthenews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025971; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005341; classtype:web-application-attack; sid:2005341; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/collectdata-new.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|a|22 3a|"; depth:5; content:"|22|b|22 3a|[{|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025987; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, tag Android, updated_at 2020_09_16, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno SELECT"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007060; classtype:web-application-attack; sid:2007060; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/newuser.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|imei|22 3a|"; depth:8; content:"|22|tag|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:command-and-control; sid:2025988; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, signature_severity Major, tag Android, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UNION SELECT"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007061; classtype:web-application-attack; sid:2007061; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/fcollectdata.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|category|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b603017bbcee17a76f5b0ee478d2d935; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025989; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, tag Android, updated_at 2020_09_16, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno INSERT"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007062; classtype:web-application-attack; sid:2007062; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup)"; dns.query; content:"1jve.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026115; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno DELETE"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007063; classtype:web-application-attack; sid:2007063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"1jve.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026116; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno ASCII"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007064; classtype:web-application-attack; sid:2007064; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup)"; dns.query; content:"clarke-taylor.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026117; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007065; classtype:web-application-attack; sid:2007065; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"clarke-taylor.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026118; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/threadstop/threadstop.php?"; nocase; content:"exbb[default_lang]="; nocase; reference:bugtraq,28686; reference:url,milw0rm.com/exploits/5405; reference:url,doc.emergingthreats.net/2009428; classtype:web-application-attack; sid:2009428; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup)"; dns.query; content:"hcttmail.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026119; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id SELECT"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005081; classtype:web-application-attack; sid:2005081; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hcttmail.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026120; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005082; classtype:web-application-attack; sid:2005082; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup)"; dns.query; content:"mail-presidency.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026121; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id INSERT"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005083; classtype:web-application-attack; sid:2005083; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-presidency.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026122; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id DELETE"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005084; classtype:web-application-attack; sid:2005084; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup)"; dns.query; content:"aamir-khan.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026123; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id ASCII"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005085; classtype:web-application-attack; sid:2005085; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"aamir-khan.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026124; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005086; classtype:web-application-attack; sid:2005086; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup)"; dns.query; content:"daario-naharis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026125; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Experts answer.php question_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/answer.php?"; nocase; content:"question_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,2008-5267; reference:url,milw0rm.com/exploits/5776; reference:bugtraq,29642; reference:url,doc.emergingthreats.net/2008931; classtype:web-application-attack; sid:2008931; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"daario-naharis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026126; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex SELECT"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"SELECT"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006813; classtype:web-application-attack; sid:2006813; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup)"; dns.query; content:"help-live.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026127; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UNION SELECT"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"UNION"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006814; classtype:web-application-attack; sid:2006814; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-live.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026128; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex INSERT"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"INSERT"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006815; classtype:web-application-attack; sid:2006815; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup)"; dns.query; content:"margaery-tyrell.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026129; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex DELETE"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"DELETE"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006816; classtype:web-application-attack; sid:2006816; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"margaery-tyrell.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026130; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex ASCII"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006817; classtype:web-application-attack; sid:2006817; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup)"; dns.query; content:"accaunts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026131; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"UPDATE"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006818; classtype:web-application-attack; sid:2006818; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accaunts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026132; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp SELECT"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006339; classtype:web-application-attack; sid:2006339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup)"; dns.query; content:"dachfunny.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026133; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006340; classtype:web-application-attack; sid:2006340; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026134; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp INSERT"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006341; classtype:web-application-attack; sid:2006341; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup)"; dns.query; content:"help-sec.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026135; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp DELETE"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006342; classtype:web-application-attack; sid:2006342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-sec.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026136; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp ASCII"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006343; classtype:web-application-attack; sid:2006343; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup)"; dns.query; content:"maria-bouchard.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026137; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006344; classtype:web-application-attack; sid:2006344; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"maria-bouchard.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026138; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005615; classtype:web-application-attack; sid:2005615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup)"; dns.query; content:"account-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026139; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005616; classtype:web-application-attack; sid:2005616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026140; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005617; classtype:web-application-attack; sid:2005617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup)"; dns.query; content:"dachfunny.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026141; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005618; classtype:web-application-attack; sid:2005618; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026142; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005619; classtype:web-application-attack; sid:2005619; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup)"; dns.query; content:"heyapp.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026143; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005620; classtype:web-application-attack; sid:2005620; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"heyapp.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026144; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (poll.php)"; flow:established,to_server; http.uri; content:"/mod/poll.php?"; nocase; content:"GLOBALS[nlang]="; nocase; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/i"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010543; classtype:web-application-attack; sid:2010543; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup)"; dns.query; content:"marklavi.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026145; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (new.php)"; flow:established,to_server; http.uri; content:"/mod/new.php?"; nocase; content:"GLOBALS[nlang]="; nocase; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/i"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010544; classtype:web-application-attack; sid:2010544; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"marklavi.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026146; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/manager/DiagLogListActionBody.do?"; nocase; content:"logFile="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010800; classtype:web-application-attack; sid:2010800; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup)"; dns.query; content:"account-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026147; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; content:"captureFile="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010801; classtype:web-application-attack; sid:2010801; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026148; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/sat/ViewSatReport.do?"; nocase; content:"fileName="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010802; classtype:web-application-attack; sid:2010802; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup)"; dns.query; content:"dardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026149; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; content:"capture="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010803; classtype:web-application-attack; sid:2010803; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026150; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/sat/ViewInventoryErrorReport.do?"; nocase; content:"fileName="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010804; classtype:web-application-attack; sid:2010804; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup)"; dns.query; content:"hitmesanjjoy.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026151; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006123; classtype:web-application-attack; sid:2006123; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"hitmesanjjoy.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026152; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006124; classtype:web-application-attack; sid:2006124; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup)"; dns.query; content:"mary-crawley.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026153; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006125; classtype:web-application-attack; sid:2006125; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mary-crawley.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026154; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006126; classtype:web-application-attack; sid:2006126; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup)"; dns.query; content:"accountforuser.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026155; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006127; classtype:web-application-attack; sid:2006127; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforuser.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026156; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006128; classtype:web-application-attack; sid:2006128; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup)"; dns.query; content:"dardash.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026157; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/sitemap.xml.php?"; nocase; content:"dir[classes]="; nocase; reference:url,secunia.com/advisories/28047; reference:url,milw0rm.com/exploits/4712; reference:url,doc.emergingthreats.net/2009507; classtype:web-application-attack; sid:2009507; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026158; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006327; classtype:web-application-attack; sid:2006327; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup)"; dns.query; content:"hoopoechat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026159; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006328; classtype:web-application-attack; sid:2006328; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hoopoechat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026160; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006329; classtype:web-application-attack; sid:2006329; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup)"; dns.query; content:"masuka.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026161; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006330; classtype:web-application-attack; sid:2006330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"masuka.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026162; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006331; classtype:web-application-attack; sid:2006331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup)"; dns.query; content:"accountforusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026163; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006332; classtype:web-application-attack; sid:2006332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026164; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/datumscalc.php?"; nocase; content:"kal_class_path="; nocase; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011096; classtype:web-application-attack; sid:2011096; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup)"; dns.query; content:"dardash.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026165; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/monatsblatt.php?"; nocase; content:"kal_class_path="; nocase; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011097; classtype:web-application-attack; sid:2011097; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026166; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006898; classtype:web-application-attack; sid:2006898; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup)"; dns.query; content:"hotimael.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026167; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006899; classtype:web-application-attack; sid:2006899; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotimael.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026168; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006900; classtype:web-application-attack; sid:2006900; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup)"; dns.query; content:"matthew-stevens.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026169; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006901; classtype:web-application-attack; sid:2006901; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"matthew-stevens.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026170; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006902; classtype:web-application-attack; sid:2006902; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup)"; dns.query; content:"accounts-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026171; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006903; classtype:web-application-attack; sid:2006903; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026172; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006904; classtype:web-application-attack; sid:2006904; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup)"; dns.query; content:"dardash.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026173; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006905; classtype:web-application-attack; sid:2006905; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026174; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006906; classtype:web-application-attack; sid:2006906; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup)"; dns.query; content:"hotmailme.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026175; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006907; classtype:web-application-attack; sid:2006907; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotmailme.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026176; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006908; classtype:web-application-attack; sid:2006908; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup)"; dns.query; content:"mauricefischer.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026177; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006909; classtype:web-application-attack; sid:2006909; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mauricefischer.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026178; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/firestats/php/window-add-excluded-ip.php?"; nocase; content:"edit="; nocase; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011256; classtype:web-application-attack; sid:2011256; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup)"; dns.query; content:"accounts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026179; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/firestats/php/window-add-excluded-url.php?"; nocase; content:"edit="; nocase; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011257; classtype:web-application-attack; sid:2011257; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026180; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/firestats/php/window-new-edit-site.php?"; nocase; content:"site_id="; nocase; pcre:"/site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011258; classtype:web-application-attack; sid:2011258; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup)"; dns.query; content:"david-mclean.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026181; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007182; classtype:web-application-attack; sid:2007182; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-mclean.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026182; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UNION SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007183; classtype:web-application-attack; sid:2007183; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup)"; dns.query; content:"italk-chat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026183; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id INSERT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007184; classtype:web-application-attack; sid:2007184; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026184; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id DELETE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007185; classtype:web-application-attack; sid:2007185; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup)"; dns.query; content:"max-eleanor.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026185; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ASCII"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007186; classtype:web-application-attack; sid:2007186; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-eleanor.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026186; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007187; classtype:web-application-attack; sid:2007187; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup)"; dns.query; content:"accountusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026187; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007188; classtype:web-application-attack; sid:2007188; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026188; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UNION SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007189; classtype:web-application-attack; sid:2007189; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup)"; dns.query; content:"david-moris.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026189; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid INSERT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007190; classtype:web-application-attack; sid:2007190; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-moris.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026190; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid DELETE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007191; classtype:web-application-attack; sid:2007191; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup)"; dns.query; content:"italk-chat.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026191; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ASCII"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007192; classtype:web-application-attack; sid:2007192; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026192; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007193; classtype:web-application-attack; sid:2007193; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup)"; dns.query; content:"max-mayfield.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026193; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid SELECT"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007194; classtype:web-application-attack; sid:2007194; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-mayfield.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026194; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UNION SELECT"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007195; classtype:web-application-attack; sid:2007195; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup)"; dns.query; content:"accuant-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026195; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid INSERT"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007196; classtype:web-application-attack; sid:2007196; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accuant-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026196; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid DELETE"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007197; classtype:web-application-attack; sid:2007197; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup)"; dns.query; content:"davina-claire.xyz"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026197; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ASCII"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007198; classtype:web-application-attack; sid:2007198; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"davina-claire.xyz"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026198; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007199; classtype:web-application-attack; sid:2007199; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup)"; dns.query; content:"jack-wagner.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026199; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz num_questions.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/num_questions.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009849; classtype:web-application-attack; sid:2009849; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"jack-wagner.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026200; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/answers.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009850; classtype:web-application-attack; sid:2009850; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup)"; dns.query; content:"maxlight.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026201; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php order_number Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/answers.php?"; nocase; content:"order_number="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009851; classtype:web-application-attack; sid:2009851; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxlight.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026202; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score_web.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/high_score_web.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009852; classtype:web-application-attack; sid:2009852; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup)"; dns.query; content:"activedardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026203; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz results_table_web.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/results_table_web.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009853; classtype:web-application-attack; sid:2009853; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"activedardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026204; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/question.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009854; classtype:web-application-attack; sid:2009854; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup)"; dns.query; content:"davos-seaworth.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026205; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php order_number Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/question.php?"; nocase; content:"order_number="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009855; classtype:web-application-attack; sid:2009855; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"davos-seaworth.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026206; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/high_score.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009856; classtype:web-application-attack; sid:2009856; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup)"; dns.query; content:"james-charles.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026207; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/pmscript.php?"; nocase; content:"with="; nocase; reference:url,milw0rm.com/exploits/8549; reference:bugtraq,34734; reference:url,doc.emergingthreats.net/2009745; classtype:web-application-attack; sid:2009745; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"james-charles.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026208; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/formmailer/formmailer.admin.inc.php?"; nocase; content:"BASE_DIR[jax_formmailer]="; nocase; pcre:"/BASE_DIR\[jax_formmailer\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/55751; reference:url,doc.emergingthreats.net/2010484; classtype:web-application-attack; sid:2010484; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup)"; dns.query; content:"mediauploader.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026209; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user SELECT"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005176; classtype:web-application-attack; sid:2005176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"mediauploader.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026210; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005147; classtype:web-application-attack; sid:2005147; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup)"; dns.query; content:"alain.ps"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026211; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user INSERT"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005148; classtype:web-application-attack; sid:2005148; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI)"; flow:established,to_server; tls.sni; content:"alain.ps"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026212; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user DELETE"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005149; classtype:web-application-attack; sid:2005149; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup)"; dns.query; content:"debra-morgan.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026213; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user ASCII"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005150; classtype:web-application-attack; sid:2005150; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"debra-morgan.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026214; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005151; classtype:web-application-attack; sid:2005151; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup)"; dns.query; content:"jimmykudo.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026217; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Bible Search readbible.php SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/readbible.php?"; nocase; content:"version="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33301; reference:url,milw0rm.com/exploits/7798; reference:url,doc.emergingthreats.net/2009103; classtype:web-application-attack; sid:2009103; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"jimmykudo.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026218; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/init.php?"; nocase; content:"API_HOME_DIR="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; reference:url,doc.emergingthreats.net/2008878; classtype:web-application-attack; sid:2008878; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup)"; dns.query; content:"meet-me.chat"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026219; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/includes/startmodules.inc.php?"; nocase; content:"lang_file="; nocase; reference:bugtraq,34538; reference:url,milw0rm.com/exploits/8446; reference:url,doc.emergingthreats.net/2009652; classtype:web-application-attack; sid:2009652; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI)"; flow:established,to_server; tls.sni; content:"meet-me.chat"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026220; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Frontis aps_browse_sources.php source_class Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bin/aps_browse_sources.php?"; nocase; content:"source_class="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35369/; reference:url,milw0rm.com/exploits/8900; reference:url,doc.emergingthreats.net/2009935; classtype:web-application-attack; sid:2009935; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup)"; dns.query; content:"alisonparker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026221; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004917; classtype:web-application-attack; sid:2004917; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"alisonparker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026222; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004918; classtype:web-application-attack; sid:2004918; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup)"; dns.query; content:"donna-paulsen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026223; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004919; classtype:web-application-attack; sid:2004919; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"donna-paulsen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026224; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004920; classtype:web-application-attack; sid:2004920; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"android-settings.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026225; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004921; classtype:web-application-attack; sid:2004921; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup)"; dns.query; content:"android-settings.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026226; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004923; classtype:web-application-attack; sid:2004923; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup)"; dns.query; content:"easyshow.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026227; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id SELECT"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005075; classtype:web-application-attack; sid:2005075; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"easyshow.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026228; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UNION SELECT"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005076; classtype:web-application-attack; sid:2005076; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup)"; dns.query; content:"jon-snow.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026229; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id INSERT"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005077; classtype:web-application-attack; sid:2005077; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"jon-snow.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026230; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id DELETE"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005078; classtype:web-application-attack; sid:2005078; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup)"; dns.query; content:"men-ana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026231; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ASCII"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005079; classtype:web-application-attack; sid:2005079; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"men-ana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026232; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005080; classtype:web-application-attack; sid:2005080; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup)"; dns.query; content:"apkapps.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026233; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005372; classtype:web-application-attack; sid:2005372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026234; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005373; classtype:web-application-attack; sid:2005373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup)"; dns.query; content:"eleanor-guthrie.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026235; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005374; classtype:web-application-attack; sid:2005374; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanor-guthrie.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026236; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005375; classtype:web-application-attack; sid:2005375; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup)"; dns.query; content:"jorah-mormont.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026237; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005376; classtype:web-application-attack; sid:2005376; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"jorah-mormont.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026238; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005377; classtype:web-application-attack; sid:2005377; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup)"; dns.query; content:"michael-keaton.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026239; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006461; classtype:web-application-attack; sid:2006461; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"michael-keaton.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026240; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006462; classtype:web-application-attack; sid:2006462; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup)"; dns.query; content:"apkapps.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026241; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006463; classtype:web-application-attack; sid:2006463; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026242; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006464; classtype:web-application-attack; sid:2006464; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup)"; dns.query; content:"eleanorguthrie.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026243; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006465; classtype:web-application-attack; sid:2006465; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanorguthrie.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026244; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006466; classtype:web-application-attack; sid:2006466; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup)"; dns.query; content:"joycebyers.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026245; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode SELECT"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006467; classtype:web-application-attack; sid:2006467; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"joycebyers.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026246; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UNION SELECT"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006468; classtype:web-application-attack; sid:2006468; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup)"; dns.query; content:"miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026247; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode INSERT"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006469; classtype:web-application-attack; sid:2006469; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026248; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode DELETE"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006470; classtype:web-application-attack; sid:2006470; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup)"; dns.query; content:"appchecker.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026249; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ASCII"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006471; classtype:web-application-attack; sid:2006471; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"appchecker.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026250; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006472; classtype:web-application-attack; sid:2006472; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup)"; dns.query; content:"engin-altan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026251; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006189; classtype:web-application-attack; sid:2006189; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"engin-altan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026252; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006190; classtype:web-application-attack; sid:2006190; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup)"; dns.query; content:"juana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026253; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006191; classtype:web-application-attack; sid:2006191; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"juana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026254; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006192; classtype:web-application-attack; sid:2006192; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup)"; dns.query; content:"miwakosato.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026255; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006193; classtype:web-application-attack; sid:2006193; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"miwakosato.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026256; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006194; classtype:web-application-attack; sid:2006194; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup)"; dns.query; content:"appuree.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026257; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006195; classtype:web-application-attack; sid:2006195; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"appuree.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026258; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006196; classtype:web-application-attack; sid:2006196; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup)"; dns.query; content:"esofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026259; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006197; classtype:web-application-attack; sid:2006197; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"esofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026260; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006198; classtype:web-application-attack; sid:2006198; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup)"; dns.query; content:"kaniel-outis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026261; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006199; classtype:web-application-attack; sid:2006199; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaniel-outis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026262; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006200; classtype:web-application-attack; sid:2006200; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup)"; dns.query; content:"mofa-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026263; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006201; classtype:web-application-attack; sid:2006201; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mofa-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026264; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006202; classtype:web-application-attack; sid:2006202; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup)"; dns.query; content:"arthursaito.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026265; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006203; classtype:web-application-attack; sid:2006203; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"arthursaito.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026266; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006204; classtype:web-application-attack; sid:2006204; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup)"; dns.query; content:"everyservices.space"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026267; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006205; classtype:web-application-attack; sid:2006205; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"everyservices.space"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026268; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006206; classtype:web-application-attack; sid:2006206; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup)"; dns.query; content:"karenwheeler.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026269; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic SELECT"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005330; classtype:web-application-attack; sid:2005330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"karenwheeler.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026270; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UNION SELECT"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005331; classtype:web-application-attack; sid:2005331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup)"; dns.query; content:"moneymotion.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026271; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic INSERT"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005332; classtype:web-application-attack; sid:2005332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"moneymotion.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026272; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic DELETE"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005333; classtype:web-application-attack; sid:2005333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup)"; dns.query; content:"aryastark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026273; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic ASCII"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005334; classtype:web-application-attack; sid:2005334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aryastark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026274; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005335; classtype:web-application-attack; sid:2005335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup)"; dns.query; content:"exvsnomy.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026275; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GDL gdl.php node Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gdl.php?"; nocase; content:"mod=browse"; nocase; content:"node="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34144; reference:url,milw0rm.com/exploits/8228; reference:url,doc.emergingthreats.net/2009394; classtype:web-application-attack; sid:2009394; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"exvsnomy.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026276; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GS Real Estate Portal email.php AgentID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/email.php?"; nocase; content:"AgentID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,juniper.net/security/auto/vulnerabilities/vuln32307.html; reference:url,xforce.iss.net/xforce/xfdb/46638; reference:url,milw0rm.com/exploits/7117; reference:url,doc.emergingthreats.net/2009791; classtype:web-application-attack; sid:2009791; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup)"; dns.query; content:"kate-austen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026277; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery2/lib/adodb/adodb-error.inc.php?"; nocase; content:"ADODB_LANG="; nocase; pcre:"/ADODB_LANG\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10705; reference:url,doc.emergingthreats.net/2011018; classtype:web-application-attack; sid:2011018; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kate-austen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026278; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/core/includes/gfw_smarty.php?"; nocase; content:"config[gfwroot]="; nocase; pcre:"/config\[gfwroot\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12488; reference:bugtraq,39890; reference:url,doc.emergingthreats.net/2011116; classtype:web-application-attack; sid:2011116; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup)"; dns.query; content:"myboon.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026279; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004000; classtype:web-application-attack; sid:2004000; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"myboon.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026280; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004001; classtype:web-application-attack; sid:2004001; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup)"; dns.query; content:"aslaug-sigurd.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026281; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aslaug-sigurd.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026282; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004003; classtype:web-application-attack; sid:2004003; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup)"; dns.query; content:"ezofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026283; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004004; classtype:web-application-attack; sid:2004004; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"ezofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026284; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori SELECT"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004397; classtype:web-application-attack; sid:2004397; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup)"; dns.query; content:"katesacker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026285; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UNION SELECT"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004398; classtype:web-application-attack; sid:2004398; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"katesacker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026286; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori INSERT"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004399; classtype:web-application-attack; sid:2004399; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup)"; dns.query; content:"mygift.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026287; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori DELETE"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004400; classtype:web-application-attack; sid:2004400; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026288; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ASCII"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004401; classtype:web-application-attack; sid:2004401; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup)"; dns.query; content:"assets-acc.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026289; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004402; classtype:web-application-attack; sid:2004402; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"assets-acc.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026290; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user SELECT"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005009; classtype:web-application-attack; sid:2005009; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup)"; dns.query; content:"face-book-support.email"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026291; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UNION SELECT"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005010; classtype:web-application-attack; sid:2005010; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI)"; flow:established,to_server; tls.sni; content:"face-book-support.email"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026292; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user INSERT"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005011; classtype:web-application-attack; sid:2005011; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup)"; dns.query; content:"katie.party"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026293; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user DELETE"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005012; classtype:web-application-attack; sid:2005012; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI)"; flow:established,to_server; tls.sni; content:"katie.party"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026294; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ASCII"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005013; classtype:web-application-attack; sid:2005013; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup)"; dns.query; content:"mygift.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026295; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005014; classtype:web-application-attack; sid:2005014; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026296; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/library/setup/rpc.php?"; nocase; content:"objectname="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/7344; reference:url,secunia.com/advisories/32982/; reference:url,doc.emergingthreats.net/2008937; classtype:web-application-attack; sid:2008937; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup)"; dns.query; content:"bbc-learning.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026297; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id SELECT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004349; classtype:web-application-attack; sid:2004349; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bbc-learning.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026298; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004350; classtype:web-application-attack; sid:2004350; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup)"; dns.query; content:"fasebcck.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026299; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id INSERT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004351; classtype:web-application-attack; sid:2004351; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebcck.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026300; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id DELETE"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004352; classtype:web-application-attack; sid:2004352; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup)"; dns.query; content:"kik-com.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026301; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id ASCII"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004353; classtype:web-application-attack; sid:2004353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kik-com.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026302; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004354; classtype:web-application-attack; sid:2004354; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup)"; dns.query; content:"namybotter.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026303; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004355; classtype:web-application-attack; sid:2004355; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"namybotter.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026304; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004356; classtype:web-application-attack; sid:2004356; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup)"; dns.query; content:"bellamy-bob.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026305; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id INSERT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004357; classtype:web-application-attack; sid:2004357; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"bellamy-bob.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026306; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id DELETE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004358; classtype:web-application-attack; sid:2004358; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)"; dns.query; content:"fasebock.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026307; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id ASCII"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004359; classtype:web-application-attack; sid:2004359; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebock.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026308; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004360; classtype:web-application-attack; sid:2004360; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup)"; dns.query; content:"kristy-milligan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026309; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id SELECT"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004361; classtype:web-application-attack; sid:2004361; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"kristy-milligan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026310; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004362; classtype:web-application-attack; sid:2004362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup)"; dns.query; content:"namyyeatop.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026311; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id INSERT"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004363; classtype:web-application-attack; sid:2004363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"namyyeatop.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026312; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id ASCII"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004365; classtype:web-application-attack; sid:2004365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup)"; dns.query; content:"bestbitloly.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026313; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004366; classtype:web-application-attack; sid:2004366; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bestbitloly.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026314; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004367; classtype:web-application-attack; sid:2004367; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup)"; dns.query; content:"fasebook.cam"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026315; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UNION SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004368; classtype:web-application-attack; sid:2004368; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebook.cam"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026316; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url INSERT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004369; classtype:web-application-attack; sid:2004369; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup)"; dns.query; content:"lagertha-lothbrok.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026317; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url DELETE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004370; classtype:web-application-attack; sid:2004370; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lagertha-lothbrok.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026318; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url ASCII"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004371; classtype:web-application-attack; sid:2004371; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup)"; dns.query; content:"natemunson.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026319; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004372; classtype:web-application-attack; sid:2004372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"natemunson.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026320; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011262; classtype:web-application-attack; sid:2011262; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup)"; dns.query; content:"billy-bones.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026321; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011263; classtype:web-application-attack; sid:2011263; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"billy-bones.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026322; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011264; classtype:web-application-attack; sid:2011264; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in DNS Lookup)"; dns.query; content:"fasebookvideo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026339; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011265; classtype:web-application-attack; sid:2011265; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebookvideo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026340; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011266; classtype:web-application-attack; sid:2011266; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in DNS Lookup)"; dns.query; content:"leonard-kim.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026341; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guestbook guestbook.php mes_id SQL Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/guestbook.php?"; nocase; content:"mes_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/9197; reference:url,doc.emergingthreats.net/2009674; classtype:web-application-attack; sid:2009674; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leonard-kim.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026342; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id SELECT"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005222; classtype:web-application-attack; sid:2005222; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in DNS Lookup)"; dns.query; content:"new.filetea.me"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026343; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005223; classtype:web-application-attack; sid:2005223; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"new.filetea.me"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026344; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id INSERT"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005224; classtype:web-application-attack; sid:2005224; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in DNS Lookup)"; dns.query; content:"bitgames.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026345; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id DELETE"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005225; classtype:web-application-attack; sid:2005225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"bitgames.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026346; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ASCII"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005311; classtype:web-application-attack; sid:2005311; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in DNS Lookup)"; dns.query; content:"fatehmedia.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026347; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005226; classtype:web-application-attack; sid:2005226; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"fatehmedia.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026348; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007404; classtype:web-application-attack; sid:2007404; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in DNS Lookup)"; dns.query; content:"leslie-barnes.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026349; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UNION SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007405; classtype:web-application-attack; sid:2007405; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leslie-barnes.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026350; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd INSERT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007406; classtype:web-application-attack; sid:2007406; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in DNS Lookup)"; dns.query; content:"nightchat.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026351; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd DELETE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007407; classtype:web-application-attack; sid:2007407; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026352; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ASCII"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007408; classtype:web-application-attack; sid:2007408; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in DNS Lookup)"; dns.query; content:"black-honey.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026353; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007409; classtype:web-application-attack; sid:2007409; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"black-honey.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026354; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007410; classtype:web-application-attack; sid:2007410; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in DNS Lookup)"; dns.query; content:"firesky.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026355; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UNION SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007411; classtype:web-application-attack; sid:2007411; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"firesky.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026356; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url INSERT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007412; classtype:web-application-attack; sid:2007412; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in DNS Lookup)"; dns.query; content:"lets-see.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026357; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url DELETE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007413; classtype:web-application-attack; sid:2007413; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"lets-see.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026358; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ASCII"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007414; classtype:web-application-attack; sid:2007414; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in DNS Lookup)"; dns.query; content:"nightchat.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026359; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007415; classtype:web-application-attack; sid:2007415; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026364; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/smhui/getuiinfo"; nocase; content:"JS"; nocase; content:"servercert="; nocase; pcre:"/servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727; reference:cve,2009-4185; reference:url,doc.emergingthreats.net/2010770; classtype:web-application-attack; sid:2010770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup)"; dns.query; content:"bob-turco.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026365; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mypage.php?"; nocase; content:"trg="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32467; reference:bugtraq,31986; reference:url,milw0rm.com/exploits/6874; reference:url,doc.emergingthreats.net/2009878; classtype:web-application-attack; sid:2009878; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bob-turco.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026366; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre SELECT"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004421; classtype:web-application-attack; sid:2004421; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup)"; dns.query; content:"flirtymania.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026367; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UNION SELECT"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"UNION"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004422; classtype:web-application-attack; sid:2004422; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"flirtymania.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026368; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre INSERT"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004423; classtype:web-application-attack; sid:2004423; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup)"; dns.query; content:"lexi-branson.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026369; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre DELETE"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004424; classtype:web-application-attack; sid:2004424; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lexi-branson.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026370; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ASCII"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004425; classtype:web-application-attack; sid:2004425; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup)"; dns.query; content:"nissour-beton.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026371; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004426; classtype:web-application-attack; sid:2004426; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"nissour-beton.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026372; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/includes/header.php?"; nocase; content:"c_temp_path="; nocase; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009231; classtype:web-application-attack; sid:2009231; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup)"; dns.query; content:"buymicrosft.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026373; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/footer.php?"; nocase; content:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/8028; reference:url,doc.emergingthreats.net/2009232; classtype:web-application-attack; sid:2009232; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"buymicrosft.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026374; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/header.php?"; nocase; content:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009233; classtype:web-application-attack; sid:2009233; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup)"; dns.query; content:"freya.miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026375; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; http.uri; content:"/manda.php?"; content:"id="; nocase; content:"&v="; nocase; pcre:"/\/manda\.php\?id=(-)?\d{8,10}&v=\w/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,doc.emergingthreats.net/2010765; reference:md5,b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; classtype:command-and-control; sid:2010765; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"freya.miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026376; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/knowledgebase.php?"; nocase; content:"act=art"; nocase; content:"article_id="; nocase; pcre:"/(\?|&)article_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt; reference:url,doc.emergingthreats.net/2010609; classtype:web-application-attack; sid:2010609; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup)"; dns.query; content:"lincoln-blake.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026377; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php"; flow:to_server,established; http.uri; content:"/horde/services/images/colorpicker.php?"; nocase; pcre:"/colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009494; classtype:web-application-attack; sid:2009494; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lincoln-blake.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026378; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt test.php"; flow:to_server,established; http.uri; content:"/horde/test.php?"; nocase; pcre:"/test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009495; classtype:web-application-attack; sid:2009495; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup)"; dns.query; content:"octavia-blake.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026379; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php"; flow:to_server,established; http.uri; content:"/horde/passwd/main.php?"; nocase; pcre:"/passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22/i"; reference:url,bugs.horde.org/ticket/8398; reference:url,doc.emergingthreats.net/2009496; classtype:web-application-attack; sid:2009496; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"octavia-blake.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026380; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php (2)"; flow:to_server,established; http.uri; content:"/horde/services/images/colorpicker.php?"; nocase; pcre:"/colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009497; classtype:web-application-attack; sid:2009497; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup)"; dns.query; content:"camilleoconnell.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026381; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt test.php (2)"; flow:to_server,established; http.uri; content:"/horde/test.php?"; nocase; pcre:"/test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009498; classtype:web-application-attack; sid:2009498; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"camilleoconnell.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026382; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php (2)"; flow:to_server,established; http.uri; content:"/horde/passwd/main.php?"; nocase; pcre:"/passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22/i"; reference:url,bugs.horde.org/ticket/8398; reference:url,doc.emergingthreats.net/2009499; classtype:web-application-attack; sid:2009499; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup)"; dns.query; content:"geny-wise.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026383; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hubscript XSS Attempt"; flow:to_server,established; http.uri; content:"/patch/single_winner1.php?bid_id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009647; classtype:web-application-attack; sid:2009647; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"geny-wise.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026384; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hubscript PHPInfo Attempt"; flow:to_server,established; http.uri; content:"/patch/manage/phpinfo.php"; nocase; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009650; classtype:web-application-attack; sid:2009650; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup)"; dns.query; content:"lindamullins.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026385; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id SELECT"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2005179; classtype:web-application-attack; sid:2005179; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lindamullins.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026386; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004630; classtype:web-application-attack; sid:2004630; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup)"; dns.query; content:"olivia-hartman.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026387; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id INSERT"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004631; classtype:web-application-attack; sid:2004631; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"olivia-hartman.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026388; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id DELETE"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004632; classtype:web-application-attack; sid:2004632; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup)"; dns.query; content:"caroline-nina.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026389; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ASCII"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004633; classtype:web-application-attack; sid:2004633; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"caroline-nina.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026390; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004634; classtype:web-application-attack; sid:2004634; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup)"; dns.query; content:"gmailservice.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026391; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005063; classtype:web-application-attack; sid:2005063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmailservice.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026392; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005064; classtype:web-application-attack; sid:2005064; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup)"; dns.query; content:"liz-keen.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026393; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id INSERT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005065; classtype:web-application-attack; sid:2005065; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"liz-keen.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026394; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id DELETE"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005066; classtype:web-application-attack; sid:2005066; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup)"; dns.query; content:"oriential.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026395; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ASCII"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005067; classtype:web-application-attack; sid:2005067; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"oriential.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026396; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005068; classtype:web-application-attack; sid:2005068; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup)"; dns.query; content:"cassy-gray.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026397; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/advanced/workingSet.jsp"; nocase; content:"operation=add"; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010145; classtype:web-application-attack; sid:2010145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"cassy-gray.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026398; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"searchWord="; nocase; pcre:"/searchWord\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010181; classtype:web-application-attack; sid:2010181; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup)"; dns.query; content:"graceygretchen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026399; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"maxHits="; nocase; pcre:"/maxHits\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010182; classtype:web-application-attack; sid:2010182; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"graceygretchen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026400; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"scopedSearch="; nocase; pcre:"/scopedSearch\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010183; classtype:web-application-attack; sid:2010183; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup)"; dns.query; content:"login-yohoo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026401; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"scope="; nocase; pcre:"/scope\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010184; classtype:web-application-attack; sid:2010184; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"login-yohoo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026402; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/help/readme.nsf/Header"; nocase; content:"OpenPage="; nocase; content:"BaseTarget="; nocase; pcre:"/BaseTarget\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/38481; reference:url,doc.emergingthreats.net/2010865; classtype:web-application-attack; sid:2010865; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup)"; dns.query; content:"ososezo.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026403; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/WebEditor/Authentication/LoginPage.aspx?"; nocase; content:"ReturnUrl="; nocase; content:"errMsg="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstorm.foofus.com/1003-exploits/ibmenovia-xss.txt; reference:url,doc.emergingthreats.net/2010980; classtype:web-application-attack; sid:2010980; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026404; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/cindefn.php"; nocase; content:"INDEX="; nocase; pcre:"/INDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011190; classtype:web-application-attack; sid:2011190; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup)"; dns.query; content:"cecilia-dobrev.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026405; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/power_management_policy_options.php"; nocase; content:"domain="; nocase; pcre:"/domain\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011191; classtype:web-application-attack; sid:2011191; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-dobrev.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026406; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/pm_temp.php"; nocase; content:"view="; nocase; content:"mod_type="; nocase; content:"slot="; nocase; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011192; classtype:web-application-attack; sid:2011192; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup)"; dns.query; content:"hareyupnow.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026407; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/power_module.php"; nocase; content:"view="; nocase; content:"mod_type="; nocase; content:"slot="; nocase; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011193; classtype:web-application-attack; sid:2011193; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"hareyupnow.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026408; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/blade_leds.php"; nocase; content:"WEBINDEX="; nocase; pcre:"/WEBINDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011194; classtype:web-application-attack; sid:2011194; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup)"; dns.query; content:"lord-varys.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026409; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/ipmi_bladestatus.php"; nocase; content:"SLOT="; nocase; pcre:"/SLOT\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011195; classtype:web-application-attack; sid:2011195; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lord-varys.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026410; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007559; classtype:web-application-attack; sid:2007559; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup)"; dns.query; content:"ososezo.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026442; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id SELECT"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005639; classtype:web-application-attack; sid:2005639; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026443; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005640; classtype:web-application-attack; sid:2005640; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup)"; dns.query; content:"cecilia-gilbert.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026444; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id INSERT"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005641; classtype:web-application-attack; sid:2005641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-gilbert.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026445; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id DELETE"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005642; classtype:web-application-attack; sid:2005642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup)"; dns.query; content:"harper-monty.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026446; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ASCII"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005643; classtype:web-application-attack; sid:2005643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"harper-monty.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026447; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005644; classtype:web-application-attack; sid:2005644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup)"; dns.query; content:"lyanna-stark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026448; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005645; classtype:web-application-attack; sid:2005645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lyanna-stark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026449; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005646; classtype:web-application-attack; sid:2005646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup)"; dns.query; content:"parrotchat.co"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026450; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005648; classtype:web-application-attack; sid:2005648; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"parrotchat.co"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026451; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005649; classtype:web-application-attack; sid:2005649; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup)"; dns.query; content:"cerseilannister.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026452; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005650; classtype:web-application-attack; sid:2005650; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"cerseilannister.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026453; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005651; classtype:web-application-attack; sid:2005651; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup)"; dns.query; content:"harrykane.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026454; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005652; classtype:web-application-attack; sid:2005652; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"harrykane.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026455; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005653; classtype:web-application-attack; sid:2005653; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup)"; dns.query; content:"mail-accout.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026456; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005654; classtype:web-application-attack; sid:2005654; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-accout.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026457; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005655; classtype:web-application-attack; sid:2005655; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup)"; dns.query; content:"pmi-pna.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026458; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005656; classtype:web-application-attack; sid:2005656; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pmi-pna.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026459; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id SELECT"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006862; classtype:web-application-attack; sid:2006862; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)"; dns.query; content:"chat-often.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026476; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006863; classtype:web-application-attack; sid:2006863; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"chat-often.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026477; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id INSERT"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006864; classtype:web-application-attack; sid:2006864; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in DNS Lookup)"; dns.query; content:"harvey-ross.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026478; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id DELETE"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006865; classtype:web-application-attack; sid:2006865; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"harvey-ross.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026479; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ASCII"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006866; classtype:web-application-attack; sid:2006866; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)"; dns.query; content:"mail-goog1e.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026480; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006867; classtype:web-application-attack; sid:2006867; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-goog1e.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026481; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid SELECT"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006868; classtype:web-application-attack; sid:2006868; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)"; dns.query; content:"pml-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026482; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UNION SELECT"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006869; classtype:web-application-attack; sid:2006869; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"pml-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026483; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid INSERT"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006870; classtype:web-application-attack; sid:2006870; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)"; dns.query; content:"christopher.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026484; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid DELETE"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006871; classtype:web-application-attack; sid:2006871; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"christopher.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026485; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ASCII"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006872; classtype:web-application-attack; sid:2006872; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/GPlayed (sub1 .tdsworker .ru in DNS Lookup)"; dns.query; content:"sub1.tdsworker.ru"; endswith; reference:url,blog.talosintelligence.com/2018/10/gplayerbanker.html; classtype:trojan-activity; sid:2026566; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_11_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GPlayed, signature_severity Critical, tag Android, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006873; classtype:web-application-attack; sid:2006873; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (areadozemode .space in DNS Lookup)"; dns.query; content:"areadozemode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026828; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_01_22, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Anubis, signature_severity Critical, tag Android, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid SELECT"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006874; classtype:web-application-attack; sid:2006874; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (selectnew25mode .space in DNS Lookup)"; dns.query; content:"selectnew25mode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026829; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UNION SELECT"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006875; classtype:web-application-attack; sid:2006875; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (twethujsnu .cc in DNS Lookup)"; dns.query; content:"twethujsnu.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026830; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid INSERT"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006876; classtype:web-application-attack; sid:2006876; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (project2anub .xyz in DNS Lookup)"; dns.query; content:"project2anub.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026831; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid DELETE"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006877; classtype:web-application-attack; sid:2006877; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (taiprotectsq .xyz in DNS Lookup)"; dns.query; content:"taiprotectsq.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026832; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ASCII"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006878; classtype:web-application-attack; sid:2006878; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (uwannaplaygame .space in DNS Lookup)"; dns.query; content:"uwannaplaygame.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026833; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006879; classtype:web-application-attack; sid:2006879; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (projectpredator .space in DNS Lookup)"; dns.query; content:"projectpredator.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026834; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010131; classtype:web-application-attack; sid:2010131; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (nihaobrazzzahit .top in DNS Lookup)"; dns.query; content:"nihaobrazzzahit.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026835; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004797; classtype:web-application-attack; sid:2004797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (aserogeege .space in DNS Lookup)"; dns.query; content:"aserogeege.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026836; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004798; classtype:web-application-attack; sid:2004798; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (hdfuckedin18 .top in DNS Lookup)"; dns.query; content:"hdfuckedin18.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026837; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004799; classtype:web-application-attack; sid:2004799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dingpsounda .space in DNS Lookup)"; dns.query; content:"dingpsounda.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026838; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004800; classtype:web-application-attack; sid:2004800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wantddantiprot .space in DNS Lookup)"; dns.query; content:"wantddantiprot.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026839; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004801; classtype:web-application-attack; sid:2004801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (privateanbshouse .space in DNS Lookup)"; dns.query; content:"privateanbshouse.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026840; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004802; classtype:web-application-attack; sid:2004802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (seconddoxed .space in DNS Lookup)"; dns.query; content:"seconddoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026841; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img SELECT"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006669; classtype:web-application-attack; sid:2006669; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (firstdoxed .space in DNS Lookup)"; dns.query; content:"firstdoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026842; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UNION SELECT"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006670; classtype:web-application-attack; sid:2006670; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (oauth3 .html5100 .com in DNS Lookup)"; dns.query; content:"oauth3.html5100.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026843; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img INSERT"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006671; classtype:web-application-attack; sid:2006671; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dosandiq .space in DNS Lookup)"; dns.query; content:"dosandiq.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026844; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img DELETE"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006672; classtype:web-application-attack; sid:2006672; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (protect4juls .space in DNS Lookup)"; dns.query; content:"protect4juls.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026845; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img ASCII"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006673; classtype:web-application-attack; sid:2006673; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wijariief .space in DNS Lookup)"; dns.query; content:"wijariief.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026846; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006674; classtype:web-application-attack; sid:2006674; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (scradm .in in DNS Lookup)"; dns.query; content:"scradm.in"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026847; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid SELECT"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006681; classtype:web-application-attack; sid:2006681; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; dns.query; content:"32player.com"; depth:12; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025903; rev:5; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UNION SELECT"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006682; classtype:web-application-attack; sid:2006682; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=justin.drinkeatgood.space"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027195; rev:3; metadata:affected_product Android, attack_target Client_and_Server, created_at 2019_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid INSERT"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006683; classtype:web-application-attack; sid:2006683; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)"; dns.query; content:"myservicessapps.com"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/pua-microsoft-store-porn-gambling; classtype:trojan-activity; sid:2027220; rev:4; metadata:attack_target Mobile_Client, created_at 2019_04_18, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid DELETE"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006684; classtype:web-application-attack; sid:2006684; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidsmedia .com in DNS Lookup)"; dns.query; content:"androidsmedia.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027490; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ASCII"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006685; classtype:web-application-attack; sid:2006685; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidssystem .com in DNS Lookup)"; dns.query; content:"androidssystem.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027491; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006686; classtype:web-application-attack; sid:2006686; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (secandroid .com in DNS Lookup)"; dns.query; content:"secandroid.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027492; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id SELECT"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006207; classtype:web-application-attack; sid:2006207; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediadownload .space in DNS Lookup)"; dns.query; content:"mediadownload.space"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027493; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006208; classtype:web-application-attack; sid:2006208; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediamobilereg .com in DNS Lookup)"; dns.query; content:"mediamobilereg.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027494; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id INSERT"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006209; classtype:web-application-attack; sid:2006209; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (sharpion .org in DNS Lookup)"; dns.query; content:"sharpion.org"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027495; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id DELETE"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006210; classtype:web-application-attack; sid:2006210; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (shileyfetwell .com in DNS Lookup)"; dns.query; content:"shileyfetwell.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027496; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ASCII"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006211; classtype:web-application-attack; sid:2006211; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .itraffic .click in DNS Lookup)"; dns.query; content:"purple.itraffic.click"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027804; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006212; classtype:web-application-attack; sid:2006212; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .m-ads .net in DNS Lookup)"; dns.query; content:"purple.m-ads.net"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027805; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jeajaxeventcalendar&"; nocase; content:"view="; nocase; reference:url,exploit-db.com/exploits/12598; reference:url,doc.emergingthreats.net/2011140; classtype:web-application-attack; sid:2011140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (drproxy .pro in DNS Lookup)"; dns.query; content:"drproxy.pro"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027806; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005342; classtype:web-application-attack; sid:2005342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; dns.query; content:"gongfu-android.com"; depth:18; endswith; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:command-and-control; sid:2013023; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005343; classtype:web-application-attack; sid:2005343; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; dns.query; content:"tinduongpho.com"; depth:15; fast_pattern; endswith; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005344; classtype:web-application-attack; sid:2005344; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; dns.query; content:"aps.kemoge.net"; depth:14; fast_pattern; nocase; endswith; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005345; classtype:web-application-attack; sid:2005345; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; dns.query; content:"tmdxiawceahpbhmb.com"; depth:20; nocase; endswith; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005346; classtype:web-application-attack; sid:2005346; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; dns.query; content:"info2t.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_10_24, deployment Perimeter, malware_family AndroRAT, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005347; classtype:web-application-attack; sid:2005347; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns.query; content:"rockybalboa.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005360; classtype:web-application-attack; sid:2005360; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"androidbak.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UNION SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005361; classtype:web-application-attack; sid:2005361; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"droidback.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user INSERT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005362; classtype:web-application-attack; sid:2005362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"endpointup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user DELETE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005363; classtype:web-application-attack; sid:2005363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"goodydaddy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ASCII"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005364; classtype:web-application-attack; sid:2005364; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; dns.query; content:"updatmaster.top"; depth:15; fast_pattern; endswith; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005365; classtype:web-application-attack; sid:2005365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; dns.query; content:"axclick.store"; depth:13; fast_pattern; endswith; nocase; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_WireX, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004152; classtype:web-application-attack; sid:2004152; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; dns.query; content:"b1k51.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004153; classtype:web-application-attack; sid:2004153; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; dns.query; content:"b1j3aas.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004154; classtype:web-application-attack; sid:2004154; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; dns.query; content:"wechaatt.gdn"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004155; classtype:web-application-attack; sid:2004155; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; dns.query; content:"10as05.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004156; classtype:web-application-attack; sid:2004156; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; dns.query; content:"ch0ck4.life"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004157; classtype:web-application-attack; sid:2004157; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; dns.query; content:"fatur1s.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004337; classtype:web-application-attack; sid:2004337; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; dns.query; content:"b5k31.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004338; classtype:web-application-attack; sid:2004338; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; dns.query; content:"erd0.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004339; classtype:web-application-attack; sid:2004339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; dns.query; content:"b1v2a5.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004340; classtype:web-application-attack; sid:2004340; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; dns.query; content:"b1502b.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004341; classtype:web-application-attack; sid:2004341; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; dns.query; content:"elsssee.gdn"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004342; classtype:web-application-attack; sid:2004342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; dns.query; content:"kvp41.life"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq SELECT"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004480; classtype:web-application-attack; sid:2004480; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; dns.query; content:"servertestapi.ltd"; depth:17; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq INSERT"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004482; classtype:web-application-attack; sid:2004482; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; dns.query; content:"taxii.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq DELETE"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004483; classtype:web-application-attack; sid:2004483; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; dns.query; content:"p0w3r.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ASCII"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004484; classtype:web-application-attack; sid:2004484; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; dns.query; content:"4r3a.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004485; classtype:web-application-attack; sid:2004485; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query Targeted Tibetan Android Malware C2 Domain"; dns.query; content:"android.uyghur.dnsd.me"; depth:22; nocase; fast_pattern; endswith; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:command-and-control; sid:2016711; rev:7; metadata:created_at 2013_04_04, former_category MOBILE_MALWARE, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID SELECT"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004486; classtype:web-application-attack; sid:2004486; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http.request_body; content:"{|22|device_id|22 3a 22|"; depth:14; fast_pattern; http.accept_lang; content:"zh-CN"; depth:5; endswith; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2022_05_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UNION SELECT"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004487; classtype:web-application-attack; sid:2004487; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; http.uri; content:"/upload/UploadFiles.aspx?askId="; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID INSERT"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004488; classtype:web-application-attack; sid:2004488; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; http.uri; content:"/send.php?a_id="; content:"&telno="; fast_pattern; content:"&m_addr="; http.user_agent; content:"Android"; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:command-and-control; sid:2014161; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID DELETE"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004489; classtype:web-application-attack; sid:2004489; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; http.uri; content:"/RegistUid.asp"; fast_pattern; nocase; content:"?pid="; nocase; content:"&cid="; nocase; content:"&imei="; nocase; content:"&sim="; nocase; content:"&imsi="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ASCII"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004490; classtype:web-application-attack; sid:2004490; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmark/getServiceCode?price="; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:5; metadata:created_at 2014_03_24, updated_at 2020_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004491; classtype:web-application-attack; sid:2004491; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; http.uri; content: "device_id="; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/Ri"; content:"&app_id="; pcre:"/^[a-f0-9]{30,35}&app_package_name=/Ri"; content: "screen_density="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006492; classtype:web-application-attack; sid:2006492; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/netsend/nmsm_json.jsp"; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:command-and-control; sid:2013694; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_09_24, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006493; classtype:web-application-attack; sid:2006493; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/youxi_up.php"; fast_pattern; http.request_body; content:"--*****|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|npki|22|"; depth:52; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:5; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006495; classtype:web-application-attack; sid:2006495; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/flash/api.php?id="; fast_pattern; pcre:"/^\/flash\/api\.php\?id=\d/"; http.request_body; content:"method="; depth:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006496; classtype:web-application-attack; sid:2006496; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/api33/api.php"; fast_pattern; http.request_body; content:"method="; depth:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006497; classtype:web-application-attack; sid:2006497; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.uri; content:"/1/?1"; fast_pattern; http.request_body; content:"{|22|n|22 3a 22|"; depth:6; content:"|22 2c 22|d|22 3a 22|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006498; classtype:web-application-attack; sid:2006498; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/message.php"; fast_pattern; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_28, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006499; classtype:web-application-attack; sid:2006499; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/report/install"; fast_pattern; http.request_body; content:"data="; depth:5; content:"os="; distance:0; content:"mac="; distance:0; content:"sign="; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:command-and-control; sid:2019125; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006500; classtype:web-application-attack; sid:2006500; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; http.uri; content:"/updatesrv.aspx?f=1"; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:4; metadata:attack_target Mobile_Client, created_at 2014_09_15, former_category MOBILE_MALWARE, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006502; classtype:web-application-attack; sid:2006502; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; http.uri; content:"/updatesrv.aspx?f=2&uuid="; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:4; metadata:attack_target Mobile_Client, created_at 2014_09_15, former_category MOBILE_MALWARE, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006503; classtype:web-application-attack; sid:2006503; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; http.uri; content:"/dmp/api/"; fast_pattern; pcre:"/\/dmp\/api\/[a-z]+$/"; http.header; content:"dmp."; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/mi"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019958; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt"; flow:established,to_server; http.uri; content:"/HtmlAdaptor"; nocase; content:"action=inspect"; nocase; content:"bean"; nocase; content:"name="; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011696; classtype:web-application-attack; sid:2011696; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE TransparentTribe AhMyth RAT Variant Activity (POST)"; flow:established,to_server; content:"|20|gzip|0d 0a 0d 0a|5d|0d 0a|--"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"U|3b 20|Android"; http.request_body; content:"form-data|3b 20|name=|22|imei|22 0d 0a|"; content:"form-data|3b 20|name=|22|image|22 3b 20|filename=|22|sm.csv|22 0d 0a|"; distance:0; reference:url,securelist.com/transparent-tribe-part-2/98233/; reference:md5,b8006e986453a6f25fd94db6b7114ac2; classtype:trojan-activity; sid:2030940; rev:1; metadata:attack_target Mobile_Client, created_at 2020_10_01, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004077; classtype:web-application-attack; sid:2004077; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; http.uri; content:"/pha?android_version="; fast_pattern; content:"&id="; content:"&phone_number="; content:"&client_version="; content:"&imei="; content:"&name="; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_06_01, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"UNION"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004078; classtype:web-application-attack; sid:2004078; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.2|29 20|"; startswith; http.request_body; content:"appid="; depth:6; content:"&model="; content:"&imei="; fast_pattern; content:"&connect="; content:"&dpi="; content:"&width="; content:"&cpu="; content:"&phoneno="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004079; classtype:web-application-attack; sid:2004079; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; http.uri; content:"/landing?c="; fast_pattern; content:"&g="; content:"&a="; content:"&s1="; content:"&s2="; content:"&s3="; content:"&s4="; content:"&s5="; content:"&s6="; content:"&s7="; content:"&s8="; content:"&s9="; content:"&s10="; content:"&s11="; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004080; classtype:web-application-attack; sid:2004080; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"uuid="; content:"language="; content:"appkey"; content:"model="; content:"operatorsname="; fast_pattern; content:"networkname="; content:"networktype="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004081; classtype:web-application-attack; sid:2004081; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/gac/"; fast_pattern; pcre:"/^\/gac\/[a-f0-9]{15}$/"; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a|"; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_08_13, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004082; classtype:web-application-attack; sid:2004082; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; http.uri; content:"/data.php?table="; fast_pattern; content:"&game="; pcre:"/&game=[a-f0-9]{40}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:4; metadata:attack_target Mobile_Client, created_at 2015_08_31, former_category MOBILE_MALWARE, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UNION SELECT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004667; classtype:web-application-attack; sid:2004667; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cert.php"; http.request_body; content:"id="; depth:3; content:"&cert="; content:"&priv="; fast_pattern; content:"&flag="; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:4; metadata:attack_target Mobile_Client, created_at 2015_08_31, former_category MOBILE_MALWARE, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids INSERT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004668; classtype:web-application-attack; sid:2004668; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; http.uri; content:".php?v="; content:"&brok="; fast_pattern; content:"&u="; content:"&id="; pcre:"/&id=\d{15}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_10_27, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids DELETE"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004669; classtype:web-application-attack; sid:2004669; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itms-services|3a|"; http.header; content:"bb800.com|0d 0a|"; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/m"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:5; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ASCII"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004670; classtype:web-application-attack; sid:2004670; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".plist"; pcre:"/\.plist$/"; http.header; content:"bb800.com|0d 0a|"; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/m"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:5; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004671; classtype:web-application-attack; sid:2004671; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/getInstalledPackages.jsp"; fast_pattern; http.request_body; content:"sdCardFree="; depth:11; content:"&imei="; distance:0; content:"&hasSd="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_10_08, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jetik.net ESA sayfalar.php KayitNo Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sayfalar.php?"; nocase; content:"KayitNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31352; reference:url,www.milw0rm.com/exploits/6549; reference:url,doc.emergingthreats.net/2009118; classtype:web-application-attack; sid:2009118; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; nocase; http.request_body; content:"{|22|type|22 3a|"; depth:8; content:",|22|text|22 3a|"; content:",|22|code|22 3a|"; fast_pattern; content:",|22|from|22 3a|"; content:"|22|}"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_11_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jetik.net ESA diger.php KayitNo Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/diger.php?"; nocase; content:"KayitNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31352; reference:url,www.milw0rm.com/exploits/6549; reference:url,doc.emergingthreats.net/2009119; classtype:web-application-attack; sid:2009119; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; flowbits:set,ET.And.CruseWin; flowbits:noalert; http.uri; content:"/flash/test.xml"; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:command-and-control; sid:2013193; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007344; classtype:web-application-attack; sid:2007344; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"co"; content:"untry="; content:"phone="; content:"&op="; content:"imei="; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017588; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007345; classtype:web-application-attack; sid:2007345; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/NotifyLog"; fast_pattern; pcre:"/\/NotifyLog$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|ClientId|22 3a|"; depth:12; content:",|22|Date|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007346; classtype:web-application-attack; sid:2007346; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; http.uri; content:"lm="; content:"/watch/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007347; classtype:web-application-attack; sid:2007347; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; http.uri; content:"lm="; content:"/find/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007348; classtype:web-application-attack; sid:2007348; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; http.uri; content:"lm="; content:"/results/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007349; classtype:web-application-attack; sid:2007349; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; http.uri; content:"lm="; content:"/open/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID SELECT"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007350; classtype:web-application-attack; sid:2007350; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; http.uri; content:"lm="; content:"/close/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UNION SELECT"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007351; classtype:web-application-attack; sid:2007351; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"&method="; fast_pattern; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:command-and-control; sid:2023933; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID INSERT"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007352; classtype:web-application-attack; sid:2007352; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/functions.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"apslst="; depth:7; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID DELETE"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007353; classtype:web-application-attack; sid:2007353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; http.uri; content:"/i_info_proxy.php?cmd="; fast_pattern; content:"&data="; http.uri.raw; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/"; http.header; content:"|3b 20|iPhone|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_09_15, deployment Perimeter, former_category MOBILE_MALWARE, updated_at 2020_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ASCII"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007354; classtype:web-application-attack; sid:2007354; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; http.uri; content:"/getTask.php?"; fast_pattern; nocase; content:"imei="; content:"balance="; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017587; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007355; classtype:web-application-attack; sid:2007355; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/adinfo?gi="; fast_pattern; content:"&bf="; http.header; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/m"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024172; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID SELECT"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007356; classtype:web-application-attack; sid:2007356; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/sdk_api.php?id="; fast_pattern; content:"&type="; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, tag Android, updated_at 2020_10_09, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UNION SELECT"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007357; classtype:web-application-attack; sid:2007357; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; http.uri; content:"/inj/injek-1.php?id="; fast_pattern; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:command-and-control; sid:2024426; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID INSERT"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007358; classtype:web-application-attack; sid:2007358; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"lm="; content:"/search/?"; fast_pattern; content:!"&clid="; content:!"&banerid="; content:!"&win="; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_09, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID DELETE"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007359; classtype:web-application-attack; sid:2007359; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=devicestatus"; fast_pattern; content:"&app_key="; offset:19; content:"&imei="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_18, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ASCII"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007360; classtype:web-application-attack; sid:2007360; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; http.uri; content:"/data.php?action="; nocase; content:"&online="; distance:0; content:"&m="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Dalvik/"; depth:7; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2013_02_05, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_14, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007361; classtype:web-application-attack; sid:2007361; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GMServer/GMServlet"; nocase; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/windetail.php?"; nocase; content:"adtype="; nocase; reference:bugtraq,34537; reference:url,milw0rm.com/exploits/8443; reference:url,doc.emergingthreats.net/2009508; classtype:web-application-attack; sid:2009508; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"backup.php"; http.header; content:"Content-Length|3a 20|"; depth:20; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; http.user_agent; content:"Apache-HttpClient"; depth:17; http.request_body; content:"type="; depth:5; fast_pattern; content:"data="; content:"hash="; reference:url,www.fortinet.com/blog/threat-research/android-bondpath--a-mature-spyware.html; classtype:trojan-activity; sid:2026039; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BondPath, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/detail.php?"; nocase; content:"adtype="; nocase; reference:bugtraq,34537; reference:url,milw0rm.com/exploits/8443; reference:url,doc.emergingthreats.net/2009509; classtype:web-application-attack; sid:2009509; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/security.jsp"; nocase; fast_pattern; http.request_body; content:"f0="; depth:3; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:command-and-control; sid:2013327; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JobHut browse.php pk Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/browse.php?"; nocase; content:"pk="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34300; reference:url,milw0rm.com/exploits/8318; reference:url,doc.emergingthreats.net/2009730; classtype:web-application-attack; sid:2009730; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/getLastVersion"; depth:15; http.header; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2017999; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004373; classtype:web-application-attack; sid:2004373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/send_sim_no.php"; fast_pattern; endswith; http.request_body; content:"_no="; depth:16; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017787; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004374; classtype:web-application-attack; sid:2004374; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"info"; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/"; http.request_line; content:"/get.php|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:10; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_04_18, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Hqwar, tag Android, updated_at 2020_11_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004375; classtype:web-application-attack; sid:2004375; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"type="; depth:5; content:"&version="; content:"&lid="; content:"&c="; content:"&i="; http.request_line; content:"/stat/locker|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:command-and-control; sid:2024123; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004376; classtype:web-application-attack; sid:2004376; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"|3b 20|Android|20|"; http.request_line; content:"/gt|20|HTTP/1."; fast_pattern; http.connection; content:"keep-alive"; depth:10; endswith; http.content_type; content:"application/json"; depth:16; endswith; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|"; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:command-and-control; sid:2024765; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_RedAlert, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004377; classtype:web-application-attack; sid:2004377; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/support.aspx"; endswith; http.header; content:"SessionId1|3a 20|"; content:"SessionId2|3a 20|"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024171; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004378; classtype:web-application-attack; sid:2004378; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.2access.xyz"; nocase; bsize:15; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030023; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005292; classtype:web-application-attack; sid:2005292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.nsogroup.com"; nocase; bsize:16; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030024; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005293; classtype:web-application-attack; sid:2005293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.qtechnologies.com"; nocase; bsize:21; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030025; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005294; classtype:web-application-attack; sid:2005294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"oldgoldcities.com"; nocase; bsize:17; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030026; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005295; classtype:web-application-attack; sid:2005295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"mine.remaariegarcia.com"; nocase; bsize:23; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030089; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005296; classtype:web-application-attack; sid:2005296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"egg.stralisemariegar.com"; nocase; bsize:24; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030090; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005297; classtype:web-application-attack; sid:2005297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"api.anaehler.com"; nocase; bsize:16; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030091; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005298; classtype:web-application-attack; sid:2005298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (urlpush .net)"; dns.query; content:".urlpush.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030379; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005299; classtype:web-application-attack; sid:2005299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (free247downloads .com)"; dns.query; content:"free247downloads.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030380; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005300; classtype:web-application-attack; sid:2005300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com)"; dns.query; content:"chretiendaujoudhui.com"; nocase; bsize:22; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005301; classtype:web-application-attack; sid:2005301; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com)"; dns.query; content:"leprotestant.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030639; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005302; classtype:web-application-attack; sid:2005302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com)"; dns.query; content:"vie-en-islam.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030640; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005303; classtype:web-application-attack; sid:2005303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org)"; dns.query; content:"viedechretien.org"; nocase; bsize:17; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030641; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005390; classtype:web-application-attack; sid:2005390; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; http.uri; content:"/kspp/do?imei="; fast_pattern; content:"&wid="; content:"&type="; content:"&step="; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; classtype:trojan-activity; sid:2016318; rev:9; metadata:affected_product Android, attack_target Mobile_Client, created_at 2012_12_12, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005391; classtype:web-application-attack; sid:2005391; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern; pcre:"/^\{\x22(?:os|type)\x22\x3a/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_12_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_05_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005802; classtype:web-application-attack; sid:2005802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)"; dns.query; content:"tryanotherhorse.com"; endswith; reference:md5,cf71ba878434605a3506203829c63b9d; classtype:domain-c2; sid:2030822; rev:3; metadata:attack_target Mobile_Client, created_at 2020_09_02, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ahmyth, signature_severity Critical, tag Android, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005392; classtype:web-application-attack; sid:2005392; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (wherisdomaintv .com in DNS Lookup)"; dns_query; content:"wherisdomaintv.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031309; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005394; classtype:web-application-attack; sid:2005394; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (whoisdomainpc .com in DNS Lookup)"; dns_query; content:"whoisdomainpc.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031310; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005395; classtype:web-application-attack; sid:2005395; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (fullplayersoftware .com in DNS Lookup)"; dns_query; content:"fullplayersoftware.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031311; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005396; classtype:web-application-attack; sid:2005396; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (softwareplayertop .com in DNS Lookup)"; dns_query; content:"softwareplayertop.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031312; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005397; classtype:web-application-attack; sid:2005397; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com)"; flow:established,to_server; tls.sni; dotprefix; content:".img565vv6.holdmydoor.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/; classtype:domain-c2; sid:2031439; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005398; classtype:web-application-attack; sid:2005398; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net)"; flow:established,to_server; tls.sni; dotprefix; content:".crashparadox.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031440; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005399; classtype:web-application-attack; sid:2005399; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net)"; flow:established,to_server; tls.sni; dotprefix; content:".f15fwd322.regularhours.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031441; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005400; classtype:web-application-attack; sid:2005400; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (bananakick .net)"; flow:established,to_server; tls.sni; content:"bananakick.net"; bsize:14; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031442; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005401; classtype:web-application-attack; sid:2005401; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (stilloak .net)"; flow:established,to_server; tls.sni; content:"stilloak.net"; bsize:12; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031443; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005402; classtype:web-application-attack; sid:2005402; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (flowersarrows .com)"; flow:established,to_server; tls.sni; content:"flowersarrows.com"; bsize:17; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031444; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005403; classtype:web-application-attack; sid:2005403; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (bald-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"bald-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005404; classtype:web-application-attack; sid:2005404; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (hawkshaw-cae48 .firebaseio .com in DNS Lookup)"; dns_query; content:"hawkshaw-cae48.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031510; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005405; classtype:web-application-attack; sid:2005405; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (spitfirepanel .firebaseio .com in DNS Lookup)"; dns_query; content:"spitfirepanel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031511; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005406; classtype:web-application-attack; sid:2005406; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (phoenix-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"phoenix-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031512; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005407; classtype:web-application-attack; sid:2005407; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ITW Android Post-Exploit Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api2/v9/pass"; bsize:13; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; reference:url,googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html; classtype:command-and-control; sid:2031525; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005408; classtype:web-application-attack; sid:2005408; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android GolfSpy (services4me .net in TLS SNI)"; flow:established,to_server; tls_sni; content:"services4me.net"; isdataat:!1,relative; nocase; reference:md5,a762768c582064880a29934c81e24ba2; classtype:command-and-control; sid:2032270; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_03_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_03_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005409; classtype:web-application-attack; sid:2005409; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Phenakite User-Agent"; flow:established,to_server; http.user_agent; content:"app/4.7|20 28|iPhone|3b 20|iOS 12.4.5|3b 20|Scale/2.00|29|"; bsize:40; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032808; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Phenakite, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005410; classtype:web-application-attack; sid:2005410; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Phenakite Audio Upload CnC"; flow:established,to_server; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|deviceName|22 3a 22|"; fast_pattern; content:"|22|name|22 3a|"; content:"|22|audio|22 3a 22|"; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032809; rev:2; metadata:attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005411; classtype:web-application-attack; sid:2005411; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Phenakite Image Upload CnC activity"; flow:established,to_server; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|img_name|22 3a 22|"; fast_pattern; content:"|22|img|22 3a 22|"; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032810; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, malware_family Phenakite, signature_severity Major, updated_at 2021_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005412; classtype:web-application-attack; sid:2005412; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .firebaseio .com in DNS Lookup)"; dns_query; content:"dash-chat-c02b3.firebaseio.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2032830; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005413; classtype:web-application-attack; sid:2005413; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .appspot .com in DNS Lookup)"; dns_query; content:"dash-chat-c02b3.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032831; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005414; classtype:web-application-attack; sid:2005414; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .firebaseio .com in DNS Lookup)"; dns_query; content:"hidden-chat-e58d7.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032832; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005415; classtype:web-application-attack; sid:2005415; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .appspot .com in DNS Lookup)"; dns_query; content:"hidden-chat-e58d7.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032833; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005416; classtype:web-application-attack; sid:2005416; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (calculator-1e016 .firebaseio .com in DNS Lookup)"; dns_query; content:"calculator-1e016.firebaseio.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2032834; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005417; classtype:web-application-attack; sid:2005417; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (calculator-1e016 .appspot .com in DNS Lookup)"; dns_query; content:"calculator-1e016.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032835; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005418; classtype:web-application-attack; sid:2005418; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .firebaseio .com in DNS Lookup)"; dns_query; content:"samehnew-10a7c.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032836; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005419; classtype:web-application-attack; sid:2005419; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .appspot .com in DNS Lookup)"; dns_query; content:"samehnew-10a7c.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032837; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005420; classtype:web-application-attack; sid:2005420; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (play-store-51182 .firebaseio .com in DNS Lookup)"; dns_query; content:"play-store-51182.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032838; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005421; classtype:web-application-attack; sid:2005421; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (play-store-51182 .appspot .com in DNS Lookup)"; dns_query; content:"play-store-51182.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032839; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005422; classtype:web-application-attack; sid:2005422; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .firebaseio .com in DNS Lookup)"; dns_query; content:"stand-by-97c5c.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032840; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005423; classtype:web-application-attack; sid:2005423; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .appspot .com in DNS Lookup)"; dns_query; content:"stand-by-97c5c.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032841; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005424; classtype:web-application-attack; sid:2005424; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (es-last-telegram .firebaseio .com in DNS Lookup)"; dns_query; content:"es-last-telegram.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032842; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005425; classtype:web-application-attack; sid:2005425; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (es-last-telegram .appspot .com in DNS Lookup)"; dns_query; content:"es-last-telegram.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032843; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005426; classtype:web-application-attack; sid:2005426; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (margarita-smith .host in DNS Lookup)"; dns_query; content:"margarita-smith.host"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032844; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005427; classtype:web-application-attack; sid:2005427; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasibauik .co in DNS Lookup)"; dns_query; content:"fasibauik.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032845; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005428; classtype:web-application-attack; sid:2005428; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcak .co in DNS Lookup)"; dns_query; content:"fasebcak.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032846; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005429; classtype:web-application-attack; sid:2005429; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcck .com in DNS Lookup)"; dns_query; content:"fasebcck.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032847; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005430; classtype:web-application-attack; sid:2005430; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcoki .com in DNS Lookup)"; dns_query; content:"fasebcoki.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032848; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005431; classtype:web-application-attack; sid:2005431; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcak .com in DNS Lookup)"; dns_query; content:"fasebcak.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032849; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005432; classtype:web-application-attack; sid:2005432; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasbcaok .com in DNS Lookup)"; dns_query; content:"fasbcaok.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032850; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005433; classtype:web-application-attack; sid:2005433; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaak .com in DNS Lookup)"; dns_query; content:"fasebaak.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032851; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005434; classtype:web-application-attack; sid:2005434; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaok .co in DNS Lookup)"; dns_query; content:"fasebaok.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032852; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005435; classtype:web-application-attack; sid:2005435; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaook .com in DNS Lookup)"; dns_query; content:"fasebaook.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032853; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005436; classtype:web-application-attack; sid:2005436; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaok .com in DNS Lookup)"; dns_query; content:"fasebaok.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032854; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005437; classtype:web-application-attack; sid:2005437; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (log-yoahao .co in DNS Lookup)"; dns_query; content:"log-yoahao.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032855; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (log-yoheo .info in DNS Lookup)"; dns_query; content:"log-yoheo.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032856; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005439; classtype:web-application-attack; sid:2005439; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (kevin-good .top in DNS Lookup)"; dns_query; content:"kevin-good.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032857; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005440; classtype:web-application-attack; sid:2005440; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (marty-colvard .top in DNS Lookup)"; dns_query; content:"marty-colvard.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032858; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005441; classtype:web-application-attack; sid:2005441; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (anna-sanchez .online in DNS Lookup)"; dns_query; content:"anna-sanchez.online"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032859; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005442; classtype:web-application-attack; sid:2005442; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (wendy-johnston .pw in DNS Lookup)"; dns_query; content:"wendy-johnston.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032860; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005443; classtype:web-application-attack; sid:2005443; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (jennifer-marler .pw in DNS Lookup)"; dns_query; content:"jennifer-marler.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032861; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005444; classtype:web-application-attack; sid:2005444; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (goerge-amper .website in DNS Lookup)"; dns_query; content:"goerge-amper.website"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032862; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005445; classtype:web-application-attack; sid:2005445; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stacks-zadar .website in DNS Lookup)"; dns_query; content:"stacks-zadar.website"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032863; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005446; classtype:web-application-attack; sid:2005446; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (joe-rumley .pw in DNS Lookup)"; dns_query; content:"joe-rumley.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032864; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005447; classtype:web-application-attack; sid:2005447; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (richardbeman .info in DNS Lookup)"; dns_query; content:"richardbeman.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032865; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005448; classtype:web-application-attack; sid:2005448; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (vickeryduncan .site in DNS Lookup)"; dns_query; content:"vickeryduncan.site"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032866; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005449; classtype:web-application-attack; sid:2005449; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (moggfelicio .info in DNS Lookup)"; dns_query; content:"moggfelicio.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032867; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005450; classtype:web-application-attack; sid:2005450; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stevensmalley .pro in DNS Lookup)"; dns_query; content:"stevensmalley.pro"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032868; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005451; classtype:web-application-attack; sid:2005451; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (kentporter .site in DNS Lookup)"; dns_query; content:"kentporter.site"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032869; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005452; classtype:web-application-attack; sid:2005452; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (chad-jessie .info in DNS Lookup)"; dns_query; content:"chad-jessie.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032870; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005453; classtype:web-application-attack; sid:2005453; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (lordblackwood .club in DNS Lookup)"; dns_query; content:"lordblackwood.club"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032871; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005454; classtype:web-application-attack; sid:2005454; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (julie-parker .top in DNS Lookup)"; dns_query; content:"julie-parker.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032872; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005455; classtype:web-application-attack; sid:2005455; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (tim-jordan .info in DNS Lookup)"; dns_query; content:"tim-jordan.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032873; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index2.php?option=ds-syndicate"; nocase; content:"version=1"; nocase; content:"feed_id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.secunia.com/advisories/32321; reference:url,www.exploit-db.com/exploits/6792/; reference:url,doc.emergingthreats.net/2008685; classtype:web-application-attack; sid:2008685; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hannah-parsons .info in DNS Lookup)"; dns_query; content:"hannah-parsons.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032874; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/admin.rssreader.php?"; nocase; content:"mosConfig_live_site="; nocase; pcre:"/mosConfig_live_site=\s*(https?|ftps?|php)\:\//i"; reference:url,vupen.com/english/advisories/2008/3119; reference:bugtraq,32265; reference:url,www.exploit-db.com/exploits/7096/; reference:url,doc.emergingthreats.net/2009369; classtype:web-application-attack; sid:2009369; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 2"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll2.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2032971; rev:2; metadata:created_at 2021_05_18, former_category MOBILE_MALWARE, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- php5x.php"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/joomla/utilities/compat/php50x.php"; nocase; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009778; classtype:attempted-recon; sid:2009778; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; reference:url,twitter.com/bl4ckh0l3z/status/1340960422485213184; reference:md5,43f75535144f3315e402a0aa5f181e7d; classtype:trojan-activity; sid:2031445; rev:2; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- ldap.php"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/joomla/client/ldap.php"; nocase; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009779; classtype:attempted-recon; sid:2009779; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 3"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/p.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2033003; rev:2; metadata:created_at 2021_05_20, former_category MOBILE_MALWARE, updated_at 2021_05_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- content.php"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/joomla/html/html/content.php"; nocase; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009780; classtype:attempted-recon; sid:2009780; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; fast_pattern; content:"&p1="; distance:1; within:4; content:"&p2="; distance:16; within:4; pcre:"/\.php\?m=[abcdefgh]&p1=[a-f0-9]{16}&p2=[^\r\n]+$/"; http.user_agent; content:"Android"; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; reference:url,blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor; reference:md5,4626ed60dfc8deaf75477bc06bd39be7; classtype:trojan-activity; sid:2033059; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_06_01, deployment Perimeter, former_category MOBILE_MALWARE, updated_at 2021_06_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_artportal&portalid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009834; classtype:web-application-attack; sid:2009834; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE PJobRat System Exfil to CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"|7b 22|network|22 3a 22|"; content:"|22 2c 22|type|22 3a 22 5b|"; content:"|22 2c 22|info|22 3a 22|"; content:"|22 2c 22|ipaddr|22 3a 22|"; content:"|22 2c 22|bandwidth|22 3a 22|"; content:"|22 2c 22|downspeed|22 3a 22|"; content:"|22 2c 22|upspeed|22 3a 22|"; content:"|22 2c 22|rip|22 3a 22|"; content:"|22 2c 22|manufacture|22 3a 22|"; content:"|22 2c 22|imei|22 3a 22|"; content:"|22 2c 22|pnumber|22 3a 22|"; content:"|22 2c 22|location|22 3a 22 5b 7b 5c 22|latitude|5c 22 3a 5c 22|"; fast_pattern; content:"|22 2c 22|appname|22 3a 22|"; reference:url,labs.k7computing.com/?p=22537; classtype:command-and-control; sid:2033319; rev:1; metadata:affected_product Android, created_at 2021_07_13, former_category MOBILE_MALWARE, updated_at 2021_07_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_artportal&portalid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009835; classtype:web-application-attack; sid:2009835; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE PJobRat CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b|name|3d 22|"; content:"|3b|filename|3d 22|"; content:"|5b 7b 22|cid|22 3a|"; content:"displayName"; content:"phoneNumber|22 3a 22 2b|"; fast_pattern; content:"file|0d 0a 2d 2d 2d 2d 2d 2d|"; content:"contacts|0d 0a 2d 2d 2d 2d 2d 2d|"; http.uri; content:".php"; endswith; reference:url,labs.k7computing.com/?p=22537; classtype:command-and-control; sid:2033320; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_07_13, former_category MOBILE_MALWARE, updated_at 2021_07_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_artportal&portalid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009836; classtype:web-application-attack; sid:2009836; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/pop2.html?key="; fast_pattern; content:"&n="; distance:0; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033357; rev:1; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection"; flow:to_server,established; http.uri; content:"/index.php?option=com_joomlub&controller=auction&view=auction&task=edit&aid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9593/; reference:url,doc.emergingthreats.net/2009881; classtype:web-application-attack; sid:2009881; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS CnC Domain in DNS Lookup (opposedarrangement .net)"; dns.query; content:".opposedarrangement.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:domain-c2; sid:2033358; rev:2; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009913; classtype:web-application-attack; sid:2009913; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/megalodon?m="; fast_pattern; content:"&v="; distance:0; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033359; rev:2; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009914; classtype:web-application-attack; sid:2009914; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Gatekeeper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/wizard/01-00000000"; fast_pattern; endswith; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033360; rev:1; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009915; classtype:web-application-attack; sid:2009915; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=schemics.club"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033369; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009916; classtype:web-application-attack; sid:2009916; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=omeoneha.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033370; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009917; classtype:web-application-attack; sid:2009917; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fceptthis.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033371; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009919; classtype:web-application-attack; sid:2009919; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=oftongueid.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033372; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009920; classtype:web-application-attack; sid:2009920; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=honeiwillre.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033373; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009921; classtype:web-application-attack; sid:2009921; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=eaconhop.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033374; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009924; classtype:web-application-attack; sid:2009924; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ssedonthep.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033375; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009922; classtype:web-application-attack; sid:2009922; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fjobiwouldli.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033376; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?option=com_album&"; nocase; content:"Itemid=128&"; nocase; content:"target="; nocase; reference:url,www.securityfocus.com/bid/36441/info; reference:url,www.exploit-db.com/exploits/9706/; reference:url,doc.emergingthreats.net/2009929; classtype:web-application-attack; sid:2009929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=offeranda.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033377; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/com_koesubmit/koesubmit.php?"; nocase; content:"="; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36447/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009933; classtype:web-application-attack; sid:2009933; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (quantumbots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"quantumbots.xyz"; bsize:15; fast_pattern; reference:md5,daba8377d281c48c1c91e2fa7f703511; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033672; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_moofaq/includes/file_includer.php?"; nocase; content:"file="; nocase; reference:bugtraq,35259; reference:url,www.exploit-db.com/exploits/8898/; reference:url,doc.emergingthreats.net/2009934; classtype:web-application-attack; sid:2009934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (marcobrando .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"marcobrando.xyz"; bsize:15; fast_pattern; reference:md5,eaf0524ba3214b35a068465664963654; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033673; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009938; classtype:web-application-attack; sid:2009938; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (montanatony .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"montanatony.xyz"; bsize:15; fast_pattern; reference:md5,0d1df5c35c3c43e1b8bb7daec2495c06; reference:md5,f73ebc6f645926bf8566220b14173df8; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033674; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009939; classtype:web-application-attack; sid:2009939; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (smoothcbots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"smoothcbots.xyz"; bsize:15; fast_pattern; reference:md5,8daf9ba69c0dcf9224fd1e4006c9dad3; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033675; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009940; classtype:web-application-attack; sid:2009940; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (omegabots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"omegabots.xyz"; bsize:13; fast_pattern; reference:md5,de51b859f41b6a9138285cf26a1fad84; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033676; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009941; classtype:web-application-attack; sid:2009941; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (gogleadser .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogleadser.xyz"; bsize:14; fast_pattern; reference:md5,205861bca8f26430981f9762a50eab3a; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033677; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009942; classtype:web-application-attack; sid:2009942; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (callbinary .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"callbinary.xyz"; bsize:14; fast_pattern; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033678; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009943; classtype:web-application-attack; sid:2009943; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Oscorp/UBEL Activity"; flow:established,to_server; http.uri; content:"/api/app/device/"; startswith; fast_pattern; http.user_agent; content:"|3b 20|Android|3b 20|"; http.host; content:".xyz"; endswith; http.header_names; content:!"Referer"; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:trojan-activity; sid:2033679; rev:2; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009944; classtype:web-application-attack; sid:2009944; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"sk="; startswith; fast_pattern; content:"&cs="; distance:0; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033686; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009945; classtype:web-application-attack; sid:2009945; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M2"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"gs="; startswith; content:"&sk="; distance:0; fast_pattern; content:"&di="; distance:0; content:"&t="; distance:0; content:"&st="; distance:0; content:"&dt="; distance:0; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033687; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009946; classtype:web-application-attack; sid:2009946; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M3"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"s="; startswith; content:"&gfu="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033688; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009947; classtype:web-application-attack; sid:2009947; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M4"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"s="; startswith; content:"&gd="; distance:0; content:"&v=5"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033689; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009956; classtype:web-application-attack; sid:2009956; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Vultr Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/grpc.Rpc/Registration"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"grpc-java-okhttp/"; http.header_names; content:!"Referer|3a 20|"; reference:url,www.threatfabric.com/blogs/vultur-v-for-vnc.html; classtype:command-and-control; sid:2033730; rev:2; metadata:attack_target Mobile_Client, created_at 2021_08_13, former_category MOBILE_MALWARE, updated_at 2021_08_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009957; classtype:web-application-attack; sid:2009957; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FlyTrap Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/cookies"; bsize:12; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"app=FBManager&type=cookie&account="; startswith; content:"&cookies="; distance:0; content:"&deleted="; http.header_names; content:!"Referer"; reference:url,blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/; classtype:trojan-activity; sid:2033767; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_23, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009958; classtype:web-application-attack; sid:2009958; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.update&botid="; startswith; fast_pattern; content:"&param="; distance:0; content:"&value="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033940; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009959; classtype:web-application-attack; sid:2009959; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (number update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=number.update&botid="; startswith; fast_pattern; content:"&phoneNumber="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033941; rev:2; metadata:created_at 2021_09_14, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009960; classtype:web-application-attack; sid:2009960; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (session cookie delete)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=command.delete&id="; startswith; fast_pattern; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033942; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009961; classtype:web-application-attack; sid:2009961; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot registration)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.new&botid="; startswith; fast_pattern; content:"&botip="; distance:0; content:"&sdkVersion="; distance:0; content:"&deviceModel="; distance:0; content:"&typeConnection="; distance:0; content:"&battery="; distance:0; content:"&access="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,03f51334546586d0b56ee81d3df9fd7a; classtype:trojan-activity; sid:2033943; rev:1; metadata:created_at 2021_09_14, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009962; classtype:web-application-attack; sid:2009962; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (log post)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/logpost.php"; bsize:12; fast_pattern; http.request_body; content:"botid="; startswith; content:"&text="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,03f51334546586d0b56ee81d3df9fd7a; classtype:trojan-activity; sid:2033944; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009963; classtype:web-application-attack; sid:2009963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.BEH Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport="; distance:0; content:"&manf="; distance:0; content:"&sid="; distance:0; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"contactsList"; content:"phoneNo"; distance:0; http.header_names; content:!"Referer"; reference:md5,72670e5480849637e86e0daeddbdb43b; reference:url,twitter.com/malwrhunterteam/status/1437787922816806914; classtype:trojan-activity; sid:2033946; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009964; classtype:web-application-attack; sid:2009964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed APT-C-23 Related Domain (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"linda-gaytan.website"; bsize:20; fast_pattern; reference:md5,af0e580b67938afaeb783b72cf2a1c61; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; classtype:domain-c2; sid:2033978; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009965; classtype:web-application-attack; sid:2009965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (linda-gaytan .website)"; dns.query; content:"linda-gaytan.website"; nocase; bsize:20; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east; reference:md5,af0e580b67938afaeb783b72cf2a1c61; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; classtype:domain-c2; sid:2033979; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010014; classtype:web-application-attack; sid:2010014; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (javan-demsky .website)"; dns.query; content:"javan-demsky.website"; nocase; bsize:20; reference:md5,dd4596cf68c85eb135f7e0ad763e5dab; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/; classtype:domain-c2; sid:2033980; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010015; classtype:web-application-attack; sid:2010015; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (google-play .serveftp .com)"; dns.query; content:"google-play.serveftp.com"; nocase; bsize:24; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:targeted-activity; sid:2034349; rev:1; metadata:attack_target Mobile_Client, created_at 2021_11_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010016; classtype:web-application-attack; sid:2010016; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; fast_pattern; content:"&p1="; distance:1; within:4; pcre:"/\.php\?m=[abcdefgh]&p1=[a-f0-9]{16}$/"; http.user_agent; content:"Android"; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; reference:url,twitter.com/AhnLab_SecuInfo/status/1460101266760089600; reference:md5,e7caf25de7ce463a6f22ecb8689389ad; classtype:trojan-activity; sid:2034512; rev:1; metadata:attack_target Mobile_Client, created_at 2021_11_18, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Kimsuky, updated_at 2022_04_18, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010017; classtype:web-application-attack; sid:2010017; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup)"; dns_query; content:"dhjhzmy0nnbvakjjoux"; isdataat:!1,relative; reference:md5,f7dfd4eb1b1c6ba338d56761b3975618; classtype:domain-c2; sid:2034514; rev:2; metadata:created_at 2021_11_18, former_category MOBILE_MALWARE, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010040; classtype:web-application-attack; sid:2010040; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup) 2"; dns_query; content:"sharkedtest1.xyz"; isdataat:!1,relative; reference:md5,f7dfd4eb1b1c6ba338d56761b3975618; classtype:trojan-activity; sid:2034515; rev:2; metadata:created_at 2021_11_18, updated_at 2021_11_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010041; classtype:web-application-attack; sid:2010041; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Anatsa Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/update"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"|3b 20|Android|20|"; http.header_names; content:!"Referer|3a 20|"; http.request_body; content:"{|22|hwid|22 3a|"; depth:8; content:",|22|phone_name|22 3a|"; content:",|22|update_installed|22 3a|"; reference:md5,4a01cad9af92247b828478d5e1b3e00d; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034591; rev:2; metadata:attack_target Mobile_Client, created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010042; classtype:web-application-attack; sid:2010042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in DNS Lookup)"; dns_query; content:"protectionguardapp.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034592; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010043; classtype:web-application-attack; sid:2010043; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"protectionguardapp.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034593; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010044; classtype:web-application-attack; sid:2010044; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in DNS Lookup)"; dns_query; content:"readyqrscanner.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034594; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010045; classtype:web-application-attack; sid:2010045; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"readyqrscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034595; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010046; classtype:web-application-attack; sid:2010046; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in DNS Lookup)"; dns_query; content:"flowdivison.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034596; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010047; classtype:web-application-attack; sid:2010047; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"flowdivison.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034597; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010048; classtype:web-application-attack; sid:2010048; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in DNS Lookup)"; dns_query; content:"multifuctionscanner.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034598; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/components/com_ajaxchat/tests/ajcuser.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/59056; reference:url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt; reference:url,doc.emergingthreats.net/2010260; classtype:web-application-attack; sid:2010260; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in DNS Lookup)"; dns_query; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034599; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010349; classtype:web-application-attack; sid:2010349; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"multifuctionscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034600; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010350; classtype:web-application-attack; sid:2010350; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; nocase; classtype:command-and-control; sid:2034601; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010351; classtype:web-application-attack; sid:2010351; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup"; dns.query; content:"s22231232fdnsjds.top"; nocase; bsize:20; reference:url,cert-pl.translate.goog/posts/2021/12/aktywacja-aplikacji-iko/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=op; classtype:domain-c2; sid:2034910; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010352; classtype:web-application-attack; sid:2010352; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FluBot Trojan Sending Information (POST)"; flow:established,to_server; http.request_line; content:"POST /p.php HTTP/1.1"; fast_pattern; http.user_agent; content:"Dalvik/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-z]{15}\.(?:ru|su|cn)$/"; reference:md5,a65d00f3688dc02e2544e02eb57a06c1; reference:url,www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond; classtype:trojan-activity; sid:2034913; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010353; classtype:web-application-attack; sid:2010353; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE AndroidOS/Basbanke.A Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /rdc?method="; fast_pattern; startswith; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,220ec1e3effb6f4a4a3acb6b3b3d2e90; reference:url,www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account; classtype:trojan-activity; sid:2034965; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_25, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_ezine/class/php/d4m_ajax_pagenav.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,37043; reference:url,doc.emergingthreats.net/2010474; classtype:web-application-attack; sid:2010474; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup)"; dns_query; content:"xireycicin.xyz"; isdataat:!1,relative; reference:md5,c9ddaa4d670c262bf2621b8299ccf84e; classtype:domain-c2; sid:2035430; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010476; classtype:web-application-attack; sid:2010476; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.BankBot.11270 (TLS SNI)"; flow:established,to_server; tls_sni; content:"xireycicin.xyz"; isdataat:!1,relative; nocase; reference:md5,c9ddaa4d670c262bf2621b8299ccf84e; classtype:domain-c2; sid:2035431; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010477; classtype:web-application-attack; sid:2010477; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.GWO Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"okhttp/"; http.header_names; content:!"Referer|3a 20|"; http.request_body; content:"{|22|logType|22 3a|"; depth:11; content:",|22|msg|22 3a 22|{|5c 22|auth|5c 22 3a|"; fast_pattern; content:"|5c 22|appVersionName|5c 22|"; reference:md5,dcfa846ca56e14e720d4a743ac5c9f0f; classtype:command-and-control; sid:2035432; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010478; classtype:web-application-attack; sid:2010478; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/SharkBot Related Domain in DNS Lookup"; dns.query; content:"statscodicefiscale.xyz"; nocase; bsize:22; reference:md5,1f32aa3ad68eac774cfcaeb0cd84de4d; reference:md5,acaed4c74eb9f0c85c603d4077a95697; reference:url,research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/; classtype:domain-c2; sid:2035439; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010479; classtype:web-application-attack; sid:2010479; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (DNS Lookup)"; dns_query; content:"panel.anuka1.a2hosted.com"; isdataat:!1,relative; reference:md5,2f8f1f7565872f8cbce615f5dbe03d7d; classtype:domain-c2; sid:2035433; rev:2; metadata:created_at 2022_03_11, former_category MOBILE_MALWARE, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010480; classtype:web-application-attack; sid:2010480; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (TLS SNI)"; flow:established,to_server; tls_sni; content:"panel.anuka1.a2hosted.com"; isdataat:!1,relative; nocase; reference:md5,451d41b60db0fc16f16c8cef92a8a97d; classtype:command-and-control; sid:2035434; rev:2; metadata:created_at 2022_03_11, former_category MOBILE_MALWARE, updated_at 2022_03_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla MyRemote Video Gallery (user_id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"user_id="; content:"option=com_mytube"; nocase; content:"index.php?"; nocase; pcre:"/user_id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,milw0rm.org/exploits/9733; reference:url,doc.emergingthreats.net/2010528; classtype:web-application-attack; sid:2010528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/SGCommand.aspx?sgcommand="; fast_pattern; content:"&uid="; distance:0; content:"&sid="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; http.user_agent; content:"|20|Android|20|"; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_11_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_03_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla component com_jinc (newsid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"option=com_jinc"; nocase; content:"newsid="; nocase; content:"index.php?"; nocase; pcre:"/newsid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,milw0rm.org/exploits/9732; reference:url,doc.emergingthreats.net/2010529; classtype:web-application-attack; sid:2010529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE Android.Trojan.AndroRAT.CE Checkin"; flow:to_server,established; content:"info=user"; depth:20; content:"simCountryCode="; distance:0; fast_pattern; content:"posnetwork="; distance:0; content:"recMic="; distance:0; content:"callMoniter="; distance:0; content:"callWhere="; distance:0; reference:md5,5cffec9d80acd836e945e410061363ca; classtype:command-and-control; sid:2035483; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component City Portal (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/city_portal/index.php?"; nocase; content:"Itemid="; nocase; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010535; classtype:web-application-attack; sid:2010535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup)"; dns_query; content:"dostkafa.tk"; isdataat:!1,relative; reference:md5,5ea8d0f4f87b76dd1c7b6c2a34ece434; classtype:domain-c2; sid:2035484; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Event Manager 1.5 (id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/eventmanager/index.php?"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010536; classtype:web-application-attack; sid:2010536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI)"; flow:established,to_server; tls_sni; content:"dostkafa.tk"; isdataat:!1,relative; nocase; reference:md5,5ea8d0f4f87b76dd1c7b6c2a34ece434; classtype:command-and-control; sid:2035485; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_zcalendar (eid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_zcalendar"; nocase; content:"eid="; nocase; pcre:"/(\?|&)eid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010537; classtype:web-application-attack; sid:2010537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 2"; dns_query; content:"hamta-fan-ir.gq"; isdataat:!1,relative; reference:md5,5dab8a38324deadd7a9738a6c59b69da; classtype:command-and-control; sid:2035486; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_acmis (Itemid) SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_acmisc"; nocase; content:"Itemid="; nocase; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010538; classtype:web-application-attack; sid:2010538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"hamta-fan-ir.gq"; isdataat:!1,relative; nocase; reference:md5,5dab8a38324deadd7a9738a6c59b69da; classtype:command-and-control; sid:2035487; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_personel (id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_personel"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlapersonel-sql.txt; reference:url,doc.emergingthreats.net/2010541; classtype:web-application-attack; sid:2010541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 3"; dns_query; content:"alfa-toxic.xyz"; isdataat:!1,relative; reference:md5,2ea18b97e95171afabd9cfafa4813812; classtype:domain-c2; sid:2035488; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_joomportfolio"; nocase; content:"secid="; nocase; pcre:"/(\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt; reference:url,doc.emergingthreats.net/2010542; classtype:web-application-attack; sid:2010542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"alfa-toxic.xyz"; isdataat:!1,relative; nocase; reference:md5,2ea18b97e95171afabd9cfafa4813812; classtype:command-and-control; sid:2035489; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010555; classtype:web-application-attack; sid:2010555; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 4"; dns_query; content:"sahm-melli.tk"; isdataat:!1,relative; reference:md5,56b25d666bb8174d822d8d4c558bad81; classtype:domain-c2; sid:2035490; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010556; classtype:web-application-attack; sid:2010556; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"sahm-melli.tk"; isdataat:!1,relative; nocase; reference:md5,56b25d666bb8174d822d8d4c558bad81; classtype:trojan-activity; sid:2035491; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010557; classtype:web-application-attack; sid:2010557; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 5"; dns_query; content:"kos-nnt.com"; isdataat:!1,relative; reference:md5,c6a3b408175410cd6b5204b804dee2ed; classtype:domain-c2; sid:2035492; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010558; classtype:web-application-attack; sid:2010558; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"kos-nnt.com"; isdataat:!1,relative; nocase; reference:md5,c6a3b408175410cd6b5204b804dee2ed; classtype:command-and-control; sid:2035493; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010559; classtype:web-application-attack; sid:2010559; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 6"; dns_query; content:"samane.site"; isdataat:!1,relative; reference:md5,1cf18d4f51326c4409fccff0b05bd254; classtype:domain-c2; sid:2035494; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_kkcontent"; nocase; content:"catID="; nocase; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; reference:url,doc.emergingthreats.net/2010606; classtype:web-application-attack; sid:2010606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"samane.site"; isdataat:!1,relative; nocase; reference:md5,1cf18d4f51326c4409fccff0b05bd254; classtype:command-and-control; sid:2035495; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; reference:url,doc.emergingthreats.net/2010620; classtype:web-application-attack; sid:2010620; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 7"; dns_query; content:"test-mrx-domin.ml"; isdataat:!1,relative; reference:md5,fa0c00e7e37c6bdd423a01819a1b8d66; classtype:domain-c2; sid:2035496; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010636; classtype:web-application-attack; sid:2010636; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"test-mrx-domin.ml"; isdataat:!1,relative; nocase; reference:md5,fa0c00e7e37c6bdd423a01819a1b8d66; classtype:command-and-control; sid:2035497; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010637; classtype:web-application-attack; sid:2010637; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 8"; dns_query; content:"405.bar"; isdataat:!1,relative; reference:md5,836c642b75b7d063bc663c9612f0f736; classtype:domain-c2; sid:2035498; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010638; classtype:web-application-attack; sid:2010638; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"405.bar"; isdataat:!1,relative; nocase; reference:md5,836c642b75b7d063bc663c9612f0f736; classtype:command-and-control; sid:2035499; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010639; classtype:web-application-attack; sid:2010639; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 9"; dns_query; content:"dolat-sahm-ir.tk"; isdataat:!1,relative; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035500; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010640; classtype:web-application-attack; sid:2010640; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"dolat-sahm-ir.tk"; isdataat:!1,relative; nocase; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:command-and-control; sid:2035501; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-comments-post.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010659; classtype:web-application-attack; sid:2010659; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 10"; dns_query; content:"namosan-nakon.tk"; isdataat:!1,relative; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035502; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-trackback.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010660; classtype:web-application-attack; sid:2010660; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"namosan-nakon.tk"; isdataat:!1,relative; nocase; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035503; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010710; classtype:web-application-attack; sid:2010710; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 11"; dns_query; content:"peygiri.tech"; isdataat:!1,relative; reference:md5,9262943f8fc52b77eedff18c7f122748; classtype:domain-c2; sid:2035504; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010711; classtype:web-application-attack; sid:2010711; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"peygiri.tech"; isdataat:!1,relative; nocase; reference:md5,9262943f8fc52b77eedff18c7f122748; classtype:trojan-activity; sid:2035505; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010712; classtype:web-application-attack; sid:2010712; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 12"; dns_query; content:"sunlovelapi.xyz"; isdataat:!1,relative; reference:md5,f0c894498a890c3afc67916eac3e9c5d; classtype:domain-c2; sid:2035506; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010713; classtype:web-application-attack; sid:2010713; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"sunlovelapi.xyz"; isdataat:!1,relative; nocase; reference:md5,f0c894498a890c3afc67916eac3e9c5d; classtype:command-and-control; sid:2035507; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010714; classtype:web-application-attack; sid:2010714; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?EIO="; depth:16; content:"&transport=polling"; endswith; http.request_body; content:"|5b 22|add|20|user|22|,|22|ID_"; offset:5; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:command-and-control; sid:2029619; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010750; classtype:web-application-attack; sid:2010750; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)"; flow:established,to_server; tls_sni; content:"update.imdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:command-and-control; sid:2035568; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010751; classtype:web-application-attack; sid:2010751; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"imbbq.co"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035569; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010752; classtype:web-application-attack; sid:2010752; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"ds-super-admin.imtokens.money"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035570; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010753; classtype:web-application-attack; sid:2010753; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"imtokenss.token-app.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035571; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010754; classtype:web-application-attack; sid:2010754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"xdhbj.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035572; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_mediaslide/viewer.php?"; nocase; content:"path="; nocase; reference:bugtraq,37440; reference:url,doc.emergingthreats.net/2010780; classtype:web-application-attack; sid:2010780; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"update.xzxqsf.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035573; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010805; classtype:web-application-attack; sid:2010805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"metamask.tptokenm.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035574; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010806; classtype:web-application-attack; sid:2010806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"two.shayu.la"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035575; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010807; classtype:web-application-attack; sid:2010807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"jdzpfw.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035576; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010808; classtype:web-application-attack; sid:2010808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"bp.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035577; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010809; classtype:web-application-attack; sid:2010809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"ok.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035578; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_intuit/models/intuit.php?"; nocase; content:"approval="; nocase; reference:url,www.exploit-db.com/exploits/10730; reference:url,doc.emergingthreats.net/2010833; classtype:web-application-attack; sid:2010833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"mm.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035579; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010843; classtype:web-application-attack; sid:2010843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20"; flow:established,to_server; tls_sni; content:"token-lon.me"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035580; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010844; classtype:web-application-attack; sid:2010844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13"; flow:established,to_server; tls_sni; content:"bh.imtoken.sx"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035581; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010845; classtype:web-application-attack; sid:2010845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14"; flow:established,to_server; tls_sni; content:"ht.imtoken.cn.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035582; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010846; classtype:web-application-attack; sid:2010846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15"; flow:established,to_server; tls_sni; content:"api.tipi21341.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035583; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010842; classtype:web-application-attack; sid:2010842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16"; flow:established,to_server; tls_sni; content:"ariodjs.xyz"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035584; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_morfeoshow/morfeoshow.html.php?"; nocase; content:"user_id="; nocase; pcre:"/user_id\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,secdb.4sec.org/?s1=exp&sid=18773; reference:url,doc.emergingthreats.net/2010848; classtype:web-application-attack; sid:2010848; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17"; flow:established,to_server; tls_sni; content:"walletappforbit.web.app"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035585; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010853; classtype:web-application-attack; sid:2010853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18"; flow:established,to_server; tls_sni; content:"jaxx.su"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035586; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010854; classtype:web-application-attack; sid:2010854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19"; flow:established,to_server; tls_sni; content:"jaxx.tf"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035587; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010855; classtype:web-application-attack; sid:2010855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21"; flow:established,to_server; tls_sni; content:"master-consultas.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035588; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010856; classtype:web-application-attack; sid:2010856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22"; flow:established,to_server; tls_sni; content:"jaxxwalletinc.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035589; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010857; classtype:web-application-attack; sid:2010857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23"; flow:established,to_server; tls_sni; content:"jaxx.podzone.org"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035590; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010924; classtype:web-application-attack; sid:2010924; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24"; flow:established,to_server; tls_sni; content:"saaditrezxie.store"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035591; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010925; classtype:web-application-attack; sid:2010925; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup)"; dns_query; content:"frances-thomas.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035783; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010926; classtype:web-application-attack; sid:2010926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"frances-thomas.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035784; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010927; classtype:web-application-attack; sid:2010927; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup)"; dns_query; content:"scott-chapin.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035785; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010928; classtype:web-application-attack; sid:2010928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"scott-chapin.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035786; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010947; classtype:web-application-attack; sid:2010947; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup)"; dns_query; content:"linda-gaytan.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035787; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010948; classtype:web-application-attack; sid:2010948; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"linda-gaytan.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035788; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010949; classtype:web-application-attack; sid:2010949; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup)"; dns_query; content:"david-gardiner.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035789; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010950; classtype:web-application-attack; sid:2010950; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-gardiner.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035790; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010951; classtype:web-application-attack; sid:2010951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup)"; dns_query; content:"amanda-hart.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035791; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jcollection&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11088; reference:url,doc.emergingthreats.net/2010942; classtype:web-application-attack; sid:2010942; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"amanda-hart.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035792; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?option=com_ccnewsletter&"; nocase; content:"controller="; nocase; reference:bugtraq,37987; reference:url,doc.emergingthreats.net/2010989; classtype:web-application-attack; sid:2010989; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup)"; dns_query; content:"javan-demsky.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035793; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010990; classtype:web-application-attack; sid:2010990; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"javan-demsky.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035794; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010991; classtype:web-application-attack; sid:2010991; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ifn1h8ag1g.com"; bsize:14; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035905; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010992; classtype:web-application-attack; sid:2010992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"s22231232fdnsjds.top"; bsize:20; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035906; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010993; classtype:web-application-attack; sid:2010993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"equisdeperson.space"; bsize:19; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035907; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010994; classtype:web-application-attack; sid:2010994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI)"; flow:established,to_server; tls.sni; content:"xipxesip.design"; bsize:15; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035908; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010981; classtype:web-application-attack; sid:2010981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.dreamloan.cc"; bsize:16; fast_pattern; reference:md5,5038f1ae69db7682e99c04947fa467aa; classtype:command-and-control; sid:2035909; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010982; classtype:web-application-attack; sid:2010982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de"; bsize:43; fast_pattern; reference:md5,ad6f124d00ca05f2a19b5215b85e25a8; classtype:command-and-control; sid:2035910; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010983; classtype:web-application-attack; sid:2010983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba Lure (Package Delivery)"; flow:established,to_client; content:"|82|"; startswith; content:"jsonrpc"; distance:5; within:8; content:"Your parcel has been sent out.Please check and accept it. http"; fast_pattern; reference:url,team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion; classtype:trojan-activity; sid:2036215; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_04_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010984; classtype:web-application-attack; sid:2010984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ActionSpy CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ps/upinfo"; bsize:10; fast_pattern; http.user_agent; content:"android"; bsize:7; http.header; content:"Content-Encoding|3a 20|encrypted|0d 0a|"; reference:md5,43f1891a9c0d8fc69e273095708d9238; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/; classtype:command-and-control; sid:2030342; rev:2; metadata:attack_target Mobile_Client, created_at 2020_06_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010985; classtype:web-application-attack; sid:2010985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.D Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/maid4u_4251/dl.php?sid="; startswith; fast_pattern; content:"&agent="; distance:16; http.user_agent; content:"Linux|3b 20|Android|20|"; http.header; content:"X-Requested-With|3a 20|com.company.gamename|0d 0a|"; content:!"Referer|3a 20|"; reference:md5,71341fc2958e65d208f2770185c61d7a; reference:url,www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/; classtype:trojan-activity; sid:2036425; rev:1; metadata:created_at 2022_04_29, updated_at 2022_04_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_communitypolls&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11511; reference:url,doc.emergingthreats.net/2010996; classtype:web-application-attack; sid:2010996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Origami.b / Donot DNS Lookup"; dns.query; content:"uniqueupdatesfrtetheupdateing.live"; nocase; bsize:34; reference:md5,350204a366fd3a2b1b9b80e6891c0df3; classtype:domain-c2; sid:2036500; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_05_06, deployment Perimeter, signature_severity Major, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011001; classtype:web-application-attack; sid:2011001; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Origami.b / Donot Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"uniqueupdatesfrtetheupdateing.live"; bsize:34; fast_pattern; reference:md5,350204a366fd3a2b1b9b80e6891c0df3; classtype:domain-c2; sid:2036501; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_05_06, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_05_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011002; classtype:web-application-attack; sid:2011002; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android ERMAC Banker (PL) Related Domain in DNS Lookup (bolt-food .site)"; dns.query; content:"bolt-food.site"; nocase; bsize:14; reference:md5,1e0586aef0f106031260fecb412c5cdf; reference:url,twitter.com/ESETresearch/status/1526897310231322630; classtype:domain-c2; sid:2036634; rev:1; metadata:attack_target Mobile_Client, created_at 2022_05_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011003; classtype:web-application-attack; sid:2011003; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ERMAC Banker (PL) Domain (bolt-food .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"bolt-food.site"; bsize:14; fast_pattern; reference:url,twitter.com/ESETresearch/status/1526897310231322630; reference:md5,1e0586aef0f106031260fecb412c5cdf; classtype:domain-c2; sid:2036635; rev:1; metadata:attack_target Mobile_Client, created_at 2022_05_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_05_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011004; classtype:web-application-attack; sid:2011004; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"store-apple.info"; nocase; bsize:16; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037055; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011005; classtype:web-application-attack; sid:2011005; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"155-wind.info"; nocase; bsize:13; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037056; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011022; classtype:web-application-attack; sid:2011022; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"iliad.info"; nocase; bsize:10; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037057; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011023; classtype:web-application-attack; sid:2011023; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"poste-it.info"; nocase; bsize:13; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037058; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011024; classtype:web-application-attack; sid:2011024; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"wind-h3g.info"; nocase; bsize:13; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037059; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011025; classtype:web-application-attack; sid:2011025; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"119-tim.info"; nocase; bsize:12; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037060; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011026; classtype:web-application-attack; sid:2011026; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"133-tre.info"; nocase; bsize:12; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037061; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_jcalpro/cal_popup.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt; reference:url,doc.emergingthreats.net/2011017; classtype:web-application-attack; sid:2011017; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"amex-co.info"; nocase; bsize:12; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037062; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_wgpicasa&"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/39467; reference:url,exploit-db.com/exploits/12230; reference:url,doc.emergingthreats.net/2011067; classtype:web-application-attack; sid:2011067; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"cloud-apple.info"; nocase; bsize:16; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037063; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011077; classtype:web-application-attack; sid:2011077; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"rojavanetwork.info"; nocase; bsize:18; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037064; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011078; classtype:web-application-attack; sid:2011078; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"159-windtre.info"; nocase; bsize:16; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037065; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011079; classtype:web-application-attack; sid:2011079; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"mobdemo.info"; nocase; bsize:12; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037066; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011080; classtype:web-application-attack; sid:2011080; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"kena-mobile.info"; nocase; bsize:16; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037067; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011081; classtype:web-application-attack; sid:2011081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"fb-techsupport.com"; nocase; bsize:18; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037068; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11845; reference:url,doc.emergingthreats.net/2011131; classtype:web-application-attack; sid:2011131; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"milf.house"; nocase; bsize:10; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037069; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_universal/includes/config/config.html.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11865; reference:bugtraq,38949; reference:url,doc.emergingthreats.net/2011132; classtype:web-application-attack; sid:2011132; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"146-fastweb.info"; nocase; bsize:16; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037070; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009383; classtype:web-application-attack; sid:2009383; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy Hermit CnC Domain in DNS Lookup"; dns.query; content:"mobilepays.info"; nocase; bsize:15; reference:url,www.lookout.com/blog/hermit-spyware-discovery; classtype:domain-c2; sid:2037071; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_06_22, deployment Perimeter, signature_severity Major, updated_at 2022_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//i"; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009384; classtype:web-application-attack; sid:2009384; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE Android/Revive Banking Trojan Initial Checkin Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /user/insert HTTP/1.1"; http.user_agent; content:"Linux|3b 20|"; http.header_names; content:!"Referer"; http.request_body; content:"|7b 22|phone|22 3a 22|"; fast_pattern; startswith; content:"|22 2c 22|android_version|22 3a 22|"; distance:0; content:"|22 2c 22|device_name|22 3a 22|"; distance:0; reference:md5,4240473028f88a3ef54f86f1cd387f24; reference:md5,cf704e63652c23c2d609e9a01659511c; reference:url,www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan; classtype:command-and-control; sid:2037262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Revive, signature_severity Major, updated_at 2022_07_05;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_ongumatimesheet20/lib/onguma.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,32095; reference:cve,CVE-2008-6347; reference:url,www.exploit-db.com/exploits/6976/; reference:url,doc.emergingthreats.net/2009391; classtype:web-application-attack; sid:2009391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server (waplove .cn)"; dns.query; dotprefix; content:".waplove.cn"; fast_pattern; nocase; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:4; metadata:created_at 2011_06_16, former_category MOBILE_MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006760; classtype:web-application-attack; sid:2006760; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server (searchwebmobile .com)"; dns.query; content:"www.searchwebmobile.com"; fast_pattern; nocase; bsize:23; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013041; rev:3; metadata:created_at 2011_06_16, former_category MOBILE_MALWARE, updated_at 2022_07_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006761; classtype:web-application-attack; sid:2006761; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1 (goldncup .com)"; dns.query; content:"goldncup.com"; fast_pattern; nocase; bsize:12; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025639; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006762; classtype:web-application-attack; sid:2006762; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3 (autoandroidup .website)"; dns.query; content:"autoandroidup.website"; fast_pattern; nocase; bsize:21; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025641; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006763; classtype:web-application-attack; sid:2006763; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4 (mobilestoreupdate .website)"; dns.query; content:"mobilestoreupdate.website"; fast_pattern; nocase; bsize:25; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025642; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006764; classtype:web-application-attack; sid:2006764; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5 (updatemobapp .website)"; dns.query; content:"updatemobapp.website"; fast_pattern; nocase; bsize:20; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025643; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006765; classtype:web-application-attack; sid:2006765; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2 (glancelove .com)"; dns.query; content:"glancelove.com"; fast_pattern; nocase; bsize:14; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025640; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2022_07_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006766; classtype:web-application-attack; sid:2006766; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"wwerenbvb.store"; nocase; bsize:15; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037911; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006767; classtype:web-application-attack; sid:2006767; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"nbvvvb.hair"; nocase; bsize:11; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037912; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006768; classtype:web-application-attack; sid:2006768; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"vntososupplsos.live"; nocase; bsize:19; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037913; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006769; classtype:web-application-attack; sid:2006769; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"qwnbvb.skin"; nocase; bsize:11; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037914; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006770; classtype:web-application-attack; sid:2006770; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"qqnbvb.space"; nocase; bsize:12; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037915; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006771; classtype:web-application-attack; sid:2006771; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"ccnbvb.pics"; nocase; bsize:11; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037916; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006772; classtype:web-application-attack; sid:2006772; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"vbnbvb.online"; nocase; bsize:13; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037917; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006773; classtype:web-application-attack; sid:2006773; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"nbvb3954.fun"; nocase; bsize:12; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037918; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006774; classtype:web-application-attack; sid:2006774; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"olopokogulya.site"; nocase; bsize:17; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037919; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006775; classtype:web-application-attack; sid:2006775; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"nbvber.makeup"; nocase; bsize:13; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037920; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006776; classtype:web-application-attack; sid:2006776; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"nbvbsd.mom"; nocase; bsize:10; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037921; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006777; classtype:web-application-attack; sid:2006777; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"xxnbvb.quest"; nocase; bsize:12; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037922; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/adm/krgourl.php?"; nocase; content:"DOCUMENT_ROOT="; nocase; pcre:"/DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt; reference:url,doc.emergingthreats.net/2010475; classtype:web-application-attack; sid:2010475; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"asqwnbvb.shop"; nocase; bsize:13; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037923; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/customer.forumtopic.php?"; nocase; content:"forum_topic_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,2008-5590; reference:bugtraq,32672; reference:url,www.exploit-db.com/exploits/7368/; reference:url,doc.emergingthreats.net/2009198; classtype:web-application-attack; sid:2009198; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"eenbvb.sbs"; nocase; bsize:10; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037924; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/linking.page.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,29205; reference:url,milw0rm.com/exploits/5611; reference:url,doc.emergingthreats.net/2009658; classtype:web-application-attack; sid:2009658; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"nbvb.one"; nocase; bsize:8; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037925; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004641; classtype:web-application-attack; sid:2004641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Banker Octo CnC Domain in DNS Lookup"; dns.query; content:"nbvbwe.monster"; nocase; bsize:14; reference:url,www.trendmicro.com/en_us/research/22/g/examining-new-dawdropper-banking-dropper-and-daas-on-the-dark-we.html; classtype:domain-c2; sid:2037926; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_08_04, deployment Perimeter, signature_severity Major, updated_at 2022_08_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004642; classtype:web-application-attack; sid:2004642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004643; classtype:web-application-attack; sid:2004643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004644; classtype:web-application-attack; sid:2004644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; classtype:attempted-dos; sid:2009886; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004645; classtype:web-application-attack; sid:2004645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:cve,2003-0533; classtype:misc-activity; sid:2000046; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004646; classtype:web-application-attack; sid:2004646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:cve,2003-0533; classtype:misc-activity; sid:2000033; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/engine/content/elements/menu.php?"; nocase; content:"CONFIG[AdminPath]="; nocase; pcre:"/CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57688; reference:url,doc.emergingthreats.net/2010197; classtype:web-application-attack; sid:2010197; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET NETBIOS ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; classtype:attempted-admin; sid:2002064; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004979; classtype:web-application-attack; sid:2004979; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; reference:url,doc.emergingthreats.net/bin/view/Main/2002186; classtype:attempted-admin; sid:2002186; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004980; classtype:web-application-attack; sid:2004980; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002199; classtype:protocol-command-decode; sid:2002199; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004981; classtype:web-application-attack; sid:2004981; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002200; classtype:protocol-command-decode; sid:2002200; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004982; classtype:web-application-attack; sid:2004982; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002201; classtype:attempted-admin; sid:2002201; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004983; classtype:web-application-attack; sid:2004983; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; reference:url,doc.emergingthreats.net/bin/view/Main/2002202; classtype:protocol-command-decode; sid:2002202; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004984; classtype:web-application-attack; sid:2004984; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; classtype:attempted-admin; sid:2002203; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005796; classtype:web-application-attack; sid:2005796; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; classtype:misc-attack; sid:2003081; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005797; classtype:web-application-attack; sid:2005797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2003082; classtype:misc-attack; sid:2003082; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005798; classtype:web-application-attack; sid:2005798; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008690; classtype:attempted-admin; sid:2008690; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005799; classtype:web-application-attack; sid:2005799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008691; classtype:attempted-admin; sid:2008691; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005800; classtype:web-application-attack; sid:2005800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008692; classtype:attempted-admin; sid:2008692; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005801; classtype:web-application-attack; sid:2005801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008693; classtype:attempted-admin; sid:2008693; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005069; classtype:web-application-attack; sid:2005069; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008694; classtype:attempted-admin; sid:2008694; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005070; classtype:web-application-attack; sid:2005070; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008696; classtype:attempted-admin; sid:2008696; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005071; classtype:web-application-attack; sid:2005071; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008697; classtype:attempted-admin; sid:2008697; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005072; classtype:web-application-attack; sid:2005072; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008698; classtype:attempted-admin; sid:2008698; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005073; classtype:web-application-attack; sid:2005073; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008699; classtype:attempted-admin; sid:2008699; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005074; classtype:web-application-attack; sid:2005074; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008700; classtype:attempted-admin; sid:2008700; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005973; classtype:web-application-attack; sid:2005973; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008701; classtype:attempted-admin; sid:2008701; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005974; classtype:web-application-attack; sid:2005974; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008702; classtype:attempted-admin; sid:2008702; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005975; classtype:web-application-attack; sid:2005975; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008703; classtype:attempted-admin; sid:2008703; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005976; classtype:web-application-attack; sid:2005976; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008704; classtype:attempted-admin; sid:2008704; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005977; classtype:web-application-attack; sid:2005977; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008705; classtype:attempted-admin; sid:2008705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005978; classtype:web-application-attack; sid:2005978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008706; classtype:attempted-admin; sid:2008706; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006315; classtype:web-application-attack; sid:2006315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008707; classtype:attempted-admin; sid:2008707; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006316; classtype:web-application-attack; sid:2006316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008708; classtype:attempted-admin; sid:2008708; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006317; classtype:web-application-attack; sid:2006317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008709; classtype:attempted-admin; sid:2008709; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006318; classtype:web-application-attack; sid:2006318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008710; classtype:attempted-admin; sid:2008710; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006319; classtype:web-application-attack; sid:2006319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008712; classtype:attempted-admin; sid:2008712; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006320; classtype:web-application-attack; sid:2006320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008713; classtype:attempted-admin; sid:2008713; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004523; classtype:web-application-attack; sid:2004523; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008714; classtype:attempted-admin; sid:2008714; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004524; classtype:web-application-attack; sid:2004524; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008715; classtype:attempted-admin; sid:2008715; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004525; classtype:web-application-attack; sid:2004525; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008717; classtype:attempted-admin; sid:2008717; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004526; classtype:web-application-attack; sid:2004526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008718; classtype:attempted-admin; sid:2008718; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004527; classtype:web-application-attack; sid:2004527; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008719; classtype:attempted-admin; sid:2008719; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004528; classtype:web-application-attack; sid:2004528; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008720; classtype:attempted-admin; sid:2008720; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/include/unverified.inc.php?"; nocase; content:"template="; nocase; reference:bugtraq,27964; reference:url,juniper.net/security/auto/vulnerabilities/vuln27964.html; reference:url,www.exploit-db.com/exploits/5179/; reference:url,doc.emergingthreats.net/2009761; classtype:web-application-attack; sid:2009761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008721; classtype:attempted-admin; sid:2008721; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007294; classtype:web-application-attack; sid:2007294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; classtype:bad-unknown; sid:2000017; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007295; classtype:web-application-attack; sid:2007295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000032; classtype:misc-activity; sid:2000032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007296; classtype:web-application-attack; sid:2007296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A; reference:url,support.microsoft.com/kb/971029; classtype:suspicious-filename-detect; sid:2011526; rev:1; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007297; classtype:web-application-attack; sid:2007297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; classtype:attempted-admin; sid:2001944; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007298; classtype:web-application-attack; sid:2007298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET NETBIOS windows recycler .exe request - suspicious"; flow:to_server,established; content:"|00 00 5C 00 72 00 65 00 63 00 79 00 63 00 6C 00 65 00 72 00 5C|"; content:"|00 2E 00 65 00 78 00 65|"; distance:0; reference:url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC; reference:url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe; classtype:suspicious-filename-detect; sid:2011527; rev:4; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007299; classtype:web-application-attack; sid:2007299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt"; content:"|42 4F 00|"; content:"BROWSER"; nocase; distance:0; content:"|08 09 A8 0F 01 20|"; fast_pattern; distance:0; isdataat:65,relative; content:!"|0A|"; within:65; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=22457; reference:bid,46360; classtype:attempted-admin; sid:2012317; rev:2; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007300; classtype:web-application-attack; sid:2007300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007301; classtype:web-application-attack; sid:2007301; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007302; classtype:web-application-attack; sid:2007302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007303; classtype:web-application-attack; sid:2007303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007304; classtype:web-application-attack; sid:2007304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102479; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007305; classtype:web-application-attack; sid:2007305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102478; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007306; classtype:web-application-attack; sid:2007306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102477; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007307; classtype:web-application-attack; sid:2007307; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102476; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007308; classtype:web-application-attack; sid:2007308; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007309; classtype:web-application-attack; sid:2007309; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102473; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007310; classtype:web-application-attack; sid:2007310; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102470; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007311; classtype:web-application-attack; sid:2007311; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102467; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007312; classtype:web-application-attack; sid:2007312; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007313; classtype:web-application-attack; sid:2007313; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007314; classtype:web-application-attack; sid:2007314; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007315; classtype:web-application-attack; sid:2007315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103425; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007316; classtype:web-application-attack; sid:2007316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103426; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007317; classtype:web-application-attack; sid:2007317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103177; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007318; classtype:web-application-attack; sid:2007318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103176; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007319; classtype:web-application-attack; sid:2007319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103427; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007320; classtype:web-application-attack; sid:2007320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007321; classtype:web-application-attack; sid:2007321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103179; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007322; classtype:web-application-attack; sid:2007322; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103178; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007323; classtype:web-application-attack; sid:2007323; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103377; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007324; classtype:web-application-attack; sid:2007324; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103378; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007325; classtype:web-application-attack; sid:2007325; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103379; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007326; classtype:web-application-attack; sid:2007326; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103380; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007327; classtype:web-application-attack; sid:2007327; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103393; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007328; classtype:web-application-attack; sid:2007328; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007329; classtype:web-application-attack; sid:2007329; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007330; classtype:web-application-attack; sid:2007330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007331; classtype:web-application-attack; sid:2007331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007332; classtype:web-application-attack; sid:2007332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id DELETE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007333; classtype:web-application-attack; sid:2007333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007334; classtype:web-application-attack; sid:2007334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103257; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007335; classtype:web-application-attack; sid:2007335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103258; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010023; classtype:web-application-attack; sid:2010023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; pcre:"/cwd=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010024; classtype:web-application-attack; sid:2010024; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006657; classtype:web-application-attack; sid:2006657; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006658; classtype:web-application-attack; sid:2006658; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006659; classtype:web-application-attack; sid:2006659; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102937; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006660; classtype:web-application-attack; sid:2006660; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006661; classtype:web-application-attack; sid:2006661; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103219; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006663; classtype:web-application-attack; sid:2006663; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103218; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006664; classtype:web-application-attack; sid:2006664; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103221; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006665; classtype:web-application-attack; sid:2006665; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103220; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006666; classtype:web-application-attack; sid:2006666; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103409; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ASCII"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006667; classtype:web-application-attack; sid:2006667; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103410; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006668; classtype:web-application-attack; sid:2006668; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103411; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007362; classtype:web-application-attack; sid:2007362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103412; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007364; classtype:web-application-attack; sid:2007364; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103240; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007363; classtype:web-application-attack; sid:2007363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103241; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007365; classtype:web-application-attack; sid:2007365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103115; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007366; classtype:web-application-attack; sid:2007366; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103114; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007367; classtype:web-application-attack; sid:2007367; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103117; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007368; classtype:web-application-attack; sid:2007368; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103116; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007369; classtype:web-application-attack; sid:2007369; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103098; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007370; classtype:web-application-attack; sid:2007370; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103090; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007371; classtype:web-application-attack; sid:2007371; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103099; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007372; classtype:web-application-attack; sid:2007372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103160; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007373; classtype:web-application-attack; sid:2007373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103161; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/smallaxe-0.3.1/inc/linkbar.php?"; nocase; content:"cfile="; nocase; pcre:"/cfile\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10676; reference:url,doc.emergingthreats.net/2011000; classtype:web-application-attack; sid:2011000; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lito Lite CMS cate.php cid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cate.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/7294/; reference:url,secunia.com/advisories/32910/; reference:url,doc.emergingthreats.net/2008927; classtype:web-application-attack; sid:2008927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103162; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006473; classtype:web-application-attack; sid:2006473; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006474; classtype:web-application-attack; sid:2006474; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006475; classtype:web-application-attack; sid:2006475; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006476; classtype:web-application-attack; sid:2006476; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102929; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006477; classtype:web-application-attack; sid:2006477; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006478; classtype:web-application-attack; sid:2006478; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102940; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005829; classtype:web-application-attack; sid:2005829; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|winreg|00|"; within:8; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102174; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005830; classtype:web-application-attack; sid:2005830; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103203; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005831; classtype:web-application-attack; sid:2005831; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005832; classtype:web-application-attack; sid:2005832; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102941; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005833; classtype:web-application-attack; sid:2005833; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:78; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102175; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt"; flow:established,to_server; http.uri; content:"pathToIndex="; nocase; content:".php?"; nocase; pcre:"/\.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\?/i"; reference:url,www.exploit-db.com/exploits/9729/; reference:url,doc.emergingthreats.net/2010530; classtype:web-application-attack; sid:2010530; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006321; classtype:web-application-attack; sid:2006321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103433; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006322; classtype:web-application-attack; sid:2006322; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103434; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006323; classtype:web-application-attack; sid:2006323; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103185; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006324; classtype:web-application-attack; sid:2006324; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103184; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006325; classtype:web-application-attack; sid:2006325; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103435; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006326; classtype:web-application-attack; sid:2006326; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103436; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/profiles/html/simpleSearch.do?name="; nocase; pcre:"/name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload)/i"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022945.html; reference:url,doc.emergingthreats.net/2009990; classtype:web-application-attack; sid:2009990; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004961; classtype:web-application-attack; sid:2004961; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004962; classtype:web-application-attack; sid:2004962; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004963; classtype:web-application-attack; sid:2004963; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004964; classtype:web-application-attack; sid:2004964; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103385; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004965; classtype:web-application-attack; sid:2004965; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103386; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004966; classtype:web-application-attack; sid:2004966; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103387; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004967; classtype:web-application-attack; sid:2004967; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004968; classtype:web-application-attack; sid:2004968; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004969; classtype:web-application-attack; sid:2004969; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004970; classtype:web-application-attack; sid:2004970; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103401; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004971; classtype:web-application-attack; sid:2004971; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103402; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004972; classtype:web-application-attack; sid:2004972; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103403; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005511; classtype:web-application-attack; sid:2005511; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005512; classtype:web-application-attack; sid:2005512; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103264; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005514; classtype:web-application-attack; sid:2005514; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103265; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005515; classtype:web-application-attack; sid:2005515; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103266; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005516; classtype:web-application-attack; sid:2005516; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005517; classtype:web-application-attack; sid:2005517; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006225; classtype:web-application-attack; sid:2006225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102939; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006226; classtype:web-application-attack; sid:2006226; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103024; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006227; classtype:web-application-attack; sid:2006227; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103227; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006228; classtype:web-application-attack; sid:2006228; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103226; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006229; classtype:web-application-attack; sid:2006229; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103229; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006230; classtype:web-application-attack; sid:2006230; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103228; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006231; classtype:web-application-attack; sid:2006231; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103417; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006232; classtype:web-application-attack; sid:2006232; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103418; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006233; classtype:web-application-attack; sid:2006233; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103419; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006234; classtype:web-application-attack; sid:2006234; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103420; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006235; classtype:web-application-attack; sid:2006235; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103248; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006236; classtype:web-application-attack; sid:2006236; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103249; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103250; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012066; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103251; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auktion/auktion_text.php?"; nocase; content:"id_auk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12005/; classtype:web-application-attack; sid:2012068; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103123; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; reference:url,exploit-db.com/exploits/15736/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012069; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103122; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; pcre:"/db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/15735/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012070; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103125; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/session.cgi?"; nocase; content:"sid="; nocase; content:"app=urchin.cgi"; nocase; content:"action=prop"; nocase; content:"rid="; nocase; content:"n="; nocase; content:"vid="; nocase; content:"dtc="; nocase; content:"cmd="; nocase; content:"gfid="; nocase; reference:url,exploit-db.com/exploits/15737/; classtype:web-application-attack; sid:2012071; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?"; nocase; content:"v1="; nocase; pcre:"/v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42544; classtype:web-application-attack; sid:2012072; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103106; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006237; classtype:web-application-attack; sid:2006237; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|llsrpc|00|"; within:8; distance:78; nocase; classtype:protocol-command-decode; sid:2103094; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006238; classtype:web-application-attack; sid:2006238; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103107; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006239; classtype:web-application-attack; sid:2006239; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006240; classtype:web-application-attack; sid:2006240; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103095; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006241; classtype:web-application-attack; sid:2006241; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006242; classtype:web-application-attack; sid:2006242; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103170; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006243; classtype:web-application-attack; sid:2006243; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006244; classtype:web-application-attack; sid:2006244; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006245; classtype:web-application-attack; sid:2006245; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006246; classtype:web-application-attack; sid:2006246; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006247; classtype:web-application-attack; sid:2006247; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006248; classtype:web-application-attack; sid:2006248; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008897; classtype:web-application-attack; sid:2008897; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103211; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008898; classtype:web-application-attack; sid:2008898; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/getid3.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011062; classtype:web-application-attack; sid:2011062; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/module.archive.gzip.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011063; classtype:web-application-attack; sid:2011063; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103394; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004427; classtype:web-application-attack; sid:2004427; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103395; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004428; classtype:web-application-attack; sid:2004428; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103242; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004429; classtype:web-application-attack; sid:2004429; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103243; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004430; classtype:web-application-attack; sid:2004430; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103100; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004431; classtype:web-application-attack; sid:2004431; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103101; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004432; classtype:web-application-attack; sid:2004432; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004433; classtype:web-application-attack; sid:2004433; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004434; classtype:web-application-attack; sid:2004434; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103168; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004435; classtype:web-application-attack; sid:2004435; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103169; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004436; classtype:web-application-attack; sid:2004436; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100538; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004437; classtype:web-application-attack; sid:2004437; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2100537; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004438; classtype:web-application-attack; sid:2004438; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100536; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004766; classtype:web-application-attack; sid:2004766; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:2100535; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004767; classtype:web-application-attack; sid:2004767; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:2100534; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004768; classtype:web-application-attack; sid:2004768; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2100533; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004769; classtype:web-application-attack; sid:2004769; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2100532; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004770; classtype:web-application-attack; sid:2004770; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:2100530; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004771; classtype:web-application-attack; sid:2004771; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt"; flow:established,to_server; http.uri; content:"/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?"; nocase; content:"Command=FileUpload"; nocase; content:"/configuration.php"; nocase; content:"CurrentFolder="; nocase; reference:url,www.securityfocus.com/bid/27472/info; reference:url,doc.emergingthreats.net/2009937; classtype:web-application-attack; sid:2009937; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102382; rev:22; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_viewfulllisting"; nocase; content:"listing_id="; nocase; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; reference:url,doc.emergingthreats.net/2010605; classtype:web-application-attack; sid:2010605; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011091; classtype:web-application-attack; sid:2011091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103003; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011092; classtype:web-application-attack; sid:2011092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102403; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011093; classtype:web-application-attack; sid:2011093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102404; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011094; classtype:web-application-attack; sid:2011094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103437; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011095; classtype:web-application-attack; sid:2011095; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103429; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prodshow.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103159; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005141; classtype:web-application-attack; sid:2005141; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005142; classtype:web-application-attack; sid:2005142; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IActivation little endian bind attempt"; flow:established,to_server; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; classtype:protocol-command-decode; sid:2103276; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005143; classtype:web-application-attack; sid:2005143; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103198; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005144; classtype:web-application-attack; sid:2005144; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; byte_test:1,&,16,3,relative; content:"|5C 5C|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103197; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005145; classtype:web-application-attack; sid:2005145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_test:4,>,128,0,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103238; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005146; classtype:web-application-attack; sid:2005146; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC IrotIsRunning little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_test:4,>,128,0,little,relative; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103239; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9350/; reference:url,vupen.com/english/advisories/2009/2136; reference:url,doc.emergingthreats.net/2011259; classtype:web-application-attack; sid:2011259; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103236; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1)"; flow:established,to_server; http.uri; content:"/includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009888; classtype:web-application-attack; sid:2009888; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC irot little endian bind attempt"; flow:established,to_server; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103237; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)"; flow:established,to_server; http.uri; content:"/classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009889; classtype:web-application-attack; sid:2009889; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3)"; flow:established,to_server; http.uri; content:"/classes/class.thcsm_user.php?is_path=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009890; classtype:web-application-attack; sid:2009890; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4)"; flow:established,to_server; http.uri; content:"/modul/mod.users.php?thCMS_root=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009891; classtype:web-application-attack; sid:2009891; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"queueMsgType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011082; classtype:web-application-attack; sid:2011082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103156; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"QtnType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011083; classtype:web-application-attack; sid:2011083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC msqueue little endian bind attempt"; flow:to_server,established; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103157; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004265; classtype:web-application-attack; sid:2004265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103180; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004266; classtype:web-application-attack; sid:2004266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103430; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004267; classtype:web-application-attack; sid:2004267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103181; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004268; classtype:web-application-attack; sid:2004268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103431; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004269; classtype:web-application-attack; sid:2004269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103182; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004270; classtype:web-application-attack; sid:2004270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004271; classtype:web-application-attack; sid:2004271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103381; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004272; classtype:web-application-attack; sid:2004272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103382; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004273; classtype:web-application-attack; sid:2004273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103383; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004274; classtype:web-application-attack; sid:2004274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103384; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004275; classtype:web-application-attack; sid:2004275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103397; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004276; classtype:web-application-attack; sid:2004276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103398; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004277; classtype:web-application-attack; sid:2004277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103399; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004278; classtype:web-application-attack; sid:2004278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103400; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004279; classtype:web-application-attack; sid:2004279; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103260; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004280; classtype:web-application-attack; sid:2004280; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103261; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004281; classtype:web-application-attack; sid:2004281; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103262; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004282; classtype:web-application-attack; sid:2004282; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103263; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004283; classtype:web-application-attack; sid:2004283; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103022; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004284; classtype:web-application-attack; sid:2004284; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004285; classtype:web-application-attack; sid:2004285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103034; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004286; classtype:web-application-attack; sid:2004286; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103026; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004287; classtype:web-application-attack; sid:2004287; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103035; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004288; classtype:web-application-attack; sid:2004288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004289; classtype:web-application-attack; sid:2004289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103051; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004290; classtype:web-application-attack; sid:2004290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103042; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004291; classtype:web-application-attack; sid:2004291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103050; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004292; classtype:web-application-attack; sid:2004292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103036; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004293; classtype:web-application-attack; sid:2004293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103028; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004294; classtype:web-application-attack; sid:2004294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103037; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004295; classtype:web-application-attack; sid:2004295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103029; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103045; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004297; classtype:web-application-attack; sid:2004297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103053; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004298; classtype:web-application-attack; sid:2004298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004299; classtype:web-application-attack; sid:2004299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103052; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004300; classtype:web-application-attack; sid:2004300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103038; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004301; classtype:web-application-attack; sid:2004301; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103030; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004302; classtype:web-application-attack; sid:2004302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103039; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004303; classtype:web-application-attack; sid:2004303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103031; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004304; classtype:web-application-attack; sid:2004304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103047; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004305; classtype:web-application-attack; sid:2004305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103055; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004306; classtype:web-application-attack; sid:2004306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103046; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/centre.php?"; nocase; content:"padmin="; nocase; reference:url,vupen.com/english/advisories/2008/2938; reference:url,www.exploit-db.com/exploits/6846/; reference:url,doc.emergingthreats.net/2009330; classtype:web-application-attack; sid:2009330; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103054; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; content:"settings[locale]="; nocase; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.exploit-db.com/exploits/9018/; reference:url,doc.emergingthreats.net/2010631; classtype:web-application-attack; sid:2010631; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103040; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyioSoft EasyBookMarker Parent parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmarker_backend.php?"; nocase; content:"Parent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32636/; reference:url,www.exploit-db.com/exploits/7053/; reference:url,doc.emergingthreats.net/2008835; classtype:web-application-attack; sid:2008835; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103032; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My PHP Dating id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/success_story.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,secunia.com/advisories/32268; reference:url,www.exploit-db.com/exploits/6754/; reference:url,doc.emergingthreats.net/2008672; classtype:web-application-attack; sid:2008672; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103041; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006627; classtype:web-application-attack; sid:2006627; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103033; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006628; classtype:web-application-attack; sid:2006628; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103049; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006629; classtype:web-application-attack; sid:2006629; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103057; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006630; classtype:web-application-attack; sid:2006630; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103048; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006631; classtype:web-application-attack; sid:2006631; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103056; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006632; classtype:web-application-attack; sid:2006632; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004612; classtype:web-application-attack; sid:2004612; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103223; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004613; classtype:web-application-attack; sid:2004613; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103224; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004614; classtype:web-application-attack; sid:2004614; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103225; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004615; classtype:web-application-attack; sid:2004615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103413; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004616; classtype:web-application-attack; sid:2004616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103414; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004617; classtype:web-application-attack; sid:2004617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103415; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004095; classtype:web-application-attack; sid:2004095; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103416; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004096; classtype:web-application-attack; sid:2004096; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004097; classtype:web-application-attack; sid:2004097; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004098; classtype:web-application-attack; sid:2004098; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004099; classtype:web-application-attack; sid:2004099; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103245; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004100; classtype:web-application-attack; sid:2004100; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103246; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UNION"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004743; classtype:web-application-attack; sid:2004743; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103247; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004742; classtype:web-application-attack; sid:2004742; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103118; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004744; classtype:web-application-attack; sid:2004744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103119; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004745; classtype:web-application-attack; sid:2004745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103120; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004746; classtype:web-application-attack; sid:2004746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103121; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004747; classtype:web-application-attack; sid:2004747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103102; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006880; classtype:web-application-attack; sid:2006880; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103092; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006881; classtype:web-application-attack; sid:2006881; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103103; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006882; classtype:web-application-attack; sid:2006882; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103104; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006883; classtype:web-application-attack; sid:2006883; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103093; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006884; classtype:web-application-attack; sid:2006884; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103105; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006885; classtype:web-application-attack; sid:2006885; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103164; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006736; classtype:web-application-attack; sid:2006736; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103165; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006737; classtype:web-application-attack; sid:2006737; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103166; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006738; classtype:web-application-attack; sid:2006738; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103167; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006739; classtype:web-application-attack; sid:2006739; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006740; classtype:web-application-attack; sid:2006740; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103207; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006741; classtype:web-application-attack; sid:2006741; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006742; classtype:web-application-attack; sid:2006742; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103209; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006743; classtype:web-application-attack; sid:2006743; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006744; classtype:web-application-attack; sid:2006744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103438; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006745; classtype:web-application-attack; sid:2006745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,128,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006746; classtype:web-application-attack; sid:2006746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 04|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103439; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006747; classtype:web-application-attack; sid:2006747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103190; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012122; classtype:web-application-attack; sid:2012122; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103440; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012123; classtype:web-application-attack; sid:2012123; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103389; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012125; classtype:web-application-attack; sid:2012125; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103390; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012126; classtype:web-application-attack; sid:2012126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103391; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012127; classtype:web-application-attack; sid:2012127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103392; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012128; classtype:web-application-attack; sid:2012128; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103405; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012129; classtype:web-application-attack; sid:2012129; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103406; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pingsvr.php?"; nocase; content:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt; reference:url,doc.emergingthreats.net/2012130; classtype:web-application-attack; sid:2012130; rev:6; metadata:created_at 2010_12_30, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103407; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_seyret"; nocase; content:"task=videodirectlink"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14172/; reference:url,doc.emergingthreats.net/2012131; classtype:web-application-attack; sid:2012131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103408; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103268; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012161; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103269; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012162; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 02|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103270; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012163; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103271; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/accept-signups/accept-signups_submit.php?"; nocase; content:"email="; nocase; pcre:"/email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt; classtype:web-application-attack; sid:2012164; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103023; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/blocks/file/controller.php?"; nocase; content:"DIR_FILES_BLOCK_TYPES_CORE="; nocase; pcre:"/DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,45669; classtype:web-application-attack; sid:2012165; rev:6; metadata:created_at 2011_01_07, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103025; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/com_xmovie/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt; classtype:web-application-attack; sid:2012166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103230; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/express_edit/editor.aspx?"; nocase; content:"index="; nocase; content:"AND"; nocase; content:"IF"; nocase; pcre:"/AND.*IF\(/i"; reference:url,exploit-db.com/exploits/15124/; classtype:web-application-attack; sid:2012167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,1024,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103231; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hst="; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; reference:url,unit42.paloaltonetworks.com/cortex-xdr-detects-netsupport-manager-rat-campaign/; reference:md5,dfd424684f3a5c44ff425c7fe425ca8b; classtype:command-and-control; sid:2030853; rev:1; metadata:created_at 2020_09_11, former_category MALWARE, performance_impact Low, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,2048,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103232; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/tiki-jsplugin.php?"; nocase; content:"plugin="; nocase; content:"language="; nocase; reference:url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46; classtype:web-application-attack; sid:2012168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0F 00|"; within:2; distance:19; byte_test:2,>,2048,20,relative,little; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx; classtype:attempted-admin; sid:2103233; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006748; classtype:web-application-attack; sid:2006748; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6; classtype:protocol-command-decode; sid:2103421; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006749; classtype:web-application-attack; sid:2006749; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 5C|"; byte_test:4,>,256,6,little; classtype:protocol-command-decode; sid:2103422; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006751; classtype:web-application-attack; sid:2006751; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8; classtype:protocol-command-decode; sid:2103423; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006752; classtype:web-application-attack; sid:2006752; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.iactivation.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103424; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006753; classtype:web-application-attack; sid:2006753; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103004; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006754; classtype:web-application-attack; sid:2006754; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103005; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103142; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006756; classtype:web-application-attack; sid:2006756; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006757; classtype:web-application-attack; sid:2006757; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103253; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006758; classtype:web-application-attack; sid:2006758; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103254; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006759; classtype:web-application-attack; sid:2006759; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103255; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007288; classtype:web-application-attack; sid:2007288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103126; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007289; classtype:web-application-attack; sid:2007289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,52,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103127; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007290; classtype:web-application-attack; sid:2007290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103128; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007291; classtype:web-application-attack; sid:2007291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.llsrpc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,104,0,relative; reference:url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx; classtype:attempted-admin; sid:2103129; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007292; classtype:web-application-attack; sid:2007292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007293; classtype:web-application-attack; sid:2007293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|llsrpc|00|"; within:8; distance:51; nocase; classtype:protocol-command-decode; sid:2103096; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012181; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/media.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:6; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/xmlrpc/server.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:51; nocase; classtype:protocol-command-decode; sid:2103097; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/libs/PLUGINADMIN.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012185; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"@|FD|,4l<|CE 11 A8 93 08 00|+.|9C|m"; within:16; distance:29; flowbits:set,smb.tree.bind.llsrpc; classtype:protocol-command-decode; sid:2103113; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/profile/user.php?"; nocase; content:"aXconf[default_language]="; nocase; reference:url,exploit-db.com/exploits/15938/; classtype:web-application-attack; sid:2012186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103172; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/bizdir/bizdir.cgi?"; nocase; content:"f_srch="; nocase; pcre:"/f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt; classtype:web-application-attack; sid:2012187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103173; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/English_manual_version_2.php?"; nocase; content:"client="; nocase; pcre:"/client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012190; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103174; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/zimplit.php?"; nocase; content:"action=load"; nocase; content:"file="; nocase; pcre:"/file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012191; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103175; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scan"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"varhttp|3A|/"; nocase; content:"wwwhttp|3A|/"; nocase; content:"htmlhttp|3A|/"; nocase; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:7; metadata:created_at 2010_10_13, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103214; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103215; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103217; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103196; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL NETBIOS WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103200; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud.swf?"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103235; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/op/op.Login.php?"; nocase; content:"login="; nocase; content:"sesstheme="; nocase; content:"lang="; nocase; reference:bugtraq,37828; classtype:web-application-attack; sid:2012217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:2103234; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud-ru.swf"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012220; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; fast_pattern; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2102349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; http.uri; content:"/proc/self/environ"; nocase; classtype:web-application-attack; sid:2012230; rev:6; metadata:created_at 2011_01_25, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2102348; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/send.php"; http.header; content:"facebook.com"; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Opera 8.11 UA related to Trojan Activity"; flow:established,to_server; http.header; content:"|20|HTTP/1.0|0d 0a|"; content:"|0d 0a|User-Agent|3a 20|opera/8.11|0d 0a|"; classtype:trojan-activity; sid:2012315; rev:4; metadata:created_at 2011_02_18, former_category USER_AGENTS, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/customer_ftp.php?"; nocase; content:"id="; nocase; pcre:"/id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/16051/; classtype:web-application-attack; sid:2012334; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=viewbus"; nocase; content:"bus="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16034/; classtype:web-application-attack; sid:2012335; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012336; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102309; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012337; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102308; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012338; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012339; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012340; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012341; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:16; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012342; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/active_auctions.php?"; nocase; content:"lan="; nocase; reference:url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63; classtype:web-application-attack; sid:2012343; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102192; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib/addressbook.php?"; nocase; content:"basedir="; nocase; pcre:"/basedir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12369/; classtype:web-application-attack; sid:2012344; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_frontenduseraccess"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/43137/; reference:url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909; classtype:web-application-attack; sid:2012345; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102190; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012346; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012347; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp any any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2102176; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012348; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012349; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; reference:nessus,11110; classtype:denial-of-service; sid:2102102; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012350; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102101; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/SearchCenter/Pages/AllResults.aspx?"; nocase; content:"k="; nocase; pcre:"/k\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98029/enp-xss.txt; classtype:web-application-attack; sid:2012351; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/browsecats.php?"; nocase; content:"cid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16062/; classtype:web-application-attack; sid:2012352; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102508; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/audio/getid3/demos/demo.browse.php?"; nocase; content:"showfile="; nocase; pcre:"/showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt; classtype:web-application-attack; sid:2012353; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102509; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/gradebook/open_document.php?"; nocase; content:"file="; reference:bugtraq,46173; classtype:web-application-attack; sid:2012354; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102510; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?"; nocase; content:"PHPCOVERAGE_HOME"; nocase; pcre:"/PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt; classtype:web-application-attack; sid:2012355; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102511; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/js/modalbox/tests/functional/_ajax_method_get.php?"; nocase; content:"param="; nocase; pcre:"/param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt; classtype:web-application-attack; sid:2012356; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102512; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_xgallery/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt; classtype:web-application-attack; sid:2012357; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102513; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flash_upload.php?"; nocase; content:"modelid="; nocase; content:"ORDER"; nocase; content:"BY"; nocase; pcre:"/ORDER.+BY/i"; reference:bugtraq,45933; classtype:web-application-attack; sid:2012358; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Reimageplus Ransomware Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"enfiniql2buev6o.m.pipedream.net"; bsize:31; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:domain-c2; sid:2030851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102524; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reimageplus Ransomware Checkin"; flow:established,to_server; http.request_line; content:"GET /?computer_name="; startswith; content:"&userName="; content:"&allow=ransom HTTP/1.1"; endswith; fast_pattern; reference:md5,0e8d3afa39275492cf98dbdd7da49ce9; reference:url,twitter.com/malwrhunterteam/status/1304390412489166848; classtype:command-and-control; sid:2030852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102525; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (QiHoo Profile)"; flow:established,to_server;  http.method; content:"GET"; http.uri; content:!"."; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,image/apng,*/*|3b|q=0.8"; bsize:85; content:!"application/signed-exchange"; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 4.1.1|3b 20|Nexus 7 Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari";  bsize:123; content:!"Safari/535.19"; http.cookie; content:"__guid="; depth:7; content:"|3b|opqopq="; distance:0; fast_pattern; content:"|3b|QiHooGUID="; distance:0; content:"|3b|"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; classtype:command-and-control; sid:2032746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_09_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102526; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012361; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012362; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012363; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012365; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012366; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012367; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012368; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/com_swmenupro/ImageManager/Classes/ImageManager.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt; classtype:web-application-attack; sid:2012369; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/explanation.php?"; nocase; content:"explain"; nocase; pcre:"/explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012370; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/modules/boonex/custom_rss/post_mod_crss.php?"; nocase; content:"relocate"; nocase; pcre:"/relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012371; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.cfm?"; nocase; content:"actcfug=LibraryView"; nocase; content:"LibraryID="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14935/; classtype:web-application-attack; sid:2012372; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/util/barcode.php?"; nocase; content:"type="; nocase; reference:url,packetstormsecurity.org/files/view/98424/horde-lfi.txt; classtype:web-application-attack; sid:2012373; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012374; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012375; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012376; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012377; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012378; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allauctions.php?"; nocase; content:"aid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt; classtype:web-application-attack; sid:2012379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/core/themes.php?"; nocase; content:"L_failedopentheme="; nocase; pcre:"/L_failedopentheme\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt; classtype:web-application-attack; sid:2012380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itechd.php?"; nocase; content:"productid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; http.uri; content:"awstats.cgi"; nocase; content:"config="; nocase; content:"pluginmode=rawlog"; nocase; content:"configdir=|5C 5C|"; nocase; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:4; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf/WebMessage"; nocase; content:"OpenView"; nocase; content:"messageString="; nocase; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf"; nocase; content:"unescape"; nocase; fast_pattern; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Cewolf?"; nocase; pcre:"/\&(width|height)\=([2-9][0-9][0-9][0-9]*)/i"; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html; classtype:web-application-attack; sid:2012406; rev:5; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; pcre:"/post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012411; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012412; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012413; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012414; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012415; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012416; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012417; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1"; flow:established,to_server; http.uri; content:"/shipping/methods/fedex_v7/label_mgr/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012418; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; http.uri; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ScriptResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6; metadata:created_at 2010_10_13, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/i"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibs Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?dn"; nocase; content:"&flrdr="; fast_pattern; nocase; content:"&nxte="; nocase; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,doc.emergingthreats.net/2008639; classtype:trojan-activity; sid:2008639; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; http.user_agent; content:"Win98"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3A|"; content:"X-Size|3A|"; content:"X-Sn|3A|"; fast_pattern; classtype:trojan-activity; sid:2014232; rev:5; metadata:created_at 2012_02_16, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Web_Client_Attacks, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/entman/index.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:7; metadata:created_at 2010_09_28, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.user_agent; content:"|20|Netsparker)"; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_pro_desk"; nocase; content:"include_file="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; http.user_agent; content:"FDM 3."; depth:6; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; flow:established,to_server; http.user_agent; content:"python-requests/"; classtype:attempted-recon; sid:2017515; rev:6; metadata:created_at 2013_09_25, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:1; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.user_agent; content:"Windows 3.1"; fast_pattern; content:!"Cisco AnyConnect VPN Agent"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; flowbits:set,et.exploitkitlanding; http.uri; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/"; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2017603; rev:10; metadata:created_at 2013_10_17, former_category EXPLOIT_KIT, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; http.uri; content:"/timthumb.php?"; content:!"webshot=1"; distance:0; content:"src="; distance:0; content:"http"; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/i"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:exploit-kit; sid:2014846; rev:14; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode"; flow:established,to_server; http.uri; content:"/svn/"; nocase; content:".exe"; distance:0; nocase; fast_pattern; http.host; content:".googlecode.com"; endswith; classtype:trojan-activity; sid:2018191; rev:4; metadata:created_at 2014_02_27, former_category CURRENT_EVENTS, updated_at 2020_09_13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Custom Contact Forms DB Upload/Download Auth Bypass"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-post.php?"; nocase; content:"page=ccf_settings"; nocase; fast_pattern; http.request_body; pcre:"/ccf_(?:(?:clear|merge)_im|ex)port/i"; reference:url,blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html; classtype:web-application-attack; sid:2018975; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_08_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_14;)
+#alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:7; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; threshold:type limit, count 10, seconds 60, track by_src; http.user_agent; content:"Mozilla/5.0 SF"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:6; metadata:created_at 2010_09_23, former_category NETBIOS, updated_at 2017_11_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; http.user_agent; content:"bsqlbf"; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+#alert tcp any any -> any [139,445] (msg:"ET NETBIOS Tree Connect AndX Request IPC$ Unicode"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; content:"| 00 5c 00 69 00 70 00 63 00 24 00 00 00|"; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; reference:cve,2006-4691; classtype:protocol-command-decode; sid:2025090; rev:2; metadata:created_at 2016_06_14, former_category NETBIOS, updated_at 2020_08_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WebShag Web Application Scan Detected"; flow:to_server,established; http.user_agent; content:"webshag"; reference:url,www.scrt.ch/pages_en/outils.html; classtype:attempted-recon; sid:2009158; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp any any -> $HOME_NET 445 (msg:"ET NETBIOS Microsoft Windows RRAS SMB Remote Code Execution"; flow:established,to_server; content:"|21 00 00 00 10 27 00 00 a4 86 01 00 41 41 41 41 04 00 00 00 41 41 41 41 a4 86 01 00 ad 0b 2d 06 d0 ba 61 41 41 90 90 90 90 90|"; reference:cve,2017-11885; reference:url,exploit-db.com/exploits/44616/; classtype:attempted-user; sid:2025824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_11, deployment Perimeter, deployment Datacenter, former_category NETBIOS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; http.method; content:"GET"; http.header; content:"C|3a|/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC WMI Remote Process Execution"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; classtype:bad-unknown; sid:2027167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_09, deployment Internal, former_category NETBIOS, signature_severity Informational, updated_at 2019_04_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.uni.cc domain"; flow:to_server,established; http.host; content:".uni.cc"; endswith; classtype:bad-unknown; sid:2013438; rev:5; metadata:created_at 2011_08_19, updated_at 2020_09_14;)
+#alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ShellExecute - Likely Lateral Movement"; flow:established,to_server; content:"|00|S|00|h|00|e|00|l|00|l|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027190; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2019_04_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; http.uri; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; classtype:web-application-attack; sid:2006447; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution"; flow:to_client,established; content:"|ff 53 4d 42 72|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; byte_test:4,<,4356,30,relative,little; reference:url,www.exploit-db.com/exploits/12258/; reference:cve,2010-0017; reference:bid,38100; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx; classtype:attempted-user; sid:2012084; rev:3; metadata:created_at 2010_12_22, updated_at 2020_08_19;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; urilen:22; http.method; content:"POST"; http.uri; content:"/cgi-bin/setup_dns.exe"; http.request_body; content:"getpage=|2e 2e|/html/setup/dns.htm"; depth:29; fast_pattern; content:"resolver|3a|settings/nameserver1="; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:6; metadata:created_at 2015_04_08, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow"; flow:to_server,established; content:"|ff 53 4d 42 32|"; offset:4; depth:5; content:"|00 00 00 00|"; within:4; content:"|00 00|"; distance:30; within:2; content:"|00 03 00|"; distance:19; within:3; reference:url,www.exploit-db.com/exploits/14607/; reference:url,seclists.org/fulldisclosure/2010/Aug/122; reference:cve,2010-2550; reference:bid,42224; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx; classtype:attempted-user; sid:2012094; rev:3; metadata:created_at 2010_12_23, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Aribitrary File Upload Vulnerability in WP Mobile Detector"; flow:from_client,established; http.uri; content:"/wp-content/plugins/wp-mobile-detector/"; content:"resize.php?src=http"; fast_pattern; reference:url,pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/; classtype:attempted-user; sid:2022860; rev:4; metadata:created_at 2016_06_03, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB llsrpc unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|l|00|l|00|s|00|r|00|p|00|c|00 00 00|"; within:16; distance:78; nocase; classtype:protocol-command-decode; sid:2103091; rev:6; metadata:created_at 2010_09_23, updated_at 2022_05_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; flowbits:set,ET.GOOTKIT; http.method; content:"GET"; http.uri; content:"/ftp"; nocase; http.header; content:!"www.trendmicro.com"; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest"; nocase; startswith; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_14;)
+alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; content:!"S|00|Q|00|L|00|C|00|m|00|d|00|P|00|a|00|r|00|s|00|e|00|r|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|r"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2021_05_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Variant Downloader Activity (3)"; flow:established,to_server; http.uri; content:"/?id"; nocase; content:"&rnd="; pcre:"/\/\?id(\d+)?&rnd=\d+$/"; http.header; content:!"Windows NT"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,438bcb3c4a304b65419674ce8775d8a3; classtype:trojan-activity; sid:2011338; rev:6; metadata:created_at 2010_09_28, updated_at 2020_09_14;)
+alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,!&,0x80,7,relative; content:"puiframeworkproresenu|2E|dll"; nocase; distance:0; fast_pattern; reference:cve,2018-12589; reference:url,exploit-db.com/exploits/44985; classtype:attempted-user; sid:2025790; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2021_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,&,0x80,7,relative; content:"p|00|u|00|i|00|f|00|r|00|a|00|m|00|e|00|w|00|o|00|r|00|k|00|p|00|r|00|o|00|r|00|e|00|s|00|e|00|n|00|u|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; reference:cve,2018-12589; reference:url,exploit-db.com/exploits/44985; classtype:attempted-user; sid:2025791; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2021_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?V="; fast_pattern; content:"&U="; distance:0; http.header; content:"Windows NT"; content:"Referer|3a|"; content:".php|0d 0a|"; distance:0; http.header_names; content:!"Accept-"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024176; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, signature_severity Major, tag Felismus, tag c2, updated_at 2020_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:8; metadata:created_at 2010_09_23, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery_photo.php?"; nocase; content:"photo_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008831; classtype:web-application-attack; sid:2008831; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mainx_a.php?"; nocase; content:"x="; nocase; content:"xid="; nocase; content:"bid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/15999/; classtype:web-application-attack; sid:2012219; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&from_main_page="; nocase; distance:0; fast_pattern; content:"&version="; nocase; distance:0; content:"&autologin="; nocase; distance:0; content:"&client="; nocase; distance:0; content:"&uiWebPath="; nocase; distance:0; classtype:credential-theft; sid:2032465; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET P2P Ares Server Connection"; flow:established,to_server; dsize:<70; content:"r|be|bloop|00|dV"; content:"Ares|00 0a|"; distance:16; reference:url,aresgalaxy.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008591; classtype:policy-violation; sid:2008591; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Verified by Visa Phish Jan 30 2014"; flow:established,to_server; http.uri; content:"/vbv.php"; fast_pattern; http.request_body; content:"password="; classtype:credential-theft; sid:2018044; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6969 (msg:"ET P2P BitTorrent Announce"; flow: to_server,established; content:"/announce"; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000369; classtype:policy-violation; sid:2000369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; flowbits:set,ET.PROPFIND; flowbits:noalert; http.method; content:"PROPFIND"; nocase; classtype:misc-activity; sid:2011456; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey IP Request"; dsize:4; content:"|e3 1b|"; depth:2; flowbits:set,BEedk.ip.requestect; flowbits:noalert; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003308; classtype:policy-violation; sid:2003308; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; http.stat_code; content:"404"; http.stat_msg; content:"Not Found"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_14;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Reply"; flowbits:isset,BEedk.ip.requestect; dsize:<20; content:"|e3 1c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003309; classtype:policy-violation; sid:2003309; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BTWebClient UA uTorrent in use"; flow:established,to_server; http.user_agent; content:"BTWebClient"; classtype:policy-violation; sid:2012247; rev:6; metadata:created_at 2011_01_27, updated_at 2020_09_14;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey IP Query End"; dsize:<20; content:"|e3 1d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003316; classtype:policy-violation; sid:2003316; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; http.user_agent; content:"rtorrent/"; depth:9; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; classtype:policy-violation; sid:2011705; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File ACK"; dsize:<20; content:"|e3 0d|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003311; classtype:policy-violation; sid:2003311; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/hnmain.inc.php3?"; nocase; content:"config[incdir]="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,inj3ct0r.com/exploits/11731; reference:url,exploit-db.com/exploits/12160; reference:url,doc.emergingthreats.net/2011161; classtype:web-application-attack; sid:2011161; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Connect Request"; dsize:25; content:"|e3 0a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003312; classtype:policy-violation; sid:2003312; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz"; flow:established,to_client; http.cookie; content:"snkz="; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/R"; classtype:trojan-activity; sid:2018141; rev:5; metadata:created_at 2014_02_15, former_category TROJAN, updated_at 2020_09_14;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Search Request (by file hash)"; dsize:19; content:"|e3 0e 14|"; depth:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003314; classtype:policy-violation; sid:2003314; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Libtorrent User-Agent"; flow:to_server,established; http.user_agent; content:"libtorrent"; nocase; classtype:policy-violation; sid:2012390; rev:6; metadata:created_at 2011_02_27, former_category P2P, updated_at 2020_09_14;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Get Sources Request (by hash)"; dsize:19; content:"|e3 9a|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003318; classtype:policy-violation; sid:2003318; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell GIF"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027738; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Status"; flow:established; dsize:14; content:"|e3 09 00 00 00 34|"; depth:6; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003324; classtype:policy-violation; sid:2003324; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Outbound WebShell JPEG"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2027739; rev:3; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P GnucDNA UDP Ultrapeer Traffic"; content:"SCP@|83|DNA@"; threshold: type both,track by_src,count 10,seconds 600; reference:url,doc.emergingthreats.net/bin/view/Main/2002760; classtype:policy-violation; sid:2002760; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client HTTP Request"; flow:to_server,established; http.uri; content:"/trackerphp/announce.php?"; nocase; content:"?port="; nocase; content:"&peer_id="; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; classtype:trojan-activity; sid:2006375; rev:8; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Kazaa over UDP"; content:"KaZaA"; nocase; threshold: type threshold, track by_src,count 10, seconds 60; reference:url,www.kazaa.com/us/index.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001796; classtype:policy-violation; sid:2001796; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install"; flow: to_server,established; http.uri; content:"/morpheus/morpheus.exe"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; classtype:policy-violation; sid:2001035; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $EXTERNAL_NET 41170 -> $HOME_NET any (msg:"ET P2P Manolito Connection (1)"; dsize:<48; content:"|3d 4a d9|"; depth:3; reference:url,doc.emergingthreats.net/2009097; classtype:policy-violation; sid:2009097; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; http.uri; content:"/morpheus/morpheus_sm.ini"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; classtype:policy-violation; sid:2001036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 41170 (msg:"ET P2P Manolito Ping"; dsize:<24; content:"|3d|"; depth:1; content:"|d9|"; distance:1; content:"|ed bb|"; distance:13; threshold: type limit, track by_src, seconds 300, count 1; reference:url,doc.emergingthreats.net/2009098; classtype:policy-violation; sid:2009098; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; http.uri; content:"/gwebcache/gcache.asg?hostfile="; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; classtype:policy-violation; sid:2001037; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET 8247 -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape UDP Session"; threshold: type both, count 2, seconds 60, track by_src; reference:url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx; reference:url,doc.emergingthreats.net/2009986; classtype:trojan-activity; sid:2009986; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; http.uri; content:"/ycontent/stats.php?version="; nocase; content:"EVENT=InstallBegin"; nocase; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp any any -> any any (msg:"ET P2P Phatbot Control Connection"; flow: established; content:"Wonk-"; content:"|00|#waste|00|"; within: 15; reference:url,www.lurhq.com/phatbot.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000015; classtype:trojan-activity; sid:2000015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 2, seconds 5; http.uri; content:"/acunetix-wvs-test-for-some-inexistent-file"; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET 2234 -> $HOME_NET any (msg:"ET P2P Soulseek Filesearch Results"; flow: from_server,established; content:"|09 00 00 00 78|"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001187; classtype:policy-violation; sid:2001187; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.uri; content:"/Netsparker-"; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; classtype:policy-violation; sid:2002950; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; classtype:web-application-attack; sid:2004546; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; classtype:policy-violation; sid:2002951; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/imc/login.jsf"; nocase; content:"loginForm"; nocase; content:"javax.faces.ViewState="; nocase; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; classtype:web-application-attack; sid:2011145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET P2P TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; classtype:policy-violation; sid:2002952; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; content:"email|3D|"; nocase; content:"hostname|3D|"; nocase; content:"default|5F|domain|3D|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; classtype:web-application-attack; sid:2010462; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; classtype:policy-violation; sid:2002953; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"onmouseover="; nocase; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; classtype:web-application-attack; sid:2009715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT ping request"; content:"d1|3a|ad2|3a|id20|3a|"; depth:12; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008581; classtype:policy-violation; sid:2008581; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; classtype:attempted-user; sid:2010460; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT announce_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:14; content:"e1|3a|q13|3a|announce_peer1|3a|"; nocase; distance:55; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008585; classtype:policy-violation; sid:2008585; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon; sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"User-Agent|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001808; classtype:policy-violation; sid:2001808; rev:8; metadata:created_at 2010_07_30, updated_at 2019_10_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/support_param.html/config"; nocase; content:"Admin_Name=&Admin_Phone="; nocase; content:"Product_URL="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/i"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; classtype:web-application-attack; sid:2010919; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P LimeWire P2P Traffic"; flow: established; content:"Server|3a| LimeWire"; nocase; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007800; classtype:policy-violation; sid:2007800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; http.uri; content:".aspx|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 8247 (msg:"ET P2P Octoshape P2P streaming media"; content:"POST / HTTP/1."; depth:64; content:"Oshtcp-streamtype|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,doc.emergingthreats.net/2010008; classtype:policy-violation; sid:2010008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_cmdshell"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| ABC/ABC"; nocase; reference:url,pingpong-abc.sourceforge.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003475; classtype:trojan-activity; sid:2003475; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_servicecontrol"; nocase; pcre:"/(start|stop|continue|pause|querystate)/i"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; reference:url,doc.emergingthreats.net/2009816; classtype:web-application-attack; sid:2009816; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT nodes reply"; content:"d1|3a|rd2|3a|id20|3a|"; nocase; depth:12; content:"5|3a|nodes"; nocase; distance:20; within:7; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008583; classtype:policy-violation; sid:2008583; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"sp_adduser"; nocase; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; classtype:web-application-attack; sid:2009817; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Direct Connect Traffic (client-server)"; flow:from_client,established; content:"$MyINFO"; depth:7; reference:url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application; reference:url,doc.emergingthreats.net/bin/view/Main/2002814; classtype:policy-violation; sid:2002814; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_reg"; nocase; pcre:"/xp_reg(read|write|delete)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; classtype:web-application-attack; sid:2009818; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status"; flow: to_server,established; content:"|e3 14|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001296; classtype:policy-violation; sid:2001296; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_fileexist"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; classtype:web-application-attack; sid:2009819; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey File Status Request"; flow: to_server,established; content:"|e3 11|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001297; classtype:policy-violation; sid:2001297; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_enumerrorlogs"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; classtype:web-application-attack; sid:2009820; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 4660:4799 (msg:"ET P2P eDonkey Server Status Request"; content:"|e3 96|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001298; classtype:policy-violation; sid:2001298; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_readerrorlogs"; nocase; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; reference:url,doc.emergingthreats.net/2009822; classtype:web-application-attack; sid:2009822; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert udp $HOME_NET 4660:4799 -> $EXTERNAL_NET any (msg:"ET P2P eDonkey Server Status"; content:"|e3 97|"; depth: 2; reference:url,www.edonkey.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001299; classtype:policy-violation; sid:2001299; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_"; nocase; content:"_enum"; nocase; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; classtype:web-application-attack; sid:2009823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp any 1024: -> any 1024: (msg:"ET P2P Gnutella TCP Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"200 OK|0d 0a|"; within:15; threshold: type both,track by_src,count 5,seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2007801; classtype:policy-violation; sid:2007801; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; classtype:attempted-recon; sid:2011142; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P KuGoo P2P Connection"; dsize:<30; content:"|64|"; depth:1; content:"|70|"; distance:5; content:"|50 37|"; distance:4; reference:url,koogoo.com; reference:url,doc.emergingthreats.net/2009966; classtype:policy-violation; sid:2009966; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; classtype:attempted-recon; sid:2011143; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert udp any any -> any any (msg:"ET P2P Overnet (Edonkey) Server Announce"; content:"|00 00 02 03 00 6c 6f 63|"; offset: 36; content:"|00 62 63 70 3a 2f 2f|"; distance: 1; reference:url,www.overnet.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000335; classtype:policy-violation; sid:2000335; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; classtype:attempted-recon; sid:2011144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $EXTERNAL_NET 2240 -> $HOME_NET 1024: (msg:"ET P2P SoulSeek P2P Login Response"; flow:from_server,established; content:"|5c 01 00 00 01 00 00 00|"; depth:8; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008611; classtype:policy-violation; sid:2008611; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=https|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009152; classtype:web-application-attack; sid:2009152; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
+alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Vuze BT Connection"; flow:established; content:"|00 00|"; depth:2; content:"|05|AZVER|01|"; distance:5; within:7; content:"appid"; within:10; threshold:type limit, track by_src, count 10, seconds 600; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010139; classtype:policy-violation; sid:2010139; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftp|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009153; classtype:web-application-attack; sid:2009153; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (2)"; dsize:94; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff 00 00 00 00 02 05 21|"; distance:8; within:11; content:"|00 00 00 00 00 00|"; distance:25; within:6; content:"|00 00|"; distance:20; within:2; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010141; classtype:policy-violation; sid:2010141; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftps\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009155; classtype:web-application-attack; sid:2009155; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (3)"; dsize:80; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|02 05 21 04|"; distance:4; within:4; threshold:type limit, track by_dst, count 10, seconds 600; reference:url,doc.emergingthreats.net/2010142; classtype:policy-violation; sid:2010142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; http.uri; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; classtype:web-application-attack; sid:2006443; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET P2P Vuze BT UDP Connection (4)"; dsize:<300; content:"|00 00 04|"; depth:3; content:"|00 00 00 00 00|"; distance:14; within:5; content:"|ff ff ff ff|"; distance:8; within:4; reference:url,doc.emergingthreats.net/2010143; classtype:policy-violation; sid:2010143; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; classtype:web-application-attack; sid:2006444; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request(2)"; dsize:35; content:"|e4 20|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009968; classtype:policy-violation; sid:2009968; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; http.uri; content:"varchar("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Firewalled Request"; dsize:35; content:"|e4 50|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009969; classtype:policy-violation; sid:2009969; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; http.uri; content:"exec("; nocase; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Server Status Request"; dsize:44; content:"|8c 97|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009972; classtype:policy-violation; sid:2009972; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; http.uri; content:"DECLARE|20|"; nocase; content:"CHAR("; nocase; content:"CAST("; nocase; reference:url,doc.emergingthreats.net/2008467; classtype:attempted-admin; sid:2008467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Send Username"; flow:established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:1; within:4; byte_test:1,<,51,37; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009973; classtype:policy-violation; sid:2009973; rev:4; metadata:created_at 2010_07_30, former_category P2P, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; http.uri; content:"ALTER"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; classtype:web-application-attack; sid:2010084; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella Connect"; flow: established,to_server; content:"GNUTELLA CONNECT/"; nocase; depth:17; reference:url,www.gnutella.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001664; classtype:policy-violation; sid:2001664; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; http.uri; content:"DROP"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; classtype:web-application-attack; sid:2010085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Gnutella TCP Ultrapeer Traffic"; flow: established,to_server; content:"GNUTELLA"; depth:8; content:"X-Ultrapeer|3a| True"; nocase; threshold: type both,track by_src,count 5,seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2002761; classtype:policy-violation; sid:2002761; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; http.uri; content:"CREATE"; nocase; pcre:"/^\s+(database|procedure|table|column|directory)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; classtype:web-application-attack; sid:2010086; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Limewire P2P UDP Traffic"; dsize:35; content:"|49 50 40 83 53 43 50 41 00 00|"; offset:25; depth:10; threshold: type both, track by_src, count 1, seconds 360; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001809; classtype:policy-violation; sid:2001809; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"CUR"; nocase; distance:0; pcre:"/^(?:DATE|TIME)/Ri"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; classtype:web-application-attack; sid:2010966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT get_peers request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; offset:12; content:"9|3a|info_hash20|3a|"; nocase; distance:20; within:14; content:"e1|3a|q9|3a|get_peers1|3a|"; nocase; distance:20; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008584; classtype:policy-violation; sid:2008584; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"TABLES"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; classtype:web-application-attack; sid:2010967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k request part"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 47|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000332; classtype:policy-violation; sid:2000332; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"VALUES"; nocase; distance:0; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; classtype:web-application-attack; sid:2011039; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k file request answer"; flow: to_server,established; content:"|e3|"; offset: 1; content:"|00 00 00 59|"; distance: 2; within: 4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000333; classtype:policy-violation; sid:2000333; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MassLogger Domain in TLS SNI (ecigroup-tw .com)"; flow:established,to_server; tls.sni; content:"ecigroup-tw.com"; bsize:15; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030879; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14;)
+#alert tcp $HOME_NET 4660:4799 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Client to Server Hello"; flow:established; dsize:>5; content:"|e3|"; offset:1; content:"|01|"; distance:4; within:5; content:"|02 01 00 01|"; distance:26; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003323; classtype:policy-violation; sid:2003323; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (enoyq5xy70oq .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"enoyq5xy70oq.x.pipedream.net"; bsize:28; reference:md5,033abc4e8a618e545e4e84e0504f853d; classtype:coin-mining; sid:2030872; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 2240 (msg:"ET P2P SoulSeek P2P Server Connection"; flow:established,to_server; content:"|01 00 00 00|"; offset:4; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/2008595; classtype:policy-violation; sid:2008595; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; http.uri; content:"BENCHMARK("; nocase; content:")"; pcre:"/BENCHMARK\x28[0-9].+\x29/i"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; classtype:web-application-attack; sid:2011041; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert tcp any any -> any 4660:4799 (msg:"ET P2P ed2k connection to server"; flow: to_server,established; content:"|e3|"; depth:1; content:"|00 00 00 01|"; distance:2; within:4; reference:url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2000330; classtype:policy-violation; sid:2000330; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server Message"; flow:established; dsize:>10; content:"|e3|"; depth:1; content:"|38|"; distance:4; within:5; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003321; classtype:policy-violation; sid:2003321; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; http.uri; content:"REVERSE"; nocase; pcre:"/[^\w]REVERSE[^\w]?\(/i"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; classtype:web-application-attack; sid:2011122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 4660:4799 (msg:"ET P2P Edonkey Server List"; flow:established; dsize:>12; content:"|e3|"; depth:1; content:"|32|"; distance:4; within:5; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003322; classtype:policy-violation; sid:2003322; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_layouts/help.aspx"; nocase; content:"cid0="; nocase; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; classtype:web-application-attack; sid:2011073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET P2P MS Foldershare Login Detected"; flow:established,to_client; content:"|0b|FolderShare|30 81 9f 30|"; nocase; offset:392; depth:18; reference:url,www.foldershare.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002673; classtype:policy-violation; sid:2002673; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; http.uri; content:"/utility.cgi?testType="; nocase; content:"IP="; nocase; content:"|7C 7C|"; pcre:"/\x7C\x7C.+[a-z]/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; classtype:attempted-admin; sid:2010159; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent DHT find_node request"; content:"d1|3a|ad2|3a|id20|3a|"; nocase; depth:24; content:"6|3a|target20|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; nocase; distance:20; content:"e1|3a|q9|3a|find_node1|3a|"; distance:20; nocase; threshold: type both, count 1, seconds 300, track by_src; reference:url,wiki.theory.org/BitTorrentDraftDHTProtocol; reference:url,doc.emergingthreats.net/bin/view/Main/2008582; classtype:policy-violation; sid:2008582; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004386; classtype:web-application-attack; sid:2004386; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Ocelot BitTorrent Server in Use"; flow:established,from_server; content:"HTTP/1.1 200 |0d 0a|Server|3a| Ocelot "; depth:30; classtype:policy-violation; sid:2012467; rev:2; metadata:created_at 2011_03_10, updated_at 2011_03_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET "; depth:4; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:2101699; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"INSTR"; nocase; pcre:"/SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; classtype:web-application-attack; sid:2010284; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P JoltID Agent New Code Download"; flow: established; content:"PeerEnabler"; http_header; fast_pattern:only; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; reference:url,doc.emergingthreats.net/2001652; classtype:trojan-activity; sid:2001652; rev:34; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SUBSTR"; nocase; pcre:"/SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; classtype:web-application-attack; sid:2010285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"GPL P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2102181; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; http.uri; content:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:pup-activity; sid:2003060; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"GPL P2P eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; content:"|01|SENDLINK|7c|"; distance:0; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2102584; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; http.uri; content:"/prxjdg.cgi"; nocase; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp any 4711 -> $HOME_NET any (msg:"GPL P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2102587; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/etc/passwd?format="; content:"><script>alert('xss')"; content:"traversal="; reference:url,www.computec.ch/projekte/httprecon/; reference:url,doc.emergingthreats.net/2008627; classtype:attempted-recon; sid:2008627; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/.adSensePostNotThereNoNobook"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Backend Data Miner Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/actSensePostNotThereNoNotive"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008629; classtype:attempted-recon; sid:2008629; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|0D 0A|Location|3A|"; nocase; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; classtype:web-application-attack; sid:2011763; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3; metadata:created_at 2013_03_26, updated_at 2013_03_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; classtype:attempted-recon; sid:2009479; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Torrent Client User-Agent (Solid Core/0.82)"; flow:to_server,established; content:"User-Agent|3a| Solid Core/"; http_header; reference:url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b; classtype:policy-violation; sid:2013869; rev:7; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".pl~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent Traffic"; flow: established; content:"|0000400907000000|"; depth:8; threshold: type limit, count 1, seconds 120, track by_src; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000357; classtype:policy-violation; sid:2000357; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET P2P Vuze BT UDP Connection (5)"; dsize:<20; content:"|00 00 04 17 27 10 19 80 00 00 00 00|"; depth:12; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010144; classtype:policy-violation; sid:2010144; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".conf~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares over UDP"; content:"Ares "; offset:36; depth:7; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003437; classtype:policy-violation; sid:2003437; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; classtype:web-application-attack; sid:2009952; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) beacon"; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:42; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015966; rev:2; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category P2P, signature_severity Major, tag c2, updated_at 2012_11_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".aspx~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; classtype:web-application-attack; sid:2009953; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (udp) payload"; content:"QVOD"; depth:32; reference:md5,816a02a1250d90734059ed322ace72c7; classtype:policy-violation; sid:2015967; rev:2; metadata:created_at 2012_11_30, updated_at 2012_11_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".cgi~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; classtype:web-application-attack; sid:2010820; rev:9; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
+#alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET P2P Edonkey Search Reply"; dsize:>200; content:"|e3 0f|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003315; classtype:policy-violation; sid:2003315; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 1"; flow:established,to_client; http.cookie; content:"ci_session="; file.data; content:"ne_unik"; fast_pattern; within:7; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:4; metadata:created_at 2013_05_31, updated_at 2020_09_14;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P Edonkey Publicize File"; dsize:>15; content:"|e3 0c|"; depth:2; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003310; classtype:policy-violation; sid:2003310; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M10"; flow:established,to_server; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:"Referer|0d 0a|"; distance:0; reference:md5,ba2e4a231652f8a492feb937b1e96e71; classtype:trojan-activity; sid:2030868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Major, updated_at 2020_09_14;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule Kademlia Hello Request"; dsize:<48; content:"|e4 11|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009970; classtype:policy-violation; sid:2009970; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=peernew.com"; nocase; endswith; reference:md5,f3ead1eef8ee0d3b4aceaef10b7b4a9c; classtype:domain-c2; sid:2030867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET !7680 (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Zimbra Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Zimbra Web Client Sign In"; fast_pattern; classtype:social-engineering; sid:2030869; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_09_14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 7680 (msg:"ET P2P MS WUDO Peer Sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq; classtype:policy-violation; sid:2022371; rev:1; metadata:created_at 2016_01_15, updated_at 2016_01_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GoLang Dropper Domain (en7dftkjiipor .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en7dftkjiipor.x.pipedream.net"; bsize:29; reference:url,sysopfb.github.io/malware/2019/09/26/Golang-Dropper-With-A-Rat.html; reference:md5,a1de4ff7292f4557a7b133d90e2ec538; classtype:domain-c2; sid:2030873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; content:!"mapfactor.com"; classtype:policy-violation; sid:2014734; rev:5; metadata:created_at 2012_05_11, updated_at 2012_05_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (endpsbn1u6m8f .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"endpsbn1u6m8f.x.pipedream.net"; bsize:29; reference:md5,0789fc10c0b2e34b4d780b147ae98759; classtype:coin-mining; sid:2030874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024: (msg:"ET P2P Vuze BT UDP Connection"; dsize:<80; content:!"|00 22 02 00|"; depth: 4; content:"|00 00 04|"; distance:8; within:3; content:"|00 00 00 00 00|"; distance:6; within:5; threshold: type limit, count 1, seconds 120, track by_src; reference:url,vuze.com; reference:url,doc.emergingthreats.net/2010140; classtype:policy-violation; sid:2010140; rev:7; metadata:created_at 2010_07_30, updated_at 2016_11_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CoinMiner CnC Domain (en24zuggh3ywlj .x .pipedream .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"en24zuggh3ywlj.x.pipedream.net"; bsize:30; reference:md5,785a7a47010d58638b874f29c4a1f0ad; classtype:coin-mining; sid:2030875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert udp $HOME_NET [!3389,1024:65535] -> $EXTERNAL_NET [!3389,1024:65535] (msg:"ET P2P Edonkey Search Request (search by name)"; dsize:>5; content:"|e3 98|"; depth:2; content:"|01|"; within:3; reference:url,www.giac.org/certified_professionals/practicals/gcih/0446.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003319; classtype:policy-violation; sid:2003319; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Exfil"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".d.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030876; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert udp $HOME_NET 1024:65535 -> [$EXTERNAL_NET,!224.0.0.0/4] 1024:65535 (msg:"ET P2P ThunderNetwork UDP Traffic"; dsize:<38; content:"|32 00 00 00|"; depth:4; content:"|00 00 00 00|"; distance:1; threshold:type limit, track by_src, count 1, seconds 300; reference:url,xunlei.com; reference:url,en.wikipedia.org/wiki/Xunlei; reference:url,doc.emergingthreats.net/2009099; classtype:policy-violation; sid:2009099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_01_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSBin Demo (requestbin .net) - Data Inbound"; threshold: type limit, track by_src, seconds 180, count 1; dns.query; bsize:>32; content:"|2e|"; content:".i.requestbin.net"; distance:20; within:17; endswith; reference:md5,887648a50d31ed3f5f2f7bbe0d7eb35a; reference:url,requestbin.net/dns; classtype:command-and-control; sid:2030877; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET P2P Soulseek"; flow: established; content:"slsknet"; reference:url,www.slsknet.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001188; classtype:policy-violation; sid:2001188; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Phish M1 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"location="; depth:9; nocase; content:"&langa="; nocase; distance:0; content:"&ext="; nocase; distance:0; content:"&hold="; nocase; distance:0; content:"&djj="; nocase; distance:0; content:"&dmm="; nocase; distance:0; content:"&daa="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expiry="; nocase; distance:0; content:"&cvc="; nocase; distance:0; classtype:credential-theft; sid:2032466; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P BitTorrent announce request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/announce"; content:"info_hash="; content:"event=started"; classtype:policy-violation; sid:2102180; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sage Ransomware Checkin"; flow:established,from_server; flowbits:isset,ET.Sage.Primer; http.header; content:"Content-Length|3a 20|1|0d 0a|"; file.data; content:"k"; within:1; endswith; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023767; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2020_09_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; urilen:8; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; http.method; content:"POST"; http.uri; content:"/service"; classtype:policy-violation; sid:2014459; rev:3; metadata:created_at 2012_04_03, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; http.content_type; content:"application/x-msdownload"; bsize:24; file.data; content:"|3d 28 28|"; within:3; endswith; classtype:exploit-kit; sid:2023768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client HTTP Request"; flow:to_server,established; http.uri; content:"/gnutella/"; nocase; content:"?client=BEAR"; nocase; content:"&version="; reference:url,doc.emergingthreats.net/bin/view/Main/2006379; classtype:trojan-activity; sid:2006379; rev:7; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/foo-autenticazione.php"; fast_pattern; endswith; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2024370; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x)"; flow:to_server,established; http.user_agent; content:"Enhanced-CTorrent"; reference:url,www.rahul.net/dholmes/ctorrent; reference:url,doc.emergingthreats.net/2011703; classtype:policy-violation; sid:2011703; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK Broken/Filtered Payload Download Jun 19 2017"; flow:established,from_server; http.header; content:"Content-Length|3a 20|8|0d 0a|"; fast_pattern; file.data; content:"|6e 6f 62 69 6e 72 65 74|"; within:8; endswith; classtype:exploit-kit; sid:2024414; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Opera/10.x)"; flow:to_server,established; http.user_agent; content:"Opera BitTorrent, Opera/"; reference:url,www.opera.com; reference:url,doc.emergingthreats.net/2011701; classtype:policy-violation; sid:2011701; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FF-RAT Stage 1 CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?hdr_ctx="; fast_pattern; pcre:"/\.php\?hdr_ctx=[0-9]{1,5}_[0-9]{1,5}$/"; http.user_agent; content:"Mozilla/5.0"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cylance.com/en_us/blog/breaking-down-ff-rat-malware.html; classtype:command-and-control; sid:2024419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Vagaa peer-to-peer (Transfer)"; flow:from_client,established; http.header; content:"VAGAA-OPERATION|3a| Transfer|0d 0a|"; reference:url,en.wikipedia.org/wiki/Vagaa; classtype:policy-violation; sid:2018012; rev:3; metadata:created_at 2014_01_27, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LockPOS CnC"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"lock"; fast_pattern; endswith; http.request_body; content:"|00 00 00|"; offset:1; depth:3; reference:md5,0ad35a566cfb60959576835ede75983b; reference:url,www.arbornetworks.com/blog/asert/lockpos-joins-flock/; classtype:command-and-control; sid:2024461; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category MALWARE, malware_family PoS, signature_severity Major, tag POS, tag LockPOS, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (uTorrent)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|uTorrent"; reference:url,www.utorrent.com; reference:url,doc.emergingthreats.net/2011706; classtype:policy-violation; sid:2011706; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)"; dns.query; content:"formyip.com"; endswith; classtype:external-ip-check; sid:2024830; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)"; flow:established,to_server; http.user_agent; content:"Transmission/"; depth:13; reference:url,www.transmissionbt.com; reference:url,doc.emergingthreats.net/2011699; classtype:policy-violation; sid:2011699; rev:7; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dragonfly APT Activity HTTP URI OPTIONS"; flow:established,to_server; http.method; content:"OPTIONS"; http.uri; content:"/ame_icon.png"; fast_pattern; endswith; reference:url,www.us-cert.gov/ncas/alerts/TA17-293A; reference:url,www.us-cert.gov/sites/default/files/publications/MIFR-10128883_TLP_WHITE.pdf; classtype:targeted-activity; sid:2024899; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x)"; flow:to_server,established; http.user_agent; content:"Deluge"; depth:6; reference:url,deluge-torrent.org; reference:url,doc.emergingthreats.net/2011704; classtype:policy-violation; sid:2011704; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in DNS Lookup)"; dns.query; content:"handbrakestore.com"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024890; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Pando Client User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Pando/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008625; classtype:policy-violation; sid:2008625; rev:8; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_08_27;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in DNS Lookup)"; dns.query; content:"eltima.in"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024888; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Tor Get Server Request"; flow:established,to_server; http.uri; content:"/tor/server/"; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008113; classtype:policy-violation; sid:2008113; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_01;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in DNS Lookup)"; dns.query; content:"handbrake.cc"; endswith; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024892; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Tor Get Status Request"; flow:established,to_server; http.uri; content:"/tor/status/"; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008115; classtype:policy-violation; sid:2008115; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IoT_reaper ELF Binary Request M5 (set)"; flow:established,to_server; flowbits:set,ET.iotreaper; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/server.armel"; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/; classtype:trojan-activity; sid:2024928; rev:4; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; http.user_agent; content:"FDM 3."; depth:6; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic 000webhostapp.com Phish 2017-10-27"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:credential-theft; sid:2029664; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BTWebClient UA uTorrent in use"; flow:established,to_server; http.user_agent; content:"BTWebClient"; classtype:policy-violation; sid:2012247; rev:6; metadata:created_at 2011_01_27, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017"; flow:to_server, established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"pasuma"; nocase; depth:100; fast_pattern; content:"name"; nocase; classtype:credential-theft; sid:2024942; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (rTorrent)"; flow:to_server,established; http.user_agent; content:"rtorrent/"; depth:9; reference:url,libtorrent.rakshasa.no; reference:url,doc.emergingthreats.net/2011705; classtype:policy-violation; sid:2011705; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M4"; dns.query; content:"cbk99.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024933; rev:5; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Libtorrent User-Agent"; flow:to_server,established; http.user_agent; content:"libtorrent"; nocase; classtype:policy-violation; sid:2012390; rev:6; metadata:created_at 2011_02_27, former_category P2P, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M5"; dns.query; content:"bbk80.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024934; rev:5; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client HTTP Request"; flow:to_server,established; http.uri; content:"/trackerphp/announce.php?"; nocase; content:"?port="; nocase; content:"&peer_id="; reference:url,doc.emergingthreats.net/bin/view/Main/2006375; classtype:trojan-activity; sid:2006375; rev:8; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (cba4a6e5d3c956548a337c52388473f1 .com in DNS Lookup)"; dns.query; content:"cba4a6e5d3c956548a337c52388473f1.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024956; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install"; flow: to_server,established; http.uri; content:"/morpheus/morpheus.exe"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001035; classtype:policy-violation; sid:2001035; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (0a0074066c49886a39b5a3072582f5d6 .net in DNS Lookup)"; dns.query; content:"0a0074066c49886a39b5a3072582f5d6.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024957; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Install ini Download"; flow: to_server,established; http.uri; content:"/morpheus/morpheus_sm.ini"; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001036; classtype:policy-violation; sid:2001036; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (73780fbd309561e201a4aee9914d882d .org in DNS Lookup)"; dns.query; content:"73780fbd309561e201a4aee9914d882d.org"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024958; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Morpheus Update Request"; flow: to_server,established; http.uri; content:"/gwebcache/gcache.asg?hostfile="; nocase; reference:url,www.morpheus.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001037; classtype:policy-violation; sid:2001037; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (dcb5684707f6c66492aaa9f7d9bfb5a6 .biz in DNS Lookup)"; dns.query; content:"dcb5684707f6c66492aaa9f7d9bfb5a6.biz"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024959; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P possible torrent download"; flow:established,to_server; http.uri; content:".torrent"; nocase; endswith; http.host; content:!"mapfactor.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:10; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (322ffbbc7c1b312c2f9d942f20422f8d .com in DNS Lookup)"; dns.query; content:"322ffbbc7c1b312c2f9d942f20422f8d.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024960; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P zzima_loader"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/zzima_loader/"; fast_pattern; http.user_agent; content:"zzima-nloader/ 1.0.3.1"; depth:22; http.header_names; content:!"Referer|0d 0a|"; reference:md5,810b4464785d8d007ca0c86c046ac0ef; classtype:trojan-activity; sid:2018532; rev:5; metadata:created_at 2014_06_05, updated_at 2020_09_24;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (18bca7c5fd709ac468ba148c590ef6bf .net in DNS Lookup)"; dns.query; content:"18bca7c5fd709ac468ba148c590ef6bf.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024961; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P p2p Related User-Agent (eChanblard)"; flow:to_server,established; http.user_agent; content:"eChanblard"; depth:10; endswith; reference:url,doc.emergingthreats.net/2011232; classtype:trojan-activity; sid:2011232; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (aaafc94b3a37b75ae9cb60afc42e86fe .org in DNS Lookup)"; dns.query; content:"aaafc94b3a37b75ae9cb60afc42e86fe.org"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024962; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; http.user_agent; content:"Ares"; startswith; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (c13a856f4a879a89e9a638207efd6c94 .biz in DNS Lookup)"; dns.query; content:"c13a856f4a879a89e9a638207efd6c94.biz"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024963; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; http.user_agent; content:"Azureus"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; classtype:policy-violation; sid:2007799; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M6"; dns.query; content:"bbk86.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024935; rev:4; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; http.user_agent; content:"BTSP/"; depth:5; reference:url,doc.emergingthreats.net/2011713; classtype:policy-violation; sid:2011713; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE IoT_reaper DNS Lookup M7"; dns.query; content:"ha859.com"; endswith; reference:url,research.checkpoint.com/iotroop-botnet-full-investigation/; classtype:trojan-activity; sid:2024936; rev:4; metadata:attack_target IoT, created_at 2017_10_31, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; http.user_agent; content:"BitComet/"; depth:9; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (2fa3c2fa16c47d9b9bff8986a42b048f .com in DNS Lookup)"; dns.query; content:"2fa3c2fa16c47d9b9bff8986a42b048f.com"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024964; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; http.user_agent; content:"BitTornado/"; depth:11; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; classtype:policy-violation; sid:2011702; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE RouteX CnC Domain (3ec9b600789b3bacf2c72ebae142a9c3 .net in DNS Lookup)"; dns.query; content:"3ec9b600789b3bacf2c72ebae142a9c3.net"; endswith; reference:url,forkbomb.us/press-releases/2017/09/08/routex-press-release.html; classtype:command-and-control; sid:2024965; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_11_06, deployment Internal, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; http.user_agent; content:"Bittorrent"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; classtype:trojan-activity; sid:2006372; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (tashdqdxp .com in DNS Lookup)"; dns.query; content:"tashdqdxp.com"; endswith; classtype:trojan-activity; sid:2024986; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; http.user_agent; content:"KTorrent/3"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; classtype:policy-violation; sid:2011700; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (weryhstui .com in DNS Lookup)"; dns.query; content:"weryhstui.com"; endswith; classtype:trojan-activity; sid:2024987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; http.user_agent; content:"ktorrent/2"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; classtype:policy-violation; sid:2011711; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (fyoutside .com in DNS Lookup)"; dns.query; content:"fyoutside.com"; endswith; classtype:trojan-activity; sid:2024988; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Client User-Agent (Shareaza 2.x)"; flow:to_server,established; http.user_agent; content:"Shareaza 2."; depth:11; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; classtype:policy-violation; sid:2011707; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE SunOrcal Reaver Domain Observed (olinaodi .com in DNS Lookup)"; dns.query; content:"olinaodi.com"; endswith; classtype:trojan-activity; sid:2024989; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category TROJAN, malware_family SunOrcal, malware_family Reaver, performance_impact Low, signature_severity Major, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; http.user_agent; content:"BearShare"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; classtype:trojan-activity; sid:2006371; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible barclays .co. uk Phishing Domain 2016-06-22"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"barclays.co.uk"; fast_pattern; isdataat:20,relative; content:!".exit"; endswith; classtype:social-engineering; sid:2032445; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P FFTorrent P2P Client User-Agent (FFTorrent/x.x.x)"; flow:to_server,established; http.user_agent; content:"FFTorrent/"; depth:10; classtype:policy-violation; sid:2028942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Amazon Phishing Domain 2016-06-21"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"amazon.com"; fast_pattern; isdataat:20,relative; content:!".exit"; endswith; classtype:social-engineering; sid:2032444; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".tk"; endswith; fast_pattern; classtype:credential-theft; sid:2023137; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1"; dns.query; content:"loaderclientarea24.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025014; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:social-engineering; sid:2012630; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 2"; dns.query; content:"loaderclientarea22.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025015; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET PHISHING Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 3"; dns.query; content:"loaderclientarea20.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025016; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET PHISHING Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:social-engineering; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 4"; dns.query; content:"loaderclientarea15.ru"; nocase; endswith; reference:md5,c4acc83183ac0fabe92fc02ae5ef3ca4; reference:url,www.welivesecurity.com/2017/11/15/multi-stage-malware-sneaks-google-play/; classtype:trojan-activity; sid:2025017; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_11_22, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:command-and-control; sid:2015921; rev:2; metadata:created_at 2012_11_21, former_category PHISHING, updated_at 2012_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Shiz.fxm/Agent-TBT Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 2.0|3b|"; depth:34; fast_pattern; http.referer; content:"http://www.google.com"; depth:21; endswith; classtype:command-and-control; sid:2013435; rev:6; metadata:created_at 2011_08_19, former_category MALWARE, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:3; metadata:created_at 2012_11_29, former_category INFO, updated_at 2012_11_29;)
 
-alert http any any -> any any (msg:"ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wpad.dat"; fast_pattern; endswith; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022913; rev:5; metadata:created_at 2016_06_23, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:bad-unknown; sid:2018334; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2014_03_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .su TLD (Soviet Union) Often Malware Related"; dns.query; content:".su"; nocase; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014169; rev:4; metadata:created_at 2012_01_31, updated_at 2020_09_14;)
+#alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET PHISHING Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:social-engineering; sid:2018853; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; dns.query; content:".3322.org"; nocase; endswith; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:9; metadata:created_at 2011_01_12, updated_at 2020_09_14;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"|22 5c|x6C|5c|x6F|5c|x63|5c|x61|5c|x74|5c|x69|5c|x6F|5c|x6E"; nocase; content:"window[_0x"; content:"[1]][_0x"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:targeted-activity; sid:2019540; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vflooder.C Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"google.com"; fast_pattern; depth:10; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2021337; rev:5; metadata:created_at 2015_06_24, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019681; rev:3; metadata:created_at 2014_11_08, updated_at 2014_11_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup"; dns.query; content:"ilo.brenz.pl"; nocase; endswith; classtype:trojan-activity; sid:2012730; rev:7; metadata:created_at 2011_04_27, former_category TROJAN, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:social-engineering; sid:2020623; rev:3; metadata:created_at 2015_03_05, updated_at 2015_03_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com)"; flow:established,to_server; threshold:type both,track by_src,count 2,seconds 10; http.start; content:"GET / HTTP/1.1|0d 0a|Host|3a 20|google.com|0d 0a 0d 0a|"; depth:36; endswith; classtype:bad-unknown; sid:2018430; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-02"; flow:to_client,established; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"Thank you</title>"; nocase; distance:0; content:"information.Your submitted"; nocase; distance:0; content:"Accounts Management Department in 24 hours"; nocase; distance:0; classtype:credential-theft; sid:2031686; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2015_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; http.host; content:".pw"; fast_pattern; endswith; content:!"u.pw"; depth:4; endswith; classtype:bad-unknown; sid:2016777; rev:14; metadata:created_at 2013_04_20, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Account Phish Landing Oct 22"; flow:established,from_server; file_data; content:"<title>Sign in</title>"; content:"name=chalbhai"; fast_pattern; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; content:"required title=|22|Please Enter Right Value|22|"; nocase; distance:0; classtype:social-engineering; sid:2025692; rev:2; metadata:created_at 2015_10_22, former_category CURRENT_EVENTS, updated_at 2018_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xtrat.A Checkin"; flow:established,to_server; http.uri; content:".functions"; fast_pattern; endswith; pcre:"/^\/\d+\.functions$/"; http.host; content:!"microsoft.com"; http.header_names; content:!"Referer"; reference:md5,f45b1b82c849fbbea3374ae7e9200092; classtype:command-and-control; sid:2016275; rev:12; metadata:created_at 2011_12_13, former_category MALWARE, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"var translate_dict = {"; nocase; content:"VERIFICATION_CODE"; nocase; distance:0; fast_pattern; content:"VERIFICATION_CODE_REQUIRED"; nocase; distance:0; content:"NOT_BEGIN_OR_END_WITH_SPACE"; nocase; distance:0; content:"USERNAME_ALL_NUMERIC"; nocase; distance:0; content:"PASSWORDS_DONT_MATCH"; nocase; distance:0; content:"PWD_HINT_REQUIRED"; nocase; distance:0; content:"PASSWORD_MATCHES_USERNAME"; nocase; distance:0; content:"REQUEST_PASSWORD_RESET"; nocase; distance:0; content:"ENTER_VALID_VERIFICATION_CODE"; nocase; distance:0; content:"PASSWORD_MATCH_HINT"; nocase; distance:0; content:"Your work here is done"; nocase; distance:0; content:"Yikes! Something's gone wrong."; nocase; distance:0; classtype:social-engineering; sid:2031691; rev:2; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2015_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 2"; flow:established,to_server; urilen:>1; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:2,2,Tinba.Pivot,relative; byte_test:2,=,Tinba.Pivot,2,relative; byte_test:2,!=,Tinba.Pivot,5,relative; http.method; content:"POST"; http.uri; content:"/"; endswith; http.content_len; byte_test:0,>,99,0,string,dec; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; fast_pattern; content:!"User-Agent"; content:!"Accept"; reference:md5,7af6d8de2759b8cc534ffd72fdd8a654; classtype:command-and-control; sid:2020418; rev:7; metadata:created_at 2015_02_12, former_category MALWARE, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:social-engineering; sid:2022083; rev:2; metadata:created_at 2015_11_13, updated_at 2015_11_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; http.host; content:"checkip.dyndns.org"; fast_pattern; depth:18; endswith; classtype:external-ip-check; sid:2021378; rev:5; metadata:created_at 2015_07_02, former_category POLICY, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-20"; flow:established,from_server; file_data; content:"<title>Google Drive"; fast_pattern; nocase; content:"For security reasons"; nocase; distance:0; content:"select your email provider"; nocase; distance:0; content:"enter your email and password"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2031701; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".exe"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2016141; rev:7; metadata:created_at 2013_01_03, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webmail Phishing Landing 2015-11-21"; flow:established,from_server; file_data; content:"login.live.com"; nocase; content:"<title>Sign In"; nocase; distance:0; fast_pattern; content:"Generic Password Error Message"; nocase; distance:0; content:"enter your email address"; nocase; distance:0; content:"Microsoft account"; nocase; distance:0; classtype:social-engineering; sid:2031702; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Session"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2009512; classtype:trojan-activity; sid:2009512; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Phishing 2015-11-21"; flow:established,from_server; file_data; content:"<title>Outlook"; fast_pattern; nocase; content:"http-equiv=|22|refresh"; nocase; distance:0; content:"Update successful"; nocase; distance:0; content:"your account verification information"; nocase; distance:0; content:"emailed to you shortly"; nocase; distance:0; classtype:credential-theft; sid:2031703; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.FakeAV.Rean Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; pcre:"/\/\d{10}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; fast_pattern; endswith; http.protocol; content:"HTTP/1.0"; reference:md5,0a998a070beb287524f9be6dd650c959; classtype:command-and-control; sid:2013339; rev:8; metadata:created_at 2011_08_02, former_category MALWARE, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING cPanel Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"<title>Please wait.."; nocase; fast_pattern; content:"form id=|22|myForm|22|"; nocase; distance:0; content:"name=|22|myForm|22|"; nocase; distance:0; content:"method=|22|POST|22|"; nocase; distance:0; content:"name=|22|email|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"name=|22|submit|22|"; nocase; distance:0; classtype:social-engineering; sid:2031704; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check"; flow:established,to_server; urilen:1; http.user_agent; content:"|3b 20|MSIE|20|"; fast_pattern; http.host; content:"www.google.com"; depth:14; endswith; http.accept; content:"*/*"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:59; endswith; classtype:trojan-activity; sid:2018242; rev:7; metadata:created_at 2014_03_10, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing Landing 2015-12-01"; flow:established,to_client; file_data; content:"id=|22|Anonisma"; fast_pattern; nocase; content:"class=|22|Anonisma"; nocase; distance:0; classtype:social-engineering; sid:2031705; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.host; content:"api.wipmania.com"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; classtype:trojan-activity; sid:2015800; rev:10; metadata:created_at 2012_10_13, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phish Landing 2015-12-08"; flow:to_client,established; file_data; content:"id=|22|sfm_excel_body|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|Email|22|"; nocase; distance:0; content:"name=|22|Password|22|"; nocase; distance:0; content:"type=|22|password|22|"; nocase; distance:0; content:"Keep me signed in"; nocase; distance:0; classtype:social-engineering; sid:2031692; rev:4; metadata:created_at 2015_12_08, former_category PHISHING, updated_at 2015_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installer)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Installer"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Logging in"; nocase; fast_pattern; content:".php?cmd=_"; nocase; distance:0; content:"Hold a while"; nocase; distance:0; content:"Still loading after a few seconds"; nocase; distance:0; classtype:social-engineering; sid:2031706; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; dns.query; content:".flnet.org"; nocase; endswith; classtype:bad-unknown; sid:2014500; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Apple Phish Landing Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>iTunes"; nocase; fast_pattern; content:"Enter Your Password"; nocase; distance:0; content:"<!-- PHOEN!X -->"; nocase; distance:0; classtype:social-engineering; sid:2031693; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P possible torrent download"; flow:established,to_server; http.uri; content:".torrent"; nocase; endswith; http.host; content:!"mapfactor.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2007727; classtype:policy-violation; sid:2007727; rev:10; metadata:created_at 2010_07_30, former_category P2P, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHOEN!X Phish Loading Page 2015-12-29"; flow:from_server,established; file_data; content:"<title>Checking Informations"; content:"http-equiv=|22|refresh|22|"; classtype:social-engineering; sid:2031694; rev:2; metadata:created_at 2015_12_29, former_category PHISHING, updated_at 2015_12_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious double Server Header"; flow:from_server,established; http.header_names; content:"|0d 0a|Server|0d 0a|"; content:"Server|0d 0a|"; distance:0; http.response_line; content:"HTTP/1.1 200"; depth:12; endswith; classtype:trojan-activity; sid:2012707; rev:7; metadata:created_at 2011_04_22, former_category MALWARE, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful WZ-REKLAMA Phish 2016-01-08"; flow:to_client,established; file_data; content:"<!--WZ-REKLAMA"; nocase; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; within:8; classtype:credential-theft; sid:2031952; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:established,to_client; http.response_line; content:"HTTP/1.1 405 Method Not Allowed"; depth:31; endswith; nocase; file.data; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010520; classtype:web-application-attack; sid:2010520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Account Exceeded Quota Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>WebMail"; nocase; fast_pattern; content:"E-Mail account has exceeded"; nocase; distance:0; content:"upgrade your mailbox"; nocase; distance:0; content:"avoid disrupt and lost"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent Containing .exe"; flow:established,to_server; http.uri; content:!"CTX_"; http.header; content:!"lnssatt.exe"; http.user_agent; content:".exe"; nocase; endswith; fast_pattern; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; content:!"vsee.exe"; nocase; http.host; content:!"gfi.com"; content:!"pandasoftware.com"; classtype:trojan-activity; sid:2013224; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag User_Agent, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 Data URI Javascript Refresh - Possible Phishing Landing"; flow:from_server,established; file_data; content:"<script"; nocase; content:"window.location="; distance:0; content:"data|3a|text/html|3b|base64,"; distance:1; within:22; fast_pattern; classtype:social-engineering; sid:2031955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; http.host; content:".3322.net"; endswith; classtype:misc-activity; sid:2014788; rev:9; metadata:created_at 2012_05_19, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Base64 HTTP URL Refresh - Common Phish Landing Obfuscation 2016-01-01"; flow:to_client,established; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"data|3a|text/html|3b|base64,"; distance:0; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22|\x27/Rsi"; content:!"cGFnZV9ub3RfZm91bmQuaHRtb"; classtype:social-engineering; sid:2031695; rev:3; metadata:created_at 2016_01_01, former_category PHISHING, updated_at 2016_11_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; dns.query; content:"networksecurityx.hopto.org"; endswith; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:6; metadata:created_at 2014_01_24, updated_at 2020_09_14;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022372; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2016_11_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; dns.query; content:".dtdns.net"; nocase; endswith; classtype:bad-unknown; sid:2014492; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M5"; flow:to_server,established; content:"POST"; http_method; content:"/wp-"; http_uri; depth:4; content:".php"; http_uri; content:"usr="; nocase; depth:4; http_client_body; fast_pattern; content:"&pss="; nocase; http_client_body; distance:0; classtype:credential-theft; sid:2031561; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2013684; rev:6; metadata:created_at 2011_09_22, updated_at 2020_09_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:social-engineering; sid:2023657; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, malware_family Tech_Support_Scam, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; http.host; content:".dtdns.net"; endswith; classtype:bad-unknown; sid:2014493; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Kelihos.F EXE Download Common Structure"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^(?:\/[a-z]+\d*?)?\/\d?\w+\d*?\.exe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,f5bcc28e7868a68e473373d684a8c54a; classtype:trojan-activity; sid:2017598; rev:12; metadata:created_at 2013_10_15, updated_at 2020_09_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023891; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.me"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030881; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024001; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_02_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart CnC Domain (mcdnn .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mcdnn.net"; bsize:9; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030882; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Shared Document Phishing Landing Feb 21 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"openOffersDialog"; nocase; distance:0; classtype:social-engineering; sid:2025688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Exfil Domain (imags .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"imags.pw"; bsize:8; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030883; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:social-engineering; sid:2024017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2017_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:!"driftmania"; http.user_agent; content:"Mozilla"; depth:7; http.host; content:!"coreftp.com"; http.request_body; content:"data="; depth:5; fast_pattern; pcre:"/^[A-F0-9]{100,}$/R"; http.header_names; content:!"Referer"; reference:md5,a3440b6117f3783989683753c9f394dd; classtype:command-and-control; sid:2022504; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Alphacrypt, malware_family TeslaCrypt, signature_severity Major, tag Ransomware, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing Feb 27 2017"; flow:from_server,established; file_data; content:"<title>Dropbox"; nocase; fast_pattern; content:"app.png"; nocase; distance:0; content:"live.png"; nocase; distance:0; content:"off.png"; nocase; distance:0; classtype:social-engineering; sid:2025689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; dns.query; content:".myftp.biz"; nocase; endswith; classtype:bad-unknown; sid:2013823; rev:5; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bamital Headers - Likely CnC Beacon"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/5.0)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Connection|0d 0a|"; depth:28; content:!"Referer"; content:!"Accept-"; content:"User-Agent|0d 0a 0d 0a|"; endswith; classtype:command-and-control; sid:2019755; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:credential-theft; sid:2024059; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_03_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY IP Check Domain (iplogger .org in DNS Lookup)"; dns.query; content:"iplogger.org"; endswith; classtype:policy-violation; sid:2035948; rev:4; metadata:created_at 2017_11_27, former_category POLICY, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024167; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (iplogger .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"iplogger.org"; endswith; nocase; classtype:policy-violation; sid:2035949; rev:4; metadata:created_at 2017_11_27, former_category POLICY, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024186; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_articles"; depth:13; fast_pattern; content:"/"; endswith; http.header_names; content:"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:md5,9a705a2c25a8b30de80e59dbb9adab83; classtype:command-and-control; sid:2018644; rev:6; metadata:created_at 2014_07_07, former_category MALWARE, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024187; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Checkin 2"; flow:to_server,established; urilen:20; http.method; content:"POST"; http.uri; content:"/forum/viewtopic.php"; endswith; http.user_agent; content:"Windows 98)"; endswith; fast_pattern; http.content_type; content:"application/octet-stream"; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:command-and-control; sid:2016550; rev:8; metadata:created_at 2013_01_12, former_category MALWARE, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024188; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - www.ip.cn"; flow:established,to_server; http.host; content:"www.ip.cn"; depth:9; endswith; classtype:external-ip-check; sid:2021600; rev:5; metadata:created_at 2015_08_06, former_category POLICY, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024231; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".8800.org"; endswith; classtype:misc-activity; sid:2014784; rev:8; metadata:created_at 2012_05_18, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024232; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Hostile Domain .ntkrnlpa.info Lookup"; dns.query; content:".ntkrnlpa.info"; nocase; endswith; classtype:trojan-activity; sid:2012729; rev:6; metadata:created_at 2011_04_27, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2024327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_05_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VBKrypt.cugq/Umbra Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bot.php"; nocase; fast_pattern; endswith; http.request_body; content:"mode="; nocase; pcre:"/^\d/Ri"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,a95dacba360e45fc03769ea55c546a7b; reference:url,arbornetworks.com/asert/2014/06/the-best-of-both-worlds-soraya; classtype:command-and-control; sid:2018518; rev:10; metadata:created_at 2011_04_28, former_category MALWARE, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:social-engineering; sid:2015983; rev:3; metadata:created_at 2012_12_05, former_category CURRENT_EVENTS, updated_at 2017_06_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin"; flow:established,to_server; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z-_]+?\.(php|html)$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016553; rev:6; metadata:created_at 2013_03_08, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iTunes Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; classtype:social-engineering; sid:2018303; rev:4; metadata:created_at 2014_03_21, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; http.host; content:".mooo.com"; endswith; classtype:bad-unknown; sid:2015634; rev:6; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:social-engineering; sid:2020332; rev:3; metadata:created_at 2015_01_30, former_category CURRENT_EVENTS, updated_at 2017_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Simda.C Checkin"; flow:established,to_server; http.uri; content:"/?"; nocase; http.uri.raw; content:"=%96%"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Trident/4.0|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 3.0.04506.590|3b 20|.NET CLR 3.0.04506.648|3b 20|.NET CLR 3.5.21022|3b 20|.NET CLR 3.0.4506.2152|3b 20|.NET CLR 3.5.30729)"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:command-and-control; sid:2016300; rev:7; metadata:created_at 2012_07_20, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Alibaba Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Alibaba&nbsp|3b|Manufacturer&nbsp|3b|Directory"; nocase; classtype:social-engineering; sid:2024389; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; threshold: type limit, track by_dst, count 3, seconds 60; http.method; content:"HEAD"; http.user_agent; content:"Mozilla/5.0 Jorgee"; depth:18; endswith; fast_pattern; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:6; metadata:created_at 2015_06_26, former_category WEB_SERVER, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Free Mobile Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Free Mobile - Bienvenue dans votre Espace"; nocase; classtype:social-engineering; sid:2024393; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query Domain .bit"; dns.query; content:".bit"; nocase; endswith; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:5; metadata:created_at 2013_10_30, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible AOL Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>AOL Mail|3a 20|Simple, Free, Fun</title>"; nocase; classtype:social-engineering; sid:2024394; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.top domain - Likely Hostile"; threshold:type limit, track by_src, count 1, seconds 30; dns.query; content:".top"; nocase; endswith; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023883; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web Access</title>"; nocase; classtype:social-engineering; sid:2024395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; dns.query; content:".8866.org"; endswith; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:8; metadata:created_at 2011_04_28, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible OWA Mail Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; nocase; classtype:social-engineering; sid:2024396; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak HTTP CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"PHPSESSID="; depth:10; fast_pattern; pcre:"/^[A-F0-9]{32}$/R"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; depth:24; endswith; http.header_names; content:!"IBM-PROXY-WTE"; nocase; classtype:command-and-control; sid:2022225; rev:10; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Help Center Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Facebook Help Center</title>"; nocase; classtype:social-engineering; sid:2024397; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Pift DNS TXT CnC Lookup ppift.net"; dns.query; content:"ppift.net"; nocase; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015460; rev:6; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe PDF Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe PDF</title>"; nocase; classtype:social-engineering; sid:2024399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup fasternation"; dns.query; content:"fasternation.net"; nocase; endswith; classtype:trojan-activity; sid:2019695; rev:4; metadata:created_at 2014_11_12, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible DHL Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; classtype:social-engineering; sid:2024400; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice11.ru)"; dns.query; content:"ddnservice11.ru"; nocase; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020065; rev:5; metadata:created_at 2014_12_24, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Adobe ID Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>Sign In - Adobe ID</TITLE>"; nocase; classtype:social-engineering; sid:2024401; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; dns.query; content:".3d-game.com"; nocase; endswith; classtype:bad-unknown; sid:2014478; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capitech Internet Banking Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Capitec Internet Banking</title>"; nocase; classtype:social-engineering; sid:2024453; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork DNS Tunneling (nsn1.winodwsupdates .me)"; dns.query; content:".nsn1.winodwsupdates.me"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023048; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (randreports .org in DNS Lookup)"; dns.query; content:"randreports.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025073; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Domain (rannd .org in DNS Lookup)"; dns.query; content:"rannd.org"; endswith; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:trojan-activity; sid:2025081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category TROJAN, malware_family Patchwork, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cz.cc Domain"; dns.query; content:".cz.cc"; endswith; nocase; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_09_15;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET PHISHING DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:social-engineering; sid:2023180; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2017_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow:established,to_server; http.host; content:".co.cc"; endswith; classtype:bad-unknown; sid:2011374; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023072; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; http.host; content:".hopto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; fast_pattern; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023488; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2016_11_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.cu.cc domain"; dns.query; content:".cu.cc"; nocase; endswith; classtype:bad-unknown; sid:2013172; rev:5; metadata:created_at 2011_07_02, former_category HUNTING, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Excel Online Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Excel Online"; nocase; content:!"Training"; nocase; within:25; classtype:social-engineering; sid:2024392; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_07_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; http.host; content:".osa.pl"; endswith; classtype:bad-unknown; sid:2014037; rev:6; metadata:created_at 2011_12_22, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:credential-theft; sid:2023487; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to Free Hosting Domain (freevnn . com)"; dns.query; content:".freevnn.com"; nocase; endswith; reference:md5,18c1c99412549815bdb89c36316243a7; classtype:bad-unknown; sid:2024235; rev:5; metadata:created_at 2017_04_21, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_15;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2017_07_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic .bin download from Dotted Quad"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; endswith; http.user_agent; content:!"McAfee Agent"; content:!"NetClient/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; classtype:trojan-activity; sid:2018752; rev:12; metadata:created_at 2014_07_23, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mail.ru Phish Aug 10 2017"; flow:to_server,established; content:"POST"; http_method; content:"1login="; depth:7; nocase; http_client_body; fast_pattern; content:"&login="; nocase; distance:0; http_client_body; content:"&Domain="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (blacklister .nl in DNS Lookup)"; dns.query; content:"blacklister.nl"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025079; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Verify Email Error Message M1 Aug 14 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"PASSWORD NOT MATCHED"; nocase; depth:20; fast_pattern; classtype:credential-theft; sid:2024541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Variant Domain (bigboatreps .pw in DNS Lookup)"; dns.query; content:"bigboatreps.pw"; nocase; endswith; reference:url,blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/; classtype:trojan-activity; sid:2025078; rev:5; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, former_category TROJAN, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 Aug 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"country="; depth:8; nocase; http_client_body; content:"&cc_holder="; nocase; distance:0; http_client_body; content:"&cc_number="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate_month="; nocase; distance:0; http_client_body; content:"&expdate_year="; nocase; distance:0; http_client_body; content:"&cvv2_number="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024546; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Necurs Common POST Header Structure"; flow:established,to_server; urilen:10<>20; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:!"NSIS|5f|Inetc |28|Mozilla|29|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:62; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,d11a453d4de6e6fd991967d67947c0d7; classtype:trojan-activity; sid:2021995; rev:5; metadata:created_at 2015_10_23, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish M1 Aug 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"<title>"; nocase; content:"Chase Online"; nocase; within:50; fast_pattern; classtype:credential-theft; sid:2031575; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; http.user_agent; content:"API-Guide test program"; depth:22; nocase; endswith; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID"; distance:0; content:"document.other.email"; distance:0; fast_pattern; content:"emailPASS"; distance:0; content:"document.other.phone"; distance:0; classtype:social-engineering; sid:2031712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP request for resource ending in .scr"; flow:established,to_server; http.uri; content:".scr"; endswith; fast_pattern; http.host; content:!"kaspersky.com"; classtype:misc-activity; sid:2018231; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_03_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:".php|22 20|method=|22|POST|22|"; fast_pattern; content:"Sign in with Gmail"; distance:0; content:"Sign in with Yahoo"; distance:0; content:"Sign in with Hotmail"; distance:0; content:"Sign in with AOL"; distance:0; content:"Sign in with Others"; distance:0; classtype:social-engineering; sid:2025683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.google.com"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Connection|0d 0a|Host|0d 0a|Pragma|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:command-and-control; sid:2012645; rev:7; metadata:created_at 2011_04_06, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive/Dropbox Phishing Landing Jul 10 2015"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:social-engineering; sid:2021400; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Fake AV Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; endswith; http.request_body; content:"data="; fast_pattern; depth:5; pcre:"/^data=[a-zA-Z0-9+\/]{64}/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2011912; rev:9; metadata:created_at 2010_11_09, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Status Messages Sept 11 2015"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:credential-theft; sid:2021761; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; depth:30; http.request_body; content:"data="; depth:5; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|Host|0d 0a|"; depth:30; content:"User-Agent|0d 0a|"; distance:0; content:"Content-Length|0d 0a|"; distance:0; classtype:trojan-activity; sid:2012627; rev:5; metadata:created_at 2011_04_04, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Drive Phishing Landing 2015-07-13"; flow:to_client,established; file_data; content:"UPLOADED FILE"; fast_pattern; content:"Sign in with your existing Email Service"; distance:0; content:"Email Service Provider"; distance:0; content:"select.com"; distance:0; content:"VIEW DOCUMENT"; distance:0; classtype:social-engineering; sid:2031707; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; dns.query; content:".xxx"; nocase; endswith; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:4; metadata:created_at 2011_03_21, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>Google Documents Email Verification</title>"; content:"emailID.value"; distance:0; content:"emailPASS.value"; distance:0; classtype:social-engineering; sid:2031713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jadtree Downloader rar"; flow:established,to_server; http.uri; content:".rar"; nocase; endswith; http.user_agent; bsize:4; pcre:"/^\d{4}$/"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:5; metadata:created_at 2014_01_30, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"<title>Meet Google Drive"; nocase; distance:0; classtype:social-engineering; sid:2022035; rev:3; metadata:created_at 2015_11_04, former_category CURRENT_EVENTS, updated_at 2017_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (GeneralDownloadApplication)"; flow:to_server,established; http.user_agent; content:"GeneralDownloadApplication"; depth:26; endswith; classtype:pup-activity; sid:2025092; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>NatWest Online Banking</title>"; nocase; classtype:social-engineering; sid:2024622; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; http.host; content:".vv.cc"; endswith; classtype:bad-unknown; sid:2012827; rev:8; metadata:created_at 2011_05_19, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Pin and Password - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024623; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; http.uri; content:"/ip.txt"; nocase; endswith; fast_pattern; http.header; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; http.user_agent; content:!"Mozilla"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:6; metadata:created_at 2013_05_31, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible NatWest Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Security Details - NWOLB</title>"; nocase; classtype:social-engineering; sid:2024624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; http.host; content:".suroot.com"; endswith; classtype:bad-unknown; sid:2014511; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Verify Email</title>"; fast_pattern; classtype:social-engineering; sid:2024656; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; http.host; content:".xxx"; endswith; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:6; metadata:created_at 2011_04_20, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-06"; flow:established,from_server; file_data; content:"Sign in with your email address"; nocase; content:"view or download attachment"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; content:"Sign in with Gmail"; nocase; distance:0; fast_pattern; content:"Sign in with Yahoo"; nocase; distance:0; content:"Sign in with Hotmail"; nocase; distance:0; content:"Sign in with AOL"; nocase; distance:0; content:"Sign in with Others"; nocase; distance:0; classtype:social-engineering; sid:2031736; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2web)"; dns.query; content:".tor2web"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2015576; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Scotiabank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Sign in to Scotiabank"; nocase; classtype:social-engineering; sid:2024795; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Myvnc.com"; flow:established,to_server; http.host; content:".myvnc.com"; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018213; rev:5; metadata:created_at 2014_03_05, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Desjardins Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Log on|20 7c 20|Desjardins"; nocase; classtype:social-engineering; sid:2024796; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptor/Cycbot Trojan Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"?v"; content:"&tq="; pcre:"/\.(jpg|png|gif)\?v[0-9]{1,2}=[0-9]+&tq=/"; http.user_agent; content:"mozilla/2.0"; fast_pattern; depth:11; endswith; classtype:command-and-control; sid:2012939; rev:10; metadata:created_at 2011_06_07, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible BMO Bank of Montreal Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>BMO Bank of Montreal Online Banking</title>"; nocase; classtype:social-engineering; sid:2024798; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  Possible Kelihos.F EXE Download Common Structure 2"; flow:established,to_server; http.uri; content:"od"; offset:2; depth:2; nocase; content:".exe"; nocase; endswith; fast_pattern; pcre:"/^\/[mp]od[12]\/[^\/]+?\.exe$/i"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent"; reference:md5,9db28205c8dd40efcf7f61e155a96de5; classtype:trojan-activity; sid:2018395; rev:7; metadata:created_at 2014_04_16, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M3 Oct 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"as_cpf="; depth:7; nocase; http_client_body; content:"&as_pass="; nocase; distance:0; http_client_body; fast_pattern; content:"&sender="; nocase; distance:0; http_client_body; content:"&as_continue="; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2024801; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ponmocup Post Infection DNS Lookup intohave"; dns.query; content:"intohave.com"; nocase; endswith; classtype:trojan-activity; sid:2019694; rev:4; metadata:created_at 2014_11_12, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PayPal Phishing Landing Nov 24 2014"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; classtype:social-engineering; sid:2019785; rev:4; metadata:created_at 2014_11_24, former_category CURRENT_EVENTS, updated_at 2017_10_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"post="; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent"; content:!"Accept-"; content:!"Referer"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022280; rev:5; metadata:created_at 2015_12_18, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M1 Aug 09 2016"; flow:to_server,established; content:"POST"; http_method; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; classtype:credential-theft; sid:2023042; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi Remote File Injector Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/ggu.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; depth:11; endswith; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:command-and-control; sid:2016967; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_06_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Landing Uri Nov 25 2015"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:social-engineering; sid:2022187; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; dns.query; content:".bbsindex.com"; nocase; endswith; classtype:bad-unknown; sid:2014484; rev:7; metadata:created_at 2012_04_05, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2015-07-27"; flow:to_client,established; file_data; content:"<title>Secure Login</title>"; content:"action=|22|emsg1.php|22|"; fast_pattern; distance:0; content:"valid Apple ID"; distance:0; content:"valid Password"; distance:0; classtype:social-engineering; sid:2031708; rev:3; metadata:created_at 2015_07_27, former_category PHISHING, updated_at 2017_10_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".mooo.com"; nocase; endswith; classtype:misc-activity; sid:2015633; rev:5; metadata:created_at 2012_08_16, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Jan 30 2014"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:social-engineering; sid:2018042; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.co.tv domain"; dns.query; content:".co.tv"; nocase; endswith; classtype:bad-unknown; sid:2012956; rev:6; metadata:created_at 2011_06_08, former_category HUNTING, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:social-engineering; sid:2018043; rev:3; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2017_10_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Mozilla/3.0"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0"; fast_pattern; depth:11; endswith; classtype:trojan-activity; sid:2012619; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_01, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M2 July 24 2015"; flow:to_client,established; file_data; content:"invoicetoptables"; nocase; fast_pattern; content:"invoicecontent"; nocase; distance:0; content:"displayTextgmail"; nocase; distance:0; content:"displayTexthotmail"; nocase; distance:0; content:"displayTextaol"; nocase; distance:0; classtype:social-engineering; sid:2021536; rev:3; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2017_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"RLMultySocket"; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Potential Data URI Phishing Oct 02 2015"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:social-engineering; sid:2021893; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (forkinvestpay.com)"; dns.query; content:"forkinvestpay.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022045; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:social-engineering; sid:2022029; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.to)"; dns.query; content:".onion.to"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020116; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022093; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2017_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to Browser Coinminer (crypto-loot[.]com)"; dns.query; content:"crypto-loot.com"; endswith; classtype:coin-mining; sid:2024828; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category COINMINER, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Enom Phish Mar 08 2016"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:credential-theft; sid:2022604; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01"; flow:established,to_server; flowbits:set,ET.nemucod.exerequest; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; pcre:"/\/[0-9]{2}\.exe$/i"; http.header_names; content:!"Referer"; reference:url,certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,8bdc81393a4fcfaf6d1b8dc01486f2f0; classtype:trojan-activity; sid:2022482; rev:5; metadata:created_at 2016_02_03, updated_at 2020_09_15;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:social-engineering; sid:2022905; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Sept 1 M2 2015-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"challengetype="; fast_pattern; content:"&phoneNumber="; nocase; content:"&recEmail="; nocase; classtype:credential-theft; sid:2031826; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg2.php|22|"; distance:0; fast_pattern; content:"Adress Line"; distance:0; content:"Zip/Postal Code"; distance:0; classtype:credential-theft; sid:2031709; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; http.host; content:".3322.org"; endswith; classtype:misc-activity; sid:2013213; rev:8; metadata:created_at 2011_07_06, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"Question Of Security"; fast_pattern; content:"nom de votre meilleur"; distance:0; content:"What is your mother maiden name ?"; distance:0; content:"rue avez-vous grandi"; distance:0; content:"What is your favourite show ?"; distance:0; classtype:credential-theft; sid:2031710; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns any any -> any any (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; dns.query; content:"api.account.xiaomi.com"; nocase; endswith; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:4; metadata:created_at 2014_08_11, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-27"; flow:to_client,established; file_data; content:"<title>Confirm your account</title>"; content:"action=|22|msg1.php|22|"; fast_pattern; distance:0; content:"Cardholder's Name"; distance:0; content:"Credit Card Number"; distance:0; content:"CVC (CVV)"; distance:0; content:"3D Secure/VBV"; distance:0; classtype:credential-theft; sid:2031711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.connection; content:"Close"; endswith; http.content_type; content:"octet/binary"; endswith; http.header_names; content:!"Referer"; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:command-and-control; sid:2019891; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, former_category MALWARE, malware_family Dridex, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Apple Store - Verification</title>"; nocase; content:"/* VODKA */"; nocase; fast_pattern; classtype:social-engineering; sid:2031716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 4"; dns.query; content:"bigdata.advmob.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"fancyConfirm|28|"; nocase; fast_pattern; content:"checkcvv|28 29|"; nocase; distance:0; content:"checkexm|28 29|"; nocase; distance:0; content:"isvalidcc|28 29|"; nocase; distance:0; content:"imready|28 29|"; nocase; distance:0; classtype:social-engineering; sid:2031717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; http.host; content:".sytes.net"; endswith; classtype:bad-unknown; sid:2018219; rev:9; metadata:created_at 2012_03_05, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"Verification</title>"; nocase; fast_pattern; content:"chosed your country."; nocase; content:"chosed an expiration month."; nocase; distance:0; content:"chosed an expiration year."; nocase; distance:0; classtype:social-engineering; sid:2031718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; dns.query; content:"client-lb.dropbox.com"; nocase; endswith; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:4; metadata:created_at 2015_02_25, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Secure Docs</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024842; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 42"; dns.query; content:"www.37513.cn"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022452; rev:4; metadata:created_at 2016_01_27, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloud Drive Phish Landing 2015-08-12"; flow:to_client,established; file_data; content:"<title>Cloud Drive</title>"; nocase; fast_pattern; content:"reqired to view this document"; nocase; distance:0; classtype:social-engineering; sid:2031721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2017_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 4."; fast_pattern; nocase; http.host; content:!".weatherbug.com"; endswith; content:!".wxbug.com"; endswith; classtype:policy-violation; sid:2016871; rev:7; metadata:created_at 2013_05_21, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma AES Crypto Observed in Javascript - Possible Phishing Landing 2015-12-29"; flow:established,from_server; file_data; content:"Encriptado por Anonisma"; nocase; fast_pattern; content:"Aes.cipher"; nocase; distance:0; content:"Aes.keyExpansion"; nocase; distance:0; classtype:social-engineering; sid:2031741; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 3"; dns.query; content:"bigdata.adfuture.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-07-11"; flow:from_server,established; file_data; content:"<title>DHL GLOBAL"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"E-mail Address or Member ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; classtype:social-engineering; sid:2031998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2017_10_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 2"; dns.query; content:"bigdata.adsunflower.com"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023516; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple ID Phishing Landing 2015-08-19"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"My Apple ID"; fast_pattern; nocase; within:35; classtype:social-engineering; sid:2031723; rev:3; metadata:created_at 2015_08_19, former_category PHISHING, updated_at 2017_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup)"; dns.query; content:"check.torproject.org"; nocase; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017926; rev:6; metadata:created_at 2014_01_04, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel/Adobe Online Phishing Landing Nov 25 2015"; flow:to_client,established; file_data; content:"<title>"; nocase; content:"Online - 09KSJDJR4843984NF98738UNFD843"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025686; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2018_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; content:!".tcl.tk"; content:!"tcl.tk"; depth:6; endswith; classtype:bad-unknown; sid:2012810; rev:12; metadata:created_at 2011_05_15, former_category POLICY, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing Nov 10 2017"; flow:established,to_client; file_data; content:"<label class=|22|MobMenHol"; nocase; fast_pattern; content:"<span class=|22|MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; content:"MobMenIcon"; nocase; distance:0; classtype:social-engineering; sid:2025693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ipinfo.io"; flow:established,to_server; http.host; content:"ipinfo.io"; depth:9; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:external-ip-check; sid:2020716; rev:6; metadata:created_at 2015_03_20, former_category POLICY, updated_at 2020_09_15;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:credential-theft; sid:2024000; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2017_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; http.user_agent; content:"Twisted PageGetter"; depth:18; endswith; http.host; content:"swupdate.openvpn.net"; fast_pattern; depth:20; endswith; classtype:policy-violation; sid:2014799; rev:5; metadata:created_at 2012_05_22, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"MyEtherWallet.com"; within:30; nocase; fast_pattern; classtype:social-engineering; sid:2025140; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)"; dns.query; content:"myip.opendns.com"; nocase; endswith; classtype:external-ip-check; sid:2023472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>FEDEX|20 7c 20|Tracking</TITLE>"; fast_pattern; nocase; classtype:social-engineering; sid:2025158; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; dns.query; content:"ipapi.co"; nocase; endswith; classtype:external-ip-check; sid:2024527; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|48 61 6c 6b 62 61 6e 6b 20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|</title>"; nocase; classtype:social-engineering; sid:2025159; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 2"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/userinfo.php"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; content:!"Accept"; reference:md5,042b2e41a14b67570a993ef909621954; classtype:command-and-control; sid:2022769; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Ziraat Bank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>|20 48 6f c5 9f 67 65 6c 64 69 6e 69 7a 20 7c 20 5a 69 72 61 61 74 20 42 61 6e 6b 61 73 c4 b1|"; nocase; classtype:social-engineering; sid:2025160; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tc domain"; flow:established,to_server; http.host; content:".tc"; endswith; classtype:bad-unknown; sid:2013535; rev:7; metadata:created_at 2011_09_06, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2017-12-26"; flow:established,to_client; file_data; content:"&Rho|3b|ay&Rho|3b|aI</title>"; within:200; classtype:social-engineering; sid:2025173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ipecho.net"; flow:established,to_server; http.host; content:"ipecho.net"; depth:10; endswith; classtype:external-ip-check; sid:2022351; rev:5; metadata:created_at 2016_01_12, former_category POLICY, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible YapiKredi Bank (TR) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Bireysel|20 c4 b0|nternet|20 c5 9e|ubesi|20 7c 20|Yap|c4 b1 20|Kredi</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024583; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_16, deployment Internet, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2017_12_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; http.user_agent; content:"HTTPGET"; depth:7; http.host; content:!"autodesk.com"; endswith; content:!"rsa.com"; endswith; content:!"consumersentinel.gov"; endswith; content:!"technet.microsoft.com"; endswith; content:!"metropolis.com"; endswith; content:!"www.catalog.update.microsoft.com"; endswith; classtype:trojan-activity; sid:2013508; rev:14; metadata:created_at 2011_08_31, former_category TROJAN, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-03"; flow:from_server,established; file_data; content:"L&#959|3b|g|20|in|20|t&#959|3b 20|y&#959|3b|ur|20|&Rho|3b|ay&Rho|3b|aI|20|acc&#959|3b|unt"; nocase; depth:300; classtype:social-engineering; sid:2025181; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)"; dns.query; content:"l2.io"; endswith; classtype:external-ip-check; sid:2024831; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing 2018-01-12"; flow:from_server,established; file_data; content:"var ListEntries"; nocase; content:"|27 2e 2a 66 75 63 6b 2e 2a 27 2c|"; within:50; content:"|27 2e 2a 70 75 73 73 79 2e 2a 27 2c|"; distance:0; content:"|27 2e 2a 6e 69 63 65 2e 2a 74 72 79 2e 2a 27|"; distance:0; classtype:social-engineering; sid:2025685; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_07_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart JS Retrieval"; flow:established,to_server; http.uri; content:"/122002/assets/js/widget.js"; bsize:27; fast_pattern; http.host; content:"mcdnn"; startswith; pcre:"/\.(?:me|net)$/WR"; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:command-and-control; sid:2030884; rev:1; metadata:created_at 2020_09_15, former_category MALWARE, performance_impact Low, updated_at 2020_11_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Dropbox"; nocase; within:25; content:"Select Your Email Provider"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025206; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; http.user_agent; content:"SOGOU_UPDATER"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Chase"; nocase; within:25; content:"WYSIWYG Web Builder"; nocase; distance:0; content:"folling information about yourself"; nocase; fast_pattern; classtype:social-engineering; sid:2025207; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)"; dns.query; content:"onion.plus"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025095; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"background-color|3a 20|rgb(235, 60, 0)"; fast_pattern; nocase; within:200; content:"$Config={|22|scid|22 3a|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; content:"<title"; nocase; distance:0; content:"Sign in to your account"; nocase; within:50; classtype:social-engineering; sid:2025208; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com)"; dns.query; content:"wh47f2as19.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020869; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-01-18"; flow:established,to_client; file_data; content:"<title>Chase"; nocase; fast_pattern; content:"googlebot|22 20|content=|22|noindex"; nocase; distance:0; content:"function unhideBody()"; nocase; distance:0; content:"type=|22|password"; nocase; distance:0; classtype:social-engineering; sid:2025210; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup)"; dns.query; content:"onion.casa"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025096; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M1"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; within:300; classtype:social-engineering; sid:2025211; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request"; flow:established,to_server; http.uri; content:"/genericons/example.html"; endswith; fast_pattern; reference:url,blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html; classtype:web-application-attack; sid:2021062; rev:5; metadata:created_at 2015_05_07, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Confirm Your Account"; nocase; fast_pattern; content:"WYSIWYG Web Builder"; nocase; within:200; content:"Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025212; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com)"; dns.query; content:"7hwr34n18.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020844; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_06, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>chase online - confirm</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025213; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 9d 26 66 9a 26 66 9d 42 70 9d 31 10 ed 26 66 98 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M2"; flow:established,to_client; file_data; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; content:"<form action=|22|webscr.php?cmd=_"; nocase; distance:0; classtype:social-engineering; sid:2025215; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_01_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MageCart Exfil URI"; flow:established,to_server; http.uri; content:"/502.jsp"; fast_pattern; http.host; content:"imags.pw"; endswith; reference:url,sansec.io/research/largest-magento-hack-to-date; classtype:trojan-activity; sid:2030885; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Questionnaire Phishing Landing 2018-01-19"; flow:established,to_client; file_data; content:"<title>Questionnaire</title>"; nocase; fast_pattern; content:"assets/css/theDocs.all.min.css"; nocase; distance:0; content:"<h3>DOCUMENT MANAGEMENT SYSTEM"; distance:0; classtype:social-engineering; sid:2025226; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Verification/Upgrade Phishing Landing 2018-01-22"; flow:established,to_client; file_data; content:"<title>Email Verification</title>"; nocase; fast_pattern; content:"Sign in to upgrade your mailbox"; nocase; distance:0; content:"Mail Admin"; nocase; distance:0; classtype:social-engineering; sid:2025229; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 66 8b 30 61 8b 30 66 ef 26 66 9c 46 16 8b 30 63 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multiple Javascript Unescapes - Common Obfuscation Observed in Phish Landing"; flow:established,to_client; file_data; content:"document.write(unescape"; fast_pattern; nocase; within:100; content:"document.write(unescape"; nocase; distance:0; content:"document.write(unescape"; nocase; distance:0; classtype:social-engineering; sid:2025231; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 96 26 66 98 40 70 9d 30 11 e8 40 70 9d 34 70 9c 47|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Server Mobile Security Settings Phishing Landing 2018-01-22"; flow:established,to_client; file_data; file_data; content:"<html>|0d 0a 0d 0a|<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|document.write"; within:100; nocase; content:"3c%68%65%61%64%3e%0d%0a%0d%0a%3c%74%69%74%6c%65%3e%45%6d%61%69%6c%20%53%65%72%76%65%72"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|login|22 20|value=|22|"; nocase; distance:0; content:"User ID|3a 20|<font face=|22|verdana|22 20|size=|22|2|22 20|color=|22|#000000|22|"; nocase; distance:0; classtype:social-engineering; sid:2025232; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3b 70 9d 35 16 8b 30 66 ea 45 16 8b 30 62 8b 31 11|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>&#68|3b|&#114|3b|&#111|3b|&#112|3b|&#98|3b|&#111|3b|&#120|3b|</title>"; nocase; within:300; classtype:social-engineering; sid:2025233; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6d 8b 30 63 ed 26 66 9d 47 13 ed 26 66 99 26 67 ea|"; distance:6; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Incoming Emails Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Retrieval Error</title>"; nocase; fast_pattern; content:"onload=|22|populate()"; nocase; distance:0; content:"<input id=|22|Password|22 20|name=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025242; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 99 26 66 9c 47 70 9d 35 70 9d 34 70 9d 3a 17 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029445; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ABSA Online Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"setTimeout(function(){top.window.location"; nocase; fast_pattern; content:"<title"; nocase; within:150; content:"Absa Online"; nocase; within:50; classtype:social-engineering; sid:2025243; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 34 70 9d 31 11 8b 30 63 8b 30 62 8b 30 6c ec 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029446; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; content:"Login with Facebook"; nocase; distance:0; content:"Hosted on free web hosting 000webhost.com"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025245; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 62 8b 30 67 ea 26 66 98 26 66 99 26 66 97 41 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029447; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque et Assurance (FR) Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title"; nocase; content:"La Banque Postale|20 e2 80 93 20|La Banque Postale"; fast_pattern; within:80; nocase; content:"background-color|3a 20|#FFFFFF|3b|"; nocase; distance:0; classtype:social-engineering; sid:2025246; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 46 70 9d 36 70 9d 37 70 9d 37 17 8b 30 60 8b 30 62 8b 30 61 8b 31 11|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"security is our top priority"; nocase; content:"Use us wherever you pay"; fast_pattern; nocase; distance:0; content:"onsubmit=|22|return checkform(this)|3b 22|"; nocase; distance:0; content:"function checkform"; nocase; distance:0; content:"style.backgroundColor=|22|#FF6A6A|22|"; nocase; distance:0; classtype:social-engineering; sid:2025247; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 10 8b 30 60 8b 30 61 8b 30 61 ec 26 66 9b 26 66 99 26 66 9a 26 67 ea|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Popupwnd Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"function popupwnd(url, "; fast_pattern; nocase; content:"var popupwindow = this.open(url"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"'no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025248; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 eb 26 66 9b 26 66 9a 26 66 9a 41 70 9d 36 70 9d 34 70 9d 37 70 9c 47|"; distance:6; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title"; nocase; content:"View Document"; nocase; within:30; content:"<a href=|22|eciffo365.php"; nocase; fast_pattern; distance:0; content:"<a href=|22|kooltuo.php"; nocase; distance:0; classtype:social-engineering; sid:2025249; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-25"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; fast_pattern; content:"function LoginErrors(){this.userNameFormatError"; nocase; within:300; classtype:social-engineering; sid:2025250; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"document.write(unescape"; nocase; fast_pattern; content:"3C%74%69%74%6C%65%3E%26%23%33%37%30%33%38%3B%26%23%32%30%32%31%34%3B%26%23%33%35%37%37%34%3B%26%23%33%32%36%32%32%3B"; nocase; distance:0; classtype:social-engineering; sid:2025255; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 8b 30 6c 8b 30 61 8b 30 64 8b 30 61 8b 30 6c 8b 30 65 8b 30 62 ef 26 67 ea|"; distance:6; within:53; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029468; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Halkbank (TK) Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Halkbank|20 c4 b0 6e 74 65 72 6e 65 74 20 c5 9e 75 62 65 73 69|"; within:50; fast_pattern; classtype:social-engineering; sid:2025258; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 40 70 9d 32 14 e8 47 17 8b 30 65 ef 26 67 ea|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Smail Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"...|7c|1|7c|Smail Code|7c|1|7c|..."; fast_pattern; nocase; content:"ALTER ANYTHING BELOW THIS LINE"; nocase; distance:0; classtype:social-engineering; sid:2025259; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 16 8b 30 64 ef 45 11 ec 26 66 9e 42 70 9c 47|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029483; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-01-29 M1"; flow:established,to_client; file_data; content:"Apple ID|20 3a|"; within:100; content:"<title>Apple (Switzerland)"; nocase; fast_pattern; classtype:social-engineering; sid:2025260; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ed 26 66 9f 42 13 ea 41 70 9d 33 14 8b 31 11|"; distance:6; within:43; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029484; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M2 2018-01-29"; flow:established,to_client; file_data; content:"background|3a 20|#3baee7|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3baee7, #08c)"; nocase; distance:0; content:"text-shadow|3a 20|1px 1px 3px #666666"; nocase; distance:0; content:"background|3a 20|#3cb0fd|3b|"; nocase; distance:0; content:"-webkit-linear-gradient(top, #3cb0fd, #3498db)"; nocase; distance:0; content:".dark {"; nocase; distance:0; content:"color|3a 20|#525252|3b|"; nocase; distance:0; content:".dark-select {"; nocase; distance:0; content:"background|3a 20|#DFDFDF url('down-arrow.png')"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025261; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|26 67 ea 41 11 8b 30 65 8b 30 6d 8b 30 61 8b 30 61 8b 30 63 ec 26 67 ea|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029488; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"Dear <b id=|22|accessreturn|22|>User</b>,"; nocase; fast_pattern; content:"<b>Ticket|20 3a 20|#"; nocase; distance:0; content:"<b>For This Reason|20 3a 20|"; nocase; distance:0; classtype:social-engineering; sid:2025262; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|70 9c 47 17 ea 26 66 9e 26 66 96 26 66 9a 26 66 9a 26 66 98 41 70 9c 47|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029489; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; content:"Office 365"; nocase; within:25; content:"function LoginErrors(){this.userNameFormatError"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025263; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/P"; content:"|8b 31 11 ec 47 70 9d 33 70 9d 3b 70 9d 37 70 9d 37 70 9d 35 17 8b 31 11|"; distance:6; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Onedrive Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title"; nocase; content:"OneDrive Online Security"; nocase; within:50; classtype:social-engineering; sid:2025264; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.AR Variant Winifixer.com Related Checkin URL"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?affid="; nocase; content:"&uid="; nocase; distance:0; content:"&tm="; nocase; distance:0; http.user_agent; content:"Internet Explorer"; bsize:17; fast_pattern; reference:url,doc.emergingthreats.net/2008277; classtype:command-and-control; sid:2008277; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartsheet Phishing Landing 2018-01-29"; flow:established,to_client; file_data; content:"<title>Log In|20 7c 20|Smartsheet</title>"; nocase; fast_pattern; content:"<form action="; nocase; distance:0; content:".php|22 20|class=|22|clsJspOuterForm|22 20|id="; nocase; distance:0; content:"method=|22|POST|22 20|name=|22|ctlForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025265; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_29, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FakeXPA Checkin URL"; flow:established,to_server; http.uri; content:"/firstrun.php?product="; nocase; fast_pattern; content:"&aff="; nocase; distance:0; content:"&update="; nocase; distance:0; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/2008152; classtype:command-and-control; sid:2008152; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect 2018-01-30"; flow:established,to_client; file_data; content:"<html>|0d 0a|<body>|0d 0a|<script type=|22|text/JavaScript|22|>|0d 0a|<!--|0d 0a|"; nocase; depth:55; content:"setTimeout(|22|location.href|20|=|20 27|redirection.php?"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9_]{50,}/Ri"; content:"|27 3b 22|,0)|3b 0d 0a|-->|0d 0a|</script>|0d 0a|</body>"; nocase; within:100; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/Feebs.kw Worm User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/4.7 [en] (WinNT"; depth:23; fast_pattern; reference:url,doc.emergingthreats.net/2007767; classtype:trojan-activity; sid:2007767; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots.gouv.fr Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Particulier|20 7c 20|impots.gouv.fr"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2025268; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installed OK)"; flow:established,to_server; http.user_agent; content:"Installed OK"; startswith; nocase; reference:md5,16035440878ec6e93d82c2aeea508630; classtype:bad-unknown; sid:2030880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Turbotax Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title>My TurboTax"; nocase; fast_pattern; content:"Login to your MyTurboTax account to start"; nocase; distance:0; content:"User ID"; nocase; distance:0; content:"Email Password"; nocase; distance:0; classtype:social-engineering; sid:2025269; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/3.0 (compatible)"; depth:24; endswith; http.host; content:!".hddstatus.com"; endswith; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Bank of America|20 7c 20|Online Banking"; nocase; within:40; fast_pattern; content:"CONTENT=|22|Unrecognized computer"; nocase; distance:0; content:"SiteKey Challenge Questions"; nocase; distance:0; classtype:social-engineering; sid:2025270; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; http.uri; content:"/"; content:".exe"; distance:1; within:8; fast_pattern; endswith; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/"; http.header; content:!"koggames"; http.host; content:!"download.bitdefender.com"; endswith; content:!".appspot.com"; endswith; content:!"kaspersky.com"; endswith; content:!".sophosxl.net"; endswith; http.header_names; content:!"Referer"; nocase; classtype:bad-unknown; sid:2019714; rev:12; metadata:created_at 2014_11_15, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Capital One Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Online Banking - Capital One 360</title>"; nocase; classtype:social-engineering; sid:2025271; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gdn Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gdn"; fast_pattern; endswith; classtype:bad-unknown; sid:2025097; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Verizon Wireless Phishing Landing 2018-01-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:200; content:"<title"; nocase; distance:0; content:"Sign in"; nocase; within:10; content:"verizonwireless.com"; nocase; within:100; classtype:social-engineering; sid:2025274; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gq domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2025100; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"P&#97|3b|yP&#97|3b|l"; nocase; within:35; fast_pattern; classtype:social-engineering; sid:2025276; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ga Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2025101; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple iTunes Phishing Landing (DE) 2018-01-31"; flow:established,to_client; file_data; content:"<ISONLINE VALUE=TRUE></ISONLINE>"; nocase; within:200; content:"<title>iTunes - Stornierungsformular"; nocase; fast_pattern; classtype:social-engineering; sid:2025277; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ml Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2025102; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"/hellion/postmaster.png"; fast_pattern; nocase; content:"/hellion/logos.png"; nocase; distance:0; classtype:social-engineering; sid:2025279; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.cf Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; fast_pattern; endswith; classtype:bad-unknown; sid:2025103; rev:3; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Roundcube Multi-Brand Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"FILES/jstz.min.js?s="; nocase; fast_pattern; content:"rcube_webmail()"; nocase; distance:0; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; classtype:social-engineering; sid:2025280; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ga"; nocase; endswith; classtype:bad-unknown; sid:2025105; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Mirrored Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- Mirrored from "; pcre:"/^(?:www(?:1\.masterconsultas\.com\.ar|\.linkedin\.com)|(?:tools\.google|facebook)\.com|cfspart\.impots\.gouv\.fr)/Ri"; content:"by HTTrack Website Copier/"; distance:0; classtype:social-engineering; sid:2025282; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ml Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".ml"; nocase; endswith; classtype:bad-unknown; sid:2025106; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Login Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Sign In</title>"; nocase; content:"Outlook.com is a free, personal email service from Microsoft."; nocase; within:150; fast_pattern; classtype:social-engineering; sid:2025284; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cf Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".cf"; nocase; endswith; classtype:bad-unknown; sid:2025107; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TSB Bank / Lloyds Bank Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Online Personal Verification"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2025285; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gq Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".gq"; nocase; endswith; classtype:bad-unknown; sid:2025104; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-01"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online|c2 ae 20|Verification</title>"; nocase; classtype:social-engineering; sid:2025286; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ga) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ga"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025109; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-01-23"; flow:established,to_client; file_data; content:"<title>AT&amp|3b|T - Login</title>"; nocase; fast_pattern; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22 20 20|focus=|22|userid|22 20|name=|22|LoginForm|22 20|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025244; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gq) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gq"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025108; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Likely Cloned .EDU Website Phishing Landing 2018-02-02"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)https?:\/\/[^/]+\.edu\//Rsi"; content:"<form"; nocase; distance:0; classtype:social-engineering; sid:2025290; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ml) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".ml"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025110; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M2"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"Online &amp|3b 20|Mobile Security"; nocase; distance:0; classtype:social-engineering; sid:2025293; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.cf) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".cf"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025111; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M3"; flow:established,to_client; file_data; content:"<title>Wells Fargo&nbsp|3b|Sign On to View Your Accounts</title>"; nocase; fast_pattern; content:"View Your Accounts</h1>"; nocase; distance:0; content:"disableSubmitsCollectUserPrefs"; nocase; distance:0; classtype:social-engineering; sid:2025294; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gdn) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".gdn"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2025112; rev:4; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M5"; flow:established,to_client; file_data; content:"<title>Wells Fargo  - Update Your Identification</title>"; nocase; fast_pattern; content:"../css js/passwordReset.css"; within:200; classtype:social-engineering; sid:2025296; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Connection Setup Attempt"; flow:established,to_server; http.host; content:"localtunnel.me"; fast_pattern; endswith; http.header_names; content:"|0d 0a|host|0d 0a|accept"; depth:14; content:!"User-Agent"; content:!"Host"; content:!"Referer"; content:!"Accept"; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025116; rev:4; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M6"; flow:established,to_client; file_data; content:"Online Banking Identity Verification Process</TITLE>"; within:300; content:"name=KONICHIWA1"; within:250; classtype:social-engineering; sid:2025297; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SluttyPutty Maldoc User-Agent"; flow:established,to_server; http.user_agent; content:"come-tome"; depth:9; endswith; classtype:trojan-activity; sid:2025118; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, signature_severity Major, tag MalDoc, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M7"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online&reg|3b 20|Enrollment</title>"; classtype:social-engineering; sid:2025298; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPSEL File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mipsel"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025122; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M8"; flow:established,to_client; file_data; content:"<head><!-- WFB 3.4 -->"; within:300; fast_pattern; content:"var bundle|3b|(function(){function a(b){var c=|22 22 3b|for(var d=0,e=b.length|3b|d<e|3b|++d){var f=b.charCodeAt(d)|3b|c+=f>=55296?b[d]|3a|String.fromCharCode"; distance:0; classtype:social-engineering; sid:2025299; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPS File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mips"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025123; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M9"; flow:established,to_client; file_data; content:"<title>Wells Fargo - Security Upgrade</title>"; classtype:social-engineering; sid:2025300; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025124; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M10"; flow:established,to_client; file_data; content:"<title>Wells Fargo Email Verification"; nocase; fast_pattern; content:"input[type=email], input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025301; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM7 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".arm7"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025125; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banque Populaire Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:".logo_banque"; nocase; content:",.authentif p.num_carte"; nocase; fast_pattern; content:"<title"; content:"Authentification"; nocase; within:20; classtype:social-engineering; sid:2025306; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO x86 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025126; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"PayPaI</title>"; nocase; fast_pattern; content:"application-name content=PayPaI>"; nocase; distance:0; classtype:social-engineering; sid:2025307; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO m68k File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".m68k"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025127; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Antibots Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<?php|0d 0a|include|20 22|antibots.php|22 3b 0d 0a|?>"; within:100; classtype:social-engineering; sid:2025308; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SPARC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".sparc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025128; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Upgrade Payment Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"ONE MORE STEP"; content:"<title"; nocase; distance:0; content:"Enter Your Credit"; nocase; within:25; content:"UPGRADE PAYMENT"; distance:0; content:"fbCreditCard"; nocase; distance:0; classtype:social-engineering; sid:2025309; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POWERPC File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".powerpc"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025129; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Verification Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Yahoo! Account Verification"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025311; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO X86_64 File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86_64"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025130; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google/Adobe Shared Document Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"sign in"; nocase; within:25; content:"MM_validateForm(|27|password|27 2c 27 27 2c 27|R|27 2c 27|mail|27 2c 27 27 2c 27|RisEmail|27 2c 27|phone|27 2c 27 27 2c 27|NisNum|27|)"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025312; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUPERH File Download Request from IP Address"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".superh"; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:bad-unknown; sid:2025131; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category INFO, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Orange Phishing Landing 2018-02-05 (FR)"; flow:established,to_client; file_data; content:"<title"; content:"pour continuer, identifiez-vous"; nocase; within:50; fast_pattern; content:"index_fichiers/authuser"; nocase; distance:0; content:"title=|22|site orange.fr"; nocase; distance:0; classtype:social-engineering; sid:2025313; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup)"; dns.query; content:".localtunnel.me"; endswith; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025138; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-06"; flow:established,to_client; file_data; content:"content=|22|Connecting to PDSA"; nocase; within:600; content:"<title>Sign In</title>"; nocase; distance:0; content:"function LoginErrors(){this.userNameFormatError"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025316; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in TLS SNI)"; flow:established,to_server; tls.sni; content:".localtunnel.me"; endswith; nocase; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025139; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Google|20 7c 20|Drive , Safe"; nocase; fast_pattern; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2025322; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY possible OnePlus phone data leakage DNS"; dns.query; content:"open.oneplus.net"; nocase; endswith; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025133; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>DropBox Buisness</title>"; nocase; classtype:social-engineering; sid:2025323; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Injected WP Keylogger/Coinminer Domain Detected (cloudflare .solutions in DNS Lookup)"; dns.query; content:"cloudflare.solutions"; endswith; reference:url,blog.sucuri.net/2017/12/cloudflare-solutions-keylogger-on-thousands-of-infected-wordpress-sites.html; classtype:coin-mining; sid:2025141; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, tag Coinminer, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Apple - Login"; nocase; content:"href=|22|incorrect_files/"; nocase; distance:0; classtype:social-engineering; sid:2025324; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; depth:51; fast_pattern; reference:md5,5b0e06e3e896d541264a03abef5f30c7; classtype:command-and-control; sid:2025142; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-01-31"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:50; fast_pattern; content:"your mailbox"; nocase; distance:0; content:"email password"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025278; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_01_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/NxRansomware C2 Domain Detected (0cf5ff34 .ngrok .io in DNS Lookup)"; dns.query; content:"0cf5ff34.ngrok.io"; endswith; reference:url,twitter.com/struppigel/status/940239612324319232; classtype:command-and-control; sid:2025143; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2018-02-05"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Settings|20 7c 20|Email"; nocase; within:40; fast_pattern; classtype:social-engineering; sid:2025310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Downloader.Small.BIL CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=Te"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith;  reference:md5,4C669A60719FC1051FB336CB25B209FD; classtype:command-and-control; sid:2025147; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category MALWARE, malware_family Downloader_Small_BIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Business Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"background-color|3a 20|#ffffff|3b|border|3a 20|1px solid #d0d4d9|3b|box-shadow|3a 20|4px 4px 4px #d0d4d9|3b|"; nocase; content:"id=|22|wk|22 20|name=|22|wk|22 20|method=|22|post|22|"; nocase; distance:0; fast_pattern; content:"Sign In To View"; nocase; distance:0; classtype:social-engineering; sid:2025325; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; dns.query; content:"curlmyip.net"; nocase; endswith; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:external-ip-check; sid:2025154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2017_12_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Sign in</title>"; nocase; content:"border|3a 20|1px solid #848484|3b|"; nocase; distance:0; content:"background-color|3a 20|#fff3c0|3b|"; nocase; distance:0; content:"left|3a|389px|3b 20|top|3a|0px|3b 20|width|3a|507px|3b 20|height|3a|474px|3b 20|z-index|3a|0"; nocase; distance:0; content:"<input name=|22|userid|22|"; nocase; distance:0; content:"<input name=|22|formtext2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025326; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .gr.com Domain (gr .com in DNS Lookup)"; dns.query; content:".gr.com"; endswith; reference:url,www.domain.gr.com; classtype:bad-unknown; sid:2025146; rev:5; metadata:created_at 2017_12_12, former_category HUNTING, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon"; nocase; fast_pattern; content:"<!--POH-->"; nocase; distance:0; content:"function AllowNoDups()"; nocase; distance:0; classtype:social-engineering; sid:2025328; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ema="; depth:4; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031864; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Verification Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title>Admin|20 7c 20|Upgrade|3b|</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025329; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Zeus Panda CnC Domain (in DNS Lookup)"; dns.query; content:"pprulispikosqcsiwef.info"; nocase; endswith; reference:md5,20adfac68ced5225c9021bc051e66d18; classtype:command-and-control; sid:2025177; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_29, deployment Perimeter, former_category MALWARE, malware_family Zeus_Panda, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M2"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|https://online.asb.co.nz/auth/img/logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|autocomplete=|22|off|22 20|aria-autocomplete=|22|none|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025336; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qasar Variant Domain (datapeople-cn .com in DNS Lookup)"; dns.query; content:"datapeople-cn.com"; endswith; reference:url,twitter.com/blu3_team/status/947858470816112640; classtype:trojan-activity; sid:2025179; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category TROJAN, malware_family Qasar_Rat, performance_impact Moderate, signature_severity Major, tag Patchwork, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ASB Bank Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title>ASB Bank - Log in"; nocase; fast_pattern; content:"<img src=|22|logo-asb.png|22 20|alt=|22|ASB Logo|22|"; nocase; distance:0; content:".php|22 20|id=|22|login|22 20|autocomplete=|22|off|22|"; nocase; distance:0; classtype:social-engineering; sid:2025334; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jul 2017"; dns.query; content:"ab1abad1d0c2a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Wells Fargo Online</title>"; nocase; fast_pattern; content:"View Your Accounts"; nocase; distance:0; content:"placeholder=|22|Personal ID"; nocase; distance:0; content:"Connection Secured"; nocase; distance:0; classtype:social-engineering; sid:2025337; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Aug 2017"; dns.query; content:"ab8cee60c2d.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In to LinkedIn|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025335; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Sep 2017"; dns.query; content:"ab1145b758c30.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Facebook</title>"; nocase; fast_pattern; content:"We didn't recognize your email address or phone number"; nocase; distance:0; content:"theForm.pass.value.length"; nocase; distance:0; classtype:social-engineering; sid:2025339; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Oct 2017"; dns.query; content:"ab890e964c34.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Revalidation Phishing Landing 2018-02-09"; flow:established,to_client; file_data; content:"<title>Re-Validate Your Mailbox</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2025340; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_09;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Nov 2017"; dns.query; content:"ab3d685a0c37.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"hackgallo10k.png"; within:500; nocase; fast_pattern; content:"Facebook application"; nocase; distance:0; classtype:social-engineering; sid:2025341; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Dec 2017"; dns.query; content:"ab70a139cc3a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024718; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive Cloud Document"; nocase; within:40; fast_pattern; content:"function popupwnd(url,"; nocase; distance:0; classtype:social-engineering; sid:2025342; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jan 2018"; dns.query; content:"ab3c2b0d28ba6.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo"; nocase; distance:0; content:"if(user.length<6){alert("; nocase; distance:0; content:"if(pass.length<6){alert("; nocase; distance:0; classtype:social-engineering; sid:2025343; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_11;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Feb 2018"; dns.query; content:"ab99c24c0ba9.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook Application"; nocase; within:30; fast_pattern; content:"placeholder=|22|Password"; nocase; distance:0; classtype:social-engineering; sid:2025347; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Mar 2018"; dns.query; content:"ab2e1b782bad.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Facebook"; nocase; within:20; content:"k7LsZ6Kzebp.css"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Apr 2018"; dns.query; content:"ab253af862bb0.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024819; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox/OneDrive Phishing Landing 2018-02-07"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Place For All Your Files"; within:60; nocase; content:"function popupwnd(url, toolbar"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025327; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 2018"; dns.query; content:"ab2d02b02bb3.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024820; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn"; nocase; fast_pattern; content:"<title>Sign Up</title>"; nocase; distance:0; classtype:social-engineering; sid:2025349; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2018"; dns.query; content:"ab1b0eaa24bb6.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024821; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Verification"; nocase; within:40; fast_pattern; content:"account was suspended"; nocase; distance:0; content:"enable verification process"; nocase; distance:0; classtype:social-engineering; sid:2025351; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jul 2018"; dns.query; content:"abf09fc5abba.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024822; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M2"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Validate Your Card Information"; nocase; within:50; fast_pattern; content:"</capitaloneheader>"; nocase; distance:0; classtype:social-engineering; sid:2025352; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Aug 2018"; dns.query; content:"abce85a51bbd.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024823; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing 2018-02-13 M1"; flow:established,to_client; file_data; content:"ng-app=|22|signInControllerApp|22|"; nocase; within:100; content:"<title>Sign In</title>"; nocase; distance:0; content:"href=|22|index_fichiers/favicon.ico"; nocase; distance:0; content:"usabilla_live_button_container"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025350; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Sep 2018"; dns.query; content:"abccc097dbc0.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024824; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Validation Phishing Landing 2018-02-13"; flow:established,to_client; file_data; content:"function validateForm()"; nocase; content:"email.match(/fuck"; nocase; distance:0; content:"email.match(/asshole"; nocase; distance:0; content:"email.match(/dickhead"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025353; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_13;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Oct 2018"; dns.query; content:"ab33b8aa69bc4.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024825; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title"; nocase; content:"dropbox"; nocase; within:10; content:"text/css|22|>.hny-htirfw"; nocase; fast_pattern; within:100; content:"class=|22|psw_error"; nocase; distance:0; classtype:social-engineering; sid:2025355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Nov 2018"; dns.query; content:"ab693f4c0bc7.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024826; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Business|20 7c 20|LinkedIn</title>"; nocase; content:"function MM_validateForm()"; nocase; distance:0; content:"#a11y-content"; nocase; distance:0; classtype:social-engineering; sid:2025356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Dec 2018"; dns.query; content:"ab23660730bca.com"; endswith; reference:url,www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/; classtype:trojan-activity; sid:2024827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_09, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-14"; flow:established,to_client; file_data; content:"<title>Account Recovery Information</title>"; nocase; fast_pattern; content:"<title>Account Recovery Information</title>"; nocase; distance:0; content:"facebook account has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2025357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_14;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Feb 2017"; dns.query; content:"ab6d54340c1a.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Website Phishing Landing - Saved Website Comment Observed"; flow:established,to_client; file_data; content:"<!-- saved from url=("; within:300; pcre:"/^\s*?\d+?\s*?\)(?:https://(?:w(?:ww(?:\.(?:(?:bankofamerica|paypal|ups|wellsfargo)\.com|a(?:dobecloud\.com|mazon\.co\.jp)|tax\.service\.gov\.uk|cibc\.mobi)|1\.royalbank\.com)|ebmail\.(?:i(?:llinois|ndstate)\.ed|optusnet\.com\.a)u)|(?:s(?:i(?:tekey\.bankofamerica|gnin\.ebay)|ecure(?:\.bankofamerica|05c\.chase))|login\.(?:(?:microsoftonlin|liv)e|verizonwireless|alibaba)|my\.screenname\.aol)\.com|(?:(?:ex(?:change\.(?:louisvill|purdu)|mail\.oregonstat)e|owa\.uaa\.alaska)\.ed|ib\.nab\.com\.a)u|voscomptesenligne\.labanquepostale\.fr|auth\.centurylink\.net)|/logon/logon/chaseOnline|#www\.kucoin\.com)/Rsi"; classtype:social-engineering; sid:2025281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Mar 2017"; dns.query; content:"aba9a949bc1d.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024709; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Online...... - Berliner....</title>"; nocase; fast_pattern; content:"berliner-sparkasse.de"; nocase; distance:0; classtype:social-engineering; sid:2025361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Apr 2017"; dns.query; content:"ab2da3d400c20.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024710; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Dropbox</title>"; within:300; nocase; fast_pattern; content:"featuredcontentglider.init({"; nocase; distance:0; content:"#yregbnr #yregbnrti #yregbnrtii"; nocase; distance:0; classtype:social-engineering; sid:2025362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA May 2017"; dns.query; content:"ab3520430c23.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024711; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"images/fbgiftscards.jpg"; within:100; fast_pattern; content:"CavalryLogger="; nocase; distance:0; content:"Facebook</title>"; nocase; content:"function Form1_Validator"; nocase; distance:0; content:"var alertsay"; nocase; distance:0; classtype:social-engineering; sid:2025363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE CCleaner Backdoor DGA Jun 2017"; dns.query; content:"ab1c403220c27.com"; endswith; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2024712; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M1"; flow:established,to_client; file_data; content:"<title>Wells Fargo BANK</title>"; fast_pattern; content:"Access Your Accounts</div>"; nocase; distance:0; classtype:social-engineering; sid:2025292; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Python Monero Miner CnC DNS Query"; dns.query; content:".zsw8.cc"; endswith; pcre:"/^[a-z]\./"; reference:url,f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto-miner-botnet-flying-under-the-radar; classtype:command-and-control; sid:2025183; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Cryptominer, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; content:"Dropbox Verification"; within:30; nocase; fast_pattern; content:"PhoneVerificationChallenge"; nocase; distance:0; content:"RecoveryEmailChallenge"; nocase; distance:0; classtype:social-engineering; sid:2025365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ml)"; flow:established,to_client; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title>Chase Online - Logon</title><!--"; nocase; fast_pattern; classtype:social-engineering; sid:2025366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gdn)"; flow:established,to_client; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025190; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Square Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"/* VODKA */"; fast_pattern; content:"<form action=|22|--WEBBOT-SELF--"; nocase; distance:0; classtype:social-engineering; sid:2025367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.gq)"; flow:established,to_client; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025191; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Multi-Account Phish 2018-02-16"; flowbits:isset,ET.genericphish; file_data; content:"<input id=|22|login-username|22 20|name=|22|username|22 20|value=|22|"; nocase; content:"<input name=|22|password|22 20|value="; nocase; distance:0; content:"autocomplete=|22|current-password|22|"; nocase; distance:0; content:"Wrong password. Try again or click Forgot password"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_02_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.ga)"; flow:established,to_client; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025192; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2018-02-19"; flow:established,to_client; file_data; content:"<title>Login - Spotify</title>"; nocase; fast_pattern; content:"LOGIN WITH FACEBOOK"; nocase; distance:0; content:"spotify.com"; nocase; distance:0; classtype:social-engineering; sid:2025369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.cf)"; flow:established,to_client; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025193; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Smartermail Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; content:"SmarterMail"; nocase; within:20; fast_pattern; content:"<form method=|22|post|22 20|action=|22|login.php|22 20|id=|22|aspnetForm|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)"; flow:established,to_client; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2025194; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title"; nocase; content:"USAA / Welcome to USAA"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|POST|22 20|id=|22|Logon|22 20|name=|22|Logon|22 20|class=|22|yuimenubaritemlabel|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Mami CnC Checkin"; flow:established,to_server; http.header; content:"User-Agent|3a 20 0d 0a|"; fast_pattern; http.request_body; content:"r="; depth:2; content:"&rc="; distance:0; http.request_line; content:"POST|20|/|20|HTTP/1.1"; depth:15; endswith; http.header_names; content:!"Referer"; reference:url,objective-see.com/blog/blog_0x26.html; reference:md5,8482fc5dbc6e00da151bea3eba61e360; classtype:command-and-control; sid:2025199; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_01_14, deployment Perimeter, former_category MALWARE, malware_family Mami, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Phishing Landing 2018-02-20"; flow:established,to_client; file_data; content:"<title>Securite utilisateur</title>"; nocase; fast_pattern; content:"<title>S&eacute|3b|curite Yahoo</title>"; nocase; distance:0; classtype:social-engineering; sid:2025373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025201; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_16, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo Sign On to Unlock Your Accounts"; nocase; within:50; classtype:social-engineering; sid:2025377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Chrome Extension Domain Request (change-request .info in DNS Lookup)"; dns.query; content:"change-request.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025216; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign In"; nocase; within:15; content:"Validate"; nocase; within:20; content:"personal Microsoft account"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)"; dns.query; content:"nyoogle.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025217; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Advantage Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo1.png"; nocase; fast_pattern; content:"method=|22|post|22 20|action=|22|post.php"; nocase; distance:0; classtype:social-engineering; sid:2025379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (lite-bookmarks .info in DNS Lookup)"; dns.query; content:"lite-bookmarks.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025219; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-22"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Wells Fargo - Please confirm your identity"; fast_pattern; within:50; nocase; content:"For security reasons"; nocase; distance:0; content:".php|22 20|novalidate=|22 22|"; nocase; distance:0; classtype:social-engineering; sid:2025380; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_22, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in DNS Lookup)"; dns.query; content:"projectevrial.ru"; nocase; endswith; classtype:trojan-activity; sid:2025228; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category TROJAN, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Craigslist Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"craigslist - account log in"; nocase; fast_pattern; within:30; content:".php|22 20|method=|22|POST|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025394; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Evrial Domain (cryptoclipper .ru in DNS Lookup)"; dns.query; content:"cryptoclipper.ru"; endswith; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025256; rev:4; metadata:created_at 2018_01_29, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Mobile Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title>Login</title>"; nocase; content:"mbasic.facebook.com"; nocase; distance:0; content:"name=|22|username|22 20|autocomplete=|22|off|22 20|placeholder=|22|E-mail|22|"; nocase; distance:0; fast_pattern; content:"name=|22|password|22 20|autocomplete=|22|off|22 20|placeholder=|22|Password|22|"; nocase; distance:0; classtype:social-engineering; sid:2025396; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evrial Domain (projectevrial .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"projectevrial.ru"; endswith; nocase; reference:md5,5a71cc1c1ea541eb47638218a25c4123; classtype:trojan-activity; sid:2025257; rev:4; metadata:created_at 2018_01_29, former_category TROJAN, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/logo.png"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; content:"<input name=|22|email|22 20|type=|22|hidden|22|"; nocase; distance:0; classtype:social-engineering; sid:2025397; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Marcher.U DNS Lookup"; dns.query; content:"sagdzusghcsh.top"; nocase; endswith; reference:md5,ccefe18d7b9bc31a8673b9bf82104f48; classtype:trojan-activity; sid:2025273; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_01_30, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing (DE) 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Amazon.de - Kontofreischaltung"; nocase; within:40; fast_pattern; content:"$(|22|#browser_info|22|).val(client.getBrowser"; nocase; distance:0; content:"$(|22|#os_info|22|).val(client.getOS()"; nocase; distance:0; classtype:social-engineering; sid:2025398; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M1"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"superasdc.pw"; depth:12; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025287; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; classtype:social-engineering; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2018_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation EvilTraffic Initial Redirect M2"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/for/77/?d="; nocase; content:"&mykeys="; nocase; distance:0; http.host; content:"caforyn.pw"; depth:10; endswith; fast_pattern; reference:url,csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf; classtype:trojan-activity; sid:2025288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing Oct 04 2017"; flow:established,to_client; file_data; content:"|0d 0a 54 68 65 6d 65 20 4e 61 6d 65 3a 20|"; within:100; content:"|0d 0a 41 75 74 68 6f 72 3a 20 4d 4b 28 72 6a 29|"; within:100; fast_pattern; classtype:social-engineering; sid:2024799; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed ExecPS/Cobolt Domain (getfreshnews .com in DNS Lookup)"; dns.query; content:"getfreshnews.com"; nocase; endswith; reference:md5,5d4d3ba6823a07f070f5a42cbcc7a5c8; classtype:trojan-activity; sid:2025304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-03-08"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"function popupwnd(url"; nocase; distance:0; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025410; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu"; endswith; classtype:credential-theft; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"document.forms[|22|chalbhai|22|][|22|password|22|]"; nocase; classtype:social-engineering; sid:2025418; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evrial Stealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|report -|20|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:19; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ecd56f1f42f932865e98fd319301e1a5; classtype:command-and-control; sid:2025375; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category MALWARE, malware_family Evrial, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Upgrade Email Account Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Secure Login|20 7c 20|E-Mail Administrator"; within:40; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; classtype:social-engineering; sid:2025421; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request for .bin with BITS/ User-Agent"; flow:established,to_server; http.uri; content:".bin"; endswith; http.user_agent; content:"Microsoft BITS/"; depth:15; fast_pattern; http.host; content:!"microsoft.com"; content:!"pdfcomplete.com"; content:!"mymitchell.com"; content:!"azureedge.net"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2024420; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Microsoft_Word, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Retrieve Pending Emails Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Retrieve Pending Emails"; within:30; nocase; fast_pattern; content:"receive any pending mails on server after login"; nocase; distance:0; classtype:social-engineering; sid:2025422; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Princess Ransomware Payment Domain (royal25fphqilqft in DNS Lookup)"; dns.query; content:"royal25fphqilqft"; nocase; endswith; classtype:trojan-activity; sid:2025404; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_02, deployment Perimeter, former_category MALWARE, malware_family Princess_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ourtime Phishing Landing 2018-03-12"; flow:established,to_client; file_data; content:"<title"; nocase; content:"ourtime.com - the 50+ single network"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; nocase; distance:0; classtype:social-engineering; sid:2025423; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (politiaromana .bit in DNS Lookup)"; dns.query; content:"politiaromana.bit"; nocase; endswith; classtype:command-and-control; sid:2025405; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Reader Phishing Landing 2018-03-27"; flow:established,to_client; file_data; content:"<title>Adobe|d0 92 c2 ae 20|PDF Reader|d0 92 c2 ae 20|Xl</title>"; nocase; fast_pattern; content:"this file is protected by adobe"; nocase; distance:0; content:"confirm your email to access this document"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onsubmit=|22|MM_validateForm(&#39|3b|email&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|RisEmail&#39|3b|,&#39|3b|password&#39|3b|,&#39|3b|&#39|3b|,&#39|3b|R&#39|3b|)"; nocase; distance:0; content:"view pdf document"; nocase; distance:0; classtype:social-engineering; sid:2025442; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (gdcb .bit in DNS Lookup)"; dns.query; content:"gdcb.bit"; nocase; endswith; classtype:command-and-control; sid:2025407; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>internal revenue service</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"last 4 of ssn"; nocase; distance:0; content:"if ($('#email').val() == '')"; nocase; distance:0; classtype:social-engineering; sid:2025443; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware CnC/IP Check Domain (malwarehunterteam .bit in DNS Lookup)"; dns.query; content:"malwarehunterteam.bit"; nocase; endswith; classtype:command-and-control; sid:2025406; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_05, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<TITLE>Chase Online - Logon</TITLE>"; nocase; fast_pattern; content:"name=started action=logon.php?lob=rbglogon method=post"; nocase; distance:0; classtype:social-engineering; sid:2025447; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bancos Variant CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.instrumentshigh.com.br"; nocase; endswith; reference:md5,f8b2e89717f77633c7d112c98f2d22ab; classtype:domain-c2; sid:2025433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_03_14, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Impots Phishing Landing 2018-03-28"; flow:established,to_client; file_data; content:"<title>impots.gouv.fr</title>"; nocase; fast_pattern; content:".php|22|"; nocase; distance:0; content:"name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025448; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; dns.query; content:"stickies.pro"; nocase; endswith; reference:url,www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025218; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-03-30"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; fast_pattern; within:300; content:")https://"; within:15; pcre:"/^[^/]+(?:xfinity|comcast)\.(?:com|net)/Ri"; classtype:social-engineering; sid:2025450; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_03_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)"; dns.query; content:".000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026657; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Informational, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-02-15"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Sign in - Google Accounts"; nocase; within:30; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; classtype:social-engineering; sid:2025364; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)"; flow:established,to_client; tls.cert_subject; content:"CN=*.000webhostapp.com"; nocase; endswith; classtype:not-suspicious; sid:2026658; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>wells,fargo sign on to view your accounts</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025473; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Sofacy CnC Domain (ndpmedia24 .com in DNS Lookup)"; dns.query; content:"ndpmedia24.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency; classtype:targeted-activity; sid:2025434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_16, deployment Perimeter, former_category MALWARE, malware_family Sofacy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>|7c 20|tracking system</title>"; nocase; content:"DHL%20_%20Tracking%20System_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025474; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. sx)"; dns.query; content:".onion.sx"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025446; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>resolution center - paypal</title>"; nocase; content:"href=|22|resolutioncenter_files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025478; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. pw)"; dns.query; content:".onion.pw"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title id=|22|pagetitle|22|>facebook - log in or sign up</title>"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|onsubmit=|22|return window.event"; nocase; distance:0; classtype:social-engineering; sid:2025479; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"xmr.pool.minergate.com"; nocase; endswith; classtype:trojan-activity; sid:2025451; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Coinminer, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>share file|20 7c 20|one drive</title>"; nocase; content:"file is waiting"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"onedrive protected file"; nocase; distance:0; classtype:social-engineering; sid:2025480; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (chlenaverasiskihe .sex in DNS Lookup)"; dns.query; content:"chlenaverasiskihe.sex"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025454; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>apple - my apple id</title>"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:"id=|22|donnee"; nocase; distance:0; fast_pattern; content:"name=|22|donnee"; nocase; distance:0; classtype:social-engineering; sid:2025481; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ninjagames .top)"; dns.query; content:"ninjagames.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Post.ch Cloned Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<!-- saved from url="; nocase; within:300; content:"https://account.post.ch"; nocase; within:30; classtype:social-engineering; sid:2025482; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/InnaputRAT CnC DNS Lookup (ajdhsfhiudsfhsi .top)"; dns.query; content:"ajdhsfhiudsfhsi.top"; nocase; endswith; reference:url,www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/; classtype:command-and-control; sid:2025463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family InnaputRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>chase online - account update</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"onsubmit=|22|javascript|3a|return webform_onsubmit()|3b 22|"; nocase; distance:0; classtype:social-engineering; sid:2025475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".js"; endswith; http.user_agent; content:"curl/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025464; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2018-04-14"; flow:established,to_client; file_data; content:"method=|22|post|22|"; nocase; content:"javascript|3a|popupwnd(|22|gmail"; nocase; distance:0; fast_pattern; content:"javascript|3a|popupwnd(|22|outlook"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|aol"; nocase; distance:0; content:"javascript|3a|popupwnd(|22|yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025502; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (ssl .arkouthrie .com)"; dns.query; content:"ssl.arkouthrie.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025466; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mail Verification Phishing Landing 2018-04-18"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Mail Verification"; nocase; within:20; fast_pattern; content:"img src=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"name=|22|passwd|22|"; nocase; distance:0; content:"All rights reserved"; nocase; distance:0; classtype:social-engineering; sid:2025514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (s3 .hiahornber .com)"; dns.query; content:"s3.hiahornber.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025467; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PDF Cloud Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign In - PDF Cloud"; nocase; fast_pattern; content:"href=|22|index_files/adobe.css"; nocase; distance:0; content:"Sign in with your email address to view or download attachment"; nocase; distance:0; classtype:social-engineering; sid:2025515; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/OceanLotus.D CnC DNS Lookup (widget .shoreoa .com)"; dns.query; content:"widget.shoreoa.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025468; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Bank of America|20 7c 20|Online Banking|20 7c 20|Sign In|20 7c 20|Online ID"; nocase; fast_pattern; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"href=|22|css/Untitled1.css"; nocase; distance:0; classtype:social-engineering; sid:2025516; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&bit="; content:"&info=Windows|3a 20|"; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox 000webhost Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Dropbox"; nocase; content:"method=|22|POST|22|"; nocase; distance:0; content:"Select your email provider"; nocase; distance:0; fast_pattern; content:"powered-by-000webhost"; nocase; distance:0; classtype:social-engineering; sid:2025517; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot CnC Task Status"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&taskId="; distance:0; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:command-and-control; sid:2025471; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category MALWARE, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Centurylink Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>centurylink"; nocase; content:"href=|22|centurylink|25|20_|25|20login_files/"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2025523; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP APN/Ask Toolbar PUA/PUP User-Agent"; flow:established,to_server; http.user_agent; content:"TBNotifier"; depth:10; fast_pattern; endswith; classtype:pup-activity; sid:2025400; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING MyADP Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>Login to MyADP"; nocase; fast_pattern; content:"href=|22|AD/"; nocase; distance:0; content:"src=|22|AD/"; nocase; distance:0; classtype:social-engineering; sid:2025524; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LokiBot Fake 404 Response"; flow:established,from_server; flowbits:isset,ET.LokiBot; http.stat_code; content:"404"; file.data; content:"|08 00 00 00 00 00 00 00|File not found."; depth:23; fast_pattern; endswith; reference:md5,CA427D578AFA51B262272C78D1C04AB9; classtype:trojan-activity; sid:2025483; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_10, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M1 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your Microsoft account"; nocase; content:"<!-- /ko -->"; nocase; distance:0; fast_pattern; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; content:"<!-- /ko"; nocase; distance:0; classtype:social-engineering; sid:2025525; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?confirmation"; fast_pattern; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&pass_input="; nocase; distance:0; classtype:credential-theft; sid:2025505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Comcast/Xfinity Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>sign in to xfinity"; nocase; content:"src=|22|comcast_files/"; nocase; distance:0; fast_pattern; content:"src=|22|comcast_files/"; nocase; distance:0; classtype:social-engineering; sid:2025528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Observed Coin-Hive In Browser Mining Domain (coin-hive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"coin-hive.com"; endswith; classtype:trojan-activity; sid:2025535; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family CoinMiner, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LCL Banque Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"<title>lcl banque"; nocase; content:"src=|22|./lcl_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./lcl_files/"; nocase; distance:0; classtype:social-engineering; sid:2025529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coin-Hive In Browser Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.coin-hive.com"; nocase; endswith; classtype:coin-mining; sid:2025536; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing M2 2018-04-19"; flow:established,to_client; file_data; content:"<title>Sign in to your account"; nocase; content:"content=|22|WYSIWYG Web Builder"; nocase; distance:0; content:"<form name=|22|ff|22|"; nocase; distance:0; fast_pattern; content:"method=|22|POST|22|"; nocase; distance:0; classtype:social-engineering; sid:2025526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .com in DNS Lookup)"; dns.query; content:"msoftupdates.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025542; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Popupwnd Phishing Landing 2018-04-19"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:",'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_20, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (msoftupdates .eu in DNS Lookup)"; dns.query; content:"msoftupdates.eu"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"bank of america"; nocase; within:30; content:"<form name=|22|b0a|22|"; nocase; distance:0; fast_pattern; content:".php?session=$pmd$pmd|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025549; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/GravityRAT CnC Domain (mylogisoft .com in DNS Lookup)"; dns.query; content:"mylogisoft.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html; classtype:command-and-control; sid:2025544; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title"; nocase; content:"One Drive"; nocase; within:25; content:"function popupwnd(url"; nocase; distance:0; content:"choose your email provider"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; fast_pattern; content:"'no','no','no','no','no','no'"; nocase; distance:0; classtype:social-engineering; sid:2025550; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M1"; http.host; content:".bit"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025547; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"|23 20 4e 65 77 20 53 63 61 6d 61 20 4e 65 74 66 6c 69 78 20 32 30 31 38 20 42 79 20 58 2d 59 61 63 20 23|"; within:500; classtype:social-engineering; sid:2025555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely GandCrab Ransomware Domain in HTTP Host M2"; http.host; content:".coin"; endswith; pcre:"/^(?:(?:malwarehuntertea|nomoreranso)m|politiaromana|ransomware|carder)\.(?:bit|coin)$/"; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025548; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-02"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Log in to your PayPal"; nocase; within:40; content:"PayPaI.|20 7c 20|All rights reserved."; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025556; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (ransomware .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"ransomware.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025452; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2018-05-07"; flow:established,to_client; file_data; content:"<title>mytax portal</title>"; nocase; fast_pattern; content:"id=|22|form1|22 20|name=|22|form1|22|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"name=|22|pww|22 20|type=|22|password|22 20|id=|22|pww|22|"; nocase; distance:0; classtype:social-engineering; sid:2025561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (zonealarm .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"zonealarm.bit"; nocase; endswith; reference:md5,a85907638378377ff357242a7311244d; classtype:trojan-activity; sid:2025453; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_02, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"content=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; content:"name=|22 48 46 2d 4a 61 63 6b 73 6f 6e 22|"; nocase; distance:0; content:"class=|22 48 46 5f 4a 61 63 6b 73 6f 4e 5f|"; nocase; distance:0; content:"class=|22 42 79 5f 48 61 73 73 61 6e 5f 46 61 72 74 6f 75 74 22|"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025568; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Ransomware Domain (carder .bit in DNS Lookup)"; threshold: type both, track by_src, count 1, seconds 120; dns.query; content:"carder.bit"; endswith; reference:md5,9faf6dedd3e0cd018d2e45bc8855bd4a; classtype:trojan-activity; sid:2025546; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_30, deployment Perimeter, former_category MALWARE, malware_family GandCrab, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 77 69 7a 22|"; nocase; distance:0; content:"class=|22 68 61 73 73 61 6e 22|"; nocase; distance:0; classtype:social-engineering; sid:2025569; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLeaves HOGFISH APT Implant CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; http.connection; content:"Keep-Alive"; http.content_len; byte_test:0,<,110,0,string,dec; http.header_names; content:!"Referer"; content:!"Accept-Encoding"; content:!"Content-Type"; reference:md5,2d9ac00470a104b9841d851ddf33cad7; reference:md5,627b903657b28f3a2e388393103722c8; reference:url,www.accenture.com/t20180423T055005Z__w__/us-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf; classtype:targeted-activity; sid:2025557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT10, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 6c 6f 67 69 6e 5f 6d 6f 75 73 74 61 63 68 65 22|"; nocase; fast_pattern; content:"class=|22 6e 73 69 74 22|"; nocase; distance:0; content:"class=|22 74 39 61 79 61 64 22|"; nocase; distance:0; content:"class=|22 74 73 61 6e 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025570; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; dns.query; content:".myq-see.com"; nocase; endswith; classtype:policy-violation; sid:2025560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 69 6d 67 5f 76 69 63 74 69 6d 65 22|"; nocase; fast_pattern; content:"class=|22 6e 61 6d 65 5f 76 69 63 74 69 6d 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 22|"; nocase; distance:0; content:"class=|22 6d 6f 75 73 74 61 63 68 65 5f 61 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 6d 69 61 5f 6b 68 61 6c 69 66 61 22|"; nocase; distance:0; classtype:social-engineering; sid:2025571; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Ransomware Domain (y5mogzal2w25p6bn .ml in DNS Lookup)"; dns.query; content:"y5mogzal2w25p6bn.ml"; endswith; reference:md5,5f1ab58f0639b5e43fca508eb0d4f97e; classtype:trojan-activity; sid:2025567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"<!--|20 41 6e 4f 5f 6f 6e 69 73 6d 61 20|-->"; nocase; fast_pattern; content:"name=|22 41 6e 6f 6e 69 73 6d 61 22|"; nocase; distance:0; content:"class=|22 41 6e 6f 6e 69 73 6d 61|"; nocase; distance:0; classtype:social-engineering; sid:2025572; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) 2016-02-27"; flow:to_server,established; flowbits:set,ET.bofaphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formID="; depth:7; nocase; classtype:credential-theft; sid:2027958; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-05-09"; flow:established,to_client; file_data; content:"class=|22 61 2d 6e 2d 6f 2d 6e 2d 69 2d 73 2d 6d 2d 61 22|"; nocase; fast_pattern; content:"id=|22 62 6f 74 64 6b 68 6f 6c 22|"; nocase; distance:0; classtype:social-engineering; sid:2025573; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_05_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; fast_pattern; content:"bodyElems"; distance:0; pcre:"/^\s*=\s*document\s*\.\s*getElementsByTagName\s*\(\s*[\x22\x27]body[\x22\x27]/Ri"; content:"bodyElems[0]"; distance:0; pcre:"/^\s*\.\s*style\s*\.\s*visibility\s*=\s*[\x22\x27]visible[\x22\x27]/Ri"; content:"style=|22|visibility:hidden|22 20|onload=|22|unhideBody()|22|"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position|3a|absolute|3b 20|overflow|3a|hidden|3b 20|left|3a|"; nocase; distance:0; classtype:social-engineering; sid:2025653; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending Machine Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"infobot"; depth:7; endswith; http.request_body; content:"|7b 22|bits|22 3a 20 22|"; depth:10; content:"|22|cpun|22 3a 20 22|"; distance:0; http.header_names; content:!"Referer"; reference:md5,3549c3af4417a344b5cbf53dbe7ab36c; classtype:trojan-activity; sid:2025577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing 2018-05-01"; flow:established,to_client; file_data; content:"<title> DocuSlgn </title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_01, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Rarog Stealer CnC Keep-Alive"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/check.php"; endswith; fast_pattern; http.request_body; content:"m="; depth:2; pcre:"/^m=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/si"; http.header_names; content:!"Referer"; reference:md5,b38a63aea75bcf06fed11067cc75cc7e; classtype:command-and-control; sid:2025580; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Wells Fargo Phishing Landing 2018-06-20"; flow:established,to_client; file_data; content:"<title>Wells Fargo |3a| Banking|2c|"; nocase; fast_pattern; content:"content=|22|WELLS FARGO BANK|22|"; nocase; distance:0; classtype:social-engineering; sid:2025624; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_06_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET COINMINER Observed Malicious SSL Cert (Coinhive URL Shortener)"; flow:established,to_client; tls.cert_subject; content:"CN=cnhv.co"; nocase; endswith; reference:url,blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shorteners.html; classtype:coin-mining; sid:2025582; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_05_22, deployment Perimeter, former_category MALWARE, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] OneDrive Phishing Landing 2018-06-15"; flow:established,to_client; file_data; content:"<title>One Drive Cloud Document Sharing"; nocase; fast_pattern; content:"Select with email provider below"; nocase; distance:0; content:"Login with Office 365"; nocase; distance:0; classtype:social-engineering; sid:2025625; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:social-engineering; sid:2022486; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Adobe Phishing Landing 2018-07-04"; flow:from_server,established; content:"<title>PDF Online"; nocase; fast_pattern; content:"Please Enter Your receiving Email Address"; nocase; distance:0; content:"method=|22|post|22|"; nocase; classtype:social-engineering; sid:2025648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Minor, updated_at 2018_07_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"POST"; http.header; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:credential-theft; sid:2022487; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Github Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"form action=|22|login.php|22|"; content:"<h1>Sign in to GitHub</h1>"; distance:0; fast_pattern; content:"<input type=|22|text|22 20|name=|22|username|22|"; distance:0; classtype:social-engineering; sid:2025873; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2018_07_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header INetSim"; flow:established,from_server; http.content_type; content:"x-msdos-program"; file.data; content:"MZ|0a|Sinkholed|0a|"; depth:13; fast_pattern; endswith; classtype:trojan-activity; sid:2025585; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Twitter Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Login to Twitter</title>"; content:"form action=|22|login.php|22|"; distance:0; content:"|20 20 20 20 20 20|name=|22|usernameOrEmail|22 0a|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025874; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection"; flow:established,to_server; http.method; content:"POST"; nocase; http.host; content:!"nvidia.com"; endswith; content:!"dc.services.visualstudio.com"; endswith; content:!".avg.com"; endswith; content:!"bitdefender.net"; endswith; content:!"svc.iolo.com"; endswith; content:!".lavasoft.com"; endswith; content:!"canonicalizer.ucsuri.tcs"; http.request_body; content:"C|3A 5C 5C|WINDOWS|5C|"; fast_pattern; nocase; classtype:trojan-activity; sid:2011341; rev:17; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"<title>Netflix</title>"; content:"meta content=|22|watch movies"; distance:0; content:"meta content=|22|Watch Netflix movies"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025875; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031412; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category MALWARE, malware_family Formbook, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2017-07-20"; flow:established,from_server; file_data; content:"class=|22|ie ie6 lte9 lte8 lte7 os-linux|22|>"; content:"<title>LinkedIn|26 23|58|3b 20|Log In or Sign Up</title>"; distance:0; fast_pattern; content:"action=|22|login.php|22|"; distance:0; classtype:social-engineering; sid:2025876; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_20, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2018_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Donut Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.request_body; content:"pc_id="; depth:6; content:"pc_key="; distance:0; content:"win_ver="; fast_pattern; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; content:!"Cache"; classtype:command-and-control; sid:2025595; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_19, deployment Perimeter, former_category MALWARE, malware_family Donut, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] DHL Phish Landing July 24 2018"; flow:established,to_client; file_data; content:"<TITLE>Tracking made easy"; nocase; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Sign In With Your Correct Email and Password To Review Package Information"; nocase; distance:0; classtype:social-engineering; sid:2025886; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in DNS Lookup)"; dns.query; content:"debasuin.nl"; endswith; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025596; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Christian Mingle Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>christian mingle - login</title>"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|data.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2025973; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BackSwap Trojan C2 Domain Observed (debasuin .nl in TLS SNI)"; flow:established,to_server; tls.sni; content:"debasuin.nl"; endswith; nocase; reference:url,www.cert.pl/en/news/single/backswap-malware-analysis; classtype:command-and-control; sid:2025597; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_20, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your microsoft account</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025974; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".gif"; fast_pattern; endswith; content:!"__utm.gif"; endswith; http.host; content:!".tealiumiq.com"; content:!"snackly.co"; content:!"otf.msn.com"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:17; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>log in to your paypal account</title>"; nocase; fast_pattern; content:"|7a 31 31 38 2e 63 73 73|"; nocase; distance:0; classtype:social-engineering; sid:2025975; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in DNS Lookup)"; dns.query; content:"tpddata.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025599; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Free Mobile Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>free mobile - bienvenue dans votre espace"; nocase; fast_pattern; content:"<img id=|22|fins|22 20|src=|22|fins.png|22|>"; nocase; distance:0; content:"<input type=|22|password|22 20|name=|22|ps|22 20|id=|22|ps|22|"; nocase; distance:0; classtype:social-engineering; sid:2025976; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (tpddata .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"tpddata.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>adobe pdf</title>"; nocase; fast_pattern; content:"title=|22|you are not signed in yet|22|"; nocase; distance:0; content:"title=|22|login to continue|22|"; nocase; distance:0; content:"adobe pdf online"; nocase; distance:0; content:"email password"; nocase; distance:0; classtype:social-engineering; sid:2025977; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in DNS Lookup)"; dns.query; content:"www.anlway.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025601; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Ajax Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account"; nocase; content:"action: posturl|20|}|22 20|action=|22|connectidx.php|22|"; nocase; distance:0; fast_pattern; content:"privacy.microsoft.com"; nocase; distance:0; classtype:social-engineering; sid:2025978; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .anlway .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.anlway.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025602; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"content=|22|alibaba manufacturer directory"; nocase; content:"class=|22|xman"; nocase; distance:0; fast_pattern; content:"id=|22|xman"; nocase; distance:0; content:"<iframe"; nocase; distance:0; classtype:social-engineering; sid:2025979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in DNS Lookup)"; dns.query; content:"www.ap8898.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025603; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Phishing Landing 2018-08-07"; flow:established,to_client; file_data; content:"<title>sign in to your account</title>"; nocase; content:"onerror=|22|$loader.on(this,true)|22 20|onload=|22|$loader.on(this)"; nocase; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"secure.aadcdn.microsoftonline-p.com"; nocase; distance:0; classtype:social-engineering; sid:2025981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .ap8898 .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ap8898.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:".php|22 20|name=|22|chalbhai|22 20|id=|22|chalbhai|22 20|method=|22|post|22|"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in DNS Lookup)"; dns.query; content:"www.apshenyihl.com"; endswith; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025605; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"var hea2p ="; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; nocase; distance:0; content:"var hea2t ="; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026043; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Autophyte.F C2 Domain (www .apshenyihl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.apshenyihl.com"; endswith; nocase; reference:url,sfkino.tistory.com/60; classtype:command-and-control; sid:2025606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Chalbhai Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function unhideBody()"; nocase; content:"onload=|22|unhideBody()|22|"; nocase; distance:0; content:"name=chalbhai id=chalbhai method=post"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2026042; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] VBS Retrieving Malicious Payload"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php1"; endswith; fast_pattern; pcre:"/\/[0-9]{10}.php1$/"; http.user_agent; content:"Microsoft BITS/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,aa56a1de9b91446c66d53f12f797bef5; classtype:trojan-activity; sid:2025626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Hellion Postmaster Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<img src=|22|./hellion/postmaster.png|22|"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:"<img src=|22|./hellion/logos.png|22|"; nocase; distance:0; classtype:social-engineering; sid:2026044; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN"; fast_pattern; content:"IEEE11iAuthenticationMode"; content:"IEEE11iEncryptionModes"; content:"X_TP_PreSharedKey="; content:"X_TP_GroupKeyUpdateInterval"; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Document Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<h3>DOCUMENT MANAGEMENT SYSTEM</h3>"; fast_pattern; nocase; content:"javascript:void(0)|3b 22|>Document</a> -> <a href=|22|javascript:void(0)|3b 22|>Important Files</a> -> Current File</div>"; nocase; distance:0; content:"<h3>File to Download</h3>"; content:"USER AUTHENTICATION</h4>"; nocase; distance:0; classtype:social-engineering; sid:2026045; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"DMZ_HOST_CFG"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; content:"onclick=|22|popupwnd("; nocase; distance:0; classtype:social-engineering; sid:2026046; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; http.uri; content:"/cgi?3"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"IP_CONN_PORTTRIGGERING"; content:"openProtocol"; content:"openPort="; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:4; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_26, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple AES Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"jQuery(function($)"; nocase; content:"$('.cc-number').payment('formatCardNumber"; nocase; distance:0; content:"$(|22|#ssn|22|).mask(|22|999-99-9999"; nocase; distance:0; content:"Aes.Ctr.decrypt(hea2t, hea2p"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026049; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blind Server-Side Request Forgery"; flow:established,to_server; http.uri; content:"/xmlrpc/pingback"; endswith; http.request_body; content:"<methodCall>"; content:"<methodName>pingback.ping</methodName>"; fast_pattern; content:"<value>http://"; content:"<value>http://"; distance:0; reference:url,exploit-db.com/raw/44945/; classtype:attempted-user; sid:2025759; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Stripe Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Stripe: Login"; nocase; fast_pattern; content:"<form name=|22|appleConnectForm"; nocase; distance:0; content:"onsubmit=|22|if(do_submit(3)) return true|3b 20|"; nocase; distance:0; content:"id=|22|pass0|22|"; nocase; distance:0; classtype:social-engineering; sid:2026050; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN HP Enterprise VAN SDN Controller"; flow:established,to_server; http.uri; content:"/sdn/ui/app/rs/hpws/config"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-recon; sid:2025760; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function MM_validateForm() { //v"; nocase; content:"email address to view or download"; nocase; distance:0; content:"PDF is protected"; nocase; distance:0; content:"onclick=|22|MM_validateForm('password"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026051; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"!<arch>|0a|debian-binary"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Docs Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"url(Google_docs_files/"; nocase; fast_pattern; content:"href=|22|Google_docs_files/"; nocase; distance:0; content:"your email provider"; nocase; distance:0; content:"data-description=|22|Sign in with"; nocase; distance:0; classtype:social-engineering; sid:2026052; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING WeTransfer Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Encrypted Message"; nocase; fast_pattern; content:"<div id=|22|gmail|22|"; nocase; distance:0; content:"<div id=|22|yahoo|22|"; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2026053; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; http.uri; content:"/admin/moduleinterface.php"; fast_pattern; endswith; http.request_body; content:"<?php system($_GET["; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>|ce 92 d0 b0 6e 6b 20 d0 be 66 20 ce 91 6d d0 b5 72 d1 96 d1 81 d0 b0 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 92 d0 b0 6e 6b d1 96 6e 67 20 7c 20 d0 85 d1 96 67 6e 20 ce 99 6e 20 7c 20 ce 9f 6e 6c d1 96 6e d0 b5 20 ce 99 44|</title>"; classtype:social-engineering; sid:2026054; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Trade - Information Disclosure"; flow:established,to_server; http.uri; content:"/dashboard/deposit"; fast_pattern; endswith; reference:cve,2018-12905; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-recon; sid:2025783; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Bank of America"; nocase; content:"name=|22|generator|22 20|content=|22|WYSIWYG"; nocase; distance:0; content:"href=|22|css/Untitled"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026055; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopNx - Arbitrary File Upload"; flow:established,to_server; http.uri; content:"/api/media"; fast_pattern; endswith; http.request_body; content:"<script"; reference:cve,2018-12519; reference:url,exploit-db.com/exploits/44978/; classtype:web-application-attack; sid:2025784; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Verification"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026056; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 1"; dns.query; content:"goldncup.com"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025639; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Mailbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Mail Settings|20 7c 20|Email Upgrade"; nocase; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; nocase; distance:0; classtype:social-engineering; sid:2026057; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 2"; dns.query; content:"glancelove.com"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025640; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Dropbox|20 7c 20|Sign in"; nocase; fast_pattern; content:"name=|22|generator|22 20|content=|22|Web Page Maker"; nocase; distance:0; content:"<div id=|22|image1|22 20|style=|22|position:absolute|3b 20|overflow:hidden|3b 20|left:"; nocase; distance:0; classtype:social-engineering; sid:2026058; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 3"; dns.query; content:"autoandroidup.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025641; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>Sign In|20 7c 20|LinkedIn"; nocase; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22 20|action=|22|login.php|22|>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2026059; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 4"; dns.query; content:"mobilestoreupdat.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025642; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M1 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 32 6b 31 37 20 70 72 69 76 38 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026061; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET MOBILE_MALWARE Android/Spy.Agent.AON / Glancelove DNS Lookup 5"; dns.query; content:"updatemobapp.website"; endswith; reference:url,www.clearskysec.com/glancelove/; classtype:trojan-activity; sid:2025643; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Glancelove, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M2 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 61 6d 61 7a 6f 6e 20 62 79 20 6b 40 6d 65 6c 32 70 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026062; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PolarisOffice Insecure Library Loading"; flow:to_server; http.method; content:"GET"; http.uri; content:"puiframeworkproresenu.dll"; endswith; reference:cve,2018-12589; classtype:attempted-user; sid:2025792; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category WEB_CLIENT, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M3 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 22 69 74 75 6e 65 73 20 62 79 20 68 61 69 74 68 65 6d 20 62 61 74 20 24 22 20 2d 2d 3e|"; classtype:social-engineering; sid:2026063; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rostpay Downloader User-Agent"; flow:established,to_server; http.user_agent; content:"Rostpay Downloader"; nocase; depth:18; endswith; reference:md5,6887e8e2fb391a1ca84f192efd5c8331; classtype:trojan-activity; sid:2025697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M4 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 73 63 61 6d 20 70 72 6f 20 62 79 20 74 68 75 67 2d 6e 65 74 2d 65 76 65 72 20 26 20 70 75 6e 69 73 68 65 72 2d 6f 75 6a 64 69|"; classtype:social-engineering; sid:2026064; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:".dtd|22|>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M5 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 74 61 6b 72 69 7a 20 26 20 32 30 31 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2026065; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE html PUBLIC |22|-//W3C//DTD XHTML 1.0 Transitional//EN|22|"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M6 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 75 70 64 61 74 65 20 62 79 20 78 62 6f 6f 6d 62 65 72 20 26 20 78 68 61 74 20 2d 2d 3e|"; classtype:social-engineering; sid:2026066; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*ftp\x3a\x2f\x2f/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M7 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 2d 20 63 72 65 61 74 65 64 20 62 79 20 6c 65 67 7a 79 20 2d 2d 2d 20 69 63 71 20 3a 20 36 39 32 35 36 31 38 32 34 20 2d 2d 2d 2d 3e|"; classtype:social-engineering; sid:2026067; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; content:"<data>&send|3b|</data>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M8 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 6d 6f 64 65 64 20 62 79 20 61 6e 74 68 72 61 78 2d 2d 3e|"; classtype:social-engineering; sid:2026068; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup"; dns.query; content:"ios-certificate-update.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025727; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M9 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 61 6c 69 62 6f 62 6f 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026069; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 2"; dns.query; content:"al-enayah.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025728; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic PhishKit Author Comment M10 2018-08-30"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 74 68 65 20 73 63 72 69 70 74 20 77 61 73 20 6f 72 69 67 69 6e 61 6c 79 20 63 6f 64 65 64 20 62 79 20 6f 6c 64 6c 65 67 65 6e 64 20 33 36 30 2d 2d 3e|"; classtype:social-engineering; sid:2026070; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_08_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 3"; dns.query; content:"voguextra.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025729; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AT&T Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"<title>AT&"; nocase; content:"href=|22|https://home.secureapp.att.net/"; nocase; distance:0; content:".php|22 20|method=|22|post|22 20|id=|22|LoginForm|22|"; nocase; distance:0; content:"|22|type=|22|com.sbc.idm.igate_edam.forms.LoginFormBean|22|"; nocase; distance:0; classtype:social-engineering; sid:2026060; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 4"; dns.query; content:"techwach.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025730; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic MRxJoker Phishing Landing 2018-09-27"; flow:established,to_client; file_data; content:"content=|22|@importmrxjokercss|22|"; nocase; fast_pattern; content:"name=|22|mrxjokercard|22|"; nocase; distance:0; classtype:social-engineering; sid:2026419; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2018_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 5"; dns.query; content:"wpitcher.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html; classtype:trojan-activity; sid:2025731; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_17, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, tag iOS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Xbalti Phishing Landing 2018-11-26"; flow:established,from_server; file_data; content:"|2d 2d 7e 28 20 20 5c 20 7e 29 29 29 29 29 29 29 29 29 29 29 29 0d 0a 20 20 20 20 2f 20 20 20 20 20 5c 20 20 60 5c 2d 28 28 28 28 28 28 28 28 28|"; within:400; content:"|5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f|"; fast_pattern; classtype:social-engineering; sid:2026650; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2018_11_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Gemini/2.0)"; flow:established,to_server; http.user_agent; content:"Gemini/2.0"; depth:10; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025889; rev:3; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026465; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Hakai/2.0)"; flow:established,to_server; http.user_agent; content:"Hakai/2.0"; depth:9; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025890; rev:4; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-27"; flow:established,to_server; content:"POST"; http_method; content:"id1="; depth:4; nocase; http_client_body; content:"|25|40"; distance:0; http_client_body; content:"&id2="; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.genericphish; flowbits:noalert; classtype:credential-theft; sid:2026038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2018_11_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE OilRig QUADAGENT CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"www.cpuproc.com"; endswith; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:command-and-control; sid:2025891; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Redirect 2019-01-02"; flow:from_server,established; file_data; content:"<!--"; depth:4; content:"window.top.location='account/?view=login&appIdKey="; nocase; within:150; isdataat:!50,relative; classtype:social-engineering; sid:2026748; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_01_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 6"; dns.query; content:"ios-certificate-whatsapp.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025896; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"<!-- saved from url=("; within:500; content:")https://idm.east.cox.net/"; distance:4; within:26; fast_pattern; classtype:social-engineering; sid:2027535; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 7"; dns.query; content:"hytechmart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025897; rev:4; metadata:created_at 2018_07_25, updated_at 2020_09_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Miarroba Phishing Landing"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|3c 21 2d 2d 20 49 6e 73 65 72 74 65 64 20 62 79 20 6d 69 61 72 72 6f 62 61 20 2d 2d 3e|"; classtype:social-engineering; sid:2027561; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2019_06_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 8"; dns.query; content:"appswonder.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025898; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Miarroba Phish 2019-07-11"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<!-- Inserted by miarroba -->"; fast_pattern; nocase; classtype:credential-theft; sid:2027699; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 9"; dns.query; content:"referfile.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025899; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Adobe Phish 2019-07-29"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<title>Adobe Document Cloud"; fast_pattern; nocase; classtype:credential-theft; sid:2027764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 10"; dns.query; content:"hiltrox.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025900; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Fake AV Phone Scam Long Domain Sept 15 2016"; dns_query; content:"issuefound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2023237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_08_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 11"; dns.query; content:"scrollayer.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025901; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish (set) 2016-09-12"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Email="; depth:6; nocase; http_client_body; content:"&Next=Next"; nocase; distance:0; http_client_body; fast_pattern; flowbits:set,ET.GmailPhish_1; flowbits:noalert; classtype:credential-theft; sid:2027956; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_09_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 12"; dns.query; content:"twitck.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025902; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic XBALTI Phishing Landing"; flow:established,to_client; file_data; content:"|3c 21 2d 2d 20 7c 20 20 20 20 5c 20 20 5c 20 42 59 20 58 42 41 4c 54 49 20 2f 20 2d 2d 3e|"; fast_pattern; classtype:social-engineering; sid:2027966; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 14"; dns.query; content:"nfinx.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025904; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 01"; dns_query; content:"account-google.serveftp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023833; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 15"; dns.query; content:"metclix.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025905; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 02"; dns_query; content:"aramex-shipping.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 16"; dns.query; content:"capsnit.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025906; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 03"; dns_query; content:"device-activation.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023835; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising EK Redirect to EK M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?id="; isdataat:!5,relative; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.referer; content:".php?JBOSSESSION="; fast_pattern; classtype:exploit-kit; sid:2025913; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 04"; dns_query; content:"dropbox-service.serveftp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023836; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal RC4 Encrypted 8 Byte Static CnC Checkin"; flow:established,to_server; urilen:<100; http.method; content:"POST"; http.request_body; content:"|81 b2 a8 97 7e a3 1b 91|"; depth:8; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:command-and-control; sid:2025923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 05"; dns_query; content:"dropbox-sign.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023837; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 4"; dns.query; content:"euiro8966.organiccrap.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025927; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 06"; dns_query; content:"dropboxsupport.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023838; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 3"; dns.query; content:"kted56erhg.dynssl.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025926; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 07"; dns_query; content:"fedex-mail.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023839; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 2"; dns.query; content:"www.hosting.tempors.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025925; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 08"; dns_query; content:"fedex-shipping.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023840; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 1"; dns.query; content:"jennifer998.lookin.at"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025924; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 09"; dns_query; content:"fedex-sign.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023841; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal DNS Lookup 5"; dns.query; content:"games.my-homeip.com"; nocase; endswith; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; classtype:trojan-activity; sid:2025928; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category TROJAN, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 10"; dns_query; content:"googledriver-sign.ddns.net"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023842; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 1"; dns.query; content:"banca-movil.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025933; rev:4; metadata:affected_product Android, affected_product iOS, attack_target Mobile_Client, created_at 2018_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 11"; dns_query; content:"googledrive-sign.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023843; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 2"; dns.query; content:"pine-sales.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025934; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 12"; dns_query; content:"google-maps.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023844; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 3"; dns.query; content:"ecommerce-ads.org"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025935; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 13"; dns_query; content:"googlesecure-serv.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023845; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 4"; dns.query; content:"bytlo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025936; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 14"; dns_query; content:"googlesignin.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023846; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 5"; dns.query; content:"ticket-selections.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025937; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 15"; dns_query; content:"googleverify-signin.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023847; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 6"; dns.query; content:"onlineshopzm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025938; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 16"; dns_query; content:"mailgooglesign.servehttp.com"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023848; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 7"; dns.query; content:"zednewszm.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025939; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 17"; dns_query; content:"myaccount.servehttp.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023849; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 8"; dns.query; content:"zm-banks.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025940; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 18"; dns_query; content:"secure-team.servehttp.com"; depth:25; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023850; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 9"; dns.query; content:"zm-weather.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025941; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 19"; dns_query; content:"security-myaccount.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023851; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 10"; dns.query; content:"znothernkivu.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025942; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 20"; dns_query; content:"verification-acc.servehttp.com"; depth:30; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023852; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 11"; dns.query; content:"afriquenouvelle.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025943; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 21"; dns_query; content:"dropbox-verfy.servehttp.com"; depth:27; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023853; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 12"; dns.query; content:"allafricaninfo.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025944; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 22"; dns_query; content:"fedex-s.servehttp.com"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023854; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 13"; dns.query; content:"centrasia-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025945; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 23"; dns_query; content:"watchyoutube.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023855; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 14"; dns.query; content:"mystulchik.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025946; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 24"; dns_query; content:"verification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023856; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 15"; dns.query; content:"odnoklass-profile.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025947; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 25"; dns_query; content:"securityteam-notify.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023857; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 16"; dns.query; content:"sputnik-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025948; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 26"; dns_query; content:"secure-alert.servehttp.com"; depth:26; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023858; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 17"; dns.query; content:"tengrinews.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025949; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 27"; dns_query; content:"quota-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023859; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 18"; dns.query; content:"sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025950; rev:4; metadata:created_at 2018_08_02, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 28"; dns_query; content:"notification-team.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023860; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 19"; dns.query; content:"egov-sergek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025951; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 29"; dns_query; content:"fedex-notification.servehttp.com"; depth:32; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023861; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 20"; dns.query; content:"egov-segek.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025952; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 30"; dns_query; content:"docs-mails.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023862; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 21"; dns.query; content:"mykaspi.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025953; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 31"; dns_query; content:"restricted-videos.servehttp.com"; depth:31; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023863; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 22"; dns.query; content:"kaspi-payment.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025954; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 32"; dns_query; content:"dropboxnotification.servehttp.com"; depth:33; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023864; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 24"; dns.query; content:"e-sveiciens.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025955; rev:4; metadata:created_at 2018_08_02, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 33"; dns_query; content:"moi-gov.serveftp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023865; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 25"; dns.query; content:"klientuserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025956; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 34"; dns_query; content:"activate-google.servehttp.com"; depth:29; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023866; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 26"; dns.query; content:"kurjerserviss.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025957; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Request to NilePhish Domain 35"; dns_query; content:"googlemaps.servehttp.com"; depth:24; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:social-engineering; sid:2023867; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2019_09_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 27"; dns.query; content:"reklamas.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025958; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"AppleSession"; http_cookie; content:"Cookie|3a 20|AppleSession"; fast_pattern; classtype:credential-theft; sid:2024374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_10_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 28"; dns.query; content:"legyelvodas.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025959; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Jul 24 2015"; flow:to_client,established; file_data; content:"GOOGLE.com?</title>"; fast_pattern; content:"view shared document"; content:"ValidateFormYahoo"; distance:0; content:"ValidateFormGmail"; distance:0; content:"ValidateFormHotmail"; distance:0; content:"ValidateFormAol"; distance:0; content:"ValidateFormOther"; distance:0; classtype:social-engineering; sid:2025682; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 29"; dns.query; content:"theastafrican.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025960; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Email Account Phish 2019-12-10"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?yasse="; fast_pattern; content:"&upw="; distance:0; content:"&hidCflag="; distance:0; http.header_names; content:!"Referer"; reference:url,isc.sans.edu/forums/diary/Phishing+with+a+selfcontained+credentialsstealing+webpage/25580/; classtype:credential-theft; sid:2029105; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2019_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 30"; dns.query; content:"ajelnews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025961; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL Cert (Office365 Phish Landing Page 2020-01-09)"; flow:established,to_client; tls.cert_subject; content:"CN=*.lakeshoreemployeetestingservices.com"; nocase; endswith; reference:md5,24a4c5f5033d7f399464df05a072012c; classtype:social-engineering; sid:2029256; rev:1; metadata:affected_product Any, attack_target Client_and_Server, created_at 2020_01_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_01_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 31"; dns.query; content:"akhbara-aalawsat.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025962; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cnumber="; nocase; content:"cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029685; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 32"; dns.query; content:"akhbar-arabia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025963; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"num="; nocase; content:"&expm"; nocase; content:"&expy"; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029686; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 33"; dns.query; content:"gulf-news.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025964; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&mm="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029687; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 34"; dns.query; content:"eltiempo-news.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025965; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cardnumber="; nocase; content:"&month="; nocase; content:"&year="; nocase; content:"&CVV"; nocase; fast_pattern; classtype:credential-theft; sid:2029688; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 35"; dns.query; content:"arabnews365.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025966; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cc="; nocase; content:"&numero_tarjeta="; nocase; content:"&cvv"; nocase; fast_pattern; classtype:credential-theft; sid:2029689; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 36"; dns.query; content:"arabworldnews.info"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025967; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Card="; nocase; content:"MM="; content:"YY="; content:"CVC="; fast_pattern; classtype:credential-theft; sid:2029690; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 37"; dns.query; content:"breaking-extranews.online"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025968; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-02-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CCnumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; classtype:credential-theft; sid:2029691; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 38"; dns.query; content:"breaking-news.co"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025969; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Office Phish 2020-02-26"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&submit=Extract+File+Now&sendgo="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029692; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_02_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 39"; dns.query; content:"breakingnewsasia.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025970; rev:4; metadata:created_at 2018_08_03, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2020-03-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uskkes1="; depth:8; nocase; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029693; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Related Domain 40"; dns.query; content:"breakthenews.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/; classtype:trojan-activity; sid:2025971; rev:4; metadata:created_at 2018_08_03, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-14"; flow:established,to_client; file_data; content:"<TITLE>DHL|20 7c 20|Tracking</TITLE>"; nocase; fast_pattern; content:"Login to Continue Tracking your Package"; nocase; distance:0; content:"Invalid Password."; nocase; distance:0; content:"Please try again using correct details."; nocase; distance:0; classtype:credential-theft; sid:2029654; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/collectdata-new.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|a|22 3a|"; depth:5; content:"|22|b|22 3a|[{|22|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025987; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, tag Android, updated_at 2020_09_16, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fake World Health Organization COVID-19 Portal 2020-03-20"; flow:established,to_client; file.data; content:"<title>Coronavirus disease (COVID-19"; nocase; fast_pattern; content:"Verify your account details"; distance:0; nocase; content:"COVID-19 SAFETY PORTAL"; distance:0; nocase; classtype:social-engineering; sid:2029695; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_03_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/newuser.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|imei|22 3a|"; depth:8; content:"|22|tag|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc56d261cbf0ecddcdc70de85af138d1; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:command-and-control; sid:2025988; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, signature_severity Major, tag Android, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NHS Webmail Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.header; content:"nhs"; nocase; http.request_body; content:"usr="; nocase; content:"&pss="; nocase; fast_pattern; content:"formimage1.x="; nocase; content:"formimage1.y="; nocase; classtype:credential-theft; sid:2029701; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.CrazyMango.a Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/admin/data/fcollectdata.php"; fast_pattern; endswith; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"{|22|category|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b603017bbcee17a76f5b0ee478d2d935; reference:url,drive.google.com/file/d/1WJCXG2SIkVwPEw5dlAE5U__OfDB88zD0/view; classtype:trojan-activity; sid:2025989; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_08_13, deployment Perimeter, former_category MOBILE_MALWARE, malware_family ANdroid_CrazyMango, tag Android, updated_at 2020_09_16, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING UK GOV Identity Verification Phishing Landing"; flow:established,to_client; file.data; content:"|3c 74 69 74 6c 65 3e 50 72 d0 be ce bd d0 b5 20 ce a5 d0 be cf 85 72 20 c6 96 64 d0 b5 6e 74 69 74 79|"; content:"<form action=need.php"; distance:0; content:"method=post"; distance:0; classtype:social-engineering; sid:2029702; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker C2)"; flow:established,to_client; tls.cert_subject; content:"CN=uiaoduiiej.chimkent.su"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:domain-c2; sid:2025995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Unhidebody Function Observed in Phishing Landing"; flow:established,to_client; file.data; content:"function unhideBody()"; nocase; fast_pattern; content:"var bodyElems = document.getElementsByTagName(|22|body|22|)|3b|"; nocase; content:"bodyElems[0].style.visibility =|20 22|visible|22 3b|"; nocase; distance:0; content:"onload=|22|unhideBody()|22|"; content:"method="; nocase; pcre:"/^["']?post/Ri"; classtype:social-engineering; sid:2029732; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_03_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Panda Banker Injects)"; flow:established,to_client; tls.cert_subject; content:"CN=urimchi3dt4.website"; nocase; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:domain-c2; sid:2025996; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful World Health Organization COVID-19 Phish 2020-03-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.request_body; content:"phone="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&contactSubmit=Verify"; distance:0; fast_pattern; isdataat:!1,relative; classtype:credential-theft; sid:2029700; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in DNS Lookup)"; dns.query; content:"uiaoduiiej.chimkent.su"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Colleagues Quarantined with COVID-19 Phish 2020-03-25"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"menamn="; depth:7; nocase; content:"&talk="; nocase; distance:0; content:"|25|40"; distance:0; content:"&onehundr="; nocase; distance:0; content:"&pullfilk="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029737; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker C2 Domain (uiaoduiiej .chimkent .su in TLS SNI)"; flow:established,to_server; tls.sni; content:"uiaoduiiej.chimkent.su"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:command-and-control; sid:2025998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category MALWARE, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"/continue_bnb.php"; nocase; fast_pattern; isdataat:!1,relative; http.header; content:"airbnb"; nocase; content:"covid"; nocase; classtype:credential-theft; sid:2029738; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in DNS Lookup)"; dns.query; content:"urimchi3dt4.website"; endswith; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2025999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Airbnb COVID-19 Phish 2020-03-26"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<script>parent.location='https://www.airbnb.com/help/article/2701/extenuating-circumstances-policy-and-the-coronavirus"; fast_pattern; classtype:credential-theft; sid:2029747; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker Injects Domain (urimchi3dt4 .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"urimchi3dt4.website"; endswith; nocase; reference:url,www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html; classtype:trojan-activity; sid:2026000; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, malware_family Panda_Banker, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Start+Process"; nocase; distance:0; classtype:credential-theft; sid:2029782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (bigboss .x24hr .com)"; dns.query; content:"bigboss.x24hr.com"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026021; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency COVID-19 Assistance Eligability (FR) Phish 2020-04-01"; flow:established,to_server; content:"|0d 0a 0d 0a|FN="; fast_pattern; http.method; content:"POST"; http.request_body; content:"FN="; depth:3; content:"&SN="; distance:0; content:"&submit=Lancer+le+Processus"; nocase; distance:0; classtype:credential-theft; sid:2029783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MSIL/BISKVIT DNS Lookup (secured-links .org)"; dns.query; content:"secured-links.org"; nocase; fast_pattern; endswith; reference:md5,02655131d4167f3be9b83b0eaa6609f7; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026022; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category TROJAN, malware_family BISKVIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01"; flow:established,to_client; file.data; content:"$(|22|#sin|22|).keyup(function(e){"; nocase; fast_pattern; content:"<title>Confirmez Votre Identit"; nocase; content:"href=|22|./details_files/"; nocase; content:"<input type=|22|tel|22 20|name=|22|SN|22|"; nocase; classtype:social-engineering; sid:2029788; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Payload Download Nov 11 2014"; flow:established,to_server; http.uri; content:"/bin.exe"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019696; rev:5; metadata:created_at 2014_11_12, former_category CURRENT_EVENTS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency COVID-19 Assistance Eligibility Phishing Landing 2020-04-01"; flow:established,to_client; file.data; content:"$(|22|#sin|22|).keyup(function(e){"; nocase; content:"<title>COVID-19 Check your eligibility"; nocase; fast_pattern; content:"href=|22|./details_files/"; nocase; content:"<input type=|22|tel|22 20|name=|22|SN|22|"; nocase; classtype:social-engineering; sid:2029789; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; content:".deb|0d 0a|"; http.request_body; content:"|7f|ELF"; depth:4; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Billing.php?sslchannel="; fast_pattern; nocase; content:"&sessionid="; distance:0; nocase; http.request_body; content:"name="; depth:5; nocase; content:"&dob="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&telephone="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&town="; nocase; distance:0; content:"&mmn="; nocase; distance:0; classtype:credential-theft; sid:2029850; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.FakeEzQ.kr Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"MyAgent"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7afebc844a3313eb2a89b3028fbba7a6; reference:url,otx.alienvault.com/pulse/5b8844d6db17df1779153624; classtype:command-and-control; sid:2026071; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful CDC Coronavirus Related Phish 2020-04-07"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location: https://www.cdc.gov"; fast_pattern; classtype:credential-theft; sid:2029827; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in DNS Lookup)"; dns.query; content:"www.megaopac.host"; endswith; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026072; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, deployment Perimeter, former_category TROJAN, malware_family Stealer, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING CDC Coronavirus Related Phishing Landing 2020-04-07"; flow:from_server,established; file.data; content:"<link rel=|22|icon|22 20|href=|22|https://www.cdc.gov/"; nocase; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; content:"submit=|22|return ValidateContactForm()|3b 22|"; nocase; distance:0; fast_pattern; content:"src=|22|./untitled.png|22|"; nocase; distance:0; content:"Sign in with your email"; nocase; distance:0; classtype:social-engineering; sid:2029828; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_04_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Mega Chrome Extension Exfil Domain (www .megaopac .host in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.megaopac.host"; endswith; nocase; reference:url,twitter.com/serhack_/status/1037026672787304450; classtype:trojan-activity; sid:2026073; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2018_09_04, former_category TROJAN, malware_family Stealer, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>OneDrive File Viewer"; nocase; distance:0; fast_pattern; content:"document.write(unescape("; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:".php|22|"; nocase; distance:0; classtype:social-engineering; sid:2029858; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (defender-update .com)"; dns.query; content:"defender-update.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"<title>Share Point Online"; nocase; fast_pattern; content:"ACCESS YOUR DOCUMENT"; nocase; distance:0; content:"///url email getting///"; nocase; distance:0; classtype:social-engineering; sid:2029877; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_04_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig CnC DNS Lookup (windowspatch .com)"; dns.query; content:"windowspatch.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-04-10"; flow:established,to_client; file.data; content:"Instagram Help Center</title>"; nocase; fast_pattern; content:"reviewed and decied your account complaited"; nocase; distance:0; classtype:social-engineering; sid:2029878; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pser?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}(?:BBZ|BBY)[A-F0-9]{,1000}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026081; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spotify Phishing Landing 2020-04-14"; flow:to_client,established; file.data; content:"class=|22|xx_Z118x"; fast_pattern; nocase; content:"<title>Spotify"; nocase; classtype:social-engineering; sid:2029899; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tahw?"; depth:6; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING French Government COVID-19 Landing Page"; flow:established,to_client; content:"<title>Info Coronavirus COVID-19|20 7c 20|Gouvernement.fr"; fast_pattern; content:"Informations <strong>Coronavirus </strong></h1>"; distance:0; content:"method=|22|post|22 20|action=|22|"; pcre:"/^(?:(?!\.php).+)\.php\x22/R"; classtype:social-engineering; sid:2030145; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig OopsIE CnC Checkin M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/khc?"; depth:5; fast_pattern; pcre:"/^[A-F0-9]{10,}$/Ri"; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:command-and-control; sid:2026083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_05, deployment Perimeter, former_category MALWARE, malware_family OilRig, malware_family OopsIE, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING NHS Gov UK COVID-19 Landing Page"; flow:established,to_client; content:"<title>NHS COVID19 Relieve - GOV.UK"; fast_pattern; content:"COVID-19 Relieve system"; distance:0; content:"Apply for COVID-19 Relieve"; distance:0; content:"method=|22|post|22|"; distance:0; classtype:social-engineering; sid:2030146; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Aura Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"{KIARA}"; depth:7; endswith; fast_pattern; reference:md5,dde4654f1aa9975d1ffea1af8ea5015f; classtype:trojan-activity; sid:2026100; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_06, deployment Perimeter, former_category MALWARE, malware_family Aura, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS COVID-19 Landing Page"; flow:established,to_client; content:"<title>Get My Payment"; fast_pattern; content:"title=|22|Go to IRS Home Page|22|"; content:".php|22 20|method=|22|post|22|"; distance:0; content:"discovered that you are eligible for an instant amount"; distance:0; content:"credited to your confirmed financial institution in a timeframe of"; distance:0; classtype:social-engineering; sid:2030147; rev:1; metadata:created_at 2020_05_11, former_category PHISHING, updated_at 2020_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; http.user_agent; content:"onedru/"; depth:7; endswith; fast_pattern; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_07, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to NOIP DynDNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|irc).com|m(?:inecraft.net|p3.com)|b(?:eer.com|log.net))|curitytactics.com)|tufftoread.com|ytes.net)|m(?:y(?:securitycamera.(?:com|net|org)|(?:activedirectory|vnc).com|(?:mediapc|effect|psx).net|d(?:issent.net|dns.me)|ftp.(?:biz|org))|lbfan.org|mafan.biz)|d(?:(?:itchyourip|amnserver|ynns).com|dns(?:.(?:net|me)|king.com)|ns(?:iskinky.com|for.me)|vrcam.info)|h(?:o(?:(?:mesecurity(?:ma|p)c|sthampster).com|pto.(?:org|me))|ealth-carereform.com)|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem).org|iscofreak.com)|p(?:(?:rivatizehealthinsurance|gafan).net|oint(?:2this.com|to.us))|f(?:reedynamicdns.(?:net|org)|antasyleague.cc)|(?:(?:3utiliti|quicksyt)es|onthewifi).com|b(?:logsyte.com|ounceme.net|rasilia.me)|n(?:et-freaks.com|flfan.org|hlfan.net)|re(?:ad-books.org|directme.net)|u(?:nusualperson.com|fcfan.org)|(?:eating-organic|viewdns).net|w(?:orkisboring.com|ebhop.me)|g(?:eekgalaxy.com|olffan.us)|ilovecollege.info|loginto.me|access.ly|zapto.org)(\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030172; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Tor/Noscript JS Bypass"; flow:established,to_client; http.content_type; content:"text/html|3b|/json"; depth:15; endswith; reference:url,twitter.com/Zerodium/status/1039127214602641409; classtype:trojan-activity; sid:2026109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to ChangeIP Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030173; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=baways.com"; nocase; endswith; reference:url,riskiq.com/blog/labs/magecart-british-airways-breach; classtype:domain-c2; sid:2026110; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_11, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Afraid.org Top 100 Dynamic DNS Domain"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; pcre:"/\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(?:\x3a\d{1,5})?$/"; classtype:credential-theft; sid:2030174; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_05_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil)"; flow:established,to_client; tls.cert_subject; content:"CN=info-stat.ws"; nocase; endswith; reference:url,bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script; classtype:domain-c2; sid:2026112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Security Phishing Landing Page"; flow:to_client,established; file.data; content:"href=|22|/public/campaign/"; content:"src=|22|/public/campaign/"; distance:0; content:"no connection or relationship between the trademark owner and Lucy Security or the LUCY Security customer"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2030214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_05_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Android Device Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/generate_204"; fast_pattern; endswith; http.host; content:"connectivitycheck.gstatic.com"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Cache"; content:!"Referer"; classtype:policy-violation; sid:2036220; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_09_14, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Minor, tag Connectivity_Check, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful EDF Account Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; fast_pattern; content:"&nom"; distance:0; content:"&adresse1="; distance:0; content:"&ville="; distance:0; classtype:credential-theft; sid:2031769; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"; flow:from_server,established; tls.cert_subject; content:"CN=ipinfo.io"; nocase; endswith; classtype:external-ip-check; sid:2025330; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Battle.net Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?"; http.request_body; content:"accountName="; depth:12; fast_pattern; content:"&password="; distance:0; content:"&persistLogin="; distance:0; content:"&csrftoken="; distance:0; classtype:credential-theft; sid:2031729; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Exfil Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=neweggstats.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-newegg; classtype:domain-c2; sid:2026215; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Amazon Phish 2015-09-22"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"<title>|0a 20 20 20 20|! successful"; fast_pattern; content:"successful !"; distance:0; content:"Data has been successfully updated"; distance:0; classtype:credential-theft; sid:2031770; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in DNS Lookup)"; dns.query; content:"1jve.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026115; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Web App Phish 2015-10-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"app=o365&"; nocase; depth:9; fast_pattern; content:"&name="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031731; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (1jve .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"1jve.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026116; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"legalfirstname="; depth:15; nocase; content:"&legallastname="; nocase; distance:0; content:"&date_ob="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; classtype:credential-theft; sid:2031782; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in DNS Lookup)"; dns.query; content:"clarke-taylor.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026117; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"cardNumber="; depth:11; nocase; content:"&date_ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&btn_card=Continue"; nocase; distance:0; classtype:credential-theft; sid:2031732; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (clarke-taylor .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"clarke-taylor.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026118; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-10-28 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?websrc="; fast_pattern; http.request_body; content:"bankname="; depth:9; nocase; content:"&accountid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&accounnumber="; nocase; distance:0; classtype:credential-theft; sid:2031733; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in DNS Lookup)"; dns.query; content:"hcttmail.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026119; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish Oct 30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"1="; depth:2; content:"&2="; nocase; distance:0; content:"Log+In=Log+In"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022017; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hcttmail .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hcttmail.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026120; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"name="; depth:5; content:"&adress1="; nocase; distance:0; content:"&phone="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022018; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in DNS Lookup)"; dns.query; content:"mail-presidency.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026121; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-30 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Go=_"; http.request_body; content:"chldr="; depth:7; content:"&ccnum="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2022019; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-presidency .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-presidency.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026122; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-11-03 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"FN="; depth:3; nocase; fast_pattern; content:"&LN="; nocase; distance:0; content:"&ST="; nocase; distance:0; content:"&AL="; nocase; distance:0; content:"&CT="; nocase; distance:0; content:"&SA="; nocase; distance:0; content:"&CN="; nocase; distance:0; content:"&Code="; nocase; distance:0; classtype:credential-theft; sid:2031734; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in DNS Lookup)"; dns.query; content:"aamir-khan.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026123; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-11-03 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"CC="; depth:3; nocase; fast_pattern; content:"&EM="; nocase; distance:0; content:"&EY="; nocase; distance:0; content:"&CV="; nocase; distance:0; content:"&SC="; nocase; distance:0; content:"&BD="; nocase; distance:0; content:"&SN="; nocase; distance:0; content:"&SO="; nocase; distance:0; classtype:credential-theft; sid:2031735; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aamir-khan .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"aamir-khan.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026124; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Data Submitted to Weebly.com - Possible Phishing"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"weebly.net|0d 0a|"; fast_pattern; content:"X-W-DC|3a 20|"; http.content_type; content:"text/html"; startswith; file.data; content:"{|22|success|22 3a|true"; distance:0; content:"|22|action|22 3a 22|finished|22|"; distance:1; content:"Your information has been submitted"; nocase; distance:0; classtype:trojan-activity; sid:2031785; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in DNS Lookup)"; dns.query; content:"daario-naharis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026125; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Weebly Phishing Landing Observed 2015-11-10"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"weebly.net|0d 0a|"; fast_pattern; content:"X-W-DC|3a 20|"; http.content_type; content:"text/html"; startswith; file.data; content:"form enctype=|22|multipart/form-data|22|"; nocase; content:"VERIFY YOUR ACCOUNT BELOW FOR NEW UPGRADE"; nocase; distance:0; content:"U$er Name"; nocase; distance:0; content:"PASSW0RD"; nocase; distance:0; content:"CONFIRM PASSW0RD"; nocase; distance:0; classtype:social-engineering; sid:2031786; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (daario-naharis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"daario-naharis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026126; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2015-11-17"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Keep-Alive|3a 20|timeout="; http.content_type; content:"text/html"; startswith; file.data; content:"To view document"; nocase; fast_pattern; content:"select your email provider"; nocase; distance:0; content:"select other email provider"; nocase; distance:0; content:"Sign In"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2031787; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in DNS Lookup)"; dns.query; content:"help-live.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026127; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SFR Phishing 2015-11-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; distance:0; nocase; content:"&remember-me="; distance:0; nocase; content:"&identifier="; distance:0; nocase; classtype:credential-theft; sid:2031790; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-live .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-live.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026128; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&is_valid_email="; nocase; distance:0; classtype:credential-theft; sid:2031795; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in DNS Lookup)"; dns.query; content:"margaery-tyrell.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026129; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2015-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"t1="; depth:3; nocase; content:"&login="; fast_pattern; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2031796; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (margaery-tyrell .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"margaery-tyrell.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026130; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-06-10"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2030275; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in DNS Lookup)"; dns.query; content:"accaunts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026131; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - CenturyLink Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|syn_login_form|22 20|method=|22|post|22 20|action=|22|check.php|22|>"; classtype:social-engineering; sid:2030281; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accaunts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accaunts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026132; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|login-form|22 20|method=|22|post|22 20|autocomplete=|22|off|22 20|action=|22|mask.php|22 20|>"; classtype:social-engineering; sid:2030282; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in DNS Lookup)"; dns.query; content:"dachfunny.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026133; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic T.Goe Phishing Landing"; flow:established,to_client; file.data; content:"######...........####....####...######..........######..######...####...##...##."; fast_pattern; content:"..##............##......##..##..##................##....##......##..##..###.###"; distance:0; content:"##.###..##..##..####..............##....####....######..##.#.##"; distance:0; classtype:social-engineering; sid:2030283; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026134; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|log.php|22 20|id=|22|formcredentials|22 20|method=|22|post|22 20|class=|22 22|>"; classtype:social-engineering; sid:2030284; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in DNS Lookup)"; dns.query; content:"help-sec.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026135; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|id=|22|login-form|22 20|class=|22|adjacent|22 20|action=|22|post.php|22|>"; classtype:social-engineering; sid:2030285; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (help-sec .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"help-sec.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026136; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"facebook"; nocase; content:"<form method=|22|post|22 20|action=|22|logs.php|22 20|class=|22|bd be|22 20|id=|22|login_form|22 20|novalidate=|22|1|22|>"; distance:0; classtype:social-engineering; sid:2030286; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in DNS Lookup)"; dns.query; content:"maria-bouchard.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026137; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"facebook"; nocase; content:"<form id=|22|login_form|22 20|action=|22|post.php|22 20|method=|22|post|22 20|novalidate=|22|1|22 20|onsubmit=|22 22|>"; classtype:social-engineering; sid:2030287; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maria-bouchard .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"maria-bouchard.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026138; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Webmail Mini Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"/login_files/"; nocase; content:"<form action=|22|login.php|22 20|method=|22|post|22 20|novalidate=|22|novalidate|22|>"; classtype:social-engineering; sid:2030288; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in DNS Lookup)"; dns.query; content:"account-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026139; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|logon.php?header=1&enroll=|22 20|method=|22|post|22 20|action=|22|log.php|22 20|id=|22|logon.php?header=1&enroll=|22 20|autocomplete=|22|off|22|>"; classtype:social-engineering; sid:2030289; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026140; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|challenge.php|22 20|id=|22|login-username-form|22 20|method=|22|post|22 20|class=|22|username-challenge|20 22|>"; classtype:social-engineering; sid:2030290; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in DNS Lookup)"; dns.query; content:"dachfunny.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026141; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Cox Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form class=|22|form|22 20|id=|22|consolidated-signin|22 20|name=|22|sign-in|22 20|action=|22|1.php|22 20|method=|22|post|22 20|enctype=|22|application/x-www-form-urlencoded|22|>"; classtype:social-engineering; sid:2030291; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dachfunny .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"dachfunny.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026142; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Linkedin Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|myform|22 20|action=|22|mail.php|22 20|onsubmit=|22|return validateform()|22 20|method=|22|post|22|>"; classtype:social-engineering; sid:2030292; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in DNS Lookup)"; dns.query; content:"heyapp.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026143; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|formcredentials|22 20|method=|22|post|22 20|action=|22|log.php|22 20|class=|22|suntrust-login-form ng-untouched ng-pristine ng-valid|22|>"; classtype:social-engineering; sid:2030293; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (heyapp .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"heyapp.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026144; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Whatsapp/Facebook Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"whatsapp"; nocase; content:"<form action=|22|check.php|22 20|method=|22|post|22|>"; distance:0; classtype:social-engineering; sid:2030294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in DNS Lookup)"; dns.query; content:"marklavi.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026145; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - M&T Bank Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"M&amp|3b|T Bank"; nocase; content:"<form action=|22|email1.php|22 20|method=|22|post|22 20|id=|22|aspnetform|22|>"; distance:0; classtype:social-engineering; sid:2030295; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"marklavi.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026146; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|data|22 20|action=|22|wapg2gapp.php|22 20|id=|22|login-username-form|22 20|method=|22|post|22 20|class=|22|username-challenge|20 22|>"; classtype:social-engineering; sid:2030296; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in DNS Lookup)"; dns.query; content:"account-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026147; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Paypal Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form for="; content:"xmarvelxdcxcomic"; distance:0; content:"|22 20|action=|22|1.php|22 20|method=|22|post|22 20|class=|22|"; distance:0; fast_pattern; content:"|22 20|name=|22|login|22|>"; classtype:social-engineering; sid:2030297; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (account-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"account-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026148; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Multibrand Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|send.php|22 20|method=|22|post|22 20|onclick=|22|check(this.form)|22 20|onsubmit=|22|check(this.form)|22|>"; classtype:social-engineering; sid:2030298; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in DNS Lookup)"; dns.query; content:"dardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026149; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form class=|22|_3jvtb|22 20|action=|22|login.php|22 20|method=|22|post|22|>"; classtype:social-engineering; sid:2030299; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026150; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - SunTrust Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form action=|22|1.php|22 20|class=|22|lggfrm|22 20|name=|22|regfrm|22 20|id=|22|regfrm|22 20|method=|22|post|22 20|autocomplete=|22|off|22|>"; classtype:social-engineering; sid:2030300; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in DNS Lookup)"; dns.query; content:"hitmesanjjoy.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026151; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - VK Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|authorization|22 20|action=|22|check.php|22 20|method=|22|post|22|>"; content:"href=|22|https://new.vk.com/"; distance:0; classtype:social-engineering; sid:2030301; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hitmesanjjoy .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"hitmesanjjoy.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026152; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Possible Generic Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|action=|22|post.php|22|>"; classtype:social-engineering; sid:2030302; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in DNS Lookup)"; dns.query; content:"mary-crawley.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026153; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Chase Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form id=|22|login-form|22 20|method=|22|post|22 20|autocomplete=|22|off|22 20|action=|22|jero.php|22|>"; classtype:social-engineering; sid:2030303; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mary-crawley .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mary-crawley.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026154; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Instagram Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form class=|22|_3jvtb|22 20|method=|22|post|22 20|action=|22|./burner.php|22|>"; classtype:social-engineering; sid:2030304; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in DNS Lookup)"; dns.query; content:"accountforuser.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026155; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Netease Webmail Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<title>163"; content:"<form action=|22|waka-login.php|22 20|id=|22|lg-form|22 20|name=|22|lg-form|22 20|method=|22|post|22|>"; distance:0; classtype:social-engineering; sid:2030305; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforuser .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforuser.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026156; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Paypal Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<title>log in to your paypal"; content:"<form action=|22|login.php|22 20|method=|22|post|22 20|class=|22|proceed maskable|22 20|autocomplete=|22|off|22 20|name=|22|login|22|autocomplete=|22|off|22 20|novalidate>"; distance:0; classtype:social-engineering; sid:2030306; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in DNS Lookup)"; dns.query; content:"dardash.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026157; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Microsoft Account Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form name=|22|f1|22 20|id=|22|i0281|22 20|method=|22|post|22 20|action=|22|password.php|22|>"; classtype:social-engineering; sid:2030307; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026158; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Common Form POST - Yahoo Phishing Landing 2020-06-11"; flow:established,to_client; file.data; content:"<form method=|22|post|22 20|name=|22|login_form|22 20|id=|22|login_form|22 20|action=|22|./skz.php|22 20|class=|22|pure-form pure-form-stacked mbr-login-form|22|>"; classtype:social-engineering; sid:2030308; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_06_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in DNS Lookup)"; dns.query; content:"hoopoechat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026159; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-24 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login_cmd="; nocase; depth:10; fast_pattern; content:"&login_params="; nocase; distance:0; content:"&racho"; nocase; distance:0; content:"&submit.x="; nocase; distance:0; classtype:credential-theft; sid:2031799; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hoopoechat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hoopoechat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026160; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Sign In</title>"; nocase; fast_pattern; content:"value=|22|Account Summary|22|"; nocase; distance:0; content:"value=|22|Transfer|22|"; nocase; distance:0; content:"value=|22|Brokerage|22|"; nocase; distance:0; content:"value=|22|Trade|22|"; nocase; distance:0; content:"value=|22|MessageAlerts|22|"; nocase; distance:0; classtype:social-engineering; sid:2031956; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in DNS Lookup)"; dns.query; content:"masuka.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026161; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wells Fargo Phish Loading Page 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Please Wait</title>"; nocase; fast_pattern; content:"http-equiv="; distance:0; nocase; content:"Refresh"; nocase; distance:1; within:8; content:"Verifying Your Account"; nocase; distance:0; content:"Please wait"; nocase; distance:0; classtype:credential-theft; sid:2031957; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (masuka .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"masuka.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026162; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"GOVERNMENT SYSTEM IS FOR AUTHORIZED"; fast_pattern; content:"Use of this system constitutes"; nocase; distance:0; content:"Internal Revenue Service"; nocase; distance:0; content:"Electronic Filing PIN"; nocase; distance:0; content:"foreignPostalLbl"; nocase; distance:0; classtype:social-engineering; sid:2031958; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in DNS Lookup)"; dns.query; content:"accountforusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026163; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Update Phishing Landing 2016-01-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"form action=|22|http|3a|//www.formbuddy.com"; nocase; distance:0; content:"Name|3a|"; nocase; distance:0; content:"E-Mail|3a|"; nocase; distance:0; content:"Password|3a|"; fast_pattern; nocase; distance:0; content:"Submit Form"; nocase; distance:0; classtype:social-engineering; sid:2031959; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountforusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountforusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026164; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chrome Extension Phishing HTTP Request"; flow:to_server,established; http.host; content:"chrome-extension."; startswith; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022373; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in DNS Lookup)"; dns.query; content:"dardash.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026165; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-01-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webscr?cmd=_"; nocase; fast_pattern; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"email="; nocase; content:"password="; nocase; distance:0; classtype:credential-theft; sid:2031960; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026166; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-01-15 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webscr?cmd=_"; nocase; fast_pattern; content:"&account_card="; distance:0; nocase; content:"&session="; nocase; distance:0; http.header; content:"&account_address="; nocase; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"address_1="; nocase; depth:10; content:"&address_2="; nocase; distance:0; classtype:credential-theft; sid:2031961; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in DNS Lookup)"; dns.query; content:"hotimael.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026167; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-01-15 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Submit"; nocase; http.header; content:"/webscr?cmd=_"; nocase; content:"&account_card="; nocase; http.cookie; content:"paypalglobal"; nocase; content:"btnLogin"; nocase; http.request_body; content:"cc_holder="; nocase; depth:10; fast_pattern; content:"&cc_number="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; classtype:credential-theft; sid:2031962; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotimael .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotimael.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026168; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Webeden.co.uk (set) 2016-01-22"; flow:to_server,established; urilen:1; flowbits:set,ET.webeden.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"webeden.co.uk"; endswith; fast_pattern; classtype:social-engineering; sid:2031963; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in DNS Lookup)"; dns.query; content:"matthew-stevens.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026169; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Canada Revenue Agency Phishing Landing 2016-01-25"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"DEBUT DE L|27|EN-TETE"; nocase; fast_pattern; content:"DU GABARIT NSI"; nocase; distance:0; content:"<title>Get Tax Refund"; nocase; distance:0; content:"Canada Revenue Agency"; nocase; distance:0; classtype:social-engineering; sid:2031965; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (matthew-stevens .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"matthew-stevens.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026170; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Navy Federal Credit Union Phishing Landing 2016-01-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Navy Federal Credit Union"; fast_pattern; nocase; content:"Armed Forces Loans"; nocase; distance:0; classtype:social-engineering; sid:2031966; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in DNS Lookup)"; dns.query; content:"accounts-gocgle.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026171; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing 2020-06-22"; flow:established,to_client; file.data; content:"name=|22|chalbhai|22 20|id=|22|chalbhai|22 20|method=|22|get|22|"; fast_pattern; classtype:social-engineering; sid:2030372; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-gocgle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-gocgle.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026172; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Webeden.co.uk M1 2016-01-22"; flow:to_client,established; flowbits:isset,ET.webeden.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2031964; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in DNS Lookup)"; dns.query; content:"dardash.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026173; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USPS Phishing Landing 2016-02-10"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>USPS.com|c2 ae 20|- Sign In</title>"; nocase; fast_pattern; content:"Create a USPS.com"; nocase; distance:0; classtype:social-engineering; sid:2031967; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_11, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (dardash .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"dardash.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026174; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your e-mail account will be verify"; nocase; fast_pattern; content:"DO NOT RESEND"; nocase; distance:0; content:"MESSAGE IS FROM THE SYSTEM ADMIN"; nocase; distance:0; classtype:credential-theft; sid:2031968; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in DNS Lookup)"; dns.query; content:"hotmailme.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026175; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Maps Phishing Landing 2016-02-17"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Google Maps"; nocase; fast_pattern; content:"ultrozoic_rotating_by_dragontunders"; nocase; distance:0; content:"Please enter your email"; nocase; distance:0; content:"Please enter your email password"; nocase; distance:0; classtype:social-engineering; sid:2031969; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hotmailme .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"hotmailme.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026176; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript 2016-02-09"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv"; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; pcre:"/^\x22[0-9]+?[^\x22]/Rsi"; content:"url=data|3a|text/html,http"; fast_pattern; nocase; distance:0; pcre:"/^[^\x22]+<\s*?script\s*?.+data\x3atext/html\x3bbase64,/Rsi"; classtype:social-engineering; sid:2031970; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in DNS Lookup)"; dns.query; content:"mauricefischer.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026177; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING USAA Phishing Landing 2016-02-26"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"google-site-verification|22 20|content=|22|ixTkEWd_UcMhrL39nLaMLEq66o3Ecdwa-btSiATF0Uc"; content:"<title>USAA / Welcome to USAA"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2031971; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mauricefischer .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mauricefischer.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026178; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-01 M3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Account Verification"; fast_pattern; nocase; content:"Your Apple ID"; nocase; distance:0; content:"Account Verification Complete"; nocase; distance:0; content:"restore your account"; nocase; distance:0; classtype:credential-theft; sid:2031972; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in DNS Lookup)"; dns.query; content:"accounts-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026179; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2016-03-01 M2"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>iCloud"; fast_pattern; nocase; content:"Sign in"; nocase; distance:0; content:"Apple ID"; nocase; distance:0; content:"Activation"; nocase; distance:0; content:"Privacy Policy"; nocase; distance:0; classtype:social-engineering; sid:2031973; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accounts-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accounts-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026180; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing 2016-03-01 M3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".form input[type=email]"; nocase; content:".form input[type=password]"; nocase; distance:0; content:"Apple ID"; fast_pattern; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Sign In"; nocase; distance:0; classtype:social-engineering; sid:2031974; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in DNS Lookup)"; dns.query; content:"david-mclean.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026181; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-01 M5"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".form input[type=email]"; nocase; content:".form input[type=password]"; nocase; distance:0; content:"password are invalid"; fast_pattern; nocase; distance:0; content:"Apple ID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Sign In"; nocase; distance:0; classtype:credential-theft; sid:2031975; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-mclean .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-mclean.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026182; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Lucy Server Phish"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"Server|3a 20|Lucy|0d 0a|"; fast_pattern; content:"/account|0d 0a|"; reference:url,lucysecurity.com/download/; classtype:credential-theft; sid:2030404; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in DNS Lookup)"; dns.query; content:"italk-chat.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026183; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wombat Phishing Test"; flow:established,to_client; file.data; content:"been phished!</title>"; fast_pattern; content:"<form action=|22|/training/acceptance"; distance:0; content:"name=|22|training_ack|22 20|type=|22|submit|22|>Acknowledge"; distance:0; content:"href=|22|https://www.wombatsecurity.com/"; distance:0; classtype:misc-activity; sid:2030405; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026184; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING T-Mobile Phishing Landing"; flow:established,to_client; file.data; content:"src=|22|./T-Mobile QuikView_ Please Login_files/"; fast_pattern; content:"href=|22|./T-Mobile QuikView_ Please Login_files/"; distance:0; content:".php|22 20|method=|22|post|22|"; distance:0; classtype:social-engineering; sid:2030406; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in DNS Lookup)"; dns.query; content:"max-eleanor.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026185; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via MyFreeSites.com (set) 2016-03-31"; flow:to_server,established; urilen:1; flowbits:set,ET.myfreesites.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"myfreesites.net"; fast_pattern; endswith; classtype:social-engineering; sid:2031976; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-eleanor .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-eleanor.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026186; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via MyFreeSites.com M2 2016-03-31"; flow:to_client,established; flowbits:isset,ET.myfreesites.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2031977; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in DNS Lookup)"; dns.query; content:"accountusers.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026187; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com M2 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2031979; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accountusers .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"accountusers.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026188; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Tripod.com Phish 2016-03-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".ajax?m="; content:"&type=Form"; distance:0; content:"&a=addResponse"; distance:0; http.header; content:".tripod.com/|0d 0a|"; http.request_body; content:"data%5Bresponse%5D"; depth:18; fast_pattern; content:"&data%5Bresponse%5D"; distance:0; content:"&data%5Bresponse%5D"; distance:0; pcre:"/=[A-Za-z0-9._+-]+%40[A-Za-z0-9.-]+\.[A-Za-z]{2,6}&data/"; classtype:credential-theft; sid:2031980; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_06_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in DNS Lookup)"; dns.query; content:"david-moris.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026189; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com M1 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; fast_pattern; nocase; content:"mail"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2031978; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (david-moris .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"david-moris.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026190; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OWA Phishing Landing 2016-04-04 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>WebMail"; fast_pattern; nocase; content:"@$_GET[|22|email"; nocase; content:"ldCookie(|27|username"; nocase; content:"Secure my account"; nocase; content:"This is a private computer"; nocase; distance:0; content:"By selecting this option"; nocase; distance:0; classtype:social-engineering; sid:2031981; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in DNS Lookup)"; dns.query; content:"italk-chat.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026191; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email System Manager Phishing Landing 2016-04-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"pixi_grey_blue.gif"; fast_pattern; nocase; content:"E-mail System Manager"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; classtype:social-engineering; sid:2031982; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (italk-chat .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"italk-chat.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026192; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING PhishMe.com Phishing Exercise - Client Plugins"; flow:to_server,established; urilen:15; http.method; content:"POST"; http.uri; content:"/plugin_surveys"; fast_pattern; http.cookie; content:"_phishme.com_session_id="; classtype:trojan-activity; sid:2022729; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in DNS Lookup)"; dns.query; content:"max-mayfield.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026193; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M1 2016-04-25"; flow:established,to_client; flowbits:isset,ET.wpphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your session has timed out"; fast_pattern; nocase; content:"sign in e-mail and continue"; nocase; distance:0; classtype:social-engineering; sid:2031983; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (max-mayfield .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"max-mayfield.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026194; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M2 2016-04-25"; flow:established,to_client; flowbits:isset,ET.wpphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; fast_pattern; nocase; content:"Confirm your identity"; distance:0; nocase; content:"account to view document"; distance:0; nocase; classtype:social-engineering; sid:2031984; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in DNS Lookup)"; dns.query; content:"accuant-googlc.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026195; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Document Phish 2016-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php?login="; nocase; fast_pattern; pcre:"/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}$/"; http.header; content:".php?login="; nocase; http.request_body; content:"email="; depth:6; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2031985; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (accuant-googlc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"accuant-googlc.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026196; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist Phish 2016-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"step=confirmation&rt="; depth:21; fast_pattern; content:"&rp="; distance:0; content:"&username="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031986; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_04_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in DNS Lookup)"; dns.query; content:"davina-claire.xyz"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026197; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing M1 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"upgrade your mailbox"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:social-engineering; sid:2025677; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davina-claire .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"davina-claire.xyz"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026198; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Update Phishing Landing M2 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Email Upgrade</title>"; nocase; fast_pattern; content:"Confirm your account"; nocase; distance:0; content:"Mail Administrator"; nocase; distance:0; classtype:social-engineering; sid:2025676; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in DNS Lookup)"; dns.query; content:"jack-wagner.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026199; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citizenbank Phish 2016-05-24 M1"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"CSRF_TOKEN="; depth:11; content:"&initlogin="; distance:0; content:"&UserID="; distance:0; nocase; content:"&passs="; distance:0; fast_pattern; content:"&btnLogin="; distance:0; classtype:credential-theft; sid:2031987; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jack-wagner .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"jack-wagner.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026200; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citizenbank Phish 2016-05-24 M2"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"&UserID=|25|3C|25|3Fphp+echo|25|28|25|24Username"; fast_pattern; content:"&email="; distance:0; content:"&epass="; distance:0; content:"&Q1="; distance:0; classtype:credential-theft; sid:2031988; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in DNS Lookup)"; dns.query; content:"maxlight.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026201; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious File Download Post-Phishing 2016-05-25"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"howLongToWait"; fast_pattern; nocase; content:"urlOfDownloadContent"; nocase; distance:0; content:"triggerDownload"; nocase; distance:0; content:"urlOfRedirectLocation"; nocase; distance:0; content:"startRedirect"; nocase; distance:0; classtype:social-engineering; sid:2031990; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (maxlight .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxlight.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026202; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-05-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"Processing.php?"; fast_pattern; nocase; http.request_body; content:"EM="; nocase; depth:3; content:"&PS="; nocase; distance:0; classtype:credential-theft; sid:2031991; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in DNS Lookup)"; dns.query; content:"activedardash.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026203; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Avast Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"is infected with"; nocase; content:"Your email will be shutdown"; fast_pattern; nocase; distance:0; content:"ForeColor"; distance:0; content:"It is finally here"; nocase; distance:0; content:"advised to run a total scan"; nocase; distance:0; classtype:social-engineering; sid:2031992; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (activedardash .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"activedardash.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026204; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Email Login Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Email-login"; nocase; fast_pattern; content:"MM_validateForm"; nocase; distance:0; content:"Powered By|3a|"; nocase; distance:0; content:"Sign in to your account"; nocase; distance:0; content:"Email address|3a|"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; classtype:social-engineering; sid:2031993; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in DNS Lookup)"; dns.query; content:"davos-seaworth.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026205; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DrSpam Phishing Landing 2016-06-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"drspam_form"; nocase; fast_pattern; content:"drspam_mail"; nocase; distance:0; content:"drspam_pass"; nocase; distance:0; content:"haxor"; nocase; distance:0; classtype:social-engineering; sid:2031994; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (davos-seaworth .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"davos-seaworth.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026206; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DrSpam Phishing Landing CSS 2016-06-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"input.drspam"; nocase; fast_pattern; content:"select.drspam"; nocase; distance:0; content:"input.haxor"; nocase; distance:0; content:".boody"; nocase; distance:0; content:".contens"; nocase; distance:0; classtype:social-engineering; sid:2031995; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in DNS Lookup)"; dns.query; content:"james-charles.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026207; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DrSpam Phish 2016-06-08 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"drspam_mail="; nocase; depth:12; fast_pattern; content:"&drspam_pass="; nocase; distance:0; classtype:credential-theft; sid:2031996; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (james-charles .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"james-charles.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026208; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DrSpam Phish 2016-06-08 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"drspam_name="; nocase; depth:12; fast_pattern; content:"&drspam_dob"; nocase; distance:0; content:"&drspam_adrs"; nocase; distance:0; content:"&drspam_acc"; nocase; distance:0; classtype:credential-theft; sid:2031997; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in DNS Lookup)"; dns.query; content:"mediauploader.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026209; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-06-09 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; nocase; fast_pattern; content:"&reason="; nocase; distance:0; content:"&portal="; nocase; distance:0; content:"&dltoken"; nocase; distance:0; http.header; content:".php?LOB="; http.request_body; content:"user="; nocase; depth:5; content:"&pass="; nocase; classtype:credential-theft; sid:2032016; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mediauploader .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"mediauploader.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026210; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-06-09 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; nocase; fast_pattern; content:"&reason="; nocase; distance:0; content:"&portal="; nocase; distance:0; content:"&dltoken"; nocase; distance:0; http.header; content:".php?LOB="; http.request_body; content:"acct1="; nocase; depth:6; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032017; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in DNS Lookup)"; dns.query; content:"alain.ps"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026211; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ma Domain 2020-07-15"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ma"; endswith; fast_pattern; classtype:credential-theft; sid:2030519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alain .ps in TLS SNI)"; flow:established,to_server; tls.sni; content:"alain.ps"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026212; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"id="; nocase; depth:3; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031568; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in DNS Lookup)"; dns.query; content:"debra-morgan.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026213; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031566; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_12_25, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (debra-morgan .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"debra-morgan.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026214; rev:4; metadata:created_at 2018_09_19, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Termination Phishing Landing 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Protect"; nocase; distance:0; fast_pattern; content:"TERMINATION REQUEST"; nocase; distance:0; content:"Enter Your Email"; nocase; distance:0; content:"Disable Your Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2032018; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot Blockchain Based CnC DNS Lookup (musl .lib)"; dns.query; content:"musl.lib"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026323; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Phishing Landing 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title> Webmail|20 3a 3a|"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"account from virus threats"; nocase; distance:0; content:"Secured by Webmail Security Systems"; nocase; distance:0; classtype:social-engineering; sid:2032019; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (ukrainianhorseriding .com)"; dns.query; content:"ukrainianhorseriding.com"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026324; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wildblue/CenturyLink Phish 2015-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&source="; nocase; distance:0; classtype:credential-theft; sid:2031794; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fbot/Satori CnC DNS Lookup (rippr .cc)"; dns.query; content:"rippr.cc"; nocase; fast_pattern; endswith; reference:url,blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-is-using-a-blockchain-based-dns-en/; classtype:command-and-control; sid:2026325; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Satori, malware_family Fbot, performance_impact Low, signature_severity Major, tag Worm, tag DDoS, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Vmware/Zimbra Phish 2015-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"username="; depth:9; fast_pattern; content:"&username"; distance:0; content:"&password="; distance:0; content:"&client="; distance:0; classtype:credential-theft; sid:2031730; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (censys .xyz)"; dns.query; content:"censys.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026326; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Microsoft Encrypted Email Phishing Landing 2016-06-23"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/microsoft.secure.encrypted"; fast_pattern; nocase; classtype:social-engineering; sid:2032020; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (leakingprivacy .tk)"; dns.query; content:"leakingprivacy.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026327; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Data Submitted to yolasite.com"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.header; content:"forms.yola.com"; fast_pattern; http.request_body; content:"user"; nocase; content:"word"; distance:0; nocase; classtype:social-engineering; sid:2032021; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (realnewstime .xyz)"; dns.query; content:"realnewstime.xyz"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Upgrade Phishing Landing 2016-06-27"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Signin Template"; nocase; fast_pattern; content:"Please upgrade your mailbox"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"upgrade account"; nocase; distance:0; classtype:social-engineering; sid:2032022; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (scanaan .tk)"; dns.query; content:"scanaan.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026329; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M1"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Upgrade"; nocase; fast_pattern; content:"form class=|22|form-signin"; nocase; distance:0; content:"Please wait"; nocase; distance:0; content:"id=|22|success"; nocase; distance:0; content:"Email account upgraded"; nocase; distance:0; classtype:credential-theft; sid:2032023; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (blockbitcoin .com)"; dns.query; content:"blockbitcoin.com"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026330; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Upgrade Phish 2016-06-27 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; http.header; content:".php?userid="; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&submit=upgrade+account"; nocase; distance:0; classtype:credential-theft; sid:2032024; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (vfk2k5s5tfjr27tz .tk)"; dns.query; content:"vfk2k5s5tfjr27tz.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026334; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to MyFreeSites.com - Possible Phishing"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/form/Submit"; fast_pattern; http.header; content:"myfreesites.net|0d 0a|"; content:"X-Requested-With|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; content:"{|22|siteID|22 3a|"; depth:10; http.accept; content:"application/json, text/javascript"; startswith; http.content_type; content:"application/json"; startswith; classtype:trojan-activity; sid:2032025; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_06_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Xbash CnC DNS Lookup (3g2upl4pq6kufc4m .tk)"; dns.query; content:"3g2upl4pq6kufc4m.tk"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/; classtype:command-and-control; sid:2026335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2018_09_20, deployment Perimeter, former_category MALWARE, malware_family Xbash, performance_impact Low, signature_severity Major, tag Coinminer, tag Worm, tag Destructive, tag FakeRansom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Landing 2016-07-05"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.uri; content:"/usaa.com"; pcre:"/\/usaa\.com(?:\.|-)(?:sec(?:ure)?|inet|ent)(?:\.|-)/i"; classtype:social-engineering; sid:2032026; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in DNS Lookup)"; dns.query; content:"jimmykudo.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026217; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Hotmail Phish 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login="; depth:6; content:"&passwd="; fast_pattern; nocase; distance:0; content:"&SI=Sign+in"; nocase; distance:0; classtype:credential-theft; sid:2032027; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jimmykudo .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"jimmykudo.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026218; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Synchronize Email Account Phishing Landing 2016-07-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Login to continue"; nocase; fast_pattern; content:"Global E-mail Server"; nocase; distance:0; content:"Synchronize your e-mail"; nocase; distance:0; content:"avoid deactivation"; nocase; distance:0; content:"registered email"; nocase; distance:0; content:"enter the matching password"; nocase; distance:0; content:"Synchronize My Account"; nocase; distance:0; classtype:social-engineering; sid:2032028; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in DNS Lookup)"; dns.query; content:"meet-me.chat"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026219; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail account"; nocase; fast_pattern; content:"Webmail Account"; nocase; distance:0; content:"for upgrade in your webmail"; nocase; distance:0; content:"check the required"; nocase; distance:0; content:"Confirm Passw"; nocase; distance:0; classtype:social-engineering; sid:2032029; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (meet-me .chat in TLS SNI)"; flow:established,to_server; tls.sni; content:"meet-me.chat"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026220; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Account Phish 2016-07-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?src="; content:"&username="; nocase; distance:0; http.referer; content:".php?src="; nocase; content:"&username="; nocase; http.request_body; content:"username="; depth:9; fast_pattern; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032030; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_07_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in DNS Lookup)"; dns.query; content:"alisonparker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026221; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Tripod/Lycos Form Submission - Possible Successful Phish"; flow:from_client,established; http.method; content:"POST"; http.uri; content:"/_zbl.ajax?m="; depth:13; fast_pattern; content:"&a=addResponse"; distance:0; http.header; content:".tripod.com|0d 0a|"; content:".tripod.com"; http.request_body; content:"data|25|5Bresponse|25|5D|25|5B"; depth:21; classtype:credential-theft; sid:2032015; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (alisonparker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"alisonparker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026222; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com (set) 2016-03-31"; flow:to_server,established; flowbits:set,ET.tripod.phish; flowbits:noalert; http.method; content:"GET"; http.header; content:"tripod.com|0d 0a|"; fast_pattern; classtype:social-engineering; sid:2032012; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in DNS Lookup)"; dns.query; content:"donna-paulsen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026223; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Account Upgrade Phishing Landing 2016-07-20"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|3a 3a|WEBMAIL"; nocase; fast_pattern; content:"Sign in to Update Your Account"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Webmail Admin"; nocase; distance:0; classtype:social-engineering; sid:2032031; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (donna-paulsen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"donna-paulsen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026224; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Phish - Saved Website Comment Observed"; flow:established,to_client; flowbits:isset,ET.genericphish; file.data; content:"<!-- saved from url=("; pcre:"/^\s*?\d+?\s*?\)https?\x3a\x2f/Rsi"; content:"<form"; nocase; distance:0; classtype:credential-theft; sid:2030574; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"android-settings.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026225; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Redeye Phish 2020-07-24"; flow:to_server,established; flowbits:isset,ET.genericphish; http.uri; content:"/redeye/"; fast_pattern; nocase; content:".php"; distance:0; isdataat:!1,relative; classtype:credential-theft; sid:2030587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (android-settings .info in DNS Lookup)"; dns.query; content:"android-settings.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026226; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish 2020-07-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; startswith; content:"&paswd="; distance:0; classtype:credential-theft; sid:2031874; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in DNS Lookup)"; dns.query; content:"easyshow.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026227; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"ja=userAgent"; nocase; depth:12; fast_pattern; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032032; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (easyshow .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"easyshow.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026228; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"mail="; nocase; depth:5; fast_pattern; content:"&name="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&address="; nocase; distance:0; classtype:credential-theft; sid:2032033; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in DNS Lookup)"; dns.query; content:"jon-snow.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026229; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Mobile Phish 2016-08-01 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"ssn="; nocase; depth:4; fast_pattern; content:"&cnum="; nocase; distance:0; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032034; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jon-snow .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"jon-snow.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026230; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Mobile Phishing Landing 2016-08-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"content=|22|Please verify"; nocase; content:"<meta name=|22|apple-mobile"; nocase; distance:0; content:"<title>Wells Fargo"; fast_pattern; nocase; distance:0; content:"your account is disabled"; nocase; distance:0; classtype:social-engineering; sid:2025670; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in DNS Lookup)"; dns.query; content:"men-ana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026231; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/EMS Documents Phishing Landing 2016-08-10"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>EMS |7c 20|Tracking"; fast_pattern; nocase; content:"<title>TRADE FILE"; nocase; distance:0; content:"Sign In Your"; nocase; distance:0; content:"example777@domain.com"; nocase; distance:0; content:"PASSWORD"; nocase; distance:0; classtype:social-engineering; sid:2032035; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (men-ana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"men-ana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026232; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Credential POST to FormBuddy.com - Possible Phishing Aug 10 2016"; flow:to_server,established; urilen:16; http.method; content:"POST"; http.uri; content:"/cgi-bin/form.pl"; fast_pattern; http.host; content:"formbuddy.com"; endswith; http.request_body; content:"username="; depth:9; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:social-engineering; sid:2032036; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in DNS Lookup)"; dns.query; content:"apkapps.pro"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026233; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Tectite Web Form Abuse"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=|22|bad_url|22|"; fast_pattern; content:"name=|22|subject|22|"; content:"name=|22|recipients|22|"; content:"name=|22|env_report|22|"; content:"REMOTE_HOST,REMOTE_ADDR"; content:"AUTH_TYPE,REMOTE_USER"; content:"name=|22|good_url|22|"; content:"<input type=|22|password"; classtype:social-engineering; sid:2032037; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .pro in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.pro"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026234; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Tectite Web Form Submission - Possible Phishing"; flow:from_server,established; http.stat_code; content:"302"; file.data; content:"<title>Form Submission Succeeded"; fast_pattern; content:"Please wait while you are redirected"; distance:0; content:"www.tectite.com"; distance:0; classtype:credential-theft; sid:2032038; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in DNS Lookup)"; dns.query; content:"eleanor-guthrie.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026235; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing Common CSS 2016-08-10"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"background-color|3a 20|#EAEAEA"; nocase; content:"#pdf_holder"; nocase; distance:0; content:"background-color|3a 20|#DADADA"; nocase; distance:0; content:"background-color|3a 20|#069"; nocase; distance:0; content:"#errfnn"; fast_pattern; nocase; distance:0; content:"background-color|3a 20|#A51505"; nocase; distance:0; classtype:social-engineering; sid:2032039; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanor-guthrie .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanor-guthrie.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026236; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Gmail Phish M1 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Gmail Veri"; fast_pattern; nocase; content:"All of Google"; nocase; distance:0; content:"Verified, secured and updated"; nocase; distance:0; content:"You will will be instructed to login shortly"; nocase; distance:0; classtype:credential-theft; sid:2032040; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in DNS Lookup)"; dns.query; content:"jorah-mormont.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026237; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Storage Upgrade Phishing Landing 2016-08-15"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:social-engineering; sid:2023062; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (jorah-mormont .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"jorah-mormont.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026238; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing M1 2016-08-16"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Confirm your identity"; nocase; distance:0; content:"data|3a|image/jpeg|3b|base64"; nocase; distance:0; classtype:social-engineering; sid:2032042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in DNS Lookup)"; dns.query; content:"michael-keaton.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026239; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Netflix Phishing Landing 2016-08-17"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:social-engineering; sid:2023073; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (michael-keaton .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"michael-keaton.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026240; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Docusign Phish M1 2016-08-17"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta HTTP-EQUIV="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"<title>Error"; nocase; fast_pattern; distance:0; content:"MM_preloadImages"; nocase; distance:0; content:"Try Again"; nocase; distance:0; content:"This page will redirect"; nocase; distance:0; classtype:credential-theft; sid:2032043; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in DNS Lookup)"; dns.query; content:"apkapps.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026241; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing 2016-08-19"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe"; nocase; fast_pattern; content:"MM_reloadPage"; nocase; distance:0; content:"someone@example.com"; nocase; distance:0; classtype:social-engineering; sid:2032044; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, performance_impact Low, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (apkapps .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"apkapps.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026242; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Universal Webmail Phishing Landing 2016-08-19"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Universal Webmail"; fast_pattern; content:"de e-mail e senha para verificar"; nocase; distance:0; content:"/CMD_LOST_PASSWORD"; nocase; distance:0; classtype:social-engineering; sid:2032045; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, performance_impact Low, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in DNS Lookup)"; dns.query; content:"eleanorguthrie.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026243; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Data Submitted to yolasite.com M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; http.request_body; content:"user"; nocase; content:"pass"; distance:0; nocase; classtype:social-engineering; sid:2032046; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (eleanorguthrie .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"eleanorguthrie.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026244; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Blocked Email Account Phishing Landing 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Recover Account"; fast_pattern; nocase; content:"Account Might Become Blocked"; nocase; distance:0; content:"these are all due to end user misuse"; nocase; distance:0; content:"email validation takes after one hour"; nocase; distance:0; classtype:social-engineering; sid:2032047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in DNS Lookup)"; dns.query; content:"joycebyers.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026245; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Blocked Email Account Phish M2 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Recover Account"; fast_pattern; nocase; content:"Account Might Become Blocked"; nocase; distance:0; content:"has been fixed successfully"; nocase; distance:0; content:"making us serve you better"; nocase; distance:0; classtype:credential-theft; sid:2032048; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (joycebyers .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"joycebyers.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026246; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Targeted Office 365 Phishing Landing 2016-08-23"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<html dir=|22|ltr|22|"; content:"microsoftonline-p.com"; nocase; distance:0; content:"|61 63 74 69 6f 6e 3d 22 2f 61 75 74 68 74 72 75 65 2e 61 73 70 78 3f|"; fast_pattern; distance:0; classtype:social-engineering; sid:2032049; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in DNS Lookup)"; dns.query; content:"miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026247; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Password Strength Phishing Landing 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Confirm Password Strength"; fast_pattern; nocase; content:"yimg.com"; nocase; distance:0; content:"Yahoo Mail"; nocase; distance:0; content:"Strengthen your account"; nocase; distance:0; content:"confirm your password strength"; nocase; distance:0; classtype:social-engineering; sid:2032050; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026248; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Password Strength Phish M1 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&.scrumb="; nocase; distance:0; content:"&.partner="; nocase; distance:0; classtype:credential-theft; sid:2032051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in DNS Lookup)"; dns.query; content:"appchecker.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026249; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Yahoo Password Strength Phish M2 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Success"; fast_pattern; nocase; content:"mail.yahoo.com"; nocase; distance:0; content:"Account Authenticated"; nocase; distance:0; content:"confirming your password"; nocase; distance:0; content:"secured by Yahoo"; nocase; distance:0; classtype:credential-theft; sid:2032053; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appchecker .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"appchecker.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026250; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Team IPwned Phish 2016-08-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"=Team&"; nocase; content:"=IPwned&"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032052; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in DNS Lookup)"; dns.query; content:"engin-altan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026251; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing 2016-08-25"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Function disabled by ALIBOBO"; nocase; content:"<title>My Drive"; fast_pattern; nocase; content:"You are not logged in"; nocase; distance:0; classtype:social-engineering; sid:2032054; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (engin-altan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"engin-altan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026252; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M1 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/chaseonline.chase.com/"; nocase; fast_pattern; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2032055; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in DNS Lookup)"; dns.query; content:"juana.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026253; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M3 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/online.chase.com/"; nocase; fast_pattern; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2032056; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (juana .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"juana.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026254; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M4 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__LASTFOCUS="; depth:12; fast_pattern; content:"&auth_userId="; nocase; distance:0; content:"&auth_contextId=login"; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032057; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in DNS Lookup)"; dns.query; content:"miwakosato.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026255; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Form Data Submitted to yolasite.com - Possible Phishing"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/formservice/"; depth:13; http.host; content:"forms.yola.com"; fast_pattern; classtype:trojan-activity; sid:2023139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (miwakosato .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"miwakosato.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026256; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Logging in - PayPal"; nocase; fast_pattern; content:"<meta http-equiv="; nocase; distance:0; content:"refresh"; nocase; distance:1; content:"url=websc-"; nocase; distance:0; classtype:credential-theft; sid:2032059; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in DNS Lookup)"; dns.query; content:"appuree.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026257; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Websc Phishing Page 2016-02-05"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/websc-"; nocase; fast_pattern; pcre:"/^(?:l(?:o(?:ading|gin)|imited)|(?:proccess|card)ing|b(?:illing|ank)|success)\.php/R"; classtype:social-engineering; sid:2032014; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (appuree .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"appuree.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026258; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish OWA Credentials 2016-08-16"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"destination="; depth:12; nocase; fast_pattern; content:"&flags="; distance:0; nocase; content:"&forcedownlevel="; distance:0; nocase; content:"&trusted="; distance:0; nocase; content:"password"; distance:0; nocase; classtype:credential-theft; sid:2032041; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in DNS Lookup)"; dns.query; content:"esofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026259; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING TeamIPwned/Hellion Phishing Landing 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"HELLION PROUDLY PRESENTS"; fast_pattern; content:"brought to you by Hellion"; nocase; distance:0; content:"teamipwned"; nocase; distance:0; content:"Do not touch anything"; nocase; distance:0; classtype:social-engineering; sid:2032060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (esofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"esofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026260; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TeamIPwned Phish 2016-08-30"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"hellion.php"; nocase; fast_pattern; classtype:credential-theft; sid:2025003; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in DNS Lookup)"; dns.query; content:"kaniel-outis.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026261; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful CIBC Phish 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Online Banking"; fast_pattern; nocase; content:"Online Banking Verification"; nocase; distance:0; content:"Verifying your CIBC Online Banking"; nocase; distance:0; content:"Please enter your personal information"; nocase; distance:0; content:"Social Insurance Number"; nocase; distance:0; classtype:credential-theft; sid:2032061; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kaniel-outis .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaniel-outis.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026262; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-loading.php?Go=_Login_Success"; depth:36; fast_pattern; http.header; content:"/websc-"; http.request_body; content:"&Log+In=Log+In"; classtype:credential-theft; sid:2032062; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in DNS Lookup)"; dns.query; content:"mofa-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026263; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>DHL|20 7c 20|"; nocase; fast_pattern; content:"<title>TRADE FILE"; nocase; distance:0; content:"Secured To Your Email"; nocase; distance:0; content:"Enter Your Email Password"; nocase; distance:0; classtype:social-engineering; sid:2032063; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mofa-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mofa-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026264; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; content:"dropbox.com"; nocase; distance:0; content:"<title>Loading"; fast_pattern; nocase; distance:0; content:"Please Wait"; nocase; distance:0; content:"servers are currently busy"; nocase; distance:0; classtype:credential-theft; sid:2032064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in DNS Lookup)"; dns.query; content:"arthursaito.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026265; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Yahoo Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Yahoo - login"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"origin-when-cross-origin"; content:!"var MBR_config = {"; classtype:social-engineering; sid:2032058; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (arthursaito .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"arthursaito.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026266; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Google Docs Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Google Docs"; fast_pattern; within:20; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"<title>|0a 20 20 20 20 20 20|Google Docs"; classtype:social-engineering; sid:2025669; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in DNS Lookup)"; dns.query; content:"everyservices.space"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026267; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phish Landing 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function popupwnd"; fast_pattern; nocase; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"liamg"; nocase; distance:0; content:"javascript|3a|popupwnd"; nocase; distance:0; content:"kooltuo"; nocase; distance:0; classtype:social-engineering; sid:2025684; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (everyservices .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"everyservices.space"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026268; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing 2016-08-30"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe PDF"; fast_pattern; nocase; content:"formbreeze_email"; nocase; distance:0; content:"formbreeze_filledin"; nocase; distance:0; content:"emailCheck"; nocase; distance:0; classtype:social-engineering; sid:2032065; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in DNS Lookup)"; dns.query; content:"karenwheeler.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026269; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing M2 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adobe PDF Online"; nocase; fast_pattern; content:"Authentication Is Required"; nocase; distance:0; content:"For security reasons"; nocase; distance:0; content:"confirm your email to view document"; nocase; distance:0; classtype:social-engineering; sid:2032066; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (karenwheeler .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"karenwheeler.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026270; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Alibaba Phishing Landing 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Alibaba"; nocase; fast_pattern; content:"validateForm"; nocase; distance:0; content:"Password is Empty"; nocase; distance:0; content:"Password is Too Short"; nocase; distance:0; content:"Login to Message Center"; nocase; distance:0; classtype:social-engineering; sid:2032067; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in DNS Lookup)"; dns.query; content:"moneymotion.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026271; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook 365 Encrypted Email Phishing Landing M1 2016-08-31"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Sign in - Encrypted mail"; nocase; fast_pattern; content:".password-revealer"; nocase; distance:0; content:"microsoftonline-p.com"; nocase; classtype:social-engineering; sid:2032068; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (moneymotion .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"moneymotion.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026272; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to Webeden.co.uk - Possible Phishing"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/_form/submit"; fast_pattern; http.request_body; content:"PageID="; depth:7; classtype:trojan-activity; sid:2032069; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in DNS Lookup)"; dns.query; content:"aryastark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026273; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to Weebly.com - Possible Phishing"; flow:to_server,established; urilen:27; http.method; content:"POST"; http.uri; content:"/weebly/apps/formSubmit.php"; fast_pattern; http.host; content:"weebly.com"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; classtype:trojan-activity; sid:2032070; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aryastark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aryastark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026274; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passw"; distance:0; nocase; content:"=Sign+In"; distance:0; nocase; classtype:credential-theft; sid:2032071; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in DNS Lookup)"; dns.query; content:"exvsnomy.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026275; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M1 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"LOB=Logon"; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&ChangePassword"; distance:0; nocase; content:"NewPassword"; distance:0; nocase; classtype:credential-theft; sid:2032072; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (exvsnomy .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"exvsnomy.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026276; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M2 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Change password"; nocase; fast_pattern; content:"ChangePasswordForm"; nocase; distance:0; content:"Outlook WebApp"; nocase; distance:0; content:"O365_MainLink"; nocase; distance:0; content:"ChangePasswordControl_PasswordRequirementText"; nocase; distance:0; content:"Incorrect password entered"; classtype:credential-theft; sid:2032073; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in DNS Lookup)"; dns.query; content:"kate-austen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026277; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Password Update Phish M3 2016-09-01"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Change password"; nocase; fast_pattern; content:"Outlook WebApp"; nocase; distance:0; content:"O365_MainLink"; nocase; distance:0; content:"Remember your new password"; nocase; distance:0; content:"close this browser"; nocase; distance:0; classtype:credential-theft; sid:2032074; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kate-austen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"kate-austen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026278; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Facebook - Log In"; fast_pattern; nocase; content:"background-image"; nocase; distance:0; content:"form-group"; nocase; distance:0; content:"class=|22|form-control|22|"; nocase; distance:0; content:"formValidation"; nocase; distance:0; classtype:social-engineering; sid:2032075; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in DNS Lookup)"; dns.query; content:"myboon.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026279; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Facebook Phish 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Facebook - Verification"; fast_pattern; nocase; content:"background-image"; nocase; distance:0; content:"<form name="; nocase; distance:0; content:"<input name="; nocase; distance:0; content:"Continue"; nocase; distance:0; classtype:credential-theft; sid:2032076; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (myboon .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"myboon.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026280; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; content:"_Product-UserID&userid="; distance:0; fast_pattern; http.request_body; content:"email="; depth:6; nocase; content:"&pass"; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in DNS Lookup)"; dns.query; content:"aslaug-sigurd.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026281; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/www.chase.com/"; fast_pattern; http.request_body; content:"&pas"; nocase; classtype:credential-theft; sid:2032102; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (aslaug-sigurd .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aslaug-sigurd.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026282; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Validator Phish M2 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>..|3a 3a|Thank you"; nocase; fast_pattern; content:"email address|3a 3a|..</title>"; nocase; distance:0; classtype:credential-theft; sid:2032103; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in DNS Lookup)"; dns.query; content:"ezofiezo.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026283; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Webmail Validator Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail Client Validator"; nocase; fast_pattern; content:"validate your account"; nocase; distance:0; content:"render your account"; nocase; distance:0; content:"Username"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:social-engineering; sid:2032104; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ezofiezo .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"ezofiezo.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026284; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING iCloud Phishing Landing 2016-09-02"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2024230; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing_07012016, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in DNS Lookup)"; dns.query; content:"katesacker.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026285; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Account Update Phishing Landing 2016-09-06"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Update Your User"; nocase; fast_pattern; content:"update your email"; nocase; distance:0; content:"Username"; nocase; distance:0; content:"Email Address"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm password"; nocase; distance:0; content:"Update My Details"; nocase; distance:0; classtype:social-engineering; sid:2032105; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katesacker .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"katesacker.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026286; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; pcre:"/\x3b[a-f0-9]{32}/"; http.request_body; content:"eml="; depth:4; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032106; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in DNS Lookup)"; dns.query; content:"mygift.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026287; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Minimal HTTP Refresh to Googledrive.com - Possible Phishing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; http.header; pcre:"/Content\-Length\x3a\x20\d{3}\x0d\x0a/mi"; file.data; content:"<META HTTP-EQUIV="; nocase; content:"refresh"; distance:1; nocase; content:"googledrive.com"; distance:0; nocase; fast_pattern; within:50; classtype:trojan-activity; sid:2032107; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026288; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fedex Javascript Phishing Landing 2016-09-08"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; startswith; file.data; content:"click_to_download"; fast_pattern; nocase; content:"make_the_delay"; nocase; distance:0; content:"redirect_the"; nocase; distance:0; content:"now_download"; nocase; distance:0; content:"ajax"; nocase; distance:0; content:"POST"; nocase; distance:0; classtype:social-engineering; sid:2032108; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in DNS Lookup)"; dns.query; content:"assets-acc.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026289; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Microsoft Live Email Account Phish 2016-09-08"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; nocase; content:"live.com"; within:50; content:"<title>Loading"; nocase; distance:0; fast_pattern; content:"verified successfully"; nocase; distance:0; classtype:credential-theft; sid:2032109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (assets-acc .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"assets-acc.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026290; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"MAHDI_1="; depth:8; nocase; fast_pattern; content:"&MAHDI_2="; nocase; distance:0; classtype:credential-theft; sid:2032110; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in DNS Lookup)"; dns.query; content:"face-book-support.email"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026291; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SeniorPeopleMeet Phish M1 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"SkipCSSVerif="; depth:13; nocase; fast_pattern; content:"&FromLocation="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032111; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (face-book-support .email in TLS SNI)"; flow:established,to_server; tls.sni; content:"face-book-support.email"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026292; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SeniorPeopleMeet Phish M2 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name="; depth:5; nocase; fast_pattern; content:"&cc1="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&s1="; nocase; distance:0; classtype:credential-theft; sid:2032112; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in DNS Lookup)"; dns.query; content:"katie.party"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026293; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful View Samples Phish 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"action=submit_form"; depth:19; nocase; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032113; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (katie .party in TLS SNI)"; flow:established,to_server; tls.sni; content:"katie.party"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026294; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M2 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"lobIndicator="; depth:13; nocase; fast_pattern; content:"&ssn"; nocase; distance:0; content:"&acctnum="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; classtype:credential-theft; sid:2032115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in DNS Lookup)"; dns.query; content:"mygift.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026295; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"u_p="; depth:4; nocase; content:"&LOB="; nocase; distance:0; content:"&origination="; nocase; distance:0; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032114; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mygift .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"mygift.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026296; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful US Bank Phish 2016-09-20"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; content:"&password="; nocase; distance:0; content:"&requestCmdId="; nocase; distance:0; fast_pattern; content:"&reqcrda="; nocase; distance:0; content:"&NONCE="; nocase; distance:0; content:"&userType="; nocase; distance:0; classtype:credential-theft; sid:2032116; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_09_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in DNS Lookup)"; dns.query; content:"bbc-learning.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026297; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Square Enix Phishing Domain 2016-08-15"; flow:to_server,established; http.method; content:"GET"; http.host; content:"square-enix.com"; fast_pattern; content:!"square-enix.com"; endswith; http.referer; content:!"square-enix.com"; classtype:social-engineering; sid:2023065; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bbc-learning .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bbc-learning.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026298; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-09-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?excel="; http.header; content:".php?excel="; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&excel="; nocase; distance:0; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2032117; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in DNS Lookup)"; dns.query; content:"fasebcck.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026299; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M1"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030603; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebcck .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebcck.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026300; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M2"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; file.data; content:"<script>"; content:"eval("; within:20; content:"atob("; within:20; content:"dmFyIHM9I"; within:100; fast_pattern; classtype:social-engineering; sid:2030604; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in DNS Lookup)"; dns.query; content:"kik-com.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026301; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M3"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030605; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kik-com .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kik-com.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026302; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M4"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"<script type=|22|text/javascript|22|>"; within:50; content:"<!--"; within:20; content:"document.write(unescape("; within:50; classtype:social-engineering; sid:2030606; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in DNS Lookup)"; dns.query; content:"namybotter.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026303; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?ID=login&Key="; fast_pattern; content:"&path="; distance:0; http.request_body; content:"xuser="; depth:6; nocase; content:"&xpass="; nocase; distance:0; content:"&xbtn="; nocase; distance:0; classtype:credential-theft; sid:2032118; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namybotter .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"namybotter.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026304; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Captcha Check"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Security Check"; content:"function verifyCaptcha()"; distance:0; content:"var blockerurl"; distance:0; content:"email_par"; distance:0; content:"window.location.replace(blockerurl+"; fast_pattern; distance:0; content:".php|22 20|onsubmit=|22|return verifyCaptcha()"; distance:0; classtype:social-engineering; sid:2030610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in DNS Lookup)"; dns.query; content:"bellamy-bob.life"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026305; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bellamy-bob .life in TLS SNI)"; flow:established,to_server; tls.sni; content:"bellamy-bob.life"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026306; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>PANEL FREAKZBROHTER"; nocase; fast_pattern; classtype:web-application-activity; sid:2030612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in DNS Lookup)"; dns.query; content:"fasebock.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026307; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?getinfo"; fast_pattern; http.request_body; content:"comid="; depth:6; nocase; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032119; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebock .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebock.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026308; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?action"; nocase; fast_pattern; http.request_body; content:"loginId="; depth:8; nocase; content:"&loginPd="; nocase; distance:0; classtype:credential-theft; sid:2032121; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in DNS Lookup)"; dns.query; content:"kristy-milligan.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026309; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.cookie; content:"__cfduid"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&pass="; nocase; distance:0; content:"&="; nocase; distance:0; classtype:credential-theft; sid:2032122; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (kristy-milligan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"kristy-milligan.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026310; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Postbank Online Banking Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_loginForm_hf_0="; depth:21; nocase; content:"&jsDisabled="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&nutzername="; nocase; distance:0; fast_pattern; content:"&kennwort="; nocase; distance:0; content:"&loginButton="; nocase; distance:0; classtype:credential-theft; sid:2032123; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in DNS Lookup)"; dns.query; content:"namyyeatop.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026311; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Postbank Online Banking Phish M2 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_loginForm_hf_0="; depth:21; nocase; content:"&jsDisabled="; nocase; distance:0; content:"&validation="; nocase; distance:0; content:"&vorname="; nocase; distance:0; content:"&nachname="; nocase; distance:0; fast_pattern; content:"&street="; nocase; distance:0; content:"&plz="; nocase; distance:0; content:"&ort="; nocase; distance:0; content:"&bday="; nocase; distance:0; content:"&mobilenr="; nocase; distance:0; content:"&telepinalt="; nocase; distance:0; content:"&telepinneu="; nocase; distance:0; content:"&loginButton="; nocase; distance:0; classtype:credential-theft; sid:2032124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (namyyeatop .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"namyyeatop.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026312; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M1 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in DNS Lookup)"; dns.query; content:"bestbitloly.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026313; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M2 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032098; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bestbitloly .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bestbitloly.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026314; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com M3 2016-01-22"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Username"; fast_pattern; nocase; content:"E-mail"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032099; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in DNS Lookup)"; dns.query; content:"fasebook.cam"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026315; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-01-26"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; fast_pattern; nocase; classtype:social-engineering; sid:2032100; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebook .cam in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebook.cam"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026316; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M1 2016-10-03"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"user name"; nocase; content:"email"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032125; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in DNS Lookup)"; dns.query; content:"lagertha-lothbrok.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026317; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing via Moonfruit M2 2016-10-03"; flow:to_client,established; flowbits:isset,ET.moonfruit.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Nazwa uzytkownika"; nocase; content:"Email"; nocase; content:"Haslo"; fast_pattern; nocase; classtype:social-engineering; sid:2032126; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lagertha-lothbrok .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lagertha-lothbrok.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026318; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Byethost Phishing Redirect 2016-10-04"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Zhtml>"; depth:6; fast_pattern; content:"http-equiv="; nocase; distance:0; content:"REFRESH"; nocase; distance:1; content:"|3b|url=http"; nocase; distance:0; content:"ZBODY>"; distance:0; classtype:social-engineering; sid:2032127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in DNS Lookup)"; dns.query; content:"natemunson.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026319; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized OWA Webmail Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"&email="; nocase; distance:0; http.request_body; content:"curl="; depth:5; nocase; content:"&flags="; nocase; distance:0; content:"&forcedownlevel="; nocase; distance:0; content:"&formdir="; nocase; distance:0; content:"&trusted="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&SubmitCreds="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (natemunson .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"natemunson.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026320; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic OWA Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp"; nocase; pcre:"/\.asp$/"; http.header; content:".asp?form_id="; http.request_body; content:"form-data|3b 20|name=|22|submit|22|"; nocase; content:"form-data|3b 20|name=|22|form_id|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|depart_id|22|"; nocase; distance:0; content:"gadgetStyleBOO"; nocase; fast_pattern; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in DNS Lookup)"; dns.query; content:"billy-bones.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026321; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; content:"&id="; nocase; content:"&session="; nocase; http.request_body; content:"provider="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2023964; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (billy-bones .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"billy-bones.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026322; rev:4; metadata:created_at 2018_09_20, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing (DE) 2016-10-04"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<TITLE>Mot de passe - PayPal"; nocase; fast_pattern; content:"PayPal est le moyen"; nocase; distance:0; content:"Bitte geben Sie Ihr Passwort"; nocase; distance:0; classtype:social-engineering; sid:2032129; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (up .jkc8 .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.aspx"; endswith; http.user_agent; content:"sjd32DSKJF9Ssf"; depth:14; fast_pattern; http.host; content:"up.jkc8.com"; http.header_names; content:!"Referer"; reference:md5,5a7526db56f812e62302912a1c20edd2; classtype:external-ip-check; sid:2026216; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Fake Copyright Infringement Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"copyright infringement"; nocase; content:"Instagram account"; nocase; distance:0; content:"powered-by-000webhost"; distance:0; fast_pattern; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in DNS Lookup)"; dns.query; content:"fasebookvideo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026339; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Script Hosted on 000webhostapp"; flow:established,to_client; file.data; content:"<!-- SCRIPT BY"; nocase; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; content:".php"; within:100; content:"powered-by-000webhost"; distance:0; content:"title=|22|Hosted on free web hosting 000webhost"; distance:0; classtype:social-engineering; sid:2030618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fasebookvideo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fasebookvideo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026340; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Let's Encrypt Certificate containing Instagram"; flow:established,to_client; tls.cert_subject; content:"instagram"; nocase; fast_pattern; tls.cert_issuer; content:"Let's Encrypt"; classtype:social-engineering; sid:2030619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in DNS Lookup)"; dns.query; content:"leonard-kim.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026341; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Webmail Phishing Landing"; flow:to_client,established; file.data; content:"<title>EmaiI Securlty"; nocase; fast_pattern; classtype:credential-theft; sid:2030620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leonard-kim .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leonard-kim.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026342; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phone Support Scam/Phishing Landing M1"; flow:established,to_client; file.data; content:"EBRX1:6X76D"; nocase; fast_pattern; content:"Your account is blocked"; nocase; classtype:social-engineering; sid:2030621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in DNS Lookup)"; dns.query; content:"new.filetea.me"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026343; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phone Support Scam/Phishing Landing M2"; flow:established,to_client; file.data; content:"EBRX1:6X76D"; nocase; fast_pattern; content:"Due to suspicious activity"; nocase; classtype:social-engineering; sid:2030622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (new .filetea .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"new.filetea.me"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026344; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish M1 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; http.request_body; content:"showRmrMe="; depth:10; nocase; fast_pattern; content:"&openid.pape.max_auth_age="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&create="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032130; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in DNS Lookup)"; dns.query; content:"bitgames.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026345; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?cmd="; nocase; http.request_body; content:"cazanova_qus1="; depth:14; nocase; fast_pattern; content:"_ans1="; nocase; distance:0; content:"_qus2="; nocase; distance:0; content:"_ans2="; nocase; distance:0; content:"_mail="; nocase; distance:0; content:"_pass="; nocase; distance:0; classtype:credential-theft; sid:2032131; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bitgames .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"bitgames.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026346; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orange (FR) Phish 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"co="; depth:3; nocase; content:"&tt="; nocase; distance:0; content:"&tp="; nocase; distance:0; content:"&rl="; nocase; distance:0; content:"&sv="; nocase; distance:0; content:"&dp="; nocase; distance:0; content:"&rt="; nocase; distance:0; content:"&isconn="; nocase; distance:0; content:"&credential="; nocase; distance:0; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032132; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in DNS Lookup)"; dns.query; content:"fatehmedia.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026347; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Supplier Portal Phish 2016-10-07"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>WebMail</title>"; fast_pattern; content:"<h1>Login Error"; nocase; distance:0; content:"go back and login again"; nocase; distance:0; content:"valid information"; nocase; distance:0; content:"datasheet with your company profile"; nocase; distance:0; content:"<!-- 0 -->"; distance:0; classtype:credential-theft; sid:2032133; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (fatehmedia .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"fatehmedia.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026348; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; content:"UserID&userid="; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032134; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in DNS Lookup)"; dns.query; content:"leslie-barnes.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026349; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (FR) M1 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; content:"apple"; nocase; http.request_body; content:"donnee1="; depth:8; nocase; fast_pattern; content:"&donnee2="; nocase; distance:0; classtype:credential-theft; sid:2032135; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (leslie-barnes .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"leslie-barnes.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026350; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (FR) M2 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; nocase; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032136; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in DNS Lookup)"; dns.query; content:"nightchat.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026351; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-10"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=3d3d3d3d3d3d3d3d3d"; nocase; fast_pattern; distance:0; content:"4f6e6c6e654944"; nocase; distance:0; content:"50617373636f6465"; distance:0; content:"456d61696c"; nocase; distance:0; classtype:credential-theft; sid:2032137; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026352; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&passwd="; nocase; distance:0; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032138; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in DNS Lookup)"; dns.query; content:"black-honey.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026353; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M2 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?email="; nocase; http.request_body; content:"continue="; depth:9; nocase; content:"&bgresponse="; nocase; distance:0; fast_pattern; content:"&phone="; nocase; distance:0; content:"&altemail="; nocase; distance:0; content:"&go="; nocase; distance:0; classtype:credential-theft; sid:2032139; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (black-honey .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"black-honey.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026354; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Webeden.net 2016-10-13"; flow:to_client,established; flowbits:isset,ET.webeden.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"User name"; fast_pattern; nocase; content:"Email"; nocase; content:"Password"; nocase; classtype:social-engineering; sid:2032140; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_07_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in DNS Lookup)"; dns.query; content:"firesky.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026355; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&service="; nocase; distance:0; content:"&ltmpl="; nocase; distance:0; content:"&Taju="; nocase; distance:0; fast_pattern; content:"&Tope="; nocase; distance:0; content:"&signIn="; nocase; distance:0; classtype:credential-theft; sid:2032141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (firesky .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"firesky.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026356; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.cookie; content:"PHPSESSID="; http.request_body; content:"login_email="; depth:12; nocase; fast_pattern; content:"&login_password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; content:"&fso="; nocase; distance:0; classtype:credential-theft; sid:2032142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in DNS Lookup)"; dns.query; content:"lets-see.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026357; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; fast_pattern; content:"&DownTimeMessage="; nocase; distance:0; classtype:credential-theft; sid:2032143; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lets-see .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"lets-see.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026358; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Webmail Phish 2016-10-21"; flow:established,from_server; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Webmail</title>"; nocase; distance:0; fast_pattern; content:"<div class=|22|error"; nocase; distance:0; content:"Please enter a valid email"; nocase; distance:0; content:"Supported Email Providers"; nocase; distance:0; classtype:credential-theft; sid:2032144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in DNS Lookup)"; dns.query; content:"nightchat.live"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026359; rev:4; metadata:created_at 2018_09_21, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&securityquestion="; nocase; distance:0; content:"&Answer="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&Password="; nocase; distance:0; content:"&Submit.x="; nocase; distance:0; content:"&Submit.y="; nocase; distance:0; classtype:credential-theft; sid:2032145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_07_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nightchat .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"nightchat.live"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026364; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"countrycode="; depth:12; nocase; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&.persistent="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; classtype:credential-theft; sid:2032146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in DNS Lookup)"; dns.query; content:"bob-turco.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026365; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".jsp"; nocase; http.request_body; content:"inputCampo1="; depth:12; nocase; content:"&trpm=aHR0cDov"; nocase; distance:0; fast_pattern; content:"&inputCampo"; nocase; distance:0; classtype:credential-theft; sid:2032147; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (bob-turco .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"bob-turco.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026366; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-25"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Windows Live ID"; nocase; fast_pattern; content:"If page do not re-direct automatically"; nocase; distance:0; content:"login.live.com"; nocase; distance:0; classtype:credential-theft; sid:2032148; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in DNS Lookup)"; dns.query; content:"flirtymania.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026367; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"xUserName="; depth:10; nocase; content:"&xPassWord="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032149; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (flirtymania .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"flirtymania.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026368; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-10-25"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"UserID="; depth:7; nocase; content:"&Password="; nocase; distance:0; content:"&fullnaxme="; nocase; distance:0; fast_pattern; content:"&homeadd1="; nocase; distance:0; content:"&citybma="; nocase; distance:0; content:"&staten="; nocase; distance:0; content:"&zip1co="; nocase; distance:0; content:"&home1phone="; nocase; distance:0; content:"&sn1="; nocase; distance:0; content:"&mamanx="; nocase; distance:0; content:"&do1="; nocase; distance:0; content:"&emailxnx="; nocase; distance:0; content:"&emailpassx="; nocase; distance:0; content:"&ccnumber"; nocase; distance:0; content:"&cvv"; nocase; distance:0; content:"&accten="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032150; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in DNS Lookup)"; dns.query; content:"lexi-branson.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026369; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful 163.com Email Account Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"account_name="; depth:13; nocase; fast_pattern; content:"&domain="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&all_secure="; nocase; distance:0; content:"&secure="; nocase; distance:0; classtype:credential-theft; sid:2032151; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lexi-branson .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lexi-branson.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026370; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; content:"&ctx="; nocase; distance:0; content:"&flowToken="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032152; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in DNS Lookup)"; dns.query; content:"nissour-beton.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026371; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful American Express Phish M1 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"Face="; depth:5; nocase; content:"&Logon="; nocase; distance:0; content:"&acctSelected="; nocase; distance:0; fast_pattern; content:"&acctSelectedURL="; nocase; distance:0; content:"&TARGET="; nocase; distance:0; content:"&USERID="; nocase; distance:0; content:"&PWD="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032153; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (nissour-beton .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"nissour-beton.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026372; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful American Express Phish M2 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"UserID="; depth:7; nocase; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailp="; nocase; distance:0; content:"&title="; nocase; distance:0; content:"&FName="; nocase; distance:0; content:"&MName="; nocase; distance:0; content:"&SName="; nocase; distance:0; content:"&dobyyyy="; nocase; distance:0; fast_pattern; content:"&mobileNo="; nocase; distance:0; content:"&homePhNo="; nocase; distance:0; classtype:credential-theft; sid:2032154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in DNS Lookup)"; dns.query; content:"buymicrosft.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026373; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"login="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&Salvc="; nocase; distance:0; content:"&salton="; nocase; distance:0; fast_pattern; content:"&cnum="; nocase; distance:0; content:"&cmonth="; nocase; distance:0; content:"&cyear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&dobmonth="; nocase; distance:0; classtype:credential-theft; sid:2032155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (buymicrosft .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"buymicrosft.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026374; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"EM="; depth:3; nocase; content:"&PS="; nocase; distance:0; content:"&CN="; nocase; distance:0; content:"=Login"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032156; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in DNS Lookup)"; dns.query; content:"freya.miranda-barlow.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026375; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&Passwd="; nocase; distance:0; content:"&signIn=Sign+in&rmShown="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032120; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (freya .miranda-barlow .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"freya.miranda-barlow.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026376; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/\/[a-f0-9]{32}\/\?\d$/i"; http.cookie; content:"PHPSESSID"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032157; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in DNS Lookup)"; dns.query; content:"lincoln-blake.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026377; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/\/[a-f0-9]{32}\/\?\d$/i"; http.cookie; content:"PHPSESSID"; http.request_body; content:"fullname="; depth:9; nocase; content:"&ccnumber="; nocase; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; classtype:credential-theft; sid:2032158; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lincoln-blake .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"lincoln-blake.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026378; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shared Document Phishing Landing Nov 16 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function checkemail"; nocase; content:"function checkbae"; nocase; distance:0; fast_pattern; content:"Sign in to view"; nocase; distance:0; content:"Select your email"; nocase; distance:0; classtype:social-engineering; sid:2025672; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in DNS Lookup)"; dns.query; content:"octavia-blake.world"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026379; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Business Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"emailcheck="; depth:11; nocase; fast_pattern; content:"&Psword="; nocase; distance:0; classtype:credential-theft; sid:2032159; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (octavia-blake .world in TLS SNI)"; flow:established,to_server; tls.sni; content:"octavia-blake.world"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026380; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Email Update Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?user"; nocase; fast_pattern; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&red="; nocase; distance:0; content:"&comment="; nocase; distance:0; classtype:credential-theft; sid:2032160; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in DNS Lookup)"; dns.query; content:"camilleoconnell.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026381; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Shared Adobe PDF Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&Upgrade="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032190; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (camilleoconnell .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"camilleoconnell.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026382; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue Phish 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?form=Tax"; nocase; content:"&sslchannel="; nocase; distance:0; content:"&sessionid="; nocase; distance:0; content:"&securessl="; nocase; distance:0; http.header; content:".php?form=Tax"; nocase; content:"&sslchannel="; nocase; distance:0; content:"&sessionid="; nocase; distance:0; http.request_body; content:"form-data|3b 20|name=|22|ccname|22|"; nocase; content:"form-data|3b 20|name=|22|ccno|22|"; nocase; content:"form-data|3b 20|name=|22|ccexp|22|"; nocase; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; classtype:credential-theft; sid:2032193; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in DNS Lookup)"; dns.query; content:"geny-wise.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026383; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; nocase; http.request_body; content:"surname="; depth:8; nocase; content:"&membershipNumber="; nocase; distance:0; fast_pattern; content:"&debitCardSet1="; nocase; distance:0; content:"&sortCodeSet1="; nocase; distance:0; content:"&accountNumber="; nocase; distance:0; classtype:credential-theft; sid:2032194; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (geny-wise .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"geny-wise.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026384; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-31"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"compte"; nocase; http.request_body; content:"comid="; depth:6; nocase; content:"&compw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032189; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in DNS Lookup)"; dns.query; content:"lindamullins.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026385; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"formtex"; nocase; depth:7; fast_pattern; content:"&formtex"; nocase; distance:0; content:"&formtex"; nocase; distance:0; classtype:credential-theft; sid:2031572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lindamullins .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lindamullins.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026386; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websc-"; nocase; content:".php?SessionID-xb="; nocase; fast_pattern; within:40; classtype:credential-theft; sid:2023558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in DNS Lookup)"; dns.query; content:"olivia-hartman.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026387; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe Online PDF Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.header; content:"&Email="; nocase; http.request_body; content:"feedback="; depth:9; nocase; content:"&feedbacknow="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032195; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (olivia-hartman .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"olivia-hartman.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026388; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"LOB=RBGLogon"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&pass="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; fast_pattern; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032196; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in DNS Lookup)"; dns.query; content:"caroline-nina.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026389; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Phish M2 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"ci="; depth:3; nocase; content:"&path="; nocase; distance:0; content:"&vbpass="; nocase; distance:0; fast_pattern; content:"&userEmail="; nocase; distance:0; content:"&accNum="; nocase; distance:0; classtype:credential-theft; sid:2032197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (caroline-nina .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"caroline-nina.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026390; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Free Mobile (FR) Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?clientid="; nocase; http.header; content:".php?clientid="; nocase; http.request_body; content:"fuser="; depth:6; nocase; content:"&fpass="; nocase; distance:0; fast_pattern; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032198; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in DNS Lookup)"; dns.query; content:"gmailservice.us"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026391; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish Oct 10 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save.asp"; nocase; fast_pattern; http.header; content:"apple"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2023592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (gmailservice .us in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmailservice.us"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026392; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"CN="; depth:3; nocase; content:"&DOB="; nocase; distance:0; content:"&CCN="; nocase; distance:0; fast_pattern; content:"&EXP="; nocase; distance:0; content:"&CVV="; nocase; distance:0; content:"&SSN="; nocase; distance:0; content:"&PAS="; nocase; distance:0; content:"&valider="; nocase; distance:0; classtype:credential-theft; sid:2032199; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in DNS Lookup)"; dns.query; content:"liz-keen.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026393; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Javascript XOR Encoding - Observed in Apple Phishing 2016-12-09"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"strHTML=|22 22 3b|"; nocase; within:100; fast_pattern; content:"strHTML+=|22|"; within:11; content:"function XOR"; nocase; distance:0; content:"strPass"; nocase; distance:0; content:"binl2b64"; nocase; distance:0; content:"core_hmac_md5"; nocase; distance:0; content:"hex_hmac_md5"; nocase; distance:0; classtype:social-engineering; sid:2032200; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (liz-keen .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"liz-keen.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026394; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Password Protected AMEX Phish 2016-12-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&pw="; nocase; distance:0; content:"&AC1="; nocase; distance:0; content:"&AC2="; nocase; distance:0; content:"&AC3="; nocase; distance:0; content:"&CV="; nocase; distance:0; content:"&CSC="; nocase; distance:0; content:"&EM="; nocase; distance:0; content:"&EY="; nocase; distance:0; content:"&MN="; nocase; distance:0; content:"&MM="; nocase; distance:0; content:"&DD="; nocase; distance:0; content:"&BP="; nocase; distance:0; content:"&SCH="; nocase; distance:0; fast_pattern; content:"&SPN="; nocase; distance:0; content:"&EA="; nocase; distance:0; content:"&EP="; nocase; distance:0; classtype:credential-theft; sid:2032201; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in DNS Lookup)"; dns.query; content:"oriential.website"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026395; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Updating Billing Address"; nocase; fast_pattern; content:"Paypal"; nocase; distance:0; content:"Resolution Center"; nocase; distance:0; content:"Confirm my Billing"; nocase; distance:0; classtype:credential-theft; sid:2032203; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (oriential .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"oriential.website"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026396; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>PayPal Service Update"; nocase; fast_pattern; content:"Paypal"; nocase; distance:0; content:"Resolution Center"; nocase; distance:0; classtype:credential-theft; sid:2032204; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in DNS Lookup)"; dns.query; content:"cassy-gray.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026397; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_fn="; depth:4; nocase; content:"&_ln="; nocase; distance:0; content:"&_birthd="; nocase; distance:0; content:"&_birthm="; nocase; distance:0; content:"&_birthy="; nocase; distance:0; content:"&_add1="; nocase; distance:0; content:"&_add2="; nocase; distance:0; content:"&_countr="; nocase; distance:0; fast_pattern; content:"&_ct="; nocase; distance:0; content:"&_st="; nocase; distance:0; content:"&_zipc="; nocase; distance:0; content:"&_ph="; nocase; distance:0; classtype:credential-theft; sid:2032205; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cassy-gray .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"cassy-gray.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026398; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M4 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_fulln="; depth:7; nocase; content:"&_ccn="; nocase; distance:0; content:"&_ccv="; nocase; distance:0; content:"&_expm="; nocase; distance:0; content:"&_expy="; nocase; distance:0; content:"&_3d="; nocase; distance:0; content:"&_drv="; nocase; distance:0; content:"&_sortc="; nocase; distance:0; fast_pattern; content:"&_ssn1="; nocase; distance:0; content:"&_ssn2="; nocase; distance:0; content:"&_ssn3="; nocase; distance:0; classtype:credential-theft; sid:2032206; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in DNS Lookup)"; dns.query; content:"graceygretchen.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026399; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M5 2016-12-13"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"_bkid="; depth:6; nocase; content:"&_bkpass="; nocase; distance:0; fast_pattern; content:"&_accn="; nocase; distance:0; content:"&_routn="; nocase; distance:0; classtype:credential-theft; sid:2032207; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (graceygretchen .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"graceygretchen.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026400; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Shared PDF Phish 2016-12-13"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function delayer"; content:"adobe.com"; nocase; within:50; content:"<title>PDF ONLINE"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032208; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in DNS Lookup)"; dns.query; content:"login-yohoo.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026401; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-13"; flow:from_server,established; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Update Billing Information"; nocase; fast_pattern; content:"chase.com"; nocase; distance:0; classtype:credential-theft; sid:2032209; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (login-yohoo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"login-yohoo.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026402; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Deactivation Phishing Landing 2016-12-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Server Message"; nocase; fast_pattern; content:"logo.png"; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:social-engineering; sid:2032210; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in DNS Lookup)"; dns.query; content:"ososezo.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026403; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Deactivation Phish 2016-12-15"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Email Settings"; nocase; fast_pattern; content:"Processing."; nocase; distance:0; content:"Please wait"; nocase; distance:0; content:"update your account"; nocase; distance:0; classtype:credential-theft; sid:2032211; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026404; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"isJsEnabled="; depth:12; nocase; content:"&session_key="; nocase; distance:0; content:"&session_password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; content:"&session_redirect="; nocase; distance:0; content:"&trk="; nocase; distance:0; content:"&loginCsrfParam="; nocase; distance:0; content:"&fromEmail="; nocase; distance:0; classtype:credential-theft; sid:2032191; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in DNS Lookup)"; dns.query; content:"cecilia-dobrev.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026405; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"donnee"; depth:6; nocase; content:"&donnee"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032192; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-dobrev .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-dobrev.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026406; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credential Phish (Multiple Brands) 2016-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"data1="; depth:6; nocase; content:"&data"; nocase; distance:0; content:"&data"; nocase; distance:0; content:"&donnee"; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032212; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in DNS Lookup)"; dns.query; content:"hareyupnow.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026407; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Phish 2016-12-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032213; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (hareyupnow .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"hareyupnow.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026408; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"continue="; nocase; content:"&service="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"&signIn="; nocase; distance:0; content:"&PersistentCookie="; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in DNS Lookup)"; dns.query; content:"lord-varys.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026409; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banamex Bank Phish 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&USERID="; nocase; content:"&PASSWORD="; nocase; distance:0; content:"&AHN="; nocase; distance:0; content:"&BANK+ID="; nocase; distance:0; fast_pattern; content:"&PRODUCT+NAME="; nocase; distance:0; content:"&LANGUAGE+ID="; nocase; distance:0; content:"&EXTRA1="; nocase; distance:0; content:"&GROUP="; nocase; distance:0; content:"&PIN="; nocase; distance:0; classtype:credential-theft; sid:2032214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lord-varys .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lord-varys.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026410; rev:4; metadata:created_at 2018_09_26, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 03 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login_email"; depth:11; nocase; fast_pattern; content:"login_pass"; nocase; distance:0; classtype:credential-theft; sid:2024572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2018-09-27 M2"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:".php?Email="; nocase; fast_pattern; content:"@"; distance:0; classtype:credential-theft; sid:2029666; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"p="; depth:2; nocase; content:"&a2="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&conta="; nocase; distance:0; fast_pattern; content:"&aa="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&age="; nocase; distance:0; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2023696; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)"; flow:to_server,established; flowbits:set,ET.000webhostpost; flowbits:noalert; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:misc-activity; sid:2026420; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 15 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"form"; nocase; fast_pattern; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; classtype:credential-theft; sid:2024565; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Underminer EK SWF Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; content:".swf"; distance:26; within:4; endswith; pcre:"/\/(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.swf$/i"; http.header; content:"/"; content:".html"; distance:26; within:5; content:"x-flash-version|3a 20|"; http.referer; pcre:"/^.+(?![a-z]{26}|[0-9]{26})[a-z0-9]{26}\.html$/i"; http.cookie; content:"token="; depth:6; fast_pattern; pcre:"/^[a-f0-9]{32}$/Ri"; classtype:exploit-kit; sid:2026426; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Underminer_EK, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union/Paypal Phish 2016-09-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"login_email="; depth:12; nocase; fast_pattern; content:"&login_password="; nocase; distance:0; content:"&image.x="; nocase; distance:0; classtype:credential-theft; sid:2032182; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (curl53)"; flow:established,to_server; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:trojan-activity; sid:2026428; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 12 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ID="; depth:3; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024573; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VPNFilter htpx Module C2 Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; http.header_names; content:"Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:command-and-control; sid:2026429; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024574; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.TW Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.tw"; endswith; classtype:credential-theft; sid:2026430; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jan 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user_id="; depth:8; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024575; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Reaper (APT37) DNS Lookup (kmbr1 .nitesbr1 .org)"; dns.query; content:"kmbr1.nitesbr1.org"; nocase; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026432; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, malware_family DOGCALL, performance_impact Low, signature_severity Major, tag APT37, tag Reaper, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"countrycode="; depth:12; nocase; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&signin="; nocase; distance:0; content:"&_uuid="; nocase; distance:0; content:"&_seqid="; nocase; distance:0; content:"&otp_channel="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032188; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Final1stspy CnC Checkin (Reaper/APT37 Stage 1 Payload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?MachineId="; content:"&InfoSo="; distance:0; content:"&Index="; distance:0; content:"&Account="; distance:0; content:"&List="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Host|20|Process|20|Update"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/; reference:md5,0f1d3ed85fee2acc23a8a26e0dc12e0f; reference:md5,a2fe5dcb08ae8b72e8bc98ddc0b918e7; classtype:targeted-activity; sid:2026431; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category MALWARE, malware_family Final1stspy, performance_impact Low, signature_severity Major, tag APT37, tag ReaperGroup, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Windows Live Account Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&remMe="; nocase; distance:0; content:"&SI="; nocase; distance:0; classtype:credential-theft; sid:2032187; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Malformed Double Accept Header"; flow:established,to_server; http.user_agent; content:!"-DRM"; http.host; content:!"buhphone.ru"; content:!"www.backupmaker.com"; content:!"ati.com"; content:!"amd.com"; endswith; http.accept; content:"Accept|3a 20|"; fast_pattern; reference:url,doc.emergingthreats.net/2008975; classtype:policy-violation; sid:2008975; rev:18; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/websrc"; fast_pattern; endswith; http.request_body; content:"email"; nocase; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2023759; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in DNS Lookup)"; dns.query; content:"ososezo.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026442; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Tripod.com Mar 31 M3"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"mail"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032013; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (ososezo .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"ososezo.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026443; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"GALX="; fast_pattern; content:"bgresponse="; nocase; distance:0; content:"Email="; nocase; distance:0; content:"Passwd="; nocase; distance:0; classtype:credential-theft; sid:2032179; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in DNS Lookup)"; dns.query; content:"cecilia-gilbert.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026444; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phishing 2016-12-12"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"chaseonline.chase.com"; nocase; content:"<title>Chase Online"; nocase; fast_pattern; classtype:credential-theft; sid:2032202; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cecilia-gilbert .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cecilia-gilbert.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026445; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 19 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login"; depth:5; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024560; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in DNS Lookup)"; dns.query; content:"harper-monty.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026446; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 16 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e-mail="; depth:7; fast_pattern; nocase; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024566; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harper-monty .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"harper-monty.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026447; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 22 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"feedback="; depth:9; fast_pattern; nocase; content:"&feedback"; nocase; distance:0; content:"&feedback"; nocase; distance:0; classtype:credential-theft; sid:2024567; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in DNS Lookup)"; dns.query; content:"lyanna-stark.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026448; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 07 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Editbox1="; depth:9; nocase; content:"&Editbox2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024568; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (lyanna-stark .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"lyanna-stark.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026449; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Pass"; nocase; distance:0; classtype:credential-theft; sid:2024569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in DNS Lookup)"; dns.query; content:"parrotchat.co"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026450; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 20 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"name"; depth:7; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024570; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (parrotchat .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"parrotchat.co"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026451; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Dec 27 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uid="; depth:4; nocase; content:"&Pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in DNS Lookup)"; dns.query; content:"cerseilannister.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026452; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (Redirect to Download PDF) 2016-02-08"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<META HTTP-EQUIV="; nocase; within:100; fast_pattern; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:25; content:"url="; nocase; within:25; content:".php"; nocase; within:25; classtype:credential-theft; sid:2032176; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (cerseilannister .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"cerseilannister.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026453; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?Action=SecurityCheck"; nocase; fast_pattern; http.header; content:".php?Action="; http.request_body; content:"csc="; depth:4; nocase; classtype:credential-theft; sid:2032183; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in DNS Lookup)"; dns.query; content:"harrykane.online"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026454; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M2 Feb 13 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"#dob"; nocase; content:".mask"; within:10; content:"#ccexp"; nocase; distance:0; content:".mask"; within:10; content:"#ssn"; nocase; distance:0; content:".mask"; within:10; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; classtype:social-engineering; sid:2025667; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harrykane .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"harrykane.online"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026455; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live External Link Phishing Landing M2 Feb 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Secure redirect"; nocase; fast_pattern; content:"auth.gfx.ms"; nocase; distance:0; content:"access sensitive information"; nocase; distance:0; content:"Confirm your password"; nocase; distance:0; classtype:social-engineering; sid:2025675; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in DNS Lookup)"; dns.query; content:"mail-accout.club"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026456; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sucessful Generic Phish (set) 2020-08-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&form_item"; fast_pattern; content:"&form_item"; distance:0; classtype:credential-theft; sid:2030646; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-accout .club in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-accout.club"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026457; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"locked.php"; nocase; content:"Account-Unlock"; nocase; distance:0; fast_pattern; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023999; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in DNS Lookup)"; dns.query; content:"pmi-pna.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026458; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&txtCelular="; nocase; content:"&txtSenhaCartao="; nocase; distance:0; fast_pattern; content:"btnLogIn"; nocase; distance:0; classtype:credential-theft; sid:2024002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pmi-pna .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pmi-pna.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026459; rev:4; metadata:created_at 2018_10_08, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowsdriversupd.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:domain-c2; sid:2026467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banker, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"self.location.replace("; within:100; fast_pattern; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:social-engineering; sid:2024007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Gadwats Banker CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=www.windowswsusonline.com"; nocase; endswith; reference:md5,07b78bcfb2a6540f060385c9bf00c155; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Gadwats.A; classtype:domain-c2; sid:2026468; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_10_10, deployment Perimeter, former_category MALWARE, malware_family Gadwats, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banker, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"step=confirmation"; depth:17; nocase; content:"&rt="; nocase; distance:0; content:"&rp="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&whichForm="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Parola="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024009; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (weekendstrips .net)"; dns.query; content:"weekendstrips.net"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NumarCard="; depth:10; nocase; fast_pattern; content:"&CVV="; nocase; distance:0; content:"&Luna="; nocase; distance:0; content:"&NumeCard="; nocase; distance:0; content:"&PrenumeCard="; nocase; distance:0; content:"&NumedeContact="; nocase; distance:0; content:"&NumardeTelefon="; nocase; distance:0; content:"&EmaildeContact="; nocase; distance:0; content:"&cryptedStepCheck="; nocase; distance:0; classtype:credential-theft; sid:2024010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FruityArmor DNS Lookup (shelves-design .com)"; dns.query; content:"shelves-design.com"; nocase; fast_pattern; endswith; reference:url,securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/; classtype:trojan-activity; sid:2026470; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag FruityArmor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/webapps/"; content:"/websrc"; distance:5; within:7; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/i"; classtype:social-engineering; sid:2024018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M2 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026475; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Coinminer, tag SocEng, tag CoinMinerCampaign, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish M1 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"liamguname="; depth:11; nocase; fast_pattern; content:"&Button1="; distance:0; nocase; classtype:credential-theft; sid:2032181; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in DNS Lookup)"; dns.query; content:"chat-often.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026476; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"liamgphn="; depth:9; nocase; content:"&liamgrecoveryem="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2032185; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (chat-often .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"chat-often.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026477; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Credit Agricole Bank (FR) Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"origine="; nocase; content:"&situationTravail="; nocase; distance:0; content:"&canal="; nocase; distance:0; content:"&typeAuthentification="; nocase; distance:0; content:"&idUnique="; nocase; distance:0; content:"&caisse="; nocase; distance:0; content:"&CCCRYC="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032186; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in DNS Lookup)"; dns.query; content:"harvey-ross.info"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026478; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Mar 08 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>|26 23|68|3b 26 23|111|3b 26 23|99|3b 26 23|117|3b 26 23|115|3b 26 23|105|3b 26 23|103|3b 26 23|110|3b|"; fast_pattern; classtype:social-engineering; sid:2025662; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (harvey-ross .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"harvey-ross.info"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026479; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shared Document Base64 Phishing Landing 2016-01-20"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|base64"; nocase; fast_pattern; content:"PCFET0NUWVBFIGh0bWw+"; distance:1; within:21; reference:md5,0c9a677efd2762c4d5d759c294bc00d7; classtype:social-engineering; sid:2032175; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_20, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in DNS Lookup)"; dns.query; content:"mail-goog1e.com"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026480; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&digito="; nocase; distance:0; content:"&entrada_1="; nocase; distance:0; fast_pattern; content:"&entrada_2="; nocase; distance:0; content:"&entrada_3="; nocase; distance:0; content:"&entrada_4="; nocase; distance:0; content:"&looking1="; nocase; distance:0; classtype:credential-theft; sid:2023697; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (mail-goog1e .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail-goog1e.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026481; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Mar 13 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"aliasDispatcher="; depth:16; nocase; content:"&indBNCFunds="; nocase; distance:0; content:"&accountNumber1="; nocase; distance:0; content:"&cardExpirDate="; nocase; distance:0; fast_pattern; content:"&registrationMode="; nocase; distance:0; content:"&cardActionTypeSelected="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&clientIpAdress="; nocase; distance:0; content:"&clientUserAgent="; nocase; distance:0; content:"&clientScreenResolution="; nocase; distance:0; classtype:credential-theft; sid:2024047; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in DNS Lookup)"; dns.query; content:"pml-help.site"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026482; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING INTERAC Payment Multibank Phishing Landing Mar 14 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta property=|22|og|3a|title|22 20|content=|22|Deposit your INTERAC e-Transfer|22|"; nocase; content:"<title>INTERAC e-Transfer"; nocase; distance:0; fast_pattern; content:"INTERAC|25|20e-Transfer"; nocase; distance:0; classtype:social-engineering; sid:2025679; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (pml-help .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"pml-help.site"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026483; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Instagram Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cek=login"; depth:9; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2024051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in DNS Lookup)"; dns.query; content:"christopher.fun"; endswith; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026484; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login_cmd="; depth:10; nocase; content:"&login_params="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (christopher .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"christopher.fun"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026485; rev:4; metadata:created_at 2018_10_15, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appid="; depth:6; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pwd"; nocase; distance:0; classtype:credential-theft; sid:2024060; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious XLS DDE rar Drop Fake 404 Response"; flow:established,to_client; flowbits:isset,ET.xls.dde.drop; http.stat_code; content:"200"; file.data; content:"<h1>404 Not Found</h1><span>The resource requested could not be found on this server!</span>"; endswith; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; nocase; content:"&dob="; nocase; distance:0; content:"&cchn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expdate="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; classtype:credential-theft; sid:2024061; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 10)"; flow:to_server,established; http.user_agent; content:"Windows 10"; depth:10; http.host; content:!"google-analytics.com"; endswith; classtype:bad-unknown; sid:2026521; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Email Account Phishing Landing Mar 16 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name="; nocase; content:"mswebdialog-title"; nocase; distance:1; within:18; content:"Arcadis Office 365"; nocase; within:50; fast_pattern; content:"<title>Sign In"; nocase; within:50; classtype:social-engineering; sid:2025664; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious EXE Download Content-Type image/jpeg"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; flowbits:set,ET.http.binary; http.content_type; content:"image/jpeg"; depth:10; endswith; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; fast_pattern; classtype:policy-violation; sid:2026537; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Mar 22 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"identif="; depth:8; nocase; content:"&elserr="; nocase; distance:0; fast_pattern; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2024100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Domain Observed in SNI (samwinchester .club)"; flow:established,to_server; tls.sni; content:"samwinchester.club"; endswith; nocase; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026546; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&K1="; nocase; distance:0; content:"&Q1="; nocase; distance:0; classtype:credential-theft; sid:2024101; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.uri; content:"/api/hazard/"; depth:12; fast_pattern; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026547; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnumber="; depth:8; nocase; fast_pattern; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&cname="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024185; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"common|20|soon"; depth:11; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iCloud Phish 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Home/Save"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest"; nocase; http.request_body; content:"u="; depth:2; fast_pattern; nocase; content:"&p="; distance:0; nocase; classtype:credential-theft; sid:2031793; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Response M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"loub"; depth:4; fast_pattern; endswith; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful OWA Phish Apr 25 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"office365.com/owa/"; nocase; distance:0; fast_pattern; content:"<title>Account"; nocase; distance:0; content:"Success"; nocase; within:20; classtype:credential-theft; sid:2024999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA HTTP Failover Reporting Infected System Information and RAT Version"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_dst; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"|3a|1.0.2|0d 0a 2d 2d 2d 2d 2d|"; fast_pattern; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:trojan-activity; sid:2026551; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-03-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appleId="; nocase; fast_pattern; content:"accountPassword="; nocase; content:"appIdKey="; nocase; classtype:credential-theft; sid:2032178; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_03_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware Initial Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?check$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:trojan-activity; sid:2026541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Miniproxy Cloned Page - Possible Phishing Landing"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<!-- Proxified page constructed by miniProxy"; fast_pattern; nocase; within:100; reference:url,github.com/joshdick/miniProxy; classtype:social-engineering; sid:2024283; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?servers"; fast_pattern; endswith; pcre:"/^\/d[0-9]?\.php\?servers$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026542; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 24 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; depth:5; nocase; content:"|25|40"; distance:0; content:"senha"; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024576; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Octopus Malware CnC Server Connectivity Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?check="; fast_pattern; pcre:"/^\/[a-z]\.php\?check=[a-f0-9]{32}$/i"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:47; endswith; reference:md5,1610cddb80d1be5d711feb46610f8a77; reference:md5,d8c8f2bf85796014feb06be41b99ca76; reference:url,securelist.com/octopus-infested-seas-of-central-asia/88200/; classtype:command-and-control; sid:2026543; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Octopus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish Mar 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha6="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; content:"&agencia="; nocase; distance:0; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; classtype:credential-theft; sid:2024328; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish to zap-webspace.com Webhost 2018-10-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".zap-webspace.com"; endswith; fast_pattern; classtype:credential-theft; sid:2026553; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish May 25 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; depth:8; nocase; content:"&conta="; nocase; distance:0; content:"&senha8="; nocase; distance:0; fast_pattern; content:"&ir="; nocase; distance:0; classtype:credential-theft; sid:2024329; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (IEhook)"; flow:established,to_server; http.user_agent; content:"IEhook"; depth:6; endswith; fast_pattern; reference:md5,f0483493bcb352bd2f474b52f3b2f273; classtype:trojan-activity; sid:2026558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"handle="; depth:7; nocase; fast_pattern; content:"|25|40"; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2024577; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Container"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/containers/create"; endswith; http.user_agent; content:"Docker-Client"; depth:13; fast_pattern; http.request_body; content:"|7b 22|Hostname|22 3a 22|"; depth:13; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2026561; rev:4; metadata:attack_target Server, created_at 2018_10_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Dropbox Phishing Landing May 31 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; nocase; content:"Select your email provider"; nocase; fast_pattern; distance:0; content:"Gmail"; nocase; distance:0; content:"Yahoo"; nocase; distance:0; classtype:social-engineering; sid:2025661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Requesting Redirect/Inject List"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/red/info.php"; depth:13; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; content:"Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026562; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) May 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; classtype:credential-theft; sid:2024578; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Exit Instruction"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"EXIT|3b|"; depth:5; fast_pattern; endswith; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026564; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 08 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; content:"&Pass"; nocase; distance:0; content:"formimage"; nocase; fast_pattern; classtype:credential-theft; sid:2024579; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|C|3a 5c|"; content:".DAT|22 3b 0d 0a|"; distance:0; content:"|0d 0a|Host Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Name|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; content:"|0d 0a|OS Version|3a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:command-and-control; sid:2026559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category MALWARE, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; content:"&conta="; nocase; distance:0; content:"&senha_eletronica="; nocase; distance:0; fast_pattern; content:"&senha_cartao="; nocase; distance:0; content:"&celular="; nocase; distance:0; classtype:credential-theft; sid:2024371; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrueBot/Silence.Downloader Keep-Alive"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?dns="; fast_pattern; pcre:"/^[a-f0-9]{8}$/Rs"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,c2a00949ddacfed9ed2ef83a8cb44780; classtype:trojan-activity; sid:2026560; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family TrueBot, malware_family Silence_Downloader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hostinger Generic Phish Jun 09 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"wb_form_id="; nocase; depth:11; fast_pattern; content:"&message=&wb_input_0="; nocase; distance:8; within:21; content:"&wb_input_0="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; content:"&wb_input_1="; nocase; distance:0; classtype:credential-theft; sid:2024375; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech/PLEAD TSCookie CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; fast_pattern; content:"&i="; distance:0; content:"&p="; distance:0; pcre:"/\.aspx\?m=[A-F0-9]{3,40}&i=[A-F0-9]{3,40}&p=[A-F0-9]{3,40}$/i"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE|20|8.0|3b 20|Win32|29|"; endswith; http.header_names; content:!"Referer"; reference:url,blogs.jpcert.or.jp/ja/2018/10/tscookie-1.html; classtype:command-and-control; sid:2026568; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_01, deployment Perimeter, former_category MALWARE, malware_family TScookie, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phishing 2016-03-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"save"; content:".asp"; within:6; pcre:"/\.asp$/"; http.request_body; content:"u="; depth:2; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2032177; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29/WellMess CnC Activity"; flow:established,to_server; content:"+++|0d 0a|"; fast_pattern; urilen:1; http.method; content:"POST"; http.cookie; content:"+++"; endswith; http.request_body; pcre:"/^(?:[\x3a\x2c\x2e]?[A-Za-z0-9]{1,8}[\x3a\x2c\x2e]?[\x3a\x2c\x2e]?\s*){50,}$/si"; http.header_names; content:!"Referer"; reference:md5,861879f402fe3080ab058c0c88536be4; reference:url,ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf; classtype:trojan-activity; sid:2030534; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_16, deployment Perimeter, former_category MALWARE, malware_family WellMess, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credit Card Information in HTTP POST - Possible Successful Phish Jun 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cnum="; depth:5; nocase; content:"&exp="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024377; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/GPlayed (sub1 .tdsworker .ru in DNS Lookup)"; dns.query; content:"sub1.tdsworker.ru"; endswith; reference:url,blog.talosintelligence.com/2018/10/gplayerbanker.html; classtype:trojan-activity; sid:2026566; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_11_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_GPlayed, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|YTS"; file.data; content:"<title>Yahoo - login"; fast_pattern; nocase; classtype:social-engineering; sid:2024390; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET to Puu.sh for TXT File with Minimal Headers"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".txt"; nocase; endswith; http.host; content:"puu.sh"; depth:6; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2026569; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Yahoo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|YTS"; file.data; content:"<title>Yahoo! Mail"; fast_pattern; nocase; classtype:social-engineering; sid:2024398; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possibly Suspicious Request for Putty.exe from Non-Standard Download Location"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/putty.exe"; nocase; endswith; http.host; content:!"the.earth.li"; classtype:bad-unknown; sid:2026570; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_02, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032180; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_08_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten JS/HTA Stage 1 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?anti="; content:"&cliname="; distance:0; fast_pattern; http.accept; content:"*/*"; endswith; http.accept_enc; content:"gzip, deflate"; endswith; http.header_names; content:"User-Agent"; content:!"Cache"; content:!"Referer"; reference:md5,e15b3d2c39888fe459dc2d9c8dec331d; classtype:targeted-activity; sid:2026575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2020-08-07"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; content:"&paswd="; fast_pattern; distance:0; classtype:credential-theft; sid:2031871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT33/CharmingKitten Retrieving New Payload (flowbit set)"; flow:established,to_server; flowbits:set,ET.APT33CharmingKitten.1; http.method; content:"GET"; http.uri; content:"/images/static/content/"; depth:23; fast_pattern; endswith; http.header_names; content:!"Cache"; content:!"Accept"; content:!"Referer"; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026577; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:!"</title>"; nocase; within:20; content:"|26 23|x"; within:20; content:"|3b 26 23|x"; distance:2; within:4; fast_pattern; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024432; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M1"; dns.query; content:"mynetwork.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026573; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Mobile Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|67|3b 26 23|104|3b 26 23|97|3b 26 23|115|3b 26 23|101|3b 26 23|32|3b 26 23|66|3b 26 23|97|3b 26 23|110|3b 26 23|107|3b|"; within:70; fast_pattern; content:"</title>"; distance:0; classtype:social-engineering; sid:2025691; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33/CharmingKitten DDNS Overlap Domain in DNS Lookup M2"; dns.query; content:"mypsh.ddns.net"; nocase; fast_pattern; endswith; reference:md5,9881bccf12fd8ae71a03247d2ad61a06; classtype:targeted-activity; sid:2026574; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT33, tag CharmingKitten, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 06 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"b2="; depth:3; nocase; content:"&b1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024580; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 12"; flow:established,to_server; urilen:<6; http.method; content:"POST"; http.uri; content:"/"; endswith; content:!"."; content:!"&"; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; depth:2; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Host|0d 0a|Referer|0d 0a|User-Agent"; reference:md5,6ccf5004f5bd1ffd26a428961a4baf6e; classtype:command-and-control; sid:2026555; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category MALWARE, malware_family Sharik, malware_family SmokeLoader, signature_severity Major, tag c2, updated_at 2020_09_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Blockchain title over non SSL Jul 10 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"bitcoin wallet - blockchain"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024450; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArrobarLoader CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"4RR0B4R 4 X0T4 D4 TU4 M4E"; fast_pattern; http.request_body; content:"0"; endswith; http.header_names; content:!"Referer"; content:!"Cache"; reference:md5,3d7436bcf635a7e56a785c9d26ed3767; classtype:command-and-control; sid:2026528; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category MALWARE, malware_family ArrobarLoader, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&pd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024581; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 1/2 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magento.si-shell.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 11 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"IDToken"; depth:7; nocase; content:"&IDToken"; nocase; distance:0; fast_pattern; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; content:"&IDToken"; nocase; distance:0; classtype:credential-theft; sid:2024582; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 3 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlinestatus.site"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; content:"password="; nocase; content:"View+PDF+Document"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032235; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=s3-us-west.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Credit Card"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ccnum"; fast_pattern; content:"&exp"; distance:0; content:"&cvv"; distance:0; classtype:credential-theft; sid:2021692; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=maxijs.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish - Three Security Questions"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"q1="; content:"&answer1="; distance:0; fast_pattern; content:"&q2="; distance:0; content:"&answer2="; distance:0; content:"&q3="; distance:0; content:"&answer3="; distance:0; classtype:credential-theft; sid:2021693; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=allacarts.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Epass Phish 2016-09-01"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?email="; fast_pattern; http.request_body; content:"epass="; depth:6; nocase; classtype:credential-theft; sid:2032237; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=googiecloud.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026596; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Phish M1 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"acc3="; depth:5; nocase; content:"&acc1="; nocase; distance:0; fast_pattern; content:"&acc2="; nocase; distance:0; content:"&isUtf8="; nocase; distance:0; classtype:credential-theft; sid:2032263; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=braintform.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026597; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern; content:"password-revealer"; nocase; distance:0; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:social-engineering; sid:2023047; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=onlineshopsecurity.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026598; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish Aug 15 2016"; flow:to_server,established; http.method; content:"POST"; http.header; content:".php?cmd=login_submit"; nocase; fast_pattern; http.request_body; content:"login="; depth:6; nocase; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2023061; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=magecreativetech.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026599; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Bank Phish Jan 05 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"redirect="; depth:9; nocase; content:"&txtState="; nocase; distance:0; content:"&txtCount="; nocase; distance:0; content:"&txtOneTime="; nocase; distance:0; content:"&Account_ID="; nocase; distance:0; content:"&active_Password="; nocase; distance:0; fast_pattern; content:"&Submit="; nocase; distance:0; classtype:credential-theft; sid:2023698; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=busnguard.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026600; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Netflix Payment Phish M1 Jan 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"firstName="; depth:10; nocase; content:"&lastName="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&securityCode="; nocase; distance:0; fast_pattern; content:"&SubmitButton="; nocase; distance:0; content:"&msg_agree="; nocase; distance:0; classtype:credential-theft; sid:2024462; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cloud-privacy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,go.flashpoint.com/docs/inside-magecart-by-Flashpoint-and-RiskIQ; classtype:domain-c2; sid:2026601; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&ROLLOUT="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2023770; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/upload.cfm?action=upload"; nocase; fast_pattern; endswith; reference:cve,2018-15961; reference:url,volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-user; sid:2026604; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag CVE_2018_15961, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2015-12-10"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&checkedDomains="; nocase; fast_pattern; content:"&checkConnection="; nocase; distance:0; content:"&Email="; nocase; distance:0; content:"&Passwd="; nocase; distance:0; content:"Download+Document"; nocase; distance:0; classtype:credential-theft; sid:2031797; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JunkMiner Downloader Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Microsoft Windows"; depth:17; fast_pattern; endswith; http.request_body; content:"&JSONQUERY="; depth:11; content:"&SHA1="; distance:0; content:"&SHA2="; distance:0; content:"&SHA3="; distance:0; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026608; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_14, deployment Perimeter, former_category MALWARE, malware_family JunkMiner, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - AOL Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"sitedomain="; depth:11; content:"&isSiteStateEncoded="; nocase; distance:0; classtype:credential-theft; sid:2021322; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Mystery Baby syschk CnC Communication"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart / form-data|3b 20|boundary = -------- 1650502037"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/m/1963; classtype:command-and-control; sid:2026614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Hotmail Creds Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hotmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017753; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Inject Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=opzioni.at"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026615; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Remax Phish - Other Creds Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"&_task=login&_action=login"; nocase; classtype:credential-theft; sid:2021324; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"scsnewstoday.com"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026611; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Complete+Apple+ID+Verification"; nocase; fast_pattern; classtype:credential-theft; sid:2031755; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TEMP.Periscope APT Domain in DNS Lookup"; dns.query; content:"thyssenkrupp-marinesystems.org"; nocase; fast_pattern; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1113.pdf; classtype:targeted-activity; sid:2026612; rev:4; metadata:attack_target Client_and_Server, created_at 2018_11_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DragonFly, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Fedex Phish 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc_lang="; depth:8; content:"&afterwardsURL"; fast_pattern; distance:0; content:"https%3A%2F%2Fwww.fedex.com"; distance:1; content:"&username="; distance:0; content:"&password="; distance:0; content:"&login=Login"; distance:0; classtype:credential-theft; sid:2031753; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT29 Domain in DNS Lookup (pandorasong .com)"; dns.query; content:"pandorasong.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT29, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phish M1 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; content:"&phone="; distance:0; content:"View+Document"; distance:0; fast_pattern; classtype:credential-theft; sid:2031751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hades APT Domain in DNS Lookup (findupdatems .com)"; dns.query; content:"findupdatems.com"; nocase; fast_pattern; endswith; reference:url,twitter.com/DrunkBinary/status/1063075530180886529; classtype:targeted-activity; sid:2026620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag HadesAPT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phish 2015-07-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"pcode="; depth:6; fast_pattern; content:"&Submit=Validate"; distance:0; classtype:credential-theft; sid:2031752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkGate CNC Checkin"; flow:established,to_server; urilen:1; flowbits:set,ET.DarkGate.1; http.method; content:"POST"; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|Synapse|29|"; endswith; fast_pattern; http.request_body; content:"id="; depth:3; content:"&data="; distance:0; content:"&action="; distance:0; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"Referer"; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026629; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful ABSA Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"AccessAccount="; depth:14; nocase; fast_pattern; content:"&PIN="; nocase; distance:0; content:"&Operator="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032257; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DarkGate CnC Requesting Data Exfiltration from Bot"; flow:established,from_server; flowbits:isset,ET.DarkGate.1; http.stat_code; content:"200"; file.data; content:"getbotdata"; depth:10; fast_pattern; endswith; reference:md5,33aabffe4ece4d725e558e87d26a9b14; reference:url,blog.ensilo.com/darkgate-malware; classtype:command-and-control; sid:2026630; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category MALWARE, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Account Update Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&emailpassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031768; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (akamai .la)"; dns.query; content:"akamai.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Account Update Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&user"; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"Update+My+Details"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032238; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (hardwarenet .cc)"; dns.query; content:"hardwarenet.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&locale="; nocase; distance:0; content:"=Sign+in"; distance:0; nocase; classtype:credential-theft; sid:2031764; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (awsamazon.cc)"; dns.query; content:"awsamazon.cc"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.header; content:".php?X1="; fast_pattern; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; classtype:credential-theft; sid:2032243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkGate Domain in DNS Lookup (battlenet .la)"; dns.query; content:"battlenet.la"; nocase; fast_pattern; endswith; reference:url,blog.ensilo.com/darkgate-malware; classtype:trojan-activity; sid:2026634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family DarkGate, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-04-29"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"client_id="; fast_pattern; content:"callback="; content:"&client_redirect="; distance:0; content:"&denied_callback="; distance:0; content:"&display="; distance:0; classtype:credential-theft; sid:2032227; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"gazanew.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026621; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2015-08-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"client_id="; depth:10; fast_pattern; content:"&callback="; distance:0; content:"&email="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031767; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcu.pw"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026622; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish M1 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; nocase; depth:6; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&authSrc=AdobeID"; nocase; distance:0; classtype:credential-theft; sid:2032229; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"hostingcloud.science"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026623; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; content:"&pword="; nocase; distance:0; fast_pattern; content:"&login"; nocase; distance:0; content:"&ip_address="; nocase; distance:0; content:"&action=login"; nocase; distance:0; classtype:credential-theft; sid:2032233; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"mining711.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026624; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"adobe"; nocase; content:".php"; distance:0; http.header; content:"adobe"; nocase; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"src-ips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026625; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Form Names 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"formselect1="; depth:12; nocase; fast_pattern; content:"&formtext1="; nocase; distance:0; content:"&formtext2="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcip.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026626; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-08-10"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit=View+Document"; nocase; distance:0; classtype:credential-theft; sid:2032234; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in TLS SNI"; flow:established,to_server; tls.sni; content:"srcip.com"; endswith; nocase; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026627; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish Jun 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&vi="; nocase; distance:0; classtype:credential-theft; sid:2021296; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS.InfectedMikrotik Injects Domain Observed in DNS Lookup"; dns.query; content:"srcips.com"; endswith; reference:url,blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast; classtype:trojan-activity; sid:2026628; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2018_11_19, deployment Perimeter, former_category TROJAN, malware_family CoinMiner, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; nocase; content:"&pswd="; nocase; distance:0; fast_pattern; content:"&Button1="; nocase; distance:0; classtype:credential-theft; sid:2021297; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (cdn-ampproject .com)"; dns.query; content:"cdn-ampproject.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026645; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish June 17 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"server="; depth:7; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2021298; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (bootstraplink .com)"; dns.query; content:"bootstraplink.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026646; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-05-04"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&password="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&ip_em="; nocase; distance:0; classtype:credential-theft; sid:2032228; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (sskimresources .com)"; dns.query; content:"sskimresources.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026647; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&message="; nocase; distance:0; content:"View+Document"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032262; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus Stage 2 Domain in DNS Lookup (widgets-wp .com)"; dns.query; content:"widgets-wp.com"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/; classtype:targeted-activity; sid:2026648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_22, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag OceanLotus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"frm-email="; depth:10; nocase; fast_pattern; content:"&frm-pass="; nocase; distance:0; content:"&frm-submit="; nocase; distance:0; content:"&frm-ac-tok="; nocase; distance:0; classtype:credential-theft; sid:2032246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv6"; nocase; endswith; tls.cert_serial; content:"E2:56:45:9F:06:BC:8C:B9"; classtype:domain-c2; sid:2026666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Credential Phish 2015-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; content:"&Psword1="; fast_pattern; nocase; distance:0; classtype:credential-theft; sid:2031777; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"B6:9B:45:06:EE:69:DE:58"; classtype:domain-c2; sid:2026667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_cs"; depth:3; nocase; content:"&action="; nocase; distance:0; content:"&event_submit_do_verify_email="; nocase; distance:0; fast_pattern; content:"&tryTimes="; nocase; distance:0; content:"&em"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032255; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=debian"; nocase; endswith; tls.cert_serial; content:"CB:E2:F0:46:19:AE:BE:40"; classtype:domain-c2; sid:2026668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-12-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"noCsrfToken="; depth:12; nocase; content:"&xloginCheckToken="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032264; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=srv4"; nocase; endswith; tls.cert_serial; content:"86:80:0E:21:37:91:42:A3"; classtype:domain-c2; sid:2026669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_26, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"xloginPass"; depth:10; nocase; fast_pattern; content:"&xloginCheckToken="; nocase; distance:0; classtype:credential-theft; sid:2032256; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=amorenvena.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:domain-c2; sid:2026678; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-09-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&xloginPassport="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032245; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERSTATS Proxy CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=andresocana.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:domain-c2; sid:2026679; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, malware_family POWERSTAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"noCsrfToken="; depth:12; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&epass"; nocase; distance:0; classtype:credential-theft; sid:2032247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DNSpionage Requesting Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Login?id=Fy"; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:targeted-activity; sid:2026681; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNSpionage, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Alibaba Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sec="; depth:4; nocase; content:"&noCsrfToken="; nocase; distance:0; content:"&loginId="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&Psword1="; nocase; distance:0; fast_pattern; content:"&checkcode="; nocase; distance:0; classtype:credential-theft; sid:2032260; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".0ffice36o.com"; nocase; endswith; reference:md5,c00c9f6ebf2979292d524acff19dd306; classtype:command-and-control; sid:2026557; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Bank Phish (set) Jul 17 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&login.x="; nocase; distance:0; content:"&login.y="; nocase; distance:0; classtype:credential-theft; sid:2025021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to Bit.ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|bit.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2026674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M1 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&password="; nocase; distance:0; content:"&cvv1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"g-analytics.com"; nocase; depth:15; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026685; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M2 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access1="; depth:8; nocase; fast_pattern; content:"&next.x="; nocase; distance:0; content:"&next.y="; nocase; distance:0; classtype:credential-theft; sid:2025023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for MageCart Data Exfil Domain"; dns.query; content:"jquery-js.com"; nocase; endswith; reference:url,www.anomali.com/blog/is-magecart-checking-out-your-secure-online-transactions; classtype:trojan-activity; sid:2026686; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MageCart, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M3 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"access2="; depth:8; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025024; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.ayar.biz"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026689; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Tesco Phish (set) M4 Jul 18 2017"; flow:to_server,established; flowbits:set,ET.genericphish_Tesco; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&emailpass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025025; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"bizsonet.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PHOEN!X Apple Phish M2 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hold="; nocase; depth:5; fast_pattern; content:"&numb="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&submit.x=Validate"; nocase; distance:0; classtype:credential-theft; sid:2031802; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-message.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026691; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon (UK) Phish 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appActionToken="; depth:15; nocase; fast_pattern; content:"&appAction="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032254; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"client-screenfonts.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"emaillo="; depth:8; fast_pattern; content:"&create="; distance:0; content:"&passcode="; distance:0; classtype:credential-theft; sid:2031762; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"docsdriver.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FullName"; nocase; depth:8; content:"&Address"; nocase; distance:0; content:"&StateN="; nocase; distance:0; content:"&enterAddressIsDomestic="; nocase; distance:0; fast_pattern; content:"&isDomestic="; nocase; distance:0; classtype:credential-theft; sid:2031763; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"grsvps.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026694; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish M2 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"showRmrMe="; depth:10; nocase; fast_pattern; content:"&openid.pape.max_auth_age="; nocase; distance:0; content:"&fullname="; nocase; distance:0; content:"&add1="; nocase; distance:0; content:"&add2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032251; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"pqexport.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026695; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish 2015-11-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NameonCards="; nocase; fast_pattern; content:"&Cardanumber="; nocase; distance:0; content:"&CVV2="; nocase; distance:0; content:"&Expiredate"; nocase; distance:0; classtype:credential-theft; sid:2031784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"scaurri.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026696; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ameli.fr Phish M1 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&dob1="; nocase; distance:0; content:"&mail="; nocase; distance:0; content:"&Pwd="; nocase; distance:0; content:"&adresse="; nocase; distance:0; fast_pattern; content:"&ville="; nocase; distance:0; content:"&tel="; nocase; distance:0; classtype:credential-theft; sid:2032258; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"secozco.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026697; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ameli.fr Phish M2 Oct 26 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bank="; depth:5; nocase; content:"&ccnum="; nocase; distance:0; content:"&expMonth="; nocase; distance:0; content:"&expYear="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&account="; nocase; distance:0; content:"&ghazcisse="; nocase; distance:0; fast_pattern; content:"&Valider="; nocase; distance:0; classtype:credential-theft; sid:2032259; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.pw"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026698; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Dec 8 2015"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; fast_pattern; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; content:"=Login"; nocase; distance:0; classtype:credential-theft; sid:2031565; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"sharedriver.us"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026699; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Anonisma Paypal Phish 2015-12-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&ps="; nocase; distance:0; content:"&hostname="; nocase; distance:0; classtype:credential-theft; sid:2031801; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"tempdomain8899.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026700; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M1 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"firstnameoncard="; depth:16; fast_pattern; content:"&address"; nocase; distance:0; content:"&city"; nocase; distance:0; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032230; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"world-paper.net"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026701; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M1 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"paymenttype="; depth:12; fast_pattern; content:"&cardtype"; nocase; distance:0; content:"&nameoncard"; nocase; distance:0; content:"&cvv"; nocase; distance:0; classtype:credential-theft; sid:2032231; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE STOLENPENCIL CnC Domain in DNS Lookup"; dns.query; content:"zwfaxi.com"; nocase; fast_pattern; endswith; reference:url,asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/; classtype:command-and-control; sid:2026702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_05, deployment Perimeter, former_category MALWARE, malware_family StolenPencil, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish M3 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"question="; depth:9; fast_pattern; content:"&answer"; nocase; distance:0; content:"&ScreenName"; nocase; distance:0; content:"&Password"; nocase; distance:0; classtype:credential-theft; sid:2032232; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Group/More_Eggs CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=safesecurefiles.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:domain-c2; sid:2026703; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"openiForgotInNewWindow="; depth:23; nocase; fast_pattern; content:"&fdcBrowserData="; nocase; distance:0; content:"&appIdKey="; nocase; distance:0; classtype:credential-theft; sid:2032250; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursa Loader CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; fast_pattern; http.request_body; pcre:"/^[a-z]{1,10}=[A-Z]+(?:&[a-z]{1,10}=[A-Z]+){2,}$/s"; http.request_line; content:"POST / HTTP/1.0"; depth:15; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:md5,d05af060e3e104dea638f17c4bceb5ac; classtype:command-and-control; sid:2026756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Ursa_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish M1 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email-ali1="; depth:11; nocase; content:"&password-ali"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032249; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=afgdhjkrm.pw"; nocase; endswith; reference:md5,603dc6ff2a0f28cdf7693050a62f2355; classtype:domain-c2; sid:2026769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2015-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; fast_pattern; nocase; content:"&pass"; distance:0; nocase; content:"&oemail="; distance:0; nocase; classtype:credential-theft; sid:2031792; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID WebSocket Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?"; pcre:"/^[A-F0-9]{16}$/R"; http.header; content:"Upgrade|3a 20|websocket|0d 0a|Connection|3a 20|Upgrade|0d 0a|"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,b17a729efb71d1781405c6c00052c85e; classtype:trojan-activity; sid:2026673; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category TROJAN, malware_family IcedID, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"FirstName="; depth:10; nocase; content:"&LastName="; nocase; distance:0; content:"&DOBM="; nocase; distance:0; content:"&AreaCode="; nocase; distance:0; content:"&Phone="; nocase; distance:0; content:"&cardNumber="; nocase; distance:0; fast_pattern; content:"&securityCode="; nocase; distance:0; content:"&VBV="; nocase; distance:0; classtype:credential-theft; sid:2032248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MongoLock Variant CnC Domain (s .rapid7 .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.rapid7.xyz"; endswith; reference:md5,fa64390d7ffa4ee604dd944bbcf0bc09; classtype:command-and-control; sid:2026722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - Fake Loading Page 2017-08-03"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"//configure destination URL"; nocase; fast_pattern; content:"targetdestination"; nocase; distance:0; content:"splashmessage[0]"; nocase; distance:0; content:"splashmessage[1]"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2029660; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Persistence Setup File"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushBatch"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blockchain Account Phish Aug 19 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UID_input="; depth:10; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024616; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donot (APT-C-35) Stage 1 Requesting Main Payload"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/pushAgent"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip,|20|deflate"; depth:13; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:"User-Agent"; content:!"Referer"; content:!"Cache"; reference:url,ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/; classtype:targeted-activity; sid:2026729; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Donot, tag APT_C_35, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Aug 14 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address_1="; depth:10; nocase; fast_pattern; content:"&address_2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&postal="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&number_1="; nocase; distance:0; content:"&number_2="; nocase; distance:0; content:"&number_3="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon V3 CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?selection="; http.user_agent; content:"Mozilla/13.0|20 28|MSIE|20|7.0|3b 20|Windows|20|NT|20|6.0|29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/12/shamoon-3-targets-oil-gas-organization/; classtype:command-and-control; sid:2026730; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_14, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, performance_impact Low, signature_severity Major, tag APT, tag Wiper, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Square Phish Nov 16 2015"; flow:to_server,established; http.method; content:"POST"; http.header; content:"cmd=_identifier_Demarrer_ID="; nocase; fast_pattern; http.request_body; content:"&submit.x="; nocase; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2024547; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=vesecase.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_18, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&mobile="; nocase; distance:0; content:"&ccnumber="; nocase; distance:0; fast_pattern; content:"&cvv="; nocase; distance:0; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; classtype:credential-theft; sid:2032252; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed GandCrab Domain (gandcrab .bit)"; dns.query; content:"gandcrab.bit"; nocase; endswith; reference:md5,023f078d5eb70bcbf4c5ad5b87df9710; classtype:trojan-activity; sid:2026737; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_18, deployment Perimeter, former_category TROJAN, malware_family GandCrab, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"spyuser="; depth:8; nocase; fast_pattern; content:"&spypass="; nocase; distance:0; classtype:credential-theft; sid:2032239; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Free Hosting Domain (.free .bg)"; dns.query; content:".free.bg"; nocase; endswith; classtype:policy-violation; sid:2026742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-10-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"apple_login="; depth:12; nocase; fast_pattern; content:"&apple_password="; nocase; distance:0; classtype:credential-theft; sid:2032253; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.pointsoft.pw"; nocase; endswith; reference:md5,5b7244c47104f169b0840440cdede788; classtype:domain-c2; sid:2026771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_12_21, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"GivenName="; depth:10; nocase; fast_pattern; content:"&Surname="; nocase; distance:0; content:"&StreetAddress="; nocase; distance:0; content:"&ZipCode="; nocase; distance:0; content:"&TelephoneNumber="; nocase; distance:0; content:"&SSN="; nocase; distance:0; classtype:credential-theft; sid:2032240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)"; flow:established,to_client; tls.cert_subject; content:"CN=ident.me"; nocase; endswith; classtype:external-ip-check; sid:2026743; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"CCNumber="; nocase; fast_pattern; content:"&CCExpires="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&CVV"; nocase; distance:0; classtype:credential-theft; sid:2032241; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 1"; dns.query; content:"flux2key.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026744; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2015-10-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; fast_pattern; content:"&trackdata="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2031780; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Windshift APT Related Domain 2"; dns.query; content:"string2me.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x3B.html; classtype:targeted-activity; sid:2026745; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_27, deployment Perimeter, former_category MALWARE, malware_family Windshift, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Oct 31 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"appleId="; depth:8; nocase; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032261; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/Sofacy Zebrocy Go Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; depth:15; http.request_body; content:"project=%3C%230%3E"; depth:18; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool; reference:md5,400a162a9e5946be10b9fd7155a9ee48; classtype:targeted-activity; sid:2026755; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_03, deployment Perimeter, former_category MALWARE, malware_family Zebrocy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M1 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login-id="; depth:9; nocase; content:"&id-passwd="; nocase; distance:0; fast_pattern; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2032265; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SedUploader)"; flow:established,to_client; tls.cert_subject; content:"CN=photopoststories.com"; nocase; endswith; classtype:domain-c2; sid:2026757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M2 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name-re="; depth:8; nocase; content:"&city-add="; nocase; distance:0; content:"&zip-add="; nocase; distance:0; content:"&state-code="; nocase; distance:0; content:"&country-code="; nocase; distance:0; content:"&question-se="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032266; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via vtransmit .com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.php"; depth:10; endswith; http.host; content:"vtransmit.com"; depth:13; fast_pattern; endswith; classtype:external-ip-check; sid:2026761; rev:4; metadata:attack_target Client_and_Server, created_at 2019_01_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M3 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&pass="; nocase; distance:0; content:"&pays="; nocase; distance:0; content:"&first_name="; nocase; distance:0; content:"&ville="; nocase; distance:0; content:"&cpostal="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&expirationMonth="; nocase; distance:0; content:"&expirationYear="; nocase; distance:0; content:"&cvnum="; nocase; distance:0; fast_pattern; content:"&isvbv="; nocase; distance:0; classtype:credential-theft; sid:2032267; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Operation Cobra Venom Stage 1 DNS Lookup"; dns.query; content:"my-homework.890m.com"; nocase; fast_pattern; endswith; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Phish M4 2016-12-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bank_name="; depth:10; nocase; content:"&d3_code="; nocase; distance:0; fast_pattern; content:"&bin_ext="; nocase; distance:0; classtype:credential-theft; sid:2032268; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - CnC Checkin"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=a"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:command-and-control; sid:2026764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Store Transaction Cancellation Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd=_flow&"; depth:10; content:"&first_name="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&credit_card_type="; nocase; distance:0; fast_pattern; content:"&ccnumber="; nocase; distance:0; content:"&accno="; nocase; distance:0; classtype:credential-theft; sid:2032236; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Cobra Venom WSF Stage 1 - File Decode Completed"; flow:established,to_server; urilen:>14; http.method; content:"GET"; http.uri; content:"/board.php?v=e"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,blog.alyac.co.kr/2066; classtype:trojan-activity; sid:2026765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_08, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag Operation_Cobra_Venom, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Credential Phish 2015-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:".tries="; depth:7; fast_pattern; nocase; content:"&.challenge="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&passwd="; nocase; distance:0; classtype:credential-theft; sid:2031776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 1"; dns.query; content:"0ffice365.agency"; nocase; endswith; classtype:targeted-activity; sid:2026775; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish M1 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag="; depth:3; nocase; content:"&ct="; nocase; distance:0; content:"&infor="; nocase; distance:0; content:"&limpar="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032308; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 2"; dns.query; content:"0nedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026776; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco Itau (BR) Phish M2 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag="; depth:3; nocase; content:"&ct="; nocase; distance:0; content:"&infor="; nocase; distance:0; content:"&telefone="; nocase; distance:0; fast_pattern; content:"&telefone"; nocase; distance:0; content:"&senha"; nocase; distance:0; content:"&bt"; nocase; distance:0; classtype:credential-theft; sid:2032309; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 3"; dns.query; content:"corewindows.agency"; nocase; endswith; classtype:targeted-activity; sid:2026777; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"password="; depth:9; nocase; content:"&ssn="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&emailpassword="; nocase; distance:0; fast_pattern; content:"&form1="; nocase; distance:0; content:"&form2="; nocase; distance:0; content:"&form3="; nocase; distance:0; content:"&form4="; nocase; distance:0; content:"&form5="; nocase; distance:0; classtype:credential-theft; sid:2032305; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 4"; dns.query; content:"microsoftonline.agency"; nocase; endswith; classtype:targeted-activity; sid:2026778; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&sitekeyChallengeAnswer1="; nocase; distance:0; fast_pattern; content:"&question2="; nocase; distance:0; content:"&sitekeyChallengeAnswer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&sitekeyChallengeAnswer3="; nocase; distance:0; content:"&sitekeyDeviceBind="; nocase; distance:0; classtype:credential-theft; sid:2032301; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 5"; dns.query; content:"onedrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026779; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M1 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"FromPreSignIn_SIP="; depth:18; nocase; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; content:"&RSA_DEVPRINT="; nocase; distance:0; content:"&cn1="; nocase; distance:0; content:"&cn2="; nocase; distance:0; classtype:credential-theft; sid:2024586; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 6"; dns.query; content:"sharepoint.agency"; nocase; endswith; classtype:targeted-activity; sid:2026780; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RBC Royal Bank Phish M2 Aug 17 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&pin="; nocase; distance:0; content:"&ccin="; nocase; distance:0; fast_pattern; content:"&mmn="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&ssn2="; nocase; distance:0; content:"&ssn3="; nocase; distance:0; content:"&dl="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&year="; nocase; distance:0; classtype:credential-theft; sid:2024587; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 7"; dns.query; content:"skydrive.agency"; nocase; endswith; classtype:targeted-activity; sid:2026781; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-11-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cardnumber="; depth:11; nocase; fast_pattern; content:"&expirymonth="; nocase; distance:0; content:"&expiryyear="; nocase; distance:0; content:"&securitycode="; nocase; distance:0; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032306; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 8"; dns.query; content:"0ffice365.life"; nocase; endswith; classtype:targeted-activity; sid:2026782; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"account_state_held="; depth:19; nocase; fast_pattern; content:"&onlineid="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&___signon_js="; nocase; distance:0; classtype:credential-theft; sid:2032300; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 9"; dns.query; content:"0ffice365.services"; nocase; endswith; classtype:targeted-activity; sid:2026783; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&q1="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&q2="; nocase; distance:0; content:"&a2="; nocase; distance:0; content:"&q3="; nocase; distance:0; content:"&a3="; nocase; distance:0; content:"&q4="; nocase; distance:0; content:"&a4="; nocase; distance:0; content:"&q5="; nocase; distance:0; content:"&a5="; nocase; distance:0; content:"&passcode="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032302; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 10"; dns.query; content:"skydrive.services"; nocase; endswith; classtype:targeted-activity; sid:2026784; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M3 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&idst="; nocase; distance:0; content:"&code="; nocase; distance:0; content:"&q1="; nocase; distance:0; content:"&a1="; nocase; distance:0; content:"&creditcard="; nocase; distance:0; fast_pattern; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; content:"&ccv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&fullname="; nocase; distance:0; content:"&add1="; nocase; distance:0; content:"&accnum="; nocase; distance:0; content:"&routing="; nocase; distance:0; classtype:credential-theft; sid:2032303; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 11"; dns.query; content:"akdns.live"; nocase; endswith; classtype:targeted-activity; sid:2026785; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"creditcard="; fast_pattern; content:"expyear="; content:"ccv="; content:"pin="; classtype:credential-theft; sid:2015907; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 12"; dns.query; content:"akamaiedge.live"; nocase; endswith; classtype:targeted-activity; sid:2026786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic PII Phish"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&phone3="; content:"&ssn3="; fast_pattern; content:"&dob3="; classtype:credential-theft; sid:2015908; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 13"; dns.query; content:"akamaiedge.services"; nocase; endswith; classtype:targeted-activity; sid:2026787; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic SSN Phish"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:!"LabTech Agent"; http.request_body; content:"ssn1="; fast_pattern; content:"ssn2="; content:"ssn3="; classtype:credential-theft; sid:2015952; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 14"; dns.query; content:"edgekey.live"; nocase; endswith; classtype:targeted-activity; sid:2026788; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M4 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"REMOTE_ADDR="; depth:12; nocase; content:"&Sequence="; nocase; distance:0; content:"&fname="; nocase; distance:0; content:"&card="; nocase; distance:0; content:"&expm="; nocase; distance:0; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&pin="; nocase; distance:0; content:"&emailid="; nocase; distance:0; content:"&idpass="; nocase; distance:0; fast_pattern; content:"&alemail="; nocase; distance:0; content:"&ssn1="; nocase; distance:0; content:"&dlisence="; nocase; distance:0; classtype:credential-theft; sid:2032304; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 15"; dns.query; content:"akamaized.live"; nocase; endswith; classtype:targeted-activity; sid:2026789; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-11-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlineid="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; content:"&email"; nocase; classtype:credential-theft; sid:2031789; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 16"; dns.query; content:"trafficmanager.live"; nocase; endswith; classtype:targeted-activity; sid:2026790; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2015-10-02"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"accountstate="; nocase; depth:13; fast_pattern; content:"&onlineid="; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 17"; dns.query; content:"cloudfronts.services"; nocase; endswith; classtype:targeted-activity; sid:2026791; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aol.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017750; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 18"; dns.query; content:"hotmai1.com"; nocase; endswith; classtype:targeted-activity; sid:2026792; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AOL Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aoluser="; content:"aolpassword="; classtype:credential-theft; sid:2015910; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 19"; dns.query; content:"microsoftonline.services"; nocase; endswith; classtype:targeted-activity; sid:2026793; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gmail.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017752; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 20"; dns.query; content:"nsatc.agency"; nocase; endswith; classtype:targeted-activity; sid:2026794; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Gmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"gmailuser="; content:"gmailpassword="; classtype:credential-theft; sid:2015912; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 21"; dns.query; content:"phicdn.world"; nocase; endswith; classtype:targeted-activity; sid:2026795; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Hotmail Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hotmailuser="; content:"hotmailpassword="; classtype:credential-theft; sid:2015913; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 22"; dns.query; content:"t-msedge.world"; nocase; endswith; classtype:targeted-activity; sid:2026796; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/other.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 23"; dns.query; content:"akadns.live"; nocase; endswith; classtype:targeted-activity; sid:2026797; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Other Credentials Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"otheruser="; content:"otherpassword="; classtype:credential-theft; sid:2015914; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 24"; dns.query; content:"azureedge.today"; nocase; endswith; classtype:targeted-activity; sid:2026798; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 25 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:"Sign+In"; nocase; classtype:credential-theft; sid:2017751; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=memail.mea.com.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026800; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Nov 21 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"yahoouser="; content:"yahoopassword="; classtype:credential-theft; sid:2015911; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=webmail.finance.gov.lb"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026801; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M1 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Login.php?sslchannel="; depth:22; fast_pattern; content:"&sessionid="; distance:0; http.header; content:"/Login.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032280; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.apc.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026802; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M2 2016-03-29"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Verify.php?sslchannel="; depth:23; fast_pattern; content:"&sessionid="; distance:0; http.header; content:"/Login.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032281; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=mail.mgov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026803; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M3 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Checkcc.php?&sessionid="; depth:24; fast_pattern; content:"&securessl="; distance:0; http.header; content:"/Verify.php?sslchannel="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032282; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ColdRiver APT DNSpionage MITM)"; flow:from_server,established; tls.cert_subject; content:"CN=adpvpn.adpolice.gov.ae"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/; classtype:domain-c2; sid:2026804; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag ColdRiver, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Kit - Successful Credential Phish M4 2016-03-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/vbv.php?&sessionid="; depth:20; fast_pattern; content:"&securessl="; distance:0; http.header; content:"/Checkcc.php?&sessionid="; http.cookie; content:"PHPSESSID"; classtype:credential-theft; sid:2032283; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ServHelper RAT CnC Domain Observed in SNI"; flow:established,to_server; tls.sni; content:"arhidsfderm.pw"; endswith; nocase; reference:md5,43e7274b6d42aef8ceae298b67927aec; classtype:command-and-control; sid:2026768; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_13, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Yahoo Phish Jun 23 2015"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/yahoo.php"; fast_pattern; http.request_body; content:".tries="; nocase; depth:7; content:"&.challenge="; nocase; distance:0; classtype:credential-theft; sid:2021323; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Awad Bot CnC Domain (hawad .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hawad.000webhostapp.com"; endswith; reference:md5,5872fde3bf4b5a30a64837a35d1ec5fd; classtype:command-and-control; sid:2026799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family AwadBot, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Interac Phish Aug 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024599; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 25"; dns.query; content:"data-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026812; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-10-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"stateo="; depth:7; nocase; fast_pattern; content:"&passcode="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2031781; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 26"; dns.query; content:"asimov-win-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026813; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cc="; depth:3; nocase; content:"&ex="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&ssn="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032294; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 27"; dns.query; content:"iecvlist-microsoft.services"; nocase; endswith; classtype:targeted-activity; sid:2026814; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Scotland Phish M1 2015-11-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&frmLogin=frmLogin&submitToken="; nocase; content:"&target="; nocase; distance:0; content:"&hdn_mobile="; nocase; distance:0; content:"&dclinkjourid="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2031783; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DarkHydrus DNS Lookup 28"; dns.query; content:"onecs-live.services"; nocase; endswith; classtype:targeted-activity; sid:2026815; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DNS_tunneling, tag DarkHydrus, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banque Populaire (FR) Phish 2016-12-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"departement="; depth:12; nocase; fast_pattern; content:"&CCPTE="; nocase; distance:0; content:"&CCCRYC="; nocase; distance:0; content:"&SAMLResponse="; nocase; distance:0; classtype:credential-theft; sid:2032310; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cryptor Ransomware CnC Domain (e3kok4ekzalzapsf .onion .ws in TLS SNI)"; flow:established,to_server; tls.sni; content:"e3kok4ekzalzapsf.onion.ws"; endswith; reference:md5,4b6f0113007cddea4ad31237add23786; classtype:command-and-control; sid:2026806; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family CryptorRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cclast="; depth:7; nocase; fast_pattern; content:"&pinsentry1="; nocase; distance:0; content:"&pinsentry2="; nocase; distance:0; content:"&passcode="; nocase; distance:0; content:"&memorable="; nocase; distance:0; classtype:credential-theft; sid:2032295; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TrumpHead Ransomware CnC Domain (6bbsjnrzv2uvp7bp .onion .pet in TLS SNI)"; flow:established,to_server; tls.sni; content:"6bbsjnrzv2uvp7bp.onion.pet"; endswith; reference:md5,49fdb7e267c00249e736aad5258788d2; classtype:command-and-control; sid:2026807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family TrumpHeadRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M1 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"screenName="; depth:11; nocase; content:"&surname="; nocase; distance:0; content:"&membershipNumber="; nocase; distance:0; fast_pattern; content:"&accountNumber="; nocase; distance:0; classtype:credential-theft; sid:2032290; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. pet))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026808; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"address="; depth:8; nocase; content:"&address2="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&postcode="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&Year="; nocase; distance:0; content:"&mmn="; nocase; distance:0; content:"&b3d="; nocase; distance:0; content:"&tbp="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&expmonth="; nocase; distance:0; content:"&expyear="; nocase; distance:0; content:"&ccv="; nocase; distance:0; classtype:credential-theft; sid:2032296; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .pet)"; dns.query; content:".onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026809; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M2 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"car2="; depth:5; nocase; fast_pattern; content:"&pn1="; nocase; distance:0; content:"&pn2="; nocase; distance:0; content:"&p1n="; nocase; distance:0; classtype:credential-theft; sid:2032291; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .ws)"; dns.query; content:".onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026810; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Barclays Phish M3 2016-09-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"requestid="; depth:10; nocase; fast_pattern; content:"&tpin="; nocase; distance:0; content:"&exp="; nocase; distance:0; content:"&mmn="; nocase; distance:0; classtype:credential-theft; sid:2032292; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026811; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BBVA Compass Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale="; depth:7; nocase; fast_pattern; content:"&question1="; nocase; distance:0; content:"&answer1="; nocase; distance:0; content:"&emailadd="; distance:0; content:"&emailpass="; nocase; classtype:credential-theft; sid:2031765; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026816; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blackboard Account Phish 2015-10-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&login=Login"; nocase; distance:0; content:"&action=login"; nocase; distance:0; content:"&new_loc="; nocase; distance:0; classtype:credential-theft; sid:2031778; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PS/PowerRatankba CnC DNS Lookup"; dns.query; content:"bodyshoppechiropractic.com"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:command-and-control; sid:2026818; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, malware_family POWERRATANKBA, performance_impact Low, signature_severity Major, tag APT, tag Lazarus, tag PowerShell, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Blocked Email Account Phish M1 2016-08-23"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&Login=Submit+Now"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032288; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (POWERRATANKBA CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ecombox.store"; nocase; endswith; reference:url,www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties; classtype:domain-c2; sid:2026817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag Lazarus, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 22 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"xxx="; depth:4; nocase; content:"&yyy="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025027; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:domain-c2; sid:2026819; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 25 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"e="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=content-delivery.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:domain-c2; sid:2026820; rev:3; metadata:attack_target Client_and_Server, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Aug 31 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?"; content:"csrfmiddlewaretoken="; nocase; distance:0; content:"username="; nocase; content:"&password="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2024638; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"cdn-content.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026821; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M1 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"connect.sid"; file.data; content:"<title>Manage your Apple ID</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2024703; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MageCart CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"deliveryjs.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-magecart-attack-delivered-through-compromised-advertising-supply-chain/; classtype:command-and-control; sid:2026822; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_01_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M2 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"connect.sid"; file.data; content:"mainController as mainCtrl"; nocase; content:"mainCtrl.username"; nocase; distance:0; content:"mainCtrl.password"; nocase; distance:0; content:"mainCtrl.submitCreds"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2024704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (areadozemode .space in DNS Lookup)"; dns.query; content:"areadozemode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026828; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_01_22, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Anubis, signature_severity Critical, tag Android, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?country.x="; nocase; content:"&locale.x="; nocase; distance:0; http.request_body; content:"login_email="; depth:12; nocase; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031576; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (selectnew25mode .space in DNS Lookup)"; dns.query; content:"selectnew25mode.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026829; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 Sep 15 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zipCode="; nocase; distance:0; content:"&nameoncard="; nocase; distance:0; content:"&cardnumber="; nocase; distance:0; fast_pattern; content:"&c_type="; nocase; distance:0; content:"&c_valid="; nocase; distance:0; content:"&expdate="; nocase; distance:0; content:"&csc="; nocase; distance:0; classtype:credential-theft; sid:2031577; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (twethujsnu .cc in DNS Lookup)"; dns.query; content:"twethujsnu.cc"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026830; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sep 19 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"pass="; depth:5; nocase; fast_pattern; content:"&formimage1.x="; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2025028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (project2anub .xyz in DNS Lookup)"; dns.query; content:"project2anub.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026831; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL Phish 2015-10-09"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sitedomain="; depth:11; nocase; fast_pattern; content:"&loginId="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031779; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (taiprotectsq .xyz in DNS Lookup)"; dns.query; content:"taiprotectsq.xyz"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026832; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Dec 4 2015 M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hidCflag="; nocase; depth:9; fast_pattern; content:"&Email="; nocase; distance:0; content:"&Pass"; distance:0; nocase; content:"sign"; nocase; distance:0; classtype:credential-theft; sid:2022217; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (uwannaplaygame .space in DNS Lookup)"; dns.query; content:"uwannaplaygame.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026833; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Sep 28 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"number"; depth:6; nocase; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&number"; nocase; distance:0; content:"&FormsButton"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025029; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (projectpredator .space in DNS Lookup)"; dns.query; content:"projectpredator.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026834; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Banking Phish (BR) 2016-09-29"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agencia="; nocase; fast_pattern; content:"conta="; nocase; content:"digito="; nocase; classtype:credential-theft; sid:2032293; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (nihaobrazzzahit .top in DNS Lookup)"; dns.query; content:"nihaobrazzzahit.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026835; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"address="; depth:8; fast_pattern; content:"&driver="; distance:0; content:"&employer="; distance:0; content:"&submitBtn=Continue"; distance:0; classtype:credential-theft; sid:2031760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (aserogeege .space in DNS Lookup)"; dns.query; content:"aserogeege.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026836; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"sin1="; depth:5; fast_pattern; content:"&amount="; distance:0; content:"&name="; distance:0; content:"&submitBtn=Continue"; distance:0; classtype:credential-theft; sid:2031759; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (hdfuckedin18 .top in DNS Lookup)"; dns.query; content:"hdfuckedin18.top"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026837; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Canada Revenue Agency Phish 2016-08-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ccname="; depth:7; fast_pattern; content:"&cc="; nocase; distance:0; content:"&ccmm="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&sin1="; nocase; distance:0; content:"&atm="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"=Submit+Form"; nocase; distance:0; classtype:credential-theft; sid:2032289; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dingpsounda .space in DNS Lookup)"; dns.query; content:"dingpsounda.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026838; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Carribean International Bank Account Phish 2015-08-25"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"secq1="; depth:6; nocase; fast_pattern; content:"&ans1="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&email="; distance:0; nocase; classtype:credential-theft; sid:2031766; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wantddantiprot .space in DNS Lookup)"; dns.query; content:"wantddantiprot.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026839; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CenturyLink Phish 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.header; content:!"www.nwcable.net"; http.request_body; content:"domain="; depth:7; nocase; content:"&bounceto="; nocase; distance:0; content:"&submitted_data="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&email_domain="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032297; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (privateanbshouse .space in DNS Lookup)"; dns.query; content:"privateanbshouse.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026840; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-12-16"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hdnPrevSelectedRadio="; depth:21; nocase; content:"&hdnRHSLinkClicked="; nocase; distance:0; content:"&SESSION="; nocase; distance:0; content:"&__EVENTTARGET="; nocase; distance:0; content:"&__EVENTVALIDATION="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&epass="; nocase; distance:0; fast_pattern; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032311; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (seconddoxed .space in DNS Lookup)"; dns.query; content:"seconddoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026841; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-12-22"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&auth_userId="; nocase; fast_pattern; content:"&auth_passwd="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&branch_assist="; nocase; distance:0; classtype:credential-theft; sid:2031798; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (firstdoxed .space in DNS Lookup)"; dns.query; content:"firstdoxed.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026842; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M1 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__EVENTTARGET="; depth:14; nocase; content:"&auth_userId="; nocase; distance:0; fast_pattern; content:"&auth_passwd="; nocase; distance:0; content:"&auth_passwd_org="; nocase; distance:0; content:"&UserID="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032298; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (oauth3 .html5100 .com in DNS Lookup)"; dns.query; content:"oauth3.html5100.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026843; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"hdnPrevSelectedRadio="; depth:21; nocase; content:"&hdnRHSLinkClicked="; nocase; distance:0; fast_pattern; content:"&inptUserId"; nocase; distance:0; content:"&ip_header="; nocase; distance:0; content:"&BirthMonth="; nocase; distance:0; content:"&exp_mon="; nocase; distance:0; content:"&exp_year="; nocase; distance:0; content:"&ccv"; nocase; distance:0; classtype:credential-theft; sid:2032307; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (dosandiq .space in DNS Lookup)"; dns.query; content:"dosandiq.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026844; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish M2 2016-10-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"UserID="; depth:7; nocase; fast_pattern; content:"&Password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&NextButton="; nocase; distance:0; classtype:credential-theft; sid:2032299; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (protect4juls .space in DNS Lookup)"; dns.query; content:"protect4juls.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026845; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M1 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"agg="; depth:4; nocase; content:"&acc="; nocase; distance:0; content:"&ss"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024782; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (wijariief .space in DNS Lookup)"; dns.query; content:"wijariief.space"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026846; rev:4; metadata:created_at 2019_01_22, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M2 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"telefone="; depth:9; nocase; content:"&senha"; nocase; distance:0; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024783; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.d (scradm .in in DNS Lookup)"; dns.query; content:"scradm.in"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/; classtype:trojan-activity; sid:2026847; rev:4; metadata:created_at 2019_01_22, former_category MOBILE_MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco do Brasil Phish M3 Sep 29 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cvv="; depth:4; nocase; content:"&proceguir="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024784; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HOME_NET any (msg:"ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement"; flow:established,to_server; http.user_agent; content:"Microsoft|20|WinRM|20|Client"; depth:22; fast_pattern; endswith; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026850; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_23, deployment Internal, former_category USER_AGENTS, performance_impact Low, signature_severity Major, tag WinRM, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M1 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022497; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"nolkbacteria.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026855; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Phish M3 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Webmail|20 3a 3a 20|Verify"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"has been successfully verified"; nocase; distance:0; content:"Thank you for using our"; nocase; distance:0; content:"We will redirect you shortly"; nocase; distance:0; content:"Webmail Security Systems"; nocase; distance:0; classtype:credential-theft; sid:2032286; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"2searea0.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026856; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Webmail Phish M2 2016-06-22"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Webmail|20 3a 3a 20|Verify"; fast_pattern; nocase; content:"Online Webmail App"; nocase; distance:0; content:"Please Provide your phone number used in creation"; nocase; distance:0; content:"Phone Number"; nocase; distance:0; content:"Webmail Security Systems"; nocase; distance:0; classtype:credential-theft; sid:2032285; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"touristsila1.info"; endswith; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026857; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Apple Phishing M1 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Manage your Apple"; nocase; fast_pattern; content:"si-password"; nocase; distance:0; content:"si-remember-password"; nocase; distance:0; classtype:credential-theft; sid:2032279; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Donot Group/APT-C-35 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=.sessions4life.pw"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026859; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_28, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"em="; nocase; depth:3; fast_pattern; content:"&psw="; nocase; content:"&sub="; nocase; classtype:credential-theft; sid:2032284; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=driverconnectsearch.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,2bd9a6ea29182f5ec6acafe032fbeaab; classtype:domain-c2; sid:2026861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_29, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Online Phish 2015-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"feedback="; nocase; depth:9; fast_pattern; content:"&feedbacknow="; nocase; distance:0; classtype:credential-theft; sid:2031774; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Zepakab CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Seven DSert SHA2 CA"; nocase; endswith; tls.cert_issuer; content:"C=US, ST=Some-State, O=Seven Ltd, CN=Seven DSert SHA2 CA"; reference:url,blog.yoroi.company/research/sofacys-zepakab-downloader-spotted-in-the-wild/; classtype:domain-c2; sid:2026864; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_31, deployment Perimeter, former_category MALWARE, malware_family Zekapab, malware_family Zepakab, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-07-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; depth:6; content:"&pass"; nocase; distance:0; content:"&formimage1.x="; fast_pattern; nocase; distance:0; content:"&formimage1.y="; nocase; distance:0; classtype:credential-theft; sid:2032287; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Skypool Coin Mining Pool DNS Lookup"; dns.query; content:"skypool.org"; nocase; endswith; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UK Tax Phishing M2 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; fast_pattern; content:"&securessl="; distance:0; http.request_body; content:"username="; depth:9; nocase; content:"&password="; distance:0; nocase; reference:md5,8a14eb5764c7c9d01b2b64430933036d; classtype:credential-theft; sid:2032278; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=syn.browserstime.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful UK Tax Phishing M1 2016-02-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; fast_pattern; content:"&securessl="; distance:0; http.request_body; content:"form-data|3b 20|name=|22|email|22|"; content:"form-data|3b 20|name=|22|ccexp|22|"; nocase; distance:0; reference:md5,8a14eb5764c7c9d01b2b64430933036d; classtype:credential-theft; sid:2032277; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.webhop.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing M1 Mar 25 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Your session has timed out"; fast_pattern; nocase; content:"Click OK to sign in and continue"; nocase; distance:0; classtype:social-engineering; sid:2025694; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_27, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=office.windown-update.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026871; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M1 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cpf="; depth:4; nocase; fast_pattern; content:"&s6="; nocase; distance:0; classtype:credential-theft; sid:2024800; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=check.homeip.net"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026872; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Phish M2 Oct 04 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ag_ct="; depth:6; nocase; content:"&ct_ct="; nocase; distance:0; content:"&us_user="; nocase; distance:0; content:"&us_pant="; nocase; distance:0; fast_pattern; content:"&sender="; nocase; distance:0; content:"&btn_now="; nocase; distance:0; classtype:credential-theft; sid:2024802; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=e.browsersyn.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026873; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-12-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlineID1="; depth:10; nocase; content:"&passcode1="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=word.webhop.info"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026874; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish Outlook Credentials Oct 01 2015"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"outlookuser="; depth:12; nocase; fast_pattern; content:"outlookpassword="; nocase; distance:0; classtype:credential-theft; sid:2021890; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_10_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cortana.homelinux.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/; classtype:domain-c2; sid:2026875; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_01, deployment Perimeter, former_category MALWARE, malware_family KerrDown, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive/Dropbox Phish Nov 20 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mailtype="; depth:9; nocase; fast_pattern; content:"&Email"; distance:0; nocase; content:"&Passwd"; distance:0; nocase; classtype:credential-theft; sid:2022967; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL Google User-Agent (google/dance)"; flow:established,to_server; http.user_agent; content:"google/dance"; depth:14; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026883; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M1 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&forgotPassword="; nocase; distance:0; content:"&lat="; nocase; distance:0; content:"&userName="; nocase; distance:0; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2022978; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Peppy/KeeOIL Google Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"google/dance"; depth:12; fast_pattern; endswith; http.host; content:"www.google.com"; depth:14; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026884; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category TROJAN, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, tag Connectivity_Check, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of Oklahoma Phish M2 Jul 21 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"__RequestVerificationToken="; depth:27; content:"&bankId="; fast_pattern; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&q1="; nocase; distance:0; classtype:credential-theft; sid:2022979; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL User-Agent (ekeoil)"; flow:established,to_server; http.user_agent; content:"ekeoil/"; depth:7; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Suspended Account Phish M2 Aug 09 2016"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"holdername="; nocase; depth:11; fast_pattern; content:"&numcard"; nocase; distance:0; content:"&ccv"; nocase; distance:0; content:"&donnee"; nocase; distance:0; classtype:credential-theft; sid:2023043; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.icu domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".icu"; fast_pattern; endswith; classtype:bad-unknown; sid:2026887; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, tag Phishing, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Common /mpp/ Phishing URI Structure 2016-02-08"; flow:to_server,established; http.uri; content:"/mpp/"; fast_pattern; pcre:"/(?:\/mpp\/[0-9a-f]{32}\/|\/[0-9a-f]{32}\/mpp\/)/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:social-engineering; sid:2032370; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .icu Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".icu"; nocase; endswith; classtype:bad-unknown; sid:2026888; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful AirCanada Phish 2015-08-06"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"aircanada"; nocase; fast_pattern; classtype:credential-theft; sid:2031757; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.icu) in TLS SNI"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; tls.sni; content:".icu"; endswith; fast_pattern; nocase; classtype:bad-unknown; sid:2026889; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish Oct 10 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Password1="; depth:10; nocase; fast_pattern; classtype:credential-theft; sid:2025031; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Let's Encrypt Certificate for Suspicious TLD (.icu)"; flow:established,to_client; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"Let's Encrypt"; classtype:bad-unknown; sid:2026890; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"FNAME="; nocase; depth:6; fast_pattern; content:"&LNAME="; nocase; distance:0; content:"&Address="; nocase; distance:0; content:"&SSN="; nocase; distance:0; classtype:credential-theft; sid:2031772; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via iplocation.com"; flow:established,to_server; tls.sni; content:"iplocation.com"; endswith; nocase; classtype:external-ip-check; sid:2026892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_07, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=3d3d3d3d3d3d3d3d3d"; nocase; fast_pattern; distance:0; content:"5573657220496e666f"; nocase; distance:0; content:"557365724944"; distance:0; content:"50617373776f7264"; nocase; distance:0; classtype:credential-theft; sid:2031773; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CDC Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"NCDC-19-PoS"; depth:11; endswith; classtype:policy-violation; sid:2026893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_08, deployment Perimeter, former_category MALWARE, malware_family CDCRansomware, signature_severity Major, tag Ransomware, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Linkedin Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"isJsEnabled="; depth:12; nocase; content:"&source_app="; nocase; distance:0; content:"&tryCount="; nocase; distance:0; content:"pass"; nocase; distance:0; content:"&loginCsrfParam="; nocase; distance:0; fast_pattern; content:"&sourceAlias="; nocase; distance:0; classtype:credential-theft; sid:2032411; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/rpt"; pcre:"/\/rpt\d/"; http.user_agent; content:!"Mozilla"; depth:7; http.host; content:!".apple.com"; endswith; content:!".pandora.com"; endswith; content:!"microsoft.com"; endswith; reference:url,doc.emergingthreats.net/2008233; classtype:command-and-control; sid:2008233; rev:18; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"countrycode="; depth:12; fast_pattern; content:"&username="; nocase; distance:0; content:"&passwd="; nocase; distance:0; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2032400; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"whatismyipaddress.com"; endswith; classtype:external-ip-check; sid:2026896; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M1 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.request_body; content:"pass1="; depth:6; fast_pattern; nocase; content:"&pass2="; nocase; distance:0; content:"&email="; nocase; distance:0; classtype:credential-theft; sid:2032382; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY IP Logger Redirect Domain in SNI"; flow:to_server,established; tls.sni; content:"maper.info"; endswith; classtype:policy-violation; sid:2026897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M2 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"Password Reset"; nocase; distance:0; content:"<meta http-equiv="; nocase; content:"REFRESH"; nocase; distance:1; within:7; content:"loader.gif"; distance:0; classtype:credential-theft; sid:2032383; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SomeTimes)"; flow:established,to_server; http.user_agent; content:"SomeTimes"; depth:9; endswith; fast_pattern; reference:md5,a86d4e17389a37bfc291f4a8da51a9b8; classtype:trojan-activity; sid:2026898; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Mailbox Shutdown Phish M3 2016-05-16"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Mail Settings"; nocase; fast_pattern; content:"Password Reset"; nocase; distance:0; content:"<meta http-equiv="; nocase; content:"REFRESH"; nocase; distance:1; within:7; content:"Your account is safe"; distance:0; classtype:credential-theft; sid:2032384; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.CO Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.co"; endswith; classtype:credential-theft; sid:2026894; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2015-09-24"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"IDUser="; nocase; depth:7; fast_pattern; content:"&Passcode="; nocase; distance:0; content:"&Token="; nocase; distance:0; classtype:credential-theft; sid:2031771; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.BR Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.br"; endswith; classtype:credential-theft; sid:2026895; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing CSS 2015-12-01"; flow:established,to_client; http.content_type; content:"text/css"; startswith; file.data; content:"|2e|Anonisma"; fast_pattern; nocase; classtype:social-engineering; sid:2031791; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE BrushaLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"traderserviceinfo.info"; endswith; classtype:command-and-control; sid:2026900; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_12, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Anonisma Phishing CSS 2015-12-29"; flow:established,from_server; http.content_type; content:"text/css"; startswith; file.data; content:".ANON-000-ISMA"; nocase; fast_pattern; classtype:social-engineering; sid:2031800; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Astaroth User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 20|SLCC1)"; depth:57; endswith; reference:md5,589d2d33825a0329f61406f0af709469; reference:url,www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research; classtype:trojan-activity; sid:2026906; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Astaroth, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M1 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&sms"; nocase; distance:0; classtype:credential-theft; sid:2024838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cayosin/Mirai CnC Domain in DNS Lookup"; dns.query; content:"hostnamepxssy.club"; nocase; endswith; reference:url,perchsecurity.com/perch-news/threat-report-sunday-february-3rd-2019/; classtype:command-and-control; sid:2026915; rev:3; metadata:created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Ziraat Bankasi (TK) Phish M2 Oct 12 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rdLng="; nocase; fast_pattern; content:"&tc="; nocase; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2024839; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Punto Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/klog.php"; endswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; http.accept; content:"text|2f|html|3b|q=0|2e|7|2c 20 2a 2f 2a 3b|q=1"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026945; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_19, deployment Perimeter, former_category MALWARE, malware_family Punto, performance_impact Low, signature_severity Major, tag Loader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-05-26"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<META HTTP-EQUIV="; nocase; content:"Refresh"; distance:1; nocase; content:"wellsfargo.com"; nocase; content:"Authenticating Account"; fast_pattern; nocase; distance:0; content:"information submitted successfully"; nocase; distance:0; classtype:credential-theft; sid:2032385; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FBot Downloader Generic GET for ARM Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fbot.arm"; depth:9; fast_pattern; content:".u"; endswith; pcre:"/^\/fbot\.arm\d{1}\.u$/i"; http.protocol; content:"HTTP/1.0"; reference:url,blog.netlab.360.com/the-new-developments-of-the-fbot-en/; classtype:trojan-activity; sid:2026951; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_21, deployment Perimeter, former_category TROJAN, malware_family Fbot, performance_impact Low, signature_severity Major, tag Downloader, tag DDoS, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Windows Settings Phishing Landing Jul 22 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:social-engineering; sid:2024098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"cheapairlinediscount.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026953; rev:3; metadata:created_at 2019_02_21, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Am3Refh Obfuscated Phishing Landing 2016-02-23"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Am3Refh.Com -->"; nocase; fast_pattern; content:"document.write"; nocase; distance:0; classtype:social-engineering; sid:2032371; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"emailerservo.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026954; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Shipping Document Phishing Landing 2016-06-23"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>SHIPPING DOCUMENT"; nocase; fast_pattern; content:"Login Your Email To View Bill"; nocase; distance:0; content:"Lading and Invoice Document"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"<!-- Payment form -->"; nocase; distance:0; classtype:social-engineering; sid:2032395; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"fazadminmessae.info"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026955; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing 2016-03-10"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Send &amp|3b 20|Receive"; fast_pattern; nocase; content:"Adobe SendNow"; nocase; distance:0; content:"Click to Select Provider"; nocase; distance:0; content:"value=|22|gmail"; nocase; distance:0; classtype:social-engineering; sid:2032373; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"housecleaning.press"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026956; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Online Document Phishing Landing 2016-05-02"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe Online"; fast_pattern; nocase; content:"form method="; nocase; distance:0; content:"post"; nocase; distance:1; content:"someone@example.com"; nocase; distance:0; reference:md5,29e993483411a58d51b9032676a623a2; classtype:social-engineering; sid:2032381; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"hrent.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026957; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Cloud Phishing Landing 2016-06-02"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Adobe File"; fast_pattern; nocase; content:"require sign in with your receiving email"; nocase; distance:0; content:"Adobe Document Cloud"; nocase; distance:0; classtype:social-engineering; sid:2032386; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"irepare.site"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026958; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phishing 2015-11-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; nocase; depth:6; content:"&password="; nocase; distance:0; content:"&ip_address="; nocase; distance:0; fast_pattern; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:credential-theft; sid:2031788; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"macmall.fun"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026959; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M1 Oct 01 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"reason="; nocase; depth:7; fast_pattern; content:"Access_ID="; nocase; distance:0; content:"Current_Passcode="; nocase; distance:0; classtype:credential-theft; sid:2015909; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_11_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"managerdriver.website"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026960; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic POST to myform.php Feb 01 2013"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/myform.php"; classtype:credential-theft; sid:2016327; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mantorsagcoloms.club"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026961; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fname="; content:"lname="; content:"hnum="; content:"snam="; classtype:credential-theft; sid:2018305; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mediaaplayer.win"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026962; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Chase/Bank of America Phishing Landing Uri Structure Nov 27 2012"; flow:established,to_server; http.uri; content:"/Logon.php?LOB=RBG"; content:"&_pageLabel=page_"; classtype:social-engineering; sid:2015938; rev:4; metadata:created_at 2012_11_27, former_category PHISHING, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"mobileshoper.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026963; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 30 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_email="; content:"login_password="; content:"target_page="; classtype:credential-theft; sid:2015972; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_11_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"ppservice.stream"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026964; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Dec 19 2012"; flow:established,to_server; http.request_body; content:"login_email="; content:"login_password="; content:"browser_version="; content:"operating_system="; fast_pattern; classtype:credential-theft; sid:2016063; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"searchidriverip.space"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026965; rev:3; metadata:created_at 2019_02_21, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful iTunes Phish Mar 21 2014"; flow:established,to_server; http.request_body; content:"theAccountName="; content:"theAccountPW="; classtype:credential-theft; sid:2018304; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemai.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026966; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful AOL/PayPal Phish Nov 24 2014"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"1="; content:"2="; content:"submit.x=Login"; classtype:credential-theft; sid:2019781; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servemaining.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026967; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish Oct 10 2017"; flow:to_server,established; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"expm="; nocase; content:"&expy="; nocase; distance:0; content:"&cvv="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025030; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026968; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Jan 23 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"locale.x="; nocase; content:"&processSignin="; nocase; distance:0; fast_pattern; content:"email="; nocase; distance:0; content:"password="; nocase; distance:0; content:"&btnLogin="; nocase; distance:0; classtype:credential-theft; sid:2023760; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serveselitmailer.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026969; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Revalidation Phish Landing Nov 13 2015"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Revalidation</title>"; fast_pattern; nocase; content:"function MM_findObj"; nocase; distance:0; content:"function MM_validateForm"; nocase; distance:0; content:"REVALIDATION"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:social-engineering; sid:2022086; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailelit.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026970; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M2 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"fName="; depth:6; nocase; content:"&lName="; nocase; distance:0; content:"&ZIPCode="; nocase; distance:0; classtype:credential-theft; sid:2022498; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerpro.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026971; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish M3 Feb 06 2016"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?token|3b|"; fast_pattern; http.request_body; content:"ccNum="; depth:6; nocase; content:"&NameOnCard="; nocase; distance:0; content:"&CVV="; nocase; distance:0; classtype:credential-theft; sid:2022499; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servesmailerprogres.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026972; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Suspended Account Phishing Landing Aug 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Log in to my account"; nocase; fast_pattern; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:social-engineering; sid:2023044; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servespromail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026973; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Excel Online Phishing Landing Aug 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; classtype:social-engineering; sid:2023045; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servicemaile.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026974; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; nocase; content:"pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024554; rev:8; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"serviveemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026975; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"&address"; nocase; fast_pattern; content:"&cc"; nocase; content:"&cvv"; nocase; distance:0; content:"&ssn"; nocase; distance:0; classtype:credential-theft; sid:2024556; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servoemail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026976; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jun 8 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&email="; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024557; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"servomail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026977; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Jul 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email"; fast_pattern; nocase; content:"pwd"; nocase; distance:0; classtype:credential-theft; sid:2024558; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_07_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"progresservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026978; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Sept 02 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; fast_pattern; nocase; content:"pwd="; nocase; distance:0; classtype:credential-theft; sid:2024561; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmail.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026979; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 13 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"jar"; nocase; depth:3; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&jar"; nocase; distance:0; content:"&login="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024562; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BrushaLoader CnC DNS Lookup"; dns.query; content:"proservesmailing.science"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/02/combing-through-brushaloader.html; classtype:command-and-control; sid:2026980; rev:3; metadata:created_at 2019_02_22, former_category MALWARE, malware_family BrushaLoader, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 25 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"u="; depth:2; nocase; content:"&p="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024563; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BabyShark CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"fmchr.in"; endswith; reference:url,unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/; classtype:command-and-control; sid:2026981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_25, deployment Perimeter, former_category MALWARE, malware_family BabyShark, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formtext"; nocase; content:"&formtext"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024564; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nuuo NVR RCE Attempt (CVE-2018-15716)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_handle.php?cmd=getupgradinginfo"; fast_pattern; endswith; classtype:attempted-admin; sid:2026982; rev:3; metadata:created_at 2019_02_26, cve 2018_15716, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Docusign Phish 2015-07-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; depth:6; fast_pattern; content:"&Password="; distance:0; content:"&EmailLinkId="; distance:0; content:"RedirectUrl="; distance:0; classtype:credential-theft; sid:2031749; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"aroundtheworld123.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026983; rev:4; metadata:created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Phish Fake Document Loading Error 2015-07-27"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"|2f 2f|configure destination URL"; nocase; content:"VERIFYING LOGIN"; fast_pattern; nocase; content:"LOGIN ACCEPTED"; nocase; distance:0; content:"|2f 2f|Do not edit below this line"; nocase; classtype:credential-theft; sid:2031750; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_07_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup/Patchwork CnC DNS Lookup"; dns.query; content:"frameworksupport.net"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/; classtype:command-and-control; sid:2026984; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phish 2015-07-30"; flow:to_server,established; http.method; content:"POST"; http.header; content:"apple.com"; nocase; http.request_body; content:"user="; depth:5; nocase; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031754; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dittm.org"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:domain-c2; sid:2026997; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2015-07-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"password="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2031756; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 11 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=google-analytics.is"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/ba8f6e93-3815-f047-d2e7-0d9e39303c50; classtype:domain-c2; sid:2026998; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Credential Phish 2015-08-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?rand="; content:"&email="; http.request_body; content:"email="; nocase; depth:6; fast_pattern; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2031758; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=whoama.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2026999; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Renew Phish 2015-08-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Email="; nocase; depth:6; content:"&emailpassword="; nocase; distance:0; fast_pattern; content:"&submit=Submit"; nocase; distance:0; classtype:credential-theft; sid:2031813; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdnnote.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027000; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (FR) Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; content:"&mdp="; nocase; distance:0; content:"&toppl="; nocase; distance:0; fast_pattern; content:"Paypal"; nocase; distance:0; classtype:credential-theft; sid:2024847; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=checkfreedom.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027001; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-17"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"rememberMeStatus="; depth:17; fast_pattern; content:"&userId="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031832; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=connectionstatistics.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027002; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-09-30"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"usernms="; nocase; depth:8; content:"&pswds="; nocase; distance:0; classtype:credential-theft; sid:2031834; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conveeir.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027003; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2015-11-14"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&uidPasswordLogon="; nocase; distance:0; content:"&DownTimeMessage="; nocase; distance:0; classtype:credential-theft; sid:2031856; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryers.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027004; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"email="; depth:6; content:"&password="; fast_pattern; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032399; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=countryflagonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027005; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>DHL"; nocase; fast_pattern; content:"Dowloading"; nocase; content:"Click OK to continue"; nocase; distance:0; content:"Beginning of IP Script"; nocase; distance:0; classtype:social-engineering; sid:2032363; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=crowlock.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027006; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OX App Suite Phish 2017-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"location="; depth:9; nocase; content:"&loginpage="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&signin="; nocase; distance:0; classtype:credential-theft; sid:2029663; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=i-checkme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027007; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish 2015-11-06"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"id="; offset:4; depth:3; nocase; content:"&codepass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031855; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magedefacto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027008; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Oct 26 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"lg="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025032; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mageenergy.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027009; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple ID Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"action=SIGNIN"; http.request_body; content:"email="; depth:6; fast_pattern; content:"&password="; distance:0; content:"&oemail="; distance:0; classtype:credential-theft; sid:2031814; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mnewage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027010; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Account Phish 2015-08-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"destination="; depth:12; fast_pattern; content:"&user"; distance:0; content:"&pass"; distance:0; content:"&screenid="; distance:0; content:"&origination="; distance:0; classtype:credential-theft; sid:2031815; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=my-that.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027011; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Account Phish M3 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"NameonCards="; depth:12; fast_pattern; content:"&Cardanumber="; distance:0; content:"&CVV"; distance:0; content:"&Expiredate"; distance:0; classtype:credential-theft; sid:2031817; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=phatem.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Horde Webmail Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"Horde="; nocase; fast_pattern; content:"&actionID"; nocase; distance:0; content:"&imapuser"; nocase; distance:0; content:"&pass="; distance:0; content:"&loginButton="; nocase; classtype:credential-theft; sid:2031821; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=s1all.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027013; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Woodforest Bank Phish M1 2015-08-31"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"X-ForwardTo="; depth:12; fast_pattern; content:"&principal="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031823; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=scripteco.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027014; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2016-07-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"loginNow="; fast_pattern; nocase; depth:9; content:"&loginSalt="; nocase; distance:0; content:"&userStrId="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2032401; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=secureqbrowser.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027015; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Oct 30 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; fast_pattern; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; classtype:credential-theft; sid:2025033; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=security-mage.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027016; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Free.fr Phish 2016-03-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?get="; fast_pattern; http.request_body; content:"comid="; nocase; depth:6; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sysproperties.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027017; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Microsoft Hosted Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server|3a 20|Windows-Azure-Web/"; file.data; content:".php|22 20|method=|22|post|22|"; fast_pattern; classtype:social-engineering; sid:2030681; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_13, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=teflag.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027018; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Raiffeisen Phishing Domain Nov 03 2017"; dns.query; content:"banking.raiffeisen.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024943; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=topstatshop.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027019; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Sparkasse Phishing Domain Nov 03 2017"; dns.query; content:"netbanking.sparkasse.at."; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024944; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=usvalidly.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027020; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Raiffeisen Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"banking.raiffeisen.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=validlyglobal.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027021; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"netbanking.sparkasse.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024948; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=youlikedme.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027022; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 09 2016"; flow:to_client,established; http.stat_code; content:"302"; http.header; content:"|0d 0a|location|3a 20|"; fast_pattern; pcre:"/^[a-f0-9]{32}\??\x0d\x0a/Ri"; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2025006; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 4 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=zstatonline.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,community.riskiq.com/projects/67ba07d8-49e0-3239-80d0-668b3c096240; classtype:domain-c2; sid:2027023; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2019_02_28, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Browser Plugin Detect - Observed in Apple Phishing"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/ping.html"; http.header; content:".html?appIdKey="; http.request_body; content:"data=eyJwbHVnaW4i"; depth:17; fast_pattern; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; classtype:bad-unknown; sid:2024978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_08, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Address Lookup DNS Query (2ip .ua)"; dns.query; content:"2ip.ua"; nocase; endswith; reference:md5,81bfa5fe9d0147c8df47a51a1cd4b7c4; classtype:external-ip-check; sid:2027026; rev:3; metadata:created_at 2019_03_04, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish - Observed in Apple/Bank of America/Amazon 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?&sessionid="; nocase; content:"&securessl="; nocase; distance:0; http.header; content:".php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2032406; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup/Patchwork CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=car.drivethrough.top"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2026827; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_21, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, tag APT_C_35, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Nov 09 2017 (set)"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025034; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M1"; flow:established,to_server; http.user_agent; content:"Cayosin/2.0"; depth:11; fast_pattern; endswith; classtype:trojan-activity; sid:2026876; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Telstra Phish M1 2015-09-05"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"goto="; depth:5; nocase; fast_pattern; content:"&encoded="; nocase; distance:0; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031828; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cayosin Botnet User-Agent Observed M2"; flow:established,to_server; http.user_agent; content:"Cock/2.0"; depth:8; fast_pattern; endswith; classtype:trojan-activity; sid:2026877; rev:5; metadata:affected_product Linux, attack_target Server, created_at 2019_02_04, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, malware_family Cayosin, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Commonwealth Bank Phish 2015-08-20"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fname="; depth:6; content:"&dob1="; distance:0; content:"&ccnum="; distance:0; content:"&submit1.x="; fast_pattern; distance:0; classtype:credential-theft; sid:2031816; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Py/MechaFlounder CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"|2f|"; depth:1; content:"--"; content:"|5c|"; content:"-service.html"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Python, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish M1 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&prenom="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass"; distance:0; content:"&adress"; distance:0; nocase; fast_pattern; content:"&adress"; distance:0; nocase; classtype:credential-theft; sid:2031818; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win10-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027054; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Impots.gouv.fr Phish M2 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"nom="; depth:4; nocase; content:"&postale="; nocase; distance:0; content:"&passtess="; nocase; distance:0; content:"&ccnum="; distance:0; nocase; fast_pattern; classtype:credential-theft; sid:2031819; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC DNS Query"; dns.query; content:"win7-update.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/; classtype:command-and-control; sid:2027055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family MechaFlounder, performance_impact Low, signature_severity Major, tag APT, tag Chafer, tag Python, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Account Phish 2015-08-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/submit"; pcre:"/\/submit$/"; http.request_body; content:"form-data|3b 20|name=|22|todo|22|"; nocase; fast_pattern; content:"|0d 0a|submit|0d 0a|"; nocase; distance:0; content:"form-data|3b 20|name=|22|Email|22|"; nocase; distance:0; content:"form-data|3b 20|name=|22|Text field"; distance:0; nocase; http.content_type; content:"multipart/form-data|3b 20|boundary=-------"; startswith; classtype:credential-theft; sid:2031820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder CnC DNS Query"; dns.query; content:"cdn-load.net"; nocase; endswith; reference:url,s.tencent.com/research/report/659.html; classtype:command-and-control; sid:2027056; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag Sidewinder, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2015-08-27"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"charset_test="; depth:13; fast_pattern; content:"&email="; distance:0; content:"&pass="; nocase; distance:0; content:"&charset_test="; distance:0; nocase; classtype:credential-theft; sid:2031822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FIN6 StealerOne CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"contactlistsagregator.com"; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027058; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M1 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"usr"; nocase; depth:3; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032377; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN6 StealerOne CnC DNS Query"; dns.query; content:"akamaitechnologies.kz"; nocase; endswith; reference:url,usa.visa.com/content/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf; classtype:command-and-control; sid:2027059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family StealerOne, performance_impact Low, signature_severity Major, tag FIN6, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M2 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"user"; nocase; depth:4; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032378; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getInfoAfterInstall"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M3 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"email"; nocase; depth:5; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2032379; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/SkidRat CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/applyingpoliciesrules"; fast_pattern; endswith; http.user_agent; content:"Firef0x"; http.header_names; content:!"Referer"; reference:url,www.dodgethissecurity.com/2019/02/28/reverse-engineering-an-unknown-rat-lets-call-it-skidrat-1-0/; classtype:command-and-control; sid:2027061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category MALWARE, malware_family SkidRat, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains M5 2016-04-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"email"; nocase; fast_pattern; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2032380; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 JEShell CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=stream.playnetflix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027068; rev:3; metadata:affected_product Java, attack_target Client_and_Server, created_at 2019_03_07, deployment Perimeter, former_category MALWARE, malware_family JEShell, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to Hostinger Domains Apr 4 M4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.host; pcre:"/(?:(?:esy|hol)\.es|(?:890m|16mb)\.com|pe\.hu)$/"; http.request_body; content:"username"; nocase; fast_pattern; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2025000; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_04_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; http.host; content:".su"; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014170; rev:6; metadata:created_at 2012_01_31, former_category POLICY, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to ukit domain - Possible Phishing M2 2016-06-29"; flow:to_server,established; urilen:19; http.method; content:"POST"; http.uri; content:"/api/feedBack/check"; fast_pattern; http.host; pcre:"/(?:udo\.photo|ulcraft\.com|biennale\.info|topstyle\.me|urest\.org|ukit\.me)$/"; classtype:trojan-activity; sid:2032398; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Wget Request for Executable"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; nocase; http.user_agent; content:"Wget/"; depth:5; fast_pattern; classtype:bad-unknown; sid:2027076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_12, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Data Submitted to ukit domain - Possible Phishing M1 2016-06-29"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/api/feedBack"; fast_pattern; http.host; pcre:"/(?:udo\.photo|ulcraft\.com|biennale\.info|topstyle\.me|urest\.org|ukit\.me)$/"; classtype:trojan-activity; sid:2032397; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE iOS/Bahamut DNS Lookup 13"; dns.query; content:"32player.com"; depth:12; nocase; endswith; reference:url,blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html; classtype:trojan-activity; sid:2025903; rev:5; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2018_07_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family iOS_Bahamut, signature_severity Critical, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2024835; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|1|2f|0|2f|0"; endswith; pcre:"/^\/[A-F0-9]{30,60}\/1\/0\/0$/"; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027077; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain (IT) Oct 10 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.it"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2024834; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Retadup Success Response from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|donnn|3a 3a|"; depth:9; endswith; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"craigslist.org"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023880; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PirateMatryoshka CnC DNS Query"; dns.query; content:"mobilekey.pw"; nocase; endswith; reference:url,securelist.com/piratebay-malware/89740/; classtype:command-and-control; sid:2027080; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023829; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ciscoupdt.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/ddb59d8cc93688bbf4925c7d27462b70e53225cb/; classtype:domain-c2; sid:2027082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023828; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Dorv InfoStealer CnC DNS Query"; dns.query; content:"googleservice-info.ru"; nocase; endswith; reference:md5,888864c2ea27babf978d5feda40b3b2f; reference:url,twitter.com/wdsecurity/status/1105992405629583362; classtype:command-and-control; sid:2027088; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Win32_Dorv, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023827; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rdfs.cgi"; depth:17; endswith; fast_pattern; http.request_body; content:"Client="; depth:7; content:"|3b|"; distance:0; content:"&Download="; distance:0; classtype:attempted-admin; sid:2027090; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023826; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"&src=|2e 2e 2f 2e 2e 2f 2e 2e 2f|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/cgi-bin/login.cgi"; depth:18; endswith; classtype:attempted-user; sid:2027091; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"drive.google.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023825; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"&ping_IPAddr="; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6077; classtype:attempted-user; sid:2027093; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023824; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnslookup.cgi"; depth:14; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"host_name="; depth:10; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:3; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023823; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/debug.cgi"; depth:10; endswith; http.request_body; content:"data1=|3b|"; depth:7; fast_pattern; content:"&command="; distance:0; reference:url,seclists.org/bugtraq/2010/Jun/93; classtype:attempted-user; sid:2027095; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023822; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=poladidlei.website"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/008d33ce2e5d3583d8ebb115f72b250975757018/; classtype:domain-c2; sid:2027086; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023821; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PlugX Common Header Struct"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a 20|61456|0d 0a|"; fast_pattern; http.user_agent; content:!"Dickson/"; depth:8; http.host; content:!".googleapis.com"; endswith; http.content_len; content:!"61456"; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:9; metadata:created_at 2014_03_06, former_category TROJAN, updated_at 2020_09_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023820; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request to Dotted Quad"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.ip.request; flowbits:noalert; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"UA-CPU"; content:!"Cookie"; content:!"Referer"; content:!"Accept-Language"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; classtype:misc-activity; sid:2022054; rev:6; metadata:created_at 2015_11_10, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.header; content:!"autodiscover"; http.host; content:"discover.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023819; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowHammer DNS Lookup"; dns.query; content:"asushotfix.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027109; rev:3; metadata:created_at 2019_03_25, former_category TROJAN, malware_family ShadowHammer, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"POST"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2023776; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"simplexoj.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027111; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"ebay.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023775; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible ShadowHammer DNS Lookup"; dns.query; content:"homeabcd.com"; nocase; endswith; reference:url,motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers; classtype:trojan-activity; sid:2027110; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category TROJAN, malware_family ShadowHammer, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish 2016-12-23"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:"postepay"; fast_pattern; classtype:credential-theft; sid:2032416; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ShadowHammer CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asushotfix.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,securelist.com/operation-shadowhammer/89992/; classtype:domain-c2; sid:2027116; rev:3; metadata:attack_target Client_and_Server, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag ShadowHammer, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"linkedin.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JasperLoader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?b="; content:"&v="; distance:0; content:"&psver="; distance:0; fast_pattern; isdataat:!2,relative; http.connection; content:"Keep-Alive"; depth:10; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept"; classtype:command-and-control; sid:2027100; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_03_19, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Cartasi Phishing Domain Nov 08 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"cartasi"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023495; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_09, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUA Related User-Agent (WINTERNET)"; flow:established,to_server; http.user_agent; content:"WINTERNET"; depth:9; endswith; fast_pattern; reference:md5,feeb9efd6b724d772768cd89d3c30380; classtype:pup-activity; sid:2027141; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_29, former_category USER_AGENTS, tag User_Agent, tag PUA, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.host; content:"drive.google.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023092; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Mozilla 6.0)"; flow:established,to_server; http.user_agent; content:"Mozilla 6.0"; depth:11; endswith; classtype:bad-unknown; sid:2027142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_01, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"bankofamerica.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2023066; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kribat-A Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"Command"; depth:7; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,78184ca66e1774598b96188f977f0687; classtype:trojan-activity; sid:2027024; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon.com Phish M1 2016-06-27"; flow:to_server,established; http.method; content:"POST"; http.host; content:"amazon.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032396; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Password Submitted to *.000webhostapp.com"; flow:established,to_server; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.request_body; content:"password="; nocase; classtype:credential-theft; sid:2027146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032393; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Request for Payload (TA505 Related)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".tmp"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.start; content:".tmp|20|HTTP/1."; fast_pattern; content:"|0d 0a|Host|3a 20|"; distance:1; within:8; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:25; classtype:trojan-activity; sid:2027143; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful USAA Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032392; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK/BKDR_HTV.ZKGD-A CnC Checkin"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&string="; depth:8; fast_pattern; pcre:"/^[A-F0-9]+$/R"; http.content_type; content:"|20|Charset=UTF-8"; endswith; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.co.jp/archives/19054; classtype:command-and-control; sid:2027155; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category MALWARE, malware_family BKDR_HTV_ZKGD_A, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gozi CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pedraz12ziniphoto.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/16e06a88dbb10c75077780d4baed6d0b2733f985/; classtype:domain-c2; sid:2027157; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_05, deployment Perimeter, former_category MALWARE, malware_family Gozi, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:credential-theft; sid:2032390; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ga"; nocase; endswith; classtype:trojan-activity; sid:2027158; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain 2016-06-14"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"itunes.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032389; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_14, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.gq"; nocase; endswith; classtype:trojan-activity; sid:2027159; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible HMRC Phishing Domain 2016-06-08"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"online.hmrc.gov.uk"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032387; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"aviema.ml"; nocase; endswith; classtype:trojan-activity; sid:2027160; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Paypal Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"paypal.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022618; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.gq"; nocase; endswith; classtype:trojan-activity; sid:2027161; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible USAA Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"usaa.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022617; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"daitalh.ml"; nocase; endswith; classtype:trojan-activity; sid:2027162; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Apple Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"apple.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022616; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.cf"; nocase; endswith; classtype:trojan-activity; sid:2027163; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Chase Phishing Domain Mar 14 2016"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"chase.com"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2022615; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.ml"; nocase; endswith; classtype:trojan-activity; sid:2027164; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Formbuddy Credential Phish Submission 2016-01-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:"www.formbuddy.com"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&reqd="; nocase; distance:0; content:"&Password="; nocase; distance:0; classtype:credential-theft; sid:2032364; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"eparb.tk"; nocase; endswith; classtype:trojan-activity; sid:2027165; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M2 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; http.content_type; content:"text/html"; startswith; file.data; content:"Aes.Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:credential-theft; sid:2024998; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Malicious Domain Observed Serving Various Phish Campaigns"; dns.query; content:"paltyr.tk"; nocase; endswith; classtype:trojan-activity; sid:2027166; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; within:50; classtype:social-engineering; sid:2023557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (DonotGroup Android CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=justin.drinkeatgood.space"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027195; rev:3; metadata:affected_product Android, attack_target Client_and_Server, created_at 2019_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish M2 2016-10-27"; flow:from_server,established; flowbits:isset,ET.genericphish; file_data; content:"<script language=javascript>"; nocase; within:100; content:"window.location"; nocase; fast_pattern; within:200; classtype:credential-theft; sid:2032408; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check myexternalip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"myexternalip.com"; depth:16; endswith; classtype:external-ip-check; sid:2019980; rev:6; metadata:created_at 2014_12_20, former_category POLICY, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Credit Mutuel de Bretagne (FR) Phishing Landing 2018-02-26"; flow:established,to_client; file_data; content:"<title"; nocase; content:"Cr|c3 a9|dit Mutuel de Bretagne"; nocase; within:40; fast_pattern; content:"<form method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025395; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-04-12"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ur="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027196; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Docusign Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"<title>"; nocase; content:"DocuSlgn"; nocase; within:10; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025476; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Badoo Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Sign in to Badoo</title>"; fast_pattern; content:"<label for=|22|emaill"; distance:0; pcre:"/^\d{5,20}\x22/QR"; content:"<label for=|22|password"; pcre:"/^\d{5,20}\x22/QR"; content:">Password</label>"; within:40; content:">Sign me in!</span>"; distance:0; classtype:social-engineering; sid:2025870; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2020_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns.query; content:"tiny.cc"; nocase; endswith; classtype:trojan-activity; sid:2027199; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING GitLab Phishing Landing 2018-07-19"; flow:established,from_server; file_data; content:"<title>Sign in|20 c2 b7 20|GitLab</title>"; fast_pattern; content:"|20|action=|22|login.php|22 20|"; distance:0; content:"|20|name=|22|username|22 20|"; distance:0; content:"type=|22|password|22|"; distance:0; content:"|20|name=|22|password|22 20|"; within:17; classtype:social-engineering; sid:2025871; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, tag Phish, updated_at 2020_08_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc)"; flow:from_server,established; tls.cert_subject; content:"CN=tiny.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2027200; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Compound Refresh - Possible Phishing Redirect 2016-06-09"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta HTTP-Equiv="; nocase; content:"refresh"; nocase; distance:1; within:8; content:"content="; nocase; distance:0; content:"URL="; nocase; within:10; content:"text/javascript"; nocase; distance:0; content:"self.location.replace"; fast_pattern; nocase; distance:0; content:"window.location"; nocase; within:30; classtype:social-engineering; sid:2032388; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (time-loss .dns05 .com)"; dns.query; content:"time-loss.dns05.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-03-17"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:30; content:"URL=data|3a|text/html|3b|base64,"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2027899; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky/Gaza Cybergang Group1 CnC Domain in DNS Lookup (dji-msi .2waky .com)"; dns.query; content:"dji-msi.2waky.com"; nocase; endswith; reference:url,securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/; classtype:command-and-control; sid:2027209; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_16, former_category MALWARE, tag DustySky, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Office 365 Phishing Landing 2016-08-24"; flow:established,from_server; threshold:type limit, track by_src, count 1, seconds 30; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name=|22|SiteID|22 20|content=|22 22|"; nocase; content:"<meta name=|22|ReqLC|22 20|content=|22|1033|22|"; fast_pattern; nocase; distance:0; content:"<meta name=|22|LocLC|22 20|content="; nocase; distance:0; content:"microsoftonline-p.com"; nocase; distance:0; content:"id=|22|credentials|22|"; nocase; distance:0; content:!"action=|22|/common/login|22|"; nocase; within:50; classtype:social-engineering; sid:2025673; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drivethrough .top)"; dns.query; content:"drivethrough.top"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027217; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish - JS Redirect to PDF 2016-08-24"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script>"; nocase; content:"window.location.href"; nocase; distance:0; fast_pattern; content:".pdf"; nocase; distance:0; content:"</script>"; nocase; within:30; classtype:credential-theft; sid:2032402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup (drinkeatgood .space)"; dns.query; content:"drinkeatgood.space"; nocase; endswith; reference:url,ti.360.net/blog/articles/stealjob-new-android-malware-used-by-donot-apt-group-en/; classtype:command-and-control; sid:2027218; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, malware_family StealJob, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish 2016-10-27"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script type=|22|text/javascript|22|>"; nocase; within:50; content:"window.location"; nocase; fast_pattern; within:30; classtype:credential-theft; sid:2032407; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CoreDn/BLINDINGCAN Activity)"; flow:established,to_client; tls.cert_subject; content:"CN=www.curiofirenze.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030923; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Email Settings Phish 2016-10-28"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<html><head><base target=|22|_blank|22|>"; depth:34; content:"Your report has been received"; nocase; distance:0; fast_pattern; content:"you will be notified once"; nocase; within:30; content:"problem is resolved"; nocase; within:30; content:"<br>----------------<br>"; nocase; distance:0; classtype:credential-theft; sid:2032409; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=microsoftonline-secure-login.com"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027221; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Email Settings Error Phishing Landing Nov 16 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>An error"; nocase; fast_pattern; content:"settings is blocking"; nocase; within:50; content:"incoming emails"; nocase; within:50; content:"error in your SSL settings"; nocase; distance:0; classtype:social-engineering; sid:2025687; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (xsecuremail .com)"; dns.query; content:"xsecuremail.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027224; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Wembail Phish M2 2016-11-18"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>validationOK"; nocase; fast_pattern; content:"Process completed"; nocase; within:50; content:"previous Mail"; nocase; within:50; classtype:credential-theft; sid:2032412; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (wipro365 .com)"; dns.query; content:"wipro365.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027225; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Data URI Inline Javascript Mar 07 2016"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022597; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (microsoftonline-secure-login .com)"; dns.query; content:"microsoftonline-secure-login.com"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027226; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING s0m3 Phishing Landing 2018-04-09"; flow:established,to_client; file_data; content:"href=|22|s0m3/"; nocase; content:"href=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; content:"src=|22|s0m3/"; nocase; distance:0; classtype:social-engineering; sid:2025477; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Windows Phone PUA.Redpher (myservicessapps .com in DNS Lookup)"; dns.query; content:"myservicessapps.com"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/pua-microsoft-store-porn-gambling; classtype:trojan-activity; sid:2027220; rev:4; metadata:attack_target Mobile_Client, created_at 2019_04_18, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"src=|22|signin_files/"; nocase; distance:0; content:"href=|22|signin_files/"; nocase; distance:0; classtype:social-engineering; sid:2026048; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secure-message .online)"; dns.query; content:"secure-message.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027227; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Glitch.me Phishing Domain"; dns.query; content:".glitch.me"; nocase; isdataat:!1,relative; pcre:"/^[a-z]+\-[a-z]+\-[a-z0-9]{8,11}\.glitch\.me$/"; classtype:trojan-activity; sid:2029493; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, signature_severity Major, updated_at 2020_08_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypt-email .online)"; dns.query; content:"encrypt-email.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027228; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"signon_form="; depth:12; nocase; content:"trusteeCompatible="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"card-nickname="; nocase; distance:0; fast_pattern; content:"enter_sol="; nocase; distance:0; classtype:credential-theft; sid:2024326; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (secured-mail .online)"; dns.query; content:"secured-mail.online"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027229; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing"; flow:established,from_server; tls.cert_subject; content:"xn--"; tls.cert_issuer; content:"O=Let's Encrypt"; reference:url,isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024227; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (internal-message .app)"; dns.query; content:"internal-message.app"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027230; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GET Request to Appspot Hosting (set)"; flow:established,to_server; flowbits:set,ET.appspothosted; flowbits:noalert; http.method; content:"GET"; http.host; content:".appspot.com"; fast_pattern; endswith; classtype:social-engineering; sid:2030709; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, updated_at 2020_08_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unattributed CnC Domain in DNS Lookup (encrypted-message .cloud)"; dns.query; content:"encrypted-message.cloud"; nocase; endswith; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:command-and-control; sid:2027231; rev:3; metadata:created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Sign in to your account</title>"; nocase; fast_pattern; content:"URL=https://login.microsoftonline.com/"; distance:0; classtype:social-engineering; sid:2030710; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealerNeko CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"country="; depth:8; content:"&cc="; content:"&autof="; content:"&cookies="; content:"&filezilla="; fast_pattern; content:"&passwords="; content:"&telegram="; content:"&wallet="; content:"winver="; content:"&pidgin="; http.header_names; content:!"Referer"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027239; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, malware_family StealerNeko, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Sign in to Outlook</title>"; nocase; fast_pattern; classtype:social-engineering; sid:2030711; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"kuternull.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027281; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>&#x53|3b|&#x69|3b|&#x67|3b|&#x6E|3b|&#x20|3b|&#x69|3b|&#x6E|3b|&#x20|3b|&#x74|3b|&#x6F|3b|&#x20|3b|&#x79|3b|&#x6F|3b|&#x75|3b|&#x72|3b|&#x20|3b|&#x4D|3b|&#x69|3b|&#x63|3b|&#x72|3b|&#x6F|3b|&#x73|3b|&#x6F|3b|&#x66|3b|&#x74|3b|&#x20|3b|&#x61|3b|&#x63|3b|&#x63|3b|&#x6F|3b|&#x75|3b|&#x6E|3b|&#x74|3b|"; nocase; fast_pattern; classtype:social-engineering; sid:2030712; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; dns.query; content:"rimrun.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Webapp Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Signin Outlook WebApp"; nocase; fast_pattern; classtype:social-engineering; sid:2030713; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert dns $HOME_NET any -> any 53 (msg:"ET INFO DYNAMIC_DNS Query to *.myddns.me Domain"; flow:established,to_server; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".myddns.me"; nocase; endswith; classtype:policy-violation; sid:2027287; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Linkedin Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>LinkedIn Login"; nocase; fast_pattern; classtype:social-engineering; sid:2030714; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire POST M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2027283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Personal cloud storage - Microsoft OneDrive"; nocase; fast_pattern; classtype:social-engineering; sid:2030715; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Powershell Empire GET M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"session="; depth:8; http.header_names; content:"Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2027284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category TROJAN, malware_family PowerShell_Empire, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"window.location.href|20|=|20 22|index1.php?EmailAdd=|22 20|+ hash.split('#')[1]|3b|"; nocase; fast_pattern; classtype:social-engineering; sid:2030716; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myddns.me Domain"; flow:established,to_server; http.host; content:".myddns.me"; endswith; classtype:policy-violation; sid:2027288; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Sign in to your account</title>"; nocase; fast_pattern; content:"method=|22|post|22|"; distance:0; content:"action=|22|popup.php|22|"; distance:0; classtype:social-engineering; sid:2030717; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"pxybomb.icu"; nocase; endswith; classtype:trojan-activity; sid:2027285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Monero, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<script language=javascript>document.write(unescape("; nocase; content:"%3Ctitle%3ELoading%2099%...%3C/title%3E%20%3Cscript"; distance:0; fast_pattern; content:"var%20LIB_view%20%3D%20%27PGRpdiBjbGFzcz0iY29udGFpbm"; distance:0; classtype:social-engineering; sid:2030718; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"data-backup.online"; nocase; endswith; classtype:command-and-control; sid:2027290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BankAustria Phish Nov 03 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"online.bankaustria.at."; fast_pattern; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}/R"; classtype:credential-theft; sid:2024949; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"fontsupdate.com"; nocase; endswith; classtype:command-and-control; sid:2027291; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING BankAustria Phishing Domain Nov 03 2017"; dns.query; content:"online.bankaustria.at."; pcre:"/^[a-z]*?[0-9]{3,9}[a-z]*?\.[a-z]{2,4}$/Ri"; classtype:social-engineering; sid:2024946; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"akamaihub.stream"; nocase; endswith; classtype:command-and-control; sid:2027292; rev:3; metadata:created_at 2019_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emailphone="; depth:11; nocase; fast_pattern; content:"&emailphone2="; nocase; distance:0; classtype:credential-theft; sid:2025099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Novaloader Stage 2 VBS Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cabaco2.txt"; fast_pattern; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,www.zscaler.com/blogs/research/novaloader-yet-another-brazilian-banking-malware-family; reference:md5,4ef89349a52f9fcf9a139736e236217e; classtype:trojan-activity; sid:2027289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_29, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Novaloader, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing (set) Jan 7"; flow:to_server,established; flowbits:set,ET.wpphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; fast_pattern; http.header_names; content:!"Referer"; classtype:social-engineering; sid:2025696; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.autoddns .com Domain"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:".autoddns.com"; nocase; endswith; classtype:policy-violation; sid:2027299; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-04"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025115; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.autoddns.com Domain"; flow:established,to_server; http.host; content:".autoddns.com"; endswith; classtype:policy-violation; sid:2027300; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DynamicDNS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banco de la Nacion Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"transaccion="; depth:12; nocase; content:"&HrTrx="; nocase; distance:0; content:"&validar="; nocase; distance:0; content:"&txtNumeroTarjeta="; nocase; distance:0; classtype:credential-theft; sid:2032405; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT DNSpionage/Karkoff CnC Domain in DNS Lookup"; threshold: type limit, count 1, track by_src, seconds 120; dns.query; content:"coldfart.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html; classtype:targeted-activity; sid:2027280; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family Karkoff, performance_impact Low, signature_severity Major, tag APT34, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"GALX="; depth:5; nocase; content:"&continue="; nocase; distance:0; content:"&checkConnection="; nocase; distance:0; fast_pattern; content:"&checkedDomains="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; content:"&rmShown="; nocase; distance:0; classtype:credential-theft; sid:2032404; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain in DNS Lookup"; dns.query; content:"mystrylust.pw"; nocase; endswith; classtype:command-and-control; sid:2027295; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Shutdown Phishing Landing 2017-12-11"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>"; nocase; depth:300; content:"Secure Email Server|20 3a 3a|"; fast_pattern; nocase; within:100; classtype:social-engineering; sid:2025678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Stage 2 CnC Domain in DNS Lookup"; dns.query; content:"new.listenmusic.pw"; nocase; endswith; classtype:command-and-control; sid:2027296; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2015-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031859; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup Stage 2 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=new.listenmusic.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027297; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic L33bo Phish - URI Contents (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php?"; content:"sslchannel="; distance:0; fast_pattern; content:"sessionid="; content:"securessl="; classtype:credential-theft; sid:2031863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mystrylust.pw"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027298; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_30, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-20"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ma="; depth:3; nocase; content:"&mp="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031865; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"houusha33.icu"; nocase; endswith; classtype:command-and-control; sid:2027304; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Oct 16 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"_csrf="; depth:6; nocase; content:"&locale.x="; nocase; distance:0; content:"&processSignin="; nocase; distance:0; content:"&login_email="; nocase; distance:0; content:"&login_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2024846; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"joisff333.icu"; nocase; endswith; classtype:command-and-control; sid:2027305; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Financial Phish Landing 2017-12-21"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"jQuery(function($)"; nocase; fast_pattern; content:"#dob"; nocase; distance:0; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#ssn"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; content:"#sortcode"; nocase; within:50; content:"mask"; nocase; within:10; content:"placeholder"; nocase; within:30; classtype:social-engineering; sid:2025663; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"aasdkkkdsa3442.icu"; nocase; endswith; classtype:command-and-control; sid:2027306; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yobit Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&email="; nocase; distance:0; content:"&psw1="; nocase; distance:0; content:"&psw2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025174; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"fjiisiis33.icu"; nocase; endswith; classtype:command-and-control; sid:2027307; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HitBTC Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__csrf__="; depth:9; nocase; content:"&utc_offset_hours="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2025175; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"afsafasdarm.icu"; nocase; endswith; classtype:command-and-control; sid:2027308; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Liqui Cryptocurrency Exchange Phish 2017-12-28"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"login_type%5Bemail%5D="; depth:22; nocase; content:"&login_type%5Bpassword%5D="; nocase; distance:0; content:"&login_type%5BtwoFactorKey%5D="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025176; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ServHelper CnC Domain"; dns.query; content:"cdnavupdate.icu"; nocase; endswith; classtype:command-and-control; sid:2027309; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag ServHelper, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Chase Phishing Landing 2016-03-23"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"document.write"; pcre:"/^\s*?\(\s*?unescape\s*?\(/Rsi"; content:"|25 32 45 25 36 33 25 36 38 25 36 31 25 37 33 25 36 35 25 32 45 25 36 33 25 36 46 25 36 44|"; fast_pattern; classtype:social-engineering; sid:2032375; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE AridViper CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"tatsumifoughtogre.club"; endswith; classtype:targeted-activity; sid:2027312; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_SNI, tag AridViper, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING L33bo Phishing Landing 2016-03-29"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Login.php?sslchannel="; depth:22; fast_pattern; content:"&sessionid="; distance:0; http.cookie; content:"PHPSESSID"; classtype:social-engineering; sid:2032376; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Krypton Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Client"; depth:6; endswith; http.request_body; content:"id="; depth:3; content:"&message="; distance:0; fast_pattern; reference:md5,825afad02d07063689b7b59e8cf46809; classtype:command-and-control; sid:2027313; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, deployment Perimeter, former_category MALWARE, malware_family Krypton, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PhishMe.com Phishing Landing Exercise"; flow:to_client,established; http.stat_code; content:"200"; http.cookie; content:"_phishme.com_session_id="; file.data; content:"<!-- ORGANIZATION LOGO"; nocase; fast_pattern; classtype:social-engineering; sid:2022730; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_04_13, deployment Perimeter, former_category INFO, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IcedID Fake Resume Server in DNS Lookup"; dns.query; content:"browse-resumes.com"; nocase; endswith; classtype:trojan-activity; sid:2027314; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_03, former_category TROJAN, malware_family IcedID, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Landing M3 Sep 14 2017"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; startswith; file.data; content:"this.submitCreds"; nocase; fast_pattern; content:"username|3a 20|this.username"; nocase; distance:0; content:"password|3a 20|this.password"; nocase; distance:0; content:"apple.com"; nocase; distance:0; classtype:social-engineering; sid:2024705; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (ReactGet Group)"; dns.query; content:"ebitbr.com"; depth:10; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027317; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:social-engineering; sid:2023712; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ReactGet Group)"; flow:established,to_client; tls.cert_subject; content:"CN=ebitbr.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:domain-c2; sid:2027318; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_06, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, malware_family ReactGet, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Phishing Landing 2016-12-19"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"data|3a|text/html|3B|base64"; nocase; content:"PCFET0NUWVBFIEhUTUw"; nocase; distance:0; content:"PHRpdGxlPlNpZ24gSW48L3RpdGxlPg"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2032415; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Malicious DNS Query (Mirrorthief Group)"; dns.query; content:"cloudmetric-analytics.com"; depth:25; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:trojan-activity; sid:2027321; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-01-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; fast_pattern; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025180; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Mirrortheif group)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudmetric-analytics.com"; nocase; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada; classtype:domain-c2; sid:2027322; rev:4; metadata:attack_target Client_and_Server, created_at 2019_05_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Obfuscation 2016-02-26"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"eval(unescape(|27|"; nocase; content:"%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74"; fast_pattern; nocase; distance:0; content:"eval(unescape(|27|%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; distance:0; reference:url,www.proofpoint.com/sites/default/files/proofpoint-obfuscation-techniques-phishing-attacks-threat-insight-en-v1.pdf; classtype:social-engineering; sid:2032372; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rest/tinymce/1/macro/preview"; fast_pattern; endswith; http.request_body; content:"|22|contentId|22|"; depth:20; content:"|22|_template|22 3a|"; distance:0; reference:url,packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html; classtype:attempted-admin; sid:2027333; rev:4; metadata:created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox/Docusign Phish 2016-10-28"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"pro="; depth:4; nocase; fast_pattern; classtype:credential-theft; sid:2032410; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%3D"; endswith; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,156e021f890dd6eb6f271c2ad9b0316e; classtype:command-and-control; sid:2035056; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Nov 20 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"x1="; depth:3; nocase; fast_pattern; content:"&x2="; nocase; distance:0; classtype:credential-theft; sid:2025013; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,image/webp,*/*|3b|q=0.8"; depth:74; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,430,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:130; reference:md5,4ca520895d86beb6f8cab93639f26f50; classtype:command-and-control; sid:2035055; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_18, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Compromised Wordpress - Generic Phishing Landing 2018-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-"; depth:4; content:"?cmd=login_submit&id="; nocase; distance:0; fast_pattern; content:"&session="; nocase; distance:64; within:9; isdataat:!65,relative; classtype:social-engineering; sid:2025236; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,bda5b754bb079eec4389a9f43d16c903; classtype:command-and-control; sid:2035058; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) Feb 26 2016"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user"; nocase; pcre:!"/^agent/PRi"; content:"pass"; nocase; fast_pattern; classtype:credential-theft; sid:2024555; rev:8; metadata:attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:"/"; endswith; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|"; depth:51; pcre:"/^(?:WOW64\x3b\s)?Trident\/[457]\.0\x3b\s*SLCC2\x3b\s\.NET\sCLR\s2\.0\.50727\x3b\s\.NET\sCLR\s3\.5\.30729\x3b\s(?:\x20\.NET\x20CLR\x203\.5\.30729\x3b\s)?\.NET\sCLR\s3\.0\.30729\x3b\sMedia\sCenter\sPC\s6\.0\x3b\s\.NET4\.0C\x3b\s\.NET4\.0E(?:\.NET4\.0E(?:\x3b\s)?)?(?:\x3b\sInfoPath\.3)?\)$/Rs"; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,675,0,string,dec; byte_test:0,>,415,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[a-z]{2,25}\/){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?P=urivar)\r\n/"; content:"/|20|HTTP/1.1|0d 0a|Referer|3a 20|"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,bda5b754bb079eec4389a9f43d16c903; classtype:command-and-control; sid:2035059; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing Oct 23 2017"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=chalbhai"; fast_pattern; nocase; content:"method=post"; nocase; within:50; classtype:social-engineering; sid:2025655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Pre-auth User Information Leakage"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/search/index?q="; distance:0; isdataat:1,relative; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; reference:url,github.com/rapid7/metasploit-framework/pull/11466; classtype:web-application-attack; sid:2027348; rev:4; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HMRC Phish Oct 18 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"name="; depth:5; nocase; content:"&email="; nocase; distance:0; content:"&ccname="; nocase; distance:0; fast_pattern; content:"&ccn"; nocase; distance:0; content:"&ccexp="; nocase; distance:0; content:"&secode="; nocase; distance:0; content:"&sort"; nocase; distance:0; classtype:credential-theft; sid:2024850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-analytics.com"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:domain-c2; sid:2027342; rev:5; metadata:attack_target Client_and_Server, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyEtherWallet Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=xn--myeth"; depth:12; fast_pattern; classtype:social-engineering; sid:2025317; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC Domain in DNS Lookup"; dns.query; content:"magento-analytics.com"; nocase; endswith; reference:url,blog.netlab.360.com/ongoing-credit-card-data-leak/; classtype:command-and-control; sid:2027343; rev:5; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible MyMonero Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=xn--mymo"; depth:11; fast_pattern; classtype:social-engineering; sid:2025318; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category INFO, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MirrorThief CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextd.at"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:domain-c2; sid:2027355; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Ebay Phishing Landing 2018-02-07"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.host; content:"signin.eby.de."; depth:14; pcre:"/^[a-z0-9]{15}\./R"; classtype:social-engineering; sid:2025321; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MirrorThief CnC in DNS Lookup"; dns.query; content:"jqueryextd.at"; nocase; endswith; reference:url,blog.netlab.360.com/xin-yong-qia-shu-ju-xie-lou-chi-xu-jin-xing-zhong/; classtype:command-and-control; sid:2027356; rev:3; metadata:created_at 2019_05_15, deployment Perimeter, former_category MALWARE, malware_family MirrorThief, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing M1 2017-02-13"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"jQuery(function($)"; nocase; content:"cc-number"; within:50; nocase; fast_pattern; content:"formatCardNumber"; within:50; content:"cc-exp"; nocase; distance:0; content:"formatCardExpiry"; within:50; content:"cc-cvc"; nocase; distance:0; content:"formatCardCVC"; within:50; classtype:social-engineering; sid:2025658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PasswordVault/auth/saml/"; fast_pattern; endswith; http.request_body; content:"SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1F"; depth:41; reference:url,www.exploit-db.com/exploits/46828; classtype:attempted-admin; sid:2027358; rev:4; metadata:created_at 2019_05_16, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-02-26 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"formID="; depth:7; nocase; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031866; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User-Agent Downloading ZIP"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".zip"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2027360; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-08"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&eps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031867; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech Plead CnC in DNS Lookup"; dns.query; content:"ssmailer.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.ssmailer\.com$/"; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:command-and-control; sid:2027362; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psw="; nocase; distance:0; classtype:credential-theft; sid:2025417; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com)"; dns.query; content:"dns-report.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.dns-report\.com$/"; classtype:bad-unknown; sid:2027363; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful O2 Phish 2018-03-12"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.request_body; content:"sendTo="; depth:7; nocase; content:"www.o2.co.uk"; nocase; distance:0; content:"&fu="; nocase; distance:0; classtype:credential-theft; sid:2025419; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious shell .now .sh Domain"; dns.query; content:"shell.now.sh"; nocase; endswith; reference:url,www.lacework.com/blog-attacks-exploiting-confluence; classtype:misc-attack; sid:2027367; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2018-03-12"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"save-username="; depth:14; nocase; content:"&origin=cob&userPrefs="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; content:"&LOB="; nocase; distance:0; content:"&loginMode="; nocase; distance:0; content:"&serviceType="; nocase; distance:0; content:"&screenid="; nocase; distance:0; content:"&origination="; nocase; distance:0; content:"&TPB="; nocase; distance:0; content:"&msgId="; nocase; distance:0; content:"&platform="; nocase; distance:0; content:"&alternatesignon="; nocase; distance:0; content:"&destination="; nocase; distance:0; content:"&j_username="; nocase; distance:0; content:"&j_password="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025420; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821"; http.method; content:"POST"; http.uri; content:"/servlet/UploadServlet"; depth:22; endswith; fast_pattern; http.header; content:"Destination-Dir|3a 20|tftpRoot"; http.request_body; content:"String(|22|/bin/"; content:"new Socket(|22|"; distance:0; content:"Runtime.getRuntime().exec("; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header_names; content:!"Referer"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce; classtype:web-application-attack; sid:2027368; rev:4; metadata:attack_target Server, created_at 2019_05_20, cve 2019_1821, deployment Perimeter, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; nocase; depth:3; content:"|25|40"; distance:0; content:"&pas="; nocase; distance:0; classtype:credential-theft; sid:2025354; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Panda Banker CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; pcre:"/^\/[A-Za-z0-9]+(?:\/[A-F0-9]+){3,}$/"; http.user_agent; pcre:"/(?:MSIE|rv\x3a11)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.accept; content:"*/*"; depth:3; endswith; http.start; content:"P/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,17bd012f145bba62b4e58b376d8002d3; classtype:command-and-control; sid:2022609; rev:5; metadata:created_at 2016_03_10, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-03-13"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"o1="; depth:3; nocase; content:"&o2="; nocase; distance:0; content:"&o3="; nocase; distance:0; content:"&o4="; nocase; distance:0; content:"&o5="; nocase; distance:0; content:"&o6="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025425; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoWall Check-in"; flow:established,to_server; urilen:<134; http.uri; pcre:"/[\/=][a-z0-9]{8,}$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; content:"="; offset:1; depth:1; pcre:"/^[a-z]=[a-f0-9]{80,}$/"; http.accept; content:"*/*"; depth:3; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; depth:24; content:!"Accept-"; nocase; content:!"Referer"; reference:md5,3c53c9f7ab32a09de89bb44e5f91f9af; classtype:trojan-activity; sid:2018452; rev:18; metadata:created_at 2014_05_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com 2016-06-22"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"Passw"; nocase; content:"sign in"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032394; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic Check-in"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z]+\/)?$/"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; pcre:"/^Mozilla\/\d+\.\d+\x20\x28compatible\x3b\x20MSIE\x20\d+\.\d+\x3b\x20Windows\x20NT\x20\d+\.\d+\x3b\x20SV1\x29$/"; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Content-Type"; content:!"Accept-"; content:!"Referer"; classtype:trojan-activity; sid:2019881; rev:6; metadata:created_at 2014_12_06, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Dec 13 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Page Redirection"; nocase; fast_pattern; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:social-engineering; sid:2023638; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - iplocation .truevue .org"; flow:established,to_server; http.host; content:"iplocation.truevue.org"; fast_pattern; depth:22; endswith; classtype:external-ip-check; sid:2027372; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing M1 Dec 28 2015"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:".Ctr.decrypt"; nocase; fast_pattern; pcre:"/^\s*?\(\s*[^,]+,\s*?[^,]+,\s*?(?:128|256|512)\s*?\)/Rsi"; classtype:social-engineering; sid:2025657; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to External IP Lookup Domain ( iplocation .truevue .org)"; dns.query; content:"iplocation.truevue.org"; nocase; endswith; classtype:external-ip-check; sid:2027373; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phish Landing Jun 22 2017"; flow:to_client,established; http.stat_code; content:"200"; file.data; content:"Amazon Sign In</title>"; nocase; content:"account is connected with Amazon"; distance:0; nocase; content:"name=|22|signin|22 20|method=|22|post|22 20|novalidate action=|22 22|"; nocase; distance:0; content:"type=|22|password|22 20|id=|22|ap_password"; nocase; distance:0; classtype:social-engineering; sid:2024422; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT DNS Lookup (bulk .fun)"; dns.query; content:"bulk.fun"; nocase; endswith; classtype:targeted-activity; sid:2034146; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, created_at 2019_05_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2015-12-08 M3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"bassimo"; depth:7; nocase; fast_pattern; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; content:"&bassimo"; nocase; distance:0; classtype:credential-theft; sid:2031860; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shade Ransomware Payment Domain in DNS Lookup"; dns.query; content:"cryptsen7f043rr6.onion"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/; classtype:trojan-activity; sid:2027379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_24, deployment Perimeter, former_category MALWARE, malware_family Shade, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"gender="; depth:7; nocase; fast_pattern; content:"&name1="; nocase; distance:0; content:"&name2="; nocase; distance:0; content:"&day="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&submitForm="; nocase; distance:0; classtype:credential-theft; sid:2024184; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Matrix Ransomware Sending Encrypted Filelist"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; http.request_body; content:"name=|22|uploadfile|22 3b 20|filename=|22|C|3a 5c|"; content:"|0d 0a|[ALL]|0d 0a|"; distance:0; content:"|0d 0a|[ALL_END]|0d 0a 0d 0a|[PRIORITY]|0d 0a|"; fast_pattern; distance:0; http.header_names; content:!"Referer"; reference:md5,e5293a4da4b67be6ff2893f88c8ef757; classtype:trojan-activity; sid:2024178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Matrix, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M1 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"tc="; depth:3; nocase; content:"&sms="; nocase; distance:0; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025503; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible EXE Download Request to ngrok"; flow:established,to_server; http.uri; content:".exe"; endswith; http.host; content:".ngrok.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027391; rev:4; metadata:created_at 2019_05_28, deployment Perimeter, former_category POLICY, signature_severity Major, tag Suspicious_Download, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Halkbank Phish M2 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"FakeCustomerName="; depth:17; nocase; fast_pattern; content:"&LoginType="; nocase; distance:0; content:"&CustomerType="; nocase; distance:0; classtype:credential-theft; sid:2025504; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProtonBot Stealer Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"&clip=get"; distance:12; within:9; endswith; http.user_agent; content:"Proton Browser"; fast_pattern; http.header_names; content:!"Referer"; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:trojan-activity; sid:2027383; rev:3; metadata:created_at 2019_05_28, former_category TROJAN, malware_family ProtonBot, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DenizBank Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&tc="; nocase; content:"&sms="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; content:"&login_kullaniciadi="; nocase; distance:0; fast_pattern; content:"&login_parola_card="; nocase; distance:0; classtype:credential-theft; sid:2025506; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".microsofts.org"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027385; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-04-17"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ui="; depth:3; nocase; content:"&pw="; nocase; distance:0; fast_pattern; pcre:"/^ui=[^&]+&pw=/i"; classtype:credential-theft; sid:2025513; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".kaspresksy.com"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027386; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Web App Phishing Landing 2018-04-26"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-Powered-By|3a 20|PHP"; nocase; file.data; content:"<title"; nocase; content:"Outlook Web App"; nocase; within:30; fast_pattern; classtype:social-engineering; sid:2025532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_26, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to APT10 Related CnC Domain"; dns.query; content:".tencentchat.net"; nocase; endswith; reference:url,blog.ensilo.com/uncovering-new-activity-by-apt10; classtype:targeted-activity; sid:2027387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, malware_family APT10, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chalbhai Phishing Landing Feb 18 2016"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name=|22|chalbhai|22|"; fast_pattern; nocase; content:"id=|22|chalbhai|22|"; nocase; content:"method=|22|post|22|"; nocase; classtype:social-engineering; sid:2025654; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:unknown; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) Aug 21 2017"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"GET"; http.uri; content:"&UserName="; nocase; content:"&Password="; nocase; distance:0; fast_pattern; http.host; content:!"absolutdata.com"; content:!"absolutresearch.com"; classtype:credential-theft; sid:2025026; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Node XMLHTTP User-Agent"; flow:established,to_server; http.user_agent; content:"node-XMLHttpRequest"; depth:19; endswith; nocase; fast_pattern; classtype:unknown; sid:2027388; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-02"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; nocase; depth:4; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (php)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"|0d 0a 0d 0a|php"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^php.{0,500}[\x80-\xff]/s"; http.header_names; content:!"Content-Type"; content:!"Referer"; content:!"Cookie:"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022901; rev:5; metadata:created_at 2016_06_15, updated_at 2022_04_18;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pww="; nocase; distance:0; fast_pattern; content:"&image.x="; nocase; distance:0; content:"&image.y="; nocase; distance:0; classtype:credential-theft; sid:2025562; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT ScanBox Framework used in WateringHole Attacks Initial (POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"seed="; fast_pattern; content:"&referrer="; content:"&agent="; content:"&location="; content:"&toplocation="; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:exploit-kit; sid:2019094; rev:8; metadata:created_at 2014_08_30, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible TSB Bank Phishing Landing 2018-05-07"; flow:established,to_server; http.method; content:"GET"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:social-engineering; sid:2025563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SeaDuke CnC Beacon"; flow:established,to_server; content:"|0d 0a 0d 0a|Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; fast_pattern; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/"; http.header_names; content:!"Accept"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:targeted-activity; sid:2021413; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TSB Bank Phish 2018-05-07"; flow:established,to_server; http.method; content:"POST"; http.host; content:"tsb.co.uk.personal.logon.login.jsp."; isdataat:50; classtype:credential-theft; sid:2025564; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Content-Type\x3a[^\r\n]+\r\n)?(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept-Language|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; classtype:command-and-control; sid:2021418; rev:12; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025565; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Doc to IP Address with Terse Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".doc"; fast_pattern; nocase; endswith; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; classtype:bad-unknown; sid:2025162; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-08 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"us1="; depth:4; nocase; content:"&ps1="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2025566; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic - Mozilla 4.0 EXE Request"; flow:established,to_server; urilen:6<>15; http.uri; content:".exe"; endswith; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:unknown; sid:2020705; rev:7; metadata:created_at 2015_03_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-05-16 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025579; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DarkHotel Payload Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|29 20|A"; endswith; http.request_body; content:"filename=|22|"; content:"|3a 5c|Windows|5c|"; distance:1; within:10; pcre:"/^[A-F0-9]{8}_[A-F0-9]{8}\.sql/Ri"; content:"|00|.|00|i|00|n|00|k|00|"; distance:0; fast_pattern; http.request_line; content:".php|20|HTTP/1.0"; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027398; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, tag APT, tag DarkHotel, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-05-31"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"username="; depth:9; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_05_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"pwsmbx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027399; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-11"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"gate="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&push="; nocase; distance:0; classtype:credential-theft; sid:2025588; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"reuqest-userauth.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027400; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-06-14"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025591; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel CnC Domain in DNS Lookup"; dns.query; content:"vgmtx.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2019/05/darkhotel_lnk.html; classtype:targeted-activity; sid:2027401; rev:3; metadata:created_at 2019_05_30, former_category MALWARE, tag DarkHotel, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Paypal Phish Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2e 2e 2e 2e 21 5b 31 5d 20 53 2f 4d 2f 41 2f 49 2f 4c 2f 4d 2f 41 2f 58 21 2e 2e 2e 2e|"; classtype:social-engineering; sid:2025592; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_14, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"schooltillhungryprocess.com"; nocase; endswith; classtype:targeted-activity; sid:2027406; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Santander Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 54 55 44 4f 20 2d 2d 3e|"; content:"|3c 21 2d 2d 20 46 45 49 58 41 4e 44 4f 20 54 55 44 4f 20 2d 2d 3e|"; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025607; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"maylaytravelgroup.com"; nocase; endswith; classtype:targeted-activity; sid:2027407; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Santander Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 63 6f 72 70 6f 20 67 65 72 61 6c 20 2d 2d 3e|"; content:"|3c 21 2d 2d 20 66 65 78 61 6e 64 6f 20 63 6f 72 70 6f 20 67 65 72 61 6c 20 2d 2d 3e|"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025608; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"reasonwithusefulpolicy.com"; nocase; endswith; classtype:targeted-activity; sid:2027408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Live Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Sign in to your Microsoft account"; nocase; content:"|3c 21 2d 2d 20 20 2d 2d 3e|"; distance:0; content:"|3c 21 2d 2d 20 2f 6b 6f 20 2d 2d 3e|"; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025609; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"streetunderrelevantpeople.com"; nocase; endswith; classtype:targeted-activity; sid:2027409; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe PDF Online Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"function popupwnd(url,"; nocase; content:"CLICK ON YOUR EMAIL PROVIDER BELOW"; nocase; distance:0; content:"javascript|3a|popupwnd("; nocase; distance:0; content:"|3c 21 2d 2d 4d 6f 64 65 64 20 42 79 20 41 6e 74 68 72 61 78 2d 2d 3e|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025610; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"experiencewithweakkid.com"; nocase; endswith; classtype:targeted-activity; sid:2027410; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banque et Assurances Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Banque et Assurances"; nocase; content:"|3c 21 2d 2d 20 2f 20 4e 44 37 20 45 4e 43 4f 44 41 47 45 20 44 45 53 49 47 4e 20 26 20 58 53 41 4d 20 4a 53 20 45 4e 43 4f 44 41 47 45 20 2f 20 2d 2d 3e|"; distance:0; fast_pattern; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 CnC Domain DNS Lookup"; dns.query; content:"systembeforeniceparent.com"; nocase; endswith; classtype:targeted-activity; sid:2027411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING iTunes Connect Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>iTunes Connect"; nocase; content:"|3c 21 2d 2d 20 50 48 4f 45 4e 21 58 20 2d 2d 3e|"; distance:0; fast_pattern; classtype:social-engineering; sid:2025612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Request"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.shmyip.com"; fast_pattern; endswith; reference:md5,0b14eedcc9e847a2d20abf409c8b505f; classtype:external-ip-check; sid:2027430; rev:3; metadata:created_at 2019_06_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 20 20 53 63 61 6d 20 4d 61 64 65 20 42 79 20 74 68 65 20 6b 69 6e 67|"; fast_pattern; content:"<title>Bienvenue sur Facebook"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025613; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Sending System Information"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027441; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>sign in to your account"; nocase; fast_pattern; content:"src=|22|https|3a|//secure.aadcdn.microsoftonline-p.com/"; nocase; distance:0; content:"src=|22|files/"; nocase; distance:0; content:"href=|22|files/"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025614; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (BURAN)"; flow:established,to_server; http.user_agent; content:"BURAN"; depth:5; endswith; classtype:trojan-activity; sid:2027443; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2f 67 2d 7a 31 31 38 2e 63 73 73|"; content:"|2f 62 2d 7a 31 31 38 2e 63 73 73|"; distance:0; content:"|63 6c 61 73 73 3d 22 48 65 61 64 65 72 5a 31 31 38|"; distance:0; content:"|63 6c 61 73 73 3d 22 47 2d 46 69 65 6c 64 73 5a 31 31 38|"; distance:0; fast_pattern; content:"|63 6c 61 73 73 3d 22 46 69 65 6c 64 73 5a 31 31 38|"; distance:0; classtype:social-engineering; sid:2025615; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA (GHOST)"; flow:established,to_server; http.user_agent; content:"GHOST"; depth:5; endswith; classtype:trojan-activity; sid:2027444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Assurance Maladie Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"href=|22|ficherss/"; nocase; content:"<title>Compte ameli - mon espace personnel"; nocase; distance:0; content:"src=|22|ficherss/"; nocase; distance:0; fast_pattern; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; classtype:social-engineering; sid:2025616; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buran Ransomware Activity M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"GHOST"; depth:5; endswith; fast_pattern; http.referer; content:!"."; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i"; http.header_names; content:!"Connection"; content:!"Cache"; content:!"Accept"; classtype:trojan-activity; sid:2027445; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_10, deployment Perimeter, former_category MALWARE, malware_family Buran, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"src=|22|2Sign|25|20in|25|20-|25|20Adobe|25|20ID_files/"; nocase; fast_pattern; content:"href=|22|2Sign|25|20in|25|20-|25|20Adobe|25|20ID_files/"; nocase; distance:0; classtype:social-engineering; sid:2025617; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve 2019_3929, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemerty-cdn-cloud.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027465; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"cdn-amaznet.club"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027466; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"reservecdn.pro"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027467; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"wsuswin10.us"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027468; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Lookup"; dns.query; content:"telemetry.host"; nocase; endswith; reference:url,blog.morphisec.com/security-alert-fin8-is-back; classtype:command-and-control; sid:2027469; rev:3; metadata:created_at 2019_06_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN8, updated_at 2020_09_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; http.cookie; content:"ci_session="; fast_pattern; file.data; content:"ok"; depth:2; endswith; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:5; metadata:created_at 2013_05_31, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/\/[a-z-_]{75,}\.php$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016809; rev:8; metadata:created_at 2013_05_02, former_category MALWARE, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zberp receiving config via image file - SET"; flow:to_server,established; flowbits:set,ET.Zberp; flowbits:noalert; http.uri; content:".jpg"; endswith; http.request_line; content:".jpg HTTP/1."; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1e1f44f8a403c4ebc6943eb2dcf731ff; reference:url,securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/#.U5Xgpyh4l8u; reference:url,blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/; classtype:trojan-activity; sid:2021381; rev:10; metadata:created_at 2015_07_06, updated_at 2020_09_17;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ww1-filecloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027472; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn-imgcloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027473; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Capital One Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"background|3a|url(Logon_Files/"; nocase; fast_pattern; content:"href=|22|Logon_Files/"; nocase; distance:0; content:"<title>Capitalone"; nocase; distance:0; content:"href=|22|Logon_Files/"; nocase; distance:0; classtype:social-engineering; sid:2025618; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=font-assets.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027474; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING US Bank Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"href=|22|index|25|5D_files/"; nocase; content:"src=|22|index|25|5D_files/"; nocase; distance:0; fast_pattern; content:"<title>PersonalID Step"; nocase; distance:0; classtype:social-engineering; sid:2025619; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=wix-cloud.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027475; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING American Express Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>American Express"; nocase; content:"href=|22|./index_files/"; nocase; distance:0; fast_pattern; content:"src=|22|./index_files/"; nocase; distance:0; classtype:social-engineering; sid:2025620; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=js-cloudhost.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/; classtype:domain-c2; sid:2027476; rev:3; metadata:attack_target Client_and_Server, created_at 2019_06_14, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING HM Revenue Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>HM Revenue"; nocase; content:"href=|22|file/"; nocase; distance:0; fast_pattern; content:"<h1>Tax Refund"; nocase; distance:0; content:"<!-- DEVELOPMENT ONLY -->"; nocase; distance:0; classtype:social-engineering; sid:2025621; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREK"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,<=,255,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027479; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Kit Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|7c 20 7c 5c 2f 7c 20 7c 20 2f 20 5f 5f 7c 20 5f 5f 2f 20 5f 20 5c 20 27 5f 5f 7c 20 20 5c 5f 5f 5f 20 5c 7c 20 27 5f 20 5c 7c 20 7c 20 7c 20 7c|"; content:"|68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 30 30 37 4d 72 53 70 79|"; distance:0; fast_pattern; content:"|73 72 63 3d 22 4a 73 5f 53 70 79 2f|"; distance:0; classtype:social-engineering; sid:2025622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chafer Win32/TREKX Uploading to CnC (Modified CAB)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b|"; content:"TREC"; distance:0; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Rs"; http.content_type; content:"multipart|2f|form-data|3b|"; http.content_len; byte_test:0,>=,256,0,string,dec; http.header_names; content:!"Referer"; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027480; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family TREKX, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office 365 Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<meta name=|22|generator|22 20|content=|22|WYSIWYG|22|"; nocase; content:"<link href=|22|Untitled1.css|22|"; nocase; distance:0; fast_pattern; content:"<div id=|22|wb_Image1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:"<div id=|22|wb_Form1|22 20|style=|22|position|3a|absolute|3b|left|3a|"; nocase; distance:0; content:".php|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|password|22 20|id=|22|Editbox2|22|"; nocase; distance:0; classtype:social-engineering; sid:2025623; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"nvidia-services.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027481; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Generic Phish 2018-06-15"; flow:to_server,established; flowbits:isset,ET.genericphish; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025628; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-css.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027482; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [eSentire] Successful Personalized Phish 2018-06-15"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?email="; nocase; content:"&password="; nocase; distance:0; http.header; content:"accessToFile="; nocase; fast_pattern; content:"&fileAccess="; nocase; distance:0; content:"&encryptedCookie="; nocase; distance:0; content:"&connecting="; nocase; distance:0; classtype:credential-theft; sid:2025629; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Chafer CnC Domain in DNS Lookup"; dns.query; content:"sabre-airlinesolutions.com"; nocase; endswith; reference:url,securityintelligence.com/posts/observations-of-itg07-cyber-operations/; classtype:command-and-control; sid:2027483; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Chafer, tag APT39, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-06-29"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; content:"&ps="; nocase; distance:0; classtype:credential-theft; sid:2025632; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; depth:13; fast_pattern; endswith; reference:md5,c1ca718e7304bf28b5c96559cbf69a06; classtype:bad-unknown; sid:2027484; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M1 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name"; nocase; content:"mail"; nocase; content:"Password"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032366; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unfrocked.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2027485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_17, deployment Perimeter, former_category MALWARE, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M2 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Domain"; nocase; content:"mail"; nocase; content:"Password"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032367; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User Agent Executable Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; http.user_agent; content:"AutoIt"; depth:6; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2019935; rev:7; metadata:created_at 2014_12_15, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag AutoIt, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M3 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Adresse"; nocase; content:"mail"; nocase; content:"Mot de passe"; nocase; content:"<div class=|22|wsite-form-field|22|"; fast_pattern; classtype:social-engineering; sid:2032368; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com M4 2016-02-02"; flow:to_client,established; flowbits:isset,ET.weebly.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"name"; nocase; content:"mail"; nocase; content:"Passw0rd"; fast_pattern; nocase; content:"<div class=|22|wsite-form-field|22|"; classtype:social-engineering; sid:2032369; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Stripe Phishing Landing Dec 09 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Stripe|3a|"; nocase; fast_pattern; content:"|2f 2a 20 56 4f 44 4b 41 20 2a 2f|"; distance:0; classtype:social-engineering; sid:2025668; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Webmail Phishing Landing Utilizing Clearbit"; flow:established,to_client; file.data; content:"webmail"; nocase; content:"<img src=|22|https://logo.clearbit.com/"; fast_pattern; classtype:social-engineering; sid:2030731; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2018-07-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pswd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2025863; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidsmedia .com in DNS Lookup)"; dns.query; content:"androidsmedia.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027490; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-07-19"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pw="; nocase; distance:0; classtype:credential-theft; sid:2025864; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (androidssystem .com in DNS Lookup)"; dns.query; content:"androidssystem.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027491; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-07-30"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/customer-IDPP00"; fast_pattern; content:"/myaccount/signin/"; nocase; distance:0; classtype:social-engineering; sid:2025919; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (secandroid .com in DNS Lookup)"; dns.query; content:"secandroid.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027492; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-08-01"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"&t2="; nocase; distance:0; content:"&t3="; nocase; distance:0; content:"&t4="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025932; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediadownload .space in DNS Lookup)"; dns.query; content:"mediadownload.space"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027493; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish Phish 2018-08-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; content:"&submit.y="; nocase; distance:0; classtype:credential-theft; sid:2026006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (mediamobilereg .com in DNS Lookup)"; dns.query; content:"mediamobilereg.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027494; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2026360; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (sharpion .org in DNS Lookup)"; dns.query; content:"sharpion.org"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027495; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-24"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"account="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2026362; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.ANA (shileyfetwell .com in DNS Lookup)"; dns.query; content:"shileyfetwell.com"; endswith; reference:md5,81281261132fba4c8ec70322250965b7; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/; classtype:trojan-activity; sid:2027496; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_06_19, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_SpyAgent, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-10"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"|25|40"; distance:0; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026466; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.header; content:!"GeoVision"; http.user_agent; content:"|20|MSIE 5."; fast_pattern; nocase; http.host; content:!".microsoft.com"; endswith; content:!".trendmicro.com"; endswith; content:!".sony.net"; endswith; content:!".weather.com"; endswith; content:!".yahoo.com"; endswith; content:!".dellfix.com"; endswith; content:!".oncenter.com"; endswith; classtype:policy-violation; sid:2016870; rev:15; metadata:created_at 2013_05_21, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^id=[^&%]+%40[^&]+&pass=/i"; classtype:credential-theft; sid:2026492; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla Domain (vision2030 .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"vision2030.tk"; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027501; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (302) 2016-12-16"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a|"; nocase; pcre:"/^\s*(?:\./|\.\./)*(?:s(?:e(?:curity(?:-check|cvv)|rver|condpage)|uccess)|l(?:o(?:ad(?:ing|er)|g(?:off))|iamg)|d(?:e(?:livery|tails)|one|hl)|i(?:d(?:entity)?|ndex2|i)|p(?:ro(?:cess(?:ing)?|file)|hone|ass|in|ayment)|w(?:e(?:iter|bsc)|ait)|t(?:hanky[o0]u|racking)|v(?:alidate|erify?|bv)|L(?:oginVerification|L1|2|ogin2)|f(?:orward|irst|in(?:al|ish))|b(?:illing2?|ank)|e(?:rror|xcel|nd)|questions|1loader|account|recova|confirm|outlook|update(?:bill|card)?|good|SS|verification|qes|upgrade2?|activation|check(?:ing)?|ex|indexx|warning|re(?:name|try))\./Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2029657; rev:28; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla DNS Lookup (vision2030 .cf)"; dns.query; content:"vision2030.cf"; nocase; endswith; reference:url,www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments; classtype:targeted-activity; sid:2027502; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, malware_family Turla, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-16"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/key?k="; depth:11; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; pcre:"/^[^\x20-\x7e\r\n]{2}$/R"; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:command-and-control; sid:2027497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Danabot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Generic Credential POST to Ngrok.io"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ngrok.io"; fast_pattern; classtype:credential-theft; sid:2026516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"webdynamicname.com"; nocase; endswith; classtype:command-and-control; sid:2027498; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-18"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2026518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Plurox CnC Domain in DNS Lookup"; dns.query; content:"obuhov2k.beget.tech"; nocase; endswith; classtype:command-and-control; sid:2027499; rev:3; metadata:created_at 2019_06_20, deployment Perimeter, former_category MALWARE, malware_family Plurox, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; content:!"&"; distance:0; pcre:"/^id=[^&]+&ps=/i"; classtype:credential-theft; sid:2026530; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot UA Observed"; flow:established,to_server; http.user_agent; content:"Mozilla|20|4.0|20 2f 20|Chrome"; depth:20; fast_pattern; endswith; reference:md5,7f5f7de558fd2ef2a195b3a507c11ff2; classtype:trojan-activity; sid:2027500; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_20, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Cryptocurrency Exchange Phish (set) 2018-10-25"; flow:established,to_server; flowbits:set,ET.Cryptocurrency_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"private_key="; depth:12; nocase; fast_pattern; classtype:credential-theft; sid:2026554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Ngioweb Stage 1 CnC Activity Client Request (set)"; flow:established,to_server; flowbits:set,ET.Linux.Ngioweb; flowbits:noalert; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:59.0|29 20|Gecko/20100101 Firefox/59.0"; endswith; http.start; content:"GET|20|/min.js?h=aWQ9"; depth:18; fast_pattern; reference:url,blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/; classtype:command-and-control; sid:2027507; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Fake Login - Possible Phishing - 2018-12-31"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fakeLogin="; depth:10; nocase; content:"&fakePassword="; nocase; distance:0; fast_pattern; classtype:suspicious-login; sid:2026746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_12_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello, World)"; flow:established,to_server; http.user_agent; content:"Hello, World"; depth:12; endswith; classtype:bad-unknown; sid:2027503; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious Generic Login - Possible Successful Phish 2019-01-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"myusername="; depth:11; nocase; content:"&mypassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2026749; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello-World)"; flow:established,to_server; http.user_agent; content:"Hello-World"; depth:11; endswith; classtype:bad-unknown; sid:2027504; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Phish 2016-12-08"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"bynamail="; depth:9; nocase; content:"&bynapass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032414; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious UA (Skuxray)"; flow:established,to_server; http.user_agent; content:"Skuxray"; depth:7; endswith; reference:md5,cc46f255297ef0366dd447bbcde841ac; classtype:bad-unknown; sid:2027505; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category TROJAN, malware_family Skuxray, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-01-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"off8900="; depth:8; nocase; content:"&offpa738="; nocase; distance:0; fast_pattern; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2029668; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HYDSEVEN VBS CnC Host Information Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"Authorization|3a 20|SUQ6"; fast_pattern; http.accept; content:"*.*"; depth:3; endswith; reference:url,www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html; reference:url,www.lac.co.jp/lacwatch/pdf/20190619_cecreport_sp.pdf; classtype:command-and-control; sid:2027515; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-01-30"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"passwd="; depth:7; nocase; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2031868; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT CnC Domain in DNS Lookup"; dns.query; content:"sessions4life.pw"; nocase; endswith; classtype:targeted-activity; sid:2027564; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Credentials Sent to Suspicious TLD via HTTP GET"; flow:to_server,established; flowbits:set,ET.eduphish; http.method; content:"GET"; http.uri; content:"user"; nocase; content:"pass"; distance:0; nocase; fast_pattern; http.host; pcre:"/\.(?:ga|gq|cf|ml|gdn|tk|icu)$/"; classtype:social-engineering; sid:2025113; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"adfs-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027567; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; pcre:"/^mail=[^\x25]+\x2540[^&]+&pass=[^&]+$/i"; classtype:credential-theft; sid:2026902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"b2bmerchant.online"; nocase; endswith; classtype:command-and-control; sid:2027568; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"a="; depth:2; nocase; content:"|25|40"; distance:0; content:"&b="; nocase; fast_pattern; distance:0; pcre:"/^a=[^\x25]+\x2540[^&]+&b=[^&]+/i"; classtype:credential-theft; sid:2026903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"bhnetwork.online"; nocase; endswith; classtype:command-and-control; sid:2027569; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&epass="; nocase; fast_pattern; distance:0; pcre:"/^email=[^\x25]+\x2540[^&]+&epass=[^&]+/i"; classtype:credential-theft; sid:2026905; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cert-ssl.com"; nocase; endswith; classtype:command-and-control; sid:2027570; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious SSN Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&ssn="; nocase; classtype:trojan-activity; sid:2026908; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn-client.com"; nocase; endswith; classtype:command-and-control; sid:2027571; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious CVV Parameter in HTTP POST - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&cvv="; nocase; classtype:trojan-activity; sid:2026909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"cisco-vpn.online"; nocase; endswith; classtype:command-and-control; sid:2027572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-03-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"Eml="; depth:4; fast_pattern; content:"&Password="; distance:0; classtype:credential-theft; sid:2027046; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"corporate-ciscovpn.com"; nocase; endswith; classtype:command-and-control; sid:2027573; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Mailbox Phish 2019-03-07"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"akoko="; depth:6; nocase; content:"|25|40"; distance:0; content:"&ekeji="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029670; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ducacorp.com"; nocase; endswith; classtype:command-and-control; sid:2027574; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-03-11"; flow:established,to_server; http.method; content:"POST"; http.header; content:".php?userid="; fast_pattern; content:"@"; distance:0; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&password="; nocase; distance:0; content:"&login="; nocase; distance:0; classtype:credential-theft; sid:2029671; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"efaxmakeronline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027575; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PirateBay Phish - Possibly PirateMatryoshka Related"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c|p|3e|In order to continue the install"; content:"enter your Piratebay user and pass below"; distance:0; content:"If u don't have an PirateBay"; distance:0; fast_pattern; reference:url,securelist.com/piratebay-malware/89740/; classtype:social-engineering; sid:2027081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_13, deployment Perimeter, former_category PHISHING, malware_family PirateMatryoshka, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Quasar CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Quasar Server CA"; nocase; fast_pattern; endswith; reference:url,sslbl.abuse.ch/ssl-certificates/sha1/f87d2aff4148f98f014460ab709c77587ea1e430/; classtype:domain-c2; sid:2027619; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag RAT, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fedex Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>FedEx|20 7c 20|"; fast_pattern; classtype:social-engineering; sid:2030810; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=tupeska.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027620; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GET Request to Googleapis Hosting (set)"; flow:established,to_server; flowbits:set,ET.appspothosted; flowbits:noalert; http.method; content:"GET"; http.host; content:".googleapis.com"; fast_pattern; isdataat:!1,relative; classtype:social-engineering; sid:2030811; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category PHISHING, signature_severity Informational, tag Phishing, updated_at 2020_08_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"backupnet.ddns.net"; nocase; endswith; classtype:targeted-activity; sid:2027622; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING JS Obfuscation - Possible Phishing 2016-03-01"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:social-engineering; sid:2022578; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hyperservice.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027623; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish Jan 14 2016"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; content:!"domain=.facebook.com|3b|"; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:a(?:m(?:ericanexpress|azon)|(?:dob|ppl)e|libaba|ol)|r(?:e(?:gions|max)|bcroyalbank)|f(?:irst-online|acebook|edex)|m(?:icrosoft(?:online)?|atch)|u(?:s(?:bank|aa|ps)|ps)|(?:technologyordi|googl)e|na(?:twest|ver)|d(?:ropbox|hl)|yahoo(?:mail)?|1(?:26|63)|keybank|qq)\.com|i(?:n(?:t(?:ertekgroup\.org|uit\.com)|vestorjunkie\.com|g\.nl)|c(?:icibank\.com|scards\.nl)|mpots\.gouv\.fr|rs\.gov)|c(?:(?:h(?:ristianmingl|as)e|apitalone(?:360)?|ibcfcib|panel)\.com|om(?:mbank\.com\.au|cast\.net)|redit-agricole\.fr)|b(?:a(?:nkofamerica\.com|rclays\.co\.uk)|(?:igpond|t)\.com|luewin\.ch)|o(?:(?:utlook|ffice)\.com|range\.(?:co\.uk|fr)|nline\.hmrc\.gov\.uk)|s(?:(?:(?:aatchiar|untrus)t|c)\.com|ecure\.lcl\.fr|parkasse\.de)|h(?:a(?:lifax(?:-online)?\.co\.uk|waiiantel\.net)|otmail\.com)|p(?:(?:rimelocation|aypal)\.com|ostbank\.de)|l(?:i(?:nkedin|ve)\.com|abanquepostale\.fr)|we(?:llsfargo\.com|stpac\.co\.nz)|etisalat\.ae)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2025005; rev:15; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mynetwork.cf"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027624; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-02-13"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"ud="; depth:3; nocase; content:"|25|40"; distance:0; content:"&pd="; nocase; fast_pattern; distance:0; pcre:"/^ud=[^&]*&pd=[^&]*/i"; classtype:credential-theft; sid:2026904; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"mywinnetwork.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027625; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2019-04-30 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.request_body; content:"usr="; depth:4; nocase; content:"|25|40"; distance:0; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027294; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remote-server.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027626; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Interac Phish 2019-05-15"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"fiId="; depth:5; nocase; content:"&cuId="; nocase; distance:0; content:"&hiddenFiLabel="; nocase; distance:0; content:"&hiddenCuLabel="; nocase; distance:0; content:"&isMobileBrowser="; nocase; distance:0; content:"&language="; nocase; distance:0; content:"&paymentRefNum="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029674; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"remserver.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027627; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-21"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"eml="; depth:4; nocase; content:"&pwd="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027371; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"securityupdated.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027628; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish (set) 2018-10-22"; flow:established,to_server; flowbits:set,ET.Fedex_DHL_Phish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2026529; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"servhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027629; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-06-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&CcNumber="; nocase; fast_pattern; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv"; nocase; classtype:credential-theft; sid:2029675; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"service-avant.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-05-14"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&psw="; nocase; distance:0; fast_pattern; pcre:"/^uname=[^&]+&psw=/i"; classtype:credential-theft; sid:2031869; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"srvhost.servehttp.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027631; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned EWE Telecom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login-tk.ewe.de/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"fucksaudi.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027632; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned La Banque Postale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://voscomptesenligne.labanquepostale.fr/"; distance:4; within:46; fast_pattern; classtype:social-engineering; sid:2027520; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"googlechromehost.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027633; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ATB Bank Online Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.atbonline.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027521; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"younesadams.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027634; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned RBC Royal Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www1.royalbank.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027522; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"teamnj.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027635; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibc.mobi/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027523; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"bistbotsproxies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027636; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://ib.absa.co.za/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"hellocookies.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027637; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027525; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"n3tc4t.hopto.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027638; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://instagram.com/"; distance:4; within:23; fast_pattern; classtype:social-engineering; sid:2027526; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"newhost.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027639; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Spotify Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.spotify.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027527; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"njrat12.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ADP Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://runpayroll.adp.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027528; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"svcexplores.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027641; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Westpac Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://bank.westpac.co.nz/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027529; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"trojan1117.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027642; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Simplii Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://mobile.simplii.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027530; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"update-sec.com"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned CIBC Bank Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cibconline.cibc.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027531; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"windowsx.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027644; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Chase Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure05c.chase.com/"; distance:4; within:29; fast_pattern; classtype:social-engineering; sid:2027532; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"wwwgooglecom.sytes.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027645; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Scotiabank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.scotiaonline.scotiabank.com/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027533; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"xtreme.hopto.org"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027646; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Cox Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.cox.com/"; distance:4; within:21; fast_pattern; classtype:social-engineering; sid:2027534; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT33 CnC Domain in DNS Lookup"; dns.query; content:"za158155.ddns.net"; nocase; endswith; reference:url,go.recordedfuture.com/hubfs/reports/cta-2019-0626.pdf; classtype:targeted-activity; sid:2027647; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://idm.xfinity.com/"; distance:4; within:25; fast_pattern; classtype:social-engineering; sid:2027536; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Ave, Caesar!)"; flow:established,to_server; http.user_agent; content:"Ave,|20|Caesar!"; depth:12; fast_pattern; endswith; classtype:bad-unknown; sid:2027648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_28, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telstra Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.my.telstra.com.au/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027537; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (zwt)"; flow:established,to_server; http.user_agent; content:"zwt"; depth:3; endswith; classtype:bad-unknown; sid:2027649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Comcast / Xfinity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.xfinity.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2027538; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (My Agent)"; flow:established,to_server; http.user_agent; content:"My Agent"; depth:8; endswith; classtype:bad-unknown; sid:2027650; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Itscom Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://webmail.itscom.net/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027539; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (helegedada .github .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"helegedada.github.io"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027662; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://staticweb.bankofamerica.com/"; distance:4; within:37; fast_pattern; classtype:social-engineering; sid:2027540; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027663; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://www.bankofamerica.com/"; distance:4; within:31; fast_pattern; classtype:social-engineering; sid:2027541; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Bank of America Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://secure.bankofamerica.com/"; distance:4; within:34; fast_pattern; classtype:social-engineering; sid:2027542; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .heheda .tk in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.heheda.tk"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027665; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Microsoft Office Apps Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://odc.officeapps.live.com/"; distance:4; within:33; fast_pattern; classtype:social-engineering; sid:2027543; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (dd .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dd.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027666; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://accounts.login.idm.telekom.com/"; distance:4; within:40; fast_pattern; classtype:social-engineering; sid:2027544; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (d .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"d.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027667; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Fidelity Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://login.fidelity.com/"; distance:4; within:28; fast_pattern; classtype:social-engineering; sid:2027545; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Godlua Backdoor Domain (c .cloudappconfig .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"c.cloudappconfig.com"; endswith; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Societe Generale FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:500; content:")https://particuliers.societegenerale.fr/"; distance:4; within:41; fast_pattern; classtype:social-engineering; sid:2027546; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.kemostarlogistics.co.ke"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027651; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Impots Gouv FR Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from cfspart.impots.gouv.fr"; within:500; classtype:social-engineering; sid:2027547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"www.terryhill.top"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027652; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Godaddy Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from sso.godaddy.com"; within:500; classtype:social-engineering; sid:2027548; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Unk HeavensGate Loader CnC in DNS Lookup"; dns.query; content:"mail.jaguarline.com"; nocase; endswith; reference:url,blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html; classtype:command-and-control; sid:2027653; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Dropbox Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.dropbox.com"; within:500; classtype:social-engineering; sid:2027549; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"search.webstie.net"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027654; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned American Express Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from online.americanexpress.com"; within:500; classtype:social-engineering; sid:2027550; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 CnC in DNS Lookup"; dns.query; content:"dns.domain-resolve.org"; nocase; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027655; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned ABSA Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.absa.co.za"; within:500; classtype:social-engineering; sid:2027551; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif POSTing Log Message to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_logs.php"; depth:19; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027656; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Match Dating Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from secure.match.com"; within:500; classtype:social-engineering; sid:2027552; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Submitting Output of Command to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_cmd_res.php"; depth:22; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027657; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Telekom / Tmobile Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from accounts.login.idm.telekom.com"; within:500; classtype:social-engineering; sid:2027553; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cl_client_cmd.php"; depth:18; fast_pattern; endswith; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; classtype:targeted-activity; sid:2027658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned South State Bank Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.southstatebank.com"; within:500; classtype:social-engineering; sid:2027554; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT32 Win32/Ratsnif CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cl_client_online.php"; depth:21; endswith; http.request_body; content:"Q29tcHV0ZXJOYW1lPV"; depth:18; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; reference:url,threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html; reference:md5,516ad28f8fa161f086be7ca122351edf; classtype:targeted-activity; sid:2027659; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Ratsnif, performance_impact Low, signature_severity Major, tag APT32, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Google Tools Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from tools.google.com"; within:500; classtype:social-engineering; sid:2027555; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Tripoli Related CnC Checkin"; flow:established,to_server; http.user_agent; content:"30909D51946D672A48B1729580088C4F"; depth:32; fast_pattern; endswith; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Yahoo Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from login.yahoo.com"; within:500; classtype:social-engineering; sid:2027556; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Turla/APT34 CnC Domain Domain (dubaiexpo2020 .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"dubaiexpo2020.cf"; endswith; reference:md5,4079500faa93e32a2622e1593ad94738; classtype:targeted-activity; sid:2027669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Discover Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from card.discover.com"; within:500; classtype:social-engineering; sid:2027557; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla/APT34 CnC Domain)"; flow:established,to_client; tls.cert_subject; content:"CN=microsoft.updatemeltdownkb7234.com"; nocase; endswith; reference:md5,2a8672b0fd29dc3b6f49935691b648bc; classtype:domain-c2; sid:2027670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_03, deployment Perimeter, former_category MALWARE, malware_family Turla, malware_family APT34, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Linkedin Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.linkedin.com"; within:500; classtype:social-engineering; sid:2027558; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known Malicious Server in DNS Lookup (updatecache .com)"; dns.query; content:"updatecache.com"; nocase; endswith; classtype:trojan-activity; sid:2027678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned NAB Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from ib.nab.com.au"; within:500; classtype:social-engineering; sid:2027559; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Custom Firefox UA Observed (Firefox...)"; flow:established,to_server; http.user_agent; content:"Firefox..."; depth:10; fast_pattern; endswith; classtype:bad-unknown; sid:2027686; rev:3; metadata:created_at 2019_07_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Ziggo NL Page - Possible Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- mirrored from www.ziggo.nl"; within:500; classtype:social-engineering; sid:2027560; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jokerlol.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027687; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Goth Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 47 4f 54 48 20 42 4f 59 20 43 4c 49 51 55 45 20 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 20 2d 2d 3e|"; classtype:social-engineering; sid:2027563; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kusasukusa.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027688; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Zeus365 Encoding"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 20 68 74 6d 6c 20 65 6e 63 72 79 70 74 69 6f 6e 20 70 72 6f 76 69 64 65 64 20 62 79 20 7a 65 75 73 33 36 35 20 2d 2d 3e|"; classtype:social-engineering; sid:2027562; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"tracker-visitors.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027689; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING SSL/TLS Certificate Observed (Lucy Phishing Awareness Default Certificate)"; flow:established,to_client; tls.cert_issuer; content:"C=CH, ST=Thalwil, L=Thalwil, O=LUCY Phishing GmbH, OU=LUCY Phishing GmbH"; reference:url,cdn.riskiq.com/wp-content/uploads/2019/06/Gift-Cardsharks-Intelligence-Report-2019-RiskIQ.pdf; reference:url,lucysecurity.com; classtype:misc-activity; sid:2027621; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-web.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027690; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful France Ministry of Action and Public Accounts Phish 2019-07-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"rfr="; nocase; content:"&teledec="; nocase; fast_pattern; content:"&spi="; nocase; content:"&AK09="; nocase; classtype:credential-theft; sid:2027679; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jquery-stats.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027691; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING France Ministry of Action and Public Accounts Phish Landing"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"cardcc|27 29|.mask|28 20 22|9999"; fast_pattern; content:"<title>Remboursement<|2f|title>"; distance:0; content:"id=|22|impotsgouv|22|"; distance:0; classtype:social-engineering; sid:2027680; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Phish, updated_at 2020_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"jsreload.pw"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027692; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-07-09"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; content:"&epass="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2031870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=started"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027701; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eCh0raix/QNAPCrypt CnC Activity - Done"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?s=done"; endswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:command-and-control; sid:2027702; rev:4; metadata:attack_target IoT, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FreakzBrothers X"; nocase; fast_pattern; classtype:web-application-activity; sid:2030816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"cloudflare-dns.com"; endswith; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/json-format; classtype:misc-activity; sid:2027695; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Caixa Phishing Landing"; flow:established,to_client; file.data; content:"<title>int_e_r-n___et___B_aNking---- :::____CAIXA"; nocase; fast_pattern; classtype:social-engineering; sid:2030817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_31, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; http.user_agent; content:"Python-urllib/"; nocase; depth:14; http.host; content:!"dropbox.com"; endswith; content:!"downloads.ironport.com"; endswith; content:!".ubuntu.com"; endswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:9; metadata:created_at 2011_06_14, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Anonisma Paypal Phishing Uri Structure 2015-12-29"; flow:to_server,established; http.uri; content:".php?cmd=_"; nocase; fast_pattern; content:"account_limited="; distance:0; nocase; content:"&session="; nocase; distance:0; pcre:"/=[a-f0-9]{32}&session=[a-f0-9]{40}$/i"; classtype:social-engineering; sid:2031861; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_12_29, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC POST"; flow:to_server,established; urilen:>40; http.method; content:"POST"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; http.request_body; content:"AAAAAAAAAAAAAAAAAAAA"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING 16Shop Phishing Kit Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>16SHOP"; fast_pattern; nocase; content:"<label>Public Key"; distance:0; nocase; content:"<label>Password"; distance:0; nocase; classtype:web-application-attack; sid:2029914; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Major, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC GET"; flow:to_server,established; urilen:>40; http.method; content:"GET"; http.uri; content:"/?"; depth:2; content:"AAAAAAAAAA"; distance:0; pcre:"/^\/\?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Accept|3a 20|Accept|3a|*/*|0d 0a|"; depth:20; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.5|3b 20|Windows NT 5.0)"; depth:50; endswith; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027710; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-08-23"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"usuario="; fast_pattern; content:"&clave="; distance:0; classtype:credential-theft; sid:2027911; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&get=Zaloguj"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029677; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (single dash)"; flow:to_server,established; http.user_agent; content:"-"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Query to Generic 107 Phishing Domain"; threshold:type limit, track by_src, count 1, seconds 30; dns.query; content:"login"; nocase; content:"107sbtd9cbhsbt"; fast_pattern; distance:0; nocase; classtype:social-engineering; sid:2024464; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_12, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/uploadplugin.action"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file_"; content:"Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a 50 4b 03 04|"; distance:0; reference:url,www.corben.io/atlassian-crowd-rce/; reference:cve,CVE-2019-11580; classtype:attempted-admin; sid:2027712; rev:3; metadata:attack_target Web_Server, created_at 2019_07_16, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FR Carte Bleue / BCP Phish 2016-09-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ques="; depth:5; nocase; content:"&login="; nocase; distance:0; fast_pattern; content:"&motdepass"; nocase; distance:0; classtype:credential-theft; sid:2032403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SLUB Domain in DNS Lookup"; dns.query; content:"toni132.pen.io"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use/; classtype:trojan-activity; sid:2027722; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish (set) 2016-03-01"; flow:to_server,established; flowbits:set,ET.applephish; flowbits:noalert; http.method; content:"POST"; http.header; content:"Referer|3a|"; http.request_body; content:"u="; depth:2; nocase; fast_pattern; content:"&p="; nocase; distance:0; classtype:credential-theft; sid:2027955; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/sslmgr"; endswith; nocase; http.request_body; content:"scep-profile-name=%"; depth:19; fast_pattern; pcre:"/^[0-9]+/R"; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:4; metadata:attack_target Server, created_at 2019_07_18, cve cve_2019_1579, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST to Free Webhost - Possible Successful Phish (site40 . net) Jul 18 2017"; flow:to_server,established; http.method; content:"POST"; http.host; content:"site40.net"; endswith; fast_pattern; classtype:credential-theft; sid:2024470; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"gamework.ddns.net"; nocase; depth:17; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027724; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-09-03"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"password="; depth:9; content:"&submit=Next"; fast_pattern; nocase; isdataat:!1,relative; pcre:"/^password=[^&]*&submit=Next$/i"; classtype:trojan-activity; sid:2031872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"workan.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027725; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Webmail Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"login="; depth:6; nocase; content:"&password="; nocase; distance:0; content:"&from_main_page="; nocase; distance:0; fast_pattern; content:"&version="; nocase; distance:0; content:"&autologin="; nocase; distance:0; content:"&client="; nocase; distance:0; content:"&uiWebPath="; nocase; distance:0; classtype:credential-theft; sid:2032465; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"clsass.ddns.net"; nocase; depth:15; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027726; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Verified by Visa Phish Jan 30 2014"; flow:established,to_server; http.uri; content:"/vbv.php"; fast_pattern; http.request_body; content:"password="; classtype:credential-theft; sid:2018044; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"kotl.space"; nocase; depth:10; endswith; reference:url,www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/; classtype:command-and-control; sid:2027727; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Zimbra Phishing Landing on Appspot Hosting"; flow:established,to_client; flowbits:isset,ET.appspothosted; file.data; content:"<title>Zimbra Web Client Sign In"; fast_pattern; classtype:social-engineering; sid:2030869; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Disposable Email Provider Domain in DNS Lookup (www .yopmail .com)"; dns.query; content:"www.yopmail.com"; nocase; depth:15; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:policy-violation; sid:2027733; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful WhatsApp Phish M1 2016-12-07"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"location="; depth:9; nocase; content:"&langa="; nocase; distance:0; content:"&ext="; nocase; distance:0; content:"&hold="; nocase; distance:0; content:"&djj="; nocase; distance:0; content:"&dmm="; nocase; distance:0; content:"&daa="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; fast_pattern; content:"&expiry="; nocase; distance:0; content:"&cvc="; nocase; distance:0; classtype:credential-theft; sid:2032466; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nurlamurla.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027740; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_22, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Poste Italiane Phish Jun 08 2017"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/foo-autenticazione.php"; fast_pattern; endswith; http.request_body; content:"pass"; nocase; classtype:credential-theft; sid:2024370; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"subarnakan.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027741; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic 000webhostapp.com Phish 2017-10-27"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; classtype:credential-theft; sid:2029664; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"asilofsen.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING 401TRG Successful Multi-Email Phish - Observed in Docusign/Dropbox/Onedrive/Gdrive Nov 02 2017"; flow:to_server, established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"pasuma"; nocase; depth:100; fast_pattern; content:"name"; nocase; classtype:credential-theft; sid:2024942; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"manrodoerkes.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027743; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible barclays .co. uk Phishing Domain 2016-06-22"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"barclays.co.uk"; fast_pattern; isdataat:20,relative; content:!".exit"; endswith; classtype:social-engineering; sid:2032445; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"ashkidiore.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027744; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Amazon Phishing Domain 2016-06-21"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"amazon.com"; fast_pattern; isdataat:20,relative; content:!".exit"; endswith; classtype:social-engineering; sid:2032444; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"druhanostex.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027745; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish to .tk domain Aug 26 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".tk"; endswith; fast_pattern; classtype:credential-theft; sid:2023137; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"kapintarama.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Drive Phish Sept 1 M2 2015-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"challengetype="; fast_pattern; content:"&phoneNumber="; nocase; content:"&recEmail="; nocase; classtype:credential-theft; sid:2031826; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"moreflorecast.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027747; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2017-12-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ema="; depth:4; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031864; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"preploadert.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027748; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu"; endswith; classtype:credential-theft; sid:2025333; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"troxymuntisex.org"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027749; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-04-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?confirmation"; fast_pattern; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&pass_input="; nocase; distance:0; classtype:credential-theft; sid:2025505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_04_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 ShellTea CnC in DNS Query"; dns.query; content:"nduropasture.net"; nocase; endswith; reference:url,atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/; classtype:command-and-control; sid:2027750; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) 2016-02-27"; flow:to_server,established; flowbits:set,ET.bofaphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"formID="; depth:7; nocase; classtype:credential-theft; sid:2027958; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=nlgyscgika"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=nlgyscgika"; classtype:domain-c2; sid:2027753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:social-engineering; sid:2022486; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Quick Macros)"; flow:established,to_server; http.user_agent; content:"Quick|20|Macros"; depth:12; endswith; reference:md5,aa682f5d4a17307539a2bc7048be0745; classtype:trojan-activity; sid:2027755; rev:3; metadata:created_at 2019_07_24, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; http.method; content:"POST"; http.header; content:"?rid="; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/i"; http.host; content:!"xerox.com"; endswith; reference:url,getgophish.com; classtype:credential-theft; sid:2022487; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Phorpiex CnC Domain in DNS Lookup"; dns.query; content:"b0t.to"; depth:6; nocase; endswith; classtype:command-and-control; sid:2027756; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2018-09-27 M2"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.header; content:".php?Email="; nocase; fast_pattern; content:"@"; distance:0; classtype:credential-theft; sid:2029666; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Commercial Proxy Provider geosurf .io)"; flow:established,to_client; tls.cert_subject; content:"C=IL, L=Tel Aviv, O=BI Science (2009) Ltd, OU=WEB, CN=*.geosurf.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027760; rev:3; metadata:created_at 2019_07_26, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.TW Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.tw"; endswith; classtype:credential-theft; sid:2026430; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)"; flow:established,to_client; threshold: type limit, track by_dst, count 1, seconds 600; tls.cert_subject; content:"C=DE, O=philandro Software GmbH, CN=AnyNet Relay"; endswith; fast_pattern; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027761; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish to zap-webspace.com Webhost 2018-10-25"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".zap-webspace.com"; endswith; fast_pattern; classtype:credential-theft; sid:2026553; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; http.host; content:"8866.org"; endswith; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:7; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.CO Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.co"; endswith; classtype:credential-theft; sid:2026894; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 2"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.2; content:"w-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a 0d 0a|"; depth:60; endswith; reference:url,www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf; reference:md5,cd22fa7c9d9e61b4aeac6acd10790d10; reference:md5,82332d2a0cf8330f8de608865508713d; classtype:targeted-activity; sid:2020029; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic .EDU.BR Phish (Legit Set)"; flow:to_server,established; flowbits:set,ET.realEDUrequest; flowbits:noalert; http.host; content:".edu.br"; endswith; classtype:credential-theft; sid:2026895; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newsocks5.php"; depth:14; fast_pattern; endswith; http.user_agent; content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|10.0|3b 20|Win64"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; content:!"Connection"; reference:md5,03b6c8d49c70df01afc0765f8fa51d0c; classtype:command-and-control; sid:2028920; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, former_category MALWARE, malware_family Phoriex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Phish - Password Submitted to *.000webhostapp.com"; flow:established,to_server; http.method; content:"POST"; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.request_body; content:"password="; nocase; classtype:credential-theft; sid:2027146; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www .net .cn)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static/customercare/yourip.asp"; depth:31; endswith; fast_pattern; http.host; content:"www.net.cn"; reference:md5,51bdd385ab780d1efd1a62129f066edf; classtype:external-ip-check; sid:2027786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-04-12"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ur="; depth:3; nocase; content:"&ps="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2027196; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"protonmail.sh"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027772; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
 
@@ -51690,200 +52496,6 @@ alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishin
 
 alert dns $HOME_NET any -> any any (msg:"ET PHISHING Possible Protonmail Phishing Domain in DNS Query"; dns.query; content:"my.secure-protonmail.com"; nocase; endswith; reference:url,threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/; classtype:social-engineering; sid:2027785; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow:established,to_server; http.header; content:!"cn.patch.battlenet.com.cn"; http.user_agent; content:"agent"; depth:5; http.host; content:!".battle.net"; content:!".blizzard.com"; endswith; content:!"blz"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; classtype:trojan-activity; sid:2001891; rev:24; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=linddiederich462.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027799; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=lambada.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Various CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uberalles.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2027801; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .itraffic .click in DNS Lookup)"; dns.query; content:"purple.itraffic.click"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027804; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Critical, tag Android, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (purple .m-ads .net in DNS Lookup)"; dns.query; content:"purple.m-ads.net"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027805; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan.AndroidOS.TimpDoor (drproxy .pro in DNS Lookup)"; dns.query; content:"drproxy.pro"; endswith; reference:md5,f626bbe0720323635f75ba08b1e7e8e4; reference:md5,5faad53df0fa1f4d5c199b49c77025eb; classtype:trojan-activity; sid:2027806; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2019_08_06, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_TimpDoor, signature_severity Major, tag Android, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm.php"; fast_pattern; endswith; http.request_body; content:"k="; depth:2; pcre:"/^\d{5,10}$/R"; http.accept_lang; content:"en-US|3b|q=0.5,en|3b|q=0.3"; http.header_names; content:!"Referer"; content:"Content"; content:"User-Agent"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027807; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"artisticday.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027819; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"astonishingwill.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027820; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"directfood.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027821; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"gradualrain.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027822; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"proapp.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027823; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"provincialwake.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027824; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"shrek.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027825; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"thinstop.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027826; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Varenyky Spambot CnC in DNS Query"; dns.query; content:"entreprisecommande.icu"; nocase; endswith; reference:url,www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/; classtype:command-and-control; sid:2027827; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Generic Style UA Observed (My_App)"; flow:established,to_server; http.user_agent; content:"My_App"; depth:6; fast_pattern; endswith; reference:md5,2978dbadd8fda7d842298fbd476b47b2; classtype:bad-unknown; sid:2027833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category HUNTING, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emp.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027850; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"bruhitsnot.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027851; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"emptiness.web2tor.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027852; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"version2.ilove26.cf"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027853; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"luckyhere.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027854; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"imtesting.shiina.ga"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027855; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Emptiness CnC Domain in DNS Query"; dns.query; content:"ggwp.emptiness.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027856; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Mirai.shiina CnC Domain in DNS Query"; dns.query; content:"shiina.mashiro.tk"; nocase; endswith; reference:url,blog.netlab.360.com/emptiness-a-new-evolving-botnet/; classtype:command-and-control; sid:2027857; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup getip.pw"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"getip.pw"; fast_pattern; endswith; classtype:external-ip-check; sid:2027860; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP Variant CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"abc="; depth:4; pcre:"/^[a-z0-9/%=]{100,}$/Ri"; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2027861; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Requesting Brute Force List (flowbit set)"; flow:established,to_server; flowbits:set,ET.PhpMyAdminBrute.1; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"GET"; http.uri; content:"?worker=php_b"; fast_pattern; endswith; http.user_agent; content:"Ubuntu|3b 20|Linux|20|x86_64"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1c315f9487ad20c3ac72747f13968507; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:trojan-activity; sid:2033717; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_14, deployment Perimeter, former_category MALWARE, malware_family PhpMyAdminBrute, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gw?worker="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,1b8052d60de7ce8a9d281cf43d8d3091; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoBrut/StealthWorker Service Bruter CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/knock?worker="; fast_pattern; content:"&os="; content:"&version="; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux x"; depth:33; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,bcb7d4fdee2023ad62132ebdf794baa4; reference:url,blog.yoroi.company/research/gobrut-a-new-golang-botnet/; reference:url,blog.yoroi.company/research/new-gobrut-version-in-the-wild/; classtype:command-and-control; sid:2033719; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .biz TLD"; dns.query; content:".biz"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027863; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .okinawa TLD"; dns.query; content:".okinawa"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027864; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .cloud TLD"; dns.query; content:".cloud"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027865; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .desi TLD"; dns.query; content:".desi"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027866; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .life TLD"; dns.query; content:".life"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027867; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .work TLD"; dns.query; content:".work"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027868; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .ryukyu TLD"; dns.query; content:".ryukyu"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027869; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .world TLD"; dns.query; content:".world"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027870; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .fit TLD"; dns.query; content:".fit"; nocase; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027871; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_13, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.okinawa Domain"; flow:established,to_server; http.host; content:".okinawa"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027873; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.cloud Domain"; flow:established,to_server; http.host; content:".cloud"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027874; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.desi Domain"; flow:established,to_server; http.host; content:".desi"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027875; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.life Domain"; flow:established,to_server; http.host; content:".life"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027876; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.work Domain"; flow:established,to_server; http.host; content:".work"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027877; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.ryukyu Domain"; flow:established,to_server; http.host; content:".ryukyu"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027878; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.world Domain"; flow:established,to_server; http.host; content:".world"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027879; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to Suspicious *.fit Domain"; flow:established,to_server; http.host; content:".fit"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2027880; rev:4; metadata:created_at 2019_08_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027881; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027882; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; depth:18; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:4; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:pup-activity; sid:2007860; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Explorer)"; flow:established,to_server; http.user_agent; content:"Explorer"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:pup-activity; sid:2007921; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:27; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:pup-activity; sid:2007929; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP)"; flow:to_server,established; http.user_agent; content:"HTTP"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:pup-activity; sid:2007943; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"wget 3.0"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007961; classtype:pup-activity; sid:2007961; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; endswith; http.host; content:!".iobit.com"; content:!".microsoft.com"; content:!".cnn.com"; content:!".wunderground.com"; content:!".weatherbug.com"; content:!"iobit.com.s3.amazonaws.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:pup-activity; sid:2008038; rev:15; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (My Session)"; flow:to_server,established; http.user_agent; content:"My Session"; nocase; depth:10; http.host; content:!".windows.net"; endswith; reference:url,doc.emergingthreats.net/2010677; classtype:pup-activity; sid:2010677; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"x"; depth:1; endswith; http.host; content:!"update.aida64.com"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:pup-activity; sid:2013017; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; http.host; content:"go2000.cn"; endswith; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:pup-activity; sid:2013422; rev:6; metadata:created_at 2011_08_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; http.uri; content:"/dmresources/instructions"; fast_pattern; content:".dat"; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.protocol; content:"HTTP/1.0"; endswith; http.header_names; content:!"Referer"; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; classtype:pup-activity; sid:2017992; rev:11; metadata:created_at 2014_01_20, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/OptimizerPro.exe"; nocase; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018743; rev:6; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/PicColor Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?d="; content:"&format=json"; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:pup-activity; sid:2020948; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_20, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/launch/"; endswith; http.header_names; content:"X-Crypto-Version"; fast_pattern; content:!"User-Agent"; content:!"Referer"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:pup-activity; sid:2021283; rev:7; metadata:created_at 2015_06_16, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; http.user_agent; content:"PCAcceleratePro"; depth:15; endswith; classtype:pup-activity; sid:2022828; rev:6; metadata:created_at 2016_05_18, former_category ADWARE_PUP, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/q/"; depth:3; fast_pattern; http.request_body; content:"q="; depth:2; pcre:"/^[a-zA-Z0-9_-]+$/R"; http.connection; content:"close"; nocase; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:pup-activity; sid:2025094; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_01, deployment Internet, former_category ADWARE_PUP, malware_family Adposhel, performance_impact Moderate, signature_severity Major, tag Adware, updated_at 2020_09_17;)
-
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; tls.cert_subject; content:"CN=*.qbix.com"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:pup-activity; sid:2025424; rev:4; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2018_03_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"maraukog.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"acinster.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"aclassigned.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025489; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"efishedo.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025490; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"enclosely.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025491; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"insupposity.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025492; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"suggedin.info"; endswith; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:pup-activity; sid:2025493; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_13, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; dns.query; content:"suggedin.info"; nocase; endswith; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:pup-activity; sid:2025531; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Foniad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr5.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027422; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR Request for LNKR js file M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lnkr30_nt.min.js"; endswith; fast_pattern; http.header_names; content:"User-Agent"; content:"Referer"; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027423; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed OSX/PremierOpinionD Collection Domain in TLS SNI"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; tls.sni; content:"oss-content.securestudies.com"; endswith; reference:url,www.airoav.com/mitm-voicefive; classtype:pup-activity; sid:2027694; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_07_09, deployment Perimeter, former_category ADWARE_PUP, malware_family PremierOpinionD, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Reporting Details to CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?ver="; content:"&t="; distance:0; content:"&domain="; distance:0; content:"&file="; distance:0; content:"&ext="; distance:0; content:"&cache="; distance:0; content:"&res1="; distance:0; http.user_agent; content:"VCSoapClient"; depth:12; fast_pattern; endswith; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027830; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_09_17;)
-
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Kryptik.XSY Data Exfil via SMTP"; flow:established,to_server; content:"|0d 0a|Subject: PW_"; content:"filename|3d 22|PW_"; content:"_"; distance:0; content:"_"; distance:4; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:"_"; distance:2; within:1; content:".html|22 0d 0a 0d 0a|VGltZTog"; distance:2; within:18; fast_pattern; reference:md5,61181c9665789225439d04d6eef5527f; classtype:command-and-control; sid:2030887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/i"; http.header; content:!"MstarUpdate"; http.user_agent; content:!"Mozilla/"; http.host; content:!".bitdefender.com"; content:!".homestead.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:10; metadata:created_at 2015_04_01, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - Exfiltration Activity"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/up.php"; depth:37; fast_pattern; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploadfile|22 3b 20|filename|3d 22|"; content:".bin|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:18; within:47; http.content_type; content:"multipart/form-data|3b|"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:trojan-activity; sid:2027895; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category TROJAN, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clipsa Stealer - CnC Checkin"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/WPSecurity/load.php"; depth:39; fast_pattern; endswith; http.request_body; pcre:"/^[a-zA-Z0-9]+$/"; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; byte_test:0,<=,400,0,string,dec; http.header_names; content:!"Referer"; reference:md5,7e52633ffa2c3aee03e8b26f03e07cc4; reference:url,decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/; classtype:command-and-control; sid:2027893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_16, deployment Perimeter, former_category MALWARE, malware_family Clipsa, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTTP-TUNNEL detected"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?crap"; startswith; fast_pattern; threshold:type limit, track by_src,count 5, seconds 30; classtype:policy-violation; sid:2030886; rev:1; metadata:created_at 2020_09_17, former_category POLICY, signature_severity Informational, updated_at 2020_09_17;)
-
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inter Skimmer CnC Domain in DNS Lookup"; dns.query; content:"routingzen.com"; nocase; depth:14; endswith; reference:url,www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html; classtype:command-and-control; sid:2027693; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
-
-alert http any any -> any 10000 (msg:"ET WEB_SERVER Webmin RCE CVE-2019-15107"; flow:to_server,established; content:"/password_change.cgi"; depth:20; fast_pattern; endswith; http.method; content:"POST"; http.request_body; content:"|7c|"; reference:url,blog.firosolutions.com/exploits/webmin/; reference:cve,2019-15107; classtype:attempted-admin; sid:2027896; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_08_18, deployment Perimeter, deployment Internal, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Critical, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/down.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027900; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/vers.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027901; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyKings Bootloader Variant Requesting Payload M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ok/64.html"; startswith; fast_pattern; endswith; http.accept; content:"*/*"; startswith; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Cache"; content:!"Accept-"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response/; classtype:trojan-activity; sid:2027902; rev:3; metadata:created_at 2019_08_21, former_category MALWARE, malware_family Mirai, malware_family MyKings, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipaddress .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myip"; depth:5; endswith; http.host; content:"api.ipaddress.com"; depth:17; fast_pattern; endswith; classtype:external-ip-check; sid:2027905; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Chrome"; fast_pattern; bsize:6; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-conn; reference:md5,0e0b7b238a06a2a37a4de06a5ab5e615; classtype:trojan-activity; sid:2027914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category MALWARE, malware_family Nemty, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Geo IP Lookup (api .db-ip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2027915; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
-
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Alpha Stealer v1.5 PWS Exfil via HTTP"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[A-Za-z]+?/Rsi"; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; distance:0; content:"Screen.jpg"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,a55bd3cc5caa47cb45355e9f79d4fc47; classtype:trojan-activity; sid:2027917; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category TROJAN, malware_family Alpha_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
-
-alert tls $EXTERNAL_NET 853 -> $HOME_NET any (msg:"ET POLICY Quad9 DNS Over TLS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=Berkeley, O=Quad9, CN=*.quad9.net"; endswith; fast_pattern; reference:md5,1e686b56ccbcb28667698389703bb13a; classtype:policy-violation; sid:2027918; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
-
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed External IP Lookup Domain (ipconfig .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipconfig.cf"; endswith; classtype:external-ip-check; sid:2027919; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful SFR Account Phish 2015-09-01"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"&execution="; content:"eventId=submit&username="; fast_pattern; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2031824; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish - Phone Number 2015-09-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Phone="; depth:6; fast_pattern; classtype:credential-theft; sid:2031825; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
@@ -52248,8 +52860,6 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Googl
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Office 365 Phish 2016-11-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Passwd="; nocase; distance:0; content:"&type="; nocase; distance:0; content:"&fspost="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032630; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Generic PDF Online Phish (set) 2016-10-11"; flow:to_server,established; flowbits:set,ET.GenericPDFOnline.Phish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&pass"; nocase; distance:0; content:"&submit="; nocase; distance:0; endswith; classtype:credential-theft; sid:2032631; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2021_06_23;)
-
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish M1 2016-09-30"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"_nossn="; depth:7; nocase; content:"&lobIndicator="; nocase; distance:0; fast_pattern; content:"&userid="; nocase; distance:0; content:"&password="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; classtype:credential-theft; sid:2032556; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse (DE) Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"sfm_form_submitted="; depth:19; nocase; content:"&Anrede="; nocase; distance:0; content:"&Titel="; nocase; distance:0; content:"&Vorname="; nocase; distance:0; content:"&Name="; nocase; distance:0; content:"&LegitimationsID="; nocase; distance:0; fast_pattern; content:"&PIN="; nocase; distance:0; content:"&Strabe="; nocase; distance:0; content:"&Postleitzah="; nocase; distance:0; content:"&PLZ="; nocase; distance:0; content:"&Wohnort="; nocase; distance:0; content:"&Geburtsdatum="; nocase; distance:0; content:"&Handy="; nocase; distance:0; content:"&Telefon="; nocase; distance:0; content:"&KontoNr="; nocase; distance:0; content:"&Datum="; nocase; distance:0; classtype:credential-theft; sid:2032632; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
@@ -52382,17327 +52992,21641 @@ alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Key B
 
 alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Phish 2015-08-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; fast_pattern; content:"&passwd="; distance:0; content:"&Upgrade="; nocase; distance:0; classtype:credential-theft; sid:2031888; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.co.za"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027922; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; dns.query; content:"secure.netsolhost.com"; depth:21; nocase; endswith; fast_pattern; classtype:social-engineering; sid:2022136; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"cybersecnet.org"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027923; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Australia Bank Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Yes="; depth:4; nocase; content:"&PRIMARY_CUR_TYPE_CODE="; nocase; distance:0; fast_pattern; content:"&PRIMARY_PRV_APT_NUM="; nocase; distance:0; content:"&PRIMARY_PRV_STREET_NUM="; nocase; distance:0; content:"&PRIMARY_PRV_STREET_NAME="; nocase; distance:0; content:"&PRIMARY_PRV_STATE="; nocase; distance:0; content:"&PRIMARY_PRV_POST_CODE="; nocase; distance:0; content:"&APP_NAB_PRI_PRV_COUNTRY="; nocase; distance:0; content:"&PRIMARY_PRV_MTHS_AT_RES.year="; nocase; distance:0; content:"&PRIMARY_PRV_MTHS_AT_RES.month="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp_month="; nocase; distance:0; content:"&exp_year="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032721; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"excsrvcdn.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027924; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Facebook Phishing Domain in DNS Lookup"; dns.query; content:"www.oitunmy.com"; nocase; depth:15; endswith; reference:url,twitter.com/bomccss/status/1175173176596152320; classtype:credential-theft; sid:2028616; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"online-analytic.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-09-21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"xbalti"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&passid="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2033006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-traffic.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; http.uri; content:"/cart.php?site="; fast_pattern; content:"&p="; content:"&nm="; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019682; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"web-statistics.info"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-09-29"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; content:".php"; isdataat:!1,relative; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscachecloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M5"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030936; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"dnscloudservice.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027929; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M6"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030937; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain Observed in DNS Query"; dns.query; content:"opendnscloud.com"; nocase; endswith; reference:url,www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign; classtype:command-and-control; sid:2027930; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailgun Phishing Landing"; flow:to_client,established; file.data; content:"<title>Log In to Mailgun"; nocase; content:"function checkUsername()"; nocase; distance:0; content:"function checkPassword()"; nocase; distance:0; content:".php|22|,"; nocase; distance:0; content:"type|3a 20 22|POST|22|,"; nocase; distance:0; content:"data|3a 20|{username|3a 20|$('#username').val(),password|3a|$('#password').val()"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2030943; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT RIG EK - Unexpected Victim Location Server Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Sea|20|for|20|a|20|life"; startswith; fast_pattern; endswith; classtype:exploit-kit; sid:2027934; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category EXPLOIT_KIT, malware_family RigEK, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tabDialog.html?dialog=login"; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE W32.Razy Inject Domain in DNS Lookup"; dns.query; content:"solkoptions.host"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/razy-in-search-of-cryptocurrency/89485/; classtype:trojan-activity; sid:2026858; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Login Phish 2016-06-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; fast_pattern; http.request_body; content:"email="; nocase; depth:6; content:"&passwd="; nocase; distance:0; content:"&Submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032682; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .to TLD"; dns.query; content:".to"; endswith; fast_pattern; classtype:bad-unknown; sid:2027757; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Team IPwned Phishing Landing 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"teamipwned"; fast_pattern; content:"data-shortuserid=|22|teamipwned|22|"; nocase; content:"data-userid=|22|teamipwned|22|"; nocase; distance:0; content:"value=|22|IPwned|22|"; nocase; distance:0; classtype:social-engineering; sid:2032693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query for .cc TLD"; dns.query; content:".cc"; endswith; fast_pattern; classtype:bad-unknown; sid:2027758; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category DNS, signature_severity Minor, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"<title>DocuSign"; fast_pattern; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; classtype:social-engineering; sid:2030984; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.vv.cc domain"; dns.query; content:".vv.cc"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2012826; rev:5; metadata:created_at 2011_05_19, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">PASSW0RD <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030985; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.be Domain"; dns.query; content:".co.be"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013124; rev:7; metadata:created_at 2011_06_29, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">Password   <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; content:">Confirm Password  <span class=|22|form-required|22|>*</span></label>"; distance:0; classtype:social-engineering; sid:2030986; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .net.tf Domain"; dns.query; content:".net.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013847; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">P a s s <span class=|22|form-not-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030987; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .eu.tf Domain"; dns.query; content:".eu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013848; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; reference:url,lucysecurity.com/; classtype:web-application-attack; sid:2030992; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .int.tf Domain"; dns.query; content:".int.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013849; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; classtype:web-application-attack; sid:2030993; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .edu.tf Domain"; dns.query; content:".edu.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013850; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_bkid="; content:"_bkpass="; fast_pattern; content:"_accn="; classtype:credential-theft; sid:2019784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .us.tf Domain"; dns.query; content:".us.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013851; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fulln="; fast_pattern; content:"_ccn="; content:"_ccv="; classtype:credential-theft; sid:2019783; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ca.tf Domain"; dns.query; content:".ca.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013852; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fn="; content:"_ln="; content:"_birthd="; fast_pattern; classtype:credential-theft; sid:2019782; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .bg.tf Domain"; dns.query; content:".bg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013853; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish Dec 29 2016"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Chase Online"; fast_pattern; classtype:credential-theft; sid:2031573; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ru.tf Domain"; dns.query; content:".ru.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013854; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Citibank Phish M1 2016-08-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/online.citi.com/"; fast_pattern; content:".php"; endswith; classtype:credential-theft; sid:2032691; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .pl.tf Domain"; dns.query; content:".pl.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013855; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Citibank Phish M2 2016-08-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"/online.citi.com/"; fast_pattern; classtype:credential-theft; sid:2032692; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .cz.tf Domain"; dns.query; content:".cz.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013856; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-10-13"; flow:established,to_client; content:"|0d 0a 0a|<!doctype|20|"; http.stat_code; content:"200"; file.data; content:".lollol|20|{|0d 0a|"; fast_pattern; content:"|20|chase logo|22|></div>|0d 0a|"; classtype:social-engineering; sid:2031010; rev:1; metadata:created_at 2020_10_13, former_category PHISHING, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .de.tf Domain"; dns.query; content:".de.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013857; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"<title>Copyright|20 7c 20|Help Instagram"; fast_pattern; content:"<form method=|22|post|22 20|action=|22|"; distance:0; content:".php|22|"; within:50; classtype:social-engineering; sid:2031003; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .at.tf Domain"; dns.query; content:".at.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013858; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"Amazon Sign In</title>"; content:"#zwimel {"; distance:0; fast_pattern; classtype:social-engineering; sid:2031004; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .ch.tf Domain"; dns.query; content:".ch.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013859; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Instagram Phishing Domain"; flow:established,to_server; http.host; content:"lnstagram"; fast_pattern; pcre:"/\.(?:tk|gq|ga|xyz|ml|cf)$/"; classtype:social-engineering; sid:2031005; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .sg.tf Domain"; dns.query; content:".sg.tf"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013860; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Login Hosted on Firebasestorage"; flow:established,to_client; http.header; content:"X-GUploader-UploadID|3a 20|"; content:"|0d 0a|x-goog-"; file.data; content:"<title>Sign in to your Microsoft account</title>"; fast_pattern; classtype:social-engineering; sid:2031006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .nl.ai Domain"; dns.query; content:".nl.ai"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013861; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Web.App Hosted Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.host; content:".web.app"; isdataat:!1,relative; fast_pattern; http.request_body; content:"password="; depth:9; nocase; classtype:credential-theft; sid:2031011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .xe.cx Domain"; dns.query; content:".xe.cx"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013862; rev:5; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; content:"&passid="; distance:0; fast_pattern; content:"&Token="; distance:0; pcre:"/^userid=[^&]*&passid=[^&]*&Token=$/"; classtype:credential-theft; sid:2033007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for Suspicious .noip.cn Domain"; dns.query; content:".noip.cn"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013970; rev:5; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suntrust Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<!-- Inserted by miarroba"; content:"<title>SunTrust</title>"; fast_pattern; nocase; content:">For your protection"; distance:0; content:"additional security step"; distance:0; content:"name=|22|captcha|22|"; distance:0; classtype:social-engineering; sid:2031062; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server"; dns.query; content:"gongfu-android.com"; depth:18; endswith; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:command-and-control; sid:2013023; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_06_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031063; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ch.vu Domain"; dns.query; content:".ch.vu"; fast_pattern; nocase; endswith; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:8; metadata:created_at 2012_02_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; dns.query; content:".ez-dns.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013845; rev:6; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-11-06"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&ps="; nocase; distance:0; content:"&psRNGCDefaultType="; nocase; distance:0; fast_pattern; content:"&FoundMSAs="; nocase; distance:0; content:"&i19="; nocase; distance:0; classtype:credential-theft; sid:2029681; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; dns.query; content:".dyndns-web.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013863; rev:7; metadata:created_at 2011_11_07, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028945; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; dns.query; content:".dyndns-at-home.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013971; rev:7; metadata:created_at 2011_11_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028946; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain"; dns.query; content:".4irc.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014480; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Phishing Landing 2020-10-23"; flow:established,to_client; file.data; content:"var str =  'Sign in to Outlook'|3b|"; content:"$(|22|#add_pass|22|).show()|3b|"; content:"$('#email').val('')|3b|"; content:"function set_brand("; content:"function true_email("; fast_pattern; classtype:social-engineering; sid:2031086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain"; dns.query; content:".b0ne.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014482; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:".php|22 20|method=|22|post|22|"; content:"src=|22|https://logo.clearbit.com/"; distance:0; content:"$.get(|22|https://logo.clearbit.com/"; distance:0; content:"$(|22|#logoimg|22|).attr(|22|src|22|,|20 22|https://logo.clearbit.com/"; distance:0; classtype:social-engineering; sid:2031097; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain"; dns.query; content:".chatnook.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014486; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr('src', 'https://logo.clearbit.com/' + my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031098; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain"; dns.query; content:".darktech.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014488; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr(|22|src|22|,|20 22|https://logo.clearbit.com/|22|+my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain"; dns.query; content:".deaftone.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014490; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish Oct 07 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; http.method; content:"POST"; http.request_line; content:".php HTTP/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; classtype:credential-theft; sid:2031570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.effers.com Domain"; dns.query; content:".effers.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014494; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-12-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029127; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain"; dns.query; content:".etowns.net"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014496; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2019-12-18"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Emailapp="; depth:9; content:"|25|40"; distance:0; content:"&passwordapp="; distance:0; fast_pattern; classtype:credential-theft; sid:2029682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain"; dns.query; content:".etowns.org"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014498; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-01-27"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029684; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain"; dns.query; content:".gotgeeks.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014502; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M4"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"userid="; nocase; depth:7; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain"; dns.query; content:".scieron.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014504; rev:8; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2029656; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain"; dns.query; content:".slyip.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014506; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M7"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"user="; nocase; depth:5; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031579; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain"; dns.query; content:".suroot.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014510; rev:9; metadata:created_at 2012_04_05, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M1 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"accountname="; depth:12; nocase; fast_pattern; content:"&pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032717; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".2288.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014779; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; fast_pattern; content:"&cvv"; nocase; distance:0; content:"&exp"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".3322.net"; fast_pattern; endswith; classtype:misc-activity; sid:2014781; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish M2 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.cookie; content:"PHPSESSID="; http.request_body; content:"donnee3="; depth:8; nocase; fast_pattern; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032711; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".6600.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014782; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&psw="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032712; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".7766.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014783; rev:10; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M3 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"donnee"; distance:0; nocase; content:"donnee"; distance:0; nocase; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032718; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org"; threshold: type limit, count 1, track by_src, seconds 300; dns.query; content:".9966.org"; fast_pattern; endswith; classtype:misc-activity; sid:2014786; rev:9; metadata:created_at 2012_05_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PNC Bank Phish 2016-01-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; fast_pattern; http.header; content:".php?LOB="; http.request_body; content:"user"; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032671; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com"; dns.query; content:".dns-stuff.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2014868; rev:6; metadata:created_at 2012_06_07, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-01-08"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.header; content:".php?"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032670; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; dns.query; content:".onion"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:5; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-02-23"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"username="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032674; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.be.ma domain"; dns.query; content:".be.ma"; fast_pattern; endswith; classtype:bad-unknown; sid:2012902; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&email="; nocase; content:"&pass"; nocase; classtype:credential-theft; sid:2029655; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Query for a Suspicious *.upas.su domain"; dns.query; content:".upas.su"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2015550; rev:5; metadata:created_at 2012_07_31, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-10-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"fnumber="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&userid="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032708; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; dns.query; content:".exit"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:7; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing Oct 06 2016"; flow:to_server,established; content:"|0d 0a 0d 0a|form"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"form"; depth:4; nocase; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2031569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .co.cc Domain"; dns.query; content:".co.cc"; fast_pattern; nocase; endswith; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:7; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-08-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CardNumber="; nocase; fast_pattern; content:"&Exp"; nocase; content:"CVV="; nocase; classtype:credential-theft; sid:2029676; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; dns.query; content:"provide.yourtrap.com"; depth:20; fast_pattern; nocase; endswith; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:command-and-control; sid:2016135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&transport=websocket&sid="; fast_pattern; http.header; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; content:"Sec-WebSocket-Key|3a 20|"; content:"Upgrade|3a 20|websocket"; content:"origin|3a 20|"; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"; http.cookie; content:"connect.sid="; content:"io="; classtype:credential-theft; sid:2025001; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Known Chewbacca CnC Server"; dns.query; content:"5ji235jysrvwfgmb.onion"; depth:22; fast_pattern; endswith; reference:md5,21f8b9d9a6fa3a0cd3a3f0644636bf09; reference:url,usa.visa.com/download/merchants/Alert-ChewbaccaMalware-030614.pdf; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2013-121813-2446-99; classtype:command-and-control; sid:2018114; rev:5; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multibank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<title>Document</title>"; distance:0; content:"href=|22|run/images/"; distance:0; content:"<img src=|22|run/captcha.php?rand="; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|captcha|22|>"; distance:0; fast_pattern; classtype:social-engineering; sid:2031100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Perl/Calfbot C&C DNS request"; dns.query; content:"jmxkowzoen.info"; depth:15; fast_pattern; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:command-and-control; sid:2018267; rev:10; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-01-29 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"|0d 0a 0d 0a|user"; fast_pattern; http.method; content:"POST"; http.request_body; content:"user"; depth:4; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2029338; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbasic.com Domain"; dns.query; content:".mrbasic.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2018366; rev:6; metadata:created_at 2014_04_05, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-06-22"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:ebay\.co\.uk|singtel\.com|blockchain\.com)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032684; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS DNS Query for vpnoverdns - indicates DNS tunnelling"; dns.query; content:"tun.vpnoverdns.com"; depth:18; fast_pattern; nocase; endswith; reference:url,osint.bambenekconsulting.com/manual/vpnoverdns.txt; classtype:bad-unknown; sid:2018438; rev:6; metadata:created_at 2014_05_02, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-08-19"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:s(?:ocietegenerale\.com|parkasse\.at|ina\.com\.cn|wisscom\.ch|ec\.gov)|b(?:bva(?:compass\.com|\.com\.co)|anque-accord\.fr|mo\.com)|g(?:o(?:(?:ogle\.co|v)\.uk|daddy\.com)|mail\.com)|(?:z(?:illow|oosk)|images\.kw|office365)\.com|t(?:el(?:stra\.com\.au|ekom\.com)|-online\.de)|c(?:reditmutuel\.fr|panel\.net|iti\.com)|(?:(?:realestate|nab)\.com\.a|unc\.ed)u|d(?:esjardins\.c(?:om|a)|iscover\.com)|e(?:arthlink\.net|ftel\.com\.au|bay\.de)|a(?:bl\.com\.pk|liyun\.com|nz\.co\.nz)|w(?:estpac\.com\.au|ikimedia\.org)|v(?:isaeurope\.ch|erizon\.net)|h(?:blibank\.com\.pk|sbc\.com)|paypal\.co\.uk)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032689; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Possible User trying to visit POSHCODER.A .onion link outside of torbrowser"; dns.query; content:"zpwibfsmoowehdsm.onion"; depth:22; nocase; endswith; reference:md5,01f4b1d9b2aafb86d5ccfa00e277fb9d; classtype:trojan-activity; sid:2018679; rev:5; metadata:created_at 2014_07_15, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-11-28"; flow:to_server,established; content:"|0d 0a 0d 0a|id="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032719; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.passinggas.net Domain (Sitelutions)"; dns.query; content:".passinggas.net"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018810; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M1 2016-12-02"; flow:to_server,established; content:"|0d 0a 0d 0a|handle="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"handle="; depth:7; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032722; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myredirect.us Domain (Sitelutions)"; dns.query; content:".myredirect.us"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018812; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M2 2016-12-02"; flow:to_server,established; content:"|0d 0a 0d 0a|userid="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032723; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.rr.nu Domain (Sitelutions)"; dns.query; content:".rr.nu"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2018814; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-12-19"; flow:to_server,established; content:"|0d 0a 0d 0a|t1="; fast_pattern; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"|25|40"; distance:0; content:"&t2="; nocase; distance:0; http.start; pcre:"/^POST\x20(?<var>[^\x20]+).+Referer\x3a\x20[^\r\n]+(?P=var)[\r\n]+/si"; classtype:credential-theft; sid:2032727; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.kwik.to Domain (Sitelutions)"; dns.query; content:".kwik.to"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018816; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing M1 2016-09-26"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.request_body; content:"email="; nocase; content:"&pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032699; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.myfw.us Domain (Sitelutions)"; dns.query; content:".myfw.us"; nocase; endswith; fast_pattern; classtype:bad-unknown; sid:2018818; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-09-12"; flow:to_server,established; content:"|0d 0a 0d 0a|login="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"login="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032698; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *ontheweb.nu Domain (Sitelutions)"; dns.query; content:".ontheweb.nu"; nocase; endswith; classtype:bad-unknown; sid:2018820; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-10-07"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^s?\x3a\/\/[^\/]*(?:goo(?:gle(?:\.(?:c(?:om\.[en]g|a)|r[ou])|apps\.com)|\.gl)|c(?:iovaccocapital\.com|entrin\.net\.id|artasi\.it)|s(?:(?:antander\.com\.b|fr\.f)r|tandardbank\.co\.za)|(?:aliexpress|vanguard|tdbank|ibm)\.com|e(?:xperienceasb\.co\.nz|im\.ae)|n(?:(?:avy)?fcu\.org|wolb\.com)|unicredit\.it|mbna\.co\.uk|oney\.fr|zkb\.ch)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032706; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isthebe.st Domain (Sitelutions)"; dns.query; content:".isthebe.st"; nocase; endswith; classtype:bad-unknown; sid:2018822; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; http.method; content:"POST"; http.uri; content:"/signin"; endswith; http.header; content:"/signin|0d 0a|"; fast_pattern; http.request_body; content:"_token="; depth:7; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024015; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *byinter.net Domain (Sitelutions)"; dns.query; content:".byinter.net"; nocase; endswith; classtype:bad-unknown; sid:2018824; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert dns any any -> $HOME_NET any (msg:"ET PHISHING Suspected Appspot Hosted Phishing Domain"; dns.query; content:!"www."; content:"-dot-"; content:".appspot.com"; fast_pattern; isdataat:!1,relative; pcre:"/^[a-z]{36,38}\-dot\-[a-z]+\-[a-z]+\-\d{6}\.[a-z]{2}\.[a-z]\.appspot\.com$/"; classtype:social-engineering; sid:2031149; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *findhere.org Domain (Sitelutions)"; dns.query; content:".findhere.org"; nocase; endswith; classtype:bad-unknown; sid:2018826; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful My ADP Phish (set) 2017-02-16"; flow:to_server,established; flowbits:set,ET.adpphish; flowbits:noalert; http.method; content:"POST"; http.host; content:!".adp.com"; endswith; http.request_body; content:"target="; depth:7; nocase; fast_pattern; content:"user"; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2027957; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *onthenetas.com Domain (Sitelutions)"; dns.query; content:".onthenetas.com"; nocase; endswith; classtype:bad-unknown; sid:2018828; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned IRS Page - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<!-- saved from url=("; within:500; content:".irs.gov/"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2031166; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *uglyas.com Domain (Sitelutions)"; dns.query; content:".uglyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018830; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING APT SWC PluginDetect Landing Cookie 2015-10-15"; flow:established,from_server; http.start; content:"Cookie|3a 20|PNPSESSID="; fast_pattern; file.data; content:"SharePoint.OpenDocuments.5"; classtype:targeted-activity; sid:2031893; rev:5; metadata:created_at 2015_10_15, former_category PHISHING, updated_at 2020_11_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *assexyas.com Domain (Sitelutions)"; dns.query; content:".assexyas.com"; nocase; endswith; classtype:bad-unknown; sid:2018832; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016"; flow:to_client,established; flowbits:isset,ET.wpphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"|0d 0a|location|3a 20|"; nocase; pcre:"/^[a-f0-9]{32}(?:\/index\.php)?\x0d\x0a/R"; classtype:social-engineering; sid:2025671; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_11_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *passas.us Domain (Sitelutions)"; dns.query; content:".passas.us"; nocase; endswith; classtype:bad-unknown; sid:2018834; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; classtype:credential-theft; sid:2029652; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *atthissite.com Domain (Sitelutions)"; dns.query; content:"athissite.com"; nocase; endswith; classtype:bad-unknown; sid:2018836; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<title>Microsoft Office"; fast_pattern; nocase; content:"Login below to access file"; nocase; distance:0; classtype:social-engineering; sid:2029658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *athersite.com Domain (Sitelutions)"; dns.query; content:"athersite.com"; nocase; endswith; classtype:bad-unknown; sid:2018838; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"|0d 0a 0d 0a|fullname="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&postcode="; nocase; distance:0; classtype:credential-theft; sid:2029653; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *isgre.at Domain (Sitelutions)"; dns.query; content:".isgre.at"; nocase; endswith; classtype:bad-unknown; sid:2018840; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<meta name=|22|publisher|22 20|content=|22|DHL"; fast_pattern; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; classtype:credential-theft; sid:2029659; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lookin.at Domain (Sitelutions)"; dns.query; content:".lookin.at"; nocase; endswith; classtype:bad-unknown; sid:2018842; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2019-10-18"; flow:established,to_server; content:"|0d 0a 0d 0a|epass="; fast_pattern; http.method; content:"POST"; http.uri; content:"/Logon.php"; nocase; endswith; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2029679; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *bestdeals.at Domain (Sitelutions)"; dns.query; content:".bestdeals.at"; nocase; endswith; classtype:bad-unknown; sid:2018844; rev:5; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Location|3a 20|"; nocase; pcre:"/^[^\r\n]+\.edu/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; classtype:credential-theft; sid:2025114; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *lowestprices Domain (Sitelutions)"; dns.query; content:".lowestprices.at"; nocase; endswith; classtype:bad-unknown; sid:2018846; rev:7; metadata:created_at 2014_07_30, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"covid"; nocase; classtype:credential-theft; sid:2029757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to a Suspicious *.orge.pl Domain"; dns.query; content:".orge.pl"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2013843; rev:6; metadata:created_at 2011_11_05, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"corona"; nocase; classtype:credential-theft; sid:2029758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Query to Known CnC Domain msnsolution.nicaze.net"; dns.query; content:"icaze.net"; depth:9; fast_pattern; endswith; reference:md5,89332c92d0360095e2dda8385d400258; classtype:command-and-control; sid:2014139; rev:8; metadata:created_at 2012_01_21, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-05-26"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:t(?:dcanadatrust|escobank|radekey)|r(?:ealtyexecutive|bcd)s|x(?:finity|oom)|ourtime)\.com|a(?:s(?:perasoft\.com|b\.co\.nz)|(?:ccesbankplc|nz)\.com|mazon\.co\.uk|ruba\.it)|m(?:(?:icrosoftstore|organstanley|sn)\.com|a(?:de-in-china\.com|il\.ru))|s(?:(?:eniorpeoplemeet|cotiabank)\.com|antander\.co\.uk|uddenlink\.net)|c(?:o(?:(?:ldwellbankerpreviews|x)\.com|mpresso\.co\.th)|fapubs\.org)|w(?:e(?:althmanagement\.com|bmail\.sfr\.fr)|ww-01\.ibm\.com)|l(?:(?:endingtree|loydsbank)\.com|abanquepostale\.mobi)|v(?:(?:aluewalk|ideotron)\.com|erifyemailaddress\.org)|n(?:a(?:tionwide\.co\.uk|vyfederal\.org)|etsuite\.com)|b(?:a(?:nquepopulaire\.fr|9hus\.in)|iztree\.com)|i(?:nternetbanking\.caixa\.gov\.br|cloud\.com)|d(?:iscoverbank\.com|hl\.co\.uk)|k(?:iwibank\.co\.nz|eybank\.com)|fidelitybank\.ng|paypal\.fr|ebay\.it)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032681; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for a known malware domain (sektori.org)"; dns.query; content:"sektori.org"; depth:11; fast_pattern; nocase; endswith; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx; classtype:trojan-activity; sid:2014573; rev:9; metadata:created_at 2012_04_16, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Postcode.php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"postcode="; depth:9; content:!"&"; distance:0; classtype:credential-theft; sid:2029849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.bestcomputeradvisor.com"; dns.query; content:".bestcomputeradvisor.com"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:8; metadata:created_at 2012_08_10, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/Adobe/Excel Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"function script()"; nocase; content:"#email_field"; nocase; distance:0; fast_pattern; content:"#password_field"; nocase; distance:0; content:"click_to_download()"; nocase; distance:0; content:"Wrong Email Format"; nocase; distance:0; content:"make_the_delay()"; nocase; distance:0; classtype:social-engineering; sid:2032669; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"chrom-update.online"; nocase; endswith; classtype:command-and-control; sid:2027936; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns.query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026486; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"mnmnmnmnmnmn.club"; nocase; endswith; classtype:command-and-control; sid:2027937; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; flow:established,to_server; tls.sni; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026487; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Domen SocEng CnC Observed in DNS Query"; dns.query; content:"asasasqwqq.xyz"; nocase; endswith; classtype:command-and-control; sid:2027938; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ml Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ml"; endswith; fast_pattern; classtype:credential-theft; sid:2026532; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Gauss Domain *.guest-access.net"; dns.query; content:".guest-access.net"; fast_pattern; nocase; endswith; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:8; metadata:created_at 2012_08_10, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .cf Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".cf"; endswith; fast_pattern; classtype:credential-theft; sid:2026533; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query Known Reveton Domain whatwillber.com"; dns.query; content:"whatwillber.com"; depth:15; nocase; endswith; classtype:bad-unknown; sid:2015875; rev:9; metadata:created_at 2012_11_09, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ga Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ga"; endswith; fast_pattern; classtype:credential-theft; sid:2026534; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup msonlinelive.com"; dns.query; content:"msonlinelive.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019586; rev:5; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gq Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gq"; endswith; fast_pattern; classtype:credential-theft; sid:2026535; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup malwarecheck.info"; dns.query; content:"malwarecheck.info"; depth:17; fast_pattern; nocase; endswith; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-110315-1233-99&tabid=2; classtype:targeted-activity; sid:2019640; rev:5; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gqn Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gqn"; endswith; fast_pattern; classtype:credential-theft; sid:2026536; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain www.comeinbaby.com"; dns.query; content:"comeinbaby.com"; depth:14; fast_pattern; nocase; endswith; reference:url,www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:trojan-activity; sid:2019667; rev:7; metadata:created_at 2014_11_07, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .icu Domain 2019-02-06"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".icu"; endswith; fast_pattern; classtype:credential-theft; sid:2026886; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/WireLurker DNS Query Domain manhuaba.com.cn"; dns.query; content:"manhuaba.com.cn"; depth:15; fast_pattern; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2014/11/question-wirelurker-attribution-responsible; classtype:trojan-activity; sid:2019718; rev:5; metadata:created_at 2014_11_18, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-06-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id1="; depth:4; nocase; content:"&id2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.no-ip.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.no-ip.net"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019788; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://www.dropbox.com/"; file.data; content:"<title>Dropbox Business</title>"; nocase; classtype:social-engineering; sid:2024403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious cvredirect.ddns.net Domain - CoinLocker Domain"; dns.query; content:"cvredirect.ddns.net"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street; classtype:misc-activity; sid:2019790; rev:6; metadata:created_at 2014_11_24, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adobeincorp.com"; dns.query; content:"adobeincorp.com"; depth:15; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019565; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"your PayPal account"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:log\s*in|sign\s*in)/i"; classtype:social-engineering; sid:2024391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"doosan-job.com"; depth:14; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019851; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"|20|-|20|paypal"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:s(?:e(?:nd money, pay online or set up a merchant|cure) account|uspicious (?:transaction |activities))|con(?:firm card security information|to limitato)|(?:profile updat|mot de pass)e|login)\s*-\s*paypal\s*<\/title>/i"; classtype:social-engineering; sid:2024970; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"downloadsservers.com"; depth:20; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019852; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iCloud Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-Request-UUID|3a|"; file.data; content:"<title>iCloud</title>"; nocase; classtype:social-engineering; sid:2024385; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"drivercenterupdate.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019853; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>Welcome to Facebook</title>"; nocase; classtype:social-engineering; sid:2024402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"easyresumecreatorpro.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019854; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>"; nocase; content:"facebook email security"; within:40; nocase; fast_pattern; classtype:social-engineering; sid:2024451; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019855; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"Log in to Facebook"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2024807; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"googleproductupdate.net"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019856; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"About Copyright|20 7c 20|Facebook Help Center"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025137; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftactiveservices.com"; depth:27; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019858; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Wells Fargo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"wellsfargo.com/"; file.data; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; classtype:social-engineering; sid:2025360; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftmiddleast.com"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019859; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M4"; flow:established,to_client; http.header; content:!".wellsfargo.com/"; file.data; content:"antiClickjack.parentNode.removeChild"; within:1000; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025295; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsserverupdate.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019869; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; http.header; content:"!*.paypal.com"; file.data; content:"<title></title>"; nocase; fast_pattern; content:"<meta name=|22|application-name|22 20|content=|22|PayPal"; distance:0; classtype:social-engineering; sid:2024019; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowssecurityupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019868; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Mobile Phish 2017-08-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"northropgrumman.net"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019865; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-01-26"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&prefill_source="; nocase; distance:0; content:"&prefill_type="; nocase; distance:0; content:"&first_prefill_source="; nocase; distance:0; content:"&first_prefill_type="; nocase; distance:0; content:"&had_cp_prefilled="; nocase; distance:0; content:"&had_password_prefilled="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029665; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsupdate.net"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019864; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-26"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&jazoest="; nocase; distance:0; fast_pattern; content:"&m_ts="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029673; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowscentralupdate.com"; depth:24; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019867; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"teledyne-jobs.com"; depth:17; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019866; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2020-01-10"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftserverupdate.com"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019861; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.host; content:!"amazon.com"; endswith; content:!".amazon.co.jp"; endswith; http.request_body; content:"appActionToken="; nocase; content:"&appAction=SIGNIN"; nocase; distance:0; fast_pattern; content:"|25|40"; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032713; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftonlineupdates.com"; depth:26; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019860; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing Aug 19 2015"; flow:to_client,established; http.header; content:!"X-BOA-RequestID|3a|"; file.data; content:"boaVIPAAuseGzippedBundles"; fast_pattern; content:"boaVIPAAjawrEnabled"; distance:0; classtype:social-engineering; sid:2025666; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftwindowsresources.com"; depth:29; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019863; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineid="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032696; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"windowsupdateserver.com"; depth:23; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019870; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".craigslist.org"; endswith; http.request_body; content:"inputEmailHandle="; nocase; content:"|25|40"; distance:0; content:"&inputPassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032686; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"gesunddurchsjahr.de"; depth:19; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019871; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-I-Request-ID|3a|"; file.data; content:"<title>Manage your Apple ID</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024707; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.org"; dns.query; content:"checkmalware.org"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019582; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible CIBC Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|ServerNoWhere"; file.data; content:"<title>CIBC</title>"; nocase; classtype:social-engineering; sid:2024797; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatesoftware24.com"; dns.query; content:"updatesoftware24.com"; depth:20; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019580; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-12"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; content:!".messenger.com"; endswith; http.request_body; content:"jazoest="; depth:8; nocase; fast_pattern; content:"&lsd="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029672; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup windows-updater.com"; dns.query; content:"windows-updater.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019581; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Base64 Obfuscated Phishing Landing 2015-11-30"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv=|22|Refresh|22|"; within:100; fast_pattern; nocase; content:"content=|22|0|3b 20|URL="; nocase; distance:1; content:"data|3a|text/html|3b|base64,"; nocase; within:25; classtype:social-engineering; sid:2031906; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"microsoftupdateserver.net"; depth:25; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019862; rev:6; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; pcre:"/^\/v0\/b\/(?:send|hit|few|lik|mtn|eli|rfda)\d.*\.appspot\.com\//i"; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031211; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup updatepc.org"; dns.query; content:"updatepc.org"; depth:12; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019579; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"email="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031212; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testsnetcontrol.com"; dns.query; content:"testsnetcontrol.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019578; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"#"; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031213; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup testservice24.net"; dns.query; content:"testservice24.net"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019577; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"login="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup symanttec.org"; dns.query; content:"symanttec.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019576; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024228; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup securitypractic.com"; dns.query; content:"securitypractic.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019575; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup secnetcontrol.com"; dns.query; content:"secnetcontrol.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019574; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-11-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&ps="; nocase; distance:0; pcre:"/^em=[^&]*&ps=[^&]*$/i"; classtype:credential-theft; sid:2031218; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup scanmalware.info"; dns.query; content:"scanmalware.info"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019573; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:800; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2031238; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsof-update.com"; dns.query; content:"microsof-update.com"; depth:19; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019572; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-11-26"; flow:established,to_client; file.data; content:"<title>Ch&alpha|3b|se &Beta|3b|&alpha|3b|n&Kappa|3b|"; fast_pattern; classtype:social-engineering; sid:2031239; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup microsofi.org"; dns.query; content:"microsofi.org"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019571; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Windows.net Hosted Phish 2020-10-14"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".windows.net"; isdataat:!1,relative; fast_pattern; http.uri; content:!"/getEffectiveAccess?api-version="; classtype:credential-theft; sid:2031012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkwinframe.com"; dns.query; content:"checkwinframe.com"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019568; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-11-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; nocase; content:"exp"; nocase; content:"cvv="; nocase; fast_pattern; http.host; content:!".ez-chow.com"; endswith; classtype:credential-theft; sid:2029680; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup check-fix.com"; dns.query; content:"check-fix.com"; depth:13; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019569; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:!".jpg',no','no',no'"; nocase; distance:0; content:!".pdf,no','no',no'"; nocase; distance:0; content:!".SlideMenu1_Folder div"; content:!"PhotoGallery"; nocase; classtype:social-engineering; sid:2026047; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup adawareblock.com"; dns.query; content:"adawareblock.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019564; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<META HTTP-EQUIV="; nocase; within:600; fast_pattern; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:25; content:"url="; nocase; within:25; http.header; content:!".efunds.com"; classtype:credential-theft; sid:2031574; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup azureon-line.com"; dns.query; content:"azureon-line.com"; depth:16; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019566; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Account Phish Dec 04 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"continue="; content:"followup="; content:"checkedDomains="; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:credential-theft; sid:2015980; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup checkmalware.info"; dns.query; content:"checkmalware.info"; depth:17; fast_pattern; nocase; endswith; reference:url,fireeye.com/resources/pdfs/apt28.pdf; classtype:targeted-activity; sid:2019567; rev:6; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Docusign</title>"; nocase; classtype:social-engineering; sid:2024387; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Operation Cleaver Domain"; dns.query; content:"kundenpflege.menrad.de"; depth:22; fast_pattern; endswith; nocase; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:trojan-activity; sid:2019857; rev:7; metadata:created_at 2014_12_03, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic .EDU Phish Aug 17 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; flowbits:isnotset,ET.realEDUrequest; http.stat_code; content:"302"; http.location; content:".edu"; nocase; fast_pattern; pcre:"/https?:\/\/[^/]+\.edu/i"; classtype:credential-theft; sid:2029662; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas ecolines.es"; dns.query; content:"ecolines.es"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019912; rev:6; metadata:created_at 2014_12_11, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-02-13"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?rand=13InboxLightaspxn."; fast_pattern; content:"&email="; distance:0; content:"@"; distance:0; classtype:credential-theft; sid:2029669; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Cloud Atlas blackberry-support.herokuapp.com"; dns.query; content:"blackberry-support.herokuapp.com"; depth:32; fast_pattern; endswith; nocase; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019913; rev:6; metadata:created_at 2014_12_11, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic 302 Redirect to Phishing Landing"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?client_id="; fast_pattern; content:"&response_mode="; distance:0; content:"&response_type="; distance:0; pcre:"/^[a-z0-9]{24,28}\.php\?client_id=/i"; classtype:social-engineering; sid:2031578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_12_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Invisible Internet Project Domain (I2P)"; dns.query; content:".i2p"; endswith; fast_pattern; reference:url,geti2p.net; classtype:policy-violation; sid:2019988; rev:6; metadata:created_at 2014_12_22, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful IRS Phish 2016-01-23"; flow:to_client,established; flowbits:isset,ET.irs.phish; http.stat_code; content:"302"; http.location; content:"http"; depth:4; content:"irs.gov"; distance:0; nocase; fast_pattern; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032672; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_01_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (great-codes.com)"; dns.query; content:"great-codes.com"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020035; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Redirect - Possible Phishing May 25 2016"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?email="; fast_pattern; content:!"unsubscribe"; content:!"lastpass.com"; classtype:social-engineering; sid:2031567; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (adguard.name)"; dns.query; content:"adguard.name"; depth:12; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020036; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://poloniex.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024617; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (coral-trevel.com)"; dns.query; content:"coral-trevel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020037; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://exmo.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024618; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (ddnservice10.ru)"; dns.query; content:"ddnservice10.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020038; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://paxful.com"; startswith; classtype:credential-theft; sid:2024621; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (paradise-plaza.com)"; dns.query; content:"paradise-plaza.com"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020039; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://localbitcoins.com"; startswith; classtype:credential-theft; sid:2024640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (worldnewsonline.pw)"; dns.query; content:"worldnewsonline.pw"; depth:18; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020040; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish 2020-08-17"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://www.paxful.com"; startswith; classtype:credential-theft; sid:2030695; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (update-java.net)"; dns.query; content:"update-java.net"; depth:15; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; reference:md5,0ad4892ead67e65ec3dd4c978fce7d92; classtype:targeted-activity; sid:2020041; rev:5; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Tombol Microsoft Account Phishing Landing 2020-12-16"; flow:established,to_client; file.data; content:"$('#password').keyup("; content:"$('#Tombol1').click("; distance:0; fast_pattern; content:"data: { u : email, p : password_v"; distance:0; classtype:social-engineering; sid:2031414; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_12_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (allwayshappy.ru)"; dns.query; content:"allwayshappy.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020044; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?cmd=_update-information&account_bank="; nocase; fast_pattern; content:"&dispatch="; distance:32; within:10; nocase; http.content_len; byte_test:0,=,0,0,string,dec; classtype:social-engineering; sid:2024016; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_12_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (deadwalk32.ru)"; dns.query; content:"deadwalk32.ru"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020047; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish 2018-10-22"; flow:established,from_server; flowbits:isset,ET.Fedex_DHL_Phish; http.stat_code; content:"302"; http.location; content:"tracking2.php"; startswith; classtype:credential-theft; sid:2029667; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (doubleclickads.net)"; dns.query; content:"doubleclickads.net"; depth:18; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020048; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-14"; flow:from_server,established; flowbits:isset,ET.bofaphish; http.stat_code; content:"302"; http.location; content:".php?template="; fast_pattern; content:"&valid="; content:"&session="; pcre:"/\.php\?template=[^\r\n]+&valid=[^\r\n]+&session=[a-f0-9]{32,}$/i"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032710; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (octoberpics.ru)"; dns.query; content:"octoberpics.ru"; depth:14; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020054; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.content_len; byte_test:0,=,0,0,string,dec; http.header; content:"location|3a 20|"; fast_pattern; content:"|2f 3f|"; distance:32; within:2; content:"|0d 0a|"; distance:32; within:2; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2024008; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (server38.info)"; dns.query; content:"server38.info"; depth:13; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020057; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0; content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031468; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (ssl-server24.ru)"; dns.query; content:"ssl-server24.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020058; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031483; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (tweeterplanet.ru)"; dns.query; content:"tweeterplanet.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020059; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031484; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (updatemyhost.ru)"; dns.query; content:"updatemyhost.ru"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020061; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Instagram Phishing or Scam Landing Page"; flow:established,to_client; file.data; content:"lnstagram"; nocase; fast_pattern; within:1000; content:"</title>"; within:50; nocase; classtype:social-engineering; sid:2031493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_01_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (walkingdead32.ru)"; dns.query; content:"walkingdead32.ru"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020062; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-03-08"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"password="; nocase; distance:0; classtype:credential-theft; sid:2031875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (worldnews247.net)"; dns.query; content:"worldnews247.net"; depth:16; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2020063; rev:5; metadata:created_at 2014_12_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Docs</title>"; nocase; classtype:social-engineering; sid:2024386; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS query for known Anunak APT Domain (financialnewsonline.pw)"; dns.query; content:"financialnewsonline.pw"; depth:22; nocase; endswith; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020066; rev:6; metadata:created_at 2014_12_24, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Meet Google Drive - One Place For All Your Files</title>"; nocase; classtype:social-engineering; sid:2024388; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Hong Kong SWC Attack DNS Lookup (aoemvp.com)"; dns.query; content:"aoemvp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.dragonthreatlabs.com/2015/01/dtl-12012015-01-hong-kong-swc-attack.html; classtype:trojan-activity; sid:2020171; rev:5; metadata:created_at 2015_01_13, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"url=https://en.wikipedia.org/wiki/Microsoft_Outlook"; content:"$(|22|#hide-from-bots|22|).show()|3b|"; fast_pattern; distance:0; content:"------ START OF BODYYYY ------"; distance:0; classtype:social-engineering; sid:2031920; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p-netdb.innovatio.no)"; dns.query; content:"i2p-netdb.innovatio.no"; depth:22; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020189; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Redirector Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"myFunction()"; within:50; content:"function myFunction() {"; within:50; content:"if (feedUpdateSplit[x]==|22|#|22|"; distance:0; fast_pattern; content:"#|22|+btoa(che)|3b|"; distance:0; content:"window.location.href=joinlink|3b|"; distance:0; classtype:social-engineering; sid:2031921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p.mooo.com)"; dns.query; content:"i2p.mooo.com"; depth:12; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020190; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Encoded Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"############################"; within:200; content:"### THIS WEBPAGE WAS PROTECTED AT|3a|"; fast_pattern; distance:0; content:"############################"; distance:0; classtype:social-engineering; sid:2031922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (netdb.i2p2.no)"; dns.query; content:"netdb.i2p2.no"; depth:13; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020191; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"https://logo.clearbit.com/"; content:"///////new injection//////"; fast_pattern; distance:0; classtype:social-engineering; sid:2031923; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (reseed.i2p-projekt.de)"; dns.query; content:"reseed.i2p-projekt.de"; depth:21; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020192; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic NewInjection Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"////////urlemailgetting////////"; fast_pattern; content:"///////newinjection//////"; classtype:social-engineering; sid:2031924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (uk.reseed.i2p2.no)"; dns.query; content:"uk.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020193; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic NewInjection Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"/////urlgettingemail/////"; fast_pattern; content:"/////urlemailgetting/////"; classtype:social-engineering; sid:2031925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (us.reseed.i2p2.no)"; dns.query; content:"us.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020194; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2021-03-15"; flow:to_client,established; file.data; content:"<title>OneDrive|20 7c 20|Login"; nocase; fast_pattern; content:"<video playsinline="; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2032007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (apple.dynamic-dns.net)"; dns.query; content:"apple.dynamic-dns.net"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020244; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2021-03-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"j_username="; depth:11; nocase; content:"&j_password="; nocase; distance:0; content:"&save-username="; nocase; distance:0; content:"&hdnuserid="; nocase; distance:0; content:"&btnSignon=Sign+On&screenid=SIGNON&origination="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2036221; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (autocar.ServeUser.com)"; dns.query; content:"autocar.ServeUser.com"; depth:21; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020245; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-03-18"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; fast_pattern; content:"&pass"; nocase; distance:0; pcre:"/^uname=[^&]*&pass/i"; classtype:credential-theft; sid:2032161; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (coastnews.darktech.org)"; dns.query; content:"coastnews.darktech.org"; depth:22; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020249; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING ANTIBOT Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PANEL ANTIBOT"; nocase; fast_pattern; content:">Real Visitor Detection Manager"; nocase; distance:0; classtype:web-application-attack; sid:2032322; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_25, deployment Perimeter, signature_severity Major, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (demon.4irc.com)"; dns.query; content:"demon.4irc.com"; depth:14; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020250; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ANTIBOT Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PANEL ANTIBOT"; nocase; fast_pattern; content:">Real Visitor Detection Manager"; nocase; distance:0; classtype:web-application-attack; sid:2032323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_25, deployment Perimeter, signature_severity Major, updated_at 2021_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (logoff.ddns.info)"; dns.query; content:"logoff.ddns.info"; depth:16; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020259; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL"; nocase; fast_pattern; classtype:web-application-attack; sid:2030588; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scieron DNS Lookup (yellowblog.flnet.org)"; dns.query; content:"yellowblog.flnet.org"; depth:20; nocase; endswith; fast_pattern; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:trojan-activity; sid:2020279; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL"; nocase; fast_pattern; classtype:web-application-attack; sid:2030589; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for Suspicious tolotor.com Domain - Possible CryptoWall Activity"; dns.query; content:"tolotor.com"; depth:11; fast_pattern; endswith; nocase; reference:url,isc.sans.edu/forums/diary/Traffic+Patterns+For+CryptoWall+30/19203/; classtype:misc-activity; sid:2020284; rev:5; metadata:created_at 2015_01_23, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Login Panel</title>"; fast_pattern; content:"background-color|3a 20|#000000"; distance:0; content:"text-center|22|>Login to Panel</div>"; distance:0; content:"class=|22|form-control|22 20|id=|22|key|22 20|name=|22|key|22 20|placeholder=|22|Private Key|22|"; distance:0; classtype:web-application-attack; sid:2032324; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (pstcmedia.com)"; dns.query; content:"pstcmedia.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020444; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Login Panel</title>"; fast_pattern; content:"background-color|3a 20|#000000"; distance:0; content:"text-center|22|>Login to Panel</div>"; distance:0; content:"class=|22|form-control|22 20|id=|22|key|22 20|name=|22|key|22 20|placeholder=|22|Private Key|22|"; distance:0; classtype:web-application-attack; sid:2032325; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mixedwork.com)"; dns.query; content:"mixedwork.com"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020445; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sparkasse Phishing Domain 2021-04-05"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"sparkasse.de"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032469; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ahmedfaiez.info)"; dns.query; content:"ahmedfaiez.info"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020446; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (tk) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".tk"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032470; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupdate.com)"; dns.query; content:"flushupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020447; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (ml) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032471; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (flushupate.com)"; dns.query; content:"flushupate.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020448; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (gq) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032472; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (ineltdriver.com)"; dns.query; content:"ineltdriver.com"; depth:15; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020449; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (ga) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032473; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (mediahitech.info)"; dns.query; content:"mediahitech.info"; depth:16; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020450; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (cf) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032474; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT DNS Lookup (plmedgroup.com)"; dns.query; content:"plmedgroup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020451; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (xyz) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (advtravel.info)"; dns.query; content:"advtravel.info"; depth:14; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020452; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Mamalo Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (fpupdate.info)"; dns.query; content:"fpupdate.info"; depth:13; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020453; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Mamalo Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032477; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Advtravel Campaign DNS Lookup (linksis.info)"; dns.query; content:"linksis.info"; depth:12; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020454; rev:5; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Tehran Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032478; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (linkedim.in)"; dns.query; content:"linkedim.in"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020459; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Tehran Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032479; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (androcity.com)"; dns.query; content:"androcity.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020461; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<img src=|22|file/cip.php?rand="; nocase; fast_pattern; content:"id=|27|capisimg|27|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|capis|22|"; nocase; distance:0; classtype:social-engineering; sid:2032509; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (liptona.net)"; dns.query; content:"liptona.net"; depth:11; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020462; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Hidden Text - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<span style='font-size:0px|3b|'>"; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; classtype:social-engineering; sid:2032510; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nauss-lab.com)"; dns.query; content:"nauss-lab.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020464; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"id='captcha_image' name='captcha_image' src='captcha.php?rand="; nocase; content:"placeholder='Enter Code' style='text-align:center|3b|' class='input' name='captcha'"; nocase; distance:0; content:"function refreshCaptcha(){"; nocase; distance:0; classtype:social-engineering; sid:2032511; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (nice-mobiles.com)"; dns.query; content:"nice-mobiles.com"; depth:16; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020465; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office Related Appspot Hosted Shared Document Phishing Landing"; flow:established,to_client; file.data; content:"script language=javascript>document.write(unescape("; nocase; content:"href%3D%22https%3A//fonts.googleapis.com/"; nocase; distance:0; content:"stylesheet%22%3E%20%3Cscript%20src%3D%22https%3A//kit.fontawesome.com/"; nocase; distance:0; content:"____rdr%20%3D%20%27https%3A//www.office.com/"; nocase; distance:0; content:"var%20LIB_view%20%3D%20%27PGRpdiBjbGFzcz0iY"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2032512; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (facebook-emoticons.bitblogoo.com)"; dns.query; content:"facebook-emoticons.bitblogoo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020466; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Redirect to Phishing Landing"; flow:established,to_client; file.data; content:"<title>Review|3a 20 20|0ffice365"; fast_pattern; nocase; content:"<script type=|22|text/javascript|22|>window.location.href"; distance:0; nocase; classtype:social-engineering; sid:2032513; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (abuhmaid.net)"; dns.query; content:"abuhmaid.net"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020467; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"/////url email getting//////"; fast_pattern; nocase; content:"ind=my_email.indexOf(|22|@|22|"; distance:0; content:"///////new injection//////"; distance:0; nocase; classtype:social-engineering; sid:2032514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (blogging-host.info)"; dns.query; content:"blogging-host.info"; depth:18; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020468; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing"; flow:established,to_client; file.data; content:"$.ajax({|0d 0a|"; content:"dataType|3a 20|'JSON',|0d 0a|"; within:50; content:"url|3a|"; within:50; content:".php',|0d 0a|"; within:500; content:"type|3a 20|'POST',|0d 0a|"; within:50; fast_pattern; content:"data|3a|{|0d 0a|"; within:50; content:"function(xhr"; distance:0; classtype:social-engineering; sid:2032515; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon Related APT DNS Lookup (tvgate.rocks)"; dns.query; content:"tvgate.rocks"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020469; rev:5; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"//////url getting ai//////"; fast_pattern; nocase; content:"var my_ai = ai|3b|"; distance:0; nocase; content:"my_ai.indexOf(|22|@|22|"; distance:0; nocase; classtype:social-engineering; sid:2032516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Desert Falcon APT DNS Lookup (iwork-sys.com)"; dns.query; content:"iwork-sys.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/files/2015/02/The-Desert-Falcons-targeted-attacks.pdf; classtype:targeted-activity; sid:2020472; rev:6; metadata:created_at 2015_02_18, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"/////url ai getting//////"; fast_pattern; nocase; content:"///////url getting ai///////"; distance:0; nocase; classtype:social-engineering; sid:2032517; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE 9002 RAT C&C DNS request"; dns.query; content:"cache.dnsde.com"; depth:15; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2020713; rev:5; metadata:created_at 2015_03_19, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<img src=|22|files/cps.php?rand="; nocase; fast_pattern; content:"id='cpsaimg'"; nocase; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|caps|22|"; nocase; distance:0; classtype:social-engineering; sid:2032518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (saveweb.wink.ws)"; dns.query; content:"saveweb.wink.ws"; depth:15; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020814; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&txtCaptcha="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032633; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (carima2012.site90.com)"; dns.query; content:"carima2012.site90.com"; depth:21; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020815; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-04-08"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emid="; depth:5; nocase; fast_pattern; content:"&epass="; nocase; distance:0; pcre:"/^emid=[^&]*&epass/i"; classtype:credential-theft; sid:2032532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (explorerdotnt.info)"; dns.query; content:"explorerdotnt.info"; depth:18; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020816; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M1 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"IDLOG="; depth:6; nocase; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032590; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotnetexplorer.info)"; dns.query; content:"dotnetexplorer.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020817; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M2 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"question1="; depth:10; nocase; content:"&Answer1="; nocase; distance:0; content:"&question2="; nocase; distance:0; content:"&Answer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&Answer3="; nocase; distance:0; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032591; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (dotntexplorere.info)"; dns.query; content:"dotntexplorere.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020818; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&lname="; nocase; distance:0; content:"&db1="; nocase; distance:0; content:"&db2="; nocase; distance:0; content:"&db3="; nocase; distance:0; content:"&adrs="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp1="; nocase; distance:0; content:"&exp2="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&vbv="; nocase; distance:0; content:"&sortcode="; nocase; distance:0; fast_pattern; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032615; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (xploreredotnet.info)"; dns.query; content:"xploreredotnet.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020819; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; nocase; http.request_body; content:"login_ak"; depth:8; nocase; content:"&pwd_ak"; nocase; distance:0; fast_pattern; content:"&1.Continue"; nocase; distance:0; classtype:credential-theft; sid:2032643; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Volatile Cedar DNS Lookup (erdotntexplore.info)"; dns.query; content:"erdotntexplore.info"; depth:19; nocase; endswith; fast_pattern; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:trojan-activity; sid:2020820; rev:5; metadata:created_at 2015_03_31, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Discover Phish M2 2016-12-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"ccnumb="; depth:7; nocase; fast_pattern; content:"&expirMonth="; nocase; distance:0; content:"&expiryear="; nocase; distance:0; content:"&CCV="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; classtype:credential-theft; sid:2032666; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"aa.hostasa.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:6; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Phish M1 2016-06-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&password="; nocase; distance:0; content:"&domain="; nocase; distance:0; content:"&Phone"; nocase; distance:0; classtype:credential-theft; sid:2032685; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns1.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful *.myjino. ru Phish 2016-12-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.host; content:".myjino.ru"; endswith; http.request_body; content:"user"; depth:4; nocase; content:"&pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032725; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns2.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Onedrive Phish 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; nocase; depth:6; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032680; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns3.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish M1 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"yahoo"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; fast_pattern; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032683; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"ns4.hostasa.org"; depth:15; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr .eur .lc)"; dns.query; content:"apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr.eur.lc"; bsize:52; fast_pattern; classtype:domain-c2; sid:2032795; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gh.dsaj2a1.org"; depth:14; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (hombreymaquina .com)"; dns.query; content:"hombreymaquina.com"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032796; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"navert0p.com"; depth:12; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (igconsulting. pe)"; dns.query; content:"igconsulting.pe"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032797; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"wangzongfacai.com"; depth:17; fast_pattern; nocase; endswith; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:5; metadata:created_at 2015_06_24, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M3 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Passcode="; depth:9; nocase; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032592; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"gggatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname_ak"; depth:8; nocase; fast_pattern; content:"&lname_ak"; nocase; distance:0; content:"&staddd_ak"; nocase; distance:0; content:"&city_ak"; nocase; distance:0; content:"&state_ak"; nocase; distance:0; content:"&zip_ak"; nocase; distance:0; content:"&mobile_ak"; nocase; distance:0; content:"&1.Continue"; nocase; distance:0; classtype:credential-theft; sid:2032644; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"xxxatat456.com"; depth:14; fast_pattern; nocase; endswith; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:5; metadata:created_at 2015_07_13, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-12-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b|"; http.request_body; content:"form-data|3b 20|name=|22|Email"; nocase; content:"form-data|3b 20|name=|22|Pass"; fast_pattern; distance:0; nocase; content:"form-data|3b 20|name=|22|Recovery"; distance:0; nocase; content:"form-data|3b 20|name=|22|mobile"; distance:0; nocase; classtype:credential-theft; sid:2032652; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Android/Spy.Feabme.A Query"; dns.query; content:"tinduongpho.com"; depth:15; fast_pattern; endswith; nocase; reference:md5,3ae3cb09c8f54210cb4faf7aa76741ee; reference:url,blog.trustlook.com/2015/07/08/most-successful-malware-on-google-play/; classtype:trojan-activity; sid:2021412; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_07_14, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Discover Phish M3 2016-12-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"first="; depth:6; nocase; content:"&last="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&Phone="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&jsenabled="; nocase; distance:0; classtype:credential-theft; sid:2032667; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"v8.f1122.org"; depth:12; fast_pattern; nocase; endswith; classtype:trojan-activity; sid:2021443; rev:5; metadata:created_at 2015_07_20, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Mirrored Website Comment Observed"; flow:established,to_client; file.data; content:"<!-- Mirrored from "; content:"by HTTrack Website Copier/"; distance:0; classtype:trojan-activity; sid:2018302; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; threshold:type both,track by_src,count 10,seconds 120; dns.query; content:"GroUndHog.MapSnode.CoM"; depth:22; fast_pattern; nocase; endswith; classtype:command-and-control; sid:2021444; rev:5; metadata:created_at 2015_07_20, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-18"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"<html>"; startswith; content:"<title>Mail Verification</title><script src=|27|http|3a 2f 2f|"; content:!"google."; within:20; content:"/google_analytics_auto.js|27|></script>"; distance:0; within:100; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|"; distance:0; fast_pattern; reference:url,app.any.run/tasks/654f09ca-352f-4d7a-a8eb-ce49c88b4f58/; classtype:credential-theft; sid:2033001; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (drometic.suroot.com)"; dns.query; content:"drometic.suroot.com"; depth:19; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021576; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M1"; flow:established,to_client; file.data; content:"|3c|title|3e 3c 2f|title|3e 3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon"; fast_pattern; content:"|3c 2f|div|3e 3c|script|3e|eval|28|function|28 24|"; distance:0; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27|"; distance:0; content:!":<script>"; distance:0; content:"|3c 2f|script|3e 3c 2f|body|3e 3c 2f|html|3e 0a|"; endswith; content:!"|0d 0a|"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033036; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (docume.sysbloger.com)"; dns.query; content:"docume.sysbloger.com"; depth:20; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021577; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M1"; flow:established,to_client; http.content_type; content:"/javascript"; file.data; content:"eval|28|function|28 24|nbrut|2c|"; startswith; content:"function|28 24|charCode|29 20 7b|return|20 28 24|charCode|20|"; distance:0; content:"|3f 20|String|2e|fromCharCode|28|"; within:150; content:"|29 20 3a 20 24|charCode|2e|toString|28|"; within:50; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27 20 2b|"; distance:0; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ohio.sysbloger.com)"; dns.query; content:"ohio.sysbloger.com"; depth:18; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021578; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M2"; flow:established,to_client; file.data; content:"|3c|title|3e 3c 2f|title|3e 3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon|22 20 2f 3e 3c 2f|head|3e 3c|body|20|class|3d 22|"; content:"|3e 3c 2f|div|3e 3c|script|3e|document|2e|write|28|atob|28 27|PHNjcmlwdD52YXIgXzB4"; fast_pattern; within:200; content:!":<script>"; distance:0; content:"|27 29 29 3c 2f|script|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; content:!"|0d 0a|"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033049; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (specs.dnsrd.com)"; dns.query; content:"specs.dnsrd.com"; depth:15; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021579; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-24"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"2|0a|<html>"; startswith; content:"<title>|26 23|47700|3b 26 23|51068|3b 20 26 23|49444|3b 26 23|51221|3b 20 7c 20 26 23|51060|3b 26 23|47700|3b 26 23|51068|3b 20 26 23|50629|3b 26 23|44536|3b 26 23|47112|3b 26 23|51060|3b 26 23|46300|3b|</title><script src=|27|/google_analytics_auto.js|27|></script>"; distance:0; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; distance:0; reference:url,app.any.run/tasks/e878cb4f-4078-47c8-ac7c-59266940a68e/; classtype:social-engineering; sid:2033048; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (np3.Jkub.com)"; dns.query; content:"np3.Jkub.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021580; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M2"; flow:established,to_client; file.data; content:"var _0x"; startswith; content:"|3d 5b 22|"; distance:4; within:3; content:"|3b|var|20 5f|0x"; distance:0; content:"|3d|function|28|"; within:14; content:"|5b 78 3d 2b 78 5d 3b 76 6f 69 64 20 30 3d 3d 3d 5f 30 78|"; distance:18; within:19; fast_pattern; content:"|2e|replace|28 2f 3d 2b 24 2f 2c 22 22 29|"; distance:86; within:18; content:"return|20|decodeURIComponent|28|"; distance:0; classtype:credential-theft; sid:2033053; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (ns8.ddns1.com)"; dns.query; content:"ns8.ddns1.com"; depth:13; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021581; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M3"; flow:established,to_client; file.data; content:"|3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon|22 20 2f 3e|"; content:"document|2e|write|28|"; distance:0; content:"atob|28|"; within:40; content:"PHNjcmlwdD5ldmFsKGZ1bmN0aW9uKCRuYnJ1dCw"; within:150; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033063; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (books.mrface.com)"; dns.query; content:"books.mrface.com"; depth:16; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021582; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed UK Gov Support Landing 2021-06-01"; flow:established,from_server; file.data; content: "<title> Enter your Self Assessment Unique Taxpayer Reference|20 2d 20|Self|2d|Employment Income Support Scheme|20 2d 20|GOV.UK</title>"; fast_pattern; content:"width=device-width"; distance:0; content:"initial-scale=1"; distance:0; content:"viewport-fit=cover|22 3e|"; reference:url,app.any.run/tasks/b1fe8d30-2f22-4f84-bcc8-2643562a8765/; classtype:social-engineering; sid:2033062; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT SuperhardCorp DNS Lookup (kieti.ipsecsl.net)"; dns.query; content:"kieti.ipsecsl.net"; depth:17; nocase; endswith; fast_pattern; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021583; rev:5; metadata:created_at 2015_08_03, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Secure Email Portal Lure Landing Page"; flow:established,to_client; file.data; content:"|3c|tr|3e 3c|td|3e 3c|IMG|20|SRC|3d 22|"; content:"name|3d 22|submitButton|22 20|value|3d 22 20 20 20 20|Click|20|to|20|read|20|message|20 20 20 20 22 3e|"; fast_pattern; content:"|3b 20|text|2d|align|3a 20|center|3b 22 3e 20 20 3c|A|20|HREF|3d 22 22|"; content:!"|2f|formpostdir|2f|safeformpost|2e|aspx|22 3e|"; classtype:credential-theft; sid:2033064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_06_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; threshold:type limit,track by_src,count 3,seconds 60; dns.query; content:"s-p-o-o-f-e-d.h-o-s-t.name"; depth:26; fast_pattern; nocase; endswith; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:5; metadata:created_at 2015_08_19, former_category CURRENT_EVENTS, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-22"; flow:established,to_client; file.data; content:"<title>L|26 23|79|3b|G|20 26 23|73|3b 26 23|78|3b 20|</title>"; fast_pattern; content:"action=need1.php"; distance:0; content:"name=pfw"; distance:0; content:"method|3d|post|3e|"; distance:0 ; reference:url,app.any.run/tasks/fe8b5eb1-7aab-435f-9795-456983adc07e/; classtype:social-engineering; sid:2033155; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger DNSTunnel DNS Lookup (xssok.blogspot.com)"; dns.query; content:"xssok.blogspot.com"; depth:18; nocase; endswith; fast_pattern; reference:md5,2c65085e7c71fa2c02c9b65e9b747e5b; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021788; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-24"; flow:established,to_client; file.data; content:"<title>Red Link - BANCO DE LA NACION ARGENTINA</title>"; fast_pattern; content:"enctype|3d 22|multipart|2f|form|2d|data|22 20|"; distance:0; content:"id|3d 22|UserNameVerificationForm|22|"; distance:0; content:"name|3d 22|UserNameVerificationForm|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"action|3d 22|doLoginFirstStep.htm|22 3e|"; distance:0; reference:url,app.any.run/tasks/7ff1092c-4c9e-4915-933a-1f568b5ba83d; classtype:social-engineering; sid:2033187; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Gh0ST/PlugX/Various Backdoors DNS Lookup (gameofthrones.ddns.net)"; dns.query; content:"gameofthrones.ddns.net"; depth:22; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-25"; flow:established,from_server; file.data; content:"<title>Sign In</title>"; content:"role|3d 22|form|22|"; distance:0; content:"action|3d 22|squ.php|22|"; distance:0; content:"method|3d 22|post|22 3e|"; reference:url,app.any.run/tasks/a0625793-31c1-4538-a5c6-e213eb4b8128/; classtype:credential-theft; sid:2033215; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Likely PlugX DNS Lookup (chrome.servehttp.com)"; dns.query; content:"chrome.servehttp.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021793; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspicious TikTok Domain Request - Possible Phishing or Scam"; dns.query; content:"tiktok"; fast_pattern; pcre:"/(?:verify|support|account|copyright|help|verified|service|badge|verification|safety)?.{0,30}tiktok(?:verify|support|account|copyright|help|verified|service|badge|verification|safety)?.{0,30}(\.ml$|\.ga$|\.cf$|\.gq$|\.tk$|\.xyz$)/"; classtype:social-engineering; sid:2031492; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger Backdoor.GTalkTrojan DNS Lookup (update.gtalklite.com)"; dns.query; content:"update.gtalklite.com"; depth:20; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021794; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Known Scam/Phishing Domain"; dns.query; content:"creator-partners.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033463; rev:1; metadata:created_at 2021_07_27, former_category PHISHING, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Iron Tiger HTTPBrowser DNS Lookup (trendmicro-update.org)"; dns.query; content:"trendmicro-update.org"; depth:21; nocase; endswith; fast_pattern; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:trojan-activity; sid:2021795; rev:5; metadata:created_at 2015_09_17, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Microsoft Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"microsoft"; content:".github.io"; endswith; fast_pattern; content:!"microsoft.github.io"; depth:19; endswith; content:!"microsoftedge.github.io"; depth:23; endswith; classtype:policy-violation; sid:2027274; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2021_08_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-analysis.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021806; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OneDrive Phishing Landing Page 2021-08-09"; flow:established,from_server; file.data; content:"<title>|0d 0a 09|Files - OneDrive|0d 0a|</title>"; fast_pattern; content:"<form method|3d 22|post|22|"; distance:0; content:"action|3d 22|link.php|22|"; distance:0; reference:url,app.any.run/tasks/7d82fceb-ac0f-452a-9b37-4c87478f2df6; classtype:social-engineering; sid:2033696; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.icloud-diagnostics.com"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021807; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Zimbra Phishing Landing Page 2021-08-09"; flow:established,from_server; file.data; content:"<title>Zimbra Web Client Sign In</title>"; content:"<form method|3d 22|post|22|"; distance:0; content:"name|3d 22|loginForm|22|"; distance:0; content:"action|3d 22|mll.php|22|"; distance:0; fast_pattern; content:"accept-charset|3d 22|UTF-8|22|"; reference:url,app.any.run/tasks/bda22930-0bfb-4ccd-b5c4-26f526b8cba7; classtype:social-engineering; sid:2033697; rev:1; metadata:created_at 2021_08_09, former_category PHISHING, updated_at 2021_08_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE XCodeGhost DNS Lookup"; dns.query; content:"init.crash-analytics.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store; classtype:trojan-activity; sid:2021808; rev:5; metadata:created_at 2015_09_22, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; http.header; content:!"X-LI-UUID|3a|"; nocase; file.data; content:"<title"; nocase; content:"Sign In|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025338; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Naikon DNS Lookup (greensky27.vicp.net)"; dns.query; content:"greensky27.vicp.net"; depth:19; nocase; endswith; fast_pattern; reference:url,threatconnect.com/camerashy-resources/; classtype:trojan-activity; sid:2021831; rev:5; metadata:created_at 2015_09_24, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing 2021-06-29"; flow:established,from_server; file.data; content:"Webmail Login"; fast_pattern; content:"action|3d 22|process.php|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"target|3d 22 5f|top|22|"; distance:0; content:"style|3d 22|visibility|3a 22|>"; distance:0; reference:url,app.any.run/tasks/5fcdc0a0-7a79-4bcb-b2fb-3d358571d858/; classtype:social-engineering; sid:2033218; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Kemoge DNS Lookup"; dns.query; content:"aps.kemoge.net"; depth:14; fast_pattern; nocase; endswith; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021927; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2015_10_08, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom JS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/js/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.js\x27\x29\.then\x28(?:.{1,1000}themes\/js\/[a-f0-9]{42}\.js\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034002; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_09_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible PlugX DNS Lookup (googlemanage.com)"; dns.query; content:"googlemanage.com"; depth:16; nocase; endswith; fast_pattern; reference:url,volexity.com/blog/?p=179; classtype:trojan-activity; sid:2021935; rev:5; metadata:created_at 2015_10_08, updated_at 2020_09_17;)
+alert http any any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Checks if New Visitor"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|28|store|2e|getters|5b 27|"; fast_pattern; pcre:"/\w{1,255}\/\w{1,255}'\]\s*==\s*"\w{1,255}\"/Ri"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033999; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX or EvilGrab DNS Lookup (websecexp.com)"; dns.query; content:"websecexp.com"; depth:13; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/defending-the-white-elephant/; classtype:trojan-activity; sid:2021960; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Config Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"ID_CUS_SP_NBR_"; nocase; fast_pattern; content:"EMAILRESULT_NBR"; nocase; content:"LINKRE_RESULT"; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup (mailsecurityservice.com)"; dns.query; content:"mailsecurityservice.com"; depth:23; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2015/10/targeted-attacks-ngo-burma/; classtype:trojan-activity; sid:2021962; rev:5; metadata:created_at 2015_10_16, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Password-Processing URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"phishing-processor"; fast_pattern; content:".php"; distance:0; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"softupdates.info"; depth:16; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022121; rev:5; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Message Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"MS_TXT_LOGIN"; nocase; content:"ChangPass_"; nocase; content:"Login_"; nocase; content:"i18nGobal"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sofacy DNS Lookup"; dns.query; content:"drivres-update.info"; depth:19; nocase; endswith; fast_pattern; reference:md5,c3ae4a37094ecfe95c2badecf40bf5bb; classtype:targeted-activity; sid:2022122; rev:5; metadata:created_at 2015_11_19, former_category MALWARE, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.css\x27\x29\.then\x28(?:.{1,1000}themes\/css\/[a-f0-9]{42}\.css\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_10_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (alhadath.mobi)"; dns.query; content:"alhadath.mobi"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022148; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Landing Page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; nocase; content:".css"; nocase; distance:45; content:"themes/css/"; nocase; content:".css"; nocase; distance:45; content:"script nonce="; nocase; fast_pattern; content:"themes/"; nocase; content:".js"; nocase; distance: 42; content:"script nonce="; nocase; content:"themes/"; nocase; content:".js"; nocase; distance: 32; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034027; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (big-windowss.com)"; dns.query; content:"big-windowss.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022149; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Variable"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"init_notworkingbrowser"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (cacheupdate14.com)"; dns.query; content:"cacheupdate14.com"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022150; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cmd=login_submit&id="; fast_pattern; content:"session="; distance:0; reference:url,twitter.com/JCyberSec_/status/14474927402840268803112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.space)"; dns.query; content:"fbstatic-a.space"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022151; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishkit Landing Page M2"; flow:established,to_client; file.data; content:"|2e|php"; content:"onSubmit|3d 22|return|20|validateMyForm|28 29 3b 22|"; distance:0; content:"id|3d 27 5f|form|5f|"; distance:0; content:"enctype|3d 27|multipart|2f|form|2d|data|27|"; fast_pattern; distance:0; reference:md5,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034190; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-a.xyz)"; dns.query; content:"fbstatic-a.xyz"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022152; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishkit Landing Page M3"; flow:established,to_client; file.data; content:"url|3d|Thanks|2e|php|22|"; fast_pattern; content:"src|3d 22|images|2f|animation|5f|processing|2e|gif|22| alt|3d 22 22| title|3d 22 22|"; distance:0; reference:md5,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034191; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (fbstatic-akamaihd.com)"; dns.query; content:"fbstatic-akamaihd.com"; depth:21; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022153; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishkit Landing Page M1"; flow:established,to_client; file.data; content:"if|28 21|document|2e|getElementById|28 22|honeypot|22 29 2e|value|29|"; content:"|2e|php"; distance:0; content:"method|3d 22|post|22 20|id|3d 27 5f|form|5f|"; distance:0; content:"enctype|3d 27|multipart|2f|form|2d|data|27|"; fast_pattern; distance:0; content:"placeholder|3d 22|Username|22|"; distance:0; content:"placeholder|3d 22|Password|22|"; distance:0; reference:url,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2021_10_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (gmailtagmanager.com)"; dns.query; content:"gmailtagmanager.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022154; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M1 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; fast_pattern; content:"<h2>YOUR|20|CART<|2f|h2>"; content:"|20|EXTRA|20|BONUS|22|"; content:"An|20|agent|20|will|20|contact"; classtype:social-engineering; sid:2034232; rev:1; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz.link)"; dns.query; content:"haaretz.link"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022155; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M2 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; fast_pattern; content:"|22|>Upload|20|front|20|"; content:"Driver|20|License|20|ID|28|Bold"; classtype:social-engineering; sid:2034233; rev:1; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (haaretz-news.com)"; dns.query; content:"haaretz-news.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022156; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M3 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; content:"<strong>Wait&nbsp|3b 20|few|20|secs"; fast_pattern; content:"ID|20|to|20|uploaded"; classtype:social-engineering; sid:2034234; rev:2; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (heartax.info)"; dns.query; content:"heartax.info"; depth:12; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022157; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M4 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>EDD-Detr|20|Government|20|Stimulus"; fast_pattern; content:"|22|>Upload|20|front|20|"; content:"Driver|20|License|20|ID|28|Bold"; classtype:social-engineering; sid:2034235; rev:1; metadata:created_at 2021_10_21, former_category PHISHING, updated_at 2021_10_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (img.gmailtagmanager.com)"; dns.query; content:"img.gmailtagmanager.com"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022158; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING TodayZoo Phishing Kit GET M1"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//"; pcre:"/[\w\d]{8}\./Ri"; http.host; content:"|2e|ujsd|2e|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/; classtype:credential-theft; sid:2034250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (kernel4windows.in)"; dns.query; content:"kernel4windows.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022159; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING TodayZoo Phishing Kit GET M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/"; pcre:"/[\w\d]{8}/Ri"; http.host; content:"|2e|ujsd|2e|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/; classtype:credential-theft; sid:2034251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (main.windowskernel14.com)"; dns.query; content:"main.windowskernel14.com"; depth:24; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022160; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zoom.us Phish 2021-10-25"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://static.zoom.us"; bsize:22; fast_pattern; reference:md5,eb5994afdc8da491c862867784956a5b; classtype:credential-theft; sid:2034245; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (micro-windows.in)"; dns.query; content:"micro-windows.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022161; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session-error-active/"; content:"/config/?id="; fast_pattern; distance:0; content:"&ath="; distance:0; reference:md5,3a95182c1461c1f396795b328e879e4b; classtype:credential-theft; sid:2034273; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate15.com)"; dns.query; content:"mswordupdate15.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022162; rev:5; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/session-error-active/"; content:"/config/connect.php?id="; fast_pattern; distance:0; content:"&ath="; distance:0; http.request_body; content:"&profile.long_session="; distance:0; reference:md5,3a95182c1461c1f396795b328e879e4b; classtype:credential-theft; sid:2034274; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate16.com)"; dns.query; content:"mswordupdate16.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022163; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"url|3d 25|25"; fast_pattern; distance:0; content:"&mb_id="; distance:0; content:"&mb_password="; distance:0; reference:md5,9939c621f58183455bf56914c3957e51; classtype:credential-theft; sid:2034272; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mswordupdate17.com)"; dns.query; content:"mswordupdate17.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022164; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/languages/mode"; fast_pattern; content:".php?user="; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (mywindows24.in)"; dns.query; content:"mywindows24.in"; depth:14; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022165; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content: "POST"; http.referer; content:"/wp-content/languages/mode"; fast_pattern; http.uri; content:".php"; endswith; http.request_body; content:"user="; content:"&amount="; content:"&submit="; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch7-windows.com)"; dns.query; content:"patch7-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022166; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Debit Card or Check Data Exfil"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|d5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034329; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patch8-windows.com)"; dns.query; content:"patch8-windows.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022167; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Direct Deposit Payment Data Exfil"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|b5.php|22|"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (patchthiswindows.com)"; dns.query; content:"patchthiswindows.com"; depth:20; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022168; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Form"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; distance:0; content:".php"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"id|3d 22|edit|2d|submit|2d|pup|2d|efile|2d|provider|2d|search|22|"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (u.mywindows24.in)"; dns.query; content:"u.mywindows24.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022169; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citibank Phish 2021-11-10"; flow:established,to_server; flowbits:isset,ET.genericphish; http.uri; content:"/citi/"; nocase; fast_pattern; content:".php"; distance:0; http.host; content:".otzo.com"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (walla.link)"; dns.query; content:"walla.link"; depth:10; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022170; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Citibank Phish Landing Page"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<title>Citibank Online</title>"; nocase; content:"form|20|name|3d 22|undefined|22|"; fast_pattern; distance:0; content:"|2e|php|3f|sessionid"; distance:0; content:"|26|sslchannel|3d|true|22 20|method|3d 22|POST|22|"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034397; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wethearservice.com)"; dns.query; content:"wethearservice.com"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022171; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PlayerUnknown's Battlegrounds Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; distance:0; http.referer; content:"otzo.com"; distance:0; http.request_body; content:"email="; distance:0; content:"&password="; content:"&nick="; distance:0; content:"&playid="; fast_pattern; distance:0; content:"&phone="; distance:0; content:"&level="; distance:0; content:"&tier="; distance:0; content:"&rpt="; distance:0; content:"&rpl="; distance:0; content:"&platform="; distance:0; content:"&login=Facebook"; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (wheatherserviceapi.info)"; dns.query; content:"wheatherserviceapi.info"; depth:23; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022172; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ghayt_Zone Phishing Kit"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"INFORMATION"; content:"TELEGRAM|20 3a 20 40|ghayt|5f|Zone"; distance:0; fast_pattern; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034472; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowkernel.com)"; dns.query; content:"windowkernel.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022173; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Made And Morocco"; nocase; content:"Nourblog1"; fast_pattern; nocase; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-10patch.in)"; dns.query; content:"windows-10patch.in"; depth:18; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022174; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Made And Morocco"; nocase; content:"Nour|2e|blog1"; fast_pattern; nocase; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034476; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows24-kernel.in)"; dns.query; content:"windows24-kernel.in"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022175; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Coded By Noureddine Tkodar"; nocase; content:"Nourblog1"; fast_pattern; nocase; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034478; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-drive20.com)"; dns.query; content:"windows-drive20.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022176; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Images"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; pcre:"/\.(?:jpe?g|png|svg)$/"; classtype:credential-theft; sid:2034553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-india.in)"; dns.query; content:"windows-india.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022177; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Resources"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; pcre:"/\.(?:css|ttf|woff2?|js)$/"; classtype:credential-theft; sid:2034554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel.in)"; dns.query; content:"windowskernel.in"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022178; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Redirect"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:"/redirect-to-url.php?key="; distance:0; classtype:credential-theft; sid:2034555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-kernel.in)"; dns.query; content:"windows-kernel.in"; depth:17; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022179; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING BulletProofLink Phishkit Template"; flow:established,to_client; file_data; content:"<html><head></head><body><template id="; startswith; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}a-f0-9]{12}/R"; classtype:credential-theft; sid:2034556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowskernel14.com)"; dns.query; content:"windowskernel14.com"; depth:19; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022180; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Dropbox Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"_csp_external_script_nonce"; content:!"when_ready_configure_requirejs"; distance:0; content:!"DETERMINISTIC_MONKEY_CHECK"; distance:0; content:!"<title>Dropbox Status</title>"; classtype:social-engineering; sid:2025659; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowslayer.in)"; dns.query; content:"windowslayer.in"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022181; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com (set) 2016-02-02"; flow:to_server,established; urilen:1; flowbits:set,ET.weebly.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:".weebly.com"; fast_pattern; content:!"www.weebly.com"; depth:14; content:!"runumoviw.weebly.com"; classtype:social-engineering; sid:2032365; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_01_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windows-my50.com)"; dns.query; content:"windows-my50.com"; depth:16; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022182; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2022-01-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"banks"; fast_pattern; http.request_body; content:"username="; content:"&pin="; distance:0; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowssup.in)"; dns.query; content:"windowssup.in"; depth:13; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022183; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2022-01-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"banks"; fast_pattern; http.request_body; content:"username="; http.referer; content:"questions.html"; endswith; content:"&forgot_nextButton="; distance:0; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034895; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKittens DNS Lookup (windowsupup.com)"; dns.query; content:"windowsupup.com"; depth:15; nocase; endswith; fast_pattern; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:trojan-activity; sid:2022184; rev:6; metadata:created_at 2015_11_25, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2022-01-12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"adobe.php"; fast_pattern; endswith; http.referer; content:"callbackwsid"; reference:md5,b6fd669c9bb5e4e2469b00705f2bd678; classtype:credential-theft; sid:2034905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sakula DNS Lookup (inocnation.com)"; dns.query; content:"inocnation.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf; classtype:trojan-activity; sid:2022273; rev:5; metadata:created_at 2015_12_17, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phish Landing Page 2022-01-12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"to access this"; nocase; content:"adobe.php"; fast_pattern; distance:0; content:"id|3d 22|password|22|"; distance:0; content:"id|3d 22|fon|22|"; distance:0; content:"value|3d 22|View|20|PDF|20|Document|22|"; distance:0; reference:md5,b6fd669c9bb5e4e2469b00705f2bd678; classtype:credential-theft; sid:2034906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilGrab or APT.9002 DNS Lookup (secvies.com)"; dns.query; content:"secvies.com"; depth:11; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:targeted-activity; sid:2022355; rev:6; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Metawallet Phish Landing Page 2022-01-13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.host; content:".xyz"; endswith; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TrochilusRAT DNS Lookup (security-centers.com)"; dns.query; content:"security-centers.com"; depth:20; nocase; endswith; fast_pattern; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022356; rev:6; metadata:created_at 2016_01_13, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic DarkX Phish 2022-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wells-darkx"; fast_pattern; reference:url,twitter.com/hyperdefined/status/1481635709261914113; classtype:credential-theft; sid:2034937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsip.ru Domain"; dns.query; content:".dnsip.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022382; rev:5; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com (set)"; flow:to_server,established; urilen:1; flowbits:set,ET.moonfruit.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"moonfruit.com"; endswith; fast_pattern; content:!"www.moonfruit.com"; classtype:social-engineering; sid:2032096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyn-dns.ru Domain"; dns.query; content:".dyn-dns.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022383; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phish Landing Page 2022-01-31"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|Messages|20 7c 20|Linkedln|20 7c 20|Welcome|20|back|2e 2e 2e 3c 2f|title|3e|"; fast_pattern; nocase; reference:md5,05376d1db31ee300b1d567a91bcc22d5; classtype:credential-theft; sid:2035022; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dnsalias.ru Domain"; dns.query; content:".dnsalias.ru"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022381; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING lordspartner Phish Kit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lordspartner"; fast_pattern; reference:md5,712d4b9fe781b9ad6b24786b9d14389d; classtype:credential-theft; sid:2035033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dns-free.ru Domain"; dns.query; content:".dns-free.com"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2022384; rev:6; metadata:created_at 2016_01_20, former_category HUNTING, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DAWN Comment in Phish Landing Page 2022-02-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2f 24 24 24 24 24 24 24 20 20 20 2f 24 24 24 24 24 24 20 5c 20 5f 24 24 20 20 20 20 5f 24 5f 20 20 20 5f 24 24 5f 5f 20 20 5f|"; content:"|7c 5f 5f 5f 5f 5f 5f 5f 2f 20 7c 5f 5f 2f 20 20 7c 5f 5f 2f 20 7c 5f 5f 2f 20 20 20 20 5c 5f 5f 7c 20 7c 5f 5f 2f 20 20 5c 5f 5f 2f|"; fast_pattern; distance:0; reference:md5,a6848434487ce42102712c14f9c05e36; classtype:credential-theft; sid:2035034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (aynfksddnnfwkd)"; dns.query; content:".aynfksddnnfwkd"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022399; rev:5; metadata:created_at 2016_01_22, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2022-02-03"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"intuit"; content:".php"; distance:0; http.request_body; content:"pin"; fast_pattern; nocase; content:"&email="; distance:0; nocase; content:"&tel="; distance:0; nocase; content:"&SignUp="; distance:0; nocase; reference:md5,c8f50422c90b53d2d1aa253661e5b3df; classtype:credential-theft; sid:2035088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cryptolocker Payment Page (krfdnhfnsai3d)"; dns.query; content:".krfdnhfnsai3d"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022400; rev:5; metadata:created_at 2016_01_22, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Landing Page 2022-02-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"action|3d 22 26|lt|3b|grabberurl|26|gt|3b 22|"; fast_pattern; content:"type|3d 22|password|22|"; distance:0; content:"|2f 2f 27 2f|signin|2f|apple|27 3b|"; distance:0; reference:md5,b9463c897aa313f4beba94da35e0c83a; classtype:credential-theft; sid:2035100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 1"; dns.query; content:"9i7ffdgvffibow7.vrnserver.ru"; depth:28; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022411; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phish 2022-02-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/<grabberurl>"; fast_pattern; http.request_body; content:"&pass="; reference:md5,b9463c897aa313f4beba94da35e0c83a; classtype:credential-theft; sid:2035101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 6"; dns.query; content:"admin.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022416; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Standard Bank Login Phish 2022-02-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Sign in</title>"; content:"id|3d 22|sign|20|in|22 20|name|3d 22|Sign|20|in|20|with|20|your|20|Standard|20|Bank|20|ID|22|"; distance:0; content:"|3c|div|20|class|3d 22|ping|2d|header|22 3e|Sign|20|in|20|with|20|your|20|Standard|20|Bank|20|ID|3c 2f|div|3e|"; distance:0; content:"Don|27|t|20|have|20|a|20|Standard|20|Bank|20|ID|3f 20 3c|a|20|onclick|3d 22|login|2e|postRegistration|28 29 22 3e|Register|20|here|3c 2f|a|3e 3c 2f|div|3e|"; fast_pattern; distance:0; reference:md5,444401e72463904c6ccd11654e7cc789; classtype:credential-theft; sid:2035124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 15"; dns.query; content:"dolat.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022425; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed CloudFlare Interstitial Phishing Page"; flow:established,from_server; http.header; content:"|0d 0a|cf-request-id|3a 20|"; file_data; content:"<title>Suspected phishing site|20 7c 20|Cloudflare</title>"; fast_pattern; reference:url,blog.cloudflare.com/protecting-cloudflare-sites-from-phishing; classtype:bad-unknown; sid:2032321; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2022_02_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 16"; dns.query; content:"dolet.websurprisemail.com"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022426; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M1 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PIN/?Authentication-EMAIL="; fast_pattern; nocase; http.host; content:"monzo"; http.request_body; content:"email="; depth:6; reference:md5,0a7b616bf44cb13fe0080b0c2d61305c; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 17"; dns.query; content:"economy.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022427; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M2 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/EMAIL/?Authentication-EMAIL="; nocase; http.host; content:"monzo"; http.request_body; content:"pin_1=&pin_2=&pin_3=&pin_4=&confirmemail="; fast_pattern; depth:41; reference:md5,ac598a7113392e86e9f00847a0732713; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035213; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 20"; dns.query; content:"firefox.spdns.de"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022430; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M3 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"start.php"; bsize:10; http.host; content:"monzo"; fast_pattern; http.request_body; content:"number="; depth:7; reference:md5,21365ef60a95f7453779fbd315ef5ec6; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 24"; dns.query; content:"github.ignorelist.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022434; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Monzo Credential Phish Landing Page 2022-02-17"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=login&say=invalid_login&e=&username="; fast_pattern; depth:40; nocase; http.host; content:"monzo"; reference:md5,4b8c4160334f21dc7b64ef0a5292441d; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 25"; dns.query; content:"islam.youtubesitegroup.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022435; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-02-25"; http.stat_code; content:"200"; file.data; content:"|3c|script|20|type|3d 22|text|2f|javascript|22 3e|"; nocase; content:"window.location.hash"; nocase; distance:100; content:".substring"; nocase; distance:500; content:".split"; nocase; distance:200; content:"let|20|email|20 3d 20|window|2e|atob"; fast_pattern; nocase; distance:500; content:"window.atob"; nocase; distance:200; content:"window.location"; nocase; distance:200; content:".substring"; nocase; distance:500; content:"+email"; nocase; distance:500; content:"window.location"; nocase; distance:100; content:"</script>"; nocase; distance:100; classtype:credential-theft; sid:2035294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 26"; dns.query; content:"kissecurity.firewall-gateway.net"; depth:32; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022436; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (id .bigmir .space)"; dns.query; dotprefix; content:".id.bigmir.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 27"; dns.query; content:"liumingzhen.myftp.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022437; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (aplikacje .ron-mil .space)"; dns.query; dotprefix; content:".aplikacje.ron-mil.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 33"; dns.query; content:"opero.spdns.org"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022443; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (i .ua-passport .space)"; dns.query; dotprefix; content:".i.ua-passport.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 34"; dns.query; content:"otcgk.border.cloudns.pw"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022444; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (akademia-mil .space)"; dns.query; dotprefix; content:".akademia-mil.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 41"; dns.query; content:"webmail.yourturbe.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022451; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (akademia-mil .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".akademia-mil.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035299; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 45"; dns.query; content:"www.googmail.org"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022455; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (aplikacje .ron-mil .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".aplikacje.ron-mil.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 46"; dns.query; content:"www.gorlan.cloudns.pro"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022456; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (id .bigmir .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".id.bigmir.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 47"; dns.query; content:"www.uyghur.25u.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022457; rev:5; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (i .ua-passport .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".i.ua-passport.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarlet Mimic DNS Lookup 44"; dns.query; content:"zjhao.dtdns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2022461; rev:6; metadata:created_at 2016_01_27, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-email .space)"; dns.query; dotprefix; content:".creditals-email.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CustomRAT DNS lookup"; dns.query; content:"www729448908.f3322.org"; depth:22; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022473; rev:5; metadata:created_at 2016_01_29, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (ua-passport .space)"; dns.query; dotprefix; content:".ua-passport.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035317; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.ae.am domain"; dns.query; content:".ae.am"; fast_pattern; endswith; classtype:bad-unknown; sid:2012900; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mil-gov .space)"; dns.query; dotprefix; content:".mil-gov.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035318; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for a Suspicious *.qc.cx domain"; dns.query; content:".qc.cx"; fast_pattern; endswith; classtype:bad-unknown; sid:2012903; rev:7; metadata:created_at 2011_05_31, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-email .space)"; dns.query; dotprefix; content:".verify-email.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035319; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.absentvodka.com)"; dns.query; content:"updates.absentvodka.com"; depth:23; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022555; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-konta .space)"; dns.query; dotprefix; content:".weryfikacja-konta.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (updates.mintylinux.com)"; dns.query; content:"updates.mintylinux.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022556; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (konto-verify .space)"; dns.query; dotprefix; content:".konto-verify.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (eggstrawdinarry.mylittlerepo.com)"; dns.query; content:"eggstrawdinarry.mylittlerepo.com"; depth:32; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022557; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-uzytkownika .space)"; dns.query; dotprefix; content:".walidacja-uzytkownika.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Tsunami DNS Request (linuxmint.kernel-org.org)"; dns.query; content:"linuxmint.kernel-org.org"; depth:24; nocase; endswith; fast_pattern; reference:url,blog.linuxmint.com/?p=2994; classtype:trojan-activity; sid:2022558; rev:5; metadata:created_at 2016_02_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .space)"; dns.query; dotprefix; content:".kontrola-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suckfly/Nidiran Backdoor DNS Lookup"; dns.query; content:"microsoft-security-center.com"; depth:29; nocase; endswith; fast_pattern; reference:url,symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120123-5521-99; classtype:trojan-activity; sid:2022626; rev:5; metadata:created_at 2016_03_16, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-poczty .space)"; dns.query; dotprefix; content:".weryfikacja-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)"; dns.query; content:".ngrok.com"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022641; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-poczty .space)"; dns.query; dotprefix; content:".walidacja-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.io)"; dns.query; content:".ngrok.io"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022642; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (bigmir .space)"; dns.query; dotprefix; content:".bigmir.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.neokred domain - Likely Hostile"; dns.query; content:".neokred.org"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022643; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .site)"; dns.query; dotprefix; content:".mod-mil.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035327; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerShell/Agent.A DNS Lookup (go0gIe.com)"; dns.query; content:"go0gIe.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html; classtype:trojan-activity; sid:2022835; rev:5; metadata:created_at 2016_05_24, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirrohost .space)"; dns.query; dotprefix; content:".mirrohost.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035328; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious dynapoint.pw Domain"; dns.query; content:"dynapoint.pw"; depth:12; endswith; fast_pattern; classtype:bad-unknown; sid:2022876; rev:5; metadata:created_at 2016_06_08, former_category HUNTING, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .online)"; dns.query; dotprefix; content:".mirohost.online"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035329; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpovider.org)"; dns.query; content:".torpovider.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019981; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (meta-ua .space)"; dns.query; dotprefix; content:".meta-ua.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035330; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.org)"; dns.query; content:".torgateway.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019983; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .online)"; dns.query; dotprefix; content:".mod-mil.online"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bladetor.com)"; dns.query; content:".bladetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020107; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .site)"; dns.query; dotprefix; content:".kontrola-poczty.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bonytor.com)"; dns.query; content:".bonytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020108; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-mirohost .space)"; dns.query; dotprefix; content:".creditals-mirohost.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bortor.com)"; dns.query; content:".bortor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020109; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-mail .space)"; dns.query; dotprefix; content:".verify-mail.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (browsetor.com)"; dns.query; content:".browsetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020110; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .site)"; dns.query; dotprefix; content:".mirohost.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (door2tor.org)"; dns.query; content:".door2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020111; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-email .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".creditals-email.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (enter2tor.com)"; dns.query; content:".enter2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020112; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (ua-passport .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".ua-passport.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (jamator.com)"; dns.query; content:".jamator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020113; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mil-gov .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mil-gov.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion2web.com)"; dns.query; content:".onion2web.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020114; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-email .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verify-email.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.lt)"; dns.query; content:".onion.lt"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020115; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-konta .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".weryfikacja-konta.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay2tor.com)"; dns.query; content:".pay2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020117; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (konto-verify .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".konto-verify.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay4tor.com)"; dns.query; content:".pay4tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020118; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-uzytkownika .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".walidacja-uzytkownika.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035342; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (payrobotor.com)"; dns.query; content:".payrobotor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020119; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kontrola-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (poltornik.com)"; dns.query; content:".poltornik.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020120; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".weryfikacja-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (slavetor.com)"; dns.query; content:".slavetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020121; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".walidacja-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035345; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tanktor.com)"; dns.query; content:".tanktor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020122; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (bigmir .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".bigmir.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2pay.com)"; dns.query; content:".tor2pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020123; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mod-mil.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035347; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2www.com)"; dns.query; content:".tor2www.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020124; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirrohost .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirrohost.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035348; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (toralpacho.com)"; dns.query; content:".toralpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020127; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .online in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirohost.online"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torbama.com)"; dns.query; content:".torbama.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020128; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (meta-ua .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".meta-ua.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torchek.com)"; dns.query; content:".torchek.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020129; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .online in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mod-mil.online"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torexplorer.com)"; dns.query; content:".torexplorer.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020130; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kontrola-poczty.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforlove.com)"; dns.query; content:".torforlove.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020131; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-mirohost .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".creditals-mirohost.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torjam.com)"; dns.query; content:".torjam.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020132; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-mail .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verify-mail.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpacho.com)"; dns.query; content:".torpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020134; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirohost.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; dns.query; content:".torpaycash.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-03-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"method|3d 22|post|22 20|action|3d 22 2e 2f|index|2e|aspx|3f|code|3d|"; fast_pattern; content:"id|3d 22 5f 5f|VIEWSTATE|22|"; distance:0; content:"id|3d 22 5f 5f|VIEWSTATEGENERATOR|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035369; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycnf.com)"; dns.query; content:".torpaycnf.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020136; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Landing Page 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.aspx?code="; fast_pattern; pcre:"/[a-z0-9]{32}/Ri"; http.content_len; byte_test:0,>=,2000,0,string,dec; http.request_body; content:"__VIEWSTATE="; content:"&__VIEWSTATEGENERATOR="; distance:2000; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035377; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayeur.com)"; dns.query; content:".torpayeur.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020137; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Royal Bank of Canada Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgibin/rbaccess/"; fast_pattern; http.request_body; content:"username="; content:"&password="; distance:0; reference:md5,e29fe69e683c7c04e9b14e46cdfd2e17; classtype:credential-theft; sid:2035378; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayusd.com)"; dns.query; content:".torpayusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020138; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Credential Phish 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"username|3a 20|this|2e|email"; content:"password|3a 20|this|2e|password"; distance:0; content:"from|3a 20 22|Microsoft|20|Login|22|"; distance:0; content:"this|2e|error|20 3d 20 22|An|20|error|20|occured|2c 20|please|20|check|20|input|20|and|20|try|20|again|22 3b|"; distance:0; content:"this|2e|submitCount"; distance:0; content:"window|2e|location|2e|replace|28|"; distance:0; classtype:credential-theft; sid:2035453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torprivatebrowsing.org)"; dns.query; content:".torprivatebrowsing.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020139; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; file.data; content:"|22|https|3a 2f 2f|webhook.site/3cc37709-f3bd-47bf-8b79-f090f0e8075b"; fast_pattern; reference:url,blog.google/threat-analysis-group/update-threat-landscape-ukraine/; classtype:credential-theft; sid:2035405; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, malware_family APT28, malware_family Fancy_Bear, signature_severity Major, updated_at 2022_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsanctions.com)"; dns.query; content:".torsanctions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020140; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; file.data; content:"|22|https|3a 2f 2f|webhook.site/d466f7a7-63a1-4c04-8347-fe2d0a96081f"; fast_pattern; reference:url,blog.google/threat-analysis-group/update-threat-landscape-ukraine/; classtype:credential-theft; sid:2035406; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, malware_family APT28, malware_family Fancy_Bear, signature_severity Major, updated_at 2022_03_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsona.com)"; dns.query; content:".torsona.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020141; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-11"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.server; content:"nginx/1.19.1"; bsize:12; http.location; content:"load.php?id="; startswith; fast_pattern; classtype:credential-theft; sid:2035447; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torvsusd.com)"; dns.query; content:".torvsusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020142; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ping Identity Landing Page 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- template name: html.form.login.template.html -->"; content:"<!-- Configurable default behavior for the Remember Username checkbox -->"; content:"<!-- set the checkbox to unchecked -->"; content:"<title>Log in</title>"; content:"|24 2e|ajax"; content:"type|20 3a 20 27|POST|27 2c|"; content:"url|20 3a 20 27|files|2f|action|2e|php|3f|type|3d|login|27 2c|"; content:"data|20 3a 20 24 28 27 23|loginForm|27 29 2e|serialize|28 29 2c|"; content:"location|2e|href|20 3d 20 22|Loading|2e|php|22|"; content:"Ping Identity Corporation"; reference:md5,391dd3f15f5520a3bbfc654dbb3a4ac6; classtype:credential-theft; sid:2035454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwild.com)"; dns.query; content:".torwild.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020143; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Raiffeisen Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Raiffeisen ELBA-internet</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwinner.com)"; dns.query; content:".torwinner.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020144; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M1 July 24 2015"; flow:to_client,established; file_data; content:"<title>Document Shared</title>"; nocase; fast_pattern; content:"name=|22|GENERATOR|22 22|>"; nocase; distance:0; content:"name=|22|HOSTING|22 22|>"; nocase; distance:0; content:"Login with your email"; nocase; distance:0; content:"Choose your email provider"; nocase; distance:0; classtype:social-engineering; sid:2021535; rev:4; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (totortoweb.com)"; dns.query; content:".totortoweb.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020145; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Chase Online - Identification</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025674; rev:4; metadata:created_at 2015_12_01, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (vtorchike.com)"; dns.query; content:".vtorchike.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020146; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Sign in - Apple Store</title>"; nocase; fast_pattern; content:"function isemail|28|email|29|"; nocase; content:"Double-check that you typed a valid Apple ID."; nocase; content:"Double-check that you have typed the right password."; nocase; classtype:social-engineering; sid:2031715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (walterwtor.com)"; dns.query; content:".walterwtor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020147; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wire Transfer Phishing Landing 2015-11-19"; flow:established,from_server; file_data; content:"<TITLE>Foreign Transfer"; nocase; fast_pattern; content:"view Online TT Copy"; nocase; distance:0; content:"Online TT(CURRENCY"; nocase; distance:0; content:"Email Address"; nocase; distance:0; content:"Secure access"; nocase; distance:0; classtype:social-engineering; sid:2031700; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforall.com)"; dns.query; content:".torforall.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020183; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive</title>"; fast_pattern; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; classtype:social-engineering; sid:2025004; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torman2.com)"; dns.query; content:".torman2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020184; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M1"; flow:established,from_server; file_data; content:"<title>Google Docs</title>"; nocase; distance:0; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=number]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; content:"input[type=tel]"; nocase; distance:0; content:"signin-card #Email"; nocase; distance:0; content:"signin-card #Pass"; nocase; distance:0; classtype:social-engineering; sid:2025681; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwoman.com)"; dns.query; content:".torwoman.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020185; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Account Phishing Landing 2015-11-18"; flow:established,from_server; file_data; content:"<title>Verify Apple ID"; nocase; fast_pattern; content:"Please input a valid Email"; nocase; distance:0; content:"Your password is required"; nocase; distance:0; content:"Please sign in to verify"; nocase; distance:0; content:"iCloud Account"; nocase; distance:0; content:"Account Verification"; nocase; distance:0; classtype:social-engineering; sid:2031740; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torroadsters.com)"; dns.query; content:".torroadsters.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020186; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Horde Webmail Phish 2015-08-21"; flow:established,to_client; file_data; content:"<title>|2e 2e 3a 3a|Account Details"; fast_pattern; content:"Successfully Submitted|3a 3a 2e 2e|</title>"; distance:1; content:"Your request has been received"; distance:0; content:"and will be processed shortly."; distance:1; classtype:credential-theft; sid:2031726; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.gq)"; dns.query; content:".onion.gq"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020211; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern; classtype:social-engineering; sid:2021537; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaysolutions.com)"; dns.query; content:".torpaysolutions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020374; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2023888; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayoptions.com)"; dns.query; content:".torpayoptions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020375; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Horde Webmail Phishing Landing 2015-08-21"; flow:established,to_client; file_data; content:"<title>Mail |3a 3a 20|Welcome to Admin Portal</title>"; content:"Kindly update your information"; fast_pattern; distance:0; content:"Email Address"; distance:0; content:"Confirm Password"; distance:0; classtype:social-engineering; sid:2031725; rev:4; metadata:created_at 2015_08_21, former_category PHISHING, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torinvestment2.com)"; dns.query; content:".torinvestment2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020376; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M1 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:credential-theft; sid:2024997; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwillsmith.com)"; dns.query; content:".torwillsmith.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020377; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fake Webmail Account Phishing Landing 2015-09-10"; flow:established,to_client; file_data; content:"<title>Verify Your Account</title>"; fast_pattern; content:"ACCOUNT UPGRADE"; distance:0; content:"VERIFY YOUR WEBMAIL ACCOUNT"; distance:0; content:"Domain|5c|Username"; distance:0; content:"Department|3a|"; distance:0; content:"inconveniences"; distance:0; classtype:social-engineering; sid:2031696; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstorpay22.com)"; dns.query; content:".optionstorpay22.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020390; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:social-engineering; sid:2025656; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bananator.com)"; dns.query; content:".bananator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020391; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing 2015-08-14"; flow:to_client,established; file_data; content:"<title>Mailbox Added services</title>"; nocase; fast_pattern; content:"autorised email address"; nocase; distance:0; content:"complete this autorization"; nocase; distance:0; classtype:social-engineering; sid:2031722; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (monsterbbc.com)"; dns.query; content:".monsterbbc.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020395; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Fake Document Loading Error 2015-10-01"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; content:"Verifying Login, Please wait"; nocase; fast_pattern; distance:0; content:"Loading"; nocase; distance:0; content:"and collaborate documents"; nocase; distance:0; content:"Initializing"; distance:0; classtype:social-engineering; sid:2031697; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tostotor.com)"; dns.query; content:".tostotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020400; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern; classtype:social-engineering; sid:2021538; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (trusteetor.com)"; dns.query; content:".trusteetor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020401; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Fake Mailbox Quota Increase Messages 2016-05-25"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; content:"Upgrading your mailbox"; nocase; fast_pattern; distance:0; content:"Upgrade Successful"; nocase; distance:0; content:"added to your mail quota"; nocase; distance:0; content:"//Do not edit below this line"; distance:0; nocase; classtype:social-engineering; sid:2031989; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionstopaytor33.com)"; dns.query; content:".solutionstopaytor33.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020402; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Metro Document Phishing Landing 2015-11-17"; flow:established,from_server; file_data; content:"invited to download DATASHEET"; nocase; content:"<title>Metro Download Online"; fast_pattern; nocase; content:"simplest and secure way"; nocase; distance:0; content:"view your documents and files"; nocase; distance:0; content:"View Document"; nocase; distance:0; content:"Confirm email address to download"; nocase; distance:0; classtype:social-engineering; sid:2031699; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.am)"; dns.query; content:".onion.am"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020404; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Page 2015-10-17"; flow:established,to_client; file_data; content:"<TITLE> DHL|7c 20|Trackinng</TITLE>"; nocase; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|rv|3a|32.0)"; nocase; distance:0; content:"fnSubmitOnEnter"; nocase; distance:0; classtype:social-engineering; sid:2031728; rev:4; metadata:created_at 2015_09_16, former_category PHISHING, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (batmantor.com)"; dns.query; content:".batmantor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020405; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Credential Phish - Loading Messages 2015-08-12"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; fast_pattern; content:"Contacting email provider"; nocase; distance:0; content:"Authenticating password for"; nocase; distance:0; content:"Authentication Success"; nocase; distance:0; content:"in spam list"; nocase; distance:0; content:"in fraudlent list"; nocase; distance:0; content:"Please Wait"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2031719; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (dogotor.com)"; dns.query; content:".dogotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020406; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phish Landing 2015-11-14"; flow:established,from_server; file_data; content:"<title>Adobe PDF</title>"; fast_pattern; nocase; content:"Adobe PDF Online"; nocase; distance:0; content:"You are not signed in yet"; nocase; distance:0; content:"Confirm your identity"; nocase; distance:0; content:"receiving email account to view document"; nocase; distance:0; classtype:social-engineering; sid:2031737; rev:4; metadata:created_at 2015_11_14, former_category PHISHING, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.glass)"; dns.query; content:".onion.glass"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020574; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Commonwealth Bank Phish Fake Error Page 2015-08-20"; flow:established,to_client; file_data; content:"MSHTML 10.00.9200.16750"; content:"You&nbsp|3b|already read this statement!"; fast_pattern; distance:0; content:"System Error Code"; distance:0; content:"CommBank technical departament"; distance:0; classtype:credential-theft; sid:2031724; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.direct)"; dns.query; content:".onion.direct"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020577; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fake Webmail Quota Phish 2015-09-10"; flow:established,to_client; file_data; content:"<title>SUCCESSFULLY VALIDATED</title>"; nocase; fast_pattern; content:"MAILBOX HAVE BEEN SUCCESSFULLY"; nocase; distance:0; content:"QUOTA HAVE BEEN SCHEDUELED"; nocase; distance:0; content:"WITHIN 24 HOURS"; nocase; distance:0; classtype:credential-theft; sid:2031727; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion Proxy Domain (connect2tor.org)"; dns.query; content:"connect2tor.org"; depth:15; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020617; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Survey Credential Phish 2015-08-12"; flow:to_client,established; file_data; content:"HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"<title>Survey Successful"; distance:0; nocase; fast_pattern; content:"Survey completed"; distance:0; nocase; content:"included in spam or fraudulent list."; distance:0; nocase; content:"email verification survey system."; distance:0; nocase; classtype:credential-theft; sid:2031720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torstorm.org)"; dns.query; content:".torstorm.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020618; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Sept 14 2015"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; fast_pattern; content:"<title>TRADE FILE</title>"; nocase; distance:0; content:"Sign In With Your Correct Email"; nocase; distance:0; classtype:social-engineering; sid:2025690; rev:6; metadata:created_at 2015_09_15, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bolistatapay.com)"; dns.query; content:".bolistatapay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020619; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Phish Landing 2015-10-23"; flow:established,from_server; file_data; content:"<title>Yahoo"; nocase; content:"You Have Been Signed Out"; fast_pattern; nocase; distance:0; content:"Yahoomail For Yahoo Security"; nocase; distance:0; content:"please Relogin"; nocase; distance:0; classtype:social-engineering; sid:2031688; rev:3; metadata:created_at 2015_10_22, former_category PHISHING, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (sshowmethemoney.com)"; dns.query; content:".sshowmethemoney.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020620; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-16"; flow:established,from_server; file_data; content:"Temporarily unable to load your account"; nocase; content:"Temporarily unable to load your account"; nocase; distance:0; content:"confirm your informations"; fast_pattern; nocase; distance:0; content:"fix this problem"; nocase; distance:0; content:"access to your account"; nocase; distance:0; reference:md5,ce07d8a671e2132f404e13ff8e1959b5; classtype:credential-theft; sid:2031687; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)"; dns.query; content:".optionstopaytos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020639; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zimbra Phish 2015-11-03"; flow:established,from_server; file_data; content:"<title>Thank You</title>"; fast_pattern; nocase; content:"enable us complete your security updates"; nocase; distance:0; content:"wrongly kindly click back"; nocase; distance:0; content:"resulting to the deactivation"; nocase; distance:0; classtype:credential-theft; sid:2031689; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (cheetosnotburitos.com)"; dns.query; content:".cheetosnotburitos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020640; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing 2015-11-14"; flow:established,from_server; file_data; content:"<title>DHL |7c| EzyBill</title>"; fast_pattern; nocase; content:"GlobalEzybill"; nocase; distance:0; content:"NOW YOUR BILLS ARE JUST"; nocase; distance:0; content:"receivable parcel in real time"; nocase; distance:0; content:"Dispute your invoices online"; nocase; distance:0; classtype:social-engineering; sid:2031739; rev:4; metadata:created_at 2015_11_14, former_category PHISHING, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionsketchupay.com)"; dns.query; content:".optionsketchupay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020641; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Phish M3 2016-07-11"; flow:from_server,established; file_data; content:"<title>Verifying |7c| Authentication"; nocase; fast_pattern; content:"<META HTTP-EQUIV="; nocase; distance:0; content:"refresh"; distance:1; within:8; nocase; content:"You have been logged"; nocase; distance:0; content:"view shared files"; nocase; distance:0; classtype:credential-theft; sid:2031953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionsaccountor.com)"; dns.query; content:".solutionsaccountor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020642; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern; classtype:social-engineering; sid:2017135; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_07_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4free.org)"; dns.query; content:".tor4free.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020686; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern; classtype:social-engineering; sid:2021540; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tordomain.org)"; dns.query; content:".tordomain.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020703; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Common Multiple JS Unescape May 25 2017"; flow:from_server,established; file_data; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; content:"document.write(unescape(|27|"; nocase; fast_pattern; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; distance:0; content:"document.write(unescape(|27|"; nocase; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; classtype:social-engineering; sid:2025227; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (welcome2tor.org)"; dns.query; content:".welcome2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020704; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Account Phish 2015-09-02"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"Outlook Web Validation Successful"; distance:0; content:"email details correctly|3b|"; distance:0; content:"wrongly kindly click"; distance:0; content:"refill in details"; distance:0; classtype:credential-theft; sid:2031685; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (clusterpaytor.com)"; dns.query; content:".clusterpaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021190; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phishing Landing Aug 11 2015"; flow:to_client,established; file_data; content:"<title>Email Service Provider</title>"; nocase; fast_pattern; content:"<title>Signin</title>"; nocase; distance:0; classtype:social-engineering; sid:2025665; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (statepaytor.com)"; dns.query; content:".statepaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021191; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>FedEx|20 7c 20|Login Page</title>"; fast_pattern; content:"form name=|22|logonForm|22|"; content:"method=|22|POST|22|"; distance:1; content:!"action=|22|/fcl/logon.do|22|"; distance:1; content:"onsubmit=|22|addWSSInfo|28|username.value|29 3b 22 3e|"; distance:1; classtype:social-engineering; sid:2031714; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (paypartnerstodo.com)"; dns.query; content:".paypartnerstodo.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022041; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern; classtype:social-engineering; sid:2021539; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (allepohelpto.com)"; dns.query; content:".allepohelpto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022042; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"data-title=|22|Need a new Password?|22|>"; fast_pattern; nocase; content:"We|27|ll contact your admin to reset the password for|3a|"; nocase; distance:0; content:"We notified your admin to reset your password."; nocase; distance:0; content:"Now you'll need to wait until they do"; nocase; distance:0; content:"(or go ask them nicely, yourself)."; nocase; distance:0; content:"Once your admin resets your password"; nocase; distance:0; content:"you should receive an email with steps to login."; nocase; distance:0; classtype:social-engineering; sid:2031690; rev:5; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (marketcryptopartners.com)"; dns.query; content:".marketcryptopartners.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022043; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Phishing Landing 2015-11-05"; flow:established,from_server; file_data; content:"<script language=|22|javascript|22| type=|22|text/javascript|22|>var "; depth:57; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"var o1,o2,o3,h1,h2,h3,h4,bits,i"; fast_pattern; distance:0; classtype:social-engineering; sid:2031698; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (partnersinvestpayto.com)"; dns.query; content:".partnersinvestpayto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022044; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M2"; flow:established,from_server; file_data; content:"Welcome to Google Docs"; nocase; fast_pattern; content:"Upload and Share Your Documents Securely"; nocase; distance:0; content:"Enter your email"; nocase; distance:0; content:"Enter a valid email"; nocase; distance:0; content:"Enter your password"; nocase; distance:0; content:"Sign in to view attachment"; nocase; distance:0; content:"Access your documents securely"; nocase; distance:0; classtype:social-engineering; sid:2025680; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (effectwaytopay.com)"; dns.query; content:".effectwaytopay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022046; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2015-11-14"; flow:established,from_server; file_data; content:"<title>PDF ONLINE</title>"; fast_pattern; nocase; content:"Document Has Been Removed"; nocase; distance:0; classtype:credential-theft; sid:2031738; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tormaster.fr)"; dns.query; content:".tormaster.fr"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022645; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TA422 Credential Phish 2022-03-17 M1"; flow:established,to_server; http.method; content:"POST"; http.host; content:"webhook.site"; bsize:12; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035520; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.li)"; dns.query; content:".torgateway.li"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022646; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TA422 Credential Phish 2022-03-17"; flow:established,to_server; http.method; content:"POST"; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BartCrypt Payment DNS Query to .onion proxy Domain (khh5cmzh5q7yp7th)"; dns.query; content:".khh5cmzh5q7yp7th"; fast_pattern; endswith; nocase; classtype:trojan-activity; sid:2022947; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; bsize:10; http.referer; content:"login.php"; endswith; http.host; content:".duckdns.org"; http.request_body; content:"email="; startswith; content:"&password="; distance:0; content:"&link_grup="; distance:0; reference:md5,221ce301229b990a02f433a0f2e25a18; classtype:credential-theft; sid:2035539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"g5wcesdfjzne7255.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022950; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish 2022-03-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.host; content:"selcdn.ru"; endswith; http.request_body; content:"email=&password="; content:"&s_rememberMe=true"; fast_pattern; classtype:credential-theft; sid:2035540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Keydnap DNS Query to CnC"; dns.query; content:"r2elajikcosf7zee.onion.to"; depth:25; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:command-and-control; sid:2022951; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TROJAN_OSX_Keydnap, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&changing=Value"; nocase; endswith; classtype:credential-theft; sid:2032461; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Trojan-Banker.AndroidOS.Marcher.i Query"; dns.query; content:"tmdxiawceahpbhmb.com"; depth:20; nocase; endswith; fast_pattern; reference:md5,3c52de547353d94e95cde7d4c219ccac; classtype:trojan-activity; sid:2022975; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe PDF Online Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?e="; nocase; fast_pattern; pcre:"/\.php\?e=[a-zA-Z0-9+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/"; http.request_body; content:"p="; depth:2; nocase; content:"&submit="; nocase; endswith; classtype:credential-theft; sid:2032462; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (rapidcomments.com)"; dns.query; content:"rapidcomments.com"; depth:17; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Bank Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"cpf="; depth:4; nocase; content:"&senha="; nocase; distance:0; content:"&ok=continuar"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032463; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (bikessport.com)"; dns.query; content:"bikessport.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023021; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; fast_pattern; content:"&add="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&continue=Submit+Now"; nocase; endswith; classtype:credential-theft; sid:2032464; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (flowershop22.110mb.com)"; dns.query; content:"flowershop22.110mb.com"; depth:22; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; classtype:trojan-activity; sid:2023023; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BB&T Bank Phish 2016-12-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&input=Go"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032467; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (wildhorses.awardspace.info)"; dns.query; content:"wildhorses.awardspace.info"; depth:26; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023024; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"application/json"; file.data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; endswith; fast_pattern; classtype:credential-theft; sid:2025893; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply-wsu.ebizx.net)"; dns.query; content:"apply-wsu.ebizx.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023059; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkHotel, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-26"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&formtext1="; nocase; distance:0; content:"&formimage1.x=1&formimage1.y=1"; fast_pattern; nocase; endswith; classtype:credential-theft; sid:2026412; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkHotel DNS Lookup (apply.ebizx.net)"; dns.query; content:"apply.ebizx.net"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-made-cookles-with-a-darkhotel-overlap/; classtype:targeted-activity; sid:2023060; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"binance"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (aalaan .tv)"; dns.query; content:"aalaan.tv"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023093; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"ebay"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (accounts .mx)"; dns.query; content:"accounts.mx"; depth:11; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023094; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"webmail"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alawaeltech .com)"; dns.query; content:"alawaeltech.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"account"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (alljazeera .co)"; dns.query; content:"alljazeera.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023097; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"outlook"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararabiya .co)"; dns.query; content:"asrararabiya.co"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023098; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"dhl"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrararablya .com)"; dns.query; content:"asrararablya.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023099; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"docusign"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (asrarrarabiya .com)"; dns.query; content:"asrarrarabiya.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023100; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"facebook"; content:".github.io"; endswith; fast_pattern; content:!"facebook.github.io"; depth:18; endswith; classtype:policy-violation; sid:2027275; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bahrainsms .co)"; dns.query; content:"bahrainsms.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023101; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"paypal"; fast_pattern; content:".github.io"; endswith; content:!"paypal.github.io"; depth:16; endswith; classtype:policy-violation; sid:2027241; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (bulbazaur .com)"; dns.query; content:"bulbazaur.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023103; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"office"; fast_pattern; content:".github.io"; endswith; content:!"officedev.github.io"; classtype:policy-violation; sid:2027245; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (cnn-africa .co)"; dns.query; content:"cnn-africa.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023105; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"dhl"; nocase; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"pass="; nocase; distance:0; classtype:credential-theft; sid:2032505; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (damanhealth .online)"; dns.query; content:"damanhealth.online"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023106; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login_password="; depth:15; nocase; content:"&submit.x=Soumettre"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032561; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (emiratesfoundation .net)"; dns.query; content:"emiratesfoundation.net"; depth:22; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023107; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid="; depth:6; nocase; fast_pattern; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032573; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (fb-accounts .com)"; dns.query; content:"fb-accounts.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023108; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid2="; depth:7; nocase; fast_pattern; content:"&compw2="; nocase; distance:0; content:"&addr="; nocase; distance:0; classtype:credential-theft; sid:2032574; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icloudcacher .com)"; dns.query; content:"icloudcacher.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023110; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M3 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comname="; depth:8; nocase; fast_pattern; content:"&comnum="; nocase; distance:0; content:"&common="; nocase; distance:0; content:"&comy="; nocase; distance:0; content:"&comc="; nocase; distance:0; classtype:credential-theft; sid:2032575; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (icrcworld .com)"; dns.query; content:"icrcworld.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023111; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HBL Bank Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"tp="; depth:3; nocase; content:"&tp2="; nocase; distance:0; content:"&form6="; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032583; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (manoraonline .net)"; dns.query; content:"manoraonline.net"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023112; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NatWest Bank Phish M3 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"nwolb"; nocase; content:".aspx"; nocase; distance:0; content:".php"; nocase; endswith; http.header; content:"nwolb"; nocase; http.request_body; content:"c1="; nocase; content:"&c2="; nocase; distance:0; fast_pattern; content:"&c3="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032597; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mz-vodacom .info)"; dns.query; content:"mz-vodacom.info"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023113; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NAB Bank Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&sbt=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032599; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (newtarrifs .net)"; dns.query; content:"newtarrifs.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023114; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"mpp/"; content:".php"; nocase; endswith; distance:0; http.header; content:"mpp/"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032608; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ooredoodeals .com)"; dns.query; content:"ooredoodeals.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023115; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&SI=Verify"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032594; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (pickuchu .com)"; dns.query; content:"pickuchu.com"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023116; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032568; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (redcrossworld .com)"; dns.query; content:"redcrossworld.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023117; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032625; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sabafon .info)"; dns.query; content:"sabafon.info"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023118; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (1 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Next=Next"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032648; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smser .net)"; dns.query; content:"smser.net"; depth:9; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023119; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (3 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"phoneNumber="; depth:12; nocase; content:"&altemail="; nocase; distance:0; content:"&City="; nocase; distance:0; content:"&submitChallenge=Continue"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032650; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (sms .webadv.co)"; dns.query; content:"sms.webadv.co"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023120; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PDF Online Phish 2016-12-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"pdf"; nocase; content:".php"; nocase; endswith; http.request_body; content:"t1="; depth:3; nocase; content:"X1="; nocase; distance:0; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032726; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (topcontactco .com)"; dns.query; content:"topcontactco.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023121; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mpp/"; nocase; fast_pattern; content:".php"; nocase; endswith; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; pcre:"/^1=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032704; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (tpcontact .co.uk)"; dns.query; content:"tpcontact.co.uk"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023122; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&submit="; nocase; endswith; pcre:"/^username=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032700; rev:9; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (track-your-fedex-package .org)"; dns.query; content:"track-your-fedex-package.org"; depth:28; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023123; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder FreeMobile (FR) Phishing 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; fast_pattern; content:".php"; nocase; endswith; http.header; content:"free.fr"; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032703; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (turkishairines .info)"; dns.query; content:"turkishairines.info"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023125; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"adobe"; fast_pattern; content:".github.io"; endswith; content:!"adobe.github.io"; depth:15; endswith; content:!"adobe-fonts.github.io"; depth:21; endswith; content:!"adobe-type-tools.github.io"; depth:26; endswith; content:!"adobe-apiplatform.github.io"; depth:27; classtype:policy-violation; sid:2027249; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (uaenews .online)"; dns.query; content:"uaenews.online"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023126; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Redirect to Adobe Shared Document Phishing M3 2016-04-18"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pdf.adobe.cloud/"; fast_pattern; content:".php"; endswith; http.referer; content:".php"; endswith; classtype:social-engineering; sid:2032678; rev:10; metadata:attack_target Client_Endpoint, created_at 2016_04_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (univision .click)"; dns.query; content:"univision.click"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023127; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; distance:0; http.referer; content:".otzo.com/verification.php"; fast_pattern; endswith; http.request_body; content:"email="; distance:0; content:"&password="; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034412; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (whatsapp-app .com)"; dns.query; content:"whatsapp-app.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023129; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Phish 2021-11-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/my___fb/meme"; fast_pattern; startswith; content:".php"; endswith; http.request_body; content:"email="; content:"&pass="; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (y0utube .com.mx)"; dns.query; content:"y0utube.com.mx"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023130; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, malware_family Pegasus, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034045; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TorrentLocker DNS Lookup (bigcrashcar.net)"; dns.query; content:"bigcrashcar.net"; depth:15; nocase; endswith; fast_pattern; reference:url,welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf; classtype:trojan-activity; sid:2023142; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category TROJAN, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (collge .myq-see.com)"; dns.query; content:"collge.myq-see.com"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023257; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Banking Phish Landing Page 2022-01-11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"banks"; startswith; content:"pin.php"; fast_pattern; endswith; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Adwind DNS Lookup (sara2011 .no-ip.biz)"; dns.query; content:"sara2011.no-ip.biz"; depth:18; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023258; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com)"; flow:established,to_server; tls.sni; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035619; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Libyan Scorpions Netwire RAT DNS Lookup (wininit .myq-see.com)"; dns.query; content:"wininit.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,cyberkov.com/hunting-libyan-scorpions/; classtype:trojan-activity; sid:2023260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family Netwire_RAT, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-28"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"M09009944646.php"; endswith; fast_pattern; http.request_body; content:"user="; content:"pass="; distance:0; reference:md5,40eff169fa7b8cacdde4499290a57aa5; classtype:credential-theft; sid:2035628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (appleupdate .com)"; dns.query; content:"appleupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023299; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-03-29"; http.stat_code; content:"200"; http.content_len; byte_test:0,>=,68000,0,string,dec; file.data; content:!"<html>"; content:"<!-- ####### THIS IS A COMMENT - Visible only in the source editor #########-->"; content:"action="; pcre:"/\.php/Ri"; content:"name=|22|o8|22|"; fast_pattern; content:!"</html>"; reference:md5,60b2c87b34d51bb1ee2196d5b2db4c73; classtype:credential-theft; sid:2035647; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (apple-iclouds .net)"; dns.query; content:"apple-iclouds.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023300; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Social Media Credential Phish 2022-03-31"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php?nick="; fast_pattern; classtype:credential-theft; sid:2035688; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 Komplex DNS Lookup (itunes-helper .net)"; dns.query; content:"itunes-helper.net"; depth:17; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/; classtype:targeted-activity; sid:2023301; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family OSX_Komplex, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Redirection 2022-03-14"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"location|3a 20|Alert.php|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,07b9f93e06a83868a8b9ede2dff48346; classtype:credential-theft; sid:2035462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"bonmawp.at"; depth:10; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023331; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M1 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Bfrt4DSob5.ico"; fast_pattern; content:"|2e|php|22 20|enctype|3d 22|multipart|2f|form|2d|data|22|"; nocase; distance:0; content:"src|3d 22|poina|2e|png|22|"; distance:0; classtype:credential-theft; sid:2035759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CryptoWall/TeslaCrypt Payment Domain"; dns.query; content:"wallymac.com"; depth:12; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2023332; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, tag Ransomware, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M2 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|inzo|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035760; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed AgentTesla Domain Request"; dns.query; content:"agenttesla.com"; depth:14; nocase; endswith; fast_pattern; reference:md5,32f3fa6b80904946621551399be32207; classtype:trojan-activity; sid:2023354; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, malware_family Keylogger, malware_family AgentTesla, malware_family Backdoor, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M3 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"inzo"; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|cmzs|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftsupp .com)"; dns.query; content:"microsoftsupp.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023355; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Form with Action Value Equal to bit .ly"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form"; content:"action=|22|http://bit.ly"; fast_pattern; distance:0; classtype:credential-theft; sid:2035767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (aljazeera-news .com)"; dns.query; content:"aljazeera-news.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023356; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"vic_browser=n%2Fa&vic_os=n%2Fa&vic_screen=n%2Fa&vic_lang=n%2Fa&vic_flash=n%2Fa&vic_java=n%2Fa&vic_mime=n%2Fa&vic_plugins=n%2Fa&vic_fonts=n%2Fa"; depth:142; fast_pattern; content:"=Submit&login_name="; distance:0; content:"&pin="; distance:0; classtype:credential-theft; sid:2035933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ausameetings .com)"; dns.query; content:"ausameetings.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023357; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"=Submit&old_sortcode="; fast_pattern; classtype:credential-theft; sid:2035934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (bbc-press .org)"; dns.query; content:"bbc-press.org"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023358; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cnnpolitics .eu)"; dns.query; content:"cnnpolitics.eu"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023359; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"type=|22|password|22|"; distance:0; content:"window.screen.availWidth"; distance:0; content:"window.screen.availHeight"; within:40; content:"jscd.browser"; distance:0; content:"jscd.browserMajorVersion"; within:45; content:"jscd.browserVersion"; within:45; content:"jscd.os"; distance:0; content:"jscd.osVersion"; within:30; content:"jscd.screen"; distance:0; content:"avail_res"; within:50; content:"screen.colorDepth"; within:40; content:"screen.deviceXDPI"; within:45; content:"screen.deviceYDPI"; within:45; content:"language"; distance:0; content:"jscd|2e|flashVersion|3b|"; distance:0; content:"navigator.javaEnabled()"; distance:0; content:"mime"; distance:0; content:"plugins"; distance:0; content:"listFonts().join(',')"; distance:0; classtype:credential-theft; sid:2035936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailyforeignnews .com)"; dns.query; content:"dailyforeignnews.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023360; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dailypoliticsnews .com)"; dns.query; content:"dailypoliticsnews.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023361; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13"; flow:established,to_client; flowbits:isset,ET.sparkassephishlanding; http.stat_code; content:"200"; file.data; content:"type|3d 22|tel|22|"; distance:0; content:"Personal?sslchannel=true&sessionid="; fast_pattern; content:"sortcode"; classtype:credential-theft; sid:2035938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defenceiq .us)"; dns.query; content:"defenceiq.us"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023362; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jun 28 2017"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:!"https://*.paypal.com"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern; within:50; content:"</title>"; distance:0; classtype:social-engineering; sid:2025660; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (defencereview .eu)"; dns.query; content:"defencereview.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023363; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OWA Phishing Landing Page 2021-08-20"; flow:established,to_client; file.data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"<form action|3d 22|save.php|22|"; content:"method|3d 22|POST|22|"; distance:0; content:"name|3d 22|logonForm|22|"; distance:0; content:"id|3d 22|logonForm|22|"; distance:0; content:"enctype|3d 22|application/x-www-form-urlencoded|22|"; distance:0; content:"autocomplete|3d 22|off|22 3e|"; distance:0; reference:url,app.any.run/tasks/40a14763-96a6-4897-86c4-2b4693a0034b/; classtype:social-engineering; sid:2033748; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_20, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (diplomatnews .org)"; dns.query; content:"diplomatnews.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023364; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Credit Card Payment Data Exfil"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|c5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euronews24 .info)"; dns.query; content:"euronews24.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023365; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Metawallet Phish 2022-01-13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.request_body; content:"WoRd1="; content:"WoRd2="; distance:0; content:"WoRd3="; distance:0; content:"WoRd4="; distance:0; content:"WoRd5="; distance:0; content:"WoRd6="; distance:0; content:"WoRd7="; distance:0; content:"WoRd8="; distance:0; content:"WoRd9="; distance:0; content:"WoRd10="; distance:0; content:"WoRd11="; distance:0; content:"WoRd12="; distance:0; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (euroreport24 .com)"; dns.query; content:"euroreport24.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023366; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/proccess/log.php"; fast_pattern; http.request_body; content:"FromPreSignIn_SIP=Y"; content:"&RSA_DEVPRINT="; distance:0; content:"&QQ1="; distance:0; reference:md5,023f93be3b12f211c5db927f234290ad; classtype:credential-theft; sid:2035379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kg-news .org)"; dns.query; content:"kg-news.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023367; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CSIS Credential Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/policy/id1383729472034823098/United-States-Nonpaper-on-Iran.pdf/"; fast_pattern; http.referer; content:!"csis.org"; http.request_body; content:"email="; content:"password"; classtype:credential-theft; sid:2034255; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (military-info .eu)"; dns.query; content:"military-info.eu"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023368; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userType=&cod="; fast_pattern; content:"&pin="; distance:0; content:"&tel="; distance:0; classtype:credential-theft; sid:2036319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryadviser .org)"; dns.query; content:"militaryadviser.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Banca MPS"; content:"|3c|form|20|method|3d 22|POST|22 20|id|3d 22|includeCodUser|22 20|class|3d 22|margin|5f|login|5f|header|20|includeCodUser|20|dB|5f|box|5f|container|22 3e|"; nocase; distance:0; fast_pattern; content:"name=|22|userType|22|"; distance:0; content:"name=|22|cod|22|"; distance:0; content:"name=|22|pin|22|"; distance:0; content:"name=|22|tel|22|"; distance:0; content:"id=|22|loginOtp1|22|"; distance:0; classtype:credential-theft; sid:2036320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (militaryobserver .net)"; dns.query; content:"militaryobserver.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING IRS Credential Phish Domain in DNS Lookup (supportmicrohere .com)"; dns.query; dotprefix; content:".supportmicrohere.com"; nocase; endswith; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:misc-activity; sid:2036358; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-hq .com)"; dns.query; content:"nato-hq.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023371; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING IRS Credential Phish Domain in DNS Lookup (jbdelmarket .com)"; dns.query; dotprefix; content:".jbdelmarket.com"; nocase; endswith; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:misc-activity; sid:2036359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nato-news .com)"; dns.query; content:"nato-news.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023372; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful IRS Credential Phish 2022-04-25"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/geoAPIChecker/geochecker.php"; bsize:29; fast_pattern; http.content_type; content:"WebKitFormBoundary"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|ai|22|"; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|pr|22|"; distance:0; reference:url,resecurity.com/blog/article/cybercriminals-deliver-irs-tax-scams-phishing-campaigns-by-mimicking-government-vendors; classtype:credential-theft; sid:2036362; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natoint .com)"; dns.query; content:"natoint.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023373; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Tech Support/Refund Scam Landing Inbound 2022/04/25"; flow:established,from_server; content:"|20|-|20|Router|20|Login|20|-|20|"; fast_pattern; content:"and|20|IP|20|address.|20|Both|20|are|20|the|20|best|20|ways|20|to|20|login"; classtype:social-engineering; sid:2036337; rev:1; metadata:created_at 2022_04_25, former_category PHISHING, updated_at 2022_04_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (natopress .com)"; dns.query; content:"natopress.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023374; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"routeronspot.online"; fast_pattern; classtype:social-engineering; sid:2036338; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-info .com)"; dns.query; content:"osce-info.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023375; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"howtosetuprouter.com"; fast_pattern; classtype:social-engineering; sid:2036339; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (osce-press .org)"; dns.query; content:"osce-press.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023376; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"netgearnewextndersetup."; fast_pattern; classtype:social-engineering; sid:2036340; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (pakistan-mofa .net)"; dns.query; content:"pakistan-mofa.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023377; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"mywifiextnetsetup.net"; fast_pattern; classtype:social-engineering; sid:2036341; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicalreview .eu)"; dns.query; content:"politicalreview.eu"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023378; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"simplisafeloginn.com"; fast_pattern; classtype:social-engineering; sid:2036342; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (politicsinform .com)"; dns.query; content:"politicsinform.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023379; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"newextenderlogins.com"; fast_pattern; classtype:social-engineering; sid:2036343; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (reuters-press .com)"; dns.query; content:"reuters-press.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"dllinkaplo.com"; fast_pattern; classtype:social-engineering; sid:2036344; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (shurl .biz)"; dns.query; content:"shurl.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023381; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"routrelogn.net"; fast_pattern; classtype:social-engineering; sid:2036345; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (stratforglobal .net)"; dns.query; content:"stratforglobal.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate - X509v3 Alts (Tech Support/Refund Scam Landing)"; flow:from_server,established; content:"d-linksroutlocaal.co"; fast_pattern; classtype:social-engineering; sid:2036346; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag SocEng, updated_at 2022_04_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (thediplomat-press .com)"; dns.query; content:"thediplomat-press.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023383; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Credential Phish 2022-04-26"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/name.php"; bsize:9; http.referer; content:"invoice.html"; endswith; fast_pattern; http.header.raw; content:"X|2d|Requested|2d|With|3a 20|XMLHttpRequest"; http.request_body; content:"userName="; depth:9; content:"&password="; distance:0; classtype:credential-theft; sid:2036379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (theguardiannews .org)"; dns.query; content:"theguardiannews.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023384; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Credential Phish Landing Page 2022-04-26"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:100; content:")http://localhost:"; distance:0; fast_pattern; content:"microsoft_logo.svg"; distance:0; nocase; content:"Your account or password is incorrect. Please try again using your password."; distance:0; content:"type=|22|password|22|"; distance:0; content:"/index_files/home.js"; distance:0; classtype:credential-theft; sid:2036380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (trend-news .org)"; dns.query; content:"trend-news.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023385; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com)"; dns.query; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035618; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unian-news .info)"; dns.query; content:"unian-news.info"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023386; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.live"; nocase; bsize:31; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032763; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (unitednationsnews .eu)"; dns.query; content:"unitednationsnews.eu"; depth:20; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023387; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.xyz"; nocase; bsize:30; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032765; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (virusdefender .org)"; dns.query; content:"virusdefender.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023388; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established,to_client; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|"; distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033216; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldmilitarynews .org)"; dns.query; content:"worldmilitarynews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023389; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established,to_client; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|"; distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033217; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (worldpoliticsnews .org)"; dns.query; content:"worldpoliticsnews.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023390; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Client Cloaking Javascript Observed"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|html|3e 3c|head|3e 3c|script|20|src|3d 27|"; content:"Aes|2e|Ctr|2e|decrypt|28|"; nocase; fast_pattern; pcre:"/^(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*256\)\x3b/Ri"; content:"document|2e|write|28|output|29|"; distance:0; reference:url,unit42.paloaltonetworks.com/javascript-based-phishing/; classtype:credential-theft; sid:2033947; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (capisp .com)"; dns.query; content:"capisp.com"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023391; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-01-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"http|2d|equiv|3d|refresh"; content:"email="; distance:0; content:"&.rand=13InboxLight.aspx?n="; fast_pattern; distance:0; content:"&fid="; distance:0; content:"n="; distance:0; content:"&fid="; distance:0; content:"&fav="; distance:0; reference:md5,43ac0c5346bf8aefc0068c30a34b7d39; classtype:credential-theft; sid:2034928; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (dataclen .org)"; dns.query; content:"dataclen.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023392; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M5 2022-04-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"async.php"; endswith; http.referer; content:"?affId="; content:"&c1="; distance:0; content:"&c2="; distance:0; content:"&c3="; distance:0; http.request_body; content:"pageType=leadPage&method=importClick"; fast_pattern; classtype:credential-theft; sid:2036473; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (mscoresvw .com)"; dns.query; content:"mscoresvw.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023393; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Survey Credential Phish Landing Page 2022-04-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"plushLoaded"; content:"TP init"; distance:0; content:"/urlshort_test/uid_long="; distance:0; content:"exitClickHandler"; distance:0; content:"trackAnswer"; distance:0; content:"/survey/survey"; distance:0; fast_pattern; content:"setConversion"; distance:0; content:"setProductImpression"; distance:0; content:"setServerPixel"; distance:0; content:"trackProductClick"; distance:0; content:"loadSurveyQuestions"; distance:0; reference:md5,d4490a79d7192656f3c25258ef436291; classtype:credential-theft; sid:2036476; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowscheckupdater .net)"; dns.query; content:"windowscheckupdater.net"; depth:23; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023394; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M6 2022-04-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"async.php"; endswith; fast_pattern; http.referer; content:"?affId="; content:"&c1="; distance:0; content:"&c2="; distance:0; content:"&c3="; distance:0; http.request_body; content:"firstName="; content:"&lastName="; distance:0; content:"&address1="; distance:0; content:"&postalCode="; distance:0; content:"&city="; distance:0; content:"&phone="; distance:0; content:"&phoneNumber="; distance:0; content:"&emailAddress="; distance:0; content:"&cartId="; distance:0; content:"&orderItems="; distance:0; content:"&billShipSame="; distance:0; content:"&state="; distance:0; content:"&country="; distance:0; content:"&method=importLead"; distance:0; classtype:credential-theft; sid:2036474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (acledit .com)"; dns.query; content:"acledit.com"; depth:11; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023395; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M7 2022-04-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"async.php"; endswith; fast_pattern; http.referer; content:"/checkout.php"; http.request_body; content:"paySource=CREDITCARD"; content:"&browserData="; distance:0; content:"&cardNumber="; distance:0; content:"&cardSecurityCode="; distance:0; content:"&cardMonth="; distance:0; content:"&cardYear="; distance:0; content:"&method=importOrder"; distance:0; content:"&redirectsTo=thankyou.php"; distance:0; content:"&errorRedirectsTo="; distance:0; content:"&paySourceId="; distance:0; content:"&achAccountHolderType="; distance:0; content:"&achAccountType="; distance:0; content:"&achAccountNumber="; distance:0; content:"&achRoutingNumber="; distance:0; content:"&achNameOnCheck="; distance:0; content:"&iban="; distance:0; content:"&ddbic="; distance:0; content:"&accountHolder="; distance:0; content:"&orderItems="; distance:0; classtype:credential-theft; sid:2036475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (biocpl .org)"; dns.query; content:"biocpl.org"; depth:10; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf; classtype:targeted-activity; sid:2023396; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M1 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; isdataat:!33,relative; pcre:"/\/nrp=[a-f0-9]{32}$/"; http.request_body; content:"method=SetProductImpression&product="; content:"tracking_id="; distance:0; classtype:credential-theft; sid:2036460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE AndroRAT Bitter DNS Lookup (info2t .com)"; dns.query; content:"info2t.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/bitter-targeted-attack-against-pakistan; classtype:trojan-activity; sid:2023398; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_10_24, deployment Perimeter, malware_family AndroRAT, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M2 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; isdataat:!33,relative; pcre:"/\/nrp=[a-f0-9]{32}$/"; http.request_body; content:"method=SetConversion&survey="; content:"&campaign="; distance:0; content:"&source="; content:"&subid=subid"; distance:0; content:"&tracking_id="; distance:0; classtype:credential-theft; sid:2036461; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (ciscohelpcenter .com)"; dns.query; content:"ciscohelpcenter.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M3 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; http.request_body; content:"method=SetServerPixel&survey="; content:"&campaign="; distance:0; content:"&tracking_id="; content:"&token="; distance:0; content:"&nrp="; distance:0; pcre:"/nrp=[a-f0-9]{32}/"; content:"&returnedClient="; distance:0; classtype:credential-theft; sid:2036471; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (timezoneutc .com)"; dns.query; content:"timezoneutc.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Survey Credential Phish M4 2022-04-04"; flow:established,to_server; http.request_line; content:"POST /survey/survey"; startswith; fast_pattern; http.referer; content:"/survey"; content:"/source="; distance:0; content:"/subid="; distance:0; content:"/nrp="; distance:0; http.request_body; content:"method=SetProductClick&product="; content:"&tracking_id="; distance:0; classtype:credential-theft; sid:2036472; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (inteldrv64 .com)"; dns.query; content:"inteldrv64.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023409; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Cryptowallet Mining Pool Scam Landing Page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"d|20 3d 20|navigator|2e|userAgent"; content:"return|20|d|2e|includes|28 22|hbWallet|22 29 20 3f 20 22|"; content:"|22 20 3a 20|d|2e|includes|28 22|coinbase|22 29 20 3f 20 22|Coinbase"; content:"|22 20 3a 20|d|2e|includes|28 22|CriOS|22 29 20 3f 20 22|MetaMask"; fast_pattern; content:"|22 20 3a 20|d|2e|includes|28 22|imToken|22 29 20 3f 20 22|imToken"; content:"|22 20 3a 20|d|2e|includes|28 22|bitpie|22 29 20 3f 20 22|"; content:"|22 20 3a 20|d|2e|includes|28 22|TokenPocket|22 29 20 3f 20 22|TokenPocket"; classtype:credential-theft; sid:2036601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (advpdxapi .com)"; dns.query; content:"advpdxapi.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023410; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Axie Infinity Credential Phish M1 2022-05-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ronin.php"; bsize:10; http.request_body; content:"kos=Ronin+Wallet"; fast_pattern; classtype:credential-theft; sid:2036618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (cloudflarecdn .com)"; dns.query; content:"cloudflarecdn.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023411; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Axie Infinity Credential Phish M2 2022-05-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/meta.php"; bsize:9; http.request_body; content:"kos=MetaMask"; fast_pattern; classtype:credential-theft; sid:2036619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (driversupdate .info)"; dns.query; content:"driversupdate.info"; depth:18; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Axie Infinity Credential Phish Landing Page M3 2022-05-18"; http.request_line; content:"GET /"; startswith; http.host; content:"axieinfinity.com"; bsize:16; http.referer; content:"/tel.php"; endswith; reference:md5,f8aedfea2bb3f01e129cffc1e670645e; classtype:credential-theft; sid:2036621; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (kenlynton .com)"; dns.query; content:"kenlynton.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Axie Infinity Credential Phish Landing Page M2 2022-05-18"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3c|title|3e|Login|20 7c 20|Axie|20|Infinity|3c 2f|title|3e|"; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|tel|2e|php|22|"; distance:0; fast_pattern; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|meta|2e|php|22 3e|"; distance:0; reference:md5,f8aedfea2bb3f01e129cffc1e670645e; classtype:credential-theft; sid:2036620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsoftdriver .com)"; dns.query; content:"microsoftdriver.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Axie Infinity Credential Phish Landing Page M1 2022-05-18"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"|3c|title|3e|Login|20 7c 20|Axie|20|Infinity|3c 2f|title|3e|"; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|ronin|2e|php|22 3e|"; distance:0; fast_pattern; content:"|3c|form|20|method|3d 22|POST|22 20|action|3d 22 2f|meta|2e|php|22 3e|"; distance:0; reference:md5,f8aedfea2bb3f01e129cffc1e670645e; classtype:credential-theft; sid:2036617; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (microsofthelpcenter .info)"; dns.query; content:"microsofthelpcenter.info"; depth:24; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023415; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Spox Phishkit HTTP POST Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Login/Spox/Mail/Mail1"; endswith; http.request_body; content:"spox_b00T="; startswith; fast_pattern; content:"&username="; content:"&password="; content:"&spox="; content:"&token="; classtype:social-engineering; sid:2036629; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (nortonupdate .org)"; dns.query; content:"nortonupdate.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023416; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spox Phishkit Landing Page Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<!-- Meta BY Spox"; content:"<!-- ICONS BY Spox"; content:"href=|22|Spox/Files"; fast_pattern; classtype:social-engineering; sid:2036630; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (softwaresupportsv .com)"; dns.query; content:"softwaresupportsv.com"; depth:21; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023417; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mainnet.php?token="; fast_pattern; http.request_body; content:"adsad="; startswith; content:"&asdjdf="; classtype:social-engineering; sid:2036631; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (symantecsupport .org)"; dns.query; content:"symantecsupport.org"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023418; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-05-24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/get-001.php"; bsize:12; fast_pattern; http.request_body; content:"disini="; startswith; content:"&disana="; distance:0; reference:md5,07a19eb967e8de16aa8dc953d7186499; classtype:credential-theft; sid:2036668; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatecenter .name)"; dns.query; content:"updatecenter.name"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023419; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-05-24"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"get-001.php"; fast_pattern; content:"type|3d 22|email|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; classtype:credential-theft; sid:2036669; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_05_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updatesystems .net)"; dns.query; content:"updatesystems.net"; depth:17; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023420; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Credential Phish 2022-05-26"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"source=dropbox-office&email="; startswith; fast_pattern; content:"&password="; distance:0; reference:md5,5fbed67f70900d85754d690e2760fc1f; classtype:social-engineering; sid:2036701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (updmanager .com)"; dns.query; content:"updmanager.com"; depth:14; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023421; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Credito Emiliano Credential Phish Landing Page 2022-05-26"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|Mobile|20|Banking|20 2d 20|Accesso|3c 2f|title|3e|"; content:"jQuery|28 27 23|scadenza|27 29 2e|payform|28 27|formatCardExpiry|27 29 3b|"; fast_pattern; distance:0; content:"jQuery|28 27 23|carta|27 29 2e|payform|28 27|formatCardNumber|27 29 3b|"; distance:0; content:"method|3d 22|POST|22 20|action|3d 22|index|2e|php|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,ddae39f72f8e48fe26aa70dbbd8e660a; classtype:social-engineering; sid:2036702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sednit DNS Lookup (windowsappstore .net)"; dns.query; content:"windowsappstore.net"; depth:19; nocase; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023422; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-05-27"; flow:established,to_server; http.method; content:"POST"; http.referer; content:"|2e|xyz|2f|app|3f|"; fast_pattern; http.request_body; content:"name|3d 22|kontonummer|22|"; content:"name|3d 22|pin|22|"; distance:0; classtype:credential-theft; sid:2036707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"securityprotectingcorp.com"; depth:26; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023658; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_03, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ING Credential Phish Landing Page 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|ING|2d|DiBa|20|Internetbanking|20 2b 20|Brokerage|3c 2f|title|3e|"; content:"name|3d 22|kontonummer|22 20|value|3d 22|Exclusive|20|dynamic|20|migration|22|"; distance:0; fast_pattern; content:"name|3d 22|pin|22|"; distance:0; classtype:credential-theft; sid:2036708; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query"; dns.query; content:"bigdata.adups.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023515; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Faebook Credential Phish Landing Page M1 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Facebook Security</title>"; content:"id=|3d 22|u_0_c|22|"; distance:0; content:"<form action=|22|Login_to_Facebook.html|22| method=|22|POST|22|>"; fast_pattern; classtype:credential-theft; sid:2036709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 5"; dns.query; content:"rebootv5.adsunflower.com"; depth:24; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023519; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Phish Landing Page M2 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Facebook Security</title>"; content:"<form action=|22|MK1.php|22| method=|22|POST|22|>"; distance:0; fast_pattern;content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2036710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .about.jkub.com)"; dns.query; content:"www.about.jkub.com"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023523; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-05-27"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"class=|22|containerr|22|"; content:"<form action=|22|submit.php|22| method=|22|post|22|>"; distance:0; fast_pattern; content:"id=|22|password|22|"; distance:0; content:"id=|22|password2|22|"; distance:0; classtype:credential-theft; sid:2036711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_05_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .eleven.mypop3.org)"; dns.query; content:"www.eleven.mypop3.org"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023524; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Phish Landing Page M1 2022-06-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Facebook</title>"; content:"action|3d 22|bisadiatur|2e|php|22|"; distance:0; fast_pattern; reference:md5,66210bdd031b9e039c847ebbf356dd3c; classtype:credential-theft; sid:2036742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (www .backus.myftp.name)"; dns.query; content:"www.backus.myftp.name"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023525; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-06-01"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bisadiatur.php"; bsize:15; fast_pattern; http.request_body; content:"email="; startswith; content:"&password="; reference:md5,66210bdd031b9e039c847ebbf356dd3c; classtype:credential-theft; sid:2036743; rev:1; metadata:created_at 2022_06_01, former_category PHISHING, updated_at 2022_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KeyBoy DNS Lookup (tibetvoices .com)"; dns.query; content:"tibetvoices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/11/parliament-keyboy/; classtype:trojan-activity; sid:2023526; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_18, malware_family KeyBoy, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Phish Landing Page M2 2022-06-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|link|20|href|3d 22|https|3a 2f 2f|cdn|2e|jsdelivr|2e|net"; distance:0; content:"<title>Facebook</title>"; distance:0; content:"<!-- Example Code -->"; distance:0; content:"|2e|php|22 20|method|3d 22|post|22|"; distance:0; content:"<center><b>Your Account is Locked</b></center>"; distance:0; fast_pattern; content:"<!-- End Example Code -->"; distance:0; reference:md5,66210bdd031b9e039c847ebbf356dd3c; classtype:credential-theft; sid:2036762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (anonym.to)"; dns.query; content:".anonym.to"; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2023597; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-06-02"; flow:established,to_client; file.data;content:"id=|22|js-lotto|22|"; distance:0; content:"gift-zone.js"; distance:0; content:"Are you sure to collect this rewards?"; distance:0; fast_pattern; content:"action=|22|email.php|22|"; distance:0; content:"name=|22|email|22|"; distance:0; content:"type=|22|password"; distance:0; reference:md5,6cea149c8f2231dbe1643489dddff6ba; classtype:credential-theft; sid:2036763; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"microsoftfont.com"; depth:17; nocase; endswith; fast_pattern; classtype:targeted-activity; sid:2023666; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_09, cve url_researchcenter_paloaltonetworks_com_2016_12_unit42_let_ride_sofacy_groups_dealerschoice_attacks_continue_, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Cryptowallet Credential Phish Landing Page 2022-06-03"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"verify your wallet"; nocase; distance:0; content:"enter your passphrase"; nocase; distance:0; content:"send_Phrase.php"; distance:0; fast_pattern; reference:md5,64bf35b4188aceb0587d548d60cd5025; classtype:credential-theft; sid:2036830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_03, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"xpknpxmywqsr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023601; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Cryptowallet Credential Phish 2022-05-12"; flow:established,to_server; http.request_line; content:"POST /"; startswith; http.referer; content:!"trustwallet.com/"; content:!"metamask.io/"; http.request_body; content:"submitted=true&passphrase="; startswith; fast_pattern; reference:md5,4df173b9e3c2615141978e361c62815b; classtype:credential-theft; sid:2036593; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_05_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bwhrdaumwuvn.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023603; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Phish Landing Page 2022-06-08"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"bisadiatur"; fast_pattern; content:"martambuah"; content:"<center>For the safety and convenience of users,please verify</center>"; distance:0; content:"<center>your account immediately to avoid account being deactivated!</center>"; content:"Confirm that This is your account"; distance:0; classtype:credential-theft; sid:2036930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"bpmsfckfkrpr.support"; depth:20; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023604; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish M1 2022-06-08"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"bisadiatur"; fast_pattern; content:"php?button_location=settings&button_name="; distance:0; http.request_body; content:"da=&ta"; classtype:credential-theft; sid:2036931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"oornsduuwjli.tech"; depth:17; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/new-mirai-variant-with-dga/; classtype:trojan-activity; sid:2023605; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish M2 2022-06-08"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"valid.php?button_location=settings&button_name="; fast_pattern; http.request_body; content:"nd="; content:"&nm="; content:"&ny="; classtype:credential-theft; sid:2036932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kedbuffigfjs.online"; depth:19; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023632; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Credential Phish Landing Page 2022-06-09"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"DHL Express"; content:"/delivery/checkout/attach"; fast_pattern; content:"id=|22|full_name|22|"; distance:0; content:"id=|22|mail|22|"; distance:0; content:"id=|22|address1|22|"; distance:0; content:"id=|22|address2|22|"; distance:0; content:"id=|22|phone|22|"; distance:0; content:"id=|22|country|22|"; distance:0; content:"id=|22|zip|22|"; distance:0; content:"id=|22|city|22|"; distance:0; content:"id=|22|state|22|"; distance:0; classtype:credential-theft; sid:2036947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"srrys.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023633; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Credential Phish M1 2022-06-09"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/delivery/checkout/attach"; bsize:25; fast_pattern; http.cookie; content:"dhl_session="; startswith; http.request_body; content:"full_name="; startswith; content:"mail="; distance:0; content:"address1="; distance:0; content:"address2="; distance:0; content:"phone="; distance:0; content:"country="; distance:0; content:"zip="; distance:0; content:"city="; distance:0; content:"state="; distance:0; classtype:credential-theft; sid:2036948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"kciap.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023635; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Credential Phish M2 2022-06-09"; http.method; content:"POST"; http.uri; content:"/delivery/checkout/pay"; bsize:22; fast_pattern; http.cookie; content:"dhl_session="; startswith; http.request_body; content:"c_holdername="; startswith; content:"&creditCardNumber="; distance:0; content:"&c_expiration="; distance:0; content:"&c_csc="; distance:0; classtype:credential-theft; sid:2036949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"mziep.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023636; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page 2022-06-10"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"?home="; startswith; content:"&legitimation="; distance:0; content:"&kunde="; distance:0; file.data; content:"<title>Online Legimitation</title>"; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2036957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_10, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Mirai Botnet Domain Observed"; dns.query; content:"tr069.pw"; depth:8; nocase; endswith; fast_pattern; reference:url,blog.opendns.com/2016/12/13/query-volumes-mirai-dgas/; classtype:trojan-activity; sid:2023637; rev:5; metadata:attack_target Networking_Equipment, created_at 2016_12_13, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-06-13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Update/mobile.php"; endswith; fast_pattern; http.request_body; content:"question="; startswith; classtype:credential-theft; sid:2036974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NEODYMIUM Wingbird DNS Lookup (srv602 .ddns.net)"; dns.query; content:"srv602.ddns.net"; depth:15; nocase; endswith; fast_pattern; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023642; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family NEODYMIUM_Wingbird, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-06-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"EvilC0d3r/evilXlog.php"; fast_pattern; classtype:credential-theft; sid:2036975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (updatesync .com)"; dns.query; content:"updatesync.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023643; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-06-14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Masukakun"; fast_pattern; content:".php"; distance:0; http.request_body; content:"disini="; startswith; content:"&disana="; distance:0; classtype:credential-theft; sid:2036984; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (svnservices .com)"; dns.query; content:"svnservices.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023644; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Generic Phishing DNS Lookup (aberto .click2eat .co .il)"; dns.query; content:"aberto.click2eat.co.il"; nocase; bsize:22; reference:md5,ca00bf8163493c234c902434ff2695e4; classtype:credential-theft; sid:2036991; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (mynetenergy .com)"; dns.query; content:"mynetenergy.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023645; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Generic Phishing DNS Lookup (xn--sapeaunoticias-kjb .com .br)"; dns.query; content:"xn--sapeaunoticias-kjb.com.br"; nocase; bsize:29; reference:md5,ed6b29616384da0818667c7a40d27ff2; classtype:credential-theft; sid:2036992; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (windriversupport .com)"; dns.query; content:"windriversupport.com"; depth:20; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023646; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-06-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/app/"; bsize:5; http.referer; content:"/app/"; endswith; http.request_body; content:"cod="; startswith; fast_pattern; content:"&pin="; distance:0; content:"&tel="; distance:0; within:9; reference:md5,fd7fc36096e2d82ee399dd1ecaf834f5; classtype:credential-theft; sid:2037039; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (truecrypte .org)"; dns.query; content:"truecrypte.org"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023647; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GCash Credential Phish 2022-06-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/www.gcash.com.ph/gcash-login-web/"; bsize:34; fast_pattern; http.request_body; content:"number="; startswith; reference:md5,34ba622c5d2442f872ac5e34c22f5f44; classtype:credential-theft; sid:2037036; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (edicupd002 .com)"; dns.query; content:"edicupd002.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023648; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING GCash Credential Phish Landing Page 2022-06-17"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>GCash</title>"; nocase; content:"|3c|form|20|method|3d 22|post|22 20|name|3d 22|mnumber|22 20|onsubmit|3d 22|return|20|valid|28 29 22 3e|"; distance:0; nocase; fast_pattern; reference:md5,34ba622c5d2442f872ac5e34c22f5f44; classtype:credential-theft; sid:2037037; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (jourrapid .com)"; dns.query; content:"jourrapid.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023649; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-06-21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fmicode/"; startswith; fast_pattern; http.uri; content:".php"; reference:md5,6e58fc761e676b4bbf1d23eb73a43d2a; classtype:credential-theft; sid:2037048; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (true-crypte .website)"; dns.query; content:"true-crypte.website"; depth:19; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023650; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Credential Phish Landing Page M1 2022-06-21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"cloudcode.php"; fast_pattern; reference:md5,6e58fc761e676b4bbf1d23eb73a43d2a; classtype:credential-theft; sid:2037049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PROMETHIUM/StrongPity DNS Lookup (myrappid .com)"; dns.query; content:"myrappid.com"; depth:12; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/; reference:url,download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf; classtype:trojan-activity; sid:2023651; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, malware_family Truvasys, malware_family PROMETHIUM_StrongPity, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Credential Phish Landing Page M2 2022-06-21"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Enter the device unlock code"; nocase; content:"cloudcode.php"; distance:0; fast_pattern; reference:md5,6e58fc761e676b4bbf1d23eb73a43d2a; classtype:credential-theft; sid:2037050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice.B DNS Lookup (appexsrv .net)"; dns.query; content:"appexsrv.net"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family DealersChoice_B, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Phish Landing Page 2022-06-21"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"acesofacebook.php"; fast_pattern; reference:md5,0015e4b1c34540e52669176b841a8244; classtype:credential-theft; sid:2037051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"globalresearching.org"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023659; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Credential Phish 2022-06-21"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"frm-email="; startswith; content:"&frm-pass="; distance:0; content:"&frm-submit=View+Document"; distance:0; fast_pattern; content:"&frm-ac-tok="; distance:0; content:"&s-id=adobe-quote"; distance:0; reference:md5,05db4ca86704606a48cecc4d43562ca3; classtype:credential-theft; sid:2037052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"shcserv.com"; depth:11; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023660; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Phish OWA Credentials 2022-06-20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/office19/process-handler.php"; fast_pattern; http.request_body; content:"Email="; content:"&password="; reference:md5,02cf30398983560f6ff99f7f464a0c12; classtype:trojan-activity; sid:2037094; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_22, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2022_06_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobeupgradeflash.com"; depth:21; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023661; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Nedbank Phishing Domain"; dns.query; content:"ips-ac.in"; nocase; bsize:9; reference:md5,fea7f8afb1702315f20a90968dc8c191; classtype:trojan-activity; sid:2037100; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, signature_severity Major, updated_at 2022_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"gpufps.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023662; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nedbank Phishing Landing Page 2022-06-22"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"Access-Control-Allow-Origin"; content:"Access-Control-Allow-Methods"; content:"Access-Control-Allow-Headers"; http.response_body; content:"|3c 21|DOCTYPE html|3e 0d 0a 3c 21 2d 2d 20|saved from url|3d 28|0042|29|https|3a 2f 2f|secured|2e|nedbank|2e|co|2e|za|2f 20 2d 2d 3e|"; startswith; fast_pattern; content:"|3c 21 2d 2d 20|base|20|href|3d 22|https|3a 2f 2f|secured|2e|nedbank|2e|co|2e|za|2f 22 20 2d 2d 3e|"; distance:0; reference:md5,fea7f8afb1702315f20a90968dc8c191; classtype:trojan-activity; sid:2037101; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"adobe-flash-updates.org"; depth:23; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023663; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Emirates NBD Bank Credential Phish Landing Page 2022-06-23"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e 26 23|x45|3b 26 23|x6d|3b 26 23|x69|3b 26 23|x72|3b 26 23|x61|3b 26 23|x74|3b 26 23|x65|3b 26 23|x73|3b 26 23|x20|3b 26 23|x4e|3b 26 23|x42|3b 26 23|x44|3b 3c 2f|title|3e|"; content:"/dist/main.php"; distance:0; fast_pattern; classtype:credential-theft; sid:2037098; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"versiontask.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023664; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Emirates NBD Bank Credential Phish 2022-06-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dist/main.php"; bsize:14; fast_pattern; http.request_body; content:"loginForm=loginForm"; startswith; content:"&longitude="; distance:0; content:"&latitude="; distance:0; content:"&fingerprint="; distance:0; content:"&language="; distance:0; content:"&colorDepth="; distance:0; content:"&deviceMemory="; distance:0; content:"&screenResolution="; distance:0; content:"&hardwareConcurrency="; distance:0; content:"&timezone="; distance:0; content:"&pixelRatio="; distance:0; content:"&platform="; distance:0; content:"&username="; distance:0; content:"&username_hidden="; distance:0; content:"&loginPswd="; distance:0; content:"&action=First"; distance:0; content:"&javax.faces.ViewState="; distance:0; content:"&contextToken="; distance:0; classtype:credential-theft; sid:2037099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_23, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup"; dns.query; content:"webcdelivery.com"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platfor/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023665; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to OWA Phishing Domain"; dns.query; content:"survival.berserkerbrotherhood.org"; nocase; bsize:33; reference:md5,63851f42d89543f62287ded37808980f; classtype:credential-theft; sid:2037122; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/SEDNIT Uploader Variant DNS Lookup"; dns.query; content:"postlkwarn.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; reference:url,researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/; classtype:targeted-activity; sid:2023667; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Phish 2022-06-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/TO/api.php"; bsize:11; fast_pattern; http.request_body; content:"host="; startswith; content:"/TO&type="; distance:0; content:"&key="; distance:0; content:"&email="; distance:0; reference:md5,63851f42d89543f62287ded37808980f; classtype:credential-theft; sid:2037123; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher DNS Lookup"; dns.query; content:"rockybalboa.at"; depth:14; nocase; endswith; fast_pattern; reference:md5,d332560f1fc3e6dc58d94d6fa0dab748; reference:url,www.zscaler.com/blogs/research/android-marcher-now-posing-super-mario-run; classtype:trojan-activity; sid:2023709; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_01_09, deployment Perimeter, tag Android, updated_at 2020_09_17;)
+alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to ING Group Phishing Domain"; dns.query; content:"serrvices-dibalistservices.cyou"; nocase; bsize:31; reference:md5,fa9a4aa2c5529b5084e8da0324e97037; classtype:credential-theft; sid:2037125; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.bz"; depth:8; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; classtype:trojan-activity; sid:2023728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful ING Group Phish 2022-06-24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/app?"; startswith; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|kontonummer|22|"; fast_pattern; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|pin|22|"; distance:0; reference:md5,fa9a4aa2c5529b5084e8da0324e97037; classtype:credential-theft; sid:2037124; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (gtranm .com)"; dns.query; content:"gtranm.com"; depth:10; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023761; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to American Express Phishing Domain"; dns.query; content:"americanexpresslogin.empmenudigital.com"; nocase; bsize:39; reference:md5,8152a610e4f6283f73e670712a4f1620; classtype:credential-theft; sid:2037134; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28 DealersChoice DNS Lookup (zpfgr .com)"; dns.query; content:"zpfgr.com"; depth:9; nocase; endswith; fast_pattern; reference:url,malware.prevenity.com/2017/01/ataki-na-instytucje-rzadowe-grudzien.html; classtype:targeted-activity; sid:2023762; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_24, former_category MALWARE, malware_family APT28_DealersChoice, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful ANZ Internet Banking Phish 2022-06-23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Login.php"; bsize:10; http.request_body; content:"ip="; startswith; content:"&ua="; distance:0; within:18; content:"&customerRegistrationNumber="; distance:0; fast_pattern; content:"&password="; distance:0; reference:md5,f183214a549d5cd94920ffcc724fa6aa; classtype:credential-theft; sid:2037147; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX Backdoor Quimitchin DNS Lookup"; dns.query; content:"eidk.hopto.org"; depth:14; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/; reference:md5,e4744b9f927dc8048a19dca15590660c; classtype:trojan-activity; sid:2023763; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, malware_family Quimitchin, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sendinblue Credential Theft Landing Page 2022-06-28"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-Sib-Server"; file.data; content:"<title>"; pcre:"/(?:outlook|helpdesk|help desk)/Ri"; content:"</title>"; distance:0; content:"name|3d 22|EMAIL|22|"; content:"name|3d 22|LASTNAME|22|"; content:"name|3d 22|FIRSTNAME|22|"; content:"name|3d 22|email|5f|address|5f|check|22 20|value|3d 22 22|"; distance:0; fast_pattern; reference:md5,ba59d193ba95bd5140b8a272a88b79c5; classtype:credential-theft; sid:2037138; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (webfile .myq-see.com)"; dns.query; content:"webfile.myq-see.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023777; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Onedrive Credential Phish 2022-06-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoicees/khan_anti.php"; bsize:24; fast_pattern; http.request_body; content:"__EVENTTARGET="; startswith; content:"&__EVENTARGUMENT="; content:"&SideBySideToken="; content:"&__VIEWSTATE="; content:"&__VIEWSTATEGENERATOR="; content:"&__VIEWSTATEENCRYPTED="; content:"&__EVENTVALIDATION="; content:"&id="; reference:md5,909ce947aa4e2fd71b9b06730505096e; classtype:credential-theft; sid:2037209; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadmyhost .zapto.org)"; dns.query; content:"downloadmyhost.zapto.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023778; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Alibaba Phishing Domain (krikam .net)"; dns.query; content:"krikam.net"; nocase; bsize:10; reference:md5,cdbdc636cca7829fbea7211412eabbd8; classtype:credential-theft; sid:2037210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (help2014 .linkpc.net)"; dns.query; content:"help2014.linkpc.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023779; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Malicious SSL Certificate detected (Alibaba Phishing)"; flow:established,to_client; tls.cert_subject; content:"CN=krikam.net"; bsize:13; fast_pattern; reference:md5,cdbdc636cca7829fbea7211412eabbd8; classtype:credential-theft; sid:2037211; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (safara .sytes.net)"; dns.query; content:"safara.sytes.net"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023780; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+#alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to ING Bank Phishing Domain (servesrs -kontendiba .cyou)"; dns.query; content:"servesrs-kontendiba.cyou"; nocase; bsize:24; reference:md5,2649e4760e1bf4b569a19f8e85cdea71; classtype:credential-theft; sid:2037212; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (exportball .servegame.org)"; dns.query; content:"exportball.servegame.org"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023781; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-06-29"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Log In</title>"; content:"submit.php"; distance:0; content:"verbot"; distance:0; content:"name|3d 22|type|22 20|value|3d 22|login|22|"; distance:0; content:"name|3d 22|identifiant|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,a0e2bfde5e8cb5807ff9412a0de3891c; classtype:credential-theft; sid:2037157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (viewnet .better-than.tv)"; dns.query; content:"viewnet.better-than.tv"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023782; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Caixa Credential Phish 2022-06-29"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/caixa/"; content:".php"; distance:0; http.request_body; content:"verbot=&type=login&identifiant="; startswith; fast_pattern; content:"&password="; distance:0; reference:md5,a0e2bfde5e8cb5807ff9412a0de3891c; classtype:credential-theft; sid:2037158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (down .downloadoneyoutube.co.vu)"; dns.query; content:"down.downloadoneyoutube.co.vu"; depth:29; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023783; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Credential Phish 2022-06-28"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nam/Login/SubmitPage/"; startswith; fast_pattern; http.request_body; content:"Id="; content:"loginUser="; content:"passwd="; reference:md5,12ace3ae7720891eb01fdeb271dbae87; classtype:credential-theft; sid:2037213; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_29, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (netstreamag .publicvm.com)"; dns.query; content:"netstreamag.publicvm.com"; depth:24; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023784; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Sucessful Global Sources Credential Phish 2022-06-29"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/frx/GlobalSourcebb2/index.php"; bsize:30; fast_pattern; http.request_body; content:"email="; content:"password="; content:"sign_in="; content:"k_sign_in="; reference:md5,e1884c61386799f3e5892802127044a0; classtype:credential-theft; sid:2037237; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (subsidiaryohio .linkpc.net)"; dns.query; content:"subsidiaryohio.linkpc.net"; depth:25; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Sucessful Alibaba Credential Phish 2022-06-29"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploadalibaba/"; startswith; fast_pattern; content:"/next.php"; distance:0; http.request_body; content:"email="; content:"password="; reference:md5,866348daee59de7954e3ebce22b3508a; classtype:credential-theft; sid:2037238; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_30, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (helpyoume .linkpc.net)"; dns.query; content:"helpyoume.linkpc.net"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023787; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING BT Group Credential Phish Landing Page 2022-07-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>sign in</title>"; content:"action|3d 22 2f 2f|www|2e|weebly|2e|com|2f|weebly|2f|apps|2f|formSubmit|2e|php|22|"; distance:0; content:"BT ID or Email address"; nocase; distance:0; content:"Passw|2a 2a 2a|d"; nocase; distance:0; reference:md5,263a4cf0a25e8aa49386fb7b941e95f3; classtype:credential-theft; sid:2037254; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadtesting .com)"; dns.query; content:"downloadtesting.com"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023788; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Malicious SSL/TLS Certificate (PayPal Phish Landing)"; flow:from_server,established; tls.cert_subject; content:"CN=verify-paypal.authorizeddns.net"; fast_pattern; classtype:social-engineering; sid:2037249; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_01, deployment Perimeter, former_category MALWARE, signature_severity Critical, tag Phishing, updated_at 2022_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gameoolines .com)"; dns.query; content:"gameoolines.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023789; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Radobank Phishing Landing Page 2022-07-05"; http.method; content:"GET"; http.uri; content:"/rabo/home.php?pl=token&link="; startswith; fast_pattern; content:"&bid="; distance:0; content:"&callback="; distance:0; content:"&data="; distance:0; flow:established,to_server; reference:md5,d199df2fc57666e8a9618da0f1cd7b8b; classtype:credential-theft; sid:2037273; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (onlinesoft .space)"; dns.query; content:"onlinesoft.space"; depth:16; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023790; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PlayerUnknown's Battlegrounds Credential Phish Landing Page M1 2022-07-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>PUBG MOBILE"; content:"nama|2b 27 2e|php|27|"; fast_pattern; content:"onclick|3d 22|buka"; reference:md5,46e0b8b842a26565528fe090b99409f1; classtype:credential-theft; sid:2037263; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (newphoneapp .com)"; dns.query; content:"newphoneapp.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023791; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PlayerUnknown's Battlegrounds Credential Phish 2022-07-05"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pubg.php?user="; startswith; content:"&ref="; distance:0; http.request_body; content:"user_id=1&message_title=&description=&login=Facebook"; fast_pattern; reference:md5,46e0b8b842a26565528fe090b99409f1; classtype:credential-theft; sid:2037264; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (gamestoplay .bid)"; dns.query; content:"gamestoplay.bid"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023792; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PlayerUnknown's Battlegrounds Credential Phish Landing Page M2 2022-07-05"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"<title>PUBG MOBILE "; content:"nama|2b 27 2e|php|27|"; fast_pattern; content:"name|3d 22|user|5f|id|22 20|id|3d 22|userNickname|22 20|value|3d 22|1|22|"; distance:0; content:"name|3d 22|message|5f|title|22|"; distance:0; content:"name=|22|description|22|"; distance:0; content:"name|3d 22|login|22 20|value|3d 22|Facebook|22|"; distance:0; content:"type|3d 22|submit|22 20|value|3d 22|Log|20|In|22 20|id|3d 22|anonymousProcess|22|"; distance:0; reference:md5,46e0b8b842a26565528fe090b99409f1; classtype:credential-theft; sid:2037265; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (smartsftp .pw)"; dns.query; content:"smartsftp.pw"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023793; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Spox Phish Kit Landing Page 2022-07-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"action|3d 22|Crax|2f|Mail|2f|Mail1|22|"; content:"spox_b00T"; distance:0; fast_pattern; content:"name|3d 22|spox|22 20|value|3d 22|fuck|5f|you|5f|bot|22|"; classtype:credential-theft; sid:2037266; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxysupdates .com)"; dns.query; content:"galaxysupdates.com"; depth:18; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Navy Federal Credit Union Credential Phish Landing Page 2022-07-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Navy Federal Credit Union"; distance:0; content:"<h1>Verification process running...</h1>"; distance:0; fast_pattern; content:"<span>Confirm Your Card Details</span></h2>"; distance:0; content:"<!--******************-->"; distance:0; content:".php|22|"; content:"name|3d 22|Name|22|"; distance:0; content:"name|3d 22|Month|22|"; distance:0; content:"name|3d 22|Year|22|"; distance:0; content:"name|3d 22|CVV|22|"; distance:0; content:"name|3d 22|ATM|22|"; distance:0; content:"name|3d 22|SignIn|22|"; distance:0; reference:md5,4ac348fb32a7a37d184d381186962c5e; classtype:credential-theft; sid:2037267; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (galaxy-s .com)"; dns.query; content:"galaxy-s.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023795; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Phish 2022-07-05"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login-facebook.php"; bsize:19; fast_pattern; http.request_body; content:"correo="; startswith; content:"&password="; distance:0; reference:md5,ee663c82fe3d4788c107cdffe79b9d42; classtype:credential-theft; sid:2037268; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (datasamsung .com)"; dns.query; content:"datasamsung.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023796; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Caixa Credential Phish Landing Page 2022-07-05"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"caixa-vbvfinal"; fast_pattern; reference:md5,a77df3e0e5974e81682880ba1c17c8d8; classtype:credential-theft; sid:2037271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (progsupdate .com)"; dns.query; content:"progsupdate.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023797; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Caixa Credential Phish 2022-07-05"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"caixa-vbvfinal"; fast_pattern; http.request_body; content:"ID="; startswith; content:"&pin1="; distance:0; classtype:credential-theft; sid:2037272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (topgamse .com)"; dns.query; content:"topgamse.com"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023798; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Australian Government Credential Phish Landing Page 2022-07-06"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Sign-in - myGov</title>"; content:"Using your myGov sign in details"; distance:0; content:"action|3d 22|GesSndy|2e|php|22|"; distance:0; fast_pattern; reference:md5,617804a72c07214959840805bf3a7719; classtype:credential-theft; sid:2037278; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (bandtester .com)"; dns.query; content:"bandtester.com"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023799; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Australian Government Credential Phish 2022-07-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"GesSndy.php"; endswith; http.request_body; content:"&credentialType=20"; distance:0; content:"&_flowExecutionKey=e1s1"; distance:0; content:"&OWASP_CSRFTOKEN="; distance:0; reference:md5,617804a72c07214959840805bf3a7719; classtype:credential-theft; sid:2037279; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (speedbind .com)"; dns.query; content:"speedbind.com"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023800; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orange Credential Phish 2022-07-07"; flow:established,to_server; http.request_line; content:"POST|20|/front/login|20|"; startswith; fast_pattern; http.request_body; content:"|7b 22|force|22 3a 22|"; startswith; content:"|22 2c 22|login|22 3a 22|"; distance:0; reference:md5,4c80bc4f11a19f74c381d18b091a46b4; classtype:credential-theft; sid:2037280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_07, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ukgames .tech)"; dns.query; content:"ukgames.tech"; depth:12; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023801; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Credential Phish 2022-07-08"; http.method; content:"POST"; http.request_body; content:"frm-email="; startswith; content:"&frm-pass="; distance:0; content:"&frm-submit=View+Document"; distance:0; content:"&frm-ac-tok="; distance:0; content:"&s-id=adobe-quote"; distance:0; fast_pattern; reference:md5,0aeb593ed32002a9c73d358e7025eca6; classtype:credential-theft; sid:2037727; rev:1; metadata:created_at 2022_07_08, updated_at 2022_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .publicvm.com)"; dns.query; content:"wallanews.publicvm.com"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023802; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-07-08"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"isScLogin="; startswith; fast_pattern; content:"&scUserId="; distance:0; content:"&scUserPwd="; distance:0; content:"&id="; distance:0; content:"&id_sub1="; distance:0; content:"&id_sub2="; distance:0; content:"&password="; distance:0; classtype:credential-theft; sid:2037728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (wallanews .sytes.net)"; dns.query; content:"wallanews.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Phish 2022-07-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/journal/"; startswith; content:"request.php?"; distance:0; content:"&error&data="; distance:0; fast_pattern; http.request_body; content:"pass="; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,7c3b4a4a1843dfc318de2e9caee3c188; classtype:credential-theft; sid:2037742; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_11, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (noredirecto .redirectme.net)"; dns.query; content:"noredirecto.redirectme.net"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Phish 2022-07-10"; flow:established,to_server; http.request_line; content:"POST|20|/eng/sharepoint/app.php|20|"; fast_pattern; http.request_body; content:"email="; startswith; content:"&password="; distance:0; reference:md5,459f697565b0ff1f83d0d3fa9edc11cf; classtype:credential-theft; sid:2037751; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (dynamicipaddress .linkpc.net)"; dns.query; content:"dynamicipaddress.linkpc.net"; depth:27; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Midea Credential Phish Landing Page 2022-07-12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Midea"; content:"|3c|form|20|id|3d 22|bookAdd|22|"; distance:0; content:"aq.php"; distance:0; content:"id|3d 22|account|5f|name|22|"; distance:0; content:"name|3d 22|title|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; content:"id|3d 22|password|22 20|name|3d 22|name|22|"; distance:0; content:"onclick|3d 22|douSubmit|28 27|bookAdd|27 29 22|"; distance:0; fast_pattern; reference:md5,1f26e2b80c5dd30dbd6229e2e49280e1; classtype:credential-theft; sid:2037748; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (downloadlog .linkpc.net)"; dns.query; content:"downloadlog.linkpc.net"; depth:22; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Midea Credential Phish 2022-07-12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/aq.php?rec=insert"; fast_pattern; http.request_body; content:"title="; startswith; content:"&name="; distance:0; content:"&token="; distance:0; reference:md5,1f26e2b80c5dd30dbd6229e2e49280e1; classtype:credential-theft; sid:2037749; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (havan .qhigh.com)"; dns.query; content:"havan.qhigh.com"; depth:15; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023807; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Home/send/send_email.php"; endswith; fast_pattern; http.request_body; content:"email="; startswith; reference:md5,eb877755540c0c962dfa1129de579f6d; classtype:credential-theft; sid:2037756; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_13, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (kolabdown .sytes.net)"; dns.query; content:"kolabdown.sytes.net"; depth:19; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023808; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Home/send/send_password.php"; endswith; fast_pattern; http.request_body; content:"password="; startswith; reference:md5,eb877755540c0c962dfa1129de579f6d; classtype:credential-theft; sid:2037757; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_13, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (rotter2 .publicvm.com)"; dns.query; content:"rotter2.publicvm.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023809; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Home/send/send_phone.php"; endswith; fast_pattern; http.request_body; content:"identification="; startswith; content:"&phonenumber="; distance:0; reference:md5,eb877755540c0c962dfa1129de579f6d; classtype:credential-theft; sid:2037758; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_13, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DustySky Downeks/Quasar/other DNS Lookup (ftpserverit .otzo.com)"; dns.query; content:"ftpserverit.otzo.com"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/; classtype:trojan-activity; sid:2023810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, malware_family DustySky_related_implant, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Standard Bank Credential Phish 2022-07-12 M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Home/send/send_otp.php"; endswith; fast_pattern; http.request_body; content:"OTP="; startswith; reference:md5,eb877755540c0c962dfa1129de579f6d; classtype:credential-theft; sid:2037759; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_13, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE iKittens OSX MacDownloader DNS Lookup (officialswebsites .info)"; dns.query; content:"officialswebsites.info"; depth:22; nocase; endswith; fast_pattern; reference:url,iranthreats.github.io/resources/macdownloader-macos-malware/; classtype:trojan-activity; sid:2023877; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_02_07, deployment Perimeter, malware_family MacDownloader, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Credential Phish 2022-07-13"; flow:established,to_server; http.request_line; content:"POST|20 2f|themepark|2f|next|2e|php|20|"; startswith; fast_pattern; http.request_body; content:"email="; startswith; content:"&password="; distance:0; reference:md5,9da66e99dfa47eca7b5a5212eb53dd8e; classtype:credential-theft; sid:2037770; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_14, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spora Ransomware DNS Query"; dns.query; content:"spora.biz"; depth:9; nocase; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/spora-ransomware-works-offline-has-the-most-sophisticated-payment-site-as-of-yet/; reference:md5,41de296c5bcfc24fc0f16b1e997d9aa5; classtype:trojan-activity; sid:2023887; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful OWA Phish 2022-07-15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.request_body; content:"email="; startswith; content:"&password="; distance:0; content:"&submit.x=1&submit.y=1"; endswith; fast_pattern; reference:md5,f5ed323d2dfcc0cbbbb7986def3ca1e0; classtype:credential-theft; sid:2037775; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_15, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_15;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (websecuranalityc.com)"; dns.query; content:"websecuranalityc.com"; depth:20; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023894; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Phish Landing Page 2022-07-18"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Facebook"; content:"href='sat/"; distance:0; content:"href='maroc/Lili.css'"; distance:0; fast_pattern; content:"value='Fbm'"; distance:0; content:"name='email'"; distance:0; content:"name='pass'"; distance:0; content:"value='Log In'"; distance:0; reference:md5,2b91bb19c6d4e1ea9950fa2ea03d83b2; classtype:credential-theft; sid:2037783; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (liveskansys.com)"; dns.query; content:"liveskansys.com"; depth:15; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023895; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, former_category MALWARE, malware_family Qadars, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Coinbase Phish 2022-07-18"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sign-on/home.php?pl=token&link=coinbase&bid="; startswith; fast_pattern; http.cookie; content:"data|5f 5f 3d 7b 22|email|22 3a 22|"; startswith; content:"|22 2c 22|password|22 3a 22|"; distance:0; reference:md5,d885de3c2567972d2f045807f844b6d9; classtype:credential-theft; sid:2037790; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (iusacell-movil .com.mx)"; dns.query; content:"iusacell-movil.com.mx"; depth:21; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023898; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful RoundCube Phish 2022-07-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/roundcube/result.php"; bsize:21; fast_pattern; http.request_body; content:"_token="; startswith; content:"&email="; distance:0; content:"&password="; distance:0; reference:md5,02f3fe49fef32e6644d0434c26503878; classtype:credential-theft; sid:2037791; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smsmensaje .mx)"; dns.query; content:"smsmensaje.mx"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; reference:url,citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/; classtype:trojan-activity; sid:2023899; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_13, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Office 365 Phish 2022-07-19"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|7b 22|signal|22 3a 22|ok|22 2c 22|msg|22 3a 22|InValid|20|Credentials|22 2c 22|redirect|5f|link|22 3a 22|http"; startswith; fast_pattern; content:"|22 7d|"; endswith; reference:url,twitter.com/PhishStats/status/1549419416332427267; classtype:credential-theft; sid:2037788; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Qadars CnC DNS Lookup (zkdef09i7ola.net)"; dns.query; content:"zkdef09i7ola.net"; depth:16; fast_pattern; endswith; nocase; classtype:command-and-control; sid:2023932; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family Qadars, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2022-07-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/hotprofiles.ga/php.php"; bsize:23; fast_pattern; http.request_body; content:"USERNAME="; startswith; content:"&PASSWORD="; distance:0; reference:md5,059aee595eba1a5d14c6338c4804912d; classtype:credential-theft; sid:2037792; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_19, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"androidbak.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023935; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FedEx Phish 2022-07-20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mvn/FedEx/fdx.php"; bsize:18; fast_pattern; http.request_body; content:"passwd="; startswith; content:"&login="; distance:0; reference:md5,43b1f3cf17ee1c81aed0496754e488dd; classtype:credential-theft; sid:2037805; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"droidback.com"; depth:13; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023936; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Idaho Central CU Phish 2022-07-24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iccu/cu/Wealth/Planning/Investing/PrivateClient/process.php"; bsize:60; fast_pattern; http.request_body; content:"usernamex="; startswith; content:"&passwordx="; distance:0; reference:md5,b781afec991dad6f4d1515a061f4ee8f; classtype:credential-theft; sid:2037819; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"endpointup.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023937; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING AlaskaUSA FCU Phish 2022-07-24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/win/alaska/alaskausa/alaskausa/?save"; bsize:37; fast_pattern; http.referer; content:"/win/alaska/alaskausa/alaskausa/?password"; endswith; http.request_body; content:"password="; startswith; content:"&Log+In=Log+In"; endswith; reference:md5,efc213587aac5ed072f864f2afad0ae0; classtype:credential-theft; sid:2037820; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_25, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b DNS Lookup"; dns.query; content:"goodydaddy.com"; depth:14; nocase; endswith; fast_pattern; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023939; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Theft Landing Page 2022-07-26"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"database.php?loadlog=ok"; endswith; fast_pattern; reference:md5,e1f503c542de400a76e27d980e5d5b4a; classtype:credential-theft; sid:2037832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (chrome-up .date)"; dns.query; content:"chrome-up.date"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023953; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Theft Landing Page 2022-07-26"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"peta.php"; endswith; fast_pattern; http.request_body; content:"&pake="; content:"&_pw_sql="; distance:0; content:"&dummy-password="; distance:0; content:"&login_page_source=email-login"; distance:0; reference:md5,e1f503c542de400a76e27d980e5d5b4a; classtype:credential-theft; sid:2037833; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (timezone .live)"; dns.query; content:"timezone.live"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023954; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TA422 Credential Phish 2022-03-17 M2"; flow:established,to_server; http.method; content:"POST"; http.host; content:"pipedream.net"; bsize:13; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035521; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (servicesystem .serveirc.com)"; dns.query; content:"servicesystem.serveirc.com"; depth:26; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023955; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Landing Page - Excel Purchase Order Form"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"<form action|3d 22|"; content:"|2f|post.php|22|"; distance:0; content:"method|3d 22|post|22 3e|"; distance:0; content:"|3c|h3|20|id|3d 22|title|22 3e|Purchase|20|Order|20|Excel|20|Portal|3c 2f|h1|3e|"; within:300; fast_pattern; reference:url,app.any.run/tasks/cd930ac7-e716-42ac-a6ff-b24caffbcaffbc40d; classtype:credential-theft; sid:2037839; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2022_07_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (analytics-google .org)"; dns.query; content:"analytics-google.org"; depth:20; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023956; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-07-29"; flow:established,to_server; http.request_line; content:"POST|20|/html/signin.php|20|"; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; content:"&signin=Sign+in"; endswith; reference:md5,2f792e42691262b66a84a095858e3334; classtype:credential-theft; sid:2037871; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-adm .in)"; dns.query; content:"com-adm.in"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023957; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Set-Cookie"; flow:established,to_client; content:"Server|3a 20|nginx/"; content:"|0d 0a|Set-Cookie|3a 20|"; content:"=|22 22 3b 20|Domain="; distance:0; content:"|3b 20|expires=Thu, 01 Jan 1970 00:00:00 GMT|3b 3b 20|Path=/|0d 0a|"; fast_pattern; distance:0; pcre:"/Set-Cookie\x3a\x20[a-z0-9]{4}=\x22\x22\x3b/i"; classtype:social-engineering; sid:2037848; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (microsoftexplorerservices .cloud)"; dns.query; content:"microsoftexplorerservices.cloud"; depth:31; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023958; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Username Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?username="; fast_pattern; startswith; pcre:"/^/?username=[a-zA-Z0-9.-]+@[a-zA-Z0-9.]+.[a-zA-Z]{2,3}$/"; http.request_body; content:"|7b 22|visitorId|22 3a 22|"; startswith; content:"|22 2c 22|connect_token|22 3a 22|"; distance:32; within:19; content:"|22 2c 22|connect_hash|22 3a 22|"; distance:36; within:18; classtype:social-engineering; sid:2037849; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (msservice .site)"; dns.query; content:"msservice.site"; depth:14; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023959; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Cookie Value"; flow:established,to_client; content:"Server|3a 20|nginx/"; content:"|0d 0a 0d 0a 7b 22|statusCode|22 3a 20 22|success|22 2c 20 22|cname|22 3a 20 22|__"; fast_pattern; content:"|22 2c 20 22|cdomain|22 3a 20 22|"; distance:4; within:15; content:"|22 2c 20 22|cvalue|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x22\x7d$/R"; classtype:social-engineering; sid:2037850; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (com-ho .me)"; dns.query; content:"com-ho.me"; depth:9; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023960; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M1"; flow:established,to_server; http.host; content:"res-cdn-office-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037851; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (ntg-sa .com)"; dns.query; content:"ntg-sa.com"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023961; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Theft Landing Page 2022-07-29"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Facebook"; content:"ibb.co"; content:"open_facebook()"; distance:0; content:"tutup_facebook()"; distance:0; content:"action|3d 22 2f|verification|2e|php|22|"; distance:0; reference:md5,effbb613cf2cf673bd32c4740fb50849; classtype:credential-theft; sid:2037869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAGICHOUND-related DNS Lookup (briefl .ink)"; dns.query; content:"briefl.ink"; depth:10; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023962; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M2"; flow:established,to_server; http.host; content:"r4-res-office365-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037852; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 1"; dns.query; content:"backup.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023968; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M3"; flow:established,to_server; http.host; content:"prod-msocdn-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037853; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 2"; dns.query; content:"dataserver.cmonkey3.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023969; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M4"; flow:established,to_server; http.host; content:"portal-microsoftonline-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037854; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 3"; dns.query; content:"google-helps.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023970; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M5"; flow:established,to_server; http.host; content:"outlook-office365-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037855; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 4"; dns.query; content:"kpupdate.amz80.com"; depth:18; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023971; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M6"; flow:established,to_server; http.host; content:"aadcdn-msftauth-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037856; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 5"; dns.query; content:"mail-help.com"; depth:13; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023972; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M7"; flow:established,to_server; http.host; content:"aadcdn-msauth-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037857; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 6"; dns.query; content:"mail-issue.top"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023973; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M8"; flow:established,to_server; http.host; content:"acctcdn-msftauth-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037858; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 7"; dns.query; content:"microsoftupdating.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023974; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M9"; flow:established,to_server; http.host; content:"browser-events-data-microsoft-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037859; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 8"; dns.query; content:"microsoftwww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023975; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M10"; flow:established,to_server; http.host; content:"login-microsoft-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037860; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 9"; dns.query; content:"ns1.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023976; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Microsoft HTTP HOST M11"; flow:established,to_server; http.host; content:"logincdn-msauth-"; startswith; fast_pattern; pcre:"/[a-f0-9]{8}./R"; threshold:type limit, count 1, seconds 30, track by_src; classtype:social-engineering; sid:2037861; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 10"; dns.query; content:"ns1.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [TW] EvilProxy AiTM Network Reporting"; flow:established,to_client; content:"Server|3a 20|nginx/"; content:"|0d 0a|access-control-allow-origin|3a 20 2a 0d 0a|"; content:"|0d 0a|Report-To|3a 20 7b 22|group|22 3a 22|network-errors|22 2c 22|max_age|22 3a|86400|2c 22|endpoints|22 3a 5b 7b 22|url|22 3a 22|"; content:"/api/report?catId=GW+estsfd+"; distance:0; fast_pattern; classtype:social-engineering; sid:2037862; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 11"; dns.query; content:"ns1.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] Robin Banks HTTP HOST M1"; flow:established,to_server; http.host; content:"rbpagev2.in"; bsize:11; fast_pattern; threshold:type limit,count 1,seconds 30,track by_src; classtype:social-engineering; sid:2037864; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 12"; dns.query; content:"ns2.ccccc.work"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023979; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] Robin Banks HTTP HOST M2"; flow:established,to_server; http.host; content:"rbresults.pm"; bsize:12; fast_pattern; threshold:type limit,count 1,seconds 30,track by_src; classtype:social-engineering; sid:2037865; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 13"; dns.query; content:"ns2.superman0x58.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023980; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING [TW] Robin Banks HTTP GET Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?token="; content:"&step="; distance:0; content:"&a_failed="; distance:1; within:10; fast_pattern; pcre:"/&a_failed=[01]$/"; threshold:type limit,count 1,seconds 30,track by_src; classtype:social-engineering; sid:2037866; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 14"; dns.query; content:"ns2.xssr.org"; depth:12; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023981; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [TW] Robin Banks Redirect M1"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"dfsajsk.php?"; startswith; fast_pattern; classtype:social-engineering; sid:2037867; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 15"; dns.query; content:"qr1.3jd90dsj3df.website"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023982; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [TW] Robin Banks Redirect M2"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"?token="; startswith; content:"&step="; distance:0; content:"&a_failed="; distance:1; within:10; fast_pattern; pcre:"/&a_failed=[01]$/"; classtype:social-engineering; sid:2037868; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_07_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 16"; dns.query; content:"r4.microsoftupdating.org"; depth:24; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING America First CU Successful Phish 2022-07-30"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/AFCU/americafirst.com/"; startswith; fast_pattern; content:"/process"; distance:0; content:".php"; endswith; http.request_body; content:"email="; startswith; content:"&emailpass="; distance:0; reference:md5,29d96a74215c911c8631bc23eed49153; classtype:credential-theft; sid:2037876; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 17"; dns.query; content:"rouji.xssr.org"; depth:14; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023984; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING America First CU Account Recovery 2022-07-30"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/AFCU/americafirst.com/"; startswith; fast_pattern; content:"/process"; distance:0; content:".php"; endswith; http.request_body; content:"q1="; startswith; content:"&ans1="; distance:0; content:"&q2="; distance:0; content:"&ans2="; distance:0; content:"&q3="; distance:0; content:"&ans3="; distance:0; reference:md5,29d96a74215c911c8631bc23eed49153; classtype:credential-theft; sid:2037877; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_01, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 18"; dns.query; content:"t2z0n9.microsoftappstore.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023985; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Commerce Bank Phish 2022-07-30"; flow:established,to_server; http.request_line; content:"POST|20|/comm/data.php|20|"; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; reference:md5,998520fc60bf156455dc09286d7436e1; classtype:credential-theft; sid:2037878; rev:1; metadata:created_at 2022_08_01, former_category PHISHING, updated_at 2022_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 19"; dns.query; content:"temp.mail-issue.top"; depth:19; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023986; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Theft Landing Page M1 2022-08-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!--$-->"; content:"|2e|php|3f 2f|checkpoint|2f|dyi|2f 3f|referrer|3d|disabled|5f|checkpoint"; fast_pattern; reference:md5,2102c8709b172edfee22880a261da51d; classtype:credential-theft; sid:2037872; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 20"; dns.query; content:"time-service.org"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023987; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Theft 2022-08-01"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?/checkpoint/dyi/?referrer=disabled_checkpoint&next"; fast_pattern; http.host; content:!"facebook.com"; reference:md5,2102c8709b172edfee22880a261da51d; classtype:credential-theft; sid:2037873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 21"; dns.query; content:"update.microsoftwww.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Facebook Credential Theft Landing Page M2 2022-08-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2e|php|3f 2f|checkpoint|2f|dyi|2f 3f|referrer|3d|disabled|5f|checkpoint"; fast_pattern; content:"Your Account Will Be Deactivated Soon"; distance:0; reference:md5,2102c8709b172edfee22880a261da51d; classtype:credential-theft; sid:2037874; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_08_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 22"; dns.query; content:"updatecz.mykorean.net"; depth:21; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023989; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-08-01"; flow:established,to_server; http.request_line; content:"POST|20|/prijavljivanje/|20|"; fast_pattern; http.request_body; content:"username="; startswith; content:"&password="; distance:0; content:"&action=submit"; distance:0; reference:md5,81328a5646013490029df497162f5cfd; classtype:credential-theft; sid:2037897; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_08_02, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2022_08_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 23"; dns.query; content:"uriupdate.newsbs.net"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023990; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 24"; dns.query; content:"wwgooglewww.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023991; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 25"; dns.query; content:"www.microsoftwww.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 download"; flow: established; content:"Windows Registry Editor Version 5.00"; content:"|0D 0A|"; content:"["; content:"HKEY_"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000421; classtype:misc-activity; sid:2000421; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 26"; dns.query; content:"wwwgooglewww.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023993; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 5 Unicode download"; flow: established; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|R|00|e|00|g|00|i|00|s|00|t|00|r|00|y|00| |00|E|00|d|00|i|00|t|00|o|00|r|00| |00|V|00|e|00|r|00|s|00|i|00|o|00|n|00| |00|5|00|.|00|0|00|0|00|"; content:"|0D 0A|"; content:"[|00|"; content:"H|00|K|00|E|00|Y|00|_|00|"; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000422; classtype:misc-activity; sid:2000422; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShellCrew.APT StreamEx DNS Lookup 27"; dns.query; content:"zy.xssr.org"; depth:11; nocase; endswith; fast_pattern; reference:url,www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar; classtype:targeted-activity; sid:2023994; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT_ShellCrew, malware_family StreamEx, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY EXE compressed PKWARE Windows file download"; flow: established; content:"MZ"; isdataat: 28,relative; content:"PKLITE"; distance: 0; reference:url,www.program-transformation.org/Transform/PcExeFormat; reference:url,doc.emergingthreats.net/bin/view/Main/2000426; classtype:misc-activity; sid:2000426; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FakeM SSL DNS Lookup (islamhood .net)"; dns.query; content:"islamhood.net"; depth:13; nocase; endswith; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/; classtype:trojan-activity; sid:2024005; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_21, deployment Perimeter, malware_family FakeM_SSL, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ZIP file download"; flow: established; content:"PK|0304|"; byte_test:1, <=, 0x14, 0, string, hex; content:"|00 00 00|"; distance: 0; reference:url,zziplib.sourceforge.net/zzip-parse.print.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000428; classtype:misc-activity; sid:2000428; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (63ghdye17.com)"; dns.query; content:"63ghdye17.com"; depth:13; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020839; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_03, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|7C 01 FD 10 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC 7C 01 FD 11 7B AA 11 D0 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000489; classtype:misc-activity; sid:2000489; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Teslacrypt Ransomware .onion domain (2kjb7.net)"; dns.query; content:"2kjb7.net"; depth:9; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024105; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_25, deployment Perimeter, former_category MALWARE, malware_family TeslaCrypt, signature_severity Major, tag DNS_Onion_Query, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Download Windows Help File CHM 2"; flow: established; content:"ITSF|03|"; isdataat: 19,relative; content:"|10 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC 11 FD 01 7C AA 7B D0 11 9E 0C 00 A0 C9 22 E6 EC|"; distance: 0; reference:url,www.speakeasy.org/~russotto/chm/chmformat.html; reference:url,www.securiteam.com/windowsntfocus/6V00N000AU.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000429; classtype:misc-activity; sid:2000429; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1e100 .tech)"; dns.query; content:"1e100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024143; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip [10.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Reserved Internal IP Traffic"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002752; classtype:bad-unknown; sid:2002752; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (1m100 .tech)"; dns.query; content:"1m100.tech"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024144; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> 38.97.75.0/24 443 (msg:"ET POLICY Carbonite Online Backup SSL Handshake"; flow:established,to_server; content:"CarboniteInc"; offset:56; reference:url,doc.emergingthreats.net/2009798; classtype:policy-violation; sid:2009798; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ads-youtube .online)"; dns.query; content:"ads-youtube.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024145; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device in Config Mode"; flow: established; content:"Enter configuration commands, one per line"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001239; classtype:not-suspicious; sid:2001239; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (akamaitechnology .com)"; dns.query; content:"akamaitechnology.com"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024146; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Cisco Device New Config Built"; flow: established; content:"Building configuration..."; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001240; classtype:not-suspicious; sid:2001240; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (alkamaihd .net)"; dns.query; content:"alkamaihd.net"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024147; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Club World Casino Client in Use"; flow:established,to_server; dsize:23; content:"Club World Casinos"; reference:url,doc.emergingthreats.net/2007754; classtype:policy-violation; sid:2007754; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (azurewebsites .tech)"; dns.query; content:"azurewebsites.tech"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024148; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit spaced)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3}) \d{4} \d{4} \d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001375; classtype:policy-violation; sid:2001375; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (broadcast-microsoft .tech)"; dns.query; content:"broadcast-microsoft.tech"; depth:24; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024149; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit dashed)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})-\d{4}-\d{4}-\d{4}/"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001376; classtype:policy-violation; sid:2001376; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (chromeupdates .online)"; dns.query; content:"chromeupdates.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024150; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (16 digit)"; pcre:"/ (6011|5[1-5]\d{2}|4\d{3}|3\d{3})\d{12} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001377; classtype:policy-violation; sid:2001377; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (cloudmicrosoft .net)"; dns.query; content:"cloudmicrosoft.net"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024151; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)\d{11} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001378; classtype:policy-violation; sid:2001378; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (dnsserv .host)"; dns.query; content:"dnsserv.host"; depth:12; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024152; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{4} \d{4} \d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001379; classtype:policy-violation; sid:2001379; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (elasticbeanstalk .tech)"; dns.query; content:"elasticbeanstalk.tech"; depth:21; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024153; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001380; classtype:policy-violation; sid:2001380; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (fdgdsg .xyz)"; dns.query; content:"fdgdsg.xyz"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024154; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})\d{10} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001381; classtype:policy-violation; sid:2001381; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .net)"; dns.query; content:"jguery.net"; depth:10; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024155; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit spaced)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2}) \d{4} \d{4} \d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001382; classtype:policy-violation; sid:2001382; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (jguery .online)"; dns.query; content:"jguery.online"; depth:13; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024156; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (14 digit dashed)"; pcre:"/ (30[0-5]\d|36\d{2}|38\d{2})-\d{4}-\d{4}-\d{2} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2001383; classtype:policy-violation; sid:2001383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-ds .com)"; dns.query; content:"microsoft-ds.com"; depth:16; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024157; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800) \d{6} \d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009293; classtype:policy-violation; sid:2009293; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (microsoft-security .host)"; dns.query; content:"microsoft-security.host"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024158; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)"; pcre:"/ (3[4|7]\d{2}|2014|2149|2131|1800)-\d{6}-\d{5} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; reference:url,doc.emergingthreats.net/2009294; classtype:policy-violation; sid:2009294; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (nameserver .win)"; dns.query; content:"nameserver.win"; depth:14; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024159; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert udp any 53 -> ![$DNS_SERVERS,$SMTP_SERVERS] any (msg:"ET POLICY Unusual number of DNS No Such Name Responses"; content:"|83|"; offset:3; depth:1; threshold: type both , track by_dst, count 50, seconds 300; reference:url,doc.emergingthreats.net/2003195; classtype:bad-unknown; sid:2003195; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (newsfeeds-microsoft .press)"; dns.query; content:"newsfeeds-microsoft.press"; depth:25; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024160; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; classtype:bad-unknown; sid:2002676; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (owa-microsoft .online)"; dns.query; content:"owa-microsoft.online"; depth:20; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024161; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Dameware Remote Control Service Install"; flow: to_server,established; content:"DWRCK.DLL"; nocase; reference:url,doc.emergingthreats.net/2001294; classtype:successful-admin; sid:2001294; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (primeminister-goverment-techcenter .tech)"; dns.query; content:"primeminister-goverment-techcenter.tech"; depth:39; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024162; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET POLICY SMTP Executable attachment"; flow:established,to_server; content:"filename="; nocase; content:".exe"; nocase; distance:0; pcre:"/filename=\s*[^\n]+\.exe/i"; reference:url,doc.emergingthreats.net/2003325; classtype:policy-violation; sid:2003325; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (qoldenlines .net)"; dns.query; content:"qoldenlines.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024163; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Login Attempt (non-anonymous)"; flow:to_server,established; content:"USER"; content:!"PASS "; nocase; pcre:!"/^USER\s+(anonymous|ftp)/smi"; reference:url,doc.emergingthreats.net/2003303; classtype:misc-activity; sid:2003303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (sharepoint-microsoft .co)"; dns.query; content:"sharepoint-microsoft.co"; depth:23; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024164; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Administrator Login Attempts"; flow:to_server,established; content:"USER Administrator|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009667; classtype:attempted-admin; sid:2009667; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (ssl-gstatic .online)"; dns.query; content:"ssl-gstatic.online"; depth:18; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024165; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET POLICY FTP Frequent Admin Login Attempts"; flow:to_server,established; content:"USER Admin|0d0a|"; nocase; threshold: type threshold, track by_src, count 3, seconds 30; reference:url,doc.emergingthreats.net/2009668; classtype:attempted-admin; sid:2009668; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible CopyKitten DNS Lookup (trendmicro .tech)"; dns.query; content:"trendmicro.tech"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/copykitten-jpost/; classtype:trojan-activity; sid:2024166; rev:5; metadata:created_at 2017_03_31, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (TYPE A)"; flow:established,to_server; dsize:6; content:"TYPE "; depth:5; reference:url,doc.emergingthreats.net/2008589; classtype:trojan-activity; sid:2008589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Known IoT Malware Domain"; dns.query; content:"ntp.gtpnet.ir"; depth:13; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/a-new-threat-an-iot-botnet-scanning-internet-on-port-81-en/; classtype:trojan-activity; sid:2024244; rev:5; metadata:attack_target IoT, created_at 2017_04_25, deployment Perimeter, former_category TROJAN, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22:1024 (msg:"ET POLICY FTP Conversation on Low Port - Likely Hostile (PASV)"; flow:established,to_server; dsize:4; content:"PASV"; reference:url,doc.emergingthreats.net/2008590; classtype:trojan-activity; sid:2008590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla Snake OSX DNS Lookup (car-service .effers.com)"; dns.query; content:"car-service.effers.com"; depth:22; nocase; endswith; fast_pattern; reference:url,blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/; classtype:targeted-activity; sid:2024271; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family Snake, performance_impact Low, signature_severity Critical, tag APT, tag RUAPT, updated_at 2020_09_17;)
+alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; classtype:bad-unknown; sid:2009243; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Proton.B DNS Lookup"; dns.query; content:"handbrake.biz"; depth:13; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x1D.html; classtype:trojan-activity; sid:2024284; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family OSX_Proton, performance_impact Low, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET !$HTTP_PORTS (msg:"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port"; flow:to_server,established; content:"CONNECT "; nocase; depth:8; content:" HTTP/1."; nocase; within:1000; reference:url,doc.emergingthreats.net/2008284; classtype:misc-activity; sid:2008284; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla SHIRIME DNS Lookup"; dns.query; content:"tnsc.webredirect.org"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html; classtype:targeted-activity; sid:2024286; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, malware_family Turla, malware_family SHIRIME, performance_impact Low, tag APT, tag 0day, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access"; flow:established,to_server; content:"GET /login/FetchProtocolVersion2.htm"; depth:36; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008842; classtype:policy-violation; sid:2008842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (fkksjobnn43 . org)"; dns.query; content:"fkksjobnn43.org"; depth:15; fast_pattern; endswith; nocase; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:trojan-activity; sid:2024289; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download)"; flow:established,to_server; content:"GET login/fetchFreeServersVersion2.aspx"; depth:39; threshold:type limit, track by_src,count 5, seconds 30; reference:url,doc.emergingthreats.net/2008843; classtype:policy-violation; sid:2008843; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"check.paidprefund.org"; depth:21; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024330; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Google Talk TLS Client Traffic"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:64; within:78; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002330; classtype:policy-violation; sid:2002330; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"syn.timeizu.net"; depth:15; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024331; rev:6; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; reference:url,doc.emergingthreats.net/2000356; classtype:misc-activity; sid:2000356; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"blog.docksugs.org"; depth:17; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024332; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY EIN in the clear (US-IRS Employer ID Number)"; pcre:"/ \d\d-\d{7} /"; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001004; reference:url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument; reference:url,doc.emergingthreats.net/2002658; classtype:policy-violation; sid:2002658; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"news.lightpress.info"; depth:20; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024333; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MP3 File Transfer Outbound"; flow:established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002722; classtype:policy-violation; sid:2002722; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32 Komprogo DNS Lookup"; dns.query; content:"mobile.pagmobiles.info"; depth:22; nocase; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html; classtype:targeted-activity; sid:2024334; rev:5; metadata:created_at 2017_05_25, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MP3 File Transfer Inbound"; flow: established; content:"ID3|03|"; content:"TIT2"; distance:6; within:10; reference:url,filext.com/detaillist.php?extdetail=mp3&Search=Search; reference:url,doc.emergingthreats.net/2002723; classtype:policy-violation; sid:2002723; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to Jaff Domain (orhangazitur . com)"; dns.query; content:"orhangazitur.com"; depth:16; fast_pattern; endswith; nocase; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024339; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"ET POLICY Microsoft TEREDO IPv6 tunneling"; content:"|FE 80 00 00 00 00 00 00 80 00|TEREDO"; offset:21; depth:16; reference:url,doc.emergingthreats.net/2003155; classtype:misc-activity; sid:2003155; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT SUSPICIOUS DNS Request for Grey Advertising Often Leading to EK"; dns.query; content:"roughted.com"; depth:12; nocase; endswith; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2017/05/roughted-the-anti-ad-blocker-malvertiser; classtype:exploit-kit; sid:2024349; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_05, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Malvertising, malware_family RoughTed, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+alert udp any any -> any any (msg:"ET POLICY Netop Remote Control Usage"; content:"|554b30303736305337473130|"; reference:url,www.netop.com; reference:url,doc.emergingthreats.net/2001597; classtype:policy-violation; sid:2001597; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (secure-access10 .mx)"; dns.query; content:"secure-access10.mx"; depth:18; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024405; rev:5; metadata:created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys detected on Expected Port"; flowbits:noalert; flowbits:isset,is_ssh_client_kex; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001977; classtype:misc-activity; sid:2001977; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (network190 .com)"; dns.query; content:"network190.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024406; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; reference:url,doc.emergingthreats.net/2001983; classtype:misc-activity; sid:2001983; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mymensaje-sms .com)"; dns.query; content:"mymensaje-sms.com"; depth:17; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024407; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 16680 (msg:"ET POLICY OperaUnite URL Registration"; flow:to_server,established; content:"REGISTER"; offset:0; depth:8; content:"operaunite.com"; within:109; reference:url,unite.opera.com; reference:url,doc.emergingthreats.net/2009895; classtype:policy-violation; sid:2009895; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (smscentro .com)"; dns.query; content:"smscentro.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024408; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TRACE Request - outbound"; flow: to_server,established; content:"TRACE "; nocase; depth: 6; reference:url,doc.emergingthreats.net/2010767; classtype:bad-unknown; sid:2010767; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (ideas-telcel .com.mx)"; dns.query; content:"ideas-telcel.com.mx"; depth:19; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024409; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (twiitter .com.mx)"; dns.query; content:"twiitter.com.mx"; depth:15; nocase; endswith; fast_pattern; reference:url,citizenlab.org/2017/06/reckless-exploit-mexico-nso/; classtype:trojan-activity; sid:2024410; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category TROJAN, malware_family Pegasus, performance_impact Low, signature_severity Major, tag Targeted, tag APT, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Successful"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSvnc.auth.agreed; flowbits:unset,BSis.vnc.setup; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002922; classtype:not-suspicious; sid:2002922; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (resume .immigrantlol .com)"; dns.query; content:"resume.immigrantlol.com"; depth:23; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024458; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VNC Authentication Failure"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 01|"; depth:4; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2002920; classtype:attempted-admin; sid:2002920; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (job .yoyakuweb .technology)"; dns.query; content:"job.yoyakuweb.technology"; depth:24; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024457; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003026; classtype:not-suspicious; sid:2003026; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (vps2java .securitytactics .com)"; dns.query; content:"vps2java.securitytactics.com"; depth:28; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024456; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 9001 (msg:"ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2004598; classtype:not-suspicious; sid:2004598; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (macos .exoticlol .com)"; dns.query; content:"macos.exoticlol.com"; depth:19; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024459; rev:6; metadata:created_at 2017_07_12, former_category TROJAN, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003027; classtype:not-suspicious; sid:2003027; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (css .google-statics .com)"; dns.query; content:"css.google-statics.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.protectwise.com/blog/winnti-evolution-going-open-source.html; classtype:trojan-activity; sid:2024460; rev:5; metadata:created_at 2017_07_12, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003028; classtype:not-suspicious; sid:2003028; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Fenrir Ransomware CnC Domain"; dns.query; content:"fenrir-ransomware.000webhostapp.com"; depth:35; nocase; endswith; fast_pattern; reference:md5,a5ecf27bfab7fbb1ace3ec9a390b23bd; classtype:command-and-control; sid:2024467; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_13, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Fenrir, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003029; classtype:not-suspicious; sid:2003029; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpres.com"; depth:13; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024472; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8443 (msg:"ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003030; classtype:not-suspicious; sid:2003030; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.net"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024473; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 2967 (msg:"ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003033; classtype:not-suspicious; sid:2003033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpress.org"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024474; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003035; classtype:not-suspicious; sid:2003035; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"bowenpross.com"; depth:14; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024475; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003036; classtype:not-suspicious; sid:2003036; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"datalink.one"; depth:12; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8292 (msg:"ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003037; classtype:not-suspicious; sid:2003037; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"secuerserver.com"; depth:16; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024477; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 8294 (msg:"ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003038; classtype:not-suspicious; sid:2003038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CDT Credphish/Netwire Campaign DNS Lookup"; dns.query; content:"vnews.hk"; depth:8; nocase; endswith; fast_pattern; reference:url,citizenlab.ca/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites; classtype:trojan-activity; sid:2024479; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1521 (msg:"ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003934; classtype:not-suspicious; sid:2003934; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (v5t5z6a55ksmt3oh)"; dns.query; content:".v5t5z6a55ksmt3oh"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024491; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 995 (msg:"ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2008543; classtype:not-suspicious; sid:2008543; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Shifr Ransomware CnC DNS Query (ojdue4474qghybjb)"; dns.query; content:".ojdue4474qghybjb"; fast_pattern; endswith; nocase; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:command-and-control; sid:2024492; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port TLS"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|01|"; within:6; content:"|03 01|"; within:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003002; classtype:unusual-client-port-connection; sid:2003002; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 1 (winupdate64 . com)"; dns.query; content:"winupdate64.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; classtype:trojan-activity; sid:2024495; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established,to_server; content:"|16 03 00|"; depth:3; content:"|01|"; within:2; content:"|03 00|"; within:3; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003003; classtype:unusual-client-port-connection; sid:2003003; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Matryoshka DNS Lookup 2 (twiter-statics . info)"; dns.query; content:"twiter.statics.info"; depth:19; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:trojan-activity; sid:2024496; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category TROJAN, malware_family Matryoshka, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port Case 2"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 01|"; depth:5; offset:2; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003004; classtype:unusual-client-port-connection; sid:2003004; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CopyKittens Cobalt Strike DNS Lookup (cloudflare-analyse . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"cloudflare.analyse.com"; depth:22; nocase; endswith; fast_pattern; reference:url,www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf; reference:md5,752240cddda5acb5e8d026cef82e2b54; classtype:targeted-activity; sid:2024497; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3"; flowbits:isnotset,BS.SSL.Known.Port; flowbits:isnotset,BS.SSL.Client.Hello; flow:established; content:"|01 03 00|"; depth:5; flowbits:set,BS.SSL.Client.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003005; classtype:unusual-client-port-connection; sid:2003005; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Tunneling (microsoft-publisher . com)"; threshold:type limit, track by_src, count 1, seconds 60; dns.query; content:"microsoft-publisher.com"; depth:23; nocase; endswith; fast_pattern; reference:md5,a70a08a1e17b820c7dc8ee1247d6bfa2; reference:url,researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/; classtype:trojan-activity; sid:2024504; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_28, deployment Perimeter, former_category TROJAN, malware_family Ismdoor, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 01 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003008; classtype:unusual-client-port-connection; sid:2003008; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Reborn/Ovidiy Stealer CnC Domain"; dns.query; content:"stealur.info"; depth:12; nocase; endswith; fast_pattern; reference:md5,4daca05b0015efeaacebc58d007c32c4; classtype:command-and-control; sid:2024506; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_31, deployment Perimeter, former_category MALWARE, malware_family Reborn_Stealer, malware_family Ovidiy_Stealer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|14 03 00 00 01 01|"; flowbits:set,BS.SSL.Client.Cipher; flowbits:noalert; reference:url,doc.emergingthreats.net/2003009; classtype:unusual-client-port-connection; sid:2003009; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE ANDROIDOS_LEAKERLOCKER.HRX DNS Lookup"; dns.query; content:"updatmaster.top"; depth:15; fast_pattern; endswith; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/leakerlocker-mobile-ransomware-threatens-expose-user-information/; classtype:trojan-activity; sid:2024509; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_02, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; depth:3; content:"|02|"; within:6; content:"|03 01|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003010; classtype:unusual-client-port-connection; sid:2003010; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"coffeinoffice.xyz"; depth:17; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024488; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; depth:3; content:"|02|"; within:6; content:"|03 00|"; within:6; flowbits:set,BS.SSL.Server.Hello; flowbits:noalert; reference:url,doc.emergingthreats.net/2003011; classtype:unusual-client-port-connection; sid:2003011; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LokiBot Related DNS query"; dns.query; content:"french-cooking.com"; depth:18; fast_pattern; nocase; endswith; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; classtype:trojan-activity; sid:2024487; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_07_21, deployment Perimeter, former_category TROJAN, malware_family lokibot, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003014; classtype:unusual-client-port-connection; sid:2003014; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac DNS Query Observed"; dns.query; content:"api.mughthesec.com"; depth:18; nocase; endswith; fast_pattern; classtype:trojan-activity; sid:2024529; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0c|"; within:6; flowbits:set,BS.SSL.Server.Key; flowbits:noalert; reference:url,doc.emergingthreats.net/2003015; classtype:unusual-client-port-connection; sid:2003015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/Mughthesec/SafeFinder/OperatorMac Rogue Search Engine DNS Query Observed"; dns.query; content:"default27061330-a.akamaihd.net"; depth:30; nocase; endswith; fast_pattern; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:2024530; rev:6; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_08_09, deployment Perimeter, former_category TROJAN, malware_family Mughthesec, malware_family SafeFinder, malware_family OperatorMac, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 01 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003018; classtype:unusual-client-port-connection; sid:2003018; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 1"; dns.query; content:"nylalobghyhirgh.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024588; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Cipher; flow:established; content:"|14 03 00 00 01|"; flowbits:set,BS.SSL.Established; flowbits:noalert; reference:url,doc.emergingthreats.net/2003019; classtype:unusual-client-port-connection; sid:2003019; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 2"; dns.query; content:"ribotqtonut.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024589; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003020; classtype:unusual-client-port-connection; sid:2003020; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 3"; dns.query; content:"jkvmdmjyfcvkf.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024590; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 00|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003021; classtype:unusual-client-port-connection; sid:2003021; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 4"; dns.query; content:"bafyvoruzgjitwr.com"; depth:19; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024591; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (dashed)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])-\d{2}-\d{4} /"; reference:url,doc.emergingthreats.net/2001328; classtype:policy-violation; sid:2001328; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 5"; dns.query; content:"xmponmzmxkxkh.com"; depth:17; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024592; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (spaced)"; pcre:"/ ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2]) \d{2} \d{4} /"; reference:url,doc.emergingthreats.net/2001384; classtype:policy-violation; sid:2001384; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 6"; dns.query; content:"tczafklirkl.com"; depth:15; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024593; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN )"; content:"SSN "; nocase; pcre:"/SSN ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007971; classtype:policy-violation; sid:2007971; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 7"; dns.query; content:"notped.com"; depth:10; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert ip any any -> any any (msg:"ET POLICY SSN Detected in Clear Text (SSN# )"; content:"SSN# "; nocase; pcre:"/SSN# ([0-6]\d\d|7[0-256]\d|73[0-3]|77[0-2])\d{6} /i"; reference:url,doc.emergingthreats.net/2007972; classtype:policy-violation; sid:2007972; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 8"; dns.query; content:"dnsgogle.com"; depth:12; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024595; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY RemoteControlX rctrlx service created"; flow:to_server,established; content:"|5c 00 72 00 63 00 74 00 72 00 6c 00 78 00 73 00 72 00 76 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-rctrlx.html; reference:url,doc.emergingthreats.net/2010782; classtype:suspicious-filename-detect; sid:2010782; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 9"; dns.query; content:"operatingbox.com"; depth:16; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024596; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert udp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $DNS_SERVERS 53 (msg:"ET POLICY Possible Spambot Host DNS MX Query High Count"; content: "|01 00|"; offset: 2; depth: 4; content: "|00 0f 00 01|"; distance: 8; threshold:type both, count 30, seconds 10, track by_src; reference:url,doc.emergingthreats.net/2003330; classtype:bad-unknown; sid:2003330; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 10"; dns.query; content:"paniesx.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...)"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010570; classtype:policy-violation; sid:2010570; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for known ShadowPad CnC 11"; dns.query; content:"techniciantext.com"; depth:18; fast_pattern; endswith; nocase; reference:url,securelist.com/shadowpad-in-corporate-networks/81432/; classtype:command-and-control; sid:2024598; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...)"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010571; classtype:policy-violation; sid:2010571; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE WireX Botnet DNS Lookup"; dns.query; content:"axclick.store"; depth:13; fast_pattern; endswith; nocase; reference:md5,6af299a2ac9b59f7d551b6e235e0d200; reference:url,blog.cloudflare.com/the-wirex-botnet/; classtype:trojan-activity; sid:2024615; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_WireX, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...)"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010572; classtype:policy-violation; sid:2010572; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT12 THREEBYTE DNS Lookup"; dns.query; content:"bsksac.au-syd.mybluemix.net"; depth:27; nocase; endswith; fast_pattern; reference:url,blog.macnica.net/blog/2017/08/post-fb81.html; classtype:targeted-activity; sid:2024619; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category MALWARE, malware_family THREEBYTE, performance_impact Low, signature_severity Major, tag APT, tag APT12, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...)"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010573; classtype:policy-violation; sid:2010573; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ISMAgent DNS Lookup (msoffice-cdn . com)"; dns.query; content:"msoffice-cdn.com"; depth:16; nocase; endswith; fast_pattern; reference:md5,812d3c4fddf9bb81d507397345a29bb0; reference:url,www.clearskysec.com/ismagent/; classtype:trojan-activity; sid:2024620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...)"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010574; classtype:policy-violation; sid:2010574; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (soligro . com)"; dns.query; content:"soligro.com"; depth:11; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024641; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...)"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010575; classtype:policy-violation; sid:2010575; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gazer DNS query observed (mydreamhoroscope . com)"; dns.query; content:"mydreamhoroscope.com"; depth:20; fast_pattern; endswith; nocase; reference:url,securelist.com/introducing-whitebear/81638/; classtype:trojan-activity; sid:2024642; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category TROJAN, malware_family Gazer, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...)"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010576; classtype:policy-violation; sid:2010576; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4pay.com)"; dns.query; content:".tor4pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020126; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...)"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010577; classtype:policy-violation; sid:2010577; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torminater.com)"; dns.query; content:".torminater.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020133; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP"; flow: to_client,established; content:"Moderate Islam is a Prostration to the West"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010581; classtype:policy-violation; sid:2010581; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.city)"; dns.query; content:".onion.city"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020430; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP"; flow: to_client,established; content:"Jihad, Martyrdom and the Killing of Innocents"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010582; classtype:policy-violation; sid:2010582; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgate.es)"; dns.query; content:".torgate.es"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022644; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP"; flow: to_client,established; content:"The Call to Global Islamic Resistance"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010583; classtype:policy-violation; sid:2010583; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Zloader CnC Domain Detected"; dns.query; content:".chinaandkoreacriminalaffairs"; fast_pattern; endswith; nocase; reference:md5,7a57fcc1afab791f9995fbc479fe340e; classtype:command-and-control; sid:2024680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category MALWARE, malware_family Zloader, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP"; flow: to_client,established; content:"Knights under the Prophet's Banner"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010584; classtype:policy-violation; sid:2010584; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Ransomware Domain Detected"; dns.query; content:"lookingpersonals.top"; depth:20; fast_pattern; endswith; nocase; reference:url,ransomwaretracker.abuse.ch; classtype:trojan-activity; sid:2024728; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP"; flow: to_client,established; content:"Jihad Against Jews and Crusaders World Islamic Front Statement"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010585; classtype:policy-violation; sid:2010585; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (chromup)"; dns.query; content:"chromup.com"; depth:11; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024730; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP"; flow: to_client,established; content:"Declaration of War against the Americans Occupying the Land of the Two Holy Places"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010586; classtype:policy-violation; sid:2010586; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (securityupdated)"; dns.query; content:"securityupdated.com"; depth:19; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP"; flow: to_client,established; content:"Join the Caravan of Martyrs"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010587; classtype:policy-violation; sid:2010587; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor / NanoCore CnC (microsoftupdated)"; dns.query; content:"microsoftupdated.net"; depth:20; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024733; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP"; flow: to_client,established; content:"Sharia and Democracy"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010588; classtype:policy-violation; sid:2010588; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (syn.broadcaster)"; dns.query; content:"syn.broadcaster.rocks"; depth:21; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024734; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010589; classtype:policy-violation; sid:2010589; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup"; dns.query; content:"b1k51.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024735; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010590; classtype:policy-violation; sid:2010590; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 2"; dns.query; content:"b1j3aas.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024736; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET POLICY X-Box Live Connecting"; content:"<Xbox Version="; content:" Title=0x"; distance:4; within:32; reference:url,www.microsoft.com/xbox/; reference:url,doc.emergingthreats.net/2002796; classtype:policy-violation; sid:2002796; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 3"; dns.query; content:"wechaatt.gdn"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024737; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp any any -> any any (msg:"ET POLICY ZIPPED DOC in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".doc"; nocase; reference:url,doc.emergingthreats.net/2001402; classtype:not-suspicious; sid:2001402; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 4"; dns.query; content:"10as05.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024738; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp any any -> any any (msg:"ET POLICY ZIPPED XLS in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".xls"; nocase; reference:url,doc.emergingthreats.net/2001403; classtype:not-suspicious; sid:2001403; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 5"; dns.query; content:"ch0ck4.life"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024739; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp any any -> any any (msg:"ET POLICY ZIPPED EXE in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".exe"; nocase; reference:url,doc.emergingthreats.net/2001404; classtype:not-suspicious; sid:2001404; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 6"; dns.query; content:"fatur1s.life"; depth:12; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024740; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp any any -> any any (msg:"ET POLICY ZIPPED PPT in transit"; flow:established; content:"|50 4B 03 04|"; content:"|00|"; content:".ppt"; nocase; reference:url,doc.emergingthreats.net/2001405; classtype:not-suspicious; sid:2001405; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 7"; dns.query; content:"b5k31.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024741; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) SMTP"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010591; classtype:policy-violation; sid:2010591; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 8"; dns.query; content:"erd0.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024742; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"ET POLICY Outbound Multiple Non-SMTP Server Emails"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 120; reference:url,doc.emergingthreats.net/2000328; classtype:misc-activity; sid:2000328; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 9"; dns.query; content:"b1v2a5.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024743; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flow:established; content:"mail from|3a|"; nocase; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 10"; dns.query; content:"b1502b.gdn"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024744; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail Message Send"; flow:to_server,established; content:"/ym/Compose"; http_uri; nocase; reference:url,doc.emergingthreats.net/2000044; classtype:policy-violation; sid:2000044; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 11"; dns.query; content:"elsssee.gdn"; depth:11; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024745; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail General Page View"; flow:to_server,established; content:"/ym/login"; http_uri; nocase; content:".rand="; nocase; reference:url,doc.emergingthreats.net/2000341; classtype:policy-violation; sid:2000341; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 12"; dns.query; content:"kvp41.life"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024746; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris HelpDesk"; flow:to_server,established; content:"/aexhd/worker/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009696; classtype:misc-activity; sid:2009696; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 13"; dns.query; content:"servertestapi.ltd"; depth:17; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024747; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY External Connection to Altiris Console"; flow:to_server,established; content:"/altiris/ns/"; http_uri; nocase; reference:url,www.symantec.com/business/theme.jsp?themeid=altiris; reference:url,doc.emergingthreats.net/2009697; classtype:misc-activity; sid:2009697; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 14"; dns.query; content:"taxii.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024748; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY REG files version 4 download"; flow:established; content:"REGEDIT4"; content:"|0D 0A|"; distance:0; content:"["; distance:0; content:"HKEY_"; distance:0; nocase; reference:url,www.ss64.com/nt/regedit.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000420; classtype:misc-activity; sid:2000420; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 15"; dns.query; content:"p0w3r.gdn"; depth:9; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024749; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY MSI (microsoft installer file) download"; flow:established; content:"|D0 CF 11 E0 A1 B1 1A E1|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001115; classtype:bad-unknown; sid:2001115; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/Bankbot.HH!tr DNS Lookup 16"; dns.query; content:"4r3a.gdn"; depth:8; fast_pattern; endswith; nocase; reference:url,blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot; classtype:trojan-activity; sid:2024750; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_09_20, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_BankBot, signature_severity Major, tag Android, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY CCProxy in use remotely - Possibly Hostile/Malware"; flow:established,from_server; content:" 200 Connection established|0d 0a|Proxy-agent|3a| CCProxy "; depth:58; reference:url,www.youngzsoft.net; reference:url,doc.emergingthreats.net/bin/view/Main/2007576; classtype:trojan-activity; sid:2007576; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query For TURNEDUP.Backdoor CnC (googlmail)"; threshold: type both, track by_src, count 1, seconds 5; dns.query; content:"googlmail.net"; depth:13; fast_pattern; endswith; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:command-and-control; sid:2024732; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, deployment Perimeter, former_category MALWARE, malware_family TURNEDUP, malware_family StoneDrill, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY route1.com SSL certificate for remote access detected"; flow:established,to_client; content:"Route1 Security Corporation"; nocase; classtype:bad-unknown; sid:2011579; rev:1; metadata:attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS request for Monero mining pool"; dns.query; content:"pool.minexmr.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2017_09_monero_malware.txt; reference:url,www.welivesecurity.com/2017/09/28/monero-money-mining-malware/; classtype:trojan-activity; sid:2024789; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"PCA"; within:50; classtype:not-suspicious; sid:2011539; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 1"; dns.query; content:"download.ns360.info"; depth:19; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024803; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 2"; dns.query; content:"update.craftx.biz"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024804; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AOL Webmail Login"; flow: to_server,established; content:"/login/login.psp?siteId="; http_uri; content:"triedAimAuth"; reference:url,doc.emergingthreats.net/bin/view/Main/2000572; classtype:policy-violation; sid:2000572; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 3"; dns.query; content:"mozilla.tftpd.net"; depth:17; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024805; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Placing Item for sale"; flow: to_server,established; content:"/ws2/eBayISAPI.dll"; http_uri; nocase; content:".ebay.com"; http_header; nocase; reference:url,doc.emergingthreats.net/2001907; classtype:policy-violation; sid:2001907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus Decafett DNS Lookup 4"; dns.query; content:"checkupdates.flashserv.net"; depth:26; nocase; endswith; fast_pattern; reference:url,cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu-VB2017.pdf; classtype:trojan-activity; sid:2024806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category TROJAN, malware_family Decafett, performance_impact Low, signature_severity Critical, tag APT, tag Lazarus, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FOX,ABC On-demand UA"; flow:to_server,established; content:"User-Agent|3a| QSP"; nocase; http_header; reference:url,doc.emergingthreats.net/2007639; classtype:policy-violation; sid:2007639; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Netsolhost SSL Proxying - Possible Phishing Nov 24 2015"; dns.query; content:"secure.netsolhost.com"; depth:21; nocase; endswith; fast_pattern; classtype:social-engineering; sid:2022136; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Calendar in Use"; flow:established,to_server; content:"/calendar/"; http_uri; content:"Host|3a| www.google.com"; http_header; nocase; threshold:type both, count 1, seconds 60, track by_src; reference:url,www.computerworld.com.au/index.php?id=1687889918&eid=-255; reference:url,doc.emergingthreats.net/2003597; classtype:policy-violation; sid:2003597; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"ssrsec.com"; depth:10; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024854; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hotmail Inbox Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/HoTMaiL?curmbox="; nocase; http_uri; reference:url,doc.emergingthreats.net/2000035; classtype:policy-violation; sid:2000035; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"sqlmapff.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024856; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hi5.com Social Site Access"; flow:established,to_server; content:"Host|3a| www.hi5.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003455; classtype:policy-violation; sid:2003455; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"outerlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024858; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Hyves Login Attempt"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"login_username"; reference:url,doc.emergingthreats.net/2007627; classtype:policy-violation; sid:2007627; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"microsoftsec.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024860; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic Windows client user sign-on"; flow:to_server; content:"ms|3a|xml|3a|ns|3a|xmpp-s"; content:"X-GOOGLE-TOKEN"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002332; classtype:policy-violation; sid:2002332; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"martianlol.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024862; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google IM traffic friend invited"; flow:to_server; content:"><invitati"; content:"on xmlns=\"google"; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002333; classtype:policy-violation; sid:2002333; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"dnslog.mobi"; depth:11; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024865; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY McAfee Update User Agent (McAfee AutoUpdate)"; flow:to_server,established; content:"User-Agent|3a| "; http_header; nocase; content:"McAfee AutoUpdate"; http_header; pcre:"/User-Agent\x3a[^\n]+McAfee AutoUpdate/i"; reference:url,doc.emergingthreats.net/2003381; classtype:not-suspicious; sid:2003381; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"alienlol.com"; depth:12; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024867; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rapidshare auth cookie download"; flow:to_server,established; content:"GET"; http_method; content:"/files/"; http_uri; nocase; content:"rapidshare.com"; nocase; http_header; content:"Cookie|3a| user="; nocase; reference:url,en.wikipedia.org/wiki/RapidShare; reference:url,doc.emergingthreats.net/2006369; classtype:policy-violation; sid:2006369; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"yoyakuweb.technology"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024869; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Newzbin Usenet Reader License Check"; flow:established,to_server; content:"/internal/"; http_uri; content:"prodID=nl&licID="; http_uri; content:"&prodVer="; http_uri; content:"Host|3A| www.newsleecher.com"; http_header; reference:url,doc.emergingthreats.net/2009095; classtype:policy-violation; sid:2009095; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"exoticlol.com"; depth:13; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024870; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in URI"; flow:established,to_server; content:"username="; nocase; http_uri; content:"password="; http_uri; nocase; reference:url,doc.emergingthreats.net/2009001; classtype:policy-violation; sid:2009001; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-statics .com)"; dns.query; content:"google-statics.com"; depth:18; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024871; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Login Credentials Possibly Passed in POST Data"; flow:established,to_server; content:"POST"; http_method; content:"username="; http_client_body; nocase; content:"password="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2009004; classtype:policy-violation; sid:2009004; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup (google-searching .com)"; dns.query; content:"google-searching.com"; depth:20; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024872; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring detected"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; nocase; http_header; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003214; classtype:attempted-recon; sid:2003214; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"awsstatics.com"; depth:14; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024873; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pingdom.com Monitoring Node Active"; flow:to_server,established; content:"User-Agent|3a| Pingdom"; http_header; nocase; reference:url,royal.pingdom.com/?p=46; reference:url,doc.emergingthreats.net/2003215; classtype:attempted-recon; sid:2003215; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti-related DNS Lookup"; dns.query; content:"immigrantlol.com"; depth:16; nocase; endswith; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024874; rev:5; metadata:created_at 2017_10_18, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy GET Request"; flow: to_server,established; content:"GET http|3a|//"; nocase; depth: 11; reference:url,doc.emergingthreats.net/2001669; classtype:bad-unknown; sid:2001669; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M1"; dns.query; content:"hl852.com"; depth:9; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024921; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001670; classtype:bad-unknown; sid:2001670; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M2"; dns.query; content:"hl859.com"; depth:9; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024922; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy POST Request"; flow: to_server,established; content:"POST http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001674; classtype:bad-unknown; sid:2001674; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IoT_reaper DNS Lookup M3"; dns.query; content:"hi8520.com"; depth:10; nocase; endswith; fast_pattern; reference:url,blog.netlab.360.com/iot_reaper-a-few-updates-en/; classtype:trojan-activity; sid:2024923; rev:5; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi)"; flow: established,to_server; content:"/proxyjudge.cgi"; http_uri; nocase; reference:url,doc.emergingthreats.net/2003048; classtype:policy-violation; sid:2003048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (myhomemusic. com)"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023022; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, former_category TROJAN, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Winamp Streaming User Agent"; flow:established,to_server; content:"Winamp"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Winamp/Hi"; reference:url,doc.emergingthreats.net/2003168; classtype:policy-violation; sid:2003168; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HTTPBrowser/Pisloader Covert DNS CnC Channel TXT Lookup"; dns.query; content:"myhomemusic.com"; depth:15; nocase; endswith; fast_pattern; reference:md5,985eba97e12c3e5bce9221631fb66d68; reference:url,researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/; classtype:command-and-control; sid:2022842; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_05_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Carbonite.com Backup Software Leaking MAC Address"; flow:established,to_server; content:"GET"; http_method; content:"/manage.old/sun/signup.aspx?MACAddresses=MAC"; nocase; http_uri; content:"ShowCount="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009800; classtype:policy-violation; sid:2009800; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious e5b57288.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"e5b57288.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023229; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication)"; flow:to_server,established; content:"/ap_home.html"; http_uri; reference:url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP; reference:url,doc.emergingthreats.net/bin/view/Main/2008862; classtype:misc-activity; sid:2008862; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 33db9538.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"33db9538.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023227; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gigasize file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/get.php"; http_uri; content:"Host|3a| "; nocase; http_header; content:"gigasize.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2009304; classtype:policy-violation; sid:2009304; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 9507c4e8.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"9507c4e8.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023228; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible Ecard Trojan download"; flow:established,to_server; content:".exe"; nocase; http_uri; pcre:"/(gif|car(d|tao)|jpe?g)\.exe$/Ui"; reference:url,doc.emergingthreats.net/2006434; classtype:trojan-activity; sid:2006434; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 54dfa1cb.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"54dfa1cb.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023230; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Bid Placed"; flow: to_server,established; content:"/ws/eBayISAPI.dll/"; http_uri; nocase; content:"maxbid="; nocase; content:"offer.ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001898; classtype:policy-violation; sid:2001898; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; dns.query; content:"inter-ctrip.com"; depth:15; nocase; endswith; fast_pattern; reference:url,www.forcepoint.com/blog/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_29, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay View Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"ViewItem"; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001908; classtype:policy-violation; sid:2001908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Lookup of Malware Domain twothousands.cm Likely Infection"; dns.query; content:"twothousands.cm"; depth:15; fast_pattern; endswith; nocase; classtype:pup-activity; sid:2012176; rev:6; metadata:created_at 2011_01_13, former_category ADWARE_PUP, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY eBay Watch This Item"; flow: to_server,established; content:"/ws/eBayISAPI.dll"; http_uri; nocase; content:"MakeTrack&Item="; nocase; content:".ebay.com"; nocase; http_header; reference:url,doc.emergingthreats.net/2001909; classtype:policy-violation; sid:2001909; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; dns.query; content:"startupfraction.com"; depth:19; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024722; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Search Appliance browsing the Internet"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3A| gsa-crawler"; http_header; nocase; reference:url,www.google.com/enterprise/gsa/index.html; reference:url,doc.emergingthreats.net/2002838; classtype:web-application-activity; sid:2002838; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (search.feedvertizus)"; dns.query; content:"search.feedvertizus.com"; depth:23; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024723; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Inbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2000560; classtype:misc-activity; sid:2000560; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Malicious Chrome Ext. DNS Query For Adware CnC (opurie)"; dns.query; content:"opurie.com"; depth:10; fast_pattern; endswith; nocase; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:pup-activity; sid:2024725; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP CONNECT Tunnel Attempt Outbound"; flow: to_server,established; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|80"; within: 4; distance: -11; content:"CONNECT "; nocase; content:"|0d 0a|"; within: 1024; distance: 0; content:"HTTP/1."; nocase; within: 8; distance: -10; content:!"|3a|443"; within: 5; distance: -12; reference:url,doc.emergingthreats.net/2008330; classtype:misc-activity; sid:2008330; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE DNS Query Targeted Tibetan Android Malware C2 Domain"; dns.query; content:"android.uyghur.dnsd.me"; depth:22; nocase; fast_pattern; endswith; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:command-and-control; sid:2016711; rev:7; metadata:created_at 2013_04_04, former_category MOBILE_MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET POLICY JBOSS/JMX port 8080 access from outside"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010378; classtype:web-application-attack; sid:2010378; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a .tk domain - Likely Hostile"; dns.query; content:".tk"; fast_pattern; nocase; endswith; content:!"www.google.tk"; classtype:bad-unknown; sid:2012811; rev:7; metadata:created_at 2011_05_15, former_category DNS, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Mozilla XPI install files download"; flow: from_server,established; content:"content-type|3a| application/x-xpinstall"; http_header; nocase; reference:url,doc.emergingthreats.net/2001114; classtype:bad-unknown; sid:2001114; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BernhardPOS Possible Data Exfiltration via DNS Lookup (29a.de)"; dns.query; content:".29a.de"; nocase; fast_pattern; endswith; pcre:"/^.(?=[a-z0-9+/]*?[A-Z])(?=[A-Z0-9+/]*?[a-z])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.29a\.de$/"; reference:url,morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick; classtype:trojan-activity; sid:2021416; rev:5; metadata:created_at 2015_07_15, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Nagios HTTP Monitoring Connection"; flow:established,to_server; content:"User-Agent|3a| check_http/"; http_header; nocase; content:"(nagios-plugins "; http_header; nocase; reference:url,doc.emergingthreats.net/2006779; classtype:not-suspicious; sid:2006779; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Maldoc CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/software-protection/app.php"; startswith; fast_pattern; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:url,blog.telsy.com/zebrocy-dropbox-remote-injection/; classtype:targeted-activity; sid:2027939; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag APT28, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; reference:url,doc.emergingthreats.net/2001675; classtype:bad-unknown; sid:2001675; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Evil Eye Android Malware Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:65.0) Gecko/20100101 Firefox/65.0"; depth:78; http.request_body; content:"{|22|device_id|22 3a 22|"; depth:14; fast_pattern; http.accept_lang; content:"zh-CN"; depth:5; endswith; reference:url,www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/; classtype:trojan-activity; sid:2027940; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_09_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Wget User Agent"; flow:established,to_server; content:"User-Agent|3A| "; nocase; http_header; content:"Wget"; nocase; http_header; reference:url,www.gnu.org/software/wget; reference:url,doc.emergingthreats.net/2002822; classtype:attempted-recon; sid:2002822; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".serveo.net"; nocase; endswith; classtype:policy-violation; sid:2027942; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User Agent"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:"libwww-perl/"; nocase; http_header; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002934; classtype:attempted-recon; sid:2002934; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".pagekite.net"; nocase; endswith; classtype:policy-violation; sid:2027943; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"googlebot"; nocase; http_header; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002828; classtype:not-suspicious; sid:2002828; rev:9; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful National Australia Bank Phish 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Yes="; depth:4; nocase; content:"&PRIMARY_CUR_TYPE_CODE="; nocase; distance:0; fast_pattern; content:"&PRIMARY_PRV_APT_NUM="; nocase; distance:0; content:"&PRIMARY_PRV_STREET_NUM="; nocase; distance:0; content:"&PRIMARY_PRV_STREET_NAME="; nocase; distance:0; content:"&PRIMARY_PRV_STATE="; nocase; distance:0; content:"&PRIMARY_PRV_POST_CODE="; nocase; distance:0; content:"&APP_NAB_PRI_PRV_COUNTRY="; nocase; distance:0; content:"&PRIMARY_PRV_MTHS_AT_RES.year="; nocase; distance:0; content:"&PRIMARY_PRV_MTHS_AT_RES.month="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp_month="; nocase; distance:0; content:"&exp_year="; nocase; distance:0; content:"&cvv="; nocase; distance:0; classtype:credential-theft; sid:2032721; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002830; classtype:not-suspicious; sid:2002830; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Laturo Stealer CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.header; content:"Os|3a 20|WIN_"; nocase; fast_pattern; content:"Hwid|3a 20|"; nocase; content:"Elevated|3a 20|"; nocase; content:"Arch|3a 20|"; nocase; content:"Special|3a 20|"; nocase; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,06a1eaa62d8de97aec8a151f2ca6569b; classtype:command-and-control; sid:2027944; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_04, deployment Perimeter, former_category MALWARE, malware_family Laturo, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Crawler User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002832; classtype:not-suspicious; sid:2002832; rev:9; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Cloudflare DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=cloudflare-dns.com"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2027671; rev:5; metadata:created_at 2019_07_03, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY python.urllib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"python.urllib/"; nocase; http_header; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002944; classtype:attempted-recon; sid:2002944; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Glupteba CnC Domain (venoxcontrol .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"venoxcontrol.com"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027946; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Briefcase Upload"; flow:to_server,established; content:"briefcase.yahoo.com"; http_header; content:"/process_bcmultipart_form"; http_uri; nocase; reference:url,doc.emergingthreats.net/2001044; classtype:policy-violation; sid:2001044; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"okonewacon.com"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027947; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo 360 Social Site Access"; flow:established,to_server; content:"Host|3a| 360.yahoo.com"; http_header; threshold: type both, track by_src, count 5, seconds 300; reference:url,doc.emergingthreats.net/2003454; classtype:policy-violation; sid:2003454; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"bigtext.club"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 3306 -> $HOME_NET any (msg:"ET POLICY External MYSQL Server Connection"; flow:from_server,established; content:"|00|"; depth:1; offset:3; reference:url,doc.emergingthreats.net/2008572; classtype:trojan-activity; sid:2008572; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"blackempirebuild.com"; nocase; depth:20; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027949; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY exe download without User Agent"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; content:!"User-Agent|3a|"; http_header; content:!"download.windowsupdate.com"; http_header; content:!"mms|3a|//"; nocase; pcre:"/\.exe$/Ui"; reference:url,doc.emergingthreats.net/2003179; classtype:policy-violation; sid:2003179; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"clubhouse.site"; nocase; depth:14; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027950; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|10|"; within:6; flowbits:noalert; reference:url,doc.emergingthreats.net/2003007; classtype:unusual-client-port-connection; sid:2003007; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"nxtfdata.xyz"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027951; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003012; classtype:unusual-client-port-connection; sid:2003012; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"lienews.world"; nocase; depth:13; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027952; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 00|"; content:"|0b|"; within:6; reference:url,doc.emergingthreats.net/2003013; classtype:unusual-client-port-connection; sid:2003013; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"phonemus.net"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027953; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Java JAR Download Attempt"; flow:established,to_server; content:".jar"; http_uri; reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; classtype:bad-unknown; sid:2011855; rev:2; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Domain in DNS Lookup"; dns.query; content:"takebad1.com"; nocase; depth:12; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/; classtype:command-and-control; sid:2027954; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_05, deployment Perimeter, former_category MALWARE, malware_family Glupteba, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY Possible hidden zip extension .cpl"; flow:established; content:"|20 20 2E 63 70 6C 50 4B|"; reference:url,doc.emergingthreats.net/2001406; classtype:suspicious-filename-detect; sid:2001406; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http any any -> any any (msg:"ET MALWARE HTTP Request for Possible ELF/LiLocked Ransomware Note"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"README.lilocked"; fast_pattern; endswith; reference:url,www.zdnet.com/article/thousands-of-servers-infected-with-new-lilocked-lilu-ransomware/; classtype:trojan-activity; sid:2027967; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, malware_family LiLocked, signature_severity Major, tag Ransomware, updated_at 2020_09_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5938 (msg:"ET POLICY TeamViewer Keep-alive outbound"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:set,ET.teamviewerkeepaliveout; flowbits:noalert; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008794; classtype:misc-activity; sid:2008794; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Generic Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/start_cache1.php"; fast_pattern; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027969; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a|"; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+Windows-Update-Agent/i"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002949; classtype:policy-violation; sid:2002949; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible PHP.MAILER WebShell Register Shutdown Function Request Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"r=register_shutdown_function"; startswith; fast_pattern; content:"&d="; distance:0; content:"&s="; distance:0; content:"&c="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-abuses-php-functions-for-persistence-uses-compromised-devices-for-evasion-and-intrusion/; classtype:trojan-activity; sid:2027970; rev:3; metadata:attack_target Server, created_at 2019_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java JAR file download"; flow:from_server,established; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:2011854; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious svchost.exe in URI - Possible Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/svchost.exe"; nocase; fast_pattern; endswith; classtype:bad-unknown; sid:2016696; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET 23 -> any any (msg:"ET POLICY Telnet to HP JetDirect Printer With No Password Set"; flow:to_client,established; content:"HP JetDirect"; content:"Password is not set"; offset:40; depth:30; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999#A3; reference:url,doc.emergingthreats.net/2009535; classtype:misc-activity; sid:2009535; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious explorer.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/explorer.exe"; nocase; endswith; fast_pattern; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET POLICY External FTP Connection TO Local HP JetDirect Printer"; flow:to_client,established; content:"Hewlett-Packard FTP Print Server Version"; content:"To print a file, use the command|3a| put <filename> [portx]"; offset:40; depth:190; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06165; reference:url,doc.emergingthreats.net/2009536; classtype:misc-activity; sid:2009536; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious winlogin.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/winlogon.exe"; nocase; endswith; fast_pattern; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active"; ip_proto:41; threshold:type both,track by_dst, count 1, seconds 60; reference:url,en.wikipedia.org/wiki/6in4; classtype:policy-violation; sid:2012141; rev:2; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious services.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/services.exe"; nocase; endswith; fast_pattern; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+#alert ip [0.0.0.0/8,192.0.0.0/24,192.0.2.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24] any -> $HOME_NET any (msg:"ET POLICY Unallocated IP Space Traffic - Bogon Nets"; threshold: type limit, track by_src, count 1, seconds 360; reference:url,www.cymru.com/Documents/bogon-list.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002749; classtype:bad-unknown; sid:2002749; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious smss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/smss.exe"; nocase; endswith; fast_pattern; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3; metadata:created_at 2011_04_07, updated_at 2011_04_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious csrss.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/csrss.exe"; nocase; fast_pattern; endswith; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Outbound"; flow:established; content:"|16 03 00|"; content:"|00 5c|"; distance:0; content:"|c0 14 c0 0a 00 39 00 38 00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012078; rev:5; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious rundll32.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/rundll32.exe"; nocase; fast_pattern; endswith; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:15; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2"; flow:established; content:"|16 03 00|"; content:"|00 26|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012079; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious lsass.exe in URI"; flow:established,to_server; urilen:<100; http.method; content:"GET"; http.uri; content:"/lsass.exe"; nocase; endswith; fast_pattern; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:16; metadata:created_at 2013_04_02, former_category INFO, updated_at 2020_09_17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3"; flow:established; content:"|16 03 00|"; content:"|00 34|"; distance:0; content:"|00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03|"; distance:0; threshold: type both, count 1, seconds 300, track by_dst; reference:url,www.stunnel.org/download/binaries.html; classtype:policy-violation; sid:2012080; rev:4; metadata:created_at 2010_12_22, updated_at 2010_12_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-pre.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:domain-c2; sid:2028567; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"arguments.callee"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=1519; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010883; classtype:misc-activity; sid:2010883; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Sidewinder CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=trans-can.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.secrss.com/articles/13390; classtype:domain-c2; sid:2028568; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Sidewinder, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET !3389 (msg:"ET POLICY Remote Desktop Connection via non RDP Port"; flow:established,to_server; content:"|03|"; depth:1; content:"|e0|"; distance:4; within:1; content:"Cookie|3a|"; distance:5; within:7; reference:url,doc.emergingthreats.net/2007571; classtype:policy-violation; sid:2007571; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception Group CnC Observed in DNS Query (ms-check-new-update .com)"; dns.query; content:"ms-check-new-update.com"; nocase; endswith; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031674; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"GPL POLICY MS Remote Desktop Request RDP"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:2101447; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Absent)"; flow:established,to_server; http.user_agent; content:"Absent"; depth:6; endswith; classtype:bad-unknown; sid:2028571; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Terminal Server Root login"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=root|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012710; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Maldoc CnC Checkin"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"relay=y"; startswith; fast_pattern; endswith; http.content_type; content:"application|2f|x-www-form-urlencoded"; http.header_names; content:!"Referer"; content:!"Connection"; content:!"Accept"; reference:url,mp.weixin.qq.com/s/pJ-rnzB7VMZ0feM2X0ZrHA; classtype:targeted-activity; sid:2028569; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TransparentTribe, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Service User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=service|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012712; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=suport.worldupdate.site"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop POS User Login Request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=pos|0d 0a|"; nocase; reference:cve,2001-0540; classtype:protocol-command-decode; sid:2012711; rev:1; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=full.devinelive.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,m.threatbook.cn/detail/1924; classtype:domain-c2; sid:2028585; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP POST on unusual Port Possibly Hostile"; flow:established,to_server; content:"POST"; nocase; http_method; reference:url,doc.emergingthreats.net/2006409; classtype:policy-violation; sid:2006409; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"suport.worldupdate.site"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028586; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"GPL POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:2101846; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"full.devinelive.top"; nocase; endswith; reference:url,m.threatbook.cn/detail/1924; classtype:command-and-control; sid:2028587; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow: to_server,established; content:"curmbox="; http_uri; nocase; content:"hotmail.msn.com"; http_header; nocase; content:"/cgi-bin/compose?/"; nocase; http_uri; reference:url,doc.emergingthreats.net/2000037; classtype:policy-violation; sid:2000037; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"roundworld.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028592; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow: to_server,established; content:"hotmail.msn.com"; http_header; content:"/cgi-bin/getmsg?msg=MSG"; http_uri; reference:url,doc.emergingthreats.net/2000036; classtype:policy-violation; sid:2000036; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"postnews.club"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028593; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Submit"; flow: to_server,established; content:"hotmail.msn.com"; nocase; http_header; content:"/cgi-bin/premail/"; http_uri; reference:url,doc.emergingthreats.net/2000038; classtype:policy-violation; sid:2000038; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"fstyline.xyz"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Submit Data"; flow: to_server,established; content:"curmbox="; nocase; content:"login="; nocase; content:"msghdrid"; nocase; content:"sigflag="; nocase; reference:url,doc.emergingthreats.net/2000039; classtype:policy-violation; sid:2000039; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Glupteba CnC Observed in DNS Query"; dns.query; content:"weekdanys.com"; nocase; endswith; reference:url,www.cybereason.com/blog/glupteba-expands-operation-and-toolkit-with-lolbins-cryptominer-and-router-exploit; classtype:command-and-control; sid:2028595; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:2101771; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-09-17 1)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL, CN=dapoerwedding.com"; endswith; fast_pattern; reference:url,twitter.com/jeFF0Falltrades/status/1173300902242988032; reference:md5,db51f2715c81c4357d11d69ac96bf582; classtype:domain-c2; sid:2028596; rev:3; metadata:attack_target Client_and_Server, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a password"; flow:established,to_server; content:"password|3a|"; nocase; http_header; classtype:policy-violation; sid:2012868; rev:3; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028606; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request containing a pass field"; flow:established,to_server; content:"pass|3a| "; nocase; http_header; classtype:policy-violation; sid:2012869; rev:2; metadata:created_at 2011_05_26, updated_at 2011_05_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"nexcesscdh.net"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028607; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Http Client Body contains password= in cleartext"; flow:established,to_server; content:"password="; nocase; http_client_body; classtype:policy-violation; sid:2012885; rev:3; metadata:created_at 2011_05_30, updated_at 2011_05_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"ossmaxcdn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028608; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains password Parameter"; flow:established,to_server; content:"password="; nocase; http_uri; pcre:"/(?<=(\?|&))password=(?!&)/Ui"; classtype:policy-violation; sid:2012911; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"contextjs.info"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028609; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains passwd Parameter"; flow:established,to_server; content:"passwd="; nocase; http_uri; pcre:"/(?<=(\?|&))passwd=(?!&)/Ui"; classtype:policy-violation; sid:2012912; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-order.com"; nocase; endswith; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028610; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pass Parameter"; flow:established,to_server; content:"pass="; nocase; http_uri; pcre:"/(?<=(\?|&))pass=(?!&)/Ui"; classtype:policy-violation; sid:2012913; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP BundledInstaller PUA/PUP Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rar"; endswith; http.host; content:"down.freefullversion.org"; depth:24; fast_pattern; reference:md5,8edee795e16433717eab784938060198; classtype:pup-activity; sid:2028613; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_09_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pwd Parameter"; flow:established,to_server; content:"pwd="; nocase; http_uri; pcre:"/(?<=(\?|&))pwd=(?!&)/iU"; classtype:policy-violation; sid:2012914; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.online)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".online"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pw Parameter"; flow:established,to_server; content:"pw="; nocase; http_uri; pcre:"/(?<=(\?|&))pw=(?!&)/Ui"; classtype:policy-violation; sid:2012915; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XLS.Unk DDE rar Drop Attempt (.club)"; flow:established,to_server; urilen:1; flowbits:set,ET.xls.dde.drop; flowbits:noalert; http.method; content:"GET"; http.host; content:".club"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; reference:md5,63b070b222d170ef4cc35ad94d42a088; classtype:trojan-activity; sid:2026490; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category TROJAN, malware_family MalDocGeneric, malware_family Maldoc, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains passphrase Parameter"; flow:established,to_server; content:"passphrase="; http_uri; nocase; pcre:"/(?<=(\?|&))passphrase=(?!&)/Ui"; classtype:policy-violation; sid:2012916; rev:3; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Facebook Phishing Domain in DNS Lookup"; dns.query; content:"www.oitunmy.com"; nocase; depth:15; endswith; reference:url,twitter.com/bomccss/status/1175173176596152320; classtype:credential-theft; sid:2028616; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_21, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY URL Contains pword Parameter"; flow:established,to_server; content:"pword="; nocase; http_uri; pcre:"/(?<=(\?|&))pword=(?!&)/Ui"; classtype:policy-violation; sid:2012917; rev:2; metadata:created_at 2011_06_01, updated_at 2011_06_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bsodsupport.icu"; nocase; endswith; classtype:domain-c2; sid:2028614; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile"; flow:established,to_client; content:"Server|3a| nginx"; nocase; offset:15; depth:15; content:"Content-Type|3a| text/html"; nocase; distance:20; content:"eval(function(p,a,c,k,e,d)"; nocase; distance:50; reference:url,doc.emergingthreats.net/2011765; classtype:bad-unknown; sid:2011765; rev:3; metadata:created_at 2010_09_29, updated_at 2010_09_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"en-content.com"; nocase; endswith; pcre:"/(?:^|\.)en-content\.com$/"; classtype:domain-c2; sid:2028615; rev:3; metadata:created_at 2019_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DonotGroup, updated_at 2020_09_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CURL User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"curl"; nocase; within:100; http_header; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002824; classtype:attempted-recon; sid:2002824; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tortoiseshell/HMH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asmx/GetUpdate?val="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a194e3bf830104922295c37e6d19d9a2; reference:url,blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html; classtype:command-and-control; sid:2028617; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"GPL POLICY PCAnywhere server response"; content:"ST"; depth:2; classtype:misc-activity; sid:2100566; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/GMERA.A CnC Domain (appstockfolio .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"appstockfolio.com"; depth:17; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:domain-c2; sid:2028619; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY docs.google.com Activity"; flow:established,to_server; content:"Host|3a| docs.google.com|0d 0a|"; http_header; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003121; classtype:policy-violation; sid:2003121; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Majestic12 User-Agent Request Inbound"; flow:established,to_server; content:"MJ12bot/"; http_header; classtype:trojan-activity; sid:2013255; rev:4; metadata:created_at 2011_07_12, updated_at 2011_07_12;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Persona Not Validated)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Persona Not Validated"; classtype:policy-violation; sid:2013294; rev:2; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+
+alert tcp $EXTERNAL_NET 5938 -> $HOME_NET any (msg:"ET POLICY TeamViewer Keep-alive inbound"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isset,ET.teamviewerkeepaliveout; threshold: type limit, count 1, seconds 120, track by_src; reference:url,www.teamviewer.com; reference:url,en.wikipedia.org/wiki/TeamViewer; reference:url,doc.emergingthreats.net/2008795; classtype:misc-activity; sid:2008795; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSPlayer User-Agent Windows Media Player streaming detected"; flow:established,to_server; content:"User-Agent|3A 20|NSPlayer|2F|"; http_header; threshold: type limit, track by_src, seconds 300, count 1; reference:url,msdn.microsoft.com/en-us/library/cc234851; classtype:policy-violation; sid:2011874; rev:3; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (1)"; flow:to_server,established; content:"/uiserver.php?social_plugin=like"; http_uri; content:"external_page_url="; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013458; rev:2; metadata:created_at 2011_08_25, updated_at 2011_08_25;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Facebook Like Button Clicked (2)"; flow:to_server,established; content:"/plugins/like.php?"; http_uri; content:"href="; http_uri; content:"action=like"; http_uri; content:"Host|3a| www.facebook.com|0d 0a|"; http_header; reference:url,developers.facebook.com/docs/reference/plugins/like/; reference:url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/; classtype:policy-violation; sid:2013459; rev:2; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF File Containing Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/JavaScript"; nocase; distance:0; pcre:"/\x3C\x3C[^>]*\x2FJavaScript/smi"; threshold:type limit, count 1, seconds 60, track by_src; classtype:misc-activity; sid:2010882; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"GPL POLICY PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:2100512; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"CryptSoft Pty Ltd"; within:50; classtype:bad-unknown; sid:2011542; rev:6; metadata:created_at 2010_09_27, updated_at 2010_09_27;)
+
+#alert ssh any any -> any !$SSH_PORTS (msg:"ET POLICY SSH session in progress on Unusual Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001984; classtype:misc-activity; sid:2001984; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert ssh any any -> any $SSH_PORTS (msg:"ET POLICY SSH session in progress on Expected Port"; flow:established,to_server; threshold: type both, track by_src, count 2, seconds 300; reference:url,doc.emergingthreats.net/2001978; classtype:misc-activity; sid:2001978; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Centralops.net Probe"; flow:established,to_server; content:"CentralOps.net/)"; http_header; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003631; classtype:policy-violation; sid:2003631; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Bluecoat Proxy in use"; flow:established,to_server; content:"X-BlueCoat-Via|3A|"; http_header; classtype:not-suspicious; sid:2014049; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
+
+#alert http any any -> $HOME_NET any (msg:"ET POLICY HTTP Redirect to IPv4 Address"; flow:established,from_server; content:"302"; http_stat_code; content:"Found"; nocase; content:"Location|3a| "; nocase; pcre:"/Location\: (http\:\/\/)?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//i"; reference:url,doc.emergingthreats.net/2011085; classtype:misc-activity; sid:2011085; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file)"; flow:established,from_server; content:"|0d 0a|Content-Type|3a| application|2f|octet-stream"; content:"|0d 0a 0d 0a 52 61 72 21|"; content:!"|1A 07|"; within:2; reference:url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008782; classtype:trojan-activity; sid:2008782; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; content:"bomgar-scc-"; nocase; distance:0; fast_pattern; content:".exe"; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:3; metadata:created_at 2011_11_08, updated_at 2011_11_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; classtype:policy-violation; sid:2101438; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"ET POLICY Outbound MSSQL Connection to Standard port (1433)"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013410; rev:4; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET !1433 (msg:"ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1b 00 01 02 00 1c 00|"; distance:1; within:18; content:"|03 00|"; distance:1; within:2; content:"|00 04 ff 08 00 01 55 00 00 00|"; distance:1; within:10; flowbits:set,ET.MSSQL; classtype:bad-unknown; sid:2013409; rev:3; metadata:created_at 2011_08_16, updated_at 2011_08_16;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Badongo file download service access"; flow:to_server,established; content:"GET"; http_method; content:"/file/"; http_uri; content:"Host|3a| "; nocase; http_header; content:"badongo.com"; nocase; http_header; within:15; content:"badongoL="; http_cookie; reference:url,doc.emergingthreats.net/2009302; classtype:policy-violation; sid:2009302; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FACEBOOK user id in http_client_body, lookup with fb.com/profile.php?id="; flow:established,to_server; content:".facebook.com|0D 0A|"; http_header; content:"&__user="; http_client_body; threshold: type limit, count 1, seconds 600, track by_src; classtype:not-suspicious; sid:2014102; rev:3; metadata:created_at 2012_01_06, updated_at 2012_01_06;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"GPL POLICY Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2102124; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"GPL POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2102044; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Class 1 Primary Intermediate Server CA"; classtype:policy-violation; sid:2013296; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Free SSL Certificate (StartCom Free Certificate Member)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"StartCom Free Certificate Member"; classtype:policy-violation; sid:2013297; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+
+#alert ftp $HOME_NET any -> any any (msg:"ET POLICY FTP Login Successful"; flow:from_server,established; flowbits:isset,ET.ftp.user.login; flowbits:isnotset,ftp.user.logged_in; flowbits:set,ftp.user.logged_in; content:"230 "; depth:4; reference:url,doc.emergingthreats.net/2003410; classtype:misc-activity; sid:2003410; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:6; metadata:created_at 2012_01_19, former_category POLICY, updated_at 2012_01_19;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP geo location service response"; flow:established,from_server; flowbits:isset,ETPRO.IP.geo.loc; content:"city_name="; http_cookie; content:"state="; http_cookie; content:"country_"; http_cookie; content:"latitude="; http_cookie; content:"longitude="; http_cookie; content:"|0d 0a 0d 0a|document.write(|22|"; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014265; rev:4; metadata:created_at 2012_01_19, former_category POLICY, updated_at 2012_01_19;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY MS Remote Desktop Administrator Login Request"; flow:established,to_server; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; distance:2; within:6; content:"Cookie|3a| mstshash=admin"; distance:0; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2012709; rev:5; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow:established,to_server; content:"/WeatherWindow/WeatherWindow"; nocase; http_uri; content:"?rnd="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; classtype:trojan-activity; sid:2003420; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Command Activity"; flow:established,to_server; content:"/connection/connectionv"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; classtype:trojan-activity; sid:2003422; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Weatherbug Activity"; flow: to_server,established; content:"weatherbug.com|0d 0a|"; nocase; http_header; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; classtype:misc-activity; sid:2001267; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (png)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".png"; nocase; http_uri; content:".png HTTP"; nocase; pcre:"/\.png$/Ui"; reference:url,doc.emergingthreats.net/2010070; classtype:trojan-activity; sid:2010070; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpeg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpeg"; nocase; http_uri; content:".jpeg HTTP"; nocase; pcre:"/\.jpeg$/i"; reference:url,doc.emergingthreats.net/2010068; classtype:trojan-activity; sid:2010068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (bmp)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".bmp"; nocase; http_uri; content:".bmp HTTP"; nocase; pcre:"/\.bmp$/i"; reference:url,doc.emergingthreats.net/2010069; classtype:trojan-activity; sid:2010069; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF"; flow:established,to_client; content:"PDF-"; depth:300; content:"/Filter"; nocase; distance:0; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; content:"Decode"; nocase; within:30; reference:url,www.symantec.com/connect/blogs/journey-center-pdf-stream; reference:url,doc.emergingthreats.net/2011008; classtype:misc-activity; sid:2011008; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET 1723 -> $EXTERNAL_NET any (msg:"ET POLICY PPTP Requester is not authorized to establish a command channel"; flow:to_client,established,no_stream; content:"|00 01|"; offset:2; depth:4; content:"|00 02|"; offset:8; depth:10; content:"|04|"; offset:12; depth:13; reference:url,tools.ietf.org/html/rfc2637; reference:url,doc.emergingthreats.net/2009387; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html; classtype:attempted-admin; sid:2009387; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http any any -> $HOME_NET any (msg:"ET POLICY SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4; metadata:created_at 2012_06_08, updated_at 2012_06_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; content:"<p>Your current User-Agent string appears to be from an automated process,"; classtype:trojan-activity; sid:2012692; rev:6; metadata:created_at 2011_04_19, updated_at 2011_04_19;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.msn .com)"; flow:established,to_client; dsize:>19; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible OneDrive (storage.live .com)"; flow:established,to_client; dsize:>20; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:3; metadata:created_at 2012_06_19, former_category POLICY, updated_at 2012_06_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"GPL POLICY AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; reference:nessus,10441; classtype:misc-activity; sid:2101504; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hi"; classtype:policy-violation; sid:2101437; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:7; metadata:created_at 2011_06_16, updated_at 2011_06_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"|0d 0a|Server|3A| AmazonS3"; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:10; metadata:created_at 2011_08_17, updated_at 2011_08_17;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:7; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"|0d 0a|Content-Language|3A| ru"; nocase; content:"|0d 0a 0d 0a|MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:8; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc)"; flow:to_server,established; content:"boitho.com"; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2003653; classtype:trojan-activity; sid:2003653; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"Windows 98"; http_user_agent; content:"GtekClient"; fast_pattern; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Eurobarre.us Setup User-Agent"; flow:established,to_server; content:"eurobarre "; http_user_agent; nocase; depth:10; reference:url,doc.emergingthreats.net/2008336; classtype:policy-violation; sid:2008336; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> any any (msg:"ET POLICY Internet Explorer 6 in use - Significant Security Risk"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; http_user_agent; depth:34; threshold: type limit, track by_src, seconds 180, count 1; classtype:policy-violation; sid:2010706; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Googlebot Crawl"; flow:established,to_server; content:"googlebot"; nocase; http_user_agent; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.google.com/webmasters/bot.html; reference:url,doc.emergingthreats.net/2002829; classtype:attempted-recon; sid:2002829; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:2; metadata:created_at 2013_05_16, updated_at 2013_05_16;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY JBOSS/JMX port 80 access from outside"; flow:established,to_server; content:"GET"; http_method; content:"/jmx-console"; nocase; http_uri; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010377; classtype:web-application-attack; sid:2010377; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exe download via HTTP - Informational"; flow:established,to_server; content:".exe"; http_uri; nocase; content:"GET"; http_method; nocase; pcre:"/\.exe\b/Ui"; reference:url,doc.emergingthreats.net/2003595; classtype:policy-violation; sid:2003595; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:6; metadata:created_at 2011_04_15, updated_at 2011_04_15;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY fetch User Agent"; flow:established,to_server; content:"fetch"; nocase; http_user_agent; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002826; classtype:attempted-recon; sid:2002826; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 31 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008744; classtype:policy-violation; sid:2008744; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 32 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008745; classtype:policy-violation; sid:2008745; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 33 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008746; classtype:policy-violation; sid:2008746; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 34 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 1, seconds 30; reference:url,doc.emergingthreats.net/2008747; classtype:policy-violation; sid:2008747; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY Possible External FreeGate DNS Query"; content:"|03 77 36 35 0d 7a 69 79 6f 75 6c 6f 6e 67 6c 69 76 65 03 63 6f 6d 00|"; threshold:type limit, track by_src,count 3, seconds 30; reference:url,doc.emergingthreats.net/2008748; classtype:policy-violation; sid:2008748; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4899 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate OUTBOUND"; flow:to_server,established; dsize:10; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; classtype:policy-violation; sid:2019101; rev:2; metadata:created_at 2014_09_02, updated_at 2014_09_02;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; http_header; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; http_header; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:4; metadata:created_at 2010_09_28, former_category POLICY, updated_at 2010_09_28;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cx.cc domain"; flow: to_server,established; content:".cx.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012321; rev:3; metadata:created_at 2011_02_18, updated_at 2011_02_18;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET 3653 (msg:"ET POLICY gogo6/Freenet6 Authentication Attempt"; content:"AUTHENTICATE|20|"; offset:8; pcre:"/^(?:ANONYMOUS|PASSDSS-3DES-1)\r\n/R"; threshold: type both, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2019383; rev:1; metadata:created_at 2014_10_10, updated_at 2014_10_10;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASProtect/ASPack Packed Binary"; flow:from_server,established; flowbits:isnotset,ET.http.binary; content:"|2E 61 73 70 61 63 6B|"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; reference:url,doc.emergingthreats.net/2008575; classtype:trojan-activity; sid:2008575; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack"; flow:established,from_server; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019416; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+
+alert tcp $HOME_NET [443,465,993,995,25] -> any any (msg:"ET POLICY SSLv3 inbound connection to server vulnerable to POODLE attack"; flow:established,to_client; ssl_version:sslv3; ssl_state:server_hello; content:"|16 03 00|"; depth:3; threshold: type limit, track by_src, seconds 300, count 1; reference:cve,2014-3566; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019415; rev:3; metadata:created_at 2014_10_15, updated_at 2014_10_15;)
+
+#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:2100208; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBPAHAAZQBu"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019615; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ATwBwAGUAb"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019616; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoOpen Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAE8AcABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019617; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+
+alert http $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"QQB1AHQAbwBFAHgAZQBj"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019618; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"EAdQB0AG8ARQB4AGUAY"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019619; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+
+alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET POLICY Office Document Containing AutoExec Macro Via smtp"; flow:established,to_server; content:"BAHUAdABvAEUAeABlAG"; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019620; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP OPTIONS invalid method case outbound"; flow:established,to_server; content:"options "; depth:8; nocase; content:!"OPTIONS "; depth:8; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014382; rev:2; metadata:created_at 2012_03_15, updated_at 2012_03_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8444 (msg:"ET POLICY Bitmessage Activity"; flow:established,to_server; content:"version"; offset:4; depth:7; content:"Bitmessage|3a|"; distance:0; reference:url,bitmessage.org; classtype:policy-violation; sid:2019746; rev:2; metadata:created_at 2014_11_19, updated_at 2014_11_19;)
+
+alert tcp any 6784 -> $HOME_NET 1024: (msg:"ET POLICY Splashtop Remote Control Session Keepalive Response"; flow:established,from_server; dsize:4; content:"|31 00|"; offset:2; depth:2; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014130; rev:2; metadata:created_at 2012_01_16, updated_at 2012_01_16;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 623 (msg:"ET POLICY Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retrieval RAKP message 1 with default BMC usernames (Admin|root|Administrator|USERID)"; content:"|06 12|"; offset:4; depth:2; pcre:"/((\x0d|\x05)Admin(istrator)?|\x04root|\x06USERID)/Ri"; classtype:protocol-command-decode; sid:2017120; rev:2; metadata:created_at 2013_07_09, former_category POLICY, updated_at 2013_07_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY I2P Seeds File Download"; flow:established,to_client; file_data; content:"I2Psu3"; within:6; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020416; rev:2; metadata:created_at 2015_02_12, updated_at 2015_02_12;)
+
+#alert tcp !$SMTP_SERVERS any -> !$HOME_NET 587 (msg:"ET POLICY Outbound SMTP on port 587"; flow:established; content:"mail from|3a|"; nocase; threshold: type limit, track by_src, count 1, seconds 60; reference:url,doc.emergingthreats.net/2003864; classtype:misc-activity; sid:2003864; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 03|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020634; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 06|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020635; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 08|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020636; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0E|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020637; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 11|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020673; rev:3; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 17|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020675; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 19|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020676; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 26|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020677; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 27|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020678; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 28|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020679; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 29|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020680; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2A|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020681; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 2B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020682; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 0B|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020672; rev:5; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+#alert tcp $HOME_NET any -> any [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204)"; flow:established,to_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|01|"; distance:3; within:1; byte_jump:1,37,relative; byte_extract:2,0,SuiteLength,relative; content:"|00 14|"; within:SuiteLength; fast_pattern; threshold:type limit,track by_src,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020674; rev:4; metadata:created_at 2015_03_11, updated_at 2015_03_11;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Nessus Vulnerability Scanner Plugins Update"; flow:to_client,established; content:"plugins.nessus.org"; content:"https|3a|//www.thawte.com/repository/index.html"; offset:432; depth:88; reference:url,www.nessus.org/nessus/; reference:url,www.nessus.org/plugins/; reference:url,doc.emergingthreats.net/2009706; classtype:policy-violation; sid:2009706; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Exe32Pack Packed Executable Download"; flow:established,to_client; file_data; content:"Packed by exe32pack"; content:"SteelBytes All rights reserved"; distance:0; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:policy-violation; sid:2020914; rev:2; metadata:created_at 2015_04_15, updated_at 2015_04_15;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Petite Packed Binary Download"; flow:to_client,established; flowbits:isnotset,ET.http.binary; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|43 6F 6D 70 72 65 73 73 65 64 20 62 79 20 50 65 74 69 74 65 20 28 63 29 31 39 39 39 20 49 61 6E 20 4C 75 63 6B 2E 00 00|"; distance:-44; flowbits:set,ET.http.binary; reference:md5,fa2c0e8b486c879f4baee1d5bebdf0a2; classtype:trojan-activity; sid:2020973; rev:5; metadata:created_at 2015_04_22, updated_at 2015_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Edwards Packed proxy.pac from 724sky"; flow:established,from_server; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|baidu|7c|"; nocase; reference:md5,50bd21aac1f57d90c54683995ec102aa; classtype:trojan-activity; sid:2021511; rev:2; metadata:created_at 2015_07_23, updated_at 2015_07_23;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain)"; flow: to_client,established; content:"fardh ain"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010578; classtype:policy-violation; sid:2010578; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir)"; flow: to_client,established; content:"Takfir"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010579; classtype:policy-violation; sid:2010579; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara)"; flow: to_client,established; content:"Al-Wala' Wal Bara"; nocase; threshold: type threshold, track by_dst,count 5, seconds 360; reference:url,doc.emergingthreats.net/2010580; classtype:policy-violation; sid:2010580; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ethereum traffic"; flow:established,to_server; content:"POST"; depth:4; content:"|22|id|22 3a|"; nocase; distance:0; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22|method|22 3a|"; nocase; distance:0; pcre:"/^[^/s]*(?:eth_(?:g(?:et(?:B(?:lock(?:TransactionCountBy(?:Number|Hash)|By(?:Number|Hash))|alance)|Transaction(?:By(?:Block(?:Number|Hash)AndIndex|Hash)|(?:Receip|Coun)t)|Uncle(?:ByBlock(?:Number|Hash)AndIndex|CountByBlock(?:Number|Hash))|(?:Filter(?:Change|Log)|Log)s|Co(?:mpilers|de)|StorageAt|Work)|asPrice)|(?:(?:new(?:PendingTransaction|Block)?|uninstall)Filt|blockNumb)er|s(?:(?:end(?:Raw)?Transactio|ig)n|ubmit(?:Hashrate|Work)|yncing)|c(?:o(?:mpile(?:S(?:olidity|erpent)|LLL)|inbase)|all)|(?:estimateGa|account)s|protocolVersion|hashrate|mining)|shh_(?:new(?:Identity|Filter|Group)|get(?:FilterChan|Messa)ges|uninstallFilter|hasIdentity|addToGroup|version|post)|db_(?:get(?:String|Hex)|put(?:String|Hex))|net_(?:listening|peerCount|version)|web3_(?:clientVersion|sha3))/R"; reference:url,github.com/ethereum/wiki/wiki/JSON-RPC; classtype:policy-violation; sid:2021983; rev:2; metadata:created_at 2015_10_20, former_category POLICY, updated_at 2015_10_20;)
+
+alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ET POLICY FOX-SRT - Juniper ScreenOS SSH World Reachable"; flow:to_client,established; content:"SSH-2.0-NetScreen"; reference:cve,2015-7755; reference:url,kb.juniper.net/JSA10713; classtype:policy-violation; sid:2022299; rev:2; metadata:created_at 2015_12_22, updated_at 2015_12_22;)
+
+#alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Lets Encrypt Free SSL Cert Observed"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2022218; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_12_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2017_10_12;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Server Hello"; flow:from_server,established; content:"|04 00 01 00 02|"; offset:2; depth:5; byte_test:2,>,15,4,relative; byte_test:2,<,33,4,relative; flowbits:set,SSlv2.ServerHello; flowbits:noalert; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022583; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC4_128_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 01 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022584; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 03 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022585; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 04 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022586; rev:1; metadata:created_at 2016_03_02, former_category POLICY, updated_at 2016_03_02;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress ClientMaster Key SSL2_IDEA_128_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|0205 00 80|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022587; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible SSLv2 Negotiation in Progress Client Master Key SSL2_DES_64_CBC_WITH_MD5"; flow:to_server,established; flowbits:isset,SSlv2.ServerHello; content:"|02 06 00 40|"; offset:2; depth:4; threshold: type limit, count 1, seconds 600, track by_dst; reference:url,drownattack.com/drown-attack-paper.pdf; classtype:policy-violation; sid:2022588; rev:1; metadata:created_at 2016_03_02, updated_at 2016_03_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PDF With Embedded File"; flow:established,to_client; file_data; content:"obj"; content:"<<"; within:4; content:"/EmbeddedFile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedFile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2011507; rev:8; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+#alert tcp $HOME_NET any -> [64.34.106.33,64.94.18.67] 12975 (msg:"ET POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; flow:to_server; threshold:type limit, track by_src, count 1, seconds 120; reference:url,www.hamachi.cc; reference:url,doc.emergingthreats.net/2002729; classtype:policy-violation; sid:2002729; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> any !6666:7000 (msg:"ET POLICY IRC DCC file transfer request on non-std port"; flow:to_server,established; content:"PRIVMSG "; depth:8; content:" |3a|.DCC SEND"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000349; classtype:non-standard-protocol; sid:2000349; rev:13; metadata:created_at 2010_07_30, updated_at 2016_05_12;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:to_server; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp any 68 -> any 67 (msg:"ET POLICY Possible Kali Linux hostname in DHCP Request Packet"; content:"|63 82 53 63 35 01 03|"; content:"|0c 04|kali"; distance:0; nocase; reference:url,www.kali.org; classtype:policy-violation; sid:2022973; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_07_18, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2017_10_12;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Outgoing Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013800; rev:3; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
+
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Incoming Chromoting Session Response"; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; depth:170; content:"|63 68 72 6F 6D 6F 74 69 6E 67|"; distance:39; reference:url,xinn.org/Chromoting.html; classtype:not-suspicious; sid:2013801; rev:4; metadata:created_at 2011_10_26, updated_at 2016_08_09;)
+
+#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .pif"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".pif"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001407; classtype:suspicious-filename-detect; sid:2001407; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"ET POLICY hidden zip extension .scr"; flow:established; content:"|50 4b 03 04|"; byte_jump:2,22,relative,little, post_offset 2; content:".scr"; distance:-4; within:4; reference:url,doc.emergingthreats.net/2001408; classtype:suspicious-filename-detect; sid:2001408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,587,6666:7000,8076] (msg:"ET POLICY IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:15; metadata:created_at 2010_07_30, updated_at 2017_01_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download Over HTTP"; flow:established; flowbits:isnotset,ET.ELFDownload; file_data; content:"|7F|ELF"; within:4; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2019240; rev:14; metadata:created_at 2014_09_25, updated_at 2017_02_03;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage"; flow:established,to_server; content:"/SubmitWTF.asmx"; http_uri; content:"codeSubmission"; reference:url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx; reference:url,code.google.com/p/submittotdwtf/source/browse/trunk/; classtype:policy-violation; sid:2011871; rev:2; metadata:created_at 2010_10_29, former_category POLICY, updated_at 2010_10_29;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Authentication Initiate"; flow:established,to_server; dsize:<20; content:"|01 00 00 00 05 00 00 02 27 27 02 00 00 00|"; flowbits:set,BE.Radmin.Auth.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003481; classtype:not-suspicious; sid:2003481; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+
+alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Authentication Response"; flowbits:isset,BE.Radmin.Auth.Challenge; flow:established,from_server; dsize:<20; content:"|01 00 00 00 05 00 00 00 27 27 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003482; classtype:not-suspicious; sid:2003482; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Agent User-Agent (Desktop Web System)"; flow:to_server,established; content:"User-Agent|3a| Desktop Web System"; nocase; http_header; reference:url,doc.emergingthreats.net/2003604; classtype:trojan-activity; sid:2003604; rev:9; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard"; flow:established,to_server; content:" CFNetwork/"; http_user_agent; content:" Darwin/"; http_user_agent; content:"UDID"; nocase; http_client_body; pcre:"/[0-9a-f]{40}[^0-9a-f]/P"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013289; rev:7; metadata:created_at 2011_07_19, former_category POLICY, updated_at 2017_07_11;)
+
+#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M1"; flow:established,to_server; tls_sni; content:"coinhive.com"; classtype:policy-violation; sid:2024785; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
+
+#alert tls $HOME_NET any  -> $EXTERNAL_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M1"; flow:established,to_server; tls_sni; content:"jsecoin.com"; classtype:policy-violation; sid:2024787; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2017_10_02;)
+
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY PsExec service created"; flow:to_server,established; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C"; nocase; reference:url,xinn.org/Snort-psexec.html; reference:url,doc.emergingthreats.net/2010781; classtype:suspicious-filename-detect; sid:2010781; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET POLICY Radmin Remote Control Session Setup Initiate"; flow:established,to_server; content:"|01 00 00 00 01 00 00 00 08 08|"; flowbits:set,ET.BE.Radmin.Challenge; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003479; classtype:not-suspicious; sid:2003479; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2017_04_21;)
+
+#alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET any (msg:"ET POLICY Radmin Remote Control Session Setup Response"; flowbits:isset,ET.BE.Radmin.Challenge; flow:established,from_server; dsize:<50; content:"|01 00 00 00 25 00 00 02 12 08 02 00 00 0a 00 00 00 00 00 00|"; reference:url,www.radmin.com; reference:url,doc.emergingthreats.net/2003480; classtype:not-suspicious; sid:2003480; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Expected Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001973; classtype:misc-activity; sid:2001973; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Expected Port"; flowbits:isset,ET.is_ssh_server_banner; flowbits:noalert; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001974; classtype:misc-activity; sid:2001974; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSH Server Banner Detected on Unusual Port"; flowbits:noalert; flow: from_server,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_server_banner; reference:url,doc.emergingthreats.net/2001979; classtype:misc-activity; sid:2001979; rev:8; metadata:created_at 2010_07_30, updated_at 2017_02_01;)
+
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSH Client Banner Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow: from_client,established; content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; flowbits: set,ET.is_ssh_client_banner; reference:url,doc.emergingthreats.net/2001980; classtype:misc-activity; sid:2001980; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,ET.is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)
+
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Expected Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022325; rev:3; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected within Banner on Unusual Port"; flow: from_server,established; flowbits:noalert; content:"SSH-"; offset:0; depth:4; byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative; byte_test:1,=,46,1,relative; content:"|0d 0a|"; offset: 4; depth: 255; byte_test:1,=,20,5,relative; flowbits: set,ET.is_ssh_server_banner; flowbits: set,ET.is_ssh_server_kex; reference:url,www.proftpd.org/docs/contrib/mod_sftp.html; classtype:misc-activity; sid:2022326; rev:2; metadata:created_at 2016_01_01, updated_at 2016_01_01;)
+
+#alert tcp any $SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Expected Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001975; classtype:misc-activity; sid:2001975; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any $SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Expected Port"; flowbits:isset,is_ssh_server_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001976; classtype:misc-activity; sid:2001976; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any !$SSH_PORTS -> any any (msg:"ET POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,ET.is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5; flowbits: set,is_ssh_server_kex; reference:url,doc.emergingthreats.net/2001981; classtype:misc-activity; sid:2001981; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any !$SSH_PORTS (msg:"ET POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,ET.is_ssh_client_kex; reference:url,doc.emergingthreats.net/2001982; classtype:misc-activity; sid:2001982; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin Server Hello"; flow:established,to_client; dsize:9; stream_size:client,=,1; stream_size:server,=,10; content:"|05 00 00 00 00 ff ff ff ff|"; depth:9; fast_pattern; classtype:policy-violation; sid:2025008; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY PTsecurity Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0b 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; classtype:policy-violation; sid:2025009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2017_11_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:3; metadata:created_at 2012_09_07, updated_at 2012_09_07;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IP Check Response (rl. ammyy. com)"; flow:to_client,established; file_data; content:"Your IP="; depth:8; content:", country = "; distance:0; isdataat:!3,relative; classtype:policy-violation; sid:2025150; rev:1; metadata:created_at 2017_12_13, updated_at 2017_12_13;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download Non-HTTP"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; app-layer-protocol:!http; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:24; metadata:created_at 2010_07_30, former_category POLICY, performance_impact Significant, updated_at 2018_01_09;)
+
+#alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|aqsatv|02|ps|00|"; nocase; distance:0; fast_pattern; classtype:policy-violation; sid:2023873; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_02_06, cve url_nctc_gov_site_groups_hamas_html, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2018_01_25;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal x509v3 SubjectKeyIdentifier extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^.\x04[^\x08\x10\x14\x20\x30\x40]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025319; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
+
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [Fidelis] Abnormal Very Long x509v3 SubjectKeyIdentifier Extension"; flow:established,from_server; dsize:>768; content:"|16 03|"; depth:2; content:"|06 03 55 1d 0e 04|"; offset:336; pcre:"/^[\x80-\xff]/R"; threshold: type limit, track by_src, seconds 30, count 1; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025320; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2018_02_07;)
+
+#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET POLICY Connection to previously unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:4; metadata:created_at 2013_06_11, former_category POLICY, updated_at 2018_04_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY WebRTC IP tracking Javascript"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:successful-recon-limited; sid:2021089; rev:3; metadata:created_at 2015_05_13, former_category POLICY, updated_at 2018_04_26;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For Browser Cryptocurrency Mining Domain"; content:"|06|static|0a|reasedoper|02|pw|00|"; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/; classtype:trojan-activity; sid:2024779; rev:5; metadata:affected_product Web_Browsers, created_at 2017_09_27, former_category POLICY, malware_family CoinMiner, updated_at 2018_05_23;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; content:"|22|pass|22 3a 22|"; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; classtype:policy-violation; sid:2024792; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_06_15;)
+
+alert tcp $HOME_NET 445 -> any any (msg:"ET POLICY SMB Remote AT Scheduled Job Pipe Creation"; flow:established,to_client; content:"SMB"; depth:8; content:"\\PIPE\\atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025714; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Executable File Transfer"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.smb.binary; classtype:bad-unknown; sid:2025699; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025700; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025701; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"t|00|e|00|m|00|p|00|\\|00|"; nocase; distance:0; content:"|00 2E 00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025703; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|ps1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|p|00|s|00|1|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025705; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|bat|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025706; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .bat File"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|b|00|a|00|t|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a DLL File"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|dll|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025708; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025709; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"|2E|sys|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025710; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00 2E 00|s|00|y|00|s|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025711; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB Remote AT Scheduled Job Create Request - Possible Lateral Movement"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"atsvc|00|"; distance:0; classtype:bad-unknown; sid:2025712; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2018_07_16;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|w|00|"; nocase; distance:0; content:"|00|h|00|i|00|d|00|d|00|e|00|n|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025720; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|p|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025722; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|e|00|x|00|e|00|c|00|"; nocase; distance:0; content:"|00|b|00|y|00|p|00|a|00|s|00|s|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025723; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|n|00|o|00|n|00|i|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025724; rev:2; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY RunDll Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|r|00|u|00|n|00|d|00|l|00|l|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025725; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
+
+alert tcp $EXTERNAL_NET $SSH_PORTS -> any any (msg:"ET POLICY Potentially Vulnerable LibSSH Server Observed - Possible Authentication Bypass (CVE-2018-10933)"; flow:from_server,established; content:"SSH-2.0-libssh-0."; depth:17; pcre:"/^[67]\.[01235]/R"; reference:url,www.libssh.org/security/advisories/CVE-2018-10933.txt; reference:url,github.com/blacknbunny/libSSH-Authentication-Bypass; reference:cve,2018-10933; classtype:bad-unknown; sid:2026526; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_10_19, deployment Perimeter, former_category POLICY, signature_severity Major, tag CVE_2018_10933, updated_at 2018_10_19;)
+
+#alert udp $HOME_NET 137 -> $EXTERNAL_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Outbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013490; rev:4; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
+
+#alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"ET POLICY NetBIOS nbtstat Type Query Inbound"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 00 01|"; threshold:type limit, track by_src, count 1, seconds 10; classtype:unknown; sid:2013491; rev:4; metadata:created_at 2011_08_30, former_category POLICY, updated_at 2018_11_27;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; nocase; distance:0; fast_pattern; content:"|00|-|00|e|00|n|00|c|00|"; nocase; distance:0; classtype:trojan-activity; sid:2025721; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_02_18;)
+
+alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound SMTP NTLM Authentication Observed"; flow:established,to_server; content:"AUTH|20|ntlm|20|"; depth:10; nocase; fast_pattern; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ri"; classtype:policy-violation; sid:2027152; rev:1; metadata:attack_target Client_and_Server, created_at 2019_04_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2019_04_04;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With No Profile Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-nop"; distance:0; classtype:bad-unknown; sid:2027169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Hidden Window Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-w"; distance:0; content:"hidden"; nocase; within:17; classtype:bad-unknown; sid:2027170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Execution Bypass Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"exec"; nocase; distance:0; content:"bypass"; nocase; within:18; classtype:bad-unknown; sid:2027171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With Encoded Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-enc"; nocase; distance:0; classtype:bad-unknown; sid:2027172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Command With NonInteractive Argument Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; content:"-noni"; nocase; distance:0; classtype:bad-unknown; sid:2027173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd.exe"; nocase; distance:0; classtype:bad-unknown; sid:2027174; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"%comspec"; nocase; distance:0; classtype:bad-unknown; sid:2027178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Using Comspec Environmental Variable Over SMB - Very Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|%|00|c|00|o|00|m|00|s|00|p|00|e|00|c|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027175; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, updated_at 2019_04_10;)
+
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"cmd "; nocase; distance:0; classtype:bad-unknown; sid:2027176; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"nslookup"; nocase; distance:0; classtype:bad-unknown; sid:2027183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Nslookup Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|s|00|l|00|o|00|o|00|k|00|u|00|p|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"ipconfig"; nocase; distance:0; classtype:bad-unknown; sid:2027185; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Ipconfig Command in SMB Traffic - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|i|00|p|00|c|00|o|00|n|00|f|00|i|00|g|00|"; nocase; distance:0; classtype:bad-unknown; sid:2027186; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, malware_family CoinMiner, signature_severity Minor, updated_at 2019_04_11;)
+
+alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP msts Handshake"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie|3a 20|mstshash="; distance:5; within:17; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"ET POLICY Tunneled RDP Handshake"; flow:established; content:"|c0 00|Duca"; depth:250; content:"rdpdr"; content:"cliprdr"; reference:url,www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html; classtype:bad-unknown; sid:2027193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"net"; nocase; distance:0; content:"view"; nocase; within:9; classtype:bad-unknown; sid:2027187; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Net View Command in SMB Traffic - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|n|00|e|00|t|00|"; nocase; distance:0; fast_pattern; content:"|00|v|00|i|00|e|00|w|00|"; nocase; within:19; classtype:bad-unknown; sid:2027188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025726; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|w|00|m|00|i|00|c|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027180; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic.exe"; nocase; distance:0; classtype:trojan-activity; sid:2027181; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET any (msg:"ET POLICY WMIC WMI Request Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"wmic "; nocase; distance:0; classtype:trojan-activity; sid:2027182; rev:2; metadata:attack_target SMB_Client, created_at 2019_04_10, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|.|00|e|00|x|00|e|00|"; nocase; distance:0; classtype:trojan-activity; sid:2027202; rev:1; metadata:created_at 2019_04_16, former_category POLICY, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00 20 00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2025719; rev:3; metadata:attack_target SMB_Client, created_at 2018_07_17, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible Powershell .ps1 Script Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".ps1"; nocase; distance:0; classtype:bad-unknown; sid:2027203; rev:2; metadata:created_at 2019_04_16, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:".mof"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
+
+alert smb any any -> $HOME_NET 445 (msg:"ET POLICY Possible WMI .mof Managed Object File Use Over SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|.|00|m|00|o|00|f|00|"; nocase; distance:0; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf; classtype:bad-unknown; sid:2027206; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_16, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2019_04_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download HTTP"; flow:established,to_client; flowbits:isnotset,ET.http.binary; flowbits:isnotset,ET.INFO.WindowsUpdate; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2018959; classtype:policy-violation; sid:2018959; rev:4; metadata:created_at 2014_08_19, former_category POLICY, updated_at 2017_02_01;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"|00|c|00|m|00|d|00 20 00|"; nocase; distance:0; classtype:bad-unknown; sid:2027177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cryptocurrency Miner Checkin M2"; flow:established,to_server; content:"|7b 22|id|22 3a|"; nocase; depth:6; content:"|22|jsonrpc|22 3a|"; nocase; distance:0; content:"|22 2c 22|method|22 3a 22|login|22 2c 22|params|22 3a|"; fast_pattern; nocase; content:"|22|agent|22 3a 22|"; nocase; content:!"<title"; nocase; content:!"<script"; nocase; content:!"<html"; nocase; content:!"|22|pass|22 3a 22|"; nocase; classtype:policy-violation; sid:2027316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_05_06;)
+
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Powershell Activity Over SMB - Likely Lateral Movement"; flow:established,to_server; content:"SMB"; depth:8; content:"powershell"; nocase; distance:0; classtype:bad-unknown; sid:2027168; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_10, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_10;)
+
+#alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY Executable Transfer in SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2027191; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2019_04_11;)
+
+alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2019_05_30, deployment Internal, performance_impact Low, signature_severity Minor, updated_at 2019_05_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET [1024:65535,![3389]] (msg:"ET POLICY TLS/SSL Client Key Exchange on Unusual Port"; flowbits:isset,BS.SSL.Client.Hello; flow:established; content:"|16 03 01|"; content:"|10|"; within:6; reference:url,doc.emergingthreats.net/2003006; classtype:unusual-client-port-connection; sid:2003006; rev:9; metadata:created_at 2010_07_30, updated_at 2019_06_06;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Socks5 Proxy to Onion (set)"; flow:established,to_server; flowbits:set,ET.Socks5.OnionReq; content:"|05 01 00 03|"; depth:4; content:".onion|00 50|"; distance:0; fast_pattern; reference:url,www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers; classtype:policy-violation; sid:2027703; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Major, updated_at 2019_07_11;)
+
+alert tcp $HOME_NET any -> any [!$HTTP_PORTS,1024:] (msg:"ET POLICY Windows Update P2P Activity"; flow:established,to_server; dsize:<100; content:"Swarm|20|protocol"; depth:20; classtype:not-suspicious; sid:2027766; rev:2; metadata:created_at 2019_07_31, updated_at 2019_07_31;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Inbox Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/"; http_uri; reference:url,doc.emergingthreats.net/2007628; classtype:policy-violation; sid:2007628; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Access"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/inbox/messages/"; http_uri; reference:url,doc.emergingthreats.net/2007629; classtype:policy-violation; sid:2007629; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Compose Message"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"index.php?l1=mg"; http_uri; reference:url,doc.emergingthreats.net/2007630; classtype:policy-violation; sid:2007630; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hyves Message Submit"; flow:established,to_server; content:"Host|3a| www.hyves."; http_header; content:"/messages/"; http_uri; content:"POST"; http_method; content:"/messages/"; http_uri; content:"postman_secret"; reference:url,doc.emergingthreats.net/2007631; classtype:policy-violation; sid:2007631; rev:7; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (way2tor)"; dns_query; content:".way2tor"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019982; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4life.com)"; dns_query; content:".tor4life.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020125; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2019_09_28;)
+
+alert tcp $HOME_NET 1024: -> any 6783 (msg:"ET POLICY Splashtop Remote Control Checkin"; flow:established,to_server; dsize:12; content:"|00 01 00 08 00 00 00 00 00 02 01 00|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014127; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Start Request"; flow:established,to_server; dsize:4; content:"|01 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014128; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+
+alert tcp $HOME_NET 1024: -> any 6784 (msg:"ET POLICY Splashtop Remote Control Session Keepalive"; flow:established,to_server; dsize:4; content:"|00 00 34 12|"; fast_pattern; reference:url,www.splashtop.com; classtype:not-suspicious; sid:2014129; rev:2; metadata:created_at 2012_01_16, updated_at 2019_10_08;)
+
+alert udp $HOME_NET any -> any 53 (msg:"ET POLICY Possible Grams DarkMarket Search DNS Domain Lookup"; content:"|10|grams7enufi7jmdl"; nocase; fast_pattern; classtype:policy-violation; sid:2018406; rev:4; metadata:created_at 2014_04_22, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoExec Macro"; flow:established,to_client; file_data; content:"A|00|u|00|t|00|o|00|E|00|x|00|e|00|c"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019614; rev:3; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Office Document Download Containing AutoOpen Macro"; flow:established,to_client; file_data; content:!"oct8ne"; content:"A|00|u|00|t|00|o|00|O|00|p|00|e|00|n"; nocase; fast_pattern; reference:url,support.microsoft.com/kb/286310; classtype:policy-violation; sid:2019613; rev:4; metadata:created_at 2014_10_31, updated_at 2019_10_08;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .net"; dns.query; content:".ddns.net"; nocase; isdataat:!1,relative; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028675; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddnsking .com"; dns.query; content:".ddnsking.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028676; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.3utilities .com"; dns.query; content:".3utilities.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028677; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_12;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.bounceme .net"; dns.query; content:".bounceme.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028678; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .net"; dns.query; content:".freedynamicdns.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028679; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.freedynamicdns .org"; dns.query; content:".freedynamicdns.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028680; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hopto .org"; dns.query; content:".hopto.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028681; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myftp .org"; dns.query; content:".myftp.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028684; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myvnc .com"; dns.query; content:".myvnc.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028685; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.onthewifi .com"; dns.query; content:".onthewifi.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028686; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.redirectme .net"; dns.query; content:".redirectme.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028687; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servebeer .com"; dns.query; content:".servebeer.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028688; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveblog .net"; dns.query; content:".serveblog.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028689; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servecounterstrike .com"; dns.query; content:".servecounterstrike.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028690; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveftp .com"; dns.query; content:".serveftp.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028691; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servegame .com"; dns.query; content:".servegame.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028692; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehalflife .com"; dns.query; content:".servehalflife.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028693; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehttp .com"; dns.query; content:".servehttp.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028694; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveirc .com"; dns.query; content:".serveirc.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028695; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveminecraft .net"; dns.query; content:".serveminecraft.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servemp3 .com"; dns.query; content:".servemp3.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028697; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servepics .com"; dns.query; content:".servepics.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028698; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servequake .com"; dns.query; content:".servequake.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028699; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.viewdns .net"; dns.query; content:".viewdns.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028701; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.webhop .me"; dns.query; content:".webhop.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028702; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.zapto .org"; dns.query; content:".zapto.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028703; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.access .ly"; dns.query; content:".access.ly"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028704; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.blogsyte .com"; dns.query; content:".blogsyte.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028705; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.brasilia .me"; dns.query; content:".brasilia.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028706; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.cable-modem .org"; dns.query; content:".cable-modem.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028707; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ciscofreak .com"; dns.query; content:".ciscofreak.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028708; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.collegefan .org"; dns.query; content:".collegefan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028709; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.couchpotatofries .org"; dns.query; content:".couchpotatofries.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028710; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.damnserver .com"; dns.query; content:".damnserver.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028711; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ddns .me"; dns.query; content:".ddns.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028712; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ditchyourip .com"; dns.query; content:".ditchyourip.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028713; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dnsfor .me"; dns.query; content:".dnsfor.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028714; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dnsiskinky .com"; dns.query; content:".dnsiskinky.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028715; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dvrcam .info"; dns.query; content:".dvrcam.info"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028716; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.dynns .com"; dns.query; content:".dynns.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028717; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.eating-organic .net"; dns.query; content:".eating-organic.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028718; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.fantasyleague .cc"; dns.query; content:".fantasyleague.cc"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028719; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.geekgalaxy .com"; dns.query; content:".geekgalaxy.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028720; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.golffan .us"; dns.query; content:".golffan.us"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028721; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.health-carereform .com"; dns.query; content:".health-carereform.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028722; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.homesecuritymac .com"; dns.query; content:".homesecuritymac.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028723; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.homesecuritypc .com"; dns.query; content:".homesecuritypc.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028724; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hosthampster .com"; dns.query; content:".hosthampster.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028725; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.hopto .me"; dns.query; content:".hopto.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028726; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ilovecollege .info"; dns.query; content:".ilovecollege.info"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028727; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.loginto .me"; dns.query; content:".loginto.me"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028728; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mlbfan .org"; dns.query; content:".mlbfan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028729; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mmafan .biz"; dns.query; content:".mmafan.biz"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028730; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myactivedirectory .com"; dns.query; content:".myactivedirectory.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028731; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mydissent .net"; dns.query; content:".mydissent.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028732; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.myeffect .net"; dns.query; content:".myeffect.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028733; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mymediapc .net"; dns.query; content:".mymediapc.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028734; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mypsx .net"; dns.query; content:".mypsx.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028735; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .com"; dns.query; content:".mysecuritycamera.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028736; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .net"; dns.query; content:".mysecuritycamera.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028737; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.mysecuritycamera .org"; dns.query; content:".mysecuritycamera.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028738; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.net-freaks .com"; dns.query; content:".net-freaks.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028739; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.nflfan .org"; dns.query; content:".nflfan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028740; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.nhlfan .net"; dns.query; content:".nhlfan.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028741; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.pgafan .net"; dns.query; content:".pgafan.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028742; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.point2this .com"; dns.query; content:".point2this.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028743; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.pointto .us"; dns.query; content:".pointto.us"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028744; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.privatizehealthinsurance .net"; dns.query; content:".privatizehealthinsurance.net"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028745; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.quicksytes .com"; dns.query; content:".quicksytes.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028746; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.read-books .org"; dns.query; content:".read-books.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028747; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.securitytactics .com"; dns.query; content:".securitytactics.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028748; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.serveexchange .com"; dns.query; content:".serveexchange.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028749; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servehumour .com"; dns.query; content:".servehumour.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028750; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servep2p .com"; dns.query; content:".servep2p.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028751; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.servesarcasm .com"; dns.query; content:".servesarcasm.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028752; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.stufftoread .com"; dns.query; content:".stufftoread.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028753; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.ufcfan .org"; dns.query; content:".ufcfan.org"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028754; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.unusualperson .com"; dns.query; content:".unusualperson.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028755; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS Domain *.workisboring .com"; dns.query; content:".workisboring.com"; nocase; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains; classtype:bad-unknown; sid:2028756; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2019_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; http.uri; content:"/dns/dnslookup?la=en&host="; fast_pattern; content:"&type=A&submit=Resolve"; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0.1|3b 20|"; depth:37; content:"WININET 5.0)"; isdataat:!1,relative; http.host; content:"www.dnswatch.info"; classtype:trojan-activity; sid:2014359; rev:8; metadata:created_at 2012_03_10, updated_at 2019_10_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; http.user_agent; content:"Java/"; nocase; pcre:"/^\d\d?\.\d/Ri"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:13; metadata:created_at 2010_07_30, updated_at 2019_10_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TOR Consensus Data Requested"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tor/status-vote/current/consensus"; depth:34; classtype:policy-violation; sid:2028914; rev:1; metadata:attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2019_10_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - free .ipwhois .io"; flow:established,to_server; http.method; content:"GET"; http.host; content:"free.ipwhois.io"; fast_pattern; classtype:external-ip-check; sid:2029185; rev:2; metadata:created_at 2019_12_20, former_category POLICY, tag IP_address_lookup_website, updated_at 2019_12_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (whois .pconline .com .cn)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"whois.pconline.com.cn"; fast_pattern; classtype:external-ip-check; sid:2029243; rev:2; metadata:created_at 2020_01_09, former_category POLICY, performance_impact Low, updated_at 2020_01_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to IP Logging Service (2no .co)"; flow:established,to_server; http.host; content:"2no.co"; bsize:6; classtype:policy-violation; sid:2029299; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_01_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GeoIP Lookup (nydus.battle.net)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:6; content:"/geoip"; http.host; bsize:16; content:"nydus.battle.net"; fast_pattern; reference:md5,446bed079ec0179e82eab6710d55155f; classtype:policy-violation; sid:2029324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_01_28;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY ABBCCoin Checkin"; flow:to_server,established; content:"_version"; within:14; content:"ABBCCoin"; within:150; fast_pattern; reference:md5,77ec579347955cfa32f219386337f5bb; classtype:misc-activity; sid:2029422; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_02_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (avast .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip-info.ff.avast.com"; fast_pattern; classtype:policy-violation; sid:2029575; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mattermost API Usage"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/v4/teams/name/"; http.header; content:"|0d 0a|Authorization|3a 20|Bearer|20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; reference:md5,df7e78609dd63fe9f3be87be0e2420fa; classtype:misc-activity; sid:2029599; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_03_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipify .org)"; flow:established,to_server; http.uri; content:"/?format="; depth:9; http.host; content:"api.ipify.org"; depth:13; endswith; fast_pattern; classtype:policy-violation; sid:2029622; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbpcstatf.stat"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c|LV|08|qbpcstatf|04|stat|7d 00|"; fast_pattern; content:"|05|crypt|18 00|"; distance:0; content:"|01 06 0a|list|3c|char|3e|"; distance:0; threshold:type limit, track by_src, count 1, seconds 60; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029632; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY QQ Browser WUP Request - qbkpireportbakf.stat"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3c|LV|0e|qbkpireportbakf|04|stat|7d 00|"; fast_pattern; content:"|05|crypt|18 00|"; distance:0; content:"|01 06 0a|list|3c|char|3e|"; distance:0; threshold:type limit, track by_src, count 1, seconds 60; reference:url,citizenlab.ca/2016/03/privacy-security-issues-qq-browser/; classtype:policy-violation; sid:2029633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_03_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed DeepFreezeWeb User-Agent"; flow:established,to_server; http.user_agent; content:"DeepFreezeWeb"; bsize:13; classtype:policy-violation; sid:2029912; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_04_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (ip. jsontest .com)"; flow:to_server,established; http.host; content:"ip.jsontest.com"; bsize:15; classtype:external-ip-check; sid:2029923; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_16, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_04_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; http.method; content:"PUT"; http.header; content:"user-agent|3a|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:3; metadata:created_at 2011_03_16, updated_at 2020_04_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"GPL POLICY Sun JavaServer default password login attempt"; flow:to_server,established; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; http.uri; content:"/servlet/admin"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:2101859; rev:8; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default password login attempt"; flow:to_server,established; http.header; content:"Authorization|3a 20|OmFkbWlu"; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101860; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"GPL POLICY Linksys router default username and password login attempt"; flow:to_server,established; http.header; content:"Authorization|3a 20|YWRtaW46YWRtaW4"; nocase; reference:nessus,10999; classtype:default-login-attempt; sid:2101861; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Inbox Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/InboxLight.aspx"; depth:21; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008238; classtype:policy-violation; sid:2008238; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Message Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/ReadMessageLight.aspx"; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008239; classtype:policy-violation; sid:2008239; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Compose Message Access"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/EditMessageLight.aspx"; http.header; content:"mail.live.com"; nocase; reference:url,doc.emergingthreats.net/2008240; classtype:policy-violation; sid:2008240; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hotmail Access Full Mode"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mail/ApplicationMain"; http.header; content:"mail.live.com"; reference:url,doc.emergingthreats.net/2008242; classtype:policy-violation; sid:2008242; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+
+alert http any any -> any any (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; http.request_body; content:"log="; content:"&pwd="; content:"&wp-submit="; classtype:policy-violation; sid:2012843; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_25, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Wordpress, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Smilebox Software/Adware Checkin"; flow:established,to_server; http.uri; content:"/trackClientAction.jsp?beacon="; content:"&os="; content:"&partner="; reference:url,www.smilebox.com/privacy-policy.html; classtype:policy-violation; sid:2012933; rev:4; metadata:created_at 2011_06_06, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY StumbleUpon Submission Detected"; flow:established,to_server; threshold: type both, count 2, seconds 300, track by_src; http.header; content:"X-SU-Version|3a 20|"; classtype:policy-violation; sid:2013013; rev:4; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTMLGET User Agent Detected - Often Linux utility based"; flow:established,to_server; http.header; content:"User-Agent|3a 20|HTMLGET "; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013018; rev:6; metadata:created_at 2011_06_13, updated_at 2020_04_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.uri; content:"/api/work/getwork?"; depth:18; http.header; content:"bitcoinplus.com"; classtype:coin-mining; sid:2013059; rev:4; metadata:created_at 2011_06_17, former_category POLICY, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Music Streaming"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stream?id="; http.header; content:"googleusercontent.com|0d 0a|"; reference:url,music.google.com/about; classtype:policy-violation; sid:2012935; rev:7; metadata:created_at 2011_06_06, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"/softwareProductLink?"; content:"productSetId="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:3; metadata:created_at 2011_08_24, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; http.uri; content:"/WiPlayer?movieid="; http.host; content:"movies.netflix.com"; bsize:18; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:3; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; http.user_agent; content:"Software Update|2F|"; startswith; content:"|20|Darwin|2F|"; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:4; metadata:created_at 2011_08_31, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device"; flow:established,to_server; threshold:type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 (iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013336; rev:5; metadata:created_at 2011_07_30, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Request to Suspicious Games at pcgame.gamedia.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|html|3f|GameID|3d|0|2c|Path|3d|c|3a|"; classtype:policy-violation; sid:2013400; rev:8; metadata:created_at 2011_08_11, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; http.host; content:".dlinkddns.com"; endswith; classtype:bad-unknown; sid:2013311; rev:4; metadata:created_at 2011_07_26, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY APT User-Agent to BackTrack Repository"; flow:established,to_server; http.user_agent; content:"Ubuntu APT-HTTP|2F|"; startswith; http.host; content:"repository.backtrack-linux.org"; within:40; reference:url,www.backtrack-linux.org; classtype:targeted-activity; sid:2013914; rev:5; metadata:created_at 2011_11_16, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel login"; flow:to_server,established; http.uri; content:"/password.cgi?sptPassword="; classtype:not-suspicious; sid:2013919; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY external cPanel password change"; flow:to_server,established; http.request_body; content:"pwdOld="; content:"pwNew="; content:"pwCfm="; classtype:not-suspicious; sid:2013920; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GridinSoft.com Software Version Check"; flow:established,to_server; http.header; content:"User-Agent|3A 20|GridinSoft"; classtype:trojan-activity; sid:2013719; rev:4; metadata:created_at 2011_10_01, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports"; flow:established,to_server; http.uri; content:"/friendship/email_thank_you.php?"; nocase; content:"folder_id="; nocase; content:"&params_count="; nocase; content:"&nick_name="; nocase; content:"&user_email="; nocase; content:"&user_uin="; nocase; content:"&friend_nickname="; nocase; content:"&friend_contact="; nocase; reference:url,doc.emergingthreats.net/2008351; classtype:policy-violation; sid:2008351; rev:5; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer POSTing Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/bootstrap.php"; http.host; content:".smartiengine.com"; endswith; classtype:policy-violation; sid:2014124; rev:5; metadata:created_at 2012_01_12, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Web Crawl - libwww-perl User Agent"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"libwww-perl/"; fast_pattern; reference:url,www.linpro.no/lwp/; reference:url,doc.emergingthreats.net/2002935; classtype:attempted-recon; sid:2002935; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Being Uploaded to SendSpace File Hosting Site"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"processupload.html"; http.host; content:".sendspace.com"; endswith; fast_pattern; classtype:misc-activity; sid:2014202; rev:3; metadata:created_at 2012_02_07, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passwd= in cleartext"; flow:established,to_server; http.request_body; content:"passwd="; nocase; classtype:policy-violation; sid:2012886; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY HTTP POST contains pass= in cleartext"; flow:established,to_server; http.request_body; content:"pass="; nocase; classtype:policy-violation; sid:2012887; rev:4; metadata:created_at 2011_05_30, former_category POLICY, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pwd= in cleartext"; flow:established,to_server; http.request_body; content:"pwd="; nocase; classtype:policy-violation; sid:2012888; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains passphrase= in cleartext"; flow:established,to_server; http.request_body; content:"passphrase="; nocase; classtype:policy-violation; sid:2012890; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pword= in cleartext"; flow:established,to_server; http.request_body; content:"pword="; nocase; classtype:policy-violation; sid:2012891; rev:4; metadata:created_at 2011_05_30, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; http.uri; content:"/getip.php?action=getip&ip_url="; classtype:external-ip-check; sid:2014292; rev:3; metadata:created_at 2012_02_29, former_category POLICY, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Coral Web Proxy/Content Distribution Net Use"; flow:to_server,established; http.host; content:".nyud.net"; endswith; reference:url,en.wikipedia.org/wiki/Coral_Content_Distribution_Network; classtype:policy-violation; sid:2014332; rev:2; metadata:created_at 2012_03_07, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v"; content:"/?v="; content:"&c="; pcre:"/\/v\d\.\d\.\d/"; pcre:"/\/\?v=\d/"; classtype:trojan-activity; sid:2013888; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious User Agent UpdateSoft"; flow:established,to_server; http.header; content:"User-Agent|3A 20|UpdateSoft"; reference:md5,254efc77c18eb2f427d2a3920e07c2e8; classtype:trojan-activity; sid:2014345; rev:4; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY eBook Generator User-Agent (EBook)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|EBook|0d 0a|"; reference:url,malwr.com/analysis/a04b28e21adc70837eb7de811556ff4e/; reference:url,www.ebookgenerator.com/; classtype:policy-violation; sid:2014576; rev:3; metadata:created_at 2012_04_16, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $HOME_NET any (msg:"ET POLICY Dlink Soho Router Config Page Access Attempt"; flow:established,to_server; http.uri; content:"/dlink/hwiz.html"; reference:url,doc.emergingthreats.net/2008942; classtype:attempted-admin; sid:2008942; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|SnadBoy"; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:5; metadata:created_at 2012_03_09, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Getting External IP Address - ip2city.asp"; flow:established,to_server; http.uri; content:"/ip2city.asp"; classtype:external-ip-check; sid:2014761; rev:3; metadata:created_at 2012_05_17, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; http.header; content:"Server|3A 20|DynDNS-CheckIP/"; classtype:external-ip-check; sid:2014932; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/LavaGame_"; nocase; content:".exe"; nocase; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:8; metadata:created_at 2012_01_02, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"geoiptool.com"; endswith; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:4; metadata:created_at 2012_07_21, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker Software Manager request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rest/"; content:"Report?"; fast_pattern; content:"Id="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2013454; rev:4; metadata:created_at 2011_08_24, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY iTunes User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"iTunes"; nocase; depth:6; reference:url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/; reference:url,doc.emergingthreats.net/2002878; classtype:policy-violation; sid:2002878; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Norton Update User-Agent (Install Stub)"; flow:to_server,established; http.host; content:"stats.norton.com"; endswith; http.user_agent; content:"Install Stub"; depth:12; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; classtype:trojan-activity; sid:2013882; rev:6; metadata:created_at 2011_11_08, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Wise"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771; reference:url,doc.emergingthreats.net/2002167; classtype:trojan-activity; sid:2002167; rev:19; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"|20|yum|2F|"; reference:url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/; classtype:policy-violation; sid:2013505; rev:4; metadata:created_at 2011_09_02, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Proxy TRACE Request - inbound"; flow: to_server,established; http.method; content:"TRACE"; nocase; reference:url,doc.emergingthreats.net/2010766; classtype:bad-unknown; sid:2010766; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AOL Toolbar User-Agent (AOLToolbar)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|AOLToolbar"; reference:url,doc.emergingthreats.net/bin/view/Main/2003469; classtype:policy-violation; sid:2003469; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY ApacheBenchmark Tool User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"User-Agent|3a 20|ApacheBench"; nocase; reference:url,httpd.apache.org/docs/2.0/programs/ab.html/; reference:url,doc.emergingthreats.net/2010725; classtype:attempted-recon; sid:2010725; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer)"; flow:established,to_server; http.user_agent; content:"Carbonite Installer"; nocase; depth:19; reference:url,doc.emergingthreats.net/2009801; classtype:policy-violation; sid:2009801; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent Recuva (Recuva)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Recuva"; reference:url,doc.emergingthreats.net/2011090; reference:url,www.piriform.com/; classtype:trojan-activity; sid:2011090; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY VMware User-Agent Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|vmware"; reference:url,www.vmware.com; classtype:policy-violation; sid:2013749; rev:6; metadata:created_at 2011_10_11, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BingBar ToolBar User-Agent (BingBar)"; flow:established,to_server; http.user_agent; content:"BingBar"; depth:7; classtype:policy-violation; sid:2013715; rev:5; metadata:created_at 2011_10_01, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; http.user_agent; content:"ZDM/4.0|3B| Windows Mobile 7.0|3B|"; depth:28; classtype:not-suspicious; sid:2013784; rev:7; metadata:created_at 2011_10_20, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; http.user_agent; content:"APT-HTTP|2F|"; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:6; metadata:created_at 2011_08_31, former_category POLICY, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2"; flow:to_server,established; http.user_agent; content:"AskTb"; depth:5; classtype:policy-violation; sid:2015757; rev:3; metadata:attack_target Client_Endpoint, created_at 2012_10_04, deployment Perimeter, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"heritrix"; nocase; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:5; metadata:created_at 2012_10_12, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; http.user_agent; content:"poclbm/"; nocase; startswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016068; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY trymedia.com User-Agent (Macrovision_DM)"; flow:established,to_server; http.host; content:"trymedia.com"; endswith; http.user_agent; content:"Macrovision_DM"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Crawl using Fetch"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"fetch"; depth:50; nocase; reference:url,gobsd.com/code/freebsd/lib/libfetch; reference:url,doc.emergingthreats.net/2002827; classtype:attempted-recon; sid:2002827; rev:12; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User Agent Ryeol HTTP Client Class"; flow:established,to_server; http.user_agent; content:"Ryeol HTTP Client Class"; classtype:trojan-activity; sid:2013387; rev:5; metadata:created_at 2011_08_10, updated_at 2020_04_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; http.user_agent; content:"|3b 20|Silk/"; pcre:"/^\d+\.\d/R"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:5; metadata:created_at 2012_01_04, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myrahost/list.aspx?"; nocase; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSISDL Iplookup.php IPCheck"; flow:established,to_server; http.uri; content:"/iplookup.php"; fast_pattern; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; classtype:policy-violation; sid:2016744; rev:6; metadata:created_at 2013_04_09, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 2."; nocase; classtype:policy-violation; sid:2016873; rev:6; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 3."; nocase; classtype:policy-violation; sid:2016872; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/0."; nocase; classtype:policy-violation; sid:2016875; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/1."; nocase; classtype:policy-violation; sid:2016876; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Firefox/2."; nocase; classtype:policy-violation; sid:2016877; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 4."; nocase; classtype:policy-violation; sid:2016878; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" Windows NT 5.0"; nocase; classtype:policy-violation; sid:2016879; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:" MSIE 1."; nocase; classtype:policy-violation; sid:2016874; rev:5; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ProtocolGW/protocol/"; nocase; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/i"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:7; metadata:created_at 2011_06_16, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; http.uri; content:"/PirateBrowser"; content:".exe"; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:3; metadata:created_at 2013_08_15, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CNET TechTracker User-Agent (CNET TechTracker)"; flow:established,to_server; http.user_agent; content:"CNET TechTracker"; reference:url,www.cnet.com/techtracker-free/; classtype:policy-violation; sid:2014574; rev:5; metadata:created_at 2012_04_16, updated_at 2020_04_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Connection From Cisco IOS Device"; flow:established,to_server; http.header; content:"User-Agent|3a 20|cisco-IOS"; nocase; classtype:misc-activity; sid:2014201; rev:4; metadata:created_at 2012_02_07, updated_at 2020_04_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Web Crawl using Wget"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"Wget"; nocase; reference:url,www.gnu.org/software/wget/; reference:url,doc.emergingthreats.net/2002823; classtype:attempted-recon; sid:2002823; rev:13; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_04_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 360, track by_src; http.user_agent; content:"(compatible|3b| Google Desktop)"; fast_pattern; nocase; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:15; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; flowbits:set,ET.autoit.ua; http.header; content:"User-Agent|3a 20|AutoIt"; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; http.header; content:"X-Stratum|3A|"; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:coin-mining; sid:2017960; rev:3; metadata:created_at 2014_01_12, former_category POLICY, updated_at 2020_04_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY InstallIQ Updater Software request"; flow:to_server,established; http.uri; content:"/api/detectionrequest.aspx?keyid=1&shortname="; content:"&langid="; http.host; content:".installiq.com"; endswith; classtype:policy-violation; sid:2018222; rev:4; metadata:created_at 2012_02_13, updated_at 2020_04_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; http.header; content:"User-Agent|3A 20|toys|3A 3A|file"; reference:md5,6b712c6dbc3cd87bbaeb955ea1d2d24f; classtype:trojan-activity; sid:2014341; rev:4; metadata:created_at 2012_03_09, updated_at 2020_04_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iplookup/iplookup.php?format="; fast_pattern; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:external-ip-check; sid:2019126; rev:3; metadata:created_at 2014_09_05, former_category POLICY, updated_at 2020_05_04;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Observed iesnare/iovation Tracking Activity"; flow:established,to_server; dsize:22; content:"|47 45 54 20 2f 73 70 61 63 65 20 20 48 54 54 50 2f 31 2e 30 0a 0a|"; classtype:policy-violation; sid:2030113; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/auto_update/HideMyIP/update.dat"; nocase; classtype:policy-violation; sid:2011311; rev:6; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cz.cc domain"; flow:to_server,established; http.host; content:".cz.cc"; endswith; classtype:bad-unknown; sid:2011375; rev:5; metadata:created_at 2010_09_28, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.gv.vg domain"; flow:established,to_server; http.host; content:".gv.vg"; endswith; classtype:bad-unknown; sid:2012542; rev:6; metadata:created_at 2011_03_24, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ce.ms domain"; flow:established,to_server; http.host; content:".ce.ms"; endswith; classtype:bad-unknown; sid:2012593; rev:6; metadata:created_at 2011_03_29, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cw.cm domain"; flow:established,to_server; http.host; content:".cw.cm"; endswith; classtype:bad-unknown; sid:2012737; rev:5; metadata:created_at 2011_04_28, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.ae.am domain"; flow:to_server,established; http.host; content:".ae.am"; endswith; classtype:bad-unknown; sid:2012896; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.noc.su domain"; flow:to_server,established; http.host; content:".noc.su"; endswith; classtype:bad-unknown; sid:2012897; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.be.ma domain"; flow:to_server,established; http.host; content:".be.ma"; endswith; classtype:bad-unknown; sid:2012898; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.qc.cx domain"; flow:to_server,established; http.host; content:".qc.cx"; endswith; classtype:bad-unknown; sid:2012899; rev:4; metadata:created_at 2011_05_31, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Illegal Drug Sales Site (SilkRoad)"; flow:established,to_server; http.host; content:"ianxz6zefk72ulzz.onion"; endswith; classtype:policy-violation; sid:2013015; rev:4; metadata:created_at 2011_06_13, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.be domain"; flow: to_server,established; http.host; content:".co.be"; endswith; classtype:bad-unknown; sid:2013123; rev:6; metadata:created_at 2011_06_29, updated_at 2020_05_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (moanmyip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moanmyip.com"; fast_pattern; classtype:policy-violation; sid:2030126; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_07;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Oracle T3 Requests Inbound"; flow:established,to_server; content:"t3|20|"; startswith; content:"|0a|AS|3a|"; distance:0; fast_pattern; content:"|0a|HL|3a|"; distance:0; content:"|0a 0a|"; endswith; classtype:policy-violation; sid:2030129; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable Version (12.2.1)"; flow:established,from_server; content:"HELO|3a|12.2.1"; startswith; fast_pattern; classtype:policy-violation; sid:2030130; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable Version (10.3.6)"; flow:established,from_server; content:"HELO|3a|10.3.6"; startswith; fast_pattern; classtype:policy-violation; sid:2030131; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET POLICY Oracle T3 Response with CVE-2020-2551 Vulnerable Version (12.1.3)"; flow:established,from_server; content:"HELO|3a|12.1.3"; startswith; fast_pattern; classtype:policy-violation; sid:2030132; rev:2; metadata:attack_target Server, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (ipchicken .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ipchicken.com"; fast_pattern; classtype:policy-violation; sid:2030137; rev:1; metadata:created_at 2020_05_08, updated_at 2020_05_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (address .works)"; flow:to_server,established; http.host; content:"address.works"; endswith; fast_pattern; classtype:policy-violation; sid:2030152; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_11;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Check Domain Domain (address .works in TLS SNI)"; flow:established,to_server; tls.sni; content:"address.works"; bsize:13; classtype:policy-violation; sid:2030153; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_05_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (HEAD)"; flow:to_server,established; http.method; content:"HEAD"; classtype:bad-unknown; sid:2013927; rev:5; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PROPFIND)"; flow:to_server,established; http.method; content:"PROPFIND"; classtype:bad-unknown; sid:2013928; rev:5; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (POST)"; flow:to_server,established; http.method; content:"POST"; http.header; content:!".etrade.com|3a|443|0d 0a|"; classtype:bad-unknown; sid:2013926; rev:9; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (DELETE)"; flow:to_server,established; http.method; content:"DELETE"; classtype:bad-unknown; sid:2013931; rev:4; metadata:created_at 2011_11_18, updated_at 2020_05_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY 2Downloadz.com File Sharing User-Agent"; flow:established,to_server; http.user_agent; content:"2Downloadz.com Agent"; depth:20; classtype:policy-violation; sid:2019366; rev:4; metadata:created_at 2014_10_08, updated_at 2020_05_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to Lockbit Ransomware Payment Domain"; flow:established,to_server; http.host; content:"lockbit-decryptor.com"; endswith; fast_pattern; classtype:trojan-activity; sid:2030166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_14, deployment Perimeter, former_category POLICY, malware_family LockBit, signature_severity Major, tag Ransomware, updated_at 2020_05_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check ip-addr.es"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip-addr.es"; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020105; rev:3; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible IP Check curlmyip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"curlmyip.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; classtype:trojan-activity; sid:2020106; rev:3; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Terse Named Filename EXE Download - Possibly Hostile"; flow:established,to_client; http.header; content:"filename="; content:".exe"; within:8; fast_pattern; pcre:"/filename\x3d[\x27\x22][a-z0-9]{1,3}\x2Eexe/i"; classtype:trojan-activity; sid:2020202; rev:3; metadata:created_at 2015_01_16, updated_at 2020_05_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Retrieving reseed info"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/netdb/"; nocase; depth:7; fast_pattern; http.user_agent; content:"Wget/1.11.4"; bsize:11; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:policy-violation; sid:2019898; rev:4; metadata:created_at 2014_12_09, updated_at 2020_05_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Activation"; flow:established,to_server; http.uri; content:"activation_api.php?"; http.user_agent; content:"ActivationRequestSendingSession"; fast_pattern; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020578; rev:3; metadata:created_at 2015_02_27, updated_at 2020_05_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Checkin"; flow:established,to_server; http.uri; content:"/safecontent.php?"; http.user_agent; content:"Mozilla/5.0 (Windows|3b| U|3b| MSIE 7.0|3b| Windows NT 6.0|3b| en-US)"; fast_pattern; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020579; rev:3; metadata:created_at 2015_02_27, updated_at 2020_05_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pandora Usage"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 3600; http.method; content:"POST"; http.uri; content:"/radio/xmlrpc/"; http.host; content:"pandora.com"; endswith; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:4; metadata:created_at 2012_07_03, updated_at 2020_05_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Remote Access - RView - Host - *.rview.com"; flow:established,to_server; http.host; content:".rview.com"; endswith; classtype:policy-violation; sid:2020804; rev:4; metadata:created_at 2015_03_31, updated_at 2020_05_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - Bravica"; flow:established,to_server; http.method; content:"POST"; http.host; content:"www.bravica.net"; bsize:15; http.request_body; content:"name="; content:"&cmd="; distance:0; classtype:external-ip-check; sid:2020830; rev:5; metadata:created_at 2015_04_02, former_category POLICY, updated_at 2020_05_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip-whois"; flow:established,to_server; http.host; content:"ip-whois.net"; bsize:12; classtype:external-ip-check; sid:2020831; rev:5; metadata:created_at 2015_04_02, former_category POLICY, updated_at 2020_05_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".jpg"; endswith; content:!"upload.wikimedia.org"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:11; metadata:created_at 2010_07_30, updated_at 2020_05_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Timezone Check (earthtools.org)"; flow:established,to_server; http.uri; content:"/timezone/"; depth:10; http.host; content:"www.earthtools.org"; bsize:18; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:policy-violation; sid:2021120; rev:3; metadata:created_at 2015_05_20, updated_at 2020_05_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Xpopup Instant Messenger Downloading Configuration"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/xpopinfo.dat"; fast_pattern; http.user_agent; content:"Mozilla/4.1 (compatible|3b 20|"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c7abe2297ee64362e33584f9f654ebd; classtype:policy-violation; sid:2021205; rev:5; metadata:created_at 2015_06_09, updated_at 2020_05_22;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion . ly)"; dns.query; content:".onion.ly"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2030215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_05_26;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY .onion.ly Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.ly"; fast_pattern; classtype:policy-violation; sid:2030216; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Proxy Server Lookup (nntime)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"nntime.com"; bsize:10; reference:md5,a09f817656ca4336581140fe81921f71; classtype:misc-activity; sid:2030230; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_05_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hola VPN Activity - X-Hola-* Headers"; flow:established,to_server; threshold:type limit,track by_src,seconds 300,count 1; http.header; content:"|0d 0a|X-Hola-"; classtype:policy-violation; sid:2021886; rev:3; metadata:created_at 2015_10_02, updated_at 2020_06_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (OPTIONS)"; flow:to_server,established; http.method; content:"OPTIONS"; classtype:bad-unknown; sid:2013929; rev:6; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (TRACE)"; flow:to_server,established; http.method; content:"TRACE"; classtype:bad-unknown; sid:2013932; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (PUT)"; flow:to_server,established; http.method; content:"PUT"; classtype:bad-unknown; sid:2013930; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; http.method; content:"CONNECT"; classtype:bad-unknown; sid:2013933; rev:5; metadata:created_at 2011_11_18, updated_at 2020_06_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TeamViewer Dyngate User-Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 120, track by_src; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|DynGate)"; fast_pattern; depth:43; reference:url,www.teamviewer.com/index.aspx; reference:url,doc.emergingthreats.net/2009475; classtype:policy-violation; sid:2009475; rev:12; metadata:created_at 2010_07_30, updated_at 2020_06_02;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Potential Spyware Domain (app .hubstaff .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"app.hubstaff.com"; bsize:16; classtype:policy-violation; sid:2030248; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022533; rev:3; metadata:created_at 2016_02_17, updated_at 2020_06_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY COCCOC Browser (VN) Installed"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Coccoc Update/"; startswith; http.uri; content:"/service/update"; http.host; content:"browser.coccoc.com"; reference:md5,332d6a746c3107910df1345d887f99ee; classtype:not-suspicious; sid:2030402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_26, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_06_26;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY LumOffice Uploading Screenshot"; flow:established,to_server; http.request_line; content:"POST /SMService001.asx HTTP/1.1"; bsize:32; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/PushScreen|22|"; http.request_body; content:"<soap:Body><PushScreen "; content:"<accountID>"; content:"</accountID><activityID>"; content:"</activityID><time>"; content:"</time><screen>/9j/"; fast_pattern; reference:md5,084995c3cdee01147226542eb63de872; reference:url,lumoffice.com/; classtype:policy-violation; sid:2030408; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_06_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows Quicktime User-Agent EOL With Known Bugs"; flow:established,to_server; threshold: type limit, count 1, seconds 600, track by_src; http.user_agent; content:"QuickTime"; content:"os=Windows NT"; fast_pattern; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA16-105A; classtype:policy-violation; sid:2022738; rev:4; metadata:created_at 2016_04_18, updated_at 2020_06_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022342; rev:4; metadata:created_at 2016_01_08, updated_at 2020_06_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY go-external-ip library User-Agent"; flow:established,to_server; http.user_agent; content:"go-external-ip (github.com/glendc/go-external-ip)"; threshold: type limit, track by_src, count 1, seconds 5; reference:md5,f33271282bc9aadadf2eff4bc0bad8a4; classtype:external-ip-check; sid:2030468; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_07_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY CommandCam Download"; flow:established,to_client; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"CommandCam "; fast_pattern; reference:url,github.com/tedburke/CommandCam; classtype:policy-violation; sid:2030474; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_07_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible SQLi Attempt in User Agent (Outbound)"; flow:established,from_client; http.user_agent; content:"select"; nocase; fast_pattern; content:"from"; nocase; within:20; pcre:"/select[^\r\n]+from/i"; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022815; rev:3; metadata:created_at 2016_05_17, updated_at 2020_07_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST to MEGA Userstorage"; flow:established,to_server; http.method; content:"POST"; http.host; content:".userstorage.mega.co.nz"; endswith; fast_pattern; classtype:policy-violation; sid:2030504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, signature_severity Informational, updated_at 2020_11_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY EXE File Downloaded from Discord"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/attachments/"; depth:13; content:".exe"; endswith; http.host; content:".discordapp.com"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:misc-activity; sid:2030575; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_22, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Major, updated_at 2020_07_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.header; content:!"X-Trend-ActiveUpdate"; content:!"HTTrack"; http.user_agent; content:"Windows 98"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:22; metadata:created_at 2010_07_30, updated_at 2020_07_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY XenArmor Password Recovery License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xen-check-portable-license.php?key="; fast_pattern; http.user_agent; content:"Software License Checker"; bsize:24; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2030616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup - b4secure .com"; flow:established,to_server; urilen:12; http.uri; content:"/index.shtml"; http.host; content:"b4secure.com"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors/; classtype:external-ip-check; sid:2023469; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_31, former_category POLICY, malware_family Emissary, malware_family Lotus_Blossom, signature_severity Informational, updated_at 2020_08_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; http.server; content:"dbws"; bsize:4; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:10; metadata:created_at 2012_03_06, updated_at 2020_08_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Hamas Terrorist Propaganda TV Channel (aqsatv.ps)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"aqsatv.ps"; startswith; reference:url,nctc.gov/site/groups/hamas.html; classtype:policy-violation; sid:2023874; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Lookup Geoip.co.uk"; flow:established,to_server; urilen:1; http.host; content:"www.geoip.co.uk"; startswith; reference:md5,fa05d4f1558a9581a14936c0ab3723f7; classtype:external-ip-check; sid:2022123; rev:3; metadata:created_at 2015_11_20, updated_at 2020_08_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.tv domain"; flow:to_server,established; http.host; content:".co.tv"; endswith; classtype:bad-unknown; sid:2012955; rev:5; metadata:created_at 2011_06_08, updated_at 2020_08_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Hide IP Installation file download"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/proxyshell_hide_ip_setup.exe"; nocase; reference:url,www.browserdefender.com/file/484661/site/putas18.info/; reference:url,doc.emergingthreats.net/2010792; classtype:policy-violation; sid:2010972; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible ProxyShell Anonymous Access Connection"; flow:established,to_server; http.uri; content:"/services/get_proxies/"; reference:url,doc.emergingthreats.net/2010969; classtype:policy-violation; sid:2010969; rev:5; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_04;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY External IP Lookup SSL/TLS Certificate (ifconfig .me)"; flow:established,to_client; tls.cert_subject; content:"CN=ifconfig.me"; classtype:external-ip-check; sid:2030666; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_10, deployment Perimeter, signature_severity Minor, updated_at 2020_08_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Mobile Device Posting Phone Number"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"&Phone"; fast_pattern; nocase; content:"Number="; nocase; pcre:"/\x26Phone(Number\x3D|\x5FNumber\x3D|\x2DNumber\x3D)/i"; classtype:policy-violation; sid:2013208; rev:4; metadata:created_at 2011_07_06, former_category MOBILE_MALWARE, updated_at 2020_08_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Address (monip.outils-rezo. info)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/text"; http.host; content:"monip.outils-rezo.info"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2024526; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"imsi="; nocase; classtype:bad-unknown; sid:2012849; rev:5; metadata:created_at 2011_05_25, former_category POLICY, updated_at 2020_08_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup sina.com.cn"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/iplookup.php"; http.host; content:"dpool.sina.com.cn"; fast_pattern; classtype:external-ip-check; sid:2021438; rev:4; metadata:created_at 2015_07_20, former_category POLICY, updated_at 2020_08_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; classtype:not-suspicious; sid:2011540; rev:7; metadata:created_at 2010_09_27, former_category POLICY, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Attempt To Wipmania"; flow:established,to_server; http.host; content:"api.wipmania.com"; reference:md5,b318988249cd8e8629b4ef8a52760b65; classtype:external-ip-check; sid:2014304; rev:5; metadata:created_at 2012_03_05, former_category POLICY, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; http.uri; content:"/app/geoip.js"; fast_pattern; http.host; content:"maxmind.com"; classtype:policy-violation; sid:2015878; rev:4; metadata:created_at 2012_11_13, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Application Crash Report Sent to Microsoft"; flow:established,to_server; http.user_agent; content:"MSDW"; depth:4; http.host; content:"watson.microsoft.com"; classtype:policy-violation; sid:2018170; rev:6; metadata:created_at 2014_02_24, updated_at 2020_08_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-api.com"; flow:established,to_server; http.host; content:"ip-api.com"; classtype:external-ip-check; sid:2022082; rev:4; metadata:created_at 2015_11_13, former_category POLICY, updated_at 2020_08_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup api.ipify.org"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"api.ipify.org"; fast_pattern; reference:md5,79809fd3e05a852581b897cc4b06aa32; classtype:external-ip-check; sid:2021997; rev:4; metadata:created_at 2015_10_23, former_category POLICY, updated_at 2020_08_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client User-Agent"; flow:established,to_server; http.user_agent; content:"DynDNS-Client"; classtype:not-suspicious; sid:2014092; rev:4; metadata:created_at 2012_01_03, updated_at 2020_08_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dyndns Client IP Check"; flow:established,to_server; http.user_agent; content:"DynDNS-Client"; depth:13; http.host; content:"checkip.dyndns."; classtype:not-suspicious; sid:2014091; rev:4; metadata:created_at 2012_01_03, updated_at 2020_08_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.cu.cc domain"; flow:established,to_server; http.host; content:".cu.cc"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:bad-unknown; sid:2013170; rev:6; metadata:created_at 2011_07_02, updated_at 2020_08_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Softango.com Installer Checking For Update"; flow:established,to_server; http.uri; content:"/service/updater.php"; http.host; content:".smartiengine.com"; classtype:policy-violation; sid:2014123; rev:4; metadata:created_at 2012_01_12, updated_at 2020_08_18;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Explorer Shell CLSID COM Object Call Method Inbound via TCP"; flow:established,from_server; content:"explorer.exe|20|"; nocase; content:"shell|3a 3a 3a 7b|"; within:20; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]\x7d/Ri"; classtype:trojan-activity; sid:2027201; rev:3; metadata:created_at 2019_04_15, former_category POLICY, updated_at 2020_08_19;)
+
+alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with TLS Security Protocol Requested"; flow:established,to_server; dsize:<30; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 01 00 00 00|"; within:15; fast_pattern; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027412; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+
+alert tcp $EXTERNAL_NET any -> any 3389 (msg:"ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested"; flow:established,to_server; content:"|00 00|"; offset:1; depth:2; content:"|e0|"; distance:2; within:1; content:"|01 00 08 00 00 00 00 00|"; within:15; fast_pattern; endswith; reference:url,medium.com/@bromiley/what-happens-before-hello-ce9f29fa0cef; classtype:bad-unknown; sid:2027413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+
+#alert udp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] !53 -> $HOME_NET !53 (msg:"ET POLICY Incoming UDP Packet From Amazon EC2 Cloud";  reference:url,doc.emergingthreats.net/2010816; classtype:command-and-control; sid:2010816; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_20;)
+
+#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"Test PCA (1024 bit)"; within:50; classtype:trojan-activity; sid:2011541; rev:5; metadata:created_at 2010_09_27, updated_at 2022_05_03;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY External Windows Update in Progress"; flow:established,to_server; content:"Windows-Update-Agent"; http_header; content:"Host|3a| "; http_header; nocase; pcre:"/User-Agent|3a|[^\n]+Windows-Update-Agent/Hsmi"; threshold: type limit, count 1, seconds 300, track by_src; reference:url,windowsupdate.microsoft.com; reference:url,doc.emergingthreats.net/2002948; classtype:policy-violation; sid:2002948; rev:11; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+#alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY udp port 0 traffic";  reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:2100525; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; content:"var g_szURL = |22|http|3a 2f 2f|"; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:16; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DriveBy, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipstack .com)"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"api.ipstack.com"; fast_pattern; http.uri; content:"?access_key="; classtype:external-ip-check; sid:2029694; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www. netikus .net)"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"www.netikus.net"; fast_pattern; http.uri; bsize:13; content:"/show_ip.html"; classtype:external-ip-check; sid:2030187; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_19;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [401TRG] DropBox Access via API (SNI)"; flow:established,to_server; tls.sni; content:"content.dropboxapi.com"; nocase; reference:url,github.com/dropbox/dbxcli; classtype:policy-violation; sid:2030702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Informational, updated_at 2020_08_19;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [401TRG] DropBox Access via API (Certificate)"; flow:established,from_server; tls.cert_subject; content:"CN=content.dropboxapi.com"; reference:url,github.com/dropbox/dbxcli; classtype:policy-violation; sid:2030703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Informational, updated_at 2020_08_19;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; tls.cert_subject; content:"CN=*.onion."; nocase; pcre:"/^(?:sh|lu|to)/Ri"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_08_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; http.user_agent; content:"libwww-perl/"; depth:12; nocase; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:5; metadata:created_at 2011_06_14, updated_at 2020_08_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY possible Xiaomi phone data leakage HTTP"; flow:to_server,established; http.host; content:"api.account.xiaomi.com"; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018919; rev:4; metadata:created_at 2014_08_11, updated_at 2020_08_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; tls.cert_subject; content:"LogMeIn, Inc."; fast_pattern; content:"join.me"; classtype:policy-violation; sid:2022551; rev:4; metadata:created_at 2016_02_22, updated_at 2020_08_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible IP Check api.ipify.org"; flow:established,from_server; tls.cert_subject; content:"CN=api.ipify.org"; classtype:policy-violation; sid:2019512; rev:4; metadata:created_at 2014_10_27, updated_at 2020_08_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Request for Coinhive Browser Monero Miner M2"; flow:established,from_server; tls.cert_serial; content:"0A:E1:E6:BD:51:FB:3D:8F:06:BE:0D:B5:5E:BD:E9:DF"; classtype:policy-violation; sid:2024786; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; http.header_names; content:"pw"; nocase; classtype:policy-violation; sid:2012870; rev:4; metadata:created_at 2011_05_26, updated_at 2020_08_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Unencrypted Connection to BASE Console"; flow:to_server,established; http.uri; content:"/base_main.php"; reference:url,base.secureideas.net; reference:url,doc.emergingthreats.net/bin/view/Main/2008570; classtype:misc-activity; sid:2008570; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"l2.io"; fast_pattern; nocase; classtype:external-ip-check; sid:2024833; rev:4; metadata:attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Informational, updated_at 2020_08_20;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Request for Jsecoin Browser Miner M2"; flow:established,from_server; tls.cert_serial; content:"00:E7:F9:B6:DE:A6:57:93:E2:44:6A:3B:95:C6:B3:EC:DF"; classtype:policy-violation; sid:2024788; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_20;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; tls.sni; content:"check.torproject.org"; nocase; classtype:external-ip-check; sid:2017928; rev:4; metadata:created_at 2014_01_04, updated_at 2020_08_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TraceMyIP IP lookup"; flow:established,to_server; http.host; content:"tracemyip.org"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:policy-violation; sid:2017933; rev:4; metadata:created_at 2014_01_06, updated_at 2020_08_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Majestic12 User-Agent Request Outbound"; flow:established,to_server; http.user_agent; content:"MJ12bot/"; classtype:trojan-activity; sid:2013256; rev:5; metadata:created_at 2011_07_12, updated_at 2020_08_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET"; flow:established,to_server; http.uri; content:"UDID"; pcre:"/[0-9a-f]{40}[^0-9a-f]/"; http.user_agent; content:"|20|CFNetwork/"; fast_pattern; content:"|20|Darwin/"; reference:url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid; reference:url,support.apple.com/kb/HT4061; classtype:attempted-recon; sid:2013290; rev:5; metadata:created_at 2011_07_19, updated_at 2020_08_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY localtunnel Sucessful Connection Setup"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b 22|port|22 3a|"; content:"|22|max_conn_count|22 3a|"; distance:0; content:"|22|id|22 3a|"; distance:0; content:"|22|url|22 3a|"; distance:0; content:"localtunnel.me|22 7d|"; distance:0; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025117; rev:2; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_08_24;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com"; flow:established,to_server; http.host; content:"myip.dnsomatic.com"; bsize:18; classtype:external-ip-check; sid:2016754; rev:4; metadata:created_at 2013_04_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTPie User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"HTTPie/"; depth:7; reference:url,httpie.org; classtype:attempted-recon; sid:2025584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; http.method; content:"head"; nocase; content:!"HEAD"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:4; metadata:created_at 2012_03_15, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 9.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/9."; reference:url,www.oracle.com/technetwork/java/javase/documentation/9u-relnotes-3704429.html; classtype:bad-unknown; sid:2025314; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check whatismyip.com Automation Page"; flow:established,to_server; http.uri; content:"/automation/n09230945.asp"; reference:url,doc.emergingthreats.net/2008985; classtype:attempted-recon; sid:2008985; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"whatismyip."; classtype:attempted-recon; sid:2008986; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"showip."; fast_pattern; pcre:"/^[^\r\n]+showip\.[a-z]+(?:\x3a\d{1,5})?$/"; reference:url,doc.emergingthreats.net/2008987; classtype:attempted-recon; sid:2008987; rev:8; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)"; flow:to_server,established; http.host; content:"showmyipaddress.com"; classtype:policy-violation; sid:2025920; rev:4; metadata:created_at 2012_12_12, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (whatismyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".ipchicken.com"; reference:url,doc.emergingthreats.net/2009020; classtype:attempted-recon; sid:2009020; rev:6; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (icanhazip. com in HTTP Host)"; flow:established,to_server; http.host; content:"icanhazip.com"; pcre:"/^(?:\x3a\d{1,5})?$/R"; classtype:attempted-recon; sid:2017398; rev:6; metadata:created_at 2013_08_30, former_category POLICY, updated_at 2020_08_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.6.0_"; content:!"211"; within:3; reference:url,www.oracle.com/technetwork/articles/javase/overview-156328.html; classtype:bad-unknown; sid:2011582; rev:55; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Packity Proxy Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".packity.com"; endswith; reference:md5,47a200e64ea11b25efc9bf78c4b03a1c; classtype:domain-c2; sid:2030799; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_08_26;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Packity Proxy Connection"; flow:established,to_server; http.start; content:"CONNECT /PROVIDER/PROXY2 HTTP/1.1|0d 0a|Host|3a 20|"; startswith; fast_pattern; content:"|0d 0a|Proxy-Authorization|3a 20|Basic "; distance:0; content:"=|0d 0a|"; distance:119; within:3; reference:md5,9d245ac24d0dad591d01d2ef52da3ead; classtype:bad-unknown; sid:2030800; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_08_26;)
+
+alert http any any -> $HOME_NET any (msg:"ET POLICY WinRM wsman Access - Possible Lateral Movement"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman?"; depth:7; fast_pattern; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026849; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_23, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Nimiq Miner Initiating Mining Session with Skypool"; flow:established,to_server; http.method; content:"GET"; http.host; content:"nimiq.skypool.org"; fast_pattern; http.header_names; content:"Upgrade"; content:"Sec-WebSocket-Version"; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026868; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category POLICY, malware_family CoinMiner, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_08_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; threshold: type both, count 1, seconds 300, track by_src; http.header; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2006402; classtype:policy-violation; sid:2006402; rev:13; metadata:created_at 2010_07_30, updated_at 2020_08_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; http.method; content:"post"; nocase; fast_pattern; content:!"POST"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:6; metadata:created_at 2012_03_15, updated_at 2020_08_31;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (extreme-ip-lookup .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"extreme-ip-lookup.com"; depth:21; classtype:external-ip-check; sid:2027765; rev:3; metadata:created_at 2019_07_29, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_08_31;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (bridges.torproject .org in DNS lookup)"; dns.query; content:"bridges.torproject.org"; depth:22; nocase; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:external-ip-check; sid:2017925; rev:6; metadata:created_at 2014_01_04, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Query to a *.opengw.net Open VPN Relay Domain"; dns.query; content:".opengw.net"; nocase; fast_pattern; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:8; metadata:created_at 2013_03_15, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY tor4u tor2web .onion Proxy DNS  lookup"; dns.query; content:"tor4u.net"; depth:9; nocase; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018875; rev:4; metadata:created_at 2014_08_01, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for try2check.me Carder Tool"; dns.query; content:"try2check.me"; depth:12; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:6; metadata:created_at 2012_02_24, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Middle Earth Illegal Marketplace Tor Hidden Service DNS Query"; dns.query; content:"mango7u3rivtwxy7"; depth:16; nocase; fast_pattern; classtype:policy-violation; sid:2020417; rev:4; metadata:created_at 2015_02_12, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.guide)"; dns.query; content:".onion.guide"; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2024662; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_09_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.link)"; dns.query; content:".onion.link"; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2022332; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_05, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.top)"; dns.query; content:".onion.top"; fast_pattern; nocase; classtype:policy-violation; sid:2024665; rev:6; metadata:created_at 2017_09_06, former_category POLICY, updated_at 2020_09_01;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.cab)"; dns.query; content:".onion.cab"; fast_pattern; nocase; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018876; rev:6; metadata:created_at 2014_08_01, former_category POLICY, updated_at 2020_09_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AOL Webmail Message Send"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/compose_frame.adp"; reference:url,doc.emergingthreats.net/bin/view/Main/2000571; classtype:policy-violation; sid:2000571; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Myspace Login Attempt"; flow:established,to_server; http.uri; content:"/index.cfm?fuseaction=login"; http.header; content:"secure.myspace.com"; reference:url,doc.emergingthreats.net/2002872; classtype:policy-violation; sid:2002872; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Orkut.com Social Site Access"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 300; http.host; content:"www.orkut.com"; startswith; reference:url,doc.emergingthreats.net/2003458; classtype:policy-violation; sid:2003458; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Dell MyWay Remote control agent"; flow:established,to_server; threshold:type limit, track by_src, count 2, seconds 360; http.header; content:"Host|3a 20|"; content:"myway.com"; nocase; http.referer; content:"http|3a|//dell"; startswith; reference:url,doc.emergingthreats.net/2008051; classtype:not-suspicious; sid:2008051; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metacafe.com Social Site Access"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 300; http.host; content:"www.metacafe.com"; startswith; reference:url,doc.emergingthreats.net/2003457; classtype:policy-violation; sid:2003457; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY RemoteSpy.com Upload Detect"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.php"; http.host; content:"www.remotespy.com"; startswith; reference:url,doc.emergingthreats.net/2008406; classtype:trojan-activity; sid:2008406; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Smilebox Spyware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smilebox/SmileboxInstaller.exe"; nocase; reference:url,www.smilebox.com/info/privacy.html; reference:url,doc.emergingthreats.net/2009998; classtype:policy-violation; sid:2009998; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY CBS Streaming Video"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/innertube/player.php?"; http.header; content:"Host|3a|"; nocase; content:"cbs.com"; nocase; reference:url,doc.emergingthreats.net/2007763; classtype:policy-violation; sid:2007763; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NBC Streaming Video"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".smil"; endswith; nocase; http.host; content:"video.nbcuni.com"; startswith; reference:url,doc.emergingthreats.net/2007764; classtype:policy-violation; sid:2007764; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (showmyip in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"showmyip."; reference:url,doc.emergingthreats.net/2008989; classtype:attempted-recon; sid:2008989; rev:7; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY External Unencrypted Connection To Aanval Console"; flow:established,to_server; http.uri; content:"/aanval/flex/AanvalFlex"; nocase; reference:url,www.aanval.com; reference:url,doc.emergingthreats.net/bin/view/Main/2008561; classtype:misc-activity; sid:2008561; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_02;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY External Unencrypted Connection to Ossec WUI"; flow:established,to_server; http.uri; content:"/ossec/"; content:"js/calendar-setup.js"; reference:url,www.ossec.net; reference:url,doc.emergingthreats.net/2008569; classtype:misc-activity; sid:2008569; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Centralops.net Domain Dossier Utility Probe"; flow:established,to_server; http.header; content:"USER-Agent|3a 20|Domain Dossier utility (http|3a|//CentralOps.net/)"; nocase; reference:url,centralops.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003623; classtype:policy-violation; sid:2003623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY python.urllib User Agent Web Crawl"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.header; content:"User-Agent|3a 20|"; nocase; content:"python.urllib/"; nocase; reference:url,docs.python.org/lib/module-urllib.html; reference:url,doc.emergingthreats.net/2002943; classtype:attempted-recon; sid:2002943; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98)"; flow:established,to_server; http.user_agent; content:"Win98"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008070; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; http.user_agent; content:"Windows 3.1"; fast_pattern; content:!"Cisco AnyConnect VPN Agent"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http any any -> any $HTTP_PORTS (msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"; flow: established,to_server; http.uri; content:"/prxjdg.cgi"; nocase; reference:url,doc.emergingthreats.net/2003047; classtype:policy-violation; sid:2003047; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - checkip.dyndns.org"; flow:established,to_server; http.host; content:"checkip.dyndns.org"; fast_pattern; depth:18; endswith; classtype:external-ip-check; sid:2021378; rev:5; metadata:created_at 2015_07_02, former_category POLICY, updated_at 2020_09_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY IP Check Domain (iplogger .org in DNS Lookup)"; dns.query; content:"iplogger.org"; endswith; classtype:policy-violation; sid:2035948; rev:4; metadata:created_at 2017_11_27, former_category POLICY, updated_at 2020_09_15;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (iplogger .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"iplogger.org"; endswith; nocase; classtype:policy-violation; sid:2035949; rev:4; metadata:created_at 2017_11_27, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - www.ip.cn"; flow:established,to_server; http.host; content:"www.ip.cn"; depth:9; endswith; classtype:external-ip-check; sid:2021600; rev:5; metadata:created_at 2015_08_06, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.co.cc domain"; flow:established,to_server; http.host; content:".co.cc"; endswith; classtype:bad-unknown; sid:2011374; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; dns.query; content:".xxx"; nocase; endswith; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:4; metadata:created_at 2011_03_21, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.vv.cc domain"; flow:to_server,established; http.host; content:".vv.cc"; endswith; classtype:bad-unknown; sid:2012827; rev:8; metadata:created_at 2011_05_19, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY request to .xxx TLD"; flow:established,to_server; http.host; content:".xxx"; endswith; reference:url,en.wikipedia.org/wiki/.xxx; classtype:policy-violation; sid:2012694; rev:6; metadata:created_at 2011_04_20, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2web)"; dns.query; content:".tor2web"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2015576; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (forkinvestpay.com)"; dns.query; content:"forkinvestpay.com"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022045; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.to)"; dns.query; content:".onion.to"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020116; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_15;)
+
+alert dns any any -> any any (msg:"ET POLICY possible Xiaomi phone data leakage DNS"; dns.query; content:"api.account.xiaomi.com"; nocase; endswith; reference:url,thehackernews.com/2014/08/xiaomi-phones-secretly-sending-users.html; classtype:policy-violation; sid:2018918; rev:4; metadata:created_at 2014_08_11, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 4"; dns.query; content:"bigdata.advmob.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023518; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Dropbox DNS Lookup - Possible Offsite File Backup in Use"; dns.query; content:"client-lb.dropbox.com"; nocase; endswith; reference:url,dropbox.com; classtype:policy-violation; sid:2020565; rev:4; metadata:created_at 2015_02_25, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.user_agent; content:"|20|MSIE 4."; fast_pattern; nocase; http.host; content:!".weatherbug.com"; endswith; content:!".wxbug.com"; endswith; classtype:policy-violation; sid:2016871; rev:7; metadata:created_at 2013_05_21, updated_at 2022_05_03;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 3"; dns.query; content:"bigdata.adfuture.cn"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023517; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 2"; dns.query; content:"bigdata.adsunflower.com"; nocase; endswith; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023516; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup / Tor Checker Domain (check.torproject .org in DNS lookup)"; dns.query; content:"check.torproject.org"; nocase; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017926; rev:6; metadata:created_at 2014_01_04, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to a *.tk domain"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; content:!".tcl.tk"; content:!"tcl.tk"; depth:6; endswith; classtype:bad-unknown; sid:2012810; rev:12; metadata:created_at 2011_05_15, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ipinfo.io"; flow:established,to_server; http.host; content:"ipinfo.io"; depth:9; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:external-ip-check; sid:2020716; rev:6; metadata:created_at 2015_03_20, former_category POLICY, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; http.user_agent; content:"Twisted PageGetter"; depth:18; endswith; http.host; content:"swupdate.openvpn.net"; fast_pattern; depth:20; endswith; classtype:policy-violation; sid:2014799; rev:5; metadata:created_at 2012_05_22, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)"; dns.query; content:"myip.opendns.com"; nocase; endswith; classtype:external-ip-check; sid:2023472; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)"; dns.query; content:"ipapi.co"; nocase; endswith; classtype:external-ip-check; sid:2024527; rev:6; metadata:attack_target Client_Endpoint, created_at 2017_08_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ipecho.net"; flow:established,to_server; http.host; content:"ipecho.net"; depth:10; endswith; classtype:external-ip-check; sid:2022351; rev:5; metadata:created_at 2016_01_12, former_category POLICY, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed IP Lookup Domain (l2 .io in DNS Lookup)"; dns.query; content:"l2.io"; endswith; classtype:external-ip-check; sid:2024831; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; http.user_agent; content:"SOGOU_UPDATER"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY .onion proxy Domain (onion .plus in DNS Lookup)"; dns.query; content:"onion.plus"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025095; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup)"; dns.query; content:"onion.casa"; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2025096; rev:4; metadata:created_at 2017_12_01, former_category POLICY, updated_at 2020_09_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Connection Setup Attempt"; flow:established,to_server; http.host; content:"localtunnel.me"; fast_pattern; endswith; http.header_names; content:"|0d 0a|host|0d 0a|accept"; depth:14; content:!"User-Agent"; content:!"Host"; content:!"Referer"; content:!"Accept"; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025116; rev:4; metadata:attack_target Client_and_Server, created_at 2017_12_04, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in DNS Lookup)"; dns.query; content:".localtunnel.me"; endswith; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025138; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY localtunnel Reverse Proxy Domain (localtunnel .me in TLS SNI)"; flow:established,to_server; tls.sni; content:".localtunnel.me"; endswith; nocase; reference:url,localtunnel.github.io/www/; classtype:policy-violation; sid:2025139; rev:4; metadata:created_at 2017_12_06, former_category POLICY, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY possible OnePlus phone data leakage DNS"; dns.query; content:"open.oneplus.net"; nocase; endswith; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025133; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)"; dns.query; content:"curlmyip.net"; nocase; endswith; reference:md5,c375012865b94fa037d23c555e6c2772; classtype:external-ip-check; sid:2025154; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2017_12_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. sx)"; dns.query; content:".onion.sx"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025446; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_28, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion. pw)"; dns.query; content:".onion.pw"; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2025449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"xmr.pool.minergate.com"; nocase; endswith; classtype:trojan-activity; sid:2025451; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_30, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Coinminer, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".gif"; fast_pattern; endswith; content:!"__utm.gif"; endswith; http.host; content:!".tealiumiq.com"; content:!"snackly.co"; content:!"otf.msn.com"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:17; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)"; flow:from_server,established; tls.cert_subject; content:"CN=ipinfo.io"; nocase; endswith; classtype:external-ip-check; sid:2025330; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (up .jkc8 .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.aspx"; endswith; http.user_agent; content:"sjd32DSKJF9Ssf"; depth:14; fast_pattern; http.host; content:"up.jkc8.com"; http.header_names; content:!"Referer"; reference:md5,5a7526db56f812e62302912a1c20edd2; classtype:external-ip-check; sid:2026216; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Container"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/containers/create"; endswith; http.user_agent; content:"Docker-Client"; depth:13; fast_pattern; http.request_body; content:"|7b 22|Hostname|22 3a 22|"; depth:13; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2026561; rev:4; metadata:attack_target Server, created_at 2018_10_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Free Hosting Domain (.free .bg)"; dns.query; content:".free.bg"; nocase; endswith; classtype:policy-violation; sid:2026742; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_12_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via vtransmit .com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip.php"; depth:10; endswith; http.host; content:"vtransmit.com"; depth:13; fast_pattern; endswith; classtype:external-ip-check; sid:2026761; rev:4; metadata:attack_target Client_and_Server, created_at 2019_01_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. pet))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026808; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .pet)"; dns.query; content:".onion.pet"; nocase; endswith; classtype:policy-violation; sid:2026809; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy domain (onion .ws)"; dns.query; content:".onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026810; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Tor Proxy Domain (.onion. ws))"; flow:established,to_client; tls.cert_subject; content:"CN=*.onion.ws"; nocase; endswith; classtype:policy-violation; sid:2026811; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_01_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Skypool Coin Mining Pool DNS Lookup"; dns.query; content:"skypool.org"; nocase; endswith; reference:md5,2a0a5e1ed928eb01e322dd3680a13eba; classtype:policy-violation; sid:2026867; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via iplocation.com"; flow:established,to_server; tls.sni; content:"iplocation.com"; endswith; nocase; classtype:external-ip-check; sid:2026892; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_07, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"whatismyipaddress.com"; endswith; classtype:external-ip-check; sid:2026896; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY IP Logger Redirect Domain in SNI"; flow:to_server,established; tls.sni; content:"maper.info"; endswith; classtype:policy-violation; sid:2026897; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Address Lookup DNS Query (2ip .ua)"; dns.query; content:"2ip.ua"; nocase; endswith; reference:md5,81bfa5fe9d0147c8df47a51a1cd4b7c4; classtype:external-ip-check; sid:2027026; rev:3; metadata:created_at 2019_03_04, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; http.host; content:".su"; endswith; reference:url,www.abuse.ch/?p=3581; classtype:bad-unknown; sid:2014170; rev:6; metadata:created_at 2012_01_31, former_category POLICY, updated_at 2020_09_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Check myexternalip.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"myexternalip.com"; depth:16; endswith; classtype:external-ip-check; sid:2019980; rev:6; metadata:created_at 2014_12_20, former_category POLICY, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY URL Shortener Service Domain in DNS Lookup (tiny .cc)"; dns.query; content:"tiny.cc"; nocase; endswith; classtype:trojan-activity; sid:2027199; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (URL Shortener Service - tiny .cc)"; flow:from_server,established; tls.cert_subject; content:"CN=tiny.cc"; nocase; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:trojan-activity; sid:2027200; rev:4; metadata:created_at 2019_04_15, former_category POLICY, tag URL_Shortener_Service, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Monero Mining Pool DNS Lookup"; dns.query; content:"pxybomb.icu"; nocase; endswith; classtype:trojan-activity; sid:2027285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Monero, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (dns-report .com)"; dns.query; content:"dns-report.com"; nocase; endswith; pcre:"/^[a-z0-9\-\.]{1,60}\.dns-report\.com$/"; classtype:bad-unknown; sid:2027363; rev:3; metadata:created_at 2019_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - iplocation .truevue .org"; flow:established,to_server; http.host; content:"iplocation.truevue.org"; fast_pattern; depth:22; endswith; classtype:external-ip-check; sid:2027372; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to External IP Lookup Domain ( iplocation .truevue .org)"; dns.query; content:"iplocation.truevue.org"; nocase; endswith; classtype:external-ip-check; sid:2027373; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_05_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible EXE Download Request to ngrok"; flow:established,to_server; http.uri; content:".exe"; endswith; http.host; content:".ngrok.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027391; rev:4; metadata:created_at 2019_05_28, deployment Perimeter, former_category POLICY, signature_severity Major, tag Suspicious_Download, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Request"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"www.shmyip.com"; fast_pattern; endswith; reference:md5,0b14eedcc9e847a2d20abf409c8b505f; classtype:external-ip-check; sid:2027430; rev:3; metadata:created_at 2019_06_04, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> [!134.170.0.0/16,$EXTERNAL_NET] any (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:established,to_server; threshold: type limit,track by_src,count 2,seconds 60; http.header; content:!"GeoVision"; http.user_agent; content:"|20|MSIE 5."; fast_pattern; nocase; http.host; content:!".microsoft.com"; endswith; content:!".trendmicro.com"; endswith; content:!".sony.net"; endswith; content:!".weather.com"; endswith; content:!".yahoo.com"; endswith; content:!".dellfix.com"; endswith; content:!".oncenter.com"; endswith; classtype:policy-violation; sid:2016870; rev:15; metadata:created_at 2013_05_21, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; http.user_agent; content:"Python-urllib/"; nocase; depth:14; http.host; content:!"dropbox.com"; endswith; content:!"downloads.ironport.com"; endswith; content:!".ubuntu.com"; endswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:9; metadata:created_at 2011_06_14, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Disposable Email Provider Domain in DNS Lookup (www .yopmail .com)"; dns.query; content:"www.yopmail.com"; nocase; depth:15; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/; classtype:policy-violation; sid:2027733; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_19, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Commercial Proxy Provider geosurf .io)"; flow:established,to_client; tls.cert_subject; content:"C=IL, L=Tel Aviv, O=BI Science (2009) Ltd, OU=WEB, CN=*.geosurf.io"; endswith; fast_pattern; classtype:policy-violation; sid:2027760; rev:3; metadata:created_at 2019_07_26, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)"; flow:established,to_client; threshold: type limit, track by_dst, count 1, seconds 600; tls.cert_subject; content:"C=DE, O=philandro Software GmbH, CN=AnyNet Relay"; endswith; fast_pattern; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027761; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (www .net .cn)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static/customercare/yourip.asp"; depth:31; endswith; fast_pattern; http.host; content:"www.net.cn"; reference:md5,51bdd385ab780d1efd1a62129f066edf; classtype:external-ip-check; sid:2027786; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup getip.pw"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"getip.pw"; fast_pattern; endswith; classtype:external-ip-check; sid:2027860; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTTP-TUNNEL detected"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?crap"; startswith; fast_pattern; threshold:type limit, track by_src,count 5, seconds 30; classtype:policy-violation; sid:2030886; rev:1; metadata:created_at 2020_09_17, former_category POLICY, signature_severity Informational, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (api .ipaddress .com)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/myip"; depth:5; endswith; http.host; content:"api.ipaddress.com"; depth:17; fast_pattern; endswith; classtype:external-ip-check; sid:2027905; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External Geo IP Lookup (api .db-ip .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2027915; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert tls $EXTERNAL_NET 853 -> $HOME_NET any (msg:"ET POLICY Quad9 DNS Over TLS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=California, L=Berkeley, O=Quad9, CN=*.quad9.net"; endswith; fast_pattern; reference:md5,1e686b56ccbcb28667698389703bb13a; classtype:policy-violation; sid:2027918; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed External IP Lookup Domain (ipconfig .cf in TLS SNI)"; flow:established,to_server; tls.sni; content:"ipconfig.cf"; endswith; classtype:external-ip-check; sid:2027919; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag IP_address_lookup_website, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; dns.query; content:".onion"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:5; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; dns.query; content:".exit"; fast_pattern; endswith; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:7; metadata:created_at 2012_06_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Invisible Internet Project Domain (I2P)"; dns.query; content:".i2p"; endswith; fast_pattern; reference:url,geti2p.net; classtype:policy-violation; sid:2019988; rev:6; metadata:created_at 2014_12_22, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p-netdb.innovatio.no)"; dns.query; content:"i2p-netdb.innovatio.no"; depth:22; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020189; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (i2p.mooo.com)"; dns.query; content:"i2p.mooo.com"; depth:12; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020190; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (netdb.i2p2.no)"; dns.query; content:"netdb.i2p2.no"; depth:13; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020191; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (reseed.i2p-projekt.de)"; dns.query; content:"reseed.i2p-projekt.de"; depth:21; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020192; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (uk.reseed.i2p2.no)"; dns.query; content:"uk.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020193; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY I2P Reseed Domain Lookup (us.reseed.i2p2.no)"; dns.query; content:"us.reseed.i2p2.no"; depth:17; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2020194; rev:5; metadata:created_at 2015_01_15, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.ngrok domain (ngrok.com)"; dns.query; content:".ngrok.com"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022641; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a *.neokred domain - Likely Hostile"; dns.query; content:".neokred.org"; fast_pattern; endswith; nocase; classtype:policy-violation; sid:2022643; rev:5; metadata:created_at 2016_03_23, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpovider.org)"; dns.query; content:".torpovider.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019981; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.org)"; dns.query; content:".torgateway.org"; fast_pattern; nocase; endswith; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2019983; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_12_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bladetor.com)"; dns.query; content:".bladetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020107; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bonytor.com)"; dns.query; content:".bonytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020108; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bortor.com)"; dns.query; content:".bortor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020109; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (browsetor.com)"; dns.query; content:".browsetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020110; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (door2tor.org)"; dns.query; content:".door2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020111; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (enter2tor.com)"; dns.query; content:".enter2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020112; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (jamator.com)"; dns.query; content:".jamator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020113; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion2web.com)"; dns.query; content:".onion2web.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020114; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.lt)"; dns.query; content:".onion.lt"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020115; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay2tor.com)"; dns.query; content:".pay2tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020117; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (pay4tor.com)"; dns.query; content:".pay4tor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020118; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (payrobotor.com)"; dns.query; content:".payrobotor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020119; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (poltornik.com)"; dns.query; content:".poltornik.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020120; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (slavetor.com)"; dns.query; content:".slavetor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020121; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tanktor.com)"; dns.query; content:".tanktor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020122; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2pay.com)"; dns.query; content:".tor2pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020123; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor2www.com)"; dns.query; content:".tor2www.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020124; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (toralpacho.com)"; dns.query; content:".toralpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020127; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torbama.com)"; dns.query; content:".torbama.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020128; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torchek.com)"; dns.query; content:".torchek.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020129; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torexplorer.com)"; dns.query; content:".torexplorer.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020130; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforlove.com)"; dns.query; content:".torforlove.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020131; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torjam.com)"; dns.query; content:".torjam.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020132; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpacho.com)"; dns.query; content:".torpacho.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020134; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycash.com)"; dns.query; content:".torpaycash.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020135; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaycnf.com)"; dns.query; content:".torpaycnf.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020136; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayeur.com)"; dns.query; content:".torpayeur.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020137; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayusd.com)"; dns.query; content:".torpayusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020138; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torprivatebrowsing.org)"; dns.query; content:".torprivatebrowsing.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020139; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsanctions.com)"; dns.query; content:".torsanctions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020140; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torsona.com)"; dns.query; content:".torsona.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020141; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torvsusd.com)"; dns.query; content:".torvsusd.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020142; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwild.com)"; dns.query; content:".torwild.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020143; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwinner.com)"; dns.query; content:".torwinner.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020144; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (totortoweb.com)"; dns.query; content:".totortoweb.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020145; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (vtorchike.com)"; dns.query; content:".vtorchike.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020146; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (walterwtor.com)"; dns.query; content:".walterwtor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020147; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torforall.com)"; dns.query; content:".torforall.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020183; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torman2.com)"; dns.query; content:".torman2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020184; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwoman.com)"; dns.query; content:".torwoman.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020185; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torroadsters.com)"; dns.query; content:".torroadsters.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020186; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_15, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.gq)"; dns.query; content:".onion.gq"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020211; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpaysolutions.com)"; dns.query; content:".torpaysolutions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020374; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torpayoptions.com)"; dns.query; content:".torpayoptions.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020375; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torinvestment2.com)"; dns.query; content:".torinvestment2.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020376; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torwillsmith.com)"; dns.query; content:".torwillsmith.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020377; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstorpay22.com)"; dns.query; content:".optionstorpay22.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020390; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bananator.com)"; dns.query; content:".bananator.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020391; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (monsterbbc.com)"; dns.query; content:".monsterbbc.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020395; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tostotor.com)"; dns.query; content:".tostotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020400; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (trusteetor.com)"; dns.query; content:".trusteetor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020401; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionstopaytor33.com)"; dns.query; content:".solutionstopaytor33.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020402; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.am)"; dns.query; content:".onion.am"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020404; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (batmantor.com)"; dns.query; content:".batmantor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020405; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (dogotor.com)"; dns.query; content:".dogotor.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020406; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.glass)"; dns.query; content:".onion.glass"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020574; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.direct)"; dns.query; content:".onion.direct"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020577; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_26, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion Proxy Domain (connect2tor.org)"; dns.query; content:"connect2tor.org"; depth:15; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020617; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torstorm.org)"; dns.query; content:".torstorm.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020618; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (bolistatapay.com)"; dns.query; content:".bolistatapay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020619; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (sshowmethemoney.com)"; dns.query; content:".sshowmethemoney.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020620; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionstopaytos.com)"; dns.query; content:".optionstopaytos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020639; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (cheetosnotburitos.com)"; dns.query; content:".cheetosnotburitos.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020640; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (optionsketchupay.com)"; dns.query; content:".optionsketchupay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020641; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (solutionsaccountor.com)"; dns.query; content:".solutionsaccountor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020642; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4free.org)"; dns.query; content:".tor4free.org"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020686; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_12, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tordomain.org)"; dns.query; content:".tordomain.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020703; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (welcome2tor.org)"; dns.query; content:".welcome2tor.org"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2020704; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (clusterpaytor.com)"; dns.query; content:".clusterpaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021190; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (statepaytor.com)"; dns.query; content:".statepaytor.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2021191; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_06_06, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (paypartnerstodo.com)"; dns.query; content:".paypartnerstodo.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022041; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (allepohelpto.com)"; dns.query; content:".allepohelpto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022042; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (marketcryptopartners.com)"; dns.query; content:".marketcryptopartners.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022043; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (partnersinvestpayto.com)"; dns.query; content:".partnersinvestpayto.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022044; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (effectwaytopay.com)"; dns.query; content:".effectwaytopay.com"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022046; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_11_07, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tormaster.fr)"; dns.query; content:".tormaster.fr"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022645; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgateway.li)"; dns.query; content:".torgateway.li"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022646; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query"; dns.query; content:"bigdata.adups.com"; depth:17; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023515; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Android Adups Firmware DNS Query 5"; dns.query; content:"rebootv5.adsunflower.com"; depth:24; nocase; endswith; fast_pattern; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023519; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (anonym.to)"; dns.query; content:".anonym.to"; nocase; endswith; fast_pattern; classtype:policy-violation; sid:2023597; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (tor4pay.com)"; dns.query; content:".tor4pay.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020126; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torminater.com)"; dns.query; content:".torminater.com"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:bad-unknown; sid:2020133; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (onion.city)"; dns.query; content:".onion.city"; nocase; endswith; fast_pattern; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:trojan-activity; sid:2020430; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to .onion proxy Domain (torgate.es)"; dns.query; content:".torgate.es"; fast_pattern; endswith; nocase; reference:url,en.wikipedia.org/wiki/Tor_(anonymity_network); classtype:policy-violation; sid:2022644; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_03_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DNS_Onion_Query, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS request for Monero mining pool"; dns.query; content:"pool.minexmr.com"; depth:16; nocase; endswith; fast_pattern; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2017_09_monero_malware.txt; reference:url,www.welivesecurity.com/2017/09/28/monero-money-mining-malware/; classtype:trojan-activity; sid:2024789; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_29, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".serveo.net"; nocase; endswith; classtype:policy-violation; sid:2027942; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".pagekite.net"; nocase; endswith; classtype:policy-violation; sid:2027943; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (cmyip.com in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"cmyip.com"; fast_pattern; endswith; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:9; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; http.header; content:"myip.ozymo.com"; fast_pattern; nocase; classtype:external-ip-check; sid:2013217; rev:4; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; http.user_agent; content:"REBATEINF"; fast_pattern; startswith; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:4; metadata:created_at 2011_12_20, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; http.uri; content:"/tuner/?StationId="; fast_pattern; http.header; content:"tunein.com|0d 0a|"; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:4; metadata:created_at 2012_07_18, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploadify.php"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:4; metadata:created_at 2012_09_08, updated_at 2020_09_17;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; http.user_agent; content:"BitCoin"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:coin-mining; sid:2013457; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; http.host; content:".net78.net"; endswith; fast_pattern; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:4; metadata:created_at 2013_05_30, updated_at 2020_09_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; http.host; content:"myip.ru"; fast_pattern; endswith; classtype:policy-violation; sid:2018021; rev:6; metadata:created_at 2014_01_28, updated_at 2020_09_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; http.uri; content:"/ping/installping.aspx"; fast_pattern; content:"shortname="; content:"&os="; content:"&parents="; content:"&browserNames="; content:"&DefaultBrowserName="; content:"&langid="; content:"&installdate="; http.header; content:".installiq.com|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_05, deployment Perimeter, former_category POLICY, signature_severity Major, tag c2, updated_at 2020_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup maxmind.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/locate_my_ip"; fast_pattern; http.header; content:"maxmind.com"; reference:md5,0559c56d6dcf6ffe9ca18f43e225e3ce; classtype:external-ip-check; sid:2019140; rev:4; metadata:created_at 2014_09_09, former_category POLICY, updated_at 2020_09_25;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check wtfismyip.com"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:text|json|xml)?$/"; http.host; content:"wtfismyip.com"; endswith; fast_pattern; classtype:policy-violation; sid:2019737; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to WebDAV CloudMe Service"; flow:established,to_server; http.host; content:"webdav.cloudme.com"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:policy-violation; sid:2019914; rev:4; metadata:created_at 2014_12_11, updated_at 2020_09_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Request with BITS_POST Method"; flow:established,to_server; http.method; content:"BITS_POST"; fast_pattern; classtype:policy-violation; sid:2030917; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exploitpack.com tool checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/changelog/"; fast_pattern; pcre:"/^\/changelog\/(?:appversion|changelog|help)$/"; http.user_agent; content:"Java/1"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.exploitpack.com; classtype:bad-unknown; sid:2020195; rev:4; metadata:created_at 2015_01_15, updated_at 2020_09_29;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Monitoring Software Domain (sneek .io) in TLS SNI"; flow:established,to_server; tls.sni; content:"sneek.io"; bsize:8; classtype:policy-violation; sid:2030922; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Seeds File Request"; flow:established,to_server; http.uri; content:"/i2pseeds.su3"; fast_pattern; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020415; rev:4; metadata:created_at 2015_02_12, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Update check"; flow:established,to_server; http.uri; content:"/update.inf"; http.header; content:"X-TA-ClientVer|3a 20|"; fast_pattern; content:"X-TA-ClientOS|3a 20|"; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020580; rev:4; metadata:created_at 2015_02_27, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip2location.com"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021162; rev:5; metadata:created_at 2015_05_29, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ip.webmasterhome.cn"; flow:established,to_server; http.host; content:"ip.webmasterhome.cn"; fast_pattern; bsize:19; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021250; rev:4; metadata:created_at 2015_06_11, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup www.whatsmyip.us"; flow:established,to_server; http.host; content:"www.whatsmyip.us"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2021371; rev:4; metadata:created_at 2015_06_30, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip?json"; fast_pattern; http.host; content:"trackip.net"; classtype:external-ip-check; sid:2021550; rev:4; metadata:created_at 2015_07_29, former_category POLICY, updated_at 2020_10_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip2nation.com"; flow:established,to_server; http.host; content:"www.ip2nation.com"; fast_pattern; bsize:17; classtype:external-ip-check; sid:2022222; rev:4; metadata:created_at 2015_12_07, former_category POLICY, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IOS Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".ipa"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022296; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".apk"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022297; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip.tyk.nu"; flow:established,to_server; urilen:1; http.host; content:"ip.tyk.nu"; fast_pattern; bsize:9; classtype:external-ip-check; sid:2022368; rev:4; metadata:created_at 2016_01_14, former_category POLICY, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - meuip.net.br"; flow:established,to_server; http.host; content:"meuip.net.br"; fast_pattern; bsize:12; classtype:external-ip-check; sid:2022405; rev:4; metadata:created_at 2016_01_25, former_category POLICY, updated_at 2020_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via dawhois.com"; flow:established,to_server; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; classtype:external-ip-check; sid:2022687; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-score.com"; flow:established,to_server; http.host; content:"ip-score.com"; fast_pattern; bsize:12; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2022892; rev:4; metadata:created_at 2016_06_13, former_category POLICY, updated_at 2020_10_06;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTA Application Download"; flow:established,to_server; flowbits:set,ET.HTA.Download; http.method; content:"GET"; http.uri; content:".hta"; nocase; fast_pattern; endswith; http.host; content:!"kaspersky.com"; endswith; reference:url,www.trustedsec.com/july-2015/malicious-htas/; classtype:bad-unknown; sid:2022520; rev:6; metadata:created_at 2016_02_15, updated_at 2020_10_06;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Adups Firmware Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"{|22|dc_date|22 3a|"; depth:11; content:",|22|dc_type|22 3a|"; fast_pattern; content:",|22|keyword|22 3a|"; content:",|22|md5|22 3a|"; content:",|22|msg_date|22 3a|"; content:",|22|msg_type|22 3a|"; content:",|22|tell|22 3a|"; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023514; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_10_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (tinytools.nu)"; flow:established,to_server; http.uri; content:"/MyIPAddress/"; nocase; http.host; content:"www.tinytools.nu"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2023520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; http.host; content:"check.torproject.org"; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017927; rev:5; metadata:created_at 2014_01_04, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; http.header; content:"hotfile.com|0d 0a|"; fast_pattern; classtype:policy-violation; sid:2015015; rev:4; metadata:created_at 2012_07_04, former_category POLICY, updated_at 2020_10_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup whoer.net"; flow:established,to_server; http.host; content:"whoer.net"; fast_pattern; bsize:9; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021195; rev:5; metadata:created_at 2015_06_08, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; http.header; content:"User-Agent|3a|Mozilla"; nocase; fast_pattern; content:!"BlackBerry|3b|"; content:!"PlayBook|3b|"; content:!"Konfabulator"; content:!"masterconn.qq.com"; content:!"QQPCMgr"; classtype:trojan-activity; sid:2011800; rev:12; metadata:created_at 2010_10_13, former_category POLICY, updated_at 2020_10_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/updateserver"; fast_pattern; http.user_agent; content:"MSFX/"; depth:5; http.header_names; content:!"Referer"; classtype:misc-activity; sid:2020475; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_02_19, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_10_09;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service nrecom)"; flow:from_server,established; tls.cert_subject; content:"CN=ngn.gg"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2031000; rev:1; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_10_12;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; http.host; content:"myip.kz"; fast_pattern; bsize:7; classtype:external-ip-check; sid:2021533; rev:4; metadata:created_at 2015_07_27, former_category POLICY, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Peach C++ Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BSSID Location Lookup via api .mylnikov .org"; flow:established,to_server; http.host; content:"api.mylnikov.org"; fast_pattern; http.uri; content:"/geolocation/wifi?"; content:"&bssid="; distance:0; reference:md5,b666dc5379e31680a5621870210f0619; classtype:bad-unknown; sid:2031008; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; http.user_agent; content:"Installer Ping"; depth:14; classtype:trojan-activity; sid:2013190; rev:5; metadata:created_at 2011_07_05, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; http.user_agent; content:"asafaweb.com"; depth:12; endswith; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_13;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (uplovd .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.uplovd.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,b666dc5379e31680a5621870210f0619; classtype:policy-violation; sid:2031018; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; http.user_agent; content:"Babylon"; depth:7; fast_pattern; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:9; metadata:created_at 2011_04_28, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; http.uri; content:"/do/SDM"; nocase; content:"action="; nocase; http.user_agent; content:"AHTTPConnection"; nocase; depth:15; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:7; metadata:created_at 2011_09_28, updated_at 2020_10_14;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; http.header; content:!"Tree"; within:4; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:6; metadata:created_at 2011_06_17, updated_at 2020_10_14;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (api .anonfiles .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.anonfiles.com"; bsize:20; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:policy-violation; sid:2031019; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; http.user_agent; content:"WmpHostInternetConnection"; depth:25; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"curl"; nocase; startswith; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; http.uri; content:"/install/banner/"; nocase; pcre:"/\d/\d+.jpg/i"; http.user_agent; content:"NSISDL"; nocase; depth:6; http.host; content:"www.winpcap.org"; startswith; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; http.header; content:"|0d 0a|Host|3a 20|idisk.mac.com|0d 0a|"; nocase; http.user_agent; content:"DotMacKit-like, File-Sync-Direct"; depth:32; nocase; classtype:policy-violation; sid:2012331; rev:6; metadata:created_at 2011_02_22, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; http.user_agent; content:"MxAgent"; nocase; depth:7; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/10.0."; reference:url,www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html; classtype:bad-unknown; sid:2025518; rev:5; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 12.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/12.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html; classtype:bad-unknown; sid:2028868; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2021_12_22;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DoH Service)"; flow:from_server,established; tls.cert_subject; content:"CN=www.rubyfish.cn"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2029051; rev:3; metadata:created_at 2019_11_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag DNS_over_HTTPS, updated_at 2020_10_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter Download Observed"; flow:established,to_server; http.user_agent; content:"PCHunter"; depth:8; reference:url,www.bleepingcomputer.com/download/pc-hunter/; classtype:misc-activity; sid:2031087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_10_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious ToTok Mobile Application DNS Request"; dns.query; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious ToTok Mobile Application TLS Request"; tls.sni; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns.query; content:"gg.gg"; nocase; bsize:5; classtype:policy-violation; sid:2029258; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Website Hosting Service Observed in DNS Query"; dns.query; content:"dynapps.be"; nocase; endswith; classtype:policy-violation; sid:2029308; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_10_27;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".portmap."; nocase; pcre:"/^(?:com|io|host)/Ri"; classtype:policy-violation; sid:2027941; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; depth:49; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:5; metadata:created_at 2011_08_30, updated_at 2020_10_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=get&applicationID="; nocase; depth:25; fast_pattern; content:"&developerId="; nocase; distance:0; content:"&deviceId="; nocase; distance:0; content:"android.permission"; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:6; metadata:created_at 2011_06_16, updated_at 2020_10_28;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/13.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html; classtype:bad-unknown; sid:2028869; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns.query; content:".management"; nocase; endswith; classtype:policy-violation; sid:2029509; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/update.logmein.com/"; nocase; fast_pattern; http.header_names; content:!"Host|0d 0a|"; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cloud/pushdata"; endswith; fast_pattern; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"data="; depth:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025134; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_11_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; threshold:type threshold, track by_src, count 20, seconds 120; http.method; content:"POST"; http.cookie; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/"; http.accept_enc; content:"gzip"; depth:4; http.content_type; content:"application/octet-stream"; fast_pattern; nocase; bsize:24; http.header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:6; metadata:created_at 2016_03_28, updated_at 2020_11_03;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External IP Lookup SSL Cert"; flow:from_server,established; tls.cert_subject; content:".iplocation.com"; nocase; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:external-ip-check; sid:2026882; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_11_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; http.host; content:"rl.ammyy.com"; depth:12; endswith; fast_pattern; classtype:policy-violation; sid:2025149; rev:5; metadata:created_at 2017_12_13, updated_at 2020_11_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; http.cookie; content:"onion2web_confirmed="; fast_pattern; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; classtype:policy-violation; sid:2020324; rev:5; metadata:created_at 2015_01_28, updated_at 2020_11_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (myip .com)"; flow:established,to_server; http.host; content:"api.myip.com"; depth:12; isdataat:!1,relative; classtype:policy-violation; sid:2031188; rev:1; metadata:created_at 2020_11_06, updated_at 2020_11_06;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS *.dyn-ip24 .de Domain"; dns.query; content:".dyn-ip24.de"; nocase; endswith; classtype:policy-violation; sid:2029638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; flowbits:set,ET.ge.tt.download; http.method; content:"GET"; http.uri; content:"/gett/"; fast_pattern; depth:6; content:"?index="; distance:0; content:"&user="; distance:0; content:"&referrer="; distance:0; content:"&download="; distance:0; http.host; content:"ge.tt"; endswith; classtype:misc-activity; sid:2029745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"/upload/"; depth:8; http.method; content:"POST"; http.host; content:"ge.tt"; fast_pattern; http.request_body; content:"|22 3b 20|filename=|22|"; classtype:misc-activity; sid:2029746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_11_10;)
+
+alert smb any any -> $HOME_NET any (msg:"ET POLICY Possible winexe over SMB - Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|5c 00|a|00|h|00|e|00|x|00|e|00|c|00 00 00|"; fast_pattern; endswith; nocase; reference:url,attack.mitre.org/software/S0191/; classtype:bad-unknown; sid:2026879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Informational, updated_at 2020_11_10;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Upaste Paste Site"; dns.query; content:"upaste.me"; nocase; endswith; classtype:trojan-activity; sid:2031195; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, signature_severity Informational, updated_at 2020_11_10;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Upaste)"; flow:established,to_client; tls.cert_subject; content:"CN=upaste.me"; classtype:misc-activity; sid:2031196; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to .burpcollector .net Domain"; dns.query; content:".burpcollector.net"; nocase; endswith; classtype:policy-violation; sid:2029826; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_16;)
+
+#alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns_query; content:".authentication.directory"; nocase; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029834; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY moanmyip .com DNS Lookup"; dns.query; content:"moanmyip.com"; nocase; endswith; classtype:policy-violation; sid:2030127; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (mazenews .top)"; dns.query; content:"mazenews.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030135; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (newsmaze .top)"; dns.query; content:"newsmaze.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030136; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY ipchicken .com DNS Lookup"; dns.query; content:"ipchicken.com"; nocase; endswith; classtype:policy-violation; sid:2030138; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (corpleaks .net)"; dns.query; content:"corpleaks.net"; nocase; bsize:13; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030161; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (hxt254aygrsziejn .onion) DNS Lookup"; dns.query; content:"hxt254aygrsziejn.onion"; nocase; bsize:22; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030162; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"x-flash-version|3a 20|"; content:!"32.0.0.387|0d 0a|"; within:12; content:!"32,0,0,387|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:127; metadata:affected_product Adobe_Flash, created_at 2012_05_09, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Inbound PowerShell Capable of Enumerating Internal Network via WMI"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|Win32_NetworkAdapterConfiguration"; nocase; content:"_.IPEnabled|20|-ne|20|$null"; within:200; nocase; content:"_.DefaultIPGateway|20|-ne|20|$null"; within:200; nocase; content:"select|20|IPAddress"; within:200; nocase; fast_pattern; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.4."; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:14; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nvserver"; http.request_body; content:"cmd="; content:"&params="; content:"Netviewer Proxy Test"; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:7; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service nrecom in DNS Query"; dns.query; content:"paste.nrecom.net"; nocase; endswith; classtype:policy-violation; sid:2031001; rev:3; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_11_19;)
+
+alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY ToDesk Remote Access Control Tool"; flow:established,to_server; content:"|00 00 00|"; startswith; content:"|01 0a 20|"; offset:4; depth:3; content:"|12|"; offset:39; depth:1; byte_jump:1,0,relative; content:"|18 01 22|"; within:3; byte_jump:1,0,relative; content:"|3a 3f|"; within:2; content:"B$"; distance:63; within:2; isdataat:!68,relative; reference:md5,d428709903e8c86bc02dfc29ab903634; classtype:policy-violation; sid:2031242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_30, deployment Perimeter, former_category POLICY, performance_impact Significant, signature_severity Informational, updated_at 2020_11_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"X-Requested-With|3a 20|ShockwaveFlash/"; fast_pattern; content:!"32.0.0.453|0d 0a|"; within:12; content:!"32.0.0.445|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2024379; rev:37; metadata:affected_product Adobe_Flash, created_at 2017_06_13, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_12_07;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded from Discord"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; http.uri; content:"/attachments/"; startswith; fast_pattern; pcre:"/^[0-9]{18}\/[0-9]{18}\/[a-zA-Z0-9]{5,7}$/R"; reference:md5,1ef671ebe0e5efd44cf05c630fbe9cb5; classtype:policy-violation; sid:2031083; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_01_25;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 Remote AT Scheduled Job Create Request"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00|a|00|t|00|s|00|v|00|c|00|"; distance:0; content:!"|00|c|00|r|00|y|00|p|00|t|00|c|00|a|00|t|00|s|00|v|00|c|00|"; classtype:bad-unknown; sid:2025713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2021_01_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Image"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"images/create?fromImage="; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2031584; rev:2; metadata:attack_target Server, created_at 2021_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2021_01_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Sending Docker Swarm Join Command"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/swarm/join"; endswith; http.request_body; content:"|7b 22|ListenAddr|22 3a 22|"; startswith; content:"|22|RemoteAddrs|22 3a 5b 22|"; content:"|2c 22|JoinToken|22 3a 22|"; http.header_names; content:!"Referer"; reference:url,github.com/Caprico1/Docker-Botnets/commit/bbfd65fce31d74bfa798e00a2c918022a45d211a; classtype:trojan-activity; sid:2031587; rev:2; metadata:attack_target Server, created_at 2021_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2021_01_28;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"www.watismijnip.nl"; endswith; classtype:external-ip-check; sid:2031616; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2021_02_12;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY RDP Wrapper Download (bat)"; flow:established,to_client; file.data; content:"|3a 3a| Automatic RDP Wrapper installer and updater"; fast_pattern; content:"|3a 3a| Location of new/updated rdpwrap.ini files"; content:"set rdpwrap_ini_update_github_1=|22|"; reference:url,github.com/asmtron/rdpwrap; classtype:bad-unknown; sid:2032880; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, updated_at 2021_04_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY RDP Wrapper Download (ini)"; flow:established,to_client; file.data; content:"|3b| RDP Wrapper Library configuration"; fast_pattern; content:"LogFile=|5c|rdpwrap.txt"; reference:url,github.com/asmtron/rdpwrap; classtype:bad-unknown; sid:2032881; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2021_04_27;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter CnC activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PCHunter_"; startswith; fast_pattern; content:"="; distance:0; pcre:"/[A-F0-9]{96}$/R"; reference:md5,987b65cd9b9f4e9a1afd8f8b48cf64a7; classtype:misc-activity; sid:2032946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_05_12;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.mylnikov.org"; bsize:16; fast_pattern; reference:md5,1bad0cbd09b05a21157d8255dc801778; classtype:policy-violation; sid:2033010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2021_05_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Wifi Geolocation Lookup Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geolocation/wifi"; startswith; fast_pattern; content:"bssid="; http.host; content:"api.mylnikov.org"; bsize:16; reference:md5,1bad0cbd09b05a21157d8255dc801778; classtype:policy-violation; sid:2033011; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_05_21;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)"; flow:from_server,established; tls.cert_subject; content:"CN=transfer.sh"; fast_pattern; classtype:policy-violation; sid:2033076; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_06_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.7.0_"; content:!"301"; within:3; reference:url,www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html; classtype:bad-unknown; sid:2014297; rev:61; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2012_03_01, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Filesharing Domain (privatlab .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.com"; bsize:13; fast_pattern; classtype:policy-violation; sid:2033137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_06_10;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)"; dns.query; content:".nanopool.org"; nocase; endswith; classtype:policy-violation; sid:2033268; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_07;)
+
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033247; rev:2; metadata:created_at 2021_07_06, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|2f 00|"; content:"|2f|"; distance:0; within:30; classtype:misc-activity; sid:2033274; rev:2; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00 3f 00 5c 00|U|00|N|00|C|00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033275; rev:2; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+
+#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00 3f 00 3f 00 5c 00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033276; rev:1; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - AddPrinterDriverEx with Suspicious Filepath"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c|spool|5c|drivers|5c|x64|5c|3|5c|old|5c|"; fast_pattern; classtype:misc-activity; sid:2033246; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_06, cve 2021_34527, former_category POLICY, updated_at 2021_07_08;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncAddPrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|27 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033255; rev:4; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncCorePrinterDriverInstalled"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|41 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033263; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|2a 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033258; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverEx"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|2b 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033259; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|43 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033265; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncEnumPrinterDrivers"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|28 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:bad-unknown; sid:2033254; rev:3; metadata:created_at 2021_07_06, former_category POLICY, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetCorePrinterDrivers"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|40 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033262; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|1a 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033256; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverDirectory"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|29 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033257; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverPackagePath"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|42 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033264; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Chisel SOCKS Proxy Startup Observed"; flow:established,from_server; http.stat_code; content:"101"; file.data; content:"SSH-chisel-v3-server"; offset:2; fast_pattern; classtype:policy-violation; sid:2033342; rev:1; metadata:created_at 2021_07_15, former_category POLICY, tag Proxy, tag Tunnel, updated_at 2021_07_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Request via wttr .in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?format="; startswith; http.host; content:"wttr.in"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2033354; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_07_16;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncUploadPrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3f 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033261; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
+
+alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncInstallPrinterDriverFromPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3e 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033260; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (ifconfig .me)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ifconfig.me"; depth:11; endswith; fast_pattern; reference:md5,52ba2e1f51d16394bf109b42c1166b74; classtype:external-ip-check; sid:2026718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2021_07_21;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (myexternalip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"myexternalip.com"; endswith; nocase; xbits:set,ET.ipcheck,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033385; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (freegeoip .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"freegeoip.live"; endswith; nocase; xbits:set,ET.ipcheck,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033386; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IPFS Domain (storage .snark .art in TLS SNI)"; flow:established,to_server; tls.sni; content:"storage.snark.art"; endswith; nocase; xbits:set,ET.dropsite,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033388; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
+
+alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; classtype:misc-activity; sid:2018789; rev:4; metadata:created_at 2014_07_28, former_category POLICY, updated_at 2021_07_23;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Cisco Data Center Network Manager Version Check Inbound (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/fmrest/about/version"; endswith; fast_pattern; flowbits:set,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033441; rev:1; metadata:created_at 2021_07_27, former_category POLICY, updated_at 2021_07_27;)
+
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 11.1"; flow:established,from_server; file.data; content:"version|22 3a 22|11.1|28|1|29|"; flowbits:isset,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033442; rev:1; metadata:created_at 2021_07_27, updated_at 2021_07_27;)
+
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 10.4"; flow:established,from_server; file.data; content:"version|22 3a 22|10.4|28|2|29|"; flowbits:isset,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033443; rev:1; metadata:created_at 2021_07_27, updated_at 2021_07_27;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DNS Service)"; flow:from_server,established; tls.cert_subject; content:".sslip.io"; endswith; nocase; fast_pattern; classtype:policy-violation; sid:2033621; rev:1; metadata:created_at 2021_07_30, former_category POLICY, updated_at 2021_07_30;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup via 3322 .org"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip"; endswith; http.host; content:"3322.org"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2033630; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_07_30;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed URL Shortening Service Domain (longurl .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"longurl.in"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033666; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_08_04;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to IP Lookup Domain (me .shodan .io)"; dns.query; content:"me.shodan.io"; nocase; bsize:12; classtype:policy-violation; sid:2033729; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_08_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Seetrol Software Download (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; startswith; content:".exe"; endswith; http.host; content:"www.seetrol."; startswith; fast_pattern; classtype:bad-unknown; sid:2033917; rev:1; metadata:created_at 2021_09_09, former_category POLICY, updated_at 2021_09_09;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Autodiscover Credentials Leak via Basic Auth"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/autodiscover/autodiscover.xml"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|"; reference:url,guardicore.com/labs/autodiscovering-the-great-leak/; classtype:policy-violation; sid:2034019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup via ad4989 .co .kr"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ipcheck.asp"; endswith; http.host; content:".ad4989.co.kr"; endswith; fast_pattern; classtype:policy-violation; sid:2034090; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_18;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AmeriTechnology Group - CHARM Client"; flow:established,to_server; http.request_line; content:"GET /check.asp?co="; startswith; fast_pattern; http.uri; content:"&pc="; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,451f2852e35977a150066afdc5acb318; classtype:policy-violation; sid:2034118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_05;)
+
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Apache HTTP Server 2.4.49 Observed - Vulnerable to CVE-2021-41773"; flow:established,to_client; http.server; content:"Apache/2.4.49"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:cve,2021-41773; classtype:bad-unknown; sid:2034126; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category POLICY, signature_severity Informational, updated_at 2021_10_05;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|NSEC-UID|0d 0a|"; fast_pattern; http.request_body; content:"|3c|sessions|20|uid|3d 22|"; startswith; content:"|22 20|user|3d 22|"; distance:0; content:"|2f 3e 3c 2f|sessions|3e|"; endswith; reference:md5,4a14459e5dbadb86417483dba7174ffa; classtype:bad-unknown; sid:2034144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_10_06;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service paste .c-net in DNS Query"; dns.query; content:"paste.c-net.org"; nocase; endswith; reference:md5,144cf514759595e65f3468f6fdb66d59; classtype:policy-violation; sid:2034154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_07;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service paste .c-net)"; flow:established,to_server; tls.sni; content:"paste.c-net.org"; fast_pattern; classtype:policy-violation; sid:2034155; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_07;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M2"; flow:established,to_server; stream_size:server,=,1; dsize:512; content:"MFjOLrqOLbmPnAKuM7cBwxcPgaqvM7cNcoZKIYmscocPnAOuM7jRJYJy2YBEmEORcoZKLSuscOByLFZL2rZunrfOrFqNJazEJ7GXgYNocF24J8EocoZOgST/Ja3sceRocazuJaOEIYsvnYNsce5ocxkV"; startswith; fast_pattern; reference:md5,9b9f3a3b03831b6f98ca1b935dd0eb51; classtype:bad-unknown; sid:2034178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_12;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed ApoioViewer Remote Access Tool  Domain (apoioviewer .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"apoioviewer.com"; bsize:15; fast_pattern; reference:md5,b27ede7c569f27d96c66b4d3c7a84a95; classtype:policy-violation; sid:2034276; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_10_28;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)"; dns.query; content:"transfer.sh"; nocase; bsize:11; classtype:bad-unknown; sid:2034316; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_01;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Connection Manager Administration Kit (cmdl32.exe) User-Agent"; flow:established,to_server; http.user_agent; content:"Microsoft(R) Connection Manager Vpn File Update"; bsize:47; reference:url,twitter.com/ElliotKillick/status/1455897435063074824; reference:url,www.hexacorn.com/blog/2017/04/30/the-archaeologologogology-3-downloading-stuff-with-cmdln32; classtype:policy-violation; sid:2034335; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_03;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)"; dns.query; content:".publicvm.com"; nocase; endswith; content:!"www.publicvm.com"; classtype:bad-unknown; sid:2034457; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
+
+alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:3; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:17; metadata:created_at 2010_07_30, updated_at 2021_11_18;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Burp Collaborator Domain in DNS Query"; dns_query; content:".burpcollaborator.net"; nocase; endswith; classtype:policy-violation; sid:2034505; rev:1; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2021_11_18;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Burp Collaborator Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=*.burpcollaborator.net"; nocase; classtype:policy-violation; sid:2034507; rev:1; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2021_11_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Burp Collaborator Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".burpcollaborator.net"; endswith; fast_pattern; classtype:policy-violation; sid:2034506; rev:2; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2022_03_16;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/11.0."; content:!"13"; within:2; reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html; classtype:bad-unknown; sid:2028867; rev:8; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2021_12_22;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY owncloud .online Hosted Site Observed in TLS SNI"; flow:established,to_server; tls.sni; content:".owncloud.online"; endswith; reference:url,tria.ge/210809-35bb7j7tne/behavioral2; classtype:trojan-activity; sid:2034549; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_29;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Owncloud Observed Self Signed TLS Certificate"; flow:established,to_client; tls.cert_subject; content:"CN=owncloud"; nocase; tls.cert_issuer; content:"CN=owncloud"; classtype:policy-violation; sid:2034550; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_29;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)"; dns.query; dotprefix; content:".trycloudflare.com"; nocase; endswith; classtype:bad-unknown; sid:2034552; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2021_11_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NetSupport GeoLocation Lookup Request"; flow:established,to_server; http.request_line; content:"GET /location/loca.asp"; startswith; http.host; content:"geo.netsupportsoftware.com"; bsize:26; reference:md5,f76954b68cc390f8009f1a052283a740; classtype:policy-violation; sid:2034559; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_30;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY dnslog .cn Observed in DNS Query"; dns.query; dotprefix; content:".dnslog.cn"; nocase; endswith; classtype:domain-c2; sid:2034669; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_11, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_11;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY File Sharing Site in DNS Lookup (satoshidisk .com)"; dns.query; content:"satoshidisk.com"; nocase; bsize:15; classtype:policy-violation; sid:2034681; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_13;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; flowbits:set,ET.http.javaclient; flowbits:noalert; http.user_agent; content:"Java/"; classtype:misc-activity; sid:2013035; rev:5; metadata:created_at 2011_06_16, updated_at 2021_12_14;)
+
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY GIOP/IIOP Request Outbound"; flow:established,to_server; flowbits:set,ET.GIOPsession; stream_size:server,<,5; content:"|47 49 4f 50 01|"; startswith; content:"|00|"; distance:2; within:1; classtype:policy-violation; sid:2034730; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful GIOP/IIOP Request Outbound"; flow:established,to_client; flowbits:isset,ET.GIOPsession; stream_size:server,<,50; content:"|47 49 4f 50 01|"; startswith; content:"|01|"; distance:2; within:1; classtype:policy-violation; sid:2034731; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; content:"|30 24 02 01|"; startswith; content:"|78 1f 0a 01 00 04 00 04 00 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034720; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_15;)
+
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPSBindRequest; flowbits:isnotset,ET.LDAPSBindRequest; stream_size:server,<,5; content:"|30 1d 02 01|"; startswith; content:"|77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:bad-unknown; sid:2034719; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|78 07 0a 01 00 04 00 04 00|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034721; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY RMI Request Outbound"; flow:established,to_server; stream_size:server,<,5; flowbits:set,ET.RMIRequest; flowbits:isnotset,ET.RMIRequest; content:"|4a 52 4d 49 00|"; startswith; fast_pattern; pcre:"/^(?:\x01|\x02)(?:\x4b|\x4c|\x4d)/R"; reference:url,docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; reference:url,github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/rex/proto/rmi/model.rb; classtype:policy-violation; sid:2034718; rev:3; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_16;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Serialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ac ed|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034748; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Unserialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ca fe ba be|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034749; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPAnonBindRequest; stream_size:server,<,50; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|61 07 0a 01 00 04 00 04 00|"; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034705; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPAnonBindRequest; flowbits:isnotset,ET.LDAPAnonBindRequest; stream_size:server,<,5; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|60 07 02 01 03 04 00 80 00|"; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034704; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3 Bind Request"; flow:established,to_client; flowbits:isset,ET.LDAPAnonBindRequest; content:"javaClassName"; fast_pattern; nocase; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034770; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPBindRequest; flowbits:isnotset,ET.LDAPBindRequest; content:"|30|"; startswith; content:"|02 01|"; within:4; content:"|60|"; distance:1; within:1; byte_test:1,>,7,0,relative; content:"|02 01 03 04|"; distance:1; within:4; fast_pattern; byte_jump:1,0,relative; content:"|80|"; within:1; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034812; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful Non-Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPBindRequest; content:"|30|"; startswith; content:"|02 01|"; distance:0; content:"|61|"; distance:0; content:"|07 0a 01 00 04 00 04 00|"; within:12; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034771; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+
+alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY JavaClass Returned Via Non-Anonymous Outbound LDAPv3 Bind Request"; flow:established,to_client; flowbits:isset,ET.LDAPBindRequest; content:"javaClassName"; fast_pattern; nocase; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034772; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 14.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/14.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/14u-relnotes.html; classtype:bad-unknown; sid:2034814; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 15.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/15.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/15u-relnotes.html; classtype:bad-unknown; sid:2034815; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 16.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/16.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/16u-relnotes.html; classtype:bad-unknown; sid:2034816; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 17.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/17.0."; content:!"1"; within:1; reference:url,www.oracle.com/java/technologies/javase/17u-relnotes.html; classtype:bad-unknown; sid:2034817; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+
+alert tcp any any -> $HOME_NET any (msg:"ET POLICY Serialized Java Object returned via LDAPv3 Response"; flow:established,to_client; content:"|30|"; depth:1; content:"|04 0d|javaClassName"; fast_pattern; content:"|04 12|javaSerializedData"; distance:0; content:"|ac ed|"; within:10; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:bad-unknown; sid:2034818; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_12_21;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Observed CVE-2021-44228 Security Scanner Domain (dns .cyberwar .nl)"; dns.query; dotprefix; content:".dns.cyberwar.nl"; nocase; endswith; reference:cve,2021-44228; classtype:policy-violation; sid:2034829; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_21;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"Java/1.5."; nocase; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:12; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.8.0_"; content:!"291"; within:3; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:35; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".2o2.lol"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; reference:md5,c5dcbd49126fff30970e849207d47c9d; classtype:credential-theft; sid:2034237; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".strongencryption.org"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029833; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".comano.us"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029835; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M5"; flow:established,to_server; http.request_line; content:"GET /pages/"; startswith; fast_pattern; content:"/"; distance:13; within:1; pcre:"/^[A-Za-z0-9+\/]{50,}={0,2} HTTP\//R"; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2031609; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_10, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phishtrain.org"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029830; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".microransom.us"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029836; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phishing.guru"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029832; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phish.farm"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029831; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".password.land"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029829; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_12_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M3"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|oops|2d|banner|2d|header|22 3e 3c|strong|3e|OOPS|21 20|YOU|20|CLICKED|20|ON|20|A|20|SIMULATED|20|PHISHING|20|TEST|2e 3c 2f|strong|3e 3c 2f|div|3e 0d 0a|"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031518; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M4"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|disclaimer|22 3e 0d 0a 3c|p|3e|Please|20|Note|3a 20|This|20|message|20|came|20|from|20|KnowBe4|2c 20|Inc|2e 20|"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031519; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M1"; flow:established,to_client; file.data; content:"/popcorn/logos/Popcorn+Training+Logo.png|22 20 2f 3e|"; fast_pattern; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031516; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M2"; flow:established,to_client; file.data; content:"|3c|meta|20|name|3d 22|IMPORTANT|22 20|content|3d 22|This|20|page|20|is|20|part|20|of|20|a|20|simulated|20|phishing|20|attack|20|initiated|20|by|20|KnowBe4"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031517; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)"; dns.query; content:"wtools.io"; nocase; bsize:9; reference:md5,19c6520ed056e9dec48778a3e3d4203d; classtype:policy-violation; sid:2034938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_18;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style Service (paste .ee) in TLS SNI"; flow:established,to_server; tls.sni; content:"paste.ee"; bsize:8; fast_pattern; classtype:policy-violation; sid:2034978; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_01_26;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Shared via Zoom"; flow:established,to_server; http.method; content:"GET"; http.host; content:"support.zoom.us"; bsize:15; fast_pattern; http.uri; content:"/attachments/token/"; startswith; content:"/?name="; distance:0; classtype:bad-unknown; sid:2034981; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2022_01_26;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious File Sharing Domain in DNS Lookup (drive .cloudplus .one)"; dns.query; content:"drive.cloudplus.one"; nocase; bsize:19; reference:md5,934c7b7c31d84728f0086be9b80ee1e4; reference:url,twitter.com/ShadowChasing1/status/1486542725692284930; reference:url,twitter.com/malwrhunterteam/status/1483853345924255745; classtype:bad-unknown; sid:2034987; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_27;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 1"; dns_query; content:"bigdata.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:trojan-activity; sid:2034994; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 1"; flow:established,to_server; tls_sni; content:"bigdata.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034995; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 2"; dns_query; content:"api.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034996; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"api.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034997; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 3"; dns_query; content:"my2022.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034998; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"my2022.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034999; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY 3proxy Domain Domain in DNS Lookup (3proxy .ru)"; dns.query; content:"3proxy.ru"; nocase; bsize:9; classtype:policy-violation; sid:2035020; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_31;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY 3proxy Domain Domain in DNS Lookup (3proxy .org)"; dns.query; content:"3proxy.org"; nocase; bsize:10; classtype:policy-violation; sid:2035021; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_01_31;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pin= in cleartext"; flow:established,to_server; http.request_body; content:"pin="; nocase; classtype:policy-violation; sid:2035089; rev:2; metadata:created_at 2022_02_03, updated_at 2022_02_03;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains otp= in cleartext"; flow:established,to_server; http.request_body; content:"otp="; nocase; classtype:policy-violation; sid:2035090; rev:2; metadata:created_at 2022_02_03, former_category POLICY, updated_at 2022_02_03;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC"; flow:established,to_client; tls.cert_subject; content:"O=IRC geeks"; fast_pattern; classtype:command-and-control; sid:2019387; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; tls.cert_issuer; content:"OU=Nessus Certification Authority"; fast_pattern; classtype:bad-unknown; sid:2013298; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_02_26;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,to_client; tls.cert_subject; content:"O=LogMeIn, Inc."; nocase; fast_pattern; pcre:"/CN=(?:[^\r\n\,]+?[\.-])?app\d/"; classtype:policy-violation; sid:2014756; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_10_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_15;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0d 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,5003c00cdd28d6d1461e9a6a76c544a6; classtype:policy-violation; sid:2035467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.cab"; fast_pattern; endswith; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_23;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; tls.sni; content:"bridges.torproject.org"; bsize:22; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:3; metadata:created_at 2014_01_04, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,to_client; tls.cert_subject; content:"OU=SomeOrganizationalUnit"; fast_pattern; classtype:policy-violation; sid:2013659; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_09_15, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,to_client; tls.cert_issuer; content:"CN=Snake Oil CA"; fast_pattern; classtype:policy-violation; sid:2013295; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,to_client; tls.cert_subject; content:"CN=*.rview.com"; fast_pattern; classtype:policy-violation; sid:2020805; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropboxusercontent.com"; fast_pattern; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:7; metadata:created_at 2013_06_13, updated_at 2022_03_23;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:established,to_server; tls.sni; content:"ipinfo.io"; bsize:9; fast_pattern; classtype:external-ip-check; sid:2025331; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"tor4u.net"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_24;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"formyip.com"; fast_pattern; classtype:external-ip-check; sid:2024832; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2022_03_24;)
+
+alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,to_client; tls.cert_subject; content:"DivX, Inc. Certificate Authority"; fast_pattern; classtype:policy-violation; sid:2013300; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; tls.cert_subject; content:"CN=IOS-Self-Signed-Certificate-"; fast_pattern; classtype:misc-activity; sid:2014617; rev:4; metadata:created_at 2012_04_20, updated_at 2022_03_25;)
+
+alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropbox.com"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, updated_at 2022_03_25;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; tls.certs; content:"This program cannot be run in DOS mode"; nocase; bsize:>768; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_28;)
+
+alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service (note .youdao .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035669; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
+
+alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp|5c|"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2022_04_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [TW] IPFS Protocol HTTP Headers Observed"; flow:established,to_client; http.header_names; content:"|0d 0a|X-Ipfs-"; nocase; fast_pattern; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [TW] IPFS File Request Observed"; flow:established,to_server; http.uri; content:"/ipfs/"; fast_pattern; pcre:"/^[a-z0-9]{40,}/Ri"; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style service note .youdao .com  in DNS query"; dns.query; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035668; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_05_02;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow:established,to_server; http.user_agent; content:"Launcher"; nocase; content:!"EpicGamesLauncher"; depth:17; content:!"7Launcher"; reference:url,doc.emergingthreats.net/2010645; classtype:policy-violation; sid:2010645; rev:12; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2022_05_03;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"curl/"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:7; metadata:created_at 2011_06_14, updated_at 2022_05_03;)
+
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv2 Used in Session"; flow:established,to_server; ssl_version:sslv2; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031488; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
+
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv3 Used in Session"; flow:established,to_server; ssl_version:sslv3; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031489; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
+
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.1 Used in Session"; flow:established,to_server; tls.version:1.1; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031490; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
+
+#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.0 Used in Session"; flow:established,to_server; tls.version:1.0; reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031491; rev:2; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Ask Webcrawler User-Agent"; flow:established,to_server; http.user_agent; content:"Ask Jeeves"; nocase; classtype:not-suspicious; sid:2033164; rev:2; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed nc (netcat) EXE Inbound"; flow:established,to_client; file.data; content:"MZ"; depth:10; content:"!This program"; distance:0; content:"www.vulnwatch.org/netcat/"; distance:0; fast_pattern; content:"nc [-options]"; distance:0; content:"nc -l -p port"; distance:0; reference:md5,e0db1d3d47e312ef62e5b0c74dceafe5; classtype:policy-violation; sid:2033890; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY F5 BIG-IP Exposed REST API GET (flowbit set)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mgmt/shared/authn/login"; fast_pattern; flowbits:set,ET.F5.exposed.api; flowbits:noalert; classtype:policy-violation; sid:2036504; rev:1; metadata:created_at 2022_05_06, updated_at 2022_05_06;)
+
+alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY F5 BIG-IP Publicly Accessible Exposed REST API Detected"; flow:from_server,established; http.stat_code; content:"401"; file.data; content:"resterrorresponse"; fast_pattern; flowbits:isset,ET.F5.exposed.api; classtype:policy-violation; sid:2036505; rev:1; metadata:created_at 2022_05_06, updated_at 2022_05_06;)
+
+alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY ScreenConnect-ConnectWise Initial Checkin Packet"; dsize:<600; content:"|87 15 10 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; classtype:policy-violation; sid:2036627; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_05_19, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2022_05_19;)
+
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed URL Shortening Service SSL/TLS Cert (rb.gy)"; flow:from_server,established; tls.cert_subject; content:"CN=rb.gy"; fast_pattern; classtype:policy-violation; sid:2036628; rev:1; metadata:created_at 2022_05_19, former_category POLICY, updated_at 2022_05_19;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device (CVE-2011-0228)"; flow:established,to_server; threshold: type limit, count 1, seconds 600, track by_src; http.header; content:"Mozilla/5.0 |28|iPhone"; content:" OS 4_"; distance:0; content:!"OS 4_2_1 like"; pcre:"/OS 4_2_[0-9] like/"; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4825; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013408; rev:8; metadata:created_at 2011_08_12, former_category POLICY, updated_at 2020_04_20;)
+
+alert http $HOME_NET any -> any any (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; threshold: type both, count 1, seconds 300, track by_src; http.header; content:"Authorization|3a 20|Basic"; nocase; content:!"YW5vbnltb3VzOg=="; within:32; content:!"Proxy-Authorization|3a 20|Basic"; nocase; content:!"KG51bGwpOihudWxsKQ=="; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:15; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2022_06_14;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in DNS Lookup)"; dns.query; content:"formyip.com"; fast_pattern; nocase; endswith; classtype:external-ip-check; sid:2024830; rev:5; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2022_07_22;)
+
+alert dns $HOME_NET any -> any any (msg:"ET POLICY External IP Address Lookup (bei .kr)"; dns.query; content:"bei.kr"; nocase; bsize:6; reference:md5,4be96f71944c22990a686e280107dc06; classtype:external-ip-check; sid:2037875; rev:1; metadata:attack_target Client_and_Server, created_at 2022_08_01, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_08_01;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2101936; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:2101938; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:2101635; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:2101634; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2102250; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2102122; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2102121; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102112; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102111; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102110; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102109; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102108; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:2100287; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102014; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102015; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2102016; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2102017; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102018; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102019; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102020; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2102021; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102022; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102025; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102026; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101950; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2101951; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101952; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:2101957; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:2101958; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101959; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101960; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101961; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101962; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2101963; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101964; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101965; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101949; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101922; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101923; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2101925; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101907; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:2101908; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:2101909; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:2101912; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101913; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101914; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101915; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101916; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101891; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:2101867; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101732; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101733; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101926; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2101924; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"GPL RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101281; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101277; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102256; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102255; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102185; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2102184; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL RPC rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102114; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"GPL RPC rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2102104; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102095; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102094; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102093; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2102088; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102084; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102083; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102082; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102081; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102080; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102079; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102036; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2102033; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102032; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102031; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102030; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102029; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102028; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2102027; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:2100601; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp any any -> $HOME_NET 135 (msg:"ET RPC DCERPC SVCCTL - Remote Service Control Manager Access"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00|"; content:"|13 00 0d 81 bb 7a 36 44 98 f1 35 ad 32 98 f0 38 00 10 03|"; within:100; classtype:attempted-user; sid:2027237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_22, deployment Perimeter, former_category RPC, performance_impact Low, signature_severity Informational, updated_at 2020_08_19;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 912 (msg:"ET SCADA RealWin SCADA System Buffer Overflow"; flow:established,to_server; content:"|64 12 54 6a|"; depth:4; content:"|00 00 00 f4 1f 00 00|"; distance:1; within:7; isdataat:220; content:!"|0a|"; distance:0; pcre:"/\x64\x12\x54\x6a[\x20\x10\x02]\x00\x00\x00\xf4\x1f\x00\x00/"; reference:url,www.exploit-db.com/exploits/15337/; classtype:attempted-dos; sid:2011976; rev:1; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA ICONICS WebHMI ActiveX Stack Overflow"; flow:to_client,established; content:"D25FCAFC-F795-4609-89BB-5F78B4ACAF2C"; nocase; content:"SetActiveXGUID"; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D25FCAFC-F795-4609-89BB-5F78B4ACAF2C/si"; reference:url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf; reference:url,www.exploit-db.com/exploits/17240/; classtype:attempted-user; sid:2012787; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_05_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging  Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1; metadata:created_at 2011_06_28, updated_at 2011_06_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Vulnerability"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"BD9E5104-2F20-4A9F-AB14-82D558FF374E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BD9E5104-2F20-4A9F-AB14-82D558FF374E/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013735; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (GetExtendedColor)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".GetExtendedColor"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013734; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (LoadObject)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".LoadObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013733; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (SaveObject)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"2BBD45A5-28AE-11D1-ACAC-0800170967D9"; nocase; distance:0; content:".SaveObject"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2BBD45A5-28AE-11D1-ACAC-0800170967D9/si"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013732; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".SaveCfg"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013878; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PROMOTIC ActiveX Control Insecure method (AddTrend)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".AddTrend"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; classtype:attempted-user; sid:2013879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"3310FA24-A027-47B3-8C49-1091077317E9"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3310FA24-A027-47B3-8C49-1091077317E9/si"; reference:bugtraq,49747; classtype:attempted-user; sid:2013736; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (AddPage)"; flow:to_client,established; file_data; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".AddPage"; nocase; content:"<OBJECT"; nocase; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*?083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013730; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCADA PcVue Activex Control Insecure method (DeletePage)"; flow:to_client,established; file_data; content:"083B40D3-CCBA-11D2-AFE0-00C04F7993D6"; nocase; distance:0; content:".DeletePage"; nocase; content:"<OBJECT"; pcre:"/^[^>]*?classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*083B40D3-CCBA-11D2-AFE0-00C04F7993D6/Rsi"; reference:url,exploit-db.com/exploits/17896; classtype:attempted-user; sid:2013731; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_10_04, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability"; flow:established,to_server; content:"GetFlexMLangIResourceBrowser"; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,exploit-db.com/exploits/17417/; classtype:denial-of-service; sid:2013074; rev:2; metadata:created_at 2011_06_21, updated_at 2011_06_21;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"ET SCADA Golden FTP Server PASS Command Remote Buffer Overflow Attempt"; flow:established,to_server; content:"PASS"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:bugtraq,45957; classtype:denial-of-service; sid:2013235; rev:2; metadata:created_at 2011_07_08, updated_at 2011_07_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)
+
+alert tcp any any -> $HOME_NET 12397 (msg:"ET SCADA SEIG SYSTEM 9 - Remote Code Execution"; flow:established,to_server; content:"|14 60 00 00 66 66 07 00 10 00 00 00 19 00 00 00 00 00 04 00 00 00 60 00|"; depth:24; content:!"|0d|"; distance:0; content:!"|0a|"; distance:0; content:!"|ff|"; content:!"|00|"; distance:0; reference:url,exploit-db.com/exploits/45218/; reference:cve,2013-0657; classtype:attempted-user; sid:2026003; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
+
+alert tcp any any -> $HOME_NET 27700 (msg:"ET SCADA SEIG Modbus 3.4 - Remote Code Execution"; flow:established,to_server; content:"|42 42 ff ff 07 03 44 00 64|"; fast_pattern; content:"|90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/45220/; reference:cve,2013-0662; classtype:attempted-user; sid:2026005; rev:1; metadata:created_at 2018_08_21, former_category SCADA, updated_at 2018_08_21;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 910 (msg:"ET SCADA DATAC RealWin SCADA Server Buffer Overflow"; flow:established,to_server; content:"|10 23 54 67 00 08 00 00|"; depth:8; content:"|e3 77 0a 00 05 00 04 00 00 00|"; within:10; isdataat:744,relative; content:!"|0a|"; within:744; reference:url,www.securityfocus.com/bid/31418; reference:cve,2008-4322; reference:url,secunia.com/advisories/32055; classtype:attempted-user; sid:2012096; rev:2; metadata:created_at 2010_12_23, updated_at 2020_08_19;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap TCP Service Scan Detected"; flow:to_server; flags:PA; content:"service|3A|thc|3A 2F 2F|"; depth:105; content:"service|3A|thc"; within:40; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010371; classtype:attempted-recon; sid:2010371; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Amap UDP Service Scan Detected"; dsize:<135; content:"THCTHCTHCTHCTHC|20 20 20|"; reference:url,freeworld.thc.org/thc-amap/; reference:url,doc.emergingthreats.net/2010372; classtype:attempted-recon; sid:2010372; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET SCAN Cisco Torch TFTP Scan"; content:"|52 61 6E 64 30 6D 53 54 52 49 4E 47 00 6E 65 74 61 73 63 69 69|"; offset:2; depth:21; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008414; classtype:attempted-recon; sid:2008414; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"root"; within:15; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010642; classtype:attempted-recon; sid:2010642; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt"; flow:established,to_server; content:"USER "; nocase; depth:5; content:"administrator"; within:25; nocase; threshold: type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2010643; classtype:attempted-recon; sid:2010643; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp any any -> any 21 (msg:"ET SCAN Grim's Ping ftp scanning tool"; flow:to_server,established; content:"PASS "; content:"gpuser@home.com"; within:18; reference:url,archives.neohapsis.com/archives/snort/2002-04/0448.html; reference:url,grimsping.cjb.net; reference:url,doc.emergingthreats.net/2007802; classtype:network-scan; sid:2007802; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP PING IPTools"; itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; depth: 64; reference:url,www.ks-soft.net/ip-tools.eng; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; reference:url,doc.emergingthreats.net/2000575; classtype:misc-activity; sid:2000575; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack"; content:"nng Snort (Snort)"; offset:90; threshold:type threshold, track by_dst, count 4, seconds 15; reference:url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html; reference:url,doc.emergingthreats.net/2008560; classtype:misc-activity; sid:2008560; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.0 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:5; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-323.html; reference:url,doc.emergingthreats.net/2001906; classtype:protocol-command-decode; sid:2001906; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL 4.1 brute force root login attempt"; flow:to_server,established; content:"|01|"; offset:3; depth:4; content:"root|00|"; nocase; distance:32; within:5; threshold:type both,track by_src,count 5,seconds 60; reference:url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html; reference:url,doc.emergingthreats.net/2002842; classtype:protocol-command-decode; sid:2002842; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET 3306 -> any any (msg:"ET SCAN Non-Allowed Host Tried to Connect to MySQL Server"; flow:from_server,established; content:"|6A 04|Host|20 27|"; depth:70; content:"|27 20|is not allowed to connect to this MySQL server"; distance:0; reference:url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html; reference:url,doc.emergingthreats.net/2010493; classtype:attempted-recon; sid:2010493; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; threshold: type threshold, track by_dst, count 10, seconds 60; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009767; classtype:attempted-recon; sid:2009767; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $HOME_NET 137 -> $EXTERNAL_NET any (msg:"ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration"; content:"|20 43 4b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21|"; depth:55; reference:url,technet.microsoft.com/en-us/library/cc940106.aspx; reference:url,doc.emergingthreats.net/2009768; classtype:attempted-recon; sid:2009768; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET SCAN PRO Search Crawler Probe"; flow:to_server,established; content:"PASS "; nocase; depth:5; content:"crawler"; nocase; within:30; pcre:"/^PASS\s+PRO(-|\s)*search\s+Crawler/smi"; reference:url,sourceforge.net/project/showfiles.php?group_id=149797; reference:url,doc.emergingthreats.net/2008179; classtype:not-suspicious; sid:2008179; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious Scan"; content:"From|3A 20 22|sipvicious"; threshold: type limit, count 1, seconds 10, track by_src; reference:url,blog.sipvicious.org; reference:url,doc.emergingthreats.net/2008578; classtype:attempted-recon; sid:2008578; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious User-Agent Detected (sundayddr)"; content:"|0d 0a|User-Agent|3A| sundayddr"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,honeynet.org.au/?q=sunday_scanner; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011766; classtype:attempted-recon; sid:2011766; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipsak SIP scan"; content:"sip|3a|sipsak@"; offset:90; reference:url,sipsak.org/; reference:url,doc.emergingthreats.net/2008598; classtype:attempted-recon; sid:2008598; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan"; content:"SIVuS_VoIP_Scanner <sip|3a|SIVuS"; offset:130; threshold:type threshold, track by_src, count 3, seconds 10; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008609; classtype:attempted-recon; sid:2008609; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan"; content:"sip|3a|sivus-discovery@vopsecurity.org"; offset:110; reference:url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html; reference:url,www.vopsecurity.org/; reference:url,doc.emergingthreats.net/2008610; classtype:attempted-recon; sid:2008610; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET SCAN External to Internal UPnP Request udp port 1900"; content:"MSEARCH * HTTP/1.1"; depth:18; content:"MAN|3a| ssdp|3a|"; nocase; distance:0; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008094; classtype:attempted-recon; sid:2008094; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Smap VOIP Device Scan"; content:"<sip|3a|smap@"; offset:80; depth:40; reference:url,www.go2linux.org/smap-find-voip-enabled-devices; reference:url,doc.emergingthreats.net/2008526; classtype:attempted-recon; sid:2008526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Toolkit Torturer Scan"; content:"interesting-Method"; content:"sip|3a|1_unusual.URI"; content:"to-be!sure"; offset:20; depth:60; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008568; classtype:attempted-recon; sid:2008568; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Voiper Fuzzing Scan"; content:"sip|3a|tester@"; content:"Via|3a| SIP/2.0"; offset:20; depth:60; threshold: type threshold, track by_dst, count 5, seconds 15; reference:url,sourceforge.net/projects/voiper; reference:url,doc.emergingthreats.net/2008577; classtype:attempted-recon; sid:2008577; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 400"; depth:13; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,support.microsoft.com/kb/247249; reference:url,doc.emergingthreats.net/2009884; classtype:attempted-recon; sid:2009884; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack"; flow:from_server,established; content:"HTTP/1.1 404"; depth:13; threshold: type threshold, track by_dst, count 30, seconds 60; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html; reference:url,en.wikipedia.org/wiki/HTTP_404; reference:url,doc.emergingthreats.net/2009885; classtype:attempted-recon; sid:2009885; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST "; depth:5; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2022_05_03;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SIP erase_registrations/add registrations attempt"; content:"REGISTER "; depth:9; content:"User-Agent|3a| Hacker"; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008640; classtype:attempted-recon; sid:2008640; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yahoo Crawler Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Yahoo-MMCrawler"; nocase; http_header; threshold: type both, track by_src, count 10, seconds 60; reference:url,mms-mmcrawler-support@yahoo-inc.com; reference:url,doc.emergingthreats.net/2002833; classtype:attempted-recon; sid:2002833; rev:7; metadata:attack_target Web_Server, created_at 2010_07_30, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2010_07_30, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan"; flow:from_server,established; content:"HTTP/1.1 403"; depth:13; threshold: type threshold, track by_dst, count 35, seconds 60; reference:url,www.checkupdown.com/status/E403.html; reference:url,doc.emergingthreats.net/2009749; classtype:attempted-recon; sid:2009749; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,1024:2048] (msg:"ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND"; flow:established,to_server; content:"|05|"; content:"|80 bd a8 af 8a 7d c9 11 be f4 08 00 2b 10 29 89|"; distance:31; reference:url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf; reference:url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf; reference:url,seclists.org/fulldisclosure/2003/Aug/0432.html; reference:url,doc.emergingthreats.net/2009832; classtype:attempted-recon; sid:2009832; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Acunetix Version 6 (Free Edition) Scan Detected"; flow:to_server,established; content:"(Acunetix Web Vulnerability Scanner"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2009646; classtype:attempted-recon; sid:2009646; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN RatProxy in-use"; flow:established,to_server; content:"X-Ratproxy-Loop|3A| "; threshold: type limit, track by_src,count 1, seconds 60; classtype:attempted-recon; sid:2011975; rev:2; metadata:created_at 2010_11_24, updated_at 2010_11_24;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipp SIP Stress Test Detected"; content:"sip|3a|sipp@"; content:"Subject|3a| Performance Test"; offset:90; depth:90; threshold: type threshold, track by_dst, count 20, seconds 15; reference:url,sourceforge.net/projects/sipp/; reference:url,doc.emergingthreats.net/2008579; classtype:attempted-recon; sid:2008579; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN sipscan probe"; content:"sip|3a|thisisthecanary@"; content:"sip|3a|test@"; offset:30; depth:70; reference:url,www.hackingvoip.com/sec_tools.html; reference:url,doc.emergingthreats.net/2008641; classtype:attempted-recon; sid:2008641; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser)"; content:"From|3A 20 22|sipsscuser|22|"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,honeynet.org.au/?q=sunday_scanner; classtype:attempted-recon; sid:2012204; rev:3; metadata:created_at 2011_01_20, updated_at 2011_01_20;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; nocase; classtype:network-scan; sid:2101918; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:2100478; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:2100465; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:2100483; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:2100372; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:2100484; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:2100471; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:2100474; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:2100476; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:2101638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ftp any any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl)"; flow:to_server,established; content:"pass nessus@"; depth:12; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=10079; reference:url,osvdb.org/show/osvdb/69; classtype:attempted-recon; sid:2013263; rev:3; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
+
+alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl)"; flow:to_server,established; content:"MKD"; nocase; depth:3; content:"Nessus"; nocase; reference:url,www.nessus.org/plugins/index.php?view=single&id=19782; reference:url,osvdb.org/show/osvdb/76; classtype:attempted-recon; sid:2013264; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Potential muieblackcat scanner double-URI and HTTP library"; flow:established,to_server; content:"GET //"; depth:6; fast_pattern; content:"HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Accept-Encoding|3a| gzip, deflate|0d 0a|Host|3a| "; http_header; content:"|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; http_header; distance:0; classtype:attempted-recon; sid:2013116; rev:5; metadata:created_at 2011_06_24, former_category SCAN, updated_at 2011_06_24;)
+
+#alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:2100333; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:2103151; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger 0 Query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:2100332; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Account Enumeration Attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:2100321; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:2100331; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:2100329; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Null Request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:2100324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Probe 0 Attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:2100325; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Redirection Attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:2100330; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Root Query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:2100323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Search Query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:2100322; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 4569 (msg:"ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan"; content:"|00 00|"; content:"|06 0D 06 01 30 13 02 07 08|"; distance:40; within:10; reference:url,sourceforge.net/projects/enumiax/; reference:url,doc.emergingthreats.net/2008606; classtype:attempted-recon; sid:2008606; rev:3; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan"; itype:3; dsize:>69; content:"securityfocus"; content:"securityfocus"; distance:50; within:15; reference:url,xprobe.sourceforge.net/; reference:url,doc.emergingthreats.net/2009298; classtype:attempted-recon; sid:2009298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible jBroFuzz Fuzzer Detected"; flow:to_server,established; content:"Host|3a| localhost"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-GB|3b| rv|3b|1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"; http_header; threshold: type threshold, track by_src, count 3, seconds 6; reference:url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz; reference:url,doc.emergingthreats.net/2009476; classtype:attempted-recon; sid:2009476; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:5; metadata:created_at 2012_06_14, updated_at 2012_06_14;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; dsize:>6; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:2; metadata:created_at 2012_07_31, updated_at 2012_07_31;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:2100617; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; distance:0; http_header; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/Hi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:4; metadata:created_at 2011_04_29, updated_at 2011_04_29;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
+
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; content:"bytes="; nocase; distance:0; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:10,relative; content:","; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:5; metadata:created_at 2011_08_26, updated_at 2011_08_26;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:7; metadata:created_at 2013_04_17, updated_at 2013_04_17;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SQLNinja MSSQL Version Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28substring%28%28select%20%40%40version"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009038; classtype:attempted-recon; sid:2009038; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN pangolin SQL injection tool"; flow:established,to_server; content:"pangolin"; http_user_agent; reference:url,www.lifedork.net/pangolin-best-sql-injection-tool.html; classtype:web-application-activity; sid:2010343; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected"; flow:established,to_server; content:"PROPFIND "; depth:9; content:"D|3A|propfind xmlns|3A|D=|22|DAV|3A 22|><D|3A|allprop/></D|3A|propfind>"; distance:0; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011088; classtype:attempted-recon; sid:2011088; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN FIN"; flags:SF; classtype:bad-unknown; sid:2011367; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+#alert tcp any any -> any any (msg:"ET SCAN Malformed Packet SYN RST"; flags:SR; classtype:bad-unknown; sid:2011368; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert tcp any any -> $HOME_NET 1720 (msg:"ET SCAN H.323 Scanning device"; flow:established,to_server; content:"|40 04 00 63 00 69 00 73 00 63 00 6f|"; fast_pattern; offset:55; depth:12; threshold: type limit, track by_src, count 1, seconds 60; reference:url,videonationsltd.co.uk/2014/11/h-323-cisco-spam-calls/; classtype:network-scan; sid:2020853; rev:2; metadata:created_at 2015_04_08, updated_at 2015_04_08;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan"; itype:8; icode:0; content:"=XXXXXXXX"; reference:url,doc.emergingthreats.net/2010686; classtype:network-scan; sid:2010686; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert ssh $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:2006546; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt response"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; classtype:unsuccessful-user; sid:2002383; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:2002910; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"ET SCAN Potential VNC Scan 5900-5920"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002911; classtype:attempted-recon; sid:2002911; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"ET SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002992; classtype:misc-activity; sid:2002992; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002994; classtype:misc-activity; sid:2002994; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,doc.emergingthreats.net/2002995; classtype:misc-activity; sid:2002995; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"ET SCAN Potential SSH Scan OUTBOUND"; flow:to_server; flags:S,12; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2003068; classtype:attempted-recon; sid:2003068; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN Possible WordPress xmlrpc.php BruteForce in Progress - Response"; flow:established,from_server; flowbits:isset,ET.XMLRPC.PHP; file_data; content:"<name>faultCode</name>"; content:"<int>403</int>"; content:"<string>Incorrect username or password.</string>"; threshold:type both, track by_src, count 5, seconds 120; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018755; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_03_01;)
+
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET SCAN Possible SSL Brute Force attack or Site Crawl"; flow: established,to_server; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2001553; classtype:attempted-dos; sid:2001553; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2001904; classtype:misc-activity; sid:2001904; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg:"ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; reference:url,doc.emergingthreats.net/2002973; classtype:misc-activity; sid:2002973; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; reference:url,doc.emergingthreats.net/2008230; classtype:misc-activity; sid:2008230; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET SCAN Redis SSH Key Overwrite Probing"; flow:to_server,established; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"dir"; distance:0; content:"/.ssh"; distance:0; isdataat:!5,relative; reference:url,antirez.com/news/96; classtype:misc-attack; sid:2023510; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Datacenter, performance_impact Low, signature_severity Minor, tag SCAN_Redis_SSH, updated_at 2016_11_15;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:2023753; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2017_01_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2017_02_23;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP Delphi Likely Precursor to Scan"; itype:8; icode:0; content:"Pinging from Delphi code written"; reference:url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx; reference:url,doc.emergingthreats.net/2010681; classtype:misc-activity; sid:2010681; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"ET SCAN Multiple MySQL Login Failures Possible Brute Force Attempt"; flow:from_server,established; dsize:<251; byte_test:1,<,0xfb,0,little; content:"|ff 15 04 23 32 38 30 30 30|"; offset:4; threshold: type threshold, track by_src, count 5, seconds 120; reference:url,doc.emergingthreats.net/2010494; classtype:attempted-recon; sid:2010494; rev:4; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> any 445 (msg:"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001569; classtype:misc-activity; sid:2001569; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> any 139 (msg:"ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001579; classtype:misc-activity; sid:2001579; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> any 137 (msg:"ET SCAN Behavioral Unusual Port 137 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001580; classtype:misc-activity; sid:2001580; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:2001581; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> any 1434 (msg:"ET SCAN Behavioral Unusual Port 1434 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001582; classtype:misc-activity; sid:2001582; rev:15; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:2001583; rev:16; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:network-scan; sid:2001972; rev:20; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ICMP @hello request Likely Precursor to Scan"; itype:8; icode:0; content:"@hello ???"; reference:url,doc.emergingthreats.net/2010641; classtype:misc-activity; sid:2010641; rev:3; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2017_05_11;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)"; flow:to_server; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:5; metadata:created_at 2011_08_29, former_category SCAN, updated_at 2017_05_11;)
+
+alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; ssh_proto; content:"PUTTY"; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:6; metadata:created_at 2014_12_05, former_category SCAN, updated_at 2017_12_01;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:2010939; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4333 (msg:"ET SCAN Suspicious inbound to mSQL port 4333"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010938; classtype:bad-unknown; sid:2010938; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN Suspicious inbound to mySQL port 3306"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010937; classtype:bad-unknown; sid:2010937; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"ET SCAN Suspicious inbound to Oracle SQL port 1521"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010936; classtype:bad-unknown; sid:2010936; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"ET SCAN Suspicious inbound to MSSQL port 1433"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2010935; classtype:bad-unknown; sid:2010935; rev:3; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2018_03_27;)
+
+alert udp any any -> $HOME_NET 4070 (msg:"ET SCAN HID VertX and Edge door controllers discover"; dsize:<45; content:"discover|3b|013|3b|"; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-recon; sid:2025822; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, former_category SCAN, updated_at 2018_07_18;)
+
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN StarDotStar HELO, suspected AUTH LOGIN botnet"; flow:established,to_server; content:"HELO|20 2a 2e 2a 0d 0a|"; depth:11; classtype:bad-unknown; sid:2026463; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2018_10_12;)
+
+alert tcp $HOME_NET any -> $HOME_NET 2555 (msg:"ET SCAN Internal to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008092; classtype:attempted-recon; sid:2008092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2555 (msg:"ET SCAN External to Internal UPnP Request tcp port 2555"; flow:established,to_server; content:"GET "; depth:4; content:"/upnp/"; nocase; pcre:"/^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{16}\//Ri"; reference:url,www.upnp-hacks.org/upnp.html; reference:url,doc.emergingthreats.net/2008093; classtype:attempted-recon; sid:2008093; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DEBUG Method Request with Command"; flow:established,to_server; content:"DEBUG "; depth:6; content:"|0d 0a|Command|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008312; classtype:attempted-recon; sid:2008312; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| pymills-spider/"; reference:url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes; reference:url,doc.emergingthreats.net/2011721; classtype:attempted-recon; sid:2011721; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLBrute SQL Scan Detected"; flow:to_server,established; content:"AND not exists (select * from master..sysdatabases)"; offset:60; depth:60; reference:url,www.justinclarke.com/archives/2006/03/sqlbrute.html; reference:url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/; reference:url,doc.emergingthreats.net/2009477; classtype:attempted-recon; sid:2009477; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL User Scan"; content:"?param=a"; flow:to_server,established; content:"if%20ascii%28substring%28%28select%20system%5Fuser"; distance:2; threshold: type threshold, track by_src, count 20, seconds 10; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009040; classtype:attempted-recon; sid:2009040; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Database User Rights Scan"; flow:to_server,established; content:"?param=a"; content:"if%20is%5Fsrvrolemember%28%27sysadmin"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009041; classtype:attempted-recon; sid:2009041; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL Authentication Mode Scan"; flow:to_server,established; content:"?param=a"; content:"if%20not%28%28select%20serverproperty%28%27IsIntegratedSecurityOnly"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009042; classtype:attempted-recon; sid:2009042; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Esp%5Fconfigure%20%27show%20advanced%20options"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009043; classtype:attempted-admin; sid:2009043; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja Attempt To Create xp_cmdshell Session"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell%20%27cmd%20%2FC%20%25TEMP"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; reference:url,doc.emergingthreats.net/2009044; classtype:attempted-admin; sid:2009044; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Stompy Web Application Session Scan"; flow:to_server,established; content:"Session Stomper"; offset:100; depth:25; reference:url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/; reference:url,doc.emergingthreats.net/2008605; classtype:attempted-recon; sid:2008605; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af Scan In Progress ARGENTINA Req Method"; flow:to_server,established; content:"ARGENTINA "; depth:10; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2011027; classtype:attempted-recon; sid:2011027; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent|3A| WhatWeb/"; reference:url,www.morningstarsecurity.com/research/whatweb; reference:url,doc.emergingthreats.net/2010960; classtype:attempted-recon; sid:2010960; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wapiti Web Server Vulnerability Scan"; flow:to_server,established; content:"GET /"; depth:5; content:"?http|3A|//www.google."; within:100; nocase; content:"|0d 0a|User-Agent|3A 20|Python-httplib2"; distance:0; reference:url,wapiti.sourceforge.net/; reference:url,doc.emergingthreats.net/2008417; classtype:attempted-recon; sid:2008417; rev:9; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLNinja MSSQL XPCmdShell Scan"; flow:to_server,established; content:"?param=a"; content:"exec%20master%2E%2Exp%5Fcmdshell"; distance:2; reference:url,sqlninja.sourceforge.net/index.html; classtype:attempted-recon; sid:2009039; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ProxyReconBot CONNECT method to Mail"; flow:established,to_server; content:"CONNECT "; depth:8; content:"|3A|25 HTTP/"; within:200; reference:url,doc.emergingthreats.net/2003869; classtype:misc-attack; sid:2003869; rev:9; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2019_09_27;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:3; metadata:created_at 2012_10_01, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:2; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:3; metadata:created_at 2013_07_17, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:4; metadata:created_at 2014_05_21, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SCAN MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:2; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Watchfire AppScan Web App Vulnerability Scanner"; flow:established,to_server; http.uri; content:"/appscan_fingerprint/mac_address"; nocase; reference:url,www.watchfire.com/products/appscan/default.aspx; reference:url,doc.emergingthreats.net/2008311; classtype:attempted-recon; sid:2008311; rev:8; metadata:created_at 2010_07_30, updated_at 2019_12_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Default Credentials (admin:admin)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/admin-scripts.asp"; nocase; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4="; fast_pattern; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:attempted-admin; sid:2029317; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_01_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomato Router Default Credentials (root:admin)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/admin-scripts.asp"; endswith; nocase; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDphZG1pbg=="; fast_pattern; reference:url,unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/; classtype:attempted-admin; sid:2029318; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_01_23, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_01_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai User-Agent Observed (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Ankit|0d 0a|"; nocase; fast_pattern; classtype:attempted-admin; sid:2029473; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_02_17, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_02_17;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris botnet"; fast_pattern; classtype:attempted-admin; sid:2029577; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_05, deployment Perimeter, signature_severity Minor, updated_at 2020_03_05;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Polaris Botnet User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|polaris|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029645; rev:1; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_18, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_03_18;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|DVRBOT"; fast_pattern; classtype:attempted-admin; sid:2029759; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_29, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_03_29;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|iamdelta"; fast_pattern; classtype:attempted-admin; sid:2029763; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_30, deployment Perimeter, signature_severity Minor, updated_at 2020_03_30;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|NoIr_x.86/"; fast_pattern; classtype:attempted-admin; sid:2029769; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello/"; fast_pattern; classtype:attempted-admin; sid:2029792; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Minor, updated_at 2020_04_02;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029790; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_02, deployment Perimeter, signature_severity Minor, updated_at 2020_04_03;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|XTC BOTNET|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2029808; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_03, deployment Perimeter, signature_severity Minor, updated_at 2020_04_03;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Kratos"; fast_pattern; classtype:attempted-admin; sid:2029929; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_17, deployment Perimeter, signature_severity Minor, updated_at 2020_04_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_31, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; http.header; content:"|29 20|Havij|0d 0a|Connection|3a 20|"; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_12, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; http.uri; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; content:"-- AND"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:3; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt"; flow:established,to_server; http.header; content:"Range|3a|bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,5-10,5-11,5-12,5-13,5-14"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013472; rev:5; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:" OR sqlspider"; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:3; metadata:created_at 2011_10_19, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Paros Proxy Scanner Detected"; flow:to_server,established; http.user_agent; content:"Paros/"; startswith; reference:url,www.parosproxy.org; reference:url,doc.emergingthreats.net/2008187; classtype:attempted-recon; sid:2008187; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQLix SQL Injection Vector Scan"; flow:established,to_server; http.header; content:"GET"; content:"myVAR=1234"; content:"Windows 98"; distance:36; within:120; reference:url,www.owasp.org/index.php/Category%3aOWASP_SQLiX_Project; reference:url,doc.emergingthreats.net/2008654; classtype:attempted-recon; sid:2008654; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
+
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Gootkit Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"Gootkit auto-rooter scanner"; classtype:web-application-attack; sid:2014022; rev:3; metadata:created_at 2011_12_13, former_category SCAN, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hydra User-Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Hydra)"; nocase; fast_pattern; reference:url,freeworld.thc.org/thc-hydra; classtype:attempted-recon; sid:2011497; rev:5; metadata:created_at 2010_09_28, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN McAfee/Foundstone Scanner Web Scan"; flow:established,to_server; threshold: type both, count 2, seconds 120, track by_src; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b 20|Windows NT 6.1|3b 20|en-US)|0d 0a|"; fast_pattern; content:"|0d 0a|Accept-Encoding|3a 20|text|0d 0a|"; reference:url,www.mcafee.com/us/products/vulnerability-manager.aspx; classtype:attempted-recon; sid:2013492; rev:5; metadata:created_at 2011_08_30, updated_at 2020_04_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (manager)"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:"Authorization|3a| Basic bWFuYWdlcjp"; fast_pattern; reference:url,doc.emergingthreats.net/2008455; classtype:web-application-attack; sid:2008455; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (tomcat)"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:"Authorization|3a| Basic dG9tY2F0"; fast_pattern; reference:url,doc.emergingthreats.net/2008454; classtype:web-application-attack; sid:2008454; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:"Authorization|3a| Basic YWRtaW46"; fast_pattern; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN nessus 2.x 404 probe"; flow:to_server,established; http.uri; content:"/NessusTest"; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2102585; rev:4; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; threshold: type limit, track by_src, count 5, seconds 40; http.user_agent; content:"Vega/"; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:4; metadata:created_at 2011_07_11, updated_at 2020_04_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu Scanner User-Agent Inbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZmEu|0d 0a|"; classtype:trojan-activity; sid:2012936; rev:4; metadata:created_at 2011_06_07, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-blank login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a| Basic YWRtaW46|0d 0a|"; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009218; classtype:attempted-admin; sid:2009218; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Absinthe SQL Injection Tool HTTP Header Detected"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Absinthe"; nocase; reference:url,0x90.org/releases/absinthe; reference:url,doc.emergingthreats.net/2009555; classtype:attempted-recon; sid:2009555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nessus User Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Nessus"; nocase; depth:40; reference:url,www.nessus.org; reference:url,doc.emergingthreats.net/2002664; classtype:attempted-recon; sid:2002664; rev:11; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; http.user_agent; content:"Brutus/AET"; classtype:attempted-recon; sid:2015702; rev:4; metadata:created_at 2012_09_17, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ZmEu exploit scanner"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"Made by ZmEu"; depth:12; reference:url,doc.emergingthreats.net/2010715; classtype:web-application-attack; sid:2010715; rev:10; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent inbound (bot)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.header; content:"User-Agent|3a 20|bot/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008228; classtype:trojan-activity; sid:2008228; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FHScan core User-Agent Detect"; flow:to_server,established; http.user_agent; content:"FHScan Core 1."; reference:url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html; classtype:attempted-recon; sid:2014541; rev:6; metadata:created_at 2012_04_12, updated_at 2020_04_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning"; flow:established,to_server; http.request_line; content:"GET <title>"; startswith; classtype:web-application-attack; sid:2016222; rev:3; metadata:created_at 2013_01_16, updated_at 2020_04_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; http.user_agent; content:"Cisco-torch"; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; http.user_agent; content:"core-project/1.0"; classtype:web-application-activity; sid:2008529; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_23;)
+
+alert http $HOME_NET any -> any any (msg:"ET SCAN NETWORK Outgoing Masscan detected"; flow:established,to_server; http.user_agent; content:"masscan/"; depth:8; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017615; rev:6; metadata:created_at 2013_10_18, updated_at 2020_04_27;)
+
+alert http any any -> $HOME_NET any (msg:"ET SCAN NETWORK Incoming Masscan detected"; flow:established,to_server; http.user_agent; content:"masscan/"; depth:8; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017616; rev:6; metadata:created_at 2013_10_18, updated_at 2020_04_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprint Web Server Fingerprint Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/antidisestablishmentarianism"; reference:url,www.net-square.com/httprint/; reference:url,www.net-square.com/httprint/httprint_paper.html; reference:url,doc.emergingthreats.net/2008416; classtype:attempted-recon; sid:2008416; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nikto Web App Scan in Progress"; flow:to_server,established; threshold: type both, count 5, seconds 60, track by_src; http.user_agent; content:"(Nikto"; reference:url,www.cirt.net/code/nikto.shtml; reference:url,doc.emergingthreats.net/2002677; classtype:web-application-attack; sid:2002677; rev:14; metadata:created_at 2010_07_30, updated_at 2020_04_27;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|flow|0d 0a|"; fast_pattern; classtype:attempted-admin; sid:2030048; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_04_29, deployment Perimeter, signature_severity Minor, updated_at 2020_04_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN IBM NSA User Agent"; flow:established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Network-Services-Auditor"; reference:url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf; reference:url,doc.emergingthreats.net/2003171; classtype:attempted-recon; sid:2003171; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internet Scanning Project HTTP scan"; flow:established,to_server; http.user_agent; content:"research-scanner/"; startswith; http.host; content:"internetscanningproject.org"; reference:url,www.internetscanningproject.org; classtype:attempted-recon; sid:2018782; rev:3; metadata:created_at 2014_07_25, updated_at 2020_05_01;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Chroot-apache0day Unknown Web Scanner User Agent"; flow:established,to_server; http.user_agent; content:"chroot-apach0day"; nocase; depth:16; reference:url,isc.sans.edu/forums/diary/Interesting+HTTP+User+Agent+chroot-apach0day+/18453; classtype:attempted-recon; sid:2018800; rev:5; metadata:created_at 2014_07_29, updated_at 2020_05_01;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+"; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030093; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Minor, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; http.user_agent; content:"Nmap NSE"; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis"; flow:established,to_server; http.user_agent; content:"pavuk"; nocase; reference:url,pavuk.sourceforge.net/about.html; reference:url,doc.emergingthreats.net/2009827; classtype:attempted-recon; sid:2009827; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WITOOL SQL Injection Scan"; flow:to_server,established; threshold: type threshold, track by_dst, count 2, seconds 30; http.uri.raw; content:"union+select"; content:"select+user"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|MyIE2"; fast_pattern; reference:url,witool.sourceforge.net/; reference:url,doc.emergingthreats.net/2009833; classtype:attempted-recon; sid:2009833; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool"; flow:established,to_server; http.user_agent; content:"Mysqloit"; reference:url,code.google.com/p/mysqloit/; classtype:attempted-recon; sid:2009882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected"; flow:established,to_server; http.uri; content:"+UNION+select+'BENCHMARK(10000000,SHA1(1))"; reference:url,code.google.com/p/mysqloit/; reference:url,doc.emergingthreats.net/2009883; classtype:attempted-recon; sid:2009883; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN SQL Injection Attempt (Agent uil2pn)"; flow:to_server,established; http.user_agent; content:"uil2pn"; reference:url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html; reference:url,doc.emergingthreats.net/2010215; classtype:web-application-attack; sid:2010215; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Springenwerk XSS Scanner User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Springenwerk"; reference:url,springenwerk.org/; reference:url,doc.emergingthreats.net/2010508; classtype:attempted-recon; sid:2010508; rev:6; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected (2)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".old"; http.header; content:"Range|3A| bytes=0-199999"; http.user_agent; content:"Mozilla/5.0 SF/"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010956; classtype:attempted-recon; sid:2010956; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN crimscanner User-Agent detected"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"crimscanner/"; nocase; reference:url,doc.emergingthreats.net/2010954; classtype:network-scan; sid:2010954; rev:6; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/w3af/remoteFileInclude.html"; nocase; http.host; content:"w3af.sourceforge.net"; startswith; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WafWoof Web Application Firewall Detection Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/<invalid>hello.html"; reference:url,code.google.com/p/waffit/; reference:url,doc.emergingthreats.net/2011720; classtype:attempted-recon; sid:2011720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Internal Dummy Connection User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"(internal dummy connection)"; classtype:trojan-activity; sid:2012937; rev:4; metadata:created_at 2011_06_07, updated_at 2020_05_04;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Nikto Scan Remote File Include Retrieval"; flow:established,to_server; http.uri; content:"/rfiinc.txt"; http.host; content:"cirt.net"; bsize:8; reference:url,cirt.net/nikto2; classtype:web-application-activity; sid:2011390; rev:5; metadata:affected_product Any, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Simple Slowloris Flooder"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.method; content:"POST"; http.header; content:"Content-length|3a 20|5235|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:5; metadata:created_at 2012_12_14, updated_at 2020_05_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Accept|3a 20|acunetix"; reference:url,www.acunetix.com/; classtype:attempted-recon; sid:2019963; rev:3; metadata:created_at 2014_12_18, updated_at 2020_05_14;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|danutzbaiatfinutz"; fast_pattern; classtype:attempted-admin; sid:2030198; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_05_21, deployment Perimeter, signature_severity Minor, updated_at 2020_05_21;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"Arachni/"; pcre:"/Arachni\/v?\d\.\d\.\d$/i"; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:6; metadata:created_at 2012_06_07, updated_at 2020_06_09;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/"; depth:9; content:"servlet/"; http.request_body; content:"org.jboss.invocation.MarshalledValue"; http.content_type; content:"application/x-java-serialized-object|3b|"; endswith; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:3; metadata:created_at 2015_12_09, updated_at 2020_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Observed Suspicious UA (Callstranger Vulnerability Checker)"; flow:established,to_server; http.user_agent; content:"Callstranger Vulnerability Checker"; bsize:34; reference:url,github.com/yunuscadirci/CallStranger; classtype:attempted-recon; sid:2030271; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category SCAN, signature_severity Informational, updated_at 2020_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN UPnP SUBSCRIBE Inbound - Possible CallStranger Scan (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; nocase; http.header; content:"CALLBACK|3a 20|"; fast_pattern; content:"NT|3a 20|"; reference:cve,2020-12695; reference:url,kb.cert.org/vuls/id/339275; classtype:attempted-recon; sid:2030272; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_06_09, deployment Perimeter, former_category SCAN, signature_severity Informational, updated_at 2020_06_09;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Sa0aS"; fast_pattern; classtype:attempted-admin; sid:2030273; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_09, deployment Perimeter, signature_severity Minor, updated_at 2020_06_09;)
+
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Zmap User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; fast_pattern; bsize:21; classtype:network-scan; sid:2030345; rev:4; metadata:created_at 2015_12_01, former_category SCAN, updated_at 2020_06_16;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Hello, pee"; fast_pattern; classtype:attempted-admin; sid:2030373; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, signature_severity Minor, updated_at 2020_06_22;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Meth/"; fast_pattern; classtype:attempted-admin; sid:2030375; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_22, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_06_22;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Masayki"; fast_pattern; classtype:attempted-admin; sid:2030470; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_06, deployment Perimeter, signature_severity Minor, updated_at 2020_07_06;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Scylla/"; fast_pattern; classtype:attempted-admin; sid:2030583; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_07_23, deployment Perimeter, signature_severity Minor, updated_at 2020_07_23;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing SQL Inject/ion Likely SQL Injection Scanner"; flow:established,to_server; http.user_agent; content:"SQL"; nocase; depth:200; content:"Inject"; nocase; distance:0; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2010087; classtype:attempted-recon; sid:2010087; rev:8; metadata:affected_product Web_Server_Applications, affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, former_category HUNTING, signature_severity Major, tag SQL_Injection, tag User_Agent, updated_at 2020_08_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing Web Scan/er Likely Web Scanner"; flow:established,to_server; http.user_agent; content:"web"; nocase; depth:200; content:"scan"; nocase; distance:0; reference:url,doc.emergingthreats.net/2010088; classtype:attempted-recon; sid:2010088; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Suspicious User-Agent Containing Security Scan/ner Likely Scan"; flow:established,to_server; http.user_agent; content:"security"; nocase; content:"scan"; nocase; distance:0; reference:url,doc.emergingthreats.net/2010089; classtype:attempted-recon; sid:2010089; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_06;)
+
+alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; http.user_agent; content:"|20|Nmap"; fast_pattern; classtype:web-application-attack; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|m3th/"; fast_pattern; classtype:attempted-admin; sid:2030676; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_12, deployment Perimeter, signature_severity Minor, updated_at 2020_08_12;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN struts-pwn User-Agent"; flow:established,to_server; http.user_agent; content:"struts-pwn"; depth:10; fast_pattern; reference:url,github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py; reference:cve,2017-9805; reference:url,paladion.net/paladion-cyber-labs-discovers-a-new-ransomware/; classtype:attempted-user; sid:2024843; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_16, deployment Datacenter, former_category SCAN, performance_impact Moderate, signature_severity Minor, updated_at 2022_04_18;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ZASE"; fast_pattern; classtype:attempted-admin; sid:2030692; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_08_17, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_08_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVAS User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"OpenVAS"; reference:url,openvas.org; classtype:attempted-recon; sid:2012726; rev:6; metadata:created_at 2011_04_26, updated_at 2020_08_18;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Web App Scan in Progress"; flow:to_server,established; http.user_agent; content:"DirBuster"; depth:9; reference:url,owasp.org; reference:url,doc.emergingthreats.net/2008186; classtype:web-application-attack; sid:2008186; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WebHack Control Center User-Agent Inbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; content:"WHCC"; fast_pattern; nocase; within:50; pcre:"/User-Agent\:[^\n]+WHCC/i"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003924; classtype:trojan-activity; sid:2003924; rev:10; metadata:created_at 2010_07_30, updated_at 2020_08_19;)
+
+#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic";  reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:7; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Sqlmap SQL Injection Scan"; flow:to_server,established; threshold: type limit, count 2, seconds 40, track by_src; http.user_agent; content:"sqlmap"; depth:6; reference:url,sqlmap.sourceforge.net; reference:url,doc.emergingthreats.net/2008538; classtype:attempted-recon; sid:2008538; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NYU Internet Census UA Inbound"; http.user_agent; content:"NYU Internet Census"; depth:19; reference:url,scan.lol; classtype:network-scan; sid:2025461; rev:3; metadata:created_at 2018_04_03, deployment Perimeter, deployment Datacenter, former_category SCAN, signature_severity Informational, updated_at 2020_08_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; http.user_agent; content:"Morfeus"; nocase; depth:7; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2003466; rev:16; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_08_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN ntop-ng Authentication Bypass via Session ID Guessing"; flow:established,to_server; threshold: type threshold, track by_dst, count 255, seconds 10; http.uri; content:"/lua/network_load.lua"; fast_pattern; http.cookie; content:"session="; content:"user="; reference:cve,2018-12520; reference:url,exploit-db.com/exploits/44973/; classtype:attempted-recon; sid:2025780; rev:3; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
+
+alert http any any -> $HOME_NET any (msg:"ET SCAN Geutebrueck re_porter 7.8.974.20 Information Disclosure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/statistics/gscsetup.xml"; reference:cve,2018-15534; reference:url,exploit-db.com/exploits/45240/; classtype:attempted-recon; sid:2026008; rev:2; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+
+alert http any any -> $HOME_NET any (msg:"ET SCAN Hikvision IP Camera 5.4.0 Information Disclosure"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/System/configurationFile?auth=YWRtaW46MTEK"; reference:url,exploit-db.com/exploits/45231/; classtype:attempted-recon; sid:2026015; rev:2; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category SCAN, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Hello Peppa! Scan Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"=die(|27|Hello, Peppa!|27|"; fast_pattern; reference:url,isc.sans.edu/diary/rss/23860; classtype:attempted-recon; sid:2026464; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_10, deployment Perimeter, former_category SCAN, malware_family Hello_Peppa, performance_impact Moderate, signature_severity Major, updated_at 2020_08_26;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DirBuster Scan in Progress"; flow:established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.uri; content:"/thereIsNoWayThat-You-CanBeThere"; nocase; reference:url,www.owasp.org/index.php/Category%3aOWASP_DirBuster_Project; classtype:attempted-recon; sid:2011914; rev:3; metadata:created_at 2010_11_09, updated_at 2020_09_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Metasploit WMAP GET len 0 and type"; flow:established,to_server; threshold: type limit, track by_src,count 1,seconds 60; http.method; content:"GET"; http.header; content:"|0d 0a|Content-Type|3A 20|text/plain|0d 0a|Content-Length|3A 20|0|0d 0a|"; classtype:attempted-recon; sid:2011974; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_11_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_09_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Goatzapszu Header from unknown Scanning Tool"; flow:established,to_server; http.header; content:"Goatzapszu|3a|"; nocase; classtype:attempted-recon; sid:2012077; rev:4; metadata:created_at 2010_12_18, updated_at 2020_09_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; http.uri; content:"/nessus_is_probing_you_"; reference:arachnids,301; classtype:web-application-attack; sid:2101102; rev:12; metadata:created_at 2010_09_23, updated_at 2020_09_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Medusa User-Agent"; flow: established,to_server; threshold: type limit, track by_src,count 1, seconds 60; http.user_agent; content:"Teh Forest Lobster"; fast_pattern; nocase; startswith; reference:url,www.foofus.net/~jmk/medusa/medusa.html; classtype:attempted-recon; sid:2011887; rev:4; metadata:created_at 2010_10_31, updated_at 2020_09_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN DotDotPwn User-Agent"; flow:established,to_server; threshold:type limit, track by_src,count 1, seconds 60; http.user_agent; content:"DotDotPwn"; nocase; startswith; reference:url,dotdotpwn.sectester.net; classtype:attempted-recon; sid:2011915; rev:4; metadata:created_at 2010_11_09, updated_at 2020_09_04;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.user_agent; content:"inspath [path disclosure finder"; startswith; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:5; metadata:created_at 2010_10_13, updated_at 2020_09_10;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Inspathx Path Disclosure Scan"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"varhttp|3A|/"; nocase; content:"wwwhttp|3A|/"; nocase; content:"htmlhttp|3A|/"; nocase; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011809; rev:7; metadata:created_at 2010_10_13, updated_at 2020_09_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.user_agent; content:"|20|Netsparker)"; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Skipfish Web Application Scan Detected"; flow:established,to_server; threshold:type limit, count 10, seconds 60, track by_src; http.user_agent; content:"Mozilla/5.0 SF"; reference:url,isc.sans.org/diary.html?storyid=8467; reference:url,code.google.com/p/skipfish/; reference:url,doc.emergingthreats.net/2010953; classtype:attempted-recon; sid:2010953; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN bsqlbf Brute Force SQL Injection"; flow:established,to_server; http.user_agent; content:"bsqlbf"; nocase; reference:url,code.google.com/p/bsqlbf-v2/; reference:url,doc.emergingthreats.net/2008362; classtype:web-application-activity; sid:2008362; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WebShag Web Application Scan Detected"; flow:to_server,established; http.user_agent; content:"webshag"; reference:url,www.scrt.ch/pages_en/outils.html; classtype:attempted-recon; sid:2009158; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN HZZP Scan in Progress calc in Headers"; flow:to_server,established; http.method; content:"GET"; http.header; content:"C|3a|/WINDOWS/system32/calc.exe"; content:"|0d 0a|"; within:9; pcre:"/^.+\x3a\s(test.)?C\:\/WINDOWS\/system32\/calc\.exe(.test)?\r$/m"; reference:url,www.krakowlabs.com/dev.html; reference:url,doc.emergingthreats.net/2011028; classtype:attempted-recon; sid:2011028; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Acunetix Version 6 Crawl/Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 2, seconds 5; http.uri; content:"/acunetix-wvs-test-for-some-inexistent-file"; reference:url,www.acunetix.com/; reference:url,doc.emergingthreats.net/2008571; classtype:attempted-recon; sid:2008571; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Netsparker Scan in Progress"; flow:to_server,established; threshold:type limit,track by_src,count 1,seconds 60; http.uri; content:"/Netsparker-"; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011030; classtype:attempted-recon; sid:2011030; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Httprecon Web Server Fingerprint Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/etc/passwd?format="; content:"><script>alert('xss')"; content:"traversal="; reference:url,www.computec.ch/projekte/httprecon/; reference:url,doc.emergingthreats.net/2008627; classtype:attempted-recon; sid:2008627; rev:11; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/.adSensePostNotThereNoNobook"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008617; classtype:attempted-recon; sid:2008617; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Wikto Backend Data Miner Scan"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/actSensePostNotThereNoNotive"; reference:url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm; reference:url,doc.emergingthreats.net/2008629; classtype:attempted-recon; sid:2008629; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; reference:url,doc.emergingthreats.net/2009479; classtype:attempted-recon; sid:2009479; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN HP Enterprise VAN SDN Controller"; flow:established,to_server; http.uri; content:"/sdn/ui/app/rs/hpws/config"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-recon; sid:2025760; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, former_category SCAN, signature_severity Major, updated_at 2020_09_16;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; http.uri; content:"/ServiceDefinition"; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; classtype:attempted-recon; sid:2008628; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; http.user_agent; content:"PTX"; endswith; fast_pattern; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:6; metadata:created_at 2011_10_19, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; http.user_agent; content:"w3af.sf.net"; fast_pattern; classtype:attempted-recon; sid:2015484; rev:4; metadata:created_at 2012_07_18, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; http.uri; content:"/sftp-config.json"; fast_pattern; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:4; metadata:created_at 2012_11_27, updated_at 2020_09_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FOCA uri"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:5; metadata:created_at 2014_01_10, updated_at 2020_09_22;)
+
+alert http any any -> any 5000 (msg:"ET SCAN Hikvision DVR attempted Synology Recon Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webman/info.cgi?host="; fast_pattern; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:4; metadata:created_at 2014_04_02, former_category SCAN, updated_at 2020_09_23;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set"; flow:established,to_server; flowbits:set,ET.XMLRPC.PHP; flowbits:noalert; http.uri; content:"/xmlrpc.php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018754; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_24;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:attempted-admin; sid:2030909; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Minor, updated_at 2020_09_28;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 20, seconds 40; http.method; content:"GET"; http.uri; content:"/random"; nocase; fast_pattern; pcre:"/\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do)/i"; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_29;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Xenu Link Sleuth"; fast_pattern; classtype:attempted-recon; sid:2021058; rev:5; metadata:created_at 2015_05_05, updated_at 2020_09_30;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN COMMIX Command injection scan attempt"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 6d 6d 69 78|"; fast_pattern; reference:url,github.com/stasinopoulos/commix/blob/master/README.md; classtype:web-application-activity; sid:2022243; rev:4; metadata:created_at 2015_12_11, updated_at 2020_10_05;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:attempted-admin; sid:2030964; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_06;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:attempted-admin; sid:2030995; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Minor, updated_at 2020_10_12;)
+
+alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; http.user_agent; content:"DominoHunter"; nocase; depth:12; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:4; metadata:created_at 2011_07_02, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Toata Scanner User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Toata dragostea|20|"; depth:16; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; classtype:attempted-recon; sid:2009159; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; http.user_agent; content:"AutoGetColumn"; depth:13; reference:url,doc.emergingthreats.net/2009154; classtype:attempted-recon; sid:2009154; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; threshold: type limit, track by_dst, count 1, seconds 60; http.header; content:"http|3a|//www.grendel-scan.com"; nocase; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Grendel-Scan"; nocase; depth:37; fast_pattern; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; classtype:attempted-recon; sid:2009480; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; http.user_agent; content:"BOT/0.1 (BOT for JCE)"; depth:21; classtype:web-application-attack; sid:2016032; rev:5; metadata:created_at 2012_12_14, updated_at 2020_10_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manager/html"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_17;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; http.user_agent; content:"get-minimal"; depth:11; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; http.user_agent; content:"w3af.sourceforge.net"; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:13; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; http.user_agent; content:"DAV.pm/v"; depth:8; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; http.user_agent; content:"Grabber"; depth:7; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; classtype:attempted-recon; sid:2009483; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Mini MySqlatOr SQL Injection Scanner"; flow:to_server,established; http.user_agent; content:"prog.CustomCrawler"; depth:18; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; classtype:attempted-recon; sid:2008729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; http.user_agent; content:"SQL Power Injector"; depth:18; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA)"; flow:established,to_server; http.user_agent; content:"webcollage/"; depth:11; nocase; reference:url,stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:8; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2020_10_19;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"4.75 [en] (Windows NT 5.0"; http.protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029015; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_22;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:attempted-admin; sid:2029016; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:attempted-admin; sid:2029017; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:attempted-admin; sid:2029018; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:attempted-admin; sid:2029019; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:attempted-admin; sid:2029020; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:attempted-admin; sid:2029021; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:attempted-admin; sid:2029024; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Kayla"; startswith; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/"; classtype:attempted-admin; sid:2029023; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029026; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; depth:21; endswith; classtype:network-scan; sid:2029054; rev:2; metadata:created_at 2019_11_26, former_category SCAN, updated_at 2020_10_23;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Dark Nexus IoT Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:attempted-admin; sid:2029208; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; http.request_line; content:"GET @"; depth:5; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013791; rev:4; metadata:created_at 2011_10_24, updated_at 2020_10_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat upload from external source"; flow:to_server,established; flowbits:isset,ET.Tomcat.login.attempt; http.method; content:"POST"; http.uri; content:"/manager/html/upload"; nocase; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009220; classtype:successful-admin; sid:2009220; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:attempted-admin; sid:2029022; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_29;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-admin login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4=|0d 0a|"; fast_pattern; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"&php"; nocase; distance:0; content:"&wphp"; nocase; distance:0; content:"&abdullkarem="; nocase; fast_pattern; distance:0; http.protocol; content:"HTTP/1.0"; depth:8; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:web-application-attack; sid:2021949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_10_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_03;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; http.uri; content:"|3a|@"; http.request_line; content:"GET|20 3a|@"; depth:6; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013792; rev:6; metadata:created_at 2011_10_24, updated_at 2020_11_06;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; threshold:type threshold, track by_dst, count 10, seconds 20; http.header; content:"TE|3a 20|deflate,gzip|3b|q=0.3|0d 0a|Connection|3a 20|TE, close|0d 0a|Host|3a 20|"; depth:53; content:"User-Agent|3a 20|"; within:100; http.user_agent; content:!"libwww-perl/"; http.request_line; content:"GET //"; fast_pattern; depth:6; http.header_names; content:"|0d 0a|TE|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:26; endswith; classtype:attempted-recon; sid:2013416; rev:11; metadata:created_at 2011_08_17, updated_at 2020_11_06;)
+
+alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:attempted-admin; sid:2029025; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_09;)
+
+#alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; flow:established,to_server; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; reference:url,doc.emergingthreats.net/2009286; classtype:bad-unknown; sid:2009286; rev:4; metadata:created_at 2010_07_30, updated_at 2020_11_12;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"acunetix_wvs_security_test"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"|24|acunetix"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023688; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+
+alert http any any -> $HOME_NET any (msg:"ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML"; flow:established,to_server; http.uri; content:"/wp-includes/wlwmanifest.xml"; threshold: type both, track by_src, count 4, seconds 8; classtype:network-scan; sid:2031505; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_01_08;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Generic IDBTE4M Exploit Scanner (Outbound)"; flow:to_server,established; http.user_agent; content:"IDBTE4M CODE87"; fast_pattern; classtype:bad-unknown; sid:2031602; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_02, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_02_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Generic IDBTE4M Exploit Scanner (Inbound)"; flow:to_server,established; http.user_agent; content:"IDBTE4M CODE87"; fast_pattern; classtype:bad-unknown; sid:2031603; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_02, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_02_02;)
+
+alert dns any any -> any any (msg:"ET SCAN DNS Query for allports.exposed"; dns.query; content:"allports.exposed"; nocase; reference:url,blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/; classtype:network-scan; sid:2032091; rev:1; metadata:created_at 2021_03_17, updated_at 2021_03_17;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Baidu Spider Webcrawler User Agent - inbound"; flow:established,to_server; content:"baiduspider"; nocase; http_user_agent; classtype:not-suspicious; sid:2033338; rev:1; metadata:attack_target Web_Server, created_at 2021_05_19, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_19, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Exabot Webcrawler User Agent"; flow:established,to_server; content:"Exabot"; nocase; http_user_agent; classtype:not-suspicious; sid:2033165; rev:2; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN AOL Webcrawler User-Agent"; flow:established,to_server; content:"AOLBuild "; nocase; http_user_agent; classtype:not-suspicious; sid:2033166; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,github.com/greenbone/openvas-scanner/blob/622e205327ea374d1ccbb3b0e8dcb3fe5c1bb87d/nasl/nasl_http.c#L120; classtype:bad-unknown; sid:2033101; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_08_11;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Outbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,github.com/greenbone/openvas-scanner/blob/622e205327ea374d1ccbb3b0e8dcb3fe5c1bb87d/nasl/nasl_http.c#L120; classtype:bad-unknown; sid:2033102; rev:2; metadata:created_at 2021_06_07, former_category ATTACK_RESPONSE, updated_at 2021_08_11;)
+
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN FTPSync Settings Disclosure Attempt"; flow:to_server,established; http.uri; content:"/ftpsync.settings"; fast_pattern; endswith; reference:url,github.com/NoxArt/SublimeText2-FTPSync; classtype:attempted-recon; sid:2034253; rev:2; metadata:created_at 2021_10_26, former_category SCAN, updated_at 2021_10_26;)
+
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"0x%5B%5D=androxgh0st"; nocase; fast_pattern; reference:url,thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/; classtype:attempted-recon; sid:2034508; rev:1; metadata:created_at 2021_11_18, former_category SCAN, updated_at 2021_11_18;)
+
+alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern; classtype:attempted-recon; sid:2021024; rev:2; metadata:created_at 2015_04_28, updated_at 2022_03_17;)
+
+alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern; classtype:attempted-recon; sid:2021023; rev:2; metadata:created_at 2015_04_28, updated_at 2022_03_17;)
+
+alert tcp any any -> any 3389 (msg:"ET SCAN RDP Connection Attempt from Nmap"; flow:established,to_server; content:"|00 00 00 00 00|Cookie|3a 20|mstshash|3d|nmap|0d 0a|"; fast_pattern; reference:url,github.com/nmap/nmap/blob/4b46fa7097673f157e7b93e72f0c8b3249c54b4c/nselib/rdp.lua#L211; classtype:network-scan; sid:2036252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category SCAN, performance_impact Low, signature_severity Minor, updated_at 2022_04_19;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)"; flow:established,to_server; http.user_agent; content:"Mediapartners-Google"; nocase; classtype:not-suspicious; sid:2032978; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yandex Webcrawler User-Agent (YandexBot)"; flow:established,to_server; http.user_agent; content:"YandexBot"; nocase; classtype:not-suspicious; sid:2032979; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot)"; flow:established,to_server; http.user_agent; content:"DuckDuckBot"; nocase; classtype:not-suspicious; sid:2032980; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Bing Webcrawler User-Agent (BingBot)"; flow:established,to_server; http.user_agent; content:"bingbot"; nocase; classtype:not-suspicious; sid:2032981; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Naver Webcrawler User-Agent (Naver.me)"; flow:established,to_server; http.user_agent; content:"naver.me"; nocase; classtype:not-suspicious; sid:2032982; rev:2; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2022_05_03, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WordPress HelloThinkCMF Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=fetch&content="; startswith; content:"die(@md5(HelloThinkCMF))"; fast_pattern; distance:0; http.header_names; content:!"Referer"; classtype:network-scan; sid:2034838; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_12_22, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_05_03;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Web Scanner - Fuzz Faster U Fool (Inbound)"; flow:established,to_server; http.user_agent; content:"Fuzz Faster U Fool v"; fast_pattern; startswith; threshold:type limit, count 1, seconds 300, track by_src; classtype:web-application-activity; sid:2037838; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2022_07_28, deployment Perimeter, deployment SSLDecrypt, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2022_07_28;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode"; flow:established; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009246; classtype:shellcode-detect; sid:2009246; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp any any -> any any (msg:"ET SHELLCODE Bindshell2 Decoder Shellcode (UDP)"; content:"|53 53 53 53 53 43 53 43 53 FF D0 66 68|"; content:"|66 53 89 E1 95 68 A4 1A|"; distance:0; reference:url,doc.emergingthreats.net/2009285; classtype:shellcode-detect; sid:2009285; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode"; flow:established; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009247; classtype:shellcode-detect; sid:2009247; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Rothenburg Shellcode (UDP)"; content:"|D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance:0; reference:url,doc.emergingthreats.net/2009284; classtype:shellcode-detect; sid:2009284; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode"; flow:established; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009248; classtype:shellcode-detect; sid:2009248; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP)"; content:"|EB 15 B9|"; content:"|81 F1|"; distance:0; content:"|80 74 31 FF|"; distance:0; content:"|E2 F9 EB 05 E8 E6 FF FF FF|"; reference:url,doc.emergingthreats.net/2009283; classtype:shellcode-detect; sid:2009283; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode"; flow:established; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009249; classtype:shellcode-detect; sid:2009249; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Adenau Shellcode (UDP)"; content:"|eb 19 5e 31 c9 81 e9|"; content:"|81 36|"; distance:0; content:"|81 ee fc ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009282; classtype:shellcode-detect; sid:2009282; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode"; flow:established; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009250; classtype:shellcode-detect; sid:2009250; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Mainz/Bielefeld Shellcode (UDP)"; content:"|33 c9 66 b9|"; content:"|80 34|"; distance:0; content:"|eb 05 e8 eb ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009281; classtype:shellcode-detect; sid:2009281; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode"; flow:established; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009251; classtype:shellcode-detect; sid:2009251; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Wuerzburg Shellcode (UDP)"; content:"|eb 27|"; content:"|5d 33 c9 66 b9|"; distance:0; content:"|8d 75 05 8b fe 8a 06 3c|"; distance:0; content:"|75 05 46 8a 06|"; distance:0; content:"|88 07 47 e2 ed eb 0a e8 da ff ff ff|"; distance:0; reference:url,doc.emergingthreats.net/2009280; classtype:shellcode-detect; sid:2009280; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009252; classtype:shellcode-detect; sid:2009252; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Schauenburg Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009279; classtype:shellcode-detect; sid:2009279; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode"; flow:established; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009253; classtype:shellcode-detect; sid:2009253; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Koeln Shellcode (UDP)"; content:"|eb 0f 8b 34 24 33 c9 80 c1|"; content:"|80 36|"; distance:0; content:"|46 e2 fa c3 e8 ec|"; distance:0; reference:url,doc.emergingthreats.net/2009278; classtype:shellcode-detect; sid:2009278; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode"; flow:established; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009254; classtype:shellcode-detect; sid:2009254; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Lichtenfels Shellcode (UDP)"; content:"|01 fc ff ff 83 e4 fc 8b ec 33 c9 66 b9|"; content:"|80 30|"; distance:0; content:"|40 e2 fA|"; distance:0; reference:url,doc.emergingthreats.net/2009277; classtype:shellcode-detect; sid:2009277; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode"; flow:established; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009255; classtype:shellcode-detect; sid:2009255; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Mannheim Shellcode (UDP)"; content:"|80 73 0e|"; content:"|43 e2|"; distance:0; content:"|73 73 73|"; distance:0; content:"|81 86 8c 81|"; distance:0; reference:url,doc.emergingthreats.net/2009276; classtype:shellcode-detect; sid:2009276; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode"; flow:established; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009256; classtype:shellcode-detect; sid:2009256; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Berlin Shellcode (UDP)"; content:"|31 c9 b1 fc 80 73 0c|"; content:"|43 e2 8b 9f|"; distance:0; reference:url,doc.emergingthreats.net/2009275; classtype:shellcode-detect; sid:2009275; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode"; flow:established; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009257; classtype:shellcode-detect; sid:2009257; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Leimbach Shellcode (UDP)"; content:"|5b 31 c9 b1|"; content:"|80 73|"; distance:0; content:"|43 e2|"; distance:0; reference:url,doc.emergingthreats.net/2009274; classtype:shellcode-detect; sid:2009274; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode"; flow:established; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009258; classtype:shellcode-detect; sid:2009258; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Aachen Shellcode (UDP)"; content:"|8b 45 04 35|"; content:"|89 45 04 66 8b 45 02 66 35|"; distance:0; content:"|66 89 45 02|"; distance:0; reference:url,doc.emergingthreats.net/2009273; classtype:shellcode-detect; sid:2009273; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Furth Shellcode"; flow:established; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009259; classtype:shellcode-detect; sid:2009259; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Furth Shellcode (UDP)"; content:"|31 c9 66 b9|"; content:"|80 73|"; distance:0; content:"|43 e2 1f|"; distance:0; reference:url,doc.emergingthreats.net/2009272; classtype:shellcode-detect; sid:2009272; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode"; flow:established; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009260; classtype:shellcode-detect; sid:2009260; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Langenfeld Shellcode (UDP)"; content:"|eb 0f 5b 33 c9 66 b9|"; content:"|80 33|"; distance:0; content:"|43 e2 fa eb|"; distance:0; reference:url,doc.emergingthreats.net/2009271; classtype:shellcode-detect; sid:2009271; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode"; flow:established; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009261; classtype:shellcode-detect; sid:2009261; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Bonn Shellcode (UDP)"; content:"|31 c9 81 e9|"; content:"|83 eb|"; distance:0; content:"|80 73|"; distance:0; content:"|43 e2 f9|"; distance:0; reference:url,doc.emergingthreats.net/2009270; classtype:shellcode-detect; sid:2009270; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode"; flow:established; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009262; classtype:shellcode-detect; sid:2009262; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Siegburg Shellcode (UDP)"; content:"|31 eb 80 eb|"; content:"|58 80 30|"; distance:0; content:"|40 81 38|"; distance:0; reference:url,doc.emergingthreats.net/2009269; classtype:shellcode-detect; sid:2009269; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode"; flow:established; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009263; classtype:shellcode-detect; sid:2009263; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Plain1 Shellcode (UDP)"; content:"|89 e1 cd|"; content:"|5b 5d 52 66 bd|"; distance:0; content:"|0f cd 09 dd 55 6a|"; distance:0; content:"|51 50|"; distance:0; reference:url,doc.emergingthreats.net/2009268; classtype:shellcode-detect; sid:2009268; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode"; flow:established; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009264; classtype:shellcode-detect; sid:2009264; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Plain2 Shellcode (UDP)"; content:"|50 50 50 50 40 50 40 50 ff 56 1c 8b d8 57 57 68 02|"; content:"|8b cc 6a|"; distance:0; content:"|51 53|"; distance:0; reference:url,doc.emergingthreats.net/2009267; classtype:shellcode-detect; sid:2009267; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode"; flow:established; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009265; classtype:shellcode-detect; sid:2009265; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp any any -> any any (msg:"ET SHELLCODE Bindshell1 Decoder Shellcode (UDP)"; content:"|58 99 89 E1 CD 80 96 43 52 66 68|"; content:"|66 53 89 E1 6A 66 58 50 51 56|"; distance:0; reference:url,doc.emergingthreats.net/2009266; classtype:shellcode-detect; sid:2009266; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010383; classtype:shellcode-detect; sid:2010383; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; reference:url,doc.emergingthreats.net/2010392; classtype:shellcode-detect; sid:2010392; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010423; classtype:shellcode-detect; sid:2010423; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; reference:url,doc.emergingthreats.net/2010424; classtype:shellcode-detect; sid:2010424; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; reference:url,doc.emergingthreats.net/2010425; classtype:shellcode-detect; sid:2010425; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; reference:url,doc.emergingthreats.net/2010426; classtype:shellcode-detect; sid:2010426; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010427; classtype:shellcode-detect; sid:2010427; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010428; classtype:shellcode-detect; sid:2010428; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; reference:url,doc.emergingthreats.net/2010429; classtype:shellcode-detect; sid:2010429; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010430; classtype:shellcode-detect; sid:2010430; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; reference:url,doc.emergingthreats.net/2010431; classtype:shellcode-detect; sid:2010431; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; reference:url,doc.emergingthreats.net/2010432; classtype:shellcode-detect; sid:2010432; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; reference:url,doc.emergingthreats.net/2010433; classtype:shellcode-detect; sid:2010433; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; reference:url,doc.emergingthreats.net/2010434; classtype:shellcode-detect; sid:2010434; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; reference:url,doc.emergingthreats.net/2010437; classtype:shellcode-detect; sid:2010437; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; reference:url,doc.emergingthreats.net/2010435; classtype:shellcode-detect; sid:2010435; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; reference:url,doc.emergingthreats.net/2010436; classtype:shellcode-detect; sid:2010436; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexFnstenvMov/Sub Encoder"; flow:established; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; classtype:shellcode-detect; sid:2002903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Alpha2 GetEIPs Encoder"; flow:established; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; classtype:shellcode-detect; sid:2002904; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 Countdown Encoder"; flow:established; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; reference:url,doc.emergingthreats.net/bin/view/Main/2002905; classtype:shellcode-detect; sid:2002905; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET SHELLCODE x86 PexAlphaNum Encoder"; flow:established; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; classtype:shellcode-detect; sid:2002906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 PexCall Encoder"; flow:established; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|82 EE FC E2 F4|"; distance: 4; within: 5; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; classtype:shellcode-detect; sid:2002907; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE x86 JmpCallAdditive Encoder"; flow:established; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; classtype:shellcode-detect; sid:2002908; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:2; content:!"|0A|"; within:2; content:!"|20|"; within:2; pcre:"/(%U([0-9a-f]{2})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; classtype:trojan-activity; sid:2003173; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; content:"%u"; nocase; isdataat:4; content:!"|0A|"; within:4; content:!"|20|"; within:4; pcre:"/(%U([0-9a-f]{4})){6}/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; classtype:trojan-activity; sid:2003174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; reference:url,doc.emergingthreats.net/2010385; classtype:shellcode-detect; sid:2010385; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; reference:url,doc.emergingthreats.net/2010386; classtype:shellcode-detect; sid:2010386; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; reference:url,doc.emergingthreats.net/2010387; classtype:shellcode-detect; sid:2010387; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5)"; content:"|17 1c 1a 19 fb 77 80 ce|"; reference:url,doc.emergingthreats.net/2010388; classtype:shellcode-detect; sid:2010388; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010389; classtype:shellcode-detect; sid:2010389; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010390; classtype:shellcode-detect; sid:2010390; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; reference:url,doc.emergingthreats.net/2010391; classtype:shellcode-detect; sid:2010391; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; reference:url,doc.emergingthreats.net/2010393; classtype:shellcode-detect; sid:2010393; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; reference:url,doc.emergingthreats.net/2010394; classtype:shellcode-detect; sid:2010394; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; reference:url,doc.emergingthreats.net/2010395; classtype:shellcode-detect; sid:2010395; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; reference:url,doc.emergingthreats.net/2010396; classtype:shellcode-detect; sid:2010396; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; reference:url,doc.emergingthreats.net/2010397; classtype:shellcode-detect; sid:2010397; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010398; classtype:shellcode-detect; sid:2010398; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; reference:url,doc.emergingthreats.net/2010399; classtype:shellcode-detect; sid:2010399; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; reference:url,doc.emergingthreats.net/2010400; classtype:shellcode-detect; sid:2010400; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010401; classtype:shellcode-detect; sid:2010401; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; reference:url,doc.emergingthreats.net/2010402; classtype:shellcode-detect; sid:2010402; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; reference:url,doc.emergingthreats.net/2010403; classtype:shellcode-detect; sid:2010403; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; reference:url,doc.emergingthreats.net/2010404; classtype:shellcode-detect; sid:2010404; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; reference:url,doc.emergingthreats.net/2010405; classtype:shellcode-detect; sid:2010405; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; reference:url,doc.emergingthreats.net/2010406; classtype:shellcode-detect; sid:2010406; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010407; classtype:shellcode-detect; sid:2010407; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; reference:url,doc.emergingthreats.net/2010409; classtype:shellcode-detect; sid:2010409; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; reference:url,doc.emergingthreats.net/2010410; classtype:shellcode-detect; sid:2010410; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; reference:url,doc.emergingthreats.net/2010411; classtype:shellcode-detect; sid:2010411; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; reference:url,doc.emergingthreats.net/2010412; classtype:shellcode-detect; sid:2010412; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; reference:url,doc.emergingthreats.net/2010413; classtype:shellcode-detect; sid:2010413; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; reference:url,doc.emergingthreats.net/2010414; classtype:shellcode-detect; sid:2010414; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; reference:url,doc.emergingthreats.net/2010415; classtype:shellcode-detect; sid:2010415; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; reference:url,doc.emergingthreats.net/2010416; classtype:shellcode-detect; sid:2010416; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; reference:url,doc.emergingthreats.net/2010417; classtype:shellcode-detect; sid:2010417; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; reference:url,doc.emergingthreats.net/2010418; classtype:shellcode-detect; sid:2010418; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; reference:url,doc.emergingthreats.net/2010419; classtype:shellcode-detect; sid:2010419; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; reference:url,doc.emergingthreats.net/2010420; classtype:shellcode-detect; sid:2010420; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; reference:url,doc.emergingthreats.net/2010421; classtype:shellcode-detect; sid:2010421; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected"; flow:established; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; content:!"MZ"; content:!"This program cannot be run in DOS mode"; content:!"Windows Program"; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011803; rev:5; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected"; content:"|EB|"; byte_jump:1,0,relative; content:"|E8|"; within:1; content:"|FF FF FF|"; distance:1; within:3; reference:url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/; classtype:shellcode-detect; sid:2011804; rev:2; metadata:created_at 2010_10_13, updated_at 2010_10_13;)
+
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode"; flow:established,to_client; content:"writeByte(0x"; nocase; pcre:"/writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}.+writeByte\x280x[a-z,0-9]{2}/smi"; reference:url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html; classtype:shellcode-detect; sid:2012120; rev:2; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
+
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String"; flow:established,to_client; content:"%0a%0a%0a%0a"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012253; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Common 0c0c0c0c Heap Spray String"; flow:established,to_client; content:"0c0c0c0c"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012256; rev:2; metadata:created_at 2011_02_03, updated_at 2011_02_03;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE UTF-8/16 Encoded Shellcode"; flow:established,to_client; content:"|5C|u"; nocase; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; content:"|5C|u"; nocase; within:6; pcre:"/\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012510; rev:2; metadata:created_at 2011_03_16, updated_at 2011_03_16;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable %u Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"%u"; nocase; within:3; content:"%u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x25u[a-f,0-9]{2,4}\x25u[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012534; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Variable Unicode Shellcode"; flow:established,to_client; content:"= unescape|28|"; nocase; content:"|5C|u"; nocase; within:3; content:"|5C|u"; nocase; within:6; pcre:"/var\x20[a-z,0-9]{1,30}\x20\x3D\x20unescape\x28.\x5Cu[a-f,0-9]{2,4}\x5Cu[a-f,0-9]{2,4}/i"; reference:url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf; classtype:shellcode-detect; sid:2012535; rev:2; metadata:created_at 2011_03_22, updated_at 2011_03_22;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:2100640; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:2; metadata:created_at 2011_06_02, updated_at 2011_06_02;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt"; flow:established,to_client; content:"0x0b0b0b0b"; nocase; classtype:shellcode-detect; sid:2012963; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|7C|u0"; nocase; content:"|7C|u0"; distance:1; within:4; pcre:"/\x7Cu0[a-d](\x7Cu0|0)[a-d]/\x7Cu0[a-d](\x7Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012969; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt"; flow:established,to_client; content:"|5C|u0"; nocase; content:"|5C|u0"; distance:1; within:4; pcre:"/\x5Cu0[a-d](\x5Cu0|0)[a-d]/\x5Cu0[a-d](\x5Cu0|0)[a-d]/i"; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012970; rev:2; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"heap|2E|"; nocase; fast_pattern:only; pcre:"/var\x20[^\n\r]*\x3D[^\n\r]*heap\x2E/smi"; classtype:shellcode-detect; sid:2013148; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; content:"u0"; nocase; distance:1; within:2; pcre:"/u0[a-d]u0[a-d]u0[a-d]u0[a-d]/smi"; classtype:shellcode-detect; sid:2013319; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unicode UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"u0"; nocase; content:"u0"; nocase; distance:3; within:2; pcre:"/u0[a-d]0[a-d]u0[a-d]0[a-d]/smi"; classtype:shellcode-detect; sid:2013320; rev:2; metadata:created_at 2011_07_27, updated_at 2011_07_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt"; flow:established,to_client; content:"0x0a0a0a0a"; nocase; classtype:shellcode-detect; sid:2012962; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt"; flow:established,to_client; content:"0x0c0c0c0c"; nocase; classtype:shellcode-detect; sid:2012964; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt"; flow:established,to_client; content:"0x0d0d0d0d"; nocase; classtype:shellcode-detect; sid:2012965; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt"; flow:established,to_client; content:"%0d%0d%0d%0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012966; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u0d%u0d%u0d%u0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012967; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u0d0d%u0d0d"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012968; rev:3; metadata:created_at 2011_06_09, updated_at 2011_06_09;)
+
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Unescape Hex Obfuscated Content"; flow:established,to_client; content:"unescape|28|"; fast_pattern; content:"|5C|x"; distance:1; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; content:"|5C|x"; distance:2; within:2; pcre:"/unescape\x28(\x22|\x27)\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/smi"; classtype:shellcode-detect; sid:2013272; rev:3; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2102313; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2102312; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; file_data; content:"|5C|x0b|5C|x0b|5C|x0b|5C|x0b"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013268; rev:4; metadata:created_at 2011_07_14, updated_at 2011_07_14;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:2; metadata:created_at 2013_04_04, updated_at 2013_04_04;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:4; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:2100648; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2100653; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2102314; rev:4; metadata:created_at 2010_09_23, updated_at 2016_09_09;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 8F|"; fast_pattern:only; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012089; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2017_09_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C|x41|5C|x41|5C|x41|5C|x41"; nocase; fast_pattern:only; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013273; rev:3; metadata:created_at 2011_07_14, former_category SHELLCODE, updated_at 2017_09_08;)
+
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:3; metadata:created_at 2013_04_04, former_category SHELLCODE, updated_at 2017_09_08;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:10; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
+
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:2101390; rev:7; metadata:created_at 2010_09_23, former_category SHELLCODE, updated_at 2017_09_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Execve(/bin/sh) Shellcode"; content:"|31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50 53 89 e1 b0 0b cd 80|"; classtype:shellcode-detect; sid:2025695; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2018_07_13, deployment Perimeter, former_category SHELLCODE, performance_impact Low, updated_at 2018_07_13;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 58|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012087; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012091; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset UDP Shellcode"; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012093; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F A9|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012092; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 8F|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012088; rev:4; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2016_09_16;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Call with No Offset TCP Shellcode"; flow:established; content:"|E8 00 00 00 00 0F 1A|"; reference:url,community.rsa.com/community/products/netwitness/blog/2012/08/22/network-detection-of-x86-buffer-overflow-shellcode; classtype:shellcode-detect; sid:2012090; rev:3; metadata:created_at 2010_12_23, former_category SHELLCODE, updated_at 2010_12_23;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:4; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2"; flow:established,to_client; content:"unescape|28 27|"; content:!"|29|"; within:100; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; content:"|27| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012197; rev:5; metadata:created_at 2011_01_17, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90%90"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:4; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0a0a%u0a0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012254; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0a%u0a%u0a%u0a"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012255; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String"; flow:established,to_client; content:"%0c%0c%0c%0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012257; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String"; flow:established,to_client; content:"%u0c0c%u0c0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012258; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String"; flow:established,to_client; content:"%u0c%u0c%u0c%u0c"; nocase; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2012259; rev:4; metadata:created_at 2011_02_03, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:5; metadata:created_at 2010_12_28, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Common 0a0a0a0a Heap Spray String"; flow:established,to_client; content:"0a0a0a0a"; nocase; reference:url,www.darkreading.com/vulnerabilities---threats/heap-spraying-attackers-latest-weapon-of-choice/d/d-id/1132487; classtype:shellcode-detect; sid:2012252; rev:5; metadata:created_at 2011_02_03, former_category SHELLCODE, updated_at 2019_09_27;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt"; flow:established,to_client; content:"%41%41%41%41"; fast_pattern; classtype:shellcode-detect; sid:2013145; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt"; flow:established,to_client; content:"%u41%u41%u41%u41"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013146; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt"; flow:established,to_client; content:"%u4141%u4141"; nocase; fast_pattern; classtype:shellcode-detect; sid:2013147; rev:3; metadata:created_at 2011_06_30, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141"; flow:established,to_client; content:"|5C 5C|x41|5C 5C|x41|5C 5C|x41|5C 5C|x41"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013279; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C 5C|x90|5C 5C|x90|5C 5C|x90|5C 5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013278; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d|5C 5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013277; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c|5C 5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013276; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b"; flow:established,to_client; content:"|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b|5C 5C|x0b"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013275; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a"; flow:established,to_client; content:"|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a|5C 5C|x0a"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013274; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript NOP SLED"; flow:established,to_client; content:"|5C|x90|5C|x90|5C|x90|5C|x90"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013271; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d"; flow:established,to_client; content:"|5C|x0d|5C|x0d|5C|x0d|5C|x0d"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013270; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c"; flow:established,to_client; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; nocase; fast_pattern; reference:url,www.darkreading.com/security/vulnerabilities/221901428/index.html; classtype:shellcode-detect; sid:2013269; rev:3; metadata:created_at 2011_07_14, updated_at 2019_10_08;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern; classtype:shellcode-detect; sid:2100691; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern; classtype:shellcode-detect; sid:2101424; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Flush IPTables Shellcode"; content:"|6a 52 58 99 52 66 68 2d 46 54 5b 52 48 b9 69 70 74 61 62 6c 65 73 51 d0 e0 28 c8 48 b9 2f 2f 73 62 69 6e 2f 2f 51 54 5f 52 53 57 54 5e 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polyflushiptables1434.html; classtype:shellcode-detect; sid:2024057; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode"; content:"|31 ff 57 6a 69 58 48 bb 5e c4 d2 dc 5e 5e e6 d0 0f 05 48 d1 cb b0 3b 53 87 f7 54 99 5f 0f 05|"; fast_pattern; reference:url,a41l4.blogspot.ca/2017/03/polysetuidexecve1434.html; classtype:shellcode-detect; sid:2024058; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_15, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Linux/x86-64 - Reverse Shell Shellcode"; content:"|6a 02 6a 2a 6a 10 6a 29 6a 01 6a 02|"; content:"|48 bf 2f 2f 62 69 6e 2f 73 68|"; fast_pattern; reference:url,exploit-db.com/exploits/41477/; classtype:shellcode-detect; sid:2024065; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category SHELLCODE, performance_impact Low, signature_severity Critical, updated_at 2019_10_08;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3; metadata:created_at 2010_12_15, updated_at 2010_12_15;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"|0d 0a|ORGANIZER"; content:"mailto|3a|"; nocase; within:50; isdataat:2000,relative; content:!"|0a|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
+
+alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Robtex.com Block Message"; flow:established,from_server; content:"robtex.com"; classtype:not-suspicious; sid:2012986; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2102590; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:!"|0a|"; within:300; isdataat:300; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:17; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP EXE - ZIP file with .pif filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnBpZ|5waW|ucGlm)/R"; classtype:bad-unknown; sid:2018144; rev:2; metadata:created_at 2014_02_15, updated_at 2014_02_15;)
+
+alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sorbs.net Block Message"; flow:established,from_server; content:"sorbs.net"; classtype:not-suspicious; sid:2012985; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+#alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET SMTP Sophos.com Block Message"; flow:established,from_server; content:"sophos.com"; classtype:not-suspicious; sid:2012984; rev:2; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Abuseat.org Block Message"; flow:established,from_server; content:"abuseat.org"; classtype:not-suspicious; sid:2012982; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SMTP Spamcop.net Block Message"; flow:established,from_server; content:"spamcop.net"; classtype:not-suspicious; sid:2012983; rev:3; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
+
+alert smtp any any -> any any (msg:"ET SMTP Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:3; metadata:created_at 2014_10_02, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
+
+alert tcp any any -> $SMTP_SERVERS [25,587] (msg:"ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; fast_pattern; content:"|0d 0a 2d 2d|"; distance:0; pcre:"/^(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{0,69}?[^\x2d])--(?:\x0d\x0a(?!--|\x2e|RSET)[^\r\n]*?)*\x0d\x0a--(?P=boundary)\x0d\x0a/R"; reference:url,www.certego.local/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:2023255; rev:2; metadata:attack_target SMTP_Server, created_at 2016_09_22, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2022_03_17;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002880; classtype:attempted-dos; sid:2002880; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002881; classtype:attempted-dos; sid:2002881; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002882; classtype:attempted-dos; sid:2002882; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; depth:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002926; classtype:attempted-dos; sid:2002926; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port"; content:"|02 01|"; depth:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002927; classtype:attempted-dos; sid:2002927; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert udp $EXTERNAL_NET !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; depth:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; reference:url,doc.emergingthreats.net/bin/view/Main/2002928; classtype:attempted-dos; sid:2002928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; content:"ILMI"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011011; classtype:attempted-admin; sid:2011011; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI"; flow:to_server,established; content:"ILMI"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml; reference:url,doc.emergingthreats.net/2011012; classtype:attempted-admin; sid:2011012; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; content:"cable-docsis"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011013; classtype:attempted-admin; sid:2011013; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis"; flow:to_server,established; content:"cable-docsis"; nocase; reference:url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml; reference:url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm; reference:url,www.kb.cert.org/vuls/id/840665; reference:cve,2004-1776; reference:url,doc.emergingthreats.net/2011014; classtype:attempted-admin; sid:2011014; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2; metadata:created_at 2013_01_09, updated_at 2013_01_09;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:3; metadata:created_at 2013_01_09, former_category SNMP, updated_at 2017_08_24;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:13; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern; classtype:policy-violation; sid:2015856; rev:6; metadata:created_at 2012_11_01, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:3; metadata:created_at 2012_11_29, updated_at 2019_10_08;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:2100227; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:12; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap";  reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:11; metadata:created_at 2010_09_23, updated_at 2020_08_20;)
+
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
+
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET SQL MSSQL sp_replwritetovarbin - potential memory overwrite case 1"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008909; classtype:attempted-user; sid:2008909; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL Slammer Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102003; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:2101775; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:2101776; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:2101698; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:2101674; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:2101673; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2102049; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100677; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:2100678; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100683; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:2100684; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:2100685; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:2100692; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:2100693; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:2100694; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
+
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=skillsnew.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_25, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_09_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (cmyip.com in HTTP Host)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"cmyip.com"; fast_pattern; endswith; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:9; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; threshold:type limit, seconds 300, count 1, track by_src; http.method; content:"POST"; http.uri; content:"metadata.svc"; endswith; http.header; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; fast_pattern; classtype:misc-activity; sid:2025275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_31, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"windsecdown.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"downloadsecurity.info"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category MALWARE, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"tratatata.space"; nocase; endswith; reference:md5,e5eeb5560fcea89abdfb3ea8ec2091ec; classtype:command-and-control; sid:2028640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"rmedia15.ru"; nocase; endswith; reference:md5,3f9f8a007ad6982b14fb74d4583bdd4b; classtype:command-and-control; sid:2028641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".connectioncdn.com"; nocase; endswith; classtype:trojan-activity; sid:2028649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_04, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN WSFuzzer Web Application Fuzzing"; flow:to_server,established; http.uri; content:"/ServiceDefinition"; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; reference:url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project; reference:url,doc.emergingthreats.net/2008628; classtype:attempted-recon; sid:2008628; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Esion CnC Checkin"; flow:established,to_server; http.uri; content:"/bot/gate.php"; fast_pattern; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2; classtype:command-and-control; sid:2013211; rev:4; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; http.header; content:"myip.ozymo.com"; fast_pattern; nocase; classtype:external-ip-check; sid:2013217; rev:4; metadata:created_at 2011_07_06, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; http.uri; content:"/upload/UploadFiles.aspx?askId="; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; http.user_agent; content:"REBATEINF"; fast_pattern; startswith; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:4; metadata:created_at 2011_12_20, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iebar Spyware User Agent (iebar)"; flow:established,to_server; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"|3b 20|iebar"; fast_pattern; reference:url,doc.emergingthreats.net/2007583; classtype:trojan-activity; sid:2007583; rev:12; metadata:created_at 2010_07_30, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Ixeshe"; flow:to_server,established; http.header; content:"User-Agent|3a 20|User-Agent|3a 20|"; nocase; http.uri; content:"/ym/Attachments?YY="; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:7; metadata:created_at 2012_03_22, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAvCn-A Checkin 1"; flow:established,to_server; urilen:10; http.method; content:"GET"; nocase; http.uri; content:"/support/s"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; classtype:command-and-control; sid:2014855; rev:5; metadata:created_at 2012_06_05, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"type="; content:"lien_2="; fast_pattern; nocase; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:7; metadata:created_at 2011_09_19, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; http.uri; content:"~1"; fast_pattern; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:5; metadata:created_at 2012_07_04, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; http.uri; content:"/net/?u="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.0)"; startswith; http.host; content:"net"; startswith; content:"net.net"; distance:2; within:7; endswith; pcre:"/^net[0-4]{2}net\.net$/i"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; http.user_agent; content:"PTX"; endswith; fast_pattern; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:6; metadata:created_at 2011_10_19, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; http.user_agent; content:"w3af.sf.net"; fast_pattern; classtype:attempted-recon; sid:2015484; rev:4; metadata:created_at 2012_07_18, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; http.uri; content:"/tuner/?StationId="; fast_pattern; http.header; content:"tunein.com|0d 0a|"; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:4; metadata:created_at 2012_07_18, updated_at 2020_09_17;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla  com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jeformcr"; fast_pattern; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bsadv"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_mailchimpccnewsletter"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lile.A DoS Outbound"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.header; content:"UserAgent|3a|"; content:"Windows 98"; fast_pattern; http.host; content:"www.fbi.gov"; startswith; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:5; metadata:created_at 2012_08_07, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Sutra TDS /simmetry"; flow:to_server,established; http.uri; content:"/simmetry?"; fast_pattern; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:exploit-kit; sid:2015593; rev:4; metadata:created_at 2012_08_09, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; http.uri; content:"/spl_data/"; fast_pattern; http.header; content:"|20|Java/"; classtype:exploit-kit; sid:2015603; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_08_10, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/was/uid.php"; fast_pattern; reference:md5,3ccc73f049a1de731baf7ea8915c92a8; reference:md5,91ce41376a5b33059744cb58758213bb; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:md5,21880326089f2eab466128974fc70d24; classtype:command-and-control; sid:2015623; rev:4; metadata:created_at 2012_08_14, former_category MALWARE, malware_family URLZone, tag Banking_Trojan, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; http.uri; content:"/go.php?sid="; fast_pattern; classtype:trojan-activity; sid:2015675; rev:5; metadata:created_at 2012_09_05, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploadify.php"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:4; metadata:created_at 2012_09_08, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; http.uri; content:"/1."; fast_pattern; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//"; classtype:exploit-kit; sid:2015693; rev:4; metadata:created_at 2012_09_11, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; within:2; classtype:exploit-kit; sid:2015695; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_09_11, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; http.uri; content:"/login.uix"; fast_pattern; nocase; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:7; metadata:created_at 2010_09_23, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; http.uri; content:"/iLog.php?dl="; fast_pattern; content:"&log="; http.user_agent; content:"IE"; startswith; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:command-and-control; sid:2013534; rev:9; metadata:created_at 2011_09_03, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; http.uri; content:"ch=1"; fast_pattern; pcre:"/ch=1$/"; http.request_body; content:"ch=1"; depth:4; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:md5,99fab94fd824737393f5184685e8edf2; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; classtype:command-and-control; sid:2015799; rev:8; metadata:created_at 2012_10_13, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; urilen:39; http.method; content:"POST"; http.uri; content:"/?ptrxcz_"; fast_pattern; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:command-and-control; sid:2015807; rev:5; metadata:created_at 2012_10_05, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fujacks Activity"; flow:to_server,established; http.header; content:".whboy.net|0d 0a|"; nocase; fast_pattern; http.user_agent; content:"QQ"; bsize:2; classtype:trojan-activity; sid:2015814; rev:14; metadata:created_at 2012_10_18, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; http.user_agent; content:"Windows NT 9"; nocase; fast_pattern; classtype:trojan-activity; sid:2015822; rev:5; metadata:created_at 2012_10_19, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot initial checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?ver="; content:"&p=cert123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015854; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Georbot checkin"; flow:to_server,established; http.uri; content:".php?ver="; content:"&p=bot123"; fast_pattern; content:"&id="; classtype:command-and-control; sid:2015855; rev:4; metadata:created_at 2012_11_01, former_category MALWARE, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 2"; nocase; fast_pattern; classtype:trojan-activity; sid:2015899; rev:5; metadata:created_at 2012_11_20, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 3"; nocase; fast_pattern; classtype:trojan-activity; sid:2015900; rev:6; metadata:created_at 2012_11_20, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; http.uri; content:".php?x=img&img="; fast_pattern; classtype:web-application-activity; sid:2015926; rev:4; metadata:created_at 2012_11_24, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; http.uri; content:"/sftp-config.json"; fast_pattern; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:4; metadata:created_at 2012_11_27, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; http.uri; content:"/core/Loader.php?"; fast_pattern; nocase; content:"g="; content:"s="; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:5; metadata:created_at 2012_11_28, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown EK Landing URL"; flow:established,to_server; http.uri; content:".php?dentesus=208779"; fast_pattern; classtype:exploit-kit; sid:2015964; rev:13; metadata:created_at 2012_11_30, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; http.uri; content:"/js/java.js"; fast_pattern; http.host; content:"."; offset:2; depth:1; pcre:"/^[a-z]{2}\./"; classtype:exploit-kit; sid:2015982; rev:4; metadata:created_at 2012_12_04, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/admin/admin_header.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:5; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/ajax_list_tree.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:4; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/previews_functions.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:4; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dispatch.php?"; nocase; content:"atkaction=search"; fast_pattern; nocase; content:"atknodetype="; nocase; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/consulta_fact.php?"; nocase; fast_pattern; content:"fact_num="; nocase; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newinventario.php?"; nocase; fast_pattern; content:"sn="; nocase; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newtransact.php?"; nocase; fast_pattern; content:"ref="; nocase; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeBot grab data plaintext"; flow:established,to_server; http.request_body; content:"cmd=grab&data="; fast_pattern; content:"&login="; classtype:trojan-activity; sid:2016011; rev:6; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/hava_user.php?"; nocase; fast_pattern; content:"userId="; nocase; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"module="; nocase; content:"view="; nocase; content:"having="; nocase; fast_pattern; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ssi_examples.php?"; nocase; fast_pattern; content:"view="; nocase; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/group/members.php?"; nocase; fast_pattern; content:"id="; nocase; content:"query="; nocase; pcre:"/query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,securityfocus.com/bid/56718; classtype:web-application-attack; sid:2016156; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/up.php?del="; nocase; fast_pattern; content:"del="; nocase; reference:url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html; classtype:web-application-attack; sid:2016198; rev:5; metadata:created_at 2013_01_12, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/run1/pr.php?p1="; fast_pattern; content:"&p2="; content:"&id="; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016206; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Iyus.H work_troy.php CnC Request"; flow:established,to_server; http.uri; content:"/work_troy.php?id="; fast_pattern; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:command-and-control; sid:2016207; rev:5; metadata:created_at 2013_01_15, former_category MALWARE, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload"; flow:established,to_server; http.uri; content:"/pir/bfg.php?dll="; fast_pattern; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2016208; rev:5; metadata:created_at 2013_01_15, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_collector"; nocase; fast_pattern; content:"view="; nocase; reference:url,exploit-db.com/exploits/24228/; classtype:web-application-attack; sid:2016288; rev:5; metadata:created_at 2013_01_25, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible JDB Exploit Kit Class Request"; flow:established,to_server; http.uri; content:"/jdb/"; nocase; content:".class"; nocase; pcre:"/\/jdb\/[^\/]+\.class$/i"; http.header; content:"|20|Java/1"; fast_pattern; classtype:exploit-kit; sid:2016308; rev:8; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; http.uri; content:"/lib/adobe.php?id="; nocase; fast_pattern; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/i"; classtype:exploit-kit; sid:2016310; rev:7; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Landing Pattern"; flow:established,to_server; http.uri; content:"/i.php?token="; fast_pattern; nocase; pcre:"/\/i.php?token=[a-z0-9]+$/i"; classtype:exploit-kit; sid:2015998; rev:5; metadata:created_at 2012_12_08, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Beebus HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/s/asp?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3B 20 29 0D 0A|"; startswith; reference:url,blog.fireeye.com/research/2013/02/operation-beebus.html; classtype:command-and-control; sid:2016342; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; http.uri; content:"/jerk.cgi?"; fast_pattern; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:exploit-kit; sid:2016352; rev:4; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:2100673; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Secondary Landing"; flow:established,to_server; http.uri; content:".js"; pcre:"/^[a-z]+\.js$/"; http.referer; content:"/i.html"; fast_pattern; pcre:"/^(\?[^=]{1,10}=[^&\r\n]{100,})?$/Ri"; classtype:exploit-kit; sid:2016347; rev:8; metadata:created_at 2013_02_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; http.user_agent; content:"<?php"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; http.user_agent; content:"base64_decode("; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; http.uri; content:"/forum/images.php?id"; nocase; fast_pattern; http.user_agent; content:"Mozilla/6"; depth:9; content:"|20|MSIE|20|"; distance:0; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:7; metadata:created_at 2013_02_19, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBeplay Downloading Design"; flow:established,to_server; http.uri; content:".CAB.bin"; fast_pattern; pcre:"/[a-z]{2}\.CAB.bin/"; http.header; content:"|20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)|0d 0a|"; classtype:trojan-activity; sid:2016489; rev:6; metadata:created_at 2013_02_22, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw CnC Configuration File Request"; flow:established,to_server; http.uri; content:"&id="; content:"&inst="; content:"&net"; content:"&cmd=cfg"; fast_pattern; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016508; rev:4; metadata:created_at 2013_02_27, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; http.uri; content:"/send.php?a_id="; content:"&telno="; fast_pattern; content:"&m_addr="; http.user_agent; content:"Android"; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:command-and-control; sid:2014161; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Exploit Request"; flow:established,to_server; http.uri; content:"/module.php?e="; fast_pattern; pcre:"/\.php\?e=[^&]+?$/"; classtype:exploit-kit; sid:2016523; rev:4; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Request for fake postal receipt from e-mail link"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:"receipt="; nocase; fast_pattern; pcre:"/\.php\?(print_)?receipt=(s00|\d{3})_\d+$/i"; classtype:trojan-activity; sid:2016359; rev:5; metadata:created_at 2013_02_07, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LetsGo.APT Sleep CnC Beacon"; flow:established,to_server; http.uri; pcre:"/\.html\?[0-9]{10}$/"; http.user_agent; content:"sleep|20|"; fast_pattern; startswith; pcre:"/^sleep \d+[\r\x2c]/"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html; classtype:targeted-activity; sid:2016568; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; http.uri; content:"/news/show.asp?id1="; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1"; startswith; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016572; rev:4; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; http.uri; content:"/RegistUid.asp"; fast_pattern; nocase; content:"?pid="; nocase; content:"&cid="; nocase; content:"&imei="; nocase; content:"&sim="; nocase; content:"&imsi="; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_09, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/usr/bin/perl"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/bin/sh"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8; metadata:created_at 2010_09_28, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Galock Ransomware Check-in"; flow:established,to_server; http.uri; content:"&os="; content:"&hostname="; content:"&codepage="; content:"&account"; http.header; content:"|3a 20|Mozilla/4.1|20|"; fast_pattern; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"error in your SQL syntax"; fast_pattern; classtype:bad-unknown; sid:2016672; rev:4; metadata:created_at 2013_03_27, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enchanim Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"svchost.exe"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.01|3b 20|Windows NT 5.0)"; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:command-and-control; sid:2016707; rev:6; metadata:created_at 2013_04_01, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Data Exfiltration POST to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adserv/get.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016727; rev:4; metadata:created_at 2013_04_05, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BaneChant.APT Initial CnC Beacon"; flow:established,to_server; http.uri; content:"/adserv/logo.jpg"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV2)"; bsize:55; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016728; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?id="; content:"&os="; content:"&bot_id="; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Revoyem Ransomware Activity"; flow:established,to_server; http.uri; content:".php?id="; content:"&gr"; fast_pattern; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Haxdoor Reporting User Activity 2"; flow:established,to_server; http.uri; content:"param="; content:"&socksport="; content:"&httpport="; fast_pattern; content:"&uptime"; content:"&uid="; content:"&ver="; reference:md5,e787c4437ff67061983cd08458f71c94; reference:md5,1777f0ffa890ebfcc7587957f2d08dca; reference:md5,d86b9eaf9682d60cb8b928dc6ac40954; reference:url,doc.emergingthreats.net/2002929; reference:md5,0995ecb8bb78f510ae995a50be0c351a; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; classtype:trojan-activity; sid:2002929; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET SQL MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_06_16, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PDF - Acrobat Enumeration - pdfobject.js"; flow:established,to_server; http.uri; content:"/pdfobject.js"; fast_pattern; classtype:misc-activity; sid:2016765; rev:4; metadata:created_at 2013_04_18, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BitCoin User-Agent Likely Bitcoin Miner"; flow:established,to_server; http.user_agent; content:"BitCoin"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=11059; classtype:coin-mining; sid:2013457; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, deployment Datacenter, former_category POLICY, signature_severity Informational, tag Bitcoin_Miner, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|AMD-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aAMD-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:9; metadata:created_at 2012_10_13, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"|3b|c|3a|INT-"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3aINT-/"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:10; metadata:created_at 2012_10_13, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO myobfuscate.com Encoded Script Calling home"; flow:to_server,established; http.uri; content:"/?getsrc="; content:"&url="; http.header; content:"api.myobfuscate.com|0d|"; nocase; fast_pattern; classtype:misc-activity; sid:2016802; rev:6; metadata:created_at 2013_05_01, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medfos Connectivity Check"; flow:established,to_server; http.uri; content:"/uploading/id="; fast_pattern; http.uri.raw; pcre:"/^\/uploading\/id=\d{2,20}&u=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:misc-activity; sid:2016800; rev:8; metadata:created_at 2013_05_01, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cookies/Cookiebag Checkin"; flow:to_server,established; http.uri; content:"/indexs.zip"; fast_pattern; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:command-and-control; sid:2016808; rev:4; metadata:created_at 2013_05_02, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Activity"; flow:established,to_server; http.uri; content:".php?version="; fast_pattern; content:"&user="; content:"&server="; content:"&crc="; pcre:"/user=[a-f0-9]{31,32}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6; metadata:created_at 2012_02_24, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Zusy.45802 Checkin"; flow:to_server,established; http.uri; content:".php?uid="; fast_pattern; content:"&affid="; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1)"; pcre:"/^$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2016816; rev:5; metadata:created_at 2013_05_04, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Fake Opera 10 User-Agent"; flow:established,to_server; http.user_agent; content:"Opera/10|20|"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:2016823; rev:6; metadata:created_at 2013_05_04, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE Possible Linux/Cdorked.A CnC"; flow:established,to_server; http.uri; content:"/favicon.iso?"; fast_pattern; reference:url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:command-and-control; sid:2016850; rev:4; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; http.uri; content:"|2f|crx|2f|blobs"; nocase; fast_pattern; http.user_agent; content:"|20|Chrome/"; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:5; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover Campaign Keylogger Checkin"; flow:established,to_server; http.uri; content:".php?fol="; fast_pattern; content:"&ac="; content:"AVs"; content:"OS"; content:"SystemDT"; content:"AppVersion"; content:"DropPath"; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016861; rev:4; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; http.uri; content:"/hyper/fm.php?tp=in"; fast_pattern; content:"&tg="; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016863; rev:4; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; http.uri; content:"/wakeup/access.php"; fast_pattern; http.user_agent; content:"UPHTTP"; depth:6; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016864; rev:5; metadata:created_at 2013_05_21, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Firefox Plugin install"; flow:to_server,established; http.uri; content:".xpi"; nocase; fast_pattern; endswith; http.user_agent; content:"|20|Firefox/"; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:2016846; rev:6; metadata:created_at 2013_05_14, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Registering Client"; flow:established,to_server; http.uri; content:"/gate.php?reg="; fast_pattern; pcre:"/\/gate\.php\?reg=(?:[a-z]{10}|[A-Za-z]{15})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016899; rev:6; metadata:created_at 2013_05_21, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Briba CnC POST Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index"; depth:6; content:".asp"; distance:9; within:4; http.header; content:"Content-Length|3a 20|00"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.host; content:"update.microsoft.com"; startswith; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:command-and-control; sid:2016911; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; http.uri; content:"/smadstat.php?mac="; fast_pattern; content:"&key="; content:"&name="; content:"&os="; content:"&build="; content:"&old="; content:"&comp="; http.user_agent; content:"Smart-RTP"; depth:9; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:md5,a80f33c94c44556caa2ef46cd5eb863c; classtype:command-and-control; sid:2016914; rev:5; metadata:created_at 2013_05_23, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:3; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; http.uri; content:"xwork"; nocase; content:"MethodAccessor"; nocase; content:"denyMethodExecution"; nocase; fast_pattern; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:4; metadata:created_at 2013_05_24, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; http.header; content:"chunked"; nocase; fast_pattern; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/i"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:8; metadata:created_at 2013_05_23, former_category WEB_SERVER, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] ![139,445] (msg:"ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tcp-pkt any any -> any any (msg:"ET INFO [401TRG] RPCNetlogon UUID (CVE-2020-1472) (Set)"; flow:established,to_server; content:"|05 00 0B|"; depth:3; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 cf fb|"; distance:0; flowbits:set,dcerpc.rpcnetlogon; flowbits:noalert; reference:cve,2020-1472; classtype:misc-activity; sid:2030888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_18, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; content:"|05 00 00|"; depth:3; content:"|1a 00|"; distance:19; within:3; content:"|00 00 00 00 00 00 00 00|"; isdataat:!5,relative; threshold:type both, track by_src, seconds 60, count 3; reference:cve,2020-1472; classtype:attempted-admin; sid:2030889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; http.uri; content:"LOAD_FILE("; nocase; fast_pattern; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; http.host; content:".net78.net"; endswith; fast_pattern; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:4; metadata:created_at 2013_05_30, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Trup.CX Checkin 1"; flow:to_server,established; http.uri; content:"/sms/do|2e|php?userid="; nocase; fast_pattern; content:"&time="; nocase; content:"&msg="; nocase; content:"&pauid="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE; classtype:command-and-control; sid:2016951; rev:7; metadata:created_at 2011_03_14, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"AuthenticAMD|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:12; metadata:created_at 2013_06_01, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; http.uri; content:"ts="; nocase; content:"affid="; nocase; http.user_agent; content:"GenuineIntel|3b|"; fast_pattern; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:13; metadata:created_at 2013_06_01, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; http.uri; content:"allow_url_include"; fast_pattern; pcre:"/\ballow_url_include\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; http.uri; content:"safe_mode"; fast_pattern; pcre:"/\bsafe_mode\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; http.uri; content:"open_basedir"; fast_pattern; pcre:"/\bopen_basedir\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:6; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; http.uri; content:"auto_prepend_file"; fast_pattern; pcre:"/\bauto_prepend_file\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; http.uri; content:"suhosin.simulation"; fast_pattern; pcre:"/\bsuhosin\.simulation\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:6; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; http.uri; content:"disable_functions"; fast_pattern; pcre:"/\bdisable_functions[\s\+]*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:7; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Travnet.A Checkin"; flow:to_server,established; http.uri; content:".asp?hostid="; content:"&hostname="; content:"&hostip="; content:"&filename="; content:"&filestart="; content:"&filetext=begin|3a 3a|"; fast_pattern; pcre:"/\?hostid=[0-9A-F]+?&/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:command-and-control; sid:2016968; rev:7; metadata:created_at 2013_03_01, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tobfy.S"; flow:established,from_client; http.uri; content:"/upload/img.jpg"; fast_pattern; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:6; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; http.request_body; content:"xp_cmdshell"; nocase; fast_pattern; classtype:bad-unknown; sid:2017010; rev:5; metadata:created_at 2013_06_13, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TripleNine RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/999"; fast_pattern; bsize:4; http.header; content:".0|0d 0a|Host"; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2017021; rev:7; metadata:created_at 2013_06_15, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Webserver Backdoor"; flow:established,to_server; http.user_agent; content:"SEX/1"; nocase; fast_pattern; startswith; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017026; rev:4; metadata:created_at 2013_06_18, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; http.method; content:"GET"; nocase; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/"; http.header; content:"User-Agent|3a|"; depth:11; http.user_agent; content:"|20|MSIE 6.0|3b|"; content:".NET CLR 1.1.4322"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:targeted-activity; sid:2017036; rev:5; metadata:created_at 2013_06_20, former_category MALWARE, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; http.uri; content:".php?ver="; content:"&cver="; fast_pattern; content:"&id="; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:7; metadata:created_at 2010_10_25, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (5)"; flow:established,to_server; http.uri; content:".txt?e="; nocase; fast_pattern; pcre:"/\.txt\?e=\d+(?:&[fh]=\d+)?$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016414; rev:10; metadata:created_at 2013_02_16, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; http.uri; content:"/?wps="; depth:6; fast_pattern; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:exploit-kit; sid:2017068; rev:4; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Redirect to DotkaChef EK Landing"; flow:established,from_server; http.stat_code; content:"302"; http.location; pcre:"/^[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/i"; http.header; content:".js?cp="; fast_pattern; classtype:exploit-kit; sid:2017077; rev:5; metadata:created_at 2013_06_29, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; http.uri; content:".asp?action="; nocase; fast_pattern; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(?:&|$)/i"; classtype:trojan-activity; sid:2017091; rev:4; metadata:created_at 2013_07_02, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT - Possible Redkit 1-4 char JNLP request"; flow:established,to_server; urilen:<11; http.uri; content:".jnlp"; endswith; nocase; fast_pattern; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/"; classtype:exploit-kit; sid:2016811; rev:8; metadata:created_at 2013_05_03, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; http.uri; content:"|0D 0A|"; fast_pattern; pcre:"/[\n\r](?:content-(?:type|length)|set-cookie|location)\x3a/i"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:5; metadata:created_at 2013_07_13, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Compromise svchost.jpg Beacon - Java  Zeroday"; flow:established,to_server; http.uri; content:"/svchost.jpg"; fast_pattern; http.user_agent; content:"Java/1."; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; http.uri; content:"/vw.php?i="; fast_pattern; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:8; metadata:created_at 2013_06_12, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT JDB Exploit Kit JAR Download"; flow:established,to_server; http.uri; content:".php?id="; nocase; pcre:"/\.php\?id=[a-f0-9]{32}$/i"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016309; rev:9; metadata:created_at 2013_01_30, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; http.uri; content:"/Java-SPLOIT.jar"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2016521; rev:7; metadata:created_at 2013_03_05, former_category EXPLOIT_KIT, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Loader default URI struct"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pony"; fast_pattern; content:"/gate.php"; nocase; classtype:trojan-activity; sid:2017065; rev:6; metadata:created_at 2013_06_25, former_category CURRENT_EVENTS, updated_at 2020_09_18;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CBReplay.P Ransomware"; flow:established,to_server; urilen:33; http.uri; pcre:"/^\/[a-f0-9]{32}$/"; http.user_agent; content:"MSIE 9.0|3b|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2017269; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Configuration File Request"; flow:established,to_server; flowbits:set,et.stealrat.config; http.uri; content:"/lts.txt"; fast_pattern; pcre:"/^\x2Flts\x2Etxt$/"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017274; rev:4; metadata:created_at 2013_08_05, former_category MALWARE, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/StealRat.SpamBot Email Template Request"; flow:established,to_server; http.uri; content:"/ae1.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017276; rev:4; metadata:created_at 2013_08_05, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco Reporting Hacked Accounts"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bruteres.php"; fast_pattern; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; classtype:trojan-activity; sid:2017311; rev:5; metadata:created_at 2013_08_12, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; http.uri; content:"option=com_media"; nocase; fast_pattern; http.request_body; content:"Filedata[]"; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/i"; classtype:attempted-user; sid:2017327; rev:4; metadata:created_at 2013_08_14, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Proxychecker Lookup"; flow:established,to_server; http.uri; content:"/proxy/proxychecker/"; nocase; fast_pattern; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis; classtype:trojan-activity; sid:2017344; rev:5; metadata:created_at 2013_08_19, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Troj.Cidox Checkin"; flow:established,to_server; http.uri; content:".php?sign="; fast_pattern; content:"&key="; content:"&av="; content:"&os="; content:"&vm="; content:"&digital="; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:command-and-control; sid:2017349; rev:5; metadata:created_at 2013_05_14, former_category MALWARE, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; http.method; content:"POST"; http.uri; content:"/adminapi/administrator.cfc?"; nocase; content:"method"; nocase; content:"login"; nocase; http.request_body; content:"rdsPasswordAllowed"; nocase; fast_pattern; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(?:true|1)/i"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:4; metadata:created_at 2013_08_22, updated_at 2020_09_19;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RegSubsDat Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:command-and-control; sid:2014310; rev:7; metadata:created_at 2012_03_05, former_category MALWARE, updated_at 2020_09_20;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitcoin variant Checkin"; flow:to_server,established; http.uri; content:"/register_slave.php"; fast_pattern; http.header_names; content:!"|0d 0a|Referer"; nocase; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; classtype:coin-mining; sid:2017369; rev:4; metadata:created_at 2013_08_23, former_category MALWARE, updated_at 2020_09_20;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Vabushky.A Malicious driver download"; flow:established,to_server; http.uri; content:".bmp.gz"; fast_pattern; pcre:"/\/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$/i"; reference:url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/; classtype:trojan-activity; sid:2017377; rev:4; metadata:created_at 2013_08_27, updated_at 2020_09_20;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SERVER["; fast_pattern; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_GET["; fast_pattern; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_POST["; fast_pattern; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SERVER["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_GET["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_POST["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Waledac FACEPUNCH Traffic Detected"; flow:to_server,established; http.method; content:"POST"; depth:4; http.header; content:"X-Request-Kind-Code|3a 20|"; fast_pattern; http.user_agent; content:"Mozilla"; startswith; http.referer; content:"Mozilla"; nocase; bsize:7; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf; classtype:trojan-activity; sid:2017455; rev:8; metadata:created_at 2013_09_11, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Dipverdle.A Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cp/?"; nocase; fast_pattern; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/i"; http.request_body; content:"token="; nocase; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:4; metadata:created_at 2013_09_17, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unicorn Stealer Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename="; content:"form-data|3b 20|name=|22|filename|22 0d 0a|"; content:"form-data|3b 20|name=|22|submit|22 0d 0a|"; content:"form-data|3b 20|name=|22|id|22 0d 0a|"; content:"form-data|3b 20|name=|22|src|22 0d 0a|"; fast_pattern; content:"form-data|3b 20|name=|22|type|22 0d 0a|"; content:"form-data|3b 20|name=|22|on|22 0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1307025445536239616; reference:md5,852646191db6768157a7fddcc13afed2; classtype:trojan-activity; sid:2030894; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-09-21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"xbalti"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&passid="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2033006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; http.uri; content:".swf"; offset:66; depth:4; endswith; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/i"; classtype:exploit-kit; sid:2016799; rev:5; metadata:created_at 2013_04_29, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Caphaw Requesting Additional Modules From CnC"; flow:established,to_server; http.uri; content:"/ping.html?r="; fast_pattern; content:!"/utils/"; pcre:"/\x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$/"; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:command-and-control; sid:2016507; rev:7; metadata:created_at 2013_02_27, former_category MALWARE, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-driver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-driver"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017519; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-process)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-process"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017521; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert  http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-cmd-shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-cmd-shell"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017522; rev:4; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DATA-BROKER BOT Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"g="; depth:2; content:"&cmd="; fast_pattern; pcre:"/^g=[A-Z0-9]+&cmd=/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:5; metadata:created_at 2013_09_25, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT LightsOut EK POST Compromise POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?id="; nocase; content:"&v1="; nocase; content:"&v2="; nocase; fast_pattern; content:"&q="; nocase; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:exploit-kit; sid:2017544; rev:4; metadata:created_at 2013_09_30, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; flowbits:set,et.exploitkitlanding; http.uri; content:".php?"; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017554; rev:5; metadata:created_at 2013_10_03, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages"; flow:established,to_server; http.method; content:"POST"; http.host; content:".atwebpages.com"; fast_pattern; classtype:misc-activity; sid:2030890; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, signature_severity Informational, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; http.uri; content:".js?cp="; fast_pattern; pcre:"/\/[A-F0-9]{8}\.js\?cp=/"; classtype:exploit-kit; sid:2017555; rev:4; metadata:created_at 2013_10_03, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; http.uri; content:".js?"; fast_pattern; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/"; classtype:trojan-activity; sid:2017453; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FiestaEK js-redirect"; flow:established,to_server; http.uri; content:"/?"; fast_pattern; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/"; classtype:exploit-kit; sid:2017567; rev:5; metadata:created_at 2013_10_08, former_category EXPLOIT_KIT, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade.php"; nocase; fast_pattern; http.header; content:"Origin|3a|"; http.request_body; content:"&customerid="; nocase; content:"&htmlsubmit="; content:"username"; nocase; content:"confirmpassword"; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:4; metadata:created_at 2013_10_10, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible W32/KanKan tools.ini Request"; flow:established,to_server; http.uri; content:"/tools.ini"; fast_pattern; bsize:10; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017585; rev:5; metadata:created_at 2013_10_14, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kovter Ransomware Check-in"; flow:established,to_server; http.uri; content:".php?mode="; nocase; content:"&OS="; nocase; content:"&OSbit="; nocase; fast_pattern; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:14; metadata:attack_target Client_Endpoint, created_at 2013_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_09_21, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Egobot Checkin"; flow:to_server,established; http.uri; content:".php?arg1="; nocase; fast_pattern; content:"&arg2="; pcre:"/&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/i"; reference:url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; classtype:command-and-control; sid:2017600; rev:4; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; http.uri; content:"/WEB-INF/web.xml"; nocase; fast_pattern; http.uri.raw; content:"|2e 2e 2f|"; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:4; metadata:created_at 2013_10_17, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Install"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/stats/debug/"; fast_pattern; content:"/?ts="; content:"&ver="; content:"&group="; content:"&token="; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:4; metadata:created_at 2013_10_30, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msctcd.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskmgr.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wsqmocn.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_21;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?computer-name="; fast_pattern; content:"&username="; distance:0; http.accept_enc; content:"gzip, deflate"; http.header_names; content:!"Cache"; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030895; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-sharepoint.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030896; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Rampant_Kitten, updated_at 2020_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (RampantKitten CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=afalr-onedrive.com"; nocase; fast_pattern; endswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:domain-c2; sid:2030897; rev:1; metadata:attack_target Client_and_Server, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Rampant_Kitten, updated_at 2020_09_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RampantKitten APT TelB Python Variant - CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?Usrname="; fast_pattern; content:"&0S-Name="; distance:0; content:"&Pt-Name="; distance:0; content:"&ToolsIsActive"; endswith; http.user_agent; content:"Python-urllib/"; startswith; reference:url,research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign; classtype:command-and-control; sid:2030898; rev:1; metadata:created_at 2020_09_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Rampant_Kitten, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lgfxsrvc.exe"; nocase; fast_pattern; endswith; classtype:trojan-activity; sid:2017676; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wimhost.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winlog.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/waulct.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/alg.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mssrs.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhosts.exe"; nocase; fast_pattern; endswith; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:4; metadata:created_at 2013_11_06, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Stitur Secondary Download"; flow:established,from_server; http.header; content:".file|0d 0a|"; fast_pattern; content:"Content-Description|3a 20|File Transfer|0d 0a|"; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; pcre:"/filename=[a-f0-9]{13}\.file\r\n/"; classtype:trojan-activity; sid:2017700; rev:5; metadata:created_at 2013_11_09, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Monitor Request CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/monitor.php?resp=ID|3a|"; fast_pattern; content:"Target|3a|"; content:"Message|3a|"; pcre:"/\/monitor\.php\?resp=ID\x3a[A-Za-z]{15}/"; http.user_agent; content:"Mozilla/4.0 (SEObot)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017717; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.BlackRev Botnet Command Request CnC Beacon"; flow:established,to_server; http.uri; content:"/gate.php?cmd="; fast_pattern; pcre:"/\/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:command-and-control; sid:2017723; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_11_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; http.uri; content:"/pwn.jsp?"; nocase; fast_pattern; content:"cmd="; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:6; metadata:created_at 2013_11_20, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; http.uri; content:"cmd="; nocase; content:"pwd=dayoff"; nocase; fast_pattern; pcre:"/[&?]pwd=dayoff(?:&|$)/i"; pcre:"/[&?]cmd=/i"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:5; metadata:created_at 2013_12_06, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; http.uri; content:"isn_getlog"; nocase; fast_pattern; pcre:"/[?&]isn_getlog/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:7; metadata:created_at 2013_12_10, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/winhost"; nocase; fast_pattern; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017842; rev:4; metadata:created_at 2013_12_12, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS pony.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pony."; nocase; fast_pattern; pcre:"/\/pony\.(exe|pack)$/i"; classtype:trojan-activity; sid:2017843; rev:4; metadata:created_at 2013_12_12, former_category CURRENT_EVENTS, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kryptik Check-in"; flow:established,to_server; http.uri; content:".php?"; nocase; content:"&bot_id="; nocase; fast_pattern; pcre:"/\.php\?(q|name)=/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:attempted-user; sid:2017741; rev:5; metadata:created_at 2013_11_22, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:6; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; urilen:35<>37; http.method; content:"POST"; http.uri; content:".aspx?Random="; fast_pattern; pcre:"/^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$/i"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:targeted-activity; sid:2017858; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; http.uri; content:"/cfcexplorer.cfc"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:4; metadata:created_at 2013_12_17, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CritXPack Jar Request"; flow:established,to_server; http.uri; content:"/j.php?t=u00"; fast_pattern; http.user_agent; content:"Java/1."; classtype:exploit-kit; sid:2015960; rev:14; metadata:created_at 2012_11_29, former_category EXPLOIT_KIT, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN FOCA uri"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:5; metadata:created_at 2014_01_10, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; threshold:type both,track by_src,count 2,seconds 60; http.method; content:"POST"; http.uri; content:"/201"; fast_pattern; content:".jsp"; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)"; bsize:101; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:command-and-control; sid:2017967; rev:5; metadata:created_at 2014_01_14, former_category MALWARE, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Possible Process Dump in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"System Idle Process"; fast_pattern; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:6; metadata:created_at 2014_01_15, former_category INFO, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICEFOG JAVAFOG JAR checkin"; flow:to_server; http.method; content:"POST"; http.uri; content:"?title=2.0_-"; fast_pattern; http.user_agent; content:"Java"; startswith; http.request_body; content:"content=HostName|3a 20|"; depth:18; content:"|0d 0a|Java Version|3a 20|"; distance:0; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http.header_names; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:command-and-control; sid:2017972; rev:6; metadata:created_at 2014_01_15, former_category MALWARE, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; http.method; content:"GET"; http.uri; content:"/reboot/index.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:command-and-control; sid:2018023; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; http.host; content:"myip.ru"; fast_pattern; endswith; classtype:policy-violation; sid:2018021; rev:6; metadata:created_at 2014_01_28, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:5; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4; metadata:created_at 2014_02_03, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/StoredBt.A Activity"; flow:to_server,established; http.uri; content:".php?a1="; fast_pattern; pcre:"/\.php\?a1=\d+&a2=(?:[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}|(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4}))(?:&a\d+=[^&]+)+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,e8e9eb1cd4be7ab27743887be2aa28e9; classtype:trojan-activity; sid:2018074; rev:4; metadata:created_at 2014_02_05, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; content:"Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*?boundary\s*?=\s*?[^\r\n]/Ri"; isdataat:4091,relative; content:!"|0A|"; within:4091; http.header; content:"multipart/form-data"; fast_pattern; reference:url,blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html; reference:cve,2014-0050; classtype:web-application-attack; sid:2018113; rev:4; metadata:created_at 2014_02_12, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Jackpos Checkin 2"; flow:to_server,established; http.uri; content:"/post/echo"; fast_pattern; bsize:10; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,aa9686c3161242ba61b779aa325e9d24; reference:md5,88e721f62470f8bd267810fbaa29104f; reference:url,intelcrawler.com/about/press10; classtype:command-and-control; sid:2018128; rev:4; metadata:created_at 2014_02_13, former_category MALWARE, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alman Dropper Checkin"; flow:established,to_server; http.uri; content:"?action=post&HD="; fast_pattern; content:"&OT="; content:"&IV="; pcre:"/&HD=[A-F0-9]{32}&/"; reference:url,doc.emergingthreats.net/2009203; classtype:command-and-control; sid:2009203; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:4; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin 2"; flow:to_server,established; http.uri; content:"/cmd?version="; fast_pattern; content:"&aid="; content:"&id="; content:"&os="; pcre:"/&id=[a-f0-9]{8}(-[a-f0-9]{4}){4}[a-f0-9]{8}&os=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018198; rev:6; metadata:created_at 2014_01_22, former_category MALWARE, updated_at 2020_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; http.uri; content:"/login.uix"; fast_pattern; nocase; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:7; metadata:created_at 2010_09_23, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Geral Checkin"; http.uri; content:".asp?MAC="; nocase; fast_pattern; content:"&ver="; nocase; pcre:"/\.asp\?MAC=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&VER=[^&]+$/i"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f01260fff3d6fb705fc8afaa3ea54564; classtype:command-and-control; sid:2018201; rev:4; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_22;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; content:!"|29|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:4; metadata:created_at 2010_09_23, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels)"; flow:established,to_server; http.uri; content:"/log4jAdmin.jsp"; fast_pattern; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018202; rev:4; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2020_09_23;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.BSYO Checkin"; flow:to_server,established; http.uri; content:"/log?"; content:"|7c|aid="; fast_pattern; content:"|7c|version="; content:"|7c|id="; content:"|7c|os="; pcre:"/\/log\?(start|install)\x7caid=/"; reference:md5,494d0fb7efaabaf9c69edbc58360671f; reference:md5,1fd3e714669ac8a3bc4af33a3e6cf21f; reference:url,www.virusradar.com/en/Win32_Kryptik.BSYO/description; classtype:command-and-control; sid:2018205; rev:5; metadata:created_at 2014_03_04, former_category MALWARE, updated_at 2020_09_23;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Adultdns.net"; flow:established,to_server; http.host; content:".adultdns.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018211; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:2100492; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?r=cmd"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,e47a296bac49284371ac396a053a8488; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030904; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
+#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Servehttp.com"; flow:established,to_server; http.host; content:".servehttp.com"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018212; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Redirectme.net"; flow:established,to_server; http.host; content:".redirectme.net"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018214; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Zapto.org"; flow:established,to_server; http.host; content:".zapto.org"; fast_pattern; endswith; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018215; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MIRAI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MIRAI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023019; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain serveblog.net"; flow:established,to_server; http.host; content:".serveblog.net"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018217; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox ECCHI hackers - Possible Brute Force Attack"; flow:to_server,established; content:"ECCHI"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023304; rev:1; metadata:attack_target Server, created_at 2016_09_27, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain myftp.com"; flow:established,to_server; http.host; content:".myftp.com"; fast_pattern; endswith; reference:url,isc.sans.edu/diary/Fiesta!/17739; classtype:bad-unknown; sid:2018218; rev:4; metadata:created_at 2014_03_05, updated_at 2020_09_23;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET TELNET busybox MEMES Hackers - Possible Brute Force Attack"; flow:to_server,established; content:"MEMES"; flowbits:isset,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:attempted-admin; sid:2023901; rev:1; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_14, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2017_02_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; http.uri; content:"/ping/installping.aspx"; fast_pattern; content:"shortname="; content:"&os="; content:"&parents="; content:"&browserNames="; content:"&DefaultBrowserName="; content:"&langid="; content:"&installdate="; http.header; content:".installiq.com|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_05, deployment Perimeter, former_category POLICY, signature_severity Major, tag c2, updated_at 2020_09_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Styx Exploit Kit Payload Download"; flow:established,to_server; http.uri; content:".exe"; nocase; fast_pattern; content:"&h="; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/i"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016499; rev:16; metadata:created_at 2013_02_26, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3a 20|root"; fast_pattern; classtype:suspicious-login; sid:2100719; rev:9; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RDP Brute Force Bot Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cmd.php"; http.user_agent; content:"Browser"; depth:7; http.request_body; content:"name=|22|data|22|"; content:"{ |22|bad|22 20 3a 20|"; content:", |22|bruting|22 20 3a 20|"; fast_pattern; content:", |22|checked|22 20 3a 20|"; reference:md5,c0c1f1a69a1b59c6f2dab18135a73919; reference:md5,e310cf7385ae4d15956e461c6d118c91; reference:md5,d316d208a66248c09986896f671f1db1; reference:url,www.alienvault.com/open-threat-exchange/blog/botnet-bruteforcing-point-of-sale-via-remote-desktop/; classtype:command-and-control; sid:2018253; rev:8; metadata:created_at 2014_02_14, former_category MALWARE, updated_at 2020_09_23;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; fast_pattern; classtype:bad-unknown; sid:2101251; rev:10; metadata:created_at 2010_09_23, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Expiro.CD Check-in"; flow:established,to_server; http.uri; content:"/gate.php?user="; fast_pattern; content:"&id="; nocase; content:"&type="; pcre:"/\.php\?user=[a-f0-9]{32}&id=\d+&type=\d+(?:$|&)/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,c6e161a948f4474849d5740b2f27964a; classtype:trojan-activity; sid:2018255; rev:4; metadata:created_at 2014_03_12, updated_at 2020_09_23;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; pcre:"/^\/1[34]\d{8}\.pdf$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018258; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".htm"; fast_pattern; pcre:"/^\/1[34]\d{8}\.htm$/"; http.header; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2018259; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_03_12, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_23;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; reference:url,doc.emergingthreats.net/2008117; classtype:policy-violation; sid:2008117; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Goon EK Java Payload"; flow:established,to_server; http.uri; content:".mp3"; pcre:"/\/\d{6}\.mp3$/"; http.user_agent; content:"Java/1."; fast_pattern; classtype:exploit-kit; sid:2017755; rev:7; metadata:created_at 2013_11_25, former_category EXPLOIT_KIT, updated_at 2020_09_23;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP ACK"; content:"|00 04|"; depth:2; reference:url,doc.emergingthreats.net/2008118; classtype:policy-violation; sid:2008118; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_SLOTH.A Checkin"; flow:established,to_server; urilen:10; http.method; content:"GET"; http.uri; content:"/help.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,185e930a19ad1a99c226d59ef563e28c; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/; reference:url,fireeye.com/blog/technical/targeted-attack/2014/03/a-detailed-examination-of-the-siesta-campaign.html; classtype:command-and-control; sid:2018285; rev:6; metadata:created_at 2014_03_17, former_category MALWARE, updated_at 2020_09_23;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Error Message"; content:"|00 05|"; depth:2; reference:url,doc.emergingthreats.net/2008119; classtype:policy-violation; sid:2008119; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus GameOver Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"X-ID|3a 20|"; http.host; content:"default"; fast_pattern; startswith; content:!"."; reference:md5,bd850c21254c33cd9f6be41aafc6bf46; classtype:command-and-control; sid:2018296; rev:4; metadata:created_at 2014_03_18, former_category MALWARE, updated_at 2020_09_23;)
+#alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; fast_pattern; tls.cert_issuer; content:"C=Zhongguo, ST=Internet Security, L=ShenZhen, O=ESET, OU=Internet Security, CN=Eset Internet Security"; bsize:101; reference:url,twitter.com/bryceabdo/status/1308802052487774210; classtype:domain-c2; sid:2030901; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP root directory"; content:"|00 01|/"; depth:3; reference:cve,1999-0183; classtype:bad-unknown; sid:2100520; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SMSSend Fake flappy bird APK"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmark/getServiceCode?price="; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,securehoney.net/blog/how-to-dissect-android-flappy-bird-malware.html; reference:md5,6c357ac34d061c97e6237ce9bd1fe003; classtype:trojan-activity; sid:2018306; rev:5; metadata:created_at 2014_03_24, updated_at 2020_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP parent directory"; content:".."; offset:2; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:2100519; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nlog/nlog"; fast_pattern; content:".php"; http.header; content:"Content-Length|3a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:command-and-control; sid:2017465; rev:6; metadata:created_at 2013_09_16, former_category MALWARE, updated_at 2020_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Put"; content:"|00 02|"; depth:2; reference:cve,1999-0183; classtype:bad-unknown; sid:2100518; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=conwaytools.me"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:url,twitter.com/bryceabdo/status/1308743381099646976; classtype:domain-c2; sid:2030902; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp any any -> any 69 (msg:"GPL TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2102337; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http any any -> any 5000 (msg:"ET SCAN Hikvision DVR attempted Synology Recon Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webman/info.cgi?host="; fast_pattern; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:4; metadata:created_at 2014_04_02, former_category SCAN, updated_at 2020_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2102336; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mal/Ransom-CE Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/windows"; fast_pattern; endswith; http.user_agent; content:"MSIE"; http.host; content:"www.microsoft.com"; bsize:17; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,6faa7077de347ee0fa8c991934c2c3a5; reference:md5,a1fe3a7ff1ec997411b71212483eea33; reference:md5,97c0000473c5004d2e8c0464e322f429; classtype:trojan-activity; sid:2018295; rev:5; metadata:created_at 2014_03_18, updated_at 2020_09_23;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=TR, ST=Istanbul, L=Istanbul Buyuksehir Belediyesi, O=EsT Country, OU=ESTTKEY, CN=alahuakber"; bsize:93; fast_pattern; reference:url,twitter.com/bryceabdo/status/1308778721797640195; classtype:domain-c2; sid:2030903; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; http.user_agent; content:"Windows NT 8"; nocase; fast_pattern; content:!"NOKIA"; nocase; classtype:trojan-activity; sid:2015821; rev:6; metadata:created_at 2012_10_19, updated_at 2020_09_23;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/counter.img?theme="; fast_pattern; content:"&digits="; content:"&siteId="; http.user_agent; content:"Opera/9 (Windows NT"; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:command-and-control; sid:2015723; rev:6; metadata:created_at 2012_09_21, former_category MALWARE, updated_at 2020_09_23;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; flowbits:set,ET.Rbrute.incoming; http.user_agent; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; fast_pattern; nocase; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:5; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2020_09_23;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbasic.com Domain"; flow:established,to_server; http.host; content:".mrbasic.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018365; rev:4; metadata:created_at 2014_04_05, updated_at 2020_09_23;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:2101222; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp"; flow:established,to_server; http.uri; content:".asp?mevla=1"; nocase; fast_pattern; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018370; rev:6; metadata:created_at 2014_04_07, updated_at 2020_09_23;)
+alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Read Request"; content:"|00 01|"; depth:2; reference:url,doc.emergingthreats.net/2008120; classtype:policy-violation; sid:2008120; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Moist Stealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=moist.company"; nocase; endswith; classtype:domain-c2; sid:2030899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_09_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $HOME_NET any -> [$EXTERNAL_NET,!255.255.255.255] 69 (msg:"ET TFTP Outbound TFTP Write Request"; content:"|00 02|"; depth:2; reference:url,doc.emergingthreats.net/2008116; classtype:policy-violation; sid:2008116; rev:4; metadata:created_at 2010_07_30, updated_at 2017_01_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sehyioa Variant Activity (Download)"; flow:established,to_client; http.stat_code; content:"200"; file_data; content:"seCurEstrInGTogloBALAlLoCUnicOdE|28 20 24 28 27|76492d1116743f0423413b16050a5345MgB8A"; nocase; fast_pattern; reference:md5,fc30e902d1098b7efd85bd2651b2293f; reference:url,www.group-ib.com/blog/oldgremlin; classtype:trojan-activity; sid:2030905; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_23;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 20|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:5; metadata:created_at 2012_11_01, former_category TFTP, updated_at 2017_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moist Stealer CnC Exfil"; flow:established,to_server; http.uri; content:".php?id=";  content:"&caption="; distance:0; content:"|20|Moist|20|Stealer|20|gate|20|detected|20|new|20|log!"; nocase; distance:0; fast_pattern; content:"User|3a|"; nocase; distance:0; content:"IP|3a|"; nocase; distance:0; http.request_body; content:"].zip|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,f855dffcbd21d4e4a59eed5a7a392af9; classtype:command-and-control; sid:2030900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Moist_Stealer, signature_severity Major, updated_at 2020_09_23;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer With Cisco Config 2"; content:"|00 03|"; depth:2; content:"NVRAM config last update"; distance:0; classtype:policy-violation; sid:2024481; rev:2; metadata:affected_product Cisco_ASA, affected_product Cisco_PIX, affected_product CISCO_Catalyst, attack_target Networking_Equipment, created_at 2017_07_19, deployment Perimeter, former_category TFTP, performance_impact Moderate, signature_severity Major, updated_at 2017_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Trojan Downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?p="; fast_pattern; content:"&s="; content:"&v="; distance:0; content:"uid="; distance:0; content:"&q="; distance:0; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2009299; classtype:trojan-activity; sid:2009299; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_24;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET TFTP TFTPGUI Long Transport Mode Buffer Overflow"; content:"|00 02|"; depth:2; content:"|00|"; within:50; content:!"|00|"; within:9; reference:url,www.exploit-db.com/exploits/12482/; reference:url,packetstormsecurity.org/files/view/96395/tftputilgui-dos.rb.txt; reference:url,securityfocus.com/bid/39872/; classtype:attempted-dos; sid:2012051; rev:3; metadata:created_at 2010_12_14, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE hacker87 checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/AppEn.php"; fast_pattern; http.request_body; content:"parameter="; depth:10; reference:md5,0d7dd2a6c69f2ae7e575ee8640432c4b; classtype:command-and-control; sid:2018420; rev:4; metadata:created_at 2014_04_25, former_category MALWARE, updated_at 2020_09_24;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest - Post Data Form 01"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/post.aspx?"; fast_pattern; pcre:"/^\/post\.aspx\?[^&]+=[0-9]{9,10}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018425; rev:4; metadata:created_at 2014_04_28, updated_at 2020_09_24;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Spy.Win32.Zbot.qgxi Checkin"; flow:to_server,established; http.uri; content:".php?bot="; fast_pattern; http.cookie; content:"bot="; depth:4; reference:md5,0b450a92f29181065bc6601333f01b07; reference:md5,548fbf4dde27e725c0a1544f61362b50; reference:url,arbornetworks.com/asert/2014/04/trojan-eclipse-a-bad-moon-rising; classtype:command-and-control; sid:2018412; rev:10; metadata:created_at 2013_10_31, former_category MALWARE, updated_at 2020_09_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:"WHCC"; http_header; fast_pattern; nocase; pcre:"/^User-Agent\:[^\n]+WHCC/Hmi"; reference:url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start=; reference:url,doc.emergingthreats.net/2003925; classtype:trojan-activity; sid:2003925; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sefnit Checkin"; flow:established,to_server; http.uri; content:"/0001"; fast_pattern; pcre:"/^\/j\/[a-f0-9]{8}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{4}[\x2d\x5f]?[a-f0-9]{12}\/0001\/?$/"; reference:url,www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103; classtype:command-and-control; sid:2018448; rev:5; metadata:created_at 2014_05_05, former_category MALWARE, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan"; flow:to_server,established; content:"User-Agent|3a|"; nocase; content:!"rss"; nocase; pcre:"/User-Agent\:[^\n]+http\:\/\//i"; reference:url,doc.emergingthreats.net/bin/view/Main/2003394; classtype:trojan-activity; sid:2003394; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Register CnC Beacon"; flow:established,to_server; urilen:55; http.uri; content:"/el/sregister.php?name="; fast_pattern; pcre:"/^\x2Fel\x2Fsregister\x2Ephp\x3Fname\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018474; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User Agent no space"; flow:established,to_server; content:"|0d 0a|User-Agent|3a|"; content:!"|0d 0a|User-Agent|3a 20|"; classtype:bad-unknown; sid:2012180; rev:3; metadata:created_at 2011_01_15, former_category HUNTING, updated_at 2011_01_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/HelloBridge.Backdoor Login CnC Beacon"; flow:established,to_server; urilen:51; http.uri; content:"/el/slogin.php?uid="; fast_pattern; pcre:"/^\x2Fel\x2Fslogin\x2Ephp\x3Fuid\x3D[a-f0-9]{32}$/"; reference:url,www.secureworks.com/resources/blog/research/hellobridge-trojan-uses-heartbleed-news-to-lure-victims/; classtype:command-and-control; sid:2018475; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_05_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; content:"User-Agent|3a| Updater"; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003584; classtype:trojan-activity; sid:2003584; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hicrazyk.A Downloader Install CnC Beacon"; flow:established,to_server; http.uri; content:"/setup/?name="; fast_pattern; content:"&ini="; content:"&v="; http.user_agent; content:"NSISDL/"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FHicrazyk.A&ThreatID=-2147281007; reference:md5,ddb8110ec415b7b6f43c0ef2b4076d45; classtype:command-and-control; sid:2018435; rev:9; metadata:attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InetURL)"; flow:established,to_server; content:"User-Agent|3a| InetURL"; http_header; content:!"www.dell.com"; http_header; content:!"pdfmachine.com"; http_header; content:!"gs.apple.com"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008374; classtype:trojan-activity; sid:2008374; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2017_10_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Agent.ksja"; flow:established,to_server; http.uri; content:".php?m="; fast_pattern; pcre:"/\.php\?m=[A-F0-9]{12}/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (Compatible|3b 20|MSIE 6.0|3b 29 0d 0a|Host|3a|"; depth:54; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,3b440e052da726942763d11cf9e3f72c; classtype:trojan-activity; sid:2018507; rev:5; metadata:created_at 2014_05_29, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| "; http_header; content:!")|0d 0a|"; within:100; http_header; pcre:"/\(compatible[^\)]+\n/"; reference:url,doc.emergingthreats.net/2010906; classtype:bad-unknown; sid:2010906; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Crypt.nc Checkin"; flow:to_server,established; http.uri; content:".php?l"; content:"&rvz1="; fast_pattern; content:"&rvz2="; pcre:"/&rvz1=\d+&rvz2=\d+?$/"; http.header_names; content:!"Accept|0d 0a|"; reference:url,doc.emergingthreats.net/2008567; classtype:command-and-control; sid:2008567; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE"; flow:established,to_server; content:"user-agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:!"|0d 0a|VIA|3a 20|"; http_header; classtype:trojan-activity; sid:2012607; rev:4; metadata:created_at 2011_03_31, updated_at 2011_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS/Lotoor.Q"; flow:established, to_server; http.uri; content: "device_id="; pcre:"/^\d{10,20}&imsi=\d{10,15}&device_name=/Ri"; content:"&app_id="; pcre:"/^[a-f0-9]{30,35}&app_package_name=/Ri"; content: "screen_density="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,92608e6ff795862f83d891ad8337b387; classtype:trojan-activity; sid:2018520; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_06_04, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"User-Agent|3a| dwplayer"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; classtype:policy-violation; sid:2008489; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2017_10_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P zzima_loader"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/zzima_loader/"; fast_pattern; http.user_agent; content:"zzima-nloader/ 1.0.3.1"; depth:22; http.header_names; content:!"Referer|0d 0a|"; reference:md5,810b4464785d8d007ca0c86c046ac0ef; classtype:trojan-activity; sid:2018532; rev:5; metadata:created_at 2014_06_05, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sgrunt Dialer User Agent (sgrunt)"; flow:to_server,established; content:"sgrunt"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+sgrunt/Hi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003385; classtype:trojan-activity; sid:2003385; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Trojan.Agent.U3D7V0 Checkin"; flow:established, to_server; http.method; content: "GET"; http.uri; content:"/getc"; content:"/?c="; fast_pattern; pcre:"/^\/getc(?:loud|onf)\/\?c=/i"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,97572a7a0690ba1643525bf6666b74c6; classtype:command-and-control; sid:2018530; rev:5; metadata:created_at 2014_06_05, former_category MALWARE, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS 2search.org User Agent (2search)"; flow:to_server,established; content:"2search"; http_user_agent; fast_pattern:only; reference:url,doc.emergingthreats.net/2003335; classtype:trojan-activity; sid:2003335; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Etumbot.B Requesting RC4 Key"; flow:to_server,established; http.uri; content:"/home/index.asp?typeid="; nocase; fast_pattern; pcre:"/^\/home\/index\.asp\?typeid=(?:1[13]?|[3579])$/i"; http.referer; content:"http|3a|//www.google.com/"; bsize:22; reference:md5,82d4850a02375a7447d2d0381b642a72; reference:md5,ff5a7a610746ab5492cc6ab284138852; reference:url,arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf; classtype:trojan-activity; sid:2018552; rev:5; metadata:created_at 2014_06_09, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"User-Agent|3a| inetinst|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007808; classtype:trojan-activity; sid:2007808; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JCE Joomla Extension"; flow:to_server,established; http.uri; content:".php"; content:"option="; content:"&task="; content:"&plugin=imgmanager"; content:"&file="; content:"&version="; content:"&cid="; http.request_body; content:"folderRename"; fast_pattern; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:web-application-attack; sid:2018326; rev:5; metadata:created_at 2014_03_26, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"User-Agent|3a| okcpmgr|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007810; classtype:trojan-activity; sid:2007810; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Scar Downloader Request"; flow:established,to_server; http.uri; content:"/tasksz.php?"; fast_pattern; pcre:"/\/tasksz\.php\?(?:dc|load)/"; http.user_agent; content:"Google Bot"; bsize:10; reference:url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml; reference:url,doc.emergingthreats.net/2010288; classtype:trojan-activity; sid:2010288; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification)"; flow:to_server,established; content:"RFRudokop"; http_user_agent; depth:9; reference:url,doc.emergingthreats.net/2008046; classtype:trojan-activity; sid:2008046; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:"commondatastorage.googleapis.com"; bsize:32; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:4; metadata:created_at 2014_06_11, former_category CURRENT_EVENTS, updated_at 2020_09_24;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1)"; flow:to_server,established; content:"User-Agent|3a| doshowmeanad "; http_header; reference:url,doc.emergingthreats.net/2008142; classtype:trojan-activity; sid:2008142; rev:6; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/netsend/nmsm_json.jsp"; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:command-and-control; sid:2013694; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_09_24, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun)"; flow:established,to_server; content:"User-Agent|3a| ElectroSun "; http_header; reference:url,doc.emergingthreats.net/2008608; classtype:trojan-activity; sid:2008608; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sasfis Botnet Client Reporting Back to Controller After Command Execution"; flow:established,to_server; http.uri; content:"/bb.php"; nocase; fast_pattern; content:"id="; nocase; content:"v="; nocase; content:"tm="; nocase; content:"b="; nocase; reference:url,www.fortiguard.com/analysis/sasfisanalysis.html; reference:url,doc.emergingthreats.net/2010756; classtype:trojan-activity; sid:2010756; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution|20 28|Win32|29|"; http_header; classtype:trojan-activity; sid:2013725; rev:3; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2017_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miuref/Boaxxe Checkin"; flow:to_server,established; urilen:>400; http.method; content:"GET"; http.uri.raw; content:"%2b"; fast_pattern; content:"%2f"; content:!"|2e|"; content:!"|3f|"; content:!"|26|"; pcre:"/^\/(?:[a-zA-Z0-9]|%2[fb]){400,}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/01/17/boaxxe-adware-a-good-advert-sells-the-product-without-drawing-attention-to-itself-part-2/; reference:url,blogs.technet.com/b/mmpc/archive/2014/05/13/msrt-may-2014-miuref.aspx; classtype:pup-activity; sid:2018582; rev:12; metadata:created_at 2013_11_22, former_category MALWARE, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MtGox Leak wallet stealer UA"; flow:established,to_server; content:"MtGoxBackOffice"; depth:15; http_user_agent; reference:url,www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive; reference:md5,c4e99fdcd40bee6eb6ce85167969348d; classtype:trojan-activity; sid:2018279; rev:4; metadata:created_at 2014_03_14, former_category CURRENT_EVENTS, updated_at 2017_11_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Andr/com.sdwiurse"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/youxi_up.php"; fast_pattern; http.request_body; content:"--*****|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|npki|22|"; depth:52; reference:url,fireeye.com/blog/technical/2014/06/what-are-you-doing-dsencrypt-malware.html; reference:md5,04d24eb45d3278400b5fee5c1b06226c; classtype:trojan-activity; sid:2018584; rev:5; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:pup-activity; sid:2011293; rev:8; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2010_09_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; http.uri; content:"/PSBlock"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:6; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Valve/Steam HTTP Client"; depth:23; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2028651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; http.uri; content:"/PSStore"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:7; metadata:created_at 2014_06_20, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)"; flow:established,to_server; http.user_agent; content:"MSDW"; depth:4; isdataat:!1,relative; fast_pattern; threshold: type limit, track by_src, count 1, seconds 300; classtype:unknown; sid:2027389; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2019_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override URI"; flow:to_server,established; http.uri; content:"c99shcook["; nocase; fast_pattern; pcre:"/[&?]c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018601; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (IExplorer 34)"; flow:established,to_server; http.user_agent; content:"IExplorer 34"; bsize:12; classtype:bad-unknown; sid:2028834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2019_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Client Body"; flow:to_server,established; http.request_body; content:"c99shcook["; nocase; fast_pattern; pcre:"/(?:^|&)c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018603; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (reqwest/)"; flow:established,to_server; http.user_agent; content:"reqwest/"; depth:8; reference:md5,be59ae5fab354d29e53f11a08d805db7; classtype:bad-unknown; sid:2028842; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2019_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TimThumb Remote Command Execution"; flow:established,to_server; http.uri; content:".php"; content:"webshot="; fast_pattern; content:"src="; content:"|24 28|"; pcre:"/[&?]src=https?[^&]+\x24\x28/"; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:attempted-user; sid:2018605; rev:4; metadata:created_at 2014_06_26, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Client)"; flow:established,to_server; http.user_agent; content:"Client"; bsize:6; http.header; content:"User-Agent|3a 20|Client|0d 0a|"; fast_pattern; classtype:bad-unknown; sid:2028912; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_10_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?secue="; fast_pattern; content:"&pro="; content:"|2c|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,secureworks.com/resources/blog/research/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761/; reference:md5,1c29b24d4d4ef7568f519c470b51bbed; classtype:targeted-activity; sid:2018631; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (system_file/2.0)"; flow:established,to_server; content:"system_file/2.0"; http.user_agent; bsize:15; classtype:bad-unknown; sid:2028983; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2019_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 2"; flow:established,to_server; http.uri; content:".php?file"; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Ffile(?:index\x3D[A-Z]|n\x3Dnoexist|wh\x3Dfalse)/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018632; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (DxD)"; flow:established,to_server; http.user_agent; bsize:3; content:"DxD"; fast_pattern; classtype:bad-unknown; sid:2029232; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_01_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 3"; flow:established,to_server; http.uri; content:".php?Re="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3FRe\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018633; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ABBCCoin Activity Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ABBCCoin"; fast_pattern; reference:md5,77ec579347955cfa32f219386337f5bb; classtype:misc-activity; sid:2029423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_12, deployment Perimeter, signature_severity Minor, updated_at 2020_02_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Antifulai.APT CnC Beacon 4"; flow:established,to_server; http.uri; content:".php?verify="; fast_pattern; pcre:"/^\x2F[^\x2F]+\x2Fin(?:fo|dex)\x2Ephp\x3Fverify\x3D/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/antifulai-targeted-attack-exploits-ichitaro-vulnerability/; classtype:targeted-activity; sid:2018634; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent filled with System Details - GET Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"mac="; http_user_agent; depth:4; nocase; content:"&hdid="; distance:0; nocase; http_user_agent; content:"&wlid="; nocase; distance:0; http_user_agent; content:"&start="; nocase; distance:0; http_user_agent; content:"&os="; nocase; distance:0; http_user_agent; content:"&mem="; nocase; distance:0; http_user_agent; content:"&alive"; nocase; distance:0; http_user_agent; content:"&ver="; nocase; distance:0; http_user_agent; content:"&mode="; nocase; distance:0; http_user_agent; content:"&guid"; distance:0; http_user_agent; content:"&install="; nocase; distance:0; http_user_agent; content:"&auto="; nocase; distance:0; http_user_agent; content:"&serveid"; nocase; distance:0; http_user_agent; content:"&area="; nocase; distance:0; http_user_agent; reference:url,doc.emergingthreats.net/2009541; classtype:trojan-activity; sid:2009541; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_02_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Exorcist 2.0 Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header.raw; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)|20 0d 0a|"; fast_pattern; http.request_body; content:"d="; depth:2; isdataat:100,relative; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; content:"|0d 0a|"; distance:0; http.header_names; content:!"Referer"; reference:md5,9e5c89c84cdbf460fc6857c4e32dafdf; classtype:command-and-control; sid:2030906; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family Exorcist_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_09_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (VB OpenUrl)"; flow:to_server,established; http.user_agent; bsize:10; content:"VB OpenUrl"; classtype:bad-unknown; sid:2029544; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_02_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_02_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PS/SunCrypt Ransomware CnC Activity"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"|19 10 03 41 24 29 70 24|"; depth:8; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,c171bcd34151cbcd48edbce13796e0ed; classtype:command-and-control; sid:2030907; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_24, deployment Perimeter, former_category MALWARE, malware_family SunCrypt, signature_severity Major, tag Ransomware, updated_at 2020_09_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (\xa4)"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20 a4 0d 0a|"; fast_pattern; http.user_agent; content:"|a4|"; bsize:1; classtype:bad-unknown; sid:2029554; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_03_02, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_03_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BANKER.WIN32.BANBRA.BEEC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/black/?"; fast_pattern; http.request_body; content:"tipo="; depth:5; content:"&cliente="; reference:md5,ceb6684ffce35dcbfae4afde3b6fd4bd; classtype:command-and-control; sid:2018641; rev:5; metadata:created_at 2014_07_04, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (easyhttp client)"; flow:established,to_server; http.user_agent; content:"easyhttp client"; bsize:15; classtype:bad-unknown; sid:2029569; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_04, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; pcre:"/\.asp\?IDPC=[^\x26]*?\x26(?:Status=|Msg=)[^\x26]*?$/i"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018649; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (xPCAP)"; flow:established,to_server; http.user_agent; content:"xPCAP"; bsize:5; classtype:bad-unknown; sid:2029748; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.request_body; content:"OPC="; nocase; fast_pattern; pcre:"/^OPC=\d/i"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018653; rev:4; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Http-connect)"; flow:established,to_server; http.user_agent; content:"Http-connect"; bsize:12; classtype:bad-unknown; sid:2029752; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_03_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_03_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Banload2.KZU Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".hlp"; nocase; fast_pattern; pcre:"/^\/[^\x2f]+?\.hlp$/i"; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|User-Agent|3a 20|Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,b67e23e4a0248c71b71e73e37d52c906; classtype:command-and-control; sid:2018654; rev:5; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Shadowcoin Cryptocurrency UA Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|ShadowCoin"; fast_pattern; classtype:misc-activity; sid:2029771; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auth.cgi?mode="; fast_pattern; content:"&id="; content:"&serv="; distance:0; content:"&lang="; distance:0; content:"&q="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018669; rev:4; metadata:created_at 2014_07_12, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Willowcoin Cryptocurrency UA Observed"; flow:established,to_server; http.header; content:"User-Agent|3a 20|WillowCoin"; fast_pattern; classtype:misc-activity; sid:2029772; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, signature_severity Minor, updated_at 2020_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Uroburos/Turla CnC (OUTBOUND) 2"; flow:established,to_server; http.uri; content:"/default.asp?act="; fast_pattern; content:"&id="; content:"&item="; distance:0; content:"&cln="; distance:0; content:"&flt="; distance:0; content:"&serv="; distance:0; content:"&t="; distance:0; content:"&mode="; distance:0; content:"&lang="; distance:0; content:"&date="; distance:0; reference:url,circl.lu/pub/tr-25/; classtype:command-and-control; sid:2018670; rev:5; metadata:created_at 2014_07_12, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious CASPER/Mirai UA"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0   (compatible|3b|   MSIE   5.01|3b|   Windows   NT   5.0)"; bsize:63; fast_pattern; reference:url,www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf; reference:md5,ea78869555018cdab3699e2df5d7e7f8; classtype:misc-activity; sid:2029892; rev:1; metadata:created_at 2020_04_13, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soraya Credit Card Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"&ccnum="; fast_pattern; content:"mode="; depth:5; content:"&compinfo="; distance:0; content:"&type="; distance:0; content:"&track="; distance:0; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; reference:url,fortinet.com/sites/default/files/whitepapers/soraya_WP.pdf; classtype:trojan-activity; sid:2018680; rev:4; metadata:created_at 2014_07_16, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Sample"; flow:established,to_server; http.header; content:"User-Agent|3a 20|sample"; nocase; classtype:trojan-activity; sid:2012611; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_31, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin 2"; flow:established,to_server; urilen:7; http.method; content:"GET"; http.uri; content:"/u.html"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/07/16/win32aibatook/; reference:md5,d5e8adfefbcc3667734b8df4ae066be6; classtype:command-and-control; sid:2018687; rev:4; metadata:created_at 2014_07_17, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (changhuatong)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|changhuatong"; classtype:trojan-activity; sid:2012751; rev:3; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kuluoz / Asprox checkin"; flow:established,to_server; http.uri; content:"/api/"; fast_pattern; pcre:"/^\/(?:components|wp-content|tmp)/api/[a-zA-Z0-9\/\x20]{43}=\/(?:toll|inv|notice|get_label)$/"; reference:url,garwarner.blogspot.com/2014/07/e-zpass-spam-leads-to-location-aware.html; reference:url,blog.malcovery.com/blog/more-information-on-this-weeks-e-zpass-scam; classtype:command-and-control; sid:2018739; rev:4; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (PhoneMonitor)"; flow:established,to_server; http.user_agent; content:"PhoneMonitor"; bsize:12; reference:md5,09aa3bb05a55b0df864d1e1709c29960; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/; classtype:trojan-activity; sid:2029980; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_20, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Asterope Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; content:"&id="; distance:0; content:"&os="; distance:0; content:"&res="; distance:0; http.header; content:"Accept-Asterope|3a|"; fast_pattern; reference:md5,19190ef53877979191f6889c6a795f31; classtype:command-and-control; sid:2018750; rev:5; metadata:created_at 2014_06_23, former_category MALWARE, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; threshold: type limit, count 2, seconds 40, track by_src; http.header; content:"User-Agent|3a 20|CholTBAgent"; classtype:trojan-activity; sid:2012757; rev:6; metadata:created_at 2011_04_30, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible WordPress xmlrpc.php wp.getUsersBlogs Flowbit Set"; flow:established,to_server; flowbits:set,ET.XMLRPC.PHP; flowbits:noalert; http.uri; content:"/xmlrpc.php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary/+WordPress+brute+force+attack+via+wp.getUsersBlogs/18427; classtype:attempted-admin; sid:2018754; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_24;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; http.user_agent; content:"WORKED"; classtype:trojan-activity; sid:2012909; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win.Trojan.Agent-29225 Checkin"; flow:to_server,established; http.uri; content:"/proxy.exe"; nocase; fast_pattern; http.user_agent; content:"Java/1"; nocase; reference:url,virustotal.com/file/17b1639c08352cc37baac08f23137563546750292131896f37fd8be8c9412407/analysis/; classtype:command-and-control; sid:2018763; rev:6; metadata:created_at 2013_01_22, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|Revolution"; reference:md5,1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:3; metadata:created_at 2011_09_06, updated_at 2020_04_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/flash/api.php?id="; fast_pattern; pcre:"/^\/flash\/api\.php\?id=\d/"; http.request_body; content:"method="; depth:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018769; rev:6; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"Atomic_Email_Hunter/"; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013173; rev:5; metadata:created_at 2011_07_04, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android ScarePakage checkin 2"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/api33/api.php"; fast_pattern; http.request_body; content:"method="; depth:7; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,blog.lookout.com/blog/2014/07/16/scarepakage/; reference:url,contagiominidump.blogspot.com/2014/07/android-scarepackage-ransomware.html; reference:md5,645a60e6f4393e4b7e2ae16758dd3a11; classtype:trojan-activity; sid:2018774; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"Atomic_Email_Hunter/"; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:5; metadata:created_at 2011_07_04, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kbot.Backdoor Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat.php"; nocase; http.request_body; content:"id="; depth:3; content:"&build_id="; fast_pattern; pcre:"/&build_id=[A-F0-9]+$/i"; reference:md5,1df0ceab582ae94c83d7d2c79389e178; classtype:command-and-control; sid:2018078; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; http.header; content:"User-Agent|3A| SimpleClient "; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_05_26, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AndroidOS.Simplocker Checkin"; flow:established,to_server; urilen:5; http.method; content:"POST"; http.uri; content:"/1/?1"; fast_pattern; http.request_body; content:"{|22|n|22 3a 22|"; depth:6; content:"|22 2c 22|d|22 3a 22|"; distance:0; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2014/07/22/androidsimplocker/; reference:md5,b98cac8f1ce9284f9882ba007878caf1; classtype:trojan-activity; sid:2018781; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Win32"; nocase; classtype:trojan-activity; sid:2012249; rev:5; metadata:created_at 2011_02_02, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Worm.AndroidOS.Selfmite.a Checkin"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/message.php"; fast_pattern; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,54b715f6608d4457a9d22cfdd8bddbe6; reference:url,adaptivemobile.com/blog/selfmite-worm; reference:url,computerworld.com/s/article/9249430/Self_propagating_SMS_worm_Selfmite_targets_Android_devices; classtype:trojan-activity; sid:2018792; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_07_28, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (ChilkatUpload)"; flow:to_server,established; http.user_agent; content:"ChilkatUpload"; depth:13; nocase; reference:url,chilkatsoft.com; classtype:trojan-activity; sid:2016904; rev:4; metadata:created_at 2013_05_21, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passinggas.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passinggas.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018809; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013033; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myredirect.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myredirect.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018811; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (Google page)"; flow:to_server,established; http.header; content:"User-Agent|3a 20|Google page"; classtype:trojan-activity; sid:2017067; rev:6; metadata:created_at 2011_05_31, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.rr.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".rr.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018813; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Unknown - Java Request  - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; http.uri; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/i"; http.user_agent; content:"Java/1."; fast_pattern; content:"Mozilla"; depth:7; classtype:trojan-activity; sid:2014912; rev:7; metadata:created_at 2012_06_16, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.kwik.to Domain (Sitelutions)"; flow:established,to_server; http.host; content:".kwik.to"; fast_pattern; endswith; classtype:bad-unknown; sid:2018815; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS FOCA User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; http.header; content:"User-Agent|3a 20|FOCA"; fast_pattern; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017949; rev:6; metadata:created_at 2014_01_10, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.myfw.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".myfw.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018817; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS BeeMovie Related Activity"; flow:to_server,established; http.header; content:"User-Agent|3a 20|BeeMovie/"; classtype:misc-activity; sid:2030050; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.ontheweb.nu Domain (Sitelutions)"; flow:established,to_server; http.host; content:".ontheweb.nu"; fast_pattern; endswith; classtype:bad-unknown; sid:2018819; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (h55u4u4u5uii5)"; flow:established,to_server; http.user_agent; content:"h55u4u4u5uii5"; bsize:13; reference:url,www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/; classtype:trojan-activity; sid:2030058; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isthebe.st Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isthebe.st"; fast_pattern; endswith; classtype:bad-unknown; sid:2018821; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; http.user_agent; content:"DownloadMR"; nocase; depth:10; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_05_21, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.byinter.net Domain (Sitelutions)"; flow:established,to_server; http.host; content:".byinter.net"; fast_pattern; endswith; classtype:bad-unknown; sid:2018823; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hi)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|hi|0d 0a|"; nocase; classtype:trojan-activity; sid:2018381; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_10, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.findhere.org Domain (Sitelutions)"; flow:established,to_server; http.host; content:".findhere.org"; fast_pattern; endswith; classtype:bad-unknown; sid:2018825; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Possible QBot User-Agent"; flow:established,to_server; http.user_agent; bsize:14; content:"MelindaMelinda"; reference:md5,d5129d51bf982b055ee00fe7ef4da3c0; classtype:trojan-activity; sid:2030149; rev:1; metadata:created_at 2020_05_11, updated_at 2020_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.onthenetas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".onthenetas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018827; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:established,to_server; http.user_agent; content:"MSIE|28|6.00.2900.5512|20 28|"; fast_pattern; content:"|3b 20|NT|28|"; distance:0; content:"|29 3b 20|AV|28|"; distance:0; content:"|29 3b 20|OV|28|"; distance:0; content:"|29 3b 20|NA|28|"; distance:0; content:"VR|28|PH"; reference:url,documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf; classtype:trojan-activity; sid:2030170; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_15, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.uglyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".uglyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018829; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSF Meterpreter Default User Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 0d 0a|"; fast_pattern; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings; classtype:bad-unknown; sid:2021060; rev:3; metadata:created_at 2015_05_06, updated_at 2020_05_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.assexyas.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".assexyas.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018831; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (CODE)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030439; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.passas.us Domain (Sitelutions)"; flow:established,to_server; http.host; content:".passas.us"; fast_pattern; endswith; classtype:bad-unknown; sid:2018833; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS BLEXBot User-Agent"; flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 300; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|BLEXBot/"; fast_pattern; startswith; reference:url,webmeup.com/about.html; classtype:misc-activity; sid:2022775; rev:3; metadata:created_at 2016_05_02, former_category MALWARE, updated_at 2020_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athissite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athissite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018835; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (grab)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|grab|0d 0a|"; classtype:bad-unknown; sid:2030492; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_07_10, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.athersite.com Domain (Sitelutions)"; flow:established,to_server; http.host; content:".athersite.com"; fast_pattern; endswith; classtype:bad-unknown; sid:2018837; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET USER_AGENTS SAP CVE-2020-6287 PoC UA Observed"; flow:established,to_server; http.user_agent; content:"CVE-2020-6287|20|PoC"; endswith; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; classtype:attempted-recon; sid:2030548; rev:1; metadata:created_at 2020_07_16, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.isgre.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".isgre.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018839; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (justupdate)"; flow:established,to_server; http.user_agent; bsize:10; content:"justupdate"; reference:md5,7a814300b204e14467deff69c1159cbe; classtype:bad-unknown; sid:2030556; rev:1; metadata:created_at 2020_07_17, former_category USER_AGENTS, updated_at 2020_07_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lookin.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lookin.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018841; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (.NET Framework Client)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|.NET Framework Client|0d 0a|"; classtype:bad-unknown; sid:2030586; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.bestdeals.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".bestdeals.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018843; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (cctv.mtv)"; flow:established,to_server; http.user_agent; bsize:8; content:"cctv.mtv"; reference:md5,deffb804976c0531144d999ded0df8b9; classtype:bad-unknown; sid:2030598; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to *.lowestprices.at Domain (Sitelutions)"; flow:established,to_server; http.host; content:".lowestprices.at"; fast_pattern; endswith; classtype:bad-unknown; sid:2018845; rev:4; metadata:created_at 2014_07_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (cso)"; flow:established,to_server; http.user_agent; content:"cso v"; startswith; fast_pattern; pcre:"/^[0-9][0-9]?\.[0-9][0-9]?$/R"; reference:md5,5640851c35221c3ae7bbde053d1bb38e; reference:url,app.any.run/tasks/d94c1428-253d-432a-be65-53ea3a0505f4/; classtype:trojan-activity; sid:2030600; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff POS Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"&op="; depth:4; content:"&id="; content:"&ui="; content:"&wv="; fast_pattern; content:"&bv="; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:command-and-control; sid:2018857; rev:8; metadata:created_at 2014_03_06, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (firefox)"; flow:established,to_server; http.user_agent; content:"firefox"; bsize:7; fast_pattern; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; classtype:trojan-activity; sid:2030623; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 1"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/project/check.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,12854bb8d1e6a590e1bd578267e4f8c9; classtype:command-and-control; sid:2018882; rev:6; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (chrome)"; flow:established,to_server; http.user_agent; content:"chrome"; bsize:6; fast_pattern; reference:url,unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/; classtype:trojan-activity; sid:2030624; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_30, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 2"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/dr.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|)"; bsize:25; http.header_names; content:"Content-Length|0d 0a|"; content:"User-Agent|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:url,blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2; reference:md5,c0656b66b9f4180e59e1fd2f9f1a85f2; classtype:command-and-control; sid:2018883; rev:5; metadata:created_at 2014_07_14, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Edge on Windows 10 SET"; flow:established,to_server; flowbits:set,ET_EDGE_UA; flowbits:noalert; http.user_agent; content:"Windows NT 10."; content:"Edge/12."; distance:0; fast_pattern; classtype:misc-activity; sid:2023197; rev:5; metadata:affected_product Microsoft_Edge_Browser, created_at 2016_09_13, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, tag User_Agent, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Pgift.Backdoor APT CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pgift.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:targeted-activity; sid:2018869; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Go HTTP Client User-Agent"; flow:established,to_server; http.user_agent; content:"Go-http-client"; nocase; fast_pattern; classtype:misc-activity; sid:2024897; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Troj/ReRol.A Checkin 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/qsc.asp"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b|)"; bsize:25; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html; classtype:command-and-control; sid:2018884; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19 etc)"; flow:established,to_server; http.user_agent; content:")ver"; fast_pattern; pcre:"/\)ver\d/"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 1"; flow:established,to_server; urilen:17; http.method; content:"HEAD"; http.uri; content:"/GlobalUpdate.upt"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018889; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-agent DownloadNetFile Win32.small.hsh downloader"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"DownloadNetFile"; nocase; bsize:15; reference:url,doc.emergingthreats.net/2007778; classtype:trojan-activity; sid:2007778; rev:15; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Mysayad Checkin 2"; flow:established,to_server; urilen:9; http.method; content:"HEAD"; http.uri; content:"/all.wipe"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent|0d 0a|"; reference:md5,799600122930bbc64b7dac987ea8bb39; reference:url,vinsula.com/2014/07/20/sayad-flying-kitten-infostealer-malware/; classtype:command-and-control; sid:2018890; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (chek)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"chek"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008253; classtype:trojan-activity; sid:2008253; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upfornow/connect.php"; fast_pattern; http.header; content:"Content-Length|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f085395253a40ce8ca077228c2322010; reference:url,securityblog.s21sec.com/2014/08/kronos-is-here.html; classtype:command-and-control; sid:2018891; rev:4; metadata:created_at 2014_08_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AutoHotkey)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!".ahk4.net|0d 0a|"; http.user_agent; content:"AutoHotkey"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008259; classtype:trojan-activity; sid:2008259; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE  BITTERBUG Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/vtris"; fast_pattern; content:".php?srs="; pcre:"/\/vtris\d?\.php\?srs=\d{1,10}$/"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,34c7f12b4e8f2b81143453af12442ee0; reference:md5,48bbae6ee277b5693b40ecf51919d3a6; classtype:command-and-control; sid:2018901; rev:4; metadata:created_at 2014_08_06, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (contains loader)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"|20|loader"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008276; classtype:trojan-activity; sid:2008276; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Config Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/soft"; content:".dll"; fast_pattern; pcre:"/\/soft(?:32|64)\.dll$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|"; depth:32; content:"User-Agent|3a|"; http.header_names; content:!"Referer"; reference:md5,5a99a6a6cd8600ea88a8fcc1409b82f4; classtype:trojan-activity; sid:2018661; rev:5; metadata:created_at 2014_07_10, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ErrCode)"; flow:established,to_server; http.user_agent; content:"ErrCode"; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; classtype:trojan-activity; sid:2008378; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OneLouder Common URI Struct"; flow:established,to_server; http.uri; content:"/ord/"; fast_pattern; content:".exe"; nocase; pcre:"/\/ord\/[^\x2f]+?\.exe$/i"; classtype:trojan-activity; sid:2018929; rev:4; metadata:created_at 2014_08_13, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: Loands|0d 0a|"; reference:url,doc.emergingthreats.net/2009537; classtype:trojan-activity; sid:2009537; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Steam.NBP Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data2.php?file="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,17d2b62f2fa20f407485437de17787fb; reference:md5,bec091077138a1cac49db00495d456e7; classtype:command-and-control; sid:2018949; rev:5; metadata:created_at 2014_08_18, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: ms_ie|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009538; classtype:trojan-activity; sid:2009538; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Downloading Config"; flow:established,to_server; http.uri; content:"/zConfig/"; fast_pattern; pcre:"/\/zConfig\/\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-99; classtype:trojan-activity; sid:2018960; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:"User-Agent\: Forthgoner|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2009547; classtype:trojan-activity; sid:2009547; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/zImprimer/"; fast_pattern; pcre:"/\/zImprimer\/\d+-/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018961; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Si25f_302 User-Agent"; flow:established,to_server; http.user_agent; content:"Si25"; depth:4; classtype:trojan-activity; sid:2012310; rev:7; metadata:created_at 2011_02_14, former_category TROJAN, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroLocker Activity"; flow:established,to_server; http.uri; content:"/enc/1"; fast_pattern; pcre:"/\/enc\/1$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018962; rev:4; metadata:created_at 2014_08_19, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Im Luo"; flow:established,to_server; http.user_agent; content:"Im|27|Luo"; startswith; classtype:trojan-activity; sid:2012586; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_28, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python.Ragua Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebCam/Cam.txt"; nocase; fast_pattern; http.user_agent; content:"Python-urllib/"; depth:14; nocase; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66108/el-machete/; reference:md5,a8602b4c35f426107c9667d804470745; classtype:command-and-control; sid:2018968; rev:5; metadata:created_at 2014_08_20, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MacShield User-Agent Likely Malware"; flow:established,to_server; http.user_agent; content:"MacShield"; startswith; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:5; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download"; flow:established,to_server; http.uri; content:"/Signed_Update.jar"; nocase; fast_pattern; http.user_agent; content:"Java/1."; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018969; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent _updater_agent"; flow:established,to_server; http.header; content:"User-Agent|3A 20|_updater_agent"; classtype:trojan-activity; sid:2013395; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_10, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX variant"; flow:to_server,established; threshold: type both, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:"/p/"; depth:3; pcre:"/^\/p\/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/"; http.header; content:"code.google.com"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Connection|0d 0a|"; reference:md5,f92e9e3e86856b5c0ee465f77a440abb; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:9; metadata:created_at 2014_08_22, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MadeByLc)"; flow:established,to_server; http.user_agent; content:"MadeBy"; startswith; classtype:trojan-activity; sid:2013512; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_31, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Xema dropping file"; flow:to_server,established; http.uri; content:"/pruebas.doc"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f5fbdb120594f4da7f638122d6635933; classtype:trojan-activity; sid:2018994; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; http.user_agent; content:"LockXLS"; startswith; classtype:trojan-activity; sid:2013724; rev:4; metadata:created_at 2011_10_01, former_category TROJAN, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Tuscas"; flow:established,to_server; http.uri; content:"?version="; fast_pattern; content:"&group="; content:"&client="; content:"&computer="; content:"&os="; content:"&latency="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:2018999; rev:4; metadata:created_at 2014_08_25, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FULLSTUFF)"; flow: established,to_server; http.user_agent; content:"FULLSTUFF"; nocase; startswith; reference:url,threatexpert.com/reports.aspx?find=mrb.mail.ru; classtype:trojan-activity; sid:2013880; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/publickey/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,b61145a54698753cecf8748359c9d81e; classtype:command-and-control; sid:2018579; rev:9; metadata:created_at 2014_06_12, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HardCore Software For)"; flow:to_server,established; http.user_agent; content:"HardCore Software For"; depth:21; nocase; classtype:trojan-activity; sid:2018608; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_06, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/fd/"; flow:established,to_server; http.uri; content:"/proc/self/fd/"; nocase; fast_pattern; classtype:web-application-attack; sid:2019110; rev:4; metadata:created_at 2014_09_04, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (App4)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"App"; depth:3; fast_pattern; pcre:"/^\d/R"; http.host; content:!"liveupdate.symantecliveupdate.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Youmi.Adware Install Report CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/report/install"; fast_pattern; http.request_body; content:"data="; depth:5; content:"os="; distance:0; content:"mac="; distance:0; content:"sign="; distance:0; reference:md5,6096ace9002792e625a0cdb6aec3f379; classtype:command-and-control; sid:2019125; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_09_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Presto)"; flow:established,to_server; http.user_agent; content:"Opera/10.60 Presto/2.2.30"; http.header_names; content:!"Accept"; classtype:trojan-activity; sid:2012491; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bapy.Downloader PE Download Request"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/tmps."; fast_pattern; pcre:"/[a-z]\d{2}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,e256976cedda8c9d07a21ca0e5c2f86c; classtype:trojan-activity; sid:2019127; rev:4; metadata:created_at 2014_09_05, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WildTangent User-Agent (WT Games App)"; flow:established,to_server; http.header; content:"|0d 0a|WT-User-Agent|3a 20|WT|20|Games|20|App|20|"; classtype:policy-violation; sid:2021384; rev:3; metadata:created_at 2015_07_07, updated_at 2020_08_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup maxmind.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/locate_my_ip"; fast_pattern; http.header; content:"maxmind.com"; reference:md5,0559c56d6dcf6ffe9ca18f43e225e3ce; classtype:external-ip-check; sid:2019140; rev:4; metadata:created_at 2014_09_09, former_category POLICY, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Our_Agent)"; flow:established,to_server; http.user_agent; content:"Our_Agent"; classtype:trojan-activity; sid:2012278; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection"; flow:established,to_server; http.uri; content:"wp-admin/admin.php"; content:"page=gallerys_huge_it_gallery"; fast_pattern; content:"task=edit_cat"; content:"removeslide="; reference:url,packetstormsecurity.com/files/128118/wphugeitig-sql.txt; classtype:web-application-attack; sid:2019139; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_09_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ClickAdsByIE)"; flow:to_server,established; http.user_agent; content:"ClickAdsByIE"; depth:12; reference:url,doc.emergingthreats.net/2010220; classtype:pup-activity; sid:2010220; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; http.uri; content:".pdf"; nocase; fast_pattern; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/"; classtype:exploit-kit; sid:2016405; rev:9; metadata:created_at 2013_02_13, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Long Fake wget 3.0 User-Agent Detected"; flow:established,to_server; http.user_agent; content:"wget 3.0"; classtype:trojan-activity; sid:2013178; rev:6; metadata:created_at 2011_07_04, former_category TROJAN, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Zeus GameOver Connectivity Check 2"; flow:established,to_server; urilen:1; http.host; content:"windowsupdate.microsoft.com"; bsize:27; http.connection; content:"Close"; fast_pattern; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,236bde81355e075e7ed6bcdc60daefcb; classtype:trojan-activity; sid:2019155; rev:4; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Ufasoft bitcoin Related User-Agent"; flow:established,to_server; http.user_agent; content:"Ufasoft"; depth:7; classtype:trojan-activity; sid:2013391; rev:6; metadata:created_at 2011_08_10, former_category TROJAN, updated_at 2020_08_18;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save_env.cgi"; fast_pattern; http.request_body; content:"&user="; content:"|2e 2e 2f|"; distance:0; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:5; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MSIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MSIE"; depth:4; http.host; content:!"www.msftncsi.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003657; classtype:trojan-activity; sid:2003657; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecebalPOS Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?&co="; fast_pattern; content:"&us="; content:"&av="; content:"&os="; content:"&tr2="; reference:md5,87cfa0addda5c0e0fc34f3847408e557; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:command-and-control; sid:2019160; rev:4; metadata:created_at 2014_09_11, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (explorersvc)"; flow:established,to_server; http.user_agent; bsize:11; content:"explorersvc"; classtype:bad-unknown; sid:2029749; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JackPOS XOR Encoded HTTP Client Body (key AA)"; flow:established,to_server; http.request_body; content:"|AB AB|"; depth:2; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; fast_pattern; reference:md5,3959fb5b5909d9c6fb9c9a408d35f67a; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf; classtype:trojan-activity; sid:2019164; rev:4; metadata:created_at 2014_09_11, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (KtulhuBrowser)"; flow:established,to_server; http.user_agent; bsize:13; content:"KtulhuBrowser"; nocase; classtype:bad-unknown; sid:2029750; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_27, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; http.uri; content:"/images2/"; nocase; fast_pattern; pcre:"/\/images2\/[0-9a-fA-F]{500}/"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:command-and-control; sid:2012799; rev:8; metadata:created_at 2011_05_10, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspected Mekotio User-Agent (MyCustomUser)"; flow:established,to_server; http.user_agent; content:"MyCustomUser"; bsize:12; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030721; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.de.ms domain"; flow:to_server,established; http.host; content:".de.ms"; fast_pattern; endswith; classtype:bad-unknown; sid:2013378; rev:5; metadata:created_at 2011_08_08, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspected Mekotio User-Agent (4M5yC6u4stom5U8se3r)"; flow:established,to_server; http.user_agent; content:"4M5yC6u4stom5U8se3r"; bsize:19; fast_pattern; reference:url,www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/; classtype:trojan-activity; sid:2030722; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_08_21, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.eu.tf domain"; flow: to_server,established; http.host; content:".eu.tf"; fast_pattern; endswith; classtype:bad-unknown; sid:2013828; rev:5; metadata:created_at 2011_11_05, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (=Mozilla)"; flow:established,to_server; http.header; content:"User-Agent|3a|=Mozilla/5"; fast_pattern; classtype:trojan-activity; sid:2025456; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2018_03_27, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a .noip.cn domain"; flow:to_server,established; http.host; content:".noip.cn"; fast_pattern; endswith; classtype:bad-unknown; sid:2013969; rev:5; metadata:created_at 2011_11_28, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InfoBot)"; flow:to_server,established; http.user_agent; content:"InfoBot"; nocase; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Predator Variant Dropper Activity"; flow:established,to_server; http.request_line; content:"GET|20|/FDpb|20|HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3679a900a8895e242e97e9d54cd2f5fa; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-268a; reference:url,twitter.com/craiu/status/1309449368559378432; classtype:trojan-activity; sid:2030908; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP_CONNECT_)"; flow:established,to_server; http.user_agent; content:"HTTP_Connect_"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; classtype:bad-unknown; sid:2007821; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.upas.su domain"; flow:to_server,established; http.host; content:".upas.su"; fast_pattern; endswith; classtype:bad-unknown; sid:2015551; rev:5; metadata:created_at 2012_07_31, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows XP)"; flow:to_server,established; http.user_agent; content:"Windows XP"; depth:10; classtype:bad-unknown; sid:2026519; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 1"; flow:established,to_server; http.uri; content:"/updatesrv.aspx?f=1"; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019174; rev:4; metadata:attack_target Mobile_Client, created_at 2014_09_15, former_category MOBILE_MALWARE, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 8)"; flow:to_server,established; http.user_agent; content:"Windows 8"; depth:9; classtype:bad-unknown; sid:2026520; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS/AppBuyer Checkin 2"; flow:established,to_server; http.uri; content:"/updatesrv.aspx?f=2&uuid="; fast_pattern; reference:md5,1c32f9f05234cac7dd7a83e3925a3105; reference:url,researchcenter.paloaltonetworks.com/2014/09/appbuyer-new-ios-malware-steals-apple-id-password-buy-apps/; classtype:trojan-activity; sid:2019175; rev:4; metadata:attack_target Mobile_Client, created_at 2014_09_15, former_category MOBILE_MALWARE, updated_at 2020_09_25, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 7)"; flow:to_server,established; http.user_agent; content:"Windows 7"; depth:9; classtype:bad-unknown; sid:2026522; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.RapidStealer.B Checkin"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/key/index.php"; fast_pattern; http.request_body; content:"dir="; depth:4; content:"&data="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c14690b90459744a300a02f45b32168a; reference:url,quequero.org/2014/09/win32-blackberrybbc-malware-analysis/; classtype:command-and-control; sid:2019179; rev:4; metadata:created_at 2014_09_16, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SFML User-Agent (libsfml-network)"; flow:established,to_server; http.user_agent; content:"libsfml-network/"; depth:16; fast_pattern; reference:url,github.com/SFML; classtype:trojan-activity; sid:2026914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_08_27;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; http.request_body; content:"base64_decode"; nocase; fast_pattern; classtype:trojan-activity; sid:2019182; rev:4; metadata:created_at 2014_09_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)"; flow:established,to_server; http.user_agent; content:"Clever Internet Suite"; classtype:trojan-activity; sid:2027045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_03_05, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHPMyAdmin BackDoor Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/server_sync.php?"; fast_pattern; content:"c="; pcre:"/\/server_sync.php\?(?:.+?&)?c=/i"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:8; metadata:created_at 2012_09_26, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (boostsoftware-urlexists)"; flow:established,to_server; http.user_agent; bsize:23; content:"boostsoftware-urlexists"; classtype:bad-unknown; sid:2030814; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader GetBooks UA"; flow:established,to_server; http.user_agent; content:"GetBooks"; nocase; fast_pattern; classtype:trojan-activity; sid:2015756; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_10_03, deployment Perimeter, signature_severity Major, tag Trojan_Downloader, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Aria2 User-Agent"; flow:to_server,established; http.user_agent; content:"aria2/"; depth:6; fast_pattern; reference:url,github.com/aria2/aria2; reference:md5,eb042fe28b8a235286df2c7f4ed1d8a8; classtype:trojan-activity; sid:2027286; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos.K Executable Download DGA"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; http.host; content:".ru"; offset:7; depth:6; endswith; pcre:"/^(?:u(?:wf(?:ekfyj|ubpeb)|d(?:xowub|zycaf)|h(?:duxic|zubvo)|x(?:fokur|osgik)|celgos|ggifym|mpefan|qlahaf)|s(?:u(?:t(?:fasof|imjy)|kbewli)|i(?:ttanyg|webheb|hemuj)|e(?:suhror|xjereh)|o(?:haxim|qvaqo)|axyjuw)|r(?:i(?:zsebym|firac|sytfa|trios)|e(?:bfelqi|kvyfo)|u(?:xymqic|jfeag)|y(?:buhoq|kafeh)|acadpuh)|j(?:y(?:meegom|vvozoz|kyvca|torqu)|a(?:mwazer|ibzup)|e(?:btelyx|dytlu)|o(?:dkymy|kenqi))|o(?:t(?:geguuz|xolpow|pipug)|q(?:lapjim|jogxi)|cgaextu|gdowkys|jpaxlam|vquqaip|smuryf)|i(?:r(?:ojvuqu|hegre)|v(?:kikcop|nuvuk)|hmytog|kevzaq|mgohut|pdehas|wvahin|zxirfy)|b(?:y(?:(?:cmolh|vbym)y|gotbys|jlegta)|i(?:pulte|wuvba)|o(?:pwyeb|wbaiv))|p(?:e(?:dugtap|gyrgun|vhyvys)|y(?:nxomoj|ykxug)|a(?:gube|waha)v|ogwytfy)|d(?:e(?:afesqy|hjujuq)|o(?:hwapih|xilik)|a(?:lwoza|rabub)|inymak)|t(?:a(?:hfifak|ixcih)|i(?:wciwu|koqo)x|ecviqir|ozfyma|uriwil)|g(?:i(?:jevsog|nnyjyb)|olhysux|ywilhof|azuzoz|edopan|ubahvi)|y(?:(?:n(?:japru|kicy)|kocna)r|bsahov|dabxag|xyqwiz|zsabuq)|h(?:a(?:hsekju|poneg)|e(?:ztymut|dybih)|uquqxov|itakat)|w(?:a(?:pifnu|rkafo)c|e(?:tifjam|fecfo)|ibveces|yjenqo)|a(?:d(?:nedat|tesok)|qzepylu|baxhad|smukuf|wewsip)|l(?:u(?:(?:fseki|pylzu)m|ditla)|eqgugom|opoqyv)|z(?:u(?:pivzed|qijcel)|aefofin|idamuk|ylhomu)|v(?:u(?:njuet|ohsub)|ijsixem|otqygiq|euwhyz)|m(?:u(?:zupdyg|hipew|wosiv)|osjinme|abuhos)|x(?:o(?:fsimi|gitaj|moqol)|ikmonej|enacoz)|f(?:e(?:vnotow|tucxo)|i(?:dedhah|xavpu))|k(?:u(?:btyhuz|irfufo)|ejejib|ycufvy)|n(?:(?:iliqri|obzeky)x|eluzjiv)|c(?:ylqiduh|aqxaro|itsibe)|q(?:aijroke|iquzcy|uohdit)|e(?:gnisje|stesgo|vdyvaz))\.ru$/"; classtype:trojan-activity; sid:2016029; rev:5; metadata:created_at 2012_12_13, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Fake Mozilla User-Agent String Observed (M0zilla)"; flow:established,to_server; http.user_agent; content:"M0zilla|2f|"; depth:8; fast_pattern; content:"."; distance:1; within:1; reference:md5,c6c1292bf7dd1573b269afb203134b1d; classtype:trojan-activity; sid:2027565; rev:2; metadata:created_at 2019_06_26, former_category USER_AGENTS, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zbot.Variant Fake MSIE 6.0 UA"; flow:to_server,established; flowbits:set,ET.zbot.ua.2106509; http.uri; content:".htm?"; fast_pattern; pcre:"/\/[a-z]\.htm\?[A-Za-z0-9]+$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:trojan-activity; sid:2016509; rev:7; metadata:created_at 2013_02_27, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))"; flow:established,to_server; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; reference:url,doc.emergingthreats.net/2011227; classtype:bad-unknown; sid:2011227; rev:7; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_08_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Kia.exe Request"; flow:established,to_server; http.uri; content:"/kia.exe"; fast_pattern; classtype:trojan-activity; sid:2018081; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)"; flow:established,to_server; threshold:type limit, track by_src, count 2, seconds 360; http.user_agent; content:"Microsoft Internet Explorer"; depth:28; http.host; content:!"bbc.co.uk"; content:!"vmware.com"; content:!"rc.itsupport247.net"; content:!"msn.com"; content:!"msn.es"; content:!"live.com"; content:!"gocyberlink.com"; content:!"ultraedit.com"; content:!"windowsupdate.com"; content:!"cyberlink.com"; content:!"lenovo.com"; content:!"itsupport247.net"; content:!"msn.co.uk"; content:!"support.weixin.qq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2002400; classtype:trojan-activity; sid:2002400; rev:37; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Wav.exe Request"; flow:established,to_server; http.uri; content:"/wav.exe"; fast_pattern; classtype:trojan-activity; sid:2018082; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (_TEST_)"; flow: to_server,established; http.user_agent; content:"_TEST_"; nocase; reference:url,doc.emergingthreats.net/2009545; classtype:unknown; sid:2009545; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Zeus.InfoStealer Infection Campaign Heap.exe Request"; flow:established,to_server; http.uri; content:"/heap.exe"; fast_pattern; classtype:trojan-activity; sid:2018083; rev:5; metadata:created_at 2014_02_05, updated_at 2020_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Malware Protection User-Agent Observed"; flow:to_server,established; http.user_agent; content:"MpCommunication"; depth:15; classtype:misc-activity; sid:2030835; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_03, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ppp/ta.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:command-and-control; sid:2018183; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Windows Vista UA - Commonly Abused"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0b|3b 20|Windows NT 6.0)"; fast_pattern; classtype:misc-activity; sid:2030847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_08, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_09_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Unknown Initial CnC Beacon 10/4/2014"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ccc/tab.php"; fast_pattern; http.header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:command-and-control; sid:2018384; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Session) - Possible Trojan-Clicker"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Session"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2009512; classtype:trojan-activity; sid:2009512; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Downloader 2p (Zeus) May 07 2014"; flow:to_server,established; http.uri; content:"2p/"; fast_pattern; pcre:"/\/p?2p\/[a-z]{3}$/"; http.header_names; content:!"Accept-Language"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018453; rev:7; metadata:created_at 2014_05_08, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installer)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Installer"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008184; classtype:trojan-activity; sid:2008184; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/333"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018894; rev:8; metadata:created_at 2014_08_05, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (API-Guide test program) Used by Several trojans"; flow:established,to_server; http.user_agent; content:"API-Guide test program"; depth:22; nocase; endswith; reference:url,doc.emergingthreats.net/2007826; classtype:trojan-activity; sid:2007826; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Probable OneLouder downloader (Zeus P2P)"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/222"; fast_pattern; http.header; content:"|20|MSIE|20|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018971; rev:5; metadata:created_at 2014_08_20, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (RLMultySocket)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"RLMultySocket"; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008603; classtype:trojan-activity; sid:2008603; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; http.request_body; content:"|25|28|25|29|25|20|25|7b|25|20"; fast_pattern; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:6; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent HTTPGET"; flow:established,to_server; http.user_agent; content:"HTTPGET"; depth:7; http.host; content:!"autodesk.com"; endswith; content:!"rsa.com"; endswith; content:!"consumersentinel.gov"; endswith; content:!"technet.microsoft.com"; endswith; content:!"metropolis.com"; endswith; content:!"www.catalog.update.microsoft.com"; endswith; classtype:trojan-activity; sid:2013508; rev:14; metadata:created_at 2011_08_31, former_category TROJAN, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackEnergy v2 POST Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"id="; content:"&bid="; content:"&dv="; content:"&dpv="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf; reference:md5,948cd0bf83a670c05401c8b67d2eb310; classtype:trojan-activity; sid:2019281; rev:4; metadata:created_at 2014_09_26, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32/Feebs.kw Worm User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/4.7 [en] (WinNT"; depth:23; fast_pattern; reference:url,doc.emergingthreats.net/2007767; classtype:trojan-activity; sid:2007767; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_09_15;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Boleteiro checking stolen boleto payment information"; flow:to_server,established; http.uri; content:"Vencimento="; fast_pattern; content:"&Valor="; content:"&Sacado="; content:"&URL="; content:"&Browser=Chrome"; reference:md5,3cffb955c08f6c1546bfeae37a215787; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-091718-2034-99&tabid=2; classtype:command-and-control; sid:2019243; rev:6; metadata:created_at 2014_09_25, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Installed OK)"; flow:established,to_server; http.user_agent; content:"Installed OK"; startswith; nocase; reference:md5,16035440878ec6e93d82c2aeea508630; classtype:bad-unknown; sid:2030880; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_15, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_15;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"curl|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/3.0 (compatible))"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/3.0 (compatible)"; depth:24; endswith; http.host; content:!".hddstatus.com"; endswith; reference:url,doc.emergingthreats.net/2009867; classtype:trojan-activity; sid:2009867; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"wget|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Gemini/2.0)"; flow:established,to_server; http.user_agent; content:"Gemini/2.0"; depth:10; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025889; rev:3; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER lwp-download Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"lwp-download|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:4; metadata:created_at 2014_09_29, former_category WEB_SERVER, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (Hakai/2.0)"; flow:established,to_server; http.user_agent; content:"Hakai/2.0"; depth:9; fast_pattern; endswith; reference:url,twitter.com/m0rb/status/1021626709307805696; classtype:trojan-activity; sid:2025890; rev:4; metadata:attack_target Server, created_at 2018_07_25, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; http.uri; content:"|28 29 20 7b|"; fast_pattern; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:6; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS MSIL/Peppy User-Agent"; flow:established,to_server; http.user_agent; content:"onedru/"; depth:7; endswith; fast_pattern; reference:md5,ebffb046d0e12b46ba5f27c0176b01c5; classtype:trojan-activity; sid:2026101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_07, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, performance_impact Moderate, signature_severity Major, updated_at 2020_09_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; http.request_body; content:"()|25|20|25|7b"; fast_pattern; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:5; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS VPNFilter Related UA (curl53)"; flow:established,to_server; http.user_agent; content:"curl53"; depth:6; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/09/vpnfilter-part-3.html; classtype:trojan-activity; sid:2026428; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_10_01, deployment Perimeter, former_category USER_AGENTS, malware_family VPNFilter, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SpyClicker.ClickFraud CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/feed.dll?pub_id="; fast_pattern; content:"&ua="; offset:17; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,stopmalvertising.com/malware-reports/anatomy-of-a-net-click-fraud-bot.html; reference:md5,17b077840ab874a8370c98c840b6c671; classtype:command-and-control; sid:2019355; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows 10)"; flow:to_server,established; http.user_agent; content:"Windows 10"; depth:10; http.host; content:!"google-analytics.com"; endswith; classtype:bad-unknown; sid:2026521; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_18, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_09_16;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt URI"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019364; rev:4; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (IEhook)"; flow:established,to_server; http.user_agent; content:"IEhook"; depth:6; endswith; fast_pattern; reference:md5,f0483493bcb352bd2f474b52f3b2f273; classtype:trojan-activity; sid:2026558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Connectivity Check"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/usdeclar.txt"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5f3530edbe1fce44e05ad0c96e54efb4; reference:md5,279fc5e6181d58f883a15d5089ce541b; reference:url,krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/; reference:url,csis.dk/en/csis/news/4472/; classtype:trojan-activity; sid:2019380; rev:6; metadata:created_at 2014_10_09, updated_at 2020_09_25;)
+alert http any any -> $HOME_NET any (msg:"ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement"; flow:established,to_server; http.user_agent; content:"Microsoft|20|WinRM|20|Client"; depth:22; fast_pattern; endswith; reference:url,attack.mitre.org/techniques/T1028/; classtype:bad-unknown; sid:2026850; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_01_23, deployment Internal, former_category USER_AGENTS, performance_impact Low, signature_severity Major, tag WinRM, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest Request URI Struct"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?sid="; fast_pattern; pcre:"/\/\d\.php\?sid=[0-9A-F]{32}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2019384; rev:5; metadata:created_at 2014_10_10, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL Google User-Agent (google/dance)"; flow:established,to_server; http.user_agent; content:"google/dance"; depth:14; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026883; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt Client Body"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; http.request_body; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019365; rev:7; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Peppy/KeeOIL User-Agent (ekeoil)"; flow:established,to_server; http.user_agent; content:"ekeoil/"; depth:7; fast_pattern; endswith; reference:url,www.malcrawler.com/team-simbaa-targets-indian-government-using-united-nations-military-observers-themed-malware-nicked-named-keeoil/; classtype:trojan-activity; sid:2026885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category USER_AGENTS, malware_family Peppy, malware_family KeeOIL, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BlackEnergy Dirconf CnC Beacon"; flow:established,to_server; http.uri; content:"/dirconf/check.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/mi"; reference:url,www.f-secure.com/weblog/archives/00002721.html; classtype:command-and-control; sid:2019412; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SomeTimes)"; flow:established,to_server; http.user_agent; content:"SomeTimes"; depth:9; endswith; fast_pattern; reference:md5,a86d4e17389a37bfc291f4a8da51a9b8; classtype:trojan-activity; sid:2026898; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_11, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_09_16;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Mozilla 6.0)"; flow:established,to_server; http.user_agent; content:"Mozilla 6.0"; depth:11; endswith; classtype:bad-unknown; sid:2027142; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_01, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; http.request_body; content:"name%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:misc-activity; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; http.request_body; content:"nam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Node XMLHTTP User-Agent"; flow:established,to_server; http.user_agent; content:"node-XMLHttpRequest"; depth:19; endswith; nocase; fast_pattern; classtype:unknown; sid:2027388; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; http.request_body; content:"nam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; depth:13; fast_pattern; endswith; reference:md5,c1ca718e7304bf28b5c96559cbf69a06; classtype:bad-unknown; sid:2027484; rev:3; metadata:created_at 2019_06_17, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 5"; flow:established,to_server; http.request_body; content:"na%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello, World)"; flow:established,to_server; http.user_agent; content:"Hello, World"; depth:12; endswith; classtype:bad-unknown; sid:2027503; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; http.request_body; content:"na%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Hello-World)"; flow:established,to_server; http.user_agent; content:"Hello-World"; depth:11; endswith; classtype:bad-unknown; sid:2027504; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_06_21, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; http.request_body; content:"na%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Ave, Caesar!)"; flow:established,to_server; http.user_agent; content:"Ave,|20|Caesar!"; depth:12; fast_pattern; endswith; classtype:bad-unknown; sid:2027648; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_06_28, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; http.request_body; content:"na%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (zwt)"; flow:established,to_server; http.user_agent; content:"zwt"; depth:3; endswith; classtype:bad-unknown; sid:2027649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; http.request_body; content:"n%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (My Agent)"; flow:established,to_server; http.user_agent; content:"My Agent"; depth:8; endswith; classtype:bad-unknown; sid:2027650; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_07_01, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; http.request_body; content:"n%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Custom Firefox UA Observed (Firefox...)"; flow:established,to_server; http.user_agent; content:"Firefox..."; depth:10; fast_pattern; endswith; classtype:bad-unknown; sid:2027686; rev:3; metadata:created_at 2019_07_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; http.request_body; content:"n%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (single dash)"; flow:to_server,established; http.user_agent; content:"-"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; http.request_body; content:"n%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious UA Observed (Quick Macros)"; flow:established,to_server; http.user_agent; content:"Quick|20|Macros"; depth:12; endswith; reference:md5,aa682f5d4a17307539a2bc7048be0745; classtype:trojan-activity; sid:2027755; rev:3; metadata:created_at 2019_07_24, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; http.request_body; content:"n%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (agent)"; flow:established,to_server; http.header; content:!"cn.patch.battlenet.com.cn"; http.user_agent; content:"agent"; depth:5; http.host; content:!".battle.net"; content:!".blizzard.com"; endswith; content:!"blz"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2001891; classtype:trojan-activity; sid:2001891; rev:24; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; http.request_body; content:"n%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious Generic Style UA Observed (My_App)"; flow:established,to_server; http.user_agent; content:"My_App"; depth:6; fast_pattern; endswith; reference:md5,2978dbadd8fda7d842298fbd476b47b2; classtype:bad-unknown; sid:2027833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_09, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; http.request_body; content:"n%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; endswith; http.host; content:!".iobit.com"; content:!".microsoft.com"; content:!".cnn.com"; content:!".wunderground.com"; content:!".weatherbug.com"; content:!"iobit.com.s3.amazonaws.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:pup-activity; sid:2008038; rev:15; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; http.request_body; content:"n%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (My Session)"; flow:to_server,established; http.user_agent; content:"My Session"; nocase; depth:10; http.host; content:!".windows.net"; endswith; reference:url,doc.emergingthreats.net/2010677; classtype:pup-activity; sid:2010677; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; http.request_body; content:"%6eame["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Absent)"; flow:established,to_server; http.user_agent; content:"Absent"; depth:6; endswith; classtype:bad-unknown; sid:2028571; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; http.request_body; content:"%6eame%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Internet Explorer)"; flow:established,to_server; http.user_agent; content:"Internet Explorer"; depth:17; endswith; nocase; http.host; content:!"pnrws.skype.com"; content:!"iecvlist.microsoft.com"; content:!".lenovo.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:bad-unknown; sid:2008052; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_05;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; http.request_body; content:"%6eam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SideStep User-Agent"; flow: to_server,established; http.user_agent; content:"SideStep"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; classtype:misc-activity; sid:2002078; rev:32; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_10_08;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; http.request_body; content:"%6eam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019441; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Moxilla"; flow:established,to_server; http.user_agent; content:"Moxilla"; depth:7; classtype:trojan-activity; sid:2012313; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; http.request_body; content:"%6ea%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (VMozilla)"; flow:to_server,established; http.user_agent; content:"VMozilla"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; classtype:trojan-activity; sid:2012555; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_25, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; http.request_body; content:"%6ea%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious User Agent (Lotto)"; flow:to_server,established; http.user_agent; content:"Lotto"; depth:5; classtype:trojan-activity; sid:2012695; rev:4; metadata:created_at 2011_04_20, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; http.request_body; content:"%6ea%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (mdms)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"mdms"; depth:4; endswith; classtype:trojan-activity; sid:2012761; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; http.request_body; content:"%6ea%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (asd)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"asd"; nocase; depth:3; endswith; classtype:trojan-activity; sid:2012762; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; http.request_body; content:"%6e%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013032; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; http.request_body; content:"%6e%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Binget PHP Library User Agent Outbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013050; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; http.request_body; content:"%6e%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013052; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; flow:established,to_server; http.request_body; content:"%6e%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS PyCurl Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; depth:6; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013054; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; http.request_body; content:"%6e%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)"; flow:to_server,established; http.user_agent; content:"AskPartner"; depth:10; classtype:trojan-activity; sid:2012734; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; http.request_body; content:"%6e%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; http.user_agent; content:"BlackSun"; nocase; depth:8; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"AskInstall"; depth:10; nocase; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:4; metadata:created_at 2014_10_16, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; http.user_agent; content:"XXX"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod_jshoppi"; fast_pattern; pcre:"/^\/mod_jshoppi(?:-|ng|\/)/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019459; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (USERAGENT)"; flow:to_server,established; http.user_agent; content:"USERAGENT"; nocase; depth:9; endswith; reference:md5,cd0e98508657b208219d435f9ac9d76c; reference:md5,cd100abc8eedf2119c7e6746975d7773; classtype:trojan-activity; sid:2034066; rev:7; metadata:created_at 2011_11_22, former_category USER_AGENTS, updated_at 2020_10_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; http.uri; content:"[$ne]"; fast_pattern; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; classtype:web-application-attack; sid:2019460; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Unknown)"; flow:to_server,established; http.user_agent; content:"Unknown"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; classtype:trojan-activity; sid:2007991; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 1"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Metafisher/Goldun User-Agent (z)"; flow:to_server,established; http.user_agent; content:"z"; depth:1; endswith; reference:url,doc.emergingthreats.net/2002874; classtype:trojan-activity; sid:2002874; rev:17; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 2"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.header; content:"Accept-Encoding|3a|"; content:"User-Agent|3a|"; distance:0; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"WinXP Pro Service Pack"; depth:22; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 3"; flow:established,to_server; http.uri; content:"=1/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:4; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent outbound (bot)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"bot/"; depth:4; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Orca RAT URI Struct 4"; flow:established,to_server; http.uri; content:"=2/"; fast_pattern; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/"; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:5; metadata:created_at 2014_10_21, former_category CURRENT_EVENTS, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"PlayStation"; http.user_agent; content:"HTTPTEST"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE vSkimmer.PoS Checkin"; flow:to_server,established; http.uri; content:"/process.php?xy="; fast_pattern; http.header_names; content:!"Accept"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,a99d5d1652dfcda190c3d412828dcf6d; reference:md5,82d9cab2692ae13fc5b835ea2cbb36d7; reference:url,anubis.iseclab.org/action=result&task_id=1b92f08cdbfb73e64450fd07ec88849b3; classtype:command-and-control; sid:2018109; rev:6; metadata:created_at 2013_03_12, former_category MALWARE, updated_at 2020_09_25;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Snatch-System)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Snatch-System"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Siggen.Dropper CnC Beacon"; flow:established,to_server; http.uri; content:".jpg?log="; fast_pattern; content:"&ts="; offset:11; content:"&act="; distance:0; http.header; content:"client|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ee363de2168aab353c829434189350e4; classtype:command-and-control; sid:2019515; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"KKTone"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptoBot Downloading Files"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"btc"; fast_pattern; pcre:"/\/[a-z]+\.k(?:ey)?btc$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3563; classtype:trojan-activity; sid:2019607; rev:4; metadata:created_at 2014_10_30, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Dialer-967 User-Agent"; flow:to_server,established; http.user_agent; content:"del"; depth:3; endswith; nocase; reference:url,doc.emergingthreats.net/2006364; classtype:trojan-activity; sid:2006364; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?a=start&id="; fast_pattern; pcre:"/&id=[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d8e7983004c5545df6de868bc0c5a947; classtype:command-and-control; sid:2019636; rev:4; metadata:created_at 2014_11_04, former_category MALWARE, updated_at 2020_09_25;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MYURL)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MYURL"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iOS/WireLurker CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getversion.php?v="; fast_pattern; content:"&adid="; offset:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019664; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Matcash or related downloader User-Agent Detected"; flow:established,to_server; http.user_agent; pcre:"/^x\w\wx\w\w\!x\w\wx\w\wx\w\w/"; content:"x"; startswith; reference:url,doc.emergingthreats.net/2006382; classtype:trojan-activity; sid:2006382; rev:12; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear SilverLight URI Struct (noalert)"; flow:established,to_server; flowbits:set,et.Nuclear.SilverLight; flowbits:noalert; http.uri; content:"/14"; fast_pattern; pcre:"/\/14\d{8}(?:\.xap)?$/"; classtype:exploit-kit; sid:2019668; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_11_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_09_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; http.user_agent; content:"Windows Updates Manager|7c|"; depth:24; reference:url,doc.emergingthreats.net/2006387; classtype:trojan-activity; sid:2006387; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; http.uri; content:"/cart.php?site="; fast_pattern; content:"&p="; content:"&nm="; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:social-engineering; sid:2019682; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_09_27;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (ld)"; flow:established,to_server; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/2006394; classtype:trojan-activity; sid:2006394; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/view.php"; fast_pattern; pcre:"/\/images\/view\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019687; rev:4; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_09_27;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"netcfg"; depth:6; endswith; reference:url,doc.emergingthreats.net/2007758; classtype:trojan-activity; sid:2007758; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related WinRAR Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|2e 8a 83 32 1f 36 bb 08 cb fc 19 52 92 2e c3 3c|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,4994952020da28bb0aa023d236a6bf3b; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030913; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Tear Application User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Tear Application"; depth:16; endswith; reference:url,doc.emergingthreats.net/2007770; classtype:trojan-activity; sid:2007770; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FinSpy Related Flash Installer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?attachmentid="; content:"&d="; distance:0; http.request_body; content:"|c3 d6 21 f6 77 d7 95 61 2a 27 22 8b 2a d4 c9 16|"; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,a55aa68518586381213cd85441aa4e16; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; classtype:trojan-activity; sid:2030914; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; http.user_agent; content:"WinInet"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007837; classtype:trojan-activity; sid:2007837; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Roficor.A (Darkhotel) Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/txt/read.php"; fast_pattern; pcre:"/\/txt\/read\.php$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/66779/the-darkhotel-apt/; classtype:targeted-activity; sid:2019688; rev:4; metadata:created_at 2014_11_11, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Possible Trojan Downloader Shell"; flow:established,to_server; http.user_agent; content:"Shell"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007840; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2007840; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"<email_accounts_list>"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e24831e3f808116b30d85731c545e3ee; classtype:command-and-control; sid:2019704; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; http.user_agent; content:"https"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2008019; classtype:trojan-activity; sid:2008019; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker Checkin"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/mac_log/?appid="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019661; rev:5; metadata:created_at 2014_11_06, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Version 1.23)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Version|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WireLurker CnC Beacon"; flow:established,to_server; flowbits:set,ET.WireLurkerUA; http.method; content:"GET"; http.uri; content:"/getversion.php?sn="; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf; classtype:command-and-control; sid:2019662; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_11_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla-web"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Autorun.J Checkin"; flow:established,to_server; http.uri; content:".asp?i=0&v=o10.1"; fast_pattern; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AVBS%2FAutorun.J#tab=2; classtype:command-and-control; sid:2019710; rev:4; metadata:created_at 2014_11_15, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INSTALLER)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INSTALLER"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check wtfismyip.com"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:text|json|xml)?$/"; http.host; content:"wtfismyip.com"; endswith; fast_pattern; classtype:policy-violation; sid:2019737; rev:4; metadata:created_at 2014_11_18, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IEMGR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IEMGR"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Matsnu.Backdoor CnC Beacon"; flow:established,to_server; http.uri; content:"id="; content:"&mynum="; content:"&ver="; content:"&cvr="; content:"&threadid="; fast_pattern; content:"&lang="; content:"&os="; reference:url,www.seculert.com/blog/2014/11/dgas-a-domain-generation-evolution.html; classtype:command-and-control; sid:2019741; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GOOGLE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"GOOGLE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault POST M1"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&func="; fast_pattern; pcre:"/^hwid=[A-F0-9]{4}(?:-[A-F0-9]{4}){7}&func=/"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:url,securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/; reference:md5,8e1bdc1c484bc03880c67424d80e351d; classtype:trojan-activity; sid:2019776; rev:4; metadata:created_at 2014_11_24, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (RBR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"RBR"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rtpd.cgi?"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Otwycal User-Agent (Downing)"; flow:to_server,established; http.user_agent; content:"Downing"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008159; classtype:trojan-activity; sid:2008159; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; http.method; content:"GET"; http.uri; content:"/upnp/asf-mp4.asf"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"MS Internet Explorer"; depth:20; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/md/lums.cgi"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:4; metadata:created_at 2014_11_25, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (QQ)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|0d 0a|Q-UA|3a 20|"; http.user_agent; content:"QQ"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:attempted-admin; sid:2030909; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Minor, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (TestAgent)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"TestAgent"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"Katana/"; fast_pattern; startswith; classtype:web-application-attack; sid:2030910; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SERVER"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".html"; fast_pattern; pcre:"/\/[A-Za-z0-9-_]{75,}\.html$/"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE|20|"; depth:42; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016567; rev:8; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinProxy)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WinProxy"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/W32.KRBanker.60928.C Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/upload.php"; http.header; content:"|0d 0a|Accept-Language|3a 20|zh-cn|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; bsize:50; http.request_body; content:"name=|22|upload_file1|22 3b 20|"; fast_pattern; content:".zip|22 0d 0a|"; content:"Content-Type|3a 20|application/x-zip-compressed|0d 0a|"; pcre:"/filename=\x22[A-Z]\x3a\\.+?\\[a-f0-9]{32}\.zip\x22\r\n/"; reference:md5,ec5d7bc9d84551066fff51e36bc41d4d; reference:md5,13bd584bb12ee5dc15c35f5911912b09; classtype:command-and-control; sid:2019828; rev:5; metadata:created_at 2014_12_01, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"sickness"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HompesA Activity"; flow:established,to_server; http.uri; content:"/me/"; fast_pattern; pcre:"/^\/me\/(?:get(?:ref|ua)\.php|videos\.txt)$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,8cc58bc4d63f4b78b635d45aa69108f7; classtype:trojan-activity; sid:2019838; rev:4; metadata:created_at 2014_12_02, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (up2dash updater)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"up2dash"; nocase; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan/MSIL.bfsx Checkin"; flow:to_server,established; http.uri; content:"/infect"; fast_pattern; content:".php"; offset:7; pcre:"/\/infect(?:-\d)?\.php$/"; http.user_agent; content:"Microsoft"; bsize:9; reference:md5,506cd65bdd06f41f8219cd1ed78eac7d; reference:md5,0c39b39ee4a59a8ac5fc1df500da2a88; classtype:command-and-control; sid:2019840; rev:6; metadata:created_at 2014_12_03, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"NSIS_DOWNLOAD"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:pup-activity; sid:2008216; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Sony Breach Wiper Malware Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/igfxtpers.exe"; fast_pattern; reference:url,logfile.packetninjas.net/related-malware-to-sony-breach; classtype:trojan-activity; sid:2019849; rev:4; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:"|20|biz|0d 0a|"; within:15; http.user_agent; content:"Mozilla|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest Posting Data"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?i="; content:"&data="; distance:0; content:"&hash="; fast_pattern; pcre:"/&hash=[^&]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,13c982c3b9c1ef714770820ffa278d2e; classtype:trojan-activity; sid:2019843; rev:5; metadata:created_at 2014_12_03, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"IE"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fin4.InfoStealer Uploading User Credentials CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?msg="; fast_pattern; content:"&uname="; content:"&pword="; reference:url,www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html; classtype:command-and-control; sid:2019829; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm 1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WebForm"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HTTP Request to WebDAV CloudMe Service"; flow:established,to_server; http.host; content:"webdav.cloudme.com"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:policy-violation; sid:2019914; rev:4; metadata:created_at 2014_12_11, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (opera)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"opera"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas Request to WebDAV CloudMe"; flow:established,to_server; http.uri; content:"/CloudDrive/"; nocase; pcre:"/^\/(?:b(?:i(?:llder1405|mm4276)|rowner8674935)|c(?:arter0648|h(?:ak2488|hloe7400)|orn6814)|d(?:aw0996|epp3353)|fr(?:anko7046|ogs6352)|garristone|hurris4124867|james9611|lisa\.walker|parker2339915|sa(?:mantha2064|nmorinostar)|tem5842|young0498814)\/CloudDrive\//i"; http.header; content:"webdav.cloudme.com"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?webdav\.cloudme\.com[^\r\n]*?\r?$/mi"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:trojan-activity; sid:2019915; rev:4; metadata:created_at 2014_12_11, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Zilla)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Zilla"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cloud Atlas CnC Beacon"; flow:established,to_server; urilen:10; threshold:type limit, count 1, seconds 120, track by_src; http.method; content:"POST"; http.uri; content:"/check.jsp"; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/research/68083/cloud-atlas-redoctober-apt-is-back-in-style/; classtype:command-and-control; sid:2019919; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (123)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"123"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/TinyZBot Checkin (Operation Cleaver)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkupdate.asmx"; fast_pattern; http.header; content:"SOAPAction|3a 20 22|http|3a|//tempuri.org/GetServerTime|22 0d 0a|"; http.request_body; content:"GetServerTime xmlns=|22|http|3a|//tempuri.org/"; http.header_names; content:!"|0d 0a|Accept"; content:!"Referer|0d 0a|"; reference:md5,68cfc418c72b58b770bdccf19805703e; reference:url,www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf; classtype:command-and-control; sid:2019942; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (angel)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"angel"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Agent.AIXD Checkin"; flow:to_server,established; http.uri; content:"/cnc.php?id="; fast_pattern; content:"&uid="; http.user_agent; content:"AppleMac"; bsize:8; reference:md5,801e450679e9d60f8c64675c432aab33; reference:md5,ad2e8210ca7c2b4b433b3fba65e87b94; reference:md5,f6ea10f719885fbcfb6743724faa94f7; classtype:command-and-control; sid:2019945; rev:5; metadata:created_at 2014_12_16, former_category MALWARE, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Accessing)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Accessing"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Symmi.46846 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/notify.php"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MyApp)"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fe5dc2a4ee8aa084c9da42cd2d1ded2e; classtype:command-and-control; sid:2019948; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ISMYIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ISMYIE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"allow_url_include"; content:"safe_mode"; http.uri.raw; content:"php|3a 2f 2f|input"; http.request_body; content:"<?php"; fast_pattern; content:"chmod 777"; classtype:attempted-user; sid:2019957; rev:4; metadata:affected_product Any, attack_target Server, created_at 2014_12_17, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (svchost)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"svchost"; depth:7; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE CoolReaper CnC Beacon 1"; flow:established,to_server; http.uri; content:"/dmp/api/"; fast_pattern; pcre:"/\/dmp\/api\/[a-z]+$/"; http.header; content:"dmp."; pcre:"/^Host\x3a[^\r\n]+?dmp\.[^\r\n]+?\r?$/mi"; http.user_agent; content:"UAC/"; depth:4; content:"|28|Android|20|"; distance:0; reference:url,researchcenter.paloaltonetworks.com/2014/12/coolreaper-revealed-backdoor-coolpad-android-devices/; classtype:command-and-control; sid:2019958; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag c2, updated_at 2020_09_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ReadFileURL"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks.A Checkin 2"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; http.method; content:"GET"; http.uri; content:"/query?version="; fast_pattern; content:"&sid="; content:"&builddate="; distance:0; content:"&q="; distance:0; content:"&ua="; content:"&lang="; content:"&wt="; content:"&lr="; distance:0; content:"&ls="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019966; rev:4; metadata:created_at 2014_12_18, former_category MALWARE, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"PcPcUpdater"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Flash Redirector to RIG EK Dec 17 2014"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf?myid="; fast_pattern; pcre:"/\.swf\?myid=[a-zA-Z0-9]+$/"; classtype:exploit-kit; sid:2019967; rev:4; metadata:created_at 2014_12_18, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Inet_read)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Inet_read"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Ransom Page"; flow:established,to_server; http.uri; content:"/buy.php?user_code="; fast_pattern; content:"&user_pass="; reference:url,barracudalabs.com/2014/12/new-cryptolocker-spear-phishing-campaign-looks-to-be-the-grinch-that-stole-christmas-in-australia/; classtype:trojan-activity; sid:2019978; rev:4; metadata:created_at 2014_12_20, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS Agent)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS Agent"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; classtype:trojan-activity; sid:2008423; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030911; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS_DOWNLOAD"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030912; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"AdiseExplorer"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M1"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/googleyou_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030915; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HTTP Downloader"; depth:15; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT39/Chafer Payload - CnC Checkin M2"; flow:established,to_server; http.method; content:"BITS_POST"; http.uri; content:"/winfoxupdate_"; startswith; fast_pattern; http.header_names; content:"BITS-"; classtype:command-and-control; sid:2030916; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HttpDownload)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HttpDownload"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda Checkin"; flow:established,to_server; dsize:50<>400; content:"|46 45 79 4e 56 59 6c 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; reference:md5,07328ad6efcf16b532499cbb8daa7633; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:trojan-activity; sid:2030920; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Download App)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Download App"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vicious Panda CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tel/1214"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; bsize:26; http.accept; content:"image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*"; bsize:56; reference:md5,3009db32ca8895a0f15f724ba12a6711; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign/; reference:url,twitter.com/dewan202/status/1244595728175030272; classtype:command-and-control; sid:2030921; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent (AutoDL\/1.0)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"AutoDL/1.0"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008458; classtype:trojan-activity; sid:2008458; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outbound HTTP Request with BITS_POST Method"; flow:established,to_server; http.method; content:"BITS_POST"; fast_pattern; classtype:policy-violation; sid:2030917; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hacker)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"hacker"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 1"; flow:established,from_server; flowbits:isset,ET.Anunanak.HTTP.1; http.header; content:"Content-Length|3a 20|11|0d 0a|"; file.data; content:"no commands"; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020028; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ieguideupdate"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2"; flow:established,from_server; flowbits:isset,ET.Anunanak.HTTP.2; http.header; content:"Content-Length|3a 20|9|0d 0a|"; file.data; content:"no result"; fast_pattern; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020030; rev:4; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adsntD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"adsntD"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Nurjax Downloading PE"; flow:established,to_server; http.uri; content:".exe?dummy="; fast_pattern; pcre:"/\.exe\?dummy=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6b7759565454fb7d02fb5bc638136f31; classtype:trojan-activity; sid:2020032; rev:4; metadata:created_at 2014_12_23, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieagent)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"ieagent"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/connect.php?a=1"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type|0d 0a|"; classtype:command-and-control; sid:2020077; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (antispyprogram)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"antispyprogram"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; classtype:trojan-activity; sid:2008495; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kronos Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Length|3a 20|74|0d 0a|"; fast_pattern; http.request_body; pcre:"/^(?P<v1>.).{33}(?P=v1).{9}(?P<v2>.)(?:.{4}(?P=v2)){3}/s"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Content-Type"; classtype:command-and-control; sid:2020080; rev:4; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SUiCiDE"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/uploads/images/201"; fast_pattern; pcre:"/\.png$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"User-Agent|0d 0a|"; reference:md5,5f50e810668942e8d694faeabab08260; reference:url,blog.0x3a.com/post/107195908164/analysis-of-steam-stealers-and-the-steam-stealer; classtype:trojan-activity; sid:2020095; rev:5; metadata:created_at 2015_01_06, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"msIE"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY exploitpack.com tool checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/changelog/"; fast_pattern; pcre:"/^\/changelog\/(?:appversion|changelog|help)$/"; http.user_agent; content:"Java/1"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.exploitpack.com; classtype:bad-unknown; sid:2020195; rev:4; metadata:created_at 2015_01_15, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"AVP200"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISRStealer Checkin"; flow:to_server,established; http.uri; content:"?action="; content:"&username="; content:"&password="; content:"&app="; content:"&pcname="; fast_pattern; content:"&sitename="; reference:md5,44be7c6d4109ae5fb0ceb2824facf2dd; reference:url,cert.pl/news/8706/langswitch_lang/en; classtype:command-and-control; sid:2016941; rev:8; metadata:created_at 2011_07_06, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (winlogon)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"winlogon"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.Codenox.gyezu CnC Activity"; flow:established,to_server; http.request_line; content:"GET /__wendaoQuery.ashx?t=getcoklist&area="; startswith; fast_pattern; content:"&tb="; content:"&min="; content:"&rnd="; content:" HTTP/1.1"; distance:18; within:9; endswith; reference:md5,2c8495e13ba334324574be52dbdce173; classtype:command-and-control; sid:2030918; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Internet HTTP"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Adrom.Backdoor CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?page="; content:"&enckey="; fast_pattern; pcre:"/\x26enckey\x3D[A-F0-9]+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c621055803c68e89f3cb141608fd0894; reference:md5,3c2be5202d2d68047c76bdf7e1dfc2be; classtype:command-and-control; sid:2020293; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Downloader"; depth:10; pcre:"/^Downloader\d+\.\d/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008643; classtype:trojan-activity; sid:2008643; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (7)"; flow:established,to_server; http.uri; content:"/get"; fast_pattern; content:".jpg"; pcre:"/\/(?:w(?:hite|orld)|step)\/get(?:a+|n+)\.jpg/"; classtype:exploit-kit; sid:2016559; rev:17; metadata:created_at 2013_03_09, former_category EXPLOIT_KIT, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Compatible"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; classtype:trojan-activity; sid:2008657; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Heimdallbot"; nocase; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*?Heimdallbot/mi"; classtype:web-application-attack; sid:2020323; rev:4; metadata:created_at 2015_01_28, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"GetUrlSize"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; classtype:trojan-activity; sid:2008658; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download"; flow:established,to_server; http.uri; content:"/admin-ajax.php?"; fast_pattern; content:"slider_show_image"; pcre:"/^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rim"; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:6; metadata:created_at 2015_01_21, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"aguarovex-loader v"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; classtype:trojan-activity; sid:2008663; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action=get_"; fast_pattern; pcre:"/^\/action\.php\?action=get_(?:mails|red)$/"; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020330; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WINS_HTTP_SEND"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; classtype:trojan-activity; sid:2008734; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress PingBack Possible GHOST attempt"; flow:established,to_server; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; content:"<string>"; pcre:"/^\s*?https?\x3a\/\//Rs"; isdataat:1024,relative; content:!"|2f|"; within:1024; content:!"</string>"; within:1033; pcre:"/^\d[\d\x2e]{255}/R"; classtype:web-application-attack; sid:2020327; rev:8; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_01_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (checkonline)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"checkonline"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; classtype:trojan-activity; sid:2008749; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Update"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data_updater.dat"; fast_pattern; pcre:"/\/data_updater\.dat$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020333; rev:4; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Kvadrlson|20|"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; classtype:trojan-activity; sid:2008756; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.PYO Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/data.cfg"; fast_pattern; pcre:"/\/data\.cfg$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/; classtype:trojan-activity; sid:2020334; rev:4; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Kangkio User-Agent (lsosss)"; flow:established,to_server; http.user_agent; content:"lsosss"; depth:6; endswith; reference:url,doc.emergingthreats.net/2008767; classtype:trojan-activity; sid:2008767; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Download"; flow:to_server,established; http.uri; content:"/bn_versions/"; fast_pattern; content:".exe"; pcre:"/\/bn_versions\/\d+?\.exe$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:trojan-activity; sid:2020341; rev:6; metadata:created_at 2015_01_30, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (miip)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"miip"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; classtype:trojan-activity; sid:2008797; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FancyBox Remote Code Inclusion POST Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin-post.php?page=fancybox-for-wordpress"; fast_pattern; http.request_body; content:"INPUTBODY|3a|"; content:"action=update"; content:"mfbfw"; content:"extraCalls"; nocase; reference:url,blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html; classtype:attempted-admin; sid:2020368; rev:7; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozil1a)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Mozil1a"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; classtype:trojan-activity; sid:2008847; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-09-29"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; content:".php"; isdataat:!1,relative; http.method; content:"POST"; http.request_body; content:"mail="; depth:5; nocase; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_09_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"min"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; classtype:trojan-activity; sid:2008912; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast C2 Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp?cstring="; fast_pattern; content:"&tom="; content:"&id="; distance:0; http.request_body; content:"|00 00 00 00|"; depth:4; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:command-and-control; sid:2020378; rev:4; metadata:created_at 2015_02_06, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/1.0 (compatible|3b 20|MSIE 8.0|3b|"; depth:34; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; classtype:trojan-activity; sid:2008913; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS *.rar.exe in HTTP URL"; flow:to_server,established; http.uri; content:".rar.exe"; fast_pattern; nocase; endswith; classtype:bad-unknown; sid:2020386; rev:4; metadata:created_at 2015_02_09, former_category POLICY, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"xr"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; classtype:trojan-activity; sid:2008914; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:"checkip.dyndns.org"; fast_pattern; http.header; pcre:"/^(?:Accept\x3a\x20text\/\*, application\/\*\r\n)?User-Agent\x3a[^\r\n\x3b\x28\x29]+\r\nHost\x3a[^\r\n]+checkip\.dyndns\.org\r\nCache-Control\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2020370; rev:6; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Yandesk)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Yandesk"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; classtype:trojan-activity; sid:2008916; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Monitoring Software Domain (sneek .io) in TLS SNI"; flow:established,to_server; tls.sni; content:"sneek.io"; bsize:8; classtype:policy-violation; sid:2030922; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"sections"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; classtype:trojan-activity; sid:2008919; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mayhem Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.header; content:"Pragma|3a 20|1337|0d 0a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2014/05/elf-shared-so-dynamic-library-malware.html; classtype:command-and-control; sid:2018456; rev:5; metadata:created_at 2014_05_08, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HELLO)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HELLO"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; classtype:trojan-activity; sid:2008941; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.KeyLogger.ODN Checkin"; flow:established,to_server; urilen:19; http.method; content:"GET"; http.uri; content:"/newage.txt"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4e83c405f35efd128ab8c324c12dbde9; classtype:command-and-control; sid:2019467; rev:5; metadata:created_at 2014_10_17, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IE/1.0"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY I2P Seeds File Request"; flow:established,to_server; http.uri; content:"/i2pseeds.su3"; fast_pattern; reference:url,phishme.com/dyre-attackers-shift-tactics/; classtype:policy-violation; sid:2020415; rev:4; metadata:created_at 2015_02_12, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runUpdater.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runUpdater|2e|html"; depth:15; reference:url,doc.emergingthreats.net/2009355; classtype:trojan-activity; sid:2009355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/0/"; fast_pattern; pcre:"/\/(?:5[12]|6[0-3])\/0\/[A-Z]*$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020419; rev:5; metadata:created_at 2015_02_13, former_category CURRENT_EVENTS, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runPatch.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runPatch|2e|html"; depth:13; reference:url,doc.emergingthreats.net/2009356; classtype:trojan-activity; sid:2009356; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gulcrypt.B Downloading components - set"; flow:established,to_server; urilen:8; flowbits:set,ET.Gulcrypt; flowbits:noalert; http.method; content:"GET"; http.uri; content:"/manager"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c41449d6c3efd4c9f98374a0d132ff6; classtype:trojan-activity; sid:2020420; rev:4; metadata:created_at 2015_02_13, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Poker)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Poker"; depth:5; endswith; nocase; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; classtype:trojan-activity; sid:2009534; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; pcre:"/&user=\d+$/"; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020434; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"InHold"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2009544; classtype:trojan-activity; sid:2009544; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Exfiltrating files"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"account="; depth:8; content:"&name="; content:"&folder="; fast_pattern; content:"&fname="; content:"&s="; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020435; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INet)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INet"; depth:4; endswith; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checking filename"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"path="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020437; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (STEROID Download)"; flow:established,to_server; http.user_agent; content:"STEROID Download"; nocase; depth:16; endswith; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; classtype:trojan-activity; sid:2009994; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
 
-alert udp any any -> any any (msg:"ET MALWARE Mozi Botnet DHT Config Sent"; flow:established,to_client; content:"|64 31 3a 72 64 32 3a 69 64 32 30 3a 38 38 38 38 38 38 38 38|"; content:"|3a 6e 6f 64 65 73 36 32 34 3a 15 15|"; distance:13; within:12; reference:url,blog.netlab.360.com/mozi-another-botnet-using-dht/; reference:url,securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/; reference:md5,5616a3471565d34d779b5b3d0520bb70; reference:md5,891158b3c43e621956558cd0b5b41e81; classtype:command-and-control; sid:2030919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2020_09_29, deployment Perimeter, former_category MALWARE, malware_family Mozi, performance_impact Low, signature_severity Major, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0(compatible|3b 20|TALWinHttpClient)"; depth:41; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2010261; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010261; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT File information"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; fast_pattern; content:"&user="; content:"&file="; distance:0; content:"&type="; distance:0; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020438; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32.OnLineGames User-Agent (BigFoot)"; flow:to_server,established; http.user_agent; content:"BigFoot"; nocase; depth:7; reference:url,doc.emergingthreats.net/2010678; classtype:trojan-activity; sid:2010678; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Serial"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&serial="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020439; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Nine Ball User-Agent Detected (NQX315)"; flow:established,to_server; http.user_agent; content:"NQX315"; depth:6; endswith; reference:url,doc.emergingthreats.net/2011188; classtype:trojan-activity; sid:2011188; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Transmitting Date"; flow:established,to_server; http.uri; content:".php?name="; fast_pattern; content:"&date="; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020440; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GUIDTracker)"; flow:to_server,established; http.user_agent; content:"GUIDTracker"; depth:11; reference:md5,7a8807f4de0999dba66a8749b2366def; classtype:trojan-activity; sid:2013455; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (SK)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"SK"; nocase; fast_pattern; bsize:2; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020441; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (windsoft)"; flow:established,to_server; http.user_agent; content:"WindSoft"; depth:8; endswith; classtype:trojan-activity; sid:2013561; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skype)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skype"; nocase; fast_pattern; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020442; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NateFinder)"; flow:to_server,established; http.user_agent; content:"NateFinder"; depth:10; classtype:trojan-activity; sid:2013881; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Possible User-Agent (Skypee)"; flow:established,to_server; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.user_agent; content:"Skypee"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer|0d 0a|"; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020443; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (webfile)"; flow:to_server,established; http.user_agent; content:"webfile"; depth:7; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; classtype:trojan-activity; sid:2013883; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Viper APT Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_rtemp.php?n="; fast_pattern; http.header; content:"|0d 0a|REMOTE_USER|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5efc02d416b15554b25d9acec362148e; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020436; rev:4; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DARecover)"; flow:to_server,established; http.user_agent; content:"DARecover"; depth:9; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; classtype:trojan-activity; sid:2013884; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Beaugrit.gen.AAAA"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/attach/1759CB3B5124F217143044"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,fbfe6c2673aec9098e1fc9bf6d7fc059; classtype:trojan-activity; sid:2020479; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; http.user_agent; content:"Updater"; depth:7; endswith; reference:url,doc.emergingthreats.net/2003470; classtype:pup-activity; sid:2003470; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.NSIS.Comame.A Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/9.php?safe="; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; bsize:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a15f19a3ccd05f74537464e6df64dab; classtype:command-and-control; sid:2020480; rev:5; metadata:created_at 2015_02_19, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (update)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"update"; depth:6; endswith; reference:url,doc.emergingthreats.net/2003583; classtype:pup-activity; sid:2003583; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ddnsmngr.cmd?action=apply"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:pup-activity; sid:2006361; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (FTP)"; flow: to_server,established; http.user_agent; content:"Ftp"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:pup-activity; sid:2008735; rev:11; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"dnsPrimary="; fast_pattern; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (Sme32)"; flow: established, to_server; http.user_agent; content:"Sme32"; depth:5; endswith; reference:url,doc.emergingthreats.net/2010137; classtype:pup-activity; sid:2010137; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"dnsDynamic="; content:"dnsRefresh="; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:4; metadata:created_at 2015_02_19, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FaceCooker)"; flow:to_server,established; http.user_agent; content:"FaceCooker"; nocase; depth:10; reference:url,doc.emergingthreats.net/2010717; classtype:pup-activity; sid:2010717; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SuperFish CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/verify.php?version="; fast_pattern; content:"&GUID=|7b|"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:command-and-control; sid:2020490; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (lineguide)"; flow:to_server,established; http.user_agent; content:"lineguide"; nocase; depth:9; reference:url,doc.emergingthreats.net/2011106; classtype:pup-activity; sid:2011106; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Arid Viper APT Advtravel Campaign GET Keepalive"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php/customer/onlin"; fast_pattern; http.user_agent; content:"Internet Explorer"; bsize:17; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf; classtype:targeted-activity; sid:2020432; rev:7; metadata:created_at 2015_02_17, former_category MALWARE, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; http.user_agent; content:"|5f|InTeRNeT"; depth:9; reference:url,doc.emergingthreats.net/2011127; classtype:pup-activity; sid:2011127; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC Beacon 2"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/cou.php"; fast_pattern; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020504; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSIE 5.5"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007833; classtype:trojan-activity; sid:2007833; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO .exe download with no referer (noalert)"; flow:established,to_server; flowbits:set,exe.no.referer; flowbits:noalert; http.uri; content:".exe"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2020573; rev:4; metadata:created_at 2015_02_27, former_category INFO, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; http.user_agent; content:"ScrapeBox"; depth:9; classtype:trojan-activity; sid:2011282; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Superlinks Plugin SQL Injection"; flow:established,to_server; http.uri; content:"/superlinks.php?"; nocase; fast_pattern; pcre:"/[?&]id=\d*?[^\d]\d*?(?:&|$)/i"; reference:url,www.exploit-db.com/exploits/33809/; classtype:attempted-user; sid:2018612; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_06_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"REKOM"; nocase; depth:5; classtype:trojan-activity; sid:2012295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_07, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Privdog Update check"; flow:established,to_server; http.uri; content:"/update.inf"; http.header; content:"X-TA-ClientVer|3a 20|"; fast_pattern; content:"X-TA-ClientOS|3a 20|"; reference:url,blog.hboeck.de/archives/866-PrivDog-wants-to-protect-your-privacy-by-sending-data-home-in-clear-text.html; reference:url,blog.lumension.com/9848/whats-worse-than-superfish-meet-privdog-leaving-users-wide-open-to-attacks/; classtype:policy-violation; sid:2020580; rev:4; metadata:created_at 2015_02_27, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; http.user_agent; content:"VCTestClient"; depth:12; nocase; classtype:trojan-activity; sid:2012386; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; urilen:9; http.method; content:"POST"; http.uri; content:"/ping.ccp"; fast_pattern; http.request_body; content:"ccp_act=ping_v6&ping_addr="; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:4; metadata:created_at 2015_03_03, updated_at 2020_09_29;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; http.user_agent; content:"PrivacyInfoUpdate"; depth:17; nocase; classtype:trojan-activity; sid:2012387; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xunpf.A Retrieving DLL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web_"; fast_pattern; content:".jpg"; pcre:"/\/web_[0-9A-F]{12}\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfb7dd8b6975b73dc9c731319a05f86d; classtype:trojan-activity; sid:2020601; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Fire-Cloud)"; flow:established,to_server; http.user_agent; content:"Fire-Cloud"; bsize:10; reference:md5,804c8f7d3b10b421ab5c09d675644212; classtype:trojan-activity; sid:2031065; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupdate.cpp) 2015-1187"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/fwupgrade.ccp"; fast_pattern; http.request_body; content:"|0d 0a|fwupgrade"; content:"|0d 0a|resolv.conf"; nocase; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:4; metadata:created_at 2015_03_04, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"SteamHTTPClient"; depth:15; endswith; classtype:policy-violation; sid:2028650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; fast_pattern; http.request_body; content:"set_general"; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:5; metadata:created_at 2015_03_02, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Autoupdate)"; flow:to_server,established; http.header; content:!" Creative AutoUpdate v"; http.user_agent; content:"Autoupdate"; nocase; depth:10; content:!"McAfeeAutoUpdate"; nocase; http.host; content:!"update.nai.com"; content:!"nokia.com"; content:!"sophosupd.com"; content:!"sophosupd.net"; content:!"wholetomato.com"; content:!".acclivitysoftware.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:pup-activity; sid:2003337; rev:22; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Downloading Module"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".pack"; nocase; fast_pattern; endswith; http.user_agent; content:"Mozilla"; startswith; pcre:"/^Mozilla(?:\/4\.0)?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65125129418e07ce1000aa677b66b72f; classtype:trojan-activity; sid:2018604; rev:7; metadata:created_at 2014_06_25, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious HttpSocket User-Agent Observed"; flow:established,to_server; http.user_agent; content:"HttpSocket By Xswallow"; depth:22; classtype:misc-activity; sid:2031167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, signature_severity Major, updated_at 2020_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tor Based Locker Page (Torrentlocker)"; flow:established,to_server; http.uri; content:"/buy.php?"; fast_pattern; http.header; pcre:"/Host\x3a\x20[a-z0-9]{16}\.[^\r\n]*?(?:tor|onion)/mi"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018951; rev:6; metadata:created_at 2014_08_18, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; http.user_agent; content:"AnyDesk"; depth:7; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027762; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct M2 Feb 06 2015"; flow:established,to_server; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$/"; classtype:exploit-kit; sid:2020644; rev:4; metadata:created_at 2015_03_07, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"ESET Installer"; depth:14; endswith; classtype:policy-violation; sid:2027219; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag PUA, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Post Infection CnC Beacon"; flow:established,to_server; http.uri; content:"/rp?"; fast_pattern; content:"v="; content:"a="; content:"u="; content:"d="; pcre:"/^\/(?:[^\x2f]+\/)?rp\?[a-z]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fc962cb08f62e3d6368500a8e747cf73; classtype:command-and-control; sid:2020645; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (downloader)"; flow:to_server,established; http.user_agent; content:"downloader"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:pup-activity; sid:2007885; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Onkods.A Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)*?[a-z]+\.exe$/"; http.header; content:"User-Agent|3a 20|"; depth:12; pcre:"/^User-Agent\x3a\x20(?=\d*[a-z])[a-z0-9]+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,fb570e6d68e708daeceae5dfc544fba2; classtype:command-and-control; sid:2018121; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Simple Bot"; flow:established,to_server; http.user_agent; content:"Simple Bot v"; startswith; fast_pattern; reference:md5,3cf04350400299844abb17a0e1640975; classtype:bad-unknown; sid:2031471; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_12_31;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaoutra.ru)"; flow:to_server,established; http.header; content:"bagacaoutra.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaoutra\.ru\r\n/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020650; rev:6; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (aaaa)"; flow:established,to_server; http.user_agent; content:"aaaa"; bsize:4; reference:md5,61e213e717cc8e156cec79a7c1cd0c64; classtype:bad-unknown; sid:2031613; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_02_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacavoltou.ru)"; flow:to_server,established; http.header; content:"bagacavoltou.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacavoltou\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020651; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Collection Info)"; flow:established,to_server; http.user_agent; content:"Collection Info/1.0"; bsize:19; fast_pattern; reference:md5,864eace6e6f67b77163d7ed5da4498c8; reference:url,github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam; reference:url,www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/; classtype:bad-unknown; sid:2031684; rev:1; metadata:created_at 2021_03_01, former_category USER_AGENTS, performance_impact Low, updated_at 2021_03_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaveia.ru)"; flow:to_server,established; http.header; content:"bagacaveia.ru|0d 0a|"; fast_pattern; pcre:"/^Host\x3a[^\r\n]+bagacaveia\.ru/mi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:trojan-activity; sid:2020652; rev:5; metadata:created_at 2015_03_09, updated_at 2020_09_29;)
+alert http any any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (HaxerMen)"; flow:established,to_server; http.user_agent; content:"HaxerMen"; bsize:8; fast_pattern; reference:md5,19aa54bd0c5a4b78f47247bb432b689d; classtype:bad-unknown; sid:2032081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trapwot FakeAV Checkin"; flow:established,to_server; http.uri; content:"v="; content:"a="; content:"u="; content:"i=0"; fast_pattern; pcre:"/^\/(?:[a-z]+\/)?[a-z_]+\?[a-z]=/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,baf71ace207afd3f330c4aba3784e074; classtype:command-and-control; sid:2020646; rev:6; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Non-standard User-Agent (PATCHER)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|PATCHER|0d 0a|"; classtype:policy-violation; sid:2032938; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Checkin"; flow:established,to_server; http.uri; content:"/?user="; fast_pattern; content:"os="; content:"&os2="; content:"&ver="; content:"&host="; content:!"|2e|"; content:"type="; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2019678; rev:5; metadata:created_at 2014_11_08, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious User-Agent (altera forma)"; flow:established,to_server; http.user_agent; content:"altera|20|forma"; bsize:12; fast_pattern; reference:md5,f019d3031c3aaf45dbd3630a33ab0991; classtype:bad-unknown; sid:2032948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2021_05_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin 3"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|13|0d 0a|"; fast_pattern; http.request_body; content:"|00 04 00 00 00|"; offset:4; depth:5; content:!"|00 00 00 00|"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e610d3c383a4f1c8a27aaf018b12c370; classtype:command-and-control; sid:2020568; rev:6; metadata:created_at 2015_02_25, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MyAgent)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"www.google-analytics.com"; http.user_agent; content:"MyAgent"; depth:7; fast_pattern; http.host; content:!"driverdl.lenovo.com.cn"; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; fast_pattern; pcre:"/\.php\?id=\d+$/"; http.header; content:!"Content-T"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,693ca229558aab99e0a9d3385cacc40c; classtype:command-and-control; sid:2020706; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WaterDropX PRISM UA Observed"; flow:established,to_server; http.user_agent; content:"agent-waterdropx"; fast_pattern; classtype:command-and-control; sid:2033269; rev:1; metadata:created_at 2021_07_07, former_category USER_AGENTS, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FindPOS Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"oprat="; fast_pattern; content:"&uid="; content:"&uinfo="; content:"&win="; content:"&vers="; reference:md5,fe0f997d81d88bc11cc03e4d1fd61ebe; classtype:command-and-control; sid:2020723; rev:5; metadata:created_at 2015_03_21, former_category MALWARE, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML,|20|like|20|Gecko)|20|Chrome/70."; bsize:91; reference:url,media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF; classtype:bad-unknown; sid:2033314; rev:1; metadata:created_at 2021_07_12, former_category USER_AGENTS, updated_at 2021_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fileless infection dropped by EK CnC Beacon"; flow:established,to_server; http.uri; content:"hl="; content:"source="; content:"aq="; content:"aqi="; content:"aql="; fast_pattern; content:"oq="; http.header; content:!"google."; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; depth:49; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020734; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)"; flow:established,to_server; http.user_agent; content:"Microsoft|20|Office/14.0|20|(Windows|20|NT|20|6.1|3b 20|Microsoft|20|Outlook|20|14.0.7162|3b 20|Pro"; bsize:71; reference:url,media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF; classtype:bad-unknown; sid:2033315; rev:1; metadata:created_at 2021_07_12, former_category USER_AGENTS, updated_at 2021_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanProxy.JpiProx.B CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sync"; depth:5; content:"ext="; content:"&pid="; content:"&country="; content:"&regd="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2020738; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sysWeb User-Agent"; flow:established,to_server; http.user_agent; content:"|20|sysWeb/"; fast_pattern; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033665; rev:1; metadata:created_at 2021_08_04, former_category USER_AGENTS, performance_impact Low, updated_at 2021_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Teslacrypt Ransomware HTTP CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/state"; fast_pattern; content:".php?"; pcre:"/\/state[^\x2f]*\.php\?[A-Za-z0-9+/]*={0,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c075fa8484d52c3978826c2f07ce9a9c; classtype:command-and-control; sid:2020717; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_03_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)"; flow:established,to_server; http.user_agent; content:"Embarcadero URI Client/1.0"; bsize:26; reference:md5,c0e620ed4e96aa1fe8452a3f8b7e2e8d; classtype:bad-unknown; sid:2034244; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hyteod CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.header; content:"|5f 5e 5b 8b e5 5d|"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; bsize:63; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept-"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f2ad19a08063171b039accd24b0c27ca; classtype:command-and-control; sid:2020821; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Microsoft-ATL-Native/9.00)"; flow:established,to_server; http.user_agent; content:"Microsoft-ATL-Native/9.00"; bsize:25; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:bad-unknown; sid:2034296; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.BXEW Variant HTTP CnC Beacon 2"; flow:established,to_server; http.header; content:"Accept|3a 20|*/*,|20|"; content:", MZ"; fast_pattern; pcre:"/^Accept\x3a\x20\*\/\*,[^\r\n]+, MZ/mi"; reference:md5,0ebaf8a6292237b33045f5e81947004b; classtype:command-and-control; sid:2020834; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (urlRequest)"; flow:established,to_server; http.user_agent; content:"urlRequest"; bsize:10; reference:md5,988fbcfeebf2a49af4072030dead68f9; classtype:bad-unknown; sid:2034298; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2021_10_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F exe Download 2"; flow:to_server,established; urilen:<13; http.method; content:"GET"; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/^\/[^\x2f]+?\.exe$/i"; http.host; content:".ru"; endswith; http.header; content:".ru|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:8; metadata:created_at 2013_07_24, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; threshold: type threshold, track by_dst, count 20, seconds 40; http.method; content:"GET"; http.uri; content:"/random"; nocase; fast_pattern; pcre:"/\x2Frandom\w+?\x2E(?:c(?:f[cm]|gi)|ht(?:ml?|r)|(?:ws|x)dl|a(?:sp|xd)|p(?:hp3|l)|bat|swf|vbs|do)/i"; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_29;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dBrowser CallGetResponse)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"dBrowser"; startswith; content:"CallGetResponse:"; fast_pattern; distance:3; within:16; pcre:"/^dBrowser\x20\d\x20CallGetResponse\x3a\d$/V"; reference:md5,e09ad59bff10bd4b730ee643809ec9a7; classtype:trojan-activity; sid:2034948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_01_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.sanlorenzoyacht.com"; bsize:23; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Chrome)"; flow:established,to_server; content:"User-Agent|3a 20|Chrome|0d 0a|"; http_header; fast_pattern; classtype:bad-unknown; sid:2027916; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_01_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .automercado .co .cr in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.automercado.co.cr"; bsize:21; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (example/1.0)"; flow:to_server,established; http.user_agent; content:"example/1.0"; bsize:11; startswith; reference:url,cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; classtype:bad-unknown; sid:2035032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_02_07;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLINDINGCAN Domain (www .sanlorenzoyacht .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.ne-ba.org"; bsize:13; fast_pattern; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:domain-c2; sid:2030931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Suspcious LeakIX User-Agent (l9explore)"; flow:established,to_server; http.user_agent; content:"l9explore"; startswith; fast_pattern; reference:url,ithub.com/LeakIX/l9format; classtype:bad-unknown; sid:2035314; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2022_02_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_02_28;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/cgi-bin/webcm"; fast_pattern; http.request_body; content:"getpage="; depth:10; content:"errorpage="; distance:0; content:"/html/index.html&login|3a|command"; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ItIsMe)"; flow:to_server,established; http.user_agent; content:"ItIsMe"; depth:6; fast_pattern; reference:url,resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts; classtype:trojan-activity; sid:2035445; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2022_03_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup.cgi?todo=wan_dns1="; fast_pattern; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:5; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP-Test-Program)"; flow:to_server,established; http.user_agent; content:"HTTP-Test-Program"; bsize:17; startswith; reference:md5,6e69e15ae55aee85ace66bb99e6ba885; classtype:bad-unknown; sid:2035452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_03_14;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?wan_primary_dns="; fast_pattern; content:"&wan_secondary_dns="; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (CobaltStrike)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0_Frsg_stredf_o21_crown_type"; startswith; fast_pattern; reference:md5,b8b7a10dcc0dad157191620b5d4e5312; classtype:trojan-activity; sid:2035537; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category USER_AGENTS, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/router/add_dhcp_segment.cgi?"; fast_pattern; content:"is_router_as_dns=1"; content:"&dns1="; content:"submitbutton="; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:4; metadata:created_at 2015_04_09, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (FastInvoice)"; flow:established,to_server; http.user_agent; content:"FastInvoice"; bsize:11; startswith; fast_pattern; reference:md5,42218b0ce7fc47f80aa239d4f9e000a1; classtype:bad-unknown; sid:2035932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kriptovor Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/loader.php?name="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|en-US|3b 20|rv|3a|x.xx) Gecko/20030504 Mozilla Firebird/0.6"; depth:92; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/analysis_of_kriptovo.html; reference:md5,7e47a518561c46123d4facd43effafbf; classtype:command-and-control; sid:2020883; rev:7; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)"; flow:established,to_server; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; reference:url,blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/; classtype:trojan-activity; sid:2036237; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_04_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shellshock Worm Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.c.php?request="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,volexity.com/blog/?p=118; classtype:command-and-control; sid:2020887; rev:4; metadata:created_at 2015_04_09, former_category MALWARE, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom)"; flow:established,to_server; http.user_agent; content:"dafom"; bsize:5; fast_pattern; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:bad-unknown; sid:2036260; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; pcre:"/\/gate\.php$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; http.request_body; content:"id="; depth:3; pcre:"/^[A-F0-9]+$/R"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020890; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (006)"; flow:established,to_server; http.user_agent; content:"00"; depth:2; pcre:"/00\d+$/"; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:pup-activity; sid:2006388; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault Mailer CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/redirect.php?loc=mail"; fast_pattern; pcre:"/\/redirect\.php\?loc=mail$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,af0e5a5df0be279aa517e2fd65cadd5c; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020906; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (REBOL)"; flow:established,to_server; http.user_agent; content:"REBOL"; nocase; startswith; reference:url,twitter.com/James_inthe_box/status/1441140639169609736; classtype:bad-unknown; sid:2034021; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoinVault CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"hwid="; depth:5; content:"&knock="; distance:0; content:"&keylog="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c7e34daa9e9160ce433a6cae74867711; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3581; classtype:command-and-control; sid:2020907; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Mozilla/3.0"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0"; fast_pattern; depth:11; endswith; classtype:bad-unknown; sid:2012619; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ruckguv.A Requesting Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/id.exe"; fast_pattern; http.user_agent; content:"MSIE"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,227365242cc97fa611fdac295b732d82; reference:md5,b9eec5be1d2f5d0007bd94fdd8c7ea57; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3801; classtype:trojan-activity; sid:2020910; rev:5; metadata:created_at 2015_04_14, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; http.header; content:"User-Agent|3A 20|adlib/"; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:bad-unknown; sid:2013967; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_24, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ttint XORed CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.connection; content:"Upgrade"; http.request_body; content:"|a1 8a ee 02 e8 91 ff 04 be ac f7 09 b3 9c|"; offset:8; fast_pattern; reference:url,blog.netlab.360.com/ttint-an-iot-rat-uses-two-0-days-to-spread/; classtype:command-and-control; sid:2030924; rev:2; metadata:affected_product IoT, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, malware_family Ttint, performance_impact Low, signature_severity Major, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Windows Explorer)"; flow:established,to_server; http.user_agent; content:"Windows Explorer"; nocase; bsize:16; fast_pattern; reference:url,twitter.com/reecdeep/status/1541735626915069954; reference:md5,a750e7ca3c96e229159290610f050f44; classtype:trojan-activity; sid:2037137; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_06_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_06_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; http.stat_code; content:"302"; http.stat_msg; content:"Found"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:4; metadata:created_at 2015_04_16, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS DanaBot Specific UA Observed"; flow:to_server,established; http.user_agent; content:"Mozilla/777.0"; startswith; fast_pattern; classtype:trojan-activity; sid:2037737; rev:1; metadata:created_at 2022_07_11, updated_at 2022_07_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; http.stat_code; content:"301"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:4; metadata:created_at 2015_04_16, updated_at 2020_09_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (kath)"; flow:established,to_server; http.user_agent; content:"kath"; fast_pattern; depth:4; endswith; bsize:4; reference:md5,2ed86e80ea9b4b95b3e52ed77ea6c401; reference:url,cloudsek.com/yourcyanide-an-investigation-into-the-frankenstein-ransomware-that-sends-malware-laced-love-letters/; classtype:bad-unknown; sid:2037747; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_07_12, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?id="; fast_pattern; content:"&os="; content:"&com="; content:"&ver="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020918; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (56)"; flow:to_server,established; http.user_agent; content:"56"; bsize:2; depth:2; fast_pattern; reference:md5,c9ee1d6a90be7524b01814f48b39b232; classtype:trojan-activity; sid:2037828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_07_26, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2022_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FighterPOS CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/keylogger.php?id="; fast_pattern; content:"&com="; content:"&key="; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,b0416d389b0b59776fe4c4ddeb407239; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/wp-fighterpos.pdf; classtype:command-and-control; sid:2020920; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?fn="; fast_pattern; pcre:"/&(?:uid|name|file)=[a-f0-9]+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020921; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sysget/HelloBridge HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?fn="; fast_pattern; http.request_body; content:"name=|22|file|22|"; content:"name=|22|path|22|"; distance:0; content:"name=|22|submit|22|"; distance:0; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020922; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood TCP"; flow:established,to_server; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003192; classtype:attempted-dos; sid:2003192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bioazih RAT Checkin"; flow:to_server,established; http.header; content:"Hostname|3a|"; content:"Ip|3a|"; content:"Os|3a|"; content:"Proxy|3a|"; fast_pattern; content:"Vm|3a|"; http.user_agent; content:"Pass|3a|"; startswith; reference:md5,7bc5451341a684aca80a59a463bad973; reference:md5,5443cf2b6c010c57cf740356c9167b77; reference:url,blogs.technet.com/b/mmpc/archive/2015/04/13/bioazih-rat-how-clean-file-metadata-can-help-keep-you-safe.aspx; classtype:command-and-control; sid:2020927; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP INVITE Message Flood UDP"; content:"INVITE"; depth:6; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009698; classtype:attempted-dos; sid:2009698; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".asp?HostID="; fast_pattern; pcre:"/\?HostID=([A-F0-9]{2}(?:-|<>)){5}[A-F0-9]{2}$/"; http.header; content:"Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 0d 0a|"; reference:md5,e397a68bf4fbb7a9b4d1b6da1fe2172b; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020928; rev:5; metadata:created_at 2015_04_16, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood TCP"; flow:established,to_server; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2003193; classtype:attempted-dos; sid:2003193; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?bit="; fast_pattern; content:"&version="; pcre:"/\/\?bit=(?:32|64)&version=\d{4}-\d{1,2}-\d{1,2}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020939; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP REGISTER Message Flood UDP"; content:"REGISTER"; depth:8; threshold: type both , track by_src, count 100, seconds 60; reference:url,doc.emergingthreats.net/2009699; classtype:attempted-dos; sid:2009699; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 6"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?check"; fast_pattern; pcre:"/\/\?check$/"; http.user_agent; content:"Example"; bsize:7; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,b1fe4120e3b38784f9fe57f6bb154517; classtype:command-and-control; sid:2020940; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP SIP UDP Softphone INVITE overflow"; dsize:>1000; content:"INVITE"; depth:6; nocase; pcre:"/\r?\n\r?\n/R"; isdataat:1000,relative; reference:bugtraq,16213; reference:cve,2006-0189; reference:url,doc.emergingthreats.net/bin/view/Main/2002848; classtype:attempted-user; sid:2002848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dalexis CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|uploaded|22 3b 20|filename=|22|"; fast_pattern; content:".jpg"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; nocase; classtype:command-and-control; sid:2020933; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP MultiTech SIP UDP Overflow"; content:"INVITE"; nocase; depth:6; isdataat:65,relative; content:!"|0a|"; within:61; reference:cve,2005-4050; reference:url,doc.emergingthreats.net/2003237; classtype:attempted-user; sid:2003237; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Graftor Downloading Dridex"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; content:"Host|3a|"; depth:5; pcre:"/^Host\x3a[^\r\n]+\r\nAccept-Language\x3a[^\r\n]+\r\nAccept\x3a[^\r\n]+\r\nAccept-Encoding\x3a[^\r\n]+\r\nConnection\x3a\x20close\r\nUser-Agent\x3a[^\r\n]+\r\n(?:\r\n)?$/"; http.user_agent; content:"MSIE"; http.connection; content:"close"; bsize:5; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5d9d5b9089ad464e51ff391b14da1953; classtype:trojan-activity; sid:2020960; rev:4; metadata:created_at 2015_04_22, updated_at 2020_09_30;)
+alert tcp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses TCP"; flow:established,from_server; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2003194; classtype:attempted-dos; sid:2003194; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP GET CnC Beacon"; flow:established,to_server; flowbits:set,ET.CozyDuke.HTTP; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; pcre:"/[A-Z]{100}(?:&\w+=[a-zA-Z0-9/+=]+){0,2}$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020963; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert udp $HOME_NET 5060 -> $EXTERNAL_NET any (msg:"ET VOIP Multiple Unauthorized SIP Responses UDP"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 5, seconds 360; reference:url,doc.emergingthreats.net/2009700; classtype:attempted-dos; sid:2009700; rev:1; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyDuke APT HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?$/"; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:61; http.request_body; pcre:"/^\w+=(?:[a-zA-Z0-9/+=]{1,30}&\w+=)?[a-zA-Z0-9+/]{0,13}[A-Z]{200}/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,98a6484533fa12a9ba6b1bd9df1899dc; classtype:targeted-activity; sid:2020964; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Asterisk Register with no URI or Version DOS Attempt"; content:"REGISTER|0d 0a|"; nocase; depth:10; content:!"SIP/"; distance:0; reference:url,labs.musecurity.com/advisories/MU-200703-01.txt; reference:url,tools.ietf.org/html/rfc3261; reference:url,doc.emergingthreats.net/2003474; classtype:attempted-dos; sid:2003474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; http.stat_code; content:"307"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Modified Sipvicious Asterisk PBX User-Agent"; content:"|0d 0a|User-Agent|3A| Asterisk PBX"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html; classtype:attempted-recon; sid:2012296; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; http.stat_code; content:"303"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:4; metadata:created_at 2015_04_23, updated_at 2020_09_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper"; content:"|0d 0a|User-Agent|3A| Zoiper"; nocase; threshold: type limit, count 1, seconds 60, track by_src; reference:url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html; classtype:attempted-recon; sid:2012297; rev:2; metadata:created_at 2011_02_07, updated_at 2011_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BUILDINGCAN CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; bsize:69; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) Chrome/28.0.1500.95 Safari/537.36"; fast_pattern; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.request_body; content:"id="; startswith; pcre:"/(?:&(?:boardid|bbsNo|strBoardID|userid|bbs|filename|code|pid|seqNo|ReportID|v|PageNumber|num|view|read|action|page|mode|idx|cateId|bbsId|pType|pcode|index|tbl|idx_num|act|bbs_id|bbs_form|bid|bbscate|menu|tcode|b_code|bname|tb|borad01|borad02|borad03|mid|newsid|table|Board_seq|bc_idx|seq|ArticleID|B_Notice|nowPage|webid|boardDiv|sub_idxa)=[^&]+){3}$/R"; reference:url,blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html; classtype:targeted-activity; sid:2030932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_09_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET VOIP Possible Modified Sipvicious OPTIONS Scan"; content:"OPTIONS "; depth:8; content:"ccxllrlflgig|22|<sip|3A|100"; nocase; distance:0; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; classtype:attempted-recon; sid:2011422; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed DownloadAssistant User-Agent"; flow:established,to_server; http.user_agent; content:"DLA/"; startswith; reference:md5,521875fc63f4b2c004deb75e766cb8c5; classtype:pup-activity; sid:2030933; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Internet, former_category ADWARE_PUP, performance_impact Low, signature_severity Informational, updated_at 2020_09_30;)
+alert ip any any -> any 5060 (msg:"GPL VOIP SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100158; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/"; classtype:exploit-kit; sid:2020991; rev:4; metadata:created_at 2015_04_24, updated_at 2020_09_30;)
+alert ip any any -> any 5060 (msg:"GPL VOIP SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:2100163; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP DownloadAssistant Activity"; flow:established,to_server; http.start; content:"POST /v2/events HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Length|3a 20|"; fast_pattern; http.request_body; content:"4F44"; startswith; reference:md5,d6d20eef805a4719f0771321f832bbed; classtype:pup-activity; sid:2030934; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_09_30;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:2100223; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; threshold: type both, track by_dst, count 10, seconds 60; http.method; content:"POST"; http.uri; content:"/apply_noauth.cgi"; fast_pattern; http.request_body; content:"timestamp="; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:4; metadata:created_at 2015_04_28, updated_at 2020_09_30;)
+alert ip any 5060 -> any any (msg:"GPL VOIP SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:2100162; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin"; flow:to_server,established; urilen:7; http.method; content:"GET"; http.uri; content:"/dw/gtk"; fast_pattern; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021028; rev:4; metadata:created_at 2015_04_28, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from MERA RTU"; flow:to_server,established; content:"|22 c0 09 00 7a b7 07|MERA RTU|08|"; classtype:misc-attack; sid:2022022; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downeks Checkin 2"; flow:to_server,established; urilen:>107; http.method; content:"GET"; http.uri; content:"/setup/"; fast_pattern; pcre:"/\/setup\/[a-zA-Z0-9!-]{100,}$/"; http.header; content:"Host|3a|"; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html; classtype:command-and-control; sid:2021029; rev:4; metadata:created_at 2015_04_29, former_category MALWARE, updated_at 2020_09_30;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; content:"|05 04|"; distance:3; within:2; classtype:misc-activity; sid:2022023; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim payload retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/app.exe"; fast_pattern; pcre:"/\/app\.exe$/"; http.user_agent; content:"Wget"; depth:4; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,seclists.org/fulldisclosure/2015/Jan/131; reference:md5,cdcc132fad2e819e7ab94e5e564e8968; classtype:trojan-activity; sid:2020350; rev:6; metadata:created_at 2015_02_03, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP H.323 in Q.931 Call Setup - Inbound"; flow:to_server,established; content:"|08|"; offset:4; depth:1; byte_jump:1,0,relative; content:"|05 04|"; within:2; byte_jump:1,0,relative; content:"|70|"; byte_jump:1,0,relative; content:"|7E|"; within:1; byte_test:1,!&,0x0F,3,relative; isdataat:31; classtype:misc-activity; sid:2022024; rev:1; metadata:created_at 2015_11_03, updated_at 2015_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; http.header; content:"Content-Disposition|3a 20|inline|3b|"; content:".xap"; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/m"; file.data; content:"AppManifest.xaml"; fast_pattern; classtype:exploit-kit; sid:2020982; rev:5; metadata:created_at 2015_04_23, former_category EXPLOIT_KIT, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"/g"; http_uri; nocase; content:"back=++Back++"; nocase; pcre:"/^\/g($|[?#])/Ui"; reference:url,www.milw0rm.com/exploits/3189; reference:url,doc.emergingthreats.net/bin/view/Main/2003329; reference:cve,2007-0528; classtype:attempted-user; sid:2003329; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Carbon FormGrabber/Retgate.A/Rombertik Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; content:"&host="; content:"&browser="; content:"&post="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,symantec.com/connect/blogs/european-automobile-businesses-fall-prey-carbon-grabber; reference:md5,72bab43e406c9e325e49e27b22853b60; reference:url,blogs.cisco.com/security/talos/rombertik; reference:md5,f504ef6e9a269e354de802872dc5e209; classtype:command-and-control; sid:2021055; rev:6; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_09_30;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"ET VOIP Possible Misuse Call from Cisco ooh323"; flow:to_server,established; content:"|28 06|cisco|00|"; offset:14; depth:8; content:"|b8 00 00 27 05|ooh323|06|"; within:60; reference:url,videonationsltd.co.uk/2015/04/h-323-cisco-spam-calls/; classtype:misc-attack; sid:2021066; rev:2; metadata:created_at 2015_05_07, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Xenu Link Sleuth Scanner Outbound"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"Xenu Link Sleuth"; fast_pattern; classtype:attempted-recon; sid:2021058; rev:5; metadata:created_at 2015_05_05, updated_at 2020_09_30;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M1 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^1\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021067; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M2 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^2\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021068; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt"; flow:established,to_client; content:"-J-jar -J"; pcre:"/(launch\x28.+-J-jar -J|-J-jar -J.+launch\x28)/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/; reference:url,doc.emergingthreats.net/2011053; classtype:attempted-user; sid:2011053; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M3 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^3\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021069; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt"; flow:established,to_client; content:"<dxstudio"; nocase; content:"shell.execute("; nocase; reference:cve,2009-2011; reference:url,doc.emergingthreats.net/2010841; classtype:attempted-user; sid:2010841; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M4 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^4\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021070; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 403 Forbidden|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010516; classtype:web-application-attack; sid:2010516; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M5 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^5\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021071; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010518; classtype:web-application-attack; sid:2010518; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M6 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^6\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021072; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, former_category CURRENT_EVENTS, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M7 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^7\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021073; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<body\s+[^>]*onUnload\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009132; classtype:web-application-attack; sid:2009132; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M8 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^8\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021074; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (img)"; flow:from_server,established; content:"img"; nocase; content:"onUnload"; distance:0; nocase; pcre:"/<img\s+[^>]*onEnd\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009133; classtype:web-application-attack; sid:2009133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host M9 (noalert)"; flowbits:set,http.dottedquadhost; flowbits:noalert; flow:to_server,established; http.host; pcre:"/^9\d{0,2}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; depth:1; classtype:bad-unknown; sid:2021075; rev:4; metadata:created_at 2015_05_08, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt (body)"; flow:from_server,established; content:"body"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<body\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009134; classtype:web-application-attack; sid:2009134; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC GET"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"docs/"; fast_pattern; pcre:"/^\/(?:tran|http)docs\//"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021080; rev:4; metadata:created_at 2015_05_09, former_category MALWARE, updated_at 2020_09_30;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt"; flow:from_server,established; content:"img"; nocase; content:"onURLFlip"; distance:0; nocase; pcre:"/<img\s+[^>]*onURLFlip\s*=\s*[\x22\x27]?\(\)/"; reference:url,doc.emergingthreats.net/2009135; classtype:web-application-attack; sid:2009135; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VaultCrypt Checkin"; flow:to_server,established; urilen:6; http.method; content:"GET"; http.uri; content:"/v.vlt"; fast_pattern; http.header; content:"|0d 0a|UA-CPU|3a 20|"; reference:md5,d8bd77eebee2e74ea74679bf3f1f7210; classtype:command-and-control; sid:2021091; rev:4; metadata:created_at 2015_05_13, former_category MALWARE, updated_at 2020_10_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt"; flow:established,to_client; content:"setInterval("; nocase; content:"document.getElementById"; nocase; distance:0; content:".innerHTML"; nocase; distance:0; content:".toString("; nocase; within:60; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20815; reference:url,reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1; reference:url,doc.emergingthreats.net/2011764; classtype:attempted-user; sid:2011764; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putty SSH Credential Stealer"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?"; content:"=c3NoOi8v"; fast_pattern; pcre:"/=c3NoOi8v[A-Za-z0-9+/]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b5c88d5af37afd13f89957150f9311ca; classtype:trojan-activity; sid:2021095; rev:4; metadata:created_at 2015_05_14, updated_at 2020_10_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:"<imfl>"; pcre:"/<[^>%]*%/R"; content:"</imfl>"; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; reference:url,doc.emergingthreats.net/bin/view/Main/2002381; classtype:web-application-attack; sid:2002381; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Tmanger Checkin"; flow:established,to_server; content:"|8f 98 45 59 08 12 b2 aa ea 9d 7b 27 15 96 5f 00 2b b5 00|"; offset:8; depth:19; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001099; classtype:misc-attack; sid:2001099; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA428 Infostealer CnC Host Checkin"; flow:established,to_server; content:"|54 0b 54|"; offset:16; depth:3; fast_pattern; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|54 0b 54|"; distance:0; content:"|08 00|"; distance:0; content:"|01|"; endswith; reference:md5,a5a4046989fa0f99c2076aec3ea0ab2a; reference:url,vblocalhost.com/uploads/VB2020-20.pdf; classtype:targeted-activity; sid:2030939; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001101; classtype:misc-attack; sid:2001101; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M5"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.csb.app"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030936; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001102; classtype:misc-attack; sid:2001102; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Hosted on CodeSandbox.io M6"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"domain=.codesandbox.io"; fast_pattern; file.data; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; content:"|e2 95 ab e2 95 ab e2 95 ab e2 95 ab|"; distance:0; classtype:social-engineering; sid:2030937; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Stealth attempt to access SHELL#=#="; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell|3a|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001103; classtype:misc-attack; sid:2001103; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".asp?"; fast_pattern; pcre:"/\.asp\?(?:[A-Za-z0-9+*]{4})*(?:[A-Za-z0-9+*]{2}==|[A-Za-z0-9+*]{3}=|[A-Za-z0-9+*]{4})$/"; http.user_agent; content:"|20|MSIE|20|"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,a69ac85c7e723ae37377516d7054fa0b; classtype:command-and-control; sid:2021118; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001105; classtype:misc-activity; sid:2001105; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SPEAR CnC Beacon 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"?wd="; fast_pattern; pcre:"/\?wd=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,blog.cylance.com/spear-a-threat-actor-resurfaces; reference:md5,1beb162fc327101c01b07240a924202f; classtype:command-and-control; sid:2021119; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_20, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001106; classtype:misc-activity; sid:2001106; rev:10; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.Jenxcus.H URL Structure"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/is-rinoy"; fast_pattern; reference:url,www.virustotal.com/en/file/a00eaca44c480843b1a8a11ac8870a931477be08d98f0476d1f8f60433e3f40a/analysis; classtype:trojan-activity; sid:2021122; rev:4; metadata:created_at 2015_05_20, updated_at 2020_10_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001048; classtype:misc-activity; sid:2001048; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP GET CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&guid="; content:"&version="; distance:0; pcre:"/&version=\d+$/"; http.header; content:"WinHttp.WinHttpRequest."; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021132; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy"; flow:to_client,established; content:"WebViewFolderIcon"; nocase; content:".setSlice"; nocase; content:"0x7ffffff"; nocase; reference:url,riosec.com/msie-setslice-vuln; reference:url,osvdb.org/27110; reference:cve,2006-3730; reference:url,doc.emergingthreats.net/bin/view/Main/2003110; classtype:attempted-user; sid:2003110; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE H1N1 Loader CnC Beacon M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|"; depth:53; http.request_body; pcre:"/^[A-Za-z0-9/_]+={0,2}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=3851; classtype:command-and-control; sid:2021139; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection"; flow:from_server,established; content:"ftp|3a|//"; nocase; pcre:"/ftp\://[^\' \"]*%0a/i"; reference:url,osvdb.org/12299; reference:cve,2004-1166; reference:url,doc.emergingthreats.net/bin/view/Main/2003230; classtype:attempted-user; sid:2003230; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bancos URL Structure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/infects/"; fast_pattern; pcre:"/\/[a-z]\/infects\/[a-z]\?[a-z]=[^\\\*\+\=\|\:\;\x22\?\<\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/65335e9df2d4cb5267bdab0dd9e3d1bcdff957fa4d40e3219fc9267af94a318e/analysis; reference:md5,9766c5eca8d229f1af9dfb9bd97f02a0; classtype:trojan-activity; sid:2021142; rev:4; metadata:created_at 2015_05_22, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_client; content:"WScript.Shell"; nocase; content:"shell.Run"; nocase; within:40; content:"|22|"; within:6; reference:url,msdn.microsoft.com/en-us/library/d5fk67ky(VS.85).aspx; reference:url,doc.emergingthreats.net/2010961; classtype:attempted-user; sid:2010961; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Autorun.AD Checkin"; flow:established,to_server; urilen:14; http.method; content:"GET"; http.uri; content:"/loglogin.html"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; reference:md5,3d652375fd511878f410fb1048e47f83; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AMSIL/Autorun.AD; reference:md5,3d652375fd511878f410fb1048e47f83; classtype:command-and-control; sid:2021143; rev:6; metadata:created_at 2015_05_23, former_category MALWARE, updated_at 2020_10_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Red-Is-Sus Server"; nocase; endswith; reference:md5,de232dfbef55fa3803b15f4fa01c9f95; classtype:domain-c2; sid:2030935; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_01, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007704; classtype:attempted-user; sid:2007704; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE TransparentTribe AhMyth RAT Variant Activity (POST)"; flow:established,to_server; content:"|20|gzip|0d 0a 0d 0a|5d|0d 0a|--"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"U|3b 20|Android"; http.request_body; content:"form-data|3b 20|name=|22|imei|22 0d 0a|"; content:"form-data|3b 20|name=|22|image|22 3b 20|filename=|22|sm.csv|22 0d 0a|"; distance:0; reference:url,securelist.com/transparent-tribe-part-2/98233/; reference:md5,b8006e986453a6f25fd94db6b7114ac2; classtype:trojan-activity; sid:2030940; rev:1; metadata:attack_target Mobile_Client, created_at 2020_10_01, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt"; flow:established,to_client; content:"window.open("; nocase; content:"setTimeout("; nocase; distance:0; content:"document.body.innerHTML"; nocase; distance:0; content:".stop"; nocase; distance:0; pcre:"/(window|w)\x2Estop/i"; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-45.html; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=556957; reference:cve,2010-1206; reference:url,doc.emergingthreats.net/2011240; classtype:misc-attack; sid:2011240; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 7"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action=getuid"; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021166; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt"; flow:established,to_client; content:"APPLET"; nocase; content:"children"; nocase; distance:0; content:"location.reload"; nocase; within:100; reference:url,code.google.com/p/skylined/issues/detail?id=18; reference:url,www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html; classtype:attempted-user; sid:2011864; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 8"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?action="; fast_pattern; content:"&uid="; content:"&bit="; content:"&version="; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,aa87ab0c51887b86b48c009931dcc410; classtype:command-and-control; sid:2021167; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6"; flow:from_server,established; content:"DirectAnimation.StructuredGraphicsControl"; reference:url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html; reference:cve,2006-3427; reference:url,doc.emergingthreats.net/bin/view/Main/2003023; classtype:web-application-activity; sid:2003023; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin"; flow:to_server,established; http.uri; content:"/pha?android_version="; fast_pattern; content:"&id="; content:"&phone_number="; content:"&client_version="; content:"&imei="; content:"&name="; reference:url,securityblog.s21sec.com/2015/05/new-ransomware-in-mobile-environment.html; classtype:trojan-activity; sid:2021174; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_06_01, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; reference:url,doc.emergingthreats.net/bin/view/Main/2001182; classtype:misc-attack; sid:2001182; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Backspace CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.header; content:"HOST|3a 20|"; http.user_agent; content:"SJZJ (compatible|3b 20|MSIE 6.0|3b 20|Win32)"; fast_pattern; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,ddf0981aebeea6ba9abdae6ddf8ed4e2; classtype:targeted-activity; sid:2021184; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt"; flow:established,from_server; content:"RTSP/"; nocase; depth:5; content:"|0a|Content-Type|3a|"; nocase; distance:0; isdataat:50,relative; content:!"|0a|"; within:50; reference:url,www.kb.cert.org/vuls/id/659761; reference:url,www.milw0rm.com/exploits/4657; reference:url,doc.emergingthreats.net/2007703; classtype:attempted-user; sid:2007703; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?type=notification&machinename="; fast_pattern; content:"&machinetime="; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:command-and-control; sid:2021188; rev:4; metadata:created_at 2015_06_05, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt"; flow:established,to_client; content:"appletComponentArch.DynamicTreeApplet"; nocase; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; content:"PARAM"; nocase; distance:0; reference:url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/; reference:url,www.mozilla.org/security/announce/2010/mfsa2010-37.html; reference:bugtraq,41842; reference:cve,2010-1214; classtype:attempted-user; sid:2011538; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".py"; fast_pattern; endswith; http.user_agent; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021213; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt"; flow:established,to_client; content:"FLV"; nocase; depth:300; content:"onMetaData"; nocase; distance:0; content:"|07 50 75 08|"; within:100; reference:url,service.real.com/realplayer/security/08262010_player/en/; reference:url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/; reference:bugtraq,42775; reference:cve,2010-3000; classtype:attempted-user; sid:2011485; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zacom.A CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; fast_pattern; pcre:"/\.asp$/"; http.header; content:"Windows NT 5.0|3b|"; http.request_body; pcre:"/^\d{4}/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,25631f5ccec8f155a8760b8568ca22c5; classtype:command-and-control; sid:2021214; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt"; flow:established,to_client; content:"|3C|smil"; nocase; content:"|3C|img src="; nocase; distance:0; content:!"http"; nocase; within:20; content:"|3A|//"; within:20; isdataat:700,relative; content:!"|3C 2F|smil|3E|"; nocase; within:700; content:!"|0A|"; within:700; reference:url,securitytracker.com/alerts/2010/Aug/1024336.html; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:2011366; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip2location.com"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip2location.com"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021162; rev:5; metadata:created_at 2015_05_29, former_category POLICY, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding"; flow:established,to_client; content:"%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012041; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup ip.webmasterhome.cn"; flow:established,to_server; http.host; content:"ip.webmasterhome.cn"; fast_pattern; bsize:19; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021250; rev:4; metadata:created_at 2015_06_11, former_category POLICY, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding"; flow:established,to_client; content:"%63%68%61%72%43%6f%64%65%41%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012043; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Retrieving Config"; flow:to_server,established; urilen:22; http.method; content:"GET"; http.uri; content:"/css/bootstrap.min.css"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/i"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:4; metadata:created_at 2015_06_13, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding"; flow:established,to_client; content:"%u63%u68%u61%u72%u43%u6f%u64%u65%u41%u74"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012044; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload"; flow:established,to_server; http.uri; content:"/lns.txt"; fast_pattern; pcre:"/\/lns.txt$/"; http.user_agent; content:"WinHttp.WinHttpRequest"; reference:md5,0ed66982890ec483c3bc6f883e2424fb; classtype:trojan-activity; sid:2021284; rev:5; metadata:created_at 2015_06_17, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding"; flow:established,to_client; content:"%u53%u74%u72%u69%u6e%u67%u2e%u66%u72%u6f%u6d%u43%u68%u61%u72%u43%u6f%u64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012042; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; pcre:"/\/win\.html$/"; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/si"; classtype:exploit-kit; sid:2021292; rev:4; metadata:created_at 2015_06_18, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.Win32.Adload (KaiXin Payload) Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".ini?"; fast_pattern; pcre:"/^\/[a-z]+?\.*?ini\?\d+$/i"; http.header_names; content:!"|0d 0a|Accept-"; content:!"User-Agent|0d 0a|"; reference:md5,c45810710617f0149678cc1c6cbec7a6; classtype:command-and-control; sid:2021300; rev:4; metadata:created_at 2015_06_18, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/page_"; nocase; fast_pattern; content:".html"; nocase; pcre:"/\/[a-f0-9]{8}\/page_\d{8,10}\.html$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0"; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021274; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write % Encoding"; flow:established,to_client; content:"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012059; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.DES.Downloader Request"; flow:to_server,established; http.uri; content:"/ad.php?id="; fast_pattern; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Macintosh|3b 20|Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10|0d 0a|Accept-Encoding|3a 20|deflate|0d 0a|Accept-Language|3a 20|en-us|0d 0a|HOST|3a 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021352; rev:4; metadata:created_at 2015_06_26, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding"; flow:established,to_client; content:"%u64%u6f%u63%u75%u6d%u65%u6e%u74%u2e%u77%u72%u69%u74%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012060; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup www.whatsmyip.us"; flow:established,to_server; http.host; content:"www.whatsmyip.us"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2021371; rev:4; metadata:created_at 2015_06_30, former_category POLICY, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding"; flow:established,to_client; content:"%61%72%67%75%6d%65%6e%74%73%2e%63%61%6c%6c%65%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012061; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Checkin"; flow:established,to_server; http.uri; content:"/up_docx.php"; fast_pattern; http.header_names; content:!"Referer"; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:command-and-control; sid:2021376; rev:4; metadata:created_at 2015_07_02, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding"; flow:established,to_client; content:"%u61%u72%u67%u75%u6d%u65%u6e%u74%u73%u2e%u63%u61%u6c%u6c%u65%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012062; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UpDocX Download"; flow:established,to_server; http.uri; content:"/WINWORD32.exe"; fast_pattern; http.header_names; content:!"Referer"; reference:url,pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html; classtype:trojan-activity; sid:2021377; rev:5; metadata:created_at 2015_07_02, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set"; flow:to_client,established; content:"NtDllImageBase|22|"; nocase; content:"getModuleInfos|28|"; distance:0; content:"|27|ntdll.dll|27|"; nocase; within:50; flowbits:set,NtDll.ImageBase.Module.Called; flowbits:noalert; classtype:not-suspicious; sid:2012085; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.2|29 20|"; startswith; http.request_body; content:"appid="; depth:6; content:"&model="; content:"&imei="; fast_pattern; content:"&connect="; content:"&dpi="; content:"&width="; content:"&cpu="; content:"&phoneno="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021386; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt"; flow:established,to_client; content:"@import url(|22|"; nocase; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; content:"@import url(|22|"; nocase; distance:0; content:"css|22|)|3B|"; nocase; within:40; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Dec/110; reference:url,www.breakingpointsystems.com/community/blog/ie-vulnerability/; reference:url,www.microsoft.com/technet/security/advisory/2488013.mspx; reference:bid,45246; reference:cve,2010-3971; classtype:attempted-user; sid:2012075; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gunpoder Checkin"; flow:to_server,established; http.uri; content:"/landing?c="; fast_pattern; content:"&g="; content:"&a="; content:"&s1="; content:"&s2="; content:"&s3="; content:"&s4="; content:"&s5="; content:"&s6="; content:"&s7="; content:"&s8="; content:"&s9="; content:"&s10="; content:"&s11="; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/; reference:md5,b0b2cd71b4d15bb5f07b8315d7b27822; classtype:trojan-activity; sid:2021392; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding"; flow:established,to_client; content:"%u646f%u6375%u6d65%u6e74%u2e77%u7269%u7465"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012107; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android BatteryBotPro Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"uuid="; content:"language="; content:"appkey"; content:"model="; content:"operatorsname="; fast_pattern; content:"networkname="; content:"networktype="; reference:md5,6f39ac1c8c34ab9ba51bf26eba4cc6fb; reference:url,research.zscaler.com/2015/07/fake-batterybotpro-clickfraud-adfruad.html; classtype:trojan-activity; sid:2021387; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_07_07, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding"; flow:established,to_client; content:"%u6368%u6172%u436f%u6465%u4174"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012108; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matsnu Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; bsize:70; http.request_body; content:"="; depth:7; content:"AA"; distance:3; within:2; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.connection; content:"Keep-AliveCache-Control|3a 20|no-cache"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:command-and-control; sid:2021399; rev:5; metadata:created_at 2015_07_10, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding"; flow:established,to_client; content:"%u5374%u7269%u6e67%u2e66%u726f%u6d43%u6861%u7243%u6f64%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012109; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Banload.VZS Banker POST CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adm/contador.php"; fast_pattern; http.user_agent; content:"Firefox/15.0.1"; bsize:14; reference:md5,3f30e3a023a720f0227a0a8653484239; reference:md5,b9d6539f4136b715656f8a515810c90d; classtype:command-and-control; sid:2021403; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi_test.cgi?write_"; fast_pattern; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/i"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:4; metadata:created_at 2015_07_13, updated_at 2020_10_01;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage"; flow:established,to_client; content:"|5C|x"; nocase; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; content:"|5C|x"; nocase; distance:2; within:2; pcre:"/\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}\x5Cx[a-f,0-9]{2}/i"; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; classtype:bad-unknown; sid:2012119; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; http.uri; content:"/movie.swf"; fast_pattern; classtype:trojan-activity; sid:2021414; rev:4; metadata:created_at 2015_07_15, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set"; flow:established,to_client; flowbits:set,ET.AVI.RIFF.Chunk; content:"|52 49 46 46|"; content:"|41 56 49 20|"; distance:4; within:4; flowbits:noalert; classtype:not-suspicious; sid:2012142; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SLOTHFULMEDIA RAT CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v?m="; startswith; fast_pattern; content:"&i="; distance:0; http.accept; content:"application/octet-stream,application/xhtml"; bsize:42; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-275a; reference:md5,448838b2a60484ee78c2198f2c0c9c85; classtype:command-and-control; sid:2030960; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow"; flow:established,to_client; flowbits:isset,ET.AVI.RIFF.Chunk; content:"|73 74 72 66|"; content:"|93 00 00 00|"; distance:8; within:4; reference:cve,2010-0480; reference:url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/; reference:url,www.exploit-db.com/exploits/14895/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx; classtype:attempted-user; sid:2012143; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; http.uri; content:"isn_logdel"; nocase; fast_pattern; pcre:"/[?&]isn_logdel/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:8; metadata:created_at 2013_12_10, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set"; flow:established,to_client; flowbits:set,DXF.Ext.Access; content:"|20 20 30|"; content:"|0A 53 45 43 54 49 4F 4E|"; within:10; content:"|20 20 32|"; within:5; content:"|48 45 41 44 45 52|"; distance:0; content:"|0a|"; within:2; flowbits:noalert; classtype:not-suspicious; sid:2012152; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; http.uri; content:"isn_logpath"; nocase; fast_pattern; pcre:"/[?&]isn_logpath/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:8; metadata:created_at 2013_12_10, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 2"; flow:to_server,established; urilen:12; http.method; content:"GET"; http.uri; content:"/checkupdate"; fast_pattern; http.header; pcre:"/Host\x3a\x20jdk\.[a-f0-9]{32}\.org/mi"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; startswith; http.cookie; content:"A="; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/m"; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021502; rev:4; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String"; flow:established,to_client; content:"String.fromCharCode|28|"; nocase; content:"|2E|charCodeAt|28|"; nocase; within:32; pcre:"/String.fromCharCode|28|[a-z,0-9]{1,20}\x2EcharCodeAt\x28/i"; classtype:misc-activity; sid:2012205; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jiripbot CnC 1"; flow:to_server,established; http.uri; content:"/status"; fast_pattern; http.header; pcre:"/^[a-f0-9]{32}\.org/R"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0)"; startswith; http.host; content:"jdk."; startswith; http.cookie; content:"SSID="; content:"A="; pcre:"/SSID=[0-9]{5}[0-8][01][a-f0-9]{36}/"; reference:url,www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:command-and-control; sid:2021501; rev:5; metadata:created_at 2015_07_21, former_category MALWARE, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible % Encoded Iframe Tag"; flow:established,to_client; content:"%69%66%72%61%6d%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012241; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/"; fast_pattern; pcre:"/\.php\/(?:[a-zA-Z0-9]+\/)+[A-F0-9]{8}$/"; http.header; pcre:"/^User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/mi"; http.request_body; pcre:"/^[\x20-\x7e\s]{0,20}[^\x20-\x7e\s]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:command-and-control; sid:2021520; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag"; flow:established,to_client; content:"%u69%u66%u72%u61%u6d%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012242; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W2KM_BARTALEX Downloading Payload M2"; flow:established,from_server; flowbits:isset,ET.BARTALEX; content:"text/plain|0d 0a 0d 0a|http"; fast_pattern; http.stat_code; content:"200"; file.data; content:"http"; within:4; pcre:"/^s?\x3a\x2f+[^\r\n\s]+\.exe/Ri"; classtype:trojan-activity; sid:2021532; rev:4; metadata:created_at 2015_07_24, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag"; flow:established,to_client; content:"%u6966%u7261%u6d65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012243; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; http.uri; content:".xap"; nocase; fast_pattern; pcre:"/\/\d{2,}\.xap$/i"; classtype:exploit-kit; sid:2018402; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_04_22, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag DriveBy, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible # Encoded Iframe Tag"; flow:established,to_client; content:"#69#66#72#61#6d#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.guardian.co.uk/technology/2008/apr/03/security.google; classtype:bad-unknown; sid:2012244; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup trackip.net"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ip?json"; fast_pattern; http.host; content:"trackip.net"; classtype:external-ip-check; sid:2021550; rev:4; metadata:created_at 2015_07_29, former_category POLICY, updated_at 2020_10_01;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write # Encoding"; flow:established,to_client; content:"#64#6f#63#75#6d#65#6e#74#2e#77#72#69#74#65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012245; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; http.uri; content:".php?id="; fast_pattern; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/"; classtype:trojan-activity; sid:2021552; rev:4; metadata:created_at 2015_07_30, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage"; flow:established,to_client; content:"eval|28|CRYPT.obfuscate|28|"; nocase; fast_pattern; reference:url,research.zscaler.com/2010/05/malicious-hidden-iframes-using-publicly.html; classtype:bad-unknown; sid:2012404; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sakula/Mivast RAT CnC Beacon 7"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?vid="; fast_pattern; pcre:"/\.jpg\?vid=\d+$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/; classtype:command-and-control; sid:2021570; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById|28|"; nocase; content:"id.getAttributeNode|28|"; nocase; distance:0; content:"attribute.childNodes"; nocase; distance:0; content:"document.body.removeChild|28|"; nocase; distance:0; content:"attribute.removeChild|28|"; fast_pattern; nocase; distance:0; reference:bid,40642; reference:cve,2010-1119; classtype:attempted-user; sid:2012509; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Androm.gnlb Checkin"; flow:established,to_server; http.uri; content:"/Count.asp?ver="; fast_pattern; nocase; content:"&mac="; http.header; content:"Content-Length|3a 20|0"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c7e6ebf91c03a2bcaa8053f149870fad; classtype:command-and-control; sid:2021608; rev:4; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2020_10_01;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt"; flow:established,to_client; content:"window.open|28|"; nocase; content:"document.createElement|28|"; nocase; distance:0; content:"document.body.appendChild|28|"; nocase; distance:0; content:"close|28|"; nocase; distance:0; content:"document.cloneNode|28|"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/16979/; classtype:attempted-user; sid:2012511; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/gac/"; fast_pattern; pcre:"/^\/gac\/[a-f0-9]{15}$/"; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Accept-Encoding|3a 20|gzip|0d 0a|"; http.user_agent; content:"|20|Android|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.fortinet.com/post/locker-an-android-ransomware-full-of-surprises; classtype:trojan-activity; sid:2021617; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_08_13, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"<title>MWL</title>"; classtype:bad-unknown; sid:2012530; rev:3; metadata:created_at 2011_03_21, former_category CURRENT_EVENTS, updated_at 2011_03_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak/NeverQuest CnC Beacon"; flow:established,to_server; flowbits:set,ET.Vawtrak; http.method; content:"POST"; http.uri; content:".php?"; content:"/0"; content:"=0000"; fast_pattern; content:"=?"; pcre:"/\.php\?[a-z]+=0000[a-fA-F0-9]{4}&[a-z]+=\?[A-F0-9]+&[a-z]=\d{4}&[a-z]=\d{4}$/"; http.header; content:"Accept"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,1b820dda5833f802be829d468884884e; classtype:command-and-control; sid:2025089; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; content:"AllowScriptAccess"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15698/; classtype:attempted-dos; sid:2012056; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tcp any any -> $HOME_NET 40006 (msg:"ET EXPLOIT [401TRG] HPDM Backdoor Login"; flow:established,to_server; content:"user|00|dm_postgres|00|database|00|hpdmdb|00|"; fast_pattern; reference:url,twitter.com/nickstadb/status/1310853783765815297; classtype:attempted-admin; sid:2030961; rev:2; metadata:created_at 2020_10_02, former_category EXPLOIT, performance_impact Low, updated_at 2020_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"unescape|28|"; nocase; distance:0; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,doc.emergingthreats.net/2010881; classtype:bad-unknown; sid:2010881; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"Launch"; distance:0; content:"Win"; distance:0; content:".exe"; nocase; distance:0; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,doc.emergingthreats.net/2010968; classtype:attempted-user; sid:2010968; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030942; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With eval Function - Possibly Hostile"; flow:established,to_client; content:"PDF-"; depth:300; content:"eval|28|"; nocase; distance:0; reference:url,www.w3schools.com/jsref/jsref_eval.asp; classtype:bad-unknown; sid:2011506; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailgun Phishing Landing"; flow:to_client,established; file.data; content:"<title>Log In to Mailgun"; nocase; content:"function checkUsername()"; nocase; distance:0; content:"function checkPassword()"; nocase; distance:0; content:".php|22|,"; nocase; distance:0; content:"type|3a 20 22|POST|22|,"; nocase; distance:0; content:"data|3a 20|{username|3a 20|$('#username').val(),password|3a|$('#password').val()"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2030943; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2; metadata:created_at 2011_04_28, former_category CURRENT_EVENTS, updated_at 2011_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Sending Debug Messages"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?usid="; fast_pattern; content:"&txt=00"; distance:0; pcre:"/^[0-9a-f]+$/R"; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030954; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:2; metadata:created_at 2011_04_28, former_category CURRENT_EVENTS, updated_at 2011_04_28;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Help and Support Center XSS Attempt"; flow:established,to_client; content:"hcp|3A|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; reference:cve,2010-1885; classtype:attempted-user; sid:2012756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_04_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; content:"|2f 2f|mshtml|2e|dll"; nocase; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030946; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:2101840; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set"; flow:established,to_client; content:"PDF-"; depth:300; content:".ses"; fast_pattern; nocase; distance:0; flowbits:set,ET_Assassin.ses; flowbits:noalert; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:bad-unknown; sid:2012813; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Files"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lup.php?name="; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030956; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:2101735; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt"; flow:established,to_client; content:"COOLNESS"; content:"TRKM"; distance:0; content:"A|00|u|00|d|00|i|00|t|00|i|00|o|00|n|00|"; nocase; distance:0; content:"A|00|u|00|d|00|i|00|o|00 20 00|O|00|u|00|t|00|p|00|u|00|t|00|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file; reference:bid,47838; reference:cve,2011-0615; classtype:attempted-user; sid:2012978; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3; metadata:created_at 2011_06_17, former_category CURRENT_EVENTS, updated_at 2011_06_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System"; flow:to_client,established; content:"<span id=|22|loadspan|22|>Initializing Virus Protection System...</span>"; classtype:bad-unknown; sid:2011343; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt"; flow:established,to_client; content:"document.getElementById(|27|treeset|27|)"; nocase; content:"view.selection"; nocase; distance:0; content:"invalidateRange"; nocase; distance:0; reference:bid,41853; reference:cve,2010-2753; classtype:attempted-user; sid:2013144; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030952; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Compressed Flash Content"; flowbits:noalert; flow:established,to_client; content:"stream"; content:"|0A|CWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)CWS/"; flowbits:set,ET.flash.pdf; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012907; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030953; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:13; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending File Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|file|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030957; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave rcsL Chunk Remote Code Execution Attempt"; flow:established,to_client; content:"rcsL"; content:"|FF F0 02 67|"; fast_pattern; distance:0; reference:url,www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/; reference:bid,42682; reference:cve,2010-2873; classtype:attempted-user; sid:2013069; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Sending Screenshot Upload Progress"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; content:"me="; distance:0; content:"&info=bot|2c 20|src|20|"; distance:0; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, performance_impact Low, signature_severity Major, updated_at 2020_10_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"tSAC|1D 02|"; fast_pattern; content:"|01 00 FF FF 11 11|"; distance:0; reference:url,www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/; classtype:attempted-user; sid:2013070; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_06_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDMonitor Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/data/"; content:".xd"; isdataat:!2,relative; http.user_agent; bsize:17; content:"internet explorer"; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, malware_family XDSpy, signature_severity Major, updated_at 2020_10_02;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of OpenAction"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"OpenAction"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^OpenAction](O|#4F)(p|#70)(e|#65)(n|#6E)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011537; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FinSpy Domain (browserupdate .download in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".browserupdate.download"; endswith; fast_pattern; reference:url,www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/; reference:url,github.com/AmnestyTech/investigations/blob/master/2020-09-25_finfisher/domains.txt; classtype:domain-c2; sid:2030962; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of JS"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JS"; within:2; content:"#"; within:4; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JS](J|#4A)(S|#53)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011535; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt CnC Beacon 3"; flow:established,to_server; urilen:>250; http.method; content:"GET"; http.uri; content:"/r.php?"; fast_pattern; pcre:"/\/r\.php\?[A-F0-9]+=?$/"; http.header; content:"User-Agent|3a 20|"; depth:12; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,0a4d0e5d0b69560414bbd20127bd8176; classtype:command-and-control; sid:2021723; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of EmbeddedFile"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"EmbeddedFile"; within:12; content:"#"; within:34; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^EmbeddedFile](E|#45)(m|#6D)(b|#62)(e|#65)(d|#64)(d|#64)(e|#65)(d#64)(F|#46)(i|#69)(l|#6C)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011530; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Aibatook checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; pcre:"/\.asp$/"; http.request_body; content:"m="; depth:2; content:"AA=="; fast_pattern; pcre:"/^m=(?:[A-Za-z0-9+/]{4}){11}(?:(?:[A-Za-z0-9+/]{4}){6})?AA==/i"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,57a0af91f3b35ef1cf54502e77cc2904; reference:url,www.welivesecurity.com/2014/07/16/win32aibatook/; classtype:command-and-control; sid:2018685; rev:5; metadata:created_at 2014_07_16, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Type"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Type"; within:4; content:"#"; within:11; pcre:"/\x3C\x3C[^>]*\x2F[^Type](T|#54)(y|#79)(p|#70)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011531; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin"; flow:to_server,established; http.uri; content:"/data.php?table="; fast_pattern; content:"&game="; pcre:"/&game=[a-f0-9]{40}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021737; rev:4; metadata:attack_target Mobile_Client, created_at 2015_08_31, former_category MOBILE_MALWARE, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Javascript"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"Javascript"; within:10; content:"#"; within:28; pcre:"/\x3C\x3C[^\n]*\x2F[^Javascript](J|#4A)(a|#61)(v|#76)(a|#61)(S|#73|#53)(c|#63)(r|#72)(i|#69)(p|#70)(t|#74)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011532; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cert.php"; http.request_body; content:"id="; depth:3; content:"&cert="; content:"&priv="; fast_pattern; content:"&flag="; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/; classtype:trojan-activity; sid:2021738; rev:4; metadata:attack_target Mobile_Client, created_at 2015_08_31, former_category MOBILE_MALWARE, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of URL"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"URL"; within:3; content:"#"; within:7; pcre:"/\x3C\x3C[^>]*\x2F[^URL](U|#55)(R|#52)(L|#4C)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011533; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Reconyc.equo Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; content:"&mac="; fast_pattern; content:"&auth="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,32c17edee5b29e41f31eda05e78b2241; classtype:command-and-control; sid:2021744; rev:5; metadata:created_at 2015_09_04, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2; metadata:created_at 2011_07_05, former_category CURRENT_EVENTS, updated_at 2011_07_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AlphaCrypt Connectivity Check 1"; flow:established,to_server; urilen:4; http.uri; content:"/raw"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,d0e3471f4963496cefd73744e98340aa; classtype:trojan-activity; sid:2021775; rev:4; metadata:created_at 2015_09_15, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability"; flow:to_server; content:"GET"; http_method; content:"res|3a|"; http_uri; content:"ieframe.dll"; http_uri; content:"acr_error"; pcre:"/(\&lt\;).+(\&gt\;)/Ui"; reference:bugtraq,28581; reference:url,doc.emergingthreats.net/bin/view/Main/2008170; classtype:web-application-attack; sid:2008170; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; http.uri; content:".php?rnd="; fast_pattern; content:"&id="; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2021786; rev:4; metadata:created_at 2015_09_16, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2; metadata:created_at 2011_07_11, former_category CURRENT_EVENTS, updated_at 2011_07_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Iron Tiger Backdoor.GCloud CnC Beacon"; flow:established,to_server; http.uri; content:"/user?pid="; fast_pattern; content:"&data="; http.user_agent; content:"WinHTTP Example/1.0"; bsize:19; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-iron-tiger.pdf; classtype:command-and-control; sid:2021790; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|D2 60 38 40 BA 03 14 0E|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:bid,40586; reference:cve,2010-1297; classtype:attempted-user; sid:2013281; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upx/"; fast_pattern; pcre:"/\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"User-Agent|3a 20|Mozilla/"; depth:20; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021812; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Koler.C Checkin"; flow:to_server,established; http.uri; content:".php?v="; content:"&brok="; fast_pattern; content:"&u="; content:"&id="; pcre:"/&id=\d{15}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6ae7b0d04e2fd64a50703910d0eff9cc; classtype:trojan-activity; sid:2019510; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_10_27, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer toStaticHTML HTML Sanitizing Information Disclosure Attempt"; flow:established,to_client; content:"toStaticHTML|28|"; fast_pattern; nocase; content:"expression|28|"; nocase; within:150; reference:bid,48199; reference:cve,2011-1252; classtype:attempted-user; sid:2013321; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"P"; depth:1; nocase; content:"myPath =|20|"; nocase; content:"iFold =|20|"; nocase; content:"wallPath =|20|"; nocase; fast_pattern; content:"listPath =|20|"; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021851; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt"; flow:established,to_client; content:".printSeps"; nocase; pcre:"/(this|doc)\x2EprintSeps/i"; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2011910; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Created wallet -|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021855; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M RecursiveFileSearch"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021856; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; content:".addBehavior"; nocase; content:"|23|default|23|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Scan folder|3a 20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021857; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:2103079; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Saved cryptor key -|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021858; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103134; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"|29 20|Encrypt|20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021859; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103133; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Files encrypted,"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021860; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103132; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M STATE|3a 20|CRYPTED_"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021861; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*?<area[\s\n\r]+href=[\x22\x27]file\x3ajavascript\x3a/smi"; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2102437; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Win32/WinPlock.A CnC Beacon 11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?rnd="; http.request_body; content:"P"; depth:1; content:"M Free disk space|3a 20|"; nocase; fast_pattern; pcre:"/^\d+\x20/R"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6f2159e72e7ab7b02e18211ecbed7dd3; reference:url,researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/; classtype:command-and-control; sid:2021862; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2102671; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itms-services|3a|"; http.header; content:"bb800.com|0d 0a|"; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/m"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021901; rev:5; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2102673; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE YiSpecter Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".plist"; pcre:"/\.plist$/"; http.header; content:"bb800.com|0d 0a|"; fast_pattern; pcre:"/^Host\x3a\x20[a-z0-9.]+\.bb800\.com/m"; reference:url,researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/; classtype:trojan-activity; sid:2021900; rev:5; metadata:created_at 2015_10_05, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:2103149; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StartPage Userclass HTTP Request"; flow:established,to_server; urilen:10; http.uri; content:"/Userclass"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent|0d 0a|"; content:!"Referer"; reference:md5,92ecb8cedb226a27e354b45a56f0353f; classtype:trojan-activity; sid:2021922; rev:4; metadata:created_at 2015_10_07, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:2103088; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Kemoge Checkin"; flow:established,to_server; urilen:25; http.method; content:"POST"; http.uri; content:"/getInstalledPackages.jsp"; fast_pattern; http.request_body; content:"sdCardFree="; depth:11; content:"&imei="; distance:0; content:"&hasSd="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html; classtype:trojan-activity; sid:2021928; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_10_08, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2102925; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Nemim Checkin"; flow:to_server,established; http.uri; content:".php?a1="; nocase; fast_pattern; content:"&a2="; nocase; content:"&a3="; nocase; pcre:"/\.php\?a1=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&a2=[a-f0-9]{32}&a3=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/i"; reference:url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve; classtype:command-and-control; sid:2017599; rev:6; metadata:created_at 2013_10_15, former_category MALWARE, updated_at 2020_10_05;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - flickr.com.*"; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"&act="; fast_pattern; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:4; metadata:created_at 2015_10_28, updated_at 2020_10_05;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - picasa.com.*"; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malvertising Malicious PE Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adobe_flashplayer_7.exe"; fast_pattern; reference:md5,d9b91aa8c66c4a701f5558bdca805eec; reference:url,otx.alienvault.com/pulse/5637202b4637f2388aaec61c/; classtype:trojan-activity; sid:2022020; rev:4; metadata:created_at 2015_11_03, updated_at 2020_10_05;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - blogger.com.*"; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MosaicRegressor WinHTTP Downloader)"; flow:established,to_client; tls.cert_subject; content:"CN=ezan.yikongjian.cc"; bsize:21; fast_pattern; tls.cert_issuer; content:"C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA"; bsize:86; reference:url,securelist.com/mosaicregressor/98849/; reference:url,74DB88B890054259D2F16FF22C79144D; classtype:domain-c2; sid:2030963; rev:1; metadata:attack_target Client_and_Server, created_at 2020_10_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - wordpress.com.*"; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Ransom.Win32.Blocker.dham Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ID="; content:"&Serial="; content:"&acao="; content:"&Log="; content:"&PCInfo="; fast_pattern; reference:md5,e15b38251aed80298ba07169eb6ee2fa; classtype:command-and-control; sid:2022091; rev:4; metadata:created_at 2015_11_13, former_category MALWARE, updated_at 2020_10_05;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - img.youtube.com.*"; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Buhtrap CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/menu.php"; fast_pattern; endswith; http.user_agent; content:"rv|3a|20.0"; content:"Firefox/20.0"; distance:0; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,welivesecurity.com/2015/04/09/operation-buhtrap/; reference:md5,24fac66b3a6d55a83e1309bc530b032e; classtype:command-and-control; sid:2020891; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.*"; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MegalodonHTTP/LuciferHTTP Client Action"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?hwid="; fast_pattern; pcre:"/\.php\?hwid=[A-F0-9]{16}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; startswith; reference:md5,966301e88d8a43abe1215413bfd48b09; reference:url,damballa.com/megalodonhttp-botnet-discovered-the-shark-paradox/; reference:md5,d543973bd33d45d515e8dfc251411c4b; classtype:trojan-activity; sid:2022127; rev:4; metadata:created_at 2015_11_23, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|></iframe>"; fast_pattern; content:"<html"; nocase; distance:0; classtype:bad-unknown; sid:2013380; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_10, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matryoshka CnC Beacon 1"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; content:"/img/"; depth:5; content:"/"; distance:32; within:1; content:"/general.png"; endswith; fast_pattern; pcre:"/^\/img\/[a-f0-9]{32}\/[a-f0-9]+\/general\.png$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,9853fc1f4d7ba23d728f4ee80842faf9; reference:url,minerva-labs.com/#!CopyKittens-Attack-Group/c7a5/5655651e0cf20a760c4cae95; classtype:command-and-control; sid:2022146; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt"; flow:established,to_client; content:"QueryInterface|28|Components.interfaces.nsIChannelEventSink|29|"; nocase; content:"onChannelRedirect|28|null"; nocase; distance:0; reference:url,www.mozilla.org/security/announce/2011/mfsa2011-13.html; reference:bid,47635; reference:cve,2011-0065; classtype:attempted-user; sid:2013417; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_08_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST 2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\d+$/"; http.user_agent; content:"Sony|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,f184c13be617754e394ecb8c972c8861; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2022188; rev:4; metadata:created_at 2015_11_26, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; reference:bid,49933; reference:cve,2011-2841; classtype:attempted-user; sid:2013742; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_10_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip2nation.com"; flow:established,to_server; http.host; content:"www.ip2nation.com"; fast_pattern; bsize:17; classtype:external-ip-check; sid:2022222; rev:4; metadata:created_at 2015_12_07, former_category POLICY, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; sid:2011543; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN COMMIX Command injection scan attempt"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"|55 73 65 72 2d 41 67 65 6e 74 3a 20 63 6f 6d 6d 69 78|"; fast_pattern; reference:url,github.com/stasinopoulos/commix/blob/master/README.md; classtype:web-application-activity; sid:2022243; rev:4; metadata:created_at 2015_12_11, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:3; metadata:created_at 2011_12_02, former_category CURRENT_EVENTS, updated_at 2011_12_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:4; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:3; metadata:created_at 2011_12_02, former_category CURRENT_EVENTS, updated_at 2011_12_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (exe) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".exe"; nocase; fast_pattern; classtype:misc-activity; sid:2022264; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2; metadata:created_at 2011_12_30, former_category CURRENT_EVENTS, updated_at 2011_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msi) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msi"; nocase; fast_pattern; classtype:misc-activity; sid:2022265; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2102577; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (msp) unset (no exe)"; flow:to_server,established; flowbits:isset,et.MS.XMLHTTP.no.exe.request; flowbits:unset,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:".msp"; nocase; fast_pattern; classtype:misc-activity; sid:2022266; rev:6; metadata:created_at 2015_12_15, updated_at 2020_10_05;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:4; metadata:created_at 2015_12_16, updated_at 2020_10_05;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"HTTP/1.1 30"; depth:11; content:"clickpayz.com/"; classtype:bad-unknown; sid:2014318; rev:2; metadata:created_at 2012_03_06, former_category CURRENT_EVENTS, updated_at 2012_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ragnarok Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&prv_ip="; fast_pattern; content:".doc"; content:".xls"; content:".ppt"; content:".sql"; content:".pdf"; reference:url,twitter.com/malwrhunterteam/status/1256263426441125888; reference:md5,32ed52d918a138ddad24dd3a84e20e56; classtype:command-and-control; sid:2030117; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Malicious PDF Containing StrReverse"; flow:established,to_client; content:"%PDF-"; content:"StrReverse|28|"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011246; classtype:bad-unknown; sid:2011246; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Internet Explorer)"; flow:established,to_server; http.user_agent; content:"Internet Explorer"; depth:17; endswith; nocase; http.host; content:!"pnrws.skype.com"; content:!"iecvlist.microsoft.com"; content:!".lenovo.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:bad-unknown; sid:2008052; rev:20; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt"; flow:established,to_client; content:"document.getElementById|28 27|tableid|27 29|.cloneNode"; nocase; content:"cells.urns"; nocase; distance:0; content:"cells.item"; nocase; distance:0; reference:url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-002; reference:bid,37894; reference:cve,2010-0248; classtype:attempted-user; sid:2014463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Evil Macro Downloading Trojan Dec 16 2015 Post to EXE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/^[\x2fa-z\d]+\.exe$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|Connection|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022270; rev:4; metadata:created_at 2015_12_17, former_category CURRENT_EVENTS, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ProPoS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Pro PoS"; fast_pattern; startswith; http.accept; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.talosintel.com/2015/12/pro-pos.html; classtype:command-and-control; sid:2022282; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Action"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Action"; within:6; content:"#"; within:16; pcre:"/\x2F(?!Action)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|#6E)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011529; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Acecard.c  Checkin"; flow:to_server,established; urilen:1; http.method; content:"POST"; nocase; http.request_body; content:"{|22|type|22 3a|"; depth:8; content:",|22|text|22 3a|"; content:",|22|code|22 3a|"; fast_pattern; content:",|22|from|22 3a|"; content:"|22|}"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:url,b0n1.blogspot.com.br/2015/11/android-malware-drops-banker-from-png.html?m=1; reference:url,fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022137; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_11_24, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_05, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of Pages"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Pages"; within:5; content:"#"; within:13; pcre:"/\x2F(?!Pages)(P|#40)(a|#61)(g|#67)(e|#65)(s|#73)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011536; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IOS Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".ipa"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022296; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation"; flow:to_client,established; content:"|0d 0a 0d 0a|PDF-"; content:"/"; distance:0; content:!"Launch"; within:6; content:"#"; within:16; content:".exe"; nocase; distance:0; pcre:"/\x2F(?!Launch)(L|#4C)(a|#61)(u|#75)(n#6E)(c|#63)(h|#68).+\x2F(W|#57)(i|#69)(n|#6E).+\x2Eexe/sm"; reference:url,www.kb.cert.org/vuls/id/570177; reference:url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html; reference:url,www.sudosecure.net/archives/673; reference:url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html; reference:url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/; reference:url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011329; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Download from Vshare Marketplace (Possible DarkSideLoading)"; flow:to_server,established; http.uri; content:".apk"; nocase; http.host; content:"appvv.com"; endswith; fast_pattern; classtype:policy-violation; sid:2022297; rev:4; metadata:created_at 2015_12_22, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:exploit-kit; sid:2014895; rev:2; metadata:created_at 2012_06_15, former_category CURRENT_EVENTS, updated_at 2012_06_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; http.uri; content:"/444.jpg"; fast_pattern; http.host; content:"postimg.org"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:7; metadata:created_at 2014_01_28, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Htbot.B Checkin"; flow:to_server,established; http.uri; content:".php?command="; fast_pattern; pcre:"/\.php\?command=(?:g(?:hl|et(?:ip|id|backconnect))|update2?|dl|log)(?:$|&)/"; http.user_agent; content:"pb"; bsize:2; reference:md5,bdd2328d466e563a650bb7ccdb9aca79; reference:md5,ba1404af71ecf3ca8b0e30a2b365f6fd; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FHtbot.B; classtype:command-and-control; sid:2020089; rev:6; metadata:created_at 2015_01_05, former_category MALWARE, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Downloader fake image zip"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".zip"; endswith; nocase; fast_pattern; pcre:"/\.(?:gif|jpe?g)\.zip$/i"; http.content_type; content:"text/plain|3b 20|Charset=UTF-8"; bsize:25; reference:md5,7b678a25c533652dbb0c2a2ac37cf1e3; classtype:trojan-activity; sid:2022334; rev:4; metadata:created_at 2016_01_06, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2; metadata:created_at 2012_06_26, former_category CURRENT_EVENTS, updated_at 2012_06_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC"; flow:established,to_server; flowbits:set,ET.And.CruseWin; flowbits:noalert; http.uri; content:"/flash/test.xml"; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html; classtype:command-and-control; sid:2013193; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_05, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL Linux/Torte Uploaded"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"JGVudiA9ICJYRFZTTl9TRVNTSU9OX0NPT0tJR"; fast_pattern; content:"eval(base64_decode($_REQUEST["; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:attempted-admin; sid:2022359; rev:4; metadata:created_at 2016_01_13, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Checkin"; flow:established,to_server; http.uri; content:"/logo.gif?sessd="; fast_pattern; content:"&sessc="; content:"&sessk="; distance:0; http.header; pcre:"/^(?:zh-CN|en-US)\x3b rv\x3a1\.7\.6\)\r\n/R"; http.user_agent; content:"Mozilla/5.0 (Windows|3b 20|U|3b 20|Windows NT 5.1|3b 20|"; startswith; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:command-and-control; sid:2022358; rev:5; metadata:created_at 2016_01_13, former_category MALWARE, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL JSP/Backdoor Shell Access"; flow:established,to_server; http.uri; content:".war?cmd="; fast_pattern; content:"&winurl="; content:"&linurl="; pcre:"/\.war\?cmd=[a-zA-Z0-9+/=]+&winurl=[a-zA-Z0-9+/=]*&linurl=[a-zA-Z0-9+/=]*/"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:successful-admin; sid:2022348; rev:5; metadata:created_at 2016_01_12, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2; metadata:created_at 2012_07_25, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - ip.tyk.nu"; flow:established,to_server; urilen:1; http.host; content:"ip.tyk.nu"; fast_pattern; bsize:9; classtype:external-ip-check; sid:2022368; rev:4; metadata:created_at 2016_01_14, former_category POLICY, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3; metadata:created_at 2012_07_31, former_category CURRENT_EVENTS, updated_at 2012_07_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tabDialog.html?dialog=login"; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:social-engineering; sid:2022374; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_01_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6; metadata:created_at 2011_06_10, former_category CURRENT_EVENTS, updated_at 2011_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup - meuip.net.br"; flow:established,to_server; http.host; content:"meuip.net.br"; fast_pattern; bsize:12; classtype:external-ip-check; sid:2022405; rev:4; metadata:created_at 2016_01_25, former_category POLICY, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow"; flow:established,to_client; content:"|0d 0a 0d 0a|PDF-"; content:"|2f|Title"; nocase; distance:0; isdataat:540,relative; content:!"|0A|"; within:540; reference:url,www.exploit-db.com/exploits/15532/; classtype:attempted-user; sid:2012064; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_17, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; http.uri; content:"/?keyword="; fast_pattern; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/"; classtype:exploit-kit; sid:2022493; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_06, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_10_05;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10; metadata:created_at 2012_08_23, former_category WEB_CLIENT, updated_at 2012_08_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen CnC HTTP Pattern"; flow:established,to_server; http.method; content:"GET"; http.uri; content:",0x"; fast_pattern; pcre:"/(?:,0x[0-9a-f]{2}){10}$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,8df8d0cd70f96538211c65fb6361704d; classtype:command-and-control; sid:2022494; rev:4; metadata:created_at 2016_02_08, former_category MALWARE, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 1"; flow:established,to_server; urilen:11; http.method; content:"GET"; http.uri; content:"/flamme.php"; fast_pattern; http.header; content:"Cache-Control|3a 20|no-cache"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; http.connection; content:"Keep-Alive"; bsize:10; classtype:command-and-control; sid:2022495; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_02_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Microsoft"; nocase; content:"/default.asp"; distance:0; content:"?tmp="; fast_pattern; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:command-and-control; sid:2018554; rev:6; metadata:created_at 2014_06_11, former_category MALWARE, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_07_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep HTTP POST CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?"; fast_pattern; pcre:"/\.php(?:\?[a-zA-Z0-9=&]+)?$/"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?(?:Content-Type\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+\.php[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; http.cookie; content:"PHPSESSID="; pcre:"/(?:[a-z]+=\d{3,4}\x3b\x20){4}/"; http.request_body; pcre:"/^[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})(?:&[a-z]+\d*=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})){2,}$/"; http.accept; content:"text/html, application/xhtml+xml, */*"; bsize:37; classtype:command-and-control; sid:2021718; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2; metadata:created_at 2012_12_13, former_category CURRENT_EVENTS, updated_at 2012_12_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton Checkin"; flow:to_server,established; http.uri; content:".php?ch="; fast_pattern; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-length|3a 20|0|0d 0a|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022676; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 1"; flow:to_server,established; http.request_body; content:"task=report&id="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022677; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware/Coverton CnC 2"; flow:to_server,established; http.request_body; content:"task=knock&pub="; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c5c4f4860c69ea7469ca3be3caf5bf18; classtype:command-and-control; sid:2022678; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:exploit-kit; sid:2016128; rev:2; metadata:created_at 2012_12_29, former_category CURRENT_EVENTS, updated_at 2012_12_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.TreasureHunter Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; content:"request=true"; fast_pattern; http.request_body; content:"request="; depth:8; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; reference:md5,070e9a317ee53ac3814eb86bc7d5bf49; reference:url,isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/; classtype:command-and-control; sid:2022681; rev:3; metadata:created_at 2016_03_29, former_category MALWARE, updated_at 2020_10_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_02_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-sale.com"; bsize:18; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030969; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_10_06, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_04_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".html"; nocase; fast_pattern; pcre:"/\/\d{8,10}\.html$/i"; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:!"www.youdao.com"; startswith; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,cfa7954722d4277d26e96edc3289a4ce; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021276; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 1"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"4BF0D1BD8B85D111B16A00C0F0283628"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025082; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Lookup via dawhois.com"; flow:established,to_server; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; classtype:external-ip-check; sid:2022687; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 2"; flow:from_server,established; flowbits:isset,ETPRO.RTF; file_data; content:"|5c|object"; distance:0; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"E0F56B9944805046ADEB0B013914E99C"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion External IP Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; bsize:11; http.host; content:"www.dawhois.com"; fast_pattern; bsize:15; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:external-ip-check; sid:2022688; rev:4; metadata:created_at 2016_03_30, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download with vulnerable ActiveX control flowbit set 3"; flow:from_server,established; flowbits:isset,ETPRO.RTF; content:"|5c|object"; content:"|5c|objocx"; distance:0; content:"|5c|objdata"; distance:0; content:"5FDC81917DE08A41ACA68EEA1ECB8E9E"; distance:0; flowbits:set,ETPRO.RTF.OBJ; flowbits:noalert; reference:cve,2012-0158; classtype:attempted-user; sid:2025084; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_04_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag ActiveX, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; http.request_body; content:"|40 24|"; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/s"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:command-and-control; sid:2022689; rev:4; metadata:created_at 2016_03_30, former_category MALWARE, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_27, former_category CURRENT_EVENTS, updated_at 2012_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; http.uri; content:".php?"; content:"co"; content:"untry="; content:"phone="; content:"&op="; content:"imei="; fast_pattern; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017588; rev:8; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, former_category CURRENT_EVENTS, updated_at 2013_05_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST Keepalive"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".asp"; http.header; content:"Content-Length|3a 20|2|0d 0a|"; fast_pattern; http.request_body; content:"ok"; depth:2; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d579d7a42ff140952da57264614c37bc; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; classtype:trojan-activity; sid:2022363; rev:5; metadata:created_at 2016_01_13, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.XST/UP007 Keepalive 2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.method; content:"POST"; http.uri; content:".asp"; http.header; content:"Content-Length|3a 20|5|0d 0a|"; fast_pattern; http.request_body; content:"READY"; depth:5; http.content_type; content:"text/html"; bsize:9; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; classtype:trojan-activity; sid:2022750; rev:4; metadata:created_at 2016_04_20, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:2; metadata:affected_product Any, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_07_09, deployment Perimeter, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, tag Wordpress, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanDownloader.Banload.XDL Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/okok/Notify.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; reference:md5,70adf5506c767590e11bdc473c91bb38; classtype:command-and-control; sid:2022754; rev:4; metadata:created_at 2016_04_22, former_category MALWARE, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; nocase; http.header; content:"Authorization|3a 20|Basic"; http.request_body; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; fast_pattern; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:4; metadata:created_at 2016_04_25, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3; metadata:created_at 2013_06_19, former_category CURRENT_EVENTS, updated_at 2013_06_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer Data Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ga.php?analytic=WyJ1cmwl"; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030979; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2; metadata:attack_target Client_Endpoint, created_at 2013_07_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Ransomware, updated_at 2013_07_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3718 SSRF Inbound (mvg + fill + url)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"fill"; content:"url("; distance:0; nocase; pcre:"/^\s*https?\x3a\/\//Ri"; classtype:web-application-attack; sid:2022791; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3715 File Deletion Inbound (ephermeral:+ mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"ephemeral"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022792; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3716 Move File Inbound (msl: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"msl"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022793; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3717 Local File Read Inbound (label: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"label"; nocase; pcre:"/^\s*\x3a\s*\x40/Ri"; classtype:web-application-attack; sid:2022794; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:2; metadata:created_at 2013_07_24, former_category CURRENT_EVENTS, updated_at 2013_07_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/"; http.header; content:"Range"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; classtype:trojan-activity; sid:2022500; rev:7; metadata:created_at 2016_02_10, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality-GR Checkin 2"; flow:to_server,established; http.uri; content:".png?"; fast_pattern; pcre:"/\.png\x3f[0-9a-f]{4,8}\x3d\d+?$/"; http.header_names; content:!"Accept"; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:md5,99d614964eafe83ec4ed1a4537be35b9; classtype:command-and-control; sid:2022804; rev:4; metadata:created_at 2016_05_13, former_category MALWARE, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enfal CnC POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; fast_pattern; endswith; http.header; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:md5,f1b341d3383b808ecfacfa22dcbe9196; classtype:command-and-control; sid:2021079; rev:5; metadata:created_at 2015_05_09, former_category MALWARE, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2; metadata:created_at 2013_07_30, former_category CURRENT_EVENTS, updated_at 2013_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; pcre:"/https\x3a.+(?<!\x5c)(:[\x22\x27]|\\x2[27])\s*?[\x3b&\x7c><].*?(:[\x22\x27]|\\x2[27])/si"; classtype:web-application-attack; sid:2022789; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_08_12, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)"; flow:established,to_server; http.request_body; content:"<svg|20|"; nocase; fast_pattern; content:"xlink"; nocase; pcre:"/xlink\s*?\x3a\s*?href\s*?=\s*?(:[\x22\x27]|\\x2[27])https.+?&quot\s*?\x3b(?:\x7c|&(?:[gl]t|amp)\s*?\x3b)/si"; classtype:web-application-attack; sid:2022790; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6; metadata:created_at 2012_08_29, former_category CURRENT_EVENTS, updated_at 2012_08_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b|)"; http.accept; content:"*/*"; bsize:3; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:4; metadata:created_at 2016_05_19, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; threshold: type both, track by_src, count 15, seconds 30; http.referer; content:"/slowhttptest/"; fast_pattern; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:6; metadata:created_at 2012_01_10, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M1"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022848; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:6; metadata:created_at 2013_08_26, former_category CURRENT_EVENTS, updated_at 2013_08_26;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M2"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 22 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022849; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2; metadata:created_at 2013_09_24, former_category CURRENT_EVENTS, updated_at 2013_09_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Email Login Phish 2016-06-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?userid="; fast_pattern; http.request_body; content:"email="; nocase; depth:6; content:"&passwd="; nocase; distance:0; content:"&Submit=Sign+In"; nocase; distance:0; classtype:credential-theft; sid:2032682; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M1"; flow:to_server,established; urilen:5; http.method; content:"GET"; http.uri; content:"/EPWD"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022851; rev:4; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; file_data; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_23, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luminosity RAT Possible Module Download M2"; flow:to_server,established; urilen:4; http.method; content:"GET"; http.uri; content:"/PWD"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,7a7776473db6e4b6ac90a4b1da4b50d4; classtype:trojan-activity; sid:2022852; rev:4; metadata:created_at 2016_06_02, updated_at 2020_10_06;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:exploit-kit; sid:2017592; rev:1; metadata:created_at 2013_10_15, former_category CURRENT_EVENTS, updated_at 2013_10_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".pdf/?"; fast_pattern; pcre:"/\.pdf\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023912; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:exploit-kit; sid:2017621; rev:3; metadata:created_at 2013_10_21, former_category CURRENT_EVENTS, updated_at 2013_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".zip/?"; fast_pattern; pcre:"/\.zip\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023913; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:2; metadata:created_at 2013_11_04, former_category CURRENT_EVENTS, updated_at 2013_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".htm/?"; fast_pattern; pcre:"/\.htm\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023914; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:5; metadata:created_at 2013_11_08, former_category CURRENT_EVENTS, updated_at 2013_11_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 SEDNIT Variant CnC Beacon 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".xml/?"; fast_pattern; pcre:"/\.xml\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c2988e3e4f70d5901b234ff1c1363dcc; classtype:targeted-activity; sid:2023915; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:exploit-kit; sid:2017698; rev:2; metadata:created_at 2013_11_09, former_category CURRENT_EVENTS, updated_at 2013_11_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup ip-score.com"; flow:established,to_server; http.host; content:"ip-score.com"; fast_pattern; bsize:12; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2022892; rev:4; metadata:created_at 2016_06_13, former_category POLICY, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016860; rev:18; metadata:created_at 2013_05_17, former_category CURRENT_EVENTS, updated_at 2013_05_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; http.uri; content:".jpg?"; fast_pattern; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header; content:"Range"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022895; rev:4; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017116; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRatReporter check-in"; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php?filename="; fast_pattern; http.header; content:"Accept: */*"; http.accept_enc; content:"utf-8"; bsize:5; http.header_names; content:!"Referer"; content:!"Content-Type"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022903; rev:4; metadata:created_at 2016_06_15, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:exploit-kit; sid:2016090; rev:3; metadata:created_at 2012_12_28, former_category CURRENT_EVENTS, updated_at 2012_12_28;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Continuum Arbitrary Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/saveInstallation.action"; fast_pattern; http.request_body; content:"&installation.varValue="; content:"|25|60"; classtype:attempted-user; sid:2022912; rev:4; metadata:created_at 2016_06_22, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2013_12_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit Connectivity Check 0 Byte POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"=http"; content:"/?"; pcre:"/\.[a-z]{3,4}\/\?[A-Za-z0-9]+=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0D 0A|"; fast_pattern; http.host; content:"google."; within:10; pcre:"/^(?:www\.)?google(?:\.[a-z]{2,3})+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used; classtype:targeted-activity; sid:2021506; rev:6; metadata:created_at 2015_07_22, former_category MALWARE, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_01_04, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SFG Client Information POST"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".log"; pcre:"/\.log$/"; http.host; content:"nullptr"; fast_pattern; bsize:7; reference:url,sentinelone.com/blogs/sfg-furtims-parent/; classtype:trojan-activity; sid:2022963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_13, deployment Perimeter, malware_family Futrim, malware_family SFG, signature_severity Major, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2014_01_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server; http.uri; content:!".exe"; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/"; http.user_agent; content:"Microsoft BITS"; startswith; fast_pattern; http.host; content:!".microsoft.com"; endswith; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2022_04_18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Default SSL Cert"; flow:established,from_server; content:"|0b|Bovine Land"; fast_pattern; content:"|1e|Browser Exploitation Framework"; classtype:attempted-user; sid:2018089; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Lady CnC Beacon 1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pm.sh?"; fast_pattern; pcre:"/^\/pm\.sh\?\d+$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,86ac68e5b09d1c4b157193bb6cb34007; reference:url,vms.drweb.com/virus/?_is=1&i=8400817; classtype:command-and-control; sid:2023034; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category MALWARE, malware_family Linux_Lady, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.execute"; pcre:"/^\s*?\(/Rs"; threshold: type limit, track by_src, seconds 300, count 1; classtype:attempted-user; sid:2018090; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dw.php"; fast_pattern; endswith; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, malware_family MONSOON, malware_family Tinytyphon, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET WEB_CLIENT Wordpress possible Malicious DNS-Requests - photobucket.com.*"; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_04, deployment Datacenter, former_category WEB_CLIENT, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Monsoon Tinytyphon CnC Beacon Exfiltrating Docs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"name=|22|MD5|22|"; content:"name=|22|fname|22|"; distance:0; content:"name=|22|compname|22|"; distance:0; content:"name=|22|uploadedfile|22 3b|"; fast_pattern; reference:md5,f32c5a923393a2ae2fcd292f299b63b1; reference:url,blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign; classtype:command-and-control; sid:2023050; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3; metadata:created_at 2014_02_11, former_category CURRENT_EVENTS, updated_at 2014_02_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern; classtype:social-engineering; sid:2023068; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:3; metadata:created_at 2013_09_20, former_category CURRENT_EVENTS, updated_at 2013_09_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Curso Banker.BR Checkin"; flow:established,to_server; http.uri; content:".asp?m="; fast_pattern; content:"&v="; pcre:"/\.asp\?m=(?:INS|UAC)(?:&p=&a=)?&i=201\d{11}&/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-new-technique-to-take-advantage-of-2016-olympics/; reference:md5,bd389eb9cf03e55013eaf07970288f08; classtype:command-and-control; sid:2023081; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:3; metadata:created_at 2014_02_28, former_category CURRENT_EVENTS, updated_at 2014_02_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible HTA Application Download"; flow:established,to_server; flowbits:set,ET.HTA.Download; http.method; content:"GET"; http.uri; content:".hta"; nocase; fast_pattern; endswith; http.host; content:!"kaspersky.com"; endswith; reference:url,www.trustedsec.com/july-2015/malicious-htas/; classtype:bad-unknown; sid:2022520; rev:6; metadata:created_at 2016_02_15, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:2; metadata:created_at 2014_03_06, former_category CURRENT_EVENTS, updated_at 2014_03_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Team IPwned Phishing Landing 2016-08-24"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"teamipwned"; fast_pattern; content:"data-shortuserid=|22|teamipwned|22|"; nocase; content:"data-userid=|22|teamipwned|22|"; nocase; distance:0; content:"value=|22|IPwned|22|"; nocase; distance:0; classtype:social-engineering; sid:2032693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:exploit-kit; sid:2018236; rev:2; metadata:created_at 2014_03_08, former_category CURRENT_EVENTS, updated_at 2014_03_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET MALWARE PNScan.2 Inbound Status Check - set"; flow:established,to_server; urilen:6; flowbits:set,ET.PNScan.2; flowbits:noalert; http.uri; content:"/check"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023087; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-1761 HTTP"; flow:from_server,established; file_data; content:"{|5c|rt{"; content:"|5c|objocx|5c|"; distance:0; content:"MSComctlLib."; content:"|5c|u-554"; fast_pattern; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; content:"|5c|u-554"; distance:0; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018313; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_25, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET 9000 -> $EXTERNAL_NET any (msg:"ET MALWARE PNScan.2 Inbound Status Check Response"; flow:established,from_server; flowbits:isset,ET.PNScan.2; http.header; content:"Content-Length|3a 20|12|0d 0a|"; file.data; content:"{|22|status|22 3a|1}"; fast_pattern; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:trojan-activity; sid:2023088; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, malware_family PNScan_2, performance_impact Low, signature_severity Major, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10; metadata:created_at 2014_04_04, former_category CURRENT_EVENTS, updated_at 2014_04_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/srv_report?ver="; fast_pattern; pcre:"/\?ver=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023090; rev:4; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3; metadata:created_at 2014_02_20, former_category CURRENT_EVENTS, updated_at 2014_02_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 9000 (msg:"ET MALWARE PNScan.2 CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?ver="; fast_pattern; pcre:"/^\/(?:i686|arm|mips(?:el)?)\?ver=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html; reference:url,vms.drweb.com/virus/?_is=1&i=7299536; classtype:command-and-control; sid:2023089; rev:5; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2016_08_25, deployment Perimeter, deployment Datacenter, former_category MALWARE, malware_family PNScan_2, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow"; flow:to_client,established; flowbits:isset,NtDll.ImageBase.Module.Called; content:"ZwProtectVirtualMemory|22|"; content:"strDup|28|"; distance:0; content:"<object|20|"; distance:0; content:"application|2f|x|2d|java|2d|applet"; within:35; content:"|3c|param|20|name"; distance:0; content:"|22|launchjnlp|22|"; within:20; content:"|3c|param|20|name"; distance:0; content:"|22|docbase|22|"; within:20; content:"|3c|fieldset|3e 3c|legend|3e|"; distance:0; content:"object"; within:10; content:"|2e|innerHTML"; distance:0; reference:url,www.exploit-db.com/exploits/15241/; reference:cve,2010-3552; reference:bid,44023; classtype:attempted-user; sid:2012100; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_12_22, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pegasus/Trident Related HTTP Beacon 3"; flow:established,to_server; http.uri; content:"/final111?&nocache="; fast_pattern; reference:url,citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/; classtype:trojan-activity; sid:2023133; rev:5; metadata:affected_product iOS, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category MALWARE, malware_family Pegasus_Trident, malware_family NSO, signature_severity Major, tag c2, updated_at 2020_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Base64 Encoded Java Value"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"<value="; distance:0; pcre:"/\x3Cvalue\x3D\x22([a-z0-9+/]{4})*(?:[a-z0-9+/]{2}==|[a-z0-9+/]{3}=)/smi"; reference:url,vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html; classtype:bad-unknown; sid:2018447; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_05_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:attempted-admin; sid:2030964; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:2; metadata:created_at 2014_06_02, former_category CURRENT_EVENTS, updated_at 2014_06_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"NotRift/"; depth:8; fast_pattern; nocase; classtype:web-application-attack; sid:2030965; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:4; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2014_02_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Google Adwords Conversion not from Google"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pagead/conversion_async.js"; endswith; fast_pattern; http.host; content:!"googleadservices.com"; content:!"doubleclick.net"; content:!"google.com"; classtype:bad-unknown; sid:2030980; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5; metadata:created_at 2014_06_20, former_category CURRENT_EVENTS, updated_at 2014_06_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Card Skimmer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".tags-manager.com"; endswith; fast_pattern; reference:url,blogs.akamai.com/2020/11/a-new-skimmer-uses-websockets-and-a-fake-credit-card-form-to-steal-sensitive-data.html; classtype:domain-c2; sid:2031205; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2022_03_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4; metadata:created_at 2014_05_08, former_category CURRENT_EVENTS, updated_at 2014_05_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fullz House Credit Card Skimmer JavaScript Inbound"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"var SendFlag = []|3b 0a|function Base64Function(e) {|0d|"; startswith; fast_pattern; content:"|0a|function SendData(vals){|0a|"; distance:0; content:"var b = document.createElement|28 22|img|22 29 3b|b.width = |22|1px|22 3b|b.height = |22|1px|22 3b 20|b.id = img_id|3b|b.src = atob|28 22|"; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:command-and-control; sid:2030981; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_10_06;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:exploit-kit; sid:2018493; rev:4; metadata:created_at 2014_05_21, former_category CURRENT_EVENTS, updated_at 2014_05_21;)
 
-alert udp $HOME_NET !9987 -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:13; metadata:created_at 2012_05_04, updated_at 2022_04_18;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:5; metadata:created_at 2014_07_16, former_category CURRENT_EVENTS, updated_at 2014_07_16;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:10; metadata:created_at 2012_05_04, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; content:!"7PYqwfzt"; depth:8; content:!"r6fnvWj8"; depth:8; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:10; metadata:created_at 2012_05_04, updated_at 2020_10_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=z55gc.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2030988; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:5; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Pony Variant FOX Reporting Adfraud Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php/data"; fast_pattern; pcre:"/\.php\/data$/"; http.request_body; content:"http|3a 2f 2f|"; offset:20; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cdfb7e5544c9aa49c17217fdfe04e854; reference:url,malware.dontneedcoffee.com/2016/09/fox-stealer-another-pony-fork.html; classtype:trojan-activity; sid:2023293; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_08, deployment Perimeter, malware_family Pony, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4; metadata:created_at 2013_07_23, former_category CURRENT_EVENTS, updated_at 2013_07_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot URI Struct"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/catalog/"; fast_pattern; pcre:"/\/catalog\/\d{3,}$/"; http.header; content:!"nap.edu|0d 0a|"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,b8e0b97c8e9faa6e5daa8f0cac845516; classtype:trojan-activity; sid:2019458; rev:5; metadata:created_at 2014_10_17, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit Web Clone code detected"; flow:established,from_server; file_data; content:"|3c|param name=|22|"; content:"value=|22|nix.bin|22 3e|"; distance:0; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018972; rev:2; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Anuna PHP Backdoor Attempt"; flow:established,to_server; flowbits:set,ET.Anuna.Backdoor; http.uri; content:".php?cookie=1"; fast_pattern; pcre:"/\.php\?cookie=1$/"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023305; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2016_09_28, deployment Perimeter, malware_family Anuna, signature_severity Major, updated_at 2020_10_07;)
+#alert tcp $EXTERNAL_NET [!21,!22,!23,!2100,!3535] -> $HOME_NET 1024:65535 (msg:"ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID Overflow CVE-2014-3466"; flow:established,to_client; content:"|16 03|"; depth:2; byte_test:1,<,4,2; content:"|02|"; distance:3; within:1; content:"|03|"; distance:3; within:1; byte_test:1,<,4,0,relative; byte_test:4,>,1370396981,1,relative; byte_test:4,<,1465091381,1,relative; byte_test:1,>,32,33,relative; reference:url,radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/; reference:cve,2014-3466; classtype:attempted-user; sid:2018537; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_06_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Aerial Keylogger DNS Request"; dns.query; content:"aerial-keylogger.com"; nocase; endswith; classtype:trojan-activity; sid:2030983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Major, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"SING"; distance:0; content:"|01 00 01 0E|"; within:100; content:"|00 3A|"; within:100; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html; reference:cve,2010-2883; classtype:attempted-user; sid:2011501; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Citadel Checkin"; flow:established,to_server; flowbits:set,et.citadel; http.method; content:"POST"; http.uri; content:"/file.php"; fast_pattern; pcre:"/^\/[A-Za-z0-9]+?\/file\.php$/"; http.header; content:"Content-Length|3a 20|128|0d 0a|"; nocase; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|"; depth:25; http.header_names; content:!"Referer"; reference:md5,280ffd0653d150906a65cd513fcafc27; reference:md5,f1c8cc93d4e0aabd4713621fe271abc8; reference:url,arbornetworks.com/asert/2014/06/the-citadel-and-gameover-campaigns-of-5cb682c10440b2ebaf9f28c1fe438468/; classtype:command-and-control; sid:2018598; rev:5; metadata:created_at 2014_06_24, former_category MALWARE, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC)"; flow:from_server,established; file_data; content:"position|3A|absolute|3B|"; content:"clip|3A|"; within:20; content:"rect|28|0|29|"; fast_pattern; within:20; reference:url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html; reference:url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks; reference:url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html; reference:url,www.offensive-security.com/0day/ie-0day.txt; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb; classtype:attempted-user; sid:2011892; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Request for Pdf.exe Observed in Zeus/Luminosity Link"; flow:established,to_server; http.uri; content:"/pdf.exe"; fast_pattern; classtype:trojan-activity; sid:2018080; rev:6; metadata:created_at 2014_02_05, former_category MALWARE, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_06, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptFile2 Ransomware Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20 70 6f 73 74 5f 65 78 61 6d 70 6c 65|"; fast_pattern; http.request_body; content:"=0x"; content:"|2c|0x"; distance:2; within:5; content:"|3c 62 72 3e|"; distance:0; reference:md5,ad2c80611ebc7f6d45bd3e46de38b776; reference:md5,5bb7d85f7a5f1d2b01efabe5635e2992; classtype:command-and-control; sid:2023397; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family CryptFile2, signature_severity Major, tag Ransomware, updated_at 2020_10_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.science) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".science"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023454; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Windows Media component specific exploit"; flow:established,to_client; content:"bang()"; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_01_28, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.top) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".top"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023455; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/^\d+&w=\d+&ua=.+&e=1$/UR"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:3; metadata:created_at 2014_09_29, former_category CURRENT_EVENTS, updated_at 2014_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.stream) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".stream"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023456; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:3; metadata:created_at 2014_09_30, former_category CURRENT_EVENTS, updated_at 2014_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.download) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".download"; fast_pattern; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023457; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.biz) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".biz"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023459; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:exploit-kit; sid:2019375; rev:4; metadata:created_at 2014_10_09, former_category CURRENT_EVENTS, updated_at 2014_10_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.accountant) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".accountant"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023460; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2; metadata:created_at 2014_10_30, former_category CURRENT_EVENTS, updated_at 2014_10_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.click) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".click"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023461; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding"; flow:established,to_client; content:"%70%61%72%73%65%49%6e%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012260; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.link) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".link"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023462; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding"; flow:established,to_client; content:"%u70%u61%u72%u73%u65%u49%u6e%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012261; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.win) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".win"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023463; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, former_category INFO, signature_severity Minor, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding"; flow:established,to_client; content:"%u7061%u7273%u6549%u6e74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.w3schools.com/jsref/jsref_parseInt.asp; classtype:bad-unknown; sid:2012262; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Tor Module Download"; flow:established,to_server; http.uri; content:"/tor/"; fast_pattern; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/i"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_01, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding"; flow:established,to_client; content:"%3c%73%63%72%69%70%74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012263; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M1"; flow:to_server,established; urilen:1; content:"PP|3b 20|nhash="; fast_pattern; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|nhash="; distance:0; content:"|3b 20|chash="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023477; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"redim|25|"; nocase; fast_pattern; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; content:"redim|25|"; nocase; distance:0; pcre:"/^(?:25)?20(?:\x25(?:25)?20|\s)*?Preserve/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019732; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Moose CnC Response"; flow:from_server,established; content:"PP|3b 20|expires="; fast_pattern; http.stat_code; content:"200"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|expires="; distance:0; content:"WL="; content:"PP|3b 20|expires="; distance:0; http.content_type; content:"text/html"; startswith; file.data; content:"<html><body><h1>It works!</h1>"; nocase; depth:30; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023478; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Hidden Embedded File"; flow:established,to_client; flowbits:isset,ET.pdf.in.http; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/Embeddedfile"; distance:0; pcre:"/\x3C\x3C[^>]*\x2FEmbeddedfile/sm"; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:bad-unknown; sid:2019850; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda - Sakula/Mivast RAT CnC Beacon 5"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg?id="; fast_pattern; pcre:"/\.jpg\?id=\d+$/"; http.header; content:!"tagesschau.de"; http.user_agent; content:!"ClipOrganizer"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2021203; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:2; metadata:created_at 2014_12_16, former_category CURRENT_EVENTS, updated_at 2014_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sednit/APT28/Sofacy Delphocy CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"as_q="; content:"as_ft="; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.welivesecurity.com/post_paper/en-route-with-sednit-part-3-a-mysterious-downloader/; classtype:targeted-activity; sid:2023486; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Sofacy, malware_family Sednit_Delphocy, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2; metadata:created_at 2014_12_17, former_category CURRENT_EVENTS, updated_at 2014_12_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Trojan.HiddenApp.OU Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/NotifyLog"; fast_pattern; pcre:"/\/NotifyLog$/"; http.user_agent; content:"|20|Android|20|"; http.request_body; content:"{|22|ClientId|22 3a|"; depth:12; content:",|22|Date|22 3a|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,3c1055f19971d580ef9ced172d8eba3b; reference:url,rednaga.io/2016/11/14/hackingteam_back_for_your_androids/; classtype:trojan-activity; sid:2023508; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_15, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Download Redirection Dec 18 2014"; flow:established,from_server; file_data; content:"<br><meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; pcre:"/^[^\x2f\x22]+?\x22>/R"; classtype:trojan-activity; sid:2019970; rev:2; metadata:created_at 2014_12_18, former_category CURRENT_EVENTS, updated_at 2014_12_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android Adups Firmware Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"{|22|dc_date|22 3a|"; depth:11; content:",|22|dc_type|22 3a|"; fast_pattern; content:",|22|keyword|22 3a|"; content:",|22|md5|22 3a|"; content:",|22|msg_date|22 3a|"; content:",|22|msg_type|22 3a|"; content:",|22|tell|22 3a|"; reference:url,www.kryptowire.com/adups_security_analysis.html; classtype:policy-violation; sid:2023514; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_11_16, deployment Perimeter, former_category POLICY, signature_severity Informational, tag Android, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit 2"; flow:established,to_client; file_data; content:"execCommand"; nocase; content:"YMjf"; content:"u0c08"; distance:1; within:6; content:"u0c0cKDog"; distance:1; within:10; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2020099; rev:8; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2015_01_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2016_07_01;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mida eFramework RCE Attempt Inbound (CVE-2020-15922)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipaddress0|22|"; fast_pattern; content:"|3b|"; within:6; reference:url,www.exploit-db.com/exploits/48835; reference:cve,2020-15922; classtype:attempted-admin; sid:2030989; rev:1; metadata:created_at 2020_10_07, cve CVE_2020_15922, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; file_data; content:"UEsDB"; content:"var"; pcre:"/^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB/R"; flowbits:isset,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020161; rev:3; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2015_01_09;)
 
-alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_07;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:2; metadata:created_at 2015_01_23, former_category CURRENT_EVENTS, updated_at 2015_01_23;)
 
-alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; http.request_body; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3; metadata:created_at 2014_12_11, former_category CURRENT_EVENTS, updated_at 2014_12_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Adobe Connectivity check"; flow:established,to_server; urilen:18; http.method; content:"POST"; http.uri; content:"/support/main.html"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,3a128a9e8668c0181d214c20898f4a00; classtype:trojan-activity; sid:2018676; rev:6; metadata:created_at 2014_07_15, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:exploit-kit; sid:2019647; rev:5; metadata:created_at 2014_11_05, former_category CURRENT_EVENTS, updated_at 2014_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke Loader Microsoft Connectivity Check"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fwlink/?LinkId="; fast_pattern; http.header; content:!"SOAPAction|3a|"; http.user_agent; content:!"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http.host; content:"go.microsoft.com"; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,467b786f7c645c73d5c29347d35cae11; classtype:trojan-activity; sid:2022124; rev:8; metadata:created_at 2015_11_20, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DistTrack/Shamoon CnC Beacon M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?shinu="; fast_pattern; pcre:"/\.php\?shinu=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5446f46d89124462ae7aca4fce420423; reference:md5,5bac4381c00044d7f4e4cbfd368ba03b; reference:url,researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/; classtype:command-and-control; sid:2023570; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family DistTrack, malware_family Shamoon, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content:"5368656c6c45786563757465"; nocase; classtype:trojan-activity; sid:2020482; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE User-Agent (Visbot)"; flow:to_server,established; http.user_agent; content:"Visbot"; fast_pattern; startswith; reference:url,www.bleepingcomputer.com/news/security/visbot-malware-found-on-6-691-magento-online-stores/; classtype:trojan-activity; sid:2023575; rev:4; metadata:affected_product Magento, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, malware_family Visbot, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:"%53%68%65%6c%6c%45%78%65%63%75%74%65"; nocase; classtype:trojan-activity; sid:2020483; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_02_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin HTTP Pattern"; flow:to_server,established; http.method; content:"POST"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; fast_pattern; content:"www-form-urlencoded|0d 0a|"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\r?$/m"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023577; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office RTF Stack Buffer Overflow"; flow:from_server,established; file_data; content:"|7b 5c|rt"; within:4; flowbits:set,ETPRO.RTF; flowbits:noalert; reference:cve,2010-3333; classtype:misc-activity; sid:2020699; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Click Fraud Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/link.txt?"; fast_pattern; pcre:"/^\/link\.txt\?[0-9]{1,2}\x3a[0-9]{1,2}\x3a[0-9]{1,2}/"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; classtype:command-and-control; sid:2023669; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2020_10_07;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)"; flow:from_server,established; file_data; content:"chrome|3a 2f 2f|"; nocase; content:"open"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]chrome\x3a\/\//Ri"; content:"messageManager.loadFrameScript"; nocase; content:"Proxy.create"; nocase; reference:url,community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636; reference:cve,2014-8636; classtype:attempted-user; sid:2020756; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_03_26, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Braincrypt Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?uuid="; fast_pattern; pcre:"/\.php\?uuid=[a-z0-9]{32}$/i"; http.user_agent; content:"Go-http-client/"; startswith; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,6b938ca31a55e743112ab34dc540a076; classtype:command-and-control; sid:2023675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Braincrypt, signature_severity Major, tag Ransomware, updated_at 2020_10_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Web Start Command Injection (.jar)"; flow:established,from_server; content:"http|3a| -J-jar -J|5C 5C 5C 5C|"; nocase; content:".launch("; nocase; pcre:"/http\x3a -J-jar -J\x5C\x5C\x5C\x5C\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x5C\x5C[^\n]*\.jar/i"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011698; classtype:web-application-attack; sid:2011698; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin"; flow:to_server,established; http.uri; content:"lm="; content:"/watch/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023680; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 3"; flow:to_server,established; http.uri; content:"lm="; content:"/find/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023682; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2015_04_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 4"; flow:to_server,established; http.uri; content:"lm="; content:"/results/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023683; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download"; flow:to_client,established; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|fb ff ff ff|"; content:"|0b 00 00 00 01 00 00 00|"; content:"|25 00 00 00 01 00 00 00|"; content:"|8b 00 00 00 01 00 00 00|"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4141; classtype:attempted-user; sid:2019420; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 5"; flow:to_server,established; http.uri; content:"lm="; content:"/open/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023684; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt"; flow:established,to_client; content:"obj"; nocase; content:"data"; nocase; within:10; content:"file|3A|//127."; nocase; within:20; pcre:"/(obj.data|object.data).+file\x3A\x2F\x2F127\x2E[0-9]/si"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19873; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx; reference:url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag; reference:cve,2010-0255; reference:url,doc.emergingthreats.net/2011695; classtype:attempted-user; sid:2011695; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 6"; flow:to_server,established; http.uri; content:"lm="; content:"/close/?"; fast_pattern; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023685; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2; metadata:created_at 2015_09_30, former_category CURRENT_EVENTS, updated_at 2015_09_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/HydraCrypt CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/upd.php"; fast_pattern; endswith; http.header; pcre:"/^(?:Referer\x3a[^\r\n]+\r\n)?Host\x3a[^\r\n]+[\r\n]+$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:md5,046e4b3ff7b323f2147f2d5d43b7e5f4; reference:md5,e4ab12da8828a7f1e6c077a2999f8320; classtype:command-and-control; sid:2020503; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI struct Oct 24 2016  (RIG-v)"; flow:established,to_server; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"q="; content:"oq="; fast_pattern; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/"; classtype:exploit-kit; sid:2023401; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_07;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - OWASP Zed Attack Proxy Certificate Seen"; content:"|16|"; depth:1; content:"OWASP Zed Attack Proxy Root CA"; nocase; classtype:misc-activity; sid:2021941; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Strongpity CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=7ea7494e71e9"; nocase; endswith; reference:md5,989af6e0bb7fa4d62815f4fdc4696b85; classtype:domain-c2; sid:2030982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_07, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - BurpSuite PortSwigger Proxy Certificate Seen"; content:"|16|"; depth:1; content:"PortSwigger CA"; nocase; classtype:misc-activity; sid:2021942; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Docusign Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"<title>DocuSign"; fast_pattern; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; classtype:social-engineering; sid:2030984; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_07;)
+alert tcp any any -> $HOME_NET any (msg:"ET WEB_CLIENT Proxy - Fiddler Proxy Certificate Seen"; content:"|16|"; depth:1; content:"DO_NOT_TRUST_FiddlerRoot"; nocase; classtype:misc-activity; sid:2021943; rev:1; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_10_10, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">PASSW0RD <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030985; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; depth:120; classtype:bad-unknown; sid:2011355; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_09_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">Password   <span class=|22|form-required|22|>*</span></label>"; fast_pattern; distance:0; content:">Confirm Password  <span class=|22|form-required|22|>*</span></label>"; distance:0; classtype:social-engineering; sid:2030986; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, former_category CURRENT_EVENTS, updated_at 2010_11_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Landing Hosted via Weebly"; flow:established,to_client; file.data; content:"content=|22|My Site|22|"; distance:0; content:".weebly.com/"; distance:0; content:">P a s s <span class=|22|form-not-required|22|>*</span></label>"; fast_pattern; distance:0; classtype:social-engineering; sid:2030987; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4; metadata:created_at 2011_08_30, former_category CURRENT_EVENTS, updated_at 2011_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Second Stage VBS Downloader with URL Padding"; flow:established,to_server; http.uri; content:".exe???????????????"; nocase; fast_pattern; pcre:"/\.exe\?+$/i"; http.user_agent; content:"WinHttp.WinHttpRequest."; reference:md5,57ce6f966c6b441fe82a211647c6e863; classtype:trojan-activity; sid:2023739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_12, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_10_07;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS SideStep User-Agent"; flow: to_server,established; http.user_agent; content:"SideStep"; reference:url,doc.emergingthreats.net/2002078; reference:url,github.com/chetan51/sidestep/; classtype:misc-activity; sid:2002078; rev:32; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, performance_impact Low, signature_severity Minor, tag User_Agent, updated_at 2020_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt"; flow:to_server,established; http.uri; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:attempted-user; sid:2023756; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6; metadata:created_at 2012_04_13, former_category CURRENT_EVENTS, updated_at 2012_04_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; http.header; content:"Font_Update.exe"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/mi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:social-engineering; sid:2023817; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_31, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Possible Evil Download wsf Double Ext No Referer"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".wsf"; nocase; fast_pattern; pcre:"/\/[^\x2f]+\.[^\x2f]+\.wsf$/i"; http.header; content:!"User-Agent|3a 20 2a|"; classtype:trojan-activity; sid:2022271; rev:5; metadata:created_at 2015_12_17, former_category INFO, updated_at 2020_10_08;)
+#alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9; metadata:created_at 2012_04_17, former_category CURRENT_EVENTS, updated_at 2012_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x32)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X32.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023871; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2012_06_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant Retrieving Payload (x64)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"X64.jpg"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,4dbff312f5ee5bfbd757030109faec2d; classtype:trojan-activity; sid:2023872; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family ursnif, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_03, former_category CURRENT_EVENTS, updated_at 2012_07_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?f="; fast_pattern; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tonto_SPM Backdoor CnC Activity"; flow:to_server,established; http.uri; content:"spm=xx{}:>*()_!"; endswith; classtype:trojan-activity; sid:2030990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Variant CnC Beacon via WebDAV"; flow:established,to_server; http.uri; content:"/catalog/outgoing"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV-MiniRedir/"; startswith; reference:md5,f3459924f8b657359cb0bd0984a1d0fa; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family APT29_MiniDuke, signature_severity Major, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, former_category CURRENT_EVENTS, updated_at 2012_07_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Language|3a 20|en-US|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; depth:98; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"&method="; fast_pattern; pcre:"/^d(?:id|ei)=[A-F0-9]{10,100}&method=IS[A-Z]{1,10}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d6ef9b0cdb49b56c53da3433e30f3fd6; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:command-and-control; sid:2023933; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6; metadata:created_at 2011_12_22, former_category CURRENT_EVENTS, updated_at 2011_12_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Femas.b Apps List Exfil"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/functions.php"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"apslst="; depth:7; reference:md5,4ddf3ff57db24513a16eacb99ad07675; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:2023934; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, performance_impact Low, signature_severity Major, tag Android, updated_at 2020_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2016-0063)"; flow:established,to_client; file_data; content:"prototype"; nocase; content:"DOMImplementation"; fast_pattern; pcre:"/^\s*\([^\)]*\)\s*\.\s*prototype\s*\.\s*(?:hasFeature|isPrototypeOf)/Rsi"; reference:cve,2016-0063; classtype:trojan-activity; sid:2022523; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_02_16, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH Retrieving Malicious PowerShell"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/pro.bat"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,97454efcab28e64ac5400e63780af764; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-attacks-identified/; classtype:trojan-activity; sid:2023948; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, malware_family MAGICHOUND_FETCH, signature_severity Major, updated_at 2020_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Pdfium JPEG2000 Heap Overflow"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"stream"; content:"|00 00 00 0c 6a 50 20 20 0d 0a 87 0a|"; distance:0; content:"|00 00 00 00 6a 70 32 63 ff 4f|"; distance:0; content:"|ff 51|"; within:200; content:"|00 00 ff|"; distance:36; within:3; byte_test:1,>,0x51,0,relative; byte_test:1,<,0x94,0,relative; pcre:"/^[\x52\x5c\x64\x65\x90\x93]/R"; classtype:bad-unknown; sid:2022890; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_06_13, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - Evil Twitter Callback"; flow:established,to_server; urilen:21; http.method; content:"GET"; http.uri; content:"/api/asyncTwitter.php"; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:social-engineering; sid:2022954; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant Fake Request to Google"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/\?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.host; content:"google.com"; bsize:10; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023917; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:social-engineering; sid:2022981; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup (tinytools.nu)"; flow:established,to_server; http.uri; content:"/MyIPAddress/"; nocase; http.host; content:"www.tinytools.nu"; fast_pattern; bsize:16; classtype:external-ip-check; sid:2023520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:social-engineering; sid:2022991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE iOS DualToy Checkin"; flow:to_server,established; http.uri; content:"/i_info_proxy.php?cmd="; fast_pattern; content:"&data="; http.uri.raw; pcre:"/&data=(?:([A-Za-z0-9]|%2[FB]){4})*(?:([A-Za-z0-9]|%2[FB]){2}==|([A-Za-z0-9]|%2[FB]){3}=|([A-Za-z0-9]|%2[FB]){4})$/"; http.header; content:"|3b 20|iPhone|20|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/; classtype:trojan-activity; sid:2023240; rev:4; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2016_09_15, deployment Perimeter, former_category MOBILE_MALWARE, updated_at 2020_10_08, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:social-engineering; sid:2022994; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; http.host; content:"check.torproject.org"; endswith; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:external-ip-check; sid:2017927; rev:5; metadata:created_at 2014_01_04, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:social-engineering; sid:2022955; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_07, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_07_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; http.uri; content:".php?cn"; content:"&str="; fast_pattern; content:"&file="; pcre:"/\.php\?cn(ame)?=/"; http.user_agent; content:"WinInetGet/"; depth:11; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:command-and-control; sid:2016912; rev:7; metadata:created_at 2012_12_12, former_category MALWARE, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:social-engineering; sid:2023038; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mutter Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.aspx?i="; fast_pattern; http.header; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/i"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:command-and-control; sid:2016773; rev:5; metadata:created_at 2013_04_19, former_category MALWARE, updated_at 2020_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:social-engineering; sid:2023040; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; http.header; content:"hotfile.com|0d 0a|"; fast_pattern; classtype:policy-violation; sid:2015015; rev:4; metadata:created_at 2012_07_04, former_category POLICY, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:social-engineering; sid:2023041; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/user/login"; http.request_body; content:"username"; content:"SelectQuery"; fast_pattern; http.content_type; content:"application/vnd.php.serialized"; bsize:30; reference:url,www.ambionics.io/blog/drupal-services-module-rce; classtype:web-application-attack; sid:2024039; rev:4; metadata:affected_product Drupal_Server, attack_target Server, created_at 2017_03_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:social-engineering; sid:2023052; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_12;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; http.header; content:"Content-Disposition|3a|"; nocase; content:"|43 68 72 ce bf 6d 65|"; nocase; fast_pattern; content:"|66 ce bf 6e 74|"; nocase; content:"|2e 65 78 65|"; nocase; file.data; content:"MZ"; within:2; classtype:social-engineering; sid:2024040; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:social-engineering; sid:2023069; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:exploit-kit; sid:2024055; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family terror_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:social-engineering; sid:2023079; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2016_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS Downloader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; fast_pattern; pcre:"/\.php\?file=(?:64|86)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:trojan-activity; sid:2024064; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_03_16, deployment Perimeter, former_category TROJAN, malware_family MagikPOS, performance_impact Low, signature_severity Major, tag POS, updated_at 2020_10_08;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:social-engineering; sid:2022574; rev:3; metadata:created_at 2016_03_01, former_category CURRENT_EVENTS, updated_at 2016_08_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MagikPOS CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/?act=in"; fast_pattern; pcre:"/\/api\/\?act=in$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,121c1008d54e91db66feaf67b3d4084e; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/; classtype:command-and-control; sid:2024067; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_16, deployment Perimeter, former_category MALWARE, malware_family MagikPOS, signature_severity Major, tag POS, tag c2, updated_at 2020_10_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:social-engineering; sid:2023238; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2016_09_15;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed PoetRAT Domain (slimip .accesscam .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"slimip.accesscam.org"; bsize:20; fast_pattern; reference:url,blog.talosintelligence.com/2020/10/poetrat-update.html; classtype:domain-c2; sid:2030991; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_08, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:social-engineering; sid:2023757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_24, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2017_01_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XDUpload Uploading Directory Listting"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name="; startswith; content:"&usid="; distance:0; fast_pattern; content:"&part="; reference:url,vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf; classtype:targeted-activity; sid:2030955; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_08;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt"; flow:established,to_client; content:"table"; nocase; content:"position|3A|absolute"; nocase; within:30; content:"clip|3A|rect"; fast_pattern; nocase; within:15; reference:bid,44536; reference:cve,2010-3962; classtype:attempted-user; sid:2011891; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_11_05, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; http.uri; content:"/search?hl="; content:"q="; content:"meta="; fast_pattern; pcre:"/meta=(?:(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?(?:&?id=[a-z]+)?$/"; http.host; content:!"sogou.com"; http.user_agent; content:"Windows NT 5."; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:7; metadata:attack_target Client_Endpoint, created_at 2013_05_29, deployment Perimeter, former_category TROJAN, malware_family HIMAN, performance_impact Moderate, signature_severity Major, updated_at 2020_10_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS Microsoft-Edge protocol in use (Observed in Magnitude EK)"; flow:established,to_client; file_data; content:"microsoft-edge|3a|http"; nocase; fast_pattern; byte_test:1,>,0x21,-20,relative; byte_test:1,<,0x28,-20,relative; byte_test:1,!=,0x23,-20,relative; byte_test:1,!=,0x24,-20,relative; byte_test:1,!=,0x25,-20,relative; byte_test:1,!=,0x26,-20,relative; content:"location"; nocase; content:"iframe"; nocase; content:"contentWindow"; nocase; reference:url,www.brokenbrowser.com/abusing-of-protocols/; classtype:exploit-kit; sid:2024030; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_03_06, former_category WEB_CLIENT, malware_family BrokenBrowser, signature_severity Major, updated_at 2017_03_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"cmd="; content:"version="; content:"quality="; fast_pattern; content:"av="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bef57db893b54c5605d0e3e7d50d6d70; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:command-and-control; sid:2018580; rev:7; metadata:created_at 2014_06_18, former_category MALWARE, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible MacOSX HelpViewer 10.12.1 XSS Arbitrary File Execution and Arbitrary File Read (CVE-2017-2361)"; flow:established,from_server; file_data; content:"%25252f..%25252f..%25252f..%25252f..%25252f..%25252f..%25252f"; content:"javascript%253aeval"; fast_pattern; content:"help|3a 2f 2f|"; pcre:"/document\s*\.\s*location\s*?\x3d\s*?[\x27\x22]help\x3a\/\/\/[^\x3b]+?\%25252f\.\.\%25252f\.\.\%25252f\.\.\%25252f/"; reference:url,exploit-db.com/exploits/41443/; classtype:attempted-user; sid:2024034; rev:2; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_03_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neutrino CC dump"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dumpgrab="; fast_pattern; content:"track_type="; content:"track_data="; content:"process_name="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bf555378d935de805f39c2d2d965a888; reference:url,securitykitten.github.io/an-evening-with-n3utrino/; classtype:trojan-activity; sid:2020094; rev:5; metadata:created_at 2015_01_05, former_category TROJAN, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3; metadata:created_at 2012_06_22, former_category CURRENT_EVENTS, updated_at 2017_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; http.uri; content:"/getTask.php?"; fast_pattern; nocase; content:"imei="; content:"balance="; http.header_names; content:!"Referer|0d 0a|"; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:command-and-control; sid:2017587; rev:6; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_10_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:5; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mang.bbk"; fast_pattern; endswith; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Moderate, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:3; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2017_05_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon M2"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/adinfo?gi="; fast_pattern; content:"&bf="; http.header; pcre:"/^Host\x3a[^\n\r]\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[\r\n]+$/m"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024172; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload Download"; flow:established,to_server; http.uri; content:"e=cve"; fast_pattern; pcre:"/[&?]e=cve\d{8}(?:&|$)/"; pcre:"/=[a-f0-9]{32,}(?:&|$)/"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2024180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, performance_impact Low, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Flash Possible Remote Code Execution Attempt"; flow:established,to_client; content:"PDF-"; depth:300; content:"/SubType"; distance:0; content:"flash"; nocase; within:100; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; classtype:bad-unknown; sid:2011505; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE AdWare.AndroidOS.Ewind.cd Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/sdk_api.php?id="; fast_pattern; content:"&type="; pcre:"/\.php\?id=[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}&type=/"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.header_names; content:!"Referer|0d 0a|"; reference:md5,bc76d516a66e4002461128f62896c6dd; classtype:trojan-activity; sid:2024201; rev:4; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_04_11, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ewind, tag Android, updated_at 2020_10_09, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Samsung Galaxy Knox Android Browser RCE smdm attempt"; flow:to_client,established; file_data; content:"smdm|3a|//"; nocase; distance:0; reference:url,blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html; reference:url,cxsecurity.com/issue/WLB-2014110124; classtype:web-application-activity; sid:2019750; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sofacy Request Outbound"; flow:established,to_server; http.uri; content:"/?"; content:"&ai="; fast_pattern; content:!"&adurl="; pcre:"/^\/[a-z]+?\/\?(?:[a-z]+?=[A-Za-z0-9\x5f\x2d]+&){1,}ai=[^&]{5}(?:[A-Za-z0-9\x5f\x2d]{4})*(?:[A-Za-z0-9\x5f\x2d]{2}==|[A-Za-z0-9\x5f\x2d]{3}=|[A-Za-z0-9\x5f\x2d]{4})(?:&|$)/"; http.user_agent; content:"Windows NT"; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2019545; rev:1238; metadata:created_at 2014_10_29, former_category MALWARE, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BeEF Module in use"; flow:established,from_server; file_data; content:"beef.websocket.send"; pcre:"/^\s*?\(/Rs"; content:"beef.encode.base64.encode"; pcre:"/^\s*?\(/Rs"; classtype:attempted-user; sid:2024415; rev:2; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_06_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; http.content_type; content:"application/hta"; nocase; endswith; fast_pattern; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Watering Hole Redirect Inject Jun 28 2017"; flow:established,from_server; file_data; content:"REMOTE_URL"; content:"C_TIMEOUT"; distance:0; content:"apply_payload"; distance:0; fast_pattern; content:"execute_request"; distance:0; classtype:trojan-activity; sid:2024431; rev:2; metadata:created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2017_06_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Betabot Checkin 5"; flow:established,to_server; http.uri; content:"/order.php"; fast_pattern; pcre:"/\.php$/"; http.request_body; pcre:"/(?:^|=)[A-F0-9]{70,}(?:$|&)/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,4c3b84efe89e5f5cf3e17f1e1751e708; classtype:command-and-control; sid:2023765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; content:"Wscript.Shell"; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, cve 2017_0199, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_08_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Unknown Possibly Ransomware (Dropped by RIG) CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Accept|3a 20|*|0d 0a|"; fast_pattern; http.request_body; content:"|0a|"; offset:64; depth:1; pcre:"/^[A-Za-z0-9+/]{64}\x0a/"; http.content_type; content:"application/octet-stream"; bsize:24; http.header_names; content:!"Referer|0d 0a|"; reference:md5,26b21902548e3b821387c90d729bace6; classtype:command-and-control; sid:2024233; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M2 Oct 24 2017"; flow:established,from_server; file_data; content:"Msxml2.XMLHTTP.6.0"; fast_pattern; content:"InjectionString"; nocase; distance:0; content:"hasOwnProperty"; nocase; distance:0; content:"navigator"; nocase; distance:0; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"!!document"; nocase; distance:0; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; classtype:trojan-activity; sid:2024912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2017_10_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Abnormal HTTP Headers high likelihood of Poweliks infection"; flow:established,to_server; http.method; content:"GET"; http.header; content:"builddate|3a 20|"; fast_pattern; content:"version|3a 20|"; content:"id|3a 20|"; classtype:trojan-activity; sid:2019606; rev:6; metadata:created_at 2014_10_30, former_category TROJAN, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; http.host; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024298; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2020_10_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Update/Installer ForceDL Template Nov 03 2017"; flow:established,from_server; file_data; content:"addDownloadHint"; nocase; pcre:"/^\s*\x28\s*[\x22\x27][^\x22\x27]*[\x22\x27]\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Rsi"; content:"doDownload(force)"; nocase; content:"userConversion(true)"; nocase; distance:0; content:"trigger_dl"; nocase; pcre:"/^\s*\(\s*force\s*\?\s*true\s*\x3a\s*false\s*,\s*\d+\s*,\s*\d+\s*,\s*[\x22\x27][^\x22\x27]+\.exe[\x22\x27]/Ri"; classtype:social-engineering; sid:2024945; rev:1; metadata:created_at 2017_11_03, former_category CURRENT_EVENTS, updated_at 2017_11_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; reference:url,lucysecurity.com/; classtype:web-application-attack; sid:2030992; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 1"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"cnVuZGxsMz"; content:"VXNlckluaXRNcHJMb2dvblNjcmlwd"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Lucy Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Phishing Server"; fast_pattern; content:"system.appName =|20 22|Phishing Server|22 3b|"; content:"href=|22|/admin/login|22|>Phishing Server"; content:"title=|22|Lucy|22|"; classtype:web-application-attack; sid:2030993; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 2"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"J1bmRsbDMy"; content:"VzZXJJbml0TXByTG9nb25TY3JpcH"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024972; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; http.host; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category MALWARE, malware_family wannacry, signature_severity Major, tag Ransomware, updated_at 2020_10_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 3"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"ydW5kbGwzM"; content:"Vc2VySW5pdE1wckxvZ29uU2NyaXB0"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024973; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neverquest/Vawtrak Posting Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/viewforum.php?f="; fast_pattern; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/"; http.content_type; content:"application/octet-stream"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:5; metadata:created_at 2014_06_07, former_category CURRENT_EVENTS, updated_at 2020_10_09;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 4"; flow:established,to_client; file_data; content:"U3RhcnQtUHJvY2Vzc"; content:"RG93bmxvYWRGaWxl"; content:"V2ViQ2xpZW50"; content:"aW8uRmlsZ"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:to_server,established; http.uri; content:".php?"; content:"option="; content:"view="; content:"layout="; content:"&list[fullordering]="; fast_pattern; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/i"; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:5; metadata:affected_product Joomla, attack_target Web_Server, created_at 2017_06_01, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 5"; flow:established,to_client; file_data; content:"N0YXJ0LVByb2Nlc3"; content:"Rvd25sb2FkRmlsZ"; content:"dlYkNsaWVud"; content:"lvLkZpbG"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024975; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Terror EK Payload URI T1 Jun 02 2017"; flow:established,to_server; http.uri; content:"/d/"; content:"/?q=r4&"; fast_pattern; pcre:"/\&e=(?:cve|flash)/i"; classtype:exploit-kit; sid:2024344; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_02, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_Terror, signature_severity Major, tag Exploit_Kit_Terror, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT pshell dl/execute primitives in wideb64 6"; flow:established,to_client; file_data; content:"TdGFydC1Qcm9jZXNz"; content:"Eb3dubG9hZEZpbG"; content:"XZWJDbGllbn"; content:"pby5GaWxl"; reference:url,securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign/; classtype:trojan-activity; sid:2024976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; http.uri; content:".hta"; nocase; fast_pattern; http.user_agent; content:"Microsoft Office"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SocEng Fake Font Download Template Nov 14 2017"; flow:established,from_server; file_data; content:"|63 6c 69 63 6b 5f 75 70 64|"; nocase; content:"|46 6f 6e 74 20 50 61 63 6b|"; nocase; content:"|2e 6a 73 20 66 69 6c 65 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 70 72 6f 63 65 73 73 2e|"; nocase; reference:url,malware-traffic-analysis.net/2017/11/12/index.html; classtype:social-engineering; sid:2024985; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category CURRENT_EVENTS, malware_family SocEng, performance_impact Low, signature_severity Major, updated_at 2017_11_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Madness Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mk="; fast_pattern; content:"&rs="; content:"&rq="; content:"&ver="; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-zA-Z]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,f1ed53c4665d2893fd116a5b0297fc68; classtype:command-and-control; sid:2018028; rev:6; metadata:created_at 2014_01_28, former_category MALWARE, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Type Confusion Microsoft Edge (CVE-2017-11873)"; flow:established,from_server; file_data; content:"[1.1, 2.2"; fast_pattern; pcre:"/^(?:\]|, 3\.3\])\x3b/R"; content:"Array(100)"; content:"i = 0|3b| i < 100"; content:"function opt("; reference:url,raw.githubusercontent.com/theori-io/pwnjs/master/examples/CVE-2017-11873.js; reference:cve,2017-11873; classtype:attempted-user; sid:2024993; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Significant, signature_severity Major, updated_at 2017_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a CnC Beacon"; flow:to_server,established; http.uri; content:"/inj/injek-1.php?id="; fast_pattern; pcre:"/\?id=(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,e9542a8bd9f0ab57e40bb8519ac443a2; classtype:command-and-control; sid:2024426; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_06_26, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Marcher, signature_severity Major, tag Android, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PWNJS JS Constructs"; flow:established,from_server; file_data; content:"base_lo"; content:"base_hi"; content:"fake_object"; fast_pattern; pcre:"/^\s*?\[\s*?\d/Rs"; content:"i32"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"f64"; pcre:"/^\s*?\[\s*?\d/Rs"; content:"array_addr"; reference:url,raw.githubusercontent.com/theori-io/pwnjs/; classtype:attempted-user; sid:2024994; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2017_11_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup whoer.net"; flow:established,to_server; http.host; content:"whoer.net"; fast_pattern; bsize:9; http.header_names; content:!"Referer|0d 0a|"; classtype:external-ip-check; sid:2021195; rev:5; metadata:created_at 2015_06_08, former_category POLICY, tag IP_address_lookup_website, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious Fake JS Lib Inject"; flow:established,from_server; file_data; content:".min.php"; nocase; pcre:"/^(?P<q>[\x22\x27])\+(?P=q)\?(?P=q)\+(?P=q)/R"; content:"default_keyword="; within:2500; fast_pattern; content:"<"; within:2500; content:!"/script>"; within:8; pcre:"/^[\x22\x27+\s]*\/[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[\x22\x27+\s]*>/Rsi"; classtype:trojan-activity; sid:2025151; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_12_15, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_12_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M1"; flow:established,to_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.uri; content:".sct"; nocase; fast_pattern; endswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, performance_impact Low, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set"; flow:established,to_client; content:"stream"; content:"|0a|FWS"; within:5; fast_pattern; pcre:"/stream(\x0D\x0A|\x0A)FWS/"; flowbits:set,ET.flash.pdf; flowbits:noalert; reference:url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader; reference:url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/; classtype:misc-activity; sid:2012906; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_05_31, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M2"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"text/scriptlet"; nocase; fast_pattern; startswith; reference:url,www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/; classtype:trojan-activity; sid:2024551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"; flow:established,from_server; file_data; content:"<script"; content:"|3c 20|simpleByteArray.length|29|"; distance:0; content:"simpleByteArray|5b|"; within:50; content:"|2a 20|TABLE1_STRIDE|29 7c 30 29 20 26 20 28|TABLE1_BYTES-1|29|"; distance:0; fast_pattern; content:"|5e 3d 20|probeTable|5b|"; distance:0; content:"|7c 30 5d 7c 30 3b|"; distance:0; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,spectreattack.com/spectre.pdf; classtype:attempted-user; sid:2025184; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_02_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Likely Malicious Windows SCT Download MSXMLHTTP M3"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; content:"Content-Disposition|3a 20|"; nocase; content:".sct"; nocase; fast_pattern; pcre:"/^Content-Disposition\x3a[^\r\n]*\.sct[\x22\x27\s\r\n]/mi"; classtype:trojan-activity; sid:2024552; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category CURRENT_EVENTS, malware_family PowerShell, signature_severity Major, tag PowerShell_Downloader, updated_at 2020_11_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"; flow:established,from_server; file_data; content:"<script"; nocase; content:"<"; distance:0; content:".length"; distance:0; nocase; fast_pattern; pcre:"/^\s*?\)\s*?\{\s*(?P<var>[^\s]+)\s*=[^\x5b]+?\x5b\s*(?P=var)\s*?\|\s*?0\s*?\]\s*?\x3b\s*?/Rsi"; content:"^="; distance:0; pcre:"/^\s*[^\s]+\x5b\s*?[^\x5d\x7c]+\x7c\s*?0\s*?\x5d\s*?\x7c\s*?0\s*?\x3b/Rsi"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025185; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2018_02_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_bkid="; content:"_bkpass="; fast_pattern; content:"_accn="; classtype:credential-theft; sid:2019784; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; reference:cve,2018-4989; reference:cve,2018-4987; classtype:bad-unknown; sid:2013995; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_12_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fulln="; fast_pattern; content:"_ccn="; content:"_ccv="; classtype:credential-theft; sid:2019783; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code"; flow:established,to_client; content:"PDF-"; depth:300; content:"app.setTimeOut("; nocase; distance:0; reference:url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4; reference:url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4; reference:cve,2018-4980; reference:cve,2018-4961; classtype:bad-unknown; sid:2011868; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_10_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2018_05_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PayPal Phish Nov 24 2014"; flow:established,to_server; http.request_body; content:"_fn="; content:"_ln="; content:"_birthd="; fast_pattern; classtype:credential-theft; sid:2019782; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_11_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:3; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2017_11_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/HTA Downloader Behavior M3"; flow:to_server,established; http.uri; content:".php?cmd=p&id="; fast_pattern; content:"&rnd="; pcre:"/\.php\?cmd=p&id=\w+.*?&rnd=[\x2e\d]+$/i"; http.header_names; content:!"Referer"; reference:md5,d3abaa6736d7d549eca8644c67e9fcfe; classtype:trojan-activity; sid:2023485; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_07, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [eSentire] Fake Flash Update 2018-07-09"; flow:established,to_client; file_data; content:"<title>Critical error!"; nocase; fast_pattern; content:"Your player version"; nocase; distance:0; content:"has a critical vulnerability"; nocase; distance:0; content:"FlashPlayer.exe"; nocase; distance:0; classtype:trojan-activity; sid:2025647; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Moderate, signature_severity Major, updated_at 2018_07_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba Checkin 4"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|157"; nocase; fast_pattern; http.request_body; content:"|00 80 00 00 00|"; offset:24; depth:5; http.header_names; content:!"Content-Type"; nocase; content:!"Accept"; nocase; content:!"Referer:"; nocase; content:!"User-Agent|0d 0a|"; nocase; reference:md5,ade4d8f0447dac5a8edd14c3d44f410d; classtype:command-and-control; sid:2024659; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family Tinba, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file_data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2018_10_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Andromeda File Request"; flow:established,to_server; http.uri; content:"myguy"; fast_pattern; pcre:"/myguy\.(?:xls(?:\.hta)?|exe)$/"; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference:cve,2017-0199; classtype:trojan-activity; sid:2024490; rev:5; metadata:created_at 2017_07_21, former_category TROJAN, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT IE Double Free (CVE-2018-8460)"; flow:to_client,established; file_data; content:"<script"; nocase; content:"CreateElement"; nocase; content:"cssText"; nocase; content:"DOMAttrModified"; fast_pattern; nocase; content:"addEventListener"; nocase; pcre:"/(?P<obj>[^\s]{1,25})\s*=\s*document\s*\.\s*createElement.*?(?P<func>[^\s]{1,25})\s*=\s*function\s*\x28\s*e\s*\x29\s*{[^}]*this\s*\.\s*style\s*\.\s*cssText.*?(?P=obj)\s*\.\s*addEventListener\s*\x28\s*[\x22\x27]\s*DOMAttrModified\s*[\x22\x27]\s*\x2c\s*(?P=func)/si"; reference:cve,2018-8460; classtype:attempted-user; sid:2026531; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category WEB_CLIENT, updated_at 2018_10_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; http.header; content:"User-Agent|3a|Mozilla"; nocase; fast_pattern; content:!"BlackBerry|3b|"; content:!"PlayBook|3b|"; content:!"Konfabulator"; content:!"masterconn.qq.com"; content:!"QQPCMgr"; classtype:trojan-activity; sid:2011800; rev:12; metadata:created_at 2010_10_13, former_category POLICY, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; classtype:bad-unknown; sid:2014729; rev:5; metadata:created_at 2012_05_10, former_category CURRENT_EVENTS, updated_at 2012_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RelevantKnowledge Adware CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&os="; content:"&osmajorver="; distance:0; content:"&osminorver="; distance:0; content:"&osmajorsp="; distance:0; content:"&lang="; distance:0; content:"&country="; distance:0; content:"&ossname="; distance:0; content:"&brand="; distance:0; content:"&bits="; distance:0; http.header; content:"X-OSSProxy|3a|"; fast_pattern; reference:md5,d93b888e08693119a1b0dd3983b8d1ec; classtype:command-and-control; sid:2018174; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_02_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:2017122; rev:4; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2013_07_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nolja Trojan User-Agent (FileNolja)"; flow:established,to_server; http.user_agent; content:"FileNolja"; nocase; fast_pattern; classtype:trojan-activity; sid:2013376; rev:5; metadata:created_at 2011_08_05, former_category USER_AGENTS, updated_at 2020_10_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; classtype:trojan-activity; sid:2017846; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; http.request_body; content:"=OIMINTERNAL"; fast_pattern; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:4; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, created_at 2017_11_01, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; classtype:trojan-activity; sid:2019597; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:10; http.uri; content:"/top2.html"; fast_pattern; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:exploit-kit; sid:2015478; rev:5; metadata:created_at 2012_07_17, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; classtype:trojan-activity; sid:2019599; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Book of Eli CnC Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.header; content:"CharSet|3a 20|windows-1256|0d 0a|"; http.request_body; content:"id_serial="; depth:10; content:"&id_cpu="; content:"&go_and_fuck_this_life="; content:"&system__="; fast_pattern; content:"&hard_id="; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,blog.eset.ie/2016/09/22/malware-in-libya-book-of-eli-african-targeted-attacks/; reference:md5,25e5744979b365dc58cce23d377b3835; reference:md5,d22857cebad4200c3b1e8ec17836b451; reference:url,www.virustotal.com/en/file/faa20341f7a7277114f5c61e5013b9871ab2b0356f383b6798013ce333a30ae5/analysis/; classtype:command-and-control; sid:2023254; rev:6; metadata:created_at 2013_05_17, former_category MALWARE, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING! Your PC may not be protected!"; content:"remove malicious malware and adware"; distance:0; classtype:social-engineering; sid:2020588; rev:3; metadata:created_at 2015_03_03, former_category WEB_CLIENT, updated_at 2015_03_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Invoice EXE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/invoice"; nocase; fast_pattern; pcre:"/\/invoice[^a-z\/]*?\.(?:exe|zip|7z|rar|com|vbs|ps1)$/i"; reference:md5,bdf12366779ce94178c2d1e495565d2b; classtype:trojan-activity; sid:2019158; rev:7; metadata:created_at 2014_09_11, former_category TROJAN, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING|3a| Your PC may have a serious virus!"; content:"assistance removing malicious viruses"; classtype:social-engineering; sid:2020589; rev:3; metadata:created_at 2015_03_03, former_category WEB_CLIENT, updated_at 2015_03_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024808; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - Alert"; flow:established,to_client; file_data; content:"<title>WARNING - SECURITY ALERT</title>"; classtype:trojan-activity; sid:2020710; rev:3; metadata:created_at 2015_03_19, former_category CURRENT_EVENTS, updated_at 2015_03_19;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024809; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT</title>"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:social-engineering; sid:2021177; rev:3; metadata:created_at 2015_06_03, former_category WEB_CLIENT, updated_at 2015_06_03;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024810; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"<title>MICROSOFT WINDOWS SECURITY ALERT</title>"; nocase; fast_pattern; content:"<title>WARNING: VIRUS CHECK</title>"; nocase; distance:0; classtype:social-engineering; sid:2021181; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024811; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"<title>WARNING: VIRUS CHECK</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:social-engineering; sid:2021182; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024812; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"<title>Advised System Support!</title>"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:social-engineering; sid:2021183; rev:3; metadata:created_at 2015_06_04, former_category WEB_CLIENT, updated_at 2015_06_04;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024813; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M2"; flow:established,to_client; file_data; content:"<title>Security Error</title>"; nocase; content:"myFunction|28 29|"; content:"setInterval"; content:"WARNING"; nocase; classtype:social-engineering; sid:2021286; rev:4; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Metasploit Framework Checking For Update"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/updateserver"; fast_pattern; http.user_agent; content:"MSFX/"; depth:5; http.header_names; content:!"Referer"; classtype:misc-activity; sid:2020475; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_02_19, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_10_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M4"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; content:"onmouseover=|22|myFunction|28 29 3b 22|"; distance:1; content:"onclick=|22|myFunction|28 29 3b 22|"; distance:1; content:"onkeydown=|22|myFunction|28 29 3b 22|"; distance:1; content:"onunload=|22|myFunction|28 29 3b 22|"; distance:1; classtype:social-engineering; sid:2021288; rev:3; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2015_06_17;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"_v="; content:"deleteid="; http.method; content:"POST"; http.uri; content:"/centralbackup.php?"; fast_pattern; classtype:trojan-activity; sid:2017060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_06_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M1"; flow:established,to_client; file_data; content:"/Alert_files/"; nocase; fast_pattern; content:"Due to a third party application"; nocase; distance:0; content:"iOS is crashed"; nocase; distance:0; classtype:social-engineering; sid:2021294; rev:3; metadata:created_at 2015_06_18, former_category WEB_CLIENT, updated_at 2015_06_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Kazy Checkin"; flow:established,to_server; urilen:65; http.uri; content:"AAA=="; endswith; fast_pattern; pcre:"/\/[\x2f\x2bA-Za-z0-9]{59}AAA==$/"; http.host; content:!"mvds1.org"; classtype:command-and-control; sid:2018401; rev:5; metadata:created_at 2014_04_18, former_category MALWARE, updated_at 2020_10_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 17 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"a=HT&u="; http_uri; fast_pattern; content:"&clickid="; http_uri; distance:0; content:"&browser="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&device="; http_uri; distance:0; content:"&model="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; classtype:social-engineering; sid:2021295; rev:3; metadata:created_at 2015_06_18, former_category WEB_CLIENT, updated_at 2015_06_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; http.uri; content:"/proxy.cgi?chk&url="; fast_pattern; classtype:attempted-user; sid:2025223; rev:3; metadata:attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".php?cid="; http_uri; fast_pattern; content:"-w"; distance:0; http_uri; pcre:"/\.php\?cid=[0-9]+?-w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2021357; rev:5; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; http.uri; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"Enable_DNSFollowing=1"; classtype:attempted-user; sid:2025222; rev:4; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, created_at 2018_01_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M2"; flow:established,to_client; file_data; content:"<title>SCANNING.."; fast_pattern; content:"myFunction|28 29|"; distance:0; content:"virus"; nocase; distance:0; classtype:social-engineering; sid:2021358; rev:3; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Fancy Bear Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"lm="; content:"/search/?"; fast_pattern; content:!"&clid="; content:!"&banerid="; content:!"&win="; pcre:"/\/\?(?:text|from|a(?:gs|q)|oe|btnG|oprnd|utm|channel)=/"; reference:md5,6f7523d3019fa190499f327211e01fcb; reference:url,www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/; classtype:trojan-activity; sid:2023681; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2016_12_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Fancy_Bear, updated_at 2020_10_09, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M3"; flow:established,to_client; file_data; content:"e.ctrlKey &&"; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"IP has been Registed"; nocase; fast_pattern; distance:0; classtype:social-engineering; sid:2021359; rev:3; metadata:created_at 2015_06_26, former_category WEB_CLIENT, updated_at 2015_06_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miniduke Checkin"; flow:to_server,established; http.uri; content:"/create.php?"; fast_pattern; pcre:"/^\/[^\x2f]+?\/create\.php\?[a-z0-9]+\x3d[a-z0-9\x5f\x2d]+?$/i"; http.host; content:!"maplelegends.com"; content:!"violinlab.com"; reference:url,welivesecurity.com/2014/05/20/miniduke-still-duking/; classtype:targeted-activity; sid:2018491; rev:7; metadata:created_at 2014_05_21, former_category MALWARE, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Stylesheet June 26 2015"; flow:established,to_client; content:"Content-Type|3a 20|text/css"; http_header; file_data; content:".header-warning"; content:".what-to-do"; distance:0; content:"more-about-the-virus"; distance:0; fast_pattern; classtype:social-engineering; sid:2021366; rev:3; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Banker.AAQD Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:"valor="; depth:6; content:"verde"; content:"branco"; content:"vermelho"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,759db11b07f3a370338f2e0a28eb1def; reference:url,www.virusradar.com/en/Win32_Spy.Banker.AAQD/description; classtype:command-and-control; sid:2018516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_04_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M6"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING|3a|"; nocase; fast_pattern; content:"onbeforeunload"; nocase; distance:0; content:"function|28 29|"; nocase; distance:0; content:"virus"; nocase; distance:0; classtype:social-engineering; sid:2021368; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2015_06_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Content-Key|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Accept|0d 0a|Content-Type|0d 0a|"; startswith; nocase; reference:md5,5ba6cf36f57697a1eb5ac8deaa377b4b; classtype:command-and-control; sid:2025381; rev:6; metadata:created_at 2015_11_24, former_category MALWARE, updated_at 2020_10_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M4"; flow:to_client,established; file_data; content:"myFunction|28 29|"; content:"setInterval"; distance:0; content:"alert"; distance:0; content:"gp-msg.mp3"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2021449; rev:3; metadata:created_at 2015_07_20, former_category WEB_CLIENT, updated_at 2015_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".men"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M1"; flow:to_client,established; file_data; content:"us_win.mp3"; fast_pattern; content:"yourOS|28 29|"; distance:0; content:"myFunction|28 29|"; distance:0; content:"onload_fun|28 29|"; distance:0; classtype:social-engineering; sid:2021500; rev:3; metadata:created_at 2015_07_20, former_category WEB_CLIENT, updated_at 2015_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".webcam"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Sept 21 2015"; flow:established,to_client; file_data; content:"malware error 895-system 32.exe"; nocase; fast_pattern; content:"RESOLVE THE ISSUE ON TOLL FREE - 1-855-"; nocase; content:"DO NOT SHUT DOWN OR RESTART"; nocase; classtype:social-engineering; sid:2021811; rev:3; metadata:created_at 2015_09_22, former_category WEB_CLIENT, updated_at 2015_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".yokohama"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:".html?a="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2021963; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".tokyo"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:"/scan"; depth:5; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/scan[A-Z][a-z]?\/?$/U"; classtype:social-engineering; sid:2021967; rev:3; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2015_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.gq) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".gq"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:4; metadata:created_at 2018_04_16, former_category HUNTING, updated_at 2020_10_10;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; classtype:social-engineering; sid:2021974; rev:3; metadata:created_at 2015_10_20, former_category WEB_CLIENT, updated_at 2015_10_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; http.host; content:".work"; endswith; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:4; metadata:created_at 2018_04_16, former_category INFO, updated_at 2020_10_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; classtype:social-engineering; sid:2021975; rev:3; metadata:created_at 2015_10_20, former_category WEB_CLIENT, updated_at 2015_10_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java Download non Jar file"; flow:established,to_server; flowbits:set,ET.JavaNotJar; flowbits:noalert; http.uri; content:!".jar"; nocase; content:!".jnlp"; nocase; content:!".hpi"; nocase; http.user_agent; content:"Java/1."; fast_pattern; content:!"ArduinoIDE/"; classtype:bad-unknown; sid:2016539; rev:9; metadata:created_at 2013_03_06, former_category CURRENT_EVENTS, updated_at 2020_10_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING! Windows Update Required"; nocase; fast_pattern; content:"Call US Toll Free|20 3a 20|1-877"; nocase; distance:0; content:"System connected with OVERSEAS IP Address"; nocase; distance:0; content:"YOUR COMPUTER HAS BEEN LOCKED!!"; nocase; distance:0; reference:url,threatglass.com/malicious_urls/funu-info; classtype:social-engineering; sid:2022010; rev:3; metadata:created_at 2015_10_29, former_category WEB_CLIENT, updated_at 2015_10_29;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MobileIron RCE Attempt Inbound (CVE-2020-15505)"; flow:established,to_server; http.uri; content:"|2f 2e 3b 2f|"; fast_pattern; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2030997; rev:1; metadata:created_at 2020_10_12, cve CVE_2020_15505, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; classtype:social-engineering; sid:2022012; rev:3; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2015_10_31;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service nrecom)"; flow:from_server,established; tls.cert_subject; content:"CN=ngn.gg"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2031000; rev:1; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; classtype:social-engineering; sid:2022013; rev:3; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2015_10_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Spy/TVRat Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&stat="; pcre:"/\.php\?id=\d+&stat=[a-z0-9]{32}(?:&cidl=\d+|&sidl=[\d%:\x20-]+)?$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-082915-1318-99; reference:url,damballa.com/tvspy-threat-actor-group-reappears/; classtype:command-and-control; sid:2021747; rev:12; metadata:created_at 2015_09_05, former_category MALWARE, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam JS Landing Nov 4"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; content:"Content-Encoding|3a 20|gzip"; http_header; file_data; content:"tfnnumber"; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"msgencoded"; content:"returnmsgencoded"; distance:0; content:"Base64"; pcre:"/^\s*?\.\s*?decode\s*?\(\s*?msgencoded\s*?\)\s*?\.\s*?replace/Rsi"; classtype:social-engineering; sid:2022031; rev:5; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1"; flow:established,to_server; urilen:9; http.method; content:"POST"; http.uri; content:"/is-ready"; fast_pattern; nocase; reference:md5,d2e799904582f03281060689f5447585; reference:url,www.menlosecurity.com/hubfs/pdfs/Menlo_Houdini_Report%20WEB_R.pdf; classtype:command-and-control; sid:2017516; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2013_08_28, deployment Perimeter, former_category MALWARE, malware_family Houdini, malware_family H_worm, performance_impact Low, signature_severity Major, updated_at 2020_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam GET Nov 4"; flow:to_server,established; content:"GET"; http_method; content:".html?cid="; nocase; http_uri; fast_pattern; content:"&caid="; http_uri; nocase; distance:0; content:"&oid="; http_uri; nocase; distance:0; content:"&zid="; http_uri; nocase; distance:0; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; content:!"www.google-analytics.com|0d 0a|"; http_header; classtype:social-engineering; sid:2022032; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2015_11_04;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; threshold:type both, track by_dst, count 1, seconds 60; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"new|20|"; nocase; pcre:"/new\s+(java|org|sun)/i"; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035; rev:4; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 11"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 22|"; fast_pattern; content:"onclick=|22|myFunction|28 29 22|"; distance:0; content:"onkeydown=|22|myFunction|28 29 22|"; distance:0; content:"onunload=|22|myFunction|28 29 22|"; distance:0; classtype:social-engineering; sid:2022079; rev:3; metadata:created_at 2015_11_12, former_category WEB_CLIENT, updated_at 2015_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SA Banker Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?role="; fast_pattern; content:"&os="; content:"&bits="; content:"&av="; content:"&host="; content:"&plugins="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d42c4395cb4cfa3cd6c4798b8c5e493a; classtype:command-and-control; sid:2023424; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category MALWARE, malware_family Banking_Trojan, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,from_server; file_data; content:"Windows Browser"; fast_pattern; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]country[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]isp[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]ip[\x22\x27]/Rsi"; content:"Hello China"; nocase; distance:0; classtype:social-engineering; sid:2022092; rev:3; metadata:created_at 2015_11_16, former_category WEB_CLIENT, updated_at 2015_11_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mera Keylogger POSTing keystrokes"; flow:established,to_server; urilen:14; http.method; content:"POST"; http.uri; content:"/log/index.php"; fast_pattern; http.request_body; content:"text="; depth:5; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,techhelplist.com/index.php/spam-list/695-financial-statement-malware; classtype:trojan-activity; sid:2019965; rev:5; metadata:created_at 2014_12_18, former_category TROJAN, updated_at 2020_10_12;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:social-engineering; sid:2022103; rev:3; metadata:created_at 2015_11_17, former_category WEB_CLIENT, updated_at 2015_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; http.user_agent; content:"Envolo"; fast_pattern; reference:url,doc.emergingthreats.net/2001706; classtype:pup-activity; sid:2001706; rev:38; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; classtype:social-engineering; sid:2022125; rev:3; metadata:created_at 2015_11_21, former_category WEB_CLIENT, updated_at 2015_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (SAH)"; flow: established,to_server; http.user_agent; content:"SAH Agent"; fast_pattern; reference:url,doc.emergingthreats.net/2001707; classtype:pup-activity; sid:2001707; rev:36; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M1"; flow:to_client,established; file_data; content:"/windowslogo.jpg"; fast_pattern; nocase; content:"/winborder.html"; nocase; distance:0; content:"bug1.html"; nocase; distance:0; content:"infected your system"; nocase; distance:0; content:"TCP connection already exists"; nocase; distance:0; content:"TOLL FREE"; nocase; distance:0; classtype:social-engineering; sid:2022319; rev:3; metadata:created_at 2015_12_30, former_category WEB_CLIENT, updated_at 2015_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fun Web Products Spyware User-Agent (MyWay)"; flow: established,to_server; threshold:type limit, count 1, seconds 360, track by_src; http.user_agent; content:"MyWay"; fast_pattern; reference:url,doc.emergingthreats.net/2001864; classtype:pup-activity; sid:2001864; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M2"; flow:to_client,established; file_data; content:"/sound.mp3"; fast_pattern; nocase; content:"function goodbye"; nocase; distance:0; content:"DetectMobile()"; nocase; distance:0; content:"stopPropagation"; nocase; distance:0; content:"preventDefault"; nocase; distance:0; classtype:social-engineering; sid:2022320; rev:3; metadata:created_at 2015_12_30, former_category WEB_CLIENT, updated_at 2015_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: established,to_server; http.user_agent; content:"MyWebSearch"; fast_pattern; reference:url,doc.emergingthreats.net/2001865; classtype:pup-activity; sid:2001865; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:social-engineering; sid:2022410; rev:3; metadata:created_at 2016_01_27, former_category WEB_CLIENT, updated_at 2016_01_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; http.header; content:"|20|searchengine|0d 0a|"; fast_pattern; pcre:"/User-Agent\:[^\n]+searchengine/i"; reference:url,doc.emergingthreats.net/2001867; classtype:pup-activity; sid:2001867; rev:30; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:social-engineering; sid:2022528; rev:3; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2016_02_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (sureseeker)"; flow: established,to_server; http.user_agent; content:"sureseeker.com"; reference:url,doc.emergingthreats.net/2001868; classtype:pup-activity; sid:2001868; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:social-engineering; sid:2022530; rev:3; metadata:created_at 2016_02_17, former_category WEB_CLIENT, updated_at 2016_02_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; http.header; content:"SurferPlugin"; fast_pattern; pcre:"/User-Agent\:[^\n]+SurferPlugin/i"; reference:url,doc.emergingthreats.net/2001870; classtype:pup-activity; sid:2001870; rev:28; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022602; rev:3; metadata:created_at 2016_03_07, former_category WEB_CLIENT, updated_at 2016_03_07;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; http.header; content:"THNALL"; fast_pattern; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/i"; reference:url,doc.emergingthreats.net/2002002; classtype:pup-activity; sid:2002002; rev:33; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022603; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; http.header; content:"XupiterToolbar"; fast_pattern; pcre:"/User-Agent\:[^\n]+XupiterToolbar/i"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:pup-activity; sid:2002071; rev:19; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:social-engineering; sid:2022605; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; http.header; content:"spywareaxe"; fast_pattern; pcre:"/User-Agent\:[^\n]+spywareaxe/"; reference:url,doc.emergingthreats.net/2002808; classtype:pup-activity; sid:2002808; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:social-engineering; sid:2022606; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; http.user_agent; content:"ErrorSafe|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003346; classtype:pup-activity; sid:2003346; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2022607; rev:3; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2016_03_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; http.user_agent; content:"GAMEHOUSE"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003347; classtype:pup-activity; sid:2003347; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:social-engineering; sid:2022619; rev:3; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2016_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; http.user_agent; content:"FreezeInet"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003355; classtype:pup-activity; sid:2003355; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:social-engineering; sid:2022649; rev:3; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2016_03_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; threshold: type limit, count 1, seconds 300, track by_src; http.user_agent; content:"SpamBlockerUtility|20|"; fast_pattern; reference:url,doc.emergingthreats.net/2003384; classtype:pup-activity; sid:2003384; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:3; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2016_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; http.user_agent; content:"Morpheus"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003396; classtype:pup-activity; sid:2003396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:social-engineering; sid:2022695; rev:3; metadata:created_at 2016_04_01, former_category WEB_CLIENT, updated_at 2016_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; threshold:type both, count 1, seconds 300, track by_src; http.user_agent; content:"Seekmo"; fast_pattern; nocase; classtype:pup-activity; sid:2003397; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2022802; rev:3; metadata:created_at 2016_05_11, former_category WEB_CLIENT, updated_at 2016_05_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; http.user_agent; content:"SmartInstaller"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003398; classtype:pup-activity; sid:2003398; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:social-engineering; sid:2022855; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; http.header; content:"iMeshBar"; fast_pattern; pcre:"/User-Agent\:[^\n]+iMeshBar/i"; reference:url,doc.emergingthreats.net/2003406; classtype:pup-activity; sid:2003406; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:social-engineering; sid:2022856; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; http.user_agent; content:"SF Installer"; fast_pattern; reference:url,doc.emergingthreats.net/2003428; classtype:pup-activity; sid:2003428; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:social-engineering; sid:2022857; rev:3; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2016_06_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; http.user_agent; content:"DSInstall"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003439; classtype:pup-activity; sid:2003439; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:social-engineering; sid:2022926; rev:3; metadata:created_at 2016_06_29, former_category WEB_CLIENT, updated_at 2016_06_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; http.header; content:"|20|Oemji"; fast_pattern; pcre:"/User-Agent\:[^\n]+Oemji/i"; reference:url,doc.emergingthreats.net/2003468; classtype:pup-activity; sid:2003468; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:social-engineering; sid:2022928; rev:3; metadata:created_at 2016_06_29, former_category WEB_CLIENT, updated_at 2016_06_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; threshold:type limit, count 2, seconds 360, track by_src; http.user_agent; content:"AskSearch"; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2003493; classtype:pup-activity; sid:2003493; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_12;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:social-engineering; sid:2023869; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_03, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2017_02_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Win95)"; flow:to_server,established; http.user_agent; content:"Win95"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:pup-activity; sid:2008015; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024124; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; http.uri; content:"?action="; content:"&pc_id="; content:"&abbr="; fast_pattern; content:"&err="; reference:url,doc.emergingthreats.net/2008282; classtype:pup-activity; sid:2008282; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024127; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Unknown Malware patchlist.xml Request"; flow:established,to_server; http.uri; content:"/update/patchlist.xml"; fast_pattern; classtype:pup-activity; sid:2013200; rev:5; metadata:created_at 2011_07_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024128; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_03_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; http.uri; content:".php?pi="; fast_pattern; content:"&gu="; content:"&ac="; http.user_agent; content:"Mozilla/4.0(compatible|3b 20|MSIE 6.0)"; bsize:33; classtype:pup-activity; sid:2013540; rev:8; metadata:created_at 2011_09_06, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Multibrowser Resource Exhaustion observed in Tech Support Scam"; flow:from_server,established; file_data; content:"var|20|total|20|=|20 22 22 3b|"; nocase; content:"total|20|=|20|total"; nocase; distance:0; content:"history.pushState"; nocase; fast_pattern; distance:0; pcre:"/^\s*\(\s*0\s*,\s*0\s*,\s*total\s*\)/Ri"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1246773; classtype:social-engineering; sid:2024305; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2017_05_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; http.uri; content:"/LogProc.php?"; fast_pattern; content:"mac="; content:"mode="; content:"&pCode="; reference:md5,2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:pup-activity; sid:2013797; rev:7; metadata:created_at 2011_10_24, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe - Update Adobe Flash Player</title>"; nocase; classtype:bad-unknown; sid:2024643; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.Ezula Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/download/UVid.asp?"; fast_pattern; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:pup-activity; sid:2016938; rev:6; metadata:created_at 2013_05_29, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player Update</title>"; nocase; classtype:bad-unknown; sid:2024644; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; http.uri; content:"/api/success/?s="; fast_pattern; content:"&c="; content:"&cv="; content:"&context="; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017880; rev:9; metadata:attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player</title>"; nocase; classtype:bad-unknown; sid:2024645; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; http.uri; content:"/downloads/icons.dat"; fast_pattern; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:pup-activity; sid:2017881; rev:6; metadata:created_at 2013_12_18, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player|20 7c 20|Free Download</title>"; nocase; classtype:bad-unknown; sid:2024646; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP GMUnpackerInstaller.A Checkin"; flow:to_server,established; http.uri; content:"/new/rar.xml"; fast_pattern; nocase; http.header_names; content:!"User-Agent|0d 0a|"; nocase; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:pup-activity; sid:2017892; rev:5; metadata:created_at 2013_12_20, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Adobe Flash Player Update</title>"; nocase; classtype:bad-unknown; sid:2024647; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.PUQD Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/debug/Version/"; fast_pattern; startswith; content:"/trace/"; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:pup-activity; sid:2017945; rev:6; metadata:created_at 2014_01_08, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Flash Player is outdated</title>"; nocase; classtype:bad-unknown; sid:2024648; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; http.uri; content:".gif?action="; content:"&browser="; content:"&ver="; content:"&bic="; fast_pattern; content:"&app="; content:"&appver="; content:"&verifier="; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:pup-activity; sid:2018301; rev:6; metadata:created_at 2012_10_05, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Update Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>flash player might be outdated</title>"; nocase; classtype:bad-unknown; sid:2024649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2017_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/product-am.php?id="; fast_pattern; content:"&v="; content:"&offer["; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; depth:20; http.header_names; content:!"Referer|0d 0a|"; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:pup-activity; sid:2018307; rev:7; metadata:created_at 2014_03_19, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam Landing M1 Oct 13 2017"; flow:established,to_client; file_data; content:"<title>Windows Defender</title>"; nocase; fast_pattern; content:"background-color|3a 20|#659e1d"; nocase; distance:0; classtype:social-engineering; sid:2024841; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_13, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2017_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server; http.uri; content:"/api/software/?s="; fast_pattern; content:"&os="; content:"&output="; content:"&v="; content:"&l="; content:"&np="; content:"&osv="; content:"&b="; content:"&bv="; content:"&c="; content:"&cv="; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:pup-activity; sid:2018323; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_03_26, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2018-01-10"; flow:from_server,established; file_data; content:"<title>Security Warning"; nocase; fast_pattern; content:"background-color:#d70000"; nocase; distance:0; classtype:social-engineering; sid:2025197; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_01_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?mode="; fast_pattern; content:"&subid="; content:"&filedescription="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:pup-activity; sid:2018367; rev:10; metadata:created_at 2014_04_07, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Feb 12"; flow:from_server,established; file_data; content:"|57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 20 41 6c 65 72 74 20 3a 20 5a 65 75 73 20 56 69 72 75 73 20 44 65 74 65 63 74 65 64 20 49 6e 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 20 21 21 3c 2f 68 31 3e|"; fast_pattern; nocase; content:"|3e 50 6c 65 61 73 65 20 44 6f 20 4e 6f 74 20 53 68 75 74 20 44 6f 77 6e 20 6f 72 20 52 65 73 65 74 20 59 6f 75 72 20 43 6f 6d 70 75 74 65 72 2e 3c 2f 68 33 3e|"; nocase; distance:0; classtype:social-engineering; sid:2025345; rev:3; metadata:created_at 2018_02_12, former_category WEB_CLIENT, updated_at 2018_02_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/evt/?nexcb="; startswith; fast_pattern; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/"; http.request_body; content:"a="; depth:2; content:"&b="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:pup-activity; sid:2018565; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_06_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"Microsoft Windows Notification"; nocase; fast_pattern; content:"<audio autoplay=autoplay loop id=audio>"; nocase; distance:0; content:".mp3 type=audio/mpeg"; nocase; distance:0; classtype:social-engineering; sid:2025908; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?q="; offset:4; depth:8; pcre:"/^\/(?:get|install)\/\?q=/"; http.header; content:"optpro"; fast_pattern; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:pup-activity; sid:2018744; rev:7; metadata:created_at 2014_07_21, former_category ADWARE_PUP, updated_at 2020_10_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"href=|22|./files/alert.css"; nocase; content:"<audio autoplay=|22|autoplay|22 20|loop=|22|"; nocase; fast_pattern; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Internet Security Alert"; nocase; distance:0; classtype:social-engineering; sid:2025909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[a-f0-9]{50,}$/"; http.header; content:"Proxy-Authorization|3a 20|Basic"; http.host; content:"stan|2E|"; fast_pattern; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019145; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2017-07-26"; flow:from_server,established; file_data; content:"<title>Windows Defender"; nocase; fast_pattern; content:"<audio id=|22|play|22 20|loop="; nocase; distance:0; content:".mp3|22 20|type=|22|audio/mpeg"; nocase; distance:0; content:"Windows Defender Alert"; nocase; distance:0; classtype:social-engineering; sid:2025910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_07_26;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[\w-]{50,}$/"; http.host; content:"kyle|2E|"; fast_pattern; startswith; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019156; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam Landing 2018-09-12"; flow:established,to_client; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern; content:"<strong>VIRUS ALERT FROM MICROSOFT"; nocase; distance:0; content:"<audio autoplay=|22|autoplay|22|"; nocase; distance:0; classtype:social-engineering; sid:2026111; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2018_09_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; http.method; content:"POST"; http.uri; content:"/?pcrc="; fast_pattern; pcre:"/^\/\?pcrc=[0-9]{7,10}$/"; http.request_body; content:"0A0Czut"; depth:7; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d933bef7e1118b181add31eb5edc5c73; classtype:pup-activity; sid:2019511; rev:8; metadata:created_at 2014_10_27, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M2 Feb 29"; dns_query; content:"errorcode"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022576; rev:4; metadata:created_at 2016_03_01, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DealPly Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/pxl/"; fast_pattern; content:"e=-1"; content:"&c="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:pup-activity; sid:2019622; rev:5; metadata:created_at 2014_10_31, former_category ADWARE_PUP, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 15"; dns_query; content:"suspiciousactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022625; rev:4; metadata:created_at 2016_03_16, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/update.php?p="; fast_pattern; content:"&v="; content:"&id="; distance:0; http.user_agent; content:"AutoUpdate"; bsize:10; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:pup-activity; sid:2021401; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_10, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M1"; dns_query; content:"errorunauthorized"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022631; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney User Agent"; flow:established,to_server; http.user_agent; content:"Downloader|20|"; startswith; fast_pattern; pcre:"/^Downloader \d\.\d$/"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024249; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M2"; dns_query; content:"drivercrashed"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022632; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 3"; flow:to_server,established; http.uri; content:"/get_download_xml_"; fast_pattern; content:"?id="; http.user_agent; content:"tiny-dl"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024252; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 21 M3"; dns_query; content:"computer-is-locked"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022633; rev:4; metadata:created_at 2016_03_21, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 6"; flow:to_server,established; http.uri; content:"/get_xml?story="; fast_pattern; content:"&file"; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024254; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 23"; dns_query; content:"unauthorized-transaction"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022648; rev:4; metadata:created_at 2016_03_23, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 7"; flow:to_server,established; http.uri; content:"/info?story="; fast_pattern; content:"&file="; http.user_agent; content:"Downloader"; depth:10; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024255; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_09_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M1"; dns_query; content:"diskissue"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022690; rev:4; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney.A Checkin 5"; flow:to_server,established; http.uri; content:"/getspfile.php?id="; fast_pattern; http.user_agent; content:"tiny-dl"; depth:7; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024256; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_20, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M3 Feb 29"; dns_query; content:"yourcomputer"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022739; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 1"; flow:established,to_server; urilen:8; http.method; content:"POST"; http.uri; content:"/ppu.php"; fast_pattern; http.request_body; content:"xml_req="; depth:8; content:"system"; distance:0; content:"os+version"; distance:0; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024258; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_17, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M1"; dns_query; content:"unusualactivity"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022740; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Loadmoney Checkin 3"; flow:established,to_server; http.uri; content:"/get_json?"; fast_pattern; content:"&name="; content:"rnd="; http.user_agent; content:"Downloader|20|"; startswith; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:pup-activity; sid:2024261; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_09, deployment Perimeter, former_category ADWARE_PUP, malware_family Loadmoney, performance_impact Low, signature_severity Minor, tag Loadmoney, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M2"; dns_query; content:"yoursystem"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022741; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Java.Deathbot Requesting Proxies"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Socks"; fast_pattern; content:".txt"; endswith; distance:1; within:4; pcre:"/\/Socks[45]\.txt$/"; http.user_agent; content:"Java/1."; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; classtype:pup-activity; sid:2024794; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category ADWARE_PUP, malware_family Spambot, signature_severity Major, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M3"; dns_query; content:"howcanwehelp"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022742; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PoetRAT Upload via HTTP"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Max-Downloads|0d 0a|Max-Days|0d 0a|"; fast_pattern; reference:url,blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html; classtype:command-and-control; sid:2031002; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, malware_family PoetRat, performance_impact Moderate, signature_severity Major, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M4"; dns_query; content:"bluescreen"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022743; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN ELF/Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:attempted-admin; sid:2030995; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Minor, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M5"; dns_query; content:"cloud-on"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022744; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"JuffHell/"; depth:9; nocase; classtype:web-application-attack; sid:2030996; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_10_12, deployment Perimeter, signature_severity Major, updated_at 2020_10_12;)
+#alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 18 M6"; dns_query; content:"call-now"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022745; rev:4; metadata:created_at 2016_04_18, former_category WEB_CLIENT, updated_at 2019_08_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex DL Pattern Feb 18 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe?."; fast_pattern; pcre:"/\.exe\?\.\d+$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022549; rev:6; metadata:created_at 2016_02_19, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:social-engineering; sid:2023039; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; http.method; content:"GET"; http.uri; content:".exe"; endswith; fast_pattern; pcre:"/^\/\d+\/\d+\.exe$/"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/mi"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:5; metadata:created_at 2015_04_17, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript|3a|"; nocase; distance:0; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; classtype:attempted-user; sid:2010664; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock CVE-2014-6271"; flow:established,to_server; http.uri; content:"authLogin.cgi"; http.header; content:"|28 29 20 7b|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:5; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; classtype:attempted-user; sid:2010798; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; http.method; content:"GET"; nocase; http.referer; content:"?//"; fast_pattern; pcre:"/\/(?:(?:index|toc)\.html?)?\?\/\//i"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:5; metadata:created_at 2013_06_20, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Containing Windows Commands Downloaded"; flow:established,to_client; content:"%PDF-"; content:"|3C 3C 0D 0A 20 2f|type|20 2F|action|0D 0A 20 2F|s|20 2F|launch|0D 0A 20 2F|win"; distance:0; nocase; reference:url,doc.emergingthreats.net/2011245; classtype:bad-unknown; sid:2011245; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2012-1533 altjvm (jvm.dll) Requested Over WebDAV"; flow:established,to_server; http.uri; content:"/jvm.dll"; fast_pattern; endswith; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:7; metadata:created_at 2013_06_13, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010522; classtype:web-application-attack; sid:2010522; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Locker.B Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"method=devicestatus"; fast_pattern; content:"&app_key="; offset:19; content:"&imei="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,28726f772f6b4b63fb40696a28afafc9; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; classtype:trojan-activity; sid:2018946; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_08_18, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010525; classtype:web-application-attack; sid:2010525; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor Lanfiltrator Checkin"; flow:established,to_server; http.uri; content:"/ralog.cgi?action="; nocase; fast_pattern; content:"&ip="; nocase; content:"&servertype="; nocase; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:command-and-control; sid:2009078; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010527; classtype:web-application-attack; sid:2010527; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Chase Phish Dec 29 2016"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Chase Online"; fast_pattern; classtype:credential-theft; sid:2031573; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile"; flow: established,to_client; content:"|313030|,111,99,117,109,101,110,116,46,119,114,105,116,101"; reference:url,doc.emergingthreats.net/2001811; classtype:misc-activity; sid:2001811; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible External IP Lookup myip.kz"; flow:established,to_server; http.host; content:"myip.kz"; fast_pattern; bsize:7; classtype:external-ip-check; sid:2021533; rev:4; metadata:created_at 2015_07_27, former_category POLICY, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|F2 3D 8D 23|"; reference:url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/; reference:cve,2010-1297; classtype:attempted-user; sid:2011519; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"33db9538.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023231; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"9507c4e8.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023232; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"e5b57288.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023233; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"54dfa1cb.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023234; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt"; flowbits:isset,ET.ass.request; flow:established,to_client; content:"Dialogue|3A|"; nocase; isdataat:60000,relative; content:!"|0A|"; within:60000; reference:url,www.securityfocus.com/bid/37832/info; reference:url,doc.emergingthreats.net/2010758; classtype:attempted-user; sid:2010758; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"pjl_ready_message="; nocase; fast_pattern; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt"; flow:established,to_client; content:"<location>"; nocase; content:"smb|3A|//"; within:20; nocase; content:!"|0A|"; within:1000; isdataat:1000,relative; pcre:"/\x3Clocation\x3D.+smb\x3A\x2F\x2F.{1000}.+\x3C\x2Flocation\x3E/smi"; reference:url,www.securityfocus.com/bid/35500/info; reference:url,doc.emergingthreats.net/2010813; classtype:attempted-user; sid:2010813; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE indux.php check-in"; flow:established,to_server; http.uri; content:"/indux.php?U="; nocase; fast_pattern; content:"@"; http.referer; content:"http|3a|//www.google.com"; nocase; bsize:21; classtype:trojan-activity; sid:2011387; rev:8; metadata:created_at 2010_09_28, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious"; flow:established,to_client; content:"eval|28|"; fast_pattern; nocase; content:"String.fromCharCode|28|"; nocase; within:40; pcre:"/eval\x28(String\x2EfromCharCode\x28|[a-z,0-9]{1,20}\x28String\x2EfromCharCode\x28)/i"; classtype:bad-unknown; sid:2012173; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; depth:32; content:"&dnsserver="; content:"&Save=Save"; fast_pattern; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:5; metadata:created_at 2015_04_08, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"window.setInterval"; distance:0; nocase; content:"srcElement"; fast_pattern; nocase; distance:0; reference:url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19726; reference:url,www.kb.cert.org/vuls/id/492515; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; classtype:attempted-user; sid:2010799; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; http.header; content:"Range|3a|"; nocase; content:"18446744073709551615"; fast_pattern; distance:0; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/mi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:5; metadata:created_at 2015_04_15, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding"; flow:established,to_client; content:"%72%65%70%6c%61%63%65%28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012398; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; http.uri; content:"/level/15/exec/-/"; fast_pattern; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/i"; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding"; flow:established,to_client; content:"%u72%u65%u70%u6c%u61%u63%u65%u28"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012399; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Felismus CnC Beacon 2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/products.php?"; fast_pattern; pcre:"/\.php\?[a-z]{15,}$/"; http.header; content:"Referer|3a|"; content:"/products.php|0d 0a|"; distance:0; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Content-Type|0d 0a|"; reference:url,blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware; reference:md5,8de3f20d94611e0200c484e42093f447; classtype:command-and-control; sid:2024177; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family Felismus, signature_severity Major, tag Felismus, tag c2, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding"; flow:established,to_client; content:"%u7265%u706c%u6163%u6528"; nocase; fast_pattern; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012400; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_03_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Citibank Phish M1 2016-08-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/online.citi.com/"; fast_pattern; content:".php"; endswith; classtype:credential-theft; sid:2032691; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding"; flow:established,to_client; content:"%u3c%u73%u63%u72%u69%u70%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012264; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Citibank Phish M2 2016-08-22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"/online.citi.com/"; fast_pattern; classtype:credential-theft; sid:2032692; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding"; flow:established,to_client; content:"%u3c73%u6372%u6970%u74"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012265; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"new.odgarsupport.world"; nocase; endswith; classtype:domain-c2; sid:2028660; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape % Encoding"; flow:established,to_client; content:"%75%6e%65%73%63%61%70%65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012266; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows-updates.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028662; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding"; flow:established,to_client; content:"%u75%u6e%u65%u73%u63%u61%u70%u65"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012267; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".windows64x.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028663; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding"; flow:established,to_client; content:"%u756e%u6573%u6361%u7065"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012268; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".firewallsupports.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028664; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Adobe_Coldfusion, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr % Encoding"; flow:established,to_client; content:"%73%75%62%73%74%72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012269; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 CnC Domain in DNS Lookup"; dns.query; content:".winx64-microsoft.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:domain-c2; sid:2028665; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding"; flow:established,to_client; content:"%u73%u75%u62%u73%u74%u72"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012270; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Upatre Header Structure 2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:!"Taitus"; content:!"Sling/"; content:!"Updexer/"; http.host; content:!"sophosupd.com"; content:!"sophosupd.net"; http.accept; content:"text/*,|20|application/*"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:14; metadata:created_at 2014_07_03, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding"; flow:established,to_client; content:"%u7375%u6273%u7472"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012271; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; bsize:22; content:"CN=superlatinradio.com"; fast_pattern; reference:md5,ce879fb552e7740bb2e940c65746aad2; classtype:domain-c2; sid:2028672; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval % Encoding"; flow:established,to_client; content:"%65%76%61%6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012272; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AZORult CnC Server) 2019-10-08"; flow:established,to_client; tls.cert_subject; content:"CN=corpcougar.in"; endswith; fast_pattern; reference:md5,f7a490fcf756f9ddbaedc2441fbc3c0c; classtype:domain-c2; sid:2028673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding"; flow:established,to_client; content:"%u65%u76%u61%u6c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012273; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_09_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; http.user_agent; content:"NetInstaller"; nocase; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:pup-activity; sid:2003528; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt"; flow:established,to_client; content:"util.printf|28 22 25|"; nocase; fast_pattern; pcre:"/util.printf\x28\x22\x25[^\x2C\x29]*f\x22\x2C/i"; reference:url,www.coresecurity.com/content/adobe-reader-buffer-overflow; reference:bid,30035; reference:cve,2008-2992; classtype:attempted-user; sid:2013152; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (double dashes)"; flow:to_server,established; http.user_agent; content:"|2d 2d |"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:pup-activity; sid:2007948; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_01, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET MALWARE Downloader.Win32.Small CnC Beacon"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSDN SurfBear"; depth:13; endswith; reference:url,doc.emergingthreats.net/2011269; classtype:command-and-control; sid:2011269; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Hostile Microsoft Rich Text File (RTF) with corrupted listoverride"; flow:from_server,established; flowbits:set,ETPRO.RTF; content:"|7b 5c 2a 5c|listoverridetable"; content:"|5c|listoverride|5c|"; fast_pattern; pcre:"/\x5clistoverride\x5c((?!\x5cls\d{1,4}\s*\}).)+?\x5clistoverride\x5c/s"; reference:cve,2012-0183; classtype:attempted-user; sid:2025085; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Moxilla"; flow:established,to_server; http.user_agent; content:"Moxilla"; depth:7; classtype:trojan-activity; sid:2012313; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Excel file download - SET 1"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; file_data; content:"|09 08 10 00 00 06 05 00|"; distance:512; content:"|57006F0072006B0062006F006F006B00|"; fast_pattern; flowbits:set,ETPRO.Microsoft.Excel; flowbits:noalert; reference:cve,2012-0185; classtype:attempted-user; sid:2025086; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_05_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Casino Related Spyware User-Agent Detected (Viper 4.0)"; flow:established,to_server; http.header; content:"Viper 4.0|29|"; nocase; fast_pattern; distance:2; within:10; http.user_agent; content:"Mozilla|2f|5|2e|0 |28|compatible"; depth:23; reference:url,doc.emergingthreats.net/2008586; classtype:pup-activity; sid:2008586; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017549; rev:3; metadata:created_at 2013_10_02, former_category EXPLOIT_KIT, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (VMozilla)"; flow:to_server,established; http.user_agent; content:"VMozilla"; depth:8; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF; reference:url,www.avira.com/en/support-threats-description/tid/6259/tlang/en; classtype:trojan-activity; sid:2012555; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_03_25, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:5; metadata:created_at 2014_01_30, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious User Agent (Lotto)"; flow:to_server,established; http.user_agent; content:"Lotto"; depth:5; classtype:trojan-activity; sid:2012695; rev:4; metadata:created_at 2011_04_20, updated_at 2020_10_13;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF Cookie Outbound"; flow:to_server,established; content:"Cookie|3a 20|BEEFSESSION="; fast_pattern; threshold: type limit, track by_src, seconds 300, count 1; reference:url,beefproject.com; classtype:attempted-user; sid:2018088; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskx.txt"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; reference:md5,9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:4; metadata:created_at 2011_04_29, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322"; flow:established,to_client; file_data; content:"onpropertychange"; nocase; fast_pattern; content:".outerHTML"; pcre:"/^\s*?=\s*?[^\s]+?\.outerHTML/Rsi"; content:"appendChild"; nocase; content:"getElementsByTagName"; nocase; pcre:"/^\s*?\(\s*?[\x22\x27]script[\x22\x27].+?\s(?P<vname>[^\s]+)\.onpropertychange\s*=.+?\s(?P<vname2>[^\s\x3d]+)\s*?=\s*?[^\s]*?createElement\s*?\(\s*?[\x22\x27]select[\x22\x27].+?(?P=vname)\.appendChild\(\s*?[\x22\x27]?(?P=vname2)[\x22\x27]?/Rsi"; reference:cve,2014-0322; classtype:attempted-user; sid:2018147; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; http.user_agent; content:"VERTEXNET"; depth:9; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:5; metadata:created_at 2011_03_31, former_category USER_AGENTS, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT EMET Detection Via XMLDOM"; flow:established,from_server; file_data; content:"loadXML"; nocase; content:"parseError"; nocase; content:"res:/"; content:"AppPatch"; nocase; distance:0; pcre:"/^.+?\bEMET\.DLL/Rsi"; content:"EMET.DLL"; nocase; fast_pattern; classtype:attempted-user; sid:2018152; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_02_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (mdms)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"mdms"; depth:4; endswith; classtype:trojan-activity; sid:2012761; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic HeapSpray Construct"; flow:established,from_server; file_data; content:"createElement(|22|div|22|)"; fast_pattern; content:"for("; pcre:"/^\s*?(?P<var>[^\x3d\x3b\)\s]+)\s*?=\s*?0\s*?\x3b(?P=var)\s*?\<\s*?(?:0x)?\d{3,4}\s*?\x3b\s*?(?P=var)\+\+\s*?\)\s*?\x7b[^\x7d]+?\[\s*?(?P=var)\s*?\]\s*?=\s*?document\.createElement\([\x22]div[\x22]\)[^\x7d]+?\[\s*?(?P=var)\s*?\]/Rsi"; classtype:trojan-activity; sid:2018299; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_03_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious user agent (asd)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"asd"; nocase; depth:3; endswith; classtype:trojan-activity; sid:2012762; rev:4; metadata:created_at 2011_05_03, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File .RTF File download with invalid listoverridecount"; flow:from_server,established; file_data; content:"|5c|listoverridetable"; distance:0; content:"|5c|listoverride|5c|"; fast_pattern; content:"|5c|listoverridecount"; isdataat:2,relative; pcre:"/^(?:0*?[19]\d|[^190])/R"; reference:cve,2012-2539; classtype:attempted-user; sid:2018315; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_12_12, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound"; flow:established,to_server; http.user_agent; content:"EmailSiphon"; nocase; depth:11; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013032; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_14, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed CWS"; flow:established,from_server; content:"callback=CWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=CWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018656; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed FWS"; flow:established,from_server; content:"callback=FWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=FWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018657; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Binget PHP Library User Agent Outbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013050; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Rosetta Flash compressed ZWS"; flow:established,from_server; content:"callback=ZWS"; nocase; fast_pattern; content:"<object"; nocase; pcre:"/^((?!(?i:<\/object>)).)+?data\s*?\=\s*?[\x22\x27][^\x22\x27]*[?&]callback=ZWS[a-zA-Z0-9_\.\x0d\x0a]{50,}+[&\x22\x27]/Rsi"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018658; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_07_09, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR filename detected"; flow:established,to_client; content:"<applet"; content:"Signed_Update.jar"; fast_pattern; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018970; rev:4; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013052; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 2"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"rebootinfo.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019112; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:to_client,established; flowbits:isset,ET.http.binary; file_data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS PyCurl Suspicious User Agent Outbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; depth:6; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013054; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe guessing router password 1"; flow:established,from_server; file_data; content:"dnsPrimary="; nocase; fast_pattern; content:"dnsSecondary="; nocase; content:"dnsDynamic="; nocase; content:"dnsconfig.cgi"; nocase; reference:url,securelist.com/blog/incidents/66358/web-based-attack-targeting-home-routers-the-brazilian-way/; classtype:attempted-user; sid:2019111; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_09_04, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Peach C++ Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013055; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC VB ShellExecute Function Inside of VBSCRIPT tag"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"shellexecute"; nocase; fast_pattern; content:"<script "; nocase; pcre:"/^[^>]*?(?:language\s*?=\s*?[\x22\x27]vbscript[\x22\x27]|type\s*?=\s*?[\x22\x27]text/vbscript[\x22\x27](?:(?!<\/script>).)+?\WShellExecute)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019707; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_14, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure obfuscated CVE-2014-6332"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"Xor"; nocase; pcre:"/^\W/R"; content:"Execute"; nocase; content:"&chr"; nocase; content:"UBound"; fast_pattern; nocase; content:"Cint"; nocase; pcre:"/^\W/R"; content:"Split"; nocase; pcre:"/^\W/R"; content:"Mid"; pcre:"/^\W/R"; content:"Len"; pcre:"/^\W/R"; reference:cve,2014-6332; classtype:attempted-user; sid:2019715; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_15, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT GENERIC Possible IE Memory Corruption CollectGarbage with DOM Reset"; flow:established,to_client; file_data; content:"unescape"; nocase; content:"%u"; nocase; content:"CollectGarbage"; nocase; fast_pattern; content:"innerHTML"; nocase; pcre:"/^\s*?=\s*?(?:undefined|false|null|-?0|NaN|\x22\x22|\x27\x27)/Rsi"; classtype:attempted-user; sid:2019730; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_11_18, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET SCAN DominoHunter Security Scan in Progress"; flow:established,to_server; http.user_agent; content:"DominoHunter"; nocase; depth:12; reference:url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html; classtype:web-application-attack; sid:2013171; rev:4; metadata:created_at 2011_07_02, updated_at 2020_10_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern; classtype:trojan-activity; sid:2020091; rev:3; metadata:created_at 2015_01_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yandexbot Request Outbound"; flow:established,to_server; http.user_agent; content:"YandexBot"; depth:9; classtype:trojan-activity; sid:2013254; rev:4; metadata:attack_target Web_Server, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Informational, tag WebCrawler, updated_at 2020_10_13, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Android RCE via XSS and Play Store XFO"; flow:from_server,established; file_data; content:"|5c|u00"; byte_test:2,<,0x21,0,relative,string,hex; content:"javascript|3a|"; nocase; within:11; distance:2; content:"/store/apps/details?id="; nocase; fast_pattern; reference:url,1337day.com/exploit/22581; reference:cve,2014-6041; reference:url,github.com/rapid7/metasploit-framework/commit/7f2add2ce30f33e7787310d7abcb1781e8ea8f43; classtype:attempted-user; sid:2020393; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_02_11, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-10-13"; flow:established,to_client; content:"|0d 0a 0a|<!doctype|20|"; http.stat_code; content:"200"; file.data; content:".lollol|20|{|0d 0a|"; fast_pattern; content:"|20|chase logo|22|></div>|0d 0a|"; classtype:social-engineering; sid:2031010; rev:1; metadata:created_at 2020_10_13, former_category PHISHING, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file_data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (MSDN Query Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"&ac="; content:!"&refinement="; content:"/Search/en-US?query="; content:"&pgArea=header"; distance:150; endswith; content:!"."; pcre:"/^\/Search\/en-US\?query=[a-z]{200,400}&pgArea=header$/"; http.header; content:"|0d 0a|Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|"; fast_pattern; http.cookie; content:"MUID="; depth:5; content:"|3b|"; distance:32; within:1; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032747; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:4; metadata:created_at 2015_12_05, former_category CURRENT_EVENTS, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding)"; flow:to_server,established; http.user_agent; content:"AskPartner"; depth:10; classtype:trojan-activity; sid:2012734; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_04_28, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Metasploit Browser Autopwn Aug1 2016"; flow:established,from_server; file_data; content:"|65 78 70 6c 6f 69 74 4c 69 73 74 2e 73 70 6c 69 63 65|"; nocase; fast_pattern; content:"|73 65 74 54 69 6d 65 6f 75 74 28 22 6c 6f 61 64 45 78 70 6c 6f 69 74 28 29 22|"; nocase; classtype:attempted-admin; sid:2023014; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (BlackSun)"; flow:to_server,established; http.user_agent; content:"BlackSun"; nocase; depth:8; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008983; classtype:trojan-activity; sid:2008983; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:social-engineering; sid:2023080; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_18, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Toata Scanner User-Agent Detected"; flow:to_server,established; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Toata dragostea|20|"; depth:16; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/2009159; classtype:attempted-recon; sid:2009159; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Safari UXSS (CVE-2017-7089)"; flow:from_server,established; file_data; content:"parent-tab://"; fast_pattern; content:"open"; pcre:"/\b(?P<varname>[^\s\x3d]+)\s*\x3d\s*open\s*\x28\s*[^\x29]+parent-tab:\/\/.+(?P=varname)\s*\.\s*document\s*\.\s*body\s*.\s*innerHTML\s*=/si"; reference:cve,2017-7089; classtype:attempted-user; sid:2024995; rev:3; metadata:affected_product Safari, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY BSSID Location Lookup via api .mylnikov .org"; flow:established,to_server; http.host; content:"api.mylnikov.org"; fast_pattern; http.uri; content:"/geolocation/wifi?"; content:"&bssid="; distance:0; reference:md5,b666dc5379e31680a5621870210f0619; classtype:bad-unknown; sid:2031008; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Spectre Exploit Javascript"; flow:from_server,established; file_data; content:"0x1000000"; fast_pattern; pcre:"/(?<var1>[^=\s]*)\s*=\s*0x1000000.+?\x28\s*\x28\s*\x28\s*\w+\s*<<\s*12\s*\x29\s*\|\s*0\s*\x29\s*\+\s*(?P=var1)\s*\x29\s*\|\s*0/s"; reference:cve,2017-5753; reference:cve,2017-5715; reference:url,github.com/cgvwzq/spectre; classtype:attempted-user; sid:2025188; rev:6; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2018_01_09, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Instagram Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"<title>Copyright|20 7c 20|Help Instagram"; fast_pattern; content:"<form method=|22|post|22 20|action=|22|"; distance:0; content:".php|22|"; within:50; classtype:social-engineering; sid:2031003; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT VBscript UAF (CVE-2018-8373)"; flow:to_client,established; file_data; content:"vbscript"; nocase; content:"class_initialize"; nocase; fast_pattern; content:"<script "; nocase; content:"Redim"; nocase; content:"private"; nocase; pcre:"/^\s+sub\s+class_initialize\b(?:(?!end\s*sub).)*?\bReDim\s+array\b/Rsi"; content:"Public"; pcre:"/^\s+Default\s+Property\b(?:(?!end\s*property).)*?\bReDim\s+Preserve\s+array\b/Rsi"; reference:cve,2018-8373; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/; classtype:attempted-user; sid:2026411; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Amazon Phishing Landing 2020-10-13"; flow:established,to_client; file.data; content:"Amazon Sign In</title>"; content:"#zwimel {"; distance:0; fast_pattern; classtype:social-engineering; sid:2031004; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_13;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:social-engineering; sid:2021968; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Instagram Phishing Domain"; flow:established,to_server; http.host; content:"lnstagram"; fast_pattern; pcre:"/\.(?:tk|gq|ga|xyz|ml|cf)$/"; classtype:social-engineering; sid:2031005; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"<style"; nocase; pcre:"/^[^>]*?>\s*?form\s*?\{\s*?-ms-behavior\s*?\x3a\s*?url/Rsi"; content:"x-ua-compatible"; nocase; pcre:"/^[\x22\x27]\s*content\s*=\s*[\x22\x27]\s*IE\s*=\s*10/Rsi"; content:"<button"; nocase; content:"<label"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"<optgroup"; nocase; distance:0; content:"<meter"; nocase; distance:0; content:"-ms-behavior"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021709; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_08_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (AskInstallChecker)"; flow:to_server,established; http.method; content:"GET"; http.user_agent; content:"AskInstall"; depth:10; nocase; reference:url,doc.emergingthreats.net/2011225; classtype:policy-violation; sid:2011225; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"finance-usbnc.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029354; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Data Exfil via Telegram"; flow:established,to_server; http.host; bsize:16; content:"api.telegram.org"; http.uri; content:"/sendMessage?chat_id="; content:"text=|0a|"; content:"|20 f0 9f|"; distance:0; content:"*|0a|Date|3a 20|"; distance:0; content:"|0a|System|3a 20|"; content:"|20|Bit)|0a|Username|3a 20|"; reference:md5,00171267979ca2e972336e751a5725b7; reference:url,github.com/LimerBoy/StormKitty; classtype:command-and-control; sid:2031009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"system-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029355; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Login Hosted on Firebasestorage"; flow:established,to_client; http.header; content:"X-GUploader-UploadID|3a 20|"; content:"|0d 0a|x-goog-"; file.data; content:"<title>Sign in to your Microsoft account</title>"; fast_pattern; classtype:social-engineering; sid:2031006; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-issues.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029356; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Windows+NT"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"inztaqram.ga"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029357; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; http.uri; content:"/envia.php"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; nocase; http.request_body; content:"praquem="; fast_pattern; nocase; reference:url,doc.emergingthreats.net/2008256; classtype:command-and-control; sid:2008256; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"bahaius.info"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029358; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping)"; flow:to_server,established; http.user_agent; content:"Installer Ping"; depth:14; classtype:trojan-activity; sid:2013190; rev:5; metadata:created_at 2011_07_05, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"malcolmrifkind.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029359; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (Museon)"; flow:established,to_server; http.user_agent; content:"Museon"; depth:6; reference:url,doc.emergingthreats.net/2006418; classtype:pup-activity; sid:2006418; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"instagram-com.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029360; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> any any (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; http.user_agent; content:"asp2009"; depth:7; endswith; reference:md5,6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"recovery-options.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029361; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (??)"; flow:established,to_server; http.header; content:"User-Agent|3a 20 3f 3f 0d 0a|"; reference:url,doc.emergingthreats.net/2007689; classtype:trojan-activity; sid:2007689; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"accounts-drive.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029362; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WScript/VBScript XMLHTTP downloader likely malicious get?src="; flow:established,to_server; content:"|0d 0a|Request|3a 20|"; nocase; content:"run|0d 0a|"; within:5; http.uri; content:"/get?src="; nocase; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest"; nocase; depth:54; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010838; classtype:trojan-activity; sid:2010838; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"acconut-verify.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029363; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zentom FakeAV Checkin"; flow:established,to_server; http.uri; content:".php?prodclass="; fast_pattern; content:"&coid="; content:"&fff="; content:"&IP="; content:"&lct="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; classtype:command-and-control; sid:2013785; rev:5; metadata:created_at 2011_10_20, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-activities.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029364; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P p2p Related User-Agent (eChanblard)"; flow:to_server,established; http.user_agent; content:"eChanblard"; depth:10; endswith; reference:url,doc.emergingthreats.net/2011232; classtype:trojan-activity; sid:2011232; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"yah00.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029365; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Automated Injection Tool User-Agent (AutoGetColumn)"; flow:established,to_server; http.user_agent; content:"AutoGetColumn"; depth:13; reference:url,doc.emergingthreats.net/2009154; classtype:attempted-recon; sid:2009154; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"service-activity-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029366; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B Connectivity check"; flow:from_client,established; http.method; content:"GET"; http.uri; content:"/search?qu="; fast_pattern; http.header; content:"Content-Length|3a 20|4|0D 0A|"; http.user_agent; content:"Firefox/2.0.0.2"; depth:15; endswith; http.host; content:"www.google.com"; distance:0; bsize:14; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; classtype:trojan-activity; sid:2014173; rev:5; metadata:created_at 2012_01_31, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"skynevvs.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029367; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; http.user_agent; content:"asafaweb.com"; depth:12; endswith; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"drive-accounts.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029368; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; http.uri; content:".com.exe"; fast_pattern; http.user_agent; content:"GetRight/"; depth:9; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:command-and-control; sid:2014290; rev:4; metadata:created_at 2012_02_29, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"cpanel-services.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029369; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Graybird Checkin"; flow:to_server,established; http.uri; content:"/count.asp?mac="; content:"&os="; content:"&av="; http.user_agent; content:"Post"; depth:4; endswith; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:command-and-control; sid:2014365; rev:5; metadata:created_at 2012_02_11, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"two-step-checkup.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029370; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (ld)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008342; classtype:trojan-activity; sid:2008342; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"seisolarpros.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029371; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE General Banker.PWS POST Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"IDMAQUINA="; reference:url,doc.emergingthreats.net/2009127; classtype:command-and-control; sid:2009127; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"phonechallenges-submit.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029372; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bancos/Banker Info Stealer Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; nocase; http.request_body; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; classtype:trojan-activity; sid:2009471; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, malware_family Bancos, tag Banking_Trojan, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"customers-service.ddns.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029373; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"guid="; nocase; content:"ver="; nocase; content:"stat="; nocase; content:"ie="; nocase; content:"os="; nocase; content:"ut="; nocase; content:"cpu="; nocase; fast_pattern; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; endswith; nocase; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; classtype:command-and-control; sid:2009550; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"leslettrespersanes.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029374; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; http.request_body; content:"tipo="; reference:url,doc.emergingthreats.net/2007863; classtype:command-and-control; sid:2007863; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"software-updating-managers.site"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029375; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; http.user_agent; content:"clk_jdfhid"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008399; classtype:command-and-control; sid:2008399; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"niaconucil.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029376; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DMSpammer HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/stat"; content:".php"; pcre:"/\/stat\d+\.php/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Synapse)"; depth:33; endswith; fast_pattern; http.request_body; content:"x|9c|"; reference:url,doc.emergingthreats.net/2008271; classtype:command-and-control; sid:2008271; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"w3-schools.org"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029377; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (MzApp)"; flow:established,to_server; http.user_agent; content:"MzApp"; depth:5; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2009988; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"unirsd.com"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029378; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; http.uri; content:".php?"; content:"mode="; content:"&PartID="; content:"&mac="; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2007913; classtype:command-and-control; sid:2007913; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed Malicious SSL Cert (Charming Kitten Phishing Domain)"; flow:established,to_client; tls.cert_subject; content:"isis-online.net"; fast_pattern; reference:url,blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/; classtype:targeted-activity; sid:2029379; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_02_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID)"; flow:established,to_server; http.user_agent; content:"MSID ["; nocase; depth:6; reference:url,doc.emergingthreats.net/2003590; classtype:trojan-activity; sid:2003590; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam 2020-03-24"; flow:established,to_client; file.data; content:"<title>Microsoft _Official_Support"; classtype:social-engineering; sid:2029733; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_24, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_03_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; http.user_agent; content:"IRC-U v"; depth:7; nocase; reference:url,doc.emergingthreats.net/2003647; classtype:trojan-activity; sid:2003647; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2020-04-10"; flow:established,to_client; file.data; content:"<title>Windows_Official_Support"; nocase; fast_pattern; classtype:social-engineering; sid:2029857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; nocase; content:"&serial="; nocase; content:"ver="; nocase; http.user_agent; content:"WinInetHTTP"; depth:11; endswith; nocase; reference:md5,0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,doc.emergingthreats.net/2009804; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; classtype:trojan-activity; sid:2009804; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029859; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE/ROGUE AV/Security Application Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?url="; nocase; content:"&affid="; fast_pattern; nocase; pcre:"/\?url=[0-9]&affid=[0-9]{5}/i"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows XP)"; depth:46; endswith; nocase; reference:url,doc.emergingthreats.net/2009554; classtype:command-and-control; sid:2009554; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.5 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029861; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (uplovd .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.uplovd.com"; bsize:17; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,b666dc5379e31680a5621870210f0619; classtype:policy-violation; sid:2031018; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT X-Sec Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>X-Sec Shell V."; nocase; fast_pattern; classtype:web-application-attack; sid:2029863; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FraudLoad.aww HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/instlog/?"; nocase; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient"; depth:45; reference:url,doc.emergingthreats.net/2008322; classtype:command-and-control; sid:2008322; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 4.2.5 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029867; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; reference:url,doc.emergingthreats.net/2009455; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 4.2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029869; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fruspam polling for IP likely infected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/automation/n09230945.asp"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|U|3b 20|Linux i686|3b 20|en-US|3b 20|rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0"; depth:85; endswith; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; reference:url,doc.emergingthreats.net/2011072; classtype:trojan-activity; sid:2011072; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Kageyama Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<H1><center>Shell Kageyama</center></H1>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029871; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lost Door Checkin"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"subject=Lost|20|door|20|"; fast_pattern; content:"by|20|OussamiO"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008340; classtype:command-and-control; sid:2008340; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029873; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mac User-Agent Typo INBOUND Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Macintosh|3b|"; depth:23; content:"(KHTML, like Geco,"; distance:0; fast_pattern; reference:url,doc.emergingthreats.net/2008955; classtype:trojan-activity; sid:2008955; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MINI MO Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029875; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Obitel Downloader Request"; flow: established,to_server; http.uri; content:".php?id="; pcre:"/\.php\?id=[0-9a-f]{8}$/"; http.user_agent; content:"ie"; bsize:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T; reference:url,doc.emergingthreats.net/2010244; classtype:trojan-activity; sid:2010244; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>"; fast_pattern; classtype:web-application-attack; sid:2029882; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poebot Related User Agent (SPM_ID=)"; flow:established,to_server; http.user_agent; content:"SPM_ID="; depth:7; nocase; reference:url,doc.emergingthreats.net/2006391; classtype:trojan-activity; sid:2006391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form   method=|20 22|post|22 20|action=|20 22 22|> <input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value="; fast_pattern; classtype:web-application-attack; sid:2029884; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/update?id="; http.header; content:"X-Status|3a|"; content:"X-Size|3a|"; content:"X-Sn|3a|"; fast_pattern; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b|SV1|3b |"; depth:54; endswith; classtype:trojan-activity; sid:2014231; rev:5; metadata:created_at 2012_02_16, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Anonymous Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>AnonyMous SHell</title>"; nocase; fast_pattern; content:"id=|22|pageheading|22|>AnonyMous SHell"; nocase; distance:0; classtype:web-application-attack; sid:2029886; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Minor, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE)"; flow:to_server,established; http.user_agent; content:"Babylon"; depth:7; fast_pattern; reference:md5,54e482d6c0344935115d04b411afdb27; reference:md5,54dfd618401a573996b2b32bdd21b2d4; reference:md5,546888f8a18ed849058a5325015c29ef; reference:url,www.babylon.com; classtype:policy-violation; sid:2012735; rev:9; metadata:created_at 2011_04_28, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mini Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<tr><td>Current Path : <a href=|22|?path=/"; nocase; content:"<tr class=|22|first|22|>"; nocase; distance:0; content:"<td><center>File/Folder Name</center></td>"; nocase; distance:0; content:"<td><center>Size</center></td>"; nocase; distance:0; content:"<td><center>Permissions</center></td>"; nocase; distance:0; content:"<td><center>Options</center></td>"; nocase; distance:0; content:"<td><center><form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; fast_pattern; content:"<td><a href=|22|?filesrc="; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<option value=|22|edit|22|>Edit</option>"; nocase; distance:0; classtype:web-application-attack; sid:2029888; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; http.uri; content:"/search"; content:"?h1="; fast_pattern; content:"&h2="; distance:0; content:"&h3="; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b|"; depth:24; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014174; rev:6; metadata:created_at 2012_01_31, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>password<br><input type=password name=pass style=|22|background-color:whitesmoke|3b|border:1px solid #fff|3b|outline:none|3b|' required>"; content:"<input type=submit name=|22|watching|22 20|value=|22|submit|22 20|style=|22|border:none|3b|background-color:#56ad15|3b|color:#fff|3b|cursor:pointer|3b 22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029890; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (XXX) Often Sony Update Related"; flow:established,to_server; http.user_agent; content:"XXX"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2010157; classtype:not-suspicious; sid:2010157; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag User_Agent, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='submit' style='border:none|3b|background-color:#56AD15|3b|color:#fff|3b|cursor:pointer|3b|'></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029900; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; http.uri; content:"/do/SDM"; nocase; content:"action="; nocase; http.user_agent; content:"AHTTPConnection"; nocase; depth:15; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:7; metadata:created_at 2011_09_28, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form action=|22 22 20|method=|22|post|22|><input type=|22|text|22 20|name=|22|_nv|22|><input type=|22|submit|22 20|value=|22|>>|22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029902; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Fullstuff Initial Checkin"; flow:established,to_server; http.uri; content:"/version.txt?type="; content:"&GUID="; content:"&rfr="; content:"&bgn="; http.user_agent; content:"FULLSTUFF"; depth:9; classtype:command-and-control; sid:2013887; rev:5; metadata:created_at 2011_11_08, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Leaf PHPMailer"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2029904; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (register machine)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/registraMaquina"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014952; rev:5; metadata:created_at 2012_06_23, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Owl PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Owl PHPMailer"; fast_pattern; content:"function stopSending()"; content:"function startSending()"; classtype:web-application-attack; sid:2029906; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Capfire4 Checkin (update machine status)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/updMaqStatus"; http.user_agent; content:"Clickteam"; depth:9; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:command-and-control; sid:2014953; rev:5; metadata:created_at 2012_06_23, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029908; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 1"; flow:established,to_server; urilen:7; http.uri; content:"/plg3.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015458; rev:4; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; classtype:web-application-attack; sid:2029916; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pift Checkin 2"; flow:established,to_server; urilen:7; http.uri; content:"/ext1.z"; fast_pattern; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:command-and-control; sid:2015459; rev:4; metadata:created_at 2012_07_13, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|description|22 20|content=|22|This Mini Shell"; nocase; content:"<meta name=|22|author|22 20|content=|22|An0n 3xPloiTeR"; fast_pattern; distance:0; nocase; classtype:web-application-attack; sid:2029918; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Major, updated_at 2020_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Playtech Downloader Online Gaming Checkin"; flow:to_server,established; http.uri; content:"/client_update_urls.php"; http.user_agent; content:"Playtech|20|"; depth:9; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:command-and-control; sid:2008365; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT WSO 2.6 Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029934; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Peach C++ Library User Agent Outbound"; flow:established,to_server; http.header; content:!"Tree"; within:4; http.user_agent; content:"Peach"; nocase; depth:5; reference:url,www.useragentstring.com/pages/useragentstring.php; reference:url,www.useragentstring.com/Peach1.01_id_12276.php; classtype:attempted-recon; sid:2013056; rev:6; metadata:created_at 2011_06_17, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>DRIV3R KR PRIV8 MAILER"; fast_pattern; nocase; classtype:web-application-attack; sid:2029936; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; http.uri; content:"/data.asp?mydata="; content:"&uid="; content:"&state="; http.user_agent; content:"you"; depth:3; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:command-and-control; sid:2015632; rev:6; metadata:created_at 2012_08_16, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|Description|22 20|content=|22|Mr.Rm19"; nocase; content:">Time On Server : <font color="; nocase; distance:0; content:">Server IP : <font color="; nocase; distance:0; content:">Current Dir : </font><a href="; nocase; distance:0; content:">Mass Deface</a>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029938; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|7.0|3b 20|Windows|20|NT|20|6"; startswith; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,8000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|DNT|0d 0a|Connection|0d 0a|"; startswith; content:"Referer|0d 0a|"; reference:md5,f4b00ffce71b197865071073dec5068d; classtype:trojan-activity; sid:2035077; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>|20 7c 20|Log In|20 7c 20|Power Mailer Inbox"; nocase; content:"</a>Welcome To Power Mailer Inbox"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029940; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Free File Hosting Service (api .anonfiles .com))"; flow:established,to_client; tls.cert_subject; content:"CN=api.anonfiles.com"; bsize:20; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; bsize:52; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:policy-violation; sid:2031019; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>F. Mortolino</title>"; nocase; content:"MortoLino - mode*SPAMMER"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029942; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Web.App Hosted Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.host; content:".web.app"; isdataat:!1,relative; fast_pattern; http.request_body; content:"password="; depth:9; nocase; classtype:credential-theft; sid:2031011; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>GwEx Mailer"; nocase; fast_pattern; content:">GwEx Mailer </font>"; nocase; distance:0; classtype:web-application-attack; sid:2029944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Chase Phish 2020-10-14"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; content:"&passid="; distance:0; fast_pattern; content:"&Token="; distance:0; pcre:"/^userid=[^&]*&passid=[^&]*&Token=$/"; classtype:credential-theft; sid:2033007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>W0rmVps PRIV8 MAILER"; nocase; fast_pattern; classtype:web-application-attack; sid:2029946; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StormKitty Exfil via AnonFiles"; flow:established,to_server; http.start; content:"POST /upload?token=43a7df2f0395152e HTTP/1.1|0d 0a|Content-Type|3a 20|multipart/form-data|3b|"; startswith; fast_pattern; http.host; content:"api.anonfiles.com"; bsize:17; reference:md5,74d2206a0f29c6d975cba20028284ca2; classtype:command-and-control; sid:2031020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family StormKitty, performance_impact Low, signature_severity Major, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>SMTP Mailer</title>"; nocase; fast_pattern; content:">Inbox SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2029948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Malware CnC Hosted on 000webhostapp - POST to gate.php"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; isdataat:!1,relative; http.host; content:".000webhostapp.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2031013; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer Inbox"; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2029950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Major, updated_at 2020_04_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; http.uri; content:"/data.php?action="; nocase; content:"&online="; distance:0; content:"&m="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Dalvik/"; depth:7; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2013_02_05, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_10_14, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt"; flow:established,to_server; http.uri; content:"/mfc71"; nocase; pcre:"/^[a-z]{2,3}\.dll/Ri"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=23601; reference:url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx; reference:bid,42681; reference:cve,2010-3148; classtype:attempted-user; sid:2013322; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"6."; depth:2; pcre:"/^6\.[0-2]\x20\d\d\x3a\d\d\x20/i"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016433; rev:5; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Apache DDos UA Observed (DDos Apache) Inbound"; flow:established,to_client; http.header; content:"User-Agent|3a 20|DDos Apache"; classtype:attempted-dos; sid:2029984; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_21, deployment Perimeter, signature_severity Major, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"0"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016435; rev:7; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malvertising FlashPost - POST to *.stats"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".stats"; http.request_body; content:"pageURL="; classtype:bad-unknown; sid:2016023; rev:4; metadata:created_at 2012_12_13, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"1"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016436; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"Leaf PHPMailer</title>"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2030015; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; flowbits:set,ET.webc2; http.header; content:"|3a|"; distance:1; within:1; content:"|3a|"; distance:2; within:1; content:"+"; distance:2; within:1; http.user_agent; content:"2"; startswith; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016437; rev:4; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server"; flow:established,to_client; file.data; content:"<title>D3V1l H4X0R Priv8 Shell"; fast_pattern; classtype:web-application-attack; sid:2030017; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; http.uri; content:"?rands="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:command-and-control; sid:2016446; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server"; flow:established,to_client; file.data; content:"Upload File : <input type=|22|file|22 20|name=|22|file|22|"; fast_pattern; nocase; content:">Name</center></td>"; nocase; distance:0; content:">Size</center></td>"; nocase; distance:0; content:">Permissions</center></td>"; nocase; distance:0; content:">Options</center></td>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; classtype:web-application-attack; sid:2030019; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WARP Win32/Barkiofork.A"; flow:established,to_server; http.uri; content:"/s/asp?"; fast_pattern; content:"p=1"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|)"; depth:26; endswith; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:4; metadata:created_at 2013_02_20, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on Compromised External Server"; flow:established,to_client; file.data; content:"title>-:- Stupidc0de Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2030021; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Major, updated_at 2020_04_24;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031014; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; http.uri; content:"/statistic.js?k="; content:"&d="; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017512; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_25, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031015; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption"; flow:established,to_server; http.uri; content:"/Generic/BEX/iexplore_exe/"; content:"/vgx_dll_unloaded/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018434; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031016; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Microsoft Application Crash Report Indicates Potential VGX Memory Corruption 2"; flow:established,to_server; http.uri; content:"/StageOne/iexplore_exe/"; content:"/vgx_dll/"; fast_pattern; http.host; content:"watson.microsoft.com"; startswith; reference:url,community.websense.com/blogs/securitylabs/archive/2014/04/28/cve-2014-1776-using-crash-reports-to-find-possible-exploited-vulnerabilities.aspx; reference:url,www.websense.com/assets/reports/websense-crash-report-en.pdf; reference:cve,2014-1776; classtype:attempted-user; sid:2018436; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_04_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031017; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030059; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-DIV UA"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer Exelon|20|"; depth:35; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:command-and-control; sid:2016454; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"SCRIPT MAILER INBOX"; content:">SMTP Login:</font></div>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030061; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; http.user_agent; content:"IPHONE"; depth:6; pcre:"/^IPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/i"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016461; rev:6; metadata:created_at 2011_06_28, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<form method=post style=|22|font-family:fantasy|3b 22|>"; content:"Password: <input type=password name=pass style=|22|background-color|3a|whitesmoke|3b|border|3a|1px solid #FFF|3b 22|><input type=submit value='>>' style=|22|border|3a|none|3b|background-color|3a|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030065; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_04_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-RAVE UA"; flow:established,to_server; http.user_agent; content:"HTTP Mozilla/5.0(compatible+MSIE)"; depth:33; endswith; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:command-and-control; sid:2016458; rev:5; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Genol Shell"; nocase; fast_pattern; content:"><b>Uname|20 3a 20|Linux|20|"; nocase; distance:0; classtype:web-application-attack; sid:2030073; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_05_01, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO)"; flow:established,to_server; http.user_agent; content:"DEMO"; nocase; depth:4; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016886; rev:4; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title> Mailer Created By"; nocase; fast_pattern; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|Enviar|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP)"; flow:established,to_server; http.user_agent; content:"UPHTTP"; nocase; depth:6; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016887; rev:7; metadata:created_at 2013_05_21, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>alexusMailer 2.0</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bifrose/Cycbot Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sv="; fast_pattern; content:"&tq="; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/i"; http.user_agent; content:"chrome/9.0"; depth:10; classtype:command-and-control; sid:2013795; rev:11; metadata:created_at 2011_10_24, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server"; flow:established,to_client; file.data; content:"---------0nline Inf0---------------"; nocase; fast_pattern; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:web-application-attack; sid:2030079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Blackbeard Downloader"; flow:established,to_server; http.uri; content:"/load"; content:"p="; content:"&t="; pcre:"/[\?&]p=\d&t=\d(&|$)/"; http.user_agent; content:"IE"; depth:2; endswith; fast_pattern; reference:md5,2f6f13eced7fce495168059530246d77; reference:url,blog.avast.com/2014/01/15/win3264blackbeard-pigeon-stealthiness-techniques-in-64-bit-windows-part-1/; classtype:trojan-activity; sid:2018110; rev:7; metadata:created_at 2014_01_23, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Stolen Credentials Accessed on External Server"; flow:established,to_client; file.data; content:">E-MAIL INFORMATION</font> ]-_-_-_-_-_-_-"; nocase; fast_pattern; content:">INFO VICTIM</font> ]-_-_-_-_-_-_-"; nocase; distance:0; classtype:web-application-attack; sid:2030081; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Ping"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/history/"; fast_pattern; depth:9; content:".asp"; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Cpanel Cracker Accessed on External Server"; flow:established,to_client; file.data; content:"<title>HEx CPanel Cracker"; nocase; fast_pattern; content:"<strong>CPanelCracker Script"; nocase; distance:0; classtype:web-application-attack; sid:2030083; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot PUT File Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/docs/name="; fast_pattern; depth:11; pcre:"/^\x2fdocs\x2fname\x3d\x2f[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018549; rev:5; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Pro Mailer V2</title>"; nocase; classtype:web-application-attack; sid:2030085; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Major, updated_at 2020_05_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Command Status Message"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tech/s.asp?m="; fast_pattern; depth:14; pcre:"/^\x2ftech\x2fs\x2easp\x3fm\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018548; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid"; flow:established,to_server; http.uri; content:"/baby.mid"; reference:cve,2012-0003; classtype:trojan-activity; sid:2014207; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_02_07, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Initial Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manage/asp/item.asp?id="; fast_pattern; depth:24; pcre:"/^\x2fmanage\x2fasp\x2fitem\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26mux\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018550; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_05_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot GET File Data Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/article/30441/Review.asp?id="; fast_pattern; depth:29; pcre:"/^\x2farticle\x2f30441\x2fReview\x2easp\x3fid\x3d[A-Za-z0-9+_-]+\x26\x26data\x3d[A-Za-z0-9+_-]+$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018551; rev:6; metadata:created_at 2014_06_09, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic PHP Uploader Accessed on External Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030212; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XPSecurityCenter FakeAV Checkin"; flow:to_server,established; http.uri; content:"/XPSecurityCenter/"; http.user_agent; content:"Internet Explorer 6.0"; depth:21; endswith; reference:md5,1c5eb2ea27210cf19c6ab24b7cc104b9; classtype:command-and-control; sid:2018761; rev:5; metadata:created_at 2012_07_14, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Witch3r Mini Shell"; nocase; fast_pattern; content:"Mini-Shell</h1></font>"; nocase; distance:0; classtype:web-application-attack; sid:2030218; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Major, updated_at 2020_05_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon.DF Checkin"; flow:to_server,established; urilen:7; http.uri; content:"/ip.txt"; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:command-and-control; sid:2018762; rev:5; metadata:created_at 2012_07_14, former_category MALWARE, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Evil Redirector Sep 29 2015"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/snitch?default|5f|keyword="; depth:24; fast_pattern; content:"&referrer="; distance:0; content:"&se_referrer="; distance:0; content:"&source="; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2020_06_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grendel Web Scan - Default User Agent Detected"; flow:to_server,established; threshold: type limit, track by_dst, count 1, seconds 60; http.header; content:"http|3a|//www.grendel-scan.com"; nocase; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Grendel-Scan"; nocase; depth:37; fast_pattern; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009480; classtype:attempted-recon; sid:2009480; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Email Spoofing Tool Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Email Spoofer"; content:"id=|22|title|22|>Email Spoofer"; content:"id=|22|from|22 20|placeholder=|22 20|Email Spoofed"; content:"id=|22|name|22 20|placeholder=|22|Name Spoofed"; content:"var mailist = $(|22|#to|22|).val().split("; classtype:web-application-attack; sid:2030247; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_03, deployment Perimeter, signature_severity Major, updated_at 2020_06_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; http.user_agent; content:"czxt2s"; nocase; depth:6; endswith; reference:url,doc.emergingthreats.net/2011174; classtype:web-application-attack; sid:2011174; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_10_14;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Cushion Redirection"; flow:established,to_server; http.uri; content:"/index.php?"; content:"="; distance:1; within:1; content:!"=aHR0"; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2030249; rev:7; metadata:created_at 2013_10_02, former_category CURRENT_EVENTS, updated_at 2020_06_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; http.uri; content:"backupdata"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012286; rev:7; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; http.uri; content:"/api/hook/decodeArguments"; nocase; content:"arguments="; nocase; content:"|7b|"; distance:0; content:"|3a|"; distance:0; content:"|3b|"; distance:0; content:"free_result"; nocase; distance:0; reference:url,blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html; classtype:attempted-admin; sid:2022039; rev:3; metadata:created_at 2015_11_05, former_category CURRENT_EVENTS, updated_at 2020_06_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; http.uri; content:"backup_data"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012287; rev:6; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>anaLTEAM"; nocase; fast_pattern; content:"name=|22|command|22 20|value=|22|Crotz|22|"; nocase; distance:0; content:"value=|22|Upload Bos"; nocase; distance:0; classtype:web-application-attack; sid:2030318; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:to_server,established; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/";  reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:6; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>b374k"; nocase; fast_pattern; content:"class='inputz' type='password"; nocase; distance:0; content:"class='inputzbut' type='submit'"; nocase; distance:0; classtype:web-application-attack; sid:2030320; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|.NET CLR 1.1.2150)"; depth:69; endswith; fast_pattern; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:8; metadata:created_at 2012_05_29, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title> By Gentoo"; nocase; fast_pattern; content:"<h2>Gentoo @ MyHack"; nocase; distance:0; content:"function ChMod(chdir, file) {var o = prompt('Chmod:"; nocase; distance:0; classtype:web-application-attack; sid:2030322; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; http.user_agent; content:"BOT/0.1 (BOT for JCE)"; depth:21; classtype:web-application-attack; sid:2016032; rev:5; metadata:created_at 2012_12_14, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form></pre>"; fast_pattern; classtype:web-application-attack; sid:2030324; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent (DownloadNetFile)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"DownloadNetFile"; depth:15; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008344; classtype:trojan-activity; sid:2008344; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form|20 20 20|method=|20 22|post|22 20|action=|20 22 22|>|20|<input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value=|20 22|&gt|3b 22|/>"; fast_pattern; classtype:web-application-attack; sid:2030326; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Brontok User-Agent Detected (Rivest)"; flow:established,to_server; http.user_agent; content:"Rivest"; depth:6; endswith; nocase; reference:md5,c83b55ab56f3deb60858cb25d6ded8c4; classtype:trojan-activity; sid:2020179; rev:4; metadata:created_at 2015_01_13, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<h1>PAYLEETS - TESTER"; fast_pattern; nocase; content:">Check  Mailling ..</font>"; nocase; distance:0; content:"type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030328; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Major, updated_at 2020_06_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS Bittorrent User-Agent inbound - possible DDOS"; flow:established,to_server; threshold: type both, count 1, seconds 60, track by_src; http.user_agent; content:"Bittorrent"; depth:10; reference:url,torrentfreak.com/zombie-pirate-bay-tracker-fuels-chinese-ddos-attacks-150124/; classtype:attempted-dos; sid:2020702; rev:4; metadata:created_at 2015_03_18, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Predator the Thief Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Predator The Thief"; fast_pattern; nocase; content:"<form method=|22|POST|22 20|class=|22|sign-box|22|"; nocase; distance:0; content:"<input type=|22|text|22 20|class=|22|form-control|22 20|name=|22|login|22 20|value=|22 22 20|placeholder="; nocase; distance:0; content:"<input type=|22|password|22 20|class=|22|form-control|22 20|name=|22|password|22 20|placeholder="; nocase; distance:0; classtype:web-application-attack; sid:2030446; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, signature_severity Major, updated_at 2020_07_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"spShopId="; content:"&spShopPaymentId="; fast_pattern; distance:0; content:"&spCurrency="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020827; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<h1>PAYLEETS - TESTER"; fast_pattern; nocase; content:">Check  Mailling ..</font>"; nocase; distance:0; content:"type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030329; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Critical, updated_at 2020_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Payment Info 2"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"action=showPaymentForm&"; fast_pattern; content:"psAgreement="; distance:0; content:"&paymentSystemId="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:trojan-activity; sid:2020828; rev:4; metadata:created_at 2015_04_02, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_06, deployment Perimeter, signature_severity Major, updated_at 2020_07_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xoxofuck.cyou"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT FiercePhish Password Prompt Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FiercePhish"; fast_pattern; content:"/fiercephish_logo.png|22 20|alt=|22|FiercePhish"; content:"placeholder=|22|Username|22|"; content:"<input type=|22|password|22|"; classtype:web-application-attack; sid:2030498; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Minor, updated_at 2020_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LockScreen.BW Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|11.0)"; depth:37; http.request_body; content:"locker_ver="; fast_pattern; content:"&i_firstboot="; distance:0; content:"&harddiskserial="; distance:0; http.referer; content:"http|3a|//mysticnews.ru"; startswith; reference:md5,c74d4633e0593879d5e1321d9021e708; classtype:command-and-control; sid:2020829; rev:4; metadata:created_at 2015_04_02, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=|22|POST|22|>|0d 0a|"; content:"Password|3a 0d 0a|"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|auth|22 20|value=|22|"; distance:0; content:"<input type=|22|password|22 20|name=|22|password|22|>|0d 0a|"; distance:0; content:"<input type=|22|submit|22 20|value=|22|>>|22|>|0d 0a|"; fast_pattern; distance:0; classtype:web-application-attack; sid:2030500; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Major, updated_at 2020_07_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 Fake Mozilla UA"; flow:established,to_server; http.user_agent; content:"Moziea/"; depth:7; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020901; rev:4; metadata:created_at 2015_04_14, former_category MALWARE, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"name=|22|author|22 20|content=|22|Mr.IN130X"; content:"Mini Shell</title>"; fast_pattern; classtype:web-application-attack; sid:2030535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Major, updated_at 2020_07_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"flathommy.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|"; content:"type=submit name='watching' value='submit' style='border|3a|none|3b|background-color|3a|#"; fast_pattern; classtype:web-application-attack; sid:2030537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Major, updated_at 2020_07_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"minishtab.cyou"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031023; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>"; content:"Password: <input type=password name=pass><input type=submit value='>>'>"; fast_pattern; classtype:web-application-attack; sid:2030539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Major, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zacom/NFlog HTTP POST Fake UA CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|29 |"; depth:69; endswith; fast_pattern; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020925; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"cmd{background-color|3a|"; content:"SCROLLBAR-DARKSHADOW-COLOR|3a|"; distance:0; content:"<body style=|22|FILTER|3a 20|progid|3a|DXImageTransform.Microsoft.Gradient("; distance:0; content:"gradientType=0,startColorStr="; content:"<input name='envlpass' type='password'"; fast_pattern; classtype:web-application-attack; sid:2030541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FormerFirstRAT HTTP POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"|3a|443|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322)"; depth:69; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/; classtype:command-and-control; sid:2020926; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>:: Mailer Inbox"; fast_pattern; content:"document.getElementById(|22|emails|22|"; distance:0; content:"document.getElementById(|22|txtml|22|"; distance:0; classtype:web-application-attack; sid:2030543; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ldrpeset.casa"; bsize:13; fast_pattern; classtype:domain-c2; sid:2031024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"Priv8 (Mailer Inbox Sender"; distance:0; content:"SMTP SETUP</font>"; distance:0; classtype:web-application-attack; sid:2030545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?"; content:"localip="; distance:0; content:"&macaddr="; distance:0; content:"&program="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; fast_pattern; reference:md5,9bfae378e38f0eb2dfff87fffa0dfe37; classtype:trojan-activity; sid:2021100; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Cpanel Cracker Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">CPANEL CRACKER</font><font color="; fast_pattern; content:"color=white>--==[[Greetz to]]==--"; distance:0; content:"####### Coded By"; distance:0; classtype:web-application-attack; sid:2030553; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_17, deployment Perimeter, signature_severity Major, updated_at 2020_07_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Dropper Installing PUP 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ohupdate.php?program="; content:"&q="; distance:0; http.user_agent; content:"Mozilla/4.0"; fast_pattern; bsize:11; classtype:trojan-activity; sid:2021101; rev:4; metadata:created_at 2015_05_15, updated_at 2020_10_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT ALFA TEaM Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"ALFA TEaM Shell"; nocase; fast_pattern; pcre:"/^\s*\-\s*/R"; classtype:web-application-attack; sid:2029865; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_17;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed IcedID CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"smalleryurta.club"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031025; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, malware_family IcedID, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_14;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing 2016-07-21 M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern; nocase; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; classtype:social-engineering; sid:2022980; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_21, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Deep Panda User-Agent"; flow:established,to_server; http.header; content:!"Host|3a 20|iecvlist.microsoft.com"; http.user_agent; content:"Mozilla/4.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|29 |"; depth:158; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,5acc539355258122f8cdc7f5c13368e1; classtype:trojan-activity; sid:2020380; rev:5; metadata:created_at 2015_02_06, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Server"; flow:established,to_client; file.data; content:"<title>[ RC-SHELL v"; nocase; fast_pattern; classtype:web-application-attack; sid:2030590; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ispen BADNEWS Fake User-Agent"; flow:established,to_server; http.user_agent; content:"UserAgent|3a|Mozilla/5.0(Windows|20|"; depth:30; fast_pattern; reference:md5,f974bb8a5b5220a061cb92a16fc6a1c6; reference:url,unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/; classtype:targeted-activity; sid:2030361; rev:4; metadata:created_at 2016_06_03, former_category MALWARE, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Password Prompt Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|0d 0a 09|<form method=|22|POST|22|>|0d 0a 09 09|Password|3a 20 0d 0a 09 09|"; nocase; content:"name=|22|password|22|>|0d 0a 09 09|<input type=|22|submit|22 20|value=|22|>>|22|>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030592; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Swrort.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; pcre:"/^\/[A-Za-z0-9-_]{30,}\/$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.1|3b 20|Windows NT|29 |"; depth:46; endswith; http.request_body; content:"RECV"; depth:4; fast_pattern; reference:md5,61dacbf1fc20af3afdc432a0dd78eaf3; reference:md5,a3ef217825ce310c41e6edaee2db5eb9; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32/Swrort.A; classtype:command-and-control; sid:2019841; rev:5; metadata:created_at 2014_12_03, former_category MALWARE, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Website Ransomnote Accessed on External Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030595; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (USERAGENT)"; flow:to_server,established; http.user_agent; content:"USERAGENT"; nocase; depth:9; endswith; reference:md5,cd0e98508657b208219d435f9ac9d76c; reference:md5,cd100abc8eedf2119c7e6746975d7773; classtype:trojan-activity; sid:2034066; rev:7; metadata:created_at 2011_11_22, former_category USER_AGENTS, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (err.mp3) 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2023055; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious UA Mozilla / 4.0"; flow:to_server,established; http.host; content:!"captive.apple.com"; endswith; content:!".google.com"; endswith; http.user_agent; content:"Mozilla / 4.0"; nocase; bsize:13; classtype:trojan-activity; sid:2013964; rev:6; metadata:created_at 2011_11_23, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (msg.mp3) 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2023056; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Xmaker)"; flow:to_server,established; http.user_agent; content:"Xmaker"; depth:6; reference:url,www.pcapanalysis.com/tag/trickster-google-drive-malware-trojan-pcap-file-download-traffic-sample/; classtype:trojan-activity; sid:2023746; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_17, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:social-engineering; sid:2023057; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; http.user_agent; content:"build"; depth:5; pcre:"/^build\d/"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 2016-08-12"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:social-engineering; sid:2023058; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; http.user_agent; content:"Jcomers Bot"; nocase; depth:11; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011285; rev:8; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_10_15;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M1 2016-09-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:social-engineering; sid:2023235; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (Unknown)"; flow:to_server,established; http.user_agent; content:"Unknown"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007991; classtype:trojan-activity; sid:2007991; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M2 2016-09-15"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:social-engineering; sid:2023236; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_07_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0+(compatible|3b|+MSIE+/"; depth:31; fast_pattern; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:16; metadata:created_at 2010_07_30, former_category INFO, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030609; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Metafisher/Goldun User-Agent (z)"; flow:to_server,established; http.user_agent; content:"z"; depth:1; endswith; reference:url,doc.emergingthreats.net/2002874; classtype:trojan-activity; sid:2002874; rev:17; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"Warning|3a|"; nocase; distance:0; fast_pattern; content:"Call Microsoft"; nocase; classtype:social-engineering; sid:2023751; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinXP Pro Service Pack 2)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"WinXP Pro Service Pack"; depth:22; reference:url,doc.emergingthreats.net/2003586; classtype:trojan-activity; sid:2003586; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Microsoft Official Support"; nocase; fast_pattern; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:social-engineering; sid:2023889; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent outbound (bot)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"bot/"; depth:4; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003622; classtype:trojan-activity; sid:2003622; rev:15; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?model="; nocase; content:"&brand="; nocase; distance:0; content:"&osversion="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&voluumdata=BASE64"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024033; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_03_06, deployment Internet, former_category CURRENT_EVENTS, malware_family Fake_Alert, signature_severity Minor, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; http.user_agent; content:"Rescue/9.11"; depth:11; reference:url,doc.emergingthreats.net/2003645; classtype:trojan-activity; sid:2003645; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>System Virus Alert"; nocase; fast_pattern; content:"|3a|-webkit-full-screen"; nocase; distance:0; classtype:social-engineering; sid:2024042; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTPTEST) - Seen used by downloaders"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"PlayStation"; http.user_agent; content:"HTTPTEST"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2003927; classtype:trojan-activity; sid:2003927; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File Download Flowbit Set"; flow:established,to_client; flowbits:set,et.http.hta; flowbits:noalert; http.content_type; content:"application/hta"; fast_pattern; startswith; classtype:not-suspicious; sid:2024195; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Snatch-System)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Snatch-System"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2003930; classtype:trojan-activity; sid:2003930; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office UA FB SET"; flow:established,to_server; flowbits:set,Office.UA; flowbits:noalert; http.user_agent; content:"Microsoft Office"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024225; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Ms)"; flow:established,to_server; http.user_agent; content:"Ms"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; classtype:trojan-activity; sid:2003933; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<form method=post><input type=password name=ps><input type=submit value='>>'></form>"; classtype:web-application-attack; sid:2030660; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; http.user_agent; content:"ExampleDL"; depth:9; reference:url,doc.emergingthreats.net/2004440; classtype:trojan-activity; sid:2004440; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password<br><input type=password name=pass"; nocase; content:"background-color|3a|whitesmoke|3b|border"; distance:0; content:"type=submit name='watching' value='Login'"; distance:0; fast_pattern; classtype:web-application-attack; sid:2030662; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, signature_severity Major, updated_at 2020_08_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS KKtone Suspicious User-Agent (KKTone)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"KKTone"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2004443; classtype:trojan-activity; sid:2004443; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT BeEF HTTP Get Outbound"; flow:to_server,established; threshold: type limit, track by_src, seconds 300, count 1; http.uri; content:".js?BEEFHOOK="; fast_pattern; reference:url,beefproject.com; classtype:attempted-user; sid:2024416; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Dialer-967 User-Agent"; flow:to_server,established; http.user_agent; content:"del"; depth:3; endswith; nocase; reference:url,doc.emergingthreats.net/2006364; classtype:trojan-activity; sid:2006364; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing Jul 19 2017"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"function getSystemInfo"; nocase; distance:0; content:"OnChatTextKeyDown"; nocase; distance:0; fast_pattern; content:"function scrollcheck"; nocase; distance:0; content:"function callconv"; nocase; distance:0; content:"function istyping"; nocase; distance:0; content:"function dochat"; nocase; distance:0; classtype:social-engineering; sid:2024480; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Phishing, updated_at 2020_08_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MYURL)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"MYURL"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2006365; classtype:trojan-activity; sid:2006365; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer VBscript CVE-2014-6332 multiple redim preserve"; flow:to_client,established; http.header_names; content:!"Content-Type|0d 0a|text/xml|0d 0a|"; content:!"Content-Type|0d 0a|application/xml|0d 0a|"; file.data; content:"preserve"; nocase; content:"redim|20|"; nocase; fast_pattern; pcre:"/^\s*?Preserve\s*?(?P<var1>[a-z]\w{0,254}+)\s*?\x28\s*?[^\x29]+?\x29.*?redim\s*?Preserve\s*?(?P=var1)/Rsi"; reference:cve,2014-6332; classtype:attempted-user; sid:2019842; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_12_03, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Matcash or related downloader User-Agent Detected"; flow:established,to_server; http.user_agent; pcre:"/^x\w\wx\w\w\!x\w\wx\w\wx\w\w/"; content:"x"; startswith; reference:url,doc.emergingthreats.net/2006382; classtype:trojan-activity; sid:2006382; rev:12; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 29 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; content:"has been blocked"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2022925; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_06_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; http.user_agent; content:"Windows Updates Manager|7c|"; depth:24; reference:url,doc.emergingthreats.net/2006387; classtype:trojan-activity; sid:2006387; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jul 29 2016"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Google Security"; nocase; fast_pattern; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; classtype:social-engineering; sid:2022992; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2020_08_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent Detected (ld)"; flow:established,to_server; http.user_agent; content:"ld"; depth:2; endswith; reference:url,doc.emergingthreats.net/2006394; classtype:trojan-activity; sid:2006394; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Google Chrome Credential Stealing via SCF file Reflected Request"; flow:to_server,established; http.uri; content:"shell"; nocase; content:"IconFile"; nocase; http.uri.raw; content:"|5c 5c|"; pcre:"/Shell.*%0a\s*IconFile\s*=\s*\x5c\x5c/i"; reference:url,defensecode.com/whitepapers/Stealing-Windows-Credentials-Using-Google-Chrome.pdf; classtype:attempted-recon; sid:2025060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (Mz)"; flow:established,to_server; http.user_agent; content:"Mz"; depth:2; endswith; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; classtype:trojan-activity; sid:2007594; rev:12; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/jpeg/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; classtype:web-application-attack; sid:2008313; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; http.user_agent; content:"Ismazo"; nocase; depth:6; reference:url,doc.emergingthreats.net/2007633; classtype:trojan-activity; sid:2007633; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\x3a\s+image\/gif/i"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; classtype:web-application-attack; sid:2008314; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Server_Applications, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Web_Client_Attacks, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; http.user_agent; content:"WINDOWS_LOADS"; depth:13; reference:url,doc.emergingthreats.net/2007699; classtype:trojan-activity; sid:2007699; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; within:70; classtype:bad-unknown; sid:2015578; rev:3; metadata:created_at 2012_08_07, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm C&C with typo'd User-Agent (Windoss)"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windoss NT"; depth:45; fast_pattern; reference:url,doc.emergingthreats.net/2007742; classtype:trojan-activity; sid:2007742; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; within:85; classtype:trojan-activity; sid:2017301; rev:3; metadata:created_at 2013_08_08, former_category CURRENT_EVENTS, updated_at 2020_08_20;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"netcfg"; depth:6; endswith; reference:url,doc.emergingthreats.net/2007758; classtype:trojan-activity; sid:2007758; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; within:40; classtype:social-engineering; sid:2023239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Tear Application User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Tear Application"; depth:16; endswith; reference:url,doc.emergingthreats.net/2007770; classtype:trojan-activity; sid:2007770; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (1)"; flow:established,from_server; content:"|22|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; within:400; content:!"|22|"; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003326; classtype:attempted-admin; sid:2003326; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Related Trojan User-Agent (kpangupdate)"; flow:established,to_server; http.user_agent; content:"kpangupdate"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007779; classtype:pup-activity; sid:2007779; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Quicktime RTSP Overflow (2)"; flow:established,from_server; content:"|27|rtsp|3a|//"; nocase; isdataat:400,relative; content:!"|0a|"; within:400; content:!"|27|"; within:400; reference:cve,2007-0015; reference:bugtraq,21829; reference:url,doc.emergingthreats.net/2003327; classtype:attempted-admin; sid:2003327; rev:9; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Neonaby.com Related Trojan User-Agent (neonabyupdate)"; flow:established,to_server; http.user_agent; content:"neonabyupdate"; depth:13; endswith; nocase; reference:url,doc.emergingthreats.net/2007825; classtype:trojan-activity; sid:2007825; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Embedded NTLM Hash Theft Code"; flow:established,to_client; file.data; content:"src="; nocase; content:"file|3a 2f 2f 2f 5c 5c|"; distance:0; nocase; fast_pattern; within:10; content:"|5f|C$|5f|"; nocase; within:50; content:"visibility|3a|"; nocase; within:50; content:"hidden"; within:8; content:"src="; pcre:"/^\s*[\x22\x27]\s*file\x3a\x2f\x2f\x2f\x5c\x5c[^\x20]+\x5cC\$\x5c\s*[\x22\x27]/Rsi"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:attempted-user; sid:2029329; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; http.user_agent; content:"WinInet"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007837; classtype:trojan-activity; sid:2007837; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:6; metadata:created_at 2014_09_08, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Possible Trojan Downloader Shell"; flow:established,to_server; http.user_agent; content:"Shell"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007840; reference:url,www.securelist.com/en/blog/434/The_Chinese_bootkit; classtype:trojan-activity; sid:2007840; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:exploit-kit; sid:2019643; rev:4; metadata:created_at 2014_11_04, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kpang.com Related Trojan User-Agent (alertup)"; flow:established,to_server; http.user_agent; content:"alertup"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007849; classtype:trojan-activity; sid:2007849; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:7; metadata:created_at 2015_01_20, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; http.user_agent; content:"Yhrbg"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2007912; classtype:trojan-activity; sid:2007912; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:7; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; http.user_agent; content:"Digital"; depth:7; endswith; nocase; reference:url,doc.emergingthreats.net/2007923; classtype:trojan-activity; sid:2007923; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious SCF File Inbound"; flow:to_client,established; file_data; content:"[shell]"; nocase; content:"iconfile"; nocase; distance:0; pcre:"/^\s*=\s*\x5c\x5c/Rs"; reference:url,defensecode.com/news_article.php?id=21; classtype:attempted-user; sid:2024303; rev:3; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, former_category WEB_CLIENT, performance_impact Moderate, signature_severity Minor, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; http.user_agent; content:"downloaded"; depth:10; endswith; nocase; reference:url,doc.emergingthreats.net/2007924; classtype:trojan-activity; sid:2007924; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible BadRabbit Driveby Download M1 Oct 24 2017"; flow:established,from_server; file_data; content:"InjectionString"; fast_pattern; content:"setRequestHeader"; nocase; pcre:"/^\s*\(\s*[\x22\x27]Content\-Type/Ri"; content:"onreadystatechange"; nocase; distance:0; content:"readyState"; nocase; distance:0; pcre:"/^\s*==\s*4/Ri"; content:"status"; nocase; distance:0; pcre:"/^\s*==\s*200/Ri"; content:"navigator"; nocase; pcre:"/^\s*\.\s*userAgent/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*referrer/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; content:"window"; nocase; pcre:"/^\s*\.\s*location\s*\.\s*hostname/Ri"; content:"document"; nocase; pcre:"/^\s*\.\s*cookie/Ri"; reference:url,www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/; reference:url,www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html; classtype:trojan-activity; sid:2024911; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_and_Server, created_at 2017_10_24, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; http.user_agent; content:"wnames"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2007925; classtype:trojan-activity; sid:2007925; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 1"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:".run"; nocase; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025061; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; http.user_agent; content:"https"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/2008019; classtype:trojan-activity; sid:2008019; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PowerShell call in script 2"; flow:from_server,established; file_data; content:"vbscript"; nocase; content:"shell"; nocase; pcre:"/^\W/Rs"; content:"powershell.exe"; fast_pattern; content:"<script"; pcre:"/^((?!<\/script>).)+?powershell\.exe/Rsi"; classtype:attempted-user; sid:2025062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_27, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (c \windows)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"c|3a 5c|"; depth:3; reference:url,doc.emergingthreats.net/bin/view/Main/2008043; classtype:trojan-activity; sid:2008043; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT SmailMax PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"SmailMax SMTP Mailer</title>"; fast_pattern; content:"SERVER SETUP</font>"; content:"SMTP Login:</font>"; classtype:web-application-attack; sid:2030227; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_28, deployment Perimeter, former_category WEB_CLIENT, signature_severity Critical, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Version 1.23)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Version|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008048; classtype:trojan-activity; sid:2008048; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Check Accessed on External Server"; flow:established,to_client; file.data; content:"Check  Mailling ..<br>"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030063; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Major, updated_at 2020_08_19;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla-web)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla-web"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008084; classtype:trojan-activity; sid:2008084; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2020-08-19"; flow:established,to_client; file.data; content:"opener.location = gourl|3b|"; content:"onbeforeunload=function()"; distance:0; content:"Press ESC, to close this page!"; distance:0; content:"Scanning... <strong>Folders"; distance:0; fast_pattern; content:"Scanning... <strong>Documents"; distance:0; content:"Scanning... <strong>System Files"; distance:0; classtype:social-engineering; sid:2030704; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Minor, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INSTALLER)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INSTALLER"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008096; classtype:trojan-activity; sid:2008096; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2020-08-19"; flow:established,to_client; file.data; content:"<strong>VIRUS ALERT FROM MICROSOFT"; fast_pattern; content:"<b>This computer is BLOCKED"; distance:0; content:"<strong>Microsoft Security"; distance:0; classtype:social-engineering; sid:2030705; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_19, deployment Perimeter, signature_severity Minor, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IEMGR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IEMGR"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008097; classtype:trojan-activity; sid:2008097; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [Deepend Research] BestaBid FakeFlash Redirect"; http.stat_code; content:"302"; http.location; content:"/?pcl="; nocase; content:".&cid="; fast_pattern; nocase; distance:40; pcre:"/^[^\r\n]+\/\?pcl=(?:[a-zA-Z0-9_-]{86}|[a-zA-Z0-9_-]{43})\x2e{1,2}&cid=/i"; reference:url,www.deependresearch.org/2018/02/yaff-yet-another-fake-flash-campaign.html; classtype:bad-unknown; sid:2025374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_21, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag FakeFlash, updated_at 2020_08_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GOOGLE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"GOOGLE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008098; classtype:trojan-activity; sid:2008098; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Volexity - JS Sniffer Data Theft Beacon Detected"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"=WyJ1cmw"; distance:0; fast_pattern; reference:url,www.volexity.com/blog/2018/07/19/js-sniffer-e-commerce-data-theft-made-easy/; classtype:trojan-activity; sid:2025880; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_23, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Stealer, tag c2, updated_at 2020_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (RBR)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"RBR"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008147; classtype:trojan-activity; sid:2008147; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M1 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php?clickid="; fast_pattern; pcre:"/^[a-z0-9]{6,15}$/Ri"; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026474; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Coinminer, tag SocEng, tag CoinMinerCampaign, updated_at 2020_08_26, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Otwycal User-Agent (Downing)"; flow:to_server,established; http.user_agent; content:"Downing"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008159; classtype:trojan-activity; sid:2008159; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M1 (Enable Registration)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin-ajax.php"; http.request_body; content:"action=wpgdprc_"; fast_pattern; content:"users_can_register|22|,|22|value|22 3a 22|1"; distance:0; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026605; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag PrivilegeEsc, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MS Internet Explorer)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"MS Internet Explorer"; depth:20; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008181; classtype:trojan-activity; sid:2008181; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted WordPress GDPR Plugin Privilege Escalation M2 (Set as Administrator)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin-ajax.php"; http.request_body; content:"action=wpgdprc_"; fast_pattern; content:"default_role|22|,|22|value|22 3a 22|administrator"; distance:0; reference:url,www.wordfence.com/blog/2018/11/trends-following-vulnerability-in-wp-gdpr-compliance-plugin/; classtype:attempted-admin; sid:2026606; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag PrivilegeEsc, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (QQ)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|0d 0a|Q-UA|3a 20|"; http.user_agent; content:"QQ"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Attempted RCE in Wordpress Social Warfare Plugin Inbound (CVE-2019-9978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wp-admin/admin-post.php?swp_debug=load_options&swp_url="; fast_pattern; pcre:"/^https?:\/\//R"; reference:url,www.exploit-db.com/exploits/46794; classtype:attempted-admin; sid:2027315; rev:3; metadata:affected_product Wordpress_Plugins, created_at 2019_05_03, cve 2019_9978, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (TestAgent)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"TestAgent"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008208; classtype:trojan-activity; sid:2008208; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible JS Credit Card Stealer Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"Month|3a 20|"; content:"Year|3a 20|"; content:"CVV|3a 20|"; content:"Holder|27 5d 20|===|20|undefined|20 7c 7c 20 24|"; fast_pattern; content:"CVV|20|!==|20|null|20|&&"; distance:0; content:".SendData|28 29|"; classtype:trojan-activity; sid:2027344; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_05_09, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SERVER2_03)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SERVER"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008209; classtype:trojan-activity; sid:2008209; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT JS ShellWindows/AddInProcess Win10 DeviceGuardBypass Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|9BA05972-F6A8-11CF-A442-00A0C90A8F39|7d|"; nocase; fast_pattern; content:"AddInProcess"; content:"|2f|guid|3a|"; distance:0; content:"|2f|pid|3a|"; distance:0; content:"Windows|5c 5c|Microsoft.Net|5c 5c|"; distance:0; classtype:trojan-activity; sid:2027378; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag DeviceGuard, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WinProxy)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WinProxy"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008211; classtype:trojan-activity; sid:2008211; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT XHR POST Request - Possible Form Grabber Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"info="; depth:5; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; content:"&hostname="; distance:0; fast_pattern; content:"&key="; distance:0; http.content_type; content:"application|2f|x-www-form-urlencoded"; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027818; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (sickness29a/0.1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"sickness"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008214; classtype:trojan-activity; sid:2008214; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Adobe Flash Player malware binary requested"; flow:established,to_server; http.uri; content:"&filename=Flash Player|20|"; content:".exe"; classtype:trojan-activity; sid:2017123; rev:5; metadata:created_at 2013_07_09, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (up2dash updater)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"up2dash"; nocase; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008215; classtype:trojan-activity; sid:2008215; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; http.uri; content:"/styles/javaupdate.css"; classtype:trojan-activity; sid:2017845; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_12_13, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NSIS_DOWNLOAD)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"NSIS_DOWNLOAD"; nocase; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008216; classtype:pup-activity; sid:2008216; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; http.uri; content:"windows-firewall.png"; classtype:trojan-activity; sid:2019598; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozilla 1.02.45 biz)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:"|20|biz|0d 0a|"; within:15; http.user_agent; content:"Mozilla|20|"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008231; classtype:trojan-activity; sid:2008231; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Windows Security Warning - png"; flow:established,to_server; http.uri; content:"gp-warning-img.png"; classtype:trojan-activity; sid:2020711; rev:4; metadata:created_at 2015_03_19, former_category CURRENT_EVENTS, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP my247eshop .com User-Agent"; flow:established,to_server; http.user_agent; content:"EShopee"; depth:7; endswith; reference:url,doc.emergingthreats.net/2008243; classtype:pup-activity; sid:2008243; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, updated_at 2020_10_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>*** Security Error Code 0x80070424</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2021255; rev:5; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"IE"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008255; classtype:trojan-activity; sid:2008255; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"isp="; content:"&browser="; distance:0; content:"&browserversion"; distance:0; fast_pattern; content:"&ip="; distance:0; content:"&os="; distance:0; content:"&osversion="; distance:0; classtype:social-engineering; sid:2021367; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Suspicious User-Agent (Nimo Software HTTP Retriever 1.0)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Nimo Software HTTP"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008257; classtype:pup-activity; sid:2008257; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing July 20 2015 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"index.html?city="; fast_pattern; content:"&ip="; distance:0; content:"&isp="; distance:0; http.header_names; content:!"Referer|0d 0a|"; classtype:social-engineering; sid:2021447; rev:4; metadata:created_at 2015_07_20, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (WebForm 1)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WebForm"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008262; classtype:trojan-activity; sid:2008262; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:social-engineering; sid:2022608; rev:4; metadata:created_at 2016_03_09, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (opera)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"opera"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008264; classtype:trojan-activity; sid:2008264; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:social-engineering; sid:2022854; rev:4; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Zilla)"; flow:to_server,established; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Zilla"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008266; classtype:trojan-activity; sid:2008266; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"your-computer-is-locked-"; nocase; fast_pattern; content:"your-computer-is-locked-"; distance:0; nocase; classtype:social-engineering; sid:2022927; rev:4; metadata:created_at 2016_06_29, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keypack.co.kr Related Trojan User-Agent Detected"; flow:established,to_server; http.user_agent; content:"keypack"; depth:7; reference:url,doc.emergingthreats.net/2008339; classtype:trojan-activity; sid:2008339; rev:7; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing (warning.mp3) Jan 24 2017"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"warning.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:social-engineering; sid:2024365; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category WEB_CLIENT, malware_family Tech_Support_Scam, performance_impact Moderate, signature_severity Minor, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (123)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"123"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008343; classtype:trojan-activity; sid:2008343; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M2 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"microsoft official support"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024444; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (angel)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"angel"; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008355; classtype:trojan-activity; sid:2008355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M1 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"security error 0x00759b"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024445; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Accessing)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Accessing"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008361; classtype:trojan-activity; sid:2008361; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M3 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"virus warning alert"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024446; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ISMYIE)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ISMYIE"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008363; classtype:trojan-activity; sid:2008363; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Apple Tech Support Phone Scam Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"official apple support"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024447; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (svchost)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"svchost"; depth:7; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008391; classtype:trojan-activity; sid:2008391; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Tech Support Phone Scam M4 Jul 07 2017"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"windows official support"; nocase; within:50; fast_pattern; classtype:social-engineering; sid:2024448; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Tech_Support_Scam, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ReadFileURL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ReadFileURL"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008400; classtype:trojan-activity; sid:2008400; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M1 Oct 16 2016"; flow:from_server,established; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm="; nocase; content:"Error"; nocase; distance:0; fast_pattern; content:"-"; distance:0; pcre:"/^WWW-Authenticate\x3a\x20Basic\x20realm=[\x22\x27][^\r\n]*Error[^\r\n]*-/mi"; classtype:social-engineering; sid:2024844; rev:5; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (PcPcUpdater)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"PcPcUpdater"; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2008413; classtype:trojan-activity; sid:2008413; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Adobe Software Update Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Adobe - Update"; nocase; fast_pattern; content:"href=|22|flashfiles/"; nocase; distance:0; content:"src=|22|flashfiles/"; nocase; distance:0; content:"function getUrl(url)"; nocase; distance:0; reference:url,www.malware-traffic-analysis.net/2018/07/05/index.html; classtype:trojan-activity; sid:2025715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Inet_read)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Inet_read"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008422; classtype:trojan-activity; sid:2008422; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing 2018-07-18"; flow:established,to_client; http.stat_code; content:"401"; http.header; content:"WWW-Authenticate|3a 20|Basic realm=|22|Microsoft has detected suspicious activity"; fast_pattern; classtype:social-engineering; sid:2025831; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Tech_Support_Scam, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS Agent)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS Agent"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2008423; classtype:trojan-activity; sid:2008423; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M2 2019-04-15"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"createOscillator|28 29|"; content:"createGain|28 29|"; distance:0; content:"|3e|System|20|Warning!|3c 2f|span|3e|"; distance:0; fast_pattern; content:"|3c|b|3e|Windows|20|Version"; distance:0; classtype:social-engineering; sid:2027198; rev:3; metadata:created_at 2019_04_15, former_category WEB_CLIENT, tag Tech_Support_Scam, tag Malvertising, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (CFS_DOWNLOAD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"CFS_DOWNLOAD"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008424; classtype:trojan-activity; sid:2008424; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Mar 30 M2"; dns.query; content:"avirus"; fast_pattern; nocase; isdataat:100,relative; content:!"spotify.com"; classtype:social-engineering; sid:2022691; rev:6; metadata:created_at 2016_03_30, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AdiseExplorer)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"AdiseExplorer"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008427; classtype:trojan-activity; sid:2008427; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain M1 Feb 29"; dns.query; content:"helpdesk"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022575; rev:5; metadata:created_at 2016_03_01, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP Downloader)"; flow: established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HTTP Downloader"; depth:15; reference:url,doc.emergingthreats.net/bin/view/Main/2008428; classtype:trojan-activity; sid:2008428; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M1 Mar 3"; dns.query; content:"errorfound"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022591; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HttpDownload)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HttpDownload"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008429; classtype:trojan-activity; sid:2008429; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M2 Mar 3"; dns.query; content:"unattendedfile"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022592; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Download App)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Download App"; depth:12; reference:url,doc.emergingthreats.net/bin/view/Main/2008440; classtype:trojan-activity; sid:2008440; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Fake AV Phone Scam Domain M3 Mar 3"; dns.query; content:"internetsituation"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022593; rev:5; metadata:created_at 2016_03_03, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Downloader User-Agent (AutoDL\/1.0)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"AutoDL/1.0"; depth:10; endswith; reference:url,doc.emergingthreats.net/2008458; classtype:trojan-activity; sid:2008458; rev:11; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_16;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Possible Fake AV Phone Scam Long Domain Apr 4"; dns.query; content:"callasap"; fast_pattern; nocase; isdataat:100,relative; classtype:social-engineering; sid:2022696; rev:5; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (hacker)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"hacker"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008460; classtype:trojan-activity; sid:2008460; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set"; flow:established,to_server; flowbits:set,ET.ass.request; flowbits:noalert; http.uri; content:".ass"; nocase; reference:url,doc.emergingthreats.net/2010757; classtype:not-suspicious; sid:2010757; rev:8; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieguideupdate)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"ieguideupdate"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008463; classtype:trojan-activity; sid:2008463; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_02_21, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag Web_Client_Attacks, updated_at 2020_09_13;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (adsntD)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"adsntD"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008464; classtype:trojan-activity; sid:2008464; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_16;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; flowbits:set,ET.PROPFIND; flowbits:noalert; http.method; content:"PROPFIND"; nocase; classtype:misc-activity; sid:2011456; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (NULL)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"NULL"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008488; classtype:trojan-activity; sid:2008488; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source)"; flow:established,to_client; http.response_line; content:"HTTP/1.1 405 Method Not Allowed"; depth:31; endswith; nocase; file.data; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010520; classtype:web-application-attack; sid:2010520; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ieagent)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"ieagent"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008494; classtype:trojan-activity; sid:2008494; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (nyoogle .info in DNS Lookup)"; dns.query; content:"nyoogle.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025217; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (antispyprogram)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"antispyprogram"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008495; classtype:trojan-activity; sid:2008495; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (lite-bookmarks .info in DNS Lookup)"; dns.query; content:"lite-bookmarks.info"; nocase; endswith; reference:url,icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025219; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (SUiCiDE/1.5)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"SUiCiDE"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008504; classtype:trojan-activity; sid:2008504; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Malicious Chrome Extension Domain Request (stickies .pro in DNS Lookup)"; dns.query; content:"stickies.pro"; nocase; endswith; reference:url,www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; classtype:trojan-activity; sid:2025218; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"|5c|xa2|5c|xa2HttpClient"; depth:18; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008510; classtype:trojan-activity; sid:2008510; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT PolarisOffice Insecure Library Loading"; flow:to_server; http.method; content:"GET"; http.uri; content:"puiframeworkproresenu.dll"; endswith; reference:cve,2018-12589; classtype:attempted-user; sid:2025792; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category WEB_CLIENT, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (C slash)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.header; content:!"|5c|Citrix|5c|"; content:!"|5c|Panda S"; nocase; content:!"|5c|Mapinfo"; nocase; http.user_agent; content:"C|3a 5c|"; depth:3; fast_pattern; classtype:trojan-activity; sid:2008512; rev:19; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake FlashPlayer Update Leading to CoinMiner M2 2018-10-12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flashplayer_down.php"; fast_pattern; endswith; reference:url,researchcenter.paloaltonetworks.com/2018/10/unit42-fake-flash-updaters-push-cryptocurrency-miners/; classtype:coin-mining; sid:2026475; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Coinminer, tag SocEng, tag CoinMinerCampaign, updated_at 2020_09_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (msIE 7.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"msIE"; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008513; classtype:trojan-activity; sid:2008513; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/upload.cfm?action=upload"; nocase; fast_pattern; endswith; reference:cve,2018-15961; reference:url,volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-user; sid:2026604; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, created_at 2018_11_13, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag CVE_2018_15961, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (AVP2006IE)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"AVP200"; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2008514; classtype:trojan-activity; sid:2008514; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT Possible Confluence SSTI Exploitation Attempt - Leads to RCE/LFI (CVE-2019-3396)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/rest/tinymce/1/macro/preview"; fast_pattern; endswith; http.request_body; content:"|22|contentId|22|"; depth:20; content:"|22|_template|22 3a|"; distance:0; reference:url,packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html; classtype:attempted-admin; sid:2027333; rev:4; metadata:created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (winlogon)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"winlogon"; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2008544; classtype:trojan-activity; sid:2008544; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".connectioncdn.com"; nocase; endswith; classtype:trojan-activity; sid:2028649; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_04, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Internet HTTP Request)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Internet HTTP"; depth:13; reference:url,doc.emergingthreats.net/bin/view/Main/2008564; classtype:trojan-activity; sid:2008564; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; http.uri; content:".js?"; fast_pattern; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/"; classtype:trojan-activity; sid:2017453; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_09_11, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag DriveBy, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Downloader1.2)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Downloader"; depth:10; pcre:"/^Downloader\d+\.\d/"; reference:url,doc.emergingthreats.net/bin/view/Main/2008643; classtype:trojan-activity; sid:2008643; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT DRIVEBY Social Engineering Toolkit JAR Download"; flow:established,to_server; http.uri; content:"/Signed_Update.jar"; nocase; fast_pattern; http.user_agent; content:"Java/1."; reference:url,trustedsec.com/downloads/social-engineer-toolkit/; reference:url,securelist.com/blog/research/66108/el-machete/; classtype:trojan-activity; sid:2018969; rev:5; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_08_20, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, tag DriveBy, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (Compatible)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Compatible"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008657; classtype:trojan-activity; sid:2008657; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030912; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (GetUrlSize)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"GetUrlSize"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008658; classtype:trojan-activity; sid:2008658; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; http.uri; content:".php?id="; fast_pattern; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/"; classtype:trojan-activity; sid:2021552; rev:4; metadata:created_at 2015_07_30, former_category CURRENT_EVENTS, updated_at 2020_10_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (aguarovex-loader v3.221)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"aguarovex-loader v"; depth:18; reference:url,doc.emergingthreats.net/bin/view/Main/2008663; classtype:trojan-activity; sid:2008663; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030942; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"WINS_HTTP_SEND"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2008734; classtype:trojan-activity; sid:2008734; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (checkonline)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"checkonline"; depth:11; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008749; classtype:trojan-activity; sid:2008749; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Kvadrlson 1.0)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Kvadrlson|20|"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2008756; classtype:trojan-activity; sid:2008756; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Kangkio User-Agent (lsosss)"; flow:established,to_server; http.user_agent; content:"lsosss"; depth:6; endswith; reference:url,doc.emergingthreats.net/2008767; classtype:trojan-activity; sid:2008767; rev:7; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (miip)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"miip"; depth:4; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008797; classtype:trojan-activity; sid:2008797; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030953; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Mozil1a)"; flow:established,to_server; threshold:type limit,count 2,track by_src,seconds 300; http.user_agent; content:"Mozil1a"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2008847; classtype:trojan-activity; sid:2008847; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Possible Chrome WebEx Extension RCE Attempt"; flow:to_server,established; http.uri; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=1096; classtype:attempted-user; sid:2023756; rev:4; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Errordigger.com related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"min"; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008912; classtype:trojan-activity; sid:2008912; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; http.content_type; content:"application/hta"; nocase; endswith; fast_pattern; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Mozilla/1.0 (compatible|3b 20|MSIE 8.0|3b|"; depth:34; reference:url,doc.emergingthreats.net/bin/view/Main/2008913; classtype:trojan-activity; sid:2008913; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; http.uri; content:".hta"; nocase; fast_pattern; http.user_agent; content:"Microsoft Office"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category WEB_CLIENT, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_10_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (xr - Worm.Win32.VB.cj related)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"xr"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008914; classtype:trojan-activity; sid:2008914; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031015; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Yandesk)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Yandesk"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008916; classtype:trojan-activity; sid:2008916; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031017; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_10_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent pricers.info related (section)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"sections"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008919; classtype:trojan-activity; sid:2008919; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031027; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HELLO)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"HELLO"; depth:5; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008941; classtype:trojan-activity; sid:2008941; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031029; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (IE/1.0)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"IE/1.0"; depth:6; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008956; classtype:trojan-activity; sid:2008956; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Internet Security Damaged !!! Call Help Desk"; nocase; classtype:social-engineering; sid:2028970; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow:established,to_server; http.user_agent; content:"AV1"; depth:3; endswith; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:11; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Official Windows Notification"; nocase; fast_pattern; content:"Call Windows Technical Support"; nocase; distance:0; classtype:social-engineering; sid:2028971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runUpdater.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runUpdater|2e|html"; depth:15; reference:url,doc.emergingthreats.net/2009355; classtype:trojan-activity; sid:2009355; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic File Upload Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (runPatch.html)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"runPatch|2e|html"; depth:13; reference:url,doc.emergingthreats.net/2009356; classtype:trojan-activity; sid:2009356; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Poker)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"Poker"; depth:5; endswith; nocase; reference:url,vil.nai.com/vil/content/v_130975.htm; reference:url,doc.emergingthreats.net/2009534; classtype:trojan-activity; sid:2009534; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"InHold"; depth:6; endswith; nocase; reference:url,doc.emergingthreats.net/2009544; classtype:trojan-activity; sid:2009544; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".sslproviders.net"; nocase; endswith; classtype:trojan-activity; sid:2029268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (INet)"; flow:established,to_server; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"INet"; depth:4; endswith; reference:url,doc.emergingthreats.net/2009703; classtype:trojan-activity; sid:2009703; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031175; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS User-Agent (STEROID Download)"; flow:established,to_server; http.user_agent; content:"STEROID Download"; nocase; depth:16; endswith; reference:url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10; reference:url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html; reference:url,doc.emergingthreats.net/2009994; classtype:trojan-activity; sid:2009994; rev:10; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; content:">MAILER INBOX SENDING"; distance:0; fast_pattern; classtype:web-application-attack; sid:2031176; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient"; flow:established,to_server; http.user_agent; content:"Mozilla/3.0(compatible|3b 20|TALWinHttpClient)"; depth:41; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2010261; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010261; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; http.content_type; content:"multipart/related"; fast_pattern; startswith; file.data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:6; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Win32.OnLineGames User-Agent (BigFoot)"; flow:to_server,established; http.user_agent; content:"BigFoot"; nocase; depth:7; reference:url,doc.emergingthreats.net/2010678; classtype:trojan-activity; sid:2010678; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:social-engineering; sid:2022697; rev:6; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_11_05;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Nine Ball User-Agent Detected (NQX315)"; flow:established,to_server; http.user_agent; content:"NQX315"; depth:6; endswith; reference:url,doc.emergingthreats.net/2011188; classtype:trojan-activity; sid:2011188; rev:8; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031200; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Artro Downloader User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|wget 3.0|3b 20|rv|3a|5.0) Gecko/20100101 Firefox/5.0"; depth:73; fast_pattern; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:pup-activity; sid:2013184; rev:9; metadata:created_at 2011_07_04, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031203; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (GUIDTracker)"; flow:to_server,established; http.user_agent; content:"GUIDTracker"; depth:11; reference:md5,7a8807f4de0999dba66a8749b2366def; classtype:trojan-activity; sid:2013455; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_08_24, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031204; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_11_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Delphi Trojan Downloader User-Agent (JEDI-VCL)"; flow:established,to_server; http.host; content:!"apexwin.com"; http.user_agent; content:"JEDI-VCL"; depth:8; classtype:trojan-activity; sid:2013559; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud DNS Lookup (count.trackstatisticsss .com)"; dns.query; content:"count.trackstatisticsss.com"; nocase; bsize:27; classtype:bad-unknown; sid:2030099; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (windsoft)"; flow:established,to_server; http.user_agent; content:"WindSoft"; depth:8; endswith; classtype:trojan-activity; sid:2013561; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_12, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud Domain in DNS Lookup (stat.trackstatisticsss .com)"; dns.query; content:"stat.trackstatisticsss.com"; nocase; bsize:26; reference:url,www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/; classtype:bad-unknown; sid:2030118; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Downloader User-Agent (NOPE)"; flow:established,to_server; http.user_agent; content:"N0PE"; depth:4; reference:url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369; reference:url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734; classtype:trojan-activity; sid:2013702; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake 404 With Hidden Login Form"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>404 Not Found</title>"; fast_pattern; depth:28; content:"background-color|3a 23|fff|3b|"; distance:0; content:"<form method=post>"; distance:0; content:"input type=password"; within:50; classtype:trojan-activity; sid:2025872; rev:3; metadata:attack_target Client_and_Server, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot)"; flow:to_server,established; http.user_agent; content:"Aldi Bot"; nocase; depth:8; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013747; rev:7; metadata:created_at 2011_09_24, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FFSniff Inject Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:".type|20|==|20 22|password|22 29|"; nocase; content:"=|20 22|Subject|3a 20 22 20|+|20|"; distance:0; nocase; content:"|20 22 5c|r|5c|n|5c|r|5c|n|22 20|+|20|window.top.content.document.location|20|"; within:150; nocase; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027814; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (NateFinder)"; flow:to_server,established; http.user_agent; content:"NateFinder"; depth:10; classtype:trojan-activity; sid:2013881; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"|27 5c|x61|5c|x57|5c|x35|5c|x75|5c|x5a|5c|x58|5c|x4a|5c|x49|5c|x5a"; within:150; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027815; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (webfile)"; flow:to_server,established; http.user_agent; content:"webfile"; depth:7; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; classtype:trojan-activity; sid:2013883; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"location.href.search|28|atob|28 27|Y"; pcre:"/^[2'][2h'+][2hl'+][2hlY'+][2hlY2'+][2hlY2t'+][2hlY2tv'+][2hlY2tvd'+][2hlY2tvdX'+][2hlY2tvdXQ'+](?:[2hlY2tvdXQ='+]){1,10}/R"; content:"|20|=|20|atob|28 27|aHR0cHM6L"; within:300; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027816; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (DARecover)"; flow:to_server,established; http.user_agent; content:"DARecover"; depth:9; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; classtype:trojan-activity; sid:2013884; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_11_08, deployment Perimeter, former_category TROJAN, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Inbound JS with Possible 1px-1px Exfiltration Image"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"document.createElement|28 22|"; content:".width=|22|1px|22|"; within:30; content:".height=|22|1px|22|"; within:30; content:"atob|28 22|aHR0cHM6Ly9"; within:100; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027817; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0 (compatible- MSIE 6.0- Windows NT 5.1- SV1-|20|"; depth:56; fast_pattern; reference:url,doc.emergingthreats.net/2010868; classtype:bad-unknown; sid:2010868; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M1 2019-04-15"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"alert|28 22|Windows|20|Firewall|20|has|20|detected|20|that|20|your|20|Windows"; fast_pattern; content:"system|20|files|20|are|20|automatically|20|deleted"; within:200; content:"Please|20|follow|20|the|20|instructions"; within:200; classtype:social-engineering; sid:2027197; rev:4; metadata:created_at 2019_04_15, former_category WEB_CLIENT, tag Tech_Support_Scam, tag Malvertising, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet Optimizer User-Agent (ROGUE)"; flow: to_server,established; http.user_agent; content:"ROGUE"; depth:5; reference:url,www.internet-optimizer.com; reference:url,doc.emergingthreats.net/2002405; classtype:pup-activity; sid:2002405; rev:14; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"eval|28|function|28|p,a,c,k,e,r|29|"; depth:26; content:"|20|TASKID|3d|"; distance:0; content:"|20|MAGICNUM|3d|"; within:25; content:"|20|EXECNUM|3d|"; within:25; content:"|20|FEEDBACKADDR|3d|"; within:25; content:"|28 2f|chrome|5c 5c 2f 28 5b 5c 5c 64 5d 2b 29 2f|gi"; distance:0; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027961; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User Agent (_)"; flow:to_server,established; http.user_agent; content:"_"; depth:1; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007942; classtype:trojan-activity; sid:2007942; rev:10; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a"; depth:6; content:"|27 2c|_b"; within:120; content:"|27 2c|_c"; within:120; content:"|2c|TASKID|3d|"; distance:0; content:"|2c|MAGICNUM|3d|"; within:25; content:"|2c|EXECNUM|3d|"; within:25; content:"|2c|FEEDBACKADDR|3d|"; within:25; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:27; within:11; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027962; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat Web Application Manager scanning"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/manager/html"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; content:!"Proxy-Authorization|3a 20|Basic"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; reference:url,doc.emergingthreats.net/2010019; classtype:attempted-recon; sid:2010019; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 27|"; depth:8; content:"|27 2c|_b|3d 27|"; within:120; content:"|27 2c|_c|3d 27|"; within:120; content:"|27 2c|e|3d|"; within:120; content:"|2c|t|3d|"; within:10; content:"|2c|n|3d|"; within:15; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:26; within:12; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027963; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; http.user_agent; content:"Agent"; depth:5; pcre:"/^Agent\d{5,6}$/i"; http.host; content:!"cloud.10jqka.com.cn"; content:!".maxthon.com";  classtype:trojan-activity; sid:2013315; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 22|"; depth:8; content:"|22 2c|_b|3d 22|"; within:120; content:"|22 2c|_c|3d 22|"; within:120; content:"|22 3b|eval|28|function|28 5f 2c|"; within:120; content:"|29 7b|if|28|n|3d|function|28 5f 29 7b|return|28 5f|"; distance:9; within:27; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027964; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ezula Related User-Agent (mez)"; flow: to_server,established; http.user_agent; content:"mez"; nocase; depth:3; endswith; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:pup-activity; sid:2000586; rev:35; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031244; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP YourSiteBar User-Agent (istsvc)"; flow: to_server,established; http.user_agent; content:"istsvc"; nocase; depth:6; endswith; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:pup-activity; sid:2001699; rev:264; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031272; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; http.user_agent; content:"Bundle"; depth:6; reference:url,doc.emergingthreats.net/2001702; classtype:pup-activity; sid:2001702; rev:40; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Java Installer Landing Page Oct 21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; content:"&sid="; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/"; pcre:"/&name=[a-z0-9\x20]+$/i"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2020_12_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 404Search Spyware User-Agent (404search)"; flow:established,to_server; http.user_agent; content:"404search"; depth:9; reference:url,doc.emergingthreats.net/2001852; classtype:pup-activity; sid:2001852; rev:31; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031416; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; http.user_agent; content:"ESB"; depth:3; reference:url,doc.emergingthreats.net/2001853; classtype:pup-activity; sid:2001853; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031430; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EZULA Spyware User Agent"; flow: established,to_server; http.user_agent; content:"ezula"; depth:5; nocase; reference:url,doc.emergingthreats.net/2001854; classtype:pup-activity; sid:2001854; rev:27; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031438; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, signature_severity Major, updated_at 2020_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (Sidesearch)"; flow: established,to_server; http.user_agent; content:"Sidesearch"; depth:10; reference:url,doc.emergingthreats.net/2001869; classtype:pup-activity; sid:2001869; rev:29; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; http.user_agent; content:"TSA/"; depth:4; reference:url,doc.emergingthreats.net/2001871; classtype:pup-activity; sid:2001871; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Attempted Executable Drop via VBScript"; flow:established,to_client; file.data; content:"<SCRIPT Language=VBScript"; nocase; content:"DropFileName"; nocase; within:100; content:".exe"; within:100; nocase; content:"WriteData =|20 22|4D5A"; nocase; within:100; fast_pattern; classtype:trojan-activity; sid:2031508; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP UCMore Spyware User-Agent (EI)"; flow: to_server,established; http.user_agent; content:"EI"; depth:2; endswith; reference:url,doc.emergingthreats.net/2001996; classtype:pup-activity; sid:2001996; rev:18; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031514; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware (Feat)"; flow: to_server,established; http.user_agent; content:"Feat"; nocase; depth:4; pcre:"/^Feat[^\r\n]+(?:Install|Updat)er/i"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:pup-activity; sid:2002160; rev:21; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031607; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, signature_severity Major, updated_at 2021_02_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Hotbar Spyware User-Agent (host)"; flow: to_server,established; http.header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/i"; http.user_agent; content:"host"; nocase; depth:4; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; reference:url,doc.emergingthreats.net/2002164; classtype:pup-activity; sid:2002164; rev:16; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".cdncontentdelivery.com"; nocase; endswith; classtype:trojan-activity; sid:2031612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2021_02_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva User-Agent (TPSystem)"; flow: to_server,established; http.user_agent; content:"TPSystem"; nocase; depth:8; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:pup-activity; sid:2002395; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (9487d)"; flow:established,from_server; http.stat_code; content:"302"; http.cookie; content:"9487d=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2031614; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family KeitaroTDS, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; http.user_agent; content:"Travel Update"; depth:13; endswith; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:pup-activity; sid:2002396; rev:15; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031680; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Context Plus User-Agent (PTS)"; flow: to_server,established; http.user_agent; content:"PTS"; depth:3; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:pup-activity; sid:2002403; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Uploader Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031682; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install)"; flow: to_server,established; http.uri; content:"/checkhttp.htm"; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:pup-activity; sid:2002840; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT APT/Hafnium SPORTSBALL Webshell Observed Outbound"; flow:established,to_client; file.data; content:"<td>logon|3a|<td>"; content:"name=|22|sport|22 20|"; distance:0; content:"<td>cmd|3a|"; distance:0; content:"input|20|name=|22|balls|22 20|"; fast_pattern; content:"name=|22|woods|22|"; content:"name=|22|sky|22|"; reference:md5,1a4ab99bbe9adbe2deb0e4b96d82a955; classtype:web-application-attack; sid:2031812; rev:2; metadata:attack_target Web_Server, created_at 2021_03_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2021_03_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; http.uri; content:"/ping/?shortname="; nocase; http.header; content:"freeze.com"; nocase; http.user_agent; content:"Wise"; nocase; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:pup-activity; sid:2002841; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032006; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, signature_severity Major, updated_at 2021_03_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; http.uri; content:"/checkin.php?"; nocase; content:"unq="; nocase; content:"version="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:pup-activity; sid:2003209; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Best-targeted-traffic.com Spyware Install"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"&pais="; nocase; content:"unq="; nocase; http.user_agent; content:"Opera|20|"; nocase; depth:6; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:pup-activity; sid:2003210; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of Multimedia Content flowbit set"; flow:established,to_client; file_data; content:"|00 00 00|"; depth:3; content:"|66 74 79 70|"; distance:1; within:4; fast_pattern; flowbits:noalert; flowbits:set,ET.Multimedia.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024689; rev:2; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; http.user_agent; content:"Download Agent"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:pup-activity; sid:2003243; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of .MOV Content flowbit set"; flow:established,to_client; file_data; content:"|6D 6F 6F 76|"; distance:4; within:4; flowbits:noalert; flowbits:set,ET.MP4.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024690; rev:2; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; http.user_agent; content:"YourScreen"; depth:10; reference:url,doc.emergingthreats.net/2003405; classtype:pup-activity; sid:2003405; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032088; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; http.user_agent; content:"RX Bar"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003407; classtype:pup-activity; sid:2003407; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032090; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Updater)"; flow:to_server,established; http.user_agent; content:"Updater"; depth:7; endswith; reference:url,doc.emergingthreats.net/2003470; classtype:pup-activity; sid:2003470; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_17;)
+alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Exchange Webshell CnC Domain in DNS Lookup"; dns.query; content:"brian.krebsonsecurity.top"; nocase; bsize:25; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:domain-c2; sid:2032345; rev:1; metadata:created_at 2021_03_29, former_category WEB_CLIENT, updated_at 2021_03_29;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; http.user_agent; content:"ad-protect"; nocase; depth:10; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:pup-activity; sid:2003476; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; http.user_agent; content:"DInstaller"; nocase; depth:10; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:pup-activity; sid:2003477; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032521; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, signature_severity Major, updated_at 2021_04_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; http.user_agent; content:"ERRORNUKER"; nocase; depth:10; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:pup-activity; sid:2003478; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032634; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, signature_severity Major, updated_at 2021_04_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; http.user_agent; content:"MalwareWipe"; nocase; depth:11; endswith; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:pup-activity; sid:2003489; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032738; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; http.user_agent; content:"Mirar_KeywordContent"; nocase; depth:20; endswith; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:pup-activity; sid:2003490; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032740; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ms)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"ms"; depth:2; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:pup-activity; sid:2003497; rev:16; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032774; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; http.user_agent; content:"Sprout Game"; nocase; depth:11; endswith; reference:url,doc.emergingthreats.net/2003498; classtype:pup-activity; sid:2003498; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M1 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>Windows|20|code|20|firewall0x"; fast_pattern; content:".mp3|22 20|type=|22|audio/mpeg|22|"; content:"<span>Windows-Firewall"; classtype:social-engineering; sid:2034203; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; http.user_agent; content:"SpyDawn"; nocase; depth:7; endswith; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:pup-activity; sid:2003499; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M2 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|firewall0x"; fast_pattern; content:"src=|22|virus-scan.png|22|"; content:"<span>Scan|20|quickly"; classtype:social-engineering; sid:2034204; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; http.user_agent; content:"STBHOGet"; nocase; depth:8; endswith; reference:url,doc.emergingthreats.net/2003500; classtype:pup-activity; sid:2003500; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M3 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Scanned|20|items|20|<"; fast_pattern; content:">Threats|20|found<"; content:"<p>Detected|20|items|20|Item<"; classtype:social-engineering; sid:2034205; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; http.user_agent; content:"Alawar Toolbar"; nocase; depth:14; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:pup-activity; sid:2003506; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M4 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"i>|20|Looking|20|for|20|updates<"; fast_pattern; content:"i>|20|Scan|20|memory<"; content:"<span>Windows|20|registry|20|scan"; classtype:social-engineering; sid:2034206; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; http.user_agent; content:"CommonName"; nocase; depth:10; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:pup-activity; sid:2003532; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M5 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|22|>Contact|20|Technical|20|Support|3a 20|<"; content:"|22|>Windows|0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20|was|20|banned|20|for"; fast_pattern; content:"PLEASE|20|call|20|us"; classtype:social-engineering; sid:2034207; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; http.user_agent; content:"WinFixMaster"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003544; classtype:pup-activity; sid:2003544; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Generic Components"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|22|>Contact|20|Technical|20|Support|3a 20|<"; content:"src=|22|fullscreen.js|22|"; content:"toggleFullScreen|28 29 3b|"; classtype:social-engineering; sid:2034208; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (DIALER)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"DIALER"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003566; classtype:pup-activity; sid:2003566; rev:15; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; http.user_agent; content:"iefeatsl"; nocase; depth:8; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:pup-activity; sid:2003570; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_10_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; http.user_agent; content:"MalwareWiped"; nocase; depth:12; reference:url,doc.emergingthreats.net/2003582; classtype:pup-activity; sid:2003582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious PHP UNZIP Tool Accessed on External Possibly Compromised Server"; flow:established,to_client; file_data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (update)"; flow:to_server,established; threshold: type limit, count 3, seconds 300, track by_src; http.user_agent; content:"update"; depth:6; endswith; reference:url,doc.emergingthreats.net/2003583; classtype:pup-activity; sid:2003583; rev:14; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034439; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; http.user_agent; content:"EELoader"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003613; classtype:pup-activity; sid:2003613; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed JavaScript Event Listener with Clipboard Data"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<script>"; content:"addEventListener|28 27|copy|27|"; distance:0; content:"clipboardData|2e|setData|28 27|text|2f|plain|27|"; fast_pattern; distance:0; content:"sh"; distance:0; content:"|5c|n"; distance:0; content:"</script>"; distance:0; reference:url,www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked; classtype:web-application-activity; sid:2034860; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Informational, updated_at 2022_01_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; http.user_agent; content:"KRSystem"; nocase; depth:8; reference:url,doc.emergingthreats.net/2003625; classtype:pup-activity; sid:2003625; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024132; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; http.user_agent; content:"ProxyDown"; nocase; depth:9; reference:url,doc.emergingthreats.net/2003639; classtype:pup-activity; sid:2003639; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern; classtype:social-engineering; sid:2021966; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; http.user_agent; content:"91cast"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003640; classtype:pup-activity; sid:2003640; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; http.user_agent; content:"GTBank"; nocase; depth:6; reference:url,doc.emergingthreats.net/2003654; classtype:pup-activity; sid:2003654; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; classtype:social-engineering; sid:2021258; rev:4; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; http.user_agent; content:"Internet 1."; nocase; depth:11; reference:url,doc.emergingthreats.net/2003655; classtype:pup-activity; sid:2003655; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:social-engineering; sid:2023037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; http.user_agent; content:"PWMI/"; nocase; depth:5; reference:url,doc.emergingthreats.net/2003926; classtype:pup-activity; sid:2003926; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:social-engineering; sid:2022853; rev:4; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; http.user_agent; content:"Mbar"; nocase; depth:4; endswith; reference:url,doc.emergingthreats.net/2003928; classtype:pup-activity; sid:2003928; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; classtype:social-engineering; sid:2021365; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; http.user_agent; content:"Mirar_Toolbar"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003929; classtype:pup-activity; sid:2003929; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre IE Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|attachment|3b 20|"; http_header; content:".zip|20 3b 0d 0a|"; distance:0; http_header; content:"Content-Type|3a 20|$ctype|0d 0a|"; http_header; fast_pattern; file_data; content:"PK|03 04|"; within:4; classtype:trojan-activity; sid:2020160; rev:6; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; http.user_agent; content:"fetcher"; nocase; depth:7; endswith; reference:url,doc.emergingthreats.net/2005318; classtype:pup-activity; sid:2005318; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:exploit-kit; sid:2016144; rev:4; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; http.user_agent; content:"NavHelper"; nocase; depth:9; reference:url,doc.emergingthreats.net/2005321; classtype:pup-activity; sid:2005321; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024125; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; http.user_agent; content:"Huai_Huai"; depth:9; endswith; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:pup-activity; sid:2006361; rev:12; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024126; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; http.user_agent; content:"IBSBand-"; depth:8; reference:url,doc.emergingthreats.net/2006362; classtype:pup-activity; sid:2006362; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; classtype:social-engineering; sid:2022011; rev:4; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031026; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:social-engineering; sid:2022366; rev:4; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031027; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:social-engineering; sid:2023051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:social-engineering; sid:2021207; rev:4; metadata:created_at 2015_06_09, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031029; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; classtype:social-engineering; sid:2022033; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; http.user_agent; content:"atsu"; depth:4; endswith; reference:url,doc.emergingthreats.net/2006370; classtype:pup-activity; sid:2006370; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:social-engineering; sid:2022525; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (006)"; flow:established,to_server; http.user_agent; content:"00"; depth:2; pcre:"/00\d+$/";  reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:pup-activity; sid:2006388; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:social-engineering; sid:2022527; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; http.user_agent; content:"WTRecover"; depth:9; reference:url,doc.emergingthreats.net/2006392; classtype:pup-activity; sid:2006392; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; distance:0; classtype:social-engineering; sid:2021285; rev:4; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; http.user_agent; content:"WTInstaller"; depth:11; reference:url,doc.emergingthreats.net/2006393; classtype:pup-activity; sid:2006393; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern; classtype:trojan-activity; sid:2016298; rev:5; metadata:created_at 2013_01_29, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; http.user_agent; content:"pint_agency"; depth:11; reference:url,doc.emergingthreats.net/2006413; classtype:pup-activity; sid:2006413; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024131; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; http.user_agent; content:"anycleaner"; depth:10; reference:url,doc.emergingthreats.net/2006419; classtype:pup-activity; sid:2006419; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, tag Spyware_User_Agent, updated_at 2020_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern; classtype:trojan-activity; sid:2016297; rev:5; metadata:created_at 2013_01_29, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; http.user_agent; content:"DoctorVaccine"; depth:13; reference:url,doc.emergingthreats.net/2006421; classtype:pup-activity; sid:2006421; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024130; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; http.user_agent; content:"WT_GET_COMM"; depth:11; reference:url,doc.emergingthreats.net/2006422; classtype:pup-activity; sid:2006422; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern; distance:0; classtype:social-engineering; sid:2021964; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; http.user_agent; content:"doctorpro"; depth:9; reference:url,doc.emergingthreats.net/2006423; classtype:pup-activity; sid:2006423; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:social-engineering; sid:2023752; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; http.user_agent; content:"Access down"; depth:11; endswith; reference:url,doc.emergingthreats.net/2006430; classtype:pup-activity; sid:2006430; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern; content:"contact Microsoft Support"; nocase; distance:0; classtype:social-engineering; sid:2022409; rev:4; metadata:created_at 2016_01_26, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; http.user_agent; content:"CPUSH_"; depth:6; reference:url,doc.emergingthreats.net/2006553; classtype:pup-activity; sid:2006553; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern; distance:0; content:"myFunction()|3b|"; classtype:social-engineering; sid:2022365; rev:7; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; http.user_agent; content:"blahrx"; depth:6; reference:url,doc.emergingthreats.net/2006778; classtype:pup-activity; sid:2006778; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024129; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; http.user_agent; content:"ZC-Bridgev"; depth:10; reference:url,doc.emergingthreats.net/2006780; classtype:pup-activity; sid:2006780; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:social-engineering; sid:2021206; rev:4; metadata:created_at 2015_06_09, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; http.user_agent; content:"ZC XML-RPC"; depth:10; reference:url,doc.emergingthreats.net/2006781; classtype:pup-activity; sid:2006781; rev:42; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:social-engineering; sid:2022526; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; http.user_agent; content:"szNotifyIdent"; depth:13; reference:url,doc.emergingthreats.net/2006782; classtype:pup-activity; sid:2006782; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2022030; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; http.user_agent; content:"vikiller ctrl"; nocase; depth:13; reference:url,doc.emergingthreats.net/2007582; classtype:pup-activity; sid:2007582; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:social-engineering; sid:2022993; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; http.user_agent; content:"B Register"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007597; classtype:pup-activity; sid:2007597; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Sep 08 2017"; flow:established,to_client; file_data; content:"background-color|3a|#CE3426|3b|"; nocase; fast_pattern; content:"=window[|22|eval|22|](|22|eval|22|)|3b|"; nocase; distance:0; content:"charCodeAt"; distance:0; content:"fromCharCode"; distance:0; classtype:social-engineering; sid:2024688; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; http.user_agent; content:"updatesodui"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007598; classtype:pup-activity; sid:2007598; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; classtype:social-engineering; sid:2021965; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; http.user_agent; content:"aaaabbb"; nocase; depth:7; reference:url,doc.emergingthreats.net/2007599; classtype:pup-activity; sid:2007599; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:social-engineering; sid:2022364; rev:4; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; http.user_agent; content:"TryMedia_DM_"; nocase; depth:12; reference:url,doc.emergingthreats.net/2007600; classtype:pup-activity; sid:2007600; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; classtype:social-engineering; sid:2021256; rev:4; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2022_03_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; http.user_agent; content:"VirusProtectPro"; depth:15; reference:url,doc.emergingthreats.net/2007617; classtype:pup-activity; sid:2007617; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; http.user_agent; content:"viruscheck"; nocase; depth:10; reference:url,doc.emergingthreats.net/2007643; classtype:pup-activity; sid:2007643; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; content:"85937=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2035620; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; http.user_agent; content:"Ultimate Fixer"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007645; classtype:pup-activity; sid:2007645; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:established,to_client; file.data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2024845; rev:4; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (XXX)"; flow:established,to_server; http.user_agent; content:"XXX"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:pup-activity; sid:2007648; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT [TW] WEBDAV UA"; flow:established,to_server; flowbits:set,ET.WEBDAVUA; flowbits: noalert; http.method; content:"GET"; http.user_agent; content:"Microsoft-WebDAV-MiniRedir"; nocase; startswith; classtype:attempted-user; sid:2036877; rev:1; metadata:created_at 2022_06_06, former_category WEB_CLIENT, updated_at 2022_06_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; http.user_agent; content:"QdrBi Starter"; nocase; depth:13; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:pup-activity; sid:2007659; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt"; flowbits:isset,ET.WEBDAVUA; flow:established,to_client; file_data; content:"|4d 53 43 46 00 00 00 00|"; within:8; reference:url,irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd; classtype:attempted-user; sid:2036878; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_06_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Browser"; nocase; depth:26; endswith; reference:url,doc.emergingthreats.net/2007660; classtype:pup-activity; sid:2007660; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT [TW] CAB From Possible WebDAV Share Possible DiagCab Abuse Attempt"; flowbits:isset,ET.PROPFIND; flow:established,to_client; file_data; content:"|4d 53 43 46 00 00 00 00|"; within:8; reference:url,irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd; classtype:attempted-user; sid:2036879; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category WEB_CLIENT, updated_at 2022_06_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (install_s)"; flow:established,to_server; http.user_agent; content:"install_"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:pup-activity; sid:2007666; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT [TW] WEBDAV Requesting Startup Dir"; flow:established,to_server; http.uri; content:"/Microsoft/Windows/Start Menu/Programs/Startup/"; fast_pattern; http.user_agent; content:"Microsoft-WebDAV-MiniRedir"; nocase; startswith; reference:url,irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd; classtype:attempted-user; sid:2036880; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_06, deployment Perimeter, former_category WEB_CLIENT, updated_at 2022_06_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware User-Agent (count)"; flow:established,to_server; http.user_agent; content:"count"; nocase; depth:5; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:pup-activity; sid:2007667; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt (CVE-2010-3333)"; flowbits:isset,OLE.CompoundFile; flow:established,to_client; content:"rtf"; nocase; content:"|7B 5C|sp|7B 5C|sn pFragments|7D 7B 5C|sv"; nocase; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013280; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; http.user_agent; content:"BndDriveLoader"; nocase; depth:14; reference:url,doc.emergingthreats.net/2007693; classtype:pup-activity; sid:2007693; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt (CVE-2010-3333)"; flow:established,to_client; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; http.user_agent; content:"LmaokaazLdr"; nocase; depth:11; reference:url,doc.emergingthreats.net/2007694; classtype:pup-activity; sid:2007694; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit (CVE-2012-0754)"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_07, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; http.user_agent; content:"ie"; depth:2; endswith; reference:url,doc.emergingthreats.net/2007827; classtype:pup-activity; sid:2007827; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free (CVE-2012-1875)"; flow:established,from_server; content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:11; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; http.user_agent; content:"DrPCClean"; depth:9; reference:url,doc.emergingthreats.net/2007839; classtype:pup-activity; sid:2007839; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption (CVE-2012-1889)"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:14; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_22, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"microsoft"; depth:9; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:pup-activity; sid:2007859; rev:10; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption (CVE-2012-1889)"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:19; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; http.user_agent; content:"Firefox"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:pup-activity; sid:2007868; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag Trojan_Downloader, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt (CVE-2012-0754)"; flow:established,to_client; content:"|66 74 79 70 6D 70 34|"; content:"|01 6D 70 34 32 69 73 6F 6D|"; distance:0; content:"|63 70 72 74 00 FF FF FF|"; distance:0; reference:url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html; reference:bid,52034; reference:cve,2012-0754; classtype:attempted-user; sid:2014335; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_03_09, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; http.user_agent; content:"Vomba"; depth:5; reference:url,doc.emergingthreats.net/2007869; classtype:pup-activity; sid:2007869; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability (CVE-2012-4969)"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:7; metadata:affected_product Web_Browsers, affected_product Any, affected_product Web_Browser_Plugins, attack_target Client_and_Server, created_at 2012_09_18, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category WEB_CLIENT, signature_severity Critical, tag Web_Client_Attacks, tag Metasploit, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; http.user_agent; content:"HTTP_GET_COMM"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007881; classtype:pup-activity; sid:2007881; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt (CVE-2012-1889)"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:".definition|28|"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:21; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2012_06_19, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; http.user_agent; content:"SHINI"; depth:5; endswith; reference:url,doc.emergingthreats.net/2007882; classtype:pup-activity; sid:2007882; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash (CVE-2013-0634)"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:6; metadata:created_at 2013_02_09, former_category WEB_CLIENT, updated_at 2013_02_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; http.user_agent; content:"VirusHeat"; depth:9; reference:url,doc.emergingthreats.net/2007883; classtype:pup-activity; sid:2007883; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Exploit Specific Uncompressed Flash Inside of OLE (CVE-2013-0634)"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:5; metadata:created_at 2013_02_09, former_category WEB_CLIENT, updated_at 2013_02_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Example)"; flow:to_server,established; http.user_agent; content:"Example"; depth:7; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:pup-activity; sid:2007884; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634)"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:4; metadata:created_at 2013_02_12, former_category WEB_CLIENT, updated_at 2013_02_12;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; http.user_agent; content:"auctionplusup"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007900; classtype:pup-activity; sid:2007900; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Flash Action Script Invalid Regex (CVE-2013-0634)"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:4; metadata:created_at 2013_02_12, former_category WEB_CLIENT, updated_at 2013_02_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; http.user_agent; content:"HTTPGETDATA"; depth:11; endswith; reference:url,doc.emergingthreats.net/2007908; classtype:pup-activity; sid:2007908; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3163)"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_10, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTPFILEDOWN"; depth:12; endswith; reference:url,doc.emergingthreats.net/2007909; classtype:pup-activity; sid:2007909; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free (CVE-2013-3163)"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; http.user_agent; content:"HTTP_FILEDOWN"; depth:13; endswith; reference:url,doc.emergingthreats.net/2007910; classtype:pup-activity; sid:2007910; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893)"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; http.user_agent; content:"UDonkey"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007927; classtype:pup-activity; sid:2007927; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft IE Memory Corruption Inbound (CVE-2013-3893)"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; http.user_agent; content:"InvokeAd"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007928; classtype:pup-activity; sid:2007928; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347)"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_05_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Internet)"; flow:to_server,established; http.user_agent; content:"Internet"; depth:8; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:pup-activity; sid:2008013; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_07_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; http.user_agent; content:"Ssol NetInstaller"; depth:17; reference:url,doc.emergingthreats.net/2008040; classtype:pup-activity; sid:2008040; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Internet Explorer Memory Corruption Inbound (CVE-2013-3893)"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_09_18, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; http.user_agent; content:"WinTouch"; depth:8; reference:url,doc.emergingthreats.net/2008141; classtype:pup-activity; sid:2008141; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free (CVE-2013-3897)"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2013_10_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; http.user_agent; content:"Sidebar"; depth:7; reference:url,doc.emergingthreats.net/2008201; classtype:pup-activity; sid:2008201; rev:10; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ZenoSearch Spyware User-Agent"; flow:to_server,established; http.header; content:"User-Agent|3a 20|["; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/i"; reference:url,doc.emergingthreats.net/2008279; classtype:pup-activity; sid:2008279; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; http.user_agent; content:"AsmUpdater"; depth:10; reference:url,doc.emergingthreats.net/2008294; classtype:pup-activity; sid:2008294; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3443 (msg:"ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt"; flow:to_server,established; content:"/OvCgi/connectedNodes.ovpl?"; nocase; pcre:"/node=.*\|.+\|/i"; reference:bugtraq,14662; reference:url,doc.emergingthreats.net/2002365; classtype:web-application-attack; sid:2002365; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; http.user_agent; content:"Connector v"; depth:11; reference:url,doc.emergingthreats.net/2008372; classtype:pup-activity; sid:2008372; rev:13; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt"; flow: to_server,established; content:"THCOWNZIIS!"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; reference:url,doc.emergingthreats.net/2000559; classtype:web-application-attack; sid:2000559; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; http.user_agent; content:"FavUpdate"; depth:9; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:pup-activity; sid:2008457; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"UNION%20"; within:200; nocase; content:"SELECT"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]+UNION.+SELECT/i"; reference:url,www.w3schools.com/sql/sql_union.asp; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009770; classtype:web-application-attack; sid:2009770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (FTP)"; flow: to_server,established; http.user_agent; content:"Ftp"; nocase; depth:3; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:pup-activity; sid:2008735; rev:11; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0d\x0aCookie\x3a[^\n]+SELECT.+FROM/i"; reference:url,www.w3schools.com/sql/sql_select.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009771; classtype:web-application-attack; sid:2009771; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Matcash Trojan Related Spyware Code Download"; flow:established,to_server; http.user_agent; content:"Windows 5.1 (2600)|3b 20|DMCP"; depth:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:pup-activity; sid:2008759; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible DELETE FROM SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"DELETE%20"; within:200; nocase; content:"FROM"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]DELETE.+FROM/i"; reference:url,www.w3schools.com/Sql/sql_delete.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009772; classtype:web-application-attack; sid:2009772; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; http.user_agent; content:"Smileware"; depth:9; reference:url,doc.emergingthreats.net/2008892; classtype:pup-activity; sid:2008892; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INSERT INTO SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INSERT%20"; nocase; within:200; content:"INTO"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INSERT.+INTO/i"; reference:url,www.w3schools.com/SQL/sql_insert.asp; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,doc.emergingthreats.net/2009773; classtype:web-application-attack; sid:2009773; rev:36; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (FileDownloader)"; flow:to_server,established; http.user_agent; content:"FileDownloader"; depth:14; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:pup-activity; sid:2009027; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie"; flow:to_server,established; content:"|0d 0a|Cookie|3A|"; nocase; content:"INTO%20"; nocase; within:200; content:"OUTFILE"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]INTO.+OUTFILE/i"; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010038; classtype:web-application-attack; sid:2010038; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Fake AV User-Agent (N1)"; flow:to_server,established; http.user_agent; content:"N1"; depth:2; endswith; reference:url,doc.emergingthreats.net/2009157; classtype:pup-activity; sid:2009157; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"INSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010286; classtype:web-application-attack; sid:2010286; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; http.user_agent; content:"Lobo Lunar"; depth:10; reference:url,doc.emergingthreats.net/2009222; classtype:pup-activity; sid:2009222; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt"; flow:established,to_server; content:"|0d 0a|Cookie|3A|"; nocase; content:"SELECT%20"; nocase; within:200; content:"SUBSTR"; nocase; distance:0; pcre:"/\x0a\x0dCookie\x3a[^\n]SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010287; classtype:web-application-attack; sid:2010287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow:established,to_server; http.user_agent; content:"CTT"; depth:3; reference:url,doc.emergingthreats.net/2009236; classtype:pup-activity; sid:2009236; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt"; flow:established,to_server; content:"UNLOCK"; nocase; depth:6; content:"Connection|3A| Close"; nocase; distance:0; content:"Lock-token|3A|"; nocase; within:100; reference:url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt; reference:url,doc.emergingthreats.net/2011015; classtype:web-application-attack; sid:2011015; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySideSearch Browser Optimizer"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?aff="; nocase; content:"&act="; nocase; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; nocase; depth:20; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:pup-activity; sid:2009524; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; classtype:web-application-attack; sid:2011016; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"Microgaming Install Program"; nocase; depth:27; endswith; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:pup-activity; sid:2009783; rev:11; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebDAV search overflow"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:cve,2003-0109; reference:url,doc.emergingthreats.net/2002844; classtype:web-application-attack; sid:2002844; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"ERRN200"; depth:7; reference:url,doc.emergingthreats.net/2009861; classtype:pup-activity; sid:2009861; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Asprox Spambot SQL-Injection Atempt"; flow:established,to_server; content:"GET"; http_method; content:"declare "; http_uri; nocase; content:"char("; http_uri; nocase; content:"exec(@"; nocase; http_uri; classtype:web-application-attack; sid:2011291; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; http.user_agent; content:"User Agent"; depth:10; reference:url,doc.emergingthreats.net/2009930; classtype:pup-activity; sid:2009930; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound"; flow:established,to_server; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012151; rev:1; metadata:created_at 2011_01_06, updated_at 2011_01_06;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; http.user_agent; content:"VaccineKiller"; depth:13; reference:url,doc.emergingthreats.net/2009993; classtype:pup-activity; sid:2009993; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"/OvCgi/Main/Snmp.exe"; http_uri; nocase; content:"Host="; nocase; content:"Oid="; nocase; within:50; isdataat:600,relative; pcre:"/\x2FOvCgi\x2FMain\x2FSnmp\x2Eexe.+id\x3D.{600}/smi"; reference:cve,2009-3849; reference:url,doc.emergingthreats.net/2010687; classtype:web-application-attack; sid:2010687; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-#alert http $HOME_NET any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (Sme32)"; flow: established, to_server; http.user_agent; content:"Sme32"; depth:5; endswith; reference:url,doc.emergingthreats.net/2010137; classtype:pup-activity; sid:2010137; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_04_01, former_category CURRENT_EVENTS, updated_at 2011_04_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (SogouExplorerMiniSetup)"; flow:to_server,established; http.user_agent; content:"SogouExplorerMiniSetup"; nocase; depth:22; reference:url,doc.emergingthreats.net/2010675; classtype:pup-activity; sid:2010675; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"HTTP/1.1 414 Request-URI Too Large"; depth:35; nocase; classtype:web-application-attack; sid:2012708; rev:2; metadata:created_at 2011_04_22, updated_at 2011_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Fast Browser Search)"; flow:to_server,established; http.user_agent; content:"Fast Browser Search"; nocase; depth:19; reference:url,doc.emergingthreats.net/2010676; classtype:pup-activity; sid:2010676; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2101945; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; http.user_agent; content:"General Antivirus"; nocase; depth:17; reference:url,doc.emergingthreats.net/2010679; classtype:pup-activity; sid:2010679; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER robots.txt access"; flow:to_server,established; content:"/robots.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101852; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; http.user_agent; content:"Update1.0"; depth:9; reference:url,doc.emergingthreats.net/2010680; classtype:pup-activity; sid:2010680; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER robot.txt access"; flow:to_server,established; content:"/robot.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101857; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (FaceCooker)"; flow:to_server,established; http.user_agent; content:"FaceCooker"; nocase; depth:10; reference:url,doc.emergingthreats.net/2010717; classtype:pup-activity; sid:2010717; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Live Enterprise Suite)"; flow:to_server,established; http.user_agent; content:"Live Enterprise Suite"; nocase; depth:21; reference:url,doc.emergingthreats.net/2010727; classtype:pup-activity; sid:2010727; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; content:"TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE"; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:2101817; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; http.user_agent; content:"InfoBox"; depth:7; reference:url,doc.emergingthreats.net/2010934; classtype:pup-activity; sid:2010934; rev:8; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; reference:nessus,11018; classtype:web-application-attack; sid:2101818; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (lineguide)"; flow:to_server,established; http.user_agent; content:"lineguide"; nocase; depth:9; reference:url,doc.emergingthreats.net/2011106; classtype:pup-activity; sid:2011106; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER webalizer access"; flow:established,to_server; content:"/webalizer/"; nocase; http_uri; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:2101847; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Save)"; flow:to_server,established; http.user_agent; content:"Save"; depth:4; endswith; reference:url,poweredbysave.com; classtype:pup-activity; sid:2011120; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; nocase; http_uri; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; http.user_agent; content:"|5f|InTeRNeT"; depth:9; reference:url,doc.emergingthreats.net/2011127; classtype:pup-activity; sid:2011127; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt"; flow:established,to_server; content:".php?"; http_uri; content:"=http|3a|//"; http_uri; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012997; rev:4; metadata:created_at 2011_06_10, updated_at 2011_06_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"Download Master"; depth:15; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:pup-activity; sid:2011146; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Muieblackcat scanner"; flow:established,to_server; content:"GET /muieblackcat HTTP/1.1"; depth:26; classtype:attempted-recon; sid:2013115; rev:3; metadata:created_at 2011_06_24, updated_at 2011_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (webcount)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"webcount"; depth:8; reference:url,doc.emergingthreats.net/2011149; classtype:pup-activity; sid:2011149; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:2101122; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Sogou Toolbar Checkin"; flow:to_server,established; http.uri; content:"/seversion.txt"; http.user_agent; content:"SeFastSetup"; depth:11; reference:url,doc.emergingthreats.net/2011225; classtype:pup-activity; sid:2011226; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]*&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; http.user_agent; content:"Mozilla/4.0 |28|SP3 WINLD|29 |"; depth:23; endswith; fast_pattern; reference:url,doc.emergingthreats.net/2011238; classtype:pup-activity; sid:2011238; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type|3A| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:3; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; http.user_agent; content:"Forthgoer"; depth:9; reference:url,doc.emergingthreats.net/2011247; classtype:pup-activity; sid:2011247; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER xp_cmdshell Attempt in Cookie"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_header; pcre:"/\x0a\x0dCookie\x3a[^\n]+xp_cmdshell/i"; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=4072; reference:url,doc.emergingthreats.net/2010119; classtype:web-application-attack; sid:2010119; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"XieHongWei"; depth:10; reference:url,doc.emergingthreats.net/2011248; classtype:pup-activity; sid:2011248; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible BASE Authentication Bypass Attempt"; flow:to_server,established; content:"BASERole="; http_header; content:"794b69ad33015df95578d5f4a19d390e"; within:40; http_header; reference:url,seclists.org/bugtraq/2009/Jun/0218.html; reference:url,seclists.org/bugtraq/2009/Jun/0217.html; reference:url,doc.emergingthreats.net/2009677; classtype:web-application-attack; sid:2009677; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (CustomSpy)"; flow:to_server,established; http.user_agent; content:"|28|CustomSpy|29 |"; depth:11; endswith; reference:url,doc.emergingthreats.net/2011271; classtype:pup-activity; sid:2011271; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; http.user_agent; content:"C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; depth:32; classtype:pup-activity; sid:2011334; rev:9; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER TRACE attempt"; flow:to_server,established; content:"TRACE"; http_method; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2102056; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"http-get-demo"; depth:13; endswith; classtype:pup-activity; sid:2011392; rev:7; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Alternate Data Stream source view attempt"; flow:to_server,established; content:"|3A 3A|$DATA"; http_uri; reference:url,support.microsoft.com/kb/q188806/; reference:cve,1999-0278; reference:url,doc.emergingthreats.net/2001365; classtype:web-application-activity; sid:2001365; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; http.user_agent; content:"Microsoft Internet Explorer 6.0"; depth:31; endswith; classtype:pup-activity; sid:2011393; rev:6; metadata:created_at 2010_09_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:2101056; rev:10; metadata:created_at 2010_09_23, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; http.uri; content:"/registerSession.py?"; nocase; content:"proj="; nocase; content:"&country="; nocase; content:"&lang="; nocase; content:"&channel="; nocase; content:"source="; nocase; http.user_agent; content:"NSIS_Inetc (Mozilla)"; depth:20; reference:url,doc.emergingthreats.net/2011677; reference:md5,af0bbdf6097233e8688c5429aa97bbed; classtype:pup-activity; sid:2011677; rev:10; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 3"; flow:to_server,established; content:".js%2570"; http_uri; nocase; classtype:attempted-recon; sid:2101236; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (HTTP_Query)"; flow:to_server,established; http.user_agent; content:"HTTP_Query"; nocase; depth:10; endswith; reference:url,doc.emergingthreats.net/2011678; classtype:pup-activity; sid:2011678; rev:8; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 2"; flow:to_server,established; content:".j%2573p"; http_uri; nocase; classtype:attempted-recon; sid:2101237; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Gbot)"; flow:established,to_server; http.user_agent; content:"gbot"; depth:4; classtype:pup-activity; sid:2011872; rev:6; metadata:created_at 2010_10_29, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat sourcecode view attempt 1"; flow:to_server,established; content:".%256Asp"; http_uri; nocase; classtype:attempted-recon; sid:2101238; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; http.user_agent; content:"Search Toolbar"; depth:14; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:pup-activity; sid:2013333; rev:7; metadata:created_at 2011_07_28, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/SWInformer.B Checkin"; flow:to_server,established; http.uri; content:"log.php?"; http.user_agent; content:"FDMuiless"; depth:9; endswith; reference:md5,0f90568d86557d62f7d4e1c0f7167431; classtype:pup-activity; sid:2014004; rev:7; metadata:created_at 2011_12_08, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~ftp access"; flow:to_server,established; content:"/~ftp"; nocase; http_uri; classtype:attempted-recon; sid:2101662; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; http.uri; content:"/inst.php?"; http.user_agent; content:"psi"; depth:3; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:pup-activity; sid:2014262; rev:7; metadata:created_at 2012_01_21, former_category ADWARE_PUP, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-activity; sid:2101285; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netflix On-demand User-Agent"; flow:to_server,established; http.user_agent; content:"WmpHostInternetConnection"; depth:25; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:2101023; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Steam Steal0r"; flow:established,to_server; http.uri; content:"info=Steam|20|Steal0r|20|"; fast_pattern; content:"&acc="; content:"&pw="; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; depth:55; nocase; reference:url,doc.emergingthreats.net/2008360; classtype:trojan-activity; sid:2008360; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/PR"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virusremover2008.com Checkin"; flow:to_server,established; http.method; content:"GET"; depth:3; nocase; http.uri; content:"?action="; nocase; content:"pc_id="; nocase; content:"abbr="; http.user_agent; content:"Statistican"; depth:11; reference:url,doc.emergingthreats.net/2008527; classtype:command-and-control; sid:2008527; rev:8; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Small.qh/xSock User-Agent Detected"; flow:established,to_server; http.user_agent; content:"xSock Config"; depth:12; nocase; reference:url,doc.emergingthreats.net/2007609; classtype:trojan-activity; sid:2007609; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent.pt User-Agent Detected"; flow:established,to_server; http.user_agent; content:"Machaon"; depth:7; endswith; reference:url,doc.emergingthreats.net/2007663; classtype:trojan-activity; sid:2007663; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/9.28 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009474; classtype:trojan-activity; sid:2009474; rev:8; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality - Fake Opera User-Agent"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Opera/8.81 (Windows NT 6.0|3b 20|U|3b 20|en)"; depth:34; endswith; reference:url,www.spywareremove.com/removeTrojanDownloaderSalityG.html; reference:url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM; reference:url,doc.emergingthreats.net/2009525; classtype:trojan-activity; sid:2009525; rev:9; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; http.user_agent; content:"YOK Agent"; depth:9; endswith; reference:url,doc.emergingthreats.net/2008752; classtype:pup-activity; sid:2008752; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; http_uri; nocase; classtype:web-application-activity; sid:2101371; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY POSSIBLE Web Crawl using Curl"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; http.user_agent; content:"curl"; nocase; startswith; reference:url,curl.haxx.se; reference:url,doc.emergingthreats.net/2002825; classtype:attempted-recon; sid:2002825; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot/Zeus Dropper Infection - /loads.php"; flow:established,to_server; http.uri; content:"/loads.php"; content:"?r="; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"Microsoft Internet Explorer"; depth:27; http.host; content:"knocker"; startswith; reference:url,doc.emergingthreats.net/2009213; classtype:trojan-activity; sid:2009213; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; http.user_agent; content:"VIP20"; depth:5; nocase; reference:url,doc.emergingthreats.net/2008156; classtype:trojan-activity; sid:2008156; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; http.method; content:"GET"; nocase; http.user_agent; content:"MSIE 5.5"; depth:8; endswith; reference:url,doc.emergingthreats.net/2007833; classtype:trojan-activity; sid:2007833; rev:9; metadata:created_at 2010_07_30, former_category TROJAN, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan"; flow:established,to_server; http.user_agent; content:"get-minimal"; depth:11; reference:url,doc.emergingthreats.net/2003634; classtype:attempted-admin; sid:2003634; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Winpcap Installation in Progress"; flow:established,to_server; http.uri; content:"/install/banner/"; nocase; pcre:"/\d/\d+.jpg/i"; http.user_agent; content:"NSISDL"; nocase; depth:6; http.host; content:"www.winpcap.org"; startswith; reference:url,www.winpcap.org; reference:url,doc.emergingthreats.net/2002866; classtype:policy-violation; sid:2002866; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; http.user_agent; content:"WinFix Master"; nocase; depth:13; reference:url,doc.emergingthreats.net/2003545; classtype:pup-activity; sid:2003545; rev:11; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Related msndown"; flow:established,to_server; http.user_agent; content:"msndown"; depth:7; endswith; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1; classtype:trojan-activity; sid:2012221; rev:5; metadata:created_at 2011_01_22, former_category USER_AGENTS, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Apple iDisk Sync Unencrypted"; flow:established,to_server; http.header; content:"|0d 0a|Host|3a 20|idisk.mac.com|0d 0a|"; nocase; http.user_agent; content:"DotMacKit-like, File-Sync-Direct"; depth:32; nocase; classtype:policy-violation; sid:2012331; rev:6; metadata:created_at 2011_02_22, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN w3af User Agent"; flow: established,to_server; http.user_agent; content:"w3af.sourceforge.net"; depth:20; reference:url,w3af.sourceforge.net; reference:url,doc.emergingthreats.net/2007757; classtype:attempted-recon; sid:2007757; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Hostname"; dns.query; bsize:>30; content:"61643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}6164(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){5,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Number of Queries"; dns.query; bsize:>30; content:"63643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6364(?:3[0-9]){4}\d{1,3}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028668; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Initial Hello Beacon"; dns.query; bsize:>30; content:"64643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6464(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028666; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Finished Sending Results"; dns.query; bsize:>30; content:"66643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}6664(?:3[0-9]){4}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028669; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Getting CnC Data"; dns.query; bsize:>30; content:"68643"; offset:5; depth:5; content:"31303"; distance:7; within:5; content:"|2e|"; distance:1; within:1; pcre:"/^[a-zA-Z0-9]{5}6864(?:3[0-9]){4}31303[0-9]\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Sending Command Results"; dns.query; bsize:>30; content:"72643"; offset:5; depth:5; content:"31303"; distance:7; within:5; pcre:"/^[a-zA-Z0-9]{5}7264(?:3[0-9]){4}31303[0-9](?:[a-f0-9][a-f0-9]){10,}\./"; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028671; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_10, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER sumthin scan"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sumthin"; nocase; http_uri; reference:url,www.webmasterworld.com/forum11/2100.htm; reference:url,doc.emergingthreats.net/2002667; classtype:attempted-recon; sid:2002667; rev:38; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent WebUpdate"; flow:established,to_server; http.user_agent; content:"WebUpdate"; bsize:9; reference:url,doc.emergingthreats.net/2010600; classtype:trojan-activity; sid:2010600; rev:5; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_06_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Ares traffic"; flow:established,to_server; http.user_agent; content:"Ares"; startswith; reference:url,www.aresgalaxy.org; reference:url,doc.emergingthreats.net/bin/view/Main/2001059; classtype:policy-violation; sid:2001059; rev:11; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:2; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/GMServer/GMServlet"; nocase; fast_pattern; http.user_agent; content:"Dalvik"; depth:6; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_03_10, deployment Perimeter, signature_severity Critical, tag Android, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:3; metadata:created_at 2012_11_21, updated_at 2012_11_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CASHY200 Style DNS Query - Request Command Beacon"; dns.query; bsize:>30; content:"71643"; offset:5; depth:5; pcre:"/^[a-zA-Z0-9]{5}7164(?:3[0-9]){4}\./"; reference:md5,ea66def6d653fb9e164751e007cbbe68; reference:url,unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/; classtype:command-and-control; sid:2028674; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:2; metadata:created_at 2012_11_24, updated_at 2012_11_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Maxthon Browser Background Agent UA (MxAgent)"; flow:to_server,established; http.user_agent; content:"MxAgent"; nocase; depth:7; reference:url,doc.emergingthreats.net/2011125; classtype:not-suspicious; sid:2011125; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent (securityinternet)"; flow:established,to_server; http.user_agent; content:"securityinternet"; depth:16; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:4; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (Winlogon)"; flow:established,to_server; http.user_agent; content:"Winlogon"; depth:8; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:2; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; http.user_agent; content:"internetsecurity"; depth:16; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:3; metadata:created_at 2013_01_22, updated_at 2013_01_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; http.user_agent; content:"SexTrackerWSI"; depth:13; nocase; reference:url,doc.emergingthreats.net/2003627; classtype:pup-activity; sid:2003627; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:2; metadata:created_at 2013_02_26, updated_at 2013_02_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (???)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|???"; http.user_agent; content:!"|20|Sparkle|2f|"; reference:url,doc.emergingthreats.net/2010595; classtype:pup-activity; sid:2010595; rev:9; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:2; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Azureus P2P Client User-Agent"; flow:to_server,established; http.user_agent; content:"Azureus"; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007799; classtype:policy-violation; sid:2007799; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4; metadata:created_at 2013_03_14, updated_at 2013_03_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BTSP)"; flow:to_server,established; http.user_agent; content:"BTSP/"; depth:5; reference:url,doc.emergingthreats.net/2011713; classtype:policy-violation; sid:2011713; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitComet)"; flow:to_server,established; http.user_agent; content:"BitComet/"; depth:9; reference:url,www.bitcomet.com; reference:url,doc.emergingthreats.net/2011710; classtype:policy-violation; sid:2011710; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (BitTornado)"; flow:to_server,established; http.user_agent; content:"BitTornado/"; depth:11; reference:url,www.bittornado.com; reference:url,doc.emergingthreats.net/2011702; classtype:policy-violation; sid:2011702; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x)"; flow:to_server,established; http.user_agent; content:"Bittorrent"; depth:10; reference:url,doc.emergingthreats.net/bin/view/Main/2006372; classtype:trojan-activity; sid:2006372; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:2; metadata:created_at 2013_03_27, updated_at 2013_03_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x)"; flow:to_server,established; http.user_agent; content:"KTorrent/3"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011700; classtype:policy-violation; sid:2011700; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:2; metadata:created_at 2013_04_02, updated_at 2013_04_02;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x)"; flow:to_server,established; http.user_agent; content:"ktorrent/2"; depth:10; reference:url,ktorrent.org; reference:url,doc.emergingthreats.net/2011711; classtype:policy-violation; sid:2011711; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:2; metadata:created_at 2013_04_16, updated_at 2013_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Client User-Agent (Shareaza 2.x)"; flow:to_server,established; http.user_agent; content:"Shareaza 2."; depth:11; reference:url,shareaza.sourceforge.net; reference:url,doc.emergingthreats.net/2011707; classtype:policy-violation; sid:2011707; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected"; flow:established,to_server; http.user_agent; content:"DAV.pm/v"; depth:8; reference:url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/; reference:url,code.google.com/p/davtest/; reference:url,doc.emergingthreats.net/2011089; classtype:attempted-recon; sid:2011089; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Grabber.py Web Scan Detected"; flow:to_server,established; http.user_agent; content:"Grabber"; depth:7; reference:url,rgaucher.info/beta/grabber/; reference:url,doc.emergingthreats.net/2009483; classtype:attempted-recon; sid:2009483; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Mini MySqlatOr SQL Injection Scanner"; flow:to_server,established; http.user_agent; content:"prog.CustomCrawler"; depth:18; reference:url,www.scrt.ch/pages_en/minimysqlator.html; reference:url,doc.emergingthreats.net/2008729; classtype:attempted-recon; sid:2008729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:2; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN SQL Power Injector SQL Injection User Agent Detected"; flow:to_server,established; http.user_agent; content:"SQL Power Injector"; depth:18; reference:url,www.sqlpowerinjector.com/index.htm; reference:url,en.wikipedia.org/wiki/Sql_injection; reference:url,doc.emergingthreats.net/2009769; classtype:attempted-recon; sid:2009769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:3; metadata:created_at 2013_07_02, updated_at 2013_07_02;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Open-Proxy ScannerBot (webcollage-UA)"; flow:established,to_server; http.user_agent; content:"webcollage/"; depth:11; nocase; reference:url,stateofsecurity.com/?p=526; reference:url,www.botsvsbrowsers.com/details/214715/index.html; reference:url,doc.emergingthreats.net/2010768; classtype:bad-unknown; sid:2010768; rev:8; metadata:created_at 2010_07_30, former_category SCAN, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:3; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; http.user_agent; content:"revolt"; depth:6; reference:url,www.Whitehatsecurityresponse.blogspot.com; reference:url,doc.emergingthreats.net/2009288; classtype:web-application-attack; sid:2009288; rev:59; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2; metadata:created_at 2013_07_13, updated_at 2013_07_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x)"; flow:to_server,established; http.user_agent; content:"BearShare"; depth:9; reference:url,doc.emergingthreats.net/bin/view/Main/2006371; classtype:trojan-activity; sid:2006371; rev:10; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3; metadata:created_at 2013_07_25, former_category CURRENT_EVENTS, updated_at 2013_07_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; http.user_agent; content:"DataCha0s"; nocase; depth:9; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; classtype:web-application-activity; sid:2003616; rev:41; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (ScrapeBox)"; flow:to_server,established; http.user_agent; content:"ScrapeBox"; depth:9; classtype:trojan-activity; sid:2011282; rev:6; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:2; metadata:created_at 2013_08_15, updated_at 2013_08_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Hmap Webserver Fingerprint Scan"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"4.75 [en] (Windows NT 5.0"; http.protocol; content:"HTTP/1.0"; reference:url,www.ujeni.murkyroc.com/hmap/; reference:url,doc.emergingthreats.net/2008537; classtype:attempted-recon; sid:2008537; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:2; metadata:created_at 2013_08_19, updated_at 2013_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS suspicious user-agent (REKOM)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"REKOM"; nocase; depth:5; classtype:trojan-activity; sid:2012295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_07, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; http.user_agent; content:"VCTestClient"; depth:12; nocase; classtype:trojan-activity; sid:2012386; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:3; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; http.user_agent; content:"PrivacyInfoUpdate"; depth:17; nocase; classtype:trojan-activity; sid:2012387; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_02_27, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Goolbot.E Checkin UA Detected iamx"; flow:established,to_server; http.user_agent; content:"iamx/"; depth:5; classtype:trojan-activity; sid:2012246; rev:7; metadata:created_at 2011_01_27, former_category USER_AGENTS, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:2; metadata:created_at 2013_08_28, updated_at 2013_08_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JEUSD CnC Domain Observed in DNS Query"; dns.query; content:"beastgoc.com"; nocase; endswith; classtype:domain-c2; sid:2031622; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"stopsms.biz"; nocase; endswith; classtype:domain-c2; sid:2028817; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"infospress.com"; nocase; endswith; classtype:domain-c2; sid:2028818; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"hmizat.co"; nocase; endswith; classtype:domain-c2; sid:2028819; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"revolution-news.co"; nocase; endswith; classtype:domain-c2; sid:2028820; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:2; metadata:created_at 2013_10_17, updated_at 2013_10_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"videos-download.co"; nocase; endswith; classtype:domain-c2; sid:2028821; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NSO Group Pegasus CnC Domain Observed in DNS Query"; dns.query; content:"business-today.info"; nocase; endswith; classtype:domain-c2; sid:2028822; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Mustang Panda Payload - CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?wd="; pcre:"/^[a-f0-9]{8}$/Ri"; http.header_names; content:"x-debug"; content:"x-request"; content:"x-content"; content:"x-storage"; reference:url,www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations; classtype:command-and-control; sid:2028823; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT MustangPanda CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=Adobe Reader"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"CN=Adobe Reader"; tls.cert_serial; content:"62:CA:BE:68"; classtype:domain-c2; sid:2028824; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag MustangPanda, updated_at 2020_10_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"xp101.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028838; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"svn-dns.ahnlabinc.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028839; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"dns1-1.7release.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028840; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT 41 CnC Domain Observed in DNS Query"; dns.query; content:"ssl.dyn-dns.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf; classtype:domain-c2; sid:2028841; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, malware_family LOWKEY, signature_severity Major, tag APT41, updated_at 2020_10_19;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3; metadata:created_at 2013_12_10, updated_at 2013_12_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; http.uri; content:".php"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)"; depth:50; endswith; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:"Cache-Control|0d 0a 0d 0a|"; distance:0; classtype:trojan-activity; sid:2012384; rev:5; metadata:created_at 2011_02_27, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:3; metadata:created_at 2014_01_11, updated_at 2014_01_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_line; content:"/log HTTP/1."; distance:0; fast_pattern; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:command-and-control; sid:2016014; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Oracle Reports Parse Query Returned Creds CVE-2012-3153"; flow:established,to_client; file_data; content:"Result Reports Server Command"; content:"userid="; distance:0; content:"/"; distance:0; content:"@"; distance:0; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018093; rev:2; metadata:created_at 2014_02_07, updated_at 2014_02_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.EGZ Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/b.php?id="; fast_pattern; pcre:"/^\d{1,3}$/R"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; classtype:command-and-control; sid:2013947; rev:6; metadata:created_at 2011_11_23, former_category MALWARE, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4; metadata:created_at 2012_07_25, updated_at 2012_07_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,from_server; file_data; content:"<title>CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:2; metadata:created_at 2014_03_18, updated_at 2014_03_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL K-Shell/ZHC Shell 1.0/Aspx Shell Backdoor NetCat_Listener"; flow:established,from_server; file_data; content:"Silentz's Tricks:"; content:"action=cmd2"; content:"Start NC"; reference:url,www.fidelissecurity.com/webfm_send/377; reference:url,pastebin.com/XAG1Hnfd; classtype:web-application-attack; sid:2018369; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP NULL Pointer Dereference Attempt Inbound (CVE-2020-25858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; pcre:"/^[^=]{1,}$/RUi"; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-25858; classtype:attempted-admin; sid:2031058; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_25858, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_19;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp - content"; flow:established,from_server; file_data; content:"<title>zehir3--> powered by zehir"; content:"Sistem Bilgileri"; content:"color=red>Local Adres</td"; content:"zehirhacker"; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018371; rev:2; metadata:created_at 2014_04_07, updated_at 2014_04_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=carlossaldanhacertificado"; bsize:28; fast_pattern; tls.cert_issuer; content:"CN=carlossaldanhacertificado"; bsize:28; classtype:domain-c2; sid:2031059; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent NV32ts)"; flow:to_server,established; content:"User-Agent|3a| NV32ts"; reference:url,doc.emergingthreats.net/2009029; classtype:web-application-attack; sid:2009029; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_10_15;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=PatataDorito"; bsize:15; fast_pattern; tls.cert_issuer; content:"CN=PatataDorito"; bsize:15; classtype:domain-c2; sid:2031060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M"; flow:established,to_server; content:"M Fucking Scanner"; http_user_agent; nocase; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; reference:url,doc.emergingthreats.net/2003466; classtype:web-application-attack; sid:2009799; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (bollywoods .co .in in DNS Lookup)"; dns.query; content:"bollywoods.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031030; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt"; flow:established,to_server; content:"|2F|APR|3A 3A|SockAddr|3A 3A|port|2F|"; http_uri; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/Ui"; reference:url,www.securityfocus.com/bid/34383/info; reference:cve,2009-0796; reference:url,doc.emergingthreats.net/2010281; classtype:attempted-user; sid:2010281; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chat2hire .net in DNS Lookup)"; dns.query; content:"chat2hire.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; reference:url,doc.emergingthreats.net/2010463; reference:url,opinion.josepino.com/php/howto_website_hack1; classtype:successful-user; sid:2010463; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (chuki .mozillaupdates .us in DNS Lookup)"; dns.query; content:"chuki.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER TIEHTTP User-Agent"; flow:to_server,established; content:"User-Agent|3a| tiehttp"; nocase; reference:url,www.torry.net/authorsmore.php?id=4292; classtype:web-application-activity; sid:2011759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (click2chat .org in DNS Lookup)"; dns.query; content:"click2chat.org"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful DD-WRT Information Disclosure"; flowbits:isset,et.ddwrt.infodis; flow:established,from_server; content:"lan_mac|3A 3A|"; content:"wlan_mac|3A 3A|"; distance:0; content:"lan_ip|3A 3A|"; distance:0; content:"mem_info|3A 3A|"; distance:0; reference:url,www.exploit-db.com/exploits/15842/; classtype:successful-recon-limited; sid:2012117; rev:3; metadata:created_at 2010_12_30, updated_at 2010_12_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (cvstyler .co .in in DNS Lookup)"; dns.query; content:"cvstyler.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (daily .windowsupdates .eu in DNS Lookup)"; dns.query; content:"daily.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019244; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (dailybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"dailybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019245; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (enigma .net .in in DNS Lookup)"; dns.query; content:"enigma.net.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019246; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gozap .co .in in DNS Lookup)"; dns.query; content:"gozap.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031038; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29|20|%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019247; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (gyzu .mozillaupdates .us in DNS Lookup)"; dns.query; content:"gyzu.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031039; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019248; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (melodymate .co .in in DNS Lookup)"; dns.query; content:"melodymate.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031040; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20{%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019249; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nortonupdates .online in DNS Lookup)"; dns.query; content:".nortonupdates.online"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b|20|"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019250; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightly .windowsupdates .eu in DNS Lookup)"; dns.query; content:"nightly.windowsupdates.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%29%20%7b%20"; nocase; fast_pattern; within:15; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019251; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (nightlybuild .mozillaupdates .com in DNS Lookup)"; dns.query; content:"nightlybuild.mozillaupdates.com"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031043; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{|20|"; nocase; fast_pattern; within:6; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019252; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (orangevault .net in DNS Lookup)"; dns.query; content:"orangevault.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|{%20"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019253; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sake .mozillaupdates .us in DNS Lookup)"; dns.query; content:"sake.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031045; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019254; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (savitabhabi .co .in in DNS Lookup)"; dns.query; content:"savitabhabi.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031046; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28|20|%7b%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019255; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (sharify .co .in in DNS Lookup)"; dns.query; content:"sharify.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{|20|"; nocase; fast_pattern; within:8; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019256; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (strongbox .in in DNS Lookup)"; dns.query; content:"strongbox.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20{%20"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019257; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (teraspace .co .in in DNS Lookup)"; dns.query; content:"teraspace.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b|20|"; nocase; fast_pattern; within:10; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019258; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (titaniumx .co .in in DNS Lookup)"; dns.query; content:"titaniumx.co.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031050; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"%28%20%7b%20"; nocase; fast_pattern; within:12; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019259; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (msoftserver .eu in DNS Lookup)"; dns.query; content:".msoftserver.eu"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019260; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (microsoftupdate .in in DNS Lookup)"; dns.query; content:".microsoftupdate.in"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|{%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019261; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (wesharex .net in DNS Lookup)"; dns.query; content:"wesharex.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019262; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (x-trust .net in DNS Lookup)"; dns.query; content:"x-trust.net"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29|20|%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019263; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GravityRAT CnC Domain (zen .mozillaupdates .us in DNS Lookup)"; dns.query; content:"zen.mozillaupdates.us"; nocase; endswith; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:trojan-activity; sid:2031055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019264; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GravityRAT CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"signatureHash="; fast_pattern; content:"signatureString="; content:"userName="; content:"pcName="; content:"macId="; content:"cpuId="; content:"agent="; reference:url,securelist.com/gravityrat-the-spy-returns/99097/; classtype:command-and-control; sid:2031061; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, former_category MALWARE, malware_family GravityRAT, signature_severity Major, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20{%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019265; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enosch.A gtalk connectivity check"; flow:to_server; http.uri; content:"/index.html"; http.user_agent; content:"gtalk"; fast_pattern; bsize:5; http.host; content:"www.google.com"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,b13db8b21289971b3c88866d202fad49; classtype:trojan-activity; sid:2018508; rev:5; metadata:created_at 2014_05_30, updated_at 2020_10_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b|20|"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019266; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Dojos Downloader Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.user_agent; content:"|3a 3a|"; content:"|3a 3a 2f 2e|"; distance:0; fast_pattern; reference:md5,be75ac1d9f26bee3cfdc7bdd977c0cdd; classtype:trojan-activity; sid:2035025; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"(%29%20%7b%20"; nocase; fast_pattern; within:13; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019267; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Fire-Cloud)"; flow:established,to_server; http.user_agent; content:"Fire-Cloud"; bsize:10; reference:md5,804c8f7d3b10b421ab5c09d675644212; classtype:trojan-activity; sid:2031065; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_10_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019269; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Toplist.cz Related Spyware Checkin"; flow:to_server,established; http.user_agent; content:"BWL"; depth:3; pcre:"/^BWL(?:\sToplist|\d_UPDATE)/"; classtype:pup-activity; sid:2003505; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|%7b%20"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019270; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon"; flow:established,to_server; urilen:8; http.method; content:"GET"; http.uri; content:"/php.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"; http.user_agent; content:"Mozilla/4.0 (compatible)"; depth:24; reference:md5,cb53a6e8d65d86076fc0c94dac62aa77; classtype:command-and-control; sid:2019946; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20{|20|"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019271; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suntrust Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<!-- Inserted by miarroba"; content:"<title>SunTrust</title>"; fast_pattern; nocase; content:">For your protection"; distance:0; content:"additional security step"; distance:0; content:"name=|22|captcha|22|"; distance:0; classtype:social-engineering; sid:2031062; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_20, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_10_20;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b|20|"; nocase; fast_pattern; within:9; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019272; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=jspri.co"; nocase; endswith; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028835; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()%20%7b%20"; nocase; fast_pattern; within:11; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019273; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Staging Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=cssjs.co"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028836; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_10_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; flow:established,to_server; pcre:"/[\?\=\x3a\s\x2f]/"; content:"()|20|{%20"; nocase; fast_pattern; within:7; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019268; rev:4; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"acciaio.com.br"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:domain-c2; sid:2028843; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"ceycarb.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028844; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Insomnia Shell Outbound CMD Banner"; flow:to_server,established; content:"Shell enroute......."; depth:20; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019900; rev:1; metadata:created_at 2014_12_09, updated_at 2014_12_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"coachandcook.at"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028845; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - Landing Page"; flow:established,to_client; file_data; content:"cPanel Cracker"; classtype:trojan-activity; sid:2020096; rev:3; metadata:created_at 2015_01_06, updated_at 2015_01_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"fisioterapiabb.it"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028846; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Downloaded"; flow:established,to_client; file_data; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020555; rev:2; metadata:created_at 2015_02_24, updated_at 2015_02_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"lorriratzlaff.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028847; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt"; flow:established,to_server; content:"POST /"; depth:6; content:"search"; distance:0; content:"script_fields"; distance:0; nocase; content:".class.forName"; nocase; distance:0; content:"java.lang.Runtime"; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"mavin21c.dothome.co.kr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028848; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; fast_pattern; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"motherlodebulldogclub.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028849; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER AnonGhost PHP Webshell"; flow:from_server,established; file_data; content:"base64_decode("; content:"Bbm9uR2hvc3Qg"; fast_pattern; classtype:trojan-activity; sid:2023143; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2016_09_01, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2016_09_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"powerpolymerindustry.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028850; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 404 Not Found|0d 0a|"; depth:24; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010517; classtype:web-application-attack; sid:2010517; rev:4; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2017_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"publiccouncil.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028851; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; content:!"_VIEWSTATE"; classtype:trojan-activity; sid:2017134; rev:5; metadata:created_at 2013_07_12, updated_at 2013_07_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"rulourialuminiu.co.uk"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028852; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 1"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|09a0aa1091460d23e5a68550826b359b|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026337; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"sistemikan.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028853; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Pass 20-09-2018 2"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"String|20|PASS|20|=|20 22|098f6bcd4621d373cade4e832627b4f6|22|"; distance:0; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026338; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PolyglotDuke Domain Observed"; dns.query; content:"varuhusmc.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028854; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER JSP.SJavaWebManage WebShell Access"; flow:established,from_server; file_data; content:"|3c 25 40|page"; depth:7; content:"|22|os.name|22|"; distance:0; content:"|22|/bin/sh|22|"; distance:0; content:"getRuntime|28 29|.exec|28|"; fast_pattern; reference:md5,91eaca79943c972cb2ca7ee0e462922c; classtype:trojan-activity; sid:2026336; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_09_20, deployment Datacenter, former_category WEB_SERVER, malware_family SJavaWebManage, performance_impact Low, signature_severity Major, tag WebShell, updated_at 2018_09_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"ecolesndmessines.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CGI AWstats Migrate Command Attempt"; flow:established,to_server; content:"/awstats.pl?"; http_uri; nocase; content:"/migrate"; http_uri; pcre:"/migrate\s*=\s*\|/Ui"; reference:bugtraq,17844; reference:url,doc.emergingthreats.net/2002900; classtype:web-application-attack; sid:2002900; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MiniDuke Domain Observed"; dns.query; content:"salesappliances.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; reference:url,doc.emergingthreats.net/2002362; classtype:web-application-attack; sid:2002362; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"busseylawoffice.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028857; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/img.pl?"; http_uri; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; reference:url,doc.emergingthreats.net/2002685; classtype:web-application-attack; sid:2002685; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"fairfieldsch.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028858; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.*\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003086; classtype:web-application-attack; sid:2003086; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"ministernetwork.org"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt"; flow: to_server,established; content:"/cgi-bin/preview_email.cgi?"; http_uri; nocase; pcre:"/file=.+\.\..+\|/Ui"; reference:bugtraq,19276; reference:url,doc.emergingthreats.net/2003087; classtype:web-application-attack; sid:2003087; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"skagenyoga.com"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028860; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cisco IOS HTTP set enable password attack"; flow:established,to_server; content:"/configure/"; http_uri; content:"/enable/"; http_uri; reference:cve,2005-3921; reference:bugtraq,15602; reference:url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html; reference:url,doc.emergingthreats.net/2002721; classtype:web-application-attack; sid:2002721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FatDuke Domain Observed"; dns.query; content:"westmedicalgroup.net"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028861; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern"; flow:established,to_server; content:"/CCMAdmin/serverlist.asp?"; http_uri; nocase; content:"pattern="; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2832; reference:url,www.secunia.com/advisories/25377; reference:url,doc.emergingthreats.net/2004556; classtype:web-application-attack; sid:2004556; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LiteDuke Domain Observed"; dns.query; content:"bandabonga.fr"; nocase; endswith; reference:url,www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf; classtype:trojan-activity; sid:2028862; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_17, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure"; flow:to_server,established; content:"GET "; depth:4; content:"lastvist.html?"; http_uri; nocase; content:"domain="; http_uri; nocase; content:"../"; depth:200; reference:url,milw0rm.com/exploits/9039; reference:bugtraq,35518; reference:url,doc.emergingthreats.net/2009484; classtype:web-application-attack; sid:2009484; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"encryptit.qc.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028870; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; content:"OpenForm"; http_uri; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference:bugtraq,14845; reference:url,doc.emergingthreats.net/2002376; classtype:web-application-attack; sid:2002376; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecure.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028871; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IBM Lotus Domino Src XSS attempt"; flow:to_server,established; content:"OpenFrameSet"; http_uri; nocase; pcre:"/src=.*\"><\/FRAMESET>.*<script>.*<\/script>/iU"; reference:bugtraq,14846; reference:url,doc.emergingthreats.net/2002377; classtype:web-application-attack; sid:2002377; rev:10; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.uk.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028872; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt"; flow:established,to_server; content:"POST "; depth:5; nocase; content:"/OvCgi/OvWebHelp.exe"; http_uri; nocase; content:"Topic="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:cve,2009-4178; reference:url,doc.emergingthreats.net/2010970; classtype:web-application-attack; sid:2010970; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"chatsecurelite.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028873; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C"; flow: to_server,established; content:".aspx"; http_uri; nocase; content:"GET"; nocase; depth: 3; content:"%5C"; depth: 200; nocase; content:"aspx"; within:100; reference:url,doc.emergingthreats.net/2001343; classtype:web-application-attack; sid:2001343; rev:23; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"privatehd.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028874; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER osCommerce extras/update.php disclosure"; flow:to_server,established; content:"extras/update.php"; http_uri; nocase; reference:url,retrogod.altervista.org/oscommerce_22_adv.html; reference:url,doc.emergingthreats.net/2002864; classtype:attempted-recon; sid:2002864; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-27 CnC Domain Observed in DNS Query"; dns.query; content:"sex17.us.to"; nocase; endswith; reference:url,otx.alienvault.com/pulse/5da9dc215c51c8a86a2d19f1; classtype:domain-c2; sid:2028875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT_C_27, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports XML Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"CUSTOMIZE=/"; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*CUSTOMIZE=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html; reference:url,doc.emergingthreats.net/2002131; classtype:web-application-activity; sid:2002131; rev:11; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|0B 87 06 53 DF 3A|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028876; rev:2; metadata:created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"destype=file"; http_uri; nocase; content:"desformat="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*destype=file.*desformat=\//Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html; reference:url,doc.emergingthreats.net/2002132; classtype:web-application-activity; sid:2002132; rev:11; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Steganographic Encoded WAV File Inbound via HTTP M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"RIFF"; startswith; content:"WAVE"; distance:4; within:4; content:"|5C 99 13 6F F2 52|"; distance:32; within:6; fast_pattern; reference:url,threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html; classtype:trojan-activity; sid:2028877; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; reference:url,doc.emergingthreats.net/2002133; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 10.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/10.0."; reference:url,www.oracle.com/technetwork/java/javase/10u-relnotes-4108739.html; classtype:bad-unknown; sid:2025518; rev:5; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2018_04_19, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)"; flow:to_server,established; content:".php"; http_uri; nocase; content:"=http|3a|/"; http_uri; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui"; reference:url,doc.emergingthreats.net/2009151; classtype:web-application-attack; sid:2009151; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 12.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/12.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html; classtype:bad-unknown; sid:2028868; rev:3; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2021_12_22;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection"; flow:established,to_server; content:"/*"; http_uri; content:"*/"; http_uri; pcre:"/\x2F\x2A.+\x2A\x2F/U"; reference:url,dev.mysql.com/doc/refman/5.0/en/comments.html; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2011040; classtype:web-application-attack; sid:2011040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkRAT CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".php"; http.request_body; content:"request=YUhkcFpEM"; depth:17; fast_pattern; pcre:"/^[A-Za-z0-9\/\+\=]{100,}$/Rsi"; http.header_names; content:!"Referer"; reference:url,github.com/albertzsigovits/malware-writeups/tree/master/DarkRATv2; classtype:command-and-control; sid:2027886; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category MALWARE, malware_family DarkRAT, performance_impact Moderate, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx"; flow:established,to_server; content:"/default.aspx?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2581; reference:url,www.securityfocus.com/bid/23832; reference:url,doc.emergingthreats.net/2003903; classtype:web-application-attack; sid:2003903; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031063; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail"; flow:established,to_server; content:"/contact/contact/index.php?"; http_uri; nocase; content:"form[mail]="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003904; classtype:web-application-attack; sid:2003904; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>iServer Pro V"; fast_pattern; content:"<p>Welcome to your iServer Pro V"; distance:0; content:"<input name=|22|Password|22|"; distance:0; classtype:web-application-attack; sid:2031064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_20, deployment Perimeter, signature_severity Major, updated_at 2020_10_20;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Poison Null Byte"; flow:established,to_server; content:"|00|"; http_uri; depth:2400; reference:cve,2006-4542; reference:cve,2006-4458; reference:cve,2006-3602; reference:url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf; reference:url,doc.emergingthreats.net/2003099; classtype:web-application-activity; sid:2003099; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=.extrafeature.xyz"; nocase; endswith; reference:md5,9d479cec86ea919694dab765bba9abbd; classtype:domain-c2; sid:2028893; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_09_06, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/axis2/services/Version?"; http_uri; nocase; content:"xsd="; http_uri; nocase; content:"../"; depth:200; reference:bugtraq,40343; reference:url,doc.emergingthreats.net/2011160; classtype:web-application-attack; sid:2011160; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework"; flow:established,to_server; http.uri; pcre:"/\.(?:txt|gif|exe|bmp)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Win32|29|"; depth:41; http.header_names; content:!"Referer"; content:!"Accept"; content:"|0d 0a|User-Agent|0d 0a|HOST|0d 0a|"; depth:20; fast_pattern; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020897; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_10_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/search/query/search"; nocase; content:"search_p_groups="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=125; reference:url,doc.emergingthreats.net/2009643; classtype:web-application-attack; sid:2009643; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Steam HTTP Client User-Agent"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 300; http.user_agent; content:"SteamHTTPClient"; depth:15; endswith; classtype:policy-violation; sid:2028650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_07, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2020_10_20;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7011 (msg:"ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/consolehelp/console-help.portal"; nocase; content:"searchQuery="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,dsecrg.com/pages/vul/show.php?id=131; reference:url,doc.emergingthreats.net/2009644; classtype:web-application-attack; sid:2009644; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_26;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)"; flow:established,to_server; http.uri; content:"|25|OA"; nocase; content:"=/bin/sh+-c+'"; nocase; distance:0; fast_pattern; reference:url,github.com/neex/phuip-fpizdam; reference:url,github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043; reference:cve,2019-11043; classtype:web-application-attack; sid:2028895; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2019_10_23, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| Mozilla/4.76 [ru] (X11|3b| U|3b| SunOS 5.7 sun4u)"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011244; classtype:web-application-attack; sid:2011244; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE R980/CRYPBEE.A Ransomware Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/assets/timepicker/x.php?"; fast_pattern; http.user_agent; content:"cpp"; depth:3; reference:md5,a38e156b5c7b337ffbde6cc1ddab1004; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/; classtype:trojan-activity; sid:2023085; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_08_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_10_20, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes)"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa "; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011286; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BlackTech Plead Encrypted Payload Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|91 00 13 87 33 00 90 06 19|"; fast_pattern; reference:url,www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/; classtype:trojan-activity; sid:2027364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category MALWARE, malware_family Plead, performance_impact Low, signature_severity Major, tag APT, tag BlackTech, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt"; flow:established,to_server; content:"GET |2F|AUX HTTP|2F|1|2E|"; nocase; depth:16; reference:url,securitytracker.com/alerts/2009/Oct/1023095.html; reference:url,www.securityfocus.com/bid/36814/info; reference:url,www.securityfocus.com/archive/1/507456; reference:url,doc.emergingthreats.net/2010229; classtype:attempted-dos; sid:2010229; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT32 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cdn.redirectme.net"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028898; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT32, updated_at 2020_10_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt"; flow:to_client,established; content:"CSCO_WebVPN"; nocase; content:"csco_wrap_js"; within:100; nocase; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18442; reference:url,www.securityfocus.com/archive/1/504516; reference:url,www.securityfocus.com/bid/35476; reference:cve,2009-1201; reference:cve,2009-1202; reference:url,doc.emergingthreats.net/2010730; classtype:web-application-attack; sid:2010730; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"czinfo.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028899; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 405 Method Not Allowed|0d 0a|"; depth:33; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010519; classtype:web-application-attack; sid:2010519; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"pegasusco.net"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028900; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source)"; flow:from_server,established; content:"HTTP/1.1 406 Not Acceptable|0d 0a|"; depth:29; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010521; classtype:web-application-attack; sid:2010521; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"smilekeepers.co"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028901; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 500 Internal Server Error|0d 0a|"; depth:36; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010524; classtype:web-application-attack; sid:2010524; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"crabbedly.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028902; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source)"; flow:from_server,established; content:"HTTP/1.1 503 Service Unavailable|0d 0a|"; depth:34; nocase; content:"<script"; nocase; within:512; reference:url,doc.emergingthreats.net/2010526; classtype:web-application-attack; sid:2010526; rev:4; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"indagator.club"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028903; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_password attempt"; flow:to_server,established; content:"sp_password"; nocase; reference:url,doc.emergingthreats.net/2000105; classtype:attempted-user; sid:2000105; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus CnC Domain Observed in DNS Query"; dns.query; content:"craypot.live"; nocase; endswith; reference:url,blog.alyac.co.kr/2388; classtype:domain-c2; sid:2028904; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:6; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"microsofte-update.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028909; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MSSQL Server OLEDB asp error"; flow: established,from_server; content:"Microsoft OLE DB Provider for SQL Server error"; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm; reference:url,doc.emergingthreats.net/2001768; classtype:web-application-activity; sid:2001768; rev:12; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"pasta58.com"; nocase; endswith; reference:url,threatrecon.nshc.net/2019/10/24/sectord01-when-anime-goes-cyber/; classtype:trojan-activity; sid:2028910; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011287; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"study---hard.medianewsonline.com"; nocase; endswith; classtype:domain-c2; sid:2028921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Local Website Infected By Gootkit"; flow:established,from_server; content:"Gootkit iframer component"; nocase; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011289; rev:4; metadata:created_at 2010_09_28, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky CnC Domain Observed in DNS Query"; dns.query; content:"sportsgame.mypressonline.com"; nocase; endswith; classtype:domain-c2; sid:2028922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Successful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt"; flow:established,from_server; content:"Juniper Networks, Inc"; content:"Version|3A|"; within:100; content:"ScreenOS"; distance:0; reference:url,securitytracker.com/alerts/2009/Apr/1022123.html; reference:url,www.securityfocus.com/bid/34710; reference:url,seclists.org/bugtraq/2009/Apr/242; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05; reference:url,doc.emergingthreats.net/2010162; classtype:attempted-recon; sid:2010162; rev:5; metadata:created_at 2010_07_30, updated_at 2019_09_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"cdnpps.us"; nocase; endswith; classtype:domain-c2; sid:2028924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unk/LNKR CnC Domain Observed in DNS Query"; dns.query; content:"thisadsfor.us"; nocase; endswith; classtype:domain-c2; sid:2028925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?token="; fast_pattern; content:"&computername="; distance:0; content:"&username="; distance:0; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031072; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda/RedDelta Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?api=40"; fast_pattern; endswith; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML|2e 20|like|20|Gecko)|20|Chrome/72.0.3626.121|20|Safari/537.36"; reference:url,twitter.com/IntezerLabs/status/1316384526323638274; reference:md5,1ec914ef8443a1fb259c79b038e64ebf; classtype:trojan-activity; sid:2031073; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MustangPanda, tag RedDelta, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Texas, O=lol, OU=, CN=topbackupintheworld.com"; bsize:60; reference:url,twitter.com/malwrhunterteam/status/1318904041590718469; reference:md5,45ed8898bead32070cf1eb25640b414c; classtype:domain-c2; sid:2031069; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:8; metadata:created_at 2013_08_31, updated_at 2019_10_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (StrongPity CnC)"; flow:from_server,established; tls.cert_serial; content:"0E:4D:5A:5C:F8:C9"; classtype:domain-c2; sid:2028926; rev:2; metadata:attack_target Client_and_Server, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER log4jAdmin access from non-local network Page Body (can modify logging levels)"; flow:established,from_server; file_data; content:"<title>Log4J Administration</title>"; fast_pattern; content:"Change Log Level To"; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018203; rev:3; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2019_10_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity CnC Domain Observed in DNS Query"; dns.query; content:"upd32-secure-serv4.com"; nocase; endswith; classtype:trojan-activity; sid:2028927; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Cookie"; flow:to_server,established; content:"c99shcook"; nocase; fast_pattern; pcre:"/c99shcook/Ci"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018602; rev:3; metadata:created_at 2014_06_24, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer IP Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?action=getIP"; fast_pattern; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028929; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, signature_severity Major, updated_at 2020_10_21;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; flow:to_server,established; content:"|28 29 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019291; rev:3; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Screenshot Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|screenshot_"; content:".jpeg|22|"; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028930; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; flow:to_server,established; content:"|28 29 0d 0a 20 7b|"; fast_pattern; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; classtype:attempted-admin; sid:2019292; rev:4; metadata:created_at 2014_09_28, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.L4L Stealer Systeminfo Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action=upload&host="; fast_pattern; content:"@"; distance:0; http.request_body; content:"filename=|22|system.info|22|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,918ffdba1014ec647ae24ddc9de9fde9; classtype:command-and-control; sid:2028931; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_31, deployment Perimeter, former_category TROJAN, malware_family MSIL_L4L, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev udp Inbound to WebServer"; flow:established,to_server; content:"/dev/udp/"; fast_pattern; classtype:bad-unknown; sid:2019314; rev:4; metadata:created_at 2014_09_29, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CryptInject.BE!MTB Stealer CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"logs=ey"; startswith; fast_pattern; isdataat:10000,relative; http.header_names; content:!"Referer"; reference:md5,644b45001c0e0af1c0a208ffad79e316; classtype:command-and-control; sid:2028932; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_17, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible bash shell piped to dev tcp Inbound to WebServer"; flow:established,to_server; content:"/dev/tcp/"; fast_pattern; classtype:bad-unknown; sid:2019285; rev:4; metadata:created_at 2014_09_26, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Connectivity Check"; flow:established,to_server; urilen:15; http.method; content:"HEAD"; http.uri; content:"/view/index.php"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt"; flow:established,to_server; content:" HTTP/1."; pcre:"/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s"; content:"|28 29 20 7b|"; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view/index.php?id="; depth:19; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20 20|Windows NT 6.1)"; fast_pattern; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo.NG Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"versiya="; fast_pattern; content:"comp="; content:"id="; http.header_names; content:!"Referer"; reference:md5,a7183477c46a767a72caebee066dce39; classtype:command-and-control; sid:2034344; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_29, deployment Perimeter, former_category MALWARE, malware_family Stealer, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.5 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029862; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Capesand EK Visitor Tracking"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add_visitor.php?referrer=http"; depth:30; fast_pattern; http.header; content:"/landing.php|0d 0a|"; classtype:exploit-kit; sid:2028939; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER X-Sec Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>X-Sec Shell V."; nocase; fast_pattern; classtype:web-application-attack; sid:2029864; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P FFTorrent P2P Client User-Agent (FFTorrent/x.x.x)"; flow:to_server,established; http.user_agent; content:"FFTorrent/"; depth:10; classtype:policy-violation; sid:2028942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 4.2.5 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.5</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029868; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Turla CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsme.info"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028944; rev:2; metadata:attack_target Client_and_Server, created_at 2019_11_05, deployment Perimeter, former_category MALWARE, malware_family Turla, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 4.2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 4.2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029870; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Microsoft Account Phish 2019-11-06"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&ps="; nocase; distance:0; content:"&psRNGCDefaultType="; nocase; distance:0; fast_pattern; content:"&FoundMSAs="; nocase; distance:0; content:"&i19="; nocase; distance:0; classtype:credential-theft; sid:2029681; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Kageyama Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<H1><center>Shell Kageyama</center></H1>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029872; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"userid="; depth:7; nocase; content:"&psw="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028945; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029874; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2019-11-06"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pd="; nocase; fast_pattern; distance:0; classtype:credential-theft; sid:2028946; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER MINI MO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MINI MO Shell</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029876; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinum APT Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"|3b 20|Win64|3b 20|x64|3b 20|rv|3a|42.0"; http.header; content:"AcceptanceID|3a|"; fast_pattern; reference:url,securelist.com/titanium-the-platinum-group-strikes-again/94961/; classtype:command-and-control; sid:2028959; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag PLATINUM, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>"; fast_pattern; classtype:web-application-attack; sid:2029883; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-set.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028961; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form   method=|20 22|post|22 20|action=|20 22 22|> <input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value="; fast_pattern; classtype:web-application-attack; sid:2029885; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"micro-office.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028962; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Anonymous Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>AnonyMous SHell</title>"; nocase; fast_pattern; content:"id=|22|pageheading|22|>AnonyMous SHell"; nocase; distance:0; classtype:web-application-attack; sid:2029887; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Critical, updated_at 2020_04_13;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mini Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<tr><td>Current Path : <a href=|22|?path=/"; nocase; content:"<tr class=|22|first|22|>"; nocase; distance:0; content:"<td><center>File/Folder Name</center></td>"; nocase; distance:0; content:"<td><center>Size</center></td>"; nocase; distance:0; content:"<td><center>Permissions</center></td>"; nocase; distance:0; content:"<td><center>Options</center></td>"; nocase; distance:0; content:"<td><center><form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; fast_pattern; content:"<td><a href=|22|?filesrc="; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<option value=|22|edit|22|>Edit</option>"; nocase; distance:0; classtype:web-application-attack; sid:2029889; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, signature_severity Major, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Almashreq CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"MS|20|Web|20|Services|20|Client|20|Protocol"; fast_pattern; http.request_body; content:"<?xml"; depth:5; content:"<PCName>"; distance:0; content:"<|2f|PCName>"; distance:0; content:!"<SiteID>"; http.header_names; content:"SOAPAction"; content:!"Referer"; classtype:command-and-control; sid:2027353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file_data; content:"<form method=post>password<br><input type=password name=pass style=|22|background-color:whitesmoke|3b|border:1px solid #fff|3b|outline:none|3b|' required>"; content:"<input type=submit name=|22|watching|22 20|value=|22|submit|22 20|style=|22|border:none|3b|background-color:#56ad15|3b|color:#fff|3b|cursor:pointer|3b 22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029891; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_13, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Extraction"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=exe"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_11_11;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='submit' style='border:none|3b|background-color:#56AD15|3b|color:#fff|3b|cursor:pointer|3b|'></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029901; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Critical, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Payload Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?a=run"; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028965; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form action=|22 22 20|method=|22|post|22|><input type=|22|text|22 20|name=|22|_nv|22|><input type=|22|submit|22 20|value=|22|>>|22|></form>"; distance:0; fast_pattern; classtype:web-application-attack; sid:2029903; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Update Request"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/api/update/"; depth:12; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029077; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Leaf PHPMailer"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2029905; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Major, updated_at 2020_04_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible APT33 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dyn-intl.world-careers.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2028968; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag APT33, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Owl PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Owl PHPMailer"; fast_pattern; content:"function stopSending()"; content:"function startSending()"; classtype:web-application-attack; sid:2029907; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_04_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain Observed in DNS Query"; dns.query; content:"office-crash.ddns.net"; nocase; endswith; classtype:domain-c2; sid:2028969; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<input type=password name=pass style='background-color:whitesmoke|3b|border:1px solid #FFF|3b|outline:none|3b|' required>"; content:"<input type=submit name='watching' value='>>' style="; distance:0; fast_pattern; classtype:web-application-attack; sid:2029909; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_14, deployment Perimeter, signature_severity Critical, updated_at 2020_04_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Internet Security Damaged !!! Call Help Desk"; nocase; classtype:social-engineering; sid:2028970; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<font><font>file Manager</font></font>"; nocase; distance:0; content:"<font><font>Back Connect"; nocase; distance:0; content:"<font><font>CgiShell</font></font>"; nocase; distance:0; content:"<font><font>Symlink</font></font>"; nocase; distance:0; content:"Mailer</font></font>"; nocase; distance:0; content:"<font><font>Auto r00t</font></font>"; nocase; distance:0; content:"<font><font>Upload</font></font>"; nocase; distance:0; content:"Exploiter & scan Tools</font></font>"; nocase; distance:0; fast_pattern; content:"<font><font>Self remove</font></font>"; nocase; distance:0; classtype:web-application-attack; sid:2029917; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Critical, updated_at 2020_04_15;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam 2019-11-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Official Windows Notification"; nocase; fast_pattern; content:"Call Windows Technical Support"; nocase; distance:0; classtype:social-engineering; sid:2028971; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|description|22 20|content=|22|This Mini Shell"; nocase; content:"<meta name=|22|author|22 20|content=|22|An0n 3xPloiTeR"; fast_pattern; distance:0; nocase; classtype:web-application-attack; sid:2029919; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Landing Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.htm$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028979; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WSO 2.6 Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WSO 2.6</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2029935; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Flash Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-z.-]+\/[a-f0-9]{40}\/[a-z.-]+\/[a-z0-9]+\.swf$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2028980; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>DRIV3R KR PRIV8 MAILER"; fast_pattern; nocase; classtype:web-application-attack; sid:2029937; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"[Byte[]]$image = 0x4d, 0x5a,|20|"; depth:29; fast_pattern; pcre:"/^(?:0x[a-f0-9]{1,2}, ){500}/R"; classtype:exploit-kit; sid:2028982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<meta name=|22|Description|22 20|content=|22|Mr.Rm19"; nocase; content:">Time On Server : <font color="; nocase; distance:0; content:">Server IP : <font color="; nocase; distance:0; content:">Current Dir : </font><a href="; nocase; distance:0; content:">Mass Deface</a>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029939; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:".xyz"; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|x-flash-version|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; depth:110; endswith; fast_pattern; classtype:exploit-kit; sid:2028973; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|20 7c 20|Log In|20 7c 20|Power Mailer Inbox"; nocase; content:"</a>Welcome To Power Mailer Inbox"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; http.stat_code; content:"200"; http.cookie; content:"__cfduid="; http.content_type; content:"image/jpeg"; bsize:10; file.data; content:"|20 2e 20|$Env|3a|comSPEC["; depth:16; nocase; fast_pattern; content:"]-joIN|27 27|)( -JoiN(|20 27|"; nocase; within:30; classtype:exploit-kit; sid:2028976; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>F. Mortolino</title>"; nocase; content:"MortoLino - mode*SPAMMER"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2029943; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash HEAD Request"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; classtype:exploit-kit; sid:2028977; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GwEx Mailer"; nocase; fast_pattern; content:">GwEx Mailer </font>"; nocase; distance:0; classtype:web-application-attack; sid:2029945; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Flash GET Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".swf"; endswith; http.host; content:"rawcdn.githack.com"; fast_pattern; depth:18; endswith; http.cookie; content:"__cfduid="; depth:9; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:"|0d 0a|x-flash-version|0d 0a|"; distance:0; classtype:exploit-kit; sid:2028978; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>W0rmVps PRIV8 MAILER"; nocase; fast_pattern; classtype:web-application-attack; sid:2029947; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework Payload"; flow:established,to_client; content:"|0d 0a 0d 0a 20 28 20 27|"; fast_pattern; http.stat_code; content:"200"; http.content_type; content:"image/jpeg"; depth:10; endswith; http.content_len; byte_test:0,>,100000,0,string,dec; file.data; content:"|20 28 20 27|"; depth:4; pcre:"/^[0-9_,{AbZwP&-]{2000}/R"; classtype:exploit-kit; sid:2028981; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_14, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>SMTP Mailer</title>"; nocase; fast_pattern; content:">Inbox SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2029949; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Buer Loader)"; flow:established,to_client; tls.cert_subject; content:"CN=prioritywireless.club"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:command-and-control; sid:2029080; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2020_10_21;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer Inbox"; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2029951; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_17, deployment Perimeter, signature_severity Critical, updated_at 2020_04_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asd.stylesheet.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029004; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_19, deployment Perimeter, former_category MALWARE, malware_family YTY_Framework, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_10_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER perl post attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/perl/"; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:2101979; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd%20/tmp|3b|wget%20"; depth:24; fast_pattern; http.header.raw; content:"Mozilla/5.0%20(Windows|3b|%20U|3b|%20Windows%20NT"; reference:md5,a26f67a1d0a50af72c5fd9c94e9f5a1c; classtype:web-application-attack; sid:2029008; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_11_20, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Oracle Java Process Manager access"; flow:to_server,established; http.uri; content:"/oprocmgr-status"; reference:nessus,10851; classtype:web-application-activity; sid:2101874; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; http.uri; content:!"/CallParrotWebClient/"; http.header.raw; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http.user_agent; content:"Mozilla/4.0"; fast_pattern; nocase; bsize:11; http.host; content:!"www.google.com"; content:!"secure.logmein.com"; content:!"weixin.qq.com"; content:!"slickdeals.net"; content:!"cloudera.com"; content:!"secure.digitalalchemy.net.au"; content:!".ksmobile.com"; content:!"gstatic.com"; content:!".cmcm.com"; content:!".deckedbuilder.com"; content:!".mobolize.com"; content:!"wq.cloud.duba.net"; content:!"infoc2.duba.net"; content:!".bitdefender.net"; reference:url,doc.emergingthreats.net/2003492; classtype:bad-unknown; sid:2003492; rev:34; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service"; flow:to_server,established; urilen:>1400; http.uri; content:"|2F 3F|P|3D 2A 3F 2A 3F 2A 3F 2A 3F 2A 3F|"; pcre:"/(?:\x2a\x3f){700}/"; reference:cve,2011-0419; reference:url,cxib.net/stuff/apr_fnmatch.txt; reference:url,bugzilla.redhat.com/show_bug.cgi?id=703390; classtype:attempted-dos; sid:2012926; rev:4; metadata:created_at 2011_06_02, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (lol)"; flow:established,to_client; tls.cert_subject; content:", O=lol, "; fast_pattern; tls.cert_issuer; content:", O=lol, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031133; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; http.uri; content:"/perl?"; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SolarSys CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /login.php "; startswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Win64|3b 20|x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"; bsize:114; fast_pattern; http.request_body; content:"id="; nocase; startswith; pcre:"/^[A-F0-9]{128}$/R"; reference:url,blog.360totalsecurity.com/en/secret-stealing-trojan-active-in-brazil-releases-the-new-framework-solarsys/; classtype:command-and-control; sid:2031070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=file|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013002; rev:6; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Authentication Bypass Attempt Inbound (CVE-2020-8193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&sid=loginchallenge"; content:"&username=nsroot"; distance:0; fast_pattern; http.request_body; content:"<appfwprofile"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8193; classtype:attempted-admin; sid:2031067; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8193, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=php|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Information Disclosure Attempt Inbound (CVE-2020-8195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?filter=path|3a 25|2F"; fast_pattern; http.request_body; content:"<clipermission"; startswith; reference:url,research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/; reference:cve,2020-8195; classtype:attempted-admin; sid:2031068; rev:1; metadata:created_at 2020_10_21, cve CVE_2020_8195, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftps|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013000; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity"; flow:established,to_client; dsize:41; content:"|00 27 00 00 00 01 00 00 00 15 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 65 73 6b 74 6f 70 00 00 00 05 2a 2e 74 78 74 05|"; fast_pattern; reference:url,twitter.com/executemalware/status/1318689700882821120; reference:md5,aac706fe42b4a03cac17330bfcd8d9ea; classtype:trojan-activity; sid:2031074; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ftp Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ftp|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012999; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible T-RAT Encrypted Zip Request"; flow:established,to_server; http.uri; content:".jpg"; offset:7; depth:4; http.accept; content:"*/*"; bsize:3; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20 2e|NET4.0C|3b 20 2e|NET4.0E|3b 20 2e|NET CLR 2.0.50727|3b 20 2e|NET CLR 3.0.30729|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.3)"; bsize:162; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1304006897729761280; reference:url,www.gdatasoftware.com/blog/trat-control-via-smartphone; classtype:command-and-control; sid:2031081; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible https Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=https|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2012998; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MassLogger Client Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ID|22 3a 22|"; startswith; content:"|22 2c 22|User|22 3a 22|"; content:"|22 2c 22|Country|22 3a 22|"; content:"|22 2c 22|Date|22 3a 22|"; content:"|22 2c 22|Image|22 3a|"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1305509852362338304; reference:url,app.any.run/tasks/010a8af5-97bd-4e27-961d-8d202a9d6f29/; reference:md5,0a838f0ecff085eb611e41acf78a9682; classtype:trojan-activity; sid:2030878; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible zlib Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=zlib|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013014; rev:6; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/pause"; bsize:10; http.header; content:"Update|3a 20|/act/pause|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,1c3dde885aa3cc2d7c24b7e13cccc941; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031084; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=data|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013003; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bazaloader Variant Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/act/resume"; bsize:11; http.header; content:"Update|3a 20|/act/resume|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:url,twitter.com/James_inthe_box/status/1319298609255383040; classtype:trojan-activity; sid:2031085; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible glob Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=glob|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013004; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic File Upload Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible phar Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=phar|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013005; rev:6; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic File Upload Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ssh2 Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ssh2|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013006; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible rar Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=rar|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013007; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible ogg Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=ogg|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013008; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP FLV/Youtube Downloader Install Activity"; flow:established,to_server; http.request_line; content:"GET /images/downloader/pixel.gif?action=install&"; startswith; content:"&lngid="; content:"cid="; content:"&kt=flvd"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,3af4b637e16922fdceaff00d64e98f53; classtype:pup-activity; sid:2031082; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Possible expect Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:".php?"; content:"=expect|3a|//"; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013009; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; http.method; content:"PUT"; http.request_body; content:"<title>.|3a 3a|[+] Defaced by "; nocase; classtype:web-application-attack; sid:2013365; rev:3; metadata:created_at 2011_08_05, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DNS changer cPanel attempt"; flow:to_server,established; http.request_body; content:"pwCfm=Dn5Ch4ng3"; classtype:web-application-attack; sid:2013921; rev:3; metadata:created_at 2011_11_18, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE [PTsecurity] Spyware.BondPath (PathCall/Dingwe) Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"backup.php"; http.header; content:"Content-Length|3a 20|"; depth:20; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; http.user_agent; content:"Apache-HttpClient"; depth:17; http.request_body; content:"type="; depth:5; fast_pattern; content:"data="; content:"hash="; reference:url,www.fortinet.com/blog/threat-research/android-bondpath--a-mature-spyware.html; classtype:trojan-activity; sid:2026039; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MOBILE_MALWARE, malware_family BondPath, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:3; metadata:created_at 2011_12_10, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=generalmusician.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029047; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; http.uri; content:"/jmx-console/HtmlAdaptor?"; nocase; content:"Runtime.getRuntime().exec("; reference:cve,2010-0738; classtype:web-application-activity; sid:2014018; rev:3; metadata:created_at 2011_12_10, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"76:DC:D7:09:68:53:16:74:BB:A8:7B:CC:DE:C4:9D:66:77:43:34:DC"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029048; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ASP.NET Forms Authentication Bypass"; flow:to_server,established; content:"CreateUserStepContainer"; content:"UserName="; distance:0; content:"%00"; distance:0; pcre:"/UserName\x3d[^\x26]+\x2500/"; http.uri; content:"/CreatingUserAccounts.aspx"; reference:cve,2011-3416; classtype:attempted-user; sid:2014100; rev:4; metadata:created_at 2012_01_03, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ACBackdoor CnC)"; flow:established,from_server; tls.cert_serial; content:"0E:4F:8B:2C:65:0A"; reference:url,www.intezer.com/blog-acbackdoor-analysis-of-a-new-multiplatform-backdoor/; classtype:domain-c2; sid:2029049; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family ACBackdoor, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER mod_gzip_status access"; flow:to_server,established; http.uri; content:"/mod_gzip_status"; reference:nessus,11685; classtype:web-application-activity; sid:2102156; rev:6; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Possible Godlua CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fullmeshnet.eu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029050; rev:3; metadata:attack_target Client_and_Server, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, malware_family Godlua, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER globals.pl access"; flow:to_server,established; http.uri; content:"/globals.pl"; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2102073; rev:7; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DoH Service)"; flow:from_server,established; tls.cert_subject; content:"CN=www.rubyfish.cn"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:policy-violation; sid:2029051; rev:3; metadata:created_at 2019_11_21, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag DNS_over_HTTPS, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /etc/shadow Detected in URI"; flow:to_server,established; http.uri; content:"/etc/shadow"; nocase; reference:url,en.wikipedia.org/wiki/Shadow_password; reference:url,doc.emergingthreats.net/2009485; classtype:attempted-recon; sid:2009485; rev:7; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (ph0ne)"; flow:established,to_server; http.user_agent; content:"ph0ne"; startswith; classtype:trojan-activity; sid:2028989; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER eval/base64_decode Exploit Attempt Inbound"; flow:established,to_server; http.uri; content:"eval|28|base64_decode|28|"; classtype:web-application-attack; sid:2014296; rev:3; metadata:created_at 2012_02_29, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029015; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command"; flow:established,to_server; http.uri; content:"sp_configure"; nocase; reference:url,technet.microsoft.com/en-us/library/ms188787.aspx; reference:url,technet.microsoft.com/en-us/library/ms190693.aspx; classtype:web-application-attack; sid:2011424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:attempted-admin; sid:2029016; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER apache ?M=D directory list attempt"; flow:to_server,established; http.uri; content:"/?M=D"; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:2101519; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:attempted-admin; sid:2029017; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat server snoop access"; flow:to_server,established; http.uri; content:"/jsp/snp/"; content:".snp"; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:2101108; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:attempted-admin; sid:2029018; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER Tomcat directory traversal attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:2101055; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:attempted-admin; sid:2029019; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /~root access"; flow:to_server,established; http.uri; content:"/~root"; nocase; classtype:attempted-recon; sid:2101145; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:attempted-admin; sid:2029020; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; http.uri; content:".htaccess"; nocase; classtype:attempted-recon; sid:2101129; rev:9; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:attempted-admin; sid:2029021; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/ksh"; nocase; classtype:web-application-attack; sid:2011467; rev:6; metadata:created_at 2010_09_10, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:attempted-admin; sid:2029024; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/tsh"; nocase; classtype:web-application-attack; sid:2011466; rev:6; metadata:created_at 2010_09_10, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Kayla"; startswith; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/"; classtype:attempted-admin; sid:2029023; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/sh"; nocase; classtype:web-application-attack; sid:2011465; rev:8; metadata:created_at 2010_10_13, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook Phishing Landing 2020-10-23"; flow:established,to_client; file.data; content:"var str =  'Sign in to Outlook'|3b|"; content:"$(|22|#add_pass|22|).show()|3b|"; content:"$('#email').val('')|3b|"; content:"function set_brand("; content:"function true_email("; fast_pattern; classtype:social-engineering; sid:2031086; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; content:"/bin/csh"; nocase; classtype:web-application-attack; sid:2011464; rev:5; metadata:created_at 2010_09_10, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:attempted-admin; sid:2029026; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER DELETE attempt"; flow:to_server,established; http.method; content:"DELETE"; nocase; reference:nessus,10498; classtype:web-application-activity; sid:2101603; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^DEMONS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"DEMONS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029027; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Apache DDos UA Observed (DDos Apache) Outbound"; flow:established,to_server; http.header; content:"User-Agent|3a 20|DDos Apache"; classtype:attempted-dos; sid:2029983; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_21, deployment Perimeter, signature_severity Major, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hakai(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hakai"; fast_pattern; startswith; classtype:web-application-attack; sid:2029028; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt"; flow:established,to_server; http.uri; content:"|3a|$INDEX_ALLOCATION"; nocase; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html; classtype:bad-unknown; sid:2014886; rev:3; metadata:created_at 2012_06_11, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Messiah(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Messiah"; fast_pattern; startswith; classtype:web-application-attack; sid:2029029; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; http.uri; content:"@@version"; nocase; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:3; metadata:created_at 2012_06_14, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Liquor(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Liquor"; fast_pattern; startswith; classtype:web-application-attack; sid:2029030; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect"; flow:established,to_server; http.uri; content:"/rds-help/advanced/deferredView.jsp?"; nocase; content:"href="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014986; rev:3; metadata:created_at 2012_06_29, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"B4ckdoor"; bsize:8; classtype:web-application-attack; sid:2029031; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/rds-help/advanced/deferredView.jsp?"; nocase; content:"href="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|javascript)/Ri"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014987; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Nija(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Nija"; fast_pattern; startswith; classtype:web-application-attack; sid:2029032; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; content:"func="; nocase; content:"root="; nocase; content:"path="; nocase; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:3; metadata:created_at 2012_07_07, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Gemini(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Gemini"; fast_pattern; startswith; classtype:web-application-attack; sid:2029033; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; http.uri; content:"BULK"; nocase; content:"INSERT"; nocase; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Kayla(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Kayla"; fast_pattern; startswith; classtype:web-application-attack; sid:2029035; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; http.uri; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; content:".php"; nocase; distance:0; classtype:bad-unknown; sid:2015518; rev:6; metadata:created_at 2012_07_24, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Sector(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Sector"; fast_pattern; startswith; classtype:web-application-attack; sid:2029036; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; http.user_agent; content:"Googlebot-"; fast_pattern; nocase; content:!"Googlebot-News"; startswith; content:!"Googlebot-Image/1.0"; startswith; content:!"Googlebot-Video/1.0"; startswith; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)"; endswith; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:3; metadata:created_at 2012_07_26, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^OSIRIS(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"OSIRIS"; fast_pattern; startswith; classtype:web-application-attack; sid:2029038; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; http.uri; content:"python "; nocase; classtype:web-application-attack; sid:2101350; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (lessie)"; flow:established,to_server; http.user_agent; content:"lessie"; nocase; depth:6; pcre:"/^lessie(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027130; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; http.uri; content:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:2100952; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Cakle)"; flow:established,to_server; http.user_agent; content:"Cakle"; nocase; depth:5; pcre:"/^Cakle(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027132; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; http.uri; content:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:2100951; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Damien)"; flow:established,to_server; http.user_agent; content:"Damien"; nocase; depth:6; pcre:"/^Damien(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027134; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100958; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Solar)"; flow:established,to_server; http.user_agent; content:"Solar"; nocase; depth:5; pcre:"/^Solar(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027136; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; http.uri; content:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100959; rev:10; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (muhstik)"; flow:established,to_server; http.user_agent; content:"muhstik"; nocase; depth:7; pcre:"/^muhstik(?:-scan)?(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027138; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100961; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Shaolin)"; flow:established,to_server; http.user_agent; content:"Shaolin"; nocase; depth:7; pcre:"/^Shaolin(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027140; rev:3; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100965; rev:13; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Rift)"; flow:established,to_server; http.user_agent; content:"Rift"; nocase; depth:4; pcre:"/^Rift(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027120; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; http.uri; content:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:2100994; rev:11; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Tsunami)"; flow:established,to_server; http.user_agent; content:"Tsunami"; nocase; depth:7; pcre:"/^Tsunami(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027122; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; http.uri; content:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:2101016; rev:16; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yowai)"; flow:established,to_server; http.user_agent; content:"Yowai"; nocase; depth:5; pcre:"/^Yowai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027124; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; http.uri; content:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:14; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Yakuza)"; flow:established,to_server; http.user_agent; content:"Yakuza"; nocase; depth:6; pcre:"/^Yakuza(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027126; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; http.uri; content:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:2101403; rev:12; metadata:created_at 2010_09_23, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (Hentai)"; flow:established,to_server; http.user_agent; content:"Hentai"; nocase; depth:6; pcre:"/^Hentai(?:\/[0-9]\.0)?$/i"; classtype:trojan-activity; sid:2027128; rev:4; metadata:attack_target IoT, created_at 2019_03_27, deployment Perimeter, former_category USER_AGENTS, malware_family Mirai, performance_impact Low, signature_severity Informational, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; http.stat_code; content:"403"; classtype:attempted-recon; sid:2101201; rev:11; metadata:created_at 2010_09_23, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/"; depth:8; http.host; content:!"login.live.com"; endswith; content:!"google.com"; endswith; content:!"www.bing.com"; endswith; content:!"yandex.ru"; endswith; content:!"linkedin.com"; endswith; http.connection; content:"close"; nocase; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:25; metadata:created_at 2010_10_02, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Brutus Scan Inbound"; flow:established,to_server; http.user_agent; content:"Brutus/AET"; classtype:attempted-recon; sid:2015703; rev:4; metadata:created_at 2012_09_17, updated_at 2020_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Various Crimeware)"; flow:established,to_client; tls.cert_subject; content:"CN=uloab.com"; endswith; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; classtype:trojan-activity; sid:2029053; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"POST"; http.uri; content:"/wp-login.php"; nocase; http.request_body; content:"log|3d|"; content:"pwd|3d|"; classtype:attempted-recon; sid:2014020; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Zmap User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 zgrab/0.x"; depth:21; endswith; classtype:network-scan; sid:2029054; rev:2; metadata:created_at 2019_11_26, former_category SCAN, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell)"; flow:from_server,established; http.content_type; content:"image/"; startswith; file.data; content:"eval(gzinflate(base64_decode("; distance:0; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html; classtype:attempted-user; sid:2015755; rev:4; metadata:created_at 2012_10_02, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Mylegion666)"; flow:established,to_server; http.user_agent; content:"Mylegion666"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029061; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WebResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:7; metadata:created_at 2010_10_13, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (YourUserAgent)"; flow:established,to_server; http.user_agent; content:"YourUserAgent"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029062; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; http.cookie; content:"visitz="; file.data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:3; metadata:created_at 2012_10_18, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (salmonella-symptome)"; flow:established,to_server; http.user_agent; content:"salmonella-symptome"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029063; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data\; name=|22|a|22|"; content:"form-data\; name=|22|c|22|"; content:"form-data\; name=|22|p1|22|"; classtype:attempted-user; sid:2015920; rev:3; metadata:created_at 2012_11_21, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (suspira)"; flow:established,to_server; http.user_agent; content:"suspiria"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|from|22|"; content:"form-data|3b| name=|22|realname|22|"; content:"form-data|3b| name=|22|amount|22|"; classtype:web-application-activity; sid:2015924; rev:3; metadata:created_at 2012_11_24, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (lilith)"; flow:established,to_server; http.user_agent; content:"lilith"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b| name=|22|formSubmited|22|"; content:"form-data|3b| name=|22|scriptPassword|22|"; classtype:misc-activity; sid:2015937; rev:8; metadata:created_at 2012_11_27, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (legion)"; flow:established,to_server; http.user_agent; content:"legion"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029066; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdoored Version calls home"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/x.php"; http.host; content:"prostoivse.com"; endswith; http.request_body; content:"reff="; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:5; metadata:created_at 2012_11_28, former_category WEB_SERVER, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (the devil)"; flow:established,to_server; http.user_agent; content:"The devil come to me"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029067; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; nocase; http.uri; content:"/CFIDE/wizards/common/_logintowizard.cfm"; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:5; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"fuck u"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029068; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/archives/index.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011359; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (Amen)"; flow:established,to_server; http.user_agent; content:"Amen"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/enter.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:6; metadata:created_at 2010_09_28, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (satan)"; flow:established,to_server; http.user_agent; content:"satan"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dir="; content:"&sort="; content:"&command="; content:"&Submit="; classtype:attempted-user; sid:2016153; rev:4; metadata:created_at 2013_01_04, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (neva-project)"; flow:established,to_server; http.user_agent; content:"neva-project"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion adminapi access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/adminapi"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016183; rev:5; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter Download Observed"; flow:established,to_server; http.user_agent; content:"PCHunter"; depth:8; reference:url,www.bleepingcomputer.com/download/pc-hunter/; classtype:misc-activity; sid:2031087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_10_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion componentutils access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/componentutils"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016182; rev:7; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Magecart)"; flow:established,to_client; tls.cert_subject; content:"OU=Domain Control Validated, OU=PositiveSSL Multi-Domain, CN=marketplace-magento.com"; fast_pattern; tls.cert_issuer; content:"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"; classtype:trojan-activity; sid:2029072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/CFIDE/administrator"; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:6; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Pavica.FH Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/command.php?t=1&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT)"; reference:md5,704f7e92de304744ad8b3a839550084c; reference:url,app.any.run/tasks/2acce298-8180-47fd-befc-9f380468dbe4/; reference:url,twitter.com/jstrosch/status/1319704698031640577; classtype:command-and-control; sid:2031096; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_23;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Non-Standard HTML page in Joomla /com_content/ dir"; flow:established,to_server; http.uri; content:"/components/com_content/"; content:!"index.html"; nocase; within:10; content:".html"; nocase; distance:0; classtype:bad-unknown; sid:2016311; rev:7; metadata:created_at 2013_01_30, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Magecart Credit Card Information JS Script"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; depth:22; endswith; file.data; content:"|20|Sxml_cc_cid"; nocase; content:"Sxml_cc_number"; nocase; distance:0; content:"Sxml_expiration_yr"; nocase; distance:0; content:"ccnum+|22 3b 22|+exp_m+|22 3b 22|+exp_y+|22 3b 22|+cvv"; distance:0; fast_pattern; nocase; classtype:credential-theft; sid:2029073; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WSO WebShell Activity POST structure 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:" name=|22|c|22|"; content:"name=|22|p1|22|"; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/i"; classtype:attempted-user; sid:2016354; rev:4; metadata:created_at 2013_02_05, updated_at 2020_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"marketplace-magento.com"; nocase; endswith; classtype:domain-c2; sid:2029074; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"|0d 0a 0d 0a|act="; fast_pattern; http.method; content:"POST"; http.request_body; content:"act="; depth:4; content:"&d="; within:20; classtype:attempted-user; sid:2016516; rev:3; metadata:created_at 2013_03_04, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .XYZ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".xyz"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016575; rev:4; metadata:created_at 2013_03_14, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TOP Domain with Minimal Headers"; flow:established,to_server; http.host; content:".top"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031089; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; http.cookie; content:"mysql_web_admin_"; classtype:bad-unknown; sid:2016576; rev:3; metadata:created_at 2013_03_14, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to 000webhostapp Domain with Minimal Headers"; flow:established,to_server; http.host; content:".000webhostapp.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031090; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar2)"; flow:established,to_server; http.uri; content:"varchar2("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2016596; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_03_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .ML Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031091; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; threshold: type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"?id="; content:"&msg="; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:6; metadata:created_at 2012_01_23, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .CF Domain with Minimal Headers"; flow:established,to_server; http.host; content:".cf"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mssql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"mssql_query"; classtype:bad-unknown; sid:2016664; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GQ Domain with Minimal Headers"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mssql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"mssql_query"; classtype:bad-unknown; sid:2016665; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .TK Domain with Minimal Headers"; flow:established,to_server; http.host; content:".tk"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (pgsql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"pgsql_query"; classtype:bad-unknown; sid:2016666; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request to .GA Domain with Minimal Headers"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; classtype:bad-unknown; sid:2031095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Major, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (pgsql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"pgsql_query"; classtype:bad-unknown; sid:2016667; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:".php|22 20|method=|22|post|22|"; content:"src=|22|https://logo.clearbit.com/"; distance:0; content:"$.get(|22|https://logo.clearbit.com/"; distance:0; content:"$(|22|#logoimg|22|).attr(|22|src|22|,|20 22|https://logo.clearbit.com/"; distance:0; classtype:social-engineering; sid:2031097; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mysql_query)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"mysql_query"; classtype:bad-unknown; sid:2016668; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr('src', 'https://logo.clearbit.com/' + my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031098; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mysql_query)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"mysql_query"; classtype:bad-unknown; sid:2016669; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing"; flow:established,to_client; file.data; content:").attr(|22|src|22|,|20 22|https://logo.clearbit.com/|22|+my_slice)|3b|"; content:"//new injection//"; distance:0; content:"var|20|filter|20|=|20|/^([a-zA-Z0-9_|5c|.|5c|-])+|5c|@(([a-zA-Z0-9|5c|-])+|5c|.)+([a-zA-Z0-9]{2,4})+$/|3b|"; distance:0; classtype:social-engineering; sid:2031099; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_23, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_10_23;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"SqlException"; classtype:bad-unknown; sid:2016670; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup BROLER.F CnC Check-in"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?"; content:!"&"; distance:0; content:"=google"; endswith; fast_pattern; http.request_body; pcre:"/^[a-zA-Z/+=]$/"; http.content_len; content:"72"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,285e25e31b498dd1c0827286e9b44cfe; classtype:command-and-control; sid:2029092; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"SqlException"; classtype:bad-unknown; sid:2016671; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TickGroup ABK Backdoor CnC Check-in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?uid="; fast_pattern; content:"&pid="; distance:0; pcre:"/\?uid=[A-F0-9]{15,}&pid=\d+$/i"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,ed363efd32984ed21e67cf618758b635; classtype:command-and-control; sid:2029093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"error in your SQL syntax"; classtype:bad-unknown; sid:2016673; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Snack CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"WinHTTP AutoProxy Sample/1.0"; depth:28; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:34; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - netsh firewall"; flow:established,to_server; http.request_body; content:"netsh"; nocase; fast_pattern; content:"firewall"; within:15; classtype:bad-unknown; sid:2016681; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Coolbee/Avenger CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id="; content:"&group="; distance:0; content:"&class="; distance:0; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:22; endswith; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; reference:md5,507daf07c6f8f0080b5c4f818cfe77cb; classtype:command-and-control; sid:2029095; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - reg HKEY_LOCAL_MACHINE"; flow:established,to_server; http.request_body; content:"reg"; nocase; content:"HKEY_LOCAL_MACHINE"; nocase; within:80; classtype:bad-unknown; sid:2016682; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible TickGroup Casper CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1|3b 20|.NET4.0C|3b 20|.NET4.0E)"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|"; depth:38; reference:url,documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICKs-Multistage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf; classtype:command-and-control; sid:2029096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_04, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - wget http - POST"; flow:established,to_server; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:bad-unknown; sid:2016683; rev:3; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:established,from_server; tls.cert_serial; content:"00:B3:4B:42:19:50:7A:3B:55:78:3D:6D:FD:12:54:C8:88"; classtype:domain-c2; sid:2029102; rev:2; metadata:attack_target Client_and_Server, created_at 2019_12_09, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016674; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magento-statistics.com"; nocase; endswith; classtype:domain-c2; sid:2029100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, signature_severity Major, updated_at 2020_10_24;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near)"; flow:from_server,established; http.stat_code; content:"500"; file.data; content:"ERROR|3a|  syntax error at or near"; classtype:bad-unknown; sid:2016675; rev:4; metadata:created_at 2013_03_27, updated_at 2020_04_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNSChanger CnC Domain in DNS Lookup"; dns.query; content:"strds.ru"; nocase; bsize:8; reference:url,otx.alienvault.com/pulse/5d8c92c1a08aa6bd58eca488; classtype:command-and-control; sid:2028639; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2019_10_01, deployment Perimeter, former_category TROJAN, malware_family DNSChanger, performance_impact Low, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - Haxplorer URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=dir&dir="; classtype:attempted-user; sid:2016761; rev:3; metadata:created_at 2013_04_16, updated_at 2020_04_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (Get2 CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=upgrade-ms-home.com"; classtype:trojan-activity; sid:2029108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; http.uri; content:".php?&s=r&cmd=con"; classtype:attempted-user; sid:2016762; rev:3; metadata:created_at 2013_04_17, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish Oct 07 2016"; flow:to_server,established; flowbits:isset,ET.genericphish; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; http.method; content:"POST"; http.request_line; content:".php HTTP/"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; classtype:credential-theft; sid:2031570; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"mfunc"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/i"; classtype:attempted-user; sid:2016788; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updateinfos.com"; nocase; endswith; classtype:domain-c2; sid:2029114; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"mclude"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/i"; classtype:attempted-user; sid:2016789; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT38 CnC Domain Observed in DNS Query"; dns.query; content:"updatemain.com"; nocase; endswith; classtype:domain-c2; sid:2029115; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag APT38, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"comment"; nocase; content:"dynamic-cached-content"; fast_pattern; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/i"; classtype:attempted-user; sid:2016790; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_04_26, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check JS"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"hasFlash=0x1"; content:"flashVersion=parseInt(VSwf"; distance:0; fast_pattern; content:"new RegExp('MSIE|5c|x20(|5c|x5cd+|5c|x5c.|5c|x5cd+)|3b|')|3b|"; distance:0; content:"))|3b|if(user==''){setCookie("; distance:0; content:"'data':{'data1':chk,'data2':is64,'data3':fls"; distance:0; classtype:exploit-kit; sid:2029123; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; http.uri; content:"CHAR("; nocase; pcre:"/^[0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ri"; classtype:attempted-admin; sid:2014352; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Plugin Check Response"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?callback=?&data1="; fast_pattern; content:"&data2="; distance:0; content:"&data3="; distance:0; content:"&callback=JSONP_"; distance:0; http.cookie; content:"username="; http.accept; content:"application/javascript, */*|3b|q=0.8"; classtype:exploit-kit; sid:2029124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion password.properties access"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"password.properties"; nocase; reference:url,cxsecurity.com/issue/WLB-2013050065; classtype:web-application-attack; sid:2016836; rev:4; metadata:created_at 2013_05_08, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious VBS Encoding Observed in BottleEK"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; classtype:bad-unknown; sid:2029125; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER  ColdFusion path disclosure to get the absolute path"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/administrator/analyzer/index.cfm"; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:5; metadata:created_at 2013_05_09, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BottleEK Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/conn.php?ge="; depth:13; fast_pattern; http.cookie; content:"username="; http.header_names; content:!"Referer"; classtype:exploit-kit; sid:2029126; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2020_10_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduletasks access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduletasks.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016842; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2019-12-12"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&psword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029127; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion scheduleedit access"; flow:established,to_server; http.uri; content:"/CFIDE/administrator/scheduler/scheduleedit.cfm"; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016843; rev:3; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magento-statistics.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029128; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTPing Usage Inbound"; flow:established,to_server; http.user_agent; content:"HTTPing"; depth:7; reference:url,www.vanheusden.com/httping/; classtype:policy-violation; sid:2016845; rev:4; metadata:created_at 2013_05_14, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=solomontoosas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029116; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; http.uri; content:"/phppath/php"; pcre:"/^\b/R"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:attempted-admin; sid:2016983; rev:3; metadata:created_at 2013_06_06, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=colordrawyx.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029117; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; http.request_body; content:"|7F|ELF"; classtype:bad-unknown; sid:2017054; rev:3; metadata:created_at 2013_06_22, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=potronisl.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029118; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> any any (msg:"ET WEB_SERVER WebShell - GODSpy - Cookie"; flow:established; http.cookie; content:"godid="; classtype:trojan-activity; sid:2017085; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontromosals.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSPy - Auth Creds"; flow:established,to_server; http.request_body; content:"ctr="; content:"haz=pasa"; classtype:trojan-activity; sid:2017088; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pontrolimon.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - raiz"; flow:established,to_server; http.uri; content:".asp?raiz="; classtype:trojan-activity; sid:2017090; rev:3; metadata:created_at 2013_07_02, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motylino.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029130; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"Leaf PHPMailer</title>"; fast_pattern; content:"<li>[-email-] : <b>Reciver Email"; content:"<li>[-emailuser-] : <b>Email User"; classtype:web-application-attack; sid:2030016; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=motorlafd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029131; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"<title>D3V1l H4X0R Priv8 Shell"; fast_pattern; classtype:web-application-attack; sid:2030018; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantoropols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"Upload File : <input type=|22|file|22 20|name=|22|file|22|"; fast_pattern; nocase; content:">Name</center></td>"; nocase; distance:0; content:">Size</center></td>"; nocase; distance:0; content:">Permissions</center></td>"; nocase; distance:0; content:">Options</center></td>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; classtype:web-application-attack; sid:2030020; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=janfioooslls.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"<title>-:- Stupidc0de Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2030022; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, signature_severity Critical, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=golitrops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029133; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; http.request_body; content:"|0D 0A|"; content:"<%"; within:5; fast_pattern; content:"%>"; distance:0; pcre:"/<%[\x00-\x7f]{20}/"; classtype:trojan-activity; sid:2017260; rev:12; metadata:created_at 2013_07_31, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=giltipolsfols.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029134; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; http.request_body; content:"4d5a"; nocase; content:"50450000"; distance:0; classtype:bad-unknown; sid:2017293; rev:3; metadata:created_at 2013_08_07, updated_at 2020_04_24;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Malicious SSL Cert (Dreambot CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=finogorosod.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let|27|s Encrypt, CN=Let|27|s Encrypt Authority X3"; reference:md5,74487b631e5688ad6affdd23340563bd; reference:url,twitter.com/w3ndige/status/1199375393297448961; classtype:domain-c2; sid:2029135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/flowplayer-3.1.1.min.js"; nocase; reference:url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html; classtype:trojan-activity; sid:2017280; rev:4; metadata:created_at 2013_08_06, updated_at 2020_04_24;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"txtpath="; depth:8; content:"&cmd="; classtype:trojan-activity; sid:2017392; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"?upload=@&txtpath="; http.request_body; content:"Upload !"; classtype:trojan-activity; sid:2017393; rev:3; metadata:created_at 2013_08_28, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell in POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"eval"; content:"mcrypt_decrypt"; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017641; rev:5; metadata:created_at 2013_10_28, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-118396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/cgi/url_redirect.cgi"; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017688; rev:3; metadata:created_at 2013_11_07, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029156; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=system"; nocase; content:"j_password=Passw0rd"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017803; rev:5; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029157; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=system"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017804; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=monitor"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017805; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible WebLogic Operator Login With Default Creds"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/console/j_security_check"; nocase; http.request_body; content:"j_username=operator"; content:"j_password=password"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017806; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029160; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt"; flow:to_server,established; http.uri; content:"select"; nocase; content:"mysql.user"; nocase; distance:1; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017807; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029161; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:to_server,established; http.uri; content:"information_schema"; nocase; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017808; rev:3; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; http.request_body; content:"work_dir="; content:"command="; content:"submit_btn=Execute+Command"; classtype:web-application-attack; sid:2017952; rev:3; metadata:created_at 2014_01_11, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_07, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; http.host; content:!"smartcom.com"; endswith; content:!"iscoresports.com"; endswith; content:!"popslotscasino.com"; endswith; http.user_agent; content:"Mozilla"; bsize:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:pup-activity; sid:2007854; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Recon-ng User-Agent"; flow: established,to_server; http.user_agent; content:"Recon-ng"; reference:url,itbucket.org/LaNMaSteR53/recon-ng/overview; classtype:attempted-recon; sid:2018118; rev:4; metadata:created_at 2014_02_12, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER AntSword Webshell Commands Inbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|antSword/v"; fast_pattern; http.request_body; content:"cmd="; depth:4; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030036; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER Possible AntSword Webshell Commands Inbound"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Response.Write(|25|22"; within:50; nocase; content:"eval(System.Text.Encoding.GetEncoding(|25|22"; nocase; distance:0; content:"|25|22).GetString(System.Convert.FromBase64String(|25|22"; nocase; distance:0; content:")|25|3BResponse.End()|25|3B&"; nocase; distance:0; fast_pattern; reference:url,github.com/AntSwordProject/antSword; classtype:web-application-attack; sid:2030037; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_28, deployment Perimeter, signature_severity Major, updated_at 2020_04_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029168; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cazanova SMTP Mailer"; nocase; content:">Cazanova SMTP Mailer</div>"; nocase; distance:0; classtype:web-application-attack; sid:2030060; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029169; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"SCRIPT MAILER INBOX"; content:">SMTP Login:</font></div>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030062; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029170; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Check Accessed on Internal Server"; flow:established,to_client; file.data; content:"Upload is <b><"; content:"Check  Mailling ..<br>"; nocase; distance:0; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|Send test >>|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030064; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029171; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<form method=post style=|22|font-family:fantasy|3b 22|>"; content:"Password: <input type=password name=pass style=|22|background-color|3a|whitesmoke|3b|border|3a|1px solid #FFF|3b 22|><input type=submit value='>>' style=|22|border|3a|none|3b|background-color|3a|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030066; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_29, deployment Perimeter, signature_severity Critical, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Crawler"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 300; http.user_agent; content:"PHPCrawl"; depth:8; reference:url,phpcrawl.cuab.de/; classtype:attempted-user; sid:2018607; rev:3; metadata:created_at 2014_06_26, updated_at 2020_04_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Adobe Flash Player Rosetta Flash compressed CWS in URI"; flow:established,to_server; urilen:>70; http.uri; content:"callback=CWS"; nocase; pcre:"/^[a-z0-9\.\_]{5}hC[a-z0-9\.\_]{50}/Ri"; reference:url,miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/; reference:cve,2014-4671; classtype:attempted-user; sid:2018740; rev:3; metadata:created_at 2014_07_18, updated_at 2020_04_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029174; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Genol Shell"; nocase; fast_pattern; content:"><b>Uname|20 3a 20|Linux|20|"; nocase; distance:0; classtype:web-application-attack; sid:2030074; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_05_01, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029175; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title> Mailer Created By"; nocase; fast_pattern; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|Enviar|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030076; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query for APT40 Possible DADSTACHE CnC Domain"; dns.query; content:"nethosting.viewdns.net"; nocase; bsize:22; reference:md5,2e8d758b9bce51d25ea500d7b4ce4774; classtype:domain-c2; sid:2029151; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, malware_family APT40, signature_severity Major, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>alexusMailer 2.0</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029162; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server"; flow:established,to_client; file.data; content:"---------0nline Inf0---------------"; nocase; fast_pattern; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; classtype:web-application-attack; sid:2030080; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029163; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Stolen Credentials Accessed on Internal Server"; flow:established,to_client; file.data; content:">E-MAIL INFORMATION</font> ]-_-_-_-_-_-_-"; nocase; fast_pattern; content:">INFO VICTIM</font> ]-_-_-_-_-_-_-"; nocase; distance:0; classtype:web-application-attack; sid:2030082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon HEAD Request for .dot file on ddns.net"; http.method; content:"HEAD"; http.uri; content:".dot"; endswith; http.user_agent; content:"Microsoft Office"; fast_pattern; http.host; content:".ddns.net"; endswith; reference:md5,dbf4f92852cdae17aa3f2b1234f0140e; reference:md5,b221647d110bd2be2c6e9c5d727ca8db; classtype:command-and-control; sid:2028967; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Cpanel Cracker Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>HEx CPanel Cracker"; nocase; fast_pattern; content:"<strong>CPanelCracker Script"; nocase; distance:0; classtype:web-application-attack; sid:2030084; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish 2019-12-18"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Emailapp="; depth:9; content:"|25|40"; distance:0; content:"&passwordapp="; distance:0; fast_pattern; classtype:credential-theft; sid:2029682; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_12_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Pro Mailer V2</title>"; nocase; classtype:web-application-attack; sid:2030086; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_01, deployment Perimeter, signature_severity Critical, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.BrowSecX.AB Install Log Sent"; flow:established,to_server; http.request_line; content:"GET http://"; startswith; content:"/installLog.php?scheme="; fast_pattern; content:"&user="; content:"&cpuid="; content:"&execid="; content:"&chromeLog="; content:"&winVer="; reference:md5,336867c6cfe7aacc6aaa3107300f93b6; classtype:pup-activity; sid:2031116; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006445; classtype:web-application-attack; sid:2006445; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TinyNuke CnC Checkin"; flow:established,to_server; flowbits:set,ET.TinyNuke; http.method; content:"POST"; http.uri; content:!"&"; content:".php?"; pcre:"/\.php\?[A-F0-9]{15,25}$/i"; http.header; content:"|0d 0a|Content-Length|3a 20|9|0d 0a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,917124e4d53057324aa129520fca73fb; classtype:command-and-control; sid:2024991; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL sp_start_job attempt"; flow:to_server,established; http.uri; content:"sp_start_job"; nocase; reference:url,doc.emergingthreats.net/2010004; classtype:attempted-user; sid:2010004; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amarula IRC Botnet Connection Request"; flow:established,to_server; content:"|55 53 45 52 20|"; startswith; content:"|20 3a 5a 75 4d 62 49 0a|"; endswith; fast_pattern; reference:md5,603841f6a7036311fa5bbc44d7435f83; reference:url,github.com/hackerama/Amarula-Python-Botnet/; classtype:command-and-control; sid:2031117; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt"; flow:established,to_server; http.uri; content:"INTO"; nocase; content:"OUTFILE"; nocase; distance:0; reference:url,www.milw0rm.com/papers/372; reference:url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection; reference:url,websec.wordpress.com/2007/11/17/mysql-into-outfile/; reference:url,doc.emergingthreats.net/2010037; classtype:web-application-attack; sid:2010037; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"arcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; http.user_agent; content:"CZ32ts"; nocase; reference:url,doc.emergingthreats.net/2009029; reference:url,www.Whitehatsecurityresponse.blogspot.com; classtype:web-application-attack; sid:2010621; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"aucdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031102; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit"; flow:established,to_server; http.uri; content:"/bin/bash"; reference:url,doc.emergingthreats.net/2010667; classtype:web-application-attack; sid:2010667; rev:7; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"frcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031103; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Scan Precursor"; flow:established,to_server; http.uri; content:"/thisdoesnotexistahaha.php"; reference:url,doc.emergingthreats.net/2010720; classtype:web-application-attack; sid:2010720; rev:5; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Casper Bot Search RFI Scan"; flow:established,to_server; http.user_agent; content:"Casper Bot"; nocase; reference:url,doc.emergingthreats.net/2011175; classtype:web-application-attack; sid:2011175; rev:8; metadata:created_at 2010_07_30, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtag.site"; nocase; endswith; classtype:trojan-activity; sid:2031105; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DD-WRT Information Disclosure Attempt"; flow:established,to_server; flowbits:set,et.ddwrt.infodis; http.uri; content:"/Info.live.htm"; nocase; reference:url,www.exploit-db.com/exploits/15842/; classtype:attempted-recon; sid:2012116; rev:6; metadata:created_at 2010_12_30, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtage.site"; nocase; endswith; classtype:trojan-activity; sid:2031106; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI"; flow:established,to_server; http.uri; content:"2.2250738585072011e-308"; nocase; reference:url,bugs.php.net/bug.php?id=53632; classtype:attempted-dos; sid:2012150; rev:4; metadata:created_at 2011_01_06, updated_at 2020_05_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtamanag.site"; nocase; endswith; classtype:trojan-activity; sid:2031107; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Component SQLi Attempt"; flow:established,to_server; http.uri; content:"option=com_"; nocase; content:"union"; nocase; distance:0; content:"select"; nocase; distance:0; content:"from"; nocase; distance:0; content:"jos_users"; distance:0; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:4; metadata:created_at 2012_12_05, updated_at 2020_05_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031108; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Cookie"; flow:established,to_server; http.cookie; content:"|28 29 20 7b|"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019239; rev:5; metadata:created_at 2014_09_25, updated_at 2020_05_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtgcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WEB-PHP phpinfo access"; flow:to_server,established; http.uri; content:"/phpinfo.php"; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:2019526; rev:5; metadata:created_at 2010_09_23, updated_at 2020_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"gtmcdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031110; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SERVER printenv access"; flow:to_server,established; http.uri; content:"/printenv"; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:2101877; rev:11; metadata:created_at 2010_09_23, updated_at 2020_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"usacdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031112; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:"ET WEB_SERVER Possible CVE-2014-3120 Elastic Search Remote Code Execution Attempt"; flow:established,to_server; http.uri; content:"search"; nocase; content:"source="; nocase; distance:0; content:"script_fields"; nocase; distance:0; content:"import"; distance:0; nocase; content:"java."; nocase; distance:0; reference:url,bouk.co/blog/elasticsearch-rce/; classtype:attempted-admin; sid:2018495; rev:4; metadata:created_at 2014_05_21, updated_at 2020_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"uscdn.site"; nocase; endswith; classtype:trojan-activity; sid:2031113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"php|3a 2f 2f|input"; fast_pattern; http.request_body; content:"<?"; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:4; metadata:created_at 2014_11_25, updated_at 2020_05_13;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Double Encoded Characters in URI (../)"; flow:to_server,established; http.uri.raw; content:"%252E%252E%252F"; nocase; classtype:misc-attack; sid:2019880; rev:5; metadata:created_at 2014_12_06, updated_at 2020_05_14;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Authentication Bypass Attempt Inbound (CVE-2020-26879)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|OlDkR+oocZg="; fast_pattern; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26879; classtype:attempted-admin; sid:2031115; rev:1; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26879, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Insomnia Shell HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".aspx"; http.request_body; content:"txtRemoteHost="; fast_pattern; content:"txtRemotePort="; distance:0; content:"txtBindPort="; distance:0; content:"txtPipeName="; distance:0; reference:url,www.insomniasec.com/releases; classtype:trojan-activity; sid:2019899; rev:3; metadata:created_at 2014_12_09, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terse Upload to Free Image Hosting Provider (uploads .im) - Likely Malware"; flow:established,to_server; http.request_line; content:"POST /api?upload"; startswith; http.host; content:"uploads.im"; bsize:10; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,897a5b60d609501e0feb06ff8e54d424; classtype:command-and-control; sid:2031118; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used)"; flow:to_server,established; http.header; content:"aGVsbF9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013939; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Root"; flow:established,to_server; tls.sni; content:"Root"; depth:4; endswith; nocase; classtype:bad-unknown; sid:2029191; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used)"; flow:to_server,established; http.header; content:"JHAgPSBhcnJheShhcnJh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013940; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious ToTok Mobile Application DNS Request"; dns.query; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029198; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (popen() function used)"; flow:to_server,established; http.header; content:"JGggPSBwb3Bl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013941; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Suspicious ToTok Mobile Application TLS Request"; tls.sni; content:"capi.im.totok.ai"; nocase; endswith; reference:url,objective-see.com/blog/blog_0x52.html; classtype:trojan-activity; sid:2029199; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_26, deployment Perimeter, signature_severity Minor, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used)"; flow:to_server,established; http.header; content:"JHBlcmwgPSBuZXcg"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013944; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magesource.su"; nocase; endswith; classtype:trojan-activity; sid:2029203; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (exec() function used)"; flow:to_server,established; http.header; content:"ZXhlYygn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013945; rev:5; metadata:created_at 2011_11_22, updated_at 2022_05_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"magesource.su"; classtype:trojan-activity; sid:2029204; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; http.header; content:"QHN5c3Rl"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:7; metadata:created_at 2011_11_21, updated_at 2020_05_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=magesource.su"; nocase; fast_pattern; classtype:domain-c2; sid:2029205; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; http.uri; content:"?cmd=ZXhpdA=="; fast_pattern; http.user_agent; content:"Mozilla 5"; startswith; reference:url,seclists.org/fulldisclosure/2014/Nov/78; classtype:bad-unknown; sid:2019951; rev:3; metadata:created_at 2014_12_16, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_27;)
+alert http any any -> any any (msg:"ET WEB_SERVER ATTACKER WebShell - 1337w0rm - cPanel Cracker"; flow:established,to_server; http.request_body; content:"user=CRACKER"; classtype:trojan-activity; sid:2020097; rev:3; metadata:created_at 2015_01_06, updated_at 2020_05_14;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Dark Nexus IoT Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:attempted-admin; sid:2029208; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP System Command in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?"; content:"system|28|"; distance:0; classtype:web-application-attack; sid:2020102; rev:5; metadata:created_at 2015_01_07, updated_at 2020_05_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Nexus IoT Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"dark_NeXus"; fast_pattern; startswith; classtype:web-application-attack; sid:2029209; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WPScan User Agent"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.user_agent; content:"WPScan v"; depth:8; reference:url,github.com/wpscanteam/wpscan; classtype:web-application-attack; sid:2020338; rev:4; metadata:created_at 2015_01_30, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - POSTed"; flow:established,to_server; http.request_body; content:"<?php|0A|$"; content:"="; distance:4; within:2; content:" str_replace("; distance:0; classtype:trojan-activity; sid:2020556; rev:3; metadata:created_at 2015_02_24, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_27;)
+alert http any any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; http.header; content:"ing|3a| identity|0D 0A|Host|3a|"; http.cookie; content:"SESS="; content:"|3B| SID="; distance:0; content:"|3B| PREF="; distance:0; content:"|3B|SSID="; distance:0; classtype:trojan-activity; sid:2020557; rev:3; metadata:created_at 2015_02_24, updated_at 2020_05_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Inbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:10; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - File Create - POST Structure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Fname="; depth:6; content:"&cmd="; classtype:trojan-activity; sid:2020572; rev:4; metadata:created_at 2015_02_25, updated_at 2020_05_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Chmod Usage in URI (Outbound)"; flow:to_server,established; http.uri; content:"chmod"; fast_pattern; nocase; content:!"&launchmode="; content:!"/chmod/"; content:!"searchmod"; pcre:"/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri"; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?"; nocase; content:"cmd="; fast_pattern; nocase; pcre:"/[&?]cmd=[^\x26\x28]*(?:cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/i"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:9; metadata:created_at 2010_07_30, updated_at 2020_05_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:15; metadata:created_at 2014_04_22, former_category TROJAN, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:to_server,established; http.uri.raw; content:"/_plugin/"; fast_pattern; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:5; metadata:created_at 2015_05_22, updated_at 2020_05_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"fuck u"; nocase; bsize:6; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2028991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic PHP Uploader Accessed on Internal Server"; flow:established,to_client; file.data; content:"PHP Uploader - By Phenix-TN & Mr.Anderson"; nocase; fast_pattern; content:"<input type=|22|submit|22 20|value=|22|File Reload|22|"; nocase; distance:0; classtype:web-application-attack; sid:2030213; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Critical, updated_at 2020_05_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"autizm"; nocase; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,0a73a5bf772fde4868283ce7d5228901; classtype:command-and-control; sid:2029101; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Witch3r Mini Shell"; nocase; fast_pattern; content:"Mini-Shell</h1></font>"; nocase; distance:0; classtype:web-application-attack; sid:2030217; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_05_26, deployment Perimeter, signature_severity Critical, updated_at 2020_05_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.header; content:"User-Agent|3a 20 63 6f 63 6b 0d 0a|"; nocase; fast_pattern; http.header_names; content:!"Referer"; reference:md5,5a4384f5e18cfbd993a135301141243e; classtype:command-and-control; sid:2029176; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - net user"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net"; nocase; content:!"work"; within:4; nocase; content:"user"; nocase; within:11; content:!"-agent"; nocase; within:6; pcre:"/net(?:%(?:25)?20|\s)+user/i"; classtype:bad-unknown; sid:2016680; rev:7; metadata:created_at 2013_03_27, updated_at 2020_06_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buran Ransomware UA"; flow:established,to_server; http.user_agent; content:"get_you"; nocase; fast_pattern; bsize:7; http.header_names; content:!"Referer"; reference:md5,6d6a438b1687645b48cea729f235963e; classtype:command-and-control; sid:2029220; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_27, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Email Spoofing Tool Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Email Spoofer"; content:"id=|22|title|22|>Email Spoofer"; content:"id=|22|from|22 20|placeholder=|22 20|Email Spoofed"; content:"id=|22|name|22 20|placeholder=|22|Name Spoofed"; content:"var mailist = $(|22|#to|22|).val().split("; classtype:web-application-attack; sid:2030246; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_03, deployment Perimeter, signature_severity Critical, updated_at 2020_06_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed (carlos_castaneda)"; flow:established,to_server; http.user_agent; content:"carlos_castaneda"; nocase; fast_pattern; bsize:16; http.header_names; content:!"Referer"; reference:md5,35d17e42e314a5ebf6ddd4a3d0b47712; classtype:command-and-control; sid:2029223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; http.request_body; content:!"&date="; content:"code="; depth:5; content:"&submit="; distance:0; classtype:trojan-activity; sid:2017389; rev:7; metadata:created_at 2013_08_28, updated_at 2020_06_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlo-analytics.com"; nocase; endswith; classtype:domain-c2; sid:2029224; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>anaLTEAM"; nocase; fast_pattern; content:"name=|22|command|22 20|value=|22|Crotz|22|"; nocase; distance:0; content:"value=|22|Upload Bos"; nocase; distance:0; classtype:web-application-attack; sid:2030319; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlo-analytics.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029226; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>b374k"; nocase; fast_pattern; content:"class='inputz' type='password"; nocase; distance:0; content:"class='inputzbut' type='submit'"; nocase; distance:0; classtype:web-application-attack; sid:2030321; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"googlc-analytics.net"; nocase; endswith; classtype:domain-c2; sid:2029227; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title> By Gentoo"; nocase; fast_pattern; content:"<h2>Gentoo @ MyHack"; nocase; distance:0; content:"function ChMod(chdir, file) {var o = prompt('Chmod:"; nocase; distance:0; classtype:web-application-attack; sid:2030323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=googlc-analytics.net"; nocase; fast_pattern; classtype:domain-c2; sid:2029229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password: <input type='password' name='pass'><input type='submit' value='>>'></form></pre>"; fast_pattern; classtype:web-application-attack; sid:2030325; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"bestbuy.zapto.org"; nocase; endswith; classtype:domain-c2; sid:2029230; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form|20 20 20|method=|20 22|post|22 20|action=|20 22 22|>|20|<input type=|22|input|22 20|name =|22|f_pp|22 20|value=|20 22 22|/><input type=|20 22|submit|22 20|value=|20 22|&gt|3b 22|/>"; fast_pattern; classtype:web-application-attack; sid:2030327; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_06_12, deployment Perimeter, signature_severity Critical, updated_at 2020_06_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain Observed in DNS Query"; dns.query; content:"comodo.world"; nocase; endswith; classtype:domain-c2; sid:2029239; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Compromised Webserver Retriving Inject"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; pcre:"/^\/blog\/\?[a-z]+&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\x3a\d{1,5})?$/"; classtype:trojan-activity; sid:2022485; rev:3; metadata:created_at 2016_02_03, updated_at 2020_06_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Legion Loader Activity Observed"; flow:established,to_server; http.user_agent; content:"pussy"; fast_pattern; startswith; http.accept; content:"text/*"; depth:6; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:30; classtype:trojan-activity; sid:2029238; rev:2; metadata:created_at 2020_01_08, former_category MALWARE, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Custom Content Type Manager WP Backdoor Access"; flow:established,to_server; http.uri; content:"/plugins/custom-content-type-manager/auto-update.php"; fast_pattern; nocase; reference:url,blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html; classtype:trojan-activity; sid:2022596; rev:4; metadata:created_at 2016_03_07, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] PS/PowDesk Checkin (APT34)"; flow:to_server,established; http.uri; content:".php?devicename="; fast_pattern; content:"&result="; pcre:"/^(?:Sucessful|Failed|Missing\x20CBA8|Missing\x20LANDesk\x20Agent)$/R"; reference:url,www.clearskysec.com/powdesk-apt34/; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:targeted-activity; sid:2029253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Predator the Thief Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Predator The Thief"; fast_pattern; nocase; content:"<form method=|22|POST|22 20|class=|22|sign-box|22|"; nocase; distance:0; content:"<input type=|22|text|22 20|class=|22|form-control|22 20|name=|22|login|22 20|value=|22 22 20|placeholder="; nocase; distance:0; content:"<input type=|22|password|22 20|class=|22|form-control|22 20|name=|22|password|22 20|placeholder="; nocase; distance:0; classtype:web-application-attack; sid:2030447; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_03, deployment Perimeter, signature_severity Critical, updated_at 2020_07_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Domain Observed in DNS Query"; dns.query; content:"mimestyle.xyz"; nocase; endswith; classtype:domain-c2; sid:2029254; rev:3; metadata:created_at 2020_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Cordoba Mailer</title>"; nocase; classtype:web-application-attack; sid:2030473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_06, deployment Perimeter, signature_severity Critical, updated_at 2020_07_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OilRig APT PowDesk Powershell Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reclaimlandesk.php?devicename="; fast_pattern; content:"&result="; distance:0; http.uri.raw; content:!"Missing%20LANDESK"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:url,twitter.com/ClearskySec/status/1209055280090288131; reference:md5,2de2e528991ac2d85aa8f12fce5351ad; classtype:command-and-control; sid:2029189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FiercePhish Password Prompt Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FiercePhish"; fast_pattern; content:"/fiercephish_logo.png|22 20|alt=|22|FiercePhish"; content:"placeholder=|22|Username|22|"; content:"<input type=|22|password|22|"; classtype:web-application-attack; sid:2030499; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Minor, updated_at 2020_07_13;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Lets Encrypt Certificate for Suspicious TLD (.top)"; flow:established,to_client; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"Lets Encrypt"; classtype:bad-unknown; sid:2029257; rev:3; metadata:created_at 2020_01_13, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=|22|POST|22|>|0d 0a|"; content:"Password|3a 0d 0a|"; distance:0; content:"<input type=|22|hidden|22 20|name=|22|auth|22 20|value=|22|"; distance:0; content:"<input type=|22|password|22 20|name=|22|password|22|>|0d 0a|"; distance:0; content:"<input type=|22|submit|22 20|value=|22|>>|22|>|0d 0a|"; fast_pattern; distance:0; classtype:web-application-attack; sid:2030501; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_13, deployment Perimeter, signature_severity Major, updated_at 2020_07_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".sslproviders.net"; nocase; endswith; classtype:trojan-activity; sid:2029268; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M1"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 22 7c|"; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022846; rev:3; metadata:created_at 2016_06_01, updated_at 2020_07_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY GG Url Shortener Observed in DNS Query"; dns.query; content:"gg.gg"; nocase; bsize:5; classtype:policy-violation; sid:2029258; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_13, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit SVG attempt M2"; flow:established,to_server; http.request_body; content:"<svg"; nocase; content:"|78 6c 69 6e 6b 3a 68 72 65 66 3d 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022847; rev:3; metadata:created_at 2016_06_01, updated_at 2020_07_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,1400,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\shttp\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.0\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:64; classtype:command-and-control; sid:2029279; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_14, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"name=|22|author|22 20|content=|22|Mr.IN130X"; content:"Mini Shell</title>"; fast_pattern; classtype:web-application-attack; sid:2030536; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SMS-Bomber Activity"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"&v="; depth:3; http.referer; content:"SMS-Bomber"; fast_pattern; startswith; reference:md5,65ee077b7917f85234061082806f0352; classtype:trojan-activity; sid:2029281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_15, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"form method=post>Password<br><input type=password name=pass style='background-color:whitesmoke|3b|"; content:"type=submit name='watching' value='submit' style='border|3a|none|3b|background-color|3a|#"; fast_pattern; classtype:web-application-attack; sid:2030538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Group 21 CnC Domain Observed in DNS Query"; dns.query; content:"quwa-paf.servehttp.com"; nocase; endswith; classtype:domain-c2; sid:2029289; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Group21, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post>"; content:"Password: <input type=password name=pass><input type=submit value='>>'>"; fast_pattern; classtype:web-application-attack; sid:2030540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl.cccccsssss.com"; nocase; endswith; reference:md5,0224334fbec16d74b4101c270a3566bf; classtype:domain-c2; sid:2031119; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"cmd{background-color|3a|"; content:"SCROLLBAR-DARKSHADOW-COLOR|3a|"; distance:0; content:"<body style=|22|FILTER|3a 20|progid|3a|DXImageTransform.Microsoft.Gradient("; distance:0; content:"gradientType=0,startColorStr="; content:"<input name='envlpass' type='password'"; fast_pattern; classtype:web-application-attack; sid:2030542; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart CnC Domain Observed in DNS Query"; dns.query; content:"jqueryextplugin.com"; nocase; endswith; classtype:domain-c2; sid:2029297; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>:: Mailer Inbox"; fast_pattern; content:"document.getElementById(|22|emails|22|"; distance:0; content:"document.getElementById(|22|txtml|22|"; distance:0; classtype:web-application-attack; sid:2030544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_07_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ELF/Rekoobe CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kooktijd.acc.dynapps.be"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029307; rev:2; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"Priv8 (Mailer Inbox Sender"; distance:0; content:"SMTP SETUP</font>"; distance:0; classtype:web-application-attack; sid:2030546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_16, deployment Perimeter, signature_severity Critical, updated_at 2020_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Website Hosting Service Observed in DNS Query"; dns.query; content:"dynapps.be"; nocase; endswith; classtype:policy-violation; sid:2029308; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Cpanel Cracker Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">CPANEL CRACKER</font><font color="; fast_pattern; content:"color=white>--==[[Greetz to]]==--"; distance:0; content:"####### Coded By"; distance:0; classtype:web-application-attack; sid:2030554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_17, deployment Perimeter, signature_severity Major, updated_at 2020_07_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/Rekoobe CnC Observed in DNS Query"; dns.query; content:"huawel.site"; nocase; endswith; reference:url,intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/; classtype:domain-c2; sid:2029309; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Rekoobe, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ALFA TEaM Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"ALFA TEaM Shell"; nocase; fast_pattern; pcre:"/^\s*\-\s*/R"; classtype:web-application-attack; sid:2029866; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_07_17;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jqueryextplugin.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>[ RC-SHELL v"; nocase; fast_pattern; classtype:web-application-attack; sid:2030591; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Critical, updated_at 2020_07_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"jquerysmartstack.com"; nocase; endswith; classtype:domain-c2; sid:2029303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Password Prompt Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|0d 0a 09|<form method=|22|POST|22|>|0d 0a 09 09|Password|3a 20 0d 0a 09 09|"; nocase; content:"name=|22|password|22|>|0d 0a 09 09|<input type=|22|submit|22 20|value=|22|>>|22|>"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2030593; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Critical, updated_at 2020_07_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request"; flow:established,to_server; http.request_line; content:"GET /getrandombase64.php?get="; fast_pattern; content:"|20|HTTP/1.1"; distance:32; within:9; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031127; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Website Ransomnote Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:!"<html"; nocase; content:"<p>We will systematically go through a series of steps of totally damaging your reputation"; nocase; content:"database will be leaked or sold to the highest bidder"; distance:0; nocase; content:"fault thusly damaging your reputation"; distance:0; fast_pattern; nocase; classtype:web-application-attack; sid:2030596; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_24, deployment Perimeter, signature_severity Major, updated_at 2020_07_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DTLoader Encoded Binary - Server Response"; flow:established,to_client; http.response_body; content:"<html><head></head><body><p>Code|3a 20|"; startswith; fast_pattern; content:"</p><p>@@@"; distance:32; within:10; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:command-and-control; sid:2031128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER DFind w00tw00t GET-Requests"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/w00tw00t."; nocase; depth:10; reference:url,doc.emergingthreats.net/2010794; classtype:attempted-recon; sid:2010794; rev:9; metadata:created_at 2010_07_30, updated_at 2020_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Domain (ahgwqrq .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"ahgwqrq.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1321088232512106502; reference:md5,259de13f2337562a9075cd8acb1ef615; classtype:domain-c2; sid:2031129; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>k2ll33d"; nocase; fast_pattern; content:"function tukar("; distance:0; nocase; classtype:web-application-attack; sid:2030608; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_07_29, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_07_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Improperly Spaced Accept Header in User-Agent"; flow:established,to_server; http.user_agent; content:"Accept|3a|*/*"; classtype:misc-activity; sid:2031120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:to_server,established; http.uri; content:"|24 7b|"; content:"|25 7b|"; distance:0; content:"|7d|"; distance:0; pcre:"/\${\s*?%{/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2023535; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2016_11_18, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL Cert (Magecart)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerysmartstack.com"; nocase; fast_pattern; classtype:domain-c2; sid:2029305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SLEEP|28|"; nocase; distance:0; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Observed in DNS Query"; dns.query; content:"masseffect.space"; nocase; endswith; classtype:domain-c2; sid:2029310; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Gamaredon, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used)"; flow:to_server,established; http.header; content:"JGFyZ3MgPSBh"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013943; rev:7; metadata:created_at 2011_11_22, updated_at 2020_08_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=askkkkkkassaa.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029311; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used)"; flow:to_server,established; http.header; content:"QHB5dGhvbl9l"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013942; rev:6; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2020_08_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mantropoliops.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029312; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft IIS Remote Code Execution (CVE-2017-7269)"; flow:to_server,established; http.header; content:"If|3a 20 3c|"; pcre:"/^If\x3a\x20\x3c[^\r\n>]+?(?:[\x7f-\xff])/mi"; reference:url,github.com/edwardz246003/IIS_exploit/blob/master/exploit.py; classtype:attempted-user; sid:2024107; rev:3; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2017_03_28, cve cve_2017_7269, deployment Datacenter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=prontosloshop.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029313; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Accessed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.referer; content:".php"; endswith; http.request_body; content:"password="; startswith; content:"&action=login&hide="; fast_pattern; distance:0; content:"&username="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030650; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=miiiiisdkkkksd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029314; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic Webshell Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?ganteng"; endswith; fast_pattern; http.referer; content:".php?ganteng"; endswith; http.request_body; content:"key=password&method="; startswith; content:"&submit="; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/; classtype:web-application-attack; sid:2030651; rev:1; metadata:attack_target Web_Server, created_at 2020_08_05, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=faniposlskd.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029315; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like planetwork)"; flow:established,to_server; http.user_agent; content:"plaNETWORK Bot"; nocase; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011243; classtype:web-application-attack; sid:2011243; rev:8; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_08_06;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ferilppdslos.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029316; rev:3; metadata:attack_target Client_and_Server, created_at 2020_01_23, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_27, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER UA WordPress probable DDOS-Attack"; flow:established,to_server; http.user_agent; content:"Wordpress/"; depth:10; reference:url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html; reference:url,pastebin.com/NP64hTQr; classtype:bad-unknown; sid:2017528; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_09_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag Wordpress, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031121; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<form method=post><input type=password name=ps><input type=submit value='>>'></form>"; nocase; fast_pattern; classtype:web-application-attack; sid:2030659; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031122; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, signature_severity Minor, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<pre align=center><form method=post>Password<br><input type=password name=pass"; nocase; content:"background-color|3a|whitesmoke|3b|border"; distance:0; content:"type=submit name='watching' value='Login'"; distance:0; fast_pattern; classtype:web-application-attack; sid:2030661; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_08_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_08_06;)
 
-alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031123; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER OptionsBleed (CVE-2017-9798)"; flow:from_server; http.header; content:"Allow|3a 20|"; pcre:"/^[^\n]+(?:[^ -~\x0d\x0a]|,\x20*,)/R"; reference:cve,CVE-2017-9798; classtype:misc-activity; sid:2024760; rev:5; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_09_19, deployment Datacenter, former_category WEB_SERVER, performance_impact Significant, signature_severity Minor, updated_at 2020_08_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"exec("; fast_pattern; within:500; classtype:attempted-admin; sid:2031124; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body"; flow:established,to_server; threshold:type limit, track by_src, seconds 3600, count 1; http.request_body; content:"wget"; nocase; content:"http"; nocase; within:11; classtype:web-application-attack; sid:2024930; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2017_10_26, deployment Datacenter, former_category WEB_SERVER, malware_family webshell, performance_impact Moderate, signature_severity Major, updated_at 2020_08_13;)
 
-alert http $HOME_NET any -> any any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031125; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source)"; flow:from_server,established; http.stat_code; content:"403"; file.data; content:"<script"; nocase; depth:512; content:!"location.replace|28 22|https|3a 2f 2f|block.opendns.com"; distance:0; reference:url,doc.emergingthreats.net/2010515; classtype:web-application-attack; sid:2010515; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_13;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET HUNTING Suspicious PHP Code in HTTP POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?php"; content:"/bin/bash"; fast_pattern; within:500; classtype:attempted-admin; sid:2031126; rev:2; metadata:attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_08_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2020-01-27"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"&month="; nocase; content:"&year="; nocase; content:"&cvv="; nocase; fast_pattern; classtype:credential-theft; sid:2029684; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell Download"; flow:established,to_client; file_data; content:"eval"; content:"mcrypt_decrypt"; within:30; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017640; rev:4; metadata:affected_product PHP, attack_target Web_Server, created_at 2013_10_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Telegram API Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"CN=api.telegram.org"; fast_pattern; nocase; endswith; classtype:misc-activity; sid:2029322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_10_27;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:26; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Generic RAT over Telegram API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"Microsoft"; nocase; content:"Windows"; nocase; content:"Pass"; nocase; http.header; content:"|0d 0a|Host|3a 20|api.telegram.org|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2029323; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>"; content:"ASPX Shell"; fast_pattern; nocase; content:"</title>"; distance:0; classtype:trojan-activity; sid:2017183; rev:5; metadata:created_at 2013_07_24, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to a Reverse Proxy Service Observed"; dns.query; content:".portmap."; nocase; pcre:"/^(?:com|io|host)/Ri"; classtype:policy-violation; sid:2027941; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_09_03, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SmailMax PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"SmailMax SMTP Mailer</title>"; fast_pattern; content:"SERVER SETUP</font>"; content:"SMTP Login:</font>"; classtype:web-application-attack; sid:2030228; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_05_28, deployment Perimeter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_08_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Unk.PowerShell Loader CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"internationalrule.com"; bsize:21; reference:url,app.any.run/tasks/9b18c721-13b2-4151-9a1d-22b5c8478ad4; classtype:domain-c2; sid:2029325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT USER SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"USER"; nocase; pcre:"/SELECT[^a-z]+USER/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2010963; classtype:web-application-attack; sid:2010963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Diezen/Sakabota CnC Domain Observed in DNS Query"; dns.query; content:"6google.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting; classtype:domain-c2; sid:2029327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"</script>"; nocase; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M4"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"userid="; nocase; depth:7; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031571; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi Attempt in User Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"select"; nocase; distance:0; fast_pattern; content:"from"; nocase; within:20; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:trojan-activity; sid:2022816; rev:4; metadata:created_at 2016_05_17, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M2"; flow:to_server,established; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2029656; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"VERSION"; nocase; distance:1; reference:url,support.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Terse POST to Wordpress Folder - Probable Successful Phishing M7"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; content:!"__utma="; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; content:".php"; http.request_body; content:"user="; nocase; depth:5; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2031579; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp)"; flow:established,to_server; http.uri; content:".asp|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010592; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010592; rev:9; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Winnti DNS Lookup"; dns.query; content:".dnslookup.services"; nocase; endswith; reference:url,www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/; classtype:targeted-activity; sid:2029347; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_01_31, deployment Perimeter, former_category MALWARE, malware_family Winnti, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo)"; flow:to_server,established; http.uri; content:"?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011141; classtype:attempted-recon; sid:2011141; rev:5; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrongPity Host Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|name=v"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"name=v"; depth:6; content:"_kt"; within:5; content:"p"; within:3; content:"_"; distance:1; within:1; pcre:"/^name=v[0-9]{1,2}_kt[0-9]{1,2}p[0-9]{1}_[0-9]{8,10}$/i"; reference:md5,e4758783b146b506e0ec42e98ad9e65c; reference:md5,98cca7f2f6ad00771f50e97f97b5b38e; reference:url,twitter.com/HONKONE_K/status/1505920551503626242; classtype:targeted-activity; sid:2035541; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt"; flow:established,to_server; http.uri; content:"/system32/"; nocase; reference:url,doc.emergingthreats.net/2009362; classtype:attempted-recon; sid:2009362; rev:7; metadata:created_at 2010_07_30, updated_at 2020_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup CnC Observed in DNS Query"; dns.query; content:"mangasiso.top"; nocase; endswith; classtype:trojan-activity; sid:2029348; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag DonotGroup, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M2"; flow:to_server,established; http.header; content:"BwYXNzdGhydSgn"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025593; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, former_category WEB_SERVER, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Storm/Waledac 3.0 Checkin 2"; flow:established,to_server; content:"|01 02 01 01|"; fast_pattern; http.method; content:"GET"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".htm HTTP/1.1"; http.content_len; byte_test:0,<,100,0,string,dec; http.header_names; content:"Host|0d 0a|"; content:"Content-Length|0d 0a|"; classtype:command-and-control; sid:2012139; rev:10; metadata:created_at 2011_01_05, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M3"; flow:to_server,established; http.header; content:"AcGFzc3RocnUoJ"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2025594; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, former_category WEB_SERVER, malware_family weevely, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lici Initial Checkin"; flow:established,to_server; http.uri; content:".php?email="; content:"&lici="; content:"&ver="; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:command-and-control; sid:2014119; rev:5; metadata:created_at 2012_01_12, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Cookie Based BackDoor Used in Drupal Attacks"; flow:established,to_server; http.cookie; content:"preg_replace"; nocase; reference:url,www.kahusecurity.com/posts/drupal_7_sql_injection_info.html; classtype:attempted-user; sid:2019627; rev:4; metadata:created_at 2014_11_03, former_category WEB_SERVER, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kelihos/Hlux GET jucheck.exe from CnC"; flow:established,to_server; http.uri; content:"/jucheck.exe"; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,www.abuse.ch/?p=3658; classtype:command-and-control; sid:2014330; rev:5; metadata:created_at 2012_03_07, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP Intelligent Management Java Deserialization RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.jsf"; http.request_body; content:"java.util.HashMap"; content:"javax.management.openmbean.TabularDataSupport"; reference:cve,2017-12557; reference:url,www.exploit-db.com/exploits/45952; classtype:web-application-attack; sid:2026719; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_12_10, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_08_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Win32.Autorun HTTP Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"cbID="; content:"cbVer="; distance:0; content:"cbTit="; distance:0; http.request_body; content:"cbBody="; depth:7; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; reference:url,doc.emergingthreats.net/2009516; classtype:trojan-activity; sid:2009516; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER jQuery File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/php/"; http.request_body; content:"name=|22|files|22 3b|"; content:"<?php"; nocase; reference:url,github.com/lcashdol/Exploits/tree/master/CVE-2018-9206; reference:cve,2018-9206; classtype:web-application-attack; sid:2026552; rev:4; metadata:affected_product PHP, attack_target Server, created_at 2018_10_25, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_08_27;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:1; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_10_27;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 25 40 20|Page|20|Language=|22|Jscript|22 25 3e 3c 25|eval|28|"; fast_pattern; content:"FromBase64String"; distance:0; nocase; content:"|25 3e|"; distance:0; classtype:trojan-activity; sid:2027393; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_05_29, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonBot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.protocol; content:"HTTP/1.0"; reference:url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/; classtype:command-and-control; sid:2013047; rev:6; metadata:created_at 2011_06_16, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ThinkPHP RCE Exploitation Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index"; content:"/invokefunction&function=call_user_func_array"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/45978; classtype:attempted-admin; sid:2026731; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_12_14, deployment Perimeter, deployment Datacenter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, tag ThinkPHP, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Bot Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/gateway/index"; http.request_body; content:"botver="; content:"&build="; content:"&profile="; reference:md5,be3aed34928cb826030b462279a1c453; classtype:command-and-control; sid:2013168; rev:7; metadata:created_at 2011_07_01, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Observed FxCodeShell Web Shell Password"; flow:established,to_server; http.request_body; content:"FxxkMyLie1836710Aa"; classtype:trojan-activity; sid:2027514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2019_06_25, deployment Perimeter, former_category WEB_SERVER, malware_family FxCodeShell, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot GET to Bing checking Internet connectivity"; flow:established,to_server; http.header; content:"|3a 20|no-cache"; http.host; content:"www.bing.com"; depth:12; endswith; http.start; content:"GET / HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|"; depth:60; http.header_names; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:command-and-control; sid:2013488; rev:5; metadata:created_at 2011_08_30, former_category MALWARE, updated_at 2020_10_28;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER 16Shop Phishing Kit Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>16SHOP"; fast_pattern; nocase; content:"<label>Public Key"; nocase; distance:0; content:"<label>Password"; nocase; distance:0; classtype:web-application-attack; sid:2029915; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_15, deployment Perimeter, signature_severity Critical, updated_at 2020_09_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.MUD Variant Reporting"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/total_visitas.php"; fast_pattern; http.start; content:".php HTTP/1.1|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:6; metadata:created_at 2012_01_11, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt"; flow:to_server,established; http.uri; content:"/servlet/JavascriptProbe"; nocase; content:"documentElement=true"; nocase; content:"regexp=true"; nocase; content:"frames=true"; reference:url,www.securityfocus.com/bid/34454/info; reference:url,doc.emergingthreats.net/2010622; classtype:web-application-attack; sid:2010622; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|3b 20|name=|22|bot_id|22 0d 0a 0d 0a|"; fast_pattern; content:"|3b 20|name=|22|os_version|22 0d 0a 0d 0a|"; distance:0; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:command-and-control; sid:2014269; rev:7; metadata:created_at 2012_02_21, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT"; flow:established,to_server; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006446; classtype:web-application-attack; sid:2006446; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014542; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:".tar.gz"; nocase; classtype:bad-unknown; sid:2016992; rev:4; metadata:created_at 2013_06_08, updated_at 2020_09_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014548; rev:5; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:to_server,established; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:8; metadata:created_at 2010_09_23, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - redirect received"; flow:established,to_client; http.stat_code; content:"302"; http.cookie; content:"=_"; content:"_|3b 20|domain="; distance:1; within:10; fast_pattern; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/"; classtype:exploit-kit; sid:2014547; rev:7; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cgi-bin/|3B|"; nocase; pcre:"/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i"; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; depth:49; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:5; metadata:created_at 2011_08_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/environ"; flow:established,to_server; http.uri; content:"/proc/self/environ"; nocase; classtype:web-application-attack; sid:2012230; rev:6; metadata:created_at 2011_01_25, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:".php"; pcre:"/^\/[a-z]\.php/"; http.user_agent; content:"Indy Library"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:command-and-control; sid:2015504; rev:6; metadata:created_at 2012_07_21, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ScriptResource.axd"; nocase; content:!"&t="; nocase; content:!"&amp|3b|t="; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6; metadata:created_at 2010_10_13, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MUROFET/Licat Trojan"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/news/?s="; fast_pattern; pcre:"/^\d{1,6}$/R"; http.header_names; content:!"Referer"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; classtype:trojan-activity; sid:2011825; rev:11; metadata:created_at 2010_10_18, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"locale=../../"; nocase; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/entman/index.cfm"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:7; metadata:created_at 2010_09_28, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/security.jsp"; nocase; fast_pattern; http.request_body; content:"f0="; depth:3; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:command-and-control; sid:2013327; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2011_07_27, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET"; flow:established,to_server; http.uri; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; pcre:"/\WUPDATE\s+[A-Za-z0-9$_].*?\WSET\s+[A-Za-z0-9$_].*?\x3d/i"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006447; classtype:web-application-attack; sid:2006447; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses"; flow:established,to_server; http.uri; content:"/distrib_serv/ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013536; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Aribitrary File Upload Vulnerability in WP Mobile Detector"; flow:from_client,established; http.uri; content:"/wp-content/plugins/wp-mobile-detector/"; content:"resize.php?src=http"; fast_pattern; reference:url,pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/; classtype:attempted-user; sid:2022860; rev:4; metadata:created_at 2016_06_03, updated_at 2020_09_14;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M2"; flow:established,to_client; dsize:1051; content:"|04 19 00 00 00 1a 00 00 00 17 25 75 73 65 72 70 72 6f 66 69 6c 65 25 5c 44 6f 63 75 6d 65 6e 74 73 00 00 00 08 55 54 43 2d 2d|"; depth:42; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031131; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; flowbits:set,ET.GOOTKIT; http.method; content:"GET"; http.uri; content:"/ftp"; nocase; http.header; content:!"www.trendmicro.com"; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest"; nocase; startswith; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:9; metadata:created_at 2010_09_28, updated_at 2020_09_14;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ficker Stealer Activity M3"; flow:established,to_server; dsize:8; content:"|0c 00 0f 0a 0b 0a 0b 0a|"; reference:url,twitter.com/malware_traffic/status/1321182175916679168; reference:md5,25cddcec88ee81aab4db84bbd19a64d6; reference:url,app.any.run/tasks/228c144e-90a0-4e8f-87d8-102bc04b0335/; classtype:trojan-activity; sid:2031132; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/imc/login.jsf"; nocase; content:"loginForm"; nocase; content:"javax.faces.ViewState="; nocase; pcre:"/ViewState\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2010/May/1024022.html; reference:url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html; reference:url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02; reference:url,doc.emergingthreats.net/2011145; classtype:web-application-attack; sid:2011145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server"; flow:established,to_server; http.uri; content:"/search=ip_list_"; fast_pattern; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013537; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|cgi|2D|mod|2F|smtp|5F|test|2E|cgi"; nocase; content:"email|3D|"; nocase; content:"hostname|3D|"; nocase; content:"default|5F|domain|3D|"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/37248/info; reference:url,doc.emergingthreats.net/2010462; classtype:web-application-attack; sid:2010462; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server"; flow:established,to_server; http.uri; content:"/search="; fast_pattern; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|close|0d 0a|Host|3a 20|"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013538; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"onmouseover="; nocase; reference:url,www.w3schools.com/jsref/jsref_onmouseover.asp; reference:url,doc.emergingthreats.net/2009715; classtype:web-application-attack; sid:2009715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; http.uri; content:"knock.php?ver="; fast_pattern; content:"&sid="; distance:0; http.header; content:"Connection|3a 20|close|0d 0a|Host|3a 20|"; depth:25; http.protocol; content:"HTTP/1.1"; http.header_names; content:!"User-Agent|0d 0a|"; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:coin-mining; sid:2013539; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_09_06, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Bitcoin_Miner, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"|2F|ekgnkm|2F|AccessCodeStart|2E|asp"; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010460; classtype:attempted-user; sid:2010460; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (listdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/listdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013668; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt"; flow:to_server,established; http.uri; content:"/cmd.exe"; nocase; reference:url,doc.emergingthreats.net/2009361; classtype:attempted-recon; sid:2009361; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Riberow.A (mkdir)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mkdir.php?dir="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Pragma|0d 0a|Accept|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,c55fe941b80b3e5e77be8728642d138e; classtype:trojan-activity; sid:2013669; rev:4; metadata:created_at 2011_09_19, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/support_param.html/config"; nocase; content:"Admin_Name=&Admin_Phone="; nocase; content:"Product_URL="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange).+Apply\x3DApply/i"; reference:url,dsecrg.com/pages/vul/show.php?id=148; reference:cve,2009-2684; reference:url,doc.emergingthreats.net/2010919; classtype:web-application-attack; sid:2010919; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 1"; flow:established,to_server; http.request_line; content:"GET @"; depth:5; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013791; rev:4; metadata:created_at 2011_10_24, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx)"; flow:established,to_server; http.uri; content:".aspx|3B 2E|"; nocase; reference:url,www.securityfocus.com/bid/37460/info; reference:url,doc.emergingthreats.net/2010593; reference:url,www.securityfocus.com/bid/37460/info; reference:url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf; reference:cve,2009-4444; classtype:web-application-attack; sid:2010593; rev:10; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (APT34 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=manygoodnews.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029385; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family APT34, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_cmdshell"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms175046.aspx; reference:url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm; reference:url,doc.emergingthreats.net/2009815; classtype:web-application-attack; sid:2009815; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fiffaslslslld.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029386; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_servicecontrol"; nocase; pcre:"/(start|stop|continue|pause|querystate)/i"; reference:url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/; reference:url,doc.emergingthreats.net/2009816; classtype:web-application-attack; sid:2009816; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=loppappsas.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029387; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family BrushaLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"sp_adduser"; nocase; reference:url,technet.microsoft.com/en-us/library/ms181422.aspx; reference:url,doc.emergingthreats.net/2009817; classtype:web-application-attack; sid:2009817; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=conversia91.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029388; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_reg"; nocase; pcre:"/xp_reg(read|write|delete)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009818; classtype:web-application-attack; sid:2009818; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=123faster.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029389; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_fileexist"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.dugger-it.com/articles/xp_fileexist.asp; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009819; classtype:web-application-attack; sid:2009819; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fatoftheland.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029390; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_enumerrorlogs"; nocase; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,doc.emergingthreats.net/2009820; classtype:web-application-attack; sid:2009820; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=creatorz123.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029391; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_readerrorlogs"; nocase; reference:url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx; reference:url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005; reference:url,doc.emergingthreats.net/2009822; classtype:web-application-attack; sid:2009822; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MINEBRIDGE/MINEDOOR CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=compilator333.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029392; rev:3; metadata:attack_target Client_and_Server, created_at 2020_02_06, deployment Perimeter, former_category MALWARE, malware_family MINEBRIDGE, malware_family MINEDOOR, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_28, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI"; flow:established,to_server; http.uri; content:"EXEC"; nocase; content:"xp_"; nocase; content:"_enum"; nocase; pcre:"/(xp_enumdsn|xp_enumgroups|xp_ntsec_enumdomains)/i"; reference:url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,msdn.microsoft.com/en-us/library/ms173792.aspx; reference:url,doc.emergingthreats.net/2009823; classtype:web-application-attack; sid:2009823; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set"; flow:established,to_client; http.stat_code; content:!"302"; http.cookie; content:"SL_"; depth:3; content:"_0000="; within:8; fast_pattern; classtype:exploit-kit; sid:2014544; rev:6; metadata:created_at 2012_04_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F34-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011142; classtype:attempted-recon; sid:2011142; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; http.uri; content:"/Default.asp"; http.header; content:"Accept: image/gif,image/x-xbitmap"; content:"|20|MSIE|20|"; http.cookie; content:"PREF=86845632017245"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:targeted-activity; sid:2016452; rev:4; metadata:created_at 2013_02_22, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011143; classtype:attempted-recon; sid:2011143; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; http.method; content:"GET"; nocase; http.user_agent; content:"VBTagEdit"; depth:9; nocase; http.protocol; content:"HTTP/1.0"; reference:url,doc.emergingthreats.net/2010439; classtype:command-and-control; sid:2010439; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo)"; flow:to_server,established; http.uri; content:"?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"; reference:url,osvdb.org/12184; reference:url,www.0php.com/php_easter_egg.php; reference:url,seclists.org/nmap-dev/2010/q2/569; reference:url,doc.emergingthreats.net/2011144; classtype:attempted-recon; sid:2011144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; http.content_type; content:"audio|2F|"; startswith; file.data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:11; metadata:created_at 2011_08_22, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=https|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttps\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009152; classtype:web-application-attack; sid:2009152; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; http.request_body; content:"dbhost="; content:"dbuser="; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:4; metadata:created_at 2013_07_02, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftp|3a|/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009153; classtype:web-application-attack; sid:2009153; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=get&applicationID="; nocase; depth:25; fast_pattern; content:"&developerId="; nocase; distance:0; content:"&deviceId="; nocase; distance:0; content:"android.permission"; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:6; metadata:created_at 2011_06_16, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS)"; flow:to_server,established; http.uri; content:".php"; nocase; content:"=ftps\:/"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3Dftp\x3A\x2F[^\x3F\x26]+\x3F/i"; reference:url,doc.emergingthreats.net/2009155; classtype:web-application-attack; sid:2009155; rev:11; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; http.uri; content:"/search?query="; depth:14; content:"&sort=relevance"; within:15; pcre:"/^[A-Z0-9]{8}/R"; http.host; content:"groups.yahoo.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:4; metadata:created_at 2013_08_22, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM"; flow:established,to_server; http.uri; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006443; classtype:web-application-attack; sid:2006443; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; http.uri; content:"/1"; depth:2; fast_pattern; pcre:"/^[a-z0-9]{13}\.[a-z]{3}$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:exploit-kit; sid:2017731; rev:5; metadata:created_at 2013_11_20, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,doc.emergingthreats.net/2006444; classtype:web-application-attack; sid:2006444; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/getLastVersion"; depth:15; http.header; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:command-and-control; sid:2017999; rev:7; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2014_01_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (varchar)"; flow:established,to_server; http.uri; content:"varchar("; nocase; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2008175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.MyDNS DNSChanger - HTTP POST"; flow:established,to_server; content:"|0d 0a 0d 0a|r="; fast_pattern; http.method; content:"POST"; nocase; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; http.request_body; content:"r="; depth:2; nocase; content:"&f="; nocase; distance:0; content:"&p="; nocase; distance:0; content:"&u="; nocase; distance:0; content:"&i="; nocase; distance:0; content:"&g="; nocase; distance:0; reference:url,doc.emergingthreats.net/2009813; classtype:trojan-activity; sid:2009813; rev:6; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection (exec)"; flow:established,to_server; http.uri; content:"exec("; nocase; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE possible OneLouder header structure"; flow:to_server,established; flowbits:set,ET.OneLouder.Header; flowbits:noalert; http.header; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b|)|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"Accept-Encoding|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2018463; rev:11; metadata:created_at 2014_05_13, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare)"; flow:established,to_server; http.uri; content:"DECLARE|20|"; nocase; content:"CHAR("; nocase; content:"CAST("; nocase; reference:url,doc.emergingthreats.net/2008467; classtype:attempted-admin; sid:2008467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS HOIC with booster outbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_src; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018977; rev:5; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible ALTER SQL Injection Attempt"; flow:to_server,established; http.uri; content:"ALTER"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_alter.asp; reference:url,doc.emergingthreats.net/2010084; classtype:web-application-attack; sid:2010084; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET DOS HOIC with booster inbound"; flow:to_server,established; threshold: type both, count 1, seconds 60, track by_dst; http.method; content:"GET"; http.header.raw; content:"If-Modified-Since|3a 20 20|"; content:"Keep-Alive|3a 20 20|"; content:"Connection|3a 20 20|"; content:"User-Agent|3a 20 20|"; http.start; content:"HTTP/1.0|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; reference:md5,23fc64a5cac4406d7143ea26e8c4c7ab; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:trojan-activity; sid:2018978; rev:4; metadata:created_at 2014_08_21, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible DROP SQL Injection Attempt"; flow:to_server,established; http.uri; content:"DROP"; nocase; pcre:"/^\s+(?:database|procedure|table|column)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/SQl/sql_drop.asp; reference:url,doc.emergingthreats.net/2010085; classtype:web-application-attack; sid:2010085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dirt Jumper/Russkill3 Checkin"; flow:established,to_server; content:"|0d 0a 0d 0a|k="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"k="; depth:2; pcre:"/^\d{15}/R"; http.protocol; content:"HTTP/1.0"; reference:md5,10e7af7057833a19097cb22ba0bd1b99; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; classtype:command-and-control; sid:2013439; rev:12; metadata:created_at 2011_08_03, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI"; flow:to_server,established; http.uri; content:"CREATE"; nocase; pcre:"/^\s+(database|procedure|table|column|directory)/Ri"; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,www.w3schools.com/Sql/sql_create_db.asp; reference:url,doc.emergingthreats.net/2010086; classtype:web-application-attack; sid:2010086; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HB_Banker16 Get"; flow:to_server,established; http.method; content:"GET"; http.header; content:"Content-Type|3a 20|text/html|0d 0a|Host|3a|"; depth:30; fast_pattern; content:!"Indy Library"; http.user_agent; content:"Firefox/12.0"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:44; endswith; classtype:trojan-activity; sid:2019608; rev:6; metadata:created_at 2014_10_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"CUR"; nocase; distance:0; pcre:"/^(?:DATE|TIME)/Ri"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate; reference:url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime; reference:url,doc.emergingthreats.net/2010966; classtype:web-application-attack; sid:2010966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fb 28 39 fc 28 39 fb 4c 2f fb 3f 4f 8b 28 38 8c 28 39 fe|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"TABLES"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/4.1/en/show-tables.html; reference:url,doc.emergingthreats.net/2010967; classtype:web-application-attack; sid:2010967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3e 2f fb 39 2f fb 3e 4b ed 3e 38 8d 4e 2f fa 49 2f fb 3b|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt"; flow:established,to_server; http.uri; content:"INSERT"; nocase; content:"VALUES"; nocase; distance:0; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,en.wikipedia.org/wiki/Insert_(SQL); reference:url,doc.emergingthreats.net/2011039; classtype:web-application-attack; sid:2011039; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 39 ed 3e 3e ed 3e 39 89 28 39 fa 48 49 ed 3f 4e ed 3e 3c|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_10, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources"; flow:established,to_server; http.uri; content:"BENCHMARK("; nocase; content:")"; pcre:"/BENCHMARK\x28[0-9].+\x29/i"; reference:url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark; reference:url,doc.emergingthreats.net/2011041; classtype:web-application-attack; sid:2011041; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sem/"; nocase; content:".php"; nocase; content:"uniqueid="; nocase; content:"|3B|"; pcre:"/\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\;/i"; reference:url,www.securityfocus.com/bid/37375/info; reference:url,doc.emergingthreats.net/2010510; classtype:web-application-attack; sid:2010510; rev:6; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"CONCAT"; nocase; pcre:"/SELECT.+CONCAT/i"; reference:url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/; reference:url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3; reference:url,doc.emergingthreats.net/2011042; classtype:web-application-attack; sid:2011042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Thumbnail.php?"; nocase; content:"base_path="; nocase; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,securityvulns.com/Odocument913.html; reference:url,doc.emergingthreats.net/2009053; classtype:web-application-attack; sid:2009053; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function"; flow:established,to_server; http.uri; content:"REVERSE"; nocase; pcre:"/[^\w]REVERSE[^\w]?\(/i"; reference:url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html; reference:url,doc.emergingthreats.net/2011122; classtype:web-application-attack; sid:2011122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat upload from external source"; flow:to_server,established; flowbits:isset,ET.Tomcat.login.attempt; http.method; content:"POST"; http.uri; content:"/manager/html/upload"; nocase; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009220; classtype:successful-admin; sid:2009220; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_layouts/help.aspx"; nocase; content:"cid0="; nocase; pcre:"/cid0\x3d.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20415; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20610; reference:cve,2010-0817; reference:url,doc.emergingthreats.net/2011073; classtype:web-application-attack; sid:2011073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_14;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/statuswml.cgi?"; nocase; content:"ping"; nocase; pcre:"/^\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ri"; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; classtype:web-application-attack; sid:2009670; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt"; flow:established,to_server; http.uri; content:"/utility.cgi?testType="; nocase; content:"IP="; nocase; content:"|7C 7C|"; pcre:"/\x7C\x7C.+[a-z]/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023051.html; reference:url,www.securityfocus.com/archive/1/507263; reference:url,www.securityfocus.com/bid/36722/info; reference:url,doc.emergingthreats.net/2010159; classtype:attempted-admin; sid:2010159; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/unathenticated/"; http.uri.raw; content:"/unauthenticated//..%01/..%01/..%01/"; reference:url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin; reference:url,doc.emergingthreats.net/2010009; classtype:web-application-attack; sid:2010009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT INSTR in URI Possible ORACLE Related Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"INSTR"; nocase; pcre:"/SELECT.+INSTR/i"; reference:url,www.psoug.org/reference/substr_instr.html; reference:url,www.easywebtech.com/artical/Oracle_INSTR.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010284; classtype:web-application-attack; sid:2010284; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; http.method; content:"POST"; http.uri; content:"/jmx-console/HtmlAdaptor"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; classtype:web-application-attack; sid:2010379; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SELECT SUBSTR/ING in URI Possible Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"SUBSTR"; nocase; pcre:"/SELECT.+SUBSTR/i"; reference:url,www.1keydata.com/sql/sql-substring.html; reference:url,www.owasp.org/index.php/SQL_Injection; reference:url,msdn.microsoft.com/en-us/library/ms161953.aspx; reference:url,doc.emergingthreats.net/2010285; classtype:web-application-attack; sid:2010285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\x2F[A-F0-9]{25,40}$/"; http.user_agent; content:"UpdaterResponse"; fast_pattern; depth:15; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018025; rev:6; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|0D 0A|Location|3A|"; nocase; reference:url,www.secureworks.com/ctu/advisories/SWRX-2010-001/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20737; reference:cve,2008-7257; reference:url,doc.emergingthreats.net/2011763; classtype:web-application-attack; sid:2011763; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/?8080"; fast_pattern; http.request_body; content:"name=|22|action|22 0d 0a 0d 0a|"; pcre:"/^(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/R"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; pcre:"/^(?:winload(?:32)?|cmms)\x0d\x0a/R"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018257; rev:6; metadata:created_at 2014_03_12, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .php~ source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009955; classtype:web-application-attack; sid:2009955; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; content:"DeploymentScanner"; nocase; content:"methodName=addURL"; nocase; content:"=http"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; classtype:web-application-attack; sid:2010380; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .pl source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".pl~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009949; classtype:web-application-attack; sid:2009949; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/send_sim_no.php"; fast_pattern; endswith; http.request_body; content:"_no="; depth:16; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:command-and-control; sid:2017787; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2013_11_28, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .inc source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".inc~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009950; classtype:web-application-attack; sid:2009950; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; http.uri; content:"/Check.ashx?"; depth:12; content:"&e="; content:"&n="; content:"&mv="; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:pup-activity; sid:2018026; rev:5; metadata:created_at 2014_01_28, former_category ADWARE_PUP, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .conf source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".conf~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009951; classtype:web-application-attack; sid:2009951; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FortDisco Reporting Status"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cmd.php"; fast_pattern; endswith; http.user_agent; content:"|3b 20|Synapse"; http.request_body; content:"status="; depth:7; pcre:"/^\d$/R"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:6; metadata:created_at 2013_08_12, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .asp source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".asp~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009952; classtype:web-application-attack; sid:2009952; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamut Spambot Checkin"; flow:established,to_server; flowbits:set,ETGamut; http.uri; content:"file=SenderClient.conf"; nocase; fast_pattern; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:command-and-control; sid:2018245; rev:6; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .aspx source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".aspx~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009953; classtype:web-application-attack; sid:2009953; rev:15; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_15, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Tilde in URI - potential .cgi source disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".cgi~"; nocase; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2010820; classtype:web-application-attack; sid:2010820; rev:9; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_09_14;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Almanahe.B Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"ClientUpdate"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.virustotal.com/en/file/f80fc95e44d90a8e02de4fde0ea5e58227cbbde7b6d3848c1f8afbd5ed0affe7/analysis/; reference:md5,1d331ef7d24f6316947e94f737d1f219; classtype:command-and-control; sid:2018123; rev:6; metadata:created_at 2014_02_12, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Jorgee Scan"; flow:established,to_server; threshold: type limit, track by_dst, count 3, seconds 60; http.method; content:"HEAD"; http.user_agent; content:"Mozilla/5.0 Jorgee"; depth:18; endswith; fast_pattern; reference:url,www.skepticism.us/2015/05/new-malware-user-agent-value-jorgee/; classtype:trojan-activity; sid:2024265; rev:6; metadata:created_at 2015_06_26, former_category WEB_SERVER, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Trojan with Fake Java User-Agent"; flow:established,to_server; http.user_agent; content:"Java/"; depth:5; http.request_line; content:"GET /1.php HTTP/1.1"; fast_pattern; http.accept; content:"text/html, image/gif, image/jpeg, *|3b 20|q=.2, */*|3b 20|q=.2"; depth:52; endswith; http.connection; content:"keep-alive"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2018640; rev:7; metadata:created_at 2014_07_04, updated_at 2020_10_28;)
+alert http any any -> any 10000 (msg:"ET WEB_SERVER Webmin RCE CVE-2019-15107"; flow:to_server,established; content:"/password_change.cgi"; depth:20; fast_pattern; endswith; http.method; content:"POST"; http.request_body; content:"|7c|"; reference:url,blog.firosolutions.com/exploits/webmin/; reference:cve,2019-15107; classtype:attempted-admin; sid:2027896; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_08_18, deployment Perimeter, deployment Internal, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Banload.BTQP Checkin 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp?IDPC="; fast_pattern; content:"&so="; nocase; content:"&user"; nocase; content:"&versao"; nocase; content:"&pcname="; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; http.header_names; content:!"Referer"; reference:md5,03092adccde639ba26ef2e192c49f62d; classtype:command-and-control; sid:2018650; rev:6; metadata:created_at 2014_07_08, former_category MALWARE, updated_at 2020_10_28;)
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious e5b57288.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"e5b57288.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023229; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dyreza RAT Fake Server Header"; flow:established,to_client; http.protocol; content:"HTTP/1."; http.server; content:"Stalin"; fast_pattern; startswith; reference:md5,7e3e28320d209a586917668e3b8eac40; classtype:trojan-activity; sid:2018775; rev:6; metadata:created_at 2014_07_25, updated_at 2020_10_28;)
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 33db9538.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"33db9538.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023227; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DADJOKE/Rail Tycoon Initial Macro Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.html?u="; content:"&h="; distance:0; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,4c89d5d8016581060d9781433cfb0bb5; classtype:command-and-control; sid:2028963; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family APT_40, signature_severity Major, updated_at 2020_10_28;)
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 9507c4e8.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"9507c4e8.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023228; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK Payload Download (9)"; flow:established,to_server; http.uri; content:".txt?f="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:!"Referer|0d 0a|"; classtype:exploit-kit; sid:2016976; rev:12; metadata:created_at 2013_06_06, former_category EXPLOIT_KIT, updated_at 2020_10_28;)
+alert dns $HTTP_SERVERS any -> any any (msg:"ET WEB_SERVER DNS Query for Suspicious 54dfa1cb.com Domain - Anuna Checkin - Compromised PHP Site"; dns.query; content:"54dfa1cb.com"; depth:12; fast_pattern; endswith; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:trojan-activity; sid:2023230; rev:6; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, former_category WEB_SERVER, signature_severity Critical, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Retrieving Second Stage"; flow:established,to_server; http.host; pcre:"/^[^\r\n]+\x20[a-z]/i"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"POST / HTTP/1.1"; fast_pattern; reference:md5,6948d4f22e8d57369988be219ab70335; classtype:trojan-activity; sid:2020470; rev:8; metadata:created_at 2015_02_18, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; http.uri; content:"~1"; fast_pattern; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:5; metadata:created_at 2012_07_04, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaScriptBackdoor HTTP POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"username="; content:"memory_total="; content:"os_caption="; content:"os_serialnumber="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,154e76a480b22cf24ddac4d2d59c22fe; classtype:command-and-control; sid:2021133; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_05_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; http.uri; content:"/net/?u="; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.0)"; startswith; http.host; content:"net"; startswith; content:"net.net"; distance:2; within:7; endswith; pcre:"/^net[0-4]{2}net\.net$/i"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_17;)
 
-#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Errorcontent CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/?ip="; fast_pattern; content:"&referer="; distance:0; content:"&ua="; pcre:"/^\/[a-z]+\/\?ip=/"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,isc.sans.edu/diary/Possible+Wordpress+Botnet+C&C:+errorcontent.com/19733; classtype:command-and-control; sid:2021153; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2015_05_27, deployment Perimeter, deployment Datacenter, former_category MALWARE, signature_severity Major, tag Wordpress, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; http.uri; content:".php?x=img&img="; fast_pattern; classtype:web-application-activity; sid:2015926; rev:4; metadata:created_at 2012_11_24, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M1 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"accountname="; depth:12; nocase; fast_pattern; content:"&pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032717; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; http.user_agent; content:"<?php"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-11-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"fullname="; depth:9; nocase; fast_pattern; content:"&cvv"; nocase; distance:0; content:"&exp"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; http.user_agent; content:"base64_decode("; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:5; metadata:created_at 2013_02_16, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Docs Phish M2 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.cookie; content:"PHPSESSID="; http.request_body; content:"donnee3="; depth:8; nocase; fast_pattern; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032711; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/usr/bin/perl"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&psw="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032712; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"#!/bin/sh"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:8; metadata:created_at 2013_03_22, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M3 2016-11-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"donnee"; depth:6; nocase; fast_pattern; content:"donnee"; distance:0; nocase; content:"donnee"; distance:0; nocase; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032718; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8; metadata:created_at 2010_09_28, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.VBS.ayr CnC command (is-enum-folder)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/is-enum-fa"; fast_pattern; nocase; http.header; content:"|3c 7c 3e|"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:command-and-control; sid:2017520; rev:6; metadata:created_at 2013_09_25, former_category MALWARE, updated_at 2020_10_28;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"error in your SQL syntax"; fast_pattern; classtype:bad-unknown; sid:2016672; rev:4; metadata:created_at 2013_03_27, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Initial Checkin"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/20100101 Firefox/7.0.1"; fast_pattern; depth:67; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021051; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; http.uri; content:"xwork"; nocase; content:"MethodAccessor"; nocase; content:"denyMethodExecution"; nocase; fast_pattern; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:4; metadata:created_at 2013_05_24, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux.Mumblehard Command Status CnC"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|rv|3a|7.0.1) Gecko/"; fast_pattern; depth:45; pcre:"/^\d{1,5}\.[2-5]0[0-5]\.\d+? Firefox\/7\.0\.1/Ri"; http.connection; content:"close"; nocase; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Accept-Charset|0d 0a|Connection|0d 0a 0d 0a|"; depth:92; reference:url,www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf; reference:md5,86f0b0b74fe8b95b163a1b31d76f7917; classtype:command-and-control; sid:2021052; rev:5; metadata:created_at 2015_05_04, former_category MALWARE, updated_at 2020_10_28;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; http.header; content:"chunked"; nocase; fast_pattern; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/i"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:8; metadata:created_at 2013_05_23, former_category WEB_SERVER, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 5"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/6."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020944; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; http.uri; content:"LOAD_FILE("; nocase; fast_pattern; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_05_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chthonic CnC Beacon 6"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/7."; fast_pattern; startswith; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.request_line; content:"/ HTTP/1.1"; http.accept; content:"*/*"; depth:3; endswith; http.content_len; content:!"0"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|"; depth:56; content:!"Accept-"; content:!"Content-Type"; content:!"Referer|0d 0a|"; reference:md5,97369af278cc004ce390f68ae94013b6; classtype:command-and-control; sid:2020946; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; http.uri; content:"allow_url_include"; fast_pattern; pcre:"/\ballow_url_include\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BePush/Kilim CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type="; fast_pattern; pcre:"/^(?:update_hash|js|key|arsiv_(?:hash|link))$/R"; http.user_agent; content:!"Mozilla|2f|"; http.host; content:!"threatseeker.com"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,dad57ec2d5d99b725acc726b0a644c00; reference:url,seclists.org/fulldisclosure/2015/Jan/131; classtype:command-and-control; sid:2021030; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_10_28, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; http.uri; content:"safe_mode"; fast_pattern; pcre:"/\bsafe_mode\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Scanbox Sending Host Data"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jpg"; pcre:"/\/(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=|[A-Za-z0-9_-]{4})\.jpg$/"; http.cookie; content:"recordid="; fast_pattern; depth:9; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2021229; rev:5; metadata:created_at 2015_06_10, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; http.uri; content:"open_basedir"; fast_pattern; pcre:"/\bopen_basedir\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:6; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ArcDoor Intial Checkin"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|28|0d 0a|"; fast_pattern; http.request_body; pcre:"/^[a-z0-9]{11}=\d{16}$/"; http.header_names; content:!"Accept"; reference:md5,71bae4762a6d2c446584f1ae991a8fbe; classtype:command-and-control; sid:2020345; rev:5; metadata:created_at 2015_02_03, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; http.uri; content:"auto_prepend_file"; fast_pattern; pcre:"/\bauto_prepend_file\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potao CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22|?>"; depth:21; content:"10a7d030-1a61-11e3-beea-001c42e2a08b"; distance:24; fast_pattern; http.content_type; content:"application/xml"; classtype:command-and-control; sid:2021554; rev:4; metadata:created_at 2015_07_31, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; http.uri; content:"suhosin.simulation"; fast_pattern; pcre:"/\bsuhosin\.simulation\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:6; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC"; flow:established,to_server; flowbits:set,ET.centerpos; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&osname="; nocase; distance:0; content:"&compname="; nocase; distance:0; fast_pattern; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022469; rev:4; metadata:created_at 2016_01_29, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; http.uri; content:"disable_functions"; fast_pattern; pcre:"/\bdisable_functions[\s\+]*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:7; metadata:created_at 2013_06_06, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CenterPOS CnC 2"; flow:established,to_server; flowbits:set,ET.centerpos; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"mode="; depth:5; nocase; content:"&uid="; nocase; distance:0; content:"&comid="; nocase; fast_pattern; distance:0; reference:md5,0e278436fb49f9ab0d1a3da792cfb0c3; reference:url,www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html; classtype:command-and-control; sid:2022472; rev:4; metadata:created_at 2016_01_29, former_category MALWARE, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; http.request_body; content:"xp_cmdshell"; nocase; fast_pattern; classtype:bad-unknown; sid:2017010; rev:5; metadata:created_at 2013_06_13, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan Generic - POST To gate.php with no accept headers"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; nocase; fast_pattern; http.header_names; content:!"Accept"; reference:md5,d7c19ba47401f69aafed551138ad7e7c; classtype:trojan-activity; sid:2022985; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; http.uri; content:".asp?action="; nocase; fast_pattern; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(?:&|$)/i"; classtype:trojan-activity; sid:2017091; rev:4; metadata:created_at 2013_07_02, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sage Ransomware Checkin Primer"; flow:established,to_server; urilen:1; flowbits:set,ET.Sage.Primer; flowbits:noalert; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Content-Type|0d 0a|"; reference:url,isc.sans.edu/forums/diary/Sage+20+Ransomware/21959; classtype:command-and-control; sid:2023766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_01_25, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Sage, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; http.uri; content:"|0D 0A|"; fast_pattern; pcre:"/[\n\r](?:content-(?:type|length)|set-cookie|location)\x3a/i"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:5; metadata:created_at 2013_07_13, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infostealer.Bancos ProxyChanger Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//admin/imagens/icones/new/get.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,d34912a19473fe41abdd4764e7bec5f9; classtype:command-and-control; sid:2024028; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_28, deployment Perimeter, former_category MALWARE, malware_family Bancos, performance_impact Low, signature_severity Major, tag Banking_Trojan, updated_at 2020_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; http.uri; content:"/${"; fast_pattern; pcre:"/\/\$\{[^\}\x2c]+?=/"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PNC Bank Phish 2016-01-09"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?LOB="; fast_pattern; http.header; content:".php?LOB="; http.request_body; content:"user"; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032671; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; http.uri; content:"option=com_media"; nocase; fast_pattern; http.request_body; content:"Filedata[]"; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/i"; classtype:attempted-user; sid:2017327; rev:4; metadata:created_at 2013_08_14, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-01-08"; flow:to_server,established; content:"|0d 0a 0d 0a|user="; fast_pattern; http.method; content:"POST"; http.uri; content:".php?"; nocase; http.header; content:".php?"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032670; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SERVER["; fast_pattern; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-02-23"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"username="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032674; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_GET["; fast_pattern; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Mailbox Update Phish 2016-02-17"; flow:to_server,established; content:"|0d 0a 0d 0a|username="; fast_pattern; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"username="; depth:9; nocase; content:"&email="; nocase; content:"&pass"; nocase; classtype:credential-theft; sid:2029655; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_02_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_POST["; fast_pattern; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-10-10"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"fnumber="; depth:8; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&userid="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032708; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing Oct 06 2016"; flow:to_server,established; content:"|0d 0a 0d 0a|form"; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"form"; depth:4; nocase; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; content:"&form"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2031569; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-08-02"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"CardNumber="; nocase; fast_pattern; content:"&Exp"; nocase; content:"CVV="; nocase; classtype:credential-theft; sid:2029676; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ldrctl.php"; endswith; http.request_body; content:"os="; depth:3; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; nocase; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:command-and-control; sid:2010217; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; http.uri; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; http.start; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; classtype:exploit-kit; sid:2022990; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SERVER["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (123faster .top)"; dns.query; content:"123faster.top"; nocase; bsize:13; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_GET["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&transport=websocket&sid="; fast_pattern; http.header; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; content:"Sec-WebSocket-Key|3a 20|"; content:"Upgrade|3a 20|websocket"; content:"origin|3a 20|"; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"; http.cookie; content:"connect.sid="; content:"io="; classtype:credential-theft; sid:2025001; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_POST["; fast_pattern; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (conversia91 .top)"; dns.query; content:"conversia91.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_COOKIE["; fast_pattern; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (fatoftheland .top)"; dns.query; content:"fatoftheland.top"; nocase; bsize:16; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_SESSION["; fast_pattern; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (creatorz123 .top)"; dns.query; content:"creatorz123.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_REQUEST["; fast_pattern; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query to MINEBRIDGE CnC Domain (compilator333 .top)"; dns.query; content:"compilator333.top"; nocase; bsize:17; reference:url,www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html; classtype:domain-c2; sid:2029430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category TROJAN, malware_family MINEBRIDGE, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; http.request_body; content:"_ENV["; fast_pattern; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:4; metadata:created_at 2013_09_10, updated_at 2020_09_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f0 28 39 fe 4e 2f fb 3e 4e 8e 4e 2f fa 49 2f fb 3a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029436; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; http.uri; content:"/pwn.jsp?"; nocase; fast_pattern; content:"cmd="; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:6; metadata:created_at 2013_11_20, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 35 2f fb 3b 49 ed 3e 39 8c 4b 49 ed 3f 4e ed 3e 3d|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; http.uri; content:"isn_getlog"; nocase; fast_pattern; pcre:"/[?&]isn_getlog/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:7; metadata:created_at 2013_12_10, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 32 ed 3e 3c 8b 28 39 fb 49 4c 8b 28 38 8c 28 39 ff|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; http.uri; content:"/cfcexplorer.cfc"; nocase; fast_pattern; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:4; metadata:created_at 2013_12_17, updated_at 2020_09_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (Texsa)"; flow:established,to_client; tls.cert_subject; content:", L=Texsa, "; fast_pattern; tls.cert_issuer; content:", L=Texsa, "; reference:md5,45ed8898bead32070cf1eb25640b414c; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031135; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4; metadata:created_at 2014_02_03, updated_at 2020_09_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878 Cobalt Strike CnC SSL Cert Inbound (Mountainvew)"; flow:established,to_client; tls.cert_subject; content:", L=Mountainvew, "; nocase; fast_pattern; tls.cert_issuer; content:", L=Mountainvew, "; nocase; reference:md5,5c1fce8fa3e228b8f2641bb1f7a29c3f; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; classtype:targeted-activity; sid:2031136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Suspicious_Cert, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Tomcat Boundary Overflow DOS/File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; content:"Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*?boundary\s*?=\s*?[^\r\n]/Ri"; isdataat:4091,relative; content:!"|0A|"; within:4091; http.header; content:"multipart/form-data"; fast_pattern; reference:url,blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html; reference:cve,2014-0050; classtype:web-application-attack; sid:2018113; rev:4; metadata:created_at 2014_02_12, updated_at 2020_09_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 ff 28 39 fa 49 2f fb 3b 2f fb 3a 2f fb 34 48 ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER log4jAdmin access from non-local network (can modify logging levels)"; flow:established,to_server; http.uri; content:"/log4jAdmin.jsp"; fast_pattern; reference:url,gist.github.com/iamkristian/943918; classtype:web-application-activity; sid:2018202; rev:4; metadata:created_at 2014_03_04, former_category WEB_SERVER, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3a 2f fb 3f 4e ed 3e 3c ed 3e 3d ed 3e 33 8a 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ATTACKER WebShell - Zehir4.asp"; flow:established,to_server; http.uri; content:".asp?mevla=1"; nocase; fast_pattern; reference:url,pastebin.com/m44e60e60; reference:url,www.fidelissecurity.com/webfm_send/377; classtype:web-application-attack; sid:2018370; rev:6; metadata:created_at 2014_04_07, updated_at 2020_09_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 3d ed 3e 38 8c 28 39 fe 28 39 ff 28 39 f1 4f 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029444; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override URI"; flow:to_server,established; http.uri; content:"c99shcook["; nocase; fast_pattern; pcre:"/[&?]c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018601; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE POWERTON CnC Domain in DNS Lookup"; dns.query; content:"dailystudy.org"; nocase; bsize:14; reference:url,blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/; classtype:domain-c2; sid:2029448; rev:2; metadata:created_at 2020_02_13, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER c99 Shell Backdoor Var Override Client Body"; flow:to_server,established; http.request_body; content:"c99shcook["; nocase; fast_pattern; pcre:"/(?:^|&)c99shcook\[/i"; reference:url,thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/; classtype:trojan-activity; sid:2018603; rev:4; metadata:created_at 2014_06_24, updated_at 2020_09_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Multibank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<title>Document</title>"; distance:0; content:"href=|22|run/images/"; distance:0; content:"<img src=|22|run/captcha.php?rand="; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|captcha|22|>"; distance:0; fast_pattern; classtype:social-engineering; sid:2031100; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Likely Malicious Request for /proc/self/fd/"; flow:established,to_server; http.uri; content:"/proc/self/fd/"; nocase; fast_pattern; classtype:web-application-attack; sid:2019110; rev:4; metadata:created_at 2014_09_04, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Grimagent CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Keep-Alive|3a 20|"; content:"|0d 0a|Connection|3a 20|keep-alive|0d 0a|Referer|3a 20|https|3a 2f 2f|www."; distance:3; within:50; pcre:"/^(?:(?:youtub|googl)e|microsoft|amazon|ebay).com\x0d\x0a/Rsi"; http.request_body; content:!"&"; pcre:"/^[A-Za-z0-9]{3,25}=[a-f0-9]{28,}$/s"; reference:md5,d0ef174669abc7d6358531002e458df1; classtype:trojan-activity; sid:2034179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HTTP POST Generic eval of base64_decode"; flow:established,to_server; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; http.request_body; content:"base64_decode"; nocase; fast_pattern; classtype:trojan-activity; sid:2019182; rev:4; metadata:created_at 2014_09_16, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Pierogi Backdoor Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"cname="; depth:6; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"&av="; within:40; content:"&osversion="; within:50; content:"&aname="; within:50; fast_pattern; content:"&ver="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor; classtype:targeted-activity; sid:2029431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_13, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHPMyAdmin BackDoor Access"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/server_sync.php?"; fast_pattern; content:"c="; pcre:"/\/server_sync.php\?(?:.+?&)?c=/i"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:8; metadata:created_at 2012_09_26, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2020-01-29 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; content:"|0d 0a 0d 0a|user"; fast_pattern; http.method; content:"POST"; http.request_body; content:"user"; depth:4; nocase; content:"&pwd="; nocase; distance:0; classtype:credential-theft; sid:2029338; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2"; flow:established,to_server; http.request_body; content:"|25|28|25|29|25|20|25|7b|25|20"; fast_pattern; pcre:"/(:?(:?\x5e|%5e)|(:?[=?&]|\x25(:?3d|3f|26)))\s*?(:?%28|\x28)(:?%29|\x29)(:?%20|\x20)(:?%7b|\x7b)(:?%20|\x20)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019234; rev:6; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:attempted-admin; sid:2029022; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2020_10_29;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER CURL Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"curl|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bcurl\s[^\r\n]*?-(?:[Oo]|-(?:remote-name|output))[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019308; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; pcre:"/^Hello, World(?:(?:\/|\s)[0-9]\.0)?$/i"; content:"Hello, World"; nocase; fast_pattern; startswith; classtype:web-application-attack; sid:2029034; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, signature_severity Major, updated_at 2020_10_29;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WGET Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"wget|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\bwget\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019309; rev:4; metadata:created_at 2014_09_29, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-06-22"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:ebay\.co\.uk|singtel\.com|blockchain\.com)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032684; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER lwp-download Command Specifying Output in HTTP Headers"; flow:established,to_server; http.header; content:"lwp-download|20|"; fast_pattern; pcre:"/(?!^User-Agent\x3a)\blwp-download\s[^\r\n]+(?:\x3b|&&)/m"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019310; rev:4; metadata:created_at 2014_09_29, former_category WEB_SERVER, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware.Hidden-Tear Variant CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?info="; fast_pattern; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,5ae92b52b0a6df8a64a5f98700bc290f; classtype:command-and-control; sid:2034675; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; http.uri; content:"|28 29 20 7b|"; fast_pattern; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019231; rev:6; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-08-19"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:s(?:ocietegenerale\.com|parkasse\.at|ina\.com\.cn|wisscom\.ch|ec\.gov)|b(?:bva(?:compass\.com|\.com\.co)|anque-accord\.fr|mo\.com)|g(?:o(?:(?:ogle\.co|v)\.uk|daddy\.com)|mail\.com)|(?:z(?:illow|oosk)|images\.kw|office365)\.com|t(?:el(?:stra\.com\.au|ekom\.com)|-online\.de)|c(?:reditmutuel\.fr|panel\.net|iti\.com)|(?:(?:realestate|nab)\.com\.a|unc\.ed)u|d(?:esjardins\.c(?:om|a)|iscover\.com)|e(?:arthlink\.net|ftel\.com\.au|bay\.de)|a(?:bl\.com\.pk|liyun\.com|nz\.co\.nz)|w(?:estpac\.com\.au|ikimedia\.org)|v(?:isaeurope\.ch|erizon\.net)|h(?:blibank\.com\.pk|sbc\.com)|paypal\.co\.uk)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032689; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 3"; flow:established,to_server; http.request_body; content:"()|25|20|25|7b"; fast_pattern; pcre:"/(:?(?:\x5e|%5e)|([=?&]|\x25(?:3d|3f|26)))\s*?\(\)(?:%20|\x20)(?:%7b|\x7b)/i"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019241; rev:5; metadata:created_at 2014_09_25, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish 2016-11-28"; flow:to_server,established; content:"|0d 0a 0d 0a|id="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032719; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MongoDB Negated Parameter Server Side JavaScript Injection Attempt"; flow:established,to_server; http.uri; content:"[$ne]"; fast_pattern; reference:url,blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html; reference:url,docs.mongodb.org/manual/reference/operator/query/ne/; classtype:web-application-attack; sid:2019460; rev:4; metadata:created_at 2014_10_17, updated_at 2020_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M1 2016-12-02"; flow:to_server,established; content:"|0d 0a 0d 0a|handle="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"handle="; depth:7; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032722; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Generic PHP Remote File Include"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"allow_url_include"; content:"safe_mode"; http.uri.raw; content:"php|3a 2f 2f|input"; http.request_body; content:"<?php"; fast_pattern; content:"chmod 777"; classtype:attempted-user; sid:2019957; rev:4; metadata:affected_product Any, attack_target Server, created_at 2014_12_17, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phish M2 2016-12-02"; flow:to_server,established; content:"|0d 0a 0d 0a|userid="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032723; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030911; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, signature_severity Major, updated_at 2020_09_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 2f fb 38 2f fb 39 2f fb 39 48 ed 3e 3f ed 3e 3d ed 3f 4e ed 3e 3e|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Heimdallbot Attack Tool Inbound"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"Heimdallbot"; nocase; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*?Heimdallbot/mi"; classtype:web-application-attack; sid:2020323; rev:4; metadata:created_at 2015_01_28, updated_at 2020_09_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f ed 3e 3f ed 3e 3e ed 3e 3e 8a 28 39 fd 28 39 ff 28 38 8c 28 39 fc|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029458; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; http.uri; content:"isn_logdel"; nocase; fast_pattern; pcre:"/[?&]isn_logdel/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:8; metadata:created_at 2013_12_10, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8d 28 39 fd 28 39 fc 28 39 fc 4f 2f fb 38 2f fb 3a 2f fa 49 2f fb 39|"; distance:10; within:49; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; http.uri; content:"isn_logpath"; nocase; fast_pattern; pcre:"/[?&]isn_logpath/i"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:8; metadata:created_at 2013_12_10, updated_at 2020_10_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 f1 28 39 fc 28 39 f9 28 39 fc 28 39 f1 28 39 f8 28 39 ff 28 38 8c 4c|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029463; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<title>j3mb03dz m4w0tz sh311"; nocase; distance:0; classtype:web-application-attack; sid:2030941; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M14"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 34 2f fb 39 2f fb 3c 2f fb 39 2f fb 34 2f fb 3d 2f fb 3a 2f fa 49 4b|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Ani-Shell"; nocase; fast_pattern; content:"[]--------------Ani Shell---"; nocase; distance:0; classtype:web-application-attack; sid:2030944; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M15"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89|"; distance:10; within:51; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029465; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_14, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_29;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mr Secretz Shell"; nocase; fast_pattern; content:"Mr Secretz Shell</font>"; nocase; distance:0; classtype:web-application-attack; sid:2030946; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&handle=java."; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031144; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_10_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Evil Twin Shell"; nocase; fast_pattern; content:">EVIL TWIN SHELL</a></span></center>"; nocase; distance:0; classtype:web-application-attack; sid:2030948; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"%252e%252e%252f"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031145; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_11_06;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini Shell By Black_Shadow"; nocase; fast_pattern; classtype:web-application-attack; sid:2030950; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-12-19"; flow:to_server,established; content:"|0d 0a 0d 0a|t1="; fast_pattern; http.method; content:"POST"; http.request_body; content:"t1="; depth:3; nocase; content:"|25|40"; distance:0; content:"&t2="; nocase; distance:0; http.start; pcre:"/^POST\x20(?<var>[^\x20]+).+Referer\x3a\x20[^\r\n]+(?P=var)[\r\n]+/si"; classtype:credential-theft; sid:2032727; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"WebShellOrb 2.6</title>"; nocase; fast_pattern; content:"Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span>"; nocase; distance:0; classtype:web-application-attack; sid:2030952; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_02, deployment Perimeter, signature_severity Major, updated_at 2020_10_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing M1 2016-09-26"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.request_body; content:"email="; nocase; content:"&pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032699; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL Linux/Torte Uploaded"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"JGVudiA9ICJYRFZTTl9TRVNTSU9OX0NPT0tJR"; fast_pattern; content:"eval(base64_decode($_REQUEST["; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:attempted-admin; sid:2022359; rev:4; metadata:created_at 2016_01_13, updated_at 2020_10_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (vighik .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"vighik.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031150; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WEBSHELL JSP/Backdoor Shell Access"; flow:established,to_server; http.uri; content:".war?cmd="; fast_pattern; content:"&winurl="; content:"&linurl="; pcre:"/\.war\?cmd=[a-zA-Z0-9+/=]+&winurl=[a-zA-Z0-9+/=]*&linurl=[a-zA-Z0-9+/=]*/"; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:successful-admin; sid:2022348; rev:5; metadata:created_at 2016_01_12, updated_at 2020_10_05;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (cntrhum .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cntrhum.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031151; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3718 SSRF Inbound (mvg + fill + url)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"fill"; content:"url("; distance:0; nocase; pcre:"/^\s*https?\x3a\/\//Ri"; classtype:web-application-attack; sid:2022791; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (doldig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"doldig.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3715 File Deletion Inbound (ephermeral:+ mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"ephemeral"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022792; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (sh78bug .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"sh78bug.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031153; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3716 Move File Inbound (msl: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"msl"; nocase; pcre:"/^\s*\x3a\s*[./]/Ri"; classtype:web-application-attack; sid:2022793; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (dghns .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"dghns.xyz"; bsize:9; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3717 Local File Read Inbound (label: + mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"label"; nocase; pcre:"/^\s*\x3a\s*\x40/Ri"; classtype:web-application-attack; sid:2022794; rev:5; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (bigjamg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigjamg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031155; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (mvg)"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; pcre:"/https\x3a.+(?<!\x5c)(:[\x22\x27]|\\x2[27])\s*?[\x3b&\x7c><].*?(:[\x22\x27]|\\x2[27])/si"; classtype:web-application-attack; sid:2022789; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (numklo .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"numklo.xyz"; bsize:10; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031156; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ImageMagick CVE-2016-3714 Inbound (svg)"; flow:established,to_server; http.request_body; content:"<svg|20|"; nocase; fast_pattern; content:"xlink"; nocase; pcre:"/xlink\s*?\x3a\s*?href\s*?=\s*?(:[\x22\x27]|\\x2[27])https.+?&quot\s*?\x3b(?:\x7c|&(?:[gl]t|amp)\s*?\x3b)/si"; classtype:web-application-attack; sid:2022790; rev:6; metadata:created_at 2016_05_04, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (gut45bg .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gut45bg.xyz"; bsize:11; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031157; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Unusually Fast HTTP Requests With Referer Url Matching DoS Tool"; flow:to_server,established; threshold: type both, track by_src, count 15, seconds 30; http.referer; content:"/slowhttptest/"; fast_pattern; reference:url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read; classtype:web-application-activity; sid:2014103; rev:6; metadata:created_at 2012_01_10, updated_at 2020_10_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BazarLoader Domain (moig .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"moig.xyz"; bsize:8; fast_pattern; reference:url,github.com/blacklotuslabs/IOCs/blob/main/domains_assoc_ryuk.txt; classtype:domain-c2; sid:2031158; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M1"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 27 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022848; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA67 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?v="; content:"&g="; distance:0; http.user_agent; content:"Mozilla/5.0 Gecko/41.0 Firefox/41.0"; bsize:35; fast_pattern; http.header_names; content:!"Referer"; reference:md5,3e5d4de6c6e2c18da8c1f75b10ca9cac; classtype:trojan-activity; sid:2031146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2016-5118 Exploit MVG attempt M2"; flow:established,to_server; http.request_body; content:"viewbox|20|"; nocase; fast_pattern; content:"|20 22 7c|"; nocase; reference:url,seclists.org/oss-sec/2016/q2/432; reference:cve,2016-5118; classtype:trojan-activity; sid:2022849; rev:4; metadata:created_at 2016_06_01, updated_at 2020_10_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder Phishing 2016-09-12"; flow:to_server,established; content:"|0d 0a 0d 0a|login="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"login="; nocase; content:"pass"; nocase; distance:0; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032698; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Continuum Arbitrary Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/saveInstallation.action"; fast_pattern; http.request_body; content:"&installation.varValue="; content:"|25|60"; classtype:attempted-user; sid:2022912; rev:4; metadata:created_at 2016_06_22, updated_at 2020_10_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-10-07"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^s?\x3a\/\/[^\/]*(?:goo(?:gle(?:\.(?:c(?:om\.[en]g|a)|r[ou])|apps\.com)|\.gl)|c(?:iovaccocapital\.com|entrin\.net\.id|artasi\.it)|s(?:(?:antander\.com\.b|fr\.f)r|tandardbank\.co\.za)|(?:aliexpress|vanguard|tdbank|ibm)\.com|e(?:xperienceasb\.co\.nz|im\.ae)|n(?:(?:avy)?fcu\.org|wolb\.com)|unicredit\.it|mbna\.co\.uk|oney\.fr|zkb\.ch)\/?/Ri"; http.content_type; content:"text/html"; startswith; classtype:credential-theft; sid:2032706; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.33db9538.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"33db9538.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023231; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Parallax RAT CnC Domain Observed in DNS Query"; dns.query; content:"vahlallha.duckdns.org"; nocase; bsize:21; reference:url,twitter.com/malwrhunterteam/status/1227196799997431809; classtype:domain-c2; sid:2029454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_02_14, former_category MALWARE, malware_family Parallax, updated_at 2020_10_30;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.9507c4e8.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"9507c4e8.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023232; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 13.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/13.0."; content:!"2"; within:1; reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html; classtype:bad-unknown; sid:2028869; rev:4; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.e5b57288.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"e5b57288.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023233; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4e 2f fb 3c 4b 8e 49 48 ed 3e 3a ed 3f 4e 89|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029479; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP Request to a *.54dfa1cb.com domain - Anuna Checkin - Compromised PHP Site"; flow:to_server,established; http.header; content:"54dfa1cb.com"; fast_pattern; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2; reference:url,security.stackexchange.com/questions/47253/hacked-site-encrypted-code; classtype:bad-unknown; sid:2023234; rev:4; metadata:affected_product Apache_HTTP_server, affected_product PHP, attack_target Web_Server, created_at 2016_09_15, deployment Datacenter, signature_severity Critical, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|49 ed 3e 3b 89 4b 4e 8a 28 39 f8 28 38 8c 4c|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029480; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; http.header; content:"Range|3a|"; nocase; content:"18446744073709551615"; fast_pattern; distance:0; pcre:"/^Range\x3a[^\r\n]*?18446744073709551615/mi"; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:5; metadata:created_at 2015_04_15, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8b 28 39 f9 4c 4c 8c 4f 2f fb 3d 2f fa 49 4b|"; distance:10; within:41; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt"; flow:to_server,established; http.uri; content:"/level/15/exec/-/"; fast_pattern; nocase; pcre:"/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/i"; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M19"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|4f 4e ed 3e 3a ed 3e 32 ed 3e 3e ed 3e 3e ed 3e 3c ed 3f 4e 8a|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Binget PHP Library User Agent Inbound"; flow:established,to_server; http.user_agent; content:"Binget/"; nocase; depth:7; reference:url,www.bin-co.com/php/scripts/load/; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013049; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M20"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|48 8c 28 39 f8 28 39 f0 28 39 fc 28 39 fc 28 39 fe 28 38 8c 4f|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029486; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER pxyscand Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"pxyscand/"; nocase; depth:9; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013051; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M21"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|8a 49 2f fb 3d 2f fb 35 2f fb 39 2f fb 39 2f fb 3b 2f fa 49 48|"; distance:10; within:47; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2029487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PyCurl Suspicious User Agent Inbound"; flow:established,to_server; http.user_agent; content:"PyCurl"; nocase; startswith; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013053; rev:4; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Flowbit set for POST to Quicken Updater"; flow:established,to_server; flowbits:set,ET.QuickenUpdater; flowbits:noalert; http.method; content:"POST"; http.header; content:"quicken.com|0d 0a|"; content:"Date|3a|"; http.user_agent; content:"InetClntApp"; fast_pattern; depth:11; classtype:misc-activity; sid:2022803; rev:4; metadata:created_at 2016_05_11, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Inbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013057; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible ReactorBot .bin Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi/"; content:".bin"; fast_pattern; endswith; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"kankan.com"; endswith; content:!"aocdn.net"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2022841; rev:5; metadata:created_at 2016_05_27, former_category CURRENT_EVENTS, updated_at 2020_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Outbound PHP User-Agent"; flow:established,to_server; http.user_agent; content:"PHP/"; nocase; depth:4; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013058; rev:5; metadata:created_at 2011_06_17, updated_at 2020_10_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransomware Locky CnC Beacon 21 May"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_dispatch.php"; fast_pattern; endswith; http.header; content:"|0d 0a|x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; http.request_body; pcre:"/^[0-9a-zA-Z=%-]{0,48}(?:%[A-F0-9]{2}){4}/si"; http.content_type; content:"www-form-urlencoded"; endswith; reference:md5,6f8987e28fed878d08858a943e7c6e7c; classtype:command-and-control; sid:2022952; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>GR0V Shell"; nocase; fast_pattern; content:">GR0V shell</font></center></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031014; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, signature_severity Major, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CozyCar V2 CnC Beacon"; flow:established,to_server; http.header; content:"=12&"; content:"=2"; distance:1; within:8; content:"=="; distance:12; within:6; content:"=="; distance:18; within:10; http.request_line; content:".php? HTTP/1."; fast_pattern; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:command-and-control; sid:2023966; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_CozyCar, signature_severity Major, tag c2, updated_at 2020_10_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mini-Shell v"; nocase; fast_pattern; content:">..:: Mini-Shell moded by"; nocase; distance:0; classtype:web-application-attack; sid:2031016; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_14, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; http.method; content:"POST"; http.uri; content:"/signin"; endswith; http.header; content:"/signin|0d 0a|"; fast_pattern; http.request_body; content:"_token="; depth:7; nocase; content:"&email="; nocase; distance:0; content:"|25|40"; nocase; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2024015; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_10_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s)"; flow:to_server,established; http.user_agent; content:"czxt2s"; nocase; depth:6; endswith; reference:url,doc.emergingthreats.net/2011174; classtype:web-application-attack; sid:2011174; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag SQL_Injection, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GET Request to Jaff Domain (orhangazitur . com)"; flow:to_server,established; http.method; content:"GET"; http.host; content:"orhangazitur.com"; fast_pattern; bsize:16; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:trojan-activity; sid:2024338; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category TROJAN, malware_family Jaff_Ransomware, performance_impact Moderate, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; http.uri; content:"backupdata"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012286; rev:7; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"comboratiogferrdto.com"; fast_pattern; bsize:22; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,51cf3452feb218a4b1295cebf3b2130e; classtype:command-and-control; sid:2024340; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_31, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_10_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Automated Site Scanning for backup_data"; flow:established,to_server; http.uri; content:"backup_data"; nocase; http.user_agent; content:"Mozilla/4.0"; bsize:11; classtype:attempted-recon; sid:2012287; rev:6; metadata:created_at 2011_02_04, updated_at 2020_10_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; distance:0; fast_pattern; pcre:"/\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024306; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Bot Search RFI Scan (Casper-Like Jcomers Bot scan)"; flow:established,to_server; http.user_agent; content:"Jcomers Bot"; nocase; depth:11; reference:url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/; reference:url,doc.emergingthreats.net/2011285; classtype:web-application-attack; sid:2011285; rev:8; metadata:created_at 2010_07_30, former_category WEB_SERVER, updated_at 2020_10_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Posting Host Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?id="; content:"&act="; fast_pattern; distance:0; pcre:"/\?id=\d+&act=\d$/"; http.host; content:!".money-media.com"; http.request_body; content:"rprt="; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024307; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_05_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>YoungSister</title>"; fast_pattern; content:"YOUNG SISTER</font></font></font></h1>"; distance:0; content:"<center><font color=|22|white|22|>YoungSister"; distance:0; classtype:web-application-attack; sid:2031026; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_19, deployment Perimeter, signature_severity Major, updated_at 2020_10_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OilRig QUADAGENT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=cpuproc.com"; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,d51c2ffce844d42bab2f2c3131e3dbd4; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/; classtype:domain-c2; sid:2025892; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_25, deployment Perimeter, former_category MALWARE, malware_family QuadAgent, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer By ME</title>"; fast_pattern; content:"<form id=|22|form1|22 20|name=|22|form1|22 20|method=|22|post|22|"; nocase; distance:0; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031028; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_19, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_10_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MICROPSIA CnC Domain)"; flow:from_server,established; tls.cert_subject; content:"CN=new.young-spencer.com"; fast_pattern; reference:md5,738b3370230bd3168a97a7171d17ed64; reference:url,docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc; classtype:domain-c2; sid:2025918; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_07_27, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Attack Tool Revolt Scanner"; flow:established,to_server; http.user_agent; content:"revolt"; depth:6; reference:url,www.Whitehatsecurityresponse.blogspot.com; reference:url,doc.emergingthreats.net/2009288; classtype:web-application-attack; sid:2009288; rev:59; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BadPatch CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"python-requests/"; depth:16; http.request_body; content:"="; pcre:"/^(?:[A-F0-9]{2}%3A){5}[A-F0-9]{2}&/R"; content:"=Py+version+"; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/badpatch-campaign-uses-python-malware.html; classtype:command-and-control; sid:2028913; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_10_28, deployment Perimeter, former_category MALWARE, malware_family BadPatch, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER DataCha0s Web Scanner/Robot"; flow:established,to_server; http.user_agent; content:"DataCha0s"; nocase; depth:9; reference:url,www.internetofficer.com/web-robot/datacha0s.html; reference:url,doc.emergingthreats.net/2003616; classtype:web-application-activity; sid:2003616; rev:41; metadata:created_at 2010_07_30, updated_at 2020_10_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Various Malicious AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; http.uri; content:!"="; content:!"&"; content:!"?"; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/"; http.user_agent; content:"MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022503; rev:5; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible PHP Remote Code Execution CVE-2019-11043 PoC (Inbound)"; flow:established,to_server; http.uri; content:"|25|OA"; nocase; content:"=/bin/sh+-c+'"; nocase; distance:0; fast_pattern; reference:url,github.com/neex/phuip-fpizdam; reference:url,github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043; reference:cve,2019-11043; classtype:web-application-attack; sid:2028895; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2019_10_23, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Powershell Download Command Observed within Flash File - Probable EK Activity"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/x-shockwave-flash"; file.data; content:"cmd.exe /c powershell"; fast_pattern; content:"DownloadFile("; nocase; within:100; classtype:exploit-kit; sid:2028941; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SERVER JAWS Webserver Unauthenticated Shell Command Execution"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/shell?cd%20/tmp|3b|wget%20"; depth:24; fast_pattern; http.header.raw; content:"Mozilla/5.0%20(Windows|3b|%20U|3b|%20Windows%20NT"; reference:md5,a26f67a1d0a50af72c5fd9c94e9f5a1c; classtype:web-application-attack; sid:2029008; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_11_20, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_10_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M3"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/optout/set/lt?jsonp="; fast_pattern; content:"key="; distance:16; within:27; content:"cv="; distance:18; within:27; content:"t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027427; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic File Upload Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Tryag File Manager"; fast_pattern; content:"<h1>Tryag File Manager"; distance:0; content:"Upload File|20 3a 20|<input type=|22|file|22|"; distance:0; classtype:web-application-attack; sid:2031075; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr5.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027425; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer"; content:"<h1>Simple Mailer</h1>"; distance:0; fast_pattern; content:"for=|22|Emails|22|>Emails|20 3a|</label>"; distance:0; classtype:web-application-attack; sid:2031077; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/addons/lnkr30_nt.min.js"; fast_pattern; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027426; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Priv8 Mailer"; fast_pattern; content:"document.getElementById(|22|sender-email|22|"; distance:0; content:"document.getElementById(|22|xmailer|22|"; distance:0; classtype:web-application-attack; sid:2031079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_22, deployment Perimeter, signature_severity Major, updated_at 2020_10_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET GAMES Wolfteam HileYapak Server Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; file.data; content:"Temizleme Yapildi HileYapak"; depth:27; fast_pattern; reference:md5,85cf4df17fcf04286fcbbdf9fbe11077; classtype:policy-violation; sid:2027417; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_31, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; http.request_body; content:"dbhost="; content:"dbuser="; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:4; metadata:created_at 2013_07_02, updated_at 2020_10_28;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xwo CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept-Charset|3a 20|ISO-8859-1"; http.request_body; content:"wanip="; depth:6; fast_pattern; content:"&username="; distance:0; content:"&password="; distance:0; content:"&lanip="; distance:0; content:"&port="; distance:0; reference:url,www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner; reference:md5,fd67a98599b08832cf8570a641712301; classtype:command-and-control; sid:2027144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Xwo, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/statuswml.cgi?"; nocase; content:"ping"; nocase; pcre:"/^\s*=\s*([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|[^\x26\x0D\x0A]*\x3B)/Ri"; reference:bugtraq,35464; reference:url,doc.emergingthreats.net/2009670; classtype:web-application-attack; sid:2009670; rev:13; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR landing page (possible compromised site) M5"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"/code?id="; fast_pattern; content:"subid="; distance:3; within:19; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027429; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST)"; flow:established,to_server; content:"action=invokeOp&name=jboss.deployment"; nocase; content:"flavor%253DURL%252Ctype%253DDeploymentScanner"; within:50; nocase; content:"=http%3A%2F%2F"; within:40; http.method; content:"POST"; http.uri; content:"/jmx-console/HtmlAdaptor"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010379; classtype:web-application-attack; sid:2010379; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Spark Backdoor CnC Domain Query"; dns.query; content:"nysura.com"; nocase; bsize:10; reference:url,www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one; classtype:domain-c2; sid:2029492; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_30;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment"; content:"DeploymentScanner"; nocase; content:"methodName=addURL"; nocase; content:"=http"; nocase; reference:url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/; reference:url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf; reference:url,doc.emergingthreats.net/2010380; classtype:web-application-attack; sid:2010380; rev:9; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdnlib.at"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029501; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/OvCgi/"; nocase; content:"/OpenView5.exe?"; nocase; distance:0; fast_pattern; content:"Action=../../"; nocase; distance:0; http.protocol; content:"HTTP/1."; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; classtype:web-application-attack; sid:2008171; rev:12; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=storefrontcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029502; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=e4.ms"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029503; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=givemejs.cc"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029504; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OvCgi/Toolbar.exe"; nocase; fast_pattern; http.header; content:"Accept-Language|3a 20|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3a|"; distance:0; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=opendoorcdn.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029505; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; fast_pattern; content:"&utm_source="; distance:0; pcre:"/^\/blog\/\?[a-z]{3,20}+\&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:command-and-control; sid:2022260; rev:4; metadata:created_at 2015_12_14, former_category WEB_SERVER, updated_at 2020_11_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=wappallyzer.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029506; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http.method; content:"POST"; http.connection; content:"close"; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019749; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=jquerycdn.su"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029507; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031174; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=toplevelstatic.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.riskiq.com/blog/labs/magecart-group-12-olympics/; classtype:domain-c2; sid:2029508; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; fast_pattern; content:">MAILER INBOX SENDING"; distance:0; classtype:web-application-attack; sid:2031177; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP 180solutions Spyware Keywords Download"; flow: to_server,established; http.method; content:"GET"; http.uri; content:"keywords/kyf"; nocase; content:"partner_id="; distance:0; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:pup-activity; sid:2002001; rev:12; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; http.method; content:"GET"; http.cookie; content:"cm="; content:"cn=M-cookie|3b|"; fast_pattern; content:"cp="; reference:url,panagioto.com/webacoo-backdoor-detection; classtype:web-application-activity; sid:2022295; rev:5; metadata:created_at 2015_12_22, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; threshold: type limit, count 1, track by_src, seconds 360; http.header; content:"UtilMind HTTPGet"; fast_pattern; http.host; content:!"www.blueocean.com"; content:!"www.backupmaker.com"; content:!"promo.ascomp.de"; content:!"www.synchredible.com"; content:!"support.numarasoftware.com"; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:pup-activity; sid:2002402; rev:25; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_10_30;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019748; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Fake ProtonVPN/AZORult CnC Domain Query"; dns.query; content:"accounts.protonvpn.store"; nocase; bsize:24; reference:url,securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/; classtype:command-and-control; sid:2029523; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_10_30;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/api/xmlrpc"; http.request_body; content:"file|3a 2f 2f 2f|"; fast_pattern; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:4; metadata:created_at 2012_08_15, updated_at 2020_11_05;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query for Suspicious TLD (.management)"; dns.query; content:".management"; nocase; endswith; classtype:policy-violation; sid:2029509; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_02_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SET"; nocase; distance:0; http.uri; content:"SHOW"; nocase; content:"CHARACTER"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; classtype:web-application-attack; sid:2010964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert dns any any -> $HOME_NET any (msg:"ET PHISHING Suspected Appspot Hosted Phishing Domain"; dns.query; content:!"www."; content:"-dot-"; content:".appspot.com"; fast_pattern; isdataat:!1,relative; pcre:"/^[a-z]{36,38}\-dot\-[a-z]+\-[a-z]+\-\d{6}\.[a-z]{2}\.[a-z]\.appspot\.com$/"; classtype:social-engineering; sid:2031149; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession(";  fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-user; sid:2031147; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/OvCgi/ovalarm.exe"; nocase; fast_pattern; content:"OVABverbose="; nocase; distance:0; pcre:"/^(1|on|true)/Ri"; http.accept_lang; isdataat:100,relative; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; classtype:web-application-attack; sid:2010704; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Python/PBot Browser Hijacker Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js?streamId="; fast_pattern; content:"&isAdvpp="; distance:0; content:".js?streamId="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&isAdvpp=(?:true|false)$/Rsi"; http.header; content:"|0d 0a|Origin|3a 20|http"; reference:md5,f741a2febf0630407ba17945362f3bce; classtype:trojan-activity; sid:2031148; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_10_31;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; http.uri; content:"+CSCOE+/files/browse.html"; nocase; fast_pattern; content:"code=init"; nocase; distance:0; content:"path=ftp"; nocase; distance:0; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; classtype:attempted-user; sid:2010457; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_07;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart Group 12)"; flow:from_server,established; tls.cert_subject; content:"CN=stat-group.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,www.goggleheadedhacker.com/blog/post/16; classtype:domain-c2; sid:2029524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_02_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_10_31, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=apkv6.endurecif.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031162; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031201; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fif0.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031163; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031202; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=seahome.top"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031164; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<%@|20|Page|20|Language=|22|Jscript|22|%><eval|28|Request.Item|5b|"; fast_pattern; content:"|22 29 3b|%>"; within:50; classtype:trojan-activity; sid:2027341; rev:4; metadata:created_at 2019_05_09, former_category WEB_SERVER, performance_impact Low, updated_at 2020_11_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup FireStarter CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=inapturst.top"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2031165; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family Firestarter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_02, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER BlackSquid JSP Webshell Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<|25 25|java.io.InputStream|20|"; depth:25; content:"Runtime.getRunetime|28 29|.exec|28|request"; within:50; content:".getInputStream|28 29 3b|int|20|"; distance:0; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/; classtype:attempted-admin; sid:2027433; rev:3; metadata:attack_target Web_Server, created_at 2019_06_04, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE f0xy Checkin"; flow:to_server,established; urilen:10; content:"/hello.php"; fast_pattern; http.method; content:"GET"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,160634d784c256d29563117554685c31; reference:url,community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx; classtype:command-and-control; sid:2020339; rev:5; metadata:created_at 2015_01_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT KaiXin Secondary Landing Page"; flow:to_server,established; http.uri; content:"/win.html"; fast_pattern; endswith; http.header; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/si"; http.host; content:!"www.carrona.org"; classtype:exploit-kit; sid:2021293; rev:6; metadata:created_at 2015_06_18, updated_at 2020_11_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_25, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; http.uri; content:!"/"; offset:1; content:".asp"; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/"; pcre:"/[a-z].*?[a-z]/"; pcre:"/[A-Z].*?[A-Z]/"; pcre:"/\d.*?\d/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2021407; rev:6; metadata:created_at 2015_07_13, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031243; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Duqu 2.0 Request"; flow:established,to_server; http.start; content:"Cookie|3a 20|COUNTRY="; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,www.symantec.com/connect/blogs/duqu-20-reemergence-aggressive-cyberespionage-threat; classtype:trojan-activity; sid:2021247; rev:5; metadata:created_at 2015_06_11, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031271; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/apply.cgi"; endswith; http.request_body; content:"submit_button=index"; depth:19; content:"&action=Apply"; distance:0; nocase; content:"&lan_dns0="; distance:0; fast_pattern; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:4; metadata:created_at 2015_04_08, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031415; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Autoupdate)"; flow:to_server,established; http.header; content:!" Creative AutoUpdate v"; http.user_agent; content:"Autoupdate"; nocase; depth:10; content:!"McAfeeAutoUpdate"; nocase; http.host; content:!"update.nai.com"; content:!"nokia.com"; content:!"sophosupd.com"; content:!"sophosupd.net"; content:!"wholetomato.com"; content:!".acclivitysoftware.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:pup-activity; sid:2003337; rev:22; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031429; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; fast_pattern; content:"style="; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; classtype:web-application-attack; sid:2004023; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031437; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_12_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=TQBpAGMAcgBvAHMAbwBmAHQAIABXAGk"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2c727910738e0a381acf00fd0e1d636d; classtype:trojan-activity; sid:2030139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Elite Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.jsp"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021626; rev:9; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031513; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Scout Windows Implant Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021627; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031606; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, signature_severity Major, updated_at 2021_02_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Android Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Android"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021628; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER DEWMODE Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:".php?csrftoken="; content:"|22|><font|20|size=4>Cleanup|20|Shell</font>"; fast_pattern; content:"file_id"; content:"path"; content:"file_name"; content:"uploaded_by"; content:"Recipient"; content:"Actions"; reference:url,www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html; reference:md5,2798c0e836b907e8224520e7e6e4bb42; reference:md5,bdfd11b1b092b7c61ce5f02ffc5ad55a; classtype:attempted-admin; sid:2031650; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hacking Team Implant Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.cookie; pcre:"/^ID=\w{8}-\w{4}-\w{4}-\w{4}-\w{12}/"; http.request_body; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/"; http.start; content:"Cookie|3a 20|ID="; fast_pattern; reference:url,www.4armed.com/blog/network-defense-catching-galileo-rcs-using-snort; classtype:trojan-activity; sid:2021629; rev:10; metadata:created_at 2015_08_14, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form action=|22 22 20|"; content:"<input|20|type=|22|text|22 20|name=|22|_jy|22|><input|20|type=|22|submit|22 20|value=|22|>>"; fast_pattern; classtype:attempted-admin; sid:2031651; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_02_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.WVW CnC Beacon 3"; flow:to_server,established; urilen:4; http.header; content:"Empty|0d 0a|"; http.request_line; content:"GET /cl1"; depth:8; fast_pattern; http.referer; content:"1|3a|"; depth:2; pcre:"/^\d\.\d_(?:64|32)_\d\x3a/R"; reference:md5,1de834aca8905124e1abcd4f71dea062; classtype:command-and-control; sid:2021259; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031679; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; http.uri; content:".php?sid="; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022070; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Uploader Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031681; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; http.uri; content:".php?id=4"; fast_pattern; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/"; http.host; content:!".hostingcatalog.com"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2022071; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_11_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:4; metadata:created_at 2013_10_17, updated_at 2021_03_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; fast_pattern; content:"gid="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; classtype:web-application-attack; sid:2005850; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (External)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031879; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_03_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; fast_pattern; content:"passwordNew="; nocase; distance:0; content:"UNION"; nocase; distance:0; pcre:"/^\s+SELECT/Ri"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006022; classtype:web-application-attack; sid:2006022; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (Internal)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031880; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Internal, deployment SSLDecrypt, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_03_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; fast_pattern; content:"sent="; nocase; distance:0; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; classtype:web-application-attack; sid:2006116; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032005; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, signature_severity Major, updated_at 2021_03_15;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; fast_pattern; content:"ID="; nocase; distance:0; content:"ASCII("; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006145; classtype:web-application-attack; sid:2006145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful My ADP Phish (set) 2017-02-16"; flow:to_server,established; flowbits:set,ET.adpphish; flowbits:noalert; http.method; content:"POST"; http.host; content:!".adp.com"; endswith; http.request_body; content:"target="; depth:7; nocase; fast_pattern; content:"user"; nocase; distance:0; content:"pass"; nocase; distance:0; classtype:credential-theft; sid:2027957; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032087; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE jFect HTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping"; http.user_agent; content:"Java/"; depth:5; http.request_body; content:"uid="; depth:4; content:"&group="; content:"&lan="; content:"&nameAtPc="; fast_pattern; nocase; content:"&os="; content:"&country="; content:"&uptime="; content:"&installDate="; nocase; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d19261cf449afc52532028cca110eb36; classtype:command-and-control; sid:2022582; rev:4; metadata:created_at 2016_03_02, former_category MALWARE, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032089; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible WinHttpRequest (no .exe)"; flow:to_server,established; flowbits:set,et.MS.WinHttpRequest.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022652; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_02;)
+alert http any any -> any any (msg:"ET WEB_SERVER Babydraco WebShell Activity"; flow:established,to_server; http.uri; content:"/owa/auth/babydraco.aspx"; bsize:24; fast_pattern; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:attempted-admin; sid:2032344; rev:1; metadata:created_at 2021_03_29, former_category WEB_SERVER, updated_at 2021_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; http.user_agent; content:"TEST"; fast_pattern; bsize:4; http.host; content:!"messagecenter.comodo.com"; content:!"symantec.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:pup-activity; sid:2006357; rev:14; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032520; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, signature_severity Major, updated_at 2021_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; content:"SELECT"; nocase; distance:0; http.uri; content:"/kullanicilistesi.asp?"; nocase; fast_pattern; content:"ak="; nocase; distance:0; content:"ASCII("; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; classtype:web-application-attack; sid:2006829; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032522; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_04_06;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; content:"FROM"; nocase; distance:0; http.uri; content:"/aramayap.asp?"; nocase; fast_pattern; content:"kelimeler="; nocase; distance:0; content:"DELETE"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; classtype:web-application-attack; sid:2006834; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032635; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, signature_severity Major, updated_at 2021_04_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; fast_pattern; content:"mesajno="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; classtype:web-application-attack; sid:2006846; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032739; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"INSERT"; nocase; distance:0; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006935; classtype:web-application-attack; sid:2006935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032741; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/update.logmein.com/"; nocase; fast_pattern; http.header_names; content:!"Host|0d 0a|"; reference:url,doc.emergingthreats.net/2007766; classtype:policy-violation; sid:2007766; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032775; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, signature_severity Major, updated_at 2021_04_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; endswith; http.request_body; content:"vit="; nocase; distance:0; content:"&bk="; nocase; distance:0; content:"&dados="; fast_pattern; nocase; distance:0; reference:url,doc.emergingthreats.net/2007999; classtype:command-and-control; sid:2007999; rev:10; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M1"; flow:established,to_server; http.cookie; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L146-L151; classtype:attempted-admin; sid:2032928; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/OvCgi/"; nocase; content:"/OpenView5.exe?"; nocase; distance:0; fast_pattern; content:"Action=../../"; nocase; distance:0; http.protocol; content:"HTTP/1."; reference:bugtraq,28745; reference:cve,CVE-2008-0068; reference:url,aluigi.altervista.org/adv/closedviewx-adv.txt; reference:url,doc.emergingthreats.net/2008171; classtype:web-application-attack; sid:2008171; rev:12; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"mgdminhtml="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032929; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; http.user_agent; content:"Mozila"; nocase; fast_pattern; bsize:6; http.host; content:!"rd.jword.jp"; endswith; content:!".lge.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:pup-activity; sid:2008210; rev:13; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M3"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"name=|22|mgdminhtml|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032930; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KLog Nick Keylogger Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:".php"; http.user_agent; content:"Mozilla/3.0|20|(compatible|3b 20|Indy|20|Library)"; depth:38; http.request_body; content:"Nick+Key+Ativado"; fast_pattern; reference:url,doc.emergingthreats.net/2008338; classtype:command-and-control; sid:2008338; rev:12; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032931; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; reference:url,doc.emergingthreats.net/2009000; classtype:web-application-attack; sid:2009000; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|lolzilla|22|"; fast_pattern; content:"name=|22|g|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032932; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/scripts/export.php?"; nocase; fast_pattern; content:"ftype="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; reference:url,doc.emergingthreats.net/2009009; classtype:web-application-attack; sid:2009009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|BM6OAa1XCpH4x4"; fast_pattern; content:"SEnJYZXmyHhJG8JxC|0d|"; distance:1; within:18; http.header_names; content:"HTTP_X_CNT|0d|"; content:"HTTP_X_CMD|0d|"; classtype:attempted-admin; sid:2033788; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/books/getConfig.php?"; nocase; fast_pattern; content:"book_id="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/7543; reference:bugtraq,32966; reference:url,doc.emergingthreats.net/2009010; classtype:web-application-attack; sid:2009010; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|zzdibweoQxffnDEi2UKacJlEekplJ7uwrt|0d|"; fast_pattern; http.header_names; content:"HTTP_X_CNT|0d|"; content:"HTTP_X_CMD|0d|"; classtype:attempted-admin; sid:2033789; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-admin login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4=|0d 0a|"; fast_pattern; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/licenseserverproto.cgi"; content:"serverid="; content:"csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa"; distance:0; within:35; fast_pattern; classtype:attempted-admin; sid:2033790; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?action=add&a="; fast_pattern; content:"&c="; distance:0; content:"&u="; distance:0; content:"&l="; distance:0; content:"&p="; distance:0; http.host; content:!"whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:command-and-control; sid:2009458; rev:11; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=exec"; fast_pattern; content:"&newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034006; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"15438.xyz"; nocase; endswith; pcre:"/(?:^|\.)15438\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029534; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [upload] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=upload"; fast_pattern; content:"&path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034009; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"12724.xyz"; nocase; endswith; pcre:"/(?:^|\.)12724\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029535; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034246; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_10_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Adwind RAT CnC DNS Query"; dns.query; content:"21736.xyz"; nocase; endswith; pcre:"/(?:^|\.)21736\.xyz$/"; reference:url,research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/; classtype:domain-c2; sid:2029536; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034248; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_10_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Drop.Agent.bfsv HTTP Activity (UsER-AgENt)"; flow:established,to_server; http.method; content:"GeT"; http.protocol; content:"HttP"; http.header_names; content:"HoST|0d 0a|"; content:"UsER-AgENt|0d 0a|"; fast_pattern; reference:url,doc.emergingthreats.net/2010129; classtype:trojan-activity; sid:2010129; rev:9; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspicious PHP UNZIP Tool Accessed on Internal Possibly Compromised Server"; flow:established,to_client; file.data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034337; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/html"; depth:9; nocase; content:!"application"; nocase; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2020_11_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; content:"bash|20 2d|c"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, updated_at 2021_11_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; http.content_type; content:"text/css"; depth:8; endswith; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:12; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034440; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET 1024: (msg:"ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source)"; flow:from_server,established; threshold:type threshold,track by_src,count 10,seconds 60; http.stat_code; content:"401"; http.stat_msg; content:"Unauthorized"; nocase; file.data; content:"<script"; nocase; depth:280; fast_pattern; reference:url,doc.emergingthreats.net/2010513; classtype:web-application-attack; sid:2010513; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; content:!"twitter.com"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; reference:url,doc.emergingthreats.net/2010698; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert dns $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox)"; dns.query; content:"anonymousfox."; startswith; fast_pattern; pcre:"/(?:is|mx|info|co)$/"; reference:url,twitter.com/unmaskparasites/status/1507038308789936150; classtype:bad-unknown; sid:2035612; rev:2; metadata:attack_target Web_Server, created_at 2022_03_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_03_25;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OvCgi/Toolbar.exe"; nocase; fast_pattern; http.header; content:"Accept-Language|3a 20|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3a|"; distance:0; reference:cve,2009-0921; reference:url,doc.emergingthreats.net/2010864; classtype:web-application-attack; sid:2010864; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Agent.PMS Variant CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|command="; fast_pattern; http.method; content:"POST"; nocase; http.request_body; content:"command="; depth:8; content:"&result="; within:12; classtype:pup-activity; sid:2011391; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_02;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M1"; flow:to_server,established; http.uri; content:"?dest="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036428; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Anchor ICMP Request"; itype:8; content:"hanc"; depth:4; pcre:"/^[a-f0-9]+\x08\x00$/Rs"; reference:md5,3690c361f7f2bdb1d1aed67c142bb90b; classtype:trojan-activity; sid:2031159; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, malware_family Anchor, signature_severity Major, updated_at 2020_11_02;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M2"; flow:to_server,established; http.uri; content:"?redirect="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036429; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LolliCrypt Ransomware Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"key="; depth:4; fast_pattern; content:"&id="; distance:100; content:"&date="; distance:0; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rs"; http.header_names; content:!"Referer"; reference:md5,8e23b560b66134dcc4e21c461ed1a399; classtype:trojan-activity; sid:2031160; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M3"; flow:to_server,established; http.uri; content:"?uri="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036430; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE D1onis Stealer Sending Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; content:"&p1="; content:"&p2="; content:"&region="; fast_pattern; content:"&ip="; content:"&p3="; content:"&p4="; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,6cf4f85e3907d4f0a0c1e653d6c6943f; classtype:trojan-activity; sid:2031161; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_02, deployment Perimeter, former_category MALWARE, malware_family D1onis, signature_severity Major, updated_at 2020_11_02;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M4"; flow:to_server,established; http.uri; content:"?path="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036431; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY OnePlus phone data leakage"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cloud/pushdata"; endswith; fast_pattern; http.user_agent; content:"okhttp/"; depth:7; http.request_body; content:"data="; depth:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.chrisdcmoore.co.uk/post/oneplus-analytics/; classtype:policy-violation; sid:2025134; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2017_12_06, deployment Perimeter, former_category POLICY, malware_family Android_OnePlus, signature_severity Minor, tag Android, updated_at 2020_11_02;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M5"; flow:to_server,established; http.uri; content:"?continue="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036432; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] MSIL/Biskvit.A Check-in"; flow:established,to_server; urilen:15; http.method; content:"POST"; http.uri; content:"/api/auth/token"; http.header; content:"Authorization|3a 20 0d 0a|"; depth:18; fast_pattern; content:"Expect|3a 20|100-continue"; http.request_body; content:"{|22|ApiKey|22 3a 22|"; depth:11; isdataat:!100,relative; http.connection; content:"Keep-Alive"; depth:10; http.content_type; content:"application/json"; depth:16; http.header_names; content:"|0d 0a|Authorization|0d 0a|"; depth:17; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:url,www.fortinet.com/blog/threat-research/russian-army-exhibition-decoy-leads-to-new-biskvit-malware.html; classtype:trojan-activity; sid:2026007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_22, deployment Perimeter, former_category MALWARE, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M6"; flow:to_server,established; http.uri; content:"?url="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036433; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN abdullkarem Wordpress PHP Scanner"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"&php"; nocase; distance:0; content:"&wphp"; nocase; distance:0; content:"&abdullkarem="; nocase; fast_pattern; distance:0; http.protocol; content:"HTTP/1.0"; depth:8; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:web-application-attack; sid:2021949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_10_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_03;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M7"; flow:to_server,established; http.uri; content:"?window="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036434; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Possible Darkleech C2"; flow:established,to_server; http.uri; content:"/blog/?"; depth:7; fast_pattern; content:"&utm_source="; distance:0; pcre:"/^\/blog\/\?[a-z]{3,20}+\&utm_source=\d+\x3a\d+\x3a\d+$/"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:command-and-control; sid:2022260; rev:4; metadata:created_at 2015_12_14, former_category WEB_SERVER, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M8"; flow:to_server,established; http.uri; content:"?next="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036435; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Psiphon Proxy Tool traffic"; flow:established,to_server; urilen:1; threshold:type threshold, track by_src, count 20, seconds 120; http.method; content:"POST"; http.cookie; pcre:"/^[A-Z]=(?:[A-Za-z0-9+/])+=?=?$/"; http.accept_enc; content:"gzip"; depth:4; http.content_type; content:"application/octet-stream"; fast_pattern; nocase; bsize:24; http.header_names; content:"Content-Length|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Connection"; content:!"Cache-Control"; content:!"Accept|0d 0a|"; reference:md5,a050a1e9fa0fe0e01cfbf14ead388c4e; classtype:policy-violation; sid:2022679; rev:6; metadata:created_at 2016_03_28, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M9"; flow:to_server,established; http.uri; content:"?data="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036436; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M1"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"1"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022197; rev:6; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M10"; flow:to_server,established; http.uri; content:"?reference="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036437; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M2"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"2"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022198; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M11"; flow:to_server,established; http.uri; content:"?site="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036438; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M3"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"3"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022199; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M12"; flow:to_server,established; http.uri; content:"?html="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036439; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M4"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"4"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022200; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M13"; flow:to_server,established; http.uri; content:"?val="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036440; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M5"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"5"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022201; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M14"; flow:to_server,established; http.uri; content:"?validate="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036441; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M6"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"6"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022202; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M15"; flow:to_server,established; http.uri; content:"?domain="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036442; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M7"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022203; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M16"; flow:to_server,established; http.uri; content:"?callback="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036443; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M8"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"8"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022204; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M17"; flow:to_server,established; http.uri; content:"?return="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036444; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M9"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"9"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022205; rev:5; metadata:created_at 2015_12_02, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M18"; flow:to_server,established; http.uri; content:"?page="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036445; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024020; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_02_27, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M19"; flow:to_server,established; http.uri; content:"?feed="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036446; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin"; flow:to_server,established; http.method; content:"GET"; http.host; content:"fkksjobnn43.org"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; endswith; reference:url,blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style; reference:md5,942c6a039724ed5326c3c247bfce3461; classtype:command-and-control; sid:2024288; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M20"; flow:to_server,established; http.uri; content:"?host="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036447; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Enigma Locker Checkin"; flow:to_server,established; urilen:8; http.method; content:"GET"; http.uri; content:"/get.php"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nConnection\x3a\x20close(?:\r\n)+$/i"; http.connection; content:"close"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,229b639878c9e932ef8028d2875526b9; reference:md5,b4c5edd3ba110e0fdb420277f24bd0b0; reference:url,www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/; classtype:command-and-control; sid:2023334; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Enigma, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M21"; flow:to_server,established; http.uri; content:"?port="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036448; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|0d 0a 0d 0a 0d 0a 2f 2f 2f 2f 2f 2f 2f|"; content:"System Infomation"; within:30; content:"|0d 0a 0d 0a|Boot Device|3a 20 5c|"; fast_pattern; content:"|0d 0a|Build Number|3a 20|"; distance:0; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M22"; flow:to_server,established; http.uri; content:"?to="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036449; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Malware Suite Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"up.php?id="; pcre:"/^[A-Z]+$/R"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:"01234567890"; fast_pattern; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M23"; flow:to_server,established; http.uri; content:"?out="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036450; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned IRS Page - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<!-- saved from url=("; within:500; content:".irs.gov/"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2031166; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M24"; flow:to_server,established; http.uri; content:"?view="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036451; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor Secondary Payload Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=news&id="; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0."; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible SSRF Attempt Inbound Using Common Dork M25"; flow:to_server,established; http.uri; content:"?dir="; fast_pattern; pcre:"/^(?:\w{2,6}://|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/R"; classtype:misc-activity; sid:2036452; rev:1; metadata:attack_target Web_Server, created_at 2022_05_02, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category WEB_SERVER, performance_impact Moderate, signature_severity Informational, updated_at 2022_05_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious HttpSocket User-Agent Observed"; flow:established,to_server; http.user_agent; content:"HttpSocket By Xswallow"; depth:22; classtype:misc-activity; sid:2031167; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell arp Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=arp|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037004; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky CSPY Downloader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"dwn.php?van="; fast_pattern; pcre:"/^\d+$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell del Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=del|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037005; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"?id="; content:"&act="; content:"&ver=x"; distance:3; within:6; fast_pattern; pcre:"/^(?:64|86)$/R"; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031172; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_03, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell systeminfo Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=systeminfo"; fast_pattern; endswith; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037006; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Moose CnC Request M2"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.cookie; content:"PHPSESSID="; content:"|3b 20|nhash="; distance:0; content:"|3b 20|chash="; fast_pattern; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|Connection|0d 0a 0d 0a|"; depth:76; endswith; content:!"Referer|0d 0a|"; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023479; rev:5; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, former_category MALWARE, malware_family Linux_Moose, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell tasklist Command (Inbound)"; flow:established,to_server; http.uri; content:".jsp?cmd=tasklist"; fast_pattern; endswith; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037007; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"info"; pcre:"/(?:^|&|\x22|\{\x22)id(?:=|\x22\x3a\x22)(?:[a-f0-9]{32}|[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})(?:&|\x22|$)/"; http.request_line; content:"/get.php|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a85990f79268a18329f4040a2ec85591; reference:md5,f48cd0c0e5362142c0c15316fa2635dd; classtype:trojan-activity; sid:2023553; rev:10; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_04_18, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Hqwar, tag Android, updated_at 2020_11_03, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell wmic Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=wmic|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037008; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WS/JS Downloader Mar 07 2017 M2"; flow:established,to_server; http.uri; content:"/counter/?"; fast_pattern; pcre:"/\/counter\/(?:\?[a-z]?\d{1,2}$|[^\x2f]*\d\.exe$|.*?[?=](?=[A-Za-z_-]{0,200}[0-9][A-Za-z_-]{0,200}[0-9])(?=[A-Z0-9_-]{0,200}[a-z][A-Z0-9_-]{0,200}[a-z])(?=[a-z0-9_-]{0,200}[A-Z][a-z0-9_-]{0,200}[A-Z])[A-Za-z0-9_-]{50,}(?:&|$))/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"User-Agent|0d 0a|"; classtype:trojan-activity; sid:2024036; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell ipconfig Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=ipconfig|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037009; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod requesting EXE payload 2016-02-06"; flow:established,to_server; http.uri; content:".vbn"; nocase; endswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2023875; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_06, deployment Perimeter, malware_family Nemucod, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell query Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=query|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037010; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Xtunnel Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; pcre:"/^\/(?:\w+\/){1,5}\?[a-z]{1,6}=[a-z0-9]{2,40}(?:&[a-z]{1,6}=(?:[a-z0-9]){1,40}(%3D){0,2}){1,4}$/i"; http.header; content:"deflate,sdch|0d 0a|Accept|3a 20|text|2f|html,application|2f|xhtml"; fast_pattern; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|MSIE|20|7.0"; http.connection; content:"Close"; http.header_names; content:!"Referer"; content:!"Cache"; classtype:targeted-activity; sid:2027405; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, former_category MALWARE, malware_family XTunnel, performance_impact Low, signature_severity Major, tag APT, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell registry Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=reg|2b|query"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037011; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Onliner Receiving Commands from CnC"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|7b|id|3a|"; depth:4; pcre:"/^\d{5,10}\x7d/R"; content:"|7b|ok|3a 5b|task|5d|"; distance:0; fast_pattern; content:"|7b|urls|7d|"; distance:0; content:"|7b|tasks|7d|"; distance:0; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027808; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell net Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=net|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037012; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Check-in Activity"; flow:established,to_server; threshold:type limit,track by_src,count 1,seconds 60; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|10.0) like Gecko"; fast_pattern; depth:61; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.connection; content:"Close"; depth:5; endswith; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"Connection|0d 0a|"; distance:0; content:!"Referer|0d 0a|"; reference:md5,ac6ea1e500de772341a2075a7d916d63; classtype:trojan-activity; sid:2020064; rev:5; metadata:created_at 2014_12_23, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell netstat Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?cmd=netstat|2b|"; fast_pattern; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037013; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 3 M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".html"; nocase; endswith; pcre:"/\/\d{8,10}\.html$/i"; http.cookie; content:"BX="; http.start; content:"Cookie|3a 20|XX="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cf3f36dd3235d2cff5754b19b9e1cb1f; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021278; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell directory listing Command (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?p=C|3a 2f|"; fast_pattern; nocase; content:"&action=get"; distance:0; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037014; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"webscriptly.com"; nocase; bsize:15; reference:url,twitter.com/felixaime/status/1234111603831910400; classtype:domain-c2; sid:2029566; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell Activity (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?file=C|3a 2f|"; fast_pattern; nocase; content:"&data="; distance:0; content:"&p=C|3a 2f|"; distance:0; content:"&action="; distance:0; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037015; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=huivaritaslloa.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected Webshell Activity (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?action="; fast_pattern; content:"&p=C|3a 2f|"; distance:0; content:"&filename="; distance:0; nocase; reference:url,thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/; classtype:web-application-attack; sid:2037016; rev:1; metadata:attack_target Web_Server, created_at 2022_06_16, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_06_16;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=infinitydevelooperspes.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager Backdoor ReadFile Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSIONID=ReadFile-"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037218; rev:1; metadata:attack_target Server, created_at 2022_06_30, deployment Perimeter, deployment Internal, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SmokeLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=unverifiedintigoosjai.info"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2029558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SmokeLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_03, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor GETFILE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=GETFILE|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037219; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"app.dynamicrosoft.com"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029559; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor PUTFILE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=PUTFILE|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037220; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"home.mwbsys.org"; nocase; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029560; rev:3; metadata:affected_product Web_Browsers, affected_product Linux, attack_target Client_and_Server, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family TScookie, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor DELETEFILE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=DELETEFILE|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037221; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; http.method; content:"POST"; nocase; http.request_body; content:"&z"; pcre:"/^\d{1,3}=/Ri"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:5; metadata:created_at 2013_08_12, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor FILESIZE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=FILESIZE|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037222; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot POST Request to C2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla"; depth:32; fast_pattern; pcre:"/(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:44; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:command-and-control; sid:2019141; rev:5; metadata:created_at 2014_09_09, former_category MALWARE, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor CMD Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=CMD|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037223; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tinba Checkin"; flow:established,to_server; flowbits:set,ET.Tinba.Checkin; content:"|0d 0a 0d 0a|"; content:!"|00 00 00 00|"; within:4; content:!"|FF FF FF FF|"; within:4; byte_extract:4,0,Tinba.Pivot,relative; byte_test:4,=,Tinba.Pivot,16,relative; byte_test:4,!=,Tinba.Pivot,4,relative; http.method; content:"POST"; http.content_len; byte_test:0,>,99,0,string,dec; http.start; content:"/|20|HTTP/1.0|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; depth:26; endswith; reference:md5,1e644fe146f62bd2fc585b8df6712ff6; classtype:command-and-control; sid:2019168; rev:7; metadata:created_at 2014_09_12, former_category MALWARE, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor PING Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=PING|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037224; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Dervec.gen Connectivity Check to Google"; flow:established,to_server; content:"|00 00 00 00 00 00 00 00 00 00|"; offset:35; depth:10; http.header; content:"HOST|3a 20|www.google.com|0d 0a|"; depth:22; fast_pattern; reference:md5,5eaae2d6a4b5d338b83ea5d97af93672; classtype:trojan-activity; sid:2019129; rev:12; metadata:created_at 2012_06_12, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5CONNECT Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5CONNECT|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037225; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|20|MSIE|20|"; nocase; fast_pattern; content:!"Mozilla/4.0 (compatible|3b 20|MSIE|20|6.0|3b 20|DynGate)"; content:!"Windows Live Messenger"; content:!"MS Web Services Client Protocol"; http.host; content:!"groove.microsoft.com"; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.request_body; content:!"grooveDNS|3a|//"; http.header_names; content:!"X-Requested-With"; nocase; content:!"Accept-Encoding"; content:!"Referer"; classtype:bad-unknown; sid:2018358; rev:10; metadata:created_at 2014_04_04, former_category INFO, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5WRITE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5WRITE|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037226; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http.method; content:"POST"; http.connection; content:"close"; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019749; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5READ Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5READ|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037227; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING APT SWC PluginDetect Landing Cookie 2015-10-15"; flow:established,from_server; http.start; content:"Cookie|3a 20|PNPSESSID="; fast_pattern; file.data; content:"SharePoint.OpenDocuments.5"; classtype:targeted-activity; sid:2031893; rev:5; metadata:created_at 2015_10_15, former_category PHISHING, updated_at 2020_11_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Win32/SessionManager2 Backdoor S5CLOSE Command (Inbound)"; flow:established,to_server; http.cookie; content:"SM_SESSION=S5CLOSE|3b|"; fast_pattern; reference:url,securelist.com/the-sessionmanager-iis-backdoor/106868/; classtype:trojan-activity; sid:2037228; rev:1; metadata:attack_target Web_Server, created_at 2022_06_30, deployment Perimeter, former_category WEB_SERVER, malware_family SessionManager, signature_severity Major, updated_at 2022_06_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=sucuritester.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029571; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:5; metadata:created_at 2013_01_12, former_category WEB_SERVER, updated_at 2013_01_12;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MageCart)"; flow:from_server,established; tls.cert_subject; content:"CN=reportgns.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029572; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_04, deployment Perimeter, former_category MALWARE, malware_family MageCart, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_04, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack (CVE-2013-6397)"; flow:to_server,established; content:"../../"; fast_pattern; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:4; metadata:created_at 2013_12_18, former_category WEB_SERVER, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAGICHOUND.FETCH CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?n="; fast_pattern; content:"&m="; distance:0; content:"&i="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,ed9e14a932b28f1ebdc4cd5b549af9da; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:command-and-control; sid:2023951; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_16, deployment Perimeter, former_category MALWARE, malware_family MAGICHOUND_related, signature_severity Major, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi (CVE-2012-1557)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/enterprise/control/agent.php"; http.header; content:"HTTP_AUTH_LOGIN|3a|"; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:5; metadata:created_at 2013_04_27, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28 Uploader Variant CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"."; content:"/?"; distance:0; content:"="; distance:1; within:3; pcre:"/\/?[a-zA-Z0-9]{1,3}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:!"google.com"; endswith; http.start; content:".1|0d 0a|User-Agent|3a 20|Mozi"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:targeted-activity; sid:2023916; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_07, deployment Perimeter, former_category MALWARE, malware_family APT28_Uploader, signature_severity Major, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.uri; content:".action?"; content:"redirect|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:6; metadata:created_at 2013_07_17, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky KGH Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:".php?wShell="; fast_pattern; pcre:"/^\d+$/R"; http.user_agent; content:"|3b 20 2e|NET CLR 3.5.30729|3b 20|InfoPath.2)"; endswith; reference:url,www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite; classtype:targeted-activity; sid:2031179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, malware_family KGH_Malware_Suite, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.uri; content:".action?"; content:"redirectAction|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]redirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:6; metadata:created_at 2013_07_17, former_category WEB_SERVER, updated_at 2020_04_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Host Data Exfil M3"; flow:established,to_server; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Content-Type|0d 0a|"; reference:md5,1e14ded758c5dd7b41fe20297935eeef; classtype:targeted-activity; sid:2035444; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.uri; content:".action?"; content:"action|3a|"; distance:0; content:"{"; distance:0; pcre:"/[\?&]action\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:6; metadata:created_at 2013_07_17, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spora Ransomware Checkin"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"=XDATABASE64ENCRYPTED"; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:command-and-control; sid:2024041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2020_11_04, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])pwd=/i"; pcre:"/(?:^|[\n\&])name=(?:%\d{2}|[^%&]){129}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017684; rev:4; metadata:created_at 2013_11_07, former_category WEB_SERVER, updated_at 2020_04_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WSF/JS Downloader Jan 30 2017 M1"; flow:to_server,established; urilen:>65; http.uri; content:"/counter/?"; fast_pattern; depth:10; content:"a="; content:"i="; pcre:"/[&?]i=[A-Za-z0-9_-]{50,}(?:&|$)/"; pcre:"/[&?]a=(?:[a-zA-Z0-9_-]{25,}|(?:0\.)?\d+)(?:&|$)/"; http.user_agent; content:"MSIE 7.0"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,852cbd70766feb96923a79b210e94646; classtype:trojan-activity; sid:2023816; rev:4; metadata:created_at 2017_01_31, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/login.cgi"; nocase; http.request_body; content:"name="; nocase; content:"pwd="; nocase; pcre:"/(?:^|[\n\&])name=/i"; pcre:"/(?:^|[\n\&])pwd=(?:%\d{2}|[^%&]){25}/i"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017685; rev:4; metadata:created_at 2013_11_07, former_category WEB_SERVER, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Redirect to Joom AG Hosted Document - Potential Phishing"; flow:to_client,established; http.stat_code; content:"302"; http.location; content:"https://view.joomag.com/"; fast_pattern; startswith; classtype:misc-activity; sid:2031173; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category HUNTING, signature_severity Informational, tag Phishing, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/close_window.cgi"; nocase; http.request_body; content:"sess_sid="; nocase; pcre:"/(?:^|[\n\&])sess_sid=(?:%\d{2}|[^%&]){21}/"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017686; rev:4; metadata:created_at 2013_11_07, former_category WEB_SERVER, updated_at 2020_04_27;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031174; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/cgi/close_window.cgi"; nocase; http.request_body; content:"ACT="; nocase; pcre:"/(?:^|[\n\&])ACT=(?:%\d{2}|[^%&]){21}/i"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017687; rev:4; metadata:created_at 2013_11_07, former_category WEB_SERVER, updated_at 2020_04_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>j3mb03dz m4w0tz sh311"; nocase; fast_pattern; classtype:web-application-attack; sid:2031175; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Ruby on Rails RCE Attempt Inbound (CVE-2013-0333)"; flow:established,to_server; http.request_body; content:"!ruby/"; nocase; content:"NamedRouteCollection"; nocase; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:9; metadata:created_at 2013_01_30, former_category WEB_SERVER, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kimsuky Sending Encrypted System Information to CnC"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"WebKitFormBoundarywhpFxMBe19cSjFnG"; endswith; fast_pattern; reference:md5,92001e9cebec0f0f0ac2b7c7e04f017d; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031178; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_05, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; http.request_body; content:"redirect|3a|"; content:"{"; distance:0; pcre:"/\bredirect\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:7; metadata:created_at 2013_07_24, former_category WEB_SERVER, updated_at 2020_06_24;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky WildCommand CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"4cef22e90f"; endswith; fast_pattern; reference:url,vblocalhost.com/uploads/VB2020-46.pdf; classtype:command-and-control; sid:2031180; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Kimsuky, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; http.request_body; content:"redirectAction|3a|"; content:"{"; pcre:"/\bredirectAction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:7; metadata:created_at 2013_07_24, former_category WEB_SERVER, updated_at 2020_06_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; content:">MAILER INBOX SENDING"; distance:0; fast_pattern; classtype:web-application-attack; sid:2031176; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; http.request_body; content:"action|3a|"; content:"{"; distance:0; pcre:"/\baction\x3a/"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:7; metadata:created_at 2013_07_24, former_category WEB_SERVER, updated_at 2020_06_24;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; fast_pattern; content:">MAILER INBOX SENDING"; distance:0; classtype:web-application-attack; sid:2031177; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_04, deployment Perimeter, signature_severity Major, updated_at 2020_11_04;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; http.method; content:"POST"; http.uri; content:"/adminapi/administrator.cfc?"; nocase; content:"method"; nocase; content:"login"; nocase; http.request_body; content:"rdsPasswordAllowed"; nocase; fast_pattern; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(?:true|1)/i"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:5; metadata:created_at 2013_08_22, former_category WEB_SERVER, updated_at 2020_09_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"oq="; fast_pattern; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024048; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"QMvXcJ"; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_04;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony Payload DL"; flow:established,to_server; http.uri; content:"/inst.exe"; fast_pattern; endswith; http.host; content:!"360safe.com"; endswith; content:!"qhcdn.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept-"; content:"User-Agent|0d 0a|"; content:"Accept|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2023740; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_13, deployment Perimeter, former_category TROJAN, malware_family Pony, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 82 (msg:"ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt"; flow:established,to_server; content:"GET"; content:"script"; nocase; content:"/proxy.php?"; nocase; content:"url="; nocase; pcre:"/\/proxy\.php(\?|.*[\x26\x3B])url=[^&\;\x0D\x0A]*[<>\"\']/i"; reference:url,www.securityfocus.com/bid/37446/info; reference:url,doc.emergingthreats.net/2010602; classtype:web-application-attack; sid:2010602; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; flowbits:set,et.IE7.NoRef.NoCookie; flowbits:noalert; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; fast_pattern; startswith; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:bad-unknown; sid:2023670; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, malware_family Trojan_Kwampirs, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt"; flow:established,to_client; content:"/HtmlAdaptor"; nocase; content:"action=invokeOpByName"; nocase; within:25; content:"DeploymentFileRepository"; nocase; within:80; content:"methodName="; nocase; within:25; content:".war"; nocase; distance:0; content:".jsp"; nocase; distance:0; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011697; classtype:web-application-attack; sid:2011697; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin Dec 5 M1"; flow:to_server,established; urilen:12; http.method; content:"POST"; http.uri; content:"/checkupdate"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/s"; classtype:command-and-control; sid:2023576; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_05, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (private message)"; flow: established,from_server; content:"privmsg.php"; pcre:"/\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001928; classtype:web-application-attack; sid:2001928; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.C2P.Qd!c Ransomware CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"type="; depth:5; content:"&version="; content:"&lid="; content:"&c="; content:"&i="; http.request_line; content:"/stat/locker|20|HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.zscaler.com/blogs/research/new-android-ransomware-bypasses-all-antivirus-programs; classtype:command-and-control; sid:2024123; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_11_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (signature)"; flow: established,from_server; content:"_________________"; pcre:"/\<br \/\>_________________\<br \/\>\<a href="[^"]*(script|about|applet|activex|chrome)\s*\:/i"; reference:url,www.securitytracker.com/alerts/2005/May/1013918.html; reference:url,doc.emergingthreats.net/2001929; classtype:web-application-attack; sid:2001929; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Kwampirs Outbound GET request"; flow:to_server,established; urilen:>21; http.method; content:"GET"; http.uri; content:"?q=KT"; fast_pattern; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/"; http.user_agent; content:"Mozilla/"; depth:8; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; content:!"Accept"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_12_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Synactis All_IN_THE_BOX ActiveX SaveDoc Method Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"B5576893-F948-4E0F-9BE1-A37CB56D66FF"; nocase; distance:0; content:"SaveDoc"; nocase; reference:url,milw0rm.com/exploits/7928; reference:bugtraq,33535; reference:url,doc.emergingthreats.net/2009138; classtype:web-application-attack; sid:2009138; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029011; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, signature_severity Minor, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/left.cgi?"; nocase; content:"dom="; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/i"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009587; classtype:web-application-attack; sid:2009587; rev:5; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Generic IOT Downloader Malware in POST (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"wget"; content:".sh|3b 20|chmod +x|20|"; within:200; fast_pattern; content:"|3b 20|./"; within:100; classtype:bad-unknown; sid:2029009; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_20, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/link.cgi/"; nocase; content:"script"; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009588; classtype:web-application-attack; sid:2009588; rev:5; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Router EK Landing Page Inbound 2019-05-24"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Loading ...<|2f|title>"; content:"|3b|base64,"; distance:0; content:"ZnVuY3Rpb24gTWFrZShDcmVkZW50aWF"; distance:0; fast_pattern; content:"ZG5zU2Vjb25kYXJ5OiAn"; distance:0; classtype:exploit-kit; sid:2027380; rev:3; metadata:created_at 2019_05_24, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"ET WEB_SPECIFIC_APPS Virtualmin Anonymous Proxy attempt"; flow:to_server,established; content:"GET "; depth:4; content:"/virtual-server/link.cgi/"; nocase; content:"/http\://"; nocase; reference:url,milw0rm.com/exploits/9143; reference:url,doc.emergingthreats.net/2009589; classtype:web-application-attack; sid:2009589; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baldr Stealer Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Encrypted.zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; fast_pattern; content:!"PK"; within:25; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,216a00647603b66967cda5d91638f18a; classtype:command-and-control; sid:2027273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, malware_family BALDR, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5622772D-6C27-11D3-95E5-006008D14F3B"; nocase; distance:0; content:"Open"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5622772D-6C27-11D3-95E5-006008D14F3B/si"; reference:url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt; reference:url,doc.emergingthreats.net/2010945; classtype:attempted-user; sid:2010945; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo EK Post-Compromise Data Dump"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/?"; depth:2; http.request_body; content:"|06 00 00 00 01 00 00 00|"; depth:8; content:"|00 00 02 00 00 00|"; offset:8; depth:16; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2027075; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Spleevo_EK, performance_impact Moderate, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 4274 (msg:"ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt"; flow: to_server,established; content:"/../data/log.txt"; content:"/../WINNT/"; nocase; reference:url,www.gulftech.org/?node=research&article_id=00047-08302004; reference:url,doc.emergingthreats.net/2001238; classtype:web-application-activity; sid:2001238; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed External IP Lookup SSL Cert"; flow:from_server,established; tls.cert_subject; content:".iplocation.com"; nocase; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:external-ip-check; sid:2026882; rev:3; metadata:attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, tag IP_address_lookup_website, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"admin/record_company.php/password_forgotten.php"; content:"action=insert"; nocase; depth:100; reference:url,www.securityfocus.com/bid/35467; reference:url,www.milw0rm.com/exploits/9004; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-activity; sid:2009693; rev:4; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC Checkin"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/imageload.cgi"; fast_pattern; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.request_body; pcre:"/^[A-Za-z]{1,10}=[^&]+(?:&[A-Za-z]{1,10}=[^&]+){10,}$/s"; reference:md5,40ebefdec6870263827ce6425702e785; classtype:command-and-control; sid:2026517; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Locky, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 10616 (msg:"ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow"; flow:established,to_server; content:"LICMGR_ADDLICENSE&"; nocase; depth:18; isdataat:450,relative; pcre:"/LICMGR_ADDLICENSE&[^\x00\n\r@&]{450}/i"; reference:cve,2006-3838; reference:url,secunia.com/advisories/21211/; reference:url,doc.emergingthreats.net/2003056; classtype:attempted-admin; sid:2003056; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.YordanyanActiveAgent CnC Reporting"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"client?mac_address="; content:"&agent_id="; distance:0; content:"agent_file_version"; http.user_agent; content:"cpprestsdk/"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,d71d1ad067c3d4dc9ca74cca76bc9139; classtype:command-and-control; sid:2026435; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_04, deployment Perimeter, former_category MALWARE, malware_family ActiveAgent, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004313; classtype:web-application-attack; sid:2004313; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in"; flow:established,to_server; content:"|0d 0a 0d 0a|"; depth:2000; byte_extract:2,0,byte0,relative; byte_extract:2,0,byte1,relative; byte_test:2,=,byte1,6,relative; byte_test:2,!=,byte1,7,relative; byte_test:2,=,byte1,10,relative; byte_test:2,!=,byte1,11,relative; byte_test:2,!=,byte1,23,relative; byte_test:2,!=,byte0,25,relative; byte_test:2,!=,byte1,27,relative; byte_test:2,=,byte0,40,relative; byte_test:2,=,byte1,42,relative; byte_test:2,=,byte0,44,relative; byte_test:2,=,byte1,46,relative; byte_test:2,=,byte0,48,relative; byte_test:2,=,byte1,50,relative; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 10.0|3b 20|Windows NT 6.1|3b 20|Trident/6.0)"; depth:64; fast_pattern; http.request_body; content:!"|00 00|"; depth:30; content:"|00 00|"; offset:34; depth:2; content:"|00 00|"; distance:2; within:2; content:"|00 00|"; distance:2; within:2; http.header_names; content:!"Referer|0d 0a|"; reference:md5,be312fdb94f3a3c783332ea91ef00ebd; classtype:trojan-activity; sid:2026002; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_20, deployment Perimeter, former_category TROJAN, signature_severity Major, tag Tinba, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004314; classtype:web-application-attack; sid:2004314; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitList Argument Injection"; flow:established,to_server; http.request_body; content:"query=--open-files-in-pager"; fast_pattern; content:"php%20"; content:"%22eval"; content:"base64_decode"; reference:url,exploit-db.com/exploits/44993/; classtype:attempted-user; sid:2025820; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_07_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004315; classtype:web-application-attack; sid:2004315; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?page=pie-invitation-codes&orderby="; nocase; content:"&order="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44867/; classtype:web-application-attack; sid:2025747; rev:4; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2018_06_26, cve cve_2018_10969, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004316; classtype:web-application-attack; sid:2004316; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Wordpress Redirect - Possible Phishing Landing Jan 7 2016"; flow:to_client,established; flowbits:isset,ET.wpphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Content-Length|3a 20|0|0d 0a|"; fast_pattern; content:"|0d 0a|location|3a 20|"; nocase; pcre:"/^[a-f0-9]{32}(?:\/index\.php)?\x0d\x0a/R"; classtype:social-engineering; sid:2025671; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2016_01_08, deployment Perimeter, deployment Datacenter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Wordpress, updated_at 2020_11_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004318; classtype:web-application-attack; sid:2004318; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; http.cookie; content:"DNNPersonalization="; fast_pattern; content:"ObjectStateFormatter"; content:"ObjectDataProvider"; reference:cve,2017-9822; reference:url,f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks?sf176487178; classtype:attempted-admin; sid:2025545; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"e_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1481; reference:url,www.milw0rm.com/exploits/3490; reference:url,doc.emergingthreats.net/2004317; classtype:web-application-attack; sid:2004317; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/OceanLotus.D Requesting Commands from CnC"; flow:established,to_server; threshold:type limit, count 1, seconds 30, track by_src; http.method; content:"GET"; http.uri; content:".css"; endswith; http.user_agent; content:"curl/"; http.cookie; content:"m_pixel_ratio="; fast_pattern; depth:14; pcre:"/^[a-f0-9]{32}\x3b$/R"; http.header_names; content:"Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a|"; content:!"Referer"; content:!"Cache"; content:!"Accept-"; reference:md5,306d3ed0a7c899b5ef9d0e3c91f05193; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/; classtype:command-and-control; sid:2025465; rev:4; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/global.php?"; http_uri; nocase; content:"config[installdir]="; http_uri; nocase; pcre:"/config\[installdir\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33691; reference:url,milw0rm.com/exploits/8026; reference:url,doc.emergingthreats.net/2009846; classtype:web-application-attack; sid:2009846; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2018_04_03, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UNION SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003765; classtype:web-application-attack; sid:2003765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; http.method; content:"PUT"; http.uri; content:"/_users/"; http.request_body; content:"_admin"; fast_pattern; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:4; metadata:attack_target Server, created_at 2018_03_19, deployment Datacenter, former_category EXPLOIT, malware_family CoinMiner, signature_severity Major, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid INSERT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003766; classtype:web-application-attack; sid:2003766; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen:26; http.method; content:"PUT"; http.uri; content:"/_config/query_servers/cmd"; http.header; content:"Authorization|3a 20|Basic"; http.request_body; pcre:"/^\s*[\x22\x27]/"; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:4; metadata:created_at 2018_03_13, deployment Datacenter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid DELETE"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003767; classtype:web-application-attack; sid:2003767; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Delf Checkin"; flow:established,to_server; http.uri; content:"/autoupdate/versaoatual.txt"; fast_pattern; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; reference:md5,52765b346c12d55e255a669bb8cfebb8; classtype:command-and-control; sid:2025283; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, former_category MALWARE, malware_family Dropper, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid ASCII"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003768; classtype:web-application-attack; sid:2003768; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (rl. ammyy. com)"; flow:to_server,established; urilen:1; http.host; content:"rl.ammyy.com"; depth:12; endswith; fast_pattern; classtype:policy-violation; sid:2025149; rev:5; metadata:created_at 2017_12_13, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003769; classtype:web-application-attack; sid:2003769; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell commands sent when remote host claims to send an image"; flow:established,from_server; http.content_type; content:"image/jpeg"; startswith; file.data; content:"New-Object"; nocase; content:"System.Net.WebClient"; nocase; content:"Start-Process"; fast_pattern; classtype:trojan-activity; sid:2025007; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_16, deployment Perimeter, former_category MALWARE, malware_family PowerShell_Downloader, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WPS wps_shop.cgi Remote Command Execution Attempt"; flow: to_server,established; content:"/wps_shop.cgi?"; http_uri; nocase; pcre:"/(art=\|.+\|)/"; reference:bugtraq,14245; reference:url,doc.emergingthreats.net/2002100; classtype:web-application-attack; sid:2002100; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome XSS (CVE-2017-5124)"; flow:from_server,established; http.content_type; content:"multipart/related"; fast_pattern; startswith; file.data; content:"<xsl"; pcre:"/^((?!<\/xsl).)+?src\s*=\s*[\x27\x22](?P<loc>[^\x22\x27]+?)[\x27\x22].+?Content-Location\x3a\s+(?P=loc)/Rsi"; reference:cve,2017-5124; classtype:attempted-user; sid:2024996; rev:6; metadata:affected_product Google_Chrome, attack_target Client_Endpoint, created_at 2017_11_15, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt"; flow:to_server,established; content:"GET"; http_method; content:"index.php?"; nocase; http_uri; content:"imgdir="; nocase; http_uri; content:".."; pcre:"/\/index\.php(\?|.*\x26)imgdir=([^\x26\x3B\x0D\x0A]*[\x2F\x5C])?\.\.[\x2F\x5C]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt; reference:url,doc.emergingthreats.net/2010601; classtype:web-application-attack; sid:2010601; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trickbot Payload Request"; flow:to_server,established; http.method; content:"GET"; http.uri; pcre:"/^\/(?:kas|ser|mac)[0-9]+\.png$/i"; http.start; content:".png HTTP/1.1|0d 0a|Host|3a 20|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; reference:md5,2c6cd25a31fe097ee7532422fc8eedc8; classtype:trojan-activity; sid:2024901; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Trickbot, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods"; flow:established,to_server; content:"/search/list/action_search/index.php?"; nocase; http_uri; content:"form[mods]["; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003905; classtype:web-application-attack; sid:2003905; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.RedAlert CnC Beacon"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"|3b 20|Android|20|"; http.request_line; content:"/gt|20|HTTP/1."; fast_pattern; http.connection; content:"keep-alive"; depth:10; endswith; http.content_type; content:"application/json"; depth:16; endswith; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Connection|0d 0a|Content-Type|0d 0a|"; reference:md5,b66010a9c91b17f4d26dc973a97419ac; reference:url,info.phishlabs.com/blog/redalert2-mobile-banking-trojan-actively-updating-its-techniques; classtype:command-and-control; sid:2024765; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_09_25, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_RedAlert, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form"; flow:established,to_server; content:"/search/list/action_search/index.php?"; nocase; http_uri; content:"form["; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003906; classtype:web-application-attack; sid:2003906; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader Aug 01 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0)"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,cb558b04216e0e7a9c936945ebee6611; classtype:trojan-activity; sid:2024508; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id"; flow:established,to_server; content:"/modules/dl/download.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003907; classtype:web-application-attack; sid:2003907; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Downloader Aug 18 2017"; flow:established,to_server; http.uri; content:"/s.php?id="; depth:10; pcre:"/^\/s\.php\?id=[a-z0-9]{2,6}$/"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,5285f1adfc0013fa86218a7d76c0016d; classtype:trojan-activity; sid:2024600; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_21, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Maldoc, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat"; flow:established,to_server; content:"/news/list/index.php?"; nocase; http_uri; content:"form[cat]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003908; classtype:web-application-attack; sid:2003908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hancitor/Tordal Document Request"; flow:established,to_server; flowbits:set,ET.Hancitor; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php?d="; fast_pattern; pcre:"/\.php\?d=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie"; classtype:trojan-activity; sid:2024604; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_08_22, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Hancitor, malware_family Tordal, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[cat]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003909; classtype:web-application-attack; sid:2003909; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Locky VB/JS Loader Download Sep 08 2017"; flow:established,from_server; http.header_names; content:!"Cookie|0d 0a|"; file.data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 23 65 65 65 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 63 63 63 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 31 30 70 78 3b 22 3e 59 6f 75 72|"; nocase; within:100; fast_pattern; pcre:"/^[a-z0-9!\x22#$%&'()*+,.\/\x3a\x3b<=>?@\[\] ^_`{|}~\s-]+?downloading\.?\s*Please wait\x2e*<\/div\>\s*<iframe src\s*=\s*[\x22\x27]http\:\/\/[^\x22\x27]+\.php[\x22\x27]\s*style\s*=\s*[\x22\x27]display\x3a\s*none\x3b\s*[\x22\x27]>\s*<\/iframe\>\s*$/Rsi"; classtype:trojan-activity; sid:2024678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[name]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003910; classtype:web-application-attack; sid:2003910; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bitshifter Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?root="; fast_pattern; pcre:"/^[a-f0-9]{16}$/Ri"; http.accept; content:"text/plain"; depth:10; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer|0d 0a|"; content:!"Accept-"; reference:md5,d01229914a6b57387e2c963e3aadbc1f; classtype:command-and-control; sid:2024489; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_21, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Bitshifter, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message"; flow:established,to_server; content:"/action_create/index.php?"; nocase; http_uri; content:"form[message]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003911; classtype:web-application-attack; sid:2003911; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:".php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; content:"&il="; distance:0; nocase; content:"&vr="; distance:0; nocase; content:"&bt="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,23646295E98BD8FA022299374E4F76E0; classtype:trojan-activity; sid:2024452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail"; flow:established,to_server; content:"/newsletter/create/index.php?"; nocase; http_uri; content:"form[mail]="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2579; reference:url,www.securityfocus.com/bid/23834; reference:url,doc.emergingthreats.net/2003912; classtype:web-application-attack; sid:2003912; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/LoadMoney Adware Activity"; flow:to_server,established; flowbits:set,ETPTadmoney; http.method; content:"POST"; http.uri; content:".htm?v="; fast_pattern; content:"&eh="; distance:0; content:"&ts="; distance:0; content:"&u2="; distance:0; http.cookie; content:"a=h+"; depth:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:pup-activity; sid:2024693; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_12, deployment Perimeter, former_category ADWARE_PUP, malware_family Neshta, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir"; flow:established,to_server; content:"/common/func.php?"; nocase; http_uri; content:"CommonAbsDir="; nocase; http_uri; reference:cve,CVE-2007-2596; reference:url,www.milw0rm.com/exploits/3884; reference:url,doc.emergingthreats.net/2003704; classtype:web-application-attack; sid:2003704; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucifer Loader Requesting Payload"; flow:established,to_server; urilen:15; http.uri; content:"/demonsgate.php"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,74a3c324a8565d7f567763bee960bcca; classtype:trojan-activity; sid:2024719; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_18, deployment Perimeter, former_category TROJAN, malware_family Lucifer_Loader, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header"; flow:established,to_server; content:"/common/errormsg.php?"; nocase; http_uri; content:"header="; nocase; http_uri; reference:cve,CVE-2007-2634; reference:url,secunia.com/advisories/25224; reference:url,doc.emergingthreats.net/2003736; classtype:web-application-attack; sid:2003736; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; http.uri; content:".hta"; nocase; fast_pattern; pcre:"/\.hta(?:[?&]|$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; depth:34; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php"; flow:established,to_server; content:"/shared/code/cp_authorization.php?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2625; reference:url,www.frsirt.com/english/advisories/2007/1637; reference:url,doc.emergingthreats.net/2003886; classtype:web-application-attack; sid:2003886; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/javascript|0d 0a|Server|3a 20|Apache/2.2.3 (CentOS)|0d 0a|Pragma|3a|"; fast_pattern; depth:69; content:"|0d 0a|Expires|3a 20|0|0d 0a|"; http.header_names; content:!"Set-Cookie|0d 0a|"; content:!"X-Powered-By|0d 0a|"; classtype:attempted-user; sid:2024421; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_23, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php"; flow:established,to_server; content:"/shared/config/cp_config.php?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2624; reference:url,www.securityfocus.com/bid/23790; reference:url,doc.emergingthreats.net/2003887; classtype:web-application-attack; sid:2003887; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT RIG EK URI Struct Jun 13 2017"; flow:established,to_server; urilen:>90; flowbits:set,ET.RIGEKExploit; http.uri; content:"/?"; depth:2; content:"=x"; fast_pattern; distance:0; pcre:"/^[HX3][^&]Q[cdM][^&]{3}[ab]R/R"; http.header_names; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024381; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/layouts/standard.php?"; nocase; http_uri; content:"page_include="; nocase; http_uri; pcre:"/page_include=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2009/0360; reference:url,milw0rm.com/exploits/8003; reference:url,doc.emergingthreats.net/2009717; classtype:web-application-attack; sid:2009717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nemucod JS Downloader June 12 2017"; flow:established,to_server; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|Accept-Language|3a|"; depth:29; http.user_agent; content:"Firefox/51.0"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2024380; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_13, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Nemucod, performance_impact Low, signature_severity Major, tag WS_JS_Downloader, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id"; flow:established,to_server; content:"/news.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2892; reference:url,www.securityfocus.com/bid/24135; reference:url,doc.emergingthreats.net/2004594; classtype:web-application-attack; sid:2004594; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Bingo EK Payload Download"; flow:established,to_server; urilen:116; http.uri; content:"/?"; depth:2; pcre:"/^\/\?[a-f0-9]{114}$/"; http.user_agent; content:"WinHttp.WinHttpRequest.5"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:exploit-kit; sid:2024367; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_08, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, performance_impact Low, signature_severity Major, tag Exploit_Kit_Bingo, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/container.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009378; classtype:web-application-attack; sid:2009378; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jaff Ransomware Checkin M1"; flow:to_server,established; urilen:4; http.request_line; content:"GET /a5/ HTTP/1."; depth:16; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; depth:10; endswith; reference:md5,924c84415b775af12a10366469d3df69; reference:url,blog.dynamoo.com/2017/05/malware-spam-with-nmpdf-attachment.html; classtype:command-and-control; sid:2024290; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_11, deployment Perimeter, former_category MALWARE, malware_family Jaff_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"theme_directory="; nocase; http_uri; pcre:"/theme_directory=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009379; classtype:web-application-attack; sid:2009379; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Webbug Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"_utm.gif?utmac="; fast_pattern; content:"&utmcn="; distance:0; content:"&utmcs="; distance:0; content:"&utmsr="; distance:0; content:"&utmsc="; distance:0; content:"&utmul="; distance:0; http.host; content:!"www.google-analytics.com"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc65cbf12622eb55f0fd382e0fe250c5; classtype:command-and-control; sid:2032748; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_04_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/latestposts.php?"; nocase; http_uri; content:"forumspath="; nocase; http_uri; pcre:"/forumspath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009903; classtype:web-application-attack; sid:2009903; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.cookie; content:"skin=noskin"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dc65cbf12622eb55f0fd382e0fe250c5; classtype:command-and-control; sid:2032749; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/rss_importer_functions.php?"; nocase; http_uri; content:"sitepath="; nocase; http_uri; pcre:"/sitepath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8016; reference:bugtraq,33698; reference:url,doc.emergingthreats.net/2009167; classtype:web-application-attack; sid:2009167; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/OzazaLocker Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?key="; fast_pattern; content:"&value="; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e8c6d686249fc3c6df3dc88ea2cddf02; classtype:command-and-control; sid:2024276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, malware_family OzazaLocker, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whstart.js"; flow:established,to_server; content:"/whstart.js?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003897; classtype:web-application-attack; sid:2003897; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32|3b 20|Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whcsh_home.htm"; flow:established,to_server; content:"/whcsh_home.htm?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003898; classtype:web-application-attack; sid:2003898; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet CnC Beacon 1"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; fast_pattern; http.cookie; pcre:"/^[A-Za-z0-9]{3,4}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; http.header_names; content:"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.cyphort.com/emotet-cookies-c2-fakes-404/; reference:url,blogs.forcepoint.com/security-labs/new-variant-geodoemotet-banking-malware-targets-uk; reference:url,blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1; reference:md5,21542133a586782e7c2fa4286d98fd73; classtype:command-and-control; sid:2024274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startpage.js"; flow:established,to_server; content:"/wf_startpage.js?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003899; classtype:web-application-attack; sid:2003899; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443] (msg:"ET MALWARE W32.Geodo/Emotet Checkin"; flow:established,to_server; urilen:1; flowbits:set,ETPRO.Emotet; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host"; fast_pattern; http.cookie; pcre:"/[a-z0-9]{3,4}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+$/i"; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; depth:10; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2024272; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startqs.htm"; flow:established,to_server; content:"/wf_startqs.htm?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003900; classtype:web-application-attack; sid:2003900; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Runsome Ransomware CnC Checkin"; flow:established,to_server; http.uri; content:".php?name="; content:"&key=ENC"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,70c27926e54732a579b0004ede566fc6; reference:url,github.com/ShaneNolan/Runsome; classtype:command-and-control; sid:2024223; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Runsome, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt WindowManager.dll"; flow:established,to_server; content:"/WindowManager.dll?"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1280; reference:url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded; reference:url,doc.emergingthreats.net/2003901; classtype:web-application-attack; sid:2003901; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".boyput.site"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029580; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture"; flow:established,to_server; content:"/picture.php?"; nocase; http_uri; content:"picture="; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-0605; reference:url,www.securityfocus.com/bid/23873; reference:url,doc.emergingthreats.net/2003915; classtype:web-application-attack; sid:2003915; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magniber Ransomware CnC Domain in DNS Lookup"; dns.query; content:".byteson.space"; nocase; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:domain-c2; sid:2029581; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category MALWARE, malware_family Magniber, signature_severity Major, tag Ransomware, updated_at 2020_11_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/admin/frontpage_right.php?"; nocase; http_uri; content:"loadadminpage="; nocase; http_uri; pcre:"/loadadminpage=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,31959; reference:url,milw0rm.com/exploits/6859; reference:url,vupen.com/english/advisories/2008/2959; reference:url,doc.emergingthreats.net/2009382; classtype:web-application-attack; sid:2009382; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Turla Carbon Paper CnC Beacon (Fake User-Agent)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"."; distance:1; within:2; content:".0|3b 20|Windows NT|20|"; distance:0; content:"Trident/"; distance:0; http.user_agent; pcre:"/^Mozilla\/4\.0\x20\(compatible\x3b\x20MSIE\x20\d{1,2}\.0\.\d+\.\d+\.0\x3b\x20Windows\x20NT\x20/"; content:"Mozilla/4.0 (compatible|3b 20|MSIE|20|"; startswith; http.start; content:"Cookie|3a 20|PHPSESSID="; fast_pattern; http.header_names; content:"Referer|0d 0a|"; reference:url,www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/; classtype:command-and-control; sid:2024183; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005772; classtype:web-application-attack; sid:2005772; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Red Leaves HTTP CnC Beacon (APT10 implant)"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:"/index.php"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,28}[^\x20-\x7e\r\n]/s"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Keep-Alive"; depth:10; endswith; http.start; content:"dex.php|20|HTTP/1.1|0d 0a|Co"; fast_pattern; http.header_names; content:!"Content-Type|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; reference:url,blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html; classtype:targeted-activity; sid:2024175; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MALWARE, malware_family RedLeaves, malware_family Red_Leaves, signature_severity Major, tag APT, tag APT10, tag RedLeaves, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005773; classtype:web-application-attack; sid:2005773; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Pegasus CnC Beacon"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/support.aspx"; endswith; http.header; content:"SessionId1|3a 20|"; content:"SessionId2|3a 20|"; fast_pattern; http.user_agent; content:"|3b 20|Android|20|"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|header|22 3b 20|filename=|22|header|22 0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf; classtype:command-and-control; sid:2024171; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2017_04_04, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag Android, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005774; classtype:web-application-attack; sid:2005774; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:6; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005775; classtype:web-application-attack; sid:2005775; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Malicious Doc Downloading Payload Dec 06 2016"; flow:to_server,established; urilen:<12; http.method; content:"GET"; http.uri; pcre:"/^\/(?=[a-z]{0,9}?\d)(?=\d{0,9}?[a-z])[a-z0-9]{4,10}$/"; http.user_agent; content:"Firefox"; fast_pattern; http.accept; content:"*/*"; depth:3; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|"; depth:62; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2023583; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category TROJAN, malware_family Downloader, malware_family Locky_JS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005776; classtype:web-application-attack; sid:2005776; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Quant Loader Download Request"; flow:to_server,established; threshold: type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.uri; content:"/index.php?id="; fast_pattern; content:"&c="; distance:0; nocase; content:"&mk="; distance:0; nocase; http.header_names; content:!"Referer"; content:!"Cookie|0d 0a|"; reference:md5,7554244ea84457f53ab9d4989c4d363d; classtype:trojan-activity; sid:2023203; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_09_12, deployment Perimeter, malware_family Locky, malware_family Pony9, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0202; reference:url,www.milw0rm.com/exploits/3103; reference:url,doc.emergingthreats.net/2005777; classtype:web-application-attack; sid:2005777; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; http.uri; content:"/distr/Proxifier"; nocase; depth:16; fast_pattern; http.host; content:"proxifier.com"; endswith; http.header_names; content:!"User-Agent|0d 0a|"; nocase; content:!"Referer|0d 0a|"; content:!"Accept-"; content:!"Cookie|0d 0a|"; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_26, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"pack="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2824; reference:url,www.milw0rm.com/exploits/3956; reference:url,doc.emergingthreats.net/2004022; classtype:web-application-attack; sid:2004022; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/index"; http.start; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:attempted-admin; sid:2023075; rev:4; metadata:affected_product Fortigate, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection"; flow:to_server,established; content:"/index.php?"; nocase; http_uri; content:"Act="; nocase; http_uri; content:"&pgm"; nocase; http_uri; pcre:"/\+UNION\+SELECT/Ui"; reference:bugtraq,30259; reference:url,milw0rm.com/exploits/6087; reference:url,doc.emergingthreats.net/2008439; classtype:web-application-attack; sid:2008439; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pottieq.A Check-in"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20 7b|"; fast_pattern; http.user_agent; pcre:"/^\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}$/i"; http.request_body; content:"pc="; content:"mail="; content:"guid="; nocase; pcre:"/(?:^|&)id=\d+(?:$|&)/"; http.header_names; content:!"Accept"; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, malware_family Pottieq, performance_impact Low, signature_severity Major, tag Pottieq, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/LSTable.php?"; nocase; http_uri; content:"class_dir="; nocase; http_uri; pcre:"/class_dir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31419; reference:url,milw0rm.com/exploits/6575; reference:url,doc.emergingthreats.net/2009165; classtype:web-application-attack; sid:2009165; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dll"; http.header; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; fast_pattern; http.user_agent; content:"MSIE 7"; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/main.inc.php?"; nocase; http_uri; content:"mj_config[src_path]="; nocase; http_uri; pcre:"/mj_config\[src_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009196; classtype:web-application-attack; sid:2009196; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; http.uri; content:"/~"; depth:2; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/i"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:5; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath"; flow:established,to_server; content:"/language/1/splash.lang.php?"; nocase; http_uri; content:"languagePath="; nocase; http_uri; reference:cve,CVE-2007-2663; reference:url,www.milw0rm.com/exploits/3909; reference:url,doc.emergingthreats.net/2003738; classtype:web-application-attack; sid:2003738; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag c2, updated_at 2010_07_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Pony DLL Download"; flow:established,to_server; http.uri; content:"/pm"; pcre:"/^\d?\.dll$/R"; http.request_line; content:".dll HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:6; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/linkadmin.php?"; nocase; http_uri; content:"page="; nocase; http_uri; pcre:"/page=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009364; classtype:web-application-attack; sid:2009364; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; http.uri; content:!".swf"; nocase; content:!".flv"; nocase; content:!"/crossdomain.xml"; http.header; content:"x-flash-version|3a|"; fast_pattern; content:!"/crossdomain.xml"; content:!".swf"; nocase; content:!".flv"; nocase; content:!"[DYNAMIC]"; content:!"sync-eu.exe.bid"; http.host; pcre:"/^[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)/i"; http.header_names; content:!"|0d 0a|Cookie|0d 0a|"; classtype:trojan-activity; sid:2022894; rev:8; metadata:created_at 2016_06_14, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot"; flow:established,to_server; content:"/berylium-classes.php?"; nocase; http_uri; content:"beryliumroot="; nocase; http_uri; reference:cve,CVE-2007-2531; reference:url,www.milw0rm.com/exploits/3869; reference:url,doc.emergingthreats.net/2003677; classtype:web-application-attack; sid:2003677; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; http.request_body; content:"a="; depth:2; content:"&c="; distance:0; content:"&r="; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/"; http.request_line; content:"POST /u/"; depth:8; fast_pattern; http.connection; content:"Close"; nocase; depth:5; endswith; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; nocase; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:pup-activity; sid:2022723; rev:5; metadata:created_at 2016_04_11, former_category ADWARE_PUP, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; reference:url,doc.emergingthreats.net/2002069; classtype:web-application-attack; sid:2002069; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:social-engineering; sid:2022697; rev:6; metadata:created_at 2016_04_04, former_category WEB_CLIENT, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"blog="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2932; reference:url,www.securityfocus.com/bid/24156; reference:url,doc.emergingthreats.net/2004583; classtype:web-application-attack; sid:2004583; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IrcBot Downloading .old"; flow:established,to_server; http.start; content:".old|20|HTTP/1.1|0d 0a|Host"; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,ca6208a4dd3f1f846aaaf4a6cbcc66ea; classtype:trojan-activity; sid:2022657; rev:4; metadata:created_at 2016_03_24, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/HTMLSax3.php?"; nocase; http_uri; content:"dir[plugins]="; nocase; http_uri; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009370; classtype:web-application-attack; sid:2009370; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; http.uri.raw; content:"%"; content:"temp%"; nocase; fast_pattern; within:7; pcre:"/\%(?:25)?temp\%/i"; reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:5; metadata:created_at 2016_02_22, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/safehtml.php?"; nocase; http_uri; content:"dir[plugins]="; nocase; http_uri; pcre:"/dir\[plugins\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009371; classtype:web-application-attack; sid:2009371; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Keitaro TDS Redirect"; flow:established,from_server; http.stat_code; content:"302"; http.header; content:"LOCATION|3a 20|http"; nocase; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; fast_pattern; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/s"; http.content_type; content:"text/html|3b 20|charset=utf-8"; depth:24; endswith; classtype:exploit-kit; sid:2022466; rev:7; metadata:created_at 2016_01_28, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/inc/content.inc.php?"; nocase; http_uri; content:"sIncPath="; nocase; http_uri; pcre:"/sIncPath=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/6024; reference:bugtraq,30136; reference:url,doc.emergingthreats.net/2009372; classtype:web-application-attack; sid:2009372; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Torte Downloading Binary"; flow:established,to_server; urilen:8; http.uri; content:"/crond"; fast_pattern; pcre:"/^(?:32|64)$/R"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|rv|3a|18.0) Gecko/20100101 Firefox/18.0"; endswith; depth:72; reference:url,blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html; classtype:trojan-activity; sid:2022357; rev:5; metadata:created_at 2016_01_13, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id SELECT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003776; classtype:web-application-attack; sid:2003776; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER WeBaCoo Web Backdoor Detected"; flow:to_server,established; http.method; content:"GET"; http.cookie; content:"cm="; content:"cn=M-cookie|3b|"; fast_pattern; content:"cp="; reference:url,panagioto.com/webacoo-backdoor-detection; classtype:web-application-activity; sid:2022295; rev:5; metadata:created_at 2015_12_22, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UNION SELECT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003777; classtype:web-application-attack; sid:2003777; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Retrieving encoded payload"; flow:to_server,established; http.method; content:"GET"; http.uri; content:!"."; content:"/en-us/"; depth:7; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/R"; content:!"/im/"; http.start; content:"=|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6c8c988a8129ff31ad0e764e59b31200; classtype:trojan-activity; sid:2020746; rev:10; metadata:created_at 2015_03_25, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id INSERT"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003778; classtype:web-application-attack; sid:2003778; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT30 or Win32/Nuclear HTTP Framework POST"; flow:established,to_server; content:"|0d 0a 0d 0a|"; byte_jump:4,1,relative,little,post_offset -6; isdataat:!2,relative; http.method; content:"POST"; http.header; content:"|20 28|compatible|3b 20|MSIE 6.0|3b 20|Win32|29 0d 0a|HOST|3a|"; fast_pattern; http.header_names; content:!"Accept"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf; classtype:targeted-activity; sid:2020898; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_13, deployment Perimeter, former_category MALWARE, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id DELETE"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003779; classtype:web-application-attack; sid:2003779; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE Common Upatre URI/Headers Struct"; flow:established,to_server; urilen:<53; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:6; content:"/"; distance:1; within:2; content:"/"; distance:1; within:1; content:"/"; distance:1; within:1; pcre:"/^\/\d{2,4}[a-z]{2,}_?\d*?\/[^\x2f]+\/\d{1,2}\/\d\/\d\/[A-Z]*$/"; http.host.raw; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a\d{1,5}$/i"; http.start; content:"|20|HTTP/1.1|0d 0a|User-Agent"; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020369; rev:6; metadata:created_at 2015_02_05, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ASCII"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003780; classtype:web-application-attack; sid:2003780; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Onion2Web Tor Proxy Cookie"; flow:established,to_server; http.cookie; content:"onion2web_confirmed="; fast_pattern; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; classtype:policy-violation; sid:2020324; rev:5; metadata:created_at 2015_01_28, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE"; flow:established,to_server; content:"/bry.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2420; reference:url,www.securityfocus.com/bid/23678; reference:url,doc.emergingthreats.net/2003781; classtype:web-application-attack; sid:2003781; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Nivdort Posting Data 2"; flow:established,to_server; content:"|0d 0a 0d 0a|env="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^env=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/"; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32/Nivdort; classtype:trojan-activity; sid:2022281; rev:4; metadata:created_at 2015_12_18, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX"; flow:established,to_server; content:"/mtdialogo.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003726; classtype:web-application-attack; sid:2003726; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request (no .exe)"; flow:to_server,established; flowbits:set,et.MS.XMLHTTP.no.exe.request; flowbits:noalert; http.uri; content:!".exe"; nocase; content:!".msi"; nocase; content:!".msp"; nocase; http.start; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:45; content:!"Cookie|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"UA-CPU|0d 0a|"; classtype:misc-activity; sid:2022049; rev:5; metadata:created_at 2015_11_09, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX"; flow:established,to_server; content:"/ltdialogo.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003727; classtype:web-application-attack; sid:2003727; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Stats Callout Oct 28"; flow:established,to_server; http.uri; content:"/pict."; fast_pattern; content:"?id="; distance:0; pcre:"/\/pict\.(?:jpg|php|xsp)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/"; http.user_agent; content:"office"; nocase; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2022008; rev:6; metadata:created_at 2015_10_28, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX"; flow:established,to_server; content:"/login.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003729; classtype:web-application-attack; sid:2003729; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PSEmpire Checkin via POST"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/admin/get.php"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; http.cookie; pcre:"/^SESSIONID=[A-Z0-9]{16}/"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:url,www.powershellempire.com; classtype:command-and-control; sid:2021616; rev:5; metadata:created_at 2015_08_12, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir"; flow:established,to_server; content:"/pcltrace.lib.php?"; nocase; http_uri; content:"g_pcltar_lib_dir="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2660; reference:url,www.milw0rm.com/exploits/3915; reference:url,doc.emergingthreats.net/2003737; classtype:web-application-attack; sid:2003737; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST CnC Beacon 2"; flow:established,to_server; urilen:1; content:"|0d 0a 0d 0a|"; byte_extract:1,0,Dridex.Pivot,relative; byte_test:1,!=,Dridex.Pivot,0,relative; byte_test:1,=,Dridex.Pivot,7,relative; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|text/css|0d 0a|Accept|3a 20|image/**|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; depth:8; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020301; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid SELECT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003794; classtype:web-application-attack; sid:2003794; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019748; rev:4; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UNION SELECT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003795; classtype:web-application-attack; sid:2003795; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cohhoc RAT CnC Response"; flow:established,from_server; http.header; content:"Content-Length|3a 20|64|0d 0a|"; file.data; content:"gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; offset:1; depth:63; fast_pattern; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019626; rev:7; metadata:created_at 2014_11_03, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid INSERT"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003796; classtype:web-application-attack; sid:2003796; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ursnif Checkin"; flow:established,to_server; content:"no-cache|0d 0a 0d 0a 0d 0a|"; endswith; http.method; content:"POST"; http.uri; pcre:"/^(?:\/\w{3,12}){2,4}\?[a-z]{3,12}=(?:[A-Za-z0-9+/\x20]{4})*(?:[A-Za-z0-9+/\x20]{2}==|[A-Za-z0-9+/\x20]{3}=|[A-Za-z0-9+/\x20]{4})$/"; http.header; content:"|0d 0a|Content-Length|3a 20|2|0d 0a|Connection|3a 20|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,dfeaae9cb1bc24ac467411955e48483b; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019377; rev:8; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid DELETE"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003865; classtype:web-application-attack; sid:2003865; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Stobox Connectivity Check"; flow:established,to_server; threshold: type both, count 5, seconds 300, track by_src; http.uri; content:"/windowsupdate/v6/thanks.aspx?ln=en&&thankspage="; fast_pattern; http.host; content:"update.microsoft.com"; depth:20; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Language|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,aba20c8289b37b10d42979730674a2ca; classtype:trojan-activity; sid:2019166; rev:7; metadata:created_at 2014_09_11, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ASCII"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003797; classtype:web-application-attack; sid:2003797; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake rootkit usermode-centric client request"; flow:to_server,established; http.uri; content:"/1/6b-558694705129b01c0"; fast_pattern; http.connection; content:"Keep-Alive"; depth:10; endswith; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; classtype:trojan-activity; sid:2018247; rev:5; metadata:created_at 2014_03_11, former_category TROJAN, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE"; flow:established,to_server; content:"/stylesheet.php?"; nocase; http_uri; content:"templateid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2473; reference:url,www.securityfocus.com/bid/23753; reference:url,doc.emergingthreats.net/2003798; classtype:web-application-attack; sid:2003798; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banking Trojan HTTP Cookie"; flow:established,to_server; http.cookie; content:"tcpopunder"; fast_pattern; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/updates-to-the-citadel-trojan/; classtype:trojan-activity; sid:2018119; rev:5; metadata:created_at 2014_02_12, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/id_menu\x3d.+DELETE.+FROM/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009977; classtype:web-application-attack; sid:2009977; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; http.method; content:"GET"; http.uri; content:"/launch/?c="; fast_pattern; content:"&m="; content:"&l="; content:"&b="; content:"&sid="; content:"&os="; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:pup-activity; sid:2018095; rev:9; metadata:created_at 2014_01_14, former_category ADWARE_PUP, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/id_menu\x3d.+UPDATE.+SET/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009979; classtype:web-application-attack; sid:2009979; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed JS/Skimmer (likely Magecart) CnC Domain in DNS Lookup"; dns.query; content:"imprintcenter.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1236321303902269441; classtype:domain-c2; sid:2029597; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CSV-DB CSV_DB.CGI Remote Command Execution Attempt"; flow:to_server,established; content:"/cgi-bin/csv_db.cgi?"; nocase; http_uri; pcre:"/(file=\|.+\|)/"; reference:bugtraq,14059; reference:url,doc.emergingthreats.net/2002066; classtype:web-application-attack; sid:2002066; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackTech ELF/TSCookie CnC Observed in DNS Query"; dns.query; content:"cybermon.fortigatecloud.com"; nocase; depth:27; endswith; reference:url,blogs.jpcert.or.jp/ja/2020/02/elf_tscookie.html; classtype:domain-c2; sid:2029587; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti graph_image.php Remote Command Execution Attempt"; flow:to_server,established; content:"/graph_image.php?"; nocase; http_uri; pcre:"/(graph_start=%0a.+%0a)/i"; reference:cve,CAN-2005-1524; reference:bugtraq,14129; reference:bugtraq,14042; reference:url,doc.emergingthreats.net/2002313; classtype:web-application-attack; sid:2002313; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=mikkymax.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt"; flow:to_server,established; content:"/cmd.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; reference:cve,CVE-2006-6799; reference:bugtraq,21799; reference:url,doc.emergingthreats.net/2003334; classtype:web-application-attack; sid:2003334; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MonetizUs/LNKR)"; flow:from_server,established; tls.cert_subject; content:"CN=linkojager.org"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029595; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_03_09, deployment Perimeter, former_category MALWARE, malware_family LNKR, malware_family MonetizeUs, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007889; classtype:web-application-attack; sid:2007889; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/EJBInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017574; rev:6; metadata:created_at 2013_10_10, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list INSERT"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007890; classtype:web-application-attack; sid:2007890; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017573; rev:6; metadata:created_at 2013_10_10, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list DELETE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007891; classtype:web-application-attack; sid:2007891; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SmokeLoader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; nocase; http.header; content:"|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a 0d 0a|"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.request_body; pcre:"/^\d+$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; classtype:command-and-control; sid:2017261; rev:7; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE"; flow:established,to_server; content:"graph_view.php?"; nocase; http_uri; content:"graph_list="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007892; classtype:web-application-attack; sid:2007892; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; http.uri; content:"/vid.aspx?id="; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]+$/Ri"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:7; metadata:created_at 2013_07_11, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs"; flow:established,to_server; content:"/cand_login.asp?"; nocase; http_uri; content:"strJobIDs="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.*script/iU"; reference:cve,CVE-2007-2818; reference:url,www.securityfocus.com/bid/24078; reference:url,doc.emergingthreats.net/2004559; classtype:web-application-attack; sid:2004559; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Alina Server Response Code"; flow: established,from_server; http.response_line; content:"|20|666 OK"; fast_pattern; endswith; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:7; metadata:created_at 2013_06_08, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"brand="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004569; classtype:web-application-attack; sid:2004569; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Variant.Kazy.174106 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?T="; http.user_agent; content:"Tesla"; fast_pattern; startswith; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:command-and-control; sid:2016939; rev:5; metadata:created_at 2013_05_29, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg"; flow:established,to_server; content:"/scripts/prodList.asp?"; nocase; http_uri; content:"Msg="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2804; reference:url,www.secunia.com/advisories/25370; reference:url,doc.emergingthreats.net/2004570; classtype:web-application-attack; sid:2004570; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT FlimKit Post Exploit Payload Download"; flow:to_server,established; urilen:17; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]{16}$/"; http.header; content:"Content-Length|3a 20|0|0d 0a|"; fast_pattern; http.connection; content:"close"; depth:5; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; depth:38; endswith; classtype:exploit-kit; sid:2016869; rev:6; metadata:created_at 2013_05_21, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX"; flow:established,to_server; content:"/inc/logingecon.php?"; nocase; http_uri; content:"pathCGX="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2611; reference:url,www.milw0rm.com/exploits/3874; reference:url,doc.emergingthreats.net/2003728; classtype:web-application-attack; sid:2003728; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT GrandSoft PDF Payload Download"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.method; content:"GET"; http.user_agent; content:"http|3a|//"; fast_pattern; startswith; http.start; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; classtype:exploit-kit; sid:2016764; rev:19; metadata:created_at 2013_04_17, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/config/edituser.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009590; classtype:web-application-attack; sid:2009590; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Redyms.A Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; offset:6; depth:7; http.header; content:".net|0d 0a|Content-Length|3a 20|128|0d 0a|"; fast_pattern; http.start; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; classtype:command-and-control; sid:2016759; rev:4; metadata:created_at 2013_04_16, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/console.php?"; nocase; http_uri; content:"location="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009591; classtype:web-application-attack; sid:2009591; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT_NGO_wuaclt"; flow:to_server,established; http.uri; content:"/pics/"; content:".asp?id="; distance:0; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SP Q"; depth:55; http.header_names; content:"|0d 0a|Cookies|0d 0a|"; fast_pattern; reference:url,labs.alienvault.com; classtype:targeted-activity; sid:2016573; rev:5; metadata:created_at 2013_03_14, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/forcesd.php?"; nocase; http_uri; content:"vmrefid="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009592; classtype:web-application-attack; sid:2009592; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; http.start; content:"|0a|Cookie|3a 20|CAQGBgoFD1Y"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016434; rev:6; metadata:created_at 2013_02_20, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt"; flow:to_server,established; content:"GET"; http_method; content:"/forcerestart.php?"; nocase; http_uri; content:"vmrefid="; nocase; http_uri; content:"vmname="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009593; classtype:web-application-attack; sid:2009593; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"symbol"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]symbol[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:6; metadata:created_at 2013_01_09, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb changepw.php CSRF attempt"; flow:to_server,established; content:"GET"; http_method; content:"/config/changepw.php?"; nocase; http_uri; content:"username="; nocase; http_uri; content:"&newpass="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009594; classtype:web-application-attack; sid:2009594; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"yaml"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]yaml[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:6; metadata:created_at 2013_01_09, former_category CURRENT_EVENTS, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb hardstopvm.php CSRF attempt"; flow:to_server,established; content:"GET"; http_method; content:"hardstopvm.php?"; nocase; http_uri; content:"stop_vmref="; nocase; http_uri; content:"&stop_vmname="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009595; classtype:web-application-attack; sid:2009595; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/api/xmlrpc"; http.request_body; content:"file|3a 2f 2f 2f|"; fast_pattern; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:4; metadata:created_at 2012_08_15, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Citrix XenCenterWeb writeconfig.php Remote Command Execution attempt"; flow:to_server,established; content:"GET"; http_method; content:"writeconfig.php?"; nocase; http_uri; content:"pool1="; nocase; http_uri; reference:url,milw0rm.com/exploits/9106; reference:url,doc.emergingthreats.net/2009596; classtype:web-application-attack; sid:2009596; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [443,7080,8080] (msg:"ET MALWARE W32/Emotet Empty CnC Beacon"; flow:established,to_server; http.start; content:"GET / HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/5.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 5.1|3b 20|SLCC1|3b 20|.NET CLR 1.1.4322)|0d 0a|Host|3a|"; depth:111; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; content:!"Cookie|0d 0a|"; reference:md5,627f3572e9c37de307b3511925934fb9; classtype:command-and-control; sid:2035046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag c2, updated_at 2020_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/install.clickheat.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009754; classtype:web-application-attack; sid:2009754; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer Requesting Config"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/config"; endswith; content:!"."; http.header; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|id|22 3b 0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2030625; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_31, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1"; flow:to_server,established; content:"GET"; http_method; content:"/heatmap/_main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009755; classtype:web-application-attack; sid:2009755; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP STOPzilla Download Accelerator Activity"; flow:established,to_server; http.user_agent; content:"STOPzilla Download Accelerator"; depth:30; reference:md5,6748824b325cbc1be57394469e361d63; classtype:pup-activity; sid:2031182; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2"; flow:to_server,established; content:"GET"; http_method; content:"/heatmap/main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009756; classtype:web-application-attack; sid:2009756; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleWave Stealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|spamerhash|22 3b 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|screenshot|22 3b 20|filename=|22|screenshot|22|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2031181; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, former_category MALWARE, malware_family PurpleWaveStealer, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/Clickheat/Cache.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009757; classtype:web-application-attack; sid:2009757; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SilverSpeedup Generic PUA Software UA"; flow:established,to_server; http.user_agent; content:"SilverSpeedup"; depth:13; reference:md5,b6640c915f827013c4cbfece4d5fb7c0; classtype:pup-activity; sid:2031183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_05, deployment Perimeter, signature_severity Major, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/Clickheat_Heatmap.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009758; classtype:web-application-attack; sid:2009758; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_edir"; nocase; fast_pattern; distance:0; content:"view="; nocase; distance:0; content:"controller="; nocase; distance:0; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1"; flow:to_server,established; content:"GET"; http_method; content:"/GlobalVariables.php?"; nocase; http_uri; content:"GLOBALS[mosConfig_absolute_path]="; nocase; http_uri; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009759; classtype:web-application-attack; sid:2009759; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kuarela.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029602; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2"; flow:to_server,established; content:"GET"; http_method; content:"/overview/main.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7038; reference:bugtraq,32190; reference:url,doc.emergingthreats.net/2009760; classtype:web-application-attack; sid:2009760; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=gabardina.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029603; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/utdb_access.php?"; nocase; http_uri; content:"minsoft_path="; nocase; http_uri; pcre:"/minsoft_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31492; reference:url,milw0rm.com/exploits/6632; reference:url,doc.emergingthreats.net/2009141; classtype:web-application-attack; sid:2009141; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=almagel.icu"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029604; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/utgn_message.php?"; nocase; http_uri; content:"minsoft_path="; nocase; http_uri; pcre:"/minsoft_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31492; reference:url,milw0rm.com/exploits/6632; reference:url,doc.emergingthreats.net/2009142; classtype:web-application-attack; sid:2009142; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dsnnguyrygfu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029605; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_10, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/export_batch.inc.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008900; classtype:web-application-attack; sid:2008900; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ofiughfuu.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029610; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/run_auto_suspend.cron.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008901; classtype:web-application-attack; sid:2008901; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=kiparis.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029611; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/send_email_cache.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008902; classtype:web-application-attack; sid:2008902; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=dfsgu747hugr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029612; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/2checkout_return.inc.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008903; classtype:web-application-attack; sid:2008903; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sgahugu4ijgji.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029613; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/nettools.popup.php?"; nocase; http_uri; content:"DIR="; nocase; http_uri; pcre:"/DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32529/; reference:url,milw0rm.com/exploits/6916; reference:url,doc.emergingthreats.net/2008904; classtype:web-application-attack; sid:2008904; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ServHelper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=asggh554tgahhr.pw"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029614; rev:3; metadata:attack_target Client_and_Server, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family ServHelper, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_05, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"ticketID="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004566; classtype:web-application-attack; sid:2004566; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; http.header; content:"-Disposition|3a 20|inline"; nocase; content:".jar"; fast_pattern; pcre:"/[=\"]\w{8}\.jar/i"; file.data; content:"PK"; depth:2; classtype:trojan-activity; sid:2015050; rev:6; metadata:created_at 2012_07_12, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004567; classtype:web-application-attack; sid:2004567; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cridex Post to CnC"; flow:established,to_server; content:"|0d 0a 0d 0a de ad be ef|"; fast_pattern; http.method; content:"POST"; http.uri; content:!"."; http.host; content:!"hbi-ingest.net"; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:command-and-control; sid:2015028; rev:8; metadata:created_at 2012_07_06, former_category MALWARE, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fuse="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2805; reference:url,www.securityfocus.com/bid/24061; reference:url,doc.emergingthreats.net/2004568; classtype:web-application-attack; sid:2004568; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie is set RULEZ"; flow:established,to_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014612; rev:5; metadata:created_at 2012_04_18, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"query="; nocase; fast_pattern; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2913; reference:url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded; reference:url,doc.emergingthreats.net/2004591; classtype:web-application-attack; sid:2004591; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT TDS Sutra - cookie set RULEZ"; flow:established,from_server; http.cookie; content:"sutraRULEZcookiessupport"; fast_pattern; classtype:exploit-kit; sid:2014611; rev:5; metadata:created_at 2012_04_18, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/header.php?"; nocase; http_uri; content:"sections_file="; nocase; http_uri; pcre:"/sections_file=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31461; reference:url,milw0rm.com/exploits/6598; reference:url,doc.emergingthreats.net/2009166; classtype:web-application-attack; sid:2009166; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; fast_pattern; http.accept_enc; content:"*|3b|q=0"; http.protocol; content:"HTTP/1.0"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; classtype:trojan-activity; sid:2014562; rev:5; metadata:created_at 2012_04_13, updated_at 2020_11_05;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"p_skin="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004713; classtype:web-application-attack; sid:2004713; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; http.host; content:!"pandora.com"; content:!"wordpress.com"; http.start; content:"= HTTP/1.1|0D 0A|Host|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:command-and-control; sid:2014409; rev:8; metadata:created_at 2012_03_22, former_category MALWARE, updated_at 2020_11_05;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system"; flow:established,to_server; content:"/lib/smarty/SmartyFU.class.php?"; nocase; http_uri; content:"system["; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2608; reference:url,www.milw0rm.com/exploits/3878; reference:url,doc.emergingthreats.net/2003717; classtype:web-application-attack; sid:2003717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M1 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"console.portal?"; content:".sh.ShellSession|28|"; distance:0; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-admin; sid:2031143; rev:3; metadata:created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"SELECT"; nocase; fast_pattern; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003835; classtype:web-application-attack; sid:2003835; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".FileSystemXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031184; rev:2; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003836; classtype:web-application-attack; sid:2003836; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M4 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.header; content:"|0d 0a|cmd|3a 20|"; fast_pattern; http.request_body; content:"_nfpb=true"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031186; rev:1; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; fast_pattern; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003837; classtype:web-application-attack; sid:2003837; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M5 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal?"; http.request_body; content:".ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031187; rev:1; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; fast_pattern; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003839; classtype:web-application-attack; sid:2003839; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 60"; flow:established,to_server; content:"|30 d0 52 71 74 3c 46 41 ac f3 4e|"; depth:11; fast_pattern; content:"|4e 3b|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026500; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; fast_pattern; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003840; classtype:web-application-attack; sid:2003840; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 28"; flow:established,to_server; content:"|ea 7f 70 7a 80 7c 4a a9 1b 68 8e|"; depth:11; fast_pattern; content:"|81 9c|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,29a0d1bc5abfbbf0bdf15ffa762cac27; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.htm; classtype:command-and-control; sid:2026018; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Cisco IOS HTTP Server Cross Site Scripting Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ping?"; nocase; http_uri; pcre:"/\/ping\?.+(script|alert|on(mouse[a-z]+|key[a-z]+|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17364; reference:url,www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html; reference:cve,2008-3821; reference:url,doc.emergingthreats.net/2011189; classtype:web-application-attack; sid:2011189; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 63"; flow:established,to_server; content:"|d1 ef 79 30 f1 d3 16 52 6d e9 f3|"; depth:11; fast_pattern; content:"|25 fc|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026503; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/footer.php?"; nocase; http_uri; content:"footer_file="; nocase; http_uri; pcre:"/footer_file=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31217; reference:url,milw0rm.com/exploits/6475; reference:url,doc.emergingthreats.net/2009793; classtype:web-application-attack; sid:2009793; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 67"; flow:established,to_server; content:"|0b 7e 42 80 62 68 98 84 a8 66 28|"; depth:11; fast_pattern; content:"|39 f3|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026507; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id SELECT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003752; classtype:web-application-attack; sid:2003752; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos RAT Checkin 23"; flow:established,to_server; content:"|1b 84 d5 b0 5d f4 c4 93 c5 30 c2|"; depth:11; fast_pattern; content:"|da b1|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,f4f2425e9735f92cc9f75711aa8cb210; classtype:command-and-control; sid:2025637; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UNION SELECT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003753; classtype:web-application-attack; sid:2003753; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 58"; flow:established,to_server; content:"|05 3b 09 6a f6 9e f9 65 e5 38 b3|"; depth:11; fast_pattern; content:"|4d 70|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026498; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id INSERT"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003754; classtype:web-application-attack; sid:2003754; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 62"; flow:established,to_server; content:"|46 4f 3e 16 69 12 4c e2 9a c2 28|"; depth:11; fast_pattern; content:"|a3 09|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026502; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id DELETE"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003755; classtype:web-application-attack; sid:2003755; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 30"; flow:established,to_server; content:"|81 29 6b 48 7f c7 22 ec 9b 9e b6|"; depth:11; fast_pattern; content:"|d8 95|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,63d36de591491d04071b4dc0a39d5fab; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026020; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ASCII"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003756; classtype:web-application-attack; sid:2003756; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 25"; flow:established,to_server; content:"|38 b6 1d 2b 3b 5c 11 b4 d8 75 2c|"; depth:11; fast_pattern; content:"|35 03|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,41c292b0cb2a4662381635a3316226f4; classtype:command-and-control; sid:2025984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_09, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE"; flow:established,to_server; content:"/error.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2342; reference:url,www.milw0rm.com/exploits/3767; reference:url,doc.emergingthreats.net/2003757; classtype:web-application-attack; sid:2003757; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 55"; flow:established,to_server; content:"|2f 81 e4 ab 65 ab 1c 0d b9 8c e8|"; depth:11; fast_pattern; content:"|b6 13|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026495; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright"; flow:established,to_server; content:"/footer.php?"; nocase; http_uri; content:"copyright="; nocase; http_uri; fast_pattern; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0694; reference:url,www.securityfocus.com/bid/24200; reference:url,doc.emergingthreats.net/2004584; classtype:web-application-attack; sid:2004584; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 109"; flow:established,to_server; content:"|5b bc 1f 13 45 60 61 fd 0d 43 7f|"; depth:11; fast_pattern; content:"|3e 41|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:url,research.checkpoint.com/operation-tripoli/; classtype:command-and-control; sid:2027660; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/dm-albums/template/album.php?"; nocase; http_uri; content:"SECURITY_FILE="; nocase; http_uri; pcre:"/SECURITY_FILE=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010027; classtype:web-application-attack; sid:2010027; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 29"; flow:established,to_server; content:"|5e 0d 10 db 92 bf 73 6c 7d 6f 5d|"; depth:11; fast_pattern; content:"|67 04|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5cb07299cedd69f096b09358754831e0; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026019; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"HomeDir="; nocase; http_uri; fast_pattern; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2527; reference:url,milw0rm.com/exploits/3868; reference:url,doc.emergingthreats.net/2003680; classtype:web-application-attack; sid:2003680; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 56"; flow:established,to_server; content:"|7d b5 14 83 61 23 20 d9 44 8a a7|"; depth:11; fast_pattern; content:"|2c da|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026496; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"catid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005111; classtype:web-application-attack; sid:2005111; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 27"; flow:established,to_server; content:"|bf 9b b2 d8 b7 a9 86 78 26 d6 10|"; depth:11; fast_pattern; content:"|0e 24|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,5c52234cf35ab8d08b10fcc3c2a9d32b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026017; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003758; classtype:web-application-attack; sid:2003758; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Remcos RAT Checkin 24"; flow:established,to_server; content:"|e8 ee 51 c7 05 29 cd 17 31 7b fd|"; depth:11; fast_pattern; content:"|55 47|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,98202283d7752779abd092665e80af71; classtype:command-and-control; sid:2025921; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2018_07_31, former_category MALWARE, malware_family Remcos, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003759; classtype:web-application-attack; sid:2003759; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 59"; flow:established,to_server; content:"|ed d1 72 f7 67 72 6f 57 ec 23 3c|"; depth:11; fast_pattern; content:"|59 73|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026499; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003760; classtype:web-application-attack; sid:2003760; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 61"; flow:established,to_server; content:"|f3 85 1c e5 6c 10 d9 78 fa 64 de|"; depth:11; fast_pattern; content:"|78 49|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026501; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003761; classtype:web-application-attack; sid:2003761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 54"; flow:established,to_server; content:"|bc f5 5e 86 40 fa 48 95 a8 9e 28|"; depth:11; fast_pattern; content:"|ba 38|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026494; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003762; classtype:web-application-attack; sid:2003762; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 57"; flow:established,to_server; content:"|56 1e 2c fa 6e cc e4 74 40 48 df|"; depth:11; fast_pattern; content:"|22 30|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026497; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"cid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2370; reference:url,www.milw0rm.com/exploits/3672; reference:url,doc.emergingthreats.net/2003763; classtype:web-application-attack; sid:2003763; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 26"; flow:established,to_server; content:"|24 8a 91 18 92 bb 4b 55 39 bc ed|"; depth:11; fast_pattern; content:"|c5 de|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,81cecc440bd57a736ef6e473e77d5a1b; reference:url,blog.talosintelligence.com/2018/08/picking-apart-remcos.html; classtype:command-and-control; sid:2026016; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"qid="; nocase; http_uri; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005087; classtype:web-application-attack; sid:2005087; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 64"; flow:established,to_server; content:"|d7 9e f0 38 3f f1 9a ab d6 74 00|"; depth:11; fast_pattern; content:"|15 46|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026504; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki Configure Script TYPEOF Remote Command Execution Attempt"; flow:to_server,established; content:"|26|TYPEOF"; http_uri; nocase; pcre:"/&TYPEOF\:.+system\s*\(/Ui"; reference:cve,CVE-2006-3819; reference:bugtraq,19188; reference:url,doc.emergingthreats.net/2003085; classtype:web-application-attack; sid:2003085; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 84"; flow:established,to_server; content:"|d5 c2 f9 4e 0a 7b 1c 62  a1 49 05|"; depth:11; fast_pattern; content:"|5d fe|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; reference:md5,12346b292b752af5ad924239eac02a09; classtype:command-and-control; sid:2026901; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_23, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/news/search.php3?"; nocase; http_uri; content:"bn="; nocase; http_uri; pcre:"/(..\\)/i"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011853; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 66"; flow:established,to_server; content:"|12 37 57 b2 1e 20 12 3d f1 8a 24|"; depth:11; fast_pattern; content:"|d3 86|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026506; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid"; flow:established,to_server; content:"/loan.php?"; nocase; http_uri; content:"movieid="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003920; classtype:web-application-attack; sid:2003920; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 68"; flow:established,to_server; content:"|62 8d 57 43 81 41 32 36 55 5e 26|"; depth:11; fast_pattern; content:"|ec 50|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026508; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s"; flow:established,to_server; content:"/listmovies.php?"; nocase; http_uri; content:"s="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2499; reference:url,www.securityfocus.com/bid/23764; reference:url,doc.emergingthreats.net/2003921; classtype:web-application-attack; sid:2003921; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 65"; flow:established,to_server; content:"|ba e7 11 d6 b7 9f b5 c9 1d 10 58|"; depth:11; fast_pattern; content:"|4f 3a|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2026505; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/engine/api/api.class.php?"; nocase; http_uri; content:"dle_config_api="; nocase; http_uri; pcre:"/dle_config_api\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html; reference:url,milw0rm.com/exploits/9572; reference:url,doc.emergingthreats.net/2010252; classtype:web-application-attack; sid:2010252; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; threshold: type both, track by_src, count 225, seconds 60; http.header.raw; content:"User-Agent|3a 20 20|"; fast_pattern; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:8; metadata:created_at 2012_01_28, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name"; flow:established,to_server; content:"/room/info_book.asp?"; nocase; http_uri; content:"Room_name="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2880; reference:url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded; reference:url,doc.emergingthreats.net/2004595; classtype:web-application-attack; sid:2004595; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; fast_pattern; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear"; flow:established,to_server; content:"/room/week.asp?"; nocase; http_uri; content:"curYear="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2880; reference:url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded; reference:url,doc.emergingthreats.net/2004596; classtype:web-application-attack; sid:2004596; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php  SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; fast_pattern; content:"only_hostid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img"; flow:established,to_server; content:"/main/inc/lib/fckeditor/editor/plugins/ImageManager/editor.php?"; nocase; http_uri; content:"img="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2901; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004593; classtype:web-application-attack; sid:2004593; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_content"; distance:0; content:"sflDir="; nocase; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,exploit-db.com/exploits/17736; classtype:web-application-attack; sid:2013870; rev:5; metadata:created_at 2011_11_08, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.inc.php?"; nocase; http_uri; content:"root="; nocase; http_uri; pcre:"/root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5393; reference:bugtraq,28660; reference:url,doc.emergingthreats.net/2009848; classtype:web-application-attack; sid:2009848; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Apache mod_proxy Reverse Proxy Exposure 2"; flow:established,to_server; http.uri; content:"|3a|@"; http.request_line; content:"GET|20 3a|@"; depth:6; reference:url,www.contextis.com/research/blog/reverseproxybypass/; reference:url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E; classtype:attempted-recon; sid:2013792; rev:6; metadata:created_at 2011_10_24, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir"; flow:established,to_server; content:"/dp_logs.php?"; nocase; http_uri; content:"HomeDir="; nocase; http_uri; pcre:"/=\s*(https?|ftps|php)\:\//Ui"; reference:cve,CVE-2007-2527; reference:url,milw0rm.com/exploits/3868; reference:url,doc.emergingthreats.net/2003679; classtype:web-application-attack; sid:2003679; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; http.uri; content:"/ibrowser/scripts/random.php?"; nocase; fast_pattern; content:"dir="; nocase; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a SELECT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003770; classtype:web-application-attack; sid:2003770; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent"; flow:established,to_server; threshold:type threshold, track by_dst, count 10, seconds 20; http.header; content:"TE|3a 20|deflate,gzip|3b|q=0.3|0d 0a|Connection|3a 20|TE, close|0d 0a|Host|3a 20|"; depth:53; content:"User-Agent|3a 20|"; within:100; http.user_agent; content:!"libwww-perl/"; http.request_line; content:"GET //"; fast_pattern; depth:6; http.header_names; content:"|0d 0a|TE|0d 0a|Host|0d 0a|User-Agent|0d 0a 0d 0a|"; depth:26; endswith; classtype:attempted-recon; sid:2013416; rev:11; metadata:created_at 2011_08_17, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UNION SELECT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003771; classtype:web-application-attack; sid:2003771; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download (Security)"; flow:established,to_client; http.header; content:"filename=|22|"; nocase; content:"security"; fast_pattern; nocase; within:50; content:!"ALLOW-FROM www.onecallnow.com"; pcre:"/filename\x3D\x22[^\r\n]*security[^\n]+\.exe/i"; http.content_type; content:!"text/xml"; depth:8; classtype:trojan-activity; sid:2012981; rev:7; metadata:created_at 2011_06_09, former_category TROJAN, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a INSERT"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003772; classtype:web-application-attack; sid:2003772; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/accounts/ValidateAnswers?methodToCall=validateAll"; nocase; fast_pattern; http.request_body; content:"&Hide_Captcha=0"; nocase; content:"&LOGIN_NAME="; nocase; distance:0; content:"&quesList="; nocase; distance:0; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3272; classtype:web-application-attack; sid:2012979; rev:4; metadata:created_at 2011_06_09, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a DELETE"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003773; classtype:web-application-attack; sid:2003773; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php?"; nocase; fast_pattern; content:"sleep="; nocase; distance:0; content:"file="; nocase; distance:0; http.uri.raw; content:"..%2f"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012657; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a ASCII"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003774; classtype:web-application-attack; sid:2003774; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check (myip .com)"; flow:established,to_server; http.host; content:"api.myip.com"; depth:12; isdataat:!1,relative; classtype:policy-violation; sid:2031188; rev:1; metadata:created_at 2020_11_06, updated_at 2020_11_06;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE"; flow:established,to_server; content:"/home.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"UPDATE"; nocase; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2416; reference:url,www.securityfocus.com/bid/23727; reference:url,doc.emergingthreats.net/2003775; classtype:web-application-attack; sid:2003775; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-runnow-iframe.php?wpabs=/"; nocase; content:"%00&"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012407; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale"; flow:established,to_server; content:"/common.php?"; nocase; http_uri; content:"locale="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2521; reference:url,www.milw0rm.com/exploits/3846; reference:url,doc.emergingthreats.net/2003682; classtype:web-application-attack; sid:2003682; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-view_log-iframe.php?wpabs=/"; nocase; content:"%00&logfile=/"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show"; flow:established,to_server; content:"/listmembers.php?"; nocase; http_uri; content:"show="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2716; reference:url,www.securityfocus.com/bid/23951; reference:url,doc.emergingthreats.net/2003876; classtype:web-application-attack; sid:2003876; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_banners/banners.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt; classtype:web-application-attack; sid:2011929; rev:5; metadata:created_at 2010_11_19, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show"; flow:established,to_server; content:"/stats.php?"; nocase; http_uri; content:"show="; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2716; reference:url,www.securityfocus.com/bid/23951; reference:url,doc.emergingthreats.net/2003877; classtype:web-application-attack; sid:2003877; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; distance:0; content:"mailform_send="; nocase; distance:0; content:"confirm_value="; nocase; distance:0; content:"mailform_1="; nocase; distance:0; fast_pattern; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt; classtype:web-application-attack; sid:2011927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_07;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"dbhcms_pid="; nocase; http_uri; content:"editmenu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011875; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; fast_pattern; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011839; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref SELECT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003846; classtype:web-application-attack; sid:2003846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve 2020_8518, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UNION SELECT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003847; classtype:web-application-attack; sid:2003847; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"feb.kkooppt.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029626; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref INSERT"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003848; classtype:web-application-attack; sid:2003848; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"compdate.my03.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029627; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref DELETE"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003849; classtype:web-application-attack; sid:2003849; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"jocoly.esvnpe.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref ASCII"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003850; classtype:web-application-attack; sid:2003850; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI"; flow:established,to_server; content:"SET"; nocase; distance:0; http.uri; content:"SHOW"; nocase; content:"CHARACTER"; nocase; distance:0; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html; reference:url,doc.emergingthreats.net/2010964; classtype:web-application-attack; sid:2010964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE"; flow:established,to_server; content:"/question.php?"; nocase; http_uri; content:"questionref="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2749; reference:url,www.milw0rm.com/exploits/3943; reference:url,doc.emergingthreats.net/2003851; classtype:web-application-attack; sid:2003851; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bmy.hqoohoa.com"; bsize:15; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029629; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/FSphp.php?"; nocase; http_uri; content:"FSPHP_LIB="; nocase; http_uri; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58315; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010359; classtype:web-application-attack; sid:2010359; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"bur.vueleslie.com"; bsize:17; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/navigation.php?"; nocase; http_uri; content:"FSPHP_LIB="; nocase; http_uri; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58316; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010360; classtype:web-application-attack; sid:2010360; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Vicious Panda CnC Domain"; dns.query; content:"wind.windmilldrops.com"; bsize:22; reference:url,research.checkpoint.com/2020/vicious-panda-the-covid-campaign; classtype:domain-c2; sid:2029631; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/sitemap.xml.php?"; nocase; http_uri; content:"dir[classes]="; nocase; http_uri; pcre:"/dir\[classes\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/28047; reference:url,milw0rm.com/exploits/4712; reference:url,doc.emergingthreats.net/2009506; classtype:web-application-attack; sid:2009506; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER LANDesk Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gsb/datetime.php"; nocase; http.request_body; content:"delBackupName"; nocase; content:"backupRestoreFormSubmitted"; distance:0; nocase; reference:url,www.coresecurity.com/content/landesk-csrf-vulnerability; reference:cve,2010-0369; reference:url,doc.emergingthreats.net/2010863; classtype:web-application-attack; sid:2010863; rev:9; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003788; classtype:web-application-attack; sid:2003788; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; nocase; content:"page="; nocase; distance:0; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(?:\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/i"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003789; classtype:web-application-attack; sid:2003789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/OvCgi/ovalarm.exe"; nocase; fast_pattern; content:"OVABverbose="; nocase; distance:0; pcre:"/^(1|on|true)/Ri"; http.accept_lang; isdataat:100,relative; reference:cve,2009-4179; reference:url,doc.emergingthreats.net/2010704; classtype:web-application-attack; sid:2010704; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003790; classtype:web-application-attack; sid:2003790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow:established,to_server; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; distance:0; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010673; classtype:web-application-attack; sid:2010673; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003791; classtype:web-application-attack; sid:2003791; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010672; classtype:web-application-attack; sid:2010672; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003792; classtype:web-application-attack; sid:2003792; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010670; classtype:web-application-attack; sid:2010670; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"fid="; nocase; http_uri; fast_pattern; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2469; reference:url,www.securityfocus.com/bid/23752; reference:url,doc.emergingthreats.net/2003793; classtype:web-application-attack; sid:2003793; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"INTO"; nocase; content:"OUTFILE"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010669; classtype:web-application-attack; sid:2010669; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT"; flow:established,to_server; content:"/modules/admin/include/config.php?"; nocase; http_uri; content:"DOCUMENT_ROOT="; nocase; http_uri; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2460; reference:url,www.frsirt.com/english/advisories/2007/1554; reference:url,doc.emergingthreats.net/2003690; classtype:web-application-attack; sid:2003690; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt"; flow:established,to_server; http.uri; content:"+CSCOE+/files/browse.html"; nocase; fast_pattern; content:"code=init"; nocase; distance:0; content:"path=ftp"; nocase; distance:0; reference:url,www.securityfocus.com/bid/35475/info; reference:cve,2009-1203; reference:url,doc.emergingthreats.net/2010457; classtype:attempted-user; sid:2010457; rev:9; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid SELECT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003823; classtype:web-application-attack; sid:2003823; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; classtype:web-application-attack; sid:2010134; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UNION SELECT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003824; classtype:web-application-attack; sid:2003824; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; classtype:web-application-attack; sid:2010133; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid INSERT"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003825; classtype:web-application-attack; sid:2003825; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query to DynDNS *.dyn-ip24 .de Domain"; dns.query; content:".dyn-ip24.de"; nocase; endswith; classtype:policy-violation; sid:2029638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid DELETE"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003826; classtype:web-application-attack; sid:2003826; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid ASCII"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003827; classtype:web-application-attack; sid:2003827; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Joia CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ABCDIMQ"; depth:7; fast_pattern; http.start; content:".php|20|HTTP/1.0|0d 0a|Host|3a 20|"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,7e10e615edd111a5b77266c862aca78a; classtype:command-and-control; sid:2029641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE"; flow:established,to_server; content:"/game.php?"; nocase; http_uri; content:"lid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2543; reference:url,www.milw0rm.com/exploits/3849; reference:url,doc.emergingthreats.net/2003828; classtype:web-application-attack; sid:2003828; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Sogou.H Variant Request"; flow:established,to_server; http.request_line; content:"GET /appinfo?num="; startswith; fast_pattern; pcre:"/^\d+\sHTTP/1.1$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.user_agent; content:"HttpDownload"; bsize:12; reference:md5,29db559062d82a56c53c70c68dc160ec; classtype:pup-activity; sid:2031191; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/init.php?"; nocase; http_uri; content:"API_HOME_DIR="; nocase; http_uri; pcre:"/API_HOME_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; reference:url,doc.emergingthreats.net/2008879; classtype:web-application-attack; sid:2008879; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MZRevenge Ransomware CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; http.request_body; content:"filename|3d 22|TVpS"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=--------"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,app.any.run/tasks/e5a3d700-993f-47ab-bde1-e9ed8e9d323e/; classtype:trojan-activity; sid:2029647; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/includes/header.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33768/; reference:url,milw0rm.com/exploits/7955; reference:url,doc.emergingthreats.net/2009163; classtype:web-application-attack; sid:2009163; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish Aug 31 2015"; flow:to_server,established; content:"|0d 0a 0d 0a|email="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"email="; depth:6; content:"&pass="; distance:0; classtype:credential-theft; sid:2029652; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st"; flow:established,to_server; content:"/showown.php?"; nocase; http_uri; content:"st="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2916; reference:url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded; reference:url,doc.emergingthreats.net/2004586; classtype:web-application-attack; sid:2004586; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Office Phishing Landing 2016-12-18"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<title>Microsoft Office"; fast_pattern; nocase; content:"Login below to access file"; nocase; distance:0; classtype:social-engineering; sid:2029658; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/www/lib/head_auth.php?"; nocase; http_uri; content:"CFG[PREPEND_FILE]="; nocase; http_uri; pcre:"/CFG\[PREPEND_FILE\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,juniper.net/security/auto/vulnerabilities/vuln28024.html; reference:bugtraq,28024; reference:url,milw0rm.com/exploits/5197; reference:url,doc.emergingthreats.net/2010096; classtype:web-application-attack; sid:2010096; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Account Phish 2015-11-03"; flow:to_server,established; content:"|0d 0a 0d 0a|fullname="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"fullname="; depth:9; nocase; content:"&address="; nocase; distance:0; content:"&phonenumber="; nocase; distance:0; content:"&postcode="; nocase; distance:0; classtype:credential-theft; sid:2029653; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_09_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_cat_detail="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004563; classtype:web-application-attack; sid:2004563; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful DHL Phish (Meta HTTP-Equiv Refresh) 2017-02-08"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; file.data; content:"<meta name=|22|publisher|22 20|content=|22|DHL"; fast_pattern; content:"<meta http-equiv="; nocase; content:"refresh"; nocase; distance:1; within:7; classtype:credential-theft; sid:2029659; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_gal_detail="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004564; classtype:web-application-attack; sid:2004564; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2019-10-18"; flow:established,to_server; content:"|0d 0a 0d 0a|epass="; fast_pattern; http.method; content:"POST"; http.uri; content:"/Logon.php"; nocase; endswith; http.request_body; content:"epass="; depth:6; nocase; content:!"&"; distance:0; classtype:credential-theft; sid:2029679; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"galix_cat_detail_sort="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2806; reference:url,www.securityfocus.com/bid/24066; reference:url,doc.emergingthreats.net/2004565; classtype:web-application-attack; sid:2004565; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP POST to XYZ TLD Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; endswith; fast_pattern; http.request_body; content:"pass"; nocase; classtype:misc-activity; sid:2031189; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2020_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; content:"/down_indir.asp?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2003999; classtype:web-application-attack; sid:2003999; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ET MALWARE Emotet Post Drop C2 Comms M2"; flow:established,from_server; http.stat_code; content:"404"; http.header; content:"Content-Length|3a 20|148|0d 0a|"; fast_pattern; http.content_type; content:"text/html"; depth:9; file.data; content:!"<html"; nocase; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035049; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_19, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid SELECT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003866; classtype:web-application-attack; sid:2003866; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET SCAN Mirai Variant User-Agent (Inbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:attempted-admin; sid:2029025; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UNION SELECT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003841; classtype:web-application-attack; sid:2003841; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirai Variant User-Agent (Outbound)"; flow:established,to_server; http.user_agent; content:"APEP"; fast_pattern; startswith; classtype:web-application-attack; sid:2029037; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_11_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid INSERT"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003842; classtype:web-application-attack; sid:2003842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp-pkt $HOME_NET any -> any any (msg:"ET MALWARE Pay2Key Ransomware - Sending RSA Key"; flow:established,to_server; dsize:286; content:"|10 10 00 00 00 00 14 01 00 00 06 02 00 00 00 a4 00 00 52 53 41 31 00 08 00 00 01 00 01 00|"; startswith; reference:url,research.checkpoint.com/2020/ransomware-alert-pay2key/; classtype:command-and-control; sid:2031192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_09, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid DELETE"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003843; classtype:web-application-attack; sid:2003843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"546874.tk"; nocase; endswith; classtype:domain-c2; sid:2029715; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid ASCII"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003844; classtype:web-application-attack; sid:2003844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a54cf56.tk"; nocase; endswith; classtype:domain-c2; sid:2029716; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE"; flow:established,to_server; content:"/glossaire-p-f.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2738; reference:url,www.milw0rm.com/exploits/3932; reference:url,doc.emergingthreats.net/2003845; classtype:web-application-attack; sid:2003845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0x4fc271.tk"; nocase; endswith; classtype:domain-c2; sid:2029717; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database"; flow:established,to_server; content:"/gnatsweb.pl?"; nocase; http_uri; content:"database="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2808; reference:url,www.secunia.com/advisories/25333; reference:url,doc.emergingthreats.net/2004562; classtype:web-application-attack; sid:2004562; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"change-password.ml"; nocase; endswith; classtype:domain-c2; sid:2029718; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include"; flow:established,to_server; content:"/includes/common.php"; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,18180; reference:url,doc.emergingthreats.net/2003333; classtype:web-application-attack; sid:2003333; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id24556.tk"; nocase; endswith; classtype:domain-c2; sid:2029719; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/index_logged.php?"; nocase; http_uri; content:"main_loaded="; nocase; http_uri; content:"cur_module="; nocase; http_uri; pcre:"/cur_module=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8112; reference:url,vupen.com/english/advisories/2009/0553; reference:bugtraq,33916; reference:url,doc.emergingthreats.net/2009733; classtype:web-application-attack; sid:2009733; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id451295.com"; nocase; endswith; classtype:domain-c2; sid:2029720; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Google Appliance External Proxy Stylesheet"; flow:established,to_server; content:"/search?"; http_uri; content:"proxystylesheet="; http_uri; pcre:"/proxystylesheet=\s*(https?|ftps?|php)/Ui"; reference:bugtraq,15509; reference:cve,2005-3758; reference:url,doc.emergingthreats.net/2002849; classtype:web-application-attack; sid:2002849; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"yahoo-change-password.com"; endswith; classtype:domain-c2; sid:2029721; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/functions.php?"; nocase; http_uri; content:"location="; nocase; http_uri; pcre:"/location=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28838; reference:url,juniper.net/security/auto/vulnerabilities/vuln28838.html; reference:url,milw0rm.com/exploits/5463; reference:url,doc.emergingthreats.net/2009427; classtype:web-application-attack; sid:2009427; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"0xf4a5.tk"; nocase; endswith; classtype:domain-c2; sid:2029722; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"authusername="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2847; reference:url,www.securityfocus.com/bid/24102; reference:url,doc.emergingthreats.net/2004554; classtype:web-application-attack; sid:2004554; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible APT28 Phishing Domain in DNS Query"; dns.query; content:"id6589.com"; nocase; endswith; classtype:domain-c2; sid:2029723; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"authpassword="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2847; reference:url,www.securityfocus.com/bid/24102; reference:url,doc.emergingthreats.net/2004555; classtype:web-application-attack; sid:2004555; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful EDU Phish 2017-12-04"; flow:established,to_client; flowbits:isset,ET.eduphish; http.stat_code; content:"302"; http.header; content:"|0d 0a|Location|3a 20|"; nocase; pcre:"/^[^\r\n]+\.edu/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; classtype:credential-theft; sid:2025114; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"| 3C |"; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2812; reference:url,www.securityfocus.com/bid/24063; reference:url,doc.emergingthreats.net/2004560; classtype:web-application-attack; sid:2004560; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor CnC Check-in M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?b="; nocase; pcre:"/^[A-F0-9]{30}$/Ri"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025164; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action"; flow:established,to_server; content:"/hlstats.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2812; reference:url,www.securityfocus.com/bid/24063; reference:url,doc.emergingthreats.net/2004561; classtype:web-application-attack; sid:2004561; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Patchwork.Backdoor Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?cx="; nocase; fast_pattern; content:"&b="; nocase; distance:0; content:"&gt="; nocase; distance:0; content:"&tx="; nocase; distance:0; pcre:"/\.php\?cx=[A-F0-9]+&b=[A-F0-9]+&gt=[A-F0-9]+&tx=[A-F0-9]+$/i"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ddeabe234c4084ba379cf3be4fdf503d; classtype:command-and-control; sid:2025163; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"ICount="; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-085/; reference:cve,2010-1554; reference:url,doc.emergingthreats.net/2011196; classtype:web-application-attack; sid:2011196; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Initial Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?t="; depth:4; content:"&&s="; distance:0; content:"&&p="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:65; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027439; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid MaxAge Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"MaxAge="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-084/; reference:cve,2010-1553; reference:url,doc.emergingthreats.net/2011197; classtype:web-application-attack; sid:2011197; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HAWKBALL CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?e="; depth:4; content:"&&t="; distance:0; content:"&&k="; distance:0; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|InfoPath.2)"; http.cookie; content:"id="; depth:3; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:73; endswith; reference:md5,d90e45fbf11b5bbdca945b24d155a4b2; reference:url,www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html; classtype:command-and-control; sid:2027440; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_06_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid Hostname Remote Code Execution Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/OvCgi/getnnmdata.exe"; nocase; http_uri; content:"Hostname="; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-086/; reference:cve,2010-1555; reference:url,doc.emergingthreats.net/2011198; classtype:web-application-attack; sid:2011198; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Spelevo VBS Payload Downloaded"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&00000111&11"; fast_pattern; endswith; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a|Cookie|0d 0a 0d 0a|"; depth:49; classtype:exploit-kit; sid:2028865; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, former_category EXPLOIT_KIT, malware_family Spelevo_EK, signature_severity Major, tag Spelevo_EK, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/plugin_admin.php?"; nocase; http_uri; content:"_settings[pluginpath]="; nocase; http_uri; pcre:"/_settings\[pluginpath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5902; reference:bugtraq,29877; reference:url,doc.emergingthreats.net/2009398; classtype:web-application-attack; sid:2009398; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConstructorWin32/Agent.V"; flow:to_server,established; http.header; content:"|0d 0a|Pragma|3a 20|no-catch|0d 0a|"; http.request_line; content:"GET http://"; depth:11; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"X-HOST|0d 0a|"; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:10; metadata:created_at 2012_04_26, updated_at 2020_11_09;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde Web Mail Help Access"; flow:established,to_server; content:"/horde/services/help/"; nocase; http_uri; reference:cve,2006-1491; reference:bugtraq,17292; reference:url,doc.emergingthreats.net/2002868; classtype:web-application-activity; sid:2002868; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"System Idle Process"; fast_pattern; content:"|49 6d 61 67 65 20 4e 61 6d 65|"; content:"|50 49 44 20 53 65 73 73 69 6f 6e 20 4e 61 6d 65|"; distance:0; content:"|53 65 73 73 69 6f 6e 23|"; distance:0; content:"|4d 65 6d 20 55 73 61 67 65|"; distance:0; content:"svchost.exe"; content:"winlogon.exe"; classtype:trojan-activity; sid:2018886; rev:4; metadata:created_at 2014_08_04, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Horde README access probe"; flow:to_server,established; content:"/horde"; nocase; http_uri; pcre:"/\/horde((2|3|-3\.(0\.[1-9]|1\.0)))?\/{1,2}README/Ui"; reference:cve,CVE-2006-1491; reference:url,csirt.terradon.com/postarchive.php?month=4&year=2006#article28; reference:url,doc.emergingthreats.net/2002897; classtype:web-application-activity; sid:2002897; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.header; content:"|0d 0a|NSC_USER|3a 20|"; nocase; content:"|0d 0a|NSC_NONCE|3a 20|"; nocase; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_01_13, deployment Perimeter, signature_severity Critical, updated_at 2020_11_10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt"; flow:established,to_server; content:"/exec_raw.php"; http_uri; fast_pattern; nocase; content:"cmd="; http_uri; nocase; reference:bid,44974; classtype:web-application-attack; sid:2011940; rev:2; metadata:created_at 2010_11_20, updated_at 2010_11_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/n2019cov (COVID-19) Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"usuario="; startswith; content:"|20|-|20|"; distance:0; content:"|20|-|20|"; distance:0; content:"&llave1="; distance:0; content:"&llave2="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,f02e5ae5b997e447a43ace281bc2bae9; classtype:command-and-control; sid:2029736; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_10, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/portal_block.php?"; nocase; http_uri; content:"phpbb_root_path="; nocase; http_uri; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; reference:url,doc.emergingthreats.net/2008964; classtype:web-application-attack; sid:2008964; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded via ge.tt Filesharing Service"; flowbits:set,ET.ge.tt.download; http.method; content:"GET"; http.uri; content:"/gett/"; fast_pattern; depth:6; content:"?index="; distance:0; content:"&user="; distance:0; content:"&referrer="; distance:0; content:"&download="; distance:0; http.host; content:"ge.tt"; endswith; classtype:misc-activity; sid:2029745; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET"; http_method; content:"/acp_lcxbbportal.php?"; nocase; http_uri; content:"phpbb_root_path="; nocase; http_uri; pcre:"/phpbb_root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7341; reference:bugtraq,32647; reference:url,doc.emergingthreats.net/2008965; classtype:web-application-attack; sid:2008965; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Uploaded to ge.tt Filesharing Service"; flow:established,to_server; content:"/upload/"; depth:8; http.method; content:"POST"; http.host; content:"ge.tt"; fast_pattern; http.request_body; content:"|22 3b 20|filename=|22|"; classtype:misc-activity; sid:2029746; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_25, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/embedforum.php?"; nocase; http_uri; content:"CONFIG[LANGUAGE_CPATH]="; nocase; http_uri; pcre:"/CONFIG\[LANGUAGE_CPATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009381; classtype:web-application-attack; sid:2009381; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Meterpreter)"; flow:established,to_server; http.uri; pcre:"/^\/ucD[A-Za-z0-9_\/\-+]{171}$/"; http.request_line; content:"GET|20|/ucD"; fast_pattern; content:"|20|HTTP/1.1"; distance:171; within:9; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/meterpreter.profile; classtype:command-and-control; sid:2029742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/scorm/lib.inc.php?"; nocase; http_uri; content:"CONFIG[BASE_PATH]="; nocase; http_uri; pcre:"/CONFIG\[BASE_PATH\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/5526; reference:bugtraq,28996; reference:url,doc.emergingthreats.net/2009386; classtype:web-application-attack; sid:2009386; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Adobe RTMP)"; flow:established,to_server; http.user_agent; content:"Shockwave Flash"; bsize:15; http.cookie; bsize:172; content:"="; offset:171; depth:1; endswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/"; http.request_line; content:"GET|20|/idle/1376547834/1|20|HTTP/1.1"; fast_pattern; bsize:31; http.content_type; content:"application/x-fcs"; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/rtmp.profile; classtype:command-and-control; sid:2029744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php"; flow:established,to_server; content:"/module_bbcodeloader.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004576; classtype:web-application-attack; sid:2004576; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert smb any any -> $HOME_NET any (msg:"ET POLICY Possible winexe over SMB - Possible Lateral Movement"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; content:"|5c 00|a|00|h|00|e|00|x|00|e|00|c|00 00 00|"; fast_pattern; endswith; nocase; reference:url,attack.mitre.org/software/S0191/; classtype:bad-unknown; sid:2026879; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_05, deployment Perimeter, former_category POLICY, performance_impact Moderate, signature_severity Informational, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php"; flow:established,to_server; content:"/module_div.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004577; classtype:web-application-attack; sid:2004577; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Upaste Paste Site"; dns.query; content:"upaste.me"; nocase; endswith; classtype:trojan-activity; sid:2031195; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, signature_severity Informational, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php"; flow:established,to_server; content:"/module_email.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004578; classtype:web-application-attack; sid:2004578; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL/TLS Certificate Observed (Upaste)"; flow:established,to_client; tls.cert_subject; content:"CN=upaste.me"; classtype:misc-activity; sid:2031196; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php"; flow:established,to_server; content:"/module_image.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004579; classtype:web-application-attack; sid:2004579; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M1"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"covid"; nocase; classtype:credential-theft; sid:2029757; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php"; flow:established,to_server; content:"/module_link.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004580; classtype:web-application-attack; sid:2004580; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful COVID-19 Related Phish M2"; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.uri; content:"corona"; nocase; classtype:credential-theft; sid:2029758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid"; flow:established,to_server; content:"/jscripts/folder_rte_files/module_table.php?"; nocase; http_uri; content:"editorid="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2963; reference:url,www.securityfocus.com/bid/24244; reference:url,doc.emergingthreats.net/2004581; classtype:web-application-attack; sid:2004581; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Telerik.Web.UI.WebResource.axd"; fast_pattern; content:"type=rau"; nocase; distance:0; http.request_body; content:"rauPostData"; nocase; reference:url,github.com/noperator/CVE-2019-18935; reference:cve,2019-18935; classtype:web-application-attack; sid:2029761; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006675; classtype:web-application-attack; sid:2006675; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; http.method; content:"GET"; http.uri; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; reference:url,www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid:2029762; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_10;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006676; classtype:web-application-attack; sid:2006676; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Plurox Backdoor CnC Checkin"; flow:established,to_server; content:"|aa 95 82 71|"; depth:4; content:"|01 00 00 00 00 00 00 00|"; distance:4; within:8; content:"|95 82 71 aa 95 82 71|"; endswith; fast_pattern; reference:md5,c5b42399a6636de5014e2934ef08278f; reference:url,securelist.com/plurox-modular-backdoor/91213/; classtype:command-and-control; sid:2027506; rev:4; metadata:created_at 2019_06_21, former_category MALWARE, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006677; classtype:web-application-attack; sid:2006677; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Check Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK>"; endswith; fast_pattern; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>$/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027707; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006678; classtype:web-application-attack; sid:2006678; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"system0_update04driver_roots.dynamic-dns.net"; bsize:44; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029766; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006679; classtype:web-application-attack; sid:2006679; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Stitch C2 Domain"; dns.query; content:"sys_andriod20_designer.dynamic-dns.net"; bsize:38; nocase; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; classtype:domain-c2; sid:2029767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Stitch, signature_severity Major, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"img="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006680; classtype:web-application-attack; sid:2006680; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (jquery Profile)"; flow:established,to_server; http.cookie; bsize:179; content:"session-"; depth:8; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/R"; http.start; content:"GET|20|/jquery.min.js|20|HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Cookie|3a 20|session-"; startswith; fast_pattern; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2032751; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_31, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php"; flow:established,to_server; content:"/calendar.php?"; nocase; http_uri; content:"| 3C |"; http_uri; content:"SCRIPT"; nocase; http_uri; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2909; reference:url,www.vbulletin.com/forum/showthread.php?postid=1355012; reference:url,doc.emergingthreats.net/2004592; classtype:web-application-attack; sid:2004592; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M2"; http.method; content:"POST"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029714; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003939; classtype:web-application-attack; sid:2003939; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 Domain M1"; http.method; content:"POST"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029713; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UNION SELECT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003940; classtype:web-application-attack; sid:2003940; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2"; http.method; content:"GET"; http.host; content:"corona"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029712; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php INSERT"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003941; classtype:web-application-attack; sid:2003941; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M1"; http.method; content:"GET"; http.host; content:"covid"; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029711; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php DELETE"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003942; classtype:web-application-attack; sid:2003942; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M2"; http.method; content:"POST"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029756; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php ASCII"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003943; classtype:web-application-attack; sid:2003943; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Request with Possible COVID-19 URI M1"; http.method; content:"POST"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029755; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE"; flow:established,to_server; content:"/main_page.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003944; classtype:web-application-attack; sid:2003944; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2"; http.method; content:"GET"; http.uri; content:"corona"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029754; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php SELECT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003945; classtype:web-application-attack; sid:2003945; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M1"; http.method; content:"GET"; http.uri; content:"covid"; nocase; http.host; content:!".jhu.edu"; endswith; content:!".ncsc.gov.ie"; endswith; content:!".nhs.wales"; endswith; content:!".govt.nz"; endswith; content:!".nhp.gov.in"; endswith; content:!".oracle.com"; endswith; content:!".cdc.gov"; endswith; classtype:bad-unknown; sid:2029753; rev:3; metadata:created_at 2020_03_28, former_category HUNTING, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UNION SELECT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003946; classtype:web-application-attack; sid:2003946; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE DNS Reply Sinkhole - Anubis/BitSight - 35.205.61.67"; content:"|00 01 00 01|"; content:"|00 04 23 cd 3d 43|"; distance:4; within:6; content:!"|0e|anubisnetworks|03|com|00|"; nocase; content:!"|05|mpsmx|03|net|00|"; nocase; content:!"|09|mailspike|03|com|00|"; nocase; content:!"|09|mailspike|03|org|00|"; nocase; threshold: type limit, track by_src, seconds 60, count 1; reference:url,travisgreen.net/2019/08/13/anubis-sinhole.html; classtype:trojan-activity; sid:2031197; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php INSERT"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003947; classtype:web-application-attack; sid:2003947; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil"; flow:established,to_server; content:"|50 4b 03 04 14 00|"; depth:6; content:"Desktop.png"; distance:0; fast_pattern; reference:md5,20f025a45247cc0289e666057149c28e; reference:md5,7f053ba33d6e4bf07a15ee65dd2b0d92; reference:url,twitter.com/3xp0rtblog/status/1455134317710090248; reference:md5,490f0cff27a1cff0aead0ca3864e15d6; classtype:command-and-control; sid:2031198; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_11, deployment Perimeter, former_category MALWARE, malware_family HunterStealer, malware_family AlfonsoStealer, malware_family PhoenixStealer, signature_severity Major, updated_at 2020_11_11;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php DELETE"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003948; classtype:web-application-attack; sid:2003948; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-standard.com"; bsize:22; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030966; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php ASCII"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003949; classtype:web-application-attack; sid:2003949; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=bing-analytics.com"; bsize:21; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030967; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE"; flow:established,to_server; content:"/open_tree.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003950; classtype:web-application-attack; sid:2003950; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-money.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030968; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php SELECT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003951; classtype:web-application-attack; sid:2003951; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-assist.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030970; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UNION SELECT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003952; classtype:web-application-attack; sid:2003952; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypal-debit.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030971; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php INSERT"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003953; classtype:web-application-attack; sid:2003953; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=connect-facebook.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030972; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php DELETE"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003954; classtype:web-application-attack; sid:2003954; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=cdn-jquery.com"; bsize:17; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030973; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php ASCII"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003955; classtype:web-application-attack; sid:2003955; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-assistant.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030974; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE"; flow:established,to_server; content:"/outputs.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003956; classtype:web-application-attack; sid:2003956; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=paypalapiobjects.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030975; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003957; classtype:web-application-attack; sid:2003957; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=google-tasks.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030976; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003958; classtype:web-application-attack; sid:2003958; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=jquery-insert.com"; bsize:20; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030977; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003959; classtype:web-application-attack; sid:2003959; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fullz House CC Skimmer)"; flow:established,to_client; tls.cert_subject; content:"CN=googleapimanager.com"; bsize:23; fast_pattern; reference:url,blog.malwarebytes.com/malwarebytes-news/2020/10/mobile-network-operator-falls-into-the-hands-of-fullz-house-criminal-group/; classtype:domain-c2; sid:2030978; rev:2; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2020_10_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag CardSkimmer, updated_at 2020_11_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003960; classtype:web-application-attack; sid:2003960; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (info)"; flow:established,from_server; dsize:<50; content:"info|7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; distance:0; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003961; classtype:web-application-attack; sid:2003961; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (aw)"; flow:established,from_server; dsize:<50; content:"aw|7c 7c 7c|"; fast_pattern; nocase; depth:5; content:"|7c|"; isdataat:!1,relative;  reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003962; classtype:web-application-attack; sid:2003962; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF Linux/Dnsamp.AB Variant CnC"; flow:established,to_server; dsize:84; content:"|54|"; depth:1; content:"|11|"; distance:6; within:1; content:"|95 08 00 00 01 00 00 00|"; distance:68; within:8; fast_pattern; isdataat:!1,relative; reference:md5,b1fcab441a1221b33206924f12af64a0; reference:url,intezer.com/blog/ddos/chinaz-updates-toolkit-by-introducing-new-undetected-malware/; classtype:command-and-control; sid:2029839; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id SELECT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003963; classtype:web-application-attack; sid:2003963; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE M3RAT CnC Checkin Outbound"; flow:established,to_server; content:"infoHacKed*"; depth:11; fast_pattern; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*"; distance:0; content:"*Beta"; isdataat:!1,relative; reference:md5,5627e7aba7168aefe878e9251392542e; classtype:command-and-control; sid:2030144; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family M3RAT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UNION SELECT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003964; classtype:web-application-attack; sid:2003964; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (aw)"; flow:established,to_server; dsize:<50; content:"aw|7c 7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id INSERT"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003965; classtype:web-application-attack; sid:2003965; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (in)"; flow:established,from_server; dsize:<50; content:"in|7c 7c|Screen_Numbers|7c 7c|"; nocase; depth:20; fast_pattern; content:"|7c|"; isdataat:!1,relative; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2030141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id DELETE"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003966; classtype:web-application-attack; sid:2003966; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Outbound (ds)"; flow:established,to_server; dsize:<50; content:"ds|7c 7c|"; nocase; depth:5; fast_pattern; content:"|7c 7c|"; distance:0; content:"|7c|"; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id ASCII"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003967; classtype:web-application-attack; sid:2003967; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Screenshot Outbound"; flow:established,to_server; content:"|40 7c 7c|"; depth:3; content:"|FF D8 FF E0 00 10 4A 46 49 46 00 01|"; within:100; content:"|7c|Boss2019|7c|"; fast_pattern; isdataat:!1,relative; reference:md5,d09be7dd3433a0b6fc2bc729f181a1f0; classtype:command-and-control; sid:2030143; rev:3; metadata:affected_product Windows_DNS_server, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE"; flow:established,to_server; content:"/admin/cms/opentree.php?"; nocase; http_uri; content:"id["; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2684; reference:url,www.netvigilance.com/advisory0027; reference:url,doc.emergingthreats.net/2003968; classtype:web-application-attack; sid:2003968; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer Init Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"guid="; depth:5; content:"&crederror="; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003969; classtype:web-application-attack; sid:2003969; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Dridex Download URI Struct with no referer"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\d+\/\d+\.exe$/"; http.user_agent; content:!"LogitechUpdate"; depth:14; http.request_line; content:".exe HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; content:!"Cookie|0d 0a|"; classtype:trojan-activity; sid:2021245; rev:9; metadata:created_at 2015_06_10, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003970; classtype:web-application-attack; sid:2003970; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT29 Implant8 - MAL_REFERER"; flow:established,to_server; http.method; content:"GET"; http.header; content:"&bvm=bv.81"; fast_pattern; content:"|2c|d."; distance:6; within:3; content:"|0d 0a|"; distance:3; within:2; content:"Referer|3a 20|https|3a|//www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd="; pcre:"/^(?:[02-9]|1[01]?)&ved=0C[A-L]{2}QFjA[A-L]&url=/R"; content:"&ei="; distance:0; pcre:"/^[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9_]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9_]{3}\r\n/R"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2024004; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_17, deployment Perimeter, former_category MALWARE, malware_family APT29_Implant8, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003971; classtype:web-application-attack; sid:2003971; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert tcp any any -> any 502 (msg:"ET SCAN Modbus Scanning detected"; flow:established,to_server; content:"|00 00 00 00 00 02|"; depth:6; threshold: type both, track by_src, count 100, seconds 10; reference:url,code.google.com/p/modscan/; reference:url,www.rtaautomation.com/modbustcp/; reference:url,doc.emergingthreats.net/2009286; classtype:bad-unknown; sid:2009286; rev:4; metadata:created_at 2010_07_30, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003972; classtype:web-application-attack; sid:2003972; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031199; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003973; classtype:web-application-attack; sid:2003973; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>{ IndoSec sHell }"; nocase; fast_pattern; classtype:web-application-attack; sid:2031200; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2685; reference:url,www.netvigilance.com/advisory0028; reference:url,doc.emergingthreats.net/2003974; classtype:web-application-attack; sid:2003974; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031201; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"login="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2686; reference:url,www.osvdb.org/34791; reference:url,doc.emergingthreats.net/2004572; classtype:web-application-attack; sid:2004572; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031202; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004122; classtype:web-application-attack; sid:2004122; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>MAILER</title>"; nocase; fast_pattern; content:"<u>HBT EMAILER</u></marquee></h1>"; nocase; distance:0; classtype:web-application-attack; sid:2031203; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004123; classtype:web-application-attack; sid:2004123; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title> NullPriveScam - Web Panel"; nocase; fast_pattern; classtype:web-application-attack; sid:2031204; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004124; classtype:web-application-attack; sid:2004124; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Successful Generic Phish 2016-05-26"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.header; content:"Location|3a 20|http"; nocase; fast_pattern; pcre:"/^(?:s)?\x3a\/\/[^\/]*(?:(?:t(?:dcanadatrust|escobank|radekey)|r(?:ealtyexecutive|bcd)s|x(?:finity|oom)|ourtime)\.com|a(?:s(?:perasoft\.com|b\.co\.nz)|(?:ccesbankplc|nz)\.com|mazon\.co\.uk|ruba\.it)|m(?:(?:icrosoftstore|organstanley|sn)\.com|a(?:de-in-china\.com|il\.ru))|s(?:(?:eniorpeoplemeet|cotiabank)\.com|antander\.co\.uk|uddenlink\.net)|c(?:o(?:(?:ldwellbankerpreviews|x)\.com|mpresso\.co\.th)|fapubs\.org)|w(?:e(?:althmanagement\.com|bmail\.sfr\.fr)|ww-01\.ibm\.com)|l(?:(?:endingtree|loydsbank)\.com|abanquepostale\.mobi)|v(?:(?:aluewalk|ideotron)\.com|erifyemailaddress\.org)|n(?:a(?:tionwide\.co\.uk|vyfederal\.org)|etsuite\.com)|b(?:a(?:nquepopulaire\.fr|9hus\.in)|iztree\.com)|i(?:nternetbanking\.caixa\.gov\.br|cloud\.com)|d(?:iscoverbank\.com|hl\.co\.uk)|k(?:iwibank\.co\.nz|eybank\.com)|fidelitybank\.ng|paypal\.fr|ebay\.it)\/?/Ri"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032681; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004125; classtype:web-application-attack; sid:2004125; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING GOV UK Possible COVID-19 Phish 2020-04-06"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Postcode.php?sslchannel="; fast_pattern; content:"&sessionid="; distance:0; http.request_body; content:"postcode="; depth:9; content:!"&"; distance:0; classtype:credential-theft; sid:2029849; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004126; classtype:web-application-attack; sid:2004126; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MOOZ.THCCABO CoinMiner CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|7c 20|Processor|3a 20|"; content:"|7c 20|Cores|3a 20|"; distance:0; content:"|7c 20|Videocard|3a 20|"; distance:0; content:"|7c 20|SmartScreen|3a 20|"; distance:0; content:"|7c 20|Defender|3a 20|"; distance:0; content:"|7c 20|Antivirus|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer; classtype:command-and-control; sid:2029813; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2020_11_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"kolumna="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1612; reference:url,www.exploit-db.com/exploits/3513/; reference:url,doc.emergingthreats.net/2004127; classtype:web-application-attack; sid:2004127; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL/Adobe/Excel Phishing Landing 2016-01-07"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"function script()"; nocase; content:"#email_field"; nocase; distance:0; fast_pattern; content:"#password_field"; nocase; distance:0; content:"click_to_download()"; nocase; distance:0; content:"Wrong Email Format"; nocase; distance:0; content:"make_the_delay()"; nocase; distance:0; classtype:social-engineering; sid:2032669; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_07, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"_m="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2562; reference:url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded; reference:url,doc.emergingthreats.net/2003913; classtype:web-application-attack; sid:2003913; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ModPipe CnC Activity (POST)"; flow:established,to_server; http.start; content:"POST /robots.txt HTTP/1."; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 8.0|3b 20|Windows|20|NT|20|6.1|3b 20|Trident/4.0)"; depth:63; isdataat:!1,relative; http.header_names; content:"Accept|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/; classtype:command-and-control; sid:2031208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004689; classtype:web-application-attack; sid:2004689; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; http.uri; content:".jar"; fast_pattern; http.header; content:"|20|Java/1"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2015483; rev:6; metadata:created_at 2012_07_18, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004690; classtype:web-application-attack; sid:2004690; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot downloader Installing Zeus"; flow:to_server,established; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.uri; content:".exe"; fast_pattern; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|"; depth:30; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0|3b 29 0d 0a|Host|3a 20|"; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; endswith; classtype:trojan-activity; sid:2018421; rev:5; metadata:created_at 2014_04_25, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004691; classtype:web-application-attack; sid:2004691; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to .burpcollector .net Domain"; dns.query; content:".burpcollector.net"; nocase; endswith; classtype:policy-violation; sid:2029826; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_07, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004692; classtype:web-application-attack; sid:2004692; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Lazarus Nukesped Downloader"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.header; content:"Accept-Language|3a 20|ko-KR|3b|q="; http.request_body; content:"fn="; depth:3; nocase; content:".gif&code="; nocase; distance:0; fast_pattern; pcre:"/^fn=[^&]*\.gif&code=\d+$/i"; reference:url,www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/; classtype:command-and-control; sid:2031207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004693; classtype:web-application-attack; sid:2004693; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns_query; content:".authentication.directory"; nocase; isdataat:!1,relative; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029834; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2021_12_23;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"member_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2006-7116; reference:url,www.exploit-db.com/exploits/2863/; reference:url,doc.emergingthreats.net/2004694; classtype:web-application-attack; sid:2004694; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/util.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,5aa703c714e3fa012289bb521687cb0f; classtype:command-and-control; sid:2029837; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category MALWARE, malware_family KPOT_Stealer, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path"; flow:established,to_server; content:"/views/print/printbar.php?"; nocase; http_uri; content:"views_path="; nocase; http_uri; pcre:"/=\s*(https?|ftps|php)\:\//Ui"; reference:cve,CVE-2007-2607; reference:url,www.exploit-db.com/exploits/3870/; reference:url,doc.emergingthreats.net/2003716; classtype:web-application-attack; sid:2003716; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent"; flow:established,to_server; http.user_agent; content:"AnyDesk"; depth:7; reference:md5,1501639af59b0ff39d41577af30367cf; classtype:policy-violation; sid:2027762; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_07_26, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004409; classtype:web-application-attack; sid:2004409; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible DACLS RAT CnC (Log Server Reporting)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"log=save&session_id="; depth:20; fast_pattern; content:"&value="; distance:0; pcre:"/^log=save&session_id=[^&]+&value=[^&]+$/"; reference:url,blog.netlab.360.com/dacls-the-dual-platform-rat-en/; classtype:command-and-control; sid:2029879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004410; classtype:web-application-attack; sid:2004410; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.AAIB Variant CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.user_agent; content:"WinHttpClient"; bsize:13; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; reference:md5,0e3b41da52382744e5b2c1c38be00f04; reference:url,www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf; classtype:command-and-control; sid:2029893; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004411; classtype:web-application-attack; sid:2004411; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Redkeeper Ransomware Domain"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwex.com"; nocase; endswith; classtype:domain-c2; sid:2029898; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2020_11_16, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004412; classtype:web-application-attack; sid:2004412; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN7/JSSLoader CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=domenuscdm.com"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2029920; rev:2; metadata:attack_target Client_and_Server, created_at 2020_04_15, deployment Perimeter, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004413; classtype:web-application-attack; sid:2004413; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Possible Malicious (HTA-VBS-PowerShell) obfuscated command"; flow: established,to_client; http.stat_code; content:"200"; file.data; content:"<?xml"; depth:5; content:"|22|JScript|22|><![CDATA[ eval("; within:500; fast_pattern; pcre:"/%comSpec%\s\/c\s(?:(?:\\x50)|(?:\\x70)|[Pp])\^?(?:(?:\\x4f)|(?:\\x5f)|[Oo])\^?(?:(?:\\x57)|(?:\\x77)|[Ww])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x52)|(?:\\x72)|[Rr])\^?(?:(?:\\x53)|(?:\\x73)|[Ss])\^?(?:(?:\\x48)|(?:\\x68)|[Hh])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x4c)|(?:\\x6c)|[Ll])\^?(?:(?:\\x2e)|\.)\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?(?:(?:\\x58)|(?:\\x78)|[Xx])\^?(?:(?:\\x45)|(?:\\x65)|[Ee])\^?\s/R"; classtype:trojan-activity; sid:2025558; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"lcnt="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1339; reference:url,www.exploit-db.com/exploits/3416/; reference:url,doc.emergingthreats.net/2004414; classtype:web-application-attack; sid:2004414; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ModPipe CnC Activity (Response)"; flow:established,to_client; http.stat_code; content:"405"; file.data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d|"; fast_pattern; reference:url,www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector; classtype:command-and-control; sid:2031209; rev:1; metadata:created_at 2020_11_16, former_category MALWARE, performance_impact Moderate, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005135; classtype:web-application-attack; sid:2005135; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GandCrab Ransomware CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,20}(?:\?[a-z]{3,20}=[a-z]{0,10}&[a-z]{3,20}=[a-z]{0,10})?$/"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64"; http.host; pcre:"/\.(?:bit|coin|sex|com|gandcrab\d*)$/"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.content_len; byte_test:0,>,4000,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:67; fast_pattern; content:!"Accept"; content:!"Referer"; reference:md5,8b7d3093c477b2e99effde5065affbd5; classtype:command-and-control; sid:2025455; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005136; classtype:web-application-attack; sid:2005136; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trojan.JS.Agent.dwz Checkin 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*"; content:"Accept-Language|3a 20|"; distance:0; content:"auth255|3a 20|login"; fast_pattern; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; distance:0; content:"Accept-Encoding|3a 20|gzip, deflate"; distance:0; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b|"; distance:0; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"a="; depth:2; pcre:"/^(?:[a-f0-9]{2}){23,60}$/R"; classtype:command-and-control; sid:2025530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005137; classtype:web-application-attack; sid:2005137; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Adposhel.A Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>200; content:"/q/?q="; startswith; pcre:"/^[a-zA-Z0-9_-]+/R"; http.user_agent; content:"User-Agent|3a 20|"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; classtype:pup-activity; sid:2029055; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_26, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005138; classtype:web-application-attack; sid:2005138; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check"; flow:established,to_server; http.method; content:"GET"; urilen:1; http.header; content:"User-Agent|3a 20|WinHTTP loader/"; fast_pattern; http.host; bsize:21; content:"checkip.amazonaws.com"; http.header_names; content:!"Referer"; reference:md5,730b66cd89c8b4751dbe2c5158701a0b; classtype:trojan-activity; sid:2032216; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_16, deployment Perimeter, former_category MALWARE, malware_family AnchorTrickBot, signature_severity Major, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005139; classtype:web-application-attack; sid:2005139; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.parody)"; dns.query; content:".parody"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029954; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"startrow="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0623; reference:url,www.securityfocus.com/bid/22293; reference:url,doc.emergingthreats.net/2005140; classtype:web-application-attack; sid:2005140; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.libre)"; dns.query; content:".libre"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029958; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php"; flow:established,to_server; content:"/sendmail.php?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2532; reference:url,www.securityfocus.com/bid/23847; reference:url,doc.emergingthreats.net/2003918; classtype:web-application-attack; sid:2003918; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.bbs)"; dns.query; content:".bbs"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029960; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php"; flow:established,to_server; content:"/order_form.php?"; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2532; reference:url,www.securityfocus.com/bid/23847; reference:url,doc.emergingthreats.net/2003919; classtype:web-application-attack; sid:2003919; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.null)"; dns.query; content:".null"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029963; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin"; flow:established,to_server; content:"/configure_plugin.tpl.php?"; nocase; http_uri; content:"edit_plugin="; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003882; classtype:web-application-attack; sid:2003882; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.pirate)"; dns.query; content:".pirate"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029964; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1"; flow:established,to_server; content:"/web/phpinfo.php?"; nocase; http_uri; content:"1["; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003883; classtype:web-application-attack; sid:2003883; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.oss)"; dns.query; content:".oss"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029966; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a"; flow:established,to_server; content:"/web/phpinfo.php?"; nocase; http_uri; content:"a["; nocase; http_uri; content:"script"; nocase; http_uri; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2632; reference:url,www.securityfocus.com/bid/23917; reference:url,doc.emergingthreats.net/2003884; classtype:web-application-attack; sid:2003884; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.epic)"; dns.query; content:".epic"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029967; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Exploit"; flow:established,to_server; content:"mosConfig_absolute_path="; http_uri; content:".php"; nocase; http_uri; pcre:"/mosConfig_absolute_path=(https?|ftps?|php)\:\//Ui"; reference:url,seclists.org/lists/fulldisclosure/2005/Nov/0528.html; reference:url,isc.sans.org/diary.php?storyid=869; reference:url,www.us-cert.gov/cas/bulletins/SB07-106.html; reference:url,doc.emergingthreats.net/2002681; classtype:web-application-attack; sid:2002681; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.indy)"; dns.query; content:".indy"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029968; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003987; classtype:web-application-attack; sid:2003987; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for OpenNIC Alternative DNS TLD (.gopher)"; dns.query; content:".gopher"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029969; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003988; classtype:web-application-attack; sid:2003988; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)"; dns.query; content:".coin"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029971; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid INSERT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003989; classtype:web-application-attack; sid:2003989; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.emc)"; dns.query; content:".emc"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029972; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid DELETE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003990; classtype:web-application-attack; sid:2003990; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for EmerDNS TLD (.bazar)"; dns.query; content:".bazar"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; reference:url,emercoin.com/en/documentation/blockchain-services/emerdns/emerdns-introduction; classtype:bad-unknown; sid:2029973; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid ASCII"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003991; classtype:web-application-attack; sid:2003991; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Observed DNS Query for FurNIC TLD (.fur)"; dns.query; content:".fur"; nocase; endswith; reference:url,wiki.opennic.org/opennic/dot; classtype:bad-unknown; sid:2029974; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_20, deployment Perimeter, signature_severity Informational, updated_at 2020_11_16;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"listid="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2792; reference:url,www.exploit-db.com/exploits/3944/; reference:url,doc.emergingthreats.net/2003992; classtype:web-application-attack; sid:2003992; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> [92.63.0.0/16,91.218.114.0/24,149.56.245.196] any (msg:"ET MALWARE Maze/ID Ransomware Activity"; flow:established,to_server; urilen:>1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|AS|3b 20|rv|3a|11.0) like Gecko"; depth:72; endswith; fast_pattern; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,f83fb9ce6a83da58b20685c1d7e1e546; reference:md5,9823800f063a1d4ee7a749961db7540f; classtype:trojan-activity; sid:2027392; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_29, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, tag Maze, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include"; flow:established,to_server; content:"/membres/membreManager.php"; nocase; http_uri; pcre:"/include_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22287; reference:url,doc.emergingthreats.net/2003331; classtype:web-application-attack; sid:2003331; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"clipbutton.com.br"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029991; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)"; flow:established,to_server; flowbits:isset,ET.phpBB3_test; flowbits:isnotset,ET.phpBB3_register_stage3; flowbits:isset,ET.phpBB3_register_stage4; reference:url,doc.emergingthreats.net/2010897; classtype:web-application-attack; sid:2010897; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE JS Skimmer Domain in DNS Lookup"; dns.query; content:"tivents.de"; nocase; bsize:10; reference:url,twitter.com/MBThreatIntel/status/1252338975265546242; classtype:trojan-activity; sid:2029992; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2)"; flow:established,to_server; flowbits:isnotset,ET.phpBB3_register_stage1; flowbits:isset,ET.phpBB3_register_stage2; flowbits:isset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010896; classtype:web-application-attack; sid:2010896; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Downloader - HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"mac="; fast_pattern; nocase; content:"key="; content:"ver="; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,doc.emergingthreats.net/2009549; classtype:trojan-activity; sid:2009549; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting"; flow:established,to_server; content:"/BPELConsole/default/processLog.jsp"; nocase; depth:50; content:"processName="; nocase; within:100; pcre:"/processName\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,43954; reference:cve,2010-3581; classtype:attempted-admin; sid:2011860; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Wimmie.A Set"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/count.php?m=c&n="; content:"_"; distance:0; content:"@"; distance:0; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,6fd7493e56fdc3b0dd8ecd24aea20da1; classtype:trojan-activity; sid:2014803; rev:9; metadata:created_at 2011_11_05, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/index.jsp"; nocase; http_uri; pcre:"/help\x2Findex\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012396; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Malvertising Related Domain"; dns.query; content:"gdprcountryrestriction.com"; nocase; bsize:26; reference:url,duo.com/labs/research/crxcavator-malvertising-2020; classtype:pup-activity; sid:2030014; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt"; flow:established,to_server; content:"/help/advanced/content.jsp"; nocase; http_uri; pcre:"/content\x2Ejsp.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bid,44883; reference:cve,2010-4647; classtype:web-application-attack; sid:2012397; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.2access.xyz"; nocase; bsize:15; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030023; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; nocase; http_uri; content:"appMVCPath="; http_uri; nocase; pcre:"/appMVCPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012583; rev:3; metadata:created_at 2011_03_25, updated_at 2011_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.nsogroup.com"; nocase; bsize:16; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030024; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; nocase; http_uri; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012584; rev:3; metadata:created_at 2011_03_25, updated_at 2011_03_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"sip.qtechnologies.com"; nocase; bsize:21; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030025; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; http_uri; nocase; content:"appMVCPath="; nocase; http_uri; pcre:"/appMVCPath=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012604; rev:4; metadata:created_at 2011_03_29, updated_at 2011_03_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup"; dns.query; content:"oldgoldcities.com"; nocase; bsize:17; reference:url,context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf; reference:url,twitter.com/jsrailton/status/1253526716460535808; classtype:command-and-control; sid:2030026; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_24, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; http_uri; nocase; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012605; rev:3; metadata:created_at 2011_03_29, updated_at 2011_03_29;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_22, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; content:"D="; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006613; classtype:web-application-attack; sid:2006613; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Win32/Cridex Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/(?:[a-z0-9+]+?\/){3}$/i"; http.header; content:"Accept|3a 20|*/*|0d 0a|Host|3a 20|"; depth:19; content:"Cache-Control|3a 20|no-cache"; distance:0; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080$/"; http.connection; content:"Keep-Alive"; bsize:10; http.content_len; byte_test:0,>,99,0,string,dec; byte_test:0,<,1000,0,string,dec; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; startswith; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:command-and-control; sid:2017305; rev:5; metadata:created_at 2013_08_09, former_category MALWARE, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/vars.inc.php?"; http_uri; nocase; content:"_SESSION[SCRIPT_PATH]="; http_uri; pcre:"/_SESSION\[SCRIPT_PATH\]=\s*(https?|ftps?|php)\x3a\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009179; classtype:web-application-attack; sid:2009179; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK Related Domain in DNS Lookup"; dns.query; content:"sophosfirewallupdate.com"; nocase; bsize:24; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:trojan-activity; sid:2030031; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; http_method; content:"top_graph_header.php"; http_uri; pcre:"/top_graph_header\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; reference:url,doc.emergingthreats.net/2002129; classtype:web-application-activity; sid:2002129; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ASNAROK CnC Domain in DNS Lookup"; dns.query; content:"sophosproductupdate.com"; nocase; bsize:23; reference:url,news.sophos.com/en-us/2020/04/26/asnarok/; classtype:command-and-control; sid:2030033; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2"; flow:established,to_server; content:"GET"; http_method; content:"config_settings.php"; http_uri; pcre:"/config_settings\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; classtype:web-application-activity; sid:2013993; rev:2; metadata:created_at 2011_12_07, updated_at 2011_12_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"forgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030041; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump successful leakage"; flow:established,from_server; content:"|0d 0a|<!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->|0d 0a|"; content:"|0d 0a|Content-Type|3a 20|text/plain|0d 0a|"; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:successful-recon-largescale; sid:2012809; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"bestgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030042; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014079; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"thegame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030043; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; content:"/athenareg.php?pass= |3b|"; nocase; http_uri; reference:cve,CAN-2004-1782; reference:bugtraq,9349; reference:url,doc.emergingthreats.net/2001949; classtype:web-application-attack; sid:2001949; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"newgame.bazar"; nocase; bsize:13; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030044; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BAZAR CnC Domain in DNS Lookup"; dns.query; content:"portgame.bazar"; nocase; bsize:14; reference:url,www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html; classtype:command-and-control; sid:2030045; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns.query; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026486; rev:10; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; flow:established,to_server; tls.sni; content:".core.windows.net"; endswith; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; pcre:!"/^onedrivecl[a-z]{2}prod[a-z]{2}[0-9]{5}\./"; classtype:policy-violation; sid:2026487; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"mine.remaariegarcia.com"; nocase; bsize:23; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030089; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"egg.stralisemariegar.com"; nocase; bsize:24; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030090; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE PHANTOMLANCE CnC Domain in DNS Lookup"; dns.query; content:"api.anaehler.com"; nocase; bsize:16; reference:url,securelist.com/apt-phantomlance/96772/; reference:md5,0d5c03da348dce513bf575545493f3e3; classtype:command-and-control; sid:2030091; rev:2; metadata:attack_target Mobile_Client, created_at 2020_05_01, deployment Perimeter, former_category MOBILE_MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.dev"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IXWARE Stealer Domain in DNS Lookup"; dns.query; content:"ixware.xyz"; nocase; bsize:10; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:domain-c2; sid:2030097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IXWARE Stealer CnC Activity"; flow:established,to_server; http.request_body; content:"checkAcc="; startswith; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.start; content:"POST /stubCheck HTTP/"; depth:21; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1248010996502769664; classtype:command-and-control; sid:2030098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud DNS Lookup (count.trackstatisticsss .com)"; dns.query; content:"count.trackstatisticsss.com"; nocase; bsize:27; classtype:bad-unknown; sid:2030099; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Minor, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE WEBMONITOR RAT CnC Domain in DNS Lookup (dabmaster.wm01 .to)"; dns.query; content:"dabmaster.wm01.to"; nocase; bsize:17; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/webmonitor-rat-bundled-with-zoom-installer/?web_view=true; classtype:command-and-control; sid:2030100; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2016_07_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious User-Agent (1 space)"; flow:to_server,established; http.header; content:"User-Agent|3a 20 0d 0a|"; http.host; content:!"connectivitycheck.gstatic.com"; endswith; content:!".mcafee.com"; content:!"deezer.com"; endswith; content:!"googlezip.net"; content:!"metrics.tbliab.net"; endswith; content:!"dajax.com"; endswith; content:!"update.eset.com"; endswith; content:!".sketchup.com"; endswith; content:!".yieldmo.com"; endswith; content:!"ping-start.com"; endswith; content:!".bluekai.com"; content:!".stockstracker.com"; content:!".doubleclick.net"; content:!".pingstart.com"; content:!".colis-logistique.com"; content:!"android-lrcresource.wps.com"; content:!"track.package-buddy.com"; content:!"talkgadget.google.com"; endswith; content:!".visualstudio.com"; endswith; content:!".slack-edge.com"; endswith; content:!".slack.com"; endswith; content:!".lifesizecloud.com"; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:unknown; sid:2007994; rev:24; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category INFO, signature_severity Major, tag User_Agent, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:5; metadata:created_at 2010_10_29, updated_at 2010_10_29;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT SEO Injection/Fraud Domain in DNS Lookup (stat.trackstatisticsss .com)"; dns.query; content:"stat.trackstatisticsss.com"; nocase; bsize:26; reference:url,www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/; classtype:bad-unknown; sid:2030118; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY moanmyip .com DNS Lookup"; dns.query; content:"moanmyip.com"; nocase; endswith; classtype:policy-violation; sid:2030127; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EVILNUM CnC Host Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register.php"; http.request_body; content:"av="; depth:3; content:"&cpu-name="; fast_pattern; distance:0; content:"&ref="; distance:0; content:"&user="; distance:0; reference:url,blog.prevailion.com/2020/05/phantom-in-command-shell5.html; classtype:command-and-control; sid:2030125; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit"; flow:established,to_server; content:"/services/help/"; nocase; http_uri; pcre:"/module=[^\;]*\;.*\"/UGi"; reference:url,www.exploit-db.com/exploits/1660; reference:cve,2006-1491; reference:bugtraq,17292; classtype:web-application-attack; sid:2002867; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal CnC Checkin"; flow:established,to_server; http.uri; content:".txt"; pcre:"/^\/[a-z]{4}(?:\d{1,3}\.){3}\d{1,3}[a-z]{6}\.txt/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.1.4322|0d 0a|Host|3a 20|"; depth:88; fast_pattern; reference:md5,CC71620DE7216B186DA2C9BA06703613; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/; reference:url,blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html; classtype:command-and-control; sid:2025922; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_31, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; content:"/page.asp?"; nocase; http_uri; content:"art_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004838; classtype:web-application-attack; sid:2004838; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain in DNS Lookup"; dns.query; content:"aoacugmutagkwctu.onion"; nocase; bsize:22; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030133; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Wordpress, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MAZE Ransomware Payment Domain DNS Lookup"; dns.query; content:"mazedecrypt.top"; nocase; bsize:15; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:trojan-activity; sid:2030134; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category MALWARE, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack"; flow:to_server,established; content:"/index.php?"; http_uri; nocase; content:"select="; nocase; http_uri; fast_pattern; pcre:"/UNION\s+SELECT/URi"; reference:bugtraq,15068; reference:url,doc.emergingthreats.net/2002494; classtype:web-application-attack; sid:2002494; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2016_07_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (mazenews .top)"; dns.query; content:"mazenews.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030135; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M1"; flow:to_server,established; content:"Host|3a|"; http_header; nocase; content:"("; http_header; nocase; content:")"; http_header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/Hmi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024277; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2017_05_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY MAZE Ransomware Victim Publishing Site DNS Lookup (newsmaze .top)"; dns.query; content:"newsmaze.top"; nocase; bsize:12; reference:url,www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html; classtype:bad-unknown; sid:2030136; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, malware_family Maze_Ransomware, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 CMS backdoor access admin-access cookie and HTTP POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|Cookie\: "; nocase; content:"admin-access="; content:"e107language_"; pcre:"/Cookie: .*admin-access=/i"; reference:url,seclists.org/fulldisclosure/2010/Jan/480; reference:url,www.e107.org/news.php; reference:url,doc.emergingthreats.net/2010719; classtype:attempted-admin; sid:2010719; rev:3; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2017_05_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY ipchicken .com DNS Lookup"; dns.query; content:"ipchicken.com"; nocase; endswith; classtype:policy-violation; sid:2030138; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DAMICMS Cross-Site Request Forgery (Add Admin)"; flow:from_server,established; file_data; content:"history.pushState"; content:"/admin.php?s=/Admin/doadd|22| method=|22|POST|22|>"; nocase; fast_pattern; content:"name=|22|username|22|"; content:"name=|22|password|22|"; reference:url,exploit-db.com/exploits/44960/; classtype:web-application-attack; sid:2025771; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.VBSLoader Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?uid=VwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcg"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,f1864d53ba7512471182cd100fb96c4b; classtype:trojan-activity; sid:2030148; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 1"; flow:established,to_server; content:"Y21kIC9jIHBvd2Vyc2hlbGwuZXhl"; classtype:attempted-user; sid:2025827; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (corpleaks .net)"; dns.query; content:"corpleaks.net"; nocase; bsize:13; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030161; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 2"; flow:established,to_server; content:"NtZCAvYyBwb3dlcnNoZWxsLmV4Z"; classtype:attempted-user; sid:2025828; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY NEPHILIM Ransomware Victim Publishing Site DNS Lookup (hxt254aygrsziejn .onion) DNS Lookup"; dns.query; content:"hxt254aygrsziejn.onion"; nocase; bsize:22; reference:url,app.any.run/tasks/c8d61923-ae7c-42e4-9b92-f4be92b2b04e; classtype:policy-violation; sid:2030162; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_12, deployment Perimeter, former_category POLICY, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cmd powershell base64 encoded to Web Server 3"; flow:established,to_server; content:"jbWQgL2MgcG93ZXJzaGVsbC5leG"; classtype:attempted-user; sid:2025829; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Emotet.C Variant Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/download.php?listfiles="; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,cd74438c04b09baa5c32ad0e5a0306e7; classtype:command-and-control; sid:2020157; rev:4; metadata:created_at 2015_01_08, former_category MALWARE, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 1"; flow:established,to_server; content:"base64"; fast_pattern; content:"f0VM"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025716; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header CERT.PL"; flow:established,from_server; http.content_len; byte_test:0,=,24,0,string,dec; file.data; content:"Sinkholed by CERT.PL"; within:24; fast_pattern; classtype:trojan-activity; sid:2020172; rev:4; metadata:created_at 2015_01_13, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 2"; flow:established,to_server; content:"base64"; fast_pattern; content:"9FT"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025717; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (irc.eleethub .com)"; dns.query; content:"irc.eleethub.com"; nocase; bsize:16; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030195; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Inbound Web Servers Likely Command Execution 3"; flow:established,to_server; content:"base64"; fast_pattern; content:"/RU"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; classtype:attempted-user; sid:2025718; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub botnet CnC Domain in DNS Lookup (ghost.eleethub .com)"; dns.query; content:"ghost.eleethub.com"; nocase; bsize:18; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:command-and-control; sid:2030196; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded ASCII Inbound Web Servers Likely Command Execution 4"; flow:established,to_server; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; classtype:attempted-user; sid:2025732; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2018_07_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE eleethub .com Domain in DNS Lookup (eleethub .com)"; dns.query; content:"eleethub.com"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet; classtype:trojan-activity; sid:2030197; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 5"; flow:established,to_server; content:"XDE3N1wxMDVcMTE0XDEwN"; classtype:attempted-user; sid:2025832; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jsp?view="; fast_pattern; content:"&os="; distance:0; content:"&address="; distance:0; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 6"; flow:established,to_server; content:"wxNzdcMTA1XDExNFwxMD"; classtype:attempted-user; sid:2025833; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to known Avaddon Ransomware Payment Domain"; dns.query; content:"avaddonbotrxmuyl.onion.pet"; bsize:26; reference:md5,c9ec0d9ff44f445ce5614cc87398b38d; classtype:trojan-activity; sid:2030251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_05, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Avaddon, signature_severity Major, tag Ransomware, updated_at 2020_11_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 UTF-8 Inbound Web Servers Likely Command Execution 7"; flow:established,to_server; content:"cMTc3XDEwNVwxMTRcMTA2"; classtype:attempted-user; sid:2025834; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_18, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2018_07_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"yourcontents.xyz"; nocase; endswith; classtype:domain-c2; sid:2030333; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 8"; flow:established,to_server; content:"XFx4N2ZcXHg0NVxceDRjXFx4ND"; classtype:attempted-user; sid:2025865; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"filepage.icu"; nocase; endswith; classtype:domain-c2; sid:2030332; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 9"; flow:established,to_server; content:"xceDdmXFx4NDVcXHg0Y1xceDQ2"; classtype:attempted-user; sid:2025866; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Staging Domain in DNS Query"; dns.query; content:"datasecure.icu"; nocase; endswith; classtype:domain-c2; sid:2030331; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic encoded Base64 Hex Escape Inbound Web Servers Likely Command Execution 10"; flow:established,to_server; content:"cXHg3ZlxceDQ1XFx4NGNcXHg0N"; classtype:attempted-user; sid:2025867; rev:1; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M1"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"x-flash-version|3a 20|"; content:!"32.0.0.387|0d 0a|"; within:12; content:!"32,0,0,387|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:127; metadata:affected_product Adobe_Flash, created_at 2012_05_09, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 11"; flow:established,to_server; content:"|5c|177|5c|105|5c|114|5c|106|5c|"; fast_pattern; classtype:attempted-user; sid:2025868; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M6"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2B"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,200,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029060; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_17;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ELF file magic plain Inbound Web Servers Likely Command Execution 12"; flow:established,to_server; content:"|5c 5c|x7f|5c 5c|x45|5c 5c|x4c|5c 5c|x46|5c 5c|"; classtype:attempted-user; sid:2025869; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_19, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_07_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.accept; content:"text/html, */*"; depth:14; endswith; http.accept_enc; content:"identity"; depth:8; endswith; http.content_len; byte_test:0,>,50000,0,string,dec; byte_test:0,<,120000,0,string,dec; http.start; content:".php HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Length|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5b2eca6abe1903955d1dfd41e301e0af; classtype:targeted-activity; sid:2030122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Deserialization  (CVE-2018-2893)"; flow:established,to_server; content:"t3|20|12"; depth:5; fast_pattern; content:"AS|3a|255"; distance:0; content:"HL|3a|19"; distance:0; content:"MS|3a|10000000"; distance:0; content:"PU|3a|t3|3a|//"; distance:0; reference:cve,2018-2893; reference:url,github.com/pyn3rd/CVE-2018-2893; classtype:attempted-admin; sid:2025929; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2018_08_01;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (urlpush .net)"; dns.query; content:".urlpush.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030379; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid"; flow:established,to_server; content:"/news.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004585; classtype:web-application-attack; sid:2004585; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group Domain in DNS Lookup (free247downloads .com)"; dns.query; content:"free247downloads.com"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/; classtype:trojan-activity; sid:2030380; rev:3; metadata:attack_target Mobile_Client, created_at 2020_06_22, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt"; flow:to_server,established; content:"/lib/pathwirte.php?"; http_uri; nocase; content:"FSPHP_LIB="; http_uri; nocase; pcre:"/FSPHP_LIB\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,osvdb.org/show/osvdb/58317; reference:url,www.milw0rm.com/exploits/9720; reference:url,doc.emergingthreats.net/2010361; classtype:web-application-attack; sid:2010361; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Patchwork Staging Domain in DNS Query"; dns.query; content:"dnsresolve.live"; nocase; endswith; classtype:domain-c2; sid:2030378; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Patchwork, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ch_readalso.php?"; http_uri; nocase; content:"read_xml_include="; http_uri; nocase; pcre:"/read_xml_include=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29251; reference:url,xforce.iss.net/xforce/xfdb/42459; reference:url,milw0rm.com/exploits/5624; reference:url,doc.emergingthreats.net/2010099; classtype:web-application-attack; sid:2010099; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evil Google Drive Download"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|CODE|0d 0a|"; fast_pattern; http.host; content:"drive.google.com"; reference:md5,f5ee4c578976587586202c15e98997ed; classtype:bad-unknown; sid:2030438; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/common.php?"; http_uri; nocase; content:"root="; http_uri; nocase; pcre:"/root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/29904; reference:url,milw0rm.com/exploits/7218; reference:url,doc.emergingthreats.net/2008922; classtype:web-application-attack; sid:2008922; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms6-upload-serv3.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030418; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls"; flow:established,to_server; content:"/modules/noevents/templates/mfa_theme.php?"; http_uri; nocase; content:"tpls["; http_uri; nocase; reference:cve,CVE-2007-2572; reference:url,www.milw0rm.com/exploits/3861; reference:url,doc.emergingthreats.net/2003694; classtype:web-application-attack; sid:2003694; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"updt-servc-app2.com"; bsize:19; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030419; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username"; flow:established,to_server; content:"/de/pda/dev_logon.asp?"; http_uri; nocase; content:"username="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003894; classtype:web-application-attack; sid:2003894; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"cdn2-system3-secrv.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030420; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp"; flow:established,to_server; content:"/usrmgr/registerAccount.asp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003895; classtype:web-application-attack; sid:2003895; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"file3-netwk-system.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030421; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp"; flow:established,to_server; content:"/de/create_account.asp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2592; reference:url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded; reference:url,doc.emergingthreats.net/2003896; classtype:web-application-attack; sid:2003896; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"service-net2-file.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030422; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/resource_categories_view.php?"; http_uri; nocase; content:"CLASSES_ROOT="; http_uri; nocase; pcre:"/CLASSES_ROOT=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009333; classtype:web-application-attack; sid:2009333; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-access-sec43.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030423; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt"; flow: established,from_client; content:"/osticket/include"; http_uri; nocase; pcre:"/.*\[.*\].*\;/U"; reference:url,secunia.com/advisories/15216; reference:url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438; reference:cve,CAN-2005-1439; reference:url,doc.emergingthreats.net/bin/view/Main/2002702; classtype:web-application-attack; sid:2002702; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"network-msx-system33.com"; bsize:24; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030424; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home"; flow:established,to_server; content:"/skins/header.php?"; http_uri; nocase; content:"ote_home="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003741; classtype:web-application-attack; sid:2003741; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mx3-rewc-state.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030425; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home"; flow:established,to_server; content:"/skins/header.php?"; http_uri; nocase; content:"ote_home="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2676; reference:url,www.milw0rm.com/exploits/3838; reference:url,doc.emergingthreats.net/2003878; classtype:web-application-attack; sid:2003878; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd3-srv-system-app.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030426; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/filepool.php?"; http_uri; nocase; content:"oe_classpath="; http_uri; nocase; pcre:"/oe_classpath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31423; reference:url,milw0rm.com/exploits/6585; reference:url,doc.emergingthreats.net/2009164; classtype:web-application-attack; sid:2009164; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"syse-update-app4.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030427; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/modules/core/logger/init.php?"; http_uri; nocase; content:"GLOBALS[preloc]="; http_uri; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009459; classtype:web-application-attack; sid:2009459; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"system2-cdn5-mx8.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030428; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/newscat.php?"; http_uri; nocase; content:"GLOBALS[preloc]="; http_uri; nocase; pcre:"/GLOBALS\[preloc\]=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009460; classtype:web-application-attack; sid:2009460; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"secure-upd21-app2.com"; bsize:21; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030429; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006528; classtype:web-application-attack; sid:2006528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"ms21-app3-upload.com"; bsize:20; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030430; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006529; classtype:web-application-attack; sid:2006529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"apt5-secure3-state.com"; bsize:22; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030431; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006530; classtype:web-application-attack; sid:2006530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"upd8-sys2-apt.com"; bsize:17; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030432; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006531; classtype:web-application-attack; sid:2006531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"update5-sec3-system.com"; bsize:23; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030433; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006532; classtype:web-application-attack; sid:2006532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"state-awe3-apt.com"; bsize:18; reference:url,blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html; classtype:domain-c2; sid:2030434; rev:2; metadata:affected_product Web_Browsers, created_at 2020_07_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag StrongPity, tag SSL_TLS_SNI, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Client_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006533; classtype:web-application-attack; sid:2006533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"advertstv.com"; bsize:13; classtype:domain-c2; sid:2030459; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006534; classtype:web-application-attack; sid:2006534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"amazingdonutco.com"; bsize:18; classtype:domain-c2; sid:2030461; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006535; classtype:web-application-attack; sid:2006535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"mwebsoft.com"; bsize:12; classtype:domain-c2; sid:2030463; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006536; classtype:web-application-attack; sid:2006536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"rostraffic.com"; bsize:14; classtype:domain-c2; sid:2030465; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006537; classtype:web-application-attack; sid:2006537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"typiconsult.com"; bsize:15; classtype:domain-c2; sid:2030467; rev:2; metadata:created_at 2020_07_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006538; classtype:web-application-attack; sid:2006538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cddn .site)"; dns.query; content:"cddn.site"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030480; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Invoice_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006539; classtype:web-application-attack; sid:2006539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cxizi .net)"; dns.query; content:"cxizi.net"; nocase; bsize:9; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030481; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006540; classtype:web-application-attack; sid:2006540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (yzxi .net)"; dns.query; content:"yzxi.net"; nocase; bsize:8; reference:url,blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/; classtype:trojan-activity; sid:2030482; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006541; classtype:web-application-attack; sid:2006541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TaurusStealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"zyvcin.xyz"; bsize:10; classtype:domain-c2; sid:2030477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_07, deployment Perimeter, former_category MALWARE, malware_family Taurus, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006542; classtype:web-application-attack; sid:2006542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Phorpiex Template 6 Active - Outbound Malicious Email Spam"; flow:established,to_server; content:"Subject|3a 20|YOU|20|BETTER|20|READ|20|THIS|0d|"; fast_pattern; content:"COLLECTED|20|ALL|20|YOUR|20|FILES"; content:"in|20|Bitcoin"; nocase; content:"receiving|20|the|20|Bitcoin"; nocase; threshold: type limit, count 1, seconds 30, track by_src; classtype:command-and-control; sid:2031210; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_11_17, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Phorpiex, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006543; classtype:web-application-attack; sid:2006543; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi (Outbound)"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2030503; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006544; classtype:web-application-attack; sid:2006544; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ml Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ml"; endswith; fast_pattern; classtype:credential-theft; sid:2026532; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"Vendor_ID="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006545; classtype:web-application-attack; sid:2006545; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .cf Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".cf"; endswith; fast_pattern; classtype:credential-theft; sid:2026533; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/converter.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009871; classtype:web-application-attack; sid:2009871; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .ga Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".ga"; endswith; fast_pattern; classtype:credential-theft; sid:2026534; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/messages.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009872; classtype:web-application-attack; sid:2009872; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gq Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gq"; endswith; fast_pattern; classtype:credential-theft; sid:2026535; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/settings.inc.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(ftps?|https?|php)\://Ui"; reference:url,vupen.com/english/advisories/2008/0908; reference:bugtraq,28284; reference:url,milw0rm.com/exploits/5266; reference:url,doc.emergingthreats.net/2009873; classtype:web-application-attack; sid:2009873; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .gqn Domain 2018-10-23"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".gqn"; endswith; fast_pattern; classtype:credential-theft; sid:2026536; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB Remote Code Execution Attempt"; flow:established,to_server; content:"/viewtopic.php?"; http_uri; pcre:"/highlight=.*?(\'|\%[a-f0-9]{4})(\.|\/|\\|\%[a-f0-9]{4}).+?(\'|\%[a-f0-9]{4})/Ui"; reference:url,secunia.com/advisories/15845/; reference:bugtraq,14086; reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; reference:url,doc.emergingthreats.net/2002070; classtype:web-application-attack; sid:2002070; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish to .icu Domain 2019-02-06"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".icu"; endswith; fast_pattern; classtype:credential-theft; sid:2026886; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"phpbb_root_path="; http_uri; nocase; pcre:"/phpbb_root_path=(ftps?|https?|php)/Ui"; reference:url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path; reference:url,doc.emergingthreats.net/2002731; classtype:web-application-attack; sid:2002731; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Suspicious Outbound SIG DNS Query"; content:"|00 00 18 00 01|"; fast_pattern; dns.query; pcre:"/^\d/"; classtype:bad-unknown; sid:2030547; rev:2; metadata:created_at 2020_07_16, former_category INFO, performance_impact Significant, signature_severity Informational, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage1; flowbits:noalert; reference:url,doc.emergingthreats.net/2010890; classtype:attempted-user; sid:2010890; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M1"; flow:established,to_server; http.uri; content:"/+CSCOT+/translation-table?type=mst&textdomain=/|2b|CSCOE|2b|/"; fast_pattern; content:"&default-language&lang="; distance:0; http.uri.raw; content:"&default-language&lang=../"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030581; rev:3; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"agreed=I+agree+to+these+terms"; content:"change_lang="; content:"creation_time"; content:"form_token"; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage1; flowbits:set,ET.phpBB3_register_stage2; flowbits:noalert; reference:url,doc.emergingthreats.net/2010891; classtype:attempted-user; sid:2010891; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M2"; flow:established,to_server; http.uri; content:"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform="; fast_pattern; content:"&name=|2b|CSCOE|2b 2f|"; distance:0; http.uri.raw; content:"&platform=..&resource-type=.."; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030582; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=confirm"; http_uri; content:"confirm_id="; http_uri; content:"type="; http_uri; flowbits:set,ET.phpBB3_test; flowbits:set,ET.phpBB3_register_stage3; flowbits:noalert; reference:url,doc.emergingthreats.net/2010892; classtype:attempted-user; sid:2010892; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2018-06-27 (set)"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"id1="; depth:4; nocase; content:"&id2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2025630; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"email_confirm="; content:"new_password"; content:"password_confirm"; content:"lang="; content:"tz="; content:"confirm_code="; content:"refresh_vc="; content:"confirm_id="; content:"agreed="; content:"change_lang="; content:"confirm_id="; content:"creation_time="; content:"form_token="; flowbits:set,ET.phpBB3_test; flowbits:isset,ET.phpBB3_register_stage3; flowbits:set,ET.phpBB3_register_stage4; flowbits:noalert; reference:url,doc.emergingthreats.net/2010893; classtype:attempted-user; sid:2010893; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ThiefQuest CnC Domain in DNS Lookup"; dns.query; content:"andrewka6.pythonanywhere.com"; nocase; bsize:28; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/updates-on-thiefquest-the-quickly-evolving-macos-malware/; classtype:command-and-control; sid:2030613; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_07_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^Y$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010894; classtype:web-application-attack; sid:2010894; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cloud-sources .com)"; dns.query; content:"cloud-sources.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030636; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX)"; flowbits:isset,ET.phpBB3_test; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=register"; http_uri; content:"username="; content:"email="; content:"pf_XXXXX="; pcre:!"/^YYY$/R"; flowbits:unset,ET.phpBB3_test; reference:url,doc.emergingthreats.net/2010895; classtype:web-application-attack; sid:2010895; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart/Skimmer Domain in DNS Lookup (cdn-filestorm .com)"; dns.query; content:"cdn-filestorm.com"; nocase; bsize:17; reference:url,twitter.com/felixaime/status/1287409263623770112; classtype:trojan-activity; sid:2030637; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 registration (Bogus Stage3 GET)"; flow:to_server,established; content:"GET "; depth:4; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=confirm"; http_uri; content:"id="; http_uri; pcre:"/(\?|&)id=/Ui"; content:"type="; http_uri; reference:url,doc.emergingthreats.net/2010898; classtype:web-application-attack; sid:2010898; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (chretiendaujoudhui .com)"; dns.query; content:"chretiendaujoudhui.com"; nocase; bsize:22; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030638; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 multiple login attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/ucp.php"; http_uri; nocase; content:"mode=login"; http_uri; threshold: type threshold, track by_src, count 2, seconds 60; reference:url,doc.emergingthreats.net/2010899; classtype:attempted-user; sid:2010899; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (leprotestant .com)"; dns.query; content:"leprotestant.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030639; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBB3 possible spammer posting attempts"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/posting.php"; http_uri; nocase; content:"mode=post"; http_uri; threshold: type threshold, track by_src, count 2, seconds 30; reference:url,doc.emergingthreats.net/2010900; classtype:web-application-attack; sid:2010900; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (vie-en-islam .com)"; dns.query; content:"vie-en-islam.com"; nocase; bsize:16; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030640; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid"; flow:established,to_server; content:"/settings.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003879; classtype:web-application-attack; sid:2003879; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Group CnC Domain in DNS Lookup (viedechretien .org)"; dns.query; content:"viedechretien.org"; nocase; bsize:17; reference:url,citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/; classtype:targeted-activity; sid:2030641; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid"; flow:established,to_server; content:"/cat.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2670; reference:url,www.securityfocus.com/bid/23761; reference:url,doc.emergingthreats.net/2003880; classtype:web-application-attack; sid:2003880; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.cnaweb.mrslove .com)"; dns.query; content:"www.cnaweb.mrslove.com"; nocase; bsize:22; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030642; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config"; flow:established,to_server; content:"/includes/language.php?"; http_uri; nocase; content:"config="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003742; classtype:web-application-attack; sid:2003742; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAIDOOR CnC Domain in DNS Lookup (www.infonew.dubya .net)"; dns.query; content:"www.infonew.dubya.net"; nocase; bsize:21; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-216a; classtype:command-and-control; sid:2030643; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path"; flow:established,to_server; content:"/layout_admin_cfg.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003743; classtype:web-application-attack; sid:2003743; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://www.dropbox.com/"; file.data; content:"<title>Dropbox Business</title>"; nocase; classtype:social-engineering; sid:2024403; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path"; flow:established,to_server; content:"/layout_cfg.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003744; classtype:web-application-attack; sid:2003744; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing 2018-01-18 M1"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"|73 63 72 69 70 74 3a 20 6e 6f 64 65 2c 20 74 65 6d 70 6c 61 74 65 3a 20 20 2c 20 64 61 74 65 3a 20 4a 75 6c 20 33|"; content:"<title>Log in to your PayPal account</title>"; fast_pattern; nocase; distance:0; classtype:social-engineering; sid:2025214; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path"; flow:established,to_server; content:"/skins/phpchess/layout_t_top.php?"; http_uri; nocase; content:"Root_Path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2677; reference:url,www.milw0rm.com/exploits/3837; reference:url,doc.emergingthreats.net/2003745; classtype:web-application-attack; sid:2003745; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"your PayPal account"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:log\s*in|sign\s*in)/i"; classtype:social-engineering; sid:2024391; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPEventMan remote file include"; flow:established,to_server; content:"/controller/"; http_uri; nocase; pcre:"/(text\.ctrl\.php|common\.function\.php)\?level=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22358; reference:url,doc.emergingthreats.net/2003372; classtype:web-application-attack; sid:2003372; rev:6; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Paypal Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"https://*.paypal.com"; file.data; content:"<title>"; nocase; content:"|20|-|20|paypal"; nocase; within:100; fast_pattern; pcre:"/<title>\s*(?:s(?:e(?:nd money, pay online or set up a merchant|cure) account|uspicious (?:transaction |activities))|con(?:firm card security information|to limitato)|(?:profile updat|mot de pass)e|login)\s*-\s*paypal\s*<\/title>/i"; classtype:social-engineering; sid:2024970; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_11_07, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include"; flow:established,to_server; content:"/block.php?"; http_uri; nocase; content:"Include="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2665; reference:url,www.milw0rm.com/exploits/3906; reference:url,doc.emergingthreats.net/2003740; classtype:web-application-attack; sid:2003740; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible iCloud Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-Request-UUID|3a|"; file.data; content:"<title>iCloud</title>"; nocase; classtype:social-engineering; sid:2024385; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/CoupleDB.php?"; http_uri; nocase; content:"DataDirectory="; http_uri; nocase; pcre:"/DataDirectory=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9155; reference:url,packetstormsecurity.org/0907-exploits/phpgenealogy-rfi.txt; reference:url,doc.emergingthreats.net/2010095; classtype:web-application-attack; sid:2010095; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>Welcome to Facebook</title>"; nocase; classtype:social-engineering; sid:2024402; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003805; classtype:web-application-attack; sid:2003805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title>"; nocase; content:"facebook email security"; within:40; nocase; fast_pattern; classtype:social-engineering; sid:2024451; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_07_10, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UNION SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003806; classtype:web-application-attack; sid:2003806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"Log in to Facebook"; nocase; within:100; fast_pattern; classtype:social-engineering; sid:2024807; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_05, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER INSERT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003807; classtype:web-application-attack; sid:2003807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Facebook Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"*.facebook.com"; file.data; content:"<title"; nocase; content:"About Copyright|20 7c 20|Facebook Help Center"; within:100; nocase; fast_pattern; classtype:social-engineering; sid:2025137; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_12_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER DELETE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003808; classtype:web-application-attack; sid:2003808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Wells Fargo Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"wellsfargo.com/"; file.data; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; classtype:social-engineering; sid:2025360; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ASCII"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003809; classtype:web-application-attack; sid:2003809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wells Fargo Phishing Landing 2018-02-02 M4"; flow:established,to_client; http.header; content:!".wellsfargo.com/"; file.data; content:"antiClickjack.parentNode.removeChild"; within:1000; content:"<title>Wells Fargo Sign On to View Your Accounts</title>"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025295; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_USER="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003810; classtype:web-application-attack; sid:2003810; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; http.header; content:"!*.paypal.com"; file.data; content:"<title></title>"; nocase; fast_pattern; content:"<meta name=|22|application-name|22 20|content=|22|PayPal"; distance:0; classtype:social-engineering; sid:2024019; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003811; classtype:web-application-attack; sid:2003811; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"cdnapis.com"; nocase; endswith; depth:11; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UNION SELECT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003812; classtype:web-application-attack; sid:2003812; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Mobile Phish 2017-08-15"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029661; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS INSERT"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003813; classtype:web-application-attack; sid:2003813; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2018-01-26"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&prefill_source="; nocase; distance:0; content:"&prefill_type="; nocase; distance:0; content:"&first_prefill_source="; nocase; distance:0; content:"&first_prefill_type="; nocase; distance:0; content:"&had_cp_prefilled="; nocase; distance:0; content:"&had_password_prefilled="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029665; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_01_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS DELETE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003814; classtype:web-application-attack; sid:2003814; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-26"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&jazoest="; nocase; distance:0; fast_pattern; content:"&m_ts="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; content:"&login="; nocase; distance:0; content:"&prefill_contact_point="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; classtype:credential-theft; sid:2029673; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ASCII"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003815; classtype:web-application-attack; sid:2003815; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-08-29"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; fast_pattern; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029678; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE"; flow:established,to_server; content:"/admin.php?"; http_uri; nocase; content:"ADMIN_PASS="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2534; reference:url,www.securityfocus.com/bid/23854; reference:url,doc.emergingthreats.net/2003816; classtype:web-application-attack; sid:2003816; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2020-01-10"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; http.request_body; content:"lsd="; depth:4; nocase; content:"&m_ts="; nocase; distance:0; content:"&li="; nocase; distance:0; content:"&try_number="; nocase; distance:0; content:"&unrecognized_tries="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&login="; nocase; distance:0; content:"&_fb_noscript="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2029683; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_01_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib"; flow:established,to_server; content:"/examples/widget8.php?"; http_uri; nocase; content:"phphtmllib="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2614; reference:url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded; reference:url,doc.emergingthreats.net/2003730; classtype:web-application-attack; sid:2003730; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Amazon Phish 2016-10-27"; flow:to_server,established; http.method; content:"POST"; http.host; content:!"amazon.com"; endswith; content:!".amazon.co.jp"; endswith; http.request_body; content:"appActionToken="; nocase; content:"&appAction=SIGNIN"; nocase; distance:0; fast_pattern; content:"|25|40"; distance:0; content:"&pass"; nocase; distance:0; classtype:credential-theft; sid:2032713; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local"; flow:established,to_server; content:"/ftp.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003731; classtype:web-application-attack; sid:2003731; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing Aug 19 2015"; flow:to_client,established; http.header; content:!"X-BOA-RequestID|3a|"; file.data; content:"boaVIPAAuseGzippedBundles"; fast_pattern; content:"boaVIPAAjawrEnabled"; distance:0; classtype:social-engineering; sid:2025666; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_19, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local"; flow:established,to_server; content:"/libs/db.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003732; classtype:web-application-attack; sid:2003732; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish M2 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineid="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032696; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing_07012016, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local"; flow:established,to_server; content:"/libs/ftp.php?"; http_uri; nocase; content:"path_local="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2615; reference:url,www.milw0rm.com/exploits/3875; reference:url,doc.emergingthreats.net/2003733; classtype:web-application-attack; sid:2003733; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Craigslist Phish 2016-07-11"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".craigslist.org"; endswith; http.request_body; content:"inputEmailHandle="; nocase; content:"|25|40"; distance:0; content:"&inputPassword="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032686; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/_conf/core/common-tpl-vars.php?"; http_uri; nocase; content:"confdir="; http_uri; nocase; pcre:"/confdir=\s*(ftps?|https?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008962; classtype:web-application-attack; sid:2008962; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"X-Apple-I-Request-ID|3a|"; file.data; content:"<title>Manage your Apple ID</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024707; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_15, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPOutsourcing Zorum prod.php Remote Command Execution Attempt"; flow:to_server,established; content:"/prod.php?"; http_uri; nocase; pcre:"/(argv[1]=\|.+)/"; reference:bugtraq,14601; reference:url,doc.emergingthreats.net/2002314; classtype:web-application-attack; sid:2002314; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible CIBC Phishing Landing - Title over non SSL"; flow:established,to_client; http.header; content:!"Server|3a 20|ServerNoWhere"; file.data; content:"<title>CIBC</title>"; nocase; classtype:social-engineering; sid:2024797; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_03, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH"; flow:established,to_server; content:"/include/logout.php?"; http_uri; nocase; content:"PSA_PATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2628; reference:url,www.securityfocus.com/bid/23801; reference:url,doc.emergingthreats.net/2003735; classtype:web-application-attack; sid:2003735; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1"; flow:established,to_server; urilen:>100; flowbits:set,ET.Anunanak.HTTP.1; content:"Accept|3a 20 2a 2f 2a 0d 0a 0d 0a|"; fast_pattern; http.user_agent; pcre:"/(?: MSIE |rv\x3a11)/"; http.method; content:"GET"; http.uri; pcre:"/^[a-zA-Z0-9=/&?\x2e-]+$/"; http.host; content:!".imodules.com"; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Accept|0d 0a 0d 0a|"; depth:30; endswith; reference:url,fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf; classtype:targeted-activity; sid:2020027; rev:7; metadata:created_at 2014_12_23, former_category MALWARE, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPStore Yahoo Answers id parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"cmd=4"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32717/; reference:url,milw0rm.com/exploits/7131; reference:url,doc.emergingthreats.net/2008874; classtype:web-application-attack; sid:2008874; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ave Maria RAT CnC Domain in DNS Lookup (uknwn.linkpc .net)"; dns.query; content:"uknwn.linkpc.net"; nocase; bsize:16; reference:url,twitter.com/James_inthe_box/status/1293267162258272256?cn=ZmxleGlibGVfcmVjcw%3D%3D&refsrc=email; reference:url,app.any.run/tasks/49ba0acb-fd7a-47ec-9998-cacc6eb875d5/; classtype:command-and-control; sid:2030679; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt"; flow: to_server,established; content:"/modules.php?"; http_uri; content:"name="; http_uri; content:"SCRIPT"; http_uri; nocase; pcre:"/<\s*SCRIPT\s*>/iU"; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,doc.emergingthreats.net/2001218; classtype:web-application-attack; sid:2001218; rev:12; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Phish 2019-04-12"; flow:established,to_server; http.method; content:"POST"; http.host; content:!".facebook.com"; endswith; content:!".messenger.com"; endswith; http.request_body; content:"jazoest="; depth:8; nocase; fast_pattern; content:"&lsd="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"|25|40"; distance:0; content:"&pass="; nocase; distance:0; classtype:credential-theft; sid:2029672; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt"; flow:established,to_server; content:"/iframe.php"; http_uri; nocase; content:"file="; http_uri; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.zone-h.org/en/advisories/read/id=8694/; reference:url,doc.emergingthreats.net/2002800; classtype:web-application-attack; sid:2002800; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GratefulPOS Covert DNS CnC Initial Checkin"; dns.query; content:".grp"; within:12; content:"ping.adm."; within:15; fast_pattern; isdataat:30,relative; pcre:"/^[a-f0-9]{8}\.grp[0-9]*\.ping\.adm\.(?:[a-f0-9]+\.){2,}/"; reference:md5,67a53bd24ee8499fed79c8c368e05f7a; reference:url,community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season; classtype:command-and-control; sid:2025144; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Grateful_POS, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt"; flow:established,to_server; content:"/send_reminders.php"; http_uri; nocase; pcre:"/includedir=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,14651; reference:cve,2005-2717; reference:url,doc.emergingthreats.net/2002898; classtype:web-application-attack; sid:2002898; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Base64 Obfuscated Phishing Landing 2015-11-30"; flow:established,from_server; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.content_type; content:"text/html"; startswith; file.data; content:"<meta http-equiv=|22|Refresh|22|"; within:100; fast_pattern; nocase; content:"content=|22|0|3b 20|URL="; nocase; distance:1; content:"data|3a|text/html|3b|base64,"; nocase; within:25; classtype:social-engineering; sid:2031906; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_11_17;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir"; flow:established,to_server; content:"/plugin/HP_DEV/cms2.php?"; http_uri; nocase; content:"s_dir="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2573; reference:url,www.milw0rm.com/exploits/3860; reference:url,doc.emergingthreats.net/2003693; classtype:web-application-attack; sid:2003693; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; pcre:"/^\/v0\/b\/(?:send|hit|few|lik|mtn|eli|rfda)\d.*\.appspot\.com\//i"; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031211; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PmWiki Globals Variables Overwrite Attempt"; flow:to_server,established; content:"/pmwiki.php"; http_uri; nocase; content:"GLOBALS[FarmD]="; nocase; pcre:"/GLOBALS\x5bFarmD\x5d\x3d/i"; reference:cve,CVE-2006-0479; reference:bugtraq,16421; reference:nessus,20891; reference:url,doc.emergingthreats.net/2002837; classtype:web-application-attack; sid:2002837; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AutoIt.NU Miner Dropper CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; depth:5; content:"&pt="; within:20; fast_pattern; http.user_agent; pcre:"/^[a-f0-9]{32}$/i"; http.request_body; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/i"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"Accept"; content:!"Accept-"; content:!"Cache"; content:!"Referer"; reference:md5,cd7a49513771efd9d4de873956ef8af5; classtype:command-and-control; sid:2025598; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_06_21, deployment Perimeter, former_category MALWARE, malware_family Autoit_NU, performance_impact Low, signature_severity Major, tag Dropper, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004606; classtype:web-application-attack; sid:2004606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake 404 With Hidden Login Form"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>404 Not Found</title>"; fast_pattern; depth:28; content:"background-color|3a 23|fff|3b|"; distance:0; content:"<form method=post>"; distance:0; content:"input type=password"; within:50; classtype:trojan-activity; sid:2025872; rev:3; metadata:attack_target Client_and_Server, created_at 2018_07_19, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004607; classtype:web-application-attack; sid:2004607; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/Ramnit Stage 0 Communicating with CnC"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"WAIT|20|"; depth:15; content:"CERT|20|"; fast_pattern; within:20; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/Ri"; reference:md5,20148e48668cb5e0b22d437ee0443cfe; reference:url,research.checkpoint.com/ramnits-network-proxy-servers/; classtype:command-and-control; sid:2026113; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_09_14, deployment Perimeter, former_category MALWARE, malware_family Ramnit, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004608; classtype:web-application-attack; sid:2004608; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"on|20|error|20|resume|20|next"; nocase; content:".regwrite|20 22|"; distance:0; content:"|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"; within:80; fast_pattern; reference:md5,cac1aedbcb417dcba511db5caae4b8c0; classtype:trojan-activity; sid:2026427; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_09_28, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag VBS, tag Persistence, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004609; classtype:web-application-attack; sid:2004609; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=pvtchat.live"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; classtype:domain-c2; sid:2031215; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2020_11_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004610; classtype:web-application-attack; sid:2004610; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"email="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031212; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"c="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3052; reference:url,www.milw0rm.com/exploits/4026; reference:url,doc.emergingthreats.net/2004611; classtype:web-application-attack; sid:2004611; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"#"; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031213; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"order="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2962; reference:url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded; reference:url,doc.emergingthreats.net/2004582; classtype:web-application-attack; sid:2004582; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Personalized Google Firebase Hosted Phishing Landing"; flow:established,to_server; http.uri; content:"/v0/b/"; depth:6; content:".appspot.com/"; distance:0; fast_pattern; content:"login="; distance:0; content:"@"; distance:0; http.host; content:"firebasestorage.googleapis.com"; classtype:social-engineering; sid:2031214; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System"; flow:established,to_server; content:"/blocks/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003660; classtype:web-application-attack; sid:2003660; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound PowerShell Executing Base64 Decoded VBE from Temp 2018-11-29"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3a 3a|FromBase64String"; nocase; content:"-Path|20|C|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; content:"start-process|20|c|3a 5c|windows|5c|system32|5c|wscript.exe|20|-ArgumentList|20 22|c|3a 5c|windows|5c|temp|5c|"; distance:0; nocase; fast_pattern; content:".vbe|22|"; within:20; reference:url,www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/; classtype:trojan-activity; sid:2026677; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag Obfuscated, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System"; flow:established,to_server; content:"/files/blocks/latest_files.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003661; classtype:web-application-attack; sid:2003661; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/LamePyre Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?uid="; pcre:"/^[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}$/Ri"; http.user_agent; content:"curl/"; depth:5; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|scr|22 3b 20|filename=|22|"; fast_pattern; content:".png|22 0d 0a|"; within:30; http.header_names; content:!"Referer"; reference:md5,1dc949fbb35b816b3046731d8db98a3d; reference:url,objective-see.com/blog/blog_0x3C.html; classtype:trojan-activity; sid:2026823; rev:3; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family LamePyre, performance_impact Moderate, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System"; flow:established,to_server; content:"/forums/blocks/latest_posts.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003662; classtype:web-application-attack; sid:2003662; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/KeyRedirEx Banker Receiving Redirect/Inject List"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"REDIR|3b|"; depth:15; content:"|7c 2d 7c|http"; within:50; fast_pattern; reference:md5,ec33cc6cb625197587410840bce5983b; reference:url,otx.alienvault.com/pulse/5bd339328f32ad2db2e03f1a; classtype:trojan-activity; sid:2026563; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_29, deployment Perimeter, former_category TROJAN, malware_family KeyRedirEx, performance_impact Low, signature_severity Major, tag Banker, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System"; flow:established,to_server; content:"/groups/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003663; classtype:web-application-attack; sid:2003663; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apply.cgi"; depth:10; http.request_body; content:"submit_button="; depth:14; content:"&submit_type=start_ping"; distance:0; fast_pattern; content:"&ping_size="; distance:0; content:"|3b|"; within:30; reference:url,www.exploit-db.com/exploits/24936; classtype:attempted-user; sid:2027099; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System"; flow:established,to_server; content:"/filters/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003664; classtype:web-application-attack; sid:2003664; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookies.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookies.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027104; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System"; flow:established,to_server; content:"/links/blocks/links.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003665; classtype:web-application-attack; sid:2003665; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"passwords.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027106; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System"; flow:established,to_server; content:"/menu/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003666; classtype:web-application-attack; sid:2003666; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (wallet.dat) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"wallet.dat"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027115; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System"; flow:established,to_server; content:"/news/blocks/latest_news.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003667; classtype:web-application-attack; sid:2003667; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"screenshot."; distance:26; within:300; nocase; fast_pattern; pcre:"/^(?:(?:jp|pn)g|bmp)/Ri"; classtype:trojan-activity; sid:2027108; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System"; flow:established,to_server; content:"/settings/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003668; classtype:web-application-attack; sid:2003668; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (cookie.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"cookie.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System"; flow:established,to_server; content:"/modules/users/headerfile.php?"; http_uri; nocase; content:"system["; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2545; reference:url,www.milw0rm.com/exploits/3853; reference:url,doc.emergingthreats.net/2003681; classtype:web-application-attack; sid:2003681; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (ccdata.txt) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"ccdata.txt"; distance:26; within:50; nocase; fast_pattern; classtype:trojan-activity; sid:2027272; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_04_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1005, tag Data_from_local_system, tag Collection, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004089; classtype:web-application-attack; sid:2004089; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (google_chrome_default_) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"google_chrome_default_"; distance:26; within:100; nocase; fast_pattern; pcre:"/^(?:logins|c(?:cdata|ookie))/Ri"; classtype:trojan-activity; sid:2027277; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004090; classtype:web-application-attack; sid:2004090; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Mozilla_Firefox_Cookies) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:".zip|22 0d 0a|"; within:150; content:"|0d 0a|PK"; distance:0; content:"Mozilla_Firefox_Cookies"; distance:26; within:100; nocase; fast_pattern; classtype:trojan-activity; sid:2027279; rev:3; metadata:attack_target Client_and_Server, created_at 2019_04_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag T1002, tag data_compressed, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004091; classtype:web-application-attack; sid:2004091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Wide HTA with PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/hta"; file.data; content:"W|00|s|00|c|00|r|00|i|00|p|00|t"; nocase; content:"S|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; content:"p|00|o|00|w|00|e|00|r|00|s|00|h|00|e|00|l|00|l|00|"; distance:0; nocase; fast_pattern; content:"h|00|i|00|d|00|d|00|e|00|n"; within:200; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027335; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004092; classtype:web-application-attack; sid:2004092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"=|20|ReadSmbResponse|28|"; content:"|20|==|20|0x72|20|&&|20|"; within:400; fast_pattern; content:"|20|==|20|00"; within:400; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027336; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004093; classtype:web-application-attack; sid:2004093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CSharp SMB Scanner Assembly in PowerShell Inbound M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|=|20|new|20|byte|5b 5d|"; content:"0xff,0x53,0x4d,0x42"; within:300; fast_pattern; content:"0x01,0x28"; distance:0; content:"0x02,0x4c,0x41,0x4e"; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"form_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2933; reference:url,www.milw0rm.com/exploits/4003; reference:url,doc.emergingthreats.net/2004094; classtype:web-application-attack; sid:2004094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Inbound PowerShell Capable of Enumerating Internal Network via WMI"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|Win32_NetworkAdapterConfiguration"; nocase; content:"_.IPEnabled|20|-ne|20|$null"; within:200; nocase; content:"_.DefaultIPGateway|20|-ne|20|$null"; within:200; nocase; content:"select|20|IPAddress"; within:200; nocase; fast_pattern; reference:md5,e5a9c413812b5217ef0da962668e9651; classtype:trojan-activity; sid:2027338; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_08, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Major, tag PowerShell, tag T1086, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/basicfogfactory.class.php?"; http_uri; nocase; content:"PATH_TO_CODE="; http_uri; nocase; pcre:"/PATH_TO_CODE=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,28588; reference:url,milw0rm.com/exploits/5348; reference:url,doc.emergingthreats.net/2009415; classtype:web-application-attack; sid:2009415; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER China Chopper WebShell Observed Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<%@|20|Page|20|Language=|22|Jscript|22|%><eval|28|Request.Item|5b|"; fast_pattern; content:"|22 29 3b|%>"; within:50; classtype:trojan-activity; sid:2027341; rev:4; metadata:created_at 2019_05_09, former_category WEB_SERVER, performance_impact Low, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/init.php?"; http_uri; nocase; content:"includepath="; http_uri; nocase; pcre:"/includepath=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32335; reference:url,milw0rm.com/exploits/7143; reference:url,doc.emergingthreats.net/2008871; classtype:web-application-attack; sid:2008871; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"powershell"; nocase; content:"-e"; within:40; nocase; content:".Get|28 22|Win32_ProcessStartup|22 29|"; distance:0; nocase; fast_pattern; content:"Process.Create|28|"; distance:0; nocase; reference:md5,f17e15a9d28a85bd41d74233859d4df4; classtype:trojan-activity; sid:2027374; rev:4; metadata:created_at 2019_05_23, former_category CURRENT_EVENTS, tag Loader, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/action/rss.php?"; http_uri; nocase; content:"lib="; http_uri; nocase; pcre:"/lib=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32465; reference:url,milw0rm.com/exploits/7225; reference:url,doc.emergingthreats.net/2008899; classtype:web-application-attack; sid:2008899; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER BlackSquid JSP Webshell Outbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<|25 25|java.io.InputStream|20|"; depth:25; content:"Runtime.getRunetime|28 29|.exec|28|request"; within:50; content:".getInputStream|28 29 3b|int|20|"; distance:0; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner/; classtype:attempted-admin; sid:2027433; rev:3; metadata:attack_target Web_Server, created_at 2019_06_04, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piranha default passwd attempt"; flow:to_server,established; content:"/piranha/secure/control.php3"; http_uri; content:"Authorization\: Basic cGlyYW5oYTp"; reference:bugtraq,1148; reference:cve,2000-0248; reference:nessus,10381; reference:url,doc.emergingthreats.net/2002331; classtype:attempted-recon; sid:2002331; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M1 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<script language=|22|"; content:"VBScript"; within:8; nocase; content:"|2e|scrollLeft"; distance:0; content:"|26|h4003|09 27 20|VT_BYREF|20 7c 20|VT_I4"; distance:0; fast_pattern; content:"|28 28 28 28 5c 2e 2e 5c|"; distance:0; content:"Powershell"; within:10; nocase; content:"|26|h40|2c 20 22 23 3e 24|"; within:400; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/slub-gets-rid-of-github-intensifies-slack-use; reference:url,www.zerodayinitiative.com/blog/2019/5/21/rce-without-native-code-exploitation-of-a-write-what-where-in-internet-explorer; reference:cve,CVE-2019-0752; classtype:attempted-admin; sid:2027721; rev:3; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2019_07_17, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt"; flow:to_server,established; content:"/prepend.php"; http_uri; nocase; content:"_px_config[manager_path]="; nocase; pcre:"/_px_config\x5bmanager_path\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-0725; reference:bugtraq,16662; reference:nessus,20972; reference:url,doc.emergingthreats.net/2002815; classtype:web-application-attack; sid:2002815; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible FFSniff Inject Observed"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:".type|20|==|20 22|password|22 29|"; nocase; content:"=|20 22|Subject|3a 20 22 20|+|20|"; distance:0; nocase; content:"|20 22 5c|r|5c|n|5c|r|5c|n|22 20|+|20|window.top.content.document.location|20|"; within:150; nocase; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027814; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id"; flow:established,to_server; content:"/Default.aspx?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2555; reference:url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded; reference:url,doc.emergingthreats.net/2003914; classtype:web-application-attack; sid:2003914; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var|20|_0x"; content:"|27 5c|x61|5c|x57|5c|x35|5c|x75|5c|x5a|5c|x58|5c|x4a|5c|x49|5c|x5a"; within:150; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027815; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/cms/modules/form.lib.php?"; http_uri; nocase; content:"sourceFolder="; http_uri; nocase; pcre:"/sourceFolder=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,30235; reference:url,juniper.net/security/auto/vulnerabilities/vuln30235.html; reference:url,milw0rm.com/exploits/6078; reference:url,doc.emergingthreats.net/2009898; classtype:web-application-attack; sid:2009898; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Injected JS Form Stealer Checking Page Contents M2"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"location.href.search|28|atob|28 27|Y"; pcre:"/^[2'][2h'+][2hl'+][2hlY'+][2hlY2'+][2hlY2t'+][2hlY2tv'+][2hlY2tvd'+][2hlY2tvdX'+][2hlY2tvdXQ'+](?:[2hlY2tvdXQ='+]){1,10}/R"; content:"|20|=|20|atob|28 27|aHR0cHM6L"; within:300; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027816; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS select_image.php dir Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; content:"/imagelibrary/select_image.php?"; http_uri; nocase; content:"dir="; http_uri; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009736; classtype:web-application-attack; sid:2009736; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Inbound JS with Possible 1px-1px Exfiltration Image"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"document.createElement|28 22|"; content:".width=|22|1px|22|"; within:30; content:".height=|22|1px|22|"; within:30; content:"atob|28 22|aHR0cHM6Ly9"; within:100; fast_pattern; reference:url,www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-formjacking-deep-dive-en.pdf; classtype:trojan-activity; sid:2027817; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_08_07, deployment Perimeter, deployment SSLDecrypt, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ProjectCMS admin_theme_remove.php file Parameter Remote Directory Delete"; flow:to_server,established; content:"GET "; depth:4; content:"/admin_includes/admin_theme_remove.php?"; http_uri; nocase; content:"file="; http_uri; nocase; content:"../"; reference:url,milw0rm.com/exploits/8608; reference:bugtraq,34816; reference:url,doc.emergingthreats.net/2009737; classtype:web-application-attack; sid:2009737; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX ADWARE/AD Injector"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&mvr="; within:5; pcre:"/[a-fA-F0-9]{8}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{4}\-[a-fA-F0-9]{12}/"; http.user_agent; content:"Python-urllib/"; depth:14; fast_pattern; reference:url,objective-see.com/blog/blog_0x3F.html; classtype:pup-activity; sid:2027319; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php"; flow:established,to_server; content:"/awards.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004587; classtype:web-application-attack; sid:2004587; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M1"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/optout/set/"; depth:12; fast_pattern; content:"?jsonp="; within:20; content:"&key="; distance:16; within:23; content:"&cv="; distance:18; within:23; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027419; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php"; flow:established,to_server; content:"/login.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004588; classtype:web-application-attack; sid:2004588; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP LNKR CnC Activity M3"; flow:established,to_server; threshold: type limit, track by_dst, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/metric/?mid="; depth:13; fast_pattern; content:"&wid="; within:20; content:"&sid="; within:20; content:"&tid="; within:20; content:"&rid="; within:20; content:"&t="; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027421; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php"; flow:established,to_server; content:"/register.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004589; classtype:web-application-attack; sid:2004589; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Win32/DealPly Configuration File Inbound"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<Data|20|"; depth:6; content:"|20|step1=|22|"; within:100; content:"|20|step2=|22|"; within:30; content:"|20|step3=|22|"; within:30; content:"<|2f|FName><FHash>"; distance:0; fast_pattern; reference:url,blog.ensilo.com/leveraging-reputation-services; classtype:pup-activity; sid:2027829; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_08, deployment Perimeter, former_category ADWARE_PUP, malware_family DealPly, performance_impact Low, signature_severity Major, tag Adware, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php"; flow:established,to_server; content:"/weapons.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2914; reference:url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded; reference:url,doc.emergingthreats.net/2004590; classtype:web-application-attack; sid:2004590; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Landing M1 2019-04-15"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"alert|28 22|Windows|20|Firewall|20|has|20|detected|20|that|20|your|20|Windows"; fast_pattern; content:"system|20|files|20|are|20|automatically|20|deleted"; within:200; content:"Please|20|follow|20|the|20|instructions"; within:200; classtype:social-engineering; sid:2027197; rev:4; metadata:created_at 2019_04_15, former_category WEB_CLIENT, tag Tech_Support_Scam, tag Malvertising, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/server_request.php?"; http_uri; nocase; content:"CONFIG[gameroot]="; http_uri; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009502; classtype:web-application-attack; sid:2009502; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScriptCompile"; distance:0; content:"value=|40|GrabConfig"; distance:0; content:"|40|GrabResolver|28|"; distance:0; content:"|27|http"; within:60; content:"|27 29 0a 40|Grab|28|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027349; rev:5; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/qlib/smarty.inc.php?"; http_uri; nocase; content:"CONFIG[gameroot]="; http_uri; nocase; pcre:"/CONFIG\[gameroot\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009504; classtype:web-application-attack; sid:2009504; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"eval|28|function|28|p,a,c,k,e,r|29|"; depth:26; content:"|20|TASKID|3d|"; distance:0; content:"|20|MAGICNUM|3d|"; within:25; content:"|20|EXECNUM|3d|"; within:25; content:"|20|FEEDBACKADDR|3d|"; within:25; content:"|28 2f|chrome|5c 5c 2f 28 5b 5c 5c 64 5d 2b 29 2f|gi"; distance:0; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027961; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/qte_web.php?"; http_uri; nocase; content:"qte_web_path="; http_uri; nocase; pcre:"/qte_web_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009723; classtype:web-application-attack; sid:2009723; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a"; depth:6; content:"|27 2c|_b"; within:120; content:"|27 2c|_c"; within:120; content:"|2c|TASKID|3d|"; distance:0; content:"|2c|MAGICNUM|3d|"; within:25; content:"|2c|EXECNUM|3d|"; within:25; content:"|2c|FEEDBACKADDR|3d|"; within:25; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:27; within:11; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027962; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d"; flow:established,to_server; content:"cp/ps/Main/login/Login"; http_uri; nocase; content:"d="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2802; reference:url,www.secunia.com/advisories/25326; reference:url,doc.emergingthreats.net/2004571; classtype:web-application-attack; sid:2004571; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 27|"; depth:8; content:"|27 2c|_b|3d 27|"; within:120; content:"|27 2c|_c|3d 27|"; within:120; content:"|27 2c|e|3d|"; within:120; content:"|2c|t|3d|"; within:10; content:"|2c|n|3d|"; within:15; content:"|5d 3b|if|28 2f|chrome|5c 2f 28 5b 5c|d|5d 2b 29 2f|gi"; distance:0; fast_pattern; content:"|5d 5d 28|window|5b 5f|"; distance:26; within:12; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027963; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/display.php?"; http_uri; nocase; content:"path="; http_uri; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,29873; reference:url,milw0rm.com/exploits/5900; reference:url,doc.emergingthreats.net/2009788; classtype:web-application-attack; sid:2009788; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Great Cannon DDoS JS M4"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"var _a|3d 22|"; depth:8; content:"|22 2c|_b|3d 22|"; within:120; content:"|22 2c|_c|3d 22|"; within:120; content:"|22 3b|eval|28|function|28 5f 2c|"; within:120; content:"|29 7b|if|28|n|3d|function|28 5f 29 7b|return|28 5f|"; distance:9; within:27; fast_pattern; reference:url,citizenlab.ca/2015/04/chinas-great-cannon/; reference:url,twitter.com/chrisdoman/status/1168576334777454594; classtype:attempted-dos; sid:2027964; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/define.php?"; http_uri; nocase; content:"INC_DIR="; http_uri; nocase; pcre:"/INC_DIR=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33227; reference:url,milw0rm.com/exploits/7743; reference:url,doc.emergingthreats.net/2009101; classtype:web-application-attack; sid:2009101; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InfoBot Sending LAN Details"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|7b 22 4c 61 6e 43 6e 74 22 3a 20 22|"; depth:12; fast_pattern; content:"|22 7d|"; within:3; endswith; http.header_names; content:!"Referer"; reference:md5,6daa7e95d172c2e54953adae7bdfaffc; classtype:trojan-activity; sid:2025578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_16, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/add_tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009059; classtype:web-application-attack; sid:2009059; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scarsi Variant CnC Activity"; flow:to_server,established; http.uri; content:"/WP"; content:".php"; within:50; endswith; pcre:"/\/WP(?:Security|CoreLog)\/(?:data\/)?\w+\.php$/i"; http.header; content:"Content-Length|3a 20|"; byte_test:1,>,0x30,0,relative; http.request_body; pcre:"/^[\x20-\x25\x27-\x3c\x3e-\x7e]{25,}$/si"; http.content_type; content:"application/x-www-form-urlencoded|3b 20|Charset=UTF-8"; fast_pattern; bsize:48; http.header_names; content:!"Referer|0d 0a|"; reference:md5,52c193a7994a6bb55ec85addc8987c10; classtype:command-and-control; sid:2024758; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/edit_tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009060; classtype:web-application-attack; sid:2009060; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Sending JPG Screenshot to CnC with .his Extension"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"compatible|3b 20|Googlebot|2f|"; http.request_body; content:"name=|22|kerna|22 3b 20|filename"; fast_pattern; content:".his|22 0d 0a|"; within:20; content:"|0d 0a 0d 0a ff d8 ff|"; distance:0; content:"JFIF"; within:15; http.accept_enc; content:"UTF8"; depth:4; endswith; http.content_type; content:"multipart|2f|form-data|3b 20|boundary|3d 2d 2d 2d 2d 2d 2d 2d|Embt-Boundary"; reference:md5,6eff53e85a9ce9f1d99c812270093581; reference:url,twitter.com/ClearskySec/status/1054722167433297920; classtype:command-and-control; sid:2026550; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/tmsp.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009062; classtype:web-application-attack; sid:2009062; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.request_body; content:"pingstr="; depth:8; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:5; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/competitions/add.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009466; classtype:web-application-attack; sid:2009466; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000"; flow:established,to_server; http.method; content:"POST"; depth:4; endswith; http.uri; content:"config.xml"; endswith; http.request_body; content:"|3c|script|3e 0a|"; content:"import|20|org|2e|buildobjects|2e|process|2e|ProcBuilder"; distance:0; fast_pattern; content:"|40|Grab|28 27|org|2e|buildobjects|3a|jproc|3a|"; distance:0; content:"|27 29 0a|"; within:12; content:"print|20|new|20|ProcBuilder|28 22 2f|"; distance:0; content:"|22 29 2e|run|28 29|"; within:200; content:"|2e|getOutputString|28|"; within:18; content:"|3c 2f|script|3e|"; within:30; reference:url,github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; classtype:web-application-attack; sid:2027346; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2019_1003000, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/competitions/competitions.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009467; classtype:web-application-attack; sid:2009467; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027454; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/settings/settings.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32192; reference:url,milw0rm.com/exploits/7039; reference:url,doc.emergingthreats.net/2009468; classtype:web-application-attack; sid:2009468; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; depth:3; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027455; rev:4; metadata:created_at 2019_06_11, cve 2018_7841, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s"; flow:established,to_server; content:"/wp-content/themes/redoable/searchloop.php?"; http_uri; nocase; content:"s="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003872; classtype:web-application-attack; sid:2003872; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Inbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; fast_pattern; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027486; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s"; flow:established,to_server; content:"/wp-content/themes/redoable/header.php?"; http_uri; nocase; content:"s="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2757; reference:url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded; reference:url,doc.emergingthreats.net/2003873; classtype:web-application-attack; sid:2003873; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Belkin Wemo Enabled Crock-Pot Unauthenticated Command Injection Outbound (CVE-2019-12780)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/basicevent1"; depth:25; endswith; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|Belkin|3a|service|3a|basicevent|3a|1|23|SetSmartDevInfo"; within:48; http.request_body; content:"|3c|SmartDevURL|3e 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027487; rev:4; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv SELECT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003829; classtype:web-application-attack; sid:2003829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UNION SELECT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003830; classtype:web-application-attack; sid:2003830; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; depth:17; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:5; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv INSERT"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003831; classtype:web-application-attack; sid:2003831; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Godlua Backdoor Downloading Encrypted Lua"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; http.user_agent; content:"Mozilla|2f|5.0|20 28|"; pcre:"/^(?:i686|x86_64|arm|mipsel)\-(?:static-linux|w64|iamsatan)\-(?:mingw32|uclibc(?:gnueabi)?)/R"; content:"|29 20|Chrome|2f|20"; within:11; http.referer; content:"https://www.google.com"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Referer|0d 0a 0d 0a|"; reference:url,blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/; classtype:trojan-activity; sid:2027677; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2019_07_03, deployment Perimeter, former_category TROJAN, malware_family Godlua, performance_impact Moderate, signature_severity Major, tag Backdoor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv DELETE"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003832; classtype:web-application-attack; sid:2003832; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP LNKR Possible Response for LNKR js file"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; file.data; content:"lnkr_redirecting"; fast_pattern; content:"_lnkr"; content:"excludeDomains"; within:40; content:"document.createElement|28 22|script|22|"; distance:0; reference:url,securitytrails.com/blog/lnkr-malicious-browser-extension; classtype:pup-activity; sid:2027424; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2019_06_03, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv ASCII"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003833; classtype:web-application-attack; sid:2003833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"ET EXPLOIT Possible LG SuperSign EZ CMS 2.5 RCE (CVE-2018-17173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qsrserver/device/getThumbnail?sourceUri=|22|"; depth:42; fast_pattern; content:"|3b|"; within:40; content:"&targetUri="; distance:0; content:"&scaleType="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2027089; rev:5; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE"; flow:established,to_server; content:"/edit_day.php?"; http_uri; nocase; content:"id_reserv="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2735; reference:url,www.milw0rm.com/exploits/3931; reference:url,doc.emergingthreats.net/2003834; classtype:web-application-attack; sid:2003834; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NetSupport Remote Admin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application/x-www-form-urlencoded"; http.server; content:"NetSupport Gateway"; fast_pattern; startswith; reference:md5,54c0e7593d94c03a2b7909e6a459ce14; classtype:trojan-activity; sid:2035895; rev:5; metadata:created_at 2015_08_27, former_category POLICY, updated_at 2022_04_11;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure"; flow:established,to_server; content:"GET "; depth:4; content:"/download.php?"; http_uri; nocase; content:"filename="; http_uri; nocase; pcre:"/(\.\.\/){1,}/U"; reference:url,securityfocus.com/bid/32968; reference:url,milw0rm.com/exploits/7542; reference:url,doc.emergingthreats.net/2009018; classtype:web-application-attack; sid:2009018; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kuriyama Loader Checkin"; flow: established, to_server; threshold: type both, track by_src, count 2, seconds 60; http.method; content:"GET"; http.uri; content:"?hwid="; content:"&group="; fast_pattern; content:"&os="; content:"&cpu="; http.header_names; content:!"Referer|0d 0a|"; reference:url,darkwebs.ws/threads/41806/; reference:md5,e18c73ec38cbdd0bb0c66f360183e6d9; classtype:command-and-control; sid:2025253; rev:6; metadata:created_at 2018_01_26, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004660; classtype:web-application-attack; sid:2004660; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.4."; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011584; rev:14; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004661; classtype:web-application-attack; sid:2004661; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"</title>"; nocase; distance:0; classtype:social-engineering; sid:2024228; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004662; classtype:web-application-attack; sid:2004662; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle America)"; tls.cert_subject; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=California"; content:"L=Redwood Shores"; content:"O=Oracle America, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle America, Inc."; fast_pattern; reference:md5,a0bbfdb2d4dbfb2f3c182bd394099803; classtype:trojan-activity; sid:2025413; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004663; classtype:web-application-attack; sid:2004663; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Yahoo)"; tls.cert_subject; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Arizona"; content:"L=Phoenix"; content:"O=Yahoo Widget, Inc."; content:"OU=Yahoo Widget Bureau"; content:"CN=Yahoo Widget, Inc."; fast_pattern; reference:md5,ce413a29e6cde5701a26e7e4e02ecc66; classtype:trojan-activity; sid:2025412; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004664; classtype:web-application-attack; sid:2004664; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Google)"; tls.cert_subject; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; tls.cert_issuer; content:"C=US"; content:"ST=Florida"; content:"L=Tampa"; content:"O=Google, Inc."; content:"OU=Google Corp, Inc"; content:"CN=Google, Inc."; fast_pattern; reference:md5,8c7722acb2f7400df1027fa6741e37d5; classtype:trojan-activity; sid:2025414; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"categoria="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1293; reference:url,www.milw0rm.com/exploits/3403; reference:url,doc.emergingthreats.net/2004665; classtype:web-application-attack; sid:2004665; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Fake SSL Certificate Observed (Oracle canada)"; tls.cert_subject; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; tls.cert_issuer; content:"C=canada"; content:"ST=quebec"; content:"L=Redwood Shores"; content:"O=Oracle canada, Inc."; content:"OU=Code Signing Bureau"; content:"CN=Oracle canada, Inc."; fast_pattern; reference:md5,f71d168b5b987d9fde792098ca5cca19; classtype:trojan-activity; sid:2025415; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category TROJAN, malware_family QRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost"; flow:established,to_server; content:"/contact/index.php?"; http_uri; nocase; content:"ripeformpost="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2206; reference:url,www.securityfocus.com/bid/23597; reference:url,doc.emergingthreats.net/2003871; classtype:web-application-attack; sid:2003871; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer IP Lookup"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; http.host; content:"ip-api.com"; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025429; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries SELECT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003817; classtype:web-application-attack; sid:2003817; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arkei Stealer Config Download Request"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/grubConfig"; http.user_agent; content:"Arkei/"; depth:6; fast_pattern; reference:md5,1f075616f69983f5b3fc7ba068032c6d; classtype:trojan-activity; sid:2025430; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_13, deployment Perimeter, former_category TROJAN, malware_family Arkei, signature_severity Major, tag Stealer, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UNION SELECT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003818; classtype:web-application-attack; sid:2003818; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Uploading Screenshots"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/upload.php"; fast_pattern; http.request_body; content:"filename=|22|"; pcre:"/^[^\\\*\+\=\|\:\;\x22\?\>\>\,\#][a-zA-Z0-9-!@#\$%^&\(\)\x20_{}\.~]{1,14}[\d_]+\.(?:jpg|png)\x22\x0d\x0a/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; content:"|0d 0a|Expect|0d 0a|"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021441; rev:5; metadata:created_at 2015_07_20, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries INSERT"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003819; classtype:web-application-attack; sid:2003819; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M1"; flow:to_server,established; http.header; content:"QHBhc3N0aHJ1KC"; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013938; rev:7; metadata:created_at 2011_11_22, former_category WEB_SERVER, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries DELETE"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003820; classtype:web-application-attack; sid:2003820; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; http.uri; content:"/_users/org.couchdb.user|3a|"; http.request_body; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; fast_pattern; content:"password"; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:4; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries ASCII"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003821; classtype:web-application-attack; sid:2003821; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/index.php?cmd=submitcommand&command="; content:"&command_data=$("; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025776; rev:4; metadata:attack_target Server, created_at 2018_07_03, deployment Datacenter, former_category EXPLOIT, signature_severity Critical, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE"; flow:established,to_server; content:"/class/debug/debug_show.php?"; http_uri; nocase; content:"executed_queries="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2538; reference:url,www.milw0rm.com/exploits/3850; reference:url,doc.emergingthreats.net/2003822; classtype:web-application-attack; sid:2003822; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Bank of America Phishing Landing"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Bank of America"; nocase; content:"// the field has a value it's a spam bot"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2025698; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003858; classtype:web-application-attack; sid:2003858; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection"; flow:to_server,established; http.uri; content:"/handle_iscsi.php"; http.request_body; content:"act=discover&address="; fast_pattern; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026107; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003859; classtype:web-application-attack; sid:2003859; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; http.user_agent; content:"|20|MySearch"; reference:url,doc.emergingthreats.net/2002080; classtype:pup-activity; sid:2002080; rev:26; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003860; classtype:web-application-attack; sid:2003860; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Adware-Win32/EoRezo Reporting"; flow:established,to_server; http.uri; content:"/advert/get"; nocase; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/i"; reference:md5,b5708efc8b478274df4b03d8b7dbbb26; classtype:pup-activity; sid:2013983; rev:9; metadata:created_at 2011_12_02, former_category ADWARE_PUP, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003861; classtype:web-application-attack; sid:2003861; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"NSIS_Inetc (Mozilla)"; fast_pattern; http.request_body; content:"from="; depth:5; content:"&type="; distance:0; content:"&pubid="; distance:0; content:"&BundleVersionID="; distance:0; classtype:pup-activity; sid:2018148; rev:7; metadata:attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003862; classtype:web-application-attack; sid:2003862; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; fast_pattern; nocase; bsize:15; classtype:trojan-activity; sid:2024197; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve 2017_0199, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; content:"/devami.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2752; reference:url,www.milw0rm.com/exploits/3936; reference:url,doc.emergingthreats.net/2003863; classtype:web-application-attack; sid:2003863; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; http.uri.raw; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern; http.header; content:"MSIE 8.0|3b|"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_31, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, former_category CURRENT_EVENTS, signature_severity Critical, tag Metasploit, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_css="; http_uri; nocase; pcre:"/_page_css=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009653; classtype:web-application-attack; sid:2009653; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Netviewer.com Remote Control Proxy Test"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nvserver"; http.request_body; content:"cmd="; content:"&params="; content:"Netviewer Proxy Test"; reference:url,doc.emergingthreats.net/2008472; classtype:policy-violation; sid:2008472; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_javascript="; http_uri; nocase; pcre:"/_page_javascript=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009654; classtype:web-application-attack; sid:2009654; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/chat/settings.php"; http.header; content:"facebook.com|0d 0a|"; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:7; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/theme/format.php?"; http_uri; nocase; content:"_page_content="; http_uri; nocase; pcre:"/_page_content=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,34569; reference:url,milw0rm.com/exploits/8460; reference:url,doc.emergingthreats.net/2009656; classtype:web-application-attack; sid:2009656; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004116; classtype:web-application-attack; sid:2004116; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004117; classtype:web-application-attack; sid:2004117; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/hours/data/get_hours.php?"; nocase; content:"take="; nocase; content:"skip="; nocase; content:"pageSize="; nocase; content:"id="; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/i"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:6; metadata:created_at 2012_04_28, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004118; classtype:web-application-attack; sid:2004118; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Koobface Checkin via POST"; flow: to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"f="; content:"&a="; content:"&v="; content:"&c="; content:"&s="; content:"&l="; content:"&ck="; content:"&c_fb="; content:"&c_ms="; content:"&c_hi="; content:"&c_be="; content:"&c_fr="; content:"&c_yb="; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:command-and-control; sid:2009156; rev:12; metadata:created_at 2010_09_28, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004119; classtype:web-application-attack; sid:2004119; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; nocase; endswith; content:!".u.pw"; endswith; nocase; classtype:bad-unknown; sid:2016778; rev:8; metadata:created_at 2013_04_20, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004120; classtype:web-application-attack; sid:2004120; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PRG/wnspoem/Zeus InfoStealer Trojan Config Download"; flow:established; http.method; content:"GET"; http.uri; content:"/cfg.bin"; nocase; fast_pattern; endswith; http.header; content:"no-cache|0d 0a|"; nocase; reference:url,doc.emergingthreats.net/2008100; classtype:trojan-activity; sid:2008100; rev:15; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"catid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1615; reference:url,www.milw0rm.com/exploits/3509; reference:url,doc.emergingthreats.net/2004121; classtype:web-application-attack; sid:2004121; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Accept in HTTP POST - Possible Alphacrypt/TeslaCrypt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.accept; pcre:"/^(?!m(?:ultipart|essage|odel)|a(?:pplication|udio|ccept)|(?:exampl|imag)e|video|text|\*)/i"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; fast_pattern; content:!"Referer"; content:"Accept"; reference:md5,35a6de1e8dbea19bc44cf49ae0cae59e; classtype:trojan-activity; sid:2022502; rev:7; metadata:created_at 2016_02_11, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form"; flow:established,to_server; content:"/sendcard.php?"; http_uri; nocase; content:"form="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2472; reference:url,www.secunia.com/advisories/25085; reference:url,doc.emergingthreats.net/2003922; classtype:web-application-attack; sid:2003922; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns.query; content:".gdn"; nocase; endswith; classtype:bad-unknown; sid:2025098; rev:5; metadata:created_at 2017_12_03, former_category HUNTING, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/SezHooTabsAndActions.php?"; http_uri; nocase; content:"IP="; http_uri; nocase; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,31756; reference:url,www.milw0rm.com/exploits/6751; reference:url,doc.emergingthreats.net/2009123; classtype:web-application-attack; sid:2009123; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Agent.qweydh CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/update.php"; endswith; fast_pattern; http.request_body; content:"data="; depth:5; pcre:"/^(?:[A-Za-z0-9%2b%2f]{4})*(?:[A-Za-z0-9%2b%2f]{2}%3d%3d|[A-Za-z0-9%2b%2f]{3}%3d|[A-Za-z0-9%2b%2f]{4})$/Rsi"; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,5dcc10711305c0bd4c8290eaae660ef3; classtype:command-and-control; sid:2025171; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr SELECT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003852; classtype:web-application-attack; sid:2003852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MedusaHTTP CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|Ubuntu|3b 20|Linux i686|3b 20|rv|3a|45.0) Gecko/20100101 Firefox/45.0"; fast_pattern; endswith; http.request_body; content:"xyz="; depth:4; content:"|7c|"; distance:0; content:"|7c|"; distance:0; http.header_names; content:!"Referer"; reference:md5,d463ee91a2d7b8482554c23bb7d9aa3d; reference:url,www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight; classtype:command-and-control; sid:2025187; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_01_05, deployment Perimeter, former_category MALWARE, malware_family MedusaHTTP, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UNION SELECT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003853; classtype:web-application-attack; sid:2003853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DanijBot User-Agent"; flow:established,to_server; http.user_agent; content:"Botnet by Danij"; fast_pattern; depth:15; endswith; http.header_names; content:!"Referer"; reference:md5,41aa955d06abf7df96e746cf1cb781b4; classtype:trojan-activity; sid:2025469; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_06, deployment Perimeter, former_category TROJAN, malware_family DanijBot, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr INSERT"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003854; classtype:web-application-attack; sid:2003854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Cobalt Strike Beacon"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|43 6f 62 61 6c 74 20 53 74 72 69 6b 65 20 42 65 61 63 6f 6e 29|"; fast_pattern; endswith; http.header_names; content:!"Referer"; classtype:targeted-activity; sid:2025635; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr DELETE"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003855; classtype:web-application-attack; sid:2003855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> any any (msg:"ET MALWARE [PT MALWARE] Hacked Mikrotik C2 Request"; flow:established, to_server; threshold:type threshold, track by_src, count 1, seconds 35; http.method; content:"GET"; http.uri; content:"/mikrotik.php"; endswith; http.user_agent; content:"Mikrotik/6.x Fetch"; depth:18; endswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,forum.mikrotik.com/viewtopic.php?t=137217; classtype:command-and-control; sid:2026027; rev:5; metadata:created_at 2018_08_23, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr ASCII"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003856; classtype:web-application-attack; sid:2003856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS ESET Installer"; flow:established,to_server; threshold: type limit, track by_src, seconds 180, count 1; http.user_agent; content:"ESET Installer"; depth:14; endswith; classtype:policy-violation; sid:2027219; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_17, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, tag PUA, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE"; flow:established,to_server; content:"/print.php?"; http_uri; nocase; content:"newsnr="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2750; reference:url,www.milw0rm.com/exploits/3942; reference:url,doc.emergingthreats.net/2003857; classtype:web-application-attack; sid:2003857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.center"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027576; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gallery="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2679; reference:url,www.securityfocus.com/bid/23534; reference:url,doc.emergingthreats.net/2003746; classtype:web-application-attack; sid:2003746; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027577; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/slogin_lib.inc.php?"; http_uri; nocase; content:"slogin_path="; http_uri; nocase; pcre:"/slogin_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32811; reference:url,milw0rm.com/exploits/7444; reference:url,doc.emergingthreats.net/2008996; classtype:web-application-attack; sid:2008996; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encryptedmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027578; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005518; classtype:web-application-attack; sid:2005518; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"encrypted-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027579; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005519; classtype:web-application-attack; sid:2005519; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveypro.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027580; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005520; classtype:web-application-attack; sid:2005520; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"hrsurveyservice.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027581; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005521; classtype:web-application-attack; sid:2005521; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ifileupload.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027582; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005522; classtype:web-application-attack; sid:2005522; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027583; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ps="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005523; classtype:web-application-attack; sid:2005523; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-secure.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027584; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005524; classtype:web-application-attack; sid:2005524; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"imail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027585; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005525; classtype:web-application-attack; sid:2005525; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"internal-message.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027586; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005527; classtype:web-application-attack; sid:2005527; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"itunesrewardscode.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027587; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005528; classtype:web-application-attack; sid:2005528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafeeonlinescanner.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027588; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005529; classtype:web-application-attack; sid:2005529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"mcafee-scan.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027589; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005530; classtype:web-application-attack; sid:2005530; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"online-microsoft-update.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027590; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005531; classtype:web-application-attack; sid:2005531; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"outlook-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027591; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005532; classtype:web-application-attack; sid:2005532; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"searscorporategiftcard.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027592; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005533; classtype:web-application-attack; sid:2005533; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-corp.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027593; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005534; classtype:web-application-attack; sid:2005534; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027594; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"f="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005535; classtype:web-application-attack; sid:2005535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-online.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027595; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005536; classtype:web-application-attack; sid:2005536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"seccmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027596; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005537; classtype:web-application-attack; sid:2005537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secmail-us.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027597; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005538; classtype:web-application-attack; sid:2005538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secureimailonline.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027598; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005539; classtype:web-application-attack; sid:2005539; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-data.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027599; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005540; classtype:web-application-attack; sid:2005540; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-mail.global"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027600; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"code="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005541; classtype:web-application-attack; sid:2005541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securemail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027601; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/pcltar.lib.php?"; http_uri; nocase; content:"g_pcltar_lib_dir="; http_uri; pcre:"/g_pcltar_lib_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009180; classtype:web-application-attack; sid:2009180; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-ssl.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027602; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"part="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-1903; reference:url,www.netvigilance.com/advisory0020; reference:url,doc.emergingthreats.net/2003881; classtype:web-application-attack; sid:2003881; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"securessl-vpn.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027603; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004379; classtype:web-application-attack; sid:2004379; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"secure-vpn.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027604; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004380; classtype:web-application-attack; sid:2004380; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-account.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027605; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004381; classtype:web-application-attack; sid:2004381; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-login.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027606; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004382; classtype:web-application-attack; sid:2004382; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-secure.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027607; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004383; classtype:web-application-attack; sid:2004383; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssl-upgrade.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027608; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"list="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1425; reference:url,www.milw0rm.com/exploits/3457; reference:url,doc.emergingthreats.net/2004384; classtype:web-application-attack; sid:2004384; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"ssofiles.online"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027609; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe"; flow:established,to_server; content:"/site_conf.php?"; http_uri; nocase; content:"ordnertiefe="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003705; classtype:web-application-attack; sid:2003705; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027610; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot"; flow:established,to_server; content:"/class.csv.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003706; classtype:web-application-attack; sid:2003706; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"sso-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot"; flow:established,to_server; content:"/produkte_nach_serie.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003707; classtype:web-application-attack; sid:2003707; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vpn-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027612; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; content:"/functionen/ref_kd_rubrik.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003708; classtype:web-application-attack; sid:2003708; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"vsecuremail.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027613; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot"; flow:established,to_server; content:"/hg_referenz_jobgalerie.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003709; classtype:web-application-attack; sid:2003709; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-cloud.net"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027614; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot"; flow:established,to_server; content:"/surfer_anmeldung_NWL.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003710; classtype:web-application-attack; sid:2003710; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"webex-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027615; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot"; flow:established,to_server; content:"/produkte_nach_serie_alle.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003711; classtype:web-application-attack; sid:2003711; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"wu-signon.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027616; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot"; flow:established,to_server; content:"/surfer_aendern.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003712; classtype:web-application-attack; sid:2003712; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-auth.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027617; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot"; flow:established,to_server; content:"/ref_kd_rubrik.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003715; classtype:web-application-attack; sid:2003715; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gift Cardshark CnC Domain in DNS Lookup"; dns.query; content:"xmail-ssl.com"; nocase; endswith; reference:url,www.riskiq.com/blog/external-threat-management/giftcard-sharks/; classtype:command-and-control; sid:2027618; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_06_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot"; flow:established,to_server; content:"/module/referenz.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003713; classtype:web-application-attack; sid:2003713; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (downloader)"; flow:to_server,established; http.user_agent; content:"downloader"; depth:10; endswith; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:pup-activity; sid:2007885; rev:13; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot"; flow:established,to_server; content:"/standard/1/lay.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003714; classtype:web-application-attack; sid:2003714; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey CnC Check-In"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; nocase; content:"&vs="; nocase; content:"&ar="; nocase; content:"&bi="; nocase; content:"&lv="; nocase; content:"&os="; nocase; content:"&av="; nocase; fast_pattern; reference:md5,a83a58cbcd200461b1a80de45e436d9c; classtype:command-and-control; sid:2027700; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Amadey, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot"; flow:established,to_server; content:"/standard/3/lay.php?"; http_uri; nocase; content:"tt_docroot="; http_uri; nocase; reference:cve,CVE-2007-2597; reference:url,www.milw0rm.com/exploits/3885; reference:url,doc.emergingthreats.net/2003867; classtype:web-application-attack; sid:2003867; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi MVEL Eval RCE Inbound M1 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"|22|script|3a 3a|"; distance:0; fast_pattern; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031219; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005567; classtype:web-application-attack; sid:2005567; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Usteal.B Checkin"; flow:to_server,established; http.uri; content:"/ufr.php"; fast_pattern; http.request_body; content:"name="; content:"filename="; content:"UFR|21|"; reference:md5,3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:command-and-control; sid:2014616; rev:8; metadata:created_at 2011_11_16, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005568; classtype:web-application-attack; sid:2005568; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; http.uri; content:"/kspp/do?imei="; fast_pattern; content:"&wid="; content:"&type="; content:"&step="; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; classtype:trojan-activity; sid:2016318; rev:9; metadata:affected_product Android, attack_target Mobile_Client, created_at 2012_12_12, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_11_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005569; classtype:web-application-attack; sid:2005569; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi OGNL Eval RCE Inbound M2 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"getClass|28|"; distance:0; nocase; content:".runtime"; distance:0; nocase; content:"getDeclaredMethods|28|"; distance:0; fast_pattern; content:".invoke|28|"; distance:0; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031220; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005571; classtype:web-application-attack; sid:2005571; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kelihos.F Checkin"; flow:established,to_server; urilen:<13; http.method; content:"GET"; http.uri; content:".htm"; fast_pattern; pcre:"/^\/[^\x2f]+?\.htm$/"; http.header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; http.user_agent; content:!"BridgitAgent"; http.header_names; content:!"Accept"; content:!"Referer"; content:!"Content-Type"; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:command-and-control; sid:2017191; rev:6; metadata:created_at 2013_07_24, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005572; classtype:web-application-attack; sid:2005572; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Nuclear EK PDF URI Struct"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".pdf"; fast_pattern; content:"/1"; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/"; http.header; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/m"; classtype:exploit-kit; sid:2017636; rev:14; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_10_28, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp"; flow:established,to_server; content:"/implicit-objects.jsp?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2006-7195; reference:url,www.frsirt.com/english/advisories/2007/1729; reference:url,doc.emergingthreats.net/2003902; classtype:web-application-attack; sid:2003902; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK URI Struct"; flow:established,to_server; http.uri; content:"/3/"; fast_pattern; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/"; classtype:exploit-kit; sid:2018534; rev:6; metadata:created_at 2014_06_05, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test"; flow:established,to_server; content:"/appdev/sample/web/hello.jsp?"; http_uri; nocase; content:"test="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-1355; reference:url,www.securityfocus.com/bid/24058; reference:url,doc.emergingthreats.net/2004575; classtype:web-application-attack; sid:2004575; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; http.user_agent; content:"Zollard"; nocase; fast_pattern; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:6; metadata:created_at 2013_12_10, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file"; flow:established,to_server; content:"/templates/default/tpl_message.php?"; http_uri; nocase; content:"right_file="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2544; reference:url,www.milw0rm.com/exploits/3854; reference:url,doc.emergingthreats.net/2003669; classtype:web-application-attack; sid:2003669; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dyreza RAT Checkin 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"|2e|"; distance:6; within:1; content:"/replace/"; fast_pattern; http.header_names; content:!"Accept|0d 0a|"; content:!"Connection|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,4d1d43789e038c6a03c07083ca0b0809; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl/; classtype:command-and-control; sid:2018749; rev:9; metadata:created_at 2014_07_21, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/config.php?"; http_uri; nocase; content:"inc_dir="; http_uri; nocase; pcre:"/inc_dir=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009663; classtype:web-application-attack; sid:2009663; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; http.request_body; content:"|28 29 20 7b|"; fast_pattern; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b/"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019233; rev:7; metadata:created_at 2014_09_25, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId"; flow:established,to_server; content:"/reportItem.do?"; http_uri; nocase; content:"projId="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2819; reference:url,www.securityfocus.com/bid/24060; reference:url,doc.emergingthreats.net/2004558; classtype:web-application-attack; sid:2004558; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cryptolocker Checkin"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/random.php"; fast_pattern; http.user_agent; content:"Mozilla/5."; pcre:"/^\d{2,7}$/R"; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,01be3fc3243d582d9f93d01401c4f95e; classtype:command-and-control; sid:2019353; rev:6; metadata:created_at 2014_10_03, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH"; flow:established,to_server; content:"/dosearch.php?"; http_uri; nocase; content:"RESPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2530; reference:url,www.milw0rm.com/exploits/3865; reference:url,doc.emergingthreats.net/2003678; classtype:web-application-attack; sid:2003678; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Blocker.fwlm Checkin"; flow:established,to_server; urilen:497; http.method; content:"GET"; http.uri; content:".bin"; fast_pattern; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\.bin$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/; classtype:command-and-control; sid:2019538; rev:5; metadata:created_at 2014_10_28, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"action=play"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/32890/; reference:url,milw0rm.com/exploits/7256; reference:url,doc.emergingthreats.net/2008934; classtype:web-application-attack; sid:2008934; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Citrix XenMobile Server Directory Traversal Attempt Inbound (CVE-2020-8209)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sbFileName=../"; fast_pattern; reference:url,github.com/B1anda0/CVE-2020-8209/blob/main/CVE-2020-8209.py; reference:cve,2020-8209; classtype:attempted-admin; sid:2031221; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_8209, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path"; flow:established,to_server; content:"/include/payment/payflow_pro.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003687; classtype:web-application-attack; sid:2003687; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Mailer CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?action="; fast_pattern; content:"&sent_all="; content:"&sent_success="; distance:0; content:"&active_connections="; distance:0; content:"&queue_connections="; distance:0; http.user_agent; content:"Send Mail"; depth:9; http.header_names; content:!"Referer|0d 0a|"; reference:md5,57e546330fd3a4658dff0e29cbb98214; classtype:command-and-control; sid:2020329; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_01_29, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path"; flow:established,to_server; content:"/global.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003688; classtype:web-application-attack; sid:2003688; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Bayrob Keepalive"; flow:established,to_server; urilen:9; http.method; content:"GET"; http.uri; content:"/isup.php"; fast_pattern; http.header.raw; content:"Accept-Encoding|3a 20 20 20 20 20 20 20 20 20 20 20 20 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,a4a3fab712b04ee901f491d4c704b138; classtype:trojan-activity; sid:2020621; rev:6; metadata:created_at 2015_03_05, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path"; flow:established,to_server; content:"/libsecure.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2474; reference:url,www.securityfocus.com/bid/23662; reference:url,doc.emergingthreats.net/2003689; classtype:web-application-attack; sid:2003689; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE W32/Farfli.BHQ!tr Dropper CnC Beacon 2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/do.asp?search="; fast_pattern; http.header; pcre:"/^Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x3A\d{1,5}\r?$/mi"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,93be88ad3816c19d74155f8cd3aae1d2; classtype:command-and-control; sid:2020913; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"l="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2547; reference:url,www.securityfocus.com/bid/23856; reference:url,doc.emergingthreats.net/2003917; classtype:web-application-attack; sid:2003917; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile"; flow:established,to_server; content:"/browseCat.php?"; http_uri; nocase; content:"catFile="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003888; classtype:web-application-attack; sid:2003888; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT Lurker POST CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; pcre:"/\.php$/"; http.header; content:"HOST|3a|"; depth:5; content:"User-Agent|3a|"; distance:0; pcre:"/^Host\x3a[^\r\n]+\r\nUser-Agent\x3a[^\r\n]+\r\nContent-Length\x3a\x20\d+\r\n(?:\r\n)?$/mi"; http.header_names; content:!"Content-Type|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,c5a8e09295b852a6e32186374b66e1a7; reference:url,blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf; classtype:targeted-activity; sid:2021584; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_08_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile"; flow:established,to_server; content:"/browseSubCat.php?"; http_uri; nocase; content:"catFile="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003889; classtype:web-application-attack; sid:2003889; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; http.header; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; content:"Next|2d|Polling"; fast_pattern; content:"Content|2d|Salt|3a 20|"; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/i"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:13; metadata:created_at 2010_07_30, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id"; flow:established,to_server; content:"/openTutorial.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003890; classtype:web-application-attack; sid:2003890; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw/SlemBunk/SLocker Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.request_body; content:",|22|model|22 3a|"; content:",|22|apps|22 3a 5b 22|"; content:",|22|imei|22 3a|"; fast_pattern; pcre:"/^\{\x22(?:os|type)\x22\x3a/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c9d3237885072b796e5849f7b9ec1a64; reference:md5,a83ce290469654002bcc64062c39387c; reference:url,www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html; classtype:trojan-activity; sid:2022288; rev:8; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_12_21, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2020_11_19, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id"; flow:established,to_server; content:"/topFrame.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003891; classtype:web-application-attack; sid:2003891; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Glupteba/ClIEcker CnC Checkin"; flow:established,to_server; http.uri; content:"&downlink="; content:"&uplink="; content:"&id="; content:"&statpass="; fast_pattern; content:"&version="; content:"&features="; content:"&guid="; content:"&comment="; reference:url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs; classtype:command-and-control; sid:2013293; rev:7; metadata:created_at 2011_07_19, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id"; flow:established,to_server; content:"/admin/editListing.php?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003892; classtype:web-application-attack; sid:2003892; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LokiBot User-Agent (Charon/Inferno)"; flow:established,to_server; http.user_agent; content:"(Charon|3b 20|Inferno)"; fast_pattern; classtype:trojan-activity; sid:2021641; rev:9; metadata:created_at 2015_08_18, former_category TROJAN, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search"; flow:established,to_server; content:"/search.php?"; http_uri; nocase; content:"search="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2600; reference:url,www.milw0rm.com/exploits/3887; reference:url,doc.emergingthreats.net/2003893; classtype:web-application-attack; sid:2003893; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/i"; http.header; content:"WinHttp.WinHttpRequest."; http.host; content:!"download.nai.com"; classtype:trojan-activity; sid:2022658; rev:8; metadata:created_at 2016_03_24, former_category CURRENT_EVENTS, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt"; flow:to_server,established; content:"INCLUDE"; http_uri; nocase; pcre:"/%INCLUDE\s*{.*rev=\"\d+\|.+\".*}\s*%/i"; reference:bugtraq,14960; reference:url,doc.emergingthreats.net/2002662; classtype:web-application-attack; sid:2002662; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"application/x-httpd-php"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|"; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"serverid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:bugtraq,32340; reference:url,milw0rm.com/exploits/7148; reference:url,doc.emergingthreats.net/2008872; classtype:web-application-attack; sid:2008872; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; flowbits:set,ET.iTunes.vuln; flowbits:noalert; http.header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/m"; http.user_agent; content:"iTunes/10.6."; depth:12; classtype:policy-violation; sid:2014954; rev:12; metadata:created_at 2012_06_25, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/include/timesheet.php?"; http_uri; nocase; content:"config[include_dir]="; http_uri; pcre:"/config\[include_dir\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010126; classtype:web-application-attack; sid:2010126; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header; content:"DNT|3a 20|1|0d 0a|"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:!"."; content:"%2F"; fast_pattern; http.content_len; byte_test:0,<,800,0,string,dec; byte_test:0,>,300,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}){1,5})\sHTTP\/1\.1\r\nReferer\x3a\x20http\x3a\x2f\x2f[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|DNT|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:93; reference:md5,e5fecd3be1747f6a934f70e921399a10; classtype:command-and-control; sid:2029059; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_27, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR"; flow:established,to_server; content:"/watermark.php?"; http_uri; nocase; content:"GALLERY_BASEDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2575; reference:url,www.milw0rm.com/exploits/3857; reference:url,doc.emergingthreats.net/2003692; classtype:web-application-attack; sid:2003692; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin Dec 29 2014"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/4.0"; depth:11; endswith; http.request_body; content:"EPF#"; depth:4; fast_pattern; http.connection; content:"close"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept"; reference:md5,7a1ad388bdcebcbc4cc48a2eff71775f; classtype:command-and-control; sid:2020076; rev:5; metadata:created_at 2014_12_29, former_category MALWARE, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type"; flow:established,to_server; content:"/shopcontent.asp?"; http_uri; nocase; content:"type="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2790; reference:url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded; reference:url,doc.emergingthreats.net/2004573; classtype:web-application-attack; sid:2004573; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 3"; flow:established,to_server; urilen:1; http.request_line; content:"POST / 1.1"; depth:10; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; depth:28; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021632; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php"; flow:established,to_server; content:"/get_header.php"; http_uri; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/1632; reference:cve,2006-1636; reference:bugtraq,17358; reference:url,doc.emergingthreats.net/2002899; classtype:web-application-attack; sid:2002899; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FTCode Stealer CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"l=dj0"; depth:5; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/Rs"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,www.malware-traffic-analysis.net/2020/04/02/index.html; classtype:command-and-control; sid:2029803; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php"; flow:established,to_server; content:"/functions_install.php"; http_uri; nocase; pcre:"/vwar_root=\s*(ftps?|https?|php)\:\//Ui"; reference:cve,2006-1503; reference:bugtraq,17290; reference:url,doc.emergingthreats.net/2002902; classtype:web-application-attack; sid:2002902; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (Ouija_x.86)"; flow:established,to_server; http.user_agent; content:!"OuijaBoardWigi"; content:"Ouija"; startswith; classtype:trojan-activity; sid:2028990; rev:6; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo"; flow:established,to_server; content:"/includes/ajax_listado.php?"; http_uri; nocase; content:"urlModulo="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2541; reference:url,www.milw0rm.com/exploits/3847; reference:url,doc.emergingthreats.net/2003671; classtype:web-application-attack; sid:2003671; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Backdoor.AndroidOS.Ahmyth.f (DNS Lookup)"; dns.query; content:"tryanotherhorse.com"; endswith; reference:md5,cf71ba878434605a3506203829c63b9d; classtype:domain-c2; sid:2030822; rev:3; metadata:attack_target Mobile_Client, created_at 2020_09_02, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Android_Ahmyth, signature_severity Critical, tag Android, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/admin.googlebase.php?"; http_uri; nocase; content:"mosConfig_absolute_path="; http_uri; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32098; reference:url,milw0rm.com/exploits/6975; reference:url,doc.emergingthreats.net/2009877; classtype:web-application-attack; sid:2009877; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Microsoft Update GET)"; flow:established,to_server; urilen:220; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; startswith; fast_pattern; content:".cab"; distance:171; endswith; http.user_agent; content:"Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"; bsize:58; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/microsoftupdate_getonly.profile; classtype:command-and-control; sid:2032752; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003993; classtype:web-application-attack; sid:2003993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.hostareas.com"; nocase; bsize:17; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030891; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003994; classtype:web-application-attack; sid:2003994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"lib.jsquerys.net"; nocase; bsize:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030892; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003995; classtype:web-application-attack; sid:2003995; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE RedDelta Poison Ivy Domain in DNS Lookup"; dns.query; content:"web.miscrosaft.com"; nocase; bsize:18; reference:url,go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf; classtype:domain-c2; sid:2030893; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_21, deployment Perimeter, former_category MALWARE, malware_family PoisonIvy, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003996; classtype:web-application-attack; sid:2003996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"cnc.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030925; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; content:"/default.asp?"; http_uri; nocase; content:"id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003997; classtype:web-application-attack; sid:2003997; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"back.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030926; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"crea.php?"; http_uri; nocase; content:"plancia="; http_uri; nocase; pcre:"/plancia=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/32515/; reference:url,milw0rm.com/exploits/6992; reference:url,doc.emergingthreats.net/2008826; classtype:web-application-attack; sid:2008826; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint CnC Domain in DNS Query"; dns.query; content:"q9uvveypiB.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030927; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/cron.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009307; classtype:web-application-attack; sid:2009307; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Ttint Update CnC Domain in DNS Query"; dns.query; content:"uhyg8v.notepod2.com"; nocase; endswith; classtype:domain-c2; sid:2030928; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_browsers.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009309; classtype:web-application-attack; sid:2009309; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Checkin CnC in DNS Query"; dns.query; content:"log.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030999; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_countries.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009311; classtype:web-application-attack; sid:2009311; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PowerGhost Staging CnC in DNS Query"; dns.query; content:"box.conf1g.com"; nocase; endswith; classtype:domain-c2; sid:2030998; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/ST_platforms.php?"; http_uri; nocase; content:"include_path="; http_uri; nocase; pcre:"/include_path=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009313; classtype:web-application-attack; sid:2009313; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service nrecom in DNS Query"; dns.query; content:"paste.nrecom.net"; nocase; endswith; classtype:policy-violation; sid:2031001; rev:3; metadata:created_at 2020_10_12, former_category POLICY, signature_severity Informational, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webCalendar Remote File include"; flow: to_server,established; content:"includedir="; http_uri; pcre:"/\/ws\/(login|get_reminders|get_events)\.php/"; reference:url,www.securityfocus.com/archive/1/462957; reference:url,doc.emergingthreats.net/2003520; classtype:web-application-attack; sid:2003520; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2020-11-19"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"em="; depth:3; nocase; fast_pattern; content:"&ps="; nocase; distance:0; pcre:"/^em=[^&]*&ps=[^&]*$/i"; classtype:credential-theft; sid:2031218; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004754; classtype:web-application-attack; sid:2004754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PoetRAT CnC Domain in DNS Lookup"; dns.query; content:"volt220.kozow.com"; nocase; bsize:17; reference:url,twitter.com/ShadowChasing1/status/1314847032155074562; classtype:domain-c2; sid:2031007; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_13, deployment Perimeter, malware_family PoetRat, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004755; classtype:web-application-attack; sid:2004755; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UNC1878/FIN12 Cobalt Strike CnC SSL Cert Inbound (office)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; fast_pattern; tls.cert_issuer; content:"C=US, ST="; startswith; content:", O=Office, OU=, CN="; nocase; reference:md5,880a45ff31bc540e80ecf2cf93134c12; reference:url,gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456; reference:url,www.youtube.com/watch?v=BhjQ6zsCVSc; classtype:targeted-activity; sid:2031134; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004756; classtype:web-application-attack; sid:2004756; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"duke6.tk"; nocase; bsize:8; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031137; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004757; classtype:web-application-attack; sid:2004757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"wekanda.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031138; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004758; classtype:web-application-attack; sid:2004758; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"sanitar.ml"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031139; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"strid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004759; classtype:web-application-attack; sid:2004759; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"branter.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031140; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Framework/EmailTemplates.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010092; classtype:web-application-attack; sid:2010092; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"bronerg.tk"; nocase; bsize:10; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031141; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Customers/PDPEmailReplaceConstants.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010093; classtype:web-application-attack; sid:2010093; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ComRAT CnC Domain in DNS Lookup"; dns.query; content:"crusider.tk"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar20-303a; classtype:targeted-activity; sid:2031142; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/Admin/ResellersManager.class.php?"; http_uri; nocase; content:"GLOBALS[RootPath]="; http_uri; nocase; pcre:"/GLOBALS\[RootPath\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8792; reference:url,doc.emergingthreats.net/2010094; classtype:web-application-attack; sid:2010094; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Unknown Router Remote DNS Change Attempt"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/setup.htm"; nocase; http.request_body; content:"wan_proto=dhcp"; nocase; content:"dhcps_dns_1="; nocase; fast_pattern; content:"dhcps_mode=enabled"; nocase; content:"lan_proto=enable"; nocase; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; classtype:attempted-admin; sid:2023468; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/include/header.php?"; http_uri; nocase; content:"config_path="; http_uri; nocase; pcre:"/config_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32472; reference:url,milw0rm.com/exploits/7229; reference:url,doc.emergingthreats.net/2008935; classtype:web-application-attack; sid:2008935; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CCleaner Backdoor DGA Domain in DNS Lookup"; dns.query; content:"ab1de19d80ae6.com"; nocase; bsize:17; reference:md5,ef694b89ad7addb9a16bb6f26f1efaf7; reference:url,blog.talosintelligence.com/2017/09/avast-distributes-malware.html; classtype:trojan-activity; sid:2031206; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep"; flow:established,to_server; content:"/handlers/page/show.php?"; http_uri; nocase; content:"sous_rep="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2570; reference:url,www.milw0rm.com/exploits/3863; reference:url,doc.emergingthreats.net/2003696; classtype:web-application-attack; sid:2003696; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DonotGroup CnC in DNS Query"; dns.query; content:"pvtchat.live"; nocase; endswith; classtype:domain-c2; sid:2031216; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_19;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name"; flow:established,to_server; content:"/usersettings.php?"; http_uri; nocase; content:"name="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2551; reference:url,www.securityfocus.com/bid/23894; reference:url,doc.emergingthreats.net/2003916; classtype:web-application-attack; sid:2003916; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2"; dns.query; content:"corona"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!"services.corona.be"; isdataat:!1,relative; classtype:bad-unknown; sid:2029710; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2020_11_20;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php"; flow:established,to_server; content:"/include/sessionRegister.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2781; reference:url,www.secunia.com/advisories/25308; reference:url,doc.emergingthreats.net/2004574; classtype:web-application-attack; sid:2004574; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (TrevorForget Profile)"; flow:established,to_server; http.request_line; content:"GET /us/ky/louisville/312-s-fourth-st.html HTTP/1.1"; bsize:51; fast_pattern; http.cookie; bsize:171; pcre:"/^[a-zA-Z0-9\/+_-]{171}$/"; http.referer; content:"https://locations.smashburger.com/us/ky/louisville.html"; bsize:55; reference:md5,d2c8f1a8b5fc9bf4fe8bde43e88f04a0; classtype:command-and-control; sid:2032754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2020_11_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; content:"/wp-login.php"; http_uri; nocase; content:"redirect_to"; http_uri; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gdn)"; flow:from_server,established; tls.cert_subject; content:".gdn"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031223; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH"; flow:established,to_server; content:"/js/wptable-button.php?"; http_uri; nocase; content:"wpPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2484; reference:url,www.milw0rm.com/exploits/3824; reference:url,doc.emergingthreats.net/2003685; classtype:web-application-attack; sid:2003685; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ml)"; flow:from_server,established; tls.cert_subject; content:".ml"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031224; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH"; flow:established,to_server; content:"/wordtube-button.php?"; http_uri; nocase; content:"wpPATH="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2481; reference:url,www.milw0rm.com/exploits/3825; reference:url,doc.emergingthreats.net/2003686; classtype:web-application-attack; sid:2003686; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.gq)"; flow:from_server,established; tls.cert_subject; content:".gq"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031225; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php"; flow:established,to_server; content:"/sidebar.php?"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2627; reference:url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded; reference:url,doc.emergingthreats.net/2003885; classtype:web-application-attack; sid:2003885; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.ga)"; flow:from_server,established; tls.cert_subject; content:".ga"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031226; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/function_core.php?"; http_uri; nocase; content:"web_root="; http_uri; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009925; classtype:web-application-attack; sid:2009925; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.cf)"; flow:from_server,established; tls.cert_subject; content:".cf"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031227; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/templates/layout_lyrics.php?"; http_uri; nocase; content:"web_root="; http_uri; nocase; pcre:"/web_root=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009927; classtype:web-application-attack; sid:2009927; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.xyz)"; flow:from_server,established; tls.cert_subject; content:".xyz"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031228; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Xoops Articles modules print.php SQL injection attempt"; flow:to_server,established; content:"/print.php?"; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/id=-?\d+.+UNION.+SELECT/Ui"; reference:bugtraq,23160; reference:url,doc.emergingthreats.net/2003516; classtype:web-application-attack; sid:2003516; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.icu)"; flow:from_server,established; tls.cert_subject; content:".icu"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031229; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include"; flow:established,to_server; content:"/header.php?"; http_uri; nocase; content:"set_menu="; http_uri; nocase; pcre:"/set_menu=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,23189; reference:url,doc.emergingthreats.net/2003517; classtype:web-application-attack; sid:2003517; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.top)"; flow:from_server,established; tls.cert_subject; content:".top"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031230; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/update_trailer.php?"; http_uri; nocase; content:"context[path_to_root]="; http_uri; nocase; pcre:"/context\[path_to_root\]=\s*(https?|ftps?|php)\:\//Ui"; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009190; classtype:web-application-attack; sid:2009190; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL SSL/TLS Certificate"; flow:from_server,established; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031231; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path"; flow:established,to_server; content:"/includes/common.php?"; http_uri; nocase; content:"root_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2664; reference:url,www.milw0rm.com/exploits/3908; reference:url,doc.emergingthreats.net/2003739; classtype:web-application-attack; sid:2003739; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed ZeroSSL Certificate for Suspicious TLD (.pw)"; flow:from_server,established; tls.cert_subject; content:".pw"; endswith; tls.cert_issuer; content:"ZeroSSL"; classtype:bad-unknown; sid:2031232; rev:1; metadata:created_at 2020_11_23, updated_at 2020_11_23;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler SELECT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003981; classtype:web-application-attack; sid:2003981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Agent.QAQ Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; endswith; fast_pattern; http.header; content:"|0d 0a|Content-Length|3a 20|95|0d 0a|"; http.header_names; content:!"User-Agent"; content:!"Accept"; content:!"Pragma"; content:!"Referer"; reference:md5,a3c4951687b39e58550309dbbf2e5c85; reference:md5,1c1d7bf3ad926f3cdf0befbc5205a1fe; classtype:trojan-activity; sid:2031233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_24;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UNION SELECT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003982; classtype:web-application-attack; sid:2003982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Cloned Instagram Page - Possible Phishing Landing M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- saved from url=("; within:800; content:")https://www.instagram.com/"; distance:4; within:27; fast_pattern; classtype:social-engineering; sid:2031238; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler INSERT"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003983; classtype:web-application-attack; sid:2003983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackrota Domain (blackrato .ga in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackrato.ga"; bsize:12; fast_pattern; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031235; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_11_25;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler DELETE"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003984; classtype:web-application-attack; sid:2003984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Blackrota)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; fast_pattern; tls.cert_issuer; content:"C=US, ST=Arizona, L=Scottsdale, O=Amazon, OU=Starfield Class, CN=blackrato.ga"; bsize:77; reference:md5,04dab9530bbcb7679ff5498400417e40; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031236; rev:1; metadata:attack_target Client_and_Server, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler ASCII"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003985; classtype:web-application-attack; sid:2003985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Geocon CnC Request"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE 9.0|3b 20|Windows NT 6.0|3b 20|Trident/5.0|3b 20|BOIE9|3b|ENUS)"; fast_pattern; bsize:76; http.cookie; bsize:172; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; reference:url,github.com/darkr4y/geacon/blob/5d9a9101c1f3b7dfb71484a58db5cc51ea279583/cmd/packet/http.go; reference:md5,6e020db51665614f4a2fd84fb0f83778; classtype:command-and-control; sid:2031237; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_11_25;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE"; flow:established,to_server; content:"/plugins/mp3playlist/mp3playlist.php?"; http_uri; nocase; content:"speler="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2773; reference:url,www.milw0rm.com/exploits/3955; reference:url,doc.emergingthreats.net/2003986; classtype:web-application-attack; sid:2003986; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Chase Phish Landing 2020-11-26"; flow:established,to_client; file.data; content:"<title>Ch&alpha|3b|se &Beta|3b|&alpha|3b|n&Kappa|3b|"; fast_pattern; classtype:social-engineering; sid:2031239; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_11_26, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2020_11_26;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php"; flow:established,to_server; content:"/ReadMsg.php?"; http_uri; nocase; content:"| 3C |"; http_uri; content:"SCRIPT"; http_uri; nocase; content:"| 3E |"; http_uri; reference:cve,CVE-2007-2825; reference:url,xforce.iss.net/xforce/xfdb/34376; reference:url,doc.emergingthreats.net/2004557; classtype:web-application-attack; sid:2004557; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|proclist|22|"; content:"svchost.exe"; content:"name=|22|sysinfo|22|"; content:"ipconfig"; content:"net view /all"; fast_pattern; content:"nltest"; distance:0; reference:md5,f99adab7b2560097119077b99aceb40d; classtype:command-and-control; sid:2031241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_11_27;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008966; classtype:web-application-attack; sid:2008966; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Windows.net Hosted Phish 2020-10-14"; flow:established,to_server; flowbits:isset,ET.genericphish; http.method; content:"POST"; http.host; content:".windows.net"; isdataat:!1,relative; fast_pattern; http.uri; content:!"/getEffectiveAccess?api-version="; classtype:credential-theft; sid:2031012; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/handle/proxy.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008967; classtype:web-application-attack; sid:2008967; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credit Card Information Phish 2019-11-04"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"number="; nocase; content:"exp"; nocase; content:"cvv="; nocase; fast_pattern; http.host; content:!".ez-chow.com"; endswith; classtype:credential-theft; sid:2029680; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_11_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/header.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008968; classtype:web-application-attack; sid:2008968; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Lazarus APT MalDoc 2020-11-30)"; flow:established,to_client; tls.cert_subject; content:"CN=filestream.download"; nocase; endswith; reference:md5,1e0d96c551ca31a4055491edc17ce2dd; classtype:domain-c2; sid:2031240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_11_30, deployment Perimeter, former_category MALWARE, malware_family Maldoc, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_11_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/include.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008969; classtype:web-application-attack; sid:2008969; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY ToDesk Remote Access Control Tool"; flow:established,to_server; content:"|00 00 00|"; startswith; content:"|01 0a 20|"; offset:4; depth:3; content:"|12|"; offset:39; depth:1; byte_jump:1,0,relative; content:"|18 01 22|"; within:3; byte_jump:1,0,relative; content:"|3a 3f|"; within:2; content:"B$"; distance:63; within:2; isdataat:!68,relative; reference:md5,d428709903e8c86bc02dfc29ab903634; classtype:policy-violation; sid:2031242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_30, deployment Perimeter, former_category POLICY, performance_impact Significant, signature_severity Informational, updated_at 2020_11_30;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/includes/workspace.php?"; http_uri; nocase; content:"cct_base="; http_uri; nocase; pcre:"/cct_base=\s*(ftps?|https?|php)\:\//Ui"; reference:url,www.milw0rm.com/exploits/7336; reference:url,secunia.com/Advisories/32995/; reference:url,doc.emergingthreats.net/2008970; classtype:web-application-attack; sid:2008970; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031243; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/lib.module.php?"; http_uri; nocase; content:"mod_root"; http_uri; nocase; pcre:"/mod_root=\s*(https?|ftps?|php)/Ui"; reference:url,milw0rm.com/exploits/5921; reference:bugtraq,29914; reference:url,doc.emergingthreats.net/2009367; classtype:web-application-attack; sid:2009367; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">AnonyMous SHell</div>"; nocase; fast_pattern; content:"<form method='post'>"; distance:0; classtype:web-application-attack; sid:2031244; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_01, deployment Perimeter, signature_severity Major, updated_at 2020_12_01;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/_functions.php?"; http_uri; nocase; content:"GLOBALS[prefix]="; http_uri; nocase; pcre:"/GLOBALS\[prefix\]=\s*(ftps?|https?|php)\://Ui"; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009874; classtype:web-application-attack; sid:2009874; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M6 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:"com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031245; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_02, cve CVE_2020_14882, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_12_02;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006951; classtype:web-application-attack; sid:2006951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multi-Email Phishing Landing 2018-08-30"; flow:established,to_client; file_data; content:"function popupwnd(url,"; nocase; fast_pattern; content:"var popupwindow = this.open(url,"; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:"href=|22|javascript:popupwnd("; nocase; distance:0; content:!".jpg',no','no',no'"; nocase; distance:0; content:!".pdf,no','no',no'"; nocase; distance:0; content:!".SlideMenu1_Folder div"; content:!"PhotoGallery"; nocase; classtype:social-engineering; sid:2026047; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_08_30, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_02;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006952; classtype:web-application-attack; sid:2006952; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT AsusWRT RT-AC750GF Cross-Site Request Forgery"; flow:from_server,established; file.data; content:"<form action=|22|http://router.asus.com/findasus.cgi|22 20|method=|22|POST|22|>"; nocase; content:"name=|22|action_mode|22 20|value=|22|refresh_networkmap|22|"; nocase; distance:0; content:"start_apply.htm?productid="; nocase; distance:0; content:"&current_page=Advanced_System_Content.asp"; nocase; distance:0; content:"&next_page=Advanced_System_Content.asp"; nocase; distance:0; fast_pattern; content:"&action_mode=apply"; nocase; distance:0; content:"&http_username="; nocase; distance:0; content:"&http_passwd="; nocase; distance:0; content:"&sshd_enable="; nocase; distance:0; reference:url,www.exploit-db.com/exploits/44937/; classtype:web-application-attack; sid:2025736; rev:5; metadata:attack_target Networking_Equipment, created_at 2018_06_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006953; classtype:web-application-attack; sid:2006953; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix_wvs_security_test in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"acunetix_wvs_security_test"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023687; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006954; classtype:web-application-attack; sid:2006954; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Acunetix scan in progress acunetix variable in http_uri"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.uri; content:"|24|acunetix"; fast_pattern; reference:url,www.acunetix.com/; classtype:web-application-attack; sid:2023688; rev:7; metadata:affected_product Any, attack_target Web_Server, created_at 2016_12_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006955; classtype:web-application-attack; sid:2006955; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow:established; http.header; content:"Content-Type|3A|"; content:"application/x-msn-messenger"; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation; sid:2009375; rev:9; metadata:created_at 2010_07_30, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"seite_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006956; classtype:web-application-attack; sid:2006956; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forms/dns_1?"; fast_pattern; content:"Enable_DNSFollowing=1"; distance:0; content:"dnsPrimary="; distance:0; reference:url,www.exploit-db.com/exploits/35917; classtype:attempted-admin; sid:2023466; rev:8; metadata:created_at 2015_01_29, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006957; classtype:web-application-attack; sid:2006957; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Blackrota Domain"; dns.query; content:"blackrato.ga"; nocase; bsize:12; reference:url,blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/; classtype:domain-c2; sid:2031234; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_25, deployment Perimeter, former_category MALWARE, malware_family Blackrota, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006958; classtype:web-application-attack; sid:2006958; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"european-who.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031246; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006960; classtype:web-application-attack; sid:2006960; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"who-international.com"; nocase; bsize:21; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031247; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006961; classtype:web-application-attack; sid:2006961; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"office-pulgin.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031248; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006962; classtype:web-application-attack; sid:2006962; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"health-world-org.com"; nocase; bsize:20; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031249; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006963; classtype:web-application-attack; sid:2006963; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to WHO Themed Malware Delivery Domain"; dns.query; content:"adverting-cdn.com"; nocase; bsize:17; reference:url,www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign; classtype:domain-c2; sid:2031250; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006964; classtype:web-application-attack; sid:2006964; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (hotspot .accesscam .org)"; dns.query; content:"hotspot.accesscam.org"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031252; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006965; classtype:web-application-attack; sid:2006965; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (highcolumn .webredirect .org)"; dns.query; content:"highcolumn.webredirect.org"; nocase; bsize:26; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031253; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006966; classtype:web-application-attack; sid:2006966; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (ethdns .mywire .org)"; dns.query; content:"ethdns.mywire.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031254; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"ASCII"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006967; classtype:web-application-attack; sid:2006967; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Turla/Crutch CnC Domain in DNS Lookup (theguardian .webredirect .org)"; dns.query; content:"theguardian.webredirect.org"; nocase; bsize:27; reference:url,www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/; classtype:domain-c2; sid:2031255; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"go_target="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006968; classtype:web-application-attack; sid:2006968; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (allmedicalpro .com)"; dns.query; content:"allmedicalpro.com"; nocase; bsize:17; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031256; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/123flashchat.php?"; http_uri; nocase; content:"e107path="; http_uri; nocase; pcre:"/e107path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009435; classtype:web-application-attack; sid:2009435; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (mediqhealthcare .com)"; dns.query; content:"mediqhealthcare.com"; nocase; bsize:19; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031257; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/index_inc.php?"; http_uri; nocase; content:"inc_ordner="; http_uri; nocase; pcre:"/inc_ordner=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009225; classtype:web-application-attack; sid:2009225; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/PowerPepper CnC Domain in DNS Lookup (gofinancesolutions .com)"; dns.query; content:"gofinancesolutions.com"; nocase; bsize:22; reference:url,securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/; classtype:domain-c2; sid:2031258; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_03;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user"; flow:established,to_server; content:"/all_photos.html?"; http_uri; nocase; content:"user="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2724; reference:url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded; reference:url,doc.emergingthreats.net/2003875; classtype:web-application-attack; sid:2003875; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".sh.ShellSession"; fast_pattern; pcre:"/^(?:\x28|%28)/R"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031185; rev:3; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_12_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/toolbar.php?"; http_uri; nocase; content:"dirDepth="; http_uri; nocase; pcre:"/dirDepth=\s*(https?|ftps?|php)\:\//Ui"; reference:url,vupen.com/english/advisories/2008/2059; reference:url,milw0rm.com/exploits/6036; reference:url,doc.emergingthreats.net/2009188; classtype:web-application-attack; sid:2009188; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish (Meta HTTP-Equiv Refresh) Dec 29 2016"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"text/html"; file.data; content:"<META HTTP-EQUIV="; nocase; within:600; fast_pattern; content:"refresh"; nocase; distance:1; within:7; content:"content="; nocase; within:25; content:"url="; nocase; within:25; http.header; content:!".efunds.com"; classtype:credential-theft; sid:2031574; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; content:"/libs/lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003718; classtype:web-application-attack; sid:2003718; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DarkIRC Bot CnC Domain Lookup"; dns.query; content:"cnc."; startswith; fast_pattern; content:".xyz"; endswith; bsize:22; pcre:"/^cnc\.[a-fA-F0-9]{14}.xyz$/"; reference:url,blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability; classtype:command-and-control; sid:2031260; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR"; flow:established,to_server; content:"/lom_update.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003719; classtype:web-application-attack; sid:2003719; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"<string>"; content:"</string>"; distance:0; content:"<string>"; distance:0; content:"</string>"; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_12_04;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR"; flow:established,to_server; content:"/scripts/check-lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003720; classtype:web-application-attack; sid:2003720; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?m="; pcre:"/^[^&]+&[a-z]=[^&]+&[a-z]=[A-F0-9]+$/Rsi"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Win32)"; bsize:41; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,2250fec29baf44d9d2c123ae037fce9c; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036308; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_04, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR"; flow:established,to_server; content:"/scripts/weigh_keywords.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003721; classtype:web-application-attack; sid:2003721; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information"; flow:established,to_server; http.uri; content:"?q=7b2268776964223a22"; nocase; fast_pattern; content:"222c22706e223a22"; nocase; distance:0; content:"222c226f73223a2257696e646f7773"; nocase; distance:0; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:trojan-activity; sid:2030393; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2020_12_07;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR"; flow:established,to_server; content:"/logout.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003722; classtype:web-application-attack; sid:2003722; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (gogohid .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogohid.com"; bsize:11; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031261; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR"; flow:established,to_server; content:"/help.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003723; classtype:web-application-attack; sid:2003723; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (blackl1vesmatter .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"blackl1vesmatter.org"; bsize:20; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031262; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003724; classtype:web-application-attack; sid:2003724; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Jupyter Stealer CnC Domain (vincentolife .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vincentolife.com"; bsize:16; fast_pattern; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; classtype:domain-c2; sid:2031263; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_07, deployment Perimeter, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2020_12_07;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR"; flow:established,to_server; content:"/login.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003725; classtype:web-application-attack; sid:2003725; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Outdated Flash Version M2"; flow:established,to_server; threshold: type limit, count 1, seconds 60, track by_src; http.header; content:"X-Requested-With|3a 20|ShockwaveFlash/"; fast_pattern; content:!"32.0.0.453|0d 0a|"; within:12; content:!"32.0.0.445|0d 0a|"; within:12; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2024379; rev:37; metadata:affected_product Adobe_Flash, created_at 2017_06_13, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2020_12_07;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR"; flow:established,to_server; content:"/web/lom.php?"; http_uri; nocase; content:"ETCDIR="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2609; reference:url,www.milw0rm.com/exploits/3876; reference:url,doc.emergingthreats.net/2003747; classtype:web-application-attack; sid:2003747; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031271; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/test/pages/contact.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010191; classtype:web-application-attack; sid:2010191; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"c99shell</title>"; nocase; fast_pattern; content:"<b>C99Shell v. "; nocase; distance:0; classtype:web-application-attack; sid:2031272; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/system/pageTemplate.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010192; classtype:web-application-attack; sid:2010192; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/system/utilities.php?"; http_uri; nocase; content:"fs_jVroot="; http_uri; nocase; pcre:"/fs_jVroot\s*=\s*(https?|ftps?|php)\:\//Ui"; reference:url,secunia.com/advisories/36072/; reference:url,milw0rm.com/exploits/9308; reference:url,doc.emergingthreats.net/2010193; classtype:web-application-attack; sid:2010193; rev:3; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce 2]"; content:"|a7 06 02 04 6C 69 6C 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path"; flow:established,to_server; content:"/faq.php?"; http_uri; nocase; content:"module_root_path="; http_uri; nocase; content:"cmd="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2493; reference:url,www.milw0rm.com/exploits/3833; reference:url,doc.emergingthreats.net/2003684; classtype:web-application-attack; sid:2003684; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] POSSIBLE HackTool.TCP.Rubeus.[User32LogonProcesss]"; flow:to_server; content:"User32LogonProcesss"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004469; classtype:web-application-attack; sid:2004469; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[Build ID]"; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004470; classtype:web-application-attack; sid:2004470; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.SSL.BEACON.[CSBundle Ajax]"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; fast_pattern; tls.cert_issuer; content:"C=US, ST=WA, L=Seattle, O=Microsoft, OU=Information Technologies, CN=ajax.microsoft.com"; bsize:87; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004471; classtype:web-application-attack; sid:2004471; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|0a|_domainkey"; distance:0; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004472; classtype:web-application-attack; sid:2004472; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert udp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.UDP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031269; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004473; classtype:web-application-attack; sid:2004473; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any 88 (msg:"ET CURRENT_EVENTS [Fireeye] HackTool.TCP.Rubeus.[nonce]"; content:"|05|"; depth:30; content:"|0a|"; distance:4; within:1; content:"Z"; content:"|6C 69 6C 00|"; within:25; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031266; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004474; classtype:web-application-attack; sid:2004474; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M2"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 31 00 30 00 20 00 44 00 65 00 66 00 65 00 6e 00 64 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031301; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004475; classtype:web-application-attack; sid:2004475; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M1"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 55 00 70 00 64 00 61 00 74 00 65 00 20 00 43 00 6f 00 6e 00 74 00 72 00 6f 00 6c 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031300; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004476; classtype:web-application-attack; sid:2004476; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M3"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 4c 00 69 00 63 00 65 00 6e 00 73 00 65 00 20 00 4b 00 65 00 79 00 20 00 41 00 63 00 74 00 69 00 76 00 61 00 74 00 69 00 6f 00 6e|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004477; classtype:web-application-attack; sid:2004477; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M4"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 66 00 66 00 69 00 63 00 65 00 20 00 33 00 36 00 35 00 20 00 50 00 72 00 6f 00 78 00 79|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004478; classtype:web-application-attack; sid:2004478; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M5"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 53 00 65 00 63 00 75 00 72 00 69 00 74 00 79 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031304; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"year="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004479; classtype:web-application-attack; sid:2004479; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M6"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|4f 00 6e 00 65 00 44 00 72 00 69 00 76 00 65 00 20 00 53 00 79 00 6e 00 63 00 20 00 43 00 65 00 6e 00 74 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031305; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS nweb2fax viewrq.php var_filename Parameter Directory Traversal"; flow:to_server,established; content:"GET "; depth:4; content:"/viewrq.php?"; http_uri; nocase; content:"format=ps"; http_uri; nocase; content:"var_filename="; http_uri; content:"../"; reference:bugtraq,29804; reference:url,milw0rm.com/exploits/5856; reference:url,doc.emergingthreats.net/2009501; classtype:web-application-attack; sid:2009501; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M7"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|42 00 61 00 63 00 6b 00 67 00 72 00 6f 00 75 00 6e 00 64 00 20 00 41 00 63 00 74 00 69 00 6f 00 6e 00 20 00 4d 00 61 00 6e 00 61 00 67 00 65 00 72|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031306; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003698; classtype:web-application-attack; sid:2003698; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M8"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|53 00 65 00 63 00 75 00 72 00 65 00 20 00 54 00 6f 00 6b 00 65 00 6e 00 20 00 4d 00 65 00 73 00 73 00 61 00 67 00 69 00 6e 00 67 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path"; flow:established,to_server; content:"/checkout.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003699; classtype:web-application-attack; sid:2003699; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert tcp any any -> any [139,445] (msg:"ET CURRENT_EVENTS [Fireeye] M.HackTool.SMB.Impacket-Obfuscation.[Service Names] M9"; content:"|ff 53 4d 42|"; offset:4; depth:4; content:"|57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 20 00 55 00 70 00 64 00 61 00 74 00 65|"; distance:0; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031308; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, updated_at 2020_12_08;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path"; flow:established,to_server; content:"/libsecure.php?"; http_uri; nocase; content:"abs_path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2559; reference:url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded; reference:url,doc.emergingthreats.net/2003700; classtype:web-application-attack; sid:2003700; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; content:"Cookie|3a 20|"; content:"display-culture=en|3b|check=true|3b|lbcs=0|3b|sess-id="; content:"|3b|SIDCC=AN0-TY21iJHH32j2m|3b|FHBv3=B"; fast_pattern; http.uri; pcre:"/^\/(?:v(?:1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|4\/links\/activity-stream|3\/links\/ping-centre)|gp\/(?:aj\/private\/reviewsGallery\/get-(?:application-resource|image-gallery-asset)s|cerberus\/gv)|en-us\/(?:p\/(?:onerf\/MeSilentPassport|book-2\/8MCPZJJCC98C)|store\/api\/checkproductinwishlist)|wp-(?:content\/themes\/am43-6\/dist\/records|includes\/js\/script\/indigo-migrate)|api2\/json\/(?:cluster\/(?:resource|task)s|access\/ticket))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031264; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"repinc="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2558; reference:url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded; reference:url,doc.emergingthreats.net/2003701; classtype:web-application-attack; sid:2003701; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; flow:established,from_server; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031294; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server"; flow:established,to_server; content:"/sqledit.php?"; http_uri; nocase; content:"server="; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/.*<?(java|vb)?script>?.*<.+\/script>?/iU"; reference:cve,CVE-2007-2865; reference:url,www.securityfocus.com/bid/24115; reference:url,doc.emergingthreats.net/2004552; classtype:web-application-attack; sid:2004552; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031293; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/body_comm.inc.php?"; http_uri; nocase; content:"content="; http_uri; nocase; pcre:"/content=\s*(https?|ftps?|php)\:\//Ui"; reference:bugtraq,27952; reference:url,milw0rm.com/exploits/5175; reference:url,doc.emergingthreats.net/2009397; classtype:web-application-attack; sid:2009397; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Accept-Ranges|3a 20|bytes"; content:"Age|3a 20|5806"; content:"Cache-Control|3a 20|public,max-age=31536000"; content:"Content-Encoding|3a 20|gzip"; content:"Content-Length|3a 20|256398"; content:"Content-Type|3a 20|application/javascript"; content:"Server|3a 20|UploadServer"; content:"Vary|3a 20|Accept-Encoding, Fastly-SSL"; content:"x-api-version|3a 20|F-X"; content:"x-cache|3a 20|HIT"; content:"x-Firefox-Spdy|3a 20|h2"; content:"x-nyt-route|3a 20|vi-assets"; content:"x-served-by|3a 20|cache-mdw17344-MDW"; content:"x-timer|3a 20|S1580937960.346550,VS0,VE0"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031267; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003782; classtype:web-application-attack; sid:2003782; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a 22|"; fast_pattern; content:"nid"; content:"msg-"; http.method; content:"POST"; http.uri; content:"/notification"; startswith; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031292; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+UNION\s+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003783; classtype:web-application-attack; sid:2003783; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 3]"; flow:established,from_server; content:"{|22|alias|22 3a 22|apx|22|,|22|prefix|22 3a 22 22|,|22|suffix|22 3a|null,|22|suggestions|22 3a|[],|22|responseId|22 3a 22|15QE9JX9CKE2P|22|,|22|addon|22 3a 20 22|"; fast_pattern; content:"|22|,|22|shuffled|22 3a|false}"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031268; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"INSERT"; http_uri; nocase; content:"INTO"; http_uri; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003784; classtype:web-application-attack; sid:2003784; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[POST]"; flow:established,to_server; urilen:1; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.connection; content:"upgrade"; depth:7; http.header; content:"|0d 0a|Upgrade|3a 20|tcp/1|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cookie:"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031270; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+DELETE.+FROM/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003785; classtype:web-application-attack; sid:2003785; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server 2]"; flow:established,from_server; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"ASCII("; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/.+ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003786; classtype:web-application-attack; sid:2003786; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:from_server,established; file.data; content:"{|22|navgd|22 3a 22|<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https|3a|//supportlocal.usatoday.com/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031273; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; content:"SET"; http_uri; nocase; pcre:"/.+UPDATE.+SET/Ui"; reference:cve,CVE-2007-2427; reference:url,www.milw0rm.com/exploits/3813; reference:url,doc.emergingthreats.net/2003787; classtype:web-application-attack; sid:2003787; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Server]"; flow:established,from_server; content:"{|22|meta|22|:{},|22|status|22 3a 22|OK|22|,|22|saved|22 3a 22|1|22|,|22|starttime|22 3a|17656184060,|22|id|22 3a 22 22|,|22|vims|22 3a|{|22|dtc|22 3a|"; fast_pattern; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031275; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/footer.php?"; http_uri; nocase; content:"_path[counter]="; http_uri; nocase; pcre:"/_path\[counter\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009321; classtype:web-application-attack; sid:2009321; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice GET]"; flow:established,to_server; content:"sess-="; content:"auth=0|3b|loc=US|7d|"; fast_pattern; http.method; content:"GET"; http.uri; pcre:"/^(?:\/updates|\/license\/eula|\/docs\/office|\/software-activation)/"; http.accept; content:"*/*"; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031290; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt"; flow:to_server,established; content:"/tiki-featured_link.php?type="; http_uri; nocase; content:"/iframe>"; http_uri; nocase; reference:url,www.securityfocus.com/archive/1/450268/30/0; reference:url,doc.emergingthreats.net/2003167; classtype:web-application-attack; sid:2003167; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; flow:established,to_server; content:"nyt-a="; content:"nyt-gdpr=0|3b|nyt-purr=cfh|3b|nyt-geo=US}"; fast_pattern; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; http.request_line; pcre:"/^GET\s(?:\/(?:(?:v(?:i-assets\/static-asset|[12]\/preference)|idcta\/translation)s|ads\/google))/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031276; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/startup.php?"; http_uri; nocase; content:"CFG[txtsql][class]="; http_uri; nocase; pcre:"/CFG\[txtsql\]\[class\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,30625; reference:url,milw0rm.com/exploits/6224; reference:url,doc.emergingthreats.net/2009416; classtype:web-application-attack; sid:2009416; rev:4; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp Request]"; flow:established,to_server; http.cookie; content:"hl=en|3b|bse="; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9_\/\+\-]{2}==|[a-zA-Z0-9_\/\+\-]{3}=|[a-zA-Z0-9_\/\+\-]{4})\x3b/"; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b|"; endswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031289; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl"; flow:established,to_server; content:"/printcal.pl?"; http_uri; nocase; content:"script"; http_uri; nocase; pcre:"/<?(java|vb)?script>?.*<.+\/script>?/Ui"; reference:cve,CVE-2007-2745; reference:url,www.securityfocus.com/bid/24022; reference:url,doc.emergingthreats.net/2003874; classtype:web-application-attack; sid:2003874; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday Server]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Connection|3a 20|close"; content:"Content-Type|3a 20|application/json|3b 20|charset=utf-8"; content:"Content-Security-Policy|3a 20|upgrade-insecure-requests"; content:"Strict-Transport-Security|3a 20|max-age=10890000"; content:"Cache-Control|3a 20|public, immutable, max-age=315360000"; content:"Accept-Ranges|3a 20|bytes"; content:"X-Cache|3a 20|HIT, HIT"; content:"X-Timer|3a 20|S1593010188.776402,VS0,VE1"; content:"Vary|3a 20|X-AbVariant, X-AltUrl, Accept-Encoding"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031274; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004881; classtype:web-application-attack; sid:2004881; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle NYTIMES POST]"; flow:established,to_server; content:"|7b 22|locale|22 3a 22|en|22 2c 22|channel|22 3a 22|prod|22 2c 22|addon|22 3a|"; fast_pattern; http.method; content:"POST"; http.uri; pcre:"/^(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; http.accept; content:"*/*"; startswith; http.accept_enc; content:"gzip, deflate, br"; startswith; http.accept_lang; content:"en-US,en|3b|q=0.5"; startswith; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"UNION"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004882; classtype:web-application-attack; sid:2004882; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.GORAT.[SID1]"; flow:established,to_server; http.start; content:"|0d 0a|Cookie: SID1="; fast_pattern; http.method; content:"GET"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031278; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, signature_severity Major, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"INSERT"; http_uri; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004883; classtype:web-application-attack; sid:2004883; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager]"; flow:established,from_client; http.accept; content:"*/*"; depth:3; http.accept_lang; content:"en-US"; depth:5; http.accept_enc; content:"gzip, deflate"; depth:13; http.cookie; content:"SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; depth:80; fast_pattern; http.uri; content:"/api/v1/user/"; content:"/avatar/"; distance:3; within:8; pcre:"/\/api\/v1\/user\/(?:512|124)\/avatar/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031277; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"DELETE"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004884; classtype:web-application-attack; sid:2004884; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (wherisdomaintv .com in DNS Lookup)"; dns_query; content:"wherisdomaintv.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031309; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004885; classtype:web-application-attack; sid:2004885; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (whoisdomainpc .com in DNS Lookup)"; dns_query; content:"whoisdomainpc.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031310; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"showonly="; http_uri; nocase; content:"UPDATE"; http_uri; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1019; reference:url,www.milw0rm.com/exploits/3325; reference:url,doc.emergingthreats.net/2004886; classtype:web-application-attack; sid:2004886; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (fullplayersoftware .com in DNS Lookup)"; dns_query; content:"fullplayersoftware.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031311; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path"; flow:established,to_server; content:"/header.php?"; http_uri; nocase; content:"path="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2542; reference:url,www.milw0rm.com/exploits/3848; reference:url,doc.emergingthreats.net/2003670; classtype:web-application-attack; sid:2003670; rev:7; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.Trojan.Rana.A (softwareplayertop .com in DNS Lookup)"; dns_query; content:"softwareplayertop.com"; isdataat:!1,relative; reference:url,blog.reversinglabs.com/hubfs/Blog/rana_android_malware/; classtype:domain-c2; sid:2031312; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2020_12_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"/nmap.php?"; http_uri; nocase; content:"target="; http_uri; nocase; pcre:"/target=\w*\;/Ui"; reference:url,osvdb.org/show/osvdb/67739; classtype:web-application-attack; sid:2011555; rev:2; metadata:created_at 2010_09_27, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original Stager 2]"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Content-Type|3a 20|text/json|0d 0a|"; content:"Server|3a 20|Microsoft-IIS/10.0|0d 0a|"; content:"X-Powered-By|3a 20|ASP.NET|0d 0a|"; content:"Cache-Control|3a 20|no-cache, no-store, max-age=0, must-revalidate|0d 0a|"; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"X-Frame-Options|3a 20|SAMEORIGIN|0d 0a|"; content:"Connection|3a 20|close|0d 0a|"; content:"Content-Type|3a 20|image/gif"; file_data; content:"|01 00 01 00 00 02 01 44 00 3b|"; content:"|ff ff ff 21 f9 04 01 00 00 00 2c 00 00 00 00|"; fast_pattern; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031286; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006609; classtype:web-application-attack; sid:2006609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[Yelp GET]"; flow:established,to_server; content:"request_origin=user"; http.method; content:"GET"; http.request_line; content:"&parent_request_id="; within:256; fast_pattern; content:"|20|HTTP/1"; within:1024; pcre:"/^GET [^\r\n]{0,256}&parent_request_id=(?:[A-Za-z0-9_\/\+\-%]{128,1024})={0,2}[^\r\n]{0,256} HTTP\/1\.[01]/"; http.header; content:"|0d 0a|Sec-Fetch-Dest|3a 20|empty|0d 0a|"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031280; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"D="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006611; classtype:web-application-attack; sid:2006611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle CDN GET]"; flow:established,to_server; http.method; content:"GET"; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; http.header; content:"client-="; fast_pattern; content:"|3b|auth=1}"; http.uri; pcre:"/^\/v1\/(?:queue|profile|docs\/wsdl|pull)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031282; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"D="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006612; classtype:web-application-attack; sid:2006612; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice Server]"; flow:from_server,established; http.response_line; content:"HTTP/1."; depth:7; file.data; content:"|7b 22|meta|22 3a 7b 7d 2c 22|status|22 3a 22|OK|22 2c 22|saved|22 3a 22|1|22 2c 22|starttime|22 3a|17656184060|2c 22|id|22 3a 22 22 2c 22|vims|22 3a 7b 22|dtc|22 3a 22|"; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031279; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid SELECT"; flow:established,to_server; content:"/viewcat.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/.+SELECT.+FROM/Ui"; reference:cve,CVE-2007-2373; reference:url,www.milw0rm.com/exploits/3670; reference:url,doc.emergingthreats.net/2003764; classtype:web-application-attack; sid:2003764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle USAToday GET]"; flow:established,to_server; content:"gnt_ub=86|3b|gnt_sb=18|3b|usprivacy=1YNY|3b|DigiTrust.v1.identity="; fast_pattern; content:"%3D|3b|GED_PLAYLIST_ACTIVITY=W3sidSI6IkZtTWUiLCJ0c2wiOjE1OTMwM|3b|"; http.method; content:"GET"; http.connection; content:"close"; bsize:5; http.accept; content:"*/*"; bsize:3; http.header; content:"Cookie|3a 20|"; http.request_line; pcre:"/^GET\s(?:\/USAT-GUP\/user\/|\/entertainment\/|\/entertainment\/navdd-q1a2z3Z6TET4gv2PNfXpaJAniOzOajK7M\.min\.json|\/global-q1a2z3C4M2nNlQYzWhCC0oMSEFjQbW1KA\.min\.json|\/life\/|\/news\/weather\/|\/opinion\/|\/sports\/|\/sports\/navdd-q1a2z3JHa8KzCRLOQAnDoVywVWF7UwxJs\.min\.json|\/tangstatic\/js\/main-q1a2z3b37df2b1\.min\.js|\/tangstatic\/js\/pbjsandwich-q1a2z300ab4198\.min\.js|\/tangstatic\/js\/pg-q1a2z3bbc110a4\.min\.js|\/tangsvc\/pg\/3221104001\/|\/tangsvc\/pg\/5059005002\/|\/tangsvc\/pg\/5066496002\/|\/tech\/|\/travel\/)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031283; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system)"; flow:established,to_server; content:"POST"; http_method; content:"/scripts/setup.php"; http_uri; nocase; content:"token="; http_client_body; depth:6; content:"host"; http_client_body; content:"system|28 24 5F|"; nocase; http_client_body; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009710; classtype:web-application-attack; sid:2009710; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns any any -> any any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.DNS.BEACON.[CSBundle DNS]"; content:"|00 01 00 01|"; offset:4; depth:4; content:"|03|"; within:15; content:"|0a|_domainkey"; distance:3; within:11; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 02 01 00 ff|v=DKIM1\; p="; fast_pattern; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031265; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo)"; flow:established,to_server; content:"POST "; depth:5; content:"/scripts/setup.php"; http_uri; nocase; content:"|0D 0A 0D 0A|token="; content:"host"; content:"phpinfo|25|28|25|29|25|3b"; nocase; within:64; reference:cve,CVE-2009-1151; reference:url,www.securityfocus.com/bid/34236; reference:url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/; reference:url,doc.emergingthreats.net/2009709; classtype:web-application-attack; sid:2009709; rev:6; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle Original POST]"; flow:established,to_server; content:"ses-"; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.accept_lang; content:"en-US"; bsize:5; http.accept_enc; content:"gzip, deflate"; bsize:13; http.request_line; pcre:"/^POST\s(?:\/v4\/links\/check-activity\/check|\/v1\/stats|\/gql|\/api2\/json\/check\/ticket|\/1.5\/95648064\/storage\/history|\/1.5\/95648064\/storage\/tabs|\/u\/0\/_\/og\/botguard\/get|\/ev\/prd001001|\/ev\/ext001001|\/gp\/aw\/ybh\/handlers|\/v3\/links\/ping-beat\/check)/"; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031284; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cid="; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-2737; reference:url,www.frsirt.com/english/advisories/2007/1830; reference:url,doc.emergingthreats.net/2003838; classtype:web-application-attack; sid:2003838; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS [Fireeye] Backdoor.HTTP.BEACON.[CSBundle MSOffice POST]"; flow:established,to_server; content:"{|22|locale|22 3a 22|en|22|,|22|channel|22 3a 22|prod|22|,|22|addon|22 3a 22|"; fast_pattern; content:"cli"; content:"l-"; http.request_line; content:"POST /v1/push"; depth:13; http.accept; content:"*/*"; depth:3; http.accept_enc; content:"gzip, deflate, br"; depth:17; http.accept_lang; content:"en-US"; bsize:5; reference:url,github.com/fireeye/red_team_tool_countermeasures; classtype:trojan-activity; sid:2031285; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag c2, updated_at 2020_12_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES"; flow:established,to_server; content:"/inc/articles.inc.php?"; http_uri; nocase; content:"GLOBALS[CHEMINMODULES]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2594; reference:url,www.milw0rm.com/exploits/3879; reference:url,doc.emergingthreats.net/2003703; classtype:web-application-attack; sid:2003703; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Qbot CnC Activity M2"; flow:established,to_server; http.request_line; content:"POST|20|/t4|20|HTTP/1.1"; bsize:17; fast_pattern; http.accept; content:"application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*"; bsize:70; http.request_body; pcre:"/^[A-Za-z0-9]{3,20}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/si"; http.header_names; content:!"Referer"; reference:md5,3ceb36fc3607df3d67d9eb0f1d00fea0; classtype:command-and-control; sid:2035525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Qbot, performance_impact Low, signature_severity Major, updated_at 2020_12_09;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore"; flow:established,to_server; content:"/user/turbulence.php?"; http_uri; nocase; content:"GLOBALS[tcore]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2504; reference:url,www.securityfocus.com/bid/23580; reference:url,doc.emergingthreats.net/2003683; classtype:web-application-attack; sid:2003683; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT28/Sofacy Zebrocy CnC DNS Lookup (support-cloud .life)"; dns_query; content:"support-cloud.life"; nocase; bsize:18; reference:url,www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/; classtype:domain-c2; sid:2031315; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod"; flow:established,to_server; content:"/mod/image/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003672; classtype:web-application-attack; sid:2003672; rev:9; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Google Account Phish Dec 04 2012"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"continue="; content:"followup="; content:"checkedDomains="; http.host; content:!".microsoft.com"; isdataat:!1,relative; classtype:credential-theft; sid:2015980; rev:6; metadata:attack_target Client_Endpoint, created_at 2012_12_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod"; flow:established,to_server; content:"/mod/liens/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003673; classtype:web-application-attack; sid:2003673; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Docusign Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Docusign</title>"; nocase; classtype:social-engineering; sid:2024387; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod"; flow:established,to_server; content:"/mod/liste/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003674; classtype:web-application-attack; sid:2003674; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi/?SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031314; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod"; flow:established,to_server; content:"/mod/special/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003675; classtype:web-application-attack; sid:2003675; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cgi?SoID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031313; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod"; flow:established,to_server; content:"/mod/texte/index.php?"; http_uri; nocase; content:"config[pathMod]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2540; reference:url,www.milw0rm.com/exploits/3852; reference:url,doc.emergingthreats.net/2003676; classtype:web-application-attack; sid:2003676; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; http.request_line; content:"|2e 20|HTTP/1."; fast_pattern; http.uri; pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/"; classtype:exploit-kit; sid:2019176; rev:5; metadata:created_at 2014_09_16, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path"; flow:established,to_server; content:"/psg.smarty.lib.php?"; http_uri; nocase; content:"cfg[sys][base_path]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2458; reference:url,www.frsirt.com/english/advisories/2007/1390; reference:url,doc.emergingthreats.net/2003691; classtype:web-application-attack; sid:2003691; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Valak <v9 - Stage 2 - Request"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>60; content:"_aWQ9"; fast_pattern; content:".html"; endswith; pcre:"/_aWQ9[a-zA-Z0-9\/]{43,46}(?:JmdpZD|Z2lkP|ZnaWQ9)/"; http.header_names; content:!"Referer"; reference:md5,c254b4f261a6f426c282ed8858a7bee0; reference:url,medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7; classtype:command-and-control; sid:2029193; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_22, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path"; flow:established,to_server; content:"/resources/includes/class.Smarty.php?"; http_uri; nocase; content:"cfg[sys][base_path]="; http_uri; nocase; pcre:"/=\s*(https?|ftps?|php)\:\//Ui"; reference:cve,CVE-2007-2457; reference:url,www.milw0rm.com/exploits/3733; reference:url,doc.emergingthreats.net/2003702; classtype:web-application-attack; sid:2003702; rev:8; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Trojan.APT.9002 POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-f0-9]+$/"; http.user_agent; content:"lynx"; depth:4; isdataat:!1,relative; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:targeted-activity; sid:2017702; rev:4; metadata:created_at 2013_11_11, former_category MALWARE, updated_at 2022_04_18;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/tmsp/subscription.php?"; http_uri; nocase; content:"GLOBALS[mosConfig_absolute_path]="; http_uri; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,32194; reference:url,milw0rm.com/exploits/7040; reference:url,doc.emergingthreats.net/2009061; classtype:web-application-attack; sid:2009061; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[A-F0-9]{24}$/"; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; depth:13; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017714; rev:8; metadata:created_at 2013_11_14, former_category MALWARE, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/plugin/themes/default/init.php?"; http_uri; nocase; content:"apps_path[themes]="; http_uri; nocase; pcre:"/apps_path\[themes\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009086; classtype:web-application-attack; sid:2009086; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PHPs Labyrinth Backdoor Stage1 CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?host="; fast_pattern; content:"&password="; distance:0; pcre:"/\.php\?host=[^&]+&password=[a-f0-9]{32}$/"; reference:url,blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html; classtype:command-and-control; sid:2029499; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_02_19, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion"; flow:established,to_server; content:"GET "; depth:4; content:"/lib/function.php?"; http_uri; nocase; content:"apps_path[libs]="; http_uri; nocase; pcre:"/apps_path\[libs\]=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009088; classtype:web-application-attack; sid:2009088; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kuluoz.B Request"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-f0-9]+$/i"; http.header; content:"Windows NT 9.0|3b|"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:6; metadata:created_at 2012_12_05, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; uricontent:"/default.asp?"; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-2803; reference:url,www.secunia.com/advisories/25348; reference:url,doc.emergingthreats.net/2003998; classtype:web-application-attack; sid:2003998; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Asprox CnC Beacon"; flow:established,to_server; http.host; pcre:"/\x3a\d{1,5}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern; http.uri; pcre:"/^\x2F[a-f0-9]{40,60}$/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:command-and-control; sid:2016528; rev:8; metadata:attack_target Client_Endpoint, created_at 2013_03_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include"; flow:established,to_server; content:"/includes/includes.php"; http_uri; content:"site_path"; http_uri; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; reference:bugtraq,22361; reference:url,doc.emergingthreats.net/2003371; classtype:web-application-attack; sid:2003371; rev:8; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Java Installer Landing Page Oct 21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; content:"&sid="; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/"; pcre:"/&name=[a-z0-9\x20]+$/i"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:4; metadata:created_at 2015_10_21, former_category CURRENT_EVENTS, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; content:"main.php?action=download"; http_uri; nocase; content:"&id="; http_uri; nocase; pcre:"/(\.\.\/){1}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/Oceanlotus Maldoc CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png?"; content:"=e010000127"; distance:0; fast_pattern; content:".exe|3b|"; nocase; pcre:"/^[^\r\n]+\.exe(?:\x3b)?$/Ri"; reference:md5,e2511f009b1ef8843e527f765fd875a7; reference:md5,cc2027319a878ee18550e35d9b522706; reference:url,twitter.com/HONKONE_K/status/1290511333343993856; classtype:command-and-control; sid:2030652; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT32, malware_family OceanLotus, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; content:"/passwiki.php?site_id="; http_uri; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MontysThree HTTPTransport Module Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?id="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|image|22 3b 20|filename=|22|image.jpg|22|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1f0461dba1aefdd124f8333afe7f5982; reference:url,twitter.com/Int2e_/status/1314479575523446784; classtype:trojan-activity; sid:2030994; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_10_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution"; flow:established,to_server; content:"POST "; depth:5; content:".php/"; http_uri; pcre:"/\/[a-z_]+\.php\/[a-z_]+\.php/U"; reference:url,seclists.org/fulldisclosure/2009/Nov/169; reference:url,seclists.org/fulldisclosure/2009/Nov/170; reference:url,doc.emergingthreats.net/2010341; classtype:web-application-attack; sid:2010341; rev:5; metadata:created_at 2010_07_30, updated_at 2019_08_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; http.user_agent; content:"AskPBar"; fast_pattern; reference:url,doc.emergingthreats.net/2006381; classtype:pup-activity; sid:2006381; rev:14; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_12_10;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x0d\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon 4"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"."; pcre:"/\.(?:gif|bmp|jpeg|png)$/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1)|0d 0a|Host|3a 20|"; depth:70; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|"; distance:0; pcre:"/\r\nHost\x3a[^\r\n]+\r\n(?:Content-Length\x3a\x20\d+\r\n)?Connection\x3a\x20Keep-Alive\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,f870c0d62691fc39194922e4a59fdc1c; classtype:command-and-control; sid:2021829; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_09_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"952E3F80-0C34-48CD-829B-A45913B29670"; nocase; distance:0; content:"isRegistered"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*952E3F80-0C34-48CD-829B-A45913B29670/si"; reference:url,www.exploit-db.com/exploits/11059; reference:url,secunia.com/advisories/38081/; reference:url,doc.emergingthreats.net/2010976; classtype:attempted-user; sid:2010976; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, signature_severity Major, tag ActiveX, updated_at 2019_09_27;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M6"; flow:from_server,established; flowbits:isset,et.IE7.NoRef.NoCookie; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023679; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_23, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JoomSocial AvatarUpload RCE"; flow:established,to_server; content:"func="; nocase; content:"photo"; nocase; distance:0; content:"ajaxUploadAvatar"; nocase; fast_pattern; content:"CStringHelper"; nocase; content:"escape"; nocase; distance:0; reference:url,blog.sucuri.net/2014/02/joomla-jomsocial-remote-code-execution-vulnerability.html; classtype:web-application-attack; sid:2018107; rev:9; metadata:created_at 2014_02_11, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/WSF Downloader Dec 08 2016 M7"; flow:from_server,established; flowbits:isset,min.gethttp; http.header; pcre:"/Content-Disposition\x3a[^\r\n]+=[\x22\x27]?[a-z]?\d{1,3}(?:\.dat)?[\x22\x27]?\r\n/mi"; file.data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2023711; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_01_09, deployment Perimeter, malware_family Trojan_Kwampirs, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB"; flow:established,from_server; file_data; content:"<script"; content:"=i?php.war/moc.nibetsap"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022014; rev:3; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 3"; flow:to_server,established; content:"/rico.php"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/multiplatform-boleto-fraud-hits-users-in-brazil/; classtype:command-and-control; sid:2020656; rev:5; metadata:created_at 2015_03_09, former_category MALWARE, updated_at 2020_12_11;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Reversed Pastebin Injection in Magento DB 2"; flow:established,from_server; file_data; content:"<script"; content:"ptth|22|=crs tpircs"; fast_pattern; content:".reverse("; reference:url,labs.sucuri.net/?note=2015-11-02; classtype:web-application-attack; sid:2022015; rev:4; metadata:created_at 2015_11_02, updated_at 2019_10_08;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; http.user_agent; content:"JDatabaseDriverMysqli"; fast_pattern; http.header; pcre:"/^User-Agent\x3a[^\r\n]*JDatabaseDriverMysqli/Hmi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:4; metadata:created_at 2015_12_14, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt"; flow: to_server,established; http.uri; content:"/modules.php?"; content:"name="; distance:0; content:"UNION"; distance:0; nocase; content:"SELECT"; nocase; reference:url,www.waraxe.us/?modname=sa&id=030; reference:url,www.waraxe.us/?modname=sa&id=036; reference:url,doc.emergingthreats.net/2001202; classtype:web-application-attack; sid:2001202; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_02_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 2"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|Pragma|3a 20|no-cache|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; depth:104; fast_pattern; content:"Connection|3a 20|Keep-Alive|0d 0a|Content-Length|3a 20|"; distance:0; pcre:"/User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a)[^\r\n]+\r\nConnection\x3a\x20Keep-Alive\r\nContent-Length\x3a\x20\d+\r\nHost\x3a[^\r\n]+\r\n(?:\r\n)?$/m"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,789ee114125a6e1db363b505a643c03d; classtype:command-and-control; sid:2021631; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>600; content:"/ecp/"; startswith; content:"__VIEWSTATEGENERATOR="; distance:0; content:"__VIEWSTATE="; distance:0; reference:url,www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keyscve; reference:cve,2020-0688; reference:url,www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/; classtype:attempted-admin; sid:2029540; rev:2; metadata:affected_product Web_Server_Applications, attack_target SMTP_Server, created_at 2020_02_26, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_03_02;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET DOS CallStranger - Attempted UPnP Reflected Amplified TCP with Multiple Callbacks (CVE-2020-12695)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"CALLBACK|3a 20|"; fast_pattern; nocase; content:"<http"; distance:0; content:"><http"; distance:0; pcre:"/^Callback\x3a\x20<http[^>]+><http/mi"; reference:url,github.com/yunuscadirci/CallStranger; reference:cve,2020-12695; classtype:attempted-dos; sid:2030339; rev:2; metadata:affected_product UPnP, attack_target IoT, created_at 2020_06_15, deployment Perimeter, former_category DOS, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id SELECT"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006547; classtype:web-application-attack; sid:2006547; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Locky CnC checkin Nov 21"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[^\x2e\x3f\x3d\x26]+\.[^\x2e\x2f\x3f\x3d\x26]+$/"; http.header; content:"x-requested-with|3a 20|XMLHttpRequest|0d 0a|"; content:"www-form-urlencoded|0d 0a|"; http.referer; pcre:"/^http\x3a\x2f\x2f[^\x2f]+\x2f$/"; http.request_body; pcre:"/^(?:[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+&)+(?=[a-z]{0,9}[A-Z])(?=[A-Z]{0,9}[a-z])[A-Za-z]{1,10}=(?=[A-Za-z0-9_+\x2d\x2e%]*%[A-F0-9]{2}%[A-F0-9]{2}%[A-F0-9]{2})[A-Za-z0-9_+\x2d\x2e%]+\s*$/"; classtype:command-and-control; sid:2023551; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_21, deployment Perimeter, former_category MALWARE, malware_family Locky, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006548; classtype:web-application-attack; sid:2006548; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic .EDU Phish Aug 17 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; flowbits:isnotset,ET.realEDUrequest; http.stat_code; content:"302"; http.location; content:".edu"; nocase; fast_pattern; pcre:"/https?:\/\/[^/]+\.edu/i"; classtype:credential-theft; sid:2029662; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id INSERT"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006549; classtype:web-application-attack; sid:2006549; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Personalized Phish 2019-02-13"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?rand=13InboxLightaspxn."; fast_pattern; content:"&email="; distance:0; content:"@"; distance:0; classtype:credential-theft; sid:2029669; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_02_13, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id DELETE"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006550; classtype:web-application-attack; sid:2006550; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic 302 Redirect to Phishing Landing"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?client_id="; fast_pattern; content:"&response_mode="; distance:0; content:"&response_type="; distance:0; pcre:"/^[a-z0-9]{24,28}\.php\?client_id=/i"; classtype:social-engineering; sid:2031578; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_15, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ASCII"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006551; classtype:web-application-attack; sid:2006551; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful IRS Phish 2016-01-23"; flow:to_client,established; flowbits:isset,ET.irs.phish; http.stat_code; content:"302"; http.location; content:"http"; depth:4; content:"irs.gov"; distance:0; nocase; fast_pattern; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032672; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_01_23, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE"; flow:established,to_server; http.uri; content:"/ViewCat.php?"; nocase; content:"s_user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3354; reference:url,www.securityfocus.com/bid/24584; reference:url,doc.emergingthreats.net/2006552; classtype:web-application-attack; sid:2006552; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Redirect - Possible Phishing May 25 2016"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?email="; fast_pattern; content:!"unsubscribe"; content:!"lastpass.com"; classtype:social-engineering; sid:2031567; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004158; classtype:web-application-attack; sid:2004158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO McAfee AV Download (set)"; flow:established,to_server; flowbits:set,ET.Mcafee.Site.Download; flowbits:noalert; http.method; content:"GET"; http.user_agent; content:"McAfee ePO"; fast_pattern; http.host; content:"update.nai.com"; classtype:not-suspicious; sid:2031317; rev:1; metadata:created_at 2020_12_11, former_category INFO, performance_impact Low, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004159; classtype:web-application-attack; sid:2004159; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE Emotet CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.header; pcre:"/^Host\x3a\x20[^\r\n]+\r\n(?:Cache-Control|Pragma)\x3a\x20no-cache\r\n(?:\r\n)?$/"; http.start; content:".php|20|HTTP/1.1|0d 0a|Host|3a|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; http.host; content:!".360.cn"; reference:md5,518d189f8922280c81ab123604076dfd; classtype:command-and-control; sid:2035075; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004160; classtype:web-application-attack; sid:2004160; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; content:"|0d 0a|PK"; distance:0; content:"Passwords.txt"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2029846; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004161; classtype:web-application-attack; sid:2004161; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 401TRG Liferay RCE (CVE-2020-7961)"; flow:established,to_server; http.uri; content:"/api/jsonws/expandocolumn/update-column"; nocase; http.request_body; content:"userOverridesAsString=HexAsciiSerializedMap"; nocase; fast_pattern; reference:cve,2020-7961; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; classtype:attempted-admin; sid:2031318; rev:1; metadata:created_at 2020_12_11, cve CVE_2020_7961, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004162; classtype:web-application-attack; sid:2004162; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli) M2"; flow:established,to_server; http.header; content:"JDatabaseDriverMysqli"; fast_pattern; content:"JSimplepieFactory"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2031319; rev:1; metadata:created_at 2020_12_11, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UPDATE"; nocase; content:"SET"; distance:0; nocase; reference:cve,CVE-2007-1566; reference:url,www.exploit-db.com/exploits/3520/; reference:url,doc.emergingthreats.net/2004163; classtype:web-application-attack; sid:2004163; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT LuckyMouse Polpo Malware CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getPolicy?a="; fast_pattern; startswith; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031320; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Low, signature_severity Major, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004936; classtype:web-application-attack; sid:2004936; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Generic 302 Redirect to Google"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"https://google.com"; fast_pattern; startswith; classtype:misc-activity; sid:2030594; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, signature_severity Informational, updated_at 2020_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004937; classtype:web-application-attack; sid:2004937; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Poloniex Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://poloniex.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024617; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004938; classtype:web-application-attack; sid:2004938; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Exmo Cryptocurrency Exchange Phish Aug 28 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://exmo.com"; fast_pattern; startswith; classtype:credential-theft; sid:2024618; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004939; classtype:web-application-attack; sid:2004939; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://paxful.com"; startswith; classtype:credential-theft; sid:2024621; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004940; classtype:web-application-attack; sid:2004940; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful LocalBitcoins Cryptocurrency Exchange Phish Aug 30 2017"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://localbitcoins.com"; startswith; classtype:credential-theft; sid:2024640; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_08_31, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004941; classtype:web-application-attack; sid:2004941; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paxful Cryptocurrency Wallet Phish 2020-08-17"; flow:to_client,established; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://www.paxful.com"; startswith; classtype:credential-theft; sid:2030695; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_08_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004942; classtype:web-application-attack; sid:2004942; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M1"; flow:established,to_server; http.uri; content:"/swip/Events"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004943; classtype:web-application-attack; sid:2004943; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M2"; flow:established,to_server; http.uri; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004945; classtype:web-application-attack; sid:2004945; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M3"; flow:established,to_server; http.uri; content:"swip/Upload.ashx"; endswith; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031339; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004946; classtype:web-application-attack; sid:2004946; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST M4"; flow:established,to_server; http.uri; content:"/swip/upd/"; within:75; http.host; content:!".solarwinds.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031340; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004947; classtype:web-application-attack; sid:2004947; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to digitalcollege .org"; flow:established,to_server; http.host; dotprefix; content:".digitalcollege.org"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031347; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentmail="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004948; classtype:web-application-attack; sid:2004948; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to freescanonline .com"; flow:established,to_server; http.host; dotprefix; content:".freescanonline.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031348; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004949; classtype:web-application-attack; sid:2004949; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to deftsecurity .com"; flow:established,to_server; http.host; dotprefix; content:".deftsecurity.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031349; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004950; classtype:web-application-attack; sid:2004950; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to thedoccloud .com"; flow:established,to_server; http.host; dotprefix; content:".thedoccloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031350; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004951; classtype:web-application-attack; sid:2004951; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to virtualdataserver .com"; flow:established,to_server; http.host; dotprefix; content:".virtualdataserver.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031351; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004952; classtype:web-application-attack; sid:2004952; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M2"; flow:established,from_server; http.response_line; content:"HTTP/1."; depth:7; http.header; content:"Server: nginx/1.14.0 (Ubuntu)"; content:"Connection|3a 20|close"; distance:0; content:"Cache-Control|3a 20|max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options|3a 20|nosniff"; distance:0; content:"X-AspNetMvc-Version|3a 20|3.0"; fast_pattern; distance:0; content:"X-AspNet-Version|3a 20|4.0.30319"; distance:0; content:"X-Powered-By|3a 20|ASP.NET"; distance:0; content:"Content-Length|3a 20|"; content:"|0d 0a|"; distance:6; within:4; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004953; classtype:web-application-attack; sid:2004953; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M3"; flow:established,from_server; file.data; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"commentwebsite="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004954; classtype:web-application-attack; sid:2004954; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M4"; flow:established,from_server; file.data; content:"<p>Companies-Best-Man-Vendors-Best</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004955; classtype:web-application-attack; sid:2004955; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M5"; flow:established,from_server; file.data; content:"<meta name=|22|msvalidate.01|22| content=|22|ECEE9516DDABFC7CCBBF1EACC04CAC20|22|>"; content:"<meta name=|22|google-site-verification|22| content=|22|CD5EF1FCB54FE29C838ABCBBE0FA57AE|22|>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UNION SELECT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004956; classtype:web-application-attack; sid:2004956; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M6"; flow:from_server,established; file.data; content:"<p>Million-Support-Years-Week-Agents</p>"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031322; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment INSERT"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004957; classtype:web-application-attack; sid:2004957; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|"; content:"|22 3b|filename=|22|"; content:"|22 0a|Content-Type|3a|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031323; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment DELETE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004958; classtype:web-application-attack; sid:2004958; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .com)"; dns_query; content:"tocaoonline.com"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031372; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment ASCII"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004959; classtype:web-application-attack; sid:2004959; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (qh2020 .org)"; dns_query; content:"qh2020.org"; nocase; bsize:10; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031373; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE"; flow:established,to_server; http.uri; content:"/pages/addcomment2.php?"; nocase; content:"comment="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6993; reference:url,www.secunia.com/advisories/19703; reference:url,doc.emergingthreats.net/2004960; classtype:web-application-attack; sid:2004960; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tinmoivietnam .com)"; dns_query; content:"tinmoivietnam.com"; nocase; bsize:17; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031374; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/forum.php?"; nocase; content:"GLOBALS[UTE][__tplCollection][a][file]="; nocase; reference:url,www.exploit-db.com/exploits/8841/; reference:url,secunia.com/advisories/35299/; reference:url,doc.emergingthreats.net/2009905; classtype:web-application-attack; sid:2009905; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (tocaoonline .org)"; dns_query; content:"tocaoonline.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031375; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/container.php?"; nocase; content:"theme_directory="; nocase; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009377; classtype:web-application-attack; sid:2009377; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (facebookdeck .com)"; dns_query; content:"facebookdeck.com"; nocase; bsize:16; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031376; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/news_show.php?"; nocase; content:"newsoffice_directory="; nocase; reference:url,secunia.com/advisories/29797; reference:bugtraq,28748; reference:url,www.exploit-db.com/exploits/5429/; reference:url,doc.emergingthreats.net/2009431; classtype:web-application-attack; sid:2009431; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (nhansudaihoi13 .org)"; dns_query; content:"nhansudaihoi13.org"; nocase; bsize:18; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031377; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt dsp_page.cfm pageid SELECT"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012420; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus Associated Domain in DNS Lookup (thundernews .org)"; dns_query; content:"thundernews.org"; nocase; bsize:15; reference:url,about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/; classtype:domain-c2; sid:2031378; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UNION SELECT"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012421; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to thedoccloud .com"; dns.query; content:"thedoccloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031325; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid INSERT"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012422; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to deftsecurity .com"; dns.query; content:"deftsecurity.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid DELETE"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to freescanonline .com"; dns.query; content:"freescanonline.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid ASCII"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to websitetheme .com"; dns.query; content:"websitetheme.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031328; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE"; flow:established,to_server; http.uri; content:"/dsp_page.cfm?"; nocase; content:"pageid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16225/; reference:url,securelist.com/en/advisories/43460; reference:url,secunia.com/advisories/43460; classtype:web-application-attack; sid:2012425; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to highdatabase .com"; dns.query; content:"highdatabase.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031329; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/xcloner-backup-and-restore/cloner.cron.php?"; nocase; content:"config="; nocase; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012426; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to incomeupdate .com"; dns.query; content:"incomeupdate.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031330; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/administrator/components/com_xcloner-backupandrestore/cloner.cron.php?"; nocase; content:"config="; nocase; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to databasegalore .com"; dns.query; content:"databasegalore.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031331; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012431; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to panhardware .com"; dns.query; content:"panhardware.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031332; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012432; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to zupertech .com"; dns.query; content:"zupertech.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012433; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to virtualdataserver .com"; dns.query; content:"virtualdataserver.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012434; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to digitalcollege .org"; dns.query; content:"digitalcollege.org"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012435; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Grabber CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/datarecord/"; endswith; http.request_body; content:"username="; startswith; content:"&content=IP%3a+"; distance:0; fast_pattern; content:"%0a"; endswith; reference:md5,635b08c141465abf86eaec88391b5ee6; classtype:command-and-control; sid:2030599; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/forum-server/feed.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16235/; classtype:web-application-attack; sid:2012436; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (thedoccloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".thedoccloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031362; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012468; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (incomeudpate .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".incomeupdate.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031363; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UNION SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012469; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (panhardware .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".panhardware.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031364; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu DELETE"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012471; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (freescanonline .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".freescanonline.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031365; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu ASCII"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012472; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (databasegalore .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".databasegalore.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031366; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012473; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (highdatabase .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".highdatabase.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031367; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012478; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (websitetheme .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".websitetheme.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012480; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (zupertech .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".zupertech.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012481; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Observed Backdoor.SUNBURST CnC Domain (deftsecurity .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".deftsecurity.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012482; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dotm)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dotm; http.method; content:"GET"; http.uri; content:".dotm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; classtype:bad-unknown; sid:2031379; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf SELECT"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012485; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|Googlebot/2.1|3b 20|+http|3a 2f 2f|www.google|2e|com/bot.html)"; bsize:72; http.request_body; content:"="; depth:25; content:"&"; distance:0; content:"="; distance:0; within:25; content:"=V2luZG93cy"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/pymicropsia/; classtype:trojan-activity; sid:2031371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UNION SELECT"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012486; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Windows Explorer Tab Add-on Post Install Checkin"; flow:established,to_server; http.request_line; content:"POST /api HTTP/1.1"; bsize:18; http.request_body; content:"f=100&p=ew0KICAgIk0iOi"; startswith; fast_pattern; reference:md5,47d9aee3497bed660b640194dbab5879; classtype:pup-activity; sid:2031386; rev:2; metadata:created_at 2020_12_15, former_category ADWARE_PUP, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf INSERT"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012487; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to solartrackingsystem .net"; dns.query; dotprefix; content:".solartrackingsystem.net"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031387; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf DELETE"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012488; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to webcodez .com"; dns.query; dotprefix; content:".webcodez.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031388; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012490; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to lcomputers .com"; dns.query; dotprefix; content:".lcomputers.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031389; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu INSERT"; flow:established,to_server; http.uri; content:"/public/code/cp_menu_data_file.php?"; nocase; content:"menu="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011020009; classtype:web-application-attack; sid:2012470; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to seobundlekit .com"; dns.query; dotprefix; content:".seobundlekit.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031390; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; content:"gall_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012479; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to kubecloud .com"; dns.query; dotprefix; content:".kubecloud.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031391; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf ASCII"; flow:established,to_server; http.uri; content:"/products.php?"; nocase; content:"ctf="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16954/; classtype:web-application-attack; sid:2012489; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Dark Halo/SUNBURST Related DNS Lookup to globalnetworkissues .com"; dns.query; dotprefix; content:".globalnetworkissues.com"; nocase; endswith; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031392; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id SELECT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012498; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (solartrackingsystem .net in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031393; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012499; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_14, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (webcodez .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031394; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012500; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (lcomputers .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031395; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012501; rev:4; metadata:created_at 2011_03_15, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (seobundlekit .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031396; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; http.uri; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; content:"page_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (kubecloud .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012557; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dark Halo/SUNBURST CnC Domain (globalnetworkissues .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031398; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012556; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (solartrackingsystem .net)"; flow:established,to_client; tls.cert_subject; content:"CN=solartrackingsystem.net"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031380; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012558; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (webcodez .com)"; flow:established,to_client; tls.cert_subject; content:"CN=webcodez.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031381; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012559; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (lcomputers .com)"; flow:established,to_client; tls.cert_subject; content:"CN=lcomputers.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031382; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/imprimir.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt; classtype:web-application-attack; sid:2012560; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (seobundlekit .com)"; flow:established,to_client; tls.cert_subject; content:"CN=seobundlekit.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031383; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012567; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (kubecloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=kubecloud.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031384; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012568; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dark Halo/SUNBURST SSL Cert Inbound (globalnetworkissues .com)"; flow:established,to_client; tls.cert_subject; content:"CN=globalnetworkissues.com"; endswith; fast_pattern; reference:url,www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/; classtype:trojan-activity; sid:2031385; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_15, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012569; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (panhardware .com)"; flow:established,to_client; tls.cert_subject; content:"CN=panhardware.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031355; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012570; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (deftsecurity .com)"; flow:established,to_client; tls.cert_subject; content:"CN=deftsecurity.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031344; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/jquery-mega-menu/skin.php?"; nocase; content:"skin="; nocase; reference:url,exploit-db.com/exploits/16250; classtype:web-application-attack; sid:2012571; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (thedoccloud .com)"; flow:established,to_client; tls.cert_subject; content:"CN=thedoccloud.com"; bsize:18; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031345; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/Cache/Lite/Output.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/16912; classtype:web-application-attack; sid:2012572; rev:4; metadata:created_at 2011_03_25, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (virtualdataserver .com)"; flow:established,to_client; tls.cert_subject; content:"CN=virtualdataserver.com"; bsize:24; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031346; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/header.php?"; nocase; content:"row[titledesc]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012573; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (incomeupdate .com)"; flow:established,to_client; tls.cert_subject; content:"CN=incomeupdate.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031352; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/rp-menu.php?"; nocase; content:"_SESSION[sess_user]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt; classtype:web-application-attack; sid:2012574; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (digitalcollege .org)"; flow:established,to_client; tls.cert_subject; content:"CN=digitalcollege.org"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031342; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012575; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (zupertech .com)"; flow:established,to_client; tls.cert_subject; content:"CN=zupertech.com"; bsize:16; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031353; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012579; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.BEACON SSL Cert Inbound (databasegalore .com)"; flow:established,to_client; tls.cert_subject; content:"CN=databasegalore.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031354; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2020_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; content:"image="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012581; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (freescanonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=freescanonline.com"; bsize:21; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031343; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012577; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (websitetheme .com)"; flow:established,to_client; tls.cert_subject; content:"CN=websitetheme.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031360; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/content/rubric/index.php?"; nocase; content:"rubID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt; classtype:web-application-attack; sid:2012585; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (highdatabase .com)"; flow:established,to_client; tls.cert_subject; content:"CN=highdatabase.com"; bsize:19; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031361; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012595; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] Observed SUNBURST DGA Request"; dns.query; content:".appsync-api."; nocase; content:".avsvmcloud.com"; distance:9; within:15; endswith; nocase; fast_pattern; pcre:"/^[a-z0-9]+\.appsync-api\.(?:eu|us)-(?:ea|we)st-[12]\.avsvmcloud\.com$/"; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031359; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012596; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031449; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012597; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"&"; http.request_body; content:"="; within:15; content:"|00 00 00 00 00 00|"; fast_pattern; isdataat:!1,relative; pcre:"/=[a-z0-9\(_~\-\.\x00]{300,}\x00$/i"; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.connection; content:"close"; depth:5; endswith; http.content_len; byte_test:0,>,300,0,string,dec; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Content-Length|0d 0a|"; depth:36; reference:md5,6f5d2b42f4a74886ac3284fa9a414a87; classtype:command-and-control; sid:2031413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2021_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012598; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Tombol Microsoft Account Phishing Landing 2020-12-16"; flow:established,to_client; file.data; content:"$('#password').keyup("; content:"$('#Tombol1').click("; distance:0; fast_pattern; content:"data: { u : email, p : password_v"; distance:0; classtype:social-engineering; sid:2031414; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012599; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"baldwin-gonzalez.live"; depth:21; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; http.uri; content:"/web/classes/autocomplete.php?"; nocase; content:"field="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012600; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/de/?d="; startswith; fast_pattern; content:"&v="; distance:0; content:"&t="; distance:0; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,d01bcca6255a4f062fc59a014f407532; reference:md5,2d459929135993959cacceb0dd81a813; classtype:command-and-control; sid:2031417; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; content:"image="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012601; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Foudre Checkin M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/en/?2"; startswith; fast_pattern; http.host; pcre:"/^[a-f0-9]{8}\.(?:s(?:pac|it)e|net|top)$/Wm"; http.request_body; content:"f="; startswith; content:"&c="; distance:0; content:"&u="; distance:0; content:"&v="; distance:0; content:"&s="; distance:0; content:"&mi="; distance:0; content:"&t="; distance:0; content:"&txt="; distance:0; content:"&e=EOF"; endswith; reference:url,twitter.com/ShadowChasing1/status/1339190981703266304; reference:md5,2d459929135993959cacceb0dd81a813; reference:md5,d01bcca6255a4f062fc59a014f407532; classtype:command-and-control; sid:2031418; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/basicstats.php?"; nocase; content:"AjaxHandler="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012603; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031415; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012673; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>r57"; nocase; fast_pattern; content:"<title=|22|Private shell|22|"; nocase; distance:0; classtype:web-application-attack; sid:2031416; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa INSERT"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012674; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"jaime-martinez.info"; depth:19; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa DELETE"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012675; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"judystevenson.info"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031401; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa ASCII"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012676; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"robert-keegan.life"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031402; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012677; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"benyallen.club"; depth:14; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031403; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/openBrowser.php?"; nocase; content:"onload="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012678; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"chad-jessie.info"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/we/include/we_modules/shop/edit_shop_editorFrameset.php?"; nocase; content:"onload="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012679; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"escanor.live"; depth:12; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031405; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/we/include/we_modules/messaging/messaging_show_folder_content.php?"; nocase; content:"we_transaction="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012680; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"krasil-anthony.icu"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031406; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/we/include/weTracking/econda/weEcondaImplement.inc.php?"; nocase; content:"shop_artikelid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47047; reference:url,packetstormsecurity.org/files/99790; reference:url,exploit-db.com/exploits/17054/; classtype:web-application-attack; sid:2012681; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"nicoledotson.icu"; depth:16; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031407; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; http.uri; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; content:"pdfa="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"samwinchester.club"; depth:18; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031408; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/ckeditor/filemanager/connectors/php/upload.php?"; nocase; content:"CKEditorFuncNum="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/99698/ClanSphere2010.3CKEditor-xss.txt; classtype:web-application-attack; sid:2012669; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AridViper CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"tatsumifoughtogre.club"; depth:22; endswith; reference:url,unit42.paloaltonetworks.com/pymicropsia; classtype:domain-c2; sid:2031409; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_16, deployment Perimeter, signature_severity Major, updated_at 2020_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/lib/lcUser.php?"; nocase; content:"LIBDIR="; nocase; reference:url,secunia.com/advisories/22484; classtype:web-application-attack; sid:2012668; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (vgca.homeunix .org)"; dns.query; content:"vgca.homeunix.org"; nocase; bsize:17; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031431; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_mediamall"; nocase; content:"category="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/88439/joomlamediamallfactory-bsql.txt; classtype:web-application-attack; sid:2012667; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PhantomNet/Smanager CnC Domain in DNS Lookup (office365.blogdns .com)"; dns.query; content:"office365.blogdns.com"; nocase; bsize:21; reference:url,www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/; classtype:domain-c2; sid:2031432; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/components/com_smartformer/smartformer.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/95477/joomlasmartformer-rfi.txt; classtype:web-application-attack; sid:2012666; rev:4; metadata:created_at 2011_04_11, updated_at 2020_04_19;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031429; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012664; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Con7ext Mini Shell"; nocase; fast_pattern; classtype:web-application-attack; sid:2031430; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012663; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertrex20.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031419; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012662; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"gentexman37.xyz"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012661; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"advertsp74.xyz"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portel patron Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/portel/libreria/php/decide.php?"; nocase; content:"patron="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/80053/portel-sql.txt; classtype:web-application-attack; sid:2012660; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"shopweb95.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031422; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_doqment"; nocase; content:"cid="; nocase; content:"admin.ponygallery.html.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/99278/joomladoqment-rfilfisql.txt; classtype:web-application-attack; sid:2012659; rev:4; metadata:created_at 2011_04_11, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"mexstat128.com"; nocase; depth:14; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt"; flow:established,to_server; http.uri; content:"/templates/recruitment/jobVacancy.php?"; nocase; content:"recruitcode="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,47046; classtype:web-application-attack; sid:2012658; rev:4; metadata:created_at 2011_04_11, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"sdadvert197.com"; nocase; depth:15; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031424; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/jsonp_primitive.php?"; nocase; content:"callback="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012656; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.com"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031425; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"decatos30.xyz"; nocase; depth:13; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031426; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.com"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012653; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed SystemBC CnC Domain in DNS Query"; dns.query; content:"asdasd08.xyz"; nocase; depth:12; endswith; reference:url,news.sophos.com/en-us/2020/12/16/systembc; classtype:trojan-activity; sid:2031428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_17, deployment Perimeter, signature_severity Major, updated_at 2020_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012652; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"&log=passwords|3a 20|"; depth:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/Surveys/modules.php?"; nocase; content:"name=Surveys"; nocase; content:"op="; nocase; content:"pollID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012651; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; http.request_body; content:"************************"; depth:24; content:"************************"; distance:0; content:"************************"; distance:0; content:"username|3a 20|"; distance:0; content:"password|3a 20|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cchatbox.php?"; nocase; content:"do="; nocase; content:"messageid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,46635; classtype:web-application-attack; sid:2012665; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Nitol.K Variant CnC"; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; content:"Windows|20|"; distance:4; within:8; content:"|00|"; within:5; content:"|7c b4 ab b2 a5 7c|"; fast_pattern; reference:md5,56bff68317a0af08f749a1c717125cf3; classtype:command-and-control; sid:2022337; rev:4; metadata:created_at 2016_01_07, former_category MALWARE, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012698; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Randrew.A CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?A="; fast_pattern; pcre:"/^[A-Z0-9\-]{30,42}$/R"; http.header; content:"Accept-Language|3a 20|zh-TW"; http.header_names; content:"Referer|0d 0a|"; content:!"Cache"; reference:md5,344c04216840312cad17b6610b723825; classtype:command-and-control; sid:2025145; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_11, deployment Perimeter, former_category MALWARE, malware_family Randrew_A, performance_impact Low, signature_severity Major, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/action.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012561; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; http.uri; content:".html"; pcre:"/^\/\d+?\/\d+?\.html$/i"; http.header; content:"From|3a| "; depth:6; pcre:"/^\d+?\r\n/Ri"; content:"Via|3a| "; content:!"1|2e|"; within:2; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:command-and-control; sid:2015786; rev:5; metadata:created_at 2012_10_10, former_category MALWARE, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/architecte.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012562; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M5"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__io_r="; fast_pattern; http.cookie; content:"__io_r="; startswith; content:"|3b 20|__io_vl="; distance:0; content:"|3b 20|__io_bl="; distance:0; content:"|3b 20|Session_id="; distance:0; content:"|3b 20|__io_uniq="; distance:0; content:"|3b 20|__io_f="; isdataat:!38,relative; pcre:"/^__io_r=[0-9]{10}_[01]_[0-9]{4,5}_[0-9]{7,8}_[0-9]{1,2}\x3b\x20__io_vl=[0-9]_[0-9]{6}_[0-9]{3}_[0-9]{2}\x3b\x20__io_bl=[0-9]{1,2}:[0-9]:[0-9]{4,5}:[0-9]{2}\x3b\x20Session_id=[0-9A-F]{12}\x3b\x20__io_uniq=[0-9A-F]{8,22}_[0-9A-F]{12,20}\x3b\x20__io_f=[0-9]{2}::[0-9]{10}::[0-9]{9,10}::[0-9]{9,10}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; classtype:command-and-control; sid:2031298; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_12_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2020_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/avis.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012563; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (img565vv6 .holdmydoor .com)"; flow:established,to_server; tls.sni; dotprefix; content:".img565vv6.holdmydoor.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/; classtype:domain-c2; sid:2031439; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/bible.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012564; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (crashparadox .net)"; flow:established,to_server; tls.sni; dotprefix; content:".crashparadox.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031440; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/obj/blocnote.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:url,exploit-db.com/exploits/12366; classtype:web-application-attack; sid:2012565; rev:5; metadata:created_at 2011_03_25, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (f15fwd322 .regularhours .net)"; flow:established,to_server; tls.sni; dotprefix; content:".f15fwd322.regularhours.net"; endswith; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031441; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin vbBux vbplaza.php Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vbplaza.php?"; nocase; content:"do="; nocase; content:"name="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/8784/; classtype:web-application-attack; sid:2012566; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (bananakick .net)"; flow:established,to_server; tls.sni; content:"bananakick.net"; bsize:14; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031442; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod/vm/controller/AccessController.php?"; nocase; content:"global[approot]="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012496; rev:5; metadata:created_at 2011_03_14, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (stilloak .net)"; flow:established,to_server; tls.sni; content:"stilloak.net"; bsize:12; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031443; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod/vm/model/dao.php?"; nocase; content:"global[approot]="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\x3a\//Ri"; reference:bugtraq,45656; reference:url,exploit-db.com/exploits/15896/; reference:url,xforce.iss.net/xforce/xfdb/64442; classtype:web-application-attack; sid:2012497; rev:5; metadata:created_at 2011_03_14, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed NSO Group CnC Domain in TLS SNI (flowersarrows .com)"; flow:established,to_server; tls.sni; content:"flowersarrows.com"; bsize:17; fast_pattern; reference:url,citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit; classtype:domain-c2; sid:2031444; rev:1; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; content:"to_p_dict="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012483; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031437; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/_wk/Xinha/plugins/SpellChecker/spell-check-savedicts.php?"; nocase; content:"to_r_list="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43709; classtype:web-application-attack; sid:2012484; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"function Pilih1("; nocase; fast_pattern; content:"document.getElementById(|22|xmailer"; nocase; distance:0; classtype:web-application-attack; sid:2031438; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_12_21, deployment Perimeter, signature_severity Major, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/rp-menu.php?"; nocase; content:"_SESSION[sess_user]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012474; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http any any -> any any (msg:"ET MALWARE Possible MSIL/Solorigate.G!dha/SUPERNOVA Webshell Access Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/logoimagehandler.ashx"; content:"clazz="; fast_pattern; content:"method="; content:"args="; content:"codes="; http.header_names; content:!"Referer"; reference:url,www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect; reference:url,unit42.paloaltonetworks.com/solarstorm-supernova; classtype:trojan-activity; sid:2031436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_12_21, deployment Perimeter, former_category MALWARE, malware_family Solorigate, signature_severity Major, updated_at 2020_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/header.php?"; nocase; content:"row[titledesc]="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46798; reference:url,exploit-db.com/exploits/16950/; classtype:web-application-attack; sid:2012475; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"https://bitbucket.org"; startswith; content:".exe"; endswith; classtype:bad-unknown; sid:2026515; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_17, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/folder.php?"; nocase; content:"type="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html; reference:url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt; classtype:web-application-attack; sid:2012476; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; http.stat_code; content:"3"; depth:1; http.location; content:"data|3a|"; fast_pattern; depth:5; classtype:misc-activity; sid:2015674; rev:6; metadata:created_at 2012_09_05, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/zotpress/zotpress.image.php?"; nocase; content:"citation="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/98746/WordPressZotpress2.6-xss.txt; classtype:web-application-attack; sid:2012437; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:".php?cmd=_update-information&account_bank="; nocase; fast_pattern; content:"&dispatch="; distance:32; within:10; nocase; http.content_len; byte_test:0,=,0,0,string,dec; classtype:social-engineering; sid:2024016; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, tag Phishing, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; content:"task=dologin"; nocase; content:"option="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012428; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fedex/DHL Phish 2018-10-22"; flow:established,from_server; flowbits:isset,ET.Fedex_DHL_Phish; http.stat_code; content:"302"; http.location; content:"tracking2.php"; startswith; classtype:credential-theft; sid:2029667; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/xcloner-backup-and-restore/index2.php?"; nocase; content:"mosmsg="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012429; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Bank of America Phish 2016-10-14"; flow:from_server,established; flowbits:isset,ET.bofaphish; http.stat_code; content:"302"; http.location; content:".php?template="; fast_pattern; content:"&valid="; content:"&session="; pcre:"/\.php\?template=[^\r\n]+&valid=[^\r\n]+&session=[a-f0-9]{32,}$/i"; http.content_type; content:"text/html"; depth:9; classtype:credential-theft; sid:2032710; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/administrator/components/com_xcloner-backupandrestore/index2.php?"; nocase; content:"mosmsg="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46582; reference:url,exploit-db.com/exploits/16246/; classtype:web-application-attack; sid:2012430; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Poweliks Clickfraud CnC M3"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?c="; fast_pattern; pcre:"/\.php\?c=[a-f0-9]{160}$/"; http.referer; content:".php?q="; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/evolution-of-poweliks.pdf; reference:md5,e13234077f513208238203108df30ff4; classtype:command-and-control; sid:2021228; rev:4; metadata:created_at 2015_06_10, former_category MALWARE, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php jahr Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newsscript.php?"; nocase; content:"m=archive"; nocase; content:"jahr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/7741; classtype:web-application-attack; sid:2010028; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent in Referer Field - Likely Malware"; flow:established,to_server; http.referer; content:"Mozilla/4.0|20|"; startswith; classtype:trojan-activity; sid:2013423; rev:10; metadata:created_at 2011_08_18, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php idneu Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newsscript.php?"; nocase; content:"m=archive"; nocase; content:"idneu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010122; classtype:web-application-attack; sid:2010122; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; http.stat_code; content:"302"; http.content_len; byte_test:0,=,0,0,string,dec; http.header; content:"location|3a 20|"; fast_pattern; content:"|2f 3f|"; distance:32; within:2; content:"|0d 0a|"; distance:32; within:2; http.content_type; content:"text/html"; startswith; classtype:social-engineering; sid:2024008; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewSolved newsscript.php newsid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/newsscript.php?"; nocase; content:"mailto=ok"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35611/; reference:url,www.exploit-db.com/exploits/9042/; reference:url,doc.emergingthreats.net/2010123; classtype:web-application-attack; sid:2010123; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Bedep Connectivity Check (2)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/timezone/0/0"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.host; content:"www.earthtools.org"; bsize:18; http.header_names; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/09/09/index.html; classtype:trojan-activity; sid:2020491; rev:10; metadata:created_at 2015_02_20, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news_show.php?"; nocase; content:"newsoffice_directory="; nocase; pcre:"/^\s*(?:https?|ftps?|php)\:\//Ri"; reference:url,secunia.com/advisories/29797; reference:bugtraq,28748; reference:url,www.exploit-db.com/exploits/5429/; reference:url,doc.emergingthreats.net/2009432; classtype:web-application-attack; sid:2009432; rev:8; metadata:created_at 2010_07_30, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Poweliks GET Request"; flow:established,to_server; urilen:4; http.method; content:"GET"; http.uri; content:"/dll"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; reference:url,malware-traffic-analysis.net/2014/08/01/index3.html; classtype:trojan-activity; sid:2019138; rev:6; metadata:created_at 2014_09_08, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_virtuemart"; content:"page="; content:"substring"; reference:url,exploit-db.com/exploits/17132; classtype:web-application-attack; sid:2012697; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zeprox.B Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".php?a=n|60|e|3e|"; fast_pattern; http.header; content:"Proxy-Connection|3a|"; http.header_names; content:!"Referer|0d 0a|"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,bc27f28e5fe47b78202fd3108d39aac1; reference:md5,38c89cca7806fde08bba82b3cb533e5a; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor%3AWin32/Zeprox.B; classtype:command-and-control; sid:2020203; rev:8; metadata:created_at 2015_01_16, former_category MALWARE, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012699; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"coms.documentmeda.com"; nocase; bsize:21; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031446; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012700; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Smanager CnC Domain in DNS Lookup"; dns.query; content:"freenow.chickenkiller.com"; nocase; bsize:25; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031447; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_22, deployment Perimeter, signature_severity Major, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012701; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (PhantomNet/Smanager CnC)"; flow:established,to_client; tls.cert_subject; content:"C=AU, ST=Hello, L=China, O=Microsoft, OU=dirweb, CN=secfire/emailAddress=iunkown1987@gmail.com"; bsize:94; fast_pattern; reference:url,insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager; classtype:domain-c2; sid:2031448; rev:1; metadata:attack_target Client_and_Server, created_at 2020_12_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2020_12_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/samples/with_db/loaddetails.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,securityreason.com/wlb_show/WLB-2011040052; classtype:web-application-attack; sid:2012702; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT LuckyMouse BlueTraveller CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/home/"; startswith; pcre:"/^[0-9]{4}\/[0-9]{4}\/[^\r\n]+(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; pcre:"/Cache-Control\r\n(?:\r\n|Cookie\r\n\r\n)$/"; reference:url,decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/; classtype:command-and-control; sid:2031316; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_11, deployment Perimeter, former_category MALWARE, malware_family apt27, malware_family luckymouse, performance_impact Moderate, signature_severity Major, updated_at 2020_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/mod_virtuemart_latestprod/mod_virtuemart_latestprod.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100324; classtype:web-application-attack; sid:2012703; rev:4; metadata:created_at 2011_04_21, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M9"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; content:"|3b 20|"; distance:1; within:2; http.request_body; content:!".zip"; content:!".png"; content:!".jp"; content:!".exe"; content:"--|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; http.content_len; byte_test:0,<,9000,0,string,dec; byte_test:0,>,500,0,string,dec; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:96; reference:md5,73f8864c7dfee8445205d0d233f20707; classtype:trojan-activity; sid:2035076; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_04, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, updated_at 2020_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/mod_virtuemart_featureprod/mod_virtuemart_featureprod.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100325; classtype:web-application-attack; sid:2012704; rev:4; metadata:created_at 2011_04_21, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FormBook CnC Checkin (GET)"; flow:established,to_server; content:"Connection|3a 20|close|0d 0a 0d 0a 00 00 00 00 00 00|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[A-Za-z0-9_-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))&[A-Za-z0-9-]{1,15}=(?:[A-Za-z0-9-_]{1,25}|(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))(?:&sql=\d*)?$/R"; http.connection; content:"close"; depth:5; endswith; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; endswith; reference:md5,a6a114f6bc3e86e142256c5a53675d1a; classtype:command-and-control; sid:2031453; rev:9; metadata:attack_target Client_Endpoint, created_at 2017_12_19, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2020_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-publication-archive/includes/openfile.php?"; nocase; content:"file="; nocase; reference:url,secunia.com/advisories/43067; reference:url,securelist.com/en/advisories/43067; classtype:web-application-attack; sid:2012705; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in TLS SNI (mobilnweb .com)"; flow:established,to_server; tls.sni; content:"mobilnweb.com"; bsize:13; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/vtigerservice.php?"; nocase; content:"service="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/100183/vtigerCRM5.2.1-XSS.txt; classtype:web-application-attack; sid:2012706; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed CobaltStrike/TEARDROP CnC Domain Domain in DNS Query"; dns_query; content:"mobilnweb.com"; nocase; depth:13; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline; classtype:domain-c2; sid:2031452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_23, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/classes/file.class.php?"; nocase; content:"filePath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100525/cituscms-rfi.txt; classtype:web-application-attack; sid:2012724; rev:4; metadata:created_at 2011_04_22, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sephardimension .com)"; dns.query; content:"sephardimension.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031454; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo component com_zoom Blind SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoom"; nocase; content:"Itemid="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/80992/mambozoom-sql.txt; classtype:web-application-attack; sid:2012723; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (besaintegration .com)"; dns.query; content:"besaintegration.com"; nocase; bsize:19; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031455; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/plugins/socialgrid/static/js/inline-admin.js.php?"; nocase; content:"default_services="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/44256; reference:url,htbridge.ch/advisory/xss_in_socialgrid_wordpress_plugin.html; classtype:web-application-attack; sid:2012722; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (dmnadmin .com)"; dns.query; content:"dmnadmin.com"; nocase; bsize:12; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031456; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/filemanager/get_file.php?"; nocase; content:"language="; nocase; reference:url,secunia.com/advisories/39517; classtype:web-application-attack; sid:2012721; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (sendbits .m2stor4ge .xyz)"; dns.query; content:"sendbits.m2stor4ge.xyz"; nocase; bsize:22; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031457; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012719; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak CnC Domain in DNS Lookup (myrric-uses .singlejets .com)"; dns.query; content:"myrric-uses.singlejets.com"; nocase; bsize:26; reference:url,blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/; classtype:domain-c2; sid:2031458; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2020_12_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012718; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"securebestapp20.com"; bsize:19; fast_pattern; reference:md5,222792d2e75782516d653d5cccfcf33b; classtype:domain-c2; sid:2032958; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category MALWARE, malware_family DarkSide, signature_severity Major, tag SSL_Malicious_Cert, tag Ransomware, updated_at 2020_12_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; content:"country_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012717; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT PurpleFox EK Domain in DNS Lookup"; dns.query; content:"rawcdn.githack.cyou"; nocase; bsize:19; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:domain-c2; sid:2031461; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012716; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Payload Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/up.php?key="; startswith; bsize:13; fast_pattern; pcre:"/^\d$/R"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031462; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/country_escorts.php?"; nocase; content:"country_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012715; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"/?key="; fast_pattern; pcre:"/^[A-F0-9]{16}$/R"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"/?key="; within:400; pcre:"/^[A-F0-9]{16}\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1343918070989877252; classtype:exploit-kit; sid:2031463; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/PluginController.php?"; nocase; content:"path="; nocase; reference:url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt; classtype:web-application-attack; sid:2012750; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Framework URI Struct Jpg Request"; flow:established,to_server; urilen:>60; http.method; content:"GET"; http.uri; content:".jpg"; endswith; pcre:"/^\/(?!(?:[a-z]{16}|[0-9]{16}))[a-zA-Z0-9]{16}\/[a-zA-Z0-9]{16}\/[a-f0-9]{40}\/[a-zA-Z0-9]+\.jpg$/"; http.host; content:"rawcdn.githack.com"; fast_pattern; classtype:exploit-kit; sid:2031466; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT_KIT, signature_severity Major, tag Exploit_Kit, updated_at 2020_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/extensions/saurus4/captcha_image.php?"; nocase; content:"class_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100461/sauruscms-rfi.txt; classtype:web-application-attack; sid:2012743; rev:4; metadata:created_at 2011_04_29, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /update HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031464; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Publishing Technology id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CollectionContent.asp?"; nocase; content:"id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100822/publishingtechnology-sql.txt; classtype:web-application-attack; sid:2012744; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET COINMINER Win32/Ymacco.AA2F Checking (Multiple OS)"; flow:established,to_server; http.start; content:"GET /banner HTTP"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; reference:url,twitter.com/luc4m/status/1340737667961679881; classtype:coin-mining; sid:2031465; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category COINMINER, performance_impact Low, signature_severity Minor, updated_at 2020_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012745; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE NuggetPhantom Module Download Request"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:".moe"; endswith; fast_pattern; pcre:"/^\/[a-fA-F0-9]{8}\.moe$/"; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf; classtype:command-and-control; sid:2031467; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012746; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Clydesdale Bank Phish 2020-12-30"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uzername="; depth:9; nocase; fast_pattern; content:"&ip="; nocase; distance:0; content:"&ua="; nocase; distance:0; content:"&password="; nocase; distance:0; classtype:credential-theft; sid:2031468; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_12_30, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2020_12_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012747; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.TRM Data Exfil (sysinfo)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"Cookie|3a 20|dkv="; fast_pattern; http.cookie; content:"dkv="; startswith; content:"|3b|YSC="; distance:32; within:5; pcre:"/^dkv=[a-f0-9]{32}\x3bYSC=\d+$/C"; http.header_names; content:!"Referer"; content:!"Content-Type"; http.request_body; content:"DQpIb3N0IE5hbWU6"; startswith; reference:md5,d2b81c4f5d075daa681f823cc9a5e4c0; reference:url,twitter.com/w3ndige/status/1247547923845578755; classtype:command-and-control; sid:2029855; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2020_12_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012748; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in TLS SNI (cs .lg22l .com)"; flow:established,to_server; tls.sni; content:"cs.lg22l.com"; bsize:12; reference:md5,774419bb738a2a4fa18aacee88850d2c; classtype:domain-c2; sid:2031469; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2020_12_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/model-kits.php?"; nocase; content:"akce="; nocase; content:"nazev="; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; classtype:web-application-attack; sid:2012749; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent Simple Bot"; flow:established,to_server; http.user_agent; content:"Simple Bot v"; startswith; fast_pattern; reference:md5,3cf04350400299844abb17a0e1640975; classtype:bad-unknown; sid:2031471; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_12_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012788; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Azula Logger CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=azula+logger&avatar_url="; startswith; fast_pattern; reference:md5,7ad3777dfb916150e21e9414dd24c1da; reference:url,github.com/CythosaSec/Azula-Logger; classtype:command-and-control; sid:2031470; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_12_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012789; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mykessef .com)"; dns.query; content:"mykessef.com"; nocase; bsize:12; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031474; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012790; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (mihannevis .com)"; dns.query; content:"mihannevis.com"; nocase; bsize:14; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012791; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT32/OceanLotus CnC Domain in DNS Lookup (idtpl .org)"; dns.query; content:"idtpl.org"; nocase; bsize:9; reference:url,labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/; classtype:domain-c2; sid:2031476; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interna.php?"; nocase; content:"txtCodiInfo="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97186/klink-sql.txt; classtype:web-application-attack; sid:2012792; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031472; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-Xoopport Samsara Sections module secid Parameter Blind SQL Injection Exploit"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sections/index.php?"; nocase; content:"op="; nocase; content:"secid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15004; classtype:web-application-attack; sid:2012793; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<head/><form method=|22|post|22 20|action="; depth:34; nocase; fast_pattern; content:"<input type=|22|input|22 20|name=|22|f_pp|22 20|value="; distance:0; classtype:web-application-attack; sid:2031473; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_04, deployment Perimeter, signature_severity Major, updated_at 2021_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/mods/ckeditor/filemanager/connectors/php/connector.php?"; nocase; content:"Command="; nocase; content:"Type="; nocase; content:"CurrentFolder="; nocase; reference:bugtraq,47636; classtype:web-application-attack; sid:2012794; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ymacco.AA1C Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?REQ="; fast_pattern; content:"&ID="; distance:0; http.user_agent; content:"|29 20|WindowsPowerShell/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,b100f0ab63a2b74a5d5ff54d533fc60f; classtype:trojan-activity; sid:2031477; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/admin_news_bot.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,securityreason.com/exploitalert/7180; classtype:web-application-attack; sid:2012795; rev:4; metadata:created_at 2011_05_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.uri; content:"?i=7B226964223A22"; nocase; fast_pattern; content:"222C2268776964223A22"; nocase; distance:0; content:"227D"; nocase; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:url,www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf; reference:md5,a9c8b293fdb84ceb9478f8043ff19b71; classtype:trojan-activity; sid:2031481; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family Jupyter, signature_severity Major, updated_at 2021_01_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/jscalendar/test.php?"; nocase; content:"lang="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt; classtype:web-application-attack; sid:2012797; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_09, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious XSL file download (FTP)"; flow:established,to_server; content:"RETR|20|/frog/usoprive.xsl"; fast_pattern; reference:md5,dd0124264f131a203ecfc70314dcec04; reference:url,asec.ahnlab.com/ko/19439/; classtype:trojan-activity; sid:2031482; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upload-controler.php?"; nocase; content:"atm-regen="; nocase; reference:url,securelist.com/en/advisories/43589; classtype:web-application-attack; sid:2012805; rev:4; metadata:created_at 2011_05_14, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ElectroRAT CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|go-resty/"; content:"|20|(https|3a|//github.com/go-resty/resty)|0d 0a|"; distance:0; within:50; http.request_body; content:"{|22|id|22 3a 22|"; depth:7; content:"|22 2c 22|mac_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os_version|22 3a 22|"; nocase; fast_pattern; distance:0; content:"|22 2c 22|user_name|22 3a 22|"; nocase; distance:0; content:"|22 2c 22|os|22 3a 22|"; nocase; distance:0; http.header_names; content:!"Referer"; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031478; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump attempted access"; flow:established,to_server; http.uri; content:"/uploads/"; content:".wordpress.20"; distance:0; content:".xml_.txt"; distance:0; fast_pattern; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:attempted-recon; sid:2012808; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Screenshot)"; flow:established,from_server; content:"{|22|type|22 3a 22|Screenshot|22 2c 22|uid|22 3a|"; offset:2; depth:27; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031479; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs=|27|waitfor"; nocase; content:"delay|27|"; nocase; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0960; classtype:web-application-attack; sid:2012818; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ElectroRAT Command from Server (Get folder content)"; flow:established,from_server; content:"{|22|type|22 3a 22|Get folder content|22 2c 22|uid|22 3a|"; offset:2; depth:35; fast_pattern; reference:md5,3cd1639f28659348e22c2eb8482cd3d6; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets; classtype:trojan-activity; sid:2031480; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_05, deployment Perimeter, former_category MALWARE, malware_family ElectroRAT, signature_severity Major, updated_at 2021_01_05;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager advancedfind.do Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/advancedfind.do?extn="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012819; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat Backdoor Checkin"; flow:established,to_server; http.request_line; content:"GET /users.php?"; startswith; fast_pattern; pcre:"/^(?:resp|onl|pr)=/R"; content:"|3a|windows|20|"; distance:0; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; reference:md5,dae90ae7fe103fc7e1866b4e13389101; classtype:command-and-control; sid:2031486; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager deviceInstanceName Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"deviceCapability=deviceCap"; nocase; content:"/iptm/ddv.do?deviceInstanceName="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012820; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IceRat CnC Acitivty M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/execuser.php?login="; startswith; fast_pattern; content:"&pass="; content:"&user="; http.user_agent; content:"Java/"; startswith; reference:url,malwaretips.com/threads/jphp-icerat-analysis.105233/; reference:md5,5e864667d91e3867a29df90dbcadb6b2; classtype:command-and-control; sid:2031487; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/eventmon?cmd="; nocase; content:"&dojo.preventCache="; nocase; pcre:"/cmd\x3D(?:filterHelper|getDeviceData\x26group\x3D).+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012821; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031483; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon_wrapper.jsp Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?"; nocase; content:"Name="; nocase; pcre:"/\x2Ejsp\x3F(?:clusterName|deviceName)\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012822; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>--> Ermecca Panel <--"; nocase; fast_pattern; classtype:web-application-attack; sid:2031484; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_06, deployment Perimeter, signature_severity Major, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager clusterName Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/iptm/logicalTopo.do?clusterName="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0959; classtype:web-application-attack; sid:2012823; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv2 Used in Session"; flow:to_server,established; ssl_version:sslv2;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031488; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Common Services Framework Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage"; nocase; pcre:"/^.+(alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0962; classtype:web-application-attack; sid:2012824; rev:3; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY SSLv3 Used in Session"; flow:to_server,established; ssl_version:sslv3;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031489; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CiscoWorks Help Servlet Reflective XSS Attempt"; flow:established,to_server; http.uri; content:"/cwhp/device.center.do?device="; nocase; pcre:"/^.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,www.exploit-db.com/exploits/17304/; reference:cve,2011-0961; classtype:web-application-attack; sid:2012825; rev:4; metadata:created_at 2011_05_18, updated_at 2020_04_20;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.1 Used in Session"; flow:to_server,established; tls.version:1.1;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031490; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012829; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY TLSv1.0 Used in Session"; flow:to_server,established; tls.version:1.0;  reference:url,github.com/nsacyber/Mitigating-Obsolete-TLS; classtype:misc-activity; sid:2031491; rev:1; metadata:created_at 2021_01_06, former_category POLICY, updated_at 2021_01_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012830; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Silver Peak Unity Orchestrator Exploitation Inbound (CVE-2020-12146)"; flow:established,to_server; pcre:"/(localhost|127\.0\.0\.1)/W"; http.method; content:"POST"; http.uri; content:"/gms/rest/debugFiles/delete"; startswith; http.request_body; content:"../phantomGenImg.js"; fast_pattern; reference:cve,CVE-2020-12145; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-12146/CVE-2020-12146.rules; reference:cve,CVE-2020-12146; reference:cve,2020-12146; classtype:attempted-admin; sid:2031494; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_12146, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012831; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] 8000 (msg:"ET EXPLOIT SaltStack Salt Exploitation Inbound (CVE-2020-16846)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; startswith; http.request_body; content:"client=ssh"; fast_pattern; content:"ssh_priv="; content:"%20"; distance:0; reference:cve,CVE-2020-16846; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-16846/CVE-2020-16846.rules; reference:cve,2020-16846; classtype:web-application-attack; sid:2031495; rev:1; metadata:attack_target Server, created_at 2021_01_07, cve CVE_2020_16846, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012832; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Instagram Phishing or Scam Landing Page"; flow:established,to_client; file.data; content:"lnstagram"; nocase; fast_pattern; within:1000; content:"</title>"; within:50; nocase; classtype:social-engineering; sid:2031493; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_01_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; nocase; content:"view="; nocase; content:"catid="; nocase; content:"secid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt; classtype:web-application-attack; sid:2012833; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.ULH CnC Activity"; flow:established,to_server; http.start; content:"GET /swidget/d23r523t4id HTTP/1.1|0d 0a|Host|3a 20|whos.amung.us|0d 0a 0d 0a|"; bsize:58; fast_pattern; reference:md5,2679be8b6b76fb765191c9854af39e9f; classtype:command-and-control; sid:2031496; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/core/show.site.php?"; nocase; content:"editprofile"; nocase; content:"mod="; nocase; content:"AND"; nocase; content:"SELECT"; nocase; content:"substring"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/89665/chillycms-sql.txt; reference:url,exploit-db.com/exploits/12643; classtype:web-application-attack; sid:2012834; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17132)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ecp/DLPPolicy/ManagePolicyFromISV.aspx"; startswith; http.request_body; content:"ctl00$ResultPanePlaceHolder$contentContainer$upldCtrl"; content:"[Diagnostics.Process]::start|28|"; distance:0; reference:cve,CVE-2020-17132; reference:url,github.com/sudohyak/suricata-rules/blob/main/CVE-2020-17132/CVE-2020-17132.rules; reference:cve,2020-17132; classtype:attempted-admin; sid:2031506; rev:2; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17132, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/ffileman.cgi?"; nocase; content:"direkt="; nocase; reference:url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt; classtype:web-application-attack; sid:2012835; rev:3; metadata:created_at 2011_05_20, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Amadey Stealer CnC"; flow:established,to_server; http.request_line; content:"POST //"; depth:7; http.uri; content:".php"; endswith; http.request_body; content:"id="; depth:3; content:"&cred="; fast_pattern; distance:0; content:"|7c|"; within:10; pcre:"/^id=\d+&cred=[a-z]+\x7c/"; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,ca467e332368cbae652245faa4978aa4; reference:url,www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/; classtype:command-and-control; sid:2031498; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/components/com_mgm/help.mgm.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:3; metadata:created_at 2011_05_20, updated_at 2020_04_20;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Microsoft Exchange Server Exploitation Inbound (CVE-2020-17141)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; startswith; http.request_body; content:"<m:RouteComplaint|20|"; content:"<m:Data>"; distance:0; base64_decode:bytes 300, offset 0, relative; base64_data; content:"<!DOCTYPE"; content:"SYSTEM"; distance:0; reference:cve,CVE-2020-17141; reference:cve,2020-17141; classtype:web-application-attack; sid:2031507; rev:1; metadata:attack_target Server, created_at 2021_01_08, cve CVE_2020_17141, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; content:"permLink="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012881; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO PHP Xdebug Extension Query Parameter (XDEBUG_SESSION_START)"; flow:established,to_server; http.uri; content:"?XDEBUG_SESSION_START="; classtype:web-application-activity; sid:2031499; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012872; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Spring Boot Actuator Health Check Request"; flow:established,to_server; http.uri; content:"/actuator/health"; endswith; classtype:web-application-activity; sid:2031500; rev:1; metadata:attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012873; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Netlink GPON Login Attempt (GET)"; flow:established,to_server; http.uri; content:"/boaform/admin/formLogin"; fast_pattern; content:"username="; content:"psd="; classtype:attempted-admin; sid:2031501; rev:2; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012874; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ElegyRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=ElegyRAT Server"; fast_pattern; endswith; tls.cert_issuer; content:"CN=ElegyRAT Server"; endswith; reference:md5,a24cae9f6cf137e0e72817a1879f0acf; classtype:domain-c2; sid:2031497; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_08, deployment Perimeter, former_category MALWARE, malware_family ElegyRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012875; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Request to Hidden Environment File"; flow:established,to_server; http.uri; content:"/.env"; endswith; classtype:misc-attack; sid:2031502; rev:1; metadata:created_at 2021_01_08, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin/code/tce_xml_user_results.php?"; nocase; content:"user_id="; nocase; content:"startdate="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201; classtype:web-application-attack; sid:2012876; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Liferay JSON Web Services Invoker"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/invoke"; http.content_type; content:"application/json"; classtype:web-application-activity; sid:2031503; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_handlers/secure_img_handler.php?"; nocase; content:"HANDLERS_DIRECTORY="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012877; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET INFO Apache Solr System Information Request"; flow:established,to_server; http.uri; content:"/solr/admin/info/system"; classtype:web-application-activity; sid:2031504; rev:1; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_handlers/secure_img_handler.php?"; nocase; content:"IMAGES_DIRECTORY="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012878; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET SCAN WordPress Scanner Performing Multiple Requests to Windows Live Writer XML"; flow:established,to_server; http.uri; content:"/wp-includes/wlwmanifest.xml"; threshold: type both, track by_src, count 4, seconds 8; classtype:network-scan; sid:2031505; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2021_01_08, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_01_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_handlers/secure_img_handler.php?"; nocase; content:"imgp="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012879; rev:4; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Attempted Executable Drop via VBScript"; flow:established,to_client; file.data; content:"<SCRIPT Language=VBScript"; nocase; content:"DropFileName"; nocase; within:100; content:".exe"; within:100; nocase; content:"WriteData =|20 22|4D5A"; nocase; within:100; fast_pattern; classtype:trojan-activity; sid:2031508; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_11, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/e107_plugins/trackback/trackbackClass.php?"; nocase; content:"trackback_url="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt; classtype:web-application-attack; sid:2012880; rev:3; metadata:created_at 2011_05_27, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (bald-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"bald-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031509; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/config.cgi"; nocase; content:"type=command&expand="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,48087; classtype:web-application-attack; sid:2012919; rev:3; metadata:created_at 2011_06_02, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (hawkshaw-cae48 .firebaseio .com in DNS Lookup)"; dns_query; content:"hawkshaw-cae48.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031510; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/authenticate/sessions.php?"; nocase; content:"globalIncludeFilePath="; nocase; reference:url,packetstormsecurity.org/files/view/101786/nvisionix-lfi.txt; classtype:web-application-attack; sid:2012945; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (spitfirepanel .firebaseio .com in DNS Lookup)"; dns_query; content:"spitfirepanel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031511; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/inline-gallery/browser/browser.php?"; nocase; content:"do="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,46781; classtype:web-application-attack; sid:2012946; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Hawkshaw.a (phoenix-panel .firebaseio .com in DNS Lookup)"; dns_query; content:"phoenix-panel.firebaseio.com"; isdataat:!1,relative; reference:url,research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/; classtype:domain-c2; sid:2031512; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_01_12, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jmsfileseller"; nocase; content:"view="; nocase; reference:url,exploit-db.com/exploits/17338; classtype:web-application-attack; sid:2012948; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX DNS Lookup"; dns.query; content:"sery.brushupdata.com"; nocase; bsize:20; reference:url,twitter.com/KorbenD_Intel/status/1346193938277949443; reference:md5,a587a2af22c7e18a0260cab5c06d980d; classtype:domain-c2; sid:2031520; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/scr/soustab.php?"; nocase; content:"dsn[phptype]="; nocase; reference:url,hack0wn.com/view.php?xroot=1440.0&cat=exploits; classtype:web-application-attack; sid:2012949; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031513; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om  Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"droit.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012950; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:">EMAIl|3a|"; nocase; content:"SUBJECT|3a 20|<input name=|22|assunto|22|"; nocase; distance:0; content:"type=|22|submit|22 20|name=|22|Enoc|22 20|value=|22|FIRE DOWN|22|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2031514; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/collectivite.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012951; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Kryptos Logic"; flow:to_client,established; file.data; content:"<title>Sinkholed by Kryptos Logic"; fast_pattern; content:"<h1>Sinkholed!</h1><p>This domain has been sinkholed"; distance:0; classtype:misc-activity; sid:2031515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, signature_severity Major, updated_at 2021_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utilisateur.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012952; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (MassLogger)"; flow:established,to_client; tls.cert_subject; content:"CN=bestpccare.best"; bsize:18; fast_pattern; reference:url,twitter.com/jorgemieres/status/1306608136623718401; classtype:domain-c2; sid:2031521; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_13, deployment Perimeter, former_category MALWARE, malware_family MassLogger, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courrier.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012953; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Qihoo360.J Variant Install Report"; flow:established,to_server; http.request_line; content:"POST /v1/client/report"; startswith; fast_pattern; http.request_body; content:"|5b 7b 22|action|22 3a 22|"; startswith; content:"|22 2c 22|device|5f|id|22 3a 22|"; distance:0; reference:md5,93dc18be56153f41fd1e12b686cca9fe; classtype:pup-activity; sid:2031522; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_13, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profil.class.php?"; nocase; content:"path_om="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt; classtype:web-application-attack; sid:2012954; rev:3; metadata:created_at 2011_06_07, updated_at 2020_04_20;)
 
-alert tls any any -> any any (msg:"ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M1"; flow:established,to_server; tls.sni; content:"covid"; nocase; content:!".jhu.edu"; isdataat:!1,relative; content:!".ncsc.gov.ie"; isdataat:!1,relative; content:!".nhs.wales"; isdataat:!1,relative; content:!".govt.nz"; isdataat:!1,relative; content:!".nhp.gov.in"; isdataat:!1,relative; content:!".oracle.com"; isdataat:!1,relative; content:!".cdc.gov"; isdataat:!1,relative; content:!"covid19.wisc.edu"; isdataat:!1,relative; content:!".canada.ca"; isdataat:!1,relative; content:!".nicovideo.jp"; isdataat:!1,relative; content:!"strib-covid-data.s3.amazonaws.com"; isdataat:!1,relative; classtype:bad-unknown; sid:2029707; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, signature_severity Informational, updated_at 2021_01_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt"; flow:established,to_server; http.uri; content:"/hpdiags/frontend2/help/search.php?query="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,45420; reference:cve,2010-4111; classtype:web-application-attack; sid:2012976; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Password - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031523; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZOHO ManageEngine ADSelfService Employee Search XSS Attempt"; flow:established,to_server; http.uri; content:"/EmployeeSearch"; nocase; fast_pattern; content:"actionId="; nocase; content:"searchString="; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3274; classtype:web-application-attack; sid:2012980; rev:3; metadata:created_at 2011_06_09, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious HTTP POST Only Containing Pass - Possible Phishing"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"pass="; nocase; depth:5; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2031524; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_01_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_people"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Key Exchange Request"; flow:established,to_server; dsize:28; stream_size:client,=,29; content:"|24 01 00 00 00 00 00 00 00 00 00 00|"; startswith; classtype:command-and-control; sid:2034465; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, former_category MALWARE, malware_family Danabot, signature_severity Major, updated_at 2021_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pear.php?"; nocase; content:"_PEAR_PHPDIR="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012994; rev:3; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ITW Android Post-Exploit Downloader CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api2/v9/pass"; bsize:13; fast_pattern; http.content_type; content:"application/octet-stream"; bsize:24; reference:url,googleprojectzero.blogspot.com/2021/01/in-wild-series-android-post-exploitation.html; classtype:command-and-control; sid:2031525; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pear.php?"; nocase; content:"include_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/86292/pear-rfi.txt; classtype:web-application-attack; sid:2012993; rev:3; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.user_agent; content:"|20|MSIE|20|"; fast_pattern; http.request_body; pcre:"/[\x80-\xff]/"; http.content_type; content:"www-form-urlencoded"; http.header_names; content:!"Referer"; http.host; content:!".webex.com"; endswith; classtype:trojan-activity; sid:2017259; rev:15; metadata:created_at 2013_07_31, updated_at 2021_01_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/addons/kcfinder/browse.php?"; nocase; content:"CKEditorFuncNum="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,autosectools.com/Advisory/Nakid-CMS-1.0.2-Reflected-Cross-site-Scripting-230; classtype:web-application-attack; sid:2012992; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-#alert tcp any any -> any any (msg:"ET EXPLOIT Possible NTFS Index Attribute Corruption Vulnerability"; flow:established; file_data; content:"|63 3a 5c 3a 24 69 33 30 3a 24 62 69 74 6d 61 70|"; classtype:attempted-admin; sid:2031526; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_15, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Informational, updated_at 2021_01_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012991; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/checkupdate.js?id="; startswith; fast_pattern; content:"&token="; distance:0; content:"&platform="; distance:0; reference:url,github.com/BenChaliah/Arbitrium-RAT/; classtype:command-and-control; sid:2031528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012990; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arbitrium-RAT Observed User-Agent (JustKidding)"; flow:established,to_server; http.user_agent; content:"JustKidding"; bsize:11; reference:url,github.com/BenChaliah/Arbitrium-RAT; classtype:command-and-control; sid:2031529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, malware_family Arbitrium_RAT, performance_impact Low, signature_severity Major, updated_at 2021_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012989; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] DeDeCMS RFI Attempt"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data"; http.uri; content:"/select_soft_post.php"; nocase; http.request_body; content:"cfg_basedir"; nocase; content:"uploadfile"; nocase; content:"upload"; nocase; reference:cve,2010-1097; reference:url,www.exploit-db.com/exploits/33685; classtype:attempted-admin; sid:2031527; rev:2; metadata:created_at 2021_01_19, former_category EXPLOIT, updated_at 2021_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012988; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FFDroider CnC Activity"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/poe.php?e="; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,d5b7b65cd6e3fa8c8ac4ebe39bb5ffef; reference:url,www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users; classtype:trojan-activity; sid:2035795; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tde_busca/processaPesquisa.php?"; nocase; content:"pesqExecutada="; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt; classtype:web-application-attack; sid:2012987; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_10, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/WizardUpdate Domain in TLS SNI ( .dlvplayer .com)"; flow:established,to_server; tls.sni; content:".dlvplayer.com"; endswith; reference:md5,6a76ee693b3d43ed385ce4b930fe3e30; classtype:domain-c2; sid:2031530; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013080; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/WizardUpdate CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/checknew"; nocase; endswith; http.request_body; content:"{|22|machine_id|22 3a 20 22|"; depth:16; content:"|22 2c 20 22|model_name|22 3a 20 22|"; fast_pattern; distance:0; content:"|22 2c 20 22|os|22 3a 20 22|"; distance:0; content:"|22 2c 20 22|os_version|22 3a 20 22|"; distance:0; content:"|22 2c 20 22|model_ident"; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,6a76ee693b3d43ed385ce4b930fe3e30; classtype:trojan-activity; sid:2031531; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Freakout IRC Checkin"; flow:established,to_server; content:"NICK|20|[HAX|7c|"; depth:10; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; classtype:command-and-control; sid:2031534; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013082; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST /info/"; startswith; fast_pattern; pcre:"/(?:retdl|fb|step) HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"info="; startswith; content:!"&"; reference:md5,acd347a1839ee422d9393a09b5302ea2; classtype:command-and-control; sid:2031927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013083; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Zend Framework Exploit (CVE-2021-3007)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/zend3/public/"; bsize:14; fast_pattern; http.request_body; content:"zend"; nocase; content:"validator"; nocase; distance:0; content:"callback"; nocase; distance:0; content:"file_put_contents"; nocase; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2021-3007; classtype:attempted-admin; sid:2031536; rev:1; metadata:created_at 2021_01_22, cve CVE_2021_3007, updated_at 2021_01_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/showcats.php?"; nocase; content:"sbcat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,46048; classtype:web-application-attack; sid:2013084; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AHK.CREDSTEALER.A MalDoc Retrieving Payload"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{6,16}-(?:pro|xl2|us1)$/s"; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Connection"; content:!"Referer"; reference:url,www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html; classtype:trojan-activity; sid:2031433; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/templates/admin_default/confirm.tpl.php?"; nocase; content:"nsextt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,seclists.org/bugtraq/2011/Jun/59; classtype:web-application-attack; sid:2013085; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Downloaded from Discord"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; http.uri; content:"/attachments/"; startswith; fast_pattern; pcre:"/^[0-9]{18}\/[0-9]{18}\/[a-zA-Z0-9]{5,7}$/R"; reference:md5,1ef671ebe0e5efd44cf05c630fbe9cb5; classtype:policy-violation; sid:2031083; rev:4; metadata:attack_target Client_Endpoint, created_at 2020_10_22, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/xperience.php?"; nocase; content:"sortfield="; nocase; content:"sortorder="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102001/xperience-xss.txt; classtype:web-application-attack; sid:2013086; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Suspected SAP EEM SOLMAN RCE (CVE-2020-6207)"; flow:established,to_server; http.uri; content:"/EemAdminService/EemAdmin"; startswith; fast_pattern; http.request_body; content:"getruntime|28 29 2e|exec"; nocase; content:"processbuilder|28|"; nocase; reference:url,github.com/chipik/SAP_EEM_CVE-2020-6207; classtype:attempted-admin; sid:2031546; rev:1; metadata:created_at 2021_01_25, cve CVE_2020_6207, former_category EXPLOIT, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/FCKeditor/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013087; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt"; flow:established,to_server; http.uri; content:"/cgi-bin/jarrewrite.sh"; endswith; fast_pattern; http.user_agent; content:"|28 29 20 7b|"; reference:url,darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/; reference:cve,2014-6271; classtype:attempted-admin; sid:2031543; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/tinymce/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013088; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [401TRG] SUNBURST Related DNS Lookup to infinitysoftwares .com"; dns.query; content:"infinitysoftwares.com"; nocase; endswith; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:3; metadata:created_at 2011_06_22, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (infinitysoftwares .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"infinitysoftwares.com"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/nagios/cgi-bin/config.cgi"; nocase; content:"type=command&expand="; fast_pattern; nocase; pcre:"/^.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ri"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (infinitysoftwares .com)"; flow:established,to_client; tls.cert_subject; content:"CN=infinitysoftwares.com"; bsize:24; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/security/useredit.action?"; nocase; content:"username="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013099; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [401TRG] SUNBURST Related DNS Lookup to bigtopweb .com"; dns.query; content:"bigtopweb.com"; nocase; endswith; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/security/roleedit.action?"; nocase; content:"name="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013100; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [401TRG] Observed Backdoor.SUNBURST CnC Domain (bigtopweb .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigtopweb.com"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/security/userlist!show.action?"; nocase; content:"roleName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013101; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [401TRG] Backdoor.BEACON SSL Cert Inbound (bigtopweb .com)"; flow:established,to_client; tls.cert_subject; content:"CN=bigtopweb.com"; bsize:16; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware; classtype:trojan-activity; sid:2031542; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_01_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/deleteArtifact!doDelete.action?"; nocase; content:"groupId="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013102; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Sysn.cdjy CnC Activity"; flow:established,to_server; http.uri; content:".php?logik="; content:".txt&info=Time|3a|"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; bsize:38; reference:md5,9842e0a710a5b820f6ceb687fa079721; classtype:command-and-control; sid:2031544; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addLegacyArtifactPath!commit.action?"; nocase; content:"legacyArtifactPath.path="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013103; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Silver"; bsize:9; fast_pattern; tls.cert_issuer; content:"CN=Silver"; bsize:9; reference:md5,949f4223f86d23ec243d1e23dd0a28c9; reference:url,twitter.com/reecdeep/status/1345411411829260289; classtype:domain-c2; sid:2031545; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_01_25, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/deleteNetworkProxy!confirm.action?"; nocase; content:"proxyid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013104; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (angeldonationblog .com)"; flow:established,to_client; tls.cert_subject; content:"CN=angeldonationblog.com"; bsize:24; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031548; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addRepository.action"; nocase; content:"repository.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.com/files/101797/; classtype:web-application-attack; sid:2013105; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (codevexillium .org)"; flow:established,to_server; tls.sni; content:"codevexillium.org"; bsize:17; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031549; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/confirmDeleteRepository.action?"; nocase; content:"repoid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.com/files/101797/; classtype:web-application-attack; sid:2013106; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (investbooking .de)"; flow:established,to_client; tls.cert_subject; content:"CN=investbooking.de"; bsize:19; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031550; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/editAppearance.action"; nocase; content:"organisationName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013107; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (krakenfolio .com)"; flow:established,to_server; tls.sni; content:"krakenfolio.com"; bsize:15; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031551; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addLegacyArtifactPath.action"; nocase; content:"legacyArtifactPath.path="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013108; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious SSL Cert (opsonew3org .sg)"; flow:established,to_client; tls.cert_subject; content:"CN=opsonew3org.sg"; bsize:17; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031552; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/addNetworkProxy.action"; nocase; content:"proxy.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013109; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transferwiser .io)"; flow:established,to_server; tls.sni; content:"transferwiser.io"; bsize:16; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031553; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/networkProxies.action"; nocase; content:"proxy.id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013110; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (transplugin .io)"; flow:established,to_server; tls.sni; content:"transplugin.io"; bsize:14; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031554; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/legacyArtifactPath.action"; nocase; content:"legacyArtifactPath.path="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013111; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (rninhsss .com)"; dns.query; content:"www.rninhsss.com"; nocase; bsize:16; reference:md5,3dbf62639a63001daee68b25fadf4f10; classtype:domain-c2; sid:2031555; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/archiva/admin/configureAppearance.action"; nocase; content:"organisationName="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt; classtype:web-application-attack; sid:2013112; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_22, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST to Wordpress Folder - Possible Successful Banking Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-"; depth:4; http.request_body; content:"pin="; depth:4; fast_pattern; classtype:credential-theft; sid:2031547; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category HUNTING, signature_severity Major, tag Phishing, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/vBTube.php?"; nocase; content:"page="; nocase; content:"do="; nocase; content:"uname="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013134; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle WebLogic JNDI Injection RCE Attempt (CVE-2021-2109)"; flow:established,to_server; http.uri; content:"/consolejndi.portal?"; content:"_pageLabel=JNDIBindingPageGeneral"; content:"_nfpb=true"; content:"JNDIBindingPortletHandle=com.bea.console.handles.JndiBindingHandle("; content:"ldap|3a 2f 2f|"; distance:0; within:20; content:"|3b|AdminServer"; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw; reference:cve,2021-2109; reference:url,packetstormsecurity.com/files/161053/Oracle-WebLogic-Server-14.1.1.0-Remote-Code-Execution.html; classtype:attempted-user; sid:2031532; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_20, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/vBTube.php?"; nocase; content:"do="; nocase; content:"vidid="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt; classtype:web-application-attack; sid:2013133; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gh0st Variant CnC Domain in DNS Lookup (dexercisep .com)"; dns.query; content:"www.dexercisep.com"; nocase; bsize:18; reference:md5,cd14c71626f022781cfd2192bd8b454e; classtype:domain-c2; sid:2031556; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013129; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Targeted Attack Malicious Domain in TLS SNI (blog .br0vvnn .io)"; flow:established,to_server; tls.sni; content:"blog.br0vvnn.io"; bsize:15; fast_pattern; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:domain-c2; sid:2031557; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013128; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/upload/upload.php HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031558; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/download/download.asp HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031559; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious POST Format"; flow:established,to_server; http.method; content:"POST"; http.request_line; content:"/upload/upload.asp HTTP/1.0"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,norfolkinfosec.com/dprk-malware-targeting-security-researchers/; reference:url,blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/; classtype:bad-unknown; sid:2031560; rev:1; metadata:created_at 2021_01_26, former_category HUNTING, updated_at 2021_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftMP3 search Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/minbrowse.php?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/17209; classtype:web-application-attack; sid:2013125; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB2 Remote AT Scheduled Job Create Request"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|00|a|00|t|00|s|00|v|00|c|00|"; distance:0; content:!"|00|c|00|r|00|y|00|p|00|t|00|c|00|a|00|t|00|s|00|v|00|c|00|"; classtype:bad-unknown; sid:2025713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2021_01_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ZyXEL ZyWALL LoginPassword/HiddenPassword Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/rpAuth"; nocase; content:"nPassword="; nocase; pcre:"/(?:Loging|Hidden)Password\x3D.+(?:script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:cve,2011-2466; classtype:web-application-attack; sid:2013150; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover"; nocase; http.request_body; content:"<!DOCTYPE"; depth:50; content:"file:///etc/passwd"; distance:0; fast_pattern; content:"<EMailAddress>"; content:"<AcceptableResponseSchema>"; reference:url,www.exploit-db.com/exploits/46967; reference:url,packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html; reference:cve,2019-9621; reference:cve,2021-2109; classtype:attempted-user; sid:2031562; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013159; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PHP-CGI Query String Parameter Vuln Inbound (CVE-2012-2311)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E"; fast_pattern; reference:url,www.kb.cert.org/vuls/id/520827; reference:cve,2012-2311; classtype:attempted-user; sid:2031563; rev:1; metadata:affected_product PHP, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2012_2311, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Creating Docker Image"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"images/create?fromImage="; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/; classtype:trojan-activity; sid:2031584; rev:2; metadata:attack_target Server, created_at 2021_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2021_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013157; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TeamTNT Gattling Gun AWS Creds Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/incoming/access_data/aws.php"; endswith; fast_pattern; reference:url,www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques; reference:url,twitter.com/Suprn8/status/1349938276623384576; classtype:command-and-control; sid:2031585; rev:2; metadata:attack_target Client_and_Server, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webcat web_id Parameter Blind SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ecat/cms_view.php?"; nocase; content:"lang="; nocase; content:"web_id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/17444; classtype:web-application-attack; sid:2013164; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TeamTNT Gattling Gun CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".borg.wtf"; nocase; endswith; reference:url,www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques; reference:url,twitter.com/Suprn8/status/1349938276623384576; classtype:domain-c2; sid:2031586; rev:1; metadata:attack_target Client_and_Server, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013156; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET [2375,2376] (msg:"ET POLICY External Host Sending Docker Swarm Join Command"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/swarm/join"; endswith; http.request_body; content:"|7b 22|ListenAddr|22 3a 22|"; startswith; content:"|22|RemoteAddrs|22 3a 5b 22|"; content:"|2c 22|JoinToken|22 3a 22|"; http.header_names; content:!"Referer"; reference:url,github.com/Caprico1/Docker-Botnets/commit/bbfd65fce31d74bfa798e00a2c918022a45d211a; classtype:trojan-activity; sid:2031587; rev:2; metadata:attack_target Server, created_at 2021_01_28, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag Docker, updated_at 2021_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/kbcat.cgi?"; nocase; content:"cid="; nocase; content:"or"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt; classtype:web-application-attack; sid:2013234; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sn0wsLogger CnC Exfil M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|RestSharp/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22 0d 0a 0d 0a|token_"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|name|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|text|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a|"; http.header_names; content:!"Referer"; reference:md5,644038dbb036d00f45969afb7992e762; classtype:trojan-activity; sid:2031582; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, malware_family Sn0wsLogger, signature_severity Major, updated_at 2021_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013231; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sn0wsLogger CnC Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!"."; http.header; content:"User-Agent|3a 20|RestSharp/"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22 0d 0a|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; content:"-payment.txt|22 0d 0a|"; within:40; fast_pattern; http.header_names; content:!"Referer"; reference:md5,644038dbb036d00f45969afb7992e762; classtype:trojan-activity; sid:2031583; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_28, deployment Perimeter, former_category MALWARE, malware_family Sn0wsLogger, signature_severity Major, updated_at 2021_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013230; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Magecart/Skimmer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=google-conversion.com"; bsize:24; fast_pattern; reference:url,twitter.com/jeromesegura/status/1354598447022653442; classtype:domain-c2; sid:2031593; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2021_01_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_01_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013229; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible KLOG Server RCE Inbound (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|"; startswith; content:"%22%26"; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031590; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013228; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS KLOG Server RCE Public POC Inbound - Possible Scanning (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|unsafe+"; startswith; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031591; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp annonce parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/annonce_detail.php?"; nocase; content:"annonce="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,48341; classtype:web-application-attack; sid:2013227; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/"; http.request_body; content:".c3p0.WrapperConnectionPoolDataSource"; fast_pattern; content:"&defaultData.userOverridesAsString=HexAsciiSerializedMap|3a|"; distance:0; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; reference:cve,2020-7961; classtype:attempted-admin; sid:2031592; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_7961, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/annonce.php?"; nocase; content:"secteur="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,48341; classtype:web-application-attack; sid:2013226; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to cl .ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|cl.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:bad-unknown; sid:2031588; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_01_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013303; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to rebrand .ly"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Host|3a 20|rebrand.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; endswith; fast_pattern; classtype:misc-activity; sid:2031589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013304; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO NoxPlayer Simulator Update Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/posttoken/simulator/"; startswith; fast_pattern; content:"/update"; endswith; http.host; content:"api.bignox.com"; bsize:14; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:policy-violation; sid:2031594; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013305; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Poison Ivy Variant CnC Domain in DNS Lookup (cdn. cloudistcdn .com)"; dns.query; content:"cdn.cloudistcdn.com"; nocase; bsize:19; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031595; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013306; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (q. cloudistcdn .com)"; dns.query; content:"q.cloudistcdn.com"; nocase; bsize:17; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031597; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules.php?"; nocase; content:"name=Tutorials"; nocase; content:"t_op=showtutorial"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt; classtype:web-application-attack; sid:2013307; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NIGHTSCOUT Malware CnC Domain in DNS Lookup (update .boshiamys .com)"; dns.query; content:"update.boshiamys.com"; nocase; bsize:20; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; classtype:domain-c2; sid:2031598; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; content:"page="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013308; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot maserv Module Command"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mass/"; depth:30; fast_pattern; pcre:"/^(?:81|freq|domains|over|rate|npcap\.exe)\/?\s*[^\/]*$/si"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:url,www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/; reference:md5,ff57c02b09cd9df4d1cac5090e01a5d2; classtype:trojan-activity; sid:2031600; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; content:"page="; nocase; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013309; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot maserv Module CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/81"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|source|22 0d 0a 0d 0a|PORT|20|scan|0d 0a|"; nocase; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/; reference:md5,ff57c02b09cd9df4d1cac5090e01a5d2; classtype:trojan-activity; sid:2031601; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_02, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability"; flow:established,to_server; http.uri; content:"/snarf_ajax.php?"; nocase; content:"url="; content:"ajax="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/103179/tikiwiki7-xss.txt; classtype:web-application-attack; sid:2013434; rev:4; metadata:created_at 2011_08_19, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN Generic IDBTE4M Exploit Scanner (Outbound)"; flow:to_server,established; http.user_agent; content:"IDBTE4M CODE87"; fast_pattern; classtype:bad-unknown; sid:2031602; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_02, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jfeedback"; nocase; content:"controller="; nocase; reference:url,xforce.iss.net/xforce/xfdb/57654; classtype:web-application-attack; sid:2013433; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Generic IDBTE4M Exploit Scanner (Inbound)"; flow:to_server,established; http.user_agent; content:"IDBTE4M CODE87"; fast_pattern; classtype:bad-unknown; sid:2031603; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_02, deployment Perimeter, former_category SCAN, signature_severity Minor, updated_at 2021_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=eshop-orders.php"; nocase; content:"viewemail="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013427; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin"; flow:established,to_server; dsize:100; content:"ordata|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:1; depth:47; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2031599; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_03, deployment Perimeter, former_category MALWARE, malware_family SystemBC, signature_severity Major, updated_at 2021_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=eshop-orders.php"; nocase; content:"action="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013426; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snake Keylogger CnC Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; http.request_body; content:"PC Name|3a|"; content:"Snake|20|Keylogger"; fast_pattern; content:"Snake|20|Keylogger"; distance:0; http.host; content:"telegram.org"; endswith; http.header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; classtype:trojan-activity; sid:2031604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_03, deployment Perimeter, former_category MALWARE, malware_family Snake_Keylogger, signature_severity Major, updated_at 2021_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=eshop-templates.php"; nocase; content:"eshoptemplate="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/45553; classtype:web-application-attack; sid:2013425; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PivNoxy CnC Activity"; flow:established,to_server; urilen:17; http.cookie; content:"id="; startswith; bsize:15; http.header_names; content:"|0d 0a|Accept|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.uri; pcre:"/^\/[0-9a-f]{16}$/"; reference:url,www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/; reference:md5,77a06a18015ee2d509d8e89000489eb6; reference:md5,7fd7b1c218d7df7a3f09a8f06f141c71; classtype:command-and-control; sid:2031596; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_02_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013471; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Small.AWO CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"boxfid.php?&mac="; fast_pattern; content:"&action="; distance:12; within:8; content:"&disk="; distance:0; content:"&md5="; distance:0; isdataat:!33,relative; reference:md5,047719e7aae5c1466db7c82a18726828; classtype:command-and-control; sid:2031605; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013470; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Detplock Checkin via SMTP"; flow:established,to_server; content:"Subject|3a 20|Virus Infection Monitor|0d 0a|"; fast_pattern; content:"Content|2d|type|3a 20|multipart|2f|mixed|3b 20|boundary|3d 22 23|BOUNDARY|23 22 0d 0a|"; reference:md5,6ac14ccd294d75e340d48d19aa74be09; classtype:trojan-activity; sid:2031608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013469; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031606; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, signature_severity Major, updated_at 2021_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12644; classtype:web-application-attack; sid:2013468; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>|7c 7c 20|B3taCypt Priv8 Mailer|20 7c 7c|</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031607; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_02_08, deployment Perimeter, signature_severity Major, updated_at 2021_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/guestbook/blocks/control.block.php?"; nocase; content:"lang="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/93285/diycms-rfi.txt; classtype:web-application-attack; sid:2013466; rev:4; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer Installer Started"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"type=install&seller="; startswith; fast_pattern; content:"&price="; content:"&guid="; content:"&ver="; content:"&origin="; reference:md5,e2d3f779d8d646f7287dc58976e79494; classtype:command-and-control; sid:2031928; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sublink.php?"; nocase; content:"langval="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/104292/easysiteedit-rfi.txt; classtype:web-application-attack; sid:2013465; rev:4; metadata:created_at 2011_08_26, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Buer Loader Domain (officewestunionbank .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"officewestunionbank.com"; bsize:23; fast_pattern; reference:md5,61e213e717cc8e156cec79a7c1cd0c64; classtype:domain-c2; sid:2031610; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_10, deployment Perimeter, former_category MALWARE, malware_family Buer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ungallery/source_vuln.php?"; nocase; content:"pic="; nocase; reference:url,packetstormsecurity.org/files/view/99004/RhinOS3.0r1113-lfi.txt; classtype:web-application-attack; sid:2013464; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer Loader Download Request"; flow:established,to_server; urilen:>200; flowbits:set,ETPRO.wacatac.b.download; http.method; content:"GET"; http.uri; content:"/api/download/"; depth:14; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_ext_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/bug_actiongroup_ext_page.php?"; nocase; content:"action="; nocase; classtype:web-application-attack; sid:2013563; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Buer Loader Successful Payload Download"; flow:established,to_client; flowbits:isset,ETPRO.wacatac.b.download; http.stat_code; content:"200"; http.content_type; content:"application/*"; fast_pattern; bsize:13; http.content_len; byte_test:0,>,500000,0,string,dec; byte_test:0,<,3000000,0,string,dec; reference:md5,a8819db1fa758fd9f1d501dbb50f454f; classtype:command-and-control; sid:2029079; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, malware_family BuerLoader, signature_severity Major, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bug_actiongroup_page.php script Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/bug_actiongroup_page.php?"; nocase; content:"action="; nocase; classtype:web-application-attack; sid:2013564; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Trend Micro Phishing Simulation Service"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>You have almost been phished"; nocase; content:"Trend Micro Phish Insight provides a phishing simulation service"; nocase; fast_pattern; classtype:social-engineering; sid:2031611; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pranian Group e107 page Parameter Cross Site Scripting Vulnerability Attempt"; flow:established,to_server; http.uri; content:"/plugins/pviewgallery/pviewgallery.php?"; nocase; content:"album="; nocase; content:"page="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; classtype:web-application-attack; sid:2013567; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Observed DNS Query to Malicious Cookie Monster Roulette JS Cookie Stealer Exfil Domain"; dns.query; content:".cdncontentdelivery.com"; nocase; endswith; classtype:trojan-activity; sid:2031612; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family CookieMonster, performance_impact Low, signature_severity Major, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OneFileCMS p parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/onefilecms.php?"; nocase; content:"p="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; classtype:web-application-attack; sid:2013568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_12, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (aaaa)"; flow:established,to_server; http.user_agent; content:"aaaa"; bsize:4; reference:md5,61e213e717cc8e156cec79a7c1cd0c64; classtype:bad-unknown; sid:2031613; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013673; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sq?"; startswith; fast_pattern; http.cookie; content:"woocommerce_cart_hash="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,4d1d20d5691af20be3592ddc1936a8c0; classtype:command-and-control; sid:2032756; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013674; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RELEASE?"; startswith; fast_pattern; http.cookie; content:"woocommerce_items_in_cart="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,631bcc2f0885acb960fd500ca574a796; classtype:command-and-control; sid:2032757; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_02_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013675; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (9487d)"; flow:established,from_server; http.stat_code; content:"302"; http.cookie; content:"9487d=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2031614; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category WEB_CLIENT, malware_family KeitaroTDS, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013676; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Evil Keitaro TDS Redirection Domain (fiberswatch .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"fiberswatch.com"; bsize:15; fast_pattern; classtype:domain-c2; sid:2031615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_11, deployment Perimeter, former_category MALWARE, malware_family KeitaroTDS, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tune-library/tune-library-ajax.php?"; nocase; content:"letter="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,49553; classtype:web-application-attack; sid:2013677; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mobilelink.buzz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"O=Let's Encrypt"; classtype:domain-c2; sid:2031617; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_02_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_12, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jr_questionnaire"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt; classtype:web-application-attack; sid:2013678; rev:4; metadata:created_at 2011_09_19, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Known External IP Lookup Service Domain in SNI"; flow:to_server,established; tls.sni; content:"www.watismijnip.nl"; endswith; classtype:external-ip-check; sid:2031616; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, former_category POLICY, signature_severity Minor, updated_at 2021_02_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ezrealty"; nocase; content:"task="; nocase; content:"id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt; classtype:web-application-attack; sid:2013680; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Playit Activity (playit .gg)"; flow:established,to_server; http.method; content:"GET"; http.referer; content:"https://playit.gg/claim/v2/"; startswith; http.host; content:"playit.gg"; bsize:9; fast_pattern; reference:md5,adef7b6d9fcd8c2a0fabd94d73bc9789; classtype:policy-violation; sid:2031619; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, deployment SSLDecrypt, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2021_02_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS American Bankers Association Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Search2/searchaba.aspx?"; nocase; content:"SearchPhrase="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/view/103855/aba-xss.txt; classtype:web-application-attack; sid:2013681; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/RemoteUtilities Checkin via SMTP"; flow:established,to_server; content:"|0d 0a|SUQ6"; content:"0J3QsNC30LLQsNC90LjQtSDQutC+0LzQv9GM0Y7RgtC1"; distance:0; fast_pattern; classtype:pup-activity; sid:2031618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_12, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_02_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simplis CMS download_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"action=do_download"; nocase; content:"download_file="; nocase; reference:url,packetstormsecurity.org/files/view/99797/simpliscms-disclose.txt; classtype:web-application-attack; sid:2013682; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CoderVir Stealer Zip Upload"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|LOG|5f|"; fast_pattern; pcre:"/^[A-F0-9]{24}/R"; content:"|2e|zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; within:53; reference:md5,35ff637ac2748789925a34f893376545; classtype:command-and-control; sid:2031620; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013704; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admin"; bsize:6; http.cookie; content:"wordpress_"; startswith; pcre:"/^[a-z0-9]{32}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; fast_pattern; reference:md5,e75bef518faea38765cb91b71ba6c8a8; classtype:command-and-control; sid:2032755; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013705; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/ViewLog.asp"; depth:20; endswith; http.request_body; content:"remote_submit_Flag="; depth:19; content:"&remote_host="; distance:0; content:"&remoteSubmit=Save|0d 0a 0d 0a|"; endswith; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Jan/40; classtype:attempted-user; sid:2027092; rev:5; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_02_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013706; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSMTPD RCE Inbound (CVE-2020-7247)"; flow:established,to_server; content:"MAIL|20|FROM|3a|<|3b|"; fast_pattern; reference:url,blog.qualys.com/vulnerabilities-research/2020/01/29/openbsd-opensmtpd-remote-code-execution-vulnerability-cve-2020-7247; reference:cve,2020-7247; classtype:attempted-admin; sid:2031621; rev:1; metadata:attack_target SMTP_Server, created_at 2021_02_17, cve CVE_2020_7247, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013707; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GoldenSpy CnC Activity"; flow:established,to_server; http.request_line; content:"POST /data/receive "; depth:19; fast_pattern; http.request_body; content:"ectid="; depth:6; content:"&taxCode="; distance:0; http.host; content:!"i-xinnuo.com"; endswith; reference:md5,be1a7bbc42d5d6f3a3270201906a68d9; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/; classtype:command-and-control; sid:2030394; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo N-Myndir UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_n-myndir"; nocase; content:"flokkur="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt; classtype:web-application-attack; sid:2013708; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Fancy Bear (APT28) Maldoc CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; bsize:22; http.request_body; content:"IB="; startswith; fast_pattern; content:"&log="; distance:0; reference:url,twitter.com/RedDrip7/status/1362343352759250946?s=20; reference:md5,c9a43fd6623bf0bc287012b6ee10a98e; reference:md5,49696043b51acca6ced2ab213bd4abef; classtype:command-and-control; sid:2031628; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family APT28, malware_family Fancy_Bear, performance_impact Low, signature_severity Major, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?"; nocase; content:"abspath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt; classtype:web-application-attack; sid:2013709; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7/Carbanak Staging Domain in DNS Lookup (civilizationidium .com)"; dns.query; content:"civilizationidium.com"; nocase; bsize:21; reference:url,twitter.com/z0ul_/status/1361698529228578816; reference:md5,17735bdf3f19b51eaa45d6375f943f97; classtype:trojan-activity; sid:2031629; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family Carbanak, malware_family Carbanak_JScript, performance_impact Low, signature_severity Major, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upload/tfu_upload.php?"; nocase; content:"workaround_dir="; nocase; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013711; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Activity (Windows Variant)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"wMKBUqjC7ZMG5A5g"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; reference:md5,48971e0e71300c99bb585d328b08bc88; classtype:command-and-control; sid:2031623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery install_path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/admin/tfu_login.php?"; nocase; content:"install_path="; nocase; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013712; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Activity (OSX Variant)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"jGzAcN6k4VsTRn9"; fast_pattern; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; reference:md5,6058368894f25b7bc8dd53d3a82d9146; classtype:command-and-control; sid:2031624; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joostina CMS users component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_users"; nocase; content:"user="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/100853/joostinausers-sql.txt; classtype:web-application-attack; sid:2013713; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - JMT Trading CnC Domain in DNS Lookup (jmttrading .org)"; dns.query; content:"jmttrading.org"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048b; classtype:domain-c2; sid:2031625; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rokquickcart"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/view/96804/joomlarokquickcart-lfi.txt; classtype:web-application-attack; sid:2013738; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Union Crypto CnC Domain in DNS Lookup (unioncrypto .vip)"; dns.query; content:"unioncrypto.vip"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048c; classtype:domain-c2; sid:2031626; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2"; flow:established,to_server; http.uri; content:"/phpThumb.demo.random.php?"; nocase; content:"dir="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013765; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - Union Crypto CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"auth_timestamp"; content:"rlz="; content:"&ei="; distance:0; content:"&act=check"; distance:0; fast_pattern; reference:md5,da17802bc8d3eca26b7752e93f33034b; reference:md5,629b9de3e4b84b4a0aa605a3e9471b31; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048c; classtype:command-and-control; sid:2031627; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Redirect Component view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_redirect"; content:"view="; nocase; reference:url,packetstormsecurity.org/files/view/96608/joomlaredirect-lfi.txt; classtype:web-application-attack; sid:2013764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (levelframeblog .com)"; dns.query; content:"levelframeblog.com"; nocase; bsize:18; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; reference:md5,17ab2927a235a0b98480945285767bcf; classtype:domain-c2; sid:2031631; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013762; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Domain in DNS Lookup (kupaywallet .com)"; dns.query; content:"kupaywallet.com"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; classtype:domain-c2; sid:2031630; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family JEUSD, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013760; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AppleJeus - Kupay Wallet CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.request_body; content:"ver="; startswith; content:"&timestamp="; fast_pattern; isdataat:!11,relative; reference:md5,60c2efdafbffc5bd6709c8e461f7b77d; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048d; classtype:command-and-control; sid:2031632; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013759; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - CoinGoTrade CnC Domain in DNS Lookup (coingotrade .com)"; dns.query; content:"coingotrade.com"; nocase; bsize:15; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,149a696472d4a189f5896336ab16cc34; classtype:domain-c2; sid:2031633; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Zingiri webshop plugin Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?"; nocase; content:"wpabspath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt; classtype:web-application-attack; sid:2013758; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (airbseeker .com)"; dns.query; content:"airbseeker.com"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031634; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family NukeSped, signature_severity Major, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013763; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (globalkeystroke .com)"; dns.query; content:"globalkeystroke.com"; nocase; bsize:19; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031635; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family NukeSped, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/vars.inc.php?"; nocase; content:"_SESSION[SCRIPT_PATH]="; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009181; classtype:web-application-attack; sid:2009181; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/NukeSped Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"N9dLfqxHNUUw8qaUPqggVTpX"; fast_pattern; reference:md5,451c23709ecd5a8461ad060f6346930c; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; classtype:command-and-control; sid:2031637; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family NukeSped, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Rentventory SQL Injection Attempt"; flow:to_server,established; http.uri; content:"/patch/?product="; nocase; content:"&panel=rent/select_time"; nocase; reference:url,www.milw0rm.com/exploits/9081; reference:url,doc.emergingthreats.net/2009513; classtype:web-application-attack; sid:2009513; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/NukeSped Variant CnC Domain in DNS Lookup (woodmate .it)"; dns.query; content:"woodmate.it"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048e; reference:md5,451c23709ecd5a8461ad060f6346930c; classtype:domain-c2; sid:2031636; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family NukeSped, signature_severity Major, tag Lazarus, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/cart.php?"; nocase; content:"a="; nocase; content:"templatefile="; nocase; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; classtype:web-application-attack; sid:2013818; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Dorusio CnC Domain in DNS Lookup (dorusio .com)"; dns.query; content:"dorusio.com"; nocase; bsize:11; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048f; reference:md5,d620c699a5b1828aca699b5aee77e5e6; reference:md5,0f39312e8eb5702647664e9ae8502ceb; classtype:domain-c2; sid:2031638; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wpeasystats/export.php?"; nocase; content:"homep="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,secunia.com/advisories/46069; reference:url,spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos; classtype:web-application-attack; sid:2013817; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (ants2whale .com)"; dns.query; content:"ants2whale.com"; nocase; bsize:14; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048g; classtype:domain-c2; sid:2031639; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/layout/plain.footer.php?"; nocase; content:"mainnav="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt; classtype:web-application-attack; sid:2013815; rev:4; metadata:created_at 2011_10_31, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE AppleJeus - Ants2Whale CnC Domain in DNS Lookup (qnalytica .com)"; dns.query; dotprefix; content:".qnalytica.com"; nocase; endswith; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-048g; reference:md5,d4d1bcdfb67ee30303f30137db752b94; classtype:domain-c2; sid:2031640; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, malware_family JEUSD, signature_severity Major, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBSng str Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/util/show_multistr.php?"; nocase; content:"str="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:bugtraq,50468; classtype:web-application-attack; sid:2013871; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LODEINFO v0.4.x CnC Checkin"; flow:established,to_server; urilen:1; http.start; content:"POST|20|/|20|HTTP/1.1|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|User-Agent|3a 20|"; http.request_body; content:"=Ghc7XJ5OVyh_"; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html; reference:md5,7831a9eebbb485ab4850460e33185cb3; classtype:command-and-control; sid:2031641; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, malware_family LODEINFO, signature_severity Major, updated_at 2021_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mole Group Vacation Estate Listing Script Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/properties_view.php?"; nocase; content:"editid1="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/7626; classtype:web-application-attack; sid:2013872; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Use of rzd URL Shortener Service"; flow:established,to_server; http.method; content:"HEAD"; http.host; content:"rzd.ac"; bsize:6; fast_pattern; classtype:policy-violation; sid:2031647; rev:1; metadata:created_at 2021_02_22, former_category HUNTING, updated_at 2021_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013873; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"specialattributes.s3.amazonaws.com"; bsize:34; reference:url,redcanary.com/blog/clipping-silver-sparrows-wings; classtype:domain-c2; sid:2031642; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013877; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed OSX/Silver Sparrow Download Domain in TLS SNI"; flow:established,to_server; tls_sni; content:"mobiletraits.s3.amazonaws.com"; bsize:29; reference:url,redcanary.com/blog/clipping-silver-sparrows-wings; classtype:domain-c2; sid:2031644; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 1024 CMS filename Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/modules/forcedownload/force_download.php?"; nocase; content:"filename="; reference:url,exploit-db.com/exploits/18000; classtype:web-application-attack; sid:2013885; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WRAT Dropper (TLS SNI)"; flow:established,to_server; tls.sni; content:"alsalaf.info"; reference:md5,7831f12dac1d4ef7dcd6e3218b8dad68; classtype:trojan-activity; sid:2031646; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WRAT, updated_at 2021_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; pcre:"/abspath=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (WRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=alsalaf.info"; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:md5,7831f12dac1d4ef7dcd6e3218b8dad68; classtype:trojan-activity; sid:2031645; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_22, deployment Perimeter, former_category TROJAN, signature_severity Major, tag WRAT, updated_at 2021_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tinderbox.mozilla.org showbuilds.cgi Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/showbuilds.cgi?"; nocase; content:"tree=SeaMonkey"; nocase; content:"hours="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstorm.codar.com.br/1111-exploits/tinderbox-xss.txt; classtype:web-application-attack; sid:2013980; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER DEWMODE Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:".php?csrftoken="; content:"|22|><font|20|size=4>Cleanup|20|Shell</font>"; fast_pattern; content:"file_id"; content:"path"; content:"file_name"; content:"uploaded_by"; content:"Recipient"; content:"Actions"; reference:url,www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html; reference:md5,2798c0e836b907e8224520e7e6e4bb42; reference:md5,bdfd11b1b092b7c61ce5f02ffc5ad55a; classtype:attempted-admin; sid:2031650; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orbis editor-body.php script Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/editors/text/editor-body.php?"; nocase; content:"s="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,autosectools.com/Advisory/Orbis-1.0.2-Reflected-Cross-site-Scripting-4; classtype:web-application-attack; sid:2013981; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Spy.Keylogger.ENJ Variant CnC Activity"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; depth:19; http.host; content:"discord.com"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"username=New+User+open+your+virus&content=%60%60%60%0aUser+name+%3a+"; startswith; fast_pattern; reference:md5,9b48e6da117f45841cb629964af7e463; classtype:command-and-control; sid:2031648; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component img Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_img"; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95683/joomlaimg-lfi.txt; classtype:web-application-attack; sid:2013989; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form action=|22 22 20|"; content:"<input|20|type=|22|text|22 20|name=|22|_jy|22|><input|20|type=|22|submit|22 20|value=|22|>>"; fast_pattern; classtype:attempted-admin; sid:2031651; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php INSERT INTO  SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013988; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VoidRay Downloader CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?UID="; fast_pattern; content:"_"; distance:8; within:1; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; reference:md5,082b7a27b2e75bbcde189fab82b0fe72; classtype:trojan-activity; sid:2031649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013987; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ares Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/panel/connect.php?a="; startswith; fast_pattern; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,372184b84d8a35ae1c5d756c69d1d0a2; classtype:trojan-activity; sid:2032947; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php UNION SELECT SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013986; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (billionaireshore .top)"; dns.query; content:"billionaireshore.top"; nocase; bsize:20; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031655; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; content:"only_hostid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013985; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (vikingsofnorth .top)"; dns.query; content:"vikingsofnorth.top"; nocase; bsize:18; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031656; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web File Browser file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/webFileBrowser.php?"; nocase; content:"act=download"; nocase; content:"sortby=name"; nocase; content:"file="; nocase; reference:url,exploit-db.com/exploits/18070/; classtype:web-application-attack; sid:2013982; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (realityarchitector .top)"; dns.query; content:"realityarchitector.top"; nocase; bsize:22; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031657; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014061; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (gentlebouncer .top)"; dns.query; content:"gentlebouncer.top"; nocase; bsize:17; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031658; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014062; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (brainassault .top)"; dns.query; content:"brainassault.top"; nocase; bsize:16; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031659; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014063; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (greatersky .top)"; dns.query; content:"greatersky.top"; nocase; bsize:14; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031660; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014064; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (unicornhub .top)"; dns.query; content:"unicornhub.top"; nocase; bsize:14; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031661; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_dshop Component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?"; nocase; content:"option=com_dshop"; nocase; content:"controller="; nocase; content:"task="; nocase; content:"idofitem="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,51116; classtype:web-application-attack; sid:2014065; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (corporatelover .top)"; dns.query; content:"corporatelover.top"; nocase; bsize:18; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031662; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability"; flow:established,to_server; http.uri; content:"/details_view.php?"; nocase; content:"event_id="; nocase; content:"date="; nocase; content:"view="; nocase; content:"loc="; nocase; content:"page_info_message="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:4; metadata:created_at 2012_01_02, former_category WEB_SPECIFIC_APPS, updated_at 2020_04_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MINEBRIDGE CnC Domain in DNS Lookup (bloggersglobbers .top)"; dns.query; content:"bloggersglobbers.top"; nocase; bsize:20; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:domain-c2; sid:2031663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pet Listing Script type_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/preview.php?"; nocase; content:"controller="; nocase; content:"action=search"; nocase; content:"type_id="; nocase; content:"bedrooms_from="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstorm.foofus.com/1112-exploits/petlisting-xss.txt; classtype:web-application-attack; sid:2014072; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (simsimsalabim .top)"; flow:established,to_server; tls.sni; content:"simsimsalabim.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2031652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress The-Welcomizer plugin page parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/the-welcomizer/twiz-index.php?"; nocase; content:"page="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,dl.packetstormsecurity.net/1112-exploits/wpthewelcomizer-xss.txt; classtype:web-application-attack; sid:2014073; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (perfectscenario .top)"; flow:established,to_server; tls.sni; content:"perfectscenario.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2031653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014074; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mariofart8 .top)"; flow:established,to_server; tls.sni; content:"mariofart8.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2031654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014075; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~4387gfoyusfh_gut/~3fog467wugrgfgd43r9.bin"; fast_pattern; bsize:43; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031664; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014076; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~8f3g4yogufey8g7yfg/~dfb375y8ufg34gfyu.bin"; fast_pattern; bsize:43; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031665; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014077; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MINEBRIDGE CnC Activity"; flow:established,to_server; http.uri; content:"/~munhgy8fw6egydubh/9gh3yrubhdkgfby43.php"; fast_pattern; bsize:41; reference:url,www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures; classtype:command-and-control; sid:2031666; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jbshop/jbshop.php?"; nocase; content:"item_details="; nocase; content:"item_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/18056/; classtype:web-application-attack; sid:2014078; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (DonotGroup CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=flickry.xyz"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"O=Let's Encrypt"; classtype:domain-c2; sid:2031672; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Android, attack_target Client_and_Server, created_at 2021_02_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag DonotGroup, updated_at 2021_02_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"xajax=SelTheme"; nocase; content:"ajaxargs[]="; nocase; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M1 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|..|5c|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031667; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M2 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|..|2f|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031668; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt"; flow:established,to_server; http.uri; content:"/RESTART.HTM?"; nocase; content:"NDSContext="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,exploit-db.com/exploits/17114; classtype:web-application-attack; sid:2014086; rev:5; metadata:created_at 2012_01_03, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt with Untrusted SSH Key Upload (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:".tar|22|"; content:"|0d 0a|."; distance:0; content:"|2f|.ssh|2f|authorized_keys"; distance:0; within:100; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031669; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014087; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M3 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|.|5c|"; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031670; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014088; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_20;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound VMware vCenter RCE Attempt M4 (CVE-2021-21972)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/vropspluginui/rest/services/uploadova"; endswith; fast_pattern; http.request_body; content:"|0d 0a|.|2f|"; distance:0; reference:url,swarm.ptsecurity.com/unauth-rce-vmware/; reference:cve,2021-21972; classtype:attempted-admin; sid:2031671; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_02_25, cve CVE_2021_21972, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openads row Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/libraries/lib-view-main.inc.php?"; nocase; content:"row="; nocase; pcre:"/basedir_save=\s*(?:ftps?|https?|php)\x3a\//i"; classtype:web-application-attack; sid:2013562; rev:6; metadata:created_at 2011_09_12, updated_at 2020_04_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaBackdoor Variant CnC Activity M4"; flow:established,to_server; urilen:36; http.method; content:"POST"; http.uri; content:!"."; content:!"?"; content:!"="; content:!"&"; http.cookie; content:"group="; depth:6; isdataat:!2,relative; fast_pattern; pcre:"/^\d$/R"; http.uri; pcre:"/^\/[a-z0-9]{32}\/\d\/$/i"; reference:url,twitter.com/lazyactivist192/status/1364668631460827142; reference:md5,8488d9be18308a7f4e83b7c39fc79d17; classtype:command-and-control; sid:2031673; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SAPID get_infochannel.inc.php Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/usr/extensions/get_infochannel.inc.php?"; nocase; content:"root_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/108488/sapidstable-rfi.txt; classtype:web-application-attack; sid:2014180; rev:4; metadata:created_at 2012_02_06, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gameredon Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64|3a 3a|"; startswith; fast_pattern; content:"|3a 3a|"; distance:2; endswith; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; reference:md5,04490fb43c9adbfdee9d7918e3db0af5; classtype:trojan-activity; sid:2031676; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_02_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mod_currencyconverter from Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/modules/mod_currencyconverter/includes/convert.php?"; nocase; content:"from="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|marquee|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109337/Joomla-Currency-Converter-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014179; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound Hashicorp Consul RCE via Services API"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"v1/agent/service/register"; fast_pattern; http.request_body; content:"|22|sh|22|"; content:"|22|-c|22|"; reference:url,www.exploit-db.com/exploits/46074; classtype:attempted-admin; sid:2031675; rev:1; metadata:attack_target Web_Server, created_at 2021_02_26, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_02_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014184; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (ms-officeupdate .com)"; dns.query; content:"ms-officeupdate.com"; nocase; bsize:19; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031677; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014185; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Inception/CloudAtlas CnC Domain in DNS Lookup (newmsoffice .com)"; dns.query; content:"newmsoffice.com"; nocase; bsize:15; reference:url,www.domaintools.com/resources/blog/the-continuous-conundrum-of-cloud-atlas; classtype:domain-c2; sid:2031678; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_02_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_02_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014186; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031679; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014187; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Inbox To All"; nocase; fast_pattern; content:"<input type=|22|hidden|22 20|name=|22|vai|22|"; distance:0; classtype:web-application-attack; sid:2031680; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nouvelles.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_06, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Uploader Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031681; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jreactions mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jreactions"; nocase; content:"Itemid="; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/95431/Joomla-Jreactions-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014250; rev:4; metadata:created_at 2012_02_21, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Uploader Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Uploader by ghost-dz</title>"; nocase; fast_pattern; classtype:web-application-attack; sid:2031682; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_01, deployment Perimeter, signature_severity Major, updated_at 2021_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grady Levkov id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/view-search.php?"; nocase; content:"id="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109814/Grady-Levkov-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014251; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT32/OceanLotus Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Collection Info/1.0"; bsize:19; fast_pattern; http.request_body; content:"data1="; startswith; reference:md5,864eace6e6f67b77163d7ed5da4498c8; reference:url,github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam; reference:url,www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/; classtype:trojan-activity; sid:2031683; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Membership Site Manager Script key Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/scripts/membershipsite/manager/index.php?"; nocase; content:"action="; nocase; content:"key="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108687/PHP-Membership-Site-Manager-Script-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014252; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Collection Info)"; flow:established,to_server; http.user_agent; content:"Collection Info/1.0"; bsize:19; fast_pattern; reference:md5,864eace6e6f67b77163d7ed5da4498c8; reference:url,github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam; reference:url,www.amnesty.org/en/latest/research/2021/02/click-and-bait-vietnamese-human-rights-defenders-targeted-with-spyware-attacks/; classtype:bad-unknown; sid:2031684; rev:1; metadata:created_at 2021_03_01, former_category USER_AGENTS, performance_impact Low, updated_at 2021_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014253; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark CnC Activity M2"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".php?u="; fast_pattern; content:"_"; distance:0; content:"&i="; distance:0; http.user_agent; content:"Microsoft BITS/"; startswith; reference:md5,d30484a523fe3d8a883738f4ec06a952; reference:md5,f9509755c5781f87788ffdf9efad075d; reference:url,twitter.com/reddrip7/status/1366703445990723585?s=21; classtype:trojan-activity; sid:2031748; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014254; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Battle.net Phish 2015-09-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".asp?"; http.request_body; content:"accountName="; depth:12; fast_pattern; content:"&password="; distance:0; content:"&persistLogin="; distance:0; content:"&csrftoken="; distance:0; classtype:credential-theft; sid:2031742; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_22, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2020_06_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014255; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (cook32.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cook32.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_03_02, former_category MALWARE, malware_family ursnif, updated_at 2021_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014256; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (cook64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cook64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031744; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pfile file.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.php?"; nocase; content:"eintrag="; nocase; content:"filecat="; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014257; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab32.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab32.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031745; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_visa controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_visa"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109214/Joomla-Visa-SQL-Injection-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014258; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_02_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Payload Request (grab64.rar)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/grab64.rar"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/ursnif.txt; reference:md5,c453d38c87a5df2fff509a4d9aba40e8; classtype:trojan-activity; sid:2031746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_eventcal mosConfig_absolute_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_eventcal"; nocase; content:"Itemid="; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/94983/Joomla-Eventcal-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014259; rev:4; metadata:created_at 2012_02_21, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Observed Interesting Content-Type Inbound (application/x-sh)"; flow:established,from_server; http.header; content:"Content-Type|3a 20|application/x-sh"; fast_pattern; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types; classtype:policy-violation; sid:2031747; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_02, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_22;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; http.uri; content:"/services/javascript.php"; http.cookie; content:"href"; http.request_body; content:"file=open_calendar.js"; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:4; metadata:created_at 2012_02_21, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Hidden embedded HTML Document"; flow:established,to_client; file.data; content:"<embed src=|27|data|3a|text/html|3b|base64|2c|PCFET0NUWVBFIGh0bWw+"; content:"|27 20|height|3d 27|0|27 20|frameborder|3d 27|0|27 3e 3c 2f|embed|3e|"; within:6000; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:bad-unknown; sid:2031803; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ButorWiki service Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sso/signin?"; nocase; content:"service="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109852/ButorWiki-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014320; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT COMTREND ADSL Router CT-5367 Remote DNS Change Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; nocase; content:"dnsPrimary="; content:"dnsRefresh="; nocase; reference:url,www.expku.com/remote/5853.html; classtype:attempted-admin; sid:2023467; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_10_31, deployment Perimeter, signature_severity Major, updated_at 2021_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS b2evolution inc_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/blogs/default.php?"; nocase; content:"inc_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014321; rev:4; metadata:created_at 2012_03_06, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mt?"; startswith; fast_pattern; content:"="; distance:0; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,0d2c5bbf711058f31cd8ce81da30e870; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031806; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS b2evolution skins_path Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/blogs/default.php?"; nocase; content:"skins_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014322; rev:4; metadata:created_at 2012_03_06, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT DNS Change Attempt (Unknown Device)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/advWAN.cgi"; startswith; http.request_body; content:"tAction=editApply"; content:"viewPage=multiWANCfg"; content:"action=edit"; content:"dns1="; content:"dns2="; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031804; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_03, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bch controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bch"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109025/Joomla-BCH-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014323; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"fabulouscityofbruges.top"; bsize:24; fast_pattern; classtype:domain-c2; sid:2031805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_03, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fork-CMS js.php module parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/frontend/js.php?"; nocase; content:"file="; nocase; content:"language="; nocase; content:"module="; nocase; reference:url,packetstormsecurity.org/files/109709/Fork-CMS-3.2.4-Cross-Site-Scripting-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014324; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".css"; endswith; http.cookie; content:"lu="; fast_pattern; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,ce73caaa42bd465a37802ad3457d2081; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS starCMS q parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"r="; nocase; content:"lang="; nocase; content:"actionsuche="; nocase; content:"q="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110376/starCMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014327; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (teastycandycoffe .top)"; flow:established,to_server; tls.sni; content:"teastycandycoffe.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_boss controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_boss"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108905/Joomla-Boss-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014328; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/form2dns.cgi?dnsmode=1&dns1="; nocase; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&submit.htm?dns.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027907; rev:4; metadata:attack_target Networking_Equipment, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2021_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snipsnap search Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/space/snipsnap-search?"; nocase; content:"query="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/109543/Snipsnap-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014329; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_06, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SUNSHUTTLE CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.cookie; content:"HjELmFxKJc="; fast_pattern; content:"P5hCrabkKf="; content:"iN678zYrXMJZ="; reference:url,www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html; classtype:command-and-control; sid:2031811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EJBCA issuer Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/publicweb/webdist/certdist?"; nocase; content:"cmd="; nocase; content:"serno="; nocase; content:"issuer="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110683/EJBCA-4.0.7-Cross-Site-Scripting-User-Enumeration.html; classtype:web-application-attack; sid:2014397; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt M2"; flow:established,to_server; http.uri; content:"/form2wan.cgi?wantype=1"; nocase; content:"&wan_dns2="; distance:0; content:"&wan_dns3="; distance:0; content:"&submit.htm"; distance:0; content:"wan.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031808; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_phocadownload folder Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_phocadownload"; nocase; content:"view="; nocase; content:"manager="; nocase; content:"tmpl="; nocase; content:"folder="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/100406/Joomla-Phocadownload-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014388; rev:4; metadata:created_at 2012_03_17, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DI-804HV DNS Changer Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/prim"; startswith; content:"prim&rf=0004&"; fast_pattern; content:"&ID00="; distance:0; content:"&ID01="; distance:0; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031809; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag DNS_Hijack, updated_at 2021_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_adsmanager mosConfig_absolute_path Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_adsmanager"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstorm.foofus.com/1012-exploits/joomlaadsmanager-rfi.txt; classtype:web-application-attack; sid:2014389; rev:4; metadata:created_at 2012_03_17, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT APT/Hafnium SPORTSBALL Webshell Observed Outbound"; flow:established,to_client; file.data; content:"<td>logon|3a|<td>"; content:"name=|22|sport|22 20|"; distance:0; content:"<td>cmd|3a|"; distance:0; content:"input|20|name=|22|balls|22 20|"; fast_pattern; content:"name=|22|woods|22|"; content:"name=|22|sky|22|"; reference:md5,1a4ab99bbe9adbe2deb0e4b96d82a955; classtype:web-application-attack; sid:2031812; rev:2; metadata:attack_target Web_Server, created_at 2021_03_04, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2021_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_fundhelp controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_fundhelp"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109023/Joomla-Fundhelp-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014392; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thereisnoscheme .top)"; flow:established,to_server; tls.sni; content:"thereisnoscheme.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2031876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_05, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rule controller Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rule"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/109026/Joomla-Rule-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014393; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-03-08"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; fast_pattern; content:"password="; nocase; distance:0; classtype:credential-theft; sid:2031875; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_kp controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_kp"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108917/Joomla-KP-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO MP3 with ID3 in HTTP Flowbit Set"; flow:from_server,established; file.data; content:"ID3"; within:3; content:"|FB FF|"; distance:0; flowbits:set,ET.mp3.in.http; flowbits:noalert; classtype:not-suspicious; sid:2025986; rev:2; metadata:affected_product Adobe_Flash, created_at 2018_08_10, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Address Book from Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/preferences.php?"; nocase; content:"from="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110667/PHP-Address-Book-6.2.12-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014395; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:4; metadata:created_at 2013_10_17, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Volusion Chat ID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/livechat.aspx?"; nocase; content:"location="; nocase; content:"auto="; nocase; content:"cookieGuid="; nocase; content:"ID="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110811/Volusion-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014396; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_17, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:social-engineering; sid:2024199; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, former_category CURRENT_EVENTS, malware_family EITest, signature_severity Major, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006932; classtype:web-application-attack; sid:2006932; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|a0 00 00 00 24 02 00 00 40 00 00 00|"; distance:0; content:"|b8 00 00 00 6c 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029336; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006933; classtype:web-application-attack; sid:2006933; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Mimidrv.sys Download Over HTTP"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|88 01 00 00 3c 04 00 00 40 00 00 00|"; distance:0; content:"|e8 02 00 00 f8 02 00 00 40 00 00 00|"; within:16; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029337; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011158; classtype:web-application-attack; sid:2011158; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Google Docs Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Google Docs</title>"; nocase; classtype:social-engineering; sid:2024386; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011159; classtype:web-application-attack; sid:2011159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET PHISHING Possible Dropbox Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Meet Google Drive - One Place For All Your Files</title>"; nocase; classtype:social-engineering; sid:2024388; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_06_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Greenpeace.fr filter_dpt Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/incinerateurs/list.php?"; nocase; content:"list_name="; nocase; content:"filter_dpt="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110989/Greenpeace.fr-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nyqualitypizza .top)"; flow:established,to_server; tls.sni; content:"nyqualitypizza.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WikyBlog which Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php/Special/Main/Templates?"; nocase; content:"cmd="; nocase; content:"which="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/110863/WikyBlog-1.7.3RC2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES GameHouse License Check"; flow:established,to_server; http.request_line; content:"POST /lm/dynamicLicense HTTP/1.1"; bsize:32; fast_pattern; http.header_names; content:"|0d 0a|Referer|0d 0a|"; http.request_body; content:"parameters="; startswith; reference:md5,0e29380dcc1f9a57f545fc26b4045c94; classtype:policy-violation; sid:2031878; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_08, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OneFileCMS f parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/onefilecms.php?"; nocase; content:"f="; nocase; reference:url,packetstormsecurity.org/files/110906/OneFileCMS-1.1.5-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014425; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP VilnyNet VPN Install Started"; flow:established,to_server; http.uri; content:"?event=winInstaller"; fast_pattern; content:"&uuid="; distance:0; content:"&osver"; distance:0; content:"&osbuild="; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; bsize:20; reference:md5,3bdc372644285aa7b3c8263d7d1c9a4a; classtype:pup-activity; sid:2031533; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_20, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VTiger CRM module_name parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.uri; content:"/modules/com_vtiger_workflow/sortfieldsjson.php?"; nocase; content:"module_name="; nocase; reference:url,packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014424; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_03_26, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (External)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031879; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_community"; nocase; content:"userid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/103680/joomlacommunity-sql.txt; classtype:web-application-attack; sid:2013467; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_08_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Suspected SUPERNOVA Webshell Command (Internal)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Orion/logoimagehandler.ashx"; bsize:28; fast_pattern; http.user_agent; content:"python-requests/"; startswith; nocase; reference:url,www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group; classtype:attempted-admin; sid:2031880; rev:1; metadata:attack_target Server, created_at 2021_03_09, deployment Internal, deployment SSLDecrypt, former_category WEB_SERVER, performance_impact Low, signature_severity Major, updated_at 2021_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS University Of Vermont intro Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/magicscript.php?"; nocase; content:"Page="; nocase; content:"intro="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; classtype:web-application-attack; sid:2013569; rev:5; metadata:created_at 2011_09_12, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"woocommerce_cart_hash="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,7502041ccf809668e2dce5a38fa0a2a5; reference:url,medium.com/walmartglobaltech/nimar-loader-4f61c090c49e; classtype:command-and-control; sid:2031881; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/demo_eventcalendar.php?"; nocase; content:"cal_id="; nocase; content:"cal_month="; nocase; content:"cal_year="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014449; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Glitch Hosted GET Request - Possible Phishing Landing"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.host; content:".glitch.me"; fast_pattern; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031917; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/OpenSiteAdmin/pages/pageHeader.php?"; nocase; pcre:"/^.{0,300}=(?:https?:|ftps?:)/Ri"; reference:url,www.securityfocus.com/bid/36445/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009931; classtype:web-application-attack; sid:2009931; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Glitch Hosted DNS Request - Possible Phishing Landing"; dns.query; content:".glitch.me"; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031918; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt"; flow:to_server,established; http.uri; content:"/showGallery.php"; nocase; content:"galid="; nocase; pcre:"/^-?\d+ /Ri"; reference:bugtraq,15313; reference:url,doc.emergingthreats.net/2002671; classtype:web-application-attack; sid:2002671; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing"; flow:established,to_server; tls.sni; content:".glitch.me"; endswith; pcre:"/^[a-z]+\-[a-z]+\-[a-z]+\.glitch\.me$/"; classtype:social-engineering; sid:2031919; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Pretty Link plugin url Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/pretty-link/pretty-bar.php?"; nocase; content:"url="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107551/WordPress-Pretty-Link-1.5.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014554; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"url=https://en.wikipedia.org/wiki/Microsoft_Outlook"; content:"$(|22|#hide-from-bots|22|).show()|3b|"; fast_pattern; distance:0; content:"------ START OF BODYYYY ------"; distance:0; classtype:social-engineering; sid:2031920; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress flash-album-gallery plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/flash-album-gallery/facebook.php?"; nocase; content:"i="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/107424/WordPress-Flash-Album-Gallery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014555; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (thelegendofberia .top)"; flow:established,to_server; tls.sni; content:"thelegendofberia.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS wordpress thecartpress plugin loop parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/thecartpress/widgets/CustomPostTypeListWidget.class.php?"; nocase; content:"loop="; nocase; reference:url,1337day.com/exploits/18018; classtype:web-application-attack; sid:2014556; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (hitfromthebong .top)"; flow:established,to_server; tls.sni; content:"hitfromthebong.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bulkenquery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bulkenquery"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108913/Joomla-Bulkenquery-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014557; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (autopartslarry .top)"; flow:established,to_server; tls.sni; content:"autopartslarry.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_br controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_br"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/108948/Joomla-BR-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014558; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Redirector Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"myFunction()"; within:50; content:"function myFunction() {"; within:50; content:"if (feedUpdateSplit[x]==|22|#|22|"; distance:0; fast_pattern; content:"#|22|+btoa(che)|3b|"; distance:0; content:"window.location.href=joinlink|3b|"; distance:0; classtype:social-engineering; sid:2031921; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free PHP photo gallery script path parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/jadro/libs/adodb/adodb.inc.php?"; nocase; content:"path="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/92079/Free-PHP-Photo-Gallery-Script-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014559; rev:4; metadata:created_at 2012_04_13, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Encoded Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"############################"; within:200; content:"### THIS WEBPAGE WAS PROTECTED AT|3a|"; fast_pattern; distance:0; content:"############################"; distance:0; classtype:social-engineering; sid:2031922; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress yousaytoo-auto-publishing plugin submit Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?"; nocase; content:"submit="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108470/wpystap-xss.txt; classtype:web-application-attack; sid:2014589; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Custom Logo Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"https://logo.clearbit.com/"; content:"///////new injection//////"; fast_pattern; distance:0; classtype:social-engineering; sid:2031923; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_pinboard option Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/components/com_pinboard/popup/popup.php?"; nocase; content:"option="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/94991/Joomla-Pinboard-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014590; rev:3; metadata:created_at 2012_04_16, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic NewInjection Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"////////urlemailgetting////////"; fast_pattern; content:"///////newinjection//////"; classtype:social-engineering; sid:2031924; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress whois search domain Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-whois/wp-whois-ajax.php?"; nocase; content:"cmd="; nocase; content:"ms="; nocase; content:"domain="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108271/WordPress-Whois-Search-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014591; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic NewInjection Phishing Landing 2021-03-10"; flow:to_client,established; file.data; content:"/////urlgettingemail/////"; fast_pattern; content:"/////urlemailgetting/////"; classtype:social-engineering; sid:2031925; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_10, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Facebook-Page-Promoter-Lightbox settings-updated Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/facebook-page-promoter-lightbox/arevico_options.php?"; nocase; content:"settings-updated="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/108238/WordPress-Facebook-Page-Promoter-Lightbox-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014592; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_16, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_21;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/RedXOR CnC Checkin"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031934; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, former_category MALWARE, malware_family RedXOR, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews lib.panier.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/panier/lib.panier.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014628; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/RedXOR CnC Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031935; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, former_category MALWARE, malware_family RedXOR, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DokuWiki target parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/doku.php?"; nocase; content:"do="; nocase; content:"id="; nocase; content:"target="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/111939/DocuWiki-2012-01-25-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014621; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Unauthenticated RCE Inbound (CVE-2020-26919)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.htm"; http.request_body; content:"submitId=debug&debugCmd="; startswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-26919; classtype:attempted-admin; sid:2031936; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_26919, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 1-jquery-photo-gallery-slideshow-flash plugin page Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-jquery-photo-gallery-slideshow-flash/wp-1pluginjquery.php?"; nocase; content:"page="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107423/WordPress-1-JQuery-Photo-Gallery-Slideshow-Flash-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014622; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Remote Authentication Bypass with Factory Reset (CVE-2020-35231)"; dsize:13; content:"|00 1a 00 00 04 00 00 01 01 ff ff 00 00|"; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35231; classtype:attempted-admin; sid:2031937; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35231, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews rootpath parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/plan/index.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014623; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer Overflow (CVE-2020-35232)"; dsize:>16; content:"|00 1a 00 0a|"; startswith; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35232; classtype:attempted-admin; sid:2031938; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35232, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews uploadBigFiles.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/upload/uploadBigFiles.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014624; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Stored XSS Inbound (CVE-2020-35228)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"submitId=multiLanguageCfg&selectLang="; fast_pattern; content:"|27 3a|"; distance:0; within:50; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35228; classtype:attempted-admin; sid:2031939; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews remote.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/ajax/remote.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014625; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Write Access to DHCP Config (CVE-2020-35226)"; content:"|00 0b 00|"; content:"|ff ff 00 00|"; distance:2; within:4; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031940; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews class.panier_article.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/panier/class.panier_article.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014626; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow Attempt Inbound M1 (CVE-2020-35230)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portbased_basic.htm"; http.request_body; content:"submitId="; content:"&bPortBasedVLAN="; fast_pattern; content:"&groupId=-"; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35230; classtype:attempted-admin; sid:2031941; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35230, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DirectNews menu_layers.php Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/menu/menu_layers.php?"; nocase; content:"rootpath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/15795; classtype:web-application-attack; sid:2014627; rev:4; metadata:created_at 2012_04_20, updated_at 2020_04_21;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ProSAFE Plus Possible Integer Overflow Attempt Inbound M2 (CVE-2020-35230)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portbased_basic.htm"; http.request_body; content:"submitId="; content:"&bPortBasedVLAN="; fast_pattern; content:"&memBMap=-"; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35230; classtype:attempted-admin; sid:2031942; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35230, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_videogallery"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2022_05_03;)
 
-alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x0003 (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 03|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031943; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_some"; nocase; content:"controller="; nocase; http.uri.raw; content:"|2e 2e 2f|"; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x0005 (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 05|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031944; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Skysa Official submit parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/skysa-official/skysa.php?"; nocase; content:"submit="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107342/WordPress-Skysa-Official-1.01-1.02-1.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014656; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Write Command Buffer Overflow Attempt - 0x000a (CVE-2020-35225)"; content:"|00 1a 00|"; startswith; content:"|00 0a|"; content:"|ff|"; distance:1; within:1; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35226; classtype:attempted-admin; sid:2031945; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35225, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/wp-custom-pages/wp-download.php?"; nocase; content:"url="; nocase; reference:url,packetstormsecurity.org/files/100047/WordPress-WP-Custom-Pages-0.5.0.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014717; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mynameisgarfield .top)"; flow:established,to_server; tls.sni; content:"mynameisgarfield.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/anzeigen_neu.php?"; nocase; content:"bereich="; nocase; content:"kat_id="; nocase; content:"kategorie="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112289/Maxxweb-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014711; rev:4; metadata:created_at 2012_05_04, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mansizeprofile .top)"; flow:established,to_server; tls.sni; content:"mansizeprofile.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031947; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wpsc-mijnpress/mijnpress_plugin_framework.php?"; nocase; content:"rwflush="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112324/WordPress-WPsc-MijnPress-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014712; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (letsmakesome .fun)"; flow:established,to_server; tls.sni; content:"letsmakesome.fun"; bsize:16; fast_pattern; classtype:domain-c2; sid:2031948; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_obsuggest"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/103598/Joomla-obSuggest-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014715; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (gogowormdealer .top)"; flow:established,to_server; tls.sni; content:"gogowormdealer.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_joomtouch"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_04, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tls any any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (Metasploit Self Signed CA)"; flow:from_server,established; tls.cert_issuer; content:"CN=MetasploitSelfSignedCA"; classtype:policy-violation; sid:2031932; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, deployment Internet, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/andromeda.php?"; nocase; content:"q="; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:4; metadata:created_at 2012_05_11, updated_at 2020_04_21;)
 
-alert tls any any -> $HOME_NET any (msg:"ET HUNTING Observed Suspicious SSL Cert (Metasploit in TLS Subject)"; flow:from_server,established; tls.cert_subject; content:"Metasploit"; nocase; classtype:policy-violation; sid:2031933; rev:2; metadata:attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, deployment Internet, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP Survey and Quiz Tool plugin rowcount Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-survey-and-quiz-tool/javascript/survey_section.php?"; nocase; content:"rowcount="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112685/WordPress-WP-Survey-And-Quiz-Tool-2.9.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014768; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Maldoc CnC"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/shop_testbr/localization/dir_photoes/"; startswith; fast_pattern; content:".php?"; distance:0; http.user_agent; content:"Office"; http.host; content:"www.dronerc.it"; reference:url,twitter.com/h2jazi/status/1370024802791096320; reference:md5,6c7fb32d476b7a367df0403b6a8c950f; reference:md5,31d748392f447001ba275361fbe65695; classtype:command-and-control; sid:2031951; rev:1; metadata:created_at 2021_03_11, former_category MALWARE, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=catablog-gallery"; nocase; content:"category="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014769; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (seattlecarwash .fun)"; flow:established,to_server; tls.sni; content:"seattlecarwash.fun"; bsize:18; fast_pattern; classtype:domain-c2; sid:2031950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor plugin uploader.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; content:"tab="; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014770; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX/Korplug CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; bsize:7; http.request_body; content:"v="; startswith; fast_pattern; content:"&id="; distance:0; content:"&uid="; distance:0; content:"&vs="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; reference:md5,26e442aa18fcea38e4c652d346627238; classtype:command-and-control; sid:2032001; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, malware_family PlugX, performance_impact Low, signature_severity Major, updated_at 2021_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Appointment Booking Pro view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rsappt_pro2"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/103172/Joomla-Appointment-Booking-Pro-Arbitrary-File-Reading.html; classtype:web-application-attack; sid:2014771; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad CnC Domain in DNS Lookup (ns .rtechs .org)"; dns.query; content:"ns.rtechs.org"; nocase; bsize:13; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; classtype:command-and-control; sid:2032002; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_media file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/components/com_media/helpers/media.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/99775/Joomla-Media-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014772; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ShadowPad CnC Domain in DNS Lookup (soft .mssysinfo .xyz)"; dns.query; content:"soft.mssysinfo.xyz"; nocase; bsize:18; reference:url,www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/; classtype:command-and-control; sid:2032003; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"league_id="; nocase; content:"group="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014812; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (pleaseletmesleep .fun)"; flow:established,to_server; tls.sni; content:"pleaseletmesleep.fun"; bsize:20; fast_pattern; classtype:domain-c2; sid:2031999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaguemanager"; nocase; content:"subpage="; nocase; content:"edit="; nocase; content:"season="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_05_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (return2monkey .fun)"; flow:established,to_server; tls.sni; content:"return2monkey.fun"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032000; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_12, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jesubmit"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014814; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M2"; flow:established,to_server; http.request_line; content:"POST /logupload"; startswith; fast_pattern; http.request_body; content:"name=|22|logMetaData|22|"; content:"itrLogPath"; content:"name=|22|logfile|22 3b|"; content:"log_upload_wsgi.py"; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:url,attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece; reference:cve,2021-21978; classtype:attempted-admin; sid:2032008; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Datacenter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Moderate, signature_severity Informational, updated_at 2021_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_acooldebate"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014815; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1"; flow:established,to_server; http.request_line; content:"POST /logupload?logMetaData="; startswith; fast_pattern; content:"itrLogPath"; content:"log_upload_wsgi.py"; http.request_body; content:"name=|22|logfile|22 3b|"; reference:url,paper.seebug.org/1495/; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:cve,2021-21978; classtype:attempted-admin; sid:2032009; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/framework/modules/pixidou/download.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014840; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasmin Ransomware C2 Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"machine_name="; startswith; fast_pattern; content:"&computer_user="; nocase; distance:0; content:"&systemid="; nocase; distance:0; content:"&os="; nocase; distance:0; content:"&date="; nocase; distance:0; content:"&time="; nocase; distance:0; content:"&ip="; nocase; distance:0; content:"&location="; nocase; distance:0; content:"&password="; nocase; distance:0; reference:md5,eabb920f75c2943113713849878a6dfb; reference:url,twitter.com/c3rb3ru5d3d53c/status/1370740134937772037; classtype:command-and-control; sid:2032010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/plugins/DPGguestbook/guestbookaction.php?"; nocase; content:"PathToRoot="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014836; rev:3; metadata:created_at 2012_06_01, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youaresoslow .top)"; flow:established,to_server; tls.sni; content:"youaresoslow.top"; bsize:16; fast_pattern; classtype:domain-c2; sid:2032011; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Jotloader component section parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jotloader"; nocase; content:"section="; nocase; reference:url,packetstormsecurity.org/files/96812/Joomla-Jotloader-2.2.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014837; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032005; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, signature_severity Major, updated_at 2021_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin type parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/joliprint/joliprint_options_upload.php?"; nocase; content:"type="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014838; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Spammer's Mail (Private)"; nocase; fast_pattern; classtype:web-application-attack; sid:2032006; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_15, deployment Perimeter, signature_severity Major, updated_at 2021_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/options-general.php?"; nocase; content:"page=joliprint/joliprint_admin_options.php"; nocase; content:"opt="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014839; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING OneDrive Phishing Landing 2021-03-15"; flow:to_client,established; file.data; content:"<title>OneDrive|20 7c 20|Login"; nocase; fast_pattern; content:"<video playsinline="; nocase; distance:0; content:"your email provider"; nocase; distance:0; classtype:social-engineering; sid:2032007; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jvb_bridge Itemid Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_jvb_bridge"; nocase; content:"Itemid="; nocase; pcre:"/^.*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/90844/Joomla-JVB-Bridge-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014883; rev:4; metadata:created_at 2012_06_08, updated_at 2020_04_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Phishing Landing via Tripod.com M3 2016-03-31"; flow:to_client,established; flowbits:isset,ET.tripod.phish; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"username"; nocase; content:"mail"; nocase; content:"Password"; fast_pattern; nocase; classtype:social-engineering; sid:2032215; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_03_31, signature_severity Major, updated_at 2021_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jeauto"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014878; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2021-03-16"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"j_username="; depth:11; nocase; content:"&j_password="; nocase; distance:0; content:"&save-username="; nocase; distance:0; content:"&hdnuserid="; nocase; distance:0; content:"&btnSignon=Sign+On&screenid=SIGNON&origination="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2036221; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jradio controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jradio"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/96751/Joomla-JRadio-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014879; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Leaf PHPMailer Accessed on External Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032078; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-livephp plugin wp-live.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-livephp/wp-live.php?"; nocase; content:"s="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/108282/WordPress-LivePHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014880; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Leaf PHPMailer Accessed on Internal Server"; flow:established,to_client; file.data; content:"V5 PHPMailer</title>"; fast_pattern; content:"for=|22|senderName|22|>Sender Name</label>"; content:"type=|22|file|22 20|name=|22|attachment[]|22 20|id=|22|attachment[]|22|"; classtype:web-application-attack; sid:2032079; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_16, deployment Perimeter, signature_severity Major, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mingle Forum groupid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=mfstructure"; nocase; content:"mingleforum_action="; nocase; content:"groupid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112696/WordPress-Mingle-Forum-1.0.33-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014881; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Saint Bot CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header; content:"Accept|3a 20|text/plain"; http.request_body; content:"transfer="; depth:9; fast_pattern; pcre:"/^transfer=[A-Za-z0-9/+=]+$/"; reference:md5,b1f40eac7ca6d66ba9b11dcf77f1a259; reference:url,blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/; classtype:trojan-activity; sid:2032753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_catalogue controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_catalogue"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/96190/Joomla-Catalogue-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ZHtrap CnC Checkin"; flow:established,to_server; content:"|05 01 00|"; startswith; content:".onion"; distance:0; fast_pattern; isdataat:!3,relative; flowbits:set,ET.zhtrap1; reference:url,blog.netlab.360.com/new_threat_zhtrap_botnet_en/; classtype:command-and-control; sid:2032083; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/themes.php?"; nocase; content:"page=dynwid-config"; nocase; content:"action="; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014811; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_25, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ZHtrap CnC Response - Connection Successfully Established"; flow:established,from_server; content:"|05 00 00 01 00 00 00 00 00 00|"; startswith; fast_pattern; flowbits:isset,ET.zhtrap1; reference:url,blog.netlab.360.com/new_threat_zhtrap_botnet_en/; classtype:command-and-control; sid:2032084; rev:2; metadata:attack_target Client_and_Server, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_ckforms"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014905; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Phishing Page - Page Saved with SingleFile Extension"; flow:to_client,established; file.data; content:"Page saved with SingleFile"; fast_pattern; content:"|0d 0a 20|url|3a 20|"; distance:0; content:"|0d 0a 20|saved date|3a 20|"; distance:0; reference:url,chrome.google.com/webstore/detail/singlefile/mpiodijhokgodhhofbcjdecpffjipkle?hl=en; classtype:misc-activity; sid:2032082; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_03_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jmsfileseller view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jmsfileseller"; nocase; content:"cat_id="; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/101770/Joomla-JMSFileSeller-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014897; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (followmeasap13 .top)"; flow:established,to_server; tls.sni; content:"followmeasap13.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_mscomment controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_mscomment"; nocase; content:"controller="; nocase; reference:url,1337day.com/exploits/12246; classtype:web-application-attack; sid:2014898; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of Multimedia Content flowbit set"; flow:established,to_client; file_data; content:"|00 00 00|"; depth:3; content:"|66 74 79 70|"; distance:1; within:4; fast_pattern; flowbits:noalert; flowbits:set,ET.Multimedia.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024689; rev:2; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Sharebar plugin status parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/sharebar/sharebar-admin.php?"; nocase; fast_pattern; content:"status="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112690/WordPress-Sharebar-1.2.1-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014904; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Download of .MOV Content flowbit set"; flow:established,to_client; file_data; content:"|6D 6F 6F 76|"; distance:4; within:4; flowbits:noalert; flowbits:set,ET.MP4.Download; reference:url,www.garykessler.net/library/file_sigs.html; classtype:misc-activity; sid:2024690; rev:2; metadata:created_at 2017_09_08, former_category WEB_CLIENT, tag noalert, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Tinymce Thumbnail Gallery href parameter Remote File Disclosure Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?"; nocase; fast_pattern; content:"href="; nocase; reference:url,packetstormsecurity.org/files/113417/WordPress-Tinymce-Thumbnail-Gallery-1.0.7-File-Disclosure.html; classtype:web-application-attack; sid:2014899; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http any any -> any any (msg:"ET USER_AGENTS Suspicious User-Agent (HaxerMen)"; flow:established,to_server; http.user_agent; content:"HaxerMen"; bsize:8; fast_pattern; reference:md5,19aa54bd0c5a4b78f47247bb432b689d; classtype:bad-unknown; sid:2032081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_16, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin pinterest-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?"; nocase; fast_pattern; content:"pinterest-url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014900; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http any any -> any any (msg:"ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/web_shell_cmd.gch"; fast_pattern; http.request_body; content:"IF_ACTION=apply&IF_ERRORSTR=SUCC&"; startswith; reference:url,twitter.com/bad_packets/status/1235106406144937984; reference:cve,2014-2321; reference:url,github.com/stasinopoulos/ZTExploit/; classtype:attempted-user; sid:2032077; rev:2; metadata:affected_product Router, attack_target IoT, created_at 2021_03_16, cve CVE_2014_2321, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?"; nocase; fast_pattern; content:"xing-url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014901; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_15, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tcp any 666 -> any any (msg:"ET MALWARE ELF/BASHLITE CnC Activity (Response)"; flow:established,to_client; content:"|21 20|DUP"; content:"epoll_"; distance:0; isdataat:!1,relative; fast_pattern; reference:md5,d76cebc82c79b9d7c56bced94c03c9e8; classtype:trojan-activity; sid:2032080; rev:2; metadata:created_at 2021_03_16, former_category MALWARE, updated_at 2021_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"board["; fast_pattern; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Request Cookie"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"_gads="; depth:7; content:"_gat="; distance:0; content:"_ga="; distance:0; content:"_u="; distance:0; content:"_io="; distance:0; content:"_gid="; distance:0; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; reference:url,www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html; classtype:trojan-activity; sid:2032086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/perfgraphs/index.php?"; nocase; content:"start="; nocase; content:"end="; nocase; content:"view="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014951; rev:3; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Unauthenticated RCE Inbound (CVE-2021-22986)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/"; http.request_body; content:"|22|filepath|22 3a 22 60|"; fast_pattern; reference:cve,2021-22986; classtype:attempted-admin; sid:2032092; rev:1; metadata:attack_target Server, created_at 2021_03_17, cve CVE_2021_22986, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/smarty/internals/core.write_compiled_include.php?"; nocase; fast_pattern; content:"smarty="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014944; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032087; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHCMS banco Parameter Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/gateways/boleto/boleto.php?"; nocase; fast_pattern; content:"banco="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014945; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PHP Mailer"; nocase; fast_pattern; content:"$(|22|#patb|22|).click(function(){"; distance:0; classtype:web-application-attack; sid:2032088; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt 2"; flow:established,to_server; http.uri; content:"/includes/smarty/internals/core.process_compiled_include.php?"; nocase; fast_pattern; content:"smarty="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014946; rev:5; metadata:created_at 2012_06_22, updated_at 2020_04_21;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Mailer Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032089; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Thinkun Remind Plugin dirPath Remote File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/thinkun-remind/exportData.php?"; nocase; fast_pattern; content:"dirPath="; nocase; reference:url,secunia.com/advisories/49461; classtype:web-application-attack; sid:2014947; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Mailer Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>Mailer Venom"; nocase; fast_pattern; content:"name=|22|fmail|22 20|type=|22|text|22 20|id=|22|fakemail|22|"; distance:0; classtype:web-application-attack; sid:2032090; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_17, deployment Perimeter, signature_severity Major, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/simple-download-button-shortcode/simple-download-button_dl.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,secunia.com/advisories/49462; classtype:web-application-attack; sid:2014948; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=su94Cb2b5Ed89d7c.su"; bsize:22; fast_pattern; classtype:domain-c2; sid:2032093; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/wp-imagezoom/download.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,1337day.com/exploits/18685; classtype:web-application-attack; sid:2014949; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_22, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CopperStealer CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=ru94cb2b5ed89d7c.ru"; bsize:22; fast_pattern; classtype:domain-c2; sid:2032094; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pliggCMS src parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/modules/thumbnail_plus/thumbs/grab.php?"; nocase; content:"src="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,1337day.com/exploits/18854; classtype:web-application-attack; sid:2014988; rev:4; metadata:created_at 2012_06_29, updated_at 2020_04_21;)
 
-alert dns any any -> any any (msg:"ET SCAN DNS Query for allports.exposed"; dns.query; content:"allports.exposed"; nocase; reference:url,blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/; classtype:network-scan; sid:2032091; rev:1; metadata:created_at 2021_03_17, updated_at 2021_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor thumbnail parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; fast_pattern; content:"tab="; nocase; content:"thumbnail="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014989; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-03-18"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"uname="; depth:6; nocase; fast_pattern; content:"&pass"; nocase; distance:0; pcre:"/^uname=[^&]*&pass/i"; classtype:credential-theft; sid:2032161; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor tags parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; fast_pattern; content:"tab="; nocase; content:"tags="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014990; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible F5 BIG-IP Infoleak and Out-of-Bounds Write Inbound (CVE-2021-22991)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|3a 2f 2f 5b|"; fast_pattern; content:"|5d|"; endswith; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2126; reference:cve,2021-22991; classtype:attempted-admin; sid:2032173; rev:1; metadata:attack_target Server, created_at 2021_03_18, cve CVE_2021_22991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AdaptCMS sitepath parameter Remote File Inclusion Vulnerability"; flow:established,to_server; http.uri; content:"/inc/smarty/libs/init.php?"; nocase; content:"sitepath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/91022/AdaptCMS-2.0.0-Beta-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014993; rev:3; metadata:created_at 2012_06_29, updated_at 2020_04_21;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Dotted Quad Host PS1 Request"; flow:established,from_client; flowbits:isset,http.dottedquadhost; flowbits:set,http.dottedquadhost.ps1; flowbits:unset,http.dottedquadhost; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2027259; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_23, former_category INFO, performance_impact Significant, signature_severity Minor, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_profile controller parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_profile"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95609/Joomla-Profile-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014994; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PS1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".ps1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032162; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/jrss-widget/proxy.php?"; nocase; fast_pattern; content:"url="; nocase; reference:url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014995; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_06_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSM1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psm1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; content:"ctask="; nocase; content:"approveImmediately="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ri"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:5; metadata:created_at 2012_07_07, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSD1 Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psd1 HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032164; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; fast_pattern; content:"page="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PS1XML Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".ps1xml HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032165; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_wisroyq"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSSC Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".pssc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032166; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_rssreader"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015040; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PSRC Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".psrc HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032167; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/options-general.php?"; nocase; content:"page=bb2_options"; nocase; content:"x="; nocase; pcre:"/^.+?(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112616/WordPress-Custom-Contact-Forms-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015041; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_07, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO CDXML Powershell File Request"; flow:established,from_client; flowbits:set,ET.PS.Download; http.request_line; content:".cdxml HTTP/1."; nocase; fast_pattern; classtype:bad-unknown; sid:2032168; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaflet_marker"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015466; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell DownloadString Command"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:".DownloadString("; nocase; fast_pattern; classtype:bad-unknown; sid:2032169; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_layer) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=leaflet_layer"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015467; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell DownloadFile Command"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:".DownloadFile("; nocase; fast_pattern; classtype:bad-unknown; sid:2032170; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_jstore controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jstore"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/94689/Joomla-JStore-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015468; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell Starting Wscript Process"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:"start-process wscript"; nocase; fast_pattern; classtype:bad-unknown; sid:2032171; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Help Center Live file parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/module.php?"; nocase; content:"module=helpcenter"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/88998/Help-Center-Live-2.0.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015469; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Powershell Launching Hidden Window"; flow:established,to_client; flowbits:isset,ET.PS.Download; http.stat_code; content:"200"; file.data; content:"-windowstyle hidden"; nocase; fast_pattern; classtype:bad-unknown; sid:2032172; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpPollScript include_class Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/php/init.poll.php?"; nocase; content:"include_class="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/81376/phpPollScript-1.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015470; rev:3; metadata:created_at 2012_07_13, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (finalcountdown .top)"; flow:established,to_server; tls.sni; content:"finalcountdown.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032174; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_18, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_connect controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_connect"; nocase; content:"view="; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95590/Joomla-Connect-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015472; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Netbounce Related Activity (Program Wrapper)"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/json"; bsize:16; file.data; content:"|5c 5c|Trackingfolder084|5c 5c|start.txt|22 0a|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1daccddd902156737587a2041224b46b; classtype:trojan-activity; sid:2032222; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=catablog-gallery"; nocase; content:"category="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015473; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce User-Agent (Netbounce)"; flow:established,to_server; http.user_agent; content:"Netbounce/1.0"; bsize:13; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; classtype:trojan-activity; sid:2032223; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Newsletter data parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/plugin-newsletter/preview.php?"; nocase; fast_pattern; content:"data="; nocase; reference:url,packetstormsecurity.org/files/113413/WordPress-Newsletter-1.5-File-Disclosure.html; classtype:web-application-attack; sid:2015499; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/IcedID Requesting Encoded Binary M4"; flow:established,to_server; http.method; content:"GET"; http.start; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cookie|3a 20|__gads="; fast_pattern; http.cookie; content:"__gads="; startswith; content:"|3b 20|_gat="; distance:0; content:"|3b 20|_ga="; distance:0; content:"|3b 20|_u="; distance:0; content:"|3b 20|__io="; distance:0; content:"|3b 20|_gid="; isdataat:!13,relative; pcre:"/^__gads=\d{9,10}:[01]:\d+:\d+(?::\d{2,4})?\x3b\s_gat=(?:10|6)\.[0-3]\.\d{4,6}\.(?:32|64)\x3b\s_ga=\d\.\d+\.\d+\.\d+\x3b\s_u=[0-9A-F]+:[0-9A-F]+\x3b\s__io=\d{2}_\d{9,10}_\d{9,10}_\d{9,10}\x3b\s_gid=[0-9A-F]{12}$/"; http.header_names; bsize:30; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|Host|0d 0a 0d 0a|"; reference:url,sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html; classtype:command-and-control; sid:2030053; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family IcedID, performance_impact Moderate, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin PICA Photo Gallery imgname parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/wp-content/plugins/pica-photo-gallery/picadownload.php?"; nocase; fast_pattern; content:"imgname="; nocase; reference:url,packetstormsecurity.org/files/113404/WordPress-PICA-Photo-Gallery-1.0-File-Disclosure.html; classtype:web-application-attack; sid:2015494; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [NCC/FOX-IT] Possible F5 BIG-IP/BIG-IQ iControl REST RCE Attempt (CVE-2021-22986)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mgmt/tm/util/bash"; nocase; fast_pattern; http.request_body; content:"|22|command|22 3a 20 22|run|22|"; content:"|22|utilCmdArgs|22 3a 20 22|"; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2021_03_cve_2021_22986.txt; reference:cve,2021-22986; classtype:attempted-admin; sid:2032220; rev:1; metadata:created_at 2021_03_19, cve CVE_2021_22986, former_category EXPLOIT, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Edition mod parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/include/we_modules/show.php?"; nocase; content:"mod="; nocase; reference:url,packetstormsecurity.org/files/99789/Web-Edition-6.1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015495; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Successful Bank of America Phish M1 2016-08-31"; flow:to_server,established; http.method; content:"POST"; http.host; content:!".bankofamerica.com"; endswith; http.request_body; content:"csrfTokenHidden="; depth:16; nocase; content:"&lpPasscodeErrorCounter="; nocase; distance:0; content:"&onlineId="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032269; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_08_31, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress church_admin Plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/church-admin/includes/validate.php?"; nocase; fast_pattern; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,securityfocus.com/bid/54329; classtype:web-application-attack; sid:2015496; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (mydrinksare .top)"; flow:established,to_server; tls.sni; content:"mydrinksare.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=file-manager/categories"; nocase; content:"cid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015497; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Proxy Activity"; flow:established,to_server; http.start; content:"CONNECT|20|/_controlPath/|20|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032224; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern; nocase; content:"title="; nocase; pcre:"/^.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_23, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Proxy User-Agent (idk)"; flow:established,to_server; http.user_agent; content:"idk"; bsize:3; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032225; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"gruppe_id="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Ransomware HTTP POST to Onion Link Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".onion.link"; endswith; fast_pattern; http.request_body; content:"data="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-076a; classtype:command-and-control; sid:2032219; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; fast_pattern; distance:0; nocase; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Netbounce Program Wrapper Download"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.uri; content:"/progwrapper.exe"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; content:!"Connect"; reference:url,www.fortinet.com/blog/threat-research/netbounce-threat-actor-tries-bold-approach-to-evade-detection; reference:md5,1b4b013948c9af0260409ce7cb7d107b; classtype:trojan-activity; sid:2032226; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_picasa2gallery controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_picasa2gallery"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/90915/Joomla-Picasa2Gallery-1.2.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015540; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userid="; startswith; fast_pattern; pcre:"/^[A-Z]{256}$/R"; http.header; content:"Content-Transfer-Encoding|3a 20|base64|0d 0a|"; http.header_names; content:!"Referer"; reference:md5,435f83b1ab70c68e34bd523bae4217e0; reference:url,twitter.com/bryceabdo/status/1372895643102969861; classtype:trojan-activity; sid:2032274; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Commentics id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/comments/admin/index.php?"; nocase; content:"page=edit_page"; nocase; content:"id="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/113996/Commentics-2.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015541; rev:3; metadata:created_at 2012_07_27, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android GolfSpy (services4me .net in TLS SNI)"; flow:established,to_server; tls_sni; content:"services4me.net"; isdataat:!1,relative; nocase; reference:md5,a762768c582064880a29934c81e24ba2; classtype:command-and-control; sid:2032270; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_03_22, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Critical, tag Android, updated_at 2021_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress clickdesk-live-support-chat plugin cdwidgetid parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?"; nocase; fast_pattern; content:"cdwidgetid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107255/WordPress-Clickdesk-Live-Support-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015542; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MALWARECAT Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|MALWARECAT"; fast_pattern; reference:md5,bc45f9e3b0a681fb7bc08dbf3c44bcf3; classtype:command-and-control; sid:2032271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpProfiles menu Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/Full_Release/include/body_admin.inc.php?"; nocase; content:"menu="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015543; rev:3; metadata:created_at 2012_07_27, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (habbybearshop .top)"; flow:established,to_server; tls.sni; content:"habbybearshop.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032272; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpProfiles topic_title parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/full_release/community.php?"; nocase; content:"action="; nocase; content:"comm_id="; nocase; content:"topic_title="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015544; rev:3; metadata:created_at 2012_07_27, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (youcanfindmeonthe .top)"; flow:established,to_server; tls.sni; content:"youcanfindmeonthe.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032273; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_pollxt"; nocase; content:"Itemid="; nocase; reference:url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015545; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/tmp?q=6"; endswith; fast_pattern; http.user_agent; content:"|20|Office|20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/ShadowChasing1/status/1372464570183208961; reference:md5,1670bb091dba017606ea5e763072d45f; classtype:trojan-activity; sid:2032275; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress featurific-for-wordpress plugin snum parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/featurific-for-wordpress/cached_image.php?"; nocase; fast_pattern; content:"snum="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107256/WordPress-Featurific-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015536; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_27, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (chMiner/RAT)"; flow:established,to_client; tls.cert_subject; content:"CN=8Yq1.qSt3.S5It.Lbp0"; bsize:22; fast_pattern; reference:url,twitter.com/3xp0rtblog/status/1374080723032887297; reference:md5,102362f98b67ece5b9b3607bebf4125a; classtype:domain-c2; sid:2032276; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TEMENOS T24 skin parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/genrequest.jsp?"; nocase; content:"routineName="; nocase; content:"routineArgs="; nocase; content:"compId="; nocase; content:"skin="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/115126/Temenos-T24-R07.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015572; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (nameyourcatlikeshedeserved .top)"; flow:established,to_server; tls.sni; content:"nameyourcatlikeshedeserved.top"; bsize:30; fast_pattern; classtype:domain-c2; sid:2032312; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_23, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Applications Manager attributeToSelect parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/jsp/ThresholdActionConfiguration.jsp?"; nocase; content:"resourceid="; nocase; content:"attributeIDs="; nocase; content:"attributeToSelect="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,securityfocus.com/bid/54759/; classtype:web-application-attack; sid:2015565; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP klm123.com Spyware User Agent"; flow:established,to_server; http.user_agent; content:"{"; depth:1; fast_pattern; pcre:"/\{[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}\}/i"; http.host; content:!"directory.gladinet.com"; content:!"ff.avast.com"; content:!"ispringsolutions.com"; content:!"cdn.download.comodo.com"; content:!"liveupdate.symantec.com"; content:!"liveupdate.norton.com"; reference:url,doc.emergingthreats.net/2007616; classtype:pup-activity; sid:2007616; rev:17; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2021_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pragmaMx img_url parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/imgpopup/img_popup.php?"; nocase; content:"img_url="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/113035/pragmaMx-1.12.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015571; rev:3; metadata:created_at 2012_08_03, updated_at 2020_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; fast_pattern; reference:url,twitter.com/z0ul_/status/1374121916143919106; reference:md5,4cf6fb8514073319e7759b4f66d13f08; classtype:domain-c2; sid:2032313; rev:1; metadata:attack_target Client_and_Server, created_at 2021_03_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Advanced Text Widget plugin  page parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/advanced-text-widget/advancedtext.php?"; nocase; fast_pattern; content:"page="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107192/WordPress-Advanced-Text-Widget-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015609; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert smtp any any -> any any (msg:"ET MALWARE Suspected Jobcrypter Ransomware Exfil (SMTP)"; flow:to_server,established; content:"|0d 0a|RTEE="; fast_pattern; content:"RRRTC|3a 20|"; pcre:"/^[0-9]{90,180}\r\n/R"; distance:0; reference:md5,4de76198ea4488eae192d0ca4e4bd66b; reference:url,twitter.com/guelfoweb/status/1374042649322209283; classtype:trojan-activity; sid:2032318; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla je-media-player view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/components/je-media-player.html?"; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/91171/Joomla-JE-Media-Player-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015611; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Vantage Velocity Field Unit RCE Inbound (CVE-2020-9020)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/timeconfig.py?"; fast_pattern; content:"|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/; reference:cve,2020-9020; classtype:attempted-admin; sid:2032314; rev:1; metadata:created_at 2021_03_24, cve CVE_2020_9020, former_category EXPLOIT, updated_at 2021_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dirLIST show_scaled_image.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dirLIST_files/gallery_files/show_scaled_image.php?"; nocase; content:"image_path="; nocase; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015612; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Girostat Stealer (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; http.request_body; content:"name=|22|info|22 0d 0a|"; content:"name=|22|debug1|22 0d 0a|"; distance:0; content:"name=|22|debug2|22 0d 0a|"; fast_pattern; content:"filename=|22|"; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,934058124782476cdbe7866c4ceed167; classtype:trojan-activity; sid:2032319; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dirLIST thumb_gen.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dirLIST_files/thumb_gen.php?"; nocase; content:"image_path="; nocase; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015613; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (onthewire1 .top)"; flow:established,to_server; tls.sni; content:"onthewire1.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BaglerCMS articleID parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/baglercms.php?"; nocase; content:"articleID="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,1337day.com/exploits/18221; classtype:web-application-attack; sid:2015614; rev:3; metadata:created_at 2012_08_10, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (companyllc .top)"; flow:established,to_server; tls.sni; content:"companyllc.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress LiveGrounds plugin uid parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/livegrounds/lg_crop.php?"; nocase; fast_pattern; content:"uid="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,1337day.com/exploits/18932; classtype:web-application-attack; sid:2015615; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (rpirpiwhyyouleaveyourhorse .top)"; flow:established,to_server; tls.sni; content:"rpirpiwhyyouleaveyourhorse.top"; bsize:30; fast_pattern; classtype:domain-c2; sid:2032317; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/lanoba-social-plugin/index.php?"; nocase; fast_pattern; content:"action="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015610; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_08_10, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HiddenTears Ransomware Activity (GET)"; flow:established,to_server; urilen:13; http.method; content:"GET"; http.uri; content:"/alertmsg.zip"; fast_pattern; http.host; content:".tk"; endswith; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,eabb920f75c2943113713849878a6dfb; reference:md5,28b0ef0c832916a852ddf0c3c5427be3; classtype:trojan-activity; sid:2032320; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_24, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2021_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/gui/link.php?"; nocase; content:"IP="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015637; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Atom Logger exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|["; content:"|20 7c 20|Atom Logger"; within:100; fast_pattern; reference:md5,78bd897a638e7c0d3c00c31c8c68f18b; classtype:trojan-activity; sid:2026825; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_17, deployment Perimeter, former_category TROJAN, malware_family AtomLogger, performance_impact Moderate, signature_severity Major, updated_at 2021_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"IP="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015638; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/MID/32546678/dn.php?client_id="; fast_pattern; startswith; content:"&prefix="; distance:0; reference:url,twitter.com/ShadowChasing1/status/1374750091001491458; reference:md5,c578189efd31c06b494b78c168cf84dd; classtype:trojan-activity; sid:2032329; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"wgDekiPluginPath="; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015639; rev:4; metadata:created_at 2012_08_17, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity"; flow:established,to_server; http.method; content:"GET"; http.start; content:".js|20|HTTP/1.1|0d 0a|Cookie|3a 20|SSID="; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\r\n/R"; reference:md5,653b45c576c89c00a164b51e23732957; reference:url,twitter.com/z0ul_/status/1374724622508245008; classtype:trojan-activity; sid:2032330; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/web/deki/gui/link.php?"; nocase; content:"IP="; nocase; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015640; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Black KingDom Ransomware Related Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpn-service/"; startswith; content:"crunchyroll-vpn"; endswith; fast_pattern; pcre:"/^\/vpn-service\/[a-z]{15}\/crunchyroll-vpn$/"; reference:url,news.sophos.com/en-us/2021/03/23/black-kingdom/; classtype:trojan-activity; sid:2032331; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_03_25, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"IP="; nocase; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015641; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert udp any any -> $HOME_NET 1900 (msg:"ET EXPLOIT DD-WRT UPNP Unauthenticated Buffer Overflow (CVE-2021-27137)"; content:"M-SEARCH|20|"; startswith; content:"|0d 0a|ST|3a|"; nocase; fast_pattern; content:"uuid|3a|"; distance:0; within:6; pcre:"/^[^\r\n]{128,}\r\n/R"; reference:url,ssd-disclosure.com/ssd-advisory-dd-wrt-upnp-buffer-overflow/; reference:cve,2021-27137; classtype:attempted-admin; sid:2032326; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_25, cve CVE_2021_27137, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/web/deki/plugins/deki_plugin.php?"; nocase; content:"wgDekiPluginPath="; nocase; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015642; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Agent.NSU CnC Activity M2"; flow:established,to_server; http.request_line; content:"POST /?z="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"zone="; startswith; content:"&rb="; distance:0; content:"&hil="; distance:0; content:"&wgl="; distance:0; reference:md5,d29f4467c54f688c8903d2e365f3ba8f; classtype:pup-activity; sid:2032327; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_g2bridge"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015645; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_17, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FFDroider CnC Activity M2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/seemorebty/"; fast_pattern; content:".php?e="; distance:0; http.referer; content:"https://www.facebook.com"; reference:md5,ffceece2e297cf5769a35bf387c310ef; reference:url,www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users; classtype:command-and-control; sid:2035798; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; http.uri; content:"/show.php?"; nocase; content:"id="; nocase; content:"UNION"; distance:0; nocase; pcre:"/id=-?\d+\s+UNION\s/i"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING ANTIBOT Phishing Panel Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>PANEL ANTIBOT"; nocase; fast_pattern; content:">Real Visitor Detection Manager"; nocase; distance:0; classtype:web-application-attack; sid:2032322; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_25, deployment Perimeter, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/picmgmt.inc.php?"; nocase; content:"output="; nocase; pcre:"/output=\w/i"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:5; metadata:created_at 2011_02_25, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ANTIBOT Phishing Panel Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>PANEL ANTIBOT"; nocase; fast_pattern; content:">Real Visitor Detection Manager"; nocase; distance:0; classtype:web-application-attack; sid:2032323; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_03_25, deployment Perimeter, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/picmgmt.inc.php?"; nocase; content:"retva="; nocase; pcre:"/^\w/Ri"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:5; metadata:created_at 2011_02_25, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/boxes?nid="; fast_pattern; startswith; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,91b9c9db4916b7e416da074e29a36082; classtype:trojan-activity; sid:2032332; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config/custom/base.ini.php?"; nocase; content:"x="; nocase; pcre:"/^\w/Ri"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:5; metadata:created_at 2011_04_22, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Small.CLJ CnC Activity"; flow:established,to_server; http.start; content:"GET /"; startswith; content:"|20|HTTP/1.1|0d 0a|Referer|3a 20|Microsoft|20|Windows|20|"; fast_pattern; http.user_agent; content:"@"; http.header_names; content:"|0d 0a|Referer|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:43; reference:md5,fb7f916531e239c8a705249d93b48598; classtype:trojan-activity; sid:2032328; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_25;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/src/slooz.php?"; nocase; content:"file="; nocase; pcre:"/^\w/Ri"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:4; metadata:created_at 2011_05_20, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL"; nocase; fast_pattern; classtype:web-application-attack; sid:2030588; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/is-human/engine.php?"; nocase; content:"action="; nocase; content:"type="; nocase; pcre:"/^\w/Ri"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_05_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>FREAKZBROTHERS - PANEL"; nocase; fast_pattern; classtype:web-application-attack; sid:2030589; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/telecharger.php?"; nocase; content:"Fichier_a_telecharger="; nocase; pcre:"/^\w/Ri"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:4; metadata:created_at 2011_06_07, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Login Panel</title>"; fast_pattern; content:"background-color|3a 20|#000000"; distance:0; content:"text-center|22|>Login to Panel</div>"; distance:0; content:"class=|22|form-control|22 20|id=|22|key|22 20|name=|22|key|22 20|placeholder=|22|Private Key|22|"; distance:0; classtype:web-application-attack; sid:2032324; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/awstatstotals.php?"; nocase; content:"sort="; nocase; pcre:"/^\w/Ri"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:4; metadata:created_at 2011_06_10, updated_at 2020_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Login Panel</title>"; fast_pattern; content:"background-color|3a 20|#000000"; distance:0; content:"text-center|22|>Login to Panel</div>"; distance:0; content:"class=|22|form-control|22 20|id=|22|key|22 20|name=|22|key|22 20|placeholder=|22|Private Key|22|"; distance:0; classtype:web-application-attack; sid:2032325; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_03_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; content:"cmd="; nocase; pcre:"/cmd=\w/i"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:6; metadata:created_at 2012_01_02, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/copyright.js"; bsize:13; fast_pattern; http.cookie; content:"SSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,653b45c576c89c00a164b51e23732957; classtype:trojan-activity; sid:2032337; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,CVE-2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4; metadata:created_at 2012_09_28, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Forums?listinfo="; fast_pattern; startswith; http.cookie; content:"made_write_conn="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,49ebd0be7e33c59ee584cb8601093775; classtype:trojan-activity; sid:2032338; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; http.uri; content:"/phptax/"; nocase; content:"&pfilez="; nocase; classtype:web-application-attack; sid:2015794; rev:3; metadata:created_at 2012_10_12, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (videomart .top)"; flow:established,to_server; tls.sni; content:"videomart.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_03_26, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; http.uri; content:"/core/DataTable/Filter/Megre.php"; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:3; metadata:created_at 2012_11_28, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ku?disable="; startswith; fast_pattern; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,661bdbab0140cf3bed508a14c2c5804a; classtype:trojan-activity; sid:2032339; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/tests/test_tools/functional_tests.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE X-Files Stealer CnC Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/log.php"; endswith; http.request_body; content:"form-data|3b 20|name=userfile|3b 20|filename="; content:"Stealer|5c|"; distance:0; fast_pattern; reference:md5,b572ed0bf3030cbb18d8af16e2c7e2c2; classtype:trojan-activity; sid:2032333; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_26, former_category MALWARE, signature_severity Major, updated_at 2021_03_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/demos/time-tracker/tests/functional.php?"; nocase; content:"sr="; nocase; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; content:"|20|/logo|20|HTTP/1."; fast_pattern; http.method; content:"GET"; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|"; startswith; reference:md5,45ec8cee2c028e47d3bba2e14a93a957; classtype:trojan-activity; sid:2032336; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; http.uri; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; pcre:"/(?:\?|&)(?:host|service|opt|end|start)=[^&]+?\x60.+?\x60/i"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|SSID="; fast_pattern; pcre:"/^SSID=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/C"; http.method; content:"GET"; http.uri; content:".css"; endswith; http.header_names; content:"User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,9e97ace1f585b0914f99fde7014ed8c5; classtype:trojan-activity; sid:2032335; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; fast_pattern; content:"wpp="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Valyria Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/naw15?"; fast_pattern; pcre:"/^(?:id|tfzT)=/R"; http.header_names; content:!"Referer"; reference:md5,0c4578dac4ae278beabbfe18a8c37efb; reference:md5,5154a6f3a5c93337a8a390e63b1448f8; classtype:trojan-activity; sid:2032343; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?"; nocase; fast_pattern; content:"wpp="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016038; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http any any -> any any (msg:"ET WEB_SERVER Babydraco WebShell Activity"; flow:established,to_server; http.uri; content:"/owa/auth/babydraco.aspx"; bsize:24; fast_pattern; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:attempted-admin; sid:2032344; rev:1; metadata:created_at 2021_03_29, former_category WEB_SERVER, updated_at 2021_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/includes/download.php?"; nocase; content:"f="; nocase; reference:url,packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016042; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Win32/Unk Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=arganaif.org"; bsize:15; fast_pattern; tls.cert_issuer; content:"C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority"; bsize:79; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:domain-c2; sid:2032341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_03_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_03_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/windows/code.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016043; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET WEB_CLIENT Exchange Webshell CnC Domain in DNS Lookup"; dns.query; content:"brian.krebsonsecurity.top"; nocase; bsize:25; reference:url,krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/; classtype:domain-c2; sid:2032345; rev:1; metadata:created_at 2021_03_29, former_category WEB_CLIENT, updated_at 2021_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/windows/function.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016044; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|type|22 3a 20 22|javascript|22|"; fast_pattern; content:"|22|function|22 3a 20|"; pcre:"/^\x22[^\x22]*\x7b[^\x22]*\x7d[^\x22]*\x22[^\x22]*\x22{2}/Rm"; reference:cve,2021-25646; classtype:attempted-admin; sid:2032340; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2021_03_29, cve CVE_2021_25646, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase; fast_pattern; content:"headline="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2016045; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-#alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26877)"; content:"|2e 95|"; offset:2; depth:2; content:"|00 10 00 01|"; distance:0; fast_pattern; byte_extract:1,5,data_len,relative; byte_test:1,>,data_len,0,relative; reference:cve,2021-26877; classtype:attempted-admin; sid:2032347; rev:2; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26877, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=video-lead-form"; nocase; fast_pattern; content:"errMsg="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016076; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_04_22;)
 
-alert tcp any any -> $DNS_SERVERS 53 (msg:"ET EXPLOIT Windows DNS Server RCE Attempt Inbound (CVE-2021-26897)"; dsize:>1300; content:"|29 00|"; offset:2; depth:2; threshold:type limit, count 45, seconds 90, track by_src; reference:cve,2021-26897; classtype:attempted-admin; sid:2032348; rev:1; metadata:attack_target DNS_Server, created_at 2021_03_30, cve CVE_2021_26897, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plist.php?albumid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016077; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; http.user_agent; content:!"Mozilla/"; content:"-"; offset:4; depth:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; bsize:19; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032349; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; nocase; http.uri; content:"/force-download.php?file="; nocase; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016078; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?file="; http.accept_lang; content:"ru|2d|RU|2c|ru|3b|q|3d|0|2e|9|2c|en|3b|q|3d|0|2e|8"; bsize:23; http.user_agent; content:"TAKEMIX"; bsize:7; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"action=admin"; nocase; content:"include="; nocase; reference:url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016079; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Amazon Profile) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/g/rfer=nmn_fr_gees_1/42-332638-0264389/field-keywords=toys"; fast_pattern; http.cookie; content:"skin=noskin|3b|"; startswith; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,5ac5656269d2dd45405a153dca591ede; classtype:trojan-activity; sid:2032353; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016080; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Related Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ZP/MIKV.php"; bsize:12; fast_pattern; http.user_agent; content:"Embarcadero|20|URI|20|Client/1.0"; bsize:26; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/ESETresearch/status/1376490532445294594; reference:md5,ad8fd5461bec26b97cdfc0b05028bfc0; reference:md5,1e4b45e2ab5c679f9e983da1c135ab5e; reference:md5,34db9c98f3149d98bf0a562ce2ef5344; classtype:trojan-activity; sid:2032356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_03_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/zp-core/zp-extensions/zenpage/admin-news-articles.php?"; nocase; content:"date="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016081; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Request for EXE via GO HTTP Client"; flow:established,to_server; http.request_line; content:".exe HTTP/"; http.user_agent; content:"Go-http-client/"; startswith; classtype:misc-activity; sid:2032355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=tokenmanageredit"; nocase; fast_pattern; content:"tid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016082; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?usersearch="; fast_pattern; http.cookie; content:"reg_fb_gate="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:url,twitter.com/z0ul_/status/1377385770470703106; reference:md5,c5668ee76cb9a9a5c4837eb0049c005b; classtype:trojan-activity; sid:2032360; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?"; nocase; content:"page=tokenmanagertypeedit"; nocase; fast_pattern; content:"tid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016083; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP DriverPack Domain in DNS Query"; dns.query; content:"drp.su"; nocase; endswith; classtype:pup-activity; sid:2032357; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2021_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dbInfo"; nocase; content:"dbInfoRequest"; nocase; content:"searchStr"; nocase; pcre:"/(?:\x3c|\x253c)dbInfo(?:\x3e|\x253e)[\r\n\s]*?(?:\x3c|\x253c)dbInfoRequest(?:\x3e|\x253e).+?(?:\x3c|\x253c)searchStr(?:\x3e|\x253e)((?!(?:\x3c|\x253c)(?:\/|\x252f)searchStr(?:\x3e|\x253e)).)+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)).+?(?:\x3c|\x253c)(?:\/|\x252f)searchStr(?:\x3e|\x253e)/si"; reference:url,securelist.com/en/advisories/51615; reference:url,seclists.org/bugtraq/2012/Dec/110; classtype:web-application-attack; sid:2016086; rev:3; metadata:created_at 2012_12_21, updated_at 2020_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".wm01.to"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/; reference:md5,b44898666f0f07e9fae379b6e88a331c; reference:md5,e91bbe677636002682dbcc430fc1065b; classtype:domain-c2; sid:2032361; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory"; flow:established,to_server; http.uri; content:"/wp-content/w3tc/dbcache"; nocase; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:trojan-activity; sid:2016100; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".gif?utmac="; fast_pattern; content:"&utmcn="; distance:0; content:"&utmcs="; distance:0; http.header_names; content:!"Referer"; reference:url,twitter.com/MichalKoczwara/status/1377651431478595588; reference:md5,db9214c2f8340ceba664800481f0ca08; classtype:trojan-activity; sid:2032362; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/wp-property/third-party/uploadify/uploadify.php"; nocase; http.request_body; content:"Filedata"; nocase; reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; classtype:web-application-attack; sid:2016109; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-#alert tcp any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible OpenSSL TLSv1.2 DoS Inbound (CVE-2021-3449)"; flow:established,to_server; tls.version:1.2; ssl_state:client_hello; content:!"|00 0d|"; content:"|00 32 00|"; content:"|ff 01 00 01 00|"; distance:0; fast_pattern; reference:cve,2021-3449; classtype:denial-of-service; sid:2032358; rev:1; metadata:affected_product OpenSSL, created_at 2021_04_01, cve CVE_2021_3449, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/?cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016114; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for EXE from DigitalOcean Spaces"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:".digitaloceanspaces.com"; endswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:bad-unknown; sid:2032359; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Child_Page?"; nocase; content:"cmd=new_section"; nocase; fast_pattern; content:"section="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016115; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious HTTP Request to .bit domain"; flow:to_server,established; http.host; content:".bit"; fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/R"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:5; metadata:created_at 2014_01_24, former_category HUNTING, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/index.php/Admin_Theme_Content?"; nocase; content:"cmd=edittext"; nocase; fast_pattern; content:"key="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016116; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Control Panel Applet File Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"CPlApplet"; fast_pattern; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/bb776392%28v=vs.85%29.aspx; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf; classtype:policy-violation; sid:2018087; rev:3; metadata:created_at 2014_02_07, updated_at 2021_04_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/pages/links.php?"; nocase; content:"configpath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016120; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Nitro Stealer Exfil Activity (Response)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"is_bot|22 3a|"; content:"|2c 22|username|22 3a 22|nitronotification_bot|22|"; fast_pattern; reference:url,app.any.run/tasks/ab993f27-958c-4ab4-8da4-0bcd7fe35fcd/; reference:url,twitter.com/James_inthe_box/status/1378044484089376768; reference:md5,95b98ecb440a23daefc5c12d0edfa048; classtype:trojan-activity; sid:2032418; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; fast_pattern; content:"ru_folder="; nocase; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016121; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible PurpleFox EK Redirect M2"; flow:established,to_client; http.stat_code; content:"302"; http.location; content:"?key="; fast_pattern; content:"&id="; distance:16; within:4; content:"&gid="; pcre:"/key=[A-F0-9]{16}&id=\d+&gid=[A-F0-9\-]+$/"; file.data; content:"<body>"; content:"<a HREF=|22|http"; distance:0; content:"?key="; within:400; pcre:"/^[A-F0-9]{16}(?:&|&amp\x3b)id=\d+(?:&|&amp\x3b)gid=[A-F0-9\-]+\x22>/R"; content:!"<html>"; reference:url,twitter.com/nao_sec/status/1378546891349106692; classtype:exploit-kit; sid:2032480; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/asktheoracle.php?"; nocase; fast_pattern; content:"type="; nocase; content:"oracle_query="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016122; rev:3; metadata:created_at 2012_12_29, updated_at 2020_04_22;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Suspicious GitHack TLS SNI Request - Possible PurpleFox EK"; flow:established,to_server; tls.sni; content:".githack."; content:!".githack.com"; endswith;  classtype:exploit-kit; sid:2032481; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, performance_impact Low, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; fast_pattern; content:"path="; nocase; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016123; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Killbot JS Configuration - Possible Phishing"; flow:established,to_client; file.data; content:"const killbot"; nocase; content:"apiKey|3a|"; nocase; content:"botRedirection|3a|"; nocase; content:"killbot-security.js"; nocase; fast_pattern; reference:url,killbot.org; classtype:misc-activity; sid:2032468; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category INFO, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2"; flow:to_server,established; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/brightmail/admin/restore/download.do?"; content:"&localBackupFileSelection="; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00; classtype:attempted-user; sid:2016119; rev:4; metadata:created_at 2012_12_04, updated_at 2020_04_22;)
 
-alert dns $HOME_NET any -> any any (msg:"ET EXPLOIT_KIT Suspicious GitHack DNS Request - Possible PurpleFox EK"; flow:established,to_server; dns.query; content:".githack."; content:!".githack.com"; endswith; classtype:exploit-kit; sid:2032482; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category EXPLOIT_KIT, malware_family PurpleFox, signature_severity Major, tag Exploit_Kit, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Advanced Custom Fields Remote File Inclusion"; flow:established,to_server; http.uri; content:"/wp-content/plugins/advanced-custom-fields/core/actions/export.php"; nocase; fast_pattern; http.request_body; content:"abspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; classtype:attempted-user; sid:2016148; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_04, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Sparkasse Phishing Domain 2021-04-05"; flow:to_server,established; threshold: type limit, count 1, track by_src, seconds 30; http.method; content:"GET"; http.host; content:"sparkasse.de"; fast_pattern; isdataat:20,relative; classtype:social-engineering; sid:2032469; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mail/filters/editfilter.html?"; nocase; content:"account="; nocase; content:"filtername="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57061; classtype:web-application-attack; sid:2016157; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (tk) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".tk"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032470; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/wp-content/plugins/google-document-embedder/libs/pdf.php?"; nocase; fast_pattern; content:"file="; nocase; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (ml) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ml"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032471; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability"; flow:established,to_server; http.uri; content:"/SSI.php?ssi_function="; nocase; reference:url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html; classtype:web-application-attack; sid:2016159; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (gq) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".gq"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032472; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/green/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016163; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (ga) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".ga"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032473; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/style/blue/get_templet.php?"; nocase; content:"MyStyle[StylePath]="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016164; rev:3; metadata:created_at 2013_01_05, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (cf) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".cf"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032474; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/x3/files/dir.html?"; nocase; fast_pattern; content:"showhidden="; nocase; content:"dir="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57064; classtype:web-application-attack; sid:2016165; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_22;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING HTTP POST Contains Only Password (xyz) 2021-04-05"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xyz"; isdataat:!1,relative; http.request_body; content:"password="; nocase; depth:9; fast_pattern; content:!"&"; distance:0; classtype:credential-theft; sid:2032475; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/nextgen-gallery/nggallery.php?"; nocase; fast_pattern; content:"test-head="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016194; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Mamalo Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/browser-rejector/rejectr.js.php?"; nocase; fast_pattern; content:"wppath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51739/; classtype:web-application-attack; sid:2016195; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_22;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Mamalo Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032477; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; http.uri; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; content:"topic="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on External Server"; flow:established,to_client; file.data; content:"<title>Tehran Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032478; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/src/userchange.php?"; nocase; content:"op=changeview"; nocase; fast_pattern; content:"viewid="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,secunia.com/advisories/51816/; classtype:web-application-attack; sid:2016199; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Panel Accessed on Internal Server"; flow:established,to_client; file.data; content:"<title>Tehran Phishing"; nocase; fast_pattern; classtype:web-application-attack; sid:2032479; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016200; rev:4; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A Ransomware CnC Init Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?gen&session-id="; fast_pattern; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/Rs"; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; content:!"User-Agent"; reference:md5,b306115dc9c137b0fa455a9ce1708917; classtype:trojan-activity; sid:2032419; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/edit.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016201; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/MereTam.A Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?submit"; http.request_body; content:"session-id="; depth:11; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/Rs"; content:"&id="; distance:0; within:4; content:"&country="; content:"&operatingSystem="; content:"&cpuModel="; content:"&machineName="; content:"&randomAccessMemory="; fast_pattern; http.header_names; content:!"Accept"; content:!"Cache-"; content:!"Referer"; content:!"User-Agent"; reference:md5,b306115dc9c137b0fa455a9ce1708917; classtype:trojan-activity; sid:2032420; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_04_05, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt"; flow:established,to_server; http.uri; content:"/js/tiny_mce/plugins/tinybrowser/upload.php?"; nocase; content:"type="; nocase; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016202; rev:3; metadata:created_at 2013_01_12, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Template Download"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:"/jack/"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9]{32}\.dot$/R"; http.user_agent; content:"Microsoft Office"; http.header_names; content:!"Referer"; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:md5,8cc87eb3667aecc1bd41018f00aca559; reference:md5,d4b45f7a937139e05f386a8ad0aba04e; reference:md5,5fdcbb85733f9e8686d582b2f1459961; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032483; rev:1; metadata:created_at 2021_04_05, former_category MALWARE, malware_family DonotGroup, updated_at 2021_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/gallery-plugin/gallery-plugin.php?"; nocase; fast_pattern; content:"filename_1="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57256/; classtype:web-application-attack; sid:2016203; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_12, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP Version Number"; flow:established,to_server; http.protocol; content:"|28 29 20 7b|"; startswith; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019236; rev:6; metadata:created_at 2014_09_25, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Age Verification plugin redirect_to Parameter URI Redirection"; flow:established,to_server; http.uri; content:"/wp-content/plugins/age-verification/age-verification.php?"; nocase; fast_pattern; content:"redirect_to="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/51357/; classtype:web-application-attack; sid:2016230; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cartweaver 3 Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/helpfiles/AdminHelp.php?"; nocase; content:"helpFileName="; nocase; reference:url,packetstormsecurity.com/files/117370/Cartweaver-3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016231; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mu Perspectives Cms id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/site_news.php?id="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/116148/Mu-Perspectives-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016234; rev:4; metadata:created_at 2013_01_18, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011110; classtype:web-application-attack; sid:2011110; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Security.php XSS Attempt"; flow:established,to_server; http.uri; content:"/com_incapsula/assets/tips/en/Security.php?"; nocase; fast_pattern; content:"token="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016238; rev:3; metadata:created_at 2013_01_18, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011111; classtype:web-application-attack; sid:2011111; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Performance.php file XSS Attempt"; flow:established,to_server; http.uri; content:"/com_incapsula/assets/tips/en/Performance.php?"; nocase; fast_pattern; content:"token="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016239; rev:3; metadata:created_at 2013_01_18, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011112; classtype:web-application-attack; sid:2011112; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_bit controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bit"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.com/files/118943/Joomla-Bit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016232; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<img src=|22|file/cip.php?rand="; nocase; fast_pattern; content:"id=|27|capisimg|27|"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|capis|22|"; nocase; distance:0; classtype:social-engineering; sid:2032509; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_ztautolink controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_ztautolink"; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.com/files/118944/Joomla-ZtAutoLink-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016233; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (lifemaindecision .top)"; flow:established,to_server; tls.sni; content:"lifemaindecision.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2032524; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin.php?_g=filemanager/language"; nocase; fast_pattern; content:"loc="; nocase; reference:url,packetstormsecurity.com/files/119082/CubeCart-4.4.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016284; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Hidden Text - Possible Phishing Landing"; flow:established,to_client; file.data; content:"<span style='font-size:0px|3b|'>"; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; content:"<span style='font-size:0px|3b|'>"; within:75; classtype:social-engineering; sid:2032510; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GetSimple CMS path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/filebrowser.php?"; nocase; fast_pattern; content:"path="; nocase; reference:url,packetstormsecurity.com/files/115302/GetSimple-CMS-3.1.2-Local-File-Inclusion-Path-Disclosure.html; classtype:web-application-attack; sid:2016285; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"id='captcha_image' name='captcha_image' src='captcha.php?rand="; nocase; content:"placeholder='Enter Code' style='text-align:center|3b|' class='input' name='captcha'"; nocase; distance:0; content:"function refreshCaptcha(){"; nocase; distance:0; classtype:social-engineering; sid:2032511; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Banana Dance name Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/functions/ajax.php?"; nocase; content:"action="; nocase; content:"name="; nocase; reference:url,packetstormsecurity.com/files/118964/Banana-Dance-B.2.6-Inclusion-Access-Control-SQL-Injection.html; classtype:web-application-attack; sid:2016287; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Office Related Appspot Hosted Shared Document Phishing Landing"; flow:established,to_client; file.data; content:"script language=javascript>document.write(unescape("; nocase; content:"href%3D%22https%3A//fonts.googleapis.com/"; nocase; distance:0; content:"stylesheet%22%3E%20%3Cscript%20src%3D%22https%3A//kit.fontawesome.com/"; nocase; distance:0; content:"____rdr%20%3D%20%27https%3A//www.office.com/"; nocase; distance:0; content:"var%20LIB_view%20%3D%20%27PGRpdiBjbGFzcz0iY"; nocase; distance:0; fast_pattern; classtype:social-engineering; sid:2032512; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/data/file/edit.php?"; nocase; content:"hybridid="; nocase; content:"result="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016282; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Account Redirect to Phishing Landing"; flow:established,to_client; file.data; content:"<title>Review|3a 20 20|0ffice365"; fast_pattern; nocase; content:"<script type=|22|text/javascript|22|>window.location.href"; distance:0; nocase; classtype:social-engineering; sid:2032513; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/users/users.php?"; nocase; content:"type="; nocase; content:"keyword="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016283; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2022_04_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"/////url email getting//////"; fast_pattern; nocase; content:"ind=my_email.indexOf(|22|@|22|"; distance:0; content:"///////new injection//////"; distance:0; nocase; classtype:social-engineering; sid:2032514; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/post_message_form.asp?"; nocase; content:"ForumID="; nocase; content:"ThreadPage="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016290; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand Ajax XHR CredPost Phishing Landing"; flow:established,to_client; file.data; content:"$.ajax({|0d 0a|"; content:"dataType|3a 20|'JSON',|0d 0a|"; within:50; content:"url|3a|"; within:50; content:".php',|0d 0a|"; within:500; content:"type|3a 20|'POST',|0d 0a|"; within:50; fast_pattern; content:"data|3a|{|0d 0a|"; within:50; content:"function(xhr"; distance:0; classtype:social-engineering; sid:2032515; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Major, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/phpminiadmin.php?"; nocase; fast_pattern; content:"XSS="; nocase; content:"db="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,cxsecurity.com/issue/WLB-2013010179; classtype:web-application-attack; sid:2016291; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"//////url getting ai//////"; fast_pattern; nocase; content:"var my_ai = ai|3b|"; distance:0; nocase; content:"my_ai.indexOf(|22|@|22|"; distance:0; nocase; classtype:social-engineering; sid:2032516; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"script"; nocase; content:"Submit"; nocase; content:"Runtime"; nocase; content:"getRuntime"; nocase; distance:0; content:".exec"; nocase; classtype:attempted-user; sid:2016294; rev:11; metadata:created_at 2013_01_25, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Multibrand NewInjection Phishing Landing Template"; flow:established,to_client; file.data; content:"/////url ai getting//////"; fast_pattern; nocase; content:"///////url getting ai///////"; distance:0; nocase; classtype:social-engineering; sid:2032517; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"cmd.exe"; fast_pattern; classtype:attempted-user; sid:2016295; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Bank Captcha Phishing Landing"; flow:established,to_client; file.data; content:"<img src=|22|files/cps.php?rand="; nocase; fast_pattern; content:"id='cpsaimg'"; nocase; distance:0; content:"placeholder=|22|Captcha code|22 20|class=|22|input|22 20|name=|22|caps|22|"; nocase; distance:0; classtype:social-engineering; sid:2032518; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, signature_severity Minor, tag Phishing, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/script"; nocase; pcre:"/^\/?$/R"; http.request_body; content:"sun.misc.BASE64Decoder"; nocase; content:".decodeBuffer"; nocase; content:"/bin/sh"; fast_pattern; classtype:attempted-user; sid:2016296; rev:8; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_01_25, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/forum_members.asp?"; nocase; content:"find="; nocase; content:"ForumID="; nocase; pcre:"/^.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ri"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016289; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<center><h1>IDBTE4M CODE 87</h1><br>[uname] Linux"; nocase; fast_pattern; classtype:web-application-attack; sid:2032520; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, signature_severity Major, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass file Parameter Remote File Access Attempt"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=upgrade"; nocase; content:"file="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016334; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032521; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, signature_severity Major, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 1"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=enable_category"; nocase; fast_pattern; content:"id="; nocase; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016335; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"FoxWSO v1</title>"; fast_pattern; nocase; content:"function encrypt("; distance:0; classtype:web-application-attack; sid:2032522; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_06, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 2"; flow:established,to_server; http.uri; content:"/oc-admin/index.php?"; nocase; content:"page="; nocase; content:"action=edit_category_post"; nocase; fast_pattern; content:"id="; nocase; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016336; rev:3; metadata:created_at 2013_02_01, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Western Union Phish 2016-09-27"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&txtCaptcha="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032633; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern; nocase; content:"h="; nocase; content:"src="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016338; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pult Downloader Activity"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|UserAgent|3a|Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|"; fast_pattern; reference:md5,82e3981303bee2eff6d1af17ad51eb32; reference:url,twitter.com/ShadowChasing1/status/1379048935969316871; classtype:trojan-activity; sid:2032525; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_06, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2021_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMSQLITE id parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/mediaAdmin.php?"; nocase; content:"id="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016339; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats Related VBS Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xx/f_Skoifa.vbs"; fast_pattern; bsize:16; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; reference:url,www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt; reference:md5,27d85a6aff129deb07048a735de1c884; classtype:trojan-activity; sid:2032530; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Molerats, performance_impact Low, signature_severity Major, updated_at 2021_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMSQLITE mediaAdmin.php file Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/mediaAdmin.php?"; nocase; content:"d="; nocase; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016340; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Python RAT (Aurora Campaign))"; flow:established,to_client; tls.cert_subject; content:"C=MK, ST=MikoState, L=MikoCity, O=Miko LLC, OU=Miko, CN=Foo Bar"; bsize:63; fast_pattern; reference:url,blog.malwarebytes.com/threat-analysis/2021/04/aurora-campaign-attacking-azerbaijan-using-multiple-rats/; classtype:domain-c2; sid:2032528; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_and_Server, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Audio Player Plugin playerID parameter XSS attempt in swf"; flow:established,to_server; http.uri; content:"/wp-content/plugins/audio-player/assets/player.swf?"; nocase; fast_pattern; content:"playerID="; nocase; pcre:"/^.+\)\)\}catch\(.+\)\{/Ri"; reference:url,packetstormsecurity.com/files/120129/WordPress-Audio-Player-SWF-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016383; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT)"; flow:established,to_client; tls.cert_issuer; content:"CN=DcRat Server"; fast_pattern; reference:md5,c57460b4d595a97fd37211e5087b2557; classtype:domain-c2; sid:2034847; rev:1; metadata:attack_target Client_and_Server, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/extra/contacts/DownloadMailAttach.php?"; nocase; content:"file="; nocase; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016388; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (heroofthe .top)"; flow:established,to_server; tls.sni; content:"heroofthe.top"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032529; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteGo OpenFolder parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/admin/extra/StyleManager/EditFile.php?"; nocase; content:"OpenFolder="; nocase; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016389; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_04_23;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Generic Phish (set) 2021-04-08"; flow:to_server,established; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"emid="; depth:5; nocase; fast_pattern; content:"&epass="; nocase; distance:0; pcre:"/^emid=[^&]*&epass/i"; classtype:credential-theft; sid:2032532; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Glossword gw_admin.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/1.8/gw_admin.php?a="; nocase; fast_pattern; content:"t="; nocase; pcre:"/a\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.com/files/120045/Glossword-1.8.12-XSS-CSRF-Shell-Upload-Database-Disclosure.html; classtype:web-application-attack; sid:2016390; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_04_23;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Trend Micro IWSVA Unauthenticated Command Injection Inbound (CVE-2020-8466)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"uid="; startswith; content:"passwd=|60|"; fast_pattern; reference:url,packetstormsecurity.com/files/160602/Trend-Micro-IWSVA-CSRF-XSS-Bypass-SSRF-Code-Execution.html; reference:cve,2020-8466; classtype:attempted-admin; sid:2032533; rev:1; metadata:attack_target Server, created_at 2021_04_08, cve CVE_2020_8466, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-ecommerce-shop-styling/includes/generate-pdf.php?"; nocase; fast_pattern; content:"dompdf="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,secunia.com/advisories/51707/; classtype:web-application-attack; sid:2016381; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_23;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hierarchicalfiles .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hierarchicalfiles.com"; bsize:21; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032534; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; http.request_body; content:"_ajax_nonce="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_08, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (resolutionplatform .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resolutionplatform.com"; bsize:22; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032535; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value"; flow:to_server,established; http.uri; content:".php?"; nocase; content:"=AES_ENCRYPT("; nocase; distance:0; reference:url,localhost.re/p/whmcs-527-vulnerability; classtype:attempted-admin; sid:2017560; rev:5; metadata:created_at 2013_10_05, updated_at 2020_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (pulmonyarea .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"pulmonyarea.com"; bsize:15; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032536; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection"; flow:established,to_server; http.uri; content:"[sqltype]="; nocase; content:"[value]="; nocase; content:".php?"; nocase; reference:url,localhost.re/res/whmcs2.py; classtype:attempted-admin; sid:2017622; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_10_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hardwareoption .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hardwareoption.com"; bsize:18; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1380150818914119681; classtype:targeted-activity; sid:2032537; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt"; flow:to_server,established; http.method; content:"HEAD"; nocase; http.uri; content:"/ctc/"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017802; rev:4; metadata:created_at 2013_12_06, updated_at 2020_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Domain in TLS SNI (shehootastayonwhatshelirned .top)"; flow:established,to_server; tls.sni; content:"shehootastayonwhatshelirned.top"; bsize:31; fast_pattern; classtype:domain-c2; sid:2032538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/lib/admin/media-upload"; pcre:"/^(?:-lncthumb|-sq_button)?\.php/Ri"; http.request_body; content:"<?"; content:".php"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017853; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_12_13, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_04_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (applicationrepo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"applicationrepo.com"; bsize:19; fast_pattern; reference:md5,60e9f401ea30605d57cdc821533d9675; reference:url,twitter.com/RedBeardIOCs/status/1379422249590128646; classtype:targeted-activity; sid:2032539; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:to_server,established; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/Ii"; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:3; metadata:created_at 2014_02_22, updated_at 2020_04_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (uppertrainingtool .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"uppertrainingtool.com"; bsize:21; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1347357947307778049?s=20; classtype:targeted-activity; sid:2032540; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HOME_NET [8443,9090] (msg:"ET WEB_SPECIFIC_APPS Symantec Endpoint Manager XXE RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/servlet/ConsoleServlet?ActionType=ConsoleLog"; http.request_body; content:"Content-Type|3a| text/xml|0d 0a|"; nocase; content:"|3c 21|DOCTYPE"; nocase; content:"http|3a|//127.0.0.1|3a|9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&SequenceNum="; nocase; content:"&Parameter="; nocase; reference:cve,2013-5014; reference:cve,2013-5015; reference:url,cxsecurity.com/issue/WLB-2014020199; classtype:web-application-attack; sid:2018176; rev:4; metadata:created_at 2014_02_26, updated_at 2020_04_28;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity CnC Domain (hostoperationsystems .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hostoperationsystems.com"; bsize:24; fast_pattern; reference:url,twitter.com/BaoshengbinCumt/status/1347357947307778049?s=20; classtype:targeted-activity; sid:2032541; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP Plug-in MailPoet  Arbitrary File Upload/Auth Bypass Vulnerability"; flow:established,to_server; http.uri; content:"/wp-admin/admin-post.php"; content:"page=wysija_campaigns"; content:"action=themes"; http.request_body; content:"|0d 0a|PK"; content:"style.css"; reference:url,www.exploit-db.com/exploits/33991/; classtype:web-application-attack; sid:2018648; rev:4; metadata:created_at 2014_07_08, updated_at 2020_04_30;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ozone/Darktrack RAT Variant - Client Hello (set)"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.OzoneRAT; content:"|2c ef 3a e7 89 fe 48 af ac f8|"; depth:10; dsize:110<>113; reference:md5,583de02ec747f0316fb7b0e59bd858bd; classtype:trojan-activity; sid:2032542; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle Event Processing FileUploadServlet Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wlevs/visualizer/upload"; http.request_body; content:"filename"; pcre:"/^\s*?=\s*?[\x22\x27]?[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; reference:url,www.exploit-db.com/exploits/33989/; reference:cve,2014-2424; classtype:web-application-attack; sid:2018652; rev:4; metadata:created_at 2014_07_08, updated_at 2020_04_30;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ozone/Darktrack RAT Variant - Server Hello"; flow:established,to_client; flowbits:isset,ET.OzoneRAT; dsize:666; content:"|53 53 48 2d 32 2e 30 2d 64 72 6f 70 62 65 61 72 5f 32 30 31 37 2e 37 35 0d 0a|"; reference:md5,583de02ec747f0316fb7b0e59bd858bd; classtype:trojan-activity; sid:2032543; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible WP CuckooTap Arbitrary File Download"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php"; content:"action=revslider_show_image"; http.uri.raw; content:"img=|2e 2e 2f|"; reference:url,exploit-db.com/exploits/34511/; classtype:web-application-attack; sid:2019137; rev:3; metadata:created_at 2014_09_08, updated_at 2020_05_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Downer.B Variant Checkin"; flow:established,to_server; http.method; content:"GET"; content:"winver="; distance:0; content:"&sdsoft="; distance:0; fast_pattern; content:"&webid="; distance:0; content:"&softid"; distance:0; content:"&usesnum="; distance:0; content:"&mac="; distance:0; content:"&filename="; distance:0; reference:md5,fa304e71504863f32e6f9032b772cea1; reference:md5,b4188819a0da135ada42e2df4fa97619; classtype:pup-activity; sid:2030565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_07_21, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; http.uri; content:"/base_stat_common.php"; nocase; fast_pattern; content:"BASE_path="; nocase; pcre:"/^(?:(?:ht|f)tps?|data|php)/Ri"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:2019524; rev:7; metadata:affected_product Any, attack_target Server, created_at 2010_09_23, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_05_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed POST to xsph .ru Domain"; flow:established,to_server; http.method; content:"POST"; http.host; content:".xsph.ru"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032531; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yjcontactus"; content:"view="; nocase; reference:url,packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt; classtype:web-application-attack; sid:2013816; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_10_31, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_05_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OilRig SideTwist CnC Domain in DNS Lookup (sarmsoftware .com)"; dns.query; content:"sarmsoftware.com"; nocase; bsize:16; reference:url,research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/; classtype:domain-c2; sid:2032640; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pandora FMS SQLi"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/pandora_console/mobile/index.php"; http.request_body; content:"action=login"; fast_pattern; content:"user="; distance:0; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,www.rapid7.com/db/modules/exploit/linux/http/pandora_fms_sqli; classtype:attempted-admin; sid:2019903; rev:4; metadata:created_at 2014_12_10, updated_at 2020_05_14;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Inbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032636; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Desktop Central Administrator Account Creation"; flow:established,to_server; http.uri; content:"/servlets/DCPluginServelet?"; nocase; content:"action=addPlugInUser"; nocase; content:"role="; nocase; content:"userName="; nocase; content:"email="; nocase; content:"password="; nocase; content:"salt="; nocase; reference:cve,CVE-2014-7862; reference:url,seclists.org/fulldisclosure/2015/Jan/2; classtype:trojan-activity; sid:2020092; rev:3; metadata:created_at 2015_01_05, updated_at 2020_05_14;)
 
-alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Mitsubishi Electric smartRTU RCE Outbound (CVE-2019-14931)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php"; http.request_body; content:"|7b 27|host|27 20 3a 20 27 3b|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-14931; classtype:attempted-admin; sid:2032637; rev:1; metadata:created_at 2021_04_09, cve CVE_2019_14931, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/spywall/timeConfig.php"; bsize:23; fast_pattern; http.user_agent; content:"XTC"; http.request_body; content:"posttime="; content:"&saveForm="; content:"&timesync="; content:"&ntpserver="; content:"wget"; content:"/tmp/viktor|29 3b|"; content:"timezone="; reference:url,unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/; classtype:attempted-user; sid:2030193; rev:1; metadata:attack_target Web_Server, created_at 2020_05_19, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Klog Server Command Injection Inbound (CVE-2021-3317)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/async.php?action="; content:"&source=|3b|"; fast_pattern; reference:cve,2021-3317; classtype:attempted-admin; sid:2032638; rev:1; metadata:attack_target Server, created_at 2021_04_09, cve CVE_2021_3317, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vulnerable Magento Adminhtml Access"; flow:established,to_server; http.uri; content:"Adminhtml"; nocase; content:!"|2f|admin|2f|"; nocase; reference:url,blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability; classtype:attempted-admin; sid:2021005; rev:3; metadata:created_at 2015_04_24, updated_at 2020_05_21;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032634; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, signature_severity Major, updated_at 2021_04_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP RCE PHPBB 2004-1315"; flow:established,to_server; http.uri; content:"viewtopic.php"; nocase; content:"highlight="; nocase; http.uri.raw; pcre:"/[&?]highlight=[^&]*?\x2525[a-f0-9]{2}/i"; reference:cve,2004-1315; classtype:web-application-attack; sid:2021390; rev:3; metadata:created_at 2015_07_07, updated_at 2020_05_28;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<b><br><br>Linux|20|"; content:"method=|22|post|22 20|enctype=|22|multipart/form-data|22 20|name=|22|uploader|22 20|id=|22|uploader|22|><input type=|22|file|22 20|name=|22|file|22 20|size="; content:"<input name=|22|_upl|22 20|type=|22|submit|22 20|id=|22|_upl|22 20|value=|22|Upload|22|></form>"; fast_pattern; classtype:web-application-attack; sid:2032635; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_09, deployment Perimeter, signature_severity Major, updated_at 2021_04_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET 4848 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"TRACE"; http.uri; content:".jsf"; nocase; reference:url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass; reference:bid,47818; reference:cve,2011-1511; classtype:attempted-recon; sid:2012977; rev:4; metadata:created_at 2011_06_09, updated_at 2020_06_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (lomhasnopryiyome .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"lomhasnopryiyome.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2032639; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_09, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"arHandle="; nocase; fast_pattern; content:"method="; nocase; content:"btask="; nocase; pcre:"/btask\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/i"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:5; metadata:created_at 2012_07_07, updated_at 2020_06_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M1 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"IDLOG="; depth:6; nocase; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032590; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"option="; nocase; content:"view="; nocase; content:"list[select]="; nocase; fast_pattern; pcre:"/&list\[select\]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/)?/i"; http.header_names; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access; reference:cve,2015-7297; reference:cve,2015-7587; reference:cve,2015-7858; classtype:attempted-admin; sid:2021992; rev:3; metadata:created_at 2015_10_22, former_category WEB_SPECIFIC_APPS, updated_at 2020_06_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M2 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"question1="; depth:10; nocase; content:"&Answer1="; nocase; distance:0; content:"&question2="; nocase; distance:0; content:"&Answer2="; nocase; distance:0; content:"&question3="; nocase; distance:0; content:"&Answer3="; nocase; distance:0; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032591; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invalid/Suspicious User-Agent (PHP)"; flow:to_server,established; http.user_agent; content:"PHP/5."; nocase; fast_pattern; startswith; pcre:"/^\{\d(?:\|\d){1,}\}\.\{\d(?:\|\d){1,}\}\{\d(?:\|\d){1,}\}/R"; classtype:web-application-attack; sid:2022350; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, signature_severity Major, tag User_Agent, updated_at 2020_06_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M3 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname="; depth:6; nocase; content:"&lname="; nocase; distance:0; content:"&db1="; nocase; distance:0; content:"&db2="; nocase; distance:0; content:"&db3="; nocase; distance:0; content:"&adrs="; nocase; distance:0; content:"&country="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&phone="; nocase; distance:0; content:"&cc="; nocase; distance:0; content:"&exp1="; nocase; distance:0; content:"&exp2="; nocase; distance:0; content:"&cvv="; nocase; distance:0; content:"&vbv="; nocase; distance:0; content:"&sortcode="; nocase; distance:0; fast_pattern; content:"&ssn="; nocase; distance:0; classtype:credential-theft; sid:2032615; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Magento Shoplift Exploit Inbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin/Cms_Wysiwyg/directive/index/"; http.request_body; content:"filter=cG9wdWxhcml0eVtmcm9tXT0wJnBvcHVsYXJpdHlbdG9dPTMmcG9wdWxhcml0eVtmaWVsZF9leHByXT0w"; fast_pattern; depth:100; reference:url,blog.sucuri.net/2015/04/magento-shoplift-supee-5344-exploits-in-the-wild.html; reference:url,packetstormsecurity.com/files/133327/Magento-Add-Administrator-Account.html; classtype:web-application-attack; sid:2022776; rev:3; metadata:created_at 2016_05_03, updated_at 2020_07_07;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor Initial Beacon"; content:"|00 00 01 00 01|"; endswith; dns.query; bsize:>19; content:"646"; offset:2; depth:5; fast_pattern; pcre:"/^[qbedm]{1}[a-zA-Z]{1,3}646[a-zA-Z0-9]{1,3}+\./"; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; reference:md5,162959ebfd839229969d5e830c7d1dbc; classtype:command-and-control; sid:2031193; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS User Agent (SQLi Injection / Scanning)"; flow:established,to_server; http.user_agent; content:"testitest"; fast_pattern; startswith; reference:url,en.wikipedia.org/wiki/SQL_injection; classtype:web-application-attack; sid:2023351; rev:3; metadata:attack_target SQL_Server, created_at 2016_10_19, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_07_31;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (tapewormorchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"tapewormorchestra.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla GoogleMaps Plugin Open Proxy Access"; flow:established,to_server; http.uri; content:"/plugins/system/plugin_googlemap2_proxy.php?url="; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,bnshosting.net/googlemap-proxy-vulnerability; classtype:web-application-attack; sid:2023574; rev:3; metadata:affected_product Joomla, attack_target Web_Server, created_at 2016_12_02, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (belochkaneprihoditodna .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"belochkaneprihoditodna.top"; bsize:26; fast_pattern; classtype:domain-c2; sid:2032743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_12;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS LifterLMS Arbitrary File Write Attempt Inbound (CVE-2020-6008)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"action=export_admin_table"; content:"&filename=../"; fast_pattern; reference:url,cpr-zero.checkpoint.com/vulns/cprid-2148/; reference:cve,2020-6008; classtype:attempted-admin; sid:2030644; rev:1; metadata:created_at 2020_08_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SSL/TLS Certificate Observed (OpenNIC Project API)"; flow:established,to_client; tls.cert_subject; content:"CN=api.opennicproject.org"; bsize:25; fast_pattern; reference:url,wiki.opennic.org/API; classtype:bad-unknown; sid:2032744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_04_12;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Netgear WNR2000v5 Possible Serial Number Leak"; flow:to_server,established; http.uri; content:"/BRS_netgear_success.html"; nocase; reference:cve,2016-10175; reference:url,cve.circl.lu/cve/CVE-2016-10175; classtype:attempted-recon; sid:2023830; rev:3; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_02_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; nocase; http.request_body; content:"login_ak"; depth:8; nocase; content:"&pwd_ak"; nocase; distance:0; fast_pattern; content:"&1.Continue"; nocase; distance:0; classtype:credential-theft; sid:2032643; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3"; flow:to_server,established; http.header; content:"Content-Type|3a 20|%{(#"; nocase; fast_pattern; content:"multipart/form-data"; classtype:web-application-attack; sid:2024045; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Discover Phish M2 2016-12-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"ccnumb="; depth:7; nocase; fast_pattern; content:"&expirMonth="; nocase; distance:0; content:"&expiryear="; nocase; distance:0; content:"&CCV="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&jsenabled="; nocase; distance:0; classtype:credential-theft; sid:2032666; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; http.header; content:"multipart/form-data"; nocase; http.request_body; content:"Content-Disposition|3a|"; nocase; content:"filename"; nocase; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/mi"; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:4; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING HTTP Request for OpenNIC API GeoIP Request"; flow:established,to_server; http.uri; content:"/geoip"; nocase; startswith; http.host; content:"api.opennicproject.org"; bsize:22; fast_pattern; reference:url,wiki.opennic.org/API; classtype:bad-unknown; sid:2032745; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_12, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_04_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M3"; flow:to_server,established; http.header; content:"substr{"; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/mi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024279; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Webmail Phish M1 2016-06-22"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; nocase; depth:9; fast_pattern; content:"&password="; nocase; distance:0; content:"&domain="; nocase; distance:0; content:"&Phone"; nocase; distance:0; classtype:credential-theft; sid:2032685; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Host Header Injection (CVE-2016-10033) M2"; flow:to_server,established; http.uri; content:"action=lostpassword"; nocase; fast_pattern; http.header; pcre:"/^Host\x3a[^\r\n]+?[\x28\x29\x27\x22\x7b\x7d]/mi"; reference:url,exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html; classtype:web-application-attack; sid:2024278; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2017_05_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful *.myjino. ru Phish 2016-12-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.host; content:".myjino.ru"; endswith; http.request_body; content:"user"; depth:4; nocase; content:"&pass"; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032725; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Sort Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"sort="; nocase; pcre:"/sort\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Onedrive Phish 2016-05-16"; flow:from_client,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"login="; nocase; depth:6; fast_pattern; content:"&passwd="; nocase; distance:0; content:"&phone="; nocase; distance:0; classtype:credential-theft; sid:2032680; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_05_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/sessions?path="; nocase; content:"orderby="; nocase; pcre:"/orderby\x3D.+(?:alert|script|onmouse|onkey|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,45015; reference:cve,2010-4172; classtype:web-application-attack; sid:2013118; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_06_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Yahoo Phish M1 2016-06-15"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"yahoo"; nocase; http.request_body; content:"id="; depth:3; nocase; content:"&password="; nocase; distance:0; fast_pattern; content:"&formimage1.x="; nocase; distance:0; classtype:credential-theft; sid:2032683; rev:7; metadata:attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTRS Installation Dialog (after auth) attempt"; flow:to_server,established; http.uri; content:"/otrs/index.pl?Action=Installer"; nocase; reference:cve,2017-9324; classtype:web-application-attack; sid:2024368; rev:3; metadata:affected_product OTRS, attack_target Web_Server, created_at 2017_06_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032738; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
+alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS vBulletin RCE Inbound (CVE-2019-16759 Bypass)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"subWidgets|5b|"; content:"|3b|"; distance:0; reference:url,blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/; classtype:attempted-admin; sid:2030667; rev:1; metadata:attack_target Web_Server, created_at 2020_08_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>0byt3m1n1-"; fast_pattern; classtype:web-application-attack; sid:2032739; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OGNL Expression Injection (CVE-2017-9791)"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"multipart"; content:"form-data"; distance:1; within:11; content:"ognl.OgnlContext"; distance:1; fast_pattern; content:"DEFAULT_MEMBER_ACCESS"; distance:1; within:23; content:"java.lang.ProcessBuilder"; distance:1; content:".start"; distance:1; reference:url,securityonline.info/tutorial-cve-2017-9791-apache-struts2-s2-048-remote-code-execution-vulnerability/; reference:cve,2017-9791; classtype:attempted-user; sid:2024468; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_07_14, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032740; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"D="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006610; classtype:web-application-attack; sid:2006610; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; fast_pattern; classtype:web-application-attack; sid:2032741; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_12, deployment Perimeter, signature_severity Major, updated_at 2021_04_12;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Ui"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020731; rev:3; metadata:created_at 2015_03_24, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"tkyjzgbqfwk3gr55."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024981; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; http_raw_header; distance:0; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Pmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020732; rev:3; metadata:created_at 2015_03_24, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u7duee44hwu5lf7r."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024983; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie)"; flow:established,to_server; content:"Content-Type|3a 20|application"; http_raw_header; content:"Content-Type|3a 20|"; distance:0; http_raw_header; pcre:"/(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)/Cmi"; reference:url,seclists.org/fulldisclosure/2015/Mar/95; classtype:attempted-dos; sid:2020733; rev:3; metadata:created_at 2015_03_24, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain"; dns.query; content:"u2sg7pqxmmrhnzms."; reference:url,www.deependresearch.org/2017/01/threat-intel-ransomware-payment-sites.html; classtype:trojan-activity; sid:2024982; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_14, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware_Onion_Domain, tag Ransomware, updated_at 2021_04_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2"; flow:established,to_server; http.content_type; content:"multipart/form-data"; content:"{"; distance:0; content:"}"; distance:15; classtype:web-application-attack; sid:2024044; rev:5; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2017_03_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MewsSpy.AE Onion Domain (cxkefbwo7qcmlelb in DNS Lookup)"; dns.query; content:"cxkefbwo7qcmlelb"; nocase; depth:16; reference:md5,e69b3a5b8fccd8607e08dd6d34ae99a9; classtype:trojan-activity; sid:2025121; rev:3; metadata:attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag DNS_Onion_Query, updated_at 2021_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)"; flow:established,to_server; http.header; content:"apache"; http.content_type; content:"ProcessBuilder"; content:".struts"; distance:0; reference:cve,2017-5638; reference:url,github.com/rapid7/metasploit-framework/issues/8064; classtype:web-application-attack; sid:2024038; rev:4; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_08, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_20;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Netlify Hosted GET Request - Possible Phishing Landing"; flow:established,to_server; http.method; content:"GET"; http.host; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032758; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/module.php?module=osTicket&file=../"; fast_pattern; reference:url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt; classtype:web-application-attack; sid:2011941; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_08_24;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Suspicious Netlify Hosted DNS Request - Possible Phishing Landing"; dns.query; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032759; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Jenkins CLI RCE (CVE-2017-1000353)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/cli"; depth:4; http.header; content:"Side|3a 20|upload"; http.request_body; content:"JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJ"; fast_pattern; reference:url,blogs.securiteam.com/index.php/archives/3171; reference:cve,2017-1000353; reference:url,research.checkpoint.com/jenkins-miner-one-biggest-mining-operations-ever-discovered/; classtype:attempted-user; sid:2025376; rev:3; metadata:created_at 2018_02_21, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_24;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Netlify Hosted TLS SNI Request - Possible Phishing Landing"; flow:established,to_server; tls.sni; content:".netlify.app"; pcre:"/^[a-z0-9]+\-[a-z0-9]+\-[a-f0-9]{6}\.netlify\.app$/"; classtype:social-engineering; sid:2032760; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category HUNTING, signature_severity Critical, tag Phishing, updated_at 2021_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/user/register"; http.request_body; content:"drupal"; pcre:"/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/i"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Adware.Vonteera.M Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getdata.php?wti="; fast_pattern; content:"&s="; distance:0; content:"&sta="; distance:0; http.user_agent; content:"NSISDL/1.2 (Mozilla)"; bsize:20; reference:md5,06cba7e1a75deca367afca8f27eb4db2; classtype:pup-activity; sid:2032761; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_04_14;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Drupal RCE (CVE-2018-7602)"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/?q=node"; content:"delete&destination="; pcre:"/(?:%(?:25)?23|#)/"; http.request_body; content:"form_id=node_delete_confirm"; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours; reference:cve,2018-7602; classtype:attempted-user; sid:2025533; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, tag drupalgeddon, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (whatsthescore .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"whatsthescore.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_14;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"user/password"; pcre:"/(?:%(?:25)?23|#)\s*(access_callback|pre_render|post_render|lazy_builder)/"; http.request_body; content:"_triggering_element_name"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025534; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, tag drupalgeddon, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedLine - GetArguments Request"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|SOAPAction|3a 20 22|http://tempuri.org/"; http.request_body; content:"|3c 73 3a|Body|3e 3c|GetArguments|20|xmlns=|22|http|3a 2f 2f|tempuri|2e|org|2f 22 2f|"; fast_pattern; reference:md5,9a3ac9f18c1222e7a77a47db01b1f597; classtype:command-and-control; sid:2034361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_14, deployment Perimeter, former_category MALWARE, malware_family Redline, signature_severity Major, updated_at 2021_04_14;)
+alert http any any -> $HTTP_SERVERS 8161 (msg:"ET WEB_SPECIFIC_APPS Apache ActiveMQ File Upload RCE (CVE-2016-3088)"; flow:established,to_server; http.method; content:"MOVE"; http.header; content:"Destination|3a 20|"; reference:cve,2016-3088; reference:url,www.exploit-db.com/exploits/42283/; classtype:attempted-admin; sid:2025574; rev:3; metadata:attack_target Web_Server, created_at 2018_05_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .live) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.live"; nocase; bsize:31; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032763; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin iThemes Security SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; content:"&orderby="; fast_pattern; pcre:"/&orderby=(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/i"; classtype:web-application-attack; sid:2025738; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_25, cve cve_2018_12636, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT ScadaBR RCE with JSP Shell Inbound (CVE-2021-26828)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ScadaBR/view_edit.shtm"; fast_pattern; http.request_body; content:"|22|view.name|22|"; content:"|0d 0a 0d 0a|"; content:"|3c 25 40|"; distance:0; within:5; reference:url,github.com/hevox/CVE-2021-26828_ScadaBR_RCE/blob/main/LinScada_RCE.py; reference:cve,2021-26828; classtype:attempted-admin; sid:2032766; rev:1; metadata:attack_target Server, created_at 2021_04_15, cve CVE_2021_26828, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 2"; flow:established,to_server; http.uri; content:"/_config/query_servers/cmd"; reference:cve,2017-12636; classtype:attempted-user; sid:2025741; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15"; dns.query; content:"ctgame.tk"; nocase; bsize:9; reference:url,twitter.com/nao_sec/status/1381100024919035908; classtype:domain-c2; sid:2032764; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 3"; flow:established,to_server; http.uri; content:"/_temp_view?limit="; http.request_body; content:"|22|cmd|22|"; fast_pattern; reference:cve,2017-12636; classtype:attempted-user; sid:2025742; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Advantech iView RCE Setup via Config Overwrite Inbound (CVE-2021-22652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/iView3/NetworkServlet"; fast_pattern; http.request_body; content:"page_action"; startswith; content:"|22|EXPORTPATH|22 3a 20 22|webapps|5c 5c|iView3|5c 5c 22|"; reference:url,www.rapid7.com/blog/post/2021/02/11/cve-2021-22652-advantech-iview-missing-authentication-rce-fixed/; reference:cve,2021-22652; classtype:attempted-admin; sid:2032767; rev:1; metadata:attack_target Web_Server, created_at 2021_04_15, cve CVE_2021_22652, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 4"; flow:established,to_server; http.method; content:"DELETE"; http.uri; content:"/_config/query_servers/cmd"; fast_pattern; reference:cve,2017-12636; classtype:attempted-user; sid:2025743; rev:3; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Observed Phish Domain in DNS Query (daviviendapersonalingresos .xyz) 2021-04-15"; dns.query; content:"daviviendapersonalingresos.xyz"; nocase; bsize:30; reference:url,twitter.com/TeamDreier/status/1382230430108254209; classtype:credential-theft; sid:2032765; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 3"; flow:established,to_server; http.uri; content:"/index.php?option=com_ekrishta&view="; nocase; content:"&cid="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025746; rev:3; metadata:affected_product Joomla, attack_target Client_Endpoint, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?filename=corona"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest|2e|5)"; bsize:57; http.header_names; content:!"Referer"; reference:md5,0821884168a644f3c27176a52763acc9; reference:url,twitter.com/ShadowChasing1/status/1382509560179531782; classtype:trojan-activity; sid:2032770; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 2"; flow:established,to_server; http.uri; content:"/ekrishta/index.php/login/sign-in"; nocase; fast_pattern; http.request_body; content:"username="; nocase; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025745; rev:3; metadata:affected_product Joomla, attack_target Web_Server, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - AngryBeaver Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"cgi-bin/index.php"; endswith; http.content_type; content:"application/x-www-form-urlencoded|3b|charset=utf-8"; bsize:47; http.request_body; content:"0="; startswith; content:"&1="; distance:0; content:"&2=enc02"; endswith; fast_pattern; reference:url,twitter.com/rootprivilege/status/1376899513592336391?s=20; reference:url,lukeleal.com/research/posts/magento2-angrybeaver-skimmer/; classtype:trojan-activity; sid:2032769; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 1"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc"; nocase; fast_pattern; http.request_body; content:"name="; nocase; pcre:"/^(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/Ri"; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025748; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (annafraudy .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"annafraudy.top"; bsize:14; fast_pattern; classtype:domain-c2; sid:2032768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_15, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Contact Form Maker Plugin - SQL Injection 2"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?form_id="; nocase; content:"&send_header="; nocase; distance:0; content:"&action="; nocase; distance:0; http.request_body; content:"search_labels="; fast_pattern; pcre:"/^(?:[a-zA-Z0-9_%+])*(?:[\x2c\x22\x27\x28]|\x252[c278])/Ri"; reference:url,www.exploit-db.com/exploits/44854/; classtype:web-application-attack; sid:2025749; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_06_26, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032774; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Ek rishta 2.10 - SQL Injection 1"; flow:established,to_server; http.uri; content:"home/requested_user/Sent interest/"; nocase; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:cve,2018-12254; reference:url,www.exploit-db.com/exploits/44869/; classtype:web-application-attack; sid:2025744; rev:4; metadata:affected_product Joomla, attack_target Web_Server, created_at 2018_06_26, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<title>x3x3x3x_5h3ll"; fast_pattern; classtype:web-application-attack; sid:2032775; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_04_16, deployment Perimeter, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 1"; flow:established,to_server; http.uri; content:"/wp-admin/post.php?post="; http.request_body; content:"action=editattachment&_wpnonce="; fast_pattern; content:"&thumb=../../"; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025757; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2018_06_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (youareperfect2day .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"youareperfect2day.top"; bsize:21; fast_pattern; classtype:domain-c2; sid:2032771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Arbitrary File Deletion 2"; flow:established,to_server; http.uri; content:"/wp-admin/post.php?post="; http.request_body; content:"action=delete&_wpnonce="; fast_pattern; reference:url,exploit-db.com/exploits/44949/; classtype:attempted-user; sid:2025758; rev:3; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2018_06_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (mindbreaker .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"mindbreaker.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dolibarr ERP CRM PHP Code Injection"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"&db_name="; content:"%5C%27%3Bsystem(%24_GET%5B"; fast_pattern; reference:url,exploit-db.com/exploits/44964/; classtype:web-application-attack; sid:2025770; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_07_02, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Critical, updated_at 2020_08_25;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remocs 3.x Unencrypted Checkin"; flow:established,to_server; content:"|24 04 ff 00|"; startswith; content:"|4b 00 00 00|"; distance:4; within:4; content:"|7c 1e 1e 1f 7c|"; distance:0; fast_pattern; reference:md5,d27f70216d11b769c937a961fc1b1c81; classtype:command-and-control; sid:2032776; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SoftExpert Excellence Suite 2.0 SQL Injection"; flow:established,to_server; http.uri; content:"/view_eletronic_download.php?class_name="; fast_pattern; content:"&cddocument="; pcre:"/^[a-z0-9A-Z]+[^&]+[\x27\x22]/Ri"; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44981/; classtype:web-application-attack; sid:2025786; rev:2; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Remocs 3.x Unencrypted Server Response"; flow:established,to_client; content:"|24 04 ff 00|"; startswith; content:"|01 00 00 00 30 7c 1e 1e 1f 7c|"; distance:4; within:10; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:md5,d27f70216d11b769c937a961fc1b1c81; classtype:command-and-control; sid:2032777; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ManageEngine Exchange Reporter Plus Remote Code Execution"; flow:established,to_server; http.uri; content:"/servlet/ADSHACluster"; fast_pattern; http.request_body; content:"MTCALL=nativeClient"; content:"&BCP_RLL=0102"; content:"&BCP_EXE=4d5a"; reference:url,exploit-db.com/exploits/44975/; classtype:attempted-user; sid:2025787; rev:2; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (attentionmagnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"attentionmagnet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Airties AIR5444TT - Cross-Site Scripting"; flow:established,to_server; http.uri; content:"/top.html?page=main&productboardtype="; fast_pattern; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,exploit-db.com/exploits/44986/; reference:cve,2018-8738; classtype:attempted-user; sid:2025789; rev:3; metadata:attack_target Web_Server, created_at 2018_07_06, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk Downloader CnC Activity"; flow:established,to_server; http.request_line; content:"GET /"; startswith; content:"image.php?id="; fast_pattern; pcre:"/^[0-9A-F]{21,22}\x20HTTP\/1\.1$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,1743533d63a8ba25142ffa3efc59b50b; classtype:command-and-control; sid:2032342; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Elektronischer Leitz-Ordner 10 - SQL Injection"; flow:established,to_server; http.uri; content:"/social/api/feed/aggregation"; fast_pattern; content:"ticket="; pcre:"/^[^&]*[\x22\x27\x28]/Ri"; reference:url,exploit-db.com/exploits/44999/; classtype:attempted-user; sid:2025819; rev:3; metadata:attack_target Web_Server, created_at 2018_07_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET HUNTING Malformed Domain Name in DNS Query (Domain Length Exceeds 253 Bytes)"; dns.query; bsize:>253; classtype:bad-unknown; sid:2032779; rev:1; metadata:created_at 2021_04_19, former_category HUNTING, updated_at 2021_04_19;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"user/password&name"; nocase; fast_pattern; content:"markup|5d 3d|"; nocase; distance:0; pcre:"/^\[(?:%(?:25)?23|#)\s*(?:access_callback|pre_render|post_render|lazy_builder)/Ri"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025646; rev:2; metadata:affected_product Drupal_Server, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".config"; endswith; http.request_body; content:"CMD=CONFIG&GO=index.asp&TYPE=CONFIG"; fast_pattern; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032780; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dicoogle PACS 2.5.0 - Directory Traversal"; flow:established,to_server; http.uri; content:"/exportFile?UID="; fast_pattern; content:"|2e 2e 5c|"; reference:url,exploit-db.com/exploits/45007/; classtype:attempted-user; sid:2025825; rev:3; metadata:attack_target Web_Server, created_at 2018_07_11, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation Inbound M2"; flow:established,to_server; flowbits:set,ZBLEPON.1; http.method; content:"GET"; http.uri; content:"/system_password.asp"; endswith; fast_pattern; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032781; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitStack - Unsanitized Argument Remote Code Execution"; flow:established,to_server; http.uri; content:"p="; content:".git&a="; fast_pattern; http.header; content:"Authorization|3a 20|Basic"; pcre:"/(?:Y21kIC9jIHBvd2Vyc2hlbGwuZXhl|NtZCAvYyBwb3dlcnNoZWxsLmV4Z|jbWQgL2MgcG93ZXJzaGVsbC5leG)/Ri"; reference:cve,2018-5955; reference:url,exploit-db.com/exploits/44356/; classtype:attempted-user; sid:2025830; rev:2; metadata:attack_target Web_Server, created_at 2018_07_12, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT ZBL EPON ONU Broadband Router Remote Privilege Escalation - Responding with Superuser Credentials"; flow:established,from_server; flowbits:isset,ZBLEPON.1; http.stat_code; content:"200"; file_data; content:"1|3b|super|3b|"; fast_pattern; content:"1|3b|admin|3b|"; reference:url,packetstormsecurity.com/files/162065/ZSL-2021-5467.txt?fbclid=IwAR1tqSxa3jMQFiV3Kipj3pzIei4ucuIZv2tMzqCiYtoYrIxN4GgZBEgfquQ; classtype:attempted-admin; sid:2032782; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_04_19, former_category EXPLOIT, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Job Manager Stored Cross-Site Scripting"; flow:established,to_server; http.uri; content:"/?step=|00|"; content:"submit-job-form"; fast_pattern; content:"enctype=|22|multipart/form-data|22|"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,exploit-db.com/exploits/45031/; classtype:attempted-user; sid:2025839; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon MalDoc CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; http.user_agent; content:"Mozilla/"; startswith; content:"|3a 3a|"; distance:0; content:"|3a 3a 2f 2e|"; within:50; fast_pattern; http.header_names; content:!"Referer"; content:!"Cache-"; reference:md5,bbfef3fcb75449889e544601f7975b34; classtype:command-and-control; sid:2035024; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hadoop YARN ResourceManager Unauthenticated Command Execution"; flow:established,to_server; http.uri; content:"/ws/v1/cluster/apps"; fast_pattern; http.request_body; content:"|22|application-type|22 3a 22|YARN|22|"; content:"|22 3a 7b 22|commands|22 3a 7b 22|command|22 3a 22|"; pcre:"/(?:f0VM|9FT|\/RU)/R"; content:"base64"; reference:url,exploit-db.com/exploits/45025/; classtype:attempted-user; sid:2025840; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos Builder License Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"logaccess.php?DATA="; fast_pattern; pcre:"/^[0-9A-F]+$/R"; http.user_agent; content:"Remcos"; bsize:6; classtype:trojan-activity; sid:2032783; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; http.uri; content:"/download.sh?script=/cgi-bin/"; content:"/system-editor.sh&path=/etc/"; fast_pattern; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025845; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Wacapew.A!ml Domain in TLS SNI (zytrox .tk)"; flow:established,to_server; tls.sni; content:"zytrox.tk"; bsize:9; classtype:domain-c2; sid:2032778; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; http.uri; content:"/IPn4G.config"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025847; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Cobalt Strike Stager Time Check M1"; flow:established,to_server; dsize:11; content:"GET|20|driver|0a|"; fast_pattern; reference:md5,e566c853fe8555fc255bd643f96ba574; classtype:trojan-activity; sid:2032784; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download"; flow:established,to_server; http.uri; content:"/cgi-bin/system.conf"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025846; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET MALWARE Cobalt Strike Stager Time Check M2"; flow:established,to_server; dsize:8; content:"GET|20|drv|0a|"; fast_pattern; reference:md5,e566c853fe8555fc255bd643f96ba574; classtype:trojan-activity; sid:2032785; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Stop"; flow:established,to_server; http.uri; content:"/system-services.sh?service="; fast_pattern; content:"&action=stop"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-dos; sid:2025848; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Magecart/Skimmer - _try_action Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".png"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.request_body; content:"cid="; startswith; fast_pattern; content:"&host="; reference:url,lukeleal.com/research/posts/cdn-frontend-skimmer/; classtype:trojan-activity; sid:2032788; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag CardSkimmer, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Process Kill"; flow:established,to_server; http.uri; content:"/status-processes.sh"; http.request_body; content:"signal=SIGILL&pid="; fast_pattern; content:"&kill=+Send+"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-dos; sid:2025849; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart/Skimmer - _try_action CnC Domain (cdn-frontend .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cdn-frontend.com"; bsize:16; fast_pattern; reference:url,lukeleal.com/research/posts/cdn-frontend-skimmer/; classtype:domain-c2; sid:2032789; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag CardSkimmer, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service start"; flow:established,to_server; http.uri; content:"/system-services.sh?service="; fast_pattern; content:"&action=start"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025850; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (newageiscoming .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"newageiscoming.top"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032790; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Service Enable"; flow:established,to_server; http.uri; content:"/system-services.sh?service="; fast_pattern; content:"&action=enable"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025851; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Possibly SLIGHTPULSE Related - Suspicious POST to Specific URI Path"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"meeting_testjs.cgi"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-admin; sid:2032787; rev:1; metadata:created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Change Admin Passwd"; flow:established,to_server; http.uri; content:"/system-acl.sh"; fast_pattern; http.request_body; content:"pw1"; content:"pw2"; content:"passwdchange"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025852; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
 
-alert tls $EXTERNAL_NET ![443,587] -> $HOME_NET any (msg:"ET MALWARE Observed Qbot Style SSL Certificate"; flow:established,from_server; tls.cert_issuer; content:"C="; depth:2; content:",|20|ST="; distance:2; within:5; content:",|20|L="; distance:2; within:4; content:",|20|O="; within:20; content:",|20|CN="; within:50; pcre:"/^C=(?:M[ACDEGHKLMNOPQRSTUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|B[ABDEFGHIJMNORSTVWZ]|A[DEFGILMNOQRSTUWXZ]|S[ABCEGHIJKLMNRTUVZ]|C[ACFHIKLMNORSVXYZ]|T[CDFGHJKMNOPRTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRTUZ]|K[EGHIMNRWYZ]|L[ACIKSTUVY]|I[DELMNOST]|E[CEGHRST]|F[IJKMORX]|U[AGKMSYZ]|V[ACEGINU]|D[EJKMOZ]|H[KMNRTU]|R[EOSUW]|J[EMOP]|W[FS]|Y[ET]|Z[AM]|OM|QA),\sST=(?!(?:M[ADEINOST]|N[CDEHJMVY]|A[KLRZ]|I[ADLN]|W[AIVY]|C[AOT]|O[HKR]|[GLP]A|K[SY]|S[CD]|T[NX]|V[AT]|[HR]I|DE|FL|UT))[A-Z]{2},\sL=[A-Z][a-z]{2,15}(?:\s[A-Z][a-z]{2,10})?,\sO=[A-Z][a-z]{2,25}\s[A-Z][a-z]{2,25}(?:\s[A-Z][a-z]{2,25})?(?:\s[A-Z][a-z]{2,25})?(?:\s(?:Inc|LLC)\.)?,\sCN=[a-z]{4,11}\.[a-z]{2,4}$/"; classtype:trojan-activity; sid:2035530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family Qbot, performance_impact Significant, signature_severity Major, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Admin Passwd"; flow:established,to_server; http.uri; content:"/system-acl.sh"; fast_pattern; http.request_body; content:"pw1"; content:"pw2"; content:"user_add"; content:"password_add"; content:"mhadd_user"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025853; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HabitsRAT Checkin"; flow:established,to_server; http.request_line; content:"POST /checkin"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.request_body; content:"goarch="; content:"goos="; content:"hostname="; content:"no_replay="; content:"public_key="; reference:url,www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers; reference:md5,2177fb8f49934333a201197d6f55378d; classtype:command-and-control; sid:2032791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family HabitsRAT, performance_impact Low, signature_severity Major, updated_at 2021_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Add Root Htpasswd"; flow:established,to_server; http.uri; content:"/system-editor.sh"; fast_pattern; http.request_body; content:"pw1"; content:"/etc"; content:"htpasswd"; content:"root:"; content:"Save Changes"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025854; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Possible STEADYPULSE Webshell Accessed M1"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<form action=|22||22| method=|22|GET|22|>"; content:"<input type=|22|text|22| name=|22|cmd|22| "; distance:0; content:"<input type=|22|text|22| name=|22|serverid|22| "; distance:0; fast_pattern; content:"<input type=|22|submit|22| value=|22|Run|22|>"; distance:0; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-user; sid:2032801; rev:1; metadata:created_at 2021_04_21, former_category MALWARE, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Crontab"; flow:established,to_server; http.uri; content:"/system-crontabs.sh"; fast_pattern; http.request_body; content:"Save Changes"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025856; rev:2; metadata:created_at 2018_07_17, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Possible STEADYPULSE Webshell Accessed M2"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"|0d 0a|Results of|20 27|"; content:"'|27 20|execution|3a 0a 0a|"; distance:1; within:256; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-user; sid:2032800; rev:1; metadata:created_at 2021_04_21, former_category MALWARE, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Startup Script"; flow:established,to_server; http.uri; content:"/system-startup.sh"; fast_pattern; http.request_body; content:"/etc/init.d"; content:"#!/bin/sh"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025857; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gimmegimmejimmy .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"gimmegimmejimmy.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032802; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Disable Firewall"; flow:established,to_server; http.uri; content:"/system-crontabs.sh"; fast_pattern; http.request_body; content:"/etc/init.d/firewall stop"; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025858; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .myfirewall .org"; dns.query; content:".myfirewall.org"; endswith; fast_pattern; classtype:bad-unknown; sid:2032792; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Start the Microhard Sh (msshc) service"; flow:established,to_server; http.uri; content:"/system-services.sh?service=msshc&action=start"; fast_pattern; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025859; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Request for uac.exe With Minimal Headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uac.exe"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"|0d 0a|Host|0d 0a|"; depth:10; isdataat:!20,relative; bsize:<31; reference:md5,fd66c2729efe28d54dbbdca62490b936; classtype:trojan-activity; sid:2032794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Auto-enable the Microhard Sh (msshc) service"; flow:established,to_server; http.uri; content:"/system-services.sh?service=msshc&action=enable"; fast_pattern; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-user; sid:2025860; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr .eur .lc)"; dns.query; content:"apiujpnkbrhsdn57oi0ns0qmbaj0wcdzjhblj6frlh1tr.eur.lc"; bsize:52; fast_pattern; classtype:domain-c2; sid:2032795; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic YWRtaW46YWRtaW4="; reference:url,exploit-db.com/exploits/45036/; classtype:attempted-recon; sid:2025855; rev:2; metadata:attack_target Server, created_at 2018_07_17, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (hombreymaquina .com)"; dns.query; content:"hombreymaquina.com"; bsize:18; fast_pattern; classtype:domain-c2; sid:2032796; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XML External Entity Information Disclosure"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22 20|encoding="; content:"<!DOCTYPE"; content:"<!ENTITY"; content:"SYSTEM |22|file|3a|///etc/"; fast_pattern; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-recon; sid:2025877; rev:3; metadata:affected_product Linux, attack_target Web_Server, created_at 2018_07_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Phishing Domain (igconsulting. pe)"; dns.query; content:"igconsulting.pe"; bsize:15; fast_pattern; classtype:domain-c2; sid:2032797; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XML External Entity Remote Code Execution"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22 20|encoding="; content:"<!DOCTYPE"; content:"<!ENTITY"; content:"SYSTEM |22|php|3a|//"; fast_pattern; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-user; sid:2025878; rev:3; metadata:attack_target Web_Server, created_at 2018_07_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif CnC Domain (vorulenuke. us)"; dns.query; content:"vorulenuke.us"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032798; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution < 2.6.4 phpthumb.php RCE Attempt"; flow:established,to_server; urilen:31; http.method; content:"POST"; http.uri; content:"/connectors/system/phpthumb.php"; fast_pattern; http.request_body; content:"<?php"; nocase; content:"($_SERVER"; nocase; distance:0; reference:url,exploit-db.com/exploits/45055/; classtype:web-application-attack; sid:2025917; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_27, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Ursnif CnC Domain (horulenuke .us)"; dns.query; content:"horulenuke.us"; bsize:13; fast_pattern; classtype:domain-c2; sid:2032799; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, malware_family ursnif, signature_severity Major, updated_at 2021_04_21;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 1"; flow:established,to_server; http.uri; content:"/modifychannel/exec?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026009; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 44 Caliber Stealer Data Exfil via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.content_type; content:"multipart/form-data|3b 20|boundary=|22|"; startswith; http.request_body; content:"form-data|3b 20|name=content|0d 0a 0d 0a 5c|n|20 3a|spy|3a 20|NEW LOG FROM - "; fast_pattern; content:"|20 30|person_in_manual_wheelchair|3a 0d 0a 5c|n|20 3a|eye|3a 20|IP|3a 20|"; distance:0; content:"|5c|n|20 3a|desktop|3a 20|"; distance:0; reference:md5,5d8135dc3f85bee9dd93456a9445fa35; reference:url,twitter.com/nao_sec/status/1370702500798418946; classtype:command-and-control; sid:2032803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_21;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 2"; flow:established,to_server; http.uri; content:"/images/IOMemoryPool.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026010; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil via Discord M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:".lunar|22 3b 20|filename=|22|"; content:"|0d 0a 0d 0a|<UsernameSplit><UsernameSplit><TimeHackedSplit>"; reference:md5,11ca4e678716a5aa177bd8506f0e109f; classtype:command-and-control; sid:2032804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_22;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 3"; flow:established,to_server; http.uri; content:"/images/Statistics.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026011; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Phenakite User-Agent"; flow:established,to_server; http.user_agent; content:"app/4.7|20 28|iPhone|3b 20|iOS 12.4.5|3b 20|Scale/2.00|29|"; bsize:40; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032808; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Phenakite, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 4"; flow:established,to_server; http.uri; content:"/images/GLIBBackground.jpg?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026012; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Phenakite Audio Upload CnC"; flow:established,to_server; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|deviceName|22 3a 22|"; fast_pattern; content:"|22|name|22 3a|"; content:"|22|audio|22 3a 22|"; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032809; rev:2; metadata:attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 5"; flow:established,to_server; http.uri; content:"/images/MainMemoryPool.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026013; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Phenakite Image Upload CnC activity"; flow:established,to_server; http.method; content:"POST"; http.accept; content:"*/*"; bsize:3; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|img_name|22 3a 22|"; fast_pattern; content:"|22|img|22 3a 22|"; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:targeted-activity; sid:2032810; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2021_04_23, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, malware_family Phenakite, signature_severity Major, updated_at 2021_04_23;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geutebrueck re_porter 16 - Cross-Site Scripting 6"; flow:established,to_server; http.uri; content:"/images/ProcessMemory.png?"; pcre:"/^[^&]+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:cve,2018-15533; reference:url,exploit-db.com/exploits/45242/; classtype:attempted-user; sid:2026014; rev:3; metadata:attack_target IoT, created_at 2018_08_22, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CollectorStealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|[dw0rd]_"; fast_pattern; content:"Information.txt"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,51e8f4abbb4ba18a39e302edad171b71; classtype:trojan-activity; sid:2032805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family CollectorStealer, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts inbound .getWriter OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:".getWriter"; fast_pattern; distance:0; reference:cve,2018-11776; classtype:attempted-admin; sid:2026032; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (linda-callaghan .icu)"; dns.query; content:"linda-callaghan.icu"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts java.lang inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:"java|2E|lang"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026033; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (mikkelbourke .pro)"; dns.query; content:"mikkelbourke.pro"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts inbound .getClass OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"${"; content:".getClass"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026034; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (scorerabbate .site)"; dns.query; content:"scorerabbate.site"; nocase; bsize:17; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway SQL Injection"; flow:established,to_server; http.uri; content:"/enginelist.php"; fast_pattern; http.request_body; content:"appkey="; pcre:"/^[a-z0-9A-Z]+\x252[270]/R"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb; classtype:attempted-user; sid:2026036; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_08_24, cve cve_2018_12464, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (overingtonray .info)"; dns.query; content:"overingtonray.info"; nocase; bsize:18; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MicroFocus Secure Messaging Gateway Remote Code Execution"; flow:established,to_server; http.uri; content:"/manage_domains_save_data.json.php?cache="; http.request_body; content:"%24%28"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/microfocus_secure_messaging_gateway.rb; classtype:attempted-user; sid:2026037; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_08_24, cve cve_2018_12465, deployment Datacenter, former_category WEB_SPECIFIC_APPS, updated_at 2020_08_25;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (marwapetersson .info)"; dns.query; content:"marwapetersson.info"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Kibana Attempted LFI Exploitation (CVE-2018-17246)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/console/api_server?sense_version="; depth:38; fast_pattern; content:"SENSE_VERSION&apis="; pcre:"/^(?:\.\.\/){2,}/R"; reference:url,www.bleepingcomputer.com/news/security/file-inclusion-bug-in-kibana-console-for-elasticsearch-gets-exploit-code/; classtype:attempted-user; sid:2026739; rev:4; metadata:attack_target Web_Server, created_at 2018_12_19, cve 2018_17246, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (belcherjacky .info)"; dns.query; content:"belcherjacky.info"; nocase; bsize:17; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Cost Estimator Plugin AFI Vulnerability"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?action=lfb_upload_form"; nocase; reference:url,www.wordfence.com/blog/2019/02/vulnerabilities-patched-in-wp-cost-estimation-plugin/; classtype:web-application-attack; sid:2026950; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2019_02_21, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_08_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (gallant-william .icu)"; dns.query; content:"gallant-william.icu"; nocase; bsize:19; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rails Arbitrary File Disclosure Attempt"; flow:established,to_server; http.accept; content:"../"; reference:url,github.com/mpgn/CVE-2019-5418; classtype:web-application-attack; sid:2027096; rev:3; metadata:attack_target Web_Server, created_at 2019_03_19, cve 2019_5418, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_08_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (ansonwhitmore .live)"; dns.query; content:"ansonwhitmore.live"; nocase; bsize:18; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScript"; distance:0; content:"|40|ASTTest"; distance:0; content:"Runtime|2e|getRuntime|28 29 2e|exec|28 22|"; distance:0; content:"|22 29 7d 29 0a|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027350; rev:3; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (irenewansley .icu)"; dns.query; content:"irenewansley.icu"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS ECSHOP user.php SQL INJECTION via Referer"; flow:established,to_server; http.uri; content:"/user.php"; http.referer; content:"SELECT"; nocase; content:"UNION"; nocase; content:",4,5,6,7,8,0x"; fast_pattern; reference:url,github.com/theLSA/ecshop-getshell; reference:url,github.com/Hzllaga/EcShop_RCE_Scanner/; reference:url,xz.aliyun.com/t/2689?from=groupmessage; classtype:web-application-attack; sid:2027416; rev:2; metadata:attack_target Web_Server, created_at 2019_05_31, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-23 MICROPSIA Variant CnC Domain in DNS Lookup (norayowell .info)"; dns.query; content:"norayowell.info"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Appointment Hour Booking - WordPress Plugin - Stored XSS (CVE-2019-13505)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form-data|3b 20|name=|22|cp_appbooking_pform_process|22|"; fast_pattern; content:"form-data|3b 20|name=|22|email_1|22 0d 0a 0d 0a 3c|script|3e|"; distance:0; reference:cve,CVE-2019-13505; reference:url,github.com/ivoschyk-cs/CVE-s/blob/master/Appointment%20Hour%20Booking%20%E2%80%93%20WordPress%20Booking%20Plugin%20--%20stored%20XSS; classtype:web-application-attack; sid:2027706; rev:3; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2019_07_12, deployment Internet, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to MoserPass Download Domain (passwordstate-18ed2 .kxcdn .com)"; dns.query; content:"passwordstate-18ed2.kxcdn.com"; bsize:29; fast_pattern; reference:url,www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain; classtype:domain-c2; sid:2032806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004011; classtype:web-application-attack; sid:2004011; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_01;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"D5wdnvX3A="; startswith; content:"&WgJEo7TIB=c2xsZ3JhdA&"; distance:0; fast_pattern; reference:md5,bbe4dddc09dcef160db0fd4c24c4f052; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:command-and-control; sid:2032821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/photosmash-galleries/index.php?"; nocase; content:"action="; nocase; pcre:"/action\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/99089/photosmash-xss.txt; classtype:web-application-attack; sid:2012670; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_01;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/MosaiqueRAT CnC Checkin"; flow:established,to_server; dsize:<400; content:"|e1 00 00 00|"; startswith; content:"|00 00 00|Windows|20|"; fast_pattern; distance:0; content:"|00 00 00|Client|20|"; isdataat:!4,relative; reference:url,github.com/thdal/MosaiqueRAT; classtype:trojan-activity; sid:2032807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible SharePoint RCE Attempt (CVE-2019-0604)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Picker.aspx?PickerDialogType=Microsoft.SharePoint"; nocase; http.request_body; content:"ctl00|25|24PlaceHolderDialogBodySection|25|24ctl05|25|24hiddenSpanData|3d5f5f|"; nocase; fast_pattern; reference:url,www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability; classtype:attempted-admin; sid:2027345; rev:4; metadata:attack_target Web_Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.uri; content:"/logo.html"; bsize:10; http.cookie; content:"wordpress_logged_in="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,6517eadd2e4fb8fdf1f64a601e5a2b59; reference:url,twitter.com/MichalKoczwara/status/1385679642791665668; classtype:trojan-activity; sid:2032824; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_04_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011378; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Screenshot Upload M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|jpxnk|22 3b 20|filename="; fast_pattern; content:"|22 0d 0a|Content-Type|3a 20|utf-8|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF"; within:40; http.header_names; content:!"Referer"; reference:md5,7833c0f413c1611f7281ac303bcef4b3; classtype:command-and-control; sid:2032822; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011380; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MICROPSIA Screenshot Upload M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|vcqmxylcv|22|"; fast_pattern; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF"; distance:0; within:40; reference:md5,7833c0f413c1611f7281ac303bcef4b3; classtype:command-and-control; sid:2032823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_23, deployment Perimeter, former_category MALWARE, malware_family MICROPSIA, performance_impact Low, signature_severity Major, updated_at 2021_04_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (birdmilk .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"birdmilk.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2032825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,41377; classtype:web-application-attack; sid:2011382; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (footballstar .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"footballstar.top"; bsize:16; fast_pattern; classtype:domain-c2; sid:2032826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/csstidy/css_optimiser.php?"; nocase; content:"url="; nocase; pcre:"/url\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40515/; reference:url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html; classtype:web-application-attack; sid:2011383; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_02;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stockme .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"stockme.top"; bsize:11; fast_pattern; classtype:domain-c2; sid:2032827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_26, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(?:ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/5609; reference:url,vupen.com/english/advisories/2009/2136; classtype:web-application-attack; sid:2011384; rev:5; metadata:created_at 2010_09_28, updated_at 2020_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PHP Skimmer CnC Domain in DNS Lookup (secure-authorize .net)"; dns.query; content:"secure-authorize.net"; nocase; bsize:20; reference:url,lukeleal.com/research/posts/secure-authorize-dot-net-skimmer/; classtype:domain-c2; sid:2032828; rev:1; metadata:affected_product Web_Server_Applications, affected_product Magento, attack_target Web_Server, created_at 2021_04_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_noticeboard"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/12427; classtype:web-application-attack; sid:2011385; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_02;)
 
-alert http [$HTTP_SERVERS,$HOME_NET] any -> $EXTERNAL_NET any (msg:"ET MALWARE PHP Skimmer Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".dll"; endswith; http.content_type; content:"text/plain"; bsize:10; http.request_body; content:"|22|cc_type|22|"; content:"|22|cc_number|22|"; fast_pattern; content:"|22|ip|22|"; content:"|22|cc_cid|22|"; content:"|22|site|22|"; reference:url,lukeleal.com/research/posts/secure-authorize-dot-net-skimmer/; classtype:command-and-control; sid:2032829; rev:2; metadata:affected_product Web_Server_Applications, affected_product Magento, attack_target Web_Server, created_at 2021_04_26, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_04_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004132; classtype:web-application-attack; sid:2004132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SharpNoPSExec EXE Lateral Movement Tool Downloaded"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"S|00|h|00|a|00|r|00|p|00|N|00|o|00|P|00|S|00|E|00|x|00|e|00|c|00 2e 00|e|00|x|00|e"; distance:0; fast_pattern; content:"Z|00|Q|00|B|00|j|00|A|00|G|00|g|00|A|00|b|00|w|00|A|00|g|00|A|00|E|00|c|00|A|00|b|00|w|00|B|00|k|00|A|00|C|00|A|00|A|00|Q|00|g|00|B|00|s|00|A|00|G|00|U|00|A|00|c|00|w|00|B|00|z|00|A|00|C|00|A|00|A|00|W|00|Q|00|B|00|v|00|A|00|H|00|U|00|A|00|I|00|Q|00|A|00 3d|"; distance:0; reference:url,github.com/juliourena/SharpNoPSExec/; classtype:trojan-activity; sid:2032875; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004133; classtype:web-application-attack; sid:2004133; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .firebaseio .com in DNS Lookup)"; dns_query; content:"dash-chat-c02b3.firebaseio.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2032830; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004134; classtype:web-application-attack; sid:2004134; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (dash-chat-c02b3 .appspot .com in DNS Lookup)"; dns_query; content:"dash-chat-c02b3.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032831; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004135; classtype:web-application-attack; sid:2004135; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .firebaseio .com in DNS Lookup)"; dns_query; content:"hidden-chat-e58d7.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032832; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004136; classtype:web-application-attack; sid:2004136; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hidden-chat-e58d7 .appspot .com in DNS Lookup)"; dns_query; content:"hidden-chat-e58d7.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032833; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004137; classtype:web-application-attack; sid:2004137; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (calculator-1e016 .firebaseio .com in DNS Lookup)"; dns_query; content:"calculator-1e016.firebaseio.com"; isdataat:!1,relative; classtype:trojan-activity; sid:2032834; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004138; classtype:web-application-attack; sid:2004138; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (calculator-1e016 .appspot .com in DNS Lookup)"; dns_query; content:"calculator-1e016.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032835; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004139; classtype:web-application-attack; sid:2004139; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .firebaseio .com in DNS Lookup)"; dns_query; content:"samehnew-10a7c.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032836; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id SELECT"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004647; classtype:web-application-attack; sid:2004647; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (samehnew-10a7c .appspot .com in DNS Lookup)"; dns_query; content:"samehnew-10a7c.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032837; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004648; classtype:web-application-attack; sid:2004648; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (play-store-51182 .firebaseio .com in DNS Lookup)"; dns_query; content:"play-store-51182.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032838; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id INSERT"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004649; classtype:web-application-attack; sid:2004649; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (play-store-51182 .appspot .com in DNS Lookup)"; dns_query; content:"play-store-51182.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032839; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id DELETE"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004650; classtype:web-application-attack; sid:2004650; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .firebaseio .com in DNS Lookup)"; dns_query; content:"stand-by-97c5c.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032840; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ASCII"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004651; classtype:web-application-attack; sid:2004651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stand-by-97c5c .appspot .com in DNS Lookup)"; dns_query; content:"stand-by-97c5c.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032841; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE"; flow:established,to_server; http.uri; content:"/urunbak.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3133; reference:url,www.securityfocus.com/bid/24364; reference:url,doc.emergingthreats.net/2004652; classtype:web-application-attack; sid:2004652; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (es-last-telegram .firebaseio .com in DNS Lookup)"; dns_query; content:"es-last-telegram.firebaseio.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032842; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft SELECT"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005304; classtype:web-application-attack; sid:2005304; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (es-last-telegram .appspot .com in DNS Lookup)"; dns_query; content:"es-last-telegram.appspot.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:trojan-activity; sid:2032843; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UNION SELECT"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005305; classtype:web-application-attack; sid:2005305; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (margarita-smith .host in DNS Lookup)"; dns_query; content:"margarita-smith.host"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032844; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft INSERT"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005306; classtype:web-application-attack; sid:2005306; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (blogsolutions .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogsolutions.top"; bsize:17; fast_pattern; classtype:domain-c2; sid:2032876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft DELETE"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005307; classtype:web-application-attack; sid:2005307; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasibauik .co in DNS Lookup)"; dns_query; content:"fasibauik.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032845; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ASCII"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005308; classtype:web-application-attack; sid:2005308; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcak .co in DNS Lookup)"; dns_query; content:"fasebcak.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032846; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE"; flow:established,to_server; http.uri; content:"/mailer.w2b?"; nocase; content:"draft="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005309; classtype:web-application-attack; sid:2005309; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcck .com in DNS Lookup)"; dns_query; content:"fasebcck.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032847; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay SELECT"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005310; classtype:web-application-attack; sid:2005310; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcoki .com in DNS Lookup)"; dns_query; content:"fasebcoki.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032848; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UNION SELECT"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005187; classtype:web-application-attack; sid:2005187; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebcak .com in DNS Lookup)"; dns_query; content:"fasebcak.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032849; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay INSERT"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005188; classtype:web-application-attack; sid:2005188; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasbcaok .com in DNS Lookup)"; dns_query; content:"fasbcaok.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032850; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay DELETE"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005189; classtype:web-application-attack; sid:2005189; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaak .com in DNS Lookup)"; dns_query; content:"fasebaak.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032851; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ASCII"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005190; classtype:web-application-attack; sid:2005190; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaok .co in DNS Lookup)"; dns_query; content:"fasebaok.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032852; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE"; flow:established,to_server; http.uri; content:"/DocPay.w2b?"; nocase; content:"listDocPay="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3175; reference:url,xforce.iss.net/xforce/xfdb/34593; reference:url,doc.emergingthreats.net/2005191; classtype:web-application-attack; sid:2005191; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaook .com in DNS Lookup)"; dns_query; content:"fasebaook.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032853; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009838; classtype:web-application-attack; sid:2009838; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (fasebaok .com in DNS Lookup)"; dns_query; content:"fasebaok.com"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032854; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/archive.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009839; classtype:web-application-attack; sid:2009839; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (log-yoahao .co in DNS Lookup)"; dns_query; content:"log-yoahao.co"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032855; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/Archive.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009840; classtype:web-application-attack; sid:2009840; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (log-yoheo .info in DNS Lookup)"; dns_query; content:"log-yoheo.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032856; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/comments.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009841; classtype:web-application-attack; sid:2009841; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (kevin-good .top in DNS Lookup)"; dns_query; content:"kevin-good.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032857; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/Comments.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009842; classtype:web-application-attack; sid:2009842; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (marty-colvard .top in DNS Lookup)"; dns_query; content:"marty-colvard.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032858; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009843; classtype:web-application-attack; sid:2009843; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (anna-sanchez .online in DNS Lookup)"; dns_query; content:"anna-sanchez.online"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032859; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/News.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009844; classtype:web-application-attack; sid:2009844; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (wendy-johnston .pw in DNS Lookup)"; dns_query; content:"wendy-johnston.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032860; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/base/SendFriend.php?"; nocase; content:"config[installdir]="; nocase; pcre:"/config\[installdir\]=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,33434; reference:url,juniper.net/security/auto/vulnerabilities/vuln33434.html; reference:url,doc.emergingthreats.net/2009845; classtype:web-application-attack; sid:2009845; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (jennifer-marler .pw in DNS Lookup)"; dns_query; content:"jennifer-marler.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032861; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key SELECT"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005949; classtype:web-application-attack; sid:2005949; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (goerge-amper .website in DNS Lookup)"; dns_query; content:"goerge-amper.website"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032862; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UNION SELECT"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005950; classtype:web-application-attack; sid:2005950; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stacks-zadar .website in DNS Lookup)"; dns_query; content:"stacks-zadar.website"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032863; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key INSERT"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005951; classtype:web-application-attack; sid:2005951; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (joe-rumley .pw in DNS Lookup)"; dns_query; content:"joe-rumley.pw"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032864; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key DELETE"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005952; classtype:web-application-attack; sid:2005952; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (richardbeman .info in DNS Lookup)"; dns_query; content:"richardbeman.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032865; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ASCII"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005953; classtype:web-application-attack; sid:2005953; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (vickeryduncan .site in DNS Lookup)"; dns_query; content:"vickeryduncan.site"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032866; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE"; flow:established,to_server; http.uri; content:"/coupon_detail.asp?"; nocase; content:"key="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6859; reference:url,www.securityfocus.com/bid/21824; reference:url,doc.emergingthreats.net/2005954; classtype:web-application-attack; sid:2005954; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (moggfelicio .info in DNS Lookup)"; dns_query; content:"moggfelicio.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032867; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004253; classtype:web-application-attack; sid:2004253; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (stevensmalley .pro in DNS Lookup)"; dns_query; content:"stevensmalley.pro"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032868; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004254; classtype:web-application-attack; sid:2004254; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (kentporter .site in DNS Lookup)"; dns_query; content:"kentporter.site"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032869; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004255; classtype:web-application-attack; sid:2004255; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (chad-jessie .info in DNS Lookup)"; dns_query; content:"chad-jessie.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032870; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004256; classtype:web-application-attack; sid:2004256; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (lordblackwood .club in DNS Lookup)"; dns_query; content:"lordblackwood.club"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032871; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004257; classtype:web-application-attack; sid:2004257; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (julie-parker .top in DNS Lookup)"; dns_query; content:"julie-parker.top"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032872; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1517; reference:url,www.milw0rm.com/exploits/3477; reference:url,doc.emergingthreats.net/2004258; classtype:web-application-attack; sid:2004258; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (tim-jordan .info in DNS Lookup)"; dns_query; content:"tim-jordan.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032873; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSN Guest search.php search parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?"; nocase; content:"searchfields[0]=ownerid"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33097; reference:url,milw0rm.com/exploits/7659; reference:url,doc.emergingthreats.net/2009058; classtype:web-application-attack; sid:2009058; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Arid Viper (hannah-parsons .info in DNS Lookup)"; dns_query; content:"hannah-parsons.info"; isdataat:!1,relative; reference:url,about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf; classtype:domain-c2; sid:2032874; rev:2; metadata:created_at 2021_04_27, former_category MOBILE_MALWARE, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page SELECT"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006455; classtype:web-application-attack; sid:2006455; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY RDP Wrapper Download (bat)"; flow:established,to_client; file.data; content:"|3a 3a| Automatic RDP Wrapper installer and updater"; fast_pattern; content:"|3a 3a| Location of new/updated rdpwrap.ini files"; content:"set rdpwrap_ini_update_github_1=|22|"; reference:url,github.com/asmtron/rdpwrap; classtype:bad-unknown; sid:2032880; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UNION SELECT"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006456; classtype:web-application-attack; sid:2006456; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY RDP Wrapper Download (ini)"; flow:established,to_client; file.data; content:"|3b| RDP Wrapper Library configuration"; fast_pattern; content:"LogFile=|5c|rdpwrap.txt"; reference:url,github.com/asmtron/rdpwrap; classtype:bad-unknown; sid:2032881; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page INSERT"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006457; classtype:web-application-attack; sid:2006457; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lunar Builder Domain (lunarbuilder .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lunarbuilder.000webhostapp.com"; bsize:30; fast_pattern; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:domain-c2; sid:2032877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page DELETE"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006458; classtype:web-application-attack; sid:2006458; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|account|22 3b 20|filename=|22|"; content:".lunar|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|<UsernameSplit>"; distance:0; fast_pattern; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:command-and-control; sid:2032878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page ASCII"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006459; classtype:web-application-attack; sid:2006459; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Koubbeh Sending Windows System Info"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/api/ping//?"; startswith; fast_pattern; http.user_agent; content:"|3b| WinHttp.WinHttpRequest.5|29|"; reference:md5,3883ea48ee84f9b084e0920bc185bc39; classtype:trojan-activity; sid:2032882; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE"; flow:established,to_server; http.uri; content:"/content.php?"; nocase; content:"page="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3128; reference:url,www.osvdb.org/34164; reference:url,doc.emergingthreats.net/2006460; classtype:web-application-attack; sid:2006460; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<UsernameSplit>"; nocase; fast_pattern; content:"<TimeHackedSplit>"; nocase; reference:md5,4a07860c39171b71ca0aa359b0185f33; classtype:command-and-control; sid:2032879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num SELECT"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005955; classtype:web-application-attack; sid:2005955; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.SpyEyes.bllw CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|"; distance:0; content:".zip|22 0d 0a|"; distance:0; within:50; content:"passwords.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,c818013b12aedef81965f4dd98634ea8; classtype:trojan-activity; sid:2035017; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UNION SELECT"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005956; classtype:web-application-attack; sid:2005956; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Modi RAT CnC Command Inbound (plugin)"; flow:established,from_server; content:"plugin|7c 7c|"; depth:8; fast_pattern; content:"|7c 7c|"; within:100; isdataat:1000,relative; app-layer-protocol:!http; reference:md5,ca075cb808eb6f69ab5ea82d7acb3f39; classtype:command-and-control; sid:2029699; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_23, deployment Perimeter, former_category MALWARE, malware_family ModiRAT, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num INSERT"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005957; classtype:web-application-attack; sid:2005957; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; content:"magelib.com"; bsize:11; nocase; reference:url,www.riskiq.com/blog/labs/magecart-reused-domains/?utm_campaign=magecart-reused-domains; classtype:domain-c2; sid:2028611; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_09_19, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_04_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num DELETE"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005958; classtype:web-application-attack; sid:2005958; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA471 Malicious AutoIT File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upld/"; startswith; http.content_type; content:"multipart/form-data|3b| boundary=----WebKitFormBoundary"; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|"; depth:14; content:!"Accept-Enc"; reference:md5,75d6f57cfba0ebc3633a49a8412a43e5; reference:md5,304d1ac0296fedec694a097480b341d9; classtype:trojan-activity; sid:2032886; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ASCII"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005959; classtype:web-application-attack; sid:2005959; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zyxel Authentication Bypass Inbound (CVE-2021-3297)"; http.method; content:"GET"; http.uri; content:"/login_ok.htm"; fast_pattern; http.cookie; content:"login=1"; reference:url,github.com/Sec504/Zyxel-NBG2105-CVE-2021-3297; reference:cve,2021-3297; classtype:attempted-user; sid:2032523; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_04_06, cve CVE_2021_3297, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE"; flow:established,to_server; http.uri; content:"/phonemessage.asp?"; nocase; content:"num="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005960; classtype:web-application-attack; sid:2005960; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x86 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|89 71 04 89|"; content:"|30 8d 04 bd|"; within:7; content:"|8b 4d|"; content:"|8b 45 f4 89 75|"; distance:1; within:5; content:"|89 01 85 ff 74|"; distance:1; within:5; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029334; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005961; classtype:web-application-attack; sid:2005961; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mimikatz x64 Executable Download Over HTTP"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|33 ff|"; content:"|89 37|"; distance:1; within:2; content:"|8b f3 45 85|"; distance:1; within:4; content:"|74|"; distance:1; within:1; content:"|4c 8b df 49|"; content:"|c1 e3 04 48|"; within:7; content:"|8b cb 4c 03|"; within:7; content:"|d8|"; within:4; reference:url,github.com/gentilkiwi/mimikatz; classtype:trojan-activity; sid:2029335; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_29, deployment Perimeter, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005962; classtype:web-application-attack; sid:2005962; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Bank of America Phish (set) M3 2016-10-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Passcode="; depth:9; nocase; flowbits:set,ET.bofaphish; flowbits:noalert; classtype:credential-theft; sid:2032592; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005963; classtype:web-application-attack; sid:2005963; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M2 2016-11-29"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"fname_ak"; depth:8; nocase; fast_pattern; content:"&lname_ak"; nocase; distance:0; content:"&staddd_ak"; nocase; distance:0; content:"&city_ak"; nocase; distance:0; content:"&state_ak"; nocase; distance:0; content:"&zip_ak"; nocase; distance:0; content:"&mobile_ak"; nocase; distance:0; content:"&1.Continue"; nocase; distance:0; classtype:credential-theft; sid:2032644; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005964; classtype:web-application-attack; sid:2005964; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Gmail Phish 2016-12-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"Content-Type|3a 20|multipart/form-data|3b|"; http.request_body; content:"form-data|3b 20|name=|22|Email"; nocase; content:"form-data|3b 20|name=|22|Pass"; fast_pattern; distance:0; nocase; content:"form-data|3b 20|name=|22|Recovery"; distance:0; nocase; content:"form-data|3b 20|name=|22|mobile"; distance:0; nocase; classtype:credential-theft; sid:2032652; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005965; classtype:web-application-attack; sid:2005965; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Discover Phish M3 2016-12-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"first="; depth:6; nocase; content:"&last="; nocase; distance:0; content:"&address="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&Phone="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&password="; nocase; distance:0; fast_pattern; content:"&jsenabled="; nocase; distance:0; classtype:credential-theft; sid:2032667; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_04_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6846; reference:url,www.milw0rm.com/exploits/3032; reference:url,doc.emergingthreats.net/2005966; classtype:web-application-attack; sid:2005966; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded Server Response (success)"; flow:established,from_server; file.data; content:"c3VjY2Vzcw=="; depth:12; classtype:bad-unknown; sid:2032883; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/refund_request.php?"; nocase; content:"orderid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41377; classtype:web-application-attack; sid:2011794; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $HOME_NET 80 (msg:"ET EXPLOIT Possible Local Active Directory Federation Services (AD FS) Replication Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/services/policystoretransfer"; startswith; fast_pattern; threshold:type limit,track by_src,count 1,seconds 600; reference:url,fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html; classtype:web-application-attack; sid:2032884; rev:1; metadata:attack_target Server, created_at 2021_04_28, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2005177; classtype:web-application-attack; sid:2005177; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SupremeLogger CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"machineID="; startswith; nocase; content:"&guid={"; content:"&ver="; content:"&os=Windows"; nocase; content:"&platform="; content:"&username="; content:"&display_resolution="; content:"processor="; content:"&cpu_count="; fast_pattern; content:"&install_path="; http.header_names; content:!"Referer"; reference:md5,0f1ab52a8d9c2d23412e0badc4515cb3; classtype:trojan-activity; sid:2032885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id DELETE"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004549; classtype:web-application-attack; sid:2004549; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDropper.Agent.RLO CnC Acitivty"; flow:established,to_server; dsize:576; content:"|5f 53 40 59 32 32 32 32 32 32 32 32 32 32|"; offset:298; depth:14; fast_pattern; content:"|65 5b 5c|"; offset:564; depth:3; reference:md5,a6d36df7ee6cb5407853aeacfd818ac9; classtype:command-and-control; sid:2032887; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/login"; nocase; content:"login_username="; nocase; pcre:"/(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:cve,2009-1798; reference:url,doc.emergingthreats.net/2010862; classtype:web-application-attack; sid:2010862; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious lnk Activity"; flow:established,to_client; file.data; content:"ExpandEnvironmentStrings|28 22 25|Temp|25 5c|MaGiaiNenNe.txt|22 29|"; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1387602989033017346; reference:md5,57f02fe8fa9d096e5ac9b6c9be66f05b; classtype:trojan-activity; sid:2032891; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UNION SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006826; classtype:web-application-attack; sid:2006826; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (realonlinetrend .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"realonlinetrend.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2032890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, malware_family Raccoon_Stealer, signature_severity Major, updated_at 2021_04_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf INSERT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006851; classtype:web-application-attack; sid:2006851; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PurpleFox EK Landing Page Domain in SNI"; flow:to_server,established; tls.sni; content:"lingering-math-ec29.7axrg.workers.dev"; endswith; classtype:exploit-kit; sid:2032889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2021_04_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login DELETE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006978; classtype:web-application-attack; sid:2006978; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/XRat.AT Variant CnC Activity"; flow:established,to_server; content:"0|7c|SS Client ID|7c|"; startswith; fast_pattern; content:"Windows"; distance:0; reference:md5,35b93cc523e0ac8c9bb922a236416d6f; classtype:command-and-control; sid:2032888; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_04_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006345; classtype:web-application-attack; sid:2006345; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (baroquetees .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"baroquetees.com"; bsize:15; fast_pattern; reference:url,twitter.com/Bank_Security/status/1387787132249518087; reference:md5,54f99323245d439893539eb6c7cd0239; classtype:domain-c2; sid:2032894; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family DarkSide, signature_severity Major, tag Ransomware, updated_at 2021_04_30, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006346; classtype:web-application-attack; sid:2006346; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Buer - DomainInfo User-Agent"; flow:established,to_server; http.user_agent; content:"|6e 71 71 66 34 3a 33 35 25 2d 46 75 75 71 6a 32 6e 55 6d 74 73 6a 3c 48 37 34 36 37 35 37 33 39 3b 3b 40 25 5a 40 25 48 55 5a 25 71 6e 70 6a 25 52 66 68 25 54 58 25 5d 40 25 6a 73 2e 25 46 75 75 71 6a 5c 6a 67 50 6e 79 34 39 37 35 30 25 2d 50 4d 59 52 51 31 25 71 6e 70 6a 25 4c 6a 68 70 74 2e 25 5b 6a 77 78 6e 74 73 34 38 33 35 25 52 74 67 6e 71 6a 34 36 46 3a 39 38 25 58 66 6b 66 77 6e 34 39 36 3e 33 38|"; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:trojan-activity; sid:2032892; rev:1; metadata:created_at 2021_04_30, former_category MALWARE, malware_family Buer, updated_at 2021_04_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006348; classtype:web-application-attack; sid:2006348; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to Buer - DomainInfo Domain"; flow:established,to_server; dns.query; content:"officewestunionbank.com"; bsize:23; reference:md5,0731679c5f99e8ee65d8b29a3cabfc6b; classtype:domain-c2; sid:2032893; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_04_30, deployment Perimeter, former_category MALWARE, malware_family Buer, signature_severity Major, updated_at 2021_04_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006349; classtype:web-application-attack; sid:2006349; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phish - Mirrored Website Comment Observed"; flow:established,to_client; file.data; content:"<!-- Mirrored from "; content:"by HTTrack Website Copier/"; distance:0; classtype:trojan-activity; sid:2018302; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2014_03_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006350; classtype:web-application-attack; sid:2006350; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/DarkNexus User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|checker/v"; fast_pattern; http.user_agent; content:"checker/v"; startswith; content:"/p"; distance:0; http.header_names; content:!"Referer"; reference:md5,81150784e5cef98bf6e56638da5fe5f3; classtype:trojan-activity; sid:2032895; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006351; classtype:web-application-attack; sid:2006351; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange RCE Setup Inbound (CVE-2021-28482)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/Exchange.asmx"; http.request_body; content:"ProposeOptionsMeeting"; content:"&quot|3b|&gt|3b|cmd"; distance:0; fast_pattern; content:"Value&gt|3b|"; distance:0; reference:cve,2021-28482; classtype:attempted-admin; sid:2032897; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_05_04, cve CVE_2021_28482, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UNION SELECT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006352; classtype:web-application-attack; sid:2006352; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M1 (CVE-2020-28020)"; flow:established,to_server; content:"|0a 20|"; content:"|0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a|"; fast_pattern; isdataat:50000,relative; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28020; classtype:attempted-admin; sid:2032898; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28020, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006795; classtype:web-application-attack; sid:2006795; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim receive_msg Integer Overflow Attempt Inbound M2 (CVE-2020-28020)"; flow:established,to_server; content:"|0a 09|"; content:"|0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a|"; fast_pattern; isdataat:50000,relative; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28020; classtype:attempted-admin; sid:2032899; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28020, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UNION SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006796; classtype:web-application-attack; sid:2006796; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M1 (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^[^\+]+\+0A/R"; content:"+0A"; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032900; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi INSERT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006797; classtype:web-application-attack; sid:2006797; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound M2 (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^[^\+]+(?:\+[A-F0-9]{2}){4,}/R"; content:"+0A"; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032901; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi DELETE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006798; classtype:web-application-attack; sid:2006798; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim New-Line Injection into Spool Header File Inbound - Information Disclosure Attempt (CVE-2020-28021)"; flow:established,to_server; content:"MAIL|20|FROM"; content:"AUTH="; distance:0; pcre:"/^.{0,100}\+0A.{0,100}\x40/R"; content:"+0A"; fast_pattern; content:"|40|"; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28021; classtype:attempted-admin; sid:2032902; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28021, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ASCII"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006799; classtype:web-application-attack; sid:2006799; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert smtp any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET EXPLOIT Exim Stack Exhaustion via BDAT Error Inbound (CVE-2020-28019)"; flow:established,to_server; content:"BDAT|20|"; pcre:"/^[^\r\n]{50,}/R"; content:"BDAT|20|"; distance:0; fast_pattern; reference:url,www.qualys.com/2021/05/04/21nails/21nails.txt; reference:cve,2020-28019; classtype:attempted-admin; sid:2032903; rev:1; metadata:attack_target SMTP_Server, created_at 2021_05_04, cve CVE_2020_28019, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"kullanici_ismi="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006800; classtype:web-application-attack; sid:2006800; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.addns .org Domain"; dns.query; content:".addns.org"; endswith; classtype:bad-unknown; sid:2032896; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006801; classtype:web-application-attack; sid:2006801; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M1"; flow:established,to_server; http.uri; content:"/dana"; depth:7; fast_pattern; pcre:"/^\S{0,7}\/(?:meeting|fb\/smb|namedusers|metric)/Ri"; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032904; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UNION SELECT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006802; classtype:web-application-attack; sid:2006802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M2"; flow:established,to_server; http.uri.raw; content:"/dana-na/"; depth:11; content:"cat%20/home/webserver/htdocs/dana-na/"; nocase; distance:2; within:100; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:attempted-admin; sid:2032905; rev:1; metadata:affected_product Pulse_Secure, attack_target Networking_Equipment, created_at 2021_05_05, cve CVE_2021_22893, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre INSERT"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006803; classtype:web-application-attack; sid:2006803; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [FIREEYE] Suspicious Pulse Secure HTTP Request (CVE-2021-22893) M3"; flow:established,to_server; content:"MIME|3a 3a|Base64|3b|"; nocase; http.uri; content:"/dana-na/"; depth:11; fast_pattern; content:!"welcome.cgi"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; reference:cve,2021-22893; classtype:trojan-activity; sid:2032906; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_05_05, cve CVE_2021_22893, former_category EXPLOIT, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre DELETE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006804; classtype:web-application-attack; sid:2006804; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected PULSECHECK Webshell Access Inbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|0d 0a|x_cmd|3a 20|"; nocase; fast_pattern; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/R"; http.header_names; content:"|0d 0a|x_key|0d 0a|"; nocase; content:"|0d 0a|x_cnt|0d 0a|"; nocase; content:"|0d 0a|x_cmd|0d 0a|"; nocase; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:attempted-admin; sid:2032786; rev:3; metadata:attack_target Server, created_at 2021_04_20, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre ASCII"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006805; classtype:web-application-attack; sid:2006805; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [FIREEYE] PULSECHECK Webshell Access Outbound"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|X-CMD|0d 0a|"; nocase; content:"|0d 0a|X-CNT|0d 0a|"; nocase; content:"|0d 0a|X-KEY|0d 0a|"; nocase; content:!"|0d 0a|Referer|0d 0a|"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032907; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE"; flow:established,to_server; http.uri; content:"/uye_giris_islem.asp?"; nocase; content:"sifre="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6298; reference:url,www.securityfocus.com/bid/21418; reference:url,doc.emergingthreats.net/2006806; classtype:web-application-attack; sid:2006806; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-#alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M1"; flow:established,to_server; flowbits:isnotset,ET.slightpulse; flowbits:noalert; flowbits:set,ET.slightpulseM1; http.method; content:"POST"; http.request_body; content:"cert="; startswith; fast_pattern; content:"&md5="; distance:16; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032908; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005603; classtype:web-application-attack; sid:2005603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-#alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1 (set) M2"; flow:established,to_server; flowbits:isnotset,ET.slightpulse; flowbits:noalert; flowbits:set,ET.slightpulseM1; http.method; content:"POST"; http.request_body; content:"md5="; startswith; content:"&cert="; fast_pattern; distance:16; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032909; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005604; classtype:web-application-attack; sid:2005604; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2"; flow:established,to_client; flowbits:isset,ET.slightpulseM2; http.stat_code; content:"200"; http.content_type; content:"application/x-download"; bsize:22; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename=tmp|0d 0a|"; fast_pattern; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032912; rev:1; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005605; classtype:web-application-attack; sid:2005605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M3"; flow:established,to_client; flowbits:isset,ET.slightpulseM2; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.content_type; content:"image/gif"; bsize:9; fast_pattern; file.data; content:!"<br>"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032913; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005606; classtype:web-application-attack; sid:2005606; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-#alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M1"; flow:established,to_client; flowbits:isset,ET.slightpulseM1; http.stat_code; content:"200"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.content_type; content:"text/html"; bsize:9; http.header_names; content:"|0d 0a|Content-Type|0d 0a 0d 0a|"; endswith; fast_pattern; file.data; content:!"<br>"; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:2032914; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005607; classtype:web-application-attack; sid:2005607; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected HARDPULSE Request"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/dana-na/auth/recover.cgi?token="; startswith; fast_pattern; http.request_body; content:"checkcode"; content:"hashid"; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032915; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE"; flow:established,to_server; http.uri; content:"/duyuru.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0304; reference:url,www.milw0rm.com/exploits/3120; reference:url,doc.emergingthreats.net/2005608; classtype:web-application-attack; sid:2005608; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M1"; flow:established,to_server; flowbits:isnotset,ET.slightpulseM2; flowbits:noalert; flowbits:set,ET.slightpulseM2; http.method; content:"POST"; http.request_body; content:"img="; startswith; fast_pattern; content:"&name="; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032910; rev:3; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant SELECT"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007006; classtype:web-application-attack; sid:2007006; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> any any (msg:"ET MALWARE [FIREEYE] SLIGHTPULSE Webshell Activity M2 (set) M2"; flow:established,to_server; flowbits:isnotset,ET.slightpulseM2; flowbits:noalert; flowbits:set,ET.slightpulseM2; http.method; content:"POST"; http.request_body; content:"name="; startswith; fast_pattern; content:"&img="; reference:url,github.com/fireeye/pulsesecure_exploitation_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:command-and-control; sid:2032911; rev:2; metadata:attack_target Server, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UNION SELECT"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007007; classtype:web-application-attack; sid:2007007; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SuperAntiSpyware Install Checkin"; flow:established,to_server; http.uri; content:"sEventName=SASRPI_Install&sEventData=tag|3a|SUPERAntiSpyware.exe"; fast_pattern; http.user_agent; content:"SUPERSetup"; bsize:10; reference:md5,05226ffa6102a0b3f9dfb8fa4965d0a2; classtype:pup-activity; sid:2032923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant INSERT"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007008; classtype:web-application-attack; sid:2007008; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET NETBIOS DCERPC DCOM ExecuteShellCommand Call - Likely Lateral Movement"; flow:established,to_server; content:"|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|S|00|h|00|e|00|l|00|l|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; content:!"S|00|Q|00|L|00|C|00|m|00|d|00|P|00|a|00|r|00|s|00|e|00|r|00|E|00|x|00|e|00|c|00|u|00|t|00|e|00|r"; reference:url,enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/; reference:url,enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/; reference:url,attack.mitre.org/techniques/T1175/; classtype:bad-unknown; sid:2027189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_11, deployment Internal, former_category NETBIOS, signature_severity Minor, updated_at 2021_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant DELETE"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007009; classtype:web-application-attack; sid:2007009; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"download.riseknite.life"; bsize:23; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032920; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ASCII"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007010; classtype:web-application-attack; sid:2007010; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"onedrive-upload.ikpoo.cf"; bsize:24; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032921; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE"; flow:established,to_server; http.uri; content:"/item_show.asp?"; nocase; content:"id2006quant="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007011; classtype:web-application-attack; sid:2007011; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT CnC Domain in DNS Lookup"; dns.query; content:"alps.travelmountain.ml"; bsize:22; nocase; reference:url,mp.weixin.qq.com/s/8RgFvA_rOR2nIGxjWbEq-w; classtype:domain-c2; sid:2032922; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_05_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007012; classtype:web-application-attack; sid:2007012; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Exep Command Issued"; dsize:>787; itype:8; content:"exep"; depth:4; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032934; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UNION SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007013; classtype:web-application-attack; sid:2007013; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Shell Command Issued"; dsize:>787; itype:8; content:"shell"; depth:5; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032916; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup INSERT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007014; classtype:web-application-attack; sid:2007014; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Download Command Issued"; dsize:>787; itype:8; content:"download"; depth:8; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032917; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup DELETE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007015; classtype:web-application-attack; sid:2007015; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Upload Command Issued"; dsize:>787; itype:8; content:"upload"; depth:6; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032918; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ASCII"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007016; classtype:web-application-attack; sid:2007016; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback Exec Command Issued"; dsize:>787; itype:8; content:"exec"; depth:4; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032919; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"maingroup="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007017; classtype:web-application-attack; sid:2007017; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert icmp $HOME_NET any -> any any (msg:"ET MALWARE Pingback OK Issued"; dsize:>787; itype:8; content:"OK"; depth:2; reference:url,www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/; reference:md5,264c2ede235dc7232d673d4748437969; classtype:trojan-activity; sid:2032935; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007018; classtype:web-application-attack; sid:2007018; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE lolzilla JS/PHP WebSkimmer - Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"_hash|22 0d 0a 0d 0a|eydyZWZlcmVyJzo"; fast_pattern; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; classtype:command-and-control; sid:2032927; rev:1; metadata:affected_product Magento, attack_target Client_and_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UNION SELECT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007019; classtype:web-application-attack; sid:2007019; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M1"; flow:established,to_server; http.cookie; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L146-L151; classtype:attempted-admin; sid:2032928; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup INSERT"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007020; classtype:web-application-attack; sid:2007020; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"mgdminhtml="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032929; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup DELETE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007021; classtype:web-application-attack; sid:2007021; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE zgRAT Activity"; flow:established,to_server; flowbits:isset,ET.zgRAT; content:"|01 00 00 00 1f 8b 08 00 00 00 00 00 04 00 33 04 00 b7 ef dc 83 01 00 00 00|"; dsize:25; reference:md5,b18a7e266eee1977ef3a145369589d5c; classtype:command-and-control; sid:2033108; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ASCII"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"ASCII"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007022; classtype:web-application-attack; sid:2007022; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M3"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"mgdminhtml="; fast_pattern; http.request_body; content:"name=|22|mgdminhtml|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L140-L145; classtype:attempted-admin; sid:2032930; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE"; flow:established,to_server; http.uri; content:"/item_list.asp?"; nocase; content:"secondgroup="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6209; reference:url,www.securityfocus.com/bid/21273; reference:url,doc.emergingthreats.net/2007023; classtype:web-application-attack; sid:2007023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"lolzilla="; fast_pattern; content:"g="; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032931; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Miva Merchant Cross Site Scripting Attack"; flow:to_server,established; http.uri; content:"merchant.mv"; nocase; content:"customer_login"; nocase; pcre:"/customer_login.*\">/i"; reference:bugtraq,14828; reference:url,smallbusiness.miva.com/products/mia/; reference:url,www.frsirt.com/english/advisories/2005/1758; reference:url,doc.emergingthreats.net/2002371; classtype:web-application-activity; sid:2002371; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER lolzilla WebSkimmer - Remote Code Execution Attempt M5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|lolzilla|22|"; fast_pattern; content:"name=|22|g|22|"; reference:url,lukeleal.com/research/posts/lolzilla-php-js-skimmer/; reference:url,github.com/rootprivilege/samples/blob/0bbb2f1e3028f4eb53b797175a4b40a535d5742d/skimmers/lolzilla/skimmerv2-deob.php#L135-L139; classtype:attempted-admin; sid:2032932; rev:1; metadata:affected_product PHP, affected_product Magento, attack_target Web_Server, created_at 2021_05_10, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SERVER, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/viewsource.php?"; nocase; content:"dirn="; nocase; reference:url,milw0rm.com/exploits/5394; reference:url,secunia.com/advisories/29685; reference:bugtraq,28659; reference:url,doc.emergingthreats.net/2009437; classtype:web-application-attack; sid:2009437; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number1g .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"number1g.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2032933; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/viewsource.php?"; nocase; content:"fname="; nocase; reference:url,milw0rm.com/exploits/5394; reference:url,secunia.com/advisories/29685; reference:bugtraq,28659; reference:url,doc.emergingthreats.net/2009430; classtype:web-application-attack; sid:2009430; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request for .x86"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x86"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032924; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004635; classtype:web-application-attack; sid:2004635; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request for .x64"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x64"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2032925; rev:1; metadata:affected_product Linux, affected_product IoT, attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004714; classtype:web-application-attack; sid:2004714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected SombRAT DNS Activity (TXT)"; pcre:"/\x1c(?:[a-z0-9]{28})[^\r\n]+(?:\x03(?:net|com)|\x02in)/"; content:"|00 10 00 01|"; fast_pattern; endswith; threshold:type both, track by_src,count 10, seconds 300; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; reference:url,us-cert.cisa.gov/ncas/analysis-reports/ar21-126a; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; reference:md5,05e133f34e44d75e596811bffba24156; classtype:trojan-activity; sid:2032942; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c SELECT"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004164; classtype:web-application-attack; sid:2004164; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (UNC2447)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-includes/po.php"; endswith; fast_pattern; http.cookie; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; classtype:trojan-activity; sid:2032943; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_05_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004165; classtype:web-application-attack; sid:2004165; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS,$SMTP_SERVERS] any (msg:"ET INFO Possible Overflow Attempt - Abnormally Large SMTP EHLO Inbound"; flow:established,to_server; content:"EHLO"; startswith; isdataat:1000,relative; classtype:bad-unknown; sid:2032926; rev:2; metadata:attack_target SMTP_Server, created_at 2021_05_10, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c INSERT"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004166; classtype:web-application-attack; sid:2004166; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (catsdegree .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"catsdegree.com"; bsize:14; fast_pattern; reference:md5,f00aded4c16c0e8c3b5adfc23d19c609; classtype:domain-c2; sid:2032939; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c DELETE"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004167; classtype:web-application-attack; sid:2004167; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (temisleyes .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"temisleyes.com"; bsize:14; fast_pattern; reference:md5,f00aded4c16c0e8c3b5adfc23d19c609; classtype:domain-c2; sid:2032940; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004169; classtype:web-application-attack; sid:2004169; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (UNC2447)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htm"; endswith; http.user_agent; content:"|20 28|compatible|3b 20|"; content:"|3b 20|.NET4.0E|20 29|"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html; classtype:trojan-activity; sid:2032944; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_05_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName SELECT"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005778; classtype:web-application-attack; sid:2005778; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DarkSide Ransomware Domain (rumahsia .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"rumahsia.com"; bsize:12; fast_pattern; reference:md5,979692cd7fc638beea6e9d68c752f360; classtype:domain-c2; sid:2032941; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UNION SELECT"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005779; classtype:web-application-attack; sid:2005779; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.CoinMiner Loader Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; http.header; content:"User-Agent|3a 20|Win|3a|"; http.user_agent; content:"Win|3a|"; startswith; content:"|20 7c 20|CPU|3a 20|"; fast_pattern; content:"|20 7c 20|Cores|3a 20|"; content:"|20 7c 20|GPU|3a 20|"; http.header_names; content:!"Referer"; content:!"Cache-"; content:!"Accept"; content:!"Connection"; reference:md5,403913dda79d0b739a8046022d2e3b37; classtype:trojan-activity; sid:2032937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Coinminer, updated_at 2021_05_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName INSERT"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005780; classtype:web-application-attack; sid:2005780; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Non-standard User-Agent (PATCHER)"; flow:established,to_server; http.header; content:"User-Agent|3a 20|PATCHER|0d 0a|"; classtype:policy-violation; sid:2032938; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_11, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_05_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName DELETE"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005781; classtype:web-application-attack; sid:2005781; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious User-Agent (altera forma)"; flow:established,to_server; http.user_agent; content:"altera|20|forma"; bsize:12; fast_pattern; reference:md5,f019d3031c3aaf45dbd3630a33ab0991; classtype:bad-unknown; sid:2032948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2021_05_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ASCII"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005782; classtype:web-application-attack; sid:2005782; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Observed (MASB UA)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0|20|(compatible|3b 20|MSIE 9.0|3b 20|Windows NT|20|6.1|3b 20|WOW64|3b 20|Trident/5.0|3b 20|MASB)"; bsize:76; fast_pattern; http.cookie; pcre:"/^[a-zA-Z0-9/+]{171}=$/"; http.header_names; content:!"Referer"; reference:md5,8079676dd62582da4d2e9d2448c1142d; classtype:command-and-control; sid:2032945; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_05_12, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE"; flow:established,to_server; http.uri; content:"/admin_check_user.asp?"; nocase; content:"txtUserName="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0196; reference:url,www.milw0rm.com/exploits/3105; reference:url,doc.emergingthreats.net/2005783; classtype:web-application-attack; sid:2005783; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tnega Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/hit.php?a=|25|"; fast_pattern; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,f019d3031c3aaf45dbd3630a33ab0991; classtype:trojan-activity; sid:2032949; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_05_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/global.php?"; nocase; content:"pfad="; nocase; pcre:"/(?:\.\.\/){1,}/"; reference:url,secunia.com/advisories/32986/; reference:url,milw0rm.com/exploits/7335; reference:url,doc.emergingthreats.net/2008938; classtype:web-application-attack; sid:2008938; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Ares Loader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/panel/upload/"; startswith; content:".cmp"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:25; reference:md5,b3cdb7135bf99a921376870898b22155; reference:url,www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan; classtype:trojan-activity; sid:2032950; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Multiple Membership Script id parameter SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/sitepage.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33019/; reference:url,milw0rm.com/exploits/7346; reference:url,doc.emergingthreats.net/2008994; classtype:web-application-attack; sid:2008994; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY PCHunter CnC activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PCHunter_"; startswith; fast_pattern; content:"="; distance:0; pcre:"/[A-F0-9]{96}$/R"; reference:md5,987b65cd9b9f4e9a1afd8f8b48cf64a7; classtype:misc-activity; sid:2032946; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_05_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start INSERT"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005855; classtype:web-application-attack; sid:2005855; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible RustyBuer Client Activity"; flowbits:set,ET.rustybuer; flowbits: noalert; ja3.hash; content:"6cc312d5b10bcbc97c4619603a24131b"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032959; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004461; classtype:web-application-attack; sid:2004461; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible RustyBuer Server Response"; flowbits:isset,ET.rustybuer; ja3s.hash; content:"f6dfdd25d1522e4e1c7cd09bd37ce619"; reference:md5,ea98a9d6ca6f5b2a0820303a1d327593; classtype:bad-unknown; sid:2032960; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category JA3, malware_family RustyBuer, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004683; classtype:web-application-attack; sid:2004683; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com"; bsize:74; fast_pattern; tls.cert_issuer; content:"C=US, ST=CA, L=Mountain View, O=Google GMail, OU=Google Mail, CN=gmail.com"; bsize:74; reference:md5,b210c0f7687a9199de870e0cc11996c1; classtype:domain-c2; sid:2032952; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp INSERT"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006083; classtype:web-application-attack; sid:2006083; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (security-desk .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"security-desk.com"; bsize:17; fast_pattern; reference:md5,efb5212c17a7cd05e087ef7a5655b4aa; classtype:domain-c2; sid:2032955; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp SELECT"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006093; classtype:web-application-attack; sid:2006093; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fam_newspaper"; startswith; http.accept; content:"image/*"; bsize:7; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 8.0.0|3b 20|SM-G960F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202"; bsize:112; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,efb5212c17a7cd05e087ef7a5655b4aa; classtype:command-and-control; sid:2032956; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/section.php?"; nocase; content:"Module_Text="; nocase; content:"ID="; nocase; content:"Lang="; nocase; content:"Nav="; nocase; content:"Module="; nocase; reference:url,packetstormsecurity.org/1005-exploits/724cms459-lfi.txt; classtype:web-application-attack; sid:2011828; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remove"; startswith; fast_pattern; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 7.0|3b 20|Pixel C Build/NRD90M|3b 20|wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"; bsize:109; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,bf8061539abbe6664924e37489a3751c; classtype:command-and-control; sid:2032957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/classes/flash_mp3_player/extras/external_feeds/getfeed.php?"; nocase; content:"file="; nocase; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011829; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 10.0|3b 20|Win32|3b 20|x32|3b 20|rv|3a|87.0b4) Gecko/201001 Firefox/87.0|0d 0a|"; reference:md5,9f2fe567dfe655efe8da577990aac077; classtype:trojan-activity; sid:2032951; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2021_05_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php?"; nocase; content:"file="; nocase; reference:url,inj3ct0r.com/exploits/12674; classtype:web-application-attack; sid:2011830; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Unknown Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|DNT|3a 20|1|0d 0a|"; http.cookie; content:"OSID="; startswith; pcre:"/^OSID=[a-zA-Z0-9\/+]{171}=$/"; reference:md5,b210c0f7687a9199de870e0cc11996c1; classtype:command-and-control; sid:2032953; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/include/admin.lib.inc.php?"; nocase; content:"site_path="; nocase; pcre:"/site_path=\s*(?:ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/1010-exploits/cmsboard-rfi.txt; classtype:web-application-attack; sid:2011831; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remote Desktop Spy Install Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"tn=remote-desktop-spy"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,4b25cfe19ea5e3778de80058fc99e531; classtype:command-and-control; sid:2032961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011832; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE (CVE-2021-31166), http.sys DOS (CVE-2022-21907) Inbound"; flow:established,to_server; http.accept_enc; content:",|20|,"; fast_pattern; reference:url,github.com/0vercl0k/CVE-2021-31166; reference:cve,2021-31166; classtype:attempted-admin; sid:2032962; rev:1; metadata:attack_target Server, created_at 2021_05_17, cve CVE_2021_31166, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011833; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VenusLocker Associated User-Agent Activity"; flow:established,to_server; http.user_agent; content:"gooGgleee"; bsize:9; fast_pattern; reference:md5,9aa3cc9d7c641ea22cfa3e5233e13c94; classtype:trojan-activity; sid:2032967; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family VenusLocker, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011834; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VenusLocker Activity"; flow:established,to_server; http.uri; content:"/dumbdumb?"; startswith; fast_pattern; pcre:"/\=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"text/*"; bsize:6; http.header_names; content:!"Referer"; content:!"Connect"; reference:md5,9aa3cc9d7c641ea22cfa3e5233e13c94; classtype:trojan-activity; sid:2032968; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family VenusLocker, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011835; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (zolo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"zolo.pw"; bsize:7; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/; classtype:trojan-activity; sid:2032969; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, signature_severity Major, updated_at 2021_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/admincp.php?"; nocase; content:"section=smilies"; nocase; content:"action=edit"; nocase; content:"smilieid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14205; classtype:web-application-attack; sid:2011836; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (pathc .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"pathc.space"; bsize:11; fast_pattern; reference:url,blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/; classtype:trojan-activity; sid:2032970; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, signature_severity Major, updated_at 2021_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?"; nocase; content:"mosConfig_live_site="; nocase; pcre:"/mosConfig_live_site=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,19198; reference:cve,CVE-2006-3930; classtype:web-application-attack; sid:2011837; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (dimentos .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dimentos.com"; bsize:12; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; reference:md5,4ffbffbde361609d7f2ea1c410d8272e; classtype:domain-c2; sid:2032963; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011838; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (btn_bg)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/btn_bg"; http.request_body; content:"paper="; startswith; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:command-and-control; sid:2032964; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011840; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)"; flow:established,to_server; http.cookie; content:"__session__id="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:command-and-control; sid:2032965; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011841; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (bg)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bg"; bsize:3; http.cookie; content:"SSID="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032966; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011842; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.date domain"; flow:established,to_server; http.host; content:".date"; fast_pattern; endswith; classtype:bad-unknown; sid:2032983; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/baconmap/admin/updatelist.php?"; nocase; content:"filepath="; nocase; reference:url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt; classtype:web-application-attack; sid:2011843; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.cam domain"; flow:established,to_server; http.host; content:".cam"; fast_pattern; endswith; classtype:bad-unknown; sid:2032984; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/com_rwcards/rwcards.advancedate.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt; classtype:web-application-attack; sid:2011844; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.surf domain"; flow:established,to_server; http.host; content:".surf"; fast_pattern; endswith; classtype:bad-unknown; sid:2032985; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/html/11-login.asp?"; nocase; content:"intPassedLocationID="; nocase; pcre:"/intPassedLocationID\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,43865; classtype:web-application-attack; sid:2011845; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.asia domain"; flow:established,to_server; http.host; content:".asia"; fast_pattern; endswith; classtype:bad-unknown; sid:2032986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"uniqcode=KPI"; nocase; content:"menu_no_top=performance"; nocase; content:"uri="; nocase; reference:url,exploit-db.com/exploits/15232; classtype:web-application-attack; sid:2011846; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tw domain"; flow:established,to_server; http.host; content:".tw"; fast_pattern; endswith; classtype:bad-unknown; sid:2032987; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/real_estate/index.php?"; nocase; content:"option=com_jomestate"; nocase; content:"task="; nocase; pcre:"/task=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/12835; classtype:web-application-attack; sid:2011847; rev:4; metadata:created_at 2010_10_25, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ml domain"; flow:established,to_server; http.host; content:".ml"; fast_pattern; endswith; classtype:bad-unknown; sid:2032988; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/news/search.php3?"; nocase; content:"bn="; nocase; pcre:"/bn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,44370; classtype:web-application-attack; sid:2011852; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_26, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.gq domain"; flow:established,to_server; http.host; content:".gq"; fast_pattern; endswith; classtype:bad-unknown; sid:2032989; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/detail.php?"; nocase; content:"siteid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,frsirt.com/english/advisories/2008/3079; reference:bugtraq,32191; reference:url,doc.emergingthreats.net/2008838; classtype:web-application-attack; sid:2008838; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.ga domain"; flow:established,to_server; http.host; content:".ga"; fast_pattern; endswith; classtype:bad-unknown; sid:2032990; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID DELETE"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006138; classtype:web-application-attack; sid:2006138; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.buzz domain"; flow:established,to_server; http.host; content:".buzz"; fast_pattern; endswith; classtype:bad-unknown; sid:2032991; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006158; classtype:web-application-attack; sid:2006158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Cobalt Strike Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"ESF"; bsize:3; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,5b5a730628dc9eba2c12530d225c2f70; classtype:command-and-control; sid:2032974; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bazar/picturelib.php?"; nocase; content:"cat="; nocase; pcre:"/cat=\s*(?:ftps?|https?|php)\x3a\//i"; reference:cve,CVE-2010-2315; reference:url,exploit-db.com/exploits/12855/; classtype:web-application-attack; sid:2011880; rev:4; metadata:created_at 2010_10_29, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Collector/2.0/settings/"; startswith; fast_pattern; content:"events="; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032975; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/loadplugin.php?"; nocase; content:"load="; nocase; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; classtype:web-application-attack; sid:2011884; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (Teams) M2"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Authentication|3a 20|skypetoken=eyJhbGciOi"; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"json"; bsize:4; http.referer; content:"https://teams.microsoft.com/_"; bsize:29; reference:url,www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/; classtype:command-and-control; sid:2032976; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/classes/BxDolGzip.php?"; nocase; content:"file="; nocase; reference:url,secunia.com/advisories/42108; reference:url,exploit-db.com/exploits/15400/; classtype:web-application-attack; sid:2011936; rev:4; metadata:created_at 2010_11_19, updated_at 2020_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=CL, L=Santiago, O=Tigomemo Uteendtu GP, OU=Touintsanc Ft4an, CN=cess3wessr.mq"; bsize:79; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032992; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/thumbnailformpost.inc.php?"; nocase; content:"adminlangfile="; nocase; reference:url,exploit-db.com/exploits/15345/; classtype:web-application-attack; sid:2011928; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (WastedLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=LC, L=Castries, O=Isesem Cooperative, OU=Tinarthar and tha6mate narobiaof and t5he, CN=Udngt5rlura.my"; bsize:103; fast_pattern; reference:url,www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf; classtype:domain-c2; sid:2032993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_18, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011930; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Google Webcrawler User-Agent (Mediapartners-Google)"; flow:established,to_server; http.user_agent; content:"Mediapartners-Google"; nocase;  classtype:not-suspicious; sid:2032978; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011931; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DecryptmyFiles Ransomware CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"decryptmyfiles.top"; bsize:18; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:command-and-control; sid:2032994; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DecryptmyFiles Ransomware User-Agent (uniquesession)"; flow:established,to_server; http.user_agent; content:"uniquesession"; bsize:13; fast_pattern; reference:md5,0e61e496fc218c1c6dc1f5640a3ac7e5; classtype:trojan-activity; sid:2032995; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/vodpod-video-gallery/vodpod_gallery_thumbs.php?"; nocase; content:"gid="; nocase; pcre:"/gid\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42195; classtype:web-application-attack; sid:2011942; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/RiskWare.YouXun.AD CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sc="; content:!"&"; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31"; bsize:101; fast_pattern; reference:md5,2292c6acb1e5f139900b9d1942b14b08; classtype:command-and-control; sid:2032977; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011943; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Yandex Webcrawler User-Agent (YandexBot)"; flow:established,to_server; http.user_agent; content:"YandexBot"; nocase;  classtype:not-suspicious; sid:2032979; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011944; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN DuckDuckGo Webcrawler User-Agent (DuckDuckBot)"; flow:established,to_server; http.user_agent; content:"DuckDuckBot"; nocase;  classtype:not-suspicious; sid:2032980; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011946; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Bing Webcrawler User-Agent (BingBot)"; flow:established,to_server; http.user_agent; content:"bingbot"; nocase;  classtype:not-suspicious; sid:2032981; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011947; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Naver Webcrawler User-Agent (Naver.me)"; flow:established,to_server; http.user_agent; content:"naver.me"; nocase;  classtype:not-suspicious; sid:2032982; rev:1; metadata:attack_target Web_Server, created_at 2021_05_18, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_18, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/includes/window_top.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011948; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Ymacco.AA36 User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|deus vult|0d 0a|"; reference:md5,bde62aedd46fcbf7520a22e7375b6254; classtype:trojan-activity; sid:2032972; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/control/common.php?"; nocase; content:"lang_file="; nocase; pcre:"/lang_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011949; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 2"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll2.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2032971; rev:2; metadata:created_at 2021_05_18, former_category MOBILE_MALWARE, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/awcm/header.php?"; nocase; content:"theme_file="; nocase; pcre:"/theme_file=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15510/; classtype:web-application-attack; sid:2011950; rev:4; metadata:created_at 2010_11_20, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/poll.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; reference:url,twitter.com/bl4ckh0l3z/status/1340960422485213184; reference:md5,43f75535144f3315e402a0aa5f181e7d; classtype:trojan-activity; sid:2031445; rev:2; metadata:attack_target Mobile_Client, created_at 2020_12_21, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011932; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible ELF executable sent when remote host claims to send a Text File"; flow:established,from_server; http.header; content:"Content-Type|3a 20|text/plain"; file.data; content:"|7f 45 4c 46|"; startswith; fast_pattern; isdataat:3000,relative; classtype:bad-unknown; sid:2032973; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_05_18, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_05_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/site_info.php?"; nocase; content:"siid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,inj3ct0r.com/exploits/14090; classtype:web-application-attack; sid:2011934; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Bizarro Banker Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b|MSIE 6.0|3b 20|Windows|20|NT|20|5.0"; bsize:48; fast_pattern; reference:url,securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/; classtype:trojan-activity; sid:2032998; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/filemgmt/singlefile.php?"; nocase; content:"lid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,securityreason.com/exploitalert/9145; classtype:web-application-attack; sid:2011945; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_20, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert dns any any -> any any (msg:"ET MALWARE Suspected Sliver DNS CnC"; content:"|00 10 00 01|"; isdataat:!1,relative; dns.query; content:"_"; startswith; pcre:"/^[a-z0-9_]{6}[^a-z0-9_]/R"; content:"_domainkey"; distance:8; fast_pattern; reference:url,github.com/BishopFox/sliver; classtype:trojan-activity; sid:2032936; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_10, deployment Perimeter, former_category MALWARE, malware_family Sliver, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softbiz Article Directory Script sbiz_id Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/server/article_details.php?"; nocase; content:"sbiz_id="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/14910/; classtype:web-application-attack; sid:2011987; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_26, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Baidu Spider Webcrawler User Agent - inbound"; flow:established,to_server; content:"baiduspider"; nocase; http_user_agent; classtype:not-suspicious; sid:2033338; rev:1; metadata:attack_target Web_Server, created_at 2021_05_19, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_05_19, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006494; classtype:web-application-attack; sid:2006494; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Discord Token Grabber"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"**Account Info**"; fast_pattern; content:"**Token**"; distance:0; content:"NightfallGT"; distance:0; reference:md5,0adc114f1b8ed3336d73d4d0521c39f5; reference:url,github.com/NightfallGT/Token-Grabber-Builder/; classtype:command-and-control; sid:2032999; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006501; classtype:web-application-attack; sid:2006501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Discord Nitro Ransomware"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord.com"; http.request_body; content:"**Program executed**"; fast_pattern; content:"Status|3a 20|Active|20|"; distance:0; content:"PC|20|Name|3a 20|"; distance:0; content:"IP|20|Address|3a 20|"; distance:0; reference:md5,0adc114f1b8ed3336d73d4d0521c39f5; reference:url,github.com/NightfallGT/Nitro-Ransomware; classtype:command-and-control; sid:2033000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_05_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004147; classtype:web-application-attack; sid:2004147; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-18"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"<html>"; startswith; content:"<title>Mail Verification</title><script src=|27|http|3a 2f 2f|"; content:!"google."; within:20; content:"/google_analytics_auto.js|27|></script>"; distance:0; within:100; content:"<form method=|22|post|22 20|action=|22|x3d.php|22|"; distance:0; fast_pattern; reference:url,app.any.run/tasks/654f09ca-352f-4d7a-a8eb-ce49c88b4f58/; classtype:credential-theft; sid:2033001; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids SELECT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004666; classtype:web-application-attack; sid:2004666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Silver Implant Domain (raspoly .biz in TLS SNI)"; flow:established,to_server; tls.sni; content:"raspoly.biz"; bsize:11; fast_pattern; reference:md5,13816c3ba10d4a3ca4b4c97f248a985f; classtype:domain-c2; sid:2032996; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_19, deployment Perimeter, signature_severity Major, updated_at 2021_05_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012001; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Silver Implant)"; flow:established,to_client; tls.cert_subject; content:"CN=raspoly.biz"; bsize:14; fast_pattern; reference:md5,13816c3ba10d4a3ca4b4c97f248a985f; classtype:domain-c2; sid:2032997; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_19, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_19, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012002; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M2"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 41|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033005; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012003; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Flubot / LIKEACHARM Stealer Exfil (POST) 3"; flow:established,to_server; http.method; content:"POST"; http.start; content:"/p.php HTTP/1.1|0d 0a|Content-Length|3a 20|"; fast_pattern; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android|20|"; http.host; pcre:"/^[a-z]{15}\.(?:com|ru|cn|su)$/W"; classtype:trojan-activity; sid:2033003; rev:2; metadata:created_at 2021_05_20, former_category MOBILE_MALWARE, updated_at 2021_05_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012004; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SystemBC CnC Checkin (null key) M1"; flow:established,to_server; dsize:100; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; startswith; content:"|89 40|"; distance:2; within:2; content:"|46 ad 57 90|"; fast_pattern; endswith; reference:md5,b8fb4ba9ef16fcaa442c2857bb045640; classtype:command-and-control; sid:2033004; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_20, deployment Perimeter, former_category MALWARE, malware_family SystemBC, performance_impact Moderate, signature_severity Major, updated_at 2021_05_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cart.php?"; nocase; content:"m=features"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15405/; classtype:web-application-attack; sid:2012005; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; startswith; content:".min.js"; endswith; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Referer|3a 20|"; startswith; fast_pattern; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,4547d3404ceb0436585e11f317eadb7c; classtype:command-and-control; sid:2033008; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Base/example_1.php?"; nocase; content:"GLOBALS[MM_ROOT_DIRECTORY]="; nocase; pcre:"/GLOBALS\[MM_ROOT_DIRECTORY\]=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15441/; classtype:web-application-attack; sid:2012006; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response"; flow:established,to_client; file.data; content:"/*!|20|jQuery|20|v"; startswith; content:"if|28|e|5b|n|5d 3d 3d 3d|t|29|return n|3b|return|2d|1|7d 2c|P|3d 22|"; fast_pattern; distance:0; content:!"checked"; within:7; reference:md5,09773b90da8f3688faf54750b6a5ecf5; classtype:command-and-control; sid:2033009; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_05_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; pcre:"/skin_file=\s*(ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012007; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Wifi Geolocation Domain (api .mylnikov .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.mylnikov.org"; bsize:16; fast_pattern; reference:md5,1bad0cbd09b05a21157d8255dc801778; classtype:policy-violation; sid:2033010; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Informational, updated_at 2021_05_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plugins/templateie/lib/templateie_install.class.php?"; nocase; content:"skin_file="; nocase; reference:url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt; classtype:web-application-attack; sid:2012008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Kimsuky Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"list.php?query=1"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; bsize:57; http.header_names; content:!"Referer"; reference:md5,04a0505cc45d2dac4be9387768efcb7c; reference:md5,d8e817abd5ad765bf7acec5d672cbb8d; classtype:trojan-activity; sid:2033012; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/feedlist/handler_image.php?"; nocase; content:"i="; nocase; pcre:"/i\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42197/; reference:url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56; classtype:web-application-attack; sid:2012009; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Wifi Geolocation Lookup Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geolocation/wifi"; startswith; fast_pattern; content:"bssid="; http.host; content:"api.mylnikov.org"; bsize:16; reference:md5,1bad0cbd09b05a21157d8255dc801778; classtype:policy-violation; sid:2033011; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_21, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_05_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/initsystem.php?"; nocase; content:"loader_file="; nocase; reference:url,secunia.com/advisories/42101/; classtype:web-application-attack; sid:2012010; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (number2g .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"number2g.top"; bsize:12; fast_pattern; classtype:domain-c2; sid:2033014; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/fetchmailprefs.php?"; nocase; content:"actionID=fetchmail_prefs_save"; nocase; content:"fm_driver=imap"; nocase; content:"fm_id="; nocase; pcre:"/fm_id\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt; classtype:web-application-attack; sid:2012011; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (genericalphabet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"genericalphabet.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2033015; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/api/download_launch.php?"; nocase; content:"filename="; nocase; reference:url,exploit-db.com/exploits/13966/; classtype:web-application-attack; sid:2012012; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Activity M14"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"_"; distance:0; content:"*"; distance:0; http.host; content:"bb3u9.com"; fast_pattern; classtype:command-and-control; sid:2033019; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_smf/smf.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt; classtype:web-application-attack; sid:2012013; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Checkin M6"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?&"; fast_pattern; content:"&"; distance:0; content:"-"; distance:0; content:"&"; distance:0; content:"|3a|"; distance:2; within:1; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,293b4a6f18fdf5146b92e87e51cf8aa1; classtype:command-and-control; sid:2033020; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jimtawl"; nocase; content:"Itemid="; nocase; content:"task="; nocase; reference:url,expbase.com/WebApps/13388.html; reference:url,secunia.com/advisories/42324/; classtype:web-application-attack; sid:2012014; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_03;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lemon_Duck Powershell CnC Activity M15"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp?"; content:"_"; distance:0; content:"*"; distance:0; http.host; content:"t."; startswith; fast_pattern; pcre:"/^[a-z0-9]{5}\.com$/R"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; classtype:command-and-control; sid:2033021; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_05_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/viewver.php?"; nocase; content:"doc_root="; nocase; pcre:"/doc_root=\s*(?:ftps?|https?|php)\:\//i"; reference:url,expbase.com/WebApps/13387.html; reference:url,xforce.iss.net/xforce/xfdb/63343; classtype:web-application-attack; sid:2012015; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_03;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT QNAP MusicStation Pre-Auth RCE Inbound (CVE-2020-36197)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/musicstation/api/upload.php?arttype=../../"; fast_pattern; reference:url,www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/; reference:cve,2020-36197; classtype:attempted-admin; sid:2033013; rev:2; metadata:created_at 2021_05_24, cve CVE_2020_36197, former_category EXPLOIT, updated_at 2021_05_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012016; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M1"; flow:established,to_server; content:"sbyc"; startswith; fast_pattern; content:"/000"; distance:20; within:4; content:"JFIF"; distance:0; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033016; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012017; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M2"; flow:established,to_server; content:"|0d 0a|clinet|20|utc|20|time|3a 3a 20|"; fast_pattern; content:"Hard|20|Disk|20|Used|20|Sizes|3a 3a|"; nocase; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033017; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012018; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Teslarvng Ransomware CnC Activity M3"; flow:established,to_server; content:"|00 00|encrypted|20|local|20|size|20 3a|"; nocase; fast_pattern; content:"|0d 0a|Encrypted|20|Network|20|size|20 3a|"; nocase; distance:0; reference:md5,d26e609c77e314fc3f242a736c323ab6; classtype:command-and-control; sid:2033018; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_24, deployment Perimeter, former_category MALWARE, malware_family Ouroboros, signature_severity Major, tag Ransomware, updated_at 2021_05_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012019; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rl?tm="; content:"&id="; content:"&cu="; content:"&ci="; content:"&cv="; content:"&iv="; content:"&pchid="; content:"&ug="; http.header_names; content:!"Referer|0d 0a|"; reference:url,www.cybereason.com/blog/targetingedge-mac-os-x-pirrit-malware-adware-still-active; classtype:pup-activity; sid:2033028; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"view=catalog"; nocase; content:"item_type=M"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,expbase.com/WebApps/13391.html; reference:url,secunia.com/advisories/42330/; classtype:web-application-attack; sid:2012020; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP OSX/Adware.Pirrit CnC Activity 4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/exec.tgz"; endswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit; classtype:pup-activity; sid:2033029; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_05_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"action=gallery.list"; nocase; content:"id_gallery="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15595/; reference:url,secunia.com/advisories/42334/; classtype:web-application-attack; sid:2012021; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/files-"; offset:25; content:"/data?d="; distance:0; fast_pattern; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,344b7370c6e61812eeb1cf1d737f27f3; reference:url,twitter.com/ShadowChasing1/status/1396809305194590211; classtype:trojan-activity; sid:2033032; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_cbe"; nocase; content:"task=userProfile"; nocase; content:"user="; nocase; content:"ajaxdirekt="; nocase; content:"tabname="; nocase; reference:url,exploit-db.com/exploits/15222/; classtype:web-application-attack; sid:2012022; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OSX/MapperState CnC Domain in DNS Lookup"; dns.query; content:"web.mapperstate.com"; nocase; bsize:19; reference:url,twitter.com/ConfiantIntel/status/1393215825931288580; classtype:domain-c2; sid:2033030; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Forms/home_1?"; nocase; content:"HomeCurrent_Date="; nocase; pcre:"/HomeCurrent_Date\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42344/; reference:url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html; classtype:web-application-attack; sid:2012023; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/MapperState CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"ms"; offset:7; depth:2; content:"|20|(unknown|20|version)|20|"; http.request_body; content:"smc31000"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,twitter.com/ConfiantIntel/status/1393215825931288580; classtype:trojan-activity; sid:2033031; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2021_05_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/gbookmx/gbook.php?"; nocase; content:"newlangsel="; nocase; pcre:"/newlangsel=\s*(?:ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/10986/; classtype:web-application-attack; sid:2012024; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaLoader CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; http.header; http.header; content:"Date|3a 20|"; content:"GMT|0d 0a|"; distance:0; pcre:"/^[a-z]{3,15}\x3a\x20/Rs"; content:"|0d 0a|User-Agent|3a 20|apiutwq|0d 0a|"; fast_pattern; distance:100; http.header_names; content:!"Referer"; reference:md5,96764a0a62e66a147a3d4db0e59a6e34; classtype:command-and-control; sid:2033033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, signature_severity Major, updated_at 2021_05_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..//"; depth:200; http.method; content:"GET"; http.uri; content:"/download.php?"; nocase; content:"filesec=sitemap"; nocase; content:"filetype=text"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt; classtype:web-application-attack; sid:2012025; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)"; flow:established,to_client; tls.cert_subject; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; fast_pattern; tls.cert_issuer; content:"C=KZ, ST=Astana, L=Astana, O=NN Fern, OU=KZ System, CN=forenzik.kz"; bsize:66; reference:md5,4cca9a1ec4b92df89a8bc992a6ba961f; classtype:domain-c2; sid:2033034; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_05_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_05_26, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012026; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".py?action=update&app=WebAssistant/1.0&db=Database/1.0"; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033038; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012027; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups (officemodel .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"officemodel.org"; bsize:15; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033039; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012028; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/verify_/.php?flag=false"; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:trojan-activity; sid:2033040; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012029; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups (tcahf .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"tcahf.org"; bsize:9; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:domain-c2; sid:2033041; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/takefreestart.php?"; nocase; content:"tid="; nocase; content:"tid2="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,exploit-db.com/exploits/15526/; classtype:web-application-attack; sid:2012030; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Domain Targeting Minority Groups Domain (unohcr .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"unohcr.org"; bsize:10; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:domain-c2; sid:2033042; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012032; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M1"; flow:established,to_client; file.data; content:"|3c|title|3e 3c 2f|title|3e 3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon"; fast_pattern; content:"|3c 2f|div|3e 3c|script|3e|eval|28|function|28 24|"; distance:0; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27|"; distance:0; content:!":<script>"; distance:0; content:"|3c 2f|script|3e 3c 2f|body|3e 3c 2f|html|3e 0a|"; endswith; content:!"|0d 0a|"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033036; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/login.php?"; nocase; content:"default_login_language="; nocase; reference:url,secunia.com/advisories/39144/; reference:url,1337db.com/exploits/11446; classtype:web-application-attack; sid:2012033; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/Action/TestAction"; fast_pattern; http.request_body; content:"$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib"; content:"$value|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:cve,2021-31474; classtype:attempted-admin; sid:2033035; rev:1; metadata:attack_target Server, created_at 2021_05_27, cve CVE_2021_31474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012034; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Actor Targeting Minority Groups CnC Activity"; flow:established,to_server; http.uri; content:"/verify_.php?uuid="; startswith; fast_pattern; reference:url,research.checkpoint.com/2021/uyghurs-a-Turkic-ethnic-minority-in-china-targeted-via-fake-foundations/; classtype:command-and-control; sid:2033043; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012035; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M1"; flow:established,to_client; http.content_type; content:"/javascript"; file.data; content:"eval|28|function|28 24|nbrut|2c|"; startswith; content:"function|28 24|charCode|29 20 7b|return|20 28 24|charCode|20|"; distance:0; content:"|3f 20|String|2e|fromCharCode|28|"; within:150; content:"|29 20 3a 20 24|charCode|2e|toString|28|"; within:50; content:"|2e|replace|28|new|20|RegExp|28 27 5c 5c|b|27 20 2b|"; distance:0; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_27, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M2"; flow:established,to_client; file.data; content:"|3c|title|3e 3c 2f|title|3e 3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon|22 20 2f 3e 3c 2f|head|3e 3c|body|20|class|3d 22|"; content:"|3e 3c 2f|div|3e 3c|script|3e|document|2e|write|28|atob|28 27|PHNjcmlwdD52YXIgXzB4"; fast_pattern; within:200; content:!":<script>"; distance:0; content:"|27 29 29 3c 2f|script|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; content:!"|0d 0a|"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033049; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012037; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".theyardservice.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; classtype:domain-c2; sid:2033050; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mod.php?"; nocase; content:"mod=publisher"; nocase; content:"op=printarticle"; nocase; content:"artid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15006/; classtype:web-application-attack; sid:2012038; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".worldhomeoutlet.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; classtype:domain-c2; sid:2033051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=en_Home"; nocase; content:"car="; nocase; content:"and"; nocase; content:"substring("; nocase; distance:0; reference:url,exploit-db.com/exploits/15135/; classtype:web-application-attack; sid:2012039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apricot/"; fast_pattern; http.user_agent; content:"Microsoft|20|Internet|20|Explorer"; bsize:27; reference:md5,d843b58f31c687d22de09a6765b3ba3b; reference:url,twitter.com/ShadowChasing1/status/1395274704366145539; reference:url,research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/; classtype:trojan-activity; sid:2033054; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/en/front_content.php?"; nocase; content:"idart="; nocase; pcre:"/idart\x3d.+(?:script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42440/; classtype:web-application-attack; sid:2012040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"; flowbits:isset,ET.rclone; ja3s.hash; content:"eb1d94daa7e0344597e756a1fb6e7054"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033055; rev:1; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010018; classtype:web-application-attack; sid:2010018; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Rclone Client Response (Mega Storage)"; flowbits:isset,ET.rclone; ja3s.hash; content:"b607b6456e5d8a98efa7eb7f15029431"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033056; rev:1; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012073; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing Page 2021-05-24"; flow:established,from_server; http.header; content:"|0d 0a|Content-Type|3a 20|text/html"; file.data; content:"2|0a|<html>"; startswith; content:"<title>|26 23|47700|3b 26 23|51068|3b 20 26 23|49444|3b 26 23|51221|3b 20 7c 20 26 23|51060|3b 26 23|47700|3b 26 23|51068|3b 20 26 23|50629|3b 26 23|44536|3b 26 23|47112|3b 26 23|51060|3b 26 23|46300|3b|</title><script src=|27|/google_analytics_auto.js|27|></script>"; distance:0; fast_pattern; content:"<form method=|22|post|22 20|action=|22|post.php|22|"; distance:0; reference:url,app.any.run/tasks/e878cb4f-4078-47c8-ac7c-59266940a68e/; classtype:social-engineering; sid:2033048; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012074; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion JavaScript Response M2"; flow:established,to_client; file.data; content:"var _0x"; startswith; content:"|3d 5b 22|"; distance:4; within:3; content:"|3b|var|20 5f|0x"; distance:0; content:"|3d|function|28|"; within:14; content:"|5b 78 3d 2b 78 5d 3b 76 6f 69 64 20 30 3d 3d 3d 5f 30 78|"; distance:18; within:19; fast_pattern; content:"|2e|replace|28 2f 3d 2b 24 2f 2c 22 22 29|"; distance:86; within:18; content:"return|20|decodeURIComponent|28|"; distance:0; classtype:credential-theft; sid:2033053; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_billyportfolio"; nocase; content:"view=billyportfolio"; nocase; content:"catid="; nocase; content:"and"; nocase; content:"if("; nocase; distance:0; reference:url,exploit-db.com/exploits/15721/; classtype:web-application-attack; sid:2012099; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_22, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible Rclone Client Activity"; flowbits:set,ET.rclone; flowbits:noalert; ja3.hash; content:"d0ee3237a14bbd89ca4d2b5356ab20ba"; tls.sni; content:!"grafana.com"; content:!"grafana.org"; content:!"grafana.net"; reference:url,twitter.com/NCCGroupInfosec/status/1398137873954652163; classtype:bad-unknown; sid:2033047; rev:2; metadata:created_at 2021_05_28, former_category JA3, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php INSERT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006750; classtype:web-application-attack; sid:2006750; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POST to Double Slash in URI"; flow:established,to_server; http.request_line; content:"POST|20|//|20|HTTP/1."; startswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033045; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_05_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013876; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Landing Page M3"; flow:established,to_client; file.data; content:"|3c|link|20|href|3d 22 22 20|rel|3d 22|shortcut|20|icon|22 20 2f 3e|"; content:"document|2e|write|28|"; distance:0; content:"atob|28|"; within:40; content:"PHNjcmlwdD5ldmFsKGZ1bmN0aW9uKCRuYnJ1dCw"; within:150; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033063; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_06_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013875; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JSSLoader Domain (deprivationant .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"deprivationant.com"; bsize:18; fast_pattern; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:domain-c2; sid:2033058; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, signature_severity Major, updated_at 2021_06_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla techfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_techfolio"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17138; classtype:web-application-attack; sid:2013874; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_11_08, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; fast_pattern; content:"&p1="; distance:1; within:4; content:"&p2="; distance:16; within:4; pcre:"/\.php\?m=[abcdefgh]&p1=[a-f0-9]{16}&p2=[^\r\n]+$/"; http.user_agent; content:"Android"; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; reference:url,blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor; reference:md5,4626ed60dfc8deaf75477bc06bd39be7; classtype:trojan-activity; sid:2033059; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_06_01, deployment Perimeter, former_category MOBILE_MALWARE, updated_at 2021_06_01, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/goform/formLogin"; nocase; http.request_body; content:"Login="; nocase; content:!"|0A|"; within:300; isdataat:300,relative; pcre:"/Login=[^\r\n]{300}/i"; reference:url,www.securityfocus.com/bid/36933; reference:cve,2009-2685; reference:url,doc.emergingthreats.net/2010699; classtype:web-application-attack; sid:2010699; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike C2 Profile (news_indexedimages)"; flow:established,to_server; http.request_line; content:"GET /news_indexedimages_autrzd/"; startswith; fast_pattern; content:"&usqp=CAU HTTP/1.1"; endswith; http.referer; content:"http://www.google.com"; bsize:21; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|compatible|3b 20|MSIE|20|8|2e|0|3b 20|Windows|20|NT|20|6|2e|1|3b 20|Trident|2f|5|2e|0|29|"; bsize:63; reference:md5,8ece22e6b6e564e3cbfb190bcbd5d3b9; classtype:command-and-control; sid:2033065; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_06_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011876; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike Loader Domain (cybersecyrity .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cybersecyrity.com"; bsize:17; fast_pattern; reference:md5,611d4c566575d5657661766e27292d28; classtype:domain-c2; sid:2033060; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011877; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (defendersecyrity .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defendersecyrity.com"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033061; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011878; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile)"; flow:established,to_server; http.user_agent; content:"sendFile"; nocase; depth:8; http.host; content:!".tannereda.com"; endswith; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016888; rev:6; metadata:created_at 2013_05_21, updated_at 2021_06_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"dbhcms_pid="; nocase; fast_pattern; content:"editmenu="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/15309/; classtype:web-application-attack; sid:2011879; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed UK Gov Support Landing 2021-06-01"; flow:established,from_server; file.data; content: "<title> Enter your Self Assessment Unique Taxpayer Reference|20 2d 20|Self|2d|Employment Income Support Scheme|20 2d 20|GOV.UK</title>"; fast_pattern; content:"width=device-width"; distance:0; content:"initial-scale=1"; distance:0; content:"viewport-fit=cover|22 3e|"; reference:url,app.any.run/tasks/b1fe8d30-2f22-4f84-bcc8-2643562a8765/; classtype:social-engineering; sid:2033062; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_06_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"owa_action="; nocase; fast_pattern; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011882; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analitycs .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analitycs.site"; bsize:21; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033067; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"owa_do="; nocase; fast_pattern; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011883; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_10_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .online in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analytics.online"; bsize:23; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033068; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"site=static"; nocase; fast_pattern; content:"staticID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/15152/; classtype:web-application-attack; sid:2011886; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_31, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googie-analytics .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"googie-analytics.website"; bsize:24; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033069; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery cat_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery_category.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008830; classtype:web-application-attack; sid:2008830; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (googletagsmanager .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"googletagsmanager.website"; bsize:25; fast_pattern; reference:url,twitter.com/AffableKraut/status/1399786791931101192; classtype:trojan-activity; sid:2033070; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, signature_severity Major, updated_at 2021_06_02;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution RCE (CVE-2018-1000207)"; flow:established,to_server; http.uri; content:".php"; http.request_body; content:"useRawIMoutput"; content:"IMresizedData"; content:"config_prefer_imagemagick"; fast_pattern; reference:cve,2018-1000207; reference:url,www.exploit-db.com/exploits/45055; classtype:attempted-admin; sid:2025930; rev:3; metadata:attack_target Web_Server, created_at 2018_08_01, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Secure Email Portal Lure Landing Page"; flow:established,to_client; file.data; content:"|3c|tr|3e 3c|td|3e 3c|IMG|20|SRC|3d 22|"; content:"name|3d 22|submitButton|22 20|value|3d 22 20 20 20 20|Click|20|to|20|read|20|message|20 20 20 20 22 3e|"; fast_pattern; content:"|3b 20|text|2d|align|3a 20|center|3b 22 3e 20 20 3c|A|20|HREF|3d 22 22|"; content:!"|2f|formpostdir|2f|safeformpost|2e|aspx|22 3e|"; classtype:credential-theft; sid:2033064; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2021_06_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/dm-albums/template/album.php?"; nocase; content:"SECURITY_FILE="; nocase; reference:url,secunia.com/advisories/35622/; reference:bugtraq,35521; reference:url,milw0rm.com/exploits/9044; reference:url,doc.emergingthreats.net/2010025; classtype:web-application-attack; sid:2010025; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evilnum Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/actions/authenticate.php"; bsize:25; fast_pattern; http.cookie; content:"_gid="; startswith; reference:url,twitter.com/ShadowChasing1/status/1399697694491254798; reference:md5,3f230856172f211d5c9ed44ea783f850; classtype:trojan-activity; sid:2033071; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, malware_family EvilNum, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ECShop user.php order_sn Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/user.php?"; nocase; content:"act=order_query"; nocase; content:"order_sn="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34733; reference:url,milw0rm.com/exploits/8548; reference:url,doc.emergingthreats.net/2009716; classtype:web-application-attack; sid:2009716; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[a-zA-z]{5,10}_[A-F0-9]{12}$/R"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:trojan-activity; sid:2033072; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005647; classtype:web-application-attack; sid:2005647; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed JSSLoader Variant Domain (legislationient .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"legislationient.com"; bsize:19; fast_pattern; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,58e9f9575c6d908fb32b528064e14004; classtype:domain-c2; sid:2033073; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UNION SELECT"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004481; classtype:web-application-attack; sid:2004481; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[a-zA-z]{5,10}_[A-F0-9]{12}$/R"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,twitter.com/z0ul_/status/1399764964521488384; reference:md5,6a20636bed7deafe7317400bd18c7b9e; classtype:trojan-activity; sid:2033074; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family jssLoader, performance_impact Low, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_digistore (pid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_digistore"; nocase; content:"pid="; nocase; pcre:"/(?:\?|&)pid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0903-exploits/joomladigistore-sql.txt; reference:url,doc.emergingthreats.net/2010539; classtype:web-application-attack; sid:2010539; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Vidar Stealer - FaceIt Checkin Response"; flow:established,to_client; file.data; content:"|7b 22|result|22 3a 22|ok|22 2c 22|payload|22 3a 7b 22|country|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|about|22 3a 22|"; pcre:"/^[^\"]+\x7c\x22\x2c\x22/R"; reference:url,medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed; classtype:command-and-control; sid:2033066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_02, deployment Perimeter, former_category MALWARE, malware_family Arkei, signature_severity Major, updated_at 2021_06_02;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jbook (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_jbook"; nocase; content:"Itemid="; nocase; pcre:"/(?:\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/filedesc/joomlajbook-sql.txt.html; reference:url,doc.emergingthreats.net/2010540; classtype:web-application-attack; sid:2010540; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh)"; flow:from_server,established; tls.cert_subject; content:"CN=transfer.sh"; fast_pattern; classtype:policy-violation; sid:2033076; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_03, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS nicLOR CMS-School showarticle.php aID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showarticle.php?"; nocase; content:"aID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32112; reference:url,milw0rm.com/exploits/6982; reference:url,xforce.iss.net/xforce/xfdb/46330; reference:url,doc.emergingthreats.net/2009335; classtype:web-application-attack; sid:2009335; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT34 Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; content:"&formid="; distance:0; http.header_names; content:!"Referer"; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,twitter.com/360CoreSec/status/1408348476660797440; classtype:trojan-activity; sid:2033083; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005675; classtype:web-application-attack; sid:2005675; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CNRarypt Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HOW_TO_BACK_YOUR_FILES.txt"; endswith; fast_pattern; http.user_agent; content:"CertUtil URL Agent"; bsize:18; http.header_names; content:!"Referer"; reference:md5,62292df897bf304872aad2dc92c96d70; classtype:trojan-activity; sid:2033075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UNION SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005676; classtype:web-application-attack; sid:2005676; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT34 Related DNS Tunneling Activity"; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".dnsstatus.org"; endswith; threshold: type both, track by_src, count 3, seconds 5; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,twitter.com/360CoreSec/status/1408348476660797440; classtype:trojan-activity; sid:2033084; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category INSERT"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005677; classtype:web-application-attack; sid:2005677; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lyceum Group Activity (DNS)"; threshold: type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderlive.com"; endswith; reference:md5,e2919dea773eb0796e46e126dbce17b1; reference:url,securelist.com/lyceum-group-reborn/104586/; classtype:trojan-activity; sid:2033085; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category DELETE"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005678; classtype:web-application-attack; sid:2005678; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET :1024 (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard Low Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033077; rev:1; metadata:created_at 2021_06_03, former_category INFO, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ASCII"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005679; classtype:web-application-attack; sid:2005679; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET [!3478,1023:] (msg:"ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)"; content:"|00 01|"; depth:2; content:"|21 12 a4 42|"; distance:2; within:4; reference:url,tools.ietf.org/html/rfc5389; classtype:attempted-user; sid:2033078; rev:2; metadata:created_at 2021_06_03, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE"; flow:established,to_server; http.uri; content:"/shared/code/cp_functions_downloads.php?"; nocase; content:"download_category="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0223; reference:url,www.secunia.com/advisories/23726; reference:url,doc.emergingthreats.net/2005680; classtype:web-application-attack; sid:2005680; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033079; rev:1; metadata:attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nitrotech members.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/members.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32458; reference:url,doc.emergingthreats.net/2008921; classtype:web-application-attack; sid:2008921; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033080; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005015; classtype:web-application-attack; sid:2005015; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005016; classtype:web-application-attack; sid:2005016; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id INSERT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005017; classtype:web-application-attack; sid:2005017; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SharpPanda APT Maldoc Activity"; flow:established,to_server; http.uri; content:"/Apricot"; startswith; http.user_agent; content:"Office"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/; reference:md5,1e9f1746c2dbea0df5017afdf8b94189; classtype:trojan-activity; sid:2033086; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id DELETE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005018; classtype:web-application-attack; sid:2005018; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (analiticsweb .site in TLS SNI)"; flow:established,to_server; tls.sni; content:"analiticsweb.site"; bsize:17; fast_pattern; reference:url,twitter.com/rootprivilege/status/1400850998063632389; reference:url,lukeleal.com/research/posts/analiticsweb-skimmer/; classtype:trojan-activity; sid:2033098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ASCII"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005019; classtype:web-application-attack; sid:2005019; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Command Injection Attempt Inbound (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"certificate_handle2.htm?type=4"; fast_pattern; http.request_body; content:"|22|common_name|22 3a|"; nocase; content:"|27 24 28|"; distance:0; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1652; classtype:attempted-admin; sid:2033088; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1652, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0786; reference:url,www.milw0rm.com/exploits/3261; reference:url,doc.emergingthreats.net/2005020; classtype:web-application-attack; sid:2005020; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Config Disclosure Attempt Inbound (CVE-2019-1653)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/config.exp"; endswith; fast_pattern; flowbits:set,ET.cve20191653.1; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033089; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.php?"; nocase; content:"newlang=kacper"; nocase; content:"languages[kacper][file]="; nocase; reference:url,milw0rm.com/exploits/8504; reference:bugtraq,34636; reference:url,doc.emergingthreats.net/2009728; classtype:web-application-attack; sid:2009728; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful Cisco RV320/RV325 Config Disclosure (CVE-2019-1653)"; flow:established,from_server; file.data; content:"sysconfig"; flowbits:isset,ET.cve20191653.1; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033090; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/dhost/modules"; nocase; content:"dconserv.dlm="; nocase; pcre:"/(?:script|img|src|onmouse|onkey|onload)/i"; reference:url,www.securityfocus.com/bid/36567/info; reference:url,doc.emergingthreats.net/2010031; classtype:web-application-attack; sid:2010031; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Cisco RV320/RV325 Debug Dump Disclosure Attempt Inbound (CVE-2019-1653)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/export_debug_msg.exp"; endswith; fast_pattern; http.request_body; content:"submitdebugmsg|22 3a 20 22|1|22|"; flowbits:set,ET.cve20191653.2; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033091; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006591; classtype:web-application-attack; sid:2006591; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful Cisco RV320/RV325 Debug Dump Disclosure (CVE-2019-1653)"; flow:established,from_server; file.data; content:"Salted__"; flowbits:isset,ET.cve20191653.2; reference:url,github.com/0x27/CiscoRV320Dump; reference:cve,2019-1653; classtype:attempted-admin; sid:2033092; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_06_04, cve CVE_2019_1653, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UNION SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006592; classtype:web-application-attack; sid:2006592; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FatalRAT CnC Activity"; flow:established,to_server; stream_size:server,=,1; content:"|bf bc 95|"; depth:3; content:"|8e 8e|"; distance:2; within:2; content:"|8e 8e 2c 1b 80 8e e6 02|"; distance:2; within:8; fast_pattern; reference:md5,99fc53d3d4c2c31fd5b5f0f15dbdeab4; reference:url,twitter.com/c3rb3ru5d3d53c/status/1400075253695537155; classtype:command-and-control; sid:2033093; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family FatalRAT, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid INSERT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006593; classtype:web-application-attack; sid:2006593; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE sysrv.ELF Exploit Success Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ldr.sh"; endswith; fast_pattern; http.user_agent; pcre:"/^(?:curl|wget)_?(?:c(?:ve_20(?:1(?:(?:7_1161|8_760)0|9_10758)|20_16846)|url_xxljobUnauth)|tp5)$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,mblogs.akamai.com/sitr/2021/03/another-golang-crypto-miner-on-the-loose.html; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:trojan-activity; sid:2033094; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid DELETE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006594; classtype:web-application-attack; sid:2006594; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ALFA Shell APT33 DNS Lookup (solevisible .com)"; dns.query; content:"solevisible.com"; nocase; endswith; threshold:type limit,count 1,track by_src,seconds 120; reference:url,fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html; classtype:domain-c2; sid:2033095; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ASCII"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006595; classtype:web-application-attack; sid:2006595; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/SkinnyBoy Payload Request"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Opera"; bsize:5; http.request_body; content:"id="; startswith; content:"#"; distance:0; content:"#"; distance:0; content:"&cmd=y"; endswith; fast_pattern; reference:url,cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf; classtype:command-and-control; sid:2033097; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family SkinnyBoy, performance_impact Low, signature_severity Major, updated_at 2021_06_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"agentid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006596; classtype:web-application-attack; sid:2006596; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.7.0_"; content:!"301"; within:3; reference:url,www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html; classtype:bad-unknown; sid:2014297; rev:61; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2012_03_01, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006597; classtype:web-application-attack; sid:2006597; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/NoCry Ransomware Checkin Via Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/"; http.request_body; content:"|0d 0a|Content-Disposition|3a 20|form-data|3b 20|name=username|0d 0a|"; content:"Content-Disposition: form-data|3b 20|name=content|0d 0a 0d 0a|**New Victim**|0d 0a|"; fast_pattern; distance:0; content:"ID|20 3a 20|"; distance:0; content:"Key|20 3a 20|"; content:"Date&Time|20 3a 20|"; http.header_names; content:!"Referer"; reference:md5,682b432662affb2812ece6b940f5be51; classtype:trojan-activity; sid:2033099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006598; classtype:web-application-attack; sid:2006598; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlagueBot User-Agent"; flow:established,to_server; http.header; content:"User-Agent|3a 20|PlagueBot|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2142ed343d1020dca9dec439933c1877; classtype:trojan-activity; sid:2033100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass INSERT"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006599; classtype:web-application-attack; sid:2006599; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ETag HTTP Header Observed at JPCERT Sinkhole"; flow:established,to_client; http.header; content:"ETag|3a 20 22|9-525c24c725e00|22|"; classtype:bad-unknown; sid:2033103; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass DELETE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006600; classtype:web-application-attack; sid:2006600; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ETag HTTP Header Observed at CNCERT Sinkhole"; flow:established,to_client; http.header; content:"ETag|3a 20 22|2b1-55fb5d562c37c|22|"; classtype:bad-unknown; sid:2033104; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ASCII"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006601; classtype:web-application-attack; sid:2006601; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"Server|3a 20|malware-sinkhole"; nocase; classtype:trojan-activity; sid:2033105; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Minor, updated_at 2021_06_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/dagent/downloadreport.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6450; reference:url,www.securityfocus.com/bid/21473; reference:url,doc.emergingthreats.net/2006602; classtype:web-application-attack; sid:2006602; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response Header"; flow:established,to_client; http.header; content:"Server|3a 20|360Netlab-sinkhole"; nocase; classtype:trojan-activity; sid:2033106; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004307; classtype:web-application-attack; sid:2004307; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkValid"; http.request_body; content:"document=this.constructor"; content:"execSync"; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004308; classtype:web-application-attack; sid:2004308; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT XXL-Job RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/run"; http.request_body; content:"GLUE_SHELL"; nocase; fast_pattern; content:"glueSource"; nocase; content:"glueUpdatetime"; nocase; reference:url,github.com/jas502n/xxl-job; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004309; classtype:web-application-attack; sid:2004309; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uy.txt"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1402239834819743746; reference:md5,dfbe17d9dfa3f3bb715e1d8348bd1f50; classtype:trojan-activity; sid:2033116; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004310; classtype:web-application-attack; sid:2004310; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Unix/Linux Processhider Source Being Downloaded"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/d/processhider.c"; bsize:17; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; content:"m.windowsupdatesupport.org"; bsize:26; reference:md5,4ff3828a2ecc6314bfc7dc22ca194480; reference:url,twitter.com/JAMESWT_MHT/status/1402239031602302983; classtype:bad-unknown; sid:2033117; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_06_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004311; classtype:web-application-attack; sid:2004311; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Puzzlemaker Remote Shell Domain (media-seoengine .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"media-seoengine.com"; bsize:19; fast_pattern; reference:url,securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; reference:md5,d6b850c950379d5ee0f254f7164833e8; classtype:domain-c2; sid:2033127; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; http.uri; content:"/nukesentinel.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1493; reference:url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded; reference:url,doc.emergingthreats.net/2004312; classtype:web-application-attack; sid:2004312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Puzzlemaker Remote Shell Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/analytics"; bsize:10; http.header_names; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:34; fast_pattern; http.user_agent; content:"Win64|3b|"; content:"Chrome/"; reference:md5,d6b850c950379d5ee0f254f7164833e8; reference:url,securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/; classtype:trojan-activity; sid:2033128; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php SELECT"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004736; classtype:web-application-attack; sid:2004736; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rose/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,3c71395a0863fcc262e9e819ba4907b1; reference:url,twitter.com/ShadowChasing1/status/1402417050174164993; classtype:trojan-activity; sid:2033129; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004737; classtype:web-application-attack; sid:2004737; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .dns1 .us"; dns.query; content:".dns1.us"; endswith; fast_pattern; classtype:bad-unknown; sid:2033119; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php INSERT"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004738; classtype:web-application-attack; sid:2004738; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .otzo .com"; dns.query; content:".otzo.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033120; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php DELETE"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004739; classtype:web-application-attack; sid:2004739; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .zyns .com"; dns.query; content:".zyns.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033121; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php ASCII"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004740; classtype:web-application-attack; sid:2004740; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to DDNS Domain .zzux .com"; dns.query; content:".zzux.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033122; rev:1; metadata:created_at 2021_06_09, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE"; flow:established,to_server; http.uri; content:"/includes/nsbypass.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1171; reference:url,www.milw0rm.com/exploits/3337; reference:url,doc.emergingthreats.net/2004741; classtype:web-application-attack; sid:2004741; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".hkbusupport.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033123; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid SELECT"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006807; classtype:web-application-attack; sid:2006807; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".4vw37z.cn"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033124; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UNION SELECT"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006808; classtype:web-application-attack; sid:2006808; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".boshiamys.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033125; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid INSERT"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006809; classtype:web-application-attack; sid:2006809; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Gelsemium CnC"; dns.query; content:".96html.com"; endswith; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033126; rev:1; metadata:created_at 2021_06_09, former_category MALWARE, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid DELETE"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006810; classtype:web-application-attack; sid:2006810; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Spy.Agent.QCL Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/vocha/ogo"; bsize:10; fast_pattern; http.request_body; content:"data="; startswith; http.header_names; content:!"Referer"; reference:md5,8fe3b7be548ab6bba549ddbfdabc90ed; classtype:pup-activity; sid:2033130; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Major, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ASCII"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006811; classtype:web-application-attack; sid:2006811; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Spy.Agent.QCL Variant Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wiki/Hello_orld_(film)"; bsize:23; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; reference:md5,8fe3b7be548ab6bba549ddbfdabc90ed; classtype:pup-activity; sid:2033131; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, deployment Perimeter, deployment SSLDecrypt, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE"; flow:established,to_server; http.uri; content:"/viewthread.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6280; reference:url,www.securityfocus.com/bid/21172; reference:url,doc.emergingthreats.net/2006812; classtype:web-application-attack; sid:2006812; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jboss RCE (CVE-2017-12149)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/readonly"; fast_pattern; http.request_body; content:"java.util.HashSet"; reference:cve,2017-12149; reference:url,github.com/gottburgm/Exploits/blob/master/CVE-2017-12149/CVE_2017_12149.pl#L180; classtype:attempted-admin; sid:2033118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_09, cve CVE_2017_12149, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/fonctions_racine.php?"; nocase; content:"chemin_lib="; nocase; pcre:"/chemin_lib\s*=\s*(?:https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57869; reference:url,secunia.com/advisories/36658/; reference:url,doc.emergingthreats.net/2010355; classtype:web-application-attack; sid:2010355; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Office Doc Retrieving Shortened URL (bit .do)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:"bit.do"; bsize:6; fast_pattern; reference:md5,04a303e67b4a2f9f7bb532779aef2c72; classtype:bad-unknown; sid:2033133; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_06_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/resource_categories_view.php?"; nocase; content:"CLASSES_ROOT="; nocase; reference:url,secunia.com/advisories/30784/; reference:url,milw0rm.com/exploits/5906; reference:url,doc.emergingthreats.net/2009332; classtype:web-application-attack; sid:2009332; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING URL Shortening Service Used by Curl (ic9 .in)"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; http.host; content:"ic9.in"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2033134; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_06_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010652; classtype:web-application-attack; sid:2010652; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!6180,!80,!443,!8080,!8443,!25,!587,!2525] (msg:"ET MALWARE QuasarRAT/zgRAT C2 Activity (set)"; flow:established,to_server; flowbits:set,ET.zgRAT; flowbits:noalert; content:"|19 00 00 00|"; dsize:4; reference:md5,4e893ea0874f70f4972fa93fed96e77c; classtype:command-and-control; sid:2033107; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_10, deployment Perimeter, former_category MALWARE, malware_family Quasar, malware_family VoidRat, malware_family zgRAT, signature_severity Major, updated_at 2021_06_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010653; classtype:web-application-attack; sid:2010653; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Filesharing Domain (privatlab .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.com"; bsize:13; fast_pattern; classtype:policy-violation; sid:2033137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_06_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010654; classtype:web-application-attack; sid:2010654; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY User-Agent (Launcher)"; flow: to_server,established; http.user_agent; content:"Launcher"; nocase; content:!"EpicGamesLauncher"; depth:17; content:!"7Launcher";  reference:url,doc.emergingthreats.net/2010645; classtype:policy-violation; sid:2010645; rev:11; metadata:created_at 2010_07_30, former_category POLICY, updated_at 2021_06_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010655; classtype:web-application-attack; sid:2010655; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Maldoc CnC Domain (shopweblive .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopweblive.com"; bsize:15; fast_pattern; reference:url,twitter.com/360CoreSec/status/1402920149754155010; reference:md5,4fb3bd661331b10fbd01e5f3e72f476c; reference:md5,b7dbb3bef80d04e4b8981ab4011f4bfe; classtype:domain-c2; sid:2033135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_10, deployment Perimeter, malware_family Maldoc, performance_impact Low, signature_severity Major, updated_at 2021_06_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ossim/repository/repository_attachment.php?"; nocase; content:"id_document="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,www.exploit-db.com/exploits/10479; reference:url,doc.emergingthreats.net/2010656; classtype:web-application-attack; sid:2010656; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Atlassian Jira Unauth User Enumeration Attempt (CVE-2020-36289)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/QueryComponentRendererValue!Default.jspa?assignee=user|3a|admin"; fast_pattern; endswith; reference:url,jira.atlassian.com/browse/JRASERVER-71559; reference:cve,2020-36289; reference:url,twitter.com/ptswarm/status/1402644004781633540/photo/1; classtype:attempted-admin; sid:2033136; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_11, cve CVE_2020_36289, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ADM_Pagina.php?"; nocase; content:"Tipo="; nocase; pcre:"/Tipo=\s*(?:https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-5063; reference:url,vupen.com/english/advisories/2008/3093; reference:url,secunia.com/advisories/32645; reference:url,doc.emergingthreats.net/2009395; classtype:web-application-attack; sid:2009395; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT28/SkinnyBoy Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Opera"; bsize:5; http.request_body; content:"id="; startswith; content:"#"; distance:0; content:"#"; distance:0; content:"&current="; distance:0; fast_pattern; content:"&total="; distance:0; content:"&data="; distance:0; reference:url,cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf; classtype:command-and-control; sid:2033096; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family SkinnyBoy, performance_impact Low, signature_severity Major, updated_at 2021_06_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ADM_Pagina.php?"; nocase; content:"Tipo="; reference:cve,CVE-2008-5063; reference:url,vupen.com/english/advisories/2008/3093; reference:url,secunia.com/advisories/32645; reference:url,doc.emergingthreats.net/2009396; classtype:web-application-attack; sid:2009396; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN7 CnC Domain (injuryless .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"injuryless.com"; bsize:14; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1403150596849295362; reference:md5,1ac719c744d22f42e4978e7b55828435; reference:md5,526d56017ef5105277fe0d366c95c39d; classtype:domain-c2; sid:2033138; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_06_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id SELECT"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005597; classtype:web-application-attack; sid:2005597; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed APT41 Malicious SSL Cert (ColunmTK Campaign)"; flow:established,to_client; tls.cert_fingerprint; content:"b3:03:81:01:fd:0e:8b:11:c5:19:f7:39:f1:2c:7e:9b:60:23:4d:3b"; classtype:domain-c2; sid:2033140; rev:2; metadata:attack_target Client_and_Server, created_at 2021_06_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_11, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005598; classtype:web-application-attack; sid:2005598; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (WooCommerce Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ba.html"; bsize:8; fast_pattern; http.cookie; content:"woocommerce_items_in_cart="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:md5,68abb4a9c6203acca940a49157264497; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033141; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id INSERT"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005599; classtype:web-application-attack; sid:2005599; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (MyAgent)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.header; content:!"www.google-analytics.com"; http.user_agent; content:"MyAgent"; depth:7; fast_pattern; http.host; content:!"driverdl.lenovo.com.cn"; reference:url,doc.emergingthreats.net/bin/view/Main/2005320; classtype:trojan-activity; sid:2005320; rev:16; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Major, tag User_Agent, updated_at 2021_06_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id DELETE"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005600; classtype:web-application-attack; sid:2005600; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?inc="; fast_pattern; http.cookie; content:"affiliate_id="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b3d1ca6f439f2b2014643cc8fad9a55; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033142; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ASCII"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005601; classtype:web-application-attack; sid:2005601; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (Wordpress Profile)"; flow:established,to_server; http.uri; content:"/ny.js"; bsize:6; fast_pattern; http.cookie; content:"wordpress_logged_in="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,93b24d6de3e38fe3112554355a1ba98f; reference:url,twitter.com/_brettfitz/status/1404095220506103812; classtype:command-and-control; sid:2033143; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE"; flow:established,to_server; http.uri; content:"/etkinlikbak.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0305; reference:url,www.milw0rm.com/exploits/3135; reference:url,doc.emergingthreats.net/2005602; classtype:web-application-attack; sid:2005602; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart Skimmer Websocket Domain in DNS Lookup"; dns.query; content:"hotjar.info"; nocase; bsize:11; reference:url,lukeleal.com/research/posts/hotjar-dot-info-skimmer/; reference:url,twitter.com/rootprivilege/status/1404595455065870336; classtype:trojan-activity; sid:2033144; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp SELECT"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004450; classtype:web-application-attack; sid:2004450; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalDoc Retrieving Payload 2021-06-15"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\.[0-9]{6,18}\.dat$/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034460; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004451; classtype:web-application-attack; sid:2004451; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".css?open="; fast_pattern; http.cookie; content:"lu="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,c49f5361c91208f95a3f4d8a9cccf5cc; reference:url,twitter.com/_brettfitz/status/1404438059962208256; classtype:trojan-activity; sid:2033145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp INSERT"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004452; classtype:web-application-attack; sid:2004452; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php|20|SSL3.4"; fast_pattern; startswith; reference:url,securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/; reference:md5,569246a3325effa11cb8ff362428ab2c; classtype:command-and-control; sid:2033146; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_16, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, signature_severity Major, tag Backdoor, updated_at 2021_06_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp DELETE"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004453; classtype:web-application-attack; sid:2004453; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andariel Backdoor Actvity (Response)"; flow:established,to_client; content:"HTTP|20|1.1|20|200|20|OK|20|SSL2.1"; fast_pattern; startswith; reference:url,securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/; reference:md5,569246a3325effa11cb8ff362428ab2c; classtype:command-and-control; sid:2033147; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_16, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, performance_impact Low, signature_severity Major, tag Backdoor, updated_at 2021_06_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp ASCII"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004454; classtype:web-application-attack; sid:2004454; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile (extension.css)"; flow:established,to_server; http.uri; content:"/extension.css?goto="; startswith; http.cookie; content:"lu="; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1387149833274810368; reference:url,github.com/pan-unit42/tweets/blob/master/2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt; classtype:trojan-activity; sid:2033148; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE"; flow:established,to_server; http.uri; content:"/OmegaMw7.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-2992; reference:url,www.securityfocus.com/bid/24275; reference:url,doc.emergingthreats.net/2004455; classtype:web-application-attack; sid:2004455; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 BEACON Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html|20|/"; content:".html?auth=uid"; distance:0; fast_pattern; http.user_agent; content:"ms-office|3b 20|"; http.header_names; content:!"Referer"; content:!"Accept"; reference:url,www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html; reference:md5,5f1e9ae81c6a3797bf16b9ee469dc66a; classtype:command-and-control; sid:2033149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_06_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Grades parents.php ADD Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/parents/parents.php?"; nocase; content:"func=mailto"; nocase; content:"ADD="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35304/; reference:url,milw0rm.com/exploits/8844; reference:url,doc.emergingthreats.net/2009906; classtype:web-application-attack; sid:2009906; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET JA3 HASH - Possible Nessus Client"; ja3.hash; content:"9598288c48f0a784d8e153b0df2b3bd1"; classtype:bad-unknown; sid:2033150; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category JA3, performance_impact Low, signature_severity Informational, updated_at 2021_06_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2005186; classtype:web-application-attack; sid:2005186; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UNC2628 Malicious MSHTA Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ID-508260156241"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html; classtype:trojan-activity; sid:2033151; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004846; classtype:web-application-attack; sid:2004846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT Operation Sidecopy lnk Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/font/js/images/"; startswith; fast_pattern; content:"/css"; endswith; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; http.host; content:".in"; endswith; reference:url,twitter.com/ShadowChasing1/status/1406959698142666756; reference:md5,e05468aaa0c436e953116989ccf9703b; classtype:trojan-activity; sid:2033153; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004847; classtype:web-application-attack; sid:2004847; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Matanbuchus CnC Domain in DNS Lookup (eonsabode .at)"; dns.query; content:"eonsabode.at"; nocase; bsize:12; reference:url,unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/; classtype:domain-c2; sid:2033154; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004848; classtype:web-application-attack; sid:2004848; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Gelsemium CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=IH, L=IH, O=IH, OU=IH, CN=IH"; bsize:37; fast_pattern; tls.cert_issuer; content:"C=US, ST=CA, L=CA, O=CA, OU=CA, CN=CA"; bsize:37; reference:md5,87eb0975758ecef44e8368914cffe151; reference:url,www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf; classtype:domain-c2; sid:2033152; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id ASCII"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004849; classtype:web-application-attack; sid:2004849; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Klingon RAT)"; flow:established,to_client; tls.cert_subject; content:"emailAddress=trump@whitehouse.xyz"; tls.cert_issuer; content:"C=US, ST=Washington, L=Washington, O=White House, OU=Mr President, CN=whitehouse.xyz/emailAddress=trump@whitehouse.xyz"; bsize:118; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/; classtype:command-and-control; sid:2033156; rev:1; metadata:attack_target Client_and_Server, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; http.uri; content:"/user_pages/page.asp?"; nocase; content:"art_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1058; reference:url,www.milw0rm.com/exploits/3339; reference:url,doc.emergingthreats.net/2004850; classtype:web-application-attack; sid:2004850; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"eb1d94daa7e0344597e756a1fb6e7054"; reference:url,thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/; classtype:bad-unknown; sid:2033157; rev:1; metadata:created_at 2021_06_22, former_category JA3, updated_at 2021_06_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/lib-remotehost.inc.php?"; nocase; content:"phpAds_geoPlugin="; nocase; pcre:"/phpAds_geoPlugin=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14432/; reference:url,inj3ct0r.com/exploits/13426; reference:url,doc.emergingthreats.net/2011274; classtype:web-application-attack; sid:2011274; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Profile wordpress_ Cookie Test"; flow:established,to_server; http.cookie; content:"wordpress"; fast_pattern; pcre:"/^_?=?(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer"; reference:url,thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/; classtype:trojan-activity; sid:2033158; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_06_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011057; classtype:web-application-attack; sid:2011057; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET [!443] -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Random Base CharCode JS Encoded String"; flow:from_server,established; file_data; content:"String.fromCharCode("; pcre:"/^(?=(?:(:?0x[a-f0-9]{2}|0+?\d{1,3})\s*?,\s*?)*?\d{1,3})(?=(?:(:?0x[a-f0-9]{2}|\d{1,3})\s*?,\s*?)*?0+?\d{1,3})(?=(?:(:?0+?\d{1,3}|\d{1,3})\s*?,\s*?)*?0x[a-f0-9]{2})(?:(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?,\s*?)+(:?0x[a-f0-9]{2}|0+?\d{1,3}|\d{1,3})\s*?\)/Rsi"; classtype:trojan-activity; sid:2019091; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2021_06_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011058; classtype:web-application-attack; sid:2011058; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity (wget)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/supermicro_cr.gz"; bsize:21; fast_pattern; http.user_agent; content:"Wget/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033159; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011059; classtype:web-application-attack; sid:2011059; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity (curl)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.php?apirequests="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033160; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011060; classtype:web-application-attack; sid:2011060; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Telegram Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1322235264:AAE7QI-f1GtAF_huVz8E5IBdb5JbWIIiGKI/sendMessage?chat_id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; content:"api.telegram.org"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033161; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jtfwcpnt.jsp?"; nocase; content:"query="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,39510; reference:url,doc.emergingthreats.net/2011061; classtype:web-application-attack; sid:2011061; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux DarkRadiation Ransomware Activity Attack Check"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_attack/0.txt"; bsize:19; fast_pattern; http.user_agent; content:"Wget/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html; classtype:trojan-activity; sid:2033162; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_06_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/faces/jsf/tips.jsp?"; nocase; content:"context="; nocase; pcre:"/context\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/14369/; reference:url,secunia.com/advisories/40605; reference:url,doc.emergingthreats.net/2011268; classtype:web-application-attack; sid:2011268; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-22"; flow:established,to_client; file.data; content:"<title>L|26 23|79|3b|G|20 26 23|73|3b 26 23|78|3b 20|</title>"; fast_pattern; content:"action=need1.php"; distance:0; content:"name=pfw"; distance:0; content:"method|3d|post|3e|"; distance:0 ; reference:url,app.any.run/tasks/fe8b5eb1-7aab-435f-9795-456983adc07e/; classtype:social-engineering; sid:2033155; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_06_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/modules/core/security/init.php?"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009461; classtype:web-application-attack; sid:2009461; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanClicker Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/test/err.asp?alerr="; startswith; fast_pattern; content:"&time="; distance:0; http.host; content:".cn"; endswith; reference:md5,f990d21e020f4130e58d49cc368921b1; classtype:pup-activity; sid:2033168; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/stage1.php"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009462; classtype:web-application-attack; sid:2009462; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/arm/template.php"; bsize:17; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:"winxpo.live"; bsize:11; reference:url,twitter.com/ShadowChasing1/status/1407636259367899138; reference:md5,e8e866e522b66c16d2ed8e345e48f524; classtype:trojan-activity; sid:2033169; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/stage4.php?"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009463; classtype:web-application-attack; sid:2009463; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 0d 0a 0d 0a|"; content:".zip|0d 0a|"; distance:0; within:50; content:"|0d 0a|PK"; distance:0; content:"system.txt"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8124a572f854007e63cc7337547a37af; reference:md5,673410a381f324b0209abf1175415206; reference:url,3xp0rt.com/posts/mars-stealer; classtype:trojan-activity; sid:2033163; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/stage6.php?"; nocase; content:"GLOBALS[preloc]="; nocase; reference:bugtraq,29820; reference:url,milw0rm.com/exploits/5864; reference:url,doc.emergingthreats.net/2009464; classtype:web-application-attack; sid:2009464; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Downloading from Dropbox via API"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/2/files/download"; http.header; content:"Authorization|3a 20|Bearer|20|FLtUsbS3oqcAAAAAAAAAAZ_86BAKGkKPNHeBSV8ETDcqFjlDgagrviCEw0VV6Ecn|0d 0a|"; content:"/Energy/staging/debugps"; fast_pattern; http.host; content:"content.dropboxapi.com"; bsize:22; reference:url,twitter.com/ShadowChasing1/status/1407540607954743297; reference:md5,f123a68eea92b34d76f0ca0b677419bd; classtype:trojan-activity; sid:2033170; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate SELECT"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005937; classtype:web-application-attack; sid:2005937; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Ask Webcrawler User-Agent"; flow:established,to_server; http.user_agent; content:"Ask Jeeves"; nocase;  classtype:not-suspicious; sid:2033164; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UNION SELECT"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005938; classtype:web-application-attack; sid:2005938; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Exabot Webcrawler User Agent"; flow:established,to_server; content:"Exabot"; nocase; http_user_agent; classtype:not-suspicious; sid:2033165; rev:2; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate INSERT"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005939; classtype:web-application-attack; sid:2005939; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN AOL Webcrawler User-Agent"; flow:established,to_server; content:"AOLBuild "; nocase; http_user_agent; classtype:not-suspicious; sid:2033166; rev:1; metadata:attack_target Web_Server, created_at 2021_06_23, deployment Perimeter, former_category SCAN, signature_severity Informational, tag WebCrawler, updated_at 2021_06_23, mitre_tactic_id TA0043, mitre_tactic_name Reconnaissance, mitre_technique_id T1593, mitre_technique_name Search_Open_Websites;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate DELETE"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005940; classtype:web-application-attack; sid:2005940; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NewGames.jar Download Suspicious Possible Exploit Attempt"; flow:established,to_server; content:"/NewGames.jar"; http_uri;  classtype:policy-violation; sid:2011326; rev:5; metadata:created_at 2010_09_28, former_category HUNTING, updated_at 2021_06_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ASCII"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005941; classtype:web-application-attack; sid:2005941; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_ttp"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,532acbadb8151944650aaecc0a397965; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033171; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE"; flow:established,to_server; http.uri; content:"/login/register.asp?"; nocase; content:"UserUpdate="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005942; classtype:web-application-attack; sid:2005942; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore CnC Activity"; flow:established,to_server; content:"|3c 7c|"; startswith; content:"SOCKET|7c 3e|"; distance:0; fast_pattern; content:"|3c 7c|END|7c 3e|"; endswith; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; reference:md5,8f8bad9fb9a1f333bd3380e2698b4236; classtype:command-and-control; sid:2033173; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family AllaKore, signature_severity Major, tag RAT, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp SELECT"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005943; classtype:web-application-attack; sid:2005943; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaChi RAT Client CnC (POST)"; flow:established,to_server; flowbits:set,ET.chachirat; http.method; content:"POST"; http.uri; content:"/cert/trust"; bsize:11; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033182; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005944; classtype:web-application-attack; sid:2005944; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ChaChi RAT Server Response"; flow:established,to_client; flowbits:isset,ET.chachirat; http.stat_code; content:"200"; file.data; content:"-zig"; endswith; fast_pattern; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033183; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp INSERT"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005945; classtype:web-application-attack; sid:2005945; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ChaChi RAT Client CnC (POST)"; flow:established,to_server; flowbits:set,ET.chachirat; http.method; content:"POST"; http.uri; content:"/time/sync"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat; reference:md5,9976373177d217207a692a6d0867e9c4; classtype:trojan-activity; sid:2033184; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp DELETE"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005946; classtype:web-application-attack; sid:2005946; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|43 21 f0 39 ff 82 2c 1c 54 06|"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,63c6febaeff62391187077b5e2f781e7; reference:md5,33a68137c05b0e2c2ee2ca559e038358; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033174; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp ASCII"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005947; classtype:web-application-attack; sid:2005947; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_t_t_p"; fast_pattern; bsize:8; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,63c6febaeff62391187077b5e2f781e7; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033175; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE"; flow:established,to_server; http.uri; content:"/includes/a_register.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6861; reference:url,www.securityfocus.com/bid/21822; reference:url,doc.emergingthreats.net/2005948; classtype:web-application-attack; sid:2005948; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected DNS CnC via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 500, seconds 300; classtype:bad-unknown; sid:2033185; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, deployment Internal, former_category HUNTING, performance_impact Significant, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Daily add_postit.php id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add_postit.php?"; nocase; content:"mode=rep"; nocase; content:"id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32408; reference:url,milw0rm.com/exploits/6833; reference:url,doc.emergingthreats.net/2009065; classtype:web-application-attack; sid:2009065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9]{5,12}&a=/R"; content:"&a=Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033176; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Daily delete.php id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/delete.php?"; nocase; content:"mode=postit"; nocase; content:"id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32/32408; reference:url,milw0rm.com/exploits/6833; reference:url,doc.emergingthreats.net/2009066; classtype:web-application-attack; sid:2009066; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu00.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033177; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/members.php?"; nocase; content:"sortby="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,33156; reference:url,milw0rm.com/exploits/7697; reference:url,doc.emergingthreats.net/2009067; classtype:web-application-attack; sid:2009067; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu03.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip SELECT"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004241; classtype:web-application-attack; sid:2004241; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu01.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033179; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UNION SELECT"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004242; classtype:web-application-attack; sid:2004242; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE lu0bot CnC Domain in DNS Lookup"; dns.query; content:"lu02.xyz"; nocase; bsize:8; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:domain-c2; sid:2033180; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip INSERT"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004243; classtype:web-application-attack; sid:2004243; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response"; flow:established,to_client; file.data; content:"cmd"; nocase; startswith; content:"new%2520ActiveXObject%2528%2522WinHttp.WinHttpRequest.5.1"; distance:0; content:"GET%2522%252Cunescape"; distance:0; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; classtype:command-and-control; sid:2033181; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_06_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip DELETE"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004244; classtype:web-application-attack; sid:2004244; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?query=5"; bsize:9; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:84; reference:md5,b567f7aac1574b2ba3a769702d2f6a1e; reference:md5,815c690bfc097b82a8f1d171cd00e775; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033192; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ASCII"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004245; classtype:web-application-attack; sid:2004245; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (JS WebSkimmer Exfil Site)"; flow:established,to_client; tls.cert_subject; content:"hotjar.info"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hotjar\.info(?!\.)/"; reference:url,lukeleal.com/research/posts/hotjar-dot-info-skimmer/; classtype:domain-c2; sid:2033188; rev:1; metadata:affected_product Web_Browsers, attack_target Client_and_Server, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_06_25, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE"; flow:established,to_server; http.uri; content:"/php-stats.recphp.php?"; nocase; content:"ip="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7172; reference:url,www.milw0rm.com/exploits/3497; reference:url,doc.emergingthreats.net/2004246; classtype:web-application-attack; sid:2004246; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (init)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=init"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033193; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS previews.php browse parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/previews.php?"; nocase; content:"browse="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; reference:url,doc.emergingthreats.net/2009068; classtype:web-application-attack; sid:2009068; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (down)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=down"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033194; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGaming CMS reviews.php browse parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reviews.php?"; nocase; content:"browse="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,2008-5841; reference:bugtraq,31340; reference:url,milw0rm.com/exploits/6540; reference:url,doc.emergingthreats.net/2009069; classtype:web-application-attack; sid:2009069; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (ping)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; bsize:1; http.request_body; content:"i=ping"; startswith; fast_pattern; content:"&u="; distance:0; content:"&p="; distance:0; content:"&v="; distance:0; http.header_names; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033195; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006510; classtype:web-application-attack; sid:2006510; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/?d="; fast_pattern; http.uri; pcre:"/^\/\?d=[a-f0-9]{16}$/"; http.header_names; content:"|0d 0a|UA-CPU|0d 0a|Accept-Encoding|0d 0a|"; content:!"Referer"; reference:md5,447163d776b62bf0b1c652c996cc0586; reference:md5,7e041b101e1e574fb81f3f0cdf1c72b8; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006511; classtype:web-application-attack; sid:2006511; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Related Downloader User-Agent"; flow:established,to_server; http.method; content:"GET"; http.header; content:"User-Agent|3a 20|TAKEMIXTWO|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,23f169e4be475e3eec4dcb9d9a344649; classtype:trojan-activity; sid:2033186; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006512; classtype:web-application-attack; sid:2006512; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malware Delivery Landing Page via JS Redirect (2021-06-24)"; flow:established,to_client; file.data; content:"|3c|title|3e|File Download|3c 2f|title|3e|"; content:"|24 2e|getJSON|28 20 22|https|3a 2f 2f|"; distance:0; content:"|2f 22 2c 20|function|28|res|29 20 7b 0d 0a 0d 0a|"; within:300; content:"|7d 29 2e|done|28|function|28|res|29 20 7b 0d 0a|"; within:40; content:"params|2e|url|20 3d 20 22|https|3a 2f 2f|"; within:120; fast_pattern; content:"|22 20 2b 20|res|2e|data"; within:300; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:trojan-activity; sid:2033189; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006513; classtype:web-application-attack; sid:2006513; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malware Delivery Domain (analyticsnet .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"analyticsnet.top"; bsize:16; fast_pattern; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:domain-c2; sid:2033190; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006514; classtype:web-application-attack; sid:2006514; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malware Delivery Landing Page Domain (bigeront .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"bigeront.top"; bsize:12; fast_pattern; reference:url,app.any.run/tasks/bfa6644a-3d2c-41e0-9a6d-fe9306e8fc85/; classtype:domain-c2; sid:2033191; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_Type_ID="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006515; classtype:web-application-attack; sid:2006515; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-24"; flow:established,to_client; file.data; content:"<title>Red Link - BANCO DE LA NACION ARGENTINA</title>"; fast_pattern; content:"enctype|3d 22|multipart|2f|form|2d|data|22 20|"; distance:0; content:"id|3d 22|UserNameVerificationForm|22|"; distance:0; content:"name|3d 22|UserNameVerificationForm|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"action|3d 22|doLoginFirstStep.htm|22 3e|"; distance:0; reference:url,app.any.run/tasks/7ff1092c-4c9e-4915-933a-1f568b5ba83d; classtype:social-engineering; sid:2033187; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006516; classtype:web-application-attack; sid:2006516; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-23 Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.cookie; content:"btst="; startswith; fast_pattern; pcre:"/\|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\|/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cookie|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,f9854aa5bc138498a12af8a45f89dd84; classtype:trojan-activity; sid:2033198; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006517; classtype:web-application-attack; sid:2006517; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?m="; fast_pattern; offset:4; pcre:"/^[a-z]{1}/R"; content:"&p1="; distance:0; content:"&p2="; distance:0; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:53; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,739d14336826d078c40c9580e3396d15; reference:url,twitter.com/Timele9527/status/1407610627011403779; classtype:trojan-activity; sid:2033199; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006518; classtype:web-application-attack; sid:2006518; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-23 Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mehro"; endswith; fast_pattern; http.request_body; content:"celal="; startswith; content:"&type="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Connect"; reference:md5,738886d83e8dc379fc463e3869c74217; classtype:trojan-activity; sid:2033200; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006519; classtype:web-application-attack; sid:2006519; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Ransomware Decryptor Domain in DNS Query (decryptor .top)"; dns.query; content:"decryptor.top"; nocase; bsize:13; reference:url,tria.ge/191216-4rcmytrrka; classtype:domain-c2; sid:2033201; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_06_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006520; classtype:web-application-attack; sid:2006520; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Ransomware Decryptor Domain in  DNS Query (decoder .re)"; dns.query; content:"decoder.re"; nocase; bsize:10; classtype:domain-c2; sid:2033202; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_06_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Outgoing_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006521; classtype:web-application-attack; sid:2006521; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE REvil Exfil SFTP Certificate Inbound"; flow:to_client,established; content:"Kanzas City"; nocase; fast_pattern; content:"System IT Inc"; content:"|55 04 03|"; content:"|06|server"; distance:1; within:7; reference:url,thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/; classtype:targeted-activity; sid:2033205; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, malware_family Ransomware, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006522; classtype:web-application-attack; sid:2006522; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Valyria Downloader Activity"; flow:established,to_client; file.data; content:"|5c|Temp|5c|regles2.cmd|22|"; fast_pattern; content:"|5c|Temp|5c|CMSTPBypass.exe"; distance:0; content:"|5c|Temp|5c|regles.cmd"; distance:0; reference:url,twitter.com/James_inthe_box/status/1409980230379311105; reference:md5,4f8c9ac36ca0268eb7c9ccec4f9d76f5; classtype:trojan-activity; sid:2033206; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006523; classtype:web-application-attack; sid:2006523; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/index.php?member="; startswith; fast_pattern; content:"|20|SSL3.3"; distance:0; reference:url,twitter.com/360CoreSec/status/1405790277034418177; reference:md5,c827d95429b644e918d53b24719dbe6e; classtype:command-and-control; sid:2033207; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family Andariel, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006524; classtype:web-application-attack; sid:2006524; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NightfallGT Mercurial Grabber"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; http.request_body; content:"|2c 22|username|22 3a 20 22|Mercurial|20|Grabber|22 2c 20 22|"; fast_pattern; reference:md5,252689e3688229ce5e3e26a2ef0a5bf1; reference:url,github.com/NightfallGT/Mercurial-Grabber; classtype:command-and-control; sid:2033197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006525; classtype:web-application-attack; sid:2006525; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)"; flow:established,to_server; http.uri; content:"/openam/oauth2/"; content:"/ccversion/Version"; nocase; pkt_data; content:"jato.pageSession="; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; classtype:attempted-admin; sid:2033208; rev:1; metadata:created_at 2021_06_30, cve CVE_2021_35464, former_category EXPLOIT, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006526; classtype:web-application-attack; sid:2006526; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Reborn Stealer 2021 Exfil attempt via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sendDocument?chat_id="; content:"|26|caption|3d|"; content:"|f0 9f 8f b4 20|IP|3a 20|"; distance:0; content:"|20|BASIC|20|INFORMATION|3a 0a 20 20 20 e2 88 9f 20|Passwords|20 2d 20|"; distance:0; fast_pattern; reference:md5,f925449e1f939ca70b5f842d4fc55921; reference:url,github.com/alikaptanoglu/Reborn-Stealer-2021-SOURCE/; classtype:command-and-control; sid:2033209; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"Project_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3345; reference:url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html; reference:url,doc.emergingthreats.net/2006527; classtype:web-application-attack; sid:2006527; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)"; flow:established,to_server; http.uri; content:"/openam/oauth2/"; content:"/ccversion/Version"; nocase; pkt_data; content:"jato.pageSession="; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; reference:url,attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464; reference:cve,2021-35464; classtype:attempted-admin; sid:2033210; rev:1; metadata:attack_target Server, created_at 2021_06_30, cve CVE_2021_35464, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005967; classtype:web-application-attack; sid:2005967; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!2038,!3478,!5000,!22466,!3101,!6180,!80,!443,!8080,!8443,!25,!587,!2525] (msg:"ET MALWARE QuasarRAT/zgRAT C2 Activity (set)"; flow:established,to_server; flowbits:set,ET.zgRAT; flowbits:noalert; content:"|40 00 00 00|"; dsize:4; reference:md5,43a2f0f6fb1b858e9d7997ba8317df03; reference:url,twitter.com/James_inthe_box/status/1410260077861249028; classtype:command-and-control; sid:2033211; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005968; classtype:web-application-attack; sid:2005968; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE zgRAT Activity M2"; flow:established,to_server; flowbits:isset,ET.zgRAT; content:"|2b 00 00 00 1f 8b 08 00 00 00 00 00 04 00 33 b6 51 51 b5 b7|"; depth:20; isdataat:!45,relative; reference:md5,43a2f0f6fb1b858e9d7997ba8317df03; reference:url,twitter.com/James_inthe_box/status/1410260077861249028; classtype:command-and-control; sid:2033212; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_06_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005969; classtype:web-application-attack; sid:2005969; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MageCart Group 12 Domain (toolser .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"toolser.pw"; bsize:10; fast_pattern; reference:url,lukeleal.com/research/posts/magecart-group-12-toolser-skimmer/; classtype:trojan-activity; sid:2033213; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, signature_severity Major, updated_at 2021_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005970; classtype:web-application-attack; sid:2005970; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.2ip.ua"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033214; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_07_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005971; classtype:web-application-attack; sid:2005971; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established, from_server; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|";  distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033216; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_acronyms.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6842; reference:url,www.milw0rm.com/exploits/3033; reference:url,doc.emergingthreats.net/2005972; classtype:web-application-attack; sid:2005972; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-29"; flow:established, from_server; file.data; content:"<title>HOME|20 2d 20|BEZPIECZE|26|amp|3b 23|x143|3b|STWA ADMIN JEDNOSTKA</title>"; fast_pattern; content:"method|3d 22|post|22|";  distance:0; content:"encType|3d 22|multipart/form-data|22|"; distance:0; content:"id|3d 22|rJ6e8Wwhpou|22|"; distance:0; content:"novalidate|3d 22 22|"; classtype:credential-theft; sid:2033217; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006969; classtype:web-application-attack; sid:2006969; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing Landing Page 2021-06-25"; flow:established,from_server; file.data; content:"<title>Sign In</title>"; content:"role|3d 22|form|22|"; distance:0; content:"action|3d 22|squ.php|22|"; distance:0; content:"method|3d 22|post|22 3e|"; reference:url,app.any.run/tasks/a0625793-31c1-4538-a5c6-e213eb4b8128/; classtype:credential-theft; sid:2033215; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006970; classtype:web-application-attack; sid:2006970; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT xCaon/Textpadx Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/kw.asp"; endswith; fast_pattern; http.request_body; content:"d="; startswith; content:"&k="; distance:0; content:"&w="; distance:0; http.header_names; content:!"Referer"; reference:md5,3562bf97997c54d74f58d4c1ad84fcea; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033219; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006971; classtype:web-application-attack; sid:2006971; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IndigoZebra APT BoxCaon DropBox Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/2/files/create_folder_v2"; bsize:25; http.header; content:"Authorization|3a 20|Bearer|20|iioKFUvLMX0AAAAAAAAAARDKLMS9uW1ax9ogdxWVqMC582VLW-CVofMpeFTEVfhU|0d 0a|"; fast_pattern; http.host; content:"api.dropboxapi.com"; bsize:18; reference:md5,974201f7895967bff0b018b95d5f5f4b; reference:url,research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/; classtype:command-and-control; sid:2033220; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006972; classtype:web-application-attack; sid:2006972; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Nivesro Cheat CnC Activity M1"; flow:established,to_server; http.uri; content:"authentication.php?a="; fast_pattern; content:"&b="; distance:0; http.accept; content:"text/*"; bsize:6; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,6aaa1742b89bd72be6ee50709fc457ab; classtype:trojan-activity; sid:2033221; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006973; classtype:web-application-attack; sid:2006973; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP NivesroCheat CnC Activity M2"; flow:established,to_server; http.uri; content:"version.php?a="; fast_pattern; content:!"&"; distance:0; http.accept; content:"text/*"; bsize:6; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|"; startswith; reference:md5,6aaa1742b89bd72be6ee50709fc457ab; classtype:trojan-activity; sid:2033222; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE"; flow:established,to_server; http.uri; content:"/admin_hacks_list.php?"; nocase; content:"hack_id="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6216; reference:url,www.milw0rm.com/exploits/2851; reference:url,doc.emergingthreats.net/2006974; classtype:web-application-attack; sid:2006974; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BnpOnspQwtjCA"; endswith; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033223; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/website.php?"; nocase; content:"page="; nocase; reference:bugtraq,30176; reference:url,milw0rm.com/exploits/6037; reference:url,doc.emergingthreats.net/2009743; classtype:web-application-attack; sid:2009743; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Register M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BnpOnspQwtjCA/register"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004041; classtype:web-application-attack; sid:2004041; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Register M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/register"; http.request_body; content:"cid="; content:"&group="; distance:0; content:"ip_local="; distance:0; content:"&ip_local2="; distance:0; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004042; classtype:web-application-attack; sid:2004042; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Key Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/key"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004043; classtype:web-application-attack; sid:2004043; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Services Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/services"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033227; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004044; classtype:web-application-attack; sid:2004044; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Priority Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/priority"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004045; classtype:web-application-attack; sid:2004045; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Ignore Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/ignore"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; http.uri; content:"/modules/admin/modules/gallery.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2866; reference:url,www.frsirt.com/english/advisories/2007/1937; reference:url,doc.emergingthreats.net/2004046; classtype:web-application-attack; sid:2004046; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Ext Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/ext"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004695; classtype:web-application-attack; sid:2004695; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Wipe Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/wipe"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004696; classtype:web-application-attack; sid:2004696; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol Communicating with CnC - Landing Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Bnyar8RsK04ug/"; fast_pattern; content:"/landing"; endswith; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004697; classtype:web-application-attack; sid:2004697; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Diavol HTTP Cookie Observed"; flow:established,to_server; http.cookie; content:"diavol_session="; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider; reference:md5,eb20d16d94bb9cd8d28248ba918ff732; classtype:command-and-control; sid:2033233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_05, deployment Perimeter, former_category TROJAN, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004698; classtype:web-application-attack; sid:2004698; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain"; dns.query; content:".indexsinas.me"; endswith; fast_pattern; reference:url,www.guardicore.com/labs/smb-worm-indexsinas/; classtype:domain-c2; sid:2033234; rev:1; metadata:created_at 2021_07_05, former_category TROJAN, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004699; classtype:web-application-attack; sid:2004699; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known Indexsinas CnC Domain"; dns.query; content:"a.ccmd.website"; endswith; fast_pattern; reference:url,www.guardicore.com/labs/smb-worm-indexsinas/; classtype:domain-c2; sid:2033235; rev:1; metadata:created_at 2021_07_05, former_category TROJAN, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE"; flow:established,to_server; http.uri; content:"/include.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7115; reference:url,www.securityfocus.com/bid/21002; reference:url,doc.emergingthreats.net/2004700; classtype:web-application-attack; sid:2004700; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET HUNTING Possible REvil 0day Exploitation Activity Inbound"; flow:established,to_server; content:"|0a|procCreate|28 22|Archive"; content:"procStep|28|"; distance:0; within:50; content:"+++SQLCMD|3a 22|+"; distance:0; within:100; content:"|22|DELETE|20|FROM"; reference:url,blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/; classtype:bad-unknown; sid:2033236; rev:1; metadata:created_at 2021_07_05, former_category HUNTING, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid SELECT"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005784; classtype:web-application-attack; sid:2005784; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Initial CnC Checkin Outbound"; flow:established,to_server; dsize:8; content:"|3e c7 e3 1e 37 47 61 20|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033237; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UNION SELECT"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005785; classtype:web-application-attack; sid:2005785; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Initial CnC Checkin Inbound"; flow:established,to_server; dsize:8; content:"|3e c7 e3 1e 37 47 61 20|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033238; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid INSERT"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005786; classtype:web-application-attack; sid:2005786; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Bot Upload Command Outbound"; flow:established,from_server; dsize:8; content:"|b1 2f de ce cb 89 e1 a0|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033239; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid DELETE"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005787; classtype:web-application-attack; sid:2005787; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Info Submission Outbound"; flow:established,to_server; dsize:<300; content:"|3a 31 34 b5 02 00|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033240; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid ASCII"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005788; classtype:web-application-attack; sid:2005788; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Info Submission Inbound"; flow:established,to_server; dsize:<300; content:"|3a 31 34 b5 02 00|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033241; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE"; flow:established,to_server; http.uri; content:"/comment.php?"; nocase; content:"subid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0179; reference:url,www.securityfocus.com/bid/21962; reference:url,doc.emergingthreats.net/2005789; classtype:web-application-attack; sid:2005789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Mirai pTea Variant - Attack Command Outbound"; flow:established,from_server; dsize:<70; content:"|ad af fe 7f|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033242; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Million Pixel Ad Script tops_top.php id_cat parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tops_top.php?"; nocase; content:"id_cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/31626/; reference:url,milw0rm.com/exploits/6044; reference:url,doc.emergingthreats.net/2009139; classtype:web-application-attack; sid:2009139; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Bot Upload Command Inbound"; flow:established,from_server; dsize:8; content:"|b1 2f de ce cb 89 e1 a0|"; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033244; rev:1; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_conf/core/common-tpl-vars.php?"; nocase; content:"lang="; nocase; pcre:"/(?:\.\.\/){1,}/"; reference:url,milw0rm.com/exploits/7392; reference:bugtraq,32705; reference:url,doc.emergingthreats.net/2008961; classtype:web-application-attack; sid:2008961; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE xCaon Embedded Encrypted Command in Webpage"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|3c 21 2d 2d 7c 23|"; fast_pattern; content:"|23 7c 2d 2d 3e|"; distance:0; within:300; classtype:command-and-control; sid:2033245; rev:1; metadata:created_at 2021_07_05, former_category MALWARE, updated_at 2021_07_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/DB_adodb.class.php?"; nocase; content:"PHPOF_INCLUDE_PATH="; nocase; pcre:"/PHPOF_INCLUDE_PATH=\s*(?:ftps?|https?|php)\:\//i"; reference:bugtraq,25541; reference:url,doc.emergingthreats.net/2009051; classtype:web-application-attack; sid:2009051; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kaseya VSA Exploit Activity M1 (SET)"; flow:established,to_server; http.request_line; content:"POST|20|/dl.asp|20|"; fast_pattern; startswith; http.user_agent; content:"curl/"; startswith; flowbits:set,ET.kaseya1; flowbits:noalert; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033248; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Realty dpage.php docID parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dpage.php?"; nocase; content:"docID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/31484/; reference:url,packetstorm.linuxsecurity.com/0808-exploits/phprealty-sql.txt; reference:url,doc.emergingthreats.net/2009137; classtype:web-application-attack; sid:2009137; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kaseya VSA Exploit Activity M2 (SET)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/KUpload.asp"; fast_pattern; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:set,ET.kaseya2; flowbits:noalert; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033249; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPStore Wholesales id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/track.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32741/; reference:url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt; reference:url,doc.emergingthreats.net/2008873; classtype:web-application-attack; sid:2008873; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/done.asp"; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:isset,ET.kaseya1; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033250; rev:1; metadata:affected_product Kaseya_VSA, attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004701; classtype:web-application-attack; sid:2004701; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit Activity Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/done.asp"; endswith; http.method; http.user_agent; content:"curl/"; startswith; flowbits:isset,ET.kaseya2; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004702; classtype:web-application-attack; sid:2004702; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kaseya VSA Exploit URI Structure Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userFilterTableRpt.asp"; fast_pattern; endswith; http.method; http.user_agent; content:"curl/"; startswith; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:trojan-activity; sid:2033252; rev:1; metadata:affected_product Kaseya_VSA, attack_target Web_Server, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php INSERT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005180; classtype:web-application-attack; sid:2005180; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Payload 2021-07-06"; flow:established, to_server; http.uri; pcre: "/\.(?:exe|dll)$/"; http.header; content:"User-Agent|3a 20|charris"; fast_pattern; content:"UA-CPU|3a|"; http.header_names; content:!"Referer"; reference:md5,fda11c3ab0a8f8fb190456842974583c; classtype:trojan-activity; sid:2033253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php DELETE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004703; classtype:web-application-attack; sid:2004703; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE Possible Siloscape IRC CnC JOIN Command Observed"; flow:established,to_server; content:"JOIN|20|#WindowsKubernetes"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/siloscape/; classtype:command-and-control; sid:2033266; rev:1; metadata:created_at 2021_07_07, former_category MALWARE, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php ASCII"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2004704; classtype:web-application-attack; sid:2004704; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO URL Shortening Service Domain in TLS SNI (coki .me)"; flow:established,to_server; tls.sni; content:"coki.me"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2033267; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_07, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7101; reference:url,www.milw0rm.com/exploits/2759; reference:url,doc.emergingthreats.net/2005181; classtype:web-application-attack; sid:2005181; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC Channel join"; flow:to_server,established; content:"JOIN|20 3a 20 23|"; fast_pattern; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101729; rev:12; metadata:created_at 2010_09_23, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Lance show.php catid SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/show.php?catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/Advisories/32027/; reference:url,www.milw0rm.com/exploits/6605; reference:url,doc.emergingthreats.net/2008614; classtype:web-application-attack; sid:2008614; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg:"ET MALWARE IRC Channel join on non-standard port"; flow:to_server,established; content:"JOIN|20 3a 20|#"; nocase; depth:8; reference:url,doc.emergingthreats.net/bin/view/Main/2000351; classtype:policy-violation; sid:2000351; rev:12; metadata:created_at 2010_07_30, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPNuke SQL injection attempt"; flow: to_server,established; http.uri; content:"/modules.php?"; content:"name=Search"; content:"instory="; reference:url,www.waraxe.us/index.php?modname=sa&id=35; reference:url,doc.emergingthreats.net/2001197; classtype:web-application-attack; sid:2001197; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET MALWARE IRC Bot Download http Command"; flow:established,from_server; content:"JOIN|20 3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:5; metadata:created_at 2012_03_28, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang SELECT"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004325; classtype:web-application-attack; sid:2004325; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)"; dns.query; content:".nanopool.org"; nocase; endswith; classtype:policy-violation; sid:2033268; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UNION SELECT"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004326; classtype:web-application-attack; sid:2004326; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS WaterDropX PRISM UA Observed"; flow:established,to_server; http.user_agent; content:"agent-waterdropx"; fast_pattern; classtype:command-and-control; sid:2033269; rev:1; metadata:created_at 2021_07_07, former_category USER_AGENTS, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang INSERT"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004327; classtype:web-application-attack; sid:2004327; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WaterDropX PRISM CnC Response"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"@@"; fast_pattern; offset:1; content:"@@"; distance:1; within:2; content:"@@"; distance:0; within:50; isdataat:!6,relative; flowbits:isset,ET.waterdropx; classtype:command-and-control; sid:2033271; rev:2; metadata:created_at 2021_07_07, former_category MALWARE, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang DELETE"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004328; classtype:web-application-attack; sid:2004328; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WaterDropX PRISM CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".x?v="; content:"&act="; http.user_agent; content:"agent-waterdropx"; fast_pattern; flowbits:set,ET.waterdropx; classtype:command-and-control; sid:2033270; rev:2; metadata:created_at 2021_07_07, former_category MALWARE, malware_family PRISM, tag WaterDropX, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang ASCII"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004329; classtype:web-application-attack; sid:2004329; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Command Injection Attempt Inbound (Possible Mirai Activity)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/op_type="; startswith; fast_pattern; content:"|3b|"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; classtype:attempted-user; sid:2033272; rev:1; metadata:created_at 2021_07_07, former_category EXPLOIT, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE"; flow:established,to_server; http.uri; content:"/mainfile.php?"; nocase; content:"lang="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1450; reference:url,www.securityfocus.com/bid/22909; reference:url,doc.emergingthreats.net/2004330; classtype:web-application-attack; sid:2004330; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Vulnerability Exploit Attempt (Possible Mirai Activity)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/"; startswith; http.request_body; content:"key=|27 3b 60|"; startswith; fast_pattern; content:"wget"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; classtype:attempted-admin; sid:2033273; rev:1; metadata:attack_target Server, created_at 2021_07_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004851; classtype:web-application-attack; sid:2004851; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ISearchTech.com XXXPornToolbar Activity (IST)"; flow:to_server,established; http.user_agent; content:"IST"; bsize:3; fast_pattern; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/2001493; classtype:pup-activity; sid:2001493; rev:37; metadata:created_at 2010_07_30, former_category USER_AGENTS, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UNION SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004852; classtype:web-application-attack; sid:2004852; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M1"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033247; rev:2; metadata:created_at 2021_07_06, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004853; classtype:web-application-attack; sid:2004853; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M2"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|2f 00|"; content:"|2f|"; distance:0; within:30; classtype:misc-activity; sid:2033274; rev:2; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id DELETE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004854; classtype:web-application-attack; sid:2004854; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M3"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00 3f 00 5c 00|U|00|N|00|C|00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033275; rev:2; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id ASCII"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004855; classtype:web-application-attack; sid:2004855; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-#alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - RpcAddPrinterDriverEx with Possible UNC Path M4"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c 00 3f 00 3f 00 5c 00|"; content:"|5c|"; distance:0; within:30; classtype:misc-activity; sid:2033276; rev:1; metadata:created_at 2021_07_07, cve 2021_34527, former_category POLICY, updated_at 2021_07_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"category_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1034; reference:url,www.milw0rm.com/exploits/3334; reference:url,doc.emergingthreats.net/2004856; classtype:web-application-attack; sid:2004856; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tcp any any -> $HOME_NET [139,445] (msg:"ET POLICY [MS-RPRN] Windows Printer Spooler Activity - AddPrinterDriverEx with Suspicious Filepath"; flow:established,to_server; content:"|00|"; startswith; content:"SMB"; distance:4; within:3; content:"|00 00|"; distance:0; content:"|10 00 00 00|"; distance:1; within:4; content:"|59 00|"; distance:14; within:2; content:"|5c|spool|5c|drivers|5c|x64|5c|3|5c|old|5c|"; fast_pattern; classtype:misc-activity; sid:2033246; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_06, cve 2021_34527, former_category POLICY, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active SELECT"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005456; classtype:web-application-attack; sid:2005456; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=sharebusiness.xyz"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033277; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005457; classtype:web-application-attack; sid:2005457; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CryptoMimic Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=elwoodasset.xyz"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033278; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active INSERT"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005458; classtype:web-application-attack; sid:2005458; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BazaLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.header; pcre:"/^Date\x3a\x20[^\r\n]+[0-9]{2}::[0-9]{2}\x20/"; http.header_names; content:"|0d 0a|Date|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; content:!"Accept"; http.user_agent; content:"Win"; bsize:3; reference:md5,f75e5710a5c84cec8e06b9b5c99e5400; reference:url,twitter.com/malware_traffic/status/1412914497338097664; classtype:trojan-activity; sid:2033279; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BazaLoader, performance_impact Low, signature_severity Major, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active DELETE"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005459; classtype:web-application-attack; sid:2005459; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OptiLink ONT1GEW GPON RCE Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boaform/admin/"; pcre:"/^form(?:Ping|Tracert)$/R"; http.request_body; content:"target_addr=|22|"; fast_pattern; content:"|60|"; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033280; rev:2; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ASCII"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005460; classtype:web-application-attack; sid:2005460; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT OptiLink ONT1GEW GPON RCE Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boaform/admin/"; pcre:"/^form(?:Ping|Tracert)$/R"; http.request_body; content:"target_addr=|22|"; fast_pattern; content:"|60|"; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033281; rev:1; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE"; flow:established,to_server; http.uri; content:"/admin/modules/modules.php?"; nocase; content:"active="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005461; classtype:web-application-attack; sid:2005461; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Inbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033282; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005462; classtype:web-application-attack; sid:2005462; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Cisco HyperFlex HX RCE Outbound (CVE-2021-1498)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/storfs-asup"; fast_pattern; http.request_body; content:"&token="; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-1498; classtype:attempted-admin; sid:2033283; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_1498, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005463; classtype:web-application-attack; sid:2005463; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Trenda Router AC11 RCE Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; distance:0; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_31755, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005464; classtype:web-application-attack; sid:2005464; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Trenda Router AC11 RCE Outbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; content:"|3b|"; distance:0; within:40; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:cve,2021-31755; classtype:attempted-admin; sid:2033285; rev:1; metadata:created_at 2021_07_08, cve CVE_2021_31755, updated_at 2021_07_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005465; classtype:web-application-attack; sid:2005465; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (NHS UK Covid Passport Phish)"; flow:from_server,established; tls.cert_subject; content:"CN=nhs.applyonline20.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033286; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_08, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005466; classtype:web-application-attack; sid:2005466; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING jpg download from fileupload .site"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jpg"; endswith; http.host; content:"fileupload.site"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033287; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_class="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005467; classtype:web-application-attack; sid:2005467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO URL Shortening Service Domain in TLS SNI (hyp .ae)"; flow:established,to_server; tls.sni; content:"hyp.ae"; bsize:6; fast_pattern; classtype:policy-violation; sid:2033288; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category INFO, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005468; classtype:web-application-attack; sid:2005468; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 8000: (msg:"ET MALWARE Malicious Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn/"; startswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.header_names; content:!"Referer"; reference:md5,0e0c65c206e1244987db350f3fefabd6; reference:md5,e31b4fb81764e4dd6bacab9baba266b4; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033289; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005469; classtype:web-application-attack; sid:2005469; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/updates"; bsize:8; http.cookie; content:"user="; startswith; fast_pattern; pcre:"/^[A-P]{256}$/R"; http.header_names; content:!"Referer"; reference:md5,5dfb7f863cd291544b9dfdb3de25162f; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033290; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005470; classtype:web-application-attack; sid:2005470; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Connection|3a 20|Keel-Alive"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59d23f4da9837474d3f2d9f6816bd716; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033291; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_09, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005471; classtype:web-application-attack; sid:2005471; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BIOPASS RAT Related Domain in DNS Lookup (0x3s .com)"; dns.query; content:"0x3s.com"; nocase; bsize:8; reference:url,www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:domain-c2; sid:2033292; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005472; classtype:web-application-attack; sid:2005472; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033294; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"imageurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005473; classtype:web-application-attack; sid:2005473; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - certmngr.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/certmngr.cgi?action=createselfcert&"; fast_pattern; content:"&state=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033295; rev:2; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005474; classtype:web-application-attack; sid:2005474; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033296; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005475; classtype:web-application-attack; sid:2005475; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - factory.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/factory.cgi?"; fast_pattern; content:"preserve=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033297; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005476; classtype:web-application-attack; sid:2005476; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033298; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005477; classtype:web-application-attack; sid:2005477; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - language.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/language.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033299; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005479; classtype:web-application-attack; sid:2005479; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033300; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005480; classtype:web-application-attack; sid:2005480; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - oem.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem.cgi?"; fast_pattern; content:"environment.lang=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033301; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005481; classtype:web-application-attack; sid:2005481; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033302; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005482; classtype:web-application-attack; sid:2005482; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - simple_reclistjs.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/simple_reclistjs.cgi?"; fast_pattern; content:"date=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033303; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005483; classtype:web-application-attack; sid:2005483; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033304; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005484; classtype:web-application-attack; sid:2005484; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - testcmd.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/testcmd.cgi?"; fast_pattern; content:"command=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033305; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"ad_code="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005485; classtype:web-application-attack; sid:2005485; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Outbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033306; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005486; classtype:web-application-attack; sid:2005486; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - tmpapp.cgi RCE via Command Injection Attempt Inbound (CVE-2021-33544)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tmpapp.cgi?"; fast_pattern; content:"appfile.filename=|24|"; distance:0; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33544; classtype:attempted-admin; sid:2033307; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33544, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005487; classtype:web-application-attack; sid:2005487; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_08;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass Attempt Outbound (CVE-2021-33543)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uapi-cgi/"; fast_pattern; pcre:"/^.{1,50}\/uapi-cgi\//Ui"; content:".cgi"; endswith; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33543; classtype:attempted-admin; sid:2033308; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33543, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position INSERT"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005489; classtype:web-application-attack; sid:2005489; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Auth Bypass Attempt Inbound (CVE-2021-33543)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uapi-cgi/"; fast_pattern; pcre:"/^.{1,50}\/uapi-cgi\//Ui"; content:".cgi"; endswith; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; reference:cve,2021-33543; classtype:attempted-admin; sid:2033309; rev:1; metadata:created_at 2021_07_09, cve CVE_2021_33543, former_category EXPLOIT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position DELETE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005490; classtype:web-application-attack; sid:2005490; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BIOPASS RAT Python Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/res/"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.host; content:"flashdownloadserver.oss-cn-hongkong.aliyuncs.com"; reference:md5,f0b96efe2f714e7bddf76cc90a8b8c88; reference:url,trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:trojan-activity; sid:2033293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005491; classtype:web-application-attack; sid:2005491; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BIOPASS RAT Go Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/res/"; startswith; fast_pattern; content:".exe"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.host; content:"flashdownloadserver.oss-cn-hongkong.aliyuncs.com"; reference:md5,f0b96efe2f714e7bddf76cc90a8b8c88; reference:url,trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html; classtype:trojan-activity; sid:2033310; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"position="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005492; classtype:web-application-attack; sid:2005492; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DCRat CnC Exfil"; flow:established,to_server; urilen:>150; http.method; content:"POST"; http.uri; content:".php?"; http.request_body; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^[a-f0-9]{32}\r\n\r\nPK/Rsi"; content:"Browsers/"; fast_pattern; distance:0; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,3aa17643535d17db367447e1104e12d9; classtype:trojan-activity; sid:2033087; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_04, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat SELECT"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005585; classtype:web-application-attack; sid:2005585; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Outbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033311; rev:1; metadata:created_at 2021_07_09, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005586; classtype:web-application-attack; sid:2005586; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UDP Technology Firmware (IP Cam) - Possible Stack Buffer Overflow Attempt Inbound (Multiple CVE IDs)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uapi-cgi/"; fast_pattern; content:".cgi"; endswith; http.request_body; content:"action="; pcre:"/^[^&]{150,}/R"; reference:cve,2021-33545; reference:cve,2021-33546; reference:cve,2021-33547; reference:cve,2021-33549; reference:url,www.randorisec.fr/udp-technology-ip-camera-vulnerabilities/; classtype:attempted-admin; sid:2033312; rev:1; metadata:created_at 2021_07_09, updated_at 2021_07_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat INSERT"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005587; classtype:web-application-attack; sid:2005587; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (SideWinder APT CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.pakmarines.com"; nocase; fast_pattern; endswith; classtype:domain-c2; sid:2033313; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat DELETE"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005588; classtype:web-application-attack; sid:2005588; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64)|20|AppleWebKit/537.36|20|(KHTML,|20|like|20|Gecko)|20|Chrome/70."; bsize:91; reference:url,media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF; classtype:bad-unknown; sid:2033314; rev:1; metadata:created_at 2021_07_12, former_category USER_AGENTS, updated_at 2021_07_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ASCII"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005589; classtype:web-application-attack; sid:2005589; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (Brute Force Attacks)"; flow:established,to_server; http.user_agent; content:"Microsoft|20|Office/14.0|20|(Windows|20|NT|20|6.1|3b 20|Microsoft|20|Outlook|20|14.0.7162|3b 20|Pro"; bsize:71; reference:url,media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF; classtype:bad-unknown; sid:2033315; rev:1; metadata:created_at 2021_07_12, former_category USER_AGENTS, updated_at 2021_07_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE"; flow:established,to_server; http.uri; content:"/blocks/block-Old_Articles.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0309; reference:url,www.securityfocus.com/bid/22037; reference:url,doc.emergingthreats.net/2005590; classtype:web-application-attack; sid:2005590; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WildPressure/Milum CnC Activity"; flow:established,to_server; content:"|0d 0a 0d 0a|pk="; fast_pattern; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"User-Agent|3a 20|Python-urllib/"; http.request_body; content:"pk="; startswith; content:"&value="; distance:0; pcre:"/^pk=[A-Za-z0-9]{8,50}&value=[a-f0-9]{50,500}$/s"; http.header_names; content:!"Referer"; reference:url,securelist.com/wildpressure-targets-macos/103072/; reference:md5,92a11f0dcb973d1a58d45c995993d854; classtype:trojan-activity; sid:2033316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006927; classtype:web-application-attack; sid:2006927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation SpoofedScholars Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect/?memberemailid="; startswith; fast_pattern; pcre:"/^[A-Z]{2}-[A-Z0-9]{10,20}-[A-Z0-9]{6,10}-[A-Z0-9]{2,8}-[A-Z0-9]{2,8}-[0-9]{2,5}$/R"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2033317; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_12, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006928; classtype:web-application-attack; sid:2006928; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Maldoc/Zloader CnC)"; flow:from_server,established; content:"|0f|heavenlygem.com"; nocase; fast_pattern; content:"|2a|.heavenlygem.com"; classtype:domain-c2; sid:2033318; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006929; classtype:web-application-attack; sid:2006929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE PJobRat System Exfil to CnC"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"|7b 22|network|22 3a 22|"; content:"|22 2c 22|type|22 3a 22 5b|"; content:"|22 2c 22|info|22 3a 22|"; content:"|22 2c 22|ipaddr|22 3a 22|"; content:"|22 2c 22|bandwidth|22 3a 22|"; content:"|22 2c 22|downspeed|22 3a 22|"; content:"|22 2c 22|upspeed|22 3a 22|"; content:"|22 2c 22|rip|22 3a 22|"; content:"|22 2c 22|manufacture|22 3a 22|"; content:"|22 2c 22|imei|22 3a 22|"; content:"|22 2c 22|pnumber|22 3a 22|"; content:"|22 2c 22|location|22 3a 22 5b 7b 5c 22|latitude|5c 22 3a 5c 22|"; fast_pattern; content:"|22 2c 22|appname|22 3a 22|"; reference:url,labs.k7computing.com/?p=22537; classtype:command-and-control; sid:2033319; rev:1; metadata:affected_product Android, created_at 2021_07_13, former_category MOBILE_MALWARE, updated_at 2021_07_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid DELETE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006930; classtype:web-application-attack; sid:2006930; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE PJobRat CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b|name|3d 22|"; content:"|3b|filename|3d 22|"; content:"|5b 7b 22|cid|22 3a|"; content:"displayName"; content:"phoneNumber|22 3a 22 2b|"; fast_pattern; content:"file|0d 0a 2d 2d 2d 2d 2d 2d|"; content:"contacts|0d 0a 2d 2d 2d 2d 2d 2d|"; http.uri; content:".php"; endswith; reference:url,labs.k7computing.com/?p=22537; classtype:command-and-control; sid:2033320; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2021_07_13, former_category MOBILE_MALWARE, updated_at 2021_07_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid ASCII"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006931; classtype:web-application-attack; sid:2006931; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)"; flow:established,to_client; file.data; content:"RhinoSoft"; content:"Serv-U"; distance:0; content:"\\r\\nCRhinoUintAttr\\r\\nLastHour\\r\\n"; fast_pattern; content:".Archive"; content:"Serv-U-Tray.exe"; content:"window.close|28 29|"; reference:md5,2443968bb4d1c9f5e99d4dd09fd754af; reference:url,www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211; classtype:trojan-activity; sid:2033321; rev:2; metadata:attack_target Server, created_at 2021_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UNION SELECT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006934; classtype:web-application-attack; sid:2006934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fareit Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/otproc.asp"; bsize:11; http.user_agent; content:"Indy|20|Library|29|"; endswith; http.request_body; content:"sGbn="; startswith; fast_pattern; content:"&sGbn1="; distance:0; content:"&n5uid="; distance:0; http.header_names; content:!"Referer"; reference:md5,bf0c3851bd0cdd2bbdd3902326e37688; classtype:trojan-activity; sid:2033322; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid DELETE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006936; classtype:web-application-attack; sid:2006936; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncAddPrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|27 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033255; rev:4; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid ASCII"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006937; classtype:web-application-attack; sid:2006937; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncCorePrinterDriverInstalled"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|41 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033263; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006938; classtype:web-application-attack; sid:2006938; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|2a 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033258; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid SELECT"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007176; classtype:web-application-attack; sid:2007176; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverEx"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|2b 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033259; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007177; classtype:web-application-attack; sid:2007177; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncDeletePrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|43 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033265; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid INSERT"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007178; classtype:web-application-attack; sid:2007178; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncEnumPrinterDrivers"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|28 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:bad-unknown; sid:2033254; rev:3; metadata:created_at 2021_07_06, former_category POLICY, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid DELETE"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007179; classtype:web-application-attack; sid:2007179; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetCorePrinterDrivers"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|40 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033262; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ASCII"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007180; classtype:web-application-attack; sid:2007180; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriver"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|1a 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033256; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE"; flow:established,to_server; http.uri; content:"/modules/News/index.php?"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6200; reference:url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded; reference:url,doc.emergingthreats.net/2007181; classtype:web-application-attack; sid:2007181; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverDirectory"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|29 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033257; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Module Emporium SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; content:"name=Shopping_Cart"; nocase; content:"category_id="; nocase; pcre:"/(?:\?|&)category_id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,milw0rm.com/exploits/3334; reference:url,packetstormsecurity.org/0912-exploits/phpnukeemporium-sql.txt; reference:url,doc.emergingthreats.net/2010553; classtype:web-application-attack; sid:2010553; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncGetPrinterDriverPackagePath"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|42 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033264; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011133; classtype:web-application-attack; sid:2011133; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed AZORult CnC Domain (miscrosoftworrd .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"miscrosoftworrd.000webhostapp.com"; bsize:33; fast_pattern; reference:md5,6610271aeae6daa7df27641cba63115a; classtype:domain-c2; sid:2033323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_14, deployment Perimeter, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_07_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011134; classtype:web-application-attack; sid:2011134; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Connectivity Check M2"; flow:to_server,established; http.uri; content:"/proxy.php"; endswith; fast_pattern; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3b 20|Win64|3b 20|x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/90.0.4430.85 Safari/537.36 OPR/76.0.4017.94"; bsize:131; http.host; content:"zennolab.com"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc171ee77dc2d657e0c018fcad17608f; classtype:trojan-activity; sid:2033324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011135; classtype:web-application-attack; sid:2011135; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tofsee Connectivity Check M3"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 |28|Windows NT 10.0|3b 20|Win64|3b 20|x64|29| AppleWebKit/537.36 |28|KHTML, like Gecko|29| Chrome/90.0.4430.85 Safari/537.36 OPR/76.0.4017.94"; bsize:131; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,cc171ee77dc2d657e0c018fcad17608f; classtype:trojan-activity; sid:2033325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011136; classtype:web-application-attack; sid:2011136; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspicious TikTok Domain Request - Possible Phishing or Scam"; dns.query; content:"tiktok"; fast_pattern; pcre:"/(?:verify|support|account|copyright|help|verified|service|badge|verification|safety)?.{0,30}tiktok(?:verify|support|account|copyright|help|verified|service|badge|verification|safety)?.{0,30}(\.ml$|\.ga$|\.cf$|\.gq$|\.tk$|\.xyz$)/"; classtype:social-engineering; sid:2031492; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_07, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_07_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/links.php?"; nocase; content:"op=viewslink&"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,exploit-db.com/exploits/12514; reference:bugtraq,39925; reference:url,doc.emergingthreats.net/2011137; classtype:web-application-attack; sid:2011137; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE MSHTML Out-of-Bounds Write Inbound (CVE-2021-33742)"; flow:from_server,established; file.data; content:"innerHTML|20|=|20|Array|28|"; nocase; fast_pattern; byte_test:0,>=,33554431,0,string,dec,relative; content:"|29|.toString|28 29 3b|"; distance:0; within:50; reference:url,googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html; reference:cve,2021-33742; classtype:attempted-admin; sid:2033326; rev:1; metadata:created_at 2021_07_15, cve CVE_2021_33742, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011168; classtype:web-application-attack; sid:2011168; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M5"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/htt_p"; fast_pattern; bsize:6; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,f85752f580eabe38362bea8e9bb61297; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:command-and-control; sid:2033327; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011169; classtype:web-application-attack; sid:2011169; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (msstore .io)"; dns.query; content:"msstore.io"; nocase; bsize:10; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033328; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011170; classtype:web-application-attack; sid:2011170; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (adtracker .link)"; dns.query; content:"adtracker.link"; nocase; bsize:14; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033329; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011171; classtype:web-application-attack; sid:2011171; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Spyware CnC Domain in DNS Lookup (cdnmobile .io)"; dns.query; content:"cdnmobile.io"; nocase; bsize:12; reference:url,citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/; classtype:domain-c2; sid:2033330; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/friend.php?"; nocase; content:"op=FriendSend&"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt; reference:bugtraq,39992; reference:url,doc.emergingthreats.net/2011172; classtype:web-application-attack; sid:2011172; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.DPRK MalDoc SysInfo CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|MAX_FILE_SIZE|22 0d 0a|"; content:"name=|22|userfile|22 3b 20|filename=|22|yo|22 0d 0a|"; distance:0; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,8a7686430d9ad2832e8a4c3992186b36; classtype:trojan-activity; sid:2033331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Realtor v_cat SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view_cat.php?v_cat="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/6694; reference:url,secunia.com/advisories/32149/; reference:url,doc.emergingthreats.net/2008649; classtype:web-application-attack; sid:2008649; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Checkin M1"; flow:established,to_server; content:"|00 44 a2 62 97 ec 0b db 04 08 1c 3c 59 32 28 08 b7|"; offset:3; depth:17; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ReVou Micro Blogging user_updates.php user Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/user_updates.php?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7925; reference:bugtraq,33540; reference:url,doc.emergingthreats.net/2009140; classtype:web-application-attack; sid:2009140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Outbound M1"; flow:established,to_server; content:"|31 36 00 ba fe ef fa 6f d3 df bf 95 83 64 32 67 88 bc 83|"; dsize:19; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005901; classtype:web-application-attack; sid:2005901; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Inbound M1"; flow:established,to_client; content:"|31 36 00 da 1b 70 b5 96 ed a6 4a 18 8e ce 90 cc 5a fc 71|"; reference:md5,66fb288e71fa3fbcd2b49d292f1938f6; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005902; classtype:web-application-attack; sid:2005902; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Checkin M2"; flow:established,to_server; content:"|00 93 2d 95 a9 6e fb 6c fb e0 02 ba 4b 2a a9 d9 e5|"; offset:3; depth:17; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005903; classtype:web-application-attack; sid:2005903; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Outbound M2"; flow:established,to_server; content:"|31 36 00 0d 47 53 7a 9b 6b b1 37 a8 9b a9 97 b3 e6 8f 1d|"; dsize:19; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, signature_severity Major, tag RAT, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005904; classtype:web-application-attack; sid:2005904; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MargulasRAT Keep-Alive Inbound M2"; flow:established,to_client; content:"|31 36 00 29 73 c4 34 06 b6 62 c3 2e d4 0f 86 fb f3 35 c0|"; reference:md5,5d54adefcf435c4e9f1705df690386c7; reference:url,blog.talosintelligence.com/2021/07/sidecopy.html; classtype:command-and-control; sid:2033337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family MargulasRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005905; classtype:web-application-attack; sid:2005905; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket CnC Checkin"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/cert/trust"; bsize:11; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033339; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family Gasket, performance_impact Low, signature_severity Major, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newmessage="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005906; classtype:web-application-attack; sid:2005906; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket Requesting Commands from CnC"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/time/sync"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033340; rev:1; metadata:created_at 2021_07_15, former_category MALWARE, malware_family Gasket, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005907; classtype:web-application-attack; sid:2005907; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gasket Submitting Logs to CnC"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/Psi"; http.method; content:"POST"; http.uri; content:"/cert/dist"; bsize:10; fast_pattern; http.user_agent; content:"Go-http-client"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\:\d{1,5})?$/"; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033341; rev:1; metadata:created_at 2021_07_15, former_category MALWARE, malware_family Gasket, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005908; classtype:web-application-attack; sid:2005908; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Chisel SOCKS Proxy Startup Observed"; flow:established,from_server; http.stat_code; content:"101"; file.data; content:"SSH-chisel-v3-server"; offset:2; fast_pattern; classtype:policy-violation; sid:2033342; rev:1; metadata:created_at 2021_07_15, former_category POLICY, tag Proxy, tag Tunnel, updated_at 2021_07_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005909; classtype:web-application-attack; sid:2005909; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mespinoza Ransomware - Pre-Encryption File Exfil to CnC"; flow:established,to_server; http.uri; content:"/upload-"; startswith; fast_pattern; content:"?token="; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; content:"&id="; distance:0; content:"&fullPath="; distance:0; reference:url,unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/; classtype:command-and-control; sid:2033343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family Mespinoza, signature_severity Major, tag Ransomware, updated_at 2021_07_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005910; classtype:web-application-attack; sid:2005910; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; flowbits:set,ET.webc2ugx; http.user_agent; content:"Windows+NT+5"; startswith; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:targeted-activity; sid:2009486; rev:17; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005911; classtype:web-application-attack; sid:2005911; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Baidu Spider Webcrawler User Agent - inbound"; flow:established,to_server; content:"baiduspider"; nocase; http_user_agent; classtype:not-suspicious; sid:2033002; rev:1; metadata:attack_target Web_Server, created_at 2021_05_19, former_category SCAN, signature_severity Informational, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005912; classtype:web-application-attack; sid:2005912; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRAT Activity (POST) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/h_tt_p"; fast_pattern; bsize:7; http.header_names; content:!"User-Agent"; content:!"Referer"; content:!"Accept"; reference:md5,14a2b8af48b6db92f047525d893eaeb8; reference:url,blog.lumen.com/suspected-pakistani-actor-compromises-indian-power-company-with-new-reverserat/; classtype:trojan-activity; sid:2033172; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_06_24, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005913; classtype:web-application-attack; sid:2005913; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"all-brain-company.xyz"; bsize:21; fast_pattern; reference:md5,997e848955296560d80ae65a1ec073d5; classtype:domain-c2; sid:2033344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005914; classtype:web-application-attack; sid:2005914; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA Authentication Bypass (management) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/management"; http.referer; content:!"/__api__/v1/logon"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033345; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005915; classtype:web-application-attack; sid:2005915; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (sslvpnclient) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/sslvpnclient"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033346; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005916; classtype:web-application-attack; sid:2005916; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (portal) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/portal"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:cve,2021-20016; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:2033347; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2021_20016, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005917; classtype:web-application-attack; sid:2005917; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/supportInstaller"; endswith; http.request_body; content:"fromEmailInvite"; content:"customerTID"; tag:session,5,packets; reference:url,www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; reference:cve,2019-7481; classtype:web-application-attack; sid:2033348; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_07_16, cve CVE_2019_7481, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newwebsite="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005918; classtype:web-application-attack; sid:2005918; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=setting.htm"; content:"TF_submask=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033349; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005919; classtype:web-application-attack; sid:2005919; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dhcp.cgi?redirect=setting.htm"; content:"TF_hostname=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UNION SELECT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005920; classtype:web-application-attack; sid:2005920; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ppp.cgi?redirect=setting.htm"; content:"TF_servicename=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3e|"; distance:0; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033351; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail INSERT"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005921; classtype:web-application-attack; sid:2005921; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS Vulnerability CVE-2021-31250 M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/man.cgi?redirect=setting.htm"; content:"TF_port=|2f 22 3e 3c|img|20|src|3d 22 23 22 3e|"; fast_pattern; reference:cve,2021-31250; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31250, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail DELETE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005922; classtype:web-application-attack; sid:2005922; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Stored XSS and Webpass IoT devices CVE-2021-31643"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=EmpRcd.htm"; content:"&username=|22 3e 3c|script|3e|alert|28|"; fast_pattern; content:"|29 3c 2f|script|3c|"; distance:0; reference:cve,2021-31643; reference:url,packetstormsecurity.com/files/162887/CHIYU-IoT-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2033353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, cve CVE_2021_31643, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail ASCII"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005923; classtype:web-application-attack; sid:2005923; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Address Request via wttr .in"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?format="; startswith; http.host; content:"wttr.in"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2033354; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE"; flow:established,to_server; http.uri; content:"/code/guestadd.php?"; nocase; content:"newemail="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6880; reference:url,www.milw0rm.com/exploits/3017; reference:url,doc.emergingthreats.net/2005924; classtype:web-application-attack; sid:2005924; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows Powershell User-Agent Usage"; flow:established,to_server; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; classtype:not-suspicious; sid:2033355; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/chat/dac.php?"; nocase; content:"sendChatData="; nocase; reference:url,milw0rm.com/exploits/8268; reference:bugtraq,34213; reference:url,doc.emergingthreats.net/2009390; classtype:web-application-attack; sid:2009390; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DTLoader Binary Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"steven-gerrard-liverpool-future-dalglish--goal-"; http.host; content:!"www.liverpool.com"; reference:md5,10f8195621113f9c8de63ba139e91cff; classtype:command-and-control; sid:2033356; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category MALWARE, malware_family DTLoader, performance_impact Low, signature_severity Major, updated_at 2021_07_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt"; flow:established,to_server; http.uri; content:"/home.php?page=http\:"; nocase; reference:url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt; reference:url,doc.emergingthreats.net/2009892; classtype:web-application-attack; sid:2009892; rev:6; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/pop2.html?key="; fast_pattern; content:"&n="; distance:0; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033357; rev:1; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_words.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009073; classtype:web-application-attack; sid:2009073; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS CnC Domain in DNS Lookup (opposedarrangement .net)"; dns.query; content:".opposedarrangement.net"; nocase; endswith; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:domain-c2; sid:2033358; rev:2; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_groups_reapir.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009074; classtype:web-application-attack; sid:2009074; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/megalodon?m="; fast_pattern; content:"&v="; distance:0; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033359; rev:2; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/admin/admin_smilies.php?"; nocase; content:"ModName="; nocase; reference:bugtraq,33103; reference:url,doc.emergingthreats.net/2009075; classtype:web-application-attack; sid:2009075; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE NSO Pegasus iOS Megalodon Gatekeeper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stadium/wizard/01-00000000"; fast_pattern; endswith; reference:url,www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/; classtype:trojan-activity; sid:2033360; rev:1; metadata:attack_target Mobile_Client, created_at 2021_07_19, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id SELECT"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004930; classtype:web-application-attack; sid:2004930; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroStealer CnC Exfil M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|nitropacked.zip|22 0d 0a|"; fast_pattern; content:"screenshot"; nocase; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,367ef1b1579a6987d5648bb95f7c9a10; classtype:trojan-activity; sid:2033361; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004931; classtype:web-application-attack; sid:2004931; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CHIYU IoT Devices - Denial of Service"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/if.cgi?redirect=AccLog.htm"; startswith; content:"&type=go_log_page&page=2781000"; endswith; fast_pattern; http.referer; content:"/AccLog.htm"; endswith; reference:cve,2021-31642; reference:url,www.exploit-db.com/exploits/49937; classtype:denial-of-service; sid:2033362; rev:2; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id INSERT"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004932; classtype:web-application-attack; sid:2004932; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-07-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/s";  http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; bsize:178; fast_pattern; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034452; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id DELETE"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004933; classtype:web-application-attack; sid:2004933; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncUploadPrinterDriverPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3f 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033261; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id ASCII"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004934; classtype:web-application-attack; sid:2004934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] [1024:5000,49152:] (msg:"ET POLICY [MS-PAR] Windows Printer Spooler Activity - RpcAsyncInstallPrinterDriverFromPackage"; flow:established,to_server; content:"|00|"; offset:3; content:"|10 00 00 00|"; distance:1; within:4; content:"|3e 00 8e ca 40 99 2f 51 58 4c 88 a9 61 09 8d 68 96 bd|"; distance:14; within:18; classtype:misc-activity; sid:2033260; rev:3; metadata:created_at 2021_07_06, former_category POLICY, signature_severity Informational, updated_at 2021_07_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE"; flow:established,to_server; http.uri; content:"/item.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7005; reference:url,www.securityfocus.com/bid/17974; reference:url,doc.emergingthreats.net/2004935; classtype:web-application-attack; sid:2004935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/@/"; startswith; content:"/tele.txt"; fast_pattern; http.host; content:"microsoft-updates.servehttp.com"; bsize:31; reference:md5,f23dd9acbf28f324b290b970fbc40b30; classtype:trojan-activity; sid:2033363; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006730; classtype:web-application-attack; sid:2006730; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected DonotGroup Dropper Telegram API Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bot1624838777:AAGjNO7By4SqVdmXRlSPcde2DRinvDNYbzA/"; fast_pattern; startswith; http.host; content:"api.telegram.org"; bsize:16; reference:md5,f23dd9acbf28f324b290b970fbc40b30; classtype:trojan-activity; sid:2033364; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006731; classtype:web-application-attack; sid:2006731; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to freemyip .com Domain"; dns.query; content:".freemyip.com"; nocase; endswith; classtype:bad-unknown; sid:2033365; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_20, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006732; classtype:web-application-attack; sid:2006732; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.sherifu/.k4m3l0t"; bsize:18; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:md5,99639dffa18356f683dbbbf4a6d3d023; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; classtype:trojan-activity; sid:2033366; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006733; classtype:web-application-attack; sid:2006733; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup Domain (ifconfig .me)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ifconfig.me"; depth:11; endswith; fast_pattern; reference:md5,52ba2e1f51d16394bf109b42c1166b74; classtype:external-ip-check; sid:2026718; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_10, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, tag IP_address_lookup_website, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006734; classtype:web-application-attack; sid:2006734; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Loader Activity M1 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.mini/.report_system"; bsize:21; fast_pattern; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; reference:md5,92ea08fb8af71468bd74d19b1b9994cd; classtype:trojan-activity; sid:2033367; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"main="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6349; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl; reference:url,doc.emergingthreats.net/2006735; classtype:web-application-attack; sid:2006735; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Miner Loader Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.sherifu/"; startswith; fast_pattern; pcre:"/^\.(?:93joshua|purrple|black)$/"; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; reference:url,www.bitdefender.com/blog/labs/how-we-tracked-a-threat-group-running-an-active-cryptojacking-campaign; classtype:trojan-activity; sid:2033368; rev:1; metadata:attack_target Linux_Unix, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/message_class.php?"; nocase; content:"pfadhier="; nocase; reference:bugtraq,33718; reference:url,milw0rm.com/exploits/8030; reference:url,doc.emergingthreats.net/2009168; classtype:web-application-attack; sid:2009168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=schemics.club"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033369; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ParsBlogger blog.asp wr parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/blog.asp?"; nocase; content:"wr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7239; reference:bugtraq,32488; reference:url,doc.emergingthreats.net/2008930; classtype:web-application-attack; sid:2008930; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=omeoneha.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033370; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid SELECT"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004259; classtype:web-application-attack; sid:2004259; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fceptthis.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033371; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UNION SELECT"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004260; classtype:web-application-attack; sid:2004260; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=oftongueid.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033372; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid INSERT"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004261; classtype:web-application-attack; sid:2004261; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=honeiwillre.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033373; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid DELETE"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004262; classtype:web-application-attack; sid:2004262; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=eaconhop.online"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033374; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid ASCII"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004263; classtype:web-application-attack; sid:2004263; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=ssedonthep.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033375; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE"; flow:established,to_server; http.uri; content:"/post.php?"; nocase; content:"postid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1510; reference:url,www.milw0rm.com/exploits/3500; reference:url,doc.emergingthreats.net/2004264; classtype:web-application-attack; sid:2004264; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=fjobiwouldli.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033376; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month SELECT"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005216; classtype:web-application-attack; sid:2005216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Observed Malicious SSL Cert (Android/FakeAdBlocker CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=offeranda.biz"; nocase; fast_pattern; endswith; reference:url,www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/; classtype:domain-c2; sid:2033377; rev:1; metadata:affected_product Android, attack_target Client_and_Server, created_at 2021_07_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UNION SELECT"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005217; classtype:web-application-attack; sid:2005217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer Domain (cheapfacechange .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"cheapfacechange.top"; bsize:19; fast_pattern; classtype:domain-c2; sid:2033378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month INSERT"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005218; classtype:web-application-attack; sid:2005218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Trickbot Data Exfiltration"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\.[A-F0-9]{32}\//"; http.header; content:"Accept|3a 20|*/*"; depth:12; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b 20|Windows NT 6.1|3b|"; content:"Host|3a 20|"; pcre:"/^(?:(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.){3}(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])/R"; content:"Connection|3a 20|close"; nocase; http.header_names; content:!"Referer|0d 0a|"; http.request_body; pcre:"/Content-Disposition\x3a\x20form-data\x3b\s*name=\x22(?:source|formdata|billinfo|cardinfo)\x22/m"; content:"=|22|billinfo|22|"; fast_pattern; classtype:trojan-activity; sid:2026738; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_19, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month DELETE"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005219; classtype:web-application-attack; sid:2005219; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (nltest)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"nltest /domain_trusts"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month ASCII"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005220; classtype:web-application-attack; sid:2005220; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (ipconfig)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipconfig /all"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE"; flow:established,to_server; http.uri; content:"/archives.php?"; nocase; content:"month="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3179; reference:url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded; reference:url,doc.emergingthreats.net/2005221; classtype:web-application-attack; sid:2005221; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (net view)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net view /all"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment SELECT"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004618; classtype:web-application-attack; sid:2004618; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Windows Commands in POST Body (net config)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"net config workstation"; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; classtype:bad-unknown; sid:2033382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_07_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UNION SELECT"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004619; classtype:web-application-attack; sid:2004619; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanDownloader.Agent.BXA CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Xingapp|2f 35 2e 30 20 28|windowsxue|29|"; bsize:24; threshold:type limit, track by_src, seconds 600, count 1; reference:md5,d4a8b93cb872a2817a1e7467ea449363; classtype:pup-activity; sid:2033383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment INSERT"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004620; classtype:web-application-attack; sid:2004620; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nova_assets/Sys/_Getcode/keywords="; fast_pattern; startswith; http.cookie; content:"skin="; startswith; content:"sparrow_init="; distance:0; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; content:"cfruid="; distance:0; reference:url,twitter.com/mojoesec/status/1403072399860506638; reference:md5,4ba24c8dd87c35c1d7492eb31a14c2bd; classtype:trojan-activity; sid:2033384; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment DELETE"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004621; classtype:web-application-attack; sid:2004621; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (myexternalip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"myexternalip.com"; endswith; nocase; xbits:set,ET.ipcheck,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033385; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ASCII"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004622; classtype:web-application-attack; sid:2004622; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IP Check Domain (freegeoip .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"freegeoip.live"; endswith; nocase; xbits:set,ET.ipcheck,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033386; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE"; flow:established,to_server; http.uri; content:"/viewimage.php?"; nocase; content:"editcomment="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3065; reference:url,www.milw0rm.com/exploits/4019; reference:url,doc.emergingthreats.net/2004623; classtype:web-application-attack; sid:2004623; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY IPFS Domain (storage .snark .art in TLS SNI)"; flow:established,to_server; tls.sni; content:"storage.snark.art"; endswith; nocase; xbits:set,ET.dropsite,track ip_src; reference:md5,4c24760ed6e163caf0cff96177475ab6; classtype:policy-violation; sid:2033388; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid SELECT"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004924; classtype:web-application-attack; sid:2004924; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BOUNCEBEAM Backdoor CnC Activity"; flow:established,to_server; http.uri; content:"/api/getTask?uniqid="; startswith; http.host; content:"cloudflare.5156game.com"; fast_pattern; bsize:23; reference:url,twitter.com/ESETresearch/status/1415542465176735748; reference:md5,429914c2cf45355ca4baa95a1dcdffab; reference:md5,19b8681e4dd4f9698ec324606a642dd6; reference:md5,bded44bf177a52a9ffbd13d077f8747d; classtype:command-and-control; sid:2033389; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_07_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UNION SELECT"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004925; classtype:web-application-attack; sid:2004925; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BOUNCEBEAM Backdoor CnC Domain (cloudflare .5156game .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloudflare.5156game.com"; bsize:23; fast_pattern; reference:url,twitter.com/ESETresearch/status/1415542465176735748; reference:md5,429914c2cf45355ca4baa95a1dcdffab; reference:md5,bded44bf177a52a9ffbd13d077f8747d; reference:md5,19b8681e4dd4f9698ec324606a642dd6; classtype:command-and-control; sid:2033390; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004926; classtype:web-application-attack; sid:2004926; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M2 (Group String Len 2+)"; flow:established,to_server; dsize:<34; content:"|33 66 99|"; depth:3; byte_test:1,>=,2,3; byte_test:1,<=,30,3; byte_extract:1,4,length; isdataat:!length,relative; pcre:"/^[A-Za-z0-9_-]+$/Rsi"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030491; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid DELETE"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004927; classtype:web-application-attack; sid:2004927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; nocase; endswith; fast_pattern; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; http.host; content:!"7zip.org"; content:!".bloomberg.com"; content:!".bitdefender.com"; content:!".microsoft.com"; endswith; http.accept; content:"*/*"; depth:3; endswith; http.accept_enc; content:"gzip, deflate"; depth:13; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|"; depth:10; content:!"Referer"; content:!"Cookie"; classtype:trojan-activity; sid:2022550; rev:20; metadata:affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_02_19, deployment Perimeter, former_category CURRENT_EVENTS, malware_family MalDocGeneric, performance_impact Low, signature_severity Major, tag MalDoc, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid ASCII"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004928; classtype:web-application-attack; sid:2004928; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> any any (msg:"ET MALWARE Possible DarkRats Tor Traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; xbits:isset,ET.ipcheck,track ip_dst; xbits:isset,ET.dropsite,track ip_dst; classtype:trojan-activity; sid:2033387; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_22, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_07_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE"; flow:established,to_server; http.uri; content:"/philboard_forum.asp?"; nocase; content:"forumid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0920; reference:url,www.milw0rm.com/exploits/3295; reference:url,doc.emergingthreats.net/2004929; classtype:web-application-attack; sid:2004929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)"; flow:established,to_client; tls.cert_subject; content:"C=UA, ST=Kyev, L=Kyev, O=GG UKR, OU=UA System, CN=monblan.ua"; bsize:60; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1418253931080163328; reference:md5,4d171ef3656ef56354ba8f336eab2cca; classtype:domain-c2; sid:2033391; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pilot Online Training Solution news_read.php id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/news_read.php?id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/31969/; reference:url,www.milw0rm.com/exploits/6613; reference:url,doc.emergingthreats.net/2008616; classtype:web-application-attack; sid:2008616; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (krinsop .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"krinsop.com"; bsize:11; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; reference:md5,2232b445760712242a0e5ea456fcc700; classtype:domain-c2; sid:2033392; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pixel8 Web Photo Album AlbumID SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Photo.asp?"; nocase; content:"AlbumID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33373/; reference:url,milw0rm.com/exploits/7627; reference:url,doc.emergingthreats.net/2009056; classtype:web-application-attack; sid:2009056; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (charity-wallet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"charity-wallet.com"; bsize:18; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; reference:md5,a83083f276326a7a4e77416bb0cb1537; classtype:domain-c2; sid:2033393; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pligg check_url.php url parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/evb/check_url.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7544; reference:bugtraq,32970; reference:url,doc.emergingthreats.net/2009055; classtype:web-application-attack; sid:2009055; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (gmbfrom .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gmbfrom.com"; bsize:11; fast_pattern; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:domain-c2; sid:2033394; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger plog-download.php checked Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/plog-download.php?"; nocase; content:"checked[]="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,30547; reference:url,xforce.iss.net/xforce/xfdb/44233; reference:url,milw0rm.com/exploits/6204; reference:url,doc.emergingthreats.net/2009936; classtype:web-application-attack; sid:2009936; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"aa29d305dff6e6ac9cd244a62c6ad0c2"; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:bad-unknown; sid:2033395; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/classes/pctemplate.php?"; nocase; content:"pcConfig[smartyPath]="; nocase; pcre:"/pcConfig\[smartyPath\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt; reference:url,doc.emergingthreats.net/2010466; classtype:web-application-attack; sid:2010466; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET JA3 HASH - Possible Cobalt Strike Server"; flowbits:isset,ET.cobaltstrike.ja3; ja3s.hash; content:"ae4edc6faf64d08308082ad26be60767"; reference:url,thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/; classtype:bad-unknown; sid:2033396; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_07_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id SELECT"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004905; classtype:web-application-attack; sid:2004905; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KPOT Stealer Initial CnC Activity M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api.php?id="; fast_pattern; pcre:"/^[A-F0-9]+$/Rsi"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; reference:md5,1ea7d46d94299fa8bad4043c13100df0; classtype:command-and-control; sid:2033397; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004906; classtype:web-application-attack; sid:2004906; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (cloudflare-cdnjs .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloudflare-cdnjs.com"; bsize:20; fast_pattern; reference:url,twitter.com/MBThreatIntel/status/1416101496022724609; reference:url,twitter.com/AffableKraut/status/1408512205289660429; classtype:domain-c2; sid:2033398; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id INSERT"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004907; classtype:web-application-attack; sid:2004907; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Magecart Skimmer Domain (static-zdassets .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"static-zdassets.com"; bsize:19; fast_pattern; reference:url,twitter.com/MBThreatIntel/status/1416101496022724609; reference:url,twitter.com/AffableKraut/status/1408512205289660429; classtype:domain-c2; sid:2033399; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_23, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id DELETE"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004908; classtype:web-application-attack; sid:2004908; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any ![21,25,110,143,443,465,587,636,989:995,5061,5222,8443] -> any any (msg:"ET POLICY TLS possible TOR SSL traffic"; flow:established,from_server; tls.cert_issuer; content:"CN=www"; startswith; content:".com"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.com$/"; tls.cert_subject; content:"CN=www"; startswith; content:".net"; endswith; pcre:"/^CN=www\.[0-9a-z]{8,20}\.net$/"; classtype:misc-activity; sid:2018789; rev:4; metadata:created_at 2014_07_28, former_category POLICY, updated_at 2021_07_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id ASCII"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004909; classtype:web-application-attack; sid:2004909; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache Kylin REST API DiagnosisService Command Injection Inbound (CVE-2020-13925)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/kylin/api/diag/project/%7c%7c"; reference:url,github.com/bit4woo/CVE-2020-13925; reference:cve,2020-13925; classtype:attempted-admin; sid:2033404; rev:1; metadata:created_at 2021_07_24, cve CVE_2020_13925, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE"; flow:established,to_server; http.uri; content:"/pollmentorres.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0984; reference:url,www.milw0rm.com/exploits/3301; reference:url,doc.emergingthreats.net/2004910; classtype:web-application-attack; sid:2004910; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2019-0230)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"id=%25%7b%23"; reference:url,github.com/bit4woo/CVE-2020-13925; reference:cve,2019-0230; classtype:attempted-admin; sid:2033405; rev:1; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2021_07_24, cve CVE_2019_0230, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005621; classtype:web-application-attack; sid:2005621; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING .exec in HTTP URI Inbound - Possible Exploit Activity"; flow:established,to_server; http.uri; content:".exec|28|"; fast_pattern; classtype:bad-unknown; sid:2033406; rev:2; metadata:created_at 2021_07_24, former_category HUNTING, updated_at 2021_07_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UNION SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005622; classtype:web-application-attack; sid:2005622; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING .exec in HTTP Header Inbound - Possible Exploit Activity"; flow:established,to_server; http.header; content:".exec|28|"; fast_pattern; classtype:bad-unknown; sid:2033407; rev:2; metadata:created_at 2021_07_24, former_category HUNTING, updated_at 2021_07_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid INSERT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005623; classtype:web-application-attack; sid:2005623; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbAdminWSService/DbAdminWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:"|3a|addUser>"; content:"<userName>"; content:"<roleName>"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15976; classtype:attempted-admin; sid:2033409; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15976, updated_at 2021_07_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid DELETE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005624; classtype:web-application-attack; sid:2005624; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Information Disclosure Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action=displayServerInfos"; http.header; content:"|20|YWRtaW46bmJ2XzEyMzQ1|0d|"; fast_pattern; reference:url,www.exploit-db.com/exploits/48019; classtype:attempted-admin; sid:2033410; rev:1; metadata:created_at 2021_07_24, updated_at 2021_07_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid ASCII"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005625; classtype:web-application-attack; sid:2005625; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager SQL Injection Inbound (CVE-2019-15984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbInventoryWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:"sortType>|3b|"; content:"|3b|--"; distance:0; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15984; classtype:attempted-admin; sid:2033411; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15984, updated_at 2021_07_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"blogid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005626; classtype:web-application-attack; sid:2005626; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Directory Traversal Inbound (CVE-2019-15980)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ReportWSService/ReportWS"; fast_pattern; http.request_body; content:"<soapenv"; startswith; content:">..|2f|..|2f|"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15980; classtype:attempted-admin; sid:2033412; rev:1; metadata:created_at 2021_07_24, cve CVE_2019_15980, updated_at 2021_07_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005627; classtype:web-application-attack; sid:2005627; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dmechant Exfil Cryptowallets via SMTP"; flow:established,to_server; content:"|0d 0a|Subject|3a 20|Cryptowallets|3a 3a 3a 3a|"; reference:md5,e2da54028e5172ac42c89bc2271a2bb8; reference:url,www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials; classtype:command-and-control; sid:2033413; rev:1; metadata:created_at 2021_07_25, former_category TROJAN, updated_at 2021_07_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UNION SELECT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005628; classtype:web-application-attack; sid:2005628; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dmechant Exfil Passwords via SMTP"; flow:established,to_server; content:"|0d 0a|Subject|3a 20|Passwords|3a 3a 3a 3a|"; fast_pattern; content:"Username|3a 20|"; distance:0; content:"CompName|3a 20|"; distance:0; content:"Password|20 3a 20|"; distance:0; content:"Application|20 3a 20|"; distance:0; content:"========"; reference:md5,e2da54028e5172ac42c89bc2271a2bb8; reference:url,www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials; classtype:command-and-control; sid:2033414; rev:1; metadata:created_at 2021_07_25, former_category TROJAN, updated_at 2021_07_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid INSERT"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005629; classtype:web-application-attack; sid:2005629; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RustyBuer CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"shipmentofficedepot.com"; endswith; classtype:domain-c2; sid:2033415; rev:1; metadata:created_at 2021_07_25, former_category MALWARE, updated_at 2021_07_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid DELETE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005630; classtype:web-application-attack; sid:2005630; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Webshell Landing Outbound - Possibly Iran-based"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>filesystembrowser<|2f|title>"; content:"action=|22|?operation=upload|22|"; distance:0; fast_pattern; content:"<br>Auth|20|Key|3a|"; distance:0; within:100; classtype:command-and-control; sid:2033416; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid ASCII"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005631; classtype:web-application-attack; sid:2005631; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Upload Command Inbound - Possibly Iran-based"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?operation=upload"; fast_pattern; http.request_body; content:"name=|22|authKey|22|"; content:"name=|22|file|22|"; distance:0; classtype:command-and-control; sid:2033417; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE"; flow:established,to_server; http.uri; content:"/simplog/archive.php?"; nocase; content:"pid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005632; classtype:web-application-attack; sid:2005632; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Access with Known Password Inbound - Possibly Iran-based"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name=|22|authKey|22 0d 0a 0d 0a|woanware|0d 0a|"; fast_pattern; classtype:command-and-control; sid:2033418; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid SELECT"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005633; classtype:web-application-attack; sid:2005633; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Webshell Execute Command Inbound - Possibly Iran-based M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"__VIEWSTATE="; startswith; content:"&txtAuthKey=20TyG6eQqEopbFMB&txtCommand="; fast_pattern; classtype:command-and-control; sid:2033419; rev:1; metadata:attack_target Server, created_at 2021_07_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag WebShell, updated_at 2021_07_25, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UNION SELECT"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005634; classtype:web-application-attack; sid:2005634; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Anchor_DNS stickseed Variant CnC Checkin"; dns.query; content:"efkezwpdxpsq3l"; startswith; fast_pattern; pcre:"/\.[dghbcijklmnfqrwxyz23stuopaev4569]{26}\.[a-z0-9_-]{1,50}\.[a-z]{2,8}$/"; classtype:command-and-control; sid:2033420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_07_26, former_category MALWARE, signature_severity Major, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid INSERT"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005635; classtype:web-application-attack; sid:2005635; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malsmoke Staging Domain in SNI"; flow:to_server,established; tls.sni; content:"premiumpornotubes.com"; endswith; classtype:social-engineering; sid:2033421; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid DELETE"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005636; classtype:web-application-attack; sid:2005636; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"yuidskadjna.com"; endswith; classtype:trojan-activity; sid:2033422; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid ASCII"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005637; classtype:web-application-attack; sid:2005637; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader CnC Domain in SNI"; flow:to_server,established; tls.sni; content:"odjdnhsaj.com"; endswith; classtype:trojan-activity; sid:2033423; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE"; flow:established,to_server; http.uri; content:"/simplog/index.php?"; nocase; content:"blogid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6935; reference:url,www.securityfocus.com/bid/20974/exploit; reference:url,doc.emergingthreats.net/2005638; classtype:web-application-attack; sid:2005638; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC M1 (CVE-2019-16662)"; flow:established,to_server; http.uri.raw; content:"/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3b"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/154999/rConfig-3.9.2-Remote-Code-Execution.html; reference:cve,2019-16662; classtype:attempted-admin; sid:2028933; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_11_04, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/user/User_ChkLogin.asp?"; nocase; content:"ComeUrl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39696; reference:url,secunia.com/advisories/39627; reference:url,doc.emergingthreats.net/2011117; classtype:web-application-attack; sid:2011117; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Solr DataImport Handler RCE (CVE-2019-0193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/solr/"; content:"dataimport"; distance:0; http.request_body; content:"command=full-import"; fast_pattern; pcre:"/\bexec\b/Ri"; reference:cve,2019-0193; reference:url,github.com/jas502n/CVE-2019-0193; classtype:attempted-admin; sid:2033114; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerNews news.php newsid parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33363/; reference:url,milw0rm.com/exploits/7641; reference:url,doc.emergingthreats.net/2009057; classtype:web-application-attack; sid:2009057; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Admin Cores"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/admin/cores?_="; startswith; fast_pattern; content:"&indexInfo="; classtype:attempted-recon; sid:2033425; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/footer.inc.php?"; nocase; content:"settings[footer]="; nocase; reference:cve,CVE-2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009659; classtype:web-application-attack; sid:2009659; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/"; startswith; content:"/dataimport?_="; content:"&command=show-config"; fast_pattern; classtype:attempted-recon; sid:2033426; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/header.inc.php?"; nocase; content:"settings[header]="; nocase; reference:cve,CVE-2008-1534; reference:url,juniper.net/security/auto/vulnerabilities/vuln28421.html; reference:bugtraq,28421; reference:url,milw0rm.com/exploits/5303; reference:url,doc.emergingthreats.net/2009660; classtype:web-application-attack; sid:2009660; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/"; startswith; content:"/dataimport?_="; content:"&command=status"; fast_pattern; classtype:attempted-recon; sid:2033427; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Auctions id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gotourl.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/6839; reference:url,secunia.com/advisories/32373; reference:url,doc.emergingthreats.net/2008786; classtype:web-application-attack; sid:2008786; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.crud.php?searchTerm="; http.uri.raw; content:"&catCommand=%22%22"; fast_pattern; reference:cve,2019-16663; classtype:attempted-admin; sid:2033428; rev:1; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_16663, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/Script/store_info.php?"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.securityfocus.com/bid/37541/info; reference:url,doc.emergingthreats.net/2010604; classtype:web-application-attack; sid:2010604; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Echmark/MarkiRAT CnC Activity M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?u="; http.user_agent; content:"WinHTTP"; bsize:7; http.request_body; content:"p=<br><mark>Hello|3a 20|"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,1fe34d84a058156296e86888ddd5cac9; reference:url,securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/; classtype:command-and-control; sid:2033429; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Pre Podcast Portal tour.php id SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Tour.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32563/; reference:url,milw0rm.com/exploits/6997; reference:url,doc.emergingthreats.net/2008823; classtype:web-application-attack; sid:2008823; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING NOP Sled in HTTP Header Inbound - Possible Exploit Activity"; flow:established,to_server; http.header; content:"|90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern; classtype:bad-unknown; sid:2033430; rev:1; metadata:created_at 2021_07_26, former_category HUNTING, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa DELETE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006354; classtype:web-application-attack; sid:2006354; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (clank .hazari .ru)"; dns.query; content:"clank.hazari.ru"; nocase; bsize:15; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; reference:md5,ff95a2f9d3f40802afaa528f563feeee; classtype:domain-c2; sid:2033432; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa ASCII"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006355; classtype:web-application-attack; sid:2006355; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (lump .semara .ru)"; dns.query; content:"lump.semara.ru"; nocase; bsize:14; reference:md5,919b119827ca1a947602096fb6328ba3; reference:md5,8959c893438f4a2d34f6eafcbc6f5e4d; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033433; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006356; classtype:web-application-attack; sid:2006356; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (lovers .semara .ru)"; dns.query; content:"lovers.semara.ru"; nocase; bsize:16; reference:md5,b2193f0fb8b5ee8b2fe161cde30f4d65; reference:md5,557a2e80b2a070bb2f873b6489b026ee; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033434; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/include/prodler.class.php?"; nocase; content:"sPath="; nocase; pcre:"/sPath\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/58298; reference:url,doc.emergingthreats.net/2010276; classtype:web-application-attack; sid:2010276; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (aconitum .xyz)"; dns.query; content:"aconitum.xyz"; nocase; bsize:12; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033435; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rating/rate.php?"; nocase; content:"id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009672; classtype:web-application-attack; sid:2009672; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (blattodea .ru)"; dns.query; content:"blattodea.ru"; nocase; bsize:12; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033436; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rating/postcomments.php?"; nocase; content:"id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt; reference:url,doc.emergingthreats.net/2009673; classtype:web-application-attack; sid:2009673; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (hierodula .online)"; dns.query; content:"hierodula.online"; nocase; bsize:16; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033437; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PozScripts Business Directory Script cid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcategory.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,frsirt.com/english/advisories/2008/3118; reference:url,milw0rm.com/exploits/7098; reference:url,doc.emergingthreats.net/2008865; classtype:web-application-attack; sid:2008865; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (tomond .ru)"; dns.query; content:"tomond.ru"; nocase; bsize:9; reference:url,twitter.com/IntezerLabs/status/1419625563942227970; classtype:domain-c2; sid:2033438; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/server_request.php?"; nocase; content:"CONFIG[gameroot]="; nocase; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009503; classtype:web-application-attack; sid:2009503; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ClipBanker Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/report7.4.php"; bsize:14; fast_pattern; http.request_body; content:"p="; startswith; http.header_names; content:!"Referer"; reference:md5,64db07d60025e04128de8b508673b6fe; reference:url,www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf; classtype:trojan-activity; sid:2033439; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/qlib/smarty.inc.php?"; nocase; content:"CONFIG[gameroot]="; nocase; reference:bugtraq,27945; reference:url,secunia.com/advisories/29077; reference:url,milw0rm.com/exploits/5174; reference:url,doc.emergingthreats.net/2009505; classtype:web-application-attack; sid:2009505; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Cisco Data Center Network Manager Version Check Inbound (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/fmrest/about/version"; endswith; fast_pattern; flowbits:set,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033441; rev:1; metadata:created_at 2021_07_27, former_category POLICY, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/qte_web.php?"; nocase; content:"qte_web_path="; nocase; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009746; classtype:web-application-attack; sid:2009746; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 11.1"; flow:established,from_server; file.data; content:"version|22 3a 22|11.1|28|1|29|"; flowbits:isset,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033442; rev:1; metadata:created_at 2021_07_27, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/bin/qte_init.php?"; nocase; content:"qte_root="; nocase; reference:url,secunia.com/advisories/34997/; reference:url,milw0rm.com/exploits/8602; reference:url,doc.emergingthreats.net/2009724; classtype:web-application-attack; sid:2009724; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Cisco Data Center Network Manager - Vulnerable Version Detected 10.4"; flow:established,from_server; file.data; content:"version|22 3a 22|10.4|28|2|29|"; flowbits:isset,ET.ciscodcnm.1; reference:url,www.exploit-db.com/exploits/47347; classtype:attempted-recon; sid:2033443; rev:1; metadata:created_at 2021_07_27, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010185; classtype:web-application-attack; sid:2010185; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Log Retrieval (CVE-2019-1622)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fm/log/fmlogs.zip"; endswith; fast_pattern; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1622; classtype:attempted-recon; sid:2033444; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_1622, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010186; classtype:web-application-attack; sid:2010186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Authenticated File Upload (CVE-2019-1620)"; flow:established,to_server; content:"Cookie|3a|"; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033445; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_1620, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010187; classtype:web-application-attack; sid:2010187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Cisco Data Center Network Manager - Unauthenticated File Upload (CVE-2019-1620)"; flow:established,to_server; content:!"Cookie|3a|"; http.uri; content:"/fm/fileUpload"; endswith; fast_pattern; http.request_body; content:"application|2f|octet-stream"; content:"name=|22|fname|22|"; content:"name=|22|uploadDir|22|"; reference:url,www.exploit-db.com/exploits/47347; reference:cve,2019-1620; classtype:attempted-admin; sid:2033446; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_1620, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010188; classtype:web-application-attack; sid:2010188; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lunar Builder Exfil via Discord M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:".lunar"; content:"|3b 20|filename="; within:12; content:"|0d 0a 0d 0a|[Username]"; distance:0; content:"[Username][TimeHacked]"; distance:0; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:command-and-control; sid:2033440; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/qte_result.php?"; nocase; content:"title="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt; reference:url,doc.emergingthreats.net/2010189; classtype:web-application-attack; sid:2010189; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Screenshot Uploaded to Discord"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks"; http.host; content:"discord.com"; http.request_body; content:"filename="; content:"screenshot."; within:12; fast_pattern; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:bad-unknown; sid:2033447; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RS-CMS rscms_mod_newsview.php key Parameter Processing Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rscms_mod_newsview.php?"; nocase; content:"key="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/9000; reference:url,vupen.com/english/advisories/2009/1658; reference:url,doc.emergingthreats.net/2010021; classtype:web-application-attack; sid:2010021; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 8888 (msg:"ET EXPLOIT Possible CloudMe Sync Stack-based Buffer Overflow Inbound (CVE-2018-6892)"; flow:established,to_server; content:"|90 90 90 90 90 90 90 90|"; offset:500; depth:800; content:"|90 90 90 90 90 90|"; distance:0; within:64; reference:url,www.exploit-db.com/exploits/44175; reference:cve,2018-6892; classtype:attempted-admin; sid:2033448; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2018_6892, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/top_graph_header.php?"; nocase; content:"config[library_path]="; nocase; pcre:"/config\[library_path\]=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,14030; reference:url,doc.emergingthreats.net/2010097; classtype:web-application-attack; sid:2010097; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Lunar Builder Exfil Response"; flow:established,to_client; http.content_type; content:"application/json"; bsize:16; file.data; content:"|22|title|22 3a 20 22|Lunar|20|Builder|22|"; fast_pattern; content:"|22|name|22 3a 20 22|Stolen|20|From|22 2c|"; distance:0; reference:md5,19917b254644d1039dd31d0a488ddeeb; classtype:command-and-control; sid:2033449; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lunar_Builder, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rakhi Software Price Comparison Script product.php subcategory_id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/product.php?"; nocase; content:"subcategory_id="; nocase; content:"UNION"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32504; reference:url,milw0rm.com/exploits/7250; reference:url,doc.emergingthreats.net/2008924; classtype:web-application-attack; sid:2008924; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (page .googledocpage .com)"; dns.query; content:"page.googledocpage.com"; nocase; bsize:22; reference:md5,bcb4a8f190f2124be57496649078e0ae; reference:url,twitter.com/ShadowChasing1/status/1417324113840857092; classtype:domain-c2; sid:2033450; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id SELECT"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005681; classtype:web-application-attack; sid:2005681; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp any any -> [$HOME_NET,$SMTP_SERVERS] [25,143,993,995] (msg:"ET EXPLOIT Possible Dovecot Memory Corruption Inbound (CVE-2019-11500)"; flow:to_server,established; content:"|22|"; content:"|00|"; distance:0; content:"|5c|"; distance:200; reference:url,nickroessler.com/dovecot-cve-2019-11500/; reference:cve,2019-11500; classtype:attempted-admin; sid:2033451; rev:1; metadata:attack_target Server, created_at 2021_07_27, cve CVE_2019_11500, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005682; classtype:web-application-attack; sid:2005682; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Kibana Prototype Pollution RCE Inbound (CVE-2019-7609)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/timelion/run"; fast_pattern; http.request_body; content:"|7b 22|sheet|22|"; startswith; content:".__proto__."; content:"child_process"; distance:0; content:".exec|28|"; distance:0; reference:url,github.com/mpgn/CVE-2019-7609; reference:cve,2019-7609; classtype:attempted-admin; sid:2033452; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_7609, former_category WEB_SPECIFIC_APPS, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id INSERT"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005683; classtype:web-application-attack; sid:2005683; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Kibana Path Traversal Inbound (CVE-2018-17246)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/console/api_server?apis=|2e 2e 2f 2e 2e 2f|"; fast_pattern; reference:url,github.com/mpgn/CVE-2018-17246; reference:cve,2018-17246; classtype:attempted-admin; sid:2033453; rev:1; metadata:created_at 2021_07_27, cve CVE_2018_17246, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id DELETE"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005684; classtype:web-application-attack; sid:2005684; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity Sending Windows User Info (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uralchem/"; startswith; fast_pattern; pcre:"/^[a-zA-z]{8}\./R"; http.header_names; content:!"Referer"; reference:md5,7a7bc6e080657fc77acbcf91d1892d31; reference:url,twitter.com/ShadowChasing1/status/1417650046485495808; classtype:trojan-activity; sid:2033454; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id ASCII"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005685; classtype:web-application-attack; sid:2005685; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 44Calibar Variant Exfil via Telegram"; flow:established,to_server; http.request_line; content:"POST /bot"; startswith; content:"/sendDocument"; distance:0; http.host; bsize:16; content:"api.telegram.org"; http.request_body; content:"name|3d|caption|0d 0a 0d 0a|"; content:"44CALIBER"; nocase; within:15; fast_pattern; content:"Grabbed Software|3a|"; distance:0; reference:md5,fc489c5343f6db7d1be798a3ee331bdf; classtype:command-and-control; sid:2033455; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE"; flow:established,to_server; http.uri; content:"/viewad.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6930; reference:url,www.securityfocus.com/bid/21197; reference:url,doc.emergingthreats.net/2005686; classtype:web-application-attack; sid:2005686; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LibreOffice pydoc RCE Inbound (CVE-2018-16858)"; flow:from_server,established; file.data; content:"<office|3a|document"; depth:100; content:"<office|3a|"; distance:0; content:"<script|3a|"; content:"|2f|pydoc.py|24|tempfilepager"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/46727; reference:cve,2018-16858; classtype:attempted-admin; sid:2033456; rev:1; metadata:created_at 2021_07_27, cve CVE_2018_16858, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005021; classtype:web-application-attack; sid:2005021; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity Sending Windows User Info (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eabr/"; startswith; fast_pattern; pcre:"/^[a-zA-z]{8}\./R"; http.header_names; content:!"Referer"; reference:md5,c7f14020934ebcc55546fbd73a6e49d0; reference:url,twitter.com/ShadowChasing1/status/1417650046485495808; classtype:trojan-activity; sid:2033457; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005022; classtype:web-application-attack; sid:2005022; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CobaltStrike CnC Domain (stg .pesrado .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"stg.pesrado.com"; bsize:15; fast_pattern; reference:url,twitter.com/mojoesec/status/1418625292105654275; reference:md5,69519748fdb0bedaab25c702bfd0ed9a; classtype:domain-c2; sid:2033458; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_27, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user INSERT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005023; classtype:web-application-attack; sid:2005023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, former_category EXPLOIT, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user DELETE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005024; classtype:web-application-attack; sid:2005024; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Attempt Inbound (CVE-2021-34429)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WEB-INF/web.xml"; fast_pattern; http.uri.raw; content:"/%u002e/"; startswith; flowbits:set,ET.2021.34429.attempt; reference:cve,2021-34429; classtype:attempted-admin; sid:2033460; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_34429, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user ASCII"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005025; classtype:web-application-attack; sid:2005025; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Successful Exploitation (CVE-2021-34429)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<web-app>"; fast_pattern; flowbits:isset,ET.2021.34429.attempt; reference:cve,2021-34429; classtype:attempted-admin; sid:2033461; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_34429, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005026; classtype:web-application-attack; sid:2005026; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/"; content:"downloads.php?cat_id=|24 7b|system"; fast_pattern; reference:url,github.com/r90tpass/CVE-2020-24949/blob/main/exp.py; reference:cve,2020-24949; classtype:attempted-admin; sid:2033462; rev:1; metadata:created_at 2021_07_27, cve CVE_2020_24949, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005027; classtype:web-application-attack; sid:2005027; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Observed DNS Query to Known Scam/Phishing Domain"; dns.query; content:"creator-partners.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2033463; rev:1; metadata:created_at 2021_07_27, former_category PHISHING, updated_at 2021_07_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UNION SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005028; classtype:web-application-attack; sid:2005028; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033464; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password INSERT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005029; classtype:web-application-attack; sid:2005029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033465; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password DELETE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005030; classtype:web-application-attack; sid:2005030; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033466; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password ASCII"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005031; classtype:web-application-attack; sid:2005031; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033467; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"password="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0784; reference:url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded; reference:url,doc.emergingthreats.net/2005032; classtype:web-application-attack; sid:2005032; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033468; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005093; classtype:web-application-attack; sid:2005093; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Clojure1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033469; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005094; classtype:web-application-attack; sid:2005094; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033470; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id INSERT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005095; classtype:web-application-attack; sid:2005095; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033471; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id DELETE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005096; classtype:web-application-attack; sid:2005096; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033472; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ASCII"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005097; classtype:web-application-attack; sid:2005097; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033473; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005098; classtype:web-application-attack; sid:2005098; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033474; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005099; classtype:web-application-attack; sid:2005099; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033475; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005100; classtype:web-application-attack; sid:2005100; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033476; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass INSERT"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005101; classtype:web-application-attack; sid:2005101; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033477; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass DELETE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005102; classtype:web-application-attack; sid:2005102; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections6) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033478; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ASCII"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005103; classtype:web-application-attack; sid:2005103; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033479; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/user_confirm.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0642; reference:url,www.securityfocus.com/bid/22350; reference:url,doc.emergingthreats.net/2005104; classtype:web-application-attack; sid:2005104; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033480; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Real Estate Manager realestate-index.php cat_id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"realestate-index.php?"; nocase; content:"&cat_id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32049/; reference:url,www.milw0rm.com/exploits/6599; reference:url,doc.emergingthreats.net/2008615; classtype:web-application-attack; sid:2008615; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (CommonsCollections7) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033481; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RealtyListings type.asp iType Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/type.asp?"; nocase; content:"iType="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009049; classtype:web-application-attack; sid:2009049; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033482; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009050; classtype:web-application-attack; sid:2009050; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033483; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid SELECT"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006939; classtype:web-application-attack; sid:2006939; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033484; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UNION SELECT"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006940; classtype:web-application-attack; sid:2006940; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033485; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid INSERT"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006941; classtype:web-application-attack; sid:2006941; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033486; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid DELETE"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006942; classtype:web-application-attack; sid:2006942; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033487; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ASCII"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006943; classtype:web-application-attack; sid:2006943; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033488; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE"; flow:established,to_server; http.uri; content:"/recipe.php?"; nocase; content:"recipeid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006944; classtype:web-application-attack; sid:2006944; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033489; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid SELECT"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006945; classtype:web-application-attack; sid:2006945; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JavassistWeld1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033490; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UNION SELECT"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006946; classtype:web-application-attack; sid:2006946; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033491; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid INSERT"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006947; classtype:web-application-attack; sid:2006947; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033492; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid DELETE"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006948; classtype:web-application-attack; sid:2006948; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JBossInterceptors1) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033493; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid ASCII"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006949; classtype:web-application-attack; sid:2006949; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033494; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE"; flow:established,to_server; http.uri; content:"/list.php?"; nocase; content:"categoryid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6220; reference:url,www.milw0rm.com/exploits/2834; reference:url,doc.emergingthreats.net/2006950; classtype:web-application-attack; sid:2006950; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033495; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/addons/version/pages/index.inc.php?"; nocase; content:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//i"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011254; classtype:web-application-attack; sid:2011254; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Jdk7u21) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033496; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/pages/specials.inc.php?"; nocase; content:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX\[INCLUDE_PATH\]=\s*(ftps?|https?|php)\:\//i"; reference:url,vupen.com/english/advisories/2010/0942; reference:url,exploit-db.com/exploits/12276; reference:url,doc.emergingthreats.net/2011255; classtype:web-application-attack; sid:2011255; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033497; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rematic CMS referenzdetail.php id parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/referenzdetail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; reference:url,doc.emergingthreats.net/2009011; classtype:web-application-attack; sid:2009011; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033498; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rematic CMS produkte.php id parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/produkte.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33208/; reference:url,milw0rm.com/exploits/7502; reference:url,doc.emergingthreats.net/2009012; classtype:web-application-attack; sid:2009012; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (JRMPClient) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033499; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php SELECT"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004600; classtype:web-application-attack; sid:2004600; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033500; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UNION SELECT"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004601; classtype:web-application-attack; sid:2004601; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033501; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php INSERT"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004602; classtype:web-application-attack; sid:2004602; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (MozillaRhino2) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033502; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php DELETE"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004603; classtype:web-application-attack; sid:2004603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M1"; flow:established,to_server; http.uri; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033503; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php ASCII"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004604; classtype:web-application-attack; sid:2004604; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M2"; flow:established,to_server; http.uri; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033504; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE"; flow:established,to_server; http.uri; content:"/inc/class_users.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3051; reference:url,www.milw0rm.com/exploits/4020; reference:url,doc.emergingthreats.net/2004605; classtype:web-application-attack; sid:2004605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP URI (Spring1/Spring2) M3"; flow:established,to_server; http.uri; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033505; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID SELECT"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005687; classtype:web-application-attack; sid:2005687; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033506; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005688; classtype:web-application-attack; sid:2005688; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033507; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID INSERT"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005689; classtype:web-application-attack; sid:2005689; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033508; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID DELETE"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005690; classtype:web-application-attack; sid:2005690; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033509; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID ASCII"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005691; classtype:web-application-attack; sid:2005691; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033510; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/listfull.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005692; classtype:web-application-attack; sid:2005692; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Clojure1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033511; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID SELECT"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005693; classtype:web-application-attack; sid:2005693; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033512; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005694; classtype:web-application-attack; sid:2005694; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033513; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID INSERT"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005695; classtype:web-application-attack; sid:2005695; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033514; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID DELETE"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005696; classtype:web-application-attack; sid:2005696; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033515; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID ASCII"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005697; classtype:web-application-attack; sid:2005697; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033516; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/printmain.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005698; classtype:web-application-attack; sid:2005698; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033517; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005699; classtype:web-application-attack; sid:2005699; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033518; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005700; classtype:web-application-attack; sid:2005700; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033519; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005701; classtype:web-application-attack; sid:2005701; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections6) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033520; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005702; classtype:web-application-attack; sid:2005702; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033521; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005703; classtype:web-application-attack; sid:2005703; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033522; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005704; classtype:web-application-attack; sid:2005704; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (CommonsCollections7) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033523; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005705; classtype:web-application-attack; sid:2005705; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033524; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005706; classtype:web-application-attack; sid:2005706; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033525; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005707; classtype:web-application-attack; sid:2005707; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033526; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005708; classtype:web-application-attack; sid:2005708; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033527; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005709; classtype:web-application-attack; sid:2005709; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033528; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005710; classtype:web-application-attack; sid:2005710; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033529; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005711; classtype:web-application-attack; sid:2005711; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033530; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005712; classtype:web-application-attack; sid:2005712; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033531; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat INSERT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005713; classtype:web-application-attack; sid:2005713; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JavassistWeld1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033532; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat DELETE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005714; classtype:web-application-attack; sid:2005714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033533; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat ASCII"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005715; classtype:web-application-attack; sid:2005715; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033534; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005716; classtype:web-application-attack; sid:2005716; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JBossInterceptors1) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033535; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005717; classtype:web-application-attack; sid:2005717; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033536; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UNION SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005718; classtype:web-application-attack; sid:2005718; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033537; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword INSERT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005719; classtype:web-application-attack; sid:2005719; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Jdk7u21) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033538; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword DELETE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005720; classtype:web-application-attack; sid:2005720; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033539; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword ASCII"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005721; classtype:web-application-attack; sid:2005721; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033540; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"Keyword="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005722; classtype:web-application-attack; sid:2005722; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (JRMPClient) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033541; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005723; classtype:web-application-attack; sid:2005723; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033542; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UNION SELECT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005724; classtype:web-application-attack; sid:2005724; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033543; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area INSERT"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005725; classtype:web-application-attack; sid:2005725; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (MozillaRhino2) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033544; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area DELETE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005726; classtype:web-application-attack; sid:2005726; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M1"; flow:established,to_server; http.header; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033545; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area ASCII"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005727; classtype:web-application-attack; sid:2005727; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M2"; flow:established,to_server; http.header; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033546; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE"; flow:established,to_server; http.uri; content:"/searchmain.asp?"; nocase; content:"area="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005728; classtype:web-application-attack; sid:2005728; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ysoserial Payload in HTTP Header (Spring1/Spring2) M3"; flow:established,to_server; http.header; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033547; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005729; classtype:web-application-attack; sid:2005729; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBQAHIAaQBvAHIAaQB0AHkAUQB1AGUAdQBlAPYADCUwACQ"; fast_pattern; classtype:attempted-admin; sid:2033548; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005730; classtype:web-application-attack; sid:2005730; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4AUAByAGkAbwByAGkAdAB5AFEAdQBlAHUAZQD2AAwlMAAkJ"; fast_pattern; classtype:attempted-admin; sid:2033549; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005731; classtype:web-application-attack; sid:2005731; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (BeanShell1/Click1/CommonsCollections1/CommonsCollections4) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAFAAcgBpAG8AcgBpAHQAeQBRAHUAZQB1AGUA9gAMJTAAJC"; fast_pattern; classtype:attempted-admin; sid:2033550; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005732; classtype:web-application-attack; sid:2005732; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAA"; fast_pattern; classtype:attempted-admin; sid:2033551; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005733; classtype:web-application-attack; sid:2005733; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033552; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"area="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005734; classtype:web-application-attack; sid:2005734; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Clojure1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAA"; fast_pattern; classtype:attempted-admin; sid:2033553; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005735; classtype:web-application-attack; sid:2005735; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADIAcwB1AG4ALgByAGUAZgBsAGUAYwB0AC4AYQBuAG4AbwB0AGEAdABpAG8AbgAuAEEAbgBuAG8"; fast_pattern; classtype:attempted-admin; sid:2033554; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UNION SELECT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005736; classtype:web-application-attack; sid:2005736; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAyAHMAdQBuAC4AcgBlAGYAbABlAGMAdAAuAGEAbgBuAG8AdABhAHQAaQBvAG4ALgBBAG4AbgBvA"; fast_pattern; classtype:attempted-admin; sid:2033555; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin INSERT"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005738; classtype:web-application-attack; sid:2005738; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections1/CommonsCollections3) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAMgBzAHUAbgAuAHIAZQBmAGwAZQBjAHQALgBhAG4AbgBvAHQAYQB0AGkAbwBuAC4AQQBuAG4Abw"; fast_pattern; classtype:attempted-admin; sid:2033556; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin DELETE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005739; classtype:web-application-attack; sid:2005739; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAAC4AagBhAHYAYQB4AC4AbQBhAG4AYQBnAGUAbQBlAG4AdAAuAEIAYQBkAEEAdAB0AHIAaQBiAHUA"; fast_pattern; classtype:attempted-admin; sid:2033557; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin ASCII"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005740; classtype:web-application-attack; sid:2005740; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAuAGoAYQB2AGEAeAAuAG0AYQBuAGEAZwBlAG0AZQBuAHQALgBCAGEAZABBAHQAdAByAGkAYgB1AH"; fast_pattern; classtype:attempted-admin; sid:2033558; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE"; flow:established,to_server; http.uri; content:"/searchkey.asp?"; nocase; content:"searchin="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005741; classtype:web-application-attack; sid:2005741; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections5/MozillaRhino1/Vaadin) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAALgBqAGEAdgBhAHgALgBtAGEAbgBhAGcAZQBtAGUAbgB0AC4AQgBhAGQAQQB0AHQAcgBpAGIAdQB"; fast_pattern; classtype:attempted-admin; sid:2033559; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005742; classtype:web-application-attack; sid:2005742; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAFMAZQB0AFElRADgAPIA+wBVJVYlNAADAAA"; fast_pattern; classtype:attempted-admin; sid:2033560; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005743; classtype:web-application-attack; sid:2005743; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABTAGUAdABRJUQA4ADyAPsAVSVWJTQAAwAAA"; fast_pattern; classtype:attempted-admin; sid:2033561; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005744; classtype:web-application-attack; sid:2005744; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections6) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAUwBlAHQAUSVEAOAA8gD7AFUlViU0AAMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033562; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005745; classtype:web-application-attack; sid:2005745; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033563; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005746; classtype:web-application-attack; sid:2005746; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033564; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost1="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005747; classtype:web-application-attack; sid:2005747; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (CommonsCollections7) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033565; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005748; classtype:web-application-attack; sid:2005748; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABMAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAHQAYQBiAGwAZQATAFclDwAlACEASgCjA1Ul"; fast_pattern; classtype:attempted-admin; sid:2033566; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005749; classtype:web-application-attack; sid:2005749; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAATAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaAB0AGEAYgBsAGUAEwBXJQ8AJQAhAEoAowNVJQ"; fast_pattern; classtype:attempted-admin; sid:2033567; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005750; classtype:web-application-attack; sid:2005750; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEwBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgAdABhAGIAbABlABMAVyUPACUAIQBKAKMDVSU"; fast_pattern; classtype:attempted-admin; sid:2033568; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005751; classtype:web-application-attack; sid:2005751; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABEAagBhAHYAYQAuAHUAdABpAGwALgBIAGEAcwBoAE0AYQBwAAUABwAMJTQlHCUWAGAAZCUDAAAA"; fast_pattern; classtype:attempted-admin; sid:2033569; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005752; classtype:web-application-attack; sid:2005752; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAARAGoAYQB2AGEALgB1AHQAaQBsAC4ASABhAHMAaABNAGEAcAAFAAcADCU0JRwlFgBgAGQlAwAAAA"; fast_pattern; classtype:attempted-admin; sid:2033570; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"cost2="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005753; classtype:web-application-attack; sid:2005753; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Hibernate1/Hibernate2/JSON1/Myfaces1/ROME/URLDNS) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAEQBqAGEAdgBhAC4AdQB0AGkAbAAuAEgAYQBzAGgATQBhAHAABQAHAAwlNCUcJRYAYABkJQMAAAA"; fast_pattern; classtype:attempted-admin; sid:2033571; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005754; classtype:web-application-attack; sid:2005754; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADkAbwByAGcALgBqAGIAbwBzAHMALgB3AGUAbABkAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4A"; fast_pattern; classtype:attempted-admin; sid:2033572; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005755; classtype:web-application-attack; sid:2005755; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAA5AG8AcgBnAC4AagBiAG8AcwBzAC4AdwBlAGwAZAAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAH"; fast_pattern; classtype:attempted-admin; sid:2033573; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005756; classtype:web-application-attack; sid:2005756; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JavassistWeld1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAOQBvAHIAZwAuAGoAYgBvAHMAcwAuAHcAZQBsAGQALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgB"; fast_pattern; classtype:attempted-admin; sid:2033574; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005757; classtype:web-application-attack; sid:2005757; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAADQAbwByAGcALgBqAGIAbwBzAHMALgBpAG4AdABlAHIAYwBlAHAAdABvAHIALgBwAHIAbwB4AHkA"; fast_pattern; classtype:attempted-admin; sid:2033575; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005758; classtype:web-application-attack; sid:2005758; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAA0AG8AcgBnAC4AagBiAG8AcwBzAC4AaQBuAHQAZQByAGMAZQBwAHQAbwByAC4AcAByAG8AeAB5AC"; fast_pattern; classtype:attempted-admin; sid:2033576; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"acreage1="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005759; classtype:web-application-attack; sid:2005759; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JBossInterceptors1) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAANABvAHIAZwAuAGoAYgBvAHMAcwAuAGkAbgB0AGUAcgBjAGUAcAB0AG8AcgAuAHAAcgBvAHgAeQA"; fast_pattern; classtype:attempted-admin; sid:2033577; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005760; classtype:web-application-attack; sid:2005760; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAABcAagBhAHYAYQAuAHUAdABpAGwALgBMAGkAbgBrAGUAZABIAGEAcwBoAFMAZQB0AGolbABrJVoA"; fast_pattern; classtype:attempted-admin; sid:2033578; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UNION SELECT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005761; classtype:web-application-attack; sid:2005761; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAXAGoAYQB2AGEALgB1AHQAaQBsAC4ATABpAG4AawBlAGQASABhAHMAaABTAGUAdABqJWwAayVaAP"; fast_pattern; classtype:attempted-admin; sid:2033579; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 INSERT"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005762; classtype:web-application-attack; sid:2005762; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Jdk7u21) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAFwBqAGEAdgBhAC4AdQB0AGkAbAAuAEwAaQBuAGsAZQBkAEgAYQBzAGgAUwBlAHQAaiVsAGslWgD"; fast_pattern; classtype:attempted-admin; sid:2033580; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 DELETE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005763; classtype:web-application-attack; sid:2005763; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAfQAAAAAAAAABAAA"; fast_pattern; classtype:attempted-admin; sid:2033581; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 ASCII"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005764; classtype:web-application-attack; sid:2005764; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAH0AAAAAAAAAAQAAA"; fast_pattern; classtype:attempted-admin; sid:2033582; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE"; flow:established,to_server; http.uri; content:"/searchoption.asp?"; nocase; content:"squarefeet1="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6927; reference:url,www.securityfocus.com/bid/21191; reference:url,doc.emergingthreats.net/2005765; classtype:web-application-attack; sid:2005765; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (JRMPClient) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwB9AAAAAAAAAAEAAA"; fast_pattern; classtype:attempted-admin; sid:2033583; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011155; classtype:web-application-attack; sid:2011155; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAACcAbwByAGcALgBtAG8AegBpAGwAbABhAC4AagBhAHYAYQBzAGMAcgBpAHAAdAAuAE4AYQB0AGkA"; fast_pattern; classtype:attempted-admin; sid:2033584; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011156; classtype:web-application-attack; sid:2011156; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAAAnAG8AcgBnAC4AbQBvAHoAaQBsAGwAYQAuAGoAYQB2AGEAcwBjAHIAaQBwAHQALgBOAGEAdABpAH"; fast_pattern; classtype:attempted-admin; sid:2033585; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roleManager.jsp?"; nocase; content:"type=query&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/39404/; reference:url,doc.emergingthreats.net/2011157; classtype:web-application-attack; sid:2011157; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (MozillaRhino2) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAAJwBvAHIAZwAuAG0AbwB6AGkAbABsAGEALgBqAGEAdgBhAHMAYwByAGkAcAB0AC4ATgBhAHQAaQB"; fast_pattern; classtype:attempted-admin; sid:2033586; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt"; flow:established,to_server; http.uri; content:"/modules/admincp.php?"; nocase; content:"admin="; nocase; pcre:"/(\?|&)admin=[^\x26\x3B]*([\x2F\x5C\x00]|\x2E\x2E)/i"; reference:url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt; reference:url,doc.emergingthreats.net/2010610; classtype:web-application-attack; sid:2010610; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//68AMYDAAAFAHMAcgAAAEkAbwByAGcALgBzAHAAcgBpAG4AZwBmAHIAYQBtAGUAdwBvAHIAawAuAGMAbwByAGUALgBTAGUA"; fast_pattern; classtype:attempted-admin; sid:2033587; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/load_lang.php?"; nocase; content:"_SERWEB[configdir]="; nocase; pcre:"/_SERWEB\[configdir\]=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,26747; reference:url,milworm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010124; classtype:web-application-attack; sid:2010124; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"/+vADGAwAABQBzAHIAAABJAG8AcgBnAC4AcwBwAHIAaQBuAGcAZgByAGEAbQBlAHcAbwByAGsALgBjAG8AcgBlAC4AUwBlAH"; fast_pattern; classtype:attempted-admin; sid:2033588; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/main_prepend.php?"; nocase; content:"_SERWEB[functionsdir]="; nocase; pcre:"/_SERWEB\[functionsdir\]=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,26747; reference:url,milworm.com/exploits/9284; reference:url,doc.emergingthreats.net/2010125; classtype:web-application-attack; sid:2010125; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Spring1/Spring2) M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"//rwAxgMAAAUAcwByAAAASQBvAHIAZwAuAHMAcAByAGkAbgBnAGYAcgBhAG0AZQB3AG8AcgBrAC4AYwBvAHIAZQAuAFMAZQB"; fast_pattern; classtype:attempted-admin; sid:2033589; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, malware_family ysoserial, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcategory.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6903; reference:url,doc.emergingthreats.net/2008815; classtype:web-application-attack; sid:2008815; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view.php?id=21504"; fast_pattern; http.host; content:"kr2959.atwebpages.com"; http.header_names; content:!"Referer"; reference:md5,72d43ff8f9ee0819e96ed7fd7d9a551a; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033590; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/software-description.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32536/; reference:url,milw0rm.com/exploits/6915; reference:url,doc.emergingthreats.net/2008816; classtype:web-application-attack; sid:2008816; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/report.php?key="; startswith; fast_pattern; http.host; content:"kr2959.atwebpages.com"; http.header_names; content:!"Referer"; reference:md5,72d43ff8f9ee0819e96ed7fd7d9a551a; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033591; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/track.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; reference:url,secunia.com/advisories/32552/; reference:url,milw0rm.com/exploits/6910; reference:url,doc.emergingthreats.net/2008793; classtype:web-application-attack; sid:2008793; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Heracles Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"cwyuno1c7n82bc201et81t627c8e6912r"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; threshold:type limit, track by_src, count 1, seconds 120; reference:md5,e0c6208936aa0cccd6867214145433b3; reference:url,tria.ge/210728-48w5bjla3x; classtype:command-and-control; sid:2033592; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/admin/device_admin.php?"; nocase; content:"cs_base_path="; nocase; pcre:"/cs_base_path=\s*(ftps?|https?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/65117; reference:cve,CVE-2010-2145; reference:url,doc.emergingthreats.net/2011209; classtype:web-application-attack; sid:2011209; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Heracles Variant CnC Domain (stainless .fun in TLS SNI)"; flow:established,to_server; tls.sni; content:"stainless.fun"; bsize:13; fast_pattern; reference:md5,e0c6208936aa0cccd6867214145433b3; reference:url,tria.ge/210728-48w5bjla3x; classtype:domain-c2; sid:2033593; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp SELECT"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004463; classtype:web-application-attack; sid:2004463; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/expres.php?op=2"; bsize:16; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,be4ab3c46d87b1900137647814f0f305; classtype:trojan-activity; sid:2033594; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004464; classtype:web-application-attack; sid:2004464; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?who="; fast_pattern; content:"&secure="; distance:0; content:"&v="; distance:0; content:".exe|20|"; distance:0; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,5b2355014f72dc2714dc5a5f04fe9519; classtype:trojan-activity; sid:2033595; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp INSERT"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004465; classtype:web-application-attack; sid:2004465; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?w="; fast_pattern; content:"&v="; distance:0; content:".exe|20|"; distance:0; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,d7b717134358bbeefc5796b5912369f0; classtype:trojan-activity; sid:2033596; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp DELETE"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004466; classtype:web-application-attack; sid:2004466; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Script Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/list.php?query=1"; fast_pattern; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:!"Referer"; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; reference:md5,78bdd34f641fb2d1992c8651298f4aff; classtype:trojan-activity; sid:2033597; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ASCII"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004467; classtype:web-application-attack; sid:2004467; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Activity (HEAD)"; flow:established,to_server; http.method; content:"HEAD"; http.uri; content:".dotm?q=6"; endswith; fast_pattern; http.user_agent; content:"Office"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,a9b6cf8d8d0a67da4eea269dab16fe99; reference:url,mp.weixin.qq.com/s/og8mfnqoKZsHlOJdIDKYgQ; classtype:trojan-activity; sid:2033598; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE"; flow:established,to_server; http.uri; content:"/cgi-bin/reorder2.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-2997; reference:url,www.securityfocus.com/bid/24226; reference:url,doc.emergingthreats.net/2004468; classtype:web-application-attack; sid:2004468; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Monitorr 1.7.6m RCE Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/assets/php/upload.php"; nocase; http.request_body; content:"name=|22|fileToUpload|22|"; nocase; content:"<?"; reference:url,github.com/Monitorr/Monitorr; reference:url,www.exploit-db.com/exploits/48980; classtype:attempted-admin; sid:2033599; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/classes/excel/class.writeexcel_workbook.inc.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010922; classtype:web-application-attack; sid:2010922; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jenkins Plugin Script RCE Exploit Attempt (CVE-2019-1003001)"; flow:established,to_server; http.uri; content:"CpsFlowDefinition"; nocase; content:"checkScriptCompile"; nocase; content:"GrabResolver"; nocase; content:"GrabConfig"; nocase; content:"Grab("; nocase; reference:url,0xdf.gitlab.io/2019/02/27/playing-with-jenkins-rce-vulnerability.html; reference:url,www.exploit-db.com/exploits/46427; reference:cve,2019-1003001; classtype:attempted-admin; sid:2033600; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2019_1003001, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/classes/excel/class.writeexcel_worksheet.inc.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt; reference:url,doc.emergingthreats.net/2010923; classtype:web-application-attack; sid:2010923; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Ambari Default Credentials Attempt"; flow:established,to_server; http.uri; content:"/api/v1/users/admin?fields="; nocase; content:"privilege"; nocase; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW4"; nocase; reference:url,docs.cloudera.com/HDPDocuments/Ambari-2.7.4.0/bk_ambari-installation/content/log_in_to_apache_ambari.html; classtype:attempted-admin; sid:2033601; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004493; classtype:web-application-attack; sid:2004493; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jitsi Meet Plugin XSS Attempt (CVE-2021-26812)"; flow:established,to_server; http.uri; content:"/mod/jitsi/sessionpriv.php?avatar="; nocase; content:"&nom="; nocase; reference:cve,2021-26812; reference:url,vuldb.com/?id.173035; classtype:attempted-user; sid:2033602; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2021_26812, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004494; classtype:web-application-attack; sid:2004494; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT GraphQL Introspection Query Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"|7b 22 71 75 65 72 79 22 3a 22 71 75 65 72 79 20|"; nocase; startswith; content:"__schema"; nocase; distance:0; content:"queryType"; nocase; distance:0; reference:url,blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/; classtype:attempted-admin; sid:2033603; rev:1; metadata:attack_target Server, created_at 2021_07_28, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004495; classtype:web-application-attack; sid:2004495; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JCK Editor 6.4.4 SQLi Attempt (CVE-2018-17254)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php"; nocase; content:"extension=menu"; distance:0; content:"view=menu"; nocase; content:"parent="; nocase; pcre:"/parent=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ui"; reference:url,www.exploit-db.com/exploits/49627; reference:cve,2018-17254; classtype:attempted-admin; sid:2033604; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, cve CVE_2018_17254, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004496; classtype:web-application-attack; sid:2004496; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TIBCO Data Virtualization <= 8.3 RCE Attempt (CVE-2016-2510)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/monitor/messagebroker/amf"; nocase; http.request_body; content:"|00 03 00 00 00 01 00 00 00 00 00 00 00 01 11 0A 07 47 6F 72 67 2E 61 70 61 63 68 65 2E 61 78 69 73 32 2E 75 74 69 6C 2E 4D 65 74 61 44 61 74 61 45 6E 74 72 79 7C 99 8B D2 C6 4F B4 E3 00 00 00 02 01 00 00 00|"; fast_pattern; reference:url,github.com/pedrib/PoC/blob/master/exploits/tdvPwn.rb; reference:url,twitter.com/pedrib1337/status/1415862996786548736; reference:cve,2016-2510; classtype:attempted-admin; sid:2033605; rev:1; metadata:attack_target Server, created_at 2021_07_28, cve CVE_2016_2510, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004497; classtype:web-application-attack; sid:2004497; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible MobileIron MDM RCE Inbound (CVE-2020-15505)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mifs/|2e 3b|/"; fast_pattern; content:"|63 02 00 48 00 84|"; startswith; content:"B|00|e|00|a|00|n|00|F|00|a|00|c|00|"; content:"r|00|m|00|i|00 3a 00 2f 00 2f|"; distance:0; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2033606; rev:1; metadata:created_at 2021_07_28, cve CVE_2020_15505, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"name="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004498; classtype:web-application-attack; sid:2004498; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Socelars Related Domain in DNS Lookup"; dns.query; content:"www.cncode.pw"; nocase; bsize:13; reference:md5,f6c01214414fe2cedaa217c69ab093e1; classtype:bad-unknown; sid:2033607; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category ADWARE_PUP, updated_at 2021_07_28, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004499; classtype:web-application-attack; sid:2004499; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DCRat CnC Domain (dud-shotline .000webhostapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dud-shotline.000webhostapp.com"; bsize:30; fast_pattern; reference:md5,a8c6a612108ac2266263c6a6be7a58cc; classtype:domain-c2; sid:2033608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_28, deployment Perimeter, former_category MALWARE, malware_family DCRat, performance_impact Low, signature_severity Major, updated_at 2021_07_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004500; classtype:web-application-attack; sid:2004500; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".netcatkit.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004501; classtype:web-application-attack; sid:2004501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".sqlnetcat.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004502; classtype:web-application-attack; sid:2004502; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".b69kq.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033611; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004503; classtype:web-application-attack; sid:2004503; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zz3r0.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"country="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004504; classtype:web-application-attack; sid:2004504; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ackng.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004505; classtype:web-application-attack; sid:2004505; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zer9g.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004506; classtype:web-application-attack; sid:2004506; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".pp6r1.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004507; classtype:web-application-attack; sid:2004507; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hwqloan.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004508; classtype:web-application-attack; sid:2004508; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".amynx.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033617; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004509; classtype:web-application-attack; sid:2004509; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".bb3u9.com"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"email="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004510; classtype:web-application-attack; sid:2004510; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".js88.ag"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004511; classtype:web-application-attack; sid:2004511; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lemon_Duck CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cdnimages.xyz"; nocase; endswith; reference:url,www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/; classtype:domain-c2; sid:2033620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_29, deployment Perimeter, malware_family Lemon_Duck, performance_impact Low, signature_severity Major, updated_at 2021_07_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004512; classtype:web-application-attack; sid:2004512; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed SSL Cert (DNS Service)"; flow:from_server,established; tls.cert_subject; content:".sslip.io"; endswith; nocase; fast_pattern; classtype:policy-violation; sid:2033621; rev:1; metadata:created_at 2021_07_30, former_category POLICY, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004513; classtype:web-application-attack; sid:2004513; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdn.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033625; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004514; classtype:web-application-attack; sid:2004514; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=api-cdnw5.net"; nocase; fast_pattern; classtype:domain-c2; sid:2033624; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004515; classtype:web-application-attack; sid:2004515; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=git-api.com"; nocase; fast_pattern; classtype:domain-c2; sid:2033623; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"website="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004516; classtype:web-application-attack; sid:2004516; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (FIN8 Staging CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=104-168-237-21.sslip.io"; nocase; fast_pattern; classtype:domain-c2; sid:2033622; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004517; classtype:web-application-attack; sid:2004517; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Meterpreter Paranoid Mode CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Texas, L=Austin, O=Development, CN=www.example.com"; bsize:59; fast_pattern; tls.cert_issuer; content:"C=US, ST=Texas, L=Austin, O=Development, CN=www.example.com"; bsize:59; reference:md5,7f969b888db2ac8aec19f2997167253e; reference:url,titanwolf.org/Network/Articles/Article?AID=97b8845a-85d0-407a-b14b-8dc773ed551b; classtype:domain-c2; sid:2033626; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_30, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UNION SELECT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004518; classtype:web-application-attack; sid:2004518; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/USA/precision.dot"; fast_pattern; bsize:18; http.host; content:"usa-national.info"; bsize:17; reference:md5,26b29c539d0d35fd414e36884c380e0e; classtype:trojan-activity; sid:2033627; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message INSERT"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004519; classtype:web-application-attack; sid:2004519; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer Domain (hellowoodie .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"hellowoodie.top"; bsize:15; fast_pattern; classtype:domain-c2; sid:2033628; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message DELETE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004520; classtype:web-application-attack; sid:2004520; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CandyOpen/UniClient Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uniplatform/getVersion"; fast_pattern; bsize:23; http.host; content:"uniplatform.snyzt.org"; bsize:21; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf; reference:md5,2ad8bfde025d1a739eee02f3b23365c9; reference:url,www.hybrid-analysis.com/sample/a94d56067aa15f28f66a139eecc90e49b008bfa1f0faf7d65721ecfb68a6a6a2; classtype:trojan-activity; sid:2033629; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message ASCII"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004521; classtype:web-application-attack; sid:2004521; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup via 3322 .org"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getip"; endswith; http.host; content:"3322.org"; endswith; fast_pattern; http.header_names; content:!"Referer"; classtype:policy-violation; sid:2033630; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE"; flow:established,to_server; http.uri; content:"/add2.php?"; nocase; content:"message="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1304; reference:url,www.securityfocus.com/bid/22820; reference:url,doc.emergingthreats.net/2004522; classtype:web-application-attack; sid:2004522; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CandyOpen/UniClient Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uniplatform/getUniclientVersion"; fast_pattern; bsize:32; http.header_names; content:"|0d 0a|accept|0d 0a|User-Agent|0d 0a 0d 0a|"; bsize:24; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-0729.pdf; reference:md5,2ad8bfde025d1a739eee02f3b23365c9; reference:url,www.hybrid-analysis.com/sample/a94d56067aa15f28f66a139eecc90e49b008bfa1f0faf7d65721ecfb68a6a6a2; classtype:trojan-activity; sid:2033631; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_07_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011726; classtype:web-application-attack; sid:2011726; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M1"; flow:established,to_client; tls.cert_subject; content:"C=IL, O=StartCom Ltd., CN="; startswith; isdataat:!20,relative; tls.cert_subject; content:"CN=*"; endswith; reference:url,community.riskiq.com/article/541a465f; classtype:command-and-control; sid:2033632; rev:2; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011727; classtype:web-application-attack; sid:2011727; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M2"; flow:established,to_client; tls.cert_subject; content:"C=KR, O=SGssl, CN="; startswith; isdataat:!20,relative; tls.cert_subject; content:"CN=*"; endswith; reference:url,community.riskiq.com/article/541a465f; classtype:command-and-control; sid:2033633; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011728; classtype:web-application-attack; sid:2011728; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA421/YTTRIUM/APT29 TLS Certificate M3"; flow:established,to_client; tls.cert_subject; content:"C=US, O=GMO GlobalSign, Inc"; startswith; fast_pattern; tls.cert_issuer; content:"C=US, O=GMO GlobalSign, Inc, CN=*"; bsize:33; reference:url,community.riskiq.com/article/642d186e; classtype:command-and-control; sid:2033634; rev:1; metadata:attack_target Client_and_Server, created_at 2021_07_31, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_07_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011729; classtype:web-application-attack; sid:2011729; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)"; dns.query; content:"paymenthacks.com"; nocase; bsize:16; reference:url,twitter.com/Arkbird_SOLG/status/1421984944792944643; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:domain-c2; sid:2033635; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011730; classtype:web-application-attack; sid:2011730; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)"; dns.query; content:"mojobiden.com"; nocase; bsize:13; reference:url,twitter.com/Arkbird_SOLG/status/1421984944792944643; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:domain-c2; sid:2033636; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/html/studentmain.php?"; nocase; content:"session="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,40737; reference:url,exploit-db.com/exploits/13812/; reference:url,doc.emergingthreats.net/2011731; classtype:web-application-attack; sid:2011731; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 Auth Bypass (CVE-2018-3810)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"sgcgoogleanalytic="; nocase; startswith; content:"<script"; nocase; distance:0; content:"savegooglecode"; nocase; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3810; classtype:attempted-admin; sid:2033637; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid SELECT"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006309; classtype:web-application-attack; sid:2006309; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Smart Google Code Inserter < 3.5 SQLi (CVE-2018-3811)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/options-general.php?page=smartcode"; nocase; endswith; fast_pattern; http.request_body; content:"action=saveadwords"; nocase; startswith; content:"oId="; nocase; distance:0; pcre:"/oId=[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/i"; reference:url,www.exploit-db.com/exploits/43420; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2018-3811; classtype:attempted-admin; sid:2033638; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UNION SELECT"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006310; classtype:web-application-attack; sid:2006310; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546)"; flow:established,to_server; http.uri; content:"/compliancepolicies.inc.php"; nocase; fast_pattern; content:"searchOption=contains"; content:"searchField=antani"; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,github.com/theguly/exploits/blob/master/CVE-2020-10546.py; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-10546; classtype:attempted-admin; sid:2033639; rev:2; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid INSERT"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006311; classtype:web-application-attack; sid:2006311; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT phpMyAdmin setup.php Local File Include"; flow:established,to_server; http.uri; content:"/scripts/setup.php"; nocase; fast_pattern; http.request_body; content:"action="; nocase; startswith; content:"configuration="; nocase; content:"PMA_Config"; nocase; content:"source"; nocase; reference:url,www.programmersought.com/article/87603212281/; reference:url,github.com/projectdiscovery/nuclei; classtype:attempted-admin; sid:2033640; rev:1; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid DELETE"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006312; classtype:web-application-attack; sid:2006312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon <= 2.1.x LFI (CVE-2020-11991)"; flow:established,to_server; http.uri; content:"/v2/api/product/manger/getInfo"; nocase; http.request_body; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:url,www.cnblogs.com/0day-li/p/13663350.html; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1; metadata:created_at 2021_08_02, cve CVE_2020_11991, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ASCII"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006313; classtype:web-application-attack; sid:2006313; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Paypal Pro < 1.1.65 SQLi (CVE-2020-14092)"; flow:established,to_server; http.uri; content:"/?cffaction=get_data_from_database"; nocase; fast_pattern; content:"query="; pcre:"/^[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,wpscan.com/vulnerability/10287; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-14092; classtype:attempted-admin; sid:2033642; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_14092, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE"; flow:established,to_server; http.uri; content:"/utilities/usermessages.asp?"; nocase; content:"mesid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6594; reference:url,www.secunia.com/advisories/23372; reference:url,doc.emergingthreats.net/2006314; classtype:web-application-attack; sid:2006314; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackMatter CnC Activity"; flow:established,to_server; http.request_line; content:"POST /?"; startswith; http.header; content:"Accept|3a 20|*/*|0d 0a|Connection|3a 20|keep-alive|0d 0a|Accept-Encoding|3a 20|gzip, deflate, br|0d 0a|Content-Type|3a 20|text/plain|0d 0a|User-Agent|3a 20|"; startswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:104; http.user_agent; content:"/"; content:!"/"; distance:0; reference:md5,d0512f2063cbd79fb0f770817cc81ab3; classtype:command-and-control; sid:2033643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family DarkSide, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/SearchResults.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2008-6242; reference:bugtraq,32039; reference:url,milw0rm.com/exploits/6922; reference:url,doc.emergingthreats.net/2009727; classtype:web-application-attack; sid:2009727; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (www .msfthelpdesk .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.msfthelpdesk.com"; bsize:20; fast_pattern; reference:md5,37c44fe692371563ebc10fade5142918; reference:url,twitter.com/mojoesec/status/1421198691742986243; classtype:domain-c2; sid:2033644; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/deptdisplay.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/7610; reference:bugtraq,33040; reference:url,doc.emergingthreats.net/2009048; classtype:web-application-attack; sid:2009048; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer Reporting System Information M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/success?q=7b226964223a22"; nocase; fast_pattern; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:url,blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html; reference:md5,e3bd6b1694b35bef352b2303b46ce522; classtype:trojan-activity; sid:2033646; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, malware_family Jupyter, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004415; classtype:web-application-attack; sid:2004415; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![445,139] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND)"; flow:to_server,established; dsize:248; content:"|18 18|"; offset:2; depth:2; content:!"|18 18|"; within:2; content:"|18 18|"; distance:2; within:2; content:!"|18 18|"; within:2; content:"|18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18 18|"; pcre:"/[^\x18][^\x44\x32\x33\x25\x64\x22\x23\x3a\x27\x24\x26\x34\x3b\x12][\x20\x21\x28-\x2f\x70-\x77\x79-\x7f\x60-\x63\x65\x66\x67-\x6f\x50-\x5f\x40-\x42\x46-\x4f\x30\x31\x35\x36\x38\x3e\x39\x3b]{1,14}\x18/R"; reference:md5,16549f8a09fd5724f2107a8f18dca10b; classtype:command-and-control; sid:2019204; rev:11; metadata:created_at 2014_09_22, former_category MALWARE, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004416; classtype:web-application-attack; sid:2004416; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Jupyter Stealer Related Activity (GET)"; flow:established,to_server; http.start; content:"GET /get/"; startswith; content:".ps1 HTTP/1.1|0d 0a|Host|3a 20|"; distance:0; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,e3bd6b1694b35bef352b2303b46ce522; classtype:trojan-activity; sid:2033645; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004417; classtype:web-application-attack; sid:2004417; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Rootkit Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/safe/"; startswith; content:"?appid="; distance:0; content:"&m="; distance:0; content:"&nonce_str="; distance:0; content:"&time_stamp="; distance:0; content:"&sign="; distance:0; http.user_agent; content:"Http-connect"; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033647; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004418; classtype:web-application-attack; sid:2004418; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Rootkit Checkin Activity (getSystemInfo)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/system/getSystemInfo"; bsize:25; fast_pattern; http.user_agent; content:"Http-connect"; bsize:12; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033648; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004419; classtype:web-application-attack; sid:2004419; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xml/"; bsize:5; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; bsize:65; http.host; content:"freegeoip.net"; bsize:13; fast_pattern; http.header_names; content:!"Referer"; reference:md5,aabf88d786c8a58cccae674621277a54; classtype:trojan-activity; sid:2033649; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, former_category MALWARE, malware_family Quasar, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"serendipity[multiCat]["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1326; reference:url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded; reference:url,doc.emergingthreats.net/2004420; classtype:web-application-attack; sid:2004420; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SSV Agent CnC Activity"; flow:established,to_server; http.request_body; content:"|00 00 00 01 00 00 00 01 00 00 00|"; offset:1; depth:11; fast_pattern; pcre:"/^[A-F0-9]{32}/R"; reference:url,github.com/ptresearch/AttackDetection/tree/master/APT31; reference:md5,db1673a1e8316287cb940725bb6caa68; classtype:command-and-control; sid:2033650; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SHOP-INET show_cat2.php grid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show_cat2.php?"; nocase; content:"grid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,33471; reference:url,milw0rm.com/exploits/7874; reference:url,secunia.com/advisories/33660/; reference:url,doc.emergingthreats.net/2010020; classtype:web-application-attack; sid:2010020; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (edgecloudc .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".edgecloudc.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033651; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopMaker product.php id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/product.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,www.milw0rm.com/exploits/6799; reference:bugtraq,31854; reference:url,doc.emergingthreats.net/2008723; classtype:web-application-attack; sid:2008723; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (be-government .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".be-government.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033652; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID SELECT"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005790; classtype:web-application-attack; sid:2005790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (gitcloudcache .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".gitcloudcache.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033653; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UNION SELECT"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005791; classtype:web-application-attack; sid:2005791; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (hostupoeui .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".hostupoeui.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033654; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID INSERT"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005792; classtype:web-application-attack; sid:2005792; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (drmtake .tk in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".drmtake.tk"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID DELETE"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005793; classtype:web-application-attack; sid:2005793; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (rsnet-devel .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".rsnet-devel.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ASCII"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005794; classtype:web-application-attack; sid:2005794; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed SSV Agent CnC Domain (flushcdn .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".flushcdn.com"; endswith; fast_pattern; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/apt31-new-attacks/; classtype:domain-c2; sid:2033657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_03, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE"; flow:established,to_server; http.uri; content:"/orange.asp?"; nocase; content:"CatID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0142; reference:url,www.securityfocus.com/bid/21905; reference:url,doc.emergingthreats.net/2005795; classtype:web-application-attack; sid:2005795; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Small Malformed Translogic Packet (Multiple CVEs)"; dsize:<21; content:"TLPU"; startswith; fast_pattern; content:"|00 00 00 01|"; distance:4; within:4; reference:url,www.armis.com/pwnedPiper; reference:cve,2021-37162; reference:cve,2021-37165; reference:cve,2021-37161; classtype:attempted-admin; sid:2033661; rev:1; metadata:attack_target Server, created_at 2021_08_03, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Customer contact.php SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/contact.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,28852; reference:url,doc.emergingthreats.net/2008722; classtype:web-application-attack; sid:2008722; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert udp any any -> $HOME_NET 12345 (msg:"ET EXPLOIT [PwnedPiper] Exploitation Attempt - Large Malformed Translogic Packet (CVE-2021-37164)"; dsize:>369; content:"TLPU"; startswith; fast_pattern;  reference:cve,2021-37164; reference:url,www.armis.com/pwnedPiper; classtype:attempted-admin; sid:2033662; rev:1; metadata:attack_target Server, created_at 2021_08_03, cve CVE_2021_37164, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username SELECT"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004779; classtype:web-application-attack; sid:2004779; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup"; dns.query; content:"cloud-documents.com"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033663; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UNION SELECT"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004780; classtype:web-application-attack; sid:2004780; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc CnC Domain (cloud-documents .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"cloud-documents.com"; bsize:19; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/07/crimea-manifesto-deploys-vba-rat-using-double-attack-vectors/; classtype:domain-c2; sid:2033664; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username INSERT"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004781; classtype:web-application-attack; sid:2004781; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS sysWeb User-Agent"; flow:established,to_server; http.user_agent; content:"|20|sysWeb/"; fast_pattern; reference:md5,3f295401fa59a32ff7a11551551ec607; reference:url,twitter.com/starsSk87264403/status/1422543872853426198; classtype:trojan-activity; sid:2033665; rev:1; metadata:created_at 2021_08_04, former_category USER_AGENTS, performance_impact Low, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username DELETE"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004782; classtype:web-application-attack; sid:2004782; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed URL Shortening Service Domain (longurl .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"longurl.in"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2033666; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username ASCII"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004783; classtype:web-application-attack; sid:2004783; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (gopstoporchestra .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"gopstoporchestra.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033667; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE"; flow:established,to_server; http.uri; content:"/logon_user.php?"; nocase; content:"username="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004784; classtype:web-application-attack; sid:2004784; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (onlineworkercz .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"onlineworkercz.com"; bsize:18; fast_pattern; reference:url,thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/; classtype:domain-c2; sid:2033668; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username SELECT"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004785; classtype:web-application-attack; sid:2004785; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; urilen:3; http.method; content:"GET"; http.cookie; content:"reg_fb_gate="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,bed512b1b901f03d421d39132a6c75b6; reference:url,thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/; classtype:trojan-activity; sid:2033669; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UNION SELECT"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004786; classtype:web-application-attack; sid:2004786; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Thallium  CnC Domain in DNS Lookup"; dns.query; content:"tksrpdl.atwebpages.com"; nocase; bsize:22; reference:url,twitter.com/cyberwar_15/status/1422692746909786112; classtype:domain-c2; sid:2033670; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username INSERT"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004787; classtype:web-application-attack; sid:2004787; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TrickBot Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/r/tomkruzback.bazar"; fast_pattern; bsize:20; http.host; content:"dns."; http.user_agent; content:"curl/"; startswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,ad938b03f3719bf14f1e14c90a73ff2b; classtype:trojan-activity; sid:2033660; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username DELETE"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004788; classtype:web-application-attack; sid:2004788; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup (societyf500 .ddns .net)"; dns.query; content:"societyf500.ddns.net"; nocase; bsize:20; reference:url,twitter.com/JAMESWT_MHT/status/1422813422828331009; classtype:domain-c2; sid:2033671; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username ASCII"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004789; classtype:web-application-attack; sid:2004789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (quantumbots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"quantumbots.xyz"; bsize:15; fast_pattern; reference:md5,daba8377d281c48c1c91e2fa7f703511; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033672; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE"; flow:established,to_server; http.uri; content:"/update_profile.php?"; nocase; content:"username="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7088; reference:url,xforce.iss.net/xforce/xfdb/30252; reference:url,doc.emergingthreats.net/2004790; classtype:web-application-attack; sid:2004790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (marcobrando .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"marcobrando.xyz"; bsize:15; fast_pattern; reference:md5,eaf0524ba3214b35a068465664963654; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033673; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id SELECT"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005871; classtype:web-application-attack; sid:2005871; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (montanatony .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"montanatony.xyz"; bsize:15; fast_pattern; reference:md5,0d1df5c35c3c43e1b8bb7daec2495c06; reference:md5,f73ebc6f645926bf8566220b14173df8; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033674; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005872; classtype:web-application-attack; sid:2005872; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (smoothcbots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"smoothcbots.xyz"; bsize:15; fast_pattern; reference:md5,8daf9ba69c0dcf9224fd1e4006c9dad3; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033675; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id INSERT"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005873; classtype:web-application-attack; sid:2005873; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (omegabots .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"omegabots.xyz"; bsize:13; fast_pattern; reference:md5,de51b859f41b6a9138285cf26a1fad84; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033676; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id DELETE"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005874; classtype:web-application-attack; sid:2005874; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (gogleadser .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"gogleadser.xyz"; bsize:14; fast_pattern; reference:md5,205861bca8f26430981f9762a50eab3a; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033677; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id ASCII"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005875; classtype:web-application-attack; sid:2005875; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Oscorp/UBEL CnC Domain (callbinary .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"callbinary.xyz"; bsize:14; fast_pattern; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:domain-c2; sid:2033678; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE"; flow:established,to_server; http.uri; content:"/page.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0093; reference:url,www.milw0rm.com/exploits/3076; reference:url,doc.emergingthreats.net/2005876; classtype:web-application-attack; sid:2005876; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideCopy Group Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/css/css/b/l/i2.php"; bsize:19; fast_pattern; http.accept_enc; content:"gzip,|20|deflate"; bsize:13; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1422914152381616134; reference:url,twitter.com/c3rb3ru5d3d53c/status/1422982036365750275; reference:md5,896793b5a446fb3a648a7f290a2b38cd; reference:md5,8e07953b96ffa7ee7f5d0fa6fea71a6a; classtype:trojan-activity; sid:2033680; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/main/forum/komentar.php?"; nocase; content:"site_path="; nocase; pcre:"/site_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,23334; reference:url,doc.emergingthreats.net/2010564; classtype:web-application-attack; sid:2010564; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Oscorp/UBEL Activity"; flow:established,to_server; http.uri; content:"/api/app/device/"; startswith; fast_pattern; http.user_agent; content:"|3b 20|Android|3b 20|"; http.host; content:".xyz"; endswith; http.header_names; content:!"Referer"; reference:url,www.cleafy.com/cleafy-labs/ubel-oscorp-evolution; classtype:trojan-activity; sid:2033679; rev:2; metadata:attack_target Mobile_Client, created_at 2021_08_05, deployment Perimeter, deployment SSLDecrypt, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/login.tpl.php?"; nocase; content:"TplSuffix="; nocase; reference:bugtraq,33092; reference:url,doc.emergingthreats.net/2009070; classtype:web-application-attack; sid:2009070; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Microsoft Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"microsoft"; content:".github.io"; endswith; fast_pattern; content:!"microsoft.github.io"; depth:19; endswith; content:!"microsoftedge.github.io"; depth:23; endswith; classtype:policy-violation; sid:2027274; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Minor, tag Phishing, updated_at 2021_08_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.tpl.php?"; nocase; content:"theme="; nocase; pcre:"/theme=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,33092; reference:url,doc.emergingthreats.net/2009071; classtype:web-application-attack; sid:2009071; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Roboto - Possible Encrypted Roboto P2P Payload Requested M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/roboto."; fast_pattern; pcre:"/^tt[cf]$/R"; http.user_agent; content:!"Windows"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,blog.netlab.360.com/the-awaiting-roboto-botnet-en/; classtype:command-and-control; sid:2029040; rev:3; metadata:affected_product Linux, created_at 2019_11_21, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Roboto, performance_impact Low, signature_severity Major, updated_at 2021_08_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SlimCMS edit.php pageid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/edit.php?"; nocase; content:"pageID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32300; reference:url,doc.emergingthreats.net/2008867; classtype:web-application-attack; sid:2008867; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE Observed SSL/TLS Cert (Splashtop Remote Support)"; flow:from_server,established; tls.cert_subject; content:"CN=Splashtop Inc. Self CA"; nocase; fast_pattern; classtype:domain-c2; sid:2033685; rev:1; metadata:attack_target Client_and_Server, created_at 2021_08_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005542; classtype:web-application-attack; sid:2005542; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover?"; nocase; content:"/mapi/nspi"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033682; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005543; classtype:web-application-attack; sid:2005543; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)"; flow:established,from_server; http.stat_code; content:"302"; flowbits:isset,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033683; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005544; classtype:web-application-attack; sid:2005544; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"sk="; startswith; fast_pattern; content:"&cs="; distance:0; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033686; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005545; classtype:web-application-attack; sid:2005545; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M2"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"gs="; startswith; content:"&sk="; distance:0; fast_pattern; content:"&di="; distance:0; content:"&t="; distance:0; content:"&st="; distance:0; content:"&dt="; distance:0; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033687; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005546; classtype:web-application-attack; sid:2005546; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M3"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"s="; startswith; content:"&gfu="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033688; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"code="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005547; classtype:web-application-attack; sid:2005547; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE APT33/Charming Kitten Android/LittleLooter Activity (POST) M4"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.user_agent; content:"|3b 20|Android|20|"; http.host; content:".xyz"; endswith; http.request_body; content:"s="; startswith; content:"&gd="; distance:0; content:"&v=5"; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:url,threatpost.com/black-hat-charming-kitten-opsec-goofs-training-videos/168394/; reference:md5,a04c2c3388da643ef67504ef8c6907fb; classtype:command-and-control; sid:2033689; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_09, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005548; classtype:web-application-attack; sid:2005548; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"mariamistado.com"; nocase; bsize:16; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005549; classtype:web-application-attack; sid:2005549; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"arctiusa.com"; nocase; bsize:12; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005550; classtype:web-application-attack; sid:2005550; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"onecoloradosport.com"; nocase; bsize:20; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033692; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005551; classtype:web-application-attack; sid:2005551; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"fivefkl.com"; nocase; bsize:11; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005552; classtype:web-application-attack; sid:2005552; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"amusient.com"; nocase; bsize:12; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"f="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005553; classtype:web-application-attack; sid:2005553; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Infrastructure CnC Domain in DNS Lookup"; dns.query; content:"fondfbr.com"; nocase; bsize:11; reference:url,twitter.com/MichalKoczwara/status/1424685098264301571; classtype:trojan-activity; sid:2033695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005554; classtype:web-application-attack; sid:2005554; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OneDrive Phishing Landing Page 2021-08-09"; flow:established,from_server; file.data; content:"<title>|0d 0a 09|Files - OneDrive|0d 0a|</title>"; fast_pattern; content:"<form method|3d 22|post|22|"; distance:0; content:"action|3d 22|link.php|22|"; distance:0; reference:url,app.any.run/tasks/7d82fceb-ac0f-452a-9b37-4c87478f2df6; classtype:social-engineering; sid:2033696; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_09, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005555; classtype:web-application-attack; sid:2005555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Zimbra Phishing Landing Page 2021-08-09"; flow:established,from_server; file.data; content:"<title>Zimbra Web Client Sign In</title>"; content:"<form method|3d 22|post|22|"; distance:0; content:"name|3d 22|loginForm|22|"; distance:0; content:"action|3d 22|mll.php|22|"; distance:0; fast_pattern; content:"accept-charset|3d 22|UTF-8|22|"; reference:url,app.any.run/tasks/bda22930-0bfb-4ccd-b5c4-26f526b8cba7; classtype:social-engineering; sid:2033697; rev:1; metadata:created_at 2021_08_09, former_category PHISHING, updated_at 2021_08_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005556; classtype:web-application-attack; sid:2005556; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Sharepoint Resource Infection"; flow:established,to_client; http.response_line; content:"HTTP/1.1|20|409|20|CONFLICT"; http.header; content:"|0d 0a|x-virus-infected|3a 20|"; content:"-location|3a 20|"; distance:0; reference:url,docs.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-wsshp/ba4ee7a8-704c-4e9c-ab14-fa44c574bdf4; classtype:bad-unknown; sid:2033698; rev:1; metadata:attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_08_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005557; classtype:web-application-attack; sid:2005557; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yuxicu.com"; bsize:10; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt; classtype:domain-c2; sid:2033699; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005558; classtype:web-application-attack; sid:2005558; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"gojihu.com"; bsize:10; fast_pattern; reference:url,github.com/pan-unit42/tweets/blob/master/2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt; classtype:domain-c2; sid:2033700; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"us="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005559; classtype:web-application-attack; sid:2005559; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TeamTNT Linux Miner Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s3f715/"; startswith; http.host; content:"oracle.htxreceive.top"; fast_pattern; bsize:21; reference:url,blog.netlab.360.com/wei-xie-kuai-xun-teamtntxin-huo-dong-tong-guo-gan-ran-wang-ye-wen-jian-ti-gao-chuan-bo-neng-li/; classtype:trojan-activity; sid:2033702; rev:1; metadata:attack_target Linux_Unix, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005560; classtype:web-application-attack; sid:2005560; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Campo Loader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/campo/"; startswith; fast_pattern; pcre:"/^[a-z](?:[0-9])?\/[a-z](?:[0-9]?)$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/; reference:md5,c865db24e6a0ca317424eb1c1543426e; reference:md5,dd6c4275c1b7b761b6f96a7e1e2f3607; classtype:trojan-activity; sid:2032352; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UNION SELECT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005561; classtype:web-application-attack; sid:2005561; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Ursnif Injects)"; flow:established,to_client; tls.cert_subject; content:"inbizintesansanpaolo.com"; bsize:24; fast_pattern; classtype:domain-c2; sid:2033703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_08_10, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps INSERT"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005562; classtype:web-application-attack; sid:2005562; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Malicious VBS Script Activity"; flow:established,to_server; http.uri; content:"/user/get/"; startswith; fast_pattern; http.user_agent; content:"Microsoft BITS/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,blog.group-ib.com/prometheus-tds; classtype:trojan-activity; sid:2033704; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps DELETE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005563; classtype:web-application-attack; sid:2005563; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE IIStealer CnC Domain in DNS Lookup (xinxx .allsoulu .com)"; dns.query; content:"xinxx.allsoulu.com"; nocase; bsize:18; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; reference:url,www.welivesecurity.com/2021/08/06/iistealer-server-side-threat-ecommerce-transactions/; classtype:command-and-control; sid:2033705; rev:1; metadata:attack_target Web_Server, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps ASCII"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005564; classtype:web-application-attack; sid:2005564; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIStealer Inbound Exfil Request"; flow:established,to_server; http.uri; content:"/privacy.aspx"; bsize:13; http.header; content:"|0d 0a|X-IIS-Data|3a 20|"; fast_pattern; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; classtype:trojan-activity; sid:2033706; rev:1; metadata:attack_target Server, created_at 2021_08_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE"; flow:established,to_server; http.uri; content:"/dl.php?"; nocase; content:"ps="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005566; classtype:web-application-attack; sid:2005566; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IIStealer Inbound Exfil Request M2"; flow:established,to_server; http.uri; content:"/checkout/Payment.aspx"; bsize:22; http.header; content:"|0d 0a|X-IIS-Data|3a 20|"; fast_pattern; reference:url,i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf; classtype:trojan-activity; sid:2033707; rev:1; metadata:attack_target Server, created_at 2021_08_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/pcltar.lib.php?"; nocase; content:"g_pcltar_lib_dir="; reference:url,secunia.com/advisories/33865/; reference:url,milw0rm.com/exploits/8017; reference:url,doc.emergingthreats.net/2009182; classtype:web-application-attack; sid:2009182; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown DPRK Threat Actor Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccom"; startswith; pcre:"/^(?:[1-3]?)\/download\.php\?filename=ccom/R"; http.host; content:".atwebpages.com"; endswith; reference:url,asec.ahnlab.com/ko/26183; reference:md5,833794f663ddecd3533c661c9ac5fef6; reference:md5,857a0eb7dcd9c63f4474a069012a3389; classtype:trojan-activity; sid:2033708; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004863; classtype:web-application-attack; sid:2004863; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,github.com/greenbone/openvas-scanner/blob/622e205327ea374d1ccbb3b0e8dcb3fe5c1bb87d/nasl/nasl_http.c#L120; classtype:bad-unknown; sid:2033101; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004864; classtype:web-application-attack; sid:2004864; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAdmin Activity"; flow:established,to_server; http.uri; content:"install|3f|"; nocase; content:"country|3d|"; nocase; http.user_agent; content:"Tightrope Bundle Manager"; nocase; http.header_names; content:"|0d 0a|x|2d|webinstallcode|0d 0a|"; nocase; content:"|0d 0a|x|2d|exename|0d 0a|"; nocase; content:"|0d 0a|x|2d|webinstallurl|0d 0a|"; nocase; threshold: type limit, track by_src, seconds 180, count 1; reference:md5,36d8c484882c961b2f351bb4c73536e1; classtype:trojan-activity; sid:2033709; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id INSERT"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004865; classtype:web-application-attack; sid:2004865; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET SCAN OpenVASVT RCE Test String in HTTP Request Outbound"; flow:established,to_server; content:"T3BlblZBU1ZUIFJDRSBUZXN0"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,github.com/greenbone/openvas-scanner/blob/622e205327ea374d1ccbb3b0e8dcb3fe5c1bb87d/nasl/nasl_http.c#L120; classtype:bad-unknown; sid:2033102; rev:2; metadata:created_at 2021_06_07, former_category ATTACK_RESPONSE, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004866; classtype:web-application-attack; sid:2004866; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> any any (msg:"ET MALWARE Suspected Praying Mantis Threat Actor Activity"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0+(Windows+NT+10.0|3b|+WOW64|3b|+Trident/7.0|3b|+rv|3a|11.0)+like+Gecko"; bsize:69; fast_pattern; reference:url,f.hubspotusercontent30.net/hubfs/8776530/TG1021%20-%20Praying%20Mantis%20Threat%20Actor.pdf; classtype:trojan-activity; sid:2033710; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004867; classtype:web-application-attack; sid:2004867; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:"ET EXPLOIT Possible Microsoft Exchange RCE with Python PSRP Client UA Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover/autodiscover.json?"; http.user_agent; content:"Python|20|PSRP|20|Client"; fast_pattern; reference:cve,2021-34473; classtype:attempted-admin; sid:2033712; rev:1; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE"; flow:established,to_server; http.uri; content:"/pop_profile.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1023; reference:url,www.milw0rm.com/exploits/3321; reference:url,doc.emergingthreats.net/2004868; classtype:web-application-attack; sid:2004868; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M1 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<s"; content:"SerializedSecurityContext>"; distance:0; content:"Message>"; distance:0; content:"Attachments>"; distance:0; content:"Content>"; distance:0; content:"|60 c2 ac c2 aa|"; distance:0; within:200; reference:cve,2021-34473; classtype:attempted-admin; sid:2033684; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SocialEngine browse_classifieds.php Remote SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/browse_classifieds.php?"; nocase; content:"classifiedcat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/33474/; reference:url,milw0rm.com/exploits/7730; reference:url,doc.emergingthreats.net/2009100; classtype:web-application-attack; sid:2009100; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (msresearchcenter .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"msresearchcenter.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2033714; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_08_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/content/themes/softsaurus_default/pages/subHeader.php?"; nocase; content:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011051; classtype:web-application-attack; sid:2011051; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Server Response"; flow:established,to_client; dsize:10; content:"|7e 62 6c 61 63 6b 20 68 61 74|"; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; classtype:command-and-control; sid:2033715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_08_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/content/themes/softsaurus_stretched/pages/subHeader.php?"; nocase; content:"objects_path="; nocase; pcre:"/objects_path=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,38842; reference:url,exploit-db.com/exploits/11807; reference:url,doc.emergingthreats.net/2011052; classtype:web-application-attack; sid:2011052; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Chinese Threat Actor Malicious Redirect Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/public/"; startswith; fast_pattern; pcre:"/^x?\/jquery\.min\.js\?ver=[0-9a-f]{24}$/R"; http.referer; content:"/s/02B"; pcre:"/^[a-z]$/R"; reference:url,imp0rtp3.wordpress.com/2021/08/12/tetris/; classtype:trojan-activity; sid:2033720; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent SELECT"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006129; classtype:web-application-attack; sid:2006129; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Unknown Chinese Threat Actor CnC Domain in DNS Lookup"; dns.query; content:"googledrivers.com"; nocase; bsize:17; reference:url,imp0rtp3.wordpress.com/2021/08/12/tetris/; classtype:domain-c2; sid:2033721; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UNION SELECT"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006130; classtype:web-application-attack; sid:2006130; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup (office360-expert .online)"; dns.query; content:"office360-expert.online"; nocase; bsize:23; reference:md5,fbc037e68f5988df9190cdadf7424752; reference:url,twitter.com/NinjaOperator/status/1354526362627936258; classtype:domain-c2; sid:2033722; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent INSERT"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006131; classtype:web-application-attack; sid:2006131; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sell/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:md5,fbc037e68f5988df9190cdadf7424752; reference:url,twitter.com/NinjaOperator/status/1354526362627936258; classtype:trojan-activity; sid:2033723; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent DELETE"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006132; classtype:web-application-attack; sid:2006132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (ntc-pk .sytes .net)"; dns.query; content:"ntc-pk.sytes.net"; nocase; bsize:16; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; reference:md5,dc7044f273b0a161279ddce8c5dff0a7; classtype:domain-c2; sid:2033724; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ASCII"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006133; classtype:web-application-attack; sid:2006133; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT-C-48 Related Activity Retrieving ConsoleHost (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Index-out/"; startswith; content:"/raw/main/ConsoleHost"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.host; content:"github.com"; bsize:10; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; reference:md5,2d8a0bd2b45683d9c00d7e1cb0999e3a; classtype:trojan-activity; sid:2033725; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE"; flow:established,to_server; http.uri; content:"/list.asp?"; nocase; content:"agent="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6807; reference:url,www.milw0rm.com/exploits/3001; reference:url,doc.emergingthreats.net/2006134; classtype:web-application-attack; sid:2006134; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-48 Related CnC Domain in DNS Lookup (nitb .pk-gov .org)"; dns.query; content:"nitb.pk-gov.org"; nocase; bsize:15; reference:md5,1255eb3e81ec17d030da6884e0d3c724; reference:url,mp.weixin.qq.com/s/dMFyLxsErYUZX7BQyBL9YQ; classtype:domain-c2; sid:2033726; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php SELECT"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006479; classtype:web-application-attack; sid:2006479; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to IP Lookup Domain (me .shodan .io)"; dns.query; content:"me.shodan.io"; nocase; bsize:12; classtype:policy-violation; sid:2033729; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UNION SELECT"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006480; classtype:web-application-attack; sid:2006480; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Vultr Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/grpc.Rpc/Registration"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"grpc-java-okhttp/"; http.header_names; content:!"Referer|3a 20|"; reference:url,www.threatfabric.com/blogs/vultur-v-for-vnc.html; classtype:command-and-control; sid:2033730; rev:2; metadata:attack_target Mobile_Client, created_at 2021_08_13, former_category MOBILE_MALWARE, updated_at 2021_08_13, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php INSERT"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006481; classtype:web-application-attack; sid:2006481; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCRat/Gh0st CnC Beacon Request (Xfire variant)"; flow:established,to_server; stream_size:server,=,1; content:"|58 66 69 72 65|"; startswith; content:!"|00 00|"; within:2; content:"|00 00|"; distance:2; within:2; content:!"|00 00|"; within:2; content:"|00 00|"; distance:2; within:2; byte_jump:4,5,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:md5,7a55388f877ce40d2abf72ea5ee2a6b8; classtype:command-and-control; sid:2033731; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php DELETE"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006482; classtype:web-application-attack; sid:2006482; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.Agent.OMP Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.request_body; content:"pc="; startswith; content:"&g-passwds="; fast_pattern; distance:0; reference:md5,61f9fc4c3fe06dca2fcaa678144bb59a; classtype:command-and-control; sid:2033732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php ASCII"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006484; classtype:web-application-attack; sid:2006484; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"sparrowsgroup.org"; nocase; bsize:17; classtype:domain-c2; sid:2035799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE"; flow:established,to_server; http.uri; content:"/game_listing.php?"; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-3307; reference:url,www.milw0rm.com/exploits/4078; reference:url,doc.emergingthreats.net/2006485; classtype:web-application-attack; sid:2006485; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"electroboard.net"; nocase; bsize:16; classtype:domain-c2; sid:2035800; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sonicwall NSA E7500 XSS attempt (fwReg parameter)"; flow:established,to_server; http.uri; content:"/servlet/dea/register?"; nocase; content:"pwd="; nocase; content:"fwReg="; nocase; content:"sn="; nocase; pcre:"/\/servlet\/dea\/register\?fwReg=[>\"]/i"; reference:url,securiteam.com/exploits/6O00C1FQAS.html; reference:url,doc.emergingthreats.net/2010509; classtype:web-application-attack; sid:2010509; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"exprogroup.org"; nocase; bsize:14; classtype:domain-c2; sid:2035801; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sonicwall Global Management System XSS attempt (scrn_name parameter)"; flow:established,to_server; http.uri; content:"/sgms/caption.jsp?"; nocase; content:"scrn_name="; nocase; pcre:"/\/sgms\/caption\.jsp\?.*scrn_name=.*[>\"]/i"; reference:url,securiteam.com/exploits/6P00D1FQAG.html; reference:url,doc.emergingthreats.net/2010511; classtype:web-application-attack; sid:2010511; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 Related CnC Domain in DNS Lookup"; dns.query; content:"elecresearch.org"; nocase; bsize:16; classtype:domain-c2; sid:2035802; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/example_clientside_javascript.php?"; nocase; content:"neededFiles[patForms]="; nocase; pcre:"/neededFiles\[patForms\]=\s*(ftps?|https?|php)\:\//i"; reference:url,doc.emergingthreats.net/2009144; classtype:web-application-attack; sid:2009144; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig ajaxArchiveFiles.php Command Injection Inbound (CVE-2019-19509)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; fast_pattern; http.uri.raw; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; pcre:"/^%(?:3B|0A|26|60|7C|24)/Ri"; reference:url,www.exploit-db.com/exploits/47982; reference:cve,2019-19509; classtype:attempted-admin; sid:2033424; rev:3; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_19509, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_08_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004816; classtype:web-application-attack; sid:2004816; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache SkyWalking GraphQL SQL Injection Inbound (CVE-2020-13921)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/graphql"; fast_pattern; http.request_body; content:"|7b 22|query"; nocase; startswith; content:"|27 29|"; pcre:"/^\s?.{0,100}(?:SELECT|UNION|CHAR|LONGVARCHAR|SCHEMA|FROM|WHERE|IFNULL|INSERT|UPDATE)/R"; reference:url,blog.csdn.net/caiqiiqi/article/details/107857173; reference:cve,2020-13921; classtype:attempted-admin; sid:2033403; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_13921, updated_at 2021_08_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004817; classtype:web-application-attack; sid:2004817; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9uDQoNCiAgIEhvc3QgTmFtZSAuI"; classtype:bad-unknown; sid:2033734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004818; classtype:web-application-attack; sid:2004818; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"aW5kb3dzIElQIENvbmZpZ3VyYXRpb24NCg0KICAgSG9zdCBOYW1lIC4g"; classtype:bad-unknown; sid:2033735; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004819; classtype:web-application-attack; sid:2004819; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded Windows IP Configuration Output in HTTP POST M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvbg0KDQogICBIb3N0IE5hbWUgLi"; classtype:bad-unknown; sid:2033736; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_08_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004820; classtype:web-application-attack; sid:2004820; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 65535 (msg:"ET MALWARE DarkWay Client Checkin"; flow:established,to_server; content:"|1f 8b 08 00 00 00 00 00 04 00|"; startswith; fast_pattern; content:"|00 00|"; endswith; reference:md5,afe88d8042a796816c8a7251a6e2fddc; reference:md5,bf95d7062c1c7df67ce9fff64a213cf2; reference:url,twitter.com/_jsoo_/status/1423975922164633601; classtype:command-and-control; sid:2033737; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"category="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7057; reference:url,www.secunia.com/advisories/20131; reference:url,doc.emergingthreats.net/2004821; classtype:web-application-attack; sid:2004821; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING NOP Sled in HTTP URI Inbound - Possible Exploit Activity"; flow:established,to_server; http.uri.raw; content:"|90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern; classtype:bad-unknown; sid:2033431; rev:3; metadata:created_at 2021_07_26, former_category HUNTING, updated_at 2021_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005152; classtype:web-application-attack; sid:2005152; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M1 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|60|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:attempted-admin; sid:2033738; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005153; classtype:web-application-attack; sid:2005153; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BLUELIGHT Payload Domain (storage .jquery .services in TLS SNI)"; flow:established,to_server; tls.sni; content:"storage.jquery.services"; bsize:23; fast_pattern; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:domain-c2; sid:2033739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, signature_severity Major, updated_at 2021_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005155; classtype:web-application-attack; sid:2005155; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BLUELIGHT OAuth Login Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth20_token.srf"; bsize:18; nocase; http.request_body; content:"client_id=b893cacd-9d41-4457-9e7d-47081a065095&client_secret=KT_onD~A9uRpIyjzoL_O1w3pDZ~1Zz488C"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,0b649bc5dbbf21801c21aaa5e5f79fc6; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:trojan-activity; sid:2033740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BLUELIGHT, signature_severity Major, updated_at 2021_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005154; classtype:web-application-attack; sid:2005154; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BLUELIGHT OAuth Login Attempt M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/oauth20_token.srf"; bsize:18; nocase; http.header; content:"|0d 0a|User-Agent|3a 20|Myapp|0d 0a|"; fast_pattern; http.request_body; content:"client_id="; startswith; content:"&client_secret="; distance:36; within:15; content:"&refresh_token="; distance:0; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,0b649bc5dbbf21801c21aaa5e5f79fc6; reference:url,www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits; classtype:trojan-activity; sid:2033741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_18, deployment Perimeter, former_category MALWARE, malware_family BLUELIGHT, signature_severity Major, updated_at 2021_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005156; classtype:web-application-attack; sid:2005156; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiWeb OS Command Injection Inbound M2 (CVE-2021-22123)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remoteserver.saml"; fast_pattern; http.request_body; content:"form-data|3b 20|name=|22|name|22|"; nocase; content:"|24|"; distance:0; content:"--------"; distance:0; reference:cve,2021-22123; classtype:bad-unknown; sid:2033742; rev:1; metadata:attack_target Server, created_at 2021_08_18, cve CVE_2021_22123, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE"; flow:established,to_server; http.uri; content:"/rss/show_webfeed.php?"; nocase; content:"wcHeadlines="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0574; reference:url,www.securityfocus.com/bid/22282; reference:url,doc.emergingthreats.net/2005157; classtype:web-application-attack; sid:2005157; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Agent.DNL CnC Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|TaskResult|22|"; content:"|22|Date|22|"; content:"|22|owner|22|"; fast_pattern; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:command-and-control; sid:2033743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_08_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SunByte e-Flower popupproduct.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/popupproduct.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7323; reference:bugtraq,32589; reference:url,doc.emergingthreats.net/2008932; classtype:web-application-attack; sid:2008932; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Agent.DNL Server Response Task (whoami)"; flow:established,to_client; http.content_type; content:"application/json|3b|"; startswith; file.data; content:"|7b 22|command|22 3a 22|d2hvYW1p|22 7d|"; bsize:22; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Date|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:40; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:command-and-control; sid:2033744; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SuperNews valor.php noticia Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/valor.php?"; nocase; content:"noticia="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8255; reference:bugtraq,34195; reference:url,doc.emergingthreats.net/2009744; classtype:web-application-attack; sid:2009744; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Base64 Encoded whoami in HTTP Server Response"; flow:established,to_client; file.data; content:"d2hvYW1p"; reference:md5,a6828081717974a89792548e1e31f29a; reference:url,twitter.com/fr0s7_/status/1428326979527381000; classtype:bad-unknown; sid:2033745; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2021_08_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat SELECT"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004822; classtype:web-application-attack; sid:2004822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Malgent!MSR Dropper Requesting Payload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api"; endswith; http.request_body; content:"4F440D71527A05240C72440216527C015109"; startswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,4c1e57a0388a703307319d17ae5e9039; classtype:trojan-activity; sid:2033746; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004823; classtype:web-application-attack; sid:2004823; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Malgent!MSR User-Agent"; flow:established,to_server; http.user_agent; content:"Not a Virus Download A"; bsize:22; fast_pattern; http.header_names; content:!"Referer"; reference:md5,4c1e57a0388a703307319d17ae5e9039; classtype:trojan-activity; sid:2033747; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat INSERT"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004824; classtype:web-application-attack; sid:2004824; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Pulse Secure VPN Version Disclosure Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/misc/admin.cgi"; fast_pattern; classtype:attempted-recon; sid:2033749; rev:1; metadata:affected_product Pulse_Secure, created_at 2021_08_20, former_category INFO, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat DELETE"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004825; classtype:web-application-attack; sid:2004825; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/setcookie.cgi"; fast_pattern; xbits:isset,ET.2020_8260.2,track ip_src,expire 10; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033752; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat ASCII"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004826; classtype:web-application-attack; sid:2004826; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure VPN RCE Chain Stage 3 Inbound - Execute Mal Config Trigger, PoC Based (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/setcookie.cgi"; fast_pattern; http.header; pcre:"/^[A-Z]{8}\x3a/m"; xbits:isset,ET.2020_8260.2,track ip_src,expire 10; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033753; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE"; flow:established,to_server; http.uri; content:"/directory.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7034; reference:url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded; reference:url,doc.emergingthreats.net/2004827; classtype:web-application-attack; sid:2004827; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange ProxyLogon Activity - OABVirtualDirectory SetObject (CVE-2021-27065)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ecp/"; content:"/SetObject?"; content:"schema=OABVirtualDirectory"; fast_pattern; http.header; content:"msExchLogonMailbox|3a|"; http.request_body; content:"__type"; content:"Microsoft.Exchange.Management.ControlPanel"; distance:0; content:"ExternalUrl"; distance:0; reference:url,github.com/praetorian-inc/proxylogon-exploit/blob/main/exploit.py; reference:cve,2021-27065; classtype:attempted-admin; sid:2033754; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_27065, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp SELECT"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006633; classtype:web-application-attack; sid:2006633; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Initial Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/setTargetObject"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b|null|5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5bnull\x5d/"; xbits:set,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033755; rev:1; metadata:created_at 2021_08_20, cve CVE_2021_21985, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006634; classtype:web-application-attack; sid:2006634; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT vCenter Server RCE Chain Final Stage Inbound (CVE-2021-21985)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ui/h5-vsan/"; content:"/&vsanProviderUtils_setVmodlHelper/invoke"; endswith; fast_pattern; http.request_body; content:"|22|methodInput|22|"; content:"|5b 5d|"; distance:0; pcre:"/^\x7b/s*\x22methodInput\x22\s*\x3a\s*\x5b\x5d/"; xbits:isset,ET.2021_21985,track ip_src,expire 60; reference:url,www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/; reference:cve,2021-21985; classtype:attempted-admin; sid:2033756; rev:1; metadata:attack_target Server, created_at 2021_08_20, cve CVE_2021_21985, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp INSERT"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006635; classtype:web-application-attack; sid:2006635; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; http.uri; content:".exe"; fast_pattern; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/"; http.header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http.host; content:!".bloomberg.com"; content:!"leg1.state.va.us"; content:!"7-zip.org"; content:!"virginia.gov"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:45; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2022566; rev:8; metadata:created_at 2016_02_26, former_category MALWARE, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp DELETE"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006636; classtype:web-application-attack; sid:2006636; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any ![902] -> any any (msg:"ET MALWARE US-CERT TA14-353A Proxy Tool 3"; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern; reference:url,www.us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:2020019; rev:3; metadata:created_at 2014_12_23, updated_at 2021_08_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp ASCII"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006637; classtype:web-application-attack; sid:2006637; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/card_scan"; startswith; fast_pattern; content:".php"; distance:0; within:15; content:"=|60|"; reference:cve,2019-7256; classtype:attempted-admin; sid:2033757; rev:1; metadata:created_at 2021_08_22, cve CVE_2019_7256, former_category EXPLOIT, updated_at 2021_08_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE"; flow:established,to_server; http.uri; content:"/sendarticle.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006638; classtype:web-application-attack; sid:2006638; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Genexis PLATINUM 4410 Command Injection Inbound (CVE-2021-29003)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sys_config_valid.xgi?exeshell="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2021-29003; classtype:attempted-admin; sid:2033758; rev:1; metadata:attack_target Server, created_at 2021_08_22, cve CVE_2021_29003, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp SELECT"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006639; classtype:web-application-attack; sid:2006639; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Unknown Target Application Command Injection Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nrdh.php?cmd"; fast_pattern; content:"="; distance:0; within:3; pcre:"/^.{0,5}(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2033759; rev:1; metadata:attack_target Server, created_at 2021_08_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006640; classtype:web-application-attack; sid:2006640; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark Uploading to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?q="; content:"o543n"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.request_body; content:"|7b 22|Data|22 3a 5b 22|"; startswith; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; content:"|22 5d 7d|"; classtype:command-and-control; sid:2033762; rev:1; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_08_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp INSERT"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006641; classtype:web-application-attack; sid:2006641; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon"; flow:established,to_server; urilen:>125; http.method; content:"GET"; http.uri; content:"/images/"; fast_pattern; content:".gif"; distance:100; pcre:"/\/images(?:\/[a-zA-Z0-9_]+)+\.gif$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; pcre:"/^User-Agent\x3a\x20(?:Mozilla\/|Shockwave)/mi"; http.user_agent; content:!"ms-office"; reference:md5,f48f626cf746a2c3c73182c752c481b6; reference:md5,8ab21ac9199d3ced2230924b90f49f0d; classtype:command-and-control; sid:2021813; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_08_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp DELETE"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006642; classtype:web-application-attack; sid:2006642; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .magicalgirlonlive .com)"; dns.query; content:"www.magicalgirlonlive.com"; nocase; bsize:25; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033763; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp ASCII"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006643; classtype:web-application-attack; sid:2006643; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .getkiplayer .com)"; dns.query; content:"www.getkiplayer.com"; nocase; bsize:19; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033764; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE"; flow:established,to_server; http.uri; content:"/printarticle.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006644; classtype:web-application-attack; sid:2006644; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .supapureigemu .com)"; dns.query; content:"www.supapureigemu.com"; nocase; bsize:21; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033765; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006645; classtype:web-application-attack; sid:2006645; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cinobi Banking Trojan Domain in DNS Lookup (www .chirigame .com)"; dns.query; content:"www.chirigame.com"; nocase; bsize:17; reference:url,www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html; classtype:trojan-activity; sid:2033766; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006646; classtype:web-application-attack; sid:2006646; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FlyTrap Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/cookies"; bsize:12; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"app=FBManager&type=cookie&account="; startswith; content:"&cookies="; distance:0; content:"&deleted="; http.header_names; content:!"Referer"; reference:url,blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/; classtype:trojan-activity; sid:2033767; rev:1; metadata:attack_target Mobile_Client, created_at 2021_08_23, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006647; classtype:web-application-attack; sid:2006647; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M1"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|D3|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033768; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006648; classtype:web-application-attack; sid:2006648; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M2"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|D4|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006649; classtype:web-application-attack; sid:2006649; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M3"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|BUNIFU|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033770; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID SELECT"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006651; classtype:web-application-attack; sid:2006651; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HMCH Dropper User-Agent M4"; flow:established,to_server; http.header; content:"|0d 0a|User-Agent|3a 20|EXE|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,59075c68ce103414d52aabced411043c; classtype:trojan-activity; sid:2033771; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006652; classtype:web-application-attack; sid:2006652; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware CnC Checkin"; http.method; content:"POST"; http.uri; content:"|2f|key|2f|"; http.host; content:"karen|2e|"; startswith; fast_pattern; http.user_agent; content:"Go|2d|http|2d|client"; http.request_body; content:"id|3d|"; startswith; content:"|2d|"; distance:8; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|2d|"; distance:4; within:1; content:"|26|key|3d|"; distance:12; within:5; isdataat:!513,relative; pcre:"/id\x3d[a-z0-9]{8}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{4}\x2d[a-z0-9]{12}\x26key\x3d[a-z0-9]{512}/"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033772; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID INSERT"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006653; classtype:web-application-attack; sid:2006653; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware Powershell Loader"; http.method; content:"GET"; http.uri; content:"|2f|loader|2f|loader2.ps1"; fast_pattern; http.host; content:"karen|2e|"; startswith; http.user_agent; content:"Go|2d|http|2d|client"; http.header_names; content:!"Referer"; reference:md5,f155ec35d67f746593ce8cc4e64d33e5; reference:url,twitter.com/fbgwls245/status/1427610307283677186; classtype:trojan-activity; sid:2033773; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID DELETE"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006654; classtype:web-application-attack; sid:2006654; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Karen Ransomware Domain (karen .h07 .wlh .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"karen.h07.wlh.io"; bsize:16; fast_pattern; reference:url,twitter.com/fbgwls245/status/1427610307283677186; reference:url,F155EC35D67F746593CE8CC4E64D33E5; classtype:trojan-activity; sid:2033774; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_08_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ASCII"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006655; classtype:web-application-attack; sid:2006655; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Use-After-Free in QuickTimePluginReplacement (CVE-2021-1879)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"var"; pcre:"/^\s*(?P<worker>[A-Za-z0-9_-]{1,20})\s*=\s*null\x3b.{1,300}(?P=worker)\s*=\s*document\.getElementById\([\x22\x27](?P=worker)[\x22\x27]\)\x3b.{1,300}\.addEventListener\([\x22\x27]DOMNodeInserted[\x22\x27]\s*,\s*(?P<callback0>[A-Za-z0-9_-]{1,20}).{0,300}(?P=worker)(?P<worker_ext>(\.\w{1,20})+)\s*=\s*\d+\x3b.{1,300}function\s*(?P=callback0)\([^\)]+\)\s*\{\s*.{1,300}\.requestAnimationFrame\((?P<callback>[A-Za-z0-9_-]{1,20})\)\x3b.{1,300}function\s*(?P<garbagecollector>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*.{0,100}for\s*\(let\s*(?P<gc_counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=gc_counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=gc_counter)(?:\+{2}|-{2})\s*\)\s*.{1,300}function\s*(?P=callback)\([^\)]+\)\s*\{\s*.{1,300}(?P=garbagecollector)\(\)\s*\x3b\s*.{1,300}\((?P=worker)(?P=worker_ext)\)/Rs"; content:"document.getElementById|28|"; content:".addEventListener|28 22|DOMNodeInserted"; content:"window.requestAnimationFrame"; fast_pattern; reference:cve,2021-1879; classtype:attempted-admin; sid:2033781; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2021_1879, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/preferences.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006656; classtype:web-application-attack; sid:2006656; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InjectJsBuiltInLibraryCode Use-After-Free Inbound (CVE-2019-0568)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<opt>[A-Za-z0-9_-]{1,20})\(\)\s*\{\s*let\s*(?P<o_var>[A-Za-z0-9_-]{1,20})\s*=\s*\{\}\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=o_var)\.(?P<x_prop>[A-Za-z0-9_-]{1,20}).{1,300}for\s*\(\s*let\s*(?P<counter>[A-Za-z0-9_-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=counter)(?:\+{2}|-{2})\).{1,100}(?P=opt)\(\).{1,300}let\s*(?P<leaked_stack_obj>[A-Za-z0-9_-]{1,20})\s*=\s*null.{1,100}let\s*(?P<obj_proto>[A-Za-z0-9_-]{1,20})\s*=\s*\(\{\}\)\.__proto__\x3b.{1,300}(?P=obj_proto)\.__defineGetter__\([\x22\x27](?P=x_prop)[\x22\x27],\s*Error\.prototype\.toString\)\x3b\s*(?:\/\/[\w\s_-]+)?(?:\/\/\s*[^\r\n]+\r\n)?(?P=obj_proto)\.__defineGetter__\([\x22\x27](?P<message_proto>[A-Za-z0-9_-]{1,20})[\x22\x27].{1,300}delete\s*(?P=obj_proto)\.(?P=message_proto)\x3b.{1,300}(?P=obj_proto)\.\w+\s*=\s*Array\.prototype.{1,300}(?P=opt)/Rs"; content:"|28 7b 7d 29|.__proto__"; fast_pattern; content:"Error.prototype.toString"; reference:cve,2019-0568; classtype:attempted-admin; sid:2033775; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_24, cve CVE_2019_0568, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cgi/surgeftpmgr.cgi?"; nocase; content:"cmd=class&"; nocase; content:"classid="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/38097; reference:url,packetstormsecurity.org/1001-exploits/surgeftp-xss.txt; reference:url,doc.emergingthreats.net/2011065; classtype:web-application-attack; sid:2011065; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; fast_pattern; http.request_body; content:"g="; startswith; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033776; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/preview.php?"; nocase; content:"synTarget="; nocase; reference:url,www.milw0rm.com/exploits/7977; reference:bugtraq,33601; reference:url,doc.emergingthreats.net/2009145; classtype:web-application-attack; sid:2009145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?di="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033777; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Telephone Directory 2008 edit1.php code Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/edit1.php?"; nocase; content:"action=confirm_data"; nocase; content:"code="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,29614; reference:url,xforce.iss.net/xforce/xfdb/42972; reference:url,milw0rm.com/exploits/5764; reference:url,doc.emergingthreats.net/2010098; classtype:web-application-attack; sid:2010098; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSO Group Pegasus Related Data Exfil (POST) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a 0d 0a|"; bsize:48; fast_pattern; http.request_body; content:"silly=./"; startswith; content:"&kusr="; distance:0; reference:url,www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html; reference:md5,0a1c6d9cd67172995d22fa54946662f0; classtype:trojan-activity; sid:2033778; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006003; classtype:web-application-attack; sid:2006003; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE a310Logger Stealer Exfil (SMTP)"; flow:established,to_server; content:"Subject|3a 20|Passwords:::"; fast_pattern; content:"CompName|3a 20|"; content:"Windows|20|Version|3a 20|"; content:"Url"; content:"============================="; reference:md5,3ad8fcbd4c1f1d525207679eb23f3e3c; reference:url,twitter.com/James_inthe_box/status/1407463890078691331; reference:url,app.any.run/tasks/f403243a-ee3c-4797-ba30-616c766d6005/; classtype:trojan-activity; sid:2033167; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006004; classtype:web-application-attack; sid:2006004; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Clipboard Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Keylogger|3a 3a 3a|"; fast_pattern; content:"[CLIPBOARD]"; distance:0; reference:md5,5f04cfa0c174af13b9825337bfa7691f; classtype:trojan-activity; sid:2033779; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006005; classtype:web-application-attack; sid:2006005; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/a310Logger Data Exfil via SMTP"; flow:established,to_server; content:"Subject|3a 20|Data|3a 3a 3a|"; fast_pattern; content:".zip|22 0d 0a 0d 0a|UEsDB"; distance:0; reference:md5,5f04cfa0c174af13b9825337bfa7691f; classtype:trojan-activity; sid:2033780; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006006; classtype:web-application-attack; sid:2006006; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M1 (CVE-2018-8617)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<func_opt>[\w-]{1,20})\((?P<var_a>[\w-]{1,20})\s*,\s*(?P<var_b>[\w-]{1,20}).{1,300}(?:(?P=var_a)\.(?P=var_b)|(?P=var_b)\.(?P=var_a))\s*=\s*\d+\x3b\s*(?:(?P=var_a)|(?P=var_b))\.push\(\d+\)\x3b\s*(?:(?P=var_a)\.(?P=var_a)|(?P=var_b)\.(?P=var_b))\s*=\s*0x.{1,300}Object\.prototype\.push\s*=\s*Array\.prototype\.push\x3b\s*for\s*\(\s*let\s*(?P<counter>[\w-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=counter)(?:\+{2}|-{2})\).{1,300}let\s*(?:(?P=var_a)|(?P=var_b))\s*=\s*\{(?:(?P=var_a):\s*\d+\s*,\s*(?P=var_b):\s*\d+|(?:(?P=var_b):\s*\d+\s*,\s*(?P=var_a):\s*\d+))\}\x3b.{1,300}(?P=func_opt)\((?:(?P=var_a)|(?P=var_b)),\s*\{\}.{1,300}let\s*(?P<var_o>[\w-]{1,20})\s*=\s*\{(?:(?P=var_a):\s*\d+\s*,\s*(?P=var_b):\s*\d+|(?:(?P=var_b):\s*\d+\s*,\s*(?P=var_a):\s*\d+))\}.{1,300}(?P=func_opt)\((?P=var_o)/Rs"; content:"Object.prototype.push = Array.prototype.push"; fast_pattern; content:".push|28|"; reference:cve,2018-8617; classtype:attempted-admin; sid:2033782; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2018_8617, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006007; classtype:web-application-attack; sid:2006007; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - NewScObjectNoCtor InitProtoType Confusion Inbound (CVE-2019-0567)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"function"; pcre:"/^\s*(?P<func_a>[\w-]{1,20})\((?P<obj1>[\w-]{1,20})\s*,\s*(?P<tmp_obj>[\w-]{1,20})\s*,\s*(?P<value>[\w-]{1,20})\).{1,300}(?P=obj1)\.\w+\s*=\s*\d+\.\d+\x3b\s*var\s*\w+\s*=\s*\{__proto__:\s*(?P=tmp_obj)\}\x3b\s*(?P=obj1)\.\w+\s*=\s*(?P=value)\x3b.{1,300}var\s*(?P=obj1)\s*=\s*\{\w+:\s*\d+\.\d+\s*,\s*\w+:\s*\d+\.\d+\}\x3b\s*for\s*\(\s*var\s*(?P<counter>[\w-]{1,20})\s*=\s*\d{1,8}\s*\x3b\s*(?P=counter)\s*(?:<|>)\s*(?:0x)?\d{2,}\s*\x3b\s*(?P=counter)(?:\+{2}|-{2})\)\s*\{\s*(?P=func_a)\((?P=obj1)\s*,\s*(\x22{2}|\x27{2})\s*,\s*(\x22{2}|\x27{2})\)\x3b.{1,300}(?P=func_a)\((?P=obj1)\s*,\s*(?P=obj1)\s*,\s*\d+\.\d{8,}.{1,300}eval\((?P=obj1)\./Rs"; content:" = |7b|__proto__|3a|"; fast_pattern; content:"eval|28|"; reference:cve,2019-0567; classtype:attempted-admin; sid:2033783; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, cve CVE_2019_0567, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"lastname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006008; classtype:web-application-attack; sid:2006008; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup"; dns.query; content:"update.facebookint.workers.dev"; nocase; bsize:30; reference:url,www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:domain-c2; sid:2033784; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Winnti_related, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006009; classtype:web-application-attack; sid:2006009; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SparklingGoblin/Winnti Group SideWalk Domain in DNS Lookup"; dns.query; content:"cdn.cloudfiare.workers.dev"; nocase; bsize:26; reference:url,www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:domain-c2; sid:2033785; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Winnti_related, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006010; classtype:web-application-attack; sid:2006010; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .microcaft .xyz)"; dns.query; content:"microsoft.microcaft.xyz"; nocase; bsize:23; reference:url,twitter.com/Timele9527/status/1430351736921681928; classtype:domain-c2; sid:2033786; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006011; classtype:web-application-attack; sid:2006011; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FerociousKitten CnC Domain in DNS Lookup (microsoft .com-view .space)"; dns.query; content:"microsoft.com-view.space"; nocase; bsize:24; reference:url,twitter.com/Timele9527/status/1430351736921681928; classtype:domain-c2; sid:2033787; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006012; classtype:web-application-attack; sid:2006012; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|BM6OAa1XCpH4x4"; fast_pattern; content:"SEnJYZXmyHhJG8JxC|0d|"; distance:1; within:18; http.header_names; content:"HTTP_X_CNT|0d|"; content:"HTTP_X_CMD|0d|"; classtype:attempted-admin; sid:2033788; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006013; classtype:web-application-attack; sid:2006013; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"HTTP_X_KEY|3a 20|zzdibweoQxffnDEi2UKacJlEekplJ7uwrt|0d|"; fast_pattern; http.header_names; content:"HTTP_X_CNT|0d|"; content:"HTTP_X_CMD|0d|"; classtype:attempted-admin; sid:2033789; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"firstname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006014; classtype:web-application-attack; sid:2006014; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER SLIGHTPULSE WebShell Access Inbound M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/licenseserverproto.cgi"; content:"serverid="; content:"csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa"; distance:0; within:35; fast_pattern; classtype:attempted-admin; sid:2033790; rev:1; metadata:created_at 2021_08_25, deployment SSLDecrypt, former_category WEB_SERVER, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006015; classtype:web-application-attack; sid:2006015; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni RAT Exfiltrating Data"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?name="; fast_pattern; http.request_body; content:"name=|22|fileToUpload|22 3b|"; content:"Upload|20|Image|0d 0a|----"; distance:0; content:"|00 00 00 00 00 00|"; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/; classtype:command-and-control; sid:2033791; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006016; classtype:web-application-attack; sid:2006016; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sinresby.B Downloader CnC Activity M1"; flow:established,to_server; http.request_line; content:"POST /?c=Public&a=get_config"; startswith; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|9|2e|0|3b 20|Windows|20|NT|20|6|2e|1|29|"; bsize:50; http.referer; content:"/?c=Public&a=get_config"; endswith; reference:md5,8049009d9675d5ac345ce96d1a7c9e67; classtype:command-and-control; sid:2033792; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006017; classtype:web-application-attack; sid:2006017; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sinresby.B Downloader CnC Activity M2"; flow:established,to_server; content:"|00 00 00 7b 22 63 67 69 22 3a 31|"; offset:1; depth:11; content:"|22|data|22 3a 7b 22|mac|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|pc|22 3a 22|"; distance:0; reference:md5,8049009d9675d5ac345ce96d1a7c9e67; classtype:command-and-control; sid:2033793; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006018; classtype:web-application-attack; sid:2006018; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Konni RAT Querying CnC for Commands"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&prefix=tt"; endswith; fast_pattern; reference:url,blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/; classtype:trojan-activity; sid:2033794; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006019; classtype:web-application-attack; sid:2006019; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M4"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; content:"&user="; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"-"; offset:2; depth:1; content:"-"; distance:2; within:1; content:"-"; distance:2; within:1; content:"-"; distance:2; within:1; content:"-"; distance:1; within:1; isdataat:!2,relative; bsize:15; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:command-and-control; sid:2033795; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordOld="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006020; classtype:web-application-attack; sid:2006020; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET [!25,!587] -> $HOME_NET any (msg:"ET JA3 Hash - Suspected Cobalt Strike Malleable C2 (ja3s) M1"; flow:established,from_server; ja3s.hash; content:"649d6810e8392f63dc311eecb6b7098b"; tls.cert_subject; content:!"servicebus.windows.net"; flowbits:isset,ET.cobaltstrike.ja3; classtype:command-and-control; sid:2028832; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_15, deployment Perimeter, former_category JA3, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006021; classtype:web-application-attack; sid:2006021; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (Custom Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; bsize:24; fast_pattern; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8|0d 0a|Accept-Language|3a 20|en-US,en|3b|q=0.5|0d 0a|Accept-Encoding|3a 20|gzip,|20|deflate,|20|br|0d 0a|sec-fetch-dest|3a 20|empty|0d 0a|"; http.cookie; content:"ANID="; startswith; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:md5,4d9798fee3636a228dc420d338fd6f59; classtype:command-and-control; sid:2033796; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006023; classtype:web-application-attack; sid:2006023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (windowsupdatesc .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"windowsupdatesc.com"; bsize:19; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033797; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006024; classtype:web-application-attack; sid:2006024; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (securityupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"securityupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033798; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006025; classtype:web-application-attack; sid:2006025; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (defenderupdateav .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"defenderupdateav.com"; bsize:20; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:domain-c2; sid:2033799; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_25, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"passwordNew="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006026; classtype:web-application-attack; sid:2006026; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LIST)"; flow: to_server,established; tls.sni; content:"LIST-"; startswith; fast_pattern; pcre:"/^LIST-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033800; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006027; classtype:web-application-attack; sid:2006027; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LS)"; flow: to_server,established; tls.sni; content:"LS-"; startswith; fast_pattern; pcre:"/^LS-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033801; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006028; classtype:web-application-attack; sid:2006028; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (SIZE)"; flow: to_server,established; tls.sni; content:"SIZE-"; startswith; fast_pattern; pcre:"/^SIZE-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033802; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006029; classtype:web-application-attack; sid:2006029; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (LD)"; flow: to_server,established; tls.sni; content:"LD-"; startswith; fast_pattern; pcre:"/^LD-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033803; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006030; classtype:web-application-attack; sid:2006030; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CB)"; flow: to_server,established; tls.sni; content:"CB-"; startswith; fast_pattern; pcre:"/^CB-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033804; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006031; classtype:web-application-attack; sid:2006031; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (CD)"; flow: to_server,established; tls.sni; content:"CD-"; startswith; fast_pattern; pcre:"/^CD-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033805; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006032; classtype:web-application-attack; sid:2006032; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EX)"; flow: to_server,established; tls.sni; content:"EX-"; startswith; fast_pattern; pcre:"/^EX-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033806; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006033; classtype:web-application-attack; sid:2006033; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (ALIVE)"; flow: to_server,established; tls.sni; content:"ALIVE-"; startswith; fast_pattern; pcre:"/^ALIVE-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033807; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006034; classtype:web-application-attack; sid:2006034; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (EXIT)"; flow: to_server,established; tls.sni; content:"EXIT-"; startswith; fast_pattern; pcre:"/^EXIT-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033808; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006035; classtype:web-application-attack; sid:2006035; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SNIcat - Detected C2 Commands (finito)"; flow: to_server,established; tls.sni; content:"finito-"; startswith; fast_pattern; pcre:"/^finito-[A-Za-z0-9]{16}\./";  reference:url,mnemonic.no/blog/introducing-snicat/; reference:url,github.com/mnemonic-no/SNIcat/blob/master/signatures/snicat.rules; classtype:command-and-control; sid:2033809; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SNIcat, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006036; classtype:web-application-attack; sid:2006036; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Default CobaltStrike SSL Certificate"; flow:established,to_client; tls.cert_issuer; content:"C=Earth"; nocase; content:"ST=Cyberspace"; nocase; content:"L=Somewhere"; nocase; content:"O=cobaltstrike"; nocase; content:"OU=AdvancedPenTesting"; nocase; content:"CN=Major Cobalt Strike"; nocase; fast_pattern; reference:url,fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html; classtype:trojan-activity; sid:2030111; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_05_06, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006037; classtype:web-application-attack; sid:2006037; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Custom Wordpress Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.cookie; content:"wordpress_"; startswith; fast_pattern; pcre:"/^(?:[a-f0-9]{32})=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; reference:md5,926ecee0190a5211a9670f369007ec3a; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:command-and-control; sid:2033810; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"language="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006038; classtype:web-application-attack; sid:2006038; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdn .net)"; dns.query; content:"api-cdn.net"; nocase; bsize:11; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033811; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006039; classtype:web-application-attack; sid:2006039; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (git-api .com)"; dns.query; content:"git-api.com"; nocase; bsize:11; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033812; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006040; classtype:web-application-attack; sid:2006040; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN8 SARDONIC CnC Domain in DNS Lookup (api-cdnw5 .net)"; dns.query; content:"api-cdnw5.net"; nocase; bsize:13; reference:url,www.bitdefender.com/blog/labs/fin8-threat-actor-spotted-once-again-with-new-sardonic-backdoor/; classtype:domain-c2; sid:2033813; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006041; classtype:web-application-attack; sid:2006041; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type=text"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,db7ffa8d3fa480e489c9062b18067f36; classtype:command-and-control; sid:2033814; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006042; classtype:web-application-attack; sid:2006042; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Click and Removal of Download Element"; flow:established, to_client; http.stat_code; content:"200"; file.data; content:"e|2e|setAttribute|28 22|download|22 2c 22 22 29|"; fast_pattern; content:"e|2e|click|28 29 2c|e|2e|remove|28 29|"; distance:0;  reference:url,www.bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033816; rev:1; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006043; classtype:web-application-attack; sid:2006043; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"onedrivelive.me"; nocase; bsize:15; classtype:domain-c2; sid:2035796; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"defaultLetter="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006044; classtype:web-application-attack; sid:2006044; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; content:"librarycollection.org"; nocase; bsize:21; classtype:domain-c2; sid:2035797; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006045; classtype:web-application-attack; sid:2006045; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Javascript Displays malicious download page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|22 26|gt|3b 26|lt|3b|div|26|gt|3b 26|lt|3b|h1|26|gt|3b|Your|20|download|20|will|20|start|20|shortly|2e 26|lt|3b 2f|h1|26|gt|3b 26|lt|3b|p|26|gt|3b|If|20|your|20|download|20|does|20|not|20|start|2c 20|please|20 26|lt|3b|a|20|href|3d 22|"; fast_pattern; reference:url,www,bleepingcomputer.com/news/security/phishing-campaign-uses-upscom-xss-vuln-to-distribute-malware/; classtype:social-engineering; sid:2033815; rev:2; metadata:created_at 2021_08_26, former_category MALWARE, updated_at 2021_08_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006046; classtype:web-application-attack; sid:2006046; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (ywbgrcrupasdiqxknwgceatlnbvmezti .com)"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033822; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006047; classtype:web-application-attack; sid:2006047; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Prestashop Orderfiles Module Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; startswith; nocase; content:"module=orderfiles"; nocase; content:"controller=filesmanager"; nocase; fast_pattern; http.request_body; content:"addfile"; nocase; content:"file|5b|"; nocase; classtype:attempted-admin; sid:2033826; rev:1; metadata:attack_target Server, created_at 2021_08_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006048; classtype:web-application-attack; sid:2006048; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Prestashop Supercheckout Module Arbitrary File Upload"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/index.php"; startswith; nocase; content:"module=supercheckout"; nocase; content:"controller=supercheckout"; nocase; content:"method=SaveFilesCustomField"; nocase; fast_pattern; http.request_body; content:"custom_fields|5b|"; nocase; classtype:attempted-admin; sid:2033827; rev:1; metadata:attack_target Server, created_at 2021_08_27, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006049; classtype:web-application-attack; sid:2006049; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (pdjwebrfgdyzljmwtxcoyomapxtzchvn .com)"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033828; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserPass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006050; classtype:web-application-attack; sid:2006050; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (etzndtcvqvyxajpcgwkzsoweaubilflh .com)"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; bsize:36; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033831; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006051; classtype:web-application-attack; sid:2006051; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/br.ico"; fast_pattern; http.header; content:"Connection|3a 20|Close|0d 0a|"; http.user_agent; content:"Mozilla/5.0|20|(iPhone|3b 20|CPU|20|iPhone|20|OS|20|12_0|20|like Mac|20|OS|20|X)|20|AppleWebKit/605.1.15|20|(KHTML,|20|like|20|Gecko)|20|Version/12.0"; bsize:108; http.header_names; content:!"Referer"; http.accept; content:"image/*"; bsize:7; reference:md5,efcf2797aaa1ff0bb8914aba8e3a5e15; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033820; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006052; classtype:web-application-attack; sid:2006052; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image-directory/fam_newspaper.ico"; fast_pattern; http.header; content:"Connection|3a 20|Close|0d 0a|"; http.user_agent; content:"Mozilla/5.0|20|(Linux|3b 20|Android|20|7.0|3b 20|Pixel|20|C|20|Build/NRD90M|3b 20|wv)|20|AppleWebKit/537.36|20|(KHTML,|20|like|20|Gecko)|20|Version/4.0"; bsize:109; http.header_names; content:!"Referer"; reference:md5,3dd7eb4707c960948f24367ecd652971; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033821; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_08_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006053; classtype:web-application-attack; sid:2006053; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Document Stealer Exfil"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|nnnnnnnmmmmmmmmmmmeeeee|0d 0a|"; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header; content:"__IIIIMMMMM|0d 0a|"; fast_pattern; reference:md5,8df25eee669d222ab9e002ac7d81228f; classtype:trojan-activity; sid:2033818; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006054; classtype:web-application-attack; sid:2006054; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenCBL.XS CnC Activity"; flow:established,to_server; content:"|30 32 bc|"; startswith; content:"|bc 4d 4a 56 3a 20|"; distance:0; content:"|20 31 20 2d 20 42 75 69 6c 64 20 3a 20|"; distance:0; fast_pattern; reference:md5,9dfd2f831b3672dc0c50b98550d3aa06; classtype:command-and-control; sid:2033819; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006055; classtype:web-application-attack; sid:2006055; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (esnoptdkkiirzewlpgmccbwuynvxjumf .name)"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033832; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserType="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006056; classtype:web-application-attack; sid:2006056; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (nfcomizsdseqiomzqrxwvtprxbljkpgd .name)"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033829; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006057; classtype:web-application-attack; sid:2006057; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (hkxpqdtgsucylodaejmzmtnkpfvojabe .com)"; dns.query; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; bsize:36; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033830; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006058; classtype:web-application-attack; sid:2006058; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (ruciplbrxwjscyhtapvlfskoqqgnxevw .name)"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033825; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006059; classtype:web-application-attack; sid:2006059; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (yhgrffndvzbtoilmundkmvbaxrjtqsew .com)"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; bsize:36; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033823; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006060; classtype:web-application-attack; sid:2006060; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE HCRootkit CnC Domain in DNS Lookup (wcmbqxzeuopnvyfmhkstaretfciywdrl .name)"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; bsize:37; fast_pattern; reference:url,twitter.com/AvastThreatLabs/status/1430527767855058949; classtype:command-and-control; sid:2033824; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006061; classtype:web-application-attack; sid:2006061; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Cobalt Strike Beacon Activity (DNS)"; threshold: type both, track by_src, count 3, seconds 5; dns.query; pcre:"/^[a-z0-9]{32}/"; content:".defenderupdateav.com"; endswith; fast_pattern; reference:url,thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/; classtype:trojan-activity; sid:2033817; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"newuserEmail="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006062; classtype:web-application-attack; sid:2006062; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/44Caliber Stealer Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"44CALIBER|20|MODIFIED|20|BY"; nocase; fast_pattern; content:"Build|3a 20|"; distance:0; content:"PC|3a 20|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1431366451231801346; reference:url,app.any.run/tasks/366ad91a-2b9d-4ca0-8e1d-269f61558aa6/; reference:md5,32595ac79386e97e05f876c5dd2ab874; classtype:command-and-control; sid:2033833; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_08_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006063; classtype:web-application-attack; sid:2006063; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange - Information Disclosure flowbit set (CVE-2021-33766)"; flow:established,to_server; http.uri; content:"/ecp/"; nocase; fast_pattern; http.cookie; content:"SecurityToken="; flowbits:set,ET.proxytoken; reference:cve,2021-33766; classtype:attempted-admin; sid:2033834; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_33766, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006064; classtype:web-application-attack; sid:2006064; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange - InboxRules.svc Access Observed Following Successful ProxyToken Attack"; flow:established,to_server; http.uri; content:"/ecp/"; nocase; content:"RulesEditor/InboxRules.svc/"; fast_pattern; content:"?msExchEcpCanary="; xbits:isset,ET.proxytoken.500,track ip_src,expire 30; classtype:attempted-admin; sid:2033836; rev:1; metadata:attack_target Server, created_at 2021_08_30, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006065; classtype:web-application-attack; sid:2006065; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formRebootCheck/formWsc Stack Buffer Overflow Inbound (CVE-2021-35392)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/"; pcre:"/^form(RebootCheck|Wsc)$/R"; http.request_body; content:"submit-url="; fast_pattern; isdataat:2000,relative; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35392; classtype:attempted-user; sid:2033837; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35392, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006066; classtype:web-application-attack; sid:2006066; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formStaticDHCP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formStaticDHCP"; endswith; fast_pattern; http.request_body; content:"hostname="; pcre:"/^[^&]{42,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033841; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006067; classtype:web-application-attack; sid:2006067; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlanMultipleAP Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlanMultipleAP"; endswith; fast_pattern; http.request_body; content:"submit-url="; pcre:"/^[^&]{512,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033842; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"goTo="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006068; classtype:web-application-attack; sid:2006068; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - Stack Buffer Overflow via UPnP SUBSCRIBE Callback Header Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.uri; content:"/upnp/"; http.header; content:"Callback|3a 20 3c|http"; fast_pattern; pcre:"/^Callback\x3a\x20\x3chttp[^\x3a]+\x3a\d{1,5}[^\/]/Hmi"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033843; rev:1; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006069; classtype:web-application-attack; sid:2006069; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033845; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006070; classtype:web-application-attack; sid:2006070; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%22%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033846; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006071; classtype:web-application-attack; sid:2006071; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=%27%3E%3Cscript%3E"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033847; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006072; classtype:web-application-attack; sid:2006072; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router Cross-site Scripting CVE-2021-34228 (boafrm) M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/"; fast_pattern; http.request_body; content:"=|22 3e 3c|script|3e|"; reference:url,github.com/pup2y/IoTVul/tree/main/TOTOLINK/A3002R; reference:cve,2021-34228; classtype:web-application-attack; sid:2033848; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2021_08_30, cve CVE_2021_34228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006073; classtype:web-application-attack; sid:2006073; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Microsoft Exchange - Successful msExchEcpCanary Disclosure (CVE-2021-33766)"; flow:established,from_server; http.stat_code; content:"500"; http.cookie; content:"msExchEcpCanary="; fast_pattern; flowbits:isset,ET.proxytoken; flowbits:unset,ET.proxytoken; xbits:set,ET.proxytoken.500,track ip_src,expire 30; reference:cve,2021-33766; classtype:attempted-admin; sid:2033835; rev:2; metadata:created_at 2021_08_30, cve CVE_2021_33766, former_category EXPLOIT, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006074; classtype:web-application-attack; sid:2006074; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Realtek SDK - formWlSiteSurvey Stack Buffer Overflow Inbound (CVE-2021-35393)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWlSiteSurvey"; fast_pattern; endswith; http.request_body; content:"ifname="; pcre:"/^[^&]{90,}/"; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35393; classtype:attempted-user; sid:2033838; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35393, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName SELECT"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006075; classtype:web-application-attack; sid:2006075; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Execution/Backdoor Access Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; endswith; http.request_body; content:"sysCmd="; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033839; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UNION SELECT"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006076; classtype:web-application-attack; sid:2006076; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Realtek SDK - Command Injection Inbound (CVE-2021-35395)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/formWsc"; fast_pattern; endswith; http.request_body; content:"peerPin="; content:"|3b|"; distance:0; within:50; reference:url,www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/; reference:cve,2021-35395; classtype:attempted-user; sid:2033840; rev:2; metadata:attack_target Server, created_at 2021_08_30, cve CVE_2021_35395, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName INSERT"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006077; classtype:web-application-attack; sid:2006077; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Shellcode Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shellcode/"; fast_pattern; startswith; content:".txt"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"python-requests/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8f21b629ef0aa2558962644a4a1605ca; classtype:bad-unknown; sid:2033844; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_30, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName DELETE"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006078; classtype:web-application-attack; sid:2006078; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WebSVN 2.6.0 OS Command Injection Inbound (CVE-2021-32305)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|"; fast_pattern; reference:cve,2021-32305; classtype:attempted-admin; sid:2033849; rev:1; metadata:attack_target Server, created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName ASCII"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006079; classtype:web-application-attack; sid:2006079; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M1"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"r|00|u|00|n|00|C|00|o|00|m|00|m|00|a|00|n|00|d"; fast_pattern; classtype:attempted-admin; sid:2033850; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE"; flow:established,to_server; http.uri; content:"/save.php?"; nocase; content:"groupAddName="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006080; classtype:web-application-attack; sid:2006080; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M1"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"runCommand"; fast_pattern; classtype:attempted-admin; sid:2033851; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/export.php?"; nocase; content:"export_to="; nocase; reference:bugtraq,33731; reference:url,milw0rm.com/exploits/8029; reference:url,doc.emergingthreats.net/2009169; classtype:web-application-attack; sid:2009169; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M2"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"g|00|e|00|t|00|R|00|u|00|n|00|t|00|i|00|m|00|e"; fast_pattern; classtype:attempted-admin; sid:2033852; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/examples/tbs_us_examples_0view.php?"; nocase; content:"script="; nocase; reference:url,milw0rm.com/exploits/8667; reference:url,vupen.com/english/advisories/2009/1304; reference:url,doc.emergingthreats.net/2009789; classtype:web-application-attack; sid:2009789; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M2"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:"getRuntime"; fast_pattern; classtype:attempted-admin; sid:2033853; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Script Toko Online shop_display_products.php cat_id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shop_display_products.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2009-0296; reference:url,secunia.com/advisories/33661/; reference:url,milw0rm.com/exploits/7873; reference:url,doc.emergingthreats.net/2009199; classtype:web-application-attack; sid:2009199; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt (Wide) M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".|00|e|00|x|00|e|00|c|00 28|"; fast_pattern; classtype:attempted-admin; sid:2033854; rev:1; metadata:attack_target Server, created_at 2021_08_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TorrentTrader Classic delreq.php categ Parameter Sql Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/torrenttrader109/delreq.php?"; nocase; content:"categ="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8958; reference:bugtraq,35369; reference:url,doc.emergingthreats.net/2010026; classtype:web-application-attack; sid:2010026; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible JNBridge Java Deserialization Attempt M3"; flow:established,to_server; content:"JNB"; startswith; pcre:"/^\d[012345]/R"; content:".exec|28|"; fast_pattern; classtype:attempted-admin; sid:2033855; rev:1; metadata:created_at 2021_08_31, former_category EXPLOIT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.php?"; nocase; content:"inc_dir="; nocase; reference:bugtraq,34617; reference:url,milw0rm.com/exploits/8494; reference:url,doc.emergingthreats.net/2009726; classtype:web-application-attack; sid:2009726; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 79"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6168f11bb42ff767a224396c2656ea87; classtype:command-and-control; sid:2020780; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/cms_detect.php?"; nocase; content:"include="; nocase; reference:url,milw0rm.com/exploits/8503; reference:bugtraq,34634; reference:url,doc.emergingthreats.net/2009729; classtype:web-application-attack; sid:2009729; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 69"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,262d04177c4bec3215db085fc4c44493; classtype:command-and-control; sid:2020770; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tours Manager cityview.php cityid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cityview.php?"; nocase; content:"cityid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32503/; reference:url,milw0rm.com/exploits/6988; reference:url,doc.emergingthreats.net/2008821; classtype:web-application-attack; sid:2008821; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 72"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1bb5562b08bae781086095c439fc9e8b; classtype:command-and-control; sid:2020773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TurnkeyForms Business Survey Pro id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/survey_results_text.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32561/; reference:url,milw0rm.com/exploits/7029; reference:url,doc.emergingthreats.net/2008827; classtype:web-application-attack; sid:2008827; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 85"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9f/s"; content:!"POST /"; content:!"microsoft.com"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6bc0070240a714175e44dd2d6bf98481; classtype:command-and-control; sid:2020786; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcategory.php?"; nocase; content:"cid="; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32568/; reference:url,milw0rm.com/exploits/7027; reference:url,doc.emergingthreats.net/2008828; classtype:web-application-attack; sid:2008828; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 41"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|c3 70|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xc3\x70/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,23bb9c2ed95e942f886d544fefd20d70; classtype:command-and-control; sid:2019083; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/listtest.php?"; nocase; content:"r="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32591/; reference:url,milw0rm.com/exploits/7035; reference:url,doc.emergingthreats.net/2008829; classtype:web-application-attack; sid:2008829; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 88"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,e3ac512a1978cec5eb8bc12fbb384e1f; classtype:command-and-control; sid:2020789; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id SELECT"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004869; classtype:web-application-attack; sid:2004869; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:established,to_server; stream_size:server,<,5; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; fast_pattern; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017916; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004870; classtype:web-application-attack; sid:2004870; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 40"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2018880; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_08_02, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id INSERT"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004871; classtype:web-application-attack; sid:2004871; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 28"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9b|"; offset:8; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,52849773bc0d08eb9dfcb0df2b7caf33; classtype:command-and-control; sid:2018166; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_21, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id DELETE"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004872; classtype:web-application-attack; sid:2004872; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 90"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1fa6460563cddcb165511c6b17ff4637; classtype:command-and-control; sid:2020791; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id ASCII"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004873; classtype:web-application-attack; sid:2004873; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"HALF"; bsize:4; fast_pattern; reference:md5,ff4ae9d00058d3e9d5034d043387c4be; reference:url,medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a; classtype:trojan-activity; sid:2032351; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE"; flow:established,to_server; http.uri; content:"/h_goster.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1022; reference:url,www.securityfocus.com/bid/22591; reference:url,doc.emergingthreats.net/2004874; classtype:web-application-attack; sid:2004874; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phishing Landing 2018-02-09 M2"; flow:established,to_client; http.header; content:!"X-LI-UUID|3a|"; nocase; file.data; content:"<title"; nocase; content:"Sign In|20 7c 20|LinkedIn"; nocase; within:40; classtype:social-engineering; sid:2025338; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_02_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2021_08_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug SELECT"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004672; classtype:web-application-attack; sid:2004672; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 74"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,178f7f122f1de5c759a6538d78d67277; classtype:command-and-control; sid:2020775; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UNION SELECT"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004673; classtype:web-application-attack; sid:2004673; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 30"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 5e|"; offset:13; depth:2; byte_jump:4,-10,little,relative,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,aa717cce1ccfc766e0c8ad7a217f4be3; classtype:command-and-control; sid:2018193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug INSERT"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004674; classtype:web-application-attack; sid:2004674; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018007; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug DELETE"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004675; classtype:web-application-attack; sid:2004675; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:established,to_server; stream_size:server,<,5; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017935; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ASCII"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004676; classtype:web-application-attack; sid:2004676; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 48"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|da 41|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\xda\x41/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,69ffa441a8c3cf4d8fe643174bebb51d; classtype:command-and-control; sid:2020607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE"; flow:established,to_server; http.uri; content:"/ViewReport.php?"; nocase; content:"bug="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1290; reference:url,www.secunia.com/advisories/24385; reference:url,doc.emergingthreats.net/2004677; classtype:web-application-attack; sid:2004677; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 87"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,32652a6c74e5358549a7c536c3080d58; classtype:command-and-control; sid:2020788; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s SELECT"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004678; classtype:web-application-attack; sid:2004678; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 61"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3f a6|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3f\xa6/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0045ce5ce7d697ecc86f1e44398bf404; classtype:command-and-control; sid:2020696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UNION SELECT"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2005185; classtype:web-application-attack; sid:2005185; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 91"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3d10b1c4471c7d29e968d9059f844aab; classtype:command-and-control; sid:2020792; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s INSERT"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004679; classtype:web-application-attack; sid:2004679; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 55"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|39 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f42a5b709bf9a1377d2464f936fc841; classtype:command-and-control; sid:2020614; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s DELETE"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004680; classtype:web-application-attack; sid:2004680; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:command-and-control; sid:2018032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ASCII"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004681; classtype:web-application-attack; sid:2004681; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Office Retrieving .rtf (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".rtf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1433038639961804800; reference:md5,c9f8addb927c3b96aee6a9f671a1f801; classtype:bad-unknown; sid:2033858; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE"; flow:established,to_server; http.uri; content:"/ViewBugs.php?"; nocase; content:"s="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1289; reference:url,www.securityfocus.com/bid/22799; reference:url,doc.emergingthreats.net/2004682; classtype:web-application-attack; sid:2004682; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET HUNTING Suspicious Request to iplogger .org Contains Period"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|"; http.host; content:"iplogger|2e|org"; bsize:12; fast_pattern; reference:md5,dcef208fcdac3345c6899a478d16980f; classtype:bad-unknown; sid:2033859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid SELECT"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005233; classtype:web-application-attack; sid:2005233; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (decoding .at)"; dns.query; content:"decoding.at"; nocase; bsize:11; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; classtype:bad-unknown; sid:2033860; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UNION SELECT"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005234; classtype:web-application-attack; sid:2005234; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (bigblog .at)"; dns.query; content:"bigblog.at"; nocase; bsize:10; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; classtype:bad-unknown; sid:2033861; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid INSERT"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005235; classtype:web-application-attack; sid:2005235; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .com)"; dns.query; content:"lockbit-decryptor.com"; nocase; bsize:21; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; reference:md5,5b741c6abf44d2eecd853addeafdcf24; classtype:bad-unknown; sid:2033862; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid DELETE"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005236; classtype:web-application-attack; sid:2005236; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Lockbit Ransomware Related Domain in DNS Lookup (lockbit-decryptor .top)"; dns.query; content:"lockbit-decryptor.top"; nocase; bsize:21; fast_pattern; reference:url,unit42.paloaltonetworks.com/emerging-ransomware-groups/; reference:md5,69bec32d50744293e85606a5e8f80425; classtype:bad-unknown; sid:2033863; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category INFO, signature_severity Major, tag Ransomware, updated_at 2021_09_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ASCII"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005237; classtype:web-application-attack; sid:2005237; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Pegasus Domain (hooklevel .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hooklevel.com"; bsize:13; fast_pattern; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033864; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE"; flow:established,to_server; http.uri; content:"/banner.php?"; nocase; content:"bid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0520; reference:url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded; reference:url,doc.emergingthreats.net/2005238; classtype:web-application-attack; sid:2005238; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Pegasus Domain (api1r3f4 .redirectweburl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".api1r3f4.redirectweburl.com"; endswith; fast_pattern; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033865; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, malware_family Pegasus, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci SELECT"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006886; classtype:web-application-attack; sid:2006886; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (start-anew .net)"; dns.query; content:"start-anew.net"; nocase; bsize:14; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033866; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UNION SELECT"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006887; classtype:web-application-attack; sid:2006887; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (news-now .co)"; dns.query; content:"news-now.co"; nocase; bsize:11; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci INSERT"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006888; classtype:web-application-attack; sid:2006888; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (reunionlove .net)"; dns.query; content:"reunionlove.net"; nocase; bsize:15; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033868; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci DELETE"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006889; classtype:web-application-attack; sid:2006889; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain (helpusfind .biz)"; dns.query; content:"helpusfind.biz"; nocase; bsize:14; reference:url,citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/; classtype:trojan-activity; sid:2033869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ASCII"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006890; classtype:web-application-attack; sid:2006890; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"wp-extension.cloud"; nocase; bsize:18; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033870; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE"; flow:established,to_server; http.uri; content:"/slideshow.asp?"; nocase; content:"ci="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006891; classtype:web-application-attack; sid:2006891; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"wp-extension.work"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033871; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006892; classtype:web-application-attack; sid:2006892; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.business"; nocase; bsize:20; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033872; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UNION SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006893; classtype:web-application-attack; sid:2006893; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.org"; nocase; bsize:15; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci INSERT"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006894; classtype:web-application-attack; sid:2006894; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.us"; nocase; bsize:14; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033874; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci DELETE"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006895; classtype:web-application-attack; sid:2006895; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"xenapp.blog"; nocase; bsize:11; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033875; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ASCII"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006896; classtype:web-application-attack; sid:2006896; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"trafficapps.quest"; nocase; bsize:17; reference:url,twitter.com/MBThreatIntel/status/1433104999152697344; classtype:domain-c2; sid:2033876; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_01, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE"; flow:established,to_server; http.uri; content:"/thumbnails.asp?"; nocase; content:"ci="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6247; reference:url,www.securityfocus.com/bid/21319; reference:url,doc.emergingthreats.net/2006897; classtype:web-application-attack; sid:2006897; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Blockchain Domain (api .blockcypher .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.blockcypher.com"; bsize:19; fast_pattern; classtype:bad-unknown; sid:2033877; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp SELECT"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005003; classtype:web-application-attack; sid:2005003; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"data-update.site"; nocase; bsize:16; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005004; classtype:web-application-attack; sid:2005004; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"data-log.site"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033879; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp INSERT"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005005; classtype:web-application-attack; sid:2005005; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"ticket-stat.site"; nocase; bsize:16; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp DELETE"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005006; classtype:web-application-attack; sid:2005006; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"cdn-plugin.us"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp ASCII"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005007; classtype:web-application-attack; sid:2005007; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"google-stats.work"; nocase; bsize:17; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE"; flow:established,to_server; http.uri; content:"/badword.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0799; reference:url,www.securityfocus.com/bid/22382; reference:url,doc.emergingthreats.net/2005008; classtype:web-application-attack; sid:2005008; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"pro-cdn2.site"; nocase; bsize:13; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033883; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007283; classtype:web-application-attack; sid:2007283; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"google-info.us"; nocase; bsize:14; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033884; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007200; classtype:web-application-attack; sid:2007200; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain in DNS Lookup"; dns.query; content:"formstats.us"; nocase; bsize:12; reference:url,twitter.com/unmaskparasites/status/1433171323199631361; classtype:domain-c2; sid:2033885; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007201; classtype:web-application-attack; sid:2007201; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET !443 -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response"; flow:established,to_client; dsize:3; content:"|33 66 99|"; reference:md5,0e4c2aa30a72fd75ef49c430fd767fa0; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en; classtype:command-and-control; sid:2030489; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, former_category MALWARE, malware_family Mirai, malware_family MooBot, signature_severity Major, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007202; classtype:web-application-attack; sid:2007202; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 78"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3b d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,844ddc8d762f94e8cf04bbc6eb483121; classtype:command-and-control; sid:2020779; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007203; classtype:web-application-attack; sid:2007203; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 70"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,d9d1fd5025f47caaaa276d747657e01b; classtype:command-and-control; sid:2020771; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007204; classtype:web-application-attack; sid:2007204; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"kuroro"; depth:6; byte_jump:4,0,relative,little,from_beginning; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,984ec607cbaefdd2ce977c9a07a3e175; classtype:command-and-control; sid:2022885; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_06_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007205; classtype:web-application-attack; sid:2007205; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 66"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7c\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ec6b10b55732f68a174bb5b751bff840; classtype:command-and-control; sid:2020767; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007206; classtype:web-application-attack; sid:2007206; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017913; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007207; classtype:web-application-attack; sid:2007207; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 63"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,00d4c1faeacaf45cfb02c592efe61a1d; classtype:command-and-control; sid:2020764; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007208; classtype:web-application-attack; sid:2007208; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,little,post_offset -10; isdataat:!2,relative; pcre:"/^[\x20-\x7e]{5,}.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2021716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_08_25, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007209; classtype:web-application-attack; sid:2007209; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 68"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x95/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8026990bea6f95613f6111b9a5506941; classtype:command-and-control; sid:2020769; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6194; reference:url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded; reference:url,doc.emergingthreats.net/2007210; classtype:web-application-attack; sid:2007210; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 47"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5ad0bb62806297fb8bf159d94f82dbb9; classtype:command-and-control; sid:2020606; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/include/timesheet.php?"; nocase; content:"config[include_dir]="; reference:url,milw0rm.com/exploits/9297; reference:url,secunia.com/advisories/36033/; reference:url,doc.emergingthreats.net/2010127; classtype:web-application-attack; sid:2010127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Chrome_Default.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"Chrome_Default.txt"; nocase; distance:0; fast_pattern; classtype:bad-unknown; sid:2033886; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname SELECT"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005669; classtype:web-application-attack; sid:2005669; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (Cookies/Firefox_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"Cookies/Firefox_"; nocase; distance:0; fast_pattern; content:".default.txt"; within:25; classtype:bad-unknown; sid:2033887; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UNION SELECT"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005670; classtype:web-application-attack; sid:2005670; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Zipped Filename in Outbound POST Request (History/Firefox_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PK|03 04|"; content:"History/Firefox_"; nocase; distance:0; fast_pattern; content:".default.txt"; within:25; classtype:bad-unknown; sid:2033888; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname INSERT"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005671; classtype:web-application-attack; sid:2005671; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Variant Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?id="; startswith; fast_pattern; pcre:"/^[A-Z]{14}$/R"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/; reference:md5,bf23c48d111f5a2d3169062428940b1c; classtype:trojan-activity; sid:2033889; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag FIN7, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname DELETE"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005672; classtype:web-application-attack; sid:2005672; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed nc (netcat) EXE Inbound"; flow:established,from_server; file.data; content:"MZ"; depth:10; content:"!This program"; distance:0; content:"www.vulnwatch.org/netcat/"; distance:0; fast_pattern; content:"nc [-options]"; distance:0; content:"nc -l -p port"; distance:0;  reference:md5,e0db1d3d47e312ef62e5b0c74dceafe5; classtype:policy-violation; sid:2033890; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ASCII"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005673; classtype:web-application-attack; sid:2005673; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Suspicious Request nc.exe in URI"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nc.exe"; fast_pattern; nocase; endswith; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2033891; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE"; flow:established,to_server; http.uri; content:"/shopgiftregsearch.asp?"; nocase; content:"LoginLastname="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0224; reference:url,www.milw0rm.com/exploits/3115; reference:url,doc.emergingthreats.net/2005674; classtype:web-application-attack; sid:2005674; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)"; dns.query; content:"nowautomation.com"; nocase; bsize:17; reference:url,twitter.com/James_inthe_box/status/1433481199939297308; reference:md5,18c7c940bc6a4e778fbdf4a3e28151a8; classtype:domain-c2; sid:2033892; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_02, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_02, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VS Panel showcat.php Cat_ID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/showcat.php?"; nocase; content:"Cat_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,34648; reference:url,milw0rm.com/exploits/8506; reference:url,doc.emergingthreats.net/2009731; classtype:web-application-attack; sid:2009731; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M1 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; threshold:type threshold, track by_dst, count 10, seconds 30; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033893; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user SELECT"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006603; classtype:web-application-attack; sid:2006603; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 22 (msg:"ET EXPLOIT Possible SolarWinds Serv-U SSH RCE Inbound M2 (CVE-2021-35211)"; flow:established,to_server; dsize:>150; content:"SSH-2.0-|0d 0a|"; fast_pattern; content:"|ec 19 0e 80 01|"; distance:0; reference:url,microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/; reference:cve,2021-35211; classtype:attempted-admin; sid:2033894; rev:1; metadata:attack_target Server, created_at 2021_09_02, cve CVE_2021_35211, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006604; classtype:web-application-attack; sid:2006604; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 26"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x71\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,b316680fd2578a2781ee9497888bd1e4; classtype:command-and-control; sid:2018085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user INSERT"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006605; classtype:web-application-attack; sid:2006605; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!11000,!11001,!12000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9e|"; fast_pattern; pcre:"/^[\x20-\x7e]*?.{8}\x79\x9e/s"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017707; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_11_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user DELETE"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006606; classtype:web-application-attack; sid:2006606; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 27"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9c|"; offset:8; byte_jump:4,-6,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7c\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,29aabeba14f6b5950edcd2a5d99acc94; classtype:command-and-control; sid:2018153; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ASCII"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006607; classtype:web-application-attack; sid:2006607; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 52"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,61c03cdd39f0618d1643af15594da3e4; classtype:command-and-control; sid:2020611; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE"; flow:established,to_server; http.uri; content:"/vf_memberdetail.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6448; reference:url,www.frsirt.com/english/advisories/2006/4850; reference:url,doc.emergingthreats.net/2006608; classtype:web-application-attack; sid:2006608; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 38"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|49 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa5/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,c8564898ab2598a075cbb478d104e750; classtype:command-and-control; sid:2018638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/editor/edit_htmlarea.php?"; nocase; content:"highlighter="; nocase; pcre:"/highlighter\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57679; reference:url,doc.emergingthreats.net/2010254; classtype:web-application-attack; sid:2010254; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 98"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,79dd610cc7a62ad237d21c050eae32ec; classtype:command-and-control; sid:2020799; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/debugger/debug_php.php?"; nocase; content:"_GET[filename]="; nocase; reference:url,osvdb.org/show/osvdb/57680; reference:url,doc.emergingthreats.net/2010255; classtype:web-application-attack; sid:2010255; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning; isdataat:!7,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:command-and-control; sid:2017934; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Venalsur Booking Centre HotelID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/hotel_habitaciones.php?"; nocase; content:"HotelID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7253; reference:bugtraq,32512; reference:url,doc.emergingthreats.net/2008926; classtype:web-application-attack; sid:2008926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:established,to_server; stream_size:server,<,5; flowbits:isset,ET.gh0stFmly; content:"|78 9c 0b cf cc|"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3b1abb60bafbab204aeddf8acdf58ac9; classtype:command-and-control; sid:2017936; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006279; classtype:web-application-attack; sid:2006279; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 31"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7d\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2018287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_03_18, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UNION SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006280; classtype:web-application-attack; sid:2006280; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 93"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,29ac81a0607f6456bc886f6099fdb5c8; classtype:command-and-control; sid:2020794; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod INSERT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006281; classtype:web-application-attack; sid:2006281; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:command-and-control; sid:2018485; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod DELETE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006282; classtype:web-application-attack; sid:2006282; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Enemyfear Stealer Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?act="; http.content_type; content:"multipart/form-data"; startswith; http.request_body; content:".zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; content:"Stealer|20|Work|2e|txt"; fast_pattern; reference:md5,8206d5fdc88e2c8c07fe2731d6ffeac3; classtype:command-and-control; sid:2033895; rev:1; metadata:created_at 2021_09_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod ASCII"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006283; classtype:web-application-attack; sid:2006283; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP ThunderUnion Install Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"peerid="; content:"&userid="; distance:0; content:"referfrom="; distance:0; content:"&OS="; distance:0; content:"&OSversion="; distance:0; content:"productname="; distance:0; http.user_agent; content:"ThunderUnion"; bsize:12; fast_pattern; reference:md5,ae4c9b58510bd358745caf3b7ad81003; classtype:pup-activity; sid:2033896; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category ADWARE_PUP, updated_at 2021_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick_mod="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006284; classtype:web-application-attack; sid:2006284; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Observed Honeygain Domain (api .honeygain .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.honeygain.com"; bsize:17; fast_pattern; reference:url,blog.talosintelligence.com/2021/08/proxyware-abuse.html; classtype:domain-c2; sid:2033900; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category ADWARE_PUP, malware_family PUP, signature_severity Informational, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006285; classtype:web-application-attack; sid:2006285; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Hack Browser Data Exfil Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; startswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; bsize:90; pcre:"/^multipart/form-data\x3b\x20boundary=[a-f0-9]{60}$/"; http.request_body; content:"name|3d 22|file|22 3b 20|filename|3d 22|"; content:"_=_"; distance:0; fast_pattern; content:"_=_"; distance:0; content:"_=_"; distance:0; content:"_=_"; distance:0; content:".json|22 0d 0a|"; distance:0; reference:md5,4a13256c1c9701146ad9ce6682b1a12e; classtype:command-and-control; sid:2033899; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UNION SELECT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006286; classtype:web-application-attack; sid:2006286; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET COINMINER Observed DNS Query to herominers Domain (herominers .com)"; dns.query; content:".herominers.com"; nocase; endswith; fast_pattern; classtype:coin-mining; sid:2033901; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2021_09_03, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick INSERT"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006287; classtype:web-application-attack; sid:2006287; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 Related CnC Domain in DNS Lookup (tnskvggujjqfcskwk .com)"; dns.query; content:"tnskvggujjqfcskwk.com"; nocase; bsize:21; fast_pattern; reference:url,www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor; reference:url,twitter.com/Circuitous__/status/1433516145752035331; reference:url,twitter.com/JAMESWT_MHT/status/1433706754555138066; classtype:domain-c2; sid:2033897; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag FIN7, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick DELETE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006288; classtype:web-application-attack; sid:2006288; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 Related CnC Domain in DNS Lookup (bypassociation .com)"; dns.query; content:"bypassociation.com"; nocase; bsize:18; fast_pattern; reference:url,www.anomali.com/blog/cybercrime-group-fin7-using-windows-11-alpha-themed-docs-to-drop-javascript-backdoor; reference:url,twitter.com/Circuitous__/status/1433516145752035331; reference:url,twitter.com/JAMESWT_MHT/status/1433706754555138066; classtype:domain-c2; sid:2033898; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag FIN7, updated_at 2021_09_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick ASCII"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006289; classtype:web-application-attack; sid:2006289; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BleachGap Ransomware Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|username|22 3a 20 22|BleachGap|20|"; content:"|22|name|22 3a 20 22|Hacker$quad|22|"; content:"discord.gg"; reference:md5,4809f621c6dbaf0c93f1a92def0f592e; classtype:trojan-activity; sid:2033902; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_09_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE"; flow:established,to_server; http.uri; content:"/repass.php?"; nocase; content:"nick="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006290; classtype:web-application-attack; sid:2006290; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (share .bloomcloud .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"share.bloomcloud.org"; bsize:20; fast_pattern; reference:url,twitter.com/ShadowChasing1/status/1433807018867912705; reference:md5,a224350ce67eea6a8d818b85436c5309; reference:md5,02904e802b5dc2f85eec83e3c1948374; reference:md5,bac4acc2544626bac6377fb32c5f244c; classtype:command-and-control; sid:2033903; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_09_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006291; classtype:web-application-attack; sid:2006291; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in XML HTML Title Tags Inbound"; flow:established,to_client; content:"|3c 3f|xml"; content:"|3c|title|20|type|3d 27|text|27 3e 40|"; distance:0; fast_pattern; content:"|40 3c 2f|title|3e|"; distance:0;  reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033904; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2021_09_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UNION SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006292; classtype:web-application-attack; sid:2006292; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload"; http.request_body; content:"name=|22|"; content:"filename=|22|../../"; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick INSERT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006293; classtype:web-application-attack; sid:2006293; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M1"; flow:established,to_server; http.request_line; content:"POST /action "; startswith; http.user_agent; content:"Statistics"; bsize:10; http.request_body; content:"|7b 22|hwid|22 3a 22|"; startswith; content:"|22 2c 22|macAddress|22 3a 22|"; distance:0; content:"|22 2c 22|ipAddressLocal|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|installDate|22 3a 22|"; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033909; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick DELETE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006294; classtype:web-application-attack; sid:2006294; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M2"; flow:established,to_server; http.request_line; content:"GET /action?hwid="; startswith; content:"&macAddress="; distance:0; content:"&ipAddressLocal="; distance:0; fast_pattern; content:"&installDate="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033910; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick ASCII"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006295; classtype:web-application-attack; sid:2006295; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/MobiGame Install Stats Checkin M3"; flow:established,to_server; http.request_line; content:"POST /sysinfo "; startswith; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"hwid="; startswith; content:"&macAddress="; distance:0; content:"&ipAddressLocal="; distance:0; fast_pattern; content:"&date="; distance:0; content:"&cpu="; distance:0; content:"&cpuUsage="; distance:0; content:"&os="; distance:0; reference:md5,18f26612bc642daa9b269660eb585500; classtype:pup-activity; sid:2033911; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006296; classtype:web-application-attack; sid:2006296; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Bingoml!tr CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/message?mac="; startswith; bsize:30; fast_pattern; content:!"="; distance:0; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,82732a7bdac99e2a9ce4e9a706947423; classtype:command-and-control; sid:2033912; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006297; classtype:web-application-attack; sid:2006297; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Beapy/Lemon_Duck CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?ID="; content:"&GUID="; distance:0; content:"&MAC="; distance:0; content:"&OS=Win"; distance:0; content:"&BIT="; distance:0; content:"&CARD="; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,21e49843502325b063b4d52e8c297f79; reference:url,s.tencent.com/research/report/680.html; classtype:command-and-control; sid:2027147; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_04_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UNION SELECT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006298; classtype:web-application-attack; sid:2006298; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.Coinminer Checkin"; flow:established,to_server; content:"|7b 22|CPU_Model|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|Elevated|22 3a|"; distance:0; content:"|22|GPU_Model|22 3a 22|"; distance:0; content:"|22|Identity|22 3a 22|"; distance:0; reference:md5,a98df471bde22b7b2d25aae974237363; classtype:coin-mining; sid:2033906; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Coinminer, updated_at 2021_09_08, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod INSERT"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006299; classtype:web-application-attack; sid:2006299; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Mingloa CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page=querycpc/items/&duid="; fast_pattern; content:"&pid="; distance:0; content:"&time="; distance:0; content:"&hash="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|";  reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service; classtype:command-and-control; sid:2033913; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod DELETE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006300; classtype:web-application-attack; sid:2006300; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed Possible Phishing 2021-06-29"; flow:established,from_server; file.data; content:"Webmail Login"; fast_pattern; content:"action|3d 22|process.php|22|"; distance:0; content:"method|3d 22|post|22|"; distance:0; content:"target|3d 22 5f|top|22|"; distance:0; content:"style|3d 22|visibility|3a 22|>"; distance:0; reference:url,app.any.run/tasks/5fcdc0a0-7a79-4bcb-b2fb-3d358571d858/; classtype:social-engineering; sid:2033218; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_01, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_09_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod ASCII"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006301; classtype:web-application-attack; sid:2006301; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Android/iprdr.php"; fast_pattern; bsize:18; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033914; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE"; flow:established,to_server; http.uri; content:"/verify.php?"; nocase; content:"nick_mod="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6667; reference:url,www.frsirt.com/english/advisories/2006/5059; reference:url,doc.emergingthreats.net/2006302; classtype:web-application-attack; sid:2006302; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Apple/script.php?a="; fast_pattern; startswith; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"Referer"; reference:url,twitter.com/Timele9527/status/1435495701329317895; reference:md5,28ffba0b074218b0c9ff0360d8791bfd; classtype:trojan-activity; sid:2033915; rev:1; metadata:created_at 2021_09_08, former_category MALWARE, updated_at 2021_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS VidShare Pro listing_video.php catid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/listing_video.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8737; reference:bugtraq,35033; reference:url,doc.emergingthreats.net/2009794; classtype:web-application-attack; sid:2009794; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SiameseKitten/Lyceum/Hexane MSIL/Shark Response - 1 Byte XOR Key"; flow:established,from_server; file.data; base64_decode:offset 0; base64_data; content:"|6e 4b 5e 4b|"; content:"|27 20|"; classtype:command-and-control; sid:2033761; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_22, deployment Perimeter, deprecation_reason Performance, former_category MALWARE, malware_family Shark, performance_impact Significant, signature_severity Major, updated_at 2021_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005493; classtype:web-application-attack; sid:2005493; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?q="; content:"&qi="; distance:0; content:"&q1="; distance:0; content:"&q2="; distance:0; content:"&q3="; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; http.user_agent; content:"|28|Windows|20|NT|20|10.0|3b 20|Win64|3b 20|x64|29|"; http.header_names; content:"If-None-Match|0d 0a|Sec-Fetch-Dest|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-User|0d 0a|"; nocase; http.header; content:"Sec-Fetch-Dest|3a 20|document|0d|"; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; reference:url,www.clearskysec.com/siamesekitten/; classtype:command-and-control; sid:2033760; rev:2; metadata:created_at 2021_08_22, former_category MALWARE, malware_family Shark, updated_at 2021_09_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UNION SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005494; classtype:web-application-attack; sid:2005494; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible IceRat CnC Acitivty"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dow_"; startswith; fast_pattern; content:".txt"; endswith; http.user_agent; content:"Java/"; startswith; reference:url,www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp; classtype:trojan-activity; sid:2031485; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_01_06, deployment Perimeter, former_category MALWARE, malware_family IceRAT, signature_severity Major, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid INSERT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005495; classtype:web-application-attack; sid:2005495; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (SWNetPerfMon.db) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/SWNetPerfMon.db.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid DELETE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005496; classtype:web-application-attack; sid:2005496; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> any any (msg:"ET EXPLOIT Possible SolarWinds Orion API Local File Disclosure (web.config) (CVE-2020-10148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/web.config.i18n.ashx?"; nocase; fast_pattern; reference:url,gist.github.com/0xsha/75616ef6f24067c4fb5b320c5dfa4965; reference:url,kb.cert.org/vuls/id/843464; reference:cve,2020-10148; classtype:web-application-attack; sid:2031459; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_12_29, deployment Perimeter, former_category EXPLOIT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ASCII"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005497; classtype:web-application-attack; sid:2005497; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Stitch Variant Backdoor CnC"; flow:established,to_server; content:"|00 00 00 0f|stitch626hctits"; fast_pattern; content:!"Referer|3a 20|"; content:!"User-Agent|3a 20|"; content:!"Connection|3a 20|"; content:!"Host|3a 20|"; content:!"Keep-Alive:|3a 20|"; reference:url,securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/; reference:md5,ec993ff561cbc175953502452bfa554a; classtype:command-and-control; sid:2029794; rev:2; metadata:attack_target Client_Endpoint, created_at 2020_04_02, deployment Perimeter, former_category MALWARE, malware_family Stitch, performance_impact Low, signature_severity Major, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"Itemid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005498; classtype:web-application-attack; sid:2005498; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB ASCII"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,!&,0x80,7,relative; content:"puiframeworkproresenu|2E|dll"; nocase; distance:0; fast_pattern; reference:cve,2018-12589; reference:url,exploit-db.com/exploits/44985; classtype:attempted-user; sid:2025790; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005499; classtype:web-application-attack; sid:2005499; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET [445,139] -> any any (msg:"ET NETBIOS PolarisOffice Insecure Library Loading - SMB Unicode"; flow:from_server; content:"SMB"; offset:4; depth:5; byte_test:1,&,0x80,7,relative; content:"p|00|u|00|i|00|f|00|r|00|a|00|m|00|e|00|w|00|o|00|r|00|k|00|p|00|r|00|o|00|r|00|e|00|s|00|e|00|n|00|u|00 2E 00|d|00|l|00|l|00|"; nocase; distance:0; reference:cve,2018-12589; reference:url,exploit-db.com/exploits/44985; classtype:attempted-user; sid:2025791; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_07_06, deployment Perimeter, former_category NETBIOS, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UNION SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005500; classtype:web-application-attack; sid:2005500; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Muhstik Botnet Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; pcre:"/^(?:curl|wget)/i"; http.uri; content:"/dk"; startswith; fast_pattern; pcre:"/^[0-9]{2}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/; reference:md5,898b3dc58bc5d05d3034a1c259b5a915; classtype:trojan-activity; sid:2033916; rev:1; metadata:created_at 2021_09_09, former_category ATTACK_RESPONSE, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id INSERT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005501; classtype:web-application-attack; sid:2005501; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 33"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2acd1b235e12dc9b961e7236f6db8144; classtype:command-and-control; sid:2018486; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id DELETE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005502; classtype:web-application-attack; sid:2005502; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 62"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,bcb626c7cca304f927ec97450008e600; classtype:command-and-control; sid:2020763; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ASCII"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005503; classtype:web-application-attack; sid:2005503; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 58"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 ad|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x31\xad/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,20a72c5af06e054ff840915b6632965f; classtype:command-and-control; sid:2020693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"product_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005504; classtype:web-application-attack; sid:2005504; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 65"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|40 a3|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x40\xa3/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a2ae5eada44872675561a97ea56c0df; classtype:command-and-control; sid:2020766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005505; classtype:web-application-attack; sid:2005505; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 97"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0c014b17729784f905f55e43347469ed; classtype:command-and-control; sid:2020798; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UNION SELECT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005506; classtype:web-application-attack; sid:2005506; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 45"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9a|"; offset:13; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x7a\x9a/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,eb7909105fd05064b14a21465742952c; classtype:command-and-control; sid:2020371; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_02_06, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id INSERT"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005507; classtype:web-application-attack; sid:2005507; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 95"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9d/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,599fc172ebcd9f41557ba1293522f424; classtype:command-and-control; sid:2020796; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id DELETE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005508; classtype:web-application-attack; sid:2005508; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:command-and-control; sid:2017915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ASCII"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005509; classtype:web-application-attack; sid:2005509; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !5800 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 21"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}\x70\x94[\x20-\x7e]/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,3ae76f6b76e743fd8063e1831236ce24; classtype:command-and-control; sid:2018057; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE"; flow:established,to_server; http.uri; content:"/virtuemart_parser.php?"; nocase; content:"category_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6945; reference:url,www.securityfocus.com/bid/22123; reference:url,doc.emergingthreats.net/2005510; classtype:web-application-attack; sid:2005510; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 36"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 da|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xda/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5b50cc5215694841b9faea0fde472648; classtype:command-and-control; sid:2018636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id SELECT"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005889; classtype:web-application-attack; sid:2005889; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 89"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|30 a5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x30\xa5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3fb6b63928996a2fab06ba634710740b; classtype:command-and-control; sid:2020790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005890; classtype:web-application-attack; sid:2005890; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 86"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4af85987c9aca11196eb1a603b40b18d; classtype:command-and-control; sid:2020787; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id INSERT"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005891; classtype:web-application-attack; sid:2005891; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 75"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9a3309620c23d821ea4e2f41538454a7; classtype:command-and-control; sid:2020776; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id DELETE"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005892; classtype:web-application-attack; sid:2005892; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 80"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|31 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x31\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,132c66e47afb0c1b969140713b09d625; classtype:command-and-control; sid:2020781; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ASCII"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005893; classtype:web-application-attack; sid:2005893; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 73"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9c44da3c6326deb5b802b1494b202a1d; classtype:command-and-control; sid:2020774; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haberdetay.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0052; reference:url,www.milw0rm.com/exploits/3061; reference:url,doc.emergingthreats.net/2005894; classtype:web-application-attack; sid:2005894; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 20"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a037b3241c0b957efe6037b25570292f; classtype:command-and-control; sid:2018054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Vlog System note parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/blog.php?"; nocase; content:"user="; nocase; content:"note="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32784/; reference:url,www.milw0rm.com/exploits/7186; reference:url,doc.emergingthreats.net/2008875; classtype:web-application-attack; sid:2008875; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 50"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1701f8c71b5861a2f2890dc609ef6eda; classtype:command-and-control; sid:2020609; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat SELECT"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007416; classtype:web-application-attack; sid:2007416; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 56"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|2e 96|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x2e\x96/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fc4f20426ab1da2c705a4523d3baa0b; classtype:command-and-control; sid:2020691; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007417; classtype:web-application-attack; sid:2007417; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !443 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 103"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; fast_pattern; byte_jump:4,-10,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x78\x9c/s"; reference:md5,b0c2a5a3cfef4e759979b7d0869b7612; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2021753; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat INSERT"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007418; classtype:web-application-attack; sid:2007418; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 77"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 98|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x98/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,010c49cb69591e1738b7bdd78a54d8f8; classtype:command-and-control; sid:2020778; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat DELETE"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007419; classtype:web-application-attack; sid:2007419; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 105"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|4a ae|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xae/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,ba6eaf301344de6fe1e079fa960bc698; classtype:command-and-control; sid:2022773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_04_29, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ASCII"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007420; classtype:web-application-attack; sid:2007420; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 101"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|71 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x71\x9e/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8776e617b59da52bcac43b380a354aa0; classtype:command-and-control; sid:2021065; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_05_07, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/cat.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007421; classtype:web-application-attack; sid:2007421; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; fast_pattern; byte_jump:4,0,little,post_offset 1; isdataat:!2,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017876; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007422; classtype:web-application-attack; sid:2007422; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; fast_pattern; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2017877; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_17, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007423; classtype:web-application-attack; sid:2007423; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:established,to_server; stream_size:server,<,5; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:command-and-control; sid:2017944; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007424; classtype:web-application-attack; sid:2007424; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 46"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|84 60|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x84\x60/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,019ab136fd79147b10ddb3e4162709db; classtype:command-and-control; sid:2020586; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007425; classtype:web-application-attack; sid:2007425; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 82"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|40 d8|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x40\xd8/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2978e52da3503e33c65cd286a322bd2; classtype:command-and-control; sid:2020783; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007426; classtype:web-application-attack; sid:2007426; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 92"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7f 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7f\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1dabf462f9c07878f6cd0b58cabf6538; classtype:command-and-control; sid:2020793; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"keyword="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007427; classtype:web-application-attack; sid:2007427; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:command-and-control; sid:2017974; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007428; classtype:web-application-attack; sid:2007428; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 35"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7e 95|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,17274afd768cd0cbc2aa236cf82ab951; classtype:command-and-control; sid:2018488; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007429; classtype:web-application-attack; sid:2007429; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 64"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2a6c1f4e14533d9f2af8d9e4fcf53338; classtype:command-and-control; sid:2020765; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007430; classtype:web-application-attack; sid:2007430; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 51"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4b70f302c72c94d0b9214808d9f72419; classtype:command-and-control; sid:2020610; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007431; classtype:web-application-attack; sid:2007431; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 81"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7e 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7e\x9c/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,733d252921fa9b74b268c1e451d2e0c8; classtype:command-and-control; sid:2020782; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007432; classtype:web-application-attack; sid:2007432; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:command-and-control; sid:2017988; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007433; classtype:web-application-attack; sid:2007433; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 99"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|39 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x39\x99/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2499b8a890b084b9d4eb76d2bfaeff56; classtype:command-and-control; sid:2020800; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007434; classtype:web-application-attack; sid:2007434; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|49 a2|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x49\xa2/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0928c98b9702e3c8df4e44f31bea56ac; classtype:command-and-control; sid:2020797; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007435; classtype:web-application-attack; sid:2007435; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 37"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9d|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,f80fc82b5ff8f65f02ba7af363f84264; classtype:command-and-control; sid:2018637; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007436; classtype:web-application-attack; sid:2007436; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 57"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9f/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,06be359c6e6396fe105e8b59ac5a992e; classtype:command-and-control; sid:2020692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007437; classtype:web-application-attack; sid:2007437; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 71"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,8b69118f7c25f79c4c7de5b0830dda39; classtype:command-and-control; sid:2020772; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007438; classtype:web-application-attack; sid:2007438; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 60"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 94|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x94/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0fbca8d9f71265f44513e4f885587301; classtype:command-and-control; sid:2020695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"sort="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007439; classtype:web-application-attack; sid:2007439; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 59"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|44 df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x44\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,6a263de8d3f6d82e73330c84a83057bf; classtype:command-and-control; sid:2020694; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_14, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007440; classtype:web-application-attack; sid:2007440; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 39"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3134e62b117f9994e173c262b1bcbca5; classtype:command-and-control; sid:2018639; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007441; classtype:web-application-attack; sid:2007441; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:command-and-control; sid:2018013; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007442; classtype:web-application-attack; sid:2007442; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 43"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|83 7f|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x83\x7f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5f0c10c1705783d3f32742bce3b2aea5; classtype:command-and-control; sid:2019602; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_30, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007443; classtype:web-application-attack; sid:2007443; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 24"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7c 9f|"; offset:8; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?\x7c\x9f/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,0be9e3f4507a8ee23bb0c2b6c218d1cc; classtype:command-and-control; sid:2018076; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007444; classtype:web-application-attack; sid:2007444; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 67"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9a|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9a/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,142b8df89b9ae5019c1f1855d2212e9f; classtype:command-and-control; sid:2020768; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"menuSelect="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007445; classtype:web-application-attack; sid:2007445; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !5938 (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 104"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:9; depth:21; fast_pattern; byte_test:4,<,65535,-14,relative,little; byte_test:4,<,65535,-10,relative,little; byte_jump:4,-10,relative,little,post_offset 3; isdataat:!2,relative; pcre:"/^.{9,28}\x78\x9c/s"; reference:url,researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-campaign-involving-new-variant-of-gh0st-malware/; classtype:command-and-control; sid:2022401; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007446; classtype:web-application-attack; sid:2007446; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 100"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]{5}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2021012; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_04_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007447; classtype:web-application-attack; sid:2007447; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 84"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|4a d5|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"Fxv"; depth:3; pcre:"/^[\x20-\x7e]+?.{8}\x4a\xd5/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,096fd620508d929b3422c6dca836e718; classtype:command-and-control; sid:2020785; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007448; classtype:web-application-attack; sid:2007448; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 49"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 dd|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\xdd/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,2e99b9462f95154e9f5b94eeed33a6e3; classtype:command-and-control; sid:2020608; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007449; classtype:web-application-attack; sid:2007449; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 54"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4d6e0de81f57461337ccfbcce6dc1056; classtype:command-and-control; sid:2020613; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007450; classtype:web-application-attack; sid:2007450; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 25"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7a 5d|"; offset:8; byte_jump:4,-12,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{10}\x7a\x5d/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,794eac549f98320b818037b8074da320; classtype:command-and-control; sid:2018077; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"state="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6152; reference:url,www.securityfocus.com/bid/21190; reference:url,doc.emergingthreats.net/2007451; classtype:web-application-attack; sid:2007451; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 34"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|74 9d|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,3063e7406947d00b792cb013ca667a69; classtype:command-and-control; sid:2018487; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004128; classtype:web-application-attack; sid:2004128; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443,9000] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:established,to_server; stream_size:server,<,5; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!8,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:command-and-control; sid:2017938; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_08, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004129; classtype:web-application-attack; sid:2004129; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 22"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7d 9e|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7d\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2018069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004130; classtype:web-application-attack; sid:2004130; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 53"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|70 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning, post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x70\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,5a0e030383c472f7d94c0bcd6af71a90; classtype:command-and-control; sid:2020612; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_04, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"search_forum="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1607; reference:url,www.securityfocus.com/bid/23057; reference:url,doc.emergingthreats.net/2004131; classtype:web-application-attack; sid:2004131; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 76"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|3b df|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x3b\xdf/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1e3f91c46410d5205c7b6f6b53a45cff; classtype:command-and-control; sid:2020777; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006975; classtype:web-application-attack; sid:2006975; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 83"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|47 d9|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x47\xd9/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,4bd54550a23cb5bf40e0924dea7bad76; classtype:command-and-control; sid:2020784; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UNION SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006976; classtype:web-application-attack; sid:2006976; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:command-and-control; sid:2017914; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_01_03, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login INSERT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006977; classtype:web-application-attack; sid:2006977; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 29"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9af77f89a565143983fa008bbd8eedee; classtype:command-and-control; sid:2018181; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_27, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login ASCII"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006979; classtype:web-application-attack; sid:2006979; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET !80 -> $EXTERNAL_NET [!5721,!5938] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; content:!"PWHDR"; depth:5; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:command-and-control; sid:2016922; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_04_23, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"login="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006980; classtype:web-application-attack; sid:2006980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 23"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-18,relative,little,from_beginning, post_offset 1; isdataat:!2,relative; pcre:"/^.{8}[\x20-\x7e]+?.{2}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,db1c4342f617798bcb2ba5655d32bf67; classtype:command-and-control; sid:2018075; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_02_05, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006981; classtype:web-application-attack; sid:2006981; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 44"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|96 71|"; offset:13; depth:2; byte_jump:4,-15,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^.{4}[\x20-\x7e]{5}.{4}\x96\x71/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,0a09c176351398922770153bdd54c594; classtype:command-and-control; sid:2020214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_20, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UNION SELECT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006982; classtype:web-application-attack; sid:2006982; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 94"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|7b 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9b/s"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,7403a3a7c924a50cb205c5936cb57821; classtype:command-and-control; sid:2020795; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_03_28, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Critical, tag PCRAT, tag Gh0st, tag RAT, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password INSERT"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006983; classtype:web-application-attack; sid:2006983; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Seetrol Software Download (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/"; startswith; content:".exe"; endswith; http.host; content:"www.seetrol."; startswith; fast_pattern; classtype:bad-unknown; sid:2033917; rev:1; metadata:created_at 2021_09_09, former_category POLICY, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password DELETE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006984; classtype:web-application-attack; sid:2006984; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PSW.WOW.NLZ CnC Activity"; flow:established,to_server; http.request_line; content:"GET /in/3/"; startswith; content:"?d56tdrf2z="; distance:0; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,2bf730c712910a18f09e4d53750594d2; classtype:command-and-control; sid:2033918; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password ASCII"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006985; classtype:web-application-attack; sid:2006985; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.microsoft-secure-cdn.com"; bsize:51; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; reference:md5,83d664b0078d46952baf9ee1d8732d7a; classtype:domain-c2; sid:2033919; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE"; flow:established,to_server; http.uri; content:"/process.php?"; nocase; content:"password="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006986; classtype:web-application-attack; sid:2006986; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.brian-krebs-erectile-dysfunction.com"; bsize:63; fast_pattern; reference:md5,83d664b0078d46952baf9ee1d8732d7a; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033920; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid SELECT"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006987; classtype:web-application-attack; sid:2006987; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.krebsonsecurity.info"; bsize:47; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; reference:md5,83d664b0078d46952baf9ee1d8732d7a; classtype:domain-c2; sid:2033921; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006988; classtype:web-application-attack; sid:2006988; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.krebsonfellatio.net"; bsize:46; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033922; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid INSERT"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006989; classtype:web-application-attack; sid:2006989; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ELF/HabitsRAT CnC Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"xaxaxa-shadowserver-losers.552-39-1658.com"; bsize:42; fast_pattern; reference:url,twitter.com/michalmalik/status/1435918937162715139; classtype:domain-c2; sid:2033923; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid DELETE"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006990; classtype:web-application-attack; sid:2006990; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M1"; flow:established,to_server; http.request_line; content:"GET /delonl.php?hwid="; startswith; content:!"&"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033924; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ASCII"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006991; classtype:web-application-attack; sid:2006991; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M2"; flow:established,to_server; http.request_line; content:"GET /gateonl.php?hwid="; startswith; fast_pattern; content:"&cpuname="; distance:0; content:"&gpuname="; distance:0; content:"&cpu="; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033925; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE"; flow:established,to_server; http.uri; content:"/dlwallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6215; reference:url,www.frsirt.com/english/advisories/2006/4687; reference:url,doc.emergingthreats.net/2006992; classtype:web-application-attack; sid:2006992; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Small.FU Variant CnC Activity M3"; flow:established,to_server; http.request_line; content:"GET /del.php?hwid="; startswith; fast_pattern; content:!"&"; distance:0; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,72513b6c906dcac441a146c8ebf256e7; classtype:command-and-control; sid:2033926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid SELECT"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006993; classtype:web-application-attack; sid:2006993; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id="; content:"&info="; http.user_agent; content:"REBOL"; startswith; fast_pattern; reference:md5,3a8a6702523f9f53866fb2682fdaaf66; classtype:command-and-control; sid:2034012; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_10, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UNION SELECT"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006994; classtype:web-application-attack; sid:2006994; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/topstories"; bsize:11; fast_pattern; http.cookie; content:"__cfduid="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT 6.1|29 20|Gecko/14.0|20|Firefox/14.0"; bsize:52; reference:md5,432e0676db09997f78e133263737b401; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033927; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid INSERT"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006995; classtype:web-application-attack; sid:2006995; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; bsize:20; fast_pattern; http.cookie; content:"__cfduid="; startswith; http.user_agent; content:"Mozilla/5.0|20 28|Windows|20|NT|20|6.3|3b 20|Trident/7.0|3b 20|rv|3a|11.0|29 20|like|20|Gecko"; bsize:61; reference:md5,b3f3de10b3c1c15491c53223f1b5979f; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033928; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid DELETE"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006996; classtype:web-application-attack; sid:2006996; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lv?access=true"; bsize:15; fast_pattern; http.cookie; content:"SSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; http.host; content:".workers.dev"; endswith; reference:md5,9dca269e64ebea04fe6060afe0015820; reference:url,documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf; classtype:trojan-activity; sid:2033929; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ASCII"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006997; classtype:web-application-attack; sid:2006997; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Checkin"; flow:established,to_server; content:"|7e 5c 77 6f 72 6d 73 5c 2e 42 6c 61 63 6b 20 48 61 74 20 57 6f 72 6d|"; startswith; content:"|62 6c 61 63 6b 20 68 61 74|"; distance:0; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; classtype:command-and-control; sid:2033716; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE"; flow:established,to_server; http.uri; content:"/wallpaper.php?"; nocase; content:"wallpaperid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6214; reference:url,www.milw0rm.com/exploits/2835; reference:url,doc.emergingthreats.net/2006998; classtype:web-application-attack; sid:2006998; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vermilion Stager Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/microsoft/en-us/logo.aspx"; bsize:26; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:md5,6310a2c9f45fd46cd405e31eda2ad7d3; reference:url,www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/; classtype:trojan-activity; sid:2033930; rev:1; metadata:created_at 2021_09_13, former_category MALWARE, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID SELECT"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007070; classtype:web-application-attack; sid:2007070; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Vermilion Stager Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/g.pixel"; bsize:8; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:"|0d 0a|Content-Type|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.cookie; pcre:"/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,6310a2c9f45fd46cd405e31eda2ad7d3; reference:url,www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/; classtype:trojan-activity; sid:2033931; rev:1; metadata:created_at 2021_09_13, former_category MALWARE, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UNION SELECT"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007071; classtype:web-application-attack; sid:2007071; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Black Hat Worm Server Response"; flow:established,to_client; stream_size:client,<,5; content:"|2d 62 6c 61 63 6b 20 68 61 74|"; reference:md5,bfa67c998ebedf8ab17e2d8898d0067d; reference:md5,42c130f8d037d6cc0ca4342b6e8794b4; classtype:command-and-control; sid:2033932; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID INSERT"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007072; classtype:web-application-attack; sid:2007072; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ImageMagick Malformed SVG Upload Leading to RCE"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|svg|20|"; content:"|28|%pipe%/"; fast_pattern; content:"/|3b|"; distance:0; within:100; classtype:attempted-admin; sid:2033933; rev:1; metadata:attack_target Server, created_at 2021_09_13, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID DELETE"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007073; classtype:web-application-attack; sid:2007073; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M1 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"domains=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033934; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ASCII"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007074; classtype:web-application-attack; sid:2007074; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PiHole Web Interface Regex Escape Leading to RCE Inbound M2 (CVE-2021-32706)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/"; http.request_body; content:"clients=*"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24|\x3e)/R"; reference:url,www.cvedetails.com/cve/CVE-2021-32706/; reference:cve,2021-32706; classtype:attempted-admin; sid:2033935; rev:1; metadata:attack_target Server, created_at 2021_09_13, cve CVE_2021_32706, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE"; flow:established,to_server; http.uri; content:"/item.asp?"; nocase; content:"ItemID="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6206; reference:url,www.securityfocus.com/bid/21324; reference:url,doc.emergingthreats.net/2007075; classtype:web-application-attack; sid:2007075; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GenKryptik.FKJZ CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&pass="; content:"&cookie="; content:"&cc="; content:"&chrome="; content:"&firefox="; content:"&binancepass="; fast_pattern; content:"&paypalpass="; content:"&hwid="; content:"&bit="; http.request_body; content:"PK|03 04|"; reference:md5,b369e6f7f7ed1771110e9017741be7b3; classtype:trojan-activity; sid:2033936; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wazzum Dating Software profile_view.php userid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"profile_view.php"; nocase; content:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7877; reference:url,secunia.com/Advisories/33654/; reference:url,doc.emergingthreats.net/2009122; classtype:web-application-attack; sid:2009122; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewalk CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|gtuvid|0d 0a|"; fast_pattern; content:"|0d 0a|gtsid|0d 0a|";  reference:url,welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/; classtype:command-and-control; sid:2033937; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wbstreet show.php id parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/7337; reference:bugtraq,32635; reference:url,doc.emergingthreats.net/2008939; classtype:web-application-attack; sid:2008939; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Checkin"; flow:established,to_server; content:"|20 5b 20|"; content:"|20 5b 20|"; distance:0; content:"[endof]"; endswith; reference:md5,8db6655c0a5cb219c3bbc4bb5fc92e1a; classtype:command-and-control; sid:2033938; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family njrat, performance_impact Low, signature_severity Major, updated_at 2021_09_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/cron.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009306; classtype:web-application-attack; sid:2009306; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.update&botid="; startswith; fast_pattern; content:"&param="; distance:0; content:"&value="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033940; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ST_browsers.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009308; classtype:web-application-attack; sid:2009308; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (number update)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=number.update&botid="; startswith; fast_pattern; content:"&phoneNumber="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033941; rev:2; metadata:created_at 2021_09_14, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ST_countries.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009310; classtype:web-application-attack; sid:2009310; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (session cookie delete)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=command.delete&id="; startswith; fast_pattern; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,01b6f0220794476fe19a54c049600ab3; classtype:trojan-activity; sid:2033942; rev:2; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/ST_platforms.php?"; nocase; content:"include_path="; nocase; reference:url,milw0rm.com/exploits/8195; reference:bugtraq,34074; reference:url,doc.emergingthreats.net/2009312; classtype:web-application-attack; sid:2009312; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (bot registration)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api?method=bots.new&botid="; startswith; fast_pattern; content:"&botip="; distance:0; content:"&sdkVersion="; distance:0; content:"&deviceModel="; distance:0; content:"&typeConnection="; distance:0; content:"&battery="; distance:0; content:"&access="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,03f51334546586d0b56ee81d3df9fd7a; classtype:trojan-activity; sid:2033943; rev:1; metadata:created_at 2021_09_14, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id SELECT"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004760; classtype:web-application-attack; sid:2004760; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SOVA Banking Trojan Activity (log post)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/logpost.php"; bsize:12; fast_pattern; http.request_body; content:"botid="; startswith; content:"&text="; distance:0; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; reference:url,www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html; reference:md5,03f51334546586d0b56ee81d3df9fd7a; classtype:trojan-activity; sid:2033944; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004761; classtype:web-application-attack; sid:2004761; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/NitroStealer/exoStub CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22 3b 20|filename=|22|Upload.zip|22 0d 0a|"; fast_pattern; nocase; content:"screenshot"; nocase; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,3594572488e00679a144001e24c675ab; classtype:trojan-activity; sid:2032417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id INSERT"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004762; classtype:web-application-attack; sid:2004762; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Eyoorun.D Variant Checkin"; flow:established,to_server; http.request_line; content:"GET /?opt=put&mq="; startswith; fast_pattern; http.uri; content:"&mac="; content:"&pcname="; distance:12; within:8; content:"&bootid="; distance:0; reference:md5,957c7bf090944fb437e1b9f20bbea1ff; classtype:pup-activity; sid:2033945; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id DELETE"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004763; classtype:web-application-attack; sid:2004763; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Spy.Agent.BEH Variant Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport="; distance:0; content:"&manf="; distance:0; content:"&sid="; distance:0; http.user_agent; content:"|28|Linux|3b 20|U|3b 20|Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"contactsList"; content:"phoneNo"; distance:0; http.header_names; content:!"Referer"; reference:md5,72670e5480849637e86e0daeddbdb43b; reference:url,twitter.com/malwrhunterteam/status/1437787922816806914; classtype:trojan-activity; sid:2033946; rev:1; metadata:created_at 2021_09_14, former_category MOBILE_MALWARE, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id ASCII"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004764; classtype:web-application-attack; sid:2004764; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Client Cloaking Javascript Observed"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|html|3e 3c|head|3e 3c|script|20|src|3d 27|"; content:"Aes|2e|Ctr|2e|decrypt|28|"; nocase; fast_pattern; pcre:"/^(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*(?:[^0-9][a-zA-Z0-9_$]{1,254}),\s*256\)\x3b/Ri"; content:"document|2e|write|28|output|29|"; distance:0;  reference:url,unit42.paloaltonetworks.com/javascript-based-phishing/; classtype:credential-theft; sid:2033947; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE"; flow:established,to_server; http.uri; content:"/filecheck.php?"; nocase; content:"id["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1135; reference:url,www.securityfocus.com/bid/22726; reference:url,doc.emergingthreats.net/2004765; classtype:web-application-attack; sid:2004765; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/btn_bg.html?contact=true"; fast_pattern; bsize:25; http.cookie; content:"HSID="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1437787000690683911; reference:url,github.com/pan-unit42/tweets/blob/master/2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt; reference:md5,3963abbca3932a7d1e2b77cef1f6d57e; classtype:trojan-activity; sid:2033948; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro art.php idm Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/art.php"; nocase; content:"idm="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009013; classtype:web-application-attack; sid:2009013; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M1"; flow:established,to_server; stream_size:server,<,5; content:"|3d 22 3f 4b 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033949; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro rub.php idr Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rub.php"; nocase; content:"idr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009014; classtype:web-application-attack; sid:2009014; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Delf.OKR Variant CnC M2"; flow:established,to_server; stream_size:server,<,5; dsize:4; content:"|6d 35 30 0a|"; startswith; reference:md5,320564554767ddd328932997067f64a5; classtype:command-and-control; sid:2033950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_14, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php ida Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/galeri_info.php?"; nocase; content:"ida="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009015; classtype:web-application-attack; sid:2009015; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=netfoundationmtgcorp.com"; nocase; endswith; reference:md5,9845a9edb7484874171c80e3cb26135d; reference:url,twitter.com/benkow_/status/1437376463305596929; classtype:domain-c2; sid:2033951; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php lang Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/galeri_info.php?"; nocase; content:"lang="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009016; classtype:web-application-attack; sid:2009016; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M1"; flow:established,to_server; http.request_line; content:"GET|20|/?s="; startswith; fast_pattern; content:"&q="; distance:0; content:"&g="; distance:0; pcre:"/^[a-f0-9]{32}/R"; http.header_names; content:!"User-Agent"; content:!"Accept|0d 0a|"; reference:md5,9284526d864c785b1d6bedd7830e8c19; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033953; rev:1; metadata:created_at 2021_09_15, updated_at 2021_09_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebPhotoPro rubrika.php idr Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/rubrika.php?"; nocase; content:"idr="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32829; reference:url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt; reference:url,doc.emergingthreats.net/2009017; classtype:web-application-attack; sid:2009017; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?arch="; content:"&s="; distance:0; content:"&q="; distance:0; http.request_body; content:"continuebtn="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,9284526d864c785b1d6bedd7830e8c19; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033954; rev:2; metadata:created_at 2021_09_15, updated_at 2021_09_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID SELECT"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004911; classtype:web-application-attack; sid:2004911; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls any [5986,5985,1270] -> any any (msg:"ET INFO Possible Microsoft OMI Agent Default TLS Certificate Observed"; flow:established,to_client; tls.cert_subject; content:"cloudapp.net"; tls.cert_issuer; content:".cloudapp.net"; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; classtype:bad-unknown; sid:2033955; rev:2; metadata:attack_target Server, created_at 2021_09_15, deployment Perimeter, deployment Internet, former_category POLICY, signature_severity Informational, updated_at 2021_09_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UNION SELECT"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004912; classtype:web-application-attack; sid:2004912; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteScript"; fast_pattern; nocase; content:"|3c|p|3a|Script|3e|"; nocase; reference:url,attackerkb.com/topics/08O94gYdF1/cve-2021-38647; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033952; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_15, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID INSERT"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004913; classtype:web-application-attack; sid:2004913; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Inbound Powershell Creating .hta File"; flow:established,to_client; file.data; content:".hta|22 3b|"; content:"|28|New-Object|20|-COM"; classtype:bad-unknown; sid:2033956; rev:1; metadata:created_at 2021_09_15, former_category HUNTING, updated_at 2021_09_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID DELETE"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004914; classtype:web-application-attack; sid:2004914; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Inbound Powershell Creating .lnk File"; flow:established,to_client; file.data; content:".lnk|22|"; content:"|28|New-Object|20|-COM|20|WScript.Shell|29|.CreateShortcut|28|"; classtype:bad-unknown; sid:2033957; rev:1; metadata:created_at 2021_09_15, former_category HUNTING, updated_at 2021_09_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID ASCII"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004915; classtype:web-application-attack; sid:2004915; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/TrojanDownloader.Adload.NSD Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?commandline="; fast_pattern; content:"&country="; distance:0; content:"&username="; distance:0; content:"&newpc="; distance:0; content:"&av="; distance:0; http.user_agent; content:"WinHttpClient"; bsize:13; reference:md5,dd6dca8dd2f53fdedeb5513f103ab711; classtype:pup-activity; sid:2033958; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE"; flow:established,to_server; http.uri; content:"/directions.php?"; nocase; content:"testID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0970; reference:url,www.securityfocus.com/bid/22559; reference:url,doc.emergingthreats.net/2004916; classtype:web-application-attack; sid:2004916; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING DNS Lookup for 8+ hexadecimal only duckdns domain"; dns.query; content:".duckdns.org"; fast_pattern; pcre:"/^[a-f0-9]{8,}\.duckdns\.org$/"; reference:md5,cfaed1a20d1d7e877f58d54272361df1; classtype:bad-unknown; sid:2033959; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id SELECT"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004772; classtype:web-application-attack; sid:2004772; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Software Download Redirect Leading to Malware M3"; flow:established,to_server; http.request_line; content:"GET|20|/?s="; startswith; fast_pattern; content:"&q="; distance:0; content:"&hmac="; distance:0; reference:url,news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/; classtype:trojan-activity; sid:2033961; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004773; classtype:web-application-attack; sid:2004773; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe Related CnC Activity"; flow:established,to_server; content:"x999"; startswith; fast_pattern; content:">"; distance:0; pcre:"/>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}>/"; content:"|20|>>"; reference:md5,ae20da9a88c7624a6b3f81a20bc8065c; reference:url,twitter.com/s1ckb017/status/1435888576710029315; reference:url,blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/; classtype:trojan-activity; sid:2033962; rev:1; metadata:created_at 2021_09_16, former_category MALWARE, malware_family TransparentTribe, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id INSERT"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004774; classtype:web-application-attack; sid:2004774; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Bisonal Backdoor CnC Domain in DNS Lookup"; dns.query; content:"ergencucur.com"; nocase; bsize:14; reference:url,twitter.com/nao_sec/status/1438460553479921665; reference:md5,60490ea995531924f77af5f1bfb38eec; classtype:domain-c2; sid:2033963; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Bisonal, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id DELETE"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004775; classtype:web-application-attack; sid:2004775; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Bisonal Backdoor CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/post.asp"; endswith; http.host; content:".com#.com"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,60490ea995531924f77af5f1bfb38eec; reference:url,twitter.com/nao_sec/status/1438460553479921665; classtype:trojan-activity; sid:2033964; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Bisonal, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id ASCII"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004776; classtype:web-application-attack; sid:2004776; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/ZuRu Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u.php?id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,objective-see.com/blog/blog_0x66.html; reference:md5,2786ebc3b917866d30e622325fc6f5f3; classtype:trojan-activity; sid:2033965; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE"; flow:established,to_server; http.uri; content:"/connexion.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-7089; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2; reference:url,doc.emergingthreats.net/2004778; classtype:web-application-attack; sid:2004778; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET HUNTING Telegram API Domain in DNS Lookup"; dns.query; content:"api.telegram.org"; nocase; bsize:16; classtype:misc-activity; sid:2033966; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp SELECT"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004224; classtype:web-application-attack; sid:2004224; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.telegram.org"; bsize:16; fast_pattern; classtype:misc-activity; sid:2033967; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004225; classtype:web-application-attack; sid:2004225; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft OMI RCE Exploit Attempt (CVE-2021-38647) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wsman"; http.header_names; content:!"|0d 0a|Authorization|0d 0a|"; http.content_type; content:"application/soap+xml"; http.request_body; content:"|3c|p|3a|ExecuteShellCommand"; fast_pattern; nocase; content:"|3c|p|3a|command|3e|"; nocase; reference:url,github.com/horizon3ai/CVE-2021-38647/blob/main/omigod.py; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647; reference:url,www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution; reference:cve,2021-38647; classtype:attempted-admin; sid:2033968; rev:2; metadata:affected_product HTTP_Server, attack_target Server, created_at 2021_09_16, cve CVE_2021_38647, deployment Perimeter, deployment Internet, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp INSERT"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004226; classtype:web-application-attack; sid:2004226; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno CVE-2021-41314 (new line injection)"; http.method; content:"POST"; http.uri; content:"/cgi/set.cgi?cmd=home_loginAuth"; fast_pattern; http.request_body; content:"_ds="; content:"pwd="; distance:0; pcre:"/^[^&\x0d\r]+[\n\x0a]/R"; reference:url,gynvael.coldwind.pl/?id=742; reference:cve,2021-41314; classtype:attempted-dos; sid:2033969; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp DELETE"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004227; classtype:web-application-attack; sid:2004227; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain (phonefix .bar in TLS SNI)"; flow:established,to_server; tls.sni; content:"phonefix.bar"; bsize:12; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566?s=20; reference:url,tria.ge/210913-nebwkaded5; classtype:domain-c2; sid:2033972; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp ASCII"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004228; classtype:web-application-attack; sid:2004228; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//l/f/"; startswith; fast_pattern; pcre:"/^[A-Za-z0-9_]{20}\/[a-f0-9]{40}$/R"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033973; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE"; flow:established,to_server; http.uri; content:"/functions/functions_filters.asp?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004229; classtype:web-application-attack; sid:2004229; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.content_type; content:"multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV"; fast_pattern; bsize:62; reference:md5,8b45338ac11f819c85dd86d13a1cc2bb; classtype:command-and-control; sid:2033974; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_09_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name SELECT"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004230; classtype:web-application-attack; sid:2004230; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v4/api_t.php?id="; startswith; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034038; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UNION SELECT"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004231; classtype:web-application-attack; sid:2004231; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v4/down/"; startswith; fast_pattern; http.host; content:".cc"; endswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034039; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name INSERT"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004232; classtype:web-application-attack; sid:2004232; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer Sending OS Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v4/api_t.php"; bsize:13; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.request_body; content:"id="; startswith; content:"&mid="; distance:0; content:"&username="; distance:0; content:"&os_info="; distance:0; content:"&version="; distance:0; content:"&computername="; distance:0; content:"&memory="; distance:0; content:"&screen="; distance:0; content:"&drives="; distance:0; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034040; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name DELETE"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004233; classtype:web-application-attack; sid:2004233; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Voltron/Spectre Stealer CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v4/api_t.php"; bsize:13; fast_pattern; http.user_agent; content:"UserAgent"; bsize:9; http.request_body; content:"id="; startswith; content:"&mid="; distance:0; content:"&cmd_id="; distance:0; content:"&msg_id="; distance:0; content:"&msg="; distance:0; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034041; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ASCII"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004439; classtype:web-application-attack; sid:2004439; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed APT-C-23 Related Domain (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"linda-gaytan.website"; bsize:20; fast_pattern; reference:md5,af0e580b67938afaeb783b72cf2a1c61; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; classtype:domain-c2; sid:2033978; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE"; flow:established,to_server; http.uri; content:"/forum/pop_up_member_search.asp?"; nocase; content:"name="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004234; classtype:web-application-attack; sid:2004234; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (linda-gaytan .website)"; dns.query; content:"linda-gaytan.website"; nocase; bsize:20; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east; reference:md5,af0e580b67938afaeb783b72cf2a1c61; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; classtype:domain-c2; sid:2033979; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004235; classtype:web-application-attack; sid:2004235; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE APT-C-23 Related CnC Domain in DNS Lookup (javan-demsky .website)"; dns.query; content:"javan-demsky.website"; nocase; bsize:20; reference:md5,dd4596cf68c85eb135f7e0ad763e5dab; reference:url,twitter.com/malwrhunterteam/status/1437498154501480451; reference:url,blog.cyble.com/2021/09/15/apt-c-23-using-new-variant-of-android-spyware-to-target-users-in-the-middle-east/; classtype:domain-c2; sid:2033980; rev:1; metadata:attack_target Mobile_Client, created_at 2021_09_17, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UNION SELECT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004236; classtype:web-application-attack; sid:2004236; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazed/alternative.jng"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; http.host; content:".ru"; endswith; reference:md5,0c6eb0ff9121eae3ce6e15f7af8f9909; reference:url,twitter.com/s1ckb017/status/1438458210147520514; classtype:trojan-activity; sid:2033981; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID INSERT"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004237; classtype:web-application-attack; sid:2004237; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; pcre:"/^.{4}(?:R(?:k(?:Z(?:GQkBG|CQEY)|BCRUVG)|0FFRkFH|UJDQUE)|Q(?:U(?:V(?:CQ0FB|GQUc)|NCRkI)|kFDQkZC|EJFRUY)|(?:Z(?:AQkVF|GRkJA)R|JBQ0JGQ)g|FFQkNBQQ|dBRUZBRw)/R"; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith;  reference:url,twitter.com/jaydinbas/status/1437708323038564352; classtype:command-and-control; sid:2033982; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID DELETE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004238; classtype:web-application-attack; sid:2004238; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JBOSS Deserialization Attempt Inbound (CVE-2017-7504)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jbossmq-httpil/HTTPServerILServlet"; fast_pattern; http.request_body; content:"|AC ED 00|"; reference:url,www.programmersought.com/article/1033574325/; reference:cve,2017-7504; classtype:attempted-admin; sid:2033985; rev:1; metadata:attack_target Server, created_at 2021_09_17, cve CVE_2017_7504, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ASCII"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004239; classtype:web-application-attack; sid:2004239; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Bitter Related CnC Domain in DNS Lookup"; dns.query; content:"olmajhnservice.com"; nocase; bsize:18; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:domain-c2; sid:2033986; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, signature_severity Major, updated_at 2021_09_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE"; flow:established,to_server; http.uri; content:"/News/page.asp?"; nocase; content:"NewsID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1548; reference:url,www.securityfocus.com/bid/23051; reference:url,doc.emergingthreats.net/2004240; classtype:web-application-attack; sid:2004240; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561_CVE_2021_27562, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_09_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/html.php?"; nocase; content:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009690; classtype:web-application-attack; sid:2009690; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (CobaltStrike CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=sammitng.com"; nocase; endswith; reference:md5,b656845e2755920db24364b42ce2ea18; reference:url,thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/; classtype:domain-c2; sid:2033988; rev:1; metadata:attack_target Client_and_Server, created_at 2021_09_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_20, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/html2.php?"; nocase; content:"page="; nocase; pcre:"/page=\s*(ftps?|https?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt; reference:url,doc.emergingthreats.net/2009691; classtype:web-application-attack; sid:2009691; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WP Download From Files Plugin <= 1.48 Arbitrary File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; bsize:4; http.uri; content:"/wp-admin/admin-ajax.php"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|files[]|22 3b 20|filename=|22|"; content:"<?"; content:"download_from_files_617_fileupload"; fast_pattern; reference:url,cxsecurity.com/issue/WLB-2021090097; classtype:attempted-admin; sid:2033989; rev:1; metadata:created_at 2021_09_20, former_category EXPLOIT, updated_at 2021_09_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010167; classtype:web-application-attack; sid:2010167; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Socelars.S CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST|20|/base/api/getData.php|20|HTTP/1.1"; startswith; fast_pattern; http.request_body; content:"data="; startswith; isdataat:50,relative; http.header_names; content:!"Referer"; reference:md5,064f0d6900675bed580da1291a566cfa; classtype:trojan-activity; sid:2034192; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"FileName="; nocase; pcre:"/Filename\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010168; classtype:web-application-attack; sid:2010168; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK Server Response"; flow:established,to_client; file.data; content:"|ce f8 f4 fc fb c8 98 9f|"; startswith; fast_pattern; content:"|98 9f|"; content:"|98 9f|"; endswith; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010169; classtype:web-application-attack; sid:2010169; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Syndicasec Encoded Response Embedded in HTML Title Tags Inbound"; flow:established,to_client; content:"|3c|title|3e 40|"; content:"|40 3c 2f|title|3e|"; distance:0; within:150; fast_pattern; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-mangal-win32syndicasec-used-targeted-attacks-indian-organizations/; reference:md5,f339bbca8e7a5d0f1629212f61b7d351; classtype:command-and-control; sid:2033905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/viewHeaders.asp?"; nocase; content:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010170; classtype:web-application-attack; sid:2010170; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Cobalt Strike)"; flow:established,to_client; tls.cert_subject; content:"CN=systemmentorsec.com"; bsize:22; fast_pattern; reference:url,twitter.com/Unit42_Intel/status/1440027013595766784; reference:url,www.malware-traffic-analysis.net/2021/09/20/index.html; classtype:domain-c2; sid:2033993; rev:1; metadata:attack_target Client_and_Server, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_09_21, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010171; classtype:web-application-attack; sid:2010171; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GCleaner Downloader Activity M5"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?pub=mix"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:!"Mozilla"; content:"-"; offset:2; depth:1; content:"-"; distance:0; http.header_names; content:!"Referer"; reference:md5,064f0d6900675bed580da1291a566cfa; classtype:command-and-control; sid:2033995; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010172; classtype:web-application-attack; sid:2010172; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA XSS Attempt (CVE-2020-3580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/+CSCOE+/saml/sp/acs?tgname="; fast_pattern; http.request_body; content:"=|22|><"; reference:url,twitter.com/ptswarm/status/1408050644460650502; reference:cve,2020-3580; classtype:web-application-attack; sid:2033994; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2021_09_21, cve CVE_2020_3580, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010173; classtype:web-application-attack; sid:2010173; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Edge Chakra - InlineArrayPush Type Confusion Inbound M2 (CVE-2018-8617)"; flow:established,from_server; file_data; content:"function"; pcre:"/^\s*(?P<func_a>[\w\-]{1,20})\((?P<obj_1>[\w\-]{1,20})\s*,\s*(?P<obj_2>[\w\-]{1,20}).{1,300}(?P=obj_1)\.(?P<prop_2>[\w\-]{1,20})\s*=\s*\d+(?:\.\d+)?.{1,300}?(?P=obj_2)\.pop\(\).{1,300}?(?P=obj_1)\.(?P<prop_1>[\w\-]{1,20})\s*=\s*\d+(?:\.\d+)?.{1,500}Object\.prototype\.p(op|ush)\s*=\s*Array\.prototype\.p(op|ush)\x3b.{1,500}var\s*(?P<obj_3>[\w\-]{1,20})\s*=\s*\{\s*(?P=prop_1)\s*\x3a\s*\d+(?:\.\d+)?\s*,\s*(?:(?P=prop_2)\s*\x3a\s*\d+(?:\.\d+)?|(?P=prop_2)\s*\x3a\s*\d+(?:\.\d+)?\s*,\s*(?P=prop_1)\s*\x3a\s*\d+(?:\.\d+)).{1,500}(?P=func_a)\(\s*(?:(?P=obj_3)\s*,\s*new\s*Object\(\)|\s*new\s*Object\(\)\s*,\s*(?P=obj_3)\s*).{1,500}?(?P=func_a)\((?P=obj_3)/Rsi"; content:"Object.prototype.p"; content:"|20|=|20|Array.prototype.p"; fast_pattern; reference:cve,2018-8617; classtype:attempted-admin; sid:2034004; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_21, cve CVE_2018_8617, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"Dictionary="; nocase; pcre:"/Dictionary\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010174; classtype:web-application-attack; sid:2010174; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot Generic URI/Header Struct .bin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"aocdn.net"; content:!"kankan.com"; endswith; content:!"conf.v.xunlei.com"; endswith; content:!"burstek.com"; endswith; http.request_line; content:".bin HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018052; rev:11; metadata:created_at 2014_02_01, former_category CURRENT_EVENTS, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"Scoring="; nocase; pcre:"/Scoring\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010175; classtype:web-application-attack; sid:2010175; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; http.header; content:!"ztunnelversion|3a 20|"; file_data; content:"FindProxyForURL"; fast_pattern; distance:0; content:"|22|PROXY"; distance:0; content:!"trust.zscaler.com"; pcre:"/(?:www\.(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|espa)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:antander(?:banespa|net)?|erasa(?:experian)?)|uolhost)\.com\.br|c(?:(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov))\.br|redicard\.com(?:\.br)?)|itau(?:p(?:ersonnalite|rivatebank)|uniclass)?\.com\.br,|ame(?:ricanexpress\.com(?:\.br)?|x\.com\.br))|(?:(?:b(?:an(?:co(?:dobrasil|hsbc)|risul)|radesco(?:prime)?|b)|hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|s(?:erasa(?:experian)?|antander)|uolhost)\.com|c(?:aixa(?:(?:economica(?:federal)?|qui)\.gov|\.(?:com|gov))|onsultasintegradas\.rs\.gov|ef\.(?:com|gov)|redicard\.com))\.br|itau(?:(?:p(?:ersonnalite|rivatebank)|uniclass)\.com\.br|\.com\.br,)|ame(?:ricanexpress.com(?:\.br)?|x\.com\.br)|\*(?:linhadefensiva*|hsbc*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:16; metadata:created_at 2012_02_28, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgAnalyse.asp?"; nocase; content:"MessagePart="; nocase; pcre:"/MessagePart\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010176; classtype:web-application-attack; sid:2010176; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ntuser.txt"; bsize:11; fast_pattern; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; bsize:20; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"Queue="; nocase; pcre:"/Queue\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010177; classtype:web-application-attack; sid:2010177; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NSIS/TrojanDownloader.Agent.NZK CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/max.txt"; bsize:8; fast_pattern; http.user_agent; content:"NSIS|5f|Inetc|20 28|Mozilla|29|"; bsize:20; reference:md5,168feb87d7264b4ee2b39cffd7d3b5e3; classtype:command-and-control; sid:2033991; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"FileName="; nocase; pcre:"/FileName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010178; classtype:web-application-attack; sid:2010178; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom JS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/js/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.js\x27\x29\.then\x28(?:.{1,1000}themes\/js\/[a-f0-9]{42}\.js\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034002; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"IsolatedMessageID="; nocase; pcre:"/IsolatedMessageID\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010179; classtype:web-application-attack; sid:2010179; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http any any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Checks if New Visitor"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|28|store|2e|getters|5b 27|"; fast_pattern; pcre:"/\w{1,255}\/\w{1,255}'\]\s*==\s*"\w{1,255}\"/Ri"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2033999; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt"; flow:established,to_server; http.uri; content:"/web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp?"; nocase; content:"ServerName="; nocase; pcre:"/ServerName\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36741/; reference:url,doc.emergingthreats.net/2010180; classtype:web-application-attack; sid:2010180; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CopperStealer CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.host; content:"|2e|"; offset:16; depth:1; pcre:"/^[a-f0-9]{16}\./"; http.request_body; content:"info="; startswith; fast_pattern; pcre:"/^[A-Za-z0-9\-_~]{75,}$/R"; http.header_names; content:!"Referer"; reference:md5,b0110812a72552902f0bd69d640b8e1c; classtype:trojan-activity; sid:2031926; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_06_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID SELECT"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005227; classtype:web-application-attack; sid:2005227; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Fortinet FortiOS/FortiProxy SSL VPN Web Portal Path Traversal (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fgt_lang?lang="; fast_pattern; content:"|2e 2e 2f|"; distance:0; reference:url,devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/; reference:url,github.com/milo2012/CVE-2018-13379/blob/master/CVE-2018-13379.py; reference:cve,2018-13379; classtype:attempted-admin; sid:2034005; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2021_09_22, cve CVE_2018_13379, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UNION SELECT"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005228; classtype:web-application-attack; sid:2005228; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Generic Phishkit Javascript Response with Phishy Text"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"click OK or reload"; nocase; fast_pattern; content:"longtime to request"; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2034003; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Informational, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID INSERT"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005229; classtype:web-application-attack; sid:2005229; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Config Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"ID_CUS_SP_NBR_"; nocase; fast_pattern; content:"EMAILRESULT_NBR"; nocase; content:"LINKRE_RESULT"; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID DELETE"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005230; classtype:web-application-attack; sid:2005230; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M2"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|5c|nUpdate your browser"; nocase; content:"is out-of-date"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033997; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ASCII"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005231; classtype:web-application-attack; sid:2005231; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible Outdated Browser Landing Page M1"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Your browser is"; nocase; fast_pattern; content:"work well in"; nocase; distance:0; content:"your browser to view this"; nocase; distance:0; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033996; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE"; flow:established,to_server; http.uri; content:"/eWebQuiz.asp?"; nocase; content:"QuizID="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0527; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html; reference:url,doc.emergingthreats.net/2005232; classtype:web-application-attack; sid:2005232; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [exec] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=exec"; fast_pattern; content:"&newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034006; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order SELECT"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004140; classtype:web-application-attack; sid:2004140; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"?newid="; content:"&pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034007; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UNION SELECT"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004141; classtype:web-application-attack; sid:2004141; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Possible WebShell Access Inbound [upload] M1 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?act=upload"; fast_pattern; content:"&path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034009; rev:1; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_09_22, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order INSERT"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004142; classtype:web-application-attack; sid:2004142; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Outbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033856; rev:3; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order DELETE"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004143; classtype:web-application-attack; sid:2004143; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mirai Infection Attempt via OS Command Injection Inbound (CVE-2021-32305)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search.php?search=|22 3b|/bin/bash+wget+http://"; fast_pattern; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/R"; content:"|3b|+"; distance:0; within:50; reference:url,unit42.paloaltonetworks.com/cve-2021-32305-websvn/; reference:cve,2021-32305; classtype:attempted-admin; sid:2033857; rev:2; metadata:created_at 2021_08_31, cve CVE_2021_32305, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ASCII"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004144; classtype:web-application-attack; sid:2004144; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible SQUIRRELWAFFLE Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b 20|charset=UTF-8"; bsize:24; file.data; content:"|0d 0d 0d 09 09 09 0a 0a 0a|"; startswith; fast_pattern; content:"|0a 0a 0a 09 09 09 0d 0d 0d|"; endswith; classtype:command-and-control; sid:2033984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, malware_family SQUIRRELWAFFLE, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE"; flow:established,to_server; http.uri; content:"/check_vote.php?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1602; reference:url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded; reference:url,doc.emergingthreats.net/2004145; classtype:web-application-attack; sid:2004145; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno Vulnerability (post-auth shell injection)"; http.method; content:"POST"; http.uri; content:"/set.cgi?cmd=diag_traceroute"; fast_pattern; http.request_body; content:"&hostname="; pcre:"/^[^&\r\n]+(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:url,gynvael.coldwind.pl/?id=742; classtype:attempted-admin; sid:2033971; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php SELECT"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004247; classtype:web-application-attack; sid:2004247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Netgear Seventh Inferno Vulnerability (fake packet upload)"; http.method; content:"POST"; http.uri; content:"/cgi/get.cgi?cmd=home_login"; http.content_type; content:"multipart/form-data"; http.content_len; byte_test:0,>=,300000000,0,string,dec; reference:url,gynvael.coldwind.pl/?id=742; classtype:attempted-admin; sid:2033970; rev:3; metadata:attack_target Networking_Equipment, created_at 2021_09_16, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UNION SELECT"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004248; classtype:web-application-attack; sid:2004248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Monitor.PCTattletale.A Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Prod/api/pctt/devices/"; fast_pattern; bsize:23; http.header_names; content:!"Referer"; content:!"User-Agent"; http.request_body; content:"{|22|MemberID|22 3a|"; startswith; content:"|22 2c 22|DeviceName|22 3a 22|"; distance:0; content:"|22 2c 22|DeviceDescription|22 3a 22|"; distance:0; content:"|22 2c 22|SoftwareVersion|22 3a 22|"; distance:0; reference:md5,d76d32487a84bb529a94ee39444f8212; reference:url,www.vice.com/en/article/m7ezj8/stalkerware-leaking-phone-screenshots-pctattletale; classtype:trojan-activity; sid:2034013; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php INSERT"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004249; classtype:web-application-attack; sid:2004249; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Pulse Secure Post-Auth OS Command Injection (CVE-2019-11539)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/diag/diag.cgi"; fast_pattern; content:"&options="; distance:0; content:"-r"; distance:0; reference:url,packetstormsecurity.com/files/154376/Pulse-Secure-8.1R15.1-8.2-8.3-9.0-SSL-VPN-Remote-Code-Execution.html; reference:url,packetstormsecurity.com/files/155277/Pulse-Secure-VPN-Arbitrary-Command-Execution.html; reference:cve,2019-11539; classtype:attempted-admin; sid:2034014; rev:1; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_09_23, cve CVE_2019_11539, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php DELETE"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004250; classtype:web-application-attack; sid:2004250; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/FamousSparrow Activity (POST)"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.uri; content:"/"; http.host; content:"credits.offices-analytics.com"; bsize:29; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Accept-Language|0d 0a|Accept|0d 0a|Host|0d 0a|"; content:!"Referer"; reference:url,www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/; reference:url,twitter.com/ESETresearch/status/1441013111469879300; classtype:trojan-activity; sid:2034015; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php ASCII"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004251; classtype:web-application-attack; sid:2004251; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/FamousSparrow CnC Domain in DNS Lookup (credits.offices-analytics .com)"; dns.query; content:"credits.offices-analytics.com"; nocase; bsize:29; reference:url,twitter.com/ESETresearch/status/1441013111469879300; reference:url,www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/; classtype:domain-c2; sid:2034016; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE"; flow:established,to_server; http.uri; content:"/usergroups.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1518; reference:url,www.securityfocus.com/bid/22970; reference:url,doc.emergingthreats.net/2004252; classtype:web-application-attack; sid:2004252; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nagiosxi/includes/components/autodiscovery/?mode=newjob"; fast_pattern; http.request_body; content:"job=|2e 2e 2f|"; reference:url,claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/; reference:cve,2021-37343; classtype:attempted-admin; sid:2034017; rev:1; metadata:affected_product Nagios, attack_target Server, created_at 2021_09_23, cve CVE_2021_37343, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid SELECT"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004997; classtype:web-application-attack; sid:2004997; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyTurla CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Title|0d 0a|"; fast_pattern; http.header; content:"Title|3a 20|"; content:"-"; distance:8; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"-"; distance:4; within:1; content:"|0d 0a|"; distance:12; within:2; reference:url,blog.talosintelligence.com/2021/09/tinyturla.html; classtype:command-and-control; sid:2034018; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2021_09_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UNION SELECT"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004998; classtype:web-application-attack; sid:2004998; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Possible Autodiscover Credentials Leak via Basic Auth"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/autodiscover/autodiscover.xml"; nocase; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|"; reference:url,guardicore.com/labs/autodiscovering-the-great-leak/; classtype:policy-violation; sid:2034019; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_23, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid INSERT"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2004999; classtype:web-application-attack; sid:2004999; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Spy.Agent.AW Download"; flow:established,to_client; http.response_body; content:"var"; startswith; content:"|5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34 5c 78 35 46 5c 78 36 36 5c 78 36 46 5c 78 37 32 5c 78 36 44 5c 78 35 46 5c 78 36 33 5c 78 36 33 5c 78 37 33 5c 78 36 31 5c 78 37 36 5c 78 36 35|"; within:90; fast_pattern; content:"|5c 78 36 35 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 35 46 5c 78 37 33 5c 78 36 35 5c 78 36 33 5c 78 37 35 5c 78 37 32 5c 78 36 35 5c 78 35 46 5c 78 37 30 5c 78 36 31 5c 78 37 39 5c 78 36 44 5c 78 36 35 5c 78 36 45 5c 78 37 34|"; distance:62; within:76;  reference:md5,ade43b2b2cf95ca908b82fe0e76ea54d; classtype:trojan-activity; sid:2034020; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid DELETE"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005000; classtype:web-application-attack; sid:2005000; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (REBOL)"; flow:established,to_server; http.user_agent; content:"REBOL"; nocase; startswith;  reference:url,twitter.com/James_inthe_box/status/1441140639169609736; classtype:bad-unknown; sid:2034021; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid ASCII"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005001; classtype:web-application-attack; sid:2005001; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=bmFtZT"; fast_pattern; pcre:"/(?:JmJ1aWxkP|YnVpbGQ9|ZidWlsZD)/R"; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034022; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE"; flow:established,to_server; http.uri; content:"/pms.php?"; nocase; content:"pmid["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0812; reference:url,www.milw0rm.com/exploits/3262; reference:url,doc.emergingthreats.net/2005002; classtype:web-application-attack; sid:2005002; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast CnC Activity M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"=dXVpZD"; fast_pattern; content:"LT"; distance:18; within:2; content:"t"; distance:5; within:1; http.user_agent; content:"REBOL"; startswith; reference:url,twitter.com/ffforward/status/1441137165329649664; reference:md5,6b59a4657eb90d92590f5a183d9d1e77; classtype:command-and-control; sid:2034023; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Low, signature_severity Major, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005280; classtype:web-application-attack; sid:2005280; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc CnC Domain in DNS Lookup (r .significantbyte .com)"; dns.query; content:"r.significantbyte.com"; fast_pattern; nocase; bsize:21; reference:url,twitter.com/h2jazi/status/1440418522950107140; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; classtype:domain-c2; sid:2034029; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005281; classtype:web-application-attack; sid:2005281; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc Domain in DNS Lookup (aljazeera .cc)"; dns.query; content:"aljazeera.cc"; fast_pattern; nocase; bsize:12; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; reference:url,twitter.com/h2jazi/status/1440418522950107140; classtype:domain-c2; sid:2034030; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005282; classtype:web-application-attack; sid:2005282; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Microsoft Netconnection Domain in DNS Lookup"; dns.query; content:"internetbeacon.msedge.net"; fast_pattern; nocase; bsize:25; reference:url,lazyadmin.nl/powershell/test-netconnection/; classtype:bad-unknown; sid:2034025; rev:2; metadata:created_at 2021_09_24, former_category INFO, updated_at 2021_09_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005283; classtype:web-application-attack; sid:2005283; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Sending Windows System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/t/"; startswith; content:".php?"; http.host; content:"r.significantbyte.com"; fast_pattern; bsize:21; reference:url,twitter.com/ShadowChasing1/status/1441367412562030600; reference:url,twitter.com/h2jazi/status/1440418522950107140; classtype:trojan-activity; sid:2034031; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_27, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005284; classtype:web-application-attack; sid:2005284; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sabsik.FL.B!ml CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client"; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"|ef bc 9a|"; depth:40; content:"Memorytotal|ef bc 9a|"; fast_pattern; content:"|ef bc 9a 5b|System|20|Process|5d 20|"; distance:0; reference:md5,84fffb6b0ee44238261a21a0af066c12; classtype:command-and-control; sid:2034032; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_09_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"boardids["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005285; classtype:web-application-attack; sid:2005285; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix ShareFile RCE Inbound (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"upload.aspx"; content:"id=../"; fast_pattern; content:"bp="; content:"accountid="; reference:url,codewhitesec.blogspot.com/2021/09/citrix-sharefile-rce-cve-2021-22941.html; reference:cve,2021-22941; classtype:attempted-admin; sid:2034033; rev:1; metadata:attack_target Server, created_at 2021_09_27, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005286; classtype:web-application-attack; sid:2005286; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FoggyWeb Backdoor Incoming Request (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adfs/portal/images/theme/light01/"; startswith; content:".webp"; endswith; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034034; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005287; classtype:web-application-attack; sid:2005287; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FoggyWeb Backdoor Incoming Request (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adfs/portal/images/theme/light01/"; startswith; content:".webp"; endswith; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034035; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005288; classtype:web-application-attack; sid:2005288; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FoggyWeb Backdoor Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"image/webp"; bsize:10; file.data; content:"|52 49 46 46|"; startswith; content:"|57 45 42 50 56 50 38 20|"; distance:4; within:8; content:"|10 32 00 9d 01 2a|"; distance:4; within:6; fast_pattern; pcre:"/^[\x80|\x40]\x00[\x80|\x40]\x00\x00\x00/R"; reference:url,www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor; classtype:command-and-control; sid:2034036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2021_09_28, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family FoggyWeb, performance_impact Low, signature_severity Major, updated_at 2021_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005289; classtype:web-application-attack; sid:2005289; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupyter Stealer CnC Checkin"; flow:established,to_server; http.start; content:"POST / HTTP/1.1|0d 0a|Host|3a 20|"; startswith; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:38; fast_pattern; http.content_len; byte_test:0,>=,200,0,string,dec; byte_test:0,<=,999,0,string,dec; http.connection; content:"Keep-Alive"; bsize:10; http.request_body; content:!"|0d 0a|"; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:url,blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer; reference:md5,c4772d76029004a5512ea6e2ff3be39b; classtype:command-and-control; sid:2034024; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category MALWARE, malware_family Jupyter, performance_impact Significant, signature_severity Major, updated_at 2021_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005290; classtype:web-application-attack; sid:2005290; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter RCE Exploitation Attempt M2 (CVE-2021-22005)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&_i=."; content:"../../"; fast_pattern; reference:cve,2021-22005; classtype:attempted-admin; sid:2034037; rev:1; metadata:attack_target Server, created_at 2021_09_28, cve CVE_2021_22005, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"board["; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0388; reference:url,www.milw0rm.com/exploits/3144; reference:url,doc.emergingthreats.net/2005291; classtype:web-application-attack; sid:2005291; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReflectiveGnome Download Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin"; endswith; http.user_agent; content:"msie"; bsize:4; fast_pattern; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2034042; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit SELECT"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006921; classtype:web-application-attack; sid:2006921; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M1 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3b"; distance:0; pcre:"/^(?:%[a-f0-9]{2}){5,}/R"; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034043; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UNION SELECT"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006922; classtype:web-application-attack; sid:2006922; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco HyperFlex OS Command Injection M2 (CVE-2021-1497)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/auth"; startswith; http.request_body; content:"username="; content:"password="; nocase; fast_pattern; content:"%3bimport|20|"; distance:0; reference:url,swarm.ptsecurity.com/cisco-hyperflex-how-we-got-rce-through-login-form-and-other-findings/; reference:cve,2021-1497; classtype:attempted-admin; sid:2034044; rev:1; metadata:attack_target Server, created_at 2021_09_29, cve CVE_2021_1497, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit INSERT"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006923; classtype:web-application-attack; sid:2006923; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/TrojanDownloader.Age Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; http.user_agent; content:"unknown"; fast_pattern; bsize:7; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer";  reference:md5,fd59dd7bb54210a99c1ed677bbfc03a8; classtype:trojan-activity; sid:2034048; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit DELETE"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006924; classtype:web-application-attack; sid:2006924; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=check&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/Rs"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:md5,9bf1574b794c7937cdbd12a9ff6fba76; classtype:command-and-control; sid:2034049; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ASCII"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006925; classtype:web-application-attack; sid:2006925; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Password-Processing URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"phishing-processor"; fast_pattern; content:".php"; distance:0; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034047; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_09_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE"; flow:established,to_server; http.uri; content:"/thread.php?"; nocase; content:"threadvisit="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6237; reference:url,www.milw0rm.com/exploits/2841; reference:url,doc.emergingthreats.net/2006926; classtype:web-application-attack; sid:2006926; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session/downexlog/cd/"; fast_pattern; startswith; http.header_names; content:!"Refer"; classtype:trojan-activity; sid:2034883; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004403; classtype:web-application-attack; sid:2004403; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|28 39 fa 28 39 fb 28 39 f9 4c 48 8d 28 39 fe 28 38 8c 4f|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034050; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004404; classtype:web-application-attack; sid:2004404; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|2f fb 3f 2f fb 3e 2f fb 3c 4b 8a 48 2f fb 3b 2f fa 49 48|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034051; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004405; classtype:web-application-attack; sid:2004405; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.2 Client Checkin M24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"|4a|"; depth:1; pcre:"/^(?:[\x4b-\x4c]|[\x48-\x49]|[\x4e-\x4f]|\x2f\xfb)/R"; content:"|ed 3e 38 ed 3e 39 ed 3e 3b 89 4f 4f ed 3e 3c ed 3f 4e 8a|"; distance:10; within:45; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034052; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004406; classtype:web-application-attack; sid:2004406; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M22"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|26 67 ea 26 66 9c 26 66 9d 26 66 9f 42 17 eb 26 66 98 41 70 9c 47|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034053; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004407; classtype:web-application-attack; sid:2004407; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M23"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|70 9c 47 70 9d 31 70 9d 30 70 9d 32 14 ec 46 70 9d 35 17 8b 31 11|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034054; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-functions.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1409; reference:url,www.secunia.com/advisories/24566; reference:url,doc.emergingthreats.net/2004408; classtype:web-application-attack; sid:2004408; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/AZORult V3.3 Client Checkin M24"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; pcre:"/^(?:\x00\x00\x00)?(?:[\x40-\x42]|[\x45-\x47]|\x26\x66)/R"; content:"|8b 31 11 8b 30 67 8b 30 66 8b 30 64 ef 41 10 8b 30 63 ec 26 67 ea|"; distance:6; within:47; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2034055; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family AZORult, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004654; classtype:web-application-attack; sid:2004654; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megalodon/Gomorrah/CosaNostra HTTP Bot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?hwid="; isdataat:!17,relative; http.request_body; content:".txt|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"|22|PC Name|22|"; content:"|22|Operating System|22|"; content:"|22|Anti virus|22|"; fast_pattern; content:"|22|Firewall|22|"; content:"|22|Processor|22|"; content:"|22|Memory|20|(RAM)|22|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,github.com/moneermasoud/CosaNostra-HTTP-Botnet/blob/master/stub/keylogger/keylogger/Form1.vb; reference:md5,0dad0861840cb73b4cefce3dcce28fa5; classtype:command-and-control; sid:2034056; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004655; classtype:web-application-attack; sid:2004655; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-ajaxSuccess.js"; fast_pattern; bsize:22; http.cookie; content:"__cfduid="; startswith; pcre:"/^[a-zA-Z0-9_-]{171}$/R"; reference:md5,cc13942c46fb85a5754570c2b2c06e35; classtype:trojan-activity; sid:2034057; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_09_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004656; classtype:web-application-attack; sid:2004656; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .me)"; dns.query; dotprefix; content:".samuelblog.me"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034058; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004657; classtype:web-application-attack; sid:2004657; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .site)"; dns.query; dotprefix; content:".samuelblog.site"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034059; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004658; classtype:web-application-attack; sid:2004658; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .info)"; dns.query; dotprefix; content:".samuelblog.info"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034060; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE"; flow:established,to_server; http.uri; content:"/xmlrpc.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3140; reference:url,www.milw0rm.com/exploits/4039; reference:url,doc.emergingthreats.net/2004659; classtype:web-application-attack; sid:2004659; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .website)"; dns.query; dotprefix; content:".samuelblog.website"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034061; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005657; classtype:web-application-attack; sid:2005657; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TAG28 Associated CnC Domain in DNS Lookup (samuelblog .xyz)"; dns.query; dotprefix; content:".samuelblog.xyz"; nocase; endswith; reference:url,www.recordedfuture.com/china-linked-tag-28-targets-indias-the-times-group; classtype:domain-c2; sid:2034062; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005658; classtype:web-application-attack; sid:2005658; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert smb any any -> $HOME_NET any (msg:"ET MALWARE CobaltStrike SMB P2P Default Msagent Named Pipe Interaction"; flow:established,to_server; content:"SMB"; depth:8; content:"|5c 00|m|00|s|00|a|00|g|00|e|00|n|00|t|00|_|00|"; nocase; distance:0; fast_pattern; content:!"s|00|p|00|_|00|M|00|S|00|a|00|g|00|e|00|n|00|t|00|_|00|"; reference:url,blog.cobaltstrike.com/2015/10/07/named-pipe-pivoting/; reference:url,www.cobaltstrike.com/help-malleable-c2; reference:url,posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456; classtype:targeted-activity; sid:2027325; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_07, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005659; classtype:web-application-attack; sid:2005659; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c 21 2d 2d|havexhavex|2d 2d 3e|"; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018243; rev:3; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005660; classtype:web-application-attack; sid:2005660; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:5; content:"|33 00|FCC"; fast_pattern; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034063; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005661; classtype:web-application-attack; sid:2005661; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE S400 RAT Server Response"; flow:established,to_client; stream_size:client,<,10; content:"|7c|S400|7c|"; within:16; content:"|7c|S400|7c|"; distance:32; within:6; content:"|7c|S400|7c|"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034064; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2021_09_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; http.uri; content:"/wp-trackback.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0233; reference:url,www.milw0rm.com/exploits/3109; reference:url,doc.emergingthreats.net/2005662; classtype:web-application-attack; sid:2005662; rev:8; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"ywbgrcrupasdiqxknwgceatlnbvmezti.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034067; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/st_newsletter/stnl_iframe.php"; nocase; content:"?newsletter="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,milw0rm.com/exploits/6777; reference:url,secunia.com/advisories/32336; reference:url,doc.emergingthreats.net/2008725; classtype:web-application-attack; sid:2008725; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"pdjwebrfgdyzljmwtxcoyomapxtzchvn.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034068; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/js/wptable-tinymce.php?"; nocase; content:"ABSPATH="; nocase; pcre:"/ABSPATH\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/56763; reference:url,doc.emergingthreats.net/2010473; classtype:web-application-attack; sid:2010473; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"yhgrffndvzbtoilmundkmvbaxrjtqsew.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034069; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/wp-content/plugins/nextgen-gallery/xml/media-rss.php"; nocase; content:"mode="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.coresecurity.com/content/nextgen-gallery-xss-vulnerability; reference:cve,2010-1186; reference:url,doc.emergingthreats.net/2011006; classtype:web-application-attack; sid:2011006; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"wcmbqxzeuopnvyfmhkstaretfciywdrl.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034070; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011044; classtype:web-application-attack; sid:2011044; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"ruciplbrxwjscyhtapvlfskoqqgnxevw.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034071; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011045; classtype:web-application-attack; sid:2011045; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"esnoptdkkiirzewlpgmccbwuynvxjumf.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034072; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011071; classtype:web-application-attack; sid:2011071; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"nfcomizsdseqiomzqrxwvtprxbljkpgd.name"; nocase; bsize:37; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034073; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011046; classtype:web-application-attack; sid:2011046; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"hkxpqdtgsucylodaejmzmtnkpfvojabe.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034074; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cpl/cplphoto.php?"; nocase; content:"postid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,www.exploit-db.com/exploits/11458; reference:url,doc.emergingthreats.net/2011047; classtype:web-application-attack; sid:2011047; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/Sutersu Rootkit CnC Domain in DNS Lookup"; dns.query; content:"etzndtcvqvyxajpcgwkzsoweaubilflh.com"; nocase; bsize:36; reference:url,www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/; classtype:domain-c2; sid:2034075; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-cumulus/tagcloud.swf"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,doc.emergingthreats.net/2011107; classtype:web-application-attack; sid:2011107; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (newtrendmicro .com)"; dns.query; dotprefix; content:".newtrendmicro.com"; fast_pattern; nocase; endswith; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; reference:md5,cbbd0addd5eb6cab479a1f188f7f5af0; reference:md5,897bfb316d2e8ff72031a3332842be0f; classtype:domain-c2; sid:2034076; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id SELECT"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004343; classtype:web-application-attack; sid:2004343; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (centralgoogle .com)"; dns.query; dotprefix; content:".centralgoogle.com"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; reference:md5,38bf0d130c73fd59c950a2fdac1b70e3; classtype:domain-c2; sid:2034077; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004344; classtype:web-application-attack; sid:2004344; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (microsoft-support .net)"; dns.query; dotprefix; content:".microsoft-support.net"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:domain-c2; sid:2034078; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id INSERT"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004345; classtype:web-application-attack; sid:2004345; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (cdn-chrome .com)"; dns.query; dotprefix; content:".cdn-chrome.com"; nocase; endswith; fast_pattern; content:!"www"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:domain-c2; sid:2034079; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id DELETE"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004346; classtype:web-application-attack; sid:2004346; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ChamelGang Related CnC Domain in DNS Lookup (mcafee-upgrade .com)"; dns.query; dotprefix; content:".mcafee-upgrade.com"; nocase; endswith; fast_pattern; content:!"www"; classtype:domain-c2; sid:2034080; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id ASCII"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004347; classtype:web-application-attack; sid:2004347; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Home.aspx"; bsize:10; http.host; content:"www.funding-exchange.org"; bsize:24; fast_pattern; http.cookie; content:"ASP.NET_SessionId="; startswith; http.header_names; content:"Accept|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|DNT|0d 0a|Cache-Control|0d 0a|"; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034081; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE"; flow:established,to_server; http.uri; content:"/devami.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1438; reference:url,www.milw0rm.com/exploits/3469; reference:url,doc.emergingthreats.net/2004348; classtype:web-application-attack; sid:2004348; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/images/L._SX2_.jpg"; bsize:19; http.host; content:"static.mhysl.org"; bsize:24; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1|3b 20|WOW64|3b 20|Trident/7.0|3b 20|rv|3a|11.0)|20|like|20|Gecko"; bsize:68; http.header_names; content:!"Referer"; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/; classtype:trojan-activity; sid:2034082; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_10_01, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005117; classtype:web-application-attack; sid:2005117; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Fake Anti-Pegasus AV CnC Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connect?hwid="; fast_pattern; content:"&os="; distance:0; content:"&bits=x"; distance:0; content:"&av="; distance:0; http.header_names; content:!"Referer";  reference:url,blog.talosintelligence.com/2021/09/fakeantipegasusamnesty.html; classtype:command-and-control; sid:2034083; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005118; classtype:web-application-attack; sid:2005118; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (JPEG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|ff d8 ff|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034084; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id INSERT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005119; classtype:web-application-attack; sid:2005119; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (PNG)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|89 50 4e 47|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034085; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id DELETE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005120; classtype:web-application-attack; sid:2005120; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 Amazon Profile POST (RIFF)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"|52 49 46 46|"; startswith; reference:url,securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/; classtype:command-and-control; sid:2034086; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_10_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id ASCII"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005121; classtype:web-application-attack; sid:2005121; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ELENAPC/principles/"; startswith; nocase; content:".mp3"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/s1ckb017/status/1443950604968149010; reference:md5,b345a53a6a432fa2467a0f7931bd79ae; classtype:trojan-activity; sid:2034087; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005122; classtype:web-application-attack; sid:2005122; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/MachO.Netwire Connectivity Check"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; endswith; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.netwire; classtype:trojan-activity; sid:2034088; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005123; classtype:web-application-attack; sid:2005123; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Netwire Connectivity Check"; flow:to_server,established; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (Windows NT 6.1|3b| WOW64|3b| Trident/7.0|3b| rv|3a|11.0) like Gecko"; endswith; http.host; content:"checkip.dyndns.org"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,malpedia.caad.fkie.fraunhofer.de/details/win.netwire; classtype:trojan-activity; sid:2034089; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005124; classtype:web-application-attack; sid:2005124; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY External IP Lookup via ad4989 .co .kr"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ipcheck.asp"; endswith; http.host; content:".ad4989.co.kr"; endswith; fast_pattern; classtype:policy-violation; sid:2034090; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from INSERT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005125; classtype:web-application-attack; sid:2005125; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DOS Possible Microsoft Windows HTTP2 Reset Flood Denial of Service Inbound (CVE-2019-9514)"; flow:established,to_server; dsize:9; content:"|00 00 00 01 04 00 00 00|"; startswith; fast_pattern; threshold:type threshold, count 45, seconds 60, track by_src; reference:cve,2019-9514; classtype:denial-of-service; sid:2034093; rev:1; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9514, deployment Perimeter, deployment Internal, former_category DOS, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from DELETE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005126; classtype:web-application-attack; sid:2005126; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (autodesk360 .com)"; flow:established,to_server; tls.sni; dotprefix; content:".autodesk360.com"; endswith; fast_pattern; classtype:bad-unknown; sid:2034097; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from ASCII"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005127; classtype:web-application-attack; sid:2005127; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed AutoDesk Domain in TLS SNI (api .autodesk .com)"; flow:established,to_server; tls.sni; content:"developer.api.autodesk.com"; bsize:26; fast_pattern; classtype:bad-unknown; sid:2034098; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category HUNTING, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"from="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005128; classtype:web-application-attack; sid:2005128; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (yawero .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"yawero.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:command-and-control; sid:2034099; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005129; classtype:web-application-attack; sid:2005129; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (sazoya .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sazoya.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034100; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_04, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005130; classtype:web-application-attack; sid:2005130; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securetourspd .com)"; dns.query; content:"securetourspd.com"; nocase; bsize:17; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034101; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q INSERT"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005131; classtype:web-application-attack; sid:2005131; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (secure-daddy .com)"; dns.query; content:"secure-daddy.com"; nocase; bsize:16; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; classtype:domain-c2; sid:2034102; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q DELETE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005132; classtype:web-application-attack; sid:2005132; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"http"; pcre:"/\/[0-9A-Za-z]{8,13}\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; fast_pattern; http.host; content:!".freeip.com"; http.content_len; byte_test:0,<,2000,0,string,dec; http.request_body; pcre:"/(?:Q(?:k(?:MIdh|UMcR)|0IPdR)|(?:DQg91|FRghw)F|(?:NCD3U|VGCHA)X|C(?:Qwh2E|RQxxF)|J(?:DCHYT|FDHEW)|R(?:UYIcB|kIJcR)|GQglxE|ZCCXEQ)/"; reference:md5,2933e342334bdb24ba99f70c15506294; reference:md5,e4f16cbac43141987a39f9841642fe90; reference:url,twitter.com/ffforward/status/1437688494017728516; reference:url,twitter.com/ffforward/status/1437473409542262795; classtype:trojan-activity; sid:2033939; rev:6; metadata:created_at 2021_09_13, former_category MALWARE, malware_family SQUIRRELWAFFLE, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q ASCII"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005133; classtype:web-application-attack; sid:2005133; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (centr-security .com)"; dns.query; content:"centr-security.com"; nocase; bsize:18; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034103; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE"; flow:established,to_server; http.uri; content:"/classes/class.news.php?"; nocase; content:"q="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0630; reference:url,www.frsirt.com/english/advisories/2007/0395; reference:url,doc.emergingthreats.net/2005134; classtype:web-application-attack; sid:2005134; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Wintervivern Related CnC Domain in DNS Lookup (securemanag .com)"; dns.query; content:"securemanag.com"; nocase; bsize:15; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; classtype:domain-c2; sid:2034104; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/includes/function_core.php?"; nocase; content:"web_root="; nocase; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009926; classtype:web-application-attack; sid:2009926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:".xml"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034105; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/templates/layout_lyrics.php?"; nocase; content:"web_root="; nocase; reference:url,secunia.com/advisories/31920; reference:bugtraq,31225; reference:url,milw0rm.com/exploits/6480; reference:url,doc.emergingthreats.net/2009928; classtype:web-application-attack; sid:2009928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:".txt"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034106; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/mini.php?"; nocase; content:"help_file="; nocase; reference:url,milw0rm.com/exploits/6592; reference:bugtraq,31460; reference:url,doc.emergingthreats.net/2009194; classtype:web-application-attack; sid:2009194; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Retrieving Task"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"/getcommand?username="; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034107; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XAMPP showcode.php TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/xampp/showcode.php?"; nocase; content:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:bugtraq,37997; reference:url,doc.emergingthreats.net/2011138; classtype:web-application-attack; sid:2011138; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"/getanswer.php?username="; nocase; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034108; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XAMPP xamppsecurity.phpp TEXT Parameter Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/xampp/xamppsecurity.php?"; nocase; content:"TEXT[global-showcode]="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:bugtraq,37997; reference:url,doc.emergingthreats.net/2011139; classtype:web-application-attack; sid:2011139; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Client Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data="; fast_pattern; pcre:"/(?:fCxTeXN0ZW0gSWRsZS|wsU3lzdGVtIElkbGUg|8LFN5c3RlbSBJZGxlI)/R"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,254022730f51ee770452015b6987b939; reference:url,twitter.com/rcwht_/status/1443867650686439489; classtype:command-and-control; sid:2034091; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_01, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Moderate, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS X-BLC get_read.php section Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/get_read.php?"; nocase; content:"section="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/8258; reference:bugtraq,34197; reference:url,doc.emergingthreats.net/2009738; classtype:web-application-attack; sid:2009738; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"vivern/"; fast_pattern; content:"serverHttpRequest"; endswith; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034109; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004857; classtype:web-application-attack; sid:2004857; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".rb|0d 0a|"; within:32; http.cookie; content:"XSRF-TOKEN=eyJpdiI6I"; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; content:"load_session=eyJpdiI6I"; fast_pattern; pcre:"/(?:I(?:iwidmFsdWUiO|sInZhbHVlIjo)i|iLCJ2YWx1ZSI6I)/R"; classtype:command-and-control; sid:2034110; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_04, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UNION SELECT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004858; classtype:web-application-attack; sid:2004858; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp any any -> any any (msg:"ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Denial of Service Inbound (CVE-2019-9515)"; flow:established,to_server; content:"|04|"; offset:3; depth:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; byte_jump:3,0, post_offset 9; content:"|04|"; within:1; threshold:type threshold, track by_dst, count 20, seconds 10; flowbits:isset,ET.http2; flowbits:set,ET.CVE20199515; flowbits:noalert; reference:cve,2019-9515; classtype:denial-of-service; sid:2034095; rev:2; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9515, deployment Perimeter, deployment Internal, deprecation_reason Performance, former_category DOS, performance_impact Significant, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album INSERT"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004859; classtype:web-application-attack; sid:2004859; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp any any -> any any (msg:"ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Error Response (CVE-2019-9515)"; flow:established,to_client; content:"|00 00 00 04 01|"; depth:5; content:"|00 00 00 04 01|"; distance:4; within:5; content:"|00 00 00 04 01|"; distance:4; within:5; threshold:type threshold, track by_src, count 20, seconds 10; flowbits:isset,ET.CVE20199515; reference:cve,2019-9515; classtype:denial-of-service; sid:2034096; rev:2; metadata:attack_target Server, created_at 2021_10_04, cve CVE_2019_9515, deployment Perimeter, deployment Internal, former_category DOS, performance_impact Moderate, signature_severity Major, tag Exploit, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album DELETE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004860; classtype:web-application-attack; sid:2004860; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp any any -> any any (msg:"ET INFO HTTP/2 Traffic (SET)"; flow:established,to_server; stream_size:server,<,5; content:"|50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a 0d 0a 53 4d 0d 0a 0d 0a|"; startswith; flowbits:set,ET.http2; flowbits:noalert; classtype:misc-activity; sid:2034094; rev:2; metadata:created_at 2021_10_04, former_category INFO, updated_at 2021_10_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album ASCII"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004861; classtype:web-application-attack; sid:2004861; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ADWARE_PUP Observed DNS Query to Known PUA Host Domain"; dns.query; content:"honeypoc.io"; endswith; fast_pattern; classtype:bad-unknown; sid:2034111; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE"; flow:established,to_server; http.uri; content:"/view.php?"; nocase; content:"album="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1026; reference:url,www.milw0rm.com/exploits/3327; reference:url,doc.emergingthreats.net/2004862; classtype:web-application-attack; sid:2004862; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Known PUA Host Domain"; dns.query; content:"givemeyourpasswords.ninja"; endswith; fast_pattern; classtype:bad-unknown; sid:2034112; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/activities/workflow-activities.php?"; nocase; content:"include_directory="; nocase; pcre:"/include_directory=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-3399; reference:url,milw0rm.com/exploits/6131; reference:url,xforce.iss.net/xforce/xfdb/43992; reference:url,doc.emergingthreats.net/2009870; classtype:web-application-attack; sid:2009870; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed HTTP Request to Known PUA Host Domain"; http.host; content:"honeypoc.io"; endswith; fast_pattern; classtype:bad-unknown; sid:2034113; rev:1; metadata:created_at 2021_10_05, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id SELECT"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005378; classtype:web-application-attack; sid:2005378; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed HTTP Request to Known PUA Host Domain"; http.host; content:"givemeyourpasswords.ninja"; endswith; fast_pattern; classtype:bad-unknown; sid:2034114; rev:1; metadata:created_at 2021_10_05, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005379; classtype:web-application-attack; sid:2005379; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Retrieving Commands"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/../users/"; fast_pattern; startswith; content:".php"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id INSERT"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005380; classtype:web-application-attack; sid:2005380; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\.(?:com|eu|va|lt|sk|)\//"; content:".php?v="; fast_pattern; pcre:"/^[0-9a-f]{64}$/R"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034116; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id DELETE"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005381; classtype:web-application-attack; sid:2005381; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintervivern Activity M5 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\.(?:com|eu|va|lt|sk|)\//"; content:".nsf?v="; fast_pattern; pcre:"/^[0-9a-f]{64}$/R"; http.header_names; content:!"Referer"; reference:url,www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs; reference:url,lab52.io/blog/winter-vivern-all-summer/; reference:md5,7940c343ae91e7198acf83400b25252f; classtype:trojan-activity; sid:2034117; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id ASCII"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005382; classtype:web-application-attack; sid:2005382; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY AmeriTechnology Group - CHARM Client"; flow:established,to_server; http.request_line; content:"GET /check.asp?co="; startswith; fast_pattern; http.uri; content:"&pc="; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,451f2852e35977a150066afdc5acb318; classtype:policy-violation; sid:2034118; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE"; flow:established,to_server; http.uri; content:"/kernel/group.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005383; classtype:web-application-attack; sid:2005383; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Tomiris C2 (init)"; flow:established,to_server; content:"|74 00 2b 00 77 00 6c 00 7c 00 76 00 76 00 27 00 30 00 79 00 20 00 29 00|"; offset:0;  reference:url,securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/; classtype:trojan-activity; sid:2034119; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid SELECT"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005384; classtype:web-application-attack; sid:2005384; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Message Variables"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"MS_TXT_LOGIN"; nocase; content:"ChangPass_"; nocase; content:"Login_"; nocase; content:"i18nGobal"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034028; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UNION SELECT"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005385; classtype:web-application-attack; sid:2005385; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript - Observed Repetitive Custom CSS Components"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; fast_pattern; pcre:"/^[a-f0-9]{42}\.css\x27\x29\.then\x28(?:.{1,1000}themes\/css\/[a-f0-9]{42}\.css\x27\x29\.then\x28){5,}/Rsi"; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034001; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, performance_impact Moderate, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid INSERT"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005386; classtype:web-application-attack; sid:2005386; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Landing Page"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"themes/css/"; nocase; content:".css"; nocase; distance:45; content:"themes/css/"; nocase; content:".css"; nocase; distance:45; content:"script nonce="; nocase; fast_pattern; content:"themes/"; nocase; content:".js"; nocase; distance: 42; content:"script nonce="; nocase; content:"themes/"; nocase; content:".js"; nocase; distance: 32; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034027; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid DELETE"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005387; classtype:web-application-attack; sid:2005387; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING PerSwaysion Phishkit Javascript Variable"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"init_notworkingbrowser"; nocase; fast_pattern; reference:url,blog.group-ib.com/perswaysion; classtype:credential-theft; sid:2034026; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid ASCII"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005388; classtype:web-application-attack; sid:2005388; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (get-europe-group .bar)"; flow:established,to_server; tls.sni; content:"get-europe-group.bar"; bsize:20; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; classtype:domain-c2; sid:2034120; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE"; flow:established,to_server; http.uri; content:"/class/table_broken.php?"; nocase; content:"lid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0377; reference:url,www.securityfocus.com/bid/22399; reference:url,doc.emergingthreats.net/2005389; classtype:web-application-attack; sid:2005389; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (download-serv-234116 .xyz)"; flow:established,to_server; tls.sni; content:"download-serv-234116.xyz"; bsize:24; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; reference:md5,157105990ae7e4673035fd9224b793c9; classtype:domain-c2; sid:2034121; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006486; classtype:web-application-attack; sid:2006486; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (manholi .xyz)"; flow:established,to_server; tls.sni; content:"manholi.xyz"; bsize:11; fast_pattern; reference:url,twitter.com/hatching_io/status/1437431372537282566; reference:md5,03a80daa82c29b55aa02a276ff58e22e; classtype:domain-c2; sid:2034122; rev:1; metadata:created_at 2021_10_05, former_category MALWARE, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006487; classtype:web-application-attack; sid:2006487; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Elysium Stealer Domain in TLS SNI (phonefix .bar)"; flow:established,to_server; tls.sni; content:"phonefix.bar"; bsize:12; fast_pattern; classtype:domain-c2; sid:2034123; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id INSERT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006488; classtype:web-application-attack; sid:2006488; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 756"; flow:established,to_server; content:"|bf cd 35 03 80 a5 a0 21 05 b6 42|"; startswith; fast_pattern; content:"|8c 21|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2034236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_05, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id DELETE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006489; classtype:web-application-attack; sid:2006489; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET POLICY Apache HTTP Server 2.4.49 Observed - Vulnerable to CVE-2021-41773"; flow:established,to_client; http.server; content:"Apache/2.4.49"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:cve,2021-41773; classtype:bad-unknown; sid:2034126; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category POLICY, signature_severity Informational, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id ASCII"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006490; classtype:web-application-attack; sid:2006490; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any [!80] -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Mirai pTea Variant - Attack Command Inbound"; flow:established,to_server; dsize:<70; content:"|ad af fe 7f|"; startswith; reference:url,blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability/; classtype:command-and-control; sid:2033243; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2021_07_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-3311; reference:url,www.milw0rm.com/exploits/3588; reference:url,doc.emergingthreats.net/2006491; classtype:web-application-attack; sid:2006491; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Wordpress Plugin TheCartPress Privilege Escalation Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax"; fast_pattern; http.request_body; content:"tcp_role|27 3a 20|"; content:"tcp_new_user_pass|27 3a 20|"; classtype:attempted-admin; sid:2034129; rev:1; metadata:attack_target Server, created_at 2021_10_06, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XOOPS Makale Module id SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/makale.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,secunia.com/advisories/32347/; reference:url,www.milw0rm.com/exploits/6795; reference:url,doc.emergingthreats.net/2008688; classtype:web-application-attack; sid:2008688; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Suspicious POST to Axis OS (smtptest.cgi)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/axis-cgi/smtptest.cgi"; fast_pattern; reference:url,nozominetworks.com/blog/new-axis-os-security-research-aided-by-transparent-design/; reference:cve,2021-31986; classtype:attempted-admin; sid:2034130; rev:1; metadata:attack_target Server, created_at 2021_10_06, deployment Perimeter, deployment Internal, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/qas/aviso.php?"; nocase; content:"codigo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,milw0rm.com/exploits/9249; reference:url,xforce.iss.net/xforce/xfdb/51985; reference:url,doc.emergingthreats.net/2010121; classtype:web-application-attack; sid:2010121; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (sharemanage .elwoodasset .xyz)"; dns.query; content:"sharemanage.elwoodasset.xyz"; nocase; bsize:27; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034131; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dictionary/detail.php?"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt; reference:url,doc.emergingthreats.net/2010607; classtype:web-application-attack; sid:2010607; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dshellelink .gcloud-share .com)"; dns.query; content:"dshellelink.gcloud-share.com"; nocase; bsize:28; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034132; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news SELECT"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006213; classtype:web-application-attack; sid:2006213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (dev .sslsharecloud .net)"; dns.query; content:"dev.sslsharecloud.net"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034133; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UNION SELECT"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006214; classtype:web-application-attack; sid:2006214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (signverydn .sharebusiness .xyz)"; dns.query; content:"signverydn.sharebusiness.xyz"; nocase; bsize:28; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034134; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news INSERT"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006215; classtype:web-application-attack; sid:2006215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (gsheet .gdocsdown .com)"; dns.query; content:"gsheet.gdocsdown.com"; nocase; bsize:20; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034135; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news DELETE"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006216; classtype:web-application-attack; sid:2006216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MirrorBlast KiXtart Downloader Client Request M2"; flow:established,to_server; http.request_line; content:"GET /?data="; startswith; fast_pattern; content:!"="; distance:0; content:"|3a|"; within:17; content:"|3a|"; distance:0; isdataat:!261; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; endswith; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,8b6199f5d5465c327c8c30ac9fdfd23a; classtype:command-and-control; sid:2034136; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, malware_family MirrorBlast, performance_impact Moderate, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news ASCII"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006217; classtype:web-application-attack; sid:2006217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (share .devprocloud .com)"; dns.query; content:"share.devprocloud.com"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034137; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE"; flow:established,to_server; http.uri; content:"/show_news.php?"; nocase; content:"id_news="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6747; reference:url,www.securityfocus.com/bid/21719; reference:url,doc.emergingthreats.net/2006218; classtype:web-application-attack; sid:2006218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (product .onlinedoc .dev)"; dns.query; content:"product.onlinedoc.dev"; nocase; bsize:21; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034138; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder SELECT"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005609; classtype:web-application-attack; sid:2005609; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (www .googlesheetpage .org)"; dns.query; content:"www.googlesheetpage.org"; nocase; bsize:23; reference:url,ti.qianxin.com/blog/articles/Lazarus'-Recent-Attack-Campaign-Targeting-Blockchain-Finance-and-Energy-Sectors/; classtype:domain-c2; sid:2034139; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UNION SELECT"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005610; classtype:web-application-attack; sid:2005610; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Gloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"gloderuniok.website"; bsize:19; fast_pattern;  reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034140; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder INSERT"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005611; classtype:web-application-attack; sid:2005611; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Ursnif CnC Domain (Vloderuniok .website in TLS SNI)"; flow:established,to_server; tls.sni; content:"vloderuniok.website"; bsize:19; fast_pattern;  reference:url,twitter.com/JAMESWT_MHT/status/1445322477350146054; classtype:domain-c2; sid:2034141; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder DELETE"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005612; classtype:web-application-attack; sid:2005612; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Gojihu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Gojihu.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034142; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ASCII"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005613; classtype:web-application-attack; sid:2005613; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain (Yuxicu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"Yuxicu.com"; bsize:10; fast_pattern;  reference:url,thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks; classtype:domain-c2; sid:2034143; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_06, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE"; flow:established,to_server; http.uri; content:"/displaypic.asp?"; nocase; content:"sortorder="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6937; reference:url,www.securityfocus.com/bid/21138; reference:url,doc.emergingthreats.net/2005614; classtype:web-application-attack; sid:2005614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M1"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|NSEC-UID|0d 0a|"; fast_pattern; http.request_body; content:"|3c|sessions|20|uid|3d 22|"; startswith; content:"|22 20|user|3d 22|"; distance:0; content:"|2f 3e 3c 2f|sessions|3e|"; endswith; reference:md5,4a14459e5dbadb86417483dba7174ffa; classtype:bad-unknown; sid:2034144; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/update_trailer.php?"; nocase; content:"context[path_to_root]="; nocase; reference:url,milw0rm.com/exploits/8066; reference:url,secunia.com/advisories/33959/; reference:url,doc.emergingthreats.net/2009191; classtype:web-application-attack; sid:2009191; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ESPecter Bootkit Initialization Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Heart.aspx?ti="; startswith; fast_pattern; content:"&tn="; distance:0; content:"&tg="; distance:0; content:"&tv="; distance:0; http.header_names; content:!"Referer"; reference:url,www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/; classtype:trojan-activity; sid:2034145; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/last_gallery.php?"; nocase; content:"YAPIG_PATH="; nocase; pcre:"/YAPIG_PATH=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/11708; reference:url,doc.emergingthreats.net/2011098; classtype:web-application-attack; sid:2011098; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ELENAPC/"; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,05aca0e7e247224adebecc3239a4cfbc; reference:md5,4f70faa3c0ad89de6a862f729678fc77; reference:url,twitter.com/s1ckb017/status/1445704873345896455; reference:url,twitter.com/s1ckb017/status/1445706513956306950; classtype:trojan-activity; sid:2034147; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/class_yapbbcooker.php?"; nocase; content:"cfgIncludeDirectory="; nocase; pcre:"/cfgIncludeDirectory=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30686; reference:url,doc.emergingthreats.net/2009316; classtype:web-application-attack; sid:2009316; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2"; flow:established,to_server; http.request_line; content:"POST|20|/service/communication.php|20|HTTP/1.1"; startswith; fast_pattern; http.request_body; content:"data="; startswith; isdataat:50,relative; http.header_names; content:!"Referer"; reference:md5,9a112488064fd03d4a259e0f1db9d323; classtype:trojan-activity; sid:2034202; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/autoresponderhosting/tr.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6938; reference:url,doc.emergingthreats.net/2008817; classtype:web-application-attack; sid:2008817; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup  Related Domain in DNS Lookup (ppadoaolnwod .xyz)"; dns.query; dotprefix; content:".ppadoaolnwod.xyz"; nocase; endswith; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034148; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Reminder Service tr.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reminderservice/tr.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6943; reference:url,doc.emergingthreats.net/2008818; classtype:web-application-attack; sid:2008818; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (officeframework .online)"; dns.query; dotprefix; content:".officeframework.online"; nocase; endswith; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034149; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/classifiedsblaster/tr.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32504/; reference:url,milw0rm.com/exploits/6944; reference:url,doc.emergingthreats.net/2008819; classtype:web-application-attack; sid:2008819; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (web.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/WEB-INF/web.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034150; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/cuenta/cuerpo.php?"; nocase; content:"base_archivo="; nocase; reference:url,milw0rm.com/exploits/6117; reference:bugtraq,30345; reference:url,secunia.com/advisories/31161; reference:url,doc.emergingthreats.net/2009393; classtype:web-application-attack; sid:2009393; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (seraph-config.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/WEB-INF/classes/seraph-config.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034151; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/locales.php?"; nocase; content:"next="; nocase; content:"srclang="; nocase; reference:url,secunia.com/advisories/34091/; reference:url,milw0rm.com/exploits/8140; reference:bugtraq,33965; reference:url,doc.emergingthreats.net/2009329; classtype:web-application-attack; sid:2009329; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.properties) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034152; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS zeeproperty adid Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bannerclick.php?adid="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32333/; reference:url,milw0rm.com/exploits/6780; reference:url,doc.emergingthreats.net/2008686; classtype:web-application-attack; sid:2008686; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Pre-Authorization Arbitrary File Read Attempt (pom.xml) (CVE-2021-26085)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/123cfx/_/|3b|/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml"; nocase; fast_pattern; http.header_names; content:!"Cookie|0d 0a|"; content:!"Authorization|0d 0a|"; reference:url,packetstormsecurity.com/files/164401/Atlassian-Confluence-Server-7.5.1-Arbitrary-File-Read.html; reference:cve,2021-26085; classtype:attempted-admin; sid:2034153; rev:1; metadata:attack_target Server, created_at 2021_10_07, cve CVE_2021_26085, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; http.uri; content:"/zport/dmd/ZenUsers/admin"; nocase; content:"defaultAdminLevel"; nocase; content:"manage_editUserSettings"; nocase; content:"method=Save"; nocase; content:"password="; nocase; content:"zenScreenName=editUserSettings"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010761; classtype:web-application-attack; sid:2010761; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Pastebin-style Service paste .c-net in DNS Query"; dns.query; content:"paste.c-net.org"; nocase; endswith; reference:md5,144cf514759595e65f3468f6fdb66d59; classtype:policy-violation; sid:2034154; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; http.uri; content:"/zport/dmd/userCommands/ping"; nocase; content:"commandId=ping"; nocase; content:"manage_editUserCommand"; nocase; content:"ScreenName=userCommandDetail"; nocase; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010763; classtype:web-application-attack; sid:2010763; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed SSL Cert (Pastebin-style Service paste .c-net)"; flow:established,to_server; tls.sni; content:"paste.c-net.org"; fast_pattern; classtype:policy-violation; sid:2034155; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id SELECT"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004803; classtype:web-application-attack; sid:2004803; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PR_KYY/"; fast_pattern; startswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1445115785454788615; reference:md5,00f61bdf5d04a8551b5e15c1f74083c0; reference:md5,ab4ac6236cb487fed4768e1e4d2dd8b6; reference:md5,92b9a1db86b631fc9de68915de446756; classtype:trojan-activity; sid:2034156; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004804; classtype:web-application-attack; sid:2004804; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Remote Template Retrieval (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/BEST-KOMP/"; fast_pattern; startswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1445115787870707715; classtype:trojan-activity; sid:2034157; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id INSERT"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004805; classtype:web-application-attack; sid:2004805; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (mimeversion .top)"; dns.query; content:"mimeversion.top"; nocase; bsize:15; reference:url,www.amnesty.org/en/documents/afr57/4756/2021/en/; classtype:trojan-activity; sid:2034158; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id DELETE"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004806; classtype:web-application-attack; sid:2004806; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Set flow on bmp file get"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bmp"; http.request_line; content:".bmp HTTP/1."; fast_pattern; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:8; metadata:created_at 2010_07_30, former_category HUNTING, updated_at 2021_10_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ASCII"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004807; classtype:web-application-attack; sid:2004807; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert tcp $EXTERNAL_NET !5665 -> $HOME_NET any (msg:"ET MALWARE Possible Netwire RAT Client HeartBeat C2"; flow:established,to_client; flowbits:isset,ET.Netwire.HB; dsize:5; content:"|01 00 00 00|"; depth:4; pcre:"/^[\x01-\x4c]$/R"; threshold: type threshold, track by_src, count 3, seconds 60; reference:md5,154a2366cd3e39e8625f5f737f9da8f1; reference:md5,e01c79d227c6315150f7ff0afe40db4c; classtype:command-and-control; sid:2018283; rev:8; metadata:created_at 2014_03_14, former_category MALWARE, updated_at 2021_10_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE"; flow:established,to_server; http.uri; content:"/functions.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1122; reference:url,www.securityfocus.com/bid/22685; reference:url,doc.emergingthreats.net/2004808; classtype:web-application-attack; sid:2004808; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Aviatrix Controller Unrestricted File Upload with Path Traversal Inbound (CVE-2021-40870)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=set_metric_gw_selections&account_name="; fast_pattern; content:"../../"; distance:0; within:10; content:"&data="; reference:cve,2021-40870; classtype:attempted-admin; sid:2034159; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_40870, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005192; classtype:web-application-attack; sid:2005192; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible EyesOfNetwork Remote File Upload with PHP WebShell Inbound (CVE-2021-27513)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/module/admin_itsm/ajax.php"; http.request_body; content:"|0d 0a 0d 0a|<?php"; fast_pattern; content:"name=|22|itsm_type_request|22|"; distance:0; reference:cve,2021-27513; classtype:attempted-admin; sid:2034160; rev:1; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_27513, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005193; classtype:web-application-attack; sid:2005193; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT RUIJIE NBR/RGNBR Command Injection Attempt Inbound M1"; flow:established,to_server; http.uri; content:"/wget_test.asp?"; fast_pattern; content:"="; distance:0; within:5; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2034161; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id INSERT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005194; classtype:web-application-attack; sid:2005194; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT RUIJIE NBR/RGNBR Command Injection Attempt Inbound M2"; flow:established,to_server; http.uri; content:"/wget_test.asp?"; fast_pattern; http.uri.raw; content:"="; pcre:"/^%(?:3b|0a|26|60|7C|24)/R"; classtype:attempted-admin; sid:2034162; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id DELETE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005195; classtype:web-application-attack; sid:2005195; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious FIN12 Related SSL Cert (serviceswork .net)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=TX, L=Texas, O=serviceswork, OU=, CN=serviceswork.net"; bsize:62; fast_pattern; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; reference:md5,f1c35cf848d984785e9c0621958fe5ae; classtype:trojan-activity; sid:2034163; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ASCII"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005196; classtype:web-application-attack; sid:2005196; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/AhMyth RAT Init Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/socket.io/?model="; startswith; fast_pattern; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport=polling&release="; distance:0; content:"&manf="; distance:0; http.header_names; content:!"Referer"; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034164; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005197; classtype:web-application-attack; sid:2005197; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android/AhMyth RAT WebSocket Session"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/socket.io/?release="; startswith; fast_pattern; content:"&model="; distance:0; content:"&EIO="; distance:0; content:"&id="; distance:0; content:"&transport=websocket&manf="; distance:0; content:"&sid="; distance:0; http.header_names; content:!"Referer"; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034165; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005198; classtype:web-application-attack; sid:2005198; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Location Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000lm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034166; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005199; classtype:web-application-attack; sid:2005199; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Contacts Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000cn|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034167; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass INSERT"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005200; classtype:web-application-attack; sid:2005200; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (SMS Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000sm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034168; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass DELETE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005201; classtype:web-application-attack; sid:2005201; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Call Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000cl|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034169; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ASCII"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005202; classtype:web-application-attack; sid:2005202; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Files Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000fm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034170; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/mezungiris.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005203; classtype:web-application-attack; sid:2005203; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Android/AhMyth RAT Command Inbound (Camera Manager)"; flow:from_server,established; dsize:<100; content:"[|22|order|22|,{|22|order|22 3a 22|x0000fm|22|"; offset:1; depth:40; fast_pattern; reference:url,www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-ahmyth; classtype:trojan-activity; sid:2034171; rev:1; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2021_10_11, deployment Perimeter, former_category MALWARE, malware_family AhMyth, signature_severity Major, updated_at 2021_10_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005204; classtype:web-application-attack; sid:2005204; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)"; flow:established,to_server; content:"|eb 32 90 90 7f a6 38 7c|"; fast_pattern; content:"|20|HTTP/"; distance:0; content:"|0d 0a 0d 0a|"; distance:3; within:4; reference:cve,2019-16724; classtype:attempted-admin; sid:2034092; rev:2; metadata:attack_target Server, created_at 2021_10_01, cve CVE_2019_16724, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UNION SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005205; classtype:web-application-attack; sid:2005205; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32.Perinet CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ceb.aspx"; endswith; http.user_agent; content:"Mozila"; fast_pattern; bsize:6; http.header_names; content:!"Referer"; reference:md5,c1c94bd5effc12455d7d0fe22e29feb5; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PUA:Win32/Perion; classtype:pup-activity; sid:2034175; rev:1; metadata:created_at 2021_10_12, former_category ADWARE_PUP, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass INSERT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005206; classtype:web-application-attack; sid:2005206; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M1"; flow:established,to_server; content:"/.%%32%65/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"/.%%32%65/"; reference:cve,2021-42013; classtype:attempted-admin; sid:2034172; rev:2; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_42013, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass DELETE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005207; classtype:web-application-attack; sid:2005207; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (CVE-2021-42013) M2"; flow:established,to_server; content:"/%%32%65%%32%65/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"/%%32%65%%32%65/"; reference:cve,2021-42013; classtype:attempted-admin; sid:2034173; rev:2; metadata:attack_target Server, created_at 2021_10_09, cve CVE_2021_42013, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ASCII"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005208; classtype:web-application-attack; sid:2005208; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server - Path Traversal Attempt (Unassigned CVE)"; flow:established,to_server; content:"%%%25%33%32%25%36%35/"; fast_pattern; http.uri; pcre:"/^\/(?:icons|cgi-bin)/"; http.uri.raw; content:"%%%25%33%32%25%36%35/"; classtype:attempted-admin; sid:2034174; rev:2; metadata:attack_target Server, created_at 2021_10_09, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005209; classtype:web-application-attack; sid:2005209; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus Related Domain (docs .gsheetpage .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"docs.gsheetpage.com"; bsize:19; fast_pattern; reference:md5,42e6310ffbdd24cf9a2b5d200190359e; reference:url,twitter.com/ShadowChasing1/status/1447900397935362053; classtype:trojan-activity; sid:2034176; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, signature_severity Major, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005210; classtype:web-application-attack; sid:2005210; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious FIN12 Related SSL Cert"; flow:established,to_client; tls.cert_subject; content:"OU=Delegated Licensor,KYP SDT LTD"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?OU=Delegated\ Licensor,KYP\ SDT\ LTD(?!\.)/"; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034177; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005211; classtype:web-application-attack; sid:2005211; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NSecSoft Remote Monitoring Update/Download Activity M2"; flow:established,to_server; stream_size:server,=,1; dsize:512; content:"MFjOLrqOLbmPnAKuM7cBwxcPgaqvM7cNcoZKIYmscocPnAOuM7jRJYJy2YBEmEORcoZKLSuscOByLFZL2rZunrfOrFqNJazEJ7GXgYNocF24J8EocoZOgST/Ja3sceRocazuJaOEIYsvnYNsce5ocxkV"; startswith; fast_pattern; reference:md5,9b9f3a3b03831b6f98ca1b935dd0eb51; classtype:bad-unknown; sid:2034178; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_10_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id INSERT"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005212; classtype:web-application-attack; sid:2005212; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN12 Related Cobalt Strike Domain (netrie .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"netrie.com"; bsize:10; fast_pattern; reference:md5,21b4d9c046db511738232582b41f453c; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:command-and-control; sid:2034180; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, former_category MALWARE, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id DELETE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005213; classtype:web-application-attack; sid:2005213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related ICECANDLE/Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-includes/admin.gif"; fast_pattern; bsize:22; http.header_names; content:"|0d 0a|Host|0d 0a|Cache-Control|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:49; reference:md5,256fa0ae50b4e199b631047f2fe98b58; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034181; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ASCII"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005214; classtype:web-application-attack; sid:2005214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed FIN12 Related Domain (hdhuge .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"hdhuge.com"; bsize:10; fast_pattern; reference:md5,cf3027fa4e3d5597487691dff1831b97; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:domain-c2; sid:2034182; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, signature_severity Major, updated_at 2021_10_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE"; flow:established,to_server; http.uri; content:"/ogretmenkontrol.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3178; reference:url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded; reference:url,doc.emergingthreats.net/2005215; classtype:web-application-attack; sid:2005215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M1"; flow:established,from_server; content:"|2c 31 25 25 27 3a 7e|"; content:"|2c 31 25 25 27 3a 7e|"; distance:0; pcre:"/[-\d]{1,4}(?:\x2c\x31\x25\x25\x27\x3a\x7e[-\d]{1,4}){10}/R"; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034183; rev:1; metadata:created_at 2021_10_13, former_category ATTACK_RESPONSE, updated_at 2021_10_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005979; classtype:web-application-attack; sid:2005979; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated Batch Script Inbound M2"; flow:established,from_server; content:"%%comspec|3a|"; nocase; content:"%%programfiles|3a|"; content:"%commonprogramfiles|3a|"; nocase; fast_pattern; reference:md5,abd0a49fda67547639eeaced7955a01a; classtype:misc-attack; sid:2034184; rev:1; metadata:created_at 2021_10_13, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_10_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005980; classtype:web-application-attack; sid:2005980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET [!5222,!7687] -> $HOME_NET any (msg:"ET MALWARE Generic AsyncRAT Style SSL Cert"; flow:established,to_client; content:!"infinitecampus.com"; content:"|0f 39 39 39 39 31 32 33 31 32 33 35 39 35 39 5a|"; fast_pattern; content:"|55 04 03|"; pcre:"/^.(?P<servercert>[\x00-\xff][\x20-\x7f]{1,50})\x30.+?\x55\x04\x03.(?P=servercert)\x30/Rsi"; tls.cert_subject; content:"CN="; startswith; content:!"O="; content:!"OU="; content:!"ST="; tls.cert_issuer; content:"CN="; startswith; content:!"O="; content:!"OU="; content:!"ST="; content:!".com"; reference:md5,7ed7bf7ea7a1551218f73774d28be76c; classtype:domain-c2; sid:2035595; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_13, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, signature_severity Major, updated_at 2021_10_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode INSERT"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005981; classtype:web-application-attack; sid:2005981; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related WHITEDAGGER/Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/files/remove.gif|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:57; reference:md5,cf3027fa4e3d5597487691dff1831b97; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034185; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode DELETE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005982; classtype:web-application-attack; sid:2005982; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN12 Related WEIRDLOOP/Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.request_line; content:"GET|20|/image-directory/bn.ico|20|HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; reference:md5,fd81452a3a8f9460ffac8aff6e20431a; reference:url,www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets; classtype:trojan-activity; sid:2034186; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_13, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Fin12, signature_severity Major, tag c2, updated_at 2021_10_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode ASCII"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005983; classtype:web-application-attack; sid:2005983; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?cmd=login_submit&id="; fast_pattern; content:"session="; distance:0; reference:url,twitter.com/JCyberSec_/status/14474927402840268803112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE"; flow:established,to_server; http.uri; content:"/faqDsp.asp?"; nocase; content:"catcode="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6831; reference:url,www.milw0rm.com/exploits/3031; reference:url,doc.emergingthreats.net/2005984; classtype:web-application-attack; sid:2005984; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishkit Landing Page M2"; flow:established,to_client; file.data; content:"|2e|php"; content:"onSubmit|3d 22|return|20|validateMyForm|28 29 3b 22|"; distance:0; content:"id|3d 27 5f|form|5f|"; distance:0; content:"enctype|3d 27|multipart|2f|form|2d|data|27|"; fast_pattern; distance:0; reference:md5,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034190; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/artmedic_print.php?"; nocase; content:"date="; nocase; reference:url,secunia.com/advisories/28927/; reference:url,milw0rm.com/exploits/5116; reference:url,doc.emergingthreats.net/2009661; classtype:web-application-attack; sid:2009661; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phishkit Landing Page M3"; flow:established,to_client; file.data; content:"url|3d|Thanks|2e|php|22|"; fast_pattern; content:"src|3d 22|images|2f|animation|5f|processing|2e|gif|22| alt|3d 22 22| title|3d 22 22|"; distance:0; reference:md5,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034191; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view_messages.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010771; classtype:web-application-attack; sid:2010771; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.host; content:"www.onlinedocpage.org"; bsize:21; fast_pattern; http.header_names; content:!"Referer"; reference:md5,c44d866adf8c6845b7dda742c59c6b59; reference:url,twitter.com/ShadowChasing1/status/1448150917912559616; classtype:trojan-activity; sid:2034187; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_10_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view_blog_comments.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010772; classtype:web-application-attack; sid:2010772; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Limbozar Ransomware Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postme"; bsize:7; http.header; content:"|0d 0a|from|3a 20|me|0d 0a|"; fast_pattern; content:"|0d 0a|user-agent|3a 20|libsfml-network/"; http.request_body; content:"&ip="; startswith; content:"&disk="; distance:0; content:"&id="; distance:0; content:"&mail="; distance:0; http.header_names; content:!"Referer"; reference:url,securelist.com/cis-ransomware/104452/; reference:md5,91332f289d3e577b57d878b55c5cf18a; classtype:trojan-activity; sid:2034195; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2021_10_15, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view_blog_archives.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010773; classtype:web-application-attack; sid:2010773; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (my-ip .io)"; dns.query; dotprefix; content:".my-ip.io"; nocase; endswith; classtype:bad-unknown; sid:2034196; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/add_comments.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010774; classtype:web-application-attack; sid:2010774; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/xmlpserver/ReportTemplateService.xls"; bsize:37; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"|3c 21|DOCTYPE|20|soap|3a|envelope|20|PUBLIC|20 22 2d 2f 2f|B|2f|A|2f|EN|22 20 22|http"; startswith;  reference:url,nvd.nist.gov/vuln/detail/CVE-2019-2616; reference:cve,2019-2616; classtype:attempted-admin; sid:2034199; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_15, cve CVE_2019_2616, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/downloads.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010775; classtype:web-application-attack; sid:2010775; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Interactsh Control Panel (DNS)"; threshold: type both, track by_src, count 1, seconds 600; dns.query; pcre:"/^[a-z0-9]{33}/"; content:".interact.sh"; endswith; fast_pattern;  reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:trojan-activity; sid:2034201; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/emailsender.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010776; classtype:web-application-attack; sid:2010776; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/MysterySnail RAT CnC Domain in DNS Lookup"; dns.query; content:"http.ddspadus.com"; nocase; bsize:17; reference:url,securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/; reference:md5,e2f2d2832da0facbd716d6ad298073ca; classtype:domain-c2; sid:2034197; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, signature_severity Major, updated_at 2021_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/left_menu.php?"; nocase; content:"row_y5_site_configuration[templates_folder]="; nocase; pcre:"/row_y5_site_configuration\[templates_folder\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt; reference:url,doc.emergingthreats.net/2010777; classtype:web-application-attack; sid:2010777; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interact .sh)"; dns.query; dotprefix; content:".interact.sh"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034198; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php SELECT"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005324; classtype:web-application-attack; sid:2005324; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.RTQ CnC Activity"; flow:established,to_server; content:"|0b 00 00 00|"; startswith; content:"|57 69 6e 64 6f 77 73 20|"; distance:4; within:8; content:"|00 00 00 cc ec b7 a3 20 56 65 72 20|"; distance:0; fast_pattern; reference:md5,1f2d30b383d332972d8a36b23d1d726e; classtype:command-and-control; sid:2034193; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UNION SELECT"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005325; classtype:web-application-attack; sid:2005325; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRAT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content: "&"; pcre: "/^(?:[a-f0-9]{2}){16}=(?:[a-f0-9]{2}){16}&(?:[a-f0-9]{2}){16}=(?=[a-z0-9A-Z]{0,32}[A-Z][a-z][A-Z][a-z][A-Z])/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:56; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1448751827046985746; reference:md5,60cf8c1093d596a44dc997d00caae463; classtype:trojan-activity; sid:2034194; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php INSERT"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005326; classtype:web-application-attack; sid:2005326; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M1 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<title>Windows|20|code|20|firewall0x"; fast_pattern; content:".mp3|22 20|type=|22|audio/mpeg|22|"; content:"<span>Windows-Firewall"; classtype:social-engineering; sid:2034203; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php DELETE"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005327; classtype:web-application-attack; sid:2005327; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M2 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|20|firewall0x"; fast_pattern; content:"src=|22|virus-scan.png|22|"; content:"<span>Scan|20|quickly"; classtype:social-engineering; sid:2034204; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php ASCII"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005328; classtype:web-application-attack; sid:2005328; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M3 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:">Scanned|20|items|20|<"; fast_pattern; content:">Threats|20|found<"; content:"<p>Detected|20|items|20|Item<"; classtype:social-engineering; sid:2034205; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE"; flow:established,to_server; http.uri; content:"/bb-includes/formatting-functions.php?"; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-3244; reference:url,trac.bbpress.org/ticket/592; reference:url,doc.emergingthreats.net/2005329; classtype:web-application-attack; sid:2005329; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M4 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"i>|20|Looking|20|for|20|updates<"; fast_pattern; content:"i>|20|Scan|20|memory<"; content:"<span>Windows|20|registry|20|scan"; classtype:social-engineering; sid:2034206; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bcoos adresses module viewcat.php cid Parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/adresses/viewcat.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/Advisories/32870/; reference:url,milw0rm.com/exploits/7317; reference:url,doc.emergingthreats.net/2008929; classtype:web-application-attack; sid:2008929; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Windows Firewall M5 2021-08-17"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|22|>Contact|20|Technical|20|Support|3a 20|<"; content:"|22|>Windows|0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20|was|20|banned|20|for"; fast_pattern; content:"PLEASE|20|call|20|us"; classtype:social-engineering; sid:2034207; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/arch.php?"; nocase; content:"arch="; nocase; reference:url,milw0rm.com/exploits/8680; reference:bugtraq,34968; reference:url,secunia.com/advisories/35059/; reference:url,doc.emergingthreats.net/2009790; classtype:web-application-attack; sid:2009790; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam - Generic Components"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|22|>Contact|20|Technical|20|Support|3a 20|<"; content:"src=|22|fullscreen.js|22|"; content:"toggleFullScreen|28 29 3b|"; classtype:social-engineering; sid:2034208; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_17, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, tag SocEng, updated_at 2021_10_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk SELECT"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005766; classtype:web-application-attack; sid:2005766; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=mummyvich.xyz"; fast_pattern; classtype:domain-c2; sid:2034209; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UNION SELECT"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005767; classtype:web-application-attack; sid:2005767; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dxb/mx_cmd.php"; endswith; classtype:command-and-control; sid:2034210; rev:1; metadata:created_at 2021_10_17, former_category MALWARE, updated_at 2021_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk INSERT"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005768; classtype:web-application-attack; sid:2005768; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dxb/mx_jscript.php"; endswith; classtype:command-and-control; sid:2034211; rev:1; metadata:created_at 2021_10_17, former_category MALWARE, updated_at 2021_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk DELETE"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005769; classtype:web-application-attack; sid:2005769; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit Variant Data Exfil M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".html"; http.request_body; content:"&filesize="; content:"&framesize="; fast_pattern; content:"&framenum="; content:"&filecrc="; content:"&filename="; content:"&pcname="; reference:md5,f05af511670dba679d845e3d477e789d; reference:url,twitter.com/James_inthe_box/status/1425921372987944961; reference:url,blog.reversinglabs.com/blog/data-exfiltrator; classtype:command-and-control; sid:2033727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk ASCII"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005770; classtype:web-application-attack; sid:2005770; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Stealbit Variant Data Exfil M2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:!".html"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"key="; startswith; fast_pattern; content:"&data="; within:100; pcre:"/^key=\w+\&data=/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,twitter.com/James_inthe_box/status/1425921372987944961; reference:url,blog.reversinglabs.com/blog/data-exfiltrator; classtype:command-and-control; sid:2033728; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_08_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE"; flow:established,to_server; http.uri; content:"/newsletters/edition.php?"; nocase; content:"tk="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6923; reference:url,www.securityfocus.com/bid/20996; reference:url,doc.emergingthreats.net/2005771; classtype:web-application-attack; sid:2005771; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Outbound .png HTTP GET flowbit set"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".png"; endswith; flowbits:set,ET.httpget.png; flowbits:noalert; classtype:misc-activity; sid:2034212; rev:1; metadata:created_at 2021_10_18, former_category INFO, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/frontend/x3/files/fileop.html?"; nocase; content:"fileop="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,37394; reference:url,vupen.com/english/advisories/2009/3608; reference:url,doc.emergingthreats.net/2011115; classtype:web-application-attack; sid:2011115; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible BlackByte Ransomware Encryption Key Inbound (fake .png)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:!"|89 50 4E 47 0D 0A 1A 0A|"; startswith; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; flowbits:isset,ET.httpget.png; classtype:command-and-control; sid:2034213; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, malware_family BlackByte, signature_severity Major, tag Ransomware, updated_at 2021_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cfagcms right.php title Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/right.php"; nocase; content:"title="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,32851; reference:url,milw0rm.com/exploits/7483; reference:url,doc.emergingthreats.net/2009045; classtype:web-application-attack; sid:2009045; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.feedbackfileweb.club"; fast_pattern; classtype:domain-c2; sid:2034214; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006171; classtype:web-application-attack; sid:2006171; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (IcedID CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=*.iserunifish.club"; fast_pattern; classtype:domain-c2; sid:2034215; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UNION SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006172; classtype:web-application-attack; sid:2006172; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"gsterangsic.buzz"; endswith; classtype:domain-c2; sid:2034216; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse INSERT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006173; classtype:web-application-attack; sid:2006173; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"oscanonamik.club"; endswith; classtype:domain-c2; sid:2034217; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse DELETE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006174; classtype:web-application-attack; sid:2006174; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IcedID CnC Domain in SSL/TLS SNI"; flow:to_server,established; tls.sni; content:"riderskop.top"; endswith; classtype:domain-c2; sid:2034218; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_TLS_SNI, updated_at 2021_10_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ASCII"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006175; classtype:web-application-attack; sid:2006175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wiki0509.html"; fast_pattern; bsize:14; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1438602464765386757; reference:md5,41dacae2a33ee717abcc8011b705f2cb; classtype:trojan-activity; sid:2034221; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtUse="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006176; classtype:web-application-attack; sid:2006176; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF/FontOnLake Related CnC Domain in DNS Lookup (hm2 .yrnykx .com)"; dns.query; content:"hm2.yrnykx.com"; nocase; bsize:14; reference:url,www.welivesecurity.com/wp-content/uploads/2021/10/eset_fontonlake.pdf; reference:md5,fa73b2fd914a0cfd5e7d3161af903b6c; reference:md5,5ecf30b7a6221af8f209a7b6681f91f9; classtype:domain-c2; sid:2034222; rev:1; metadata:created_at 2021_10_18, former_category MALWARE, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006177; classtype:web-application-attack; sid:2006177; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Harvester Group Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/Values_V2/Getting3210"; bsize:26; fast_pattern; http.host; content:".azurewebsites.net"; endswith; http.header_names; content:"|0d 0a|MC|0d 0a|Ath|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia; reference:md5,2578bf48da48c262e4a83e2a9ae47c68; classtype:trojan-activity; sid:2034223; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UNION SELECT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006178; classtype:web-application-attack; sid:2006178; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Actiivty M2"; flow:established,to_server; http.request_line; content:"GET /?opt=put&mq=loader_tx_report"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.uri; content:"&mac="; content:"&pcname="; distance:12; within:8; reference:md5,c52f17b858b143310dc1cb218feca5c8; classtype:command-and-control; sid:2034220; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas INSERT"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006179; classtype:web-application-attack; sid:2006179; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Graphon Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/Values_V1/AuthAsyncComplete_V1?Identity="; fast_pattern; startswith; http.uri.raw; content:"=%3E"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:30; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia; reference:md5,ff81a65150e318c1ffbeaba7a56bb09f; classtype:command-and-control; sid:2034224; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas DELETE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006180; classtype:web-application-attack; sid:2006180; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE [CISA AA21-291A] Possible BlackMatter Ransomware Lateral Movement"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; fast_pattern; detection_filter:track by_src, count 4, seconds 1; classtype:command-and-control; sid:2034225; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family BlackMatter, signature_severity Major, tag Ransomware, updated_at 2021_10_19, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ASCII"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006181; classtype:web-application-attack; sid:2006181; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=swissarny.store"; fast_pattern; classtype:exploit-kit; sid:2034226; rev:1; metadata:created_at 2021_10_19, former_category TROJAN, updated_at 2021_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE"; flow:established,to_server; http.uri; content:"/SelGruFra.asp?"; nocase; content:"txtPas="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6791; reference:url,www.securityfocus.com/bid/21732; reference:url,doc.emergingthreats.net/2006182; classtype:web-application-attack; sid:2006182; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Observed Malicious SSL/TLS Certificate (MagnitudeEK Associated)"; flow:from_server,established; tls.cert_subject; content:"CN=rtpdn14.com"; fast_pattern; classtype:exploit-kit; sid:2034227; rev:1; metadata:created_at 2021_10_19, former_category TROJAN, updated_at 2021_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_if_nexus&"; nocase; content:"controller="; nocase; pcre:"/controller\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10754; reference:url,doc.emergingthreats.net/2010847; classtype:web-application-attack; sid:2010847; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Wireless IP Camera (P2) WIFICAM Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/set_ftp.cgi?"; fast_pattern; content:"loginuse="; content:"next_url=ftp.htm"; content:"loginpas="; reference:url,pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html; classtype:attempted-admin; sid:2030309; rev:4; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, signature_severity Minor, updated_at 2021_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category SELECT"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004053; classtype:web-application-attack; sid:2004053; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan:Win32/Sabsik.FL.B!ml CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|0c 22 38 4e 5a 7b 2d 43 00 00 00 00 00 00 00 00|"; startswith; fast_pattern; content:"//"; distance:0; reference:md5,956e62df6ea59dfc9a459ea85d7bb2eb; classtype:command-and-control; sid:2034229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UNION SELECT"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004054; classtype:web-application-attack; sid:2004054; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Fake AppleWebKit User-Agent Version Number Observed"; flow:established,to_server; http.user_agent; content:"AppleWebKit/"; fast_pattern; byte_test:3,>,605,0,string,dec,relative; reference:url,bugs.webkit.org/show_bug.cgi?id=180365; classtype:bad-unknown; sid:2034228; rev:1; metadata:created_at 2021_10_19, former_category INFO, updated_at 2021_10_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category INSERT"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004055; classtype:web-application-attack; sid:2004055; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.db-ip.com"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034230; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category DELETE"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004056; classtype:web-application-attack; sid:2004056; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"IP retriever"; fast_pattern; bsize:12; http.host; content:"api.ipify.org"; endswith; http.header_names; content:!"Accept"; content:!"Referer"; reference:url,www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/; reference:md5,fbf7ba464d564dbf42699c34b239b73a; classtype:trojan-activity; sid:2034231; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_19, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category ASCII"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004057; classtype:web-application-attack; sid:2004057; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishkit Landing Page M1"; flow:established,to_client; file.data; content:"if|28 21|document|2e|getElementById|28 22|honeypot|22 29 2e|value|29|"; content:"|2e|php"; distance:0; content:"method|3d 22|post|22 20|id|3d 27 5f|form|5f|"; distance:0; content:"enctype|3d 27|multipart|2f|form|2d|data|27|"; fast_pattern; distance:0; content:"placeholder|3d 22|Username|22|"; distance:0; content:"placeholder|3d 22|Password|22|"; distance:0; reference:url,3112bc432450ae3d08a0491ccaaf914d; classtype:credential-theft; sid:2034189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_12, deployment Perimeter, former_category PHISHING, performance_impact Low, signature_severity Minor, updated_at 2021_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE"; flow:established,to_server; http.uri; content:"/category.php?"; nocase; content:"id_category="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-2890; reference:url,www.milw0rm.com/exploits/3981; reference:url,doc.emergingthreats.net/2004058; classtype:web-application-attack; sid:2004058; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M1 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; fast_pattern; content:"<h2>YOUR|20|CART<|2f|h2>"; content:"|20|EXTRA|20|BONUS|22|"; content:"An|20|agent|20|will|20|contact"; classtype:social-engineering; sid:2034232; rev:1; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer SELECT"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004101; classtype:web-application-attack; sid:2004101; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M2 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; fast_pattern; content:"|22|>Upload|20|front|20|"; content:"Driver|20|License|20|ID|28|Bold"; classtype:social-engineering; sid:2034233; rev:1; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UNION SELECT"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004102; classtype:web-application-attack; sid:2004102; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M3 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>New|20|Stimulus|20|payment"; content:"<strong>Wait&nbsp|3b 20|few|20|secs"; fast_pattern; content:"ID|20|to|20|uploaded"; classtype:social-engineering; sid:2034234; rev:2; metadata:created_at 2021_10_21, former_category CURRENT_EVENTS, updated_at 2021_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer INSERT"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004103; classtype:web-application-attack; sid:2004103; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Covid19 Stimulus Payment Phish Inbound M4 (2021-10-21)"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<title>EDD-Detr|20|Government|20|Stimulus"; fast_pattern; content:"|22|>Upload|20|front|20|"; content:"Driver|20|License|20|ID|28|Bold"; classtype:social-engineering; sid:2034235; rev:1; metadata:created_at 2021_10_21, former_category PHISHING, updated_at 2021_10_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer DELETE"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004104; classtype:web-application-attack; sid:2004104; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING TodayZoo Phishing Kit GET M1"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//"; pcre:"/[\w\d]{8}\./Ri"; http.host; content:"|2e|ujsd|2e|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/; classtype:credential-theft; sid:2034250; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ASCII"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"SELECT"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004105; classtype:web-application-attack; sid:2004105; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING TodayZoo Phishing Kit GET M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/"; pcre:"/[\w\d]{8}/Ri"; http.host; content:"|2e|ujsd|2e|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/10/21/franken-phish-todayzoo-built-from-other-phishing-kits/; classtype:credential-theft; sid:2034251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_24, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE"; flow:established,to_server; http.uri; content:"/manufacturer.php?"; nocase; content:"id_manufacturer="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-2959; reference:url,www.securityfocus.com/bid/24223; reference:url,doc.emergingthreats.net/2004106; classtype:web-application-attack; sid:2004106; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING [@Silv0123] Possible Fake Microsoft Office User-Agent Observed"; flow:established,to_server; http.user_agent; content:"Microsoft Office"; startswith; fast_pattern; pcre:"/^[^\x3b\x2f\x28]+$/R"; content:!"2014"; endswith; content:!"Discovery"; endswith; content:!"OneNote"; endswith; reference:url,twitter.com/silv0123/status/1437869745961832455; classtype:bad-unknown; sid:2033960; rev:3; metadata:created_at 2021_09_16, former_category HUNTING, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/_functions.php?"; nocase; content:"GLOBALS[prefix]="; nocase; reference:bugtraq,35103; reference:url,milw0rm.com/exploits/8790; reference:url,doc.emergingthreats.net/2009875; classtype:web-application-attack; sid:2009875; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker Checkin M1"; flow:established,to_server; stream_size:server,<,5; dsize:11; content:"#PRINCIPAL#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034238; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005033; classtype:web-application-attack; sid:2005033; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker Server Response M1"; flow:established,to_client; stream_size:server,<,40; dsize:9; content:"#Convite#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034239; rev:1; metadata:attack_target Client_and_Server, created_at 2021_10_25, former_category MALWARE, malware_family Ousaban, tag Banker, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005034; classtype:web-application-attack; sid:2005034; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker Checkin M2"; flow:established,to_server; stream_size:server,<,40; content:"#ConvitRC#<#>"; startswith; content:"<#>"; distance:0; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005035; classtype:web-application-attack; sid:2005035; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker Server Response M2"; flow:established,to_client; stream_size:server,<,40; content:"#SocketMain#<#>"; startswith; pcre:"/^\d+$/R"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005036; classtype:web-application-attack; sid:2005036; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ousaban Banker KeepAlive"; flow:established,to_client; dsize:9; content:"#ON-LINE#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005037; classtype:web-application-attack; sid:2005037; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ousaban Banker KeepAlive Response"; flow:established,to_server; dsize:11; content:"#strPingOk#"; reference:md5,f2836216ca554dfdc8a300decb644911; reference:url,twitter.com/c3rb3ru5d3d53c/status/1452638349240455176; reference:url,twitter.com/James_inthe_box/status/1452631575976288261; classtype:command-and-control; sid:2034243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category MALWARE, malware_family Ousaban, signature_severity Major, tag Banker, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"c_id="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0765; reference:url,www.milw0rm.com/exploits/3256; reference:url,doc.emergingthreats.net/2005038; classtype:web-application-attack; sid:2005038; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034246; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006615; classtype:web-application-attack; sid:2006615; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"Cylul007 Webshell V 2.0</title>"; fast_pattern; classtype:web-application-attack; sid:2034247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UNION SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006616; classtype:web-application-attack; sid:2006616; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034248; rev:1; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc INSERT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006617; classtype:web-application-attack; sid:2006617; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"MARIJUANA</title>"; fast_pattern; content:"|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"; distance:0; classtype:web-application-attack; sid:2034249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc DELETE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006618; classtype:web-application-attack; sid:2006618; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)"; flow:established,to_server; http.user_agent; content:"Embarcadero URI Client/1.0"; bsize:26; reference:md5,c0e620ed4e96aa1fe8452a3f8b7e2e8d; classtype:bad-unknown; sid:2034244; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category USER_AGENTS, signature_severity Major, tag User_Agent, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc ASCII"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006619; classtype:web-application-attack; sid:2006619; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webhooks/aws"; nocase; fast_pattern; http.request_body; content:"|22|SubscribeURL|22 20 3a 20 22 7c|"; nocase; content:"|22|Signature|22 3a|"; nocase; reference:url,0day.click/recipe/discourse-sns-rce/; reference:cve,2021-41163; classtype:attempted-admin; sid:2034252; rev:1; metadata:attack_target Server, created_at 2021_10_25, cve CVE_2021_41163, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_doc="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006620; classtype:web-application-attack; sid:2006620; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zoom.us Phish 2021-10-25"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.location; content:"https://static.zoom.us"; bsize:22; fast_pattern; reference:md5,eb5994afdc8da491c862867784956a5b; classtype:credential-theft; sid:2034245; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006621; classtype:web-application-attack; sid:2006621; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 ClumsyCover Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session/downexlog/cdfd/"; fast_pattern; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034884; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UNION SELECT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006622; classtype:web-application-attack; sid:2006622; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/WinDealer CnC Activity (Checkin)"; dsize:<200; content:"|06 81 da 91 ce c7 9f 43|"; startswith; fast_pattern; content:"|14 00|"; distance:4; within:4; reference:url,blogs.jpcert.or.jp/en/2021/10/windealer.html; reference:md5,5a7a90ceb6e7137c753d8de226fc7947; classtype:trojan-activity; sid:2034254; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut INSERT"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006623; classtype:web-application-attack; sid:2006623; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN FTPSync Settings Disclosure Attempt"; flow:to_server,established; http.uri; content:"/ftpsync.settings"; fast_pattern; endswith; reference:url,github.com/NoxArt/SublimeText2-FTPSync; classtype:attempted-recon; sid:2034253; rev:2; metadata:created_at 2021_10_26, former_category SCAN, updated_at 2021_10_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut DELETE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006624; classtype:web-application-attack; sid:2006624; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Shiro 1.2.4 Cookie RememberME Deserial RCE (CVE-2016-4437)"; flow:established,to_server; http.cookie; content:"rememberMe="; startswith; fast_pattern; bsize:>125; reference:url,issues.apache.org/jira/browse/SHIRO-550; reference:cve,2016-4437; classtype:attempted-admin; sid:2034256; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2016_4437, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut ASCII"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006625; classtype:web-application-attack; sid:2006625; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 37777 (msg:"ET EXPLOIT Amcrest Camera and NVR Buffer Overflow Attempt (CVE-2020-5735)"; flow:established,to_server; http.cookie; content:"|62 00 00 00|"; startswith; content:"Protocol|3a 20|"; distance:0; fast_pattern; content:"|0d 0a|"; distance:200; reference:url,www.exploit-db.com/exploits/48304; reference:cve,2016-4437; reference:cve,2020-5735; classtype:attempted-admin; sid:2034257; rev:2; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_5735, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE"; flow:established,to_server; http.uri; content:"/dettaglio.asp?"; nocase; content:"id_aut="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6414; reference:url,www.securityfocus.com/bid/21463; reference:url,doc.emergingthreats.net/2006626; classtype:web-application-attack; sid:2006626; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8983 (msg:"ET EXPLOIT Apache Solr RCE via Velocity Template M1 (CVE-2019-17558)"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; content:"/solr/test/config"; nocase; endswith; http.request_body; content:"solr.VelocityResponseWriter"; nocase; fast_pattern; content:"params.resource.loader.enabled"; nocase; pcre:"/[^\r\n]*true/Ri"; reference:url,www.exploit-db.com/exploits/48338; reference:cve,2019-17558; classtype:attempted-admin; sid:2034258; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_17558, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 resetcore.php SQL Injection attempt"; flow:to_server,established; http.uri; content:"/resetcore.php?"; nocase; pcre:"/a_name='/i"; reference:bugtraq,15125; reference:url,doc.emergingthreats.net/2002663; classtype:web-application-attack; sid:2002663; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8983 (msg:"ET EXPLOIT Apache Solr RCE via Velocity Template M2 (CVE-2019-17558)"; flow:established,to_server; http.method; content:"GET"; bsize:3; http.uri; content:"/select"; nocase; endswith; content:"wt=velocity"; nocase; distance:0; content:"v.template=custom"; nocase; content:"v.template.custom="; nocase; fast_pattern; reference:url,www.exploit-db.com/exploits/48338; reference:cve,2019-17558; classtype:attempted-admin; sid:2034259; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_17558, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 BLOG Engine macgurublog.php uid Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/macgurublog.php?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,29344; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008788; classtype:web-application-attack; sid:2008788; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8080 (msg:"ET EXPLOIT Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution (CVE-2020-12133)"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; pcre:"/\x2f(?:FURUKAWA|APROS)\x2f/i"; http.request_body; content:"javax.faces.ViewState"; nocase; fast_pattern; content:"|3a|"; distance:0; content:"|22|"; distance:0; reference:url,packetstormsecurity.com/files/157383/Furukawa-Electric-ConsciusMAP-2.8.1-Java-Deserialization-Remote-Code-Execution.html; reference:cve,2020-12133; classtype:attempted-admin; sid:2034260; rev:2; metadata:created_at 2021_10_27, cve CVE_2020_12133, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lyrics_song.php?"; nocase; content:"l_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32477/; reference:url,milw0rm.com/exploits/6885; reference:url,doc.emergingthreats.net/2008813; classtype:web-application-attack; sid:2008813; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] 8090 (msg:"ET EXPLOIT Confluence Server Path Traversal Vulnerability (CVE-2019-3398)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"plugins/drag-and-drop/upload.action"; nocase; fast_pattern; content:"draftId="; nocase; distance:0; content:"filename="; nocase; content:"/shell.jsp"; nocase; content:"atl_token"; nocase; http.request_body; content:"<%"; reference:url,github.com/superevr/cve-2019-3398/blob/master/poc.py; reference:cve,2019-3398; classtype:attempted-admin; sid:2034261; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2019_3398, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/123flashchat.php?"; nocase; content:"e107path="; nocase; reference:url,xforce.iss.net/xforce/xfdb/41867; reference:url,secunia.com/advisories/29870; reference:url,milw0rm.com/exploits/5459; reference:url,doc.emergingthreats.net/2009436; classtype:web-application-attack; sid:2009436; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M1 (CVE-2020-3452)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/translation-table?"; nocase; fast_pattern; content:"type=mst"; content:"textdomain="; content:"&lang="; content:"|2e 2e|"; reference:url,twitter.com/aboul3la/status/1286012324722155525; reference:cve,2020-3452; classtype:attempted-admin; sid:2034262; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_3452, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eFiction toplists.php list Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/toplists.php?"; nocase; content:"list="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/30606/; reference:url,milw0rm.com/exploits/5785; reference:url,doc.emergingthreats.net/2009227; classtype:web-application-attack; sid:2009227; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA and Firepower Path Traversal Vulnerability M2 (CVE-2020-3452)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oem-customization?"; nocase; fast_pattern; content:"app=AnyConnect"; nocase; content:"type=oem"; nocase; content:"platform="; nocase; content:"resource-type="; nocase; content:"name="; nocase; content:"|2e 2e|"; reference:url,twitter.com/aboul3la/status/1286141887716503553; reference:cve,2020-3452; classtype:attempted-admin; sid:2034263; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2020_3452, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/libraries/database.php?"; nocase; content:"="; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36411/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009932; classtype:web-application-attack; sid:2009932; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (magento-plugin .com)"; dns.query; content:"magento-plugin.com"; nocase; bsize:18; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034264; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005925; classtype:web-application-attack; sid:2005925; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (cdn-cgi .net)"; dns.query; content:"cdn-cgi.net"; nocase; bsize:11; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034265; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UNION SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005926; classtype:web-application-attack; sid:2005926; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Recaptcha Magecart Skimmer Domain in DNS Lookup (trustdomains .net)"; dns.query; content:"trustdomains.net"; nocase; bsize:16; reference:url,twitter.com/MBThreatIntel/status/1452690744544665601; classtype:domain-c2; sid:2034266; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did INSERT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005927; classtype:web-application-attack; sid:2005927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/loadercrypt_"; startswith; fast_pattern; content:".php?vid="; distance:32; within:9; isdataat:171,relative; http.user_agent; content:"Mozilla/5.0|20|(Windows|20|NT|20|6.1)|20|AppleWebKit/587.38"; bsize:47; reference:url,twitter.com/malwrhunterteam/status/1452992872928661512; reference:md5,aa1add403d79f0ae38f8b0aed2fcb0c2; classtype:trojan-activity; sid:2034267; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_10_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did DELETE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005928; classtype:web-application-attack; sid:2005928; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (liveupdatedriver .com)"; dns.query; dotprefix; content:".liveupdatedriver.com"; nocase; endswith; reference:url,twitter.com/kyleehmke/status/1453352660766269451; classtype:domain-c2; sid:2034268; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did ASCII"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005929; classtype:web-application-attack; sid:2005929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected Middle East Threat Group Domain in DNS Lookup (dnsnamefinder .com)"; dns.query; dotprefix; content:".dnsnamefinder.com"; nocase; endswith; reference:url,twitter.com/kyleehmke/status/1453352660766269451; classtype:domain-c2; sid:2034269; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"did="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005930; classtype:web-application-attack; sid:2005930; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vid="; content:"|2d 27 20|AND|20 28|SELECT|20|"; content:"|28|SELECT|28|SLEEP|28 5b|SLEEPTIME|5d 29 29 29 2d 2d|"; distance:9; fast_pattern; reference:url,"vulnerability-lab.com/get_content.php?id=2295"; classtype:trojan-activity; sid:2034270; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_27, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005931; classtype:web-application-attack; sid:2005931; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/session-error-active/"; content:"/config/?id="; fast_pattern; distance:0; content:"&ath="; distance:0; reference:md5,3a95182c1461c1f396795b328e879e4b; classtype:credential-theft; sid:2034273; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005932; classtype:web-application-attack; sid:2005932; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PHP Melody v3.0 SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?vid="; content:"UNION|20|ALL|20|SELECT|20|NULL|2c|NULL|2c|NULL|2c|NULL|2c|NULL|2c|NULL"; fast_pattern; distance:0; reference:url,"vulnerability-lab.com/get_content.php?id=2295"; classtype:trojan-activity; sid:2034271; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_10_27, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid INSERT"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005933; classtype:web-application-attack; sid:2005933; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/session-error-active/"; content:"/config/connect.php?id="; fast_pattern; distance:0; content:"&ath="; distance:0; http.request_body; content:"&profile.long_session="; distance:0; reference:md5,3a95182c1461c1f396795b328e879e4b; classtype:credential-theft; sid:2034274; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid DELETE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005934; classtype:web-application-attack; sid:2005934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"url|3d 25|25"; fast_pattern; distance:0; content:"&mb_id="; distance:0; content:"&mb_password="; distance:0; reference:md5,9939c621f58183455bf56914c3957e51; classtype:credential-theft; sid:2034272; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_27, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_10_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid ASCII"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005935; classtype:web-application-attack; sid:2005935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IP Phones Web Server Vulnerability (CVE-2020-3161)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/deviceconfig/setActivationCode?params="; nocase; fast_pattern; isdataat:150,relative; reference:url,github.com/tenable/poc/blob/master/cisco/ip_phone/cve_2020_3161.txt; reference:cve,2020-3161; classtype:attempted-admin; sid:2034277; rev:1; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2020_3161, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE"; flow:established,to_server; http.uri; content:"/mod.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6873; reference:url,www.milw0rm.com/exploits/3004; reference:url,doc.emergingthreats.net/2005936; classtype:web-application-attack; sid:2005936; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco RV320/RV325 RCE (CVE-2019-1653)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"certificate_handle2.htm"; nocase; fast_pattern; http.request_body; content:"page=self_generator.htm"; nocase; content:"common_name="; pcre:"/[^\r\n]*(?:\x60|\x24|\x7c|\bsh\b)/Ri"; reference:url,www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection; reference:cve,2019-1653; classtype:attempted-admin; sid:2034278; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_10_28, cve CVE_2019_1653, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion"; flow:to_server,established; content:"../"; http.uri; content:"/index_inc.php?"; nocase; content:"inc_ordner="; nocase; reference:url,secunia.com/advisories/33927/; reference:bugtraq,33774; reference:url,milw0rm.com/exploits/8052; reference:url,doc.emergingthreats.net/2009224; classtype:web-application-attack; sid:2009224; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DIR-825 R1 Web Interface RCE (CVE-2020-29557)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_browser?lang="; nocase; fast_pattern; isdataat:100,relative; reference:url,shaqed.github.io/dlink/; reference:cve,2020-29557; classtype:attempted-admin; sid:2034280; rev:1; metadata:created_at 2021_10_28, cve CVE_2020_29557, former_category EXPLOIT, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/3rdparty/adminpart/add3rdparty.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008849; classtype:web-application-attack; sid:2008849; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 2 Inbound - Upload Malicious Config (CVE-2020-8260)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-admin/cached/config/import.cgi"; http.referer; content:"/dana-admin/cached/config/config.cgi?type=system"; fast_pattern; xbits:isset,ET.2020_8260.1,track ip_src,expire 10; xbits:set,ET.2020_8260.2,track ip_src,expire 10; noalert; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033751; rev:2; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/polling/adminpart/addpolling.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008850; classtype:web-application-attack; sid:2008850; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Chain Stage 1 Inbound - Request Config Backup (CVE-2020-8260)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-admin/cached/config/config.cgi?type=system"; fast_pattern; xbits:set,ET.2020_8260.1,track ip_src,expire 10; noalert; reference:url,packetstormsecurity.com/files/160619/Pulse-Secure-VPN-Remote-Code-Execution.html; reference:cve,2020-8260; classtype:attempted-admin; sid:2033750; rev:2; metadata:affected_product Pulse_Secure, attack_target Server, created_at 2021_08_20, cve CVE_2020_8260, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/contact/adminpart/addcontact.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008851; classtype:web-application-attack; sid:2008851; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TinyNuke VNC Checkin"; flow:established,to_server; dsize:7; content:"MELTED|00|"; fast_pattern; reference:url,app.any.run/tasks/cad45c57-d1fd-4e3b-9e1f-4e6742affb56/; reference:md5,e82aae34a54d0398bd099a0c33db9266; reference:url,twitter.com/Jane_0stin/status/1453441977014497280; classtype:trojan-activity; sid:2034281; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family TinyNuke, signature_severity Major, tag RAT, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/brandnews/adminpart/addbrandnews.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008852; classtype:web-application-attack; sid:2008852; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed CloudAtlas APT Related Domain (checklicensekey .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"checklicensekey.com"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:domain-c2; sid:2034282; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/newsletter/adminpart/addnewsletter.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008853; classtype:web-application-attack; sid:2008853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE CloudAtlas APT Related CnC Domain in DNS Lookup (checklicensekey .com)"; dns.query; content:"checklicensekey.com"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:domain-c2; sid:2034283; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/game/adminpart/addgame.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008854; classtype:web-application-attack; sid:2008854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CloudAtlas APT Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dotm"; endswith; http.host; content:"checklicensekey.com"; fast_pattern; bsize:19; reference:url,twitter.com/h2jazi/status/1453748348964548617; reference:md5,1060678d61ea5152283be60df2472b6f; classtype:trojan-activity; sid:2034284; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/tour/adminpart/addtour.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008855; classtype:web-application-attack; sid:2008855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Sabsik Config Downloader"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_body; content:"|24|url|3d 22|http|3a 2f 2f|"; startswith; content:"|2e|txt|22 3b 0d 0a 24|web|20 3d 20|New|2d|Object|20|System|2e|Net|2e|WebClient|3b|"; distance:0; within:63; fast_pattern;  reference:md5,49eb944fb7f86a9d6649c6a190c782e8; classtype:trojan-activity; sid:2034288; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/articles/adminpart/addarticles.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008856; classtype:web-application-attack; sid:2008856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DonotGroup Maldoc Related Domain (digitalresolve .live in TLS SNI)"; flow:established,to_server; tls.sni; content:"digitalresolve.live"; bsize:19; fast_pattern; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034285; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/product/adminpart/addproduct.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008857; classtype:web-application-attack; sid:2008857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Maldoc Related Domain in DNS Lookup (digitalresolve .live)"; dns.query; content:"digitalresolve.live"; nocase; bsize:19; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:domain-c2; sid:2034286; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/plain/adminpart/addplain.php?"; nocase; content:"module="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32180; reference:url,milw0rm.com/exploits/7031; reference:url,doc.emergingthreats.net/2008858; classtype:web-application-attack; sid:2008858; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_09;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Application.ThunderN.A Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|1b 00 0c|"; startswith; content:"Startup102_embedding|ea 03 01 00 00 00|"; endswith; fast_pattern; reference:md5,1f1ef30f55a9b69bf0b8706e479beca0; classtype:command-and-control; sid:2034275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/e-pay/src/a_affil.php?"; nocase; content:"_REQUEST[read]="; nocase; pcre:"/_REQUEST\[read\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10697; reference:url,doc.emergingthreats.net/2010661; classtype:web-application-attack; sid:2010661; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; urilen:80<>90; http.method; content:"GET"; http.host; content:"digitalresolve.live"; bsize:19; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,c531319309db1a034936e245f6414959; reference:url,twitter.com/h2jazi/status/1453763622593826825; reference:url,twitter.com/HONKONE_K/status/1453659791625056261; classtype:trojan-activity; sid:2034287; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which SELECT"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007374; classtype:web-application-attack; sid:2007374; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed ApoioViewer Remote Access Tool  Domain (apoioviewer .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"apoioviewer.com"; bsize:15; fast_pattern; reference:md5,b27ede7c569f27d96c66b4d3c7a84a95; classtype:policy-violation; sid:2034276; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_28, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_10_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UNION SELECT"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007375; classtype:web-application-attack; sid:2007375; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE slock Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/slock.php?ip="; fast_pattern; content:"&&user="; distance:0; content:"&&host="; distance:0; content:"&&domain="; distance:0; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|10|2e|0|3b 20|WOW64|3b 20|Trident|2f|7|2e|0|3b 20|rv|3a|11|2e|0|29 20|like|20|Gecko"; bsize:69; reference:md5,45a430e2bcba867f4d8a537354a98a73; classtype:command-and-control; sid:2034291; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which INSERT"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007376; classtype:web-application-attack; sid:2007376; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casbaneiro CnC Host Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?AT="; fast_pattern; content:"Microsoft Windows"; distance:0; content:"&MD="; distance:0; content:!"&"; distance:0; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,6716f7a0e6f96617c9ba4b47ff9f41eb; classtype:trojan-activity; sid:2034292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Casbaneiro, performance_impact Low, signature_severity Major, tag Banker, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which DELETE"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007377; classtype:web-application-attack; sid:2007377; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (croperdate .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"croperdate.com"; bsize:14; fast_pattern; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; reference:md5,67c916ed405a3163d19f7642734d94be; classtype:domain-c2; sid:2034302; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which ASCII"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007378; classtype:web-application-attack; sid:2007378; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (kaslose .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"kaslose.com"; bsize:11; fast_pattern; reference:md5,0b10e6fe7db4421f4807e08bd3b5982a; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; classtype:domain-c2; sid:2034303; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE"; flow:established,to_server; http.uri; content:"/index1.asp?"; nocase; content:"which="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6117; reference:url,www.milw0rm.com/exploits/2829; reference:url,doc.emergingthreats.net/2007379; classtype:web-application-attack; sid:2007379; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (cdnwin .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"cdnwin.xyz"; bsize:10; fast_pattern; reference:url,thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/; classtype:domain-c2; sid:2034304; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_10_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat SELECT"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007380; classtype:web-application-attack; sid:2007380; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"from=CIA"; startswith; content:"|26|body|3d|Your|20|Subject|20|is|20|Online|20 3a|P|20|Victim|20|Name|3a 20|"; fast_pattern; content:"Clients|20|Conneted|3a 20|"; distance:0; reference:md5,7055137624d83f3c6025caf1e62e85f6; classtype:command-and-control; sid:2034293; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UNION SELECT"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007381; classtype:web-application-attack; sid:2007381; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Ciadoor.10.UPX CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?action=log&ip="; content:"&usrname="; distance:0; content:"&server=C|2e|I|2e|A"; distance:0; fast_pattern; reference:md5,7055137624d83f3c6025caf1e62e85f6; classtype:command-and-control; sid:2034294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat INSERT"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007382; classtype:web-application-attack; sid:2007382; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (Microsoft-ATL-Native/9.00)"; flow:established,to_server; http.user_agent; content:"Microsoft-ATL-Native/9.00"; bsize:25; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:bad-unknown; sid:2034296; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat DELETE"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007383; classtype:web-application-attack; sid:2007383; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Systweak Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a 20 22|http://tempuri.org/IsUserAuthenticated|22 0d 0a|"; http.request_body; content:"<sUsername>"; content:"</sUsername><sPassword>"; distance:0; fast_pattern; content:"</sPassword><sMacId>"; distance:0; content:"</sMacId><refno>"; distance:0; reference:md5,cb5de25d798ed63a781926c903317f70; classtype:pup-activity; sid:2034297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat ASCII"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007384; classtype:web-application-attack; sid:2007384; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (urlRequest)"; flow:established,to_server; http.user_agent; content:"urlRequest"; bsize:10; reference:md5,988fbcfeebf2a49af4072030dead68f9; classtype:bad-unknown; sid:2034298; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Minor, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE"; flow:established,to_server; http.uri; content:"/default2.asp?"; nocase; content:"kat="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6116; reference:url,www.milw0rm.com/exploits/2830; reference:url,doc.emergingthreats.net/2007385; classtype:web-application-attack; sid:2007385; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - GetTasks Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//get-tasks.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|HWID|0d 0a|Host|0d 0a 0d 0a|"; bsize:16; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034299; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007386; classtype:web-application-attack; sid:2007386; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Kryptik.HNBU CryptoMiner - Report Request"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//report.php"; endswith; http.header; content:"IPINFO|3a 20 7b 22|status|22 3a 22|"; fast_pattern; http.header_names; content:"|0d 0a|UN|0d 0a|MN|0d 0a|"; reference:md5,c81af89afb924196c0a9f50bce4df130; classtype:command-and-control; sid:2034300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"UNION"; nocase; pcre:"/.+UNION\s+SELECT/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007387; classtype:web-application-attack; sid:2007387; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Google Chrome Notifications Installer"; flow:established,to_client; http.response_body; content:"|28|function|20 28 29|"; startswith; content:"callbackName|3a 20 27|onSubInit|27|"; distance:0; content:"workerName|3a 20 27|"; distance:0; content:"serverUrl|3a 20 27|"; distance:0; content:"applicationServerKey|3a 20|"; distance:0; content:"cookieNameS|3a 20 27|notify|2d|p|27|"; fast_pattern; distance:0;  reference:url,rapid7.com/blog/post/2021/10/28/sneaking-through-windows-infostealer-malware-masquerades-as-windows-application; reference:md5,45602bfa86ee9a5e31758a24a0d5cd08; classtype:trojan-activity; sid:2034307; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007388; classtype:web-application-attack; sid:2007388; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NO Checkin"; flow:established,to_server; stream_size:server,<,5; dsize:76; content:"MB|00 00|"; offset:32; depth:9; content:"|32 2e 32 d5 fd ca bd b0 e6 00 00 00|"; endswith; fast_pattern; reference:md5,e09e70ae301e0816355ad0bfa0ab8707; classtype:command-and-control; sid:2034301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007389; classtype:web-application-attack; sid:2007389; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP SecureDriverUpdater Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/driverupdateservicenewsdu/updateservice.asmx"; bsize:45; http.header; content:"SOAPAction|3a 20 22|http://systweak.com/GetDriverUpdatesData1|22 0d 0a|"; fast_pattern; reference:md5,783aef84f5b315704ff6b064a00e2573; classtype:pup-activity; sid:2034295; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2021_10_29, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"ASCII"; nocase; pcre:"/.+ASCII\(.+SELECT/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007390; classtype:web-application-attack; sid:2007390; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Retrieving Commands)"; flow:established,to_server; http.request_line; content:"GET|20|/console.php|20|HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:34; reference:md5,c028d598f8ba842bc03631f92bc6f242; reference:url,twitter.com/malwrhunterteam/status/1454160943471079425; classtype:trojan-activity; sid:2034305; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"fid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2006-6115; reference:url,www.milw0rm.com/exploits/2828; reference:url,doc.emergingthreats.net/2007391; classtype:web-application-attack; sid:2007391; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.UWW Variant Activity (Sending System Information)"; flow:established,to_server; http.request_line; content:"POST|20|/console.php|20|HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0"; bsize:11; http.request_body; content:"FROM|20|"; startswith; content:"User|20|accounts|20|for"; content:"Directory|20|of|20|"; http.header_names; content:!"Referer"; reference:md5,c028d598f8ba842bc03631f92bc6f242; reference:url,twitter.com/malwrhunterteam/status/1454160943471079425; classtype:trojan-activity; sid:2034306; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_10_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid SELECT"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; pcre:"/.+SELECT.+FROM/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004108; classtype:web-application-attack; sid:2004108; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)"; dns.query; content:"transfer.sh"; nocase; bsize:11; classtype:bad-unknown; sid:2034316; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid INSERT"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004110; classtype:web-application-attack; sid:2004110; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PinkBot CnC Domain in DNS Lookup (cnc .pinklander .com)"; dns.query; content:"cnc.pinklander.com"; nocase; bsize:18; reference:url,blog.netlab.360.com/pink-en/; classtype:domain-c2; sid:2034317; rev:1; metadata:attack_target IoT, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid DELETE"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; pcre:"/.+DELETE.+FROM/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004111; classtype:web-application-attack; sid:2004111; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Sabsik.FL.B!ml Checkin"; flow:established,to_server; content:"|02|"; startswith; content:"|05 4c 41 75 74 6f 20 28|"; offset:5; depth:8; fast_pattern; content:"|29|"; distance:0; isdataat:!30,relative; reference:md5,0792e225ebae5021f0dd6c333026ee00; classtype:command-and-control; sid:2034313; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; pcre:"/.+UPDATE.+SET/i"; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004113; classtype:web-application-attack; sid:2004113; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Lantern Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getlantern/data?action=startup&deviceID="; startswith; fast_pattern; content:"&goarch="; distance:0; content:"&osName="; distance:0; content:"&secret="; distance:0; reference:md5,0d79f6cae6898ab27f2df1740aedbbec; classtype:pup-activity; sid:2034314; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, updated_at 2021_11_01, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005807; classtype:web-application-attack; sid:2005807; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005808; classtype:web-application-attack; sid:2005808; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Cookie SQLi (CVE-2020-9465)"; flow:established,to_server; http.uri; content:"/login.php"; endswith; fast_pattern; http.cookie; content:"user_id="; nocase; startswith; pcre:"/^[^\r\n=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-9465; classtype:attempted-admin; sid:2034309; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_9465, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id INSERT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005804; classtype:web-application-attack; sid:2005804; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_09;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Generate API Key SQLi (CVE-2020-8656)"; flow:established,to_server; http.uri; content:"/eonapi/getApiKey"; fast_pattern; content:"username="; nocase; startswith; pcre:"/^[^&=]*(?:union|select)/Ri"; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8657; reference:cve,2020-8656; classtype:attempted-admin; sid:2034310; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8656, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id DELETE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005806; classtype:web-application-attack; sid:2005806; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT EyesOfNetwork Autodiscover Command Injection (CVE-2020-8654)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/lilac/autodiscovery.php"; endswith; fast_pattern; http.request_body; content:"request=autodiscover"; nocase; content:"job_name="; nocase; content:"nmap_binary"; nocase; content:"target[]"; nocase; content:"os.execute("; nocase; reference:url,www.exploit-db.com/exploits/48169; reference:cve,2020-8654; reference:cve,2020-8655; classtype:attempted-admin; sid:2034311; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_8654, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id ASCII"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005809; classtype:web-application-attack; sid:2005809; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/eurekaservice/fetchLogFiles"; endswith; fast_pattern; http.request_body; content:"instanceId"; nocase; content:"logLevel"; nocase; content:"logFileNameList"; nocase; content:"|2e 2e|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; reference:cve,2020-4430; classtype:attempted-admin; sid:2034312; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_4430, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005810; classtype:web-application-attack; sid:2005810; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/PSW.Agent_AGen.A Data Exfil"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; content:!"-"; distance:0; http.user_agent; content:"GRequests/0.10"; bsize:14; http.request_body; content:"|5c 5c 2f|arch|2e|zip|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|PK|03 04|"; reference:md5,662002d61f1aebd64fc204ce40fd65f2; classtype:command-and-control; sid:2034315; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005811; classtype:web-application-attack; sid:2005811; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/languages/mode"; fast_pattern; content:".php?user="; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UNION SELECT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005812; classtype:web-application-attack; sid:2005812; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish Activity POST"; flow:established,to_server; http.method; content: "POST"; http.referer; content:"/wp-content/languages/mode"; fast_pattern; http.uri; content:".php"; endswith; http.request_body; content:"user="; content:"&amount="; content:"&submit="; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie INSERT"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005813; classtype:web-application-attack; sid:2005813; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - add-on"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add-on/"; nocase; fast_pattern; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034330; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie DELETE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005814; classtype:web-application-attack; sid:2005814; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT GoCD Authentication Bypass URI Path - add-on"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/add-on/"; nocase; fast_pattern; content:"pluginName="; content:"|2e 2e 2f|"; distance:0; within:5; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034331; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ASCII"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005815; classtype:web-application-attack; sid:2005815; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Possible GoCD Authentication Bypass URI Path - cruise_config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cruise_config"; nocase; fast_pattern; flowbits:set,ET.gocd.auth; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034332; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category INFO, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE"; flow:established,to_server; http.uri; content:"/display_review.php?"; nocase; content:"user_login_cookie="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0133; reference:url,www.frsirt.com/english/advisories/2007/0056; reference:url,doc.emergingthreats.net/2005816; classtype:web-application-attack; sid:2005816; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT GoCD Authentication Bypass Successful Leak"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"agentAutoRegisterKey="; nocase; fast_pattern; content:"webhookSecret="; nocase; content:" tokenGenerationKey="; nocase; flowbits:isset,ET.gocd.auth; reference:url,blog.sonarsource.com/gocd-pre-auth-pipeline-takeover; classtype:attempted-admin; sid:2034333; rev:1; metadata:attack_target Server, created_at 2021_11_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id SELECT"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005817; classtype:web-application-attack; sid:2005817; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Debit Card or Check Data Exfil"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|d5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034329; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005818; classtype:web-application-attack; sid:2005818; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Direct Deposit Payment Data Exfil"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|b5.php|22|"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034327; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id INSERT"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005819; classtype:web-application-attack; sid:2005819; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Payment Credential Phish Form"; flow:established,to_client; http.stat_code; content: "200"; file.data; content:"Internal Revenue Service"; nocase; distance:0; content:".php"; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; fast_pattern; distance:0; content:"id|3d 22|edit|2d|submit|2d|pup|2d|efile|2d|provider|2d|search|22|"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id DELETE"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005820; classtype:web-application-attack; sid:2005820; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible MalDoc Retrieving Payload 2021-11-01"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dat"; endswith; pcre:"/\/(?:[0-9]{2,8}\.)?[0-9]{4,16}\.dat$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.2|3b 20|WOW64|3b 20|Trident/8.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET|20|CLR|20|2.0.50727|3b 20|.NET|20|CLR|20|3.0.30729|3b 20|.NET|20|CLR|20|3.5.30729|3b 20|InfoPath.3)"; fast_pattern; bsize:162; http.header_names; content:!"Referer";  reference:md5,8eb1525db6bdadce7dae53b15f544bd2; classtype:trojan-activity; sid:2034464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ASCII"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005821; classtype:web-application-attack; sid:2005821; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual CnC Activity"; flow:established,to_server; urilen:<50; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]+/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"vl="; startswith; pcre:"/^[0-9D]+$/R"; reference:md5,b0ab12a5a4c232c902cdeba421872c37; classtype:command-and-control; sid:2034325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag TA450, updated_at 2021_11_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE"; flow:established,to_server; http.uri; content:"/compare_product.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0132; reference:url,www.milw0rm.com/exploits/3083; reference:url,doc.emergingthreats.net/2005822; classtype:web-application-attack; sid:2005822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows VBScript Engine VbsErase Memory Corruption (CVE-2019-0667)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"Class|20|"; pcre:"/^(?P<class>[A-Z0-9_-]{1,20})\s*.*?(?P<var>[A-Z0-9_-]{1,15})\s*=\s*(?:&amp\x3b|0x|\\x|&?h)*\d{8}\s*.*?(?:ReDim|Dim)\s*(?P=var)\(\d{4,20}\).*?set\s*(?P=var)\(\d+\)\s*=\s*new\s*(?P=class).*?Erase\s*(?P=var).*?Erase\s*(?P=var)/Rsi"; content:"Erase|20|"; fast_pattern; content:"Dim|20|"; reference:cve,2019-0667; classtype:attempted-admin; sid:2033733; rev:4; metadata:attack_target Server, created_at 2021_08_13, cve CVE_2019_0667, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005823; classtype:web-application-attack; sid:2005823; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Suspicious PHP UNZIP Tool Accessed on External Possibly Compromised Server"; flow:established,to_client; file_data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005824; classtype:web-application-attack; sid:2005824; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Suspicious PHP UNZIP Tool Accessed on Internal Possibly Compromised Server"; flow:established,to_client; file.data; content:"<head><title>PHP UnZIP"; nocase; fast_pattern; content:"<div class=|22|header|22|>PHP UnZIP!!!</div>"; classtype:web-application-attack; sid:2034337; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005825; classtype:web-application-attack; sid:2005825; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Windows Defender"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"reg|20|delete|20 22|HKLM|5c|Software|5c|Policies|5c|Microsoft|5c|Windows|20|Defender|22 20 2f|f"; distance:0; fast_pattern;  classtype:trojan-activity; sid:2034338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005826; classtype:web-application-attack; sid:2005826; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded .bat Disables Real Time Monitoring"; flow:established,to_client; http.content_type; content:"application/x-msdos-program"; file.data; content:"@echo off"; startswith; content:"powershell.exe Set-MpPreference -DisableRealtimeMonitoring|20 24|true"; within:66; fast_pattern;  classtype:trojan-activity; sid:2034339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005827; classtype:web-application-attack; sid:2005827; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT-C-59 Related Domain in DNS Lookup"; dns.query; content:"itoxtlthpw.com"; nocase; bsize:14; reference:url,otx.alienvault.com/pulse/61811ddc259f23fdd630e196; classtype:domain-c2; sid:2034334; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, malware_family apt_c_59, signature_severity Major, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0130; reference:url,www.milw0rm.com/exploits/3082; reference:url,doc.emergingthreats.net/2005828; classtype:web-application-attack; sid:2005828; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; http.header; content:"|28 29 20 7b|"; fast_pattern; content:"bash|20 2d|c"; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/gallery_show.asp?"; nocase; content:"GID="; nocase; pcre:"/(\?|&)GID=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt; reference:url,doc.emergingthreats.net/2010608; classtype:web-application-attack; sid:2010608; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed Connection Manager Administration Kit (cmdl32.exe) User-Agent"; flow:established,to_server; http.user_agent; content:"Microsoft(R) Connection Manager Vpn File Update"; bsize:47; reference:url,twitter.com/ElliotKillick/status/1455897435063074824; reference:url,www.hexacorn.com/blog/2017/04/30/the-archaeologologogology-3-downloading-stuff-with-cmdln32; classtype:policy-violation; sid:2034335; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS icash Click&BaneX user_menu.asp ID parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/user_menu.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/7484; reference:bugtraq,32856; reference:url,doc.emergingthreats.net/2008997; classtype:web-application-attack; sid:2008997; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - GET"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Vv/"; fast_pattern; startswith; pcre:"/\.(dll|exe|zip|json)$/i"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/tools/filemanager/skins/mobile/admin1.template.php?"; nocase; content:"net2ftp_globals[application_skinsdir]="; nocase; pcre:"/net2ftp_globals\[application_skinsdir\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,packetstorm.foofus.com/1003-exploits/ispcp-rfi.txt; reference:bugtraq,38644; reference:url,doc.emergingthreats.net/2010979; classtype:web-application-attack; sid:2010979; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST"; flow:established,to_server; http.request_line; content:"POST /log HTTP/1.1"; fast_pattern; startswith; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor SELECT"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004840; classtype:web-application-attack; sid:2004840; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus Related Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/details.php?image="; fast_pattern; content:".PRJ"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1455489336850325519; reference:md5,606695bae4f0eb5ba0f35b8897b9f57a; classtype:trojan-activity; sid:2034342; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_04, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UNION SELECT"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004841; classtype:web-application-attack; sid:2004841; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt STrike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /EbhM HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0|20|(compatible|3b 20|MSIE|20|9.0|3b 20|Windows|20|NT|20|6.0|3b 20|Trident/5.0)"; bsize:63; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,72dac7c7f9c50d8ab420acb75132f631; reference:url,twitter.com/BlackLotusLabs/status/1456314419215020043; classtype:trojan-activity; sid:2034346; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor INSERT"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004842; classtype:web-application-attack; sid:2004842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /9Wla HTTP/1.1"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,ac45cc9b586d30836bb2997745a5208e; reference:url,twitter.com/malwrhunterteam/status/1455885521905934339; classtype:trojan-activity; sid:2034347; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor DELETE"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004843; classtype:web-application-attack; sid:2004843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SolarMarker Backdoor Related Domain in DNS Lookup (noelfpar .com)"; dns.query; content:"noelfpar.com"; nocase; bsize:12; reference:url,twitter.com/MBThreatIntel/status/1456395490820440065; classtype:domain-c2; sid:2034348; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor ASCII"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004844; classtype:web-application-attack; sid:2004844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (google-play .serveftp .com)"; dns.query; content:"google-play.serveftp.com"; nocase; bsize:24; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:targeted-activity; sid:2034349; rev:1; metadata:attack_target Mobile_Client, created_at 2021_11_05, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE"; flow:established,to_server; http.uri; content:"/install.php?"; nocase; content:"bgcolor="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1073; reference:url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded; reference:url,doc.emergingthreats.net/2004845; classtype:web-application-attack; sid:2004845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (bitsadmin .ddns .net)"; dns.query; content:"bitsadmin.ddns.net"; nocase; bsize:18; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:targeted-activity; sid:2034350; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/users/payment.php?"; nocase; content:"order_id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt; reference:url,doc.emergingthreats.net/2009671; classtype:web-application-attack; sid:2009671; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon/Armageddon Related Domain in DNS Lookup (list-sert .ddns .net)"; dns.query; content:"list-sert.ddns.net"; nocase; bsize:18; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:domain-c2; sid:2034351; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myEvent viewevent.php SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/viewevent.php?eventdate="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,31773; reference:url,www.milw0rm.com/exploits/6760; reference:url,doc.emergingthreats.net/2008668; classtype:web-application-attack; sid:2008668; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon CnC Activity (Sending Windows System Information)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_540AD80E/walt.html"; endswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034352; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/modules/comments.php?"; nocase; content:"templates_dir="; nocase; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009719; classtype:web-application-attack; sid:2009719; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Vanguard v2.1 (Search) POST Inject Web Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"phps_query|3d 22 3e 25 32 30 3c|iframe src="; startswith; fast_pattern; content:"onload="; distance:0; content:"|29 3e 26|phps_search|3d 3b 29|"; endswith; reference:url,exploit-db.com/exploits/50491; classtype:attempted-admin; sid:2034354; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_05, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/modules/comments.php?"; nocase; content:"template="; nocase; reference:url,milw0rm.com/exploits/6000; reference:bugtraq,19838; reference:url,doc.emergingthreats.net/2009720; classtype:web-application-attack; sid:2009720; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon/Armageddon Activity (Retrieving Remote .dot)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prior/energy/bidding.dot"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf; classtype:trojan-activity; sid:2034353; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_05, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_11_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gunaysoft.php?"; nocase; content:"icerikyolu="; nocase; pcre:"/icerikyolu=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009325; classtype:web-application-attack; sid:2009325; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9]{9,12}\/t\.html$/U"; http.request_line; content:"/t.html HTTP/1.1"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; startswith; content:!"Referer"; reference:md5,1b18012902faa7670ceef2b6a12953f8; reference:md5,1a23e15c82ebc19f52a4da440cec596e; reference:url,twitter.com/Max_Mal_/status/1456555275326996497; classtype:trojan-activity; sid:2034355; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_11_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gunaysoft.php?"; nocase; content:"sayfaid="; nocase; pcre:"/sayfaid=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009326; classtype:web-application-attack; sid:2009326; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/BlackNet Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"?key="; content:!"?token="; content:!"/index.php"; content:!"act=bkw9"; nocase; content:!"?data="; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:16; metadata:created_at 2014_10_09, former_category MALWARE, updated_at 2021_11_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gunaysoft.php?"; nocase; content:"uzanti="; nocase; pcre:"/uzanti=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,30064; reference:cve,CVE-2008-3022; reference:url,xforce.iss.net/xforce/xfdb/43569; reference:url,doc.emergingthreats.net/2009327; classtype:web-application-attack; sid:2009327; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M1"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"GetObject|28 22|winmgmts|3a 22 2b 22 7b|impersonationLevel=impersonate|7d 22 2b 22|"; fast_pattern; distance:0; content:"ExecQuery|28 22|Select|20 2a 20 22 2b 22|from|20 22 2b 22|Win32|5f 22 2b 22|Process|22 29 3b|"; distance:0;  reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010615; classtype:web-application-attack; sid:2010615; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Citibank Phish 2021-11-10"; flow:established,to_server; flowbits:isset,ET.genericphish; http.uri; content:"/citi/"; nocase; fast_pattern; content:".php"; distance:0; http.host; content:".otzo.com"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010616; classtype:web-application-attack; sid:2010616; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Certificate (cloudflace-network .digital)"; flow:established,to_client; tls.cert_subject; content:"CN=cloudflace-network.digital"; bsize:29; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009/; classtype:domain-c2; sid:2034356; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010617; classtype:web-application-attack; sid:2010617; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/LNK/Agent.GX Javascript Downloader M2"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"|3c|script language|3d 22|javascript|22 3e|"; startswith; content:"|3d 22|Explore|22 3b|"; distance:0; content:"|22|W|22 2b 22|scr"; distance:0; content:"|2b 22|ipt|22 2b 22 2e|S|22 3b|"; distance:0; content:"|3d 22|aHR0cHM6Ly9kb2NzLmdvb2dsZS5jb20vc3ByZWFkc2hlZXRzL2Qv"; distance:0; fast_pattern;  reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034360; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010618; classtype:web-application-attack; sid:2010618; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Citibank Phish Landing Page"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; file.data; content:"<title>Citibank Online</title>"; nocase; content:"form|20|name|3d 22|undefined|22|"; fast_pattern; distance:0; content:"|2e|php|3f|sessionid"; distance:0; content:"|26|sslchannel|3d|true|22 20|method|3d 22|POST|22|"; distance:0; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034397; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/bms/invoices_discount_ajax.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,osvdb.org/show/osvdb/59194; reference:url,xforce.iss.net/xforce/xfdb/51650; reference:url,doc.emergingthreats.net/2010619; classtype:web-application-attack; sid:2010619; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain in TLS SNI (stackpatc-technologies .digital)"; flow:established,to_server; tls.sni; content:"stackpatc-technologies.digital"; bsize:30; fast_pattern; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; classtype:domain-c2; sid:2034357; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid SELECT"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004899; classtype:web-application-attack; sid:2004899; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/oscp/"; startswith; fast_pattern; pcre:"/^[a-z]{256}$/R"; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:57; reference:url,www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-009; reference:md5,f790bea81673806479e30337629fa605; classtype:trojan-activity; sid:2034358; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UNION SELECT"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004900; classtype:web-application-attack; sid:2004900; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (rackspare-technology .digital)"; dns.query; content:"rackspare-technology.digital"; nocase; bsize:28; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034391; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid INSERT"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004901; classtype:web-application-attack; sid:2004901; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Cobalt Strike SSL Cert (asurecloud .tech)"; flow:established,to_client; tls.cert_subject; content:"CN=asurecloud.tech"; bsize:18; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034392; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid DELETE"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004902; classtype:web-application-attack; sid:2004902; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Domain (asureupdate .tech in TLS SNI)"; flow:established,to_server; tls.sni; content:"asureupdate.tech"; bsize:16; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; reference:md5,80447e4ec87e319bdc6895e04b18363e; classtype:domain-c2; sid:2034393; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid ASCII"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004903; classtype:web-application-attack; sid:2004903; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Authentication Bypass Attempt (CVE-2021-40539)"; flow:established,to_server; http.uri; content:"/./RestAPI/"; startswith; fast_pattern; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034362; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE"; flow:established,to_server; http.uri; content:"/nickpage.php?"; nocase; content:"npid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0985; reference:url,www.milw0rm.com/exploits/3299; reference:url,doc.emergingthreats.net/2004904; classtype:web-application-attack; sid:2004904; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Arbritrary File Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; distance:0; within:30; content:"|20|name=|22|Save|22|"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034363; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"p=phpinfo()"; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010902; classtype:web-application-attack; sid:2010902; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - .jsp WebShell Upload Attempt (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/"; http.request_body; content:"form-data|3b 20|name=|22|methodToCall|22|"; fast_pattern; content:"unspecified"; distance:0; within:30; content:"|20|name=|22|Save|22|"; content:"filename=|22|"; pcre:"/^[^\x22]+\.jsp\x22/R"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034364; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"c="; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; reference:url,doc.emergingthreats.net/2010903; classtype:web-application-attack; sid:2010903; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (asureupdate .pro)"; dns.query; content:"asureupdate.pro"; nocase; bsize:15; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034394; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt"; flow:to_server,established; http.uri; content:"rootagenda="; nocase; pcre:"/(agendaplace(2?)|infoevent|agenda(2?))\.php3\?/i"; pcre:"/rootagenda=(https?|ftps?|php)/i"; reference:cve,2006-2009; reference:bugtraq,17670; reference:url,doc.emergingthreats.net/2002879; classtype:web-application-attack; sid:2002879; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine AdSelfService Plus - Possible Code Execution via openSSLTool (CVE-2021-40539)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/Connection"; http.request_body; content:"methodToCall=openSSLTool"; nocase; content:"+-providerclass"; fast_pattern; content:"+-providerpath"; reference:url,www.synacktiv.com/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html; reference:cve,2021-40539; classtype:attempted-admin; sid:2034365; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_40539, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/addedit-render.php?"; nocase; content:"editform="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,milw0rm.com/exploits/7417; reference:bugtraq,32774; reference:url,doc.emergingthreats.net/2008992; classtype:web-application-attack; sid:2008992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Downloaded Script Disables Firewall/Antivirus"; flow:established,to_client; http.content_type; content:"text/plain"; file.data; content:"|22|C:|5c|Windows|5c|debug|5c|m|5c|winlogon.exe|22|"; content:"netsh advfirewall set allprofiles state off"; within:45; fast_pattern; content:"name like |27 25|Eset|25 27 22| call uninstall /nointeractive";  reference:md5,fcfc0feed527d188d6b2ed3445758511; classtype:trojan-activity; sid:2034395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/assets/plugins/mp3_id/mp3_id.php?"; nocase; content:"GLOBALS[BASE]="; nocase; pcre:"/GLOBALS\[BASE\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt; reference:url,doc.emergingthreats.net/2010485; classtype:web-application-attack; sid:2010485; rev:5; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MovableTypePoC RCE Inbound (CVE-2021-20837)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"mt-xmlrpc.cgi"; fast_pattern; http.request_body; content:"<?"; content:"<base64>"; distance:0; base64_decode:offset 0,relative; base64_data; content:"|60|"; startswith; reference:cve,2021-20837; classtype:attempted-admin; sid:2034366; rev:1; metadata:attack_target Server, created_at 2021_11_09, cve CVE_2021_20837, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004170; classtype:web-application-attack; sid:2004170; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Beacon)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"s6rt&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034367; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004171; classtype:web-application-attack; sid:2004171; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Download)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"xrtf&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034368; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004172; classtype:web-application-attack; sid:2004172; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SiameseKitten/Lyceum/Hexane MSIL/Shark CnC Activity (Upload)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"o543n&qi="; fast_pattern; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034369; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, malware_family Shark, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004173; classtype:web-application-attack; sid:2004173; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M1"; flow:established,to_server; http.uri; content:"/?proto="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034370; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004174; classtype:web-application-attack; sid:2004174; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M2"; flow:established,to_server; http.uri; content:"/?kind="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034371; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"image_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004175; classtype:web-application-attack; sid:2004175; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Backdoor CnC Activity M3"; flow:established,to_server; http.uri; content:"/?pt="; startswith; fast_pattern; pcre:"/^[0-9]&(?:index|pi|serv)=/R"; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:command-and-control; sid:2034372; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004176; classtype:web-application-attack; sid:2004176; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LNK/Agent.GX CnC Traffic"; flow:established,to_server; http.method; content:"GET"; http.header; content:!"Referer"; content:"UA-CPU"; http.uri; pcre:"/^\/[a-zA-Z0-9+=]{29,44}.{0,8}=$/U"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|Trident|2f|7.0|3b 20|.NET4.0C|3b 20|.NET4.0E|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.0.30729|3b 20|.NET CLR 3.5.30729)"; bsize:156; fast_pattern; reference:md5,4b9eb054d9f7f5dd8c23cc1d7312013c; classtype:trojan-activity; sid:2034410; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004177; classtype:web-application-attack; sid:2004177; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WBK Download from dotted-quad Host"; flow:established,to_server; http.uri; content:".wbk"; endswith; nocase; http.host; content:"."; offset:1; depth:3; content:"."; within:4; content:"."; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.request_line; content:".wbk HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2034396; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004178; classtype:web-application-attack; sid:2004178; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".digitalmarketingagency.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034373; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004179; classtype:web-application-attack; sid:2004179; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".centosupdatecdn.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034374; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004180; classtype:web-application-attack; sid:2004180; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".wsuslink.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034375; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004181; classtype:web-application-attack; sid:2004181; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hpesystem.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034376; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004182; classtype:web-application-attack; sid:2004182; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ndianmombais.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034377; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004183; classtype:web-application-attack; sid:2004183; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".micrsoftonline.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034378; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004184; classtype:web-application-attack; sid:2004184; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnscdn.org"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034379; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004185; classtype:web-application-attack; sid:2004185; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".uctpostgraduate.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034380; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004186; classtype:web-application-attack; sid:2004186; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".zonestatistic.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034381; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004187; classtype:web-application-attack; sid:2004187; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".akastatus.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034382; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004188; classtype:web-application-attack; sid:2004188; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".updatecdn.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034383; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004189; classtype:web-application-attack; sid:2004189; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".sysadminnews.info"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034384; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id INSERT"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004190; classtype:web-application-attack; sid:2004190; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".windowsupdatecdn.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034385; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id DELETE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004191; classtype:web-application-attack; sid:2004191; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnsanalizer.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034386; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id ASCII"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004192; classtype:web-application-attack; sid:2004192; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".defenderstatus.com"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034387; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE"; flow:established,to_server; http.uri; content:"/print.php?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004193; classtype:web-application-attack; sid:2004193; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".checkinternet.org"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034388; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004194; classtype:web-application-attack; sid:2004194; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".securednsservice.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034389; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004195; classtype:web-application-attack; sid:2004195; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE LYCEUM CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dnscatalog.net"; nocase; endswith; reference:url,www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns; classtype:domain-c2; sid:2034390; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_09, deployment Perimeter, performance_impact Low, signature_severity Major, tag LYCEUM, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004196; classtype:web-application-attack; sid:2004196; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart CnC Domain Observed in DNS Query"; dns.query; dotprefix; content:".ncdn.space"; nocase; endswith; classtype:trojan-activity; sid:2031111; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_10_26, deployment Perimeter, signature_severity Major, updated_at 2021_11_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004197; classtype:web-application-attack; sid:2004197; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akastat .app)"; dns.query; content:"akastat.app"; nocase; bsize:11; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034398; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004198; classtype:web-application-attack; sid:2004198; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious Cobalt Strike SSL Cert (cdnengine .biz)"; flow:established,to_client; tls.cert_subject; content:"CN=cdnengine.biz"; bsize:16; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034399; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"news_cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004199; classtype:web-application-attack; sid:2004199; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (azurestat .app in TLS SNI)"; flow:established,to_server; tls.sni; content:"azurestat.app"; bsize:13; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034400; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004200; classtype:web-application-attack; sid:2004200; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related CnC Domain in DNS Lookup (akamaclouds .tech)"; dns.query; content:"akamaclouds.tech"; nocase; bsize:16; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034401; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004201; classtype:web-application-attack; sid:2004201; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rpc"; bsize:4; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; http.accept_lang; content:"en-GB|3b|q=0.9,|20|*|3b|q=0.7"; bsize:20; reference:md5,f7810878118c08539c0cb0c60e4a23b7; reference:md5,8ccc051bbaf6dc9cb76bfea2bbd8f6d4; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:trojan-activity; sid:2034402; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id INSERT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004202; classtype:web-application-attack; sid:2004202; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious Cobalt Strike SSL Cert (setupfastonline .com)"; flow:established,to_client; tls.cert_subject; content:"CN=setupfastonline.com"; bsize:22; fast_pattern; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034403; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id DELETE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004203; classtype:web-application-attack; sid:2004203; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akamalupdate .site)"; dns.query; content:"akamalupdate.site"; nocase; bsize:17; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034404; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2021_11_10, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id ASCII"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004204; classtype:web-application-attack; sid:2004204; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible SombRAT Initial DNS Lookup"; dns.query; content:!".amazonaws.com"; content:"images"; nocase; depth:6; fast_pattern; content:!"images."; depth:7; content:"."; distance:8; within:1; pcre:"/^images[a-f0-9]{8}\./i"; reference:md5,f43377b04b66d1aed783cd6037e3298d; reference:url,blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced; classtype:trojan-activity; sid:2031251; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_03, deployment Perimeter, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004205; classtype:web-application-attack; sid:2004205; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (c2 .hax .vg)"; dns.query; content:"c2.hax.vg"; nocase; bsize:9; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034405; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004206; classtype:web-application-attack; sid:2004206; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andromeda Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; http.content_len; byte_test:0,>,60,0,string,dec; byte_test:0,<,150,0,string,dec; http.connection; content:"close"; bsize:5; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/i"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,41c33fdb9a95353a3b109393543f90dd; classtype:command-and-control; sid:2016223; rev:13; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_03_30, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UNION SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004207; classtype:web-application-attack; sid:2004207; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (azuresecure .tech)"; dns.query; content:"azuresecure.tech"; nocase; bsize:16; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034406; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id INSERT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004208; classtype:web-application-attack; sid:2004208; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (securesurvey .cloud)"; dns.query; content:"securesurvey.cloud"; nocase; bsize:18; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034407; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id DELETE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004209; classtype:web-application-attack; sid:2004209; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (akabox .tech)"; dns.query; content:"akabox.tech"; nocase; bsize:11; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034408; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id ASCII"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004210; classtype:web-application-attack; sid:2004210; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (electronicwhosaleonline .com)"; dns.query; content:"electronicwhosaleonline.com"; nocase; bsize:27; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-009.pdf; classtype:domain-c2; sid:2034409; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"topic_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004211; classtype:web-application-attack; sid:2004211; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET INFO Observed Initial NKN POST Request"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|id|22 3a 22|"; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:policy-violation; sid:2034414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_11_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004212; classtype:web-application-attack; sid:2004212; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PlayerUnknown's Battlegrounds Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; distance:0; http.referer; content:"otzo.com"; distance:0; http.request_body; content:"email="; distance:0; content:"&password="; content:"&nick="; distance:0; content:"&playid="; fast_pattern; distance:0; content:"&phone="; distance:0; content:"&level="; distance:0; content:"&tier="; distance:0; content:"&rpt="; distance:0; content:"&rpl="; distance:0; content:"&platform="; distance:0; content:"&login=Facebook"; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_11_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004213; classtype:web-application-attack; sid:2004213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_cmd.php"; distance:3; within:11; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id INSERT"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004214; classtype:web-application-attack; sid:2004214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jasper URI Path Observed M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; startswith; content:"/mx_jscript.php"; distance:3; within:15; endswith; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:command-and-control; sid:2034428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id DELETE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004215; classtype:web-application-attack; sid:2004215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL/TLS Certificate (Jasper CnC)"; flow:from_server,established; tls.cert_subject; content:"CN=uaic.nl"; fast_pattern; reference:url,twitter.com/c_APT_ure/status/1458388621317246977; classtype:domain-c2; sid:2034429; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family JasperLoader, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id ASCII"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004216; classtype:web-application-attack; sid:2004216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M14"; flow:established,to_client; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:isset,ET.Parallax-14; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032527; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/forums.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004217; classtype:web-application-attack; sid:2004217; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M14"; flow:established,to_server; content:"|cb 79 32 bd|"; depth:4; fast_pattern; content:"|30 8e c5|"; distance:1; within:3; flowbits:set,ET.Parallax-14; flowbits:noalert; reference:md5,4ffdb788b7971827509fe2e3ccadbae2; classtype:command-and-control; sid:2032526; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_07, deployment Perimeter, former_category MALWARE, malware_family Parallax, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004218; classtype:web-application-attack; sid:2004218; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity (set) M16"; flow:established,to_server; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:set,ET.Parallax-16; flowbits:noalert; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034432; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004219; classtype:web-application-attack; sid:2004219; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M15"; flow:established,to_client; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:isset,ET.Parallax-15; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004220; classtype:web-application-attack; sid:2004220; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Parallax CnC Activity (set) M15"; flow:established,to_server; content:"|ed 69 e6 bd|"; startswith; fast_pattern; content:"|fb 5f 07|"; distance:1; within:3; flowbits:set,ET.Parallax-15; flowbits:noalert; reference:md5,bf815840ff00a0c3ba04d47cc2d158ee; classtype:command-and-control; sid:2034430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004221; classtype:web-application-attack; sid:2004221; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 30003 (msg:"ET MALWARE Possible NGLite Backdoor C2 Traffic (NKN)"; flow:established,to_server; http.request_line; content:"POST|20|/|20|HTTP/1.1"; http.host.raw; content:"seed.nkn.org|3a|"; startswith; fast_pattern; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"|22|address|22 3a|"; content:"|2e|monitor_03|2e|"; within:20;  reference:url,unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; reference:md5,aedebba95462e9db10b834551e3abc03; classtype:command-and-control; sid:2034438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family NGLite, signature_severity Major, tag c2, updated_at 2021_11_11, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004222; classtype:web-application-attack; sid:2004222; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (lurkingnet .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lurkingnet.com"; bsize:14; fast_pattern; classtype:domain-c2; sid:2034434; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1550; reference:url,www.securityfocus.com/bid/23033; reference:url,doc.emergingthreats.net/2004223; classtype:web-application-attack; sid:2004223; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (autoconfirmations .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"autoconfirmations.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034435; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProjectButler RFI attempt"; flow:established,to_server; http.uri; content:"/pda_projects.php?offset=http\:"; nocase; reference:url,www.sans.org/top20/; reference:url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt; reference:url,doc.emergingthreats.net/2009887; classtype:web-application-attack; sid:2009887; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed StrongPity Domain (singlefunctionapp .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"singlefunctionapp.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2034436; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/_footer.php?"; nocase; content:"skin_path="; nocase; reference:bugtraq,33621; reference:url,milw0rm.com/exploits/7978; reference:url,doc.emergingthreats.net/2009320; classtype:web-application-attack; sid:2009320; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|29 2a 28|"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034437; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/templater.php?"; nocase; content:"config[template]="; reference:url,milw0rm.com/exploits/6287; reference:bugtraq,30785; reference:url,doc.emergingthreats.net/2009331; classtype:web-application-attack; sid:2009331; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M16"; flow:established,to_client; content:"|a0 cd 78 e6|"; startswith; fast_pattern; content:"|ff fc 36|"; distance:1; within:3; flowbits:isset,ET.Parallax-16; reference:md5,36439a5f029df1777b51a34bd454b9d2; classtype:command-and-control; sid:2034433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_11, deployment Perimeter, former_category MALWARE, malware_family Parallax, signature_severity Major, updated_at 2021_11_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005663; classtype:web-application-attack; sid:2005663; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Compromised  Domain (cryptoarenastore .com in TLS SNI) (2021-11-12)"; flow:established,to_server; tls.sni; dotprefix; content:".cryptoarenastore.com"; endswith; fast_pattern; reference:md5,4965ac0316d652fe5026b4b92d563672; classtype:trojan-activity; sid:2034441; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005664; classtype:web-application-attack; sid:2005664; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M1"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Application"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034442; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005665; classtype:web-application-attack; sid:2005665; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M2"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Name"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034443; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005666; classtype:web-application-attack; sid:2005666; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M3"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Email"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034444; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005667; classtype:web-application-attack; sid:2005667; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M4"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Server"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034445; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE"; flow:established,to_server; http.uri; content:"/wbsearch.aspx?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0226; reference:url,www.milw0rm.com/exploits/3106; reference:url,doc.emergingthreats.net/2005668; classtype:web-application-attack; sid:2005668; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M5"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Secured"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034446; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005348; classtype:web-application-attack; sid:2005348; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M6"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Type"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034447; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UNION SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005349; classtype:web-application-attack; sid:2005349; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M7"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=User"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034448; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php INSERT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005350; classtype:web-application-attack; sid:2005350; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M8"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=Password"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034449; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php DELETE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005351; classtype:web-application-attack; sid:2005351; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M9"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=SMTP"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034450; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php ASCII"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005352; classtype:web-application-attack; sid:2005352; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Nymeria CnC Activity (GET) M10"; flow:established,to_server; http.method; content:"GET"; http.header_names; content:!"Referer"; http.header; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.user_agent; content:"AutoIt"; bsize:6; http.uri; content:".php?cmd=|2f 2a 5c|"; fast_pattern;  reference:md5,3fe6b67ca8cc95875dd1fe9f1ec7dc90; classtype:trojan-activity; sid:2034451; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3197; reference:url,www.vbulletin.org/forum/showthread.php?t=94023&page=38; reference:url,doc.emergingthreats.net/2005353; classtype:web-application-attack; sid:2005353; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034439; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VBulletin 4.0.1 SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/misc.php?"; content:"sub=profilename"; content:"name="; nocase; content:"|27|"; pcre:"/[\?&]name=[^&\;\?]+\x27/i"; reference:url,www.packetstormsecurity.org/1001-exploits/vbulletin401-sql.txt; reference:url,doc.emergingthreats.net/2010701; classtype:web-application-attack; sid:2010701; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"|2e|cmd|7b|background|2d|color|3a 23|000|3b|color|3a 23|FFF"; content:"|3c|input|20|name|3d 27|postpass|27 20|type|3d 27|password|27 20|size|3d 27|22|27 3e 20 3c|input|20|type|3d 27|submit|27 20|value|3d|"; nocase; distance:0; fast_pattern; classtype:web-application-attack; sid:2034440; rev:1; metadata:attack_target Server, created_at 2021_11_12, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_11_12, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005354; classtype:web-application-attack; sid:2005354; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Engineers Online Portal System Webshell Upload (CVE-2021-42669)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"teacher_avatar.php"; fast_pattern; http.request_body; content:"<?php"; reference:cve,2021-42669; classtype:attempted-admin; sid:2034453; rev:1; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_42669, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UNION SELECT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005355; classtype:web-application-attack; sid:2005355; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Engineers Online Portal System Access Control Bypass (CVE-2021-42671)"; flow:established,to_server; http.uri; content:"/nia_munoz_monitoring_system/admin/uploads"; fast_pattern; reference:cve,2021-42671; classtype:attempted-admin; sid:2034454; rev:1; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_42671, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid INSERT"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005356; classtype:web-application-attack; sid:2005356; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Gitlab CE/EE Image Parser RCE Inbound (CVE-2021-22205)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/uploads/user"; http.request_body; content:"Content-Type|3a 20|image/jpeg"; content:"DJVMDIRM|00|"; content:"DJVIANT"; content:"|7b|"; content:"|7d|"; distance:0; within:400; reference:cve,2021-22205; classtype:attempted-admin; sid:2034455; rev:2; metadata:attack_target Server, created_at 2021_11_13, cve CVE_2021_22205, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid DELETE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005357; classtype:web-application-attack; sid:2005357; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (BitRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=Sfgh"; bsize:7; fast_pattern; tls.cert_issuer; content:"CN=Sfgh"; bsize:7; reference:md5,353bf835f7858ee5a1a77e70cef01607; classtype:domain-c2; sid:2034456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family BitRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_11_15, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid ASCII"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005358; classtype:web-application-attack; sid:2005358; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Terse HTTP Request to textbin"; flow:established,to_server; http.request_line; content:"GET /raw/"; startswith; http.host; content:"textbin.net"; bsize:11; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; classtype:bad-unknown; sid:2034461; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2021_11_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE"; flow:established,to_server; http.uri; content:"/vBSupport.php?"; nocase; content:"ticketid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3196; reference:url,www.securityfocus.com/bid/24397; reference:url,doc.emergingthreats.net/2005359; classtype:web-application-attack; sid:2005359; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; http.user_agent; content:"miner"; nocase; content:!"IdleMiner"; content:!"CFNetwork"; pcre:"/miner[^a-z]/i"; http.host; content:!".kaspersky.com"; endswith; reference:url,abcpool.co/mining-software-comparison.php; classtype:coin-mining; sid:2016067; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_12_21, deployment Perimeter, deployment Datacenter, former_category COINMINER, signature_severity Informational, tag Bitcoin_Miner, updated_at 2021_11_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004748; classtype:web-application-attack; sid:2004748; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (publicvm .com)"; dns.query; content:".publicvm.com"; nocase; endswith; content:!"www.publicvm.com"; classtype:bad-unknown; sid:2034457; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UNION SELECT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004749; classtype:web-application-attack; sid:2004749; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to DynDNS Domain (linkpc .net)"; dns.query; content:".linkpc.net"; nocase; endswith; content:!"www.linkpc.net"; classtype:bad-unknown; sid:2034458; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic INSERT"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004750; classtype:web-application-attack; sid:2004750; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith;  reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034481; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic DELETE"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004751; classtype:web-application-attack; sid:2004751; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ultimate POS 4.4 Cross-Site Scripting (XSS) - Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/products"; startswith; http.content_type; content:"multipart/form-data"; startswith; http.cookie; content:"ultimate_pos_session=eyJpdiI6Il"; startswith; fast_pattern; content:"SIsInZhbHVlIjoi"; distance:30; within:20; content:"_token=null&name="; distance:0; content:"|22 3e 3c|iframe src="; distance:0; content:"submit_type=submit"; endswith;  reference:url,exploit-db.com/exploits/50492; classtype:attempted-admin; sid:2034482; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_15, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic ASCII"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004752; classtype:web-application-attack; sid:2004752; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Emotet CnC Beacon 3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"."; content:!"&"; content:!"-"; http.header_names; content:"|0d 0a|Cookie|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; fast_pattern; http.header; content:"|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|Cache-Control|3a 20|no-cache|0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.cookie; bsize:>250; pcre:"/^[A-Za-z0-9]{1,15}=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:md5,bc3532085a0b4febd9eed51aac2180d0; classtype:command-and-control; sid:2034459; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Moderate, signature_severity Major, updated_at 2021_11_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE"; flow:established,to_server; http.uri; content:"/printview.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1163; reference:url,www.milw0rm.com/exploits/3351; reference:url,doc.emergingthreats.net/2004753; classtype:web-application-attack; sid:2004753; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (awsmcafee .com)"; dns.query; content:"awsmcafee.com"; nocase; bsize:13; reference:md5,a8e97752bb385cc263d89350518633c2; reference:url,twitter.com/fr0s7_/status/1458150977278726147; classtype:domain-c2; sid:2034462; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005239; classtype:web-application-attack; sid:2005239; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M5"; flow:established,to_server; http.request_line; content:"GET /jquery-3.3.2.slim.min.js HTTP/1.1"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:47; http.accept_enc; content:"gzip, deflate"; bsize:13; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; reference:url,twitter.com/fr0s7_/status/1458150977278726147; reference:md5,a8e97752bb385cc263d89350518633c2; classtype:trojan-activity; sid:2034463; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005240; classtype:web-application-attack; sid:2005240; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M1"; dsize:16; flow:established,to_server; stream_size:client,>,200; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 c9|"; reference:md5,0428de20539f8341f0987457bc96fd9f; reference:md5,57e582c2a00cfb50a748b78b6c17ee74; classtype:command-and-control; sid:2035632; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005241; classtype:web-application-attack; sid:2005241; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"=eyIzQ0VrIjoi"; fast_pattern; pcre:"/(?:IiwiM2ZlMTEiOi|IsIjNmZTExIjoi|iLCIzZmUxMSI6I)/R"; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034466; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005242; classtype:web-application-attack; sid:2005242; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"=eyIzbTd4Ijoi"; fast_pattern; pcre:"/(?:IiwiYXU1byI6I|IsImF1NW8iOi|iLCJhdTVvIjoi)/R"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:trojan-activity; sid:2034469; rev:1; metadata:created_at 2021_11_16, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005243; classtype:web-application-attack; sid:2005243; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Matanbuchus Loader Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_len; byte_test:0,<,100,0,string,dec; http.response_body; content:"eyJoc3pBIjoi"; startswith; fast_pattern; pcre:"/(?:ifQ==|In0=|J9)$/"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034470; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"picID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0520; reference:url,www.milw0rm.com/exploits/3172; reference:url,doc.emergingthreats.net/2005244; classtype:web-application-attack; sid:2005244; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Post)"; flow:established,to_server; http.uri; content:!"/uup.php"; http.header; content:!".360.cn|0d 0a|"; content:!".360.com|0d 0a|"; content:!".360safe.com|0d 0a|"; http.user_agent; content:"Post"; fast_pattern; bsize:4; classtype:trojan-activity; sid:2014366; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2012_03_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag User_Agent, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005245; classtype:web-application-attack; sid:2005245; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING ghayt_Zone Phishing Kit"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"INFORMATION"; content:"TELEGRAM|20 3a 20 40|ghayt|5f|Zone"; distance:0; fast_pattern; reference:md5,52f9a1141716b47fba9fdbb94f7ddb31; classtype:credential-theft; sid:2034472; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005246; classtype:web-application-attack; sid:2005246; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Made And Morocco"; nocase; content:"Nourblog1"; fast_pattern; nocase; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034477; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005247; classtype:web-application-attack; sid:2005247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Made And Morocco"; nocase; content:"Nour|2e|blog1"; fast_pattern; nocase; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034476; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005248; classtype:web-application-attack; sid:2005248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (bg .knonwsec .com)"; dns.query; content:"bg.knonwsec.com"; nocase; bsize:15; reference:url,twitter.com/malwrhunterteam/status/1425771461499920385; reference:md5,e31a96ce2760c27a4f1cf83a0b5da83b; classtype:domain-c2; sid:2034473; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005249; classtype:web-application-attack; sid:2005249; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Nourblog1 Phish Kit"; http.stat_code; content:"200"; file.data; content:"Coded By Noureddine Tkodar"; nocase; content:"Nourblog1"; fast_pattern; nocase; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034478; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005250; classtype:web-application-attack; sid:2005250; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; pcre:"/^[a-z]{256}-\.jpg$/R"; http.header_names; content:"|0d 0a|Referer|0d 0a|Accept|0d 0a|Pragma|0d 0a|Cache-Control|0d 0a|"; startswith; fast_pattern; reference:md5,e31a96ce2760c27a4f1cf83a0b5da83b; reference:url,twitter.com/malwrhunterteam/status/1425771461499920385; classtype:trojan-activity; sid:2034474; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_16, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005251; classtype:web-application-attack; sid:2005251; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WIN-"; startswith; content:"/source.jng"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,5aba4f68dcb7107f921d12410b62b538; reference:url,twitter.com/h2jazi/status/1457759124037439491; classtype:trojan-activity; sid:2034475; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005312; classtype:web-application-attack; sid:2005312; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Danabot Associated Activity (GET)"; flow:established,to_server; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Power Off"; bsize:9; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/spike-danabot-malware-activity; classtype:trojan-activity; sid:2034471; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005252; classtype:web-application-attack; sid:2005252; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33;  reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:2; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005253; classtype:web-application-attack; sid:2005253; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 26800 (msg:"ET MALWARE ABCbot CnC Exfil"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; bsize:11; http.header_names; content:!"Referer"; http.connection; content:"close"; http.content_type; content:"application/x-www-form-url encoded"; http.request_body; content:"OS|3a 20|"; startswith; content:"CPU:"; distance:0; content:"os-name:"; fast_pattern; distance:0; content:"lanip:"; distance:0;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034483; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005254; classtype:web-application-attack; sid:2005254; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI"; flow:established,to_server; http.uri; content:"SHOW"; nocase; content:"VARIABLES"; nocase; distance:0; content:!"twitter.com"; reference:url,en.wikipedia.org/wiki/SQL_injection; reference:url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html; reference:url,doc.emergingthreats.net/2010965; classtype:web-application-attack; sid:2010965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE"; flow:established,to_server; http.uri; content:"/gallery.php?"; nocase; content:"galleryID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0492; reference:url,www.frsirt.com/english/advisories/2007/0270; reference:url,doc.emergingthreats.net/2005255; classtype:web-application-attack; sid:2005255; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda OS Command Injection (CVE-2020-10987) (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"goform/setUsbUnload"; nocase; fast_pattern; content:"deviceName="; nocase; distance:0; content:"tmp"; distance:0; content:"wget"; distance:0;  reference:url,cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; reference:cve,2020-10987; classtype:attempted-admin; sid:2034489; rev:1; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005158; classtype:web-application-attack; sid:2005158; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Tenda OS Command Injection (CVE-2020-10987) (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"goform/setUsbUnload"; endswith; nocase; fast_pattern; http.request_body; content:"deviceName="; nocase;  reference:url,blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68; reference:cve,2020-10987; classtype:attempted-admin; sid:2034490; rev:1; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_10987, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005159; classtype:web-application-attack; sid:2005159; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (stop)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73746f707d1|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034479; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005160; classtype:web-application-attack; sid:2005160; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (syn)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"73796e|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034484; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005161; classtype:web-application-attack; sid:2005161; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (dns)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"646e73|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034485; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Internal, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005162; classtype:web-application-attack; sid:2005162; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET 26800 -> $HOME_NET any (msg:"ET MALWARE ABCbot CnC Instruction (bigudp)"; flow:established,to_client; http.content_type; content:"text/plain"; http.response_line; content:"HTTP/1.0 200 OK"; http.header; content:"Connection|3a 20|close"; http.response_body; content:"626967756470|7c|"; fast_pattern; startswith;  reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en; classtype:trojan-activity; sid:2034486; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_11_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE"; flow:established,to_server; http.uri; content:"/xNews.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0569; reference:url,www.milw0rm.com/exploits/3216; reference:url,doc.emergingthreats.net/2005163; classtype:web-application-attack; sid:2005163; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Kaseya VSA ManagedITSync SQL Injection (CVE-2017-18362)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"KaseyaCwWebService/ManagedIT.asmx"; nocase; fast_pattern; http.request_body; content:"|27|"; pcre:"/^(?:CREATE|SELECT|INSERT|UPDATE|EXEC)/Ri";  reference:url,github.com/kbni/owlky/blob/master/owlky.py; reference:cve,2017-18362; classtype:attempted-admin; sid:2034492; rev:1; metadata:created_at 2021_11_17, cve CVE_2017_18362, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS z1exchange edit.php site parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/edit.php?"; nocase; content:"site="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32556; reference:url,milw0rm.com/exploits/7311; reference:url,doc.emergingthreats.net/2008928; classtype:web-application-attack; sid:2008928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/HNAP1/"; nocase; http.header; content:"SOAPAction|3a 20 22|http|3a 2f 2f|purenetworks|2e|com|2f|HNAP1|2f|GetDeviceSettings|2f 60|"; fast_pattern; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; classtype:attempted-admin; sid:2034491; rev:2; metadata:created_at 2021_11_17, cve CVE_2015_2051, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/catalogo.php?"; nocase; content:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted IDSVSE IP Camera RCE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ctrl.cgi?language=ie&sntpip="; startswith; content:"uname"; distance:0; content:"telnet"; distance:0; content:"&timezone="; content:"&timezone=13&setdaylight=0&timeformat=2&tstampformat=2"; reference:url,en.0day.today/exploit/27569; classtype:attempted-admin; sid:2034480; rev:1; metadata:created_at 2021_11_17, former_category EXPLOIT, updated_at 2021_11_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; content:"src="; nocase; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011573; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - XR300 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|b7 05 00|"; content:"|e0 e7 02|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034493; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; content:"w="; nocase; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011574; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - R6700V3 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|d0|j|06 00|"; content:"|81 01 00|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034494; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/plog-includes/lib/phpthumb/phpThumb.php?"; nocase; content:"h="; nocase; reference:url,exploit-db.com/exploits/14636/; classtype:web-application-attack; sid:2011572; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from External Host - SUBSCRIBE/UNSUBSCRIBE"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034495; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/addressbook.cgi?"; nocase; content:"show=search"; nocase; content:"page="; nocase; pcre:"/page\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13944; classtype:web-application-attack; sid:2011566; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from Internal Host - SUBSCRIBE/UNSUBSCRIBE"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034496; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dompdf.php?"; nocase; content:"input_file="; nocase; pcre:"/input_file=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14851/; classtype:web-application-attack; sid:2011565; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from External Host - NOTIFY"; flow:established,to_server; http.method; content:"NOTIFY"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034497; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class.phpmailer.php?"; nocase; content:"lang_path="; nocase; pcre:"/lang_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14893/; classtype:web-application-attack; sid:2011564; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible UPnP UUID Overflow Exploit Attempt from Internal Host - NOTIFY"; flow:established,to_server; http.method; content:"NOTIFY"; http.header; content:"UUID|3a 20|"; fast_pattern; pcre:"/^[^\r\n]{100,}/R"; classtype:unknown; sid:2034498; rev:1; metadata:created_at 2021_11_18, former_category HUNTING, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/content/dynpage_load.php?"; nocase; content:"file="; nocase; reference:url,secunia.com/advisories/41317/; classtype:web-application-attack; sid:2011563; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Obfuscated VBS Inbound - Underscore Var/Chr/math"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"Set|20|"; nocase; fast_pattern; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"_"; distance:1; within:1; content:"Chr|28|"; nocase; pcre:"/^\d+(\+|\-|\\|\*)\d+/R"; classtype:bad-unknown; sid:2034499; rev:1; metadata:created_at 2021_11_18, former_category ATTACK_RESPONSE, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/oldnews_reader.php?"; nocase; content:"lang="; nocase; reference:url,exploit-db.com/exploits/13899/; classtype:web-application-attack; sid:2011562; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Unattributed WebShell Access - File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"exec_code=put"; fast_pattern; content:"delimiter="; content:"dst="; reference:url,thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/; classtype:attempted-admin; sid:2034500; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011557; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Unattributed WebShell Access - Command Execution"; flow:established,to_server; http.uri; content:"exec_code=put"; fast_pattern; content:"delimiter="; content:!"dst="; reference:url,thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/; classtype:attempted-admin; sid:2034501; rev:1; metadata:created_at 2021_11_18, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011558; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/AbcBot CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/postip"; fast_pattern; http.request_body; content:"OS|3a|"; content:"CPU|3a|"; distance:0; content:"os-name|3a|"; distance:0; content:"lanip|3a|"; distance:0; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:command-and-control; sid:2034502; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, malware_family AbcBot, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011559; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/AbcBot Requesting Commands from CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/getlist"; fast_pattern; http.content_len; content:"1"; bsize:1; http.request_body; content:"1"; reference:url,blog.netlab.360.com/abcbot_an_evolving_botnet_en/; classtype:command-and-control; sid:2034503; rev:1; metadata:created_at 2021_11_18, former_category MALWARE, malware_family AbcBot, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011560; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Bash Script Inbound - Kill Coin Mining Related Processes"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|0d 0a|ps|20|aux"; fast_pattern; pcre:"/^[^\r\n]+(?:mine\.moneropool|xmr\.crypto-pool|monerohash)[^\r\n]+kill\x20\-9/R"; content:"kill|20|-9"; classtype:bad-unknown; sid:2034504; rev:1; metadata:created_at 2021_11_18, former_category ATTACK_RESPONSE, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_zoomportfolio"; nocase; content:"view=portfolio"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,secunia.com/advisories/41047/; reference:url,exploit-db.com/exploits/14718/; classtype:web-application-attack; sid:2011561; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA408 Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?query=5 HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; content:!"Referer"; reference:url,twitter.com/AhnLab_SecuInfo/status/1460101266760089600; reference:md5,e521c68ac280c00b0e27cbd2fed4c9c4; classtype:trojan-activity; sid:2034511; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_18, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jphone"; nocase; content:"controller="; nocase; reference:url,exploit-db.com/exploits/14964/; classtype:web-application-attack; sid:2011554; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Kimsuky AppleSeed CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?m="; fast_pattern; content:"&p1="; distance:1; within:4; pcre:"/\.php\?m=[abcdefgh]&p1=[a-f0-9]{16}$/"; http.user_agent; content:"Android"; http.content_len; content:"0"; bsize:1; http.header_names; content:!"Referer"; reference:url,twitter.com/AhnLab_SecuInfo/status/1460101266760089600; reference:md5,e7caf25de7ce463a6f22ecb8689389ad; classtype:trojan-activity; sid:2034512; rev:1; metadata:attack_target Mobile_Client, created_at 2021_11_18, deployment Perimeter, former_category MOBILE_MALWARE, malware_family Kimsuky, updated_at 2022_04_18, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/familynews.php?"; nocase; content:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011552; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:3; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:17; metadata:created_at 2010_07_30, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/settings.php?"; nocase; content:"current_user_id="; nocase; pcre:"/current_user_id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14965/; classtype:web-application-attack; sid:2011553; rev:4; metadata:created_at 2010_09_27, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Burp Collaborator Domain in DNS Query"; dns_query; content:".burpcollaborator.net"; nocase; endswith; classtype:policy-violation; sid:2034505; rev:1; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AlstraSoft AskMe que_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/forum_answer.php?"; nocase; content:"que_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,exploit-db.com/exploits/14979/; classtype:web-application-attack; sid:2011547; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Burp Collaborator Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=*.burpcollaborator.net"; nocase; classtype:policy-violation; sid:2034507; rev:1; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/gnupg/json.php?"; nocase; content:"task=send_key"; nocase; content:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/i"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"0x%5B%5D=androxgh0st"; nocase; fast_pattern; reference:url,thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/; classtype:attempted-recon; sid:2034508; rev:1; metadata:created_at 2021_11_18, former_category SCAN, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_del.php?"; nocase; content:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,inj3ct0r.com/exploits/13665; classtype:web-application-attack; sid:2011377; rev:4; metadata:created_at 2010_09_28, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-0646)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"_vti_bin"; content:"/webpartpages.asmx"; endswith; http.request_body; content:"<?xml"; content:"System.Diagnostics.Process.Start"; fast_pattern; reference:url,dl.packetstormsecurity.net/2003-exploits/sharepoint_workflows_xoml.rb.txt; reference:cve,2020-0646; classtype:attempted-admin; sid:2034509; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_0646, former_category EXPLOIT, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cacti/utilities.php"; nocase; content:"tail_lines="; nocase; content:"message_type="; nocase; content:"filter="; nocase; pcre:"/filter\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:bid,42575; reference:cve,2010-2544; reference:cve,2010-2545; classtype:web-application-attack; sid:2011423; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_28, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT .NET Framework Remote Code Execution Injection (CVE-2020-1147)"; flow:established,to_server; http.method; content:"POST"; http.uri; http.request_body; content:"__SUGGESTIONSCACHE__"; fast_pattern; content:"<DataSet"; nocase; distance:0; content:"System.Data.Services.Internal.ExpandedWrapper"; nocase; distance:0; reference:url,srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html; reference:cve,2020-1147; classtype:attempted-admin; sid:2034510; rev:1; metadata:created_at 2021_11_18, cve CVE_2020_1147, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011426; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible TerraMaster TOS RCE Inbound (CVE-2020-28188 CVE-2020-35665)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/makecvs.php?Event="; fast_pattern; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; http.uri.raw; content:"%20"; reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; reference:cve,2020-28188; reference:cve,2020-35665; classtype:attempted-admin; sid:2031535; rev:3; metadata:attack_target Server, created_at 2021_01_21, cve CVE_2020_28188, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011427; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Burp Collaborator Domain in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".burpcollaborator.net"; endswith; fast_pattern; classtype:policy-violation; sid:2034506; rev:2; metadata:created_at 2021_11_18, former_category POLICY, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,41204; classtype:web-application-attack; sid:2011428; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup)"; dns_query; content:"dhjhzmy0nnbvakjjoux"; isdataat:!1,relative; reference:md5,f7dfd4eb1b1c6ba338d56761b3975618; classtype:domain-c2; sid:2034514; rev:2; metadata:created_at 2021_11_18, former_category MOBILE_MALWARE, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011429; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Possible Trojan-Banker.AndroidOS.Sharkbot Activity (DNS Lookup) 2"; dns_query; content:"sharkedtest1.xyz"; isdataat:!1,relative; reference:md5,f7dfd4eb1b1c6ba338d56761b3975618; classtype:trojan-activity; sid:2034515; rev:2; metadata:created_at 2021_11_18, updated_at 2021_11_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/classified_img.php?"; nocase; content:"clsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:bugtraq,41204; classtype:web-application-attack; sid:2011450; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:!"&"; content:"=ey"; depth:13; fast_pattern; pcre:"/^[IJKL].*(?:PT0iLC|09Iiwi|9PSIsI)[a-zA-Z0-9+\/]+(?:PT0iLC|09Iiwi|9PSIsI)/R"; http.header_names; content:!"Referer"; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034468; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jgrid"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/40987/; reference:url,exploit-db.com/exploits/14656/; classtype:web-application-attack; sid:2011451; rev:4; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
 
-#alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kimsuky Related FTP File Download"; flow:established,to_server; content:"RETR|20|/mongo/"; fast_pattern; pcre:"/[a-z]{8}.(:?tif|gif)/Ri";  classtype:trojan-activity; sid:2034513; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_18, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/dailyview.php?"; nocase; content:"date="; nocase; pcre:"/date\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,inj3ct0r.com/exploits/13770; classtype:web-application-attack; sid:2011452; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9]{5,12}&a=/R"; content:"&a=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/; reference:md5,a86f56aa7d6ce07b9639cf34e798b102; classtype:command-and-control; sid:2034516; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_19, deployment Perimeter, former_category MALWARE, malware_family lu0bot, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/maincore.php?"; nocase; content:"folder_level="; nocase; reference:url,inj3ct0r.com/exploits/13709; classtype:web-application-attack; sid:2011453; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_09_29, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE lu0bot Loader HTTP Response M2"; flow:established,to_client; http.response_body; content:"/d/s/c"; depth:20; fast_pattern; content:"node.exe"; distance:0; content:"7C%"; distance:0; content:"7C%"; within:10; content:"ActiveXObject"; distance:0; content:"252Cunescape%25"; distance:0; content:"WScript"; within:23; reference:url,fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp; reference:md5,79b9a5e7b2e87ad7f99fbcd7d7d0a9ed; classtype:command-and-control; sid:2034517; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_19, deployment Perimeter, former_category MALWARE, malware_family lu0bot, signature_severity Major, updated_at 2021_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/global.php?"; nocase; content:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:4; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SHLAYER CnC"; flow:established,to_server; http.request_line; content:"POST http://"; fast_pattern; http.uri; content:"/l"; bsize:2; http.host; content:"api."; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer"; http.request_body; content:"cs="; startswith; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; reference:md5,4d86ae25913374cfcb80a8d798b9016e; reference:url,securelist.com/shlayer-for-macos/95724/; classtype:command-and-control; sid:2030231; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_05_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011493; classtype:web-application-attack; sid:2011493; rev:6; metadata:created_at 2010_09_29, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound (CVE-2021-41277)"; flow:established,to_server; http.uri; content:"/api/geojson?url=file|3a 2f|"; fast_pattern; reference:url,github.com/0x0021h/expbox/blob/main/CVE-2021-41277.yaml; reference:cve,2021-41277; classtype:attempted-admin; sid:2034518; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_41277, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files"; flow:established,to_server; http.uri; content:"/admin/plugins/videoReport/lib/tmp-upload-images"; nocase; reference:url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well; reference:url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/; reference:url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/; reference:url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/; reference:url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html; reference:url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/; reference:url,doc.emergingthreats.net/2011494; classtype:web-application-attack; sid:2011494; rev:6; metadata:created_at 2010_09_29, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Delete User Configuration - xbit set 1 (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|DeleteUserConfiguration>"; xbits:set,ET.2021.42321.1,track ip_src,expire 30; noalert; reference:cve,2021-42321; classtype:attempted-admin; sid:2034519; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007277; classtype:web-application-attack; sid:2007277; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Create User Configuration - xbit set 2 (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|CreateUserConfiguration>"; content:"|3a|UserConfiguration>"; content:"|3a|BinaryData>"; base64_decode:offset 0, relative; base64_data; content:"|00|"; depth:10; xbits:isset,ET.2021.42321.1,track ip_src,expire 30; xbits:unset,ET.2021.42321.1,track ip_src,expire 30; xbits:set,ET.2021.42321.2,track ip_src,expire 30; noalert; reference:cve,2021-42321; classtype:attempted-admin; sid:2034520; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007048; classtype:web-application-attack; sid:2007048; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Server Remote Code Execution Inbound (CVE-2021-42321)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; fast_pattern; http.request_body; content:"<?xml"; content:"<soap|3a|Body>"; content:"|3a|GetClientAccessToken>"; content:"|3a|TokenRequests>"; xbits:isset,ET.2021.42321.2,track ip_src,expire 30; xbits:unset,ET.2021.42321.2,track ip_src,expire 30; reference:cve,2021-42321; classtype:attempted-admin; sid:2034521; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_42321, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007059; classtype:web-application-attack; sid:2007059; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BlackNET CnC Requesting Command"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand.php?id="; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; content:!"Referer"; reference:md5,16b2192fc64d1cc4347cc505234efbb7; classtype:command-and-control; sid:2029180; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_17, deployment Perimeter, former_category MALWARE, malware_family BlackNET, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007125; classtype:web-application-attack; sid:2007125; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fpui/uploadConfigServlet?fileNumber="; nocase; fast_pattern; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034530; rev:1; metadata:attack_target Server, created_at 2021_11_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007126; classtype:web-application-attack; sid:2007126; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (llink .link)"; dns.query; content:"llink.link"; nocase; bsize:10; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034522; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UNION SELECT"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004109; classtype:web-application-attack; sid:2004109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .app)"; dns.query; content:"cuturl.app"; nocase; bsize:10; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034523; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid ASCII"; flow:established,to_server; http.uri; content:"/getnewsitem.php?"; nocase; content:"newsid="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2971; reference:url,www.milw0rm.com/exploits/3988; reference:url,doc.emergingthreats.net/2004112; classtype:web-application-attack; sid:2004112; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (url-tiny .co)"; dns.query; content:"url-tiny.co"; nocase; bsize:11; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034524; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"functions_navlinks.php?"; nocase; content:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008880; classtype:web-application-attack; sid:2008880; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (bitly .tel)"; dns.query; content:"bitly.tel"; nocase; bsize:9; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034525; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"profile_send.php?"; nocase; content:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008881; classtype:web-application-attack; sid:2008881; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (instagrarn .co)"; dns.query; content:"instagrarn.co"; nocase; bsize:13; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034526; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/plugin/gateway/gnokii/init.php?"; nocase; content:"apps_path[plug]="; nocase; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009085; classtype:web-application-attack; sid:2009085; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Candiru Related Domain in DNS Lookup (cuturl .space)"; dns.query; content:"cuturl.space"; nocase; bsize:12; reference:url,www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/; classtype:targeted-activity; sid:2034527; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/plugin/themes/default/init.php?"; nocase; content:"apps_path[themes]="; nocase; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009087; classtype:web-application-attack; sid:2009087; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/3"; bsize:6; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Host|0d 0a|Cookie|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:65; reference:md5,c3c7bfb6c4f0e5c7a455ee1066893552; reference:url,blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html; classtype:trojan-activity; sid:2034528; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"viewtopic_PM-link.php?"; nocase; content:"pun_user[language]="; nocase; pcre:"/(\.\.\/){1,}/"; reference:bugtraq,32360; reference:url,milw0rm.com/exploits/7159; reference:url,doc.emergingthreats.net/2008882; classtype:web-application-attack; sid:2008882; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/2"; bsize:6; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:49; reference:md5,1cc3c8d9bdc43fd4f792b40fdf1333bc; reference:url,blog.talosintelligence.com/2021/11/attackers-use-domain-fronting-technique.html; classtype:trojan-activity; sid:2034529; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion"; flow:established,to_server; content:"../"; http.method; content:"GET"; http.uri; content:"/lib/function.php?"; nocase; content:"apps_path[libs]="; nocase; reference:url,secunia.com/advisories/33386/; reference:url,milw0rm.com/exploits/7687; reference:url,doc.emergingthreats.net/2009089; classtype:web-application-attack; sid:2009089; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains"; dns.query; content:"crpt"; fast_pattern; depth:4; pcre:"/^[a-zA-Z0-9]{12}\.onion/R"; reference:url,blogs.cisco.com/security/talos/cryptowall-2; reference:url,researchcenter.paloaltonetworks.com/2014/10/tracking-new-ransomware-cryptowall-2-0/; classtype:misc-activity; sid:2020292; rev:5; metadata:created_at 2015_01_23, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_joomlaxplorer/admin.joomlaxplorer.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\x3a\//i"; reference:url,packetstormsecurity.org/1011-exploits/joomlaxplorer-rfi.txt; classtype:web-application-attack; sid:2011935; rev:6; metadata:created_at 2010_11_19, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex CnC Request - Spam/Worm Component"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PJ3ZQWVJPYCYDCA9A6Q2Y6YA"; bsize:25; fast_pattern; classtype:command-and-control; sid:2034532; rev:1; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6398; reference:url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded; reference:url,doc.emergingthreats.net/2006650; classtype:web-application-attack; sid:2006650; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Dridex CnC Returning Email Addresses - Possible Spam Module"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"@"; content:"|22|,|22|"; pcre:"/^\x7b(?:\x22[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.[a-z]{2,10}\x22,){4}\x22[a-z0-9_\-\.]+@[a-z0-9_\-\.]+\.[a-z]{2,10}\x22\x7d$/"; flowbits:isset,ET.Dridex.Email.Sets.1; classtype:command-and-control; sid:2034534; rev:1; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/includes/esqueletos/skel_null.php?"; nocase; content:"ABTPV_BLOQUE_CENTRAL="; nocase; pcre:"/ABTPV_BLOQUE_CENTRAL=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/15711/; classtype:web-application-attack; sid:2012031; rev:4; metadata:created_at 2010_12_11, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SideCopy Related Domain in DNS Lookup (securedesk .one)"; dns.query; content:"securedesk.one"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1460744936635224064; reference:md5,a42ea41f21e36173bb0fc268262a15ae; classtype:domain-c2; sid:2034538; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005834; classtype:web-application-attack; sid:2005834; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (a .pwn-t .tk)"; dns.query; content:"a.pwn-t.tk"; nocase; bsize:10; reference:url,twitter.com/TheDFIRReport/status/1463175512000368640; reference:md5,36be5b491426de64f9ac85c50f85808c; classtype:domain-c2; sid:2034539; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id SELECT"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004005; classtype:web-application-attack; sid:2004005; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/image/"; startswith; pcre:"/^[a-z]{256}\.gif$/R"; http.header; content:"Accept|3a 20|text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*l|3b|q=0.8|0d 0a|"; fast_pattern; reference:url,twitter.com/TheDFIRReport/status/1463175512000368640; reference:md5,36be5b491426de64f9ac85c50f85808c; classtype:trojan-activity; sid:2034540; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004006; classtype:web-application-attack; sid:2004006; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Snojan.BNQKZQH User-Agent"; flow:established,to_server; http.user_agent; content:"|29 20|leee Maxwe"; endswith; nocase; reference:md5,83d2fa0e16b39ee2280dea9d8f89aa48; classtype:command-and-control; sid:2034536; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id INSERT"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004007; classtype:web-application-attack; sid:2004007; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Snojan.BNQKZQH CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?action="; content:"&id="; distance:0; isdataat:!18,relative; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"eyJwYXNzIjoi"; startswith; fast_pattern; reference:md5,83d2fa0e16b39ee2280dea9d8f89aa48; classtype:command-and-control; sid:2034537; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id DELETE"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004008; classtype:web-application-attack; sid:2004008; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI <= 5.6.5 Privesc (CVE-2019-15949)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"name="; pcre:"/^[\s\x22\x27]*upload\b/Ri"; content:"name="; distance:0; pcre:"/^[\s\x22\x27]*uploadedfile\b/Ri"; content:"filename="; distance:0; pcre:"/^[\s\x22\x27]*check_ping\b/Ri"; content:"check_ping"; nocase; fast_pattern; reference:url,github.com/jakgibb/nagiosxi-root-rce-exploit/blob/master/exploit.php; reference:cve,2019-15949; classtype:attempted-admin; sid:2034535; rev:1; metadata:attack_target Server, created_at 2021_11_23, cve CVE_2019_15949, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id ASCII"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004009; classtype:web-application-attack; sid:2004009; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike CnC Domain in DNS Lookup (zuppohealth .com)"; dns.query; content:"zuppohealth.com"; nocase; bsize:15; reference:url,github.com/pan-unit42/tweets/blob/master/2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt; reference:url,twitter.com/Unit42_Intel/status/1463178309160906753; classtype:domain-c2; sid:2034541; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_23, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE"; flow:established,to_server; http.uri; content:"/read/index.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2817; reference:url,www.milw0rm.com/exploits/3964; reference:url,doc.emergingthreats.net/2004010; classtype:web-application-attack; sid:2004010; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 11.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/11.0."; content:!"13"; within:2; reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html; classtype:bad-unknown; sid:2028867; rev:8; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2019_10_18, deployment Perimeter, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/auktion.php?"; nocase; content:"id_auk="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12026/; classtype:web-application-attack; sid:2012189; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 29|"; fast_pattern; endswith; http.header_names; content:!"BlueCoat"; nocase; http.host; content:!".bluecoat.com"; classtype:trojan-activity; sid:2014002; rev:12; metadata:created_at 2011_12_08, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004012; classtype:web-application-attack; sid:2004012; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/InfoTester Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"JTU3JTY5JTZFJTY0JTZGJTc3JTczJTNBJTIw"; startswith; fast_pattern; pcre:"/(?:JTBEJTBBJTBEJTBBJTREJTY1JTZEJTZGJTcyJTc5JTNBJTIw|UwRCUwQSUwRCUwQSU0RCU2NSU2RCU2RiU3MiU3OSUzQSUyM|lMEQlMEElMEQlMEElNEQlNjUlNkQlNkYlNzIlNzklM0ElMj)/R"; reference:md5,1d081e356b0593df10bcb12de2931ffa; classtype:command-and-control; sid:2034543; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004013; classtype:web-application-attack; sid:2004013; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup Related Domain in DNS Lookup (wordfile .live)"; dns.query; content:"wordfile.live"; nocase; bsize:13; reference:md5,5c45a038846aea315595b97b0a619f1a; reference:md5,67abe8b04f62eb55b6b880668fb8a634; reference:url,twitter.com/ShadowChasing1/status/1463498326481932289; classtype:domain-c2; sid:2034544; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004014; classtype:web-application-attack; sid:2004014; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[A-Za-z0-9]{16}\/[A-Za-z0-9]{16}\.php$/"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:59; fast_pattern; reference:md5,5c45a038846aea315595b97b0a619f1a; reference:url,twitter.com/ShadowChasing1/status/1463498326481932289; reference:md5,67abe8b04f62eb55b6b880668fb8a634; classtype:trojan-activity; sid:2034545; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, performance_impact Moderate, signature_severity Major, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004015; classtype:web-application-attack; sid:2004015; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Dotted Quad CnC Request (flowbit set)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; pcre:"/^[A-Z0-9]{15,40}$/R"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d+)?$/"; flowbits:set,ET.Dridex.Email.Sets.1; flowbits:noalert; classtype:command-and-control; sid:2034533; rev:2; metadata:created_at 2021_11_23, former_category MALWARE, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE"; flow:established,to_server; http.uri; content:"/wp-admin/admin-ajax.php?"; nocase; content:"cookie="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2821; reference:url,www.securityfocus.com/bid/24076; reference:url,doc.emergingthreats.net/2004016; classtype:web-application-attack; sid:2004016; rev:9; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex CnC Request - Spam/Worm Component"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG"; bsize:38; fast_pattern; classtype:command-and-control; sid:2034542; rev:1; metadata:created_at 2021_11_24, former_category MALWARE, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo AHS Shop component UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_ahsshop"; nocase; content:"flokkur="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; classtype:web-application-attack; sid:2013761; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Datoploader Activity M2 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-Z0-9]{9,12}\/x\.html$/"; http.request_line; content:"/x.html HTTP/1.1"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; startswith; content:!"Referer"; reference:md5,d868b389f2f824a32367767a17b397b8; reference:url,www.trendmicro.com/en_us/research/21/k/Squirrelwaffle-Exploits-ProxyShell-and-ProxyLogon-to-Hijack-Email-Chains.html; classtype:trojan-activity; sid:2034546; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2021_11_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; http.uri; content:"/modules.php"; nocase; reference:bugtraq,7193; classtype:web-application-attack; sid:2102654; rev:7; metadata:created_at 2010_09_23, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Bobik CnC Traffic"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?key="; http.user_agent; content:"test-upload"; bsize:11; fast_pattern; http.request_body; content:"lang="; startswith; content:"&image=iVBORw"; distance:0; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:command-and-control; sid:2034547; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/body_default.php?"; nocase; content:"GOODS[no]="; nocase; content:"GOODS[gs_input]="; nocase; content:"shop_this_skin_path="; nocase; pcre:"/shop_this_skin_path=\s*(https?|ftps?|php)\:\//i"; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; reference:url,doc.emergingthreats.net/2009229; classtype:web-application-attack; sid:2009229; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (test-upload)"; flow:established,to_server; http.user_agent; content:"test-upload"; nocase; bsize:11; reference:md5,c110a5814451bbfba9eb41a2b2328213; classtype:bad-unknown; sid:2034548; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category USER_AGENTS, signature_severity Informational, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/body_default.php?"; nocase; content:"GOODS[no]="; nocase; content:"GOODS[gs_input]="; nocase; content:"shop_this_skin_path="; nocase; reference:url,secunia.com/advisories/33732/; reference:cve,CVE-2009-0441; reference:url,milw0rm.com/exploits/7965; reference:url,doc.emergingthreats.net/2009230; classtype:web-application-attack; sid:2009230; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (checkauj .com)"; dns.query; content:"checkauj.com"; nocase; bsize:12; reference:md5,ab3a744545a12ba2f6789e94b789666a; reference:url,thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/; classtype:domain-c2; sid:2034551; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ardeaCore/lib/core/ardeaInit.php?"; nocase; content:"pathForArdeaCore="; nocase; pcre:"/pathForArdeaCore=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,40811; reference:url,vupen.com/english/advisories/2010/1444; reference:url,exploit-db.com/exploits/13832/; reference:url,doc.emergingthreats.net/2011214; classtype:web-application-attack; sid:2011214; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Images"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; pcre:"/\.(?:jpe?g|png|svg)$/"; classtype:credential-theft; sid:2034553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutManager.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011666; classtype:web-application-attack; sid:2011666; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VNCStartServer BOT Variant CnC Beacon"; flow:established,to_server; dsize:<100; content:"|00 00 00 19 00 00 00|"; offset:1; depth:7; content:"|01 00 00|"; distance:1; within:3; content:"BOT-"; distance:1; within:7; fast_pattern; content:"|00|"; endswith; reference:md5,d66956e0ee70a60e19a4f310339d28a9; classtype:command-and-control; sid:2035524; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2021_11_29, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutParser.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011167; classtype:web-application-attack; sid:2011167; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Retrieving Resources"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; pcre:"/\.(?:css|ttf|woff2?|js)$/"; classtype:credential-theft; sid:2034554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/2fly_gift.php?"; nocase; content:"gameid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/36294/; reference:url,osvdb.org/show/osvdb/57136; reference:url,doc.emergingthreats.net/2010196; classtype:web-application-attack; sid:2010196; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible BulletProofLink Phishkit Activity - Redirect"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:"/redirect-to-url.php?key="; distance:0; classtype:credential-theft; sid:2034555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004059; classtype:web-application-attack; sid:2004059; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY owncloud .online Hosted Site Observed in TLS SNI"; flow:established,to_server; tls.sni; content:".owncloud.online"; endswith; reference:url,tria.ge/210809-35bb7j7tne/behavioral2; classtype:trojan-activity; sid:2034549; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004060; classtype:web-application-attack; sid:2004060; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Owncloud Observed Self Signed TLS Certificate"; flow:established,to_client; tls.cert_subject; content:"CN=owncloud"; nocase; tls.cert_issuer; content:"CN=owncloud"; classtype:policy-violation; sid:2034550; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating INSERT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004061; classtype:web-application-attack; sid:2004061; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING BulletProofLink Phishkit Template"; flow:established,to_client; file_data; content:"<html><head></head><body><template id="; startswith; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}a-f0-9]{12}/R"; classtype:credential-theft; sid:2034556; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating DELETE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004062; classtype:web-application-attack; sid:2004062; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)"; dns.query; dotprefix; content:".trycloudflare.com"; nocase; endswith; classtype:bad-unknown; sid:2034552; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_29, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2021_11_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating ASCII"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004063; classtype:web-application-attack; sid:2004063; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Activity Sending Windows Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/info.php?"; startswith; content:"=C|3a 5c|Program"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.request_body; content:"v="; startswith; content:"|20|svchost.exe|20|"; content:"&r="; reference:md5,40de99fb06e52e3364f2cd70f100ff71; reference:url,twitter.com/h2jazi/status/1465402736996933640; classtype:trojan-activity; sid:2034560; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"rating="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2898; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004064; classtype:web-application-attack; sid:2004064; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (hello)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=hello"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034562; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004071; classtype:web-application-attack; sid:2004071; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (command)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=command"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034563; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004072; classtype:web-application-attack; sid:2004072; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (result)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=result"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034564; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id INSERT"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004073; classtype:web-application-attack; sid:2004073; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Chinotto CnC Activity (file)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"type=file"; fast_pattern; content:"&direction="; pcre:"/^(send|receive)/R"; content:"id="; http.header_names; content:!"Referer";  reference:md5,55afe67b0cd4a01f3a9a6621c26b1a49; reference:url,securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/; classtype:trojan-activity; sid:2034565; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, malware_family Chinotto, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id DELETE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004074; classtype:web-application-attack; sid:2004074; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server SSRF (CVE-2021-40438)"; flow:established,to_server; urilen:>200; http.method; content:"GET"; http.uri; content:"/?unix|3a|"; nocase; fast_pattern; content:"|7c|http"; reference:cve,2021-40438; classtype:attempted-admin; sid:2034566; rev:2; metadata:attack_target Server, created_at 2021_11_30, cve CVE_2021_40438, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id ASCII"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004075; classtype:web-application-attack; sid:2004075; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.DarkVNC Variant Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|4a 01 4f 97 00 1c 84 df cd 3f 1f eb 14 28 b1 ba fa 0e 7e de 22 e0 33 cb a5 8c 23 75 ea e4 e4 3e|"; startswith; fast_pattern; reference:md5,1e081d3f09f24a81194327628a25c214; reference:url,www.malware-traffic-analysis.net/2021/11/05/index.html; classtype:command-and-control; sid:2034557; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/includes/rating.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2905; reference:url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded; reference:url,doc.emergingthreats.net/2004076; classtype:web-application-attack; sid:2004076; rev:13; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32.Raccoon Stealer CnC Domain (stanculinaryblog .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"stanculinaryblog.top"; bsize:20; fast_pattern; classtype:domain-c2; sid:2034558; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007217; classtype:web-application-attack; sid:2007217; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5938,!1935,!3265,!2394,!1514] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 106"; flow:to_server,established; stream_size:server,<,5; dsize:>11; content:"|00 00|"; offset:2; depth:2; content:!"|00 00|"; depth:2; content:"|9c 4b|"; offset:8; fast_pattern; byte_jump:4,0,little,from_beginning,post_offset -9; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32/PcClient.ZR&ThreatID=-2147325231; reference:md5,edc84c505d101301459dafab296fb743; classtype:command-and-control; sid:2023349; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Major, tag Gh0st, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007218; classtype:web-application-attack; sid:2007218; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY NetSupport GeoLocation Lookup Request"; flow:established,to_server; http.request_line; content:"GET /location/loca.asp"; startswith; http.host; content:"geo.netsupportsoftware.com"; bsize:26; reference:md5,f76954b68cc390f8009f1a052283a740; classtype:policy-violation; sid:2034559; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007219; classtype:web-application-attack; sid:2007219; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to Commonly Abused Preview Domain (preview-domain .com)"; dns.query; dotprefix; content:".preview-domain.com"; nocase; endswith; classtype:bad-unknown; sid:2034561; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_11_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2021_11_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007220; classtype:web-application-attack; sid:2007220; rev:14; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Request)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"update.php?id="; fast_pattern; pcre:"/^[0-9]{9}/R"; content:"&stat="; pcre:"/^[0-9a-zA-Z]{32}/R"; http.connection; content:"Keep-Alive"; bsize:10; http.header_names; content:!"Referer|0d 0a|";  reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034573; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007221; classtype:web-application-attack; sid:2007221; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY curl User-Agent Outbound"; flow:established,to_server; http.user_agent; content:"curl/"; nocase; startswith;  reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013028; rev:6; metadata:created_at 2011_06_14, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; http.uri; content:"/admin/edit.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6191; reference:url,www.milw0rm.com/exploits/2853; reference:url,doc.emergingthreats.net/2007222; classtype:web-application-attack; sid:2007222; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING curl User-Agent to Dotted Quad"; flow:established,to_server; http.user_agent; content:"curl/"; startswith; nocase; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:bad-unknown; sid:2034567; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod ASCII"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005061; classtype:web-application-attack; sid:2005061; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Edgewater Networks Edgemarc Blind Command Injection Attempt (CVE-2017-6079)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config?page=50&form=mainForm"; nocase; fast_pattern; reference:url,github.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/blob/master/CVE-2017-6079.py; reference:cve,2017-6079; classtype:attempted-admin; sid:2034575; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_12_01, cve CVE_2017_6079, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005062; classtype:web-application-attack; sid:2005062; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Magecart Exfil Domain in DNS Lookup (convert-server .com)"; dns.query; content:"convert-server.com"; nocase; bsize:18; reference:url,twitter.com/rootprivilege/status/1465763408901337092; classtype:trojan-activity; sid:2034568; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005573; classtype:web-application-attack; sid:2005573; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Sidewinder APT Maldoc Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file.rtf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,e096b33467e6018944c05fb6e4bb03a0; reference:url,twitter.com/ShadowChasing1/status/1466001768765018116; classtype:trojan-activity; sid:2034569; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Sidewinder_APT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UNION SELECT"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005574; classtype:web-application-attack; sid:2005574; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (ny .silvergatehr .com)"; dns.query; content:"ny.silvergatehr.com"; nocase; bsize:19; reference:md5,69c9881a6b7b89a648074328292da7e8; reference:md5,84dd7ccb69d0010c97c1fc336650d5e2; reference:url,twitter.com/ShadowChasing1/status/1465998020734898176; classtype:domain-c2; sid:2034570; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name INSERT"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005575; classtype:web-application-attack; sid:2005575; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/September/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,3182b68be6c01537d466415d4eda7933; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034571; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name DELETE"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005576; classtype:web-application-attack; sid:2005576; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sequence/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6cc602c79e906a64af6c30581ca77906; reference:url,blog.talosintelligence.com/2021/02/gamaredonactivities.html; classtype:trojan-activity; sid:2034572; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ASCII"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005577; classtype:web-application-attack; sid:2005577; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SpyAgent C&C Activity (Response)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"|21|lexec|3b|http"; startswith; fast_pattern; content:"|2e|exe"; endswith;  reference:md5,fbfd9afac42ae8e86193a8e4be085eaf; reference:url,trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html; classtype:command-and-control; sid:2034574; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE"; flow:established,to_server; http.uri; content:"/shared/code/cp_authorization.php?"; nocase; content:"xuser_name="; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005578; classtype:web-application-attack; sid:2005578; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matanbuchus Loader CnC M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"Windows-AzureAD-Authentication-Provider/"; startswith; fast_pattern; threshold:type limit, track by_src, count 1, seconds 120; reference:url,twitter.com/fr0s7_/status/1458823504925798408; classtype:command-and-control; sid:2034467; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Matanbuchus, signature_severity Major, updated_at 2021_12_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005579; classtype:web-application-attack; sid:2005579; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request for .txt - Likely Hostile"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".txt"; endswith; bsize:6; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2034581; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UNION SELECT"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005580; classtype:web-application-attack; sid:2005580; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Code Execution"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; fast_pattern; startswith; content:"&curpath=/&currentsetting.htm=1"; endswith; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2034576; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2021_12_02, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did INSERT"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005581; classtype:web-application-attack; sid:2005581; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<script"; content:"document.getelementbyid|28|"; nocase; content:".scroll"; nocase; fast_pattern; content:"Set"; nocase; pcre:"/^\s*(?P<obj>[\w\-]{1,20})\s*=\s*document\.getElementById\(.{1,500}Class\s*(?P<class>[\w\-]{1,20}).{1,500}End\s*Class.{1,500}set\s*(?P=obj)\.scroll((Left|Top)(Max)?|Height|Width)\s*=\s*New\s*(?P=class)/Rsi"; reference:cve,2019-0752; classtype:attempted-user; sid:2034578; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_03, cve CVE_2019_0752, deployment Perimeter, former_category EXPLOIT, performance_impact Significant, signature_severity Major, tag Exploit, updated_at 2021_12_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did DELETE"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005582; classtype:web-application-attack; sid:2005582; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/Agent.NL Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getconfig.php?r="; fast_pattern; pcre:"/^[0-9]+$/R"; http.content_type; content:"application/json"; bsize:16; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|7b 22|data|22 3a 22|"; startswith; content:!"|3a|"; distance:0; reference:md5,d37bb6fc88cd71f86a3d4211a064d80b; classtype:command-and-control; sid:2034580; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ASCII"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005583; classtype:web-application-attack; sid:2005583; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AgentTesla Communicating with CnC Server"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"p="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9%+\/]{4,6})*(?:[A-Za-z0-9%+\/]{2}==|[A-Za-z0-9%+\/]{3}=|[A-Za-z0-9%+\/]{4})$/R"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,274ff72c29b0711d01254c95770ca193; classtype:command-and-control; sid:2034579; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_10, deployment Perimeter, former_category MALWARE, malware_family AgentTesla, performance_impact Low, signature_severity Major, updated_at 2021_12_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE"; flow:established,to_server; http.uri; content:"/public/code/cp_downloads.php?"; nocase; content:"did="; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-0316; reference:url,www.securityfocus.com/bid/22032; reference:url,doc.emergingthreats.net/2005584; classtype:web-application-attack; sid:2005584; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [exec] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=exec"; fast_pattern; content:"&newid="; content:"?pwd="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034008; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011215; classtype:web-application-attack; sid:2011215; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M2 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"?path="; content:"&context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034010; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/DELETE.+FROM/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011216; classtype:web-application-attack; sid:2011216; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET DELETED Possible WebShell Access Inbound [upload] M3 (CISA AA21-259A)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&act=upload"; fast_pattern; content:"&path="; content:"?context="; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-259a; classtype:attempted-user; sid:2034011; rev:2; metadata:attack_target Server, created_at 2021_09_22, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, tag WebShell, updated_at 2021_12_03, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011217; classtype:web-application-attack; sid:2011217; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter Unauthorized File Read Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=file|3a|"; classtype:attempted-admin; sid:2034582; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/INSERT.+INTO/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011218; classtype:web-application-attack; sid:2011218; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware vCenter SSRF Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vcav-"; fast_pattern; content:"?url=http"; classtype:attempted-admin; sid:2034583; rev:1; metadata:attack_target Server, created_at 2021_12_05, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/campsiteattachment/attachments.php?"; nocase; content:"article_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011219; classtype:web-application-attack; sid:2011219; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA455 CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; classtype:trojan-activity; sid:2035803; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007510; classtype:web-application-attack; sid:2007510; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hancitor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; http.request_body; content:"DATA="; startswith; base64_decode:bytes 156, relative; base64_data; content:"GUID="; content:"&BUILD="; distance:20; content:"&INFO="; distance:0; fast_pattern; content:"&EXT="; distance:0; content:"&IP="; distance:0; content:"&TYPE="; distance:0; content:"&WIN="; distance:0; reference:md5,655d778bd44bf0c6660f92f69e48fd64; reference:url,twitter.com/Jane_0stin/status/1467804081708318722; reference:url,app.any.run/tasks/ca223281-a12f-4f03-b0f7-d152747baefb/; classtype:trojan-activity; sid:2034585; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family Hancitor, signature_severity Major, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007511; classtype:web-application-attack; sid:2007511; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WIN32/KOVTER.B Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:!"DoPost"; nocase; http.host; content:!".foxitservice.com"; http.content_len; byte_test:0,<,1000,0,string,dec; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; fast_pattern; content:!"Referer"; content:!"Accept"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; reference:md5,7943a103d7b79f87843655e6b2f8e80c; classtype:command-and-control; sid:2020181; rev:11; metadata:created_at 2015_01_15, former_category MALWARE, performance_impact Significant, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007512; classtype:web-application-attack; sid:2007512; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA505 P2P CnC Checkin"; flow:established,to_server; http.uri; content:"/c/p1/dnsc.php?n="; fast_pattern; reference:url,research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/; classtype:command-and-control; sid:2034584; rev:1; metadata:created_at 2021_12_06, former_category TROJAN, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007513; classtype:web-application-attack; sid:2007513; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afrepublic .xyz)"; dns.query; content:"afrepublic.xyz"; nocase; bsize:14; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034586; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007514; classtype:web-application-attack; sid:2007514; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (newsroom247 .xyz)"; dns.query; content:"newsroom247.xyz"; nocase; bsize:15; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034587; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"categoryID_list="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007515; classtype:web-application-attack; sid:2007515; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (afghannewsnetwork .com)"; dns.query; content:"afghannewsnetwork.com"; nocase; bsize:21; reference:md5,e9647fa7c1b4a2403b32689298fdee53; reference:md5,99dc4221019a3892c612356d8e9b6ef1; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034588; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007516; classtype:web-application-attack; sid:2007516; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Related CnC Domain in DNS Lookup (republicofaf .xyz)"; dns.query; content:"republicofaf.xyz"; nocase; bsize:16; reference:url,blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/; classtype:command-and-control; sid:2034589; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_06, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007517; classtype:web-application-attack; sid:2007517; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM (TA421) EnvyScout Fingerprint Checkin"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|7b 22|io|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|tu|22 3a 22|"; distance:0; content:"|22 2c 22|sd|22 3a 22|"; distance:0; reference:url,www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:command-and-control; sid:2033052; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2021_05_28, deployment Perimeter, former_category MALWARE, malware_family EnvyScout, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007518; classtype:web-application-attack; sid:2007518; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".doggroomingnews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034602; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007519; classtype:web-application-attack; sid:2007519; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cityloss.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034603; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007520; classtype:web-application-attack; sid:2007520; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".ideasofbusiness.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034604; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"sale_type="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007521; classtype:web-application-attack; sid:2007521; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".trendignews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034605; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007522; classtype:web-application-attack; sid:2007522; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".giftbox4u.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034606; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007523; classtype:web-application-attack; sid:2007523; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".rchosts.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034607; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007524; classtype:web-application-attack; sid:2007524; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".businesssalaries.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034608; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007525; classtype:web-application-attack; sid:2007525; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stonecrestnews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034609; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007526; classtype:web-application-attack; sid:2007526; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dailydews.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034610; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"stock_number="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007527; classtype:web-application-attack; sid:2007527; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".newminigolf.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034611; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007528; classtype:web-application-attack; sid:2007528; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".celebsinformation.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034612; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007529; classtype:web-application-attack; sid:2007529; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".newstepsco.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034613; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007530; classtype:web-application-attack; sid:2007530; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stockmarketon.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007531; classtype:web-application-attack; sid:2007531; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".tacomanewspaper.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007532; classtype:web-application-attack; sid:2007532; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".alifemap.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"manufacturer="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007533; classtype:web-application-attack; sid:2007533; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".myexpertforum.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034617; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007534; classtype:web-application-attack; sid:2007534; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".teachingdrive.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034618; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007535; classtype:web-application-attack; sid:2007535; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".hanproud.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034619; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007536; classtype:web-application-attack; sid:2007536; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".enpport.com"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034620; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007537; classtype:web-application-attack; sid:2007537; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".cbdnewsandreviews.net"; nocase; endswith; reference:url,www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-011.pdf; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/; classtype:domain-c2; sid:2034621; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007538; classtype:web-application-attack; sid:2007538; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ANTa|00 00|"; fast_pattern; pcre:"/[^\r\n]*\x5c(?:n|c)[^\r\n]{0,100}[\x60\x24]/Ri"; reference:url,blogs.blogs.blackberry.com/en/2021/06/from-fix-to-exploit-arbitrary-code-execution-for-cve-2021-22204-in-exiftool; classtype:attempted-admin; sid:2034626; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_07, cve CVE_2021_22204, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"model="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007539; classtype:web-application-attack; sid:2007539; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".stonecrestnews.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034622; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007540; classtype:web-application-attack; sid:2007540; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".nordicmademedia.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034623; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007541; classtype:web-application-attack; sid:2007541; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".theandersonco.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034624; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007542; classtype:web-application-attack; sid:2007542; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM (TA421) CEELOADER CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".tomasubiera.com"; nocase; endswith; reference:url,www.mandiant.com/resources/russian-targeting-gov-business; classtype:domain-c2; sid:2034625; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007543; classtype:web-application-attack; sid:2007543; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Dropper.AndroidOS.Anatsa Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/update"; fast_pattern; isdataat:!1,relative; http.user_agent; content:"|3b 20|Android|20|"; http.header_names; content:!"Referer|3a 20|"; http.request_body; content:"{|22|hwid|22 3a|"; depth:8; content:",|22|phone_name|22 3a|"; content:",|22|update_installed|22 3a|"; reference:md5,4a01cad9af92247b828478d5e1b3e00d; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034591; rev:2; metadata:attack_target Mobile_Client, created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007544; classtype:web-application-attack; sid:2007544; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in DNS Lookup)"; dns_query; content:"protectionguardapp.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034592; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vehicleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007545; classtype:web-application-attack; sid:2007545; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (protectionguardapp .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"protectionguardapp.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034593; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007546; classtype:web-application-attack; sid:2007546; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in DNS Lookup)"; dns_query; content:"readyqrscanner.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034594; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007547; classtype:web-application-attack; sid:2007547; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (readyqrscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"readyqrscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034595; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007548; classtype:web-application-attack; sid:2007548; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in DNS Lookup)"; dns_query; content:"flowdivison.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034596; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007549; classtype:web-application-attack; sid:2007549; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (flowdivison .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"flowdivison.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:command-and-control; sid:2034597; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007550; classtype:web-application-attack; sid:2007550; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in DNS Lookup)"; dns_query; content:"multifuctionscanner.club"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034598; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"year="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007551; classtype:web-application-attack; sid:2007551; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in DNS Lookup)"; dns_query; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:domain-c2; sid:2034599; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007552; classtype:web-application-attack; sid:2007552; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS-Officecmd Remote Code Execution Attempt"; flow:established,to_client; file.data; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern; content:"filename"; nocase; distance:0; content:"|2d 2d|gpu|2d|launcher|3d|"; nocase; distance:0; reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-user; sid:2034627; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007553; classtype:web-application-attack; sid:2007553; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET HUNTING Suspicious Response (MS-Officecmd)"; flow:established,to_client; http.response_body; content:"ms-officecmd|3a|"; nocase; content:"LaunchOfficeAppForResult"; nocase; distance:0; fast_pattern;  reference:url,positive.security/blog/ms-officecmd-rce; classtype:attempted-admin; sid:2034628; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007554; classtype:web-application-attack; sid:2007554; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Brunhilda Dropper (multifuctionscanner .club in TLS SNI)"; flow:established,to_server; tls_sni; content:"multifuctionscanner.club"; isdataat:!1,relative; nocase; reference:url,www.threatfabric.com/blogs/deceive-the-heavens-to-cross-the-sea.html; classtype:trojan-activity; sid:2034600; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007555; classtype:web-application-attack; sid:2007555; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Gymdrop Dropper (onlinefitnessanalysis .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"onlinefitnessanalysis.com"; isdataat:!1,relative; nocase; classtype:command-and-control; sid:2034601; rev:2; metadata:created_at 2021_12_07, former_category MOBILE_MALWARE, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007556; classtype:web-application-attack; sid:2007556; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".midcitylanews.com"; nocase; endswith; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:domain-c2; sid:2034867; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"vin="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007557; classtype:web-application-attack; sid:2007557; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE NOBELIUM Cobalt Strike CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".dom-news.com"; nocase; endswith; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:domain-c2; sid:2034869; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, performance_impact Low, signature_severity Major, updated_at 2021_12_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007558; classtype:web-application-attack; sid:2007558; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M1"; flow:established,to_server; urilen:>150; http.method; content:"GET"; http.uri; content:"v1.5472"; endswith; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:command-and-control; sid:2034868; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_07, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price INSERT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007560; classtype:web-application-attack; sid:2007560; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (set)"; flow:established,to_server; flowbits:set,ET.maldoc.trick; flowbits:noalert; http.method; content:"GET"; http.uri; content:".png"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|"; content:"|0d 0a|Connection|0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,e6258c27362df0668295258b69a5a74d; classtype:trojan-activity; sid:2034631; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price DELETE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007561; classtype:web-application-attack; sid:2007561; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Maldoc Retrieving Binary"; flow:established,to_client; flowbits:isset,ET.maldoc.trick; http.start; content:"HTTP/1.1 200 OK|0d 0a|Server|3a 20|fasthttp|0d 0a|"; fast_pattern; file.data; content:"MZ"; startswith; reference:md5,e6258c27362df0668295258b69a5a74d; reference:md5,91314d1cdd3bfb38daba9273730ed1a4; classtype:trojan-activity; sid:2034632; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ASCII"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007562; classtype:web-application-attack; sid:2007562; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO webhook .site in TLS SNI"; flow:established,to_server; tls.sni; content:"webhook.site"; endswith; nocase; reference:md5,58f8070803608bd0bd2cb6b18351918e; reference:url,isc.sans.edu/forums/diary/InfoStealer+Using+webhooksite+to+Exfiltrate+Data/28088/; classtype:misc-activity; sid:2034634; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007563; classtype:web-application-attack; sid:2007563; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/SDK/webLanguage"; bsize:16; fast_pattern; http.request_body; content:"|3c|language|3e|"; nocase; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/CVE-2021-36260.py; reference:url,watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:cve,2021-36260; classtype:attempted-admin; sid:2034630; rev:2; metadata:affected_product IP_Camera, attack_target Networking_Equipment, created_at 2021_12_08, cve CVE_2021_36260, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 212cafe Board view.php qID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view.php?"; nocase; content:"qID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31426; reference:url,xforce.iss.net/xforce/xfdb/45428; reference:url,milw0rm.com/exploits/6578; reference:url,doc.emergingthreats.net/2009734; classtype:web-application-attack; sid:2009734; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious GET Request (Likely Pentester CnC)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pentest-macro?computer=c_"; fast_pattern;  reference:md5,f7ddcef3607b41c593284dde397e35b8; classtype:command-and-control; sid:2034637; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/page/pageDescriptionObject.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011164; reference:cve,2010-1922; classtype:web-application-attack; sid:2011164; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> any any (msg:"ET INFO Python SimpleHTTP ServerBanner"; flow:established; http.server; content:"SimpleHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lib/layout/layoutHeaderFuncs.php?"; nocase; content:"LibDir="; nocase; pcre:"/LibDir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12558; reference:bugtraq,40049; reference:url,doc.emergingthreats.net/2011165; classtype:web-application-attack; sid:2011165; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL KETRUM CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.html?q="; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|"; startswith; reference:md5,002267297066965505e5e2ea1db867b4; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe; classtype:trojan-activity; sid:2034633; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2021_12_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod SELECT"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005057; classtype:web-application-attack; sid:2005057; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT15/NICKEL Related CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?newfrs"; startswith; fast_pattern; content:"setssion="; distance:0; http.header_names; content:!"Referer"; http.accept; content:"Accept|3a 20|"; reference:md5,95507bd09d464582e82ed0b2fdf46a31; reference:md5,8a5e766065ea81d1470e4955f0c7f402; reference:url,www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe/; classtype:trojan-activity; sid:2034645; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category MALWARE, malware_family APT15, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UNION SELECT"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005058; classtype:web-application-attack; sid:2005058; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"V2luZG93cyBJUCBDb25maWd1cmF0aW9u"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034641; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod INSERT"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005059; classtype:web-application-attack; sid:2005059; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"dpbmRvd3MgSVAgQ29uZmlndXJhdGlvb"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034642; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod DELETE"; flow:established,to_server; http.uri; content:"/templates/modif.html?"; nocase; content:"id_mod="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0698; reference:url,www.frsirt.com/english/advisories/2007/0388; reference:url,doc.emergingthreats.net/2005060; classtype:web-application-attack; sid:2005060; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Base64 Encoded ipconfig sent via HTTP POST M3"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"XaW5kb3dzIElQIENvbmZpZ3VyYXRpb2"; fast_pattern; pcre:"/(?:Q29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4|Nvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpe|Db25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaX)/R"; reference:md5,1df312629294f2de70a335a751a13a28; classtype:bad-unknown; sid:2034643; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UNION SELECT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004542; classtype:web-application-attack; sid:2004542; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Dropbox Page - Possible Phishing Landing"; flow:to_client,established; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>Dropbox"; fast_pattern; content:"<form"; distance:0; nocase; content:"password"; nocase; distance:0; content:!"_csp_external_script_nonce"; content:!"when_ready_configure_requirejs"; distance:0; content:!"DETERMINISTIC_MONKEY_CHECK"; distance:0; content:!"<title>Dropbox Status</title>"; classtype:social-engineering; sid:2025659; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_29, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2021_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid INSERT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004543; classtype:web-application-attack; sid:2004543; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT [CISA AA21-336A] Zoho ManageEngine ServiceDesk Possible Exploitation Activity (CVE-2021-44077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/RestAPI/ImportTechnicians"; fast_pattern; http.request_body; content:"filename=|22|msiexec.exe|22|"; reference:url,us-cert.cisa.gov/ncas/alerts/aa21-336a; reference:cve,2021-44077; reference:url,attackerkb.com/topics/qv2aD8YfMN/cve-2021-44077/rapid7-analysis; classtype:attempted-admin; sid:2034577; rev:2; metadata:attack_target Server, created_at 2021_12_03, cve CVE_2021_44077, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid DELETE"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004544; classtype:web-application-attack; sid:2004544; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/static-directory/bn.png"; fast_pattern; bsize:24; http.header_names; content:!"Referer"; http.user_agent; content:"Linux|3b 20|Android|20|"; reference:url,twitter.com/kienbigmummy/status/1468836018560192512; reference:md5,f3e31cd5f0972e4dbc789807ad2d129b; classtype:trojan-activity; sid:2034646; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ASCII"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004545; classtype:web-application-attack; sid:2004545; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET ![443,80] -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Keep Alive"; flow:established,to_client; dsize:4; content:"|13 11 18 19|"; threshold:type threshold, count 4, seconds 40, track by_src; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034639; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id SELECT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004547; classtype:web-application-attack; sid:2004547; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET ![443,80] -> $HOME_NET any (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant Server Response M2"; flow:established,to_client; dsize:<48; content:"|00 00 00 3c|"; startswith; fast_pattern; content:"|01|"; distance:1; within:1; content:"|20|"; distance:4; within:1; pcre:"/^[\x01-\x04]/R"; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034640; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category MALWARE, performance_impact Significant, signature_severity Major, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id INSERT"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004548; classtype:web-application-attack; sid:2004548; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![443,80] (msg:"ET MALWARE ELF/MooBot Mirai DDoS Variant CnC Checkin M3"; flow:established,to_server; stream_size:server,<,5; dsize:6; content:"|13 11 18 19 01 68|"; reference:md5,b3be367b4868d39d6978d27f4d4dfaaf; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:url,blog.netlab.360.com/ddos-botnet-moobot-en/; classtype:command-and-control; sid:2034638; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_09, deployment SSLDecrypt, former_category MALWARE, signature_severity Minor, updated_at 2021_12_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id ASCII"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004550; classtype:web-application-attack; sid:2004550; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034647; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE"; flow:established,to_server; http.uri; content:"/topic_title.php?"; nocase; content:"td_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1295; reference:url,www.milw0rm.com/exploits/3411; reference:url,doc.emergingthreats.net/2004551; classtype:web-application-attack; sid:2004551; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034648; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible APC Switched Rack PDU Web Administration Interface Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/Forms/login1?login_username="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,securitytracker.com/alerts/2009/Dec/1023331.html; reference:url,doc.emergingthreats.net/2010507; classtype:web-application-attack; sid:2010507; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034649; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid SELECT"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006819; classtype:web-application-attack; sid:2006819; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034650; rev:1; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UNION SELECT"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006820; classtype:web-application-attack; sid:2006820; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034652; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid INSERT"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006821; classtype:web-application-attack; sid:2006821; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034651; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid DELETE"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006822; classtype:web-application-attack; sid:2006822; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034653; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid ASCII"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006823; classtype:web-application-attack; sid:2006823; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034654; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE"; flow:established,to_server; http.uri; content:"/forum2.asp?"; nocase; content:"soruid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006824; classtype:web-application-attack; sid:2006824; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034655; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006825; classtype:web-application-attack; sid:2006825; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034656; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak INSERT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006827; classtype:web-application-attack; sid:2006827; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034657; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak DELETE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006828; classtype:web-application-attack; sid:2006828; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034658; rev:2; metadata:attack_target Server, created_at 2021_12_10, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"ak="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006830; classtype:web-application-attack; sid:2006830; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET ![5938,1433] (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 107"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"|14 24|"; offset:8; fast_pattern; content:!"|00 00|"; distance:-10; within:2; content:"|00 00|"; distance:-4; within:2; byte_jump:4,-8,relative,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; classtype:command-and-control; sid:2023611; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_12, deployment Perimeter, former_category MALWARE, malware_family Gh0st, malware_family PCRAT, performance_impact Significant, signature_severity Major, tag Gh0st, updated_at 2021_12_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler SELECT"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006831; classtype:web-application-attack; sid:2006831; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)"; flow:established,to_server; http.request_line; content:"POST /cgi?2"; startswith; fast_pattern; http.request_body; content:"|5b|IPPING|5f|DIAG|23|"; nocase; content:"host="; distance:0; nocase; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,k4m1ll0.com/cve-2021-41653.html; reference:url,www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; reference:cve,2021-41653; classtype:attempted-admin; sid:2034677; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_12_11, cve CVE_2021_41653, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UNION SELECT"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006832; classtype:web-application-attack; sid:2006832; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034667; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler INSERT"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006833; classtype:web-application-attack; sid:2006833; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034668; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ASCII"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006835; classtype:web-application-attack; sid:2006835; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034661; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE"; flow:established,to_server; http.uri; content:"/aramayap.asp?"; nocase; content:"kelimeler="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006836; classtype:web-application-attack; sid:2006836; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034662; rev:2; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006837; classtype:web-application-attack; sid:2006837; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034663; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UNION SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006838; classtype:web-application-attack; sid:2006838; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034664; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi INSERT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006839; classtype:web-application-attack; sid:2006839; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY dnslog .cn Observed in DNS Query"; dns.query; dotprefix; content:".dnslog.cn"; nocase; endswith; classtype:domain-c2; sid:2034669; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_11, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi DELETE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006840; classtype:web-application-attack; sid:2006840; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034665; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ASCII"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006841; classtype:web-application-attack; sid:2006841; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol lower Bypass (udp) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034666; rev:1; metadata:created_at 2021_12_11, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullaniciadi="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006842; classtype:web-application-attack; sid:2006842; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com)"; dns.query; dotprefix; content:".bingsearchlib.com"; nocase; endswith; reference:url,twitter.com/sans_isc/status/1469305954835521539; reference:cve,2021-44228; classtype:domain-c2; sid:2034670; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_11, cve CVE_2121_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2021_12_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno SELECT"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006843; classtype:web-application-attack; sid:2006843; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".docx"; endswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,9127505386ade0774a1671e146e40ed7; classtype:trojan-activity; sid:2034679; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UNION SELECT"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006844; classtype:web-application-attack; sid:2006844; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideCopy APT Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /ab.vbs HTTP/1.1"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"powershell/"; nocase; http.header_names; content:!"Referer"; reference:url,twitter.com/h2jazi/status/1469399194435735553; reference:md5,64fff1f62c8771e2f558e5cb8694326f; classtype:trojan-activity; sid:2034680; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno INSERT"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006845; classtype:web-application-attack; sid:2006845; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY File Sharing Site in DNS Lookup (satoshidisk .com)"; dns.query; content:"satoshidisk.com"; nocase; bsize:15; classtype:policy-violation; sid:2034681; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ASCII"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006847; classtype:web-application-attack; sid:2006847; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034676; rev:1; metadata:attack_target Server, created_at 2021_12_13, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; content:"mesajno="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006848; classtype:web-application-attack; sid:2006848; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/var/"; startswith; content:"pty"; fast_pattern; endswith; bsize:11; pcre:"/^\/var\/(?:run|tmp)\/pty$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer";  classtype:trojan-activity; sid:2034686; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006849; classtype:web-application-attack; sid:2006849; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"traderstruthrevealed.com"; nocase; bsize:24; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034682; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UNION SELECT"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006850; classtype:web-application-attack; sid:2006850; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED Kimsuky Related Domain in DNS Lookup"; dns.query; content:"usrfiles.com"; nocase; bsize:12; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034687; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf DELETE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006852; classtype:web-application-attack; sid:2006852; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"ausq.inaver.org"; nocase; bsize:15; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034688; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ASCII"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006853; classtype:web-application-attack; sid:2006853; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky Related Domain in DNS Lookup"; dns.query; content:"wnqd.navercloud.org"; nocase; bsize:19; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034689; rev:1; metadata:created_at 2021_12_13, former_category MALWARE, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE"; flow:established,to_server; http.uri; content:"/kullanicilistesi.asp?"; nocase; content:"harf="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006854; classtype:web-application-attack; sid:2006854; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related FTP File Download"; flow:established,to_server; content:"RETR|20|/board/"; fast_pattern; pcre:"/[a-z]{8}.(:?psd|dib)/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034690; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006855; classtype:web-application-attack; sid:2006855; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php?dhk="; fast_pattern; content:"&user="; distance:0; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006856; classtype:web-application-attack; sid:2006856; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kimsuky Related Malicious VBScript Inbound M3"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"reg add"; nocase; fast_pattern; content:"ftp://"; distance:0; within:200; pcre:"/[a-z]{8}.(:?dib|psd)/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034693; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006857; classtype:web-application-attack; sid:2006857; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Kimsuky Related Malicious VBScript Inbound M4"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"open"; nocase; content:"GET"; distance:0; within:10; content:".php?dhk="; fast_pattern; content:"&user="; content:"&fore="; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik DELETE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006858; classtype:web-application-attack; sid:2006858; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert ftp-data $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible Kimsuky Related Malicious VBScript Inbound"; flow:established,to_client; content:"CreateObject(|22|WScript.Shell|22|)"; content:"reg add"; nocase; fast_pattern; content:"ftp://"; distance:0; within:200; pcre:"/[a-z]{8}.[a-z]{3}/Ri"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034695; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik ASCII"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006859; classtype:web-application-attack; sid:2006859; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/https:\/\/[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}.[a-z]{3,12}.com\/[a-z]{3,4}\/[a-z0-9]{6}_[a-z0-9]{32}/"; content:".xls?dn="; fast_pattern; content:".xls"; endswith; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034696; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"baslik="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006860; classtype:web-application-attack; sid:2006860; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ugd/"; fast_pattern; pcre:"/^[a-z0-9]{6}_[a-z0-9]{32}/R"; content:".txt"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:md5,d74f268b986fecfa03b81029dd134811; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username SELECT"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005105; classtype:web-application-attack; sid:2005105; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:!"naver.com"; content:"naver"; fast_pattern; pcre:"/\.php\?[a-z]{3}=(baby|child|adult)/i"; content:"&user="; http.header; content:"Connection|3a 20|Keep-Alive"; nocase; http.header_names; content:!"Referer"; reference:url,github.com/eset/malware-ioc/tree/master/kimsuky/hotdoge_donutcat_case; classtype:trojan-activity; sid:2034692; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UNION SELECT"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005106; classtype:web-application-attack; sid:2005106; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gasti.tm Checkin Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|blob|22 0d 0a|"; fast_pattern; content:"name|3d 22|blob|5f|num|22 0d 0a|"; distance:0; content:"name|3d 22|blob|5f|num|22|name|3d 22|total|5f|blob|5f|num|22 0d 0a|"; distance:0; content:"name|3d 22|hashCode|22 0d 0a 0d 0a|"; content:"|0d 0a 2d 2d|"; distance:32; within:4; reference:md5,0b7504c8770d109f0bc326c1dd4cbee4; classtype:command-and-control; sid:2034678; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2021_12_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username INSERT"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005107; classtype:web-application-attack; sid:2005107; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034699; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username DELETE"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005108; classtype:web-application-attack; sid:2005108; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034659; rev:2; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ASCII"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005109; classtype:web-application-attack; sid:2005109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034660; rev:3; metadata:attack_target Server, created_at 2021_12_11, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE"; flow:established,to_server; http.uri; content:"/artreplydelete.asp?"; nocase; content:"username="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0632; reference:url,www.frsirt.com/english/advisories/2007/0341; reference:url,doc.emergingthreats.net/2005110; classtype:web-application-attack; sid:2005110; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034671; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id SELECT"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005164; classtype:web-application-attack; sid:2005164; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034672; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005165; classtype:web-application-attack; sid:2005165; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034700; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id INSERT"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005166; classtype:web-application-attack; sid:2005166; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034701; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id DELETE"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005167; classtype:web-application-attack; sid:2005167; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034702; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id ASCII"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005168; classtype:web-application-attack; sid:2005168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034703; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE"; flow:established,to_server; http.uri; content:"/news_detail.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0566; reference:url,www.milw0rm.com/exploits/3187; reference:url,doc.emergingthreats.net/2005169; classtype:web-application-attack; sid:2005169; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034706; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user SELECT"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005170; classtype:web-application-attack; sid:2005170; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034707; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005171; classtype:web-application-attack; sid:2005171; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034708; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user INSERT"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005172; classtype:web-application-attack; sid:2005172; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034709; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user DELETE"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005173; classtype:web-application-attack; sid:2005173; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034710; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user ASCII"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005174; classtype:web-application-attack; sid:2005174; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034711; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE"; flow:established,to_server; http.uri; content:"/user.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0560; reference:url,www.milw0rm.com/exploits/3186; reference:url,doc.emergingthreats.net/2005175; classtype:web-application-attack; sid:2005175; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034712; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005883; classtype:web-application-attack; sid:2005883; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034713; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005884; classtype:web-application-attack; sid:2005884; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034714; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005885; classtype:web-application-attack; sid:2005885; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034715; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005886; classtype:web-application-attack; sid:2005886; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034716; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005887; classtype:web-application-attack; sid:2005887; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034717; rev:1; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iPro="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0053; reference:url,www.milw0rm.com/exploits/3062; reference:url,doc.emergingthreats.net/2005888; classtype:web-application-attack; sid:2005888; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Java Client HTTP Request"; flow:established,to_server; flowbits:set,ET.http.javaclient; flowbits:noalert; http.user_agent; content:"Java/"; classtype:misc-activity; sid:2013035; rev:5; metadata:created_at 2011_06_16, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID SELECT"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007000; classtype:web-application-attack; sid:2007000; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/2345.H Variant Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /dmdt/dmdt_data.php HTTP/1.1"; fast_pattern; http.request_body; content:"data_version="; startswith; content:"&client_data="; http.header_names; content:!"Referer"; reference:md5,3b2806dc35cb7bc4db464a5fe017ab4e; reference:md5,0b1f16f067ba71f5b8ec87c9f1a544c6; classtype:pup-activity; sid:2034724; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007001; classtype:web-application-attack; sid:2007001; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup"; dns.query; content:"api.musicbee.getlist.destinycraftpe.com"; nocase; bsize:39; reference:url,twitter.com/Unit42_Intel/status/1470778363254128651; reference:md5,b873bfa8dec8c3a1f62c30903e59e849; classtype:domain-c2; sid:2034725; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID INSERT"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007002; classtype:web-application-attack; sid:2007002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response"; flow:established,to_client; content:"|30 81|"; startswith; content:"|02 01|"; distance:1; within:2; content:"|64|"; distance:1; within:1; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0d|javaClassName"; within:20; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0c|javaCodeBase"; within:19; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|objectClass"; within:18; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|javaFactory"; within:18; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034722; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID DELETE"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007003; classtype:web-application-attack; sid:2007003; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /azure/v2/api HTTP/1.1"; fast_pattern; http.user_agent; content:"MusicBee/3.4"; bsize:12; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a|"; startswith; http.cookie; content:"HSID="; startswith; reference:url,twitter.com/Unit42_Intel/status/1470778363254128651; reference:md5,b873bfa8dec8c3a1f62c30903e59e849; classtype:trojan-activity; sid:2034726; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, tag c2, updated_at 2021_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID ASCII"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007004; classtype:web-application-attack; sid:2007004; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (bqtconsulting .com)"; dns.query; content:"bqtconsulting.com"; nocase; bsize:17; reference:url,twitter.com/malware_traffic/status/1470812160427233294; reference:md5,c681c785d6055a1d5a8fe74403c9dfe9; classtype:domain-c2; sid:2034727; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/listpics.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6210; reference:url,www.securityfocus.com/bid/21279; reference:url,doc.emergingthreats.net/2007005; classtype:web-application-attack; sid:2007005; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /image-directory/templates.mp3 HTTP/1.1"; fast_pattern; http.accept; content:"image/jpeg"; bsize:10; http.header_names; content:!"Referer"; reference:url,twitter.com/malware_traffic/status/1470812160427233294; reference:md5,c681c785d6055a1d5a8fe74403c9dfe9; classtype:trojan-activity; sid:2034728; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/view.asp?"; nocase; content:"entry="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33693; reference:url,milw0rm.com/exploits/8012; reference:url,doc.emergingthreats.net/2009185; classtype:web-application-attack; sid:2009185; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT AjaxPro RCE Attempt (CVE-2021-23758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajaxpro/"; fast_pattern; http.request_body; content:"|5f 5f|type"; content:"Object"; nocase; reference:url,twitter.com/sirifu4k1/status/1470647490; reference:cve,2021-23758; classtype:attempted-admin; sid:2034729; rev:2; metadata:attack_target Server, created_at 2021_12_14, cve CVE_2021_23758, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt"; flow:established,to_server; http.uri; content:"CONFIG[PATH]="; nocase; pcre:"/(join|lostpw)\.php\?/i"; pcre:"/&CONFIG\x5bpath\x5d=(https?|ftps?|php)\:/i"; reference:cve,CVE-2006-2149; reference:url,www.osvdb.org/25158; reference:url,doc.emergingthreats.net/2002901; classtype:web-application-attack; sid:2002901; rev:9; metadata:affected_product Any, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Remote_File_Include, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Khonsri Ransomware CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zambos_caldo_de_p.txt"; startswith; fast_pattern; http.header_names; content:!"User-Agent"; reference:url,businessinsights.bitdefender.com/technical-advisory-zero-day-critical-vulnerability-in-log4j2-exploited-in-the-wild; classtype:command-and-control; sid:2034723; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2021_12_14, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004319; classtype:web-application-attack; sid:2004319; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY GIOP/IIOP Request Outbound"; flow:established,to_server; flowbits:set,ET.GIOPsession; stream_size:server,<,5; content:"|47 49 4f 50 01|"; startswith; content:"|00|"; distance:2; within:1; classtype:policy-violation; sid:2034730; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/UNION\s+SELECT/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004320; classtype:web-application-attack; sid:2004320; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful GIOP/IIOP Request Outbound"; flow:established,to_client; flowbits:isset,ET.GIOPsession; stream_size:server,<,50; content:"|47 49 4f 50 01|"; startswith; content:"|01|"; distance:2; within:1; classtype:policy-violation; sid:2034731; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid INSERT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/INSERT.+INTO/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004321; classtype:web-application-attack; sid:2004321; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M12"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_setdata&__ds_setdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid DELETE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/DELETE.+FROM/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004322; classtype:web-application-attack; sid:2004322; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .carelessnessing .com)"; dns.query; content:"www.carelessnessing.com"; nocase; bsize:23; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; reference:md5,2f602c6feaa750e7d3b64276b630498a; classtype:domain-c2; sid:2034733; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/ASCII\(.+SELECT/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004323; classtype:web-application-attack; sid:2004323; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .weekendorg .com)"; dns.query; content:"www.weekendorg.com"; nocase; bsize:18; reference:md5,04662666c8a97998fb1b2fcf907526e8; reference:md5,1454d4feacdd503c0542f70f44a8edc1; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034734; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"categoryid="; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2007-1469; reference:url,www.securityfocus.com/bid/22988; reference:url,doc.emergingthreats.net/2004324; classtype:web-application-attack; sid:2004324; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> any any (msg:"ET MALWARE DCRat CnC Activity M13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?type=__ds_getdata&__ds_getdata_user="; fast_pattern; offset:140; depth:60; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid SELECT"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007392; classtype:web-application-attack; sid:2007392; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Interactsh Domain in DNS Lookup (.interactsh .com)"; dns.query; dotprefix; content:".interactsh.com"; nocase; endswith; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:bad-unknown; sid:2034732; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UNION SELECT"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007393; classtype:web-application-attack; sid:2007393; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; content:"|30 24 02 01|"; startswith; content:"|78 1f 0a 01 00 04 00 04 00 8a 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034720; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid INSERT"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007394; classtype:web-application-attack; sid:2007394; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPSBindRequest; flowbits:isnotset,ET.LDAPSBindRequest; stream_size:server,<,5; content:"|30 1d 02 01|"; startswith; content:"|77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:bad-unknown; sid:2034719; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid DELETE"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007395; classtype:web-application-attack; sid:2007395; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful LDAPSv3 LDAPS_START_TLS Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPSBindRequest; stream_size:server,<,50; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|78 07 0a 01 00 04 00 04 00|"; endswith; fast_pattern; reference:url,ldap.com/ldapv3-wire-protocol-reference-extended/; classtype:policy-violation; sid:2034721; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ASCII"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007396; classtype:web-application-attack; sid:2007396; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/FunnyDream Backdoor Related Domain in DNS Lookup (www .aexhausts .com)"; dns.query; content:"www.aexhausts.com"; nocase; bsize:17; reference:md5,23d4cfceb70d19cf5dc15ea0e8ea1acd; reference:md5,1f3a2e8058411cc04f474a68501b3045; reference:md5,fa80669685cf12de62b4e3156b997553; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034735; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family TAG_16, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE"; flow:established,to_server; http.uri; content:"/product.asp?"; nocase; content:"productid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007397; classtype:web-application-attack; sid:2007397; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortner Domain in DNS Lookup (urlz .fr)"; dns.query; content:"urlz.fr"; nocase; bsize:7; reference:md5,947c34579e51417d9290c0cd8475cc54; classtype:bad-unknown; sid:2034742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007398; classtype:web-application-attack; sid:2007398; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (news .networkslaoupdate .com)"; dns.query; content:"news.networkslaoupdate.com"; nocase; bsize:26; reference:md5,b9fecf531ebd323cd25b4dbb179a8969; reference:url,go.recordedfuture.com/hubfs/reports/cta-2021-1208.pdf; classtype:domain-c2; sid:2034736; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, malware_family TAG_33, signature_severity Major, updated_at 2021_12_15, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007399; classtype:web-application-attack; sid:2007399; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (koltary .com)"; dns.query; content:"koltary.com"; nocase; bsize:11; reference:md5,91cde71b55ae86e9d64f4ea2c233790f; classtype:domain-c2; sid:2034737; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007400; classtype:web-application-attack; sid:2007400; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE lu0bot Loader HTTP Request M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?"; pcre:"/^[a-f0-9=]{5,12}&ap=/R"; content:"&ap=|20|Mozilla/4.0|20|"; fast_pattern; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Win32|3b 20|WinHttp|2e|WinHttpRequest|2e|5|29|"; bsize:57; reference:url,twitter.com/benkow_/status/1469238517066838018; reference:md5,8e343598ba830d20ffc22d2a9c82ad5a; classtype:command-and-control; sid:2034738; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007401; classtype:web-application-attack; sid:2007401; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Muhstik Botnet CnC Activity"; flow:established,to_server; content:"NICK|20|"; content:"USER|20|"; content:"|3a|muhstik-"; fast_pattern; pcre:"/^[0-9]{8}$/Rm"; reference:md5,81fbe69a36650504b88756074a36c183; reference:md5,d20478a01344026a0ecd60b0b29e9bc1; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034743; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Muhstik, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007402; classtype:web-application-attack; sid:2007402; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Mirai Botnet CnC Activity"; flow:established,to_server; dsize:11; content:"SWATunknown"; fast_pattern; reference:md5,1348a00488a5b3097681b6463321d84c; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034744; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family Mirai, signature_severity Major, updated_at 2021_12_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"search="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6111; reference:url,www.securityfocus.com/bid/21166; reference:url,doc.emergingthreats.net/2007403; classtype:web-application-attack; sid:2007403; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Octopus Backdoor Related Domain in DNS Lookup"; dns.query; content:"movetolight.xyz"; nocase; bsize:15; classtype:command-and-control; sid:2034746; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2021_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010132; classtype:web-application-attack; sid:2010132; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BazarLoader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header; content:"User-Agent|3a 20|Win|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; reference:md5,c70d6690d2d6fcead1e752195985fc54; classtype:trojan-activity; sid:2034752; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, malware_family BazarLoader, signature_severity Major, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010135; classtype:web-application-attack; sid:2010135; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY RMI Request Outbound"; flow:established,to_server; stream_size:server,<,5; flowbits:set,ET.RMIRequest; flowbits:isnotset,ET.RMIRequest; content:"|4a 52 4d 49 00|"; startswith; fast_pattern; pcre:"/^(?:\x01|\x02)(?:\x4b|\x4c|\x4d)/R"; reference:url,docs.oracle.com/javase/9/docs/specs/rmi/protocol.html; reference:url,github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/rex/proto/rmi/model.rb; classtype:policy-violation; sid:2034718; rev:3; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/debugger.php?"; nocase; content:"config_atkroot="; nocase; pcre:"/config_atkroot\s*=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,36822; reference:url,doc.emergingthreats.net/2010354; classtype:web-application-attack; sid:2010354; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (gawocag .com)"; dns.query; dotprefix; content:".gawocag.com"; nocase; endswith; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:trojan-activity; sid:2034753; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID SELECT"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007476; classtype:web-application-attack; sid:2007476; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (rce .ee)"; dns.query; dotprefix; content:".rce.ee"; nocase; endswith; reference:url,www.fastly.com/blog/new-data-and-insights-into-log4shell-attacks-cve-2021-44228; reference:cve,2021-44228; classtype:domain-c2; sid:2034747; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UNION SELECT"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007477; classtype:web-application-attack; sid:2007477; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hiduwu .com)"; dns.query; content:"hiduwu.com"; nocase; bsize:10; reference:url,thedfirreport.com/2021/12/13/diavol-ransomware/; classtype:domain-c2; sid:2034754; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID INSERT"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007478; classtype:web-application-attack; sid:2007478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DCRat CnC Activity M11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?data=active"; endswith; fast_pattern; pcre:"/^\/[a-z0-9]{45,60}\/[a-z0-9]{35,65}\/[a-z0-9]{38,60}\.php\?data=active$/U"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:"Connection";  reference:md5,b478d340a787b85e086cc951d0696cb1; classtype:command-and-control; sid:2034739; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, former_category MALWARE, malware_family DCRat, signature_severity Major, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID DELETE"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007479; classtype:web-application-attack; sid:2007479; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Serialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ac ed|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034748; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ASCII"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007480; classtype:web-application-attack; sid:2007480; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Unserialized Java Payload via RMI Response"; flow:established,to_client; stream_size:client,<,100; flowbits:isset,ET.RMIRequest; content:"|51 ca fe ba be|"; startswith; reference:url,blogs.juniper.net/en-us/threat-research/log4j-vulnerability-attackers-shift-focus-from-ldap-to-rmi; classtype:bad-unknown; sid:2034749; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE"; flow:established,to_server; http.uri; content:"/activenews_view.asp?"; nocase; content:"articleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007481; classtype:web-application-attack; sid:2007481; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034757; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007482; classtype:web-application-attack; sid:2007482; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034758; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007483; classtype:web-application-attack; sid:2007483; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034759; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007564; classtype:web-application-attack; sid:2007564; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp rmi) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034760; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007484; classtype:web-application-attack; sid:2007484; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldap) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldap|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034761; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007485; classtype:web-application-attack; sid:2007485; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp rmi) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|rmi|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034762; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6095; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007486; classtype:web-application-attack; sid:2007486; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp dns) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034763; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID SELECT"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007487; classtype:web-application-attack; sid:2007487; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034764; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UNION SELECT"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007488; classtype:web-application-attack; sid:2007488; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http dns) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|dns|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034765; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID INSERT"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007489; classtype:web-application-attack; sid:2007489; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp ldaps) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern;  reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034766; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007490; classtype:web-application-attack; sid:2007490; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034767; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007491; classtype:web-application-attack; sid:2007491; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (http ldaps) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|ldaps|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day; reference:cve,2021-44228; classtype:attempted-admin; sid:2034768; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE"; flow:established,to_server; http.uri; content:"/activeNews_categories.asp?"; nocase; content:"catID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007492; classtype:web-application-attack; sid:2007492; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Obfuscated log4j RCE Attempt (tcp ldap) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|env|3a|NaN|3a|-j|7d|ndi|24 7b|env|3a|NaN|3a|"; nocase; fast_pattern; content:"|24 7b|env|3a|NaN|3a|-l|7d|dap|24|"; reference:url,twitter.com/bad_packets/status/1471253695459332102; reference:cve,2021-44228; classtype:attempted-admin; sid:2034755; rev:1; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID SELECT"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007493; classtype:web-application-attack; sid:2007493; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /dequeue/paypal"; startswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,b96171a46e7a83815b90271f711727aa; reference:url,twitter.com/malwrhunterteam/status/1471915892980264962/; classtype:trojan-activity; sid:2034756; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_17, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UNION SELECT"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007494; classtype:web-application-attack; sid:2007494; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034750; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID INSERT"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007495; classtype:web-application-attack; sid:2007495; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - Base64 jndi (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|base64|3a|JHtqbmRp"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034751; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID DELETE"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007496; classtype:web-application-attack; sid:2007496; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034781; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ASCII"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007497; classtype:web-application-attack; sid:2007497; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M1 (Outbound) (CVE-2021-44228)"; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034782; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE"; flow:established,to_server; http.uri; content:"/activeNews_comments.asp?"; nocase; content:"articleID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007498; classtype:web-application-attack; sid:2007498; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol TCP (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034783; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query SELECT"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007499; classtype:web-application-attack; sid:2007499; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol UDP (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|3a 2f 2f|"; distance:0; within:20; reference:cve,2021-44228; classtype:misc-activity; sid:2034784; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UNION SELECT"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007500; classtype:web-application-attack; sid:2007500; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034785; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query INSERT"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007501; classtype:web-application-attack; sid:2007501; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (tcp iiop) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034787; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query DELETE"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007502; classtype:web-application-attack; sid:2007502; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt (udp iiop) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|iiop|3a 2f 2f|"; nocase; fast_pattern; reference:url,lunasec.io/docs/blog/log4j-zero-day/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034788; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ASCII"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007503; classtype:web-application-attack; sid:2007503; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp corba) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034789; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE"; flow:established,to_server; http.uri; content:"/activenews_search.asp?"; nocase; content:"query="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6094; reference:url,www.securityfocus.com/bid/21167; reference:url,doc.emergingthreats.net/2007565; classtype:web-application-attack; sid:2007565; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp corba) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|corba|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034790; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AdaptWeb a_index.php CodigoDisciplina Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/a_index.php?"; nocase; content:"CodigoDisciplina="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2009-2152; reference:url,en.securitylab.ru/nvd/381723.php; reference:url,milw0rm.com/exploits/8954; reference:url,doc.emergingthreats.net/2010022; classtype:web-application-attack; sid:2010022; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nds) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034791; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Flex/index.template.html"; nocase; pcre:"/index.template.html.+(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:cve,2009-1879; reference:url,securitytracker.com/alerts/2009/Aug/1022748.html; reference:url,doc.emergingthreats.net/2010214; classtype:web-application-attack; sid:2010214; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nds) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nds|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034792; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/EditUrl.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32413/; reference:url,milw0rm.com/exploits/6856; reference:url,doc.emergingthreats.net/2008785; classtype:web-application-attack; sid:2008785; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (udp nis) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034793; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AjaxPortal ajaxp_backend.php page Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ajaxp_backend.php?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/8341; reference:bugtraq,34338; reference:url,doc.emergingthreats.net/2009424; classtype:web-application-attack; sid:2009424; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt (tcp nis) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|nis|3a|"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034794; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/install/di.php?"; nocase; content:"pathtoserverdata="; nocase; pcre:"/pathtoserverdata\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/55485; reference:url,doc.emergingthreats.net/2010362; classtype:web-application-attack; sid:2010362; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034795; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id SELECT"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004887; classtype:web-application-attack; sid:2004887; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested upper (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|upper|3a 24 7b|upper|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034796; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004888; classtype:web-application-attack; sid:2004888; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034797; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id INSERT"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004889; classtype:web-application-attack; sid:2004889; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - Nested lower (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b 24 7b|lower|3a 24 7b|lower|3a|jndi"; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034798; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id DELETE"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004890; classtype:web-application-attack; sid:2004890; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034834; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ASCII"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004891; classtype:web-application-attack; sid:2004891; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; fast_pattern; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d|\x24\x7b\x3a\x3a\-(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d|\x24\x7b\x3a\x3a\-(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d|\x24\x7b\x3a\x3a\-(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034835; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE"; flow:established,to_server; http.uri; content:"/HaberDetay.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004892; classtype:web-application-attack; sid:2004892; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper UDP Bypass M2 (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034799; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004893; classtype:web-application-attack; sid:2004893; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M2 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; pcre:"/^(l|r|d|\x24\x7b(lower|upper)\x3a(l|r|d)\x7d)(d|n|m|\x24\x7b(lower|upper)\x3a(d|n|m)\x7d)(a|i|s|\x24\x7b(lower|upper)\x3a(a|i|s)\x7d)(p|\x24\x7b(lower|upper)\x3a(p)\x7d)/Ri"; content:"|3a 2f 2f|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034800; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004894; classtype:web-application-attack; sid:2004894; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|upper|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034801; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004895; classtype:web-application-attack; sid:2004895; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034802; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid DELETE"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004896; classtype:web-application-attack; sid:2004896; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (Outbound) (CVE-2021-44228)"; content:"|24 7b|jndi|3a|"; nocase; fast_pattern; content:"|24 7b|lower|3a|"; distance:0; reference:cve,2021-44228; classtype:misc-activity; sid:2034803; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ASCII"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004897; classtype:web-application-attack; sid:2004897; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)\x3a(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034836; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE"; flow:established,to_server; http.uri; content:"/rss.asp?"; nocase; content:"kid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1016; reference:url,www.frsirt.com/english/advisories/2007/0620; reference:url,doc.emergingthreats.net/2004898; classtype:web-application-attack; sid:2004898; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228)"; content:"%7b"; nocase; fast_pattern; pcre:"/^(j|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)j(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-j(\x7d|%7d))(n|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)n(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-n(\x7d|%7d))/Ri"; content:"|3a|"; distance:0; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d)|(\x24|%24)(\x7b|%7b)(\x3a|%3a){1,2}\-(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034804; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS All In One Control Panel poll_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cp_polls_results.php?"; nocase; content:"poll_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/6854; reference:url,secunia.com/advisories/32431; reference:url,doc.emergingthreats.net/2008787; classtype:web-application-attack; sid:2008787; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034806; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/album.php?"; nocase; content:"UID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-3386; reference:url,www.milw0rm.com/exploits/6092; reference:url,secunia.com/advisories/31134/; reference:url,doc.emergingthreats.net/2009228; classtype:web-application-attack; sid:2009228; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - AWS Access Key Disclosure (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|"; pcre:"/^(j|\x24\x7b(lower|upper)\x3aj\x7d|\x24\x7b\x3a\x3a\-j\x7d)(n|\x24\x7b(lower|upper)\x3an\x7d|\x24\x7b\x3a\x3a\-n\x7d)/Ri"; content:"|3a|"; distance:0; content:"|24 7b|env|3a|AWS_ACCESS_KEY_ID"; distance:0; reference:cve,2021-44228; classtype:attempted-admin; sid:2034807; rev:2; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004717; classtype:web-application-attack; sid:2004717; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /alpha_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034773; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004718; classtype:web-application-attack; sid:2004718; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /beta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034774; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004719; classtype:web-application-attack; sid:2004719; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gamma_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034775; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004720; classtype:web-application-attack; sid:2004720; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /delta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034776; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004721; classtype:web-application-attack; sid:2004721; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /epsilon_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034777; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; http.uri; content:"/section/default.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1250; reference:url,www.milw0rm.com/exploits/3390; reference:url,doc.emergingthreats.net/2004723; classtype:web-application-attack; sid:2004723; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Phorpiex Botnet Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /zeta_ HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,ec96bcc50ca8fa91821e820fdfe30915; reference:url,research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/; classtype:trojan-activity; sid:2034778; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family Phorpiex, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006560; classtype:web-application-attack; sid:2006560; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2"; flow:established,to_client; content:"|30|"; startswith; content:"|04 0d|javaClassName"; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 12|javaSerializedData"; within:25; content:"|ac ed|"; within:10; content:"|2e|exec"; distance:0; content:"FromCharCode"; nocase; distance:0; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034769; rev:2; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category ATTACK_RESPONSE, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006561; classtype:web-application-attack; sid:2006561; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034808; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006562; classtype:web-application-attack; sid:2006562; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (lower UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|lower|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034809; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006564; classtype:web-application-attack; sid:2006564; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper TCP Bypass) (CVE-2021-44228)"; flow:established,to_server; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034810; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006565; classtype:web-application-attack; sid:2006565; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache log4j RCE Attempt - Any Protocol (upper UDP Bypass) (CVE-2021-44228)"; content:"|24 7b|upper|3a|j"; nocase; fast_pattern; content:"n"; distance:0; within:12; content:"d"; distance:0; within:12; content:"i"; distance:0; within:12; reference:cve,2021-44228; classtype:attempted-admin; sid:2034811; rev:1; metadata:created_at 2021_12_20, cve CVE_2021_44228, former_category HUNTING, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006566; classtype:web-application-attack; sid:2006566; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPAnonBindRequest; stream_size:server,<,50; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|61 07 0a 01 00 04 00 04 00|"; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034705; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no SELECT"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006567; classtype:web-application-attack; sid:2006567; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPAnonBindRequest; flowbits:isnotset,ET.LDAPAnonBindRequest; stream_size:server,<,5; dsize:14; content:"|30 0c 02 01|"; startswith; content:"|60 07 02 01 03 04 00 80 00|"; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034704; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_14, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UNION SELECT"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006568; classtype:web-application-attack; sid:2006568; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY JavaClass Returned Via Anonymous Outbound LDAPv3 Bind Request"; flow:established,to_client; flowbits:isset,ET.LDAPAnonBindRequest; content:"javaClassName"; fast_pattern; nocase; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034770; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no INSERT"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006569; classtype:web-application-attack; sid:2006569; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MageCart Skimmer Domain in DNS Lookup (bootstrap2 .xyz)"; dns.query; content:"bootstrap2.xyz"; nocase; bsize:14; reference:url,twitter.com/MBThreatIntel/status/1472995976507916290; classtype:domain-c2; sid:2034779; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_20, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no DELETE"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006570; classtype:web-application-attack; sid:2006570; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET POLICY Non-Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_server; flowbits:set,ET.LDAPBindRequest; flowbits:isnotset,ET.LDAPBindRequest; content:"|30|"; startswith; content:"|02 01|"; within:4; content:"|60|"; distance:1; within:1; byte_test:1,>,7,0,relative; content:"|02 01 03 04|"; distance:1; within:4; fast_pattern; byte_jump:1,0,relative; content:"|80|"; within:1; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034812; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ASCII"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006571; classtype:web-application-attack; sid:2006571; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY Successful Non-Anonymous LDAPv3 Bind Request Outbound"; flow:established,to_client; flowbits:isset,ET.LDAPBindRequest; content:"|30|"; startswith; content:"|02 01|"; distance:0; content:"|61|"; distance:0; content:"|07 0a 01 00 04 00 04 00|"; within:12; endswith; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034771; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE"; flow:established,to_server; http.uri; content:"/voirannonce.php?"; nocase; content:"no="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006572; classtype:web-application-attack; sid:2006572; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle Coherence Deserialization RCE (CVE-2020-2555)"; flow:established,to_server; content:"|74 33 20 31 32 2e 32 2e 31 0a 41 53 3a 32 35 35|"; content:"javax.management.BadAttributeValueExpException"; nocase; fast_pattern; content:"weblogic.common.internal.PackageInfo"; reference:url,github.com/Y4er/CVE-2020-2555/blob/master/weblogic_t3.py; reference:url,www.zerodayinitiative.com/blog/2020/3/5/cve-2020-2555-rce-through-a-deserialization-bug-in-oracles-weblogic-server; reference:cve,2020-2555; classtype:attempted-admin; sid:2034780; rev:1; metadata:attack_target Server, created_at 2021_12_20, cve CVE_2020_2555, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006573; classtype:web-application-attack; sid:2006573; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET POLICY JavaClass Returned Via Non-Anonymous Outbound LDAPv3 Bind Request"; flow:established,to_client; flowbits:isset,ET.LDAPBindRequest; content:"javaClassName"; fast_pattern; nocase; reference:url,ldap.com/ldapv3-wire-protocol-reference-bind/; classtype:policy-violation; sid:2034772; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_20, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006574; classtype:web-application-attack; sid:2006574; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 14.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/14.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/14u-relnotes.html; classtype:bad-unknown; sid:2034814; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006575; classtype:web-application-attack; sid:2006575; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 15.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/15.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/15u-relnotes.html; classtype:bad-unknown; sid:2034815; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006576; classtype:web-application-attack; sid:2006576; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 16.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/16.0."; content:!"2"; within:1; reference:url,www.oracle.com/java/technologies/javase/16u-relnotes.html; classtype:bad-unknown; sid:2034816; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006577; classtype:web-application-attack; sid:2006577; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 17.0.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/17.0."; content:!"1"; within:1; reference:url,www.oracle.com/java/technologies/javase/17u-relnotes.html; classtype:bad-unknown; sid:2034817; rev:2; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2021_12_21, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_membre/fiche_membre.php?"; nocase; content:"idmembre="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006578; classtype:web-application-attack; sid:2006578; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OWOWA Stealer CnC Domain in DNS Lookup"; dns.query; content:"s3crt.biz"; nocase; bsize:9; reference:url,securelist.com/owowa-credential-stealer-and-remote-access/105219/; classtype:domain-c2; sid:2034833; rev:1; metadata:attack_target Server, created_at 2021_12_21, deployment Perimeter, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006579; classtype:web-application-attack; sid:2006579; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET POLICY Serialized Java Object returned via LDAPv3 Response"; flow:established,to_client; content:"|30|"; depth:1; content:"|04 0d|javaClassName"; fast_pattern; content:"|04 12|javaSerializedData"; distance:0; content:"|ac ed|"; within:10; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:bad-unknown; sid:2034818; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, deployment Perimeter, deployment Internal, former_category POLICY, signature_severity Informational, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006580; classtype:web-application-attack; sid:2006580; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j .binaryedge .io)"; dns.query; dotprefix; content:".log4j.binaryedge.io"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034819; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006581; classtype:web-application-attack; sid:2006581; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4shell .huntress .com)"; dns.query; dotprefix; content:".log4shell.huntress.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034820; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006582; classtype:web-application-attack; sid:2006582; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (kryptoslogic-cve-2021-44228 .com)"; dns.query; dotprefix; content:".kryptoslogic-cve-2021-44228.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034821; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006583; classtype:web-application-attack; sid:2006583; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (ceye .io)"; dns.query; dotprefix; content:".ceye.io"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034822; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/okvalannonce.php?"; nocase; content:"idannonce="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006584; classtype:web-application-attack; sid:2006584; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (oob .li)"; dns.query; dotprefix; content:".oob.li"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034823; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006585; classtype:web-application-attack; sid:2006585; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (pwn .af)"; dns.query; dotprefix; content:".pwn.af"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034824; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006586; classtype:web-application-attack; sid:2006586; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (notburpcollaborator .net)"; dns.query; dotprefix; content:".notburpcollaborator.net"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034825; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006587; classtype:web-application-attack; sid:2006587; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scannermcscanface-edgescan .com)"; dns.query; dotprefix; content:".scannermcscanface-edgescan.com"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034826; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006588; classtype:web-application-attack; sid:2006588; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (service .exfil .site)"; dns.query; dotprefix; content:".service.exfil.site"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034827; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006589; classtype:web-application-attack; sid:2006589; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (scanworld .net)"; dns.query; dotprefix; content:".scanworld.net"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034828; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_annonce/changeannonce.php?"; nocase; content:"idannonce="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6478; reference:url,www.securityfocus.com/bid/21514/exploit; reference:url,doc.emergingthreats.net/2006590; classtype:web-application-attack; sid:2006590; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Query for Observed CVE-2021-44228 Security Scanner Domain (dns .cyberwar .nl)"; dns.query; dotprefix; content:".dns.cyberwar.nl"; nocase; endswith; reference:cve,2021-44228; classtype:policy-violation; sid:2034829; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/host-manager/html/add"; nocase; content:"method="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/29502/info; reference:cve,2008-1947; reference:url,doc.emergingthreats.net/2010146; classtype:web-application-attack; sid:2010146; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (log .exposedbotnets .ru)"; dns.query; dotprefix; content:".log.exposedbotnets.ru"; nocase; endswith; reference:cve,2021-44228; classtype:domain-c2; sid:2034830; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/Aris/wflogin.jsp?"; nocase; content:"errmsg="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,38441; reference:url,secunia.com/advisories/38793; reference:url,doc.emergingthreats.net/2011114; classtype:web-application-attack; sid:2011114; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (canarytokens .com)"; dns.query; content:".l4j."; nocase; content:".canarytokens.com"; nocase; endswith; fast_pattern; reference:cve,2021-44228; classtype:domain-c2; sid:2034832; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2021_12_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPApps.com Template Creature media_level.asp mcatid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/media_level.asp?"; nocase; content:"mcatid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7339; reference:bugtraq,32641; reference:url,doc.emergingthreats.net/2008936; classtype:web-application-attack; sid:2008936; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN WordPress HelloThinkCMF Scan"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=fetch&content="; startswith; content:"die(@md5(HelloThinkCMF))"; fast_pattern; distance:0; http.header_names; content:!"Referer";  classtype:network-scan; sid:2034838; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_12_22, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006783; classtype:web-application-attack; sid:2006783; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.header; content:"Java/1.5."; nocase; reference:url,www.oracle.com/technetwork/java/javase/documentation/index.html; classtype:bad-unknown; sid:2011581; rev:12; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2010_09_27, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, tag EOL, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UNION SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006784; classtype:web-application-attack; sid:2006784; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; http.user_agent; content:"Java/1.8.0_"; content:!"291"; within:3; reference:url,www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html; classtype:bad-unknown; sid:2019401; rev:35; metadata:affected_product Java, attack_target Client_Endpoint, created_at 2014_10_15, deployment Perimeter, deployment Internal, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici INSERT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006785; classtype:web-application-attack; sid:2006785; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php="; fast_pattern; startswith; content:"SSL3."; distance:0; reference:url,threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/; classtype:command-and-control; sid:2034837; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_22, deployment Perimeter, former_category MALWARE, malware_family Andariel, signature_severity Major, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici DELETE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006786; classtype:web-application-attack; sid:2006786; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Sality.3 Checkin"; flow:established,to_server; http.uri; content:"/?f"; fast_pattern; endswith; http.header; content:!"broadcastify.com"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Accept"; content:!"Referer|0d 0a|"; content:!"Cache-Control|0d 0a|"; reference:md5,df9516919e75853742e63db318e7d346; classtype:command-and-control; sid:2020505; rev:6; metadata:created_at 2015_02_24, deprecation_reason Relevance, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ASCII"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006787; classtype:web-application-attack; sid:2006787; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j Uncontrolled Recursion Lookup (CVE-2021-45105)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b 24 7b 3a 3a 2d 24 7b 3a 3a 2d 24 24 7b 3a 3a 2d|"; fast_pattern; content:"|7d 7d 7d 7d|"; distance:0; within:6; reference:cve,2021-45105; classtype:attempted-admin; sid:2034839; rev:1; metadata:created_at 2021_12_22, cve CVE_2021_45105, former_category EXPLOIT, updated_at 2021_12_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"kullanici="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006788; classtype:web-application-attack; sid:2006788; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".2o2.lol"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; reference:md5,c5dcbd49126fff30970e849207d47c9d; classtype:credential-theft; sid:2034237; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_10_21, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006789; classtype:web-application-attack; sid:2006789; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".strongencryption.org"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029833; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UNION SELECT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006790; classtype:web-application-attack; sid:2006790; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".comano.us"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029835; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola INSERT"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006791; classtype:web-application-attack; sid:2006791; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M5"; flow:established,to_server; http.request_line; content:"GET /pages/"; startswith; fast_pattern; content:"/"; distance:13; within:1; pcre:"/^[A-Za-z0-9+\/]{50,}={0,2} HTTP\//R"; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2031609; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_02_10, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola DELETE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006792; classtype:web-application-attack; sid:2006792; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phishtrain.org"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029830; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ASCII"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006793; classtype:web-application-attack; sid:2006793; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".microransom.us"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029836; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE"; flow:established,to_server; http.uri; content:"/giris.asp?"; nocase; content:"parola="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6337; reference:url,www.securityfocus.com/bid/21398; reference:url,doc.emergingthreats.net/2006794; classtype:web-application-attack; sid:2006794; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phishing.guru"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029832; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AstroSPACES profile.php SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/profile.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,31771; reference:url,www.milw0rm.com/exploits/6758; reference:url,doc.emergingthreats.net/2008669; classtype:web-application-attack; sid:2008669; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".phish.farm"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029831; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID SELECT"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004724; classtype:web-application-attack; sid:2004724; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to KnowBe4 Simulated Phish Domain"; dns.query; content:".password.land"; nocase; endswith; threshold: type limit, track by_src, count 1, seconds 120; classtype:credential-theft; sid:2029829; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_08, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UNION SELECT"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004725; classtype:web-application-attack; sid:2004725; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M3"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|oops|2d|banner|2d|header|22 3e 3c|strong|3e|OOPS|21 20|YOU|20|CLICKED|20|ON|20|A|20|SIMULATED|20|PHISHING|20|TEST|2e 3c 2f|strong|3e 3c 2f|div|3e 0d 0a|"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031518; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID INSERT"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004726; classtype:web-application-attack; sid:2004726; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M4"; flow:established,to_client; file.data; content:"|3c|div|20|class|3d 22|disclaimer|22 3e 0d 0a 3c|p|3e|Please|20|Note|3a 20|This|20|message|20|came|20|from|20|KnowBe4|2c 20|Inc|2e 20|"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031519; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID DELETE"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004727; classtype:web-application-attack; sid:2004727; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M1"; flow:established,to_client; file.data; content:"/popcorn/logos/Popcorn+Training+Logo.png|22 20 2f 3e|"; fast_pattern; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031516; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ASCII"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004728; classtype:web-application-attack; sid:2004728; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Observed KnowBe4/Popcorn Training Simulated Phish Landing Page M2"; flow:established,to_client; file.data; content:"|3c|meta|20|name|3d 22|IMPORTANT|22 20|content|3d 22|This|20|page|20|is|20|part|20|of|20|a|20|simulated|20|phishing|20|attack|20|initiated|20|by|20|KnowBe4"; threshold: type limit, track by_dst, count 1, seconds 120; classtype:credential-theft; sid:2031517; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_01_12, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, performance_impact Low, signature_severity Informational, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE"; flow:established,to_server; http.uri; content:"/system/index.php?"; nocase; content:"PHPSESSID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1242; reference:url,www.securityfocus.com/bid/22728; reference:url,doc.emergingthreats.net/2004729; classtype:web-application-attack; sid:2004729; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky Related Maldoc Retrieving Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?id=1"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,51fa8bf006d80f5e140d84df313c650f; reference:url,twitter.com/ShadowChasing1/status/1465549330744414215; classtype:trojan-activity; sid:2034840; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Auto Listings Script moreinfo.php itemno Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/moreinfo.php?"; nocase; content:"itemno="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32131; reference:url,milw0rm.com/exploits/7003; reference:url,doc.emergingthreats.net/2009186; classtype:web-application-attack; sid:2009186; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET GAMES Moonlight Hack Domain in DNS Lookup"; dns.query; content:"moonsoft.eu3.biz"; nocase; bsize:16; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034841; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/_bot.php?"; nocase; content:"master[currentskin]="; nocase; pcre:"/master\[currentskin\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,secunia.com/advisories/36354; reference:url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt; reference:url,doc.emergingthreats.net/2010198; classtype:web-application-attack; sid:2010198; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET GAMES Moonlight Hack Domain in DNS Lookup"; dns.query; content:"moonlight.uno"; nocase; bsize:13; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034842; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Autos catid SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/searchresults.php?catid="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/6696; reference:url,secunia.com/advisories/32139/; reference:url,doc.emergingthreats.net/2008650; classtype:web-application-attack; sid:2008650; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Moonlight Hack Actvity (GET)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"moonlight.uno"; bsize:13; fast_pattern; reference:md5,ebfdbc2a60373344e6ab32c866027ea8; classtype:policy-violation; sid:2034843; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_23, deployment Perimeter, deployment SSLDecrypt, former_category GAMES, signature_severity Minor, updated_at 2021_12_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AvailScript Photo Album Script pics.php sid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pics.php?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31085; reference:url,milw0rm.com/exploits/6411; reference:url,doc.emergingthreats.net/2009718; classtype:web-application-attack; sid:2009718; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.host; content:"content.dropboxapi.com"; bsize:22; http.header_names; content:"Authorization: Bearer 88THpJioM6QAAAAAAAAAAQKMa4g-5-qcnYv1lIQi3ue3U41FJvH_p23jQR_5c146"; fast_pattern; classtype:command-and-control; sid:2035120; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/articles.php?"; nocase; content:"aIDS="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-4371; reference:url,secunia.com/advisories/31816/; reference:url,milw0rm.com/exploits/6409; reference:url,doc.emergingthreats.net/2009747; classtype:web-application-attack; sid:2009747; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats External IP Lookup Activity"; flow:established,to_server; http.method; content:"GET"; http.host; bsize:15; content:"api.ipstack.com"; http.uri; content:"?access_key=5b9ed178f9687b4a92d196168c0282ca="; fast_pattern; classtype:external-ip-check; sid:2035121; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/awstats/awstats.pl?config="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:url,www.securityfocus.com/bid/30730/info; reference:url,bugzilla.redhat.com/show_bug.cgi?id=474396; reference:url,sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764; reference:cve,2008-3714; reference:url,doc.emergingthreats.net/2010082; classtype:web-application-attack; sid:2010082; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup"; dns.query; dotprefix; content:".easyuploadservice.com"; nocase; endswith; classtype:domain-c2; sid:2035122; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob SELECT"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007452; classtype:web-application-attack; sid:2007452; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Malware Domain in DNS Lookup"; dns.query; dotprefix; content:".uggboots4sale.com"; nocase; endswith; classtype:domain-c2; sid:2035123; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2021_12_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UNION SELECT"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007453; classtype:web-application-attack; sid:2007453; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Observed Malicious SSL Cert (showmypc.com)"; flow:established,to_client; tls.cert_subject; content:"showmypc.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?showmypc\.com(?!\.)/"; classtype:pup-activity; sid:2034846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2021_12_29, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob INSERT"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007454; classtype:web-application-attack; sid:2007454; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected MuddyWater Related CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getTargetInfo?guid="; startswith; fast_pattern; content:"&status="; distance:0; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034845; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2021_12_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob DELETE"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007455; classtype:web-application-attack; sid:2007455; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EUPUDS.A Requests for Boleto replacement"; flow:established,to_server; urilen:10; http.request_line; content:"POST /index.php HTTP/1."; fast_pattern; http.header_names; content:"Content-Type|0d 0a|"; content:"Content-Length|0d 0a|"; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Cache-Control|0d 0a|"; content:!"Accept"; content:!"Connection|0d 0a|"; http.host; content:!"antia-client-log.puzzleplusgames.net"; bsize:36; reference:url,blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf; classtype:trojan-activity; sid:2018793; rev:7; metadata:created_at 2014_07_28, former_category MALWARE, updated_at 2021_12_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ASCII"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007456; classtype:web-application-attack; sid:2007456; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/X-Files Stealer Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.content_len; byte_test:0,>,90000,0,string,dec; http.request_body; content:"zipx="; startswith; fast_pattern; reference:md5,43379d3c3faf5d7e37df398de90ee58b; reference:url,twitter.com/h2jazi/status/1476292943027871755; reference:url,twitter.com/3xp0rtblog/status/1473323635469438978; classtype:trojan-activity; sid:2034848; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_30, deployment Perimeter, former_category MALWARE, malware_family X_Files, signature_severity Major, updated_at 2021_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE"; flow:established,to_server; http.uri; content:"/publications_list.asp?"; nocase; content:"vjob="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007457; classtype:web-application-attack; sid:2007457; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /googleapi HTTP/1.1"; fast_pattern; http.referer; content:"http|3a 2f 2f|code.google.com/"; bsize:23; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Referer|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; reference:md5,f7ac5192404c8dea43fdeedf01d1d66e; reference:url,twitter.com/malwrhunterteam/status/1476211484103524366; classtype:trojan-activity; sid:2034849; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2021_12_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID SELECT"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007458; classtype:web-application-attack; sid:2007458; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Joomla RCE (CVE-2011-5148)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; content:"filename="; distance:0; pcre:"/\.(?:(php\d{0,}|phps|pht|phtm|phtml|shtml|htaccess|phar|inc))/Ri"; content:"base64_decode"; fast_pattern; distance:0; http.content_type; content:"image/gif"; distance:0; reference:url,www.exploit-db.com/exploits/18287; reference:cve,2011-5148; classtype:attempted-admin; sid:2034850; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UNION SELECT"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007459; classtype:web-application-attack; sid:2007459; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mod_simplefileuploadv1.3"; fast_pattern; reference:url,www.cvedetails.com/cve/CVE-2011-5148/; classtype:attempted-admin; sid:2034851; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_12_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID INSERT"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007460; classtype:web-application-attack; sid:2007460; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (s .id)"; dns.query; dotprefix; content:".s.id"; nocase; endswith; classtype:bad-unknown; sid:2034852; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2021_12_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID DELETE"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007461; classtype:web-application-attack; sid:2007461; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (s .id in TLS SNI)"; flow:established,to_server; tls.sni; content:"s.id"; bsize:4; fast_pattern; classtype:misc-activity; sid:2034858; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_12_31, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_01_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ASCII"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007462; classtype:web-application-attack; sid:2007462; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"h378576.atwebpages.com"; nocase; bsize:22; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE"; flow:established,to_server; http.uri; content:"/publication_view.asp?"; nocase; content:"InfoID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6110; reference:url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded; reference:url,doc.emergingthreats.net/2007463; classtype:web-application-attack; sid:2007463; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"i758769.atwebpages.com"; nocase; bsize:22; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004331; classtype:web-application-attack; sid:2004331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Konni Group CnC Domain in DNS Lookup"; dns.query; content:"455686.c1.biz"; nocase; bsize:13; reference:url,cluster25.io/2022/01/03/konni-targets-the-russian-diplomatic-sector/; classtype:domain-c2; sid:2034855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004332; classtype:web-application-attack; sid:2004332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Security Scanner Domain (log4j. leakix .net)"; dns.query; content:"log4j.leakix.net"; nocase; endswith; reference:cve,2021-44228; reference:url,twitter.com/VessOnSecurity/status/1473414886533304322; classtype:domain-c2; sid:2034831; rev:2; metadata:attack_target Client_and_Server, created_at 2021_12_21, cve CVE_2021_44228, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2022_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004333; classtype:web-application-attack; sid:2004333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Observed JavaScript Event Listener with Clipboard Data"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<script>"; content:"addEventListener|28 27|copy|27|"; distance:0; content:"clipboardData|2e|setData|28 27|text|2f|plain|27|"; fast_pattern; distance:0; content:"sh"; distance:0; content:"|5c|n"; distance:0; content:"</script>"; distance:0; reference:url,www.bleepingcomputer.com/news/security/dont-copy-paste-commands-from-webpages-you-can-get-hacked; classtype:web-application-activity; sid:2034860; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_04, deployment Perimeter, former_category WEB_CLIENT, signature_severity Informational, updated_at 2022_01_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004334; classtype:web-application-attack; sid:2004334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RDP Authentication Bypass Attempt"; flow:established,to_server; content:"|03 00 00 2f 2a|"; startswith; content:"Cookie: mstshash="; dsize:<60;  reference:url,pastebin.com/PSbQXJYL; classtype:attempted-admin; sid:2034857; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, created_at 2022_01_04, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_01_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004335; classtype:web-application-attack; sid:2004335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:"?=1"; within:7; fast_pattern; pcre:"/^[678]\d{8}$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,c398b504f74500d6a1a47f72bb45bc83; classtype:command-and-control; sid:2034859; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"layout="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1445; reference:url,www.milw0rm.com/exploits/3466; reference:url,doc.emergingthreats.net/2004336; classtype:web-application-attack; sid:2004336; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; http.cookie; content:"HFS_SID_="; startswith; http.response_body; content:"Rar!|1a 07 01 00|"; startswith; content:"rundll3222.exe"; within:150; fast_pattern; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:trojan-activity; sid:2034856; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_05, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_01_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bahar Download Script aspkat.asp SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/aspkat.asp?kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:bugtraq,31852; reference:url,doc.emergingthreats.net/2008724; classtype:web-application-attack; sid:2008724; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/"; startswith; content:".zip?="; within:7; fast_pattern; pcre:"/^(?:0|1[678]\d{8})$/R"; http.host; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; startswith; content:"Accept-Encoding|0d 0a|User-Agent|0d 0a|Host|0d 0a|Connection|0d 0a|"; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; reference:md5,465dae978a41d566c7fabc9f5808487c; classtype:command-and-control; sid:2034871; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_01_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bandwebsite lyrics.php id parameter Sql Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/lyrics.php?"; nocase; content:"section=full"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7215; reference:bugtraq,32454; reference:url,doc.emergingthreats.net/2008896; classtype:web-application-attack; sid:2008896; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible ELEFANTE/ElephantBeetle WebShell Access Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".jsp"; content:"zc="; distance:0; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:web-application-attack; sid:2034861; rev:1; metadata:created_at 2022_01_10, former_category EXPLOIT, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_username)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_username="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_username=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010547; classtype:web-application-attack; sid:2010547; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Command Tunneling M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|GET"; content:"|22|xp_cmdshell"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034862; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_server)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_server="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_server=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010548; classtype:web-application-attack; sid:2010548; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Command Tunneling M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|474554"; content:"78705f636d647368656c6c"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034863; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_path)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_path="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_path=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010549; classtype:web-application-attack; sid:2010549; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Enumeration Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|GET"; content:"whoami"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:attempted-recon; sid:2034864; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_password)"; flow:established,to_server; http.uri; content:"/cgi-mod/index.cgi?"; nocase; content:"backup_password="; nocase; pcre:"/\/cgi-mod\/index\.cgi\?.*backup_password=[^&\;]*[>\"]/i"; reference:url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt; reference:url,doc.emergingthreats.net/2010550; classtype:web-application-attack; sid:2010550; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Enumeration Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"host="; content:"port="; content:"request=|22|474554"; content:"77686f616d69"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:attempted-recon; sid:2034865; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/main.inc.php?"; nocase; content:"mj_config[src_path]="; nocase; reference:url,secunia.com/advisories/31947/; reference:url,milw0rm.com/exploits/6533; reference:url,doc.emergingthreats.net/2009195; classtype:web-application-attack; sid:2009195; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible ELEFANTE/ElephantBeetle Lateral Movement Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?kmd=|22|"; fast_pattern; reference:url,blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation; classtype:command-and-control; sid:2034866; rev:1; metadata:created_at 2022_01_10, former_category ATTACK_RESPONSE, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007211; classtype:web-application-attack; sid:2007211; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Checkin"; flow:established,to_server; stream_size:server,<,5; content:"|37 39 78|"; startswith; content:"|98 98 98|"; distance:1; within:3; content:"|98 98|"; distance:2; within:2; content:"|98 98 98 20 fc|"; distance:1; within:5; fast_pattern; reference:md5,465dae978a41d566c7fabc9f5808487c; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034873; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Low, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007212; classtype:web-application-attack; sid:2007212; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Remote Template (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/latest/"; startswith; fast_pattern; pcre:"/^(?:update|designs)$/R"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,447e3c337f206ff59a727223bddd13ad; reference:md5,2bac793cfaf071a37366d3331cc99518; reference:url,twitter.com/ShadowChasing1/status/1480493639545470976; classtype:trojan-activity; sid:2034875; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id INSERT"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007213; classtype:web-application-attack; sid:2007213; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Maldoc Activity"; flow:established,to_server; http.uri; content:"/nt.php/?dt="; startswith; content:"-EX-1&ct="; distance:0; fast_pattern; reference:md5,be9bd8ed8a4c052be5cedb0266f50c0d; reference:url,twitter.com/ShadowChasing1/status/1439929215919411206; classtype:trojan-activity; sid:2033987; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_09_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id DELETE"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007214; classtype:web-application-attack; sid:2007214; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Related Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/userlog.php?id="; fast_pattern; content:"&&user="; distance:0; content:"&&OsI="; distance:0; http.header_names; content:!"User-Agent"; content:!"Referer"; reference:md5,cc7ddf9ed230ad4e060dfd0f32389efb; reference:url,twitter.com/ShadowChasing1/status/1478259210110775297; classtype:command-and-control; sid:2034876; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id ASCII"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007215; classtype:web-application-attack; sid:2007215; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Sidewinder CnC Domain in DNS Lookup (afcat .xyz)"; dns.query; content:"afcat.xyz"; nocase; bsize:9; reference:url,twitter.com/h2jazi/status/1479502335328112645; reference:md5,e7c7916f7bf0ddc511466ce106137e66; classtype:domain-c2; sid:2034877; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE"; flow:established,to_server; http.uri; content:"/edit.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6193; reference:url,www.milw0rm.com/exploits/2848; reference:url,doc.emergingthreats.net/2007216; classtype:web-application-attack; sid:2007216; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT/Donot Group CnC Domain in DNS Lookup (request .soundedge .live)"; dns.query; content:"request.soundedge.live"; nocase; bsize:22; reference:md5,209050f85af2786248bd4d7ec0f5a808; reference:url,twitter.com/h2jazi/status/1476946007741108249; reference:md5,7be9832a01b3004f02ff5bc0691d1700; classtype:domain-c2; sid:2034878; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/edlink.php?"; nocase; content:"linkid"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/8216; reference:bugtraq,34129; reference:url,doc.emergingthreats.net/2009365; classtype:web-application-attack; sid:2009365; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Donot Group Checkin Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /access/fps_ips_cp_ifpcspf_ifis_p HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,209050f85af2786248bd4d7ec0f5a808; reference:md5,7be9832a01b3004f02ff5bc0691d1700; reference:url,twitter.com/h2jazi/status/1476946007741108249; classtype:command-and-control; sid:2034879; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BibCiter projects.php idp Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reports/projects.php?"; nocase; content:"idp="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009740; classtype:web-application-attack; sid:2009740; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".inject1byte.com"; nocase; endswith; reference:url,twitter.com/malwrhunterteam/status/1479767752885874688; classtype:trojan-activity; sid:2034880; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BibCiter contacts.php idc Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reports/contacts.php?"; nocase; content:"idc="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009741; classtype:web-application-attack; sid:2009741; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Quasar CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".black-crystal.net"; nocase; endswith; reference:url,twitter.com/malwrhunterteam/status/1479767752885874688; classtype:trojan-activity; sid:2034881; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BibCiter users.php idu Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/reports/users.php?"; nocase; content:"idu="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33555; reference:bugtraq,33329; reference:url,milw0rm.com/exploits/7814; reference:url,doc.emergingthreats.net/2009742; classtype:web-application-attack; sid:2009742; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Possible cs2nginx Proxy Redirect"; flow:established,to_client; content:"302"; http_stat_code; content:"|0d 0a|Server|3a 20|Server|0d 0a|Referrer-Policy|3a 20|no-referrer|0d 0a|"; http_header; isdataat:!1,relative; fast_pattern; reference:url,github.com/threatexpress/cs2modrewrite/blob/d6516e153dfd2a19cc3fba6c26b948e2b0933708/cs2nginx.py; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/; classtype:bad-unknown; sid:2034874; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_10, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_center_down.php?"; nocase; content:"row_mysql_blocks_center_down[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009417; classtype:web-application-attack; sid:2009417; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Phishing Landing via Weebly.com (set) 2016-02-02"; flow:to_server,established; urilen:1; flowbits:set,ET.weebly.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:".weebly.com"; fast_pattern; content:!"www.weebly.com"; depth:14; content:!"runumoviw.weebly.com"; classtype:social-engineering; sid:2032365; rev:6; metadata:attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_center_top.php?"; nocase; content:"row_mysql_blocks_center_top[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009418; classtype:web-application-attack; sid:2009418; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|2e|zip|3b 20|filename="; distance:1; within:15; content:"|2e|zip"; distance:1; within:4; endswith; http.response_body; content:"PK|03 04|"; startswith; content:"|2e|exe"; within:150; reference:url,blog.minerva-labs.com/malicious-telegram-installer-drops-purple-fox-rootkit; classtype:command-and-control; sid:2034872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_07, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Significant, signature_severity Major, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_left.php?"; nocase; content:"row_mysql_blocks_left[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009420; classtype:web-application-attack; sid:2009420; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible NOBELIUM CnC Traffic (Observed UA)"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|20|6|2e|2|29 20|AppleWebKit|2f|537|2e|36|20 28|KHTML|2c 20|like|20|Gecko|29 20|Chrome|2f|90|2e|0|2e|4430|2e|85|20|Safari|2f|537|2e|36"; bsize:101; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:bad-unknown; sid:2034870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_07, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_01_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/block_right.php?"; nocase; content:"row_mysql_blocks_right[file]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009421; classtype:web-application-attack; sid:2009421; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Qianxin Netcom NGFW Command Injection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/directdata/direct/router"; http.request_body; content:"SSLVPN_Resource"; fast_pattern; content:"deleteImage"; content:"f8839p7rqtj"; reference:url,www.fatalerrors.org/a/national-hw-action-part-0-day-loopholes-reappear-in-2021.html; classtype:attempted-admin; sid:2034885; rev:1; metadata:created_at 2022_01_11, deployment Perimeter, former_category EXPLOIT, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/window_down.php?"; nocase; content:"row_mysql_bloginfo[theme]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009422; classtype:web-application-attack; sid:2009422; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0standavalue0 .xyz)"; dns.query; dotprefix; content:".0standavalue0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034886; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/window_top.php?"; nocase; content:"row_mysql_bloginfo[theme]="; nocase; reference:url,milw0rm.com/exploits/8290; reference:bugtraq,34261; reference:url,secunia.com/advisories/34480/; reference:url,doc.emergingthreats.net/2009423; classtype:web-application-attack; sid:2009423; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0storageatools0 .xyz)"; dns.query; dotprefix; content:".0storageatools0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034887; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/search.5.html?search="; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36700/info; reference:url,doc.emergingthreats.net/2010147; classtype:web-application-attack; sid:2010147; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA453 Related CnC Domain in DNS Lookup (0brandaeyes0 .xyz)"; dns.query; dotprefix; content:".0brandaeyes0.xyz"; nocase; endswith; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:domain-c2; sid:2034888; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php SELECT"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006333; classtype:web-application-attack; sid:2006333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034674; rev:2; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UNION SELECT"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006334; classtype:web-application-attack; sid:2006334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert udp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (udp) (Outbound) (CVE-2021-44228)"; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034805; rev:3; metadata:attack_target Server, created_at 2021_12_18, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php INSERT"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006335; classtype:web-application-attack; sid:2006335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034673; rev:3; metadata:attack_target Server, created_at 2021_12_12, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php DELETE"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006336; classtype:web-application-attack; sid:2006336; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed M2 (tcp) (Outbound) (CVE-2021-44228)"; flow:established,to_server; stream_size:client,<,10000; content:"|24 7b|"; content:"|24 7b 3a 3a|"; within:100; fast_pattern; reference:cve,2021-44228; classtype:attempted-admin; sid:2034786; rev:3; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php ASCII"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006337; classtype:web-application-attack; sid:2006337; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http.uri; content:"/Api/"; startswith; http.request_body; content:"Data="; startswith; http.header_names; content:!"Referer"; content:"|0d 0a|Content-type|0d 0a|Content-length|0d 0a|"; fast_pattern; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:trojan-activity; sid:2034889; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family APT35, malware_family CharmingKitten, malware_family Phosphorus, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE"; flow:established,to_server; http.uri; content:"/bt-trackback.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6540; reference:url,www.secunia.com/advisories/23316; reference:url,doc.emergingthreats.net/2006338; classtype:web-application-attack; sid:2006338; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA453 Related Activity (FTP)"; flow:established,to_server; content:"VICTIM-PC__"; fast_pattern; content:"/screen/"; content:".jpg"; reference:url,research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/; classtype:trojan-activity; sid:2034890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd SELECT"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004828; classtype:web-application-attack; sid:2004828; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jersydok .com)"; dns.query; dotprefix; content:".jersydok.com"; nocase; endswith; reference:url,medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489; classtype:domain-c2; sid:2034891; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004829; classtype:web-application-attack; sid:2004829; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zloader Related Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/processingSetRequest"; fast_pattern; content:"/?servername="; distance:3; http.user_agent; content:"powershell"; nocase; http.header_names; content:!"Referer"; reference:md5,06ca129910fd79de8bdc7a319949fb25; reference:url,medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489; classtype:trojan-activity; sid:2034892; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd INSERT"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004830; classtype:web-application-attack; sid:2004830; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2022-01-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"banks"; fast_pattern; http.request_body; content:"username="; content:"&pin="; distance:0; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034894; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd DELETE"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004831; classtype:web-application-attack; sid:2004831; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Emotet HTML Template Response"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html|3b|charset=UTF-8"; depth:24; file.data; content:"id|3d 22|uid|22 3e 3c 2f|h1|3e 3c|br|3e|"; content:"File|20 27|Preview Complaint Report in XLS|27 3c|br|3e|is|20|ready|20|for|20|open"; fast_pattern; content:"|22 3e|Preview XLS"; distance:0; content:"getElementById|28 27|uid|27 29 2e|innerHTML|20 3d 20 27|Name|3a 20 27|"; classtype:command-and-control; sid:2034882; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category MALWARE, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2022_01_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd ASCII"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004832; classtype:web-application-attack; sid:2004832; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Banking Phish 2022-01-11"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"banks"; fast_pattern; http.request_body; content:"username="; http.referer; content:"questions.html"; endswith; content:"&forgot_nextButton="; distance:0; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034895; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE"; flow:established,to_server; http.uri; content:"/admin/config.php?"; nocase; content:"sqlcmd="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7025; reference:url,www.secunia.com/advisories/19758; reference:url,doc.emergingthreats.net/2004833; classtype:web-application-attack; sid:2004833; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO External IP Lookup Domain DNS Lookup (ip .dnsexit .com)"; dns.query; content:"ip.dnsexit.com"; nocase; bsize:14; classtype:external-ip-check; sid:2034898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004024; classtype:web-application-attack; sid:2004024; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO External IP Lookup HTTP Request (ip .dnsexit .com)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"ip.dnsexit.com"; bsize:14; fast_pattern; classtype:misc-activity; sid:2034899; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004025; classtype:web-application-attack; sid:2004025; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Delf.TJJ Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getcfg?id="; fast_pattern; pcre:"/^\d$/R"; http.user_agent; content:"Mozilla|2f|3|2e|0|20 28|compatible|3b 20|Indy|20|Library|29|"; bsize:38; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,0751e43ec2a6ce78407b95b1d0326776; classtype:command-and-control; sid:2034900; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Minor, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004026; classtype:web-application-attack; sid:2004026; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TellYouThePass Ransomware Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery.js?v="; startswith; fast_pattern; pcre:"/^[0-9]{2,8}$/R"; http.host.raw; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a80$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,39a9b92a69a191db0a7e2bc1e78d55e4; reference:md5,c05f8b395c6356bf99aad9c84c13a867; reference:url,www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/; reference:md5,b99c4684f7eac1f2af37e6de609e936c; classtype:trojan-activity; sid:2034904; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004027; classtype:web-application-attack; sid:2004027; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET GAMES UnknownApps Game Cheat Service Checkin (auth .hwidspoof .me)"; dns.query; content:"auth.hwidspoof.me"; nocase; bsize:17; reference:md5,26c643629102e506561890596fb2dd5c; reference:md5,dc4b2c44289288d64fa757311515304f; classtype:misc-activity; sid:2034901; rev:1; metadata:created_at 2022_01_12, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"style="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004028; classtype:web-application-attack; sid:2004028; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET GAMES UnknownApps Game Cheat Service Checkin (auth .unknownp .one)"; dns.query; content:"auth.unknownp.one"; nocase; bsize:17; reference:md5,26c643629102e506561890596fb2dd5c; reference:md5,dc4b2c44289288d64fa757311515304f; classtype:misc-activity; sid:2034902; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category GAMES, performance_impact Low, signature_severity Informational, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004029; classtype:web-application-attack; sid:2004029; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Phish 2022-01-12"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"adobe.php"; fast_pattern; endswith; http.referer; content:"callbackwsid"; reference:md5,b6fd669c9bb5e4e2469b00705f2bd678; classtype:credential-theft; sid:2034905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004030; classtype:web-application-attack; sid:2004030; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Unauthenticated File Upload Path Traversal (CVE-2021-20040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; content:"|2e 2f|"; distance:0; within:3; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20040; classtype:attempted-admin; sid:2034896; rev:1; metadata:attack_target Server, created_at 2022_01_12, cve CVE_2021_20040, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004031; classtype:web-application-attack; sid:2004031; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Phish Landing Page 2022-01-12"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"to access this"; nocase; content:"adobe.php"; fast_pattern; distance:0; content:"id|3d 22|password|22|"; distance:0; content:"id|3d 22|fon|22|"; distance:0; content:"value|3d 22|View|20|PDF|20|Document|22|"; distance:0; reference:md5,b6fd669c9bb5e4e2469b00705f2bd678; classtype:credential-theft; sid:2034906; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004032; classtype:web-application-attack; sid:2004032; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; http.request_body; content:"bmName="; startswith; pcre:"/^[^&]{100,}/R"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20043; classtype:attempted-admin; sid:2034897; rev:1; metadata:created_at 2022_01_12, cve CVE_2021_20043, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004033; classtype:web-application-attack; sid:2004033; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownWare.V Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"av="; content:"&mac="; content:"&os="; distance:17; within:4; content:"&secret="; distance:0; fast_pattern; content:"&sid="; pcre:"/^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/R"; reference:md5,68b8cd6e7905578b21dd2ad02b33648c; classtype:pup-activity; sid:2034903; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; content:"langue="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004034; classtype:web-application-attack; sid:2004034; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Kuwo Music Installer Log"; flow:established,to_server; http.request_line; content:"POST|20|/music.yl|20|"; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.request_body; pcre:"/(SU5TVEFMTF9JTkZP|lOU1RBTExfSU5GT|JTlNUQUxMX0lORk)/"; reference:md5,9387e26f309874d834d4bb699808654d; classtype:pup-activity; sid:2034907; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, former_category ADWARE_PUP, updated_at 2022_01_13, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004985; classtype:web-application-attack; sid:2004985; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/RemoteUtilities Checkin via SMTP M2"; flow:established,to_server; content:"|0d 0a 0d 0a|UmVtb3RlIFV0aWxpdGllcy"; fast_pattern; pcre:"/(?:DQpTZXJ2ZXI6I|0KU2VydmVyOi|NClNlcnZlcjog)/R"; reference:md5,8574a1f23e4292f6d76857df1f70ff0e; classtype:pup-activity; sid:2034644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_09, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_01_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UNION SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004986; classtype:web-application-attack; sid:2004986; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup"; dns.query; content:"s22231232fdnsjds.top"; nocase; bsize:20; reference:url,cert-pl.translate.goog/posts/2021/12/aktywacja-aplikacji-iko/?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=op; classtype:domain-c2; sid:2034910; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by INSERT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004987; classtype:web-application-attack; sid:2004987; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/Hao123.C Variant CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|ufile01|22 3b 20|filename|3d 22|boundary|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a 2f 78 ec 05 67|"; fast_pattern; reference:md5,dd2a33d25cea02f25513940751a36649; classtype:pup-activity; sid:2034908; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by DELETE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004988; classtype:web-application-attack; sid:2004988; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (solo-hoy .com)"; dns.query; content:"solo-hoy.com"; nocase; bsize:12; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034917; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by ASCII"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004989; classtype:web-application-attack; sid:2004989; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (mobile-analytics .netweb-cloud-services .com)"; dns.query; content:"mobile-analytics.netweb-cloud-services.com"; nocase; bsize:42; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034918; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"by="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004990; classtype:web-application-attack; sid:2004990; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible Pegasus Related DNS Lookup (deportes24-7 .com)"; dns.query; content:"deportes24-7.com"; nocase; bsize:16; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034919; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004991; classtype:web-application-attack; sid:2004991; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain"; dns.query; content:"informados24h.com"; nocase; bsize:32; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034920; rev:2; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UNION SELECT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004992; classtype:web-application-attack; sid:2004992; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Pegasus Domain"; dns.query; content:"info-urbano.com"; nocase; bsize:15; reference:url,citizenlab.ca/2022/01/project-torogoz-extensive-hacking-media-civil-society-el-salvador-pegasus-spyware/; classtype:trojan-activity; sid:2034921; rev:1; metadata:attack_target Client_and_Server, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, malware_family Pegasus, signature_severity Major, tag Targeted, tag APT, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order INSERT"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004993; classtype:web-application-attack; sid:2004993; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE APT/Bitter Related CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|db f6 94 f6 9f f6 82 f6 f6 f6|"; fast_pattern; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 cc f6|"; distance:3; within:3; content:"|f6 f6 f6|"; distance:3; within:3; endswith; reference:url,twitter.com/ShadowChasing1/status/1480853604609126403; reference:md5,1cdc2c0f6834b37da085c0deb9d3461a; classtype:targeted-activity; sid:2034909; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order DELETE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004994; classtype:web-application-attack; sid:2004994; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Retrieving Additional Resources (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Profile.html"; bsize:13; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/; reference:md5,eb47824fe3b93f30e6805938814b9cca; classtype:trojan-activity; sid:2034911; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order ASCII"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004995; classtype:web-application-attack; sid:2004995; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Metawallet Phish Landing Page 2022-01-13"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.host; content:".xyz"; endswith; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034916; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE"; flow:established,to_server; http.uri; content:"/torrents.php?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6972; reference:url,www.securityfocus.com/bid/18549; reference:url,doc.emergingthreats.net/2004996; classtype:web-application-attack; sid:2004996; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dns.alidns.com"; bsize:14; fast_pattern; classtype:misc-activity; sid:2034912; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Built2go Real Estate Listings event_id SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/event_detail.php?event_id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.milw0rm.com/exploits/6697; reference:url,secunia.com/Advisories/32129/; reference:url,doc.emergingthreats.net/2008653; classtype:web-application-attack; sid:2008653; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Windows Defender POWERLIKS Detection Bypass"; flow:established,to_client; file.data; content:"|3c 21 5b|CDATA|5b 0a|var"; content:"|20 3d 20 22|6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E2"; fast_pattern; content:"str|20 2b 3d 20|String.fromCharCode|28|parseInt"; reference:url,exploit-db.com/exploits/50654; classtype:trojan-activity; sid:2034914; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006249; classtype:web-application-attack; sid:2006249; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FluBot Trojan Sending Information (POST)"; flow:established,to_server; http.request_line; content:"POST /p.php HTTP/1.1"; fast_pattern; http.user_agent; content:"Dalvik/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^[a-z]{15}\.(?:ru|su|cn)$/"; reference:md5,a65d00f3688dc02e2544e02eb57a06c1; reference:url,www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond; classtype:trojan-activity; sid:2034913; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_13, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UNION SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006250; classtype:web-application-attack; sid:2006250; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic DarkX Phish 2022-01-22"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"wells-darkx"; fast_pattern; reference:url,twitter.com/hyperdefined/status/1481635709261914113; classtype:credential-theft; sid:2034937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid INSERT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006251; classtype:web-application-attack; sid:2006251; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/SysJoker Retrieving CnC Information (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/uc?id="; startswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:"WinHttpClient"; bsize:13; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:!"Referer"; http.host; content:"drive.google.com"; fast_pattern; bsize:16; reference:md5,53f1bb23f670d331c9041748e7e8e396; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034922; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid DELETE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006252; classtype:web-application-attack; sid:2006252; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Dropper Related Domain in DNS Lookup (github .url-mini .com)"; dns.query; content:"github.url-mini.com"; nocase; bsize:19; reference:md5,d71e1a6ee83221f1ac7ed870bc272f01; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034923; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ASCII"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006253; classtype:web-application-attack; sid:2006253; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (bookitlab .tech)"; dns.query; content:"bookitlab.tech"; nocase; bsize:14; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034924; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"kid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006254; classtype:web-application-attack; sid:2006254; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (graphic-updater .com)"; dns.query; content:"graphic-updater.com"; nocase; bsize:19; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034925; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006255; classtype:web-application-attack; sid:2006255; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (office360-update .com)"; dns.query; content:"office360-update.com"; nocase; bsize:20; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034926; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UNION SELECT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006256; classtype:web-application-attack; sid:2006256; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SysJoker Related Domain in DNS Lookup (winaudio-tools .com)"; dns.query; content:"winaudio-tools.com"; nocase; bsize:18; reference:url,www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/; classtype:trojan-activity; sid:2034927; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id INSERT"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006257; classtype:web-application-attack; sid:2006257; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-01-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"http|2d|equiv|3d|refresh"; content:"email="; distance:0; content:"&.rand=13InboxLight.aspx?n="; fast_pattern; distance:0; content:"&fid="; distance:0; content:"n="; distance:0; content:"&fid="; distance:0; content:"&fav="; distance:0;  reference:md5,43ac0c5346bf8aefc0068c30a34b7d39; classtype:credential-theft; sid:2034928; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id DELETE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006258; classtype:web-application-attack; sid:2006258; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (dik .si in TLS SNI)"; flow:established,to_server; tls.sni; content:"dik.si"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2034932; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ASCII"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006259; classtype:web-application-attack; sid:2006259; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)"; dns.query; content:"wtools.io"; nocase; bsize:9; reference:md5,19c6520ed056e9dec48778a3e3d4203d; classtype:policy-violation; sid:2034938; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE"; flow:established,to_server; http.uri; content:"/HABERLER.ASP?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006260; classtype:web-application-attack; sid:2006260; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT Related Domain in DNS Lookup (gooeglle .mypressonline .com)"; dns.query; content:"gooeglle.mypressonline.com"; nocase; bsize:26; reference:md5,2de3ab14e582ed83da376345abfb81da; reference:url,twitter.com/ShadowChasing1/status/1482976392958865413; classtype:domain-c2; sid:2034933; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006261; classtype:web-application-attack; sid:2006261; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/restore"; http.request_body; content:"_token="; startswith; content:"&postback=1"; content:"&login=admin"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034929; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UNION SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006262; classtype:web-application-attack; sid:2006262; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/reset/1/"; http.request_body; content:"{"; startswith; content:"_token"; content:"postback"; content:"id"; content:"code"; content:"true"; content:"password"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034930; rev:1; metadata:attack_target Server, created_at 2022_01_18, cve CVE_2021_32648, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id INSERT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006263; classtype:web-application-attack; sid:2006263; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE OceanLotus APT Related Domain in DNS Lookup (confusion-cerulean-samba .glitch .me)"; dns.query; content:"confusion-cerulean-samba.glitch.me"; nocase; bsize:34; reference:md5,92f5f40db8df7cbb1c7c332087619afa; reference:url,twitter.com/ShadowChasing1/status/1483011032612499460; classtype:domain-c2; sid:2034934; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, malware_family APT32, malware_family OceanLotus, signature_severity Major, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id DELETE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006264; classtype:web-application-attack; sid:2006264; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Sending System Information (POST)"; flow:established,to_server; http.request_line; content:"POST /proxy HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"NewFolderName="; startswith; pcre:"/\*\*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\*\*/R"; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034935; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ASCII"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006265; classtype:web-application-attack; sid:2006265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Small.NQT!tr CnC Activity"; flow:established,to_server; content:"|49 4d 49 4e 20|"; startswith; fast_pattern; content:"|40|"; distance:0; content:"|0a|"; endswith; reference:md5,07d0d60fbcf30f7ab7861ad9981a2eed; classtype:command-and-control; sid:2034931; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006266; classtype:web-application-attack; sid:2006266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /publish HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"token="; startswith; content:"&Category="; distance:0; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034939; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006267; classtype:web-application-attack; sid:2006267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Powershell Octopus Backdoor Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /bills HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|App-Logic|0d 0a|Authorization|0d 0a|Session|0d 0a|"; reference:url,app.any.run/tasks/0c991e38-b571-435c-a34b-281b2c9df1ef/; classtype:trojan-activity; sid:2034940; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UNION SELECT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006268; classtype:web-application-attack; sid:2006268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (lm-career .com)"; dns.query; content:"lm-career.com"; nocase; bsize:13; reference:md5,3f326da2affb0f7f2a4c5c95ffc660cc; reference:url,twitter.com/h2jazi/status/1483521532433473536; classtype:domain-c2; sid:2034942; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid INSERT"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006269; classtype:web-application-attack; sid:2006269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (printerjobs .xyz)"; dns.query; dotprefix; content:".printerjobs.xyz"; nocase; endswith; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034943; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid DELETE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006270; classtype:web-application-attack; sid:2006270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (seasonsbackup .xyz)"; dns.query; dotprefix; content:".seasonsbackup.xyz"; nocase; endswith; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:url,github.com/eset/malware-ioc/tree/master/donot; classtype:domain-c2; sid:2034944; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ASCII"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006271; classtype:web-application-attack; sid:2006271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (dBrowser CallGetResponse)"; flow:to_server,established; threshold: type limit, count 2, track by_src, seconds 300; http.user_agent; content:"dBrowser"; startswith; content:"CallGetResponse:"; fast_pattern; distance:3; within:16; pcre:"/^dBrowser\x20\d\x20CallGetResponse\x3a\d$/V"; reference:md5,e09ad59bff10bd4b730ee643809ec9a7; classtype:trojan-activity; sid:2034948; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE"; flow:established,to_server; http.uri; content:"/ASPKAT.ASP?"; nocase; content:"kid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6672; reference:url,www.frsirt.com/english/advisories/2006/5085; reference:url,doc.emergingthreats.net/2006272; classtype:web-application-attack; sid:2006272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (submitonline .club)"; dns.query; dotprefix; content:".submitonline.club"; nocase; endswith; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006273; classtype:web-application-attack; sid:2006273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (oceansurvey .club)"; dns.query; content:"oceansurvey.club"; nocase; bsize:16; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006274; classtype:web-application-attack; sid:2006274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Injector.VVP Downloader Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; pcre:"/^\/wp\x2dcontent\/[a-z]{3}\/[0-9]{16}\.exe$/U"; http.user_agent; content:"Mozilla/5.0|20 28|Windows NT|3b 20|Windows NT 6.1|3b 20|en-US|29 20|WindowsPowerShell/5.1.14409.1005"; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:md5,009934cd29110745347705ec4f877b6d; classtype:trojan-activity; sid:2034949; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006275; classtype:web-application-attack; sid:2006275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (s3r .io)"; dns.query; content:"s3r.io"; nocase; bsize:6; classtype:bad-unknown; sid:2034950; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006276; classtype:web-application-attack; sid:2006276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Donot APT Related Domain in DNS Lookup (dataupdates .live)"; dns.query; content:"dataupdates.live"; nocase; bsize:16; reference:md5,43a909814aa5467cb45f8e59ed2fd3b0; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; classtype:domain-c2; sid:2034951; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006277; classtype:web-application-attack; sid:2006277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Suspected Reverse Shell Connection"; flow:established,to_server; content:"Microsoft|20|Windows|20|"; content:"|5b|Version|20|"; distance:0; content:"|5d|"; content:"|20|Microsoft|20|Corp"; fast_pattern; content:"|43 3a 5c|"; content:"|3e|"; content:!"Host"; reference:url,github.com/eset/malware-ioc/tree/master/donot; reference:url,www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/; reference:md5,039d8e77b65faae44d5e7e39d4cc9c59; classtype:trojan-activity; sid:2034945; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6671; reference:url,www.securityfocus.com/bid/21676; reference:url,doc.emergingthreats.net/2006278; classtype:web-application-attack; sid:2006278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /api/market HTTP/1.1"; fast_pattern; http.cookie; content:"nyt-a="; startswith; pcre:"/^[A-Za-z0-9-_]{176}$/R"; reference:md5,31b8467ad176116d238afa2fa6bf6497; reference:url,twitter.com/h2jazi/status/1483504922003968003; classtype:trojan-activity; sid:2034941; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/spaw_control.class.php?"; nocase; content:"spaw_root="; nocase; reference:url,xforce.iss.net/xforce/xfdb/43536; reference:bugtraq,30042; reference:url,milw0rm.com/exploits/5983; reference:url,doc.emergingthreats.net/2009429; classtype:web-application-attack; sid:2009429; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (kinopoisksu .com)"; dns.query; dotprefix; content:".kinopoisksu.com"; nocase; endswith; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034952; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family APT41, signature_severity Major, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Faethon info.php item Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/info.php?"; nocase; content:"item="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33775; reference:url,milw0rm.com/exploits/8054; reference:url,doc.emergingthreats.net/2009192; classtype:web-application-attack; sid:2009192; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE MoonBounce Backdoor Related Domain in DNS Lookup (glbaitech .com)"; dns.query; dotprefix; content:".glbaitech.com"; nocase; endswith; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034953; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, malware_family APT41, signature_severity Major, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id SELECT"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007893; classtype:web-application-attack; sid:2007893; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (m .necemarket .com)"; dns.query; content:"m.necemarket.com"; nocase; bsize:16; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034954; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007894; classtype:web-application-attack; sid:2007894; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Microcin Backdoor Related Domain in DNS Lookup (holdmem .dbhubspi .com)"; dns.query; content:"holdmem.dbhubspi.com"; nocase; bsize:20; reference:url,securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/; classtype:domain-c2; sid:2034955; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id INSERT"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007895; classtype:web-application-attack; sid:2007895; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Maldoc Related Domain in DNS Lookup (markettrendingcenter .com)"; dns.query; content:"markettrendingcenter.com"; nocase; bsize:24; reference:md5,a27a9324d282d920e495832933d486ee; reference:url,twitter.com/s1ckb017/status/1484451637653614592; classtype:domain-c2; sid:2034956; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_21, deployment Perimeter, former_category MALWARE, malware_family Maldoc, malware_family Lazarus, signature_severity Major, updated_at 2022_01_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id DELETE"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007896; classtype:web-application-attack; sid:2007896; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - File Upload Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; content:"/agentLogUploader?"; distance:0; content:"filename="; nocase; distance:0; pcre:"/^[a-zA-Z0-9]+\.(?:zip|7z|gz)/Ri"; content:"branchofficeid="; nocase; http.cookie; content:"STATE_COOKIE="; reference:url,attackerkb.com/topics/rJw4DFI2RQ/cve-2021-44515/rapid7-analysis; reference:cve,2021-44515; classtype:attempted-admin; sid:2034957; rev:2; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE"; flow:established,to_server; http.uri; content:"tree.php?"; nocase; content:"leaf_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2008-0785; reference:bugtraq,27749; reference:url,doc.emergingthreats.net/2007897; classtype:web-application-attack; sid:2007897; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManagedEngine Desktop Central Authentication Bypass - Administrator Password Reset Attempt (CVE-2021-44515)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/STATE_ID/"; startswith; http.uri; content:"/changeDefaultAmazonPassword?"; fast_pattern; content:"loginName="; distance:0; content:"newUserPassword="; http.cookie; content:"STATE_COOKIE="; reference:url,srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html; reference:cve,2021-44515; classtype:attempted-admin; sid:2034958; rev:1; metadata:attack_target Server, created_at 2022_01_24, cve CVE_2021_44515, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt"; flow:established,to_server; http.uri; content:"_invoice.asp"; nocase; content:"script>"; nocase; pcre:"/(alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.coresecurity.com/content/cactushop-xss-persistent-vulnerability; reference:cve,2010-1486; reference:url,doc.emergingthreats.net/2011054; classtype:web-application-attack; sid:2011054; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Witch.3FA0!tr CnC Activity M3"; flow:established,to_server; http.request_line; content:"POST /?opt=put&type="; startswith; fast_pattern; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.request_body; content:"|22|mac|22 3a 22|"; content:"|22|pcname|22 3a 22|"; distance:14; within:10; reference:md5,4e24d219ba1790b93347110fd1bfcb6b; classtype:trojan-activity; sid:2034959; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (dish.php)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dish.php"; nocase; content:"?id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008679; classtype:web-application-attack; sid:2008679; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/helpdesk/assetReport"; nocase; startswith; fast_pattern; http.request_body; content:"select"; nocase; content:"password"; nocase; http.content_type; content:"text/plain"; reference:url,blog.assetnote.io/2022/01/23/solarwinds-webhelpdesk-hsql-eval-harcoded-creds/; reference:cve,2021-35232; classtype:attempted-admin; sid:2034971; rev:1; metadata:created_at 2022_01_25, cve CVE_2021_35232, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (menu.php)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/menu.php"; nocase; content:"?id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,secunia.com/advisories/32308/; reference:url,milw0rm.com/exploits/6762; reference:url,doc.emergingthreats.net/2008680; classtype:web-application-attack; sid:2008680; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/irq"; startswith; fast_pattern; bsize:8; pcre:"/^\/\.x\/irq\d$/U"; http.user_agent; content:"Wget"; startswith; content:!"Referer"; classtype:trojan-activity; sid:2034685; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID SELECT"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006165; classtype:web-application-attack; sid:2006165; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unk.PSAttack Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/powershell_attack.txt"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,f9eb044f8b537aa5d9164b1784d618a2; classtype:trojan-activity; sid:2032793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006166; classtype:web-application-attack; sid:2006166; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Suspicious UA (Chrome)"; flow:established,to_server; content:"User-Agent|3a 20|Chrome|0d 0a|"; http_header; fast_pattern; classtype:bad-unknown; sid:2027916; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_08_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID INSERT"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006167; classtype:web-application-attack; sid:2006167; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Spark Backdoor Related Domain in DNS Lookup (bundanesia .com)"; dns.query; dotprefix; content:".bundanesia.com"; nocase; endswith; reference:url,www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east; classtype:domain-c2; sid:2034963; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID DELETE"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006168; classtype:web-application-attack; sid:2006168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/"; startswith; fast_pattern; bsize:7; content:"sh"; endswith; pcre:"/^\/\.x\/\dsh$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2034683; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ASCII"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006169; classtype:web-application-attack; sid:2006169; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ShareFile Storage Zones Controller RCE Attempt (CVE-2021-22941)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx"; content:"id"; content:"|40|"; distance:0; content:"|2e 2e 2f|"; distance:0; content:"|2e|cshtml"; distance:0; fast_pattern; content:"bp"; content:"accountid"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; reference:cve,2021-22941; classtype:attempted-admin; sid:2034972; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_22941, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/calendar_detail.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6792; reference:url,www.milw0rm.com/exploits/2993; reference:url,doc.emergingthreats.net/2006170; classtype:web-application-attack; sid:2006170; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Tsunami Remote Shell M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/.x/var/run/tty"; startswith; fast_pattern; pcre:"/^\/\.x\/var\/run\/tty\d$/U"; http.user_agent; content:"Wget"; startswith; http.header_names; content:!"Referer";  classtype:trojan-activity; sid:2034684; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006183; classtype:web-application-attack; sid:2006183; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (portal .gfinanzen .net)"; dns.query; content:"portal.gfinanzen.net"; nocase; bsize:20; reference:md5,b371e1c2ca2e5718e151760bc4664366; reference:url,twitter.com/czy_1116/status/1485813878550597632; classtype:domain-c2; sid:2034964; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006184; classtype:web-application-attack; sid:2006184; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE AndroidOS/Basbanke.A Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /rdc?method="; fast_pattern; startswith; http.user_agent; content:"okhttp/"; startswith; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,220ec1e3effb6f4a4a3acb6b3b3d2e90; reference:url,www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account; classtype:trojan-activity; sid:2034965; rev:1; metadata:attack_target Mobile_Client, created_at 2022_01_25, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID INSERT"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006185; classtype:web-application-attack; sid:2006185; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup (wordkeyvpload .net)"; dns.query; content:"wordkeyvpload.net"; nocase; bsize:17; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; reference:md5,8e2f8c95b1919651fcac7293cb704c1c; classtype:domain-c2; sid:2034966; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID DELETE"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006186; classtype:web-application-attack; sid:2006186; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup"; dns.query; content:"wordkeyvpload.org"; nocase; bsize:17; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; classtype:domain-c2; sid:2034967; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ASCII"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006187; classtype:web-application-attack; sid:2006187; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspected APT28 Related Domain in DNS Lookup (jimbeam .live)"; dns.query; content:"jimbeam.live"; nocase; bsize:12; reference:url,www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html; classtype:domain-c2; sid:2034968; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, malware_family APT28, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/admin/admin_mail_adressee.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6787; reference:url,www.milw0rm.com/exploits/2998; reference:url,doc.emergingthreats.net/2006188; classtype:web-application-attack; sid:2006188; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/portals/office/log.php?Data="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"Microsoft Internet Explorer"; bsize:27; reference:url,twitter.com/ShadowChasing1/status/1485514043679199233; reference:md5,9521e4138fd0e6996072778cd4f1f06a; reference:md5,2ee3ae478e7d1f2f473b191b1be5e14f; classtype:trojan-activity; sid:2034969; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy SELECT"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007464; classtype:web-application-attack; sid:2007464; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; distance:0; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UNION SELECT"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007465; classtype:web-application-attack; sid:2007465; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer Overflow (CVE-2021-20038)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f 04 3f 7f 3f 18 3f 7f 3f 18 3f 7f 3f 64 3f 06 08 3b|"; startswith; fast_pattern; content:"|3b 3f|"; distance:0; bsize:>200; http.header_names; content:!"Referer"; reference:url,psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026; reference:cve,2021-20038; classtype:attempted-admin; sid:2034970; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2022_01_25, cve CVE_2021_20038, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy INSERT"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007466; classtype:web-application-attack; sid:2007466; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible vRealize Operations Manager API SSRF Attempt (CVE-2021-21975)"; flow:established,to_server; http.request_line; content:"POST /casa/nodes/thumbprints HTTP/1.1"; fast_pattern; http.request_body; content:"|5b|"; http.content_type; content:"application/json|3b|charset=UTF-8"; bsize:30; reference:cve,2021-21975; classtype:attempted-admin; sid:2034974; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21975, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy DELETE"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007467; classtype:web-application-attack; sid:2007467; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DazzleSpy Related Domain in DNS Lookup"; dns.query; content:"fightforhk.com"; nocase; bsize:14; reference:url,www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/; classtype:trojan-activity; sid:2034975; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ASCII"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007468; classtype:web-application-attack; sid:2007468; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DazzleSpy Related Domain in DNS Lookup"; dns.query; content:"amnestyhk.org"; nocase; bsize:13; reference:url,www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/; classtype:trojan-activity; sid:2034976; rev:1; metadata:affected_product Mac_OSX, affected_product Safari, attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_01_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE"; flow:established,to_server; http.uri; content:"/openPolicy.asp?"; nocase; content:"policy="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007469; classtype:web-application-attack; sid:2007469; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 109"; flow:established,to_server; stream_size:server,<,5; dsize:<250; content:"|00 00 01 78 9c|"; offset:10; depth:5; fast_pattern; byte_jump:2,0,little,from_beginning, post_offset 3; isdataat:!2,relative; pcre:"/^(?<len>.{2})\xc0\xff(?P=len)\x00\x00.{2}\x00\x00\x01\x78\x9c/s"; reference:md5,edacdc76bb11e8db5c1a1b8917b5deb0; classtype:command-and-control; sid:2034977; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, malware_family Gh0st, performance_impact Moderate, signature_severity Major, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand SELECT"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007470; classtype:web-application-attack; sid:2007470; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%64%b8%06%08"; distance:0; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034984; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UNION SELECT"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007471; classtype:web-application-attack; sid:2007471; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M2"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%08%b7%06%08"; distance:0; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034985; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand INSERT"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007472; classtype:web-application-attack; sid:2007472; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style Service (paste .ee) in TLS SNI"; flow:established,to_server; tls.sni; content:"paste.ee"; bsize:8; fast_pattern; classtype:policy-violation; sid:2034978; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand DELETE"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007473; classtype:web-application-attack; sid:2007473; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY File Shared via Zoom"; flow:established,to_server; http.method; content:"GET"; http.host; content:"support.zoom.us"; bsize:15; fast_pattern; http.uri; content:"/attachments/token/"; startswith; content:"/?name="; distance:0; classtype:bad-unknown; sid:2034981; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category POLICY, signature_severity Informational, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CF_Calendar calid parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/calendarevent.cfm?"; nocase; content:"calid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33074/; reference:url,milw0rm.com/exploits/7413; reference:url,doc.emergingthreats.net/2008995; classtype:web-application-attack; sid:2008995; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Powershell Request for paste .ee Page"; flow:established,to_server; http.method; content:"GET"; http.host; content:"paste.ee"; fast_pattern; http.user_agent; content:") WindowsPowerShell/"; classtype:bad-unknown; sid:2034979; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand ASCII"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007474; classtype:web-application-attack; sid:2007474; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Authenticated Command Injection Attempt CVE-2021-20039"; flow:established,to_server; http.request_line; content:"POST /cgi-bin/viewcert HTTP/1.1"; fast_pattern; http.request_body; content:"delete"; nocase; content:"CERT"; nocase; distance:0; content:"n"; nocase; content:"perl"; nocase; distance:0; content:"base64"; nocase; within:30; reference:cve,2021-20039; classtype:attempted-admin; sid:2034986; rev:1; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20039, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE"; flow:established,to_server; http.uri; content:"/prodList.asp?"; nocase; content:"brand="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6109; reference:url,www.securityfocus.com/bid/21090/info; reference:url,doc.emergingthreats.net/2007475; classtype:web-application-attack; sid:2007475; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Powershell with Decimal Encoded RUNPE Downloaded"; flow:established,to_client; http.content_type; content:"text/plain"; startswith; http.response_body; content:"RUNPE"; nocase; content:"31,139,8,0,0,0,0,0,4,0,237,189,7,96"; within:50; fast_pattern; content:"82,101,109,111,116,101,83,105,103,110,101,100"; distance:0; reference:url,blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader; classtype:trojan-activity; sid:2034980; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_01_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Check New findoffice.php search parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/findoffice.php?"; nocase; content:"search="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7328; reference:bugtraq,32590; reference:url,doc.emergingthreats.net/2008933; classtype:web-application-attack; sid:2008933; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY Suspicious File Sharing Domain in DNS Lookup (drive .cloudplus .one)"; dns.query; content:"drive.cloudplus.one"; nocase; bsize:19; reference:md5,934c7b7c31d84728f0086be9b80ee1e4; reference:url,twitter.com/ShadowChasing1/status/1486542725692284930; reference:url,twitter.com/malwrhunterteam/status/1483853345924255745; classtype:bad-unknown; sid:2034987; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/webline/html/admin/wcs/LoginPage.jhtml"; nocase; content:"dest="; nocase; pcre:"/dest\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.exploit-db.com/exploits/11403/; reference:cve,2010-0641; reference:url,doc.emergingthreats.net/2011676; classtype:web-application-attack; sid:2011676; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/GrandaMisha Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload?tags="; startswith; fast_pattern; content:"&pass="; distance:0; content:"&cookie="; distance:0; content:"&cc="; distance:0; content:"&hwid="; distance:0; content:"&ip="; distance:0; http.user_agent; content:"ureq/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|document|22 3b 20|filename="; content:"Content-Type|3a 20|application/x-ms-dos-executable"; reference:md5,256ad62aa30b6dfb7755627698d31156; reference:url,twitter.com/benkow_/status/1486700404482134021; classtype:trojan-activity; sid:2034988; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/+webvpn+/index.html"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/34307/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17950; reference:cve,2009-1220; reference:url,doc.emergingthreats.net/2010505; classtype:attempted-user; sid:2010505; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25296)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"plugin_output_len="; pcre:"/^[0-9]{1,10}\x3b/R"; reference:cve,2021-25296; classtype:attempted-admin; sid:2034992; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ekgnkm/AccessCodeStart.asp"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/29191/info; reference:cve,2008-2165; reference:url,doc.emergingthreats.net/2010506; classtype:attempted-user; sid:2010506; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI OS Command Injection (CVE-2021-25297 & CVE-2021-25298)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nagiosxi/config/monitoringwizard.php?"; fast_pattern; content:"ip_address="; content:"|3b|"; within:30; reference:cve,2021-25296; reference:cve,2021-25297; classtype:attempted-admin; sid:2034993; rev:1; metadata:attack_target Server, created_at 2022_01_27, cve CVE_2021_25296_CVE_2021_25297, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date SELECT"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007223; classtype:web-application-attack; sid:2007223; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Phishing Landing via MoonFruit.com (set)"; flow:to_server,established; urilen:1; flowbits:set,ET.moonfruit.phish; flowbits:noalert; http.method; content:"GET"; http.host; content:"moonfruit.com"; endswith; fast_pattern; content:!"www.moonfruit.com"; classtype:social-engineering; sid:2032096; rev:5; metadata:attack_target Client_Endpoint, created_at 2016_01_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UNION SELECT"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007224; classtype:web-application-attack; sid:2007224; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (docusign .agency)"; dns.query; dotprefix; content:".docusign.agency"; nocase; endswith; reference:md5,993cecde0cd707f795e00181414d97bd; reference:url,twitter.com/ShadowChasing1/status/1486530954382348290; classtype:domain-c2; sid:2034991; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6521; reference:url,www.securityfocus.com/bid/21513; reference:url,doc.emergingthreats.net/2006347; classtype:web-application-attack; sid:2006347; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (yourblogcenter .com)"; dns.query; content:"yourblogcenter.com"; nocase; bsize:18; reference:md5,8df7777ac7315c5e256ce35ea36cc73f; reference:url,twitter.com/h2jazi/status/1486448926081302536; classtype:domain-c2; sid:2034989; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date INSERT"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007225; classtype:web-application-attack; sid:2007225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related Domain in DNS Lookup (allinfostudio .com)"; dns.query; content:"allinfostudio.com"; nocase; bsize:17; reference:md5,8df7777ac7315c5e256ce35ea36cc73f; reference:url,twitter.com/h2jazi/status/1486448926081302536; classtype:domain-c2; sid:2034990; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_27, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date DELETE"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007226; classtype:web-application-attack; sid:2007226; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/principles/"; fast_pattern; content:".mp3"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,4c61eeb1745d24e2c4ee67c6e56af8f3; reference:url,twitter.com/500mk500/status/1486791607311548423; classtype:trojan-activity; sid:2035006; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ASCII"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007227; classtype:web-application-attack; sid:2007227; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perfectly/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,74c22fd7a20072c8719cd7cfbc4abe84; reference:url,twitter.com/500mk500/status/1486791607311548423; classtype:trojan-activity; sid:2035007; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE"; flow:established,to_server; http.uri; content:"/displayCalendar.asp?"; nocase; content:"date="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6189; reference:url,www.securityfocus.com/bid/21310; reference:url,doc.emergingthreats.net/2007228; classtype:web-application-attack; sid:2007228; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 1"; dns_query; content:"bigdata.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:trojan-activity; sid:2034994; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007229; classtype:web-application-attack; sid:2007229; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 1"; flow:established,to_server; tls_sni; content:"bigdata.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034995; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UNION SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007230; classtype:web-application-attack; sid:2007230; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 2"; dns_query; content:"api.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034996; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage INSERT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007231; classtype:web-application-attack; sid:2007231; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"api.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034997; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage DELETE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007232; classtype:web-application-attack; sid:2007232; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY My2022/Beijing2022 App (DNS Lookup) 3"; dns_query; content:"my2022.beijing2022.cn"; isdataat:!1,relative; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034998; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ASCII"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007233; classtype:web-application-attack; sid:2007233; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY My2022/Beijing2022 App (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"my2022.beijing2022.cn"; isdataat:!1,relative; nocase; reference:url,citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/; classtype:policy-violation; sid:2034999; rev:2; metadata:created_at 2022_01_28, former_category POLICY, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007234; classtype:web-application-attack; sid:2007234; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache ShardingSphere RCE Attempt (CVE-2020-1947) (PoC Based)"; flow:established,to_server; http.request_line; content:"POST|20|/api/schema|20|HTTP/1.1"; http.request_body; content:"ruleConfiguration"; nocase; content:"encryptor"; nocase; content:"|22|dataSourceConfiguration|22 3a 20 22 21 21|com|2e|sun|2e|rowset|2e|JdbcRowSetImpl|5c|n"; nocase; fast_pattern; content:"dataSourceName:"; nocase; content:"Object"; nocase; distance:0; within:60; reference:cve,2020-1947; classtype:attempted-admin; sid:2035008; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_1947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007235; classtype:web-application-attack; sid:2007235; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Struts RCE Attempt (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"="; pcre:"/^(%25|%)(%7b|{)(%28|\()(%23|#)/R"; content:"instancemanager"; nocase; fast_pattern; pcre:"/^(%3d|=)(%23|#)application(%5b|\[)(%22|")org(%2e|\.)apache(%2e|\.)tomcat(%2e|\.)instancemanager(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)(ognlstack|stack)(%3d|=)(%23|#)attr(%5b|\[)(%22|")com(%2e|\.)opensymphony(%2e|\.)xwork2(%2e|\.)util(%2e|\.)valuestack(%2e|\.)valuestack(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)/Rsi"; content:"bean"; distance:0; within:200; content:"java"; distance:0; within:400; content:"execute"; distance:0; pcre:"/^(%2e|\.)exec/Ri"; reference:cve,2020-17530; classtype:attempted-admin; sid:2035009; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_17530, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UNION SELECT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007236; classtype:web-application-attack; sid:2007236; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Possible Cisco REST API Container for Cisco IOS XE Software Authentication Bypass Attempt (CVE-2019-12643)"; flow:established,to_server; flowbits:set,ET.Cisco_ABypass; http.request_line; content:"GET /api/v1/auth/token-services/debug HTTP/1.1"; nocase; fast_pattern; http.accept; content:"application/json"; bsize:16; reference:cve,2019-12643; classtype:attempted-admin; sid:2035010; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id INSERT"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007237; classtype:web-application-attack; sid:2007237; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] 55443 -> any any (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Successful Exploit (CVE-2019-12643)"; flow:established,from_server; flowbits:isset,ET.Cisco_ABypass; http.stat_code; content:"200"; file.data; content:"|5b 7b 22|last-access-time|22 3a|"; fast_pattern; content:"|22|token-id|22 3a 20 22|"; within:200; pcre:"/^[a-zA-Z0-9]{5,40}/R"; xbits:set,ET.Cisco_ABypass,track ip_pair,expire 60; reference:cve,2019-12643; classtype:successful-admin; sid:2035011; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id DELETE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007238; classtype:web-application-attack; sid:2007238; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] 55443 (msg:"ET EXPLOIT Cisco REST API Container for Cisco IOS XE Software Authentication Bypass - Token Usage (CVE-2019-12643)"; flow:established,to_server; xbits:isset,ET.Cisco_ABypass,track ip_pair,expire 60; http.method; content:"GET"; http.header_names; content:"X-auth-token"; nocase; reference:cve,2019-12643; classtype:successful-admin; sid:2035012; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2019_12643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ASCII"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007239; classtype:web-application-attack; sid:2007239; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> any any (msg:"ET EXPLOIT Oracle WebLogic IIOP JNDI Injection (CVE-2020-14841)"; flow:established,to_server; content:"corbaloc|3a|iiop|3a|"; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]{7,200}/R"; content:"idl|3a|weblogic/corba/cos/naming/namingcontextany"; nocase; reference:cve,2020-14841; classtype:attempted-admin; sid:2035013; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_14841, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE"; flow:established,to_server; http.uri; content:"/view_gallery.asp?"; nocase; content:"gallery_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007240; classtype:web-application-attack; sid:2007240; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp any any -> any any (msg:"ET EXPLOIT Sangoma Asterisk Originate AMI RCE (CVE-2019-18610) (PoC Based)"; content:"Action|3a 20|Originate"; nocase; distance:0; fast_pattern; content:"Data|3a|"; nocase; distance:0; content:"|20|/tmp/"; nocase; within:45; reference:cve,2019-18610; classtype:attempted-admin; sid:2035014; rev:2; metadata:created_at 2022_01_28, cve CVE_2019_18610, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id SELECT"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007241; classtype:web-application-attack; sid:2007241; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp-pkt any any -> $HOME_NET any (msg:"ET INFO Apache Spark RPC - CheckExistence Request (set)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_CE; flowbits:isnotset,ET.ApacheSpark_CE; flowbits:noalert; content:"endpoint-verifier"; fast_pattern; content:"CheckExistence"; distance:0; classtype:not-suspicious; sid:2035001; rev:2; metadata:attack_target Server, created_at 2022_01_28, deployment Internal, deployment Datacenter, former_category INFO, signature_severity Informational, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UNION SELECT"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007242; classtype:web-application-attack; sid:2007242; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp-pkt any any -> $HOME_NET any (msg:"ET INFO Apache Spark RPC - Auth Request (set)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_AuthAttempted; flowbits:noalert; content:"sparkSaslUser|00 00 00 00|"; endswith; classtype:not-suspicious; sid:2035002; rev:2; metadata:attack_target Server, created_at 2022_01_28, deployment Internal, deployment Datacenter, former_category INFO, signature_severity Informational, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id INSERT"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007243; classtype:web-application-attack; sid:2007243; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp-pkt any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Spark RPC - Unauthenticated RegisterApplication Request (CVE-2020-9480)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_UnauthRegisterApplication; flowbits:isnotset,ET.ApacheSpark_AuthAttempted; flowbits:isnotset,ET.ApacheSpark_CE; content:"org.apache.spark.deploy.DeployMessages$RegisterApplication"; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:attempted-admin; sid:2035003; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_01_28; target:dest_ip;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id DELETE"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007244; classtype:web-application-attack; sid:2007244; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp-pkt $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Apache Spark RPC - Unauthenticated RegisterApplication - Successfully Registered (CVE-2020-9480)"; flow:established,to_client; flowbits:isset,ET.ApacheSpark_UnauthRegisterApplication; content:"org.apache.spark.deploy.DeployMessages$RegisteredApplication"; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:successful-admin; sid:2035004; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ASCII"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007245; classtype:web-application-attack; sid:2007245; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp-pkt any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Spark RPC - Unauthenticated RegisterApplication Request - RCE Attempt (CVE-2020-9480)"; flow:established,to_server; flowbits:set,ET.ApacheSpark_UnauthRegisterApplication; flowbits:isnotset,ET.ApacheSpark_AuthAttempted; flowbits:isnotset,ET.ApacheSpark_CE; content:"org.apache.spark.deploy.DeployMessages$RegisterApplication"; content:"spark.driver.port="; distance:0; pcre:"/^\d+..(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))-XX:OnOutOfMemoryError=/R"; content:"-XX:OnOutOfMemoryError="; fast_pattern; reference:cve,2020-9480; reference:url,www.youtube.com/watch?v=EAzdGo-i8vE; reference:url,github.com/ayoul3/sparky/; classtype:attempted-admin; sid:2035005; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_9480, deployment Internal, deployment Datacenter, former_category EXPLOIT, signature_severity Major, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE"; flow:established,to_server; http.uri; content:"/download_image.asp?"; nocase; content:"image_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007246; classtype:web-application-attack; sid:2007246; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PowerShell Script Downloading Emotet DLL"; flow:from_server,established; http.stat_code; content:"200"; http.content_type; content:"image/png"; bsize:9; http.response_body; content:"|24|path"; startswith; content:".dll"; distance:0; within:200; pcre:"/\x24url[0-9]{1}\s=\s'(http|https):\/\/[^']*\x27\x3b/i"; content:"((Get-Item |24|path).Length -ge 30000)"; nocase; fast_pattern; reference:md5,c3cb504f97c7c7df9c25b0957dd60d9f; classtype:trojan-activity; sid:2035000; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_01_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007247; classtype:web-application-attack; sid:2007247; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-17418)"; flow:established,to_server; http.uri; content:"/admin/?"; content:"a=doSearchParameter"; fast_pattern; distance:0; content:"appno=0"; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,nvd.nist.gov/vuln/detail/CVE-2019-17418; reference:cve,2019-17418; classtype:attempted-admin; sid:2035018; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_17418, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007248; classtype:web-application-attack; sid:2007248; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-16997)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/?"; content:"a=doExportPack"; fast_pattern; distance:0; http.request_body; content:"appno="; startswith; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,y4er.com/post/metinfo7-sql-tips/#sql-injection-2; reference:cve,2019-16997; classtype:attempted-admin; sid:2035019; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_16997, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage INSERT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007249; classtype:web-application-attack; sid:2007249; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY 3proxy Domain Domain in DNS Lookup (3proxy .ru)"; dns.query; content:"3proxy.ru"; nocase; bsize:9; classtype:policy-violation; sid:2035020; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage DELETE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007250; classtype:web-application-attack; sid:2007250; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET POLICY 3proxy Domain Domain in DNS Lookup (3proxy .org)"; dns.query; content:"3proxy.org"; nocase; bsize:10; classtype:policy-violation; sid:2035021; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ASCII"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007251; classtype:web-application-attack; sid:2007251; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING LinkedIn Phish Landing Page 2022-01-31"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|title|3e|Messages|20 7c 20|Linkedln|20 7c 20|Welcome|20|back|2e 2e 2e 3c 2f|title|3e|"; fast_pattern; nocase; reference:md5,05376d1db31ee300b1d567a91bcc22d5; classtype:credential-theft; sid:2035022; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"currentpage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007252; classtype:web-application-attack; sid:2007252; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (yourls .org)"; dns.query; content:"yourls.org"; nocase; bsize:10; classtype:bad-unknown; sid:2035023; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_01_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007253; classtype:web-application-attack; sid:2007253; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS .LNK File Inside of Zip"; flow:established,from_server; file_data; content:"PK|03 04|"; startswith; content:".lnk"; nocase; fast_pattern; within:500; classtype:unknown; sid:2035026; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UNION SELECT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007254; classtype:web-application-attack; sid:2007254; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension ZIP File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".zip"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.zip$/"; classtype:unknown; sid:2035027; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby INSERT"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007255; classtype:web-application-attack; sid:2007255; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension VBS File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".vbs"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.vbs$/"; classtype:unknown; sid:2035028; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby DELETE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007256; classtype:web-application-attack; sid:2007256; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension PIF File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".pif"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.pif$/"; classtype:unknown; sid:2035029; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ASCII"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007257; classtype:web-application-attack; sid:2007257; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Double Extension EXE File Downloaded from Discord (Request)"; flow:established,to_server; http.method; content:"GET"; http.host; content:".discordapp.com"; endswith; fast_pattern; http.uri; content:"/attachments/"; startswith; content:".exe"; nocase; endswith; pcre:"/^\/attachments\/[0-9]{18}\/[0-9]{18}\/\w+\.(?:p(?:ptx?|df|ng)|(?:gi|rt)f|docx?|jpe?g|xlsx?)\.exe$/"; classtype:unknown; sid:2035030; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE"; flow:established,to_server; http.uri; content:"/gallery.asp?"; nocase; content:"orderby="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007258; classtype:web-application-attack; sid:2007258; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater Rat CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"example/1.0"; bsize:11; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"-----"; startswith; content:"name=|22|token|22|"; content:"name=|22|tid|22|"; distance:0; content:"name=|22|apiData|22|"; distance:0; reference:url,cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; classtype:trojan-activity; sid:2035031; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage SELECT"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007259; classtype:web-application-attack; sid:2007259; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (example/1.0)"; flow:to_server,established; http.user_agent; content:"example/1.0"; bsize:11; startswith; reference:url,cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; classtype:bad-unknown; sid:2035032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UNION SELECT"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007260; classtype:web-application-attack; sid:2007260; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING lordspartner Phish Kit"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lordspartner"; fast_pattern; reference:md5,712d4b9fe781b9ad6b24786b9d14389d; classtype:credential-theft; sid:2035033; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage INSERT"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007261; classtype:web-application-attack; sid:2007261; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DAWN Comment in Phish Landing Page 2022-02-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|2f 24 24 24 24 24 24 24 20 20 20 2f 24 24 24 24 24 24 20 5c 20 5f 24 24 20 20 20 20 5f 24 5f 20 20 20 5f 24 24 5f 5f 20 20 5f|"; content:"|7c 5f 5f 5f 5f 5f 5f 5f 2f 20 7c 5f 5f 2f 20 20 7c 5f 5f 2f 20 7c 5f 5f 2f 20 20 20 20 5c 5f 5f 7c 20 7c 5f 5f 2f 20 20 5c 5f 5f 2f|"; fast_pattern; distance:0; reference:md5,a6848434487ce42102712c14f9c05e36; classtype:credential-theft; sid:2035034; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_01, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage DELETE"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007262; classtype:web-application-attack; sid:2007262; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Create DAG (CVE-2020-11978)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/experimental/dags/sample_trigger_target_dag/dag_runs"; fast_pattern; reference:cve,2020-11978; classtype:attempted-admin; sid:2035035; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_11978, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ASCII"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007263; classtype:web-application-attack; sid:2007263; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Airflow DAG Example RCE Attempt - Unpause (CVE-2020-11978)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/experimental/dags/sample_trigger_target_dag/paused/false"; fast_pattern; reference:cve,2020-11978; classtype:attempted-admin; sid:2035036; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_11978, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE"; flow:established,to_server; http.uri; content:"/view_recent.asp?"; nocase; content:"currentpage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6187; reference:url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded; reference:url,doc.emergingthreats.net/2007264; classtype:web-application-attack; sid:2007264; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Possible Apache Airflow Experimental API Authentication Bypass Attempt (CVE-2020-13927)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/experimental/test"; fast_pattern; reference:cve,2020-13927; classtype:attempted-admin; sid:2035037; rev:1; metadata:attack_target Server, created_at 2022_02_01, cve CVE_2020_13927, deployment Perimeter, deployment Internal, former_category HUNTING, signature_severity Informational, updated_at 2022_02_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007265; classtype:web-application-attack; sid:2007265; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StrifeWater RAT CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|token|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|tid|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|apiData|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 3b 20|filename=|22|data|22 0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations; reference:md5,a70d6bbf2acb62e257c98cb0450f4fec; classtype:command-and-control; sid:2035040; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007267; classtype:web-application-attack; sid:2007267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Requesting Remote Template (.dot)"; flow:established,to_server; flowbits:set,ETPRO.Maldoc.dot; http.method; content:"GET"; http.uri; content:".dot"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|MSOffice|20|"; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2035038; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007268; classtype:web-application-attack; sid:2007268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Variant.Zusy.402698 Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?serial="; pcre:"/\.php\?serial=[a-z0-9]{16}/U"; http.user_agent; content:"Some USER-AGENT"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; reference:md5,8b9464c10764e08d5939d149dfa451b4; classtype:trojan-activity; sid:2035041; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007269; classtype:web-application-attack; sid:2007269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Related VBS Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/help_"; fast_pattern; pcre:"/^[0-3]{2}_[0-2]{2}\.php$/R"; http.header_names; content:!"Referer"; content:"|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; reference:md5,2e70b2b0cf4e2d3ac2ed6d1ea967f18e; reference:url,www.trendmicro.com/en_us/research/20/d/gamaredon-apt-group-use-covid-19-lure-in-campaigns.html; classtype:trojan-activity; sid:2035039; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, performance_impact Moderate, signature_severity Major, updated_at 2022_02_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"AlphaSort="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007270; classtype:web-application-attack; sid:2007270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Injector.DSQR CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; pcre:"/^dBrowser\x20\d\x20CallGetResponse\x3a\d$/"; http.header_names; content:!"Referer"; http.request_body; content:"data|3d 7b 22|msg|22 3a 22|DataRecivied|2d 3e 7b 5c 22|message|5c 22 3a 5c 22|JSON.parse|5c|"; fast_pattern; startswith; reference:url,otx.alienvault.com/indicator/file/ded76741a5f551fac777d384b089db408565f666ddf33669d6b8eefd8f3d34c3; classtype:command-and-control; sid:2034936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007271; classtype:web-application-attack; sid:2007271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT GitLab Unauthenticated Remote ExifTool Command Injection (CVE-2021-24563)"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Type: image/jpeg"; content:"AT&TFORM|00 00 03 AF|DJVMDIRM"; fast_pattern; distance:80; within:40; http.header_names; content:!"Referer"; reference:cve,CVE-2021-24563; reference:url,about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/; reference:cve,2021-24563; classtype:trojan-activity; sid:2034961; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2022_01_24, cve CVE_2021_24563, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007272; classtype:web-application-attack; sid:2007272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ClipBanker.OC CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/exp.php?usr="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0"; startswith; http.header_names; content:!"Referer"; reference:md5,40b3c1644d3bd1702fdde6eb08f961d2; classtype:trojan-activity; sid:2034982; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007273; classtype:web-application-attack; sid:2007273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ClipBanker.OC CnC Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\w$/Um"; http.user_agent; content:"MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400"; endswith; fast_pattern; http.content_len; content:"784"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; reference:md5,40b3c1644d3bd1702fdde6eb08f961d2; classtype:trojan-activity; sid:2034983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_26, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007274; classtype:web-application-attack; sid:2007274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SManager Backdoor Domain in DNS Lookup"; dns.query; content:"aiwqi.aurobindos.com"; nocase; bsize:20; reference:url,twitter.com/TI_ESC/status/1489182130982825987; classtype:domain-c2; sid:2035091; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SManager, malware_family PhantomNet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007275; classtype:web-application-attack; sid:2007275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SManager Backdoor Domain in DNS Lookup"; dns.query; content:"fuji1.aurobindos.com"; nocase; bsize:20; reference:url,twitter.com/TI_ESC/status/1489182130982825987; classtype:domain-c2; sid:2035092; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_02_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SManager, malware_family PhantomNet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"In="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007276; classtype:web-application-attack; sid:2007276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Doc Template Downloaded from DDNS Site"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".dot"; endswith; http.host; content:".ddns.net"; fast_pattern; http.header_names; content:!"Referer"; classtype:bad-unknown; sid:2035078; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007278; classtype:web-application-attack; sid:2007278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix SD-WAN Unauthenticated RCE (CVE-2020-8271)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|3a 2f 2f 3f 2f|collector|2f|"; fast_pattern; reference:cve,2020-8271; classtype:attempted-admin; sid:2035093; rev:1; metadata:attack_target Server, created_at 2022_02_03, cve CVE_2020_8271, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007279; classtype:web-application-attack; sid:2007279; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE KHRAT DNS Lookup (upload-dropbox .com)"; dns.query; dotprefix; content:".upload-dropbox.com"; nocase; endswith; reference:url,researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/; classtype:trojan-activity; sid:2024658; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_04, deployment Perimeter, former_category MALWARE, malware_family KHRAT, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007280; classtype:web-application-attack; sid:2007280; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacOS/UpdateAgent.A CnC Activity M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wrte?maid="; startswith; fast_pattern; pcre:"/^\/wrte\?maid=[A-Z0-9]{8}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{12}$/U"; http.user_agent; content:"curl"; startswith; http.header_names; content:!"Referer"; reference:md5,5dc4e1b8610aacc5941ccf68f823f366; reference:url,microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression; classtype:trojan-activity; sid:2035085; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007281; classtype:web-application-attack; sid:2007281; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MacOS/UpdateAgent.A CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/service?uuid="; depth:20; fast_pattern; pcre:"/^\/[a-z0-9]{1,3}\/service\?uuid=[A-Z0-9]{8}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{4}\-[A-Z0-9]{12}$/U"; http.user_agent; content:"curl"; startswith; http.header_names; content:!"Referer"; reference:md5,5dc4e1b8610aacc5941ccf68f823f366; reference:url,microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression; classtype:trojan-activity; sid:2035086; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"orderby="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007282; classtype:web-application-attack; sid:2007282; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-#alert http $EXTERNAL_NET [443,7080,8080,80] -> $HOME_NET any (msg:"ET MALWARE W32/Emotet.v4 Checkin Fake 404 Payload Response"; flow:established,from_server; content:"404"; http_stat_code; http_content_type; content:"text/html"; http_content_len; byte_test:0,<=,999999,0,string,dec; byte_test:0,>,99999,0,string,dec; file_data; content:!"<html"; nocase; depth:1024; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n][\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035065; rev:1; metadata:created_at 2022_02_03, former_category MALWARE, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClipShare Pro channel_detail.php chid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/channel_detail.php?"; nocase; content:"chid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32311; reference:url,milw0rm.com/exploits/7128; reference:url,doc.emergingthreats.net/2008866; classtype:web-application-attack; sid:2008866; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Office Macro Emotet Download URI Nov 24 2021"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"Mozilla|2f|5|2e|0|20 28|Windows|20|NT|3b 20|Windows|20|NT|20|6|2e|1|3b 20|en-US|29 20|WindowsPowerShell|2f|5.1.14409.1005"; fast_pattern; bsize:80; http.header; content:!"Referer"; http.connection; content:"Keep-Alive"; http.uri; pcre:"/^\/wp-includes\/[A-Za-z0-9]{10}\/$/U"; reference:md5,67ec9f81dd3970e3e5f66121a3502b5d; classtype:trojan-activity; sid:2035064; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID SELECT"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004875; classtype:web-application-attack; sid:2004875; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Gophish X-Server"; flow:established,to_client; http.stat_code; content:"200"; http.header_names; content:"|58 2d 53 65 72 76 65 72|"; http.header; content:"gophish"; fast_pattern; reference:md5,bf2162ca3c0cb9253af87d7a785a97a4; classtype:misc-activity; sid:2035087; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004876; classtype:web-application-attack; sid:2004876; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (deangelomcnay .news)"; dns.query; content:"deangelomcnay.news"; nocase; bsize:18; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035079; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID INSERT"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004877; classtype:web-application-attack; sid:2004877; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (earlahenry .com)"; dns.query; content:"earlahenry.com"; nocase; bsize:14; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035080; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID DELETE"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004878; classtype:web-application-attack; sid:2004878; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (nicholasuhl .website)"; dns.query; content:"nicholasuhl.website"; nocase; bsize:19; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035081; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ASCII"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004879; classtype:web-application-attack; sid:2004879; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (cooperron .me)"; dns.query; content:"cooperron.me"; nocase; bsize:12; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035082; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE"; flow:established,to_server; http.uri; content:"/inc_listnews.asp?"; nocase; content:"CAT_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1021; reference:url,www.milw0rm.com/exploits/3317; reference:url,doc.emergingthreats.net/2004880; classtype:web-application-attack; sid:2004880; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (dorothymambrose .live)"; dns.query; content:"dorothymambrose.live"; nocase; bsize:20; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035083; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct SELECT"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006504; classtype:web-application-attack; sid:2006504; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Viper APT Related Domain in DNS Lookup (juliansturgill .info)"; dns.query; content:"juliansturgill.info"; nocase; bsize:19; reference:url,blog.talosintelligence.com/2022/02/arid-viper-targets-palestine.html; classtype:domain-c2; sid:2035084; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family AridViper, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UNION SELECT"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006505; classtype:web-application-attack; sid:2006505; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Intuit Phish 2022-02-03"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"intuit"; content:".php"; distance:0; http.request_body; content:"pin"; fast_pattern; nocase; content:"&email="; distance:0; nocase; content:"&tel="; distance:0; nocase; content:"&SignUp="; distance:0; nocase; reference:md5,c8f50422c90b53d2d1aa253661e5b3df; classtype:credential-theft; sid:2035088; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct INSERT"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006506; classtype:web-application-attack; sid:2006506; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Parallax CnC Activity M17 (set)"; flow:established,to_server; content:"|46 6f fb 85|"; startswith; fast_pattern; content:"|86 b8 83|"; distance:1; within:3; flowbits:set,ET.Parallax-17; flowbits:noalert; reference:md5,65a0ec476aaefcf6aeb328ac1641ed29; classtype:command-and-control; sid:2035066; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct DELETE"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006507; classtype:web-application-attack; sid:2006507; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Parallax CnC Response Activity M17"; flow:established,to_client; content:"|46 6f fb 85 |"; startswith; fast_pattern; content:"|86 b8 83|"; distance:1; within:3; flowbits:isset,ET.Parallax-17; reference:md5,65a0ec476aaefcf6aeb328ac1641ed29; classtype:command-and-control; sid:2035067; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ASCII"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006508; classtype:web-application-attack; sid:2006508; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains pin= in cleartext"; flow:established,to_server; http.request_body; content:"pin="; nocase; classtype:policy-violation; sid:2035089; rev:2; metadata:created_at 2022_02_03, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE"; flow:established,to_server; http.uri; content:"/comersus_optReviewReadExec.asp?"; nocase; content:"idProduct="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3323; reference:url,www.securityfocus.com/bid/24562; reference:url,doc.emergingthreats.net/2006509; classtype:web-application-attack; sid:2006509; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> any any (msg:"ET POLICY Http Client Body contains otp= in cleartext"; flow:established,to_server; http.request_body; content:"otp="; nocase; classtype:policy-violation; sid:2035090; rev:2; metadata:created_at 2022_02_03, former_category POLICY, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004636; classtype:web-application-attack; sid:2004636; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Subterranean Security Domain in DNS Lookup"; dns.query; content:"subterranean-security.pw"; nocase; bsize:24; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; reference:md5,10729e87fa72432fbc009a15314d670b; classtype:trojan-activity; sid:2035068; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004637; classtype:web-application-attack; sid:2004637; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - AssignID Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_assignID"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035070; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004638; classtype:web-application-attack; sid:2004638; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - FileManager List Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"FILEMANAGER_list"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035071; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004639; classtype:web-application-attack; sid:2004639; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - FileManager pwd Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"FILEMANAGER_pwd"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035072; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"epi="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3088; reference:url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded; reference:url,doc.emergingthreats.net/2004640; classtype:web-application-attack; sid:2004640; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - GetClientLog Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_getClientLog"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035073; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CommonSpot Server longproc.cfm Cross Site Scripting Attempt"; flow:to_server,established; http.uri; content:"/commonspot/utilities/longproc.cfm?"; nocase; content:"onlyurlvars="; nocase; content:"url="; nocase; pcre:"/(onmouse|onkey|onload=|onblur=|ondragdrop=|onclick=|alert|<script|<img|<src)/i"; reference:bugtraq,37986; reference:url,doc.emergingthreats.net/2010988; classtype:web-application-attack; sid:2010988; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Subterranean Crimson Rat - Client Traffic"; flow:established,to_server; content:"crimson.universal.containers.Message"; nocase; fast_pattern; content:"java.lang.Object|3b|"; within:50; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035074; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Community CMS view.php article_id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view.php?"; nocase; content:"article_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34303; reference:url,milw0rm.com/exploits/8323; reference:url,doc.emergingthreats.net/2009787; classtype:web-application-attack; sid:2009787; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Subterranean Crimson Rat - GetInfo Command"; flow:established,to_client; content:"crimson.universal.containers.Message"; content:"CLIENT_getInfo"; nocase; fast_pattern; content:"|00|"; within:4; pcre:"/^.\d{1,2}\.\d+\.\d+/R"; reference:url,twitter.com/James_inthe_box/status/1488987814066753538; classtype:trojan-activity; sid:2035069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_03, deployment Perimeter, former_category MALWARE, malware_family Subterranean_Crimson, signature_severity Major, tag RAT, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/siteminderagent/forms/smpwservices.fcc"; nocase; pcre:"/(script|img|src|alert|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:cve,2007-5923; reference:url,www.securityfocus.com/bid/26375/info; reference:url,doc.emergingthreats.net/2010200; classtype:web-application-attack; sid:2010200; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET MALWARE W32.Geodo/Emotet Checkin Fake 404 Response"; flow:established,from_server; flowbits:isset,ETPRO.Emotet; http.stat_code; content:"404"; file.data; content:!"<html"; pcre:"/^[\x20-\x7e\r\n]{0,13}[^\x20-\x7e\r\n]/si"; reference:md5,dacdcd451204265ad6f44ef99db1f371; classtype:command-and-control; sid:2035062; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, malware_family Geodo, malware_family Emotet, performance_impact Low, signature_severity Major, updated_at 2022_02_03;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Comtrend ADSL Router srvName parameter XSS attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/scvrtsrv.cmd?"; nocase; content:"srvName="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstorm.foofus.com/1001-exploits/comtrend-xss.txt; reference:url,xforce.iss.net/xforce/xfdb/47765; reference:url,doc.emergingthreats.net/2011019; classtype:web-application-attack; sid:2011019; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyNuke VNC Checkin M2"; flow:established,to_server; dsize:10; content:"AVE_MARIA|00|"; fast_pattern; reference:url,asec.ahnlab.com/en/27346/; classtype:trojan-activity; sid:2035094; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004705; classtype:web-application-attack; sid:2004705; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TinyNuke VNC Checkin M3"; flow:established,to_server; dsize:13; content:"LIGHT'S BOMB|00|"; fast_pattern; reference:url,asec.ahnlab.com/en/27346/; classtype:trojan-activity; sid:2035095; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004706; classtype:web-application-attack; sid:2004706; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory="; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035106; rev:2; metadata:created_at 2022_02_04, cve CVE_2020_27130, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004707; classtype:web-application-attack; sid:2004707; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - athena (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/athena/"; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035105; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004708; classtype:web-application-attack; sid:2004708; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator SQL Injection (CVE-2020-3984)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/portal/"; http.request_body; content:"softwareUpdate/getSoftwareUpdates"; fast_pattern; content:"|22|modulus|22 3a|"; content:"UNION SELECT"; nocase; distance:0; reference:cve,2020-3984; classtype:attempted-admin; sid:2035104; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_3984, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004709; classtype:web-application-attack; sid:2004709; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Path Traversal (CVE-2020-4000)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"portal/rest/meta/"; fast_pattern; content:"?"; content:"|2e 2e 2f|"; reference:cve,2020-4000; classtype:attempted-admin; sid:2035103; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_4000, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE"; flow:established,to_server; http.uri; content:"/admin.php?"; nocase; content:"uploadimage="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1255; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004710; classtype:web-application-attack; sid:2004710; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware SD-WAN Orchestrator Authentication Bypass (CVE-2020-4001)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|login|2f|doResetPassword|2e|html"; http.request_body; content:"super|40|velocloud|2e|net"; fast_pattern; content:"|7b|CLEAR|7b|"; nocase; content:"logicalId"; nocase; reference:cve,2020-4001; classtype:attempted-admin; sid:2035102; rev:2; metadata:attack_target Server, created_at 2022_02_04, cve CVE_2020_4001, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004711; classtype:web-application-attack; sid:2004711; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/GameHack.ADW CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?e="; offset:45; depth:12; content:"&k="; distance:0; http.user_agent; content:"Some USER-AGENT"; bsize:15; fast_pattern; http.header_names; content:!"Referer"; reference:md5,89b7dd04a1f32b23a75c30a00523f7e8; classtype:pup-activity; sid:2035097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004712; classtype:web-application-attack; sid:2004712; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Win32/Hancitor Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/forum.php"; endswith; fast_pattern; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"DATA="; startswith; reference:md5,d90f5bb9e103ea6935e453a8bafe4a66; reference:url,twitter.com/james_inthe_box/status/1488521848467959810; classtype:trojan-activity; sid:2035096; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004715; classtype:web-application-attack; sid:2004715; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Agent.FSTT CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?company_id="; depth:25; fast_pattern; content:"&lua="; distance:0; http.user_agent; content:"Installed"; startswith; http.header_names; content:!"Referer"; reference:md5,f1c404760bfac3c952d0f10dfa21e659; classtype:trojan-activity; sid:2035098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"p_skin="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1254; reference:url,www.milw0rm.com/exploits/3352; reference:url,doc.emergingthreats.net/2004716; classtype:web-application-attack; sid:2004716; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pteranodon CnC Exfil (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/deep-"; depth:20; fast_pattern; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; http.request_body; content:"username="; startswith; content:"&cart="; distance:0; content:"&deep-"; distance:0; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021; reference:md5,b5120dcc0f2682cb6fb2a4f68dcbbb0b; classtype:trojan-activity; sid:2035099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/verify/asp/n6plugindestructor.asp?"; nocase; content:"backurl="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39999; reference:url,juniper.net/security/auto/vulnerabilities/vuln39999.html; reference:url,doc.emergingthreats.net/2011152; classtype:web-application-attack; sid:2011152; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix App Delivery Controller and Citrix Gateway M1 (CVE-2019-19781)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/newbm.pl"; nocase; fast_pattern; endswith; http.header_names; content:"|0d 0a|NSC_USER|0d 0a|"; nocase; content:"|0d 0a|NSC_NONCE|0d 0a|"; nocase; http.request_body; content:"template.new"; nocase; content:"url="; nocase; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2034279; rev:2; metadata:attack_target Server, created_at 2021_10_28, cve CVE_2019_19781, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007336; classtype:web-application-attack; sid:2007336; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Landing Page 2022-02-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"action|3d 22 26|lt|3b|grabberurl|26|gt|3b 22|"; fast_pattern; content:"type|3d 22|password|22|"; distance:0; content:"|2f 2f 27 2f|signin|2f|apple|27 3b|"; distance:0; reference:md5,b9463c897aa313f4beba94da35e0c83a; classtype:credential-theft; sid:2035100; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007337; classtype:web-application-attack; sid:2007337; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phish 2022-02-04"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/<grabberurl>"; fast_pattern; http.request_body; content:"&pass="; reference:md5,b9463c897aa313f4beba94da35e0c83a; classtype:credential-theft; sid:2035101; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007338; classtype:web-application-attack; sid:2007338; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?type=ping&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/R"; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.content_len; byte_test:0,=,0,0,string,dec; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"Referer"; reference:md5,a56fea310f3cf5e724ee4a9990047b78; reference:url,twitter.com/3xp0rtblog/status/1489245446883069954; classtype:command-and-control; sid:2035107; rev:1; metadata:created_at 2022_02_05, former_category MALWARE, updated_at 2022_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007339; classtype:web-application-attack; sid:2007339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Colibri Loader Activity M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?type=update&uid="; fast_pattern; pcre:"/^[0-9A-F]{16,32}$/R"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.user_agent; content:!"Mozilla"; content:!"Safari"; content:!"Opera"; pcre:"/^[A-Za-z0-9]{16,32}$/"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; startswith; content:!"Referer"; reference:md5,a56fea310f3cf5e724ee4a9990047b78; reference:url,twitter.com/3xp0rtblog/status/1489245446883069954; classtype:command-and-control; sid:2035108; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_05, deployment Perimeter, former_category MALWARE, malware_family Colibri, signature_severity Major, updated_at 2022_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007340; classtype:web-application-attack; sid:2007340; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029206; rev:5; metadata:attack_target Server, created_at 2019_12_30, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6157; reference:url,www.milw0rm.com/exploits/2822; reference:url,doc.emergingthreats.net/2007341; classtype:web-application-attack; sid:2007341; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M4"; flow:established,to_server; http.uri; content:"/vpns/"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2035109; rev:2; metadata:attack_target Server, created_at 2022_02_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id SELECT"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006303; classtype:web-application-attack; sid:2006303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt (CVE-2019-19781)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vpns/cfg/smb.con"; nocase; fast_pattern; http.uri.raw; pcre:"/(?:(?:%2F|\/)(?:\.|%2E){2}(?:%2F|\/))/i"; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035110; rev:2; metadata:created_at 2022_02_05, cve CVE_2019_19781, updated_at 2022_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006304; classtype:web-application-attack; sid:2006304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HTTP_SERVERS any -> any any (msg:"ET EXPLOIT Citrix Application Delivery Controller Arbitrary Code Execution Attempt Scanner Attempt - Server Response (CVE-2019-19781)"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Via|3a 20|NS-CACHE-"; http.response_body; content:"|5b|global|5d|"; startswith; content:"encrypt passwords"; distance:0; fast_pattern; reference:url,github.com/trustedsec/cve-2019-19781; reference:cve,2019-19781; classtype:attempted-admin; sid:2035111; rev:2; metadata:attack_target Server, created_at 2022_02_05, cve CVE_2019_19781, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id INSERT"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006305; classtype:web-application-attack; sid:2006305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (geoiplookup .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"geoiplookup.io"; bsize:14; fast_pattern; classtype:misc-activity; sid:2035114; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id DELETE"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006306; classtype:web-application-attack; sid:2006306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Lazarus APT Related Domain (designautocad .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"designautocad.org"; bsize:17; fast_pattern; reference:url,twitter.com/s1ckb017/status/1489591023030448129; reference:md5,16b9ced590e449446f12c733f3e0b808; classtype:domain-c2; sid:2035115; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, signature_severity Major, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ASCII"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006307; classtype:web-application-attack; sid:2006307; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Lazarus APT Related CnC Domain in DNS Lookup (designautocad .org)"; dns.query; content:"designautocad.org"; nocase; bsize:17; reference:md5,16b9ced590e449446f12c733f3e0b808; reference:url,twitter.com/s1ckb017/status/1489591023030448129; classtype:domain-c2; sid:2035116; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haber.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6642; reference:url,www.securityfocus.com/bid/21626; reference:url,doc.emergingthreats.net/2006308; classtype:web-application-attack; sid:2006308; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Standard Bank Login Phish 2022-02-04"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<title>Sign in</title>"; content:"id|3d 22|sign|20|in|22 20|name|3d 22|Sign|20|in|20|with|20|your|20|Standard|20|Bank|20|ID|22|"; distance:0; content:"|3c|div|20|class|3d 22|ping|2d|header|22 3e|Sign|20|in|20|with|20|your|20|Standard|20|Bank|20|ID|3c 2f|div|3e|"; distance:0; content:"Don|27|t|20|have|20|a|20|Standard|20|Bank|20|ID|3f 20 3c|a|20|onclick|3d 22|login|2e|postRegistration|28 29 22 3e|Register|20|here|3c 2f|a|3e 3c 2f|div|3e|"; fast_pattern; distance:0; reference:md5,444401e72463904c6ccd11654e7cc789; classtype:credential-theft; sid:2035124; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004809; classtype:web-application-attack; sid:2004809; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pteranodon CnC Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"Referer"; http.request_body; content:"username="; startswith; content:"_"; within:255; content:"&cart=FV&"; fast_pattern; distance:0; content:"-"; within:12; content:"="; within:12; pcre:"/^\d+$/R"; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021; reference:md5,b5120dcc0f2682cb6fb2a4f68dcbbb0b; classtype:trojan-activity; sid:2035119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UNION SELECT"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004810; classtype:web-application-attack; sid:2004810; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed CloudFlare Interstitial Phishing Page"; flow:established,from_server; http.header; content:"|0d 0a|cf-request-id|3a 20|"; file_data; content:"<title>Suspected phishing site|20 7c 20|Cloudflare</title>"; fast_pattern; reference:url,blog.cloudflare.com/protecting-cloudflare-sites-from-phishing; classtype:bad-unknown; sid:2032321; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2021_03_25, deployment Perimeter, former_category PHISHING, signature_severity Minor, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav INSERT"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004811; classtype:web-application-attack; sid:2004811; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA402/Molerats CnC Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; endswith; pcre:"/^\/[A-Za-z0-9]{30}\.php$/U"; http.header_names; content:!"Referer"; http.request_body; content:"aW50ZXJuYWwgY2xhc3M"; startswith; fast_pattern; content:"IHs"; distance:0; within:20; content:"cHVibGljIHN0cmluZw"; within:20; classtype:trojan-activity; sid:2035112; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav DELETE"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004812; classtype:web-application-attack; sid:2004812; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE TA402/Molerats Payload Downloaded"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"import base64|0a|from datetime import date"; startswith; fast_pattern; content:"timestamp = date.today|28 29 2e|strftime|28 22 25|m|25|d|25|Y|22 29|"; distance:0; content:"base64.b64encode(bytes(timestamp"; distance:0; content:"print|28 22|http"; content:"|2f 25 73 25 73 22 20 25 20 28 22 52 22 2c 20 75 72 69 29 29|"; distance:0; classtype:trojan-activity; sid:2035113; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_27, deployment Perimeter, former_category MALWARE, malware_family Molerats, signature_severity Major, updated_at 2022_02_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ASCII"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004813; classtype:web-application-attack; sid:2004813; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (sdilok .com)"; dns.query; content:"sdilok.com"; nocase; bsize:10; reference:url,news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/; classtype:domain-c2; sid:2035127; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE"; flow:established,to_server; http.uri; content:"/thumbnails.php?"; nocase; content:"cpg131_fav="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1107; reference:url,www.milw0rm.com/exploits/3371; reference:url,doc.emergingthreats.net/2004815; classtype:web-application-attack; sid:2004815; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Viptela vManage Directory Traversal (CVE-2020-27128)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dataservice/statistics/download/dr/filelist"; fast_pattern; http.request_body; content:"|2f 2e 2e 2f|"; reference:cve,2020-27128; classtype:web-application-attack; sid:2035136; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_27128, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat SELECT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005841; classtype:web-application-attack; sid:2005841; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco SD-WAN vManage Software Directory Traversal (CVE-2020-26073)"; flow:established,to_server; http.request_line; content:"GET /dataservice/disasterrecovery/download/token/"; startswith; fast_pattern; pcre:"/^(%2E%2E%2F|\.\.\/)/Ri"; reference:cve,2020-26073; classtype:web-application-attack; sid:2035137; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_26073, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005842; classtype:web-application-attack; sid:2005842; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Server OWA GetWacUrl Information Disclosure Attempt (CVE-2020-17143)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/owa/service.svc"; fast_pattern; http.header; content:"Action|3a 20|GetWacIframeUrlForOneDrive"; nocase; content:"|22|EndPointUrl|22 3a 22|"; nocase; reference:cve,2020-17143; classtype:web-application-attack; sid:2035138; rev:2; metadata:attack_target Server, created_at 2022_02_08, cve CVE_2020_17143, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005843; classtype:web-application-attack; sid:2005843; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (world .healthamericacu .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"world.healthamericacu.com"; bsize:25; fast_pattern; reference:md5,314a879c4cae8ae7c08d5fc207a5a22d; classtype:domain-c2; sid:2035128; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat DELETE"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005844; classtype:web-application-attack; sid:2005844; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (world .healthamericacu .com)"; dns.query; content:"world.healthamericacu.com"; nocase; bsize:25; reference:md5,314a879c4cae8ae7c08d5fc207a5a22d; classtype:domain-c2; sid:2035129; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ASCII"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005845; classtype:web-application-attack; sid:2005845; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup)"; dns.query; content:"transfer.sh"; nocase; bsize:11; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035139; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE"; flow:established,to_server; http.uri; content:"/albmgr.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005846; classtype:web-application-attack; sid:2005846; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)"; dns.query; content:"sendspace.com"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035140; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005847; classtype:web-application-attack; sid:2005847; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in DNS Lookup)"; dns.query; content:"anonfiles.com,"; nocase; bsize:14; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035141; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UNION SELECT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005848; classtype:web-application-attack; sid:2005848; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in DNS Lookup)"; dns.query; content:"send.exploit.in"; nocase; bsize:15; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035142; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid INSERT"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005849; classtype:web-application-attack; sid:2005849; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in DNS Lookup)"; dns.query; content:"fex.net"; nocase; bsize:7; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035143; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ASCII"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005851; classtype:web-application-attack; sid:2005851; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in DNS Lookup)"; dns.query; content:"privatlab.net"; nocase; bsize:13; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035144; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; content:"gid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005852; classtype:web-application-attack; sid:2005852; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)"; flow:established,to_server; tls.sni; content:"transfer.sh"; bsize:11; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035145; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start SELECT"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005853; classtype:web-application-attack; sid:2005853; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"sendspace.com"; bsize:13; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035146; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UNION SELECT"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005854; classtype:web-application-attack; sid:2005854; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (anonfiles .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"anonfiles.com,"; bsize:14; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035147; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start DELETE"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005856; classtype:web-application-attack; sid:2005856; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (send .exploit .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"send.exploit.in"; bsize:15; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035148; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ASCII"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005857; classtype:web-application-attack; sid:2005857; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (fex .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"fex.net"; bsize:7; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035149; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE"; flow:established,to_server; http.uri; content:"/db_ecard.php?"; nocase; content:"start="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005858; classtype:web-application-attack; sid:2005858; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Site Domain Observed (privatlab .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"privatlab.net"; bsize:13; fast_pattern; reference:url,www.ic3.gov/Media/News/2022/220204.pdf; classtype:misc-activity; sid:2035150; rev:1; metadata:created_at 2022_02_08, former_category INFO, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid SELECT"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005859; classtype:web-application-attack; sid:2005859; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?provider="; fast_pattern; http.cookie; content:"wordpress_"; startswith; http.user_agent; content:"Windows|20|NT|20|7.1|3b 20|"; http.header_names; content:!"Referer"; reference:md5,b4c716f08907cd4e848bb9ab541dc449; classtype:trojan-activity; sid:2035130; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UNION SELECT"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005860; classtype:web-application-attack; sid:2005860; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed ZLoader Related Domain (lkjhgfgsdshja .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"lkjhgfgsdshja.com"; bsize:17; fast_pattern; reference:url,research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/; classtype:domain-c2; sid:2035133; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, signature_severity Major, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid INSERT"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005861; classtype:web-application-attack; sid:2005861; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Applied Privacy DNS over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=doh.applied-privacy.net"; bsize:26; fast_pattern; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=R3"; bsize:28; classtype:misc-activity; sid:2035125; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid DELETE"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005862; classtype:web-application-attack; sid:2005862; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.censurfridns.dk"; bsize:26; fast_pattern; classtype:misc-activity; sid:2035126; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category POLICY, signature_severity Informational, tag DoH, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid ASCII"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005863; classtype:web-application-attack; sid:2005863; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Maldoc Domain in DNS Lookup (travelcrimea .info)"; dns.query; dotprefix; content:".travelcrimea.info"; nocase; endswith; reference:md5,126110a4b240f1fedba2ff8d3d8e2ebe; reference:url,twitter.com/h2jazi/status/1490829405106569217; classtype:domain-c2; sid:2035134; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_02_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE"; flow:established,to_server; http.uri; content:"/cats.asp?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0112; reference:url,www.securityfocus.com/bid/21929; reference:url,doc.emergingthreats.net/2005864; classtype:web-application-attack; sid:2005864; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapptech .com)"; dns.query; content:"shopapptech.com"; nocase; bsize:15; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035158; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Business Objects Crystal Reports Web Form Viewer Directory Traversal Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/crystalreportviewers/crystalimagehandler.aspx?"; nocase; content:"dynamicimage="; nocase; reference:url,secunia.com/advisories/11803/; reference:bugtraq,10260; reference:url,doc.emergingthreats.net/2011113; classtype:web-application-attack; sid:2011113; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (shopapptech .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopapptech.com"; bsize:15; fast_pattern; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035159; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php SELECT"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004035; classtype:web-application-attack; sid:2004035; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (shopapppro .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"shopapppro.com"; bsize:14; fast_pattern; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035160; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004036; classtype:web-application-attack; sid:2004036; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (shopapppro .com)"; dns.query; content:"shopapppro.com"; nocase; bsize:14; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:md5,ef307ee48b59257e2728dd3b42a09305; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035161; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php INSERT"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004037; classtype:web-application-attack; sid:2004037; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (www .datacentre .center)"; dns.query; content:"www.datacentre.center"; nocase; bsize:21; reference:md5,26cb5fdcbdfccfa05399709d7dc12319; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035162; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Lazarus, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php DELETE"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004038; classtype:web-application-attack; sid:2004038; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Maldoc Domain (travelcrimea .info in TLS SNI)"; flow:established,to_server; tls.sni; content:"travelcrimea.info"; bsize:20; fast_pattern; reference:md5,126110a4b240f1fedba2ff8d3d8e2ebe; reference:url,twitter.com/h2jazi/status/1490829405106569217; classtype:domain-c2; sid:2035135; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Maldoc, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004039; classtype:web-application-attack; sid:2004039; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (datacentre .center in TLS SNI)"; flow:established,to_server; tls.sni; content:"datacentre.center"; bsize:17; fast_pattern; reference:md5,26cb5fdcbdfccfa05399709d7dc12319; reference:url,twitter.com/h2jazi/status/1490883892705828864; reference:url,twitter.com/ShadowChasing1/status/1490861199981907974; reference:url,twitter.com/cyberoverdrive/status/1490839283803951106; classtype:domain-c2; sid:2035163; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/cart.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2862; reference:url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded; reference:url,doc.emergingthreats.net/2004040; classtype:web-application-attack; sid:2004040; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Gamaredon CnC Domain in DNS Lookup"; dns.query; content:"http://surname192.temp.swtest.ru"; nocase; bsize:32; reference:url,twitter.com/IntezerLabs/status/1491033616519876617; classtype:command-and-control; sid:2035172; rev:1; metadata:created_at 2022_02_09, former_category MALWARE, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/portfolio/css.php?"; nocase; content:"theme="; nocase; reference:cve,CVE-2008-6265; reference:bugtraq,32218; reference:url,vupen.com/english/advisories/2008/3070; reference:url,milw0rm.com/exploits/7065; reference:url,doc.emergingthreats.net/2009764; classtype:web-application-attack; sid:2009764; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused Github-like Site (codeberg .org in DNS Lookup)"; dns.query; content:"codeberg.org"; nocase; bsize:12; classtype:misc-activity; sid:2035173; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, deployment SSLDecrypt, former_category INFO, signature_severity Informational, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/SELECT.+FROM/i"; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010271; classtype:web-application-attack; sid:2010271; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_10;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE sLoad Related CnC Domain in DNS Lookup (angedionisu .eu)"; dns.query; content:"angedionisu.eu"; nocase; bsize:14; reference:url,twitter.com/JAMESWT_MHT/status/1491058829903429640; reference:md5,73284816cf3182f446536c380f805b1f; classtype:domain-c2; sid:2035164; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010272; classtype:web-application-attack; sid:2010272; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.censurfridns.nu"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035151; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010273; classtype:web-application-attack; sid:2010273; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.uncensoreddns.dk"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035152; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010274; classtype:web-application-attack; sid:2010274; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=unicast.uncensoreddns.org"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035153; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plus/feedback_js.php?"; nocase; content:"arcurl="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,osvdb.org/show/osvdb/59406; reference:url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt; reference:url,doc.emergingthreats.net/2010275; classtype:web-application-attack; sid:2010275; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN="; startswith; content:".anycast.censurfridns.dk"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035154; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004083; classtype:web-application-attack; sid:2004083; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO UncensoredDNS DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN="; startswith; content:".anycast.censurfridns.nu"; endswith; fast_pattern; threshold:type both, count 1, seconds 600, track by_src; reference:url,blog.uncensoreddns.org/dns-servers/; classtype:misc-activity; sid:2035155; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004084; classtype:web-application-attack; sid:2004084; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>150; content:"_2B"; content:"_2B"; fast_pattern; distance:0; content:!"&"; content:!"?"; content:!"="; content:!"/tr/v1/"; startswith; http.host; dotprefix; content:!".surveymonkey.com"; endswith; http.host; dotprefix; content:!".cisco.com"; endswith; content:!".trendmicro.com"; endswith; http.connection; content:"Keep-Alive"; http.header_names; http.user_agent; content:!"TMUFE"; bsize:5; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033203; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Moderate, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004085; classtype:web-application-attack; sid:2004085; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Keweon Center DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=dns.keweon.center"; fast_pattern; bsize:20; threshold:type both, count 1, seconds 600, track by_src; reference:url,serverinfo.keweon.center/; classtype:misc-activity; sid:2035156; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, tag DoH, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004086; classtype:web-application-attack; sid:2004086; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Keweon Center DNS Over HTTPS Certificate Inbound"; flow:established,to_client; tls.cert_subject; content:"CN=doh.asecdns.com"; fast_pattern; bsize:18; threshold:type both, count 1, seconds 600, track by_src; reference:url,serverinfo.keweon.center/; classtype:misc-activity; sid:2035157; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, tag DoH, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004087; classtype:web-application-attack; sid:2004087; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed sLoad Related Domain (angedionisu .eu in TLS SNI)"; flow:established,to_server; tls.sni; content:"angedionisu.eu"; bsize:14; fast_pattern; reference:url,twitter.com/JAMESWT_MHT/status/1491058829903429640; reference:md5,73284816cf3182f446536c380f805b1f; classtype:domain-c2; sid:2035165; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0693; reference:url,www.securityfocus.com/bid/24201; reference:url,doc.emergingthreats.net/2004088; classtype:web-application-attack; sid:2004088; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".h264"; fast_pattern; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6361957001782ae7fa09ae213eca2625; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035166; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004456; classtype:web-application-attack; sid:2004456; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/amazing.dot"; fast_pattern; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; reference:md5,937a55cd5d63b81b3ca6f19f2bda2573; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035171; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004457; classtype:web-application-attack; sid:2004457; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:>150; content:"_2F"; fast_pattern; content:"_2F"; distance:0; content:"_2F"; distance:0; content:!"&"; content:!"?"; content:!"="; content:!"/tr/v1/"; startswith; http.host; dotprefix; content:!".surveymonkey.com"; endswith; content:!"cisco.com"; endswith; http.connection; content:"Keep-Alive"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:command-and-control; sid:2033204; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_06_29, deployment Perimeter, former_category MALWARE, malware_family ursnif, performance_impact Moderate, signature_severity Major, updated_at 2022_02_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004458; classtype:web-application-attack; sid:2004458; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Redline Stealer Related Domain in DNS Lookup (windows-upgraded .com)"; dns.query; content:"windows-upgraded.com"; nocase; bsize:20; reference:url,threatresearch.ext.hp.com/redline-stealer-disguised-as-a-windows-11-upgrade/; classtype:domain-c2; sid:2035174; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004459; classtype:web-application-attack; sid:2004459; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PrivateLoader Related Domain in DNS Lookup (fouratlinks .com)"; dns.query; content:"fouratlinks.com"; nocase; bsize:15; reference:url,intel471.com/blog/privateloader-malware; classtype:trojan-activity; sid:2035175; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"newsid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2994; reference:url,www.securityfocus.com/bid/24212; reference:url,doc.emergingthreats.net/2004460; classtype:web-application-attack; sid:2004460; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PrivateLoader Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:"privacytoolzfor-you"; startswith; fast_pattern; reference:url,intel471.com/blog/privateloader-malware; classtype:trojan-activity; sid:2035176; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_10, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004684; classtype:web-application-attack; sid:2004684; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)"; flow:established,to_client; file_data; content:"|3c|meta|20|name|3d 22|twitter|3a|description|22 20|content|3d 22|"; pcre:"/^[a-f0-9]{5}(?:[a-zA-Z0-9+\/]{4})*(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})[a-f0-9]{2}-v[a-f0-9]{2}\x0a\x22\x3e\x0a\x3c/R"; content:"|3c|meta|20|name|3d 22|twitter|3a|app|3a|id|3a|iphone|22 20|content|3d 22|686449807|22|"; fast_pattern; reference:md5,0b2463e542ff395417ecb1cd37f77556; classtype:command-and-control; sid:2034960; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004685; classtype:web-application-attack; sid:2004685; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?h="; fast_pattern; content:"|2a|"; distance:0; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; reference:md5,1d7d9b2c46bd733f5270d34c4dd748e9; reference:url,twitter.com/h2jazi/status/1491852987324637185; classtype:trojan-activity; sid:2035180; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004686; classtype:web-application-attack; sid:2004686; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP ICM MPI Desynchronization Scanning Activity (CVE-2022-22536) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sap/public/bc/ur/Login/assets/corbu/sap_logo.png"; fast_pattern; http.content_len; byte_test:0,>=,82642,0,string,dec; reference:cve,2022-22536; classtype:attempted-admin; sid:2035182; rev:2; metadata:attack_target Server, created_at 2022_02_11, cve CVE_2022_22536, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004687; classtype:web-application-attack; sid:2004687; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP ICM MPI Desynchronization Scanning Activity (CVE-2022-22536) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sap/admin/public/default.html?"; fast_pattern; http.content_len; byte_test:0,>=,82642,0,string,dec; reference:cve,2022-22536; classtype:attempted-admin; sid:2035183; rev:2; metadata:attack_target Server, created_at 2022_02_11, cve CVE_2022_22536, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"mid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7118; reference:url,www.securityfocus.com/bid/21064; reference:url,doc.emergingthreats.net/2004688; classtype:web-application-attack; sid:2004688; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin M6"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:75; http.content_type; content:"text/plain|3b 20|charset=UTF-8"; bsize:25; http.request_body; content:"T7"; startswith; fast_pattern; pcre:"/^(?:[a-zA-Z0-9+/]{4})*(?:[a-zA-Z0-9+/]{2}==|[a-zA-Z0-9+/]{3}=|[a-zA-Z0-9+/]{4})$/"; reference:md5,108757a3cc9c5e9d529ca1a94f1432b2; classtype:command-and-control; sid:2035177; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp SELECT"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006081; classtype:web-application-attack; sid:2006081; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin Response M4"; flow:established,to_client; file_data; content:"2HVWm7UNyz"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9+\/]+(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})$/"; reference:md5,108757a3cc9c5e9d529ca1a94f1432b2; classtype:command-and-control; sid:2035178; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006082; classtype:web-application-attack; sid:2006082; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Raccoon Stealer Checkin Response M5"; flow:established,to_client; file_data; content:"VqiRa2vbXS"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9+\/]+(?:[a-zA-Z0-9+\/]{2}==|[a-zA-Z0-9+\/]{3}=|[a-zA-Z0-9+\/]{4})$/"; reference:md5,3acb8e439a1bd66a8a42c6bd5d8930b4; classtype:command-and-control; sid:2035179; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Raccoon_Stealer, performance_impact Moderate, signature_severity Major, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp DELETE"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006084; classtype:web-application-attack; sid:2006084; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (ledikexive .com)"; dns.query; content:"ledikexive.com"; nocase; bsize:14; reference:md5,6b707cd8b8061a6d268812cff1d1f505; reference:url,twitter.com/Unit42_Intel/status/1492160514109149193; classtype:domain-c2; sid:2035181; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_02_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ASCII"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006085; classtype:web-application-attack; sid:2006085; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Go/Anubis Registration Activity"; dsize:<400; content:"|54 67 69 2f 40|"; within:50; content:"|4f 6b 65 74 71 75 71 68 76 22 59 6b 70 66 71 79 75 22 5d 58 67 74 75 6b 71 70|"; fast_pattern; reference:md5,1f21b8e9ebc3b7480cc67ced7504916f; reference:url,medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e; classtype:trojan-activity; sid:2035184; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE"; flow:established,to_server; http.uri; content:"/set_preferences.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006086; classtype:web-application-attack; sid:2006086; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Go/Anubis CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /callback HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"callback="; startswith; content:"&reginfo="; distance:0; reference:md5,1f21b8e9ebc3b7480cc67ced7504916f; reference:url,medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e; classtype:command-and-control; sid:2035185; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006087; classtype:web-application-attack; sid:2006087; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkWatchman Checkin Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:"X-Client-Id|0d 0a|"; content:"X-Client-Controller|0d 0a|"; fast_pattern; content:"X-Client-Ut|0d 0a|"; http.request_body; content:"os="; startswith; content:"&cn="; distance:0; content:"&un="; distance:0; content:"&b="; distance:0; content:"&l="; distance:0; content:"av="; distance:0; reference:url,prevailion.com/darkwatchman-new-fileness-techniques/; reference:md5,2ccc9637823753de9cdcdf76a1d22725; classtype:trojan-activity; sid:2034745; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006088; classtype:web-application-attack; sid:2006088; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DarkWatchman Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /index.php HTTP/1.1"; fast_pattern; http.header; content:"|0d 0a|X-Client-Id|3a 20|"; pcre:"/^[a-z0-9]{8}\r\n/R"; http.host; content:".top"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/5.0(Windows NT|20|"; startswith; reference:md5,2ccc9637823753de9cdcdf76a1d22725; classtype:trojan-activity; sid:2035186; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006089; classtype:web-application-attack; sid:2006089; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Moxa MxView RCE Attempt (CVE-2021-38454)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"api/sites/site/"; fast_pattern; pcre:"/^[a-zA-Z0-9]{5,45}/R"; content:"/ping"; endswith; reference:cve,2021-38454; classtype:attempted-admin; sid:2035194; rev:2; metadata:attack_target Server, created_at 2022_02_14, cve CVE_2021_38454, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp DELETE"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006090; classtype:web-application-attack; sid:2006090; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Spy.Socelars.S CnC Activity M4 (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/base/api/"; startswith; content:".php"; endswith; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"???bll"; bsize:6; fast_pattern; http.header_names; content:!"Referer"; reference:md5,119501b9e0c53984d4af54644d7a7b47; classtype:trojan-activity; sid:2035188; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_14, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ASCII"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006091; classtype:web-application-attack; sid:2006091; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Domain (judgebryantweekes .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"judgebryantweekes.com"; bsize:21; fast_pattern; classtype:domain-c2; sid:2035195; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_02_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE"; flow:established,to_server; http.uri; content:"/send_password_preferences.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006092; classtype:web-application-attack; sid:2006092; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious Domain (lawyeryouwant .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"lawyeryouwant.com"; bsize:17; fast_pattern; classtype:domain-c2; sid:2035196; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_TLS_SNI, updated_at 2022_02_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006094; classtype:web-application-attack; sid:2006094; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected RULER.Hacktool HTML Payload"; flow:established,to_client; file.data; content:"OutlookApplication"; nocase; content:"CreateObject"; nocase; content:"0006F063-0000-0000-C000-000000000046"; nocase; reference:url,www.mandiant.com/resources/overruled-containing-a-potentially-destructive-adversary; reference:url,github.com/sensepost/ruler; classtype:trojan-activity; sid:2035187; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp INSERT"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006095; classtype:web-application-attack; sid:2006095; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Retired Intermediate"; flow:from_server,established; tls_cert_issuer; content:"Let's Encrypt Authority X"; fast_pattern; depth:25; offset:0; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035189; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp DELETE"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006096; classtype:web-application-attack; sid:2006096; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, R3"; flow:from_server,established; tls.cert_issuer; content:"R3"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035190; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ASCII"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006097; classtype:web-application-attack; sid:2006097; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Active Intermediate, E1"; flow:from_server,established; tls.cert_issuer; content:"E1"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035191; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE"; flow:established,to_server; http.uri; content:"/SecureLoginManager/list.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006098; classtype:web-application-attack; sid:2006098; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, R4"; flow:from_server,established; tls.cert_issuer; content:"R4"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035192; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006099; classtype:web-application-attack; sid:2006099; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed Let's Encrypt Certificate from Backup Intermediate, E2"; flow:from_server,established; tls.cert_issuer; content:"E2"; fast_pattern; reference:url,letsencrypt.org/certificates/; classtype:misc-activity; sid:2035193; rev:2; metadata:created_at 2022_02_14, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Performance, former_category INFO, signature_severity Informational, updated_at 2022_02_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006100; classtype:web-application-attack; sid:2006100; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/interference/"; fast_pattern; content:".mqo"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,64ce44c092145dfc80375159eaef5461; classtype:trojan-activity; sid:2035197; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent INSERT"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006101; classtype:web-application-attack; sid:2006101; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intercourse/"; fast_pattern; content:".mdl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,20bb6aec6889f9135d29ad40f4a25c23; classtype:trojan-activity; sid:2035198; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent DELETE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006102; classtype:web-application-attack; sid:2006102; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".stc"; endswith; fast_pattern; http.host; content:".ru"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,20bb6aec6889f9135d29ad40f4a25c23; classtype:trojan-activity; sid:2035199; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ASCII"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006103; classtype:web-application-attack; sid:2006103; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perceived/"; fast_pattern; content:".ts"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,7c75bd80374fed96018416a531983548; classtype:trojan-activity; sid:2035200; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/login.asp?"; nocase; content:"sent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006104; classtype:web-application-attack; sid:2006104; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related Domain in DNS Lookup (doc .filesaves .cloud)"; dns.query; content:"doc.filesaves.cloud"; nocase; bsize:19; reference:md5,85fe6affdb218b2d09a59e08e80eb1fa; reference:md5,de097c5ab5e31ac16b4466cd56e9bd2d; reference:url,twitter.com/h2jazi/status/1493598324053712915; classtype:domain-c2; sid:2035201; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_15, deployment Perimeter, former_category MALWARE, malware_family DangerousPassword, signature_severity Major, updated_at 2022_02_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent SELECT"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006105; classtype:web-application-attack; sid:2006105; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Cloudflare Universal (Shared) Certificate, Retired"; flow:established,to_server; tls.sni; content:"sni."; depth:4; pcre:"/(?:/d{6})/R"; content:".cloudflaressl.com"; fast_pattern; offset:9; reference:url,community.cloudflare.com/t/cloudflare-universal-and-universal-shared-certificates/59523; classtype:misc-activity; sid:2035203; rev:2; metadata:created_at 2022_02_15, deployment Perimeter, deployment SSLDecrypt, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_02_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006106; classtype:web-application-attack; sid:2006106; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization RCE T3 (CVE-2015-4852)"; flow:established,to_server; content:"|00 00|"; startswith; content:"|01 65|"; distance:2; within:2; content:"|ac ed 00|"; distance:0; content:"weblogic.rjvm.ClassTableEntry"; fast_pattern; distance:0; reference:cve,2015-4852; reference:url,www.exploit-db.com/exploits/46628; classtype:attempted-admin; sid:2035204; rev:1; metadata:created_at 2022_02_15, cve CVE_2015_4852, former_category EXPLOIT, updated_at 2022_02_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent INSERT"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006107; classtype:web-application-attack; sid:2006107; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?query=1"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Accept-Encoding|0d 0a|"; startswith; reference:md5,52f79913a72c1afe1cd6b22445aab3e5; reference:url,twitter.com/ShadowChasing1/status/1493902034453479431; classtype:trojan-activity; sid:2035206; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent DELETE"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006108; classtype:web-application-attack; sid:2006108; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Namecheap URL Forward"; flow:established,to_client; http.stat_code; content:"302"; http.header_names; content:"X-Served-By"; http.header; content:"Namecheap URL Forward"; fast_pattern; reference:md5,a85e405481368f8a3384149243577155; classtype:misc-activity; sid:2035208; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ASCII"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006109; classtype:web-application-attack; sid:2006109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/2144FlashPlayer.E Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"computerName="; startswith; content:"diskId="; content:"&externalIp="; fast_pattern; content:"&machineId="; content:"&userName="; threshold:type limit, track by_src, count 1, seconds 600; reference:md5,99f1e8976f41e3089c7325af830a19e8; classtype:pup-activity; sid:2035205; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, updated_at 2022_02_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/content.asp?"; nocase; content:"sent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006110; classtype:web-application-attack; sid:2006110; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/GenKryptik.FQRH Download Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/vbc.exe"; endswith; fast_pattern; pcre:"/^\/\d{2,3}\/vbc.exe$/U"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 6.1|3b|"; startswith; http.header_names; content:!"Referer"; reference:md5,180defaf66190b475e636e0d7bcf0aed; classtype:trojan-activity; sid:2035207; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent SELECT"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006111; classtype:web-application-attack; sid:2006111; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Moses Staff APT Related Domain in DNS Lookup (techzenspace .com)"; dns.query; content:"techzenspace.com"; nocase; bsize:16; reference:url,www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard; classtype:domain-c2; sid:2035209; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, malware_family MosesStaff, signature_severity Major, updated_at 2022_02_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006112; classtype:web-application-attack; sid:2006112; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET 222 -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/QuasarRAT CnC Traffic"; flow:established,to_client; content:"|40 00 00 00|"; startswith; dsize:68; fast_pattern; stream_size:server,<,210; reference:url,twitter.com/James_inthe_box/status/1494023718741286915; classtype:trojan-activity; sid:2035211; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent INSERT"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006113; classtype:web-application-attack; sid:2006113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MosesStaff APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.content_type; content:"boundary=----BoundrySign"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard; classtype:trojan-activity; sid:2035210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category MALWARE, malware_family MosesStaff, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent DELETE"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006114; classtype:web-application-attack; sid:2006114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M1 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PIN/?Authentication-EMAIL="; fast_pattern; nocase; http.host; content:"monzo"; http.request_body; content:"email="; depth:6; reference:md5,0a7b616bf44cb13fe0080b0c2d61305c; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035212; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ASCII"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006115; classtype:web-application-attack; sid:2006115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M2 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/EMAIL/?Authentication-EMAIL="; nocase; http.host; content:"monzo"; http.request_body; content:"pin_1=&pin_2=&pin_3=&pin_4=&confirmemail="; fast_pattern; depth:41; reference:md5,ac598a7113392e86e9f00847a0732713; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035213; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent SELECT"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006117; classtype:web-application-attack; sid:2006117; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Monzo Credential Phish M3 2022-02-17"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"start.php"; bsize:10; http.host; content:"monzo"; fast_pattern; http.request_body; content:"number="; depth:7; reference:md5,21365ef60a95f7453779fbd315ef5ec6; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035214; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UNION SELECT"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006118; classtype:web-application-attack; sid:2006118; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Monzo Credential Phish Landing Page 2022-02-17"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?a=login&say=invalid_login&e=&username="; fast_pattern; depth:40; nocase; http.host; content:"monzo"; reference:md5,4b8c4160334f21dc7b64ef0a5292441d; reference:url,blog.bushidotoken.net/2022/02/mobile-banking-phishing-campaign.html; classtype:credential-theft; sid:2035215; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent INSERT"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006119; classtype:web-application-attack; sid:2006119; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM - Cobalt Strike Malleable Profile M2"; flow:established,to_server; http.method; content:"GET"; http.cookie; bsize:>170; content:".html"; endswith; fast_pattern; http.content_type; content:"text/html"; bsize:9; http.header; content:"Cache-Control|3a 20|no-cache"; reference:url,www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies; classtype:command-and-control; sid:2035216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent DELETE"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006120; classtype:web-application-attack; sid:2006120; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_"; content:"/office.txt"; within:26; endswith; fast_pattern; http.header_names; content:!"Referer"; reference:md5,97d3d3fe312514f33a44dcd9d5887b54; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ASCII"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006121; classtype:web-application-attack; sid:2006121; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/declaration.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"name="; startswith; content:"&count="; distance:0; reference:md5,c2e7a48d6bcf0c875d911f3e6c3896ee; reference:url,raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/2022_02_Gamaredon_UPDATE.txt; classtype:trojan-activity; sid:2035219; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/applications/SecureLoginManager/inc_secureloginmanager.asp?"; nocase; content:"sent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006122; classtype:web-application-attack; sid:2006122; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/revers.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"name="; startswith; content:"&count="; distance:0; reference:md5,8c65c945a395d633f15b138e9aaf06f9; reference:url,raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/2022_02_Gamaredon_UPDATE.txt; classtype:trojan-activity; sid:2035220; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Multiple Products upload_image_category.asp cid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/upload_image_category.asp?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33253; reference:url,xforce.iss.net/xforce/xfdb/47959; reference:url,milw0rm.com/exploits/7767; reference:url,doc.emergingthreats.net/2009739; classtype:web-application-attack; sid:2009739; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/prevent/counter.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,5db3abc526fc334034f30e988a10c02a; classtype:trojan-activity; sid:2035221; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005088; classtype:web-application-attack; sid:2005088; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wsusa HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f8af71e85f5bee6b3fee2fcfd15da893; classtype:trojan-activity; sid:2035222; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005089; classtype:web-application-attack; sid:2005089; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert dns $HOME_NET any -> any any (msg:"ET DELETED test CnC Domain in DNS Lookup"; dns.query; dotprefix; content:".to.sv"; nocase; endswith; classtype:trojan-activity; sid:2035217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005090; classtype:web-application-attack; sid:2005090; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wa .sv)"; dns.query; content:"wa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035224; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005092; classtype:web-application-attack; sid:2005092; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (in .sv)"; dns.query; content:"in.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035225; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"qid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0663; reference:url,www.frsirt.com/english/advisories/2007/0424; reference:url,doc.emergingthreats.net/2005091; classtype:web-application-attack; sid:2005091; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (fl .sv)"; dns.query; content:"fl.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035226; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005113; classtype:web-application-attack; sid:2005113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (vk .sv)"; dns.query; content:"vk.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035227; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005112; classtype:web-application-attack; sid:2005112; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (2 .ua)"; dns.query; content:"2.ua"; nocase; bsize:4; classtype:misc-activity; sid:2035228; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005114; classtype:web-application-attack; sid:2005114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (fb .sv)"; dns.query; content:"fb.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035229; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005116; classtype:web-application-attack; sid:2005116; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (lc .sv)"; dns.query; content:"lc.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"catid="; nocase; fast_pattern; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0631; reference:url,www.milw0rm.com/exploits/3227; reference:url,doc.emergingthreats.net/2005115; classtype:web-application-attack; sid:2005115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (cli .co)"; dns.query; content:"cli.co"; nocase; bsize:6; classtype:misc-activity; sid:2035231; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005895; classtype:web-application-attack; sid:2005895; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tg .sv)"; dns.query; content:"tg.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035232; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005896; classtype:web-application-attack; sid:2005896; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (dl .sv)"; dns.query; content:"dl.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035233; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005897; classtype:web-application-attack; sid:2005897; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (qq .sv)"; dns.query; content:"qq.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035234; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005898; classtype:web-application-attack; sid:2005898; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tt .sv)"; dns.query; content:"tt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035235; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005899; classtype:web-application-attack; sid:2005899; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (ai .sv)"; dns.query; content:"ai.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035236; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ordernum="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6911; reference:url,www.milw0rm.com/exploits/3089; reference:url,doc.emergingthreats.net/2005900; classtype:web-application-attack; sid:2005900; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (do .sv)"; dns.query; content:"do.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/boardrule.php?"; nocase; content:"groupboardid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36282; reference:url,doc.emergingthreats.net/2010259; classtype:web-application-attack; sid:2010259; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (youlinkto .com)"; dns.query; content:"youlinkto.com"; nocase; bsize:13; classtype:misc-activity; sid:2035238; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/dfss/lgsl/lgsl_players.php?"; nocase; content:"lgsl_path="; nocase; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011099; classtype:web-application-attack; sid:2011099; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (me .sv)"; dns.query; content:"me.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035239; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/dfss/lgsl/lgsl_settings.php?"; nocase; content:"lgsl_path="; nocase; pcre:"/lgsl_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11888; reference:url,doc.emergingthreats.net/2011100; classtype:web-application-attack; sid:2011100; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (bd .sv)"; dns.query; content:"bd.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035240; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/logging/logviewer.jsp?"; nocase; content:"logfile="; nocase; reference:url,www.dsecrg.ru/pages/vul/show.php?id=152; reference:url,www.vupen.com/english/advisories/2009/2285; reference:url,doc.emergingthreats.net/2010194; classtype:web-application-attack; sid:2010194; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (link .sv)"; dns.query; content:"link.sv"; nocase; bsize:7; classtype:misc-activity; sid:2035241; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DeZine DZcms products.php pcat parameter SQL injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/products.php?"; nocase; content:"pcat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33194; reference:url,milw0rm.com/exploits/7722; reference:url,doc.emergingthreats.net/2009319; classtype:web-application-attack; sid:2009319; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (go .sv)"; dns.query; content:"go.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035242; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/latestposts.php?"; nocase; content:"forumspath="; nocase; reference:url,secunia.com/advisories/35315/; reference:url,milw0rm.com/exploits/8851; reference:url,doc.emergingthreats.net/2009904; classtype:web-application-attack; sid:2009904; rev:9; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tra-ta-ta.it .com)"; dns.query; content:"tra-ta-ta.it.com"; nocase; bsize:16; classtype:misc-activity; sid:2035243; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DeluxeBB misc.php qorder Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/misc.php?"; nocase; content:"sub=memberlist"; nocase; content:"qorder="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34174; reference:url,milw0rm.com/exploits/8240; reference:url,doc.emergingthreats.net/2009368; classtype:web-application-attack; sid:2009368; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (id .sv)"; dns.query; content:"id.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035244; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/header.php?"; nocase; content:"theme_directory="; nocase; reference:url,secunia.com/advisories/34485/; reference:bugtraq,34265; reference:url,milw0rm.com/exploits/8291; reference:url,doc.emergingthreats.net/2009380; classtype:web-application-attack; sid:2009380; rev:9; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (to .sv)"; dns.query; content:"to.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035245; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Demium CMS tracking.php follow_kat Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/tracking.php?"; nocase; content:"follow_kat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009323; classtype:web-application-attack; sid:2009323; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (rt .sv)"; dns.query; content:"rt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035246; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/urheber.php?"; nocase; content:"name="; nocase; reference:bugtraq,33933; reference:url,milw0rm.com/exploits/8124; reference:url,doc.emergingthreats.net/2009324; classtype:web-application-attack; sid:2009324; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (wc .sv)"; dns.query; content:"wc.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035247; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id SELECT"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004834; classtype:web-application-attack; sid:2004834; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (4 .fo)"; dns.query; content:"4.fo"; nocase; bsize:4; classtype:misc-activity; sid:2035248; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UNION SELECT"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004835; classtype:web-application-attack; sid:2004835; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (ya .sv)"; dns.query; content:"ya.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id INSERT"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004836; classtype:web-application-attack; sid:2004836; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (sa .sv)"; dns.query; content:"sa.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id DELETE"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004837; classtype:web-application-attack; sid:2004837; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (tw .sv)"; dns.query; content:"tw.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035251; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE"; flow:established,to_server; http.uri; content:"/page.asp?"; nocase; content:"art_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1077; reference:url,www.securityfocus.com/bid/22636; reference:url,doc.emergingthreats.net/2004839; classtype:web-application-attack; sid:2004839; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (yt .sv)"; dns.query; content:"yt.sv"; nocase; bsize:5; classtype:misc-activity; sid:2035252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_02_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/don3_requiem.php?"; nocase; content:"app_path="; nocase; pcre:"/app_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009317; classtype:web-application-attack; sid:2009317; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Maldoc OneDrive Download Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/"; fast_pattern; startswith; http.user_agent; content:"MyAgent"; bsize:7; http.host; content:"api.onedrive.com"; bsize:16; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Cache-Control|0d 0a 0d 0a|"; bsize:37; reference:url,twitter.com/cyberwar_15/status/1435260403127255043; reference:md5,baa9b34f152076ecc4e01e35ecc2de18; classtype:trojan-activity; sid:2033908; rev:2; metadata:created_at 2021_09_07, former_category MALWARE, updated_at 2022_02_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/frontpage.php?"; nocase; content:"app_path="; nocase; pcre:"/app_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,2008-2649; reference:url,xforce.iss.net/xforce/xfdb/42790; reference:url,milw0rm.com/exploits/5715; reference:url,doc.emergingthreats.net/2009318; classtype:web-application-attack; sid:2009318; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/rejoice/clank.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,655f383e817a989e3114250232d0cd07; classtype:trojan-activity; sid:2035253; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy News And Article aid parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/article_details.php?"; nocase; content:"aid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,milw0rm.com/exploits/7014; reference:url,secunia.com/Advisories/32595/; reference:url,doc.emergingthreats.net/2008834; classtype:web-application-attack; sid:2008834; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/quietly/seedlings.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,9985bd33a8d129aba66feb1dd553fd22; classtype:trojan-activity; sid:2035254; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id SELECT"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005591; classtype:web-application-attack; sid:2005591; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sense/guarded.dot"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,7b62f40f5986be36f783863fa45a9946; classtype:trojan-activity; sid:2035255; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005592; classtype:web-application-attack; sid:2005592; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /refrigerator.dot HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,c36939365d244081d6860f42779a1503; classtype:trojan-activity; sid:2035256; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id INSERT"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005593; classtype:web-application-attack; sid:2005593; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /prediction.dot HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,f37095018deff37c70065ed5cf37e06b; classtype:trojan-activity; sid:2035257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_19, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id DELETE"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005594; classtype:web-application-attack; sid:2005594; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isnotset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; fast_pattern; content:"|04 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; endswith; threshold: type limit, count 1, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2030870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ASCII"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005595; classtype:web-application-attack; sid:2005595; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|0f 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035259; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE"; flow:established,to_server; http.uri; content:"/visu_user.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0306; reference:url,www.milw0rm.com/exploits/3122; reference:url,doc.emergingthreats.net/2005596; classtype:web-application-attack; sid:2005596; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|2d 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035263; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id SELECT"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005835; classtype:web-application-attack; sid:2005835; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate2 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|0f 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!5,relative; byte_test:1,!&,0x40,3,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035258; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UNION SELECT"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005836; classtype:web-application-attack; sid:2005836; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M1"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!5,relative; byte_test:1,!&,0x40,3,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035260; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id INSERT"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005837; classtype:web-application-attack; sid:2005837; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035261; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id DELETE"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005838; classtype:web-application-attack; sid:2005838; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Online File Storage Domain in DNS Lookup (gofile .io)"; dns.query; dotprefix; content:".gofile.io"; nocase; endswith; classtype:bad-unknown; sid:2035264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id ASCII"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005839; classtype:web-application-attack; sid:2005839; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /pre.dot HTTP/1.1"; fast_pattern; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,a9260f7ae7939637b9ae43dec8e03abb; classtype:trojan-activity; sid:2035265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE"; flow:established,to_server; http.uri; content:"/info_book.asp?"; nocase; content:"book_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0128; reference:url,www.milw0rm.com/exploits/3081; reference:url,doc.emergingthreats.net/2005840; classtype:web-application-attack; sid:2005840; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"filter_func"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035272; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/DetailFile.php?"; nocase; content:"nFileId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/0908-exploits/dscms-sql.txt; reference:url,doc.emergingthreats.net/2010195; classtype:web-application-attack; sid:2010195; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"script"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035273; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UPTDATE.+SET/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010073; classtype:web-application-attack; sid:2010073; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /barrier.dot HTTP/1.1"; fast_pattern; http.host; content:".ru"; endswith; http.header_names; content:!"Referer"; http.user_agent; content:"|3b 20|ms-office|3b 20|"; reference:url,www.anomali.com/blog/primitive-bear-gamaredon-targets-ukraine-with-timely-themes; reference:md5,b55956fbc3cda1481c07fe08ce254706; classtype:trojan-activity; sid:2035266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UNION.+SELECT/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010074; classtype:web-application-attack; sid:2010074; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/intake/"; startswith; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fa882c526ba36ec4219698ab6e64e699; classtype:trojan-activity; sid:2035267; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+SELECT.+FROM/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010075; classtype:web-application-attack; sid:2010075; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (tobaccosafe .xyz)"; dns.query; content:"tobaccosafe.xyz"; nocase; bsize:15; reference:md5,0faee3dfee432f821ceabeaa0f2d234c; reference:url,twitter.com/ShadowChasing1/status/1496054996177240068; classtype:domain-c2; sid:2035268; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+DELETE.+FROM/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010076; classtype:web-application-attack; sid:2010076; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extensis Portfolio Unrestricted File Upload (CVE-2022-24252)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/FileTransfer/upload?sessionId="; fast_pattern; content:"&action=customPreview"; content:"&catalogId="; http.request_body; content:"filename="; content:"\\.."; within:25; reference:url,whiteoaksecurity.com/blog/extensis-portfolio-vulnerability-disclosure/; classtype:attempted-admin; sid:2035274; rev:2; metadata:attack_target Server, created_at 2022_02_22, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/doku.php?"; nocase; content:"config_cascade[main][default][]="; nocase; reference:bugtraq,35095; reference:url,milw0rm.com/exploits/8781; reference:url,doc.emergingthreats.net/2009876; classtype:web-application-attack; sid:2009876; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (font .backuplogs .xyz)"; dns.query; content:"font.backuplogs.xyz"; nocase; bsize:19; reference:md5,92a78894568e2e7869ef7ec454c52db3; reference:md5,b4dcb52e46cfc0ed7deb25ff72bdf521; reference:url,twitter.com/JAMESWT_MHT/status/1496139517736148994; reference:url,twitter.com/malwrhunterteam/status/1496129802239201289; classtype:domain-c2; sid:2035269; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/managePerson.php?"; nocase; content:"personId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35032; reference:url,milw0rm.com/exploits/8738; reference:url,doc.emergingthreats.net/2009795; classtype:web-application-attack; sid:2009795; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DonotGroup APT Related Domain in DNS Lookup (srvrfontsdrive .xyz)"; dns.query; content:"srvrfontsdrive.xyz"; nocase; bsize:18; reference:md5,92a78894568e2e7869ef7ec454c52db3; reference:md5,b4dcb52e46cfc0ed7deb25ff72bdf521; reference:url,twitter.com/JAMESWT_MHT/status/1496139517736148994; reference:url,twitter.com/malwrhunterteam/status/1496129802239201289; classtype:domain-c2; sid:2035270; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen SELECT"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004047; classtype:web-application-attack; sid:2004047; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/TrojanDownloader.Agent.TXV CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/postUP.php"; endswith; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6.0)"; http.connection; content:"keep-alive"; http.content_type; content:"application/x-www-form-urlencoded"; startswith; http.header_names; content:!"Referer"; reference:url,twitter.com/Unit42_Intel/status/1496172957726560257; classtype:trojan-activity; sid:2035271; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UNION SELECT"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004048; classtype:web-application-attack; sid:2004048; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ReverseRat 2.0 CnC Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"="; http.request_body; content:"|ed bb a7 14 24 02 2e cc 3f f4|"; startswith; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,8306b6dee8aca5ad5b3368cd070d5729; reference:url,twitter.com/malwrhunterteam/status/1494650167877935104; classtype:trojan-activity; sid:2035275; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family ReverseRAT, signature_severity Major, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen INSERT"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004049; classtype:web-application-attack; sid:2004049; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .cc)"; dns.query; dotprefix; content:".microsofts.cc"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen DELETE"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004050; classtype:web-application-attack; sid:2004050; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (08mma .com)"; dns.query; dotprefix; content:".08mma.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ASCII"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004051; classtype:web-application-attack; sid:2004051; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (microsofts .top)"; dns.query; dotprefix; content:".microsofts.top"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE"; flow:established,to_server; http.uri; content:"/tracking/courseLog.php?"; nocase; content:"scormcontopen="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2889; reference:url,www.milw0rm.com/exploits/3980; reference:url,doc.emergingthreats.net/2004052; classtype:web-application-attack; sid:2004052; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (3mmlq .com)"; dns.query; dotprefix; content:".3mmlq.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004065; classtype:web-application-attack; sid:2004065; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT10 Related Domain in DNS Lookup (7cnbo .com)"; dns.query; dotprefix; content:".7cnbo.com"; nocase; endswith; reference:url,medium.com/cycraft/supply-chain-attack-targeting-taiwan-financial-sector-bae2f0962934; classtype:domain-c2; sid:2035280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category MALWARE, malware_family APT10, signature_severity Major, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004066; classtype:web-application-attack; sid:2004066; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (u .to)"; dns.query; content:"u.to"; nocase; bsize:4; reference:md5,8c57fcf51e1d0f3fc1e1775d9fc624df; classtype:misc-activity; sid:2035281; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004067; classtype:web-application-attack; sid:2004067; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-02-25"; http.stat_code; content:"200"; file.data; content:"|3c|script|20|type|3d 22|text|2f|javascript|22 3e|"; nocase; content:"window.location.hash"; nocase; distance:100; content:".substring"; nocase; distance:500; content:".split"; nocase; distance:200; content:"let|20|email|20 3d 20|window|2e|atob"; fast_pattern; nocase; distance:500; content:"window.atob"; nocase; distance:200; content:"window.location"; nocase; distance:200; content:".substring"; nocase; distance:500; content:"+email"; nocase; distance:500; content:"window.location"; nocase; distance:100; content:"</script>"; nocase; distance:100; classtype:credential-theft; sid:2035294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_23, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004068; classtype:web-application-attack; sid:2004068; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TOTOLINK Realtek SDK RCE (CVE-2019-19824)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/formSysCmd"; fast_pattern; http.request_body; content:"Run|2b|Command|26|sysCmd|3d|"; nocase; reference:cve,2019-19824; classtype:attempted-admin; sid:2035282; rev:2; metadata:attack_target Server, created_at 2022_02_23, cve CVE_2019_19824, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_02_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004069; classtype:web-application-attack; sid:2004069; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /chd.php HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,0981f1145c1cec6a5de51c7d585affe3; reference:md5,bcbcc87f61fad5d558b25c1200b2c34d; reference:md5,ab8a866434329d643273b3dab0473bbc; classtype:trojan-activity; sid:2035283; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_24, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE"; flow:established,to_server; http.uri; content:"/main/auth/my_progress.php?"; nocase; content:"course="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2902; reference:url,www.milw0rm.com/exploits/3974; reference:url,doc.emergingthreats.net/2004070; classtype:web-application-attack; sid:2004070; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $HOME_NET any -> 195.22.26.192/26 443 (msg:"ET INFO invalid.cab domain in SNI"; flow:established,to_server; tls.sni; content:"invalid.cab"; fast_pattern; flowbits:set,ET.invalid.cab; flowbits:noalert; classtype:misc-activity; sid:2020888; rev:4; metadata:created_at 2015_04_10, former_category INFO, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID SELECT"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006141; classtype:web-application-attack; sid:2006141; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY SSL Certificate IRC GEEKS Likely Encrypted IRC or CnC"; flow:established,to_client; tls.cert_subject; content:"O=IRC geeks"; fast_pattern; classtype:command-and-control; sid:2019387; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_10_10, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006142; classtype:web-application-attack; sid:2006142; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain in TLS SNI (litby .us)"; flow:established,to_server; tls.sni; content:"litby.us"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035284; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_24, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID INSERT"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006143; classtype:web-application-attack; sid:2006143; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/get.php"; bsize:8; fast_pattern; http.host; pcre:"/^[0-9]{6,10}\./"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; reference:md5,2dd5a4237122e73027404a91276f0235; reference:md5,9c8f6b38035c72421e1c71d2bb21ced9; reference:md5,860137d224440fd7c1cb3652199dcd58; classtype:trojan-activity; sid:2035288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID DELETE"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006144; classtype:web-application-attack; sid:2006144; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/junk.flv?"; startswith; fast_pattern; http.user_agent; content:"junk/"; http.header_names; content:!"Referer"; reference:md5,61c4a0ab7b156744fcc24fb0813fb9b3; reference:url,github.com/stamparm/maltrail/blob/master/trails/static/malware/apt_gamaredon.txt; classtype:trojan-activity; sid:2035289; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006146; classtype:web-application-attack; sid:2006146; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Buhtrap SourSnack Domain in DNS Lookup (widget .forum-pokemon .com)"; dns.query; content:".widget.forum-pokemon.com"; nocase; endswith; reference:url,cert.gov.ua/article/37246; reference:md5,4ac6e6c6668cac064b16cf786e3cab6f; classtype:domain-c2; sid:2035286; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family SourSnack, performance_impact Low, signature_severity Major, tag Buhtrap, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/libs/internals/core.write_compiled_include.php?"; nocase; content:"smarty="; nocase; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010707; classtype:web-application-attack; sid:2010707; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious lnk Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /joking.html HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; content:".ru"; endswith; reference:md5,d6b182c825d961154b5415de1a061ae0; classtype:trojan-activity; sid:2035290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/libs/internals/core.process_compiled_include.php?"; nocase; content:"smarty="; nocase; pcre:"/smarty\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010708; classtype:web-application-attack; sid:2010708; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (id .bigmir .space)"; dns.query; dotprefix; content:".id.bigmir.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035295; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/libs/plugins/function.config_load.php?"; nocase; content:"_compile_file="; nocase; pcre:"/_compile_file\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10682; reference:url,doc.emergingthreats.net/2010709; classtype:web-application-attack; sid:2010709; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (aplikacje .ron-mil .space)"; dns.query; dotprefix; content:".aplikacje.ron-mil.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035296; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004385; classtype:web-application-attack; sid:2004385; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (i .ua-passport .space)"; dns.query; dotprefix; content:".i.ua-passport.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035297; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id INSERT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004387; classtype:web-application-attack; sid:2004387; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (akademia-mil .space)"; dns.query; dotprefix; content:".akademia-mil.space"; nocase; endswith; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035298; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id DELETE"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004388; classtype:web-application-attack; sid:2004388; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (akademia-mil .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".akademia-mil.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035299; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ASCII"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004389; classtype:web-application-attack; sid:2004389; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (aplikacje .ron-mil .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".aplikacje.ron-mil.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004390; classtype:web-application-attack; sid:2004390; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (id .bigmir .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".id.bigmir.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006687; classtype:web-application-attack; sid:2006687; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (i .ua-passport .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".i.ua-passport.space"; endswith; fast_pattern; reference:url,www.bleepingcomputer.com/news/security/ukraine-links-phishing-targeting-military-to-belarusian-hackers/; classtype:trojan-activity; sid:2035302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006688; classtype:web-application-attack; sid:2006688; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Downloader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /joking.html HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.host; content:".ru"; endswith; reference:md5,d6b182c825d961154b5415de1a061ae0; classtype:trojan-activity; sid:2035291; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006689; classtype:web-application-attack; sid:2006689; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected PlugX Checkin Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[a-zA-z]{14}\//U"; content:"/update.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,ab96e541284afe6ffc3fcf4d05bc971e; reference:url,twitter.com/vupt_bka/status/1497147010927194112; classtype:trojan-activity; sid:2035292; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006690; classtype:web-application-attack; sid:2006690; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/[a-zA-z]{14}\//U"; content:"/plplpMj.php"; endswith; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; content:!"Referer"; http.request_body; content:"1="; startswith; reference:md5,ab96e541284afe6ffc3fcf4d05bc971e; reference:url,twitter.com/vupt_bka/status/1497147010927194112; classtype:trojan-activity; sid:2035293; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_25, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006691; classtype:web-application-attack; sid:2006691; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Suspicious SVCCTL CreateService Command via SMB - Observed Zerologon Post Compromise Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; fast_pattern; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; reference:md5,59e7f22d2c290336826700f05531bd30; classtype:attempted-admin; sid:2035287; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_25, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iFile="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006692; classtype:web-application-attack; sid:2006692; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert smb any any -> $HOME_NET 445 (msg:"ET EXPLOIT CreateService via SMB to Reset-ComputerMachinePassword - Observed Post Zerologon Activity"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|00|R|00|e|00|s|00|e|00|t|00|-|00|C|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00|M|00|a|00|c|00|h|00|i|00|n|00|e|00|P|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; distance:0; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035285; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2022_02_24, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_02_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006694; classtype:web-application-attack; sid:2006694; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Nessus Server SSL certificate detected"; flow:established,to_client; tls.cert_issuer; content:"OU=Nessus Certification Authority"; fast_pattern; classtype:bad-unknown; sid:2013298; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_02_26;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006695; classtype:web-application-attack; sid:2006695; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (0sh .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"0sh.org"; bsize:7; fast_pattern; classtype:bad-unknown; sid:2035304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006696; classtype:web-application-attack; sid:2006696; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (prourl .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"prourl.in"; bsize:9; fast_pattern; classtype:bad-unknown; sid:2035305; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006697; classtype:web-application-attack; sid:2006697; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"community.chocolatey.org"; bsize:24; fast_pattern; classtype:bad-unknown; sid:2035303; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, signature_severity Informational, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006698; classtype:web-application-attack; sid:2006698; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Chocolatey Windows Package Management Installation File Retrieval"; flow:established,to_server; http.request_line; content:"GET /install.ps1 HTTP/1.1"; http.host; content:"community.chocolatey.org"; fast_pattern; bsize:24; classtype:bad-unknown; sid:2035306; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"action="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006699; classtype:web-application-attack; sid:2006699; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SunSeed Lua Downloader Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^\/[0-9]{9,10}$/"; http.header_names; content:"|0d 0a|host|0d 0a|te|0d 0a|connection|0d 0a|user-agent|0d 0a 0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.user_agent; content:"LuaSocket|20|"; fast_pattern; startswith; classtype:trojan-activity; sid:2035360; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006700; classtype:web-application-attack; sid:2006700; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SunSeed Downloader Retrieving Binary (set)"; flow:established,to_server; flowbits:set,ETPRO.SunSeed.Downloader; flowbits:noalert; http.request_line; content:"GET / HTTP/1.1"; http.user_agent; content:"Windows Installer"; bsize:17; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; classtype:trojan-activity; sid:2035361; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006701; classtype:web-application-attack; sid:2006701; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SunSeed Download Retrieving Binary"; flow:established,to_client; flowbits:isset,ETPRO.SunSeed.Downloader; http.response_line; content:"HTTP/1.1 200 OK"; http.header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; content:".msi|0d 0a|"; distance:0; file.data; content:"http.lua"; fast_pattern; classtype:trojan-activity; sid:2035362; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006702; classtype:web-application-attack; sid:2006702; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PurpleFox Backdoor Related Domain in DNS Lookup (qq .c1c .ren)"; dns.query; content:"qq.c1c.ren"; nocase; bsize:10; reference:md5,757e04a9da1083b797b9dadc94300937; reference:url,twitter.com/0xrb/status/1496747426505531398; classtype:domain-c2; sid:2035307; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006703; classtype:web-application-attack; sid:2006703; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Trickbot Checkin Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/plain"; bsize:10; http.header; content:"Content-Length|3a 20|3|0d 0a|"; fast_pattern; nocase; file.data; content:"/1/"; depth:3; endswith; reference:md5,5d2d59d6cbff1dc1d108bdcae0294c51; classtype:command-and-control; sid:2032218; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006704; classtype:web-application-attack; sid:2006704; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html"; endswith; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,dddd77f42bfb365f36762ad4db4a741e; reference:md5,f4e7c05fde022ec76f8c2f0a4cf2e1b3; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035309; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iType="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6365; reference:url,www.securityfocus.com/bid/14034; reference:url,doc.emergingthreats.net/2006705; classtype:web-application-attack; sid:2006705; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Referer"; http.user_agent; content:!"Android"; content:!"Linux"; reference:md5,dddd77f42bfb365f36762ad4db4a741e; reference:md5,f4e7c05fde022ec76f8c2f0a4cf2e1b3; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006706; classtype:web-application-attack; sid:2006706; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-email .space)"; dns.query; dotprefix; content:".creditals-email.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035316; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006707; classtype:web-application-attack; sid:2006707; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (ua-passport .space)"; dns.query; dotprefix; content:".ua-passport.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035317; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006708; classtype:web-application-attack; sid:2006708; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mil-gov .space)"; dns.query; dotprefix; content:".mil-gov.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035318; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006709; classtype:web-application-attack; sid:2006709; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-email .space)"; dns.query; dotprefix; content:".verify-email.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035319; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006710; classtype:web-application-attack; sid:2006710; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-konta .space)"; dns.query; dotprefix; content:".weryfikacja-konta.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"iCity="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6355; reference:url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded; reference:url,doc.emergingthreats.net/2006711; classtype:web-application-attack; sid:2006711; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (konto-verify .space)"; dns.query; dotprefix; content:".konto-verify.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035321; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006712; classtype:web-application-attack; sid:2006712; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-uzytkownika .space)"; dns.query; dotprefix; content:".walidacja-uzytkownika.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035322; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006715; classtype:web-application-attack; sid:2006715; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .space)"; dns.query; dotprefix; content:".kontrola-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035323; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006713; classtype:web-application-attack; sid:2006713; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (weryfikacja-poczty .space)"; dns.query; dotprefix; content:".weryfikacja-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035324; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006714; classtype:web-application-attack; sid:2006714; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (walidacja-poczty .space)"; dns.query; dotprefix; content:".walidacja-poczty.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035325; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006716; classtype:web-application-attack; sid:2006716; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (bigmir .space)"; dns.query; dotprefix; content:".bigmir.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035326; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"iNews="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6354; reference:url,www.securityfocus.com/bid/15681; reference:url,doc.emergingthreats.net/2006717; classtype:web-application-attack; sid:2006717; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .site)"; dns.query; dotprefix; content:".mod-mil.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035327; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-Shop Shopping Cart Script search_results.php SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/search_results.php?cid="; nocase; pcre:"/UNION.+SELECT/i"; reference:bugtraq,30692; reference:url,doc.emergingthreats.net/2008684; classtype:web-application-attack; sid:2008684; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirrohost .space)"; dns.query; dotprefix; content:".mirrohost.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035328; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank SELECT"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004624; classtype:web-application-attack; sid:2004624; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .online)"; dns.query; dotprefix; content:".mirohost.online"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035329; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UNION SELECT"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004625; classtype:web-application-attack; sid:2004625; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (meta-ua .space)"; dns.query; dotprefix; content:".meta-ua.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035330; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank INSERT"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004626; classtype:web-application-attack; sid:2004626; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mod-mil .online)"; dns.query; dotprefix; content:".mod-mil.online"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035331; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank DELETE"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004627; classtype:web-application-attack; sid:2004627; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (kontrola-poczty .site)"; dns.query; dotprefix; content:".kontrola-poczty.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035332; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank ASCII"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004628; classtype:web-application-attack; sid:2004628; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (creditals-mirohost .space)"; dns.query; dotprefix; content:".creditals-mirohost.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035333; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE"; flow:established,to_server; http.uri; content:"/listmembers.php?"; nocase; content:"rank="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3077; reference:url,www.milw0rm.com/exploits/4030; reference:url,doc.emergingthreats.net/2004629; classtype:web-application-attack; sid:2004629; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (verify-mail .space)"; dns.query; dotprefix; content:".verify-mail.space"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035334; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/application/views/public/commentform.php?"; nocase; content:"tpl_base_dir="; nocase; pcre:"/tpl_base_dir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/13890/; reference:url,vupen.com/english/advisories/2010/1497; reference:bugtraq,40881; reference:url,doc.emergingthreats.net/2011725; classtype:web-application-attack; sid:2011725; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain in DNS Lookup (mirohost .site)"; dns.query; dotprefix; content:".mirohost.site"; nocase; endswith; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035335; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005268; classtype:web-application-attack; sid:2005268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-email .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".creditals-email.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035336; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005269; classtype:web-application-attack; sid:2005269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (ua-passport .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".ua-passport.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035337; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword INSERT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005270; classtype:web-application-attack; sid:2005270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mil-gov .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mil-gov.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035338; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword DELETE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005271; classtype:web-application-attack; sid:2005271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-email .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verify-email.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035339; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ASCII"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005272; classtype:web-application-attack; sid:2005272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-konta .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".weryfikacja-konta.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035340; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"keyword="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0403; reference:url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded; reference:url,doc.emergingthreats.net/2005273; classtype:web-application-attack; sid:2005273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (konto-verify .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".konto-verify.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005274; classtype:web-application-attack; sid:2005274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-uzytkownika .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".walidacja-uzytkownika.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035342; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UNION SELECT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005275; classtype:web-application-attack; sid:2005275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kontrola-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035343; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row INSERT"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005276; classtype:web-application-attack; sid:2005276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (weryfikacja-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".weryfikacja-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035344; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row DELETE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005277; classtype:web-application-attack; sid:2005277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (walidacja-poczty .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".walidacja-poczty.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035345; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ASCII"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005278; classtype:web-application-attack; sid:2005278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /set.lgo/"; startswith; fast_pattern; content:!".php"; content:!".asp"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; reference:md5,30342cff84f9b4ea94b0415cd26e2ee2; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035312; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE"; flow:established,to_server; http.uri; content:"/admin/memberlist.php?"; nocase; content:"init_row="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0401; reference:url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded; reference:url,doc.emergingthreats.net/2005279; classtype:web-application-attack; sid:2005279; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (bigmir .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".bigmir.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035346; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS page.php intpageID parameter sql injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/page.php?"; nocase; content:"intPageID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008883; classtype:web-application-attack; sid:2008883; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mod-mil.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035347; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS subcategory.php intSubCategoryID parameter sql injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"subcategory.php?"; nocase; content:"intSubCategoryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008884; classtype:web-application-attack; sid:2008884; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirrohost .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirrohost.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035348; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easyedit CMS news.php intPageID parameter sql injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"news.php?"; nocase; content:"intPageID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32822/; reference:url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt; reference:url,doc.emergingthreats.net/2008885; classtype:web-application-attack; sid:2008885; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .online in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirohost.online"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035349; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005039; classtype:web-application-attack; sid:2005039; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (meta-ua .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".meta-ua.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035350; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UNION SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005040; classtype:web-application-attack; sid:2005040; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mod-mil .online in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mod-mil.online"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035351; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i INSERT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005041; classtype:web-application-attack; sid:2005041; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (kontrola-poczty .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".kontrola-poczty.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035352; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i DELETE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005042; classtype:web-application-attack; sid:2005042; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (creditals-mirohost .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".creditals-mirohost.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035353; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i ASCII"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005043; classtype:web-application-attack; sid:2005043; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (verify-mail .space in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verify-mail.space"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035354; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"i="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005045; classtype:web-application-attack; sid:2005045; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Suspected TA445 Spearphishing Related Domain (mirohost .site in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".mirohost.site"; endswith; fast_pattern; reference:url,otx.alienvault.com/pulse/621cce4e2752128dbfe537ed; classtype:credential-theft; sid:2035355; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005044; classtype:web-application-attack; sid:2005044; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo CnC Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /index.arc/"; startswith; fast_pattern; content:!".php"; content:!".asp"; http.header_names; content:!"Referer"; http.user_agent; content:!"Linux"; content:!"Android"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; reference:md5,0d7d8cc1756b932854e20dbe5d233afd; reference:url,twitter.com/h2jazi/status/1498017819539116033; classtype:trojan-activity; sid:2035311; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005046; classtype:web-application-attack; sid:2005046; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET USER_AGENTS Suspcious LeakIX User-Agent (l9explore)"; flow:established,to_server; http.user_agent; content:"l9explore"; startswith; fast_pattern; reference:url,ithub.com/LeakIX/l9format; classtype:bad-unknown; sid:2035314; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2022_02_28, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id INSERT"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005047; classtype:web-application-attack; sid:2005047; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linux/Attempted Hosts File Exfil"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?url=file|3a 2f 2f 2f|etc|2f|hosts"; endswith; http.header_names; content:!"Referer"; classtype:attempted-admin; sid:2035315; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2022_02_28, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id DELETE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005048; classtype:web-application-attack; sid:2005048; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-stream $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/Agent.UHC CnC Activity"; flow:established,to_client; stream_size:client,<,40; content:"|2e 2e 61 58 63 66|"; fast_pattern; reference:md5,042261407926beaaf0e3ed8bba5307cc; classtype:command-and-control; sid:2034219; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_10_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id ASCII"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005049; classtype:web-application-attack; sid:2005049; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BigLock Ransomware CnC Activity (gen)"; flow:established,to_server; content:"|0d 0a 0d 0a|gen="; fast_pattern; http.request_body; content:!"&syncID="; nocase; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header_names; content:!"Referer"; content:!"Pragma"; content:!"Cache-"; reference:md5,ca9f28f5ae85fd014cbf07041117a735; classtype:command-and-control; sid:2030183; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_05_19, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family BigLock, signature_severity Major, tag Ransomware, updated_at 2022_02_28, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/add_comment.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005050; classtype:web-application-attack; sid:2005050; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Snugy DNS Backdoor CnC Activity (Hostname Send)"; dns.query; bsize:>22; content:"266"; offset:3; depth:8; pcre:"/^[zjr9x]{1}[tmdhpz]{1}[0-9a-z]{1,6}266(?:[a-zA-Z0-9]{1,6})?+\./"; content:!".trendmicro.com"; content:!"cnr.io"; endswith; reference:url,unit42.paloaltonetworks.com/xhunt-campaign-backdoors/; classtype:command-and-control; sid:2031194; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i SELECT"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005051; classtype:web-application-attack; sid:2005051; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PurpleFox Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /i.php?i="; fast_pattern; startswith; http.user_agent; content:"Windows Installer"; bsize:17; http.header_names; content:!"Referer"; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; reference:md5,7f757563585debbbccc3e34664de04fe; reference:md5,c793425d192af8f89b1b8c7e1ea6f792; reference:url,twitter.com/Max_Mal_/status/1498351091066589184; classtype:trojan-activity; sid:2035313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_02_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UNION SELECT"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005052; classtype:web-application-attack; sid:2005052; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page 2022-03-01"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"method|3d 22|post|22 20|action|3d 22 2e 2f|index|2e|aspx|3f|code|3d|"; fast_pattern; content:"id|3d 22 5f 5f|VIEWSTATE|22|"; distance:0; content:"id|3d 22 5f 5f|VIEWSTATEGENERATOR|22|"; distance:0; content:"type|3d 22|password|22|"; distance:0; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035369; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i INSERT"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005053; classtype:web-application-attack; sid:2005053; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish Landing Page 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.aspx?code="; fast_pattern; pcre:"/[a-z0-9]{32}/Ri"; http.content_len; byte_test:0,>=,2000,0,string,dec; http.request_body; content:"__VIEWSTATE="; content:"&__VIEWSTATEGENERATOR="; distance:2000; reference:md5,121de0ed6f4ec91eb75bae5ef1d9765b; classtype:credential-theft; sid:2035377; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i DELETE"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005054; classtype:web-application-attack; sid:2005054; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected PlugX Checkin Activity (udp)"; dsize:24; content:"|30 00|"; startswith; content:"|00 00 00 bf 68|"; distance:1; within:5; content:"|00 04 00 00 00 10 00 00 00 00 00 00|"; distance:4; within:12; fast_pattern; threshold: type limit, count 1, seconds 20, track by_src; reference:md5,3db876a7ab11ce98687d381ec9207256; reference:md5,98b2faafb027cc4c225d9de1616f430c; reference:url,twitter.com/0xrb/status/1496747426505531398; classtype:trojan-activity; sid:2035308; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_28, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i ASCII"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005055; classtype:web-application-attack; sid:2005055; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Daxin CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php?htpmgcid="; startswith; fast_pattern; http.header_names; content:"Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; content:!"Referer"; reference:md5,fb7c61ef427f9b2fdff3574ee6b1819b; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage; classtype:command-and-control; sid:2035365; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE"; flow:established,to_server; http.uri; content:"/list_comments.php?"; nocase; content:"i="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0759; reference:url,www.securityfocus.com/bid/22369; reference:url,doc.emergingthreats.net/2005056; classtype:web-application-attack; sid:2005056; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M3"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|source|22 0d 0a 0d 0a|"; distance:0; content:"|20|cookies|0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035357; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId SELECT"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006554; classtype:web-application-attack; sid:2006554; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Maldoc Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"|3a 3a|"; content:"_"; distance:0; content:"|3a 3a|/."; distance:0; fast_pattern; http.header_names; content:!"Referer"; reference:md5,cc088f6cdcc6536404d1527f5addbde6; reference:md5,3543111b570bd274ba5d0f1a10268c84; reference:url,twitter.com/500mk500/status/1497837117572980740; classtype:trojan-activity; sid:2035363; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UNION SELECT"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006555; classtype:web-application-attack; sid:2006555; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Malicious Filename in Outbound POST Request (Browsers/Cookies/Microsoft Edge_)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Browsers/Cookies/Microsoft Edge_"; fast_pattern; reference:md5,758f815f3775e1b063eba3ab33479a9f; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035366; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId INSERT"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006556; classtype:web-application-attack; sid:2006556; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Information.txt"; fast_pattern; reference:md5,50f2b28aba4d4cb47544bcc98980a63e; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035367; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category HUNTING, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId DELETE"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006557; classtype:web-application-attack; sid:2006557; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET [465,993] (msg:"ET JA3 HASH - Possible AnchorMail CnC Traffic"; flow:established,to_server; ja3.hash; content:"c216e752cae6f8755fd27f561d031636"; reference:url,securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/; reference:md5,139e70aa7f26f998c1058c270a51783d; classtype:command-and-control; sid:2035359; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category JA3, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId ASCII"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006558; classtype:web-application-attack; sid:2006558; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Telegram Activity"; flow:established,to_server; http.uri; content:"/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/"; fast_pattern; startswith; http.host; content:"api.telegram.com"; bsize:16; reference:url,www.ic3.gov/Media/News/2022/220224.pdf; classtype:trojan-activity; sid:2035364; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE"; flow:established,to_server; http.uri; content:"/sptrees/default.aspx?"; nocase; content:"docId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6486; reference:url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded; reference:url,doc.emergingthreats.net/2006559; classtype:web-application-attack; sid:2006559; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?username="; bsize:<16; startswith; fast_pattern; pcre:"/^\/\x3fusername\x3d[a-z0-9]{2,3}_\d$/U"; http.connection; content:"Keep-Alive"; http.header_names; content:!"Referer"; content:!"User-Agent"; content:!"Accept"; reference:md5,f1006f3968f9edf76090e34702e647e6; reference:url,asec.ahnlab.com/ko/31703; classtype:trojan-activity; sid:2035368; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EasySiteNetwork Riddles Complete Website riddle.php riddleid Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/riddle.php?"; nocase; content:"riddleid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,29966; reference:url,milw0rm.com/exploits/5946; reference:url,doc.emergingthreats.net/2009366; classtype:web-application-attack; sid:2009366; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|data|22 0d 0a 0d 0a|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|source|22 0d 0a 0d 0a|"; distance:0; content:"|20|passwords|0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035356; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Easynet4u Link Host directory.php cat_id parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/directory.php?"; nocase; content:"ax=list"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31717; reference:url,www.milw0rm.com/exploits/6728; reference:url,doc.emergingthreats.net/2009117; classtype:web-application-attack; sid:2009117; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trickbot Data Exfiltration M4"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"multipart/form-data|3b 20|boundary=---------"; startswith; bsize:55; pcre:"/^[A-Z]{16}$/R"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|formdata|22 0d 0a 0d 0a 7b|"; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|billinfo|22 0d 0a 0d 0a 7b|"; distance:0; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|cardinfo|22 0d 0a 0d 0a 7b|"; distance:0; fast_pattern; reference:url,www.malware-traffic-analysis.net/2021/09/01/index.html; classtype:command-and-control; sid:2035358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_01, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005985; classtype:web-application-attack; sid:2005985; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/case"; bsize:5; fast_pattern; http.cookie; content:"wordpress_52345768e930f1ec699e4f12ab015a4f="; startswith; http.header_names; content:!"Referer"; http.header; content:"User-Agent|3a 20|Opera/9.61|20|(Windows|20|NT|20|5.1|3b 20|U|3b 20|ru)|20|Presto/2.1.1"; reference:md5,6b8d63299b70fb04a71bcadcf2f5f72b; reference:md5,2069c823d67e2d5d59606b3d8f6a7e22; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:trojan-activity; sid:2035370; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_02, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005986; classtype:web-application-attack; sid:2005986; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/jquery-3.3.2.min.js?__cfduid="; startswith; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|"; reference:url,twitter.com/Unit42_Intel/status/1498802280992227330?s=20&t=iDY6vP8NF3muXpkS4ERenw; classtype:trojan-activity; sid:2035376; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup INSERT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005987; classtype:web-application-attack; sid:2005987; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miras C2 Activity"; flow:established,to_server; dsize:<1000; content:"|36 36 36 36 58 36 36 36|"; offset:2; depth:8; reference:md5,98a3a68f76ed2eba763eb7bfb6648562; classtype:command-and-control; sid:2018979; rev:3; metadata:created_at 2014_08_22, former_category MALWARE, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup DELETE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005988; classtype:web-application-attack; sid:2005988; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Royal Bank of Canada Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgibin/rbaccess/"; fast_pattern; http.request_body; content:"username="; content:"&password="; distance:0; reference:md5,e29fe69e683c7c04e9b14e46cdfd2e17; classtype:credential-theft; sid:2035378; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup ASCII"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005989; classtype:web-application-attack; sid:2005989; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947) (set)"; flow:established,to_server; flowbits:set,ET.vmware.2022.22947; http.request_line; content:"POST /actuator/gateway/routes/"; startswith; fast_pattern; http.request_body; content:"|22|filters|22 3a|"; nocase; content:"|22 23 7b|"; within:115; reference:cve,2022-22947; classtype:attempted-admin; sid:2035380; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_22947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"grup="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005990; classtype:web-application-attack; sid:2005990; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMware Spring Cloud Gateway Code Injection (CVE-2022-22947)"; flow:established,to_server; flowbits:isset,ET.vmware.2022.22947; http.request_line; content:"POST /actuator/gateway/refresh"; startswith; fast_pattern; http.request_body; content:"|22|filters|22 3a|"; nocase; content:"|22 23 7b|"; within:115; reference:cve,2022-22947; classtype:attempted-admin; sid:2035381; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_22947, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005991; classtype:web-application-attack; sid:2005991; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kimsuky APT BabyShark Related Domain in DNS Lookup (worldinfocontact .club)"; dns.query; content:"worldinfocontact.club"; nocase; bsize:21; reference:md5,fe3ad944d07b66c83dc433c39fc054f4; reference:url,www.huntress.com/blog/targeted-apt-activity-babyshark-is-out-for-blood; classtype:domain-c2; sid:2035374; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005992; classtype:web-application-attack; sid:2005992; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DangerousPassword APT Related Domain (cop .osonlines .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"cop.osonlines.co"; bsize:16; fast_pattern; reference:url,twitter.com/cyber__sloth/status/1498698178585104385; classtype:domain-c2; sid:2035382; rev:1; metadata:created_at 2022_03_02, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005993; classtype:web-application-attack; sid:2005993; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DangerousPassword APT Related  Domain in DNS Lookup"; dns.query; content:"cop.osonlines.co"; nocase; bsize:16; reference:url,twitter.com/cyber__sloth/status/1498698178585104385; classtype:domain-c2; sid:2035383; rev:1; metadata:created_at 2022_03_02, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005994; classtype:web-application-attack; sid:2005994; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mtl"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,11d19db057c4eee965878dd92181803e; reference:url,twitter.com/500mk500/status/1498769941998223366; classtype:trojan-activity; sid:2035375; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005995; classtype:web-application-attack; sid:2005995; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M1"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"InVzZXJuYW1lX2F0dHJpYnV0ZSI6"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035371; rev:2; metadata:attack_target Server, created_at 2022_03_02, cve CVE_2022_23131, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005996; classtype:web-application-attack; sid:2005996; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M2"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"J1c2VybmFtZV9hdHRyaWJ1dGUiO"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035372; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005997; classtype:web-application-attack; sid:2005997; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zabbix v5.4.0 - 5.4.8 SSO/SALM Auth Bypass (CVE-2022-23131) M3"; flow:established,to_server; http.uri; content:"/index_sso.php"; startswith; http.cookie; content:"zbx_session="; content:"idXNlcm5hbWVfYXR0cmlidXRlIj"; distance:0; fast_pattern; pcre:"/(?:InNhbWxfZGF0YS|JzYW1sX2RhdGEi|ic2FtbF9kYXRhI)/"; reference:url,blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference:cve,2022-23131; classtype:trojan-activity; sid:2035373; rev:2; metadata:created_at 2022_03_02, cve CVE_2022_23131, updated_at 2022_03_02;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005998; classtype:web-application-attack; sid:2005998; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PurpleFox Related Domain in DNS Lookup"; dns.query; content:"oip.xioerabn.site"; nocase; bsize:17; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:domain-c2; sid:2035384; rev:1; metadata:attack_target Client_and_Server, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id INSERT"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2005999; classtype:web-application-attack; sid:2005999; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/PurpleFox Retrieving File (GET)"; flow:established,to_server; http.request_line; content:"GET /conf.dat HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE 6.0|3b 20|Windows|20|NT|20|5.0)"; bsize:50; http.header_names; content:!"Referer"; reference:md5,57b8bccf9cb8592ae86b4453cf74b4e8; classtype:trojan-activity; sid:2035385; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id DELETE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006000; classtype:web-application-attack; sid:2006000; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/PlugX Related Domain in DNS Lookup"; dns.query; content:"aoisudoisadn.kkb.tv"; nocase; bsize:19; reference:md5,1634d4a7ffdd698f6ccb541719fbff5c; reference:url,twitter.com/0xrb/status/1499287458500194304; classtype:domain-c2; sid:2035386; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id ASCII"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006001; classtype:web-application-attack; sid:2006001; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Domain in DNS Lookup"; dns.query; content:"diet-days.com"; nocase; bsize:13; reference:md5,b76199c0aaaa9c676ac7c6041f73be57; classtype:domain-c2; sid:2035394; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE"; flow:established,to_server; http.uri; content:"/admin.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6828; reference:url,www.frsirt.com/english/advisories/2006/5150; reference:url,doc.emergingthreats.net/2006002; classtype:web-application-attack; sid:2006002; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA402/Molerats Related Domain in DNS Lookup"; dns.query; content:"socialskinclub.com"; nocase; bsize:18; reference:md5,b76199c0aaaa9c676ac7c6041f73be57; classtype:domain-c2; sid:2035395; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006159; classtype:web-application-attack; sid:2006159; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BumbleBee Loader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gate HTTP/1.1"; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; http.request_body; content:"|22|client_id|22|"; content:"|22|group_name|22|"; distance:0; content:"|22|sys_version|22|"; distance:0; content:"User name|3a 20|"; distance:0; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; classtype:trojan-activity; sid:2035387; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006160; classtype:web-application-attack; sid:2006160; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (jaxebiridi .com)"; dns.query; content:"jaxebiridi.com"; nocase; bsize:14; reference:md5,07d3e518022aec38af7cb4cb709fd4e3; reference:md5,1cd603a9c0f9f251552e070d16591bef; classtype:domain-c2; sid:2035388; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006161; classtype:web-application-attack; sid:2006161; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wp-includes/RELEASE.gif HTTP/1.1"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (Linux|3b 20|Android 6.0|3b 20|HTC One X10 Build/MRA58K|3b 20|wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0"; bsize:113; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Host|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Connection|0d 0a 0d 0a|"; bsize:57; reference:md5,07d3e518022aec38af7cb4cb709fd4e3; reference:md5,1cd603a9c0f9f251552e070d16591bef; classtype:trojan-activity; sid:2035389; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006162; classtype:web-application-attack; sid:2006162; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/descent.php?id="; startswith; fast_pattern; http.header_names; content:!"Referer"; http.request_body; content:"name="; startswith; content:"_"; distance:0; content:"&count="; distance:8; reference:md5,8184d72f1ce59bba32afc7a2b5953d52; classtype:trojan-activity; sid:2035390; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006163; classtype:web-application-attack; sid:2006163; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Arkei Stealer CnC Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tratata.php"; startswith; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; http.header; content:"Cache-Control: no-cache"; reference:url,blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu; classtype:trojan-activity; sid:2035392; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"grup="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6794; reference:url,www.securityfocus.com/bid/21726; reference:url,doc.emergingthreats.net/2006164; classtype:web-application-attack; sid:2006164; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Arkei Stealer CnC Checkin (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/tratata.php"; startswith; bsize:12; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; http.header; content:"Cache-Control: no-cache"; reference:url,blogs.blackberry.com/en/2022/02/threat-thursday-arkei-infostealer?utm_medium=social&utm_source=bambu; classtype:trojan-activity; sid:2035393; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/WorkArea/reterror.aspx?"; nocase; content:"info="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011153; classtype:web-application-attack; sid:2011153; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".maxc"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer"; reference:md5,8842acb150e1625ff20a84190073ece6; reference:url,twitter.com/500mk500/status/1498769941998223366; classtype:trojan-activity; sid:2035391; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/workarea/medialist.aspx?"; nocase; content:"selectids="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bugtraq,39679; reference:url,secunia.com/advisories/39547/; reference:url,doc.emergingthreats.net/2011154; classtype:web-application-attack; sid:2011154; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Multiple User-Agent Components in a single UA"; flow:established,to_server; http.user_agent; content:"Compatible|3b 20|"; nocase; content:"Compatible|3b 20|"; nocase; distance:0; content:"MSIE|20|"; nocase; content:"MSIE|20|"; distance:0; nocase; fast_pattern; content:"|20|Windows|20|NT|20|"; nocase; content:"|20|Windows|20|NT|20|"; distance:0; nocase; reference:md5,0fc3d71e211f8d5101311d2800c459f7; classtype:misc-activity; sid:2035396; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php SELECT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006449; classtype:web-application-attack; sid:2006449; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Microsoft Credential Phish 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"username|3a 20|this|2e|email"; content:"password|3a 20|this|2e|password"; distance:0; content:"from|3a 20 22|Microsoft|20|Login|22|"; distance:0; content:"this|2e|error|20 3d 20 22|An|20|error|20|occured|2c 20|please|20|check|20|input|20|and|20|try|20|again|22 3b|"; distance:0; content:"this|2e|submitCount"; distance:0; content:"window|2e|location|2e|replace|28|"; distance:0; classtype:credential-theft; sid:2035453; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_04, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UNION SELECT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006450; classtype:web-application-attack; sid:2006450; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; http.method; content:"POST"; nocase; http.host; content:!".bitdefender.net"; http.content_len; byte_test:0,<=,200,0,string,dec; http.request_body; content:"id="; nocase; startswith; content:"&cn="; nocase; content:"&bid="; nocase; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,doc.emergingthreats.net/2010875; classtype:command-and-control; sid:2010875; rev:13; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_03_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006451; classtype:web-application-attack; sid:2006451; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET MALWARE CobaltStrike DNS Beacon Response"; content:"|81 80 00 01 00 01 00 00 00 00|"; offset:2; depth:10; content:"|c0 0c 00 01 00 01 00 00 00 00 00 04 00 00 00 00|"; endswith; threshold: type both, count 10, seconds 90, track by_dst; content:!"|06|nessus|03|org"; content:!"trr|03|dns|07|nextdns|02|io"; content:!"|08|cloudapp|03|net"; reference:url,www.youtube.com/watch?v=zAB5G-QOyx8; classtype:targeted-activity; sid:2026040; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_28, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, tag c2, updated_at 2022_03_05, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php DELETE"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006452; classtype:web-application-attack; sid:2006452; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (Log Poisoning) (CVE-2020-16152) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.php5"; http.request_body; content:"|3c 3f|php|20|system|28 24 5f|POST|5b 27|"; nocase; fast_pattern; reference:cve,2020-16152; classtype:attempted-admin; sid:2035401; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php ASCII"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006453; classtype:web-application-attack; sid:2006453; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Extreme Networks ExtremeWireless Aerohive HiveOS and IQ Engine (LFI) (CVE-2020-16152) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/action.php5"; http.request_body; content:"|2f 2e 2e 2f 2e 2e|"; fast_pattern; content:"/tmp/messages"; reference:cve,2020-16152; classtype:attempted-admin; sid:2035402; rev:2; metadata:attack_target Server, created_at 2022_03_07, cve CVE_2020_16152, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE"; flow:established,to_server; http.uri; content:"/mod_banners.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3250; reference:url,www.securityfocus.com/bid/24478; reference:url,doc.emergingthreats.net/2006454; classtype:web-application-attack; sid:2006454; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed IP Tracking Domain (grabify .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"grabify.link"; bsize:12; fast_pattern; classtype:bad-unknown; sid:2035419; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID SELECT"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006135; classtype:web-application-attack; sid:2006135; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Azure Automation Authentication Bypass"; flow:established,to_server; http.uri; content:"/oauth2/token"; http.request_body; content:"resource"; content:"management.azure.com"; within:60; fast_pattern; http.header; content:"metadata"; nocase; content:!"X-IDENTITY-HEADER"; nocase; reference:url,orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/; classtype:attempted-admin; sid:2035403; rev:2; metadata:attack_target Server, created_at 2022_03_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006136; classtype:web-application-attack; sid:2006136; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/BlackGuard Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?user="; content:"&coockieCount="; distance:0; fast_pattern; content:"&searche="; distance:0; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 28|"; content:"|29 5f 5b|"; within:255; content:"|5d 2e|"; within:255; content:"|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; within:53; reference:url,app.any.run/tasks/3c8c54c1-d39f-4a14-af0c-242fd364ef15/; reference:md5,bb5f22fc74149158b637a2bac5064ddb; classtype:command-and-control; sid:2035398; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID INSERT"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006137; classtype:web-application-attack; sid:2006137; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Skimmer Inbound (Likely MageCart) M2"; flow:established,to_client; http.response_body; content:"W1sibmFtZSIsICJmaXJzdG5hbWUiL"; offset:50; depth:40; fast_pattern; content:"WyJuYW1lIiwgImxhc3RuYW1lIiw"; distance:0; content:"WyJuYW1lIiwgInN0cmVldFs"; distance:0; content:"WyJpZCIsICJhdXRobmV0Y2ltLWNjLW51bWJlciIs"; distance:0; content:"BbImlkIiwgImF1dGhuZXRjaW0tY2MtZXhwLXllYXI"; distance:0; reference:url,twitter.com/felixaime/status/1500812201262829568?s=20&t=xfD8gOOJuH7IZav4YxGkcw; reference:md5,a41474baac5a91c8033cfee943cea903; classtype:trojan-activity; sid:2035400; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, malware_family MageCart, signature_severity Major, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ASCII"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006139; classtype:web-application-attack; sid:2006139; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SystemBC Powershell bot registration"; flow:established,to_server; dsize:100; content: "|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31|"; offset: 0; depth: 50; reference:md5,d1fb59de13a2394622c84aca8d963071; reference:url,medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c; classtype:command-and-control; sid:2035399; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/newsdetail.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6806; reference:url,www.milw0rm.com/exploits/2990; reference:url,doc.emergingthreats.net/2006140; classtype:web-application-attack; sid:2006140; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TA445/Ghostwrite APT Related Domain in DNS Lookup (xbeta .online)"; dns.query; content:"xbeta.online"; nocase; bsize:12; reference:url,cert.gov.ua/article/37626; reference:md5,e34d6387d3ab063b0d926ac1fca8c4c4; reference:url,twitter.com/h2jazi/status/1500607147989684224; classtype:domain-c2; sid:2035404; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id SELECT"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006147; classtype:web-application-attack; sid:2006147; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/BlackGuard Stealer Variant Exfil via Telegram"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bot"; depth:4; content:"/sendDocument?chat_id="; distance:0; content:"&caption="; distance:0; content:"|e2 9a 99 ef b8 8f 20|Windows|20|"; distance:0; fast_pattern; content:"BROWSER|3a 0a|"; distance:0; content:"|0a 0a 20|Link|20|"; distance:0; http.host; content:"api.telegram.org"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|document|22 3b 20|filename|3d 22|"; content:".zip|22 0d 0a|Content-Type|3a 20|application/x-ms-dos-executable"; distance:0; reference:md5,d4e02002916f18576204a3f1722a958b; reference:md5,eb6c563af372d1af92ac2b60438d076d; reference:md5,ae84bf01058b29c178ae724df445c0c8; reference:url,twitter.com/3xp0rtblog/status/1499748871362261001; classtype:command-and-control; sid:2035397; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_07, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family BlackGuard, performance_impact Low, signature_severity Major, tag Stealer, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UNION SELECT"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006148; classtype:web-application-attack; sid:2006148; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; file.data; content:"|22|https|3a 2f 2f|webhook.site/3cc37709-f3bd-47bf-8b79-f090f0e8075b"; fast_pattern; reference:url,blog.google/threat-analysis-group/update-threat-landscape-ukraine/; classtype:credential-theft; sid:2035405; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, malware_family APT28, malware_family Fancy_Bear, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id INSERT"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006149; classtype:web-application-attack; sid:2006149; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING FancyBear/APT28 Related Phish Landing Page 2022-03-08"; flow:established,to_client; http.response_line; content:"HTTP/1.1 200 OK"; file.data; content:"|22|https|3a 2f 2f|webhook.site/d466f7a7-63a1-4c04-8347-fe2d0a96081f"; fast_pattern; reference:url,blog.google/threat-analysis-group/update-threat-landscape-ukraine/; classtype:credential-theft; sid:2035406; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category PHISHING, malware_family APT28, malware_family Fancy_Bear, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id DELETE"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006150; classtype:web-application-attack; sid:2006150; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual/STARWHALE Beacon Activity (POST)"; flow:established,to_server; urilen:>15; http.method; content:"POST"; http.uri; content:!".asp"; content:!".php"; content:!".htm"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.header_names; content:"|0d 0a|CharSet|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.request_body; content:"vl="; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035407; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family TA450, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ASCII"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006151; classtype:web-application-attack; sid:2006151; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ArmyOfUkraine Bot Activity"; flow:established,to_server; http.method; content:"GET"; http.request_line; content:"GET / HTTP/1.1"; bsize:14; http.header; content:"accept|3a 20 2a 2f 2a 0d 0a|"; content:"host|3a|"; http.host; content:".ru"; endswith; http.header_names; content:"|0d 0a|accept|0d 0a|host|0d 0a 0d 0a|"; fast_pattern; bsize:18; threshold:type both, seconds 600, count 20, track by_src; reference:md5,62d49fed7c54621b507a02541ee55066; reference:url,twitter.com/GossiTheDog/status/1497681806094737411; classtype:trojan-activity; sid:2035421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE"; flow:established,to_server; http.uri; content:"/Types.asp?"; nocase; content:"Type_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6803; reference:url,www.milw0rm.com/exploits/2989; reference:url,doc.emergingthreats.net/2006152; classtype:web-application-attack; sid:2006152; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 Nagual/STARWHALE GoLang Beacon Activity (POST)"; flow:established,to_server; urilen:>15; http.method; content:"POST"; http.uri; content:!".asp"; content:!".php"; content:!".htm"; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.content_type; content:"application/json"; bsize:16; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; fast_pattern; content:!"Referer"; http.request_body; content:"|7b 22|vl|22 3a 22|"; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035408; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, malware_family TA450, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID SELECT"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006153; classtype:web-application-attack; sid:2006153; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA450 GRAMDOOR Telegram CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.host; content:"api.telegram.org"; bsize:16; http.uri; content:"/bot2003026094:AAGoitvpcx3SFZ2_6YzIs4La_kyDF1PbXrY/sendMessage?"; fast_pattern; startswith; reference:url,www.mandiant.com/resources/telegram-malware-iranian-espionage; classtype:trojan-activity; sid:2035409; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006154; classtype:web-application-attack; sid:2006154; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TransparentTribe CnC Domain in DNS Lookup"; dns.query; content:"swissaccount.ddns.net"; nocase; bsize:21; reference:url,twitter.com/0xrb/status/1501061897604730881; classtype:domain-c2; sid:2035410; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID INSERT"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006155; classtype:web-application-attack; sid:2006155; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE TransparentTribe CnC Domain in DNS Lookup"; dns.query; content:"sunjaydut.ddns.net"; nocase; bsize:18; reference:url,twitter.com/0xrb/status/1501061897604730881; classtype:domain-c2; sid:2035411; rev:1; metadata:created_at 2022_03_08, updated_at 2022_03_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID DELETE"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006156; classtype:web-application-attack; sid:2006156; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (gmy .cimadlicks .net)"; dns.query; dotprefix; content:".gmy.cimadlicks.net"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035412; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ASCII"; flow:established,to_server; http.uri; content:"/actualpic.asp?"; nocase; content:"Biz_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6802; reference:url,www.milw0rm.com/exploits/2991; reference:url,doc.emergingthreats.net/2006157; classtype:web-application-attack; sid:2006157; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (community .weblives .net)"; dns.query; dotprefix; content:".community.weblives.net"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007042; classtype:web-application-attack; sid:2007042; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE SoulSearcher Malware Domain in DNS Lookup (app .tomelife .com)"; dns.query; dotprefix; content:".app.tomelife.com"; nocase; endswith; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:domain-c2; sid:2035414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, malware_family SoulSearcher, performance_impact Low, signature_severity Major, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007043; classtype:web-application-attack; sid:2007043; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Free Hosting Domain (*.freehostia .com in DNS Lookup)"; dns.query; dotprefix; content:".freehostia.com"; nocase; endswith; classtype:misc-activity; sid:2035422; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID INSERT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007044; classtype:web-application-attack; sid:2007044; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pripyat Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/endpoint.php HTTP/1.1"; fast_pattern; http.header_names; content:!"Referer"; http.user_agent; content:"cpp-httplib/0.9"; bsize:15; http.request_body; content:"|22|computername|22 3a 22|"; content:"|22|username|22 3a 22|"; distance:0; content:"|22|hashrate|22 3a|"; distance:0; reference:md5,ffb7bbf6e3e3199555b979b46d3789a6; reference:url,twitter.com/3xp0rtblog/status/1501330153900703745; reference:md5,a12ba07fcdb4eb1c1ea65e8fa49ec4ad; classtype:trojan-activity; sid:2035420; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID DELETE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007045; classtype:web-application-attack; sid:2007045; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/msn-msn/log/2/debug?tim="; startswith; fast_pattern; http.host; content:"trc.taboola.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; reference:md5,9a32e5a45336e705d23adc865bd30704; classtype:command-and-control; sid:2035415; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, malware_family SoulSearcher, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ASCII"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007046; classtype:web-application-attack; sid:2007046; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoulSearcher Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/en-my/CMSStyles/style.csx?k="; startswith; fast_pattern; http.host; content:"c.s-microsoft.com"; http.request_body; content:"|00 00 00 11|"; startswith; byte_jump:4,8,relative,little,post_offset -1; isdataat:!2,relative; content:"|78 9c|"; offset:16; depth:2; reference:url,www.fortinet.com/blog/threat-research/unraveling-the-evolution-of-the-soul-searcher-malware; classtype:command-and-control; sid:2035416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_09, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"AD_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007047; classtype:web-application-attack; sid:2007047; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Interactsh CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|Event|3d|"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; http.header_names; content:!"Referer"; threshold:type limit, seconds 600, count 5, track by_src; reference:url,unit42.paloaltonetworks.com/exploits-interactsh/; classtype:attempted-admin; sid:2034200; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_10_15, cve CVE_2020_28188, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id INSERT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007050; classtype:web-application-attack; sid:2007050; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB2 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|05 00|"; distance:8; within:2; content:"|22 00|"; distance:0; content:"|63 00|"; distance:8; within:2; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035417; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, performance_impact Moderate, signature_severity Major, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id DELETE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007051; classtype:web-application-attack; sid:2007051; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/(?:([a-z0-9])(?!\1)){33,}\x02ru\x00\x00/"; classtype:command-and-control; sid:2014363; rev:8; metadata:created_at 2012_03_13, former_category MALWARE, updated_at 2022_03_09;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ASCII"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007052; classtype:web-application-attack; sid:2007052; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE HermeticWizard - WMI Spreader - File Copy via SMB1 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|a2|"; within:1; content:"|27 00 00 5c 00 63 00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l|00|"; within:8; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"cat_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007053; classtype:web-application-attack; sid:2007053; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Oracle Access Manager RCE Attempt (CVE-2021-35587)"; flow:established,to_server; http.request_line; content:"POST /oam/server/opensso/sessionservice HTTP/1.1"; fast_pattern; http.request_body; content:"svcid"; content:"|5b|CDATA"; content:"requester|3d|"; distance:0; nocase; reference:cve,2021-35587; classtype:attempted-admin; sid:2035429; rev:2; metadata:attack_target Server, created_at 2022_03_10, cve CVE_2021_35587, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007054; classtype:web-application-attack; sid:2007054; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android.BankBot.11270 (DNS Lookup)"; dns_query; content:"xireycicin.xyz"; isdataat:!1,relative; reference:md5,c9ddaa4d670c262bf2621b8299ccf84e; classtype:domain-c2; sid:2035430; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007055; classtype:web-application-attack; sid:2007055; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.BankBot.11270 (TLS SNI)"; flow:established,to_server; tls_sni; content:"xireycicin.xyz"; isdataat:!1,relative; nocase; reference:md5,c9ddaa4d670c262bf2621b8299ccf84e; classtype:domain-c2; sid:2035431; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id INSERT"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007056; classtype:web-application-attack; sid:2007056; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".asp"; content:!".htm"; content:!".php"; http.header; content:"|0d 0a|CharSet|3a 20|UTF-8|0d 0a|"; fast_pattern; http.request_body; content:"c="; startswith; http.header_names; content:!"Referer"; reference:md5,69ff29b86ab5444197aeb0cf5eba0967; reference:url,blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html; classtype:trojan-activity; sid:2035425; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_10, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, malware_family TA450, signature_severity Major, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id DELETE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007057; classtype:web-application-attack; sid:2007057; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/protocol/function.php?page="; fast_pattern; startswith; http.header; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,blog.talosintelligence.com/2022/03/iranian-supergroup-muddywater.html; classtype:trojan-activity; sid:2035426; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_10, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, malware_family TA453, signature_severity Major, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ASCII"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007058; classtype:web-application-attack; sid:2007058; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/TrojanDropper.Agent.GWO Checkin"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"okhttp/"; http.header_names; content:!"Referer|3a 20|"; http.request_body; content:"{|22|logType|22 3a|"; depth:11; content:",|22|msg|22 3a 22|{|5c 22|auth|5c 22 3a|"; fast_pattern; content:"|5c 22|appVersionName|5c 22|"; reference:md5,dcfa846ca56e14e720d4a743ac5c9f0f; classtype:command-and-control; sid:2035432; rev:2; metadata:created_at 2022_03_10, former_category MOBILE_MALWARE, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE"; flow:established,to_server; http.uri; content:"/ad.asp?"; nocase; content:"sub_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007049; classtype:web-application-attack; sid:2007049; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert smb any any -> [$HOME_NET,$HTTP_SERVERS] 445 (msg:"ET MALWARE HermeticWizard - File Copy via SMB"; flow:established,to_server; content:"Wizard|2e|dll|00|DllInstall|00|DllRegisterServer|00|DllUnregisterServer"; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035424; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007030; classtype:web-application-attack; sid:2007030; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - SMB Spreader - Remote Process Creation"; flow:established,to_server; content:"|05 00 00|"; content:"cmd|20 2f|c|20|start|20|regsvr32|20 2f|s|20 2f|i"; distance:0; fast_pattern; content:"|5c|c"; within:8; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dat|20 26 20|start|20|cmd|20 2f|c|20 22|ping|20|localhost|20 2d|n|20|7|20 26 20|wevtutil|20|cl|20|System|22|"; within:62; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007031; classtype:web-application-attack; sid:2007031; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M2"; flow:established,to_server; content:"|05 00 00|"; content:"|5c 00|c|00|m|00|d|00 2e 00|e|00|x|00|e|00 20 00 2f 00|c|00 20 00|s|00|t|00|a|00|r|00|t|00 20|"; distance:0; fast_pattern; content:"r|00|e|00|g|00|s|00|v|00|r|00|3|00|2|00 2e 00|e|00|x|00|e|00 20 00 2f 00|s|00 20 00 2f 00|i|00 20 00|C|00 3a 00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|c|00|"; distance:0; pcre:"/^(?:[A-F0-9]\x00){12}/R"; content:"|2e 00|d|00|l|00|l"; within:7; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_10, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_10;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007032; classtype:web-application-attack; sid:2007032; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-11 1)"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3a|"; pcre:"/(?:\x22mining\.authorize\x22\x2c|\x22login\x22\x2c)/R"; content:"|22|params|22|"; within:50; pcre:"/(?:\x22login\x22\x3a\x22x\.0929c\x22\x2c\x22pass\x22\x3a\x22x\x22|\x22login\x22\x3a\x2282ZEhnLaX3ggrz5HbJJyinFjt8JyLomMnXYctMHJZCg368RrSyjQgN3TgrfbjqjUVdBPTP5VgEBkBYEWnTVHUgtjPweS5gc\x22\x2c\x22pass\x22\x3a\x22\x22|\x22login\x22\x3a\x224GdoN7NCTi8a5gZug7PrwZNKjvHFmKeV11L6pNJPgj5QNEHsN6eeX3DaAQFwZ1ufD4LYCZKArktt113W7QjWvQ7CW864Ah1Quz41mP4MJy\x22\x2c\x22pass\x22\x3a\x22x\x22|\x22login\x22\x3a\x2249GB8ucxW13fM78PMN2X3ZDYunniTj3pfdoyjztCkjDZQLSxRuZARgKEsfMDtoGGuiGGxWqeh6uez8mxYsPfm8TEGFq48Ce\x22\x2c\x22pass\x22\x3a\x22SynopsisX\x22|\x22login\x22\x3a\x22tyrenke\x22\x2c\x22pass\x22\x3a\x22tyrenke\x22)/R"; reference:md5,5c8ccae9c6841583a026c8276992045f; reference:url,www.btcguild.com/new_protocol.php; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2035435; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007033; classtype:web-application-attack; sid:2007033; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET COINMINER CoinMiner Known Malicious Stratum Authline (2022-03-11 2)"; flow:established,to_server; content:"|22|id|22 3A|"; content:"|22|method|22 3a|"; pcre:"/(?:\x22mining\.authorize\x22\x2c|\x22login\x22\x2c)/R"; content:"|22|params|22|"; within:50; pcre:"/(?:\x22login\x22\x3a\x226243128\x22\x2c\x22pass\x22\x3a\x22myminer\x22|\x22login\x22\x3a\x226249832\x22\x2c\x22pass\x22\x3a\x22viristotal\x22|\x22login\x22\x3a\x226250474\x22\x2c\x22pass\x22\x3a\x22Minecraft\x22|\x22login\x22\x3a\x2244z5DkTXSYBfYECbt5TdQ2SUpyAQJmmGubyUsWqzcByeKwxwsWSZabZQMuE39hedNcTL15eK8kHrAeZMUdGGmHQHBzNH5db\x22\x2c\x22pass\x22\x3a\x22bomba3\x22|\x22login\x22\x3a\x2247WpQT7o5YMPeUjZ2AYqo2HNu9SnfQ3Le5MywXMgCuBS1DHqMTQFNY7MCsWkr466gQNC5G182ZCCDiKs69mwdvr4EjvhT5c\x22\x2c\x22pass\x22\x3a\x22Krutish\x22)/R"; reference:md5,63c361252b50f6099ef962a554501257; reference:url,www.btcguild.com/new_protocol.php; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,mining.bitcoin.cz/stratum-mining; classtype:coin-mining; sid:2035436; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category COINMINER, signature_severity Major, tag Coinminer, updated_at 2022_03_11, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007034; classtype:web-application-attack; sid:2007034; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android/SharkBot Related Domain in DNS Lookup"; dns.query; content:"statscodicefiscale.xyz"; nocase; bsize:22; reference:md5,1f32aa3ad68eac774cfcaeb0cd84de4d; reference:md5,acaed4c74eb9f0c85c603d4077a95697; reference:url,research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/; classtype:domain-c2; sid:2035439; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007035; classtype:web-application-attack; sid:2007035; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - SMB Spreader - File Copy via SMB1 (NT Create AndX Request)"; flow:established,to_server; content:"SMB"; depth:8; content:"|a2|"; within:1; content:"|12 00 63|"; distance:0; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dat|00|"; within:5; fast_pattern; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035437; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, performance_impact Moderate, signature_severity Major, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007036; classtype:web-application-attack; sid:2007036; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (DNS Lookup)"; dns_query; content:"panel.anuka1.a2hosted.com"; isdataat:!1,relative; reference:md5,2f8f1f7565872f8cbce615f5dbe03d7d; classtype:domain-c2; sid:2035433; rev:2; metadata:created_at 2022_03_11, former_category MOBILE_MALWARE, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007037; classtype:web-application-attack; sid:2007037; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Anubis.t (TLS SNI)"; flow:established,to_server; tls_sni; content:"panel.anuka1.a2hosted.com"; isdataat:!1,relative; nocase; reference:md5,451d41b60db0fc16f16c8cef92a8a97d; classtype:command-and-control; sid:2035434; rev:2; metadata:created_at 2022_03_11, former_category MOBILE_MALWARE, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007038; classtype:web-application-attack; sid:2007038; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE APT41 KEYPLUG Related Domain in DNS Lookup"; dns.query; content:"afdentry.workstation.eu.org"; nocase; bsize:27; reference:url,www.mandiant.com/resources/apt41-us-state-governments; classtype:domain-c2; sid:2035440; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, signature_severity Major, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007039; classtype:web-application-attack; sid:2007039; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x32)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b 52 0c 8b|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035441; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007040; classtype:web-application-attack; sid:2007040; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc 48 83 e4 f0 eb 33 5d 8b 45 00 48 83 c5 04 8b|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035442; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6208; reference:url,www.securityfocus.com/bid/21192; reference:url,doc.emergingthreats.net/2007041; classtype:web-application-attack; sid:2007041; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50|"; startswith; fast_pattern; reference:md5,a133c9d87aa58e8cb1a6c0f413bf5dbd; reference:url,github.com/giMini/PowerMemory/blob/master/PowerProcess/Inject-ShellCodeInProcess.ps1; reference:url,cisa.gov/uscert/ncas/alerts/aa21-265a; classtype:trojan-activity; sid:2035443; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007076; classtype:web-application-attack; sid:2007076; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Remcos RAT Checkin 781"; flow:established,to_server; content:"|b1 1a 8f 90 16 1e ff 80 76 38 01|"; startswith; fast_pattern; content:"|31 28|"; distance:2; within:2; threshold:type limit, seconds 30, count 1, track by_src; classtype:command-and-control; sid:2035438; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_11, deployment Perimeter, former_category MALWARE, malware_family Remcos, performance_impact Low, signature_severity Major, tag RAT, updated_at 2022_03_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UNION SELECT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007077; classtype:web-application-attack; sid:2007077; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL Cert Associated with Lazarus Downloader (JEUSD)"; flow:established,to_client; tls.cert_subject; content:"CN=celasllc.com"; bsize:15; fast_pattern; reference:md5,5509ee41b79c5d82e96038993f0bf3fa; reference:url,blogs.360.cn/blog/apt-c-26/; reference:url,crt.sh/?id=492527550; classtype:trojan-activity; sid:2025990; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, former_category MALWARE, malware_family JEUSD, performance_impact Low, signature_severity Major, tag Lazarus, updated_at 2022_03_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid INSERT"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007078; classtype:web-application-attack; sid:2007078; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Self Signed SSL Certificate to 'My Company Ltd'"; flow:established,to_client; tls.cert_issuer; content:"My Company Ltd"; classtype:bad-unknown; sid:2013703; rev:4; metadata:attack_target Client_Endpoint, created_at 2011_09_28, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid DELETE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007079; classtype:web-application-attack; sid:2007079; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,to_client; tls.cert_subject; content:"CN=4b7gf8bngf877"; bsize:16; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022919; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_27, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ASCII"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007080; classtype:web-application-attack; sid:2007080; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2)"; flow:established,to_client; tls.cert_subject; content:"CN=WIN-K462BJ3GEEC"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022948; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_07_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE"; flow:established,to_server; http.uri; content:"/dircat.asp?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007081; classtype:web-application-attack; sid:2007081; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2)"; flow:established,to_client; tls.cert_serial; content:"00:CF:DD:B8:9F:9D:14:26:AD"; tls.cert_subject; content:"CN=localhost.localdomain"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023572; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_12_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007082; classtype:web-application-attack; sid:2007082; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC)"; flow:established,to_client; tls.cert_serial; content:"00:86:C5:19:74:50:39:69:7A"; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2020372; rev:4; metadata:attack_target Client_and_Server, created_at 2015_02_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UNION SELECT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007083; classtype:web-application-attack; sid:2007083; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=Denial, L=Springfield, O=Dis,"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021938; rev:3; metadata:attack_target Client_and_Server, created_at 2015_10_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid INSERT"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007084; classtype:web-application-attack; sid:2007084; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM)"; flow:established,to_client; tls.cert_subject; content:"CN=sni237731.cloudflaressl.com"; fast_pattern; classtype:domain-c2; sid:2023490; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid DELETE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007085; classtype:web-application-attack; sid:2007085; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,to_client; tls.cert_subject; content:"C="; pcre:"/^(?P<letter>[a-z])(?P=letter)\,/R"; content:"L=Default City"; content:"O=Default Company Ltd"; fast_pattern; content:!"CN="; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023496; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_11_10, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ASCII"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007086; classtype:web-application-attack; sid:2007086; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"=certs_division@sslslf.info"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022100; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE"; flow:established,to_server; http.uri; content:"/dirSub.asp?"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007087; classtype:web-application-attack; sid:2007087; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=www.hot-sex-tube.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022101; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID SELECT"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007088; classtype:web-application-attack; sid:2007088; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader CnC)"; flow:established,to_client; tls.cert_subject; content:"O=International Security Depart"; content:"CN=www.mgid.org"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022102; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_13, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007089; classtype:web-application-attack; sid:2007089; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,to_client; tls.cert_serial; content:"00:99:60:FE:ED:86:B8:81:83"; tls.cert_subject; content:"O=Sinkhole.Ru"; fast_pattern; content:"CN=*"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022907; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID INSERT"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007090; classtype:web-application-attack; sid:2007090; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=Sinkhole Party"; fast_pattern; content:"CN=sinkhole"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022908; rev:3; metadata:attack_target Client_and_Server, created_at 2016_06_21, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID DELETE"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007091; classtype:web-application-attack; sid:2007091; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=jmfbrtbsmth.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023161; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2016_09_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ASCII"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007092; classtype:web-application-attack; sid:2007092; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC)"; flow:established,to_client; tls.cert_serial; content:"00:AC:80:A0:72:11:64:DF:3F"; tls.cert_subject; content:"CN=localhost.localdomain"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2023727; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2017_01_11, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE"; flow:established,to_server; http.uri; content:"/types.asp?"; nocase; content:"TYPE_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007093; classtype:web-application-attack; sid:2007093; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,to_client; tls.cert_subject; content:"O=Agency Protocols Management of Internet"; content:"CN=bestylish.com"; fast_pattern; reference:md5,ecda8c6613fb458102fcb6f70b1cd594; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022209; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID SELECT"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007094; classtype:web-application-attack; sid:2007094; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-11"; flow:established,to_client; flowbits:isset,ET.genericphish; http.stat_code; content:"302"; http.server; content:"nginx/1.19.1"; bsize:12; http.location; content:"load.php?id="; startswith; fast_pattern; classtype:credential-theft; sid:2035447; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UNION SELECT"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007095; classtype:web-application-attack; sid:2007095; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Bancos/DarkTequila CnC)"; flow:established,to_client; tls.cert_subject; content:"O=Agency Protocols Management of Internet"; content:"=info@apmi.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022211; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_02, deployment Perimeter, former_category MALWARE, malware_family Bancos, malware_family DarkTequila, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag Banking_Trojan, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID INSERT"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007096; classtype:web-application-attack; sid:2007096; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit MITM)"; flow:established,to_client; tls.cert_subject; content:"CN=server.domain.com"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022229; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID DELETE"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007097; classtype:web-application-attack; sid:2007097; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".cmod"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,833cd8302870af5a50b3a09af0420297; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035448; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ASCII"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007098; classtype:web-application-attack; sid:2007098; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".ndf"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,eecaecd170ef3d7a5976d435f6d03ef8; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035449; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE"; flow:established,to_server; http.uri; content:"/homeDetail.asp?"; nocase; content:"AD_ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007099; classtype:web-application-attack; sid:2007099; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=google.com"; content:"@google.com"; fast_pattern; tls.cert_issuer; content:"CN=google.com"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022234; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007100; classtype:web-application-attack; sid:2007100; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=Wureuzisen"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022684; rev:3; metadata:attack_target Client_and_Server, created_at 2016_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007101; classtype:web-application-attack; sid:2007101; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,to_client; tls.cert_subject; content:!"ST="; content:!"L="; content:"C=CH"; fast_pattern; pcre:"/O=(?!GoDaddy)[A-Z][a-z]+\s[A-Z][a-z]+\s(?:NL|Pty|Inc|Corp|Ltd)\.?,.+CN=[a-z]{5,}\.[a-z]{2,3}(?:$|,)/R"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022279; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007102; classtype:web-application-attack; sid:2007102; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC)"; flow:established,to_client; tls.cert_subject; content:"C=US, ST=NY, L=NY"; fast_pattern; content:"CN="; distance:0; content:"=admin@"; distance:0; pcre:"/[eE]mail(?:Address)?=admin@/"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022534; rev:3; metadata:attack_target Client_and_Server, created_at 2016_02_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007103; classtype:web-application-attack; sid:2007103; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (ItIsMe)"; flow:to_server,established; http.user_agent; content:"ItIsMe"; depth:6; fast_pattern; reference:url,resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts; classtype:trojan-activity; sid:2035445; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007104; classtype:web-application-attack; sid:2007104; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC)"; flow:established,to_client; tls.cert_subject; content:"OU=obama team"; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2021513; rev:4; metadata:attack_target Client_and_Server, created_at 2015_07_23, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_14, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007105; classtype:web-application-attack; sid:2007105; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R6260 Mini_httpd Buffer Overflow Attempt - Possible RCE (CVE-2021-34979)"; flow:established,to_server; http.header; content:"SOAPAction|3a 20|"; content:"urn:NETGEAR-ROUTER:service:"; within:30; fast_pattern; content:!"|0d 0a|"; within:131; pcre:"/^SOAPAction\x3a\x20\x22?urn\x3aNETGEAR-ROUTER\x3aservice\x3a.{128,}(?!:\d#)/Hm"; http.request_body; content:"|3c 3f|xml"; startswith; reference:url,nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-netgear-nday.html; reference:cve,2021-34979; classtype:trojan-activity; sid:2035446; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_03_14, cve CVE_2021_34979, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007106; classtype:web-application-attack; sid:2007106; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/%D0"; startswith; content:"-%D0%9F"; distance:0; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header; content:!"Referer"; reference:md5,91c27abec8fda1410e2fae396f592e93; reference:md5,8d1ce6280d2f66ff3e4fe1644bf24247; reference:url,twitter.com/500mk500/status/1502545185510731777; classtype:trojan-activity; sid:2035450; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UNION SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007107; classtype:web-application-attack; sid:2007107; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User-Agent (HTTP-Test-Program)"; flow:to_server,established; http.user_agent; content:"HTTP-Test-Program"; bsize:17; startswith; reference:md5,6e69e15ae55aee85ace66bb99e6ba885; classtype:bad-unknown; sid:2035452; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare INSERT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007108; classtype:web-application-attack; sid:2007108; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ping Identity Landing Page 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- template name: html.form.login.template.html -->"; content:"<!-- Configurable default behavior for the Remember Username checkbox -->"; content:"<!-- set the checkbox to unchecked -->"; content:"<title>Log in</title>"; content:"|24 2e|ajax"; content:"type|20 3a 20 27|POST|27 2c|"; content:"url|20 3a 20 27|files|2f|action|2e|php|3f|type|3d|login|27 2c|"; content:"data|20 3a 20 24 28 27 23|loginForm|27 29 2e|serialize|28 29 2c|"; content:"location|2e|href|20 3d 20 22|Loading|2e|php|22|"; content:"Ping Identity Corporation"; reference:md5,391dd3f15f5520a3bbfc654dbb3a4ac6; classtype:credential-theft; sid:2035454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare DELETE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007109; classtype:web-application-attack; sid:2007109; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup (tvasahi .online)"; dns.query; content:"tvasahi.online"; nocase; bsize:14; reference:url,ti.qianxin.com/blog/articles/Analysis-of-ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/; classtype:domain-c2; sid:2035451; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, former_category MALWARE, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ASCII"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007110; classtype:web-application-attack; sid:2007110; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT29 Cache_DLL SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=private.directinvesting.com"; fast_pattern; reference:md5,8f154d23ac2071d7f179959aaba37ad5; reference:url,www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity; classtype:targeted-activity; sid:2023931; rev:3; metadata:created_at 2017_02_16, former_category MALWARE, malware_family APT29_Cache_DLL, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"compare="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007111; classtype:web-application-attack; sid:2007111; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,to_client; tls.cert_subject; content:"CN=*.tor2web."; nocase; fast_pattern; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_05_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007112; classtype:web-application-attack; sid:2007112; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,to_client; tls.cert_subject; content:"O=LogMeIn, Inc."; nocase; fast_pattern; pcre:"/CN=(?:[^\r\n\,]+?[\.-])?app\d/"; classtype:policy-violation; sid:2014756; rev:6; metadata:attack_target Client_Endpoint, created_at 2010_10_31, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UNION SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007113; classtype:web-application-attack; sid:2007113; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate"; flow:established,from_server; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_12_06, deployment Perimeter, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear INSERT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007114; classtype:web-application-attack; sid:2007114; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/44Caliber Stealer Discord Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/webhooks/943188844625428520/64LwO5Gsh0pUZCcm80BNwTcVPihRnEmr1rZOPj02k6T5sRc5Lq4sdaB2KyttNgJHeX3T"; fast_pattern; bsize:101; http.host; content:"discord.com"; endswith; reference:md5,0238e5a4b41c4dcff77e8b01e88bed22; reference:url,twitter.com/c3rb3ru5d3d53c/status/1503449439868014592; classtype:trojan-activity; sid:2035471; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear DELETE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007115; classtype:web-application-attack; sid:2007115; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Ghostwriter/UNC1151 Related Domain in DNS Lookup"; dns.query; content:"multilogin.online"; nocase; bsize:17; reference:url,ti.qianxin.com/blog/articles/Analysis-of-ti.qianxin.com/blog/articles/Analysis-of-attack-activities-of-suspected-aptorganization-unc1151-against-ukraine-and-other-countries/; classtype:domain-c2; sid:2035457; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ASCII"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007116; classtype:web-application-attack; sid:2007116; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020084; rev:2; metadata:created_at 2015_01_05, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"clear="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007117; classtype:web-application-attack; sid:2007117; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Tor Proxy Domain in DNS Lookup (onion .pet)"; dns.query; dotprefix; content:".onion.pet"; nocase; endswith; classtype:domain-c2; sid:2035461; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007118; classtype:web-application-attack; sid:2007118; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/B1txor20 Backdoor Related Domain in DNS Lookup"; dns.query; dotprefix; content:".webserv.systems"; nocase; endswith; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_cn/; classtype:command-and-control; sid:2035458; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UNION SELECT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007119; classtype:web-application-attack; sid:2007119; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M1"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/tst/ins_cont.php"; startswith; bsize:17; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; http.user_agent; content:"Mozilla/4.0"; bsize:11; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035459; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID INSERT"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007120; classtype:web-application-attack; sid:2007120; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain (discord .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035463; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID DELETE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007121; classtype:web-application-attack; sid:2007121; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain (discordapp .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035464; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ASCII"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007122; classtype:web-application-attack; sid:2007122; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Webdor.NAC Variant CnC Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".html?m="; content:"&c="; distance:0; content:"&v="; distance:0; content:"&myID="; content:"/"; within:255; content:"/"; within:10; http.user_agent; content:"Catalyst"; bsize:8; fast_pattern; reference:md5,1e2a28d5f4f03420df7a6766e0e4277c; classtype:trojan-activity; sid:2035456; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE"; flow:established,to_server; http.uri; content:"/compareHomes.asp?"; nocase; content:"adID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007123; classtype:web-application-attack; sid:2007123; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discord .com)"; dns.query; dotprefix; content:"discord.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035465; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007124; classtype:web-application-attack; sid:2007124; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/TrojanDownloader.Agent.KUO CnC Activity M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn.php"; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header; content:"DNT: 1"; http.header_names; content:!"Referer"; content:"|0d 0a|Host|0d 0a|DNT|0d 0a|Connection|0d 0a 0d 0a|"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv:11.0) like Gecko"; bsize:61; reference:md5,f6cb005907be5516394525da16d427c7; reference:url,seguranca-informatica.pt/brazilian-trojan-impacting-portuguese-users-and-using-the-same-capabilities-seen-in-other-latin-american-threats; classtype:trojan-activity; sid:2035460; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007132; classtype:web-application-attack; sid:2007132; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)"; dns.query; dotprefix; content:"discordapp.com"; endswith; reference:md5,03f93498e1006ffa3a1f9fcb6170525a; classtype:misc-activity; sid:2035466; rev:1; metadata:created_at 2022_03_15, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007127; classtype:web-application-attack; sid:2007127; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-LINK TL-WR840N RCE Inbound (CVE-2022-25064)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi?2&2"; fast_pattern; http.request_body; content:"|0d 0a|X_TP_FirewallEnabled"; content:"|0d 0a|X_TP_ExternalIPv6Address="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2022-25064; classtype:attempted-admin; sid:2035455; rev:1; metadata:created_at 2022_03_15, cve CVE_2022_25064, former_category EXPLOIT, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007128; classtype:web-application-attack; sid:2007128; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M1"; flow:established,to_server; content:"|05 00 00|"; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; distance:0; content:"C|00|r|00|e|00|a|00|t|00|e|00|"; within:200; content:"regsvr32|2e|exe|20 2f|s|20 2f|i|20|"; distance:0; fast_pattern; content:"|5c|c"; within:500; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dll|00|"; within:5; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, former_category MALWARE, malware_family HermeticWizard, signature_severity Major, updated_at 2022_03_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"aminprice="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007129; classtype:web-application-attack; sid:2007129; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls [195.22.26.192/26,195.22.28.192/27,195.38.137.100,195.22.4.21,195.157.15.100,212.61.180.100] 443 -> $HOME_NET any (msg:"ET MALWARE AnubisNetworks Sinkhole SSL Cert lolcat - specific IPs"; flow:established,to_client; tls.cert_subject; content:"CN=lolcat"; fast_pattern; flowbits:isnotset,ET.invalid.cab; classtype:trojan-activity; sid:2019628; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_11_03, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007130; classtype:web-application-attack; sid:2007130; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Remote Desktop AeroAdmin handshake"; flow:established,to_server; content:"|e1 00 00 00 00|"; depth:5; content:"|0d 00 00 d8 00 00 00 4d 49 47 64 4d 41|"; distance:1; within:13; fast_pattern; threshold: type limit, track by_src, count 1, seconds 30; reference:md5,5003c00cdd28d6d1461e9a6a76c544a6; classtype:policy-violation; sid:2035467; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007131; classtype:web-application-attack; sid:2007131; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; tls.cert_subject; content:"CN=ssl"; content:".ovh.net"; within:10; fast_pattern; pcre:"/CN=ssl\d{1,2}.ovh.net(?:$|,)/"; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:3; metadata:attack_target Client_Endpoint, created_at 2014_04_05, deployment Perimeter, former_category POLICY, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007133; classtype:web-application-attack; sid:2007133; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE rat-test CnC Response"; flow:established,to_client; dsize:8; content:"d|00|o|00|n|00|e|00|"; nocase; flowbits:isset,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; reference:url,twitter.com/James_inthe_box/status/1501604645759709186; classtype:trojan-activity; sid:2035477; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007134; classtype:web-application-attack; sid:2007134; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX Related Activity"; flow:established,to_server; dsize:6; content:"feiji."; fast_pattern; reference:url,twitter.com/0xrb/status/1503983616321552384; reference:md5,ff82ecc7bee903f3eb2e168855598d37; reference:md5,ae0bd618eedec0b1ba9f149333d08837; classtype:trojan-activity; sid:2035473; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"amaxprice="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007135; classtype:web-application-attack; sid:2007135; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING ZIP file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; content:"|00 00 00|"; distance: 1; within:3; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035478; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007136; classtype:web-application-attack; sid:2007136; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING RAR file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035479; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UNION SELECT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007137; classtype:web-application-attack; sid:2007137; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms INSERT"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007138; classtype:web-application-attack; sid:2007138; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO imPcRemote Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloads/impcremote"; depth:21; http.host; content:"impcremote.com"; bsize:14; reference:md5,3d72ee8e1e59b143fa496fa63ca33994; classtype:attempted-admin; sid:2035475; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms DELETE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007139; classtype:web-application-attack; sid:2007139; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING RAR file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"Rar|21 1a 07 00|"; fast_pattern; startswith; content:"|73|"; distance:2; content:"|00 00|"; distance:4; reference:url,forensicswiki.xyz/page/RAR; classtype:misc-activity; sid:2035481; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ASCII"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007140; classtype:web-application-attack; sid:2007140; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ZIP file download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035482; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE"; flow:established,to_server; http.uri; content:"/result.asp?"; nocase; content:"abedrooms="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6204; reference:url,www.securityfocus.com/bid/21193; reference:url,doc.emergingthreats.net/2007141; classtype:web-application-attack; sid:2007141; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET [!80,!443,!25,!22,!110] (msg:"ET MALWARE SideCopy APT MargulasRAT Related Activity"; flow:established,to_server; dsize:19; content:"|31 36 00 2b 9c 02 0d 6e 46 11 42 7e e5 8f 99 94 1d fe 24|"; fast_pattern; reference:md5,b361a415cb5fe33f54957b1aa58fffd6; reference:md5,ae29fbacb0a0aba4b8f82924551fae4d; classtype:trojan-activity; sid:2035474; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat SELECT"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005256; classtype:web-application-attack; sid:2005256; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed TA471/UNC2589 Go Downloader User-Agent (-hobot-)"; flow:established,to_server; http.user_agent; content:"-hobot-"; bsize:7; reference:md5,15c525b74b7251cfa1f7c471975f3f95; reference:url,cert.gov.ua/article/37704; classtype:trojan-activity; sid:2035468; rev:1; metadata:created_at 2022_03_16, former_category MALWARE, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005257; classtype:web-application-attack; sid:2005257; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Cobalt Strike CnC Domain in DNS Lookup (nirsoft .me)"; dns.query; content:"nirsoft.me"; nocase; bsize:10; reference:url,cert.gov.ua/article/37704; reference:md5,aa5e8268e741346c76ebfd1f27941a14; classtype:domain-c2; sid:2035469; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat INSERT"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005258; classtype:web-application-attack; sid:2005258; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Stike CnC  Domain (nirsoft .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"nirsoft.me"; bsize:10; fast_pattern; reference:md5,aa5e8268e741346c76ebfd1f27941a14; reference:url,cert.gov.ua/article/37704; classtype:domain-c2; sid:2035470; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_16;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat DELETE"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005259; classtype:web-application-attack; sid:2005259; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ELF/lizkebab CnC Activity (Server Banner)"; flow:established,from_server; content:"***|0d 0a|*|20 20 20 20 20 20 20 20|WELCOME TO THE BALL PIT|20 20 20 20 20 20 20 20|*|0d 0a|"; fast_pattern; content:"*|20 20 20 20 20|Now with|20|"; distance:0; reference:url,blog.malwaremustdie.org/2015/11/mmd-0044-2015-source-code-disclosure.html; classtype:command-and-control; sid:2022214; rev:2; metadata:created_at 2015_12_03, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat ASCII"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005260; classtype:web-application-attack; sid:2005260; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Raiffeisen Bank Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Raiffeisen ELBA-internet</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2024770; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_27, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE"; flow:established,to_server; http.uri; content:"/show_owned.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005261; classtype:web-application-attack; sid:2005261; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern; content:"return parseInt"; content:"return |27 27|"; classtype:exploit-kit; sid:2017577; rev:5; metadata:created_at 2013_10_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat SELECT"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005262; classtype:web-application-attack; sid:2005262; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:command-and-control; sid:2018033; rev:4; metadata:created_at 2014_01_29, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UNION SELECT"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005263; classtype:web-application-attack; sid:2005263; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024132; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat INSERT"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005264; classtype:web-application-attack; sid:2005264; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Zemot Fake Search Page"; flow:established,from_server; file_data; content:"background|3a 20|url(btn_search.png|29 2f 2a|tpa=http"; fast_pattern; reference:md5,38cad3170f85c4f9903574941bd282a8; classtype:trojan-activity; sid:2021107; rev:3; metadata:created_at 2015_05_15, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat DELETE"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005265; classtype:web-application-attack; sid:2005265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Predator Pain Sending Data over SMTP"; flow:established,to_server; content:"Subject|3a 20|Predator Pain v"; fast_pattern; reference:md5,e774a7e6ca28487db649458f48230199; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018688; rev:4; metadata:created_at 2014_07_17, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat ASCII"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005266; classtype:web-application-attack; sid:2005266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:4; metadata:created_at 2012_07_24, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE"; flow:established,to_server; http.uri; content:"/show_joined.php?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0484; reference:url,www.securityfocus.com/bid/22180; reference:url,doc.emergingthreats.net/2005267; classtype:web-application-attack; sid:2005267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET FTP Outbound Java Anonymous FTP Login"; flow:to_server,established; content:"USER anonymous|0d 0a|PASS Java1."; fast_pattern; pcre:"/^\d\.\d(_\d+)?\@\r\n/R"; flowbits:set,ET.Java.FTP.Logon; classtype:misc-activity; sid:2016687; rev:4; metadata:created_at 2013_03_29, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show_joined.php?"; nocase; content:"path="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; reference:url,doc.emergingthreats.net/2008832; classtype:web-application-attack; sid:2008832; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,ET.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern; classtype:exploit-kit; sid:2022465; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_01_28, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/show_joined.php?"; nocase; content:"path="; nocase; pcre:"/path=\s*(ftps?|https?|php)\:\//i"; reference:url,secunia.com/advisories/32628/; reference:url,bugreport.ir/index_57.htm; reference:url,doc.emergingthreats.net/2008833; classtype:web-application-attack; sid:2008833; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing M1 July 24 2015"; flow:to_client,established; file_data; content:"<title>Document Shared</title>"; nocase; fast_pattern; content:"name=|22|GENERATOR|22 22|>"; nocase; distance:0; content:"name=|22|HOSTING|22 22|>"; nocase; distance:0; content:"Login with your email"; nocase; distance:0; content:"Choose your email provider"; nocase; distance:0; classtype:social-engineering; sid:2021535; rev:4; metadata:created_at 2015_07_27, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user SELECT"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006219; classtype:web-application-attack; sid:2006219; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Chase Phishing Landing - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Chase Online - Identification</title>"; fast_pattern; nocase; classtype:social-engineering; sid:2025674; rev:4; metadata:created_at 2015_12_01, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UNION SELECT"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006220; classtype:web-application-attack; sid:2006220; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern; classtype:social-engineering; sid:2021966; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user INSERT"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006221; classtype:web-application-attack; sid:2006221; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2017634; rev:8; metadata:created_at 2013_10_25, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ASCII"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006223; classtype:web-application-attack; sid:2006223; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Apple Store Phish Landing 2015-07-30"; flow:to_client,established; file_data; content:"<title>Sign in - Apple Store</title>"; nocase; fast_pattern; content:"function isemail|28|email|29|"; nocase; content:"Double-check that you typed a valid Apple ID."; nocase; content:"Double-check that you have typed the right password."; nocase; classtype:social-engineering; sid:2031715; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_30, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006224; classtype:web-application-attack; sid:2006224; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer Memory Corruption Vulnerability (CVE-2015-2444)"; flow:from_server,established; file_data; content:"|3c 66 6f 72 6d 3e 3c 73 74 79 6c 65 3e 66 6f 72 6d 7b 2d 6d 73 2d 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 22 63 22 29 3b 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 66 6f 72 6d 3e|"; nocase; fast_pattern; reference:cve,2015-2444; classtype:attempted-user; sid:2021713; rev:4; metadata:created_at 2015_08_25, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user DELETE"; flow:established,to_server; http.uri; content:"/administration/administre2.php?"; nocase; content:"id_user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6716; reference:url,www.milw0rm.com/exploits/2945; reference:url,doc.emergingthreats.net/2006222; classtype:web-application-attack; sid:2006222; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_02, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id SELECT"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005877; classtype:web-application-attack; sid:2005877; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Made by UltimateHackerzTeam)"; http_header; fast_pattern; reference:url,doc.emergingthreats.net/2010346; classtype:trojan-activity; sid:2010346; rev:7; metadata:created_at 2010_07_30, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UNION SELECT"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005878; classtype:web-application-attack; sid:2005878; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 6.0.1 (Windows)"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016650; rev:3; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id INSERT"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005879; classtype:web-application-attack; sid:2005879; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Successful ETERNALROMANCE MS17-010 - Windows Executable Observed"; flow:to_server,established; flowbits:isset,ETPRO.ETERNALROMANCE; content:"|FF|SMB|26 00 00 00 00|"; offset:4; depth:9; content:"|4d 5a|"; distance:0; content:"This program cannot be run"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2024207; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id DELETE"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005880; classtype:web-application-attack; sid:2005880; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Wire Transfer Phishing Landing 2015-11-19"; flow:established,from_server; file_data; content:"<TITLE>Foreign Transfer"; nocase; fast_pattern; content:"view Online TT Copy"; nocase; distance:0; content:"Online TT(CURRENCY"; nocase; distance:0; content:"Email Address"; nocase; distance:0; content:"Secure access"; nocase; distance:0; classtype:social-engineering; sid:2031700; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_19, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ASCII"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005881; classtype:web-application-attack; sid:2005881; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DoS.Linux/Elknot.G Checkin"; flow:established,to_server; dsize:401; content:!"|00 00|"; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|Linux|20|"; offset:2; depth:21; fast_pattern; pcre:"/^\d/R"; reference:md5,917a2a3d8c30282acbe7b1ff121a4336; classtype:command-and-control; sid:2018808; rev:2; metadata:created_at 2014_07_30, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE"; flow:established,to_server; http.uri; content:"/productdetail.asp?"; nocase; content:"product_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0092; reference:url,www.milw0rm.com/exploits/3074; reference:url,doc.emergingthreats.net/2005882; classtype:web-application-attack; sid:2005882; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BleedingLife EK Payload Delivered"; flow:from_server,established; flowbits:isset,ET.BleedingLife.Payload; content:"200"; http_stat_code; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; fast_pattern; content:"Content-Type|3a 20|application/"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:exploit-kit; sid:2023291; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_23, deployment Perimeter, former_category MALWARE, malware_family Exploit_Kit, malware_family BleedingLife, signature_severity Major, tag BleedingLifeEK, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/resim.asp?"; nocase; content:"islem=altkat"; nocase; content:"kat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/33199/; reference:url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt; reference:url,doc.emergingthreats.net/2008998; classtype:web-application-attack; sid:2008998; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Sept 3"; flow:established,from_server; file_data; content:"<title>Google Drive</title>"; fast_pattern; content:"For security reasons"; distance:0; content:"access shared files and folders"; distance:0; content:"select your email provider below"; distance:0; content:"-- Select your email provider --"; distance:0; content:"G Mail"; distance:0; content:"Others"; distance:0; content:"Email:"; distance:0; content:"Password:"; distance:0; classtype:social-engineering; sid:2025004; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_09, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template SELECT"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005336; classtype:web-application-attack; sid:2005336; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; classtype:social-engineering; sid:2021258; rev:4; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UNION SELECT"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005337; classtype:web-application-attack; sid:2005337; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M1"; flow:established,from_server; file_data; content:"<title>Google Docs</title>"; nocase; distance:0; fast_pattern; content:"input[type=email]"; nocase; distance:0; content:"input[type=number]"; nocase; distance:0; content:"input[type=password]"; nocase; distance:0; content:"input[type=tel]"; nocase; distance:0; content:"signin-card #Email"; nocase; distance:0; content:"signin-card #Pass"; nocase; distance:0; classtype:social-engineering; sid:2025681; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template INSERT"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005338; classtype:web-application-attack; sid:2005338; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; urilen:6; content:".htm"; http_uri; content:"Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.0|3B| Trident/5.0)"; fast_pattern; http_user_agent; pcre:"/^\x2F[a-z]{1}\x2Ehtm$/U"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html; reference:url,www.fortiguard.com/latest/av/4057936; reference:md5,92899c20da4d9db5627af89998aadc58; classtype:command-and-control; sid:2016211; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_01_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template DELETE"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005339; classtype:web-application-attack; sid:2005339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:4; metadata:created_at 2013_09_30, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template ASCII"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005340; classtype:web-application-attack; sid:2005340; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Apple Account Phishing Landing 2015-11-18"; flow:established,from_server; file_data; content:"<title>Verify Apple ID"; nocase; fast_pattern; content:"Please input a valid Email"; nocase; distance:0; content:"Your password is required"; nocase; distance:0; content:"Please sign in to verify"; nocase; distance:0; content:"iCloud Account"; nocase; distance:0; content:"Account Verification"; nocase; distance:0; classtype:social-engineering; sid:2031740; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE"; flow:established,to_server; http.uri; content:"/style.php?"; nocase; content:"template="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3214; reference:url,www.milw0rm.com/exploits/4054; reference:url,doc.emergingthreats.net/2005341; classtype:web-application-attack; sid:2005341; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Horde Webmail Phish 2015-08-21"; flow:established,to_client; file_data; content:"<title>|2e 2e 3a 3a|Account Details"; fast_pattern; content:"Successfully Submitted|3a 3a 2e 2e|</title>"; distance:1; content:"Your request has been received"; distance:0; content:"and will be processed shortly."; distance:1; classtype:credential-theft; sid:2031726; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_08_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno SELECT"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007060; classtype:web-application-attack; sid:2007060; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:exploit-kit; sid:2021038; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_30, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UNION SELECT"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007061; classtype:web-application-attack; sid:2007061; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device[endof]"; depth:23; fast_pattern; dsize:>0; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:command-and-control; sid:2017425; rev:3; metadata:created_at 2013_09_05, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno INSERT"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007062; classtype:web-application-attack; sid:2007062; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Datamaikon Checkin"; flow:to_server,established; content:"/index.dat?"; http_uri; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Win32)|0D 0A|Host|3a| "; fast_pattern; http_header; pcre:"/\/index.dat\?\d{5,9}$/U"; classtype:command-and-control; sid:2014466; rev:5; metadata:created_at 2012_04_04, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno DELETE"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007063; classtype:web-application-attack; sid:2007063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern; classtype:social-engineering; sid:2021537; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno ASCII"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007064; classtype:web-application-attack; sid:2007064; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:command-and-control; sid:2017784; rev:5; metadata:created_at 2013_11_27, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE"; flow:established,to_server; http.uri; content:"/products.asp?"; nocase; content:"partno="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6207; reference:url,www.securityfocus.com/bid/21323; reference:url,doc.emergingthreats.net/2007065; classtype:web-application-attack; sid:2007065; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:social-engineering; sid:2023037; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_10, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/threadstop/threadstop.php?"; nocase; content:"exbb[default_lang]="; nocase; reference:bugtraq,28686; reference:url,milw0rm.com/exploits/5405; reference:url,doc.emergingthreats.net/2009428; classtype:web-application-attack; sid:2009428; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:social-engineering; sid:2022853; rev:4; metadata:created_at 2016_06_03, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id SELECT"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005081; classtype:web-application-attack; sid:2005081; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern; classtype:credential-theft; sid:2023888; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_02_09, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005082; classtype:web-application-attack; sid:2005082; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:exploit-kit; sid:2021762; rev:3; metadata:created_at 2015_09_12, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id INSERT"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005083; classtype:web-application-attack; sid:2005083; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Horde Webmail Phishing Landing 2015-08-21"; flow:established,to_client; file_data; content:"<title>Mail |3a 3a 20|Welcome to Admin Portal</title>"; content:"Kindly update your information"; fast_pattern; distance:0; content:"Email Address"; distance:0; content:"Confirm Password"; distance:0; classtype:social-engineering; sid:2031725; rev:4; metadata:created_at 2015_08_21, former_category PHISHING, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id DELETE"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005084; classtype:web-application-attack; sid:2005084; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic AES Phish M1 Oct 24 2017"; flow:established,from_server; flowbits:isset,ET.genericphish; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:credential-theft; sid:2024997; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_10_24, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id ASCII"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005085; classtype:web-application-attack; sid:2005085; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Fake Webmail Account Phishing Landing 2015-09-10"; flow:established,to_client; file_data; content:"<title>Verify Your Account</title>"; fast_pattern; content:"ACCOUNT UPGRADE"; distance:0; content:"VERIFY YOUR WEBMAIL ACCOUNT"; distance:0; content:"Domain|5c|Username"; distance:0; content:"Department|3a|"; distance:0; content:"inconveniences"; distance:0; classtype:social-engineering; sid:2031696; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_10, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE"; flow:established,to_server; http.uri; content:"/faq.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0676; reference:url,www.milw0rm.com/exploits/3234; reference:url,doc.emergingthreats.net/2005086; classtype:web-application-attack; sid:2005086; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; classtype:social-engineering; sid:2021365; rev:4; metadata:created_at 2015_06_29, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Experts answer.php question_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/answer.php?"; nocase; content:"question_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,2008-5267; reference:url,milw0rm.com/exploits/5776; reference:bugtraq,29642; reference:url,doc.emergingthreats.net/2008931; classtype:web-application-attack; sid:2008931; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"</script></head>|0d 0a|<body>"; fast_pattern; content:" id="; pcre:"/^\s*?[\x22\x27][A-Za-z]{3,10}[\x22\x27]/R"; content:" title="; content:!"<"; within:100; pcre:"/^\s*?[\x22\x27](?=[A-Z]{0,19}[a-z]{1,19}[A-Z])[a-zA-Z]{14,20}[\x22\x27][^<>]*?>(?=[A-Za-z]{0,99}\d)[A-Za-z0-9\x20]{100}/R"; classtype:exploit-kit; sid:2020354; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_04, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex SELECT"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"SELECT"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006813; classtype:web-application-attack; sid:2006813; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.bing.com)"; flow:established,to_server; dsize:38; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.bing.com|0d 0a 0d 0a|"; distance:1; within:24; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018432; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UNION SELECT"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"UNION"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006814; classtype:web-application-attack; sid:2006814; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021044; rev:3; metadata:created_at 2015_05_01, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex INSERT"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"INSERT"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006815; classtype:web-application-attack; sid:2006815; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex Post Checkin Activity 2"; flow:established,to_server; urilen:20<>100; content:!"Referer|3a|"; http_header; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; pcre:"/^Host\x3a\x20(?=[a-z0-9]{0,19}[A-Z])(?=[A-Z0-9]{0,19}[a-z])[a-zA-Z0-9]{4,20}\.[a-z]{2,3}/H"; content:"|0d 0a|Connection|3a 20|Close|0d 0a|User-Agent|3a 20|Mozilla/"; http_header; within:41; fast_pattern; reference:md5,b9de687cdae55d3c9fcfe6fc8bcdd28f; classtype:command-and-control; sid:2020302; rev:7; metadata:created_at 2015_01_23, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex DELETE"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"DELETE"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006816; classtype:web-application-attack; sid:2006816; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING AES Crypto Observed in Javascript - Possible Phishing Landing"; flow:established,from_server; file_data; content:"hea2p"; distance:0; nocase; content:"0123456789ABCDEFGHIJKLMNOPQRSTUVXYZabcdefghijklmnopqrstuvxyz"; fast_pattern; distance:0; content:"hea2t"; distance:0; nocase; content:"Aes"; nocase; distance:0; pcre:"/^\s*?\.\s*?Ctr\s*?\.\s*?decrypt/Rsi"; classtype:social-engineering; sid:2025656; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_10_22, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex ASCII"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006817; classtype:web-application-attack; sid:2006817; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Upatre IE Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|attachment|3b 20|"; http_header; content:".zip|20 3b 0d 0a|"; distance:0; http_header; content:"Content-Type|3a 20|$ctype|0d 0a|"; http_header; fast_pattern; file_data; content:"PK|03 04|"; within:4; classtype:trojan-activity; sid:2020160; rev:6; metadata:created_at 2015_01_09, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE"; flow:established,to_server; http.uri; content:"/articles.asp?"; nocase; content:"ex="; nocase; content:"UPDATE"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6274; reference:url,www.securityfocus.com/bid/21296; reference:url,doc.emergingthreats.net/2006818; classtype:web-application-attack; sid:2006818; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows net start Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"These Windows services are started|3a 0d|"; fast_pattern; content:"The command completed successfully|2e|"; distance:0; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019001; rev:2; metadata:created_at 2014_08_26, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp SELECT"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006339; classtype:web-application-attack; sid:2006339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Mailbox Renewal Phish Landing 2015-08-14"; flow:to_client,established; file_data; content:"<title>Mailbox Added services</title>"; nocase; fast_pattern; content:"autorised email address"; nocase; distance:0; content:"complete this autorization"; nocase; distance:0; classtype:social-engineering; sid:2031722; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_14, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006340; classtype:web-application-attack; sid:2006340; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 14 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern; content:"|24 2c|"; distance:0; pcre:"/^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c/R"; classtype:exploit-kit; sid:2020180; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_14, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp INSERT"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006341; classtype:web-application-attack; sid:2006341; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:exploit-kit; sid:2016144; rev:4; metadata:created_at 2013_01_03, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp DELETE"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006342; classtype:web-application-attack; sid:2006342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024125; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp ASCII"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006343; classtype:web-application-attack; sid:2006343; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016493; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE"; flow:established,to_server; http.uri; content:"/vdateUsr.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6525; reference:url,www.secunia.com/advisories/23304; reference:url,doc.emergingthreats.net/2006344; classtype:web-application-attack; sid:2006344; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:3; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005615; classtype:web-application-attack; sid:2005615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Fake Document Loading Error 2015-10-01"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; content:"Verifying Login, Please wait"; nocase; fast_pattern; distance:0; content:"Loading"; nocase; distance:0; content:"and collaborate documents"; nocase; distance:0; content:"Initializing"; distance:0; classtype:social-engineering; sid:2031697; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_01, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005616; classtype:web-application-attack; sid:2005616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Job314 EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"embedSWF(|22|index.swf?action=swf|22|"; fast_pattern; content:"src=|22|index.js?action=swfobject|22|"; classtype:exploit-kit; sid:2019689; rev:4; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005617; classtype:web-application-attack; sid:2005617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:exploit-kit; sid:2021374; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_02, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005618; classtype:web-application-attack; sid:2005618; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Stoberox.B"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"Host|3a|"; http_header; depth:5; content:"Connection|3a 20|Close|0d 0a|"; http_header; content:"Accept-Encoding|3a 20|none|0d 0a|"; http_header; fast_pattern; content:!"Referer"; http_header; pcre:"/^[a-zA-Z0-9\+\/]+={0,2}$/P"; reference:md5,6ca1690720b3726bc76ef0e7310c9ee7; classtype:trojan-activity; sid:2018300; rev:4; metadata:created_at 2014_03_20, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005619; classtype:web-application-attack; sid:2005619; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024126; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE"; flow:established,to_server; http.uri; content:"/boxx/ShowAppendix.asp?"; nocase; content:"iid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0266; reference:url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded; reference:url,doc.emergingthreats.net/2005620; classtype:web-application-attack; sid:2005620; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Stealthgenie Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/SGCommand.aspx?sgcommand="; fast_pattern; content:"&uid="; distance:0; content:"&sid="; distance:0; content:"&value="; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-"; http.user_agent; content:"|20|Android|20|"; reference:md5,06947ce839a904d6abcb272ff46e7de1; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99&tabid=2; reference:url,engadget.com/2014/09/30/crackdown-on-spying-apps-leads-to-stealthgenie-ceos-arrest/; classtype:trojan-activity; sid:2019805; rev:5; metadata:affected_product Android, attack_target Mobile_Client, created_at 2014_11_25, deployment Perimeter, former_category MOBILE_MALWARE, tag Android, updated_at 2022_03_17, mitre_tactic_id TA0037, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (poll.php)"; flow:established,to_server; http.uri; content:"/mod/poll.php?"; nocase; content:"GLOBALS[nlang]="; nocase; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/i"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010543; classtype:web-application-attack; sid:2010543; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; classtype:social-engineering; sid:2022011; rev:4; metadata:created_at 2015_10_31, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (new.php)"; flow:established,to_server; http.uri; content:"/mod/new.php?"; nocase; content:"GLOBALS[nlang]="; nocase; pcre:"/(\?|&)GLOBALS\[nlang\]=[^\x26\x3B\x2f\x5c]*[\x2f\x5c]/i"; reference:url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt; reference:url,doc.emergingthreats.net/2010544; classtype:web-application-attack; sid:2010544; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:social-engineering; sid:2022366; rev:4; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/manager/DiagLogListActionBody.do?"; nocase; content:"logFile="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010800; classtype:web-application-attack; sid:2010800; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent|3a| Microsoft|20|Internet|20|Updater|0d 0a|"; http_header; fast_pattern; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:5; metadata:created_at 2012_07_26, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; content:"captureFile="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010801; classtype:web-application-attack; sid:2010801; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern; classtype:social-engineering; sid:2021538; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/sat/ViewSatReport.do?"; nocase; content:"fileName="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010802; classtype:web-application-attack; sid:2010802; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:3; metadata:created_at 2012_11_14, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/manager/DiagCaptureFileListActionBody.do?"; nocase; content:"capture="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010803; classtype:web-application-attack; sid:2010803; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Phishing Fake Mailbox Quota Increase Messages 2016-05-25"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; content:"Upgrading your mailbox"; nocase; fast_pattern; distance:0; content:"Upgrade Successful"; nocase; distance:0; content:"added to your mail quota"; nocase; distance:0; content:"//Do not edit below this line"; distance:0; nocase; classtype:social-engineering; sid:2031989; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_25, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/acopia/sat/ViewInventoryErrorReport.do?"; nocase; content:"fileName="; nocase; reference:url,secunia.com/advisories/38113/; reference:url,doc.emergingthreats.net/2010804; classtype:web-application-attack; sid:2010804; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern; classtype:exploit-kit; sid:2023513; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_15, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006123; classtype:web-application-attack; sid:2006123; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:social-engineering; sid:2023051; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_08_12, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006124; classtype:web-application-attack; sid:2006124; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:exploit-kit; sid:2021064; rev:4; metadata:created_at 2015_05_07, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006125; classtype:web-application-attack; sid:2006125; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Andromeda Download"; flow:from_server,established; flowbits:isset,ET.andromeda; content:"200"; http_stat_code; content:"Server|3a 20|nginx"; http_header; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Disposition|3a 20|attachment|3b 20|filename="; http_header; content:"Content-Transfer-Encoding|3a| binary|0d 0a|"; fast_pattern; pcre:"/filename=[a-f0-9]{32}v\.(?:docm|zip)\x0d\x0a/Hmi"; classtype:trojan-activity; sid:2022573; rev:3; metadata:created_at 2016_02_29, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006126; classtype:web-application-attack; sid:2006126; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016490; rev:13; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006127; classtype:web-application-attack; sid:2006127; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC)"; flow:established,from_server; content:"|55 04 03|"; content:"|25|www.signliquideducationdaughter.final"; distance:1; within:38; fast_pattern; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022247; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_17, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"ID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6813; reference:url,www.milw0rm.com/exploits/2997; reference:url,doc.emergingthreats.net/2006128; classtype:web-application-attack; sid:2006128; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:exploit-kit; sid:2016721; rev:5; metadata:created_at 2013_04_04, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/sitemap.xml.php?"; nocase; content:"dir[classes]="; nocase; reference:url,secunia.com/advisories/28047; reference:url,milw0rm.com/exploits/4712; reference:url,doc.emergingthreats.net/2009507; classtype:web-application-attack; sid:2009507; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Metro Document Phishing Landing 2015-11-17"; flow:established,from_server; file_data; content:"invited to download DATASHEET"; nocase; content:"<title>Metro Download Online"; fast_pattern; nocase; content:"simplest and secure way"; nocase; distance:0; content:"view your documents and files"; nocase; distance:0; content:"View Document"; nocase; distance:0; content:"Confirm email address to download"; nocase; distance:0; classtype:social-engineering; sid:2031699; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_17, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006327; classtype:web-application-attack; sid:2006327; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern; pcre:"/^\d+\x3b/R"; classtype:exploit-kit; sid:2021338; rev:12; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_25, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006328; classtype:web-application-attack; sid:2006328; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Page 2015-10-17"; flow:established,to_client; file_data; content:"<TITLE> DHL|7c 20|Trackinng</TITLE>"; nocase; fast_pattern; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|WOW64|3b 20|rv|3a|32.0)"; nocase; distance:0; content:"fnSubmitOnEnter"; nocase; distance:0; classtype:social-engineering; sid:2031728; rev:4; metadata:created_at 2015_09_16, former_category PHISHING, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006329; classtype:web-application-attack; sid:2006329; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 01 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22| title="; within:29; fast_pattern; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020342; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_01, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id DELETE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006330; classtype:web-application-attack; sid:2006330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert smtp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; fast_pattern; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:10; metadata:created_at 2010_07_30, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006331; classtype:web-application-attack; sid:2006331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp any any -> any 445 (msg:"ET MALWARE Possible KAPTOXA SMB Naming Format"; flow:to_server,established; content:"SMB|A2|"; content:"|5c 00|W|00|I|00|N|00|D|00|O|00|W|00|S|00 5c 00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00 5c|"; distance:0; fast_pattern; pcre:"/^(?:(?!\x00\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?_\x00(?:(?!\x00\x00).)*?\x2e\x00t\x00x\x00t/Rsi"; flowbits:set,ET.kaptoxa; reference:url,securityintelligence.com/target-data-breach-kaptoxa-pos-malware/; classtype:trojan-activity; sid:2018058; rev:2; metadata:created_at 2014_02_04, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6542; reference:url,www.milw0rm.com/exploits/2906; reference:url,doc.emergingthreats.net/2006332; classtype:web-application-attack; sid:2006332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016492; rev:13; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/datumscalc.php?"; nocase; content:"kal_class_path="; nocase; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011096; classtype:web-application-attack; sid:2011096; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Archie EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"xmlhttp.open(|22|POST|22|, |22|/foo|22|, false)|3b|"; fast_pattern; content:"xmlhttp.send(sendstr)|3b|"; distance:0; classtype:exploit-kit; sid:2019690; rev:4; metadata:created_at 2014_11_11, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/monatsblatt.php?"; nocase; content:"kal_class_path="; nocase; pcre:"/kal_class_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11188; reference:url,doc.emergingthreats.net/2011097; classtype:web-application-attack; sid:2011097; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern; content:"|3a|stroke"; nocase; classtype:exploit-kit; sid:2017852; rev:3; metadata:created_at 2013_12_13, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006898; classtype:web-application-attack; sid:2006898; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:social-engineering; sid:2021207; rev:4; metadata:created_at 2015_06_09, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006899; classtype:web-application-attack; sid:2006899; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Sweet Orange redirection Nov 4 2014"; flow:established,from_server; file_data; content:"var main_request_data_content"; within:29; fast_pattern; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:exploit-kit; sid:2019642; rev:3; metadata:created_at 2014_11_04, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006900; classtype:web-application-attack; sid:2006900; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Malicious Iframe Leading to EK"; flow:established,from_server; file_data; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; pcre:"/^[^\x27]+[\x27]\s*/R"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern; within:93; isdataat:!3,relative; classtype:exploit-kit; sid:2019798; rev:4; metadata:created_at 2014_11_25, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006901; classtype:web-application-attack; sid:2006901; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern; nocase; content:"src="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016337; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006902; classtype:web-application-attack; sid:2006902; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:exploit-kit; sid:2021746; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_09_05, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006903; classtype:web-application-attack; sid:2006903; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adilbo HTML Encoder Observed"; flow:established,to_client; file_data; content:"|2f 2a 20 61 64 69 6c 62 6f 20 48 54 4d 4c 20 45 6e 63 6f 64 65 72|"; fast_pattern; content:"*|20 20|Checksum|3a 20|927c770095e0daa48298343b8fd14624"; within:200; classtype:policy-violation; sid:2024763; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_23, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006904; classtype:web-application-attack; sid:2006904; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Generic Credential Phish - Loading Messages 2015-08-12"; flow:to_client,established; file_data; content:"//configure destination URL"; nocase; fast_pattern; content:"Contacting email provider"; nocase; distance:0; content:"Authenticating password for"; nocase; distance:0; content:"Authentication Success"; nocase; distance:0; content:"in spam list"; nocase; distance:0; content:"in fraudlent list"; nocase; distance:0; content:"Please Wait"; nocase; distance:0; content:"//Do not edit below this line"; nocase; distance:0; classtype:credential-theft; sid:2031719; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006905; classtype:web-application-attack; sid:2006905; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/includes/components/graphexplorer/visApi.php?"; nocase; fast_pattern; content:"type="; nocase; content:"div="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:6; metadata:created_at 2012_06_22, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006906; classtype:web-application-attack; sid:2006906; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Adobe Shared Document Phish Landing 2015-11-14"; flow:established,from_server; file_data; content:"<title>Adobe PDF</title>"; fast_pattern; nocase; content:"Adobe PDF Online"; nocase; distance:0; content:"You are not signed in yet"; nocase; distance:0; content:"Confirm your identity"; nocase; distance:0; content:"receiving email account to view document"; nocase; distance:0; classtype:social-engineering; sid:2031737; rev:4; metadata:created_at 2015_11_14, former_category PHISHING, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006907; classtype:web-application-attack; sid:2006907; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Landing Jan 06 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern; pcre:"/^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{/Rs"; classtype:exploit-kit; sid:2020103; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_07, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006908; classtype:web-application-attack; sid:2006908; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Commonwealth Bank Phish Fake Error Page 2015-08-20"; flow:established,to_client; file_data; content:"MSHTML 10.00.9200.16750"; content:"You&nbsp|3b|already read this statement!"; fast_pattern; distance:0; content:"System Error Code"; distance:0; content:"CommBank technical departament"; distance:0; classtype:credential-theft; sid:2031724; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_08_20, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"did="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6243; reference:url,www.securityfocus.com/bid/21289; reference:url,doc.emergingthreats.net/2006909; classtype:web-application-attack; sid:2006909; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:exploit-kit; sid:2022479; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_02_01, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/firestats/php/window-add-excluded-ip.php?"; nocase; content:"edit="; nocase; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011256; classtype:web-application-attack; sid:2011256; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mini Mail Dashboard Widget abspath Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?"; nocase; fast_pattern; content:"abspath="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/105238/WordPress-Mini-Mail-Dashboard-Widget-1.36-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014450; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/firestats/php/window-add-excluded-url.php?"; nocase; content:"edit="; nocase; pcre:"/edit\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011257; classtype:web-application-attack; sid:2011257; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Fake Webmail Quota Phish 2015-09-10"; flow:established,to_client; file_data; content:"<title>SUCCESSFULLY VALIDATED</title>"; nocase; fast_pattern; content:"MAILBOX HAVE BEEN SUCCESSFULLY"; nocase; distance:0; content:"QUOTA HAVE BEEN SCHEDUELED"; nocase; distance:0; content:"WITHIN 24 HOURS"; nocase; distance:0; classtype:credential-theft; sid:2031727; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_09_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/firestats/php/window-new-edit-site.php?"; nocase; content:"site_id="; nocase; pcre:"/site_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/40569/; reference:url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html; reference:url,doc.emergingthreats.net/2011258; classtype:web-application-attack; sid:2011258; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Survey Credential Phish 2015-08-12"; flow:to_client,established; file_data; content:"HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"<title>Survey Successful"; distance:0; nocase; fast_pattern; content:"Survey completed"; distance:0; nocase; content:"included in spam or fraudulent list."; distance:0; nocase; content:"email verification survey system."; distance:0; nocase; classtype:credential-theft; sid:2031720; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007182; classtype:web-application-attack; sid:2007182; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.msn.com)"; flow:established,to_server; dsize:37; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.msn.com|0d 0a 0d 0a|"; distance:1; within:23; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018431; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UNION SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007183; classtype:web-application-attack; sid:2007183; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:5; metadata:created_at 2013_10_04, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id INSERT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007184; classtype:web-application-attack; sid:2007184; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:exploit-kit; sid:2022779; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_05_03, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id DELETE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007185; classtype:web-application-attack; sid:2007185; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|visibility|3a|hidden|22| title="; within:34; fast_pattern; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:exploit-kit; sid:2020352; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2015_02_03, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ASCII"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007186; classtype:web-application-attack; sid:2007186; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing Sept 14 2015"; flow:established,to_client; file_data; content:"<TITLE>DHL |7c| Tracking</TITLE>"; nocase; fast_pattern; content:"<title>TRADE FILE</title>"; nocase; distance:0; content:"Sign In With Your Correct Email"; nocase; distance:0; classtype:social-engineering; sid:2025690; rev:6; metadata:created_at 2015_09_15, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"show_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007187; classtype:web-application-attack; sid:2007187; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Yahoo Account Phish Landing 2015-10-23"; flow:established,from_server; file_data; content:"<title>Yahoo"; nocase; content:"You Have Been Signed Out"; fast_pattern; nocase; distance:0; content:"Yahoomail For Yahoo Security"; nocase; distance:0; content:"please Relogin"; nocase; distance:0; classtype:social-engineering; sid:2031688; rev:3; metadata:created_at 2015_10_22, former_category PHISHING, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007188; classtype:web-application-attack; sid:2007188; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; offset:4; depth:30; fast_pattern; content:"|00 09 00 00 00 10|"; distance:1; within:6; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type both, track by_src, count 3, seconds 30; classtype:trojan-activity; sid:2024217; rev:4; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UNION SELECT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007189; classtype:web-application-attack; sid:2007189; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:10; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_04_04, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid INSERT"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007190; classtype:web-application-attack; sid:2007190; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; classtype:social-engineering; sid:2022033; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid DELETE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007191; classtype:web-application-attack; sid:2007191; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:exploit-kit; sid:2021043; rev:3; metadata:created_at 2015_05_01, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ASCII"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007192; classtype:web-application-attack; sid:2007192; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Paypal Account Phish 2015-10-16"; flow:established,from_server; file_data; content:"Temporarily unable to load your account"; nocase; content:"Temporarily unable to load your account"; nocase; distance:0; content:"confirm your informations"; fast_pattern; nocase; distance:0; content:"fix this problem"; nocase; distance:0; content:"access to your account"; nocase; distance:0; reference:md5,ce07d8a671e2132f404e13ff8e1959b5; classtype:credential-theft; sid:2031687; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_10_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE"; flow:established,to_server; http.uri; content:"/filelist.asp?"; nocase; content:"parentid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007193; classtype:web-application-attack; sid:2007193; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:social-engineering; sid:2022525; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid SELECT"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007194; classtype:web-application-attack; sid:2007194; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:exploit-kit; sid:2024037; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_08, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UNION SELECT"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007195; classtype:web-application-attack; sid:2007195; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA"; flow:established,to_server; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|3b|Google|3b|)|0d 0a|Host|3a| "; fast_pattern; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:70; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:2016429; rev:5; metadata:created_at 2011_08_05, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid INSERT"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007196; classtype:web-application-attack; sid:2007196; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING SUSPICIOUS Possible automated connectivity check (www.yahoo.com)"; flow:established,to_server; dsize:39; content:"GET / HTTP/1."; content:"|0d 0a|Host|3a 20|www.yahoo.com|0d 0a 0d 0a|"; distance:1; within:25; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; classtype:bad-unknown; sid:2018433; rev:2; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_04_30, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid DELETE"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007197; classtype:web-application-attack; sid:2007197; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:social-engineering; sid:2022527; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ASCII"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007198; classtype:web-application-attack; sid:2007198; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern; content:"spawAnyone("; nocase; distance:0; classtype:exploit-kit; sid:2016927; rev:12; metadata:created_at 2013_05_25, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE"; flow:established,to_server; http.uri; content:"/showfile.asp?"; nocase; content:"fid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6195; reference:url,www.securityfocus.com/bid/21282; reference:url,doc.emergingthreats.net/2007199; classtype:web-application-attack; sid:2007199; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; distance:0; classtype:social-engineering; sid:2021285; rev:4; metadata:created_at 2015_06_17, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz num_questions.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/num_questions.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009849; classtype:web-application-attack; sid:2009849; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:exploit-kit; sid:2016240; rev:6; metadata:created_at 2013_01_18, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/answers.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009850; classtype:web-application-attack; sid:2009850; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern; classtype:trojan-activity; sid:2016298; rev:5; metadata:created_at 2013_01_29, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz answers.php order_number Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/answers.php?"; nocase; content:"order_number="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009851; classtype:web-application-attack; sid:2009851; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windows ipconfig Microsoft Windows DOS prompt command exit OUTBOUND"; flow:established,to_server; content:"Windows IP Configuration|0d|"; fast_pattern; content:"Ethernet adapter Local Area Connection|3a|"; distance:0; content:"Physical Address"; content:"IP Address"; content:"Subnet Mask"; content:"Default Gateway"; reference:md5,a22af4fc7fe011069704a15296634ca6; classtype:trojan-activity; sid:2019000; rev:4; metadata:created_at 2014_08_26, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score_web.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/high_score_web.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009852; classtype:web-application-attack; sid:2009852; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Zimbra Phish 2015-11-03"; flow:established,from_server; file_data; content:"<title>Thank You</title>"; fast_pattern; nocase; content:"enable us complete your security updates"; nocase; distance:0; content:"wrongly kindly click back"; nocase; distance:0; content:"resulting to the deactivation"; nocase; distance:0; classtype:credential-theft; sid:2031689; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz results_table_web.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/results_table_web.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009853; classtype:web-application-attack; sid:2009853; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:6; metadata:created_at 2011_10_20, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/question.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009854; classtype:web-application-attack; sid:2009854; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024131; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz question.php order_number Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/question.php?"; nocase; content:"order_number="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009855; classtype:web-application-attack; sid:2009855; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"|0d 0a|User-Agent|3a 20|Opera/9 (Windows"; fast_pattern; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:command-and-control; sid:2014777; rev:3; metadata:created_at 2012_05_18, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Quiz high_score.php quiz Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/high_score.php?"; nocase; content:"quiz="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,35060; reference:url,milw0rm.com/exploits/8759; reference:url,doc.emergingthreats.net/2009856; classtype:web-application-attack; sid:2009856; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING DHL Phish Landing 2015-11-14"; flow:established,from_server; file_data; content:"<title>DHL |7c| EzyBill</title>"; fast_pattern; nocase; content:"GlobalEzybill"; nocase; distance:0; content:"NOW YOUR BILLS ARE JUST"; nocase; distance:0; content:"receivable parcel in real time"; nocase; distance:0; content:"Dispute your invoices online"; nocase; distance:0; classtype:social-engineering; sid:2031739; rev:4; metadata:created_at 2015_11_14, former_category PHISHING, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/pmscript.php?"; nocase; content:"with="; nocase; reference:url,milw0rm.com/exploits/8549; reference:bugtraq,34734; reference:url,doc.emergingthreats.net/2009745; classtype:web-application-attack; sid:2009745; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern; classtype:trojan-activity; sid:2016297; rev:5; metadata:created_at 2013_01_29, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/modules/formmailer/formmailer.admin.inc.php?"; nocase; content:"BASE_DIR[jax_formmailer]="; nocase; pcre:"/BASE_DIR\[jax_formmailer\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/55751; reference:url,doc.emergingthreats.net/2010484; classtype:web-application-attack; sid:2010484; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Phish M3 2016-07-11"; flow:from_server,established; file_data; content:"<title>Verifying |7c| Authentication"; nocase; fast_pattern; content:"<META HTTP-EQUIV="; nocase; distance:0; content:"refresh"; distance:1; within:8; nocase; content:"You have been logged"; nocase; distance:0; content:"view shared files"; nocase; distance:0; classtype:credential-theft; sid:2031953; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_11, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user SELECT"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005176; classtype:web-application-attack; sid:2005176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:5; metadata:created_at 2010_09_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UNION SELECT"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005147; classtype:web-application-attack; sid:2005147; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 12 2013"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern; classtype:social-engineering; sid:2017135; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2013_07_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user INSERT"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005148; classtype:web-application-attack; sid:2005148; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern; content:"CryptoJSAesJson"; nocase; classtype:exploit-kit; sid:2021090; rev:4; metadata:created_at 2015_05_13, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user DELETE"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005149; classtype:web-application-attack; sid:2005149; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern; classtype:social-engineering; sid:2021540; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user ASCII"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005150; classtype:web-application-attack; sid:2005150; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024130; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE"; flow:established,to_server; http.uri; content:"/info_user.asp?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0589; reference:url,www.milw0rm.com/exploits/3197; reference:url,doc.emergingthreats.net/2005151; classtype:web-application-attack; sid:2005151; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Phishing Landing - Common Multiple JS Unescape May 25 2017"; flow:from_server,established; file_data; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; content:"document.write(unescape(|27|"; nocase; fast_pattern; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; content:"<script type=|22|text/javascript|22|>|0d 0a|<!--|0d 0a|"; nocase; distance:0; content:"document.write(unescape(|27|"; nocase; within:25; content:"|27 29 29 3b 0d 0a|//-->|0d 0a|</script>"; nocase; distance:0; classtype:social-engineering; sid:2025227; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_05_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Bible Search readbible.php SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/readbible.php?"; nocase; content:"version="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,33301; reference:url,milw0rm.com/exploits/7798; reference:url,doc.emergingthreats.net/2009103; classtype:web-application-attack; sid:2009103; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Outlook Webmail Account Phish 2015-09-02"; flow:established,to_client; file_data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"Outlook Web Validation Successful"; distance:0; content:"email details correctly|3b|"; distance:0; content:"wrongly kindly click"; distance:0; content:"refill in details"; distance:0; classtype:credential-theft; sid:2031685; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_09_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/init.php?"; nocase; content:"API_HOME_DIR="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/32745/; reference:url,milw0rm.com/exploits/7155; reference:url,doc.emergingthreats.net/2008878; classtype:web-application-attack; sid:2008878; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert ftp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; fast_pattern; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:command-and-control; sid:2014757; rev:5; metadata:created_at 2012_05_16, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/includes/startmodules.inc.php?"; nocase; content:"lang_file="; nocase; reference:bugtraq,34538; reference:url,milw0rm.com/exploits/8446; reference:url,doc.emergingthreats.net/2009652; classtype:web-application-attack; sid:2009652; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET MALWARE Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern; reference:md5,91f885e08d627097fb1116a3d4634b82; reference:url,stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html; classtype:trojan-activity; sid:2018017; rev:4; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Frontis aps_browse_sources.php source_class Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bin/aps_browse_sources.php?"; nocase; content:"source_class="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/35369/; reference:url,milw0rm.com/exploits/8900; reference:url,doc.emergingthreats.net/2009935; classtype:web-application-attack; sid:2009935; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe LiveCycle Designer ES 8.2"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016647; rev:4; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004917; classtype:web-application-attack; sid:2004917; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,26,587,2525] (msg:"ET MALWARE Pain File Stealer sending wallet.dat via SMTP"; flow:to_server,established; content:"Subject|3a| Pain File Stealer"; fast_pattern; content:"Content|2d|Type|3a 20|application|2f|octet|2d|stream|3b 20|name|3d|wallet.dat"; reference:url,www.cyphort.com/blog/nighthunter-massive-campaign-steal-credentials-revealed; classtype:trojan-activity; sid:2018738; rev:2; metadata:created_at 2014_07_18, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UNION SELECT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004918; classtype:web-application-attack; sid:2004918; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern; distance:0; classtype:social-engineering; sid:2021964; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat INSERT"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004919; classtype:web-application-attack; sid:2004919; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phishing Landing Aug 11 2015"; flow:to_client,established; file_data; content:"<title>Email Service Provider</title>"; nocase; fast_pattern; content:"<title>Signin</title>"; nocase; distance:0; classtype:social-engineering; sid:2025665; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_08_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat DELETE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004920; classtype:web-application-attack; sid:2004920; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:social-engineering; sid:2023752; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_01_20, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ASCII"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004921; classtype:web-application-attack; sid:2004921; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Fiesta EK Gate"; flow:established,from_server; file_data; content:"AgControl.AgControl"; content:"document.cookie.indexOf|28 22|xap|22 29|"; fast_pattern; content:"Math.random()|3b|"; classtype:exploit-kit; sid:2019183; rev:4; metadata:created_at 2014_09_16, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE"; flow:established,to_server; http.uri; content:"/listmain.asp?"; nocase; content:"cat="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0951; reference:url,www.securityfocus.com/bid/22545; reference:url,doc.emergingthreats.net/2004923; classtype:web-application-attack; sid:2004923; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern; content:"contact Microsoft Support"; nocase; distance:0; classtype:social-engineering; sid:2022409; rev:4; metadata:created_at 2016_01_26, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id SELECT"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005075; classtype:web-application-attack; sid:2005075; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern; distance:0; content:"myFunction()|3b|"; classtype:social-engineering; sid:2022365; rev:7; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UNION SELECT"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005076; classtype:web-application-attack; sid:2005076; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT CottonCastle EK Jar Download Method 2"; flow:established,from_server; content:"Content-Type|3a 20|application/octed-stream"; http_header; fast_pattern; flowbits:isset,ET.http.javaclient; classtype:exploit-kit; sid:2018545; rev:4; metadata:created_at 2014_06_09, former_category CURRENT_EVENTS, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id INSERT"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005077; classtype:web-application-attack; sid:2005077; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mailz/lists/config/config.php?"; fast_pattern; nocase; content:"wpabspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016117; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id DELETE"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005078; classtype:web-application-attack; sid:2005078; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP Wordpress enable-latex plugin url Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/enable-latex/core.php?"; fast_pattern; nocase; content:"url="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/107260/WordPress-Enable-Latex-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014448; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ASCII"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005079; classtype:web-application-attack; sid:2005079; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 9.0.0 (Windows)"; fast_pattern; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016649; rev:3; metadata:created_at 2013_03_22, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE"; flow:established,to_server; http.uri; content:"/windows.asp?"; nocase; content:"kategori_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0678; reference:url,www.milw0rm.com/exploits/3233; reference:url,doc.emergingthreats.net/2005080; classtype:web-application-attack; sid:2005080; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Nuclear EK Gate Injected iframe Oct 22 2014"; flow:established,from_server; file_data; content:"|2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29|"; within:93; fast_pattern; classtype:exploit-kit; sid:2019497; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_10_23, deployment Perimeter, malware_family Nuclear, signature_severity Critical, tag Exploit_Kit, tag Nuclear, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id SELECT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005372; classtype:web-application-attack; sid:2005372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible DarkHotel Landing M1"; flow:to_client,established; file_data; content:"eval|28|"; pcre:"/^[a-z]\x29/Rsi"; content:"Problems in loading internet explorer"; distance:0; content:"Try again after update your systems."; distance:0; fast_pattern; reference:url,securelist.com/blog/research/71713/darkhotels-attacks-in-2015/; classtype:targeted-activity; sid:2021609; rev:3; metadata:created_at 2015_08_11, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005373; classtype:web-application-attack; sid:2005373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Volatile Cedar Win32.Explosive External IP Leak"; flow:established,from_server; file_data; content:"<span id=|22|lblIPBehindProxy|22|>{"; within:29; fast_pattern; reference:md5,cefed502aaf38ee0089c527e7f537eda; reference:url,checkpoint.com/downloads/volatile-cedar-technical-report.pdf; classtype:external-ip-check; sid:2020811; rev:4; metadata:created_at 2015_03_31, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005374; classtype:web-application-attack; sid:2005374; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProjectSauron Remsec CnC Beacon (hardcoded HTTP headers)"; flow:established,to_server; content:"|41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 74 65 78 74 2F 70 6C 61 69 6E 2C 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 2D 31 2C 2A 0D 0A 4B 65 65 70 2D 41 6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 4E 6F 2D 43 61 63 68 65|"; fast_pattern; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:command-and-control; sid:2023032; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_09, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_17, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005375; classtype:web-application-attack; sid:2005375; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $SMTP_SERVERS [25,587] (msg:"ET SMTP Incoming SMTP Message with Possibly Malicious MIME Epilogue 2016-05-13 (BadEpilogue)"; flow:to_server,established; content:"|0d 0a|Content-Type|3a 20|multipart|2f|mixed|3b|"; fast_pattern; content:"|0d 0a 2d 2d|"; distance:0; pcre:"/^(?P<boundary>[\x20\x27-\x29\x2b-\x2f0-9\x3a\x3d\x3fA-Z\x5fa-z]{0,69}?[^\x2d])--(?:\x0d\x0a(?!--|\x2e|RSET)[^\r\n]*?)*\x0d\x0a--(?P=boundary)\x0d\x0a/R"; reference:url,www.certego.local/en/news/badepilogue-the-perfect-evasion/; classtype:bad-unknown; sid:2023255; rev:2; metadata:attack_target SMTP_Server, created_at 2016_09_22, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005376; classtype:web-application-attack; sid:2005376; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29  29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74  6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern; classtype:exploit-kit; sid:2021544; rev:3; metadata:created_at 2015_07_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3188; reference:url,www.milw0rm.com/exploits/4057; reference:url,doc.emergingthreats.net/2005377; classtype:web-application-attack; sid:2005377; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CazinoSilver Checkin"; flow:established,to_server; content:".php?key="; http_uri; content:"User-Agent|3A 20|DMFR|0D 0A|"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"|0d 0a|Accept"; classtype:command-and-control; sid:2013511; rev:4; metadata:created_at 2011_08_31, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006461; classtype:web-application-attack; sid:2006461; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Fedex Phishing Landing 2015-07-28"; flow:established,to_client; file_data; content:"<title>FedEx|20 7c 20|Login Page</title>"; fast_pattern; content:"form name=|22|logonForm|22|"; content:"method=|22|POST|22|"; distance:1; content:!"action=|22|/fcl/logon.do|22|"; distance:1; content:"onsubmit=|22|addWSSInfo|28|username.value|29 3b 22 3e|"; distance:1; classtype:social-engineering; sid:2031714; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Minor, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006462; classtype:web-application-attack; sid:2006462; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:social-engineering; sid:2024129; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_03_31, deployment Perimeter, former_category WEB_CLIENT, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006463; classtype:web-application-attack; sid:2006463; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:social-engineering; sid:2021206; rev:4; metadata:created_at 2015_06_09, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006464; classtype:web-application-attack; sid:2006464; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:social-engineering; sid:2022526; rev:4; metadata:created_at 2016_02_16, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006465; classtype:web-application-attack; sid:2006465; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:exploit-kit; sid:2017408; rev:4; metadata:created_at 2013_09_03, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3273; reference:url,www.securityfocus.com/bid/24498; reference:url,doc.emergingthreats.net/2006466; classtype:web-application-attack; sid:2006466; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern; isdataat:!3,relative; classtype:exploit-kit; sid:2021249; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_06_11, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode SELECT"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006467; classtype:web-application-attack; sid:2006467; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32.Chroject.B Receiving ClickFraud Commands from CnC 1"; flow:from_server,established; file_data; content:"/title><script>window.setTimeout(function () { window.location="; fast_pattern; content:"<title>"; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/title/R"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020748; rev:8; metadata:created_at 2015_03_25, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UNION SELECT"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006468; classtype:web-application-attack; sid:2006468; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET MALWARE PredatorPain Keylogger FTP Activity"; flow:established,to_server; dsize:21; content:"USER|20|panzerhund2015|0d 0a|"; fast_pattern; reference:url,malwareconfig.com/stats/PredatorPain; reference:md5,e5ddca929924e4f34cb18692f09ac424; classtype:trojan-activity; sid:2021745; rev:2; metadata:created_at 2015_09_04, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode INSERT"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006469; classtype:web-application-attack; sid:2006469; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern; content:"Java/1.7"; http_user_agent; classtype:exploit-kit; sid:2016491; rev:12; metadata:created_at 2013_02_22, former_category EXPLOIT_KIT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode DELETE"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006470; classtype:web-application-attack; sid:2006470; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Possible Generic Phishing Landing Jul 28 2015"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern; classtype:social-engineering; sid:2021539; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2015_07_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ASCII"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006471; classtype:web-application-attack; sid:2006471; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; classtype:social-engineering; sid:2022030; rev:4; metadata:created_at 2015_11_04, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE"; flow:established,to_server; http.uri; content:"/forum/include/error/autherror.cfm?"; nocase; content:"errorcode="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3301; reference:url,www.securityfocus.com/bid/24528; reference:url,doc.emergingthreats.net/2006472; classtype:web-application-attack; sid:2006472; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:3; metadata:created_at 2014_01_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006189; classtype:web-application-attack; sid:2006189; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; fast_pattern; content:"pid="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006190; classtype:web-application-attack; sid:2006190; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:social-engineering; sid:2022993; rev:3; metadata:attack_target Client_Endpoint, created_at 2016_07_29, deployment Perimeter, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006191; classtype:web-application-attack; sid:2006191; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Outlook WebApp Phish Landing 2015-11-05"; flow:established,from_server; file_data; content:"data-title=|22|Need a new Password?|22|>"; fast_pattern; nocase; content:"We|27|ll contact your admin to reset the password for|3a|"; nocase; distance:0; content:"We notified your admin to reset your password."; nocase; distance:0; content:"Now you'll need to wait until they do"; nocase; distance:0; content:"(or go ask them nicely, yourself)."; nocase; distance:0; content:"Once your admin resets your password"; nocase; distance:0; content:"you should receive an email with steps to login."; nocase; distance:0; classtype:social-engineering; sid:2031690; rev:5; metadata:created_at 2015_11_05, former_category PHISHING, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006192; classtype:web-application-attack; sid:2006192; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:exploit-kit; sid:2023074; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_08_17, deployment Perimeter, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006193; classtype:web-application-attack; sid:2006193; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Obfuscated Phishing Landing 2015-11-05"; flow:established,from_server; file_data; content:"<script language=|22|javascript|22| type=|22|text/javascript|22|>var "; depth:57; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"var o1,o2,o3,h1,h2,h3,h4,bits,i"; fast_pattern; distance:0; classtype:social-engineering; sid:2031698; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_05, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"newsId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006194; classtype:web-application-attack; sid:2006194; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern; classtype:attempted-recon; sid:2021024; rev:2; metadata:created_at 2015_04_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006195; classtype:web-application-attack; sid:2006195; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malware Connectivity Check to Google"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Host|3a| google.com|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|29 0d 0a 0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2019729; rev:4; metadata:created_at 2014_11_18, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006196; classtype:web-application-attack; sid:2006196; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern; classtype:attempted-recon; sid:2021023; rev:2; metadata:created_at 2015_04_28, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006197; classtype:web-application-attack; sid:2006197; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Google Drive Phishing Landing Nov 6 2015 M2"; flow:established,from_server; file_data; content:"Welcome to Google Docs"; nocase; fast_pattern; content:"Upload and Share Your Documents Securely"; nocase; distance:0; content:"Enter your email"; nocase; distance:0; content:"Enter a valid email"; nocase; distance:0; content:"Enter your password"; nocase; distance:0; content:"Sign in to view attachment"; nocase; distance:0; content:"Access your documents securely"; nocase; distance:0; classtype:social-engineering; sid:2025680; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_06, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag Phishing, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006198; classtype:web-application-attack; sid:2006198; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Scam Sep 08 2017"; flow:established,to_client; file_data; content:"background-color|3a|#CE3426|3b|"; nocase; fast_pattern; content:"=window[|22|eval|22|](|22|eval|22|)|3b|"; nocase; distance:0; content:"charCodeAt"; distance:0; content:"fromCharCode"; distance:0; classtype:social-engineering; sid:2024688; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_08, deployment Perimeter, former_category WEB_CLIENT, signature_severity Minor, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006199; classtype:web-application-attack; sid:2006199; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Connectivity Check of Unknown Origin 3"; flow:to_server,established; content:"GET"; http_method; content:"/images/logo.gif"; http_uri; urilen:16; content:"User-Agent|3a| Mozilla/4.0 (compatible)|0d 0a|Host|3a| www.study-centers.com|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; fast_pattern; depth:92; classtype:trojan-activity; sid:2013351; rev:4; metadata:created_at 2011_08_04, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"categoryid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006200; classtype:web-application-attack; sid:2006200; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; classtype:social-engineering; sid:2021965; rev:4; metadata:created_at 2015_10_19, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006201; classtype:web-application-attack; sid:2006201; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:social-engineering; sid:2022364; rev:4; metadata:created_at 2016_01_14, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UNION SELECT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006202; classtype:web-application-attack; sid:2006202; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"ET MALWARE MSIL/Banker.M Downloading Binary from SQL"; flow:established,to_client; content:"|03 00|d|00|b|00|o|00 09 00|n|00|o|00|v|00|o|00|s|00|l|00|o|00|a|00|d|00 03|i|00|m|00|g"; fast_pattern; content:"This program cannot be run"; distance:0; reference:md5,54618b126c69b2f0a3309b7c0ac5ae26; reference:url,blogs.mcafee.com/mcafee-labs/brazilian-banking-malware-hides-in-sql-database/; classtype:trojan-activity; sid:2021931; rev:2; metadata:created_at 2015_10_08, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId INSERT"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006203; classtype:web-application-attack; sid:2006203; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET MALWARE Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6)"; flow:established,to_server; content:"X-Mailer|3a| XimianEvolution1.4.6"; fast_pattern; content:"|0d 0a|Content-Disposition|3a| attachment|3b|"; content:!"|0d 0a|Subject|3a| Undeliverable|3a|"; content:!"X-Barracuda-"; reference:url,techhelplist.com/index.php/tech-tutorials/41-misc/438-asprox-botnet-trojan-run-malware-spamming-1; reference:url,stopmalvertising.com/tag/asprox.html; classtype:trojan-activity; sid:2018336; rev:6; metadata:created_at 2014_03_31, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId DELETE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006204; classtype:web-application-attack; sid:2006204; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:2; metadata:created_at 2012_03_05, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId ASCII"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006205; classtype:web-application-attack; sid:2006205; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern; nocase; content:"gall_id="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:10; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE"; flow:established,to_server; http.uri; content:"/index.cfm?"; nocase; content:"langId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6776; reference:url,www.securityfocus.com/bid/21727; reference:url,doc.emergingthreats.net/2006206; classtype:web-application-attack; sid:2006206; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:exploit-kit; sid:2023480; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_06, deployment Perimeter, malware_family SunDown, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic SELECT"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005330; classtype:web-application-attack; sid:2005330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M1"; flow:established,from_server; file_data; content:"|76 69 65 77 2d 73 6f 75 72 63 65 3a|"; nocase; content:"|61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 6f 7a 2d 70 6c 61 79 70 72 65 76 69 65 77 2d 70 64 66 6a 73|"; fast_pattern; nocase; content:"|73 61 6e 64 62 6f 78 43 6f 6e 74 65 78 74|"; nocase; content:"return "; pcre:"/\We[\s\x22\x27,+]*?v[\s\x22\x27,+]*?a[\s\x22\x27,+]*?l\W/"; reference:cve,2015-4495; classtype:attempted-user; sid:2021601; rev:3; metadata:created_at 2015_08_10, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UNION SELECT"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005331; classtype:web-application-attack; sid:2005331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2015-11-14"; flow:established,from_server; file_data; content:"<title>PDF ONLINE</title>"; fast_pattern; nocase; content:"Document Has Been Removed"; nocase; distance:0; classtype:credential-theft; sid:2031738; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_11_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic INSERT"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005332; classtype:web-application-attack; sid:2005332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; classtype:social-engineering; sid:2021256; rev:4; metadata:created_at 2015_06_11, former_category WEB_CLIENT, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic DELETE"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005333; classtype:web-application-attack; sid:2005333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/"; startswith; fast_pattern; http.cookie; content:"PREF=ID="; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,aa5e8268e741346c76ebfd1f27941a14; reference:url,cert.gov.ua/article/37704; classtype:trojan-activity; sid:2035508; rev:2; metadata:created_at 2022_03_17, former_category MALWARE, malware_family Cobalt_Strike, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic ASCII"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005334; classtype:web-application-attack; sid:2005334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PE EXE Download over raw TCP"; flow:established,to_client; stream_size:client,<,5; dsize:>11; content:"MZ"; startswith; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,github.com/corkami/docs/blob/master/PE/PE.md; classtype:misc-activity; sid:2035480; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE"; flow:established,to_server; http.uri; content:"/low.php?"; nocase; content:"topic="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3235; reference:url,www.milw0rm.com/exploits/4062; reference:url,doc.emergingthreats.net/2005335; classtype:web-application-attack; sid:2005335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MOBILE_MALWARE Android.Trojan.AndroRAT.CE Checkin"; flow:to_server,established; content:"info=user"; depth:20; content:"simCountryCode="; distance:0; fast_pattern; content:"posnetwork="; distance:0; content:"recMic="; distance:0; content:"callMoniter="; distance:0; content:"callWhere="; distance:0; reference:md5,5cffec9d80acd836e945e410061363ca; classtype:command-and-control; sid:2035483; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GDL gdl.php node Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gdl.php?"; nocase; content:"mod=browse"; nocase; content:"node="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34144; reference:url,milw0rm.com/exploits/8228; reference:url,doc.emergingthreats.net/2009394; classtype:web-application-attack; sid:2009394; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Public Cloud Domain (cld .pt in TLS SNI)"; flow:established,to_server; tls.sni; content:"cld.pt"; bsize:6; fast_pattern; classtype:bad-unknown; sid:2035514; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GS Real Estate Portal email.php AgentID Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/email.php?"; nocase; content:"AgentID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,juniper.net/security/auto/vulnerabilities/vuln32307.html; reference:url,xforce.iss.net/xforce/xfdb/46638; reference:url,milw0rm.com/exploits/7117; reference:url,doc.emergingthreats.net/2009791; classtype:web-application-attack; sid:2009791; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Public Cloud Domain in DNS Lookup (cld .pt)"; dns.query; content:"cld.pt"; nocase; bsize:6; classtype:bad-unknown; sid:2035515; rev:1; metadata:created_at 2022_03_17, former_category INFO, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery2/lib/adodb/adodb-error.inc.php?"; nocase; content:"ADODB_LANG="; nocase; pcre:"/ADODB_LANG\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10705; reference:url,doc.emergingthreats.net/2011018; classtype:web-application-attack; sid:2011018; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loki Locker Ransomware User-Agent"; flow:established,to_server; http.user_agent; content:"Loki/"; startswith; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035510; rev:1; metadata:created_at 2022_03_17, former_category MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/core/includes/gfw_smarty.php?"; nocase; content:"config[gfwroot]="; nocase; pcre:"/config\[gfwroot\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12488; reference:bugtraq,39890; reference:url,doc.emergingthreats.net/2011116; classtype:web-application-attack; sid:2011116; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Loki Locker Ransomware CnC Domain in DNS Lookup"; dns.query; content:"loki-locker.one"; nocase; bsize:15; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:domain-c2; sid:2035511; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004000; classtype:web-application-attack; sid:2004000; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup)"; dns_query; content:"dostkafa.tk"; isdataat:!1,relative; reference:md5,5ea8d0f4f87b76dd1c7b6c2a34ece434; classtype:domain-c2; sid:2035484; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id INSERT"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004001; classtype:web-application-attack; sid:2004001; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI)"; flow:established,to_server; tls_sni; content:"dostkafa.tk"; isdataat:!1,relative; nocase; reference:md5,5ea8d0f4f87b76dd1c7b6c2a34ece434; classtype:command-and-control; sid:2035485; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004002; classtype:web-application-attack; sid:2004002; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 2"; dns_query; content:"hamta-fan-ir.gq"; isdataat:!1,relative; reference:md5,5dab8a38324deadd7a9738a6c59b69da; classtype:command-and-control; sid:2035486; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ASCII"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004003; classtype:web-application-attack; sid:2004003; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"hamta-fan-ir.gq"; isdataat:!1,relative; nocase; reference:md5,5dab8a38324deadd7a9738a6c59b69da; classtype:command-and-control; sid:2035487; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down_indir.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2810; reference:url,www.securityfocus.com/bid/23714; reference:url,doc.emergingthreats.net/2004004; classtype:web-application-attack; sid:2004004; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 3"; dns_query; content:"alfa-toxic.xyz"; isdataat:!1,relative; reference:md5,2ea18b97e95171afabd9cfafa4813812; classtype:domain-c2; sid:2035488; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori SELECT"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004397; classtype:web-application-attack; sid:2004397; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"alfa-toxic.xyz"; isdataat:!1,relative; nocase; reference:md5,2ea18b97e95171afabd9cfafa4813812; classtype:command-and-control; sid:2035489; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UNION SELECT"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004398; classtype:web-application-attack; sid:2004398; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 4"; dns_query; content:"sahm-melli.tk"; isdataat:!1,relative; reference:md5,56b25d666bb8174d822d8d4c558bad81; classtype:domain-c2; sid:2035490; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori INSERT"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004399; classtype:web-application-attack; sid:2004399; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"sahm-melli.tk"; isdataat:!1,relative; nocase; reference:md5,56b25d666bb8174d822d8d4c558bad81; classtype:trojan-activity; sid:2035491; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori DELETE"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004400; classtype:web-application-attack; sid:2004400; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 5"; dns_query; content:"kos-nnt.com"; isdataat:!1,relative; reference:md5,c6a3b408175410cd6b5204b804dee2ed; classtype:domain-c2; sid:2035492; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ASCII"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004401; classtype:web-application-attack; sid:2004401; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"kos-nnt.com"; isdataat:!1,relative; nocase; reference:md5,c6a3b408175410cd6b5204b804dee2ed; classtype:command-and-control; sid:2035493; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE"; flow:established,to_server; http.uri; content:"/kategori.asp?"; nocase; content:"kategori="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1410; reference:url,www.milw0rm.com/exploits/3437; reference:url,doc.emergingthreats.net/2004402; classtype:web-application-attack; sid:2004402; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 6"; dns_query; content:"samane.site"; isdataat:!1,relative; reference:md5,1cf18d4f51326c4409fccff0b05bd254; classtype:domain-c2; sid:2035494; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user SELECT"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005009; classtype:web-application-attack; sid:2005009; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"samane.site"; isdataat:!1,relative; nocase; reference:md5,1cf18d4f51326c4409fccff0b05bd254; classtype:command-and-control; sid:2035495; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UNION SELECT"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005010; classtype:web-application-attack; sid:2005010; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 7"; dns_query; content:"test-mrx-domin.ml"; isdataat:!1,relative; reference:md5,fa0c00e7e37c6bdd423a01819a1b8d66; classtype:domain-c2; sid:2035496; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user INSERT"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005011; classtype:web-application-attack; sid:2005011; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"test-mrx-domin.ml"; isdataat:!1,relative; nocase; reference:md5,fa0c00e7e37c6bdd423a01819a1b8d66; classtype:command-and-control; sid:2035497; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user DELETE"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005012; classtype:web-application-attack; sid:2005012; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 8"; dns_query; content:"405.bar"; isdataat:!1,relative; reference:md5,836c642b75b7d063bc663c9612f0f736; classtype:domain-c2; sid:2035498; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ASCII"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005013; classtype:web-application-attack; sid:2005013; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"405.bar"; isdataat:!1,relative; nocase; reference:md5,836c642b75b7d063bc663c9612f0f736; classtype:command-and-control; sid:2035499; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE"; flow:established,to_server; http.uri; content:"/inc/common.php?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0794; reference:url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded; reference:url,doc.emergingthreats.net/2005014; classtype:web-application-attack; sid:2005014; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidewinder APT Related Domain in DNS Lookup"; dns.query; content:"maritimepakistan.kpt-pk.net"; nocase; bsize:27; reference:md5,bbc955b1289b4f90fdfb8906606597e9; reference:url,twitter.com/ShadowChasing1/status/1504347312838959106; classtype:domain-c2; sid:2035516; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, malware_family Sidewinder, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/library/setup/rpc.php?"; nocase; content:"objectname="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/7344; reference:url,secunia.com/advisories/32982/; reference:url,doc.emergingthreats.net/2008937; classtype:web-application-attack; sid:2008937; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loki Locker Ransomware CnC Activity"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"unique-id="; fast_pattern; content:"disk-size="; content:"|20|GB&"; within:10; content:"user="; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035509; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id SELECT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004349; classtype:web-application-attack; sid:2004349; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 9"; dns_query; content:"dolat-sahm-ir.tk"; isdataat:!1,relative; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035500; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004350; classtype:web-application-attack; sid:2004350; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M2"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.response_body; content:"bgABExk3KwQzPic3bF9YcnJuHz02Jz4nI"; fast_pattern; content:"259Hz02Jz4nIWxfWHJybhcqIj08NzwmbBMDExBufRcqIj08NzwmbF9Ybn0AARMZNysEMz4nN2w="; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035513; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_17, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id INSERT"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004351; classtype:web-application-attack; sid:2004351; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"dolat-sahm-ir.tk"; isdataat:!1,relative; nocase; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:command-and-control; sid:2035501; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id DELETE"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004352; classtype:web-application-attack; sid:2004352; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 10"; dns_query; content:"namosan-nakon.tk"; isdataat:!1,relative; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035502; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id ASCII"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004353; classtype:web-application-attack; sid:2004353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"namosan-nakon.tk"; isdataat:!1,relative; nocase; reference:md5,a5e96e480c38e3a2f8df81c1d4eaac1c; classtype:domain-c2; sid:2035503; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE"; flow:established,to_server; http.uri; content:"/userdetail.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004354; classtype:web-application-attack; sid:2004354; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/perceive.cfg"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/ShadowChasing1/status/1504444062425747456; reference:md5,ef5017d8e7724f73d370e1b77d276d3c; classtype:trojan-activity; sid:2035517; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004355; classtype:web-application-attack; sid:2004355; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 11"; dns_query; content:"peygiri.tech"; isdataat:!1,relative; reference:md5,9262943f8fc52b77eedff18c7f122748; classtype:domain-c2; sid:2035504; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004356; classtype:web-application-attack; sid:2004356; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"peygiri.tech"; isdataat:!1,relative; nocase; reference:md5,9262943f8fc52b77eedff18c7f122748; classtype:trojan-activity; sid:2035505; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id INSERT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004357; classtype:web-application-attack; sid:2004357; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (DNS Lookup) 12"; dns_query; content:"sunlovelapi.xyz"; isdataat:!1,relative; reference:md5,f0c894498a890c3afc67916eac3e9c5d; classtype:domain-c2; sid:2035506; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id DELETE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004358; classtype:web-application-attack; sid:2004358; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Trojan-Spy.AndroidOS.Realrat.c (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"sunlovelapi.xyz"; isdataat:!1,relative; nocase; reference:md5,f0c894498a890c3afc67916eac3e9c5d; classtype:command-and-control; sid:2035507; rev:2; metadata:created_at 2022_03_17, former_category MOBILE_MALWARE, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id ASCII"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004359; classtype:web-application-attack; sid:2004359; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO stopify .co Domain in DNS Lookup"; dns.query; content:"stopify.co"; nocase; bsize:10; reference:md5,fff7de030fe2f4dfdedc7e8bab7e48a5; classtype:misc-activity; sid:2035519; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, signature_severity Major, updated_at 2022_03_17;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004360; classtype:web-application-attack; sid:2004360; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TA422 Credential Phish 2022-03-17 M1"; flow:established,to_server; http.method; content:"POST"; http.host; content:"webhook.site"; bsize:12; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035520; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id SELECT"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004361; classtype:web-application-attack; sid:2004361; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful TA422 Credential Phish 2022-03-17 M2"; flow:established,to_server; http.method; content:"POST"; http.host; content:"pipedream.net"; bsize:12; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035521; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004362; classtype:web-application-attack; sid:2004362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful TA422 Credential Phish 2022-03-17"; flow:established,to_server; http.method; content:"POST"; http.referer; content:"frge.io"; http.request_body; content:"login"; distance:0; content:"pass"; distance:0; content:"new_pass"; distance:0; content:"conf_pass"; distance:0; reference:url,cert.gov.ua/article/37788; classtype:credential-theft; sid:2035522; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id INSERT"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004363; classtype:web-application-attack; sid:2004363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.B Domain in SNI"; flow:established,to_server; tls.sni; content:"handbrake.biz"; bsize:13; fast_pattern; classtype:trojan-activity; sid:2024285; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_09, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id ASCII"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004365; classtype:web-application-attack; sid:2004365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (eltima .in in TLS SNI)"; flow:established,to_server; tls.sni; content:"eltima.in"; bsize:9; fast_pattern; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024889; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004366; classtype:web-application-attack; sid:2004366; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrake .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"handbrake.cc"; bsize:12; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024893; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004367; classtype:web-application-attack; sid:2004367; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Proton.C/D Domain (handbrakestore .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"handbrakestore.com"; bsize:18; fast_pattern; nocase; reference:url,www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia; classtype:trojan-activity; sid:2024891; rev:5; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_10_20, deployment Perimeter, former_category TROJAN, malware_family Proton, performance_impact Moderate, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UNION SELECT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004368; classtype:web-application-attack; sid:2004368; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake org name)"; flow:established,from_server; tls.cert_subject; content:"C=AU"; content:"ST=Some-State"; fast_pattern; tls.certs; content:"|06 03 55 04 0a|"; distance:0; pcre:"/^.{2}(?=[a-z]{0,15}\d)(?P<var>[a-z0-9]{4,16}[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=var)/Rs"; reference:md5,c35b37203859b9c0be0e3255a79ed64d; classtype:trojan-activity; sid:2019832; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url INSERT"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004369; classtype:web-application-attack; sid:2004369; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 2"; flow:established,to_server; dsize:51; content:"|01 00 30 01 01 00|"; fast_pattern; startswith; flowbits:set,ET.Tesch; reference:md5,872763d48730506af7eee0bf22c2f47b; classtype:command-and-control; sid:2018620; rev:6; metadata:created_at 2014_07_01, former_category MALWARE, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url DELETE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004370; classtype:web-application-attack; sid:2004370; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA471/UNC2589 Related Activity (GET)"; flow:established,to_server; urilen:2; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z]$/"; http.user_agent; content:"-hobot-"; bsize:7; fast_pattern; http.accept_enc; content:"gzip"; bsize:4; http.header_names; content:!"Referer"; reference:md5,1b161170a6b025b3f44746e20afd130f; reference:url,www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/; classtype:trojan-activity; sid:2035531; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url ASCII"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004371; classtype:web-application-attack; sid:2004371; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (runfs .icu)"; dns.query; content:"runfs.icu"; nocase; bsize:9; reference:url,isc.sans.edu/diary/rss/28448; classtype:domain-c2; sid:2035532; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE"; flow:established,to_server; http.uri; content:"/jump.php?"; nocase; content:"url="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004372; classtype:web-application-attack; sid:2004372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Linux/B1txor20 Backdoor Connectivity Check"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06 67 6f 6f 67 6c 65 03 63 6f 6d 00 00 00 00 01|"; distance:1; within:16; endswith; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; classtype:trojan-activity; sid:2035526; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011262; classtype:web-application-attack; sid:2011262; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bitter APT Backdoor Related Activity"; flow:established,to_server; dsize:3; content:"|03 00 dc|"; fast_pattern; threshold: type both, count 2, seconds 5, track by_src; reference:md5,bd054c4f43808ef37352f36129bf0c3d; reference:md5,06a7eccd74a6aa5aa12755cd48829f90; reference:md5,532345089619a1881176588a587d3cf1; reference:url,ShadowChasing1/status/1504833720489951234; classtype:trojan-activity; sid:2035533; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Bitter, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011263; classtype:web-application-attack; sid:2011263; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply"; flow:established,to_client; content:"|02 00 06|"; startswith; content:"|01 BB|"; endswith; fast_pattern; reference:md5,86b5491831522f3c7bdcdacb17417514; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018477; rev:2; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011264; classtype:web-application-attack; sid:2011264; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server Command (Confirm C2 IP and port)"; flow:established,from_server; flowbits:isset,ET.Tesch; dsize:9; content:"|02 00 06|"; startswith; reference:url,stopmalvertising.com/rootkits/analysis-of-a-triple-click-fraud-threat.html; classtype:command-and-control; sid:2018624; rev:6; metadata:created_at 2014_07_02, former_category MALWARE, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011265; classtype:web-application-attack; sid:2011265; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO infinityfree .net Domain in DNS Lookup"; dns.query; dotprefix; content:".infinityfree.net"; nocase; endswith; reference:md5,bf3ce5b341d021b4a03123fe81aa854e; classtype:misc-activity; sid:2035538; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/modules/comments/json.php?"; nocase; content:"task=comment"; nocase; content:"comment_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/40665/; reference:url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt; reference:url,doc.emergingthreats.net/2011266; classtype:web-application-attack; sid:2011266; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [8000:8001] (msg:"ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil"; flow:established,to_server; dsize:571; content:"|b9 b6 b5 c8 f1 ef ef d3 f1 ef ef ee ef ef ef 2c|"; startswith; fast_pattern; content:"|99 91 31 a9 39 97 27 81 f1|"; endswith; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,782cbc8660ff9e94e584adfcbc4cb961; reference:url,asec.ahnlab.com/en/32572; classtype:trojan-activity; sid:2035536; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category MALWARE, malware_family Gh0stCringe, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guestbook guestbook.php mes_id SQL Injection attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/guestbook.php?"; nocase; content:"mes_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/9197; reference:url,doc.emergingthreats.net/2009674; classtype:web-application-attack; sid:2009674; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DonotGroup Pult Downloader Activity (POST)"; flow:established,to_server; urilen:8<>25; http.method; content:"POST"; http.uri; content:!".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"batac="; startswith; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.user_agent; content:!"Linux|3b|"; content:!"iPhone|3b|"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; content:!"Referer"; reference:md5,765c01936caae2ba1b1b50ae1ed76cc0; classtype:trojan-activity; sid:2035534; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family DonotGroup, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id SELECT"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005222; classtype:web-application-attack; sid:2005222; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (CobaltStrike)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0_Frsg_stredf_o21_crown_type"; startswith; fast_pattern; reference:md5,b8b7a10dcc0dad157191620b5d4e5312; classtype:trojan-activity; sid:2035537; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category USER_AGENTS, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005223; classtype:web-application-attack; sid:2005223; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Empty Payload (set)"; flow:established,to_server; flowbits:set,ET.facefish; flowbits:noalert; dsize:8; content:"|00 00 00 02 00 00 00 00|"; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033109; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id INSERT"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005224; classtype:web-application-attack; sid:2005224; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE ELF/Facefish Server Response (201)"; flow:established,to_client; flowbits:isset,ET.facefish; dsize:8; content:"|18 00 01 02|"; startswith; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033110; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id DELETE"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005225; classtype:web-application-attack; sid:2005225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Client Response (202)"; flow:established,to_server; flowbits:set,ET.facefish; dsize:8; content:"|08 00 02 02|"; startswith; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033111; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ASCII"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005311; classtype:web-application-attack; sid:2005311; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE ELF/Facefish Session Closing (400)"; flow:established,to_server; flowbits:isset,ET.facefish; dsize:8; content:"|00 00 00 04 00 00 00 00|"; reference:url,blog.netlab.360.com/ssh_stealer_facefish_en; reference:md5,38fb322cc6d09a6ab85784ede56bc5a7; reference:md5,63dc3037bf0022e2d281f0463529bf60; classtype:trojan-activity; sid:2033112; rev:2; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2021_06_07, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE"; flow:established,to_server; http.uri; content:"/print.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0554; reference:url,www.milw0rm.com/exploits/3195; reference:url,doc.emergingthreats.net/2005226; classtype:web-application-attack; sid:2005226; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; bsize:10; http.referer; content:"login.php"; endswith; http.host; content:".duckdns.org"; http.request_body; content:"email="; startswith; content:"&password="; distance:0; content:"&link_grup="; distance:0; reference:md5,221ce301229b990a02f433a0f2e25a18; classtype:credential-theft; sid:2035539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007404; classtype:web-application-attack; sid:2007404; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Credential Phish 2022-03-18"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".html"; endswith; http.host; content:"selcdn.ru"; endswith; http.request_body; content:"email=&password="; content:"&s_rememberMe=true"; fast_pattern; classtype:credential-theft; sid:2035540; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UNION SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007405; classtype:web-application-attack; sid:2007405; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET INFO Non Standard Port DNS Query to google .com (udp)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|google|03|com"; fast_pattern; classtype:bad-unknown; sid:2035472; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd INSERT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007406; classtype:web-application-attack; sid:2007406; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET INFO DNS Query to google .com Non Standard Port (tcp)"; content:"|01|"; offset:4; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|06|google|03|com"; fast_pattern; classtype:bad-unknown; sid:2035535; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd DELETE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007407; classtype:web-application-attack; sid:2007407; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE EMAIL SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"2F:09:DD:E0:FF:81:B7:6C:BF:2F:17:92:0C:D8:BD:57"; tls.cert_subject; content:"CN=EMAIL"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016464; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ASCII"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007408; classtype:web-application-attack; sid:2007408; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M1"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZwc"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035527; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"ipadd="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007409; classtype:web-application-attack; sid:2007409; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M2"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZzH"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035528; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007410; classtype:web-application-attack; sid:2007410; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns any any -> $HOME_NET any (msg:"ET MALWARE Linux/B1txor20 Backdoor DNS Tunnel Activity M3"; byte_test:1,&,128,3; content:"|00 00 10 00 01 c0 0c 00 10 00 01 00 00 00 01|"; content:"1"; distance:3; within:1; content:"E6NZxA"; distance:2; within:6; fast_pattern; reference:url,blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/; reference:md5,43fcb5f22a53a88e726ebef46095cd6b; classtype:command-and-control; sid:2035529; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, deployment Internal, former_category MALWARE, malware_family B1txor20, performance_impact Low, signature_severity Major, updated_at 2022_03_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UNION SELECT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007411; classtype:web-application-attack; sid:2007411; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:92:87:8F:35:B4:AA:08:D1"; tls.cert_subject; content:"L=Taipei"; fast_pattern; classtype:trojan-activity; sid:2020289; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url INSERT"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007412; classtype:web-application-attack; sid:2007412; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/^[A-Za-z0-9]{4}$/"; http.user_agent; content:"FunWebProducts|3b|IE0006_ver1|3b|EN_GB"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:url,unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/; classtype:trojan-activity; sid:2035546; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url DELETE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007413; classtype:web-application-attack; sid:2007413; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/submit.php?id="; startswith; http.user_agent; content:"|3b 20|MANM|3b 20|MANM)"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"Cookie"; reference:url,unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/; classtype:trojan-activity; sid:2035547; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ASCII"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007414; classtype:web-application-attack; sid:2007414; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (grace-fraser .site)"; dns.query; content:"grace-fraser.site"; nocase; bsize:17; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035548; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE"; flow:established,to_server; http.uri; content:"/addrating.php?"; nocase; content:"url="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6155; reference:url,www.frsirt.com/english/advisories/2006/4689; reference:url,doc.emergingthreats.net/2007415; classtype:web-application-attack; sid:2007415; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (pam-beesly .site)"; dns.query; content:"pam-beesly.site"; nocase; bsize:15; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035549; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/smhui/getuiinfo"; nocase; content:"JS"; nocase; content:"servercert="; nocase; pcre:"/servercert\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727; reference:cve,2009-4185; reference:url,doc.emergingthreats.net/2010770; classtype:web-application-attack; sid:2010770; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Arid Gopher Related Domain in DNS Lookup (mozelllittel .com)"; dns.query; content:"mozelllittel.com"; nocase; bsize:16; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:domain-c2; sid:2035550; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/mypage.php?"; nocase; content:"trg="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32467; reference:bugtraq,31986; reference:url,milw0rm.com/exploits/6874; reference:url,doc.emergingthreats.net/2009878; classtype:web-application-attack; sid:2009878; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Mustang Panda APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/newtap.css"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,twitter.com/StillAzureH/status/1505823479945625604; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; classtype:trojan-activity; sid:2035551; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre SELECT"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004421; classtype:web-application-attack; sid:2004421; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mustang Panda APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Invitation.jpg"; fast_pattern; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:url,twitter.com/StillAzureH/status/1505823479945625604; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; classtype:trojan-activity; sid:2035552; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UNION SELECT"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"UNION"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004422; classtype:web-application-attack; sid:2004422; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed testcookie-nginx-module"; flow:established,to_client; http.stat_code; content:"200"; bsize:3; http.server; content:"nginx"; depth:5; file.data; content:"toNumbers"; content:"d.replace"; distance:30; content:"e.push(parseInt"; distance:30; content:"toHex"; distance:200; content:"e.toLowerCase"; distance:0; content:"toNumbers"; distance:20; content:"toNumbers"; distance:0; content:"toNumbers"; distance:0; content:"toHex(slowAES.decrypt"; distance:100; content:"<noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript>"; fast_pattern; distance:100; reference:url,github.com/kyprizel/testcookie-nginx-module; classtype:credential-theft; sid:2035554; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre INSERT"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004423; classtype:web-application-attack; sid:2004423; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lazarus APT Related Maldoc Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /wp-content/plugins/akismet/control/en/en.jpg HTTP/1.1"; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,854903e0b284ef78322082de46dcd160; reference:url,twitter.com/h2jazi/status/1505965580075114498; classtype:trojan-activity; sid:2035545; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre DELETE"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004424; classtype:web-application-attack; sid:2004424; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE LAME SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"0E:97:88:1C:6C:A1:37:96:42:03:BC:45:42:24:75:6C"; tls.cert_subject; content:"CN=LM-68AB71FBD8F5"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016465; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ASCII"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004425; classtype:web-application-attack; sid:2004425; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE StrongPity APT Related Domain in DNS Lookup (sessionprotocol .com)"; dns.query; content:"sessionprotocol.com"; nocase; bsize:19; reference:md5,98cca7f2f6ad00771f50e97f97b5b38e; reference:url,twitter.com/HONKONE_K/status/1505920551503626242; classtype:domain-c2; sid:2035553; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, malware_family StrongPity, signature_severity Major, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE"; flow:established,to_server; http.uri; content:"/giris_yap.asp?"; nocase; content:"sifre="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7161; reference:url,www.securityfocus.com/bid/20375; reference:url,doc.emergingthreats.net/2004426; classtype:web-application-attack; sid:2004426; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake loc)"; flow:established,from_server; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"; classtype:trojan-activity; sid:2018457; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, former_category MALWARE, malware_family Upatre, performance_impact Significant, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/includes/header.php?"; nocase; content:"c_temp_path="; nocase; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009231; classtype:web-application-attack; sid:2009231; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE NS SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"72:A2:5C:8A:B4:18:71:4e:BF:C6:6F:3F:98:D6:F7:74"; tls.cert_subject; content:"CN=NS"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016466; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/footer.php?"; nocase; content:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/8028; reference:url,doc.emergingthreats.net/2009232; classtype:web-application-attack; sid:2009232; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Possible Fake Edu Host with __test Cookie"; flow:established,to_server; http.method; content:"GET"; http.host; content:"edu"; pcre:"/(?!\.[a-z]{2}$|$)/R"; http.cookie; content:"__test="; fast_pattern; depth:7; classtype:misc-activity; sid:2035555; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category HUNTING, signature_severity Informational, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/header.php?"; nocase; content:"c_temp_path"; nocase; pcre:"/c_temp_path=\s*(https?|ftps?|php)\:\//i"; reference:cve,CVE-2008-2898; reference:url,secunia.com/advisories/30778/; reference:url,milw0rm.com/exploits/5904; reference:url,doc.emergingthreats.net/2009233; classtype:web-application-attack; sid:2009233; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKE AOL SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"7C:A2:74:D0:FB:C3:D1:54:B3:D1:A3:00:62:E3:7E:F6"; tls.cert_subject; content:"CN=mail.aol.com"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016469; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/knowledgebase.php?"; nocase; content:"act=art"; nocase; content:"article_id="; nocase; pcre:"/(\?|&)article_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt; reference:url,doc.emergingthreats.net/2010609; classtype:web-application-attack; sid:2010609; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake IBM SSL Cert APT1"; flow:established,to_client; tls.cert_issuer; content:"O=Internet Widgits Pty Ltd"; content:"CN=IBM"; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; content:"CN=IBM"; fast_pattern; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016463; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php"; flow:to_server,established; http.uri; content:"/horde/services/images/colorpicker.php?"; nocase; pcre:"/colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009494; classtype:web-application-attack; sid:2009494; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Virtually SSL Cert APT1"; flow:established,to_client; tls.cert_issuer; content:"O=www.virtuallythere.com"; content:"OU=new"; content:"CN=new"; tls.cert_subject; content:"O=www.virtuallythere.com"; fast_pattern; content:"OU=new"; content:"CN=new"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016462; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt test.php"; flow:to_server,established; http.uri; content:"/horde/test.php?"; nocase; pcre:"/test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009495; classtype:web-application-attack; sid:2009495; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE FAKE YAHOO SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"0A:38:C9:27:08:6F:96:4B:BE:75:DC:9F:C0:1A:C6:28"; tls.cert_subject; content:"CN=mail.yahoo.com"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016470; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_21;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php"; flow:to_server,established; http.uri; content:"/horde/passwd/main.php?"; nocase; pcre:"/passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22/i"; reference:url,bugs.horde.org/ticket/8398; reference:url,doc.emergingthreats.net/2009496; classtype:web-application-attack; sid:2009496; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely CryptoWall .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"kpai7ycr7jxqkilp."; fast_pattern; startswith; classtype:trojan-activity; sid:2018610; rev:3; metadata:created_at 2014_06_27, former_category MALWARE, updated_at 2022_03_21;)
+alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php (2)"; flow:to_server,established; http.uri; content:"/horde/services/images/colorpicker.php?"; nocase; pcre:"/colorpicker\x2Ephp\x3F[^\x0A\x0D]*(form|target)\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x29\x22\x27\x3B]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009497; classtype:web-application-attack; sid:2009497; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Loki Locker Ransomware Server Response (Public Key) M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text|2f|html|3b 20|charset|3d|UTF|2d|8"; bsize:24; http.content_len; byte_test:0,<=,1000,0,string,dec; http.response_body; content:"|7b 22|public|22 3a 22|"; startswith; fast_pattern; content:"|22 2c 22|message|5f|id|22 3a 22|"; distance:0; content:!"|22 2c 22|"; distance:0; reference:url,blogs.blackberry.com/en/2022/03/lokilocker-ransomware; reference:md5,8aea251877cb4f5ee6cf357831f8620c; reference:url,twitter.com/James_inthe_box/status/1504194638885711872; classtype:trojan-activity; sid:2035512; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Ransomware, updated_at 2022_03_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt test.php (2)"; flow:to_server,established; http.uri; content:"/horde/test.php?"; nocase; pcre:"/test\x2Ephp\x3F[^\x0A\x0D]*ext\x3D[^\x0A\x0D\x26]*[\x3E\x3C\x22\x27]/i"; reference:url,bugs.horde.org/ticket/8399; reference:url,doc.emergingthreats.net/2009498; classtype:web-application-attack; sid:2009498; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Arid Gopher Related User-Agent (aimxxhwpcc)"; flow:established,to_server; http.user_agent; content:"aimxxhwpcc"; bsize:10; fast_pattern; reference:md5,1f1969481fe9bca52d5c01e1a093c1b8; reference:url,www.deepinstinct.com/blog/arid-gopher-the-newest-micropsia-malware-variant; classtype:trojan-activity; sid:2035556; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family AridViper, malware_family TA401, signature_severity Major, updated_at 2022_03_22;)
+alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php (2)"; flow:to_server,established; http.uri; content:"/horde/passwd/main.php?"; nocase; pcre:"/passwd/main\x2Ephp\x3F[^\x0A\x0D]*backend\x3D[^\x0A\x0D\x26]*\x22/i"; reference:url,bugs.horde.org/ticket/8398; reference:url,doc.emergingthreats.net/2009499; classtype:web-application-attack; sid:2009499; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (product2020 .mrbasic .com)"; dns.query; content:"product2020.mrbasic.com"; nocase; bsize:23; reference:url,twitter.com/h2jazi/status/1505887653111209994; reference:md5,1af894a5f23713b557c23078809ed01c; reference:md5,1aba36f72685c12e60fb0922b606417c; classtype:domain-c2; sid:2035557; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, signature_severity Major, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hubscript XSS Attempt"; flow:to_server,established; http.uri; content:"/patch/single_winner1.php?bid_id="; nocase; content:"<script>"; nocase; content:"</script>"; nocase; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009647; classtype:web-application-attack; sid:2009647; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT ID Command Observed"; flow:established,to_server; content:"|3c 7c|ID|7c 3e|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035544; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hubscript PHPInfo Attempt"; flow:to_server,established; http.uri; content:"/patch/manage/phpinfo.php"; nocase; reference:url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt; reference:url,doc.emergingthreats.net/2009650; classtype:web-application-attack; sid:2009650; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AllaKore RAT CnC Checkin"; flow:established,to_server; content:"|3c 7c|mainzsoccer|7c|"; fast_pattern; startswith; classtype:attempted-admin; sid:2035542; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id SELECT"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2005179; classtype:web-application-attack; sid:2005179; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidecopy APT Backdoor Related Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /logs_files HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:trojan-activity; sid:2035558; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004630; classtype:web-application-attack; sid:2004630; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Sidecopy APT Backdoor Related Domain in DNS Lookup (kokotech .xyz)"; dns.query; content:"kokotech.xyz"; nocase; bsize:12; reference:md5,bc8e094a4fb6c724e6b32a00df6262f9; reference:url,twitter.com/bofheaded/status/1505928947955302401; classtype:domain-c2; sid:2035559; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family SideCopy, signature_severity Major, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id INSERT"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004631; classtype:web-application-attack; sid:2004631; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SUR SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"20:82:92:3F:43:2C:8F:75:B7:EF:0F:6A:D9:3C:8E:5D"; fast_pattern; tls.cert_subject; content:"CN=SUR"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016468; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id DELETE"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004632; classtype:web-application-attack; sid:2004632; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pterodo Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".kdc/"; fast_pattern; http.header_names; content:!"Referer"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"username="; startswith; content:"_"; distance:0; content:"&cart="; distance:0; content:"&cacogenics="; distance:0; reference:md5,1182940dca705e0b3a8349c9fdf99e10; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035560; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ASCII"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004633; classtype:web-application-attack; sid:2004633; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AllaKore RAT Set Keep-Alive Observed"; flow:established,to_server; content:"|3c 7c|SETPING|7c|"; fast_pattern; startswith; content:"|3c 7c|END|7c 3e|"; endswith; classtype:attempted-admin; sid:2035543; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_21, deployment Perimeter, former_category MALWARE, signature_severity Major, tag RAT, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE"; flow:established,to_server; http.uri; content:"/haberoku.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3080; reference:url,www.securityfocus.com/bid/24288; reference:url,doc.emergingthreats.net/2004634; classtype:web-application-attack; sid:2004634; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".mesh"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:url,twitter.com/500mk500/status/1505638483691544580; classtype:trojan-activity; sid:2035561; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_22, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005063; classtype:web-application-attack; sid:2005063; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE FlawedGrace CnC Activity"; flow:to_server,established; dsize:14; content:"|47 43 52 47|"; offset:4; depth:4; threshold: type both, track by_src, count 10, seconds 60; reference:md5,2b1215fb65d33fc6206ab227a3b7e75a; classtype:command-and-control; sid:2026773; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_11_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005064; classtype:web-application-attack; sid:2005064; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Known Sinkhole Response abuse.ch"; flow:established,to_client; dsize:22; content:"Sinkholed by abuse.ch|0a|"; fast_pattern; classtype:trojan-activity; sid:2020223; rev:4; metadata:created_at 2015_01_21, former_category MALWARE, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id INSERT"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005065; classtype:web-application-attack; sid:2005065; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:CD:2D:4A:53:08:27:AA:B4"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021289; rev:3; metadata:attack_target Client_and_Server, created_at 2015_06_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id DELETE"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005066; classtype:web-application-attack; sid:2005066; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:80:5C:5F:EC:50:39:a2:14"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:md5,a586db30ab21a02eee9e8ab2ebe8a2b5; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2021772; rev:3; metadata:attack_target Client_and_Server, created_at 2015_09_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ASCII"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005067; classtype:web-application-attack; sid:2005067; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9F:B1:5C:37:90:8A:2E:B7"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022095; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE"; flow:established,to_server; http.uri; content:"/oku.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0688; reference:url,www.milw0rm.com/exploits/3241; reference:url,doc.emergingthreats.net/2005068; classtype:web-application-attack; sid:2005068; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:81:32:F4:D9:2C:39:C3:06"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022096; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/advanced/workingSet.jsp"; nocase; content:"operation=add"; nocase; pcre:"/(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010145; classtype:web-application-attack; sid:2010145; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:B4:78:3D:3F:BF:60:B9:94"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022097; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_16, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"searchWord="; nocase; pcre:"/searchWord\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010181; classtype:web-application-attack; sid:2010181; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit)"; flow:established,to_client; tls.cert_serial; content:"00:B4:E9:29:AF:96:2B:99:E2"; fast_pattern; tls.cert_subject; content:"O=Internet Widgits Pty Ltd"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022098; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_22, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"maxHits="; nocase; pcre:"/maxHits\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010182; classtype:web-application-attack; sid:2010182; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; fast_pattern; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:3; metadata:created_at 2013_02_20, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"scopedSearch="; nocase; pcre:"/scopedSearch\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010183; classtype:web-application-attack; sid:2010183; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY onion.cab tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:".onion.cab"; fast_pattern; endswith; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018879; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ReqWebHelp/basic/searchView.jsp?"; nocase; content:"scope="; nocase; pcre:"/scope\s*=[\x22\x27\x3c\x3e\x20]*(script|img|src|onmouse|onkey|onload|ondragdrop|onblur|onfocus|onclick)/i"; reference:url,www.securityfocus.com/bid/36721/info; reference:url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895; reference:url,doc.emergingthreats.net/2010184; classtype:web-application-attack; sid:2010184; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot .onion Proxy domain in SNI Aug 04 2014"; flow:established,to_server; tls.sni; content:"zxjfcvfvhqfqsrpz."; fast_pattern; startswith; reference:md5,9c40169371adbee467587ab55a61e883; classtype:trojan-activity; sid:2018892; rev:4; metadata:created_at 2014_08_05, former_category TROJAN, updated_at 2022_03_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/help/readme.nsf/Header"; nocase; content:"OpenPage="; nocase; content:"BaseTarget="; nocase; pcre:"/BaseTarget\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,www.securityfocus.com/bid/38481; reference:url,doc.emergingthreats.net/2010865; classtype:web-application-attack; sid:2010865; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; tls.sni; content:"bridges.torproject.org"; bsize:22; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:3; metadata:created_at 2014_01_04, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/WebEditor/Authentication/LoginPage.aspx?"; nocase; content:"ReturnUrl="; nocase; content:"errMsg="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstorm.foofus.com/1003-exploits/ibmenovia-xss.txt; reference:url,doc.emergingthreats.net/2010980; classtype:web-application-attack; sid:2010980; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (vtaurl .com)"; dns.query; content:"vtaurl.com"; nocase; bsize:10; classtype:bad-unknown; sid:2035562; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/cindefn.php"; nocase; content:"INDEX="; nocase; pcre:"/INDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011190; classtype:web-application-attack; sid:2011190; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (vtaurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"vtaurl.com"; bsize:10; fast_pattern; classtype:bad-unknown; sid:2035563; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/power_management_policy_options.php"; nocase; content:"domain="; nocase; pcre:"/domain\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011191; classtype:web-application-attack; sid:2011191; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Send-Safe Bulk Mailer SSL Cert - Observed in Spam Campaigns"; flow:established,to_client; tls.cert_subject; content:"C=Unknown, ST=Unknown, L=Unknown, O=Send-Safe, OU=Unknown, CN=Send-Safe"; bsize:71; fast_pattern; reference:md5,837c7af7f376722a0315cb0a7cb12399; classtype:trojan-activity; sid:2022194; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_11_30, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/pm_temp.php"; nocase; content:"view="; nocase; content:"mod_type="; nocase; content:"slot="; nocase; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011192; classtype:web-application-attack; sid:2011192; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shifr Ransomware Malicious Domain in SNI Observed"; flow:established,to_server; tls.sni; content:"v5t5z6a55ksmt3oh.onion"; startswith; fast_pattern; reference:md5,7a8c9fbfad9a817c0a10fed926f134c2; classtype:trojan-activity; sid:2024486; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_20, deployment Perimeter, former_category MALWARE, malware_family Shifr, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/power_module.php"; nocase; content:"view="; nocase; content:"mod_type="; nocase; content:"slot="; nocase; pcre:"/slot\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011193; classtype:web-application-attack; sid:2011193; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Spora Ransomware SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=spora.bz"; fast_pattern; classtype:trojan-activity; sid:2024043; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_03_09, deployment Perimeter, former_category MALWARE, malware_family Spora, signature_severity Major, tag Ransomware, updated_at 2022_03_23, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/blade_leds.php"; nocase; content:"WEBINDEX="; nocase; pcre:"/WEBINDEX\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011194; classtype:web-application-attack; sid:2011194; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SteamStealer Domain in SNI"; flow:established,to_server; tls.sni; content:"steamdesktopauthenticator.com"; bsize:29; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:trojan-activity; sid:2025387; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_26, deployment Perimeter, former_category TROJAN, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/private/ipmi_bladestatus.php"; nocase; content:"SLOT="; nocase; pcre:"/SLOT\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,dsecrg.com/pages/vul/show.php?id=154; reference:url,doc.emergingthreats.net/2011195; classtype:web-application-attack; sid:2011195; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SteamStealer Malicious SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=steamdesktopauthenticator.com"; fast_pattern; reference:url,bartblaze.blogspot.co.uk/2018/02/fake-steam-desktop-authenticator-steals.html; classtype:domain-c2; sid:2025388; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2018_02_26, deployment Perimeter, former_category MALWARE, malware_family Steam_Stealer, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UNION SELECT"; flow:established,to_server; http.uri; content:"/vehiclelistings.asp?"; nocase; content:"listing_price="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6092; reference:url,www.securityfocus.com/bid/21154; reference:url,doc.emergingthreats.net/2007559; classtype:web-application-attack; sid:2007559; rev:12; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE StrongPity APT SSL Certificate Detected"; flow:established,to_client; tls.cert_subject; content:"CN=mevlut.oncu.example.com"; fast_pattern; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:targeted-activity; sid:2025416; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_12, deployment Perimeter, former_category MALWARE, malware_family StrongPity, performance_impact Low, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id SELECT"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005639; classtype:web-application-attack; sid:2005639; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ConPtyShell Client Response"; flow:established,to_server; content:"|1b 5b 32 4a 1b 5b 6d 1b 5b 48 1b 5b 48 1b 5d 30 3b|"; startswith; fast_pattern; content:"|5b 32 33 58 1b 5b 32 33|"; distance:0; content:"|43 0d 0a 1b 5b 38 30 58 1b 5b 38 30 43 0d 0a 1b|"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035565; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005640; classtype:web-application-attack; sid:2005640; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Command (whoami)"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"whoami"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id INSERT"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005641; classtype:web-application-attack; sid:2005641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ConPtyShell Server Close Shell"; flow:established,to_client; content:"|32 35 20 38 30 0a|"; startswith; fast_pattern; content:"exit"; distance:0; reference:url,github.com/antonioCoco/ConPtyShell; classtype:command-and-control; sid:2035567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id DELETE"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005642; classtype:web-application-attack; sid:2005642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA"; flow:established,to_client; tls.cert_issuer; content:"O=Superfish, Inc."; content:"CN=Superfish, Inc."; fast_pattern; reference:url,blog.erratasec.com/2015/02/extracting-superfish-certificate.html; reference:url,myce.com/news/lenovo-laptops-come-with-preinstalled-advertisement-injecting-adware-74290/; classtype:trojan-activity; sid:2020493; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_02_20, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ASCII"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005643; classtype:web-application-attack; sid:2005643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,to_client; tls.cert_subject; content:"OU=SomeOrganizationalUnit"; fast_pattern; classtype:policy-violation; sid:2013659; rev:6; metadata:attack_target Client_Endpoint, created_at 2011_09_15, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE"; flow:established,to_server; http.uri; content:"/dispimage.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005644; classtype:web-application-attack; sid:2005644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (Snake Oil CA)"; flow:established,to_client; tls.cert_issuer; content:"CN=Snake Oil CA"; fast_pattern; classtype:policy-violation; sid:2013295; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_21, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005645; classtype:web-application-attack; sid:2005645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Suspected SPECULOOS Backdoor CnC Init Packet Masquerading as SNI Request to live .com"; dsize:186; content:"|16 03 01 00 b5 01 00 00 b1 03 01|"; depth:11; content:"|00 00 48 c0 0a c0 14 00 88 00 87 00 3900 38 c0 0f c0 05 00 84 00 35 c0 07 c0 09 c0 11 c0 13 00 45 00 44 00 66 00 33 00 32 c0 0c c0 0ec0 02 c0 04 00 96 00 41 00 04 00 05 00 2f c0 08c0 12 00 16 00 13 c0 0d c0 03 fe ff 00 0a 02 0100 00 3f 00 00 00 13 00 11 00 00 0e 6c 6f 67 696e 2e 6c 69 76 65 2e 63 6f 6d ff 01 00 01 00 000a 00 08 00 06 00 17 00 18 00 19 00 0b 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 0000 00|"; distance:32; within:143; fast_pattern; isdataat:!1,relative; reference:url,unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/; classtype:command-and-control; sid:2029910; rev:5; metadata:attack_target Client_Endpoint, created_at 2020_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005646; classtype:web-application-attack; sid:2005646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M4"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/\?m=[a-z]&p1=[a-z0-9]{8,12}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; content:"/?m="; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Content-Type"; content:!"Referer"; reference:md5,2d1f1132ab7e80a6a8546dd2ac45bd89; reference:url,download.ahnlab.com/global/brochure/Analysis%20Report%20of%20Kimsuky%20Group.pdf; classtype:targeted-activity; sid:2035564; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_23, deployment Perimeter, former_category MALWARE, malware_family Kimsuky, signature_severity Major, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005648; classtype:web-application-attack; sid:2005648; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Remote Access - RView - SSL Certificate Seen"; flow:established,to_client; tls.cert_subject; content:"CN=*.rview.com"; fast_pattern; classtype:policy-violation; sid:2020805; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_03_31, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005649; classtype:web-application-attack; sid:2005649; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropboxusercontent.com"; fast_pattern; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:7; metadata:created_at 2013_06_13, updated_at 2022_03_23;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"order="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005650; classtype:web-application-attack; sid:2005650; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET 88 (msg:"ET EXPLOIT Possible GoldenPac Priv Esc in-use"; flow:established,to_server; content:"|a0 07 03 05 00 50 80 00 00|"; content:"|a8 05 30 03 02 01 17|"; endswith; threshold: type limit, track by_src, seconds 60, count 1; reference:url,code.google.com/p/impacket/source/browse/trunk/examples/goldenPac.py; reference:cve,CVE-2014-6324; classtype:attempted-admin; sid:2019922; rev:4; metadata:created_at 2014_12_12, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005651; classtype:web-application-attack; sid:2005651; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - Data Channel Client Request 2"; flow:established,to_server; content:"CONNECT="; depth:8; content:"8_=_8"; endswith; classtype:trojan-activity; sid:2022707; rev:3; metadata:created_at 2016_04_06, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UNION SELECT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005652; classtype:web-application-attack; sid:2005652; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC Password Exfil"; flow:established,to_server; content:"PASSWORDS="; depth:10; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022709; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page INSERT"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005653; classtype:web-application-attack; sid:2005653; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> any any (msg:"ET MALWARE LuminosityLink - CnC"; flow:established,to_server; content:"ACT="; depth:4; content:"8_=_8"; endswith; classtype:command-and-control; sid:2022710; rev:3; metadata:created_at 2016_04_06, former_category MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page DELETE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005654; classtype:web-application-attack; sid:2005654; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)"; flow:established,to_server; tls.sni; content:"ipinfo.io"; bsize:9; fast_pattern; classtype:external-ip-check; sid:2025331; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2018_02_07, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page ASCII"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005655; classtype:web-application-attack; sid:2005655; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability M2 (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB"; offset:5; depth:3; content:"|05 00|"; distance:8; within:2; content:"|00 2e 00 73 00 6f 00|"; fast_pattern; endswith; reference:cve,2017-7494; classtype:attempted-admin; sid:2024384; rev:3; metadata:affected_product Linux, attack_target Server, created_at 2017_06_16, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE"; flow:established,to_server; http.uri; content:"/default.asp?"; nocase; content:"page="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6932; reference:url,www.securityfocus.com/bid/21131; reference:url,doc.emergingthreats.net/2005656; classtype:web-application-attack; sid:2005656; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Black Stealer Exfil System Info"; flow:established,to_server; content: "|2b 20 2b 20 2b 20 5b 20|VicTim Info|20 5d 20 2b 20 2b 20 2b|"; depth:120; nocase; fast_pattern; content:"End Stealer|20 3d 20 3d 20 3d 20 3d 20 3d 20 3d|"; nocase; endswith; classtype:trojan-activity; sid:2024790; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_10_02, deployment Perimeter, former_category TROJAN, malware_family BlackStealer, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id SELECT"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006862; classtype:web-application-attack; sid:2006862; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; endswith; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:3; metadata:attack_target Client_and_Server, created_at 2018_03_13, deployment Datacenter, former_category INFO, performance_impact Low, signature_severity Minor, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006863; classtype:web-application-attack; sid:2006863; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT CnC Checkin"; flow:established,to_server; dsize:<150; content:"aut_sep_"; depth:8; fast_pattern; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:command-and-control; sid:2026581; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id INSERT"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006864; classtype:web-application-attack; sid:2006864; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JavaRAT Sending Screen Size"; flow:established,to_server; dsize:<50; content:"sc.op_sep_"; depth:10; nocase; fast_pattern; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026584; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id DELETE"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006865; classtype:web-application-attack; sid:2006865; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JavaRAT Requesting Screenshot"; flow:established,to_client; dsize:<50; content:"SC.CAP_sep_"; depth:11; nocase; content:"_sep_"; distance:0; content:"_packet_"; endswith; reference:md5,9a33176dd80de6f49099a148a2df3491; classtype:trojan-activity; sid:2026587; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_07, deployment Perimeter, former_category TROJAN, malware_family JavaRAT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ASCII"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006866; classtype:web-application-attack; sid:2006866; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Winnti Payload - XORed Check-in to Infected System (0xd4413890)"; flow:established,to_server; dsize:<300; content:"|b0 1c 03 d4 90 38 41 d4 2a b4 80 7f|"; depth:12; content:"|04 00|"; endswith; reference:url,medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a; classtype:trojan-activity; sid:2027361; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_17, deployment Perimeter, former_category TROJAN, performance_impact Low, signature_severity Major, tag APT, tag Winnti, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE"; flow:established,to_server; http.uri; content:"/rating.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006867; classtype:web-application-attack; sid:2006867; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC USR Init Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 12 01 00 00 2d 55 53 52|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027831; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid SELECT"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006868; classtype:web-application-attack; sid:2006868; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022780; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UNION SELECT"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006869; classtype:web-application-attack; sid:2006869; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022781; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid INSERT"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006870; classtype:web-application-attack; sid:2006870; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 5.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|q|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022782; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid DELETE"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006871; classtype:web-application-attack; sid:2006871; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022783; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ASCII"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006872; classtype:web-application-attack; sid:2006872; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.1)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|e|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022784; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE"; flow:established,to_server; http.uri; content:"/meal_rest.asp?"; nocase; content:"mealid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006873; classtype:web-application-attack; sid:2006873; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.2)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|f|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022785; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid SELECT"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006874; classtype:web-application-attack; sid:2006874; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 6.3)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|g|01|r|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022786; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UNION SELECT"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006875; classtype:web-application-attack; sid:2006875; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Darpapox/Jaku CNAME CnC Beacon (WinVer 10.0)"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|01|d|01|v|00 00 05 00 01|"; fast_pattern; endswith; reference:md5,ffc984ddd4812bcae414903bf54c5e74; reference:md5,f2d1b3c9fc77d50e8cfabde28e0ebfd8; reference:url,www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf; classtype:command-and-control; sid:2022787; rev:4; metadata:attack_target Client_Endpoint, created_at 2016_05_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid INSERT"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006876; classtype:web-application-attack; sid:2006876; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SDBbot CnC Checkin"; flow:established,to_server; content:"|00 00 de c0|"; depth:4; content:"ver="; distance:0; content:"|0a|domain="; distance:0; content:"|0a|pc="; distance:0; content:"|0a|geo="; distance:0; content:"|0a|os="; distance:0; content:"|0a|rights="; distance:0; content:"|0a|proxyenabled="; distance:0; fast_pattern; content:"|0a|"; endswith; reference:md5,892be85dc60df6bc82568384e83b9b4c; classtype:command-and-control; sid:2031217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_10_08, deployment Perimeter, former_category MALWARE, malware_family SDBbot, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid DELETE"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006877; classtype:web-application-attack; sid:2006877; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/1xxbot CnC Checkin"; flow:established,to_server; dsize:<250; content:"|00|<EOM>Windows|20|"; startswith; fast_pattern; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOM>"; distance:0; content:"<EOF>"; endswith; reference:md5,9eb50c6cdb59d11b01ca9f069e8ba79d; classtype:command-and-control; sid:2028984; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_15, deployment Perimeter, former_category MALWARE, malware_family 1xxbot, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ASCII"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006878; classtype:web-application-attack; sid:2006878; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Reporting Error to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=hmo"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029081; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE"; flow:established,to_server; http.uri; content:"/res_details.asp?"; nocase; content:"resid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6269; reference:url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded; reference:url,doc.emergingthreats.net/2006879; classtype:web-application-attack; sid:2006879; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tick Group Payload - Submitting Encrypted Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?"; content:"=A1f"; endswith; fast_pattern; http.user_agent; content:"|28|Windows|20|NT|20|6.1|3b 20|WOW64|3b|"; http.request_body; pcre:"/^[a-z0-9/=\+]$/i"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/; classtype:command-and-control; sid:2029082; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_02, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag TickGroup, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010131; classtype:web-application-attack; sid:2010131; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Observed Orange LiveBox Router Information Leakage Attempt (CVE-2018-20377)"; flow:established,to_server; http.request_line; content:"GET|20|"; startswith; content:"/get_getnetworkconf.cgi|20|HTTP/1.1"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials; reference:cve,2018-20377; classtype:trojan-activity; sid:2029091; rev:2; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2019_12_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004797; classtype:web-application-attack; sid:2004797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Snatch Ransomware - Encryption Finished"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; startswith; http.request_body; content:"{|22|host|22 3a 22|"; startswith; content:"|22 2c 22|type|22 3a 22|finished|22 2c 22|username|22 3a 22|"; distance:0; fast_pattern; content:"|22|}"; endswith; http.header_names; content:!"Referer"; reference:md5,46406680a5825b6d1622acb984d4a41d; classtype:command-and-control; sid:2029104; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_10, deployment Perimeter, former_category MALWARE, malware_family Snatch, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UNION SELECT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004798; classtype:web-application-attack; sid:2004798; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Init"; flow:established,from_server; dsize:<150; content:"|7b 22 54 79 70 65 22 3a 22 45 6e 63 72 79 70 74 69 6f 6e 53 74 61 74 75 73 22 2c 22 53 74 61 74 75 73 22 3a|"; fast_pattern; depth:80; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029217; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004799; classtype:web-application-attack; sid:2004799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Arechclient2 Backdoor CnC Keep-Alive"; flow:established,from_server; dsize:<100; content:"|7b 22 54 79 70 65 22 3a 22 53 65 73 73 69 6f 6e 49 44 22 2c 22 53 65 73 73 69 6f 6e 49 44 22 3a 22|"; fast_pattern; depth:50; content:"|7d|"; endswith; reference:md5,4ccba79d95dfd7d87b43643058e1cdd0; classtype:command-and-control; sid:2029219; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_02, deployment Perimeter, former_category MALWARE, malware_family Arechclient2, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004800; classtype:web-application-attack; sid:2004800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, deployment Perimeter, former_category ATTACK_RESPONSE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004801; classtype:web-application-attack; sid:2004801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Magnitude EK JSE"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"X-UA-Compatible|3a 20|IE=EmulateIE8|0d 0a|"; file_data; content:"|3c 21|DOCTYPE html|3e 3c|html|3e 3c|head|3e 3c|script language|3d 22|JScript.Encode|22 3e 23 40 7e 5e|"; startswith; fast_pattern; pcre:"/^[^<]+\x0d\x0a<\/script>/R"; content:"|3c 2f|head|3e 3c|body|3e 3c 2f|body|3e 3c 2f|html|3e|"; endswith; reference:url,www.malware-traffic-analysis.net/2020/03/02/index.html; classtype:exploit-kit; sid:2029582; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2020_03_05, deployment Perimeter, former_category EXPLOIT_KIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE"; flow:established,to_server; http.uri; content:"/classes/class_session.php?"; nocase; content:"CLIENT_IP="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7071; reference:url,www.milw0rm.com/exploits/2010; reference:url,doc.emergingthreats.net/2004802; classtype:web-application-attack; sid:2004802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Suspected SandCat Related CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/socket.io/?EIO="; depth:16; content:"&transport=polling"; endswith; http.request_body; content:"|5b 22|add|20|user|22|,|22|ID_"; offset:5; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,eeecfa2999aea400deb8029d27db125e; classtype:command-and-control; sid:2029619; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img SELECT"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006669; classtype:web-application-attack; sid:2006669; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE StealRat Checkin"; flow:established,to_server; http.uri; content:"/d/"; startswith; fast_pattern; content:".jpg"; endswith; pcre:"/^\/d\/[a-z]+\d+\.jpg$/"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:"www.google.com"; bsize:14; classtype:command-and-control; sid:2017263; rev:4; metadata:created_at 2013_08_01, former_category MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UNION SELECT"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006670; classtype:web-application-attack; sid:2006670; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Woai.Dropper Config Request"; flow:established,to_server; http.uri; content:"/client/config.ini"; fast_pattern; http.user_agent; content:"MSIE"; content:"|3B 29|"; endswith; reference:md5,0425a66e3b268ef8cbdd481d8e44b227; classtype:trojan-activity; sid:2018102; rev:7; metadata:created_at 2014_02_10, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img INSERT"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006671; classtype:web-application-attack; sid:2006671; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Firebird RAT CnC Checkin"; flow:established,to_server; dsize:<100; content:"|01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 06 01 00 00 00|"; startswith; fast_pattern; content:"|0b|"; endswith; reference:md5,ede8ebfc82463d1e7e6f29ca66f96514; classtype:command-and-control; sid:2029606; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_11, deployment Perimeter, former_category MALWARE, malware_family Firebird, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img DELETE"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006672; classtype:web-application-attack; sid:2006672; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Online Scheduling System 1.0 - Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Online%20Scheduling%20System/login.php"; fast_pattern; http.request_body; content:"username="; depth:9; nocase; content:"&password="; nocase; distance:0; content:"&lgn=Login"; nocase; endswith; reference:url,www.exploit-db.com/exploits/48409; classtype:attempted-admin; sid:2030094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img ASCII"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006673; classtype:web-application-attack; sid:2006673; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request"; flow:established,to_server; http.uri; content:"2p/"; content:".exe"; fast_pattern; endswith; pcre:"/\/p?2p\/[0-9]{1,2}\.exe$/"; reference:md5,ca15e5e96aee8b18ca6f3c185a690cea; classtype:trojan-activity; sid:2018184; rev:7; metadata:created_at 2014_02_27, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE"; flow:established,to_server; http.uri; content:"/forum/modules/gallery/post.php?"; nocase; content:"img="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6370; reference:url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded; reference:url,doc.emergingthreats.net/2006674; classtype:web-application-attack; sid:2006674; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus.Downloader Campaign Second Stage Executable Request 10/4/2014"; flow:established,to_server; urilen:<11; http.uri; content:"/2p/"; depth:4; content:".exe"; endswith; fast_pattern; pcre:"/^\/2p\/[a-z]{1,2}\.exe$/"; reference:md5,94d5d99b910f9184573a01873fdc42fc; classtype:trojan-activity; sid:2018385; rev:5; metadata:created_at 2014_04_11, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid SELECT"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006681; classtype:web-application-attack; sid:2006681; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Hyteod.Downloader CnC Beacon"; flow:established,to_server; http.uri; content:"/payment_gateway/"; startswith; content:".gz"; endswith; pcre:"/\/[a-z0-9]{3,}\.gz$/"; http.user_agent; content:"OperaMini"; depth:9; reference:md5,8258c3d8bab63cacf143cf034e2e7c1a; classtype:command-and-control; sid:2019824; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_12_01, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UNION SELECT"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006682; classtype:web-application-attack; sid:2006682; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE rechnung zip file download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"rechnung"; fast_pattern; nocase; content:".zip"; nocase; endswith; http.header_names; content:!"Referer|0d 0a|"; classtype:trojan-activity; sid:2020622; rev:5; metadata:created_at 2015_03_05, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid INSERT"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006683; classtype:web-application-attack; sid:2006683; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Geodo/Emotet Downloading PE"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/mss"; fast_pattern; content:".exe"; endswith; pcre:"/\/mss\d+\.exe$/"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,6c4d198794d1afd2b8bbae6f16bdfaa7; classtype:trojan-activity; sid:2035043; rev:4; metadata:created_at 2015_03_17, former_category MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid DELETE"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006684; classtype:web-application-attack; sid:2006684; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert dns $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible DNS BIND TSIG Denial of Service Attempt (CVE-2020-8617)"; content:"|00|"; distance:0; byte_extract:1,1,rec_name,relative; content:"|00 00 fa 00 ff|"; distance:rec_name; within:5; fast_pattern; content:"|00 10 00 00|"; endswith; reference:cve,2020-8617; classtype:denial-of-service; sid:2030221; rev:2; metadata:attack_target DNS_Server, created_at 2020_05_26, deployment Datacenter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ASCII"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006685; classtype:web-application-attack; sid:2006685; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download/ftp/grabftp"; fast_pattern; content:".bin"; endswith; pcre:"/^\/download\/ftp\/(?:grabftp|grabftp64)\.bin$/"; http.header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Win64|3B 20|x64)"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; classtype:trojan-activity; sid:2021321; rev:4; metadata:created_at 2015_06_23, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE"; flow:established,to_server; http.uri; content:"/lib/entry_reply_entry.php?"; nocase; content:"eid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6369; reference:url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded; reference:url,doc.emergingthreats.net/2006686; classtype:web-application-attack; sid:2006686; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RedControle Communicating with CnC"; flow:established,to_server; content:"SE_ND_CO_NN_EC|23|"; depth:15; fast_pattern; content:"|23|"; within:20; content:"|23|"; endswith; reference:url,threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html; reference:md5,855b937f668ecd90b8be004fd3c24717; classtype:command-and-control; sid:2026724; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family RedControle, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id SELECT"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006207; classtype:web-application-attack; sid:2006207; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dropbox Phish 2016-09-14"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&changing=Value"; nocase; endswith; classtype:credential-theft; sid:2032461; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_14, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UNION SELECT"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006208; classtype:web-application-attack; sid:2006208; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Personalized Adobe PDF Online Phish 2016-10-26"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php?e="; nocase; fast_pattern; pcre:"/\.php\?e=[a-zA-Z0-9+&*-]+(?:\.[a-zA-Z0-9_+&*-]+)*@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,7}$/"; http.request_body; content:"p="; depth:2; nocase; content:"&submit="; nocase; endswith; classtype:credential-theft; sid:2032462; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id INSERT"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006209; classtype:web-application-attack; sid:2006209; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Santander Bank Phish 2016-10-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"cpf="; depth:4; nocase; content:"&senha="; nocase; distance:0; content:"&ok=continuar"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032463; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id DELETE"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006210; classtype:web-application-attack; sid:2006210; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Wells Fargo Phish 2016-11-28"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&name="; nocase; distance:0; content:"&ssn="; nocase; distance:0; content:"&ccnum="; nocase; distance:0; content:"&cvv2="; nocase; distance:0; content:"&month="; nocase; distance:0; content:"&year="; nocase; distance:0; content:"&dob="; nocase; distance:0; content:"&atmpin="; nocase; distance:0; fast_pattern; content:"&add="; nocase; distance:0; content:"&city="; nocase; distance:0; content:"&state="; nocase; distance:0; content:"&zip="; nocase; distance:0; content:"&email="; nocase; distance:0; content:"&epass="; nocase; distance:0; content:"&question1="; nocase; distance:0; content:"&continue=Submit+Now"; nocase; endswith; classtype:credential-theft; sid:2032464; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_11_28, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ASCII"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006211; classtype:web-application-attack; sid:2006211; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful BB&T Bank Phish 2016-12-15"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"user="; depth:5; nocase; content:"&pass="; nocase; distance:0; content:"&input=Go"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032467; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_15, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE"; flow:established,to_server; http.uri; content:"/ixm_ixpnews.php?"; nocase; content:"story_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6754; reference:url,www.securityfocus.com/bid/21710; reference:url,doc.emergingthreats.net/2006212; classtype:web-application-attack; sid:2006212; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fareit/Pony Downloader Checkin 3"; flow:established,to_server; flowbits:set,ET.Fareit.chk; http.method; content:"GET"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 5.0"; depth:33; content:"Windows 98)"; fast_pattern; endswith; http.accept; content:"*/*"; http.connection; content:"close"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:"|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:md5,bf422f3aa215d896f55bbe2ebcd25d17; reference:md5,d50c39753ba88daa00bc40848f174168; reference:md5,9544c681ae5c4fe3fdbd4d5c6c90e38e; classtype:command-and-control; sid:2014234; rev:14; metadata:created_at 2012_02_17, former_category MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jeajaxeventcalendar&"; nocase; content:"view="; nocase; reference:url,exploit-db.com/exploits/12598; reference:url,doc.emergingthreats.net/2011140; classtype:web-application-attack; sid:2011140; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; http.uri; content:"/image/"; depth:7; content:".exe"; endswith; fast_pattern; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/i"; http.header_names; content:!"Referer"; classtype:trojan-activity; sid:2022622; rev:6; metadata:created_at 2016_03_16, former_category CURRENT_EVENTS, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005342; classtype:web-application-attack; sid:2005342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Zemot Requesting PE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ho"; content:"ping/mod_"; within:10; fast_pattern; content:"/"; endswith; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,08aab7cdbfc2446fbca2a2f350df4ea2; classtype:trojan-activity; sid:2019759; rev:8; metadata:created_at 2014_11_20, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005343; classtype:web-application-attack; sid:2005343; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KINS/ZeusVM Variant Retrieving Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/config"; fast_pattern; content:".jpg"; endswith; pcre:"/\/config[^\x2e\x2f]*?\.jpg$/"; http.header; content:"Cache-Control|3a 20|no-cache"; http.user_agent; pcre:"/(?:\x20MSIE\x20|rv\x3a11)/"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-"; content:!"Referer"; reference:md5,7a015848f24de23da43e2ca9970df11e; classtype:trojan-activity; sid:2021528; rev:8; metadata:created_at 2015_07_23, former_category TROJAN, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005344; classtype:web-application-attack; sid:2005344; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RansomCrypt Intial Check-in"; flow:established,to_server; http.user_agent; content:"Windows NT 5.1|3b 20|ru|3b|"; content:"Gecko/20100722 Firefox/3.6.12"; endswith; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; classtype:trojan-activity; sid:2016748; rev:6; metadata:created_at 2013_04_10, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005345; classtype:web-application-attack; sid:2005345; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sharik/Smoke CnC Beacon 7"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/"; depth:1; content:"/"; endswith; http.user_agent; pcre:"/(?:MSIE|rv\x3a)/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.connection; content:"keep-alive"; nocase; http.content_type; content:"application/x-www-form-urlencoded"; http.content_len; content:"63"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|"; reference:md5,7e604b9e059d054d58c91330d4d88c62; classtype:command-and-control; sid:2025119; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_12_05, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Smoke_Loader, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005346; classtype:web-application-attack; sid:2005346; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 2 M2"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[a-z]{3,6}\/[a-z]{3,6}\.[a-z]{3}$/"; http.cookie; content:"=|3b 20|"; content:"=|3b 20|"; distance:0; content:"=|3b|"; endswith; http.header_names; content:"|0d 0a|Cache-Control|0d 0a|Connection|0d 0a|Pragma|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a 0d 0a|"; reference:md5,f12fc711529b48bcef52c5ca0a52335a; reference:url,community.rsa.com/community/products/netwitness/blog/2018/01/30/apt32-continues-asean-targeting; classtype:command-and-control; sid:2025291; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_02, deployment Perimeter, former_category MALWARE, malware_family elise, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"pass="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3204; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005347; classtype:web-application-attack; sid:2005347; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING [eSentire] Successful 163 Webmail Phish 2018-07-25"; flow:from_server,established; flowbits:isset,ET.genericphish; http.stat_code; content:"200"; http.content_type; content:"application/json"; file.data; content:"{|22|user_id|22|:|22|"; nocase; within:20; content:"|22|,|22|ip|22|:|22|"; nocase; within:15; content:"|22|,|22|add_time|22|:|22|"; nocase; distance:0; content:".163.com|5c 2f 22 2c 22|code|22 3a 22|ok|22|}"; nocase; endswith; fast_pattern; classtype:credential-theft; sid:2025893; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_25, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005360; classtype:web-application-attack; sid:2005360; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish (set) 2018-09-26"; flow:established,to_server; flowbits:set,ET.genericphish; flowbits:noalert; http.method; content:"POST"; http.request_body; content:"email="; depth:6; nocase; content:"&formtext1="; nocase; distance:0; content:"&formimage1.x=1&formimage1.y=1"; fast_pattern; nocase; endswith; classtype:credential-theft; sid:2026412; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_26, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UNION SELECT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005361; classtype:web-application-attack; sid:2005361; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kraken Ransomware Start Activity 1"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|Begin"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aBegin$/"; http.header_names; content:!"Accept"; content:!"Referer"; reference:md5,09d3bd874d9a303771c89385d938c430; classtype:trojan-activity; sid:2026471; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user INSERT"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005362; classtype:web-application-attack; sid:2005362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2"; flow:established,to_server; http.uri; content:!"."; content:!"&"; content:!"?"; http.user_agent; content:"-"; offset:2; depth:1; content:"|3a|StartU"; endswith; fast_pattern; pcre:"/^[A-Z]{2}-[0-9]{1,5}\x3aStartU$/"; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2026472; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_11, deployment Perimeter, former_category MALWARE, malware_family Kraken_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user DELETE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005363; classtype:web-application-attack; sid:2005363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidewinder Stage 2 VBS Downloader Reporting Successful Infection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/"; depth:9; content:"/true/true/done"; fast_pattern; endswith; http.user_agent; content:"WinHttp.WinHttpRequest."; http.header_names; content:"Referer"; content:!"Cache"; reference:md5,dfad7d4a7ecb2eed6d69abfbfb5f94c9; reference:url,medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739; classtype:trojan-activity; sid:2026545; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_24, deployment Perimeter, former_category TROJAN, malware_family Sidewinder, performance_impact Low, signature_severity Major, tag VBS, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ASCII"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005364; classtype:web-application-attack; sid:2005364; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DNS Query for DNSpionage CnC Domain"; dns.query; content:".microsoftonedrive.org"; nocase; fast_pattern; endswith; reference:url,blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html; classtype:command-and-control; sid:2026680; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag DNSpionage, tag DNS_tunneling, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE"; flow:established,to_server; http.uri; content:"/auth.php?"; nocase; content:"user="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005365; classtype:web-application-attack; sid:2005365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"outlooklive.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026704; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004152; classtype:web-application-attack; sid:2004152; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.toshiba.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026705; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004153; classtype:web-application-attack; sid:2004153; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.fujitsu.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026706; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004154; classtype:web-application-attack; sid:2004154; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.asus.org.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026707; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004155; classtype:web-application-attack; sid:2004155; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"api.miria.kz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026708; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004156; classtype:web-application-attack; sid:2004156; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"cloudpallets32.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026709; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"title="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1572; reference:url,www.frsirt.com/english/advisories/2007/0940; reference:url,doc.emergingthreats.net/2004157; classtype:web-application-attack; sid:2004157; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"contents.bz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026710; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004337; classtype:web-application-attack; sid:2004337; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"usasecurefiles.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026711; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004338; classtype:web-application-attack; sid:2004338; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"freecloud.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026712; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004339; classtype:web-application-attack; sid:2004339; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"alotile.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026713; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004340; classtype:web-application-attack; sid:2004340; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"transef.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026714; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004341; classtype:web-application-attack; sid:2004341; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"fundsxe.com"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026715; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"author="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1440; reference:url,www.milw0rm.com/exploits/3470; reference:url,doc.emergingthreats.net/2004342; classtype:web-application-attack; sid:2004342; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Group/More_Eggs CnC Domain in DNS Lookup"; dns.query; content:"document.cdn-one.biz"; nocase; fast_pattern; endswith; reference:url,medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648; classtype:command-and-control; sid:2026716; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_12_07, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Group, malware_family More_eggs, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq SELECT"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004480; classtype:web-application-attack; sid:2004480; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=begin"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026726; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq INSERT"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004482; classtype:web-application-attack; sid:2004482; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lucky Ransomware Reporting Successful File Encryption"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?code="; content:"&file="; distance:0; content:"&size="; distance:0; content:"&sys="; distance:0; content:"&VERSION="; distance:0; content:"&status=done"; fast_pattern; endswith; http.user_agent; content:"Client"; depth:6; endswith; reference:url,blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/; classtype:trojan-activity; sid:2026727; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, attack_target Client_Endpoint, created_at 2018_12_13, deployment Perimeter, former_category MALWARE, malware_family Satan, signature_severity Major, tag Ransomware, tag Multi_Platform, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq DELETE"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004483; classtype:web-application-attack; sid:2004483; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Unk Downloader 0 Byte POST CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Content-Length|3a 20|0|0d|"; http.user_agent; content:"xmsSofts_1.0.0_"; depth:15; fast_pattern; content:"|5c|"; endswith; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2026760; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_01_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag Downloader, tag JavaScript, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ASCII"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004484; classtype:web-application-attack; sid:2004484; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Retadup CnC Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"4D53473A213A"; content:"20457865637574656420417320"; distance:0; fast_pattern; content:"0D0A"; endswith; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-retadup-worm-goes-polymorphic-gets-an-autohotkey-variant/; classtype:command-and-control; sid:2027078; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_03_13, deployment Perimeter, former_category MALWARE, malware_family Retadup, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE"; flow:established,to_server; http.uri; content:"/G_Display.php?"; nocase; content:"iCategoryUnq="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004485; classtype:web-application-attack; sid:2004485; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"secure-message.online"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027222; rev:5; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID SELECT"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004486; classtype:web-application-attack; sid:2004486; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Unattributed CnC)"; flow:from_server,established; tls.cert_subject; content:"CN="; content:"internal-message.app"; nocase; fast_pattern; endswith; tls.cert_issuer; content:"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"; reference:url,krebsonsecurity.com/wp-content/uploads/2019/04/wiproiocs.txt; classtype:domain-c2; sid:2027223; rev:4; metadata:attack_target Client_and_Server, created_at 2019_04_18, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UNION SELECT"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004487; classtype:web-application-attack; sid:2004487; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Binance Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"binance"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027240; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID INSERT"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004488; classtype:web-application-attack; sid:2004488; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Ebay Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"ebay"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027242; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID DELETE"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004489; classtype:web-application-attack; sid:2004489; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Webmail Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"webmail"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027243; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ASCII"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004490; classtype:web-application-attack; sid:2004490; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Account Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"account"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027244; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE"; flow:established,to_server; http.uri; content:"/Search/DisplayResults.php?"; nocase; content:"iSearchID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3000; reference:url,www.securityfocus.com/bid/24253; reference:url,doc.emergingthreats.net/2004491; classtype:web-application-attack; sid:2004491; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Outlook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"outlook"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027246; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006492; classtype:web-application-attack; sid:2006492; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible DHL Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"dhl"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027247; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006493; classtype:web-application-attack; sid:2006493; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Docusign Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"docusign"; fast_pattern; content:".github.io"; endswith; classtype:policy-violation; sid:2027248; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006495; classtype:web-application-attack; sid:2006495; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Facebook Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"facebook"; content:".github.io"; endswith; fast_pattern; content:!"facebook.github.io"; depth:18; endswith; classtype:policy-violation; sid:2027275; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006496; classtype:web-application-attack; sid:2006496; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Paypal Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"paypal"; fast_pattern; content:".github.io"; endswith; content:!"paypal.github.io"; depth:16; endswith; classtype:policy-violation; sid:2027241; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE"; flow:established,to_server; http.uri; content:"/login.php?"; nocase; content:"login_username="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006497; classtype:web-application-attack; sid:2006497; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Information Disclosure CVE-2017-1000395"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/api/xml"; endswith; http.header_names; content:!"Referer"; reference:cve,2017-1000395; reference:url,jenkins.io/security/advisory/2017-10-11/#user-remote-api-disclosed-users-email-addresses; classtype:web-application-attack; sid:2027347; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2017_1000395, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006498; classtype:web-application-attack; sid:2006498; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Office Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"office"; fast_pattern; content:".github.io"; endswith; content:!"officedev.github.io"; classtype:policy-violation; sid:2027245; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006499; classtype:web-application-attack; sid:2006499; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Sending Screenshot to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?TOKEN="; content:"&funx=sc&i="; distance:0; fast_pattern; content:".png"; endswith; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027681; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006500; classtype:web-application-attack; sid:2006500; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater Payload Requesting Command from CnC"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|command|2f|"; depth:9; fast_pattern; content:".cmd"; endswith; pcre:"/^\/command\/[A-Fa-f0-9]{8}\-(?:[A-Fa-f0-9]{4}\-){3}[A-Fa-f0-9]{12}\.cmd$/"; reference:url,mp.weixin.qq.com/s/ko5ct9mnW78pD_RRqEUSkg; classtype:targeted-activity; sid:2027684; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_04, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag MuddyWater, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006502; classtype:web-application-attack; sid:2006502; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible APT Sarhurst/Husar/Hussarini/Hassar CnC Command Response"; flow:from_server,established; http.stat_code; content:"200"; file.data; content:"<CHECK>"; depth:7; content:"</CHECK><COMMAND>"; distance:0; fast_pattern; content:"</COMMAND>"; endswith; pcre:"/^<CHECK>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})<\/CHECK>/"; reference:url,www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html; classtype:targeted-activity; sid:2027708; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE"; flow:established,to_server; http.uri; content:"/news.php?"; nocase; content:"item="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3313; reference:url,www.milw0rm.com/exploits/4081; reference:url,doc.emergingthreats.net/2006503; classtype:web-application-attack; sid:2006503; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eris Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/check"; depth:13; fast_pattern; endswith; http.request_body; content:"|7b 22 75 69 64 22 3a 22|"; depth:8; content:"|22 7d|"; endswith; pcre:"/^\{\x22uid\x22\x3a\x22[a-f0-9]+\x22\}$/si"; http.accept_enc; content:"gzip"; depth:4; endswith; http.header_names; content:!"Referer"; reference:md5,a4eeec442799c56c3e1aa9761661fb42; reference:url,www.bleepingcomputer.com/news/security/rig-exploit-kit-pushing-eris-ransomware-in-drive-by-downloads/; classtype:command-and-control; sid:2027802; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_05, deployment Perimeter, former_category MALWARE, malware_family Eris, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt"; flow:established,to_server; http.uri; content:"/HtmlAdaptor"; nocase; content:"action=inspect"; nocase; content:"bean"; nocase; content:"name="; reference:url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now; reference:cve,2010-0738; reference:url,doc.emergingthreats.net/2011696; classtype:web-application-attack; sid:2011696; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Rogue.WinPCDefender Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?machine_id={"; depth:14; fast_pattern; content:"}"; endswith; http.host; content:"anti"; depth:4; http.header_names; content:!"Referer"; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:pup-activity; sid:2025358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_14, deployment Perimeter, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004077; classtype:web-application-attack; sid:2004077; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlitchPOS CnC Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gate.php?ped="; fast_pattern; content:"&s=1"; endswith; http.header_names; content:!"Referer"; reference:md5,8cfa2adde150918062eb5d6af59d0e2a; classtype:command-and-control; sid:2027912; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"UNION"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004078; classtype:web-application-attack; sid:2004078; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/dnscfg.cgi?dnsPrimary="; fast_pattern; content:"&dnsSecondary="; distance:0; content:"&dnsDynamic=0&dnsRefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027906; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004079; classtype:web-application-attack; sid:2004079; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TOTOLINK Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/boafrm/formbasetcpipsetup?dnsmode=dnsmanual&dns1="; fast_pattern; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&dnsrefresh=1"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027910; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004080; classtype:web-application-attack; sid:2004080; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful DHL Phish 2016-09-16"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"dhl"; nocase; content:".php"; endswith; http.request_body; content:"email="; depth:6; nocase; fast_pattern; content:"pass="; nocase; distance:0; classtype:credential-theft; sid:2032505; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_09_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004081; classtype:web-application-attack; sid:2004081; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal (DE) Phish 2016-10-04"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"login_password="; depth:15; nocase; content:"&submit.x=Soumettre"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032561; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_04, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; http.uri; content:"/admincp/attachment.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2911; reference:url,www.vbulletin.com/forum/project.php?issueid=21615; reference:url,doc.emergingthreats.net/2004082; classtype:web-application-attack; sid:2004082; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid="; depth:6; nocase; fast_pattern; content:"&compw="; nocase; distance:0; classtype:credential-theft; sid:2032573; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UNION SELECT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004667; classtype:web-application-attack; sid:2004667; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M2 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comid2="; depth:7; nocase; fast_pattern; content:"&compw2="; nocase; distance:0; content:"&addr="; nocase; distance:0; classtype:credential-theft; sid:2032574; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids INSERT"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004668; classtype:web-application-attack; sid:2004668; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful FreeMobile (FR) Phish M3 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; content:".php"; nocase; endswith; http.request_body; content:"comname="; depth:8; nocase; fast_pattern; content:"&comnum="; nocase; distance:0; content:"&common="; nocase; distance:0; content:"&comy="; nocase; distance:0; content:"&comc="; nocase; distance:0; classtype:credential-theft; sid:2032575; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids DELETE"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004669; classtype:web-application-attack; sid:2004669; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful HBL Bank Phish M1 2016-10-12"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"tp="; depth:3; nocase; content:"&tp2="; nocase; distance:0; content:"&form6="; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032583; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_12, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ASCII"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004670; classtype:web-application-attack; sid:2004670; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NatWest Bank Phish M3 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"nwolb"; nocase; content:".aspx"; nocase; distance:0; content:".php"; nocase; endswith; http.header; content:"nwolb"; nocase; http.request_body; content:"c1="; nocase; content:"&c2="; nocase; distance:0; fast_pattern; content:"&c3="; nocase; distance:0; content:"&submit="; nocase; distance:0; classtype:credential-theft; sid:2032597; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE"; flow:established,to_server; http.uri; content:"/inlinemod.php?"; nocase; content:"postids="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1292; reference:url,www.milw0rm.com/exploits/3387; reference:url,doc.emergingthreats.net/2004671; classtype:web-application-attack; sid:2004671; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful NAB Bank Phish M1 2016-10-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"userid="; depth:7; nocase; content:"&password="; nocase; distance:0; content:"&sbt=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032599; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jetik.net ESA sayfalar.php KayitNo Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sayfalar.php?"; nocase; content:"KayitNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31352; reference:url,www.milw0rm.com/exploits/6549; reference:url,doc.emergingthreats.net/2009118; classtype:web-application-attack; sid:2009118; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish 2016-10-21"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"mpp/"; content:".php"; nocase; endswith; distance:0; http.header; content:"mpp/"; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x=Login"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032608; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_21, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jetik.net ESA diger.php KayitNo Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/diger.php?"; nocase; content:"KayitNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,31352; reference:url,www.milw0rm.com/exploits/6549; reference:url,doc.emergingthreats.net/2009119; classtype:web-application-attack; sid:2009119; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Outlook Phish 2016-10-18"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Password="; nocase; distance:0; content:"&SI=Verify"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032594; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_18, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007344; classtype:web-application-attack; sid:2007344; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Online Phish 2016-10-05"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"X1="; depth:3; nocase; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032568; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_05, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UNION SELECT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007345; classtype:web-application-attack; sid:2007345; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Excel Phish 2016-11-17"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"excel"; nocase; content:".php"; nocase; endswith; http.request_body; content:"email="; depth:6; nocase; content:"&passwd="; nocase; distance:0; fast_pattern; content:"&.save="; nocase; distance:0; classtype:credential-theft; sid:2032625; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_11_17, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID INSERT"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007346; classtype:web-application-attack; sid:2007346; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (1 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"Email="; depth:6; nocase; content:"&Next=Next"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032648; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID DELETE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007347; classtype:web-application-attack; sid:2007347; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Three Step Gmail Phish (3 of 3) 2016-12-02"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"phoneNumber="; depth:12; nocase; content:"&altemail="; nocase; distance:0; content:"&City="; nocase; distance:0; content:"&submitChallenge=Continue"; nocase; fast_pattern; endswith; classtype:credential-theft; sid:2032650; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_02, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ASCII"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007348; classtype:web-application-attack; sid:2007348; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful PDF Online Phish 2016-12-19"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"pdf"; nocase; content:".php"; nocase; endswith; http.request_body; content:"t1="; depth:3; nocase; content:"X1="; nocase; distance:0; content:"&X2="; nocase; distance:0; fast_pattern; classtype:credential-theft; sid:2032726; rev:6; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_12_19, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE"; flow:established,to_server; http.uri; content:"/index.asp?"; nocase; content:"tID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6149; reference:url,www.milw0rm.com/exploits/2836; reference:url,doc.emergingthreats.net/2007349; classtype:web-application-attack; sid:2007349; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Paypal Phish M1 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/mpp/"; nocase; fast_pattern; content:".php"; nocase; endswith; http.request_body; content:"1="; depth:2; nocase; content:"&2="; nocase; distance:0; content:"&submit.x="; nocase; distance:0; pcre:"/^1=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032704; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID SELECT"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007350; classtype:web-application-attack; sid:2007350; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Adobe Shared Document Phish 2016-10-03"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; nocase; endswith; http.request_body; content:"username="; depth:9; nocase; fast_pattern; content:"&password="; nocase; distance:0; content:"&submit="; nocase; endswith; pcre:"/^username=[^%]+(?:@|%40)[^&]+&/"; classtype:credential-theft; sid:2032700; rev:9; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_03, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, tag Phish, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UNION SELECT"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007351; classtype:web-application-attack; sid:2007351; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (asrgd-uz .weedns.com)"; dns.query; content:"asrgd-uz"; fast_pattern; depth:8; content:".weedns.com"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023025; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID INSERT"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007352; classtype:web-application-attack; sid:2007352; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (sx4-ws42 .yi.org)"; dns.query; content:"sx4-ws42"; fast_pattern; depth:8; content:".yi.org"; nocase; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023026; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID DELETE"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007353; classtype:web-application-attack; sid:2007353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ProjectSauron Remsec DNS Lookup (we .q.tcow.eu)"; dns.query; content:"we"; depth:2; content:".q.tcow.eu"; nocase; fast_pattern; endswith; reference:url,securelist.com/analysis/publications/75533/faq-the-projectsauron-apt; reference:url,www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets; classtype:trojan-activity; sid:2023027; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_08_08, deployment Perimeter, malware_family APT_ProjectSauron_Remsec, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ASCII"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007354; classtype:web-application-attack; sid:2007354; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tflower Ransomware CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?name="; content:"&state=start"; fast_pattern; endswith; http.header_names; content:!"Referer"; reference:md5,53c923d4e39b966ab951f9a3b9d090be; reference:url,www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/; classtype:command-and-control; sid:2028597; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family Tflower_Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_03_24, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE"; flow:established,to_server; http.uri; content:"/openlink.asp?"; nocase; content:"LinkID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007355; classtype:web-application-attack; sid:2007355; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/jquery-"; depth:8; content:".min.js"; endswith; http.header; content:"Referer|3a 20|http|3a|//code.jquery.com/|0d 0a|Accept"; fast_pattern; http.accept; content:"text/html,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; bsize:63; http.accept_enc; content:"gzip, deflate"; bsize:13; http.cookie; content:"__cfduid="; depth:9; isdataat:!172,relative; pcre:"/^[A-Za-z0-9_-]{171}$/Rs"; reference:md5,8c9903db02a29847d04d0fd81dd67046; classtype:command-and-control; sid:2033658; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_09_22, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID SELECT"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007356; classtype:web-application-attack; sid:2007356; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Darkhotel Higasia Downloader Requesting Module"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/file/start?session="; depth:20; fast_pattern; content:"&imsi="; within:20; content:".exe"; endswith; reference:md5,0e1ed07bae97d8b1cc4dcfe3d56ea3ee; reference:url,github.com/blackorbird/APT_REPORT/blob/master/Darkhotel/higaisa/higaisa_apt_report.pdf; classtype:command-and-control; sid:2028934; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_11_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UNION SELECT"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007357; classtype:web-application-attack; sid:2007357; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BottleEK Landing"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"text/html"; depth:9; endswith; http.content_len; byte_test:0,<,1000,0,string,dec; file.data; content:"<!doctype html>|0d 0a|<html lang=|22|ja|22|>|0d 0a|<head>|0d 0a|<meta http-equiv=|22|Content-Type|22 20|content=|22|text/html|3b 20|charset=UTF-8|22|>|0d 0a|<meta http-equiv=|22|x-ua-compatible|22 20|content=|22|IE=10|22|>|0d 0a|<meta http-equiv=|22|Expires|22 20|content=|22|0|22|>|0d 0a|<meta http-equiv=|22|Pragma|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache-control|22 20|content=|22|no-cache|22|>|0d 0a|<meta http-equiv=|22|Cache|22 20|content=|22|no-cache|22|>"; content:"<body style=|22|background-color|3a 20|#F4F4F4|3b|font-family|3a|MS PGothic,Arial,Hiragino Kaku Gothic ProN,Osaka,sans-serif|22|>"; distance:0; fast_pattern; content:"/ajax.min.js|22|></script>|0d 0a|<script type=|22|text/javascript|22 20|src=|22|"; distance:0; content:"/main.js|22|></script>|0d 0a|</body>|0d 0a|</html>"; endswith; classtype:exploit-kit; sid:2029122; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID INSERT"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007358; classtype:web-application-attack; sid:2007358; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dl/"; content:"/final.html"; endswith; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:5; metadata:created_at 2013_12_17, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID DELETE"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007359; classtype:web-application-attack; sid:2007359; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Elise CnC Beacon 1 M2"; flow:to_server,established; content:"Cookie|3a 20|A="; fast_pattern; http.method; content:"GET"; http.uri; content:"/"; offset:9; depth:1; content:".html"; nocase; endswith; pcre:"/^\/[a-f0-9]{8}\/\D+\d{8,10}\.html$/i"; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:md5,23ace716ec34bfd9c98efd79b23a01af; reference:url,github.com/pan-unit42/iocs/tree/master/lotusblossom; classtype:command-and-control; sid:2021275; rev:9; metadata:attack_target Client_Endpoint, created_at 2015_06_16, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ASCII"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007360; classtype:web-application-attack; sid:2007360; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Dynamic Folder FreeMobile (FR) Phishing 2016-10-06"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"free.fr"; nocase; fast_pattern; content:".php"; nocase; endswith; http.header; content:"free.fr"; http.start; pcre:"/^POST[^\r\n]+(?P<hash>[a-f0-9]{32})\/(?:[^\r\n]+\r\n)+Referer\x3a\x20http(s)?:\/\/[^\r\n]+(?P=hash)/mi"; classtype:credential-theft; sid:2032703; rev:7; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_10_06, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE"; flow:established,to_server; http.uri; content:"/viewlinks.asp?"; nocase; content:"CategoryID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6147; reference:url,www.securityfocus.com/bid/21226; reference:url,doc.emergingthreats.net/2007361; classtype:web-application-attack; sid:2007361; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET [7080,8080,443,80,4143,995,21,50000,20,8090,8443,990,22] (msg:"ET MALWARE Win32/Emotet CnC Activity (POST) M8"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!"."; content:!"&"; content:!"-"; content:!"?"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 6."; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|"; pcre:"/^[A-Za-z]{5,20}\x22\x3b\x20filename=\x22[A-Za-z]{5,20}\x22/R"; content:"|0d 0a|Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a|"; within:44; content:"|2d 2d 00 00 00 00 00 00 00 00 00 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------------"; startswith; pcre:"/^\d{15}$/R"; http.content_len; byte_test:0,<,5000,0,string,dec; byte_test:0,>,4000,0,string,dec; http.start; pcre:"/^POST\s(?P<urivar>\/(?:[A-Z0-9a-z]{2,25}\/){1,10})\sHTTP\/1\.1\r\nReferer\x3a\x20http:\/\/(?:\d{1,3}\.){3}\d{1,3}(?:\x3a[0-9]{2,5})?(?P=urivar)\r\n/"; http.header_names; content:"|0d 0a|Referer|0d 0a|Content-Type|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:59; classtype:command-and-control; sid:2029380; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_02_05, deployment Perimeter, former_category MALWARE, malware_family Emotet, signature_severity Major, tag Emotet, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/windetail.php?"; nocase; content:"adtype="; nocase; reference:bugtraq,34537; reference:url,milw0rm.com/exploits/8443; reference:url,doc.emergingthreats.net/2009508; classtype:web-application-attack; sid:2009508; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Onliner Mailer Module Communicating with CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php?&1001="; fast_pattern; content:"&req="; distance:1; within:5; content:"&"; endswith; http.protocol; content:"HTTP/1.0"; http.header_names; content:"Accept-Charset"; content:!"Referer"; content:!"Cache"; reference:url,www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/; classtype:command-and-control; sid:2027810; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_06, deployment Perimeter, former_category MALWARE, malware_family Onliner, performance_impact Low, signature_severity Major, tag SpamBot, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/detail.php?"; nocase; content:"adtype="; nocase; reference:bugtraq,34537; reference:url,milw0rm.com/exploits/8443; reference:url,doc.emergingthreats.net/2009509; classtype:web-application-attack; sid:2009509; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GanDownloader CnC Checkin"; flow:established,to_server; http.request_body; content:"|2f 00 00 00|"; depth:4; content:"_"; distance:6; content:"202020202020|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; fast_pattern; pcre:"/^\x2f\x00{3}[A-Z0-9]{6}_[a-f0-9]+\x00{16}$/s"; http.request_line; content:"POST / HTTP/1.1"; depth:15; http.header_names; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; reference:md5,8f0017ed89c2f6639cc2a08bc1e83f1e; classtype:command-and-control; sid:2026946; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_20, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JobHut browse.php pk Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/browse.php?"; nocase; content:"pk="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,34300; reference:url,milw0rm.com/exploits/8318; reference:url,doc.emergingthreats.net/2009730; classtype:web-application-attack; sid:2009730; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Win32/SocStealer.Socelars C2 Response"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Server-Key|3a 20|"; pcre:"/[A-Za-z0-9]{62}/R"; file.data; content:"[DATA]"; depth:6; fast_pattern; content:"[DATA]"; endswith; classtype:command-and-control; sid:2025458; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_04_03, deployment Perimeter, former_category MALWARE, malware_family SocStealer, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004373; classtype:web-application-attack; sid:2004373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Yuok)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Youk$$"; fast_pattern; content:"Youk"; endswith; pcre:"/^(?:php)?Yuok\$\$\d\d/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022902; rev:6; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004374; classtype:web-application-attack; sid:2004374; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FOX-SRT ShimRat check-in (Data)"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Data$$"; fast_pattern; content:"Data"; endswith; pcre:"/Data\$\$\d\d/"; http.header_names; content:!"Content-Type"; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/; classtype:trojan-activity; sid:2022900; rev:9; metadata:created_at 2016_06_15, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004375; classtype:web-application-attack; sid:2004375; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:5; metadata:created_at 2013_06_28, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004376; classtype:web-application-attack; sid:2004376; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrickBot CnC Initial Checkin M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_W"; content:"/5/file/"; endswith; fast_pattern; http.user_agent; content:"curl/"; depth:5; http.header_names; content:!"Accept"; content:!"Referer"; classtype:trojan-activity; sid:2033659; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_11_09, deployment Perimeter, former_category MALWARE, malware_family TrickBot, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004377; classtype:web-application-attack; sid:2004377; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Malleable C2 (OneDrive)"; flow:established,to_server; http.cookie; content:"E=P|3a|"; content:"=|3a|PFzM9cj"; endswith; fast_pattern; http.request_line; content:"GET|20|/preload?manifest=wac|20|HTTP/1.1"; bsize:34; http.header_names; content:!"Referer"; reference:url,github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile; classtype:command-and-control; sid:2029743; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_03_26, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE"; flow:established,to_server; http.uri; content:"/search.php?"; nocase; content:"salary="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1428; reference:url,www.exploit-db.com/exploits/3455/; reference:url,doc.emergingthreats.net/2004378; classtype:web-application-attack; sid:2004378; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible eDellRoot Rogue Root CA"; flow:established,to_client; tls.cert_issuer; content:"CN=eDellRoot"; fast_pattern; reference:url,arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/; classtype:trojan-activity; sid:2022134; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_11_24, deployment Perimeter, signature_severity Major, tag Web_Client_Attacks, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005292; classtype:web-application-attack; sid:2005292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/ProtonBot CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"newtask|3b|"; depth:8; fast_pattern; content:"|3b|1|3b|http"; within:15; content:".exe"; endswith; reference:url,fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild; reference:md5,efb1db340e78f6799d9fbc5ee08f40fe; classtype:command-and-control; sid:2027382; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005293; classtype:web-application-attack; sid:2005293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server; urilen:8; threshold: type limit, track by_dst, seconds 30, count 1; http.method; content:"POST"; http.uri; content:"/waiting"; fast_pattern; http.user_agent; content:"BC_Vic_"; depth:7; content:"BC_SPL"; endswith; http.header_names; content:"Expect"; content:!"Referer"; content:!"Accept"; content:!"Cache"; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c; classtype:command-and-control; sid:2025370; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_19, deployment Perimeter, former_category MALWARE, malware_family Backdoor_Small, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005294; classtype:web-application-attack; sid:2005294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DSLink 260E Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/action?dns_status=1&dns_poll_timeout="; fast_pattern; content:"&id="; distance:0; content:"&dns_serv_ip_1="; distance:0; content:"&dns_serv_ip_2="; distance:0; content:"&dns_serv_ip_3="; distance:0; content:"&dns_serv_ip_4="; distance:0; content:"&priority=1&cmdadd=add"; endswith; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027908; rev:8; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005295; classtype:web-application-attack; sid:2005295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE [Fireeye] SUNBURST Related DNS Lookup to avsvmcloud .com"; dns.query; content:".appsync-api."; content:"avsvmcloud.com"; nocase; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031324; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005296; classtype:web-application-attack; sid:2005296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST HTTP Request to avsvmcloud .com"; flow:established,to_server; http.host; content:".appsync-api."; dotprefix; content:".avsvmcloud.com"; endswith; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031338; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE"; flow:established,to_server; http.uri; content:"/models/category.php?"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0387; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005297; classtype:web-application-attack; sid:2005297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [Fireeye] Backdoor.SUNBURST SSL Cert Inbound (avsvmcloud .com)"; flow:established,to_client; tls.cert_subject; content:".appsync-api."; content:".avsvmcloud.com"; endswith; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; classtype:trojan-activity; sid:2031341; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_12_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005298; classtype:web-application-attack; sid:2005298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Second Stage Payload Inbound 2021-02-19"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bestof/"; content:".exe"; within:20; endswith; http.header; content:"User-Agent|3a 20|AutoHotkey|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:md5,2184931b6412cc900837890a6c5685f6; classtype:trojan-activity; sid:2033044; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_02_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005299; classtype:web-application-attack; sid:2005299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Request for Possible Adobe Phishing Hosted on Github.io"; flow:established,to_server; tls.sni; content:"adobe"; fast_pattern; content:".github.io"; endswith; content:!"adobe.github.io"; depth:15; endswith; content:!"adobe-fonts.github.io"; depth:21; endswith; content:!"adobe-type-tools.github.io"; depth:26; endswith; content:!"adobe-apiplatform.github.io"; depth:27; classtype:policy-violation; sid:2027249; rev:8; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_04_23, deployment Perimeter, former_category POLICY, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005300; classtype:web-application-attack; sid:2005300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Beacon (Bing Profile)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search/?q="; startswith; content:"&go=Search&qs=bs&form="; distance:0; fast_pattern; http.cookie; content:"DUP="; startswith; content:"&T="; distance:0; content:"&A="; distance:0; content:"&IG"; endswith; http.header_names; content:!"Referer"; reference:url,twitter.com/TheDFIRReport/status/1376878123061551104; reference:md5,18b0ca0508f92c5ac6e75b9865b77a51; classtype:trojan-activity; sid:2032354; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_03_30, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_03_24, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005301; classtype:web-application-attack; sid:2005301; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Redirect to Adobe Shared Document Phishing M3 2016-04-18"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/pdf.adobe.cloud/"; fast_pattern; content:".php"; endswith; http.referer; content:".php"; endswith; classtype:social-engineering; sid:2032678; rev:10; metadata:attack_target Client_Endpoint, created_at 2016_04_18, deployment Perimeter, former_category PHISHING, signature_severity Major, tag Phishing, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005302; classtype:web-application-attack; sid:2005302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NOBELIUM Win32/VaporRage Loader CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/class-chll.php?session_info=60"; content:"5d"; distance:0; content:"&session="; distance:0; content:"&view_type=12"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4183.83 Safari/537.36"; bsize:102; fast_pattern; http.header_names; content:!"Referer"; content:!"Accept"; content:!"Cache-"; reference:url,www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset; classtype:trojan-activity; sid:2033057; rev:2; metadata:created_at 2021_06_01, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE"; flow:established,to_server; http.uri; content:"/letterman.class.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0382; reference:url,www.securityfocus.com/bid/22117; reference:url,doc.emergingthreats.net/2005303; classtype:web-application-attack; sid:2005303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE S400 RAT Client Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"content=S-400+RAT+%3a"; startswith; fast_pattern; content:"%0d%0ainformation"; distance:0; reference:md5,41ca8d5782ef5ac7a371b44f51dc48d9; classtype:command-and-control; sid:2034065; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family S400, signature_severity Major, tag RAT, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005390; classtype:web-application-attack; sid:2005390; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2021-11-10"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"check.php"; distance:0; http.referer; content:".otzo.com/verification.php"; fast_pattern; endswith; http.request_body; content:"email="; distance:0; content:"&password="; distance:0; reference:md5,11133fb1cdc61aa33e3de226dcdf92d4; classtype:credential-theft; sid:2034412; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_11_10, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005391; classtype:web-application-attack; sid:2005391; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Facebook Credential Phish 2021-11-16"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-content/plugins/my___fb/meme"; fast_pattern; startswith; content:".php"; endswith; http.request_body; content:"email="; content:"&pass="; distance:0; reference:md5,fdf21f9bdab460feed2f3fccde59b650; classtype:credential-theft; sid:2034487; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_16, deployment Perimeter, former_category PHISHING, signature_severity Critical, tag Phishing, updated_at 2022_03_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005802; classtype:web-application-attack; sid:2005802; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT FatPipe Unrestricted File Upload"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fpui/"; nocase; fast_pattern; content:"|2e|jsp"; within:30; endswith; reference:url,ic3.gov/Media/News/2021/211117-2.pdf; classtype:attempted-admin; sid:2034531; rev:3; metadata:created_at 2021_11_22, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005392; classtype:web-application-attack; sid:2005392; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034045; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005394; classtype:web-application-attack; sid:2005394; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING BulletProofLink Phishkit Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/email-list/"; fast_pattern; content:".php"; endswith; reference:url,microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/; classtype:credential-theft; sid:2034046; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/user/example.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005395; classtype:web-application-attack; sid:2005395; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeBB Path Traversal (CVE-2021-43788)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nodebb|2e|org|2f 3f 5b 5b 2e 2e 2f|"; nocase; fast_pattern; content:"|3a|"; content:"|5d 5d|"; within:50; endswith; reference:url,blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot; reference:cve,2021-43788; classtype:attempted-admin; sid:2034590; rev:2; metadata:attack_target Server, created_at 2021_12_06, cve CVE_2021_43788, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005396; classtype:web-application-attack; sid:2005396; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Banking Phish Landing Page 2022-01-11"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"banks"; startswith; content:"pin.php"; fast_pattern; endswith; reference:md5,ed0fb4e78b838c7d9884691efa434dd7; classtype:credential-theft; sid:2034893; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_11, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005397; classtype:web-application-attack; sid:2005397; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HVNC BOT Detected"; flow:established,to_server; content:"|3b 00 00 00 19 00 00 00 13 01 00 00 2d 42 4f 54|"; depth:16; content:"|00|"; endswith; reference:md5,4abde768b70e94093970901438e51cbd; classtype:trojan-activity; sid:2027832; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_08_09, deployment Perimeter, former_category TROJAN, malware_family HVNC, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005398; classtype:web-application-attack; sid:2005398; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ALEXANDR/"; fast_pattern; startswith; content:".rmvb"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,0fee6bb95bfbfeee768f742387d3ddce; reference:md5,81ada96074cbc01655fc3b9b570308cd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035117; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005399; classtype:web-application-attack; sid:2005399; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/clamp/"; fast_pattern; content:".cbl"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,fac3f024711fc5fd3e1d69b994b159bd; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035118; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_02_07, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005400; classtype:web-application-attack; sid:2005400; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/globe/"; fast_pattern; content:".cam"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035131; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE"; flow:established,to_server; http.uri; content:"/gmail.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005401; classtype:web-application-attack; sid:2005401; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/courageous/"; fast_pattern; content:".eft"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,6662dad691740c832ea2bcde17509d0a; classtype:trojan-activity; sid:2035132; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_08, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005402; classtype:web-application-attack; sid:2005402; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/endless/"; fast_pattern; content:".arj"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,2a0269cf18f2f1c055153408f85ab4c6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035167; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005403; classtype:web-application-attack; sid:2005403; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allocation/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,1579a5a8bdca4eda62315116e418b9d6; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035168; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005404; classtype:web-application-attack; sid:2005404; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sour/"; fast_pattern; content:".kdp"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,bb1c8ad9f422a39ce6329e93dc060438; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035169; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005405; classtype:web-application-attack; sid:2005405; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pretend/"; fast_pattern; content:".dot"; endswith; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer"; reference:md5,ca9fa910806f5aafd33f0dd48fdc8415; reference:url,unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/; classtype:trojan-activity; sid:2035170; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_02_09, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005406; classtype:web-application-attack; sid:2005406; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - Malicious NetrServerPasswordSet2 (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; content:"|1e 00|"; offset:22; depth:2; content:"|24 00 00 00 06|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035262; rev:3; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, former_category EXPLOIT, performance_impact Significant, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE"; flow:established,to_server; http.uri; content:"/example.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005407; classtype:web-application-attack; sid:2005407; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Response"; flow:from_server,established; flowbits:isset,ET.ETERNALCHAMPIONsync; content:"|ff|SMB|25 00 00 00 00 98 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; fast_pattern; content:"|7c 00|"; distance:32; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:100; within:20; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; classtype:trojan-activity; sid:2024213; rev:5; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, former_category EXPLOIT, signature_severity Critical, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005408; classtype:web-application-attack; sid:2005408; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService Pong response"; id:1; content:"101|3b|0000|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030055; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005409; classtype:web-application-attack; sid:2005409; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp $HOME_NET 1234 -> $EXTERNAL_NET 4000 (msg:"ET MALWARE NAZAR EYService OSInfo response"; id:1; content:"100|3b|"; reference:url,blog.malwarelab.pl/posts/nazar_eyservice_comm; classtype:command-and-control; sid:2030056; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_04_29, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005410; classtype:web-application-attack; sid:2005410; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (theskoolieblog .com)"; dns.query; content:"theskoolieblog.com"; nocase; bsize:18; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035596; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005411; classtype:web-application-attack; sid:2005411; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Nobelium APT Related Domain in DNS Lookup (ernesttheskoolie .com)"; dns.query; content:"ernesttheskoolie.com"; nocase; bsize:20; reference:url,twitter.com/h2jazi/status/1506439550968676360; classtype:domain-c2; sid:2035597; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005412; classtype:web-application-attack; sid:2005412; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:C1:3B:57:1A:83:A5:B1:4A"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022099; rev:3; metadata:attack_target Client_and_Server, created_at 2015_11_17, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/authentication/ldap.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005413; classtype:web-application-attack; sid:2005413; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F2:66:4A:29:E0:7E:C2:78"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022227; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005414; classtype:web-application-attack; sid:2005414; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (FindPOS)"; flow:established,to_client; tls.cert_serial; content:"00:E0:78:4E:9C:A4:AD:AB:24"; fast_pattern; tls.cert_subject; content:"O=Default Company Ltd"; reference:url,blog.team-cymru.org/2015/06/poseidon-and-the-backoff-pos-link/; classtype:domain-c2; sid:2022228; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005415; classtype:web-application-attack; sid:2005415; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:F6:DA:A5:22:B2:8B:91:BE"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022232; rev:3; metadata:attack_target Client_and_Server, created_at 2015_12_08, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005416; classtype:web-application-attack; sid:2005416; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (FindPOS CnC)"; flow:established,to_client; tls.cert_serial; content:"00:9D:A8:74:C5:50:98:DD:09"; fast_pattern; tls.cert_subject; content:"C=XX"; content:"L=Default City"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022306; rev:4; metadata:attack_target Client_and_Server, created_at 2015_12_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005417; classtype:web-application-attack; sid:2005417; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_issuer; content:"AsyncRAT Server"; reference:md5,f69cadedae72d9d1a1d1578b56c39404; classtype:domain-c2; sid:2030673; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2020_08_11, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005418; classtype:web-application-attack; sid:2005418; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)"; flow:established,to_client; tls.cert_subject; content:"AsyncRAT Server"; nocase; classtype:domain-c2; sid:2035607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2019_05_31, deployment Perimeter, former_category MALWARE, malware_family AsyncRAT, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE"; flow:established,to_server; http.uri; content:"/modules/mod_mainmenu/menu.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0375; reference:url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded; reference:url,doc.emergingthreats.net/2005419; classtype:web-application-attack; sid:2005419; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC)"; flow:established,to_client; tls.cert_subject; content:"CN=g5wcesdfjzne7255.onion.to"; reference:url,welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials; classtype:domain-c2; sid:2022953; rev:3; metadata:affected_product Mac_OSX, attack_target Client_and_Server, created_at 2016_07_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, tag TROJAN_OSX_Keydnap, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005420; classtype:web-application-attack; sid:2005420; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Command Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fecommand.acm"; endswith; fast_pattern; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035605; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005421; classtype:web-application-attack; sid:2005421; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious SSL certificate detected (Possible Sinkhole)"; flow:established,to_client; tls.cert_subject; content:"O=infosec.jp"; fast_pattern; content:"CN=www.infosec.jp"; content:"snowyowl@jpnsec.com"; distance:0; reference:md5,ef5fa2378307338d4e75dece88158d77; classtype:domain-c2; sid:2022323; rev:3; metadata:attack_target Client_and_Server, created_at 2016_01_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1587, mitre_technique_name Develop_Capabilities;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005422; classtype:web-application-attack; sid:2005422; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Domain Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zs_url.txt?dl=0"; endswith; fast_pattern; http.host; content:"dl.dropboxusercontent.com"; http.header_names; content:!"Referer"; http.connection; content:"Keep-Alive"; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:trojan-activity; sid:2035606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005423; classtype:web-application-attack; sid:2005423; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SERVER SSL Cert APT1"; flow:established,to_client; tls.cert_serial; content:"52:55:38:16:FB:0D:1A:8A:4B:45:04:CB:06:BC:C4:AF"; tls.cert_subject; content:"CN=SERVER"; reference:url,www.mandiant.com/apt1; classtype:targeted-activity; sid:2016467; rev:4; metadata:attack_target Client_Endpoint, created_at 2013_02_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005424; classtype:web-application-attack; sid:2005424; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Downloader.Win32.Tesch.A Server CnC Sending Executable"; flow:established,to_client; content:"This Program must be"; fast_pattern; content:"|0B 00|"; startswith; content:"|00|MZ"; distance:14; within:3; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:md5,28173e257188ce3b3cc663be661bc2c4; reference:md5,2bebb36872b4829f553326e102d014ed; classtype:command-and-control; sid:2018479; rev:3; metadata:created_at 2014_05_15, former_category MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/content.php?"; nocase; content:"where="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005425; classtype:web-application-attack; sid:2005425; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"uid="; startswith; content:"&avtype="; distance:0; content:"&majorv="; fast_pattern; content:"&minorv="; reference:url,twitter.com/jaydinbas/status/1506987283630768138; reference:md5,ecd47e596048ad1af9973a21af303465; classtype:command-and-control; sid:2035592; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005426; classtype:web-application-attack; sid:2005426; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command (inbound)"; flow:established,to_client; dsize:<20; content:"|69 6e 66 32 6f 3d 63 6f 64 61 6e 64|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035598; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005427; classtype:web-application-attack; sid:2005427; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending Command M2 (inbound)"; flow:established,to_client; dsize:<20; content:"|67 65 74 32 61 76 73 3d 61 76 70 72 6f|"; fast_pattern; endswith; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035599; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005428; classtype:web-application-attack; sid:2005428; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dl.dropboxusercontent.com"; bsize:25; fast_pattern; classtype:misc-activity; sid:2035593; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005429; classtype:web-application-attack; sid:2005429; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO DropBox User Content Download Access over SSL M2"; flow:established,to_client; tls.cert_subject; content:"CN=dl.dropbox.com"; fast_pattern; classtype:misc-activity; sid:2035594; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005430; classtype:web-application-attack; sid:2005430; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Win32/CrimsonRAT Variant Sending System Information (outbound)"; flow:established,to_server; dsize:<120; content:"|69 6e 73 35 66 6f 3d 75 73 66 73 65 72 3b|"; fast_pattern; depth:20; reference:md5,9bb081fb563b2905ea52e4b858d392ed; classtype:trojan-activity; sid:2035600; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/weblinks.php?"; nocase; content:"where="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005431; classtype:web-application-attack; sid:2005431; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI)"; flow:established,to_server; tls_sni; content:"update.imdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:command-and-control; sid:2035568; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005432; classtype:web-application-attack; sid:2005432; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 2"; flow:established,to_server; tls_sni; content:"imbbq.co"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035569; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005433; classtype:web-application-attack; sid:2005433; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 3"; flow:established,to_server; tls_sni; content:"ds-super-admin.imtokens.money"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035570; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005434; classtype:web-application-attack; sid:2005434; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 4"; flow:established,to_server; tls_sni; content:"imtokenss.token-app.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035571; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005435; classtype:web-application-attack; sid:2005435; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 5"; flow:established,to_server; tls_sni; content:"xdhbj.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035572; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005436; classtype:web-application-attack; sid:2005436; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 6"; flow:established,to_server; tls_sni; content:"update.xzxqsf.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035573; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/contacts.php?"; nocase; content:"text="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005437; classtype:web-application-attack; sid:2005437; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 7"; flow:established,to_server; tls_sni; content:"metamask.tptokenm.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035574; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005438; classtype:web-application-attack; sid:2005438; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 8"; flow:established,to_server; tls_sni; content:"two.shayu.la"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035575; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005439; classtype:web-application-attack; sid:2005439; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 9"; flow:established,to_server; tls_sni; content:"jdzpfw.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035576; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005440; classtype:web-application-attack; sid:2005440; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 10"; flow:established,to_server; tls_sni; content:"bp.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035577; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005441; classtype:web-application-attack; sid:2005441; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 11"; flow:established,to_server; tls_sni; content:"ok.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035578; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005442; classtype:web-application-attack; sid:2005442; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 12"; flow:established,to_server; tls_sni; content:"mm.tkdt.cc"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035579; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/categories.php?"; nocase; content:"text="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005443; classtype:web-application-attack; sid:2005443; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 20"; flow:established,to_server; tls_sni; content:"token-lon.me"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035580; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005444; classtype:web-application-attack; sid:2005444; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 13"; flow:established,to_server; tls_sni; content:"bh.imtoken.sx"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035581; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005445; classtype:web-application-attack; sid:2005445; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 14"; flow:established,to_server; tls_sni; content:"ht.imtoken.cn.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035582; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005446; classtype:web-application-attack; sid:2005446; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 15"; flow:established,to_server; tls_sni; content:"api.tipi21341.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035583; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005447; classtype:web-application-attack; sid:2005447; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 16"; flow:established,to_server; tls_sni; content:"ariodjs.xyz"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035584; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005448; classtype:web-application-attack; sid:2005448; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 17"; flow:established,to_server; tls_sni; content:"walletappforbit.web.app"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035585; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE"; flow:established,to_server; http.uri; content:"/plugins/search/sections.php?"; nocase; content:"text="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005449; classtype:web-application-attack; sid:2005449; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 18"; flow:established,to_server; tls_sni; content:"jaxx.su"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035586; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005450; classtype:web-application-attack; sid:2005450; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed GhostWriter APT Related Cobalt Strike Domain (ao3 .hmgo .pw in TLS SNI)"; flow:established,to_server; tls.sni; content:"ao3.hmgo.pw"; bsize:11; fast_pattern; reference:url,cert.gov.ua/article/38155; reference:url,twitter.com/netresec/status/1506990534547709972; reference:url,tria.ge/220324-p4dl5adghn; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:domain-c2; sid:2035601; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005451; classtype:web-application-attack; sid:2005451; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 19"; flow:established,to_server; tls_sni; content:"jaxx.tf"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035587; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005452; classtype:web-application-attack; sid:2005452; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 21"; flow:established,to_server; tls_sni; content:"master-consultas.com"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035588; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005453; classtype:web-application-attack; sid:2005453; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 22"; flow:established,to_server; tls_sni; content:"jaxxwalletinc.live"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035589; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005454; classtype:web-application-attack; sid:2005454; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Domain in DNS Lookup (hmgo .pw)"; dns.query; dotprefix; content:".hmgo.pw"; nocase; endswith; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; reference:url,tria.ge/220324-p4dl5adghn; classtype:domain-c2; sid:2035602; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE"; flow:established,to_server; http.uri; content:"/database/table/user.php?"; nocase; content:"email="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0373; reference:url,www.securityfocus.com/bid/22122; reference:url,doc.emergingthreats.net/2005455; classtype:web-application-attack; sid:2005455; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike"; flow:from_server,established; tls.cert_subject; content:"C=, ST=, L=, O=, OU=, CN="; endswith; bsize:25; fast_pattern; classtype:targeted-activity; sid:2023629; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_10_24, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index2.php?option=ds-syndicate"; nocase; content:"version=1"; nocase; content:"feed_id="; nocase; pcre:"/UNION.+SELECT/i"; reference:url,www.secunia.com/advisories/32321; reference:url,www.exploit-db.com/exploits/6792/; reference:url,doc.emergingthreats.net/2008685; classtype:web-application-attack; sid:2008685; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 23"; flow:established,to_server; tls_sni; content:"jaxx.podzone.org"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035590; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/admin.rssreader.php?"; nocase; content:"mosConfig_live_site="; nocase; pcre:"/mosConfig_live_site=\s*(https?|ftps?|php)\:\//i"; reference:url,vupen.com/english/advisories/2008/3119; reference:bugtraq,32265; reference:url,www.exploit-db.com/exploits/7096/; reference:url,doc.emergingthreats.net/2009369; classtype:web-application-attack; sid:2009369; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/FakeWallet.AH!tr (TLS SNI) 24"; flow:established,to_server; tls_sni; content:"saaditrezxie.store"; isdataat:!1,relative; nocase; reference:url,www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-targeting-android-ios-devices; classtype:trojan-activity; sid:2035591; rev:2; metadata:created_at 2022_03_24, former_category MOBILE_MALWARE, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- php5x.php"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/joomla/utilities/compat/php50x.php"; nocase; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009778; classtype:attempted-recon; sid:2009778; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GhostWriter APT Related Cobalt Strike Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/works"; endswith; http.header; content:"Accept|3a 20|application/json|0d 0a|Content-Type|3a 20|application/json|3b 20|charset=UTF-8|0d 0a|"; http.cookie; content:"_token"; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9\/+]{171}=$/R"; reference:url,cert.gov.ua/article/38155; reference:url,tria.ge/220324-p4dl5adghn; reference:url,twitter.com/netresec/status/1506990534547709972; reference:md5,b5525108912ee8d5f1519f1b552723e8; classtype:trojan-activity; sid:2035603; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family CobaltStrike, malware_family Ghostwriter, signature_severity Major, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- ldap.php"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/joomla/client/ldap.php"; nocase; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009779; classtype:attempted-recon; sid:2009779; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY tor4u tor2web .onion Proxy domain in SNI"; flow:established,to_server; tls.sni; content:"tor4u.net"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:policy-violation; sid:2018878; rev:3; metadata:created_at 2014_08_01, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- content.php"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/libraries/joomla/html/html/content.php"; nocase; reference:bugtraq,35780; reference:url,www.securityfocus.com/archive/1/505231; reference:url,doc.emergingthreats.net/2009780; classtype:attempted-recon; sid:2009780; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-#alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014"; flow:established,to_server; tls.sni; content:"knowledgewiki.info"; fast_pattern; reference:md5,de81fab8ec96bef76db828f4c1a42e4d; classtype:trojan-activity; sid:2018877; rev:4; metadata:created_at 2014_08_01, former_category TROJAN, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_artportal&portalid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009834; classtype:web-application-attack; sid:2009834; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 8"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; tls.cert_serial; content:"5f:31"; startswith; tls.cert_subject; content:"C=--"; startswith; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:md5,f58a4369b8176edbde4396dc977c9008; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2015-030500-0430-99; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; classtype:targeted-activity; sid:2020974; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_artportal&portalid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009835; classtype:web-application-attack; sid:2009835; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Observed IP Lookup Domain (formyip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"formyip.com"; fast_pattern; classtype:external-ip-check; sid:2024832; rev:4; metadata:created_at 2017_10_10, former_category POLICY, updated_at 2022_03_24;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_artportal&portalid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9563/; reference:url,www.securityfocus.com/bid/36206/info; reference:url,doc.emergingthreats.net/2009836; classtype:web-application-attack; sid:2009836; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DivX Client SSL Connection via Self-Signed SSL Cert"; flow:established,to_client; tls.cert_subject; content:"DivX, Inc. Certificate Authority"; fast_pattern; classtype:policy-violation; sid:2013300; rev:3; metadata:attack_target Client_Endpoint, created_at 2011_07_23, deployment Perimeter, former_category POLICY, signature_severity Informational, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection"; flow:to_server,established; http.uri; content:"/index.php?option=com_joomlub&controller=auction&view=auction&task=edit&aid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9593/; reference:url,doc.emergingthreats.net/2009881; classtype:web-application-attack; sid:2009881; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; tls.cert_subject; content:"CN=IOS-Self-Signed-Certificate-"; fast_pattern; classtype:misc-activity; sid:2014617; rev:4; metadata:created_at 2012_04_20, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009913; classtype:web-application-attack; sid:2009913; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in DNS query (www. rare-coisns. com)"; dns.query; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035614; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009914; classtype:web-application-attack; sid:2009914; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster domain observed in TLS SNI (www. rare-coisns. com)"; flow:established,to_server; tls.sni; content:"www.rare-coisns.com"; fast_pattern; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035615; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009915; classtype:web-application-attack; sid:2009915; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035616; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009916; classtype:web-application-attack; sid:2009916; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SodaMaster CnC HTTPS Checkin M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/image/look/javascript/index.php"; fast_pattern; startswith; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20| MSIE 7.0|3b 20|Windows NT 6.1|3b 20|WOW64|3b 20|Trident/4.0|3b 20|SLCC2|3b 20|.NET CLR 2.0.50727|3b 20|.NET CLR 3.5.30729|3b 20|.NET CLR 3.0.30729|3b 20|Media Center PC 6.0|3b 20|.NET4.0C|3b 20|.NET4.0E)"; reference:md5,0b182464a2351a9d79c1222bb1fdf35e; reference:md5,037261d5571813b9640921afac8aafbe; reference:md5,c5994f9fe4f58c38a8d2af3021028310; classtype:targeted-activity; sid:2035617; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_djcatalog&view=showItem&id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/9693/; reference:url,doc.emergingthreats.net/2009917; classtype:web-application-attack; sid:2009917; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:md5,a5bad2da096e9ebbb90845dbadec91fe; reference:md5,253cb5361e43bfb1931fa115336e7c16; reference:md5,dd6d09e0e565ea18b85a18af8e95eb75; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035608; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009919; classtype:web-application-attack; sid:2009919; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FIN7 JSSLoader Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /?id="; startswith; fast_pattern; http.uri; pcre:"/^\/\?id\=[A-Z]{12,28}[0-9]$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:46; reference:md5,6f743e8fda2031db9907a8d6bd0a41a8; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:trojan-activity; sid:2035609; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family FIN7, malware_family CarbonSpider, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009920; classtype:web-application-attack; sid:2009920; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE FIN7 JSSLoader Related Domain in DNS Lookup"; dns.query; content:"securmeawards.com"; nocase; bsize:17; reference:md5,0cd9c62063026d4199c941b5f644c5ce; reference:url,blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files; classtype:domain-c2; sid:2035610; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009921; classtype:web-application-attack; sid:2009921; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kimsuky APT Related Host Data Exfil M5"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\?m=[abcde]&p1=[a-f0-9-]{8,25}(?:&p2=[^&]+)?(?:&p3=[^&]+)?$/i"; http.uri.raw; content:"//?m="; depth:5; fast_pattern; content:"&p1="; distance:1; within:4; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0684d80e91581730f814e831f703bf5b; reference:url,twitter.com/s1ckb017/status/1507316584079142915; classtype:trojan-activity; sid:2035611; rev:1; metadata:created_at 2022_03_25, former_category MALWARE, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009924; classtype:web-application-attack; sid:2009924; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing Domain in DNS Lookup (info-getting-eu. com)"; dns.query; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035618; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jlord_rss&task=feed&id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36427/info; reference:url,doc.emergingthreats.net/2009922; classtype:web-application-attack; sid:2009922; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Generic Phishing domain observed in TLS SNI (info-getting-eu. com)"; flow:established,to_server; tls.sni; content:"info-getting-eu.com"; fast_pattern; classtype:credential-theft; sid:2035619; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category PHISHING, performance_impact Low, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/index.php?option=com_album&"; nocase; content:"Itemid=128&"; nocase; content:"target="; nocase; reference:url,www.securityfocus.com/bid/36441/info; reference:url,www.exploit-db.com/exploits/9706/; reference:url,doc.emergingthreats.net/2009929; classtype:web-application-attack; sid:2009929; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Webserver Resolving Known Webshell CnC Domain (anonymousfox)"; dns.query; content:"anonymousfox."; startswith; fast_pattern; pcre:"/(?:is|mx|info|co)$/"; reference:url,twitter.com/unmaskparasites/status/1507038308789936150; classtype:bad-unknown; sid:2035612; rev:2; metadata:attack_target Web_Server, created_at 2022_03_25, deployment Perimeter, former_category WEB_SERVER, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/com_koesubmit/koesubmit.php?"; nocase; content:"="; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36447/info; reference:url,www.owasp.org/index.php/PHP_File_Inclusion; reference:url,doc.emergingthreats.net/2009933; classtype:web-application-attack; sid:2009933; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to BaitAndPhish Domain"; dns.query; dotprefix; content:".important-notification.com"; nocase; endswith; threshold: type limit, track by_dst, count 1, seconds 120; fast_pattern; classtype:misc-activity; sid:2035613; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_moofaq/includes/file_includer.php?"; nocase; content:"file="; nocase; reference:bugtraq,35259; reference:url,www.exploit-db.com/exploits/8898/; reference:url,doc.emergingthreats.net/2009934; classtype:web-application-attack; sid:2009934; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Evil Keitaro Set-Cookie Inbound (85937)"; flow:established,from_server; http.stat_code; content:"200"; http.cookie; content:"85937=eyJ0e"; fast_pattern; pcre:"/^[A-Z0-9_\-.]{20,300}\x3b/Ri"; classtype:trojan-activity; sid:2035620; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2022_03_25, deployment Perimeter, deployment SSLDecrypt, former_category WEB_CLIENT, performance_impact Low, signature_severity Major, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009938; classtype:web-application-attack; sid:2009938; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 7"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"2c:2f"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,9ad55b83f2eec0c19873a770b0c86a2f; classtype:targeted-activity; sid:2020972; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009939; classtype:web-application-attack; sid:2009939; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls [108.160.162.0/20,162.125.0.0/16,192.189.200.0/23,199.47.216.0/22,205.189.0.0/24,209.99.70.0/24,45.58.64.0/20] 443 -> $HOME_NET any (msg:"ET POLICY Dropbox.com Offsite File Backup in Use"; flow:established,to_client; tls.cert_subject; content:"CN=*.dropbox.com"; fast_pattern; threshold: type limit, count 1, seconds 300, track by_src; reference:url,www.dropbox.com; reference:url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/; classtype:policy-violation; sid:2012647; rev:7; metadata:created_at 2011_04_07, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009940; classtype:web-application-attack; sid:2009940; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 6"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"09:a9"; fast_pattern; depth:5; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,1dde02ff744fa4e261168e2008fd613a; classtype:targeted-activity; sid:2020971; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009941; classtype:web-application-attack; sid:2009941; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 5"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; distance:0; tls.cert_serial; content:"03:5f"; depth:5; tls.cert_subject; content:"*.corp.utilitytelephone.com"; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,4121414c63079b7fa836be00f8d0a93b; classtype:targeted-activity; sid:2020970; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_surveymanager"; nocase; content:"task=editsurvey&"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36464/info; reference:url,doc.emergingthreats.net/2009942; classtype:web-application-attack; sid:2009942; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 4"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"0f:0d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,0e0182694c381f8b68afc5f3ff4c4653; classtype:targeted-activity; sid:2020969; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009943; classtype:web-application-attack; sid:2009943; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 3"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"1b:3c"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,181a88c911b10d0fcb4682ae552c0de3; classtype:targeted-activity; sid:2020968; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009944; classtype:web-application-attack; sid:2009944; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 2"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"65:5d"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,859f167704b5c138ed9a9d4d3fdc0723; classtype:targeted-activity; sid:2020967; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009945; classtype:web-application-attack; sid:2009945; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE CozyDuke APT Possible SSL Cert 1"; flow:from_server,established; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; content:"|02 2d 2d|"; distance:1; within:3; content:"|55 04 08|"; distance:0; tls.cert_subject; content:"SomeState"; tls.cert_serial; content:"31:d5"; depth:5; fast_pattern; reference:url,securelist.com/blog/69731/the-cozyduke-apt/; reference:md5,d5a82520ebf38a0c595367ff0ca89fae; classtype:targeted-activity; sid:2020966; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_25;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009946; classtype:web-application-attack; sid:2009946; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg"; flow:established,to_server; content:"layout"; http_uri; content:"viagra_super_active.jpg"; http_uri; classtype:bad-unknown; sid:2011339; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_jbudgetsmagic"; nocase; content:"view=mybudget&"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36461/info; reference:url,doc.emergingthreats.net/2009947; classtype:web-application-attack; sid:2009947; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV redirecting to fake scanner page - /?777"; flow:established,to_server; content:"/?777"; http_uri; classtype:bad-unknown; sid:2011421; rev:4; metadata:created_at 2010_09_28, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009956; classtype:web-application-attack; sid:2009956; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential-Hiloti/FakeAV site access"; flow:established,to_server; content:"?p=p52dcW"; http_uri; pcre:"/\/\?p=p52dcW[A-Za-z]{4}/U"; classtype:trojan-activity; sid:2011591; rev:5; metadata:created_at 2010_10_06, former_category MALWARE, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009957; classtype:web-application-attack; sid:2009957; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=CN, ST=ST"; fast_pattern; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x06\x03\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2015_01_23, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Upatre, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009958; classtype:web-application-attack; sid:2009958; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M1 (L O)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009959; classtype:web-application-attack; sid:2009959; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M2 (L CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_facebook"; nocase; content:"view=student"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36484/info; reference:url,doc.emergingthreats.net/2009960; classtype:web-application-attack; sid:2009960; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert M3 (O CN)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.certs; content:"|06 03 55 04 06 13 02|"; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:5; metadata:attack_target Client_Endpoint, created_at 2015_07_17, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009961; classtype:web-application-attack; sid:2009961; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; pcre:"/C=[A-Z]{2}\,/"; content:"ST="; distance:0; content:"L="; distance:0; content:"O="; distance:0; pcre:"/CN=[A-Z]/"; content:"OU="; distance:0; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_03, deployment Perimeter, deprecation_reason Relevance, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009962; classtype:web-application-attack; sid:2009962; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected SmokeLoader Retrieving Next Stage (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/smoke/loader/uploads/"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; bsize:22; reference:md5,bfbf171b4ebc5286c78d718e445c65fb; classtype:trojan-activity; sid:2035623; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009963; classtype:web-application-attack; sid:2009963; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Possible Windows Binary Observed in SSL/TLS Certificate"; flow:established,from_server; tls.certs; content:"This program cannot be run in DOS mode"; nocase; bsize:>768; reference:url,www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities; classtype:misc-attack; sid:2025315; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_02_06, deployment Perimeter, former_category POLICY, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009964; classtype:web-application-attack; sid:2009964; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; fast_pattern; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:6; metadata:created_at 2015_01_20, former_category MALWARE, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_sportfusion"; nocase; content:"view=teamdetail"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36481/info; reference:url,doc.emergingthreats.net/2009965; classtype:web-application-attack; sid:2009965; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; bsize:57; http.request_body; content:"symetric="; startswith; fast_pattern; content:"&unsyms="; distance:0; content:"&polls="; distance:0; http.header_names; content:!"Referer|0d 0a|"; reference:md5,5cbcc3485f4286098b3a111ceec8ce54; reference:md5,14a7002d7787ebc78d76479c73fc2856; classtype:trojan-activity; sid:2035624; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010014; classtype:web-application-attack; sid:2010014; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE TransparentTribe APT Related Backdoor Activity"; flow:established,to_server; dsize:6; content:"|36 6e 46 74 24 31|"; fast_pattern; reference:md5,bc2ef641fc8d709f4c111937353c0ac2; reference:md5,b03e0568a5f26addc51c8a3e32baeb7f; reference:md5,9dadf9ce41994f869e8c35e1917b8238; classtype:trojan-activity; sid:2035625; rev:2; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010015; classtype:web-application-attack; sid:2010015; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M3"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|dll"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035621; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, malware_family PurpleFox, performance_impact Moderate, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010016; classtype:web-application-attack; sid:2010016; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M4"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/octet-stream"; bsize:24; http.server; content:"HFS|20|"; startswith; fast_pattern; http.cookie; content:"HFS_SID_="; startswith; http.header; content:"|0d 0a|Content|2d|Disposition|3a 20|attachment|3b 20|filename|2a 3d|UTF|2d|8|27 27|"; content:"|3b 20|filename="; distance:1; within:11; content:"|0d 0a|"; distance:1; within:2; endswith; http.response_body; content:"Rar|21 1A 07|"; startswith; content:"|2e|lnk"; within:150; reference:md5,930d405c7653dcf36c04e75224a2ff9d; reference:url,www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html; classtype:command-and-control; sid:2035622; rev:1; metadata:created_at 2022_03_28, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_gameserver"; nocase; content:"view=gamepanel"; nocase; content:"id="; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36213/info; reference:url,doc.emergingthreats.net/2010017; classtype:web-application-attack; sid:2010017; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Phish 2022-03-28"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"M09009944646.php"; endswith; fast_pattern; http.request_body; content:"user="; content:"pass="; distance:0; reference:md5,40eff169fa7b8cacdde4499290a57aa5; classtype:credential-theft; sid:2035628; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010040; classtype:web-application-attack; sid:2010040; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (ntpserver .xyz)"; dns.query; content:"ntpserver.xyz"; fast_pattern; nocase; bsize:13; reference:md5,09c120d23f986040af202607db6157f0; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035626; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010041; classtype:web-application-attack; sid:2010041; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE PlugX Related Domain in DNS Lookup (cxks8 .com)"; dns.query; content:"cxks8.com"; fast_pattern; nocase; bsize:9; reference:md5,99ee1e21a34b0536b120d4a6977fd252; reference:url,twitter.com/0xrb/status/1508330395250868229; classtype:domain-c2; sid:2035627; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_28, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010042; classtype:web-application-attack; sid:2010042; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"12:85"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021591; rev:2; metadata:attack_target Client_Endpoint, created_at 2015_08_04, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010043; classtype:web-application-attack; sid:2010043; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 2"; flow:established,from_server; tls.cert_subject; content:"www.visionresearch.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021419; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_cbresumebuilder"; nocase; content:"task=group_members"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36598/info; reference:url,doc.emergingthreats.net/2010044; classtype:web-application-attack; sid:2010044; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 5"; flow:established,from_server; tls.cert_subject; content:"extranet.qualityplanning.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021422; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_28;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010045; classtype:web-application-attack; sid:2010045; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 6"; flow:established,from_server; tls.cert_subject; content:"edadmin.kearsney.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021423; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010046; classtype:web-application-attack; sid:2010046; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 7"; flow:established, from_server; tls.cert_subject; content:"redbluffchamber.com"; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021424; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010047; classtype:web-application-attack; sid:2010047; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 8"; flow:established,to_client; tls.cert_subject; content:"Connectads.com"; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021425; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection"; flow:established,to_server; http.uri; content:"/index.php?option=com_soundset"; nocase; content:"showcategory"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securityfocus.com/bid/36597/info; reference:url,doc.emergingthreats.net/2010048; classtype:web-application-attack; sid:2010048; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT CozyCar SSL Cert 3"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 06|"; distance:0; tls.cert_serial; content:"3d:d6"; tls.cert_subject; content:"--"; content:"SomeCity"; distance:0; content:"root@localhost.localdomain"; distance:0; fast_pattern; reference:url,researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke/; classtype:targeted-activity; sid:2021420; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.uri; content:"/components/com_ajaxchat/tests/ajcuser.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/59056; reference:url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt; reference:url,doc.emergingthreats.net/2010260; classtype:web-application-attack; sid:2010260; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Cobalt Group SSL Certificate Detected"; flow:established,from_server; tls.cert_subject; content:"dns-verifon.com"; reference:md5,26406f5cc72e13c798485f80ad3cbbdb; classtype:targeted-activity; sid:2025438; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_26, deployment Perimeter, former_category TROJAN, malware_family Cobalt_Group, performance_impact Low, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010349; classtype:web-application-attack; sid:2010349; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M1"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; nocase; http.request_body; content:"|3c|methodName|3e|"; content:"login|3c 2f|methodName|3e|"; within:50; fast_pattern; nocase; content:"|3c|member|3e 3c|value|3e 3c|"; distance:0; nocase; content:!"|3e|"; within:400; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035633; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010350; classtype:web-application-attack; sid:2010350; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WatchGuard CVE-2022-26318 RCE Attempt M2"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.request_body; content:"|3c|methodName|3e|"; nocase; content:"login|3c 2f|methodName|3e|"; within:50; nocase; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035634; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010351; classtype:web-application-attack; sid:2010351; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible WatchGuard CVE-2022-26318 RCE Attempt M3"; flow:established,to_server; http.request_line; content:"POST /agent/login"; startswith; fast_pattern; http.content_len; byte_test:0,>,450,0,string,dec; http.header; content:"Content-Encoding|3a 20|gzip"; http.request_body; content:"|1f 8b|"; startswith; reference:url,attackerkb.com/topics/t8Nrnu99ZE/cve-2022-26318; reference:url,www.greynoise.io/blog/watchguard-cve-2022-26318-rce-detection-iocs-and-prevention-for-defenders; reference:cve,2022-26318; classtype:attempted-admin; sid:2035635; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_03_29, cve CVE_2022_26318, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010352; classtype:web-application-attack; sid:2010352; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (kutti .co in TLS SNI)"; flow:established,to_server; tls.sni; content:"kutti.co"; bsize:8; fast_pattern; classtype:bad-unknown; sid:2035640; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_photoblog&"; nocase; content:"&category="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36809; reference:url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt; reference:url,doc.emergingthreats.net/2010353; classtype:web-application-attack; sid:2010353; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; fast_pattern; content:"Email=autodiscover/"; nocase; flowbits:set,ET.cve.2021.34473; reference:cve,2021-31207; classtype:attempted-admin; sid:2033681; rev:4; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_ezine/class/php/d4m_ajax_pagenav.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,37043; reference:url,doc.emergingthreats.net/2010474; classtype:web-application-attack; sid:2010474; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M1 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"Email=autodiscover/"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; reference:cve,2021-31207; classtype:attempted-admin; sid:2033701; rev:3; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_10, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010476; classtype:web-application-attack; sid:2010476; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange SUID Disclosure via SSRF Inbound M2 (CVE-2021-31207)"; flow:established,to_server; http.uri; content:"/autodiscover"; nocase; content:"/mapi/emsmdb"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2035648; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010477; classtype:web-application-attack; sid:2010477; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M2 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; content:"Email="; distance:0; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2033711; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2021_08_12, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010478; classtype:web-application-attack; sid:2010478; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Abused File Hosting Domain in DNS Lookup (transferxl .com)"; dns.query; dotprefix; content:".transferxl.com"; nocase; endswith; classtype:misc-activity; sid:2035636; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010479; classtype:web-application-attack; sid:2010479; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035637; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"index.php?option=com_jshop&"; nocase; content:"&pid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36808; reference:url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt; reference:url,doc.emergingthreats.net/2010480; classtype:web-application-attack; sid:2010480; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Abused File Hosting Domain (transferxl-download .com in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".transferxl-download.com"; endswith; fast_pattern; classtype:misc-activity; sid:2035638; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla MyRemote Video Gallery (user_id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"user_id="; content:"option=com_mytube"; nocase; content:"index.php?"; nocase; pcre:"/user_id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,milw0rm.org/exploits/9733; reference:url,doc.emergingthreats.net/2010528; classtype:web-application-attack; sid:2010528; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Backdoor Related Domain (swordoke .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"swordoke.com"; bsize:12; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035645; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla component com_jinc (newsid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"option=com_jinc"; nocase; content:"newsid="; nocase; content:"index.php?"; nocase; pcre:"/newsid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,milw0rm.org/exploits/9732; reference:url,doc.emergingthreats.net/2010529; classtype:web-application-attack; sid:2010529; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange RCE Inbound M3 (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/autodiscover.json?"; content:"/PowerShell/"; nocase; distance:0; content:"X-Rps-CAT="; distance:0; fast_pattern; http.cookie; content:"Email="; content:"autodiscover/"; distance:0; within:20; reference:cve,2021-34473; classtype:attempted-admin; sid:2035649; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component City Portal (Itemid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/city_portal/index.php?"; nocase; content:"Itemid="; nocase; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010535; classtype:web-application-attack; sid:2010535; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Microsoft Exchange Mailbox Enumeration Inbound (CVE-2021-34473)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ews/exchange.asmx"; nocase; fast_pattern; http.request_body; content:"<s"; content:"<m:ResolveNames ReturnFullContactData=|22|true|22| SearchScope=|22|ActiveDirectory|22|>"; distance:0; content:"</m:ResolveNames>"; distance:0; reference:cve,2021-34473; classtype:attempted-admin; sid:2035650; rev:2; metadata:affected_product MS_Exchange, attack_target Server, created_at 2022_03_29, cve CVE_2021_34473, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component Event Manager 1.5 (id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/eventmanager/index.php?"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt; reference:url,doc.emergingthreats.net/2010536; classtype:web-application-attack; sid:2010536; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Phish Landing Page 2022-03-29"; http.stat_code; content:"200"; http.content_len; byte_test:0,>=,68000,0,string,dec; file.data; content:!"<html>"; content:"<!-- ####### THIS IS A COMMENT - Visible only in the source editor #########-->"; content:"action="; pcre:"/\.php/Ri"; content:"name=|22|o8|22|"; fast_pattern; content:!"</html>"; reference:md5,60b2c87b34d51bb1ee2196d5b2db4c73; classtype:credential-theft; sid:2035647; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_zcalendar (eid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_zcalendar"; nocase; content:"eid="; nocase; pcre:"/(\?|&)eid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010537; classtype:web-application-attack; sid:2010537; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M1 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype|27 3a 20 27|"; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035629; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_acmis (Itemid) SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_acmisc"; nocase; content:"Itemid="; nocase; pcre:"/(\?|&)Itemid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt; reference:url,doc.emergingthreats.net/2010538; classtype:web-application-attack; sid:2010538; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Unauthenticated Command Injection Inbound M2 (CVE-2022-24989)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/module/api.php?mobile/createRaid"; fast_pattern; http.request_body; content:"raidtype="; nocase; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-24989; classtype:attempted-admin; sid:2035630; rev:2; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24989, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_personel (id) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_personel"; nocase; content:"id="; nocase; pcre:"/(\?|&)id=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlapersonel-sql.txt; reference:url,doc.emergingthreats.net/2010541; classtype:web-application-attack; sid:2010541; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TerraMaster TOS Information Leak Inbound (CVE-2022-24990)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/module/api.php?mobile/webNasIPS"; fast_pattern; reference:cve,2022-24990; classtype:attempted-recon; sid:2035631; rev:1; metadata:attack_target Server, created_at 2022_03_29, cve CVE_2022_24990, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_joomportfolio"; nocase; content:"secid="; nocase; pcre:"/(\?|&)secid=[^\s\x26\x3B\x2f]*[\s\x2f]/i"; reference:url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt; reference:url,doc.emergingthreats.net/2010542; classtype:web-application-attack; sid:2010542; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (kutti .co)"; dns.query; content:"kutti.co"; fast_pattern; nocase; bsize:8; classtype:bad-unknown; sid:2035639; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010555; classtype:web-application-attack; sid:2010555; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Backdoor Related Domain in DNS Lookup (swordoke .com)"; dns.query; content:"swordoke.com"; fast_pattern; nocase; bsize:12; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:domain-c2; sid:2035644; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010556; classtype:web-application-attack; sid:2010556; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Warzone RAT Variant CnC Domain in DNS Lookup (dost .igov-service .net)"; dns.query; content:"dost.igov-service.net"; fast_pattern; nocase; bsize:21; reference:url,decoded.avast.io/threatintel/avast-finds-compromised-philippine-navy-certificate-used-in-remote-access-tool/; reference:md5,49e8853801554d9de4dd281828094c8a; classtype:domain-c2; sid:2035646; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_29;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010557; classtype:web-application-attack; sid:2010557; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (wikipedia-book .vote)"; dns.query; content:"wikipedia-book.vote"; nocase; bsize:19; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; reference:md5,e98774bee4ed490089f6c63b6c676112; classtype:domain-c2; sid:2035652; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family CobaltStrike, signature_severity Major, updated_at 2022_03_30, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010558; classtype:web-application-attack; sid:2010558; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon User Agent Observed"; flow:established,to_server; http.user_agent; content:"VerbleConnectTM"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035659; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_joaktree&"; nocase; content:"&view=joaktree"; nocase; content:"treeId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37178; reference:url,secunia.com/advisories/37535/; reference:url,doc.emergingthreats.net/2010559; classtype:web-application-attack; sid:2010559; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (gaymers .ax)"; dns.query; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035660; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_kkcontent"; nocase; content:"catID="; nocase; pcre:"/(\?|&)catID=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt; reference:url,doc.emergingthreats.net/2010606; classtype:web-application-attack; sid:2010606; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (gaymers .ax in TLS SNI)"; flow:established,to_server; tls.sni; content:"gaymers.ax"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035661; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/acomponents/com_mamboleto/mamboleto.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,xforce.iss.net/xforce/xfdb/54662; reference:url,www.exploit-db.com/exploits/10369; reference:url,doc.emergingthreats.net/2010620; classtype:web-application-attack; sid:2010620; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (jonathanhardwick .me)"; dns.query; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035662; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010636; classtype:web-application-attack; sid:2010636; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (jonathanhardwick .me in TLS SNI)"; flow:established,to_server; tls.sni; content:"jonathanhardwick.me"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035663; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010637; classtype:web-application-attack; sid:2010637; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Abused Hosting Domain in DNS Lookup (digital-ministry .ru)"; dns.query; content:"digital-ministry.ru"; fast_pattern; nocase; bsize:19; reference:md5,fbe79895053b29ec2cfe99cad3eb83d5; reference:md5,29fe7a619970157adfcecfade1b204be; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:bad-unknown; sid:2035654; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010638; classtype:web-application-attack; sid:2010638; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (.verble .rocks)"; dns.query; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035664; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010639; classtype:web-application-attack; sid:2010639; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (.verble .rocks in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".verble.rocks"; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035665; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_jphoto&"; nocase; content:"view=category&"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37279; reference:url,doc.emergingthreats.net/2010640; classtype:web-application-attack; sid:2010640; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Verblecon Related Domain in DNS Lookup (verble .software)"; dns.query; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035666; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-comments-post.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010659; classtype:web-application-attack; sid:2010659; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Trojan.Verblecon Related Domain (verble .software in TLS SNI)"; flow:established,to_server; tls.sni; content:"verble.software"; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/verblecon-sophisticated-malware-cryptocurrency-mining-discord; classtype:trojan-activity; sid:2035667; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_mojo/wp-trackback.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt; reference:bugtraq,37179; reference:url,doc.emergingthreats.net/2010660; classtype:web-application-attack; sid:2010660; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Retrieving Task (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"R0VUVEFTSyUlJQ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035642; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010710; classtype:web-application-attack; sid:2010710; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Sending Task Status (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"UFVUVEFTSyUlJ"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035643; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010711; classtype:web-application-attack; sid:2010711; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?id="; startswith; http.header_names; content:!"Referer|0d 0a|"; http.request_body; content:"SU5JVCUl"; startswith; fast_pattern; reference:md5,341610a5a0cc430f99f9f9bd694b04a9; classtype:command-and-control; sid:2035641; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_29, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010712; classtype:web-application-attack; sid:2010712; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (hizliresim .com)"; dns.query; dotprefix; content:".hizliresim.com"; nocase; endswith; classtype:misc-activity; sid:2035655; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010713; classtype:web-application-attack; sid:2010713; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert (hizliresim .com)"; flow:established,to_client; tls.cert_subject; content:"hizliresim.com"; fast_pattern; pcre:"/CN=(?:[^\r\n]+?\.)?hizliresim\.com(?!\.)/"; classtype:misc-activity; sid:2035656; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_foobla_suggestions&"; nocase; content:"idea_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,36425; reference:url,doc.emergingthreats.net/2010714; classtype:web-application-attack; sid:2010714; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener Service Domain in DNS Lookup (kisa .link)"; dns.query; dotprefix; content:".kisa.link"; nocase; endswith; classtype:misc-activity; sid:2035657; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category INFO, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010750; classtype:web-application-attack; sid:2010750; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Service Domain (www .kisa .link in TLS SNI)"; flow:established,to_server; tls.sni; content:"www.kisa.link"; bsize:13; fast_pattern; classtype:misc-activity; sid:2035658; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, signature_severity Major, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010751; classtype:web-application-attack; sid:2010751; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service note .youdao .com  in DNS query"; dns.query; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035668; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010752; classtype:web-application-attack; sid:2010752; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Pastebin-style service (note .youdao .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"note.youdao.com"; fast_pattern; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; reference:md5,6cb6caeffc9a8a27b91835fdad750f90; classtype:misc-activity; sid:2035669; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category POLICY, performance_impact Low, signature_severity Informational, updated_at 2022_03_30;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010753; classtype:web-application-attack; sid:2010753; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert (fake state)"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; content:"C=AU"; fast_pattern; content:!"ST=Some-State"; tls.certs; content:"|06 03 55 04 06 13 02 41 55|"; content:"|06 03 55 04 08|"; distance:0; pcre:"/^.{2}(?=[A-Z]{0,32}[^A-Z01])(?P<var>[^01]{4,33}[01]).+?\x06\x03\x55\x04\x08.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2019833; rev:10; metadata:attack_target Client_Endpoint, created_at 2014_12_02, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_musicgallery&"; nocase; content:"&task=itempage"; nocase; content:"Id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37146; reference:url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt; reference:url,doc.emergingthreats.net/2010754; classtype:web-application-attack; sid:2010754; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Suspicious Long NULL DNS Request - Possible DNS Tunneling"; content:"|01|"; offset:2; depth:1; content:"|00 01 00 00 00 00 00|"; distance:1; within:7; content:"|00 0a 00 01|"; distance:70; fast_pattern; content:!"microsoft.com|03|"; classtype:trojan-activity; sid:2029995; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target DNS_Server, created_at 2020_04_22, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_mediaslide/viewer.php?"; nocase; content:"path="; nocase; reference:bugtraq,37440; reference:url,doc.emergingthreats.net/2010780; classtype:web-application-attack; sid:2010780; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eterprx .net)"; dns.query; content:"eterprx.net"; nocase; bsize:11; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035683; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010805; classtype:web-application-attack; sid:2010805; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup (eternitypr .net)"; dns.query; content:"eternitypr.net"; nocase; bsize:14; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035684; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010806; classtype:web-application-attack; sid:2010806; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eternitypr .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eternitypr.net"; bsize:14; fast_pattern; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:domain-c2; sid:2035685; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010807; classtype:web-application-attack; sid:2010807; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"eterprx.net"; bsize:11; fast_pattern; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; reference:md5,21ccad42f936524b311a8bc102b16752; classtype:domain-c2; sid:2035686; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010808; classtype:web-application-attack; sid:2010808; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eternity Stealer Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /api/accounts HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Connection|0d 0a 0d 0a|"; bsize:52; http.request_body; content:"growid="; startswith; content:"&password="; distance:0; content:"&stub_token="; distance:0; content:"&mac="; distance:0; content:"&token="; distance:0; content:"&creds="; distance:0; content:"&pcname="; distance:0; content:"&scrurl="; distance:0; reference:md5,21ccad42f936524b311a8bc102b16752; reference:url,twitter.com/James_inthe_box/status/1509271782578040832; classtype:trojan-activity; sid:2035687; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_yelp&"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38022; reference:url,doc.emergingthreats.net/2010809; classtype:web-application-attack; sid:2010809; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Social Media Credential Phish 2022-03-31"; flow:established,to_server; flowbits:set,ET.genericphish; http.method; content:"POST"; http.uri; content:".php?nick="; fast_pattern; classtype:credential-theft; sid:2035688; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_intuit/models/intuit.php?"; nocase; content:"approval="; nocase; reference:url,www.exploit-db.com/exploits/10730; reference:url,doc.emergingthreats.net/2010833; classtype:web-application-attack; sid:2010833; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX/Talisman Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"MCookie|3a 20|"; fast_pattern; pcre:"/^[0-9]-[0-9]-[0-9]{5}-[0-9]\r\n/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ecab63b6de18073453310a9c4551074b; reference:url,www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html; classtype:trojan-activity; sid:2035689; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, malware_family PlugX, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010843; classtype:web-application-attack; sid:2010843; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Lightning Stealer Exfil Activity"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:!"|0d 0a|User-Agent|0d 0a|"; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"|22|LogChromes|22 3a|"; content:"|22|LogGecko|22 3a|"; content:"|22|Screen|22 3a 7b|"; fast_pattern; content:"|22|Width|22 3a 22|"; distance:0; content:"|22|ScreenshotBase64|22 3a 22|"; distance:0; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:trojan-activity; sid:2035679; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Stealer, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010844; classtype:web-application-attack; sid:2010844; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)"; flow:to_server,established; http.header; content:"spring.cloud.function.routing-expression|3a|"; fast_pattern; reference:cve,2022-22963; classtype:attempted-admin; sid:2035670; rev:1; metadata:attack_target Server, created_at 2022_03_31, cve CVE_2022_22963, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010845; classtype:web-application-attack; sid:2010845; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M1"; flow:to_server,established; http.header; content:"request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035671; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010846; classtype:web-application-attack; sid:2010846; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M2"; flow:to_server,established; http.header; content:"executeCmd|28|request.getParameter|28|"; fast_pattern; nocase; classtype:attempted-admin; sid:2035672; rev:1; metadata:created_at 2022_03_31, former_category INFO, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_avosbillets&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37576; reference:url,doc.emergingthreats.net/2010842; classtype:web-application-attack; sid:2010842; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET INFO Common JSP WebShell String Observed in HTTP Header M3"; flow:to_server,established; http.header; content:"getRuntime|28 29|.exec"; fast_pattern; nocase; classtype:attempted-admin; sid:2035673; rev:1; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_morfeoshow/morfeoshow.html.php?"; nocase; content:"user_id="; nocase; pcre:"/user_id\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,secdb.4sec.org/?s1=exp&sid=18773; reference:url,doc.emergingthreats.net/2010848; classtype:web-application-attack; sid:2010848; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com)"; dns.query; dotprefix; content:".seeklogo.com"; nocase; endswith; classtype:misc-activity; sid:2035690; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010853; classtype:web-application-attack; sid:2010853; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss .xyz in TLS SNI)"; flow:established,to_server; tls.sni; content:"panelss.xyz"; bsize:11; fast_pattern; reference:md5,1b922b6d15085da82e20fee0789a6617; reference:url,twitter.com/3xp0rtblog/status/1509484987401351177; classtype:domain-c2; sid:2035680; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010854; classtype:web-application-attack; sid:2010854; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Custom Logo Domain (seeklogo .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"seeklogo.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035691; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, signature_severity Informational, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010855; classtype:web-application-attack; sid:2010855; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Terse Request to note .youdao .com - Possible Download"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/yws/api/personal/file/"; content:"?method=download&shareKey="; distance:0; pcre:"/[a-f0-9]{32}$/UR"; http.host; content:"note.youdao.com"; fast_pattern; bsize:15; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:22; content:!"Referer"; reference:url,twitter.com/malwrhunterteam/status/1509160261881667585; classtype:misc-activity; sid:2035681; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, deployment SSLDecrypt, former_category HUNTING, performance_impact Moderate, signature_severity Informational, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010856; classtype:web-application-attack; sid:2010856; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MustangPanda APT Dropper Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|Content-Length|0d 0a|Host|0d 0a 0d 0a|"; bsize:46; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:">"; offset:8; content:">"; distance:1; within:1; content:">"; distance:7; within:1; content:"|2e|exe|5c|"; distance:0; fast_pattern; reference:md5,4a9b98832ba5c2b74f80dadd16b8a079; reference:url,twitter.com/StillAzureH/status/1505823479945625604; classtype:trojan-activity; sid:2035682; rev:2; metadata:created_at 2022_03_31, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_job&"; nocase; content:"id_job="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt; reference:url,doc.emergingthreats.net/2010857; classtype:web-application-attack; sid:2010857; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Killav.CM CnC Response"; flow:to_client,established; dsize:11; content:"|09 01 00 00 00 00 0b 00 00 00 00|"; startswith; fast_pattern; classtype:trojan-activity; sid:2035693; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010924; classtype:web-application-attack; sid:2010924; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Killav.CM Checkin M2"; dsize:<50; flow:to_server,established; content:"|04 00 00 00 00|"; startswith; content:"|00 00 7E 00 00 00 7E 00|"; distance:0; fast_pattern; content:"|00 00|"; endswith; classtype:trojan-activity; sid:2035694; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_03_31;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010925; classtype:web-application-attack; sid:2010925; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Downloader User-Agent (mozilla_horizon) GET request observed"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"mozilla_horizon"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,62d52076d41ab6e429a976d48173f29d; classtype:trojan-activity; sid:2035703; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010926; classtype:web-application-attack; sid:2010926; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (vpn2 .smi1egate .com)"; dns.query; content:"vpn2.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035704; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010927; classtype:web-application-attack; sid:2010927; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (svn1 .smi1egate .com)"; dns.query; content:"svn1.smi1egate.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035705; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?option=com_perchagallery&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/11103; reference:url,doc.emergingthreats.net/2010928; classtype:web-application-attack; sid:2010928; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda Domain in DNS Lookup (giga .gnisoft .com)"; dns.query; content:"giga.gnisoft.com"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; classtype:trojan-activity; sid:2035706; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010947; classtype:web-application-attack; sid:2010947; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deep Panda CnC Check-In"; flow:established,to_server; content:"CGKU"; fast_pattern; offset:16; depth:4; content:"MB|00 00|"; distance:128; within:4; content:"Win|20|"; distance:24; within:4; reference:url,www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits; reference:md5,0b991aca7e5124df471cf8fb9e301673; classtype:trojan-activity; sid:2035707; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010948; classtype:web-application-attack; sid:2010948; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Redirection 2022-03-14"; flow:established,to_client; http.stat_code; content:"302"; http.header; content:"location|3a 20|Alert.php|0d 0a|"; fast_pattern; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,07b9f93e06a83868a8b9ede2dff48346; classtype:credential-theft; sid:2035462; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_15, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010949; classtype:web-application-attack; sid:2010949; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.response_body; content:"Get-WMIObject"; startswith; content:"|24|miner_url"; distance:0; fast_pattern; content:"|24|miner_name"; distance:0; content:"|24|miner_cfg_url"; content:"|24|miner_cfg_path"; distance:0; reference:md5,6447bc87415b35532d9c8237a376ba70; classtype:trojan-activity; sid:2035695; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010950; classtype:web-application-attack; sid:2010950; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/WindowsDefender Bypass Download Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/kill.bat"; bsize:9; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.accept_enc; content:"gzip, deflate"; bsize:13; http.accept; content:"text/html"; startswith; reference:md5,a59277f422139a3c2341eee166eda629; classtype:trojan-activity; sid:2035696; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_hdflvplayer&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38691/; reference:url,doc.emergingthreats.net/2010951; classtype:web-application-attack; sid:2010951; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (imgyukle .com)"; dns.query; dotprefix; content:".imgyukle.com"; nocase; endswith; classtype:misc-activity; sid:2035697; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_jcollection&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11088; reference:url,doc.emergingthreats.net/2010942; classtype:web-application-attack; sid:2010942; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (imgyukle .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"imgyukle.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035698; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?option=com_ccnewsletter&"; nocase; content:"controller="; nocase; reference:bugtraq,37987; reference:url,doc.emergingthreats.net/2010989; classtype:web-application-attack; sid:2010989; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimag .com)"; dns.query; dotprefix; content:".resimag.com"; nocase; endswith; classtype:misc-activity; sid:2035699; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010990; classtype:web-application-attack; sid:2010990; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimag .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimag.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035700; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010991; classtype:web-application-attack; sid:2010991; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Image Hosting Domain (resimupload .org in TLS SNI)"; flow:established,to_server; tls.sni; content:"resimupload.org"; bsize:15; fast_pattern; classtype:misc-activity; sid:2035701; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010992; classtype:web-application-attack; sid:2010992; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Image Hosting Domain in DNS Lookup (resimupload .org)"; dns.query; dotprefix; content:".resimupload.org"; nocase; endswith; classtype:misc-activity; sid:2035702; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010993; classtype:web-application-attack; sid:2010993; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (win .mirtonewbacker .com)"; dns.query; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035708; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/components/com_sqlreport/ajax/print.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/38678/; reference:url,doc.emergingthreats.net/2010994; classtype:web-application-attack; sid:2010994; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (win .mirtonewbacker .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"win.mirtonewbacker.com"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035709; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010981; classtype:web-application-attack; sid:2010981; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (umpulumpu .ru)"; dns.query; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035710; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010982; classtype:web-application-attack; sid:2010982; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (umpulumpu .ru) in TLS SNI"; flow:established,to_server; tls.sni; content:"umpulumpu.ru"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035711; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010983; classtype:web-application-attack; sid:2010983; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (greenblguard .shop)"; dns.query; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035712; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010984; classtype:web-application-attack; sid:2010984; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (greenblguard .shop) in TLS SNI"; flow:established,to_server; tls.sni; content:"greenblguard.shop"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035713; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_quicknews&"; nocase; content:"&task=view_item"; nocase; content:"newsid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,37161; reference:url,doc.emergingthreats.net/2010985; classtype:web-application-attack; sid:2010985; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)"; dns.query; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035714; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_communitypolls&"; nocase; content:"controller="; nocase; reference:url,www.exploit-db.com/exploits/11511; reference:url,doc.emergingthreats.net/2010996; classtype:web-application-attack; sid:2010996; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed BlackGuard_v2 Domain (onetwostep .at) in TLS SNI"; flow:established,to_server; tls.sni; content:"onetwostep.at"; fast_pattern; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035715; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011001; classtype:web-application-attack; sid:2011001; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackGuard_v2 Data Exfiltration Observed"; flow:established,to_server; content:"POST"; content:"?user="; content:"&hwid="; distance:0; content:"&antivirus="; distance:0; content:"&os=Windows"; distance:0; content:"&passCount="; distance:0; content:"&coockieCount="; distance:0; fast_pattern; content:"&walletCount="; distance:0; content:"&telegramCount="; distance:0; content:"&vpnCount="; distance:0; content:"&ftpCount="; distance:0; content:"&country="; content:"multipart/form-data|3b 20|boundary="; distance:0; reference:url,www.zscaler.com/blogs/security-research/analysis-blackguard-new-info-stealer-malware-being-sold-russian-hacking; reference:url,blog.cyble.com/2022/04/01/dissecting-blackguard-info-stealer/; classtype:trojan-activity; sid:2035716; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_01, deployment SSLDecrypt, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_01;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011002; classtype:web-application-attack; sid:2011002; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NetGear R6700v3 upnpd Buffer Overflow Inbound (CVE-2022-27643)"; flow:to_server,established; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; nocase; content:"urn:NETGEARROUTER:service:ParentalControl:1#Authenticate"; fast_pattern; nocase; pcre:"/^SOAPAction\x3a\s?urn\x3aNETGEARROUTER\x3aservice\x3aParentalControl\x3a1#Authenticate/Hmi"; http.request_body; content:"<NewMACAddress>"; nocase; pcre:"/^[^<]{30,}<\/NewMACAddress>/Ri"; reference:url,blog.relyze.com/2022/03/cve-2022-27643-netgear-r6700v3-upnpd.html; reference:cve,2022-27643; classtype:attempted-admin; sid:2035717; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_03, cve CVE_2022_27643, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_03;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011003; classtype:web-application-attack; sid:2011003; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /async/newtab_ogb HTTP/1.1"; fast_pattern; http.header_names; content:"|0d 0a|Sec-Fetch-Site|0d 0a|Sec-Fetch-Mode|0d 0a|Sec-Fetch-Dest|0d 0a|"; content:!"Referer|0d 0a|"; http.cookie; content:"1P_JAR="; startswith; content:"NID="; distance:6; within:4; pcre:"/^[A-Za-z0-9\/_\-\+]{171}=$/R"; reference:md5,e98774bee4ed490089f6c63b6c676112; reference:url,blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/; classtype:trojan-activity; sid:2035653; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_30, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_03, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011004; classtype:web-application-attack; sid:2011004; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; fast_pattern; classtype:pup-activity; sid:2014286; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_02_28, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_rsgallery2&"; nocase; content:"catid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38009; reference:url,doc.emergingthreats.net/2011005; classtype:web-application-attack; sid:2011005; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,to_client; content:"ashburn@gmail.com"; fast_pattern; classtype:exploit-kit; sid:2015717; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_09_20, deployment Perimeter, former_category EXPLOIT_KIT, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011022; classtype:web-application-attack; sid:2011022; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M1"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; distance:0; content:".popen|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035718; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011023; classtype:web-application-attack; sid:2011023; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redis RCE Attempt - Dynamic Importing of liblua (CVE-2022-0543)"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035720; rev:2; metadata:affected_product Redis, created_at 2022_04_04, cve CVE_2022_0543, former_category EXPLOIT, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011024; classtype:web-application-attack; sid:2011024; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2"; flow:established,to_server; content:"package|2e|loadlib|28|"; fast_pattern; content:"liblua"; within:500; content:".execute|28|"; distance:0; reference:url,blogs.juniper.net/en-us/security/muhstik-gang-targets-redis-servers; reference:url,www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce; reference:cve,2022-0543; classtype:attempted-admin; sid:2035719; rev:2; metadata:affected_product Redis, attack_target Server, created_at 2022_04_04, cve CVE_2022_0543, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011025; classtype:web-application-attack; sid:2011025; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".modestoobgyn.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035721; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_blog&"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:bugtraq,38668; reference:url,exploit-db.com/exploits/11688; reference:url,doc.emergingthreats.net/2011026; classtype:web-application-attack; sid:2011026; rev:15; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".chyprediction.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035722; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_jcalpro/cal_popup.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt; reference:url,doc.emergingthreats.net/2011017; classtype:web-application-attack; sid:2011017; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".againcome.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035723; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_wgpicasa&"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/39467; reference:url,exploit-db.com/exploits/12230; reference:url,doc.emergingthreats.net/2011067; classtype:web-application-attack; sid:2011067; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".myshortbio.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035724; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011077; classtype:web-application-attack; sid:2011077; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".bestsecure2020.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035725; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011078; classtype:web-application-attack; sid:2011078; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".findoutcredit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035726; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011079; classtype:web-application-attack; sid:2011079; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".estetictrance.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035727; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011080; classtype:web-application-attack; sid:2011080; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to POWERPLANT Domain"; dns.query; dotprefix; content:".internethabit.com"; nocase; endswith; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035728; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_gbufacebook&"; nocase; content:"face_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/12299; reference:url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt; reference:url,doc.emergingthreats.net/2011081; classtype:web-application-attack; sid:2011081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (Query)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"UVVFUlk="; bsize:8; fast_pattern; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035729; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11845; reference:url,doc.emergingthreats.net/2011131; classtype:web-application-attack; sid:2011131; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/POWERPLANT CnC Exfil (INIT)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/gate?id="; startswith; http.request_body; content:"SU5JVA=="; depth:8; fast_pattern; content:"TWljcm9zb2Z0IFdpbmRvd3M"; distance:0; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,edb1f62230123abf88231fc1a7190b60; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035730; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/administrator/components/com_universal/includes/config/config.html.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/11865; reference:bugtraq,38949; reference:url,doc.emergingthreats.net/2011132; classtype:web-application-attack; sid:2011132; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (dumpor .com)"; dns.query; dotprefix; content:".dumpor.com"; nocase; endswith; classtype:misc-activity; sid:2035736; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009383; classtype:web-application-attack; sid:2009383; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (smihub .com)"; dns.query; dotprefix; content:".smihub.com"; nocase; endswith; classtype:misc-activity; sid:2035737; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/config.dadamail.php?"; nocase; content:"GLOBALS[mosConfig_absolute_path]="; nocase; pcre:"/GLOBALS\[mosConfig_absolute_path\]=\s*(ftps?|https?|php)\:\//i"; reference:url,secunia.com/advisories/32551; reference:bugtraq,32135; reference:url,www.exploit-db.com/exploits/7002/; reference:url,doc.emergingthreats.net/2009384; classtype:web-application-attack; sid:2009384; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Instagram Story Viewer Domain in DNS Lookup (greatfon .com)"; dns.query; dotprefix; content:".greatfon.com"; nocase; endswith; classtype:misc-activity; sid:2035738; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/com_ongumatimesheet20/lib/onguma.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(https?|ftps?|php)\:\//i"; reference:bugtraq,32095; reference:cve,CVE-2008-6347; reference:url,www.exploit-db.com/exploits/6976/; reference:url,doc.emergingthreats.net/2009391; classtype:web-application-attack; sid:2009391; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (dumpor .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"dumpor.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035739; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006760; classtype:web-application-attack; sid:2006760; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".incongruousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035731; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006761; classtype:web-application-attack; sid:2006761; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".fashionableeder.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035732; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006762; classtype:web-application-attack; sid:2006762; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (smihub .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"smihub.com"; bsize:10; fast_pattern; classtype:misc-activity; sid:2035740; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006763; classtype:web-application-attack; sid:2006763; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".electroncador.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035733; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006764; classtype:web-application-attack; sid:2006764; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to LOADOUT Domain"; dns.query; dotprefix; content:".spontaneousance.com"; nocase; endswith; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035734; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"category="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006765; classtype:web-application-attack; sid:2006765; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Instagram Story Viewer Domain (greatfon .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"greatfon.com"; bsize:12; fast_pattern; classtype:misc-activity; sid:2035741; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006766; classtype:web-application-attack; sid:2006766; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortener  Domain in DNS Lookup (lk .tc)"; dns.query; dotprefix; content:".lk.tc"; nocase; endswith; classtype:misc-activity; sid:2035742; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006767; classtype:web-application-attack; sid:2006767; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortener Domain (lk .tc in TLS SNI)"; flow:established,to_server; tls.sni; dotprefix; content:".lk.tc"; endswith; fast_pattern; classtype:misc-activity; sid:2035743; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, signature_severity Informational, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006768; classtype:web-application-attack; sid:2006768; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LOADOUT CnC Activity"; flow:to_server,established; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b 20|Win64|3b 20|x64|3b 20|rv:6.0) Gecko/20110101 Firefox/69.0"; http.header_names; content:"|0d 0a|content-type|0d 0a|"; content:"|0d 0a|user-agent|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; http.request_body; content:"yoyo="; depth:5; fast_pattern; reference:md5,4d56a1ca28d9427c440ec41b4969caa2; reference:url,mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_04, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_04;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006769; classtype:web-application-attack; sid:2006769; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"&user%5Bpassword%5D=123qweQWE%21%40%23"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035750; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006770; classtype:web-application-attack; sid:2006770; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Gitlab Login Attempt with hard-coded password (CVE-2022-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/sign_in"; http.request_body; content:"|26|user|5b|password|5d 3d|123qweQWE|21 40 23|"; fast_pattern; pcre:"/^0+(?:&|$)/R"; reference:url,about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/#static-passwords-inadvertently-set-during-omniauth-based-registration; reference:cve,2022-1162; classtype:attempted-user; sid:2035751; rev:1; metadata:attack_target Server, created_at 2022_04_05, cve CVE_2022_1162, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE"; flow:established,to_server; http.uri; content:"/search_listing.asp?"; nocase; content:"agent="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006771; classtype:web-application-attack; sid:2006771; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .com)"; dns.query; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035762; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006772; classtype:web-application-attack; sid:2006772; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .com) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.com"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035763; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006773; classtype:web-application-attack; sid:2006773; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain in DNS Lookup (splashtop .eu)"; dns.query; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035764; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006774; classtype:web-application-attack; sid:2006774; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Splashtop Domain (splashtop .eu) in TLS SNI"; flow:established,to_server; tls.sni; dotprefix; content:".splashtop.eu"; endswith; fast_pattern; reference:url,support-splashtopbusiness.splashtop.com/hc/en-us/articles/115001811966-What-are-the-Firewall-Exceptions-and-IP-addresses-of-Splashtop-servers-Services-; classtype:misc-activity; sid:2035765; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_05, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006775; classtype:web-application-attack; sid:2006775; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26210)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; http.request_body; content:"setUpgradeFW"; fast_pattern; content:"FileName|3a 20 3a|"; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26210; classtype:attempted-admin; sid:2035744; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26210, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006776; classtype:web-application-attack; sid:2006776; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-26186)"; flow:to_server,established; http.uri; content:"/cgi-bin/cstecgi.cgi?exportOvpn"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-26186; classtype:attempted-admin; sid:2035745; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_26186, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"property_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6342; reference:url,www.securityfocus.com/bid/21199; reference:url,doc.emergingthreats.net/2006777; classtype:web-application-attack; sid:2006777; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Totolink - Command Injection Attempt Inbound (CVE-2022-25075)"; flow:to_server,established; http.uri; content:"/cgi-bin/downloadFlile.cgi"; fast_pattern; content:"="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2022-25075; classtype:attempted-admin; sid:2035746; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2022_25075, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/adm/krgourl.php?"; nocase; content:"DOCUMENT_ROOT="; nocase; pcre:"/DOCUMENT_ROOT\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt; reference:url,doc.emergingthreats.net/2010475; classtype:web-application-attack; sid:2010475; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link - RCE Attempt Inbound (CVE-2021-45382)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ddns_check.ccp"; fast_pattern; http.request_body; content:"&ddnsHostName="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7c|\x24)/R"; reference:cve,2021-45382; classtype:attempted-admin; sid:2035747; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_05, cve CVE_2021_45382, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/customer.forumtopic.php?"; nocase; content:"forum_topic_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,2008-5590; reference:bugtraq,32672; reference:url,www.exploit-db.com/exploits/7368/; reference:url,doc.emergingthreats.net/2009198; classtype:web-application-attack; sid:2009198; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/Mirai Variant UA Inbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035748; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/linking.page.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,29205; reference:url,milw0rm.com/exploits/5611; reference:url,doc.emergingthreats.net/2009658; classtype:web-application-attack; sid:2009658; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET MALWARE ELF/Mirai Variant UA Outbound (b3astmode)"; flow:to_server,established; http.user_agent; content:"b3astmode"; fast_pattern; bsize:9; classtype:trojan-activity; sid:2035749; rev:1; metadata:affected_product Mac_OSX, affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004641; classtype:web-application-attack; sid:2004641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jsessid=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035692; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_01, deployment Perimeter, former_category MALWARE, malware_family Lazarus, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004642; classtype:web-application-attack; sid:2004642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Lazarus APT Related Backdoor Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".asp"; endswith; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.request_body; content:"jcookie=60d49d"; fast_pattern; content:"cookie="; http.header_names; content:!"Referer|0d 0a|"; reference:url,securelist.com/lazarus-trojanized-defi-app/106195/; reference:md5,0b9f4612cdfe763b3d8c8a956157474a; classtype:trojan-activity; sid:2035766; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004643; classtype:web-application-attack; sid:2004643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Proxy Domain in DNS Lookup (proxynet .io)"; dns.query; dotprefix; content:".proxynet.io"; nocase; endswith; classtype:misc-activity; sid:2035757; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004644; classtype:web-application-attack; sid:2004644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Proxy Domain (proxynet .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"proxynet.io"; bsize:11; fast_pattern; classtype:misc-activity; sid:2035758; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Informational, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004645; classtype:web-application-attack; sid:2004645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Agent.USB Variant CnC Activity"; flow:established,to_server; stream_size:server,<,5; content:"|2e d4 d6 19 57 d4 85 ba 0e 9d e5 56 fa 72 db af e5 17 e8 3e 3b 21 b7 26 fc 59 03 db d2 36 32 bb c3 c4 ab 7b 66 74 c4 68 ac 23 5b a3 fc e7 82 6a|"; offset:7; depth:48; reference:md5,c911d93b90bdef05be681a3b31c81679; reference:url,twitter.com/0xrb/status/1509396448387153920; classtype:trojan-activity; sid:2035752; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; reference:url,doc.emergingthreats.net/2004646; classtype:web-application-attack; sid:2004646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE MSIL/Unk.CoinMiner Downloader"; flow:to_client,established; http.content_type; content:"text/plain"; startswith; http.response_body; content:"Remove known miners by known process names"; content:"Write-Output|20 22|Miner Running|22|"; fast_pattern; reference:md5,6ae2d7ab6701bd9b46efe7f5d52b2c46; classtype:trojan-activity; sid:2035753; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/include/engine/content/elements/menu.php?"; nocase; content:"CONFIG[AdminPath]="; nocase; pcre:"/CONFIG\[AdminPath\]\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,osvdb.org/show/osvdb/57688; reference:url,doc.emergingthreats.net/2010197; classtype:web-application-attack; sid:2010197; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=thechinastyle.com"; bsize:20; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035754; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004979; classtype:web-application-attack; sid:2004979; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=divorceradio.com"; bsize:19; fast_pattern; reference:url,www.mandiant.com/resources/evolution-of-fin7; reference:md5,3985b60c6aba7cb38998e3f898fba79a; classtype:trojan-activity; sid:2035755; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004980; classtype:web-application-attack; sid:2004980; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE SSL/TLS Certificate Observed (FIN7 JSSLoader)"; flow:established,to_client; tls.cert_subject; content:"CN=physiciansofficenews.com"; bsize:27; fast_pattern; reference:md5,3985b60c6aba7cb38998e3f898fba79a; reference:url,www.mandiant.com/resources/evolution-of-fin7; classtype:trojan-activity; sid:2035756; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004981; classtype:web-application-attack; sid:2004981; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M1 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Bfrt4DSob5.ico"; fast_pattern; content:"|2e|php|22 20|enctype|3d 22|multipart|2f|form|2d|data|22|"; nocase; distance:0; content:"src|3d 22|poina|2e|png|22|"; distance:0; classtype:credential-theft; sid:2035759; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004982; classtype:web-application-attack; sid:2004982; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M2 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|inzo|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035760; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004983; classtype:web-application-attack; sid:2004983; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Generic Credential Phish Landing Page M3 2022-04-05"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"inzo"; content:"|3c|script|20|images|3d 22|JavaScript|22 3e|"; distance:0; content:"<!--"; distance:0; content:"window|2e|location|3d 22|cmzs|2e|html|22 3b|"; fast_pattern; distance:0; content:"// -->"; distance:0; content:"</script>"; distance:0; classtype:credential-theft; sid:2035761; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_05, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_05;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE"; flow:established,to_server; http.uri; content:"/forum.asp?"; nocase; content:"forumid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0826; reference:url,www.exploit-db.com/exploits/3278/; reference:url,doc.emergingthreats.net/2004984; classtype:web-application-attack; sid:2004984; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.pattern="; fast_pattern; classtype:attempted-admin; sid:2035674; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005796; classtype:web-application-attack; sid:2005796; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.suffix="; fast_pattern; classtype:attempted-admin; sid:2035675; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005797; classtype:web-application-attack; sid:2005797; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.directory="; fast_pattern; classtype:attempted-admin; sid:2035676; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005798; classtype:web-application-attack; sid:2005798; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965)"; flow:to_server,established; http.uri; content:"pipeline.first.prefix="; fast_pattern; classtype:attempted-admin; sid:2035677; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005799; classtype:web-application-attack; sid:2005799; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound (CVE-2022-22965)"; flow:to_server,established; http.request_body; content:"pipeline.first.pattern="; fast_pattern; content:"pipeline.first.suffix="; content:"pipeline.first.directory="; content:"pipeline.first.prefix="; classtype:attempted-admin; sid:2035678; rev:2; metadata:attack_target Server, created_at 2022_03_31, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005800; classtype:web-application-attack; sid:2005800; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Android Infostealer CnC Check-In"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/socket.io/?"; fast_pattern; startswith; content:"model="; content:"EIO="; content:"id="; content:"transport="; content:"release="; content:"manf="; reference:url,lab52.io/blog/complete-dissection-of-an-apk-with-a-suspicious-c2-server/; reference:md5,4f5617ec4668e3406f9bd82dfcf6df6b; classtype:command-and-control; sid:2035770; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE"; flow:established,to_server; http.uri; content:"/down.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0140; reference:url,www.securityfocus.com/bid/21889; reference:url,doc.emergingthreats.net/2005801; classtype:web-application-attack; sid:2005801; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain DNS Lookup (mail .spytector .com)"; dns.query; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035771; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005069; classtype:web-application-attack; sid:2005069; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spytector Domain (mail .spytector .com) in TLS SNI"; flow:established,to_server; tls.sni; content:"mail.spytector.com"; fast_pattern; reference:md5,1a72533d45c878cf4f35323e57c00887; classtype:trojan-activity; sid:2035772; rev:1; metadata:created_at 2022_04_06, former_category MALWARE, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005070; classtype:web-application-attack; sid:2005070; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Kaspov Related Hex In HTTP Accept Header"; flow:to_server,established; http.method; content:"GET"; http.accept; content:"|d1 69 4a cd 4f a4 77 44 bb 85 c3 6d 8d 4a 84 d6 86 a0 fa 1a af 8b d8 98 05 5e a0|"; startswith; fast_pattern; reference:md5,767370995ad5bdbcdaee2e3123cfe47c; classtype:bad-unknown; sid:2035768; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005071; classtype:web-application-attack; sid:2005071; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE APT28/Sednit SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=ngefqevwe"; fast_pattern; reference:md5,f7ee38ca49cd4ae35824ce5738b6e587; reference:url,www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf; classtype:targeted-activity; sid:2023423; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_10_25, deployment Perimeter, former_category MALWARE, malware_family APT28_Sednit, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005072; classtype:web-application-attack; sid:2005072; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-almasdar .com)"; dns.query; content:"akhbar-almasdar.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035773; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005073; classtype:web-application-attack; sid:2005073; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbar-islamyah .com)"; dns.query; content:"akhbar-islamyah.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035774; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE"; flow:established,to_server; http.uri; content:"/i-search.php?"; nocase; content:"itemid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0687; reference:url,www.exploit-db.com/exploits/3232/; reference:url,doc.emergingthreats.net/2005074; classtype:web-application-attack; sid:2005074; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (akhbarnew .com)"; dns.query; content:"akhbarnew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035775; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005973; classtype:web-application-attack; sid:2005973; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-nusr .net)"; dns.query; content:"al-nusr.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035776; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005974; classtype:web-application-attack; sid:2005974; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanews .net)"; dns.query; content:"al-taleanews.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035777; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005975; classtype:web-application-attack; sid:2005975; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al-taleanewsonline .net)"; dns.query; content:"al-taleanewsonline.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035778; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005976; classtype:web-application-attack; sid:2005976; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (al7erak247 .com)"; dns.query; content:"al7erak247.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035779; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005977; classtype:web-application-attack; sid:2005977; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO BrowseTor .onion Proxy Service SSL Cert"; flow:established,to_client; tls.cert_subject; content:"CN=*.browsetor.com"; fast_pattern; classtype:bad-unknown; sid:2018396; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_04_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE"; flow:established,to_server; http.uri; content:"/journal.php?"; nocase; content:"w="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6835; reference:url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded; reference:url,doc.emergingthreats.net/2005978; classtype:web-application-attack; sid:2005978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-#alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pegasus Domain in DNS Lookup (alrai .com)"; dns.query; content:"alrai.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035780; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, deprecation_reason False_Positive, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006315; classtype:web-application-attack; sid:2006315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (alrainew .com)"; dns.query; content:"alrainew.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035781; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006316; classtype:web-application-attack; sid:2006316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Hex Executable String"; flow:to_client,established; file_data; content:"4D5A"; content:"63616E6E6F74"; fast_pattern; distance:178; within:12; content:"72756E"; distance:8; within:6; content:"444F53"; distance:8; within:6; classtype:misc-activity; sid:2035769; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006317; classtype:web-application-attack; sid:2006317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup (arabia-islamion .com)"; dns.query; content:"arabia-islamion.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/; classtype:trojan-activity; sid:2035782; rev:1; metadata:attack_target Mobile_Client, created_at 2022_04_06, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006318; classtype:web-application-attack; sid:2006318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Suspicious Form with Action Value Equal to bit .ly"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<form"; content:"action=|22|http://bit.ly"; fast_pattern; distance:0; classtype:credential-theft; sid:2035767; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_06, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_06;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006319; classtype:web-application-attack; sid:2006319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"login-service.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035860; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6577; reference:url,www.securityfocus.com/bid/21366; reference:url,doc.emergingthreats.net/2006320; classtype:web-application-attack; sid:2006320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"rss-me.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035861; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004523; classtype:web-application-attack; sid:2004523; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"talabatt.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035862; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004524; classtype:web-application-attack; sid:2004524; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.hona-alrabe3.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035863; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004525; classtype:web-application-attack; sid:2004525; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"cozmo-store.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035864; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004526; classtype:web-application-attack; sid:2004526; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"www.al7eraknews.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035865; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004527; classtype:web-application-attack; sid:2004527; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"khilafah-islamic.com"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035866; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE"; flow:established,to_server; http.uri; content:"/guestbook.php?"; nocase; content:"country="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1302; reference:url,www.securityfocus.com/bid/22821; reference:url,doc.emergingthreats.net/2004528; classtype:web-application-attack; sid:2004528; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mobiles-security.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035867; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/include/unverified.inc.php?"; nocase; content:"template="; nocase; reference:bugtraq,27964; reference:url,juniper.net/security/auto/vulnerabilities/vuln27964.html; reference:url,www.exploit-db.com/exploits/5179/; reference:url,doc.emergingthreats.net/2009761; classtype:web-application-attack; sid:2009761; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"unsubscribe-now.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035868; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007294; classtype:web-application-attack; sid:2007294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pegasus Domain in DNS Lookup"; dns.query; content:"mangoutlet.net"; fast_pattern; reference:url,citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware; classtype:trojan-activity; sid:2035869; rev:2; metadata:attack_target Mobile_Client, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007295; classtype:web-application-attack; sid:2007295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in DNS Lookup)"; dns_query; content:"frances-thomas.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035783; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007296; classtype:web-application-attack; sid:2007296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (frances-thomas .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"frances-thomas.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035784; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007297; classtype:web-application-attack; sid:2007297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in DNS Lookup)"; dns_query; content:"scott-chapin.com"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035785; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007298; classtype:web-application-attack; sid:2007298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (scott-chapin .com in TLS SNI)"; flow:established,to_server; tls_sni; content:"scott-chapin.com"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035786; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007299; classtype:web-application-attack; sid:2007299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in DNS Lookup)"; dns_query; content:"linda-gaytan.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035787; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007300; classtype:web-application-attack; sid:2007300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (linda-gaytan .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"linda-gaytan.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035788; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007301; classtype:web-application-attack; sid:2007301; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in DNS Lookup)"; dns_query; content:"david-gardiner.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035789; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007302; classtype:web-application-attack; sid:2007302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (david-gardiner .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"david-gardiner.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035790; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007303; classtype:web-application-attack; sid:2007303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in DNS Lookup)"; dns_query; content:"amanda-hart.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035791; rev:2; metadata:created_at 2022_04_07, former_category MOBILE_MALWARE, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007304; classtype:web-application-attack; sid:2007304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (amanda-hart .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"amanda-hart.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035792; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007305; classtype:web-application-attack; sid:2007305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in DNS Lookup)"; dns_query; content:"javan-demsky.website"; isdataat:!1,relative; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035793; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007306; classtype:web-application-attack; sid:2007306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Spy APT-C-23 (javan-demsky .website in TLS SNI)"; flow:established,to_server; tls_sni; content:"javan-demsky.website"; isdataat:!1,relative; nocase; reference:url,www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials; classtype:trojan-activity; sid:2035794; rev:2; metadata:created_at 2022_04_07, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007307; classtype:web-application-attack; sid:2007307; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO URL Shortening Service Domain in DNS Lookup (s59 .site)"; dns.query; content:"s59.site"; fast_pattern; classtype:bad-unknown; sid:2035870; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007308; classtype:web-application-attack; sid:2007308; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ET INFO Observed URL Shortening Service Domain (s59 .site) in TLS SNI"; flow:established,to_server; tls.sni; content:"s59.site"; fast_pattern; classtype:misc-activity; sid:2035871; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007309; classtype:web-application-attack; sid:2007309; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .org)"; dns.query; dotprefix; content:".enerflex.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035804; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007310; classtype:web-application-attack; sid:2007310; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (supportskype .com)"; dns.query; dotprefix; content:".supportskype.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035805; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007311; classtype:web-application-attack; sid:2007311; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (alharbitelecom .co)"; dns.query; dotprefix; content:".alharbitelecom.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035806; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007312; classtype:web-application-attack; sid:2007312; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaupdate .co)"; dns.query; dotprefix; content:".cortanaupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035807; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007313; classtype:web-application-attack; sid:2007313; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cortanaservice .com)"; dns.query; dotprefix; content:".cortanaservice.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035808; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid INSERT"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007314; classtype:web-application-attack; sid:2007314; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (cloudgoogle .co)"; dns.query; dotprefix; content:".cloudgoogle.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035809; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007315; classtype:web-application-attack; sid:2007315; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedrivelive .me)"; dns.query; dotprefix; content:".onedrivelive.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035810; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007316; classtype:web-application-attack; sid:2007316; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (edge-cloudservices .com)"; dns.query; dotprefix; content:".edge-cloudservices.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035811; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/forgotpass.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007317; classtype:web-application-attack; sid:2007317; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-audible .com)"; dns.query; dotprefix; content:".online-audible.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035812; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007318; classtype:web-application-attack; sid:2007318; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedefender .net)"; dns.query; dotprefix; content:".updatedefender.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035813; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007319; classtype:web-application-attack; sid:2007319; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sparrowsgroup .org)"; dns.query; dotprefix; content:".sparrowsgroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035814; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007320; classtype:web-application-attack; sid:2007320; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (helpdesk-product .com)"; dns.query; dotprefix; content:".helpdesk-product.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035815; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007321; classtype:web-application-attack; sid:2007321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (defenderupdate .ddns .net)"; dns.query; dotprefix; content:".defenderupdate.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035816; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007322; classtype:web-application-attack; sid:2007322; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (enerflex .ddns .net)"; dns.query; dotprefix; content:".enerflex.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035817; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/update.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007323; classtype:web-application-attack; sid:2007323; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (linkedinz .me)"; dns.query; dotprefix; content:".linkedinz.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035818; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007324; classtype:web-application-attack; sid:2007324; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (khaleejtimes .co)"; dns.query; dotprefix; content:".khaleejtimes.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035819; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007325; classtype:web-application-attack; sid:2007325; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftdefender .info)"; dns.query; dotprefix; content:".microsoftdefender.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035820; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007326; classtype:web-application-attack; sid:2007326; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookde .live)"; dns.query; dotprefix; content:".outlookde.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035821; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007327; classtype:web-application-attack; sid:2007327; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (lukoil .in)"; dns.query; dotprefix; content:".lukoil.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035822; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007328; classtype:web-application-attack; sid:2007328; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (careers-finder .com)"; dns.query; dotprefix; content:".careers-finder.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035823; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/inout/status.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6161; reference:url,www.frsirt.com/english/advisories/2006/4704; reference:url,doc.emergingthreats.net/2007329; classtype:web-application-attack; sid:2007329; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (online-chess .live)"; dns.query; dotprefix; content:".online-chess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035824; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007330; classtype:web-application-attack; sid:2007330; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (exprogroup .org)"; dns.query; dotprefix; content:".exprogroup.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035825; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007331; classtype:web-application-attack; sid:2007331; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (saipem .org)"; dns.query; dotprefix; content:".saipem.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035826; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007332; classtype:web-application-attack; sid:2007332; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mastergatevpn .com)"; dns.query; dotprefix; content:".mastergatevpn.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035827; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id DELETE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007333; classtype:web-application-attack; sid:2007333; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sauditourismguide .com)"; dns.query; dotprefix; content:".sauditourismguide.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035828; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007334; classtype:web-application-attack; sid:2007334; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (listen-books .com)"; dns.query; dotprefix; content:".listen-books.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035829; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE"; flow:established,to_server; http.uri; content:"/details.asp?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6160; reference:url,www.milw0rm.com/exploits/2846; reference:url,doc.emergingthreats.net/2007335; classtype:web-application-attack; sid:2007335; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateservices .co)"; dns.query; dotprefix; content:".updateservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035830; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010023; classtype:web-application-attack; sid:2010023; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftcdn .co)"; dns.query; dotprefix; content:".microsoftcdn.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035831; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/locms/smarty.php?"; nocase; content:"cwd="; nocase; pcre:"/cwd=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9015/; reference:url,en.securitylab.ru/nvd/381880.php; reference:url,doc.emergingthreats.net/2010024; classtype:web-application-attack; sid:2010024; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (office-shop .me)"; dns.query; dotprefix; content:".office-shop.me"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035832; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006657; classtype:web-application-attack; sid:2006657; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (sharepointnotify .com)"; dns.query; dotprefix; content:".sharepointnotify.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035833; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006658; classtype:web-application-attack; sid:2006658; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (globaltalent .in)"; dns.query; dotprefix; content:".globaltalent.in"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035834; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006659; classtype:web-application-attack; sid:2006659; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (savemoneytrick .com)"; dns.query; dotprefix; content:".savemoneytrick.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035835; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006660; classtype:web-application-attack; sid:2006660; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Vidar Stealer CnC Domain in DNS Lookup"; dns.query; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035872; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006661; classtype:web-application-attack; sid:2006661; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (microsoftedgesh .info)"; dns.query; dotprefix; content:".microsoftedgesh.info"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035836; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE"; flow:established,to_server; http.uri; content:"/navigacija.php?"; nocase; content:"IDMeniGlavni="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006662; classtype:web-application-attack; sid:2006662; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (outlookdelivery .com)"; dns.query; dotprefix; content:".outlookdelivery.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035837; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006663; classtype:web-application-attack; sid:2006663; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (remgrogroup .com)"; dns.query; dotprefix; content:".remgrogroup.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035838; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006664; classtype:web-application-attack; sid:2006664; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (onedriveupdate .net)"; dns.query; dotprefix; content:".onedriveupdate.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035839; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006665; classtype:web-application-attack; sid:2006665; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Vidar Stealer Domain (computerprotect .me) in TLS SNI"; flow:established,to_server; tls.sni; content:"computerprotect.me"; fast_pattern; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035873; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006666; classtype:web-application-attack; sid:2006666; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .ddns .net)"; dns.query; dotprefix; content:".getadobe.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035840; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ASCII"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006667; classtype:web-application-attack; sid:2006667; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleservices .co)"; dns.query; dotprefix; content:".googleservices.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035841; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE"; flow:established,to_server; http.uri; content:"/prikazInformacije.php?"; nocase; content:"IDStranicaPodaci="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6387; reference:url,www.securityfocus.com/bid/21464; reference:url,doc.emergingthreats.net/2006668; classtype:web-application-attack; sid:2006668; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (librarycollection .org)"; dns.query; dotprefix; content:".librarycollection.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035842; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007362; classtype:web-application-attack; sid:2007362; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (freechess .live)"; dns.query; dotprefix; content:".freechess.live"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035843; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007364; classtype:web-application-attack; sid:2007364; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (elecresearch .org)"; dns.query; dotprefix; content:".elecresearch.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035844; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007363; classtype:web-application-attack; sid:2007363; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (applytalents .com)"; dns.query; dotprefix; content:".applytalents.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035845; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007365; classtype:web-application-attack; sid:2007365; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updateddns .ddns .net)"; dns.query; dotprefix; content:".updateddns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035846; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007366; classtype:web-application-attack; sid:2007366; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (mideasthiring .com)"; dns.query; dotprefix; content:".mideasthiring.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035847; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE"; flow:established,to_server; http.uri; content:"/linkslist.asp?"; nocase; content:"psearch="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007367; classtype:web-application-attack; sid:2007367; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (appslocallogin .online)"; dns.query; dotprefix; content:".appslocallogin.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035848; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007368; classtype:web-application-attack; sid:2007368; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (apply-jobs .com)"; dns.query; dotprefix; content:".apply-jobs.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035849; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007369; classtype:web-application-attack; sid:2007369; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (funnychess .online)"; dns.query; dotprefix; content:".funnychess.online"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035850; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007370; classtype:web-application-attack; sid:2007370; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talent-recruitment .org)"; dns.query; dotprefix; content:".talent-recruitment.org"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035851; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007371; classtype:web-application-attack; sid:2007371; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (googleupdate .co)"; dns.query; dotprefix; content:".googleupdate.co"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035852; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007372; classtype:web-application-attack; sid:2007372; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (updatedns .ddns .net)"; dns.query; dotprefix; content:".updatedns.ddns.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035853; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE"; flow:established,to_server; http.uri; content:"/search.asp?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6132; reference:url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded; reference:url,doc.emergingthreats.net/2007373; classtype:web-application-attack; sid:2007373; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (thefreemovies .net)"; dns.query; dotprefix; content:".thefreemovies.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035854; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/smallaxe-0.3.1/inc/linkbar.php?"; nocase; content:"cfile="; nocase; pcre:"/cfile\s*=\s*(https?|ftps?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/10676; reference:url,doc.emergingthreats.net/2011000; classtype:web-application-attack; sid:2011000; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (talktalky .azurewebsites .net)"; dns.query; dotprefix; content:".talktalky.azurewebsites.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035855; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lito Lite CMS cate.php cid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cate.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/7294/; reference:url,secunia.com/advisories/32910/; reference:url,doc.emergingthreats.net/2008927; classtype:web-application-attack; sid:2008927; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (etisalatonline .com)"; dns.query; dotprefix; content:".etisalatonline.com"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035856; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006473; classtype:web-application-attack; sid:2006473; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to TA455 Domain (getadobe .net)"; dns.query; dotprefix; content:".getadobe.net"; nocase; endswith; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2035857; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_07, deployment Perimeter, signature_severity Major, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006474; classtype:web-application-attack; sid:2006474; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Ordns DNS over HTTPS Domain (Ordns .he .net in TLS SNI)"; flow:established,to_server; threshold: type both, track by_src, count 1, seconds 600; tls.sni; content:"ordns.he.net"; endswith; reference:url,www.blackhillsinfosec.com/dns-over-https-for-cobalt-strike; classtype:misc-activity; sid:2035858; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006475; classtype:web-application-attack; sid:2006475; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Ordns DNS Over HTTPS Certificate Inbound"; flow:established,to_client; threshold: type limit, track by_src, count 1, seconds 300; tls.cert_subject; content:"CN=ordns.he.net"; endswith; fast_pattern; reference:url,developers.cloudflare.com/1.1.1.1/dns-over-https/request-structure/; classtype:misc-activity; sid:2035859; rev:2; metadata:created_at 2022_04_07, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_07;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006476; classtype:web-application-attack; sid:2006476; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".host.skybad.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035877; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006477; classtype:web-application-attack; sid:2006477; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Winnti Domain"; dns.query; dotprefix; content:".s2.yk.hyi8mc.top"; nocase; endswith; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035878; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, signature_severity Major, updated_at 2022_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE"; flow:established,to_server; http.uri; content:"/categoria.php?"; nocase; content:"cid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3293; reference:url,www.exploit-db.com/exploits/4082/; reference:url,doc.emergingthreats.net/2006478; classtype:web-application-attack; sid:2006478; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/Farfli.CUY CnC Server Response"; flow:established,to_client; content:"|68 78 20 10 00 00 00 01 00 00 00 01 00 00 00 11|"; dsize:16; startswith; fast_pattern; stream_size:server,=,17; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:command-and-control; sid:2035879; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, former_category MALWARE, signature_severity Major, tag c2, updated_at 2022_04_08, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005829; classtype:web-application-attack; sid:2005829; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY KeepAlive M2"; flow:established,to_server; content:"|68 78 20 cf 01 00 00 c0 01 00 00 01 00 00 00 cb|"; startswith; fast_pattern; stream_size:client,>,200; reference:md5,87100cb600d876bd022a4d93ce6305a0; classtype:command-and-control; sid:2035880; rev:2; metadata:created_at 2022_04_08, updated_at 2022_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005830; classtype:web-application-attack; sid:2005830; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"; nocase; fast_pattern; content:"%6e%65%77%28%29"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035876; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005831; classtype:web-application-attack; sid:2005831; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035875; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005832; classtype:web-application-attack; sid:2005832; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; content:"|24 7b 22|freemarker|2e|template|2e|utility|2e|Execute|22|"; distance:0; nocase; fast_pattern; content:"new|28 29 28|"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035874; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_08;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII"; flow:established,to_server; http.uri; content:"/main.asp?"; nocase; content:"subcatID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0129; reference:url,www.exploit-db.com/exploits/3073/; reference:url,doc.emergingthreats.net/2005833; classtype:web-application-attack; sid:2005833; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Havex RAT CnC Server Response HTML Tag"; flow:established,from_server; http.header; content:!"Keep-Alive|3a 20|"; nocase; content:!"Conncection|3a 20|Keep-Alive"; nocase; file_data; content:"|3c|mega http|2d|equiv|3d|"; fast_pattern; content:"|3c 2f|head|3e 3c|body|3e|"; within:200; reference:md5,6557d6518c3f6bcb8b1b2de77165c962; classtype:command-and-control; sid:2018244; rev:5; metadata:created_at 2014_03_11, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt"; flow:established,to_server; http.uri; content:"pathToIndex="; nocase; content:".php?"; nocase; pcre:"/\.php(\?|.*\x26)pathToIndex=(https?|ftps?)\:\/\/[^\x26\x3B]+\?\?/i"; reference:url,www.exploit-db.com/exploits/9729/; reference:url,doc.emergingthreats.net/2010530; classtype:web-application-attack; sid:2010530; rev:8; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Self-Signed Cert Observed in Various Zbot Strains"; flow:established,to_client; tls.cert_subject; content:"O=XX"; fast_pattern; tls.cert_issuer; content:"O=XX"; reference:md5,00e7afce84c84cd70fe329d8bb8c0731; classtype:trojan-activity; sid:2018284; rev:4; metadata:created_at 2014_03_17, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006321; classtype:web-application-attack; sid:2006321; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/resolve?name=gw.denonia.xyz&type=A"; bsize:35; endswith; fast_pattern; http.host; content:"dns.google.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035891; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006322; classtype:web-application-attack; sid:2006322; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Denonia DNS Request Over HTTPS (denonia .xyz) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns-query?name=gw.denonia.xyz&type=A"; bsize:37; endswith; fast_pattern; http.host; content:"cloudflare-dns.com"; http.user_agent; content:"GoKit XHTTP Client"; startswith; http.accept; content:"application/dns-json"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|X-Http-Gokit-Requestid|0d 0a|"; reference:url,cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda; classtype:trojan-activity; sid:2035886; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006323; classtype:web-application-attack; sid:2006323; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via TCP (CVE-2022-0778)"; flow:established,to_server; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035887; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006324; classtype:web-application-attack; sid:2006324; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert udp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible OpenSSL Infinite Loop Inducing Cert Inbound via UDP (CVE-2022-0778)"; content:"|30 82|"; content:"|30 0a 06 08 2a 86 48 ce 3d 04 03|"; distance:0; content:"|2a 86 48 ce 3d 01 01 02 02 02 b9|"; distance:0; fast_pattern; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 17|"; within:36; content:"|20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:36; content:"|04 03|"; distance:23; within:2; content:"|00 08|"; distance:1; within:2; reference:url,www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/; reference:url,github.com/drago-96/CVE-2022-0778/; reference:cve,2022-0778; classtype:denial-of-service; sid:2035888; rev:2; metadata:affected_product OpenSSL, attack_target Server, created_at 2022_04_11, cve CVE_2022_0778, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006325; classtype:web-application-attack; sid:2006325; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Commonly Abused Domain in DNS Lookup (blogattach .naver .com)"; dns.query; content:"blogattach.naver.com"; nocase; bsize:20; classtype:bad-unknown; sid:2035889; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE"; flow:established,to_server; http.uri; content:"/ProductDetails.asp?"; nocase; content:"PID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6559; reference:url,www.exploit-db.com/exploits/2908/; reference:url,doc.emergingthreats.net/2006326; classtype:web-application-attack; sid:2006326; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Commonly Abused Domain (blogattach .naver .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"blogattach.naver.com"; bsize:20; fast_pattern; classtype:bad-unknown; sid:2035890; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_11, deployment Perimeter, signature_severity Major, updated_at 2022_04_11;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/profiles/html/simpleSearch.do?name="; nocase; pcre:"/name=.+(IMG|SCRIPT|SRC|onkey|onmouse|onload)/i"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022945.html; reference:url,doc.emergingthreats.net/2009990; classtype:web-application-attack; sid:2009990; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ACMS/"; pcre:"/[a-zA-Z0-9]{8}\//UR"; content:"blockchainTemplate"; fast_pattern; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035902; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004961; classtype:web-application-attack; sid:2004961; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Win32/TrojanDownloader.Agent.GEM Domain"; dns.query; dotprefix; content:".naveicoip"; pcre:"/^[a-z]\.(?:tech|online)$/R"; reference:md5,ecd47e596048ad1af9973a21af303465; reference:url,twitter.com/jaydinbas/status/1506987283630768138; classtype:trojan-activity; sid:2035604; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004962; classtype:web-application-attack; sid:2004962; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Colibri Loader Domain in DNS Lookup (securetunnel .co)"; dns.query; dotprefix; content:".securetunnel.co"; nocase; endswith; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/; classtype:trojan-activity; sid:2035899; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, signature_severity Major, updated_at 2022_04_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004963; classtype:web-application-attack; sid:2004963; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible NGINX Reference LDAP Query Injection Attack"; flow:established,to_server; http.header; content:"|0d 0a|X-Ldap-Template|3a 20|"; fast_pattern; nocase; content:"|28 7c|"; distance:0; within:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/nginxinc/nginx-ldap-auth/issues/93; classtype:attempted-admin; sid:2035897; rev:2; metadata:attack_target Web_Server, created_at 2022_04_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004964; classtype:web-application-attack; sid:2004964; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Farfli.CUY Downloader"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/xghk.exe"; bsize:9; endswith; fast_pattern; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/W"; http.header_names; content:!"Referer"; reference:md5,c99397d66e49e2def1b17f57cd0c5fb9; classtype:trojan-activity; sid:2035900; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_12;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004965; classtype:web-application-attack; sid:2004965; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snatch Ransomware Checkin (POST)"; flow:established,to_server; http.request_line; content:"POST /news HTTP/1.1"; fast_pattern; http.request_body; content:"|22|pid|22 3a|"; content:"|22|host|22 3a|"; distance:0; content:"|22|type|22 3a|"; distance:0; content:"|22|username|22 3a|"; distance:0; reference:md5,5a9ae5f51c41f2de4f3eca94ddb4ccfd; classtype:trojan-activity; sid:2035898; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE"; flow:established,to_server; http.uri; content:"/comments.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0865; reference:url,www.exploit-db.com/exploits/3287/; reference:url,doc.emergingthreats.net/2004966; classtype:web-application-attack; sid:2004966; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (mail .igov-service .net)"; dns.query; content:"mail.igov-service.net"; nocase; bsize:21; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035914; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004967; classtype:web-application-attack; sid:2004967; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".js"; endswith; http.cookie; content:"Version=defaultSession-Id="; startswith; fast_pattern; pcre:"/^[a-zA-Z0-9-_]{171}$/R"; http.user_agent; content:!"Android"; content:!"Linux"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:trojan-activity; sid:2035915; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004968; classtype:web-application-attack; sid:2004968; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Cobalt Strike Related Domain (mail .igov-service .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"mail.igov-service.net"; bsize:21; fast_pattern; reference:md5,199369f6b6eba1147d7e1bca208d6dab; classtype:domain-c2; sid:2035916; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004969; classtype:web-application-attack; sid:2004969; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (ebook .port25 .biz)"; dns.query; content:"ebook.port25.biz"; nocase; bsize:16; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,bb505ef946a80d9d0ff64923a6ca79d9; classtype:domain-c2; sid:2035912; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004970; classtype:web-application-attack; sid:2004970; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Scarab APT - HeaderTip CnC Domain in DNS Lookup (mert .my03 .com)"; dns.query; content:"mert.my03.com"; nocase; bsize:13; reference:url,www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/; reference:md5,acd062593f70c00e310c47a3e7873df4; classtype:domain-c2; sid:2035913; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family HeaderTip, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004971; classtype:web-application-attack; sid:2004971; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.GEM Maldoc Remote Template Request M1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ACMS/"; fast_pattern; content:"?"; distance:16; within:10; pcre:"/[a-z0-9]{8}\/.*\?[a-z0-9]{3,10}=[a-z0-9]{8,11}$/Ui"; reference:url,mp.weixin.qq.com/s/kcIaoB8Yta1zI6Py-uxupA; classtype:trojan-activity; sid:2035901; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_04_12, deployment Perimeter, former_category MALWARE, malware_family Lazarus, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE"; flow:established,to_server; http.uri; content:"/register.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0864; reference:url,www.exploit-db.com/exploits/3288/; reference:url,doc.emergingthreats.net/2004972; classtype:web-application-attack; sid:2004972; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (showsvc .com)"; dns.query; dotprefix; content:".showsvc.com"; nocase; endswith; classtype:trojan-activity; sid:2035918; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005511; classtype:web-application-attack; sid:2005511; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (wicommerece .com)"; dns.query; dotprefix; content:".wicommerece.com"; nocase; endswith; classtype:trojan-activity; sid:2035919; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005512; classtype:web-application-attack; sid:2005512; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (upservicemc .com)"; dns.query; dotprefix; content:".upservicemc.com"; nocase; endswith; classtype:trojan-activity; sid:2035920; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005514; classtype:web-application-attack; sid:2005514; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (netpixelds .com)"; dns.query; dotprefix; content:".netpixelds.com"; nocase; endswith; classtype:trojan-activity; sid:2035921; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005515; classtype:web-application-attack; sid:2005515; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (allmyad .com)"; dns.query; dotprefix; content:".allmyad.com"; nocase; endswith; classtype:trojan-activity; sid:2035922; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005516; classtype:web-application-attack; sid:2005516; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (ananoka .com)"; dns.query; dotprefix; content:".ananoka.com"; nocase; endswith; classtype:trojan-activity; sid:2035923; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE"; flow:established,to_server; http.uri; content:"/email.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0354; reference:url,www.milw0rm.com/exploits/3141; reference:url,doc.emergingthreats.net/2005517; classtype:web-application-attack; sid:2005517; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (gvgnci .com)"; dns.query; dotprefix; content:".gvgnci.com"; nocase; endswith; classtype:trojan-activity; sid:2035924; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006225; classtype:web-application-attack; sid:2006225; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (msfbckupsc .com)"; dns.query; dotprefix; content:".msfbckupsc.com"; nocase; endswith; classtype:trojan-activity; sid:2035925; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006226; classtype:web-application-attack; sid:2006226; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (polanicia .com)"; dns.query; dotprefix; content:".polanicia.com"; nocase; endswith; classtype:trojan-activity; sid:2035926; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006227; classtype:web-application-attack; sid:2006227; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (informaxima .org)"; dns.query; dotprefix; content:".informaxima.org"; nocase; endswith; classtype:trojan-activity; sid:2035927; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006228; classtype:web-application-attack; sid:2006228; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (worldchangeos .com)"; dns.query; dotprefix; content:".worldchangeos.com"; nocase; endswith; classtype:trojan-activity; sid:2035928; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006229; classtype:web-application-attack; sid:2006229; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (liongracem .com)"; dns.query; dotprefix; content:".liongracem.com"; nocase; endswith; classtype:trojan-activity; sid:2035929; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE"; flow:established,to_server; http.uri; content:"/detail.asp?"; nocase; content:"p="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006230; classtype:web-application-attack; sid:2006230; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (jmarrycs .com)"; dns.query; dotprefix; content:".jmarrycs.com"; nocase; endswith; classtype:trojan-activity; sid:2035930; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006231; classtype:web-application-attack; sid:2006231; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DeathStalker/EvilNum Delivery Domain in DNS Lookup (am-reader .com)"; dns.query; dotprefix; content:".am-reader.com"; nocase; endswith; classtype:trojan-activity; sid:2035931; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, malware_family EvilNum, malware_family DeathStalker, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006232; classtype:web-application-attack; sid:2006232; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Checkin"; flow:established,to_server; dsize:5; content:"|ee 00 00 11 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035939; rev:1; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006233; classtype:web-application-attack; sid:2006233; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M1 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"vic_browser=n%2Fa&vic_os=n%2Fa&vic_screen=n%2Fa&vic_lang=n%2Fa&vic_flash=n%2Fa&vic_java=n%2Fa&vic_mime=n%2Fa&vic_plugins=n%2Fa&vic_fonts=n%2Fa"; depth:142; fast_pattern; content:"=Submit&login_name="; distance:0; content:"&pin="; distance:0; classtype:credential-theft; sid:2035933; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006234; classtype:web-application-attack; sid:2006234; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Sparkasse Credential Phish M2 2022-04-13"; flow:established,to_server; flowbits:set,ET.sparkassephishlanding; http.method; content:"POST"; http.uri; content:"Code?sslchannel=true&sessionid="; depth:32; http.request_body; content:"=Submit&old_sortcode="; fast_pattern; classtype:credential-theft; sid:2035934; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006235; classtype:web-application-attack; sid:2006235; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M1 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035935; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"l="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006236; classtype:web-application-attack; sid:2006236; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M2 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"type=|22|password|22|"; distance:0; content:"window.screen.availWidth"; distance:0; content:"window.screen.availHeight"; within:40; content:"jscd.browser"; distance:0; content:"jscd.browserMajorVersion"; within:45; content:"jscd.browserVersion"; within:45; content:"jscd.os"; distance:0; content:"jscd.osVersion"; within:30; content:"jscd.screen"; distance:0; content:"avail_res"; within:50; content:"screen.colorDepth"; within:40; content:"screen.deviceXDPI"; within:45; content:"screen.deviceYDPI"; within:45; content:"language"; distance:0; content:"jscd|2e|flashVersion|3b|"; distance:0; content:"navigator.javaEnabled()"; distance:0; content:"mime"; distance:0; content:"plugins"; distance:0; content:"listFonts().join(',')"; distance:0; classtype:credential-theft; sid:2035936; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012065; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M3 2022-04-13"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Code?sslchannel=true&sessionid="; fast_pattern; content:"vic_browser"; distance:0; content:"vic_os"; distance:0; content:"vic_lang"; distance:0; content:"vic_flash"; distance:0; content:"vic_java"; distance:0; content:"vic_mime"; distance:0; content:"vic_plugins"; distance:0; content:"vic_fonts"; distance:0; content:"type=|22|password|22|"; distance:0; classtype:credential-theft; sid:2035937; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/indexlight.php?"; nocase; content:"page=export"; nocase; content:"type=single"; nocase; content:"format=RIS"; nocase; content:"ID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/42463/; reference:url,securityreason.com/securityalert/7955; classtype:web-application-attack; sid:2012066; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Sparkasse Credential Phish Landing Page M4 2022-04-13"; flow:established,to_client; flowbits:isset,ET.sparkassephishlanding; http.stat_code; content:"200"; file.data; content:"type|3d 22|tel|22|"; distance:0; content:"Personal?sslchannel=true&sessionid="; fast_pattern; content:"sortcode"; classtype:credential-theft; sid:2035938; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/auktion/auktion_text.php?"; nocase; content:"id_auk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/12005/; classtype:web-application-attack; sid:2012068; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (ifn1h8ag1g .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"ifn1h8ag1g.com"; bsize:14; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035905; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"..%2f"; depth:200; http.method; content:"GET"; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; reference:url,exploit-db.com/exploits/15736/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012069; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (s22231232fdnsjds .top in TLS SNI)"; flow:established,to_server; tls.sni; content:"s22231232fdnsjds.top"; bsize:20; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035906; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/upgrade_unattended.php?"; nocase; content:"db_type="; nocase; pcre:"/db_type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/15735/; reference:url,secunia.com/advisories/42597/; classtype:web-application-attack; sid:2012070; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (equisdeperson .space in TLS SNI)"; flow:established,to_server; tls.sni; content:"equisdeperson.space"; bsize:19; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035907; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/session.cgi?"; nocase; content:"sid="; nocase; content:"app=urchin.cgi"; nocase; content:"action=prop"; nocase; content:"rid="; nocase; content:"n="; nocase; content:"vid="; nocase; content:"dtc="; nocase; content:"cmd="; nocase; content:"gfid="; nocase; reference:url,exploit-db.com/exploits/15737/; classtype:web-application-attack; sid:2012071; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android ExobotCompact.D/Octo Domain (xipxesip .design in TLS SNI)"; flow:established,to_server; tls.sni; content:"xipxesip.design"; bsize:15; fast_pattern; reference:url,www.threatfabric.com/blogs/octo-new-odf-banking-trojan.html; classtype:command-and-control; sid:2035908; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/wp-safe-search/wp-safe-search-jx.php?"; nocase; content:"v1="; nocase; pcre:"/v1\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,secunia.com/advisories/42544; classtype:web-application-attack; sid:2012072; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_12_18, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Malicious User-Agent (FastInvoice)"; flow:established,to_server; http.user_agent; content:"FastInvoice"; bsize:11; startswith; fast_pattern; reference:md5,42218b0ce7fc47f80aa239d4f9e000a1; classtype:bad-unknown; sid:2035932; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category USER_AGENTS, signature_severity Minor, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006237; classtype:web-application-attack; sid:2006237; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TransparentTribe APT Related Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"@"; content:".php"; endswith; http.user_agent; content:"Python-urllib/"; startswith; http.request_body; content:".exe|25|"; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,f9d7e0af85fd918dd5daf1b50bf649f6; reference:md5,68d73d596a7103e517967f7f4e22cecb; reference:url,blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html; classtype:trojan-activity; sid:2035917; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family TransparentTribe, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006238; classtype:web-application-attack; sid:2006238; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Android/SpyLoan.9ef8bf95 Domain (api .dreamloan .cc in TLS SNI)"; flow:established,to_server; tls.sni; content:"api.dreamloan.cc"; bsize:16; fast_pattern; reference:md5,5038f1ae69db7682e99c04947fa467aa; classtype:command-and-control; sid:2035909; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006239; classtype:web-application-attack; sid:2006239; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"fserverone.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035944; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006240; classtype:web-application-attack; sid:2006240; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed DNS Query to VBS/Agent.PUK Domain"; dns.query; content:"cmaildowninvoice.webcindario.com"; fast_pattern; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035945; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006241; classtype:web-application-attack; sid:2006241; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=error"; fast_pattern; content:"Sand="; content:"Data="; content:"Em="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035946; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"typ="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006242; classtype:web-application-attack; sid:2006242; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Observed Trojan-Spy.AndroidOS.Agent.abe Domain in TLS SNI"; flow:established,to_server; tls.sni; content:"5iw68rugwfcir37uj8z3r6rfaxwd8g8cdcfcqw62.de"; bsize:43; fast_pattern; reference:md5,ad6f124d00ca05f2a19b5215b85e25a8; classtype:command-and-control; sid:2035910; rev:1; metadata:created_at 2022_04_13, former_category MOBILE_MALWARE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006243; classtype:web-application-attack; sid:2006243; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VBS/Agent.PUK Data Exfiltration Request M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; content:"Cache=fail"; fast_pattern; content:"Sand="; reference:url,hasec.ahnlab.com/ko/33141/; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:md5,e49e41a810730f4bf3d43178e4c84ee5; classtype:trojan-activity; sid:2035947; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006244; classtype:web-application-attack; sid:2006244; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET HUNTING FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a 5c|WINDOWS|5c|system32|5c|"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:7; metadata:created_at 2010_07_30, former_category ATTACK_RESPONSE, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006245; classtype:web-application-attack; sid:2006245; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp any any -> $HOME_NET 445 (msg:"ET POLICY SMB NT Create AndX Request For an Executable File In a Temp Directory"; flow:established,to_server; content:"SMB|A2|"; depth:9; content:"temp|5c|"; nocase; distance:0; content:"|2E|exe|00|"; nocase; distance:0; classtype:bad-unknown; sid:2025702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Client, created_at 2018_07_16, deployment Internal, former_category POLICY, signature_severity Minor, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006246; classtype:web-application-attack; sid:2006246; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".webm"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,af944c93405d60adc350f94e24a3d5a1; reference:url,twitter.com/souiten/status/1511552820863852544; classtype:trojan-activity; sid:2036210; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_13;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006247; classtype:web-application-attack; sid:2006247; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious VBS Sending System Information (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Cache=error&Sand="; startswith; fast_pattern; content:"&Data="; distance:0; content:"&Em="; distance:50; http.header_names; content:!"Referer|0d 0a|"; reference:md5,ab97956fec732676ecfcedf55efadcbc; reference:url,asec.ahnlab.com/ko/33141/; classtype:trojan-activity; sid:2036211; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE"; flow:established,to_server; http.uri; content:"/listings.asp?"; nocase; content:"loc="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6709; reference:url,www.securityfocus.com/bid/21073; reference:url,doc.emergingthreats.net/2006248; classtype:web-application-attack; sid:2006248; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Grafana 8.x Path Traversal (CVE-2021-43798)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/public/plugins/"; fast_pattern; content:"|2f 2e 2e 2f|"; distance:0; within:40; reference:url,github.com/grafana/grafana/security/advisories/GHSA-8pjx-jj86-j47p; classtype:attempted-admin; sid:2034629; rev:2; metadata:attack_target Server, created_at 2021_12_07, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/reflect_base=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008897; classtype:web-application-attack; sid:2008897; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE EvilNominatus Ransomware Related Domain in DNS Lookup"; dns.query; content:"i-love-evilnominatuscrypt.000webhostapp.com"; nocase; bsize:43; reference:url,www.clearskysec.com/wp-content/uploads/2022/04/EvilNominatus_Ransomware_7.4.22.pdf; classtype:domain-c2; sid:2036212; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, signature_severity Major, tag Ransomware, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/snippet.reflect.php?"; nocase; content:"reflect_base="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.exploit-db.com/exploits/7204/; reference:url,secunia.com/advisories/32824/; reference:url,doc.emergingthreats.net/2008898; classtype:web-application-attack; sid:2008898; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/seized.xml"; endswith; fast_pattern; http.user_agent; content:!"Linux"; content:!"Android"; http.header_names; content:!"Referer|0d 0a|"; http.host; content:".ru"; endswith; reference:md5,d6fe6243a9b4293db6384f22524ff709; reference:url,cert.gov.ua/article/39386; classtype:trojan-activity; sid:2036213; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/getid3.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011062; classtype:web-application-attack; sid:2011062; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET INFO Empty POST with Terse Headers Over Non Standard Port"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:26; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.content_len; byte_test:0,=,0,0,string,dec; reference:url,twitter.com/3xp0rtblog/status/1509267848958562305; reference:md5,52a46f058ec6b726fe2829a590a15155; classtype:bad-unknown; sid:2036225; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category INFO, performance_impact Moderate, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/velid3/module.archive.gzip.php?"; nocase; content:"determined_format[include]="; nocase; pcre:"/determined_format\[include\]=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12219; reference:url,doc.emergingthreats.net/2011063; classtype:web-application-attack; sid:2011063; rev:6; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; content:"%3B%"; distance:0; within:5; nocase; reference:cve,2020-17456; classtype:attempted-admin; sid:2035950; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2020_17456, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004427; classtype:web-application-attack; sid:2004427; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2020-17456; classtype:attempted-admin; sid:2035951; rev:1; metadata:created_at 2022_04_14, cve CVE_2020_17456, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004428; classtype:web-application-attack; sid:2004428; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130 RCE Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; http.request_body; content:"&queriesCnt="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; classtype:attempted-admin; sid:2035952; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004429; classtype:web-application-attack; sid:2004429; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DWR Command Injection Inbound (CVE-2018-10823)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/chkisg.htm"; content:"%3FSip%"; fast_pattern; nocase; distance:0; content:"%7C"; nocase; distance:0; reference:cve,2018-10823; classtype:attempted-admin; sid:2035953; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2018_10823, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004430; classtype:web-application-attack; sid:2004430; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT iRZ Mobile Router RCE Inbound M1 (CVE-2022-27226)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/crontab"; fast_pattern; http.request_body; content:"|22|tasks|22 3a|"; content:"|22|command|22 3a|"; reference:cve,2022-27226; classtype:attempted-admin; sid:2035954; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2022_27226, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004431; classtype:web-application-attack; sid:2004431; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - Command Injection Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|exec|22|,|7b 22|command|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50865; classtype:attempted-admin; sid:2035955; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/moscomment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004432; classtype:web-application-attack; sid:2004432; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Razer Sila Router - LFI Attempt Inbound (No CVE)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ubus/"; http.request_body; content:"|22|read|22|,|7b 22|path|22 3a 22|"; reference:url,www.exploit-db.com/exploits/50864; classtype:attempted-admin; sid:2035956; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_04_14, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004433; classtype:web-application-attack; sid:2004433; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"details="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035958; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004434; classtype:web-application-attack; sid:2004434; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Requesting Commands"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; http.request_body; content:"news="; content:"&request_for_read="; fast_pattern; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035959; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004435; classtype:web-application-attack; sid:2004435; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Submitting Data to CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.user_agent; content:"Go-http-client/"; http.header; content:"auth_token=|22|XXXXXXX|22|"; fast_pattern; http.request_body; content:"answer="; content:"&cid="; content:"&news="; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:trojan-activity; sid:2035960; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004436; classtype:web-application-attack; sid:2004436; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Gamaredon APT Related Malicious Shortcut Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/favicon.ico"; endswith; http.host; content:"military-ukraine."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:md5,c0d3a0ab9b47ab9bc81cf5d831053431; reference:md5,7b20e3ac2a4ebf507f6c8358245d5db5; classtype:trojan-activity; sid:2036214; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004437; classtype:web-application-attack; sid:2004437; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supership .dynv6 .net)"; dns.query; content:"supership.dynv6.net"; nocase; bsize:19; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036216; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE"; flow:established,to_server; http.uri; content:"/com_comment.php?"; nocase; content:"mcname="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7150; reference:url,www.securityfocus.com/bid/20650; reference:url,doc.emergingthreats.net/2004438; classtype:web-application-attack; sid:2004438; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (greatsong .soundcast .me)"; dns.query; content:"greatsong.soundcast.me"; nocase; bsize:22; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036217; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004766; classtype:web-application-attack; sid:2004766; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to ShadowPad Domain (supermarket .ownip .net)"; dns.query; content:"supermarket.ownip.net"; nocase; bsize:21; reference:url,otx.alienvault.com/pulse/624ff0af271429d152b5a27e; classtype:trojan-activity; sid:2036218; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, malware_family ShadowPad, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004767; classtype:web-application-attack; sid:2004767; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|25 7b|"; content:".exec|28|"; distance:0; fast_pattern; content:"|29 7d|"; distance:0; reference:url,github.com/CyborgSecurity/CVE-2020-17530; reference:cve,2020-17530; classtype:attempted-admin; sid:2033408; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_17530, former_category WEB_SPECIFIC_APPS, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004768; classtype:web-application-attack; sid:2004768; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba Lure (Package Delivery)"; flow:established,to_client; content:"|82|"; startswith; content:"jsonrpc"; distance:5; within:8; content:"Your parcel has been sent out.Please check and accept it. http"; fast_pattern; reference:url,team-cymru.com/blog/2022/04/07/moqhao-part-2-continued-european-expansion; classtype:trojan-activity; sid:2036215; rev:2; metadata:affected_product Android, attack_target Mobile_Client, created_at 2022_04_14, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004769; classtype:web-application-attack; sid:2004769; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.longmusic .com Domain"; flow:established,to_server; http.host; content:".longmusic.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035961; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004770; classtype:web-application-attack; sid:2004770; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.longmusic .com Domain"; dns.query; content:".longmusic.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035962; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE"; flow:established,to_server; http.uri; content:"/includes/mambo.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7092; reference:url,www.securityfocus.com/bid/20413; reference:url,doc.emergingthreats.net/2004771; classtype:web-application-attack; sid:2004771; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035963; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt"; flow:established,to_server; http.uri; content:"/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?"; nocase; content:"Command=FileUpload"; nocase; content:"/configuration.php"; nocase; content:"CurrentFolder="; nocase; reference:url,www.securityfocus.com/bid/27472/info; reference:url,doc.emergingthreats.net/2009937; classtype:web-application-attack; sid:2009937; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035964; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_viewfulllisting"; nocase; content:"listing_id="; nocase; pcre:"/(\?|&)listing_id=[^\x26\x3B]*[^\d\x2D]/i"; reference:url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt; reference:url,doc.emergingthreats.net/2010605; classtype:web-application-attack; sid:2010605; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zzux .com Domain"; flow:established,to_server; http.host; content:".zzux.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035965; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011091; classtype:web-application-attack; sid:2011091; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain"; dns.query; content:".wikaba.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035966; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011092; classtype:web-application-attack; sid:2011092; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain"; flow:established,to_server; http.host; content:".wikaba.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035967; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011093; classtype:web-application-attack; sid:2011093; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dumb1 .com Domain"; dns.query; content:".dumb1.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035968; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011094; classtype:web-application-attack; sid:2011094; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dumb1 .com Domain"; flow:established,to_server; http.host; content:".dumb1.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035969; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WorkOrder.do?"; nocase; content:"woID="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,secunia.com/advisories/39032/; reference:url,exploit-db.com/exploits/11793; reference:url,doc.emergingthreats.net/2011095; classtype:web-application-attack; sid:2011095; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onedumb .com Domain"; dns.query; content:".onedumb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035970; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prodshow.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:bugtraq,32043; reference:url,frsirt.com/english/advisories/2008/2976; reference:url,doc.emergingthreats.net/2008837; classtype:web-application-attack; sid:2008837; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onedumb .com Domain"; flow:established,to_server; http.host; content:".onedumb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035971; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005141; classtype:web-application-attack; sid:2005141; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.youdontcare .com Domain"; dns.query; content:".youdontcare.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035972; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005142; classtype:web-application-attack; sid:2005142; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.youdontcare .com Domain"; flow:established,to_server; http.host; content:".youdontcare.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035973; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005143; classtype:web-application-attack; sid:2005143; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.yourtrap .com Domain"; dns.query; content:".yourtrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035974; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005144; classtype:web-application-attack; sid:2005144; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.yourtrap .com Domain"; flow:established,to_server; http.host; content:".yourtrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035975; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005145; classtype:web-application-attack; sid:2005145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.2waky .com Domain"; dns.query; content:".2waky.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035976; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE"; flow:established,to_server; http.uri; content:"/news_page.asp?"; nocase; content:"uid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-0600; reference:url,www.exploit-db.com/exploits/3194/; reference:url,doc.emergingthreats.net/2005146; classtype:web-application-attack; sid:2005146; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.2waky .com Domain"; flow:established,to_server; http.host; content:".2waky.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035977; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/file_manager/special.php?"; nocase; content:"fm_includes_special="; nocase; pcre:"/fm_includes_special=\s*(ftps?|https?|php)\:\//i"; reference:url,www.exploit-db.com/exploits/9350/; reference:url,vupen.com/english/advisories/2009/2136; reference:url,doc.emergingthreats.net/2011259; classtype:web-application-attack; sid:2011259; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexidude .com Domain"; dns.query; content:".sexidude.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035978; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1)"; flow:established,to_server; http.uri; content:"/includes/InstantSite/inc.is_root.php?is_projectPath=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009888; classtype:web-application-attack; sid:2009888; rev:7; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexidude .com Domain"; flow:established,to_server; http.host; content:".sexidude.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035979; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2)"; flow:established,to_server; http.uri; content:"/classes/class.Tree.php?GLOBALS[thCMS_root]=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009889; classtype:web-application-attack; sid:2009889; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mefound .com Domain"; dns.query; content:".mefound.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035980; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3)"; flow:established,to_server; http.uri; content:"/classes/class.thcsm_user.php?is_path=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009890; classtype:web-application-attack; sid:2009890; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mefound .com Domain"; flow:established,to_server; http.host; content:".mefound.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035981; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4)"; flow:established,to_server; http.uri; content:"/modul/mod.users.php?thCMS_root=http|3a|"; nocase; reference:url,www.sans.org/top20/; reference:url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt; reference:url,doc.emergingthreats.net/2009891; classtype:web-application-attack; sid:2009891; rev:8; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.organiccrap .com Domain"; dns.query; content:".organiccrap.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035982; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"queueMsgType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011082; classtype:web-application-attack; sid:2011082; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.organiccrap .com Domain"; flow:established,to_server; http.host; content:".organiccrap.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035983; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/admin/queuedMessage.do?"; nocase; content:"method=getQueueMessages&"; nocase; content:"QtnType="; nocase; pcre:"/(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf; reference:url,doc.emergingthreats.net/2011083; classtype:web-application-attack; sid:2011083; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toythieves .com Domain"; dns.query; content:".toythieves.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035984; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004265; classtype:web-application-attack; sid:2004265; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toythieves .com Domain"; flow:established,to_server; http.host; content:".toythieves.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035985; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004266; classtype:web-application-attack; sid:2004266; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.justdied .com Domain"; dns.query; content:".justdied.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035986; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004267; classtype:web-application-attack; sid:2004267; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.justdied .com Domain"; flow:established,to_server; http.host; content:".justdied.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035987; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004268; classtype:web-application-attack; sid:2004268; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain"; dns.query; content:".jungleheart.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035988; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004269; classtype:web-application-attack; sid:2004269; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jungleheart .com Domain"; flow:established,to_server; http.host; content:".jungleheart.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035989; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x["; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7171; reference:url,xforce.iss.net/xforce/xfdb/30215; reference:url,doc.emergingthreats.net/2004270; classtype:web-application-attack; sid:2004270; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrbonus .com Domain"; dns.query; content:".mrbonus.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035990; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004271; classtype:web-application-attack; sid:2004271; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrbonus .com Domain"; flow:established,to_server; http.host; content:".mrbonus.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035991; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004272; classtype:web-application-attack; sid:2004272; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.x24hr .com Domain"; dns.query; content:".x24hr.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035992; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004273; classtype:web-application-attack; sid:2004273; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.x24hr .com Domain"; flow:established,to_server; http.host; content:".x24hr.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035993; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004274; classtype:web-application-attack; sid:2004274; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.fartit .com Domain"; dns.query; content:".fartit.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035994; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004275; classtype:web-application-attack; sid:2004275; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.fartit .com Domain"; flow:established,to_server; http.host; content:".fartit.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035995; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"t="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004276; classtype:web-application-attack; sid:2004276; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itemdb .com Domain"; dns.query; content:".itemdb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035996; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004277; classtype:web-application-attack; sid:2004277; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itemdb .com Domain"; flow:established,to_server; http.host; content:".itemdb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035997; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004278; classtype:web-application-attack; sid:2004278; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.instanthq .com Domain"; dns.query; content:".instanthq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035998; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004279; classtype:web-application-attack; sid:2004279; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.instanthq .com Domain"; flow:established,to_server; http.host; content:".instanthq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2035999; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004280; classtype:web-application-attack; sid:2004280; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxuz .com Domain"; dns.query; content:".xxuz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036000; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004281; classtype:web-application-attack; sid:2004281; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxuz .com Domain"; flow:established,to_server; http.host; content:".xxuz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036001; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"productId="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004282; classtype:web-application-attack; sid:2004282; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jkub .com Domain"; dns.query; content:".jkub.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036002; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004283; classtype:web-application-attack; sid:2004283; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jkub .com Domain"; flow:established,to_server; http.host; content:".jkub.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036003; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004284; classtype:web-application-attack; sid:2004284; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.itsaol .com Domain"; dns.query; content:".itsaol.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036004; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004285; classtype:web-application-attack; sid:2004285; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.itsaol .com Domain"; flow:established,to_server; http.host; content:".itsaol.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036005; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004286; classtype:web-application-attack; sid:2004286; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.faqserv .com Domain"; dns.query; content:".faqserv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036006; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004287; classtype:web-application-attack; sid:2004287; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.faqserv .com Domain"; flow:established,to_server; http.host; content:".faqserv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036007; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"sk="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004288; classtype:web-application-attack; sid:2004288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.jetos .com Domain"; dns.query; content:".jetos.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036008; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004289; classtype:web-application-attack; sid:2004289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.jetos .com Domain"; flow:established,to_server; http.host; content:".jetos.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036009; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004290; classtype:web-application-attack; sid:2004290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qpoe .com Domain"; dns.query; content:".qpoe.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036010; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004291; classtype:web-application-attack; sid:2004291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qpoe .com Domain"; flow:established,to_server; http.host; content:".qpoe.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036011; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004292; classtype:web-application-attack; sid:2004292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.qhigh .com Domain"; dns.query; content:".qhigh.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036012; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004293; classtype:web-application-attack; sid:2004293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.qhigh .com Domain"; flow:established,to_server; http.host; content:".qhigh.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036013; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"x="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004294; classtype:web-application-attack; sid:2004294; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.vizvaz .com Domain"; dns.query; content:".vizvaz.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036014; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004295; classtype:web-application-attack; sid:2004295; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.vizvaz .com Domain"; flow:established,to_server; http.host; content:".vizvaz.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036015; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004296; classtype:web-application-attack; sid:2004296; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrface .com Domain"; dns.query; content:".mrface.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036016; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004297; classtype:web-application-attack; sid:2004297; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrface .com Domain"; flow:established,to_server; http.host; content:".mrface.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036017; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004298; classtype:web-application-attack; sid:2004298; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.isasecret .com Domain"; dns.query; content:".isasecret.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036018; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004299; classtype:web-application-attack; sid:2004299; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.isasecret .com Domain"; flow:established,to_server; http.host; content:".isasecret.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036019; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE"; flow:established,to_server; http.uri; content:"/product_review.php?"; nocase; content:"so="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004300; classtype:web-application-attack; sid:2004300; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mrslove .com Domain"; dns.query; content:".mrslove.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036020; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; pcre:"/SELECT.+FROM/i"; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004301; classtype:web-application-attack; sid:2004301; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mrslove .com Domain"; flow:established,to_server; http.host; content:".mrslove.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036021; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004302; classtype:web-application-attack; sid:2004302; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.americanunfinished .com Domain"; dns.query; content:".americanunfinished.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036022; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004303; classtype:web-application-attack; sid:2004303; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.americanunfinished .com Domain"; flow:established,to_server; http.host; content:".americanunfinished.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036023; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004304; classtype:web-application-attack; sid:2004304; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveusers .com Domain"; dns.query; content:".serveusers.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036024; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004305; classtype:web-application-attack; sid:2004305; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveusers .com Domain"; flow:established,to_server; http.host; content:".serveusers.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036025; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE"; flow:established,to_server; http.uri; content:"/order-track.php?"; nocase; content:"orderNo="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-7170; reference:url,www.securityfocus.com/bid/21072; reference:url,doc.emergingthreats.net/2004306; classtype:web-application-attack; sid:2004306; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.serveuser .com Domain"; dns.query; content:".serveuser.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036026; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion"; flow:to_server,established; content:"../"; http.method; content:"GET"; http.uri; content:"/centre.php?"; nocase; content:"padmin="; nocase; reference:url,vupen.com/english/advisories/2008/2938; reference:url,www.exploit-db.com/exploits/6846/; reference:url,doc.emergingthreats.net/2009330; classtype:web-application-attack; sid:2009330; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.serveuser .com Domain"; flow:established,to_server; http.host; content:".serveuser.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036027; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt"; flow:to_server,established; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/infusions/last_seen_users_panel/last_seen_users_panel.php?"; nocase; content:"settings[locale]="; nocase; reference:url,osvdb.org/show/osvdb/56583; reference:url,www.exploit-db.com/exploits/9018/; reference:url,doc.emergingthreats.net/2010631; classtype:web-application-attack; sid:2010631; rev:7; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myftp .info Domain"; dns.query; content:".myftp.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036028; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyioSoft EasyBookMarker Parent parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/bookmarker_backend.php?"; nocase; content:"Parent="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32636/; reference:url,www.exploit-db.com/exploits/7053/; reference:url,doc.emergingthreats.net/2008835; classtype:web-application-attack; sid:2008835; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp .info Domain"; flow:established,to_server; http.host; content:".myftp.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036029; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My PHP Dating id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/success_story.php?id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION\s+SELECT/i"; reference:url,secunia.com/advisories/32268; reference:url,www.exploit-db.com/exploits/6754/; reference:url,doc.emergingthreats.net/2008672; classtype:web-application-attack; sid:2008672; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mydad .info Domain"; dns.query; content:".mydad.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036030; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006627; classtype:web-application-attack; sid:2006627; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mydad .info Domain"; flow:established,to_server; http.host; content:".mydad.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036031; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006628; classtype:web-application-attack; sid:2006628; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mymom .info Domain"; dns.query; content:".mymom.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036032; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006629; classtype:web-application-attack; sid:2006629; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mymom .info Domain"; flow:established,to_server; http.host; content:".mymom.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036033; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006630; classtype:web-application-attack; sid:2006630; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypicture .info Domain"; dns.query; content:".mypicture.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036034; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006631; classtype:web-application-attack; sid:2006631; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypicture .info Domain"; flow:established,to_server; http.host; content:".mypicture.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036035; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE"; flow:established,to_server; http.uri; content:"/mystats.php?"; nocase; content:"details="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6403; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2; reference:url,doc.emergingthreats.net/2006632; classtype:web-application-attack; sid:2006632; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.myz .info Domain"; dns.query; content:".myz.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036036; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004612; classtype:web-application-attack; sid:2004612; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myz .info Domain"; flow:established,to_server; http.host; content:".myz.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036037; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004613; classtype:web-application-attack; sid:2004613; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.squirly .info Domain"; dns.query; content:".squirly.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036038; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004614; classtype:web-application-attack; sid:2004614; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.squirly .info Domain"; flow:established,to_server; http.host; content:".squirly.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036039; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004615; classtype:web-application-attack; sid:2004615; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toh .info Domain"; dns.query; content:".toh.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036040; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004616; classtype:web-application-attack; sid:2004616; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toh .info Domain"; flow:established,to_server; http.host; content:".toh.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036041; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE"; flow:established,to_server; http.uri; content:"/diary.php?"; nocase; content:"delete="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3063; reference:url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded; reference:url,doc.emergingthreats.net/2004617; classtype:web-application-attack; sid:2004617; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .info Domain"; dns.query; content:".xxxy.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036042; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004095; classtype:web-application-attack; sid:2004095; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .info Domain"; flow:established,to_server; http.host; content:".xxxy.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036043; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004096; classtype:web-application-attack; sid:2004096; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.freewww .info Domain"; dns.query; content:".freewww.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036044; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004097; classtype:web-application-attack; sid:2004097; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.freewww .info Domain"; flow:established,to_server; http.host; content:".freewww.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036045; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004098; classtype:web-application-attack; sid:2004098; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.xxxy .biz Domain"; dns.query; content:".xxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036046; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004099; classtype:web-application-attack; sid:2004099; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.xxxy .biz Domain"; flow:established,to_server; http.host; content:".xxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036047; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-2942; reference:url,www.exploit-db.com/exploits/3989/; reference:url,doc.emergingthreats.net/2004100; classtype:web-application-attack; sid:2004100; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sexxxy .biz Domain"; dns.query; content:".sexxxy.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036048; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UNION"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004743; classtype:web-application-attack; sid:2004743; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sexxxy .biz Domain"; flow:established,to_server; http.host; content:".sexxxy.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036049; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004742; classtype:web-application-attack; sid:2004742; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.www1 .biz Domain"; dns.query; content:".www1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036050; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004744; classtype:web-application-attack; sid:2004744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.www1 .biz Domain"; flow:established,to_server; http.host; content:".www1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036051; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004745; classtype:web-application-attack; sid:2004745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dhcp .biz Domain"; dns.query; content:".dhcp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036052; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004746; classtype:web-application-attack; sid:2004746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dhcp .biz Domain"; flow:established,to_server; http.host; content:".dhcp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036053; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE"; flow:established,to_server; http.uri; content:"/result.php?"; nocase; content:"surv="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1166; reference:url,www.exploit-db.com/exploits/3355/; reference:url,doc.emergingthreats.net/2004747; classtype:web-application-attack; sid:2004747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.edns .biz Domain"; dns.query; content:".edns.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036054; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006880; classtype:web-application-attack; sid:2006880; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.edns .biz Domain"; flow:established,to_server; http.host; content:".edns.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036055; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006881; classtype:web-application-attack; sid:2006881; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftp1 .biz Domain"; dns.query; content:".ftp1.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036056; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006882; classtype:web-application-attack; sid:2006882; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftp1 .biz Domain"; flow:established,to_server; http.host; content:".ftp1.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036057; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006883; classtype:web-application-attack; sid:2006883; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mywww .biz Domain"; dns.query; content:".mywww.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036058; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006884; classtype:web-application-attack; sid:2006884; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mywww .biz Domain"; flow:established,to_server; http.host; content:".mywww.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036059; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6268; reference:url,www.securityfocus.com/bid/21227; reference:url,doc.emergingthreats.net/2006885; classtype:web-application-attack; sid:2006885; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ftpserver .biz Domain"; dns.query; content:".ftpserver.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036060; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006736; classtype:web-application-attack; sid:2006736; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ftpserver .biz Domain"; flow:established,to_server; http.host; content:".ftpserver.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036061; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006737; classtype:web-application-attack; sid:2006737; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .biz Domain"; dns.query; content:".wwwhost.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036062; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006738; classtype:web-application-attack; sid:2006738; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .biz Domain"; flow:established,to_server; http.host; content:".wwwhost.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036063; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006739; classtype:web-application-attack; sid:2006739; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.moneyhome .biz Domain"; dns.query; content:".moneyhome.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036064; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006740; classtype:web-application-attack; sid:2006740; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.moneyhome .biz Domain"; flow:established,to_server; http.host; content:".moneyhome.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036065; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE"; flow:established,to_server; http.uri; content:"/plugins/ipsearch/ipsearch.admin.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006741; classtype:web-application-attack; sid:2006741; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.port25 .biz Domain"; dns.query; content:".port25.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036066; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006742; classtype:web-application-attack; sid:2006742; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.port25 .biz Domain"; flow:established,to_server; http.host; content:".port25.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036067; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006743; classtype:web-application-attack; sid:2006743; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.esmtp .biz Domain"; dns.query; content:".esmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036068; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006744; classtype:web-application-attack; sid:2006744; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.esmtp .biz Domain"; flow:established,to_server; http.host; content:".esmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036069; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006745; classtype:web-application-attack; sid:2006745; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .biz Domain"; dns.query; content:".dsmtp.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036070; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006746; classtype:web-application-attack; sid:2006746; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .biz Domain"; flow:established,to_server; http.host; content:".dsmtp.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036071; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/pfs/pfs.edit.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006747; classtype:web-application-attack; sid:2006747; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sixth .biz Domain"; dns.query; content:".sixth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036072; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012122; classtype:web-application-attack; sid:2012122; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sixth .biz Domain"; flow:established,to_server; http.host; content:".sixth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036073; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/deco/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012123; classtype:web-application-attack; sid:2012123; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ninth .biz Domain"; dns.query; content:".ninth.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036074; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012124; classtype:web-application-attack; sid:2012124; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ninth .biz Domain"; flow:established,to_server; http.host; content:".ninth.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036075; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/blanc/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012125; classtype:web-application-attack; sid:2012125; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.misecure .com Domain"; dns.query; content:".misecure.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036076; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012126; classtype:web-application-attack; sid:2012126; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain"; flow:established,to_server; http.host; content:".misecure.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036077; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/default/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012127; classtype:web-application-attack; sid:2012127; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.got-game .org Domain"; dns.query; content:".got-game.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036078; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/haut.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012128; classtype:web-application-attack; sid:2012128; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.got-game .org Domain"; flow:established,to_server; http.host; content:".got-game.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036079; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/maticmarket/bleu/gold/bas.php?"; nocase; content:"modulename="; nocase; reference:url,exploit-db.com/exploits/15783/; reference:url,doc.emergingthreats.net/2012129; classtype:web-application-attack; sid:2012129; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dns2 .us Domain"; dns.query; content:".dns2.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036080; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pingsvr.php?"; nocase; content:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt; reference:url,doc.emergingthreats.net/2012130; classtype:web-application-attack; sid:2012130; rev:6; metadata:created_at 2010_12_30, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns2 .us Domain"; flow:established,to_server; http.host; content:".dns2.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036081; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_seyret"; nocase; content:"task=videodirectlink"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14172/; reference:url,doc.emergingthreats.net/2012131; classtype:web-application-attack; sid:2012131; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_12_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .us Domain"; dns.query; content:".changeip.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036082; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012159; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .us Domain"; flow:established,to_server; http.host; content:".changeip.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036083; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012161; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .biz Domain"; dns.query; content:".changeip.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036084; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012162; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .biz Domain"; flow:established,to_server; http.host; content:".changeip.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036085; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012163; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.almostmy .com Domain"; dns.query; content:".almostmy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036086; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/plugins/accept-signups/accept-signups_submit.php?"; nocase; content:"email="; nocase; pcre:"/email\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt; classtype:web-application-attack; sid:2012164; rev:6; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.almostmy .com Domain"; flow:established,to_server; http.host; content:".almostmy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036087; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/blocks/file/controller.php?"; nocase; content:"DIR_FILES_BLOCK_TYPES_CORE="; nocase; pcre:"/DIR_FILES_BLOCK_TYPES_CORE=\s*(ftps?|https?|php)\:\//i"; reference:bugtraq,45669; classtype:web-application-attack; sid:2012165; rev:6; metadata:created_at 2011_01_07, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ocry .com Domain"; dns.query; content:".ocry.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036088; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/com_xmovie/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt; classtype:web-application-attack; sid:2012166; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ocry .com Domain"; flow:established,to_server; http.host; content:".ocry.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036089; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/express_edit/editor.aspx?"; nocase; content:"index="; nocase; content:"AND"; nocase; content:"IF"; nocase; pcre:"/AND.*IF\(/i"; reference:url,exploit-db.com/exploits/15124/; classtype:web-application-attack; sid:2012167; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ourhobby .com Domain"; dns.query; content:".ourhobby.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036090; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/tiki-jsplugin.php?"; nocase; content:"plugin="; nocase; content:"language="; nocase; reference:url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46; classtype:web-application-attack; sid:2012168; rev:6; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ourhobby .com Domain"; flow:established,to_server; http.host; content:".ourhobby.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036091; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006748; classtype:web-application-attack; sid:2006748; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsfailover .net Domain"; dns.query; content:".dnsfailover.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036092; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006749; classtype:web-application-attack; sid:2006749; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsfailover .net Domain"; flow:established,to_server; http.host; content:".dnsfailover.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036093; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006751; classtype:web-application-attack; sid:2006751; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ygto .com Domain"; dns.query; content:".ygto.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036094; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006752; classtype:web-application-attack; sid:2006752; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ygto .com Domain"; flow:established,to_server; http.host; content:".ygto.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036095; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE"; flow:established,to_server; http.uri; content:"/system/core/users/users.register.inc.php?"; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006753; classtype:web-application-attack; sid:2006753; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.gettrials .com Domain"; dns.query; content:".gettrials.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036096; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006754; classtype:web-application-attack; sid:2006754; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gettrials .com Domain"; flow:established,to_server; http.host; content:".gettrials.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036097; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006755; classtype:web-application-attack; sid:2006755; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4dq .com Domain"; dns.query; content:".4dq.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036098; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006756; classtype:web-application-attack; sid:2006756; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4dq .com Domain"; flow:established,to_server; http.host; content:".4dq.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036099; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006757; classtype:web-application-attack; sid:2006757; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.4pu .com Domain"; dns.query; content:".4pu.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036100; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006758; classtype:web-application-attack; sid:2006758; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4pu .com Domain"; flow:established,to_server; http.host; content:".4pu.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036101; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE"; flow:established,to_server; http.uri; content:"/polls.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6344; reference:url,www.secunia.com/advisories/23180; reference:url,doc.emergingthreats.net/2006759; classtype:web-application-attack; sid:2006759; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036102; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007288; classtype:web-application-attack; sid:2007288; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036103; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007289; classtype:web-application-attack; sid:2007289; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain"; dns.query; content:".dsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036104; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007290; classtype:web-application-attack; sid:2007290; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain"; flow:established,to_server; http.host; content:".dsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036105; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007291; classtype:web-application-attack; sid:2007291; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynumber .org Domain"; dns.query; content:".mynumber.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036106; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007292; classtype:web-application-attack; sid:2007292; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynumber .org Domain"; flow:established,to_server; http.host; content:".mynumber.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036107; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE"; flow:established,to_server; http.uri; content:"/users.php?"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6177; reference:url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded; reference:url,doc.emergingthreats.net/2007293; classtype:web-application-attack; sid:2007293; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.rebatesrule .net Domain"; dns.query; content:".rebatesrule.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036108; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/action.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012181; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.rebatesrule .net Domain"; flow:established,to_server; http.host; content:".rebatesrule.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036109; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/media.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:6; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ezua .com Domain"; dns.query; content:".ezua.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036110; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/xmlrpc/server.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ezua .com Domain"; flow:established,to_server; http.host; content:".ezua.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036111; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/nucleus/libs/PLUGINADMIN.php?"; nocase; content:"DIR_LIBS="; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//i"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012185; rev:5; metadata:created_at 2011_01_15, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.sendsmtp .com Domain"; dns.query; content:".sendsmtp.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036112; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/modules/profile/user.php?"; nocase; content:"aXconf[default_language]="; nocase; reference:url,exploit-db.com/exploits/15938/; classtype:web-application-attack; sid:2012186; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sendsmtp .com Domain"; flow:established,to_server; http.host; content:".sendsmtp.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036113; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/bizdir/bizdir.cgi?"; nocase; content:"f_srch="; nocase; pcre:"/f_srch\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt; classtype:web-application-attack; sid:2012187; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssmailer .com Domain"; dns.query; content:".ssmailer.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036114; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/English_manual_version_2.php?"; nocase; content:"client="; nocase; pcre:"/client\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012190; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssmailer .com Domain"; flow:established,to_server; http.host; content:".ssmailer.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036115; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/zimplit.php?"; nocase; content:"action=load"; nocase; content:"file="; nocase; pcre:"/file\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt; classtype:web-application-attack; sid:2012191; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .net Domain"; dns.query; content:".trickip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036116; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012212; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .net Domain"; flow:established,to_server; http.host; content:".trickip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036117; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012211; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.trickip .org Domain"; dns.query; content:".trickip.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036118; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012213; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.trickip .org Domain"; flow:established,to_server; http.host; content:".trickip.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036119; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012214; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnsrd .com Domain"; dns.query; content:".dnsrd.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036120; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/program/moduler_banner_aabn.php?"; nocase; content:"id="; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt; classtype:web-application-attack; sid:2012215; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnsrd .com Domain"; flow:established,to_server; http.host; content:".dnsrd.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036121; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud.swf?"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012216; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .com Domain"; dns.query; content:".lflinkup.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036122; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/op/op.Login.php?"; nocase; content:"login="; nocase; content:"sesstheme="; nocase; content:"lang="; nocase; reference:bugtraq,37828; classtype:web-application-attack; sid:2012217; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .com Domain"; flow:established,to_server; http.host; content:".lflinkup.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036123; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/tagcloud-ru.swf"; nocase; content:"mode=tags"; nocase; content:"tagcloud="; nocase; pcre:"/tagcloud\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt; classtype:web-application-attack; sid:2012220; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .net Domain"; dns.query; content:".lflinkup.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036124; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/customer_ftp.php?"; nocase; content:"id="; nocase; pcre:"/id=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/16051/; classtype:web-application-attack; sid:2012334; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .net Domain"; flow:established,to_server; http.host; content:".lflinkup.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036125; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"page=viewbus"; nocase; content:"bus="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16034/; classtype:web-application-attack; sid:2012335; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflinkup .org Domain"; dns.query; content:".lflinkup.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036126; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012336; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflinkup .org Domain"; flow:established,to_server; http.host; content:".lflinkup.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036127; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/cultbooking.php?"; nocase; content:"lang="; nocase; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16028/; classtype:web-application-attack; sid:2012337; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.lflink .com Domain"; dns.query; content:".lflink.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036128; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012338; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.lflink .com Domain"; flow:established,to_server; http.host; content:".lflink.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036129; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012339; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.b0tnet .com Domain"; dns.query; content:".b0tnet.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036130; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012340; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0tnet .com Domain"; flow:established,to_server; http.host; content:".b0tnet.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036131; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012341; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .net Domain"; dns.query; content:".changeip.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036132; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/teams_structure/team.php?"; nocase; content:"team_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt; classtype:web-application-attack; sid:2012342; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .net Domain"; flow:established,to_server; http.host; content:".changeip.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036133; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/active_auctions.php?"; nocase; content:"lan="; nocase; reference:url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63; classtype:web-application-attack; sid:2012343; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mysecondarydns .com Domain"; dns.query; content:".mysecondarydns.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036134; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/lib/addressbook.php?"; nocase; content:"basedir="; nocase; pcre:"/basedir=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/12369/; classtype:web-application-attack; sid:2012344; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mysecondarydns .com Domain"; flow:established,to_server; http.host; content:".mysecondarydns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036135; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_frontenduseraccess"; nocase; content:"controller="; nocase; reference:url,secunia.com/advisories/43137/; reference:url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909; classtype:web-application-attack; sid:2012345; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dynssl .com Domain"; dns.query; content:".dynssl.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036136; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012346; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dynssl .com Domain"; flow:established,to_server; http.host; content:".dynssl.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036137; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012347; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mylftv .com Domain"; dns.query; content:".mylftv.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036138; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012348; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mylftv .com Domain"; flow:established,to_server; http.host; content:".mylftv.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036139; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012349; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .com Domain"; dns.query; content:".mynetav.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036140; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"lvl=coll_see"; nocase; content:"id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16087/; classtype:web-application-attack; sid:2012350; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .com Domain"; flow:established,to_server; http.host; content:".mynetav.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036141; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/SearchCenter/Pages/AllResults.aspx?"; nocase; content:"k="; nocase; pcre:"/k\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98029/enp-xss.txt; classtype:web-application-attack; sid:2012351; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert tcp-pkt $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fodcha Bot CnC Client Heartbeat"; flow:established,to_client; dsize:5; content:"|69 00 00 96 ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035940; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/browsecats.php?"; nocase; content:"cid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/16062/; classtype:web-application-attack; sid:2012352; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .net Domain"; dns.query; content:".mynetav.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036142; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/audio/getid3/demos/demo.browse.php?"; nocase; content:"showfile="; nocase; pcre:"/showfile\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt; classtype:web-application-attack; sid:2012353; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .net Domain"; flow:established,to_server; http.host; content:".mynetav.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036143; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/gradebook/open_document.php?"; nocase; content:"file="; reference:bugtraq,46173; classtype:web-application-attack; sid:2012354; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mynetav .org Domain"; dns.query; content:".mynetav.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036144; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/lib/spikephpcoverage/src/phpcoverage.remote.top.inc.php?"; nocase; content:"PHPCOVERAGE_HOME"; nocase; pcre:"/PHPCOVERAGE_HOME\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt; classtype:web-application-attack; sid:2012355; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mynetav .org Domain"; flow:established,to_server; http.host; content:".mynetav.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036145; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/js/modalbox/tests/functional/_ajax_method_get.php?"; nocase; content:"param="; nocase; pcre:"/param\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt; classtype:web-application-attack; sid:2012356; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.homingbeacon .net Domain"; dns.query; content:".homingbeacon.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036146; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/components/com_xgallery/helpers/img.php?"; nocase; content:"file="; nocase; reference:url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt; classtype:web-application-attack; sid:2012357; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_11;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.homingbeacon .net Domain"; flow:established,to_server; http.host; content:".homingbeacon.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036147; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/flash_upload.php?"; nocase; content:"modelid="; nocase; content:"ORDER"; nocase; content:"BY"; nocase; pcre:"/ORDER.+BY/i"; reference:bugtraq,45933; classtype:web-application-attack; sid:2012358; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ikwb .com Domain"; dns.query; content:".ikwb.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036148; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012359; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ikwb .com Domain"; flow:established,to_server; http.host; content:".ikwb.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036149; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012360; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.acmetoy .com Domain"; dns.query; content:".acmetoy.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036150; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012361; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.acmetoy .com Domain"; flow:established,to_server; http.host; content:".acmetoy.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036151; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012362; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dnset .com Domain"; dns.query; content:".dnset.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036152; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/notaevento.php?"; nocase; content:"id_novedad="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/98190/tcms-sql.txt; classtype:web-application-attack; sid:2012363; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dnset .com Domain"; flow:established,to_server; http.host; content:".dnset.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036153; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012364; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.as19557 .net Domain"; dns.query; content:".as19557.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036154; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012365; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.as19557 .net Domain"; flow:established,to_server; http.host; content:".as19557.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036155; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012366; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.toshibanetcam .com Domain"; dns.query; content:".toshibanetcam.com"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036156; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012367; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.toshibanetcam .com Domain"; flow:established,to_server; http.host; content:".toshibanetcam.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036157; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bexfront.php"; nocase; content:"sid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt; classtype:web-application-attack; sid:2012368; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fodcha Bot CnC Heartbeat Response"; flow:established,to_server; dsize:5; content:"|70 00 00 8f ff|"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:command-and-control; sid:2035941; rev:2; metadata:created_at 2022_04_13, former_category MALWARE, malware_family Fodcha, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/com_swmenupro/ImageManager/Classes/ImageManager.php?"; nocase; content:"mosConfig_absolute_path="; nocase; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//i"; reference:url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt; classtype:web-application-attack; sid:2012369; rev:5; metadata:created_at 2011_02_25, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .net Domain"; dns.query; content:".authorizeddns.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036158; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/explanation.php?"; nocase; content:"explain"; nocase; pcre:"/explain\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012370; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .net Domain"; flow:established,to_server; http.host; content:".authorizeddns.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036159; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/modules/boonex/custom_rss/post_mod_crss.php?"; nocase; content:"relocate"; nocase; pcre:"/relocate\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt; reference:bugtraq,46337; classtype:web-application-attack; sid:2012371; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .org Domain"; dns.query; content:".authorizeddns.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036160; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.cfm?"; nocase; content:"actcfug=LibraryView"; nocase; content:"LibraryID="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/14935/; classtype:web-application-attack; sid:2012372; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .org Domain"; flow:established,to_server; http.host; content:".authorizeddns.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036161; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"../"; depth:200; http.method; content:"GET"; http.uri; content:"/util/barcode.php?"; nocase; content:"type="; nocase; reference:url,packetstormsecurity.org/files/view/98424/horde-lfi.txt; classtype:web-application-attack; sid:2012373; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.authorizeddns .us Domain"; dns.query; content:".authorizeddns.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036162; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012374; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.authorizeddns .us Domain"; flow:established,to_server; http.host; content:".authorizeddns.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036163; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012375; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .biz Domain"; dns.query; content:".cleansite.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036164; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012376; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .biz Domain"; flow:established,to_server; http.host; content:".cleansite.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036165; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012377; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .info Domain"; dns.query; content:".cleansite.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036166; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/hilfsmittel.php"; nocase; content:"action=read"; nocase; content:"katid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16202/; classtype:web-application-attack; sid:2012378; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"folded.in"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035942; rev:3; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/allauctions.php?"; nocase; content:"aid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt; classtype:web-application-attack; sid:2012379; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .info Domain"; flow:established,to_server; http.host; content:".cleansite.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036167; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/core/themes.php?"; nocase; content:"L_failedopentheme="; nocase; pcre:"/L_failedopentheme\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt; classtype:web-application-attack; sid:2012380; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.cleansite .us Domain"; dns.query; content:".cleansite.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036168; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/itechd.php?"; nocase; content:"productid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_02_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.cleansite .us Domain"; flow:established,to_server; http.host; content:".cleansite.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036169; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt"; flow:established,to_server; http.uri; content:"awstats.cgi"; nocase; content:"config="; nocase; content:"pluginmode=rawlog"; nocase; content:"configdir=|5C 5C|"; nocase; fast_pattern; reference:bid,45123; reference:cve,2010-4367; classtype:web-application-attack; sid:2012393; rev:4; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .net Domain"; dns.query; content:".https443.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036170; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf/WebMessage"; nocase; content:"OpenView"; nocase; content:"messageString="; nocase; pcre:"/messageString\x3D.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012394; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .net Domain"; flow:established,to_server; http.host; content:".https443.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036171; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"stconf.nsf"; nocase; content:"unescape"; nocase; fast_pattern; pcre:"/stconf.nsf.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D).+unescape/i"; reference:bid,46471; reference:cve,2011-1038; classtype:web-application-attack; sid:2012395; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.https443 .org Domain"; dns.query; content:".https443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036172; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/Cewolf?"; nocase; pcre:"/\&(width|height)\=([2-9][0-9][0-9][0-9]*)/i"; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html; classtype:web-application-attack; sid:2012406; rev:5; metadata:created_at 2011_03_01, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.https443 .org Domain"; flow:established,to_server; http.host; content:".https443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036173; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; pcre:"/post_id\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012411; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .net Domain"; dns.query; content:".mypop3.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036174; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt  updateAJAX.php post_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012412; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .net Domain"; flow:established,to_server; http.host; content:".mypop3.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036175; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012413; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Fodcha Bot Domain"; dns.query; content:"fridgexperts.cc"; fast_pattern; reference:url,blog.netlab.360.com/fodcha-a-new-ddos-botnet/; classtype:trojan-activity; sid:2035943; rev:2; metadata:attack_target IoT, created_at 2022_04_13, deployment Perimeter, former_category MALWARE, malware_family Fodcha, performance_impact Low, signature_severity Major, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012414; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.mypop3 .org Domain"; dns.query; content:".mypop3.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036176; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012415; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.mypop3 .org Domain"; flow:established,to_server; http.host; content:".mypop3.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036177; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"ASCII"; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012416; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.ssl443 .org Domain"; dns.query; content:".ssl443.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036178; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE"; flow:established,to_server; http.uri; content:"/wp-content/plugins/iwant-one-ihave-one/updateAJAX.php?"; nocase; content:"post_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,exploit-db.com/exploits/16236/; reference:url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html; classtype:web-application-attack; sid:2012417; rev:5; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ssl443 .org Domain"; flow:established,to_server; http.host; content:".ssl443.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036179; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1"; flow:established,to_server; http.uri; content:"/shipping/methods/fedex_v7/label_mgr/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012418; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .biz Domain"; dns.query; content:".iownyour.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036180; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; http.uri; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; content:"form="; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/i"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_03_04, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .biz Domain"; flow:established,to_server; http.host; content:".iownyour.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036181; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/i"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_05_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.iownyour .org Domain"; dns.query; content:".iownyour.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036182; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE"; flow:established,to_server; http.uri; content:"/detail.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-1434; reference:url,www.securityfocus.com/bid/22911; reference:url,doc.emergingthreats.net/2004364; classtype:web-application-attack; sid:2004364; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.iownyour .org Domain"; flow:established,to_server; http.host; content:".iownyour.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036183; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/public/code/cp_html2xhtmlbasic.php?"; nocase; pcre:"/\x2Ephp\x3F.{0,300}\x3D(http\x3A|ftp\x3A|https\x3A|ftps\x3A)/i"; reference:url,www.securityfocus.com/bid/36609/info; reference:url,www.securityfocus.com/archive/1/507030; reference:url,doc.emergingthreats.net/2010080; classtype:web-application-attack; sid:2010080; rev:9; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .biz Domain"; dns.query; content:".onmypc.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036184; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .biz Domain"; flow:established,to_server; http.host; content:".onmypc.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036185; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_pro_desk"; nocase; content:"include_file="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:8; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .info Domain"; dns.query; content:".onmypc.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036186; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .info Domain"; flow:established,to_server; http.host; content:".onmypc.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036187; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.uri; content:"/docebo/docebo"; nocase; content:"/index.php?modname="; nocase; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/i"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .net Domain"; dns.query; content:".onmypc.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036188; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .net Domain"; flow:established,to_server; http.host; content:".onmypc.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036189; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .org Domain"; dns.query; content:".onmypc.org"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036190; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .org Domain"; flow:established,to_server; http.host; content:".onmypc.org"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036191; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.onmypc .us Domain"; dns.query; content:".onmypc.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036192; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.onmypc .us Domain"; flow:established,to_server; http.host; content:".onmypc.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036193; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; http.uri; content:"/subcat.php?"; nocase; content:"cate_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .info Domain"; dns.query; content:".dubya.info"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036194; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .info Domain"; flow:established,to_server; http.host; content:".dubya.info"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036195; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:1; pcre:"/UNION\s+?SELECT/i"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .us Domain"; dns.query; content:".dubya.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036196; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .us Domain"; flow:established,to_server; http.host; content:".dubya.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036197; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .biz Domain"; dns.query; content:".dubya.biz"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036198; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .biz Domain"; flow:established,to_server; http.host; content:".dubya.biz"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036199; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; http.uri; content:"/view_profile.php?"; nocase; content:"user_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dubya .net Domain"; dns.query; content:".dubya.net"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036200; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:11; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_13;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dubya .net Domain"; flow:established,to_server; http.host; content:".dubya.net"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036201; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Custom Contact Forms DB Upload/Download Auth Bypass"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-post.php?"; nocase; content:"page=ccf_settings"; nocase; fast_pattern; http.request_body; pcre:"/ccf_(?:(?:clear|merge)_im|ex)port/i"; reference:url,blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html; classtype:web-application-attack; sid:2018975; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_08_21, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.wwwhost .us Domain"; dns.query; content:".wwwhost.us"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036202; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"id_menu="; fast_pattern; distance:0; nocase; content:"INSERT"; distance:0; nocase; content:"INTO"; distance:0; nocase; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.wwwhost .us Domain"; flow:established,to_server; http.host; content:".wwwhost.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036203; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id parameter SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/gallery_photo.php?"; nocase; content:"photo_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,secunia.com/advisories/32593/; reference:url,milw0rm.com/exploits/7016; reference:url,doc.emergingthreats.net/2008831; classtype:web-application-attack; sid:2008831; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.zyns .com Domain"; flow:established,to_server; http.host; content:".zyns.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036204; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Parameter Blind SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mainx_a.php?"; nocase; content:"x="; nocase; content:"xid="; nocase; content:"bid="; nocase; content:"and"; nocase; content:"substring"; nocase; pcre:"/and.*substring\(/i"; reference:url,exploit-db.com/exploits/15999/; classtype:web-application-attack; sid:2012219; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_21, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.otzo .com Domain"; flow:established,to_server; http.host; content:".otzo.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036205; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/includes/hnmain.inc.php3?"; nocase; content:"config[incdir]="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,inj3ct0r.com/exploits/11731; reference:url,exploit-db.com/exploits/12160; reference:url,doc.emergingthreats.net/2011161; classtype:web-application-attack; sid:2011161; rev:7; metadata:created_at 2010_07_30, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns-report .com Domain"; flow:established,to_server; http.host; content:".dns-report.com"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036206; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE"; flow:established,to_server; http.uri; content:"/postingdetails.php?"; nocase; content:"postingid="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004546; classtype:web-application-attack; sid:2004546; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dns1 .us Domain"; flow:established,to_server; http.host; content:".dns1.us"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036207; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT"; flow:established,to_server; http.uri; content:"/goster.asp?"; nocase; content:"id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1422; reference:url,www.securityfocus.com/bid/22910; reference:url,doc.emergingthreats.net/2004386; classtype:web-application-attack; sid:2004386; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.changeip .co Domain"; dns.query; content:".changeip.co"; fast_pattern; nocase; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036208; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/informacion_general.php?"; nocase; content:"id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.org/files/view/97188/phpig-sql.txt; classtype:web-application-attack; sid:2012160; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_07, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.changeip .co Domain"; flow:established,to_server; http.host; content:".changeip.co"; endswith; reference:url,changeip.com; classtype:bad-unknown; sid:2036209; rev:1; metadata:attack_target Client_and_Server, created_at 2022_04_14, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Jetpack/Twentyfifteen Possible XSS Request"; flow:established,to_server; http.uri; content:"/genericons/example.html"; endswith; fast_pattern; reference:url,blog.sucuri.net/2015/05/jetpack-and-twentyfifteen-vulnerable-to-dom-based-xss.html; classtype:web-application-attack; sid:2021062; rev:5; metadata:created_at 2015_05_07, updated_at 2020_09_15;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lyceum Golang HTTP Backdoor Connectivity Check"; flow:established,to_server; http.method; http.request_line; content:"POST /GO/"; fast_pattern; content:".php"; endswith; http.accept_enc; bsize:1; content:"*"; http.content_len; bsize:1; content:"0"; reference:url,research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/; classtype:command-and-control; sid:2035957; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_14, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Backdoor, updated_at 2022_04_14;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Blind Server-Side Request Forgery"; flow:established,to_server; http.uri; content:"/xmlrpc/pingback"; endswith; http.request_body; content:"<methodCall>"; content:"<methodName>pingback.ping</methodName>"; fast_pattern; content:"<value>http://"; content:"<value>http://"; distance:0; reference:url,exploit-db.com/raw/44945/; classtype:attempted-user; sid:2025759; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_06_27, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO URL Shortening Service Domain in DNS Lookup (maxiurl .com)"; dns.query; content:"maxiurl.com"; nocase; bsize:11; classtype:misc-activity; sid:2036226; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; http.uri; content:"/admin/moduleinterface.php"; fast_pattern; endswith; http.request_body; content:"<?php system($_GET["; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed URL Shortening Service Domain (maxiurl .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"maxiurl.com"; bsize:11; fast_pattern; classtype:misc-activity; sid:2036227; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, signature_severity Informational, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Online Trade - Information Disclosure"; flow:established,to_server; http.uri; content:"/dashboard/deposit"; fast_pattern; endswith; reference:cve,2018-12905; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-recon; sid:2025783; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (bnt2 .live)"; dns.query; content:"bnt2.live"; nocase; bsize:9; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036231; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ShopNx - Arbitrary File Upload"; flow:established,to_server; http.uri; content:"/api/media"; fast_pattern; endswith; http.request_body; content:"<script"; reference:cve,2018-12519; reference:url,exploit-db.com/exploits/44978/; classtype:web-application-attack; sid:2025784; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (signin .dedyn .io)"; dns.query; content:"signin.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036232; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:".dtd|22|>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (archery .dedyn .io)"; dns.query; content:"archery.dedyn.io"; nocase; bsize:16; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036233; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE html PUBLIC |22|-//W3C//DTD XHTML 1.0 Transitional//EN|22|"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .vinam .me)"; dns.query; content:"market.vinam.me"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036234; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*ftp\x3a\x2f\x2f/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Hilal RAT Domain (market .dedyn .io)"; dns.query; content:"market.dedyn.io"; nocase; bsize:15; reference:url,about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf; classtype:trojan-activity; sid:2036235; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family HilalRAT, performance_impact Low, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"<?xml"; content:"<!DOCTYPE data SYSTEM"; pcre:"/^[^>]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; content:"<data>&send|3b|</data>"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_09_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon APT Related Maldoc Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".db2"; endswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,db9df7f1bcfba0346d9e7de729c018a2; reference:url,twitter.com/500mk500/status/1515002456882786310; classtype:trojan-activity; sid:2036228; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Pre-auth User Information Leakage"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/search/index?q="; distance:0; isdataat:1,relative; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:!"Referer"; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; reference:url,github.com/rapid7/metasploit-framework/pull/11466; classtype:web-application-attack; sid:2027348; rev:4; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Minor, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Bluebox Data Exfiltration"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?ver="; fast_pattern; content:"corp="; content:"os="; content:"softid="; content:"hid="; content:"macadd="; content:"md5="; content:"rand="; content:"subid="; http.user_agent; content:"IEhook"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,b13718f353c8c0ea51a15733e035199e; classtype:pup-activity; sid:2036236; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category ADWARE_PUP, performance_impact Low, signature_severity Minor, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Prime Infrastruture RCE - CVE-2019-1821"; http.method; content:"POST"; http.uri; content:"/servlet/UploadServlet"; depth:22; endswith; fast_pattern; http.header; content:"Destination-Dir|3a 20|tftpRoot"; http.request_body; content:"String(|22|/bin/"; content:"new Socket(|22|"; distance:0; content:"Runtime.getRuntime().exec("; distance:0; http.content_type; content:"multipart/form-data|3b|"; startswith; http.header_names; content:!"Referer"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce; classtype:web-application-attack; sid:2027368; rev:4; metadata:attack_target Server, created_at 2019_05_20, cve 2019_1821, deployment Perimeter, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY [TW] IPFS Protocol HTTP Headers Observed"; flow:established,to_client; http.header_names; content:"|0d 0a|X-Ipfs-"; nocase; fast_pattern; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036229; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian JIRA Template Injection RCE (CVE-2019-11581)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/secure/ContactAdministrators"; fast_pattern; content:".jspa"; endswith; http.request_body; content:"subject="; content:"|2e|forName"; distance:0; content:"java.lang.Runtime"; distance:2; within:23; content:"|2e|getMethod"; distance:2; within:16; content:"getRuntime"; distance:1; within:16; content:"|2e|exec"; distance:0; content:"|2e|waitFor"; distance:0; reference:url,medium.com/@ruvlol/rce-in-jira-cve-2019-11581-901b845f0f; reference:url,confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html; reference:cve,CVE-2019-11581; classtype:attempted-admin; sid:2027711; rev:5; metadata:attack_target Web_Server, created_at 2019_07_15, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY [TW] IPFS File Request Observed"; flow:established,to_server; http.uri; content:"/ipfs/"; fast_pattern; pcre:"/^[a-z0-9]{40,}/Ri"; threshold: type threshold, track by_src, count 10, seconds 30; classtype:misc-activity; sid:2036230; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_15, deployment Perimeter, former_category POLICY, signature_severity Informational, updated_at 2022_04_15;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/uploadplugin.action"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file_"; content:"Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a 50 4b 03 04|"; distance:0; reference:url,www.corben.io/atlassian-crowd-rce/; reference:cve,CVE-2019-11580; classtype:attempted-admin; sid:2027712; rev:3; metadata:attack_target Web_Server, created_at 2019_07_16, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed Bumblebee Loader User-Agent (bumblebee)"; flow:established,to_server; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; reference:url,blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/; classtype:trojan-activity; sid:2036237; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, malware_family Bumblebee_Loader, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"type="; content:"lien_2="; fast_pattern; nocase; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//i"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:7; metadata:created_at 2011_09_19, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (hojimizeg .com)"; dns.query; content:"hojimizeg.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036238; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla  com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; nocase; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_hello"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_20, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (notixow .com)"; dns.query; content:"notixow.com"; nocase; bsize:11; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:domain-c2; sid:2036239; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_jeformcr"; fast_pattern; nocase; content:"view="; nocase; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (rewujisaf .com)"; dns.query; content:"rewujisaf.com"; nocase; bsize:13; reference:url,www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/; classtype:trojan-activity; sid:2036240; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_bsadv"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matrix Max Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/gate.php"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; http.request_body; content:"zipx=UEsDBBQ"; startswith; fast_pattern; reference:md5,e8573f06d342ae05ece8d1be111669c4; reference:url,twitter.com/James_inthe_box/status/1516049381539004418; classtype:trojan-activity; sid:2036245; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment SSLDecrypt, former_category MALWARE, malware_family Matrix_Max, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/index.php?"; nocase; content:"option=com_mailchimpccnewsletter"; fast_pattern; nocase; content:"controller="; nocase; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:4; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_08_03, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE - Trojan.Proxy.PPAgent.t (updateb)"; flow:established,to_server; http.uri; content:"/updateb.php?p="; nocase; pcre:"/updateb\.php\?p=\d/i"; flowbits:isset,BT.ppagent.updatea; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; http.uri; content:"/core/Loader.php?"; fast_pattern; nocase; content:"g="; content:"s="; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:5; metadata:created_at 2012_11_28, updated_at 2020_09_17;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/admin/admin_header.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:5; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
 
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"D="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/ajax_list_tree.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:4; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; http.uri; content:"php?i="; content:"&v="; content:"&win=Windows"; content:"&un="; content:"&uv="; content:"&s="; content:"&onl="; content:"&ip="; content:"&f="; reference:url,doc.emergingthreats.net/2007700; classtype:command-and-control; sid:2007700; rev:7; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/includes/previews_functions.php?"; nocase; content:"root_folder_path="; fast_pattern; nocase; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//i"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:4; metadata:created_at 2012_12_08, updated_at 2020_09_17;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Rat CnC Exfil"; flow:established,to_server; content:"|00 00 00|ent4rme"; offset:2; depth:10; fast_pattern; content:"|20 7c 20|"; distance:0; content:"|23|runtimebroker"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036241; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/dispatch.php?"; nocase; content:"atkaction=search"; fast_pattern; nocase; content:"atknodetype="; nocase; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pointpack.kr Related Trojan Checkin"; flow:established,to_server; http.uri; content:"php?"; content:"kind="; content:"&pid="; content:"&ver="; content:"&uniq="; content:"&addresses="; content:"&hdmacid="; content:"&dllver="; content:"&subv="; reference:url,doc.emergingthreats.net/2008260; classtype:command-and-control; sid:2008260; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/consulta_fact.php?"; nocase; fast_pattern; content:"fact_num="; nocase; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; http.uri; content:"m="; content:"&a="; content:"&r="; content:"&os="; content:"00000"; pcre:"/\/s_\d\d_\d+\?/"; pcre:"/&os=[0-9a-z]{40}/i"; reference:url,doc.emergingthreats.net/2008412; classtype:command-and-control; sid:2008412; rev:6; metadata:created_at 2010_07_30, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newinventario.php?"; nocase; fast_pattern; content:"sn="; nocase; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Password Stealer (PSW.Win32.Magania Family) GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"pass="; content:"type="; content:"host="; content:"port="; content:"name="; content:"pc="; content:"user="; content:"ip="; content:"version="; http.header; content:"User-Agent|3a| NR"; reference:url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania; reference:url,doc.emergingthreats.net/2009094; classtype:trojan-activity; sid:2009094; rev:8; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/newtransact.php?"; nocase; fast_pattern; content:"ref="; nocase; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_08, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_17;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Swizzor Family GET"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"szclientid="; content:"szmac="; content:"szusername="; content:"szver="; content:"mode="; content:"value="; content:"systype="; content:"rid="; content:"szname="; content:"szpaname="; content:"palen="; content:"szpapaname="; content:"chksum="; reference:md5,ed06e3cd6f57fc260194bf9fa224181e; reference:url,doc.emergingthreats.net/2009441; classtype:trojan-activity; sid:2009441; rev:7; metadata:created_at 2010_07_30, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/hava_user.php?"; nocase; fast_pattern; content:"userId="; nocase; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirus2010 Checkin port 8082"; flow:established,to_server; http.uri; content:"/ask?"; content:"&u="; content:"a="; content:"&m="; content:"&h="; reference:url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/; reference:url,doc.emergingthreats.net/2011473; classtype:command-and-control; sid:2011473; rev:5; metadata:created_at 2010_09_29, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"module="; nocase; content:"view="; nocase; content:"having="; nocase; fast_pattern; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Java Archive sent when remote host claims to send an image"; flow:established,to_client; http.content_type; content:!"application/java-archive"; content:"image"; nocase; startswith; file.data; content:"PK"; depth:2; content:"META-INF/MANIFEST"; distance:0; fast_pattern; classtype:trojan-activity; sid:2014288; rev:6; metadata:created_at 2012_02_28, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/ssi_examples.php?"; nocase; fast_pattern; content:"view="; nocase; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_12_14, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
 
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:established,to_client; flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:5; metadata:created_at 2012_04_28, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/group/members.php?"; nocase; fast_pattern; content:"id="; nocase; content:"query="; nocase; pcre:"/query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/i"; reference:url,securityfocus.com/bid/56718; classtype:web-application-attack; sid:2016156; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_09_18;)
 
-#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT SNET EK Downloading Payload"; flow:established,to_server; http.uri; content:"get"; content:"?src="; fast_pattern; distance:0; content:"snet"; endswith; pcre:"/\?src=[a-z]+snet$/"; http.user_agent; content:" WinHttp.WinHttpRequest"; classtype:exploit-kit; sid:2016566; rev:5; metadata:created_at 2013_03_14, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt"; flow:established,to_server; content:"|2e 2e 2f|"; depth:200; http.uri; content:"/up.php?del="; nocase; fast_pattern; content:"del="; nocase; reference:url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html; classtype:web-application-attack; sid:2016198; rev:5; metadata:created_at 2013_01_12, updated_at 2020_09_18;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file.data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri"; content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:exploit-kit; sid:2017177; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_collector"; nocase; fast_pattern; content:"view="; nocase; reference:url,exploit-db.com/exploits/24228/; classtype:web-application-attack; sid:2016288; rev:5; metadata:created_at 2013_01_25, updated_at 2020_09_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Neurevt.A/Betabot Check-in 4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:!".aspx"; http.user_agent; content:!"SmadavStat"; http.host; content:!"lavasoft.com"; http.request_body; content:!"Zerto.ZVM"; content:!"id1="; content:"1="; content:"2="; distance:0; content:"3="; distance:0; content:"4="; distance:0; fast_pattern; pcre:"/&(?P<vname>[a-z]+)1=[A-F0-9]+&(?P=vname)2=[A-F0-9]+&(?P=vname)3=[A-F0-9]+&(?P=vname)4=[A-F0-9]/"; http.content_type; content:"application/x-www-form-urlencoded"; http.header_names; content:"|0d 0a|Content-Type|0d 0a|"; depth:16; content:!"Referer"; content:!"Accept"; reference:md5,5eada3ed47d7557df375d8798d2e0a8b; classtype:trojan-activity; sid:2018784; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_07_25, deployment Perimeter, former_category TROJAN, malware_family Neurevt, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade.php"; nocase; fast_pattern; http.header; content:"Origin|3a|"; http.request_body; content:"&customerid="; nocase; content:"&htmlsubmit="; content:"username"; nocase; content:"confirmpassword"; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:4; metadata:created_at 2013_10_10, updated_at 2020_09_21;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)"; flow:established,to_client; tls.cert_serial; content:"1F:23:9D:BD"; tls.cert_subject; content:"O=assylias.Inc"; fast_pattern; reference:md5,4e5c28fab23b35dea2d48a1c2db32b56; reference:md5,b102c26e04e97bda97b11bfe7366e61e; classtype:trojan-activity; sid:2020728; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_23, deployment Perimeter, former_category MALWARE, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; http.uri; content:"/WEB-INF/web.xml"; nocase; fast_pattern; http.uri.raw; content:"|2e 2e 2f|"; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:4; metadata:created_at 2013_10_17, updated_at 2020_09_21;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK Jun 14 2016"; flow:established,to_client; file.data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R"; content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:exploit-kit; sid:2022898; rev:5; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2016_06_15, deployment Perimeter, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; http.uri; content:"cmd="; nocase; content:"pwd=dayoff"; nocase; fast_pattern; pcre:"/[&?]pwd=dayoff(?:&|$)/i"; pcre:"/[&?]cmd=/i"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:5; metadata:created_at 2013_12_06, updated_at 2020_09_22;)
 
-#alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO QUIC UDP Internet Connections Protocol Client Hello (OUTBOUND)"; flow:to_server; content:"|80 01|CHLO"; content:"PAD"; content:"SNI"; content:"CCS"; content:"PDMD"; content:"VERS"; nocase; flowbits:set,ET.QUIC.FirstClientHello; reference:url,tools.ietf.org/html/draft-tsvwg-quic-protocol-00; classtype:protocol-command-decode; sid:2022996; rev:2; metadata:attack_target Client_Endpoint, created_at 2016_08_01, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS JCE Joomla Extension"; flow:to_server,established; http.uri; content:".php"; content:"option="; content:"&task="; content:"&plugin=imgmanager"; content:"&file="; content:"&version="; content:"&cid="; http.request_body; content:"folderRename"; fast_pattern; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:web-application-attack; sid:2018326; rev:5; metadata:created_at 2014_03_26, updated_at 2020_09_24;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323,3323,4323] (msg:"ET HUNTING SUSPICIOUS Path to BusyBox"; flow:established,to_server; content:"/bin/busybox"; flowbits:set,ET.telnet.busybox; threshold: type limit, count 1, track by_src, seconds 30; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2016-August/027524.html; classtype:suspicious-filename-detect; sid:2023016; rev:2; metadata:attack_target Server, created_at 2016_08_08, deployment Datacenter, former_category TELNET, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TimThumb Remote Command Execution"; flow:established,to_server; http.uri; content:".php"; content:"webshot="; fast_pattern; content:"src="; content:"|24 28|"; pcre:"/[&?]src=https?[^&]+\x24\x28/"; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:attempted-user; sid:2018605; rev:4; metadata:created_at 2014_06_26, updated_at 2020_09_24;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023271; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Huge IT Image Gallery 1.0.0 SQL Injection"; flow:established,to_server; http.uri; content:"wp-admin/admin.php"; content:"page=gallerys_huge_it_gallery"; fast_pattern; content:"task=edit_cat"; content:"removeslide="; reference:url,packetstormsecurity.com/files/128118/wphugeitig-sql.txt; classtype:web-application-attack; sid:2019139; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_09_09, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023272; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Webmin Directory Traversal"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/save_env.cgi"; fast_pattern; http.request_body; content:"&user="; content:"|2e 2e 2f|"; distance:0; reference:url,sites.utexas.edu/iso/2014/09/09/arbitrary-file-deletion-as-root-in-webmin/; classtype:misc-attack; sid:2019157; rev:5; metadata:created_at 2014_09_10, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023273; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt URI"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019364; rev:4; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b641)"; flow:established,to_client; file.data; content:"x7soyTdaNq94NWpdLGZ4NWpd"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023274; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Bugzilla token.cgi HPP e-mail validation bypass Attempt Client Body"; flow:to_server,established; http.uri; content:"/token.cgi"; nocase; http.request_body; content:"&realname=login_name"; nocase; fast_pattern; reference:url,blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/; classtype:web-application-attack; sid:2019365; rev:7; metadata:created_at 2014_10_08, updated_at 2020_09_25;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b642)"; flow:established,to_client; file.data; content:"MlADchNaR0LGZ4NWpdLGZ4N"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023275; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download"; flow:established,to_server; http.uri; content:"/admin-ajax.php?"; fast_pattern; content:"slider_show_image"; pcre:"/^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rim"; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:6; metadata:created_at 2015_01_21, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK Slight Sep 22 2016 (b643)"; flow:established,to_client; file.data; content:"azTEhyWNbKGpdLGZ4NWpdLG"; flowbits:set,SunDown.EK; classtype:exploit-kit; sid:2023276; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_09_22, deployment Perimeter, malware_family SunDown, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress PingBack Possible GHOST attempt"; flow:established,to_server; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; content:"<string>"; pcre:"/^\s*?https?\x3a\/\//Rs"; isdataat:1024,relative; content:!"|2f|"; within:1024; content:!"</string>"; within:1033; pcre:"/^\d[\d\x2e]{255}/R"; classtype:web-application-attack; sid:2020327; rev:8; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_01_28, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_29;)
 
-#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Evil Redirector Leading to EK March 15 2017 M2"; flow:established,to_client; file.data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri"; content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:exploit-kit; sid:2024093; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_03_17, deployment Perimeter, former_category CURRENT_EVENTS, performance_impact Low, signature_severity Major, tag Redirector, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS FancyBox Remote Code Inclusion POST Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/admin-post.php?page=fancybox-for-wordpress"; fast_pattern; http.request_body; content:"INPUTBODY|3a|"; content:"action=update"; content:"mfbfw"; content:"extraCalls"; nocase; reference:url,blog.sucuri.net/2015/02/zero-day-in-the-fancybox-for-wordpress-plugin.html; classtype:attempted-admin; sid:2020368; rev:7; metadata:created_at 2015_02_05, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643"; flow:established,to_client; file.data; content:"|4e6f636e636f4d7a49334e6a6370|"; pcre:"/(?:NocncoMjE3Ni|Y2hydygyMTc2K|jaHJ3KDIxNzYp)/"; classtype:exploit-kit; sid:2024361; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_06_07, deployment Perimeter, former_category CURRENT_EVENTS, malware_family Exploit_Kit, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Cacti Superlinks Plugin SQL Injection"; flow:established,to_server; http.uri; content:"/superlinks.php?"; nocase; fast_pattern; pcre:"/[?&]id=\d*?[^\d]\d*?(?:&|$)/i"; reference:url,www.exploit-db.com/exploits/33809/; classtype:attempted-user; sid:2018612; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_06_27, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_29;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017"; flow:established,to_client; flowbits:isset,ET.DisDain.EK; http.stat_code; content:"200"; file.data; content:"document.write("; content:"w6UKpvNSUQKuCVmSVlTLELdj"; distance:0; within:75; classtype:exploit-kit; sid:2024612; rev:4; metadata:created_at 2017_08_23, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Drupal Object Unserialize Exploit Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/user/login"; http.request_body; content:"username"; content:"SelectQuery"; fast_pattern; http.content_type; content:"application/vnd.php.serialized"; bsize:30; reference:url,www.ambionics.io/blog/drupal-services-module-rce; classtype:web-application-attack; sid:2024039; rev:4; metadata:affected_product Drupal_Server, attack_target Server, created_at 2017_03_08, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Minor, updated_at 2020_10_08;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; flowbits:isset,ETPTadmoney; http.stat_code; content:"200"; file.data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12; depth:4; classtype:pup-activity; sid:2024699; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_11, deployment Internet, former_category ADWARE_PUP, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla 3.7.0 - Sql Injection (CVE-2017-8917)"; flow:to_server,established; http.uri; content:".php?"; content:"option="; content:"view="; content:"layout="; content:"&list[fullordering]="; fast_pattern; pcre:"/&list\[fullordering\]=(?:[a-zA-Z0-9])*[\x22\x27\x28]/i"; reference:url,blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html; reference:cve,2017-8917; classtype:web-application-attack; sid:2024342; rev:5; metadata:affected_product Joomla, attack_target Web_Server, created_at 2017_06_01, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_10_09;)
 
-#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 3"; flow:established,to_client; content:"|17 03|"; depth:2; content:"|00 40|"; distance:1; within:2; fast_pattern; stream_size:server, >,1789; stream_size:server,<,2124; stream_size:client, >,447; stream_size:client, <,1722; flowbits:isset, FB332502_0; flowbits:unset, FB332502_0; flowbits:set, FB332502_1; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024753; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024808; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
 
-#alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET MALWARE [PTsecurity] Backdoor.Java.Adwind.cu pkt Checker flowbit set 4"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2, >=,1024, 1, relative; byte_test:2, <=,1100, 1, relative; stream_size:server, >,1889; stream_size:server, <,2124; stream_size:client, >,1476; stream_size:client, <,1722; flowbits:isset, FB332502_1; flowbits:unset, FB332502_1; flowbits:set, FB332502_2; flowbits:noalert; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024754; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_21, deployment Perimeter, former_category TROJAN, malware_family Adwind, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024809; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016"; flow:established,to_client; file.data; content:"Windows Defender Alert"; nocase; fast_pattern; content:"Virus Detected"; nocase; distance:0; content:"Reset Your Computer"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:social-engineering; sid:2024845; rev:4; metadata:created_at 2017_10_16, former_category WEB_CLIENT, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"PUT"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024810; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dyoravdkiavfkbkx in DNS Lookup)"; dns.query; content:"dyoravdkiavfkbkx"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025507; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jsp/"; nocase; fast_pattern; pcre:"/\.jsp\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024811; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (dypmoywmjrevboat in DNS Lookup)"; dns.query; content:"dypmoywmjrevboat"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025508; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".jspx/"; nocase; fast_pattern; pcre:"/\.jspx\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024812; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (jjjooyeohgghgtwn in DNS Lookup)"; dns.query; content:"jjjooyeohgghgtwn"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025509; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt"; flow:to_server,established; http.method; content:"DELETE"; http.uri; content:".shtml/"; nocase; fast_pattern; pcre:"/\.shtml\/[^\x2f]*$/i"; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024813; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (lvanwwbyabcfevyi in DNS Lookup)"; dns.query; content:"lvanwwbyabcfevyi"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025510; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; threshold:type both, track by_dst, count 1, seconds 60; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"new|20|"; nocase; pcre:"/new\s+(java|org|sun)/i"; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035; rev:4; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_12;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (uxwavkmttywsuynt in DNS Lookup)"; dns.query; content:"uxwavkmttywsuynt"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025511; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sem/"; nocase; content:".php"; nocase; content:"uniqueid="; nocase; content:"|3B|"; pcre:"/\/sem\/\w+\.php.*(\?|&)uniqueid=\d*\;/i"; reference:url,www.securityfocus.com/bid/37375/info; reference:url,doc.emergingthreats.net/2010510; classtype:web-application-attack; sid:2010510; rev:6; metadata:created_at 2010_07_30, former_category WEB_SPECIFIC_APPS, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ABUSE.CH Locky C2 Domain (yaynawvtuqcarjwc in DNS Lookup)"; dns.query; content:"yaynawvtuqcarjwc"; depth:16; reference:url,ransomwaretracker.abuse.ch; classtype:command-and-control; sid:2025512; rev:4; metadata:created_at 2018_04_16, former_category MALWARE, updated_at 2022_04_18;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Thumbnail.php?"; nocase; content:"base_path="; nocase; pcre:"/^\s*(ftps?|https?|php)\:\//Ri"; reference:url,securityvulns.com/Odocument913.html; reference:url,doc.emergingthreats.net/2009053; classtype:web-application-attack; sid:2009053; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BKransomware Domain (3whyfziey2vr41yq in DNS Lookup)"; dns.query; content:"3whyfziey2vr41yq"; depth:16; reference:md5,892da86e60236c5aaf26e5025af02513; classtype:trojan-activity; sid:2025559; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_05_07, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/unathenticated/"; http.uri.raw; content:"/unauthenticated//..%01/..%01/..%01/"; reference:url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin; reference:url,doc.emergingthreats.net/2010009; classtype:web-application-attack; sid:2010009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_10_28;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Paypal Phishing Landing Jun 28 2017"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:!"https://*.paypal.com"; http.content_type; content:"text/html"; startswith; file.data; content:"<title>"; content:"|26 23|x50|3b 26 23|x61|3b 26 23|x79|3b 26 23|x50|3b 26 23|x61|3b 26 23|x6C|3b|"; fast_pattern; within:50; content:"</title>"; distance:0; classtype:social-engineering; sid:2025660; rev:5; metadata:attack_target Client_Endpoint, created_at 2017_06_28, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Minor, tag Phishing, updated_at 2022_04_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"&handle=java."; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031144; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_10_30;)
 
-alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt"; flow:established,to_server; http.uri; content:"${"; content:"ognl|2E|"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2022_04_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"%252e%252e%252f"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031145; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_11_06;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Win32/Remcos RAT Checkin 51"; flow:established,to_server; stream_size:server,=,1; content:"|4139 2f55 647c c126 8775 8f|"; depth:11; reference:md5,4f3cc55c79b37a52d8f087dbf7093dcd; classtype:command-and-control; sid:2026433; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_10_02, deployment Perimeter, former_category MALWARE, malware_family Remcos, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT"; flow:established,to_server; http.uri; content:"/account_change.php?"; nocase; fast_pattern; content:"style="; nocase; distance:0; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-2854; reference:url,www.milw0rm.com/exploits/3970; reference:url,doc.emergingthreats.net/2004023; classtype:web-application-attack; sid:2004023; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Kraken C2 Domain Observed (kraken656kn6wyyx in DNS Lookup)"; dns.query; content:"kraken656kn6wyyx"; depth:16; reference:url,go.recordedfuture.com/hubfs/reports/cta-2018-1030.pdf; classtype:command-and-control; sid:2026640; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_11_20, deployment Perimeter, former_category MALWARE, malware_family Ransomware, malware_family Kraken_Ransomware, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE"; flow:established,to_server; http.uri; content:"/usermgr.php?"; nocase; fast_pattern; content:"gid="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-0122; reference:url,www.securityfocus.com/bid/21894; reference:url,doc.emergingthreats.net/2005850; classtype:web-application-attack; sid:2005850; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE JS/Agent.NZH CnC Response"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"File not found.|0a 3c 21 2d 2d|"; within:30; fast_pattern; content:"-->"; distance:0; classtype:command-and-control; sid:2026987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_27, deployment Perimeter, former_category MALWARE, performance_impact Moderate, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT"; flow:established,to_server; http.uri; content:"/user.php?"; nocase; fast_pattern; content:"passwordNew="; nocase; distance:0; content:"UNION"; nocase; distance:0; pcre:"/^\s+SELECT/Ri"; reference:cve,CVE-2006-4575; reference:url,www.securityfocus.com/bid/21870; reference:url,doc.emergingthreats.net/2006022; classtype:web-application-attack; sid:2006022; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"aptgetgxqs3secda"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027351; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE"; flow:established,to_server; http.uri; content:"/members.asp?"; nocase; fast_pattern; content:"sent="; nocase; distance:0; content:"UPDATE"; nocase; distance:0; content:"SET"; nocase; distance:0; reference:cve,CVE-2006-6816; reference:url,www.securityfocus.com/bid/21788; reference:url,doc.emergingthreats.net/2006116; classtype:web-application-attack; sid:2006116; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE ELF.SystemdMiner C2 Domain in DNS Lookup"; dns.query; content:"rapid7cpfqnwxodo"; depth:16; reference:url,blog.netlab.360.com/systemdminer-when-a-botnet-borrows-another-botnets-infrastructure/; classtype:command-and-control; sid:2027352; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2019_05_13, deployment Datacenter, former_category MALWARE, malware_family CoinMiner, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII"; flow:established,to_server; http.uri; content:"/bus_details.asp?"; nocase; fast_pattern; content:"ID="; nocase; distance:0; content:"ASCII("; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2006-6804; reference:url,www.milw0rm.com/exploits/2992; reference:url,doc.emergingthreats.net/2006145; classtype:web-application-attack; sid:2006145; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1) Pico/"; startswith; classtype:trojan-activity; sid:2029306; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_01_22, deployment Perimeter, former_category MALWARE, malware_family Ransomware, signature_severity Major, tag Ransomware, updated_at 2022_04_18, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII"; flow:established,to_server; content:"SELECT"; nocase; distance:0; http.uri; content:"/kullanicilistesi.asp?"; nocase; fast_pattern; content:"ak="; nocase; distance:0; content:"ASCII("; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006829; classtype:web-application-attack; sid:2006829; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, former_category HUNTING, performance_impact Low, signature_severity Informational, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE"; flow:established,to_server; content:"FROM"; nocase; distance:0; http.uri; content:"/aramayap.asp?"; nocase; fast_pattern; content:"kelimeler="; nocase; distance:0; content:"DELETE"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006834; classtype:web-application-attack; sid:2006834; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE ActionSpy CnC (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ps/upinfo"; bsize:10; fast_pattern; http.user_agent; content:"android"; bsize:7; http.header; content:"Content-Encoding|3a 20|encrypted|0d 0a|"; reference:md5,43f1891a9c0d8fc69e273095708d9238; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/; classtype:command-and-control; sid:2030342; rev:2; metadata:attack_target Mobile_Client, created_at 2020_06_15, deployment Perimeter, former_category MOBILE_MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE"; flow:established,to_server; http.uri; content:"/mesajkutum.asp?"; nocase; fast_pattern; content:"mesajno="; nocase; distance:0; content:"DELETE"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:cve,CVE-2006-6270; reference:url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded; reference:url,doc.emergingthreats.net/2006846; classtype:web-application-attack; sid:2006846; rev:10; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Gootkit Activity"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.php?"; startswith; fast_pattern; pcre:"/^[1-z]{13}=[0-9]{16}$/R"; http.user_agent; content:"Mozilla/4.0|20 28|compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5|29|"; http.header_names; content:!"Referer"; reference:md5,82ddc740b8ff3aa4d818d1b421e0231e; classtype:trojan-activity; sid:2033022; rev:2; metadata:created_at 2021_05_24, former_category MALWARE, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT"; flow:established,to_server; http.uri; content:"/modules.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"INSERT"; nocase; distance:0; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6234; reference:url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded; reference:url,doc.emergingthreats.net/2006935; classtype:web-application-attack; sid:2006935; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Observed OWA Phishing Landing Page 2021-08-20"; flow:established,to_client; file.data; content:"<title>Outlook Web App</title>"; fast_pattern; content:"<form action|3d 22|save.php|22|"; content:"method|3d 22|POST|22|"; distance:0; content:"name|3d 22|logonForm|22|"; distance:0; content:"id|3d 22|logonForm|22|"; distance:0; content:"enctype|3d 22|application/x-www-form-urlencoded|22|"; distance:0; content:"autocomplete|3d 22|off|22 3e|"; distance:0; reference:url,app.any.run/tasks/40a14763-96a6-4897-86c4-2b4693a0034b/; classtype:social-engineering; sid:2033748; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_08_20, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/news.php?"; nocase; fast_pattern; content:"pid="; nocase; distance:0; content:"UNION"; nocase; distance:0; content:"SELECT"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7541; reference:bugtraq,32962; reference:url,doc.emergingthreats.net/2009000; classtype:web-application-attack; sid:2009000; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_02;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET [!80,!443] (msg:"ET MALWARE Win32/Numando Banker CnC Activity"; flow:established,to_server; content:"<|7c|>1<|7c|>"; offset:7; content:"<|7c|>Microsoft|20|Windows"; distance:0; content:"<|7c|>0<|7c|>"; distance:0; reference:md5,fec2f560619b88d9846fe03db6841e91; reference:url,www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/; classtype:trojan-activity; sid:2033983; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_09_17, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/scripts/export.php?"; nocase; fast_pattern; content:"ftype="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,secunia.com/advisories/33222; reference:bugtraq,32929; reference:url,doc.emergingthreats.net/2009009; classtype:web-application-attack; sid:2009009; rev:8; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Outdated Browser Landing Page M3"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"!|5c|n|5c|nWebsite work well"; fast_pattern; nocase; reference:url,blog.group-ib.com/perswaysion; classtype:misc-activity; sid:2033998; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_09_21, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/books/getConfig.php?"; nocase; fast_pattern; content:"book_id="; nocase; distance:0; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/7543; reference:bugtraq,32966; reference:url,doc.emergingthreats.net/2009010; classtype:web-application-attack; sid:2009010; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_02;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING IRS Credential Phish Credit Card Payment Data Exfil"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Internal Revenue Service"; nocase; content:"form action=|22|c5.php|22|"; fast_pattern; distance:0; content:"name|3d 22|amount|22 20|value|3d 22 22|"; distance:0; content:"PROCEED"; distance:0; reference:md5,55d8e8f74231e50c479d11683c7ab889; classtype:credential-theft; sid:2034328; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS GitList Argument Injection"; flow:established,to_server; http.request_body; content:"query=--open-files-in-pager"; fast_pattern; content:"php%20"; content:"%22eval"; content:"base64_decode"; reference:url,exploit-db.com/exploits/44993/; classtype:attempted-user; sid:2025820; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_07_10, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> any any (msg:"ET INFO Python BaseHTTP ServerBanner"; flow:established; http.server; content:"BaseHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034635; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Pie Register SQL Injection"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php?page=pie-invitation-codes&orderby="; nocase; content:"&order="; nocase; distance:0; pcre:"/^(?:[a-zA-Z0-9_])*[\x2c\x22\x27\x28]/Ri"; reference:url,www.exploit-db.com/exploits/44867/; classtype:web-application-attack; sid:2025747; rev:4; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2018_06_26, cve cve_2018_10969, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_04;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Kimsuky Related Malicious VBScript"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip"; http.response_body; content:"language|3d|javascript|3e|document|2e|write|28|unescape|28 27|"; content:"%47%65%74%4F%62%6A%65%63%74%28%22%22%6E%65%77%3A"; content:"%2E%76%62%73%20%26%40%65%63%68%6F%20%55%52%4C%20%3D%20%22%22"; distance:0; within:285; fast_pattern; content:"%73%65%6C%66%2E%63%6C%6F%73%65"; reference:md5,d74f268b986fecfa03b81029dd134811; classtype:trojan-activity; sid:2034697; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_13, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS DNN DNNPersonalization Cookie RCE Attempt (CVE-2017-9822)"; flow:established,to_server; http.cookie; content:"DNNPersonalization="; fast_pattern; content:"ObjectStateFormatter"; content:"ObjectDataProvider"; reference:cve,2017-9822; reference:url,f5.com/labs/articles/threat-intelligence/cyber-security/zealot-new-apache-struts-campaign-uses-eternalblue-and-eternalsynergy-to-mine-monero-on-internal-networks?sf176487178; classtype:attempted-admin; sid:2025545; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_04_27, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_11_04;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MuddyWater APT Related Maldoc Checkin M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/getCommand?guid="; startswith; fast_pattern; http.user_agent; content:"|3b 20|ms-office|3b 20|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.header_names; content:!"Referer"; reference:md5,c9ab403bd43649b5fd57efac4bf83b7c; reference:md5,748ae5af58e52e940ab806bdbbe61c4c; reference:url,twitter.com/ShadowChasing1/status/1475819281648553986; classtype:trojan-activity; sid:2034844; rev:3; metadata:attack_target Client_Endpoint, created_at 2021_12_28, deployment Perimeter, former_category MALWARE, malware_family MuddyWater, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2018_04_03, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Metawallet Phish 2022-01-13"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"metawallet"; fast_pattern; content:".php"; endswith; http.request_body; content:"WoRd1="; content:"WoRd2="; distance:0; content:"WoRd3="; distance:0; content:"WoRd4="; distance:0; content:"WoRd5="; distance:0; content:"WoRd6="; distance:0; content:"WoRd7="; distance:0; content:"WoRd8="; distance:0; content:"WoRd9="; distance:0; content:"WoRd10="; distance:0; content:"WoRd11="; distance:0; content:"WoRd12="; distance:0; reference:md5,7ddee3930807ab2a21afe8c5760b2b13; classtype:credential-theft; sid:2034915; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_01_13, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/EJBInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017574; rev:6; metadata:created_at 2013_10_10, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tiggre Variant Activity Sending System Files (POST)"; flow:established,to_server; http.request_line; content:"POST /up/up.php HTTP/1.1"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|boundary=---------------------"; startswith; http.header_names; content:"|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; endswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; http.request_body; content:"form-data|3b 20|name=|22|file|22 3b|"; reference:md5,a023ece310a490a87e77c9bb28b6415b; classtype:trojan-activity; sid:2034962; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_25, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; fast_pattern; http.content_type; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017573; rev:6; metadata:created_at 2013_10_10, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Trojan.Valyria.6015 CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/eln-images/"; startswith; fast_pattern; http.user_agent; content:"WindowsPowerShell/"; http.header_names; content:!"Referer"; reference:md5,a118a3030807156eca8f805b8b83ce1f; classtype:trojan-activity; sid:2035223; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_02_18, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"option=com_edir"; nocase; fast_pattern; distance:0; content:"view="; nocase; distance:0; content:"controller="; nocase; distance:0; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2012_07_13, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_05;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Generic Credential Phish 2022-03-02"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/proccess/log.php"; fast_pattern; http.request_body; content:"FromPreSignIn_SIP=Y"; content:"&RSA_DEVPRINT="; distance:0; content:"&QQ1="; distance:0; reference:md5,023f93be3b12f211c5db927f234290ad; classtype:credential-theft; sid:2035379; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_02, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M1 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"console.portal?"; content:".sh.ShellSession|28|"; distance:0; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-admin; sid:2031143; rev:3; metadata:created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
 
-alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|05|"; depth:1; byte_test:1,&,16,3,relative; content:"|00|"; offset:1; depth:1; content:"|01 00|"; distance:19; within:2; byte_test:4,>,128,20,relative,little; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103158; rev:8; metadata:created_at 2010_09_23, updated_at 2022_04_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".FileSystemXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-admin; sid:2031184; rev:2; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
 
-alert tcp-pkt $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson Rat CnC Server Response"; flow:established,to_client; content:"|00 00 00|ent2rmezi="; offset:2; depth:13; fast_pattern; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,3829791a486b0b9ccb80ffcb7177c19c; reference:url,twitter.com/0xrb/status/1515979150515122178; classtype:command-and-control; sid:2036242; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M4 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.header; content:"|0d 0a|cmd|3a 20|"; fast_pattern; http.request_body; content:"_nfpb=true"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-admin; sid:2031186; rev:1; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Stealer Exfiltration Observed"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/g1nzo.php?"; startswith; fast_pattern; content:"data="; content:"countc="; content:"countp="; content:"country="; content:"ip="; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|Expect|0d 0a|Connection|0d 0a 0d 0a|"; bsize:60; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036246; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M5 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal?"; http.request_body; content:".ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-admin; sid:2031187; rev:1; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_11_06;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Blackguard_v3.5 Domain (ritmflow .online) in TLS SNI"; flow:established,to_server; tls.sni; content:"ritmflow.online"; bsize:15; fast_pattern; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036247; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/administrator/index2.php?"; nocase; fast_pattern; content:"limit="; nocase; content:"limitstart="; nocase; content:"zorder="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_01_03, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
 
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE MSIL/Crimson CnC Server Command (info) M3"; flow:established,to_client; dsize:18; content:"|0d 00 00 00 00|inf2o=command"; threshold:type limit,track by_dst, count 5,seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036243; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php  SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/popup.php?"; nocase; content:"dstfrm="; nocase; content:"dstfld1="; nocase; content:"srctbl="; nocase; content:"srcfld1="; nocase; fast_pattern; content:"only_hostid="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_12_02, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_06;)
 
-alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE MSIL/Crimson Client Command Response (info)"; flow:established,to_server; content:"|00 00 00 00|"; offset:1; depth:4; content:"inx7fo=usder"; distance:0; fast_pattern; content:"|00 00 00 00 7c|"; distance:1; within:5; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,fdd625f11ae39b85d4c0f794e8570abe; classtype:command-and-control; sid:2036244; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, former_category MALWARE, malware_family Crimson, signature_severity Major, tag c2, updated_at 2022_04_18, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?"; nocase; content:"option=com_content"; distance:0; content:"sflDir="; nocase; content:"|2e 2e 2f|"; nocase; distance:0; reference:url,exploit-db.com/exploits/17736; classtype:web-application-attack; sid:2013870; rev:5; metadata:created_at 2011_11_08, updated_at 2020_11_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Blackguard_v3.5 Domain in DNS Lookup (ritmflow .online)"; dns.query; content:"ritmflow.online"; nocase; bsize:15; reference:md5,dce3c6ed046018eac08f82942401123d; reference:url,twitter.com/3xp0rtblog/status/1516092338065612804; classtype:trojan-activity; sid:2036248; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_18, deployment Perimeter, malware_family Blackguard_Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; http.uri; content:"/ibrowser/scripts/random.php?"; nocase; fast_pattern; content:"dir="; nocase; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/files/105196; classtype:web-application-attack; sid:2013757; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_10_11, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful CSIS Credential Phish"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/policy/id1383729472034823098/United-States-Nonpaper-on-Iran.pdf/"; fast_pattern; http.referer; content:!"csis.org"; http.request_body; content:"email="; content:"password"; classtype:credential-theft; sid:2034255; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_10_26, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/accounts/ValidateAnswers?methodToCall=validateAll"; nocase; fast_pattern; http.request_body; content:"&Hide_Captcha=0"; nocase; content:"&LOGIN_NAME="; nocase; distance:0; content:"&quesList="; nocase; distance:0; reference:url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities; reference:cve,2010-3272; classtype:web-application-attack; sid:2012979; rev:4; metadata:created_at 2011_06_09, updated_at 2020_11_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; http.uri; content:"utl_inaddr.get_host"; nocase; fast_pattern; classtype:attempted-admin; sid:2015749; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2012_09_28, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/devtools/qooxdoo-sdk/framework/source/resource/qx/test/part/delay.php?"; nocase; fast_pattern; content:"sleep="; nocase; distance:0; content:"file="; nocase; distance:0; http.uri.raw; content:"..%2f"; reference:url,secunia.com/advisories/43818; classtype:web-application-attack; sid:2012657; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2011_04_11, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, updated_at 2020_11_06;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/%2e%2e/%2e%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,twitter.com/HackerGautam/status/1445412108863041544; reference:cve,2021-41773; classtype:attempted-admin; sid:2034124; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-runnow-iframe.php?wpabs=/"; nocase; content:"%00&"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012407; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
-alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/.%2e/.%2e/.%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,github.com/iilegacyyii/PoC-CVE-2021-41773/blob/main/CVE-2021-41773.py; reference:cve,2021-41773; classtype:attempted-admin; sid:2034125; rev:4; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/options-view_log-iframe.php?wpabs=/"; nocase; content:"%00&logfile=/"; distance:0; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
-alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/.%2e/"; reference:cve,2021-41773; classtype:attempted-admin; sid:2034128; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2021_10_06, cve CVE_2021_41773, deployment Perimeter, deployment Internet, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_18;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/components/com_banners/banners.class.php?"; nocase; content:"mosConfig_absolute_path="; nocase; distance:0; pcre:"/^\s*(ftps?|https?|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt; classtype:web-application-attack; sid:2011929; rev:5; metadata:created_at 2010_11_19, updated_at 2020_11_07;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Header"; flow:to_server,established; http.header; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036223; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"pageid="; nocase; distance:0; content:"mailform_send="; nocase; distance:0; content:"confirm_value="; nocase; distance:0; content:"mailform_1="; nocase; distance:0; fast_pattern; pcre:"/^.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ri"; reference:url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt; classtype:web-application-attack; sid:2011927; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_11_19, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_11_07;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP Body"; flow:to_server,established; http.request_body; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036224; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Significant, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php?"; nocase; fast_pattern; content:"album_user_id="; nocase; content:"album_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt; classtype:web-application-attack; sid:2011839; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_10_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING Potential Forced OGNL Evaluation - HTTP URI"; flow:to_server,established; http.uri; content:"|25 7b|"; fast_pattern; content:"|7d|"; distance:0; classtype:misc-activity; sid:2036222; rev:2; metadata:created_at 2022_04_14, deprecation_reason Performance, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2020-8518 (Horde Groupware RCE)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"data.php"; endswith; http.request_body; content:"|22 3b 20|filename=|22|"; content:"|2e|passthru|28|"; content:"|2e|die|28 29 3b|"; distance:0; http.header_names; content:"horde_secret_key|0d 0a|"; nocase; fast_pattern; reference:url,cardaci.xyz/advisories/2020/03/10/horde-groupware-webmail-edition-5.2.22-rce-in-csv-data-import/; reference:cve,2020-8518; classtype:attempted-admin; sid:2029636; rev:3; metadata:attack_target Web_Server, created_at 2020_03_13, cve 2020_8518, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_12;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)"; flow:established,to_server; tls.sni; content:"nominally.ru"; bsize:12; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:domain-c2; sid:2036249; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt"; flow:established,to_server; http.uri; content:"/wp-admin/admin.php"; nocase; content:"page="; nocase; distance:0; pcre:"/\x2Fwp\x2Dadmin\x2Fadmin\x2Ephp.+page\x3D(?:\x2Fcollapsing\x2Darchives\x2Foptions\x2Etxt|akismet\x2Freadme\x2Etxt|related\x2Dways\x2Dto\x2Dtake\x2Daction\x2Foptions\x2Ephp|wp\x2Dsecurity\x2Dscan\x2Fsecurityscan\x2Ephp)/i"; reference:url,www.securityfocus.com/bid/35584; reference:cve,2009-2334; reference:url,doc.emergingthreats.net/2010728; classtype:web-application-attack; sid:2010728; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|ginzoarchive|2e|zip|22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; fast_pattern; reference:md5,b918a1b21063907a9bbf4dda8259bd78; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036250; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt"; flow:established,to_server; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; distance:0; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010673; classtype:web-application-attack; sid:2010673; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Downloading Additional Payloads"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; dotprefix; content:".nominally.ru"; endswith; fast_pattern; reference:url,blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html; classtype:trojan-activity; sid:2036251; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010672; classtype:web-application-attack; sid:2010672; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M1"; flow:established,to_server; http.uri; content:".asp?prd_fld=racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036257; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010670; classtype:web-application-attack; sid:2010670; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected TA404 APT Related Activity M2"; flow:established,to_server; http.uri; content:".jsp?prd_fld_racket"; endswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; http.user_agent; content:!"Linux"; content:!"Android"; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical; classtype:trojan-activity; sid:2036258; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt"; flow:established,to_server; content:"INTO"; nocase; content:"OUTFILE"; nocase; distance:0; http.uri; content:"/zport/dmd/Events/getJSONEventsInfo"; nocase; content:"severity="; nocase; reference:url,www.securityfocus.com/bid/37802/info; reference:url,doc.emergingthreats.net/2010669; classtype:web-application-attack; sid:2010669; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (dafom .dev)"; dns.query; content:"dafom.dev"; nocase; bsize:9; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036259; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010134; classtype:web-application-attack; sid:2010134; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Observed DPRK Related APT User-Agent (dafom)"; flow:established,to_server; http.user_agent; content:"dafom"; bsize:5; fast_pattern; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:bad-unknown; sid:2036260; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, deployment SSLDecrypt, former_category USER_AGENTS, signature_severity Informational, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; http.uri; content:"/dispatch.php?atknodetype=reports.weekreport"; nocase; content:"userid="; nocase; distance:0; reference:url,securitytracker.com/alerts/2009/Oct/1023017.html; reference:url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt; reference:url,www.securityfocus.com/bid/36660/info; reference:cve,2009-2734; reference:url,doc.emergingthreats.net/2010133; classtype:web-application-attack; sid:2010133; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_11_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (tokenais .com)"; dns.query; content:"tokenais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036261; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1"; flow:established,to_server; http.method; content:"GET"; depth:3; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"descriptorByName/"; distance:0; content:"checkScriptCompile"; distance:0; content:"value=|40|GrabConfig"; distance:0; content:"|40|GrabResolver|28|"; distance:0; content:"|27|http"; within:60; content:"|27 29 0a 40|Grab|28|"; distance:0; http.header_names; content:!"Referer"; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027349; rev:5; metadata:attack_target Server, created_at 2019_05_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (cryptais .com)"; dns.query; content:"cryptais.com"; nocase; bsize:12; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036262; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins RCE CVE-2019-1003000"; flow:established,to_server; http.method; content:"POST"; depth:4; endswith; http.uri; content:"config.xml"; endswith; http.request_body; content:"|3c|script|3e 0a|"; content:"import|20|org|2e|buildobjects|2e|process|2e|ProcBuilder"; distance:0; fast_pattern; content:"|40|Grab|28 27|org|2e|buildobjects|3a|jproc|3a|"; distance:0; content:"|27 29 0a|"; within:12; content:"print|20|new|20|ProcBuilder|28 22 2f|"; distance:0; content:"|22 29 2e|run|28 29|"; within:200; content:"|2e|getOutputString|28|"; within:18; content:"|3c 2f|script|3e|"; within:30; reference:url,github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; classtype:web-application-attack; sid:2027346; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2019_1003000, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_11_19;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (alticgo .com)"; dns.query; content:"alticgo.com"; nocase; bsize:11; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036263; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache CouchDB Remote Code Execution 1"; flow:established,to_server; http.uri; content:"/_users/org.couchdb.user|3a|"; http.request_body; content:"|22|roles|22 3a 20 5b 22 5f|admin|22 5d 2c|"; fast_pattern; content:"password"; reference:cve,2017-12635; classtype:attempted-user; sid:2025740; rev:4; metadata:attack_target Web_Server, created_at 2018_06_25, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (esilet .com)"; dns.query; content:"esilet.com"; nocase; bsize:10; reference:url,www.cisa.gov/uscert/ncas/current-activity/2022/04/18/north-korean-state-sponsored-apt-targets-blockchain-companies; classtype:domain-c2; sid:2036264; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MOBILE_MALWARE, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT"; flow:established,to_server; http.uri; content:"/lire-avis.php?"; nocase; content:"aa="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2006-6519; reference:url,www.securityfocus.com/bid/21516; reference:url,doc.emergingthreats.net/2006353; classtype:web-application-attack; sid:2006353; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (vasepinay .com)"; dns.query; content:"vasepinay.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036265; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII"; flow:established,to_server; http.uri; content:"/forum.php?"; nocase; content:"c="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-1555; reference:url,www.milw0rm.com/exploits/3519; reference:url,doc.emergingthreats.net/2004168; classtype:web-application-attack; sid:2004168; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Cobalt Strike Related Domain in DNS Lookup (dixavokij .com)"; dns.query; content:"dixavokij.com"; nocase; bsize:13; reference:url,twitter.com/Max_Mal_/status/1514729699011928073; classtype:domain-c2; sid:2036266; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/mods/hours/data/get_hours.php?"; nocase; content:"take="; nocase; content:"skip="; nocase; content:"pageSize="; nocase; content:"id="; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/i"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:6; metadata:created_at 2012_04_28, updated_at 2022_05_03;)
 
-alert tcp any any -> any 3389 (msg:"ET SCAN RDP Connection Attempt from Nmap"; flow:established,to_server; content:"|00 00 00 00 00|Cookie|3a 20|mstshash|3d|nmap|0d 0a|"; fast_pattern; reference:url,github.com/nmap/nmap/blob/4b46fa7097673f157e7b93e72f0c8b3249c54b4c/nselib/rdp.lua#L211; classtype:network-scan; sid:2036252; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category SCAN, performance_impact Low, signature_severity Minor, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi MVEL Eval RCE Inbound M1 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"|22|script|3a 3a|"; distance:0; fast_pattern; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031219; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (key)"; flow:established,to_server; http.uri; content:"/key"; startswith; bsize:4; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; fast_pattern; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036267; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Unomi OGNL Eval RCE Inbound M2 (CVE-2020-13942)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"condition|22 3a|"; content:"getClass|28|"; distance:0; nocase; content:".runtime"; distance:0; nocase; content:"getDeclaredMethods|28|"; distance:0; fast_pattern; content:".invoke|28|"; distance:0; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031220; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Request To Suspicious Filename via Powershell (payload)"; flow:established,to_server; http.uri; content:"/payload"; startswith; bsize:8; fast_pattern; http.user_agent; content:"Mozilla/"; startswith; content:") WindowsPowerShell/"; distance:0; reference:md5,5ec22f6399ec0c51d120d27ecd26f2be; classtype:bad-unknown; sid:2036268; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Citrix XenMobile Server Directory Traversal Attempt Inbound (CVE-2020-8209)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?sbFileName=../"; fast_pattern; reference:url,github.com/B1anda0/CVE-2020-8209/blob/main/CVE-2020-8209.py; reference:cve,2020-8209; classtype:attempted-admin; sid:2031221; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_8209, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.Filetour Variant Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/A.php"; bsize:6; fast_pattern; http.user_agent; content:"wx"; http.request_body; content:"a"; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036269; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Nette Command Injection Attempt Inbound (CVE-2020-15227)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"nette"; content:"?callback=shell_exec"; distance:0; fast_pattern; reference:url,github.com/hu4wufu/CVE-2020-15227/blob/master/exploit-CVE-2020-15227.py; reference:cve,2020-15227; classtype:attempted-admin; sid:2031222; rev:1; metadata:attack_target Server, created_at 2020_11_19, cve CVE_2020_15227, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/bind/?appid="; depth:18; content:"&version="; distance:0; content:"&hwid="; distance:0; content:"&runid="; distance:0; http.host; content:"dayzcheats.ru"; bsize:13; fast_pattern; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036270; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"application/x-httpd-php"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|"; pcre:"/^[^\r]*?name=[\x22\x27]image_file"\x3b[^(?>\r\n|\n|\r)]*?(?>\r\n|\n|\r)(?>\r\n|\n|\r)?Content-Type: application\/x-httpd-php/Rsi"; reference:url,www.exploit-db.com/exploits/34681/; reference:cve,2014-5460; classtype:trojan-activity; sid:2019728; rev:7; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2014_11_18, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win/Malware.FileTour Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/B.php?a="; content:"&v="; distance:0; content:"&h="; distance:0; content:"&r="; distance:0; reference:md5,467d78992086ffb4194a866981c33be2; classtype:bad-unknown; sid:2036271; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_19, deployment Perimeter, former_category ADWARE_PUP, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M6 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:"com.bea.core.repackaged.springframework.context.support.ClassPathXmlApplicationContext|28|"; fast_pattern; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031245; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_02, cve CVE_2020_14882, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_12_02;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M1"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46ezEyMjEzQkQxLTY5QzctNDg2Mi04NDNELTI2MDUwMEQxREE0MH0|3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036254; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"console.portal"; http.request_body; content:".sh.ShellSession"; fast_pattern; pcre:"/^(?:\x28|%28)/R"; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-admin; sid:2031185; rev:3; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_12_04;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M1"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW46"; fast_pattern; content:!"|0d 0a|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036255; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible KLOG Server RCE Inbound (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|"; startswith; content:"%22%26"; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031590; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Stack Overflow in Base64 Authorization Mechanism M2"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"auInfo|3d|YWRtaW46"; fast_pattern; content:!"|3b|"; within:500; http.request_body; content:"|3c 3f|xml|20|"; startswith; content:"clientType|3d 22|WEB|22|"; distance:0; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036256; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS KLOG Server RCE Public POC Inbound - Possible Scanning (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|unsafe+"; startswith; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031591; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editBlackAndWhiteList"; bsize:22; http.request_body; content:"clientType|3d 22|WEB|22 3e|"; content:"|3c|addressType|3e|ip|3c 2f|addressType|3e 3c|ip|3e|"; distance:0; fast_pattern; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036253; rev:2; metadata:created_at 2022_04_19, updated_at 2022_04_19;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Liferay Unauthenticated RCE via JSONWS Inbound (CVE-2020-7961)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/jsonws/"; http.request_body; content:".c3p0.WrapperConnectionPoolDataSource"; fast_pattern; content:"&defaultData.userOverridesAsString=HexAsciiSerializedMap|3a|"; distance:0; reference:url,www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html; reference:cve,2020-7961; classtype:attempted-admin; sid:2031592; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_7961, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_01_29;)
 
-alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc Login Attempt"; flow:established,to_server; stream_size:server,<,5; dsize:38; content:"{D79E94C5-70F0-46BD-965B-E17497CCB598}"; startswith; flowbits:set,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036272; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|type|22 3a 20 22|javascript|22|"; fast_pattern; content:"|22|function|22 3a 20|"; pcre:"/^\x22[^\x22]*\x7b[^\x22]*\x7d[^\x22]*\x22[^\x22]*\x22{2}/Rm"; reference:cve,2021-25646; classtype:attempted-admin; sid:2032340; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2021_03_29, cve CVE_2021_25646, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_29;)
 
-alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded Credential ConfigSyncProc System Details Request"; flow:established,to_server; content:"GET /"; startswith; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|1|0d 0a 0d 0a|"; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036273; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011108; classtype:web-application-attack; sid:2011108; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC Hardcoded WebUI Login Attempt M2"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|cm9vdDp7MTIyMTNCRDEtNjlDNy00ODYyLTg0M0QtMjYwNTAwRDFEQTQwfQ|3d 3d|"; fast_pattern; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036274; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011109; classtype:web-application-attack; sid:2011109; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert tcp any any -> $HOME_NET 4567 (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC ConfigSyncProc RCE Attempt"; flow:established,to_server; content:"GET /saveSystemConfig"; depth:21; content:"|0d 0a|{D79E94C5-70F0-46BD-965B-E17497CCB598}|20|2|0d 0a 0d 0a|DAAAAAEAAAADAAAAIQACAAEABA"; distance:0; fast_pattern; flowbits:isset,ET.tvt_stage1; reference:url,raw.githubusercontent.com/mcw0/PoC/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:trojan-activity; sid:2036275; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, created_at 2022_04_19, deployment Perimeter, deployment Internal, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2022_04_19;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011110; classtype:web-application-attack; sid:2011110; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Microsoft Connection Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/connecttest.txt"; bsize:16; http.host; content:"www.msftconnecttest.com"; bsize:23; fast_pattern; classtype:bad-unknown; sid:2031071; rev:2; metadata:created_at 2020_10_21, former_category INFO, performance_impact Low, updated_at 2022_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011111; classtype:web-application-attack; sid:2011111; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"c__"; content:"ENTERWindows"; distance:0; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:trojan-activity; sid:2036277; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/plugins/sip/sipark-log-summary.jsp?"; within:100; nocase; content:"type="; within:50; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:url,www.securiteam.com/securitynews/6T00C0AN5G.html; reference:url,doc.emergingthreats.net/2011112; classtype:web-application-attack; sid:2011112; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2021_04_06;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE DPRK APT Related Domain in DNS Lookup (beastmodser .club)"; dns.query; content:"beastmodser.club"; nocase; bsize:16; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,9f2235f0d07bd903c947b17caa82ded4; classtype:domain-c2; sid:2036278; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache Kylin REST API DiagnosisService Command Injection Inbound (CVE-2020-13925)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/kylin/api/diag/project/%7c%7c"; reference:url,github.com/bit4woo/CVE-2020-13925; reference:cve,2020-13925; classtype:attempted-admin; sid:2033404; rev:1; metadata:created_at 2021_07_24, cve CVE_2020_13925, updated_at 2021_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DPRK APT Related Maldoc Activity (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"Macro_Opened_"; startswith; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/h2jazi/status/1516443236264521740; reference:md5,aa8bd550de4f4dee6ab0bfca82848d44; classtype:trojan-activity; sid:2036279; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2019-0230)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"id=%25%7b%23"; reference:url,github.com/bit4woo/CVE-2020-13925; reference:cve,2019-0230; classtype:attempted-admin; sid:2033405; rev:1; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2021_07_24, cve CVE_2019_0230, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win64/CobaltStrike.Beacon.J CnC Checkin"; flow:established,to_server; http.uri; content:"/apiv8/"; startswith; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; http.header_names; content:!"Referer"; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036281; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Admin Cores"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/admin/cores?_="; startswith; fast_pattern; content:"&indexInfo="; classtype:attempted-recon; sid:2033425; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cobalt Strike X-Client Header (notevil)"; flow:established,to_server; http.header; content:"|0d 0a|X-Client: notevil|0d 0a|"; fast_pattern; reference:url,cert.gov.ua/article/39708; classtype:trojan-activity; sid:2036282; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, malware_family Cobalt_Strike, signature_severity Major, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1001, mitre_technique_name Data_Obfuscation;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/"; startswith; content:"/dataimport?_="; content:"&command=show-config"; fast_pattern; classtype:attempted-recon; sid:2033426; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.APBB Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//alert/7/"; bsize:10; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:md5,d2e2f0a2e553075d7968e55e15cd49a1; classtype:command-and-control; sid:2036318; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_22;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Solr DataImport Handler Disclose Config URL"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/solr/"; startswith; content:"/dataimport?_="; content:"&command=status"; fast_pattern; classtype:attempted-recon; sid:2033427; rev:1; metadata:attack_target Server, created_at 2021_07_26, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/TrojanDownloader.Agent.RFS Variant Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".bin?ver="; fast_pattern; content:"&lip="; distance:0; content:"&mac="; isdataat:!13,relative; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b 20 2e|NET|20|CLR|20|2|2e|0|2e|50727|3b 29|"; bsize:76; reference:md5,014d2e1a31ce397e7a5e3ba8edc45344; classtype:trojan-activity; sid:2036276; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_20, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig search.crud.php Command Injection (CVE-2019-16663)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/search.crud.php?searchTerm="; http.uri.raw; content:"&catCommand=%22%22"; fast_pattern; reference:cve,2019-16663; classtype:attempted-admin; sid:2033428; rev:1; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_16663, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_07_26;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/STEALBIT Data Exfiltration Tool Activity (PUT)"; flow:established,to_server; http.uri; pcre:"/^\/[A-F0-9]{33}$/"; http.method; content:"PUT"; http.request_body; content:"DAV2"; depth:10; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; reference:url,yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/; reference:url,www.cybereason.com/blog/research/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool; classtype:trojan-activity; sid:2036280; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_20, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_20;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Kibana Prototype Pollution RCE Inbound (CVE-2019-7609)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/api/timelion/run"; fast_pattern; http.request_body; content:"|7b 22|sheet|22|"; startswith; content:".__proto__."; content:"child_process"; distance:0; content:".exec|28|"; distance:0; reference:url,github.com/mpgn/CVE-2019-7609; reference:cve,2019-7609; classtype:attempted-admin; sid:2033452; rev:1; metadata:created_at 2021_07_27, cve CVE_2019_7609, former_category WEB_SPECIFIC_APPS, updated_at 2021_07_27;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Pastebin Style Domain in DNS Lookup (pastetext .net)"; dns.query; content:"pastetext.net"; nocase; bsize:13; classtype:bad-unknown; sid:2036287; rev:1; metadata:created_at 2022_04_21, former_category INFO, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Kibana Path Traversal Inbound (CVE-2018-17246)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/console/api_server?apis=|2e 2e 2f 2e 2e 2f|"; fast_pattern; reference:url,github.com/mpgn/CVE-2018-17246; reference:cve,2018-17246; classtype:attempted-admin; sid:2033453; rev:1; metadata:created_at 2021_07_27, cve CVE_2018_17246, updated_at 2021_07_27;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed Pastebin Style Domain (pastetext .net in TLS SNI)"; flow:established,to_server; tls.sni; content:"pastetext.net"; bsize:13; fast_pattern; classtype:bad-unknown; sid:2036288; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, signature_severity Informational, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Attempt Inbound (CVE-2021-34429)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/WEB-INF/web.xml"; fast_pattern; http.uri.raw; content:"/%u002e/"; startswith; flowbits:set,ET.2021.34429.attempt; reference:cve,2021-34429; classtype:attempted-admin; sid:2033460; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_34429, updated_at 2021_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M1"; flow:established,to_server; http.uri; content:"/baby.php"; startswith; content:"/baby"; endswith; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0)"; startswith; content:"::/.beagle/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036291; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
+alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Successful Exploitation (CVE-2021-34429)"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<web-app>"; fast_pattern; flowbits:isset,ET.2021.34429.attempt; reference:cve,2021-34429; classtype:attempted-admin; sid:2033461; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_34429, updated_at 2021_07_27;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Shuckworm CnC Exfil M2"; flow:established,to_server; http.uri; content:"/begun.php"; startswith; bsize:10; http.user_agent; content:"Mozilla/5.0 (Linux"; startswith; content:"::/.balance/."; endswith; fast_pattern; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:trojan-activity; sid:2036292; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS PHP-Fusion Downloads.php Command Injection (CVE-2020-24949)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/infusions/"; content:"downloads.php?cat_id=|24 7b|system"; fast_pattern; reference:url,github.com/r90tpass/CVE-2020-24949/blob/main/exp.py; reference:cve,2020-24949; classtype:attempted-admin; sid:2033462; rev:1; metadata:created_at 2021_07_27, cve CVE_2020_24949, updated_at 2021_07_27;)
 
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5612 (msg:"ET MALWARE Win32/Pterodo CnC VNC Connect Request"; flow:established,to_server; content:"|49 44 3a|"; depth:3; pcre:"/^\d+?\x00/R"; content:"|3a 5c|"; distance:0; content:"\\Contacts|00|Driver"; fast_pattern; distance:0; content:"Hood.exe"; distance:0; within:10; reference:url,symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine; classtype:command-and-control; sid:2036293; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family Gamaredon, signature_severity Major, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible MobileIron MDM RCE Inbound (CVE-2020-15505)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mifs/|2e 3b|/"; fast_pattern; content:"|63 02 00 48 00 84|"; startswith; content:"B|00|e|00|a|00|n|00|F|00|a|00|c|00|"; content:"r|00|m|00|i|00 3a 00 2f 00 2f|"; distance:0; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2033606; rev:1; metadata:created_at 2021_07_28, cve CVE_2020_15505, updated_at 2021_07_28;)
 
-alert dns $HOME_NET any -> any any (msg:"ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)"; dns.query; content:"pool.hashvault.pro"; nocase; bsize:18; classtype:coin-mining; sid:2036289; rev:1; metadata:created_at 2022_04_21, former_category COINMINER, performance_impact Significant, signature_severity Major, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS rConfig ajaxArchiveFiles.php Command Injection Inbound (CVE-2019-19509)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; fast_pattern; http.uri.raw; content:"/ajaxHandlers/ajaxArchiveFiles.php?path="; pcre:"/^%(?:3B|0A|26|60|7C|24)/Ri"; reference:url,www.exploit-db.com/exploits/47982; reference:cve,2019-19509; classtype:attempted-admin; sid:2033424; rev:3; metadata:attack_target Server, created_at 2021_07_26, cve CVE_2019_19509, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_08_16;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/CrimsonRAT Activity (POST)"; flow:established,to_server; http.request_line; content:"POST /indexer.php HTTP/1.1"; http.request_body; content:"q="; startswith; content:"|7c|ver="; distance:0; fast_pattern; content:"|7c 7c|"; within:4; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent|0d 0a|"; content:!"Accept"; reference:url,twitter.com/0xrb/status/1517052777167732736?s=21&t=zTZ6AqU3_DB36dZ3DE1HCg; reference:md5,41702a1959b1b7038237d75330b904b6; classtype:trojan-activity; sid:2036290; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, malware_family CrimsonRAT, signature_severity Major, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Apache SkyWalking GraphQL SQL Injection Inbound (CVE-2020-13921)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/graphql"; fast_pattern; http.request_body; content:"|7b 22|query"; nocase; startswith; content:"|27 29|"; pcre:"/^\s?.{0,100}(?:SELECT|UNION|CHAR|LONGVARCHAR|SCHEMA|FROM|WHERE|IFNULL|INSERT|UPDATE)/R"; reference:url,blog.csdn.net/caiqiiqi/article/details/107857173; reference:cve,2020-13921; classtype:attempted-admin; sid:2033403; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_13921, updated_at 2021_08_16;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1"; flow:to_client,established; file_data; content:"var _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036300; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Wordpress Plugin TheCartPress Privilege Escalation Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax"; fast_pattern; http.request_body; content:"tcp_role|27 3a 20|"; content:"tcp_new_user_pass|27 3a 20|"; classtype:attempted-admin; sid:2034129; rev:1; metadata:attack_target Server, created_at 2021_10_06, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_10_06;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M2"; flow:to_client,established; file_data; content:"function _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036301; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Local File Inclusion Inbound (CVE-2021-41277)"; flow:established,to_server; http.uri; content:"/api/geojson?url=file|3a 2f|"; fast_pattern; reference:url,github.com/0x0021h/expbox/blob/main/CVE-2021-41277.yaml; reference:cve,2021-41277; classtype:attempted-admin; sid:2034518; rev:1; metadata:attack_target Server, created_at 2021_11_22, cve CVE_2021_41277, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, tag Exploit, updated_at 2021_11_22;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3"; flow:to_client,established; file_data; content:"return _0x"; fast_pattern; pcre:"/^[a-f0-9]+/Ri"; content:"_0x"; within:100; content:"_0x"; within:100; reference:url,github.com/javascript-obfuscator/javascript-obfuscator; classtype:misc-activity; sid:2036302; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category HUNTING, performance_impact Significant, signature_severity Informational, updated_at 2022_04_21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Joolma Simple File Upload Plugin Remote Code Execution (CVE-2011-5148)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mod_simplefileuploadv1.3"; fast_pattern; reference:url,www.cvedetails.com/cve/CVE-2011-5148/; classtype:attempted-admin; sid:2034851; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, created_at 2021_12_30, cve CVE_2011_5148, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2021_12_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Extention Payload Fetch"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/archive.zip?iver="; startswith; bsize:<20; fast_pattern; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036294; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern; nocase; content:"src="; nocase; pcre:"/^.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016337; rev:4; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_02_01, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/un?iver="; startswith; fast_pattern; content:"&did="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036295; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; http.uri; content:"/includes/components/graphexplorer/visApi.php?"; nocase; fast_pattern; content:"type="; nocase; content:"div="; nocase; pcre:"/^.+(?:s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ri"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:6; metadata:created_at 2012_06_22, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Query Redirection"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"search?ext=properties&is"; startswith; fast_pattern; content:"&q="; distance:0; content:"&ver="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036296; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mini Mail Dashboard Widget abspath Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?"; nocase; fast_pattern; content:"abspath="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/105238/WordPress-Mini-Mail-Dashboard-Widget-1.36-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014450; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Sync"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"sync?ext=Properties&ver="; startswith; fast_pattern; content:"&dd="; distance:0; content:"&info="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/mailz/lists/config/config.php?"; fast_pattern; nocase; content:"wpabspath="; nocase; pcre:"/^\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ri"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016117; rev:4; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_12_29, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker Home Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"hb?ext="; startswith; fast_pattern; content:"&ver="; distance:0; content:"&is="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036298; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS WEB-PHP Wordpress enable-latex plugin url Remote File inclusion Attempt"; flow:established,to_server; http.uri; content:"/wp-content/plugins/enable-latex/core.php?"; fast_pattern; nocase; content:"url="; distance:0; nocase; pcre:"/^\s*(?:ftps?|https?|php)\:\//Ri"; reference:url,packetstormsecurity.org/files/107260/WordPress-Enable-Latex-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014448; rev:6; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_04_01, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M1"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035881; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; fast_pattern; content:"pid="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:7; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_07_01, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/ChromeBack Browser Hijacker (getAd)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ad?ext=Properties"; startswith; fast_pattern; content:"&ver="; distance:0; content:"&dd="; distance:0; http.user_agent; content:"Wget"; startswith; reference:url,gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/; classtype:trojan-activity; sid:2036299; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; http.uri; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern; nocase; content:"gall_id="; distance:0; nocase; content:"SELECT"; nocase; distance:0; content:"FROM"; nocase; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:10; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2011_03_11, deployment Datacenter, signature_severity Major, tag SQL_Injection, tag Wordpress, updated_at 2022_03_17;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M2"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MHwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035882; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Jenkins Information Disclosure CVE-2017-1000395"; flow:established,to_server; http.method; content:"GET"; depth:3; endswith; http.uri; content:"/securityRealm/user/"; depth:20; fast_pattern; content:"/api/xml"; endswith; http.header_names; content:!"Referer"; reference:cve,2017-1000395; reference:url,jenkins.io/security/advisory/2017-10-11/#user-remote-api-disclosed-users-email-addresses; classtype:web-application-attack; sid:2027347; rev:5; metadata:attack_target Server, created_at 2019_05_10, cve 2017_1000395, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M3"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwwf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035883; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?action=twikidraw"; fast_pattern; content:"&target="; distance:0; content:"../moin.wsgi"; endswith; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:5; metadata:created_at 2013_06_28, updated_at 2022_03_24;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"MXwxf"; startswith; fast_pattern; content:"f"; distance:7; within:1; base64_decode:bytes 250; base64_data; pcre:"/%(?:USERPROFILE|APPDATA)%/i"; reference:url,blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique; reference:md5,bb41fbddc48fc3548d55a6ad9c321832; reference:md5,1cde32d54a0f0f2ddad79d7df6a7419f; classtype:command-and-control; sid:2035884; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_08, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_21;)
+alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Remote Code Execution Inbound (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|25 7b|"; content:".exec|28|"; distance:0; fast_pattern; content:"|29 7d|"; distance:0; reference:url,github.com/CyborgSecurity/CVE-2020-17530; reference:cve,2020-17530; classtype:attempted-admin; sid:2033408; rev:2; metadata:created_at 2021_07_24, cve CVE_2020_17530, former_category WEB_SPECIFIC_APPS, updated_at 2022_04_14;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Agent.OGR!tr.pws Stealer"; flow:established,to_server; http.request_line; content:"POST / HTTP/1.1"; bsize:15; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|profile_id|22|"; fast_pattern; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|hwid|22|"; distance:0; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file|22|"; distance:0; reference:url,twitter.com/James_inthe_box/status/1517238542434414592; reference:md5,21e2215738a8e9c9d1ed1e1f66cff10e; classtype:trojan-activity; sid:2036316; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_21, deployment Perimeter, former_category MALWARE, signature_severity Major, updated_at 2022_04_21;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII"; flow:established,to_server; http.uri; content:"/modules/Advertising/admin/index.php?"; nocase; content:"clickurl="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-0372; reference:url,www.securityfocus.com/bid/22116; reference:url,doc.emergingthreats.net/2005478; classtype:web-application-attack; sid:2005478; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert dns $HOME_NET any -> any any (msg:"ET INFO Commonly Abused File Sharing Domain in DNS Lookup (filetransfer .io)"; dns.query; content:"filetransfer.io"; nocase; bsize:15; classtype:bad-unknown; sid:2036310; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, signature_severity Informational, updated_at 2022_04_22;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE"; flow:established,to_server; http.uri; content:"/index.php?"; nocase; content:"D="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; pcre:"/UPDATE.+SET/i"; reference:cve,CVE-2006-6446; reference:url,www.securityfocus.com/bid/21467; reference:url,doc.emergingthreats.net/2006614; classtype:web-application-attack; sid:2006614; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Commonly Abused File Sharing Domain (filetransfer .io in TLS SNI)"; flow:established,to_server; tls.sni; content:"filetransfer.io"; bsize:15; fast_pattern; classtype:bad-unknown; sid:2036311; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
+alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt"; flow:established,to_server; http.uri; content:"${"; content:"ognl|2E|"; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2022_04_18;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackCat Ransomware Related Domain in TLS SNI (updatedaemon .com)"; flow:established,to_server; tls.sni; content:"updatedaemon.com"; startswith; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036312; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http $EXTERNAL_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882)"; flow:established,to_server; http.uri.raw; content:"/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel="; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; distance:0; within:75; http.uri; content:"com.tangosol.coherence.mvel2.sh.ShellSession("; fast_pattern; content:"java.lang.Runtime.getRuntime("; distance:0; content:".exec"; distance:0; reference:url,isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/26734/; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; reference:cve,2020-14883; classtype:attempted-user; sid:2031147; rev:3; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2022_05_03;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE BlackCat Ransomware Related Domain in DNS Lookup (updatedaemon .com)"; dns.query; content:"updatedaemon.com"; fast_pattern; endswith; nocase; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036313; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M1 (Possible Staging for CVE-2022-25237)"; flow:established,to_server; flowbits:set,ET.BonitaDefaultCreds; http.method; content:"POST"; http.uri; content:"/bonita/loginservice"; fast_pattern; http.request_body; content:"username=install"; content:"password=install"; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036815; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Minor, updated_at 2022_06_03;)
 
-alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed BlackCat Ransomware Related SSL Cert (updatedaemon .com)"; flow:established,to_client; tls.cert_subject; content:"CN=updatedaemon.com"; bsize:19; fast_pattern; reference:md5,e76fd61eea3bf2073d29c6aa963bc34b; reference:url,www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html; classtype:domain-c2; sid:2036314; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, signature_severity Major, tag Ransomware, updated_at 2022_04_22, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1486, mitre_technique_name Data_Encrypted_for_Impact;)
+alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M2 (Possible Staging for CVE-2022-25237)"; flow:established,to_server; flowbits:set,ET.BonitaDefaultCreds; http.method; content:"POST"; http.uri; content:"/bonita/platformloginservice"; fast_pattern; http.request_body; content:"username=platformAdmin"; content:"password=platform"; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036816; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Minor, updated_at 2022_06_03;)
 
-alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"icanhazip.com"; bsize:13; fast_pattern; classtype:external-ip-check; sid:2036304; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, performance_impact Low, signature_severity Informational, updated_at 2022_04_22;)
+#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion Attempt (CVE-2010-3055)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup.php"; nocase; http.request_body; content:"action="; nocase; content:"&configuration="; distance:0; content:"PMA"; distance:0; content:"Config"; within:11; pcre:"/source(?:\x22\x3b\w\x3a|%22%3b\w%3a)\d+(?:\x3a\x22|%3a%22)(?:(?:ftps?|%66%74%70(?:%73)?)|(?:https?|%68%74%74%70(?:%73)?)|(?:php|%70%68%70))(?:\x3a|%3A)(?:\x2f|%2f)/Ri"; reference:url,blog.spiderlabs.com/2012/04/honeypot-alert-phpmyadmin-setupphp-rfi-attacks-detected.html; reference:url,phpmyadmin.net/home_page/security/PMASA-2010-4.php; reference:cve,CVE-2010-3055; classtype:web-application-attack; sid:2014633; rev:6; metadata:created_at 2012_04_23, former_category WEB_SPECIFIC_APPS, updated_at 2020_04_21;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kratos Silent Miner Checkin via Discord"; flow:established,to_server; http.request_line; content:"POST /api/webhooks/"; startswith; http.host; content:"discord"; depth:7; content:".com"; endswith; http.request_body; content:"|22|name|22 3a 22|Kratos|20|Silent|20|"; fast_pattern; content:"|22|name|22 3a 22|PC|20|Name|3a 22 2c 22|value|22 3a 22|"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:command-and-control; sid:2036305; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+# Emerging Threats 
+#
+# This distribution may contain rules under two different licenses. 
+#
+#  Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
+#  A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
+#
+#  Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License 
+#  as follows:
+#
+#*************************************************************
+#  Copyright (c) 2003-2022, Emerging Threats
+#  All rights reserved.
+#  
+#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
+#  following conditions are met:
+#  
+#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
+#    disclaimer.
+#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
+#    following disclaimer in the documentation and/or other materials provided with the distribution.
+#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
+#    from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
+#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
+#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
+#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
+#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+#
+#*************************************************************
+#
+#
+#
+#
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Blacktech Plead CnC Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx?m="; fast_pattern; pcre:"/^[0-9]{10}$/R"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|8.0|3b 20|Win32)"; bsize:41; http.header_names; content:!"Referer|0d 0a|"; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036315; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family BlackTech, signature_severity Major, updated_at 2022_04_22;)
+# This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced.
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zingo/GinzoStealer Data Command List Fetch"; flow:established,to_server; http.request_line; content:"GET /ginzolist.txt HTTP/1.1"; bsize:27; fast_pattern; isdataat:!1,relative; http.header_names; content:"|0d 0a|Host|0d 0a 0d 0a|"; bsize:10; reference:url,twitter.com/struppigel/status/1506933328599044100; reference:md5,5009e04920d5fb95f8a02265f89d25a5; classtype:trojan-activity; sid:2036317; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family ZingoStealer, malware_family Ginzo, signature_severity Major, updated_at 2022_04_22;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Outbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003292; classtype:trojan-activity; sid:2003292; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Successful Banca Monte dei Paschi di Siena Credential Phish 2022-04-22"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"userType=&cod="; fast_pattern; content:"&pin="; distance:0; content:"&tel="; distance:0; classtype:credential-theft; sid:2036319; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Ping Inbound"; icode:0; itype:8; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_src; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003294; classtype:trojan-activity; sid:2003294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/call?key="; bsize:42; http.header_names; content:"|0d 0a|Host|0d 0a|User-Agent|0d 0a|Content-Length|0d 0a|Content-Type|0d 0a|Accept-Encoding|0d 0a 0d 0a|"; bsize:69; http.request_body; content:"PK|03 04|"; byte_test:1,<=,20,0,relative; content:"ProcessList.txt"; fast_pattern; distance:0; content:"Screenshot.png"; distance:0; reference:md5,3f9c1455992239f4efe31f0e56773433; classtype:trojan-activity; sid:2036321; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Inbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003293; classtype:trojan-activity; sid:2003293; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer CnC Checkin"; flow:established,to_server; http.request_line; content:"POST|20|/ping|20|"; startswith; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.content_len; byte_test:0,=,36,0,string,dec; http.request_body; content:"key="; startswith; pcre:"/^key=[A-F0-9]{32}$/"; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036306; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM shell bot perl code download"; flow:to_client,established; content:"# ShellBOT"; nocase; reference:url,doc.emergingthreats.net/2002683; classtype:trojan-activity; sid:2002683; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Banca Monte dei Paschi di Siena Credential Phish Landing Page 2022-04-22"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"Banca MPS"; content:"|3c|form|20|method|3d 22|POST|22 20|id|3d 22|includeCodUser|22 20|class|3d 22|margin|5f|login|5f|header|20|includeCodUser|20|dB|5f|box|5f|container|22 3e|"; nocase; distance:0; fast_pattern; content:"name=|22|userType|22|"; distance:0; content:"name=|22|cod|22|"; distance:0; content:"name=|22|pin|22|"; distance:0; content:"name=|22|tel|22|"; distance:0; content:"id=|22|loginOtp1|22|"; distance:0; classtype:credential-theft; sid:2036320; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category PHISHING, signature_severity Major, updated_at 2022_04_22;)
+#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM Shell Bot Code Download"; flow:to_client,established; content:"##################### IRC #######################"; nocase; reference:url,doc.emergingthreats.net/2002684; classtype:trojan-activity; sid:2002684; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (forummanazera .sk)"; dns.query; dotprefix; content:".forummanazera.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036322; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Allaple ICMP Sweep Reply Outbound"; icode:0; itype:0; content:"Babcdefghijklmnopqrstuvwabcdefghi"; threshold: type both, count 1, seconds 60, track by_dst; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; reference:url,isc.sans.org/diary.html?storyid=2451; reference:url,doc.emergingthreats.net/2003295; classtype:trojan-activity; sid:2003295; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (reality .skarabeus .sk)"; dns.query; dotprefix; content:".reality.skarabeus.sk"; nocase; endswith; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell; classtype:trojan-activity; sid:2036323; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (msrousinov .cz)"; dns.query; content:"msrousinov.cz"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036324; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud /qvod/ff.txt Checkin"; flow:established,to_server; content:"/qvod/ff.txt"; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; reference:md5,f97e1c4aefbd2595fcfeb0f482c47517; reference:md5,f96a29bcf6cba870efd8f7dd9344c39e; reference:md5,fae8675502d909d6b546c111625bcfba; classtype:trojan-activity; sid:2014401; rev:2; metadata:created_at 2012_03_20, updated_at 2012_03_20;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (googleprovider .ru)"; dns.query; content:"googleprovider.ru"; nocase; bsize:17; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036325; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (profiit .fiit .stuba .sk)"; dns.query; content:"profiit.fiit.stuba.sk"; nocase; bsize:21; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036326; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:command-and-control; sid:2017404; rev:3; metadata:attack_target Client_Endpoint, created_at 2013_08_31, deployment Perimeter, former_category WORM, signature_severity Major, tag c2, updated_at 2013_08_31, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (freetips .php5 .sk)"; dns.query; content:"freetips.php5.sk"; nocase; bsize:16; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036327; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+#alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"ET WORM Potential MySQL bot scanning for SQL server"; flow:to_server; flags:S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; reference:url,doc.emergingthreats.net/2001689; classtype:trojan-activity; sid:2001689; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (sivpici .php5 .sk)"; dns.query; content:"sivpici.php5.sk"; nocase; bsize:15; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036328; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Rimecud wg.txt Checkin"; flow:established,to_server; http.uri; content:"/wg.txt"; reference:md5,a89f7289d5cce821a194542e90026082; reference:md5,fd56ce176889d4fbe588760a1da6462b; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud; classtype:trojan-activity; sid:2014402; rev:3; metadata:created_at 2012_03_20, updated_at 2020_04_21;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (hotel-boss .eu)"; dns.query; content:"hotel-boss.eu"; nocase; bsize:13; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036329; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/tmUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018132; rev:5; metadata:created_at 2014_02_13, updated_at 2020_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (limousine-service .cz)"; dns.query; content:"limousine-service.cz"; nocase; bsize:20; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036330; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 3"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/hndUnblock.cgi"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,exploit-db.com/exploits/31683/; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018155; rev:5; metadata:created_at 2014_02_19, updated_at 2020_07_07;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (ms .rousinov .cz)"; dns.query; content:"ms.rousinov.cz"; nocase; bsize:14; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036331; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql"; flow:established,to_server; http.uri; content:"/setting.nql"; nocase; reference:md5,a70aad8f27957702febfa162556dc5b5; classtype:trojan-activity; sid:2012201; rev:5; metadata:created_at 2011_01_17, updated_at 2020_08_04;)
 
-alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed DNS Query to Certishell Domain (vavave .xf .cz)"; dns.query; content:"vavave.xf.cz"; nocase; bsize:12; reference:url,decoded.avast.io/danielbenes/warez-users-fell-for-certishell/; classtype:trojan-activity; sid:2036332; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, malware_family Certishell, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+alert http any any -> $HOME_NET 8080 (msg:"ET WORM TheMoon.linksys.router 1"; flow:established; urilen:7; http.method; content:"GET"; http.uri; content:"/HNAP1/"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; classtype:trojan-activity; sid:2018131; rev:6; metadata:created_at 2014_02_13, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 000Stealer Data Exfiltration M1"; flow:established,to_server; http.request_line; content:"POST|20|/call?key="; fast_pattern; pcre:"/^[a-f0-9]{32}\x20/R"; http.header; content:"Content|2d|Type|3a 20|multipart|2f|form|2d|data|3b 20|boundary|3d|"; pcre:"/^[a-f0-9]{60}\x0d\x0a/R"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22 5b|"; distance:0; content:"|5d 20|"; distance:2; within:2; content:"|20 5b|"; distance:32; within:2; content:"|5d 22 0d 0a|Content|2d|Type|3a 20|application|2f|octet|2d|stream|0d 0a 0d 0a|PK|03 04|"; distance:19; within:50; reference:md5,3f9c1455992239f4efe31f0e56773433; reference:url,twitter.com/3xp0rtblog/status/1509978637189419008; classtype:trojan-activity; sid:2036307; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_04_22, deployment Perimeter, former_category MALWARE, malware_family 000Stealer, performance_impact Low, signature_severity Major, tag c2, updated_at 2022_04_22, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Win32.Socks.s HTTP Post Checkin"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.request_body; content:"proc=[System Process]|0a|"; depth:22; reference:url,doc.emergingthreats.net/2008020; classtype:trojan-activity; sid:2008020; rev:6; metadata:created_at 2010_07_30, updated_at 2020_08_18;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BlackTech FlagPro Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".htmld?flag"; fast_pattern; pcre:"/^(?:pro)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; http.header_names; content:!"Referer"; reference:md5,1b39dcc5de43d2840d6992a561e34eec; reference:url,twitter.com/GlobalNTT_JP/status/1517061187107946496; classtype:trojan-activity; sid:2036309; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_07_15, deployment Perimeter, former_category MALWARE, malware_family BlackTech, performance_impact Low, signature_severity Major, updated_at 2022_04_22;)
+#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM SDBot HTTP Checkin"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|quem=dodoi&tit="; content:"&txt="; within:40; reference:url,doc.emergingthreats.net/2007914; classtype:trojan-activity; sid:2007914; rev:5; metadata:created_at 2010_07_30, updated_at 2022_05_03;)
 
-alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; http.request_line; content:"GET / "; startswith; http.host; dotprefix; content:".google.com"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/taskx.txt"; fast_pattern; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|Indy Library)"; depth:38; reference:md5,9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:4; metadata:created_at 2011_04_29, updated_at 2020_10_13;)